ML20125C593
ML20125C593 | |
Person / Time | |
---|---|
Site: | Davis Besse |
Issue date: | 11/30/1979 |
From: | Dorman R, Weaver W BABCOCK & WILCOX CO. |
To: | |
Shared Package | |
ML20125C587 | List: |
References | |
TAC-43516, NUDOCS 8001100486 | |
Text
BAW-1581
December 1979
Docket No. 50-346
License No. NPF-3
Serial No. 573
January 4, 1980
Revised for Davis-Besse (Table 1) 12/31/79
AUXILIARY FEEDWATER SYSTEMS RELIABILITY ANALYSES
A Generic Report for Plants With Babcock & Wilcox Reactors
by W. W. Weaver, R. W. Dorman, R. S. Enzinna
BABCOCK & WILCOX, Power Generation Group, Nuclear Power Generation Division, P. O. Box 1260, Lynchburg, Virginia 24505
EXECUTIVE SUMMARY
This report presents a generic summary of the analysis methods and results of a reliability study of Auxiliary Feedwater Systems (AFWS) at operating plants with Babcock & Wilcox designed Nuclear Steam Supply Systems.
The objectives of this report were:
1) To identify, through reliability based insights, dominant contributors to AFWS unreliability.
2) To assess the relative reliability of B&W operating plant Auxiliary Feedwater Systems.
Dominant contributors to unreliability are identified in Table 2. These contributors vary widely in significance, ranging from the relatively unavoidable contribution of preventive maintenance to AC dependencies which preclude system operation on loss of AC power. In every case where significant contributors were identified, improvements by design and/or procedural changes should be achievable. These contributors provide a rational basis for design changes to improve AFWS reliability.
A comparative perspective on the range of reliabilities which can be expected from B&W operating plant Auxiliary Feedwater Systems is shown in Figure 1. The relationship of these values to the NRC-calculated reliabilities for plants of Westinghouse and Combustion Engineering design is not straightforward in that certain assumptions appear to be more conservative in the B&W analyses than in the NRC analyses; the basis for this belief is explained in Appendix B.
CONTENTS
EXECUTIVE SUMMARY
1.0 INTRODUCTION
  1.1 Background
  1.2 Objectives
  1.3 Scope
  1.4 Summary and Conclusions
  1.5 Limitations
2.0 DESCRIPTION OF ANALYSIS
  2.1 Analysis Method
  2.2 General Assumptions and Criteria
3.0 OVERVIEW OF B&W AUXILIARY FEEDWATER SYSTEMS
4.0 RELIABILITY EVALUATION
  4.1 Quantitative Analysis Results
  4.2 Dominant Failure Contributors
  4.3 Single Point Vulnerabilities
REFERENCES
APPENDIX A - NRC-Supplied Data
APPENDIX B - Comparability With NRC Analyses for the Reliability of Auxiliary Feedwater Systems
List of Tables
  2. Major Failure Contributors
List of Figures
  1A. Relative AFWS Reliabilities, LMFW
  1B. Relative AFWS Reliabilities, LMFW/LOOP
  1C. Relative AFWS Reliabilities, LMFW/LOAC
  B-1 Effect of Assumption on Calculated AFWS Reliability
  B-2 Comparison of B&W AFWS Reliability With NRC Results for W Plants
1.0 INTRODUCTION
This report presents a generic summary of the analysis methods and results of a reliability study of Auxiliary Feedwater Systems at operating plants with Babcock & Wilcox (B&W) designed Nuclear Steam Supply Systems.
The Auxiliary Feedwater System functions as an emergency system for the removal of heat from the primary system when main feedwater is not available. Some B&W operating plants refer to this system as an Emergency Feedwater System; however, throughout this report, the term Auxiliary Feedwater System (AFWS) will be used.
Also contained in this report is an overview of AFWS designs at the B&W operating plants, a description of assumptions used during this study and appropriate limitations which should be observed when considering the results of the study.
1.1 Background
As one outgrowth of the incident at Three Mile Island-2, the NRC requested all operating plants to consider means for upgrading the reliability of their Auxiliary Feedwater Systems. As a part of the response to this request, the B&W Owners Group utilities asked B&W to perform reliability analyses of the existing Auxiliary Feedwater Systems at each B&W operating plant. The ultimate objective of this work is to determine what changes, if any, will improve AFWS reliability.
The NRC has conducted similar analyses for Westinghouse and Combustion Engineering plants; descriptions of those analyses and the results are in References 1 and 2. The NRC requested that the B&W analyses be performed within a time frame and on a basis consistent with the NRC's own analyses. Accordingly, the scope of B&W's study and arrangement of the schedule were made in agreement with the NRC's request.
B&W performed the requested analyses and has issued to each of the utilities a report containing a plant specific AFWS reliability evaluation. A generic summary of the analysis methods and results contained in these plant specific reports is presented herein.
1.2 Objectives
The objectives of this study were:
o To perform simplified analyses to assess the relative reliability of B&W operating plant Auxiliary Feedwater Systems. It was intended that these analyses would be performed on a basis consistent with that used by the NRC in analyses for Westinghouse and Combustion Engineering plants. It was further intended that such consistency would be achieved by use of the same evaluative technique, event scenarios, assumptions and reliability data used by the NRC.
o To identify, through the development of reliability-based insight, dominant contributors to AFWS unreliability.
1.3 Scope
Auxiliary Feedwater Systems at the following B&W operating plants were analyzed:
  Rancho Seco
  Oconee Units I, II & III
  Crystal River-3
  Davis-Besse-1
  Arkansas Nuclear One-1
  Three Mile Island-1
The analysis for each plant was based on the configuration of the Auxiliary Feedwater System as it existed on August 1, 1979, but also included were any near-term changes which were already in process and which would be in place by December 3, 1979. An exception was made for the Three Mile Island-1 plant; a configuration date of early 1980, corresponding to the earliest anticipated startup of this plant, was used.
Three event scenarios were considered in this study:
o Case 1 - Loss of Main Feedwater with Reactor Trip (LMFW)
o Case 2 - LMFW coincident with Loss of Offsite Power (LMFW/LOOP)
o Case 3 - LMFW coincident with Loss of all AC Power (LMFW/LOAC).
These event scenarios were taken as given; that is, postulated causes for these scenarios and the associated probabilities of their occurrences were not considered. Additionally, external common mode events (earthquakes, fires, etc.) and their effects were excluded from consideration.
For each of the three cases, system reliability as a function of time was evaluated. Three times were considered: 5, 15 and 30 minutes following LMFW (refer to Section 2.2). A total of 54 detailed fault tree analyses were performed covering the six AFWS designs with three event scenarios and at three times for each event. Each plant's specific event tree can be found in the respective plant specific report (References 4-9).
1.4 Summary and Conclusions
The principal result of this study is the identification of dominant contributors to AFWS unavailability for each plant. Pending further evaluation by the utilities, these contributors may provide a rational basis for the selection of design changes to improve AFWS reliability.
The dominant contributors identified in Table 2 vary widely in significance, ranging from the relatively unavoidable contribution of preventive maintenance, to AC dependencies which will preclude system operation on loss of AC power. In every case where significant contributors were identified, improvements by design and/or procedural changes should be achievable. If appropriate modifications are accomplished, B&W operating plant AFW Systems will exhibit, as a group, reliabilities close to the maximum reliability attainable for real, two-train systems.
The quantitative results of these analyses, shown in Figure 1, provide a general comparative perspective on the range of reliabilities which can be expected from B&W operating plant Auxiliary Feedwater Systems.
Although it was intended that this study closely match the NRC study for Westinghouse and Combustion Engineering Auxiliary Feedwater Systems, the results of the two studies should not be directly compared; see Appendix B.
1.5 Limitations
Careful consideration must be given to the validity and applicability of the results of this study; these results could be misleading if taken out of context. Appropriate limitations on the use of these results include:
(1) Relative reliability standings. This report presents (Figure 1) the relative reliability standings of all the B&W plants, and while these results can show major differences, small differences between plants are not significant. Further, no direct comparison of the quantitative results for the B&W plants to the NRC calculated results for Westinghouse and C-E plants should be made without a thorough understanding of the analyses. Even though a concerted effort was made to maintain uniformity with analysis methods and assumptions used by the NRC, B&W believes that certain inconsistencies exist. (See Appendix B.)
(2) Absolute values of availability. This analysis resulted in only relative reliabilities and not absolute values of AFWS unavailability. Any inference of realistic AFWS reliability must address the probability of occurrence of the three event scenarios in addition to considering other defects which may accompany the conditions producing these scenarios.
(3) Dominant failure contributors. This analysis identified the dominant contributors to system unavailability; however, this report did not explore possible modifications to those contributors. While in some cases a simple change appears feasible, other cases are obviously complex situations with many possible solutions. Each utility must decide if cost-effective modifications are available for their dominant contributors. (Dominant contributors are discussed in Section 4.2.)
2.0 DESCRIPTION OF ANALYSIS
2.1 Analysis Method
The analysis method used to evaluate the reliability of Auxiliary Feedwater Systems in operating B&W plants involved the construction and analysis of fault trees. The techniques used in this effort were consistent with those described in the Reactor Safety Study, WASH-1400 (Reference 3).
The result of this analysis is the point unavailability of the AFWS, under three scenario conditions and at three points in time following the initial existence of conditions requiring AFWS initiation. Point unavailability is equivalent to the probability that the system will be unavailable at the point in time at which a demand is placed on it.
To support this analysis, each utility with a B&W NSSS furnished to B&W the plant specific system drawings, electrical schematic diagrams, operating, test and maintenance procedures and technical specifications for the Auxiliary Feedwater System and pertinent support systems. From this systems data, B&W extracted information necessary to prepare a detailed AFW system description (References 4 thru 9). This description was reviewed for accuracy by the utility to ensure that the system analyzed was, indeed, the system that physically exists at the site.
A fault tree was constructed for each utility based on this detailed system description. The top level event in the fault tree was failure to achieve mission success (defined in Section 2.2). Top level sub-branches of the tree generally involved multiple failures resulting in the unavailability of all feedwater trains and included unavailability arising from preventive maintenance activities. Examples of multiple failures leading to system unavailability of a two-train system include: failure of the pumps in both trains; or combination failures such as failure of one pump coupled with a discharge path failure in the opposite train and no available discharge cross-tie.
From the top level event, fault tree branches were expanded downward to a level of detail corresponding to unavailability data which was supplied by the NRC. This level of detail was typically that associated with component failure cause (valve plugging, pump control circuit failure, etc.).
The NRC-supplied unavailability data consisted of expected unavailability numbers for typical fluid and control system hardware, human failure probabilities as a function of time, and unavailability associated with preventive maintenance. This data was obtained as a part of Reference 1, and is shown in Appendix A. The data was supplemented when necessary by direct consultation with the NRC staff and by engineering judgment.
(The NRC has emphasized that these input data are largely unverified estimates of human and component reliability. According to the NRC, errors as large as an order of magnitude up or down may exist in this data. In spite of this uncertainty, such data can provide a uniform basis for obtaining reliability results for plants with substantially different system designs. Because of this uncertainty, absolute values of calculated reliability must be strongly de-emphasized, and even relative reliability standings are subject to uncertainty.)
After construction of the fault tree, unavailability analyses were performed. These analyses were accomplished by inserting the NRC-supplied data at the bottom-level basic events of the fault tree and then working upward with hand calculations to assess the cumulation of unavailability. Each tree was analyzed a total of nine times; this was necessary to incorporate appropriate modifications for the three event scenarios at each of three times following the initial demand.
Performing the analyses, at the level of detail described above, provided insights into the relative importance of various contributors to overall system reliability. Thus, the analysis approach used permitted the identification of major failure contributors, which was a major objective of the study.
2.2 General Assumptions and Criteria
Agreement was reached with the NRC staff regarding the assumptions and criteria used in this study, with the goal of obtaining results which were on a consistent basis with those produced by the NRC in its Westinghouse and Combustion Engineering analyses. The assumptions and criteria which were used in this study and which have general applicability are described below. Other, plant specific, assumptions were used and these are contained in the reliability reports for each utility (References 4-9).
1) Definition of Mission Success - In order to evaluate the contribution of system components to overall reliability, it was necessary to determine to what extent failure of those components might prevent successful accomplishment of the AFWS mission. This in turn requires an explicit definition of mission success. The definition adopted for this study was the attainment of flow from at least one full capacity pump (or from at least two half-capacity pumps) to at least one steam generator. Attainment of flow from only one half-capacity pump was not considered system success.
System reliability was calculated at times of 5, 15, and 30 minutes following the existence of initiating conditions to allow for a range of operator action. These times were specifically chosen because NRC-supplied operator reliability data for these times was available; these times are reasonable and consistent with LMFW mitigation for B&W plants. In their study, the NRC staff has used steam generator dryout time as a criterion for successful AFWS initiation, and the 5-minute case represents a comparable result for B&W plants with anticipatory reactor trips on LMFW. However, steam generator dryout itself does not imply serious consequences; a more appropriate criterion is the maintenance of adequate core cooling. Recent ECCS analyses (Reference 10) have shown that adequate core cooling can be maintained for times in excess of 20 minutes without AFWS operation, providing that at least one High Pressure Injection Pump is operated. (For Davis-Besse-1, the requirements are contained in References 7 and 11.)
In general, the loss of flow, resulting from random component failures after successful AFWS initiation, was not considered within the scope of this study. However, system characteristics or component limitations which were known to potentially restrict the duration of system operation (to less than 2 hours) were considered in accordance with NRC guidance. Such limitations were included by assuming that they resulted in instantaneous unavailability of the affected components unless the underlying causes were correctable within 5, 15 or 30 minutes. It must be emphasized that this method for accounting for latent failures results in a very conservative analysis. It may not take credit for successful AFWS operation until failure, nor does it allow for the possibility that corrective or mitigating measures can be used (such as restoring power or cycling components on and off).
2) Power Availability - The following assumptions were made regarding power availability:
LMFW - All AC and DC power was assumed available with a probability of 1.0.
LMFW/LOOP - All DC power was assumed available with a probability of 1.0. Where applicable, one diesel generator was assumed available with a probability of 1.0 and the other was assumed unavailable with a probability of 10^-2.
LMFW/LOAC - DC and battery-backed AC were assumed available with a probability of 1.0.
3) Interconnections with Other Units - In general, no credit was taken nor any penalty assigned for steam, electric power or auxiliary feedwater supplied from, or diverted to, other adjacent plants.
4) NRC-Supplied Data - NRC-supplied unreliability data for hardware, operator actions and preventive maintenance were assumed valid and directly applicable.
5) Coupled Manual Actions - Manual initiation of valves with identical function and the same physical location was considered coupled. Such valves were assumed to be both opened manually or both not opened. The case in which one valve was opened and the other valve was left closed was not considered.
6) Degraded Failures - This was a binary type analysis as defined in Reference 3. Degraded failures were not considered; that is, components were assumed to operate properly or were treated as failed.
7) Small Lines Ignored - Typically, lines on the order of 1-inch were ignored as possible flow diversion paths.
8) Steam Supply for AFWS Turbines - Adequate steam to the turbine-driven pump turbines was assumed for the 15 and 30 minute cases. These turbines and pumps are designed to deliver water to the steam generators using steam remaining in the steam lines after generator dryout.
3.0 OVERVIEW OF B&W AUXILIARY FEEDWATER SYSTEMS
A summary description of the major characteristics of Auxiliary Feedwater Systems at B&W operating plants is contained in Table 1. This information was extracted from plant specific reliability reports which were prepared for each utility (References 4-9). As indicated in the table, there are many functional similarities between the AFWS analyzed. These similarities and some exceptions are summarized below.
All AFWS are capable of providing auxiliary feedwater to one or both steam generators under automatic (or manual) initiation and control.
Each system consists of multiple feedwater trains with a combined capacity of twice the flow of a nominal full capacity pump. This capacity is achieved by the use of at least one full-capacity turbine-driven pump and, with the exception of Davis-Besse-1, which has two turbine-driven pumps, each has either one full-capacity or two half-capacity motor-driven pumps. With the exception of Crystal River-3 and the Oconee Units, all AFW turbines, motors and pumps are self-sufficient entities without dependence on secondary support systems.
Each AFWS has multiple suction sources available, including the condenser hotwell or other backup water supply. Switchover to the backup water supply requires manual action except for Davis-Besse-1, for which this action is automatic.
Motive power for the motor-driven pump(s) is obtained from one (or two, as applicable) nuclear service busses. These busses are backed by diesel generators or, at Oconee, hydro generators. Manual loading of the pump motors onto the diesel generators is required at Rancho Seco and Crystal River-3. In each system, steam for the AFWS turbine(s) may be obtained from either steam generator.
Conditions which will cause AFWS initiation vary between plants, with the only common initiating condition being loss of both main feedwater pumps. Every system will be initiated by at least one other condition; examples include: loss of all four reactor coolant pumps or low steam generator level. All AFWS pump initiation circuitry is battery-backed and, except for Arkansas Nuclear One-1, is independent of the Integrated Control System (ICS).
All AFWS but Davis-Besse-1 and the Oconee Units control the flow of auxiliary feedwater to the steam generators by flow control valves under ICS control. Oconee uses separate steam generator level control circuits and Davis-Besse-1 controls steam generator level by varying turbine speed.
With correct system alignment and no component failures, none of the plants require manual action to achieve mission success for Case 1 (LMFW). In Case 2 (LMFW/LOOP), none of the plants except the Oconee Units require manual action to obtain flow from the turbine-driven pump(s), but manual actions described earlier are required to energize the motor-driven pumps at Rancho Seco and Crystal River-3. In Case 3 (LMFW/LOAC), only Rancho Seco and Three Mile Island-1 will achieve sustained auxiliary feedwater flow from the turbine-driven pump without manual actions.
4.0 RELIABILITY EVALUATION
4.1 Quantitative Analysis Results
The quantitative results of the fault tree analyses are presented in Figures 1A, B and C. Indicated in these figures are the Auxiliary Feedwater System unavailabilities for each B&W operating plant for each of the three scenario cases and at each time: 5, 15 and 30 minutes. These figures provide a general comparative perspective on the range of reliabilities which can be expected from B&W operating plant Auxiliary Feedwater Systems. Limitations described in Section 1.5 should be observed when considering data presented in these figures.
Shown in each figure is an approximate upper limit for the reliability of a two-train AFW system in which the pump in one train is electric-powered from a diesel generator during loss of offsite power. This limit is calculated for a two-train system in which each train consists of one pump with drive, one check valve and one normally open flow control valve. Pump discharges are interconnected with a crosstie and pump suctions are connected to a "perfect" source. The system has no common mode vulnerabilities or human dependencies. This upper limit, which does not apply to Davis-Besse-1 in Cases 2 and 3 because of their two-turbine system, represents the reliability of an idealized system using only the number of components needed to approximate optimum reliability; this limit is calculated from NRC-supplied component failure data. The minimum reliability in each case represents unavailability of the system (i.e., probability of unavailability is 1.0). The presentation of reliability results in the format of Figure 1 demonstrates the range of reliabilities against a frame of reference which has physically meaningful limits for each case.
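The idealized two-train system described above can be worked as a small fault tree; this is an added example, not part of the B&W report. The component unavailabilities, the event names and the position of the crosstie are constructed assumptions; only the 10^-2 diesel generator unavailability, the binary (no degraded state) treatment and the mission-success definition are taken from the report. The sum over minimal cut sets is a common hand-calculation approximation and is shown beside the exact value.

```python
from itertools import combinations, product

# Constructed point unavailabilities per demand. These are NOT the NRC
# Appendix A values (not reproduced on this page); only the 1e-2 diesel
# generator figure comes from the report's Case 2 assumption.
Q = {
    "pump_A": 5e-3, "chk_A": 1e-4, "fcv_A": 1e-3,   # train A, no AC dependence (assumed)
    "pump_B": 5e-3, "chk_B": 1e-4, "fcv_B": 1e-3,   # train B, motor-driven
    "diesel_B": 1e-2,                               # feeds pump B in Case 2
}


def basic_events(case):
    """Case 1 (LMFW): AC power has probability 1.0, so the diesel drops out."""
    return [e for e in Q if case == 2 or e != "diesel_B"]


def mission_fails(failed, case):
    """Binary model: a component either works or is failed.

    Assumed layout: pump -> check valve -> crosstie -> flow control valve -> S/G.
    Success = flow from at least one pump to at least one steam generator.
    """
    source_a = not ({"pump_A", "chk_A"} & failed)
    needs_b = {"pump_B", "chk_B"} | ({"diesel_B"} if case == 2 else set())
    source_b = not (needs_b & failed)
    path_a = "fcv_A" not in failed
    path_b = "fcv_B" not in failed
    return not ((source_a or source_b) and (path_a or path_b))


def exact_unavailability(case):
    """Sum the probability of every component state in which the mission fails."""
    events = basic_events(case)
    total = 0.0
    for states in product((False, True), repeat=len(events)):
        failed = {e for e, down in zip(events, states) if down}
        if mission_fails(failed, case):
            p = 1.0
            for e in events:
                p *= Q[e] if e in failed else 1.0 - Q[e]
            total += p
    return total


def minimal_cut_sets(case):
    """Smallest sets of basic events whose joint failure defeats the mission."""
    events = basic_events(case)
    found = []
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            s = frozenset(combo)
            # Skip supersets of a cut set already found at a smaller size.
            if mission_fails(s, case) and not any(c <= s for c in found):
                found.append(s)
    return found


def rare_event_estimate(case):
    """Upper-bound estimate: sum of the minimal cut-set probabilities."""
    total = 0.0
    for cut in minimal_cut_sets(case):
        p = 1.0
        for e in cut:
            p *= Q[e]
        total += p
    return total


def single_point_vulnerabilities(case):
    """Basic events that defeat the mission on their own (cut sets of size 1)."""
    return [next(iter(c)) for c in minimal_cut_sets(case) if len(c) == 1]


if __name__ == "__main__":
    for case in (1, 2):
        print(f"Case {case}: exact={exact_unavailability(case):.3e} "
              f"estimate={rare_event_estimate(case):.3e} "
              f"cut sets={len(minimal_cut_sets(case))} "
              f"single points={single_point_vulnerabilities(case)}")
```

With these constructed inputs every minimal cut set has two events, so the idealized system has no single point vulnerability, and adding the diesel dependency in Case 2 adds cut sets and raises the unavailability.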
Consistent with the results reported by the NRC for Westinghouse and Combustion Engineering Plants (References 1 and 2), B&W operating plant AFWS designs exhibit more than an order of magnitude variability in the calculated reliability for each of the three event scenarios considered.
The effect of degraded power availability is indicated clearly by the differences in the results for each of the three cases. Except for the Oconee Units, the loss of offsite power results in a relatively small decrease in system availability (typically one order of magnitude or less), primarily resulting from the assumed unavailability of one of the two diesel generators (with a probability of 10^-2). However, as indicated by the Case 3 results, a loss of all AC power will have significant consequences for all units. In Case 3, all but two of the units have AC dependencies which would inhibit system operability.
The effect of corrective operator actions is also shown in Figure 1. As the time allowed for operator action increases from 5 to 15 and 30 minutes, system unavailability usually improves because human reliability improves and because the range of possible operator action increases (to include, for example, manual actions outside the control room). Reflecting the NRC-supplied human reliability data, this improvement is much more pronounced in the interval between 5 and 15 minutes than in the interval between 15 and 30 minutes. This improvement is also somewhat more pronounced in Case 1 than in Cases 2 and 3, where degraded power availability tends to reduce the number of available options for operator action.
In atypical cases, system reliability may decrease with time, even allowing for increased probability for operator corrective actions. This results from the treatment of latent failures discussed in Section 2.2.
4.2 Dominant Failure Contributors
A summary tabulation of dominant failure contributors revealed during the fault tree analyses is presented in Table 2. It appears that improvement of AFWS reliability, based on modifications of hardware-related failure contributors, should be achievable for all B&W plants. In no case are the contributors so extensive in nature that the inherent AFWS design is unacceptable. Improvement in AFWS reliability with the removal of dominant contributors is expected to be dramatic in some cases. For example, the addition of a valve position indicator may result in a calculated system reliability improvement of nearly an order of magnitude.
The most common dominant contributor for Case 1 is outage for preventive maintenance-related activities. Such outages reduce system redundancy and increase the likelihood of unavailability if AFWS use is required. Other typical contributors affecting more than one plant include: flow diversion through normally-closed manually-operated recirculation test valves which may be left open inadvertently, and failure to obtain pump initiation and/or control valve opening because both AFWS trains rely on common initiation/control circuit components.
In general, the loss of offsite power does not impose significant new conditions on the AFWS such that new and substantially different failure contributors become dominant. Thus, Case 2 major failure contributors tend to be identical with those identified during the Case 1 analyses. Specific exceptions to this rule include: human failures associated with the manual loading of the motor-driven pumps onto diesel generator-backed busses at Rancho Seco and Crystal River-3; and human failure to perform actions necessitated by automatic load shedding at Oconee.
With the exception of Three Mile Island-1 and Rancho Seco, the Case 3 analyses indicate significant AC dependencies for Auxiliary Feedwater Systems. These dependencies may be direct, as is the case for Davis-Besse-1 and Arkansas Nuclear One-1, where certain valves required for AFWS mission success are AC powered; or the dependencies may be indirect, as is the case for Crystal River-3 and the Oconee Units, where AFWS support systems require AC power for continued AFWS operation.
The significance of failure contributors must be carefully evaluated before design and/or procedural changes are recommended. Such evaluation is required because even the significance for the same contributor varies widely between plants. Such variation exists because the importance of failure contributors is distributed differently for different AFWS designs. A dominant failure contributor for a plant like Davis-Besse-1, which has a relatively uniform distribution of potential failure importance, may be almost insignificant by comparison to a dominant contributor for a plant with salient failure contributors. It is necessary to consider such factors in order to determine the most effective utilization of resources for reliability improvement.
4.3 Single Point Vulnerabilities
A review of Table 2 reveals that two of the AFWS designs (Davis-Besse and Oconee) do not have single point vulnerabilities in Case 1. In Case 2 only one AFWS (Davis-Besse) has no single point vulnerabilities. In Case 3, all plants have single point vulnerabilities.
i 1%ti 1. ' U:r.',it i of IW.ul iIt;el.:itl<!,8is , og (; ?.. oseiAlItr PtAral AtW s nll115 Irain ho ';eco th en.ce- l . l l I l l fay.tal River.) D.t v ibiles s e- l As i ansa s taur i . One.1 lin ee 11ile Islan.1 1 Puups I tuel ine/s.stor I tuel.inu. do ivesi . I tuibes.c .lsiven 2 lueleitie de-ivest I toebine driven drivest I tust.ine driven -
I notor driven 2 *,(ap. watne driven I amtor driven I a..s tos doivrai 2 *,t ap. motor driven Psimary Suction 250,000 g. CSI 50,tiou 9. U21Aib los Sounce 150,t,00 g. CSI 2 L51 *s ca(la 10/,000 g. CSI 2 C51*s cach IDP 250,000 g.
U516100,000 g. Cond. 150,000 g.
Ilo tw . for itOP '
Alter. Suition Canal 1 e eservoir Condensor flotwell Condensor llotwell Source connector 2 Svc. Water Irains flucl . Syc. Wa ter 5ys. Hiv. Water Sys. '
^
Switthover to Manual ttanual for IDP thnual Alt. Suction Auto. Minual Manual I
-Discharge Tes, uitte N.O. Ho (N.C. paths not Yes, two with t e t,ss t le valves Yes with it.C. valves Yes with ff.0. valves Yes any pump feeds considered) check valves 5fitCS/non. control any 5/G Iach Ind* feeds 15/G.
IDP feeds botin t.adop Power 2 diesel gen. Keovee hydro gen. 2 diesel gen. ? diesel tren. 2 diesel gen. 2 diesel gen.
Cnown Steam Yes Ves Yes E. t..,1y lleader Fed tio, sepaia te s tini. Yes Yes
,'_, supply lines with I v >n bo tti 5/G
<n , cross.over connec-t tions under SIRCS control l'*:ap YOP C5f A5. 4 Pt.P ti lp, 28tIUP to Disch Press 2 ftluP trip t ilf tt Viv. lli Rev. AP 2 811tlP Trip.! s/g to initiation 2 firuP trip 2 f tIUP irip 2 5/Glo leve.1 L S/G l olvl 4'l:CP 2 fif uP t n t.P. E ttf ur Irip ;
Lul. I Irip ,S/d to P*ll4 RCP Trip 4 I CP Irlp til.1* %me minus LSFAS Same Sane ti/A' Is mia :
Sanc meinus 2ilfldP Irip location l a t. to 105 Lat. to ICS [ m t. to 105 5f itC5 i
I.I'.4 Con t r o l. _ _ _ . l' 5 tein t r. for Ilsu
- g All within ICS - -.
--l-lLat, to ICS 5/Gi vi. Cont r. O ts.. . _ _ . 105 contr. fer l
- 1. Vahes tou tsul Vivs. 5/P's for ea(h 5/G llw flau rontr. vivs. ,Iuehin.t speed contr, g.105 tontr. for flow jlC5contr. for flow I for l oss of 4 RCP. contr. vivs ' sin ad-4.nn t r. vi vs . contr. vivs. 5/P's s tont r. valves. 5/P's j 2 filWP Sil:C5 Isol. vivs. for loss of 41TP, inr loa of 4 HCP,
~ All contr. sep. froen 2 fliWP 2 tilWP ICS
- t' pts ra tor t' .e t fl.nu? N'qal. ft9ne P'qd.
f(tions flone R*qd. t!nne R *.,d.
ilone R*iid. lione 1:".cl. (Opesa (>* 1 O
for Case 2 fl.oi.toadof litP on Open ILW Cool.Uater Stas wpply) f Si: stained Itan. tuod of lite lione R*qd. 14ane R*qd. teone it'eld . (0 pen 6*
C /.IW Ilaw H.G.(if Ito falls)
Viv..re. tore load .(if IDP falls) shed PWR g 5 tas. Supply) l C"3 Case 3 None it*qd. thne Avail, tsone Avail. Ibn. repen. AC Vlvs.
' @ itm.o AC Vlvs. ftone it' td.(Open 6"
_____...s_...__.._. ....k. _ _ pen_ ... -..I. N"** E"IblI - - - - - - -
Note: For details, refer to plant specific draft reports (References 4-9).
TDP - Turbine Driven Pump
MDP - Motor Driven Pump
RCP - Reactor Coolant Pump
CST - Condensate Storage Tank
MFWP - Main Feedwater Pump
UST - Upper Surge Tank
S/G - Steam Generator
S/P - Set Point
ICS - Integrated Control System
Revised 12/31/79
- l 'a ! t . / _MA.li!H_ Mll,UHl_. 3 Ottiftltullig .
Rancho Seco Oconee-I,II,III
_ Jptal ltiver- 6 Davis llesse-I . Ae hensa . that. l . One-I Itace flite Island-l II) f low diversion f rom I) luitiine suppun t 1) Valve plu99tng in 1) pieventive main-
- 1) Perventive main- 1) tailuse to olitain l both train via ei-cist. valvelu b H55, sys ti ia iai luers eg. a eunicani (oiiling teinanite of unie ti nante out .les. f ecibuter iIow aux, lutie nil pump. water line tolioth train (oupledwith if inadvertently 2) Ins hine pump hear- pumps,
- 2) f ailiste to otetaisi bit ause of at tua-g , open randoen f ailieres systens irit tiations that cistuit g*, ing talluie if 2) Outasjes for pov- in the other cara be(mese f ailureof g gg y '2) 0utahes f or pie- valve L P5W-131 ventive mainte- f ailures tunsiani to ven t i ve main tenan(e. elocan'tt.p n. defeat mission tems.sen uneennents both trains.
nante. success. In the initiation 2) Pwventive assini-3)ioss of suttion and control equip-hecause upper surge tenance outages.
' tants are not ,
sient f or Imth 3) Isolation valves replenished. trains. inadvertently left closed'
' 4) 510.# di vers ion via 3) flow diversion via liter pianp testing.
IWil A.12A llit or
~
recirc. valwe fitJ-88, 128.
If inadves tently open. 4) Suction related ,
failuies(incorsect -
allipunent of CV2303 and CV2800). I Ca'.e 1 Contiibutons Caw I lontilhutors Case 1 Cinstributors gelus:
Case 1 Contributor Case I Contributors Case I Coritritsutors p[lus 1 feiture: to nian- plus: ' ~
l udelly load unster 1)' toss of roolisii ill failure to m.aa. ally water to tortsine load the niotor driven inmip neto lie:np l.et_ause drivrn puup onto diesel. LIGH-131 is lu.ed t.he diesel.
i e,a ,< 4: s e.( d.
q g ,g gf 2) luu of sot tiun f or ggp tunteine unless 1 C-391 is opened j and NLinisal loading .
of hutuell pimps on l 41041 VAC leon es.
- 3) HS-W st. eying open lieviuse tr -Ill or H' 129 h e tailed
- on ,i i.n iii. . s e,I .a ,'
i, aa. tii se .e a.
for lushine I. st ~I tuait ritsutors i a:ase I awl 2 8 out rib- ] Caw I and .* I nnt rib- Caw I Cenit. ibulors i
dv61ving hariiid e utne. invalving tur'- plois involving t ur- Case I (ontritnetuis Case I (ontril,ulois " ~ ' -
stifvMnlpjm{f ~ pr.o ? lue bein puup.' liine f, 'tnihiise gumpl p)lus 1 -AC :depennient.e of (iTus: -
I) AC tependene.e of pei tanning to tuit ine p lir. and'tuileinepu.IplMs':
i 8ase 3: p)lus: all AlWS valves valves necessary 1[potes tial Iailuie INfu/
1 -ultimat.Oi>~dId ll' ul tiina te lids' o'I'~ proleileits initial for system ac tua- of it,V6 tactausi of 4 inc hin t l>i t ause of tuntiine pianp tie- AlWS missinsi IUAC '
ina kquale lobe oil o use of lad of tion piohibits loss of air leading
- O onlinj finm AC success, initial AfWS mis- to ilegrad.ed st(am l bearing (poling sion success.
O l opesated lobe oil water-supplied supply anil/or tur-o onoling water cirtu- from AC (oollny bine overspeed trip.
- y lating puup. wa ter ptmps.
[FIG. 1A RELATIVE AFWS RELIABILITIES, LMFW. Plants plotted: Rancho Seco, Oconee I, II, III, Crystal River-3, Davis-Besse-1, Arkansas Nuclear One-1, Three Mile Island-1. Horizontal axis: point unavailability, log scale, 0 to -6, with the direction of increasing reliability marked. Legend: 5 min, 15 min, 30 min; approximate maximum for a two-train system*. *Upper limit is different for Rancho Seco because of the multi-drive pump.]
[FIG. 1B RELATIVE AFWS RELIABILITIES, LMFW/LOOP. Revised 1/4/80. Plants plotted: Rancho Seco, Oconee I, II, III, Crystal River-3, Davis-Besse-1, Arkansas Nuclear One-1, Three Mile Island-1. Horizontal axis: point unavailability, log scale, 0 to -5, with the direction of increasing reliability marked. Legend: 5 min, 15 min, 30 min; approximate maximum for a two-train system*. *Where one train is electric powered from a diesel generator (i.e., excluding Davis-Besse-1). Limit is different for Rancho Seco because of the multi-drive pump.]
[FIG. 1C RELATIVE AFWS RELIABILITIES, LMFW/LOAC. Plants plotted: Rancho Seco, Oconee I, II, III, Crystal River-3, Davis-Besse-1, Arkansas Nuclear One-1, Three Mile Island-1. Horizontal axis: point unavailability, log scale, 0 to -5, with the direction of increasing reliability marked. Legend: 5 min, 15 min, 30 min; approximate maximum for a two-train system*. *Where one train is electric powered from a diesel generator (i.e., excluding Davis-Besse-1).]
REFERENCES
- 1. DRAFT version of Appendix III (W), Auxiliary Feedwater Systems, as transmitted in a letter from T. E. Murley (NRC) to E. A. Womack (B&W), November 8, 1979.
- 2. "Nuclear Power and Public Risk", IEEE SPECTRUM - Pgs. 58, November 1979.
- 3. WASH-1400 (NUREG-75/014), "Reactor Safety Study", USNRC, October 1975.
- 4. "Auxiliary Feedwater System Reliability Analysis for the Rancho Seco Nuclear Generating Station - Unit No. 1", Babcock & Wilcox, Sept. 10, 1979.
- 5. "Emergency Feedwater System Reliability Analysis for the Oconee Nuclear Generating Station, Unit No. I, II, III", Babcock & Wilcox, Revision 1, November 1979.
- 6. "Auxiliary Feedwater System Reliability Analysis for Crystal River Unit No. 3", Babcock & Wilcox, October 1979.
- 7. "Auxiliary Feedwater System Reliability Analysis for the Davis-Besse Nuclear Generating Station Unit No. 1", Babcock & Wilcox, Revision 1, November 1979.
- 8. "Emergency Feedwater System Reliability Analysis for Arkansas Nuclear One Generating Station Unit No. 1", Babcock & Wilcox, Revision 1, November 1979.
- 9. "Emergency Feedwater System Reliability Analysis for the Three Mile Island Nuclear Generating Station Unit No. 1", Babcock & Wilcox, Revision 1, Dec. 1979.
- 10. "Evaluation of Transient Behavior and Small Reactor Coolant System Breaks in the 177 Fuel Assembly Plant", Volume 1, May 7, 1979, Babcock & Wilcox.
- 11. "Evaluation of Transient Behavior and Small Reactor Coolant System Breaks in the 177 Fuel Assembly Plant", Volume III - Raised Loop Plants (Davis-Besse), May 16, 1979, Babcock & Wilcox.
APPENDIX A
NRC-SUPPLIED DATA USED FOR PURPOSES OF CONDUCTING A COMPARATIVE ASSESSMENT OF EXISTING AFWS DESIGNS & THEIR POTENTIAL RELIABILITIES

I. Component (Hardware) Failure Data

Point Value Estimate of Probability of Failure on Demand*

- a. Valves:
    Manual Valves (Plugged): ~1 x 10^[exponent illegible]
    Check Valves: ~1 x 10^[exponent illegible]
    Motor Operated Valves
      Mechanical Components: ~1 x 10^-3
      Plugging Contribution: ~1 x 10^[exponent illegible]
      Control Circuit (Local to Valve)
        w/ Quarterly Tests: ~6 x 10^[exponent illegible]
        w/ Monthly Tests: ~2 x 10^[exponent illegible]
- b. Pumps: (1 Pump)
    Mechanical Components: ~1 x 10^-3
    Control Circuit
      w/ Quarterly Tests: ~7 x 10^-3
      w/ Monthly Tests: ~4 x 10^-3
- c. Actuation Logic: ~7 x 10^-3

*Error factors of 3-10 (up and down) about such values are not unexpected for basic data uncertainties.
II. Human Acts & Errors - Failure Data:

Estimated Human Error/Failure Probabilities

Modifying Factors & Situations (each with a Point Value Estimate and an Estimate on Error Factor):
  - With Valve Position Indication in Control Room
  - With Local Walk-Around & Double Check Procedures
  - w/o Either

A) Acts & Errors of a Pre-Accident Nature
- 1. Valves mispositioned during test/maintenance.
a) Specific single I -2 I I -2 y valve wrongly selected 20 10 x X-20 - - x 10 20 x1X 10 10- xIX 10 N out of a population of valves during conduct of a tes t or maintenance ac t ("X" no. of valves in population at choice).
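b) Inadvertently leaves correct valve in wrong position.
     With valve position indication in control room: ~5 x 10^-4 (error factor 20)
     With local walk-around & double check procedures: ~5 x 10^-[exponent illegible] (error factor 10)
     w/o either: ~10^-2 (error factor 10)
- 2. More than one valve is affected (coupled errors).
     With valve position indication in control room: ~1 x 10^-4 (error factor 20)
     With local walk-around & double check procedures: ~1 x 10^-3 (error factor 10)
     w/o either: ~3 x 10^-3 (error factor 10)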
II. Human Acts & Errors - Failure Data (Cont'd):

Estimated Human Error/Failure Probabilities

B) Acts & Errors of a Post-Accident Nature
- 1. Manual actuation of AFWS from Control Room. Considering "non-dedicated" operator to actuate AFWS and possible backup actuation of AFWS.

     Time Actuation Needed    Estimated Failure Prob. for Primary Operator to Actuate AFWS Components
     ~5 min.                  ~5 x 10^-2
     ~15 min.                 ~1 x 10^-2
     ~30 min.                 ~5 x 10^-3

III. Maintenance Outage Contribution

Maintenance outage for pumps and EMOVS:

$Q_{\text{Maintenance}} \approx \dfrac{0.22\,(\#\ \text{hours}/\text{maintenance act})}{720}$
APPENDIX B
COMPARABILITY WITH NRC ANALYSES FOR THE RELIABILITY OF AUXILIARY FEEDWATER SYSTEMS

B.1 Background

A major objective, established at the outset of B&W's Auxiliary Feedwater System Reliability Study, was the production of reliability results which could be compared with the results obtained by the NRC in its analyses of Westinghouse (W) and Combustion Engineering (CE) plants (References 1 and 2). The desired comparability was to be achieved by maintaining consistency with the NRC analyses; this consistency was to involve use of the same three event scenarios, the same fault tree analysis method, and the same assumptions, levels of detail and data employed by the NRC. Questions regarding the NRC's approach were to be resolved by direct consultation with NRC staff personnel who had participated in the W and CE analyses.

B&W did not have access to the fault trees used in the NRC study and therefore had to rely on telephone consultations with the NRC and independent engineering judgment in many cases. It is now evident to B&W that some inconsistencies have occurred which may invalidate a direct comparison between the B&W and NRC results. In particular, the NRC calculated reliabilities reported for some W plants are higher than would be possible using the B&W approach. This implies that systematic differences in the calculated reliabilities may reflect differences in the B&W and NRC approaches, and do not necessarily signify actual differences in system reliabilities.
B.2 Examples of Evaluation Approach Differences and Their Effects

One important area of difference between the NRC and the B&W approach involves an assumption concerning the number of operating pumps required to achieve mission success. It appears that, in some cases, the NRC gave credit for mission success upon successful operation of a single "half-capacity" pump. The effect of this on system reliability, depending on other areas of redundancy, is to shift reliability toward that of a three-train system.

Two of the AFW systems analyzed by B&W also employed half-capacity pumps; however, B&W assumed that mission success could not be achieved by operation of one half-capacity pump by itself. An example of the effect of this assumption is shown in Figure B1 for the Oconee Units. As indicated in the figure, the assumption of mission success upon operation of a single half-capacity pump improves the calculated system reliability by more than an order of magnitude. An estimated reciprocal effect on one of the W plants analyzed by the NRC is also shown in Figure B1. As expected, the quoted reliability decreases by over an order of magnitude.
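The effect of the pump success criterion described above can be reproduced with a small state enumeration. This is an added illustration, not part of the B&W report or its fault trees. It assumes a hypothetical layout of one full-capacity turbine-driven pump and two half-capacity motor-driven pumps, independent failures with no common-cause terms, the Appendix A pump point values with a quarterly-tested control circuit, and an assumed 8 hours per maintenance act.

```python
from itertools import product

# Appendix A point estimates (probability of failure on demand).
PUMP_MECHANICAL = 1e-3          # pump, mechanical components
PUMP_CONTROL_QUARTERLY = 7e-3   # pump control circuit, quarterly tests
HOURS_PER_MAINT_ACT = 8.0       # assumed value, not taken from the report


def maintenance_unavailability(hours_per_act):
    """Appendix A, section III: 0.22 * (hours per maintenance act) / 720."""
    return 0.22 * hours_per_act / 720.0


def pump_unavailability(hours_per_act=HOURS_PER_MAINT_ACT):
    """Rare-event sum of the independent contributors for one pump."""
    return (PUMP_MECHANICAL + PUMP_CONTROL_QUARTERLY
            + maintenance_unavailability(hours_per_act))


def system_unavailability(capacities, q, required=1.0):
    """Enumerate every run/fail combination of the pumps. The mission fails
    when the combined capacity of the running pumps is below `required`."""
    total = 0.0
    for state in product((True, False), repeat=len(capacities)):
        prob = 1.0
        delivered = 0.0
        for running, capacity in zip(state, capacities):
            prob *= (1.0 - q) if running else q
            delivered += capacity if running else 0.0
        if delivered < required:
            total += prob
    return total


def compare(q=None):
    """Return (strict, credit, ratio) for the two success criteria."""
    q = pump_unavailability() if q is None else q
    pumps = (1.0, 0.5, 0.5)  # hypothetical: 1 full-capacity + 2 half-capacity
    # One half-capacity pump alone is NOT success (the B&W assumption).
    strict = system_unavailability(pumps, q, required=1.0)
    # One half-capacity pump alone IS success (credit the NRC appears to give).
    credit = system_unavailability(pumps, q, required=0.5)
    return strict, credit, strict / credit


if __name__ == "__main__":
    strict, credit, ratio = compare()
    print(f"strict criterion: {strict:.2e}")
    print(f"single half-capacity pump credited: {credit:.2e}")
    print(f"ratio: {ratio:.0f}")
```

With the credit applied, the system behaves as three independent trains (unavailability q^3); without it, the two half-capacity pumps act as one train in series (about 2q^2). Because this sketch has no common-cause or shared-support terms, its ratio overstates the shift a full fault tree would show.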
The use of different pump operation assumptions described above is a readily detectable difference between the B&W and NRC approaches; other differences may also exist. One such area of concern is the scope and level of detail of the fault tree analyses. The level of detail (fault tree failure rate data input level) used by B&W appears to be generally consistent with that used by the NRC; however, the scope (number of fault tree branches) of B&W's analyses may be greater. It is likely that, with more time available, B&W conducted a more comprehensive analysis; and a more comprehensive analysis frequently results in a lower calculated reliability.

B.3 Comparison of Reliability Results

Figure B2 shows a comparison of calculated reliabilities for the B&W operating plants with results obtained by the NRC for W and CE. The format for this figure was derived from References 1 and 2.

The figure demonstrates that, with allowances for analysis differences, the range of expected AFWS reliabilities for B&W plants is similar to that obtained by the NRC for W and CE.
[FIG. B1 EFFECT OF ASSUMPTION ON CALCULATED AFWS RELIABILITY. Case 1: LMFW. Shown: Oconee I, II, III and the effect of the assumption on 1/2-capacity pumps. Horizontal axis: point unavailability, log scale, 0 to -5. *Data obtained from Reference 1 and Plant X FSAR.]
[FIG. B2 COMPARISON OF B&W AFWS RELIABILITY WITH NRC RESULTS FOR W PLANTS. Revised 1/4/80. Columns: Case 1: LMFW; Case 2: LMFW/LOOP; Case 3: LMFW/LOAC, each divided into low, medium and high reliability. Rows: Rancho Seco, Oconee Units, Crystal River-3, Davis-Besse-1, Ark. Nuc. One-1, Three Mile Island-1, range of B&W plants with NRC assumptions, range of W plants (by NRC). Legend: AFW within 5 min.; AFW within 20 min.; reliability change derived from Fig. B1.]