ML20100J448

Interim Reliability Evaluation Program: Analysis of the Calvert Cliffs Unit 1 Nuclear Power Plant. Volume II, Appendices A, B and C
Site: Calvert Cliffs
Issue date: 10/31/1984
From: Payne A
SANDIA NATIONAL LABORATORIES
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
NUREG-CR-3511, NUREG-CR-3511-V02, NUREG-CR-3511-V2, NUDOCS 8412100350


Text

NUREG/CR-3511/2 of 2
SAND 83-2086/2 of 2
AN, RG
Printed August 1984

Interim Reliability Evaluation Program: Analysis of the Calvert Cliffs Unit 1 Nuclear Power Plant

Volume II: Appendices A, B, and C

A. C. Payne, Jr., Principal Investigator

Prepared for U. S. NUCLEAR REGULATORY COMMISSION

NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

Available from GPO Sales Program, Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555 and National Technical Information Service, Springfield, Virginia 22161

NUREG/CR-3511/2 of 2
SAND 83-2086/2 of 2
AN, RG

INTERIM RELIABILITY EVALUATION PROGRAM: ANALYSIS OF THE CALVERT CLIFFS UNIT 1 NUCLEAR POWER PLANT

VOLUME II: APPENDICES A, B, AND C

AUGUST 1984

A. C. Payne, Jr. S. M. Davis D. W. Stack D. R. Lasher

N. L. Brisbin P. D. O'Reilly S. W. Hatch U. S. Nuclear Regulatory Sandia National Laboratories Commission S. H. McAhren J. J. O'Neill Remote Sensing, Inc. Evaluation Associates, B. Atefi S. M. Davis W. L. Ferrell R. N. Hunt W. S. Galyean Baltimore Gas & Electric Co.

A. A. Garcia J. E. Kelly S. Lainoff M. Modarres J. Held M. Raeisinia Energy, Inc.

Science Applications, Inc.

M. I. Roush University of Maryland

Sandia National Laboratories, Albuquerque, New Mexico 87185
Operated by Sandia Corporation for the U. S. Department of Energy

Prepared for Division of Risk Analysis and Operations, Office of Nuclear Regulatory Research, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Under Memorandum of Understanding DOE 40-550-75
NRC FIN No. A1241

VOLUME II

TABLE OF CONTENTS

APPENDIX A - Systemic Event Tree Analysis
  A.1 INTRODUCTION
  A.2 LOCA SYSTEMIC EVENT TREE DEVELOPMENT
    A.2.1 Large LOCA (A) Event Tree
    A.2.2 Small LOCA (S1) Event Tree
    A.2.3 Small-small LOCA (S2) Event Tree
  A.3 TRANSIENT SYSTEMIC EVENT TREE DEVELOPMENT
    A.3.1 Loss of Offsite Power/Loss of PCS (T1/T2), Loss of a DC Bus (TDC), and Loss of Service Water (TSRW) Event Tree
    A.3.2 Transients Requiring RCS Pressure Relief (T3) Event Tree
    ... Shutdown (T4) Event Tree
  REFERENCES

APPENDIX B - FRONT-LINE AND SUPPORT SYSTEM ANALYSIS
  B.1 INTRODUCTION
  B.2 SAFETY INJECTION TANKS SYSTEM DESCRIPTION (SIT)
    B.2.1 Purpose
    B.2.2 Description
      B.2.2.1 Overall Configuration
      B.2.2.2 System Interfaces
      B.2.2.3 Instrumentation and Control
      B.2.2.4 Operator Actions
      B.2.2.5 Surveillance
      B.2.2.6 Maintenance
      B.2.2.7 Technical Specification Limitations
    B.2.3 Operation
    B.2.4 Fault Tree Description
      B.2.4.1 Success/Failure Criteria
      B.2.4.2 Major Assumptions
  B.3 LOW PRESSURE SAFETY INJECTION/RECIRCULATION SYSTEM DESCRIPTION (LPSI/R)
    B.3.1 Purpose
    B.3.2 Description
      B.3.2.1 Overall Configuration
      B.3.2.2 System Interfaces
      B.3.2.3 Instrumentation and Control
      B.3.2.4 Operator Actions
      B.3.2.5 Surveillance
      B.3.2.6 Maintenance
      B.3.2.7 Technical Specification Limitations
    B.3.3 Operation
    B.3.4 Fault Tree Description
      B.3.4.1 Success/Failure Criteria
      B.3.4.2 Major Assumptions
  B.4 CONTAINMENT AIR RECIRCULATION AND COOLING SYSTEM DESCRIPTION (CARCS)
    B.4.1 Purpose
    B.4.2 Description
      B.4.2.1 Overall Configuration
      B.4.2.2 System Interfaces
      B.4.2.3 Instrumentation and Control
      B.4.2.4 Operator Actions
      B.4.2.5 Surveillance
      B.4.2.6 Maintenance
      B.4.2.7 Technical Specification Limitations
    B.4.3 Operation
    B.4.4 Fault Tree Description
      B.4.4.1 Success/Failure Criteria
      B.4.4.2 Major Assumptions
  B.5 CONTAINMENT SPRAY/SHUTDOWN HEAT REMOVAL SYSTEM DESCRIPTION (CSS/SDHX)
    B.5.1 Purpose
    B.5.2 Description
      B.5.2.1 Overall Configuration
      B.5.2.2 System Interfaces
      B.5.2.3 Instrumentation and Control
      B.5.2.4 Operator Actions
      B.5.2.5 Surveillance
      B.5.2.6 Maintenance
      B.5.2.7 Technical Specification Limitations
      B.5.2.8 Surveillance Requirements
    B.5.3 Operation
    B.5.4 Fault Tree Description
      B.5.4.1 Success/Failure Criteria
      B.5.4.2 Major Assumptions
  B.6 HIGH PRESSURE SAFETY INJECTION/RECIRCULATION SYSTEM DESCRIPTION (HPSI/R)
    B.6.1 Purpose
    B.6.2 Description
      B.6.2.1 Overall Configuration
      B.6.2.2 System Interfaces
      B.6.2.3 Instrumentation and Control
      B.6.2.4 Operator Actions
      B.6.2.5 Surveillance
      B.6.2.6 Maintenance
      B.6.2.7 Technical Specification Limitations
    B.6.3 Operation
    B.6.4 Fault Tree Description
      B.6.4.1 Success/Failure Criteria
      B.6.4.2 Major Assumptions
  B.7 REACTOR PROTECTION SYSTEM (RPS)
    B.7.1 Purpose
    B.7.2 Description
      B.7.2.1 Overall Configuration
      B.7.2.2 System Interfaces
      B.7.2.3 Instrumentation and Control
      B.7.2.4 Operator Actions
      B.7.2.5 Surveillance
      B.7.2.6 Maintenance
      B.7.2.7 Technical Specification Limitations
    B.7.3 Operation
    B.7.4 Fault Tree Description
      B.7.4.1 Success/Failure Criteria
  B.8 POWER CONVERSION AND SECONDARY STEAM RELIEF SYSTEMS DESCRIPTIONS (PCS)
    B.8.1 Purpose
    B.8.2 Description
      B.8.2.1 Overall Configuration
      B.8.2.2 System Interfaces
      B.8.2.3 Instrumentation and Control
      B.8.2.4 Operation Actions
      B.8.2.5 Surveillance
      B.8.2.6 Maintenance
      B.8.2.7 Technical Specification Limitations
    B.8.3 Operation
    B.8.4 Fault Tree Description
      B.8.4.1 Success/Failure Criteria
      B.8.4.2 Major Assumptions
  B.9 AUXILIARY FEEDWATER SYSTEM DESCRIPTION (AFWS)
    B.9.1 Purpose
    B.9.2 Description
      B.9.2.1 Overall Configuration
      B.9.2.2 System Interfaces
      B.9.2.3 Instrumentation and Control
      B.9.2.4 Operator Actions
      B.9.2.5 Surveillance
      B.9.2.6 Maintenance
      B.9.2.7 Technical Specification Limitations
    B.9.3 Operation
    B.9.4 Fault Tree Description
      B.9.4.1 Success/Failure Criteria
      B.9.4.2 Major Assumptions
  B.10 POWER OPERATED RELIEF VALVES DESCRIPTION (PORVs)
  B.11 CHEMICAL AND VOLUME CONTROL SYSTEM DESCRIPTION (CVCS)
    B.11.1 Purpose
    B.11.2 Description
      B.11.2.1 Overall Configuration
      B.11.2.2 System Interfaces
      B.11.2.3 Instrumentation and Control
      B.11.2.4 Operator Actions
      B.11.2.5 Surveillance
      B.11.2.6 Maintenance
      B.11.2.7 Technical Specification Limitations
    B.11.3 Operation
    B.11.4 Fault Tree Description
      B.11.4.1 Success/Failure Criteria
      B.11.4.2 Major Assumptions
  B.12 CODE SAFETY VALVES (SRVs)
  B.13 EMERGENCY ELECTRICAL POWER SYSTEM
    B.13.1 Purpose
    B.13.2 Description
      B.13.2.1 Overall Configuration
      B.13.2.2 System Interfaces
      B.13.2.3 Instrumentation and Control
      B.13.2.4 Operator Actions
      B.13.2.5 Surveillance
      B.13.2.6 Maintenance
      B.13.2.7 Technical Specification Limitations
    B.13.3 Operation
    B.13.4 Fault Tree Description
      B.13.4.1 Success/Failure Criteria
      B.13.4.2 Major Assumptions
  B.14 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM DESCRIPTION (ESFAS)
    B.14.1 Purpose
    B.14.2 Description
      B.14.2.1 Overall Configuration
      B.14.2.2 System Interfaces
      B.14.2.3 Instrumentation and Control
      B.14.2.4 Operator Actions
      B.14.2.5 Surveillance
      B.14.2.6 Maintenance
      B.14.2.7 Technical Specification Limitations
    B.14.3 Operation
    B.14.4 Fault Tree Description
      B.14.4.1 Success/Failure Criteria
      B.14.4.2 Major Assumptions
    B.14.5 Data
  B.15 SERVICE WATER SYSTEM DESCRIPTION (SRW)
    B.15.1 Purpose
    B.15.2 Description
      B.15.2.1 Overall Configuration
      B.15.2.2 System Interfaces
      B.15.2.3 Instrumentation and Control
      B.15.2.4 Operator Actions
      B.15.2.5 Surveillance
      B.15.2.6 Maintenance
      B.15.2.7 Technical Specification Limitations
    B.15.3 Operation
    B.15.4 Fault Tree Description
      B.15.4.1 Success/Failure Criteria
      B.15.4.2 Major Assumptions
  B.16 COMPONENT COOLING WATER SYSTEM DESCRIPTION (CCW)
    B.16.1 Purpose
    B.16.2 Description
      B.16.2.1 Overall Configuration
      B.16.2.2 System Interfaces
      B.16.2.3 Instrumentation and Control
      B.16.2.4 Operator Actions
      B.16.2.5 Surveillance
      B.16.2.6 Maintenance
      B.16.2.7 Technical Specification Limitations
    B.16.3 Operation
    B.16.4 Fault Tree Description
      B.16.4.1 Success/Failure Criteria
      B.16.4.2 Assumptions
  B.17 SALT WATER SYSTEM DESCRIPTION (SWS)
    B.17.1 Purpose
    B.17.2 Description
      B.17.2.1 Overall Configuration
      B.17.2.2 System Interfaces
      B.17.2.3 Instrumentation and Control
      B.17.2.4 Operator Actions
      B.17.2.5 Surveillance
      B.17.2.6 Maintenance
      B.17.2.7 Technical Specification Limitations
    B.17.3 Operation
    B.17.4 Fault Tree Description
      B.17.4.1 Success/Failure Criteria
      B.17.4.2 Major Assumptions
  B.18 HEATING AND VENTILATION SYSTEM DESCRIPTION
    B.18.1 Diesel Generator Room Ventilation System
      B.18.1.1 Purpose
      B.18.1.2 Description
        B.18.1.2.1 Overall Configuration
        B.18.1.2.2 System Interfaces
        B.18.1.2.3 Instrumentation and Control
        B.18.1.2.4 Operator Actions
        B.18.1.2.5 Surveillance
        B.18.1.2.6 Maintenance
      B.18.1.3 Operation
      B.18.1.4 Fault Tree Description
        B.18.1.4.1 Major Assumptions
    B.18.2 ECCS Pump Room Cooling System
      B.18.2.1 Purpose
      B.18.2.2 Description
        B.18.2.2.1 Overall Configuration
        B.18.2.2.2 System Interfaces
        B.18.2.2.3 Instrumentation and Control
        B.18.2.2.4 Operator Actions
        B.18.2.2.5 Surveillance
        B.18.2.2.6 Maintenance
      B.18.2.3 Operation
      B.18.2.4 Fault Tree Description
        B.18.2.4.1 Major Assumptions
  B.19 HUMAN RELIABILITY ANALYSIS
    B.19.1 Introduction
    B.19.2 Calvert Cliffs Human Reliability Effort
    B.19.3 Evaluation of the Generic and Specific Human Related Tasks
      B.19.3.1 Analysis of Task 1 (Failure to Restore System Following Component Maintenance)
      B.19.3.2 Analysis of Task 2 (Failure to Restore an Actuation System Following Maintenance)
      B.19.3.3 Analysis of Task 3 (Failure to Restore RWT Level Switches Following Test During Performance of Monthly STP-M-220-1)
      B.19.3.4 Analysis of Task 4 (Failure to Restore Sliding Link Terminals Following Functional Test [or maintenance] of ESFAS Containment Pressure and Pressurizer Pressure Loops)
      B.19.3.5 Analysis of Task 5 (Failure to Restore Auxiliary Feedwater Pump Discharge Valve Following Performance of STP-0-51 Monthly Performance Test)
      B.19.3.6 Analysis of Task 6 (Failure of Operator to Successfully Perform Emergency Boration Within 30 Seconds Given That an ATWS Scenario is Identified)
      B.19.3.7 Analysis of Task 7 (Failure to Manually Actuate ESFAS)

APPENDIX C - Accident Sequence Quantification
  C.1 GENERAL APPROACH TO SEQUENCE QUANTIFICATION
    C.1.1 Overview
    C.1.2 Accident Sequence Identification
    C.1.3 Fault Tree Manipulations
      C.1.3.1 Fault Tree Merging
      C.1.3.2 Fault Tree Truncation
      C.1.3.3 Data
    C.1.4 Sequence Quantification
      C.1.4.1 Quantification of Sequences Containing Only Failed Systems
      C.1.4.2 Quantification of Sequences Containing System Failures and Successes
      C.1.4.3 Sequence Probability Calculations
    C.1.5 Final Quantification Process
      C.1.5.1 Data Reevaluation
      C.1.5.2 Reevaluation of Conservative/Non-conservative Assumptions
    C.1.6 Quantification of Operator Recovery Actions
  C.2 EXAMPLE CALCULATION OF SEQUENCE FREQUENCIES
    C.2.1 Introduction
    C.2.2 Example Accident Sequence Identification
    C.2.3 Example Fault Tree Manipulations
      C.2.3.1 Example Fault Tree Merging
      C.2.3.2 Example Fault Tree Truncation
      C.2.3.3 Data Peculiar to Sequence S2-59
    C.2.4 Example Sequence Quantification
      C.2.4.1 Sequence Cut Set Development
      C.2.4.2 Sequence Probability Calculation
    C.2.5 Final Quantification of Example Sequence
      C.2.5.1 Data Reevaluation
      C.2.5.2 Conservative/Non-Conservative Assumptions
    C.2.6 Quantification of Operator Recovery for Example Sequence
  C.3 SEQUENCE SCREENING QUANTIFICATION
    C.3.1 Introduction
    C.3.2 Initiating Event Frequencies
      C.3.2.1 LOCA Frequencies
      C.3.2.2 Transient Frequencies
    C.3.3 Screening Criteria
    C.3.4 Sequence Quantification Results
      C.3.4.1 Introduction
      C.3.4.2 Large Break LOCA
      C.3.4.3 Small Break LOCA
      C.3.4.4 Small-Small Break LOCA
      C.3.4.5 Loss of Offsite Power Transient (T1)
      C.3.4.6 Loss of Main Feedwater (T2)
      C.3.4.7 Transients Requiring RCS Pressure Relief (T3)
      C.3.4.8 All Other Transients (T4)
  C.4 DOMINANT ACCIDENT SEQUENCES
    C.4.1 Introduction
    C.4.2 Sequence ATWS(PSF)
    C.4.3 Sequence TDC-82 (TDCL)
    C.4.4 Sequence S2-50 (S2H)
    C.4.5 Sequence S2-52 (S2FH)
    C.4.6 Sequence T2-82 (T2L)
    C.4.7 Sequence T4-173 (T4KU)
    C.4.8 Sequence T4-147 (T4ML)
    C.4.9 Sequence T1-81-65 (T1Q-D"CC')
    C.4.10 Sequence T1-82 (T1L)
    C.4.11 Sequence Station Blackout
    C.4.12 Sequence T4-152 (T4KQ)
    C.4.13 Sequence T3-139 (T3KU)
    C.4.14 Sequence T3-118 (T3KQ)
    C.4.15 Sequence T3-113 (T3ML)
    C.4.16 Sequence S2-59 (S2D")
    C.4.17 Sequence T1-85 (T1LCC')
    C.4.18 Discussion of Candidate Dominant Sequences Which Dropped Below 1E-6 After Recovery

ACKNOWLEDGEMENT

The efforts of the Quality Assurance Review Team which periodically reviewed the conduct of the work and provided technical guidance are acknowledged. This team consisted of:

David D. Carlson, Sandia National Laboratories
Jack W. Hickman, Sandia National Laboratories
Gregory J. Kolb, Sandia National Laboratories
Joseph A. Murphy, U. S. Nuclear Regulatory Commission
Kenneth Murphy, U. S. Nuclear Regulatory Commission
Jonathan Young, Energy, Inc.

In the area of human factors, we wish to thank Barbara Bell of Battelle Columbus Laboratories and Dwight Miller of Sandia National Laboratories for guiding the team in the human error calculations.

The authors also would like to thank Emily Preston, Vickie Black and Robin Cassell for their help in typing this report.

Appendix A

Systemic Event Tree Analysis

A.1 INTRODUCTION

Appendix A contains the systemic event trees developed for the LOCA and transient initiators for Calvert Cliffs Unit 1. This appendix briefly describes the initiating events, the event tree headings, and the system interactions.

The basic approach to systemic event tree development is to start with existing functional event trees and then identify the required systems for each mitigating function in the event tree. Then, a systemic event tree is developed utilizing these mitigating systems as event tree headings. The structure of the systemic event tree should generally match the structure of the functional event tree upon which it is based. The locations of specific success/failure choices on the systemic event tree, however, depend on the specific system interactions. The system success/failure criteria are shown in Tables A.1 and A.3 and are discussed in the following sections. The grouping of initiating events into Loss-of-Coolant Accidents (LOCAs) and anticipated transients is consistent with previous probabilistic risk assessment studies and follows the rationale presented in Section 4.0 of the main report.

In general, system interrelationships dictate the event tree structure. In sequences where either one of two systems can perform the same mitigating function, and the system appearing earlier in the event tree headings has succeeded, a success/failure decision is usually not made for the system appearing later in the event tree headings. Likewise, in sequences where the success of one system is dependent on the earlier success of another system, and that other system has already failed, a success/failure decision is not made for the dependent system.
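The two branch-pruning rules above can be made concrete with a small enumerator. This is an added example, not code or data from the report: the headings X, Y, Z and the initiator I are constructed placeholders, not Calvert Cliffs systems, and the designator format (initiator letter followed by the letters of the failed systems) follows the convention the report uses for its sequence designators.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Outcome of one heading in one sequence:
#   True = success, False = failure, None = no success/failure decision made
Outcome = Dict[str, Optional[bool]]


@dataclass(frozen=True)
class Heading:
    letter: str                           # event identifier used in designators
    alternative_to: Optional[str] = None  # earlier heading performing the same function
    depends_on: Optional[str] = None      # earlier heading whose success this one needs


def is_asked(heading: Heading, outcome: Outcome) -> bool:
    """Apply the two pruning rules to decide whether a branch point exists."""
    # Rule 1: an earlier system performing the same function already succeeded.
    if heading.alternative_to and outcome.get(heading.alternative_to) is True:
        return False
    # Rule 2: the system this heading depends on has already failed.
    if heading.depends_on and outcome.get(heading.depends_on) is False:
        return False
    return True


def enumerate_sequences(initiator: str,
                        headings: List[Heading]) -> List[Tuple[str, Outcome]]:
    """Walk the tree left to right; return (designator, outcome) per sequence."""
    sequences: List[Tuple[str, Outcome]] = []

    def walk(index: int, outcome: Outcome) -> None:
        if index == len(headings):
            failed = "".join(h.letter for h in headings
                             if outcome[h.letter] is False)
            sequences.append((initiator + failed, dict(outcome)))
            return
        heading = headings[index]
        if not is_asked(heading, outcome):
            # No decision is made: the tree passes straight through this heading.
            walk(index + 1, {**outcome, heading.letter: None})
            return
        for result in (True, False):  # success branch first, then failure
            walk(index + 1, {**outcome, heading.letter: result})

    walk(0, {})
    return sequences


# Constructed three-heading tree (hypothetical, for illustration only):
#   X: front-line system
#   Y: alternative to X (same mitigating function)
#   Z: depends on the earlier success of X
HEADINGS = [
    Heading("X"),
    Heading("Y", alternative_to="X"),
    Heading("Z", depends_on="X"),
]


def designators(initiator: str, headings: List[Heading]) -> List[str]:
    return [d for d, _ in enumerate_sequences(initiator, headings)]


if __name__ == "__main__":
    for designator, outcome in enumerate_sequences("I", HEADINGS):
        print(designator, outcome)
```

With the constructed headings, the pruned tree has four sequences instead of the eight that three unconditioned binary headings would produce.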

The event trees consider the impact on consequence mitigation even for sequences in which a core melt is inevitable. This is accomplished by allowing success/failure decisions for systems that can delay the core melt, impact whether the containment will fail due to overpressure, or scrub the containment atmosphere of radioactive contaminants. All of these affect the nature and the severity of a release of radioactivity to the environment.

A.2 LOCA SYSTEMIC EVENT TREE DEVELOPMENT

Three LOCA initiators are defined as "Large" (D* > 4.3 inches), "Small" (1.9 inches < D* ≤ 4.3 inches), and "Small-small" (0.30 inches < D* ≤ 1.9 inches) breaks, where D* is the equivalent diameter of the break. The basis of this definition of LOCA events is as follows. A Large LOCA results in rapid depressurization of the primary system allowing the use of the high-volume, low-pressure portions of the Safety Injection System (SIS) to reflood the core. A Small LOCA involves a relatively slow depressurization of the primary system, but the rate of flow of coolant through the break and consequent makeup by High Pressure Safety Injection (HPSI) allows adequate decay heat removal without depending on the secondary (i.e., steam, condensate and feedwater) systems. In a Small-small LOCA, the rate of flow of coolant through the break is greater than the capability of the normal reactor coolant makeup system, and HPSI is initiated based on a low pressurizer pressure signal. However, the rate of flow of coolant through the Small-small break is insufficient to remove enough decay heat to lower the pressure to the HPSI shutoff head and, therefore, secondary heat removal is required. Thus, the systems required to perform the mitigating function of reactor heat removal are different depending on whether the LOCA is Large, Small, or Small-small. This difference necessitates separate systemic event trees for the three LOCA sizes.

The Large LOCA functional event tree shown in Figure A-1 was used to develop the Large LOCA systemic event tree shown in Figure A-2. The Small or Small-small LOCA functional event tree shown in Figure A-3 was used to develop the Small and Small-small LOCA systemic event trees shown in Figures A-4 and A-5. To form the systemic event tree headings, the mitigating functions which form the functional event tree headings were replaced by the systems which perform those mitigating functions. Table A.1 lists the mitigating systems and defines their success criteria.

The major difference between the Large LOCA and the Small or Small-small LOCA event trees lies in the treatment of the reactor subcriticality function. For the Large LOCA, success of the reactor subcriticality function is inherent in the design of the reactor and in the nature of the accident. The reactor is automatically rendered subcritical due to core voiding during the blowdown phase and is maintained subcritical during the subsequent core reflood by borated water from the Safety Injection System (SIS). It is assumed that the probability of injection of inadequately borated water from the Refueling Water Tank (RWT) into the core is insignificant. Therefore, the reactor subcriticality function does not appear on the Large LOCA functional event tree and is not represented on the Large LOCA systemic event tree. On the other hand, for the Small or Small-small LOCA, success of the reactor subcriticality function is dependent on the successful operation of the Reactor Protection System (RPS). Thus, the reactor subcriticality function appears on the Small or Small-small LOCA functional event tree, and RPS appears on the corresponding systemic event trees.

A discussion of the event tree heading definitions, success criteria, system interactions and tree structure for each systemic event tree follows. The source of system success/failure criteria is the Calvert Cliffs Unit 1 Final Safety Analysis Report (FSAR) except as noted in the following subsections.

A.2.1 Large LOCA (A)

The Large LOCA initiating event is a random rupture of the RCS piping having a greater break area than a 4.3-inch-diameter circular break. This break size was selected because the primary system will depressurize rapidly for breaks of this size, resulting in a demand on the high-volume, low-pressure portions of the Safety Injection System (SIS). In addition, because of the rapid core voiding the reactor subcriticality function is not required for this event.

A.2.1.1 Front-Line Systems Required and Success Criteria

The front-line systems required to mitigate a Large LOCA comprise the headings of the Large LOCA systemic event tree (Figure A-2) and include the Low Pressure Safety Injection (LPSI) System, the Safety Injection Tanks (SIT), the Containment Air Recirculation and Cooling (CARC) System, the Containment Spray System in the injection mode (CSSI), the Containment Spray System in the recirculation mode (CSSR), the Shutdown Cooling Heat Exchangers (SDHX), and the High Pressure Safety Recirculation (HPSR) System.

The Low Pressure Safety Recirculation (LPSR) System is not included in Figure A-2, because LPSR success depends on successful operator action after the LOCA to restore LPSR after automatic lockout by the Recirculation Actuation Signal (RAS). Successful operation of LPSR was treated as a recovery action in evaluation of the accident sequences.

The High Pressure Safety Injection (HPSI) System also is not included as a mitigating system in Figure A-2. The Calvert Cliffs FSAR states that the design bases and system requirements during a design basis accident are met with the operation of the four safety injection tanks (one spilling through the break) and one high-pressure and one low-pressure safety injection pump. NUREG/CR-1659 [1] uses this as the emergency core cooling success criterion in the Large LOCA analysis. But this criterion has been judged to be too conservative because a HPSI pump does not add significant flow compared to a single LPSI pump, considering the large difference between the design flow rates of the HPSI and LPSI pumps, a ratio of less than 1:8, and the time required for the pressure to decrease to the LPSI pump shutoff head. Thus, the system success criterion shown on Table A.1 for reactor heat removal during the injection phase of a Large LOCA, which does not include HPSI, is believed to describe a more realistic set of minimum system operating conditions.*

The Large LOCA mitigating systems form the headings of the following subsections. The letters shown in parentheses after the system acronyms are the event identifiers used to indicate system failures in the sequence designators on Figure A-2. For example, the sequence designator AFH is used to designate the sequence in which the initiating event is a Large LOCA and both CSSR and HPSR fail. The same format applies to the subsequent LOCA and transient event tree discussions.

The Large LOCA mitigating systems and their success criteria are briefly described in the following subsections. More detailed descriptions of the systems and their success criteria are presented in Appendix B. System interactions are described in Section A.2.1.2, and the significant system dependencies on operator actions are discussed in Chapter 6 of the main report.

A.2.1.1.1 Low Pressure Safety Injection, LPSI (D')

The Low Pressure Safety Injection (LPSI) system is one of the two systems which perform the early reactor heat removal function for the large break LOCA by providing coolant flow to the core. LPSI, operating in the injection mode, is aligned with the Refueling Water Tank (RWT). One of the two LPSI pump trains is required for successful operation in this mode. LPSI is automatically initiated by a Safety Injection Actuation Signal (SIAS) when pressurizer pressure drops below 1740 psia, or when containment pressure rises above 2.8 psig, but flow into the RCS will not commence until RCS pressure has dropped to approximately 185 psig. Successful operation of LPSI, together with SIT, is required for successful reactor heat removal during the injection phase. Failure of LPSI leads to core melt and precludes any significant effect of SIT success or failure on the core melt consequences.

* This conclusion is deduced from the CE small break analysis reported in Section VIII of Reference 7 and the revised analysis of CC-1 and 2 Emergency Core Cooling System performance in Appendix 14.15A of the FSAR. Even if HPSI was required for some intermediate break size, the Large LOCA sequences would still be negligible. The common support system requirements tend to dominate this sequence frequency.

A.2.1.1.2 Safety Injection Tanks, SIT (D)

The Safety Injection Tanks (SIT) system is the other system which, together with LPSI, is required to perform the early reactor heat removal function for the large break LOCA. Three of the four safety injection tanks (the water from one of the four is lost out the break) are required for successful operation. SIT is passive and discharges automatically into the Reactor Coolant System (RCS) when RCS pressure drops below approximately 200 psig. Failure of SIT leads to core melt but does not prevent LPSI from significantly affecting the consequences.

A.2.1.1.3 Containment Air Recirculation and Cooling, CARC (C)

The Containment Air Recirculation and Cooling (CARC) System can be used to attain successful containment heat removal, which is required during both injection and recirculation phases if the core melts and is needed during the recirculation phase, even if the core does not melt, of the Large LOCA. The CARC System draws the containment atmosphere past cooling coils which are cooled by the Service Water (SRW) System and the Salt Water System (SWS) (i.e., the coils are cooled by SRW and SRW is cooled by SWS) to remove heat from the containment. It is thus a means of reducing containment pressure caused by released steam. The CARC System consists of four air fans and associated coolers. Successful operation requires cooling from one of the four (1/4) fan units and its respective SRW subsystem. This criterion differs from the FSAR, but is based on the results of NUREG/CR-1659 [1]. CARC is automatically initiated by a Containment Spray Actuation Signal (CSAS) when a pressure of 4.25 psig or greater is sensed in containment.

Successful operation of CARC by itself is sufficient to perform the containment heat removal function during both injection and recirculation phases. Failure of CARC constitutes the loss of one of the two alternate means of containment heat removal during both injection and recirculation phases.


A.2.1.1.4 Containment Spray System in the Injection Mode, CSSI (C')

The Containment Spray System (CSS) can be used to attain successful containment heat removal, which is required during both injection and recirculation phases of the Large LOCA. In addition, following the failure of reactor heat removal or containment heat removal, the CSS is necessary for radioactivity removal, which is needed for consequence mitigation starting in the phase (injection or recirculation) during which core melt or containment failure occurs. The CSS delivers borated water droplets to the containment atmosphere through dual trains consisting of redundant spray headers and pumps and associated piping. During the injection phase, water is drawn from the RWT. Successful CSS operation for this phase requires flow from one of the two (1/2) CSSI pump trains. The CSS is actuated by a Containment Spray Actuation Signal (CSAS) when a pressure of 4.25 psig or greater is sensed in containment. The CSS alone can perform the containment radioactivity removal function, and CSSI by itself can perform the containment heat removal function during the injection phase. Failure of CSSI constitutes the loss of one of the two alternate means of containment heat removal, and the loss of the only means of containment radioactivity removal, during the injection phase.

(Another radioactivity removal system exists at Calvert Cliffs Unit 1; the containment iodine removal system. Radioactivity removal studies done for NUREG/CR-1659 showed that for LOCAs resulting in core melt, the iodine removal system did not have sufficient capacity to act as an alternate to the CSSI for severe accidents.)

A.2.1.1.5 Containment Spray System in the Recirculation Mode, CSSR (F)

The functions of the CSS are the same in the recirculation phase as in the injection phase. CSSR uses the same components as CSSI except the system segments upstream of the common pump suction headers (i.e., components associated with the RWT for CSSI versus components associated with the containment sump for CSSR). The shift of CSS from the injection mode to the recirculation mode is automatically initiated upon receipt of a Recirculation Actuation Signal (RAS) when the RWT level reaches 2.5 feet. Some manual action is required to complete the shift since the RWT isolation valves do not close automatically. In the recirculation mode, water is drawn from the containment sump, pumped through one or both Shutdown Cooling Heat Exchangers (SDHXs) and discharged into the containment building through a spray ring located near the top of the containment building. The water droplets fall to the floor of the containment where they mix with water that is ejected from the break in the RCS and collect in the containment sump.

Successful CSS operation in this mode requires flow from one of the two (1/2) CSSR pump trains. The CSS alone can perform the containment radioactivity removal function, and CSSR together with SDHX can perform the containment heat removal function during the recirculation phase. Failure of CSSR constitutes the loss of two things during the recirculation phase:

(1) One of the two alternate means of containment heat removal.*

(2) The only means of containment radioactivity removal.

A.2.1.1.6 Shutdown Cooling Heat Exchangers, SDHX (G)

The SDHXs are cooled by the Component Cooling Water System (CCWS), which in turn is cooled by the Salt Water System (SWS). This mode of cooling requires that one containment spray pump train and its respective shutdown cooling heat exchanger, component cooling subsystem, and salt water subsystem be operational. Although the SDHXs are physically part of the CSS, they are modeled as a separate system because their cooling function is not required for successful containment radioactivity removal. Their cooling function is required in conjunction with the CSS for successful containment heat removal only during the recirculation phase, because during the injection phase relatively cool water is being supplied from the RWTs. Likewise, the cooling function of either the SDHXs or CARC is required, together with HPSR, to perform the reactor heat removal function during the recirculation phase. Failure of SDHX constitutes the loss of two things during the recirculation phase:

(1) One of the two alternate means of the heat rejection part of reactor heat removal.*

(2) One of the two alternate means of containment heat removal.**

A.2.1.1.7 High Pressure Safety Recirculation, HPSR (H)

HPSR is the portion of the Safety Injection System (SIS) that, together with CARC or SDHX, performs the reactor heat removal function during the recirculation phase following a LOCA. Successful operation of HPSR requires flow from one of the three (1/3) HPSR pump trains. HPSR is automatically aligned to take suction from the containment sump upon receipt of an RAS when the RWT level reaches 2.5 feet. Without HPSR the containment sump water, even if it has been cooled by CARC or by the combination of CSSR and SDHX, will not be reinjected into the core. Thus, failure of HPSR constitutes failure of reactor heat removal during the recirculation phase.

* Without CSSR to provide flow on the primary side of the Shutdown Cooling Heat Exchangers, SDHX cannot be effective in rejecting heat.

** Without SDHX to reject heat, CSSR can only recirculate, not cool, the spilled reactor coolant in containment.

A.2.1.2 System Interactions

The following discussion explains how the mitigating system interdependencies have been translated into the existence or nonexistence of a success/failure decision at each point in the Large LOCA systemic event tree shown in Figure A-2. The explanation is keyed to the LOCA systemic event tree notes as applicable.

Both LPSI and SIT are required for successful reactor heat removal in the injection phase. It is anticipated that any variation in the severity of the core melt consequences due to faults of reactor heat removal during injection will depend primarily on whether LPSI succeeds or fails. Thus, failure of LPSI precludes any significant effect of SIT success or failure on the core melt consequences whereas if SIT fails LPSI can still significantly affect the consequences. Therefore, LPSI appears first in the event tree headings, and no success/failure decision is made for SIT following LPSI failure (Note 9).

CARC is not dependent upon any previous system in the Large LOCA systemic event tree, and thus, a CARC success/failure decision is made for every sequence.

Either CARC or CSSI alone is sufficient to perform the containment heat removal function during the injection phase. However, CSSI is the only system that can perform the containment radioactivity removal function during the injection phase. Containment radioactivity removal during the injection phase is required in all sequences involving core melt in the injection phase. Therefore, a CSSI success/failure decision is made for every sequence except those involving the combined success of LPSI, SIT, and CARC (Note 1).

Since the CSS uses mostly the same equipment in both modes of operation, failure of CSSI precludes success of CSSR. Therefore, a success/failure choice is not given for CSSR in sequences where CSSI has failed. A CSSR success/failure choice is, however, given in sequences where a CSSI success/failure decision has not been made, because in those sequences leading to core melt the severity of the offsite radiological dose consequences will vary depending on the success or failure of the containment radioactivity removal function during the recirculation phase.

Either CARC or the combined operation of CSSR and SDHX is sufficient for successful containment heat removal during the recirculation phase. Similarly, either CARC or the combined operation of CSSR and SDHX, in conjunction with HPSR, is sufficient for successful reactor heat removal during the recirculation phase. Thus, in sequences where CARC has succeeded a success/failure decision for SDHX is not made (Note 2). Also, since successful operation of SDHX is dependent on CSSR success, and CSSR success is dependent on CSSI success, a success/failure choice is not given for SDHX in sequences where either CSSI or CSSR has failed. Thus, SDHX success/failure decisions are made only in those sequences where CARC has failed and CSSR has succeeded.

The functional success of HPSR is dependent on the success of LPSI, SIT, and either CARC or the combination of CSSR (implying CSSI success) and SDHX. If the reactor heat removal function fails during the injection phase, early core melt will occur and thus reactor heat removal during the recirculation phase is no longer significant to accident mitigation. In sequences ACG and ACGH, where success/failure decisions have been made for CARC and SDHX and both have failed, HPSR will fail due primarily to either failure of an HPSR component or failure of the heat sink. An HPSR success/failure choice is given in this case to indicate the potential variation in consequences depending on the primary cause and the timing of HPSR failure (Notes 3 and 11). A success/failure choice for HPSR is not given in sequences ACF and ACC', where CARC has failed and either CSSI or CSSR has failed, even though the reactor heat removal function has been successful during the injection phase, because HPSR is assessed to fail due to boiling of the sump water upon failure of containment systems. In this case the assumption of HPSR failure early in the recirculation phase is conservative, although the difference in consequences between early and late HPSR failures is thought not to be significant (Note 4). Thus, a success/failure choice is given for HPSR only in those sequences involving success of the reactor heat removal function during the injection phase and success of the containment heat removal function during both injection and recirculation phases or, as noted above for sequences ACG and ACGH, to differentiate between the consequences of two different HPSR failure modes. In those sequences involving a success/failure decision for HPSR, failure of HPSR leads to core melt due to loss of reactor heat removal during the recirculation phase (Note 3).
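The decision rules of Section A.2.1.2 can be coded and used to enumerate the Large LOCA sequences they generate. The following is an added example, not part of the report and not a transcription of Figure A-2; the function names are hypothetical, and it assumes a CSSR decision is also made when CSSI has succeeded (the text states only the CSSI-failed and CSSI-not-decided cases).

```python
"""Added example: Large LOCA branching rules of Section A.2.1.2, coded from the prose.

Assumption: CSSR is also asked when CSSI has succeeded. Names are hypothetical.
"""

# (system, event identifier) in event tree heading order, from the subsection titles.
HEADINGS = [("LPSI", "D'"), ("SIT", "D"), ("CARC", "C"), ("CSSI", "C'"),
            ("CSSR", "F"), ("SDHX", "G"), ("HPSR", "H")]
INITIATOR = "A"  # Large LOCA


def is_asked(system, st):
    """Return True if a success/failure decision is made for `system`.

    `st` maps every earlier heading to True (success), False (failure)
    or None (no decision made).
    """
    # Reactor heat removal in the injection phase needs both LPSI and SIT.
    rhr_injection_ok = st.get("LPSI") is True and st.get("SIT") is True
    if system in ("LPSI", "CARC"):
        return True                       # decided in every sequence
    if system == "SIT":
        return st["LPSI"] is True         # Note 9: skipped after LPSI failure
    if system == "CSSI":
        # Note 1: skipped only when LPSI, SIT and CARC have all succeeded.
        return not (rhr_injection_ok and st["CARC"] is True)
    if system == "CSSR":
        return st["CSSI"] is not False    # CSSI failure precludes CSSR success
    if system == "SDHX":
        # Note 2 and the CSSR dependency: only after CARC failure and CSSR success.
        return st["CARC"] is False and st["CSSR"] is True
    if system == "HPSR":
        chr_injection = st["CARC"] is True or st["CSSI"] is True
        chr_recirc = st["CARC"] is True or (st["CSSR"] is True and st["SDHX"] is True)
        # ACG / ACGH case: CARC and SDHX both decided and both failed.
        heat_sink_lost = st["CARC"] is False and st["SDHX"] is False
        return rhr_injection_ok and ((chr_injection and chr_recirc) or heat_sink_lost)
    raise ValueError(f"unknown system: {system}")


def enumerate_sequences():
    """Walk the pruned tree depth-first; return {designator: state dict}."""
    sequences = {}

    def walk(i, st, failed):
        if i == len(HEADINGS):
            # Designator = initiator followed by identifiers of failed systems.
            sequences[INITIATOR + "".join(failed)] = dict(st)
            return
        system, ident = HEADINGS[i]
        if not is_asked(system, st):
            walk(i + 1, {**st, system: None}, failed)
            return
        walk(i + 1, {**st, system: True}, failed)
        walk(i + 1, {**st, system: False}, failed + [ident])

    walk(0, {}, [])
    return sequences


def decisions_made(designator):
    """List the systems for which a decision is made in one sequence."""
    state = enumerate_sequences()[designator]
    return [system for system, _ in HEADINGS if state[system] is not None]


if __name__ == "__main__":
    seqs = enumerate_sequences()
    print(f"{len(seqs)} sequences instead of {2 ** len(HEADINGS)} unpruned paths")
    for name in sorted(seqs, key=lambda s: (len(s), s)):
        print(f"{name:8s} decisions: {', '.join(decisions_made(name))}")
```
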

A.2.2 Small LOCA (S1)

The Small LOCA initiating event is a random rupture of the RCS piping having a break area greater than that of a 1.9-inch-diameter circular break but less than or equal to that of a 4.3-inch-diameter circular break. A Small LOCA involves a relatively slow depressurization of the primary system, such that the low-pressure portions of the Safety Injection System (SIS) will not be activated, but the rate of flow of coolant through the break and consequent makeup by High Pressure Safety Injection (HPSI) allows adequate reactor heat removal without depending on the secondary systems (i.e., steam, condensate and feedwater systems). Success of the reactor subcriticality function is dependent on the successful operation of the Reactor Protection System (RPS).


A.2.2.1 Front-Line Systems Required and Success Criteria

The front-line systems required to mitigate a Small LOCA comprise the headings of the Small LOCA systemic event tree (Figure A-4) and include the Reactor Protection System (RPS), the High Pressure Safety Injection (HPSI) System, the Containment Air Recirculation and Cooling (CARC) System, the Containment Spray System in the injection mode (CSSI), the Containment Spray System in the recirculation mode (CSSR), the Shutdown Cooling Heat Exchangers (SDHX), and the High Pressure Safety Recirculation (HPSR) System.

The Small LOCA mitigating systems and their success criteria are briefly described in the following subsections.

More detailed descriptions of the systems and their success criteria are presented in Appendix B. System interactions are described in Section A.2.2.2, and the significant system dependencies on operator actions are discussed in Chapter 6 of the main report.

A.2.2.1.1 Reactor Protection System, RPS (K)

The function of the RPS for this event is to insert automatically and rapidly a sufficient number of Control Element Assemblies (CEAs) into the core to render the reactor subcritical. One half of the CEAs are required to be inserted for RPS success.* RPS alone is sufficient to perform the reactor subcriticality function. Failure of RPS in the Small LOCA case leads to core melt.

* This criterion is based on the definition of PWR scram failure contained in NUREG-0460, "Anticipated Transients Without Scram for Light Water Reactors," (U.S. Nuclear Regulatory Commission, April 1978), Appendix II, "Scram Failure Probability." [2]

A.2.2.1.2 High Pressure Safety Injection, HPSI (D")

HPSI is the portion of the SIS that, by itself, performs the reactor heat removal function during the injection phase following a Small LOCA. HPSI, operating in the injection mode, is aligned with the Refueling Water Tank (RWT). Successful operation of HPSI requires flow from one of the three (1/3) HPSI pump trains. HPSI is automatically initiated by an SIAS when pressurizer pressure drops below 1740 psia, or when containment pressure rises above 2.8 psig, but flow into the RCS will not commence until RCS pressure has dropped to the HPSI pump shutoff head of 1275 psia. Failure of HPSI leads to core melt.

A.2.2.1.3 Containment Air Recirculation and Cooling, CARC (C)

The Containment Air Recirculation and Cooling (CARC) System can be used to attain successful containment heat removal, which is used for consequence mitigation following core melt during both injection and recirculation phases and is needed during the recirculation phase even if the core does not melt. The CARC System draws the containment atmosphere past cooling coils which are cooled by the Service Water (SRW) System and the Salt Water System (SWS) (i.e., the coils are cooled by SRW and SRW is cooled by SWS) to remove heat from the containment. It is thus a means of reducing containment pressure caused by released steam. The CARC System consists of four air fans and associated coolers. Successful operation requires cooling from one of the four (1/4) fan units and its respective SRW subsystem. This criterion differs from the FSAR, but is based on the results of NUREG/CR-1659 [1]. CARC is automatically initiated by a Containment Spray Actuation Signal (CSAS) when a pressure of 4.25 psig or greater is sensed in containment.

Successful operation of CARC by itself is sufficient to perform the containment heat removal function during both injection and recirculation phases. Failure of CARC constitutes the loss of one of the two alternate means of containment heat removal during both injection and recirculation phases.

A.2.2.1.4 Containment Spray System in the Injection Mode, CSSI (C')

The Containment Spray System (CSS) can be used to attain successful containment heat removal, which is needed for consequence mitigation following core melt during both injection and recirculation phases of the Small LOCA and is needed during the recirculation phase even if the core does not melt. In addition, following the failure of reactor heat removal or containment heat removal, the CSS is necessary for containment radioactivity removal, which is needed for consequence mitigation starting in the phase (injection or recirculation) during which core melt or containment failure occurs. The CSS delivers borated water droplets to the containment atmosphere through dual trains consisting of redundant spray headers and pumps and associated piping. During the injection phase, water is drawn from the RWT. Successful CSS operation for this phase requires flow from one of the two (1/2) CSSI pump trains. The CSS is actuated by a Containment Spray Actuation Signal (CSAS) when a pressure of 4.25 psig or greater is sensed in containment. The CSS alone can perform the containment radioactivity removal function, and CSSI by itself can perform the containment heat removal function during the injection phase. Failure of CSSI constitutes the loss of one of the two alternate means of containment heat removal, and the loss of the only means of containment radioactivity removal, during the injection phase.

A.2.2.1.5 Containment Spray System in the Recirculation Mode, CSSR (F)

NOTE: This subsection is identical to Subsection A.2.1.1.5.

The functions of the CSS are the same in the recirculation phase as in the injection phase. CSSR uses the same components as CSSI except the system segments upstream of the common pump suction headers (i.e., components associated with the RWT for CSSI versus components associated with the containment sump for CSSR). The shift of CSS from the injection mode to the recirculation mode is automatically initiated upon receipt of a Recirculation Actuation Signal (RAS) when the RWT level reaches 2.5 feet. Some manual action is required to complete the shift since the RWT isolation valves do not close automatically. In the recirculation mode, water is drawn from the containment sump, pumped through one or both Shutdown Cooling Heat Exchangers (SDHXs) and discharged into the containment building through a spray ring located near the top of the containment building. The water droplets fall to the floor of the containment where they mix with water that is ejected from the break in the RCS and collect in the containment sump.

Successful CSS operation in this mode requires flow from one of the two (1/2) CSSR pump trains. The CSS alone can perform the containment radioactivity removal function, and CSSR together with SDHX can perform the containment heat removal function during the recirculation phase. Failure of CSSR constitutes the loss of two things during the recirculation phase:

(1) One of the two alternate means of containment heat removal.*

(2) The only means of containment radioactivity removal.

* Without CSSR to provide flow on the primary side of the Shutdown Cooling Heat Exchangers, SDHX cannot be effective in rejecting heat.

A.2.2.1.6 Shutdown Cooling Heat Exchangers, SDHX (G)

NOTE: This subsection is identical to Subsection A.2.1.1.6.

The SDHXs are cooled by the Component Cooling Water System (CCWS), which in turn is cooled by the Salt Water System (SWS). This mode of cooling requires that one containment spray pump train and its respective shutdown cooling heat exchanger, component cooling subsystem, and salt water subsystem be operational. Although the SDHXs are physically part of the CSS, they are modeled as a separate system because their cooling function is not required for successful containment radioactivity removal. Their cooling function is required in conjunction with the CSS for successful containment heat removal only during the recirculation phase because during the injection phase relatively cool water is being supplied from the RWTs. Likewise, the cooling function of either the SDHXs or CARC is required, together with HPSR, to perform the reactor heat removal function during the recirculation phase. Failure of SDHX constitutes the loss of two things during the recirculation phase:

(1) One of the two alternate means of the heat rejection part of reactor heat removal.*

(2) One of the two alternate means of containment heat removal.**

A.2.2.1.7 High Pressure Safety Recirculation, HPSR (H)

NOTE: This subsection is identical to Subsection A.2.1.1.7.

HPSR is the portion of the Safety Injection System (SIS) that, together with CARC or SDHX, performs the reactor heat removal function during the recirculation phase following a LOCA. Successful operation of HPSR requires flow from one of the three (1/3) HPSR pump trains. HPSR is automatically aligned to take suction from the containment sump upon receipt of an RAS when the RWT level reaches 2.5 feet. Without HPSR the containment sump water, even if it has been cooled by CARC or by the combination of CSSR and SDHX, will not be reinjected into the core. Thus, failure of HPSR constitutes failure of reactor heat removal during the recirculation phase.

A.2.2.2 System Interactions

The following discussion explains how the mitigating system interdependencies have been translated into the existence or nonexistence of a success/failure decision at each point in the Small LOCA systemic event tree shown in Figure A-4. The explanation is keyed to the LOCA systemic event tree notes as applicable.

* Without CSSR to provide flow on the primary side of the Shutdown Cooling Heat Exchangers, SDHX cannot be effective in rejecting heat.

** Without SDHX to reject heat, CSSR can only recirculate, not cool, the spilled reactor coolant in containment.

RPS alone performs the reactor subcriticality function. All sequences involving RPS failure are assumed to result in core melt (Note 6). For simplicity in the systemic event tree structure, and in conformance with the functional event tree, the RPS success/failure decision is made first.

If the reactor subcriticality function fails, reactor heat removal in both injection and recirculation phases will not significantly affect the core melt consequences. Thus, HPSI and HPSR success/failure choices are not given in the event tree branches which follow RPS failure. In these branches, the only success/failure choices which significantly affect the consequences are the choices involving containment heat removal or containment radioactivity removal (i.e., CARC, CSSI, CSSR, and SDHX).

Given success of the reactor subcriticality function, a success/failure choice is given for HPSI, which alone performs the reactor heat removal function during the injection phase (Note 5).

CARC is not dependent on any previous system in the Small LOCA systemic event tree, and thus, a CARC success/failure decision is made for every sequence.

Either CARC or CSSI alone is sufficient to perform the containment heat removal function during the injection phase. However, CSSI is the only system that can perform the containment radioactivity removal function during the injection phase. Containment radioactivity removal during the injection phase is required in all sequences except those involving the combined success of RPS, HPSI, and CARC. Therefore, a CSSI success/failure decision is made for every sequence except those involving the combined success of RPS, HPSI, and CARC (Note 1).

Since the CSS uses mostly the same equipment in both modes of operation, failure of CSSI precludes success of CSSR. Therefore, a success/failure choice is not given for CSSR in sequences where CSSI has failed. A CSSR success/failure choice is, however, given in sequences where a CSSI success/failure decision has not been made, because in those sequences leading to core melt the severity of the offsite radiological dose consequences will vary depending on the success or failure of the containment radioactivity removal function during the recirculation phase.

Either CARC or the combined operation of CSSR and SDHX is sufficient for successful containment heat removal during the recirculation phase. Similarly, either CARC or the combined operation of CSSR and SDHX, in conjunction with HPSR, is sufficient for successful reactor heat removal during the recirculation phase. Thus, in sequences where CARC has succeeded a success/failure decision for SDHX is not made (Note 2). Also, since successful operation of SDHX is dependent on CSSR success, and CSSR success is dependent on CSSI success, a success/failure choice is not given for SDHX in sequences where either CSSI or CSSR has failed. Thus, SDHX success/failure decisions are made only in those sequences where CARC has failed and CSSR has succeeded.

The functional success of HPSR is dependent on the success of RPS, HPSI, and either CARC or the combination of CSSR (implying CSSI success) and SDHX. If the reactor heat removal function fails during the injection phase, early core melt will occur and thus reactor heat removal during the recirculation phase is not significant to accident mitigation. In sequences S1CG and S1CGH, where success/failure decisions have been made for CARC and SDHX and both have failed, HPSR will fail due primarily to either failure of an HPSR component or failure of the heat sink. An HPSR success/failure choice is given in this case to indicate the potential variation in consequences depending on the primary cause and the timing of HPSR failure (Notes 3 and 11). A success/failure choice for HPSR is not given in sequences S1CF and S1CC', where CARC has failed and either CSSI or CSSR has failed, even though the reactor heat removal function has been successful during the injection phase, because HPSR will eventually fail due to boiling of the sump water upon failure of containment systems. In this case the assumption of HPSR failure early in the recirculation phase is conservative, although the difference in consequences between early and late HPSR failures is not thought to be significant (Note 4). Thus, a success/failure choice is given for HPSR only in those sequences involving success of the reactor subcriticality function, success of the reactor heat removal function during the injection phase, and success of the containment heat removal function during both injection and recirculation phases or, as noted above for sequences S1CG and S1CGH, to differentiate between the consequences of two different HPSR failure modes. In those sequences involving a success/failure decision for HPSR, failure of HPSR leads to core melt during the recirculation phase (Note 3).

A.2.3 Small-small LOCA (S2)

The Small-small LOCA initiating event is a random rupture of the RCS piping or a reactor coolant pump seal having a break area greater than that of a 0.3-inch-diameter circular break but less than or equal to that of a 1.9-inch-diameter circular break. In a Small-small LOCA, the rate of flow of coolant through the break is greater than the capability of the normal reactor coolant makeup system, and HPSI is initiated based on a low pressurizer pressure signal. However, the rate of coolant loss through the Small-small break is insufficient to remove enough decay heat to prevent a core melt and therefore secondary heat removal is required. Success of the reactor subcriticality function is dependent on the successful operation of the Reactor Protection System (RPS).

In addition to random piping ruptures, S2 can also be transient-induced. An example of a transient-induced LOCA is the failure of a pressurizer power-operated relief valve (PORV) to reclose after opening in response to a transient. A PORV has a diameter of 1.18 inches.

A.2.3.1 Front-Line Systems Required and Success Criteria

The front-line systems required to mitigate a Small-small LOCA comprise the headings of the Small-small LOCA systemic event tree (Figure A-5) and include the Reactor Protection System (RPS), Secondary System Relief with Auxiliary Feedwater (SSR with AFW), the High Pressure Safety Injection (HPSI) System, the Containment Air Recirculation and Cooling (CARC) System, the Containment Spray System in the injection mode (CSSI), the Containment Spray System in the recirculation mode (CSSR), the Shutdown Cooling Heat Exchangers (SDHX), and the High Pressure Safety Recirculation (HPSR) System.

The Small-small LOCA mitigating systems and their success criteria are briefly described in the following subsections.

More detailed descriptions of the systems and their success criteria are presented in Appendix B. System interactions are described in Section A.2.3.2, and the significant system dependencies on operator actions are discussed in Chapter 6 of the main report.

A.2.3.1.1 Reactor Protection System, RPS (K)

NOTE: This subsection is identical to Subsection A.2.2.1.1.

The function of the RPS for this event is to insert automatically and rapidly a sufficient number of Control Element Assemblies (CEAs) into the core to render the reactor subcritical. One half of the CEAs are required to be inserted for RPS success.* RPS alone is sufficient to perform the reactor subcriticality function. Failure of RPS leads to core melt.

* This criterion is based on the definition of PWR scram failure contained in NUREG-0460, "Anticipated Transients Without Scram for Light Water Reactors," (U.S. Nuclear Regulatory Commission, April 1978), Appendix II, "Scram Failure Probability." [2]

A.2.3.1.2 Secondary System Relief With Auxiliary Feedwater, SSR with AFW (L)

Both SSR and Auxiliary Feedwater (AFW) systems must operate in order to attain functional success of reactor heat removal in the event of PCS failure. Successful operation of AFW is defined as feedwater flow to 1 of 2 steam generators through 2 of the 4 flow paths at 200 gpm each or feedwater flow to 1 of 2 steam generators through 1 of 4 flow paths at 400 gpm. The required driving force comes from 1 of 1 motor-driven pump at 450 gpm or from 1 of 1 turbine-driven pump at 700 gpm. The locked-out second turbine-driven pump and Unit 2's motor-driven pump are assumed to be initially unavailable and are treated as recovery actions.

The second half of the reactor heat removal function is SSR. Successful steam relief can be carried out by one of three sets of valves: 1 of 4 turbine bypass valves, 2 of 2 atmospheric dump valves, or 1 of 16 steam generator safety valves. Both SSR and AFW are shown together as parts of the same event heading, success of which requires both systems.

The failure of SSR with AFW constitutes the loss of the secondary heat removal function during the injection phase and results in core melt.

A.2.3.1.3 High Pressure Safety Injection, HPSI (D")

HPSI is the portion of the SIS that performs the reactor coolant makeup during the injection phase following a Small-small LOCA. HPSI, operating in the injection mode, is aligned with the Refueling Water Tank (RWT). Successful operation of HPSI requires flow from one of the three (1/3) HPSI pump trains. HPSI is automatically initiated by an SIAS when pressurizer pressure drops below 1740 psia, or when containment pressure rises above 2.8 psig, but flow into the RCS will not commence until RCS pressure has dropped to the HPSI pump shutoff head of 1275 psia. Failure of HPSI constitutes the loss of primary coolant makeup during the injection phase and leads to core melt.

A.2.3.1.4 Containment Air Recirculation and Cooling, CARC (C)

NOTE: This subsection is identical to Subsections A.2.1.1.3 and A.2.2.1.3.

The Containment Air Recirculation and Cooling (CARC) System can be used to attain successful containment heat removal, which is needed for consequence mitigation following core melt during the injection and recirculation phases of the Small-small LOCA and is needed during the recirculation phase even if the core does not melt. The CARC System draws the containment atmosphere past cooling coils which are cooled by the Service Water (SRW) System and the Salt Water System (SWS) (i.e., the coils are cooled by SRW and SRW is cooled by SWS) to remove heat from the containment. It is thus a means of reducing containment pressure caused by released steam. The CARC system consists of four air fans and associated coolers. Successful operation requires cooling from one of the four (1/4) fan units and its respective SRW subsystem. This criterion differs from the FSAR, but is based on the results of NUREG/CR-1659 [1]. CARC is automatically initiated by a Containment Spray Actuation Signal (CSAS) when a pressure of 4.25 psig or greater is sensed in containment. Successful operation of CARC by itself is sufficient to perform the containment heat removal function during both injection and recirculation phases. Failure of CARC constitutes the loss of one of the two alternate means of containment heat removal during both injection and recirculation phases.

A.2.3.1.5 Containment Spray System in the Injection Mode, CSSI (C')

NOTE: This subsection is identical to Subsections A.2.1.1.4 and A.2.2.1.4.

The Containment Spray System (CSS) can be used to attain successful containment heat removal, which is needed for consequence mitigation following core melt during both injection and recirculation phases of the Small-small LOCA and is needed during the recirculation phase even if the core does not melt. In addition, following the failure of reactor heat removal or containment heat removal, the CSS is necessary for containment radioactivity removal, which is needed for consequence mitigation starting in the phase (injection or recirculation) during which core melt or containment failure occurs. The CSS delivers borated water droplets to the containment atmosphere through dual trains consisting of redundant spray headers and pumps and associated piping. During the injection phase, water is drawn from the RWT. Successful CSS operation for this phase requires flow from one of the two (1/2) CSSI pump trains. The CSS is actuated by Containment Spray Actuation Signal (CSAS) when a pressure of 4.25 psig or greater is sensed in containment. The CSS alone can perform the containment radioactivity removal function, and CSSI by itself can perform the containment heat removal function during the injection phase. Failure of CSSI constitutes the loss of one of the two alternate means of containment heat removal, and the loss of the only means of containment radioactivity removal, during the injection phase.

A.2.3.1.6 Containment Spray System in the Recirculation Mode, CSSR (F)

NOTE: This subsection is identical to Subsections A.2.1.5 and A.2.2.1.5.

The functions of the CSS are the same in the recirculation phase as in the injection phase. CSSR uses the same components as CSSI except the system segments upstream of the common pump suction headers (i.e., components associated with the RWT for CSSI versus components associated with the containment sump for CSSR). The shift of CSS from the injection mode to the recirculation mode is automatically initiated upon receipt of a recirculation actuation signal (RAS) when the RWT level reaches 2.5 feet. Some manual action is required to complete the shift since the RWT isolation valves do not close automatically. In the recirculation mode, water is drawn from the containment sump, pumped through one or both Shutdown Cooling Heat Exchangers (SDHXs) and discharged into the containment building through a spray ring located near the top of the containment building. The water droplets fall to the floor of the containment where they mix with water that is ejected from the break in the RCS and collect in the containment sump. Successful CSS operation in this mode requires flow from one of the two (1/2) CSSR pump trains. The CSS alone can perform the containment radioactivity removal function, and CSSR together with SDHX can perform the containment heat removal function during the recirculation phase. Failure of CSSR constitutes the loss of two things during the recirculation phase:

(1) One of the two alternate means of containment heat removal.*

(2) The only means of containment radioactivity removal.

* Without CSSR to provide flow on the primary side of the Shutdown Cooling Heat Exchangers, SDHX cannot be effective in rejecting heat.

A.2.3.1.7 Shutdown Cooling Heat Exchangers, SDHX (G)

NOTE: This subsection is identical to Subsections A.2.1.1.6 and A.2.2.1.6.

The SDHXs are cooled by the Component Cooling Water System (CCWS), which in turn is cooled by the Salt Water System (SWS). This mode of cooling requires that one containment spray pump train and its respective shutdown cooling heat exchanger, component cooling subsystem, and salt water subsystem be operational. Although the SDHXs are physically part of the CSS, they are modeled as a separate system because their cooling function is not required for successful containment radioactivity removal. Their cooling function is required in conjunction with the CSS for successful containment heat removal only during the recirculation phase because during the injection phase relatively cool water is being supplied from the RWTs. Likewise, the cooling function of either the SDHXs or CARC is required, together with HPSR, to perform the reactor heat removal function during the recirculation phase. Failure of SDHX constitutes the loss of two things during the recirculation phase:

(1) One of the two alternate means of the heat rejection part of reactor heat removal.*

(2) One of the two alternate means of containment heat removal.**

* Without CSSR to provide flow on the primary side of the Shutdown Cooling Heat Exchangers, SDHX cannot be effective in rejecting heat.

** Without SDHX to reject heat, CSSR can only recirculate, not cool, the spilled reactor coolant in containment.

A.2.3.1.8 High Pressure Safety Recirculation, HPSR (H)

NOTE: This subsection is identical to Subsections A.2.1.1.7 and A.2.2.1.7.

HPSR is the portion of the Safety Injection System (SIS) that, together with CARC or SDHX, performs the reactor heat removal function during the recirculation phase following a LOCA. Successful operation of HPSR requires flow from one of the three (1/3) HPSR pump trains. HPSR is automatically aligned to take suction from the containment sump upon receipt of an RAS when the RWT level reaches 2.5 feet. Without HPSR the containment sump water, even if it has been cooled by CARC or by the combination of CSSR and SDHX, will not be reinjected into the core. Thus, failure of HPSR constitutes failure of reactor heat removal during the recirculation phase.

A.2.3.2 System Interactions

The following discussion explains how the mitigating system interdependencies have been translated into the existence or nonexistence of a success/failure decision at each point in the Small-small LOCA systemic event tree shown in Figure A-5. The explanation is keyed to the LOCA systemic event tree notes as applicable.

RPS alone performs the reactor subcriticality function. All sequences involving RPS failure are assumed to result in core melt (Note 6). For simplicity in the systemic event tree structure, and in conformance with the functional event tree, the RPS success/failure decision is made first.

Failure of RPS with the reactor initially at full power, and the consequent loss of service water cooling to PCS components upon SIAS initiation, would leave only HPSI and SSR with AFW to remove reactor heat. RCS pressure is not expected to drop below the HPSI pump shutoff head of 1275 psia in time to prevent core melt if the reactor subcriticality function has failed, because the rate of energy release out the Small-small break is initially less than the rate of energy addition to the reactor coolant system from the reactor, and therefore HPSI and HPSR success/failure choices are not given (Note 8).

Given success of the reactor subcriticality function, SSR with AFW, in combination with HPSI, can perform the reactor heat removal and makeup functions during the injection phase. Thus, a success/failure choice is given for HPSI in every sequence involving RPS success except those where AFW has failed (Note 7). In those sequences involving a HPSI success/failure decision, HPSI failure leads to core melt during the injection phase (Note 5).

CARC is not dependent on any previous system in the Small-small LOCA systemic event tree, and thus, a CARC success/failure decision is made for every sequence except, as noted above, those in which both reactor subcriticality and reactor heat removal functions have failed.

Either CARC or CSSI alone is sufficient to perform the containment heat removal function during the injection phase. However, CSSI is the only system that can perform the containment radioactivity removal function during the injection phase. Containment radioactivity removal during the injection phase is required in all sequences except those involving the combined success of reactor subcriticality, reactor heat removal, and CARC. Therefore, a CSSI success/failure decision is made for every sequence except those involving the combined success of reactor subcriticality, reactor heat removal, and CARC (Note 1).

Since the CSS uses mostly the same equipment in both modes of operation, failure of CSSI precludes success of CSSR. Therefore, a success/failure choice is not given for CSSR in sequences where CSSI has failed. A CSSR success/failure choice is, however, given in sequences where a CSSI success/failure decision has not been made, because in those sequences leading to core melt the severity of the offsite radiological dose consequences will vary depending on the success or failure of the containment radioactivity removal function during the recirculation phase.

Either CARC or the combined operation of CSSR and SDHX is sufficient for successful containment heat removal during the recirculation phase. Similarly, either CARC or the combined operation of CSSR and SDHX, in conjunction with HPSR, is sufficient for successful reactor heat removal during the recirculation phase. Thus, in sequences where CARC has succeeded a success/failure decision for SDHX is not made (Note 2). Also, since successful operation of SDHX is dependent on CSSR success, and CSSR success is dependent on CSSI success, a success/failure choice is not given for SDHX in sequences where either CSSI or CSSR has failed. Thus, SDHX success/failure decisions are made only in those sequences where CARC has failed and CSSR has succeeded.

The functional success of HPSR is dependent on the success of RPS, SSR and AFW, HPSI, and either CARC or the combination of CSSR (implying CSSI success) and SDHX. If the reactor heat removal function fails during the injection phase, early core melt will occur and thus reactor heat removal during the recirculation phase is not significant to accident mitigation.

In sequences S2CG and S2CGH, where success/failure decisions have been made for CARC and SDHX and both have failed, HPSR will fail due primarily to either failure of an HPSR component or failure of the heat sink. An HPSR success/failure choice is given in this case to indicate the potential variation in consequences depending on the primary cause and the timing of HPSR failure (Notes 3 and 11). A success/failure choice for HPSR is not given in sequences S2CF and S2CC', where CARC has failed and either CSSI or CSSR has failed, even though the reactor heat removal function has been successful during the injection phase, because HPSR will eventually fail due to boiling of the sump upon failure of containment systems. In this case the assumption of HPSR failure early in the recirculation phase is conservative, although the difference in consequences between early and late HPSR failures is not thought to be significant (Note 4). Thus, a success/failure choice is given for HPSR only in those sequences involving success of the reactor subcriticality function, success of the reactor heat removal function during the injection phase, and success of the containment heat removal function during both injection and recirculation phases or, as noted above for sequences S2CG and S2CGH, to differentiate between the consequences of two different HPSR failure modes. In those sequences involving a success/failure decision for HPSR, failure of HPSR leads to core melt due to loss of reactor heat removal during the recirculation phase (Note 3).

The event tree modeling of systems in the recirculation mode is conservative. A real Small-small LOCA sequence might involve an orderly transition to normal operation of the shutdown cooling system (which shares the shutdown cooling heat exchangers and some pumps, piping and valves with the engineered safety feature systems) following successful reactor shutdown during the injection phase, so that the mitigating systems would never be called upon for automatic operation in the recirculation mode. Such a Small-small LOCA sequence might be initiated by a reactor coolant pump seal leak, for example. However, as a result of the analysis, the failure of common support systems dominates these sequences and, in most cases, would also lead to failure of the shutdown cooling system. This was treated as a possible recovery action for the dominant sequences.
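The branch-point rules of Section A.2.3.2 can be checked mechanically. The Python below is an added example, not part of the report: it enumerates only the RPS-success sequences of the Small-small LOCA (S2) tree, and the function names and outcome labels are assumptions that encode the rules as stated in the text above.

```python
# Added illustration of the Section A.2.3.2 branch-point rules for the
# Small-small LOCA (S2) systemic event tree, RPS-success sequences only.
# Heading letters follow the report: L = SSR with AFW, D" = HPSI, C = CARC,
# C' = CSSI, F = CSSR, G = SDHX, H = HPSR. All function names are hypothetical.

ORDER = ["L", 'D"', "C", "C'", "F", "G", "H"]


def _ok(state, heading):
    """True only if a decision was made for this heading and it succeeded."""
    return state.get(heading) is True


def _failed(state, heading):
    """True only if a decision was made for this heading and it failed."""
    return state.get(heading) is False


def injection_heat_removal_ok(state):
    """Reactor heat removal and makeup in the injection phase: SSR-AFW and HPSI."""
    return _ok(state, "L") and _ok(state, 'D"')


def is_asked(heading, state):
    """Does the tree give a success/failure choice for this heading here?"""
    rehr_inj = injection_heat_removal_ok(state)
    if heading == "L":
        return True
    if heading == 'D"':
        return _ok(state, "L")                       # Note 7
    if heading == "C":
        return True                                  # RPS success assumed
    if heading == "C'":
        return not (rehr_inj and _ok(state, "C"))    # Note 1
    if heading == "F":
        return not _failed(state, "C'")              # CSSI failure precludes CSSR
    if heading == "G":
        return _failed(state, "C") and _ok(state, "F")   # Note 2
    if heading == "H":
        # Asked only after injection-phase success, and then either with CARC
        # success or with CSSR success (covers S2CG/S2CGH); never in S2CF, S2CC'.
        return rehr_inj and (_ok(state, "C") or _ok(state, "F"))
    raise ValueError(heading)


def classify(state):
    """Outcome label derived from the text's rules (labels are this example's)."""
    if not injection_heat_removal_ok(state):
        return "core melt, injection phase"
    heat_sink = _ok(state, "C") or (_ok(state, "F") and _ok(state, "G"))
    if _ok(state, "H") and heat_sink:
        return "no core melt"
    return "core melt, recirculation phase"


def sequence_name(state):
    """Report-style name: S2 followed by the failed headings in tree order."""
    return "S2" + "".join(h for h in ORDER if _failed(state, h))


def enumerate_sequences(index=0, state=None):
    """Walk the headings in order, branching only where a choice is given."""
    state = dict(state or {})
    if index == len(ORDER):
        return {sequence_name(state): state}
    heading = ORDER[index]
    if not is_asked(heading, state):
        return enumerate_sequences(index + 1, state)
    sequences = {}
    for result in (True, False):
        sequences.update(
            enumerate_sequences(index + 1, {**state, heading: result})
        )
    return sequences


if __name__ == "__main__":
    for name, state in enumerate_sequences().items():
        decided = "".join(h for h in ORDER if h in state)
        print(f"{name:10s} decided={decided:12s} {classify(state)}")
```

The enumeration reproduces the sequences the text names (S2CG, S2CGH, S2CF, S2CC') and shows which headings carry no decision in each of them.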


Table A.1 LOCA EVENT DEFINITION AND MITIGATING SYSTEMS SUCCESS CRITERIA FOR CALVERT CLIFFS UNIT 1

| LOCA Size (1) / Mitigating Function (2) | Reactor Subcriticality (RESC) | Injection Phase: Reactor Heat Removal (REHR) | Injection Phase: Containment Atmospheric Heat Removal (CNHR) | Injection Phase: Containment Radioactivity Removal (CNRR) | Recirculation Phase: Reactor Heat Removal (REHR) | Recirculation Phase: Containment Atmospheric Heat Removal (CNHR) | Recirculation Phase: Containment Radioactivity Removal (CNRR) |
|---|---|---|---|---|---|---|---|
| Small-Small, 0.3" < D* ≤ 1.9" | RPS | 1/3 HPSI AND SSR AND 1/2 AFW | 1/2 CSSI OR 1/4 CARC (4) | 1/2 CSSI | 1/3 HPSR | 1/2 CSSR with 1/2 SDHX OR 1/4 CARC | 1/2 CSSR |
| Small, 1.9" < D* ≤ 4.3" | RPS | 1/3 HPSI | 1/2 CSSI OR 1/4 CARC (4) | 1/2 CSSI | 1/3 HPSR | 1/2 CSSR with 1/2 SDHX OR 1/4 CARC | 1/2 CSSR |
| Large, D* > 4.3" | None Required (5) | 3/4 SITS AND 1/2 LPSI | 1/2 CSSI OR 1/4 CARC | 1/2 CSSI | 1/3 HPSR | 1/2 CSSR with 1/2 SDHX OR 1/4 CARC | 1/2 CSSR |

TABLE A.1 NOTES

1. D* = Equivalent diameter of break in inches.
2. Mitigating functions are performed by mitigating systems. Mitigating systems success criteria are defined as follows:

RPS = Reactor Protection System. One half of the control element assemblies (CEAs) insert.

3/4 SITS = Safety Injection Tanks. 3 of 4 SIT trains (not connected to the failed loop) operate.

1/3 HPSI = High Pressure Safety Injection. 1 of 3 HPSI pump trains operates with 1 of 4 safety injection headers (not connected to the failed loop).

1/3 HPSR = High Pressure Safety Recirculation. 1 of 3 HPSR pump trains operates with 1 of 4 safety injection headers (not connected to the failed loop).

1/2 LPSI = Low Pressure Safety Injection. 1 of 2 LPSI pump trains operates with 1 of 4 safety injection headers (not connected to the failed loop).

1/2 LPSR = Low Pressure Safety Recirculation. 1 of 2 LPSR pump trains operates with 1 of 4 safety injection headers (not connected to the failed loop).

SSR = Secondary Steam Relief. 2 of 2 atmospheric dump valves dump steam directly to the outside atmosphere, OR 1 of 16 steam generator safety valves dumps steam directly to the outside atmosphere.

1/2 AFW = Auxiliary Feedwater. 1 of 2 steam generators supplied by 1 of 2 AFW pump trains.

1/2 CSSI = Containment Spray System Injection. 1 of 2 CSSI pump trains operates.

1/2 CSSR = Containment Spray System Recirculation. 1 of 2 pump trains operates.

1/2 SDHX = Shutdown Cooling Heat Exchanger. 1 of 2 SDHXs (associated with the operating CSSR pump train) provides cooling.

1/4 CARC = Containment Air Recirculation and Cooling. 1 of 4 fan cooler trains operates.

3. The function of containment radioactivity removal is not required if reactor heat removal and containment heat removal have been successful. However, the severity of the offsite radiological consequences of any sequence which ends in core melt or containment failure will be affected by the success or failure of the containment radioactivity removal function in the injection and/or recirculation phase, depending on the timing of core melt and/or containment failure.
4. The function of containment heat removal may not be required for LOCA breaks with D* > 4.3 inches, providing the reactor heat removal function in the injection phase and the reactor subcriticality function have been successful. However, if either the reactor heat removal function in the injection phase or the reactor subcriticality function has not been successful, then the consequence will be core melt, but the severity of the offsite radiological consequences will be affected by the success or failure of the containment heat removal function in the injection phase.
5. The reactor subcriticality function is not dependent on the successful operation of mitigating systems for LOCA breaks with D* > 4.3 inches. The reactor is automatically rendered subcritical due to core voiding during the blowdown phase and is maintained subcritical during the subsequent core reflood by borated water from the Safety Injection System (SIS). The probability of injection of inadequately borated water from the Refueling Water Tank (RWT) into the core is insignificant.

Figure A-1 Large LOCA (A) Functional Event Tree. Headings: Initiating Event (Large LOCA, A); Mitigating Functions Response: Reactor Subcriticality (RESC); Injection Phase: Reactor Heat Removal (REHR), Containment Atmospheric Heat Removal (CNHR), Containment Radioactivity Removal (CNRR); Recirculation Phase: REHR, CNHR, CNRR; Sequence; Result. Sequence 1 results in SAFE; sequences 2 through 15 result in CM.

[Figures A-2 through A-5: LOCA event tree diagrams, including the Small-small LOCA systemic event tree of Figure A-5.]

Table A.2 Notes for LOCA Systemic Event Trees

1. CSSI is not required, because CARC performs the containment heat removal function during the injection phase, and because containment radioactivity removal is not needed until after core melt, which occurs during the recirculation phase if at all.
2. SDHX is not required because: (1) CARC performs the containment heat removal function, (2) the combined operation of CARC and HPSR can perform the reactor heat removal function, and (3) CSSR performs the containment radioactivity removal function independent of SDHX.
3. Core melt occurs early in the recirculation phase because of loss of core makeup due to failure of HPSR.
4. HPSR will eventually fail due to failure of containment systems.
5. Core melt occurs during the injection phase due to failure of HPSI.
6. Core melt occurs during the injection phase due to failure of RPS. Primary pressure will not drop below the HPSI shutoff head in time to prevent core uncovery and melt since the turbine will not trip for an extended period of time and reactor power and pressure will remain high.
7. HPSI success/failure states are not given in sequences where SSR-AFW has failed, because RCS pressure is assumed not to drop below the HPSI pump shutoff head of 1275 psia.
8. With failure of RPS, RCS pressure is assumed not to drop below the HPSI pump shutoff head of 1275 psia in time to prevent core uncovery and subsequent core melt since the turbine will not trip for an extended period of time and reactor power and pressure will remain high.
9. Even though SIT is expected to operate before LPSI, LPSI appears first on the event tree because failure of LPSI precludes any significant effect of SIT success or failure on the core melt consequences whereas if SIT fails LPSI can still significantly affect the consequences.
10. Sequences T1 /20, TQ, and T3MQ are transferred to the S2 tree in 3 locations where RPS has succeeded and SSR-AFW has succeeded.
11. Core melt occurs late in the recirculation phase because HPSR fails due to failure of heat sink.

A.3 TRANSIENT SYSTEMIC EVENT TREE DEVELOPMENT

The initiating event group called transients are those conditions which cause a power plant to deviate from normal operation. They include all those events which have actually occurred or are likely to occur within the plant's operating lifetime and those events which are credible but unanticipated within the plant's lifetime. They do not include primary system pipe ruptures.

The survey of potential transients was carried out by reviewing the outage list and Licensee Event Report (LER) data for Calvert Cliffs Unit 1, transient data reported in EPRI-NP-2230 [3], the Calvert Cliffs FSAR, and WASH-1400. From this survey were chosen those transients which required reactor shutdown to mitigate the transients' effects. The mitigating requirements of each event were examined to determine which events could be grouped based on a unique set of mitigating requirements.

Each of the transient events can be placed into one of four general categories: a) T1--loss of offsite power to both units, b) T2--events causing loss of the power conversion system, c) T3--events causing a sufficiently high reactor coolant system pressure to require mitigation by operation of PORVs or code safeties, and d) T4--most of the remaining transient events resulting in reactor trip. In addition, two special transient initiating events are defined: TDC (the loss of DC bus 11), and TSRW (loss of service water train 12). The complete list of transients addressed in this analysis is shown in Table A.2.

Each of the transient groups share some similarities. They all require the general functional responses of reactor subcriticality, reactor heat removal, and in the event of core melt, containment heat removal and containment radioactivity removal for consequence mitigation. While by definition, only the T3 group requires primary system relief to mitigate the initiating event, all transients require primary system relief in the event of failure of the Reactor Protection System. A comprehensive set of requirements and success criteria for the mitigating systems is shown in Table A.3. Details of the system success requirements and system interactions are discussed in each of the following sections for the respective transient groups.

The systemic event trees are based on the functional event tree in Figure A-6. Figure A-7 represents the tree for T1, T2, TDC, and TSRW due to the fact that their mitigating systems are identical. The T3 group is represented by the tree in Figure A-8, and the T4 group by the tree in Figure A-9. The T1/T2/TDC/TSRW tree is actually evaluated four times (See Appendix C) because the system unavailability values are different for each initiating event.

Finally, the T1/T2/TDC/TSRW, T3, and T4 trees result in some sequences that are eventually evaluated as a Small-small LOCA. The tie-ins between transient sequences and LOCAs are indicated on the Small-small LOCA tree. The transient sequences that result in Small-small LOCAs are identified on the transient trees.

A.3.1 Loss of Offsite Power/Loss of PCS (T1/T2), Loss of a DC Bus (TDC), and Loss of Service Water (TSRW)

The loss of offsite power event (LOSP) (T1) is analyzed here as a complete loss of offsite power to both reactor units. The immediate results will be a trip of the control rods and a loss of power to the condensate pumps and booster pumps, the pump trips constituting a loss of the power conversion system (PCS). The loss of feedwater flow eliminates the primary source of heat removal from the reactor and the temperature and pressure in the reactor coolant system will rise.

The loss of PCS event (T2) is a loss of all main feedwater event excluding LOSP. Response to the loss of PCS is identical to the LOSP with the exception that normal power is still available and therefore no diesel-generators are started. Auxiliary feedwater and other mitigating systems will then operate on normal power. This difference is accounted for in the quantification of the T1 and T2 sequences in Appendix C.

The loss of a DC bus event (TDC) is analyzed here as a loss of DC bus 11. The loss of DC bus 21 is discussed in Chapter 4 of the main report and is enveloped by the DC bus 11 results. There will be either an immediate or delayed loss of the power conversion system and a degradation of responding safety systems. The loss of service water event (TSRW) is a loss of service water train 12 which fails cooling to the feedwater turbine pumps and results in a delayed loss of PCS with degradation of some responding safety systems. The effects of the initiating events on the individual system failure modes are accounted for in the quantification process described in Appendix C.

A.3.1.1 Front-Line Systems Required and Success Criteria

In this section, all of the systems required for mitigating the T1/T2/TDC/TSRW events are discussed. These include the Reactor Protection System (RPS), Chemical and Volume Control System (CVCS), Auxiliary Feedwater System (AFW), Primary System Safety Relief Valves (SRV OPEN and SRV RECLOSE), Containment Air Recirculation and Cooling (CARC), and Containment Spray System in the injection mode (CSSI).

A-33

A.3.1.1.1 Reactor Protection System, RPS(K)

The function of reactor subcriticality is primarily achieved by operation of the RPS. A successful reactor trip is attained by the insertion of one-half of the control rods into the reactor. This is a completely independent system deriving its trip signal from several sources. Failure of the RPS after a transient constitutes a loss of one method to shut down the reactor. Unlike Small or Small-small LOCAs without reactor trip, these events can be mitigated.

A.3.1.1.2 Chemical and Volume Control System, CVCS(U)

The CVCS can be used as an alternate system to shut down the reactor. The CVCS injects concentrated boric acid, which is a poison to the fission process, into the RCS. Success criteria for the boron injection phase of CVCS consist of one out of two boric acid pumps providing boric acid flow to two of the three charging pumps which then inject into the RCS through one of the two injection paths. To use this system to shut down the reactor requires operator action for the transients considered in this analysis. Emergency Operating Procedure 13 defines these operator actions which require one valve to be checked closed, one valve to be opened, and the boration switch to be turned on and all available charging pumps started. A success/failure decision for this system is only given for cases involving RPS failure. Successful operation of the CVCS will not prevent the pressure spike following failure to scram, but it is assumed the spike will not deter CVCS success once the pressure subsides. Failure of the CVCS due to the pressure spike is quantified separately (see the discussion in Section 8.1.1 of the main report). Failure of the CVCS to shut down the reactor concurrent with RPS failure constitutes failure of the reactor subcriticality function. Core heat up resulting from the transient is assumed to be so great that the remaining heat removal systems would not provide sufficient heat rejection and a core melt would result. There are substantial thermal-hydraulic uncertainties associated with this sequence and a more detailed discussion is presented in Section 8.1.6 of the main report.

A.3.1.1.3 Secondary System Relief with Auxiliary Feedwater, SSR with AFW(L)

These two systems must operate in order to attain functional success of reactor heat removal. By definition of the initiating events, the main feedwater system is unavailable and therefore the AFW is the only source of water available to remove heat via the steam system. The successful operation of the AFW is feedwater flow to 1 of 2 steam generators through 2 of the 4 flow paths at 200 gpm each or feedwater flow to 1 of 2 steam generators through 1 of 4 flow paths at 400 gpm. The required driving force comes from 1 of 1 motor-driven pump at 450 gpm or from 1 of 1 turbine-driven pump at 700 gpm. The second turbine-driven pump at Unit 1 is locked out due to excessive pump suction concerns. This second turbine-driven pump can be started manually if either of the other two pumps fails to start. This act is treated as a recovery action. The inter-unit cross-tie can be used to allow Unit 2's motor-driven pump No. 23 to feed Unit 1's AFW system. This act is also treated as a recovery action.

The second half of the reactor heat removal function is SSR. Successful steam relief can be carried out by one of three sets of valves: 1 of 4 turbine bypass valves, 2 of 2 atmospheric dump valves, or 1 of 16 steam generator safety valves. Both SSR and AFW are shown together as parts of the same event heading, success of which requires both systems. Failure of either SSR or AFW leaves no other heat removal mechanism and the incident is assumed to lead to core melt.

A.3.1.1.4 Safety Relief Valves Open, SRV OPEN(P)

While not required to mitigate the initiating event directly, the primary system safety relief valves are required to mitigate the pressure rise following failure of the RPS after the transient. Safety relief includes two power-operated relief valves (PORVs) and two code safety relief valves. For this transient with RPS failure, the success criteria are 4 of 4 valves required to help reduce pressure in the RCS. Failure to relieve pressure under these circumstances could lead to coolant system rupture and core melt.

A.3.1.1.5 Safety Relief Valves Reclose, SRV RECLOSE(Q)

The primary safety relief valves will not be required during T1, T2, TDC or TSRW transients to mitigate the progression of the incident except after RPS failure. However, some recent data and analysis results indicate that the PORVs may open momentarily following one of these transients. In the case of a T1 incident, recent thermal-hydraulic calculations of the Calvert Cliffs NSSS response to a T1 event [4] indicate, within the accuracy of the calculations, that a PORV setpoint of 2400 psia may be reached by a momentary RCS pressure rise after the transient. In the case of a T2 transient, only one incident which demanded a PORV at a CE plant could have also shut down the PCS.[5] This incident was the closure of an MSIV at Calvert Cliffs Unit 2. Should both MSIVs close in a future incident, steam supply to the MFW pumps would terminate and a PORV could be demanded momentarily.

In both of the above cases, there is some evidence to indicate that the PORVs may open. Therefore, the reclosure of the PORVs must be considered because failing to reclose would constitute a loss of RCS integrity. In Appendix C, the probabilistic evaluation of the PORV demand and the failure to reclose is treated under Event Q for these transients, assuming RPS success.

For the RPS failure cases, all four primary safety relief valves are required to open to alleviate the rapid pressure rise. Each of the primary safety relief valves that opens must close after the RCS pressure has decreased to the valve closure setpoint. As four valves are required to open, success for this event is four valves reclosing. Failure of any valve to reclose results in a coolant loss condition equivalent to a Small-small LOCA.

A.3.1.1.6 Containment Air Recirculation and Cooling, CARC(C)

Although not required to directly mitigate the initiating event, the Containment Air Recirculation and Cooling (CARC) System can be used to attain successful containment heat removal when core melting becomes inevitable due to failures of other mitigating systems. The CARC System draws the containment atmosphere past cooling coils which are cooled by the Service Water (SRW) System and the Saltwater System (SWS) (i.e., the coils are cooled by SRW and SRW is cooled by SWS) to remove heat from the containment. It is thus a means of reducing containment pressure caused by released steam. The CARC System consists of four air fans and associated coolers. Successful operation requires cooling from one of the four (1/4) fan units and its respective SRW subsystem. Failure of the CARC will reduce the containment heat removal capability but not eliminate it as long as the heat removal function is carried out by the Containment Spray System.

A.3.1.1.7 Containment Spray System in the Injection Mode, CSSI(C')

The functions of the Containment Spray System (CSS) are to reduce containment pressure by quenching steam released during the core melt and to remove radioactive fission products from the containment atmosphere. The CSS delivers borated water droplets to the containment atmosphere through dual trains consisting of redundant spray headers and pumps and associated piping. During the injection phase, water is drawn from the RWT. Successful CSS operation for this phase requires flow from one of the two (1/2) CSSI pump trains. Failure of the CSSI will reduce the containment heat removal capability but not eliminate it as long as the heat removal function is carried out by the CARC System. CSSI failure will also fail the containment radioactivity removal function.


A.3.1.2 System Interactions

Aside from the direct dependency of the power conversion system on the initiating event, the T1/TDC/TSRW events will also affect the operation of all systems requiring AC power, DC power and service water respectively. Success or failure of these support systems is handled within the front-line system fault trees. The T1/T2/TDC/TSRW event trees shown in Figure A-7 and its notes correspond to the following discussion.

With the reactor shut down following the initiating event, the failure of SSR or AFW leaves no other method to remove decay heat. It is expected that a rapid rise in RCS pressure and temperature would result in PORVs and code safeties being demanded but the SRV OPEN decision point does not appear on the tree at this point (Note 1) because the pressure relief would not be sufficient to attain safe recovery in the absence of secondary side heat removal.

The functions of containment heat removal and radioactivity removal enter into the tree after significant mitigating system failures have left the course of the accident headed towards core melt. It is assumed that total core melt ensues and a subsequent release of steam and fission products to containment follows. The two systems required to mitigate the consequences of this release are CARC and CSSI, whose decision points are shown on the tree in these circumstances (Note 2). The sequences 87 through 90 are transient-induced LOCAs which lead to core melt. There are significant thermal-hydraulic uncertainties associated with these sequences and a more detailed discussion can be found in Section 8.1.11 of the main report.

The CARC and CSSI systems can individually perform containment heat removal and overpressure suppression in the injection phase of an accident. Should CARC fail then CSSI could carry out this function. Failure of both systems results in complete loss of containment heat removal and overpressure suppression (Note 4). In addition, the CSSI decision point appears on both the success and failure branches of CARC because only the CSSI will provide radioactivity removal. Therefore, even though all of the sequences resulting from CARC/CSSI success and failure lead to core melt, each leads to a different set of consequences.

For Sequences 99 and 100, no decision point is shown for CARC since sequences with failure of CARC and/or CSSI are probabilistically negligible. CSSI was shown simply to emphasize that both containment heat removal and radioactivity removal are successful for the dominant sequence.

Failure of the RPS after a T1/T2/TDC/TSRW transient requires immediate (within 20 to 30 minutes) operation of CVCS to fulfill the reactor subcriticality function. As long as the RPS is successful, CVCS is not required even though it would be normally operating during the course of the accident. The CVCS will shut down the reactor within several minutes (Note 5).

Likewise, failure of CVCS after RPS failure leaves no method to achieve subcriticality (Note 6). Due to the substantial thermal-hydraulic uncertainties associated with this sequence, core melt is assessed to result. A more complete discussion can be found in Section 8.1.6 of the main report.

Successful mitigation of the T1/T2/TDC/TSRW event upon failure of RPS also requires Primary System Relief, SRV OPEN. Pressures are expected to rise well above the code safety setpoints of 2500 and 2565 psia. For example, a Combustion Engineering analysis of loss of feedwater following an ATWS produced calculated RCS pressures of 3800 to 4300 psia.[6] In addition, the same CE analysis predicted that some pressure relief through the closure head seal would occur above 3500 psia, and that this leakage is essential to maintain the reactor vessel within design stress limits. For further discussion of this as a sensitivity, see Chapter 8 of the main report. It is assumed in the T1/T2/TDC/TSRW event tree analysis that the closure head seal does relieve pressure as designed or that the moderator temperature coefficient of reactivity (MTC) is favorable. Reactor integrity is maintained so long as SRV OPEN and SRV RECLOSE are successful (Note 7).

The requirement of 4 out of 4 relief valves is assumed to be essential. Therefore, failure of any one valve to open will lead to RCS overpressure and rupture followed by core melt (Note 9). The failure of the reactor vessel due to an unfavorable MTC or closure head seal failure was not modeled on the event trees. A separate calculation was done using the results of Reference 6 and our updated initiating event frequency. The results are discussed in Section 8.1.1 of the main report.

Along with the requirement for pressure relief is the necessity to have all valves reclose as the RCS pressure decreases below the valve closure setpoints. Failure of any of the valves to reclose would lead to a small-small LOCA (Note 8), which is indicated for Sequences 87-90.

In conclusion, successful recovery from T1/T2/TDC/TSRW events requires either the combination of RPS and SSR and AFW or the combination of CVCS, SSR and AFW, SRV OPEN, and SRV RECLOSE. Any one system failing, besides RPS, will lead to the requirement for CARC and CSSI or lead to the requirement for additional systems to mitigate a transient-induced LOCA.
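The success criteria of Section A.3.1.1 and the decision points of Section A.3.1.2 can be written as k-of-n checks feeding a sequence classifier. The following Python is an added example, not part of the report; the field names, the outcome strings and the order in which failures are reported are assumptions, and it evaluates success/failure logic only, not the probabilities quantified in Appendix C.

```python
from dataclasses import dataclass


def k_of_n(working, k):
    """At least k of the redundant trains or valves are working."""
    return working >= k


@dataclass
class PlantState:
    # Constructed inputs. Field names are hypothetical; counts follow the text.
    rps_trip: bool = True              # K: one-half of the control rods inserted
    operator_borates: bool = True      # U: operator actions for boration taken
    boric_acid_pumps: int = 2          # of 2
    charging_pumps: int = 3            # of 3
    injection_paths: int = 2           # of 2
    afw_motor_pump: bool = True        # 450 gpm
    afw_turbine_pump: bool = True      # 700 gpm
    afw_path_gpm: tuple = (200, 200)   # flow in each open AFW path (of 4)
    steam_generators: int = 2          # of 2
    turbine_bypass: int = 4            # of 4
    atmospheric_dump: int = 2          # of 2
    sg_safety: int = 16                # of 16
    srv_opened: int = 0                # of 4: two PORVs and two code safeties
    srv_reclosed: int = 0
    carc_fan_units: int = 4            # of 4, each with its SRW subsystem
    cssi_trains: int = 2               # of 2


def cvcs_ok(s):
    # 1 of 2 boric acid pumps, 2 of 3 charging pumps, 1 of 2 injection paths,
    # plus the operator actions.
    return (s.operator_borates and k_of_n(s.boric_acid_pumps, 1)
            and k_of_n(s.charging_pumps, 2) and k_of_n(s.injection_paths, 1))


def afw_ok(s):
    pump = s.afw_motor_pump or s.afw_turbine_pump
    # Assumption: every listed path feeds the same intact steam generator.
    paths_200 = sum(1 for gpm in s.afw_path_gpm if gpm >= 200)
    paths_400 = sum(1 for gpm in s.afw_path_gpm if gpm >= 400)
    flow = paths_200 >= 2 or paths_400 >= 1
    return pump and k_of_n(s.steam_generators, 1) and flow


def ssr_ok(s):
    # 1 of 4 turbine bypass, or 2 of 2 atmospheric dump, or 1 of 16 SG safeties.
    return (k_of_n(s.turbine_bypass, 1) or k_of_n(s.atmospheric_dump, 2)
            or k_of_n(s.sg_safety, 1))


def containment_functions(s):
    """Return (heat removal, radioactivity removal) after core melt."""
    cssi = k_of_n(s.cssi_trains, 1)
    # Either system removes heat; only CSSI removes radioactivity.
    return (k_of_n(s.carc_fan_units, 1) or cssi, cssi)


def classify(s):
    """Outcome of a T1/T2/TDC/TSRW transient for one constructed plant state."""
    if not s.rps_trip and not cvcs_ok(s):
        return "core melt: subcriticality not achieved"
    if not (ssr_ok(s) and afw_ok(s)):
        return "core melt: no reactor heat removal"
    if not s.rps_trip and not k_of_n(s.srv_opened, 4):
        return "core melt: RCS overpressure"
    if s.srv_reclosed < s.srv_opened:
        return "small-small LOCA: relief valve failed to reclose"
    return "recovered"
```

For the core melt outcomes, `containment_functions` gives the CARC/CSSI status that distinguishes the consequences of otherwise identical sequences.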

A.3.2 Transients Requiring RCS Pressure Relief (T3)

This transient group consists of all events requiring primary system pressure relief to help mitigate the initiating event consequences. The events described below are those considered by Combustion Engineering to be the only ones likely to be T3 transients [7]:

1. Uncontrolled rod withdrawal.
2. Loss of load with turbine bypass capacity exceeded or unavailable. The most likely group of loss of load initiators are turbine trips.
3. Loss of all non-emergency AC power, depending on pressurizer heat transfer assumption.

Operating experience shows that only loss of load or turbine runback will result in pressure relief being demanded. Further, the Calvert Cliffs reactivity control during normal operation is achieved via changes in soluble boron concentration while the control rods are fully withdrawn. Therefore, uncontrolled rod withdrawal at full power could not normally occur. Lastly, loss of all non-emergency AC power must be distinguished from loss-of-offsite power as the latter would not be likely to place a demand on RCS pressure relief valves according to new analysis [13]. Therefore, the loss of all non-emergency AC power is interpreted to be a loss of non-emergency AC power on main buses supplying normally operating equipment resulting in the equivalent of a loss of load transient.

The T3 event is therefore defined as a loss of load event such as a turbine trip or a loss of non-1E AC power on the main buses.

The following sections describe each of the mitigating systems and their success criteria for the T3 transient. Following the system descriptions is a discussion of interactions between each of the mitigating systems.

A.3.2.1 Front-Line Systems Required and Success Criteria

In this section, all of the systems required to mitigate the T3 event are discussed. These include the Reactor Protection System (RPS), Chemical and Volume Control System (CVCS), Secondary System Relief (SSR), Power Conversion System (PCS), Auxiliary Feedwater System (AFW), Primary System Pressure Relief (SRV OPEN and SRV RECLOSE), Containment Air Recirculation and Cooling (CARC), and Containment Spray System in the injection mode (CSSI).

A.3.2.1.1 Reactor Protection System, RPS (K)

NOTE: This subsection is identical to Subsection A.3.1.1.1.

The function of reactor subcriticality is primarily achieved by operation of the RPS. A successful reactor trip is attained by the insertion of one-half of the control rods into the reactor. This is a completely independent system deriving its trip signal from several sources. Failure of the RPS after a transient constitutes a loss of one method to shut down the reactor. Unlike LOCAs without reactor trip, these events can be mitigated.

A.3.2.1.2 Chemical and Volume Control System, CVCS (U)

NOTE: This subsection is identical to Subsection A.3.1.1.2.

The CVCS can be used as an alternate system to shut down the reactor. The CVCS injects concentrated boric acid, which is a poison to the fission process, into the RCS. Success criteria for the boron injection phase of CVCS consist of one out of two boric acid pumps providing boric acid flow to two of the three charging pumps which then inject into the RCS through one of the two injection paths. To use this system to shut down the reactor requires operator action for the transients considered in this analysis. Emergency Operating Procedure 13 defines these operator actions which require one valve to be checked closed, one valve to be opened, and the boration switch to be turned on and all available charging pumps started. A success/failure decision for this system is only given for cases involving RPS failure. Successful operation of the CVCS will not prevent the pressure spike following failure to scram, but it is assumed the spike will not deter CVCS success once the pressure subsides. Failure of the CVCS due to the pressure spike is quantified separately (see the discussion in Section 8.1.1 of the main report). Failure of the CVCS to shut down the reactor concurrent with RPS failure constitutes failure of the reactor subcriticality function. Core heat up resulting from the transient is assumed to be so great that the remaining heat removal systems would not provide sufficient heat rejection and a core melt would result. There are substantial thermal-hydraulic uncertainties associated with this sequence and a more detailed discussion is presented in Section 8.1.6 of the main report.

A.3.2.1.3 Secondary System Relief with Power Conversion System, SSR with PCS (M)

The functions of the SSR with PCS are to maintain the water inventory in the steam generators and to transfer core heat to the environment. The PCS consists of the MFW and Condensate System, the steam generators, turbine, and condensers; and the SSR consists of the Main Steam System (MSS) as required to drive the turbine-driven feedwater pumps and to relieve heat in the form of steam from the steam generators via the relief valves or to the condenser. Success criteria for the SSR are 1 of 4 turbine bypass valves or 2 of 2 atmospheric dump valves or 1 of 16 steam generator safety valves.

During normal operation, feedwater from the condenser hotwell is supplied to the steam generators by three normally-operating electrically-driven condensate pumps, two electrically-driven condensate booster pumps (another on standby), and two steam turbine-driven MFW pumps. The system is designed to operate in several different modes, depending on conditions resulting from the initiating event. Each mode also entails a different means of transferring heat to the environment.

Following the reactor shutdown, the MFW regulating valves close and the feedwater regulating valves' bypass valves open to allow five percent flow (i.e., decay heat level) to the steam generators, and steam bypasses the main turbine via the turbine bypass valves and dumps directly into the condenser or passes to the outside atmosphere via the atmospheric dump valves or steam generator safety valves. At least one MFW train and condensate train must be intact to deliver feedwater from the condenser hotwell to the steam generator following reactor shutdown. Specifically, the success criteria include 1 of 2 MFW pump trains, 1 of 3 condensate booster pump trains, 1 of 3 condensate pump trains, and 1 of 2 steam generators plus interconnecting valves and piping.

If the MFW pumps fail, the operator may attempt to reduce the pressure on the secondary side of the steam generators to allow the lower pressure condensate booster pumps to function as the source of flow energy for feedwater supply. In this mode, heat is removed from the steam generators through the atmospheric dump valves or the turbine bypass valves. Credit is not given for this mode of operation in this study since, without any other method of secondary heat removal, it was not clear if the valves could lower the pressure sufficiently.

The probabilistic evaluation of PCS unavailability is not derived by consideration of success criteria, but is rather obtained from a statistical review of operating experience showing the frequency of loss of feedwater. Details are explained in Appendix C.

A.3.2.1.4 Secondary System Relief with Auxiliary Feedwater, SSR with AFW (L)

Both SSR and AFW systems must operate in order to attain functional success of reactor heat removal in the event of PCS failure. The successful operation of the AFW is feedwater flow to 1 of 2 steam generators through 2 of the 4 flow paths at 200 gpm each or feedwater flow to 1 of 2 steam generators through 1 of 4 flow paths at 400 gpm. The required driving force comes from 1 of 1 motor-driven pump at 450 gpm or from 1 of 1 turbine-driven pump at 700 gpm each. Again, the other turbine-driven pump at Unit 1 and Unit 2's motor-driven pump are assumed to be unavailable and treated as recovery actions.

The second half of the reactor heat removal function is SSR. Successful steam relief can be carried out by one of three sets of valves: 1 of 4 turbine bypass valves, 2 of 2 atmospheric dump valves, or 1 of 16 steam generator safety valves. Both SSR and AFW are shown together as parts of the same event heading, success of which requires both systems. Failure of either SSR or AFW leaves no other heat removal mechanism and the incident is assumed to lead to core melt.

A.3.2.1.5 Safety Relief Valves Open, SRV OPEN (P)

The Primary System Safety Relief Valves act to mitigate the pressure rise immediately following a T3 transient. Safety relief includes two power-operated relief valves (PORVs) and two code safety relief valves. For this transient, the success criteria are 1 of 4 valves required to help reduce reactor coolant system pressure if RPS is successful and 4 of 4 valves required when RPS has failed. Failure to relieve pressure under either circumstance could lead to primary coolant system rupture and core melt.

A.3.2.1.6 Safety Relief Valves Reclose, SRV RECLOSE (Q)

Each of the Primary System Safety Relief Valves that opens must close after the RCS pressure has decreased to the valve closure setpoint. As four valves may be required to open, success for this event is four valves reclosing in all cases. Failure of any valve to reclose results in a coolant loss condition equivalent to a Small-small LOCA.

A.3.2.1.7 Containment Air Recirculation and Cooling, CARC (C)

NOTE: This subsection is identical to Subsection A.3.1.1.6.

Although not required to directly mitigate the initiating event, the Containment Air Recirculation and Cooling (CARC) System can be used to attain successful containment heat removal when core melting becomes inevitable due to failures in other mitigating systems. The CARC System draws the containment atmosphere past cooling coils which are cooled by the Service Water (SRW) System and the Saltwater (SWS) System (i.e., the coils are cooled by SRW and SRW is cooled by SWS) to remove heat from the containment. It is thus a means of reducing containment pressure caused by released steam. The CARC System consists of four air fans and associated coolers. Successful operation requires cooling from one of the four (1/4) fan units and its respective SRW subsystem. Failure of the CARC will reduce the containment heat removal capability but not eliminate it as long as the heat removal function is carried out by the Containment Spray System.

A.3.2.1.8 Containment Spray System in the Injection Mode, CSSI (C')

NOTE: This subsection is identical to Subsection A.3.1.1.7.

The functions of the Containment Spray System (CSS) are to reduce containment pressure by quenching steam released during the core melt and to remove radioactive fission products from the containment atmosphere. The CSS delivers borated water droplets to the containment atmosphere through dual trains consisting of redundant spray headers and pumps and associated piping. During the injection phase, water is drawn from the RWT. Successful CSS operation for this phase requires flow from one of the two (1/2) CSSI pump trains. Failure of the CSSI will reduce the containment heat removal capability but not eliminate it as long as the heat removal function is carried out by the CARC System. CSSI failure will also fail the containment radioactivity removal function.

A.3.2.2 System Interactions

Some of the system interdependencies on the T3 tree are similar to those on the T1/T2/TDC/TSRW tree. The relationship between the failure of reactor heat removal and the requirement for CARC and CSSI is the same for both initiating event groups. Lack of reactor heat removal results in core melt (Note 7) which in turn results in a steam and fission product release to containment and a requirement for CARC and CSSI (Note 4). Core melt would also result from a failure of the SRVs to open (Note 3). Therefore, CARC and CSSI are also required after this failure. The only difference in the CARC/CSSI requirement between the trees is after the failure of RPS and CVCS (Notes 12 and 14). For the T3 event, the availability of PCS after a failure to scram leaves the PCS to operate with turbine bypass to relieve steam from the NSSS at between 5% and 40% of the power. Due to the large uncertainties in the thermal-hydraulics, these sequences (139-142) are assessed to result in core melt. A more detailed discussion is given in Section 8.1.12 of the main report.

Another similar relationship between transient groups is the requirement for operation of the CVCS when RPS fails. It is assumed that CVCS will also provide needed coolant inventory provided the SRVs reclose after performing Primary System Pressure Relief (Note 10).

Other relationships are more generic to T3 initiators. The operation of PCS will be affected by the initiator; if T3 is a turbine trip, the PCS will be run back to a 5% heat removal level; if T3 is other than turbine trip, the PCS will be run back only if the RPS has operated successfully. For sequences 117 through 125, it is assumed that the initiator is a turbine trip, and PCS is run back to 5% (Note 8). This is a conservative approach for two reasons. First, the result of PCS running at full flow would likely be a safe sequence. With PCS at 5%, only 117 would be considered safe. Also, turbine trips account for the largest portion of loss-of-load T3 initiators.

For the T3 cases, successful decay heat removal can be carried out by operation of either SSR/PCS or SSR/AFW. When PCS fails, AFW will provide sufficient feedwater for secondary side heat removal as long as the reactor is shut down either by RPS or CVCS. Shutdown by CVCS would require several minutes making the successful functionability of AFW less certain than for PCS operating at greater than 5% flow rate (Note 11).

The last relationship is between the subcriticality function and SRV operation. By definition, the T3 transient demands the PORVs. With RPS success, the operation of one PORV will provide sufficient primary system relief (Note 1). With RPS failed but CVCS beginning to shut the reactor down, RCS pressure continues to rise for a short duration. It is assumed that both PORVs and both code safeties are required for successful primary system relief (Note 9). Should both RPS and CVCS fail, the failure to attain subcriticality is assessed to result in core melt. There are significant thermal-hydraulic uncertainties associated with this sequence and a more detailed discussion can be found in Section 8.1.13 of the main report.

A.3.3 Remaining Transients Requiring Reactor Shutdown (T4)

The last transient group consists of events that require reactor shutdown and reactor heat removal but are not severe enough to require RCS pressure relief after reactor trip. Typical T4 events are loss of one RCS pump or loss of one MFW pump. The T4 group differs from T2 in that at least part of PCS is still available initially. They differ from the T3 group in not requiring the SRVs unless RPS fails. The T4 group also includes excess cooldown transients, such as an increase in main feedwater flow.

The following sections describe each of the mitigating systems and their success criteria under the T4 transient. Following the system descriptions is a discussion of interactions between each of the mitigating systems.

A.3.3.1 Front-Line Systems Required and Success Criteria

In this section, all of the systems appearing on the T4 event tree are discussed. These include Reactor Protection System (RPS), Chemical and Volume Control System (CVCS), Secondary System Relief (SSR), Power Conversion System (PCS), Auxiliary Feedwater System (AFW), Primary System Relief (SRV OPEN and SRV RECLOSE), Containment Air Recirculation and Cooling (CARC), and Containment Spray System in the injection mode (CSSI).

A.3.3.1.1 Reactor Protection System, RPS (K)

NOTE: This subsection is identical to Subsection A.3.1.1.1.

The function of reactor subcriticality is primarily achieved by operation of the RPS. A successful reactor trip is attained by the insertion of one-half of the control rods into the reactor. This is a completely independent system deriving its trip signal from several sources. Failure of the RPS after a transient constitutes loss of one method for shutting down the reactor. Unlike LOCAs without reactor trip, these events can be mitigated.

A.3.3.1.2 Chemical and Volume Control System, CVCS (U)

NOTE: This subsection is identical to Subsection A.3.1.1.2.

' The CVCS can be used as an alternate system to shut down the reactor. The CVCS injects concentrated boric acid, which is a poison to the fission process into the RCS. Success criteria for the boron injection phase of CVCS consists of one out of two boric acid pumps providing boric acid flow to two of the three charging pumps which then inject into the RCS through one of the two injection paths. To use this system to shut down the reactor requires operator action for the transients considered in this analysis. Emergency Operating Procedure 13 defines these operator actions which require one valve to be checked closed, one valve to be opened, and the boration switch

to be turned on and all available charging pumps started. A success / failure decision for this system is only given for cases involving RPS failure. Successful operation of the CVCS will not prevent the pressure spike following failure to scram, but it is assuned the spike will not deter CVCS success once the pressure subsides. Failure of the CVCS due to the pressure spike is quantified separately (see the discussion in Section 8.1.1 of the main report). Failure of the CVCS to shutdown the reactor concurrent with RPS failure constitutes failure of-the reactor subcriticality function. Core heat up resulting from

_O the er a teat 1 u ea to be o ere e ea e eae re tatas ae e removal systems would not provide sufficient heat rejection and a core melt would result. There are substantial thermal-hydraulic uncertainties associated with this sequence and a more detailed discussion is presented in Section 8.1.6 of the main report.


A.3.3.1.3 Secondary System Relief with Power Conversion System, SSR with PCS (M)

The functions of the SSR with PCS are to maintain the water inventory in the steam generators and to transfer core heat to the environment. The PCS consists of the MFW and Condensate System, the steam generators, turbine, and condensers; and the SSR consists of the Main Steam System (MSS) as required to drive the turbine-driven feedwater pumps and to relieve heat in the form of steam from the steam generators via the relief valves or the condenser. Success criteria for the SSR are typically 1 of 4 turbine bypass valves or 2 of 2 atmospheric dump valves or 1 of 16 steam generator safety valves for those T4 events that do not lead to closure of MSIVs.

During normal operation, feedwater from the condenser hotwell is supplied to the steam generators by three normally-operating electrically-driven condensate pumps, two electrically-driven condensate booster pumps (another on standby), and two steam turbine-driven MFW pumps. The system is designed to operate in several different modes, depending on conditions resulting from the initiating event. Each mode also entails a different means of transferring heat to the environment.

Following the reactor shutdown, the MFW regulating valves close and the feedwater regulating valves' bypass valves open to allow five percent flow (i.e., decay heat level) to the steam generators, and steam bypasses the main turbine via the turbine bypass valves and dumps directly into the condenser or passes to the outside atmosphere via the atmospheric dump valves or steam generator safety valves. At least one MFW train and condensate system must be intact to deliver feedwater from the condenser hotwell to the steam generator following reactor shutdown. Specifically, the success criteria include 1 of 2 MFW pump trains, 1 of 3 condensate booster pump trains, 1 of 3 condensate pump trains, and 1 of 2 steam generators plus interconnecting valves and piping. These success criteria would be altered if the mitigating event affects the PCS operation.

If the MFW pumps fail, the operator may reduce the pressure on the secondary side of the steam generators to allow the lower pressure condensate booster pumps to function as the source of flow energy for feedwater supply. In this mode, heat is removed from the steam generators through the atmospheric dump valves or the turbine bypass valves. Credit is not given for this mode of operation in this study since, without any other method of secondary heat removal, it was not clear if the valves could lower the pressure sufficiently.

The probabilistic evaluation of PCS unavailability is not derived by consideration of success criteria, but is rather obtained from a statistical review of operating experience showing the frequency of loss of feedwater. Details are explained in Appendix C.


A.3.3.1.4 Secondary System Relief with Auxiliary Feedwater, SSR with AFW (L)

NOTE: This subsection is identical to Subsection A.3.2.1.4.

Both SSR and AFW systems must operate in order to attain functional success of reactor heat removal in the event of PCS failure. The successful operation of the AFW is feedwater flow to 1 of 2 steam generators through 2 of the 4 flow paths at 200 gpm each or feedwater flow to 1 of 2 steam generators through 1 of 4 flow paths at 400 gpm. The required driving force comes from 1 of 1 motor-driven pump at 450 gpm or from 1 of 1 turbine-driven pump at 700 gpm each. Again, the other turbine-driven pump at Unit 1 and Unit 2's motor-driven pump are assumed to be unavailable and treated as recovery actions.

The second half of the reactor heat removal function is SSR. Successful steam relief can be carried out by one of three sets of valves: 1 of 4 turbine bypass valves, 2 of 2 atmospheric dump valves, or 1 of 16 steam generator safety valves. Both SSR and AFW are shown together as parts of the same event heading, success of which requires both systems. Failure of either SSR or AFW leaves no other heat removal mechanism and the incident is assumed to lead to core melt.

A.3.3.1.5 Safety Relief Valves Open, SRV OPEN (P)

It is assumed that the Primary System Relief Valves act to mitigate the pressure rise immediately following a T4 transient with failure of RPS. Safety relief includes two power-operated relief valves (PORVs) and two code safety relief valves. For this transient, the success criteria are 4 of 4 valves required to help reduce reactor coolant system pressure. Failure to relieve pressure under either circumstance could lead to primary coolant system rupture and core melt.

A.3.3.1.6 Safety Relief Valves Reclose, SRV RECLOSE (Q)

Each of the Primary Safety Relief Valves that opens following RPS failure is required to close after the RCS pressure has decreased to the valve closure setpoint. As four valves are required to open, success for this event is four valves reclosing. Failure of any valve to reclose results in a coolant loss condition equivalent to a Small-small LOCA.

A.3.3.1.7 Containment Air Recirculation and Cooling, CARC (C)

NOTE: This subsection is identical to Subsection A.3.1.1.6.

Although not required to directly mitigate the initiating event, the Containment Air Recirculation and Cooling (CARC) System can be used to attain successful containment heat removal when core melting becomes inevitable due to failures of other mitigating systems. The CARC System draws the containment atmosphere past cooling coils which are cooled by the Service Water (SRW) System and the Saltwater System (SWS) (i.e., the coils are cooled by SRW and SRW is cooled by SWS) to remove heat from the containment. It is thus a means of reducing containment pressure caused by released steam. The CARC System consists of four air fans and associated coolers. Successful operation requires cooling from one of the four (1/4) fan units and its respective SRW subsystem. Failure of the CARC will reduce the containment heat removal capability but not eliminate it as long as the heat removal function is carried out by the CSSI.

A.3.3.1.8 Containment Spray System in the Injection Mode, CSSI (C')

NOTE: This subsection is identical to Subsection A.3.1.1.7.

The functions of the Containment Spray System (CSS) are to reduce containment pressure by quenching steam released during the core melt and to remove radioactive fission products from the containment atmosphere. The CSS delivers borated water droplets to the containment atmosphere through dual trains consisting of redundant spray headers and pumps and associated piping. During the injection phase, water is drawn from the RWT. Successful CSS operation for this phase requires flow from one of the two (1/2) CSSI pump trains. Failure of the CSSI will reduce the containment heat removal capability but not eliminate it as long as the heat removal function is carried out by the CARC System. CSSI failure will also fail the containment radioactivity removal function.

A.3.3.2 System Interactions

The T4 transient event tree, shown in Figure A-9, shares several similar relationships with the other trees. The requirement for CVCS when RPS fails is common to all transients. The requirement for CARC and CSSI appears on the tree as in the other trees when core melt becomes inevitable. By definition, the T4 event requires reactor subcriticality by either RPS or CVCS operation and reactor heat removal by either SSR with PCS or SSR with AFW (Note 1). If the PCS totally fails then AFW will take over the reactor heat removal function.

One of the T4 initiators affects the success criteria of the PCS, that is loss of one MFW train. The T4 initiator will not result in total loss of PCS, so the PCS success/failure decision still appears on the T4 tree because the PCS minimum success criteria would still be met.

When the RPS fails, CVCS takes over the reactor subcriticality function. It is assumed that PCS will operate at a flow commensurate with the power level. If the transient event leads to a turbine trip, the feedwater pumps will run back to 5% flow (Note 11).

It is also assumed that a T4 transient with RPS failure will require the SRVs to open and reclose to ensure reactor coolant system integrity (Note 6). SRV failure to open would result in core melt while failure of an SRV to reclose results in a Small-small LOCA and is assessed to result in core melt. There are significant thermal-hydraulic uncertainties associated with this sequence that are discussed in more detail in Section 8.1.11 of the main report. Should both RPS and CVCS fail, the failure to attain subcriticality is also assessed to result in core melt and is discussed in detail in Section 8.1.6 of the main report.
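The T4 logic of Sections A.3.3.1 and A.3.3.2, as an added Python example that is not part of the original report: it applies the k-of-n success criteria for CVCS, SSR and the SRVs and returns the sequence outcome. All function and constant names are hypothetical; the containment headings (CARC, CSSI) are left out because they only affect consequences after core melt, the order in which failures are checked is an assumption, and SRV demand after RPS success is not modeled because the section gives SRV criteria only for RPS failure.

```python
"""T4 transient logic from A.3.3.1 and A.3.3.2 (added example, hypothetical names)."""
from collections import Counter
from itertools import product

RECOVERY = "recovery"
CORE_MELT = "core melt"
# Reasons attached to each outcome (labels chosen for this example).
OK = "subcritical with reactor heat removal"
NO_SUBCRITICALITY = "RPS and CVCS failed: subcriticality not attained"
RCS_OVERPRESSURE = "SRV failed to open after RPS failure: RCS overpressure"
SMALL_SMALL_LOCA = "SRV failed to reclose after RPS failure: Small-small LOCA"
NO_HEAT_REMOVAL = "SSR with PCS and SSR with AFW failed: no reactor heat removal"


def k_of_n(states, k):
    """True when at least k of the listed components are available."""
    return sum(1 for ok in states if ok) >= k


def cvcs_success(boric_acid_pumps, charging_pumps, injection_paths, operator_acts):
    """Boron injection: 1 of 2 boric acid pumps, 2 of 3 charging pumps,
    1 of 2 injection paths, plus the operator actions the text requires."""
    return (operator_acts
            and k_of_n(boric_acid_pumps, 1)
            and k_of_n(charging_pumps, 2)
            and k_of_n(injection_paths, 1))


def ssr_success(turbine_bypass, atmospheric_dump, sg_safety):
    """Steam relief: 1 of 4 turbine bypass valves, or 2 of 2 atmospheric
    dump valves, or 1 of 16 steam generator safety valves."""
    return (k_of_n(turbine_bypass, 1)
            or k_of_n(atmospheric_dump, 2)
            or k_of_n(sg_safety, 1))


def t4_outcome(rps, cvcs, ssr, pcs, afw, srv_opened, srv_reclosed):
    """Return (outcome, reason) for one T4 sequence.

    rps, cvcs, ssr, pcs, afw are booleans (True = system success);
    srv_opened and srv_reclosed are per-valve lists for the four SRVs.
    """
    if not rps:
        # CVCS is only asked when RPS fails; losing both means no shutdown.
        if not cvcs:
            return CORE_MELT, NO_SUBCRITICALITY
        # With RPS failure the criteria are 4 of 4 to open and to reclose.
        if not k_of_n(srv_opened, 4):
            return CORE_MELT, RCS_OVERPRESSURE
        if not k_of_n(srv_reclosed, 4):
            return CORE_MELT, SMALL_SMALL_LOCA
    # Heat removal needs steam relief together with PCS or AFW feedwater.
    if not (ssr and (pcs or afw)):
        return CORE_MELT, NO_HEAT_REMOVAL
    return RECOVERY, OK


def enumerate_t4():
    """Tally outcomes over every success/failure combination of RPS, CVCS,
    PCS, AFW, SRV open and SRV reclose, with the SSR valves available."""
    tally = Counter()
    all_ok, one_stuck = [True] * 4, [True, True, True, False]
    for rps, cvcs, pcs, afw, opened, reclosed in product([True, False], repeat=6):
        result = t4_outcome(rps, cvcs, True, pcs, afw,
                            all_ok if opened else one_stuck,
                            all_ok if reclosed else one_stuck)
        tally[result] += 1
    return tally


if __name__ == "__main__":
    for (outcome, reason), count in sorted(enumerate_t4().items()):
        print(f"{count:2d}  {outcome:9s}  {reason}")
```

The tally counts raw combinations, so headings that the tree never asks on a given branch (for example CVCS after RPS success) appear as repeated rows rather than as distinct sequences.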


TABLE A.2 TRANSIENT EVENTS T1 TO T4, TDC, and TSRW
(See Table 4-5 in main report for a complete listing.)

T1    Total loss of offsite power to both Units 1 and 2

T2    Total loss of main feedwater flow
      Closure of all MSIVs
      Feedwater flow instability
      Loss of all condensate pumps
      Loss of condenser vacuum
      Loss of circulating water

T3    Turbine trip or throttle valve closure (Loss of Load)
      Generator trip or generator caused faults (Loss of Load)
      Loss of non-emergency AC power on main buses (Loss of Load)

T4    CRDM problems, rod drop
      Low pressurizer pressure
      Increase in main feedwater flow in one loop
      Increase in main feedwater flow in all loops
      Sudden opening of one or more steam relief valves
      CVCS Malfunction - Boron dilution incident
      High pressurizer pressure, pressurizer spray failure
      Loss of RCS flow in one loop
      Total loss of RCS flow
      Loss or reduction in main feedwater flow in one loop
      Inadvertent safety injection signal
      Pressure/Temperature/Power Imbalance
      Full or partial closure of one MSIV
      Loss of Condensate Pump (1 Loop)
      Leakage in Secondary System
      Pressurizer Spray Failure
      Spurious Trips - Cause Unknown
      Auto Trip - No Transient Condition
      Manual Trip - No Transient Condition

TDC   Loss of DC bus 11 or 21

TSRW  Loss of service water train 12

Table A.3 Transient Event Definition and Mitigating Systems Success Criteria for Calvert Cliffs Unit 1

Transient Mitigating Functions: Reactor Subcriticality (RESC), Reactor Heat Removal (REHR), Primary System Relief (PSR), Reactor Coolant System Integrity (RCSI), Containment Heat Removal (CNHR), Containment Radioactivity Removal (CNRR)

Loss of Offsite Power (T1) or Loss of Power Conversion System (T2)
  RESC:  RPS OR 2/3 CVCS
  REHR:  SSR AND 1/2 AFW
  PSR:   With RPS Success: None
         With RPS Failure: 4/4 SRV Open
  RCSI:  With RPS Success: 2/4 reclose
         With RPS Failure: 4/4 reclose
  With RPS & CVCS Failure: None Effective (3)
  CNHR:  1/4 CARC OR 1/2 CSSI
  CNRR:  1/2 CSSI

Transients Requiring RCS Pressure Relief (T3)
  RESC:  RPS OR 2/3 CVCS
  REHR:  1/2 MFW (PCS) OR 1/2 AFW
  PSR:   With RPS Success: 2/4 SRV Open
         With RPS Failure: 4/4 SRV Open
  RCSI:  With RPS Success: 4/4 reclose
         With RPS Failure: 4/4 reclose
  With RPS & CVCS Failure: None Effective (3)
  CNHR:  1/4 CARC OR 1/2 CSSI
  CNRR:  1/2 CSSI

Remaining Transients Requiring Reactor Trip (T4)
  RESC:  RPS OR 2/3 CVCS
  REHR:  1/2 MFW (PCS) (1/1 MFW for Loss of One MFW Train) OR 1/2 AFW
  PSR:   With RPS Success: None
         With RPS Failure: 4/4 SRV Open
  RCSI:  With RPS Success: 2/4 reclose
         With RPS Failure: 4/4 reclose
  With RPS & CVCS Failure: None Effective (3)
  CNHR:  1/4 CARC OR 1/2 CSSI
  CNRR:  1/2 CSSI

TABLE A.3 NOTES

Success Criteria for Transient Systems from Text:

PCS: 1 of 2 MFW pump trains and 1 of 3 condensate booster pump trains and 1 of 3 condensate pump trains and interconnecting valves, etc. and 1 of 2 steam generators

SSRS: 1 of 4 turbine bypass valves or 2 of 2 atmospheric dump valves or 1 of 16 steam generator safety valves

SRVs open: 2 of 4 relief valves, where there are 2 PORVs, 2 CSVs; 4 of 4 with RPS failure

AFWS: 2 of 4 branches at 200 gpm each or 1 of 4 branches at 400 gpm (at least 400 gpm required) to 1 of 2 steam generators from 1 of 1 motor driven pumps at 450 gpm each (neglecting cross-tie from Unit 2) or 1 of 1 turbine driven pumps at 700 gpm each

CARCS: 1 of 4 fan units and SRW subsystem

CSS: 1 of 2 pumps

RPS: One-half of the control rod assemblies (CEAs) insert

CVCS: 1 of 2 boric acid pumps and 2 of 3 charging pumps and 1 of 2 injection paths


Table A.4 Transients T1/T2/TDC and TSRW Event Tree Notes

1. Failure of SSR/AFW to remove sufficient heat from the reactor coolant system after a Loss of Offsite Power (LOSP) or Loss of Power Conversion System (PCS) will result in core melt.
2. For all accidents leading to core melt, the consequences may be mitigated by containment atmospheric heat and radioactivity removal. Therefore, the operational response decisions for CARC and CSSI appear in these cases.
3. Failure of CSSI results in failure to remove radioactivity from the containment atmosphere.
4. Failure of CSSI when CARC has also failed results in complete loss of containment atmospheric heat removal and potential containment overpressure rupture.
5. Successful CVCS operation after failure of RPS will make the reactor subcritical with no side effects due to pressure spikes (see the discussion of the ATWS(PSF) sequence in Chapter 8). It is assumed that the SRVs will be challenged when the RPS fails.
6. Failure of CVCS and RPS constitutes failure to reach subcriticality. Reactor power will equilibrate at the AFW heat removal rate of about 5% after a severe pressure transient and substantial loss of primary inventory.
7. Due to failure of RPS but successful shutdown of the reactor by CVCS, the opening and reclosing of the SRVs is required. It is assumed that the excess pressure will not rupture the RCS and that the core will remain intact (see the discussion of the ATWS(PSF) sequence in Chapter 8).
8. Failure to reclose any one of the SRVs after RPS failure will result in a Small-small LOCA and subsequent core melt since the resulting high equilibrium primary pressure will prevent successful primary makeup for an extended period of time due to the low HPSI pump shutoff head.
9. Failure of SRVs to open is assumed to result in RCS overpressure and subsequent loss of RCS integrity and core melt.

10. CVCS will provide successful reactor shutdown but will not provide successful coolant makeup.


11. Successful recovery does not require operation of the PORVs or Code Safeties when RPS succeeds, as described in NUREG-0635 for a realistic treatment of loss of feedwater transients. However, since there is a chance that a PORV may be opened, the SRV RECLOSE success would be required.
12. Sequences with failure of CARCS and/or CSSI are probabilistically negligible. CSSI was chosen so that both containment heat removal and radioactivity removal are successful.
13. It is assumed that successful recovery from a T1 or T2 transient would result from successful RPS, SSR, AFW, and SRV RECLOSE (if SRV's demanded). However, in the event that RPS fails, successful recovery requires PORV and code safety operation.
14. Failure to reclose a PORV after RPS success would result in a small-small LOCA. The success of this sequence depends on LOCA mitigating systems success.


Table A.5 Transient T3 Event Tree Notes

1. Successful opening and reclosing of the PORVs with the reactor subcritical and adequate reactor heat removal will ensure a safe recovery. The RCS coolant loss through the PORVs will be retained by the reactor coolant drain tank.
2. Failure to reclose one of the PORVs will lead to a Small-small LOCA.
3. Failure to open any of the primary system pressure relief valves is assumed to result in RCS overpressure and subsequent loss of RCS integrity and core melt.
4. For all accidents leading to core melt, the consequences may be mitigated by containment overpressure suppression and adequate containment atmospheric heat removal, which is carried out by CARC and/or CSSI.
5. Failure of CSSI results in a reduced capability to remove radioactivity from the containment atmosphere.
6. Failure of CSSI when CARC has also failed results in complete loss of containment atmospheric heat removal and potential containment overpressure rupture.
7. Failure of SSR/AFW after failure of SSR/PCS will result in core melt due to insufficient reactor heat removal.
8. The initiator involves a turbine trip which will cause the PCS to run back to a 5% flow level.
9. Due to the failure of RPS, the shutdown of the reactor is carried out by operation of CVCS, and the opening of the PORVs and Code Safeties can be expected. It is assumed that the excess pressure will not rupture the RCS and that the core will remain intact (see discussion of the ATWS(PSF) sequence in Chapter 8).
10. Success of CVCS after failure of RPS is assumed to provide the additional needed coolant inventory provided the SRVs reclose.
11. Failure of RPS followed by failure of SSR/PCS would leave only SSR/AFW to remove heat from a reactor that is undergoing a slow shutdown. Safe recovery, even with pressure relief, may be less certain than for the PCS success sequence.


12. The initiator involves a turbine trip which runs back PCS flow to 5%.
13. With PCS flow at 5% and AFW flow at 5%, the excess energy in the core upon failure to scram will make the RCS pressure equilibrate near the RCS safety valve setpoints after a moderately severe pressure transient and substantial loss of primary inventory.
14. Failure of SSR/PCS with the reactor still critical would leave only SSR/AFW to remove heat. Reactor power will equilibrate at the AFW heat removal rate of about 5% after a severe pressure transient and substantial loss of primary inventory.
15. Sequences with failure of CARCS and/or CSSI are probabilistically negligible. CSSI was chosen so that both containment heat removal and radioactivity removal are successful.
16. Transient-induced LOCAs following failure to trip the reactor but successful shutdown by CVCS are assumed to result in core melt because the pressure will equilibrate above the HPSI pump shut-off head for an extended period of time.
17. Core melt sequences are distinguished from each other due to timing of core melt and subsequent radionuclide release to the containment.


Table A.6 Transient T4 Event Tree Notes

1. Successful recovery from a T4 event is assumed to be achieved by tripping the reactor and removing reactor heat.
2. Failure of SSR/AFW after failure of SSR/PCS will result in core melt due to insufficient reactor heat removal.
3. For all accidents leading to core melt, the consequences may be mitigated by containment overpressure suppression and adequate containment atmospheric heat removal, which is carried out by CARC and/or CSSI.
4. Failure of CSSI results in a reduced capability to remove radioactivity from the containment atmosphere.
5. Failure of CSSI when CARC has also failed results in complete loss of containment atmospheric heat removal and potential containment overpressure rupture.
6. Due to the failure of RPS but successful shutdown of the reactor carried out by operation of CVCS, the opening of the PORVs and code safeties can be expected. It is assumed that the excess pressure will not rupture the RCS and that the core will remain intact (see the discussion of the ATWS(PSF) sequence in Chapter 8).
7. Success of CVCS after failure of RPS is assumed to provide the additional needed coolant inventory provided the SRVs reclose.
8. Failure to reclose one or both of the PORVs after RPS failure will lead to a small-small LOCA and subsequent core melt, since the pressure will equilibrate above the HPSI pump shut-off head for an extended period of time.
9. Failure to open any of the primary system pressure relief valves would lead to RCS overpressure and rupture. This event is assumed to lead to a loss of RCS integrity and subsequent core melt.
10. Failure of RPS followed by failure of SSR/PCS would leave only SSR/AFW to remove heat from a reactor that is undergoing a slow shutdown. Safe recovery, even with pressure relief, may be less certain than for the PCS success sequence.


11. Failure to shut down the reactor would allow the PCS to remove heat at a power level greater than or equal to 5%. Should turbine trip or MSIV closure occur after the T4 initiator, the PCS would run back to 5%. This is expected to occur in about 50% of the cases.
12. With PCS flow at 5% and AFW flow at 5%, the excess energy in the core upon failure to scram will make the RCS pressure equilibrate near the RCS safety valve setpoints after a moderately severe pressure transient and substantial loss of primary inventory.
13. Failure of SSR/PCS with the reactor still critical would leave only SSR/AFW to remove heat. Reactor power will equilibrate at the AFW heat removal rate of about 5% after a severe pressure transient and substantial loss of primary inventory.

14. Sequences with failure of CARCS and/or CSSI are probabilistically negligible. CSSI was chosen so that both containment heat removal and radioactivity removal are successful.

A.4.0 REFERENCES

1. "Reactor Safety Study Methodology Applications Program: Calvert Cliffs #2 PWR Power Plant," NUREG/CR-1659, Vol. 3.
2. NUREG-0460, "Anticipated Transients Without Scram for Light Water Reactors," (U.S. Nuclear Regulatory Commission, April 1978), Appendix II, "Scram Failure Probability."
3. "ATWS: A Reappraisal, Part 3: Frequency of Anticipated Transients," EPRI NP-2230, Interim Report, January 1982.
4. Fletcher, C. D., "A Revised Summary of PWR Loss of Offsite Power Calculations," EGG-CAAD-5553, Appendix D, September 1981.
5. "PORV Failure Reduction Methods - Final Report," Combustion Engineering, CEN-145, Docket No. 50-317, December 1980.
6. ATWS Early Verification, Response to NRC Letter of February 15, 1979, for Combustion Engineering NSSSs, CENPD-263-NP, November 1979.
7. "Generic Evaluation of Feedwater Transients and Small-Break Loss-of-Coolant Accidents in Combustion Engineering Designed Operating Plants," NUREG-0635, January 1980.


Appendix B
Front-Line and Support System Analysis

Appendix B.1
Introduction to the Analysis of CC-1 Front-Line and Support Systems

B.1 INTRODUCTION

B.1.0 Purpose

The purpose of this introductory section of Appendix B is to delineate which systems are analyzed in this report, describe the nomenclature, and provide a pathway through the various fault trees and fault summary tables.

B.1.2 Included Systems

The systems analyzed in Appendix B are those front-line systems identified in the event trees presented in Appendix A. These include the High Pressure Injection and Recirculation Systems (HPSI/R), the Safety Injection Tank System (SIT), the Containment Spray Injection and Recirculation Systems (CSSI/R), the Shutdown Heat Removal System (SDHX), the Containment Air Recirculation and Cooling System (CARCS), the Auxiliary Feedwater System (AFW), the Reactor Protection System (RPS), the Low Pressure Safety Injection System (LPSI), the Power Conversion System (PCS), the Chemical Volume and Control System (CVCS) and the Primary Relief Valves (SRV/PORVs).

Also analyzed in Appendix B are the support systems whose action is required by the front-line systems during the course of an accident. That is, not all of the support systems at Calvert Cliffs Unit 1 were analyzed to the depth presented here. Preliminary analysis of the plant systems, initiating events, and event tree construction revealed several support systems which either did not need detailed examination or could be included in the analysis of another support system. Those support systems included here are the Emergency Electrical Power System, Engineered Safety Features Actuation System, Service Water System, Component Cooling Water System, Salt Water System, Heating and Ventilation System and Human.

Those support systems which did not require detailed analysis include instrument air, because the valves requiring it fail safe upon loss of air or there are secondary seismically qualified air supplies. Support systems included in other analyses were non-nuclear instrumentation and the feedwater regulating system. The first was examined in Chapter 4, the initiating event analysis, while the second was treated as part of the Power Conversion System.

B.1.3 Nomenclature

In general, the systems analysis followed the methodology presented in NUREG/CR-3268, "Modular Fault Tree Analysis Procedures Guide" which was briefly described in Chapter 6. The systems were divided into pipe and wire segments, as appropriate, and the rules outlined in the reference were used in constructing the fault trees.

The naming scheme for the intermediate and basic events follows that described in the above reference. This section will not attempt to describe all the descriptors found there, but will present an overview. The scheme is divided into three parts. The first part is eight characters long with the first three characters representing the system (e.g., HPI for high pressure injection), the next four characters being a component identifier which is associated with either a piping or wiring diagram from the plant, and the last character identifying the system train to which the component belongs (e.g., A or B). The second part of the scheme is three characters in length and specifies the component type (e.g., VCC for motor-operated valve, normally closed and faults in the closed position). The last part of the scheme is 2-4 characters in length and identifies the fault type (e.g., LF for local fault, FRFM for failure to restore from maintenance).
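The three-part naming scheme described above, as an added Python example that is not part of the original report: it splits an event name into its fields, rejects names whose part lengths do not fit the scheme, and groups fault types by component. The hyphen separator between the three parts, the function names, and the component identifiers in the sample names (0654, 0656) are assumptions made for illustration; only the codes HPI, VCC, LF and FRFM come from the text.

```python
"""Parser for the basic-event naming scheme of B.1.3 (added example)."""
import re
from collections import defaultdict
from typing import NamedTuple

# Only the codes quoted in the text are listed; anything else is shown as-is.
SYSTEMS = {"HPI": "high pressure injection"}
COMPONENT_TYPES = {
    "VCC": "motor-operated valve, normally closed, faults in the closed position",
}
FAULT_TYPES = {"LF": "local fault", "FRFM": "failure to restore from maintenance"}

_ALNUM = re.compile(r"[A-Z0-9]+")


class FaultEvent(NamedTuple):
    system: str          # first 3 characters of part one
    component_id: str    # next 4 characters (piping or wiring diagram identifier)
    train: str           # last character of part one, e.g. A or B
    component_type: str  # part two, 3 characters
    fault_type: str      # part three, 2-4 characters


def _check(part, label, min_len, max_len):
    """Raise ValueError unless part is alphanumeric and within the length bounds."""
    if not (min_len <= len(part) <= max_len) or not _ALNUM.fullmatch(part):
        raise ValueError(
            f"{label} {part!r}: expected {min_len}-{max_len} letters or digits")


def parse_event(name, sep="-"):
    """Split an event name into its fields; sep is an assumed separator."""
    parts = name.strip().upper().split(sep)
    if len(parts) != 3:
        raise ValueError(f"{name!r}: expected three parts separated by {sep!r}")
    ident, ctype, fault = parts
    _check(ident, "identifier", 8, 8)
    _check(ctype, "component type", 3, 3)
    _check(fault, "fault type", 2, 4)
    return FaultEvent(ident[:3], ident[3:7], ident[7], ctype, fault)


def describe(event):
    """Readable description, falling back to the raw code when it is unknown."""
    return (f"{SYSTEMS.get(event.system, event.system)}, "
            f"component {event.component_id}, train {event.train}: "
            f"{COMPONENT_TYPES.get(event.component_type, event.component_type)}; "
            f"{FAULT_TYPES.get(event.fault_type, event.fault_type)}")


def faults_by_component(names):
    """Map (system, component_id, train) to the fault types named for it."""
    grouped = defaultdict(list)
    for name in names:
        ev = parse_event(name)
        grouped[(ev.system, ev.component_id, ev.train)].append(ev.fault_type)
    return dict(grouped)


# Constructed sample names (not taken from the report's fault trees).
SAMPLE_EVENTS = ["HPI0654A-VCC-LF", "HPI0654A-VCC-FRFM", "HPI0656B-VCC-LF"]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(sample, "->", describe(parse_event(sample)))
```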

B.1.4 Guide to the Fault Trees

We have attempted to provide an easy pathway through the fault trees. Given that the reader knows which system event, identified in the event trees of Appendix A, he wishes to understand, he should proceed to the appropriate systems analysis section in Appendix B. In this section he will find a description and diagram of the system as modeled in this analysis. After familiarizing himself with the structure of the system, the reader is referred to the envelope of aperture cards at the back of this volume which contains all the fault trees. Each system fault tree is plotted on one or more of these aperture cards. The tree is developed there with transfers to support systems shown as developed events.

Appendix B.2
Safety Injection Tanks System

B.2 SAFETY INJECTION TANKS SYSTEM DESCRIPTION

B.2.1 Purpose

The Safety Injection Tanks (SITs) are passive components which provide core protection continuity through flooding the reactor core with borated water following a large reactor coolant system pipe failure.

B.2.2 Description

B.2.2.1 Overall Configuration

The four Safety Injection Tanks (SITs) are self-contained, self-actuating, and passive in nature. During normal plant operation, the tanks are half-filled with borated water and pressurized to 200 psig with nitrogen. They are connected to the reactor coolant system (RCS) by two check valves in series held closed by the higher RCS pressure. If the RCS pressure drops below approximately 200 psig, the check valves will open and the tanks discharge into the RCS. A motor-operated gate valve is provided to permit isolating the tanks and prevent their emptying during normal plant cooldown and depressurization. These motor-operated valves (MOVs) are locked open and their associated breakers are de-energized during reactor power operation, and valve position indication is shown in the control room.

Three of the four tanks contain sufficient water to cover the core following a Design Basis Accident (DBA). The tanks contain borated water at a boron concentration of 1720 ppm. This is sufficient to maintain the core subcritical by 5 percent reactivity at 60°F with all control rods withdrawn.

Connections are provided on the SITS for filling, draining, venting, relieving, sampling, and correcting the boron concentration of the tank contents. Level and pressure indicators and alarms are provided in the main control room for each tank. Parameters for the SITS are given in Table' B.2.1. A simplified overall system configuration is shown on Figure B.2-1.

B.2.2.2 System Interfaces

The SITS are basically a passive, independent system which requires no support from any subsystem for successful operation once they have been pressurized. Hence, the only support of any kind is in the filling and pressurization of the tanks. A support system Failure Mode and Effects Analysis (FMEA) is presented in Table B.2.2.

B.2.2.3 Instrumentation and Control

The SITS have no operational function during normal plant operation, hence there are no active control circuits. Instrumentation is provided which gives SIT pressure and level indications in the control room. Each tank has two pressure and two level sensor channels.

B.2.2.4 Operator Actions

There are no operator actions required for the SITS to perform their function. Operator action is required for surveillance and for maintaining the proper tank pressure, level, and boron concentration.

B.2.2.5 Surveillance

Each SIT is demonstrated operable:

1. Every eight-hour shift (technical specifications specify every 12 hours) by:
a. verifying the contained borated water level and nitrogen cover-pressure in the tanks, and
b. verifying that each SIT isolation valve is open.
2. At least once per 31 days by verifying the boron concentration of the SIT solution.

B.2.2.6 Maintenance

The SITS have no active components. Hence maintenance during power operation is performed on an as-needed basis, and includes only instruments and vents. Maintenance which takes even one SIT out of service is not allowed during reactor power operation.

B.2.2.7 Technical Specification Limitations

The following requirements shall be met by the SITS when the reactor is in operation:

1. The motor-operated isolation valve open,
2. A contained borated water volume of between 1113 and 1179 cu. ft. (equivalent to tank levels of between 187 and 199 inches, respectively),
3. A boron concentration of between 1720 and 2200 ppm, and
4. A nitrogen cover-pressure of between 200 and 250 psig.

B.2.3 Operation

The SITS are independent of any other system and require no operator or control action to actuate. During normal plant operation, the SIT isolation MOV is open, and the two check valves serve to prevent the high pressure reactor coolant from entering the SITS. Under a LOCA condition, if the RCS pressure drops below approximately 200 psig the check valves open and the tanks discharge into the RCS.

B.2.4 Fault Tree Description

A simplified system diagram for the SITS (used for fault tree modeling) is shown in Figure B.2-2. The SITS fault tree is shown on the appropriate aperture card in the envelope at the back of this report. Data used to evaluate the tree is shown in Table B.2.3.

B.2.4.1 Success/Failure Criteria

The success criteria for the SITS is defined as "the successful injection of 3 out of 4 safety injection tanks into the reactor core in case of a large LOCA in a cold leg." It is assumed that the contents of one of the tanks (11A) is spilled on the containment floor. Hence, the fault tree top event for safety injection tanks is defined as "one SIT train (not connected to the failed loop) fails to function." This criteria is based on the FSAR.

B.2.4.2 Major Assumptions

The following assumptions were considered during the construction of the SITS fault tree.

1. Since MOVs SI-614, 624, 634, and 644 are locked open, have their associated circuit breakers de-energized, and also have their position indication checked every shift in the control room, misposition faults have been neglected.
2. Since having one SIT inoperable (due to test or maintenance) for more than 1 hour would violate the technical specifications, test and maintenance faults have been neglected.
3. Since each SIT pressure or level is checked every shift (every 8 hours), and also since boron concentration is checked monthly and after each makeup, faults of the above nature have been neglected.

Table B.2.1 Safety Injection Tanks Parameters

Safety Injection Tanks
Quantity                          4
Type                              Vertical right cylindrical
Design Pressure                   250 psig
Normal Operating Pressure         200 psig
Design Temperature                200°F
Operating Temperature             120°F
Total Volume Per Tank             2015 cu ft
Minimum Liquid Volume Per Tank    1113 cu ft
Material of Construction          Carbon Steel with Type 304L Stainless Steel

Table B.2.2 Support System FMEA

FRONT LINE SYSTEM | SUPPORTING SYSTEM OR COMPONENT | FAILURE MODE | FAULT EFFECT ON FRONT LINE SYSTEM FUNCTION | DETECTION METHOD
Safety Injection Tanks | Nitrogen supply system | Loss of nitrogen supply | SIT pressurized? YES - none; NO - inability to press. SIT | Low pressure alarm sounds in control room
Safety Injection Tanks | Pressure relief valve on SIT fails | Loss of tank pressure | Disables SIT | Low pressure alarm sounds in control room
Safety Injection Tanks | SIT make-up system | Lowers level of SIT | Volume of borated water lowers in SIT | Low level alarm sounds in control room

Table B.2.3 SAFETY INJECTION TANK SYSTEM (SIT) DATA

Event Name | Event / Sub Event Description | Sub Event Failure Rate (per/hr) | Fault Exposure Time (hr) | Sub Event Unavail. q | Event Unavail. Q = Σq
SIS 011AX-PIP-LFD | Large Pipe Break | -- | -- | -- | 1
SIT 02151-CCC-LF, SIT 0225X-CCC-LF, SIT 0235X-CCC-LF, SIT 0245X-CCC-LF, SISO217X-CCC-LF, SIS 0227X-CCC-LF, SIS 0237X-CCC-LF, SISO247X-CCC-LF | Check Valve Failure To Open | -- | 4320 | -- | 4.0E-4
SIT 0211X-RCO-LFM, SIT 0221X-RCO-LFM, SIT 0231X-RCO-LFM, SIT 0241X-RCO-LFM | Relief Valve Fails Open (Annunciated in Control Room - 3 hrs. Detection, 1 hr Repair: Tech. Spec. Limit) | 3.0E-6 | 4 | -- | 1.2E-5
SIT 011AX-TNK-LF, SIT 011BK-TNK-LF, SIT 012AX-TNK-LF, SIT 012BI-TNZ-LF | Tank Local Faults (Rupture) (WASH-1400 Large Pipe Rupture) | 8.5E-10 | 4 | -- | 3.4E-9
SIT 0614A-VOC-LF, SIT 0624A-VOC-LF, SIT 0634B-VOC-LF, SIT 0644B-VOC-LF | MOV Failure To Remain Open (Plug) | 1.0E-7 | 4320 | -- | 4.3E-4
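As an added example (not part of the original report), the Python code below recomputes the Table B.2.3 unavailabilities as failure rate times fault exposure time and rolls them up for the top event defined in B.2.4.1. The per-train component counts (taken from the B.2.2.1 description), the independence of basic events, and the function names are assumptions made here; the report's own fault tree is on the aperture cards and is not reproduced.

```python
"""Consistency check and roll-up of Table B.2.3 (added illustration)."""
from math import prod

# (description, failure rate per hr or None, exposure time hr, listed Q, count per SIT train)
# Rates, times and Q values are transcribed from Table B.2.3.
# ASSUMPTION: counts per train follow B.2.2.1 (two check valves in series,
# one isolation MOV, one relief valve and one tank for each SIT).
TABLE_B23 = [
    ("check valve fails to open", None, 4320, 4.0e-4, 2),
    ("relief valve fails open", 3.0e-6, 4, 1.2e-5, 1),
    ("tank rupture", 8.5e-10, 4, 3.4e-9, 1),
    ("MOV fails to remain open (plug)", 1.0e-7, 4320, 4.3e-4, 1),
]


def two_sig(value):
    """Format to two significant figures, the precision the table prints."""
    return f"{value:.1e}"


def inconsistent_rows(table):
    """Return descriptions whose listed Q does not equal rate * exposure time.

    Rows without a failure rate (demand-type entries such as the check
    valves) cannot be recomputed and are skipped.
    """
    bad = []
    for desc, rate, hours, listed_q, _count in table:
        if rate is None:
            continue
        if two_sig(rate * hours) != two_sig(listed_q):
            bad.append(desc)
    return bad


def train_unavailability(table, exact=False):
    """Unavailability of one SIT train, treating every component as a
    single-point failure of that train (OR gate over its basic events)."""
    qs = [q for _d, _r, _t, q, count in table for _ in range(count)]
    if exact:
        return 1.0 - prod(1.0 - q for q in qs)
    return sum(qs)  # rare-event approximation


def top_event(table, intact_trains=3, exact=False):
    """Probability that at least one of the intact trains fails.

    B.2.4.1 needs 3 of 4 tanks and assumes tank 11A spills through the
    break, so a failure of any of the three remaining trains is the top event.
    """
    q_train = train_unavailability(table, exact=exact)
    if exact:
        return 1.0 - (1.0 - q_train) ** intact_trains
    return intact_trains * q_train


if __name__ == "__main__":
    print("rows inconsistent with q = rate * time:", inconsistent_rows(TABLE_B23))
    print("one train (rare-event):", two_sig(train_unavailability(TABLE_B23)))
    print("top event (rare-event):", two_sig(top_event(TABLE_B23)))
    print("top event (exact):     ", two_sig(top_event(TABLE_B23, exact=True)))
```

The rare-event sum slightly overstates the exact value; with unavailabilities this small the two agree to two significant figures.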

Figure B.2-1 Simplified Diagram of Safety Injection Tanks (SITS)

Figure B.2-2 SIT Simplified System Diagram Used in Fault Tree Modelling

Appendix B.3 Low Pressure Safety Injection/Recirculation System

B.3 LOW PRESSURE SAFETY INJECTION/RECIRCULATION SYSTEM DESCRIPTION

B.3.1 Purpose

The Low Pressure Safety Injection/Recirculation (LPSI/R) system is part of the SIS which performs the following LOCA mitigating functions:

1. Injects borated water into the RCS to cool the reactor core following a large LOCA in order to limit fuel rod damage and radioactivity release to the containment.
2. Provides for the removal of heat from the core for extended periods of time following a LOCA.

B.3.2 Description

B.3.2.1 Overall Configuration

A simplified schematic of the system is shown in Figure B.3-1. The system is composed of the following major components and associated piping, valves, actuation, instrumentation, controls and power supply systems:

1. RWT
2. Two (2) LPSI/R pumps
3. Four (4) motor operated LPSI/R valves
4. Two (2) MOVs at the RWT outlet and two MOVs in the containment sump lines (these are common to SIS and CSS)

A short description of the components of the LPSI/R System is given in the following sections.

Refueling Water Tank (RWT)

During emergency safety injection, the safety injection pumps and the containment spray pumps take suction from the RWT. During plant operation, at least 400,000 gallons of borated water must be available for safety injection and containment spray. The useful tank capacity exceeds 400,000 gallons and provides 36 minutes of safety injection time with all pumps operating at design flow rates. The water is maintained at a boron concentration of 1720 ppm at a temperature T (40°F ≤ T ≤ 100°F). The tank has two safety injection outlets which are physically separated to preclude the possibility of simultaneous plugging. Other connections are provided for draining, filling, purification, external heating, and instrumentation. Two instrument channels give the control room indication of the water level in the RWT. Each indicator actuates an alarm on high or low water level in the tank.

LPSI/R Pumps

Each of the two LPSI/R pumps is connected to one of the two independent suction headers which also serve the HPSI/R and CSS pumps. The LPSI/R pumps are horizontal single stage centrifugal pumps driven by 400 HP induction motors supplied from the 4160V buses. The pump motor is capable of starting and accelerating the pump to full speed with 75% of rated voltage. The pumps are provided with minimum flow protection to prevent damage when starting against a closed system.

CCW is used to cool the seal water from the pumping ring, the bearing housing and the stuffing box jacket. The seal water from the pumping ring passes through an external cooler mounted on the pump base. Data for the LPSI/R pumps are given below:

LPSI/R Pump Data

Type                           Single stage, horizontal, centrifugal
Motor Voltage                  4000 (off 4160V bus)
Design Pressure, psig          500
Design Temperature             350
Design flow (per pump), gpm    3000
Horsepower                     400

Valves

The four power-operated LPSI/R valves are located outside the containment. These valves open automatically on initiation of SIAS.

Manual valves are provided for LPSI/R pumps suction and discharge isolation. These are of the globe type designed with leakage limiting devices when in the open position.

All check valves are of the totally enclosed type.

Check valves in the pump suction lines are of a low pressure drop type with flow resistance characteristics equal to or less than a clearway swing check valve of the same size.

Other check valves are of the conventional swing type.

B.3.2.2 System Interfaces

Shared Components

The two independent suction headers supplied from either the RWT or the containment sump lines and a common portion of the pump recirculation lines are shared by the HPSI/R, LPSI/R, and CSS/SDHX systems. A common portion of the four injection lines to the reactor vessel is shared by the SITS, HPSI/R, and LPSI/R systems.

Electrical System

LPSI/R pumps are powered from the 4kV ESF buses. Pump 11 is powered from bus 11 (load group A) and pump 12 is powered from bus 14 (load group B). Motor-operated valves are powered from the 480V AC motor control centers (MCCs) 114R and 104R.

Control Power

Control power for LPSI/R pumps 11 and 12 is provided from the 125V DC bus 11 and 21, respectively. The controls for motor-operated valves are supplied 120V AC through a transformer off the 480V AC MCCs. Table B.3.1 shows the motive/control power for LPSI/R components requiring actuation.

Actuation System

LPSI/R pumps 11 and 12 are actuated by the SIASs A3 and B3, respectively. The pumps are shut down by the RASs A1 and B1, respectively, as shown in Figure B.3-2. Motor-operated LPSI/R flow control valves in the safety injection lines are actuated by SIAS A1 and B1, as shown in Figure B.3-3. Sump discharge valves are actuated by RAS A1 and B1 as shown in Figure B.3-4. A list of LPSI/R components requiring actuation is presented in Table B.3.1.

Component Cooling

CCW is provided for cooling the safety injection pump seals and bearings.

Pump Room Cooling

LPSI/R pumps are located in the ECCS pump rooms 11 and 12, which are served by motor space heaters and pump room cooling. The plant heating system is used to maintain the RWT contents at a minimum temperature of 45°F through the RWT heat exchanger.

The Support System FMEA for the LPSI/R system is shown in Table B.3.2.

B.3.2.3 Instrumentation and Control

LPSI/R system instrumentation is part of the ESF instrumentation which provides the equipment necessary to initiate the required safety features functions and monitors the power sources acting to assure the availability of emergency power to provide flow from at least one HPSI/R pump and one LPSI/R pump to one injection line. The controls are designed to automatically provide the sequence of operations required to initiate ESF system operation with and without offsite power available. The following ESF subsystems are related to the actuation of the LPSI/R system:

Sensor Subsystems

1. Containment pressure
2. Pressurizer pressure
3. RWT level

Actuation Subsystems

1. SIAS
2. RAS

The following measurement channels are provided for the LPSI/R system:

Pressure

1. LPSI/R pump pressure with transmitters at the discharge of each pump to indicate operation of the pumps
2. LPSI/R pressure with transmitter located on the LPSI/R line downstream of the shutdown cooling heat exchanger bypass connection. This indicator is used to determine when the LPSI/R pumps are operating and the magnitude of their discharge pressure.

Flow

1. LPSI/R Flow: These orifice flow meters indicate flow rates in each of the four low-pressure injection lines. Readout is provided in the main control room on the vertical display panel. The meters read flow rates between 0 gpm and 3000 gpm.

Level

1. RWT Level: Two instrument channels give control room indication of the water level in the RWT. Each indicator actuates an alarm on high or low water level in the tank.
2. RWT Level: Four level switches provide input to the RAS logic. The signal is initiated when any two of the four switches indicate low tank water level.

B.3.2.4 Operator Actions

The LPSI/R System is automatically actuated by an SIAS. Operator action is not required in the injection phase of operation. However, in the recirculation phase, operator action is required to override the RAS signal (which turns off the LPSI pumps) and start the LPSI/R pumps for recirculation, if necessary. Operator action is also required to manually close the RWT suction valves after verifying the opening of the containment sump line valves. Also, according to EOP-5, operator action is required for generation of a manual RAS signal. Therefore, operation in the recirculation mode (LPSR) was ruled out as a front-line mitigating system in the event tree and fault tree analysis and was instead treated as a recovery action.

B.3.2.5 Surveillance

The following LPSI/R surveillance requirements are specified in Section 4.5.2 of CC-1 Technical Specifications:

1. LPSI/R control valve CV-306 shall be demonstrated operable by verifying at least every 12 hours that the valve is open with power to valve operator removed.
2. At least once per 31 days the containment sump isolation valves MOV SI-4144 and MOV SI-4145 are verified to open upon RAS (test signal).
3. Once per 31 days, MOV-615, 625, 635, 645 are verified to open upon SIAS (test signal).
4. Verifying that each valve (manual, power operated or automatic) in the flow path that is not locked, sealed, or otherwise secured in position is in the correct position at least once per 31 days.
5. A quarterly stroke test is done on all LPSI/R MOVs.
6. At least once per 18 months a visual inspection is performed on the containment sump.

The following surveillance test procedures are related to the LPSI/R System:

0-4-1 Integrated ESF Test
0-7-1 ESF Monthly Logic Test
0-62-1 Monthly Valve Position Verification
0-65-1 Quarterly Valve Operability Verification
0-67-1 Check Valve Operability Verification
0-73-1 ESF Performance Test
0-74-1 ESF Component Bearing Temperature Test
0-93-1 Locked Valve Verification

LPSI/R component test information is presented in Table B.3.3.

B.3.2.6 Maintenance

Since the technical specifications require that two independent ECCS subsystems be operable, repair or maintenance on the LPSI/R system requiring more than 72 hours will require plant shutdown. Therefore, unavailability due to maintenance is limited to minor repairs and maintenance with a duration of up to 72 hours. During that time, only one ECCS subsystem will be available in case of a LOCA. In the LPSI/R system analysis, maintenance has been considered for pumps, MOVs and circuit breakers. Information regarding LPSI/R component maintenance is presented in Table B.3.4.

B.3.2.7 Technical Specification Limitations

Technical Specifications (Section 3.5.2) require that for RCS Tave ≥ 300°F, two independent ECCS subsystems shall be operable with each subsystem comprised of:

1. One operable HPSI/R pump
2. One operable LPSI/R pump
3. An operable flow path capable of taking suction from the RWT on SIAS and automatically transferring suction to the containment sump on a RAS

With one ECCS subsystem inoperable, restore the inoperable subsystem to operable status within 72 hours or the plant shall be in hot shutdown within the next 12 hours. Technical Specifications (Section 3.5.4) require that the RWT shall be operable with:

1. A minimum contained borated water volume of 400,000 gallons
2. A boron concentration between 1720 and 2700 ppm
3. A minimum water temperature of 40°F
4. A maximum solution temperature of 100°F

With the RWT inoperable, Technical Specifications require restoring the tank to operable status within 1 hour or the plant must be in at least hot standby within 6 hours and in cold shutdown within the following 30 hours.

B.3.3 Operation

During normal operation, components of the LPSI/R System are in the standby mode for possible emergency operation. Any condition which causes a low pressurizer pressure or high containment pressure will start both LPSI/R pumps and open the LPSI/R system isolation valves. Safety injection is initiated when the pressurizer pressure drops below 1600 psia + 22 psi, or when the containment pressure rises above 2.8 psig.

The safety injection pumps initially draw borated water from the RWT. This tank has sufficient water volume to supply safety injection flow for at least 36 minutes, assuming that three HPSI/R and two LPSI/R pumps and two CSS pumps are running. When the RWT is 10 percent full (water level reaches 30 inches), a RAS signal opens the isolation valves in the two lines from the containment sump and shuts down the LPSI/R pumps. The RWT suction valves remain open initially during the switch to the recirculation mode to preclude the loss of supply to a HPSI/R pump in the unlikely event that the isolation valve in the containment sump line should experience delay in opening. Back flow through either RWT suction line is prevented by check valves. In addition, the operator will manually close the RWT suction valves after verifying the opening of the containment sump line valves. The earliest that automatic recirculation would occur is 36 minutes, assuming that all ESF pumps are running.

During recirculation, the LPSI/R pumps may be arranged to take suction from the containment sump and discharge to the shutdown heat exchangers or directly into the reactor vessel as backup either for the CSS pumps or the HPSI/R pumps. This arrangement has not been considered in the LPSI/R system analysis because of the unusual operator actions involved.

According to Emergency Operating Procedure EOP-5, when the RWT level drops below 4 feet, the operator must initiate RAS and shut the RWT suction valves. If RAS is allowed to actuate automatically when the RWT level drops below 30 inches, it will be necessary to raise the RWT level prior to resetting the RAS. As was noted before, the resetting of the RAS signal is necessary for starting the LPSI/R pumps in the recirculation mode.

B.3.4 Fault Tree Description

A simplified LPSI/R system diagram used in the fault tree modeling is shown in Figure B.3-5. The fault tree, shown on the appropriate aperture card in the envelope at the back of this report, has as its top event failure of the system during the injection phase. The failure criteria and the major assumptions used in the development of this fault tree are described in the following sections. The data used to evaluate the tree are shown in Table B.3.5. Because LPSI/R is not normally used in the recirculation mode (as HPSI/R can draw directly from the sump and is the preferred system) and since operator action is required to re-initiate operation, it was decided to treat the LPSR mode of operation as a possible recovery action in the accident sequence analysis (see chapter 8 of the main report or Appendix C) and no fault tree was drawn for the recirculation phase.

B.3.4.1 Success/Failure Criteria

The failure criteria used to describe the top event in the fault tree is:

o Failure to deliver the flow of one out of two LPSI/R pumps to one out of four safety injection headers during injection (pump suction headers supplied from RWT)

B.3.4.2 Major Assumptions

Besides the general assumptions adopted in the IREP modular fault tree construction, the following assumptions were made with respect to the LPSI/R fault tree:

1. RWT water temperature was above 45°F and failure of RWT due to freezing was not considered in the fault tree.
2. No significant flow diversion paths to other ESF systems were identified.
3. Unavailability due to test events for pumps and MOVs was neglected. Testing of the MOVs requires a very short period of time and testing of the pumps does not make them unavailable.
4. Failure to restore events for MOVs and their breakers were neglected due to the following reasons:
a. LPSI/R MOVs get ESFAS signals to actuate and go to their safe positions.
b. In case the MOV was not restored to its required position following test and/or maintenance, wrong positioning would be indicated in the control room. Also, if the MOV power breaker fails, the control power will be lost and this can also be detected by the operator during every shift.
5. A large break LOCA was assumed to occur in the loop to which injection line 11A is connected and to dump flow onto the floor, thereby failing that injection path.

Table B.3.1 LPSI/R Components Requiring Actuation for ECCS Functions

COMPONENT | MOTIVE POWER | CONTROL POWER | SIAS NO. | RAS NO.
LPSI Pump 11 | 4KV unit bus 11 (1A01) | 125V DC at bus 11 | A-3 start | A-1 stop
LPSI Pump 12 | 4KV unit bus 14 (1A04) | 125V DC at bus 21 | B-3 start | B-1 stop
MOV 615 | 480V MCC114R | 120V AC from MCC114R | A-1 | None
MOV 625 | 480V MCC114R | 120V AC from MCC114R | A-1 | None
MOV 635 | 480V MCC104R | 120V AC from MCC104R | B-1 | None
MOV 645 | 480V MCC104R | 120V AC from MCC104R | B-1 | None
MOV 4142 | 480V MCC114R | 120V AC from MCC114R | None | None
MOV 4143 | 480V MCC104R | 120V AC from MCC104R | None | None
MOV 4144 | 480V MCC114R | 120V AC from MCC114R | None | A-1
MOV 4145 | 480V MCC104R | 120V AC from MCC104R | None | B-1

Table B.3.2 LPSI/R Support System FMEA

SUPPORT SUB-SYSTEM | COMPONENT AFFECTED | FAILURE MODE | COMPONENT FAILURE EFFECT ON SYSTEM* | EFFECT OF SUBSYSTEM FAILURE ON OVERALL SYSTEM*
Electric Power: 4kV unit bus 11 | LPSI pump 11 | Low or Zero Voltage | Pump fails to start or run | LPSI pump 11 unavailable for SIS
Electric Power: BKR-152-1104 | LPSI pump 11 | F.O. | Pump fails to start or run | LPSI pump 11 unavailable for SIS
Electric Power: 4kV unit bus 14 | LPSI pump 12 | Low or Zero Voltage | Pump fails to start or run | LPSI pump 12 unavailable for SIS
Electric Power: BKR-152-1404 | LPSI pump 12 | F.O. | Pump fails to start or run | LPSI pump 12 unavailable for SIS
Electric Power: 480V MCC114R | MOV-4142 | N.O. FAI | None | None
Electric Power: 480V MCC114R | MOV-615 | N.C. FAI | Loss of injection to loop 11B from LPSI | Loss of injection to loop 11B from LPSI
Electric Power: 480V MCC114R | MOV-625 | N.C. FAI | Loss of injection to loop 11A from LPSI | Loss of injection to loop 11A from LPSI
Electric Power: 480V MCC114R | MOV-4144 | N.C. FAI | Loss of suction from containment sump | Loss of LPSI pump 11 suction during recirculation
Electric Power: 480V MCC104R | MOV-4143 | N.O. FAI | None | None
Electric Power: 480V MCC104R | MOV-635 | N.C. FAI | Failure of injection to loop 12B from LPSI pumps | Failure of injection to loop 12B from LPSI pumps
Electric Power: 480V MCC104R | MOV-645 | N.C. FAI | Failure of injection to loop 12A from LPSI pumps | Failure of injection to loop 12A from LPSI pumps
Electric Power: 480V MCC104R | MOV-4145 | N.C. FAI | Loss of suction from containment sump | Loss of LPSI pump 12 suction during recirculation
Electric Power: 125V DC bus 11 | LPSI pump 11 | Low or Zero Voltage | Failure to start LPSI pump 11, no indication | LPSI pump 11 unavailable / lose indication
Electric Power: 125V DC bus 11 | CV-306 | F.O. (on loss of air) | None | None
Electric Power: 125V DC bus 21 | LPSI pump 12 | Low or Zero Voltage | Failure to start LPSI pump 12, no indication | LPSI pump 12 unavailable / lose indication
Component Cooling | LPSI 11 | Overheat | Failure of LPSI pump 11 due to overheat | LPSI pump 11 unavailable for SIS
Component Cooling | LPSI 12 | Overheat | Failure of LPSI pump 12 due to overheat | LPSI pump 12 unavailable for SIS
SIAS A-3 | LPSI 11 | Loss of signal | Failure of LPSI pump 11 to start | LPSI pump 11 unavailable for SIS
SIAS B-3 | LPSI 12 | Loss of signal | Failure of LPSI pump 12 to start | LPSI pump 12 unavailable for SIS
SIAS A-1 | MOV-615 | Loss of signal | Blockage of LPSI injection line to loop 11B | Loss of injection to loop 11B from LPSI
SIAS A-1 | MOV-625 | Loss of signal | Blockage of LPSI injection line to loop 11A | Loss of injection to loop 11A from LPSI
SIAS B-1 | MOV-635 | Loss of signal | Blockage of LPSI injection line to loop 12B | Loss of injection to loop 12B from LPSI
SIAS B-1 | MOV-645 | Loss of signal | Blockage of LPSI injection line to loop 12A | Loss of injection to loop 12A from LPSI
RAS A1 | MOV-4144 | N.C. FAI | Failure of actuation to open valve | Failure of containment sump line for LPSI if needed during recirculation
RAS A1 | LPSI pump 11 | Loss of signal to stop | Failure of LPSI pump 11 to stop upon initiating recirculation | May fail HPSI pumps during recirculation
RAS B1 | MOV-4145 | N.C. FAI | Failure of actuation to open valve | Loss of containment sump line for LPSI if needed during recirculation
RAS B1 | LPSI pump 12 | Loss of signal to stop | Failure of LPSI pump 12 to stop upon recirculation actuation | May fail HPSI pumps during recirculation
Operator | MOV-4142 | Closes valve inadv. | Loss of suction to LPSI pump 11 | LPSI 11 unavailable for SIS
Operator | MOV-4143 | Closes valve inadv. | Loss of suction to LPSI pump 12 | LPSI 12 unavailable for SIS
Operator | LPSI pump 11 | Failure to override RAS to start | LPSI pump 11 stops during recirculation | LPSI pump 11 unavailable for recirculation
Operator | LPSI pump 12 | Failure to override RAS to start | LPSI pump 12 stops during recirculation | LPSI pump 12 unavailable for recirculation
Operator | CV-306 | Closes valve inadv. | Loss of low pressure injection from LPSI 11 and 12 | Loss of low pressure injection from LPSI 11 and 12

* Assuming no recovery

Table B.3.3 LPSI/R Component Test Summary Sheet

COMPONENT | TYPE OF TEST | COMPONENTS THAT MUST BE ALIGNED AWAY FROM ESF POSITION WITH NO AUTOMATIC RETURN | TEST FREQUENCY | EXPECTED TEST OUTAGE TIME | FREQUENCY OF COMPONENT ALIGNMENT VERIFICATION | SOURCE (TEST PROCEDURES)
Pump 11 | Flow | None | Monthly | 15 Min. | Monthly | STP 0-73-1
Pump 12 | Flow | None | Monthly | 15 Min. | Monthly | STP 0-73-1
MOV 615 | ESFAS* (Stroke) | None | Monthly | 5 Min. | 8 Hours | STP 0-7-1
MOV 625 | ESFAS (Stroke) | None | Monthly | 5 Min. | 8 Hours | STP 0-7-1
MOV 635 | ESFAS (Stroke) | None | Monthly | 5 Min. | 8 Hours | STP 0-7-1
MOV 645 | ESFAS (Stroke) | None | Monthly | 5 Min. | 8 Hours | STP 0-7-1
MOV 4144 | ESFAS (Stroke) | None | Monthly | 5 Min. | 8 Hours | STP 0-7-1
MOV 4145 | ESFAS (Stroke) | None | Monthly | 5 Min. | 8 Hours | STP 0-7-1
MOV 4142 | Stroke | None | Quarterly | 5 Min. | 8 Hours | STP 0-65-1
MOV 4143 | Stroke | None | Quarterly | 5 Min. | 8 Hours | STP 0-65-1

* The MOVs are also tested quarterly according to STP 0-65-1

Table B.3.4 LPSI/R Component Maintenance Summary Sheet

Component Undergoing Maintenance | Type of Maintenance | Components which Must be Aligned Away From ESF Position With No Automatic Return | Frequency of Component Alignment Verification | Expected Frequency of Maintenance* (/hr) | Expected Outage Time of Maintenance* (hrs)
Pump 11 | Maintenance Requiring Disassembly | Manual Valves SI-444 & SI-447 and Pump 11 Breaker | 1 Month | 1.7E-4 | 4.64
Pump 12 | Maintenance Requiring Disassembly | Manual Valves SI-432 & SI-435 and Pump 12 Breaker | 1 Month | 1.7E-4 | 4.64
MOV 4144, MOV 4145, MOV 4142, MOV 4143, MOV 615, MOV 625, MOV 635, MOV 645, MOV 660, MOV 659 | Maintenance Requiring Disassembly | Not Allowed at Power | - | - | -
MOV 615, MOV 625, MOV 635, MOV 645 | Maintenance on Component Externals | None | 8 Hours | 3.6E-6 | 7
MOV Breaker (480V) | Maintenance Requiring Disassembly | None | 8 Hours | 1.25E-6 | 4
Pump Breaker (4160V) | Maintenance Requiring Disassembly | None | 1 Month | 8.4E-6 | 8

* Plant Specific Data

Table B.3.5 LOW PRESSURE SAFETY INJECTION (RECIRCULATION) SYSTEM (LPSI/R) DATA

Event Name | Event / Sub Event Description | Sub Event Failure Rate (per/hr) | Fault Exposure Time (hr) | Sub Event Unavail. q | Event Unavail. Q = Σq
SIS 011AX-PIP-LFD | Pipe Break Cold Leg | -- | -- | -- | 1
LPIO124X-CCC-LF, LPIO134X-CCC-LF, L110144X-CCC-LP, LPIO434X-CCC-LF, LPIO446X-CCC-LF, SIS 0128X-CCC-LF, SIS 0138X-CCC-LP, SIS 0148X-CCC-LP, SIS 0227X-CCC-LF, SISO237X-CCC-LF, SISO247X-CCC-LF | Check Valve Failure To Open | -- | 4320 | -- | 4.0E-4
SIS 451X-CCC-LF, SIS 448X-CCC-LF, SIS 4146X-CCC-LF, SIS 4147X-CCC-LF | Check Valve Failure To Open | -- | 360 | -- | 1.0E-4
SIS 659A-VOC-LF, SIS 660B-VOC-LF, SIS 4142A-VOC-LP, SIS 4143B-VOC-LF | MOV Fail to Remain Open (Plug) | 1.0E-7 | 360 | -- | 3.6E-5
LPIO625A-VCC-LF, LPIO635B-VCC-LF, LPIO645B-VCC-LF | MOV Fail to Operate | -- | -- | 3.0E-3 | 3.0E-3
(same events) | MOV Fail to Remain Open (Plug) | 1.0E-7 | 24 | 2.4E-6 |
LPIO306X-NOC-LF | Pneumatic Valve Failure to Remain Open (Plug) | 1.0E-7 | 4320 | -- | 4.3E-4
LPIO432X-XOC-LF, LPIO4441-XOC-LF, LPI4491-10C-LP, LPI450X-ROC-LP | Manual Valve Failure To Remain Open (Plug) | 1.0E-7 | 360 | -- | 3.6E-5
LPIO435I-XOC-LF, LPIO447X-10C-LF | Manual Valve Failure To Remain Open (Plug) | 1.0E-7 | 4320 | -- | 4.3E-4
LPIO625A-CBL-LF, LPIO6355-CBL-LF, LPIO6458-CBL-LF, LPIO011A-CBL-LF, LPIGO128-CBL-LF | Cable Fault, Open Circuit | 3.0E-6 | 360 | -- | 1.1E-3
LPIOC11A-CBL-LF, LPIOC128-CBL-LF | Control Power Wire Open Circuit | 3.0E-6 | 360 | 1.1E-3 | 3.3E-3
(same events) | Either of 2 Fuses Fail Open | 3.0E-6 x 2 | 360 | 2.2E-3 |
LPIOO11A-BOO-CC, LPIOO128-BOO-CC | Pump Control Circuit Faults (derived from Circuit Model) | -- | -- | -- | 1.7E-4
LPIOO11A-BOO-LF, LP10012B-BOO-LF | 4KV BKR Fail To Transfer | -- | -- | -- | 3.0E-3
LPIOO11A-PMD-LF, LPIO012B-PMD-LF | Pump Fail To Start | -- | -- | 3.0E-3 | 3.0E-3
(same events) | Pump Fail To Run | 3.0E-5 | .5 | 1.5E-5 |
LPIO011A-P-PRMN, LPIO0128-P-PRMN | Pump Maintenance | 1.7E-4 | 4.64 | -- | 7.9E-4
LP!0011A-B-PRMN, LP!0012B-B-PRM | 4KV BKR Maintenance | 8.4E-6 | 8 | -- | 6.7E-5
LPIR625A-BOO-CC, LPIR635B-BOO-CC, LPIR645B-BOO-CC | MOV Control Circuit Faults (Derived from Circuit Model) | -- | -- | -- | 2.5E-3
LPIO625A-B-PRM, LPIO635B-B-PRMN, LPIO645B-B-PRMN | 480V BKR Maintenance (Table B.3.4) | 1.25E-6 | 4 | -- | 5.0E-6
LPIO625A-V-PRMN, LPIO635B-V-PRMN, LPIO645B-V-PRIOl | MOV Maintenance (Table B.3.4) | 3.6E-6 | 7 | -- | 2.5E-5
LPIO625A-BCO-LF, LPIO635B-BCO-LF, LPIO645B-BCO-LF | Premature Transfer (WASH-1400) | 1.0E-6 | 360 | -- | 3.6E-4
SIS 0011X-TNK-LF | RWT Local Faults (WASH-1400) | 8.5E-10 | 4 | -- | 3.4E-9
LPIOOOEX-PIP-LFD | Pipe Break Common Header (WASH-1400) | 8.5E-10 | 4320 | -- | 3.7E-6
LPIO435X-X-FRFM, LPIO432X-X-FRFM, LPIO444X-X-FRFM, LPIO447X-X-FRFM, SIS 449X-X-FRFM, SIS 450X-X-FRFM | Failure to Restore Following Pump Maintenance | 1.0E-4 x 1.7E-4 | 360 | -- | 6.1E-6

Figure B.3-1 Simplified Schematic of Low Press. Safety Injection/Recirculation System

Figure B.3-2 Logic Diagram for LPSI Pump Motor (Start)


Figure B.3-3 Logic Diagram for MOV LPSI Flow Control (1-MOV-615; same for 1-MOV-625, 1-MOV-635, and 1-MOV-645)

Figure B.3-4 Logic Diagram for Containment Sump Valves

Figure B.3-5 LPSI/R Simplified Diagram Used in Fault Tree Modelling

Appendix B.4 Containment Air Recirculation and Cooling System

B.4 CONTAINMENT AIR RECIRCULATION AND COOLING SYSTEM DESCRIPTION

B.4.1 Purpose

The Containment Air Recirculation and Cooling System (CARCS) removes heat from the containment during normal plant operations by closed recirculation of the containment atmosphere.

In the event that an accident leads to steam evolution in the containment, the CARCS functions to limit the pressure rise to a level below the design pressure of the containment. The CARCS also functions to transfer reactor decay heat from the containment to the Service Water System (SRWS), which in turn is cooled by the Salt Water System (SWS). The SWS then transfers the heat to the environment.

B.4.2 Description

B.4.2.1 Overall Configuration

The CARCS consists of four cooling units, two located at the 69' level in the containment, numbers 13 and 14, and two located at the 45' level, numbers 11 and 12. Each cooling unit consists of cooling coils and an electric two-speed motor directly coupled to a vane axial fan. The fans normally pull air through the coolers and distribute it via duct work at the 69' elevation around the wall of the containment. Each fan discharge duct is provided with a fusible link door which will open at an abnormally high containment temperature, such as would occur under a Loss-of-Coolant Accident (LOCA). This provides a free flow of air to the containment environment even if the ducts collapse during or following a LOCA. The two-speed fan motors receive power from individual 480V AC buses. Normally, three out of four fans are in operation in high speed mode with the reactor at power or shutdown.

A containment pressure greater than 4 psig will initiate a Containment Spray Actuation Signal (CSAS). Upon receipt of this signal, the three fans operating at high speed will switch automatically to slow speed and the fourth, standby, fan is started in slow speed.

The cooling units are supplied by the SRWS. The service water supply line for each cooler has an air-operated (fail-open) 8" inlet stop valve which is normally open and de-energized. A redundant supply line to the cooler is normally valved off by a manually operated 8" valve.

The SRW return line has two air-operated (fail open), one 4" and one 8", outlet stop valves and one manually operated 8" valve, all in parallel. The 4" valve is used for normal cooling requirements. The 8" air-operated valve opens automatically on a CSAS for increased cooling capacity. The manually operated valve is provided to permit passage of sufficient SRW in case the 8" valve should malfunction. Both the manual and air-operated valves are located outside of the containment. The air-operated supply and return valves have valve position indication in the control room. Cooling water flow at the inlet to each cooler is indicated in the control room to detect abnormal high or low flow rates. There is also a low flow alarm in the control room from the same flow detectors.

The flow diagram for the containment duct work and the SRW supply and return lines for the cooling units is shown on Figure B.4-1.

B.4.2.2 System Interfaces

Support system interactions with the active components of the CARCS are described in the Interaction FMEA, Table B.4.1. In addition to the support systems listed in the FMEA, CARCS interfaces with DC power and instrument air. Loss of either of these systems fails the SRW return line valves in their full-open accident position (i.e., the valves are fail-safe and hence there is no dependency on Instrument Air or DC power).

B.4.2.3 Instrumentation and Control

During normal operation, containment cooling is accomplished by operating three of four fans in high speed with reduced SRW flow through the cooling units. If accident conditions result in containment pressure exceeding 4 psig, the fans are switched to (or started in) slow speed and the SRW return line valves are opened to allow four times normal flow through the cooling units. This action is initiated by a CSAS. The fan speed and control valve position are indicated in the control room and remote operation of these components is possible. In addition, SRW flow through the cooling units is indicated in the control room. The failure of a fan to automatically start results in a control room alarm, as does low flow in the SRW lines.

B.4.2.4 Operator Actions

Emergency Operating Procedure 5 (EOP-5) describes operator action in the case of a loss of reactor coolant. The following steps are pertinent to the CARCS:

1. Manually initiate a CSAS and containment isolation signal (CIS) if containment pressure has risen to 4 psig and if the signal has not already been initiated.
2. Check the appropriate actions initiated by Safety Injection Actuation Signal (SIAS), CSAS, Containment Isolation Signal, and Containment Radiation Signal. Attachments are provided with the emergency procedure. The attachments include check-off lists.
3. The check-off list, 1C08-1C09-1C10 for the CSAS, requires verification of the following:
   a. Two containment spray pumps are on.
   b. Four containment air coolers are on and SRW outlet valves SRW-1582-CV, SRW-1585-CV, SRW-1590-CV, and SRW-1593-CV are open.
   c. Four containment air coolers are running in slow.

Although no credit has been taken for them in the SRW fault tree, 8" (full flow) inlet and outlet manual valves to the cooling units are located in the auxiliary building. If the control valves to the coolers fail closed, the operator can open these manual valves to restore SRW flow to the cooling unit.

B.4.2.5 Surveillance

The CARCS is tested monthly. Cooling units 11 and 12 are tested according to STP-0-70-1 (Staggered Test of "A" Train Components) and Cooling Units 13 and 14 according to STP-0-71-1 (Staggered Test of "B" Train Components). The test procedures place the components in their Engineered Safety Features position. Test duration is approximately 15 minutes.

The Engineered Safety Features Actuation System (ESFAS) Monthly Functional Test (STP-0-7-1) tests ESFAS actuation logic. When the CSAS is tested, CARCS is placed into the LOCA configuration.

Stroke tests are performed quarterly on the SRW inlet and outlet supply valves (STP-0-65-1). The normally locked-open manual inlet valve to the cooler is shut during this test, taking the cooler out of service for the test duration. A summary of CARCS component tests is presented in Table B.4.2.

B.4.2.6 Maintenance

Maintenance is performed on an as-needed basis only. Past maintenance records have been reviewed, modelled and incorporated into the analysis where applicable. The only maintenance event shown in the fault tree is maintenance on fan cooler #13 breaker. Maintenance is allowed on only one train at a time and all maintenance was lumped into train #13.

B.4.2.7 Technical Specification Limitations

The following equipment shall be operable with the reactor at power, in startup, or in hot standby, as required by Technical Specification 3.6.2.2: Two independent groups of containment air recirculation and cooling units shall be OPERABLE with two units to a group.

If one CARCS unit becomes inoperable under the above reactor conditions, that unit must be restored to an operable status within 72 hours. If this is not achieved, the reactor must be placed in the hot shutdown condition within the next 12 hours.

B.4.3 Operation

B.4.3.1 Normal Operation

Operation Instruction, OI-5A, describes the normal operation of the CARCS. Three of four fans are normally run in HIGH speed. Normal containment cooling requirements are satisfied with the 8" SRW inlet stop valve open and the 4" SRW outlet stop valve open. To prevent tube erosion, the outlet stop valve on the standby cooling unit is closed.

B.4.3.2 Emergency Operation

In the event that accident conditions cause containment pressure to exceed 4 psig, a CSAS is initiated with the following effects on the CARCS:

1. The three fans operating in HIGH speed are switched to SLOW speed. The standby fan is started in SLOW speed.
2. The cooling unit 8" outlet valves open (SRW-1582-CV, SRW-1585-CV, SRW-1590-CV, and SRW-1593-CV). Service water flow is increased from 550 gpm to 2000 gpm (minimum) by this action.

If containment temperature exceeds 140°F, fusible links will melt, opening dropout plates to provide a free flow of cooled air to the containment in the event of duct collapse.

B.4.4 Fault Tree Description

The fault tree for the CARCS consists of two parts: 1) the air flow path inside containment (which is shown on the appropriate aperture card in the envelope at the back of this report), and 2) the SRW flow through the containment cooling units. The air flow path, which includes the ducts, dampers, fans, and the primary side of the cooling units, is analyzed here. The SRW flow through the units, which includes the inlet and outlet valves, piping, and the secondary side of the cooling units, is analyzed in the SRW Fault Tree. Data used to evaluate the fault tree is given in Table B.4.4.

System failures were identified primarily as loss of air flow. The system was divided into duct segments; components whose failure could lead to loss of flow within a segment were identified (see Figure B.4-1).

B.4.4.1 Success/Failure Criteria

The CARCS succeeds if one of four fan coolers is operable.* Operability is defined as an air flow of at least 55,000 cfm over the cooling unit and a service water flow of at least 2000 gpm, with an inlet temperature of 95°F.

Failure of the system and, therefore, the fault tree top event, is "Failure of the CARCS to Cool Containment with 1 of 4 Fan Coolers."

*FSAR states, "Three containment air cooling units will provide 100% cooling capacity." Analyses by Battelle Columbus Laboratories have shown that one containment cooling unit will provide adequate cooling and pressure control for both injection and recirculation phases of a LOCA. (S. W. Hatch, G. J. Kolb, P. Cybulskis, and R. O. Wooton, "Reactor Safety Study Methodology Applications Program: Calvert Cliffs #2 PWR Power Plant," NUREG/CR-1659/3 of 4, SAND 80-1897/3 of 4, Sandia National Laboratories, May 1982.)

B.4.4.2 Major Assumptions

The following assumptions were considered during the construction of the CARCS fault tree.

1. The CARCS supplies cooled, recirculated air to the containment in general, and to certain specific components within containment. The only air flow paths that are considered in the fault tree are those that are rated for a normal air flow of 55,000 cfm. This results in 5 possible outlets through normal ventilation ducts and 4 emergency paths through the dropout plates.

2. For the large LOCA case, the steam/vapor atmosphere would overload the fan motors if they remained in HIGH speed. Therefore, the fan is assumed to fail if it does not receive a CSAS to switch to SLOW speed. For S1 and S2 LOCAs, the fan motor can remain in HIGH speed. A switching gate is used to represent this logic.
3. Three of four fans are normally running. Fan 13 is assumed to be in standby and requires CSAS actuation for any size LOCA. The switching gate mentioned above has been omitted from this tree segment.
4. Collapse of the ducts due to a pressure differential in the early stages of the LOCA is considered a credible event. This probability is modeled as "local faults of duct."
5. Unusual success paths, such as 4 fans in slow speed with normal SRW flow through each cooler (total SRW flow here would equal emergency flow through one cooler) have not been considered.
6. In duct segment AF1 (Figure B.4-1), failure of any damper is assumed to fail the segment. This is a conservative assumption and was made only to avoid complex fault tree logic.

Some important CARCS quantification assumptions are discussed in Table B.4.3.

Table B.4.1 CARCS SUPPORT SYSTEM FMEA

| Support Sub-System | Component Affected | Failure Mode | Component Failure Effect on System* | Effect of Support Sub-System Failure on Overall System* |
|---|---|---|---|---|
| 480 VAC Unit Bus 11A (load group A) | Containment cooling fan 11 | No power to the fan | Loss of 1 out of 4 fans | Loss of 1 out of 4 fans |
| CSAS Channel A1 | Unit cooling fans 11 & 12 | Failure to signal "fan slow" | Fans 11 and 12 continue in high speed | 2 fans (11 & 12) continue in high speed |
| 480 VAC Unit Bus 11B (load group A) | Ctmt. cooling fan 12 | No power to the fan | Loss of 1 out of 4 fans | Loss of 1 out of 4 fans |
| 480 VAC Unit Bus 14A (load group B) | Ctmt. cooling fan 13 | No power to the fan | Loss of 1 out of 4 fans | Loss of 1 out of 4 fans |
| CSAS Channel B1 | Ctmt. cooling fans 13 & 14 | Failure to signal "fan slow" | Fans 13 and 14 continue in high speed | 2 fans (11 & 12) continue in high speed |
| 480 VAC Unit Bus 14B (load group B) | Ctmt. cooling fan 14 | No power to the fan | Loss of 1 out of 4 fans | Loss of 1 out of 4 fans |
| Service Water System train 11 | Ctmt. cooling fans 11 & 12 | Loss of cooling to the fans | Loss of cooling to the fans 11 and 12. Failure of 2 out of 4 fans | 2 out of 4 fans fail |
| Service Water System train 12 | Ctmt. cooling fans 13 & 14 | Loss of cooling to the fans | Loss of cooling to the fans 13 and 14. Failure of 2 out of 4 fans | 2 out of 4 fans fail |

* Assuming no recovery.

Table B.4.2 CARCS COMPONENT TEST SUMMARY SHEET

| Component | Type of Test | Components That Must Be Aligned Away from ESF Position with No Automatic Return | Test Frequency | Expected Test Outage Time | Frequency of Component Alignment Verification | Source (Test Procedure #) |
|---|---|---|---|---|---|---|
| Dampers (CFCD, CFCMD) | None | -- | -- | -- | -- | -- |
| Fan 11 (CFCFN11A) | Operability | None | Monthly | 15 Min. Duration | Continuous* | STP-0-70-1 staggered test of 'A' train components |
| Fan 12 (CFCFN12A) | " | None | Monthly | 15 Min. Duration | Continuous* | STP-0-7-1 Sect. II ESF logic and performance test |
| Fan 13 (CFCFN13B) | " | None | Monthly | 15 Min. Duration | Continuous* | STP-0-71-1 staggered test of 'B' train components |
| Fan 14 (CFCFN14B) | " | None | Monthly | 15 Min. Duration | Continuous* | STP-0-7-1 Sect. II ESF logic and performance test |
| Cooling Unit 11 (CFCCTC1X) | Operability | None | Monthly | 15 Min. Duration | Continuous* | STP-0-70-1 staggered test of 'A' train components |
| | " | None | Monthly | 15 Min. Duration | Continuous* | STP-0-7-1 Sect. II ESF logic and performance test |
| | | Manual supply valve from 11 SRW subsystem SRW01252 | Quarterly | 15 Min. | Continuous* | STP-65-1 quarterly valve operability verification |
| Cooling Unit 12 (CFCCTC2X) | Operability | None | Monthly | 15 Min. Duration | Continuous* | STP-0-70-1 staggered test of 'A' train components |
| | | None | Monthly | 15 Min. Duration | Continuous* | STP-0-7-1 Sect. II ESF logic and performance test |
| | | Manual supply valve from 11 SRW subsystem SRW01421 | Quarterly | 15 Min. | Continuous* | STP-65-1 quarterly valve operability verification |
| Cooling Unit 13 (CFCCTC3X) | Operability | None | Monthly | 15 Min. Duration | Continuous* | STP-0-70-1 staggered test of 'B' train components |
| | " | None | Monthly | 15 Min. Duration | Continuous* | STP-0-7-1 Sect. II ESF logic and performance test |
| | " | Manual supply valve from 12 SRW subsystem SRW0149E | Quarterly | 15 Min. | Continuous* | STP-65-1 quarterly valve operability verification |
| Cooling Unit 14 (CFCCTC4X) | Operability | None | Monthly | 15 Min. Duration | Continuous* | STP-0-70-1 staggered test of 'B' train components |
| | " | None | Monthly | 15 Min. Duration | Continuous* | STP-0-7-1 Sect. II ESF logic and performance test |
| | " | Manual supply valve from 12 SRW subsystem SRWC154E | Quarterly | 15 Min. | Continuous* | STP-65-1 quarterly valve operability verification |

* Twice monthly for standby fan cooler.

Table B.4.3 QUANTIFICATION ASSUMPTIONS FOR CARCS

| Sub-Event Description | Assumption |
|---|---|
| Duct Collapse due to Hi D/P during LOCA | Most probable failure mode would be collapse due to hydrogen explosion (local). A gross assumption is that 10% of LOCAs result in containment hydrogen explosions. Qducts = .1 for LOCAs. |
| Crud Deposition on Ht. Exch. Lowers U | The possibility of inert material plating out on the coolers after a core melt and failing the coolers due to the lower heat transfer rate is considered a credible event. Assumption: For consequence screening, if analyzing core melt sequence, assume Q = .1. For non-melt sequence, assume Q = 0. |
| Normally open manual damper fails closed | Assumption: Probability of plug failure is equal to lower bound of fluid valve plug probability as given in WASH-1400 (3E-5/D). |

Table B.4.4 CONTAINMENT AIR RECIRCULATION AND COOLING SYSTEM (CARCS) DATA

| Event Name | Event / Sub Event Description | Sub Event Failure Rate (per/hr) | Sub Event Fault Exposure Time (hr) | Sub Event Unavail. q | Event Unavail. Q = Σq |
|---|---|---|---|---|---|
| CFCDT01-PIP-LFB, CFCDT02-PIP-LFB, CFCDT03-PIP-LFB, CFCDT04-PIP-LFB, CFCDTOS-PIP-LFB, CFCDT09-PIP-LFB, CFCDT10-PIP-LFB, CFCDT19-PIP-LFB, CFCDT20-PIP-LFB, CFCDT21-PIP-LFB, CFCDT22-PIP-LFB, CFCDT23-PIP-LFB | Duct Collapse Due to Hi D/P During LOCA (Table B.4.3) | -- | -- | -- | 1.0E-1 |
| CFCMDO1X-DOC-LF, CFCMD02X-DOC-LF, CFCMD03X-DOC-LF, CFCMD04X-DOC-LP, CFCD104X-DOC-LP, CFCD105X-DOC-LP, CFCD106X-DOC-LF, CFCD107X-DOC-LF, CFCD146X-DOC-LP, CFCD147X-DOC-LP, CFCD148X-DOC-LP, CFCD149X-DOC-LF, CFCD1501-DOC-LF, CFCD151X-DOC-LP, CFCD152X-DOC-LF, CFCD153X-DOC-LP, CFCD154X-DOC-LP, CFCD155X-DOC-LF, CFCD156X-DOC-LF, CFCD1571-DOC-LF, CFCD158X-DOC-LF, CFCD1591-DOC-LF, CFCD160I-DOC-LF | Damper Fails Closed (Table B.4.3) | -- | -- | -- | 3.0E-5 |
| CFCCTC1X-HTX-LFI, CFCCTC2X-IFFI-LFI, CFCCTC3X-HTX-LFI, CFCCTC4I-HTX-LFI | Inadequate Ht. Rem. - Crud Buildup On Ht. Exch. (Table B.4.3) | -- | -- | -- | 1.0E-1 |
| CFCFW11A-FAN-LF, CFCFN12A-FAN-LF, CFCFW138-FAN-LP, CFCFN148-FAN-LF | Fan Fails to Start | -- | -- | 3.0E-4 | 2.4E-2 |
| | Fan Fails To Run (Electric Motor - WASH-1400 Severe Environment) | 1.0E-3 | 24 | 2.4E-2 | |
| CFCCFN11-CBL-LF, CFCCFW12-CBL-LF, CFCCFN13-CBL-LF, CFCCFN14-CBL-LF | Cable - Open Circuit | 3.0E-6 | 24 | -- | 7.2E-5 |
| CFC1102A-3CO-LP, CFC1114A-BCO-LF, CFC14025-BCO-LP, CFC14148-BCO-LP | BKR Fails Open | -- | -- | 3.0E-5 | 2.0E-4 |
| | Control Circuit Faults | -- | -- | 1.7E-4 | |
| CFCFDP11-DCC-LP, CFCFDP21-DCC-LF, CFCFDF31-DCC-LP, CFCFDF41-DCC-LF | Fusible Link Fails to Open (Fuse Failure - WASH-1400) | -- | -- | -- | 1.0E-5 |
| CFCFW133-FAN-FRDOI | BKR Maintenance* | 5.0E-6 | 4 | -- | 2.0E-5 |
| CFCFN133-FAN-FRFM | Failure To Restore Following Maintenance* | 5.0E-6 x 1.0E-4 | 360 | -- | 1.8E-7 |

* Distributed for 4 Fans
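The arithmetic behind Table B.4.4 (q = failure rate x fault exposure time, Q = Σq) can be combined with the 1-of-4 success criterion of B.4.4.1 and the shared supports of Table B.4.1. The Python below is an added example, not the report's fault tree: the support unavailabilities in ASSUMED_SUPPORT_Q are hypothetical placeholders, CSAS loss is treated as failing its fans (the large LOCA case of assumption 2), and duct, damper, bus, and cooler events are left out.

```python
from itertools import product


def sub_event_q(rate_per_hr=None, exposure_hr=None, demand_q=None):
    """Sub-event unavailability: a per-demand value, or failure rate x exposure time."""
    if demand_q is not None:
        return demand_q
    return rate_per_hr * exposure_hr


def event_q(sub_events):
    """Event unavailability Q = sum of sub-event q (rare-event approximation)."""
    return sum(sub_event_q(**s) for s in sub_events)


# Sub-event values transcribed from Table B.4.4 (identical for each fan train).
FAN = [dict(demand_q=3.0e-4),                       # fan fails to start
       dict(rate_per_hr=1.0e-3, exposure_hr=24)]    # fan fails to run
CABLE = [dict(rate_per_hr=3.0e-6, exposure_hr=24)]  # cable open circuit
BREAKER = [dict(demand_q=3.0e-5),                   # breaker fails open
           dict(demand_q=1.7e-4)]                   # control circuit faults


def train_local_q():
    """Unavailability of one fan train from its own, independent faults."""
    return event_q(FAN) + event_q(CABLE) + event_q(BREAKER)


# Shared supports from Table B.4.1: losing one support item fails two fans.
SUPPORTS = {
    "CSAS channel A1": ("fan 11", "fan 12"),
    "CSAS channel B1": ("fan 13", "fan 14"),
    "SRW train 11": ("fan 11", "fan 12"),
    "SRW train 12": ("fan 13", "fan 14"),
}
FANS = ("fan 11", "fan 12", "fan 13", "fan 14")

# Hypothetical support unavailabilities (assumed for illustration, not from the report).
ASSUMED_SUPPORT_Q = {name: 1.0e-3 for name in SUPPORTS}


def top_event_q(support_q, local_q):
    """P(all four fan coolers fail), summed exactly over every support state."""
    names = list(SUPPORTS)
    total = 0.0
    for state in product((False, True), repeat=len(names)):  # True = support failed
        p_state = 1.0
        lost = set()
        for name, failed in zip(names, state):
            p_state *= support_q[name] if failed else 1.0 - support_q[name]
            if failed:
                lost.update(SUPPORTS[name])
        # Fans that still have their supports must each fail locally.
        survivors = [fan for fan in FANS if fan not in lost]
        total += p_state * local_q ** len(survivors)
    return total


if __name__ == "__main__":
    local = train_local_q()
    independent = top_event_q({name: 0.0 for name in SUPPORTS}, local)
    dependent = top_event_q(ASSUMED_SUPPORT_Q, local)
    print(f"fan Q = {event_q(FAN):.1e}, cable Q = {event_q(CABLE):.1e}, "
          f"breaker Q = {event_q(BREAKER):.1e}")
    print(f"one train, local faults only: {local:.3e}")
    print(f"top event, independent trains: {independent:.2e}")
    print(f"top event, with shared supports: {dependent:.2e}")
```

With these placeholder values the shared CSAS and SRW supports raise the top event probability by more than a factor of ten over four independent trains, which is why the report tracks those dependencies in the FMEA.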


Figure B.4-1 (sheet 1 of 2) Simplified Schematic of Containment Air Recirculation and Cooling System Used in Fault Tree Modeling

Figure B.4-1 (sheet 2 of 2) CARCS Service Water Supply

Appendix B.5 Containment Spray/Shutdown Cooling Heat Exchanger System

B.5 CONTAINMENT SPRAY/SHUTDOWN COOLING HEAT EXCHANGER SYSTEM DESCRIPTIONS

B.5.1 Purpose

The Containment Spray/Shutdown Cooling Heat Exchanger (CSS/SDHX) system at Calvert Cliffs performs two important functions. The first is to limit the containment pressure and temperature following a LOCA or transient-induced accident, thus reducing the possibility of a breach of containment and leakage of airborne radioactivity to the outside environment. The second is to reduce the amount of radioactive material in the containment atmosphere so that even in the event of a breach of containment a reduced amount of radioactive material will be released to the environment. In order to perform these two functions, the system actually has three different configurations, which requires that three different fault trees be constructed, although they share many of the same components. These configurations are discussed below.

B.5.2 Description

B.5.2.1 Overall Configuration

The CSS/SDHX System configuration is shown schematically in Figure B.5-1. In the injection phase the system sprays cooled borated water taken from the refueling water tank (RWT) into the containment atmosphere. In this phase the system performs both of the functions described above simultaneously and is called the Containment Spray System (Injection) and denoted CSSI. When the RWT is depleted, suction is switched to the containment sump for the recirculation phase of the accident. In the recirculation phase, if no heat is removed from the hot water coming from the sump, the system can still successfully remove radioactive material from the containment atmosphere. This is called the Containment Spray System (Recirculation) and denoted CSSR. In order to perform the heat removal function in the recirculation phase, heat must be removed from the sump water by the shutdown cooling heat exchangers before being injected into the containment atmosphere. In this configuration the shutdown cooling heat exchangers and the CSSR must both be working and the system is called the Shutdown Cooling Heat Exchanger System and denoted SDHX.

In both phases, the water is pumped through the shutdown cooling heat exchangers through spray nozzles and into the containment atmosphere. The spray nozzles are located in the dome of the containment and arranged in the headers to give complete spray coverage at the containment horizontal cross-section area. The CSS/SDHX system is redundant with the Containment Air Recirculation Cooling System (CARCS) and consists of two electric motor-driven pumps, the two shutdown cooling heat exchangers, two spray headers and nozzles, and associated piping, valves and instruments. The capacity of each containment spray pump is such that it can limit the containment pressure to less than its design pressure following a LOCA without giving credit to the containment coolers. There are two separate suction headers from the refueling water tank, one to each of the two shielded ECCS pump rooms. Each pump room contains one spray pump. There are separate headers, one to each room, from the containment sump. Both suction lines from the sump are completely enclosed by a welded steel grating screen box designed to withstand severe shock and loading and prevent clogging. Prior to discharge into the containment, the recirculated water from the sump is cooled by the shutdown cooling heat exchangers using water from the component cooling water system as the cooling medium. A description of the components of the Containment Spray/Shutdown Cooling Heat Exchanger system is given in Table B.5.1.

A Containment Spray Actuation Signal (CSAS) initiates the containment spray pumps, while a Safety Injection Actuation Signal (SIAS) operates the spray header isolation valves. These valves are air-operated valves which fail open upon loss of power. They are opened by a SIAS in order to prevent an inadvertent containment spray system actuation following an undesired CSAS. However, an inadvertent initiation of the spray system will not affect the safety of the plant since all equipment that could come in contact with the spray is insulated or made of reflective metal.

The CSS/SDHX system is initiated by coincident safety injection system actuation and activation of any two of four pressure switches set to operate on containment high pressure (4 psig). To provide the Containment Spray Actuation Signal (CSAS), four independent containment pressure transmitters are utilized. The pressure transmitters are separate from those used for initiation of the safety injection actuation signal. Actuation occurs as a result of either two-out-of-four containment pressure sensor channel trip signals or manual initiation from the control room. Each of the two independent containment spray actuation signals, A and B, starts one containment spray pump (along with other actions in the Containment Air Recirculation Cooling System (CARCS)).

In addition to the capability for manual initiation of the actuation signal from the control room, the header isolation valves and spray pumps may be individually initiated in the control room by appropriate control switch operation.

When the refueling water tank level drops to thirty inches above the tank bottom, the Recirculation Actuation Signal (RAS) is actuated. The signal will open the two containment sump valves (along with other actions in the safety injection system), allowing the continuation of containment spray. The RWT outlet valves will be closed by the operator from the control room. (Since the spray pumps are at a lower elevation than both the sump and the RWT, the pumps will not cavitate due to the operator leaving the RWT valves open.) The RAS is activated on coincident (2 out of 4) low level signals from the level switches on the RWT. In addition, the RAS signal initiates opening of the SDHX outlet valves in the CCW system and CCW HX outlet valves in the SWS to allow for cooling of the sump water and, therefore, containment heat removal.

B.5.2.2 System Interfaces

The Containment Spray/Shutdown Cooling Heat Exchanger System interfaces with the Electric Power System, Component Cooling Water System, ECCS Pump Room Cooling Systems and Engineered Safety Features Actuation System, as shown in Table B.5.2. The spray header isolation valves are air-operated, thus interfacing with the Instrument Air System. However, in the case of loss of air the valves fail in a safe position (open) and therefore this interface was not included.

The two independent suction headers supplied from either the RWT or the containment sump lines and a common portion of the ECCS pump recirculation lines are shared by the HPSI/R, LPSI/R and the CSS/SDHX systems.

B.5.2.3 Instrumentation and Control

As was noted above, the Containment Spray/Shutdown Heat Exchanger System is initiated by SIAS (opens the spray header isolation valves) and CSAS (starts the spray pumps) which occur as a result of two-out-of-four containment pressure sensor channel trip signals set to operate on containment high pressure (4 psig). In addition to automatic actuation, these signals can be manually initiated from the control room and the components can be individually operated by handswitches in the control room. Inadvertent actuation of the system is alarmed when the spray pumps are started. Flow indication and valve position are provided for the operator in the control room.

B.5.2.4 Operator Actions

There is no operator action required for the Containment Spray/Shutdown Heat Exchanger System.

B.5.2.5 Surveillance

On a monthly basis, engineered safety features equipment is manually tested per Surveillance Test Procedure 0-73-1 and tested for automatic actuation per STP 0-7-1. Thus, twice per month the containment spray pumps are tested and valve position is verified monthly so that there are two flow paths available to take suction from the RWT on a containment high-pressure signal. The containment sump valves are tested monthly to verify that they open upon a Recirculation Actuation Signal. Following are the test procedures and their effect on the unavailability of components.

Surveillance Test Procedures: Containment Spray System

STP 0-7-1   Engineered Safety Features Actuation System Logic Test
            Test Interval = 1 month
            o pumps are tested for initiation by CSAS
            o sump valves are tested for opening by RAS
            o spray pump discharge valves CSS 0314X and CSS 0324X are closed during the test; a step in the procedure directs the operator to open them

STP 0-62-1  Monthly Valve Position Verification
            Test Interval = 1 month
            o has no effect on availability of any components during procedure
            o MOVs CSS 0662B and CSS 0663A are not verified in this procedure

STP 0-65-1  Quarterly Valve Operability Verification Operating
            Test Interval = 3 months
            o The following valves are stroke-tested:
              SIS 4144A, SIS 4145B    Containment Sump Isolation Valves
              CSS 662B, CSS 663A      SDHX Outlet to HPSI pumps 11 and 13
              CSS 4150A, CSS 4151B    Spray Header Isolation Valves
              SIS 4142A, SIS 4143B    RWT Outlet Valves
            o Manual valves CSS 0315X and CSS 0325X are closed and the spray pumps are started to test the pump discharge check valves; steps are included to open the valves after the test.

STP 0-66-1  Quarterly Valve Operability Verification Shutdown
            Test Interval: every cold shutdown, need not be done more than every 3 months in case of frequent shutdown
            Average Interval = 6 months
            o during shutdown the following valves are closed:
              CSS 0317X, CSS 0327X    steps in procedure direct operator to reopen
              CSS 0319X, CSS 0329X    these valves are not reopened in this procedure; they are opened as a part of the start-up procedure following shutdown

STP 0-67-1  Check Valve Operability Verification
            Test Interval = average of 6 months
            o During shutdown, the following valves are closed:
              CSS 0314X, CSS 0324X    Pump discharge valves
              SI 4142A, SI 4143B      RWT outlet valves
              CSS 0657B               SDC flow control valve
            Steps in this procedure reopen the RWT valves. Steps to reopen the discharge valves and the SDC flow control valve are in the start-up procedures following shutdown, but not in this procedure.

STP 0-73-1  Engineered Safety Features Equipment Performance Test
            Test Interval = 1 month

STP 0-93-1  Locked Valve Verification
            Test Interval = 1 month
            No effect on unavailability

STP 0-74-1  Engineered Safety Features Equipment Inservice Bearing Temperature Test
            Test Interval = 18 months (Refueling)
            Close: CSS 0314X, CSS 0324X    Steps included to reopen

B.5.2.6 Maintenance

Maintenance is done on an as-needed basis. Maintenance records were reviewed and the frequency and duration of maintenance on components in the Containment Spray/Shutdown Heat Exchanger System were derived. This data appears in Table B.5.4.

B.5.2.7 Technical Specification Limitations

Technical Specifications (Section 3.6.2.1) require the following containment spray operability.

Two independent Containment Spray systems shall be OPERABLE with each spray system capable of taking suction from the RWT on a Containment Spray Actuation Signal and Safety Injection Actuation Signal and automatically transferring suction to the containment sump on a Recirculation Actuation Signal. Each spray system flow path from the containment sump shall be via an OPERABLE shutdown cooling heat exchanger.

With one Containment Spray system inoperable, restore the inoperable spray system to OPERABLE status within 72 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

B.5.2.8 Surveillance Requirements

The following CSS/SDHX surveillance requirements are specified in Section 4.6.2.1 of the Technical Specifications. Each Containment Spray system shall be demonstrated OPERABLE:

1. At least once per 31 days by:
a. Verifying that upon a Recirculation Actuation Test Signal, the containment sump isolation valves open and that a recirculation mode flow path via an OPERABLE shutdown cooling heat exchanger is established
b. Verifying that each valve (manual, power operated or automatic) in the flow path is positioned to take suction from the RWT on a Containment Pressure-High test signal.

2. At least once per 18 months, during shutdown, by:
a. Verifying that each automatic valve in the flow path actuates to its correct position on Safety Injection Actuation test signal.
b. Verifying that each spray pump starts automatically on a Containment Spray Actuation test signal.

3. At least once per 5 years by performing an air or smoke flow test through each spray header and verifying each spray nozzle is unobstructed.

B.5.3 Operation

As was noted earlier, the CSS/SDHX System is initiated by a safety injection actuation signal and a containment spray actuation signal. Switchover to the recirculation mode is automatic and is initiated by the recirculation actuation signal. The only action required of the operator is closing the RWT outlet valves following initiation of the recirculation phase. It is assumed that failure of the operator to close these valves after recirculation has begun (RAS opened the containment sump valves and suction is being taken from the sump) will not cause the pumps to cavitate since the spray pumps are at an elevation (-15 ft.) lower than both the RWT (45 ft.) and the containment sump (10 ft.).

During the operation of the CSS/SDHX System, a portion of the cooled water can be manually diverted by the operator to the containment charcoal filters which are used to remove iodine caused by the LOCA. The water is used as a dousing medium to cool the filter material to prevent fire in the filters as temperature increases. There is temperature indication in the control room and once the high temperature condition has cleared, the dousing operation is stopped. This is not considered to be a diversionary path. During LOCA conditions, a containment isolation signal cuts off instrument air to components inside containment. The charcoal spray header valve fails open and flow may proceed into a four-inch header. However, the line to the filter sprays is a three-inch line with a fail-close valve isolating the filter spray header, making the potential path of diversion less than a quarter of the main flow, which is negligible.

B.5.4 Fault Tree Description

Three fault trees were developed for the CSS/SDHX system and are shown on the appropriate aperture cards in the envelope at the back of this report. The first tree has, as its top event, failure of the CSS system during the injection phase, the second has, as its top event, failure of the CSS system during the recirculation phase and the third has, as its top event, failure of the SDHX system to provide containment cooling in the recirculation phase. The failure criteria and the major assumptions used in the development of these fault trees are described in the following sections.

A simplified diagram of the CSS/SDHX system used in the fault tree modelling is shown in Figure B.5-2. The data used to quantify the trees is shown in Table B.5.5.

B.5.4.1 Success/Failure Criteria

In analyses performed by Battelle Columbus Laboratories, it has been determined that operation of either one containment spray train or one containment air cooler will provide sufficient heat removal capability to maintain the post-accident containment temperature and pressure below design value. Therefore, successful operation of the Containment Spray/Shutdown Heat Exchanger system is defined as flow provided through one of two spray trains and the corresponding shutdown cooling heat exchanger.

The fault tree top events for CSSI/R are defined as "Failure to provide water from 1 of 2 CSS pumps through 1 of 2 headers in the injection/recirculation phase." The fault tree top event for SDHX is defined as "Failure to provide containment cooling through 1 of 2 shutdown heat exchangers."

B.5.4.2 Major Assumptions

The following assumptions were considered during the construction of the CSS/SDHX fault trees.

1. Dousing charcoal filters does not constitute diversion.
2. Failure of the operator to close the refueling water tank outlet valves after recirculation has begun (RAS opened the containment sump valves and suction is being taken from the sump) will not cause the pumps to cavitate since the spray pumps are at an elevation (-15 ft.) lower than both the RWT (45 ft.) and the containment sump (10 ft.) and there is sufficient NPSH for continued pump operation.

3. The minimum flow recirculation line does not constitute a significant diversion path.
4. Lines to the LPSI header were not modeled in the fault tree as paths of diversion since, for those cases where diversion could occur due to a single failure, rough calculations show that the head would be about the same in the two paths and significant diversion would not occur.
5. Operation in a post-core melt environment is assumed. While core melt debris thrown into the sump could fail this system, one of the dominant factors, pipe insulation, is not of the type identified as possibly leading to pump failure.

Table B.5.1

CONTAINMENT SPRAY PUMPS

Quantity                          2
Type                              Vertical Split, Horizontal centrifugal
Material                          ASTM A-296, Gr. CA-15
Codes                             Motor: NEMA
                                  Pump: Standards of the Hydraulic Institute
Suction Side:
  Design Pressure, psig           60
  Design Temperature, F           300
  Material                        304 SS
Discharge Side:
  Design Pressure, psig           500
  Design Temperature, F           350
  Material                        304 SS

MODE OF OPERATION                 INJECTION     RECIRCULATION
Capacity, gpm                     1400*         1580
Head, ft.                         160           350
NPSH Available, ft.               86.5          31.1
NPSH Required, ft.                18.0          22.0

Transient Temperature             40-300F in 10 seconds
Motor HP                          200
Relief Valve Setting, psig        285

SPRAY NOZZLES

Quantity                          90
Type                              Hollow Cone, Centrifugal nozzle with vanes
Capacity, gpm                     15
Pressure Drop, psi                40
Droplet Size, microns (mean)      700
Material                          Bronze

* Includes 50 gpm for minimum flow recirculation

Table B.5.2

Containment Spray Support System FMEA (CSSI/CSSR/SDHX)

                                                                                                                                    Effect of Support Subsystem
Support Subsystem         Component Affected          Component Failure Mode                Effect on System*                       Failure on Overall System*

4KV AC Bus 11             Pump 11                     Loss of ELC4K11A                      CSS train 11 is unavail.
                          (CSS0011A)                  Pump 11 fails to start or run

125 V DC Bus 11           Pump 11                     Loss of ELC0011A                      CSS train 11 is unavail.
Panel 2D01                                            Pump 11 fails to start
                                                      (no effect on running pump)

Pump Room 11 Cooling      Pump 11                     Loss of cooling to pump and           Pump motor burnout during
(ECCR011)                                             pump motor. Pump overheats            recirc. phase
                                                      during recirc.

CSAS Channel A            Pump 11                     Loss of signal to start pump.         CSS train 11 is unavail.                Loss of 1/2 of system capacity**
                                                      Pump fails to start

CSAS Channel B            Pump 12                     Loss of signal to start pump.         CSS train 12 is unavail.
                          (CSS0012B)                  Pump fails to start

4KV AC Bus 14             Pump 12                     Loss of ELC4K14B                      CSS train 12 is unavail.
                                                      Pump fails to start or run

125 V DC Bus 21           Pump 12                     Loss of ELC0021B                      CSS train 12 is unavail.
Panel 2D01                                            Pump fails to start
                                                      (no effect on running pump)

Pump Room 12 Cooling      Pump 12                     Loss of cooling to pump and           Pump motor burnout during
(ECCR012)                                             pump motor. Pump overheats            recirculation phase
                                                      during recirc.

Component Cooling         Shutdown Cooling            Loss of cooling to heat               Loss of function of train 11
Water System              Heat Exchanger 11           exchanger during recirc.              during recirc. (loss of
                          (CSS0011X)                                                        depressurization and cooling
                                                                                            capability)

                          Shutdown Cooling            Loss of cooling to heat               Loss of function of train 12
                          Heat Exchanger 12           exchanger during recirc.              during recirc. (loss of
                          (CSS0012X)                                                        depressurization and cooling
                                                                                            capability)

SIAS Channel A            Header 11 Isolation         Loss of signal. Fails to              CSS train 11 is unavail.                Loss of 1/2 system capacity
                          valve 4150                  de-energize solenoid valve 4150.
                          (CSS4150A)                  Valve fails closed

SIAS Channel B            Header 12 Isolation         Loss of signal. Fails to              CSS train 12 is unavail.
                          valve 4151                  de-energize solenoid valve 4151.
                          (CSS4151B)                  Valve fails to open

RAS Channel A             Sump Isolation Valve        Loss of signal. Valve fails to        CSS train 11 is unavail.
                          4145 (SIS4145B)             open during recirc. phase

RAS Channel B             Sump Isolation Valve        Loss of signal. Valve fails to        CSS train 12 is unavail.
                          4145 (SIS4145B)             open during recirc. phase

*  Assuming no recovery.
** Success criterion for CSS is one of two trains functional.

Table B.5.3

CSSI/R/SDHX Component Test Summary Sheet

                                         Components That Must Be                                   Frequency of
                                         Aligned Away From ESF                     Expected        Component
                                         Position With No          Test            Test Outage     Alignment        Source (Test
Component         Type of Test           Automatic Return          Frequency       Time            Verification     Procedure #)

CSS Pump # 11     Logic                  CSS 314                   Monthly         15 min.         Monthly          0-7-1
                  Performance            CSS 314                   Monthly         15 min.         Monthly          0-73-1

CSS Pump # 12     Logic                  CSS 324                   Monthly         15 min.         Monthly          0-7-1
                  Performance            CSS 324                   Monthly         15 min.         Monthly          0-73-1

SI 4144           Logic (stroke)         None                      Monthly         5 min.          8 hours          0-7-1
SI 4145           Stroke                 None                      Quarterly       5 min.          8 hours          0-65-1

SI 4142           Position               None                      Monthly         None            8 hours          0-62-1
SI 4143           Verification
SI 4144
SI 4145

CSS 313           Operability            CSS 315                   Quarterly       15 min.         Quarterly        0-65-1
CSS 323           (stroke)               CSS 325                                   15 min.         Quarterly
CSS 662                                  None                                      5 min.          Quarterly
CSS 663                                  None                                      5 min.          Quarterly
CSS 4150                                 None                                      5 min.          Quarterly
CSS 4151                                 None                                      5 min.          Quarterly
SI 4142                                  None                                      5 min.          8 hours
SI 4143                                  None                                      5 min.          8 hours

CSS 311           Position               None                      Monthly         None            Monthly          0-93-1
CSS 314           Verification
CSS 315
CSS 319
CSS 321
CSS 324
CSS 325
CSS 329

Table B.5.4

CSSI/CSSR & SDHX Maintenance Summary Sheet

                                                    Components That Must Be Aligned           Frequency of     Expected          Expected Outage
Component                                           Away From ESF Position With No            Component        Frequency of      Time of
Undergoing             Type of                      Auto Return                               Alignment        Maintenance*      Maintenance*
Maintenance            Maintenance                                                            Verification     (/hr.)            (hrs.)

Pump 11                Maintenance Requiring        Manual valves 311 and 314 and             1 month          1.7E-4            4.64
                       Disassembly                  pump 11 circuit breaker

Pump 12                Maintenance Requiring        Manual valves 321 and 324 and             1 month          1.7E-4            4.64
                       Disassembly                  pump 12 circuit breaker

CV 4150                Maintenance Requiring        For 4150 - manual valve 315 and 317       1 quarter        3.6E-6            7
CV 4151                Disassembly                  4151 - manual valve 325 and 327
CV 662
CV 663

HTX 11                 Maintenance on Heat          Manual valves 314 and 319                 1 month          2.3E-5            7
                       Exchanger

HTX 12                 Maintenance on Heat          Manual valves 324 and 329                 1 month          2.3E-5            7
                       Exchanger

MOV Breaker (480V)     Maintenance on Breaker       None                                      1 month          1.25E-6           4

Pump Breaker (4160V)   Maintenance on Breaker       None                                      1 month          8.4E-6            8

* Plant specific data.

Table B.5.5

CONTAINMENT SPRAY (CSSI/R) AND SHUTDOWN COOLING HEAT EXCHANGER (SDHX) SYSTEM DATA

                                                                    Sub Event      Sub Event Sub Event
Event             Fault Event Description /                         Failure Rate   Exposure  Unavail. Event Unavail.
Name              Sub Event Description                             (per hr)       Time (hr) q        Q = Σq

CSSNZ11X-SPN-LF   Local Fault - Spray Nozzle plugged                --             21900     --       4.0E-4
CSSNZ12X-SPN-LF   (similar to orifice)

SIS4146X-CCC-LF   Check Valve Failure To Open                       --             --        --       1.0E-4
SIS4147X-CCC-LF

CSS0313X-CCC-LF   Check Valve Failure To Open                       --             4320      --       4.0E-4
CSS0316X-CCC-LF
CSS0323X-CCC-LF
CSS0326X-CCC-LF
CSS0330X-CCC-LF
CSS0340X-CCC-LF
SIS4148X-CCC-LF
SIS4149X-CCC-LF

CSS0311X-XOC-LF   Manual Valve Failure To Remain Open (Plug)        1.0E-7         360       --       3.6E-5
CSS0314X-XOC-LF
CSS0315X-XOC-LF
CSS0319X-XOC-LF
CSS0321X-XOC-LF
CSS0324X-XOC-LF
CSS0325X-XOC-LF
CSS0329X-XOC-LF

CSS0317X-XOC-LF   Manual Valve Failure To Remain Open (Plug)        1.0E-7         4320      --       4.3E-4
CSS0327X-XOC-LF

SIS4144A-VCC-LF   Failure to Operate                                --             --        3.0E-3   3.0E-3
SIS4145B-VCC-LF   Failure to Remain Open (Plug)                     1.0E-7         24        2.4E-6

SIS4142A-VOC-LF   MOV Failure to Remain Open (Plug)                 1.0E-7         360       --       3.6E-5
SIS4143B-VOC-LF

CSS0662B-VCO-LF   MOV Failure to Remain Closed                      5.0E-7         1080      --       5.4E-4
CSS0663A-VCO-LF   (Catastrophic Leakage)

SIS4144A-BCO-LF   Premature Transfer                                1.0E-6         360       --       3.6E-4
SIS4145B-BCO-LF

SIS4144A-BOO-CC   MOV Control Circuit                               --             --        --       2.5E-3
SIS4145B-BOO-CC   (Derived from circuit Model)

CSS4150A-NCC-LF   Failure to Operate                                --             --        3.0E-3   3.0E-3
CSS4151B-NCC-LF   Failure to Remain Open                            1.0E-7         24        2.4E-6

CSS0011A-PMD-LFI  Failure to Start                                  --             --        3.0E-3   3.0E-3
CSS0012B-PMD-LFI  Failure to Run (Nor-Env)                          3.0E-5         0.5       1.5E-5

CSS0011A-PMD-LFR  Failure to Run (Nor-Env)                          3.0E-5         24        --       7.2E-4
CSS0012B-PMD-LFR

CSSCL11A-CBL-LF   Power Cable                                       3.3E-6         360       --       1.2E-3
CSSCL12B-CBL-LF     Open  - 3E-6
SIS4144A-CBL-LF     Short - 3E-7
SIS4145B-CBL-LF

CSSA011A-BOO-LF   Failure to Transfer                               --             --        --       3.0E-3
CSSA012B-BOO-LF

CSS1107A-CBL-LF   Control Power Wire - Open Circuit                 3.0E-6         360       1.1E-3   3.3E-3
CSS1407B-CBL-LF   Either of 2 Fuses Fail Open                       3.0E-6x2       360       2.2E-3

CSS0011X-HTX-LFI  Inadequate Heat Removal                           8.5E-8         4320      --       3.7E-4
CSS0012X-HTX-LFI

CSS0011X-HTX-LFB  Blockage                                          8.5E-8         4320      --       3.7E-4
CSS0012X-HTX-LFB

STP066-1A-T-FRFT  Failure to Restore Following Test 0-66-1          1.1E-4x1.0E-4  4320      --       4.8E-5

STP066-1B-T-FRFT  Failure to Restore Following Test 0-66-1          1.1E-4x1.0E-4  360       --       4.0E-6

CSS0313X-C-PRTS   Unavailable Due to Test 0-65-1                    4.6E-4         0.86      --       4.0E-4
CSS0323X-C-PRTS

CSS0315X-C-FRFT   Failure to Restore Following Test 0-65-1          4.6E-4x1.0E-4  360       --       1.7E-5
CSS0325X-C-FRFT

CSS0011A-P-PRTS   Unavailable For Period of Test                    1.4E-3         1.4       --       1.9E-3
CSS0012B-P-PRTS

CSS0314X-P-FRFT   Failure to Restore Following Pump Test            1.4E-3x1.0E-4  360       --       5.0E-5
CSS0324X-P-FRFT

CSS0011X-H-PRMN   HTX Maintenance                                   2.3E-5         7         --       1.6E-4
CSS0012X-H-PRMN

CSS0011A-P-PRMN   Pump Maintenance                                  1.7E-4         4.64      --       7.9E-4
CSS0012B-P-PRMN

CSS4150A-N-PRMN   Pneumatic Valve Maintenance                       3.4E-7         7         --       2.4E-6
CSS4151B-N-PRMN

CSSA011A-B-PRMN   4KV BKR Maintenance                               8.4E-6         8         --       6.7E-5
CSSA012B-B-PRMN

CSS0314X-H-FRFM   Failure To Restore Following HTX Maintenance      2.3E-5x1.0E-4  360       --       8.3E-7
CSS0319X-H-FRFM
CSS0324X-H-FRFM
CSS0329X-H-FRFM

CSS0311X-P-FRFM   Failure To Restore Following Maintenance on Pump  1.7E-4x1.0E-4  360       --       6.1E-6
CSS0314X-P-FRFM
CSS0321X-P-FRFM
CSS0324X-P-FRFM

CSS0662B-V-FRFM   MOV Failure to Restore Following Maintenance      3.6E-6x1.0E-4  1080      --       3.9E-7
CSS0663A-V-FRFM

CSS0315X-N-FRFM   Failure To Restore Following Maint. On            3.4E-7x1.0E-4  360       --       1.2E-8
CSS0325X-N-FRFM   Pneumatic Valve

CSS0317X-N-FRFM   Failure To Restore Following Maint. On            3.4E-7x1.0E-4  4320      --       1.5E-7
CSS0327X-N-FRFM   Pneumatic Valve

SIS0011X-TNK-LF   Tank - Local Faults (WASH-1400)                   8.5E-10        4         --       3.4E-9

SIS-SUMP-FAULTS   Sump - Local Faults (WASH-1400)                   8.5E-10        360       --       3.1E-7
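The rows of Table B.5.5 are consistent with q = failure rate x exposure time, with Q as the sum of the sub event q values. The following Python check is an added example, not part of the original report: it recomputes Q for a handful of rows transcribed from the table and flags any row whose printed Q disagrees, which is a practical way to catch keying or scan errors in such data. The class and function names, the 5% tolerance, and the last (deliberately mis-keyed) row are assumptions made for the example.

```python
"""Recompute the Q column of Table B.5.5 from its rate and exposure-time columns."""
from dataclasses import dataclass
from math import prod
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SubEvent:
    description: str
    rate: Optional[str] = None           # per-hour rate as printed, e.g. "1.4E-3x1.0E-4"
    exposure_hr: Optional[float] = None  # exposure time in hours
    q_demand: Optional[float] = None     # value printed directly in the q column


@dataclass(frozen=True)
class Event:
    name: str
    sub_events: Tuple[SubEvent, ...]
    q_printed: float                     # Q column as printed in the table


def parse_rate(expr: str) -> float:
    """Multiply out a printed rate expression: '3.0E-6x2' -> 6.0e-6."""
    return prod(float(factor) for factor in expr.lower().split("x"))


def sub_event_q(sub: SubEvent) -> float:
    """q = rate x exposure time when both are given, else the printed demand value."""
    if sub.rate is not None and sub.exposure_hr is not None:
        return parse_rate(sub.rate) * sub.exposure_hr
    if sub.q_demand is not None:
        return sub.q_demand
    raise ValueError(f"no usable data for sub event: {sub.description}")


def event_q(event: Event) -> float:
    """Q = sum of the sub event unavailabilities."""
    return sum(sub_event_q(sub) for sub in event.sub_events)


def audit(events, rel_tol: float = 0.05) -> List[Tuple[str, float, float]]:
    """Return (name, recomputed Q, printed Q) for rows that disagree by more than
    rel_tol. The table prints two significant figures, so a few percent is normal."""
    findings = []
    for ev in events:
        computed = event_q(ev)
        if abs(computed - ev.q_printed) > rel_tol * ev.q_printed:
            findings.append((ev.name, computed, ev.q_printed))
    return findings


# Rows transcribed from Table B.5.5, one event name per group of identical rows.
TABLE_B55_SAMPLE = (
    Event("CSS0311X-XOC-LF",
          (SubEvent("Manual valve fails to remain open (plug)", "1.0E-7", 360),), 3.6e-5),
    Event("CSS0317X-XOC-LF",
          (SubEvent("Manual valve fails to remain open (plug)", "1.0E-7", 4320),), 4.3e-4),
    Event("SIS4144A-VCC-LF",
          (SubEvent("Failure to operate", q_demand=3.0e-3),
           SubEvent("Failure to remain open (plug)", "1.0E-7", 24)), 3.0e-3),
    Event("CSS1107A-CBL-LF",
          (SubEvent("Control power wire open circuit", "3.0E-6", 360),
           SubEvent("Either of 2 fuses fail open", "3.0E-6x2", 360)), 3.3e-3),
    Event("CSS0011A-P-PRTS",
          (SubEvent("Unavailable for period of test", "1.4E-3", 1.4),), 1.9e-3),
    Event("CSS0314X-P-FRFT",
          (SubEvent("Failure to restore following pump test", "1.4E-3x1.0E-4", 360),), 5.0e-5),
    Event("STP066-1A-T-FRFT",
          (SubEvent("Failure to restore following test 0-66-1", "1.1E-4x1.0E-4", 4320),), 4.8e-5),
    Event("CSS0662B-V-FRFM",
          (SubEvent("MOV failure to restore following maintenance", "3.6E-6x1.0E-4", 1080),), 3.9e-7),
    # Constructed row: the same event with the exposure time mis-keyed as 1000 hr.
    Event("CONSTRUCTED-MISKEYED",
          (SubEvent("MOV failure to restore following maintenance", "3.6E-6x1.0E-4", 1000),), 3.9e-7),
)

if __name__ == "__main__":
    for name, computed, printed in audit(TABLE_B55_SAMPLE):
        print(f"{name}: recomputed Q = {computed:.2e}, printed Q = {printed:.1e}")
```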

[Figure B.5-1: Simplified Schematic of the Containment Spray/Shutdown Cooling Heat Exchanger System (CSS/SDHX)]

[Figure B.5-2: Simplified Schematic of CSS/SDHX Used in Fault Tree Modeling]

Appendix B.6

High Pressure Safety Injection/Recirculation System

B.6 HIGH PRESSURE SAFETY INJECTION/RECIRCULATION SYSTEM DESCRIPTION

B.6.1 Purpose

The primary purpose of the High Pressure Safety Injection/Recirculation System (HPSI/R) is to inject borated water from the Refueling Water Tank (RWT) into the Reactor Coolant System (RCS) to prevent the uncovering of the core for small reactor coolant pipe breaks and to delay the uncovering of the core for intermediate-sized breaks. This system is capable of injecting borated water into the core at discharge pressures of up to 1275 psia.

Once the RWT reaches a low level, the HPSI/R pumps are automatically realigned to take suction from the containment sump for the recirculation mode. In this mode, HPSR maintains a borated water cover over the core for extended periods of time following a loss-of-coolant accident (LOCA).

B.6.2 Description

B.6.2.1 Overall Configuration

The HPSI/R system is a two-train, three-pump system which draws borated water from the RWT and injects it into the four RCS cold legs via 4 injection headers. The system is actuated on signals from the Engineered Safety Feature Actuation System. A simplified schematic of the HPSI/R is shown in Figure B.6-1.

HPSI/R Pumps

The three HPSI/R pumps are horizontal, seven-stage centrifugal pumps driven by induction motors. The pumps are provided with minimum flow orifices connected between the pump discharge and the RWT to ensure that no damage results when operating against a closed system. The pump parameters are presented below:

Quantity                  3
Type                      7-stage, horizontal, centrifugal
Manufacturer              Bingham Pump Company / Type MSD
Horsepower                400 hp
Design flow rate          345 gpm
Electrical requirement    4000 volts (off 4160 v bus)
Design pressure           1750 psig
Design temperature        350°F

HPSI/R Motor-Operated Valves

There are eight normally closed HPSI/R injection valves which connect the two HPSI/R trains to four injection headers. These valves are opened by a Safety Injection Actuation Signal (SIAS). There are also two normally closed valves on the sump lines which are opened by a Recirculation Actuation Signal (RAS). The two motor-operated valves on the RWT outlet are normally open.

Refueling Water Tank

During emergency safety injection, the safety injection pumps and the containment spray pumps take suction from the RWT. During plant operation at least 400,000 gallons of borated water must be available for safety injection and containment spray. The useful tank capacity exceeds 400,000 gallons and provides 36 minutes of safety injection time with all pumps operating at design flow rates. The water is maintained at a boron concentration of 1720 ppm and at a temperature T (40°F ≤ T ≤ 100°F).

The tank has two safety injection outlets physically separated to preclude the possibility of simultaneous plugging. Other connections are provided for draining, filling, purification, external heating, and instrumentation. Two instrument channels give the control room indication of the water level in the RWT. Each indicator actuates an alarm on high or low water level in the tank.

B.6.2.2 System Interfaces

Shared Components

The two independent suction headers supplied from either the RWT or the containment sump lines and a common portion of the pump recirculation lines are shared by the HPSI/R, LPSI/R and CSS/SDHX systems. The end portions of the four injection lines to the reactor vessel are shared by the SITS, HPSI/R and LPSI/R systems.

Electrical System

The motor-operated valves in the HPSI/R system get their motive power from the 480 V MCCs 114R (load group A) and 104R (load group B). The 120 VAC control power for these valves is transformed directly from the component's motive power circuit breaker.

The three HPSI/R pumps are powered by 4.16 kV AC buses: pump 11 by bus 11, pump 12 by bus 14, and pump 13, which is normally aligned to bus 14 but can swing between buses 11 and 14, depending on the situation requirements. These requirements mandate that only two HPSI/R pumps can operate at any one time (one from each load center).

A list of the active components of the HPSI/R system and their corresponding electrical components is shown in Table B.6.1.

Actuation System

As mentioned earlier, the HPSI/R system is initiated by signals from the Engineered Safety Feature Actuation System (ESFAS). The HPSI is initiated by the Safety Injection Actuation System (SIAS) signal based on low pressurizer pressure or high containment pressure. The HPSR is initiated by the Recirculation Actuation System (RAS) signal, which is triggered by low level in the RWT. The SIAS and RAS are both subsystems of the ESFAS.

The two channels (A & B) of the ESFAS actuate two different sets of components in the HPSI/R system. Pump 13 is the only exception and swings between channels A & B.

Pump Room Cooling

The HPSI/R pumps are located in two separate rooms. Pumps 11 and 12 are located in a room which is cooled by four fans and the supporting equipment. Three fans and the supporting equipment constitute the room cooling system for HPSI/R pump 13. The heat exchangers for these fans receive their cooling water from the Salt Water System. Room cooling is required for the operation of HPSI/R pumps during the recirculation phase.

Component Cooling System

The HPSI/R pumps themselves are cooled by the Component Cooling System. This cooling is crucial only during the recirculation phase when the pumps are injecting hot water from the containment sump.

The support system FMEA for the HPSI/R system is shown in Table B.6.2.

B.6.2.3 Instrumentation and Control

The high pressure injection of borated water is initiated by a low pressurizer pressure or high containment pressure. The SIAS signals cause the actuation of the HPSI valves and pumps, which deliver water from the RWT into the reactor core.

The following components change status upon the SIAS signal:

1. MOVs 616, 626, 636, 646, 617, 627, 637, 647 open
2. Pumps 11 and 12 start (pump 13 backup for pump 12).

Also, when the RWT level drops below 30 inches, the RAS opens the MOVs 4144 and 4145 so that the HPSR system can pump water from the containment sump to the reactor core.

In addition to the automatic actuation described, the HPSI/R pumps and valves may be remotely actuated by the operator from the control room. HPSI/R has to be manually terminated when it is necessary. The pump control logic diagrams are shown in Figure B.6-2.

B.6.2.4 Operator Actions

Operator action is not required for successful operation of the HPSI/R system since all the components are actuated automatically upon receiving the SIAS or RAS signal. Operator actions can be limited to verifying operation of the system by observing HPSI/R flow to all four reactor coolant cold legs. However, the Emergency Operating Procedures (EOP-5) require the manual initiation of the RAS signal and shutting of the RWT suction valves. This requirement is due to design limitations in the Low Pressure Safety Recirculation (LPSR) System. For more information, refer to Section B.3.3.

B.6.2.5 Surveillance

The status of the HPSI/R system is checked once every eight-hour shift. The procedure for this is the shift turnover checklist which is performed during each shift. Listed below are the components of the HPSI/R system from the shift turnover checklist:

1. pump 11 available
2. pump 12 available
3. pump 13 available (if pump 12 unavailable)
4. MOV-SI-616, 626, 636, 646 closed
5. MOV-SI-617, 627, 637, 647 closed
6. MOV-SI-653, 654, 655, 656 open
7. MOV-SI-4144, 4145 closed
8. MOV-SI-4142, 4143 open
9. MOV-SI-659, 660 open
10. RWT temperature and level

Other surveillance requirements for the HPSI/R system are:

1. At least once per 31 days verify that each valve (manual, power-operated, or automatic) in the flow path that is not locked, sealed, or otherwise secured in position, is in its correct position.
2. At least once per 31 days verify by a visual inspection that no loose debris is present in the containment which could be transported to the containment sump and cause restriction of the pump suctions during LOCA conditions.

Testing

Components of the HPSI/R are tested routinely, both during reactor operations and during shutdown. Of concern here is the testing that takes place during reactor operation. Table B.6.3 lists a summary of these tests.

B.6.2.6 Maintenance

Components of the HPSI/R system are maintained only on an as-needed basis during reactor operation. The routine periodic maintenance is done while the reactor is shut down. Information concerning maintenance on HPSI/R components during reactor operation is presented in Table B.6.4.

B.6.2.7 Technical Specification Limitations

Technical specifications requirements (when the reactor coolant system temperature is above 300°F) are:

1. Two out of three HPSI/R pumps powered from independent buses shall be operable to provide redundant, independent flow paths.
2. Valves associated with the HPSI/R system shall be operable or locked in their normal operating position to provide two operable flow paths capable of taking suction from the refueling water tank on a safety injection actuation signal and automatically transferring suction to the containment sump on a Recirculation Actuation Signal.

Maintenance is allowed on only one train of the HPSI/R system during power operation as long as that train is restored to an operable status within 72 hours. If this condition is not met the reactor must be in HOT SHUTDOWN within the next 12 hours.

B.6.3 Operation

Following an incident which results in a SIAS signal, the following actions take place:

SIAS channel A opens MOV 617, MOV 627, MOV 637, MOV 647, and starts pump 11*

SIAS channel B opens MOV 616, MOV 626, MOV 636, MOV 646, and starts pump 12*

The specific sequence in which pumps and valves will operate depends on what type of power is available. If offsite power is available, the HPSI/R system equipment will be started and operated on receipt of the SIAS. If offsite power is not available the safety feature loads are divided between the two plant emergency diesel generators. In this case, the HPSI/R system is designed to be in full operation within 30 seconds after receiving SIAS.

Operation of the HPSI/R system in injection mode will continue until the RAS switches the pumps' suction from RWT to the containment sump by opening the sump isolation valves. Once flow is verified from the sump to the HPSI pumps, the operator will manually shut the RWT outlet isolation valves. Once initiated, the recirculation continues until terminated or modified by operator action.

There are minimum flow orifices, connected between the pump discharge and the RWT, to ensure that the pumps are not damaged if they are run against a closed system. In the recirculation phase, the RAS will shut both minimum flow recirculation valves (MOV 659 in series with MOV 660 and powered from separate buses) to preclude diverting flow back to the RWT. But even if the line were to remain open during emergency operation, it contains flow orifices which limit flow through it.

There are connections provided between the shutdown cooling heat exchanger and HPSI/R pumps 11 and 13. During recirculation, a portion of the cooled containment spray flow leaving the heat exchanger may be diverted to the HPSI pumps' suction through normally closed MOVs 662 and 663, which have to be manually opened by the operator. This mode of operation is not considered in the HPSI/R system analysis.

* Pump 13 is not started and is a backup. Upon loss of pump 12, pump 13 starts automatically. In case of failure of pump 11, manual action should be taken to start pump 13 as the backup for pump 11.

B.6.4 Fault Tree Description

A simplified diagram of the HPSI/R system (used for fault tree modeling) is shown in Figure B.6-3. For the purpose of fault tree development, the system has been broken up into pipe segments which are labeled.

The fault trees are presented on the appropriate aperture cards in the envelope at the back of this report. There are two trees - one for the injection and one for the recirculation phase. Table B.6.5 gives the data used to quantify the trees. The HPSR fault tree includes all the basic events in the HPSI fault tree for sequence evaluation purposes.

B.6.4.1 Success/Failure Criteria

The success criterion for the HPSI/R system is defined as 1 of 3 pumps providing flow through 1 of 4 headers (FSAR criteria). Therefore, the fault tree top events are defined as "failure to provide 1 pump flow through 1 of 4 headers."

B.6.4.2 Major Assumptions

In constructing the fault tree for the HPSI/R system, the following assumptions were made:

1. Passive piping failures were neglected except for the initiating event LOCA which was assumed to occur in injection line 11A and to fail that line.
2. Flow diversion to other engineered safeguards systems has been neglected, i.e., HPSI/R, LPSI, and containment spray system (CSS) pumps take their suction from the same line; it is assumed that one does not interfere with the other.
3. Flow diversion through pipes less than 1/3 the diameter of the main pipe has been neglected.
4. Misposition faults for the normally open motor-operated valves (when their normal position is the same as their engineered safety position) were neglected (see #12).
5. Tests for valves were neglected due to the short time interval of the test.
6. Minimum flow recirculation lines were neglected as a diversion path but, if they fail closed, they were assumed to fail the pumps due to the pumps' low shutoff head and the slow decrease in pressure during a small-small LOCA.
7. No immediate operator actions were modeled except for failure of the operator to actuate RAS.
8. Cavitation of the HPSI/R pumps due to the non-closing of MOV 4142 and MOV 4143 when switching to recirculation was neglected. Both the RWT and containment sump are at higher elevations than the HPSI/R pumps and the pumps are gravity fed at their suction. Sufficient NPSH will exist for pump operation.
9. Connections from the containment spray system (which can provide cooled containment spray flow to HPSI/R pumps 11 and 13) which require operator action were not considered here but were considered as possible recovery actions.
10. Testing of pumps was neglected since no component has to be aligned away from its engineered safety position during the test.
11. In modeling the actuation of the sump isolation valves (RAS signal), the ESFAS fault tree considers both the manual and automatic initiation of the RAS signal. As mentioned before, the operator is required to avoid the automatic initiation by manually initiating the RAS signal.
12. Failure to restore events for MOVs and their breakers have been neglected due to the following reasons:
a. HPSI/R MOVs receive an ESFAS signal to go to their safe position.
b. If an MOV or its breaker is not restored, there will either be a Wrong Position Indication or No Position Indication in the control room. The operator will detect such errors during the shift turnover check.
13. The failure of a check valve in the LPSI line resulting in back flow from one HPSI line into the low pressure LPSI piping and subsequent rupture of the line, which was identified as failing all of HPSI in the RSSMAP PRA (see Reference 9 of the main report) of Calvert Cliffs, was neglected. First, failure of that line should only fail one injection path, not the whole system, since its effects on HPSI are similar to a LOCA occurring in an injection line. Second, the driving pressure would be the difference between the HPSI and LPSI injection pressures of 1275 and 185 psia, which would reduce the diversion somewhat. Third, the operator is directed to check flow in each HPSI and LPSI line and would note flow in one LPSI line and excessive flow in one HPSI line and could close the MOVs in those lines, isolating the diversion.

Table B.6.1 HPSI/R Active Components Requiring Actuation for ECCS Function

COMPONENT               MOTIVE POWER              CONTROL POWER          SIAS CHANNEL   RAS CHANNEL
MOV 616, 626, 636, 646  480V MCC 104R             120V AC*               B              NONE
MOV 617, 627, 637, 647  480V MCC 114R             120V AC*               A              NONE
Pump 11                 4.16KV bus 11             125V DC bus 11         A              NONE
Pump 12                 4.16KV bus 14             125V DC bus 21         B              NONE
Pump 13**               4.16KV bus 11 or bus 14   125V DC bus 11 or 21   A or B         NONE
MOV 4145                480V MCC 104R             120V AC*               NONE           B
MOV 4144                480V MCC 114R             120V AC*               NONE           A

* Transformed from the component's native power source circuit breaker.
** Pump 13 is normally aligned to 4.16KV Bus 14 (125V DC bus 21, SIAS Channel B).

Table B.6.2 Support System FMEA for the HPSI/R System

SUPPORT SUB-SYSTEM              COMPONENT AFFECTED               FAILURE MODE*                               COMPONENT FAILURE EFFECT ON SYSTEM**                             EFFECT OF SUPPORT SUB-SYSTEM FAILURE ON OVER-ALL SYSTEM**
480 V MCC 114R                  MOV 617                          NCFC                                        Loss of auxiliary hdr flow to loop 11A                           Loss of flow from HPS auxiliary header
                                MOV 627                          NCFC                                        Loss of auxiliary hdr flow to loop 11B
                                MOV 637                          NCFC                                        Loss of auxiliary hdr flow to loop 12A
                                MOV 647                          NCFC                                        Loss of auxiliary hdr flow to loop 12B
                                MOV 4144                         NCFC                                        Loss of 1/2 sump line for HPSR                                   Sump water inaccessible for HPSR pumps 11 & 12
480 V MCC 104R                  MOV 616                          NCFC                                        Loss of main header flow to loop 11A                             Loss of flow from HPS main header
                                MOV 626                          NCFC                                        Loss of main header flow to loop 11B
                                MOV 636                          NCFC                                        Loss of main header flow to loop 12A
                                MOV 646                          NCFC                                        Loss of main header flow to loop 12B
                                MOV 4145                         NCFC                                        Loss of 1/2 sump line for HPSR                                   Sump water inaccessible for HPSR pump 13
4.16 KV AC bus 11               Pump 11                          Does not start or run                       HP pump 11 unavailable                                           HPSI/HPSR pumps 11 and 13 (if it needs to be powered from bus 11) unavailable
                                Pump 13, if requirement exists   Does not start or run                       HP pump 13 unavailable (if it needs to be powered from bus 11)
4.16 KV AC bus 14               Pump 12                          Does not start or run                       HP pump 12 unavailable                                           HPSI/HPSR pumps 12 and 13 (13, if it needs to be powered from bus 14) unavailable
                                Pump 13, if requirement exists   Does not start or run                       HP pump 13 unavailable (if it needs to be powered from bus 14)
SIAS Channel A                  MOV 617                          NCFC                                        Loss of auxiliary hdr flow to loop 11A                           HPS auxiliary header, pump 11 and pump 13 (if pump 13 is required to actuate through Channel A circuitry) unavailable
                                MOV 627                          NCFC                                        Loss of auxiliary hdr flow to loop 11B
                                MOV 637                          NCFC                                        Loss of auxiliary hdr flow to loop 12A
                                MOV 647                          NCFC                                        Loss of auxiliary hdr flow to loop 12B
                                Pump 11                          Does not start                              Pump 11 unavailable
                                Pump 13                          Does not start through Channel A circuitry  Pump 13 unavailable
SIAS Channel B                  MOV 616                          NCFC                                        Loss of main header flow to loop 11A                             HPS main header, pump 12 and pump 13 (only if pump 13 is required to actuate through Channel B circuitry) unavailable
                                MOV 626                          NCFC                                        Loss of main header flow to loop 11B
                                MOV 636                          NCFC                                        Loss of main header flow to loop 12A
                                MOV 646                          NCFC                                        Loss of main header flow to loop 12B
                                Pump 12                          Does not start                              Pump 12 unavailable
                                Pump 13                          Does not start through Channel B circuitry  Pump 13 unavailable
RAS Channel A                   MOV 4144                         NCFC                                        Loss of 1/2 sump lines for HPSR                                  Sump water inaccessible for HPSR pumps 11 & 12
RAS Channel B                   MOV 4145                         NCFC                                        Loss of 1/2 sump lines for HPSR                                  Sump water inaccessible for HPSR pump 13
Pump 11 & 12 Room Coolers       Pump 11                          Loss of cooling to pump motor               Pump 11 motor burnout                                            Pump 11 and 12 unavail. during recirc. phase
                                Pump 12                          Loss of cooling to pump motor               Pump 12 motor burnout
Pump 13 Room Cooler             Pump 13                          Loss of cooling to pump motor               Pump 13 motor burnout                                            Pump 13 unavail. during recirc. phase
Component Cooling for Pump 11   Pump 11                          Loss of cooling to pump                     Pump 11 burnout                                                  Pump 11 unavail. during recirc. phase
Component Cooling for Pump 12   Pump 12                          Loss of cooling to pump                     Pump 12 burnout                                                  Pump 12 unavail. during recirc. phase
Component Cooling for Pump 13   Pump 13                          Loss of cooling to pump                     Pump 13 burnout                                                  Pump 13 unavail. during recirc. phase
125 V DC bus 11                 Pump 11                          Does not start                              Pump 11 unavailable                                              HP pump 11 and 13 (swing pump) unavail.
                                Pump 13 (swing pump)             Does not start                              Pump 13 is unavailable (swing pump)
125 V DC bus 21                 Pump 12                          Does not start                              Pump 12 unavailable                                              HP pump 12 and 13 (swing pump) unavail.
                                Pump 13 (swing pump)             Does not start                              Pump 13 unavailable (swing pump)

* NCFC = normally closed; fails closed
** Assuming no recovery.

Table B.6.3 HPSI/R COMPONENT TEST SUMMARY SHEET

            TYPE OF   COMPONENTS THAT MUST BE ALIGNED AWAY FROM   TEST        EXPECTED TEST   FREQUENCY OF COMPONENT    SOURCE (TEST
COMPONENT   TEST      ESF POSITION WITH NO AUTOMATIC RETURN       FREQUENCY   OUTAGE TIME     ALIGNMENT VERIFICATION    PROCEDURE NO.)
Pump 11     Flow      None                                        Monthly     15 Minutes      Monthly                   STP 0-73-1
Pump 12     Flow      None                                        Monthly     15 Minutes      Monthly                   STP 0-73-1
Pump 13     Flow      None                                        Monthly     3% Minutes      Monthly                   STP 0-73-1
MOV 4144    RAS*      None                                        Monthly     5 Minutes       8 Hours                   STP 0-65-1
MOV 4145    RAS       None                                        Monthly     5 Minutes       8 Hours                   STP 0-65-1
MOV 617     SIAS*     None                                        Monthly     5 Minutes       8 Hours                   STP 0-65-1
MOV 627     SIAS      None                                        Monthly     5 Minutes       8 Hours                   STP 0-66-1
MOV 637     SIAS      None                                        Monthly     5 Minutes       8 Hours                   STP 0-65-1
MOV 647     SIAS      None                                        Monthly     5 Minutes       8 Hours                   STP 0-65-1
MOV 616     SIAS      None                                        Monthly     5 Minutes       8 Hours                   STP 0-65-1
MOV 626     SIAS      None                                        Monthly     5 Minutes       8 Hours                   STP 0-65-1
MOV 636     SIAS      None                                        Monthly     5 Minutes       8 Hours                   STP 0-65-1
MOV 646     SIAS      None                                        Monthly     5 Minutes       8 Hours                   STP 0-65-1
MOV 4142    Stroke    None                                        Quarterly   5 Minutes       8 Hours                   STP 0-45-1
MOV 4143    Stroke    None                                        Quarterly   5 Minutes       8 Hours                   STP 0-45-1
MOV 659     Stroke    None                                        Quarterly   5 Minutes       8 Hours                   STP 0-65-1
MOV 660     Stroke    None                                        Quarterly   5 Minutes       8 Hours                   STP 0-65-1

* These valves are also tested quarterly (manual stroke).

Table B.6.4 HPSI/R COMPONENT MAINTENANCE SUMMARY SHEET

COMPONENT UNDERGOING    TYPE OF                 COMPONENTS WHICH MUST BE ALIGNED AWAY FROM   FREQUENCY OF COMPONENT   EXPECTED FREQUENCY OF   EXPECTED OUTAGE TIME OF
MAINTENANCE             MAINTENANCE             ESF POSITION WITH NO AUTOMATIC RETURN        ALIGNMENT VERIFICATION   MAINTENANCE* (/hr.)     MAINTENANCE* (hrs.)
Pump 11                 Maintenance Requiring   Manual Valve SI-470                          1 month                  1.7E-4                  4.64
                        Disassembly             Manual Valve SI-420
                                                Open Pump 11 BKR
Pump 12                 Maintenance Requiring   Manual Valve SI-411                          1 month                  1.7E-4                  4.64
                        Disassembly             Manual Valve SI-415
                                                Open Pump 12 BKR
Pump 13                 Maintenance Requiring   Manual Valve SI-402                          1 month                  1.7E-4                  4.64
                        Disassembly             Manual Valve SI-406
                                                Open Pump 13 BKR
Motor operated valves   Maintenance on          None                                         8 hours                  3.6E-6                  7
(MOVs) 616, 626, 636,   Component Externals
646, 617, 627, 637
MOV Breaker             Maintenance Requiring   None                                         8 hours                  1.25E-6                 4
(480V Breaker)          Disassembly
Pump Breaker            Maintenance Requiring   None                                         1 month                  8.4E-6                  8
(4 kV Breaker)          Disassembly

* Plant specific data

Table B.6.5 HIGH PRESSURE SAFETY INJECTION/RECIRCULATION SYSTEM (HPSI/R) DATA

                    FAULT DESCRIPTION /                                       SUB EVENT       SUB EVENT   SUB EVENT   EVENT
EVENT NAME          SUB EVENT DESCRIPTION                                     FAILURE RATE    EXPOSURE    UNAVAIL.    UNAVAIL.
                                                                              (per/hr)        TIME (hr)   q           Q = Σq

SIS011AX-PIP-LFD    Pipe Break - Cold Leg (LOCA)                              --              --          --          1

SIS012AX-PIP-LFD    Pipe Break - Cold Leg (LOCA)                              --              --          --          0
SIS011BX-PIP-LFD
SIS012BX-PIP-LFD

HPI0401X-CCC-LF     Check Valve Failure To Open                               --              --          --          1.0E-4
HPI0410X-CCC-LF
SIS422X-CCC-LF
SIS424X-CCC-LF
SIS426X-CCC-LF
SIS4146X-CCC-LF
SIS4147X-CCC-LF

HPI0113X-CCC-LF     Check Valve Failure To Open                               --              4320        --          4.0E-4
HPI0123X-CCC-LF
HPI0133X-CCC-LF
HPI0143X-CCC-LF
HPI0405X-CCC-LF
HPI0414X-CCC-LF
HPI0427X-CCC-LF
SIS0118X-CCC-LF
SIS0128X-CCC-LF
SIS0138X-CCC-LF
SIS0148X-CCC-LF
SIS0217X-CCC-LF
SIS0227X-CCC-LF
SIS0237X-CCC-LF
SIS0247X-CCC-LF
SIS4148X-CCC-LF
SIS4149X-CCC-LF

HPI0406X-XOC-LF     Manual Valve Failure To Remain Open (Plug)                1.0E-7          4320        --          4.3E-4
HPI0415X-XOC-LF
HPI0428X-XOC-LF

HPI0402X-XOC-LF     Manual Valve Failure To Remain Open (Plug)                1.0E-7          360         --          3.6E-5
HPI0411X-XOC-LF
HPI0470X-XOC-LF
HPI421X-XOC-LF
HPI423X-XOC-LF
HPI425X-XOC-LF

SIS4142A-VOC-LF     MOV Failure To Remain Open (Plug)                         1.0E-7          360         --          3.6E-5
SIS4143B-VOC-LF

HPI0616B-VCC-LF     MOV Failure To Operate                                    --              --          3.0E-3      3.0E-3
HPI0617A-VCC-LF     MOV Failure To Remain Open (Plug)                         1.0E-7          24          2.4E-6
HPI0626B-VCC-LF
HPI0627A-VCC-LF
HPI0636B-VCC-LF
HPI0637A-VCC-LF
HPI0646B-VCC-LF
HPI0647A-VCC-LF
SIS4144A-VCC-LF
SIS4145B-VCC-LF

HPI0616B-CBL-LF     Cable Fault - Open Circuit                                3.0E-6          360         --          1.1E-3
HPI0617A-CBL-LF
HPI0626B-CBL-LF
HPI0627A-CBL-LF
HPI0636B-CBL-LF
HPI0637A-CBL-LF
HPI0646B-CBL-LF
HPI0647A-CBL-LF
SIS4144A-CBL-LF
SIS4145B-CBL-LF

HPI0616B-BCO-LF     BKR Fault - Premature Transfer                            1.0E-6          360         --          3.6E-4
HPI0617A-BCO-LF
HPI0626B-BCO-LF
HPI0627A-BCO-LF
HPI0636B-BCO-LF
HPI0637A-BCO-LF
HPI0646B-BCO-LF
HPI0647A-BCO-LF
SIS4144A-BCO-LF
SIS4145B-BCO-LF

HPIR616B-BOO-CC     MOV Control Circuit Faults (Derived from Circuit Model)   --              --          --          2.5E-3
HPIR617A-BOO-CC
HPIR626B-BOO-CC
HPIR627A-BOO-CC
HPIR636B-BOO-CC
HPIR637A-BOO-CC
HPIR646B-BOO-CC
HPIR647A-BOO-CC
SIS4144A-BOO-CC
SIS4145B-BOO-CC

HPI0653B-VOC-LF     MOV Failure to Remain Open (Plug)                         1.0E-7          4320        --          4.3E-4
HPI0654B-VOC-LF
HPI0655A-VOC-LF
HPI0656A-VOC-LF

HPI0653B-V-PRMN     MOV Maintenance                                           3.6E-6          7           --          2.5E-5
HPI0654B-V-PRMN
HPI0655A-V-PRMN
HPI0656A-V-PRMN
HPI0616B-V-PRMN
HPI0617A-V-PRMN
HPI0626B-V-PRMN
HPI0627A-V-PRMN
HPI0636B-V-PRMN
HPI0637A-V-PRMN
HPI0646B-V-PRMN
HPI0647A-V-PRMN

HPI0616B-B-PRMN     480V BKR Maintenance                                      1.25E-6         4           --          5.0E-6
HPI0617A-B-PRMN
HPI0626B-B-PRMN
HPI0627A-B-PRMN
HPI0636B-B-PRMN
HPI0637A-B-PRMN
HPI0646B-B-PRMN
HPI0647A-B-PRMN

HPI0011A-PMD-LF     Failure to Start                                          --              --          3.0E-3      3.0E-3
HPI0012B-PMD-LF     Failure to Run                                            3.0E-5          0.5         1.5E-5
HPI0013B-PMD-LF

HPR0011A-PMD-LF     Failure to Run (Recirculation)                            3.0E-5          24          --          7.2E-4
HPR0012B-PMD-LF
HPR0013B-PMD-LF

HPI0011A-CBL-LF     Cable Fault - Open Circuit                                3.0E-6          360         --          1.1E-3
HPI0012B-CBL-LF
HPI0013B-CBL-LF

HPI0011A-BOO-LF     4KV BKR Failure to Transfer Power                         --              --          --          3.0E-3
HPI0012B-BOO-LF
HPI0013B-BOO-LF

HPI0C11A-CBL-LF     Control Wire - Open Circuit                               3.0E-6          360         1.1E-3      3.3E-3
HPI0C12B-CBL-LF     Either of 2 fuses fails open                              3.0E-6x2        360         2.2E-3
HPI0C13B-CBL-LF

HPI0011A-BOO-CC     Pump Control Circuit Faults (derived from circuit model)  --              --          --          1.7E-4
HPI0012B-BOO-CC
HPI0013B-BOO-CC

HPI0011A-P-PRMN     Pump Maintenance                                          1.7E-4          4.64        --          7.9E-4
HPI0012B-P-PRMN
HPI0013B-P-PRMN

HPI0011A-B-PRMN     4KV BKR Maintenance                                       8.4E-6          8           --          6.7E-5
HPI0012B-B-PRMN
HPI0013B-B-PRMN

HPI0402X-X-FRFM     Failure to Restore Following Pump Maintenance             1.7E-4x1.0E-4   360         --          6.1E-6
HPI0406X-X-FRFM
HPI0411X-X-FRFM
HPI0415X-X-FRFM
HPI0428X-X-FRFM
HPI0470X-X-FRFM
HPI421X-X-FRFM
HPI423X-X-FRFM
HPI425X-X-FRFM

HPICu13B-DSM-LF     Local Faults Motor Operated Disconnect Switch             --              --          --          1.0E-4

HPI0013B-BS-CFO     Contacts to Switch Fail Open                              3.0E-8          360         --          1.1E-5

SIS0011X-TNK-LF     Tank - Local Faults (WASH-1400)                           8.5E-10         4           --          3.4E-9

SIS-SUMP-FAULTS     Containment Sump Plugs (WASH-1400)                        8.5E-10         360         --          3.1E-7

HPI33406-1-FRFIE    Failure to Restore Following Blow Maintenance             3.6E-6x1.0E-4   360         --          1.3E-7
HPI45404-I-FEFA
HPI3B415-I-FEF98
HPI5A415-I-FEFM
HPI5A420-X-FEFIE
HPI6A428-I-FRFIE
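The Q column of Table B.6.5 can be cross-checked against its rate and exposure-time columns. The Python sketch below is an added example, not part of the original report: it recomputes each event unavailability as failure rate times exposure time (product rates such as 1.7E-4x1.0E-4 multiplied out, demand failures taken as printed) and sums sub-event values after rounding them to two figures, an assumption that is needed to reproduce the printed 3.3E-3 for the control-wire event. The row labels and function names are this example's own.

```python
"""Cross-check the event unavailabilities (Q) printed in Table B.6.5."""
from math import prod

# Each row: (label, sub-events, Q as printed). A sub-event is
# (rate expression per hour, exposure time in hours, demand unavailability);
# demand failures carry q directly and have no rate or exposure time.
# Numbers are transcribed from Table B.6.5; the short labels are this example's.
TABLE_B65 = [
    ("manual valve plugs (4320 h)", [("1.0E-7", 4320, None)], "4.3E-4"),
    ("manual valve / MOV plugs (360 h)", [("1.0E-7", 360, None)], "3.6E-5"),
    ("MOV fails to operate", [(None, None, 3.0e-3), ("1.0E-7", 24, None)], "3.0E-3"),
    ("MOV cable open circuit", [("3.0E-6", 360, None)], "1.1E-3"),
    ("breaker premature transfer", [("1.0E-6", 360, None)], "3.6E-4"),
    ("MOV maintenance", [("3.6E-6", 7, None)], "2.5E-5"),
    ("480V breaker maintenance", [("1.25E-6", 4, None)], "5.0E-6"),
    ("pump fails to start or run (injection)",
     [(None, None, 3.0e-3), ("3.0E-5", 0.5, None)], "3.0E-3"),
    ("pump fails to run (recirculation)", [("3.0E-5", 24, None)], "7.2E-4"),
    ("control wire or fuse open",
     [("3.0E-6", 360, None), ("3.0E-6x2", 360, None)], "3.3E-3"),
    ("pump maintenance", [("1.7E-4", 4.64, None)], "7.9E-4"),
    ("4KV breaker maintenance", [("8.4E-6", 8, None)], "6.7E-5"),
    ("not restored after pump maintenance", [("1.7E-4x1.0E-4", 360, None)], "6.1E-6"),
    ("switch contacts fail open", [("3.0E-8", 360, None)], "1.1E-5"),
    ("tank local faults", [("8.5E-10", 4, None)], "3.4E-9"),
    ("containment sump plugs", [("8.5E-10", 360, None)], "3.1E-7"),
    ("not restored, 3.6E-6x1.0E-4 row", [("3.6E-6x1.0E-4", 360, None)], "1.3E-7"),
]


def parse_rate(expr):
    """A rate cell is one rate or a product such as '1.7E-4x1.0E-4'."""
    return prod(float(factor) for factor in expr.lower().split("x"))


def two_sig(x):
    """Format the way the table prints values: two figures, e.g. 4.3E-4."""
    mantissa, exponent = f"{x:.1e}".split("e")
    return f"{mantissa}E{int(exponent)}"


def sub_event_q(rate, hours, demand):
    """q is the demand value if one is given, else rate x exposure time."""
    return demand if demand is not None else parse_rate(rate) * hours


def event_Q(sub_events, round_sub_events=True):
    """Q = sum of sub-event q values, each rounded first as printed."""
    qs = [sub_event_q(*s) for s in sub_events]
    if round_sub_events:
        qs = [float(two_sig(q)) for q in qs]
    return two_sig(sum(qs))


def check_table(rows=TABLE_B65):
    """Return (label, recomputed Q, printed Q) for every row that disagrees."""
    return [(label, event_Q(subs), printed)
            for label, subs, printed in rows
            if event_Q(subs) != printed]


if __name__ == "__main__":
    for label, subs, printed in TABLE_B65:
        print(f"{label:40s} recomputed {event_Q(subs):>8s}  printed {printed:>8s}")
    print("rows that disagree:", check_table())
```

Rows whose rate column is blank, such as the check-valve events, are left out because nothing can be recomputed for them.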

Figure B.6-1 Simplified Schematic of the High Pressure Injection/Recirculation System

Figure B.6-2 Control Logic Diagram for Pump 11 or 12 (start and stop logic)

Figure B.6-2 (Cont.) Control Logic Diagram for Pump 13 (start and stop logic)


Appendix B.7 Reactor Protection System

B.7 REACTOR PROTECTION SYSTEM

B.7.1 Purpose

The Reactor Protection System (RPS) encompasses the electrical and mechanical devices and circuitry (including all sensors monitoring selected Nuclear Steam Supply System (NSSS) parameters, bistable trip devices, protective system logic, and Control Element Drive Mechanism (CEDM) power interrupting devices) which generate the signals associated with the reactor protective function.

The function of the RPS is to utilize these signals by initiating the protective action in the form of a reactor trip whenever any one of the monitored selected NSSS conditions or variables deviates from a preselected operating range.

B.7.2 Description

B.7.2.1 Overall Configuration

The RPS (see Figure B.7-1) consists of the following basic parts:

1. NSSS parameter measurement channels;
2. Bistable trip units;
3. Coincidence logic matrices;
4. CEDM power trip paths;
5. RPS testing system.

Each of these parts has its particular function in the overall system. The input variable measurement channels supply the information to the RPS on the selected NSSS conditions. The bistable trip units compare this information with reference set points and provide trip signals to the RPS logic if the measured NSSS condition deviates from the reference. The coincidence logic matrices provide trip signals to the reactor trip circuit breakers upon selected coincident trip signals from the bistable trip units. With the exception of measurement channel power supplies and sensors, reactor trip switchgear, and some auxiliary nuclear instrumentation equipment, the RPS is housed in four cabinets in the control room. This part of the RPS is discussed in the following paragraphs in detail with emphasis on function, operation and construction.

B.7.2.2 System Interfaces

The support systems which interface with the RPS are delineated in the Failure Modes and Effects Analysis (FMEA) which is attached as Table B.7.1.

B.7.2.3 Instrumentation and Control

All operations of the RPS are displayed in the control room.

B.7.2.4 Operator Actions

Initiation of a reactor trip in response to a plant transient is normally automatic. Should a transient occur and an automatic trip not be initiated, the Emergency Operating Procedures (EOPs) instruct the operator to do so manually. Following unsuccessful attempts to automatically and manually initiate a reactor trip (full length rods not fully inserted or reactor power not decreasing) the operator is directed (by Reactor Trip Emergency Operating Procedure, EOP-1) to initiate emergency boration (EOP-13).

B.7.2.5 Surveillance

Once per shift the control room operator performs and records the results of the RPS channel check. Once per month and prior to unit start-up a test of each RPS function is conducted. During each refueling interval each RPS function is calibrated and its response time measured to verify that it meets the requirements specified in the technical specifications.

Note: Special precautions are taken during the performance of the test procedures described above to verify that no inadvertent errors are introduced into the measurement and comparative circuits employed in the RPS. These are:

       -   No adjustment can be undertaken by the tester to correct an out-of-tolerance condition without the concurrence of the shift supervisor. All adjustments are recorded on the test procedure cover sheet and are reviewed by the shift supervisor or foreman supervisor and the surveillance test coordinator.
       -   Procedures employ "as found" and "as left" tolerances. The "as found" tolerance band is approximately double the width of the "as left" band.

           Adjustments which are necessary as a result of a measured value falling within the "as found" band but outside the "as left" band can be made only with the concurrence of the shift supervisor (as described above).

           Adjustments which are necessary as a result of a measured value falling outside the "as found" tolerance band can only be made following initiation of a maintenance request with its review process, and following an investigation of the effects of such an out-of-tolerance condition on the limiting condition of operation for the plant, by the plant operating staff.

The effect of the above [text illegible in source] to protect against inadvertent miscalibration of multiple RPS channels as a result of human error or defective test equipment. The maximum error which could be introduced would be the difference between the "as left" and "as found" tolerances. This is, of itself, insufficient to provide a failure of any RPS function to operate during a transient.

B.7.2.6 Maintenance

The RPS is maintained on an as-needed basis.

B.7.2.7 Technical Specification Limitations

At power, the plant technical specifications permit the bypassing of one channel for each protective function to allow test and maintenance for a period not to exceed 48 hours. After 48 hours, if the channel cannot be returned to operable status it must be placed in the tripped condition. The RPS logic matrices, matrix relays and reactor trip circuit breakers must be completely operable or the plant reduced to hot standby within 6 hours. However, a single channel may be bypassed for up to one hour to allow surveillance testing.

B.7.3 Operation

During normal operation, the reactor is controlled by manual operation. However, during abnormal operations, transients could occur which would lead to damage to the reactor and potentially hazardous conditions. The operator is able to deal with slow transients, but to guard against fast transients and incorrect operation or failures in the control system, the ultimate protection must be automatic.

To protect the reactor under these conditions, a selected number of NSSS variables essential to reactor protection are continuously monitored by the RPS. Whenever an NSSS condition or parameter monitored by the system approaches a state which could have consequences which exceed design criteria, the function of the RPS is to automatically initiate, with precision and reliability, reactor protective action.

As shown in Figure B.7-2, "Reactor Protection System Block Diagram," and Figure B.7-3, "Simplified Functional Diagram of the Reactor Protection System," the RPS consists of four protective channels A, B, C and D. Each of these protective channels monitors the following NSSS parameters:

1. Power Level;
2. Rate of Change of Power;
3. Reactor Coolant Flow;
4. Water Level, Steam Generators;
5. Steam Pressure, Steam Generators;
6. Pressurizer Pressure;
7. Thermal Margin / Low Pressure;
8. Loss of Load;
9. Containment Pressure;
10. Axial Power Distribution.

The signal output from each measurement channel is fed to the input of an auxiliary or bistable trip unit. Forty trip units, 10 for each of the four protective channels, monitor all NSSS parameters providing an input to the RPS. The four measurement channels monitoring each NSSS parameter are completely independent and isolated from each other. All measuring circuits are ungrounded with interconnection wiring run in separate conduits or wire trays. Each protective channel in the protective system cabinet assembly is housed in separate cabinets to provide channel isolation.

The trip units, from any NSSS parameter that will initiate reactor protective action, have their output contacts arranged in six logic matrices, identified as AB, AC, AD, BC, BD and CD to represent all possible two-out-of-four combinations of trip signals (see Figure B.7-3, "Simplified Functional Diagram of the Reactor Protective System"). Each logic matrix, when tripped, trips four matrix relays, which in turn provide trip signals to each of four trip circuits that interrupt the ac power from the CEDM power supplies to de-energize the magnetic coils that hold the control element assemblies (CEA's). The outputs of the CEDM power supplies are paralleled to prevent CEA release on a single power supply failure and to permit system testing during reactor operation. Manual trip action bypasses all logic trips and the CEA's directly by interrupting the ac power to the trip switchgear.

B.7.4 Fault Tree Description

A fault tree was developed for the RPS. It was determined that at full power, a reactor scram will be successful if at least one CEDM power supply bus de-energizes to cause approximately half of the CEAs to enter the core.

A simplified fault tree of the RPS is presented in Figure B.7-4. A special logic gate is used for the input to each of the two events involving a failure to open the trip circuit breakers that feed one of the CEDM groups (see Figure B.7-4, Sheets 3 and 4). Each of the two CEDM groups is fed from two redundant power sources, shown as Bus 1 and Bus 2 in Figure B.7-2. The line from each redundant power source contains two trip circuit breakers in series, each controlled by one of the four independent trip paths. The failure to de-energize a CEDM group involves the failure to trip both circuit breakers in the line from Bus 1, or the failure to trip both circuit breakers in the line from Bus 2, to that CEDM group. Thus, the Boolean expression for each of the two special logic gates is:

(TP1 × TP2) + (TP3 × TP4)

where "TPX" represents the probability of the failure to open the trip circuit breaker for the given CEDM power supply that is controlled by Trip Path X as shown in Figure B.7-2.

The RPS fault tree was not used in the quantification and sequence evaluation process. It is believed that a reliability calculation based on operating experience would provide a more realistic estimate of RPS failure.

B.7.4.1 Success / Failure Criteria

A study by the Calvert Cliffs Fuel Management Group indicates that a successful RPS trip will occur if only one of the two CEDM buses is de-energized, less than 29 of 57 CEDM hold coils fail to de-energize, less than 29 of 57 CEDM hold latches fail to release or 41 of 77 CEA's enter the core.
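The two-out-of-four coincidence logic of B.7.3 and the special gate (TP1 × TP2) + (TP3 × TP4) of B.7.4, worked through in Python as an added example that is not part of the report. The breaker layout (trip paths 1 and 2 on the Bus 1 line, 3 and 4 on the Bus 2 line) is read off the expression, the handling of a bypassed channel is an assumption, and the failure probabilities are constructed and assumed independent.

```python
from itertools import combinations, product

CHANNELS = ("A", "B", "C", "D")
# The six logic matrices named in B.7.3: every pair of the four channels.
MATRICES = tuple("".join(pair) for pair in combinations(CHANNELS, 2))

TRIP_PATHS = (1, 2, 3, 4)
# Assumed layout, read off the expression (TP1 x TP2) + (TP3 x TP4):
# the line from Bus 1 carries the breakers of trip paths 1 and 2 in series,
# the line from Bus 2 carries the breakers of trip paths 3 and 4 in series.
BUS_LINES = {"Bus 1": (1, 2), "Bus 2": (3, 4)}


def tripped_matrices(tripped_channels, bypassed=()):
    """Return the logic matrices whose two channels have both tripped.

    Assumption: a bypassed channel contributes no trip signal, so with one
    channel bypassed the logic is effectively two-out-of-three.
    """
    live = set(tripped_channels) - set(bypassed)
    return [m for m in MATRICES if m[0] in live and m[1] in live]


def trip_demanded(tripped_channels, bypassed=()):
    """True when at least one logic matrix trips (2-out-of-4 coincidence)."""
    return bool(tripped_matrices(tripped_channels, bypassed))


def group_fails_to_deenergize(failed_paths):
    """Evaluate the special gate for one CEDM group.

    failed_paths holds the trip paths whose breaker for this group fails to
    open. Breakers in series on one line: either one opening interrupts that
    line. The two lines are redundant feeds, so the group stays energized as
    soon as both breakers of any one line fail to open.
    """
    failed = set(failed_paths)
    return any(all(tp in failed for tp in line) for line in BUS_LINES.values())


def minimal_cut_sets():
    """Smallest sets of breaker failures that keep the CEDM group energized."""
    cuts = []
    for size in range(1, len(TRIP_PATHS) + 1):
        for combo in combinations(TRIP_PATHS, size):
            is_cut = group_fails_to_deenergize(combo)
            if is_cut and not any(set(c) <= set(combo) for c in cuts):
                cuts.append(combo)
    return cuts


def gate_probability(p_fail):
    """Exact probability of the gate by enumerating all 16 breaker states.

    p_fail maps trip path number to an independent failure probability.
    """
    total = 0.0
    for states in product((False, True), repeat=len(TRIP_PATHS)):
        failed = [tp for tp, bad in zip(TRIP_PATHS, states) if bad]
        if not group_fails_to_deenergize(failed):
            continue
        weight = 1.0
        for tp, bad in zip(TRIP_PATHS, states):
            weight *= p_fail[tp] if bad else 1.0 - p_fail[tp]
        total += weight
    return total


# Constructed failure probabilities, for illustration only.
SAMPLE_P = {1: 0.01, 2: 0.02, 3: 0.03, 4: 0.04}

if __name__ == "__main__":
    print("matrices:", MATRICES)
    print("channels A and C tripped ->", tripped_matrices({"A", "C"}))
    print("A and B tripped, A bypassed ->", trip_demanded({"A", "B"}, {"A"}))
    print("minimal cut sets:", minimal_cut_sets())
    print("breakers 1 and 3 fail, group stays energized:",
          group_fails_to_deenergize({1, 3}))
    print("gate probability:", gate_probability(SAMPLE_P))
```

The enumeration shows that one failed breaker on each line (for example trip paths 1 and 3) does not defeat the trip, while a single successful trip path is not enough on its own: at least one breaker must open on each of the two lines.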


Table B.7.1 RPS Support System FMEA

| Front line system (system, div, component) | Supporting system (system, div, component) | Failure mode | Fault effect on front line system or component function* |
|---|---|---|---|
| RPS, ch A, B, C, D: Bistable Trip Unit, High Containment Pressure | Operator, ch A, B, C, D: Setpoint Calibration & Adjustment | a) Setpoint set too high | a) Trip may not occur concurrently with SI. Containment could become overpressurized. |
| | | b) Setpoint set too low | b) Unnecessary & unwanted trips caused by minor excursions of containment pressure. |
| RPS, ch A, B, C, D: Bistable Trip Unit, Low R.C. Flow | Operator, ch A, B, C, D: Setpoint Calibration & Adjustment | a) Setpoint set too low | a) Bistable will not trip in time to protect against loss of forced flow events that result in fuel damage. |
| | | b) Setpoint set too high | b) Unit may trip unnecessarily on minor excursions of RC flow during operation. |
| RPS, ch A, B, C, D: Bistable Trip Unit, Low S.G. Water Level | Operator, ch A, B, C, D: Setpoint Calibration & Adjustment | a) Setpoint set too low | a) Trip will not occur in time to prevent loss of heat removal from core event. |
| | | b) Setpoint set too high | b) No effect other than to cause frequent shutdowns of F.W. pumps on high S.G. level signals. |
| RPS, ch A, B, C, D: Bistable Trip Unit, Low S.G. Pressure | Operator, ch A, B, C, D: Setpoint Calibration & Adjustment | a) Setpoint set too low | a) Excessive cooldown caused by high steam flow during steam line break because of delayed trip. |
| | | b) Setpoint set too high | b) Unnecessary trips caused by minor excursions of steam flow during normal operation. |
| RPS, ch A, B, C, D: Bistable Trip Unit, High Pressurizer Pressure | Operator, ch A, B, C, D: Setpoint Calibration & Adjustment | a) Setpoint set too high | a) Trip will not occur in time to prevent excessive blowdown of RC through relief valves when reactor generates more power than secondary side can accept. |
| | | b) Setpoint set too low | b) Unnecessary trips caused by minor excursions of pressurizer pressure during normal operation. |
| RPS, ch A, B, C, D: Bistable Trip Unit, High Power Level | Operator, ch A, B, C, D: Variable Setpoint Limits Adjustment | a) Upper limit set too high | a) Trip fails to occur at upper power limit. Power levels exceeded. |
| | | b) Lower limit set too low | b) Trip unit setpoint will not follow decreasing power levels to maintain proper trip margin. Trip will be delayed. |
| RPS, ch A, B, C, D: Bistable Trip Unit, TM/LP Trip | Operator, ch A, B, C, D: Variable Setpoint Lower Limit Adjustment | Lower limit set too low | Bistable will not trip before DNB occurs. May result in local clad damage. |
| RPS, ch A, B, C, D: Bistable Trip Unit, High Rate-of-Change | Operator, ch A, B, C, D: Setpoint Calibration & Adjustment | a) Setpoint set too high (>1.4 DPM) | a) Bistable will not trip in time to protect against uncontrolled CEA withdrawal or boron dilution events. |
| | | b) Setpoint set too low (<1.4 DPM) | b) Unit will trip unnecessarily during power escalation maneuvers. |
| RPS: System environmental control for cabinets 20013, C & 2003A | Control Room & C.S. Room HVAC: Room Cooling | a) Loss of room cooling | a-1) Loss or degradation of system function caused by exposure to temperatures above those for which the equipment was designed. a-2) Spurious system operation caused by exposure of equipment to temperatures above those for which it was designed. |
| | | b) Loss of forced air flow to individual cabinets | b) Loss or degradation of function specific to the affected cabinet caused by overtemperature effects. |
| RPS: CEDM Control System | Physical Support & Protection: Cabinet 10014 | Mechanical failure or damage | Loss or degradation of system function due to occurrence of shorts, grounds, open circuits or physical destruction of components. Negligible effect because cabinets are designed to withstand seismic and other mechanical shock input that can be expected to occur in the cable spreading room. |
| RPS: same as above | Cabinet 10038 | Same as above | Same as above |
| RPS: same as above | Cabinet 1Q029 | Same as above | Same as above |
| RPS: same as above | Cabinet 1002C | Same as above | Same as above |
| RPS: Coil Power Programmer | Control Element Drive Sys (CEDS): Input Signal | a) No "raise" input signal present | a) CEA will not withdraw, remains stationary. |
| | | b) No "lower" input signal present | b) CEA will not insert, remains stationary. |
| | | c) Presence of spurious "raise" or "lower" signal | c) No effect; must be coincident with a CPP enable signal to move CEA. |
| RPS: Coil Power Programmer | CEDS: CPP Enable Signal | a) No CPP enable signal present | a) CEA will remain stationary in "holding" mode. |
| | | b) Presence of spurious CPP enable signal | b) No effect; must be coincident with "raise" or "lower" signal to move CEA. |
| RPS: Coil Power Programmer | 120 V AC Instrument Power, A: 120 V AC Instr. Bus 12 [remainder of identifier illegible] | a) Loss of voltage | a) Control pulses for motion of group A CEAs will not be generated upon demand. CEA will remain stationary. |
| RPS: Coil Power Programmer | 120 V AC Instrument Power, B: 120 V AC Instr. Bus 12 [remainder of identifier illegible] | a) Loss of voltage | a) Control pulses for motion of group B CEAs will not be generated upon demand. CEA will remain stationary. |
| RPS: Manual Trip & Trip C.B. | 240 V, 3φ, 60 Hz AC CEDM Power: MG Set 1 | a) Complete loss of voltage | a) No effect; CEDM's will assume tripped condition on loss of power. |
| | | b) Undervoltage | b) Could cause erratic pattern of dropped CEAs. |
| | | c) Underfrequency | c) Could damage CEDM lift, gripper & pull down coils due to higher than normal coil currents, giving erratic CEA drops. |
| RPS: Manual Trip & Trip C.B. | Same as above: MG Set 2 | Same as above | Same as above |
| RPS: System | Physical Support & Protection (Cabinets), ch A: Cabinet 1C15A | Mechanical failure | Loss or degradation of system function due to shorts, grounds, open circuits or physical destruction of components. Negligible effect because cabinet is designed to withstand seismic shocks and other mechanical shock input that can be expected to occur in the main control room. |
| RPS: same as above | ch B: Cabinet 1C15B | Same as above | Same as above |
| RPS: same as above | ch C: Cabinet 1C15C | Same as above | Same as above |
| RPS: same as above | ch D: Cabinet 1C15D | Same as above | Same as above |
| RPS: Manual Trip & Trip C.B. | 125 V DC Vital Power, A: Vital DC Bus 11 | a) Loss of voltage | a) De-energizes UV relays, resulting in trip of C.B.'s. b) Voltage not available to energize shunt trip coils; CBs won't trip from shunt trip coils. |
| | | b) Ground | c) No effect; circuit not grounded. |
| RPS: same as above | B: Vital DC Bus 12 | a) Loss of voltage | a), b) Same as above. |
| | | b) Ground | c) No effect; ckt not grounded. |
| RPS: same as above | C: Vital DC Bus 21 | a) Loss of voltage | a), b) Same as above. |
| | | b) Ground | c) No effect; ckt not grounded. |
| RPS: same as above | D: Vital DC Bus 22 | a) Loss of voltage | a), b) Same as above. |
| | | b) Ground | c) No effect; ckt not grounded. |
| RPS: Matrix Trip Relays | Matrix Relay Test Circuit: Matrix relay test coil | Inadvertent energization of relay test coil | Matrix relay will not de-energize to the trip state. Test state of relay test coil is "Hold" mode. |
| RPS: Trip Path & Trip C.B. Control Relays | 120 VAC Vital, A: Vital Bus 11 | a) Loss of voltage [entry partly illegible in source] | a) De-energizes relay 81, which initiates opening of reactor trip breakers. |
| | | b) Ground | b) No effect; ckt not grounded. |
| RPS: same as above | B: Vital Bus 12 | Same as above | Same as above |
| RPS: same as above | C: Vital Bus 13 | Same as above | Same as above |
| RPS: same as above | D: Vital Bus 14 | Same as above | Same as above |
| RPS: Matrix Logic A-B | 110 VAC Vital Power, A: Vital Bus 11 (1C15A); B: Vital Bus 12 (1C15B) | Loss of voltage | Results in loss of 28 VDC power to logic ladder, which gives tripped condition. |
| RPS: Matrix Logic A-C | A: Vital Bus 11 (1C15A); C: Vital Bus 13 (1C15C) | Same as above | Same as above |
| RPS: Matrix Logic A-D | A: Vital Bus 11 (1C15A); D: Vital Bus 14 (1C15D) | Same as above | Same as above |
| RPS: Matrix Logic B-C | B: Vital Bus 12 (1C15B); C: Vital Bus 13 (1C15C) | Same as above | Same as above |
| RPS: Matrix Logic B-D | B: Vital Bus 12 (1C15B); D: Vital Bus | Same as above | Same as above |
| RPS: Matrix Logic C-D | C: Vital Bus 13 (1C15C); D: Vital Bus 14 (1C15D) | Same as above | Same as above |
| RPS, ch A, B, C, D: Auxiliary Trip Unit, Loss of Load | ch A, B, C, D: Input signal | a) Failure of contacts to close | Aux. trip unit fails to trip. |
| RPS, ch A, B, C, D: Auxiliary Trip Unit, Axial Power Distr. | ch A, B, C, D: Input signal | a) Failure of comparator contacts to close | Aux. trip unit fails to trip. |
| RPS, ch A, B, C, D: Auxiliary Trip Unit | 110 VAC Vital Power, ch A: Bus 11 (1C15A); B: Bus 12 (1C15B); C: Bus 13 (1C15C); D: Bus 14 (1C15D) | a) Overvoltage; b) Undervoltage | ±15 VDC P.S. fails; trip unit assumes tripped state. |
| | | c) Loss of voltage | Results in loss of ±15 VDC power with trip unit assuming the tripped state. |
| RPS, ch A, B, C, D: Bistable Trip Unit, TM/LP | ch A, B, C, D: Variable setpoint input | a) Setpoint fails low | Bistable fails to trip. |
| RPS, ch A, B, C, D: Bistable Trip Unit | 120 VAC Vital Power, ch A: Bus 11 (1C15A); B: Bus 12 (1C15B); C: Bus 13 (1C15C); D: Bus 14 (1C15D) | a) Overvoltage; b) Undervoltage | ±15 VDC P.S. fails; trip unit assumes tripped state on loss of ±15 VDC. |
| | | c) Total loss of voltage | Results in loss of ±15 VDC power and trip unit assumes tripped state. |
| RPS, ch A, B, C, D: Bistable Trip Unit, High Pzr Pressure | ch A, B, C, D: Input signal | a) No input signal | Bistable fails to trip. |
| | | b) Channel equipment saturates at level below trip setpoint | Bistable fails to trip. |
| RPS, ch A, B, C, D: Bistable Trip Unit, TM/LP | ch A, B, C, D: Input signal | a) Pressure signal fails high | Bistable does not trip. |
| | | b) Pressure signal hangs up above min. or computed setpoint | Bistable does not trip. |
| | | c) Failure to remove 15% bypass power | Bistable does not trip. |
| RPS, ch A, B, C, D: Bistable Trip Unit, High Containment Pressure | ch A, B, C, D: Input signal | a) No input signal | Bistable fails to trip. |
| | | b) Channel equipment saturates at a level below trip setpoint | Bistable fails to trip. |
| RPS, ch A, B, C, D: Bistable Trip Unit, High Power Level | ch A, B, C, D: Variable setpoint input | a) OTR fails to follow power signal decreases | Trip margin increases. Trip is delayed. |
| | | b) Setpoint fails high | Bistable fails to trip. |
| RPS, ch A, B, C, D: Bistable Trip Unit, Hi Power Level Chan. | ch A, B, C, D: Input signal | a) No input signal | Bistable fails to trip. |
| | | b) Channel saturates below trip setpoint | Bistable fails to trip. |
| RPS, ch A, B, C, D: Bistable Trip Unit, Hi Rate-of-change of power | ch A, B, C, D: Input signal | a) No input signal | Bistable fails to trip. |
| | | b) Channel saturates below trip setpoint (10^-4 % bypass) | Bistable fails to trip. |
| RPS, ch A, B, C, D: Bistable Trip Unit, Low RC Flow | ch A, B, C, D: Input signal | a) Fails high | Bistable fails to trip. |
| | | b) Signal hangs up above setpoint | Bistable fails to trip. |
| RPS, ch A, B, C, D: Bistable Trip Unit, Low S.G. Water Level | ch A, B, C, D: Input signal | a) Both input signals fail high | Bistable fails to trip. |
| | | b) Input signals hang up above setpoint | Bistable fails to trip. |
| RPS, ch A, B, C, D: Bistable Trip Unit, Low S.G. Pressure | ch A, B, C, D: Input signal | a) Both input signals fail high | Bistable fails to trip. |
| | | b) Input signals hang up above setpoint | Bistable fails to trip. |
| | | c) Failure to remove Cold Start Inhibit | Bistable fails to trip. |

* Assuming no recovery.

[Figure B.7-1: Reactor Protective System Basic Block Diagram. Blocks, top to bottom: NSSS; RPS measurement channels monitoring NSSS; trip units; 2/4 coincidence logic (with RPS testing system); trip paths; power supplies; CEA's.]

[Figure B.7-2: Reactor Protective System Block Diagram. Blocks: NSSS; RPS measurement channels A, B, C and D; trip units, channels A, B, C and D; RPS 2/4 coincidence logic (with testing system); 480 V 3φ Bus 1 and Bus 2, each with an MG set; trip paths #1 to #4; CEDM power supplies; CEA's.]


0. o .

[Figure B.7-4 (sheet 1 of 4) Reactor Protection System (RPS) Simplified Fault Tree. Top event: REACTOR FAILS TO SCRAM (< 41 CEAs ENTER CORE). Inputs: > 29/57 CEDM HOLD LATCHES FAIL TO RELEASE; > 29 CEDM HOLD COILS FAIL TO DE-ENERGIZE; MECHANICAL DISRUPTION OF CORE PREVENTS INSERTION.]

[Figure B.7-4 (sheet 2 of 4) Reactor Protection System (RPS) Simplified Fault Tree. Event: > 29/57 CEDM HOLD COILS REMAIN ENERGIZED. Inputs: POWER SUPPLY BUS TO CEDM GROUP 1 FAILS TO DEENERGIZE; POWER SUPPLY BUS TO CEDM GROUP 2 FAILS TO DEENERGIZE. Inputs to each bus event: TRIP CIRCUIT BREAKERS FEEDING CEDM BUS FAIL; CABLE FAULT PLACES EMF ON GROUP 1 (GROUP 2) CEDM POWER BUS.]

[Figure B.7-4 (sheet 3 of 4) Reactor Protection System (RPS) Simplified Fault Tree. Event: TRIP CIRCUIT BREAKERS FEEDING CEDM GR. 1 BUS FAIL TO OPEN, SG = (TP1*TP2) + (TP3*TP4). Basic events (electric power circuit breakers): TP1 = RPSTCB1, TP2 = RPSTCB2, TP3 = RPSTCB7, TP4 = RPSTCB8.]

[Figure B.7-4 (sheet 4 of 4) Reactor Protection System (RPS) Simplified Fault Tree. Event: TRIP CIRCUIT BREAKERS FEEDING CEDM GR. 2 BUS FAIL TO OPEN, SG = (TP1*TP2) + (TP3*TP4). Basic events (electric power circuit breakers): TP1 = RPSTCB3, TP2 = RPSTCB4, TP3 = RPSTCB5, TP4 = RPSTCB6.]

Appendix B.8 Power Conversion and Secondary Steam Relief Systems

B.8 POWER CONVERSION AND SECONDARY STEAM RELIEF SYSTEMS DESCRIPTIONS

B.8.1 Purpose

The Power Conversion and Secondary Steam Relief Systems (PCS and SSRS) at CC-1 consist of the Main Feedwater and Condensate System (MFWCS), the Steam Generators (PCS), and the Main Steam System (MSS) (Secondary Steam Relief System (SSRS)).

The MFWCS is designed to transfer feedwater (condensate) from the condenser hotwell to the steam generators, while at the same time raising the temperature and pressure and controlling the chemical composition of the feedwater (condensate). This system also controls the quantity of feedwater delivered to the steam generators.

At CC-1, two steam generators are used in parallel to transfer the heat generated in the RCS to the MSS.

The MSS transfers steam from the steam generators to the turbine throttle stop valves, the reheaters, and the turbine-driven pumps. It also controls the pressure on the secondary side of the steam generator by means of the turbine bypass valves, atmospheric dump valves, or steam generator safety valves (high pressure) and main steam isolation valves (MSIVs) (low pressure).

B.8.2 Description

B.8.2.1 Overall Configuration

Figure B.8-1 (Sheets 1 and 2) shows a diagram of the MFWCS. Figure B.8-2 shows a diagram of the CC-1 steam generator. Figure B.8-3 is a diagram of the SSRS.

The MFWCS operates as follows. Condensate from the condenser hotwells is pumped by three (above 85% power) motor-driven condensate pumps (11, 12, and 13) through the steam packing exhauster, the precoat filter system, the condensate demineralizers, the lowest feedwater heating stage drain coolers (11A, 11B, and 11C), and the two lowest pressure feedwater heating stages (11A, 12A; 11B, 12B; 11C, 12C - three heaters per stage) to the suction of the three condensate booster pumps (11, 12, and 13 - two operating, one on standby). These condensate booster pumps deliver the condensate to the two turbine-driven steam generator MFW pumps (11 and 12) through two parallel sets of three feedwater heaters (13A, 14A, 15A, 13B, 14B, 15B). The two steam generator MFW pumps pump the feedwater through the highest stage feedwater heaters (16A and 16B), which consist of two parallel shells, into the two steam generators. A three element feedwater control system is provided to maintain the water level in the steam generators by controlling the amount of feedwater admitted to the steam generators. Table B.8.1 shows some of the characteristics of the MFW pumps, the condensate pumps, and the condensate booster pumps.

The steam which is generated in each of the steam generators is then piped via the MSS through the containment wall in separate 34-inch O.D. lines. The lines of the MSS have been designed to accommodate relative movement of the steam generators due to thermal expansion. One MSIV assembly (CV-4043 or -4048) is provided on each main steam line header. It consists of a hydraulically-operated, Y-pattern globe valve, which is capable of shutting against pressure from either side. Closure of this valve within a maximum of six seconds after a trip signal is generated prevents rapid flashing and blowdown of water stored in the shell side of the steam generator, thus avoiding a rapid, uncontrolled cooldown of the RCS. In addition, the isolation valves prevent the release of the contents of the secondary sides of both steam generators to the containment in the event of the rupture of one main steam line inside the containment structure. During normal operation, these valves remain open. Upon low steam generator pressure, a steam generator isolation signal (SGIS) energizes the closing mechanism of the valves to stop the steam flow.

Each steam line has eight spring-loaded safety valves which discharge to the atmosphere (RV-3992 through -3999, and RV-4000 through -4007). These safety valves have a steam relieving capacity greater than the total nuclear steam supply system (NSSS) thermal output. In addition, there is an atmospheric steam dump and turbine bypass system which relieves at a pressure lower than the setting of the safety valves.

The turbine bypass system consists of four turbine bypass valves (CV-3940, -3942, -3944, and -3946), which exhaust to the main condenser in a sequential manner. The steam dump and turbine bypass system is designed to provide a means of dissipating excess NSSS stored energy and sensible heat following a turbine trip without lifting the steam generator safety valves (RV-3992,...,-4007). Steam is discharged from the main steam lines to the atmosphere via the atmospheric steam dump valves (CV-3938 and -3939) and to the condenser via the turbine bypass valves (CV-3940, -3942, -3944, and -3946). The steam dump and bypass valves are sized to prevent opening of the steam generator safety valves following a turbine trip at full load. The steam flow is regulated by the steam dump and turbine bypass valves in response to Tave and secondary pressure signals. Inputs to the system are Tave, turbine trip signal, and main steam line pressure.

B.8.2.2 System Interfaces

The systems which comprise the PCS and SSRS interact with several support systems. Table B.8.2 contains an interaction failure modes and effects analysis (FMEA) for the PCS and SSRS.

B.8.2.3 Instrumentation and Control

The feedwater regulating system maintains steam generator downcomer water level within acceptable limits by positioning the feedwater regulating valves (CV-1111 and -1121), which control the feedwater to each steam generator. Steam flow, feedwater flow, and downcomer level are used in a three-element controller on each steam generator to maintain the desired level during steady state and transient operation above 15 percent of full power. Manual control of feedwater flow may be selected by the operator at any time. In the event of a reactor or turbine trip, feedwater flow is automatically ramped down to 5 percent of full load feedwater flow. This is approximately the flow required for decay heat removal through the turbine bypass valves (CV-3940, -3942, -3944, -3946) at normal reactor coolant operating temperatures. This will allow the operator sufficient time to take either manual or automatic control of the level.

Below 15 percent power, a separate single element feedwater control may be selected by the operator to automatically control steam generator water level. The single element controller senses downcomer water level and controls the position of the feedwater bypass valves (CV-1105, -1106). The two steam generators are operated in parallel. When the control is operating in the automatic mode, each steam generator has a three element controller using feedwater flow, steam flow, and downcomer level as inputs for water level control above 15 percent power. The output of each controller provides a signal to position the respective feedwater regulating valve control (CV-1111 or -1121).

The speed of the MFW pump turbines is controlled to maintain a fixed differential pressure across each of the two MFW regulating valves which regulate the flow of feedwater to the two steam generators. The differential pressure across each of the valves is transmitted to the hand/automatic controllers on the main control board, which in turn control the steam admission valve to each of the MFW pump turbines to determine speed. Manual speed control of each of the MFW pump turbines can be accomplished from the control room. Two overrides are provided:

1. Upon turbine trip, the MFW regulating valves (CV-1111 and -1121) are automatically closed and the feedwater bypass valves (CV-1105 and -1106) are automatically opened to provide 5 percent of full flow;

2. When an abnormally high steam generator level is sensed by an independent downcomer level sensor, a signal is sent to close the associated feedwater regulating valve (CV-1111 or CV-1121) and a control room alarm is annunciated.

The manual mode of control for the feedwater regulating system may be selected at any power level. When in manual control, the operator in the control room can:

1. Position each feedwater regulating control valve (CV-1111 and -1121);
2. Open or close each feedwater stop valve (MOV-4516 and -4517);
3. Position each feedwater bypass regulating valve (CV-1105 and -1106);
4. Control the speed of the MFW pumps (11 and 12).

Full flow may be sent to the condensate precoat filter system by shutting CV-5818 using the handswitch located on the condensate and feedwater control panel. As the condensate filters get dirty, the system pressure differential will build up, which is sensed by a Δp transducer. As the system Δp rises above 30 psid, a controller will cause CV-5818 to begin throttling open. At 40 psid, CV-5818 will be fully open, and an alarm annunciated on the condensate and feedwater control panel will indicate a high condensate precoat filter system Δp. In addition to the system Δp, the air supply to CV-5818 is also monitored. If the air pressure should decrease to less than 80 psig, a solenoid valve will close, causing CV-5818 to fail as is.

Full flow may be sent to the condensate demineralizer system by shutting MOV-4439, using its handswitch on the condensate and feedwater control panel. MOV-4439 may also be manually throttled to send a desired portion of flow through the demineralizers. If the Δp monitor senses a high condensate demineralizer system Δp of 50 psid, MOV-4439 will open fully.

Six level transmitters are tapped into each steam generator using only eight taps (four high-side and four low-side). One of these is used for level indication and control of the feedwater regulating system. Four are used to give a low steam generator level reactor trip and a high steam generator level turbine trip. The sixth level instrument, which is used for high/low steam generator level alarms, shuts the MFW regulating valve (CV-1111 or -1121) and opens the feedwater regulating bypass valve (CV-1105 or -1106). This level transmitter can be electrically cross-connected to the steam generator level control system.

Four pressure transmitters come off four of the level transmitter lines. All four are used for steam generator level indication and a low steam generator pressure reactor trip at 500 psia with decreasing pressure. Also, the MSIVs (CV-4043 and -4048) and the MFW isolation valves (MOV-4516 and -4517) will automatically shut. This trip may be bypassed below 550 psia during shutdown; the bypass automatically is removed above 550 psia. Four taps are located on the primary outlet side of the steam generator for RCS flow measurement.

The steam dump and turbine bypass system consists of:

1. One steam dump controller
2. One steam dump quick opening override bistable
3. Two atmospheric steam dump valves (CV-3938 and -3939)
4. One turbine bypass pressure controller
5. One signal auctioneering unit
6. Four turbine bypass valves (CV-3940, -3942, -3944, and -3946).

Inputs to the system are:

1. Tave (from reactor regulating system)
2. Main steam line pressure
3. Turbine trip (contacts in steam dump permissive relay)
4. Loss-of-condenser vacuum (contacts).

The steam dump controller generates a suppressed range signal proportional to the quantity (Tave - 532°F). Upon receipt of a turbine trip signal via the steam dump permissive relay, this signal is supplied to open the atmospheric steam dump valves, and is an input to the turbine bypass auctioneering unit to simultaneously open the turbine bypass valves (CV-3940, -3942, -3944, and -3946). The position of the atmospheric steam dump and turbine bypass valves is proportional to the signals supplied to them, thus providing a controlled relieving of excess pressure.

Should reactor power be in excess of a predetermined power level prior to a trip, the steam dump quick opening override bistable will cause quick opening of the steam dump and turbine bypass valves. The atmospheric steam dump valves (CV-3938 and -3939) will close proportionately as Tave reduces, and will close completely at 535°F. They will remain closed unless Tave increases again to more than 540°F.

The turbine bypass valves receive the higher of the steam dump controller or steam bypass pressure controller signals through an auctioneering unit. The steam bypass pressure controller generates a suppressed range signal proportional to secondary system pressure over the range 895 to 905 psia. Loss-of-condenser vacuum will prevent opening of the turbine bypass valves. By manually changing the setpoint on the steam bypass pressure controller, or by manual operation of the steam dump controller, the operator may control reactor coolant temperature during plant cooldown by use of the bypass valves or the dump valves.
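The valve demand logic described in B.8.2.3, as an added Python sketch that is not part of the report: it models the turbine trip permissive, the 535°F/540°F hold-closed band on the atmospheric dump valves, the auctioneering of the two controller signals and the condenser vacuum inhibit. The 20°F span taken as full dump demand and the sample transient are assumptions; the quick opening override is left out because the report gives neither its power setpoint nor its reset condition.

```python
from dataclasses import dataclass

# Values stated in section B.8.2.3
T_REF_F = 532.0                           # dump signal is proportional to (Tave - 532 F)
ADV_CLOSE_F = 535.0                       # dump valves fully closed at this Tave
ADV_REOPEN_F = 540.0                      # ...and held closed until Tave exceeds this
P_LOW_PSIA, P_HIGH_PSIA = 895.0, 905.0    # bypass pressure controller range

# ASSUMPTION (not in the report): Tave rise above 532 F that gives 100 % demand
T_SPAN_F = 20.0


def clamp01(x):
    """Limit a controller output to the 0..1 (closed..open) range."""
    return max(0.0, min(1.0, x))


@dataclass
class SteamDumpBypass:
    turbine_tripped: bool = False     # steam dump permissive relay state
    adv_held_closed: bool = True      # memory for the 535/540 F band

    def dump_signal(self, tave_f):
        """Steam dump controller: suppressed-range signal on Tave."""
        return clamp01((tave_f - T_REF_F) / T_SPAN_F)

    def pressure_signal(self, p_psia):
        """Steam bypass pressure controller: 895..905 psia maps to 0..1."""
        return clamp01((p_psia - P_LOW_PSIA) / (P_HIGH_PSIA - P_LOW_PSIA))

    def step(self, tave_f, p_psia, vacuum_ok=True):
        """Return (dump valve demand, bypass valve demand) for one sample."""
        # The dump controller signal is passed on only after a turbine trip.
        dump = self.dump_signal(tave_f) if self.turbine_tripped else 0.0

        # Hold-closed band: closed at 535 F, released only above 540 F.
        if tave_f <= ADV_CLOSE_F:
            self.adv_held_closed = True
        elif tave_f > ADV_REOPEN_F:
            self.adv_held_closed = False
        adv = 0.0 if self.adv_held_closed else dump

        # Auctioneering unit: bypass valves follow the higher signal,
        # unless condenser vacuum is lost, which blocks them entirely.
        tbv = max(dump, self.pressure_signal(p_psia)) if vacuum_ok else 0.0
        return adv, tbv


# Constructed transient: (Tave in F, steam pressure in psia, condenser vacuum available)
CONSTRUCTED_TRANSIENT = [
    (572.0, 900.0, True),    # at power, turbine not yet tripped
    (552.0, 900.0, True),    # turbine trip occurs on this sample
    (537.0, 890.0, True),    # cooling down, dump valves closing proportionally
    (535.0, 890.0, True),    # dump valves fully closed
    (538.0, 890.0, True),    # Tave recovers, still below 540 F: held closed
    (541.0, 897.0, True),    # above 540 F: dump valves released again
    (541.0, 897.0, False),   # same point with condenser vacuum lost
]


def run_transient(samples, trip_at=1):
    """Step the logic through samples; the turbine trips at index trip_at."""
    ctl = SteamDumpBypass()
    results = []
    for i, (tave_f, p_psia, vacuum_ok) in enumerate(samples):
        if i == trip_at:
            ctl.turbine_tripped = True
        results.append(ctl.step(tave_f, p_psia, vacuum_ok))
    return results


if __name__ == "__main__":
    for sample, (adv, tbv) in zip(CONSTRUCTED_TRANSIENT, run_transient(CONSTRUCTED_TRANSIENT)):
        print(sample, f"dump={adv:.2f} bypass={tbv:.2f}")
```

With vacuum lost, the last sample leaves only the atmospheric dump valves carrying the demand, which is the dependency the success criteria in B.8.4.1 rely on.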

B.8.2.4 Operator Actions

Following an unscheduled reactor trip, the operator is required to perform a number of immediate actions regarding the PCS and SSRS. These consist of verifying that:

1. The turbine is tripped. If necessary, the operator is required to trip the turbine manually.
2. The turbine bypass valves (CV-3940, -3942, -3944, and -3946) and/or the atmospheric dump valves (CV-3938 and -3939) are controlling secondary system steam pressure at 900 psia.
3. The MFW regulating valves (CV-1111 and -1121) are shut and the feedwater regulating bypass valves (CV-1105 and -1106) are open to the 5 percent flow position.

Subsequent to the immediate actions, the operator is required to perform specified supplementary actions. Certain of these actions pertain to the PCS and SSRS as follows:

1. If both of the MFW pumps are running, the operator is required to trip one pump and operate the other pump to maintain a discharge pressure that is consistent with feedwater flow demand.
2. If MFW flow decreases below 5 percent full flow and, concurrently, the steam generator water level drops below -26", the operator is required to use the Auxiliary Feedwater System (AFWS) to feed the steam generators until the water level increases above -26".
3. If steam pressure cannot be maintained above 800 psia, the operator is required to shut both MSIVs (CV-4043 and -4048) to avoid excessive cooldown and depressurization of the RCS.
4. The operator is required to reset the MFW regulating valves (CV-1111 and -1121).
5. If the MFW pumps are available, the operator is required to maintain steam generator water level with the feedwater regulating bypass valves (CV-1105 and -1106). If the main feedwater pumps are not available, the operator is required to use the AFWS to maintain the steam generator level.
6. If the condenser vacuum has been lost, the operator is required to make every effort to regain it so that reactor plant temperature control can be accomplished by the turbine bypass valves (CV-3940, -3942, -3944, and -3946) instead of the atmospheric dump valves (CV-3938 and -3939).

B.8.2.5 Surveillance

The MFW flow transmitters and loop instrumentation are calibrated at least once every 18 months according to Surveillance Test Procedure (STP) No. M-535. In the event that the plant is operating during this test, the feedwater regulating system is placed in the manual mode.

Operability of the steam generator feedwater inlet check valves (FW-130 and -133) is verified according to STP No. 0-67 at each cold shutdown, but not more often than once every nine months. Performance of this test requires shutting the MFW regulating valves (CV-1111 and -1121), the MFW regulating bypass valves (CV-1105 and -1106), and the main feedwater isolation valves (MOV-4516 and -4517). However, without restoration of these valves to their normal operating position, ascension from cold shutdown to 100 percent power operation would not be possible.

The Steam Generator Isolation System (SGIS) Logic Test is performed according to STP No. 0-69 every 18 months. This test verifies that the SGIS portion of ESFAS will close the MFW isolation valves (MOV-4516 and -4517) and the MSIVs (CV-4043 and -4048). The test procedure requires that the operator restore those valves to their normal operating position upon completion of the test. Again, the plant could not operate at 100 percent power if this restoration were not carried out correctly.

In addition to the preceding test, the closure time for the MFW isolation valves (MOV-4516 and -4517) is verified to be within acceptable limits on a quarterly basis during cold shutdown according to STP No. 0-66. The test procedure requires that the valves be restored to their normal operating position upon completion of the test. The same comment made above regarding restoration also applies here.

Two other surveillance tests are performed on the MSIVs (CV-4043 and -4048). The MSIV Partial Stroke Test, which is performed monthly according to STP No. 0-47, verifies that the MSIVs will respond to a closure signal. The MSIV Full Stroke Test, which is performed every 18 months according to STP No. 0-1, verifies that the MSIV closure time is within acceptable limits. If the MSIVs were not restored to their normal operating state following these tests, the plant could not operate at 100 percent power.

B.8.2.6 Maintenance

The only periodic maintenance performed on the PCS and SSRS is that performed on the main steam safety valves according to STP No. M-3. This maintenance is performed every 18 months during shutdown.

B.8.2.7 Technical Specification Limitations

The CC-1 Technical Specifications contain a number of limiting conditions for operation and corresponding surveillance requirements which address the PCS and SSRS.

Technical Specification 3/4.3.3.6 requires that a minimum of two feedwater flow instrumentation channels be operable in Operating Modes 1, 2, and 3 for the purpose of post-accident monitoring. If less than two channels are operable, the inoperable channel(s) must be restored to operable status within 30 days or else the plant must be taken to hot shutdown within the following 12 hours. Each channel of feedwater flow instrumentation must be demonstrated to be operable by means of a channel check on a monthly basis and a channel calibration every 18 months.

Technical Specification 3/4.4.5 requires that each steam generator be operable while the plant is in Operating Modes 1, 2, 3, and 4. This operability must be demonstrated by performance of an augmented inservice inspection program and the surveillance requirements of Technical Specification 4.0.5. If one or more steam generators should be inoperable, the inoperable generator(s) must be restored to operable status before the plant Tave can be increased above 200°F.

Technical Specification 3/4.7.1.1 requires that all main steam line code safety valves (RV-3992, ... RV-4007) be operable when the plant is operating in Modes 1, 2, and 3. The corresponding action for this limiting condition is as follows.

With both reactor coolant loops and associated steam generators in operation and with one or more main steam line code safety valves inoperable, operation in Modes 1, 2, and 3 may proceed provided that, within 4 hours, either the inoperable valve is restored to OPERABLE status or the Power Level High trip setpoint is reduced per Table B.8.3; otherwise, be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

With one reactor coolant loop and associated steam generator in operation, and with one or more main steam line code safety valves associated with the operating steam generator inoperable, operation in Modes 1, 2, and 3 may proceed provided:

1. That at least two main steam line code safety valves on the nonoperating steam generator are OPERABLE;

2. That within 4 hours, either the inoperable valve is restored to OPERABLE status or the Power Level High trip setpoint is reduced per Table B.8.4; otherwise, be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

Technical Specification 3/4.7.1.5 requires that each main steam line isolation valve (CV-4043 and -4048) be operable when the plant is operating in Modes 1, 2, and 3. The corresponding action is as follows:

MODE 1 - With one MSIV inoperable, POWER OPERATION may continue provided the inoperable valve is either restored to OPERABLE status or closed within 4 hours; otherwise, be in HOT SHUTDOWN within the next 12 hours.

MODES 2 & 3 - With one MSIV inoperable, subsequent operation in Modes 1, 2, or 3 may proceed provided:

a. The MSIV is maintained closed;

b. The provisions of Specification 3.0.4 are not applicable.

Otherwise, be in HOT SHUTDOWN within the next 12 hours.

B.8.3 Operation

This section describes the operation of the PCS and SSRS after a reactor trip at 100 percent power. The following actions occur automatically after a reactor trip:

1. The turbine will trip due to an under-voltage condition on the reactor trip bus unless the conditions causing the reactor trip (such as a high steam generator water level) had previously generated a turbine trip.
2. Upon turbine trip, the MFW regulating valves (CV-1111 and -1121) close and the feedwater bypass valves (CV-1105 and -1106) open to allow 5 percent of MFW flow.
3. The steam dump quick opening override bistable causes the atmospheric steam dump valves (CV-3938 and -3939) and the turbine bypass valves (CV-3940, -3942, -3944, and -3946) to open quickly to provide steam relief to the condenser and/or to the atmosphere.

B.8.4 Fault Tree Description

B.8.4.1 Success/Failure Criteria

The PCS operates successfully to provide 5 percent full MFW flow to the steam generators if one train of the MFWCS remains in operation during the transient. One train is defined as one MFW pump, one condensate booster pump, one condensate pump, and the associated valves and piping. One out of two steam generators functioning successfully is sufficient to remove the decay heat level of 5 percent full power from the RCS. The SSRS can remove 5 percent full power main steam flow successfully in several ways:

1. One out of four turbine bypass valves must open to relieve steam to the condenser, or
2. Two out of two atmospheric dump valves must open to relieve steam to the atmosphere, or
3. One out of 16 steam generator safety valves must open to relieve steam to the atmosphere.
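The SSRS success criteria above, turned into failure logic: an added Python example (not the report's fault tree, nor the Boolean equation of Appendix C) that builds k-of-n failure gates for the three relief paths, derives their minimal cut sets, and does the same for the breaker gate SG = (TP1*TP2) + (TP3*TP4) of Figure B.7-4. The event name CONDENSER-VACUUM-LOST, the independence of basic events and the 0.1 demand failure probability are assumptions made for illustration.

```python
import math
from itertools import combinations, product

# A basic event is a string naming one component failure (valve fails to
# open, breaker fails to open); a gate is a tuple (operator, children).


def AND(*kids):
    return ("and", kids)


def OR(*kids):
    return ("or", kids)


def fails_k_of_n(k_required, events):
    """Failure gate for a 'k of n must work' success criterion: the
    function is lost once n - k + 1 of the n components have failed."""
    m = len(events) - k_required + 1
    return OR(*(AND(*subset) for subset in combinations(events, m)))


def minimise(sets):
    """Drop every cut set that strictly contains another cut set."""
    return {s for s in sets if not any(other < s for other in sets)}


def minimal_cut_sets(node):
    """Bottom-up expansion of the tree into minimal cut sets."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, kids = node
    parts = [minimal_cut_sets(kid) for kid in kids]
    if op == "or":
        return minimise(set().union(*parts))
    # AND gate: one cut set from every child, merged.
    return minimise({frozenset().union(*combo) for combo in product(*parts)})


def top_probability(cut_sets, p):
    """Exact top event probability for independent basic events, by
    inclusion-exclusion over the minimal cut sets."""
    cut_sets = list(cut_sets)
    total = 0.0
    for r in range(1, len(cut_sets) + 1):
        for combo in combinations(cut_sets, r):
            joint = frozenset().union(*combo)
            total += (-1) ** (r + 1) * math.prod(p[e] for e in joint)
    return total


# Valve tags from section B.8.2.1
TBV = ["CV-3940", "CV-3942", "CV-3944", "CV-3946"]   # turbine bypass valves
ADV = ["CV-3938", "CV-3939"]                          # atmospheric dump valves
SRV = [f"RV-{n}" for n in range(3992, 4008)]          # 16 SG safety valves
VACUUM = "CONDENSER-VACUUM-LOST"                      # assumed event name


def ssrs_failure_tree():
    """SSRS fails only if all three relief paths of B.8.4.1 fail. Loss of
    condenser vacuum blocks the bypass valves (B.8.2.3), so it defeats the
    condenser path on its own."""
    condenser_path = OR(VACUUM, fails_k_of_n(1, TBV))
    return AND(condenser_path, fails_k_of_n(2, ADV), fails_k_of_n(1, SRV))


def breaker_group_tree():
    """Figure B.7-4, sheets 3 and 4: SG = (TP1*TP2) + (TP3*TP4)."""
    return OR(AND("TP1", "TP2"), AND("TP3", "TP4"))


if __name__ == "__main__":
    P_DEMO = 0.1   # constructed demand failure probability, not plant data
    for name, tree in (("breaker group", breaker_group_tree()),
                       ("SSRS", ssrs_failure_tree())):
        mcs = minimal_cut_sets(tree)
        events = set().union(*mcs)
        prob = top_probability(mcs, {e: P_DEMO for e in events})
        sizes = sorted(len(s) for s in mcs)
        print(f"{name}: {len(mcs)} minimal cut sets, sizes {sizes}, P = {prob:.4g}")
```

Every SSRS cut set contains all 16 safety valves, so any common-cause treatment of those valves dominates the result far more than the independent probabilities used here.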

B.8.4.2 Major Assumptions

Detailed fault trees were not developed for the PCS. Instead, only systems which interface with the PCS and also interface with other plant systems were considered. All other faults were grouped together as a single undeveloped event termed "local faults." Actuarial data from plant specific operating experience at CC-1 was used to calculate the local fault probability for loss of the PCS. A Boolean equation was written directly from knowledge of these support system dependencies and is given in Appendix C, Section C.2.4.3.2.

Table B.8.1 PCS Pump Characteristics

PUMP | MANUFACTURER | TYPE | CAPACITY (EACH) | HEAD RATING
Main Feedwater Pumps | Byron Jackson | Double suction, double volute, single stage, vertically split, horizontal centrifugal | 15,000 GPM | 2.392 ft.
Driver for Main Feedwater Pumps | General Electric | DRV-431, condensing, non-extracting, dual inlet, horizontal steam turbine | 9140 H.P. @ 5350 RPM |
Condensate Booster Pumps | Allis-Chalmers | Double suction, double volute, horizontal centrifugal | 8540 GPM | 750 ft.
Condensate Pumps | Byron Jackson | Vertical centrifugal | 8250 GPM | 490 ft.

Table 3.0.2 FCS and asa Support System FNEA FRONT LIIM SYSTBN SUFFS TING SYSTBN FAULT SFFECT ON FRONT Lint FAILDRS le0DB SYSTBN N CONFORENT SYSTEN DIV CON 80NWrf SYSTSN DIV CONFONSNT FUNCTION IIANE IDWTIF. NAME IDMITIF. Power A, Main Feodwater Operator A. IIanuel Valve left in Loss of section flow to SCFF 11 Conver. 3- system (NFWS). B Operation closed poettien (11), Fusy cavitates, with poe= elon Section Line alble burnout & lose of pump. System tool. Valves FW flow continues f ram other (KS) SCFF, RT escurs from lov SG 1evel if at p >=604 (Both SGFFe are reg'd for p > 604)

     \

MS A, NFNS-Suction Environ. A, Turbine Loss of Vent No Rffect*Bquipment specified a Line Isol. Control B Blog. Vent. Air Flow for high temp. operation. Valves System MS A, IrWS-Steen Seal Water A, Water Inlet Loss of flow Seal overheats and f ails-exces-3 Generator Injection 3 to seals elve leakage of FW, Feed Pumpe System (SGFF) KS A, NFWS-Steen Seal Water A, Water Outlet a) Outlet plugged a) Escesolve pressure difference

                       -D      Generator       Injection 3                from seale                     no flow                                                           across seal = excesolve wet in-Feed Pumpe     Systems                                                                                                                     flow of seal water into the pump (93FF)                                                                   b) Outlet piping                                                  b) Loss of bact pressure to seat breat = excesolve water flow regulator. Desults flow                                                              in escessive flow of seal water through break, not lose of cooling to seal.

k KS A, Brus-SGFF SGFF A, Cooling Water al Loss of al Turbine bearings overbeat-3 Turbine B to Lube 011 facu supply burn out- Loss of pump driver. Lube 011 Coolers (Supply b) Blocked return b) Loss of Cooling as in (s). Sys. Cooler Return) line KS A, NFWS-SGFF SCFF Mata A, 400v AC a) Loss of al Comp. lose of oil flow-Auz. B 011 Fump B Pcwor Bus power pump starts to maintain oil flow Ils, NCC b) Under weltage/ and pressure. 1067 Skre under frequency b) Fertial loss of flow & pres

  • 12A (13A) sure-If falls below 170 pe19.

Aus pump starts to restore oil flow and presevre. [ t N B.8-13

l l i l l i Table B.S.2 KS and SSR Support System FMEA (Continued) FROrf L15E SYSTEN SUPPORTIlh3 SYSTEN FAULT EFFICT ON FRONT LINE FAILDR$ NCDS SYSTEN OR COMPOWENT SYSTEM DIY COMPONENT SYSTEM DIY COMPONENT FUNCTION MAME IDENTIF. NAME IDENTIF. MS A, NFWS-SCFP SGFP Tur- A, 440V AC a) Loss of power el Comp. loss of oil flow. If a bine Lube B power - aus Main Pump also inop., emergency oil System 133, McC1167 b) Undervoltage/ DC pump starts to maintain oil Aux 011 Bkre 14A (15A) Under f requency supply to turbine bearings. Loss of SGFP because less of EP control oil, closes steam stop and control valves, b) Fartial loss of oil flow and pressure. If EP f alla below 34 peig, steam stop and control valves will close, shutting down the SCFP. KS A, NFwS-SCFP SCFP Tur- A, 250V DC Loss of voltage Loss of Emerg. 011 Supply to a bine Lube a power - aus Turbine bearings - If Main & Cil System 13, Fuses Aus. pumps inop. failure of DC toerg. 95-1308 turbiae bearings. srg oil (130g) Pop ( MS A, NFWS-SCFP SCFP Tur. A, 480V AC Loss of Power Loss of use of turning gest 3 bine Turn. B power - Bus during emergency shutdown may Ing Gear 11A (let) cause bowing of turbine rotor RCC 101 AT but does not directly cause (101 37), lose of SCFP. may delay re. Skre 13 (4C) start. KS A, MFWS-SCFP SCFP Tur- A, Speed Control Loss of Signal Turbine speed reduces to mini-a bine Speed a Signal output aus hand set speed. F.w. flow signal reduces but continues from other SCFP. If at power > 604 F.P., RT can occur f rom low SG 1evel. MS A, MFWS-SCFP E.P. Main- A, Manual Valve left Turbine startup not possible 3 steam B Isolation closed unless aus boiler steam availa-supply to Valve 14-1 ble. Startup on reheat sta is SCFP Tur- not available. bine O B.8-14

Table 3.8.2 Ks and SSR support system FNBA (Continued) FRONF LINE STsTBN SUPPORTING STsTBN FAULT BFFECT ON FRONT LINE l FAILDRS NODE SYSTBN OR COMPON5pT I g SYSTWI DIV CONF 0NWT STsTM D1V CONDON MT FUNCTION I \ NAME IDENTIF. DANE IDENT2F. I Ks A, frWS-sGFF Deheat A, Nanual too= Valve left Turbine reheat control valve a steam sur- 3 lation closed goes to full spen demand for ply to SGFP valves 26-1 steam Will open EP steam control Turbine valve to run turbine from main steam. Ks A, NFWS-sGFP 3CFF Tur= A, Motor-opere- Valve closes Turbine tripe on cloente signal a bane en- B ted Isolation from valve and low vacum sig-haust to valve 3964 x nal. If at power > 604, RT can condenser (3931) occur from low 30 level. Ks A, NFWS-sGPP SGFP Tur- A, al seal Loss of Seal Turbine may trip on low vacuum. 3 bine Gland a steam steam pressure  !! power > 606, BT can occur seal steam supply and flow from low 3G 1evel. b) seal Loss of flow seal steam blows through seale steen !cto ream Fe offsets en Sahaust turbine operation. KA A, NFWs-Disch. Operator A, Manual Valve left in Loos of Feedwater flow to sG 11 a Line Isola- 3 Operation closed position (12). F.W. flow will continue tion valves from other sGFF. BT may occur (1FW103,106) if at power > 60% on low so level. Ks A, NFSW-5.P. FW Operator A, Nanual Velve left in a) If FW heater bypass valve a seater Inlet 3 operation closed position ciceed, reduction of FW flow Isolation could cause RT on low SG valves (IFW 1evel if at power > 60s. 117, 122) b) If FW beater bypass valve open, colder FW would be supplied to SG, but no effect on SG 1evel. Ks A, NFWS-5.7. Operator A, Manual Valved left in

  • B FW Reater 3 operation closed position Outlet Isole-tion valves (1Fy-118,121)

B.8-15

Table B.8.2 PCS and SSR Support System FMEA (Continued)

FRONT LINE SYSTEM NAME | DIV | FRONT LINE COMPONENT IDENTIF. | SUPPORTING SYSTEM NAME | DIV | SUPPORTING COMPONENT IDENTIF. | FAILURE MODE | FAULT EFFECT ON FRONT LINE SYSTEM OR COMPONENT FUNCTION
PCS | A, B | MFWS-FW Line Manual Isolation Valves (IFW 128,111) | Operator | A, B | Manual Operation | Valve left in closed position | If FW Reg. Valve bypass is closed, FW flow to that SG is lost. RT will occur on low SG level. If bypass valve is opened RT will still occur since bypass flow is ~5% of full flow.
PCS | A, B | MFWS-FW Regulating Valves (CV-1111, CV-1122) | Instrument Air Supply | A, B | Air Line 2'R335-1036 | Loss of Pressure | FW Reg. Valve CV-1111 (1121) fails as is.
PCS | A, B | MFWS-FW Regulating (SV-1111A,B; SV-1121 A,B) | 120V AC Instrument Power | A, B | 120V AC Bus (IC35, Bus 11; 1C16 Bus 12) | Loss of Voltage | No effect on solenoid valves which control air supply to CV-1111 and CV-1121.
PCS | A, B | MFWS-FW Regulating Valves (CV-1111, CV-1121) | FW Override Signal | A, B | Control Signal (FW Controller 11 (12)) | a) Loss of signal. b) Spurious signal. | a) No effect on valve position. b) Closes FW Reg. Valve - FW flow to SG lost - RT will occur on low SG level.
PCS | A, B | MFWS-FW Line M.O. Isolation Valves (1-MOV-4516, 4517) | 400V AC Power Supply | A, B | 480V AC Bus 113 (14A), MCC 114R (104R) Bkr 43 (4F) | Loss of power | Valve fails as-is. At FP valve is open - no effect on FW flow. Unable to close to isolate SG on demand.
PCS | A, B | MFWS-FW Line M.O. Isolation Valves (1-MOV-4516, 4517) | 120V AC Inst. Power | A, B | 120 V AC Bus | Loss of Voltage | Loss of valve position indication - no effect on valve motion or position.
PCS | A, B | MFWS-FW Line M.O. Isolation Valves (1-MOV-4516, 4517) | Operator | A, B | a) Remote Manual Operation (CR). b) Local Manual Operation. | Valve inadvertently closed | Loss of FW flow to SG 11 (12). RT on low SG level if at power >60%.

B.8-16

Table 3.8.2 FCS and SSR Support System FMSA (Continued) w FIONF LIIE SYSTER SUPPCRTING SYSTBN FAULT SFFBCT ON FRONT LINS - FAILURS M(BB SYSTBN CR COMPONENT

              )           SYSTSN DIV CORPONBIT                                                                                                      SYSTSN         DIV     CORPORWFF                                     FUNCTION

(/ NANS IDSNTIF. MARS IDBrfir. KS A, Brus-FW Line Automatic A, Steam Gen. Failure to Valve does not close - FW con = B N.O. Isole= Actuation B teclation receive signal tinues to be supplied to SG. Rt tion valvee Signal Signal on h1 3G 1evel - Poes. initta-(1 N07-4516, (close) tion of overcooling tranatent. 4517) MS A, MPWS-3GFF Operator A, Manual Valve left No effect on FW flow at power a gypese Line a operation closed when SCFFe are operating. Would Zoolation prevent Fw flow to SG from Valves (1-rw- booster pumps when SGFra not 108) operating during startup. MS A, NFWS-SP Operator A, Manual Valve left SF Fw heatere 16A, 163 bypassed. S Seatere B operation open Colder than normal Fw supplied typese valve to SG but not effect on flow. Greater than normal heat removal fran primary systen lovera T.,, MS A. MFWS-EP Fw Instrument A, Air Line Loss of Air typese valve opene - Small in-B meg. Valve Air Supply 5 2*SD=35- Freasure crease in Fw flow to SG < 54. Bypese Velve 1036 Neg11ble effect on plant opera-(CV-1105, tion. 1106) KS A, NFWS-SP FW 1207 AC A, 110V AC Loes of 3 Reg. Valve Instrument 3 vital voltage Bypase Valve Power Bus 11 (11), (CV-1105, str 8 (8) 1106) MS A, NFus-SP FW Operator A, Manual a) Valve el At full power - Small < St B Reg. Valve - 3 Operation opened increase in FW flow - no signi-Bypase Valve b) Valve ficant effect on plant operation CV-1105 closed b) At powere ( 154, closing by-( 1106) pass valves causes loss of Fw flow to 30. RT will occur on low 3G 1evel. t G B.8-17

Table B.8.2 PCS and SSR Support System FMEA (Continued)

FRONT LINE SYSTEM NAME | DIV | FRONT LINE COMPONENT IDENTIF. | SUPPORTING SYSTEM NAME | DIV | SUPPORTING COMPONENT IDENTIF. | FAILURE MODE | FAULT EFFECT ON FRONT LINE SYSTEM OR COMPONENT FUNCTION
PCS | A, B | MFWS-FW Flow Control System | Operator | A, B | Manual level trans. change | a) Operator switches to level trans. that has failed low. b) Operator switches to level trans. that has failed high. | a) FW Control System senses continued false low SG level sig., SG overfills. Turbine trips on Hi SG level. b) FW Control System senses continued false high SG level signal. SG level falls, RT occurs on low SG level.
PCS | A, B | MFWS-FW Flow Control Sys. | Main Steam System | A, B | Steam Flow signal | a) Loss of signal / fails low. b) Signal fails high. | a) FW Control System senses continued need for less FW flow. SG level is prevented from dropping because of level input to controller. Loss of control of FW. b) Flow input to 3 element FW Control System senses false need for additional FW flow. Level control input may keep SG from overfilling. If not, Turbine will be tripped automatically on high SG level.
PCS | A, B | MFWS-FW Flow Control Sys. | 120V AC Vital Instrument Power | A, B | 120V AC Vital Instrument Bus 11 (12), Bkrs 8 (8) | Loss of voltage | FW Reg. Valve closes on loss of control power. Loss of FW flow to that SG. RT will occur from low SG level. This trip occurs even if bypass valve is opened.
PCS | A, B | MFWS-FW Flow Control Sys. | Turbine Tripped Signal | A, B | Signal input | a) Spurious signal rec'd. b) No signal. | a) FW Reg. Valve closes, bypass valve opens. At full power bypass FW flow not enough to maintain SG level - RT occurs on low SG level. b) FW Reg. Valve fails to close, FW flow continues until FW Reg. Valve closed by SG high level signal.

B.8-18

Table 3.0.2 FCs and sea support system Fush (Continued) l l i n SUFFCRTING SYSTBR FAULT RFFECT ON FRONT LINE l (Q) PRONT LIIE STsTEM FAILURS NCDE STsTEN OR CONFON8NT SYSTsN Div ConFOWErf STatsN DIV CCOWOMElf FUNCTION Mans IDsNTIF. NAME IDErTIF. FCs A. IWWS-PW Flow Operator A, nansal set. a) 1. setpoint al 1. SG 1evel will drop posai-3 control sys. 3 point Gen- set too low bly causing RT on low 3G 1evel. eretion 2. Setpoint 2. SG 1evel will rise poss. set too high causing Turbine trip on high 3G a) Level b) 1. Setpoint b) 1. Fw differential pressure b) Reg. too low is maintained low which decres. Valve Dif- 2. setpoint ses Fw flow into SG.. BT may ul-forential too high timately occur on low SG 1evel. Pressure

2. Fu differential pressure.

is maintained high which may Ancrease FW flow into SG. l l Turbine trip may occur ! ettmately on high eG 1evel. FCs - A, RFWS-sGFF Operator A, Manual Oper. Loss of Min / a) At full power - no effect B Min. flow / B ation (clo- Sectre. flow man. flow not needed valve CU Becirc ula- sure) of 4444 will be closed normally. tion system Inlet / Dis- b) At low powers where Fw flow charge is less than 2000 gym sin. flow Valves FW of 2000 gpa sust occur to pre-109 (111), vent burnup. 110 (114) or valves left closed. FCs A, MFWS-sGFF Instrument A, Turbine Loss of Air Valve opens, diverts 2400 gpa a Min. flow / Air supply B Blog. Air Pressure oppros.164 full flow to con = pectre. sys. seeder denser. SGFF may trip on low Valves (CV suction pressure causing at on 4484 (4475) low sG 1evel. Will eventually get RT on low 3G 1evel due to partial loss of FW flow. e b B.8-19 a . . .. .

Table B.8.2 PCS and SSR Support System FMEA (Continued)

FRONT LINE SYSTEM NAME | DIV | FRONT LINE COMPONENT IDENTIF. | SUPPORTING SYSTEM NAME | DIV | SUPPORTING COMPONENT IDENTIF. | FAILURE MODE | FAULT EFFECT ON FRONT LINE SYSTEM OR COMPONENT FUNCTION
PCS | A, B | MFWS-SGFP Min. flow/Recirc. Sys. | 120V AC Vital Instrument Power | A, B | 120V AC Vital Instr. Bus 11 (12), Bkrs 810) | Loss of Voltage | a) SV 4484 (4445) deenergizes, opening valve, causing loss of 2400 gpm (16% of full flow). SGFP may trip on low suction pressure causing RT on low SG level. Will eventually get RT on low SG level because of partial loss of FW flow. b) Switch to alternate AC Bus 11 (12), if energized no effect. If not energized then as in (a) above.

B.8-20


Table S.S.2 FCs and esa support systen FNBA (eentineed) FRONE LI M sT5 FEN WFDS TING sTSTBN FAULT WPSCT ON FRONT LINE FA!!4ms Nas STsTEN m CDur0Nart STsTWI DIY Cour0NWT sTsTWt Siv CONp0Bart FUNCTION

               .                tage           19 3r!F.            MIS                IDWrrIF.
                              asm -   A,. staan semera-      120V AC     A,     last vital           Lees of Vol.       Causes trip of one enannel 9,     ter - steme        Vital Inst. S,-    AC Bus 11            tage               giving a half trip for RT and C,     Pressere           Feuer       C,,    (12), (11)                              usiv closure.. (Assuming loss of 9      Instrumente                    3 . (14), stre                                 one vital boa per event).

14, (16), (14), (14). sm A, steen Genera- Operator A, ' manual Valves closed Any one of tuo valves per line a ter aseface 3 opeeation er left prevent serface blowdeun of SG. 31eudoun Line closed No effec en aperation escept

                                               - Isoletten                                                                   casse deterioration of SG water valves ( Aen- -                                                               chemistry.

sal) (130 122 (114), lap 123 (117)) . set A, steen Gen. Operator A, Manual Valves closed Valve closed ut!! prevent sur. B surface Blow- S operation or left face bloudoun of 3G. No effect doun Line'= closed en operation escept to cause Bleudeva deter 10tation of SG unter valves (1CV- chemistry. 4010 (4812). se A, steen eenera- Contain. A, Contain. a) No signal. ,al Fallere'to close valve when a tot surface Zoolation s. Isolation 'b) Inadver- required for contatsment teole-gloedenen Liek eyeten - signal , tent signal tien.

                                               - 31oudoun                                                                    b) Closee valve - ne lamediate valves (1C                                                                    affect on operation = causee 4010, (4012)).                                                                gradual deterioration of SG
                                                                                                                            - unter chemistry.

Sea A, steen Genera-. Contain A, Contain high a) No algnal

  • 3 ter surface podiation B radiation b) Inadver-31oudoun Link Nomer.re- signal (31 tent signal
                                               - Blo,doun         meet               4014)

Valyse (1C 4010, (4012)). .w . . 9 B.8-21

Table 5.8.3 PCs and saa support System FREA (continued) FM)MT LINE SYSTEN PUFPGtTING SYSTER FAULT EFFECT OM FRONT LINE FAILURE NODE SYSTEN C5t gPONENT STsTEM DIT CORPOR WT SYSTEM DIV COMPONENT FUEdIon

                    .NAMS                           IDENTIF.           NAME              IDENTIF.

san A, steam Genere= 120V AC A. Instrument Loss of Air Closes valve - no lamediate 2 ter Surface Instrument 3 Air Line Pre ssure affect on operation - causes slowdown Link Power gradual deterioration of SG

                                                    - Blordown                                                            water chemistry.

Valves (IC 4010,(4011) SS A, Steam Geners- Operator A, Manual Valve closed 3 tor Bottom Line 3 operation or left slaudown Line closed.

                                                    - Manual Iso
  • 1ation Valves 130-119013):

110 (114)). SSR A, Steam Genera = Cont ain. A, Containment al No signal 4) Failure to close valve when B ter Bottom Isolation B Isolation b) Inadver- required for containment isola-(, slowdown Line system signal tent signal tion.

                                                    - slowdown                                                             b) Closes valve - no immediate valves (ICV                                                            affect on operation - causes 4011, 4013).                                                           gradual detartoration of SG water chemistry.
                            $5R              A,
  • Containment A. Containment al 50 algnal 3 Radiation S High Radia- b) Inadver-Monitoring tion Signal tent signal Sys tew. (31-4014) san A,
  • 125V DC A, 125V DC Loss of valve closes ca loss of 115v DC B Instrument 3 Instrument Voltage instrument power.

Fower sus 11 Pal No insediate effect on DC13, Bkr 6 operation - causes gradual deterioration of SG water chemistry. SSR A, Instrument A, Instrument Loss of B Air Supply B Air Line Pressure O B.8-22

Table 3.8.3 FCs and SSR support system FNBA (continued) . . . F90irt LIIE SYSTEM SUPPcitTING SYSTEN FADLT 3FFECT ON FROIFF LINE FAILURE NCDS SYSTEN CR CCetrget311T SYSTEst DIV Costs 0Nar! BTSTEN DIV COMPCNWrt FUNCTION ( MANS IDalTIF. NAME IDRIfTIF. SER A, Mala Stream Camponent A, CCir Sup ly Loss of CCW Beatup of penetration occurs E System = - Cooling B Lines 3/4 flow Oltimate failure of penetration. Containammt Noter Sys. 33-23-1171 penetration (1173) and Coolers 11 CCW retura (11) lines 3/4 as-23-1172 (74). ssR A, Main steam Instroent A, Instrument Loss of Air Valve fails closed on loss of S system . Air Supply B Air Line Pressure air. Unable to open on demand Atmospheric to dump steam. If condenser Dump Valves inoperable, will be unable to (CV 3930, remove stored and decay heat 3939) from primary coolant system except through spring loaded safety relief valves est A, Main Steam 125V DC A, 125V DC Loss of valves fait closed on loss of a system (ADV) Instrument B Bus 11, Pal Voltage voltsge-vill be unable to Atmospheric Power DC13, skr 5 quickly open dump valves on Dap Valves demand to d ap steam to renove (CV3938, 3939) stored and decay heat from primary coolant system. If modulating control is not available along with condenser ard turbine bypass valves, primary syste? heat removal must be accomplished through the spring loaded safety relief valves. m (v\ i B.8-23

Table 3.8.2 PCS and SSR Support System FMEA (continued) FEONT LINE SYSTEM SUFPCEtTING SYSTSM FAULT EFFECT ON FRotrf L1pS FAILURS MOD 2 SYSTEM Gt COMPOWENT SYSTEM DIV COMPONENT SYSTSN DIV COMPONElff FUNCTION MANS IDENTIF. NAMS IDENTIF. SSR A, Main Steam Steam Dump A, e) Modula- 1) No signal 1) Unable to open and control B System (ADV) & Bypass 3 ting steam ADV means not able to control Atmospheric Control dump signal heat removal through secondary D ep Valves System (RIC-4056 system it condenser and bypass (CV3938, A, 3) valves are not evallable. Beat 3919) can be removed through quick b) Override opening feature of ADV and quick open) safety /rettet valves. signal 2) Inadver- 2) causes lose of up to 54 of tent signal steam flow of affected SG. No major effect on operation.

1) No signal 1) Unable to
  • quick open' the ADV on demand. May not be able to remove heat rapdily enough to prevent lifting of secondary safety / relief valves.
2) Inadver- 2) Causes immediate loss of St tent signal of steam flow of affected SG.

May cause RT and Main Steam System Isolation on low SG pressure. SSR A, Main steam Operator A, Manual Set a) 1. Set- a) 1. Causes delay in valve op-3 system - B Point Gener- point too ening which may cause lifting of Atmospheric stion high secondary safety valves. Dap Valves al Steam 2. Set- 2. Causes premature opening (CV 3918, Dump Con- point too of valve, 44 aping T.,, ,g , 3939) troller low lower than normal value and b) E!C 4056, b) 1. Set- reduces plant efficiency but no 4056 A, 3 point too severe effect on plant high b) 1. Prevents valve from open-

2. Set- ing on demand. Relief will point too occur through safety / relief low valves if turbine bypass valves and condenser are not available.
2. Valves open prematurely to vent steam to the atmosphere which otherwise would have been passed to the condenser.

Otherwise no effect on plant operation. O B.8-24

Table 3.8.2 FCS and SSR Support System F9tBA (continued) FRDNF LIIS SYSTSM SOFratTING SYSTEN FAULT SPFBCT ON PRONT List FAILDRS NCDS SYSTER cit COMPOWENT ST8 tan DIY Con 60NEIT SYSTSR DIV Comp 0mmeT FUNCTION \ IDWITIF. Mans IDarTIF. EMIB SSR A, Main Steem Operator A, Manual valve closed prevent ADV from performing 3 System - 3 operation or left its function of dumping excess ADF annual closed steam - may cause lifting of Isolation secondary safety valves. Valves (1-MS-101,104) Sat A, Main steam Operator A, Manuel a) Trip Set- a) Valve opens late or does not 3 System - B Operation = point too open = not a problem if turbine safety /De- Trip setting high bypass and atsoaphoric dump - lief Valves valves are operable. If not RT

                  -(RV 3392-                                                           en high pressure and venting RV 4007)                                                           through primary system safety valves.

b) Trip set- b)Causespresagureopeningof-poirt too low, valve, keeping are at a loves than normal value and reduces plant efficiency but no severe effect on plant. O B.8-25

Table 3.8.2 PCS and SSR Support System FMEA (continued F303rF LINE SYSTEM SUPF(MtTING SYSTEM FAULT EFFECT ON FRONT LINE FAILURS N2E SYSTEM OR CopONENT SYSTEM DIV CORPONENT SYSTEM DIV CORPONENT FUNCTION RAME ID ENTIF. MARE IDENTIF. SSR A, Main Steam 200 psig N2 A, Nitr ogen Loss of N2 Unable to pressuriae & blanket 8 System- supply B line 1/2 88 flow MSIV Bydraulic System Assumu= Main Steam 1067 lators. Common to both RSIVs. Isolation May cause loss of NPSs for hy-Valves (MSIV) draulic pumps and potential (Cv4043, contamination of hydraulic 4C48) fluid with water. 85R A,

  • 12SV DC A, 12SV DC a) Loss of a) Unable to close RSIV since B power 8 Bas 11 Power ccetrol solenoids are energised pn1 1C03 to close.

b) Undervol- b) May not be able to energise tage solenoid valves sufficiently to activate them to allow RSIT to close on demand. SSR A, Main Steam 480V AC A, 480V AC a) Loss a) Loss of EP 6 LP hyCraulic 3 System - 3 Buses 114R Power pumps - unable to open or close MSIV (CV (104R) MSIV because of loss of hydrau-4043, 4048) lic pressure b) Undervol- b) Pump motors w!!! overheat tage/Under- and may not develop enough f req uency torque to drive the pump to put out its rated pressure. Some result as in (a) above. SSR A, Plant ser- N Plant ser- Loss of Air Unable to charge hydraulic ac-B vice Air A vice Air cumulators to operating pressure System Bora BB with N2 since N2 compressor 1099, ED air-driven. Energy, capacity 1132 and quantity of oil in accumu-lators may not be adequate to close MSIV on demand. O B. 8 -26

I i 1 1 a Table 3.8.2 PCs and SSR Support System FNRA (continued j FMDIrf LI M SYSTER SUPPCRTING SYSTSN FAULT BFFECT CN FRONT LINE { g PAILORE NCDR SYSTBN Cft COMPONENT I

   % SYSTEM DIY CONSOMMIT            SYSTER     DIV   CONSONEIrr                                     FDMCTION              f MAM             IDENTIF.        MkNE             IDENTIF.                                                            .l SSR      A,     Main Steam     Engineered   A,  Steam Gen-      a) No signal        a) Ns!V f ails to close on de-3      System -       Safety       3   erator Iso-                         mand. No isolation of Main -

MEIV (CV Feature lation Steam System. Possible encon-4043, 4040) Activation Signal trolled blowdown of more than System one SG could lead to overcool-ing transient. b) Inadver- b) NSIV Close

  • creates lose of tent close main heat link = RT on high signal prge pressure, lifting of see-ondary safety / relief valves.

SSR A, Main Steam Operator A, Manual a) Unadver-3 System - B operation tent manual M81V (CV open 4041, 4048) b) Inadver-tent manual closure SSR A, Main Steam 440V AC A, 480V AC a) Loss of al Valve normally closed - Loss B System - Pouer 3 Power Buses Power of power prevents opening valve MsIV Bypasa 114R (104R) if needed to establish bypass Skra 4C (!iA) flow. No effect for FF opera-Valves (NOV-tion. b) Under vol- b) Valve motor may overheat and tage/Under no* develop sufficient torque frequency to open or shut the valve on demand. Valve is normally closed daring FF operation, therefore no effect. SSR A,

  • Operator A, Manual a) Inadver- al Some partioning of steam flow S operation tent open between main and bypass lines -

f S no effect at FP. If NSIV closed on SCIS will result in partial loss of SG isolation. b) Inadver- b) If bypass valve open - loss tent closure of bypass steam flow.

B.8-27

l t Table 3.8.3 PCS and S$a Support System FMEA (continued F3ONT LINE SYSTEM SUFFCStTING SYSTEM FAULT EFFECT ON FRONT LINE FAILURE RCDE SYSTEM cst COMPONFMT SYSTEM DIV COMPONBr7 SYSTEM DIV COMPONENT FUNCTION NAMR IDENT1F. RAME IDENTIF. SSk A, Main Steam 440V AC A, 480V AC a) Loss a) Valves fail as-is. Valves 3 rystem = Power B Bassa Power are normally open = valves noisture would f all to close on demand = Seperator/ will cause loss of ability to Beheater isolate the SG on demand. Isolation b) Undervol= b) R$1V f ails to close on de= Valves in0V tage/Under= mand. No isolation of Main 4025, 4028 frequency Steam Fystem. Posstble uncon-trolled blowdown of more than one SG could lead to overcool-ing transient. SSR A, Main Steam Operator A, Manual a) taedver= al Beheat steam to LP Turbines 3 System = 3 operation tent closure loses heat = reduction in plant Moisture efficiency at FF, otherwise no separator / effect. Seheater b) Inadver= b) Not applicable at FP but if Isolation tent opening SG isolated in response to CGIS Valve can result in only partial SG isolation. SSR A, Main Steam SSFAS A, DGIS el No signal a) Valve falle to cicae a para System-9CFP S tial f ailure to isolate SG on 3 Turbine SP demand f rom ISFAS if valve open. Stop Valves b) Inadvertent b) Valve normally closed during (CV 39S9, algnal FP Operation therefore no effect 3974) SSR A,

  • Turbine A. Aete Tur= al No signal a) Turbine SV f ails to close on S Trip Signal B bine Trip Turbine trip demand - possible signal damage to DGFP turbine and loss of Fw flow to that SG.

b) Inadvertent b) SV closes, shute down SGFF, elose signal loss of FN flow to that SG. SSe Ae Operator A, Manual Inadvertent Valve normally closed during S S Operation Manual Trip FF operation therefore na effect O B.8-28

1 1 Table k.S.2 FCS and SSR Support System FRE?. (continued) FmDNF LI N SYSTER SUPPORTING SYSTEM FADLT BFFECT ON FRONT LINE PAILDRE NODE SYSTEM OR ConPougpT D' SYSTEM DIV ConPONENT SYSTEM DIV ConPONENT FUNCTION NAME IDENTIF. NAME IDENTIF. SSR A, Main Steam Turbine EP A, EP 011 to Loss of EP Unable to open SV or keep it 3 System = 011 System 3 SV operator oil pressure. open. Loss of FN flow to that SGFP Turbine SG. EP stop Valves (CV 3959, 3904) SSR A, Rain Steam Turbine A, Tave Input a) Teve signal a) 1. Steam bypass to Condenser S System - Sypass 3 Signal will be controlled only by steam Main Turbine Control 1. No signal pressure input. No effect on Bypass System plant operation ainee bypass is Valves (CV normally contro11e3 by steam 3940, 3942 pressure through an auctioneer-3944, 3944) ing circuit.

2. $1gnal 2. Same result as above.

fails low 3. sypass valves will open

3. Signaa on f ake Tave signal causing I fails high loss of up to 40% of steam flow from steam Tenerator. May cause RT and main steam isolation on low SG pressure b) Outet 96ma bl 1. Unable to ' quick open' on Teve bypass valves on demand. May
1. No signal not be able to remove heat rapidly enough to prevent lifting of secondary safety / relief vleves.
2. Inadver- 2. Causes imediate loss of tent open op to 40% of flow from steam signal generators. May cause RT and main steam system isolation on low SG pressure L

B.8-29

Table 3.0.2 PCs and SSR Support System FMEA (continued) Faoprt LINE SYSTEM SUPPORTING SYSTEN FAULT RFFECT ON FRONT LINE FAILURE MCCE SYSTEM C5t ConPONrNT SYSTEM DIV COMPONENT SYSTEM DIV COMPONENT FUNCTION RAME ID ENTIF. RAME ID ENTIF. SSR A, Main steam Operator A, Manual Set- al 1. Setpoint a) 1. Teve - Trof may not be 3 System Main B peint Genere- too high enough to overcome auctioneer Turbine Byrssa tion circuit even on high temperature Valve a) Steam Dump transients, therefore no action Controller to control reactor coolant tem-perature transients through steam bypass is possible.

2. Setpoint 2. Causes premature and f re-too low quent opening of bypass valves keeping Tave at a lower than normal value and also prevents keeping secondary steam pressure sontrolled.

b) Steam b) 1. Setpoint b) 1. Prevents valves from open-typass too high ing to relieve excess steam Pressure pressure. setief will occur Controller through Safety / Relief valves and ADVs.

2. Setpoint 2. Valves open unnecessarily too low to bypass up to 40% of steam flow that could have been used by main Turbine. Lovers plant efficioney but no other adverse e ff ect.

SSR N Main Steam Turbine By- N Main Steam a) No signal a) No differential pressure sig-A System - Main pass *on- A Pressure nel at Auctioneer circuit. No Turbine Bypass trol System Signal secondary pressure control, Valve steam bypass valves controlled only by temperature controller. b) Signal fails b) Results as above. Iow c) Bypass valves open to bypass c) Signal falla up to 40% of steam flow from high steam Generators. May cause RT and Main Steam System isolation on low SG pressure. O I3.8-30

Table 0.0.2 DCS and SSR Support System PnSA (contiawed) PRONT L135 SYSTBN SUPPW TING SYSTSR PAULT SPPRCT ON PRONT LINS PAILDRS NODS SYSTER R CORPopBNT [ 4 SYSTER DIY Coup 0Werr luus 'IDurTIP. SYSTEM ELAS DIY ConPossrf IDWrt1P. PORCTIon SSR N Nela Steam Yurbine By- N Low Condenser Interlock Bypast valves may discharge A System - Nain goes Con = A Vacuum Inter- falle to aperate steam ..ito a condenser with Turbine Sypees trol System lect little or ao vacaen. Roselting valves pressure buildup in eendenser may rupture blowout surfaces ir

                                                                                                                                                   .ondenser vessel.

u ' 120V AC A 120V AC Lees of Power to a) Less of Power to Pals 1C03, SSR A Instrument S Instrument Pale 1CO3, 1R01A, 1R018 causes toes of Power Supply - 130113, ImS1A signal to 1/P converters whicL Pats 13018, remove air to bypese valves 1C03, IR01A. which fail closed. Unable to open bypese valves en demand. b) Loes of Power to Pal IC03 causes loss of DC to Steam Dump override controller and aus. relay - unable to ' quick open* bypese valves on demand. SSR u nain Steen 125V DC N 125V DC Loss of Power Causes loss of ADV and bypass A . System - Main Power A Pat DCall, valve ' quiet open* capability on Fe Sine Syp444 Skt 14 Teabihe T81p. Ym.ves SSR W Instrument N Instrument Loss of Air Valves require air to open. A Air Supply & Air Line Pressure Unable to open to bypass oncese steam to condenser. Raceas stees relieves through Safety / pelief valves. SSR u nain Steen 1600 peig N PAS, PJC & Loss of 011 SP etop valves rapidly close, A System - Main 011 Supply A STS Supplice . Pressure shutting down main turbine.. Turbine MP stop Szcess steam relief must occur valves iSV 3949, through bypass valves. If not 3950, 3951, 3948) sufficient, secondary Safety / Belief valves may lift. 4 4 4 lO I i 3 i B.8-31

e Table 3.8.2 PCS and SSR Suggott System FMEA (continued) FRONT LIIS STSTER SOFFCetTING SYSTER FAULT EFFECT ON FR0lrF LINE FAILORE MODE SYSTEM (R COMPONENT SYSTEM DIV COMPOWENT SYSTEM DIV CORPONENT FUNCTION RAME ID ENTIF. RAME IDENTIF. SSR N Main Steam 011 Drain N TCD Drain TCD blocked EP 011 may not be drained from A System - Main Systems A System cylinder or control valve Turbine BP Stop spaces, stop valves may close valves ($V 3949, slowly or not close at all. 3950, 3951, 3948) Could cause excessive blowdown of SG with RT and SGIS on low SG pressure. SSR N

  • 24V DC N 24V DC power Loss of power Loss of power deenergisee Nester A power A from EEC trip Bua inactivating automatic Trip Bus. pilot solenoids, NTSVA 6 3 on from Cab 1711 each valve tripping the valve closed, papid closure at power causes builder of pressure in mala steam system that requires relief through bypass & ADVs.

If not enough Secondary Safety / pelief valves may lift. RT may also occur on Righ Pressure.

  $$a     N      Main Steam         125V DC      N    121V DC11       Loss of power    Loss of power prevents energi=

A System - Main Power A Pn1 DC11 sing mechanical trip solenoid Turbine BP Stop Skt 4 preventing turbine trip--also Valves inactivates eight additional turbine trips. Prevents closure of EP stop valves from these events and tripping off main turbine f rom these events. May esuee turbine damage.

  $$2     N
  • 120V AC N 12FV AC Loss of power No power causes loss of c'rcuit A Instr ument A Inst r ument functions in the EBC Cabinet Power Power sus 11, that will ultimately cause clo-Skr 1. sure of the Er stop valves. At FP Sypass and ADVs must open to relieve excess steam pressure, otherwise secondary supplies left.

B.8-32

C. Table a.0.2 PCS end Sea Support System FNBA (continued) FRDNT Liam SYSTEN SUPPCRTING SYSTER FAULT BFFECT ON P900FF LINE FAILDRE NODE SYSTEN (W CONPONWIT p) SYSTWI DIV CONDONWIT NhMB IDurTIF. SYSTWO MhMB DIV CONDONWIT IDWITIF. FUNCTION


SSR N Nein Steam 440V AC A, 440V AC Bus Loss of power Pumps fail on loss of power, A Systes = Main power 3 125 (PF 11) hydraulic pressure fails, valves Turbine BP Stop 440V AC Bus shut. At FF, Dypese & ADve valves 134 (PP 123 must open to relieve escoes steam pressure. If not able, secondary safettee may lift and RT may occer on Prar Eigh Pressure.

  • Operator A, Manual Inadvertent All BP etop velves close. At Sam N A B operatione ' Valves Close* FP, Dypees & ADVe must open to signal initiated relieve excese steam pressure.

by operator If not sufficient, secondary safeties may lift and RT may occur on Far 31 Pressure. N

  • Operator N Manual Inadvertent Affected valve closes, partially SSR A A operatore Actuation of shutting off steam flow to EP
                                                                                         ' Test' Switch     Turbine. Steam pressure rises eeusing opening of typese valves to maintain secondary pressure within limits. No adverse effect on plant safety. Reduces plant efficiency.

San N N Inadvertent All stop valves trip closed. A A Actuation of At FF, typase & ADve suet open

                                                                                         'Nechanical Trip to re!! eve escoes steen pree-Lever
  • sure. If not able, secondary safeties any lift and RT may occur en Prst Nigh Pressure SSR R N Inadvertent A A Actuation of
                                                                                         'Naster Trip' button f%


Table B.8.3. Maximum Allowable Power Level-High Trip Setpoint With Inoperable Steam Line Safety Valves During Operation With Both Steam Generators

| Maximum Number of Inoperable Safety Valves on Any Operating Steam Generator | Maximum Allowable Power Level-High Trip Setpoint (Percent of RATED THERMAL POWER) |
|---|---|
| 1 | 93 |
| 2 | 79 |
| 3 | 66 |

Table B.8.4. Maximum Allowable Power Level-High Trip Setpoint With Inoperable Steam Line Safety Valves During Operation With One Steam Generator

| Maximum Number of Inoperable Safety Valves on Any Operating Steam Generator | Maximum Allowable Power Level-High Trip Setpoint (Percent of RATED THERMAL POWER) |
|---|---|
| 1 | 40 |
| 2 | 35 |
| 3 | 29 |


Figure B.8-2 Simplified Diagram of the Steam Generators

Figure B.8-3 Simplified Schematic of the Secondary Steam Relief System (SSRS)

Appendix B.9

Auxiliary Feedwater System

B.9 AUXILIARY FEEDWATER SYSTEM DESCRIPTION

B.9.1 Purpose

The purpose of the Auxiliary Feedwater System (AFWS) is to provide feedwater to the steam generators for evaporation to provide for the removal of sensible and decay heat, and to cool the primary system to 300°F in the case that the main condensate pumps or the main feed pumps are inoperative (this includes the loss of normal electric power sources case).

B.9.2 Description

B.9.2.1 Overall Configuration

As shown in Figure B.9-1A and B.9-1B, the AFWS supplies water from the safety-grade Condensate Storage Tank (CST) #12 to the steam generators for evaporation and heat absorption. If CST #12 is out of service, Unit #1 AFWS can be lined up to CST #11 and Unit #2 AFWS can be lined up to CST #21. (For this study, credit is given for CST #11 for recovery only and it is not modeled on the fault tree.) The system consists of a pair of steam turbine-driven feed pumps connected in parallel with a third motor-driven feed pump. The electric motor-driven pumps on Units 1 and 2 are cross-connected at their discharges so they can be used to provide feedwater for either unit as required.

The AFW systems for the CC-1 plants are being modified. The system for Unit 1 has been modeled here as it will exist after the modifications are complete. Primarily, these modifications involve the addition of motor-driven pumps #13 and #23 with associated piping and the replacement of motor-operated valves in the steam supply lines to pumps #11 and #12 by fail-safe, air-operated valves. These modifications have already been made at Unit #2 and are scheduled to be made during the November 1983 outage of Unit #1.

Turbine-Driven Pumps

The two steam turbine-driven pumps (700 gpm), located in the auxiliary feedpump room, take individual suction from six inch branch lines fed from a common six inch header or manifold to the condensate storage tanks. The two pumps discharge into a common header to individual feedlines for each steam generator. Each feedline has two automatically operated block valves which close upon receipt of a "steam generator rupture signal" (SGRS).

The turbine driver can be supplied with steam from the MSS as long as the pressure is above 50 psig. The turbine driver is a single stage turbine with one governor valve that can be controlled remotely from the control room or locally at the turbine. The governor has its own self-contained oil system which is water-cooled by a pump discharge recirculation line. Bearing lubrication is supplied by oil rings fed from individual bearing sumps. Oil temperature of the turbine is maintained by oil coolers which are cooled by AFW. The oil temperature of the AFW pumps is maintained by attached air fans and cooling fins. The only automatic trip associated with the turbine-driven AFW pumps is an overspeed trip.

Turbine-driven pump #12 will be normally locked out in order to ensure that too much suction will not occur in the CST line. Operator action is required to start pump #12 if either turbine-driven pump #11 or motor-driven pump #13 does not start.

Motor-Driven Pump

The motor-driven pump #13 (450 gpm) is installed in the SRW heat exchanger room and takes suction from the common condensate supply header through a six-inch line and discharges through two branch lines, one to each steam generator. Each branch line has two automatically operated block valves which close upon receipt of SGRS. The branch lines from the steam-driven pumps and the motor-driven pump combine outside of containment to provide a single feed header for each steam generator.

Flow-Limiting Valves

In addition to the two block valves in each pump discharge branch, there is a throttling valve which regulates flow to 200 gpm for each branch. The throttling valves are valves 4511, 4512, 4525 and 4535.

Water Sources

The prime source of water is the CST #12, a missile and tornado proof tank which is also seismically qualified. The valves supplying the header from CST #11 and #21 are normally closed but could be made available for auxiliary feed should they be required. All valves between CST #12 and the pump suctions are normally locked open.

B.9.2.2 System Interfaces

The effects of support system interactions with the active components of the AFWS are shown in the interaction FMEA, Table B.9.2.

The AFWS is dependent upon 4-kV electrical power from bus #11 to provide motive power for AFW pump #13.

The turbine-driven AFW pumps, #11 and #12, are dependent upon the availability of steam with pressure greater than 50 psig to provide motive power. In case of loss of the Instrument Air System, the valves will fail-open (fail-safe) on loss of air pressure (the valves also have a standby air reservoir which will allow valve control for about two hours).

The throttling valves -- 4511, 4512, 4525, and 4535 -- are dependent upon instrument air for valve position control. These valves all fail-open (fail-safe) on loss of air pressure.

B.9.2.3 Instrumentation and Control

The following instrumentation and controls are located within the control room unless otherwise specified. The availability of water in CST #12 is displayed by a level indicator. The pressure in the AFW pump suction header is indicated by a local indicator with an alarm in the control room if the pressure drops below 5 psig.

The discharge pressure for each AFW pump is displayed on a pressure indicator. The flow rate into the steam generators is controlled by the AFW throttling valves. Under automatic operation, these valves are regulated to provide a flow of 200 gpm in each operable branch. The operator can control the flow through a given branch by switching to manual control and utilizing the corresponding hand indicator controller (HIC) to adjust flow.

The flow rate into the steam generators may be checked by observing the AFWS flow indicators (4 per steam generator) or by observing the steam generator level indicator (one for each steam generator). For the turbine-driven AFW pumps, there is one pressure indicator displaying the inlet steam pressure for each pump turbine.

B.9.2.4 Operator Actions

The AFW system is initiated automatically by Auxiliary Feedwater Actuation Signal (AFAS) logic. No operator action is normally required.

If only one of the four branches to the steam generators operates properly, the resulting flow of 200 gpm will be inadequate. The operator can, having observed this condition, switch the AFW regulating valve in the operating branch to manual control and increase the HIC setting to increase flow to exceed the 400 gpm required. Operator action would also be required to locally start pump #12 should pumps #11 and #13 not start.

B.9.2.5 Surveillance

The status of water level in CST #12 is checked once every eight-hour shift. It is one of the items on the shift turnover checklist. The operability of each AFW pump is verified monthly using test procedure 0-5-1. This test verifies that each pump will develop a total dynamic head of 2800 feet or greater on recirculation flow. All manual valves in the flow path of the AFW system are verified to be locked in the proper position monthly using Locked Valve Verification procedure 0-93-1. A summary of AFWS component tests is presented in Table B.9.3.

B.9.2.6 Maintenance

Maintenance is only performed on an as-needed basis. A maintenance summary sheet is compiled in Table B.9.4 and a plant specific maintenance frequency analysis is shown in Table B.9.1.

B.9.2.7 Technical Specification Limitations

The limiting conditions for operations contained in Technical Specification 3.7.1.2 state that two auxiliary feedwater pumps and associated flow paths shall be operable. If there is only one AFW pump operable, a second AFW pump must be restored to operable status in 72 hours or the plant must be in HOT SHUTDOWN within the next 12 hours.

B.9.3 Operation

System Initiation

Upon receipt of coincidental (2/4) signals of low steam generator level for either steam generator, the AFWS is automatically started. The Auxiliary Feedwater Automatic Start (AFAS) signal:

1. Starts the motor-driven pump.
2. Opens the steam supply valves from each steam generator to allow steam to enter the supply header for each steam turbine (CV-4071 and CV-4070).

Protection - Flow Limitations

If no flow limitations were provided and should both steam generators be depressurized to any degree below the normal 1100 psi when the auxiliary feed pumps start, the pumps would go to their "run-out" conditions. This would cause a high suction flow and cause NPSH problems for the pumps. To prevent this from happening, flow in each of the four branches which feed the steam generators is restricted to 200 gpm by a throttling valve (CV-4511, -4525, -4535, -4512). Each leg contains a flow measuring orifice which provides the necessary process measurement to provide control for its respective throttling valve. The suction line is sized to provide adequate NPSH for flow rates up to 1100 gpm.
Protection - Ruptured Steam Generator

To prevent the AFWS from feeding a ruptured steam generator, logic has been installed to identify such an occurrence and take remedial action automatically.

Upon detection of 2/4 coincidence of low steam generator level and 2/4 coincidence of steam generator differential pressure greater than a prescribed amount, an AFAS blocking signal is generated for the steam generator with the lower pressure. This blocking signal is sent to the block valves in each branch feeding the steam generator and causes them to close. Two independent channels feed two separate valves in each branch as shown below.

S/G #11 - CV-4521 and CV-4523 Ch. A
          CV-4520 and CV-4522 Ch. B
S/G #12 - CV-4533 and CV-4531 Ch. A
          CV-4532 and CV-4530 Ch. B

Actuation of Channel A or Channel B is sufficient to block flow to a steam generator.
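The start and blocking logic described above can be sketched as follows. This is an added illustration, not code or logic diagrams from the report: the differential-pressure setpoint, the pairing of block valves into branches, the use of the AFAS start condition as the low-level input to the block, and the sample readings are all assumptions.

```python
# Added illustration of the AFAS start and ruptured-steam-generator block logic.
DP_SETPOINT_PSID = 115.0  # hypothetical; the report says only "a prescribed amount"

# Block valves by steam generator and actuation channel, as listed in the text.
BLOCK_VALVES = {
    "11": {"A": ("CV-4521", "CV-4523"), "B": ("CV-4520", "CV-4522")},
    "12": {"A": ("CV-4533", "CV-4531"), "B": ("CV-4532", "CV-4530")},
}

# Assumed series pairing: each feed branch holds one Channel A and one
# Channel B block valve, so either channel alone closes every branch.
BRANCHES = {
    "11": (("CV-4520", "CV-4521"), ("CV-4522", "CV-4523")),
    "12": (("CV-4530", "CV-4531"), ("CV-4532", "CV-4533")),
}


def two_of_four(trips):
    """2/4 coincidence: true when at least two of four channels are tripped."""
    trips = list(trips)
    if len(trips) != 4:
        raise ValueError("expected exactly four channels")
    return sum(1 for t in trips if t) >= 2


def afas_start(low_level_11, low_level_12):
    """AFAS starts the system on 2/4 low level in either steam generator."""
    return two_of_four(low_level_11) or two_of_four(low_level_12)


def sg_to_block(low_level_11, low_level_12, pressures):
    """Return "11", "12" or None.

    pressures holds one (p_sg11, p_sg12) pair in psig per channel. The block
    needs 2/4 low level plus 2/4 channels seeing the other generator's
    pressure exceed this one's by more than the setpoint.
    """
    if not afas_start(low_level_11, low_level_12):
        return None
    if two_of_four(p12 - p11 > DP_SETPOINT_PSID for p11, p12 in pressures):
        return "11"
    if two_of_four(p11 - p12 > DP_SETPOINT_PSID for p11, p12 in pressures):
        return "12"
    return None


def flow_blocked(sg, working_channels):
    """True when every branch to the generator has at least one closed valve."""
    closed = {v for ch in working_channels for v in BLOCK_VALVES[sg][ch]}
    return all(any(v in closed for v in branch) for branch in BRANCHES[sg])


# Constructed readings: S/G #11 depressurizing, one pressure channel reading wrong.
LOW_11 = [True, True, True, False]
LOW_12 = [False, False, False, False]
PRESSURES = [(600.0, 880.0), (610.0, 890.0), (870.0, 880.0), (605.0, 885.0)]

if __name__ == "__main__":
    target = sg_to_block(LOW_11, LOW_12, PRESSURES)
    print("block S/G:", target)
    print("blocked with Channel A only:", flow_blocked(target, ["A"]))
```

With one pressure channel misreading, the 2/4 vote still selects S/G #11, and either actuation channel alone isolates both of its feed branches.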

Protection - Ruptured Piping

To notify the operator of a ruptured pipe in the common portion of discharge piping upstream of the steam generators, logic has been developed to cause an alarm to sound. Comparison of steam generator (S/G) pressure and header pressure is made and whenever the steam generator pressure exceeds the feedwater supply header pressure, an alarm sounds to notify the plant operator and allow him to take remedial action, such as manually initiating the AFAS block signal to the suspect steam generator.

Redundancy (Inter-Unit Cross Tie)

If adequate AFW is not obtained using pumps #11, #12 and #13, the motor-driven pump on the other unit (#2) can be started and the inter-unit cross tie opened by operator action in the control room. This changes the system from a 1/3 to a 1/4 combination and provides additional redundancy if required. This capability has not been included in the modeling of the AFW system, but has been considered as a possible recovery action.

Reliability Considerations

To increase the reliability of the AFWS, several features have been incorporated into the design.

1. To allow operation of the steam-driven AFW pumps during a loss of offsite power, the steam supply valves will be fail-open air operated valves. Each valve actuator will be vented through a three-way DC solenoid valve and will also have a manual three-way valve to allow local manual operation.
2. Redundant alarms, upon receipt of "High Steam Generator Level" signals, will alert the operators to the potential for overfeeding a steam generator.
3. The motor-driven (450 gpm) pump will be fed from bus #11 which is fed by the diesel generators during LOSP.
4. All solenoid valves are DC operated.
5. All isolation and flow limiting valves have accumulators on their air supplies to provide protection during a period when normal air supplies are not available.
6. All controls are safety grade.
7. The motor-driven pumps for Unit #1 and Unit #2 are cross-connected to allow feed by a fourth pump. (This cross-connect must be instituted by operator action.)

B.9.4 Fault Tree Description

B.9.4.1 Success/Failure Criteria

The AFWS supplies water through four branches with flow controlled to 200 gpm in each branch. By neglecting the consideration of partial success in any branch, the total AFWS flow need only be considered for various values from 0 to 800 gpm in multiples of 200 gpm. Successful operation involves providing a flow rate of at least 400 gpm, starting within about 86 minutes after trip of main feedwater (reference: "A revised summary of PWR Loss of Offsite Power Calculations," C. D. Fletcher, EGG-CAAD-5553, EG&G, Idaho, September 1981). This time may vary depending on the specific accident sequence being analyzed (see chapter 8 of the main report).

Successful operation of the AFWS is defined as the supply of a sufficient flow of feedwater to the steam generators so they will perform their function. This function is defined to include removing decay heat and the heat provided by the reactor coolant pumps and also cooling down the primary to be in equilibrium with conditions established by the atmospheric dump valves. Sufficient AFW flow would be provided by any one pump. The fault tree incorporates only two pumps into its success logic since only turbine-driven pump #11 and the motor-driven pump #13 are available upon AFAS initiation. Operator initiation of pump #12 given failure of either of the other pumps will be addressed as a recovery measure.

The simplified drawing of the AFWS, used in the fault tree analysis, is presented in Figure B.9-2. The fault tree developed for the AFWS appears on the appropriate aperture card in the envelope at the back of this report. The data used to quantify the fault trees is shown in Table B.9.5.

B.9.4.2 Major Assumptions

The following assumptions were considered during the construction of the AFW fault tree.

1. Although the capability exists, via manual realignment, to supply water to the suction of the AFW pumps from CST #11, this capability was not included on the fault tree but was treated as recovery.
2. Although the capability exists, via operator action, to utilize AFW pump #23 to provide water to S/Gs 11 or 12, this capability was not included on the fault tree but was treated as recovery.
3. Although the capability exists, via manual action, to open a flow path to bypass any one of the throttling valves, this capability was not included on the fault tree but was treated as recovery.
4. The air-operated steam supply valves were assumed not to be dependent on the Instrument Air System, since the back-up air reservoirs will provide the necessary air pressure to operate these valves for a few hours, and they will then fail open on loss of air.
5. Flow diversion by pipe rupture was considered only in the connections to the steam generators (high-energy lines) and in the suction line to the AFW pumps (sensitive to single failure).

TABLE B.9.1 Maintenance Frequency for Components of Auxiliary Feedwater System for Period 1976-80

| Component | No. of Repairs |
|---|---|
| Aux. Feed Pump #11 | 2 |
| Aux. Feed Pump #12 | 7 |
| Stop Valve #12 | 1 |
| AFW Pump Trip Valve #12 | 2 |
| CST #12 Level Indication | 1 |

Table B.9.2 Auxiliary Feedwater FMEA

| Support System (SS) | System Component Affected | Failure Mode | Component Failure Effect on Subsystem | Effect of SS Failure on Overall System* |
|---|---|---|---|---|
| 4kV Bus #11 | Motor-driven pump 13 | Loss of function | Loss of one out of three AFW pumps | Loss of one train |
| Auxiliary Feedwater Automatic Start System (AFAS), all channels | Motor-driven pump 13 | Loss of automatic control | Loss of automatic control of one out of three AFW pumps | Loss of automatic control of auxiliary feedwater system |
| | Valve CV4070 | Loss of automatic control | Loss of automatic control of steam flow to AFW pumps 11 and 12 | |
| | Valve CV4071 | Loss of automatic control | | |
| 125 V DC Bus #11 | All train A pneumatic valves | Fail open | Turbine pump #11 starts | 1/2 system starts |
| 125 V DC Bus #21 | All train B pneumatic valves | Fail open | Turbine pump #11 starts | 1/2 system starts |
| Instrument Air | All pneumatic valves | Fail open | Turbine pump #11 starts | 1/2 system starts |

* Assuming no recovery.
Table B.9.3 AFW Component Test Summary

| Component | Type of Test | Components That Must Be Aligned Away from ESF Position with No Automatic Return | Test Frequency | Expected Test Outage Time | Frequency of Component Alignment Verification | Source (Test Procedure #) |
|---|---|---|---|---|---|---|
| Pump 11 | Flow | AFW 0103 | Monthly | 1 hour | Monthly | 0-5-1 |
| Pump 12 | Flow | AFW 0117 | Monthly | 1 hour | Monthly | 0-5-1 |
| Pump 13 | Flow | AFW 0904 | Monthly | 1 hour | Monthly | 0-5-1 |
| All manual valves | Position verification | None | Monthly | None | Monthly | 0-93-1 |

Table B.9.4 AFW Maintenance Summary

| Component Undergoing Maintenance | Type of Maintenance | Components Which Must Be Aligned Away from ESF Position with No Automatic Return | Frequency of Component Alignment Verification | Expected Frequency of Maintenance (/hr)* | Expected Outage Time of Maintenance (hrs)* |
|---|---|---|---|---|---|
| Pump 11 | Maintenance Requiring Disassembly | AFW 0101, AFW 0103, AFW M911 | Monthly | 4.6E-4 | 8 |
| Pump 12 | Maintenance Requiring Disassembly | AFW 0115, AFW 0117, AFW M912 | Monthly | 4.6E-4 | 8 |
| Pump 13 | Maintenance Requiring Disassembly | AFW 0902, AFW 0904 | Monthly | 1.7E-4 | 4.64 |
| AFW 4520, AFW 4521, AFW 4522, AFW 4523, AFW 4530, AFW 4531, AFW 4532, AFW 4533 | Pneumatic Valve Maintenance Requiring Disassembly | AFW 0103, 0117; AFW 0162; AFW 0904; AFW 0972; AFW 0103, 0117; AFW 0164; AFW 0904; AFW 0962 | Monthly | 4.9E-5 | 4 |
| AFW 4511, AFW 4512, AFW 4525, AFW 4535 | Pneumatic Valve Maintenance, Externals Only | AFW 0162; AFW 0164; AFW 0972; AFW 0162 | Monthly | 4.9E-5 | 4 |

* Plant specific data

Table B.9.5 AUXILIARY FEEDWATER SYSTEM (AFW) DATA

| Fault Event Name | Sub Event Description | Sub Event Failure Rate (per hr) | Sub Event Exposure Time (hr) | Sub Event Unavail. q | Event Unavail. Q = Σq |
|---|---|---|---|---|---|
| AFW4511-CV-OE, AFW4512-CV-OE, AFW4525-CV-OE, AFW4535-CV-OE | Failure of Operator to Increase Flow thru Valve when it's the only Flow Path | -- | -- | -- | 1.0E-2 |
| AFWA-PIP-LFB, AFWB-PIP-LFB, AFWC-PIP-LFB, AFWD-PIP-LFB, AFWE-PIP-LFB, AFWF-PIP-LFB, AFWG-PIP-LFB, AFWH-PIP-LFB, AFWI-PIP-LFB, AFWM-PIP-LFB, AFWN-PIP-LFB, AFWSP-PIP-LFB | Pipe Blockage (WASH-1400) | 8.5E-10 | 360 | -- | 3.1E-7 |
| AFWA-PIP-LFD, AFWB-PIP-LFD, AFWC-PIP-LFD, AFWSP-PIP-LFD | Pipe Rupture (WASH-1400) | 8.5E-10 | 360 | -- | 3.1E-7 |
| AFW0102-CCC-LF, AFW0129-CCC-LF, AFW0130-CCC-LF, AFW0960-CCC-LF, AFW0963-CCC-LF, AFW0971-CCC-LF, AFW0973-CCC-LF, AFWC9091-CCC-LF, AFWC913X-CCC-LF, AFWC9141-CCC-LF | Check Valve Failure to Open | -- | -- | -- | 1.0E-4 |
| AFW0162-XOC-LF, AFW0164-XOC-LF, AFW0962-XOC-LF, AFW0972-XOC-LF | Manual Valve Failure to Remain Open (Plug) | 1.0E-7 | 487 | -- | 4.9E-5 |
| AFW UtC1-XOC-LF, AFW0101-XOC-LF, AFW0103-XOC-LF, AFW0161-XOC-LF, AFW0903-XOC-LF, AFW0904-XOC-LF, AFWM911X-XOC-LF | Manual Valve Failure to Remain Open (Plug) | 1.0E-7 | 360 | -- | 3.6E-5 |
| AFW4511-NOC-LF, AFW4512-NOC-LF, AFW4520-NOC-LF, AFW4521-NOC-LF, AFW4522-NOC-LF, AFW4523-NOC-LF, AFW4525-NOC-LF, AFW4530-NOC-LF, AFW4531-NOC-LF, AFW4532-NOC-LF, AFW4533-NOC-LF, AFW4535-NOC-LF, AFW3987A-NOC-LF, AFWS903A-NOC-LF | Fails to Remain Open (Plug) | 1.0E-7 | 487 | 4.9E-5 | 1.0E-3 |
| | Command Faults (LER Evaluation) | -- | -- | 1.0E-3 | |
| AFW4070B-NCC-LF, AFW4071A-NCC-LF | Fails to Operate | -- | -- | 3.0E-3 | 4.0E-3 |
| | Command Faults (LER Evaluation) | -- | -- | 1.0E-3 | |
| AFW4511-N-PRMN, AFW4512-N-PRMN, AFW4520-N-PRMN, AFW4521-N-PRMN, AFW4522-N-PRMN, AFW4523-N-PRMN, AFW4525-N-PRMN, AFW4530-N-PRMN, AFW4531-N-PRMN, AFW4532-N-PRMN, AFW4533-N-PRMN, AFW4535-N-PRMN | Pneumatic Valve Maintenance | 4.9E-5 | 4 | -- | 2.0E-4 |
| AFWM911X-X-PRMN | Repairs to CV3989 and 5904 (.2 repairs/yr) | 2.3E-5 | 7 | -- | 1.6E-4 |
| AFW0162-X-FRFM, AFW0164-X-FRFM, AFW0962-X-FRFM, AFW0972-X-FRFM | Failure to Restore after Pneumatic Valve Maintenance | 4.9E-5 x 1.0E-4 | 360 | -- | 1.8E-6 |
| AFW0903-X-FRFM, AFW0904-X-FRFM | Failure to Restore after Motor Pump Maintenance | 1.7E-4 x 4.0E-4 | 360 | -- | 2.4E-5 |
| AFW0101-X-FRFM, AFW0103-X-FRFM | Failure to Restore after Turbine Pump Maintenance | 4.6E-4 x 4.0E-4 | 360 | -- | 6.6E-5 |
| AFW0103-X-FRFT, AFW0904-X-FRFT | Failure to Restore after Pump Test | 1.4E-3 x 4.0E-4 | 360 | -- | 2.0E-4 |
| AFW0161-X-FRFM | Closed Twice/Yr, Failure to Restore | 2.3E-4 x 1.0E-4 | 2 | -- | 4.6E-8 |
| AFW2N103-X-FRFM, AFW3N103-X-FRFM, AFW2N904-X-FRFM, AFW3N904-X-FRFM | Failure to Restore after Pneumatic Valve Maintenance | 4.9E-5 x 1.0E-4 | 360 | -- | 1.8E-6 |
| AFWM911X-X-FRFM | Failure to Restore after TDP Stop or Throttling Valve Maintenance | 4.8E-4 x 4.0E-4 | 360 | -- | 6.9E-5 |
| AFWP11-PTD-LF | Fails to Start (LER Evaluation) | -- | -- | 4.0E-3 | 4.7E-3 |
| | Fails to Run | 3.0E-5 | 24 | 7.0E-4 | |
| AFWP13-PMD-LF | Fails to Start | -- | -- | 3.0E-3 | 3.7E-3 |
| | Fails to Run | 3.0E-5 | 24 | 7.0E-4 | |
| AFWP11-PTD-PRTS, AFWP13-PMD-PRTS | Pump Test (1 per Month for 1 Hour) | 1.4E-3 | 1 | -- | 1.4E-3 |
| AFWP11-PTD-PRMN | Turbine Pump Maintenance (4 Repairs/Yr) | 4.6E-4 | 8 | -- | 3.7E-3 |
| AFWP13-PMD-PRMN | Motor Pump Maintenance | 1.7E-4 | 4.64 | -- | 7.9E-4 |
| AFWP13CL-CBL-LF, CBP13CL-CBL-LF | Open Circuit or Short | 3.3E-6 | 24 | -- | 7.9E-5 |
| CBP13-BOO-LF | Failure to Close | -- | -- | -- | 3.0E-3 |

[Table B.9.5 AUXILIARY FEEDWATER SYSTEM (AFW) DATA (Cont.): final table page, printed rotated; entries not legible in the source scan]

[Figure B.9-1 (sheet 1 of 2): Simplified Schematic of the Auxiliary Feedwater System (AFWS)]

[Figure B.9-1 (sheet 2 of 2): Simplified Schematic of the Auxiliary Feedwater System (AFWS)]

[Figure B.9-2: Simplified Schematic of the AFWS Used in Fault Tree Modeling. Figure note: AFW motor driven pump 13 and corresponding pipe line and valves are part of the AFW future design modifications.]

Appendix B.10
Power Operated Relief Valves

B.10 POWER OPERATED RELIEF VALVES DESCRIPTION

The CC-1 plant is equipped with two Power Operated Relief Valves (PORVs). The PORVs are located on the pressurizer and are a type of electromatic relief valve. These valves are pilot actuated reverse-seated relief valves that use primary system pressure as the motive force to open and close the valve. When the pressure in the primary system exceeds that of the valve setpoint, the pilot valve solenoid is energized. The energizing of the solenoid causes its plunger to actuate an operating lever which in turn opens the pilot valve. The opening of the pilot valve vents the main valve pressure chamber, resulting in a pressure differential across the main valve disc, thereby causing the valve to open and permit the discharge of the primary fluid at full rated flow. Conversely, when the pressure in the primary system drops below the valve setpoint, the solenoid is de-energized. When the solenoid is de-energized, the pilot valve closes and steam is trapped in the chamber above the main valve disc. The trapped steam builds up pressure and forces the main valve disc down on its seat, thereby closing the PORV.

During power operation, the PORVs are actuated whenever the reactor protection system (RPS) high primary pressure trip is actuated by two or more channels of the four channel logic system. The PORVs are actuated by the same bistable trip units which actuate reactor trip on high reactor coolant system (RCS) pressure.

There are normally open motor operated valves (MOVs) upstream of the PORVs. These block valves can isolate the PORVs if seat leakage becomes excessive or the valve fails to reclose.

The setpoint pressure for the PORVs is 2385 psig and the capacity is 153,000 lb/hour.

For Small-small LOCAs and transients where the power conversion system (PCS) and auxiliary feedwater system (AFWS) have failed, the PORVs can be blocked open by removing a bistable; however, this is a complicated operator action and is not in the procedures. Also, there is insufficient analysis to determine whether the PORVs are capable of relieving sufficient pressure to allow the HPSI/R system to function due to the low shut-off head of the HPSI pumps and, at this time, engineering judgement has concluded that this is not a viable mode of operation. For these reasons, "Feed and Bleed" was not modeled in this study.

Each PORV solenoid is powered from a 480 VAC bus: ERV402 from MCC-114R and ERV404 from MCC-104R. The block valves are powered from the opposite 480 VAC bus of the PORV it blocks. Both PORVs require DC BUS 21 (load group B) to actuate a relay to allow AC power to energize the solenoids.

A fault tree was not constructed for failure of the PORVs to open on demand and to reclose when required. Operating experience from CE plants was used to quantify the basic failure modes* and a Boolean equation was used to represent failure of the PORVs and SRVs to open (see the discussion of quantification in Appendix C for the equation). A value of 1E-5 per valve was used for failure to open on demand and a value of 2E-2 per valve was used for failure to reclose.

* PORV Failure Reduction Methods, CEN-145, C-E Power Systems, Combustion Engineering, Inc., Windsor, Connecticut, December 1980.

Appendix B.11
Chemical and Volume Control System

B.11 CHEMICAL AND VOLUME CONTROL SYSTEM DESCRIPTION

B.11.1 Purpose

The Chemical and Volume Control System (CVCS) provides several major functions during startup, normal operation, emergency condition, and shutdown of the reactor. The reactor coolant system boron concentration is normally controlled by the make-up portion of the CVCS; however, there are occasions when it is necessary to borate at a rate that exceeds the normal, maximum capability of the make-up system. In these situations, the CVCS is initiated either by a SIAS or manually to rapidly inject concentrated boric acid into the reactor coolant system.

B.11.2 Description

Two boric acid storage tanks and two boric acid pumps are provided to supply boric acid to the reactor coolant system cold legs 11A and 12B during the emergency injection phase of CVCS operation. A batching tank is provided for convenience in preparing boric acid for make-up to the storage tanks. The two boric acid pumps are started either manually or on a SIAS.

For emergency boration a boric acid direct feed valve, MOV-514, is provided. This is a motor operated valve which comes off the common boric acid pump discharge and supplies concentrated boric acid directly to the charging pump suction header. This valve may be opened by either a SIAS or a handswitch on panel 1C07.

To ensure a concentrated boric acid flow path to the charging pumps during an emergency, gravity feed valves (MOV-508 and MOV-509) were installed to feed boric acid directly to the charging pump suction.

B.11.2.1 Overall Configuration

The CVCS (boron injection) consists of two boric acid storage tanks which provide concentrated boric acid to the charging pumps via either the two boric acid pumps or the two gravity feed lines. A simplified schematic of the emergency injection phase of this system is shown in Figure B.11-1.

Boric Acid Pumps

Each boric acid pump is a single stage centrifugal pump which has a design flow rate of 143 gpm. The pumps are equipped with a minimum flow path back to the boric acid storage tank. The minimum flow is adjusted to about 10 gpm. The minimum flow valves (MOV-510 and MOV-511) are shut by a SIAS or may be shut by a handswitch on 1C07 or manually.

Boric Acid Storage Tanks

Boric acid for the CVCS is furnished by the two boric acid storage tanks, each containing 9500 gallons of boric acid at about 7.25 percent concentration. The concentrated boric acid must be kept hot in order to keep the boric acid in solution. To achieve this, two independent electrical strap-on heaters are provided on each tank. The heaters cycle between 145° and 155°F in automatic mode. There are low and high temperature alarms at 135° and 165°F, respectively.

To ensure a minimum concentrated boric acid level in the tanks, level indication and alarm is provided for each tank.

Charging Pumps

Three charging pumps are supplied from the charging pump suction header. Each pump can be individually isolated for maintenance. Each charging pump has a discharge relief that relieves back to the suction at 2795 psig. This is to protect the pump from overpressure.

Each pump is a three cylinder positive displacement pump capable of providing 44 gpm. The pump requires a minimum NPSH of 9 psia. Each pump is provided with its own handswitch in the control room on 1C07.

B.11.2.2 System Interfaces

Electrical System

All pumps, motor-operated valves and boric acid tank heaters in the CVCS (boron injection) get their motive power from the 480 VAC electrical system. The 120 VAC control power for the system pumps, heaters, and valves is transformed directly from the component's motive power circuit breaker. Table B.11.1 lists the active components of the CVCS (boron injection) and their corresponding electrical buses.

Two independent electrical strap-on heaters are provided on each boric acid tank to keep the concentrated boric acid hot. If the heaters fail (due to some internal problems) to keep the temperature within a set range (145° to 155°F), a low or high temperature alarm would be actuated in the control room. Dependency on electrical heaters has therefore been ignored and not considered in the fault tree analysis.

Actuation System

All active components of the CVCS (boron injection) receive a SIAS signal to actuate. But since CVCS is used to shut down the reactor or to increase the shutdown margin under conditions where RPS and SIAS actions are not initiated, the CVCS has to be started manually.

Charging Pump Cooling

The CVCS charging pumps are cooled by natural circulation of water from head tanks that are located above the pumps. Since this cooling mechanism involves no active components, its contribution to system failure has been ignored.

The support system Failure Modes and Effects Analysis (FMEA) is presented in Table B.11.2.

B.11.2.3 Instrumentation and Control

The Chemical and Volume Control System is utilized in the transient event tree to provide an alternate method of obtaining reactor subcriticality. In such accident conditions, the system is initiated completely manually. The instrumentation of concern in the system is listed below:

1. The boric acid pumps have a local pressure indicator and a low-pressure discharge alarm in the control room.
2. The charging pumps have a local discharge pressure indicator and a flow indicator that can be monitored from the control room. Also, the charging pump discharge header pressure is indicated in the control room.
3. The boric acid storage tanks have low- and high-level indicators. To keep the boric acid at a hot temperature, each tank has two independent electrical strap-on heaters. These heaters can be automatically controlled to cycle between 145° and 155°F. The tank temperature is indicated in the control room.
4. A portion of the flow path from the boric acid tank is heat traced to heat the boric acid remaining in the piping.

B.11.2.4 Operator Actions

The CVCS (boron injection mode) pumps and valves have to be remotely actuated by the operator from the control room during a transient where SIAS and RPS actions are not initiated. Operation of the system in boron injection mode will continue until terminated manually by the operator. Emergency boration may be used to shut down the reactor or to increase the shutdown margin (if the reactor is already shut down) in the event any of the following occur:

1. A slow and uncontrolled cooldown where SIAS or RPS actions are not initiated.
2. The failure of one or more shutdown or regulating group CEAs to drop following a reactor trip.
3. Loss of main feedwater.

Actuation of boration mode of CVCS during the above transients is completely dependent upon operator action. Instructions for emergency boration are given in Emergency Operating Procedure EOP-13. According to EOP-13 the following immediate actions must be taken by the operator:

1. Switch the make-up stop (MOV-512) handswitch to the "SHUT" position.
2. Open the charging pump suction direct feed stop (MOV-514).
3. Switch the make-up mode selector switch to the "BORATE" position. This would start either one of the two boric acid (B.A.) pumps 11 and 12, depending on the B.A. pump selector switch position.
4. Check a boric acid pump running (again the B.A. pump selector switch position decides which pumps would be running).
5. Start all available charging pumps (two charging pumps would satisfy the requirements).

Credit is not given for use of gravity feed lines since the action to open the MOVs on these lines is not mentioned in EOP-13. Also credit is not given for the use of the RWT as another source of boration since manual action is required to open MOV-504 and this is not mentioned as an immediate action in EOP-13.

B.11.2.5 Surveillance

The following CVCS surveillance requirements are specified in Section 4.1.2 of the Technical Specifications.

1. At least two boron injection flow paths shall be demonstrated operable:
   a. At least once per 7 days by verifying that the temperature of the heat traced portion of the flow path from the concentrated boric acid tanks is above the limit temperature.
   b. At least once per 31 days by verifying that each valve (manual, power-operated or automatic) in the flow path that is not locked, sealed, or otherwise secured in position, is in its correct position.
   c. At least once per 18 months during shutdown by verifying that each automatic valve in the flow path actuates to its correct position on a SIAS test signal.
2. At least two borated water sources shall be demonstrated OPERABLE:
   a. At least once per 7 days by:
      1. verifying the boron concentration in each water source (two boric acid storage tanks and refueling water tank),
      2. verifying the contained borated water volume in each water source, and
      3. verifying the boric acid storage tanks solution temperature.
   b. At least once per 24 hours by verifying the RWT temperature when the outside air temperature is < 40°F.

Testing

Testing of CVCS (Boron Injection System) components is performed on a routine basis, both during reactor operations and during shutdown. Only testing during reactor operations is of concern here. Table B.11.3 lists a summary of these tests.

B.11.2.6 Maintenance

Maintenance is performed on the CVCS only on an as-needed basis during reactor operations. All routine periodic maintenance is done while the reactor is shut down. Table B.11.4 lists the relevant information concerning maintenance on active components during reactor operation.

B.11.2.7 Technical Specification Limitations

Technical Specifications (Section 3.1.2) require the following CVCS operability.

1. At least two of the following three boron injection flow paths shall be OPERABLE:
   a. The flow path from the boric acid storage tank 11 via either a boric acid pump or a gravity feed connection and associated heat tracing circuit to the charging pumps header.
   b. The flow path from the boric acid storage tank 12 via either boric acid pump or the gravity feed connection and associated heat tracing circuit to the charging pumps header.
   c. The flow path from the refueling water tank to the charging pumps header. This source is not modeled in the fault tree since it is not used according to EOP-13.

At least two charging pumps shall be OPERABLE to inject the boric acid (from the above two flow paths) into the reactor coolant system when the requirement arises due to a transient.

With only one of the above required boron injection flow paths and one charging pump operable, at least two boron injection flow paths and two charging pumps must be restored to operable status within 72 hours or the reactor must go to hot shutdown within the next 6 hours, and, if not corrected within the next 7 days, to the cold shutdown condition within the next 30 hours.

Maintenance is allowed on the CVCS during power operation if more than two charging pumps (one pump can be out indefinitely) and two boron injection paths (one RWT and one boric acid line) are not taken out of service.

B.11.3 Operation

Operation of CVCS (boron injection) in emergency boration mode is done completely manually. Details of the necessary operator actions are presented in Section B.11.2.4.

B.11.4 Fault Tree Description

A simplified diagram of the CVCS is presented in Figure B.11-2. In order to facilitate the fault tree development, the system has been broken up into piping segments which are labeled.

The fault tree presented on the appropriate aperture card in the envelope at the back of this report utilizes the pipe segment labels in the construction of the fault tree. Data used to evaluate the fault tree events is shown in Table B.11.5. The top gate of the tree is a special gate representing any combination of two of three pump trains required for system success.

B.11.4.1 Success/Failure Criteria

The fault tree presented here uses a success criterion of one of two boric acid pumps providing concentrated boric acid to two out of three charging pumps for injection into the reactor coolant system. Credit was not given for use of the gravity feed lines and RWT as other sources of transferring boron to the charging pumps since they were not mentioned in the Emergency Operating Procedure.

B.11.4.2 Major Assumptions

The following assumptions were considered during the construction of the CVCS fault tree.

1. No credit was given for automatic actuation of the systems since it is believed that there will not be a SIAS signal generated in the transient event tree sequence where there is a requirement for CVCS.
2. Piping failures were neglected unless a single pipe failure leads to the top event.
3. Credit was not given for use of gravity feed lines, since the action required to open the MOVs on these lines is not mentioned in EOP-13.
4. No credit was given for using the RWT as another source of boron. According to EOP-13, the RWT is used only in cases where the operator notices a low level in boric acid storage tanks.
5. Two out of three charging pumps were assumed to provide sufficient flow based on the information obtained from technical specifications and EOP-13.
6. The operator starts only one boric acid pump for emergency boration and verifies that the pump is running.
7. It is assumed that one charging pump is running at all times. Hence, faults of components in segments A, A1, A2, B, C, and D have been neglected in the fault tree analysis, since these segments are assumed to be operational at the time of accident.
8. Testing of valves is neglected since it would not make the pump unavailable.
9. The make-up stop motor-operated valve 512 has not been modeled in the fault tree. This valve should be closed by the operator during emergency boration, but failure to close the valve would not lead to system failure and at most (if make-up pumps are running and MOV-501 is open) could dilute the boric acid flow.
10. The MOV relay contacts (located between breaker and MOV) which actuate the valve have been modeled in the fault tree as circuit breakers using the modular logic.
11. Since one charging pump is assumed running, the maintenance for that pump was distributed equally over the other pumps.
12. A THERP analysis was done to obtain a value for the operator action to start one charging pump, one boric acid pump, and MOV-514. See Section B.19.

Table B.11.1 CVCS Component Electrical Dependencies

| Component | Electrical Bus |
|---|---|
| Charging pump 11 | 480 V BUS 11B |
| Charging pump 12 | 480 V BUS 14B |
| Charging pump 13 | 480 V BUS 14A or 11A depending on disconnect switch lineup (normally aligned to 480 V bus 14A) |
| Boric Acid pump 11 | 480 V MCC 114R |
| Boric Acid pump 12 | 480 V MCC 104R |
| Boric Acid direct feed stop (MOV 514) | 480 V MCC 104R |
| Boric Acid Gravity Feed valves (MOV 508 & MOV 509) | 480 V MCC 114R |
| Boric Acid Tanks 11 & 12, Heater A | 480 V MCC 114R |
| Boric Acid Tanks 11 & 12, Heater B | 480 V MCC 104R |

Table B.11.2 CVCS FMEA

| Support Subsystem | Component Affected | Failure Mode | Component Failure Effect on System | Effect of Support Subsystem Failure on Overall System* |
|---|---|---|---|---|
| Motor Control Center 114R | Boric Acid Pump 11 | Does not run | Boric Acid pump 11 unavailable | 2 out of 2 gravity feed lines and 1 out of 2 Boric Acid pump lines unavailable, and 1 out of 2 heaters (heater A) for tank 11 & 12 fails to operate |
| | MOV 508 | NCFC | MOV-508 gravity feed line unavailable | |
| | MOV 509 | NCFC | MOV-509 gravity feed line unavailable | |
| | Tank 11 & 12 A heaters | Does not operate | Heater A of Boric Acid tanks 11 & 12 fail | |
| Motor Control Center 104R | Boric Acid Pump 12 | Does not run | Boric Acid pump 12 unavailable | Boric Acid direct feed line unavailable, making B.A. pumps 11 & 12 unavailable. Also, 1 out of 2 heaters (heater B) for tank 11 & 12 fails. |
| | MOV 514 | NCFC | Boric Acid direct line unavailable (MOV 514) | |
| | Tank 11 & 12 heater B | Does not operate | Heater B of Boric 11 & 12 fails | |
| 480 V bus 11A | Charging pump 11 | Does not run | Charging pump 11 unavailable | Charging pump 11 unavailable |
| 480 V bus 14B | Charging pump 12 | Does not run | Charging pump 12 unavailable | Charging pump 12 unavailable |
| 480 V bus 14A** | Charging pump 13 | Does not run | Charging pump 13 unavailable | Charging pump 13 unavailable |

* Assuming no recovery.
** Charging pump 13 is normally aligned to 480 V bus 14A.
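The support-system dependencies of Table B.11.1 can be combined with the success criterion of Section B.11.4.1 to find which 480 V supply losses defeat emergency boration. The following is an added illustration, not code from the report: supply assignments are transcribed from Table B.11.1 (normal alignment), only the credited flow path is modeled, and all Python names are assumptions.

```python
"""CVCS emergency boration: 480 V supply losses that defeat the success criterion.

Added illustration, not part of the report. Supply assignments follow
Table B.11.1 (normal alignment); the success criterion is Section B.11.4.1.
"""
from itertools import combinations

# Component -> 480 V supply. Gravity feed valves (MOV 508/509) and tank
# heaters are omitted because the fault tree gives them no credit.
SUPPLY = {
    "CHARGING_PUMP_11": "BUS_11B",
    "CHARGING_PUMP_12": "BUS_14B",
    "CHARGING_PUMP_13": "BUS_14A",    # normal alignment
    "BORIC_ACID_PUMP_11": "MCC_114R",
    "BORIC_ACID_PUMP_12": "MCC_104R",
    "MOV_514": "MCC_104R",            # direct feed stop, stays closed on power loss
}
CHARGING_PUMPS = ("CHARGING_PUMP_11", "CHARGING_PUMP_12", "CHARGING_PUMP_13")
BORIC_ACID_PUMPS = ("BORIC_ACID_PUMP_11", "BORIC_ACID_PUMP_12")
SUPPLIES = sorted(set(SUPPLY.values()))


def components_lost(failed_supplies):
    """Components that lose motive power when the given supplies fail."""
    failed = set(failed_supplies)
    return sorted(c for c, s in SUPPLY.items() if s in failed)


def cvcs_succeeds(failed_supplies):
    """Success: 1 of 2 boric acid pumps, MOV-514 open, 2 of 3 charging pumps."""
    lost = set(components_lost(failed_supplies))
    boric_acid_pump = any(p not in lost for p in BORIC_ACID_PUMPS)
    direct_feed = "MOV_514" not in lost
    charging = sum(p not in lost for p in CHARGING_PUMPS)
    return boric_acid_pump and direct_feed and charging >= 2


def minimal_supply_cut_sets(max_order=3):
    """Smallest sets of supplies whose loss alone fails the system."""
    cut_sets = []
    for order in range(1, max_order + 1):
        for combo in combinations(SUPPLIES, order):
            candidate = frozenset(combo)
            if cvcs_succeeds(candidate):
                continue
            # Skip supersets of a cut set already found at a lower order.
            if any(known <= candidate for known in cut_sets):
                continue
            cut_sets.append(candidate)
    return cut_sets


def fmea_summary():
    """Per-supply view: (components lost, system still succeeds?)."""
    return {s: (components_lost([s]), cvcs_succeeds([s])) for s in SUPPLIES}


if __name__ == "__main__":
    for supply, (lost, ok) in fmea_summary().items():
        print(f"{supply}: lost={lost} system={'OK' if ok else 'FAILED'}")
    for cut in minimal_supply_cut_sets():
        print("cut set:", sorted(cut))
```

The single-supply result for MCC 104R reproduces the Table B.11.2 entry: losing MOV-514 removes the direct feed line, so both boric acid pumps are unavailable to the charging pumps even though pump 11 still has power.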

Table B.11.3 CVCS Component Test Summary Sheet

| Component | Type of Test | Components That Must Be Aligned Away from ESF Position with No Automatic Return | Test Interval | Expected Test Outage Time | Frequency of Component Alignment Verification | Source (Test Procedure No.) |
|---|---|---|---|---|---|---|
| MOV-518 | Stroke | None | Quarterly | 5 minutes | Continuous* | 0-65-1 |
| MOV-519 | Stroke | None | Quarterly | 5 minutes | | 0-45-1 |
| MOV-514 | Stroke | None | Quarterly | 5 minutes | | 0-45-1 |
| MOV-508 | Stroke | None | Quarterly | 5 minutes | | 0-65-1 |
| MOV-509 | Stroke | None | Quarterly | 5 minutes | | 0-45-1 |
| Boric Acid Pump 11 | Flow | None | Monthly | 30 minutes | Monthly | 0-73-1 |
| Boric Acid Pump 12 | Flow | None | Monthly | 30 minutes | Monthly | 0-73-1 |
| Charging Pump 11 | Flow | None | Monthly | 30 minutes | Continuous | 0-73-1 |
| Charging Pump 12 | Flow | None | Monthly | 30 minutes | Monthly | 0-73-1 |
| Charging Pump 13 | Flow | None | Monthly | 30 minutes | Monthly | 0-73-1 |

* Charging pump 11 and MOV 518 and 519 are assumed to be normally operating and failure would result in noticeable effects within a short time. If MOV 514, 508 or 509 were open, the reactor would be shut down due to the pumping of boric acid into the primary.

Table B.11.4 CVCS Component Maintenance Summary Sheet

| Component Undergoing Maintenance | Type of Maintenance | Components Which Must Be Aligned Away from ESF Position with No Automatic Return | Frequency of Component Alignment Verification | Expected Frequency of Maintenance* (per hr) | Expected Outage Time of Maintenance* (hr) |
|---|---|---|---|---|---|
| Charging Pump 11 | Maintenance Requiring Disassembly | Manual valves CVC-106, CVC-164 | Continuous | 3.4E-3 (0)** | 16 |
| Charging Pump 12 | Maintenance Requiring Disassembly | Manual valves CVC-172, CVC-170 | Monthly | 3.4E-3 (5.1E-3)** | 16 |
| Charging Pump 13 | Maintenance Requiring Disassembly | Manual valves CVC-178, CVC-176 | Monthly | 3.4E-3 (5.1E-3)** | 16 |
| Boric Acid Pump 11 | Maintenance Requiring Disassembly | Manual valves CVC-216, CVC-218 | Monthly | 2.6E-4 | 6 |
| Boric Acid Pump 12 | Maintenance Requiring Disassembly | Manual valves CVC-221, CVC-232 | Monthly | 2.6E-4 | 6 |

* Plant specific data.
** Value when pump 11 maintenance distributed over pumps 12 and 13.

Table B.11.5 CHEMICAL AND VOLUME CONTROL SYSTEM (CVCS) DATA

| Event Name | Event / Sub Event Description | Sub Event Failure Rate (per hr) | Sub Event Fault Exposure Time (hr) | Sub Event Unavail. q | Event Unavail. Q = Σq |
|---|---|---|---|---|---|
| CVC0C11A-PMD-LF | Pump Failure to Run | 3.0E-5 | 0.25 | -- | 7.5E-6 |
| CVCOC128-PMD-LF, CVC0C121-PMD-LF, CVCOB12B-PMD-LF, CVCOB11A-PMD-LF | Pump Failure to Start | -- | -- | 3.0E-3 | 3.0E-3 |
| | Pump Failure to Run | 3.0E-5 | 0.25 | 7.5E-6 | |
| CVCOC125-P-PRMN, CVC0C13K-P-PRMN | Charging Pump Maintenance | 5.1E-3 | 16 | -- | 8.2E-2 |
| CVCOB11A-P-PRMN, CVCOB12B-P-PRMN | Boric Acid Pump Maintenance | 2.6E-4 | 6 | -- | 1.6E-3 |
| CVCOC128-B-PRMN, CVC1314B-B-PRMN, CVC0514B-B-PRMN, CVCOB11A-B-PRMN, CVCOB12B-B-PRMN | 400V BKR Maintenance | 1.25E-6 | 4 | -- | 5.0E-6 |
| CVCOC128-CBL-LF, CVC13145-CBL-LF, CVC05145-CBL-LF, CVCOB11A-CBL-LF, CVCOB128-CBL-LF | Cable Fault - Open Circuit | 3.0E-6 | 360 | -- | 1.1E-3 |
| CVCOC128-BOO-LF, CVC13148-BOO-LF | BKR Failure to Operate | -- | -- | -- | 3.0E-3 |
| CVC01711-CCC-LF, CVC0177K-CCC-LF, CVCO2171-CCC-LF, CVC02221-CCC-LF, CVCO2351-CCC-LF | Check Valve Failure to Open | -- | -- | -- | 1.0E-4 |
| CVC01701-VOC-LF, CVC01~21-VOC-LF, CVC01761-VOC-LF, CVC0178X-VOC-LF, CVCO210X-VOC-LF, CVCO214X-VOC-LF, CVC02161-VOC-LF, CVC0218X-VOC-LF, CVCO221X-VOC-LF, CVCO2231-VOC-LF | Manual Valve Failure to Remain Open (Plug) | 1.0E-7 | 360 | -- | 3.6E-5 |
| CVC0170X-X-FRFM, CVC0172X-X-FRFM, CVC0176X-X-FRFM, CVC0178X-X-FRFM | Failure to Restore after Charging Pump Maintenance | 5.1E-3x1.0E-4 | 360 | -- | 1.8E-4 |
| CVCO216X-X-FRFM, CVCO218X-X-FRFM, CVCO221X-X-FRFM, CVCO223X-X-FRFM | Failure to Restore after Boric Acid Pump Maintenance | 2.6E-4x1.0E-4 | 360 | -- | 9.3E-6 |
| CVC000GI-PIP-LFB | Pipe Blockage or Rupture | 1.0E-10 | 360 | -- | 3.6E-8 |
| CVC0011-TNK-LF, CVC0012-TNK-LF | Tank Faults (Rupture) (WASH-1400) | 8.5E-10 | 4 | -- | 3.4E-9 |
| CVCSTART-HSF-OE | Operator Fails to Start CVCS | -- | -- | -- | 0.5 |
| CVCCC123-CBL-LF, CVCC1314-CBL-LF | Cable-Open Circuit | 3.0E-6 | 360 | 1.1E-3 | 3.3E-3 |
| | Either of 2 Fuses Fail Open | 3.0E-6x2 | 360 | 2.2E-3 | |
| CVCOC12B-BOO-CC, CVC13148-BOO-CC | Pump Control Circuit Faults | -- | -- | -- | 1.7E-4 |
| CVCl314B-DFO-LF | Disconnect Switch Failure | -- | -- | -- | 1.0E-4 |
| CVCl3145-DFO-CC | Disconnect Switch Contact Failure | 3.0E-8 | 360 | -- | 1.1E-5 |
| CVC05148-BCO-LF, CVCOB11A-BCO-LF, CVCOB12B-BCO-LF | BKR Premature Transfer | 1.0E-6 | 360 | -- | 3.6E-4 |
| CVCR5148-BOO-CC, CVCRBilA-BOO-CC, CVCRB12B-BOO-CC | Control Circuit Faults (MOV Type) (derived from circuit Model) | -- | -- | -- | 2.5E-3 |
| CVC0514B-VCC-LF | MOV Fails to Operate | -- | -- | -- | 3.0E-3 |
| CVC0514B-V-PRMN | MOV Maintenance | 3.6E-6 | 7 | -- | 2.5E-5 |
| CVC221Y-HS-LF, CVC221Z-HS-LF, CVC2261-HS-LF, CVC226Y-HS-LF, CVC2514-HS-LF | Local Fault of Hand Switch | -- | -- | -- | 3.0E-5 |

[Figure B.11-1: Simplified Schematic of the Chemical Volume and Control System (CVCS)]

[Figure B.11-2: Simplified Schematic of CVCS Used in Fault Tree Modeling]

Appendix B.12
Code Safety Valves

B.12 CODE SAFETY VALVES

The Calvert Cliffs Unit 1 is equipped with two code safety relief valves on the pressurizer. These valves are entirely mechanical devices. Their set points are 2500 and 2565 psia. At least one valve must be operable when the plant is at power. Testing or maintenance can only be accomplished when the plant is at a cold shutdown.

A fault tree was not constructed for these valves; operating experience for code safety valves was used for quantification. A probability of 1E-5 was used for failure of a code safety valve to open and 1.2E-3 per valve for failure to reclose.

Appendix B.13 Emergency Electrical Power System

B.13 EMERGENCY ELECTRICAL POWER SYSTEM

B.13.1 Purpose

The CC-1 Emergency Electrical Power System consists of both the emergency AC system and the 125V DC system. The purpose of the emergency AC system is to provide electrical power to components in vital systems which are needed to mitigate the consequences of LOCAs and transients. Among these vital systems are those which shut the reactor down, remove the decay and sensible heat of the reactor coolant and the containment building, and limit the release of radioactive material from containment. The AC system is required for the operation of pumps, fans, and MOVs in these systems. The only exceptions to this are the turbine-driven emergency FW pumps and DC-operated valves. In addition, the AC system supplies power to the DC power system via four battery chargers.

The 125V DC system provides continuous power for control, instrumentation, reactor protection, and ESFAS. Also, as a part of its function, the DC power system creates the field flashing and controls the diesel generator for the emergency AC electrical system. In addition, it provides control power to the emergency AC circuit breakers for the 4160V switchgear and powers the control valves in the AFWS.

B.13.2 Description

The Emergency AC System is composed of two trains, each consisting of a diesel generator (DG), 4160V switchgear, 480V load centers and motor control centers, 120V instrumentation panels, and associated transformers and circuit breakers. The DC system is composed of four separate trains, each comprising a 125V battery, bus, and control panels. They supply power for vital instrumentation, distribution panels, emergency lighting, and motors. In addition to the batteries, the DC system is also supplied from the emergency AC electrical system through the battery chargers. A simplified diagram of the entire electrical system at CC-1 is shown in Figure B.13-1.

B.13.2.1 Overall Configuration

The emergency AC system consists of diesel generators 11 and 12, 4160V buses 11 and 14, 480V buses 11A, 11B, 14A, and 14B, motor control centers 104R and 114R, 120V vital instrumentation buses 11, 12, 13, and 14, and the associated circuit breakers, transformers, and instrumentation.

There are two major sources of power to the emergency AC system, offsite and onsite power. The normal supply is via the 4kV switchgear connection to the 13 kV buses and consequently from the 13 kV buses to the 500 kV buses. The 500 kV red and black buses are energized from the two offsite 500 kV transmission lines which are connected to BG&E Company Power System or from the main generators of units 1 and 2. Another source of offsite power is a 69 kV transmission line which can be connected to the 13 kV buses as a recovery source during a loss of both normal offsite power sources. The second source of power is that of the diesel generators, DG11 energizing 4kV bus 11 and DG12 energizing 4kV bus 14. In such an event, the circuit breakers linking 4kV buses 11 and 14 to 12 and 13, respectively, open and the breakers connecting the two diesel generators to the emergency AC 4kV buses close. Both these actions, as well as the sequenced pickup of the critical loads, are automatic.

The emergency diesel generator system for unit 1 consists of two 4160V, 3-phase, 60-cycle diesel generators with a nominal continuous rating of 2500 kV each. The emergency diesel generators are designed to reach rated speed and voltage and to start accepting load within 10 seconds after receipt of a start signal, and to be capable of carrying full load within 30 seconds after output breaker closure. One diesel generator can supply the minimum requirements for the plant's engineered safety features equipment. The auxiliaries of each diesel generator are powered or controlled by their respective AC or DC trains (i.e., odd for odd, even for even).

The following events are automatically initiated by the trip of the Engineered Safety Features Actuation System (ESFAS) channels A and/or B:

1. Each diesel generator, if not already running, and if available, is automatically started.
2. The associated 4kV bus tie breaker is automatically opened.
3. If the associated 4160V Engineered Safeguard bus is being fed from the main bus and voltage is normal, any ESFAS initiated loads on that bus, which are in operation prior to the trip signal, continue running. The other initiated loads commence in sequence according to the individual time-delay circuitry. The diesel generator breaker is prevented from closing, yet the diesel remains running in case normal power is lost.
4. If the associated 4160V Engineered Safeguard bus is being fed only from the diesel generator and bus voltage remains normal, the ESFAS operated loads are applied sequentially.

Additionally, the diesel generators are automatically started upon loss of normal power to the 4160V buses. Specifically, undervoltage on bus 11 opens the breaker tie between itself and bus 12, starts DG 11, and closes its breaker to bus 11. Similarly, undervoltage on bus 14 results in opening of the tie breaker between bus 13 and 14, starts DG 12, and closes its breaker to bus 14. These tie breakers do not require control power to open and they have to be closed manually.

Each diesel generator is supplied with a complete starting air system which includes a compressor, air receiver tanks, relief valves, starting air solenoid valves, pressure switches and gauges. DG 11 is supplied with a compressor driven only by an electric motor. DG 12 is provided with a dual drive compressor. The compressor can be driven by either an electric motor or by a small diesel engine. The shift from one driver to another must be done manually. Each compressor charges two air receiver tanks; each set of tanks can automatically start its diesel, and the air is discharged to the air starters through the two DC controlled solenoid valves. Both solenoid valves are normally closed (energized to open) and are equipped with a manual override to permit starting the engine in case of loss of the 125V DC control power source or in case of other problems in the valve's control circuitry.

After an emergency start of the diesels, we must have some means of loading down the diesels without too much delay, yet still slow enough such that the diesel and its associated controls can keep up with the load changes. This is accomplished by use of sequencers which start the equipment in a sequential manner. The sequencer consists of timer devices which start the necessary plant components after a given amount of time has elapsed since the diesel output breaker closed in on its safety feature bus.

There are two conditions which require that the emergency diesels carry the electrical load; one is the loss of coolant incident (LOCI) accompanied by a loss of power, the other case is a loss of power without a LOCI. There are thus two sequencers required, the LOCI sequencer which is a six-step sequencer and the shutdown sequencer which is a three-step sequencer. The first step from each sequencer occurs five seconds after the closure of the emergency diesel generator output breaker, with five-second intervals between successive steps. For further detail, reference should be made to the section on the ESFAS.

During LOCI conditions accompanied by simultaneous loss of preferred power, the LOCI sequencer will start automatically to load sequentially the diesel generators. Similarly, the shutdown sequencer for the nonaccident unit will start automatically. The LOCI sequencers initially block the SIAS and the CSAS to the equipment to be sequenced and then unblock in programmed steps. The LOCI sequencer's 11 steps for bus 11 are shown in Table B.13.1.

Each diesel generator is equipped with various local and control room alarms. Electrical instruments are provided in the control room and at the diesel generator for surveillance of generator voltage, frequency, power, and reactive volt-amperes. The following functions automatically trip the diesel generator:

1. Start Failure Relay
2. Engine Overspeed (1037-1067 RPM)
3. High Jacket Coolant Temperature (2/3 logic)
4. Low Jacket Coolant Pressure (2/3 logic)
5. Low Lube Oil Pressure (2/3 logic)
6. High Crankcase Pressure (2/3 logic)
7. Loss of Field
8. Generator Differential
9. Generator Ground Overcurrent

Reverse power and underfrequency protection are provided but are made permissive to trip only upon diesel generator synchronization to the normal auxiliary power supply. Jacket coolant pressure and temperature trips are blocked by an SIAS signal.

The diesel generators require cooling from the SRWS for their operation. Without such cooling, they can only run for several minutes. Loss of such cooling directly causes a diesel trip, by causing high jacket coolant temperature. Each SRW loop cools one of the diesel generators.

The 480V portion of the emergency AC system contains four 480V load centers 11A, 11B, 14A and 14B. These buses serve safety related components and safety related motor control centers 101AT, 101BT, 104R, and 114R. These load centers and motor control centers are supplied power under all conditions as they can be supplied from separate diesel generators through the 4160V buses.

DC System

The 125V DC and 120V AC system for the two plants are divided into four independent and isolated channels. Each channel consists of one battery, two battery chargers (one per plant), one DC bus, multiple DC unit control panels, two inverters (one per plant), and two 120V AC vital instrumentation and control buses (one per plant). Power to the DC bus, DC unit control panels, and inverters is supplied by the station batteries and/or the battery chargers. The two battery chargers of a single channel are fed from separate ESF 480V load centers (one in unit-1 and the other in unit-2). The 125V DC buses 11 and 21 feed the majority of DC equipment. They are the sources of control power for the two channels of switchgear throughout the plant auxiliary system.

The 120V vital AC provided for each unit has four separate instrument buses which provide power for vital AC instrumentation and control (120 VAC buses 11, 12, 13, 14). Each bus is supplied by an inverter with its own DC feeder. The four DC to AC inverters are provided with associated distribution switchboards and manual transfer switches. The inverters are supplied from floating storage batteries. They maintain a constant output voltage and frequency over the normal range of battery voltage. A manual transfer switch mounted in the inverter enclosure is provided so that the inverter may be taken out of service for maintenance. The switch transfers the vital load to the alternate AC supply.

B.13.2.2 System Interfaces

Table B.13.2 lists the interfaces which other systems have with the emergency AC and DC power system and the effect of component failures within those systems on the emergency AC and DC power system. These systems provide supportive functions to the diesel generators, such as cooling, ventilation, and actuation. Furthermore, it should be noted that the dependency of AC on DC system is developed to include only the battery faults without the bus interfaces in between. This is done for future analytic purposes so that the fault tree will be a closed set and not a loop (i.e., a loop would occur where Component A requires the operation of Component B which requires the operation of Component A).

B.13.2.3 Instrumentation and Control

The emergency AC electric power system continuously operates, with the exception of the diesel generators, so that the status of the system is always displayed. In addition, there is much instrumentation connected to the diesel generators and their required support subsystems, so that their availability is constantly known. In the event of a plant emergency, the control of the AC system is automatic, although if a failure occurs, manual control is both possible and required. Table B.13.3 lists the various instrumentation and controls confirming the availability and reliability of the diesel generator subsystems, which are the only portions of the system in standby.

Indirect instrumentation for, and display of, the emergency AC system operation is provided by the performance of the systems and components powered by it. For example, the operation, or lack, of the battery chargers and inverters in the DC system, could indicate the status of emergency AC motor control centers, load centers, and switchgears.

Any malfunction in the DC system, which is in continuous operation when the reactor is not shutdown, is annunciated by lights and/or alarms. In addition, the status of various components using control power is continually given.

B.13.2.4 Operator Actions

Except for recovery, no operator actions are necessary for the emergency AC or DC system operation because the systems continuously operate except for the diesel generators. The diesel generators are automatically started upon loss of offsite power or on an SIAS signal. Operator recovery actions are discussed in Section B.13.1.3.

B.13.2.5 Surveillance

Few tests are conducted at power on the emergency AC or DC system although, with the exception of the diesel generators, the system performance is continuously tested. For example, the engineered safety equipment is frequently tested, and some of the equipment needs AC and/or DC power. Thus each test of such components is in fact a test of AC and/or DC system. In addition, tests that are performed on the diesel generators and on some of the DC equipment during power operation are listed in Table B.13.4.

Also during refueling, tests are done on the diesel generators, batteries, and other components of the electrical system and prior to startup, all breakers are verified to be in their desired position.

B.13.2.6 Maintenance

No scheduled maintenance affecting system operation is performed while the reactor is at power. However, components are maintained on demand, subject to the restraints of the technical specifications described in Section B.13.2.7.

In the emergency DC system, maintenance can be performed on the batteries, battery chargers, and inverters. Again, the bus maintenance was not considered here for two reasons. First, the bus components are passive components and as such have little to maintain. Secondly, should one of the system buses actually require maintenance during power operation, it is highly likely that a scram would have already occurred due to the failure of the equipment and instrumentation powered and controlled by the various DC buses. Battery maintenance was not considered, since the plant has a fifth battery which is to be used as a backup. Thus for battery maintenance to impact system reliability, the backup battery must also be undergoing repair (a rare event). Lastly, inverter and battery charger maintenance were not considered since there was no plant-specific data supporting such unscheduled maintenance acts on these components. Maintenance activities which are herein analyzed are listed in Table B.13.5.

B.13.2.7 Technical Specification Limitations

CC-1 Technical Specifications regarding the emergency AC and DC system during reactor operation are provided in Sections 1 through 3 below.

1. As a minimum, the following AC electrical power sources shall be operable:

a. Two physically independent circuits between the offsite transmission network and the onsite class 1E distribution system, and

b. Two separate and independent diesel generators (one of which may be a swing diesel generator capable of serving both Unit 1 and Unit 2) each with:

1). Separate day fuel tanks containing a minimum volume of 375 gallons of fuel,
2). A common fuel storage system consisting of two independent storage tanks each containing a minimum volume of 18,250 gallons of fuel, and
3). A separate fuel transfer pump.

The exceptions to the above requirements are:

a. With either an offsite circuit or diesel generator of the above required AC electrical power sources inoperable, demonstrate the OPERABILITY of the remaining AC sources within one hour and at least once per 8 hours thereafter; restore at least two offsite circuits and two diesel generators to OPERABLE status within 72 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.
b. With one offsite circuit and one diesel generator of the above required AC electrical power sources inoperable, demonstrate the OPERABILITY of the remaining AC sources within one hour and at least once per 8 hours thereafter; restore at least one of the inoperable sources to OPERABLE status within 12 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours. Condition a. above applies from this point on.
c. With two of the above required offsite AC circuits inoperable, demonstrate the OPERABILITY of two diesel generators within one hour and at least once per 8 hours thereafter, unless the diesel generators are already operating; restore at least one of the inoperable offsite sources to OPERABLE status within 24 hours or be in at least HOT STANDBY within the next 6 hours. With only one offsite source restored, instructions of condition a. apply.
d. With two of the above required diesel generators inoperable, demonstrate the OPERABILITY of two offsite AC circuits within one hour and at least once per 8 hours thereafter; restore at least one of the inoperable diesel generators to OPERABLE status within 12 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours. At this point, the instructions of condition a. apply for restoration of both offsite circuits and the two diesel generators.

2. The following AC electrical buses shall be OPERABLE and energized from sources of power other than the diesel generators with tie breakers open between redundant buses:

4160 volt Emergency Bus #11
4160 volt Emergency Bus #14
480 volt Emergency Bus #11A or 14B
480 volt Emergency Bus #14A or 11B
120 volt AC Vital Bus #11
120 volt AC Vital Bus #12
120 volt AC Vital Bus #13
120 volt AC Vital Bus #14

With less than the above complement of AC buses OPERABLE, restore the inoperable bus to operable status within 8 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

3. The following DC bus trains shall be energized and OPERABLE:
a. 125V DC bus #11, a 125V DC battery bank, and a full capacity charger.
b. 125V DC bus #12, a 125V DC battery bank, and a full capacity charger.
c. 125V DC bus #21, a 125V DC battery bank, and a full capacity charger.
d. 125V DC bus #22, a 125V DC battery bank, and a full capacity charger.

The exceptions to the above requirements for the DC system are:

a. With one 125V DC bus inoperable, restore the inoperable bus to OPERABLE status within 2 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

b. With one 125V DC battery and/or its charger inoperable, except during surveillance testing, restore the inoperable battery and/or charger to OPERABLE status within 2 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours. This condition does not take into account the backup battery which has been recently added to the plant.

B.13.3 Operation

Most of the emergency AC and DC system is in continuous operation and, as such, is not initiated in response to an abnormal situation. The exception to this is the operation of the diesel generators, which are in STANDBY, awaiting a start signal. As noted before, the automatic actuation of the diesel generators can result from any one of three signals: SIAS initiation (SIAS channel A for DG11 and A or B for DG12), undervoltage on the 4160V bus 11 for DG11, and bus 11 or 14 for DG12. The diesel generators can also be started manually. Although any of the three starts the diesels, only the undervoltage signal closes the diesel generator breakers to the 4160V buses.

B.13.4 Fault Tree Description

The fault tree for the emergency AC and DC system is discussed in this section. The simplified system configuration is shown in Figure B.13-2. The cross-ties between different buses are not shown since they are normally left open and involve operator actions to close, and thus are acts of recovery. The fault tree is given on the appropriate aperture card in the envelope at the back of this report. The tree does not have a single top event; rather, the four 120V AC buses and the two 480V MCCs constitute the top events of the emergency AC and DC system fault tree. The fault tree development for other buses and the diesel generator are presented as subtrees for the above six top events. The fault trees of other safety systems are developed down to the specific, powering bus, and hence, the associated circuit breakers are part of the other systems. The failure data used to evaluate the fault tree appears in Table B.13.6. The rest of this section discusses the success/failure criteria and the assumptions used in developing the fault tree.

B.13.4.1 Success/Failure Criteria

The emergency AC and DC system is a support system, and as such has no overall success/failure criteria. Rather, it performs its function if a minimum set of mitigating components and instruments are powered by it for a given accident scenario. This minimum set is defined by the accident scenario and the success/failure criteria of the front line mitigating system.

B.13.4.2 Major Assumptions

The major assumption of this analysis is the configuration which is used for the emergency AC and DC system (Figure B.13.2). For example, the buses are assumed not to be cross-tied.

Room cooling and ventilation is assumed in the tree to be needed by the diesel generators. Cooling is assumed not to be needed by the switchgears, load centers, motor control centers, and the batteries. Since the loads following an accident will be lower, adequate ventilation can be obtained by opening doors and the time required to heatup is significantly longer.

For the diesel generators, the room cooling and ventilation, the SRW, and the undervoltage system trees are in another section as a support system. To eliminate the loop problems between the diesels and these systems, however, the buses powering the components in these systems will be developed -- in the merging stage -- to include only the local faults of buses in the emergency AC system (see Appendix C for a more detailed discussion of the logic loop problem).

Another assumption concerns the loop problem between the diesel generators and the DC control power. DC control power is needed for the circuit breakers between the diesel generators and their respective 4160V switchgear and for the diesel generators themselves. Hence, the dependency of the diesel generators and their circuit breakers on the DC power was developed to include the battery faults, and not the DC bus faults. By transferring directly to the battery instead of the actual DC bus, the local faults for the buses and circuit breakers in the control power path to a battery are included and the loop problems are avoided.

Further assumptions concern the diesel generators, specifically in regard to their actuation and air start systems. The lubrication system and the fuel supply system are assumed to be part of the diesel generator itself, not an auxiliary, and thus lubrication and fuel supply failure is a local fault of the diesel generator failure to run, given its start. Diesel generator #11 is assumed to start on an SIAS or undervoltage signal and align to unit 1 on an undervoltage signal. Diesel generator #12 is assumed to start on an SIAS or undervoltage signal but is assumed to require operator action to align. The reason for this was to simplify the fault tree construction while at the same time trying to reflect the possible interactions between unit 1 and 2 during a loss of offsite power event. Given a simultaneous LOSP at both units, DG #12 may align randomly or not at all unless there is an SIAS signal from one of the units. Therefore, by assuming operator action is required, we are conservative in all cases.

The modeling of the air start system assumes that the air receiver tanks are charged. The failure of the air start is then from two possible events: failure of the diesel to start or failure of control power. The former includes both sets of air receiver tanks failing for each diesel (a double event with low probability), and the failure to open of either of the two solenoid valves. Both solenoid valves for each diesel are energized to open through the same circuit breaker by DC control power.

Other assumptions concern testing and maintenance. No testing is included in the tree if it is done at SHUTDOWN. To restore power, the system will have to be aligned properly following the test. Bus, battery, battery charger, and inverter maintenance terms have been neglected, as discussed in Section B.13.1.2.6.

The final assumptions in the construction of the fault tree concern the DC power system. Manual recovery actions are not allowed (also true for emergency AC system). Only automatic switching is considered. The DC system fault tree is developed down to the DC buses and does not include failure of DC control panels and associated fuses and cables. Also, other safety system fault trees are developed to the DC buses and bypass the intermediate cables, fuses, and control panels.
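The logic-loop problem and the battery-transfer fix described in Section B.13.4.2 can be reproduced on a small tree. The following Python sketch is an added illustration, not part of the report: the event names and the tree structure are simplified assumptions, not the CC-1 fault tree on the aperture card.

```python
"""Added illustration (not from the report): a logic loop between the diesel
generator and DC control power, and the battery-transfer fix of B.13.4.2.
All event names and the tree structure are simplified assumptions."""
from itertools import product

TOP = "LOSS_4KV_BUS_11"


def build_tree(dg_control_power):
    """Return {event: (gate, inputs)}. OR: any input fails the event.
    AND: all inputs must fail. Events not in the dict are basic events."""
    return {
        "LOSS_4KV_BUS_11": ("OR", ["BUS_11_LOCAL", "NO_SUPPLY_4KV_11"]),
        # The bus is lost only if offsite power AND the diesel are both lost.
        "NO_SUPPLY_4KV_11": ("AND", ["LOSP", "DG11_FAILS"]),
        "DG11_FAILS": ("OR", ["DG11_LOCAL", dg_control_power]),
        # Naive control power dependency: the DC bus, fed by battery or charger.
        "LOSS_DC_BUS_11": ("OR", ["DC_BUS_11_LOCAL", "NO_SUPPLY_DC_11"]),
        "NO_SUPPLY_DC_11": ("AND", ["BATTERY_11_FAILS", "CHARGER_11_FAILS"]),
        "CHARGER_11_FAILS": ("OR", ["CHARGER_11_LOCAL", "LOSS_480V_BUS_11A"]),
        "LOSS_480V_BUS_11A": ("OR", ["BUS_11A_LOCAL", "LOSS_4KV_BUS_11"]),
        # Fix: transfer directly to the battery, keeping only local faults
        # of the control power path (here a single DC bus local fault).
        "DG11_CONTROL_VIA_BATTERY": ("OR", ["BATTERY_11_FAILS", "DC_BUS_11_LOCAL"]),
    }


def find_cycle(tree, top):
    """Return the list of events forming a logic loop reachable from top
    (first and last element equal), or None if the tree is loop-free."""
    path, on_path, done = [], set(), set()

    def visit(event):
        if event in on_path:
            return path[path.index(event):] + [event]
        if event in done or event not in tree:
            return None
        path.append(event)
        on_path.add(event)
        for child in tree[event][1]:
            loop = visit(child)
            if loop:
                return loop
        path.pop()
        on_path.discard(event)
        done.add(event)
        return None

    return visit(top)


def minimal_cut_sets(tree, top):
    """Top-down expansion to minimal cut sets (sets of basic events)."""
    if find_cycle(tree, top):
        raise ValueError("fault tree contains a logic loop")

    def expand(event):
        if event not in tree:
            return {frozenset([event])}
        gate, inputs = tree[event]
        parts = [expand(i) for i in inputs]
        if gate == "OR":
            sets = set().union(*parts)
        else:  # AND: take one cut set from every input and merge them
            sets = {frozenset().union(*combo) for combo in product(*parts)}
        # Drop any cut set that strictly contains another one.
        return {s for s in sets if not any(o < s for o in sets)}

    return expand(top)


if __name__ == "__main__":
    looped = build_tree("LOSS_DC_BUS_11")
    print("loop:", " -> ".join(find_cycle(looped, TOP)))
    fixed = build_tree("DG11_CONTROL_VIA_BATTERY")
    for cut_set in sorted(minimal_cut_sets(fixed, TOP), key=sorted):
        print(sorted(cut_set))
```

With the transfer in place, the DC bus tree can also be solved, and it yields the pair LOSP plus battery failure as a cut set, which is the AC-to-DC coupling the naive model could not evaluate.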

Table B.13.1 LOCI Sequencer Steps

Sequencer Step No. | Time (Seconds) | Service
 | 0 | Power Transformer for 208/120V Instrumentation Buses; Diesel Fuel Transfer Pump; Penetration Room Exhaust Fans; Diesel Generator Room Exhaust Fan; Control Room Fans; Control Room Condenser Fans; Motor-Operated Valves; ECCS Pump Room Air Coolers; ECCS Pump Room Exhaust Fans; Battery Chargers 11 and 14; Boric Acid Storage Tank Heaters; Heat Tracing System 11
1 | 5 | High Pressure Injection Pump 11
2 | 10 | Low Pressure Injection Pump 11; Charging Pumps 11 and 13; Boric Acid Pump 11
3 | 15 | Containment Air Coolers 11 and 23; Containment Spray Pump 11
4 | 20 | Service Water Pump 11; Component Cooling Water Pump 11; Containment Filter Units 11 and 13
5 | 25 | Salt Water Pump 11
6 | 30 | Control Room AC Compressor 11; Instrument Air Compressor 11

Note: At time 0 seconds, the generator breaker is closed and the loads listed for the 0-second time step are automatically energized independent of sequencer action.

Table B.13.2 Electrical Power Support System FMEA

SUPPORT SUB-SYSTEM | COMPONENT AFFECTED | FAILURE MODE | COMPONENT FAILURE EFFECT ON SYSTEM* | EFFECT OF SUPPORT SUB-SYSTEM FAILURE ON OVERALL SYSTEM*
Service Water System Loop A | DG 11 | Overheating | Train A of Emergency AC System is lost, if LOSP | Train A of Emergency AC System is lost, if LOSP
Service Water System Loop B | DG 12 | Overheating | Train B of Emergency AC System is lost, if LOSP | Train B of Emergency AC System is lost, if LOSP
Diesel Generator Room Cooling and Ventilation A | DG 11 | Generator overheat | Train A of Emergency AC System is lost, if LOSP | Train A of Emergency AC System is lost, if LOSP
Diesel Generator Room Cooling and Ventilation B | DG 12 | Generator overheat | Train B of Emergency AC System is lost, if LOSP | Train B of Emergency AC System is lost, if LOSP
Starting Air System for DG 11 | DG 11 | Fail to start | Train A of Emergency AC System is lost, if LOSP | Train A of Emergency AC System is lost, if LOSP
Starting Air System for DG 12 | DG 12 | Fail to start | Train B of Emergency AC System is lost, if LOSP | Train B of Emergency AC System is lost, if LOSP
SIAS Train A Actuation | DG 11 | Fails to start | DG 11 will not receive SIAS signal to start | DG 11 will not start on SIAS, but it can still be started by undervoltage Train A
SIAS Train A Actuation | DG 12 | Fails to start | DG 12 will not receive SIAS Train A signal to start | DG 12 will not start on SIAS Train A, but it can still be started by SIAS Train B or undervoltage Train A or B
SIAS Train B Actuation | DG 12 | Fails to start | DG 12 will not receive SIAS Train B signal to start | DG 12 will not start on SIAS Train B, but it can still be started by SIAS Train A signal or undervoltage signal Train A or B
Undervoltage Train A (on 4kV bus 11) | DG 11 | Fail to start | Any of these failures causes the emergency AC train A to be lost, if LOSP occurs. | Although DG 11 can still be automatically started by SIAS channel A (if SIAS triggers), since the breaker will not close without an undervoltage signal, the emergency AC train A will be lost
 | Circuit Breaker 152-1103 | Fail to close | |
 | Circuit Breaker 152-1115 | Fail to open | |
 | DG 12 | Fail to start | Emergency AC train B will still be available if undervoltage train B is triggered. | Emergency AC train B will still be available if undervoltage train B is triggered.
 | Circuit Breaker 152-1404 | Fail to close | |
 | Circuit Breaker 152-1414 | Fail to close | |
Undervoltage Train B (on 4kV bus 14) | DG 12 | Fails to start | Emergency AC train B will still be available if undervoltage train A is triggered | Emergency AC train B will still be available if undervoltage train A is triggered
 | Circuit Breaker 152-1404 | Fail to close | |
 | Circuit Breaker 152-1414 | Fail to open | |

* Assuming no recovery.

r Table 3.13.3 Electrical Power system lastrumentation DEVICE INSTRUMENT NUMBER SrT POI NT VENDOR NO. IN DIESEL CEN. DIESEL GEN. NORMAL PARENTEEs!s 50. Il NO. 12 ALARM RSsET RANGE Engine Overspeed 0-ss-4847 0-53-4849 Engine trip at O Trip 1037-1067 RPM (sos) speed switch 0-ss-4848 0-s8-4850 operates at 250 (Esw) RPM to shut off starting air Jacket coolant 0-Ps-4802 0-PS-4806 12 poi preseure Lo 0-PS-4403 0-P5-4407 14 psi ( CPL-1, CFL-2, CPL-3) 0-P5-4004 0-PS-4808 16 poi Jack et coolant 0-Ts-4003 0-TS-4007 195'P temperature high 0-Ts-4854 0-TS-4808 200*P 170*P - 183*P ( CTu-1, CTB-2, CTB-3) 0-Ts-4805 0-TS-4809 205*t Jacket coolant 0-Ts-4802 0-?S-4806 90*P temperature LO (CTLA) Jacket coolant 0-TC-4802 0-TC-4804 'ON* - 100*P heater control *0PP' - 110*P ( CMT) Jacket coolant 0-LS-4802 0-LS-4806 3 inches erpansion tank from bottom level Lube oil pressure 0-PS-4780 0-PS-4788 le pet 20 paa LO O-PE-4781 0-P5-4789 10 pel 20 pai (OPL-1, OPL-2, OFLe3) 0-Ps-4782 0-PS-4790 20 pet 22 pal Lube oil preseure engine run evitch 0-PS-4779 0-P8-4707 shut 8 4 pot-(OPS) Sect up for engine epeed evitch O B.13-16

1 Table 3.13.3 Bloctrieel peuer System Instrumentatica (continued)

                                        -Ka                                      --                                                      -- luT N NO. IN                               DISSE GB.              BItsE 05.                                                                    INARAL l  .

PASWTEMIs NO. 11 30. 12 ALARM MSET RANGE Lebe ett temp. high 6-TS-4770 0-To-4706 230't 220*F (OTM) Lebe oil temp. Ian 0-tJ-4700 0-Ts 470s 10S*F 110'r - (OTLA) Lube 011 bester contre! 0-TC-4779 0-TC-4707 *0u' - 13$'t , (CET) '0FF' = 140'r ' Lube 011 Day Tank leve! = low 0-LS-4701 0-La-4709 12* (OLLA) L M 011 Dey Tsak level = high 0-La-4700 0-Ls-4700 41-1/4' (OMA) Feel 011 Pressure low 8-Ps-4010 0-PS-4023 10 poi 15 pel (PFLA) Fee! 011 Dey Tank 1evel low 0-Ls 4017 0-La-4022 13.5 inches (PLLA) from top Feel Oil Day Tsah level high 0-La-4015 9-LS-4020 e inches (PMA) from top Fee! 011 Day Tank 0-to-4014 0-La-4021 'On* 10.5 laches level centrol, from top trenefer pump S-Ls.4014 0-Ls-4019 '0Pr* 4 laches sentrol from top h .\ 1 4 1 4 1 B.13-17


Table s.13.3 Electrical Power system instrumentation (continued) DrVICE INSTPUMrNT FJ4BrP SETPOINT VENDCR NO. IN DIESEL GEN. DIESEL GEN. WORMAL PA8ENTBESIs NO. 11 NO. 12 ALARN RESET RANGE starting air, D=Ps-4841 D-PS-4843 pressure lo D-PS-4842 0-Ps-4844 125 poi 200 pai (APL-1, APL 2) Air start solenoid D-sv-40 30 0-sv-4034 valves 0-SV-4831 0-sv-4835 Air vent solenoid 0-tv-4 0 32 0-sv-4838 valve (40V) Diesel Air Compressor 0-PS-4829 B-Ps-4833 *0N' 225 pai control 0-73-48294 0-Ps-40 33A *orP' 250 psi Crankcase Press 6-Ps-478 3 0-Ps-4791 0.5 inches 0.4 to 2.0 high 0-Ps-4784 0-75-4792 of water inches of vacuum (CCP-1, CCP-2, CCP-3) D=P3-4785 S-78-4793 pressure O B.13-18

Table 3.13.4 31ectrical Peuer System Campenent Test summary Sheet j f 000W005WT8 TBAT NDST 88 ALIGESD ANAT Facet est 70g!. TS$7 BIFBCTED TSST/ Test Con 90Nert TTPE OF

   \'                                                                                                                                                                             CUTAGE T!ns   paxtDUps TBet                          TION u!TE 50 AUTonATIC arreau                                                                          rn800BsCY t

[ DG 11 Start none meetly none 0-8-0 I l DG 12 etart mene weealy none 0-6-0 bettery 11 battery check none guarterly none > 350 0 Sattery 12 battery check none guarterly none >350 0 pattery 21 battery check none quarterly none p-150-0 settery 22 bettery check none quarterly none >150 0 settery 11 battery pilot none guarterly none M-150-0 cell check settery 12 bettery pilot none quarterly none >150 0 cell check Dettery 21 bettery pilot none guetterly none >350 0 eell cheet Dettery 22 bettery pilot none guetterly none n.150 0 eell check OO . B.13-19

Table B.13.5 Electrical Power System Component Maintenance Summary Sheet

COMPONENT UNDERGOING MAINTENANCE | TYPE OF MAINTENANCE | COMPONENTS WHICH MUST BE ALIGNED AWAY FROM ESF POSITION WITH NO AUTOMATIC RETURN | FREQUENCY OF COMPONENT ALIGNMENT VERIFICATION | EXPECTED FREQUENCY OF MAINTENANCE (/hr.) | EXPECTED OUTAGE TIME OF MAINTENANCE (hrs.)
Diesel generator 11 | Maintenance requiring disassembly | none | Weekly | 2.5E-4 | 26.4
Diesel generator 12 | Maintenance requiring disassembly | none | Weekly | 2.5E-4 | 26.4
4 kV circuit breakers | Maintenance requiring disassembly | none | Continuous | 8.4E-6 | 8
480V circuit breakers | Maintenance requiring disassembly | none | Continuous | 1.15E-4 | 4

* Plant specific data.

O O Table 3.13.6 ELECTRICAL SYSTEN DATA ] Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Description Description Bate (per/hr) Time (hr) 4 0 = Eq. ELC0011A-120-LF Local Faults of 120 1.0E-S 24 -- 2.4E-7 ELC00123-120-LF VAC BUS ELC00135-120-LF ELC0014A-120-LF ELCoc11A-125-LF Local Faults of 125 1.0E-8 24 -- 2.4E-7 ! ELC00128-125-LF VDC BUS ELC00213-125-LF ! ELC0022A-125-LF ELC104BB-400-LF Local Faults of 400 1.0E-8 24 -- 2.4E-7 j ELC114BA-400-LF VAC BUS j ELC011AA-400-LF j CD ELC01)EA-400-LF 4

  • F!,C014AB-430-LF

~ [I ELC014BB-480-LF bJ ELC4K11A-4KV-LF Local Faults of 4KV 1.0E-8 24 -- 2.43-7 H ELC4K14B-4KV-LF AC BUS ! ELC007A-CBL-LF Cable Fault - Open 3.0E-6 24 -- 7.2E-5 ELC00073-CBL-LF Circuit ELC0011A-CBL-LF ELC00125-CBL-LF l ELC00135-CBL-LF ! ELC0014A-CBL-LP

.           ELC0020A-CBL-LF I           ELC0022A-CBL-LF ELCOO23A-CBL-LF
!           ELC0024A-CBL-LF l

ELC00265-CBL-LP l l l

)

Table B.13.6 ELECTRICAL !!YSTEM DATA (Cont.) Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Description Descriptica Rate (per/ht) Time (hr) q Q = Eq. ELC00285-C3L-LF (Cont.) ELC0029B-CBL-LP ELC0031B-CBL-LF ELC0032A-CBL-LF ELC0033B-CBL-LF ELC0034B-CBL-LF ELC0035A-CBL-LF ELC0051A-CBL-LF ELC0054B-CBL-LF ELC1103A-CBL-LF ELC1406B-CBL-LF ELCOC11A '0BL-LF Cable Fault - 3.0E-6 24 7.2E-5 2.2E-4 U3 ELCOC128-CBL-LF Open Circuit ' p, Either of 2 Fuses 3.0E-6X2 24 1.48-4 ta Fall Open I h) ELC001LA-BCO-LF " Premature Transfer 1.0E-6 24 -- 2.4E-5 ELC0012B-BCO-LP ELC0013B-BCO-LF ELC0014A-BCO-LF ELC0020A BCO-LF ELC0022A-BCO-LF ELC0023A-BCO-LF ELC0024A-BCO-LF ELC0026B-BCO-LF ELC00288-BCO-LF ELC0029B-BCO-LF ELC0031B-BCO-LP ELC1102A-BCO-LF ELC1114A-BCO-LF

Table B.13.6 ELECTRICAL SYSTEM DATA (Cont.)

Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Description Description Rate (per/ht) Time (hr) q Q = Eq. ELC1402B-BCO-LF (Cont.) ELC1413B-BCO-LF l j l ELO1111A-BCO-LF l ELO1112A-BCO-LP  : l ELOlll3A-BCO-LF ELO1119A-BCO-LF ' ELO1120A-BCO-LF l ELO1412B-BCO-LF . ELO1407B-BCO-LF l ELO1413B-BCO-LF l ELO1420-BCO-LF l EL10401B-BCO-LF l ell 401A-BCO-LF l U3 ELO14098-BCO-LF H ta I ELC1103A-BCO-LF BKR Fail to -- -- -- 3.0E-3 ELC1406B-B00-LF Operate

   ]                                                                                                          l ELO1111A-B-PRMN      480 V PI3 Maintenance             1.25E-6          4         --           5.0E-6 ELO1112A-B-PRMN ELOlll3A-B-PRMN ELO1119A-B-PRM ELO1120A-B-PRM ELO1412B-B-PRMN ELO1407B-B-PRMN ELO1413B-B-PRM ELO1420-B-PRMN EL10401B-B-PRM EL11401A-B-Pf34N ELO1409B-B-PRMN 4

4

Table B.13.6 ELECTRICAL SYSTEM DATA (Cont.) Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Ur_ avail. Unavail. Event Description Description Rate (per/hr) Time (hr) q O = Eq. P '74N 4KV BKR Maintenance 8.4E-6 8 -- 6.7E-5 ELL. ' ELCl(06s ELC1413-B-Fu ELC0011A-BU-Fand" 1 Battery 0.0 -- -- 0.0 ELC0021B-BU-PRMN ance ELC00128-BU-PRMN ELC0022A-BU-PRMN NLC014AB-TFM-LF Transformer - Open 1.0E-6 24 2.4E-5 4.8E-5 f ELC0011AA-TFM-LF Local Fault circuit ps ELC014BB-TFM-LF - Short 1.0E-6 24 2.4E-5 W ELC0011BA-TTN-LF 1

 $$  ELC014AB-T-PRMN  Transformer                         0.0        --        --             0.0 ELC0011AA-T-PRMN Maintenance ELC014BB-T-FRMN ELC0011BA-T-PRMN ELC0011A-SWT-LF  Manual Switch-                  3.0E-8         24        --         7.2E-7 ELC00123-SWT-LF  Contacts fail Open ELC0013B-SWT-LF ELC0014A-SWT-LF ELC0011A-INV-LF  Inverter Local                  1.0E-4         24        --         2.4E-3 ELC00128-INV-LF  Faults ELC0013B-INV-LF ELC0014A-INV-LF l


O O Table B.13.6 ELECTRICAL SYSTEM DAU. (Cont.) Sub Event Sub Event Fault Sub Event Event Hame Sub Event Failv e Exposure Unavail. Unavail. Event Description Description Rate (per/ht) Time (hr) q Q = Eq. ELC0011A-BAT-LF Battery Local 1.0E-6 24 -- 2.4E-5 l i ELC0012B-B.*T-LF Faults ! ELC0021B-BAT-LF EE.C0022A-BAT-LF l ELC0011A-REC-LF Battery Charger 1.0E-6 24 -- 2.4E-5 ELC0012B-REC-LF Local Faults ELC0013B-REC-LF (Rectifier) ELC0014A-REC-LF ELC1103A-DISC-LF Disconnect Switch -- -- -- 3.0E-5 ELC1406B-DISC-LF Spurious Trip ELC0011A-GEN-LF Fail to Start -- -- 3.0E-2 5.4E-2 ELC00L2B-GEN-LF Fail to Run 3.0E-3 8 2.4E-2 f H 26.4 6.65-3 w ELC0011A-G-PRMN DG E4aintenance 2.5E-4 -- 1 ELC0012B-G-PRMN N ELC0011A-G-FRFM Failure to Restore 2.5E-4x1.0E-2 84 -- 2.1E-4 ELC0012B-G-FRFM following maintenance ELC0011A-G-PRTS DG Unavailable 6.OE-3 0.25 -- 1.5F.-3 ELC0012B-G-PRTS During period of Alignment after test ELC0011A-G-FRFT Failure to Restore 6.0E-3K1.0E-2 84 -- 5.OE-3 ELC0012B-G-FRFT following test ELC14068-BOO-CC D. G. Circuit -- -- -- 2.5E-3 ELC1103A-BOO-CC Breaker Control Circuits

Table B.13.6 ELECTRICAL SYSTEM DATA (Cont.) Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. l Event Description Description Rate (per/hr) Time (hr) q Q = Eq. ELC0011A-ASSG-LF Airstart System -- -- 1.0E-4x1.0E-4 1.0E-8 ELC0012B-ASSG-LF Local faults - failure of both solenoid valves OP-FAIL-f0-ALIGN Operator fails to -- -- -- S.0E-2 Align DG12 to Unit 1 ELCOO21B-GEN-OPF DG21 Fails making -- -- -- 1.2E-1 DG11 unavailable to Unit 1 tD b w 1 N 04

Figure B.13-1 Simplified Schematic of the Emergency AC and DC Power

Figure B.13-2 Simplified Schematic of the Emergency AC and DC Power System Used in Fault Tree Modeling

Appendix B.14 Engineered Safety Features Actuation System

B.14 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM DESCRIPTION

B.14.1 Purpose

The Engineered Safety Features Actuation System (ESFAS) initiates the start of equipment which protects the public and plant personnel from the accidental release of radioactive fission products in the event of a Loss of Coolant Accident (LOCA). The safety features function to control leakage, mitigate, and terminate such incidents in order to minimize radiation exposure levels for the general public.

B.14.2 Description

B.14.2.1 Overall Configuration

The ESFAS consists of eight separate signal groups. Each signal group consists of four sensor subsystems (D, E, F, and G), which monitor one or more plant parameters, and two actuation subsystems (A and B), which actuate ESFAS components. Table B.14.1 lists the ESFAS signal groups, the sensors monitored by each signal group, and the sensor trip threshold for each measured plant parameter. The Safety Injection Actuation Signal (SIAS), Containment Spray Actuation Signal (CSAS), and Containment Isolation Signal (CIS) actuation subsystems are further subdivided into multiple actuation channels (A1, A2, A3... and B1, B2, B3...).

In the event of a loss of voltage at the 4 kV buses 11 and 14, undervoltage sensors and actuation logic are provided. This subsystem functions to remove components from the bus and to then sequentially load the bus when the diesel generators have restored power to the bus. In addition, should a LOCA be in progress at the time of the loss of the 4 kV buses, certain ESFAS signals are blocked and then sequenced back in conjunction with the emergency power supply.

ESFAS System Logic

Figure B.14-1 shows the ESFAS system logic. Each plant parameter is monitored by four redundant sensors, except containment pressure, which is monitored by 12 redundant sensors (4 for RPS and SIAS, 4 for CSAS, and the remaining 4 for CIS). Each sensor, in turn, is monitored by a bistable trip unit which provides trip signals to the actuation systems when the output of the sensor crosses a preset threshold.

The two redundant and independent actuation subsystems (A and B) monitor the logic outputs of the bistables and, by means of coincidence logic, determine whether a protective action is required. Each actuation system initiates independent and redundant protective systems.

Normally, the logical combination of any two out of four redundant sensor trips will initiate an output relay or group of relays. However, if two of the four undervoltage relays monitoring 4 kV bus 11 or bus 14 sense a decrease in line voltage, another sequence of events is initiated. The undervoltage logic actuates 32 output relays which load shed components on the bus, send start signals to the diesel generators, and open the affected 4 kV bus feeder breakers. The ESFAS Sequencer senses the undervoltage signal and the feeder breaker "OPEN" signal, causing eight of the ESFAS actuation subchannels' outputs to be blocked (SIAS-A2, A3, A6, A7, and A8, CSAS-A1 and A2, and CIS-A1 for 4 kV bus 11 and the corresponding B subchannels for 4 kV bus 14). When the diesel generator establishes the proper voltage and frequency, the diesel generator breaker will close, supplying the 4 kV bus with emergency power. The Sequencer will now receive the "DG Breaker Closed" signal. If a SIAS signal is present, the Sequencer will, at 5-second time intervals, remove the block from each of the above actuation subchannels and, finally, three additional output relays are actuated. Alternatively, if the SIAS actuation signal is not present, the Sequencer will actuate seven output relays in three 5-second steps. Figures B.14-2 through B.14-5 show the ESFAS actuation logic for the different actuation sequences described above.

ESFAS Signal Groups

ESFAS is a support system, and, as such, must be required for actuation of a front line (or other support) system for faults in the ESFAS to be considered. The front line (and their supporting) systems that have been modeled in the Calvert Cliffs IREP study require the following ESFAS Signal Groups for actuation:

   - Safety Injection Actuation Signal (SIAS),
   - Containment Spray Actuation Signal (CSAS),
   - Recirculation Actuation Signal (RAS),
   - Auxiliary Feedwater Actuation Signal (AFAS),
   - Undervoltage Logic (UV),
   - Sequencer.

Only these signal groups will be discussed for the remainder of the system description, with the exception of AFAS. AFAS is covered in the Auxiliary Feedwater System (AFWS) description since its signals are sent exclusively to the AFWS. The remaining signal groups are ignored for the purposes of this study.

Safety Injection Actuation Signal (SIAS)

The SIA Signal Group monitors pressurizer pressure and containment pressure with trip setpoints at 1600 psig (decreasing) and 2.8 psig (increasing), respectively. These signals are derived from the same sensor/transmitters that provide RPS trips (High Pressurizer Pressure, Thermal Margin/Low Pressure, and High Containment Pressure). The actuation subsystems are divided into 10 subchannels (A1, A2,...A10 and B1, B2,...B10). This allows for flexibility in testing the actuation system and the actuated equipment. Logic is provided to allow the Pressurizer Pressure trip to be blocked during plant cooldown or startup. When pressurizer pressure decreases below 1700 psig, 3 of 4 low bistables must trip to grant a block permissive. The operator must then insert a manual block signal to initiate the Pressurizer Pressure Block.

The SIAS actuates equipment that serves the following functions:

1. Initiation of high and low pressure injection to the core.
2. Realigns the Chemical and Volume Control System (CVCS) to the Emergency Boration Mode. Seven percent boric acid solution is injected to the RCS in this mode.
3. Sends start signals to component cooling, service water (SRW), and salt water pumps in preparation for these systems' use in removing reactor decay heat.
4. Signals the diesel generators to start in anticipation of a concurrent LOSP. Should a loss of normal power occur, the ESFAS components can be sequenced onto their buses immediately after the diesel generator breakers close.
5. Signals the swing diesel to align with the reactor unit experiencing the SIAS demand if a loss of offsite power occurs and the swing DG is not already aligned to a particular unit.

A list of components actuated by SIAS appears in Table B.14.2.
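The two-out-of-four coincidence logic and the SIAS setpoints and pressurizer pressure block described above can be exercised in a small Python model, added here as an illustration and not taken from the report. The class and function names, the treatment of a reading exactly at a setpoint, the way a bypassed or tripped channel enters the vote, the clearing of the block when the permissive is lost, and all sample readings are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

CHANNELS = ("D", "E", "F", "G")  # the four sensor subsystems


class Mode(Enum):
    NORMAL = "normal"
    BYPASSED = "bypassed"  # assumption: channel is taken out of the vote
    TRIPPED = "tripped"    # assumption: channel output is forced to trip


@dataclass
class Bistable:
    setpoint: float
    trips_on_decrease: bool
    mode: Mode = Mode.NORMAL

    def output(self, reading):
        if self.mode is Mode.TRIPPED:
            return True
        if self.mode is Mode.BYPASSED:
            return False
        # Assumption: a reading exactly at the setpoint counts as a trip.
        if self.trips_on_decrease:
            return reading <= self.setpoint
        return reading >= self.setpoint


def coincidence(outputs, needed=2):
    """True when at least `needed` channel outputs are tripped."""
    return sum(bool(o) for o in outputs) >= needed


def uniform(value):
    """Constructed input: the same reading on all four channels."""
    return {ch: value for ch in CHANNELS}


class SiasLogic:
    """One SIAS actuation subsystem (A or B)."""
    PZR_TRIP_PSIG = 1600.0          # pressurizer pressure, decreasing
    CNTMT_TRIP_PSIG = 2.8           # containment pressure, increasing
    BLOCK_PERMISSIVE_PSIG = 1700.0  # block allowed below this pressure

    def __init__(self):
        self.pzr = {c: Bistable(self.PZR_TRIP_PSIG, True) for c in CHANNELS}
        self.cntmt = {c: Bistable(self.CNTMT_TRIP_PSIG, False) for c in CHANNELS}
        self.block_active = False

    def block_permitted(self, pzr_psig):
        low = [pzr_psig[c] < self.BLOCK_PERMISSIVE_PSIG for c in CHANNELS]
        return coincidence(low, needed=3)

    def request_block(self, pzr_psig):
        """Operator's manual block; latches only with the permissive."""
        if self.block_permitted(pzr_psig):
            self.block_active = True
        return self.block_active

    def actuate(self, pzr_psig, cntmt_psig):
        # Assumption: the block drops out when the permissive is lost.
        if self.block_active and not self.block_permitted(pzr_psig):
            self.block_active = False
        pzr = coincidence(self.pzr[c].output(pzr_psig[c]) for c in CHANNELS)
        cntmt = coincidence(self.cntmt[c].output(cntmt_psig[c]) for c in CHANNELS)
        return (pzr and not self.block_active) or cntmt


def scenarios():
    """Run constructed cases and return {case: SIAS actuated?}."""
    out = {}
    p_ok, c_ok = uniform(2250.0), uniform(0.5)  # constructed readings
    one_low = {**p_ok, "D": 1500.0}
    two_low = {**one_low, "E": 1500.0}
    logic = SiasLogic()
    out["normal"] = logic.actuate(p_ok, c_ok)
    out["one low"] = logic.actuate(one_low, c_ok)
    out["two low"] = logic.actuate(two_low, c_ok)
    logic.pzr["G"].mode = Mode.BYPASSED   # vote becomes 2-of-3
    out["G bypassed, one low"] = logic.actuate(one_low, c_ok)
    logic.pzr["G"].mode = Mode.TRIPPED    # vote becomes 1-of-3
    out["G tripped, one low"] = logic.actuate(one_low, c_ok)

    logic = SiasLogic()
    out["block at power"] = logic.request_block(p_ok)
    out["block in cooldown"] = logic.request_block(uniform(1650.0))
    out["blocked, pressure low"] = logic.actuate(uniform(1500.0), c_ok)
    c_high = {**c_ok, "D": 3.0, "E": 3.0}
    out["blocked, containment high"] = logic.actuate(uniform(1500.0), c_high)
    logic.actuate(uniform(1750.0), c_ok)  # permissive lost, block clears
    out["block cleared, pressure low"] = logic.actuate(uniform(1500.0), c_ok)
    return out


if __name__ == "__main__":
    for case, actuated in scenarios().items():
        print(f"{case:30s} {'ACTUATE' if actuated else 'no actuation'}")
```

The containment pressure trip is independent of the pressurizer pressure block, so the "blocked, containment high" case still actuates.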

Containment Spray Actuation Signal (CSAS)

The CSA Signal Group monitors containment pressure with the trip setpoint being 4 psig (increasing). The sensor/transmitters are independent of the pressure sensing equipment used for SIAS/RPS and CIS. The actuation systems are divided into three subchannels (A1, A2, A3, and B1, B2, B3).

The CSAS actuates equipment that performs the following functions:

1. Containment overpressure protection via the containment sprays and containment fan coolers.
2. Reactor decay heat removal from the containment via the above two systems.
3. Sheds the spent fuel pool as a cooling load for the SRWS since SRW is required by the Fan Cooling Units to control containment pressure and temperature.

A list of components actuated by CSAS is provided in Table B.14.3.

Recirculation Actuation Signal (RAS)

The RA Signal Group monitors refueling water tank (RWT) low level. When RWT level reaches 24" following the injection phase of a LOCA, level switches close contacts which actuate RAS logic. The RAS serves to realign the safety systems from their injection configuration to that of recirculation. RAS opens the containment sump discharge valves, allowing the safety injection (SI) and containment spray (CS) pumps to take suction from the containment sump, reusing the injection water spilled through the break; RAS shuts down the low pressure injection pumps and closes the recirculation line valves from the SI and CS pumps to the RWT. Finally, RAS returns the SRW and component cooling heat exchangers' salt water control valves to AUTO after SIAS action had opened and closed these valves, respectively. A list of components actuated by RAS appears in Table B.14.4.

Undervoltage Load Shed (UV)

In the event of a loss of voltage at the 4 kV buses 11 and 14, the UV Signal Group serves to load shed those components supplied by the 4 kV buses to prevent diesel generator overload when the diesel generator breakers close. Potential transformers on the 4 kV buses step the 4.16 kV voltage down to 120 Vac, energizing undervoltage relays. When the 4 kV bus voltage drops below 2450V, the relays de-energize and actuate the undervoltage logic. In addition to load shedding components, the undervoltage actuation logic trips the affected 4 kV bus feeder breakers, sends start signals to the diesels and blocking signals to the Sequencer. When the diesel generator breakers are closed and the buses are energized, the UV signal clears, allowing the start of equipment via other ESFAS Signal Groups. Table B.14.5 lists the components affected by the UV signal.

Sequencer

In the event of a loss of voltage at the 4 kV buses 11 or 14, the Sequencer functions to block certain ESFAS subchannels (SIAS-A2, A3, A6, A7, A8, CSAS-A1, A2, CIS-A1 for bus 11 and corresponding B subchannels for bus 14) if a LOCA is in progress, and to sequentially load the equipment actuated by these subchannels when the emergency power supply is available. In addition, the components listed in Table B.14.6 are started in the final step. If a LOCA is not in progress, the Sequencer will sequentially load the components listed in Table B.14.7 to the bus. Figures B.14-3 through B.14-5 illustrate the action of the Sequencer in the LOCA and NO LOCA cases.

Containment Pressure Transmitters

There are 12 containment pressure transmitters dedicated to ESFAS: 4 for SIAS/RPS, 4 for CSAS, and 4 for CIS. These transmitters are located on four lines which can be isolated from the containment via solenoid valves. The A and B channel transmitters are located in the East Electrical Penetration Room. The C and D channel transmitters are located in the West Electrical Penetration Room.

B.14.2.2 System Interfaces

ESFAS actuates components in many of the front line and support systems required for LOCA mitigation. The specific breakdown by Signal Group is as follows:

SIAS - Safety Injection System (SIS)
         1. High Pressure Injection (HPI)
         2. Low Pressure Injection (LPI)
         3. Safety Injection Tanks (SIT)
       Containment Spray System (CSS)
       Chemical and Volume Control System (CVCS)
       Component Cooling Water (CCW)
       Service Water System (SRW)
       Salt Water System (SWS)
       Diesel Generators (DG)

CSAS - Containment Air Recirculation and Cooling System (CARCS)
       CSS
       SRW

RAS - SIS
         1. HPI
         2. LPI
      CSS
      CCW
      SRW
      SWS

UV - 4 kV AC Power Supply
     CVCS
     CCW
     CSS
     CARCS
     SIS
         1. HPI
         2. LPI
     SRW
     SWS
     DG

Sequencer - Interfaces with the same systems as SIAS and CSAS.

In addition, SIAS interfaces with RPS in that the systems share common pressurizer pressure and containment pressure transmitters. The interaction FMEA for ESFAS appears in Table B.14.8.

B.14.2.3 Instrumentation and Control

The sensor/transmitters monitored by the ESFAS Signal Groups have been discussed above. SIAS, CSAS, and RAS may be manually actuated with the A channel pushbuttons at 1C09 and the B channel pushbuttons at 1C10. Control Room annunciation and/or alarms are provided for the following:

1. Sensor channel D, E, F, or G Tripped
2. Actuation System SIAS (CSAS, RAS, and UV) Tripped
3. Actuation System A (and B) Loss of Power
4. Shutdown and Loss of Coolant Incident Sequencer Initiation
5. 4 kV Feeder Breakers Tripped
6. Diesel Generator Breaker Closed

B.14.2.4 Operator Actions

The ESFAS monitors the input process variables and provides outputs in the form of energized actuation relays when the proper input criteria are present. No operator action is required during normal operation aside from performing scheduled test procedures.

B.14.2.5 Surveillance

Table B.14.9 lists the tests and test frequencies performed by the operator during plant operation. The Channel Check records the Containment Pressure and Pressurizer Pressure Signals for SIAS and CSAS. The Channel Functional Test tests bistable trip action, logic subsystem actuation, and Pressurizer Pressure Block Clearing. Table B.14.10 describes the effects of these tests on system availability.

B.14.2.6 Maintenance

Maintenance is performed on an as-needed basis only. The Calvert Cliffs Safety Related Maintenance Logs were reviewed to determine the maintenance frequencies for the various ESFAS components. THERP diagrams were developed to estimate the probability of the failure to restore from test or maintenance events. Components which can be maintained during reactor operations without putting a channel into the tripped condition include the actuation relays, sequencers, actuation logic modules, power supplies, containment pressure sensors, and RWT level switches. Following any maintenance action, a functional test of the subsystem is required.

B.14.2.7 Technical Specification Limitations

The limiting conditions for operation for the ESFAS Signal Groups are as follows:

SIAS, RAS, and UV (Loss of 4 kV ac power): With the number of OPERABLE channels one less than the total number of channels (4), operation may proceed provided the following conditions are satisfied.

a. The inoperable channel is placed in either the bypassed or tripped condition within 1 hour. For the purposes of testing and maintenance, the inoperable channel shall then be either restored to OPERABLE status or placed in the tripped condition.
b. Within 1 hour, all functional units receiving an input from the inoperable channel are also placed in the same condition (either bypassed or tripped, as applicable) as that required by a. above for the inoperable channel.
c. The minimum channels OPERABLE requirement is met; however, one additional channel may be bypassed for up to 48 hours while performing tests and maintenance on that channel provided the other inoperable channel is placed in the tripped condition.

CSAS: With the number of OPERABLE channels one less than the Total Number of Channels (4), operation may proceed provided the inoperable channel is placed in the bypassed condition and the Minimum Channels OPERABLE requirement is demonstrated within 1 hour; one additional channel may be bypassed for up to 2 hours for surveillance testing.

A channel is considered to be inoperable if the channel trip setpoint is less conservative than the Allowable Value (see Tables B.14.11 and 12 for Allowable Values).

B.14.3 Operation

In an accident condition, such as a LOCA, system operation is directed by EOP-4 (Steam Line Break) and EOP-5 (LOCA) to ensure that ESFAS has been initiated and that the components actuated by ESFAS have switched to their accident positions. For the LOCA, the operator is directed to manually initiate RAS when RWT level drops below 4 feet. This allows the operator to reset RAS without the necessity of refilling the RWT as would occur if level is allowed to drop below the 24" trip setpoint. EOP-6 (Steam Generator Tube Rupture) directs the operator to ensure the SIAS actuated components have changed to accident mode if SIAS is initiated.

B.14.4 Fault Tree Description

About 100 components modeled in the Calvert Cliffs IREP study require ESFAS actuation. In most cases, one ESFAS actuation relay actuates one ESFAS component. Therefore, the ESFAS Fault Tree has about 100 top events which are

referenced by the "Component Actuation System Fault Module" contained in the Front Line and Support System Fault Trees. These top events, when developed, lead to the common actuation logic and sensor loops, and these are divided into the following major fault trees:

- Safety Injection Actuation Signal
- Containment Spray Actuation Signal
- Recirculation Actuation Signal
- Undervoltage Load Shed
- Shutdown Sequencer
- Auxiliary Feedwater Actuation Signal

System failures identified were primarily loss of actuation signal. For the most part, spurious signals were ignored. The fault trees' level of detail corresponds to modules located in the ESFAS cabinetry. For example, bistable trip units and actuation logic modules have been "black-boxed;" faults in the circuitry of these modules have not been developed. A review of Calvert Cliffs Safety Related Maintenance Logs has been conducted to develop failure data for these components. Numerous special gates describe failure combinations within all the ESFAS trees. The algorithms for these gates are listed in Tables B.14.14a-B.14.14f. The fault trees are shown on the appropriate aperture cards in the envelope at the back of this report.

B.14.4.1 Success/Failure Criteria

The top event for each fault tree is "Loss of Actuation Signal Prior to Output of ASY (ESFAS Signal Group) Signal Path ... Therefore, failure will occur if either the actuation relay or actuation logic fails. Calvert Cliffs' ESFAS is a two out of four system for successful operation; failure occurs if any combination of three out of four sensor channels fails to provide an actuation signal to the actuation logic.

B.14.4.2 Major Assumptions

B.14.4.2.1 General Assumptions

Wire faults (opens or shorts) were neglected unless they could disable multiple trains of redundant equipment.
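The two-out-of-four success criterion of Section B.14.4.1 and the bypassed/tripped channel conditions of Section B.14.2.7 can be checked by enumeration. The following is an added example, not part of the original report: it lists the minimal combinations of sensor channel failures that cause loss of the actuation signal and computes the exact loss probability. It assumes that a bypassed channel supplies no input to the logic, that a tripped channel always supplies one, that channels fail independently, and it uses a constructed per-demand channel unavailability of 1e-2 rather than any value from the report.

```python
"""Channel-failure cut sets for two-out-of-four actuation logic (added example)."""
from itertools import combinations, product

CHANNELS = ("D", "E", "F", "G")   # sensor channel letters used in the report
VOTES_NEEDED = 2                  # two-out-of-four actuation logic


def signal_present(failed, bypassed=frozenset(), tripped=frozenset()):
    """Return True if the actuation logic sees at least two trip inputs.

    failed   -- channels that do not produce a trip signal on demand
    bypassed -- channels taken out of the vote (assumed to supply no input)
    tripped  -- channels held in the tripped state (assumed to always vote)
    """
    votes = 0
    for ch in CHANNELS:
        if ch in bypassed:
            continue
        if ch in tripped or ch not in failed:
            votes += 1
    return votes >= VOTES_NEEDED


def _voting(bypassed, tripped):
    """Channels whose behaviour on demand still affects the outcome."""
    return [c for c in CHANNELS if c not in bypassed and c not in tripped]


def minimal_cut_sets(bypassed=frozenset(), tripped=frozenset()):
    """Smallest sets of channel failures that cause loss of the actuation signal."""
    voting = _voting(bypassed, tripped)
    cuts = []
    for size in range(len(voting) + 1):           # smallest sets first
        for combo in combinations(voting, size):
            candidate = frozenset(combo)
            if signal_present(candidate, bypassed, tripped):
                continue
            if any(cut <= candidate for cut in cuts):
                continue                           # superset of a known cut set
            cuts.append(candidate)
    return cuts


def loss_probability(q, bypassed=frozenset(), tripped=frozenset()):
    """Exact probability of losing the signal when each voting channel fails
    on demand with probability q, independently (no common cause term)."""
    voting = _voting(bypassed, tripped)
    total = 0.0
    for states in product((False, True), repeat=len(voting)):
        failed = frozenset(c for c, bad in zip(voting, states) if bad)
        if not signal_present(failed, bypassed, tripped):
            k = len(failed)
            total += q ** k * (1 - q) ** (len(voting) - k)
    return total


if __name__ == "__main__":
    Q = 1e-2   # constructed channel unavailability, not data from the report
    cases = {
        "all four channels in service": {},
        "channel D bypassed": {"bypassed": frozenset("D")},
        "channel D tripped": {"tripped": frozenset("D")},
    }
    for label, kw in cases.items():
        cuts = sorted("".join(sorted(c)) for c in minimal_cut_sets(**kw))
        print(f"{label}: cut sets {cuts}, P(loss) = {loss_probability(Q, **kw):.3e}")
```

With all channels in service the cut sets are the four three-channel combinations; bypassing one channel leaves two-channel cut sets among the remaining three, while tripping it leaves the single three-channel cut set.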

B.14.4.2.2 Sequencer Assumptions

Spurious blocking signals to the Sequencer are neglected. These signals would also start the diesel generators and result in the diesel generator breakers closing. The fault developed is that the Sequencer does not receive the subsequent signal to remove the block.

B.14.4.2.3 Undervoltage Load Shed

Failure of the A2 and/or B2 subchannels of this signal group to load shed plant components is assumed to fail the diesel by overloading it when the diesel generator breaker closes. When voltage is restored to the 4 kV bus, the undervoltage signal must clear to allow a component to start either manually or via an ESFAS signal. This fault is neglected since it requires at least two simultaneous relay failures to fail one train of ESF equipment and four simultaneous failures to fail the system.

B.14.4.2.4 SIAS-CSAS-RAS-SDS

No other major assumptions were made for these signal groups.

B.14.5 Data

Where applicable, data from the IREP Procedures Guide* was used to quantify the fault trees. For a number of components, such as actuation logic modules, bistable trip units, etc., failure rates were either not available or not applicable. For these components, a review of the Calvert Cliffs I & II Safety Related Maintenance Logs was conducted and failure data developed. The failure data used to quantify the fault trees is shown in the following tables:

Table B.14.13    ESFAS Component Failure Data
Table B.14.13.1  Safety Injection Actuation Signal
Table B.14.13.2  Containment Spray Actuation Signal
Table B.14.13.3  Undervoltage
Table B.14.13.4  Shutdown Sequencer
Table B.14.13.5  Recirculation Actuation Signal
Table B.14.13.6  Auxiliary Feedwater Actuation Signal

*Carlson, D. D., D. R. Gallup, A. M. Kolaczkowski, G. J. Kolb, D. W. Stack, and E. Lofgren, "Interim Reliability Evaluation Program Procedures Guide," NUREG/CR-2728, SAND82-1100, Sandia National Laboratories, January 1982.

Table B.14.1 ESFAS Signal Groups

ESFAS Signal Group                                Sensor(s) Monitored                          Sensor Trip Threshold
Safety Injection Actuation Signal (SIAS)          Containment Pressure                         72.8 PSIG
                                                  Pressurizer Pressure                         <1400 PSIG
Containment Spray Actuation Signal (CSAS)         Containment Pressure                         34 PSIG
Containment Isolation Signal (CIS)                Containment Pressure                         4 PSIG
Recirculation Actuation Signal (RAS)              Refueling Water Tank Level                   24" above tank bottom
Steam Generator Isolation Signal (SGIS)           Steam Generator Pressure                     <500 PSIG
Chemical Volume and Control System                West Penetration Room and Letdown            >.5 PSIG
  Isolation Signal (CVCS)                           Heat Exchanger Room Pressure
Auxiliary Feedwater Actuation Signal (AFAS)       Steam Generator Level                        4 50'
                                                  Steam Generator Pressure                     >100 PSID (differential)
Containment Radiation Signal (CRS)                Containment Radiation                        >2200 mR/hr

Table B.14.2 SIAS Actuated Components

Actuation Subsystem A

Signal    Relay   Where Used
SIAS 1    K1      Containment Spray Header No. 11 Isolation Valve (1-CV4150).
          K1      Salt Water System Air Compressor-11.
          K2      H.P. Redundant Hydraulic Valve (1MOV 656).
          K3      1MOV-617 HPSI to Loop Control Valve.
          K4      1MOV-627 HPSI to Loop Control Valve.
          K5      1MOV-637 HPSI to Loop Control Valve.
          K6      1MOV-647 HPSI to Loop Control Valve.
          K7      1MOV-615 LPSI to Loop Control Valve.
          K8      1MOV-625 LPSI to Loop Control Valve.
SIAS 2    K9      High Pressure Safety Injection Pump-11.
          K10     High Pressure Safety Injection Pump-13.
SIAS 3    K11     Low Pressure Safety Injection Pump-11.
SIAS 4    K12     Spare
          K13     1MOV-509 Boric Acid Storage Tank to Charging Pumps.
          K14     Boric Acid Storage Tank No. 11 Recirculation (1CV 510).
          K15     Check Valve (1CV 628) Leakage Drain to Radiation Waste Tank.
          K16     Recirculation Return Line Drain (1CV 661).
          K17     Check Valve Leakage Drain to Rad. Waste Tank (1CV 618).
          K45     Containment Vent to Waste Gas Surge Tank (1CV 2180).
                  RC Loop Hot Leg Sample (1CV5467).
          K56     Containment Heating Outlet Isol. (1MOV6579).
SIAS 5    K18     Letdown Stop Valve (1CV 515).
          K19     1MOV-501 Vol. Cont. Tank Discharge Control.
          K20     Turbine Bldg. Service Water Shut-Off (1CV 1600).
                  Turbine Lube Oil & EHC Oil Cooler Water Shut-Off (1CV 1637).
          K57     RCP Bleed-Off Valve (1CV506).
SIAS 6    K21     Boric Acid Pump-11.
          K22     Charging Pump-11.
          K23     Charging Pump-13.
          K111    1MOV-508 Boric Acid Tank to Charging Pump Suction.
SIAS 7    K24     Component Cooling Pump-11.
          K25     Salt Water Heat Exchanger-11 (1CV 5206).
          K26     Service Water Pump-11.
          K27     Component Cooling Pump-13.
          K28     Cooling Water System Control Valve (1CV 3828).
          K29     Service Water Pump-13, Salt Water Valves (1CV5160, 1CV 5206).
SIAS 8    K30     Salt Water Pump-11.
          K31     Salt Water Pump-13.
SIAS 9    K32     Diesel Generator No. 11 Engine Control.
          K33     Service Water Heat Exchanger-11 Salt Water Valve (1CV 5210).
          K43     Containment Norm. Sump to Misc. Waste Receiver Tank (1MOV-5462).
          K44     Containment Purge Isolation (1CV 1410).
          K46     Containment Purge Air Supply Fan-11.
                  R.C. Recirculation Tank Discharge Isol. Valve (1CV 4260).
          K49     Purge Air Sample Isolation (1CV 5291).
                  Containment Purge Air Exhaust Fan-11 (1CV 5289).
          K52     Diesel Generator No. 12 Engine Control.
SIAS 10   K34     SI Tank 11A Isolation Valve (1MOV-614).
                  SI Tank 11B Isolation Valve (1MOV-624).

Table B.14.2 SIAS Actuated Components (Continued)

Actuation Subsystem B

Signal    Relay   Where Used
SIAS 1    K1      Containment Spray Header No. 12 Isolation Valve (1CV 4151).
                  Salt Water System Air Compressor-12.
          K2      H.P. Redundant Hydraulic Valve (1MOV-654).
                  1MOV-616 HPSI to Loop Control Valve.
          K3      1MOV-626 HPSI to Loop Control Valve.
          K4      1MOV-636 HPSI to Loop Control Valve.
          K5      1MOV-646 HPSI to Loop Control Valve.
          K6      1MOV-635 LPSI to Loop Control Valve.
          K7      1MOV-645 LPSI to Loop Control Valve.
SIAS 2    K8      High Pressure Safety Injection Pump-12.
          K9      High Pressure Safety Injection Pump-13.
SIAS 3    K10     Low Pressure Safety Injection Pump-12.
SIAS 4    K11     Boric Acid Storage Tank No. 12 Recirculation (1CV 510).
                  Makeup Flow Control (1CV 512).
          K12     Boric Acid Feed Pump Valve 1MOV-514.
          K13     Check Valve (1CV 638) Leakage Drain to Radiation Waste Tank.
          K14     Check Valve (1CV 648) Leakage Drain to Radiation Waste Tank.
SIAS 5    K15     Service Water Iso. Valves (1CV 1638).
          K16     Service Water Iso. Valve (1CV 1639).
          K50     RCP Bleed-Off (1CV 505).
SIAS 6    K17     Boric Acid Pump-12.
          K18     Charging Pump-12.
          K19     Charging Pump-13.
SIAS 7    K20     Component Cooling Pump-12.
                  Component Cool. HX 12 Salt Water Valve 1CV 5162.
          K21     Component Cooling Pump-13.
          K22     Component Cooling HX 12 Salt Water Valves 1CV 5208, 1CV 5163.
          K23     Cooling Water System Control Valve (1CV 3830).
          K24     Service Water Pump-12.
          K25     Service Water Pump-13.
SIAS 8    K26     Salt Water Pump-12.
          K27     Salt Water Pump-13.
SIAS 9    K28     Diesel Generator No. 12 Feeder Brkr. 152-1406.
          K29     Service Water Ht. Exch.-12 Salt Water Valve 1CV 5212, 1CV 5153.
          K114    Diesel Generator No. 12 Engine Control.
SIAS 10   K30     SI Tank 12A Iso. Valve 1MOV-634.
                  SI Tank 12B Iso. Valve 1MOV-644.

Table B.14.3 CSAS Actuated Components

Actuation Subsystem A

Signal    Relay   Where Used
CSAS 1    K35     Containment Cooling Fan-11.
          K36     Containment Cooling Fan-12.
          K37     Containment Cooling Coil No. 11 Water Discharge Valve (1CV1582).
          K38     Containment Cooling Coil No. 11 Water Discharge Valve (1CV 1585).
CSAS 2    K39     Containment Spray Pump-11.
CSAS 3    K40     Spent Fuel Cooler 11 Service Water Discharge Valve (1CV1596).
                  Spent Fuel Cooler 12 Service Water Discharge Valve (1CV1598).

Actuation Subsystem B

Signal    Relay   Where Used
CSAS 1    K31     Containment Cooling Fan 13.
          K32     Containment Cooling Fan 14.
          K33     Containment Cooling Coil No. 13 Water Discharge Valve 1CV 1590.
          K34     Containment Cooling Coil No. 14 Water Discharge Valve 1CV 1593.
CSAS 2    K35     Containment Spray Pump-12.
CSAS 3    K36     Spent Fuel Cooler #11 Service Water Supply Valve 1CV 1597.
                  Spent Fuel Cooler #21 Service Water Supply Valve 1CV 1599.

Table B.14.4 RAS Actuated Components

Actuation Subsystem A

Signal    Relay   Where Used
RAS 1     K64     Containment Sump Discharge Valve (1MOV4144).
          K65     C.S. & S.I. Pumps Recirc. (1MOV659).
          K66     Salt Water Heat Exchanger-11, Salt Water Valve (1CV 5206A).
                  Low Pressure Safety Injection Pump-11.
          K67     Service Water Heat Exchanger-11, Salt Water Valve (1CV 5210).

Actuation Subsystem B

Signal    Relay   Where Used
RAS 1     K53     Containment Sump Discharge Valve 1MOV4145.
          K54     C.S. & S.I. Pumps Recirculation 1MOV660.
          K55     Low Pressure Safety Injection Pump-12.
                  Salt Water Outlet Heat Exchanger 12, 1CV 5208.
          K56     Salt Water Heat Exchanger #12, Salt Water Outlet Vlvs. 1CV 5212 & 1CV 5153.

Table B.14.5 Undervoltage Load Shed Components

Actuation Subsystem A

Signal    Relay   Where Used
UV 1      K80     4KV Buses Fdr. Bkr. to Switchyard Serv. Transformer (500 KVA).
          K81     4KV Bus-11 Feeder Breaker (152-1115).
          K82     4KV Bus-11 Feeder Breaker (152-1101).
          K83     Turbine MCC-101 AT Feeder.
UV 2      K84     Spare
          K85     250 V Battery Charger Feeder Breaker.
          K86     Cavity Cooling Fan-11.
          K87     Charging Pump-11.
          K88     Component Cooling Pump-11.
          K89     No. 11 Containment Filter Unit.
          K90     Containment Spray Pump-11.
                  Heating & Ventilating Control Room A/C Compressor 11.
          K91     Containment Cooling Fan-11.
                  Heating & Ventilating Switchgear Room A/C Compressor 11.
          K92     Proportional Controller Pressurizer Heater-11.
          K93     High Pressure Safety Injection Pump-11.
          K94     Spare
          K95     Instrument Air Compressor 11.
          K96     Low Pressure Safety Injection Pump 11.
          K97     Heating & Ventilating Main Plant Exhaust Fan 11.
          K98     Salt Water Pump-11.
          K99     Service Water Pump-11.
UV 3      K100    Spare
          K101    Charging Pump-13.
          K102    Component Cooling Pump-13.
          K103    Containment Filter Unit 13.
          K104    Containment Cooling Fan 12.
          K105    Spare
          K106    High Pressure Safety Injection Pump-13.
          K107    Salt Water Pump-13.
          K108    Service Water Pump-13.
UV 4      K109    Diesel Generator No. 11 Engine Control.
          K110    Spare
          K113    Diesel Generator No. 21 Engine Control.
          --      Sequencer "A" Blocking.

Actuation Subsystem B

Signal    Relay   Where Used
UV 1      K66     4KV Bus-14 Feeder Breaker 152-1401.
          K67     4KV Bus-14 Feeder Breaker 152-1414.
          K68     Turbine MCC-101 BT.
UV 2      K69     Spare
          K70     Cavity Cooling Fan 12.
          K71     Charging Pump-12.
          K72     Component Cooling Pump-12.
                  Proportional Controller Pressurizer Heater 12.
          K73     Containment Filter Unit No. 12.
          K74     Containment Spray Pump-12.
          K75     Fuel Pool Cooling Pump-11 & 12.
                  Containment Cooling Fan-13.
          K76     Fuel Pool Cooling Pump-11 & 12.
                  Switchgear Room A/C Compressor 12.
          K77     High Pressure Safety Injection Pump-12.
          K78     Spare
          K79     Instrument Air Compressor 12.
          K80     Low Pressure Safety Injection Pump-12.
          K81     Main Exhaust Fan 12.
          K82     Salt Water Pump 12.
          K83     Service Water Pump 12.
UV 3      K84     Spare
          K85     Charging Pump-13.
          K86     Component Cooling Pump-13.
          K87     Containment Filter Unit 13.
          K88     Containment Cooling Fan-14.
          K89     High Pressure Safety Injection Pump-13.
          K90     Plant Air Compressor 11.
          K91     Salt Water Pump-13.
          K92     Service Water Pump-13.
          K101    Turbine Trip SG #11.
          K102    Turbine Trip SG #12.
UV 4      K93     Diesel Generator No. 21 Engine Control.
          K94     Spare
          K113    Diesel Generator No. 12 Engine Control.
          --      Sequencer "B" Blocking.

Table B.14.6 Sequencer LOCA Step 6 Actuated Components

Actuation Subsystem A

Signal    Relay   Where Used
LOCA 6    K70     Switchgear Room A/C Compressor-11.
          K71     Spare
          K72     Spare

Actuation Subsystem B

Signal    Relay   Where Used
LOCA 6    K59     Switchgear Room A/C Compressor-12.
          K60     Spare

Table B.14.7 Shutdown Sequencer Actuated Components

Actuation Subsystem A

Signal    Relay   Where Used
SDS 1     K73     Service Water Pump-11.
          K74     Service Water Pump-13.
SDS 2     K75     Salt Water Pump-11.
          K76     Salt Water Pump-13.
SDS 3     K77     Spare
          K78     Heating & Ventilating Switchgear Room A/C Compressor-11.
          K79     Instrument Air Compressor-11.

Actuation Subsystem B

Signal    Relay   Where Used
SDS 1     K61     Service Water Pump-12.
          K62     Service Water Pump-13.
SDS 2     K63     Salt Water Pump-12.
          K64     Salt Water Pump-13.
SDS 3     K65     Switchgear Room A/C Compressor 12.
                  Instrument Air Compressor 12.

Table B.14.8 ESFAS Interfacing Failure Mode and Effect Analysis

Support Subsystem:                                120 VAC Vital Instrument Bus 11
Component Affected:                               ESFAS Actuation Logic Channel A Actuation Relays
Failure Mode:                                     Fails to Energize
Component Failure Effect on System:               Loss of Actuation Logic Channel A
Effect of Subsystem Failure on Overall System*:   1 of 2 Actuation Channels Fails to Actuate ESFAS Components.

Support Subsystem:                                120 VAC Vital Instrument Bus 12
Component Affected:                               ESFAS Actuation Logic Channel B Actuation Relays
Failure Mode:                                     Fails to Energize
Component Failure Effect on System:               Loss of Actuation Logic Channel B
Effect of Subsystem Failure on Overall System*:   1 of 2 Actuation Channels Fails to Actuate ESFAS Components.

* Assuming no recovery.
Table B.14.9 Engineered Safety Feature Actuation System Instrumentation Surveillance Requirement

Functional Unit                                      Channel    Channel       Modes in Which
                                                     Check      Functional    Surveillance
                                                                Test          Required
1. SAFETY INJECTION (SIAS)
   a. Manual (Trip Buttons)                          N.A.       R             N.A.
   b. Containment Pressure - High                    S(3)       M(4)          1,2,3
   c. Pressurizer Pressure - Low                     S          M             1,2,3
   d. Automatic Actuation Logic                      N.A.       M(1)(2)       1,2,3
2. CONTAINMENT SPRAY (CSAS)
   a. Manual (Trip Buttons)                          N.A.       R             N.A.
   b. Containment Pressure - High                    S          M             1,2,3
   c. Automatic Actuation Logic                      N.A.       M(1)          1,2,3
3. CONTAINMENT SUMP RECIRCULATION (RAS)
   a. Manual RAS (Trip Buttons)                      N.A.       R             N.A.
   b. Refueling Water Tank - Low                     N.A.       M             1,2,3
   c. Automatic Actuation Logic                      N.A.       M(1)          1,2,3
4. LOSS OF POWER
   a. 4.16 kV Emergency Bus Undervoltage             N.A.       M             1,2,3
      (Loss of Voltage)
   b. 4.16 kV Emergency Bus Undervoltage             N.A.       M             1,2,3
      (Degraded Voltage)

Table B.14.9 (Continued) Table Notation

(1) The logic circuits shall be tested manually at least once per 31 days.
(2) SIAS logic circuits A-4, B-5, A-10 and B-10 may be exempted from testing during operation; however, these logic circuits shall be tested at least once per 18 months during shutdown.

Surveillance Frequencies:
(3) S = per shift
(4) M = monthly
(5) R = refueling

(6) Mode   Rx Condition
    1      Power Operation
    2      Hot Standby
    3      Hot Shutdown

f i-i L l L l Table 3.14.10 BSPAS Channel Checke and Functiemel Teste PBS00ssCT OP 8303/ ' SOBSYSTgn TEAT NDST BB SEPECTED SUBSYSTEM ACTOk?!05 TTPE OF BTPASStB WITE NO 'BST TBST OUTAGE OPERASILITY SOURCE acasTSTan TRS* noTomaTIC REToms P-= =M Tim van 2PleaTrau (Tast PROCEDURE 01 SIAS-CTWF . Channel gene 'Per shift 0 g/A CCI-114 L7-$ (sat 5) Pressure Check l Channels (Signal I- 3D, SS, Deviation) L. SP, SG CSAS-CTNT Channel pone Per Shift 0 N/A CCI-114-L7-5 (SBT 5) Pressure Check Channels (Signal e-ED, SE, Deviation) SP, SG SIAS-Pt" Channel Mone Per Shift 0 N/A CCI-114-L7-S (S/T $) Pressure Check Channels (signal 3D, SE, Deviation) SP, 30 SIAS- Auto SIAS P3R press. nonthly 5 min Continuous M-220-1 Pressuriser - Demoval of Actuation Logie (Alarms & Pressure PSR Press. Subsystem A Annunc. Pro-Actuation Sinck v1 sos when Logic signal Slash is A Init.) SIAS- Auto SIAS PSR Press. monthly $ min Continuous N-210-1 Presourtser manovel of Actuation Logic Pressure PER Press. Subsystem 8 At-eation Block Logie Signal 3 e s . B.14-33

Table 3.14.10 ESPAS Channel Checks and Functions! Tests (Continued) PREQUENCY OF StuscR/ SUBSYSTEM TSAT MUST SE EEPECTED SUSSYSTER ACTUATION TIPE OF STPASSED WITS NO TEST TEST OUTAGE OPERASILITY SOURCE SUBSYSTEM 7tST ACTOM ATIC P E* URN F7FOUENCY TIME TYRIFICATION (TEST PPOctDUPE 4) SIM-CTNT CTNT Sigh SIAS-CTNT Pressure monthly 5 mia. nonthly N-220-1 Pressure Pressure Sensor Subeystem D Sensor 31 stable Subsystem Setpoint D Verifice-tion SIAS-CTMT CTNT Sigh SIAS-CTMT Pressure Monthly 5 min. Monthly n-220-1 Pressure Prersure Sonstr Subsystem E Sensor 31 stable Subsystem Setpoint S Verifice-tion SIAS-CTNT CTNT Sigh SIAS-CTNT Pressure Monthly 5 min. Monthly n-220-1 Pressure Pressure sensor subsystem P Sensor Sistable Subsystem Setpoint P Verifice-tion $3AS-CTNT CTNT Sigh SIAS-CTNT Pressure Monthly 5 min. Monthly n-220-1 Pressure Pressure Sensor Subsystem 0 Sensor Sistable Sttsystem Setpoint G Verifice-tion CSAS-CTNT CTW: Bigh SIAS-CTNT Pressure Monthly 5 min. Monthly R-220-1 Pressure Pressure Sensor Subsystem D Se nsor 31st able Subsystem Setpoint D Verifice-tion O 13.14-34

Table 3.14.10 BSPAS Channel Checke and Punctional teste (Continued) PRSOUSNCY OP l n

  'Q
        $383/

ACTUATION SUBSYSTER TTPE OF TBST Set 'STBN TEAT NUST BE

                                 ,TPASSED WITE NO AL W TIC REFURN TBST PREQUENCY SSPECTED TBST CUTAOR TIES SUBSYSTEM OPERASILITY VERIPICATION SOURCE (TSST PROCdDURE Gl
     $1AS-Al    SIAS-CSAS    Mone                          Monthly       0          Nonthly         STP-0 7 1 Act uation RAS A Logie Logic      Test l

l SIAS-A2 SIAS-CSAS EPSI 11 (Bandewitch in Monthly 20 min. nonthly S77-0-7-1 [ Actuation RAS A Logic Pull to Lock for Portion *EPSI 13 le running Logic Test of Test)* during this test phase. SIAS-A3 31AS-CSAS None Monthly 0 nonthly STP-0-7-1 Actuation RAS A Logic Logie Test l SIAS-A7 SIAS-CSAS Component Cooling P op 11 Monthly 20 min. Ronthly STP-0 7-1 j Actuation RAS A Logic Service Water Pump 11 413 Comp. Cooling Logic Test (Bandewitches in

  • Pull to Pump and 13 Service Lock *)+ Water Pump are pun-ning during this test Phase BAS-Al SIAS-CSAS LPSI 11 (3.3. in Full to Monthly 20 min. nonthly STP-0-7-1 Actuation RAS A Logie Lock)

Logic Test SIAS-31 31AS-CSAS, pone month;f 0 ponthly STP-0-7-1 Act uation RAS S Logie Logic Test

     $1AS-32    SIAS-CSAS,    12 EPSI up (38 in Full Monthly        20 min.         Monthly             P-0-7-1 Act uation RAS S         to Lock)                                                               {13PumpSunning Logie      Logie Test                                                                           During this test Phase.

13 EPSI 3 Pump running to Lock)gump (ES in Full During This Test Phase f

 .q)                                                                                                    .

B.14-35

Table 3.14.10 ESPAS Channel Checks and Functions! Teste (Continued) PREQUERCT OP SEMfGt/ SUBSYSTEM TSAT MUST BE REFECTED SUBSYSTEM ACTUATION TTPE OF BTPASSED MITE NO TEST TEST OUTAGE OPERABILITY SOCRCE SUBSTSTFM TEST AUTOMATIC PFTUDN PREQUENCY TIME VTPIPICATION (TEST PPOCEDUPE 4) CSAS-CTNT CTMT Eigh CSAS-CTNT Pressure Monthly 5 min. Monthly R-220-1 Pressu re Pressure Sensor Subsystem E Sensor 31st able subsystem Setpoint E Verifice-tion CSAS-CTNT CTNT Eigh CSAS-CTNT Pressure Monthly $ min. Monthly M-220=1 Pressure Pressure Sensor subsystem P Se nsor 31 stable subsystem Satpoint P Verifica-tion CSAS-CTNT CTNT Eigh CSAS CTNT Pressure Monthly 5 min. Monthly R- 22 0- 1 Pressure Pressure sensor subsystem 0 Se nsor 31 stable subsystem Setpoint G Verifica-tion $1 AS-P ER BP4 Punct. SI AS-PER Press. Sensor Monthly 10 min. Monthly R-2105-1 Press. Eigh PER Subsystea D Sensor Press. & Subsystem TM/LP D Cha nnel Test S! AS-P ER 3PS Punet. SI AS-PIR Press. Sensor Monthly 10 min. Monthly M-2103-1 Press. Righ P1R Subsystem E Sensor Press. & Subsystem TM/LP E Ch annel Test lll> I3.14-36

p-l- I Tebte s.14.10 aSPAS Cnennel Chocte ena Funettonal T..t icentinosal l l m PRS 00ENCY OF (\ SMSW/ SUBSYSTBN THAT NDST BE SIFBCTBD SUBSTSTEN ACTUk!!ON TYPE OF STPASSBD WITE NO TEST TEST CUTAGE OPERABILITY SOURCS SumYstat TRST AUTORATIC RETURN PRBMIENCY TINE VERIFICATION (7387 PROCRDURE 9) SIAS-PER RPS Punct. SIAS-PSA Press. Sensor Monthly 10 min. Monthly N-210s-1 Press. 31gh PIR Subsystem P Seneer Prese. 6 Subsystem TM/LP P Channel Test SIAS-P;R BPS Punct. SI AS-FIR Press. Seneer Monthly 10 min. Monthly N-2109-1 Press. Bign 729 Subsystem G Sensor Prese. & Subsystem TM/LP G. Channel Teet RAS-RWT- DWT Lou RAS-Inff Low Level Sensor Monthly 15 min. Monthly N-220-1 Law Level Level Subsystem D Sensor Switch subsystem Calib. D Check RAS DWT- Strf Low RAS-RWT Low Level Sensor Monthly 15 min. honthly N-220-1 Low Level Level Subsystem E Sensor Switch subsystem Calib. 3 Cheet RAS-DWT- ptrF Low RAS-PWT Low Level Seneer Monthly 15 min. Monthly N-210-1 Low Level Level Subsysten P Seneer Switch subsystem Calib. P Check RAS-PWT- SWT Low RAS-StrF Low Level Sensor Monthly 1S sin. Monthly N-220-1 Low Level Level Subsystem G Sensor Switch Subsystem Calib G Ch.c .

   .f x

B.14-37 r.. . .. .. .. .

Table 3.14.10 ESPAS Channel checks and Functional Teste (Continued) PR$QUENCY OF SIMSGt/ SUBSYSTEM TSAT MUST BE SE PECTED SUBSYSTEM ACTUATION TTPE OP STPASSED WITS MO TEST TEST CUTAGE OPERASILITY SOURCE SUBSYSTEM TEST AUTOMATIC RETURN PPEQUINCY TIME VIPIP! CATION (TEST PROCEDUPE f) SIAS-33 S3AS-CSAS Mone Monthly 0 Monthly STP-0-7-1 Act ua tion RAS S Logic Logic test $1AS-37 SIAS-CSAS 12 Camponent Cooling Pop Monthly 20 min. Monthly P-0-7-1 Act uation RAS S {13 Component 12ServiceWaterPung Cooling and 13 Logic Logic Test ($$ in Full to Lock) Service water Pumps Are Running During This Phase RAS-31 SIAS-CSAS, 12 LPSI Pump (SS Monthly 20 min. Monthly STLP-0-7-1 Act ua tion RAS S in Full to Lock) Logic Logic Test S!AS-A8 SIAf-CSAS 11 Salt Water purp Monthly 20 min. Monthly STP-0-7-1 Act uation RAS A Logic (SS in Full to Lock)* ' Pump 13 munning Logic Test During This Phase of Test CSAS-Al S!AS-CSAS Mone Monthly 0 Monthly STP-0-7-1 Act ua tion RAS A Logic Logic Test CSAS-A2 SIAS-CSAS 81-314 (CTMT Spray Pop Monthly 20 min. Monthly STP-0-7-1 Act uation RAS A Logic 11 Discharge Valee) Logic Test CSAS-A3 STAS-CSAS none Monthly 0 Monthly sTP-0-7-1 Act uation RAS A Logic Logic Test O B.14-38

l l Table 3.14.10 BSPAS Channel checks and Functional Teste (Continued) PREQUENCY OF SENSGt/ SUBSTITER TEAT MUST BS EXPECTED SUB8YSTER ACTUATION TYPE OF BYPASSED WITE NO TEST TEST OUTAG? OPERASILITT SOURCE SUBSYSTEM TEST AUTORATIC prTUpp PREQUENCT TIME VERIPTCATION (TEST PROCEDUDT 01 O SIAS-B8 Actuation Logic SIAS-CSAS RAS S Lotte 12 Salt Water pump (BS in Pa?! to Lock)I Monthly 20 mia Monthly P-0-7-1 { Pump 13 running During This Test Test Phase CSAS-B1 SIAS-CSAS None Monthly 0 monthly STP-0-7-1 Act uation RAS S Logic Logic Test CSAS-32 s!AS-CSAS SI-324 (CTNT Spray monthly 20 min. Monthly 377-0-7-1 Actuation RAS S Pump 12 Diecharge Valve) Logic Logic Test CSAS-n3 $1AS-CSAS uone Monthly 0 Monthly 377-0-7-1 Act uation BAS B Logic Logic Test

                            $1AS-A4    CVCS         cvC-210 (SAST 11           Renthly    2* min.         nonthly    377-0-7-1 a                    Actuation  Logic        Discharge Valve)

Logic Testing SIAS-A6 CVCS CVC-214 (SAST 12 Nonthly 20 sin. Monthly 377-0-7-1 Act uation Logic Discharge Valve) Logic Testing 11 Charging PumpI Ill Charging Pump (ES in Full to Lock) running During This base of Teet 13 Charging Pump 3 11 Charging Pump (ES in Full to Lock) running During This Phase of Test 9 B.14-39

Table 3.14.10 BSPAS Channel Checks and Functional Tests (Continued) PREQUENCY OF SENSCgt/ SUBSYSTEM TEAT prJST BB EXPECTED SUBSYSTEM ACTUATION TTPE OF STPASSED WITE NO TEST TEST 00TAGE OPERASILITT SOURCE SUBSYSTEM TEST AUTOMATIC B MURN PREOCENCY TIME VERIPICATION (TEST PPOCEDUWF 9) 51AS-34 CVCS CVC-218, CVC-223 Monthly 20 min. Monthly 5T7-0 7-1

        - Act uation     Logic        (tA Pops 11 6 12 Logic        Testing      Discharge Valves) 12 Charging P op           Monthly   20 min,         ponthly
            $1AS-34 Act uation CVCS Logie        (ES in Full to Lock)I                                            f-0-7-1 13 Pump punning Logic        Testing                                                                       During This Test thane.

SIAS-A9 Dn Logic pone Monthly 0 Monthly STP-0-7-1 Act uation Testing Logic S!AS-39 DG Logic mone Monthly 0 monthly 877-0 7-1 Act uation Testing Logic UVA-4, DG Logie pone monthly 0 Monthly STP-0-7-1 Sequence r Testing A UVS-4, DG Logic mone Monthly 0 ponthly STP-0-7-1 Sequencer Testing 9 O B.14-40 1 i

Table B.14.11 Engineered Safety Feature Actuation System Instrumentation

Functional Unit                                 Total No.           Channels            Minimum Channels    Applicable    Action
                                                of Channels         to Trip             Operable            Modes
1. SAFETY INJECTION (SIAS)
   a. Manual (Trip Buttons)                     2                   1                   2                   1,2,3,4       6
   b. Containment Pressure - High               4                   2                   3                   1,2,3         7
   c. Containment Pressure - Low                4                   2                   3                   1,2,3(a)      7
2. CONTAINMENT SPRAY (CSAS)
   a. Manual (Trip Buttons)                     2                   1                   2                   1,2,3,4       6
   b. Containment Pressure - High               4                   2                   3                   1,2,3         11
3. CONTAINMENT ISOLATION (CIS)
   a. Manual CIS (Trip Buttons)                 2                   1                   2                   1,2,3,4       6
   b. Containment Pressure - High               4                   2                   3                   1,2,3         7
4. MAIN STEAM LINE ISOLATION
   a. Manual (MSIV Hand Switches and            1/valve             1/valve             1/valve             1,2,3,4       6
      Feed Head Isolation Hand Switches)
   b. Steam Generator Pressure - Low            4/steam generator   2/steam generator   3/steam generator   1,2,3(c)      7
5. CONTAINMENT SUMP RECIRCULATION (RAS)
   a. Manual RAS (Trip Buttons)                 2                   1                   2                   1,2,3,4       6
   b. Refueling Water                           4                   2                   3                   1,2,3         7
6. CONTAINMENT PURGE VALVES ISOLATION
   a. Manual (Purge Valve Control Switches)     2/Penetration       2/Penetration       2/Penetration       1,2,3,4       6
   b. Containment Radiation - High              4                   2                   3                   6             8
      Area Monitor
7. LOSS OF POWER
   a. 4.16 kV Emergency Bus Undervoltage        4/Bus               2/Bus               3/Bus               1,2,3         7
      (Loss of Voltage)
   b. 4.16 kV Emergency Bus Undervoltage        4/Bus               2/Bus               3/Bus               1,2,3         7
      (Degraded Voltage)
8. CVCS ISOLATION
   a. Manual (CVCS Isolation Valve              1/valve             1/valve             1/valve             1,2,3,4       6
      Control Switches)
   b. West Penetration Room/Letdown Heat        4                   2                   3                   1,2,3,4       7
      Exchanger Room Pressure - High

Table B.14.11 Table Notation

(a) Trip function may be bypassed in this MODE when pressurizer pressure is < 1700 psia; bypass shall be automatically removed when pressurizer pressure is > 1700 psia.

(c) Trip function may be bypassed in this MODE below 600 psia; bypass shall be automatically removed at or above 600 psia.

ACTION STATEMENTS

ACTION 6 - With the number of OPERABLE channels one less than the Total Number of Channels, restore the inoperable channel to OPERABLE status within 48 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

ACTION 7 - With the number of OPERABLE channels one less than the Total Number of Channels, operation may proceed provided the following conditions are satisfied:

a. The inoperable channel is placed in either the bypassed or tripped condition within 1 hour. For the purposes of testing and maintenance, the inoperable channel may be bypassed for up to 48 hours from time of initial loss of OPERABILITY; however, the inoperable channel shall then be either restored to OPERABLE status or placed in the tripped condition.

b. Within one hour, all functional units receiving an input from the inoperable channel are also placed in the same condition (either bypassed or tripped, as applicable) as that required by a. above for the inoperable channel.

c. The Minimum Channels OPERABLE requirement is met; however, one additional channel may be bypassed for up to 48 hours while performing tests and maintenance on that channel provided the other inoperable channel is placed in the tripped condition.

ACTION 8 - With less than the Minimum Channels OPERABLE, operation may continue provided the containment purge valves are maintained closed.

ACTION 11 - With the number of OPERABLE Channels one less than the Total Number of Channels, operation may proceed provided the inoperable channel is placed in the bypassed condition and the Minimum Channels OPERABLE requirement is demonstrated within 1 hour; one additional channel may be bypassed for up to 2 hours for surveillance testing per Specification 4.3.2.1.

Table B.14.12 Engineered Safety Feature Actuation System Instrumentation Trip Values

FUNCTIONAL UNIT                              TRIP SETPOINT                        ALLOWABLE VALUES

1. SAFETY INJECTION (SIAS)
   a. Manual (Trip Buttons)                  Not Applicable                       Not Applicable
   b. Containment Pressure - High            4.75 psig                            4.75 psig
   c. Pressurizer Pressure - Low             1578 psia                            1578 psia

2. CONTAINMENT SPRAY (CSAS)
   a. Manual (Trip Buttons)                  Not Applicable                       Not Applicable
   b. Containment Pressure - High            4.75 psig                            4.75 psig

3. CONTAINMENT SUMP RECIRCULATION
   a. Manual RAS (Trip Buttons)              Not Applicable                       Not Applicable
   b. Refueling Water Tank - Low             24 inches above tank bottom          24 inches above tank bottom

4. LOSS OF POWER
   a. Undervoltage 4.16 kV Emergency Bus     2450 ± 105 volts with a              2450 ± 105 volts with a
      (Loss of Voltage)                      2 ± 0.2 second time delay            2 ± 0.2 second time delay
   b. Undervoltage 4.16 kV Emergency Bus     3420+25 volts with a 0+              2628+ Volts with a 8+0.4
      (Degraded Voltage)                     0.4 second time delay                second time delay

I Table 3.14.13 BSPAs Campenent railure Dates No. of Pa!! ares No. of Tests / Demands or BSPAs (CC Safety Related Ratnt. Operating sours Pa11ere Date Camponent Lage3 ( A) seguencer pedale 1 1570 Teste 6.48 4/ Demand Actuation Relay 3 20,000 Testa 1.18 4/ Demand Actuation Logie med. 8 38,900 Teste 2.13 4/ Demand Isolation Module 4 3.687 sours 1.12 7/sm Feuer Supply 2 1.684 Sours 1.38 6/ga 31 stable Trip Onit 7 22,500 Teste 3.18 4/ Demand Isolation Device 33 3.136 sours 1.18 5/sm (1/2, s/t)

,              CTr. Pressure sensor / -             2                        1.714 soute                                               1.18 4/sm i                Transeitter PER Press. Sensor /                  4                        4.085 Bours                                               1.)t.5/sa Transmitter kwr Level Switch                     0                           830 Testo                                              0.08 4/ Demand ($04)

Steam Generator 2 3.126 Boura 6.13 7/an Level Transmitter i b B.14-45

Table B.14.13.1 SAFETY INJECTION ACTUATICN SIGNAL SYSTEM (SIAS) DATA Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Description Description Rate (per/ht) Time (hr) q Q = Eq. SIAKSGFT-RCA-LF Failure to energize -- -- -- 1.1E-4 relay (plant data) SGFT = 001A.002A.003A 004A.005A.006A 007A 008A.009A 010A.011A.013A 021*.022A.023A 111A.024A.025A 026A.027A.028A 029A.O.DA.n31A 032A.0*J1A.034A 114A 001B.002B f 003B.004B.005B

p. 006B.0078.008B am 009B.010B.012B I 0178.018B.019B j' 0208.021B.022B 023B.024B.025B 026B.0278.029B 114B.030B ESF\C116-RCA-LF Failure to energize -- -- -- 1.1E-4 ESFAC113-RCA-LF relay (plant data)

ESFAC143-RCA-LF ESFAC146-RCA-LF RSFSQNCA-LOG-LF Failure of -- -- -- 6.4E-4 ESFSQNCB-LOG-LF Sequencer (plant data) O O


_ m.. . _ _ _ _ _ O O d 4 4 4 i Table B.14.13.1 SAFETY INJECTICII ACTUATICII SIGNAL SYSTEN (SIAS) DATA (Cont.) i i

Sub Event l Sub Event Fault Sub Event Event' Name Sub Event Failure Exposure Unavail. Unavail.

Event Description Description Rate (per/hr) Time (hr) g Q = Eq. 4 i ESFSOPSA-BSC-LF Failure of 28V 1.3E-6 2 -- 2.65-6 l ESFSQPSB-BEC-LF power supply l RSFSIPSA-BEC-LF (plant data) j ESFSIPSB-BEC-LF To sequencer SIASIBITA-Serr-LF Contacts fail to -- 6480 -- 3.0E-4 SIASIIrrB-SWT-LF close in manual trip switch t

!      OP-FL-ISt-SIASA        Operator fails to                --

j OP-FL-BWi-SIASB actuates SIAS la: ! large break LOCA -- -- -- 0.5 , Small or small-small -- -- -- 1.0E-2 , f break LOCA W A SIACPTUA-BTU-LF Bistable fails to -- -- -- 3.1E-4 I SIACPTUB-BTU-LF provide output signal A SIACPTUC-BTU-LF to actuation i SIACPTUD-BTU-LF Logic (plaat data) SIAPPTUA-BTU-LF j SIAPPTUB-BTU-LF l SIAPPTUC-BTU-LF SIAPPTUD-BTU-LP SIAPPBSA-Sert-LF Switch fails 2.7E-8 360 -- 9.7E-6

      .SIAPPBSB-SWT-LF        closed l

i SIAPPBLA-CAL-LF Blocking logic -- -- -- 1.lE-5 ! SIAPPBLB-CAL-LF generates spurious l signal (plant data) 1 l i I I

Table B.14.13.1 SAFETY INJECTION ACTUATION SIGNAL SYSTEM (SIAS) DATA (Cont.)

                    Event Description /                 Sub Event       Sub Event Fault   Sub Event   Event
Event Name          Sub Event Description               Failure Rate    Exposure Time     Unavail.    Unavail.
                                                        (per/hr)        (hr)              q           Q = Eq.

SIAPPBWA-CBL-LF     Spurious EMF on cable               2.7E-8          360               --          9.7E-6
SIAPPBWB-CBL-LF

RPSCPT3A-ASP-LF     Containment pressure sensor         1.2E-6          4                 --          4.8E-6
RPSCPT3B-ASP-LF     fails low or as is
RPSCPT3C-ASP-LF     (plant data)
RPSCPT3D-ASP-LF

SIAASGPT-LOG-LF     SIAS/SGIS Logic module fails        --              --                --          2.1E-4
                    to provide output to relays
                    (plant data)
  SGPT = L01A, L02A, L03A, L04A, L06A, L07A, L08A, L09A, L10A,
         L01B, L02B, L03B, L04B, L06B, L07B, L08B, L09B, L10B

SIASGPT-ISO-LF      Isolation module fails to           1.1E-7          360               --          4.0E-5
                    transmit sensor loop signal
  SGPT = CAIA, CAIB, CBIA, CBIB, CCIA, CCIB, CDIA, CDIB,
         PAIA, PAIB, PBIA, PBIB, PCIA, PCIB, PDIA, PDIB

1R 4 s k, 4 i Table B.14.13.1 SAFETY INJECTION ACTUATIOtt SIGNAL SYSTEN (SIAS) DATA (Cont.) i

.                                                                        Sub Event Su'o Event       Fault         Sub Event    Event Name               Sub Event                Failure          Exposure      Unavail. Unavail.

Event Description Description Rate (per/hr) Time (hr) g Q = Eq. i l CPLSA-PIP-LFB Pressure Sensing 1.0E-9 6400 -- 6.55-4 i CPLSB-PIP-LFB line blocked CPLSC-PIP-LFB CPLSD-PIP-LFB i

  • CPLSV13A-SOC-LF Solenoid valve -- 6400 --

4.03-3 CPLSV13B-SOC-LF fails closed ! CPLSV13C-SOC-LF CPLSV13D-SOC-LF RP51102A-CND-LF I/I fails to transmit 1.lE-5 4 -- 4.4E-5 ! [ RPSIl028-CND-LF signal from PER ! p. RPSIl02C-CND-LF pressure sensor am RPSIl02D-CND-LF (plant data) I

  #'                                                          1.3E-5         4                         5.2E-5 RPSP102A-ASP-LF         PER Pressure sensor                                         --

RPSP1028-ASP-LF fails high or as is RPSP102C-ASP-LP (plant data) RPSP132D-ASP-LF ESFSQNCA-T-PRMN Sequencer maintenance 2.8E-7 4 -- 1.1E-6 l ESFSQNCB-T-PRMN j ESFSQNCA-T-FRFM Failure to restore 2.8E-7x2.0E-3 360 -- 2.0E-7 ESFSQNCB-T-FRFM following maintenance i ESFSOP84-R-PRMN Power Supply 1.0E-6 4 -- 4.0E-6 ESFSOPOB-R-PRMN (rectifier) ESFSIP8A-R-PRMN Maintenance ESFSIPSB-R-PRMN f f i l i I l l

Table B.14.13.1 SAFETY INJECTION ACTUATION SIGNAL SYSTEM (SIAS) DATA (Cont.)

                    Event Description /                 Sub Event       Sub Event Fault   Sub Event   Event
Event Name          Sub Event Description               Failure Rate    Exposure Time     Unavail.    Unavail.
                                                        (per/hr)        (hr)              q           Q = Eq.

ESFSQP8A-R-FRFM     Failure to restore                  1.0E-6x2.0E-3   360               --          7.2E-7
ESFSQP8B-R-FRFM     following maintenance
ESFSIP8A-R-FRFM
ESFSIP8B-R-FRFM

SIA-SGPT-C-PRMN     Relay maintenance                   1.4E-7          4                 --          5.6E-7

SIA-SGPT-C-FRFM     Failure to restore                  1.4E-7x2.0E-3   360               --          1.0E-7
                    following maintenance
  SGPT = A001, A002, A003, A004, A005, A006, A007, A008, A009,
         A010, A011, A013, A021, A022, A023, A111, A024, A025,
         A026, A027, A028, A029, A030, A031, A032, A033, A114,
         A034, B001, B002, B003, B004, B005, B006, B007, B008,
         B009, B010, B012, B017, B018, B019, B020, B021, B022,
         B023, B024, B025, B026, B027, B029, B114, B030

RPS-SGPT-P-PRTS     Sensor loop out for test            1.4E-3          0.083             --          1.2E-4

Q) Table B.14.13.1 SAFETY INJECTION ACTUATION SIGNAL SYSTEN (SIAS) DATA (Cont.) Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Description Description Rate (per/hr) Time (br) q Q = Eq. RPS-SGPT-P-FRFT Failure to restore 1.4E-3x6.3E-3 8 *- 7.0E-5 following test SGPT = CP3A. CP38 CP3C. CP3D RPS-CP31-CN Containment pressure -- -- -- 1.45-3 sensor common mode RPS-SGPT-P-PRTS Sensor loop out for test 1.4E-3 .17 -- 2.4E-4 RPS-SGPT-P-FRTS -Failure to restore 1.4E-3x6.3E-3 8 -- 7.0E-S Following Test f $[ SGPT = PPLA. PPLB. I PPLC.PPLD ui h" Logic unit maintenance 2.0E-7 4 1.1E-6 COMPIDEN-T-PRMN -- COMPIDEN-T-FRFM Failure to restore 2.8E-7x2.0E-3 360 -- 2.0E-7 following maintenance COMPIDEN = SIAALXXX XXX = 01A.02A.03A.04A 06A 07A 00A.09A 10A.015.02B 03B 04B.065.07B.08B 098.108 RPS-PPLX-CM Pressurizer pressure -- -- -- 1.4E-3 sensor comaon mode

Table B.14.13.2 CONTAINMENT SPRAY ACTUATICN SIGNAL SYSTEN (CSAS) DATA Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Description Description Rate (per/hr) Time (hr) q Q = Eq. CSAK035A-RCA-LF Relay fails to -- -- -- 1.1E-4 CSAK036A-RCA-LF energize CSAK037A-RCA-LF CSAKO38B-RCA-LF CSAK031B-RCA-LF CSAK032B-RCA-LF CSAK033B-RCA-LF CSAK034B-RCA-LF CSAK035B-RCA-LF CSAK039A-RCA-LF OP-FL-MN-CSASA Operator fails to actuate OP-FL-MN-CSASB CSAS: Large LOCA -- -- -- 1.0 small or small-small -- -- -- 1.OE-2 CD h A CSAMNPBA-SNT-LF Switch faults -- 6480 -- 3.0E-4 CSAMNPBA-SWF-LF I

 $  CSAACLIA-LOG-LF        Actuation logic fails              --            --           --         2.1E-4 CSAACL2A-LOG-LF         to energize relays CSAACL1R-LOG-LF CSAACL2B-LOG-LF ESFCSP8A-REC-LF        Power supply fails             1.3E-6              2         --         2.6E-6 ESFCSP8B-REC-LF        (rectitier)

CAISDA-ISO-LF Optically coupled 1.1E-7 360 -- 4.0E-5 CAISEA-ISO-LF Isolator fails to CAISFA-ISO-LF transmit signal CAISGA-ISO-LP (open) CAISDB-ISO-LF O O

O O Table 3.14.13.2 CONTAIISEENT SPRAY ACTUATIOtt SIGNAL SYSTEN (CSAS) DATA (Cont.) Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Descr1Ption Description Rate (Per/ht) Time (hr) g Q = Eq. CAISEE-ISO-LF (Cont.) CAISFB-ISO-LF CAISGB-ISO-LF CSAPRBSA-BTU-LF Bistable Faults -- -- -- 3.1E-4 CSAPRBSB-BTU-LF CSAPRBSC-BTU-LF CSAPRBSD-BTU-LF CSAPT14A-ASP-LF Pressure Transmitter 1.28-6 4 -- 4.8E-6 CSAPT145-ASP-LF faults CSAPT14C-ASP-LF CSAPT14D-ASP-LF t2 CSA-SGPT-C-PROGE Relay Maintenance 1.4E-7 4 -- 5.6E-7 g A B CSA-SGPT-C-FRFN Failure to restore 1.4E-722.0E-3 360 -- 1.0E-7 (n Following maintenance ta SGPT = A035.A036 A037.A038 A039.3031 3032.5033 B034.5035 COOFIDEN-L-PROGE Logic Unit 2.8E-7 4 -- 1.1E-6 Maintenance COOWIDEN-L-FRFN Failure to restore 2.8E-7x2.0E-3 360 -- 2.0E-7 following maintenance


O O 1 Table B.14.13.3 UNDERVOLTAGE SYSTEM (UV) DhTA Sub Event Sub Event Fault Sub Event Event i Name Sub Event Failure Exposure Unavail. Unavail. + Event Description Description Rate (per/hr) Time (br) q Q = Eq. I, i UVrutrY-BCA-LF Belay fails to -- -- -- 1.1E-4 a energize (plant data) , 111Y.000A.081A.082A OS3A.109A.113A 1 0663.0578.068B i 0935.1138 UV-Y1XX-C-PRMN Relay out for 1.4E-7 4 -- 5.6E-7 maintenance UV-Y1XX-C-FRFN Failure to restore 1.4E-7x2.0E-3 360 -- 1.0E-7 ! g relay following 3 . maintenance W A YXXX.A000. A001 A002 i 1 di A003.A109.A113 . Ln 3066.5067.5068

3093.B113 I

! UVACLGKY-LOG-LF Fails to actuate relays -- -- -- 2.1E-4 XY = 1A.3A.4A i 15.33.4B l i ESFUVPeh-REC-LF Power supply fails 1.3E-6 2 -- 2.6E-6 i RSFUVPSB-REC-LF To energize relay UVTDRSEX-BTU-LF Bistable trip unit -- -- -- 3.18-4 j fails to provide j output to relays i

Table B.14.13.3 UNDERVOLTAGE SYSTEM (UV) DATA (Cont.) Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Description Description Rate (per/hr) Time (hr) q Q = Eq. UVDKRLXX-RCA-LF Relay fails to -- -- -- 3.0E-4 deenergize UVC3tISIX-ISO-LF Isolation device 1.1E-5 4 -- 4.45-5 fails to transmit signal XX. AA.BA.CA.DA AB.BB.CB.DB UVACLGXY-L-PRfGE Actuation logic 2.8E-7 4 -- 1.lE-6 maintenance C3 UVACLGXY-L-FRFM Failure to restore 2.8E-7x2.0E-3 360 -- 2.0E-7 following logic [ maintenance I ut XY= 1A.3A.4A.18.38.4B m ESFUVP8A-R-PR898 Power supply (rectifier) 1.0E-6 4 -- 4.0E-6 ESFINP8B-R-PR788 Maintenance ESFUVPSA-R-FRFM Failure to restore 1.0E-6x2.0E-3 360 -- 7.2E-7 ESFUVP8B-R-FRFM following maintenance i O O

A U Table 3.14.13.4 SHUTDOWN SYSTEN (SDS) SEQUENCER DhTA Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Description Description Rate (per/hr) Time (hr) g 0 - Eg. SDSK073A-RCA-LF Relay fails to -- 6400 - 3.4E-4 SDSE074A-RCA-LF energize SDSE075A-RCA-LF (use 95% value and SDSE076A-3CA-LP convert to mean SDSE0415-ECA-LP 50% = 1.1E-4 SDSE0423-BCA-LF 95% = 2.7E-4 SDSK0635-3CA-LF Neaa = 1.25 x 2.7E-4 = 3.4E-4) SDSK0645-RCA-LF (plant data) SDSSONCh-LOG-LF Sequencer fails to -- 6400 -- 3.8E-3 SDSSONCS-LOG-LF sequence loads (use 954 value and convert to mean g 50% = 6.4E-4

    .                   954 - 3E.3 M                   Neaa = 1.25x3E 3.8E-3)

A 3.0E-3 h w SDSAR113-SUT-LF SDSAR116-SNT-LF DG BER AUE. Relay contacts fail to close SDSAR143-SWT-LF SDSAR146-SWT-LF 3 SDOWS9SA-CSL-LF Spurious EOF on cable 1.0E-8 360 -- 3.6E-6 j SDSNS,Sa-Cat-Lr i j SDSSONCA-L-FWEB Logic unit meistenance 2.0E-7 4 -- 1.1E-6 j SDSSQNCB-L-Faget i i SDSSgeCA-L-FSFN Failure to restore 2.0E-7x2.0E-3 6400 -- 3.6E-6 l SDSSQNCS-L-FEFM following malatemance l l 1

Table B.14.13.4 SHUTDOWN SYSTEN (SDS) SEQUENCER DATA (Cont.) Sub Event Sob Event Fault Sub I int Event Name Sub Event Failure Exposure Unave 2. Unavail. Event Description Description Eate (per/hr) Time (br) q Q = Eq. ESFQP8A-B-PRMN Power supply 1.0E-6 4 -- 4.0E-6 ESFQP85-R-PRMN maintenance (rectifier) ESPQP8A-R-FRFM Failure to restore 1.0E-6x2.0E-3 360 -- 7.2E-7 ESFQPSB-R-FRFM following maintenance SDS-SGPT-C-PRMN Relay Maintenance 1.4E-7 4 -- 5.6E-7 SDS-SCFT-C-FRFM Failure to restore 1.4E-712.0E-3 6480 -- 1.8E-5 following maintenance SGPT . A073. A074 [# A075. A076

p. B061. B062
    • B063. 8064 E

(n to ESFSQP8A-REC-LF Power Supply Faults 1.3E-6 2 -- 2.6E-6 ESFSQP8B-REC-LP (rectifier) O @

O O Table 3.14.13.5 RECIRCULATICII ACTUATICII SIGIIAL STSTWE (RAS) DATA Sub Event Sub Rvent Fault sub Event Event Bene Sub Event Failure Exposure Unavail. Usavail. Event Descripties Descripties Rate (per/hr) Time (kr) g Q = Eq. BASE 064A-BCA-LF Relay Fails to -- -- -- 1.1R-4 RASE 064A-RCA-LF Energise BASE 047A-3CA-LF BASE 0535-3CA-LP BASK 0555-RCA-LP BASK 0565-3CA-LF BASACIAIA-IAG-LF Actuation Logic Fails -- -- -- 2.1E-4 mamar r '22. !AG-LF To signal relays to energize maansTFsA-Serr-LF Nessel BAS initiation -- 6480 -- 8.0E-3 BAserTFSS-Serr-LF - switch faults C1

 . OF-FL-ass-RASA         operater tails to                 -                --                     --         1.0E-2 OF-FL-8ef-BASB         actuate RAS

[ b C RASIS004-ISO-LF BASISOEA-ISO-LF Icelation 4evice fails to transmit 1.1R-7 360 -- 4.0E-5 BASIS 0FA-ISO-LF signal BASIS 0GA-ISO-LF RASISOOS-ISO-LF BASISOES-ISO-LF RASISOFR-ISO-LF [ BASISOGB-ISO-LF l BA342A-Serr-LP Level switch fails -- -- -- 8.0E-4 BAS 423-Sarf-LF to actuate BAS 42C-Serr-LF l BAS 42D-Strf-LF 1 l l l l i

Table B.14.13.5 RECIRCULATION ACTUATION SIGNAL (BAS) DATA (Coat.) Sub Event Sub Event Pault Sub Event Event Name Sub Event Failure Exposure Unavail. Unava11. Event Description Description Rate (per/hr) Time (br) q Q = Eq. BAS-SCFT-C-PR397 Relay maintenance 1.4E-7 4 -- 5.6E-7 RAS-SGFT-C-FRFM Failure to restore 1.4E-7x2.0E-3 360 -- 1.OE-7 fallowing saintenance SGPT - A064.A066. A067.5053 3055.8056 RASACLGA-L-PR5GE Logic unit 2.8E-7 4 -- 1.1E-6 RASACLGB-L-PR588 maintenance RASACLGA-L-FEFM Failure to restore 2.8E-722.0E-3 360 -- 2.0E-7 BASACLGB-L-FRFM following maintenance >* RAS-SGPT-C-PRTS Sensor loop out for 1.4E-3 0.25 -- 3.5E-4 f test m o RAS-SGFT-C-FRFT Failure to restore 1.4E-3x2.4E-3 720 -- 2.4E-3 following test SGFT = RSLA.RSLB RSLC.RSLD RAS-RSLX-CM Rtrr level sensor - -- -- 1.4E-3 common mode O O

(~h J Table 3.14.13.6 AURILIABY FREDIRTER ACTUATICII SItas&L SYSTBit (APAS) DATR Sub Event Sub Event Fault Sub Eveat Event Home Sub Event Failure Exposure Unavail. Usava11. Event Descripties Description Bate (per/hr) Time (kg) g 9 . Eg. AFassAV1-BCA-LF Belay fails te -- --- -- 1.1E-4 AFAKSAV2-BCA-LF emergize AFAspeF3-BCA-LF AFAEAFAB-BCA-LP Afar wa-ggag.LF Actuation logic - -- -- 2.05-4 Afar norm.gg)g.LF faults ESFAFFSA-BEC-LF Fewer supply faults 1.3E-6 2 -- 2.68-6 ESFAFF95-BEC-LF (rectifier) AFasesFBA-serr-LF Dwitch faults 1.0E-5 6400 -- 6.5E-2 AFAsesFBB-serr-LF C3

  • Operator fails to OF-FL-355-AFASA -- -- -- 1.0E-2
 $e OF-FL-858-AFASB         manually actuate Artt m  AFAISX11-ISO-LF         Isolaties device                1.1E-7           360           --          4.0E-5 P                          falls to transett signal.

XIX = DIA.EIA.F1A.GIA D2A.E2A.F2A.G2A D13.E13.F15.G1B D23.E25.F23.G2B AFALLBID-NTU-LF Bistable faults -- -- -- 3.1E-4 AFALLBIE-BTU-LF AFALLB1F-BTU-LF AFALLB1G-BTU-LF AFALLB2D-BTU-LP

Table B.14.13.6 AUZILIARY FEEDWATER ACTUATICat SIGNAL SYSTEM (AFAS) IATA (Cont.) Sub Event Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Description Description Rate (per/ht) Time (hr) q Q = Eq. AFALLR2E-BTU-LP (Cont.) AFALLB2F-RTU-LF AFALLB2C-BTU-LF

                                                                                                        ~

AFAMRPSI-SMT-LF Spurious blocking 3.0E-8 360 -- 1.1E-5 AFAMBPS2-Swr-LF signal RPSLI13A-ISO-LF Isolation device 1.1E-5 4 -- 4.4E-5 RPSLI23A-ISO-LF fails to trancait RPSLI135-ISO-LF signal (1/1) RPSLI235-ISO-LF RPSL113C-ISO-LP RPSLI23C-ISO-LF RPSLI13D-ISO-LF [ RPSLI23D-ISO-LF W A RPSLT13A-ASL-LF Level transmitter 6.5E-7 6480 -- 4.25-3 [ RPSLT23A-ASL-LF faults u RPSLT138-ASL-LP RPSLT23B-ASL-LF RPSLT13C-ASL-LF RPSLT23C-ASL-LF RPSLT13D-ASL-LF RPSLT23D-ASL-LF RPSLT13A-ASL-FSL Fault in sensing 1.0E-9 360 -- J.65-7 RPSLT138-ASL-FSL line (plug) RPSLTI3C-ASL-FSL RPSLT13D-ASL-FSL IPSLT23A-ASL-FSL RPSLT238-ASL-FSL RPSLT23C-ASL-FSL RPSLT23D-ASL-FSL e e

Table R.'14.13.6 AGEILIART FREDelhTER ACTUATICII SIGIEAL SYSTEM (AFAS) DATA (Cont.) Set Event Sub Event Fault Sub Event Event u=== Sub Event Failure ERPoeure Usava11. Umavail. Event Deecr1Pties Description Rate (Per/hr) Time (hr) q O = Eg. AFA-SAY1-C-PWWE Relay malatemance 1.4E-7 4 -- 5.6E-7 M A-SAV2-C-PSIEE AFA-ISP3-C-PWet AFAEAFAB-E-PSeet AFA-SAV1-C-FRF95 Failure to restore 1.45-722.0E-3 360 -- 1.0E-7 AFA-SAV2-C-FRFIE following malatemance AFA-ISP3-C-FRF9E AFAEAFAB-R-FRFUt AFAN-L-Pues Logic mait 2.8 E-7 4 -- 1.1E-6 AFALOGCB-L-FWet malatemance Afar en_L-ygy9t Failure to restore 2.SE-7m2.0E-3 360 -- 2.0E-7 ." AFALOGCB-L-FRF9E fallowiag me1steaaace H A ESFAFPSA-B-PSIGE Rectifier 1.OE-6 4 -- 4.0E-6 ESFAFPSB-R-PSIGf malatemance [ RSFAFPSA-B-FRF98 Failure to restore 1.0E-6x2.0E-3 360 -- 7.2E-7 ISFAFF05-E-FSF95 following malateasace RPS-SGPT-P-PRTS Sensor loeP est for 1.4E-3 .17 - 2.3E-4 test RFS-SGPT-P-FRFT Failure to restore 1.4R-1st.3E-3 8 -- 7.0E-5 following test SGPT = SLIA. SL2A SLIB. SL23 SLIC, SL2C SLID. SL2D

Table B.14.14a. SIAS Fault Tree Special Gate Algorithms

Designator Group                          Algorithm

LOS-PIP-SIA-SIA2                          (SPR-POP-ESF-B113)
                                          * (SPR-POP-ESF-B116)
                                          + (LOS-POP-SIA-S9SA)
                                          + (LOS-POP-SIA-SI2A)

LOS-PIP-SIA-SIA3, -SIA6,                  Same Algorithm As Above With
      -SIA7, -SIA8,                       Different Events
      -SIB2, -SIB3,
      -SIB6, -SIB7,
      -SIB8

LOS-PIP-SIAAL01A                          (LOS-POP-SIA-PPA1)
                                          * (LOS-POP-SIA-CPA1)
                                          * (LOS-POP-SIA-MTA1)

LOS-PIP-SIAAL02A, -SIAAL03A,              Same Algorithm As Above With
      -SIAAL04A, -SIAAL06A,               Different Events
      -SIAAL07A, -SIAAL08A,
      -SIAAL09A, -SIAAL10A,
      -SIAAL01B, -SIAAL02B,
      -SIAAL03B, -SIAAL04B,
      -SIAAL06B, -SIAAL07B,
      -SIAAL08B, -SIAAL09B,
      -SIAAL10B

LOS-PIP-SIAPPLA1                          Letting: D = LOS-POP-SIA-PD1A
                                                   E = LOS-POP-SIA-PE1A
                                                   F = LOS-POP-SIA-PF1A
                                                   G = LOS-POP-SIA-PG1A
                                          Then algorithm is:
                                            D*E*F + D*E*G
                                          + D*F*G + E*F*G

LOS-PIP-SIAPPLA2, -SIAPPLA3,              Same Algorithm As Above With
      -SIAPPLA4, -SIAPPLA6,               Different Events
      -SIAPPLA7, -SIAPPLA8,
      -SIAPPLA9, -SIACPLA0,
      -SIACPLA1, -SIACPLA2,
      -SIACPLA3, -SIACPLA4,
      -SIACPLA6, -SIACPLA7,
      -SIACPLA8, -SIACPLA9,
      -SIACPLA0, -SIAPPLB1,
      -SIAPPLB2, -SIAPPLB3,
      -SIAPPLB4, -SIAPPLB6,
      -SIAPPLB7, -SIAPPLB8,
      -SIAPPLB9, -SIAPPLB0,
      -SIACPLB1, -SIACPLB2,
      -SIACPLB3, -SIACPLB4,
      -SIACPLB6, -SIACPLB7,
      -SIACPLB8, -SIACPLB9,
      -SIACPLB0

Table B.14.14b. CSAS Fault Tree Special Gate Algorithms

Designator                                Algorithm

LOS-PIP-CSA-A039                          (SPR-POP-ESF-B113)
                                          * (SPR-POP-ESF-B116)
                                          + (LOS-POP-SIA-S9SA)
                                          + (LOS-POP-CSA-CS2A)

LOS-PIP-CSA-B035,                         Same Algorithm As Above
      -CSA1,                              With Different Events
      -CSB1

LOS-PIP-CSAMAC1A                          (LOS-POP-CSA-SA2A)
                                          * (LOS-POP-CSA-SM2A)

LOS-PIP-CSAMAC1B,                         Same Algorithm As Above
      -CSAMAC2B,                          With Different Events
      -CSAMAC1A

LOS-PIP-CSAACL2A                          Letting: D = LOS-POP-CSA-SD2A
                                                   E = LOS-POP-CSA-SE2A
                                                   F = LOS-POP-CSA-SF2A
                                                   G = LOS-POP-CSA-SG2A
                                          Then algorithm is:
                                            D*E*F + D*E*G
                                          + D*F*G + E*F*G

LOS-PIP-CSAACL2B,                         Same Algorithm As Above With
      -CSAACL1A,                          Different Events
      -CSAACL1B

Table B.14.14c. RAS Fault Tree Special Gate Algorithms

Designator                                Algorithm

LOS-PIP-RASACLGA                          (LOS-POP-RAS-RSAA)
                                          * (LOS-POP-RAS-RSMA)

LOS-PIP-RASACLGB                          Same Algorithm As Above With
                                          Different Events

LOS-PIP-RASRWTLA                          Letting: D = LOS-POP-RAS-RSDA
                                                   E = LOS-POP-RAS-RSEA
                                                   F = LOS-POP-RAS-RSFA
                                                   G = LOS-POP-RAS-RSGA
                                          Then algorithm is:
                                            D*E*F + D*E*G
                                          + D*F*G + E*F*G

LOS-PIP-RASRWTLB                          Same Algorithm As Above With
                                          Different Events

Table B.14.14d. UV Fault Tree Special Gate Algorithms

Designator                                Algorithm

LOS-PIP-UVACLG4A                          Letting: D = LOS-POP-UV-U4DA
                                                   E = LOS-POP-UV-U4EA
                                                   F = LOS-POP-UV-U4FA
                                                   G = LOS-POP-UV-U4GA
                                          Then algorithm is:
                                            D*E*F + D*E*G
                                          + D*F*G + E*F*G

LOS-PIP-UVACLG3A,                         Same Algorithm As
      -UVACLG1A,                          Above With Different
      -UVACLG4B,                          Events
      -UVACLG3B,
      -UVACLG1B

Table B.14.14e. SDS Fault Tree Special Gate Algorithms

Designator                                Algorithm

LOS-PIP-SDS-SDA1                          (LOS-POP-SDS-B113)
                                          * (LOS-POP-SDS-B116)
                                          + (LOS-POP-SDS-S95A)

LOS-PIP-SDS-SDA2,                         Same Algorithm As
      -SDB1,                              Above With
      -SDB2                               Different Events

Table B.14.14f. AFAS Fault Tree Special Gate Algorithms

Designator                                Algorithm

LOS-PIP-AFA-MDP3                          (SPR-POP-ESF-B113)
                                          * (SPR-POP-ESF-B116)
                                          + (LOS-POP-SIA-S9SA)
                                          + (LOS-POP-AFA-PMD3)

LOS-PIP-AFALOGCB                          (LOS-POP-AFA-L11B)
                                          * (LOS-POP-AFA-L12B)
                                          * (LOS-POP-AFA-AFMB)

LOS-PIP-AFALOGCA                          Same Algorithm As
                                          Above With
                                          Different Events

LOS-PIP-AFALM11B                          Letting: D = LOS-POP-AFA-AD1B
                                                   E = LOS-POP-AFA-AE1B
                                                   F = LOS-POP-AFA-AF1B
                                                   G = LOS-POP-AFA-AG1B
                                          Then algorithm is:
                                            D*E*F + D*E*G
                                          + D*F*G + E*F*G

LOS-PIP-AFALM12B,                         Same Algorithm As
      -AFALM11A,                          Above With
      -AFALM12A                           Different Events
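The gate algorithms in Tables B.14.14a through B.14.14f can be evaluated numerically. The following Python sketch is an added example, not part of the original report: it parses an expression in the tables' notation and computes the gate probability exactly and by the rare-event approximation. It assumes that "*" is Boolean AND, that "+" is Boolean OR, that the events are independent, and it uses constructed probabilities, because the report's values for these events are not given in this section.

```python
"""Evaluate fault-tree gate expressions written as sums of products.

Assumptions (added here, not stated on the page): '*' is Boolean AND,
'+' is Boolean OR, '*' binds tighter than '+', and events are independent.
Common-mode events listed in the data tables are not modelled here.
"""
import itertools
import math


def parse_gate(expr):
    """Turn '(A) * (B) + (C)' into a list of cut sets: [{'A', 'B'}, {'C'}]."""
    cut_sets = []
    for term in expr.split("+"):
        events = frozenset(n.strip().strip("()").strip() for n in term.split("*"))
        if "" in events:
            raise ValueError(f"empty event name in term {term!r}")
        cut_sets.append(events)
    return cut_sets


def minimal_cut_sets(cut_sets):
    """Drop duplicates and any cut set that strictly contains another one."""
    unique = set(cut_sets)
    kept = [c for c in unique if not any(other < c for other in unique)]
    return sorted(kept, key=lambda c: (len(c), sorted(c)))


def gate_fails(cut_sets, failed):
    """True when the failed events cover at least one cut set."""
    failed = set(failed)
    return any(c <= failed for c in cut_sets)


def exact_probability(cut_sets, q):
    """Exact gate probability: enumerate every failed/working combination."""
    events = sorted(set().union(*cut_sets))
    total = 0.0
    for state in itertools.product((False, True), repeat=len(events)):
        failed = {e for e, down in zip(events, state) if down}
        if gate_fails(cut_sets, failed):
            total += math.prod(q[e] if down else 1.0 - q[e]
                               for e, down in zip(events, state))
    return total


def rare_event_probability(cut_sets, q):
    """Rare-event approximation: sum of cut-set products (an upper bound)."""
    return sum(math.prod(q[e] for e in c) for c in cut_sets)


# Four-channel form, e.g. LOS-PIP-SIAPPLA1: true when any 3 of D, E, F, G occur,
# which is how a 4-channel function needing 2 channels to trip fails to trip.
TWO_OF_FOUR = "D*E*F + D*E*G + D*F*G + E*F*G"

# Relay form, e.g. LOS-PIP-SIA-SIA2 (event names as read from Table B.14.14a).
RELAY_GATE = ("(SPR-POP-ESF-B113) * (SPR-POP-ESF-B116)"
              " + (LOS-POP-SIA-S9SA) + (LOS-POP-SIA-SI2A)")

# Constructed probabilities for illustration only; not values from the report.
CHANNEL_Q = dict.fromkeys("DEFG", 3.1e-4)
RELAY_Q = {
    "SPR-POP-ESF-B113": 1.0e-3,
    "SPR-POP-ESF-B116": 1.0e-3,
    "LOS-POP-SIA-S9SA": 2.0e-4,
    "LOS-POP-SIA-SI2A": 1.0e-4,
}

if __name__ == "__main__":
    for label, expr, q in (("2-of-4 channel gate", TWO_OF_FOUR, CHANNEL_Q),
                           ("relay gate", RELAY_GATE, RELAY_Q)):
        cuts = minimal_cut_sets(parse_gate(expr))
        print(f"{label}: {len(cuts)} minimal cut sets, "
              f"exact={exact_probability(cuts, q):.3e}, "
              f"rare-event={rare_event_probability(cuts, q):.3e}")
```

With equal channel probabilities q, the four-channel gate evaluates to 4q^3 - 3q^4, so independent channel failures contribute far less than a single-event term such as the third and fourth terms of the relay gate.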

Figure B.14-1. Simplified Functional Diagram of ESFAS (Sheet 1)

                    *                                          'l gI
    < g-            g_g-.      @          :- - ,
  • A i
                              ,      nt                                        gg                     n"-  :-

1 g. J

-- I l , a
       } p}

Ku _: g = y u ' g a K, _.- i ., , l _; gg = = ;j - V O 9_ . je>- gi-

  • I !!?> It  ?> == ny~

i, i i -> -

                          ,_, 1      u.         1                                    18~~~Ti a           9    -

i i , ,_,1 v. , g nt  ; 1 1

                                                "                                 &                   Kg
                                      $5                                                      9                 L y    ; E,                 i                                          ;

E! p [~*

            ,lp.                                                    -

gb . a ;a &

         '                    r: ,               g i

1 ;>i,19>M. E p I - igg

                          ,qi        phpl1                 y P

gg e.g;l 9i=>w

                                                           -                                                     l
                                  ;,    i_,

e

                                                                                  .qh&

1 6, fd "*)i ,Ik

          \

4

                 #;it 1.m, g\.

it

                                         #                        \ ,. =                           p h; 4 ji!

o" 1. me N.1In; ii - i. q:

               '.401                                                   ! .       .,en
                                                                               ._1901 IN$.      .

neore o.14-1 gty "" " ""' '"" B.14-71

1 l l O a a_ _ ._ . J 0 " x T* -

                              -((-  -

E R _. sE g

                                                                   ]

ia! s;-

                              .gf-  -

_ g ,T 5 g g!ii; a .  : ._. 4

                                                                   ] W.
                              .[--                                                   o gI
             --        -                            _              i g                                               :   -

a -

                                                               ,, f a                                              -

O

     !            v gE f  -
                                                           ~

j

      '                     I I       in        _      8 ,4 _n  y           -

0 E I-s . 1 _,

                                              ~

_ .---.6

                                                                           ~

V g _ _ _

                                                           ~

1 ' O 3_ I i _ _ g 5 a g o B 'L ( {_.- a1 _ _ 3 J Figure B.14-1 Simplified Functional Diagram of ESFAS (Sheet 3) B.14-72

Figure B.14-2 ESFAS Actuation Logic (diagram title: ESFAS ACTUATION - NO LOSS OF 4 KV BUS 11 OR 14)

Figure B.14-3 Undervoltage Actuation Logic

Figure B.14-5 Sequencer Actuation Logic

Appendix B.15 Service Water System

B.15 SERVICE WATER SYSTEM DESCRIPTION

B.15.1 Purpose

The Service Water System (SRWS) is designed to remove heat from various plant components and to transfer this heat to the Salt Water System (SWS) for ultimate disposal in Chesapeake Bay.

B.15.2 Description

The SRWS consists of two subsystems, each of which contains an electric motor-driven pump and a shell and tube heat exchanger. A third motor-driven pump can be used to supply either of the two subsystems in the event that the normal pump is lost. Two 2350-gallon head tanks located at the 69-foot elevation of the Auxiliary Building provide the required net positive suction head for the SRWS pumps. Make-up water for the head tanks is available from the demineralized water system or the condensate system. The level in each head tank is controlled by a level control valve (SRW-1579 for subsystem 11 and SRW-1565 for subsystem 12) which maintains the proper level. Water may also be added manually by opening the manually operated bypass valve.

In order to minimize corrosion in the SRWS, the service water (SRW) is treated with hydrazine from a 75-gallon additive tank. The hydrazine is injected into the system using the differential pressure across the SRW pumps. In case the system should become contaminated, SRW may be discharged to the miscellaneous waste processing system to aid in cleanup.

B.15.2.1 Overall Configuration

A simplified flow diagram for the SRWS is shown in Figure B.15-1. Each of the three SRW pumps is capable of delivering 7,050 gpm at 180 ft head (see Table B.15.1 for data on SRW pumps). Normally, two SRW pumps (#11 and #12) will be running with the other pump (#13) in standby. The normally running pumps each have their own head tank and supply a separate subsystem. The third pump (#13) can be lined up to take suction from and discharge to either subsystem 11 or 12 using either head tank. Normally, it will be lined up mechanically to subsystem 12. This ensures a supply of water to diesel generator #12.

Power for the pumps comes from the plant's 4160V buses. SRW pump #11 receives power from 4 kV bus #11. Pump #12 receives power from 4 kV bus #14. Pump #13 can be manually aligned, using key-operated disconnect links (see Figure B.15-2), to receive power from either bus #11 or bus #14. During normal operation, pump #13 is aligned to receive power from 4 kV bus #11.

Pumps #11 and #12 will automatically start (see Figure B.15-3) if their control switches are in the "normal" position (standby) on a SIAS or a shutdown sequencer signal (SDS) if their respective supply buses are energized. Pump #13 will start on a SIAS or SDS signal only if the other SRW pump (either #11 or #12) supplied from the same 4160V bus to which pump #13 has been aligned by position of the disconnect links (either bus #11 or bus #14) does not start within 1 second after the start signal is applied to the circuit. Pump #13 is interlocked such that it cannot be energized from two buses at the same time and such that the disconnect links cannot be opened under load.

The two SRW heat exchangers, 11 and 12, are of the shell and tube type with SRW on the shell side and salt water supplied by the SWS on the tube side. Both SRW heat exchangers are used during normal operation. However, one may be removed from service for a limited time for maintenance. The two subsystems of the SRWS may be cross-connected manually and one heat exchanger used to remove the full heat load for periods of time not to exceed the requirements of Technical Specification 3.4 (stated in subsection B.15.2.7 of this section of Appendix B). Table B.15.1 contains data for the SRW pumps and heat exchangers.

The SRWS supplies cooling water to plant systems and components as follows:

Subsystem 11 supplies:
    11 and 12 Containment Air Coolers
    11 Emergency Diesel Generator
    Instrument Air Compressors and Aftercoolers
    Plant Air Compressor and Aftercooler
    EHC Oil Coolers
    Main Lube Oil Cooler
    Turbine Sample Cooler
    Make-up Degasifier Vacuum Pumps
    Auxiliary Feed Pump Room Air Cooler

Subsystem 12 supplies:
    13 and 14 Containment Air Coolers
    12 Emergency Diesel Generator
    11 Spent Fuel Cooler
    Nitrogen Compressor
    Generator Isolated Phase Bus Duct Coolers
    Generator-Exciter Air Coolers
    Generator Hydrogen Coolers
    Generator Stator Liquid Coolers
    Waterbox Priming Pumps
    Condenser Vacuum Pumps
    Feed Pump Lube Oil Coolers
    Condensate Booster Pumps

Of the components identified above, only the containment air coolers and the diesel generators have been analyzed with fault tree techniques in this study. The others have either not been considered in enough detail to require analysis of service water faults (e.g., the condensate booster pumps), or have not been included in this study at all (e.g., spent fuel pool cooler).

There are four containment cooling units. Only three of these are normally in service with the fourth as a spare cooler (inlet valve open, outlet valves shut). Normally, #11 and #12 containment air coolers are supplied from SRW subsystem 11; #13 and #14 containment air coolers are supplied from SRW subsystem 12. However, any containment air cooler can be supplied from either subsystem by the use of manual valves. Normal flow through each of the containment cooling units is through the normally open, remotely-operated, eight-inch inlet valve (SRW-1581, -1589, -1584, or -1592), which is controlled from panel 1C13. Return water leaves through a four-inch valve (SRW-1583, -1591, -1586, or -1594), also operated from panel 1C13.

In case of a containment spray actuation signal (CSAS), flow through the containment air cooler is increased by automatic opening of an eight-inch valve located on the discharge side of each cooler (SRW-1582, -1590, -1585, and -1593). These valves can also be operated from the engineered safety features (ESF) control board (1C08, 1C09, 1C10). An alarm will be sounded at the ESF control board if the SRW flow through the containment air cooler drops below a minimum value of 500 gpm. If the containment air cooler is being supplied from the backup subsystem, the flow is controlled by locally operated manual valves.

Unit 1 SRW subsystem 11 normally supplies #11 diesel generator. Unit 2 SRW subsystem 22 normally supplies cooling water to #21 diesel generator. #12 diesel generator is supplied from either Unit 1 SRW subsystem 12 or Unit 2 SRW subsystem 21. The pressure sensing valves on the supply (CV-1645 in each unit) and return (CV-1646 in each unit) from each subsystem sense the SRW pressure of the subsystem they are in and the position of the alternate supply and return pressure sensing valves. With one set of pressure sensing valves open and normal system pressure, #12 diesel generator will be supplied cooling water from that subsystem. However, if the valves are manually shut or if a low pressure is sensed in the supplying header, the valves will shut and the alternate set of valves will open automatically. This subsystem also supplies an aftercooler on the discharge of the starting air compressors.

The air-operated cooling water supply valves to the diesel generators (CV-1587 and -1588 for diesel generators #11 and #12, respectively) automatically open upon receipt of a signal from the centrifugal speed switch at 250 rpm and will modulate to maintain 5 psid across the diesel generator lube oil, jacket water, and air coolers.

B.15.2.2 System Interfaces The SRWS interfaces with the following systems:

1. Spent Fuel Pool Cooling System
2. Containment Air Recirculation Cooling System
3. Emergency ac Power System - Diesel Generators
4. Power Conversion System (Main Feedwater and Condensate System)
5. Various Turbine - Generator Auxiliaries
6. Plant Air Supply System
7. Instrument Air Supply System
8. Steam Generator Blowdown Recovery System
9. Turbine Plant Sample System
10. Circulating Water System
11. Condenser Vacuum System
12. Plant Water Treatment System
13. Nitrogen Supply System
14. Auxiliary Feedwater Room Air Conditioning System
15. Salt Water System
16. 4160 Vac Power System

Of the above-identified systems, only systems (2), (3), (4), (15), and (16) have been considered in this study. Since the SRWS serves as a support system for systems (2), (3), and (4), refer to the corresponding sections of this appendix for additional FMEAs involving the SRWS and these three systems. The interaction of the SRWS with the systems of interest in this study is described in the SRWS Interaction FMEA, Table B.15.2.

B.15.2.3 Instrumentation and Control

Normally, two SRW pumps (#11 and #12) will be running with the third pump (#13) in standby and both SRWS heat exchangers (11 & 12) in service. SRW flow to each of the components served by the SRWS is controlled in most cases by the control valve located at the outlet of each individual component. The position of this control valve is regulated by an automatic temperature controller in some cases. In other cases, the proper SRW temperature is maintained by manual control of the outlet control valves. In another set of systems, the SRW outlet valve is throttled to maintain the component temperature warm to the touch. For some components, including the containment air coolers, temperature control of SRW is not necessary. As mentioned previously, the emergency diesel generators are supplied SRW through differential pressure regulating valves which modulate, after the diesel starts, to maintain approximately 5 psid differential pressure across the heat exchangers. In yet another set of components, the SRW inlet pressure is regulated automatically.

One pump motor is connected to one of the ESF 4 kV buses, while the other two pump motors are connected to the redundant bus. In the event that the latter bus is not available, manual transfer capability to the operable bus is provided for the swing pump. A low SRW discharge header pressure will annunciate in the control room to alert the operator, who can then manually activate the standby pump.

Radiation monitors are installed in the SRW return header from the spent fuel pool coolers to detect possible in-leakage of radioactive liquids through the heat exchangers.

B.15.2.4 Operator Actions

The SRWS is completely automatic in nature and thus requires no operator actions for successful system operation.

B.15.2.5 Surveillance

A number of the quarterly valve operability verification tests specified in STP 0-65-1 involve SRWS components. These tests can be performed during any mode of plant operation. The tests affecting SRWS components are summarized in Table B.15.3.

The operability of the SRW pump discharge check valves (SRW-314, -315, and -316) is verified in the following manner according to STP 0-65-1. This test consists of observing the behavior of the SRW pump discharge pressure while closing the corresponding pump inlet isolation valve subsequent to shutting off the pump. If no increase in pressure is observed at the pump discharge, the pump discharge check valve is functioning properly.

In addition to the test for pump discharge check valve operability, the Containment Cooler Operability Test prescribed by 0-65-1 involves the determination of the operability of several valves in the SRWS. These are the manual containment air cooler supply valves (SRW-135, -142, -149, or -156) and the normal inlet valves (CV-1581, -1584, -1589, or -1592), as well as several other SRWS valves. Part of this test consists of closing the manual SRW supply valves (SRW-135, -142, -149, or -156) from the respective SRW subsystem, and closing and subsequently opening the normal SRW inlet valves (CV-1581, -1584, -1589, or -1592), the normal SRW discharge valves (CV-1583, -1586, -1591, or -1594), and the emergency SRW discharge valves (CV-1582, -1585, -1590, or -1593), recording the time required to obtain an open indication in each case.

The operability of the spent fuel pool cooler SRW isolation valves (CV-1596 and -1597) is verified according to STP 0-65-1 by closing each valve and recording the time required to get a shut indication. In order to verify the operability of the cooling water supply and return valves (CV-1645 and -1646) for diesel generator #12, each valve is opened and the time required to get an open indication is recorded.

The valve closing and opening times recorded in the above-mentioned tests are then compared with the appropriate acceptable values to determine whether any corrective maintenance is required. When the particular test is completed, STP 0-65-1 specifies that any components which have been moved out of their normal operating alignment must be restored to their normal alignment.

The operability of the Turbine Building SRW header isolation valves (CV-1600, -1637, -1638, and -1639) is verified on a quarterly basis while the plant is shut down according to STP 0-66-1. This test consists of closing each valve, recording the time required to get a shut indication, and comparing the recorded times to specified acceptable values. These valves are manually restored to their original operational alignment at the conclusion of the test.

The performance of the SRW pumps is checked on a monthly basis according to STP 0-73-1. In this test, the pump discharge is isolated from the SRW subsystem, the pump is started and the ΔP across the pump is determined. In addition, the oil level in the pump is checked and the vibration amplitude is recorded. The data recorded are then compared with specified acceptable values to determine the need, if any, for pump maintenance. Components that are moved out of their normal operating alignment for this test (namely, the SRW pump discharge valves) are restored immediately upon pump startup during the test.

B.15.2.6 Maintenance

Maintenance is performed on SRWS components on a demand basis only. Scheduled maintenance is performed during refueling periods. Past plant maintenance records have been reviewed and, if appropriate, were considered. Table B.15.4 specifies the component alignments for potential SRWS component maintenance.

B.15.2.7 Technical Specification Limitations

Technical Specification 3.7.4.1 states the following limiting conditions for operation and corresponding action in operating modes 1, 2, 3, and 4:

1. At least two independent SRW loops shall be operable.
2. With only one SRW loop operable, restore at least two loops to operable status within 72 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

The following surveillance requirements for the SRWS are stated in Technical Specification 4.7.4.1.

1. At least two SRW loops shall be demonstrated OPERABLE.
2. At least once per 31 days by verifying that each valve (manual, power-operated or automatic) servicing safety-related equipment that is not locked, sealed, or otherwise secured in position, is in its correct position.
3. At least once per 18 months during shutdown, by verifying that each automatic valve servicing safety-related equipment actuates to its correct position on SIASs and CSASs.

B.15.3 Operation

Following a LOCA, the SRW supply lines to components located in the turbine building will be isolated by the closure of air-operated valves, CV-1600, -1637, -1638, and -1639, which will automatically shut on receipt of a SIAS.

As discussed previously, a CSAS will cause SRW flow through the containment air coolers to increase by automatically opening the eight-inch valves on the discharge side of the coolers. In addition, the CSAS will also cause the spent fuel pool cooler air-operated SRW supply and discharge control valves to close.

As part of the supplementary actions specified by EOP-5, "Loss of Reactor Coolant," the operator is required to check that appropriate actions initiated by SIAS and CSAS have occurred, if applicable. In following the SIAS Check List (Attachment 1 to EOP-5), the operator will verify that two SRW pumps are running, and that the four noncritical SRW isolation valves (CV-1600, -1637, -1638, and -1639) are closed. The operator is also required to perform certain actions regarding the salt water side of the SRW heat exchangers. For a discussion of these actions, refer to the section of this appendix concerning the SWS.

In following the CSAS Check List, the operator must verify that the four containment air cooler SRW outlet valves (CV-1582, -1585, -1590, and -1593) are open and that the two spent fuel pool cooler SRW isolation valves are closed. In performing these checks, the operator is required to match each handswitch position with its indication. After SIAS and CSAS are reset later in the accident, EOP-5 instructs the operator to restore SRW flow to the turbine area components and to the spent fuel pool cooling system.

In the event that the initiating event consists of a loss of offsite ac power, the requirements of EOP-15, loss of ac power, apply. As an immediate action, EOP-15 requires that the operator ensure that the diesel generators have started automatically and that they be started manually if the automatic action has not occurred. As part of the supplementary actions, EOP-15 instructs the operator to ensure that a SRW pump is running for each subsystem. In a subsequent instruction, the operator is directed to start and run the containment air coolers in LOW, with maximum SRW flow as necessary to maintain the containment temperature below 120°F.

B.15.4 Fault Tree Description

The SRWS at CC-1 is a very complex system, as can be seen in Figure B.15-1. However, the SRWS consists basically of two independent subsystems, each of which contains a pump and a heat exchanger. Each branch of the SRWS which provides SRW to one of the plant systems and components identified previously in subsection B.15.2.1 is connected in parallel with its respective subsystem, as shown on Figure B.15-1. Of those systems and components listed in subsection B.15.2.1, only the containment air coolers and the emergency diesel generators were considered in this study.

A separate fault tree was developed for each of the two SRWS branches coupled with the SRW subsystems. These consist of a fault tree portion specific to the SRW cooling for the containment air coolers, a fault tree portion specific to the SRW cooling for the emergency diesel generators, and a fault tree portion which is common to the diesel generators and the containment air cooler trees. All of these are on the SRW fault tree aperture cards in the envelope at the back of this report.

System failures identified consisted primarily of loss of flow in the SRWS trains. Each of the two independent subsystems and its respective SRW supply branch were divided into pipe segments which were assigned alphanumeric identifiers (see Figure B.15-4). For each pipe segment in a fault tree, components within that segment which could contribute to loss of segment function were modeled. The containment air coolers (11, 12, 13, and 14) and the emergency diesel generators (11 and 12) were each treated as single components in the fault trees.

In the circuit breaker faults leading to loss of power to each of the pumps are special gates designated as LOS-PIP-SRWDUMY1 and -SRWDUMY2 for circuits to pumps #11 and #12, respectively. The algorithm for each one is the same with different events under each. For example, the first algorithm is:

    LOS-PIP-SRWDUMY1 = (LOS-POP-SIA-A026) * (LOS-POP-IP2)
                     + (LOS-POP-SDS-A073) * (LOS-POP-IP4)
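The gate algorithm above is a sum of products, with * read as AND and + as OR. As an added example (not part of the original report), the following Python parses that expression into cut sets and compares the exact gate probability with the rare-event approximation. The basic-event probabilities are constructed placeholders and the events are assumed independent; the report states neither on this page.

```python
import itertools
import math
import re

# Gate expression as printed in the report: '*' is AND, '+' is OR.
GATE_TEXT = """
LOS-PIP-SRWDUMY1 = (LOS-POP-SIA-A026) * (LOS-POP-IP2)
                 + (LOS-POP-SDS-A073) * (LOS-POP-IP4)
"""

# CONSTRUCTED probabilities for illustration only; not values from the report.
SAMPLE_P = {
    "LOS-POP-SIA-A026": 0.01,
    "LOS-POP-IP2": 0.1,
    "LOS-POP-SDS-A073": 0.02,
    "LOS-POP-IP4": 0.05,
}


def parse_gate(text):
    """Parse 'NAME = (A)*(B) + (C)*(D)' into (name, [frozenset, ...])."""
    if text.count("=") != 1:
        raise ValueError("expected exactly one '=' in gate definition")
    name, rhs = text.split("=")
    cut_sets = []
    for term in rhs.split("+"):          # each OR branch is one product term
        events = re.findall(r"\(\s*([^()]+?)\s*\)", term)
        if not events:
            raise ValueError(f"empty product term: {term!r}")
        cut_sets.append(frozenset(events))
    return name.strip(), cut_sets


def minimal_cut_sets(cut_sets):
    """Drop duplicates and any cut set that strictly contains another one."""
    unique = set(cut_sets)
    minimal = [c for c in unique if not any(o < c for o in unique)]
    return sorted(minimal, key=sorted)


def gate_occurs(cut_sets, failed_events):
    """True if every event of at least one cut set has occurred."""
    failed = set(failed_events)
    return any(c <= failed for c in cut_sets)


def rare_event_probability(cut_sets, p):
    """Upper bound: sum of the cut-set products (ignores overlaps)."""
    return sum(math.prod(p[e] for e in c) for c in cut_sets)


def exact_probability(cut_sets, p):
    """Inclusion-exclusion over cut sets, assuming independent basic events."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in itertools.combinations(cut_sets, k):
            joint = frozenset().union(*combo)   # events needed for all of combo
            total += sign * math.prod(p[e] for e in joint)
    return total


if __name__ == "__main__":
    gate, raw = parse_gate(GATE_TEXT)
    mcs = minimal_cut_sets(raw)
    print(gate)
    for c in mcs:
        print("  cut set:", " AND ".join(sorted(c)))
    print("  rare-event approximation:", rare_event_probability(mcs, SAMPLE_P))
    print("  exact (independent events):", exact_probability(mcs, SAMPLE_P))
```

With only two disjoint second-order cut sets the two numbers differ by the product of all four probabilities, which is why the approximation is usually acceptable for gates of this shape.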

B.15.4.1 Success / Failure Criteria The top event in each fault tree, representing the failure definition, is " Fault in System to Remove Heat From Heat Exchanger." Failure of the SRWS occurs, therefore, if the appropriate heat removal function is not fulfilled by either of the two SRWS trains. B.15.4.2 Major Assumptions The following assumptions were considered during the construction of the SRW fault tree.

1. Component outages due to maintenance were considered for maintenance of active components and the heat exchangers only.
2. Although the two independent SRWS subsystems are connected by a number of cross-ties, these cross-ties were not considered in this analysis because each contains at least one normally closed manual valve.
3. Although the capability exists, via manual realignment, to supply the SRWS at Unit 1 with SRW from Unit 2, this capability was not considered.

   The SRW supply to DG12 was treated as coming from Unit 1's SRW system and the automatic switch to Unit 2's SRW was treated as a recovery action because of the difficulties in quantifying the other unit's SRW system.

4. SRW pump #13 was assumed to be aligned electrically with 4160 Vac bus 11 and mechanically with SRW subsystem #12. Because SRW pump #13 is not an automatic backup to either subsystem individually, it was not modelled on the fault tree but was treated as a recovery action.
5. As is discussed in the section of this appendix regarding the containment air coolers, only one containment air cooler is necessary to successfully fulfill the system function following a LOCA or a transient. Consequently, failure of the SRW supply isolation valves to isolate the turbine components and/or the spent fuel pool coolers was not considered an SRWS failure. In addition to the analysis cited in this section of this appendix, actual CC-1 surveillance test data supports this assumption.

6. Secondary piping which was less than 1/3 the diameter of the main SRWS piping was not considered as a possible diversion source in this analysis since all lines required failure of two normally closed manual valves.

7. Gross failure of the unpressurized SRW head tanks was not considered because of its relative improbability when compared to SRWS piping ruptures.

8. The containment air cooler units (11, 12, 13, and 14), containing four fans each, were each modelled as a single component. The diesel generators (11 and 12) with each diesel generator auxiliary were also modelled as single components.

9. Those branches of the SRWS which provide SRW cooling to components other than the containment air coolers and the emergency diesel generators were not considered in this analysis except to examine if any could be potential flow diversion paths.


Table B.15.1 Service Water System Component Data

1. Service Water Pumps                             Data
   Number per unit                                 3
   Capacity, ea., gpm                              7,050
   TDH @ 7,050 gpm, ft./psig                       180/77.4
   Shut off head gpm, ft./psig                     235/101
   Maximum allowable flow, gpm                     1500
   Operation, normal                               2 pumps running, 1 pump standby
   Pump
     Manufacturer                                  Goulds
     Type                                          Single stage, double volute, centrifugal unit
   Motor
     Manufacturer                                  Westinghouse
     Rating                                        400HP, 3φ, 60 hz, 1180 RPM

2. Service Water Heat Exchangers                   Data
   Type                                            One pass tube, one pass shell
   Quantity per unit                               2
   Heat transfer area, square feet                 19,000
   Design pressure, psig  - shell                  175
                          - tube                   50
   Design Temp., °F       - shell                  200
                          - tube                   200
   Material
     Shell                                         Steel A-285 Gr. C
     Tubes                                         90-10 Cu-Ni
     Tube Sheet                                    Aluminum Bronze, 2' thick
   Manufacturer                                    Foster Wheeler
   Heat load, normal, BTU/hr                       105 x 10^6
   Heat load, LOCI, BTU/hr                         120 x 10^6
   Heat load, LOCI, Total, BTU/hr                  240 x 10^6
   Design inlet serv. water temperature, °F        110
   Design outlet serv. water temperature, °F       95
   Design inlet salt water temperature, °F         85
   Design outlet salt water temperature, °F        95

Table B.15.2 SRWS FMEA

Component failure | Component affected | Failure mode | Effect on subsystem | Effect on overall system*
4160 volt A.C. Bus 11 | SRW Pump 11, SW Pump 12 | Loss of function | Subsystem No. 11 lost. | Loss of 1/2 system. Subsystem No. 12 still operational.
4160 volt A.C. Bus 14 | SRW Pump 12 | Loss of function | None, if initiating event is a transient. Loss of Subsystem No. 12, if initiating event is a LOCA. | Both subsystems still operational if initiating event is a transient. If initiating event is a LOCA, loss of 1/2 system. Subsystem No. 11 will still be operational.
Salt Water System Train A | SRW Heat Exchanger No. 11 | Loss of function | Loss of Subsystem No. 11 | Loss of 1/2 system. Subsystem No. 12 still operational.
Salt Water System Train B | SRW Heat Exchanger No. 12 | Loss of function | Loss of Subsystem No. 12 | Loss of 1/2 system. Subsystem No. 11 still operational.

* Assuming no recovery.

Table B.15.3 Service Water System Component Test Summary

Component | Type of test | Components that must be aligned away from ESF position with no automatic return | Test frequency | Expected test outage time* | Frequency of component alignment verification** | Source (test procedure #) STP
SRW-316 | Operability | SRW-107 closed (Pump 13 aligned to subsystem for test) | Quarterly | None | Continuous | 0-65-1
SRW Pump 11 | Logic Test, SIAS A-7 | SRW Pump 11 (Pump 13 aligned to subsystem 11 & running) | Monthly | None | Continuous | 0-7-1
SRW Pump 13 | | SRW Pump 13 (Pump 11 running) | Monthly | | |
SRW Pump 11 | Performance | SRW-108 closed (Pump 13 aligned to subsystem 11 & running) | Monthly | None | Continuous | 0-73-1
SRW-315 | Operability | SRW-115 closed (Pump 13 aligned to subsystem for test) | Quarterly | None | Continuous | 0-65-1
SRW-316 | Operability | SRW-117 closed, SRW-118 closed (Backup pump running during test) | Quarterly | None | Monthly | 0-65-1
SRW Pump 12 | Logic Test, SIAS A-1 | SRW Pump 12 (Pump 13 aligned to subsystem 12 & running) | Monthly | None | Continuous | 0-7-1
 | | (Pump 12 running) | | | |
SRW Pump 12 | Performance | SRW-116 closed (Pump 13 aligned to subsystem 12 & running) | Monthly | None | Continuous | 0-73-1

* The redundant pump is operating and there is no outage time for either subsystem.
** For those components with continuous verification, failure to align would result in alarms due to high temperature, low pressure or low flow.

Table B.15.3 Service Water System Component Test Summary (continued)

Component | Type of test | Components that must be aligned away from ESF position with no automatic return | Test frequency | Expected test outage time | Frequency of component alignment verification* | Source (test procedure #) STP
SRW Pump 13 | Performance | SRW-122 closed (Backup pump running) | Monthly | None | Monthly | 0-73-1
SRW Pump 13 | Performance | SRW Pump 11 - stop (Pump 13 aligned to subsystem 11 & running for test) | Monthly | None | Monthly | 0-74-1
SRW-135 | Operability, Containment Cooler 11 | SRW-135 | Quarterly | 5 min. | Continuous | 0-65-1
SRW-1581 | | | | 5 min. | Continuous |
SRW-1583 | | | | 5 min. | Continuous |
SRW-1582 | | | | None | 2 weeks |
SRW-142 | Operability, Containment Cooler 12 | SRW-142 | Quarterly | 5 min. | Continuous | 0-65-1
SRW-1584 | | | | 5 min. | Continuous |
SRW-1546 | | | | 5 min. | Continuous |
SRW-1585 | | | | None | 2 weeks |
SRW-1582, SRW-1585 | Logic Test, CSAS A-1 | None | Monthly | None | Continuous | 0-7-1
SRW-1582, SRW-1585 | Response Time Test, CSAS A-1 | None | 18 Months | None | Continuous | 0-56A-1
SRW-135 | Position Verification | None | Monthly | None | Continuous | 0-93-1
SRW-136 | | | | | Monthly |
SRW-137 | | | | | Monthly |
SRW-139 | | | | | Monthly |
SRW-140 | | | | | Monthly |
SRW-141 | | | | | Monthly |
SRW-142 | | | | | Continuous |
SRW-143 | | | | | Monthly |
SRW-144 | | | | | Monthly |
SRW-145 | | | | | Monthly |
SRW-146 | | | | | Monthly |
SRW-147 | | | | | Monthly |
SRW-148 | | | | | Monthly |

* For components with continuous verification, a high temperature, low pressure or low flow alarm would be actuated on failure to align.

Table B.15.3 Service Water System Component Test Summary (continued)

Component | Type of test | Components that must be aligned away from ESF position with no automatic return | Test frequency | Expected test outage time | Frequency of component alignment verification* | Source (test procedure #) STP
SRW-1581 | Position Verification | None | Monthly | None | Continuous | 0-62-1
SRW-1582 | | | | | Monthly |
SRW-1584 | | | | | Continuous |
SRW-1585 | | | | | Monthly |
SRW-149 | Operability, Containment Cooler 13 | SRW-149 | Quarterly | 5 min. | Continuous | 0-65-1
SRW-1589 | | | | 5 min. | Continuous |
SRW-1591 | | | | 5 min. | Continuous |
SRW-1590 | | | | None | 2 weeks |
SRW-154 | Operability, Containment Cooler 14 | SRW-156 | Quarterly | 5 min. | Continuous | 0-65-1
SRW-1592 | | | | 5 min. | Continuous |
SRW-1594 | | | | 5 min. | Continuous |
SRW-1593 | | | | None | 2 weeks |
SRW-1590 | Logic Test, CSAS B-1 | None | Monthly | None | 2 weeks | 0-7-1
SRW-1593 | | | | | 2 weeks |
SRW-1590 | Response Time Test, CSAS B-1 | None | 18 Months | None | 2 weeks | 0-56B-1
SRW-1593 | | | | | 2 weeks |
SRW-149 | Position Verification | None | Monthly | None | Continuous | 0-93-1
SRW-150 | | | | | Monthly |
SRW-151 | | | | | Monthly |
SRW-153 | | | | | Monthly |
SRW-154 | | | | | Monthly |
SRW-155 | | | | | Monthly |
SRW-156 | | | | | Continuous |
SRW-157 | | | | | Monthly |
SRW-158 | | | | | Monthly |
SRW-160 | | | | | Monthly |
SRW-161 | | | | | Monthly |
SRW-162 | | | | | Monthly |

* For components with continuous verification, a low flow alarm would be activated on failure to align.

Table B.15.3 Service Water System Component Test Summary (continued)

Component | Type of test | Components that must be aligned away from ESF position with no automatic return | Test frequency | Expected test outage time | Frequency of component alignment verification* | Source (test procedure #) STP
SRW-1589 | Position Verification | None | Monthly | None | Continuous | 0-61-1
SRW-1590 | | | | | 2 weeks |
SRW-1592 | | | | | Continuous |
SRW-1593 | | | | | 2 weeks |
SRW-165, SRW-169, SRW-171, SRW-173, SRW-177 | Position Verification | None | Monthly | None | Weekly | 0-93-1
Diesel Generator No. 11 | Operability | None | Weekly | 1 hour | Weekly | 0-8-1
SRW-1587 | Position Verification | None | Monthly | None | Weekly | 0-62-1
SRW-1645, SRW-1646 | Operability | None | Quarterly | None | Weekly | 0-65-1
SRW-164, SRW-168, SRW-170, SRW-172, SRW-174, SRW-176, SRW-178 | Position Verification | None | Monthly | None | Weekly | 0-93-1
Diesel Generator No. 12 | Operability | None | Weekly | 1 hour | Weekly | 0-8-1
SRW-1588, SRW-1645, SRW-1646 | Position Verification | None | Monthly | None | Weekly | 0-62-1

* For components with continuous verification, a low flow alarm would be actuated on failure to align. For weekly verification, failure to align these components would result in failure of the DG in its weekly test.

Table B.15.4 Service Water System Maintenance

Component undergoing maintenance | Type of maintenance | Components which must be aligned away from ESF position with no automatic return | Frequency of component alignment verification* | Expected frequency of maintenance** (/hr.) | Expected outage time of maintenance** (hrs.)
SRW Pump 11 | Maintenance requiring disassembly | Valves: SRW-107 closed, SRW-108 closed; circuit breaker open; SRW Pump 11 | Continuous | 1.7E-4 (0)*** | 4.64
SRW Pump 12 | Maintenance requiring disassembly | SRW Pump 12; circuit breaker open; valves: SRW-115 closed, SRW-116 closed | Continuous | 1.7E-4 (0)*** | 4.64
SRW Pump 13 | Maintenance requiring disassembly | SRW Pump 13; circuit breakers open; valves: SRW-120 closed, SRW-124 closed, SRW-110 closed, SRW-122 closed | Monthly | 1.7E-4 (5.1E-4)*** | 4.64
SRW Heat Exchanger No. 11 | Maintenance requiring disassembly | Manual valves: SRW-125 closed, SRW-128 closed | Continuous | 2.3E-5 | 7
SRW Heat Exchanger No. 12 | Maintenance requiring disassembly | Manual valves: SRW-127 closed, SRW-128 closed | Continuous | 2.2E-5 | 7
Air Cooling Heat Exchanger 11 | Maintenance requiring disassembly | Manual valves: SRW-169 closed, SRW-171 closed | Weekly | 2.3E-5 | 7

* For components with continuous verification, a high temperature, low pressure or low flow alarm would be actuated on failure to align.
** Plant specific data.
*** When distributed to Pump 13 assuming Pump 11 and 12 normally operating.

Table B.15.4 Service Water System Maintenance (continued)

Component undergoing maintenance | Type of maintenance | Components which must be aligned away from ESF position with no automatic return | Frequency of component alignment verification | Expected frequency of maintenance** (/hr.) | Expected outage time of maintenance** (hrs.)
Lube Oil Cooler No. 12 | Maintenance requiring disassembly | Manual valves: SRW-170, SRW-172 | Weekly | 2.3E-5 | 7
Jacket Water Cooler No. 12 | Maintenance requiring disassembly | Manual valves: SRW-170, SRW-172 | Weekly | 2.3E-5 | 7
Lube Oil Cooler No. 11 | Maintenance requiring disassembly | Manual valves: SRW-169, SRW-171 | Weekly | 2.3E-5 | 7
Jacket Water Cooler No. 11 | Maintenance requiring disassembly | Manual valves: SRW-169, SRW-171 | Weekly | 2.3E-5 | 7
Air Cooling Heat Exchanger 12 | Maintenance requiring disassembly | Manual valves: SRW-170, SRW-172 | Weekly | 2.3E-5 | 7
Lube Oil Cooler No. 12 | Maintenance requiring disassembly | Manual valves: SRW-170, SRW-172 | Weekly | 2.3E-5 | 7
Jacket Water Cooler No. 12 | Maintenance requiring disassembly | Manual valves: SRW-160, SRW-172 | Weekly | 2.3E-5 | 7

** Plant specific data.

Table B.15.4 Service Water System Maintenance (continued)

Component undergoing maintenance | Type of maintenance | Components which must be aligned away from ESF position with no automatic return | Frequency of component alignment verification* | Expected frequency of maintenance** (/hr.) | Expected outage time of maintenance** (hrs.)
Pneumatic Valve CV-1645 | Maintenance requiring disassembly | Manual valves: SRW-170, SRW-172 | Weekly | 3.4E-7 | 7
Pneumatic Valve CV-1588 | Maintenance requiring disassembly | Manual valves: SRW-170, SRW-172 | Weekly | 3.4E-7 | 7
Pneumatic Valve CV-1644 | Maintenance requiring disassembly | Manual valves: SRW-170, SRW-172 | Weekly | 3.4E-7 | 7
Pneumatic Valve CV-1587 | Maintenance requiring disassembly | Manual valves: SRW-169, SRW-171 | Weekly | 3.4E-7 | 7
Pneumatic Valve CV-1581 | Maintenance requiring disassembly | Manual valves: SRW-135, SRW-138, SRW-139 | Continuous | 3.4E-7 | 7
Pneumatic Valve CV-1583 | Maintenance requiring disassembly | Manual valves: SRW-135, SRW-138, SRW-139 | Continuous | 3.4E-7 | 7
Pneumatic Valve CV-1582 | Maintenance requiring disassembly | Manual valves: SRW-135, SRW-138, SRW-139 | 2 weeks | 3.4E-7 | 7
Pneumatic Valve CV-1589 | Maintenance requiring disassembly | Manual valves: SRW-149, SRW-152, SRW-153 | Continuous | 3.4E-7 | 7

* For components with continuous verification, a low flow alarm would be actuated on failure to align.
** Plant specific data.

Table B.15.4 Service Water System Maintenance (continued)

Component undergoing maintenance | Type of maintenance | Components which must be aligned away from ESF position with no automatic return | Frequency of component alignment verification* | Expected frequency of maintenance** (/hr.) | Expected outage time of maintenance** (hrs.)
Pneumatic Valve CV-1591 | Maintenance requiring disassembly | Manual valves: SRW-149, SRW-152, SRW-153 | Continuous | 3.4E-7 | 7
Pneumatic Valve CV-1590 | Maintenance requiring disassembly | Manual valves: SRW-149, SRW-152, SRW-153 | 2 weeks | 3.4E-7 | 7
Pneumatic Valve CV-1544 | Maintenance requiring disassembly | Manual valves: SRW-142, SRW-145, SRW-146 | Continuous | 3.4E-7 | 7
Pneumatic Valve CV-1584 | Maintenance requiring disassembly | Manual valves: SRW-142, SRW-145, SRW-146 | Continuous | 3.4E-7 | 7
Pneumatic Valve CV-1585 | Maintenance requiring disassembly | Manual valves: SRW-142, SRW-145, SRW-144 | 2 weeks | 3.4E-7 | 7
Pneumatic Valve CV-1592 | Maintenance requiring disassembly | Manual valves: SRW-156, SRW-159, SRW-160 | Continuous | 3.4E-7 | 7
Pneumatic Valve CV-1594 | Maintenance requiring disassembly | Manual valves: SRW-154, SRW-159, SRW-160 | Continuous | 3.4E-7 | 7
Pneumatic Valve CV-1593 | Maintenance requiring disassembly | Manual valves: SRW-154, SRW-159, SRW-160 | 2 weeks | 3.4E-7 | 7

* For components with continuous verification, a low flow alarm would be actuated on failure to align.
** Plant specific data.

Table B.15.4 Service Water System Maintenance (continued)

Component undergoing maintenance | Type of maintenance | Components which must be aligned away from ESF position with no automatic return | Frequency of component alignment verification* | Expected frequency of maintenance** (/hr.) | Expected outage time of maintenance** (hrs.)
Circuit Breaker for SRW Pump 13 | Maintenance requiring disassembly | CB SRWA013A; SRW Pump 13 | Monthly | 8.4E-6 (2.5E-5)*** | 8
Circuit Breaker for SRW Pump 11 | Maintenance requiring disassembly | CB SRWA011A; SRW Pump 11 | Continuous | 8.4E-6 (0)*** | 8
Circuit Breaker for SRW Pump 12 | Maintenance requiring disassembly | CB SRWA012B; SRW Pump 12 | Continuous | 8.4E-6 (0)*** | 8

* For components with continuous verification, a low flow, high temperature, or low pressure alarm would be actuated upon failure to align.
** Plant specific data.
*** When distributed to Pump 13, assuming Pump 11 and 12 normally operating.

Table B.15.5 SERVICE WATER SYSTEM (SRW) DATA

Event name | Sub event / event description | Sub event failure rate (per hr) | Sub event fault exposure time (hr) | Sub event unavail. q | Event unavail. Q = Σq
SRWSH1HP-PIP-LFD, SRWSH2HP-PIP-LFD, SRWSP12P-PIP-LFD | Pipe rupture (WASH-1400) | 8.5E-10 | 24 | -- | 2.0E-8
SRWSH1HP-PIP-LFB, SRWSH2HP-PIP-LFB, SRWSP12P-PIP-LFB, SRWCCL1P-PIP-LFB, SRWCCL2P-PIP-LFB, SRWCCL3P-PIP-LFB, SRWCCL4P-PIP-LFB | Pipe plugged (WASH-1400) | 8.5E-10 | 24 | -- | 2.0E-8
SRWCTC1X-HTX-LFB, SRWCTC2X-HTX-LFB, SRWCTC3X-HTX-LFB, SRWCTC4X-HTX-LFB, SRWHX11X-HTX-LFB, SRWHX12X-HTX-LFB | Heat exchanger local fault (plugged) (WASH-1400 - 10 segments) | 8.5E-8 | 24 | -- | 2.0E-6
SRWDG11P-PIP-LFD, SRWDG12P-PIP-LFD | Pipe rupture - standby | 8.5E-10 | 84 | 7.1E-8 | 9.2E-8
 | Pipe rupture - operating | 8.5E-10 | 24 | 2.0E-8 |
SRWDG11P-PIP-LFB, SRWDG12P-PIP-LFB | Pipe plugged - standby | 8.5E-10 | 84 | 7.1E-8 | 9.2E-8
 | Pipe plugged - operating | 8.5E-10 | 24 | 2.0E-8 |
DG11ACHX-HTX-LFB, DG11LOHX-HTX-LFB, DG11JWHX-HTX-LFB, DG12ACHX-HTX-LFB, DG12LOHX-HTX-LFB, DG12JWHX-HTX-LFB | Heat exchanger - local fault (plugging) (WASH-1400 - 10 segments) - standby | 8.5E-8 | 84 | 7.1E-6 | 9.2E-6
 | Heat exchanger - local fault (plugging) - operating | 8.5E-8 | 24 | 2.0E-6 |
SRWHX11X-H-PRMN, SRWHX12X-H-PRMN, DG11ACHX-H-PRMN, DG11LOHX-H-PRMN, DG11JWHX-H-PRMN, DG12ACHX-H-PRMN, DG12LOHX-H-PRMN, DG12JWHX-H-PRMN | Heat exchanger maintenance | 2.3E-5 | 7 | -- | 1.6E-4
SRW0314X-COC-LF, SRW0315X-COC-LF, SRW0317X-COC-LF, SRW0318X-COC-LF, SRW0319X-COC-LF, SRW0320X-COC-LF | Check valve - failure to remain open (plug) | 1.0E-7 | 24 | -- | 2.4E-6
SRW0321X-CCC-LF, SRW0322X-CCC-LF | Check valve - failure to open | -- | -- | -- | 1.0E-4
SRW0107X-XOC-LF, SRW0108X-XOC-LF, SRW0115X-XOC-LF, SRW0116X-XOC-LF, SRW0125X-XOC-LF, SRW0126X-XOC-LF, SRW0127X-XOC-LF, SRW0128X-XOC-LF, SRW3131X-XOC-LF, SRW0132X-XOC-LF, SRW0135X-XOC-LF, SRW0142X-XOC-LF, SRW0149X-XOC-LF, SRW0156X-XOC-LF | Manual valve - failure to remain open (plug) | 1.0E-7 | 24 | -- | 2.4E-6
SRW0139X-XOC-LF, SRW0146X-XOC-LF, SRW0153X-XOC-LF, SRW0160X-XOC-LF | Manual valve - failure to remain open (plug) | 1.0E-7 | 1000 | -- | 1.1E-4
SRW0165X-XOC-LF, SRW0166X-XOC-LF, SRW0168X-XOC-LF, SRW0169X-XOC-LF, SRW0170X-XOC-LF, SRW0171X-XOC-LF, SRW0172X-XOC-LF, SRW0173X-XOC-LF, SRW0174X-XOC-LF, SRW0176X-XOC-LF, SRW0177X-XOC-LF, SRW0178X-XOC-LF | Manual valve - failure to remain open (plug) - standby | 1.0E-7 | 84 | 8.4E-6 | 1.1E-5
 | Manual valve - failure to remain open (plug) - operating | 1.0E-7 | 24 | 2.4E-6 |
SRW0011A-PMD-LF, SRW0012B-PMD-LF | Pump - failure to run | 3.0E-5 | 24 | -- | 7.2E-4
SRWA011A-BCO-LF, SRWA012B-BCO-LF | Circuit breaker - premature transfer (WASH-1400) | 1.0E-6 | 24 | -- | 2.4E-5
SRWA011A-BOO-LF, SRWA012B-BOO-LF | Circuit breaker - failure to transfer | -- | -- | -- | 3.0E-3
SRWTD13-LF | Short across 1 second time delay PMD13 start circuit | -- | -- | -- | 1.1E-4
LOS-POP-DG11-OUT, LOS-POP-DG12-OUT | DG start logic failure (1 failure in 1200 tries) | -- | -- | -- | 1.0E-3
SRWSV1582-LF, SRWSV1585-LF, SRWSV1590-LF, SRWSV1593-LF | Solenoid valve local fault - failure to operate | -- | -- | -- | 1.0E-3
SRW1582A-NCC-LF, SRW1585A-NCC-LF, SRW1588B-NCC-LF, SRW1587A-NCC-LF, SRW1590B-NCC-LF, SRW1593B-NCC-LF | Pneumatic valve - failure to operate | -- | -- | -- | 3.0E-3
SRW1581A-NOC-LF, SRW1584A-NOC-LF, SRW1589B-NOC-LF, SRW1592B-NOC-LF | Pneumatic valve - failure to remain open (plug) | 1.0E-7 | 24 | -- | 2.4E-6
SRW1645B-NOC-LF, SRW1646B-NOC-LF | Pneumatic valve - failure to remain open - standby | 1.0E-7 | 84 | 8.4E-6 | 1.1E-5
 | Pneumatic valve - failure to remain open - operating | 1.0E-7 | 24 | 2.4E-6 |
SRW1581A-N-PRTS, SRW1584A-N-PRTS, SRW1589B-N-PRTS, SRW1592B-N-PRTS | Quarterly operability test (once every 2190 hrs) | 4.6E-4 | 0.84 | -- | 3.9E-4
SRW1581A-C-PRMN, SRW1582A-N-PRMN, SRW1584A-N-PRMN, SRW1585A-N-PRMN, SRW1587A-N-PRMN, SRW1588B-N-PRMN, SRW1589B-N-PRMN, SRW1590B-N-PRMN, SRW1592B-N-PRMN, SRW1593B-N-PRMN, SRW1645B-N-PRMN, SRW1646B-N-PRMN | Pneumatic valve maintenance | 3.4E-7 | 7 | -- | 2.4E-6
SRW1N139-X-FRFM, SRW2N139-X-FRFM, SRW4N146-X-FRFM, SRW5N146-X-FRFM, SRWON153-X-FRFM, SRW9N153-X-FRFM, SRW2N160-X-FRFM, SRW3N160-X-FRFM | Failure to restore following pneumatic valve maintenance | 3.4E-7 x 1.0E-4 | 360 | -- | 1.2E-8
SRW7N169X-N-FRFM, SRW7N171X-N-FRFM, SRW5N170X-N-FRFM, SRW6N170X-N-FRFM, SRW8N170X-N-FRFM, SRW5N172X-N-FRFM, SRW6N172X-N-FRFM, SRW8N172X-N-FRFM | Failure to restore following pneumatic valve maintenance | 3.4E-7 x 1.0E-4 | 84 | -- | 2.9E-9
SRWAC171X-H-FRFM, SRWLO171X-H-FRFM, SRWJW171X-H-FRFM, SRWAC169X-H-FRFM, SRWLO169X-H-FRFM, SRWJW169X-H-FRFM, SRWAC170X-H-FRFM, SRWLO170X-H-FRFM, SRWJW170X-H-FRFM, SRWAC172X-H-FRFM, SRWLO172X-H-FRFM, SRWJW172X-H-FRFM | Failure to restore following heat exchanger maintenance | 2.3E-5 x 1.0E-4 | 84 | -- | 1.9E-7

Figure B.15-1 Simplified Schematic of the Service Water System (SRWS)

Figure B.15-2 Logic Diagram for Starting Service Water Pump 13

Figure B.15-3 (Sheet 1) Logic Diagram for Starting Service Water Pump 11 or 12. Note on diagram: one (1) alarm window for three (3) pumps.

Figure B.15-3 (Sheet 2) Logic Diagram for Stopping Service Water Pump 11 or 12

Figure B.15-4 Simplified Schematic of the Service Water System Used in Fault Tree Modeling

Appendix B.16

Component Cooling Water System

B.16 COMPONENT COOLING WATER SYSTEM DESCRIPTION

B.16.1 Purpose

The purpose of the Component Cooling Water System (CCWS) is to remove heat from various plant components in order to maintain the required operating temperature for these components and systems. The heat absorbed during this cooling process is transmitted to the SWS via the component cooling heat exchangers.

B.16.2 Description

B.16.2.1 Overall Configuration

Figure B.16-1 shows a simplified schematic of the CCWS. The CCWS is a closed system that consists of three motor-driven component cooling circulation pumps, two component cooling heat exchangers, a head tank, an additive tank and associated valves, piping, instrumentation, controls, and auxiliary systems. The component cooling circulating pumps circulate the nonradioactive chemically treated water through the component cooling heat exchangers where the absorbed heat is transferred to the SWS from the components served by CCWS. Items cooled by CCWS include:

1. Letdown heat exchanger for CVCS
2. Shutdown cooling heat exchangers
3. Reactor coolant pump mechanical seal coolers and motor lube oil coolers
4. CRDM coolers
5. Miscellaneous waste processing heat exchanger
6. Waste gas compressor jacket and after coolers
7. LPSI/R pumps seal coolers and bearing jacket
8. HPSI/R pumps seal coolers and bearing jacket
9. Containment penetrations
10. Reactor vessel support coolers
11. Steam generators support coolers
12. Liquid waste evaporators
13. Degasifier vacuum pump cooler

B.16.2.2 System Interfaces

The CCWS interfaces with the SWS via the component cooling heat exchangers. It also interfaces with the various systems which depend on CCWS for component cooling requirements. Among the various systems served by the CCWS, only the following systems were considered for the fault tree development:

1. LPSI/R pumps seal coolers and bearing jacket
2. HPSI/R pumps seal coolers and bearing jacket
3. Shutdown cooling heat exchangers

The CCWS interfaces with AC power, DC power, and the ESFAS, as shown in Table B.16.1.

B.16.2.3 Instrumentation and Control

The CCWS is equipped with temperature and pressure monitors. The inlet and outlet temperatures are monitored on the CCW heat exchangers, letdown heat exchangers, reactor coolant pumps, and the shutdown cooling heat exchangers. There is an alarm for high outlet temperature on the CCW heat exchangers. The pressure is monitored on the CCW pumps normal and standby headers, and the CCW heat exchanger discharge headers. The differential pressure on the CCW and shutdown heat exchangers is also monitored. The control logic for the CCW Hx valves is shown in Figure B.16-2 and for the SDC Hx valves in Figure B.16-3.

B.16.2.4 Operator Actions

Operator action with the CCWS is limited to shifting operating pumps or heat exchangers in case of a malfunction of the normally operating components (Reference Operating Instruction-16).

B.16.2.5 Surveillance

The locked manual valves in the system are verified for proper positioning monthly (STP 0-62-1). Control valve operability is verified quarterly (STP 0-65-1). Check valves at the pump discharge are verified for operability quarterly (STP 0-65-1). The CCWS pumps are tested monthly (STP 0-73-1). The bearing temperature of the pumps is tested at least every 18 months (STP 0-74-1). A summary of CCW component tests is presented in Table B.16.2.

B.16.2.6 Maintenance

Maintenance of CCWS components is done on an as-needed basis. A summary of component maintenance is presented in Table B.16.3.

B.16.2.7 Technical Specification Limitations

The limiting condition for operation as specified in the CCWS Technical Specifications is as follows:

1. With one CCW loop operable, the second loop shall be restored to operable status within 72 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.

The Technical Specifications state the following surveillance requirements:

1. At least once per 31 days by verifying that each valve (manual, power-operated, or automatic) servicing safety-related equipment that is not locked, sealed, or otherwise secured in position, is in its correct position.
2. At least once per 18 months during shutdown, by verifying that each automatic valve servicing safety-related equipment actuates to its correct position on a SIAS.

B.16.3 Operation

During normal operation one pump and one heat exchanger provide cooling for system components. The heat exchanger bypass valve will automatically maintain the desired component cooling heat exchanger outlet temperature (normally set at 95°F). If, for example, the component cooling temperature were to increase above 95°F, the bypass valve would partially shut, forcing more water through the heat exchanger. For long-term cooling following a LOCA, one pump and one heat exchanger provide the necessary cooling capacity for one shutdown cooling heat exchanger.

The pump motors are supplied from two separate 480 Vac ESFAS buses, with the third motor having two supply breakers and two disconnects. This arrangement ensures that two pumps are available at all times. If a loss of power to the ESFAS buses should occur, the component cooling pumps would be load shed. After the diesel picks up the bus, the pumps can be restarted by manually operating the control switch. If a SIAS signal is present, the component cooling pumps will automatically be sequenced back on. Only two of the pumps will be automatically restarted. If for some reason the breaker on pump #11 or pump #12 does not close, then pump #13 will automatically start, depending on which bus its disconnects are selected to. If its disconnects are selected to 480 Vac bus 11, then it will be a backup for pump #11. If the disconnects are selected to 480 Vac bus 14, then it will be a backup for pump #12.

If during normal operation a component cooling heat exchanger should malfunction, the other heat exchanger could be put in service immediately by opening its remotely-operated discharge valve. If the malfunction should occur during normal shutdown, the plant can be cooled down with the remaining heat exchanger.

Upon initiation of a SIAS signal, two component cooling pumps will start and the outlet valves on the shutdown cooling heat exchangers will open automatically. This will provide component cooling to the shutdown cooling heat exchanger for long-term cooling.

B.16.4 Fault Tree Description

The fault tree developed for the CCWS is shown on the appropriate aperture card in the envelope at the back of this report. There are five top events representing the loss of component cooling to the three HPSI/R pump coolers and the two shutdown cooling heat exchangers. The data used to quantify the trees is shown in Table B.16.4.

B.16.4.1 Success/Failure Criteria

The CCWS is a support system. Five tree tops or top events were developed for the CCWS so these tops could transfer into the front line systems as required. In general, success of the CCWS is considered as one component cooling pump and one component cooling heat exchanger circulating and removing heat from a particular component in a front line system, and the flow of cooling water to and through the component is neither blocked nor diverted.

B.16.4.2 Assumptions

In the process of developing fault trees for CCWS, the following assumptions are made:

1. The plant is operating at full power at the onset of abnormal transients. The valve line-up is considered to be the normal operational line-up supplied by the utility, with two component cooling water pumps and one heat exchanger in service.

2. The head tank whose function is to provide net positive suction head for component cooling pumps at startup is not considered in the fault tree development since the system is assumed in the full operating condition at the onset of abnormal transients.
3. The CCW chemical additive tank which is provided to permit the addition of chemicals to the system is not considered in the fault tree development.
4. Only shutdown cooling heat exchangers and HPSI/R pump coolers are considered for the development of CCWS fault trees since the LPSI pumps do not need CCWS cooling in the injection mode and treatment of LPSR was reserved as a recovery action if needed.
5. The interface between CCWS and the SWS is the heat transfer surface of the component cooling heat exchangers.
6. No maintenance actions are considered for manual valves since a review of plant logs showed that it was negligible.
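
The automatic restart behaviour described in Section B.16.3 (pumps #11 and #12 sequenced back on after a SIAS, with pump #13 backing up whichever pump shares the bus its disconnects are selected to) can be explored with a small model that enumerates the minimal combinations of failures leaving no CCW pump running. This Python example is added here and is not part of the original report or its fault tree; the basic-event labels are hypothetical, pump #11 is assumed to be fed from 480 Vac bus 11 and pump #12 from bus 14, and only the pump portion of the success criterion is modelled.

```python
"""Model of the CCW pump automatic restart described in Section B.16.3.

Added illustration: the report's own fault tree is on aperture cards and is
not reproduced here. Basic-event labels are hypothetical.
"""
from itertools import combinations

# Hypothetical basic events; membership in a failure set means "failed".
BASIC_EVENTS = ("BUS11", "BUS14", "BKR_P11", "BKR_P12", "BKR_P13")


def pumps_running(failed, p13_selected_bus, sias=True):
    """Return the set of CCW pumps running after load shed and bus recovery.

    failed           -- iterable of basic events that have failed
    p13_selected_bus -- 11 or 14: bus that pump 13's disconnects are selected to
    sias             -- without a SIAS the pumps stay off until an operator
                        restarts them manually (manual action is not modelled)
    """
    if p13_selected_bus not in (11, 14):
        raise ValueError("pump 13 disconnects must be selected to bus 11 or 14")
    failed = set(failed)
    unknown = failed - set(BASIC_EVENTS)
    if unknown:
        raise ValueError(f"unknown basic events: {sorted(unknown)}")
    if not sias:
        return set()

    bus_ok = {11: "BUS11" not in failed, 14: "BUS14" not in failed}
    # Assumption: pump 11 is fed from bus 11 and pump 12 from bus 14.
    p11 = bus_ok[11] and "BKR_P11" not in failed
    p12 = bus_ok[14] and "BKR_P12" not in failed

    running = set()
    if p11:
        running.add(11)
    if p12:
        running.add(12)

    # Pump 13 only backs up the pump on the bus its disconnects are selected
    # to, and it needs that same bus to be energized.
    backed_up_started = p11 if p13_selected_bus == 11 else p12
    if (not backed_up_started and bus_ok[p13_selected_bus]
            and "BKR_P13" not in failed):
        running.add(13)
    return running


def minimal_cut_sets(p13_selected_bus):
    """Minimal failure combinations that leave no CCW pump running on a SIAS.

    Brute-force search in order of increasing size; a combination is skipped
    when it contains a cut set that was already found, so only minimal sets
    are kept.
    """
    cut_sets = []
    for size in range(1, len(BASIC_EVENTS) + 1):
        for combo in combinations(BASIC_EVENTS, size):
            candidate = frozenset(combo)
            if any(mcs <= candidate for mcs in cut_sets):
                continue
            if not pumps_running(candidate, p13_selected_bus):
                cut_sets.append(candidate)
    return set(cut_sets)


if __name__ == "__main__":
    for bus in (11, 14):
        print(f"Pump 13 disconnects selected to bus {bus}:")
        ordered = sorted(minimal_cut_sets(bus), key=lambda s: (len(s), sorted(s)))
        for mcs in ordered:
            print("   ", " AND ".join(sorted(mcs)))
```

With pump #13 selected to bus 11, the pair "bus 11 lost and pump #12 breaker fails to close" is a cut set; with pump #13 selected to bus 14 that pair is covered and "pump #11 breaker fails and bus 14 lost" takes its place.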


Table B.16.1 CCWS Support System FMEA

SUPPORT SUBSYSTEM    COMPONENT AFFECTED    FAILURE MODE    COMPONENT FAILURE EFFECT ON SYSTEM    EFFECT OF SUBSYSTEM FAILURE ON OVERALL SYSTEM*
  • 1,, . .C bus 21

_ p.p 12

                               ,. of             , of , p.p.

control power can not be testarted in case Seduced system capacity O to p op een- of lose of power trol citesite ESPAS CFw pump pumps fall to 2 et 1 pumps can not be Seduced system capacity Train A 11 6 13 restest in testarted (LOSP). SDC Seat SDS er $1AS SDC heat LOSF et LOCA. eschanger il faite pumps, RAS. eschanger SDC heat es* h eat  !! ehanger 11 eschengere valve f ail to open en lose of RAS signal PSFAS CCW pump 12 pump f ails to 1 of 1 puppe can not be Seduced system especity Train S SDC heat restatt in testerted (LOSP). SDC Seat SDS et SI AS etebanget 12 ease of LOsp eschangers 12 f ait pumpe, RAS. of LOCA. S DC heat Seat escham. eschengere get 12 valve f all te open en less of SAS signal 480 V AC CCW pump Il less of I out of 3 pumps f alle Seduced system tapeetty bus 114 power te (lead group pump 11 A) 4t0 V AC CCW pump 11 less of 1 out of 3 puppe f aite Seduced system especity bue lit power to fleed group Al pump 11 460 V AC CCW pump 12 loss of 1 out of 3 p sape falle Seduced system espeelty bus 14A power te (lead grevy pump 12 Si e As.uming ne feeevery. O B.16- 6

Table B.16.1 CCWS Support System FMEA (Continued)

SUPPORT SUBSYSTEM    COMPONENT AFFECTED    FAILURE MODE    COMPONENT FAILURE EFFECT ON SYSTEM    EFFECT OF SUBSYSTEM FAILURE ON OVERALL SYSTEM*
                                                                                                                                               . t . .or  . ,e.t          !       .. 1    t of .     . t                .e..co. . et . c.pecit, oyotee     eschenger il   seeling         eschengere felle                                                  ,

train 11 ' Seit unter CCW heat less of 1 out of 3 CCW beat medeced system especity systen eschanger 12 eseling eschanger fall train 12 13S V DC Ctw pop less of 2 et 3 pope een not be seduced systen especity bus 11  !! and 12 centrol restarted in ease of lose power to of power p op sentrel tireelt

* Assuming no recovery.

Table 3.16.2 CCW component Test S umery Sheet COMPOfENTS TBAT NUST BE ALIGNED PREQUINCY OF COMPON ENT TYPt OF ANAT FROM ESF TEST EIPICTED TEST COMPONENT $003CE - (TEST TEST POSITION w!TE NO FREQUENCY OUTAGE TIME ALIGNMENT PROCEDURE 4) AUTORATIC RETURN VERIPICATION All Menval Poe& tion None monthly pone Monthly 0-93-1 valves Verification CV-3424 Position None monthly pone Monthly 0-62-1 CV-3826 Vertiteetion CV-3020 CV-3830 CV-st24 OpereB111ty pone Quarterly 5 min. Monthly 0-65-1 Cv=38 26 None pone Monthly CV-1828 Wome pone Moethly CV-1830 pone Wome Monthly CC-115 CC-121, 122 15 min. u/A CC-120 CC-116, 117 15 mia, s/A CC-125 CC-111, til 15 min. N/A Ctw pep i 11 Performance CC-114 monthly 15 min. Continuous 0-73-1 CCW Pep 9 12 CC-118 Ronthly 15 min. Monthly CCN p op 9 13 CC-124 ponthly 15 min. Monthly O D.16-8

Table 3.16.3 CCW Coopeneet nelatenance Seemary Sheet COMPOIEstf8 TBAT COISOISNT IW87 BE ALIGIED P9800BNCY OF SEPSCTED REPSCTED OUTAGE m em00!NG TYPE OF Ale &T PROM ESP CORPONENT PSBQURIICY OF TIME Or untyrsanNCE TEST POSITION w!?S 50 ALIG5It1NT IIAINTBRANCE

  • MAINTENANCE
  • AUTORATIC RWIURN TERIP; CATION (/ hr.) (hte.)

CCW 3Das 0 11 Maintenance CC-261 nonthly 2.38-5 7 CCW SasE 9 12 Dequiring CC-264 CCW LPsi WTF G 11 Disassembly CC-255, 256 CCW LPSI BTR 0 12 CC=443, 244 CCW EPSI FfE $ 11 CC-252, 253 CCW BPst pre O 12 CC-249, 250 CCW BPSI WTI i 13 CC-246, 247 CCW st 4 11 naintenance CC-148, 149 Continuous 2.38-5 7 mequiring (e)** CCW NTE 4 12 Disassembly CC-154, 154 Roethly 2.3E 5 7 (4.65-5)** CCW Pump 911 paintenance CC-111, 112, 114 Continuous 1.7B-4 4.44 Dequiring (o) ** CCW Pep 912 Disassembly CC-116, 117, 118 Nonthly 1.78-4 4.64 ( 2.6E-4 ) ** CCW P op 6 13 CC-121, 122, 124 Monthly 1.72-4 4.64 1 (2.63-4) ** CV-3813 maintenance CC-148, 149 Continuous (o) ** 7 CV-3824 Dequires CC-149, 161, 163 Continuous (o) ** CV-3825 Disassembly CC-154, 156 sconthly 3.48 7 CV-3826 CC-154, 161, 162 Ronthly 3.4E 7 t CV-3830 CC-266, Ill, 117, Isonthly 3.48-7 121 CV-3428 Natatenance pene Ilonthly 3.4E-7 7 on esternal only.

* Plant specific data.
** Distributed maintenance assuming CCW pump 11 and HTX 11 are normally operating.

Table B.16.4 COMPONENT COOLING WATER SYSTEM (CCW) DATA

                                                                                      Sub Event      Sub Event  Sub Event  Fault Event
Event Name         Event Description                                                  Failure Rate   Exposure   Unavail.   Unavail.
                                                                                      (per/hr)       Time (hr)  q          Q = Σq

CCWO115X-COC-LF    Check valve failure to remain open (plug)                          1.0E-7         24         --         2.4E-6

CCWO1251-CCC-LF    Check valve failure to open                                        --             --         --         1.0E-4
CCWO120X-CCC-LF

CCWO112X-XOC-LF    Manual valve failure to remain open (plug)                         1.0E-7         24         --         2.4E-6
CCWO114X-XOC-LF
CCWO1481-XOC-LF
CCWO1491-XOC-LF

CCWO116X-XOC-LF    Manual valve failure to remain open                                1.0E-7         360        --         3.6E-5
CCWO118X-XOC-LF
CCWO122X-XOC-LF
CCWO124X-XOC-LF
CCW0161X-XOC-LF
CCW01621-XOC-LF
CCW0163X-ZOC-LF
CCWO242X-XOC-LF
CCWO243X-ZOC-LP
CCWO244X-XOC-LF
CCWO246X-XOC-LF
CCWO2471-XOC-LF
CCWO249X-XOC-LF
CCWO250X-XOC-LF
CCWO252X-XOC-LF
CCWO253X-XOC-LF
CCWO255X-XOC-LF
CCWO256X-XOC-LF
CCWO258K-XOC-LF
CCWO270Z-XOC-LP

CCWO111X-XOC-LF    Manual valve failure to remain open (plug)                         1.0E-7         1000       --         1.1E-4
CCWO121X-XOC-LF
CCWO154X-XOC-LF
CCW0156X-XOC-LP
CCWO259X-XOC-LF
CCWO260X-XOC-LF
CCWO261X-XOC-LP
CCWO264X-XOC-LP
CCWO265X-XOC-LF
CCWO2661-XOC-LF

CCNSDHX1-HTX-LFB   Shutdown heat exch. blockage                                       8.5E-8         1000       --         9.2E-5
CCWSDHX2-HTX-LFB

CCWLP11C-HTX-LFB   Local fault causing blockage of pump cooler                        8.5E-8         360        --         3.1E-5
CCWLP12C-HTX-LFB
CCWHP11C-HTX-LFB
CCWHP12C-HTX-LFB
CCWHP13C-HTX-LFB

CCINITICl-HTX-LFB  Local fault causing blockage of CCW HTX 11                         8.5E-8         24         --         2.0E-6

d5EITXCl-HTX-LFI   Local fault causing inadequate heat removal from CCWHTX 11         8.5E-8         24         --         2.0E-6

CCWHTIC2-HTX-LFB   Local fault causing blockage of CCWHTX 12                          8.5E-8         1080       --         9.2E-5

CCWHTIC2-HTX-LFI   Local fault causing inadequate heat removal from CCWHTX 12         8.5E-8         1080       --         9.2E-5

CCWA2PPS-PIP-LFB   Local fault causing blockage of header                             8.5E-9         24         --         2.0E-7
CCWPPPS-PIP-LFB

CCWAIPPS-PIP-LFB   Local fault causing blockage of header                             8.5E-9         1080       --         9.2E-6

CCWHTXC2-H-PRles   Heat exchanger maintenance                                         4.6E-5         7          --         3.2E-4

CCWSDHX1-H-PRIGI   Heat exchanger maintenance                                         2.3E-5         7          --         1.6E-4
CCWSDHX2-H-PRMN
CCWLP11C-H-PRIel
CCWLP12C-H-PRief
CCWHP11C-H-PRiel
CCWHP12C-H-PRiel
CCWHP13C-H-PRiGi

CCWO2431-X-FRFM    Failure to restore manual valve after heat exchanger maintenance   2.3E-5x1.0E-4  360        --         8.3E-7
CCWO244X-X-FRFM
CCWO246X-X-FRFM
CCWO247X-X-FRFM
CCWO249X-X-FRFM
CCWO250X-X-FRFM
CCWO252X-X-FEFM
CCWO253X-X-FRFM
CCWO255X-X-FRFM
CCWO256X-X-FRFM
CCWO261X-X-FRFM
CCWO266X-X-FRFM

CCWO1541-I-FRFN    Failure to restore manual valve after heat exchanger maintenance   4.6E-5x1.0E-4  360        --         1.7E-6
CCWO156X-I-FRFN

CCWO116X-X-FRFN    Failure to restore manual valve after pump maintenance             2.6E-4x1.0E-4  360        --         9.4E-6
CCWO1171-I-FRFN
CCuolleI-X-FRFN
CCW0121X-X-FRFN
CCW01221-I-FSFR
CCW01241-I-FRFN

CCW3825N-N-FWWE    Pneumatic valve maintenance                                        3.4E-7         7          --         2.4E-6
CCW38265-N-FWW
CCW3820W-N-FW W
CCN3830N-N-PSIGt

CCW38245-NOC-LF    Failure of pneumatic valve to remain open (plug)                   1.0E-7         24         --         2.4E-6

CCW3826N-IOCC-LF   Failure to operate                                                 --             --         --         3.0E-3
CCW382SN-NCC-LF
CCW3830N-NCC-LF

CCW30235-Ir?O-LF   Local fault of bypass valve (failure to remain throttled)          --             --         --         3.0E-3
CCW3825N-NTO-LF

CCW38235-AST-LF    Local fault in temperature control of bypass valve                 3.0E-6         24         --         7.2E-5

CCN3825N-AST-LF    Local fault in temperature control of bypass valve                 3.0E-6         1080       --         3.2E-3

CCWOO11A-P90-LF    Failure to run                                                     3.0E-5         24         --         7.2E-4

CCW0011A-P90-LLF   Failure to start                                                   --             --         3.0E-3     3.7E-3

CCWOO128-P90-LF    Failure to run                                                     3.0E-5         24                    7.2E-4
CCWOO13A-PMD-LF

CCWOO11A-CBL-LF    Local fault in cable - open circuit                                3.0E-6         24         --         7.2E-5

CCWOO128-CBL-LF    Local fault in cable - open circuit                                3.0E-6         360        --         1.1E-3
CCW0013A-CBL-LF

CCMOO11A-SCO-LF    Bkr fault - premature transfer                                     1.0E-6         360        --         3.6E-4
CCMD313A-BCO-LF

CCWOO11A-BOO-LF    Bkr failure to operate                                             --             --         --         3.0E-3
CCW00128-500-LF
CCW0013A-BOO-LF

CCMOO12B-PR988     Pump maintenance                                                   2.6E-4         4.64       --         1.2E-3
CCW0013A-FR308

CCN3526N-WCC-OE    Operator fails to open valve given CCWHTX11 fails                  --             --         --         5.0E-2

CartD13-LF         Short across one second time delay in Fer13 start logic            3.0E-7         360        --         1.1E-4

CCMOl61X-X-F9FEB   Failure to restore manual valve after pneumatic valve maintenance  3.4E-7x1.0E-4  360        --         1.2E-8
COSD162X-X-FSFWI
N111-1-FBrst
cas088117-I-FSF98
C000EI121-I-F9Fut
Cas0EE266-I-FSFIt
CDs588154-I-FSF98
CCW65156-1-FSFUL

Figure B.16-1 Simplified Schematic of Component Cooling Water (CCW) System Used in Fault Tree Modeling

Figure B.16-2 Logic Diagram for CCW Hx Valves (1-CV-3824), (1-CV-3826)

Figure B.16-3 Logic Diagram for SDC HX Valves (1-CV-3828), (1-CV-3830)

Appendix B.17
Salt Water System
B.17 SALT WATER SYSTEM DESCRIPTION

B.17.1 Purpose

The purpose of the Salt Water System (SWS) is to provide cooling water to the following equipment during both injection and recirculation phases of emergency core cooling (ECC) after a loss of coolant accident (LOCA).

1. ECCS pump room air cooler #11
2. ECCS pump room air cooler #12
3. Service water (SRWS) heat exchanger #11
4. Service water (SRWS) heat exchanger #12

It also provides cooling water to component cooling water (CCW) heat exchangers #11 and #12 during the recirculation phase.

B.17.2 Description

B.17.2.1 Overall Configuration

The SWS consists of two trains, each with its own dedicated pump as shown in Figure B.17-1. During normal operation, the train served by SWS pump #11 (Loop #11) provides cooling water to:

1. CCWS heat exchanger (HX) #11
2. ECCS pump room air cooler #11
3. SRWS HX #11
4. Circulating water pump (CWP) seals

The train served by SWS pump #12 (Loop #12) provides cooling to:

1. CCWS Hx #12
2. ECCS pump room air cooler #12
3. SRWS Hx #12
4. CWP seals
5. CWP room coolers
6. Condenser tube bulleting system
7. Water jet exhauster

A third SWS pump #13 can be substituted for either one of the dedicated SWS pumps #11 or #12.

A list of SWS equipment specifications is given in Table B.17.1. Both SWS Loops #11 and #12 are required during normal operation.

B.17.2.2 System Interfaces

The SWS is a support system for several of the components which are used in response to an accident. However, the SWS in turn is dependent upon support systems. An interaction FMEA for the SWS is shown in Table B.17.2. The support systems and their failure effects on the SWS are given for the following support systems: Electrical Power (AC and DC) and ESFAS.

B.17.2.3 Instrumentation and Control

The alignment of the SWS for the Injection Phase mode of operation is initiated by the SIAS signal. Train "A" (Loop #11) is actuated by Channel A of the Engineered Safety Features Actuation System (ESFAS) and Train "B" (Loop #12) is actuated by Channel B of the ESFAS. The actuation signals along with the status indications for the SWS pumps and valves are given in Table B.17.3.

The function logic diagrams for the SWS pumps #11 and #12 are shown in Figures B.17-2 and B.17-3. The function logic diagram for SWS pump #13 is shown in Figures B.17-4 and B.17-5.

The alignment of the SWS for the recirculation mode is initiated by the RAS signal. The actuation signals are shown in Table B.17.3.

B.17.2.4 Operator Actions

The SWS is completely automatic in nature and thus requires no operator actions for successful system operation.

B.17.2.5 Surveillance

Surveillance of Salt Water Pumps 11 and 12 and their motors is limited to routine checking of operating parameters as part of the normal procedure for operating the system outlined in OI-29 since these pumps are operating continuously during power operation. The swing Salt Water Pump 13 is tested at least once per 31 days as required by Section XI of the Boiler and Pressure Code.

Valves are required to be checked once per 31 days to ascertain that they are in their correct positions by Technical Specification Surveillance Requirement 4.7.5.1(a). Those valves whose positions must change to accomplish mode changes have their positions indicated in the control room and are checked with their position logged once per shift. The operability of these valves is required to be demonstrated at least once per 18 months during a shutdown by Surveillance Requirement 4.7.5.1(b). The test intervals and procedures are listed on Table B.17.4.

B.17.2.6 Maintenance

Maintenance is only performed on an as-needed basis. A maintenance summary sheet is compiled in Table B.17.5.

B.17.2.7 Technical Specification Limitations

The limiting conditions for operations contained in Technical Specification 3.7.5.1 state that any one SWS loop can be out of service for no more than 72 hours. If the out-of-service time is to be longer than 72 hours, then the plant must be placed in HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours. This means that any one loop can be out of service for a total of 78 hours before a HOT STANDBY condition must be reached.

B.17.3 Operation

Both loops of the SWS operate during normal operation. Upon receipt of a SIAS signal, CCW HX's 11 and 12 are isolated by the automatic closing of valves CV-5160, CV-5206, CV-5162, CV-5163, and CV-5208. The flow of cooling water to the CWP Room Coolers is terminated by the automatic closing of valves MOV-5250 and MOV-5251. The SIAS signal also increases the flow through the SRW HX's (to accept the increased heat loading from the containment fan coolers) by opening to their maximum valves CV-5210 and CV-5212. When these operations have occurred, the SWS is lined up for the injection phase of ECC. No operator actions, other than verification that these actions have occurred, are required.

The SWS is automatically realigned for the recirculation phase by the RAS signal which reopens the valves closed by the SIAS signals, with the exception of motor-operated valves (MOVs) MOV-5250 and MOV-5251, which isolate the CWP Room Coolers. Operator actions required are those of verifying that valves CV-5160, CV-5206, CV-5162, CV-5163, and CV-5208 have been reopened and regulating the flow of salt water to meet the CCW and SRW cooling requirements using Hand Indicator Controllers (HICs) 5206, 5208, 5210, and 5212.

B.17.4 Fault Tree Description

The SWS is a support system. Therefore, rather than construct a single tree top, six tree tops were developed, one for each subsystem supported. These tree tops are shown in Table B.17.6. The particular subsystems supported are described in Section B.17.4.1. The data used to quantify the trees is shown in Table B.17.7. The SWS schematics used for fault tree construction in the injection and recirculation modes are presented in Figures B.17-6 and B.17-7. The SWS fault tree is shown on the appropriate aperture card in the envelope at the back of this report.

B.17.4.1 Success/Failure Criteria

The success of the SWS depends solely on having sufficient flow of salt water through the particular HX of interest. There are two independent loops of the SWS, each with three HX's (CCW, service water (SRW), and ECCS pump room cooler). Although only one of two redundant Hx's need function to accomplish the particular cooling task, that will be considered in the fault tree of the particular system served by the HX, and is therefore not of concern here. Hence, the enclosed fault tree is concerned only with flow reaching a particular HX, and not with the overall system performance. Since there are six HX's, there are six separate fault tree top events.

B.17.4.2 Major Assumptions

The following assumptions were considered in developing the CCW fault tree.

1. Flow diversion is not considered where the diverting piping diameter is 1/3 diameter of main flow. (This eliminates the flow path with CV-5178 and CV-5177, see Figure B.17-1.)

2. Possible flow diversion from loop 11 to the Bay is not considered since CV-5149 does not receive any automatic actuation signal and is normally closed. It could not be left inadvertently open, since loop 11 would fail and both SWS loops are necessary during normal operation.

3. The possible flow diversion in loop 11 that could bypass SRW Hx #11 is not allowed since CV-5156 and CV-5155 do not receive any automatic actuation signals. Also, if allowed, loop 11 would fail during normal operation.

4. The possible flow diversion in loop 11 path that could bypass CCW Hx #11 is not considered since its valves CV-5166 and CV-5165 do not receive any automatic actuation signals. Also, if allowed, loop 11 would fail during normal operation.

5. Normally throttled valve CV-5210, outlet valve from SRW Hx #11, is considered closed prior to injection and open prior to recirculation. The same is true for SRW Hx #12 outlet valve CV-5212. This is assumed since the valves must receive a signal and go fully open during injection. Also, in the recirculation phase, they receive a signal to go back to the throttled positions.

6. During injection, failure of the CCW Hx to isolate is assumed to fail the cooling of the SRW Hx.

7. During the recirculation phase, failure of the SRW Hx outlet valves CV-5210 and CV-5212 to close (i.e., throttle) is considered to cause the failure of cooling CCW Hx #11 and #12, respectively.

8. Although the ECCS pump room cooling Hx's receive salt water cooling during both injection and recirculation, flow diversion failures away from these coolers are not considered. This is because the coolers are such a minor load on the SWS as to be almost negligible compared to the SRW and CCW coolers.

9. Both loops of the SWS are used during normal operation. Therefore, restoration faults after maintenance on SWS components have been ignored.

10. The SWS pumps have no external lubrication system, nor do they have any external cooling (either lube oil coolers or room coolers).

11. SWS pump P13 has its circuit breaker aligned to bus 11 and its discharge aligned with loop 12; therefore, it becomes significant only if both SWS pumps P11 and P12 fail and is not modelled on the main fault tree. It is treated as a recovery action on the accident sequence level (see the recovery discussion in Appendix C).

12. Valves which are throttled during normal operations (e.g., CV-5210 and CV-5212), and which are required to go full-open upon SIAS, are assumed to fail their function if they do not fully open.

Table B.17.1 System and Equipment Specifications

Salt Water Pumps
  Number                                      3
  Flow (each), GPM                            15,500
  Head @ Rated Flow, ft.                      82
  Type                                        Single Stage Centrifugal
  Motor Power, Hp                             450
Normal System Total Flow, GPM                 22,000
Maximum System Total Flow, GPM                31,000
CCW Heat Exchgr. Primary P (max.), psig       8
Minimum S.W.S. Header Pressure, psig          15
Maximum S.W.S. Header Pressure, psig          40

Table B.17.2 Salt Water System FMEA

SUPPORT SUBSYSTEM    COMPONENT AFFECTED    FAILURE MODE    COMPONENT FAILURE EFFECT ON SYSTEM    EFFECT OF SUBSYSTEM FAILURE ON OVERALL SYS. OPERATION*

l 4 IV Does not start Loss of SMS loop 11 Loss of SMS loop 11 aus F 11, F 13 does not run 11 125 Y ALL auto-activa- Fall open Divert salt water away ' Transients - None DC ted valves in from Service water coolers LOCA's - Fails SRW Cooling Sus SMS during infection and away in 2nj. mode. C24A from component coolers - Fails CCW Cooling during recirculation in pectrc. mode. SIAS 'A' cv5206 Open Driverts flow from Service Falls saw TR 11 Cooling in water En 11 Inj. mode fLOCA's only) CV5210 Throttled Insufficient flow thre Falls CCW TR 11 Cooling in component cooling as Il pectre. Mode (IcCA's only) Fil None, P11 running during None normal operation l l F13 Does not start peduced reliability of Beduced reliability of l system system SIAS *B' CV5162 Open Diverts flow from Service Fails SRW TR 12 cooling in Cv5208 water En 12 Inj. mode (14CA's only) CV5212 Throttled Insufficient flow thre Falla CCW TR 12 Cooling in component cooling Ss 12 Decirc. mode (IDCA's only) F12 None, F12 running during None normal ops.

  • Aasuming no recovery D

(d t B.17-7

Table 3.17.2. Salt Mater system FMEA (Continued) SUFFGtT COMPONENT FAILURE CORPOWENT PAIL.URE EFFECT OF SUBSYSTEM SUBSYSTEM AFFECTED RCEE EFFECT ON SYSTEM FAILURE ON OVERALL SYS. OPERATION

  • OPERATION
  • O RAS *A* CVS206 Closed No flow thru component Fail' CCM TR 11 cooling in cooling En 11 recirn mode CV5210 Open Diverts flow from Falls CCW TR 11 cooling in ecumponent cooling En 11 recirc. mode (14CA's only) 3As 'B' CV5208 Closed No flow thru component Falla CCW TR 12 cooling in cooling En 12 recire. mode.

CV5212 open Divette flow from com= Falla CCW TR 12 cooling in ponent cooling us 12 recirc. mode (LOCA's only)

  • Assuming no recovery.

O B.17-8

Table 3.17.3 signal and Indication samary ITBN TRAIN (1) s!As (2) bas (3) 3D8 (4) DV BUN /STOP/ POSITION MAN. ANNyuc. m (PAC) CRAN CEAN CHAN CBAN INDICATION CONTROL N!sC. LOC'N l \ '%) sWS Pop 11 34 A-8 NA 11/2 UVA2 R/G Lamp-RCG (IC13), 35-5799 Skr. 1 E02 Local (IA01) 152-1105 sus P op 12 SS D-8 NA 14/2 UVB2 R/G Lamp-nCB (IC13), as-5200 skr. 1 E02 Local (1A04) 152-1405 EWS Pop 13 SA A-8 NA 11/2 UVA3 R/G Lampe-nCS (1C13), 38-5201 skr. 1 E02 Local (IA01) 152-1112 sus P op 13 IB B-0 NA ' 14/2 UVB3 R/G Lampe-NCS (1C13), 55-5201 Skt. 1 E02 Local (1A04) 152-1412 n0V 5250 RA A-8 NA NA NA R/G Lampe-NCB (1C13), 58-5250 skr. NA Local (13014) 52-11442 NOV 5251 Is 3-0 NA NA NA R/G Lamps-NCE (1C13), Es-5251 Skt. WA Local (15004) 52-10431-CV 5160 RA A-7 A-1 NA NA R/G Lampe= Local Es-5141 NA 0 2C24A CV 5162 ta s-7 s-1 NA NA R/G Lamps-Local as-5162 NA 9 2C24A CV 5143 sa 3-7 s-1 NA NA m/G Lampe-Local as-5164 1 E02 0 2C24h CV 5204 SA A-7 A-1 NA NA R/G Lampe-NCS (1C13), 52CS206 38-5161 1 E02 ' Local (2C24A) CV 5204 SS B-7 S-1 NA NA R/G L e pe-MCB (1C13), EIC5208 Es-5164 1 E02 Local (2C24A) CV 5210 SA A-9 A-1 NA NA R/G Lampe=NCB (1C13), BIC5210 us-5151 1 E02 Local (2C24A) CV 5212 IB 3-9 B-1 NA NA R/G Lampe-nce (IC13), EIC5212 3s-5154 1 E02 Local (2C244) (1) s1As = safety In>ction Actuation system (2) ras = Bactreulation Actuation system (3) sDs = shutdown sequences (4) UV = Undervoltage


w Table 3.17.4. Salt Water system Test summary sheet CouPOutu? TEST TYPE OF CouPONENTs REALIGNED C3t TAKEN RIPECTED SOURCE PREQUENCY TEST CUT OF Es POSITION DDE TO TEST TEST OUTAGE (Test PROctDU2E 0) WITS NO AUTO ES RETURN REATURS TIuS SW 5160 Nonthly stroke None pone STP 0-65-1 IIII-s 5W 5206 Monthly stroke mone pone STP 0-65-1 IIII-u su 5161 ponthly str oke pone pone STP 0-65-1 IIII-C su 520s panthly stroke pone pone STP 0-65-1 II!!-C BW $163 Monthly stroke pone pone STP 0-65-1 IIII-C sw 5165 nonthly stroke pone unne STP 0-45-1 IIII-C SW 5164 Quarterly str oke mone pone STP 0-65-1 I!!!-D sw 5170 Quarterly stroke pone pone STP 0-65-1 IIII-D SW 5171 Quarterly stroke pone pone STP 0-45-1 IIII-D BW 5171 Quarterly stroke pone none sTP 0-65-1 IIII-D SW 5174 Quarterly stroke pone pone STP 0-65-1 IIII-E SW 5175 Quarter 3y stroke pone mone STP 0-65-1 IIII-E SW 5177 Quarterly stroke pone pone BTP 0-45-1 IIII-E su 5178 Quarterly stroke pone pone STP 0-65-1 I!!!-E SW 5150 Qua rterly stroke pone pone STP 0-65-1 IIII-P sw 5210 ponthly stroke mone pone STP 0-65-1 IIII-P sw 5152 Quarterly stroke pone none STP 0-65-1 IIII-G su 5153 Quarterly stroke mone pone STP 0-65-1 IIII-G SW 5153 Quarterly st r oke pone mone STP 0-65-1 IIII-G su 5155 Quarterly stroke None pone STP 0-65-1 I!!!-G SW 5156 Qua rterly str oke pone mone STP 0-65-1 II!!-G SW $250 Quarterly stroke pone pone sTP 0-65-1 I!!!-R sw 5251 Quarterly str oke pone pone STP 0-65-1 IIII-s SW 111 Quarterly Closing of Mone pone sTP 0-65-1 IIII-I BW 103 Check Valve SW 107 su Pump (11 Vibration pone

  • uone STP 0-73-1-3 SW Pump 412 Disc 1. Press su Pump $13 suction Press.
* SWS pumps are realigned by opening and closing the manual crossover valves. However, if tests are performed correctly, it would not be possible to have incorrect realignment since SWS would not work otherwise.


Table 3.17.5 salt Water system Maintenance summary sheet ColpoinNT TTPS OF CXMWQutirr WEICE NUST FREQUENCY OF EXPECTED RIPECTED 00TAGE DIDERGOING MINTSBANCE DE ALIGNED AWAY FRON COMPONENT FREQUENCY OF TINE OF

 %       NAINTElIANCE                           Bs Pos1 TION WITE NO                ALIGWNENT            NAINTENANCE ** NAINTENANCE **

AUTO RETURN yta!PICATICII * ( Ar. ) (hrs.) SfsP011A Naintenance asp 011A Continuous 1.73-4 4.64 poquiring Cs 11054 opened (o)*** Disassembly sus 01048 closed sN370123 Maintenance susP0125 Continuous DI.72-4 4.64 pequiring CB 14053 opened (o)*** Disassembly sus 01081 closed susP013A Maintenance sNsP0138 Nonthly 1.73-4 4.64 poquiring CB 14128 opened (5.13-4)*** Disassembly CB 1112A opened sus 01141 closed sus 0112E closed sus 5150A Maintenance sus 5210A Continuous 3.4t-6 6.8 Requiring sus 0104I Disassembly sus 5170A sus 5160A sus 5210A Maintenance None continuous 3.48-6 6.8 on esternals only sus 52123 Maintenance ass 51538 Continuous 3.4E-6 6.3 Dequiring aus51523 Disassembly sus 5153s Maintenance None Continuous 1.43-6 6.8 on esternals only.

* For components with continuous verification, a high temperature alarm would be actuated within a short time after failure to align. For the pump failures, a low discharge pressure alarm would also be actuated.
** Plant specific data.
*** Distributed maintenance when two pumps (#11 and #12) are assumed to be running.

r Table 3.17.5 salt Mater system palatenance summary sheet (Continued) COMPONENT TTPE OF COMPONENT WEICE NUST FREQUENCY OF EXPECTED EXPECTED OUTAGE UNDERGOING MAINTENANCE BE ALIGNED ANAT FROM CORPONENT FREQDENCY OF TIME OF RAINTENANCE Es POSITION WITE NO ALIGNMENT MAINTENANCE ** MAINTENANCE ** AUTO RETURN VERIFICATION * ( /br.) thre.) sus 5170A Raintenance sus 5160A Monthly 3.42-6 6.8 poquiring sus 0104E Disa ssembly sus 5150A swS5171A sWs5171A Maintenance None Monthly 3.4E-6 6.8 On externals only. Sus 51623 Maintenance sus 5163s continuous 3.4E-6 6.8 Requiring sus 0115E Disa ssembly SWs0108E sus 51738 sus 51523 sus 51633 Maintenance sus 51628 Continuona 3.4E-6 5.8 Requiring sus 52083 Disassembly sWs52083 maintenance None Continuous 3.42-6 6.8 on externals only. sus 5160A Maintenance sWs5206A Continuoua 3.4E-6 6.8 Requiring sus 5170A Disassembly sus 5150A sus 0104E sWs5206A Maintenance None Continuous 3.4E-6 6.8 on externals only.

* For components with continuous verification, a high temperature alarm would be actuated within a short time after failure to align.
** Plant specific data.

4 Table 3.17.5 salt Water systee malatenance sammary sheet (concluded) i Q CONF 0mpT U S ERGOING TYPE OF MAINTENANCE COMP 0mWT NEICE NUsf BE ALIGNED ANAT FROM FREQUENCY OF COMPONENT BIPECTED FREQUENCY OF BIPECTED OUTAGE Tint or MAINTENANCE Es POs! TION WITE NO ALIGNMENT RAINTENANCE ** MAINTENANCE ** AUTO RETURN VERIFICATION * ( /hr.) thrs.) 3s51735 Maintenance sus 51743 nonthly 3.43-6 6.8 pequiring WE51623 Disassembly SNS51523 sus 0100I sus 0115I Sus 51743 Maintenance sus 51733 nonthly 3.4E-6 6.0 Dequiring SNS$1753 Disassembly sus 5175s naintenance pone Monthly 3.4E-6 6.8 on externals only. sus 51523 maintenance sNS52125 Continuous 3.45-6 6.8 poquiring sus 0108x Disassembly sus 0115E Sus 51738 Sus 51623

* For components with continuous verification, a high temperature alarm would be actuated within a short time after failure to align.
** Plant specific data.

Table B.17.6. Components for Which Salt Water System Fault Trees Have Been Constructed

Component Name | Fault Tree Identifier | Salt Water System Loop Number
ECCS Pump Room Air Cooler #11 | SWS-ECCSRM11-CF | 11
Service Water Heat Exchanger #11 | SWS-SRWSHX11-CF | 11
Service Water Heat Exchanger #12 | SWS-SRWSHX12-CF | 12
ECCS Pump Room Air Cooler #12 | SWS-ECCSRM12-CF | 12
Component Cooling Water Heat Exchanger #11 | SWS-CCWHX11-CFR | 11
Component Cooling Water Heat Exchanger #12 | SWS-CCWHX12-CFR | 12

Table B.17.7 SALT WATER SYSTEM (SWS) DATA

Event Name | Event / Sub Event Description | Sub Event Failure Rate (per/hr) | Sub Event Exposure Time (hr) | Sub Event Unavail. q | Fault Event Unavail. Q = Σq
SWS0103X-COC-LF, SWS0107X-COC-LF | Check valve failure to remain open (plug) | 1.0E-7 | 24 | -- | 2.4E-6
SWS0104X-XOC-LF, SWS0108X-XOC-LF, SWS0196X-XOC-LF, SWS0197X-XOC-LF, SWS0198X-XOC-LF, SWS0199X-XOC-LF | Manual valve failure to remain open (plug) | 1.0E-7 | 24 | -- | 2.4E-6
SWS5174B-NOC-LF, SWS5175B-NOC-LF | Pneumatic valve - failure to remain open (plug) | 1.0E-7 | 1000 | -- | 1.1E-4
SWS5150A-NOC-LF, SWS5152B-NOC-LF, SWS5153B-NOC-LF | Pneumatic valve - failure to remain open (plug) | 1.0E-7 | 24 | -- | 2.4E-6
SWS5210A-NTC-LF, SWS5212B-NTC-LF | Normally throttled valve fails closed | 1.0E-7 | 24 | -- | 2.4E-6
SWS5160A-NCC-LF, SWS5162B-NCC-LF, SWS5163B-NCC-LF, SWS5170A-NCC-LF, SWS5171A-NCC-LF, SWS5173B-NCC-LF, SWS5206A-NCC-LF, SWS5208B-NCC-LF | Pneumatic valve fails to operate | -- | -- | -- | 3.0E-3
SWSP011A-PMD-LF, SWSP012B-PMD-LF | Fail to run | 3.0E-5 | 24 | -- | 7.2E-4
SWS1105A-CBL-LF, SWS1405B-CBL-LF | Cable - open circuit | 3.0E-6 | 24 | -- | 7.2E-5
SWS1105A-BCO-LF, SWS1405B-BCO-LF | Bkr premature transfer | 1.0E-6 | 24 | -- | 2.4E-5
SWS1105A-BOO-LF, SWS1405A-BOO-LF | Bkr failure to transfer | -- | -- | -- | 3.0E-3
FAULT-SWS-58 | Rupture (WASH-1400) | 8.5E-10 | 24 | -- | 2.0E-8
SWS5150A-NOC-CC, SWS5152B-NOC-CC, SWS5153B-NOC-CC, SWS5160A-NCC-CC, SWS5162B-NCC-CC, SWS5163B-NCC-CC, SWS5170A-NCC-CC, SWS5171A-NCC-CC, SWS5173B-NCC-CC, SWS5174B-NOC-CC, SWS5175B-NOC-CC, SWS5206A-NCC-CC, SWS5208B-NCC-CC, SWS5210A-NCC-CC, SWS5212B-NCC-CC | Pneumatic valve control circuit fails | -- | -- | -- | 2.5E-3
SWSTD13-LF | Short across one second time delay in PMP13 start logic | 3.0E-7 | 360 | -- | 1.1E-4
SWS5150A, SWS5152B, SWS5153B, SWS5160A, SWS5162B, SWS5163B, SWS5170A, SWS5171A, SWS5173B, SWS5174B, SWS5175B, SWS5206A, SWS5208B, SWS5210A, SWS5212B (each with suffix -N-PR[illegible]) | Pneumatic valve maintenance | 3.4E-7 | 7 | -- | 2.4E-6
SWS5210A-NTO-LF | Normally open valve fails to throttle | -- | -- | -- | 3.0E-3

[Figure B.17.1 Schematic of Salt Water System]

[Figure B.17-2 Logic Diagram - Start Pump 11 (Typical of Pump 12)]

[Figure B.17-3 Logic Diagram - Stop Pump 11 (Typical of Pump 12)]

[Figure B.17-4 Logic Diagram - Start Pump 13 - BRKR 152-1112 Closed]

[Figure B.17-5 Logic Diagram (rotated page; text illegible)]

[Figure B.17-6 Schematic of Salt Water System Used for Fault Tree Construction in Injection Phase]

[Figure B.17-7 Schematic of Salt Water System Used for Fault Tree Construction in Recirculation Phase]

Appendix B.18

Heating and Ventilation System

B.18 HEATING AND VENTILATION SYSTEM DESCRIPTION

B.18.1 Diesel Generator Room Ventilation System

B.18.1.1 Purpose

The diesel generator room ventilation system is designed to remove heat radiated to the room from an operating diesel generator and prevent the room temperature from increasing beyond the system electrical components qualification temperature, at which temperature the reliability of the diesel generators may be compromised.

B.18.1.2 Description

B.18.1.2.1 Overall Configuration

The system consists of one vane-axial supply blower for each of three emergency diesel generator rooms located at the west end of the auxiliary building at the 45' elevation. Each blower is rated at 37,000 cfm. The supply fan takes air either from outside through duct work at the 69' elevation, from within the diesel room, or a combination of both, by thermostatically controlled supply dampers. The wall-mounted thermostat, which positions the mixing box dampers to prevent the local temperature from rising above the desired setpoint, will have a range from 60°F to 110°F. The vane-axial fans have welded tubular steel casings, air foil blades, stationary discharge conversion vanes, and direct drive with adjustable motor mounts. The inlets are streamlined and discharge cones are used in the fan outlet side. A simplified diagram of the system is presented in Figure B.18-1.

B.18.1.2.2 System Interfaces

The sources of motive power for the fans and the system are Motor Control Centers (MCCs) 11G and 12G. These MCCs power fans 11 and 12, respectively. MCCs 11G and 12G are fed from MCC 114R and MCC 104R, respectively. The dampers' motive power is from the plant Instrument Air System. The dampers fail open (fail-safe) on loss of instrument air.

B.18.1.2.3 Instrumentation and Control

The system can be operated manually from the local diesel generator room control board in addition to the remote automatic initiation. There is a smoke removal system in the rooms that can be initiated manually from outside (by opening the exhaust damper) to remove smoke and heat from the diesel generator room.

B.18.1.2.4 Operator Actions

The system is initiated automatically and there is no operator action required for system operation. However, it is possible to initiate the system manually.

B.18.1.2.5 Surveillance

The system is verified operable during the weekly diesel generator operability test.

B.18.1.2.6 Maintenance

Maintenance on the system is performed only when required and as a corrective action.

B.18.1.3 Operation

The diesel generator room ventilation system is normally not running. A signal is generated in the diesel generator "start logic" circuitry which generates a ventilation start signal coincident with the diesel generator start. This start signal turns on the fans, opens the room exhaust dampers, and allows the room temperature controller to position the pneumatically-operated inlet (fresh air) and recirculation air dampers to their correct position.

Loss of instrument air causes the inlet and exhaust dampers to fail in their open position (fail-safe).

B.18.1.4 Fault Tree Description

The fault tree for the diesel generator room ventilation system is shown on the appropriate aperture card in the envelope at the back of this report. The data used to evaluate the fault tree is shown in Table B.18.1. The diesel generator room ventilation system was assessed as failed if the following failures occur:

1. Fans do not operate
2. Exhaust dampers fail to open
3. Fresh air inlet dampers fail to open.
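The three failure criteria above can be quantified as an OR-gate fault tree. The following is an added example, not the report's aperture-card tree: it assumes a simplified single-train structure with independent basic events, uses train 11 event names and values as read from Table B.18.1, and assumes that the DGVOT and DGVIN events are the exhaust and inlet dampers.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class BasicEvent:
    """One data-table row: q = demand term + failure rate x exposure time."""
    name: str
    demand_q: float = 0.0      # unavailability given directly (per demand)
    rate_per_hr: float = 0.0   # failure rate, per hour
    exposure_hr: float = 0.0   # exposure time, hours

    def q(self) -> float:
        return self.demand_q + self.rate_per_hr * self.exposure_hr


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str        # "OR" or "AND"
    inputs: tuple    # BasicEvent and/or Gate nodes, assumed independent

    def q(self) -> float:
        """Exact gate probability for independent inputs."""
        qs = [node.q() for node in self.inputs]
        if self.kind == "OR":
            return 1.0 - prod(1.0 - x for x in qs)
        if self.kind == "AND":
            return prod(qs)
        raise ValueError(f"unknown gate kind: {self.kind!r}")


def rare_event(node) -> float:
    """Rare-event approximation: OR gates add, AND gates multiply."""
    if isinstance(node, BasicEvent):
        return node.q()
    vals = [rare_event(child) for child in node.inputs]
    return sum(vals) if node.kind == "OR" else prod(vals)


def basic_events(node):
    """Flatten a tree into its basic events, depth first."""
    if isinstance(node, BasicEvent):
        return [node]
    return [ev for child in node.inputs for ev in basic_events(child)]


def ranked_contributions(node):
    """(name, q) pairs, largest first; ties keep tree order."""
    return sorted(((ev.name, ev.q()) for ev in basic_events(node)),
                  key=lambda pair: pair[1], reverse=True)


def build_train_11() -> Gate:
    """Assumed simplified tree for the train 11 ventilation (constructed)."""
    fans = Gate("Fans do not operate", "OR", (
        # Fail to start 3.0E-4 plus fail to run 1.0E-5/hr over 8 hr.
        BasicEvent("DGVFN11A-FAN-LF", demand_q=3.0e-4,
                   rate_per_hr=1.0e-5, exposure_hr=8),
        BasicEvent("DGVCL11A-CBL-LF", rate_per_hr=3.0e-6, exposure_hr=84),
        BasicEvent("DGVCB11A-BCO-LF", rate_per_hr=1.0e-6, exposure_hr=84),
        BasicEvent("DGVCT11A-BOO-LF", demand_q=3.0e-3),
    ))
    exhaust = BasicEvent("DGVOT11A-DCC-LF", demand_q=3.0e-3)  # assumed: exhaust
    inlet = BasicEvent("DGVIN11A-DCC-LF", demand_q=3.0e-3)    # assumed: inlet
    return Gate("DG room 11 ventilation fails", "OR", (fans, exhaust, inlet))


if __name__ == "__main__":
    top = build_train_11()
    print(f"exact (independent events): {top.q():.3e}")
    print(f"rare-event approximation:   {rare_event(top):.3e}")
    for name, q in ranked_contributions(top):
        print(f"  {name:<18} {q:.2e}")
```

With these inputs the per-demand damper and breaker terms outweigh the time-dependent fan, cable and breaker-transfer terms, and the rare-event sum overstates the exact result by less than one percent.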

B.18.1.4.1 Major Assumptions

The following assumptions were considered in the development of the diesel generator room cooling fault tree.

1. Loss of power to the fans was included but was not developed further to avoid circular logic.
2. Loss of actuation was not considered since the ventilation start signal was not developed or modeled in the diesel generator tree (i.e., the same signal that starts the DG results in an actuation signal to the room ventilation).

B.18.2 ECCS Pump Room Cooling System

B.18.2.1 Purpose

The purpose of the ECCS Pump Room Cooling System is to prevent the room temperature from exceeding a normal limit of 110°F or an absolute limit of 120°F. By maintaining the room temperatures below 120°F at all times, the reliability of the equipment in the room will be optimal, and the equipment can operate in a design basis environment. The components most susceptible to high ambient temperatures are the air-cooled shaft seals on the containment spray pumps.

B.18.2.2 Description

B.18.2.2.1 Overall Configuration

The system consists of two air cooling units (one located in each ECCS compartment) for each plant with the following nominal capacities: 884,000 BTU/hr. and 704,000 BTU/hr. The larger capacity cooling unit will be located in the east ECCS compartment, having two HPSI/R pumps. Each cooling unit consists of cooling coils, steel casing, and direct drive fans driven by individual motors. Saltwater will be circulated through the tube side of the finned tube heat exchangers of each unit by the SWS. Recirculated air will be cooled by the heat exchanger. The air is distributed across the heat exchanger by three or four motor-driven fans, depending upon the unit size. The smaller, three-fan system is installed in the west ECCS room.

The coils are extended surface type, arranged for horizontal air flow, provided with inlet and outlet manifold piping, vent, and drain connections. The tubes are of 90/10 copper-nickel. The cooling fins are of aluminum, extending at right angles to the centerline of the tube. The coils are designed for a pressure and temperature of 50 psig and 120°F. The coils and headers are of the cleanable type, with removable headers on both ends. A schematic representation of the system is shown in Figure B.18-2.

B.18.2.2.2 System Interfaces

The system is dependent on the SWS and EPS for its successful operation. The SWS cools the east (11) and west (12) ECCS room coolers, respectively. The motive power for the east ECCS room coolers (room 11) is provided by 480V Motor Control Center 114R, while the 480V MCC 104R feeds the west ECCS cooler (room 12).

B.18.2.2.3 Instrumentation and Control

The system control parameter is room temperature, measured by TE 5404(5405). The normal range of operation is between 95°F and 104°F. As the room temperature increases to 104°F, the output of the temperature controller element (TE) matches the set-point of the pressure switch PS 5404(5405). This pressure switch is then actuated and:

1. turns on the fans
2. opens the saltwater inlet and outlet valves by de-energizing SV 5170(5173) and SV 5171(5174).

As the room temperature decreases to 95°F, the output of the temperature controller element TE 5404(5405) resets the PS 5404(5405) which then:

1. turns off the fans
2. re-energizes SV 5170(5173) and SV 5171(5174) to close the saltwater inlet and outlet valves.

The automatic initiation of the system can be overridden by handswitches described below:

HS 5404 (5404A) OFF - fans off
HS 5404 (5404A) ON - fans on
HS 5404 (5404A) AUTO - fans controlled by PS 5404(5405)
ECCS Pump Room #11 - Saltwater inlet & outlet valves HS 5172 open/auto/close
ECCS Pump Room #12 - Saltwater inlet & outlet valves HS 5173 open/auto/close

Indications are provided in the control room for the operational status of the fans and position of the saltwater valve. Also, an alarm is initiated when the fan motors start to operate. The room temperature is measured by a temperature sensor. This sensor initiates an alarm when the room temperature reaches 110°F.

B.18.2.2.4 Operator Actions

The system is initiated automatically and there is no operator action required for system operation. However, it is possible to initiate the system manually.

B.18.2.2.5 Surveillance

The system has no scheduled test while the plant is in operation. However, the room temperature is monitored by the auxiliary building operator twice every shift.

B.18.2.2.6 Maintenance

Maintenance is performed on system components on an as-needed basis.

B.18.2.3 Operation

The ECCS room coolers will normally be on standby (not operating). Each unit has an individual (OFF-AUTO-ON) control switch located in the control room. The normal position of the control switches is AUTO so that the fans start and the saltwater cooling valves open automatically.

B.18.2.4 Fault Tree Description

The fault tree for the ECCS Pump Room Cooling System is shown on the appropriate aperture card in the envelope at the back of this report. The data used to evaluate the trees is shown in Table B.18.1. Possible failure modes considered for the system are listed below:

1. Loss of saltwater to the cooler system.
2. Failure of saltwater valves to open to allow saltwater to the coolers.
3. Failure of the temperature control loop.
4. Loss of power to the fans.

B.18.2.4.1 Major Assumptions

The following assumptions were considered in the development of the ECCS room cooling fault tree:

1. Loss of instrument air to the saltwater valves or loss of DC power to the controlling solenoid valves will cause the valves to fail open and will not fail the system.
2. To simplify the fault trees, the fans and also their controls were modeled as single entities.

Table B.18.1 HEATING AND VENTILATION SYSTEM DATA

Event Name | Event / Sub Event Description | Sub Event Failure Rate (per/hr) | Sub Event Exposure Time (hr) | Sub Event Unavail. q | Fault Event Unavail. Q = Σq
DGVFN11A-FAN-LF, DGVFN12C-FAN-LF | Fail to start (motor) | -- | -- | 3.0E-4 | 3.8E-4
 | Fail to run | 1.0E-5 | 8 | 8.0E-5 |
DGVCL11A-CBL-LF, DGVCL12C-CBL-LF | Cable - open circuit | 3.0E-6 | 84 | -- | 2.5E-4
DGVCB11A-BCO-LF, DGVCB12C-BCO-LF | Bkr - premature transfer | 1.0E-6 | 84 | -- | 8.4E-5
DGVCT11A-BOO-LF, DGVCT12C-BOO-LF | Bkr - fails to operate | -- | -- | -- | 3.0E-3
DGVFN11A-F-PR[illegible], DGVFN12C-F-PR[illegible] | Fan maintenance | 7.0E-5 | 7 | -- | 4.9E-4
MCC11G-LF, MCC12G-LF | Bkr - premature transfer | 1.0E-6 | 84 | -- | 8.4E-5
DGVTC11A-LF, DGVTC12C-LF | Damper temperature controller fails HI (WASH-1400) | 3.0E-5 | 8 | -- | 2.4E-4
DGVRC11A-DCO-LF, DGVRC12C-DOC-LF | Damper fails open (failure to operate) | -- | | | 3.0E-3
DGVIN11A, DGVIN12C, DGVOT11A, DGVOT12C, DGVRC11A, DGVRC12C (each with suffix -D-PR[illegible]) | Damper maintenance | 7.0E-5 | 7 | -- | 4.9E-4
DGVIN11A-DCC-LF, DGVIN12C-DCC-LF, DGVOT11A-DCC-LF, DGVOT12C-DCC-LF | Damper - failure to operate | -- | -- | -- | 3.0E-3
DGVIN11A-D-FRFM, DGVIN12C-D-FRFM, DGVRC11A-D-FRFM, DGVRC12C-D-FRFM, DGVOT11A-D-FRFM, DGVOT12C-D-FRFM | Failure to restore damper after maintenance | 7.0E-5x1.0E-4 | 84 | -- | 6.0E-7
DGVFN11A-F-FRFM, DGVFN12C-F-FRFM | Failure to restore fan after maintenance | 7.0E-5x1.0E-4 | 84 | | 6.0E-7
ECCFANEA-FAN-LF, ECCFANWB-FAN-LF | Failure to start | -- | -- | 3.0E-4 | 5.4E-4
 | Failure to run | 1.0E-5 | 24 | 2.4E-4 |
ECCFANWE-CBL-LF, ECCFANWW-CBL-LF | Cable - open circuit | 3.0E-6 | 2190 | -- | 6.6E-3
ECCFCB48-BCO-LF, ECCR1448-BCO-LF, ECCCB048-BCO-LF, ECCR0448-BCO-LF | Bkr - premature transfer | 1.0E-6 | 2190 | -- | 2.2E-3
ECCHS404-SWT-LF, ECCHSO4A-SWT-LF | Handswitch - NC contact FO | 3.0E-6 | 2190 | -- | 6.6E-3
ECCPSO4A-SWT-LF, ECCPS058-SWT-LF | Pressure switch failure to operate | -- | -- | -- | 1.0E-4

b v b v 4 i i i I Table B.18.1 HEATING AND VENTILATIO0f SYSTEN DhTA (Cont.) i Sub Event i Sub Event Fault Sub Event Event Name Sub Event Failure Exposure Unavail. Unavail. Event Description Description Rate (per/hr) Time (hr) q Q = Eq.

.                     ECCFY404-RCA-LF                    Control relay              --            --           +-       3.0E-4 ECCFY405-RCA-LF                    failure to energize

! ECCTC04A-AST-LF Temperature controller 3.0E-6 2190 -- 6.68-3

ECCTCOSA-AST-LF fails to operate i

j LOS-IN-ECF-F404 Composite LF-Handswitch -- -- 3.0E-5 6.6E-3 m LOS-IN-ECF-F405 Wire-open circuit 3.0E-6 2190 6.6E-3 i + I H ECCFANEA-FANFROGt Fan maintenance 7.0E-5 7 -- 4.95-4 7 e BCCFANWB-FANFRIGI l ECCFANEA-FANFRFN Failure to restore 7.0E-5x1.0E-4 2190 -- 1.5E-5

ECCFANWB-FANFRFN Following maintenance I  !

i i 1 I

[Figure B.18-1: graphic not recoverable from the scan. Legible labels: FRESH AIR LOUVER, VIN, VRC, VOT, VTC, EXHAUST FAN, EXHAUST LOUVER, EXHAUST AIR, FROM ROOM, A/S, SV, HS, SMOKE REMOVAL SWITCH.]

1. FAN START INITIATED BY SIGNAL FROM DIESEL START LOGIC
2. HS5433-3 POSITION SWITCH-LOCAL FAN CONTROL DIESEL STOP/AUTO/START-SPRING LOADED TO
  • AUTO
  • START-STARTS
3. FAN START FUNCTION-DE-ENERGISES SV5430 TO ALLOW POSITIONING FAN AIR SIGNAL TO FAN INLET DAMPERS DE-ENERGISES SV5429 TO OPEN EXHAUST DAMPER
4. SMOKE REMOVAL SW. HS5434-OPENS EXHAUST DAMPER-SWITCH IS OUTSIDE D/G ROOM

Figure B.18-1 Simplified Diagram of Heating and Ventilation System (Diesel Generator #11 Room Cooling) (DG #12 similar)

[Figure B.18-2: graphic not recoverable from the scan. Legible labels: TC, HS, PS, A/S, SV, SALT WATER SYSTEM, SALT WATER SYSTEM HEADER #11.]

Figure B.18-2 Simplified Diagram of Heating and Ventilation System (ECCS Pump Room Air Coolers)

Appendix B.19 Human Reliability Analysis

B.19 HUMAN RELIABILITY ANALYSIS

B.19.1 Introduction

Human reliability methods, models, and estimated human error probabilities (HEPs) were employed to make quantitative or qualitative assessments of occurrences of human errors in the Calvert Cliffs study that affect the availability or operational reliability of engineered safety systems and components. This section presents the details of the Calvert Cliffs Human Reliability Analysis of this study.

B.19.2 Calvert Cliffs Human Reliability Effort

The required human reliability analysis used in this study was attempted exclusively using the concepts and data developed and presented in NUREG/CR-1278. Initial guidance was provided by human factors analysts at Sandia National Laboratories, but the team developed most of the THERP diagrams and their quantification independently.

Upon completion of the front-line and support system fault trees development, and during the quantification process of these fault trees, it was decided that estimates of HEPs were required for several generic (items 1 & 2 below) and specific (items 3 through 7 below) tasks appearing in the fault trees. A list of these tasks is provided below.

Discussions of plant administrative controls were held with plant staff, and a review of the plant operating, test, and maintenance procedures was conducted by the analyst. In addition, a detailed set of photographs of the plant control panels was used to identify possible conditions which may influence the performance-shaping factors and potential sources of error associated with the tasks of interest.

1. Failure to restore a component to operable status upon completion of a maintenance or test act upon that component.
2. Failure to restore an actuation system to operable status upon completion of a maintenance or test act on that system.
3. Failure to restore RWT level switches following their functional test during performance of the monthly ESFAS test (STP-M-220-1).
4. Failure to restore sliding link terminals to their functional position following insertion of test signals to provide loop inputs to the pressurizer pressure and containment pressure actuation systems during performance of the monthly ESFAS test (STP-M-220-1).
5. Failure to restore the pump discharge valve upon completion of the monthly operational test of the auxiliary feedwater pumps (STP-0-5-1).
6. Failure to initiate and perform the Emergency Boration Procedure within 20 to 30 minutes of recognition of an ATWS incident.
7. Manual actuation of ESFAS functions given that they are needed and automatic initiation failed to occur (CSAS, SIAS, RAS).

The derivation of the required models for human behavior during the above tasks and the sources of information upon which the assumptions were based are presented in Section B.19.3.

B.19.3 Evaluation of the Generic and Specific Human Related Tasks

This section presents in detail the derivation of the required human error models for the Calvert Cliffs study. The work sheets and calculated HEPs are attached for each task. The actual HEP values used in the fault tree quantification were generally made somewhat greater than those calculated here, to provide additional conservatism for the initial screening quantification.

B.19.3.1 Analysis of Task 1 (Failure to Restore System Following Component Maintenance)

The first step in the evaluation was to discuss the general method of maintenance, documentation, and controls with members of the plant operating staff. A flow chart of this process was prepared and is included in Figure B.19-1.

Following development of this outline, each administrative procedure was examined in detail, and the conditions under which they apply to the analysis are given below.

1. Tagging system in effect
2. Locked valve deviation sheet in effect
3. Components which are normally tested by the surveillance test program are verified operable at the completion of maintenance by performance of the appropriate portions of the applicable surveillance test procedure.
4. Components (pumps & valves) covered by the in-service test program (ASME Code Section XI, articles IWV-3200 & IWP-3111) are verified operable upon completion of maintenance by performance of the appropriate surveillance test procedure.

NOTE: Surveillance test procedures (STPs) used for post maintenance testing are administratively controlled in a manner identical to that of routinely scheduled STPs.

A brief outline of the content of the administrative control procedures for valve manipulation is given below.

(a) Tagging System

The system employed at Calvert Cliffs satisfies the definition for a Level I system (NUREG/CR-1278, Table 15-3) in that:

(i) Individually identifiable tags are written and attached to each component which is removed from service during a maintenance action.
(ii) A mechanism exists whereby a suspense sheet and tag sheet file allows verification of the status of any particular tag-out.

(b) Locked Valve Deviation Log

Any repositioning of a valve which is designated as a "locked valve" in OP-6 or STP-0-62 must be preceded by generation of a locked valve deviation sheet:

(i) When the deviation is initiated, it is logged and initialed in the out-of-normal position.
(ii) When the valve is returned to its normal position and locked, it is cleared from the log by an entry "returned to normal position" and initialed.
(iii) Independent verification of the restored valve position is performed by a senior licensed operator and so is indicated in the log.

An individual locked valve deviation sheet is used for each evolution requiring manipulation of locked valves. Each valve has a readable identification tag which is color-coded to indicate the normal valve position, and locked valves are indicated by use of a chain clipped around the valve.

(c) Shift Turnover Sheets

A system is not returned to service until tags are removed and required post maintenance testing is complete. Such out-of-service systems are identified on the turnover sheet given to the oncoming senior control room operator (SCRO) by the outgoing senior control room operator.

Table B.19.1 and Figure B.19-2 present the Task 1 basic HEP values and THERP tree, respectively. As derived in Figure B.19-2, the calculated value for this task is 3E-5, but to include some conservatism a value of 1E-4 was used for screening purposes.

This value applies to each valve isolated during maintenance if no operability test is performed. If an operability test is required (which is almost universally true for Section XI ASME Components), all valves required to be open will be verified open when the test is performed. The value for HEP for these should be

HEP_{Fail To Restore Inlet Valve} = HEP_{General} x HEP_{Test Omission}

However, for conservatism and simplicity, a constant HEP of 1E-4 was used for all administratively controlled valves.

B.19.3.2 Analysis of Task 2 (Failure to Restore an Actuation System Following Maintenance)

Work on an actuation system is performed in accordance with the plant maintenance request administrative control procedure. The maintenance request (M/R) designates the post-maintenance testing requirements to be performed by the maintenance team and the post-maintenance operability test to be performed by the operating staff prior to the affected system being restored to service.

A copy of such a maintenance request form showing the entries of concern for this analysis is included as Figure B.19-3. The maintenance post-maintenance test procedure is typically a maintenance surveillance test procedure, functional test, or calibration procedure. The operability test would comprise an operations surveillance test procedure.

The analysis does not take credit for any tagging procedure since replacement of a sub-component of an actuation system would not typically involve tags associated with that subcomponent, but would involve the electrical boundaries - these must be restored if a test is to be successful. The tagging would serve to recover from an error wherein a post-maintenance operability test is indicated as necessary, but is omitted.

Table B.19.2 presents assumptions and basic HEPs used during analysis of Task 2. Figure B.19-4 presents the Task 2 THERP tree and calculation of HEP.

B.19.3.3 Analysis of Task 3 (Failure to Restore RWT Level Switches Following Test During Performance of Monthly STP-M-220-1)

A failure and effect analysis of the RWT level switch system, together with a brief overview of the maintenance procedure of concern and the assumptions and basic HEP values used in the analysis of Task 3, is provided below. Figure B.19-5 presents a simplified schematic of the RWT level switch system and the Task 3 THERP tree and calculation of HEP.

Faults        Effects
V1 Closed     Level Switch Failure (Critical Step)
V2 Closed     Low Reading - No Fault
V3 Open       Low Reading - No Fault
V4 Open       No Fault

Procedure (STP-M-220-1)
  • Does not specify valve line-up
  • No tagging or locked valve deviation sheet required
  • Check-off provided for in restoration step
  • No recovery if valve V1 left mispositioned

Assume
  • Restoration by maintenance personnel
  • Optimal stress level

Task              Possible Actions                                   HEP     Source
Procedure         Fail to use avail. proc.                           .05     T20-22 Item 6
Uses checklist    Improper use                                       .5      T20-22 Item 8
Closure of V1     Error of omission using check-off properly         .001    T20-20 Short list with C/O
                  Error of omission not using check-off properly     .003    T20-20 Short list no C/O
                  Error of omission not using procedure              .01     T20-20 Proc. avail. but not used

B.19.3.4 Analysis of Task 4 (Failure to Restore Sliding Link Terminals Following Functional Test [or maintenance] of ESFAS Containment Pressure and Pressurizer Pressure Loops)

The work sheet below provides information regarding procedure, assumptions, and basic HEP values used during analysis of Task 4. Figure B.19-6 presents the Task 4 THERP tree and calculation of HEP value.

Recovery time for the error (FET) is 8 hours since loop parameters are measured and recorded once per shift.

There is no procedural test which will allow verification of complete operability of the sensor loop, other than monitoring loop current as part of the test procedure.

The procedure has steps defined with check-off provisions (Long List - 10 items).

Stress level - optimal

Restoration done by maintenance personnel

Task Analysis

Task                    Error                                    HEP     Source
Procedure               Will not use if avail.                   .05     Table 20.22 Item 6
Procedural Check-Off    Will not use correctly                   .5      Table 20.22 Item 8
Close Sliding Link      Error of omission (not using proc)       .3      Table 20.20 Item 3
                        Error of omission (not using C/O)        .01     Table 20.20 Item 5
                        Error of omission (using C/O)            .003    Table 20.20 Item 2
Check Loop Current      This step is felt to have a medium level of dependency with the closure of sliding link terminal, so:
                        Error of omission (no proc)              .36
                        Error of omission (no C/O)               .15     Table 20.1
                        Error of omission (w C/O)                .15

B.19.3.5 Analysis of Task 5 (Failure to Restore Auxiliary Feedwater Pump Discharge Valve Following Performance of STP-0-51 Monthly Performance Test)

The work sheet below provides information regarding procedure, assumptions, and basic HEP values used during analysis of Task 5. Figure B.19-7 presents the Task 5 THERP tree and calculation of HEP values.

Procedure has check-off provisions

Locked valve deviation sheet is initiated

Optimal stress level

Task Analysis

Task                         Error                                                    HEP     Source
Written procedure STP-0-5    Does not use                                             .01     T20-22 Item 3
                             Uses proc. improperly                                    0.5     T20-22 Item 8
Restores valve               Error of omission (not using proc.)                      .01     T20-20 Item 8
                             Error of omission (using procedure W/O check-off)        .01     T20-20 Item 5
                             Error of omission (using procedure with check-off)       .003    T20-20 Item 2
                             Selection Error - Not Considered - Dedicated Operator for Test
Checking of valve            Error of omission - LVDS used correctly                  .1      T20-21 Item 3
restoration by 2nd           Error of omission - LVDS used improperly                 .01     T20-21 Item 2
operator                     Selection Error - Neglected because of plant consciousness of this valve following TMI incident.

Reversal not considered - Valve ID shows correct state and intuition indicates valve must be opened following test - Closure of valve obviously wrong for return to service.

RECOVERY TREE (CHECK BY 2ND OPERATOR)

Task                 Error                                            HEP    Source
LVDS                 Use improperly                                   .5     T20-22 Item 8
Unrestored valve     Error of omission (Procedure used properly)      .01    T20-21 Item 2
identified           Error of omission (Procedure used improperly)    .1     T20-21 Item 3

B.19.3.6 Analysis of Task 6 (Failure of Operator to Successfully Perform Emergency Boration Within 20 to 30 Minutes Given That an ATWS Scenario is Identified)

The work sheet below provides information regarding procedure, assumptions, and basic HEP values used during analysis of Task 6. Figure B.19-8 presents the Task 6 THERP tree and calculation of HEP values.

The following steps are part of EOP-13 which dictate the immediate actions necessary during this transient.

1. Switch the make-up stop (CVC-512) handswitch to the "SHUT" position (not a vital step).
2. Open the charging pump direct feed stop valve (CVC-514).
3. Switch the make-up mode selector switch to the "BORATE" position.
4. Check a boric acid pump running.
5. Start all "available" charging pumps (2 of 3 or 3 of 3 pumps are necessary).

Task Analysis

Task                        Error                            HEP                          Source                                             Dependence
Use of written procedure    Does not use                     1.0                          Time factor obviates use of written procedure
Step I.B.2                  Omit                             .01                          T18-1 Line 4                                       MD (See below)
Open CVC-514                SW Sel                           .01
Step I.B.3                  Omit                             .01                                                                             MD
Mode Sel to borate          SW Sel                           .01
Step I.B.4                  Omit check of indicator light    Recovery after completion    R.                                                 LD
Verify Pump running
Step I.B.5                  Omit                             .01                                                                             LD
Start n/3 avail pumps       Short 2 pps                      .00

Assumptions
  • Mimic lines on panel
  • Speed Required MH stress
  • 2 others in C/R
  • 1 person doing task
  • Experienced operator - .01
  • Both Boric Acid pumps functional
  • No recovery of failure because of time factor
  • Need for procedure identified & initiated
  • MD - Steps 2 & 3
  • LD - Steps 4 & 5
  • Step 4 performed at the end of procedure

B.19.3.7 Analysis of Task 7 (Failure to Manually Actuate ESFAS)

The following paragraphs provide information regarding derivation of HEP value for manual initiation of ESFAS signals.

CSAS Large Break LOCA - Because of time constraints between onset of LOCA and containment reaching peak pressure it is not felt that manual initiation of CSAS is a viable option - HEP = 1.0

SIAS Large Break LOCA - Some additional time is available for SIAS actuation (of the order of ten minutes) and a value was taken from the recovery model. HEP = 0.1 (0.5 used for screening purposes).

RAS - Clear to allow LPSI pumps to come on. Felt to be analogous to manual initiation of RAS (Example: 21-6-CR-1278) but to allow conservatism use 1E-2; should this be important, will model later.

Manual initiation of the ESFAS functions above where a greater time is allowed (e.g., Small-small, Small LOCAs, etc.): assume a value of 1E-2 because of large uncertainties in the PSFs. Reaction to a significant incident using EOPs is not defined sufficiently well. This will be explored in greater depth should manual initiation be of significance. HEP = 0.01.

TABLE B.19.1 TASK 1 - BASIC HEPs

TASK ANALYSIS - FAILURE TO RESTORE VALVE FOLLOWING MAINTENANCE
NO OPERABILITY TEST PERFORMED OR VALVE NOT RESTORED PRIOR TO OPERABILITY TEST

Assumption - Optimal Stress Level

Task                                              Error                Basic HEP    Stress    M       Source
SCRO directs operator to restore valve            Error of Omission    .01          OPT       .01     T-20-22 Item 1
(Oral Directive)
SCRO fails to identify system OOS on              Error of Omission    .003         OPT       .003    T-20-20 Item 2
turn-over sheet (Error of Omission - written)
Operator fails to follow Oral Directive           Error of Omission    .001         OPT       .001    T-20-18 Item 1
Control Room Op. fails to identify the            Error of Omission    .1           OPT       .1      T-20-16 Item 2
omission via tag stubs
SOL checker fails to identify omission in         Error of Omission    .1           OPT       .1      T-20-16 Item 2
restoration via locked valve deviation sheet
TABLE B.19.2 TASK 2 - ASSUMPTIONS AND BASIC HEPs

Failure to Restore Actuation System Following Maintenance

Assumptions

Restoration by Maintenance - available - written procedure with no check-off provision
Performance of Post Maintenance Operability Test - in conformance with CCI-200E, Section I
Optimal Stress (no plant evolutions in progress)

Task Analysis

A. Restoration by Maintainer

Task                              Error                                HEP     Source (CR-1278)
Written Procedure,                Fails to Use                         0.3     Table 20.22, Item 7
No Check-off Provision
Uses Procedure                    Error of Omission                    0.01    T.20.20, Item 5 (long list)
Fails to Use Procedure            Error of Omission                    0.3     T.20.20, Item 7
Selection Error                   Neglected - presumably if wrong component is selected, original fault will continue to exist. Circuit will be complete (but non-operable)

B. Verification of Operability by Operations Group - SCRO

Task                              Error                                HEP     Source
Post Maint. Operability Test      SCRO decides not required            .01     Table 20.22, Item 1
on M/R                            SCRO decides required - omits        .003    Table 20.19, Item 2
                                  to indicate on M/R
Post Maint. Oper. Test at         Proc. not used                       0.1     Table 20.22, Item 3
SCRO Direction - Written          Check-off not used                   .5      Table 20.22, Item 8
procedure with check-off
available
Procedure not used                Error of Omission                    .01     Table 20.20, Item 5
Check-off not used                Error of Omission                    .01     Table 20.20, Item 5
Check-off used                    Error of Omission                    .003    Table 20.20, Item 2

Notes

Error of omission in test procedure assumed to give invalid indication of successful tests.
No credit given for recovery of omission to indicate PMT requirements when so intended by SCRO.
Recovery would result from recognition of unsigned M/R by shifts in review process,

[Figure B.19-1: flow chart graphic not recoverable from the scan. Legible box text, in order:]

1. Initiation of Maintenance Request (M/R). (Side note: tagging system at CCNPP is Level 1.)
2. M/R goes to Group Foreman. Foreman defines procedures to be used. Foreman defines the required post maintenance testing.
3. M/R goes to Asst. Gen. Foreman for review and approval (tech. spec., reg. guides, ANSI STDs).
4. M/R goes to Tagging Authority (T/A). T/A identifies boundaries and prepares the tags.
5. M/R and tags go to Shift Supervisor (SS). SS verifies adequacy of tags. SS verifies plant mode is suitable for the proposed tag-out and does not violate any requirements of tech specs. SS indicates change on valve line-up list. If valve is "locked" in position, initiates a locked valve deviation sheet. SS approves tag-out.
6. SCRO initials tags to indicate his awareness of impending tag-out.
7. Operators tag out equipment. Supervisor's tag stub placed in SS file. [illegible]
8. Work proceeds.
9. Upon completion of work, repairman fills out Section 5 of M/R and returns M/R & repairman's stub to SCRO. [illegible] specifies additional testing if necessary.
10. If testing is required, tags may be lifted but not cleared to perform test. If testing is not required or is completed satisfactorily, SCRO informs the SS of the results. [illegible]
11. SCRO forwards the repairman's stub to T/A for removal of tags. SCRO directs the positioning of the valves.
12. T/A returns repairman's stub and equipment service tags to SCRO and returns system to SS/SCRO control.
13. [illegible; refers to the locked valve]
14. If valve is not on "locked" valve list, valve line-up list is changed to show that abnormal condition is no longer present, initialed by SS. Otherwise SS verifies that alignment of valves is as per valve line-up list and signs the locked valve deviation sheet to so indicate; sheet removed from file and forwarded to [illegible].

Figure B.19-1 Flow Chart of the General Process for Maintenance Documentation & Control

[Figure B.19-2: THERP tree graphic not recoverable from the scan. Legible branches for failure to restore following maintenance (success / failure):
  • SCRO gives oral directive (.99 / .01)
  • SCRO identifies system OOS at shift turnover (.997 / .003)
  • Operator follows oral directive (.999 / .001)
  • Control room operator identifies restoration omission via tag stubs (.9 / .1)
  • SOL checker identifies restoration omission via locked valve deviation sheet (.9 / .1)
OOS = Out of Service]

SUCCESS = [.99 + (.01 x .997)] [(.999) + (.001 x .997) + (.001 x .003 x .9) + (.001 x .003 x .1 x .9)]
        = .99997

FAILURE = (.01 x .003) + (.99 x .001 x .003 x .1 x .1)
        = 0.00003

HEP = 3 x 10^-5

Figure B.19-2 Task 1 THERP Tree & Calculation of HEP
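The Figure B.19-2 calculation can be checked limb by limb. The following Python is an added example, not part of the original report: the branch HEPs are those of Table B.19.1, while the two-stage grouping (taken from the two bracketed factors of the SUCCESS expression) and all function and variable names are assumptions of this sketch.

```python
"""Path-by-path evaluation of the Task 1 THERP tree (Figure B.19-2)."""
from math import isclose, prod

# Failure-branch HEPs from Table B.19.1 (optimal stress, basic HEP used as is).
SCRO_NO_DIRECTIVE = ("SCRO fails to give oral directive", 0.01)
SCRO_MISSES_OOS = ("SCRO fails to identify system OOS at shift turnover", 0.003)
OPERATOR_NO_ACTION = ("operator fails to follow oral directive", 0.001)
CR_MISSES_TAG_STUBS = ("control room operator misses omission via tag stubs", 0.1)
SOL_MISSES_LVDS = ("SOL checker misses omission via locked valve deviation sheet", 0.1)

# Assumed grouping (mirrors the two bracketed factors of the figure's SUCCESS
# expression): each stage is an initial error followed by its recovery checks.
STAGES = [
    ("directive stage", [SCRO_NO_DIRECTIVE, SCRO_MISSES_OOS]),
    ("restoration stage", [OPERATOR_NO_ACTION, SCRO_MISSES_OOS,
                           CR_MISSES_TAG_STUBS, SOL_MISSES_LVDS]),
]

SCREENING_HEP = 1e-4  # conservative value the report used for screening


def success_limbs(chain):
    """Probability of each success limb: every earlier branch failed, this one did not."""
    limbs, reach = [], 1.0
    for _, p_fail in chain:
        limbs.append(reach * (1.0 - p_fail))
        reach *= p_fail
    return limbs


def stage_failure(chain):
    """A stage fails only if the initial error and every recovery check fail."""
    return prod(p for _, p in chain)


def evaluate(stages):
    """Return (success, failure, failure_paths) for stages taken in series."""
    reach, paths = 1.0, []
    for name, chain in stages:
        # Failure here requires that all earlier stages succeeded.
        paths.append((name, reach * stage_failure(chain)))
        reach *= sum(success_limbs(chain))
    failure = sum(p for _, p in paths)
    return reach, failure, paths


def report_hand_calculation():
    """FAILURE expression as printed in the figure (uses .99 for the first stage)."""
    return (0.01 * 0.003) + (0.99 * 0.001 * 0.003 * 0.1 * 0.1)


def summarize(stages=STAGES):
    """Collect the quantities a reviewer would compare against the report."""
    success, failure, paths = evaluate(stages)
    # Every limb of the tree is accounted for, so the two must sum to one.
    assert isclose(success + failure, 1.0, rel_tol=0, abs_tol=1e-12)
    dominant = max(paths, key=lambda item: item[1])
    return {
        "success": success,
        "failure": failure,
        "hep_1sf": float(f"{failure:.0e}"),
        "dominant_stage": dominant[0],
        "dominant_share": dominant[1] / failure,
        "screening_margin": SCREENING_HEP / failure,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:>17}: {value}")
```

Almost all of the calculated HEP comes from the first limb (.01 x .003); the tag stub and locked valve deviation sheet checks only reduce the much smaller second path.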


[Figure B.19-3: reproduction of the Maintenance Request form, not recoverable from the scan. Legible fields: serial number; component/location; problem/maintenance action required; indications/possible cause; priority (1 to 4); responsibility; safety related / non-safety related; instructions; post maintenance test; maintenance foreman and date; approved; Q.C. call number(s); permission granted to perform work; acknowledgement; time/date started; action taken; time/date completed; work area cleaned; operational test required; completion acknowledged and returned to service; Q.C. inspection (accepted / waived / not accepted); review plant history (yes / no).]

Figure B.19-3 Maintenance Request Form

[Figure B.19-4: Task 2 THERP Tree and Calculation of HEP]

Recovery Tree

S = S1 + S2 + S3
  = .99 x .99 x .5 x .997 + .99 x .01 x .7 + .99 x .99 x .5 x .99
  = .48858 + .00693 + .48515
  = .98066
HEP = 1.9E-2

Complete Restoration Tree

S = 0.7 x .99 + .7 x .01 x .98066 + .3 x .7 + .3 x .3 x .98066
  = .998124
HEP = 1.88E-3   Failure to restore act. circuit following maint.

[Figure B.19-5: Task 3 THERP Tree and Calculation of HEP; Schematic of RWT Level Switch. Legible branch labels: Level Switch Test; uses / does not use written proc.; check-off provision; restores V1 / omits restoration of V1. Schematic: RWT Level Switch System with valves V1 to V4 and LS (Level Switch); legible legend entries: V1 = NO, V3 = NC.]

S = S1 + S2 + S3
  = (.95 x .5 x .999) + (.95 x .5 x .997) + (.05 x .99)
  = .9976
HEP = 1 - .9976 = 2.4E-3

[Figure B.19-6: Task 4 THERP Tree and Calculation of HEP. Legible branch labels: maintainer uses procedure / fails to use procedure; uses check-off / does not use check-off; restores links / fails to restore link; checks reading / fails to check loop readings.]

S = S1 + S2 + S3 + S4 + S5 + S6
  = (.95 x .5 x .997) + (.95 x .5 x .003 x .85) + (.95 x .5 x .99) + (.95 x .5 x .01 x .85) + (.05 x .7) + (.05 x .3 x .64)
  = 0.99367
HEP = 1 - .99367 = 6.3E-3

Error in reading loop circuit in check step not considered since it will be zero if loop is open.

[Figure B.19-7: Task 5 THERP Tree and Calculation of HEP. Legible branch labels: uses / does not use STP-0-5; uses check-off; restores valve correctly / fails to restore valve; 2nd operator restores valve (LVDS) / 2nd operator fails to identify unrestored valve. LVDS = locked valve deviation sheet.]

S = S1 + S2 + S3 + S4 + S5 + S6
  = (.99 x .5 x .997) + (.99 x .5 x .003 x .945) + (.99 x .5 x .99) + (.99 x .5 x .01 x .945) + (.01 x .99) + (.01 x .01 x .945)
  = .99964
HEP = 4E-4

Identification of unrestored valve by 2nd operator - Recovery Tree

Legible branch labels: LVDS used correctly (.5) / used incorrectly (.5); unrestored valve identified / unidentified.

S = S1 + S2 = (.99 x .5) + (.5 x .9) = .945
F = .055
HEP = 5.5E-2

Recovery factor which results from check by 2nd operator using locked valve deviation sheet.

[Figure B.19-8: Task 6 THERP Tree and Calculation of HEP. Legible branch labels: perform / omit step to open CVC 514; open / fail to open CVC 514; perform / omit borate step; borate SW selection correctly / error; perform / omit steps to turn on additional charging pumps.]

S = (.99)^5
  = .95
HEP = .05

There is a .05 probability that emergency boration will not be successful in the ATWS Scenario.

Appendix C

Accident Sequence Quantification

C.1 GENERAL APPROACH TO SEQUENCE QUANTIFICATION

C.1.1 Overview

One of the major goals of IREP is to identify, in a preliminary way, those accident sequences that dominate the contribution to the public health and safety risks originating in nuclear power plant accidents. Once the dominant accident sequences were identified, a further goal was to determine the dominant component failure combinations (cut sets) that contributed to these accident sequences. Appendix C describes the steps involved in obtaining these cut sets as well as listing the dominant cut sets for each of the dominant sequences.

C.1.2 Accident Sequence Identification

The accident sequence identification task consisted of examining the systemic event trees (see Appendix A) and forming the Boolean expression for each of the core melt sequences. In the sequence quantification effort, the system successes were included in the Boolean expressions, and the sequences listed were grouped in a logical fashion to minimize the number of sequences which needed to be run (see Section C.1.4.1 for a detailed explanation of this process). The next step in quantification was to substitute the fault tree Boolean expressions into the sequence Boolean expressions.

C.1.3 Fault Tree Manipulations

Before the fault tree Boolean expression for a front-line system can be obtained, the front-line system fault tree must be merged with the support system fault trees. After the component failure data is assigned to the basic events of the fault tree, the merged tree is Boolean reduced and truncated by dropping all cut sets with probabilities below a certain specified value.

C.1.3.1 Fault Tree Merging

In this step, the front-line and support system fault trees are merged to form the complete front-line system fault trees. This is accomplished by finding all of the developed events in the front-line system fault trees and replacing these events with either a portion of or the whole support system fault tree. In some cases the support system fault tree will also have developed events which must be replaced by other appropriate support system fault trees. The resulting merged tree consists of a top event, intermediate gates, and basic events for which failure data exists. All developed events are removed in the merging process. The SETS code [1] was used to perform all the fault tree and Boolean algebra manipulations and has the capability of automatically performing this merging operation.

The merged fault trees frequently contain what is called circular logic. Circular logic normally occurs when system interdependencies exist, especially in support systems. As an example, at Calvert Cliffs Unit 1, the diesel generators are cooled by the Service Water System (SRWS). Therefore, the diesel generator fault tree has a portion of the SRWS fault tree feeding into it. The SRWS pumps require AC power which is supplied by either offsite power or the diesel generators. Therefore, the SRWS fault tree has a portion of the diesel generator fault tree feeding into it. Figure C.1 illustrates the logical loop which results from these dependencies.

There are a number of ways to "cut" these logical loops. However, in the Calvert Cliffs Unit 1 merged fault trees, all circular logic was found to be caused by diesel generator support systems which themselves needed the diesel generators to operate under loss of offsite power conditions. Therefore, in order to cut the circular logic without losing any information from the analysis, the following procedure was used:

1. All electric power support systems and their support systems were identified.
2. For each electrical developed event appearing in these support systems, a portion of the original electric power tree was substituted. This substituted portion was chosen so that no circular logic would appear in the merged tree. Since each electrical developed event represented an electrical bus that appeared in the electrical power fault tree, the portion of the electrical tree from that bus back to where a particular 4 kV bus connects to a diesel generator was used with the diesel generator portion trimmed off.
3. These support system fault trees were then merged with the electrical fault tree to create a merged electric power fault tree developed down to basic events with no logical loops.
4. One problem still remained. Some support systems support both front-line systems and electric power. However, the support system gates in the electrical tree, while having the same name as before, are defined differently since the diesel generator input has been removed. In order to merge the electrical tree with the other trees, the names of all duplicated gates in the electrical tree were changed by affixing a "1" to them.

Figure C.2 illustrates the two types of fault tree developments that result from this process. Figure C.2(A) shows the fault tree development for a pump in a support system that supports the EPS (e.g., a service or salt water pump). The local faults of the bus that supports the pump are input to represent the loss of electric power to the pump. The local failures of the 4kV bus can fail the pumps but may not fail the entire EPS. Figure C.2(B) shows the fault tree development for a pump in a support system that does not support the EPS (e.g., a component cooling water pump). In this case, total loss of electric power from the 4kV bus is modeled. For a further discussion of logic loops in fault trees, see the IREP Procedures Guide [2].
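The loop-cutting procedure of Section C.1.3.1, sketched on a miniature tree as an added example; it is not the SETS code or the plant model. All gate and event names are constructed, and the rule that an AND gate losing its diesel generator input is dropped entirely is an assumption of this sketch.

```python
# Constructed miniature of a merged tree with the dependency loop described above.
# Gate name -> (gate type, inputs); a name with no entry is a basic event.
# Every name here is invented for illustration and is not the plant model.
MERGED = {
    "FRONT-LINE-PUMP-FAILS": ("OR", ["FL-PUMP-LOCAL", "BUS-11-NO-POWER", "SRW-HDR-FAILS"]),
    "BUS-11-NO-POWER":  ("OR",  ["BUS-11-LOCAL", "BUS-11-NO-SUPPLY"]),
    "BUS-11-NO-SUPPLY": ("AND", ["LOSS-OF-OFFSITE-POWER", "DG-11-FAILS"]),
    "DG-11-FAILS":      ("OR",  ["DG-11-LOCAL", "SRW-HDR-FAILS"]),
    "SRW-HDR-FAILS":    ("OR",  ["SRW-PUMP-LOCAL", "BUS-11-NO-POWER"]),
}
DG_GATES = {"DG-11-FAILS"}


def find_cycle(gates, top):
    """Return one logical loop reachable from `top` as a list of gate names, else None."""
    path, finished = [], set()

    def visit(name):
        if name in path:                       # back edge: the loop closes here
            return path[path.index(name):] + [name]
        if name in finished or name not in gates:
            return None                        # already cleared, or a basic event
        path.append(name)
        for child in gates[name][1]:
            loop = visit(child)
            if loop:
                return loop
        path.pop()
        finished.add(name)
        return None

    return visit(top)


def trimmed_copy(gates, name, dg_gates, out):
    """Copy the tree under `name` into `out` with the diesel generator portion trimmed off.

    Copied gates get "1" affixed to their names. Returns the name to reference,
    or None when nothing is left after trimming.
    """
    if name in dg_gates:
        return None                            # the diesel generator input is removed
    if name not in gates:
        return name                            # basic events keep their names
    kind, inputs = gates[name]
    kept = [trimmed_copy(gates, child, dg_gates, out) for child in inputs]
    if kind == "AND" and None in kept:
        return None                            # assumption: an AND gate that loses an input is dropped
    kept = [k for k in kept if k is not None]
    if not kept:
        return None
    out[name + "1"] = (kind, kept)
    return name + "1"


def cut_loops(gates, dg_gates):
    """Re-point every diesel generator gate at trimmed, renamed copies of its support trees."""
    out = dict(gates)
    for dg in dg_gates:
        kind, inputs = gates[dg]
        new_inputs = [trimmed_copy(gates, child, dg_gates, out) for child in inputs]
        out[dg] = (kind, [n for n in new_inputs if n is not None])
    return out


if __name__ == "__main__":
    print("loop before:", find_cycle(MERGED, "FRONT-LINE-PUMP-FAILS"))
    fixed = cut_loops(MERGED, DG_GATES)
    print("loop after: ", find_cycle(fixed, "FRONT-LINE-PUMP-FAILS"))
    for gate in sorted(fixed):
        print(gate, fixed[gate])
```

The front-line tree keeps the original support gate, which models total loss of power from the bus, while the diesel generator sees only the renamed copy with bus local faults, matching the two developments of Figure C.2.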

C.1.3.2 Fault Tree Truncation

The merged fault trees for the front-line systems resulted in very large Boolean expressions. The average merged tree had about 2000 unique events, with the largest tree having about 2500 events. Manipulation of Boolean expressions representing such large trees for evaluation purposes is difficult, costly, and often impossible with current computer codes. Therefore, the decision was made to probabilistically truncate the merged front-line system fault trees. Any cut set with a probability of less than 1.0E-8 was discarded. This value was chosen because experience shows that most PRA-estimated core melt frequencies are greater than or equal to 1E-6/yr and that truncation at a probability value of 1E-8 introduces relatively small errors.

The truncation process followed a modified "bottom up" procedure. Intermediate events were chosen that were either: (1) used more than once in the fault tree (to minimize repetitive solutions of a portion of the trees) or (2) were "AND" gates where probabilities multiply, and thus become substantially smaller. The SETS code was used to obtain reduced Boolean expressions for low and intermediate events (stop points) as compared to events higher up in the fault tree structure. The results of the first round of truncation were then used as the input for further rounds of truncation until the tree top was reached. This truncation process reduced the fault tree size to about 200 to 300 basic events whose remaining cut sets averaged about 1500 in number.

In addition, the SETS code restructures the fault tree looking for "independent subtrees;" that is, portions of the tree which can be solved and then treated as "super events" for solving the rest of the tree. This process results in smaller trees and more efficient solving of the original trees. These events must be resubstituted at the end if you wish to have cut sets in terms of the basic events defined on the original tree.
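The bottom-up reduction and 1.0E-8 truncation of Section C.1.3.2 on a small tree, as an added example that is not the SETS code. The two-train system, its event names and its probabilities are constructed, and the rare-event sum used to compare truncated and untruncated results is an assumption of this sketch.

```python
from itertools import product
from math import prod

CUTOFF = 1.0e-8   # truncation value stated in the text

# Constructed two-train system; gate names and probabilities are illustrative only.
GATES = {
    "SYSTEM-FAILS": ("AND", ["TRAIN-A", "TRAIN-B"]),
    "TRAIN-A":  ("OR",  ["PUMP-A-FTS", "MOV-A-FTO", "BUS-A-LOCAL", "CTRL-PWR"]),
    "TRAIN-B":  ("OR",  ["PUMP-B-FTS", "MOV-B-FTO", "BUS-B-LOCAL", "CTRL-PWR"]),
    "CTRL-PWR": ("AND", ["BATT-FAILS", "CHGR-FAILS"]),   # intermediate event used twice
}
DATA = {
    "PUMP-A-FTS": 1e-3, "PUMP-B-FTS": 1e-3,
    "MOV-A-FTO": 3e-3, "MOV-B-FTO": 3e-3,
    "BUS-A-LOCAL": 2e-6, "BUS-B-LOCAL": 2e-6,
    "BATT-FAILS": 1e-3, "CHGR-FAILS": 1e-3,
}


def cut_set_probability(cut_set, data):
    """Probability of a cut set, treating its basic events as independent."""
    return prod(data[event] for event in cut_set)


def minimize(cut_sets):
    """Boolean reduction: drop duplicates and any cut set that contains a smaller one."""
    minimal = []
    for cs in sorted(set(cut_sets), key=len):
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return minimal


def solve_top(top, gates, data, cutoff):
    """Solve gates bottom-up, truncating at every gate. Returns (kept, dropped) cut sets."""
    memo, dropped = {}, []

    def solve(name):
        if name in memo:                      # a gate used more than once is solved once
            return memo[name]
        if name not in gates:                 # basic event: a single one-event cut set
            result = [frozenset([name])]
        else:
            kind, inputs = gates[name]
            solved = [solve(child) for child in inputs]
            if kind == "OR":
                combined = [cs for child in solved for cs in child]
            else:                             # AND: every combination, probabilities multiply
                combined = [frozenset().union(*combo) for combo in product(*solved)]
            reduced = minimize(combined)
            result = [cs for cs in reduced if cut_set_probability(cs, data) >= cutoff]
            dropped.extend(cs for cs in reduced if cut_set_probability(cs, data) < cutoff)
        memo[name] = result
        return result

    return solve(top), dropped


def rare_event_sum(cut_sets, data):
    """Top event estimate as the sum of cut set probabilities (rare-event approximation)."""
    return sum(cut_set_probability(cs, data) for cs in cut_sets)


if __name__ == "__main__":
    kept, dropped = solve_top("SYSTEM-FAILS", GATES, DATA, CUTOFF)
    full, _ = solve_top("SYSTEM-FAILS", GATES, DATA, 0.0)
    print(f"{len(kept)} kept, {len(dropped)} dropped")
    print(f"truncated {rare_event_sum(kept, DATA):.4e}  untruncated {rare_event_sum(full, DATA):.4e}")
```

The shared control power gate becomes a two-event cut set that absorbs every larger cut set containing it, and the bus local fault combinations fall below the cutoff and are discarded.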

C.1.3.3 Data

There were four categories of data that were used significantly in the Calvert Cliffs Unit 1 IREP study. These categories were as follows:

a) Basic hardware failure data
b) Human error data
c) Test and Maintenance data
d) Plant specific data

A description of each of these data categories is presented in this section.

C.1.3.3.1 Basic Event Hardware Data

Basic event hardware failure was calculated based on the IREP Generic Data Base described in the IREP Procedures Guide [2]. A copy of this is shown in Table C.1. For any failure mode or component type not found in this table, reference was made to a modified version of the WASH-1400 data base [3]. A copy of this data base is shown in Table C.2. For any failure not found in either of these tables, plant specific data was used where available or engineering judgment was used to select a similar failure from one that was used in the tables.

The treatment of the data is different in this study than in the other IREP studies [4,5,6]. Since this is the last of the IREP studies, the lessons learned in the others could be incorporated here. The following differences are particularly significant:

1. The other IREP studies used the modified WASH-1400 data shown in Table C.2.
2. The other IREP studies used median values for calculating the point estimate sequence frequencies while this study follows the IREP Procedures Guide recommendation and uses the mean value.
3. This study follows the recommendation of the IREP Procedures Guide and uses the upper bound on the median demand failure probability for those components tested at intervals of 6 months or greater.

In general terms, the associated failure probabilities for hardware failure modes can be described as either "unavailabilities" (i.e., the probability of a component failing to function on demand) or "unreliabilities" (i.e., the probability of a component failing to continue to function for some period of time). The failure probabilities shown in Tables C.1 and C.2 appear in three forms: (1) demand failure probabilities (probability of failure on demand, denoted as Qd); (2) standby failure rates (failure per hour in a standby mode, denoted as λs); and (3) operating failure rates (failure per hour in an operating mode, denoted as λo).

Macro Components

For some components, such as control circuits for valves and pumps, typical circuit models were constructed from subcomponents whose failure probabilities exist in the data base as was done in WASH-1400 and a typical failure probability was obtained. All pump and MOV control circuits were compared and found to fall into two groups generally along the lines of component type (exceptions are noted in the data tables). The MOV control circuit consisted of a wire, transformer, fuse, seven switch contacts, and a relay contact. The pump control circuit consisted of four switch contacts and a relay contact, the wire and two fuses being modeled as separate events for the pump circuit. The unavailability for the MOV control circuit was 2.5E-3/D and for the pump control circuit was 1.7E-4/D.

Failure of Component to Start Function

This failure mode is applicable to components which have a pre-initiating event status different from that required after the initiating event. For active components, this failure mode implies the failure to "change state," e.g., the failure of a pump to start, the failure of a valve to open, or failure of an open relay to close. For a passive component, this failure implies the failure to perform a post-initiating event function in its existing state, e.g., a normally open valve fails to remain open or to be open when flow is required to pass.

Information describing this type of failure mode is available in terms of failure probability (Qd) or standby failure rates (λs). Both of these quantities depict the occurrence of failures which appear only when the component is required to function. For those failure modes which occur on demand, the basic mean probability shown in the table could be used directly if the component was tested at less than six-month intervals. If the component was tested at greater than six-month intervals, then the median value times the error factor was used. For failure modes with a standby failure rate, this had to be converted to an unavailability on demand by multiplying the failure rate (λs) by one-half of the interval between tests (T), i.e.,

Q = 1/2 * λs * T

Failure of Component to Continue Functioning

This type of failure mode is applicable to (1) components whose mode of operation after an initiating event remains unchanged from that prior to the initiating event, i.e., a pump in a normally running cooling water system which continues to run, or (2) components which are successfully activated after an initiating event and then must continue to function, i.e., high pressure injection pumps which start after the accident and must run until the event is terminated. Operating failure rates (λo) are used for these estimates. The period of required continuous operation for many of the components after the initial demand was assessed as 24 hours, after which time the accident was assumed to be terminated due to the low core decay heat and the possibility of extraordinary recovery actions. For some components, a shorter time was used, as indicated in the data tables, because the expected time of continued operation was significantly less than 24 hours, e.g., the diesel generator mean expected operating time was assessed at 8 hours from loss of offsite power recovery data. The unavailabilities are calculated using the equation

Q = 1 - exp[-λo t] ≈ λo t,   λo t < .1

where t is the time of expected operation.

C.1.3.3.2 Human Errors

The required human error probabilities were obtained by using THERP models and human error data suggested by the Human Reliability Handbook (NUREG/CR-1278) [7]. A THERP model combines human error data to predict human error probabilities, and to evaluate the degradation of a man-machine system likely to be caused by human error alone or in connection with equipment functioning, operational procedures and practices, or other system and human characteristics that influence human systems behavior. Discussions of plant administrative controls were held with plant staff and a review of the plant operating, test, and maintenance procedures was conducted by the analysts. In addition, a detailed set of photographs of the plant control panels was used to identify possible conditions which may influence the Performance Shaping Factors and potential sources of error associated with the task of interest. Finally, the human error probabilities were calculated by using data and models obtained from the Handbook. These values are then used in the fault trees for final quantification of the sequence probabilities. A more detailed discussion showing the explicit calculation of the human error probabilities is given in Appendix B.19.

C.1.3.3.3 Test and Maintenance

In general, contributions to a component unavailability from test or maintenance acts arise from two sources: (i) the component is unavailable because it is in test or maintenance and (ii) the component is not functional when demanded due to a human error involved in returning the component to service after test or maintenance. In the Calvert Cliffs analysis, these contributors were considered on a component level in the construction of the fault trees in contrast to the subsystem or train level consideration by other methodologies. To do this, significant interaction between the analysts and plant personnel was necessary to determine plant specific test and maintenance frequencies and times required for various test and maintenance acts. Also, the method of performing test acts was examined particularly to determine the potential for returning a component to service prior to completion of the test. The contributions to unavailability from test and maintenance acts for each component are presented in the data tables in Appendix B.

Unavailability Contribution Due to Time in Test

When a test is performed on a component, it may require either placing the component in service or making the component unavailable for service, if needed. For example, the test of a standby pump involves starting and running the pump; thus, no contribution to the unavailability of the pump occurs simply because it is placed in test. However, any component that must be placed in a non-safety state with no automatic return as a result of the test would have to be manually restored by the operator conducting the test if an accident occurred during the test. This action was treated separately as a recovery action for the sequence. Conversely, the testing of some components may require removing them from service, thus, introducing a contribution to the unavailability of the component. To determine the magnitude of this contribution requires knowledge of the time in test and the time between tests. Also, the method of testing is important, e.g., the possibility of readily returning the component to service should be considered. For this analysis, information on test intervals was derived from plant procedures and technical specifications; monthly test intervals were the most common, although some components were tested on a weekly, quarterly or refueling basis. Estimates of component test times for each component were based on experience of plant personnel.

Example 1 - Time in Test Contribution to Sensor Unavailability

For a sensor that is tested monthly with an average test time of five minutes, the test time contribution to the unavailability can be calculated as:

P (Sensor unavailable because of test)
  = τ/T          τ = duration of test (in hrs.)
  = .083/720     T = 720 hr. (one month test interval)
  = 1.2E-4

Unavailability Contribution Due to Time in Maintenance

The Calvert Cliffs plant has no scheduled preventive maintenance at power, rather, maintenance is performed during plant shutdown or only on an as-needed basis during operation. Therefore, the contribution to component unavailability was derived from knowledge of repair times and the outage frequency (assumed constant). Specifically, if N = the number of failures in the interval T, then λ = N/T is the outage frequency. Multiplying the outage frequency by the average component repair time, γ, then

P (component is in maintenance upon demand)
  = (N/T) * γ = λγ.

The average component repair times, γ, and the outage frequency, λ, used in this analysis were generally based on plant maintenance records and are provided in the maintenance summary sheets for each system in Appendix B. The components fell into four groups: (1) MOVs, (2) AOVs, (3) CVCS pumps, and (4) all other pumps.

Unavailability Due to Error in Returning Component to Service From Test

Upon completion of a test, the possibility exists of incorrectly returning a component to service so that it may not function when demanded. For the analysis, all of the plant procedures were analyzed and THERP analyses were done on generic procedures or specific procedures if significantly different. The results of these THERP analyses are presented in Appendix B.19. In addition, consideration was given to the detection time for these human errors. For example, some errors in returning components to service would result in control room indications, thus, their detection times would be expected to be very short, resulting in a negligible contribution to unavailability for these components. The following example will illustrate how these unavailabilities were evaluated.

Example 2 - Contribution to Valve Unavailability Due to Error in Returning to Service from Test

If a manual valve is cycled monthly for test and position checked monthly, potential errors in returning the valve to its operational state exist. These errors include placing a failed valve back in service and leaving a functional valve incorrectly aligned. (Because of the probability of a valve failing and the significant nature of the act, it was judged that placing a failed valve back in service is much less likely than simply leaving a functional valve misaligned.) The error rate for failure to properly return a component to service after test is 1.0E-4 per act and is derived in Appendix B.19. It is assumed that an error of incorrectly positioning a valve would be caught on the first position check, thus, the unavailability due to incorrectly returning the component to service is

P (valve unavailable due to failure to restore following test)
  = P (error per act) * (fraction of time error exists)
  = (1.0E-4) * (360/720 hr.) = 5.0E-5

This assumes that the position check and the cycle test are staggered so that the time the error can exist is 1/2 month. If we include the possibility of error on the first position check, the value is not changed significantly.

Unavailability Due to Error- in- Returning a Component to Service from Maintenance As was the case with -returning components to service from test, errors may occur in the return of components to service from ~ maintenance. Similarly, THERP analyses were done on the maintenance procedures. Therefore, as shown in

Example 3, the . contribution to unavailability due to incor-l rectly returning a component to service 'fcom maintenance is

, a function of the error rate, detection time, and the.

probability that the component required maintenance. .

Example 3 - Contribution to Valve Unavailability Due to Error in Returning to Service from Maintenance

If the manual valve in Example 2 were found to be defective, then the potential error in returning it to service after maintenance would contribute to its unavailability.

P(valve unavailable due to error in return to service from maintenance)
    = (frequency of valve requiring maintenance) * (time error exists) * P(error per act)
    = 3.6E-6/hr. * 360 hrs. * 1.0E-4
    = 1.3E-7

This assumes that the valve is an MOV with a maintenance frequency of 3.6E-6/hr. and that the average time that the error will exist is one-half of the monthly test interval.

C.1.3.3.4 Plant Specific Data

A plant-specific data base was generated, but it was limited to those items for which no failure rate data was provided in the IREP data base or for which adequate plant-specific data was available and showed a significant difference from the generic data. The plant-specific data were obtained by reviewing the Calvert Cliffs maintenance reports and LERs. The review included components of the front-line and support systems addressed in the IREP analysis. Some results of the review are presented below.

For the auxiliary feedwater (AFW) system, a review of the LERs showed that the probability of failure of the turbine pumps to start was 4.0E-3 per demand and that the probability of command faults of both the steam admission and feedwater control valves was 1.0E-3 per demand.

There was no failure rate information in the data base for SIAS relays, modules and isolators. Table B.14.13 presents the calculation of failure rates for these components from the plant-specific data.

C.1.3.3.5 Variable Valued Events

Modeled in the fault tree are certain events whose values change depending upon the specific sequence being considered. Usually, these events are initiating events or they are component failure modes or failure rates that depend upon the initiating event directly or the unique conditions created by that initiating event. A list of these events and their values for the various initiators is given in Table C.3. In the initial fault tree merging and truncation process, all of these events had their values set to their maximum value (1.0 usually) so that no potentially important cut sets would be dropped. In the accident sequence evaluation, the events were then set to the specific value that they had for the sequence being evaluated.

C.1.4 Sequence Quantification

At this point, the accident sequences have been identified from the systemic event trees and the merged front-line fault trees (Boolean expressions) have been solved and truncated at a cut set value of 1.0E-8. The next step is to quantify the sequences. From the list of Boolean expressions which describe the event tree sequences, two main categories can be identified: 1) those sequences consisting of the initiator, undeveloped events in the event tree, and failed systems, and 2) those sequences which consist of the initiator, undeveloped events in the event tree, and a mixture of failed and successful systems.

C.1.4.1 Quantification of Sequences Containing Only Failed Systems

This process involved the same techniques as were applied in the fault tree truncation process. For each event tree, the list of Boolean expressions that correspond to the sequences was examined and a strategy developed for optimizing the required computer runs. For example, if sequence S1 = T3 * E * F * G and sequence S2 = T3 * E * F * K (where T3 = transient initiator, and E, F, G and K represent system failure events), it is obvious that the expression for T3 * E * F should be obtained first. It can then be combined with the G expression to form sequence S1 and then with the K expression to form sequence S2.

The existence of a sequence strategy can save computer expense. If the combination of E and F system failures does not yield any cut sets with probability greater than the 1.0E-8 cutoff, then the expressions EFG or EFK will not yield cut sets greater than 1.0E-8. Thus it is not necessary to even attempt to determine cut sets for an expression A1 * A2 * A3 * ... * An when an expression (A1 * A2 * ... * Am, m ≤ n) has had all cut sets eliminated under the truncation rules (i.e., since all events have probabilities ≤ 1, any additional failures or successes can only decrease the sequence probability).

C.1.4.2 Quantification for Sequences Containing System Failures and Successes

For sequences where a system or combination of system successes has occurred along with the failure of other systems, it is very important to try to account for the success states. These success states imply that certain failure modes or combinations of failure modes in the failed systems cannot occur without creating a logical contradiction in the sequence definition. Elimination of those failure modes which are precluded by the requirement that a system succeed often leads to a reduction of one to two orders of magnitude in the sequence's developed events probability.

The procedure used in this study was developed and implemented in the SETS program [8]. This approach uses Boolean algebra techniques to combine the accident sequence minimal cut sets resulting from the failed systems with the minimal cut sets of the individual succeeded systems. By applying the appropriate Boolean identities, if a minimal cut set of the failed systems is a multiple of any cut set of the successful systems, it is dropped from the failure equation. This is because the success of a certain combination of failure modes in the successful system implies that that combination of events cannot occur in the failed systems. An example of this procedure using a very simple case is shown in Figure C.3. A more detailed discussion is given in the IREP Procedures Guide [2] or in Reference 8.

C.1.4.3 Sequence Probability Calculations

Having determined the cut sets for each event tree sequence, the frequency estimates for those sequences can be found. This, in general, is obtained by the product of the initiator frequency (with units of Events/Year), the probability of undeveloped events in the event tree, and the failed/successful systems cut set probability.

C.1.4.3.1 Initiator Frequencies

For LOCA initiating events, the frequencies were calculated for the Calvert Cliffs break ranges using a probability distribution deduced from the Reactor Safety Study (WASH-1400) [3] (see Chapter 4 of the main report) and from new data on reactor coolant pump seal LOCAs [9]. For the T1, T2, T3, and T4 transients, the frequencies were found from EPRI NP-2230 [10]. The transient initiators were grouped according to the definitions of T1 through T4 and overall grouped frequencies were established by summing the data for all the transients in each group. Section C.3.2 discusses the transient grouping and frequency derivation in detail and Chapter 4 of the main report shows the explicit groupings and calculations of frequencies for both LOCAs and transients. The derivation of the frequencies of the two special initiating events (TDC, TSRW) is described in Chapter 4.

C.1.4.3.2 Undeveloped Event Probabilities

In the event trees are a number of events for which no fault tree or only an abbreviated fault tree was developed. These events are: (1) failure of the PCS system, (2) failure of the Reactor Protection System (RPS), (3) PORV/SRV failure to open on demand, and (4) PORV/SRV failure to reclose after opening.

Failure of PCS

The PCS system was examined to identify any support system dependencies which were also common with any of the safety systems or their support systems. All other faults were lumped into a PCS local fault which was quantified from operating experience. The PCS was found to fail if (1) offsite power was lost, (2) either of the two 125 VDC buses 11 or 21 failed, (3) either of the two 120 VAC buses 11 or 12 failed, or (4) SRW cooling was lost to the pumps. The Boolean equation used was:

PCS = LOSP + ELC0011A-120-LPW + ELC0012B-120-LPW
           + ELC0011A-125-LPW + ELC0021B-125-LPW
           + SRWO128X-XOC-LF + PCS-LF

The probability of PCS-LF is 4.8E-3, which is the 50% confidence value for 0 failures in 150 reactor trips at Calvert Cliffs Unit 1 and 2.

Failure of RPS

The RPS system was examined to determine if there were any common modes with other systems and an abbreviated fault tree was developed. However, since no common dependencies exist with other systems, an actuarial based upper bound probability of 3E-5/demand was used for the "RPS fails" event, similar to that used in the Browns Ferry and Millstone IREP studies [4,6].

Failure of PORV/SRVs to Open

For sequences where the RPS fails and the PCS has failed or runs back, we have conservatively assumed that all four PORV/SRVs must open to relieve primary system pressure or an unmitigatable LOCA leading to core melt will result. A Boolean equation was used to represent this event (P):

P = SRV-FTO-LF + ELC0021B-125-LPW + ELC104RB-480-LPW + ELC114RA-480-LPW

where SRV-FTO-LF = 4E-5 (i.e., failure to open is assessed as 1E-5/valve based on CEN-145 [13]), failure of DC bus 21B fails both PORVs, and failure of 480 bus 104RB or 114RA fails one PORV.

For sequences where primary pressure relief is necessary (T3) and the RPS has not failed, then failure of all 4 PORV/SRVs to open is necessary for failure, and this is a negligible event.

Failure of PORV/SRVs to Close

For those sequences where the relief valves either are necessary to relieve system pressure or are only incidentally demanded, the valves must reclose or else a transient-induced LOCA will result. For those sequences where RPS has failed, since all four valves are demanded, all four must reclose and Q = 4.2E-2.

For those sequences where the RPS has not failed, then only the PORVs will be demanded, if at all. For LOSP and PCS failure (T1 and T2 respectively), the probability of the PORVs being demanded is .07 and is calculated in NUREG-1659 [11] from data presented in the Generic AFW study [12] and CEN-145 [13]. Q for these transients is therefore: Q = .07 x 4E-2 = 2.8E-3.

For T3 transients, the plant data on these is one possible demand in 45 transients, which implies a 95% confidence value of 0.1. Q for this transient is therefore Q = 0.1 x 4E-2 = 4E-3. The 95% confidence limit was used because of the lack of data.

In all of the above calculations, data from CEN-145 [13] was used to quantify the failure to reclose.

Failure of a PORV to reclose = 2.0E-2/valve
Failure of a SRV to reclose = 1.2E-2/valve

C.1.4.3.3 Developed Event Probabilities

The SETS code will generate a list of the sequence cut sets and the probability associated with them. The sum of these probabilities, assuming statistical independence, provides a conservative estimate of the sequence probability for low probability basic events.

Each set of cut sets was first reviewed to eliminate any "impossible" cut sets (e.g., any cut sets that would violate Technical Specifications such as having two heat exchangers of a system out for maintenance). The remaining cut set probabilities were summed, as per above, to obtain the sequence probability. This result was then multiplied by the initiator frequency and any undeveloped event probabilities to obtain an estimate of core melt frequency for that sequence.
C.1.5 Final Quantification Process

The sequence quantification process described in Section C.1.4 is a screening process. A large number of sequences are eliminated due to their low probability of occurrence (i.e., while each fault tree was truncated by dropping cut sets of probability < 1.0E-8, each sequence with a total sequence frequency of less than 1.0E-6/yr was eliminated because they contributed less than 1% of the overall core melt frequency). Out of about 308 original sequences, all but 40 were eliminated. The final quantification process consists of examining closely the remaining sequences to determine (1) if any of the data used for the screening calculation needed to be revised or (2) the effect of conservative or non-conservative assumptions on the sequences.

C.1.5.1 Data Reevaluation

The cut sets of the surviving accident sequences were examined individually to determine if the cut set probabilities were valid. Where this was not the case, the cut set's failure data were examined for their validity. If a component failure rate was believed to be invalid, the probabilities were recalculated and the sequence was reevaluated.

In the screening quantification most operator actions and human errors modeled on the fault trees were assigned "conservative" screening values. All human actions which appeared in the dominant sequences were reevaluated, using THERP models where appropriate, and the improved estimates obtained were used in the final quantification. These estimates are calculated in Appendix B.19.

C.1.5.2 Reevaluation of Conservative/Non-Conservative Assumptions

For each of the candidate dominant sequences, the accident scenario was analyzed in detail. The timing of the accident, the assumptions made in quantifying the component probabilities, assumptions made about system failure criteria, etc. were examined to determine their validity for the particular sequence. Some examples are:

(1) For the Small-small LOCA (S2) case or transient-induced LOCAs (Q), the assumption that diversion of flow from the CCW heat exchangers through the SRW heat exchangers in the salt water system would result in failure of pump cooling was determined to be too conservative. The heat load on the pumps would be much less, due to the long time that the plant has been cooling down, than in the case of an A (large) or S (small) LOCA. The sequence cut sets for this event were deleted.

(2) For certain valves which depended on an actuation signal to change state but which fail open on loss of power, although their failure due to loss of power was not modeled, failure of their power source sometimes showed up as a failure. This was because failure of the power source failed the actuation system, which fails the valve closed, but simultaneously results in the valve failing open due to loss of power. The sequence cut sets which result were deleted from the appropriate sequences.

(3) The PCS equation assumes that failure of one of two DC buses or one of two vital AC buses will result in system failure. While this is certainly true for a system operating at high power, it is not clear whether, after the PCS has run back, the system will trip on a loss of one of these buses. This assumption was retained, and the sequence shows up in the final dominant list.

C.1.6 Quantification of Operator Recovery Actions

Before the sequence can be analyzed to determine whether the operator can intervene to restore failed equipment, the assumptions regarding types of operator recovery must be defined. We have included the following recovery considerations in the Calvert Cliffs Unit 1 analysis.

1) Failure Mechanism: The fault trees were developed to a level of detail that allows us to identify recoverable and nonrecoverable faults. For example, "local faults" of a valve generally included a mechanical failure of the valve that precluded any operator recovery, either remote or local. "Control circuit faults," however, have recovery potential by the operator actions of identifying the problem and possibly manually opening the valve.

In general, extraordinary actions were not considered unless they were clearly indicated as being needed and sufficient time was available to perform them.

2) Failure timing: This can be subdivided into two categories:

a) The time of the failure with respect to the accident scenario (i.e., the time to the onset of core damage) determined, in part, the state of the operator and his ability to cope with the failure. To pick two extreme examples, much less credit would be given to a recovery action that had to occur within the first two minutes of a large break LOCA (unless it is part of a defined emergency operating procedure required to be performed at that time) than to an action that must occur at the changeover to the recirculation phase of a small-small LOCA (where literally hours have passed since the accident initiation).

b) The time to the "Point of No Return" for equipment damage is also a factor. Most failures are not immediately catastrophic. Many support system failures will cause a front line system failure only after a period of hours has gone by. Thus, if the operator receives warning of a problem developing, he may have sufficient time to diagnose and correct the situation.

3) Failed Equipment Location: For operations outside of the control room, the operator must have definite indication of a problem with the system of interest and sufficient time to take correctional action.

For most locations at Calvert Cliffs, an additional ten minutes over the control room time is sufficient for the operator to reach the location.

4) Equipment Diagnostics: To recover from a failure, the operator must first identify the problem.

Where sufficient indication and/or annunciation exists, we examined the possibility that the operator would be able to interpret his data correctly and formulate a course of action. Where no indication was available, no credit was taken for recovery of a failure. We did not attempt to quantify misdiagnosis.

The above considerations were applied to the candidate dominant sequences. For those cut sets whose failure probability could be modified by recovery actions, a recovery factor was used that is based on the time available for recovery. The values which appear in Table C.4 were supplied by the IREP Procedures Guide [2] and constitute a generic recovery model. For each particular recovery action, reference was made to this table and, taking into account the particular characteristics of the recovery action, a value was selected. The values selected and a short discussion of each appear in Table C.5. Most of the time only one recovery action was allowed for each cut set; however, (1) in those cases where several hours are available to perform clearly indicated actions, multiple credit was given, and (2) in those cases where multiple actions were necessary to recover a sequence to a success path, multiple credit was also given if the operator would be directed to these actions.

C.2 EXAMPLE CALCULATION OF SEQUENCE FREQUENCIES

C.2.1 Introduction

The previous section discussed in some detail the process of quantifying the event tree sequences to obtain core melt frequency estimates. This section will choose one such sequence to show how the methodology is applied to a specific case. The sequence that will be developed is a candidate dominant sequence from the S2 LOCA event tree (Small-small LOCA). The sequence S2-59 has the shorthand expression S2D" and involves the following combination of events: a Small-small LOCA (S2) has occurred, the RPS has successfully rendered the reactor subcritical, secondary heat removal via the Auxiliary Feedwater System (AFWS) has succeeded, but primary makeup using the HPSI system has failed. The core will undergo a slow melt. The Containment Air Recirculation and Cooling System (CARCS) rejects containment heat to the environment via the Service Water (SRW) and Salt Water (SWS) Systems, and the Containment Spray System succeeded in both the injection and recirculation phases (i.e., CSSI/R) in order to remove radioactive materials from the containment atmosphere. The containment will probably fail via the molten core penetrating the mat, since CARCS can limit the pressure rise in containment. Also likely are the possibilities of a hydrogen burn or early steam explosion.

The following sections will attempt to give the reader a flavor for some of the problems encountered in the IREP quantification effort. The discussion will follow the outline of the previous section (C.1), showing first the development of the truncated fault trees and the subsequent screening process and final quantification.

C.2.2 Example Accident Sequence Identification

Figure C.4 shows the event tree developed for the initiating event Small-small LOCA (S2). The sequence of interest is S2-59 and is highlighted on the figure. The events that describe the system success/failure combinations are: RPS - succeeded (R); CVCS - not needed since RPS succeeds; SSR + AFWS - succeeded (L); HPSI - failed (D"); CARCS - succeeded (C); and CSSI/R - succeeded (C', F).

The complete Boolean expression for the sequence can be written as: S2-59 = S2RLD"CC'F, or in shorthand, S2-59 = S2D". Note that MFW is assumed not to be available due to the initiating event, which results in a MFW system trip due to loss of pump cooling.

C.2.3 Example Fault Tree Manipulations

The Boolean expression for the sequence identifies the fault trees which must be developed and the undeveloped

events which must be quantified to obtain the eventual sequence frequency estimate. The events appearing in this particular sequence are obtained as follows:

S2 = Frequency of Small-LOCA - Value obtained from Reference 9. Assigned a frequency of 2.1E-2 occurrences per reactor year.
R = Probability of RPS success = 1 - 3E-5 ~ 1
L = Probability of Secondary Steam Relief (SSR) and AFWS success - Value is ~1, but fault tree developed for this event so that cut sets can be compared with the cut sets of D".
D" = Probability of failure of HPSI - fault tree developed for this event.
C = Probability of success of CARCS - Value is ~1, but fault tree must be developed for C, so that cut sets can be compared with cut sets of D".
C' = Probability of success of CSSI - Value is ~1, but fault tree developed so that cut sets can be compared with cut sets of D".
F = Probability of success of CSSR - Value is ~1, but fault tree developed so that cut sets can be compared with cut sets of D".

Of the first events, then, five fault trees, L, D", C, C', and F are required. These front-line system trees were developed, along with the support system fault trees.

C.2.3.1 Example Fault Tree Merging

This section discusses the combination of front-line and support systems required to form the complete, merged fault trees.

C.2.3.1.1 SSR + AFWS Fault Tree (L)

The problem of merging the front-line and support system fault trees is twofold. First, all the front-line/support system and support/support system dependencies must be identified and any logic loops cut. Figure C.5 illustrates these dependencies and also the structure of this fault tree. Note that this figure does not show the fault tree logic relationship between systems. For example, one of the three AFWS pumps is motor driven and requires AC power; hence the AC power fault tree and the AC power support systems are included in the SSR + AFWS fault tree structure. The other two AFWS pumps are turbine-driven and are not dependent on AC power.

As can be seen from the figure, the circular logic loops are created because of the AC power dependencies of systems which support the diesel generator AC supply in the case where a LOSP occurs during the LOCA. These loops were cut by the method discussed in Section C.1.3.1 and shown on Figure C.2.

C.2.3.1.2 Other Fault Trees

As with the SSR + AFWS fault tree, the dependencies must be identified and logical loops cut for the HPSI, CARCS, and CSSI/R fault trees. The same general notes discussed with the SSR + AFWS fault tree are applicable here.

C.2.3.2 Example Fault Tree Truncation

The complete, merged fault trees are now solved for their cut sets. Because of their size, Boolean expressions for these fault trees are truncated so that only cut sets with a probability greater than or equal to 1.0E-8 are retained. The truncation technique, as described in Section C.1.3.2, involves truncating selected lower gates of the tree first, and then using these subtree solutions as input to succeedingly higher gates of the tree. A list of intermediate events to be used as stop points is (1) prepared by the SETS program using one of its procedures and (2) confirmed by a detailed examination of the fault tree structure by the system analyst. The stop points are either "AND" gates or intermediate events which are used multiple times in the tree. Reproducing the list here for each of the fault trees would not be instructive in any way. There are a number of specific comments which, however, should be addressed:

1) The computer analyst should either have a detailed knowledge of the fault trees (i.e., be intimately involved with their construction), or he should have worked very closely with the systems analyst during the truncation effort. The choice of stop points is crucial in determining the computer time and money expended.
2) Although the modular fault tree technique enables an inexperienced analyst to efficiently construct a fault tree, it leads to trees which can be difficult to solve. This is due to the "pipe segment" logic which analyzes the system by repetitively considering faults in a segment and faults prior to a segment. Problems arise in systems with multiple output headers such as in LPSI, HPSI, or CARCS. CARCS is an extreme example, since the containment air flow path consists of nine possible outlet headers, any one of which will allow sufficient air flow to cool containment. Using the modular technique, the top event of CARCS becomes a nine-input "AND" gate, showing that all nine air paths must fail for CARCS system failure. Because of the "faults prior to" logic, each of the nine inputs to the top event consists of an expression that contains all the system cut sets developed to this point. If "ALL" represents all these cut sets, and "Ai" represents the "faults in segment i", the SETS code is forced to solve the difficult expression:

CARCS TOP EVENT = (A1 + ALL) * (A2 + ALL) * (A3 + ALL) * ... * (A9 + ALL).

The fault tree analyst using traditional techniques might have constructed his tree such that the Boolean expression for the top event would be directly expressed as:

CARCS TOP EVENT = A1 * A2 * A3 * ... * A9 + ALL

which is equivalent to the resulting expression from the modular technique, yet much more efficient (and less costly) to solve.

3) The SETS code offers the computer analyst tremendous flexibility in choosing the solution method best suited to the fault tree structure. To make use of this flexibility, the analyst must become intimately familiar with the capabilities and details of the SETS control program.
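The cut set algebra described in Sections C.1.4.1 and C.1.4.2 and in comment 2 above can be illustrated with a short added example; it is not the SETS program and not code from this report. All event names and basic event probabilities are constructed for illustration; only the 1.0E-8 cutoff and the 2.1E-2/yr initiator frequency are taken from the report.

```python
CUTOFF = 1.0e-8  # cut set truncation value used in the report


def fs(*events):
    """Shorthand for a cut set: an immutable set of basic event names."""
    return frozenset(events)


def minimize(cut_sets):
    """Boolean absorption (X + X*Y = X): keep only minimal cut sets."""
    minimal = []
    for cs in sorted(set(cut_sets), key=len):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def cut_set_prob(cs, p):
    """Product of basic event probabilities (independence assumed)."""
    value = 1.0
    for event in cs:
        value *= p[event]
    return value


def or_gate(left, right):
    return minimize(list(left) + list(right))


def and_gate(left, right, p=None, cutoff=CUTOFF):
    """AND of two cut set lists; truncates below the cutoff when p is given."""
    terms = minimize([a | b for a in left for b in right])
    if p is not None:
        terms = [cs for cs in terms if cut_set_prob(cs, p) >= cutoff]
    return terms


def delete_success_conflicts(failed, succeeded):
    """Drop failed-system cut sets that contain a cut set of a succeeded system."""
    return [cs for cs in failed if not any(s <= cs for s in succeeded)]


def sequence_frequency(initiator_per_yr, cut_sets, p):
    """Initiator frequency times the sum of cut set probabilities."""
    return initiator_per_yr * sum(cut_set_prob(cs, p) for cs in cut_sets)


def carcs_modular_vs_direct():
    """(A1+ALL)*(A2+ALL)*...*(A9+ALL) versus A1*A2*...*A9 + ALL."""
    all_prior = [fs("X"), fs("Y", "Z")]          # constructed "faults prior to"
    segments = [[fs(f"A{i}")] for i in range(1, 10)]
    pairs_formed = 0                             # pairwise products evaluated
    modular = or_gate(segments[0], all_prior)
    for seg in segments[1:]:
        factor = or_gate(seg, all_prior)
        pairs_formed += len(modular) * len(factor)
        modular = and_gate(modular, factor)
    direct = or_gate([frozenset().union(*(s[0] for s in segments))], all_prior)
    return set(modular), set(direct), pairs_formed


def shared_prefix():
    """Solve E*F once, then reuse it for S1 = E*F*G and S2 = E*F*K."""
    p = {"E1": 1e-3, "F1": 1e-3, "F2": 1e-6, "G1": 1e-1, "K1": 1e-3}
    ef = and_gate([fs("E1")], [fs("F1"), fs("F2")], p)  # E1*F2 = 1e-9 is cut
    s1 = and_gate(ef, [fs("G1")], p)                    # 1e-7 survives
    s2 = and_gate(ef, [fs("K1")], p)                    # 1e-9 is truncated
    return ef, s1, s2


def success_deletion():
    """Failed-system cut sets screened against a succeeded system."""
    p = {"PUMP_A": 1e-2, "PUMP_B": 1e-2, "DC_BUS": 1e-4,
         "VALVE": 1e-3, "AC_BUS": 1e-3, "FAN": 1e-2}
    failed = [fs("PUMP_A", "PUMP_B"), fs("DC_BUS"), fs("VALVE", "AC_BUS")]
    succeeded = [fs("DC_BUS"), fs("AC_BUS", "FAN")]  # cut sets of success system
    kept = delete_success_conflicts(failed, succeeded)
    before = sequence_frequency(2.1e-2, failed, p)
    after = sequence_frequency(2.1e-2, kept, p)
    return kept, before, after


if __name__ == "__main__":
    modular, direct, pairs = carcs_modular_vs_direct()
    print("modular == direct:", modular == direct, "| pairwise products:", pairs)
    ef, s1, s2 = shared_prefix()
    print("E*F:", ef, "| S1:", s1, "| S2:", s2)
    kept, before, after = success_deletion()
    print("kept:", kept, f"| {before:.3e}/yr -> {after:.3e}/yr")
```

The modular form reaches the same three minimal cut sets as the direct form only after 72 pairwise products and repeated absorption, even with this two-term ALL; the direct form needs none.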

The results of the truncation consisted of the system cut sets for this HPSI system. There are 1998 surviving cut sets for the HPSI fault tree, with 256 different terms contained in the cut sets (including super events identified by SETS as independent).

C.2.3.3 Data Peculiar to Sequence S2-59

The component failure data did not require any particular modification for this sequence. However, the following sequence dependent events were set to the values that they should have for this sequence: (1) since this is a Small-small LOCA, the event accounting for a LOCA was set to "1" while the event accounting for a Large LOCA was set to "0"; (2) the event accounting for LOSP was set to "1E-3", its value as an independent event, not an initiator; (3) the events accounting for a LOCA occurring in an HPSI injection line and the requirement for SIAS actuation were set to "1"; (4) the events accounting for no LOSP were set to ".999"; (5) the special initiating events were set to their independent failure values; and (6) the operator failures to actuate SIAS and CSAS were set to their Small-small LOCA values. This resulted in a reduction in the number of terms from 1998 to 259 with an estimated probability of 2.7E-4 for the event D".

C.2.4 Example Sequence Quantification

C.2.4.1 Sequence Cut Set Development

The Boolean expression for this sequence can be written as:

S2-59 = Small-small LOCA OCCURS * RPS FAILS * SSR+AFWS FAILS * HPSI FAILS * CARCS FAILS * CSSI FAILS * CSSR FAILS
                  (1)                (2)            (3)            (4)          (5)           (6)          (7)

Terms (1) and (2) are undeveloped events and should require simply the substitution of their calculated or otherwise determined probability values. Terms (3), (4), (5), (6) and (7) are, at this stage, Boolean expressions for which probability values may be calculated. The probability value of the succeeded terms is approximately 1. However, we must combine the complement of the CARCS, AFWS, CSSI and CSSR fault trees with the HPSI fault tree so as to eliminate those cut sets of HPSI which are logically inconsistent with the success of CARCS, AFWS, CSSI, and CSSR. By using the procedure in SETS to delete logically inconsistent cut sets from the HPSI equation, approximately 40% of the cut sets of HPSI are removed, leaving 155 cut sets with a probability of 1.3E-4 for the combination LD"CC'F.

C.2.4.2 Sequence Probability Calculation

The final step required to yield an estimate of the sequence frequency is to translate the Boolean sequence expression into a frequency/probability statement. The general expression is:

Sequence Frequency = Initiating Event Frequency (Events/Year) * Probability of Sequence (Prob/Event)

For this example, the expression becomes:

Freq.(S2-59) = [Freq. of (S2)] * Pr(RPS FAILS * AFW FAILS * HPSI FAILS * CARCS FAILS * CSSI FAILS * CSSR FAILS)

Given that RPS failure is independent of the other system failures,

Freq.(S2-59) = [Freq. of (S2)] * Pr(RPS FAILS) * Pr(AFW FAILS * HPSI FAILS * CARCS FAILS * CSSI FAILS * CSSR FAILS)

The resulting frequency calculation becomes:

Freq.(S2-59) = 2.1E-2/yr * 1 * 1.3E-4
             = 2.75E-6/yr

C.2.5 Final Quantification of Example Sequence

The preceding section estimated the frequency of sequence S2-59 to be greater than 1.0E-6/yr. In the screening process of candidate accident sequences, this sequence would then be a candidate dominant sequence for which data reevaluation and recovery must be performed.

C.2.5.1 Data Reevaluation

A review of the data used did not result in the change of any data.

C.2.5.2 Conservative/Non-Conservative Assumptions

For this sequence, the frequency was dominated by two cut sets which were not recoverable. These cut sets were the failure of either of the two valves in the pump recirculation line which were assessed to result in pump failure due to the pumps pumping against high pressure for an extended period of time until the primary pressure dropped below 1275 psia (310 minutes). While this was a conservative assumption, we did not change it since we had no data on how long the pumps could operate pumping against high pressure before damage would occur.

C.2.6 Quantification of Operator Recovery for Example Sequence

The cut sets were examined to determine if any of the component failures could be recovered. Under the ground rules established for the study and discussed in Section C.1.6, no direct recovery action by the operator of the failed equipment is possible. Two recovery actions were judged possible for this sequence: (1) manual actuation of the HPSI from the control room given that auto actuation had failed, and (2) realigning the electric power supply of the swing HPSI pump (#13) from the control room given that a LOSP, failure of DG #12 and failure of HPSI pump #11 had occurred. For both of these events, a probability of .01 was assessed for non-recovery given that about one hour is available for the operator to start primary makeup. These actions affected over 90% of the sequence cut sets; however, they did not affect the two dominant cut sets. After applying these non-recovery factors to each cut set and requantifying the sequence, a final frequency of 1.6E-6/yr was obtained. This sequence is, therefore, one of the final dominant sequences for this plant.
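The requantification described in C.2.6, as an added Python example that is not code or data from the report. The cut sets and their probabilities are constructed so the totals reproduce the quoted 2.1E-2/yr initiator, 1.3E-4 conditional probability and 0.01 non-recovery factors; treating the sequence frequency as the rare-event sum over cut sets, and the recovery labels, are assumptions made here.

```python
"""Apply operator non-recovery factors per cut set and requantify a sequence.

All cut sets below are CONSTRUCTED for illustration; only the initiator
frequency, the cutoff and the 0.01 non-recovery value come from the page.
"""
from typing import List, NamedTuple, Optional

S2_FREQ = 2.1e-2          # /yr, Small-small LOCA initiator frequency (from the page)
SEQUENCE_CUTOFF = 1.0e-6  # /yr, dominant-sequence cutoff (from the page)

# Non-recovery probabilities; 0.01 is the page's value, the keys are hypothetical labels.
NON_RECOVERY = {
    "manual_hpsi_actuation": 0.01,     # operator starts HPSI from the control room
    "realign_swing_pump_power": 0.01,  # operator realigns power to the swing pump
}


class CutSet(NamedTuple):
    name: str
    probability: float              # product of its basic-event probabilities
    recovery: Optional[str] = None  # key into NON_RECOVERY, None if not recoverable


def build_constructed_cut_sets() -> List[CutSet]:
    """Two dominant unrecoverable cut sets plus 24 small recoverable ones."""
    cut_sets = [
        CutSet("recirculation-line valve A fails", 3.8e-5),
        CutSet("recirculation-line valve B fails", 3.8e-5),
    ]
    cut_sets += [CutSet(f"auto-actuation fault {i}", 3.0e-6, "manual_hpsi_actuation")
                 for i in range(12)]
    cut_sets += [CutSet(f"LOSP/DG/pump fault {i}", 1.5e-6, "realign_swing_pump_power")
                 for i in range(12)]
    return cut_sets


def sequence_frequency(initiator_freq: float, cut_sets: List[CutSet],
                       apply_recovery: bool) -> float:
    """Rare-event approximation: initiator frequency times the sum of cut sets."""
    total = 0.0
    for cs in cut_sets:
        p = cs.probability
        if apply_recovery and cs.recovery is not None:
            p *= NON_RECOVERY[cs.recovery]  # probability the operator does NOT recover
        total += p
    return initiator_freq * total


def recoverable_fraction(cut_sets: List[CutSet]) -> float:
    """Fraction of cut sets (by count) that any recovery action touches."""
    return sum(cs.recovery is not None for cs in cut_sets) / len(cut_sets)


def unrecoverable_share(initiator_freq: float, cut_sets: List[CutSet]) -> float:
    """Share of the post-recovery frequency carried by unrecoverable cut sets."""
    floor = initiator_freq * sum(cs.probability for cs in cut_sets
                                 if cs.recovery is None)
    return floor / sequence_frequency(initiator_freq, cut_sets, True)


if __name__ == "__main__":
    sets = build_constructed_cut_sets()
    before = sequence_frequency(S2_FREQ, sets, apply_recovery=False)
    after = sequence_frequency(S2_FREQ, sets, apply_recovery=True)
    print(f"before recovery: {before:.2e}/yr")
    print(f"after recovery:  {after:.2e}/yr")
    print(f"cut sets touched by recovery: {recoverable_fraction(sets):.0%}")
    print(f"unrecoverable share after recovery: {unrecoverable_share(S2_FREQ, sets):.1%}")
    print("still dominant" if after > SEQUENCE_CUTOFF else "screened out")
```

Recovery touches more than 90% of the cut sets by count, yet the frequency only falls to about 1.6E-6/yr because the two unrecoverable cut sets set a floor that no non-recovery factor can lower.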

C.3 SEQUENCE SCREENING QUANTIFICATION

C.3.1 Introduction

The event trees, as constructed, require the analysis of some 308 accident scenarios. However, many of these scenarios can be neglected due to their low probability of occurrence. This screening process, at the accident sequence level as opposed to the cut set level, allows us to determine which scenarios deserve further consideration as potential dominant accident sequences. This section presents the results of the sequence screening for the Calvert Cliffs Unit 1 event trees.

C.3.2 Initiating Event Frequencies

The frequency of a core melt/core degradation sequence is determined by the frequency of the initial plant perturbation and the probability of the mitigating systems' unsatisfactory response to that perturbation. The values assigned to these initiating event frequencies are presented here.

C.3.2.1 LOCA Frequencies

Table C.6 shows the LOCA initiating event frequencies. These frequencies were calculated in the following manner. Since the break size ranges correspond reasonably closely to the ranges in the Reactor Safety Study (WASH-1400 [3]), the final value for each range of break sizes in WASH-1400 was assumed to result from the integration of some constant probability distribution over the break range. This constant probability distribution was calculated and then integrated over the break size ranges selected for Calvert Cliffs Unit 1 to give a frequency for each of the Calvert Cliffs LOCA ranges. The exact calculation is shown in Chapter 4 of the main report. The smallest LOCA range, the Small-small LOCA or S2, has, in addition to this basic frequency, the frequency of a reactor coolant pump seal LOCA. Since this frequency is large (.02/yr [9] compared to the 1.0E-3/yr for the other Small-small LOCAs), it overshadows the rest of the Small-small LOCA frequency.

A search was conducted to identify potential active, [...] Coolant System (RCS). No significant events were found and the initiating event data was not modified by this work.

The interfacing systems LOCA is not a significant contributor to the LOCA frequency. The SIG headers each have three check valves and a normally closed motor-operated valve to isolate the high pressure piping from the low pressure piping. The CVCS charging lines likewise have three check valves and a normally open control valve downstream of the charging pumps. Should a LOCA occur in the letdown line, either one of two control valves closing will provide isolation. The CVCS Isolation Signal senses the LOCA via a high room pressure signal and automatically sends signals to close these two valves. (SIAS also signals these valves to close.) All other RCS/Support System interfaces have at least two isolation valves that receive ESFAS signals to close during a LOCA. Their contributions to a non-isolatable LOCA frequency are, therefore, negligible.

C.3.2.2 Transient Frequencies

The transients were divided into four general categories plus two special initiators, each requiring a different plant response. Event trees were drawn for each of the following transient initiator categories:

1) Loss of Offsite Power (T1)
2) Loss of Main Feedwater (T2)
3) Transients Requiring Primary Pressure Relief (T3)
4) All Other Transients (T4)

The transient category frequencies to be used in quantification were obtained from EPRI NP-2230 [10] and are generic values. By means of comparison, these transient data were compared to the EPRI NP-2230 data base for only CE plants, and the WASH-1400 transient frequencies. The WASH-1400 numbers were found to be of the same order of magnitude, but high in comparison with the latest plant operating experience. The EPRI NP-2230 data on CE plants only was found to correspond closely to the generic plant data. Table C.7 shows the results of both the grouping of transient initiators into different categories and the frequency estimation. Some notes of explanation are in order here:

1) Because of the initial conditions for the IREP study (e.g., the plant is initially at high power at the time of the transient), only EPRI NP-2230 data for transients occurring between 25 and 110 percent of full power was included.
2) Tests were not made to determine if the first year data obtained for the CE plants was of the same distribution as that of the second year, and so on. This can lead to a conservative estimate for some transients (e.g., Rod Drops & CRDM problems seem prevalent the first year only), but the overall effect was considered to be negligible.

3) NUREG-0635 (Generic Evaluation of Feedwater Transients and Small Break LOCA in CE Designed Operating Plants) [12] identifies the following transients as possibly requiring RCS pressure relief via the PORVs:

a) Uncontrolled Rod Withdrawal
b) Loss-of-Load, provided turbine bypass capacity is exceeded or unavailable
c) Loss of all non-emergency AC power, depending on pressurizer heat transfer assumptions

Transient (a) is not possible at high power since Calvert Cliffs Unit 1 operates with all control rods out. The loss of load transient (b) is the major contributor to PORV challenges. Plant operating experience confirms this because the loss of load transient is the only transient which has challenged the PORVs. (See Section C.1.4.3.2 for more Calvert Cliffs Unit 1 discussion on this point.) Transient (c) was distinguished from the LOSP transient and assumed to result in the equivalent of a loss of load transient.
4) The LOSP Transient (T1) has been analyzed for the PJM grid in EPRI NP-2301 [14] and a frequency of 0.183/year calculated. Calvert Cliffs Unit 1 has experienced 1 outage in 8 years for a frequency estimate of 0.12/year. From EPRI-2230, a T1 frequency of 0.14/year is calculated. Since these values are all close to the generic data, the generic value of .14 from EPRI NP-2230 was used. The loss of offsite power transient was assumed in NUREG-1659 [11] to demand the PORVs with a probability of 1, but the SASA Station Blackout Analysis [15] shows that the characteristics of a loss of offsite power transient are similar to the loss of feedwater transient. Therefore, the probability calculated in NUREG-1659 for a PORV demand during a loss of feedwater transient was also used for the loss of offsite power transient.

For the special initiating events, a discussion of their frequency derivation appears in Chapter 4 of the main report. The initiators TDC and TSRW result in a loss of PCS and are quantified using the T2 event tree. Table C.8 summarizes the values used for the transient initiator frequencies.

C.3.3 Screening Criteria

As has been stated previously, the sequence frequency estimates are obtained by the product:

SEQUENCE FREQUENCY = INITIATOR FREQUENCY * UNDEVELOPED EVENT PROBABILITY * DEVELOPED EVENT PROBABILITY

The transient frequency is determined as discussed in Section C.3.2, the undeveloped probabilities from abbreviated fault trees and other data sources, and the developed event probabilities from the evaluation of the system cut sets, truncated at 1.0E-8 probability and obtained from the fault trees. This breakdown of the sequence frequency into three components lent itself to a three-stage screening process:

STAGE 1. A conservative estimate of the sequence point value was calculated by multiplying the initiating event frequency by the undeveloped events probabilities. If the sequence frequency was below the 1.0E-6/yr sequence cutoff used to determine the dominant sequences, no further evaluation was performed. Of the 308 sequences, 18 were eliminated at this stage.

STAGE 2. For a set of sequences, all of which have a common set of successes and failures, this common portion was evaluated and if the resulting sequence frequency for the initiating event, any undeveloped event, and this common portion was less than the 1.0E-6/yr sequence cutoff then none of the sequences needed to be further evaluated since any additional successes or failures can be shown to only decrease the sequence frequency. Of the remaining 290 sequences, 145 were eliminated by this process.

STAGE 3. Each of the remaining 145 sequences was individually evaluated and a sequence frequency calculated. Of the remaining 145 sequences, 105 were below the 1.0E-6/yr sequence cutoff.

The remaining 40 sequences from Stage 3 (i.e., sequences with frequencies greater than 1.0E-6/yr) were analyzed for any extreme conservative or non-conservative assumptions. If any assumptions involved sequences which had been dropped in the above process, these too were reanalyzed. Recovery was treated in accordance with the methods described in Section C.1.6. Of the final 40 candidate dominant sequences, only 14 sequences remained above 1.0E-6/yr and individually contributed 1% or more of the total core melt frequency.
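The three-stage screen of C.3.3, as an added Python example that is not code or data from the report. The S2 and T2 initiator frequencies, the 3E-5 failure-to-scram value and the 1.0E-6/yr cutoff are the page's; the sequence names, the developed-event probabilities and the treatment of systems as independent are assumptions constructed for illustration (the study evaluates combined cut sets instead).

```python
"""Three-stage sequence screening: bound early, evaluate fully only when needed."""
from math import prod

CUTOFF = 1.0e-6                              # /yr, sequence cutoff (from the page)
INITIATOR_FREQ = {"S2": 2.1e-2, "T2": 0.8}   # /yr (from the page)
UNDEVELOPED_P = {"K": 3.0e-5}                # failure to scram (from the page)
# CONSTRUCTED developed-event (system failure) probabilities, not the study's values.
DEVELOPED_P = {"AFW": 2.0e-4, "HPSI": 1.0e-4, "HPSR": 1.5e-3, "CSSR": 4.0e-3}

# CONSTRUCTED sequences: (name, initiator, undeveloped failures,
#   failures common to a group of sequences, additional failures, successes)
SEQUENCES = [
    ("S2-a", "S2", ("K",), (), (), ()),
    ("T2-a", "T2", ("K",), ("AFW",), (), ("HPSI",)),
    ("T2-b", "T2", ("K",), ("AFW",), ("HPSI",), ()),
    ("S2-b", "S2", (), ("HPSR",), (), ("CSSR",)),
    ("S2-c", "S2", (), ("HPSR",), ("CSSR",), ()),
    ("S2-d", "S2", (), ("HPSI",), (), ("HPSR",)),
]


def screen(sequences, cutoff=CUTOFF):
    """Return ({name: (stage_eliminated_or_None, frequency_or_bound)}, groups_evaluated).

    Each stage's value is an upper bound on the next one, because every extra
    success or failure multiplies the frequency by a probability <= 1.
    """
    results = {}
    group_bounds = {}  # the common portion is evaluated once per group
    for name, init, undeveloped, common, extra, successes in sequences:
        # Stage 1: initiator frequency times undeveloped event probabilities.
        stage1 = INITIATOR_FREQ[init] * prod(UNDEVELOPED_P[e] for e in undeveloped)
        if stage1 < cutoff:
            results[name] = (1, stage1)
            continue
        # Stage 2: add the portion shared by every sequence in the group.
        key = (init, undeveloped, common)
        if key not in group_bounds:
            group_bounds[key] = stage1 * prod(DEVELOPED_P[s] for s in common)
        stage2 = group_bounds[key]
        if stage2 < cutoff:
            results[name] = (2, stage2)
            continue
        # Stage 3: individual evaluation with remaining failures and successes.
        stage3 = (stage2
                  * prod(DEVELOPED_P[s] for s in extra)
                  * prod(1.0 - DEVELOPED_P[s] for s in successes))
        results[name] = (3 if stage3 < cutoff else None, stage3)
    return results, len(group_bounds)


def candidates(results):
    """Names of sequences that survive all three stages."""
    return sorted(n for n, (stage, _) in results.items() if stage is None)


if __name__ == "__main__":
    res, groups = screen(SEQUENCES)
    for name, (stage, value) in res.items():
        status = "candidate" if stage is None else f"dropped at stage {stage}"
        print(f"{name}: {value:.2e}/yr  {status}")
    print(f"common portions evaluated: {groups}")
```

Both T2 sequences are dropped on a single evaluation of their shared portion, which is the saving Stage 2 provides.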

C.3.4 Sequence Quantification Results

C.3.4.1 Introduction

This section summarizes the sequence quantification for all the Calvert Cliffs Unit 1 systemic event trees. The event trees are shown as Figures in Chapter 5 of the main report and in Appendix A. Table C.9 shows the frequency and probability values obtained for each of the sequences leading to a core melt. Table C.10 shows the screening results for just the candidate dominant sequences. Table C.11 shows the final results after recovery. Included on this table are the numerical results of the credit given for operator recovery actions during the accident. The following sections discuss any unusual assumptions and/or peculiarities of the individual systemic trees and their sequences. The dominant accident sequences will be discussed in detail in Section C.4.

C.3.4.2 Large Break LOCA

Appendix A discusses the general structure of the Large LOCA event tree. No unusual assumptions and/or peculiarities were associated with the Large LOCA event tree.

C.3.4.3 Small Break LOCA

The systemic event tree is conservative in assuming that only the RPS can satisfy the Reactor Subcriticality Function. Thus, the sequence frequencies for S1-42 through S1-48 should be considered as conservative bounds on the point estimates.

C.3.4.4 Small-small Break LOCA

The comment in Section C.3.4.3 regarding the Reactor Subcriticality function also applies here. Thus, the sequence frequencies for S2-73 through S2-79 are considered conservative bounds on the point estimates. Also, since an SIAS signal will isolate SRW cooling to the PCS pumps, no credit is given for use of main feedwater for secondary heat removal.

C.3.4.5 Loss of Offsite Power Transient (T1)

Failure to scram sequences initially used a probability of 3E-5 for the failure to scram event. Since the dominant failure of the scram system is failure of the scram breakers and this failure mode is bypassed by the loss of offsite power which results in de-energization of the control rod drive mechanisms, this number was assessed as being much too conservative for this event. The only way failure to scram could occur is for some significant number of the rods to stick concurrent with the LOSP. This is considered negligible and all T1K sequences were assessed as being negligible.

C.3.4.6 Loss of Main Feedwater (T2)

For those sequences where a reactor scram has not occurred but the operator has successfully initiated emergency boration, a subsequent sticking open of a relief valve is conservatively assessed to result in core melt. From the SASA Station Blackout Analysis [15] approximately 86 minutes is available to restore secondary heat removal to prevent core uncovery given a successful scram. In this case where the initial rate of coolant loss is much more and the rate of reduction of reactor power is less, it was concluded that the operator would have about 20-30 minutes to act. In this time, he would have had to identify the failure to scram, initiate emergency boration, manually increase AFW flow to the steam generators to twice normal, identify that a PORV stuck open, and initiate HPSI flow. In addition there are significant thermal-hydraulic uncertainties as to whether or not these actions would be successful (see discussion in section 8.1.11). Therefore, it was decided not to give credit for any additional operator actions. The frequencies for sequences T2-87 through T2-90 should, therefore, be viewed as conservative bounds on the point estimates.

C.3.4.7 Transients Requiring RCS Pressure Relief (T3)

Failure to scram sequences for T3 transients are assumed to be similar to those for T2 transients but not as severe. Either the PCS (runback) or AFW should be available to remove decay heat. The comment in section C.3.4.6 regarding the subsequent sticking open of a relief valve also applies here. Thus sequence frequencies T3-118 through T3-121 and T3-127 through T3-130 should be viewed as conservative bounds on the point estimates.

C.3.4.8 All Other Transients (T4)

Failure to scram sequences were treated the same for this initiator as for the others, although, depending upon the particular initiator, the pressure spike may not be as severe as in the other transient classes and for some (about 50%) the PCS may not run back. This treatment is conservative and gives a conservative bound on the point estimates of the sequence frequencies.

C.4.0 DOMINANT ACCIDENT SEQUENCES

C.4.1 Introduction

Table C.10 summarizes the candidate dominant sequences obtained from the event tree quantification. This section will discuss those sequences, with emphasis on the final dominant sequences (those sequences which contribute more than or equal to 1% to the total core melt frequency). Included in the discussion are the dominant cut sets, conservative or nonconservative assumptions implicit to the sequence, and the factors considered in assessing the operator recovery potential. In Table C.11 a summary is presented of the final dominant accident sequences and their frequencies. These discussions are the same as those presented in Chapter 8 of the main report except that a more extensive list of cut sets is given, both before and after recovery is applied.

C.4.2 ATWS(PSF)

C.4.2.1 Description

This sequence is an anticipated transient without scram (ATWS) followed by primary system failure (PSF) due to overpressure and is assessed to result in a LOCA and subsequent core melt. The CARCS and/or CSSI systems succeed and cool the containment. As a result of some transient, the PCS is either tripped, fails, or runs back and AFW and/or the PCS is removing heat from the primary at a reduced rate (i.e., at least ~5% of full power). The resulting imbalance between the energy removal rate (~5%) and the energy production rate (~100%) leads to the heatup of the primary system and an increase in system pressure. The magnitude of the pressure increase is determined by several variables: the initial power level, final heat removal rate, and the net reactivity in the core. Assuming the initial power and final heat removal rate are ~100% and ~5%, respectively, then the major determining factor is the moderator temperature coefficient (MTC) of reactivity. The MTC determines the negative feedback between the rise in temperature and the resulting decrease in power due to the negative reactivity added by the decreasing density or voiding of the primary coolant. The less negative (i.e., closer to zero) the MTC, the smaller the feedback and the higher the peak pressure.

Given that the peak pressure exceeds the service level C (3200 psia) limit, various types of system damage have been postulated: (1) if the pressure should exceed 3500 psia then the reactor vessel head will lift [16] and will likely

fail to reseat completely; (2) the response of the steam generator tubes (particularly older tubes) is uncertain at these differential pressures and a large number could potentially rupture [17]; and (3) because there is insufficient analysis of the operability of check valves in the primary system for pressures exceeding service level C, there is an assessment that the CVCS and HPSI systems would be unavailable some significant fraction of the time due to the check valves being forced shut and deformed to the point of inoperability [17]. Thus, continued reactor cooling and long-term recovery after the system has been overpressured is questionable. For the purpose of this analysis, it was assumed that pressures in excess of 3200 psia are equated to core melt. The sequence frequency is estimated at 2.8E-5/yr and contributes 20% of the total core melt frequency.

C.4.2.2 Quantification

In order to estimate the frequency of an ATWS event followed by an unfavorable MTC, one must multiply the transient frequency by both the failure to scram probability and the probability of having an unfavorable MTC (i.e., the probability of having an MTC value that results in the peak pressure exceeding the service level C limit) for that initiator.* Upon summing the results for the various initiators, the estimate of the frequency of this sequence is calculated to be:

f(ATWS(PSF)) = T2*K*P2(MTC) + T3*K*P3(MTC) + 0.5*T4*K*P4(MTC)
             = 0.8*3E-5*0.5 + 1.85*3E-5*0.1 + 0.5*6.8*3E-5*0.1
             = 1.2E-5 + 5.6E-6 + 1.0E-5
             = 2.8E-5/yr

The sources of the various numbers are discussed in the next section.

C.4.2.3 Major Assumptions and Recovery Actions

Because of the short time (~2 minutes) before pressure exceeds service level C, no credit has been given for any recovery actions. The IREP recovery model does not give credit for any action required to be performed in less than 5 minutes.

* The MTC becomes more negative as a core approaches end-of-life. Thus, new cores will result in higher peak pressures than old cores. The probability of an unfavorable MTC is equivalent to the fraction of core life in which the peak pressure is expected to exceed 3200 psia for each specific transient type.

T1 (Loss of Offsite Power) transients were not quantified since the initiator directly results in a de-energization of the motor-generator sets and the use of a 3E-5 probability for failure to scram was assessed as being too high for this initiator. The failure to scram would need to result from some mechanical common mode failure of all or most of the control rod drive mechanisms and was assessed as being negligible.

For T2 (Loss of Feedwater) transients a probability of 0.5 was chosen for an unfavorable MTC. The peak pressure predicted for this type of transient was 4200 psia for a new core [16] and allows for the reactor vessel head lifting at ~3500 psia to relieve some of the pressure. This predicted peak pressure greatly exceeds the service level C (3200 psia) limit and a LOCA, due to failure of the vessel head to reseat or steam generator tube rupture or some other break in the primary, combined with failure of CVCS and HPSI to supply makeup due to stuck check valves results in core melt. The value of 0.5 for the probability of a pressure transient exceeding service level C and resulting in core melt comes from NUREG-0460 [18] and is the same as that used in the NRC analysis in support of the ATWS rule [17].

For T3 (Turbine Trip) transients, the system response has a peak predicted pressure of ~3400 psia for a new core. This is different from the response of larger CE plants for which the peak pressures from turbine trips and loss of feedwater are roughly the same (i.e., both ~4,000 psia). The NRC analysis in support of the ATWS rule [17] groups CE and B&W plants and uses a probability of 0.5 for exceeding service level C for turbine trip transients. However, this value, while appropriate for larger CE plants, was judged to be too large for smaller plants like Calvert Cliffs. A value of 0.1 was chosen based on the following considerations: (1) the 3400 psia peak pressure is based on a nominal full power initiator, but the analysis models initiators occurring from 25-110% power, and (2) the probability of having an unfavorable MTC should be significantly less than for the loss of feedwater case since the transient is less severe and the value of the MTC needed to exceed 3200 psia should be much higher than in the loss of feedwater case (e.g., a factor of ~4 increase in the MTC would be needed to produce pressure comparable to the loss of feedwater initiator). The actual value was estimated by shifting the MTC probability table in NUREG-0460, Vol. 4 [18] to reflect the less severe characteristics of the sequence.

For T4 (all other) transients, it was assessed that approximately 50% of the initiators would not result in runback of the PCS and that no heat imbalance or pressure transient would result. The remaining 50% were assessed as

resulting in a turbine trip and runback of the PCS or conditions roughly similar to a turbine trip. The pressure transient for these initiators would be similar to the T3 transient described previously. A value of 0.1 for the probability of an unfavorable MTC was therefore used in this case, also.

The value of 3E-5 used for the failure to scram probability is a generic value taken from NUREG-0460 [18]. This is the same as the value used in the NRC analysis in support of the ATWS rule [17]. Since the dominant contributors to failure to scram are likely to be common modes that result in failure of all rods to insert (e.g., Salem failure to scram on February 22 and 25, 1983), this number was used to represent failure of all rods to insert, and no credit was taken for the possibility of some rod insertion that would significantly reduce the peak pressure.

C.4.2.4 Engineering Insights

As discussed in the previous section with the IREP recovery model and without ATWS procedures and training, no credit was given for operator actions mitigating this event. Calvert Cliffs has recently implemented a new ATWS procedure which directs the operator to (1) trip the reactor manually, (2) de-energize the motor-generator sets, and (3) initiate emergency boration. The de-energization of the motor-generator sets should bypass any actuation or control circuit failures (e.g., the Salem incident) and result in successful scram. If done quickly enough, this could result in a reduction in any pressure transient. With appropriate operator training, it may be possible to mitigate this sequence.

The only other ways of reducing this sequence's frequency or mitigating the results appear to involve changes to the plant such as: (1) reduce the number of transients, (2) improve the RPS reliability, (3) qualify the primary system and valve operability at higher pressures (~3500 psia), (4) do improved analysis to show peak pressures are not as high as currently predicted, or (5) change the fuel loading so that a more negative MTC is obtained.

C.4.3 Sequence TDC-82 (TDCL)

C.4.3.1 Description

In this sequence, a failure of DC bus 11 (TDC) results in a trip of Units 1 and 2 and failure of the PCS with degradation of the safety systems. The plant scrams successfully, but AFW (L) subsequently fails. CARCS and CSSI succeed and cool the containment. As a result of the

lack of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to the low head of the HPSI pumps and the uncertainty as to whether or not the pressure could be reduced enough for the HPSI pumps to be able to inject water [19, 20]. Recent calculations done by EG&G for the Station Blackout Program [15] indicate that approximately 86 minutes is available to start an AFW pump in order to prevent core uncovery. The sequence frequency is estimated as 2.1E-5/yr and contributes 16% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.12, and the cut sets contributing 98% of the sequence frequency after recovery are listed in Table C.13.

C.4.3.2 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 4.9E-4/yr. The recovery actions involve: (1) starting the locked-out AFW turbine pump #12 (RA-3, p = .04), (2) actuating the AFW turbine pump #11 manually from the control room (RA-2, p = .02), (3) feeding AFW from unit 2's AFW system (RA-16, p = .1), or (4) realigning AFW turbine pump #11 from test (RA-4, p = .01).

It is assumed, based on discussions with plant personnel, that the operator would be reluctant to manually close the motor pump circuit breaker due to the lack of pump protection resulting from the DC bus loss; therefore, other recovery actions were preferentially considered. Also, while all the cut sets could be recovered by cross-feeding from unit 2's AFW system once the AFW modification is completed (see Section 6.9 of main report or Appendix B.9), credit for this was only given when no other reasonable recovery action was possible. Because the procedures for dealing with these events have not been written, we judged that there would be some reluctance on the part of unit 2's operators to divert flow to unit 1 and decrease the reliability of their own AFW supply and a 0.1 non-recovery probability was used for this event. It may also be possible for the operator to restart one train of the PCS system; however, no credit was given for this action since the operator would preferentially be directed to the AFW system and, by the time he decided to try to restart the PCS, it is assumed that it would be too late. The application of the recovery actions reduced the sequence frequency to 2.1E-5/yr.

C.4.3.3 Engineering Insights

For this sequence, the loss of DC bus 11 results in a trip of both unit 1 and 2, fails auto AFAS actuation and DC breaker control power to the motor-driven AFW pump #13, AFW steam admission valve 4071 fails open and AFW train A feedwater valves fail open resulting in auto start of AFW turbine-driven pump #11. However, various single faults of AFW pump #11 result in a loss of all AFW. For most faults (75% of the sequence frequency), it is possible for the operator to manually start the locked-out turbine pump #13; however, for the case where feedwater valves 4530 or 4520 have been isolated for maintenance requiring disassembly (6% of the sequence frequency), the two turbine pumps are both unavailable. The only recovery is to then cross-feed from unit 2's AFW system.

C.4.4 Sequence S2-50 (S2H)

C.4.4.1 Description

In this sequence, a Small-small LOCA (S2) occurs followed by successful scram and operation of AFW and HPSI providing both secondary heat removal and primary system makeup. When the RWT depletes and switchover to recirculation occurs (anywhere from 4 to 12 hours into the transient depending on the size of the leak), HPSR (H) fails. Due to the lack of primary makeup, the core then uncovers and core melt ensues. CARCS and CSSR succeed and cool the containment. The sequence frequency is estimated as 1.4E-5/yr and contributes 11% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.14, and the cut sets contributing 90% of the sequence frequency after recovery are listed in Table C.15.

C.4.4.2 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 3.3E-5/yr. All of the most significant cut sets involve failure of pump seal or pump room cooling. For pump seal cooling, since only CCW heat exchanger #11 is normally in service, the most important recovery action is for the operator to manually open the discharge valve on CCW heat exchanger #12 in order to place it in operation (CCS3826N-NCC-OE, p = .01). For pump room cooling, the operator can manually start the pump room coolers for control faults (local) (RA-17, p = .01). If the sump valves fail due to control faults, the operator can manually open the valves (local) (RA-20, p = .25). The application of recovery actions reduces the sequence frequency to 1.4E-5/yr.

It is assumed in this sequence that the operator must go to recirculation from the sump in order to continue cooling the plant. It is possible for shutdown cooling to be used if the plant is cooled down fast enough so that recirculation from the sump is never needed. However, it is unclear whether or not the operators would be directed to do this in an accident situation, and recovery credit was not given for this action. Also, since the LPSR and CSS pumps require the same room and seal cooling support as the HPSR pumps, the support system failures which dominate this sequence would fail this mode of operation as well.

Possibly significant conservatisms exist for this sequence:

1. CCW seal cooling failure is assumed to fail the pumps. Recent calculations show possibly two hours would be necessary to fail the seals and, even then, this might not fail the pumps. If the pumps did not fail due to seal cooling failure, the sequence frequency would be reduced to 1.0E-5/yr.

2. Room cooling needs are based on all pumps running. For this size LOCA, all but one pump would be shut down. This would significantly reduce the heat-up rate. If the pumps did not fail due to room cooling failure, the sequence frequency would be reduced to 1.2E-5/yr.

3. If both of the above conservatisms are combined, the final sequence frequency would reduce to approximately 1.5E-6/yr.

C.4.4.3 Engineering Insights

About 25% of the sequence frequency is due to failures of HPSI pump #13 combined with failure of pump room cooling to ESF room #11. The reason that pump room cooling is so significant is that the system is not tested often (on the average of twice a year). This means that the average time a fault could be expected to exist is about three months (i.e., one half the test interval) and that any time-dependent failures are going to have an unavailability about six times that for a similar component tested monthly.

About 40% of the sequence frequency is due to cut sets involving component cooling water faults. The largest contributors are: (1) the failure of a single valve in the CCW return line for all HPSR and LPSR pump coolers which would result in failure of all HPSR and HPSR pumps, and (2) the failure of the operator to open the outlet valve on CCW heat exchanger #12 from the control room combined with some other single failure of CCW heat exchanger #11.

C.4.5 Sequence S2-52 (S2FH)

C.4.5.1 Description

In this sequence, a Small-small LOCA (S2) occurs and is followed by successful scram and operation of AFW and HPSI providing both secondary heat removal and makeup. When the RWT depletes and switchover to recirculation occurs (anywhere from 4 to 12 hours into the accident), HPSR (H) and CSSR (F) fail. Due to the lack of primary makeup, the core then uncovers and melt ensues. CARCS succeeds and cools the containment.

The sequence frequency is estimated as 1.1E-5/yr and contributes 9% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.16, and the cut sets contributing 90% of the sequence frequency after recovery are listed in Table C.17.

C.4.5.2 Major Assumptions and Recovery Actions

The initial screening value for the sequence was 5.7E-5/yr. The recovery actions involve either: (1) manually starting the ECCS room cooling fans given auto-actuation has failed (RA-17, p = .01), (2) manually opening the sump MOVs given valve control circuit faults (RA-20, p = .25), or (3) manually opening SWS valves to the ESF pump room coolers given valve control circuit faults (RA-18, p = .1). The application of recovery actions reduces the sequence frequency to 1.1E-5/yr.

Again, as with S2-50, if only one pump is running, then failure of room cooling might not be a failure of the pumps and the sequence frequency would be about 1.1E-6/yr. Also, the operators are assumed to go to recirculation, not shutdown cooling.

C.4.5.3 Engineering Insights

Over 85% of the frequency of this sequence involves cut sets with ESF pump room cooling failures. As discussed for the previous sequence, the long test interval for the room cooling system results in the unavailabilities of components with time-dependent failure modes being six times that of a similar component with a monthly test interval, thus increasing their contribution to this sequence.

C.4.6 Sequence T2-82 (T2L)

C.4.6.1 Description

In this sequence, a loss of PCS (T2) occurs and is followed by a loss of AFW (L). The reactor has scrammed and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for use of feed and bleed due to information presented in References 19 and 20. Recent calculations done by EG&G for the Station Blackout program [15] indicate that 86 minutes is available to start an AFW pump in order to prevent core uncovery.

The frequency of this sequence is estimated to be 7.1E-6/yr and it contributes 6% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.18, and the cut sets contributing 97% of the sequence frequency after recovery are listed in Table C.19.

C.4.6.2 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 1.8E-4/yr. The recovery actions for all cut sets involve recovering one train of AFW. These recovery actions are (1) manually starting the motor AFW pump from the control room (RA-2, p = .02), or (2) locally starting the locked out turbine pump #12 (RA-3, p = .04) and possibly realigning AFW suction to CST #11 (RA-1, p = .1). The application of these recovery actions reduces the sequence frequency to 7.1E-6/yr.

C.4.6.3 Engineering Insights

The major contributor to this sequence is the plugging failure of the single valve in the suction train of the AFW system. In addition to realigning the AFW suction to an alternate CST and starting the locked out turbine pump, it is also possible to recover by aligning unit 2's AFW system to unit 1; however, procedures have not yet been developed for this and, because of the chance that cold water might be injected into unit 2's steam generators through its open feedwater regulation valves, no credit was given for this unless it was the only action possible.
C.4.7 Sequence T4-173 (T4KU)

C.4.7.1 Description

This sequence is a T4 (all other) transient followed by a failure to scram (K) and failure of emergency boration (U). The reactor vessel has survived the initial pressure transient due to an assessed PCS runback. The CE analyses [16] and NRC analysis in support of the ATWS rule [17] state that greater than 10 minutes are available for the operator to initiate emergency boration. In this study, we have assessed that if the operator fails to start shutting the reactor down within 20-30 minutes, then core melt will result. The CARCS and/or CSSI systems succeed and cool the containment.

This sequence frequency is estimated as 6.7E-5/yr and contributes 5% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.20, and the cut sets contributing 99% of the sequence frequency after recovery are listed in Table C.21.

C.4.7.2 Major Assumptions and Recovery Actions

The T4 transient group is a collection of all transient initiators which do not affect safety system reliability or cause a loss of PCS. For sequences where reactor scram is successful, all the initiators require the same safety system response; however, for sequences involving failure to scram, the response of the PCS system may vary depending upon the specific initiator. For some initiators such as closure of an MSIV, increase in feedwater flow, partial loss of feedwater, total loss of RCS flow, condenser leakage, leakage in secondary system, S/G relief valves opening, and trips from unknown causes, we expect an independent turbine trip and runback of the PCS system. While for initiators such as spurious scram signals, rod drop, high or low pressurizer pressure, boron dilution, loss of RCS flow in one loop, or pressurizer spray failure, we expect the PCS to stay at full flow. The original grouping of the transients was done assuming successful scram and, therefore, did not take this variability into account. In the quantification of the failure to scram sequences, the assessment was made that only 50% of the T4 transients resulted in a turbine trip and subsequent PCS runback or had characteristics roughly similar to a turbine trip. If the PCS were to remain at full flow, then reactor heat removal would be successful and the plant would be in a temporarily safe condition. However, some subsequent actions would have to be taken to terminate the incident.
Under the general rules for recovery adopted in this study, only one operator recovery action is allowed unless: (1) sufficient time and indication is available for the operators to perform multiple actions; or (2) multiple actions are necessary to recover the sequence to a non-core melt. In this sequence the recovery action is the operator initiation of emergency boration and due to the high stress and short time, no other recovery actions were allowed.

Given the high stress in the failure to scram scenario, the operator failure to perform an appropriate action is typically assumed to be 0.1 in past PRAs (our generic recovery model assumes 0.1 at 10 minutes). However, the thermal-hydraulic analyses [16] show that the operator should have longer than 10 minutes. After examining the thermal-hydraulic characteristics of the sequence and the various uncertainties in system response and phenomenology, it was judged that some operator action would be necessary within 20-30 minutes. A THERP analysis of the emergency boration procedure is presented in Appendix B.19 which leads to a value of 0.05 and this value corresponds to the 0.05 probability of operator failure in 20-30 minutes from our generic recovery model.

C.4.7.3 Engineering Insights

There are substantial uncertainties associated with the accident progression for this sequence. The CE analyses [16] show that after a moderately severe pressure transient (i.e., less than ~3400 psia) with the loss of ~1/3 of the amount of water necessary to uncover the core, a quasi-equilibrium state is reached by about 10 minutes with pressure at or about 1800 psia and increasing slowly. Given no further coolant loss, possibly several hours would be available for subsequent operator action. However, no long-term analyses have been done on ATWS sequences and the long-term response can only be estimated based on the above runs. Also, there is a question as to whether the reactor coolant pumps (RCPs) will trip.

The fact that saturation conditions will be reached in some parts of the core does not necessarily lead to the cavitation of the RCPs. If the pumps do not trip, then the amount of voiding in the core will be reduced and the pressure may actually increase back to the PORV setpoint due to the power remaining slightly higher than the secondary heat removal rate, though this remains uncertain. Given that coolant loss through the PORVs occurs, it is estimated that core uncovery (which is equivalent to core melt in our analysis) will occur at greater than 40 minutes. In order to give time for the boron to begin reducing pressure, about 5-10 minutes would be needed. Therefore, for this analysis, operator initiation of emergency boration would need to occur at greater than 20-30 minutes. Long-term analysis for various initiators, times of boration initiation and boron mixing assumption, RCP response, and secondary heat removal rates would be necessary to resolve the timing questions. Follow-on analysis by the SASA program is planned in order to determine the long-term characteristics of this sequence.

The plant has implemented a new emergency procedure explicitly for ATWS which directs the operator to (1) trip the reactor manually, (2) de-energize the motor-generator sets, and (3) to initiate emergency boration. However, the common mode failure of the operators in a high stress situation to identify the failure to scram and take action dominates this sequence. The value of 0.05 for operator failure in the high stress situation remains unchanged, based on our generic recovery model, and the sequence frequency is not significantly affected by the new procedure. It appears, though, that with this new procedure and improved operator training, some mitigation of this sequence could be obtained.

C.4.8 Sequence T4-147 (T4ML)

C.4.8.1 Description

In this sequence, a T4 (all other) transient occurs and is followed by a loss of PCS (M) and AFW (L). The reactor has scrammed and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to information presented in References 19 and 20. Recent calculations done by EG&G for the Station Blackout program [15] indicate that 86 minutes are available to start an AFW pump in order to prevent core uncovery.

The sequence frequency is estimated as 6.3E-6/yr and contributes 5% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.22, and the cut sets contributing 92% of the sequence frequency after recovery are listed in Table C.23.

C.4.8.2 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 3.1E-4/yr. The important recovery action involved starting the AFW motor-driven pump from the control room given that auto actuation has failed (RA-2, p = .02). The application of this recovery action reduces the sequence frequency to 6.3E-6/yr.

C.4.8.3 Engineering Insights

The failure of the vital bus 11A inverter is postulated as causing PCS failure due to instabilities induced in the feedwater flow; however, while this is true at 380% flow, after a transient where PCS has run back, this is not necessarily true. If the failure occurred while the PCS was running back, it probably would cause the PCS to trip. If the inverter fault will not cause the PCS to trip, the sequence frequency becomes negligible.

C.4.9 Sequence T1-81-65 (T1Q-D"CC')

C.4.9.1 Description

This sequence is a loss of offsite power (T1) followed by a transient-induced LOCA (Q). AFW works but HPSI (D*), CSSI (C') and CARCS (C) fail. Due to the lack of primary system makeup, the core uncovers in about 1 hour (see the EG&G Station Blackout Analysis [15]).

The frequency of this sequence is estimated to be 5.3E-6/yr and contributes 4% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.24, and the cut sets contributing 90% of the sequence frequency after recovery are listed in Table C.25.

C.4.9.2 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 1.3E-5/yr. The recovery action is to restore offsite AC power within one hour, close the PORV block valve and start HPSI to restore vessel inventory (RA-LOSP1, p = .45). Other recovery actions are possible for some cut sets but are not likely in the limited time available. The application of this recovery action reduces the sequence frequency to 5.3E-6/yr.

C.4.9.3 Engineering Insights

The dominant failures for this sequence are double failures of both diesel generators either from local faults or diesel support systems (room or DG cooling). Many of these faults are not of the type which would cause immediate failure of the diesels. Therefore, AC power may or may not be available to the PORVs in the early stages of the accident when the pressure transient occurs. For purposes of simplifying the quantification, both PORVs were conservatively assumed to have AC power available and to open if the pressure reached the PORV set point in the early stages of the accident (p = .07 for T1 initiators). If both open, both need to reclose and a failure to reclose of 2E-2/demand for each valve was used for a total of 4E-2 for 1 of 2 valves failing to reclose. Given that a PORV stuck open, then failure of the diesel generators was assumed to occur before the operator could close the block valve (i.e., the diesels fail within about 3-5 minutes due to loss of cooling, and our recovery model does not allow recovery within the first five minutes).

C.4.10 Sequence T1-82 (T1L)

C.4.10.1 Description

This sequence is initiated by a loss of offsite power (T1) followed by failure of AFW (L). The plant scrams successfully and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to the low head of the HPSI pumps and the uncertainty as to whether or not the pressure could be reduced enough to initiate HPSI [19, 20]. Recent calculations done by EG&G for the Station Blackout program [15] indicate that approximately 86 minutes is available to start an AFW pump in order to prevent core uncovery.

The sequence frequency is estimated as 4.9E-6/yr and contributes 4% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.26, and the cut sets contributing 90% of the sequence frequency after recovery are listed in Table C.27.

C.4.10.2 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 2.4E-4/yr. The recovery actions involve recovery of AFW by either (1) starting the locked out AFW turbine pump #12 (RA-3, p = .04), (2) realigning AFW pump 11 from test (RA-4, p = .01), (3) crossfeeding from unit 2 (RA-16, p = .1) or (4) recovering offsite power and either crossfeeding from unit 2 or restarting the PCS (RA-LOSP1, p = .45). The application of these recovery actions reduces the sequence frequency to 4.9E-6/yr.

C.4.10.3 Engineering Insights

The dominant failure modes for this sequence are of two types: (1) loss and non-recovery of offsite AC power combined with failure of DG #11 due to local faults (which fails the motor-driven AFW pump) and failure of turbine-driven AFW pump #11 (41% of the sequence frequency), or (2) loss and nonrecovery of offsite AC power and failure of AFW suction valve 161 (10% of the sequence frequency). The prime contributing factor in the dominant cut sets of this sequence is the diesel generator unavailability.

C.4.11 Sequence Station Blackout

C.4.11.1 Description

As mentioned at the beginning of this section, this sequence was not modeled explicitly on the event trees. This is a new sequence identified by the Station Blackout program [21]. In this sequence, a loss of offsite power occurs followed by the loss of all onsite AC power. The AFW system succeeds until battery depletion occurs some four hours into the accident (offsite and onsite AC power not being recovered). Due to a lack of secondary heat removal, the primary heats up and boils off. Within another two hours, core uncovery followed by core melt occurs. All containment heat removal systems are failed due to the lack of AC power.

The sequence frequency is estimated as 4.4E-6/yr and contributes 3% of the total core melt frequency.

C.4.11.2 Quantification

An estimate of the frequency of this sequence can be made using the following formula:

f(Blackout) = (frequency of LOSP) * (probability of non-recovery of offsite AC within six hours) * (probability of failure of all onsite AC) * (probability of non-recovery of onsite AC)
            = .14/yr * 0.18 * 1.7E-3 * 0.1
            = 4.4E-6/yr
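The product above can be checked directly. The following is an added example, not part of the original report: it recomputes the blackout frequency from the values quoted in C.4.11 (0.14/yr, 0.18, 0.12 per diesel generator, 0.1) and shows that the report's 4.4E-6/yr is reproduced only when the unrounded 0.12^3 is carried through. The `beta` common-cause parameter and all function names are assumptions introduced for a sensitivity check; the report itself treats the three diesels as independent.

```python
# Added example (not from the report): station blackout frequency from the
# values quoted in C.4.11, plus an illustrative common-cause sensitivity.


def all_trains_fail(q, n, beta=0.0):
    """Probability that all n redundant trains are unavailable on demand.

    q    -- total unavailability of one train (report: 0.12 per diesel)
    n    -- number of redundant trains (report: 3 diesel generators)
    beta -- fraction of q attributed to a cause shared by every train.
            beta = 0 is the report's independence assumption; any other
            value is a hypothetical sensitivity input, not report data.
    """
    if not (0.0 <= q <= 1.0 and 0.0 <= beta <= 1.0):
        raise ValueError("q and beta must be probabilities")
    if n < 1:
        raise ValueError("n must be at least 1")
    independent = ((1.0 - beta) * q) ** n  # every train fails on its own
    common = beta * q                      # one shared cause fails them all
    return min(1.0, independent + common)  # rare-event sum, capped at 1


def blackout_frequency(losp_per_yr=0.14, p_no_offsite_recovery=0.18,
                       dg_unavailability=0.12, n_dg=3,
                       p_no_onsite_recovery=0.1, beta=0.0,
                       p_all_onsite_fail=None):
    """f(Blackout) per year, as the product of the four factors in C.4.11.2.

    Pass p_all_onsite_fail to override the computed onsite AC failure
    probability, e.g. with the rounded 1.7E-3 printed in the formula.
    """
    if p_all_onsite_fail is None:
        p_all_onsite_fail = all_trains_fail(dg_unavailability, n_dg, beta)
    return (losp_per_yr * p_no_offsite_recovery
            * p_all_onsite_fail * p_no_onsite_recovery)


def sci(x):
    """Format to two significant figures, the precision the report uses."""
    return f"{x:.1E}"


if __name__ == "__main__":
    print("0.12^3 carried unrounded :", sci(blackout_frequency()))
    print("rounded 1.7E-3 substituted:",
          sci(blackout_frequency(p_all_onsite_fail=1.7e-3)))
    # Hypothetical beta values: how fast the result moves if even a small
    # share of diesel unavailability were common to all three machines.
    for beta in (0.0, 0.01, 0.05, 0.10):
        print(f"beta = {beta:4.2f} -> {sci(blackout_frequency(beta=beta))} /yr")
```

Because the shared-cause term enters linearly while the independent term is cubed, the result is dominated by `beta * q` as soon as beta exceeds roughly one percent.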
A discussion of the derivation of the various numbers appears in the next section.

C.4.11.3 Major Assumptions and Recovery Actions

The number used for the frequency of loss of offsite power was the generic number taken from EPRI-2230 [10]. This corresponds closely to the number calculated in EPRI-2301 [14] for the Calvert Cliffs grid and to the plant specific number calculated from Calvert Cliffs data. There was no statistical difference and so the generic number was used.

The probability of non-recovery of AC within six hours comes from the Station Blackout program [21] and is the generic value used for all plants. This value is not significantly different from the value determined for the Calvert Cliffs grid in EPRI-2301 [14].

At Calvert Cliffs failure of two diesel generators (DGs #11 and #12) will fail all AC power to unit 1, but will not result in the depletion of all DC power. The third DG, #21, while supplying AC power to unit 2 buses, will also charge two of the four shared DC buses. These DC buses power instrumentation on unit 1 which would allow a continued operation of the AFW system. In order to have a long-term loss of DC power, all three DGs must fail. The fault trees representing the DG and DG support systems were solved in order to estimate the DG unavailabilities upon loss of offsite power. The total DG unavailability (including support system faults) was found to be p = 0.12. About 50% of the unavailability is due to support system faults, the rest is a combination of local DG faults and test and maintenance outages. Since no significant common modes were found to exist between the DGs, the onsite reliability is estimated as 0.12*0.12*0.12 = 1.7E-3 for failure of all three diesels.

There are two plausible recovery actions for onsite AC: (1) restoring a diesel generator or, (2) restore onsite power by connecting an existing 69KV line to a neighboring grid. Data from the Station Blackout program indicated that restoring a diesel generator is not very likely (~0.5 probability); therefore, no credit was given for this action. Instead, the second recovery action of connecting the 69KV line was used. A non-recovery factor of 0.1 was estimated for this action based on the fact that this is a relatively complicated and unusual action (no procedure), but that a long time (~6 hours) is available to perform it. Since most causes of a loss of offsite power have been identified as plant or local grid related [17], the use of this line is a plausible recovery action.

C.4.11.4 Engineering Insights

In light of the importance of loss of offsite power sequences, in general, and station blackout in particular, the utility is reviewing its procedure for connecting the 69KV line.
Also, as a result of Task Action Plan A-44 Station Blackout, it is likely that all plants will be required to have improved loss of offsite power procedures. These improved procedures and other changes should result in significant mitigation of loss of offsite power sequences in the future.

C.4.12 Sequence T4-152 (T4KQ)

C.4.12.1 Description

In this sequence, a T4 (all others) transient occurs and is followed by failure to scram and an induced LOCA due to a stuck open relief valve (Q). The primary system has survived the initial pressure transient, due to an assessed PCS runback, and the operator has successfully initiated emergency boration. Due to the high initial pressure, high rate of coolant loss, and low rate of pressure reduction coupled with the low head of the HPSI pumps, core uncovery and melt occurs before injection can be successfully implemented.

This sequence frequency is estimated as 4.3E-6/yr and contributes 3% of the total core melt frequency.

C.4.12.2 Dominant Cut Sets

Cut Set      Frequency (/yr)      % of Sequence
T4*K*Q       4.3E-6               100

Term Descriptions

T4 = All other transients requiring reactor trip, for failure to scram only 50% results in pressure transients severe enough to demand the PORVs; f = 3.4/yr.

K = Failure to scram; p = 3E-5.

Q = Failure of 1 of 4 relief valves to reclose; p = 4.2E-2.

C.4.12.3 Major Assumptions and Recovery Actions

As with the TKU sequences, there are similar phenomenological uncertainties associated with the TKQ sequences. No explicit analyses have been done for sequences with a stuck-open PORV. The short-term response must be deduced from the TK analyses and then the long-term response must be extrapolated.

From the CE analysis [16] for plants in the Calvert Cliffs class, we find that for TK sequences, the pressure remains above the HPSI pump shutoff head until some time (~5 minutes) after boration is initiated. However, these analyses assume perfect mixing of the boron and that the reactor coolant pumps (RCPs) have tripped. Nonuniform mixing would increase the time before pressure would begin to drop. If the RCPs failed to trip (and it is not clear at present if they would trip), then reactor power might decrease slower due to the sweeping of voids from the core by the forced flow. This may affect the rate of pressure reduction or even increase pressure.

Complicating this scenario is the stuck-open PORV itself. Core uncovery can be expected to occur in about 40 minutes due to the loss of coolant, but the mass loss should result in a decrease in pressure. It is problematical if the pressure decrease due to the mass loss can result in pressure reaching the HPSI shutoff head before core uncovery can occur. The RCPs not tripping, the increased heat removal rate through the PORV, and the longer the operator delays boration initiation all tend to make power equilibrate at a higher level and to keep the pressure up. Current expert opinion is that, for a plant with system characteristics such as Calvert Cliffs, the race between core uncovery (assumed to be equivalent to core melt in our analysis) and the initiation of successful makeup is too close to call without explicit long-term thermal-hydraulic analyses. In this study, therefore, this sequence has been modeled as resulting in core melt. Follow-on analyses by the SASA program are planned in order to clarify the long-term characteristics of this sequence.

A possible recovery action is to close the PORV block valve. However, in this sequence, one operator action has already occurred, i.e., the initiation of emergency boration. Given that the operator can initiate emergency boration any time from 0 to 30 minutes, that leaves 10 to 40 minutes for the operator to recognize that the PORV is stuck open and to decide to isolate the PORV under an ATWS condition. It was decided that, due to the lack of ATWS procedures, lack of ATWS operator training, the high stress, and the short time (~10 minutes) that no credit should be given for this action.

C.4.12.4 Engineering Insights

Since these calculations were made, Calvert Cliffs has implemented a new emergency procedure for ATWS events which directs the operators to (1) trip the reactor manually, (2) de-energize the motor generator sets, and (3) to initiate emergency boration.
The second step, de-energizing the motor generator sets, should effectively bypass the most frequent of the electrical or mechanical common mode failures and result in a reactor scram in a majority of cases. The uncertainties in the accident phenomenology and the uncertainty in the time at which the operator performs the emergency boration or de-energizes the motor-generator sets make it difficult to determine the effect on the sequence without explicit thermal-hydraulic calculations, although it appears that, with this new procedure and improved operator training, some mitigation could be obtained.

C.4.13 Sequence T3-139 (T3KU)

C.4.13.1 Description

This sequence is a T3 (requires primary pressure relief) transient followed by a failure to scram (K) and failure of emergency boration (U). The primary system has survived the initial pressure transient (with PCS runback). CE analyses [16] and NRC analysis in support of the ATWS rule [17] state that greater than 10 minutes are available for the operator to initiate emergency boration. In this study, we have assessed that if the operator fails to start shutting the reactor down within the 20-30 minute time frame, then core melt will result.

This sequence frequency is estimated as 3.7E-6/yr and contributes 3% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.28, and the cut sets contributing 99% of the sequence frequency after recovery are listed in Table C.29.

C.4.13.2 Major Assumptions and Recovery Actions

Given the high stress in the failure to scram scenario, the operator failure to perform an appropriate action is typically assumed to be 0.1 in past PRAs (our generic recovery model assumes 0.1 at 10 minutes). However, the thermal-hydraulic analyses [16] show that the operator should have longer than 10 minutes. After examining the thermal-hydraulic characteristics of the sequence and the various uncertainties in system response and phenomenology, it was judged that some operator action would be necessary within 20-30 minutes. A THERP analysis of the emergency boration procedure is presented in Appendix B.19 which leads to a value of 0.05 and this value corresponds to the 0.05 probability of operator failure in 20-30 minutes from our generic recovery model.

C.4.13.3 Engineering Insights

The response of this sequence is the same as the T4KU sequence and the reader is referred to Section C.4.7.3 for a discussion of the thermal-hydraulic characteristics.

  • C.4.14 Sequence T3 -118 (T3K0)

C.4.14.1 Description , In this sequence, a T3 (requires primary pressure relief) transient occurs and is followed by failure to scram and an induced LOCA due to a stuck open relief valve (Q). The primary system has survived the initial pressure C-49

transient, due to the PCS runback, and the operator has successfully initiated emergency boration. Due to the high initial pressure, high rate of coolant loss, and low rate of pressure reduction coupled with the low head of the HPSI pumps, core Lncovery and melt occurs before injection can be implemented. This sequence frequency is estimated to be 2.3E-6/yr and contributes 2% of the total core melt frequency. g C.4.14.2 Dominant Cut Sets

Cut Set      Frequency (/yr)      % of Sequence
T3*K*Q       2.3E-6               100

Term Descriptions

T3 = Transients requiring primary system pressure relief; f = 1.85/yr.
K = Failure to scram; p = 3E-5/yr.
Q = Failure of 1 of 4 relief valves to reclose; p = 4.2E-2.

C.4.14.3 Major Assumptions and Recovery Actions

The assumptions and recovery actions are the same as for the T4KQ sequence (see Section C.4.12.3).

C.4.14.4 Engineering Insights

See Section C.4.12.4 of sequence T4KQ for insights applicable to this sequence.

C.4.15 Sequence T3-113 (T3ML)

C.4.15.1 Description

In this sequence, a T3 (requires primary pressure relief) transient is followed by a loss of PCS (M) and AFW (L). The reactor has scrammed and CARCS and CSSI succeed and cool the containment. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to information presented in References 19 and 20. Recent calculations done by EG&G for the Station Blackout program [15] indicate that 86 minutes are available to start an AFW pump in order to prevent core uncovery.


The sequence frequency is estimated as 1.7E-6/yr and contributes 1% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.30, and the cut sets contributing 92% of the sequence frequency after recovery are listed in Table C.31.

C.4.15.2 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 8.5E-5/yr. The important recovery action involved starting the AFW motor-driven pump from the control room given that auto actuation has failed (RA-2, p = .02). The application of this recovery action reduces the sequence frequency to 1.7E-6/yr.

C.4.15.3 Engineering Insights

The failure of the vital bus 11A inverter is postulated as causing PCS failure due to instabilities induced in the feedwater flow; however, while this is true at t80% flow, after a transient where PCS has run back, it is not clear what will happen. This is a dynamic situation with several valves in the PCS system opening or closing, combined with the loss of various instrumentation, and may cause a sufficient loss of main feedwater turbine pump NPSH to result in a pump trip. If the failure occurred while the PCS was actually running back, it is judged likely that the PCS would trip. If the inverter fault occurred after the PCS had stabilized itself at the 5% level, then it is not clear what the effect would be.

C.4.16 Sequence S2-59 (S2D')

C.4.16.1 Description

In this sequence, we have a small-small LOCA (S2), successful scram and secondary heat removal via the AFW system. However, HPSI (D') fails and we have no makeup in the injection phase. This initiator can be broken up into two parts: (1) reactor coolant pump seal LOCAs (IE=2E-2/yr.) and (2) other Small-small LOCAs (IE=1E-3/yr.). The other Small-small LOCA portion of the sequence is negligible (1E-3/yr. initiating event * 1.3E-4 failure of HPSI = 1.3E-7/yr.). [...] Blackout program [15] indicates that for a leak of the maximum expected reactor coolant pump seal LOCA (5500 gpm) with secondary cooling available approximately three hours is available to isolate the leak or start primary makeup. Containment sprays (CSSI) and fans (CARCS) are successful and cool the containment.

The frequency of this sequence is estimated to be 1.6E-6/yr and contributes 1% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.32, and the cut sets contributing 96% of the sequence frequency after recovery are listed in Table C.33.

C.4.16.2 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 2.8E-6/yr. The recovery action is to recover HPSI by manually actuating HPSI from the control room (RA-6, p = .01) for auto actuation faults. The application of this recovery action reduces the sequence frequency to 1.6E-6/yr.

C.4.16.3 Engineering Insights

The dominant failures, responsible for 96% of the sequence frequency, are failure of either of the two valves in the common minimum flow recirculation line. These valves are common to all HPSI, LPSI, and CSS pumps. For the Small-small LOCA case, if these valves should fail closed, the HPSI pumps were assessed to fail. This is because the slow drop in primary pressure from 1600 to 1275 psi would result in pump heat up and failure due to pumping against dead head for a significant period of time (greater than 10 minutes).

C.4.17 Sequence T1-85 (T1LCC')

C.4.17.1 Description

In this sequence, we have a loss of offsite power (T1) followed by failure of AFW (L), CSSI (C), and CARCS (C'). The plant has scrammed successfully, but due to the lack of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to information presented in References 19 and 20. Recent calculations done by EG&G for the Station Blackout program [15] indicate that 86 minutes are available to start an AFW pump in order to prevent core uncovery.

The sequence frequency is estimated as 1.0E-6/yr and contributes 1% of the total core melt frequency. The dominant 160 cut sets of this sequence before recovery are listed in Table C.34, and the cut sets contributing 90% of the sequence frequency after recovery are listed in Table C.35.

C.4.17.2 Major Assumptions and Recovery Actions

The initial screening value for this sequence was 5.9E-5/yr. The recovery actions are to recover offsite power within one hour and start the AFW motor pump (RA-LOSP1, p = .45) or start an AFW train by either (1) starting the locked out turbine pump #12 (RA-3, p = .04), (2) returning turbine pump 11 from test (RA-4, p = .01), (3) starting the motor pump (RA-2, p = .02), or (4) crossfeeding from Unit 2 (RA-16, p = .1). The application of these recovery actions reduces the sequence frequency to 1.0E-6/yr.

C.4.17.3 Engineering Insights

Approximately one-third of the sequence frequency is the result of cut sets which contain terms representing maintenance of two AFW feedwater regulation valves. Maintenance of these valves requiring disassembly would require that both AFW turbine-driven pumps be locked out. This event would not have been allowed by technical specifications prior to adding the third motor-driven AFW pump.
C.4.18 Discussion of Candidate Dominant Sequences Which Dropped Below 1E-6 After Recovery

C.4.18.1 Introduction

In this section, we will present a short discussion of each candidate dominant sequence which failed to meet the 1E-6 cutoff after recovery was applied. Included is a short discussion of the sequence cut sets, their percentage contribution to the sequence frequency, the recovery actions involved and the final sequence frequency estimate after recovery.

C.4.18.2 S2-66 (S2L)

This sequence can be divided into two parts: reactor coolant pump seal LOCAs (IE=2E-2) and other Small-small LOCAs (IE=1E-3). The other Small-small LOCA sequence frequency is 2.2E-7 and can be neglected. For the reactor coolant pump seal LOCA when combined with failure to remove decay heat, we have approximately one hour before core uncovery. (See SASA results [15].) The cut sets consist of (1) double AFW pump failure for various hardware and electrical faults (~82%); (2) failure of AFW suction valve 161 (~16%); and (3) maintenance of feedwater valves 4530 or 4520 which fail the turbine AFW pumps combined with various failures of AFW motor pump #13. For the cut sets of type (1) recovery consists of either starting the locked out AFW turbine pump #13 (p = .04), or manually actuating the motor pump from the control room (p = .01), or returning an AFW pump from its test position (p = .01). For the cut set of type (2) recovery consists either of opening the suction line to CST #11 and starting the locked out turbine pump (p = .1), or cross-feeding from the Unit 2 motor AFW pump (p = .1). Application of these recovery actions reduces the sequence frequency from 4.8E-6/yr. to 2.5E-7/yr.

C.4.18.3 T1-50 (T1Q-H)

This sequence is a transient induced PORV LOCA (Q) resulting from a loss of offsite power (T1). AFW and HPSI work, but HPSR (H) fails upon switchover to the recirculation phase which occurs at ~10 hours. The cut sets consist of CCW failure to supply HPSR pump cooling combined with failure of one diesel generator. All cut sets can be recovered by restoring offsite power within 8 hours (conservative) and then closing the AC powered PORV block valve or restarting the HPSR pumps in the room with CCW cooling (p = .12). Another recovery action independent of restoring offsite power is to close the block valve on the affected PORV (p = .01). This can be done in 50 percent of the cases because half the time the diesel which is operating will also supply AC power to the block valve of the open PORV. Application of these recovery actions reduces the sequence frequency from 7.4E-6/yr. to 4.5E-7/yr.

C.4.18.4 T1-52 (T1Q-FH)

This sequence is a transient induced PORV LOCA (Q) resulting from a loss of offsite power (T1). AFW and HPSI work initially, but HPSR (H) and containment spray (F) fail upon switchover to the recirculation phase which occurs at ~10 hours. The cut sets consist of loss of room cooling to one ECCS pump room combined with failure of one diesel generator to supply power to the pumps in the other ECCS room. Again, as in the previous sequence T1Q-H, all cut sets can be recovered by restoring offsite power within 8 hours (conservative) and then closing a PORV block valve or starting the ECCS pump in the unaffected room (p = .12). Another recovery action independent of restoring offsite power is to close the block valve on the affected PORV (p = .01). This can be done in 50 percent of the cases assuming random failure of the valve since we have AC power from one diesel generator. Application of these recovery actions reduces the sequence frequency from 8.4E-6/yr to 5E-7/yr.

C.4.18.5 T1-59 (T1Q-D")

This sequence is a transient induced PORV LOCA (Q) resulting from a loss of offsite power (T1). AFW works, but HPSI (D") fails. Due to the loss of makeup capability, the core uncovers in about 1 hour (see SASA results [15]). The cut sets consist of (1) failure of a HPSI pump combined with failure of a diesel generator (98%), or (2) failure of the HPSI pump recirculation line valves (2%). For cut sets of type (1), recovery consists of either realigning HPSI pump #13 to its alternate bus (p = .01), or starting the HPSI pump manually (p = .01) after auto actuation failed. For cut sets of type (2), recovery consists of closing the appropriate PORV block valve (p = .12). Application of these recovery actions reduces the sequence frequency from 1.6E-6/yr. to 1.6E-8/yr.

C.4.18.6 T1-83 (T1LC')

This sequence is a loss of offsite power (T1) followed by failure of AFW (L) and CSSI (C'). Approximately 1 hour is available for recovery of AFW which will result in successful cooling of the core (see SASA results [15]). The majority of the cut sets (~98%) involve failure of AFW turbine pump #11 and failure of diesel generator #11 combined with CSSI train B failures. Recovery consists of either starting the locked out turbine AFW pump #13 manually (p = .04), returning an AFW pump from test (p = .01), or recovering offsite power which allows the motor AFW pump to be started (p = .45). Application of these recovery actions reduces the sequence frequency from 3.1E-6/yr. to 2E-7/yr.

C.4.18.7 T1-84 (T1LC)

This sequence is similar to the above sequence T1LC', but instead of the containment sprays failing, the containment fan coolers (C) fail. The majority of the cut sets (98%) involve failure of AFW turbine pump #11 and diesel generator #11 combined with failure of CARCS train B. The recovery actions are identical to the above sequence T1LC' and their application reduces this sequence's frequency from 2.9E-6/yr. to 5E-8/yr.

C.4.18.8 T1-99 (T1KU)

This sequence is a loss of offsite power (T1) followed by a failure to scram (K) and failure of CVCS (U). Initially, this sequence was estimated at 3.5E-6/yr. The failure mechanisms which lead to the 3E-5 failure to scram probability are dominated by electrical failure or involve mechanical failure of the scram breakers. Since failure of offsite power de-energizes the CRDMs directly, these failure modes are bypassed. Therefore, this sequence frequency is reduced to 1E-6/yr.

C.4.18.9 T2-50 (T2Q-H)

This sequence is a transient induced LOCA (Q) resulting from a loss of PCS (T2). AFW works and HPSI supplies makeup to the core. HPSR (H) fails upon switchover to the recirculation phase which occurs at ~10 hours. The cut sets are either (1) double failures of both ECCS pumps due to loss of room pump seal cooling, or (2) failure of pump seal cooling to pumps 11 and 12 combined with failure of HPSI pump #13. All of these cut sets can be recovered by closing the PORV block valve (p = .01) since they do not involve any 480 VAC bus failures. These cut sets comprise 99% of the sequence frequency. Application of this recovery action reduces the sequence frequency from 5.4E-6/yr to 5.4E-8/yr.

C.4.18.10 T2-52 (T2Q-FH)

This sequence is a transient induced LOCA (Q) resulting from a loss of PCS (T2). AFW and HPSI work initially, but HPSR (H) and containment spray (F) fail upon switchover to the recirculation phase which occurs at ~10 hours. The cut sets consist of loss of room cooling to both ECCS pump rooms (99%). Since none of these cut sets involve failure of 480 VAC buses, the recovery action consists of closing the appropriate PORV block valve (p = .01). Application of this recovery action reduces the sequence frequency from 6.1E-6/yr. to 1.2E-7/yr.

C.4.18.11 T2-85 (T2LCC')

This sequence is a loss of PCS (T2) followed by failure of AFW (L), containment fans (C) and containment sprays (C'). Approximately 1 hour is available to restart AFW in time to prevent core uncovery. The majority of the cut sets (98%) consist of failure of both vital AC inverters 11A and 12B which fails AFW auto start circuitry. Recovery consists of manually actuating the AFW system from the control room (p = .01). Application of this recovery action reduces the sequence frequency from 5E-6/yr. to 1E-7/yr.

C.4.18.12 T2-87 (T2KQ)

This sequence is a T2 (Loss of Feedwater) transient followed by a failure to scram (K) and a stuck open relief valve (Q). It is similar to sequence T4KQ (Section C.4.12), but much more severe. The T2K transient has the most severe ATWS response with the most primary coolant being lost out the SRVs. In addition to the basic frequency calculated from the T2, K, and Q events, this sequence frequency needs to be multiplied by .5 to account for the probability of having a favorable MTC for this initiator (see Section C.4.2.3 for a discussion of the MTC for this sequence). Application of this factor reduces the sequence frequency from 1.0E-6/yr to 5.0E-7/yr.

C.4.18.13 T2-99 (T2KU)

This sequence is a T2 (Loss of Feedwater) transient followed by failure to scram (K) and failure of CVCS (U). The dominant failure mode of CVCS was failure of the operator to start the pumps; the value used in screening was 0.5. This value was reduced to 0.05 for final quantification (see discussion in Appendix B.19). No other operator recovery was allowed. Also, as for the previous sequence, the sequence frequency needed to be multiplied by a factor of 0.5 to account for the fact that a favorable MTC is needed in order to enter this sequence. If the MTC was unfavorable, one would be in Sequence ATWS-PSF discussed in Section C.4.2. Upon applying these changes, the sequence frequency was reduced from 1.2E-5/yr to 9.0E-7/yr.

C.4.18.14 T3-102-50 (T3Q-H)

This sequence is a transient induced LOCA similar to T2-50 in Section C.4.18.9 but resulting from a T3 (requires primary system relief) transient. All of the cut sets are the same as in Sequence T2-50 and the recovery actions also are similar. Application of these recovery actions reduces the sequence frequency from 1.6E-5/yr. to 3.2E-7/yr.

C.4.18.15 T3-102-52 (T3Q-FH)

This sequence is a transient induced LOCA similar to T2-52 in Section C.4.18.10 but resulting from a T3 (requires primary system relief) transient. All of the cut sets are the same as in Sequence T2-52 and the recovery actions also are similar. Application of these recovery actions reduces the sequence frequency from 1.9E-5/yr. to 3.8E-7/yr.

C.4.18.16 T3-108-50 (T3MQ-H)

This sequence is a transient induced LOCA with similar phenomenology to T2-50 but resulting from a T3 (requires primary system relief) transient. However, in this case, PCS fails independently of the initiating event. The cut sets fall into three groups: (1) failures of an AC vital inverter combined with failure of pump seal ECCS cooling by CCW for the pump not affected by the inverter fault (91%), (2) local fault of PCS combined with failure of all ECCS pump seal cooling (6%), and (3) loss of offsite power combined with failure of one diesel generator and failure of the unaffected CCW train (3%). All cut sets of type (1) or (2) can be recovered by closing the appropriate PORV block valve (p = .01) since they do not involve any 480 VAC bus failures. Cut sets of type (3) can be recovered by recovery of offsite power within 8 hours and then closing the block valve (p = .12). Application of these recovery actions reduces the sequence frequency from 2.2E-6/yr. to 2.8E-8/yr.

C.4.18.17 T3-108-52 (T3MQ-FH)

This sequence is a transient induced LOCA with similar phenomenology to T2-52 but resulting from a T3 (requires primary system relief) transient. However, in this case, PCS fails independently of the initiating event. The cut sets fall into three general types: (1) loss of a vital AC inverter combined with failure of an ECCS pump room pump cooling (90%), (2) loss of offsite power combined with failure of one diesel generator and the other train of ECCS room cooling (6.2%), and (3) local PCS faults combined with double ECCS room cooling failure (3.8%). To recover from cut sets of type (1) or (3), the recovery action is to close the appropriate PORV block valve (p = .01). Cut sets of type (2) can be recovered by recovery of offsite power within 8 hours and then closing the block valve (p = .12). Application of these recovery actions reduces the sequence frequency from 2E-6/yr. to 3.4E-8/yr.

C.4.18.18 T3-115 (T3MLC) and T4-149 (T4MLC)

These sequences are transients T3 (requires primary system relief) or T4 (all others) followed by failure of all secondary heat removal (ML) and containment fan coolers (C). Approximately 1 hour is available to restore secondary cooling (see SASA results [15]). All dominant cut sets involve failure of vital inverter 11A combined with AFW turbine pump 11 failure and failure of containment fan train B. Recovery involves starting the AFW pump by manual actuation in the control room (p = .01). Application of this recovery action reduces the sequence frequencies from 1.4E-6/yr. and 5.1E-6/yr. to 1.4E-8/yr. and 5.1E-8/yr. for T3 and T4 transients, respectively.

C.4.18.19 T4-148 (T4MLC')

This sequence is similar to the above sequences (T3MLC, T4MLC) except that containment spray (C') fails instead of containment fans. All dominant cut sets involve failure of vital inverter 11 combined with AFW turbine pump 11 failure and failure of CSSI train B. Recovery involves manual actuation of AFW from the control room (p = .01). Application of this recovery action reduces the sequence frequency from 3.4E-6/yr. to 3.4E-8/yr.

C.4.18.20 T3-116 (T3MLCC') and T4-150 (T4MLCC')

These sequences are transients T3 (primary pressure relief required) or T4 (all others) followed by failure of all secondary heat removal (ML) and both containment sprays (C') and fans (C). Approximately 1 hour is available to restore secondary cooling (see SASA results [15]). All dominant cut sets involve either (1) double vital inverter faults 11A and 11B which fail AFW auto start (98%) or (2) loss of offsite power combined with failure of both diesel generators and failure of the AFW turbine pump #11 (2%). The recovery action for cut sets of type (1) is to start the AFW system manually from the control room (p = .01). For cut sets of type (2), this recovery action is to start the locked out AFW turbine pump #12 (p = .04). Application of these recovery actions reduces the sequence frequencies from 1.2E-5/yr. and 4.2E-5/yr. to 1.3E-7/yr. and 4.4E-7/yr. for T3-116 and T4-150, respectively.

C.4.18.21 T4-177 (T4KUM)

This sequence is a T4 (all others) transient followed by a failure to scram (K), failure of PCS (M), and failure of the CVCS (U). All dominant cut sets involve failure of PCS combined with failure of CVCS. For those cut sets which involve a failure of the operator to start CVCS, the value used in screening was 0.5; this was reduced to 0.05 for final quantification (see discussion in Appendix B.19). No other operator recovery was allowed. Upon changing the operator failure, the sequence frequency was reduced from 1E-6/yr. to 1.6E-7/yr.

C.4.18.22 TDC-81-50 (TDCQ-H)

This sequence is a transient induced LOCA similar in phenomenology to T2-50 (Section C.4.18.9) but resulting from a loss of DC bus 11 (TDC). The dominant cut sets all involve single failures in HPR pump #13 train and support systems. Failure of bus 11 does not affect the PORV block valve operability and so recovery is to close the appropriate block valve (p = .01). Application of this recovery action reduces the sequence frequency from 9.2E-6/yr. to 9.2E-8/yr.

C.4.18.23 TDC-81-52 (TDCQ-FH)

This sequence is a transient induced LOCA similar to sequence T2-52 (Section C.4.18.10) in phenomenology but resulting from a loss of DC bus 11 (TDC). The dominant cut sets all involve failures in HPR pump #13 train, either room cooling or pump seal cooling, combined with failure of CSSI train B. Recovery, as above, is to close the appropriate PORV block valve (p = .01). Application of this recovery action reduces the sequence frequency from 5.3E-6/yr. to 5.3E-8/yr.

C.4.18.24 TDC-83 (TDCLC')

This sequence is a loss of DC bus 11 (TDC) followed by failure of AFW (L) and containment sprays (C'). Failure of DC bus 11 trips the PCS. Approximately 1 hour is available to restore some secondary heat removal (see SASA results [15]). The cut sets are failures of AFW turbine pump #11 train combined with failures of CSSI train B. Recovery is to start the locked-out AFW turbine pump #13 (p = .04). Application of this recovery action reduces the sequence frequency from 9.9E-6/yr. to 4.3E-7/yr.

C.4.18.25 TDC-84 (TDCLC)

This sequence is similar to the previous sequence except that containment fans (C) fail instead of sprays. The cut sets involve failures of AFW turbine pump #11 train combined with failures of CARCS train B. The recovery is to start the locked out AFW turbine pump #13 (p = .04). Application of this recovery action reduces the sequence frequency from 1.3E-5/yr. to 5.2E-7/yr.

Table C.1a Generic Data Base*

Component and Failure Modes                               Mean      Median    Error Factor

1. Pumps
1.1 Motor-driven
    Remarks: Pump and motor; excludes control circuits.
1.1.1 Failure to start                                    3E-3/d    1E-3/d    10
1.1.2 Failure to run, given start
1.1.2.1 Normal Environment                                3E-5/h    1E-5/h    10
1.1.2.2 Extreme Environment                               3E-3/d    1E-3/h    10
    Remarks: Considered as interface with heavy chemical environment such as concentrated boric acid.
1.2 Turbine-driven
    Remarks: Pump, turbine, steam and throttle valves, and governor.
1.2.1 Failure to start (includes under and over speed)    3E-2/d    1E-2/d    10
1.2.2 Failure to run, given start                         1E-5/h    1E-5/h    3
1.3 Diesel-driven
    Remarks: Pump, diesel, lube oil system, fuel oil, suction and exhaust air, and starting system.
1.3.1 Failure to start                                    1E-3/d    1E-3/d    3
1.3.2 Failure to run, given start                         8E-4/h    1E-4/h    30

2. Valves
2.1 Motor-operated valves
    Remarks: Catastrophic leakage or "rupture" assigned by engineering judgment; catastrophic leakage assumes the valve to be in a closed state, then the valve fails.
2.1.1 Failure to open                                     3E-3/d    1E-3/d    10
2.1.2 Failure to remain open                              1E-7/h    1E-7/h    3
2.1.3 Failure to close                                    3E-3/d    1E-3/d    10
2.1.4 Internal leakage (catastrophic)                     5E-7/h    1E-8/h    100
2.2 Solenoid-operated
2.2.1 Failure to operate                                  1E-3/d    1E-3/d    3
2.3 Air/Fluid-operated
2.3.1 Failure to operate                                  3E-3/d    1E-3/d    10
2.4 Check valves
2.4.1 Failure to open                                     1E-4/d    1E-4/d    3
                                                          3E-7/h    1E-7/h    10
    Remarks: Hourly rate is based on one actuation per month.
2.4.2 Failure to close                                    1E-3/d    1E-3/d    3
                                                          3E-6/h    1E-6/h    10
    Remarks: Hourly rate is based on one actuation per month.
2.4.3 Internal Leakage
2.4.3.1 Minor                                             3E-5/h    1E-6/h    10
2.4.3.2 Catastrophic                                      5E-7/h    1E-8/h    100
    Remarks: Valve initially closed, then failed.
2.5 Vacuum breakers
    Remarks: Applies only to BWRs.
2.5.1 Failure to open                                     1E-5/d    1E-5/d    3
2.5.2 Failure to close                                    1E-5/d    1E-5/d    3
2.6 Manual valves
    Remarks: Failure to operate is dominated by human error; hourly rate is based on one actuation per month.
2.6.1 Failure to operate                                  1E-4/d    1E-4/d    3
                                                          5E-7/h    1E-7/h    10

* Adapted from EGG-EA-5887 [18].

Table C.1a (continued)

Component and Failure Modes                               Mean      Median    Error Factor

2.7 Code safety valves
    Remarks: Applies only to PWRs; premature opening treated as an initiating event.
2.7.1 Failure to open                                     1E-5/d    1E-5/d    3
2.7.2 Failure to close, given open                        1E-2/d    1E-2/d    3
2.8 Primary safety valves
    Remarks: Applies only to BWRs.
2.8.1 Failure to open                                     1E-5/d    1E-5/d    3
2.8.2 Failure to close, given open                        3E-2/d    1E-2/d    10
2.9 Relief valves
2.9.1 Failure to open                                     3E-4/d    1E-4/d    10
2.9.2 Failure to close, given open                        2E-2/d    2E-2/d    3
2.10 Stop check valves
2.10.1 Failure to open                                    1E-4/d    1E-4/d    3

3. Switches
    Remarks: Where torque/limit switches are used as part of pumps/valves, switch failure rate is included in pump/valve failure rate.
3.1 Torque
3.1.1 Failure to operate                                  1E-4/d    1E-4/d    3
3.2 Limit
3.2.1 Failure to operate                                  1E-4/d    1E-4/d    3
3.3 Pressure
3.3.1 Failure to operate                                  1E-4/d    1E-4/d    3
3.4 Manual
3.4.1 Failure to transfer                                 3E-5/d    1E-5/d    10

4. Other
4.1 Circuit breaker
    Remarks: For sizes 4 kV and smaller.
4.1.1 Failure to transfer                                 3E-3/d    1E-3/d    10
4.1.2 Spurious trip                                       3E-5/d    1E-5/d    10
4.2 Fuses
4.2.1 Premature open                                      3E-6/d    1E-6/h    10
4.3 Buses
4.3.1 All modes                                           1E-8/h    1E-8/h    3
4.4 Orifices
    Remarks: WASH-1400 data; no alternate data available.
4.4.1 Failure to remain open (plug)                       3E-4/d    3E-4/d    3
4.4.2 Rupture                                             3E-8/h    1E-8/h    10
4.5 Transformers
4.5.1 All modes                                           1E-6/h    1E-6/h    3

Table C.1a (continued)

Component and Failure Modes                               Mean      Median    Error Factor

4.6 Emergency diesel (complete plant)
    Remarks: Engine frame and associated moving parts, generator coupling, governor, output breaker, static exciter, lube oil system, fuel oil, intake and exhaust air, starting system; excludes starting air compressor and accumulator, fueling storage and transfer, load sequencers, and synchronizers. Failure to start is failure to start, accept load, and run for 1/2 hour; failure to run is failure to run for more than 1/2 hour, given start.
4.6.1 Failure to start                                    3E-2/d    3E-2/d    3
4.6.2 Failure to run, given start (emergency conditions)  3E-3/h    1E-3/h    10
4.7 Relays
4.7.1 Contacts fail to transfer (open or close)           3E-4/d    1E-4/d    10
4.7.2 Coil failure (open or short)                        3E-6/h    1E-6/h    10
4.8 Time Delay Relays
4.8.1 Premature transfer                                  3E-4/d    1E-4/d    10
4.8.2 Fails to transfer
4.8.2.1 Bimetallic                                        5E-6/h    5E-6/h    3
    Remarks: Non consensus source. Data source is MIL-HDBK-217B [19]. Fail-to-transfer rates are not currently available for non-bimetallic time delay relays.
4.9 Battery power system (wet cell)
    Remarks: Assumes out-of-spec cell replacement.
4.9.1 Fails to provide proper output                      1E-6/h    1E-6/h    3
4.10 Battery charger
4.10.1 Failure to operate                                 1E-6/h    1E-6/h    3
4.11 DC motor-generators
4.11.1 Failure to operate                                 3E-6/h    1E-6/h    10
4.12 Inverters
4.12.1 Failure to operate                                 1E-4/h    1E-4/h    3
4.13 Wires (per circuit)
    Remarks: Consistent with IEEE-500 data for 1000 circuit feet.
4.13.1 Open circuit                                       3E-6/h    1E-6/h    10
4.13.2 Short to ground                                    3E-7/h    1E-7/h    10
4.13.3 Short to power                                     3E-8/h    1E-8/h    10
4.14 Solid state devices
    Remarks: For more detailed information, see MIL-HDBK-217C [20].
4.14.1 High power applications                            3E-6/h    1E-6/h    10
4.14.2 Low power applications                             3E-6/h    1E-6/h    10
4.14.3 Bistables                                          3E-7/d    1E-7/d    10

Table C.1a (concluded)

Component and Failure Modes                               Mean      Median    Error Factor

4.15 Terminal Boards
    Remarks: Values given are per terminal.
4.15.1 Open circuit                                       3E-7/h    1E-7/h    10
4.15.2 Short to adjacent circuit                          3E-7/h    1E-7/h    10
4.16 Dampers
4.16.1 Failure to operate                                 3E-3/d    1E-3/d    10
4.17 Air coolers
4.17.1 Failure to operate                                 1E-5/h    1E-5/h    3
    Remarks: Not consensus data. Plant specific from ANO-1 IREP study.
4.18 Heat exchangers
4.18.1 Tube leak (per tube)                               3E-9/h    1E-9/h    10
4.18.2 Shell leak                                         3E-6/h    1E-6/h    10
4.19 Strainer/filter
    Remarks: For clear fluids; contaminated fluids or fluids with a heavy chemical burden should be considered on a plant-specific basis.
4.19.1 Plugged                                            3E-5/h    1E-5/h    10
4.20 Scram systems
4.20.1 Failure to scram                                   3E-5/d    3E-5/d    3
4.21 Instrumentation (general)
4.21.1 Failure to operate                                 3E-6/h    1E-6/h    10

Table C.1b Multipliers to Compute Mean From Median

Error Factor    Multiplier
3               1.25
10              2.66
30              8.48
100             50.33
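The multipliers in Table C.1b match a lognormal model in which the error factor is the ratio of the 95th percentile to the median (z = 1.645); the table does not state this, so it is an assumption of the added Python example below, which is not part of the report. The code reproduces the four multipliers and checks sample Table C.1a rows, as they read on this page, against mean = median x multiplier rounded to one significant figure; all function names are hypothetical.

```python
import math

# Assumption (not stated on the page): failure rates are lognormally
# distributed and the error factor EF is the ratio of the 95th percentile
# to the median, so sigma = ln(EF) / 1.645.
Z95 = 1.645

# Table C.1b as printed: error factor -> multiplier (mean / median).
TABLE_C1B = {3: 1.25, 10: 2.66, 30: 8.48, 100: 50.33}

# Rows copied from Table C.1a as it appears on this page:
# (entry, tabulated mean, median, error factor). Units are omitted because
# the check only compares the mean and median of the same row.
SAMPLE_ROWS = [
    ("1.1.1 Motor-driven pump, failure to start", 3e-3, 1e-3, 10),
    ("1.2.2 Turbine-driven pump, failure to run", 1e-5, 1e-5, 3),
    ("1.3.2 Diesel-driven pump, failure to run", 8e-4, 1e-4, 30),
    ("2.1.4 Motor-operated valve, internal leakage", 5e-7, 1e-8, 100),
    ("2.4.3.1 Check valve, minor internal leakage", 3e-5, 1e-6, 10),
]


def lognormal_sigma(error_factor):
    """Standard deviation of ln(rate) implied by the error factor."""
    if error_factor <= 1:
        raise ValueError("error factor must be greater than 1")
    return math.log(error_factor) / Z95


def mean_multiplier(error_factor):
    """Lognormal mean / median = exp(sigma^2 / 2)."""
    sigma = lognormal_sigma(error_factor)
    return math.exp(sigma ** 2 / 2.0)


def mean_from_median(median, error_factor):
    """Mean failure rate for a given median and error factor."""
    return median * mean_multiplier(error_factor)


def bounds_90(median, error_factor):
    """5th and 95th percentiles: median / EF and median * EF."""
    return median / error_factor, median * error_factor


def round_1sig(value):
    """Round to one significant figure, the precision Table C.1a uses."""
    return float(f"{value:.0e}")


def inconsistent_rows(rows):
    """Return rows whose tabulated mean differs from the computed mean.

    Each result is (entry, tabulated mean, computed mean at 1 sig. fig.).
    """
    flagged = []
    for entry, tabulated_mean, median, error_factor in rows:
        computed = round_1sig(mean_from_median(median, error_factor))
        if not math.isclose(computed, tabulated_mean, rel_tol=1e-9):
            flagged.append((entry, tabulated_mean, computed))
    return flagged


if __name__ == "__main__":
    print("EF    printed  computed")
    for ef, printed in TABLE_C1B.items():
        print(f"{ef:<5} {printed:<8} {mean_multiplier(ef):.2f}")
    for entry, tabulated, computed in inconsistent_rows(SAMPLE_ROWS):
        print(f"check: {entry}: tabulated {tabulated:.0e}, "
              f"computed {computed:.0e}")
```

A flagged row means only that its mean and median disagree under this model; on a scanned table that is a cue to compare the row with the original document.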

Table C.2a Mechanical Component Failure Rate Data (from WASH-1400, Table III 4-1)

Component & Failure Mode                                      Failure Rate Type   Assessed Range  Median  EF

Pumps (includes driver):
  Motor & turbine driven (generic class):
    Failure to start on demand:                               D(A)                3E-4    3E-3    1E-3    3
    Failure to run, given start (normal environments):        D                   3E-6    3E-4    3E-5    10
    Failure to run, given start (extreme, post accident
      environments inside containment):                       O                   1E-4    1E-2    1E-3    10
    Failure to run, given start (post accident, after
      environmental recovery):                                O                   3E-5    3E-3    3E-4    10
  Turbine driven pumps:
    Failure to start on demand:                               D                   1E-3    1E-2    3E-3    3A
    Failure to run, given start (normal environment):         O                   1E-5    1E-4    3E-5    3A
Valves:
  Motor operated:
    Failure to operate (includes driver):                     D(B)                3E-4    3E-3    1E-3    3
    Failure to remain open (plug):                            D(C)                3E-5    3E-4    1E-4    3
    Failure to remain open (plug):                            S                   1E-7    1E-6    3E-7    3
    Rupture:                                                  S                   1E-9    1E-7    1E-8    10
  Solenoid operated:
    Failure to operate:                                       D(D)                3E-4    3E-3    1E-3    3
    Failure to remain open (plug):                            D                   3E-5    3E-4    1E-4    3
    Rupture:                                                  S                   1E-9    1E-7    1E-8    10
  Air-fluid operated:
    Failure to operate:                                       D(B)                1E-4    1E-3    3E-4    3
    Failure to remain open (plug):                            O                   3E-5    3E-4    1E-4    3
    Failure to remain open (plug):                            S                   1E-7    1E-6    3E-7    3
    Rupture:                                                  S                   1E-9    1E-7    1E-8    10
  Check valves:
    Failure to open:                                          D                   3E-5    3E-4    1E-4    3
    Internal leak (severe):                                   D                   1E-7    1E-6    3E-7    3
    Rupture:                                                  S                   1E-9    1E-7    1E-8    10
  Vacuum Valve:
    Failure to operate:                                       O                   1E-5    1E-4    3E-5    3
  Manual Valve:
    Failure to operate:                                       D                   3E-5    3E-4    1E-4    3A
    Failure to remain open (plug):                            D                   3E-5    3E-4    1E-4    3
    Rupture:                                                  S                   1E-9    1E-7    1E-8    10
  Primary Safety Valves (PWRs):
    Failure to open:                                          O                   1E-3    1E-2    3E-3    3R
    Premature open:                                           S                   1E-6    1E-5    3E-6    3R
    Failure to reclose (given valve open):                    D(E)                3E-3    3E-2    1E-2    3 3R

Table C.2a (Concluded)

Component & Failure Mode                                      Failure Rate Type   Assessed Range  Median  EF

Primary safety valves (BWRs):
    Failure to open:                                          D                   3E-3    3E-2    1E-2    3R
    Premature open:                                           S                   1E-6    1E-5    3E-6    3R
    Failure to reclose (given valve open):                    D                   1E-3    1E-2    3E-3    3R
Test Valves, Flow Meters, Orifices:
    Failure to remain open (plug):                            D                   1E-4    1E-3    3E-4    3
    Rupture:                                                  S                   1E-9    1E-7    1E-8    10
Pipes:
  Pipe ≤ 3-inch diameter (per section):
    Rupture/plug:                                             S+O                 3E-11   3E-8    1E-9    30
  Pipe > 3-inch diameter (per section):
    Rupture/plug:                                             S+O                 3E-12   3E-9    1E-10   30
Clutch, Mechanical:
    Failure to operate:                                       D(D)                1E-4    1E-3    3E-4    3
Scram Rods (Single):
    Failure to insert:                                        D                   3E-5    3E-4    1E-4    3

Table C.2b Electrical Component Failure Rate Data (from WASH-1400, Table III 4-2)

                                                              FAILURE
                                                              RATE    ASSESSED
COMPONENT & FAILURE MODE                                      TYPE    RANGE           MEDIAN  EF    REMARKS

Clutch, Electrical:
  Failure to operate:                                         D(B)    1E-4    1E-3    3E-4    3
  Premature disengagement:                                    O       1E-7    1E-5    1E-6    10
Motors, Electric:
  Failure to start:                                           D(B)    1E-4    1E-3    3E-4    3
  Failure to run, given start (normal environment):           O       3E-6    3E-5    1E-5    3
  Failure to run, given start (extreme environment):          O       1E-4    1E-2    1E-3    10
Relays:
  Failure to energize:                                        D(B)    3E-5    3E-4    1E-4    3
  Failure of NO contacts to close, given energized:           O       1E-7    1E-6    3E-7    3
  Failure of NC contacts by opening, given not energized:     O       3E-8    3E-7    1E-7    3
  Short across NO/NC contact:                                 O       1E-9    1E-7    1E-8    10
  Coil open:                                                  O       1E-8    1E-6    1E-7    10
  Coil short to power:                                        O       1E-9    1E-7    1E-8    10
Circuit Breakers:
  Failure to transfer:                                        D(B)    3E-4    3E-3    1E-3    3
  Premature transfer:                                         O       3E-7    3E-6    1E-6    3
Switches:
Limit:
  Failure to operate:                                         D       1E-4    1E-3    3E-4    3
Torque:
  Failure to operate:                                         D       3E-5    3E-4    1E-4    3
Pressure:
  Failure to operate:                                         D       3E-5    3E-4    1E-4    3
Manual:
  Failure to transfer:                                        D       3E-6    3E-5    1E-5    3
Switch Contacts:
  Failure of NO contacts to close, given switch operation:    O       1E-8    1E-6    1E-7    10
  Failure of NC by opening, given no switch operation:        O       3E-9    3E-7    3E-8    10
  Short across NO/NC contact:                                 O       1E-9    1E-7    1E-8    10
Battery Power System (Wet Cell):
  Failure to provide proper output:                           S       1E-6    1E-5    3E-6    3
Transformers:
  Open circuit primary or secondary:                          O       3E-7    3E-6    1E-6    3
  Short primary to secondary:                                 O       3E-7    3E-6    1E-6    3
Solid State Devices, Hi Power Applications (Diodes, Transistors, etc.):
  Fails to function:                                          O       3E-7    3E-5    3E-6    10
  Fails shorted:                                              O       1E-7    1E-5    1E-6    10

Table C.2b (Concluded)

Solid State Devices, Low Power Applications:
  Fails to function:                                          O       1E-7    1E-5    1E-6    10
  Fails shorted:                                              O       1E-8    1E-6    1E-7    10
Diesels (Complete Plant):
  Failure to start:                                           D       1E-2    1E-1    3E-2    3
  Failure to run, emergency conditions, given start:          O       3E-4    3E-2    3E-3    10
Diesels (Engine Only):
  Failure to run, emergency conditions, given start:          O       3E-5    3E-3    3E-4    10
Instrumentation--General (includes transmitter, amplifier and output device):
  Failure to operate:                                         O       1E-7    1E-5    1E-6    10
  Shift in calibration:                                       O       3E-6    3E-4    3E-5    10
Fuses:
  Failure to open:                                            D       3E-6    3E-5    1E-5    3
  Premature open:                                             O       3E-7    3E-6    1E-6    3
Wires (typical circuits, several joints):
  Open circuit:                                               O       1E-6    1E-5    3E-6    3
  Short to ground:                                            O       3E-6    3E-6    3E-7    10
  Short to power:                                             O       1E-9    1E-7    1E-8    10
Terminal Boards:
  Open connection:                                            O       1E-8    1E-6    1E-7    10
  Short to adjacent circuit:                                  O       1E-9    1E-7    1E-8    10

Table C.2 (Notes)

NOTES:

(A) Demand probabilities are based on the presence of proper input control signals. For turbine pumps, the effect of failures of valves, sensors, and other auxiliary hardware may result in significantly higher overall failure rates for turbine driven pump systems.
(B) Demand probabilities are based on presence of proper input control signals.
(C) Plug probabilities are given in demand probability, and per hour rates, since phenomena are generally time-dependent, but plugged condition may only be detected upon a demand of the system.
(D) Demand probabilities are based on presence of proper input control signals.
(E) These rates are based on LERs for B&W pressurizer PORV failure to reseat given the valve has opened.

ABBREVIATIONS:

(1) For failure rate type abbreviations:
    D   = demand failure rate--failures per demand
    O   = operating failure rate--failures per hour of operation
    S   = standby failure rate--failures per hour of standby
    S+O = standby or operating failure rate--failures per hour

(2) Remarks (last column) abbreviations:
    R = failure rate shown is a revision of WASH-1400 value
    A = failure rate shown is in addition to WASH-1400 failure rates.

Table C.3 Variable Event Values For Various Initiators

                       Initiating Event
Variable Event         A        S1       S2       T1       T2       T3       T4       TDC      TSRW
LOCA                   1        1        1        0        0        0        0        0        0
LG-BRK-LOCA            1        0        0        0        0        0        0        0        0
LOSP                   1E-3     1E-3     1E-3     1        1E-3     1E-3     1E-3     1E-3     1E-3
SIS 011AX-PIP-LFD1     1        1        1        0        0        0        0        0        0
OP-FL-MN-SIASA         .5       1E-2     1E-2     1E-2     1E-2     1E-2     1E-2     1E-2     1E-2
OP-FL-MN-SIASB         .5       1E-2     1E-2     1E-2     1E-2     1E-2     1E-2     1E-2     1E-2
OP-FL-MN-CSASA         1        1E-2     1E-2     1E-2     1E-2     1E-2     1E-2     1E-2     1E-2
OP-FL-MN-CSASB         1        1E-2     1E-2     1E-2     1E-2     1E-2     1E-2     1E-2     1E-2
NO-LOSP                1        1        1        0        1        1        1        1        1
NOLOSP                 1        1        1        0        1        1        1        1        1
SIAS-REQUIRED          1        1        1        0        1        1        1        1        1
LOS-POP-IP2            1        1        1        0        1        1        1        1        1
LOS-POP-IB4            0        0        0        1        0        0        0        0        0
SRWO128X-XOC-LF        2.4E-6   2.4E-6   2.4E-6   2.4E-6   2.4E-6   2.4E-6   2.4E-6   2.4E-6   1
ELC0011A-125-LF        2.4E-7   2.4E-7   2.4E-7   2.4E-7   2.4E-7   2.4E-7   2.4E-7   1        2.4E-7

Table C.4 Generic Recovery Model [2]

P(NR)     Control Room     Local
1         <5 Min.          <15
.25       5                15
.10       10-20            20-30
.05       20-30            30-40
.03       30-60            40-70
.01       >60              >70


Table C.5 Recovery Actions

RA-LOSP1 = .45  restore offsite power in 1 hour
RA-LOSP4 = .21  restore offsite power in 4 hours
RA-LOSP6 = .18  restore offsite power in 6 hours
RA-LOSP8 = .12  restore offsite power in 8 hours
RA-1  = .1   recover AFW0161 within 1 hour by aligning to CST 11 and start AFW turbine pump 12 or restart turbine pump 11 ities, LOSP, difficult stress, two local-actions lll are not difficult to do in themselves 10 minutes, low suction alarm indication.
RA-2  = .02  start AFW pump 11 or 13 in control room following auto actuation failure, ≤1 hour, .01 recovery + .01 pump unavailabilities.
RA-3  = .04  start AFW pump 12 locally, ≤1 hour, moderate stress, unusual action, .03 recovery + .01 pump unavailability.
RA-4  = .01  AFW pump or other component in test, operator present, ≤1 hour, restore component.
RA-5  = .01  reopen valve closed inadvertently (≤1 hour), generic.
RA-6  = .01  vital AC inverter fails, start systems manually in control room, ≤1 hour.
RA-7  = .05  manually close CB (circuit breaker) local, ≤1 hour, may be some reluctance to close due to lack of protection to CB. (Did not use.)
RA-8  = .01  realign swing pump, ≤1 hour, in control room, not usual, stress low-moderate.
RA-9  = .01  SIAS fails - manually actuate systems in control room, ≤1 hour.
RA-10 = .1   recover PCS in 1 hour for T2 transients. (Did not use.)
RA-11 = .05  operator fails to initiate CVCS or trip scram breakers (initiating CVCS is quantified in the fault trees). See THERP in App. B.19.
RA-12 = .02  realign CCW pump 13 and open CCW HTX 12 valve CCW3826 from control room.
RA-13 = .01  shut PORV block valve, ≤1 hour, AC available.
RA-14 = .03  open AFW turbine steam bypass valve, difficult stress, ≤1 hour, local.
RA-15 = .01  open CCW 3826, ≤1 hour, control room.
RA-16 = .1   start other unit's AFW motor pump and divert flow to unit 1 (must be careful of injecting into unit 2 since valves are not closed to SGs) (procedure not yet written). If have a LOSP or trip at unit 2 degradation of AFW may not allow. (Used only for maintenance of AFW 4530 or 4520.)
RA-17 = .01  turn on ECCS pump room coolers from control room or local, ≤1 hour, low stress, hi temperature alarms.
RA-18 = .1   open SWS pneumatic valves for room cooling, control faults ≤1 hour, local, fail open on loss of air, may involve bleeding air.
RA-19 = .1   manually actuate RAS ~20 min.
RA-20 = .25  open sump MOV, local, ~20 min., low stress to moderate stress (small-small LOCAs only).
RA-21 = .03  realign swing pump, locally, ≤1 hr., open manual valve.
RA-22 = .01  close valve manually, ≤1 hr., generic.
RA-23 = .01  initiate LPR (did not use).

Table C.6 Comparison of RSS and Calvert Cliffs Unit 1 LOCA Frequencies

Reactor Safety Study                            Calvert Cliffs Unit 1
LOCA Break Size Range (1)     Frequency         LOCA Break Size Range (1,2)     Frequency
S2 = .5 to 2 inches           1.0E-3            S2 = .3 to 1.9 inches           2.1E-2
S1 = 2 to 6 inches            3.0E-4            S1 = 1.9 to 4.3 inches          2.4E-4
A = 6 inches and larger       1.0E-4            A = 4.3 inches and larger       2.3E-4

(1) Equivalent diameter in inches.
(2) S2 LOCA includes RCS pump seal leak contribution.

Sample Calculation

For the RSS S2 LOCA,

$$\int_{.5}^{2} P_{S2}\,dx = 1.0 \times 10^{-3}$$

Similarly, for the RSS S1 LOCA,

$$\int_{2}^{6} P_{S1}\,dx = 3.0 \times 10^{-4}$$

Assume that the distributions are uniform probability distributions. Therefore, the normalizing constants are P_S1 = 7.5E-5 and P_S2 = 6.67E-4. Now, integrate these distributions over the Calvert Cliffs S1 LOCA break size range to obtain its frequency:

$$\int_{1.9}^{2} P_{S2}\,dx + \int_{2}^{4.3} P_{S1}\,dx = 2.4 \times 10^{-4}$$

Table C.7 Grouped EPRI NP-2230 Transient Events Causing Reactor Shutdown at Calvert Cliffs Unit 1

Transient Designator, Transient Description                        Total Frequency Per Reactor Year
    Applicable EPRI NP-2230 Transients                             EPRI NP-2230 Frequency Per Reactor Year

T1  Total Loss of Offsite Power                                    0.14
    (35) Total Loss of Offsite Power                               0.14

T2  Total Interruption of the Power Conversion System
    (Main Feedwater)                                               0.80
    (16) Total Loss of Main Feedwater Flow                         0.15
    (18) Closure of all MSIVs                                      0.03
    (21&22) Feedwater Flow Instability                             0.36
    (24) Loss of All Condensate Pumps                              0.00
    (25) Loss of Condenser Vacuum                                  0.20
    (30) Loss of Circulating Water                                 0.06

T3  Transients Requiring RCS Pressure Relief                       1.85
    (33) Turbine Trip or Throttle Valve Closure                    1.38
    (34) Generator Trip or Generator Caused Faults                 0.38
    (37) Loss of Power to Necessary Plant Systems                  0.09

T4  Other Transients Requiring Reactor Shutdown Which Do Not
    Significantly Affect Front Line Systems                        6.8
    (1) Loss of RCS Flow in One Loop                               0.39
    (3) CRDM Problems, Rod Drop                                    0.65
    (6) Low Pressurizer Pressure                                   0.03
    (8) High Pressurizer Pressure                                  0.03
    (9) Inadvertent Safety Injection Signal                        0.06
    (11) CVCS Malfunction-Boron Dilution                           0.04
    (12) Pressure/Temperature/Power Imbalance                      0.16
    (14) Total Loss of RCS Flow                                    0.03
    (15) Loss or Reduction in Main Feedwater (1 Loop)              1.88
    (17) Full or Partial Closure of One MSIV                       0.23
    (19) Increase in Main Feedwater Flow in One Loop               0.69
    (20) Increase in Main Feedwater Flow in All Loops              0.01
    (23) Loss of Condensate Pump (1 Loop)                          0.08
    (27) Condenser Leakage                                         0.05
    (28) Leakage in Secondary System                               0.08
    (29) Sudden Opening of Steam Relief Valves                     0.04
    (36) Pressurizer Spray Failure                                 0.04
    (38) Spurious Trips-Cause Unknown                              0.14
    (39) Auto Trip-No Transient Condition                          1.55
    (40) Manual Trip-No Transient Condition                        0.62

TABLE C.8 TRANSIENT INITIATOR CATEGORY FREQUENCIES

Transient                                                      Category
Category     Category Description                              Frequency Used
T1           Loss of Offsite Power                             0.14/YR
T2           Loss of Main Feedwater                            0.8/YR
T3           Transients Requiring RCS Pressure Relief          1.85/YR
T4           All Other Transients                              6.8/YR
TDC          Loss of DC Bus 11                                 3.6E-2
TSRW         Loss of SRW Train 12                              1.8E-3

Table C.9

SUMMARY RESULTS OF SCREENING QUANTIFICATION

KEY TO ACCIDENT SEQUENCE SYMBOLS

EVENT TREE
SYMBOL      FRONT LINE SYSTEM FAILURE
A           LARGE LOCA
C           CONTAINMENT AIR RECIRCULATION AND COOLING SYSTEM (CARCS)
C'          CONTAINMENT SPRAY SYSTEM (INJECTION) (CSSI)
D           SAFETY INJECTION TANKS (SIT)
D'          LOW PRESSURE SAFETY SYSTEM INJECTION (LPSI)
D"          HIGH PRESSURE SAFETY SYSTEM INJECTION (HPSI)
F           CONTAINMENT SPRAY SYSTEM (RECIRCULATION) (CSSR)
G           SHUTDOWN COOLING HEAT EXCHANGERS (SDHX)
H           HIGH PRESSURE SAFETY SYSTEM (RECIRCULATION) (HPSR)
K           REACTOR PROTECTION SYSTEM (RPS)
L           AUXILIARY FEEDWATER SYSTEM (AFW) AND SECONDARY STEAM RELIEF (SSR)
M           POWER CONVERSION SYSTEM (PCS) AND SECONDARY STEAM RELIEF (SSR)
P           RELIEF VALVES DEMANDED
Q           RELIEF VALVES RECLOSE
S1          SMALL LOCA
S2          SMALL-SMALL LOCA
T1          LOSS OF OFFSITE POWER (LOSP)
T2          LOSS OF POWER CONVERSION SYSTEM (PCS)
T3          TRANSIENTS REQUIRING PRIMARY SYSTEM PRESSURE RELIEF
T4          REMAINING TRANSIENTS REQUIRING REACTOR TRIP
TDC         LOSS OF DC BUS 11
TSRW        LOSS OF SERVICE WATER TRAIN 12
U           CHEMICAL VOLUME AND CONTROL SYSTEM (CVCS)

TABLE C.9 (cont.) A: LARGE LOCA
[Table body (sequence number, sequence description, transient frequency/yr, undeveloped events probability, developed events probability, sequence frequency) is printed sideways and is not legible in this scan.]

TABLE C.9 (cont.) S1: SMALL LOCA
[Table body (sequence number, sequence description, transient frequency/yr, undeveloped events probability, developed events probability, sequence frequency) is printed sideways and is not legible in this scan.]

TABLE C.9 (cont.) S2: SMALL-SMALL LOCA
[Table body (sequence number, sequence description, transient frequency/yr, undeveloped events probability, developed events probability, sequence frequency) is printed sideways and is not legible in this scan.]

TABLE C.9 (cont.) T1: LOSS OF OFFSITE POWER

SEQUENCE     SEQUENCE      TRANSIENT       UNDEVELOPED EVENTS   DEVELOPED EVENTS   SEQUENCE
NUMBER       DESCRIPTION   FREQUENCY/YR    PROBABILITY          PROBABILITY        FREQUENCY
T1-81-50     T1Q-H         .14             2.8E-3               1.9E-2             7.4E-6
T1-81-52     T1Q-FH        .14             2.8E-3               2.1E-2             8.4E-6
T1-81-54     T1Q-CH        .14             2.8E-3               2.6E-5             ε
T1-81-55     T1Q-CG        .14             2.8E-3               2.4E-5             ε
T1-81-56     T1Q-CGH       .14             2.8E-3               2.3E-5             ε
T1-81-57     T1Q-CF        .14             2.8E-3               2.9E-4             ε
T1-81-58     T1Q-CC'       .14             2.8E-3               1.2E-4             ε
T1-81-59     T1Q-D"        .14             2.8E-3               4.0E-3             1.6E-6
T1-81-60     T1Q-D"F       .14             2.8E-3               1.6E-4             ε
T1-81-61     T1Q-D"C'      .14             2.8E-3               1.9E-5             ε
T1-81-62     T1Q-D"C       .14             2.8E-3               5.9E-4             ε
T1-81-63     T1Q-D"CG      .14             2.8E-3               ≤6.0E-4            ε
T1-81-64     T1Q-D"CF      .14             2.8E-3               4.5E-7             ε
T1-81-65     T1Q-D"CC'     .14             2.8E-3               3.3E-2             1.3E-5
T1-82        T1L           .14             -                    1.7E-3             2.4E-4
T1-83        T1LC'         .14             -                    2.2E-5             3.1E-6

TABLE C.9 (cont.) T1: LOSS OF OFFSITE POWER
[Table body (sequence number, sequence description, transient frequency/yr, undeveloped events probability, developed events probability, sequence frequency) is printed sideways and is not legible in this scan.]

TABLE C.9 (cont.) T2: LOSS OF PCS

SEQUENCE     SEQUENCE      TRANSIENT       UNDEVELOPED EVENTS   DEVELOPED EVENTS   SEQUENCE
NUMBER       DESCRIPTION   FREQUENCY/YR    PROBABILITY          PROBABILITY        FREQUENCY
T2-81-50     T2Q-H         .80             2.8E-3               2.4E-3             5.4E-6
T2-81-52     T2Q-FH        .80             2.8E-3               2.7E-3             6.1E-6
T2-81-54     T2Q-CH        .80             2.8E-3               6.6E-7
T2-81-55     T2Q-CG        .80             2.8E-3               ≤5.0E-6            ε
T2-81-56     T2Q-CGH       .80             2.8E-3               ≤5.0E-6            ε
T2-81-57     T2Q-CF        .80             2.8E-3               ≤5.0E-6            ε
T2-81-58     T2Q-CC'       .80             2.8E-3               2.0E-6             ε
T2-81-59     T2Q-D"        .80             2.8E-3               ≤1.3E-4            ε
T2-81-60     T2Q-D"F       .80             2.8E-3               ≤1.3E-4            ε
T2-81-61     T2Q-D"C'      .80             2.8E-3               ≤1.3E-4            ε
T2-81-62     T2Q-D"C       .80             2.8E-3               ≤3.8E-5            ε
T2-81-63     T2Q-D"CG      .80             2.8E-3               ≤3.8E-5            ε
T2-81-64     T2Q-D"CF      .80             2.8E-3               ≤3.8E-5            ε
T2-81-65     T2Q-D"CC'     .80             2.8E-3               ≤3.8E-5
T2-82        T2L           .80             -                    2.3E-4             1.8E-4
T2-83        T2LC'         .80             -                    5.0E-7             ε
T2-84        T2LC          .80             -                    8.0E-7             ε
T2-85        T2LCC'        .80             -                    6.3E-6             5.0E-6

TABLE C.9 (cont.) T2: LOSS OF PCS
[Table body (sequence number, sequence description, transient frequency/yr, undeveloped events probability, developed events probability, sequence frequency) is printed sideways and is not legible in this scan.]

TABLE C.9 (cont.) T3: TRANSIENTS REQUIRING PRIMARY SYSTEM PRESSURE RELIEF
[Table body (sequence number, sequence description, transient frequency/yr, undeveloped events probability, developed events probability, sequence frequency) is printed sideways and is not legible in this scan.]

TABLE C.9 (cont.) T3: TRANSIENTS REQUIRING PRIMARY SYSTEM PRESSURE RELIEF

SEQUENCE     SEQUENCE      TRANSIENT       UNDEVELOPED EVENTS   DEVELOPED EVENTS   SEQUENCE
NUMBER       DESCRIPTION   FREQUENCY/YR    PROBABILITY          PROBABILITY        FREQUENCY
T3-110       T3MPC'        1.85            1.0E-10              1                  ε
T3-111       T3MPC         1.85            1.0E-10              1                  ε
T3-112       T3MPCC'       1.85            1.0E-10              1                  ε
T3-113       T3ML          1.85            -                    4.6E-5             8.5E-5
T3-114       T3MLC'        1.85            -                    5.0E-7             ε
T3-115       T3MLC         1.85            -                    7.5E-7             1.4E-6
T3-116       T3MLCC'       1.85            -                    6.2E-6             1.2E-5
T3-118       T3KQ          1.85            1.26E-6              1                  2.3E-6
T3-119       T3KQC'        1.85            1.26E-6              5.0E-4             ε
T3-120       T3KQC         1.85            1.26E-6              6.6E-4             ε
T3-121       T3KQCC'       1.85            1.26E-6              7.3E-7             ε
T3-122       T3KP          1.85            3.0E-5               ≤4.0E-5            ε
T3-123       T3KPC'        1.85            3.0E-5               ≤4.0E-5            ε
T3-124       T3KPC         1.85            3.0E-5               ≤4.0E-5            ε
T3-125       T3KPCC'       1.85            3.0E-5               ≤4.0E-5            ε
T3-127       T3KMQ         1.85            1.26E-6              ≤9.8E-3            ε
T3-128       T3KMQC'       1.85            1.26E-6              ≤9.8E-3            ε

TABLE C.9 (cont.) T3: TRANSIENTS REQUIRING PRIMARY SYSTEM PRESSURE RELIEF
[Table body (sequence number, sequence description, transient frequency/yr, undeveloped events probability, developed events probability, sequence frequency) is printed sideways and is not legible in this scan.]

TABLE C.9 (cont.) T4: TRANSIENTS REQUIRING REACTOR TRIP

SEQUENCE     SEQUENCE      TRANSIENT       UNDEVELOPED EVENTS   DEVELOPED EVENTS   SEQUENCE
NUMBER       DESCRIPTION   FREQUENCY/YR    PROBABILITY          PROBABILITY        FREQUENCY
T4-147       T4ML          6.80            -                    4.6E-5             3.1E-4
T4-148       T4MLC'        6.80            -                    5.0E-7             3.4E-6
T4-149       T4MLC         6.80            -                    7.5E-7             5.1E-6
T4-150       T4MLCC'       6.80            -                    6.2E-6             4.2E-5
T4-152       T4KQ          6.80            1.26E-6              1                  8.6E-6
T4-153       T4KQC'        6.80            1.26E-6              5.0E-4             ε
T4-154       T4KQC         6.80            1.26E-6              6.6E-4             ε
T4-155       T4KQCC'       6.80            1.26E-6              7.3E-7             ε
T4-156       T4KP          6.80            3.0E-5               ≤4.0E-5            ε
T4-157       T4KPC'        6.80            3.0E-5               ≤4.0E-5            ε
T4-158       T4KPC         6.80            3.0E-5               ≤4.0E-5            ε
T4-159       T4KPCC'       6.80            3.0E-5               ≤4.0E-5            ε
T4-161       T4KMQ         6.80            1.26E-6              ≤9.8E-3            ε
T4-162       T4KMQC'       6.80            1.26E-6              ≤9.8E-3            ε
T4-163       T4KMQC        6.80            1.26E-6              ≤9.8E-3            ε

EC CN NE Y 4 6 O EU - UQ e e c e e g < e e E ( e t E e P QE ER l.1 0 1 I SF R T R O Y T D T C E I A PSL E R OTI 5 4 5 3 5 LNB 3 7 7 7 7 5 5 5 1 4 G EEA - - - - - - - E E E E VVB E 0 E E E E E E E E E N EEO 8 8 8 8 8 2 2 2 2 2 5 4 8 1 8 I R D R 5 5 P 9 3 3 3 3 5 5 5 5 5 2 3 2 _ I 1 1 2 1 1 1 1 1 1 U Q E R D Y S E T P I T OSL N LTI 6 E ENB - 5 5 5 5 5 5 5 5 5 5 5 5 5 5 I VEA E - - - - - - - - - - - - - - S EVB 6 E E E E E E E E E E E E E E N DEO 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A N R R U P 1 3 3 3 3 3 3 3 3 3 3 3 3 3 3 T 4 T R Y

 )     T/
   . NY t     EC n    IN o    SE c    NU                               0    0    0   0  0   0   0 AQ   0   0  0   0  0   0  0   0

( 8 8 8 8 8 8 8 8 RE 8 8 8 8 8 6 8 9 TR 6 6 6 6 6 6 6 6 6 6 F 6 6 6 6 6 C E N L O B EI A CT 'C NP 'C 'C 'C T EI C 'C C C 'C C C 'C UR Q P P P P L L L L 'C C C M M QC M M P M M M M M M U U U U U U ES K K K K K K K K K K K K K K K 4 4 4 4 4 4 4 4 SE 4 4 4 4 4 4 4 T T T T T T T D f T T T T T T T E CR NE EB 4 6 5 6 6 6 7 6 8 6 9 6 0 7 1 1 7 1 2 7 1 3 7 1 4 7 1 5 7 1 6 7 1 7 7 1 8 7 1 O UM 1 1 1 1 1 1 QU - - - - - - 4 4 4 4 4 4 4 4 EN 4 4 4 4 4 4 4 T T T S T T T T T T T T T T T T

                                         )

c j[

TABLE C.9 (cont.)
TDC: LOSS OF DC BUS 11

                                        UNDEVELOPED   DEVELOPED
SEQUENCE    SEQUENCE     TRANSIENT      EVENTS        EVENTS        SEQUENCE
NUMBER      DESCRIPTION  FREQUENCY/YR   PROBABILITY   PROBABILITY   FREQUENCY

TDC-81-50   TDCQ-H       3.6E-2         2.8E-3        9.1E-2        9.2E-6
TDC-81-52   TDCQ-FH      3.6E-2         2.8E-3        5.3E-2        5.3E-6
TDC-81-54   TDCQ-CH      3.6E-2         2.8E-3        3.5E-4        ε
TDC-81-55   TDCQ-CG      3.6E-2         2.8E-3        ≤1.0E-3       ε
TDC-81-56   TDCQ-CGH     3.6E-2         2.8E-3        ≤1.0E-3       ε
TDC-81-57   TDCQ-CF      3.6E-2         2.8E-3        ≤1.0E-3       ε
TDC-81-58   TDCQ-CC'     3.6E-2         2.8E-3        5.4E-4        ε
TDC-81-59   TDCQ-D*      3.6E-2         2.8E-3        ≤1.5E-3       ε
TDC-81-60   TDCQ-D*F     3.6E-2         2.8E-3        ≤1.5E-3       ε
TDC-81-61   TDCQ-D'C'    3.6E-2         2.8E-3        ≤1.5E-3       ε
TDC-81-62   TDCQ-D*C     3.6E-2         2.8E-3        ≤1.0E-3       ε
TDC-81-63   TDCQ-D"CG    3.6E-2         2.8E-3        ≤1.0E-3       ε
TDC-81-64   TDCQ-D*CF    3.6E-2         2.8E-3        ≤1.0E-3       ε
TDC-81-65   TDCQ-D*CC'   3.6E-2         2.8E-3        ≤1.0E-3       ε
TDC-82      TDCL         3.6E-2         -             1.4E-2        4.9E-4
TDC-83      TDCLC'       3.6E-2         -             2.8E-4        9.9E-6

TABLE C.9 (cont.)
TDC: LOSS OF DC BUS 11

[Continuation page of the table, with the same columns as above. The entries are not legible in the scanned text.]

TABLE C.9 (cont.)
TSRW: LOSS OF SERVICE WATER TRAIN 12

                                         UNDEVELOPED   DEVELOPED
SEQUENCE     SEQUENCE     TRANSIENT      EVENTS        EVENTS        SEQUENCE
NUMBER       DESCRIPTION  FREQUENCY/YR   PROBABILITY   PROBABILITY   FREQUENCY

TSRW-81-50   TSRWQ-H      1.8E-3         2.8E-3        2.1E-3        ε
TSRW-81-52   TSRWQ-FH     1.8E-3         2.8E-3        2.6E-3        ε
TSRW-81-54   TSRWQ-CH     1.8E-3         2.8E-3        ≤2.7E-2       ε
TSRW-81-55   TSRWQ-CG     1.8E-3         2.8E-3        ≤2.7E-2       ε
TSRW-81-56   TSRWQ-CGH    1.8E-3         2.8E-3        ≤2.7E-2       ε
TSRW-81-57   TSRWQ-CF     1.8E-3         2.8E-3        ≤2.7E-2       ε
TSRW-81-58   TSRWQ-CC'    1.8E-3         2.8E-3        ≤2.7E-2       ε
TSRW-81-59   TSRWQ-D*     1.8E-3         2.8E-3        ≤1.4E-4       ε
TSRW-81-60   TSRWQ-D*F    1.8E-3         2.8E-3        ≤1.4E-4       ε
TSRW-81-61   TSRWQ-D*C'   1.8E-3         2.8E-3        ≤1.4E-4       ε
TSRW-81-62   TSRWQ-D*C    1.8E-3         2.8E-3        ≤1.2E-4       ε
TSRW-81-63   TSRWQ-D*CG   1.8E-3         2.8E-3        ≤1.2E-4       ε
TSRW-81-64   TSRWQ-D*CF   1.8E-3         2.8E-3        ≤1.2E-4       ε
TSRW-81-65   TSRWQ-D*CC'  1.8E-3         2.8E-3        ≤1.2E-4       ε
TSRW-82      TSRWL        1.8E-3         -             1.7E-4        ε
TSRW-83      TSRWLC'      1.8E-3         -             1.0E-8        ε
TSRW-84      TSRWLC       1.8E-3         -             5.5E-5        ε
TSRW-85      TSRWLCC'     1.8E-3         -             7.7E-6        ε

TABLE C.9 (cont.)
TSRW: LOSS OF SERVICE WATER TRAIN 12

[Continuation page of the table, with the same columns as above. The entries are not legible in the scanned text.]

TABLE C.10
CANDIDATE DOMINANT ACCIDENT SEQUENCES OBTAINED THROUGH SCREENING QUANTIFICATION

SEQUENCE    FREQUENCY   SEQUENCE    FREQUENCY   SEQUENCE    FREQUENCY   SEQUENCE    FREQUENCY

S2-50       5.1E-5      T1-84       2.9E-6      T3-102-52   1.9E-5      T4-149      5.1E-6
S2-52       5.7E-5      T1-85       5.9E-5      T3-108-50   2.2E-6      T4-150      4.2E-5
S2-59       2.8E-6      T1-99       3.5E-6      T3-108-52   2.0E-6      T4-152      8.6E-6
S2-66       4.8E-6      T2 50       5.4E-6      T3-113      8.5E-5      T4-173      1.1E-4
T1 50       7.4E-6      T2 52       6.1E-6      T3-115      1.4E-6      T4-177      1.0E-6
T1-81-52    8.4E-6      T2-82       1.8E-4      T3-116      1.2E-5      TDC-81-50   9.2E-6
T1 59       1.6E-6      T2-85       5.0E-6      T3-118      2.3E-6      TDC-81-52   5.3E-6
T1-81-65    1.3E-5      T2-87       1.0E-6      T3-139      2.9E-6      TDC-82      4.9E-6
T1-82       2.4E-4      T2-99       1.2E-5      T4-147      3.1E-4      TDC-83      9.9E-6
T1-83       3.1E-6      T3-102-50   1.6E-5      T4-148      3.4E-6      TDC-84      1.3E-5

Table C.11
Final Calvert Cliffs Dominant Accident Sequences (after recovery)

                           IREP FREQUENCY    IREP FREQUENCY
                           BEFORE RECOVERY   AFTER RECOVERY   % TOTAL CM
SEQUENCE     DESCRIPTION   (/YR)             (/YR)            FREQUENCY

ATWS(PSF)    ----          2.8E-5            2.8E-5           20
TDC-82       TDCL          4.9E-4            2.1E-5           16
S2-50        S2H           5.1E-5            1.4E-5           11
S2-52        S2FH          5.7E-5            1.1E-5           9
T2-82        T2L           1.8E-4            7.1E-6           6
T4-173       T4KU          6.7E-6            6.7E-6           5
T4-147       T4ML          3.4E-4            6.3E-6           5
T1-81-65     T1Q-D"CC'     1.3E-5            5.3E-6           4
T1-82        T1L           2.4E-5            4.9E-6           4
Blackout     ----          2.4E-4            4.4E-6           3
T4-152       T4KQ          4.3E-6            4.3E-6           3
T3-139       T3            3.7E-6            3.7E-6           3
[rows not legible in the scanned text]
S2-59        S2D"          2.8E-6            1.6E-6           1
T1-85        T1LCC'        5.9E-5            1.0E-6           1
Sequences below cutoff
             ----          ----              7.8E-6           6

Total        ----          ----              1.3E-4           100

TERM     PROB. W/O     PROB. W/      CUT SET
NUMBER   RECOVERY      RECOVERY      (DOES NOT INCLUDE INITIATING EVENT)

SEQTDC-82 =

 1       4.7000E-03    1.8800E-04    AFWP11-PTD-LF * RA-3 +
 2       3.7000E-03    1.4800E-04    AFWP11-PTD-PRMN * RA-3 +
 3       1.4000E-03    1.4000E-05    AFWP11-PTD-PRTS * RA-4 +
 4       1.0000E-03    4.0000E-05    AFWS973A-NOC-LF * RA-3 +
 5       1.0000E-03    4.0000E-05    AFW3987A-NOC-LF * RA-3 +
 6       2.0000E-04    4.0000E-06    AFAIDGCB-IDG-LF * RA-2 +
 7       2.0000E-04    8.0000E-06    AFW0173-X-FRFT * RA-3 +
 8       2.0000E-04    2.0000E-05    AFW4537-N-PRMN * RA-16 +
 9       2.0000E-04    2.0000E-05    AFW4527-N-PRMN * RA-16 +
10       1.6000E-04    6.4000E-06    AFWM911X-X-PRMN * RA-3 +
11       1.1000E-04    2.2000E-06    AFAKAFAB-RCA-LF * RA-2 +
12       1.0000E-04    2.0000E-06    AFAKSAV2-RCA-LF * RA-2 +
13       1.0000E-04    4.0000E-06    AFWC979X-CCC-LF * RA-3 +
14       1.0000E-04    4.0000E-06    AFW0172-CCC-LF * RA-3 +
15       6.9000E-05    2.7600E-06    AFWM911X-X-FRFM * RA-3 +
16       6.6000E-05    2.6400E-06    AFWpip3-X-FRFM * RA-3 +