ML20133D892

Full-Scale Plant Safety & Availability Assessment: Demonstration of Go Sys Analysis Methodology, Vol 1, Plant-Level Models, Final Rept
ML20133D892
Person / Time
Site: Sequoyah (Tennessee Valley Authority)
Issue date: 07/31/1985
From: Kreslyon Fleming, Raabe P, Reny D
PLG, INC. (FORMERLY PICKARD, LOWE & GARRICK, INC.)
To:
Shared Package
ML20133D849 List:
References
EPRI-NP-4128, EPRI-NP-4128-V01, EPRI-NP-4128-V1, NUDOCS 8510090212
Download: ML20133D892 (368)


Text

{{#Wiki_filter:EPRI NP-4128, Volume 1, Project 1842-4, Final Report, July 1985

Electric Power Research Institute

Topics: Risk assessment; Plant safety; Plant availability; Sequoyah nuclear power plant; GO methodology; Systems reliability analysis

Full-Scale Plant Safety and Availability Assessment: A Demonstration of GO System Analysis Methodology

Volume 1: Plant-Level Models

Prepared by Pickard, Lowe and Garrick, Inc., Newport Beach, California

8510090212 DR 851002 ADOCK 05000327 PDR

REPORT SUMMARY

SUBJECTS: Risk assessment / Reliability, operations, maintenance, and human factors / Safety analysis

TOPICS: Risk assessment; Sequoyah nuclear power plant; Plant safety; GO methodology; Plant availability; Systems reliability analysis

AUDIENCE: Safety and productivity managers

Full-Scale Plant Safety and Availability Assessment: A Demonstration of GO System Analysis Methodology, Volumes 1 and 2

The probabilistic GO methodology has demonstrated its ability to perform plant-level safety and availability analyses. The methodology proved effective in modeling system performance, and the GO software, numerically efficient in quantifying system models and identifying critical components.

BACKGROUND In the past three or four years, utility analysts have found GO methods easy to use and computationally efficient in system reliability studies. The applicability of the method for larger, integrated full-plant safety and availability models, however, had not been evaluated. EPRI and cosponsor TVA initiated a demonstration study in 1981. They designed the study to provide a thorough plant-level test of the methodology without unnecessary detail. The initial phases of the assessment, through 1983, are described in EPRI report NP-3382.

OBJECTIVE To demonstrate the applicability of GO methodology and software to a plant-level safety and availability analysis.

APPROACH For the safety study, the project team developed 14 initiating event sequences. Two of these sequences, large loss-of-coolant accidents and loss of steam flow, were quantified and analyzed. Those sequences are representative of the complexity found in a Level 1 probabilistic risk assessment. For the availability study, they modeled and integrated more than 40 production and support systems. They quantified the integrated models for assessing the plant performance at 100% rated power. The TVA's Sequoyah nuclear power plant served as the reference plant.

RESULTS The study demonstrated that the GO methodology is an effective system analysis technique for both safety and availability studies. In the safety study, the GO model representation of the event sequence, the integration of GO system models into the sequence, the quantification of the sequence model, and the identification of critical components all were successful. A plant-level availability model, consisting of more than 40 systems having more than 1500 components, was constructed and quantified. However, because of limitations on the scope of this demonstration, the quantitative results constituted examples only, rather than the results of a complete plant-specific safety and availability analysis.

In addition to updating the material provided in interim report NP-3382, this final report contains several new approaches developed in response to the requirements of this large, complex, plant-level analysis and more detailed information on system and safety models. Volume 1 documents the plant-level models, whereas Volume 2 contains the appendix documenting the detailed system-level models.

EPRI PERSPECTIVE In a large-scale system analysis, attributes such as communication, comprehension, modification, and documentation of the models are very important. The GO methodology has very good characteristics in these respects. Especially when the analyzed results are to be applied to other engineering activities, such as enhancement of operating procedures and system maintenance, consideration of system design alternatives, and improvement of plant availability, the GO representation of system function and interdependence with linked models, together with its efficiency in model quantification may possess unique advantages. The methodology is also suitable for analyzing plant availability. This capability is expected to be very useful to the electric utility industry.

PROJECT: RP1842-4
EPRI Project Manager: Boyer B. Chu, Nuclear Power Division
Contractor: Pickard, Lowe and Garrick, Inc.

For further information on EPRI research programs, call EPRI Technical Information Specialists (415) 855-2411.

EPRI NP-4128s, Vols. 1 and 2

Full-Scale Plant Safety and Availability Assessment: A Demonstration of GO System Analysis Methodology

Volume 1: Plant-Level Models

NP-4128, Volume 1
Research Project 1842-4
Final Report, July 1985

Prepared by
PICKARD, LOWE AND GARRICK, INC.
2260 University Drive
Newport Beach, California 92660

Principal Investigators
P. H. Raabe
D. A. Reny
K. N. Fleming

Contributors
A. W. Barsell
D. C. Bley
W. C. Gekler
J. M. Geumlek
D. H. Johnson
A. Mosleh
R. J. Mulvihill
J. G. Stampelos
D. W. Stillwell
D. M. Wheeler

Prepared for
Electric Power Research Institute
3412 Hillview Avenue
Palo Alto, California 94304

EPRI Project Manager
B. B. Chu
Risk Assessment Program
Nuclear Power Division

ORDERING INFORMATION

Requests for copies of this report should be directed to Research Reports Center (RRC), Box 50490, Palo Alto, CA 94303, (415) 965-4081. There is no charge for reports requested by EPRI member utilities and affiliates, U.S. utility associations, U.S. government agencies (federal, state, and local), media, and foreign organizations with which EPRI has an information exchange agreement. On request, RRC will send a catalog of EPRI reports.

Copyright © 1985 Electric Power Research Institute, Inc. All rights reserved.

NOTICE

This report was prepared by the organization(s) named below as an account of work sponsored by the Electric Power Research Institute, Inc. (EPRI). Neither EPRI, members of EPRI, the organization(s) named below, nor any person acting on behalf of any of them: (a) makes any warranty, express or implied, with respect to the use of any information, apparatus, method, or process disclosed in this report or that such use may not infringe privately owned rights; or (b) assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method, or process disclosed in this report.

Prepared by Pickard, Lowe and Garrick, Inc., Newport Beach, California

EPRI FOREWORD

The Sequoyah nuclear power plant full-scale safety and availability demonstration has been a significant endeavor within the Risk Assessment Program of the Nuclear Power Division. The primary objective of this study has been to demonstrate the use of GO methodology in a large-scale system analysis and to assess the technical merits of the methodology in such an application. This foreword is intended to share experience and observations concerning the strengths and limitations of the GO methodology and software in this large-scale application.

The use of GO techniques for large-system analysis was successfully demonstrated in this study. Several system-level benchmark studies have also been performed recently by utilities. By now, the methodology has evolved into a practical engineering tool. At present, more than 30 domestic utility companies have in-house engineering capability for using GO methodology and more than 10 are employing this technique routinely. These applications continue to provide us with supplementary information to use in assessing the GO methodology. The collective assessment so far is summarized below.

GO EVENT SEQUENCE DIAGRAM (ESD) DEVELOPMENT

In some probabilistic risk assessments (PRAs), ESDs are used to describe the safety logic involved in an initiating event. These ESDs perform the same function as event trees (i.e., describing the progression, logic, and timing of event sequences). The GO representation has been used to characterize 13 ESDs in this study. It appears that the GO representation of ESDs provides a good portrayal of intrasystem dependencies and is flexible to manipulate yet can still be used to generate "standard" event trees in conventional format. However, the construction of GO ESDs may require more manpower resources than the preparation of event trees. The logic models of those GO ESDs could at times be complex to develop.

SYSTEM MODEL DEVELOPMENT AND QUANTIFICATION

In this area, the GO method has demonstrated its strength. GO system model development appears to be less difficult than other approaches. The method can effectively handle system dependencies, feedback loops, system details, and model modifications. The output of a GO computer run provides information on the maximum error accumulated from the roundoff error and the deletion error introduced from user-preassigned deletion criteria used in the model evaluation procedure. This is useful information in the system quantification process. Since the GO software uses a direct evaluation procedure to quantify the GO models, the quantification procedure is numerically efficient.

FAULT SET IDENTIFICATION AND RANKING

The GO software determines the minimum cut sets from the GO system model and ranks their importance by several criteria. However, there are several GO operators, such as the NOT gate, the signal splitter gate, and two or three others, that have logical structures very different from conventional fault tree analysis concepts. Use of these types of GO operator will not allow accurate cut-set identification. Furthermore, at the present time because the cut-set identification process used in the GO software is not numerically optimum, that process results in lengthy computer runs for large models. Additional software development may be required to eliminate this deficiency in the software.

SYSTEM LINKING AND INTEGRATION

The GO system models can be readily and correctly combined in accordance with event sequence models. These sequence models can then be quantified efficiently. The models' linking, integration, and sequence quantification appear to be as effective as other procedures, such as use of event tree or fault tree techniques in PRA. However, some difficulty has been encountered in the identification of dominant contributors in such GO sequence models--a very important aspect of system analysis. In the report, a procedure has been devised for determining the dominant contributors by using GOST software (a GO module). However, the procedure still appears to be tedious.

OTHER COMMENTS

In a large-scale system analysis, attributes such as communication, comprehension, modification, and documentation of the models are very important. The GO models have very good characteristics in these respects. The methodology is also suitable for analyzing plant availability. This capability is expected to be very useful to the electric utility industry.

In conclusion, the GO methodology was found in this study to be a viable alternative to fault tree analysis for PRA. When the results of PRA are to be applied to other engineering activities, such as enhancement of operating procedures and system maintenance, determination of system design alternatives, and application to plant availability improvement, the GO representation of system function and interdependence with linked models, together with its efficiency in model quantification may possess unique advantages. However, the GO approach will require further enhancement, particularly in the identification of cut sets and dominant contributors in large models.

We are in debt to Roberta Galante, Robert Christie, L. Wang Lau, and John Raulston of TVA and to William Sugnet of EPRI for their valuable suggestions and guidelines in this study. We are also grateful to TVA, owners of the Sequoyah nuclear power plant, for providing technical manpower and computer resources to support this work.

Boyer B. Chu, Project Manager
Nuclear Power Division

ABSTRACT

This report marks the completion of a research project to demonstrate the usefulness and effectiveness of the GO methodology, originally developed by Kaman Sciences Corporation, to assess the safety and availability of nuclear power plants. The technical approach was to develop limited scope and availability assessment models patterned after a nuclear power plant design similar to the Sequoyah Nuclear Plant Unit 1 and to demonstrate that these models could be quantified using hypothetical data for a partially complete list of risk and loss of productivity contributors. The basic capabilities of quantification of large plant-level models and determination of contributors were demonstrated. Important insights about strengths, limitations, and ways to circumvent these limitations of the GO methodology in large, plant-level applications were identified.

ACKNOWLEDGMENT

The authors are pleased to acknowledge important contributions of those not listed as investigators. This study would not have been possible without the support of Tennessee Valley Authority (TVA) that provided the demonstration plant, documentation of the design and safety characteristics, and in-depth technical reviews of report drafts and project deliverables. Among the many at TVA deserving mention, Roberta Galante and Larry Proctor provided especially noteworthy contributions through their careful reviews and suggestions. The authors are deeply appreciative of the important enhancements to the technical quality of the report made possible by the review of William R. Sugnet of the Electric Power Research Institute. Finally, the publications staff at Pickard, Lowe and Garrick, Inc., is commended for producing a quality manuscript.

CONTENTS, VOLUME I

SUMMARY

1 INTRODUCTION
  1.1 References

2 GO METHODOLOGY
  2.1 General Description
  2.2 Simple GO Operators
  2.3 Supertypes
  2.4 Quantification
  2.5 Postprocessors
    2.5.1 GOLF
    2.5.2 STEVE
    2.5.3 GOST
  2.6 References

3 AVAILABILITY ANALYSIS
  3.1 Introduction
  3.2 Plant Description
    3.2.1 Success Criteria
    3.2.2 Configuration
    3.2.3 Operation
    3.2.4 Testing and Maintenance Requirements
  3.3 System Descriptions
    3.3.1 Primary System
    3.3.2 Secondary System
    3.3.3 Auxiliary Systems Description
  3.4 Availability Model
    3.4.1 Primary System Model
    3.4.2 Secondary System Model
    3.4.3 Auxiliary Systems Model
    3.4.4 Results

4 SAFETY MODEL
  4.1 Analysis Objectives and Scope
  4.2 Methodology
    4.2.1 Methodology Overview
    4.2.2 Initiating Events
    4.2.3 Plant Safety Logic
    4.2.4 Systems Analyses
    4.2.5 Integration
    4.2.6 Quantification
    4.2.7 Sequence Unraveling
  4.3 Initiating Events
  4.4 Plant Safety Logic
    4.4.1 Event Sequence Diagrams
    4.4.2 Description of Success Criteria for ESD Functional Blocks
    4.4.3 GO Models
  4.5 Descriptions of Systems/Functions in ESDs
    4.5.1 Description of System Analyses Functions
    4.5.2 Description of Operator and Minisystem Functions
  4.6 Systems Analyses
    4.6.1 Detailed Systems Models
    4.6.2 Model Condensation
  4.7 Quantification
    4.7.1 Model Integration
    4.7.2 GO Analyses
    4.7.3 STEVE Analyses
    4.7.4 Development of Annual Frequencies
  4.8 Sequence Unraveling
    4.8.1 Two-Stage Integrated Model
    4.8.2 Hard-Wired Sequence Approach
  4.9 Summary of Results
    4.9.1 STEVE Results
    4.9.2 Annual Frequencies of Sequences
    4.9.3 Sequence Unraveling
  4.10 References

5 DATA
  5.1 Component Failure Rate Data
    5.1.1 Data Base Development Methodology
    5.1.2 Component Failure Rates
  5.2 Component Maintenance Data
    5.2.1 General Considerations
    5.2.2 Component Maintenance Distributions
    5.2.3 Component Unavailability Due to Maintenance
  5.3 Initiating Events Frequency
    5.3.1 LLOCA
    5.3.2 Loss of Steam Flow
  5.4 Availability Model Data
  5.5 References

6 CONCLUSIONS AND RECOMMENDATIONS
  6.1 GO Methodology Demonstration
  6.2 GO Modeling Insights and Enhancements
  6.3 Safety Analysis Results
    6.3.1 Event Sequence Modeling
    6.3.2 Event Sequence Quantification
    6.3.3 Tracing of Important Contributors
  6.4 Plant Availability Assessment
  6.5 Recommendations
  6.6 References

ILLUSTRATIONS, VOLUME I

Figure
S-1 Coverage of Event Sequences in GO Safety Demonstration Model
S-2 Tracing of Dominant Contributors to a Selected Sequence in Sequoyah Safety Model
2-1 Chart of GO Operator Symbols
2-2 Comparison of System Diagram, GO Model, and Fault Tree for Example System
2-3 GO Model of System in Figure 2-2 Using Supertypes
3-1 Reactor Coolant System Flow Diagram
3-2 Simplified Diagram of Pressurizer Components
3-3 Chemical and Volume Control System
3-4 Secondary System Configuration
3-5 Main Steam System Configuration
3-6 Turbine and Moisture Separator Reheater Configuration
3-7 Condenser and Hotwell Configuration
3-8 Condensate Demineralizers Configuration
3-9 Condensers and Condensate Heaters Configuration
3-10 Condensate Booster Pumps and Condensate Heaters Configuration
3-11 Main Feedwater Configuration
3-12 Condenser Circulating Water Configuration
3-13 Raw Cooling Water Configuration
3-14 No. 3 Heater Drain Configuration
3-15 No. 7 Heater Drain Configuration
3-16a Plant Availability Model
3-16b Auxiliary Systems Availability GO Model
3-16c Primary and Secondary Systems Availability GO Model
3-17 GO Model for the Chemical and Volume Control System
3-18 GO Model for the Reactor Coolant System (ST 975)
3-19 Secondary System Model
3-20 Supertype 100 - Steam Generators and Blowdown
3-21 Supertype 700 - Turbine and Moisture Separator Reheaters
3-22 Supertype 800 - Condensers and Hotwell Pumps
3-23 Supertype 900 - Condensate Demineralizers and Pumps
3-24 Supertype 1100 - Heaters 5, 6, and 7
3-25 Supertype 1200 - Condensate Booster Pumps
3-26 Supertype 1300 - Heaters 2, 3, and 4
3-27 Supertypes 1500 and 1550 - Main Feedwater
3-28 Supertype 300 - Condenser Circulating Water (Closed Cycle Mode)
3-29 Supertype 1600 - Raw Cooling Water
3-30 Supertype 500 - Number 7 Heater Drain Tank and Pumps
3-31 Supertype 600 - Number 3 Heater Drain Tank and Pumps
3-32 Supertype 1700 - Generator and Support Systems
4-1 Illustrative GO Model Format for a Simple ESD
4-2 Organization of System Models for Safety Study
4-3 Equipment Functional State Represented by Multiple Operators
4-4 GO Model Condensation
4-5 Basic GO Safety Model Integration Concept
4-6 Master Logic Diagram
4-7 Large LOCA ESD 1
4-8 Loss of Steam Flow ESD 7
4-9 GO Model for ESD 1 Large LOCA
4-10 GO Model for ESD 7 Total Loss of Steam Flow
4-11 Uncondensed Model for ST 105
4-12 Condensed Model for ST 105
4-13 Uncondensed Model for ST 1100
4-14 Modified Uncondensed Model for ST 1100
4-15 Condensed Model for ST 1100
4-16 First Stage Development of Abbreviated ESFAS Model
4-17 Final Abbreviated Model of ESFAS
4-18 STEVE Output for ESD 1
4-19 Event Tree for ESD 7
4-20 Hand-Corrected Event Tree for ESD 7
4-21 ESD 7 Frontline Systems Model
4-22 Reactor Trip System Condensed Model (Supertype 1300)
4-23 Auxiliary Feedwater System Condensed Model (Supertype 1600)
4-24 Bleed and Feed Condensed Model (Supertype 1901)
4-25 Bleed and Feed Condensed Model (Supertype 1905)
4-26 CVCS Pumps (Supertype 1960)
4-27 SI Pumps (Supertype 1970)
4-28 CVCS Injection Paths (Supertype 1940)
4-29 Diesel Generator/ERCW System Dependency Logic
4-30 Hard-Wiring of Sequence 5 in ESD 7
4-31 Hard-Wiring of Dominant Subsequence to Sequence 5 in ESD 7
4-32 Sequence 14 of Trace 2
4-33 Sequence 34 of Trace 3
4-34 STEVE Output for ESD 1
4-35 Event Tree for ESD 7
4-36 Coverage of Event Sequences in GO Safety Demonstration Model
6-1 Coverage of Event Sequences in GO Safety Demonstration Model
6-2 Tracing of Contributors in ESD 7 Using Single-Stage Integrated Plant Model
6-3 Tracing of Contributors in ESD 7 Using Double-Stage Integrated Plant Model

TABLES, VOLUME I

Table
2-1 GO Operator Functions
2-2 GO Input Records
2-3 GO1 Input Records for Supertype Example
3-1 Sequoyah Nuclear Plant Availability Model - Major Systems and Components Required for 100% Power
3-2 Availability Model Systems
3-3 Auxiliary System Dependencies for Primary and Secondary Systems
3-4 Auxiliary System Dependencies
3-5 Availability Model Signal Numbers
3-6 Auxiliary System Results
3-7 Chemical and Volume Control System Results
3-8 Reactor Coolant System Results
3-9 Primary System Results
3-10 Condenser Circulating Water Results
3-11 Raw Cooling Water Results
3-12 Main Steam System Results
3-13 Heater Drain Tank 7 and Pumps Results
3-14 Heater Drain Tank 3 and Pumps Results
3-15 Condensate System Results (System Availability = 0.989478)
3-16 Condensate System Results (System Availability = 0.9784296)
3-17 Main Feedwater System Results
3-18 Electrical Generating System
3-19 Secondary System Results
3-20 Plant System Results
4-1 Initiating Event Categories
4-2 Initiating Events Selected for Detailed Modeling
4-3 Systems/Function Versus ESDs
4-4 Impacts of Input on ESFAS Output
4-5 Output Failure Fractions for Condensed and Uncondensed Models
4-6 Comparison Statistics for ESFAS Model
4-7 Comparison Statistics for Auxiliary Systems Model
4-8 Input File for ESD 7 GO Model
4-9 GO3 Output for ESD 1
4-10 GO3 Truth Table for ESD 7
4-11 Input File for ESD 7 "STEVE" Analysis
4-12 ESD 1 Sequence Frequencies
4-13 ESD 7 Sequence Frequencies
4-14 Matrix of Dependencies Between Auxiliary Systems and Frontline Systems
4-15 Matrix of Translation from Frontline System Impacts to Frontline System Model Input Signals
4-16 Auxiliary Model Output Signal Descriptions
4-17 GO Auxiliary Model Truth Table
4-18 GOST Input File
4-19 GOST Output of Impact Vectors
4-20 Impact Vector Grouping
4-21 GO Output - Frontline Systems Model Runs
4-22 Final Quantification
4-23 GOLF Output of Dominant Cutsets for Auxiliary State 14
4-24 Trace 1 of Sequence 5 in ESD 7
4-25 Trace 2 of Sequence 5 in ESD 7
4-26 Output for Trace 3
4-27 Signals Used for Hard-Wired Sequences
4-28 Tracing Root Causes of Sequence 5 in ESD 7
4-29 Summary of Numerical Results of the Tracing Process
4-30 Sequence Frequencies for Large LOCA
4-31 Sequence Frequencies for Total Loss of Steam Flow
4-32 Sequence Frequencies for Loss of Steam Flow with Subsequent ATWS
4-33 Sequence Frequencies for Small LOCA Response to Loss of Steam Flow with Subsequent ATWS
4-34 Frequencies by Plant State Totaled for Large LOCA and Loss of Steam Flow (Including ATWS and SLOCA) Initiator Categories
4-35 Unraveling Results from Two-Stage Integrated Model
5-1 Component Failure Data Source List
5-2 Sequoyah Component Failure Rate Data
5-3 Summary of Component Maintenance and Unavailability Data
5-4 Plant Population Data for Loss of Steam Flow Initiating Events
5-5 Reliability and Maintainability Data Used in Availability Model
6-1 Comparison of Results with Truncation Errors for Large LOCA and Loss of Steam Flow ESD Models
6-2 Comparison of Predicted and Experienced Availability Factors for Sequoyah
6-3 Systems Most Important to Plant Unavailability
6-4 Major Contributors to 100% Power Unavailability

SUMMARY

This report presents the results of a research project whose purpose was to determine the effectiveness and usefulness of the GO methodology in order to a:sess the safety and availability of nuclear power plants. The GO methodology is a cenputerized, probabilistic systems analysis technique. The approach followed to conduct this investigation was to effect a limited demonstration of the GO ' methodology on Sequoyah Nuclear Plant Unit 1, which is owned and operated by the Tennessee Valley Authority (TVA). In a previous project (Reference S-1), the usefulness of the GO methodology to

        - assess system reliability characteristics was demonstrated in a benchmark comparison with fault tree analysis. The favorable results of this comparison, which was carried out at the system level, indicated the potential for using the GO methodology in probabilistic risk assessment (PRA). Further support of the idea that GO might become an effective plant-level safety assessment tool was provided in the Midland PRA (Reference S-2). In that project, GO was used to quantify one of the event tree modules that modeled all the auxiliary (support) systems on both reactor units at Midland in response to a fuil complement of PRA initiating events. What remained to be demonstrated in this project for PRA applications was the full use of the GO methodology to model a complete set of plant event trees, covering frontline and auxiliary systems, and their functional interdependencies.

A second dimension to this GO methodology demonstration project has been to explore the extent to which an integrated GO model of a nuclear power plant can be used to assess plant availability (productivity) characteristics, as well as to perform a PRA-type safety assessment. No other modeling technique, such as fault tree analysis, event tree analysis, or combinations of these, has ever been demonstrated in a plant-level study to be capable of an integrated safety and availability assessment. Therefore, the investigation of an integrated safety and availability assessment capability for the GO methodology was an important facet of this project.


With the above perspective, the objectives established for this project were to:

• Develop integrated plant and systems models based on the Sequoyah Nuclear Plant Unit 1 for demonstration in safety and availability assessment.
• Quantify these models to obtain point estimates of the frequencies of selected accident sequences resulting in degraded plant states and a point estimate of a plant availability factor.
• Identify and rank the principal contributors to degraded plant state frequency and plant unavailability.
• Evaluate the strengths and weaknesses of the GO methodology for use as an integrated plant safety and availability assessment tool and provide recommendations for further development.

To conserve resources to carry out this demonstration, the scope of the project was set large enough to provide a plant-level and thorough test of the methodology, but smaller than that required for a definitive assessment in terms of its completeness and accuracy in modeling plant details and human interactions. Even though the demonstration included a plant availability assessment, the total resources spent in this project were only about half of those recommended in the ANS/IEEE PRA Procedures Guide (Reference S-3) for the conduct of a level 1 PRA. Important elements of a level 1 PRA omitted from the scope of this project included the quantifications of a full complement of initiating events, external events, internal plant hazards (e.g., fires and floods), spatial interactions, system level common cause failures, and many important human interactions. The scope was controlled in the plant availability demonstration by only estimating the availability with respect to the scheduled production of 100% power. In both safety and availability applications, generic data were used without evaluating their detailed applicability to Sequoyah.

Because of the above scope limitation, definitive conclusions with regard to the absolute or relative safety or availability characteristics of Sequoyah Nuclear Plant Unit 1 cannot be drawn from the results of the example calculations presented in this report. For example, scope limitations precluded the estimation of overall core melt frequency. On the other hand, there is no technical reason why the models developed in this project cannot be built upon and refined to complete a level 1 PRA on Sequoyah Nuclear Plant Unit 1. Such refinements would include some changes to the plant and system models to make these models more accurate with respect to the as-built details of the plant. This fine tuning of the models was not performed because the scope limitations precluded a definitive assessment of the plant anyway and the changes were not necessary for demonstrating the usefulness of the methodology.

To demonstrate the effectiveness of the GO methodology in safety assessment applications, a Sequoyah plant safety model was constructed that consisted of 14 event sequence diagrams or event tree modules. These modules covered a representative set of initiating events and event sequences, which were developed out to the point of successful or degraded plant states short of core melt. Additional hardware and operator actions, such as recovery of failed equipment, would have to be added to the event sequence models in order to distinguish core melt states from other degraded plant states in which no melting occurs. Of the 14 event sequence modules, 13 were associated with a particular group of initiating events. The 14th module was used to model the so-called "ATWS" sequences; i.e., those sequences in which failure to trip the reactor is postulated. The overall structure of the event sequence model constructed in this study is shown in Figure S-1.

[Figure S-1. Coverage of Event Sequences in GO Safety Demonstration Model. Each block represents a separate event sequence diagram.]

To demonstrate the quantification process, two event sequence models were selected for example calculations: total loss of steam flow and large loss of coolant accident (LOCA). A full plant model analysis requires the quantification of a separate GO model for each event sequence model. A GO model for a given event sequence model includes all the frontline systems and support systems needed for the corresponding initiating event. A postprocessor, called STVQUANT, was developed and demonstrated for combining the results for each separate execution of GO to complete a full plant model quantification. Such a quantification is needed in a full-scale PRA application to estimate the total frequency of each plant state from all initiating events and from separate initiating event contributions.

A major result of the safety model demonstration was the development of a procedure that maximizes the capabilities of existing GO software for tracing the important contributions to degraded plant state frequencies. A tractable approach to determine risk contributions was developed and demonstrated for a selected event sequence in the loss of steam flow event sequence model that resulted in a degraded plant state. The event sequence of interest involved a postulated failure of both the auxiliary feedwater system and bleed and feed cooling after a loss of steam flow initiating event. An initial attempt to trace back through this sequence to the important contributors from a fully integrated GO model quantification proved cumbersome and ineffective because of limitations in the software for use with such a model and because of the lack of intermediate results in the GO output. To circumvent this difficulty, the event sequence models were segmented to form two integrated models: one for the auxiliary systems and the other for the frontline safety systems. These two models were run separately, and those runs were then linked via the GOST code, thereby effectively providing an integrated model of the complete plant. By segmenting the model in this way, the available GO postprocessors, such as FF, GOST, and GOLF, could be applied to completely decompose the risk contributors. The principal contributors to the selected sequences are illustrated in Figure S-2.

[Figure S-2. Tracing of Dominant Contributors to a Selected Sequence in Sequoyah Safety Model]
A second major result of the safety model demonstration was the development of a procedure for successfully executing a large, plant-level GO model to avoid some practical computational constraints. The GO methodology manages its computer storage requirements by pruning sequences with frequencies below a prescribed cutoff (called PMIN) and assigning the probability of truncated sequences to a truncation error. In constructing large models of the size needed for PRA applications, indiscriminate modeling as to level of detail can lead to truncation errors so large that the significant results are masked by the truncation error. Procedures to circumvent this limitation using an iterative process of model condensation were identified to keep the truncation error low relative to the frequencies of degraded plant states.

A single and separate GO model was constructed and quantified to estimate a plant availability factor; i.e., the average probability of the plant being capable of producing 100% power. Although this model was separate and different from the safety model, the fact that the safety and availability analyses were performed concurrently using the same modeling technique is believed to have resulted in significant savings in manpower resources in comparison with separate analyses. A number of systems, particularly the auxiliary or support systems, were included in both the safety and availability analyses, while others appeared in just one of these models. The fact that there are different plant and systems success criteria for safety and availability applications requires the use of different plant-level and system-level GO models and input data. Hence, the so-called integrated safety and availability model for Sequoyah is actually a collection of 15 separate plant-level GO models, 1 for each of the 14 event sequence models and 1 plant availability model.

The numerical results and ranking of dominant unavailability contributors for the plant availability demonstration were found to be reasonable in light of industry experience with similar plants. However, the scope limitations alluded to earlier, particularly in the safety model, preclude the development of definitive conclusions outside the domain of methodology demonstration.

In summary, this demonstration project has simulated most of the basic modeling and quantification problems that face the risk and reliability analyst in a level 1 PRA and plant availability assessment. A number of pitfalls were identified that, if not managed properly, could lead to difficulties with truncation errors in highly detailed models and the ability to trace important contributors. However, solutions to these problems were developed and no insurmountable obstacles to the use of the GO methodology in the performance of integrated safety and availability studies were found. Judgment on the overall comparative strengths and weaknesses of GO in relation to the other two more mature PRA methodologies, i.e., the fault tree linking (e.g., Reference S-4) and modularized event tree (e.g., Reference S-5) methodologies, is reserved until a comparable degree of full-scale PRA applications of GO is completed. Based on the experience in this demonstration project, a few areas have been identified where additional development effort on the GO software is recommended to assist in overcoming some of the difficulties encountered.

REFERENCES

S-1. Kelley, A. P., Jr., and D. W. Stillwell, "Application and Comparison of the GO Methodology and Fault Tree Analysis," prepared for the Electric Power Research Institute, PLG-0217, December 1981.

S-2. Pickard, Lowe and Garrick, Inc., "Midland Probabilistic Risk Assessment," prepared for the Consumers Power Company, May 1984.

S-3. American Nuclear Society and the Institute of Electrical and Electronics Engineers, "PRA Procedures Guide; A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," sponsored by the U.S. Nuclear Regulatory Commission and the Electric Power Research Institute, NUREG/CR-2300, April 1983.

S-4. NSAC, "Oconee PRA, A Probabilistic Risk Assessment of Oconee Unit 3," cosponsored by the Nuclear Safety Analysis Center, Electric Power Research Institute, Duke Power Company, NSAC 60-SY, June 1984. (Primary author of Oconee PRA is Nuclear Safety Analysis Center; Pickard, Lowe and Garrick, Inc., either authored or coauthored "Data Base Development," "Turbine Building Flooding," "Seismic," and "Fire.")

S-5. Pickard, Lowe and Garrick, Inc., "Seabrook Station Probabilistic Safety Assessment," prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company, PLG-0300, December 1983.

Section 1

INTRODUCTION

The purpose of this project is to demonstrate the usefulness of the GO probabilistic systems analysis software to assess the safety and power production availability characteristics of nuclear power plants. To effect this demonstration, plant and systems models were developed that largely conform to the Sequoyah Nuclear Plant Unit 1, which is owned and operated by the Tennessee Valley Authority (TVA). Because it was not within the scope of this research project to perform a definitive safety and plant availability assessment of Sequoyah, not all contributors to risk and unavailability were included in these models. There are also some variations between the models and the detailed design and operational characteristics of the plant. Models were developed that were adequate to test the GO methods and software for use in plant safety and availability assessment. However, because this was not a plant-specific study, these models were not necessarily changed and updated to reflect all current plant configurations. Readers should bear this limitation in mind when interpreting and using the example calculations in this report.

With the above perspective, the objectives established for this project were to:

• Develop integrated plant and systems models based on Sequoyah Nuclear Plant Unit 1 (within the limitations described above) for use in safety and availability assessment.
• Quantify these models to obtain point estimates of the frequencies of selected example accident sequences resulting in degraded plant states and a point estimate of a plant availability factor.
• Identify and rank the principal contributors to plant unavailability and to degraded plant state frequency for the selected example accident sequences.
• Evaluate the strengths and weaknesses of the GO methodology for use as an integrated plant safety and availability assessment tool and provide recommendations for further development.

Even though the demonstration included a plant availability assessment, the total resources spent in this project were only about half of those recommended in Reference 1-1 for the conduct of a level 1 probabilistic risk assessment (PRA). Important elements of a level 1 PRA omitted from the scope of this project included the quantifications of a full complement of initiating events, external events, internal plant hazards (e.g., fires and floods), spatial interactions, system level common cause failures, and many important human interactions. The scope was controlled in the plant availability demonstration by only estimating the availability with respect to the scheduled production of 100% power. In both safety and availability applications, generic data were used without evaluating their detailed applicability to Sequoyah.

Because of the above scope limitation, definitive conclusions with regard to the absolute or relative safety or availability characteristics of Sequoyah Nuclear Plant Unit 1 cannot be drawn from the results of example calculations presented in this report. For example, scope limitations precluded the estimation of overall core melt frequency. On the other hand, there is no technical reason why the models developed in this project cannot be built upon and refined to complete a level 1 PRA on Sequoyah Nuclear Plant Unit 1. Such refinements would include some changes to the plant and system models to make these models more accurate with respect to the as-built details of the plant. This fine tuning of the models was not performed because the scope limitations precluded a definitive assessment of the plant anyway and the changes were not necessary for demonstrating the usefulness of the methodology.

The GO methodology is a computerized, probabilistic systems analysis technique. An overview of those aspects of the methodology of particular interest in this demonstration is presented in Section 2. As a probabilistic systems analysis technique, the GO methodology can be used as an alternative to such methods as fault tree analysis or reliability block diagrams in the performance of system-level reliability and availability analysis. This level of capability was demonstrated in Reference 1-2. Inasmuch as many plant-level PRAs have been performed with a fault tree-based methodology (e.g., Reference 1-3), the demonstration of the equivalence of GO and fault tree analysis in Reference 1-2 suggested a possible PRA capability for GO. What reinforced this view was that GO can be used in both a two output state mode, in which success and/or failure state probabilities can be quantified as with fault trees, and a multiple (> 2) output state mode, in which many system or plant state probabilities can be calculated concurrently. This capability enables the construction of a single model whose output states correspond with the sequences in an event tree. The use of GO as an event tree quantification technique was demonstrated in the Midland PRA (Reference 1-4) in which a single GO model of the plant support systems was used in lieu of a support system event tree. What remained to be demonstrated in this project was that an integrated, full-scale plant model could be constructed for PRA-type safety and power production availability applications.

The flexibility of GO to be used as a multistate model provided impetus to the idea that GO could be used to develop an integrated plant model for concurrent safety and power production availability assessment. Such a capability is in high demand because of the recognition that design changes, backfits, and operational changes to a plant can have both safety and power production availability implications. What needed to be demonstrated in this project for plant availability assessment beyond that already performed in Reference 1-2 was that GO could accommodate the kind of large models needed for a plant-level assessment. While the results presented in Section 3 favorably demonstrate a plant-level availability assessment capability for GO, a fully integrated plant model for safety and availability assessment was not completely achieved. Because of differences in the plant logic and systems success criteria for safety versus plant availability, the so-called integrated plant model is necessarily a collection of separate models. Actually, in this demonstration project there were 15 separate plant-level models of Sequoyah, 14 for the "safety model" and 1 for the availability model. The 14 safety models were constructed to cover different sets of initiating events in the same way that multiple and separate event trees have been used to construct a PRA model using alternative methodologies. The results of the safety model demonstration are presented in Section 4.

The objectives and scope limitations of this project did not indicate a need for a detailed analysis of data that would have been required to support a definitive safety and availability assessment of Sequoyah. Nonetheless, to be able to determine that the models developed in this project were capable of providing reasonable results, a reasonable set of input data on failure rates, initiating events, repair times, and other parameters was needed. The data values used in this project, which were largely borrowed from data bases from PRAs on similar plants, are presented in Section 5. The conclusions and recommendations stemming from this project are presented in Section 6, and details of the models supporting these conclusions are found in the appendices.

1.1 REFERENCES

1-1. American Nuclear Society and the Institute of Electrical and Electronics Engineers, "PRA Procedures Guide; A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," sponsored by the U.S. Nuclear Regulatory Commission and the Electric Power Research Institute, NUREG/CR-2300, April 1983.

1-2. Kelley, A. P., Jr., and D. W. Stillwell, "Application and Comparison of the GO Methodology and Fault Tree Analysis," prepared for the Electric Power Research Institute, PLG-0217, December 1981.

1-3. NSAC, "Oconee PRA, A Probabilistic Risk Assessment of Oconee Unit 3," cosponsored by the Nuclear Safety Analysis Center, Electric Power Research Institute, and Duke Power Company, NSAC 60-SY, June 1984. (Primary author of Oconee PRA is Nuclear Safety Analysis Center; Pickard, Lowe and Garrick, Inc., either authored or coauthored "Data Base Development," "Turbine Building Flooding," "Seismic," and "Fire.")

1-4. Pickard, Lowe and Garrick, Inc., "Midland Probabilistic Risk Assessment," prepared for the Consumers Power Company, May 1984.

Section 2

GO METHODOLOGY

This section describes the basic GO methodology used in the availability and safety analyses presented subsequently. A more detailed description of this methodology is provided in Reference 2-1.

2.1 GENERAL DESCRIPTION

The GO methodology is a probabilistic system analysis technique. In this project, its broader capabilities, which are needed for use as an integrated plant safety and availability assessment tool, are explored. The GO methodology is designed for application to general system reliability/availability assessments such as:

• Forecasting System Reliability Performance
• Identifying and Ranking Causes of System Unreliability and Unavailability
• Identifying and Evaluating Design and Operational Changes to Improve Performance
• Performing Sensitivity Analyses

A special GO diagram or model is used to define either the success or failure logic of a system or subsystem in terms of the various equipment items, interdependencies, and operator actions that affect system operation. These special GO models are similar in appearance to the reliability block diagrams and schematic diagrams of the systems modeled.

A convenient feature built into the GO methodology is the so-called supertype. A supertype is a logic substructure within a complete model that an analyst chooses to treat as a separate entity. Supertypes provide a convenient means for partitioning and subpartitioning a complete model into parts (usually done by systems, subsystems, assemblies, and subassemblies) and for independently modeling and checking those individual parts. Then, the supertypes can be combined in the proper manner to form the complete model. Although supertypes provide a convenient means for identifying and modeling individual systems, their greatest advantage comes when a logic structure is repeated many times in a model. A supertype for that structure need be defined only once; that supertype can then be used repeatedly throughout the model without ever having to be redefined. As long as the supertype output signals are properly controlled, the supertype capability can be used to either represent repeated, logically identical events (i.e., A • A = A) or identical logic structures representing distinct events (i.e., A • A = A^2). For example, to represent two identical subsystems, a supertype can be defined once to represent the subsystem logic, but different output signals and kind data would be used to specify that two different events were being described.

At the time the computer analyses were performed in this study, the GO computer program system consisted of nine distinct and interrelated programs. These were GO1, GO2, GO3, FF1, FF2, FGO, EE1, EE2, and EE3. The programs were typically executed in the following three sequences:

1. In the GO sequence, the program GO1 processes the input logic structure; GO2 processes the input probability data; and GO3 evaluates the GO model to produce a truth table with the corresponding probabilities. The truth table lists the various combinations of success/failure states among the systems of interest to the analyst.

2. The FAULT FINDER sequence (FF1 and FF2) identifies up to fourth-order fault sets. FGO may then be used to create a new GO model that is essentially equivalent to the original model based on only those equipment items and operator actions included in the fault sets.

3. The effects evaluation (EE) sequence contains GO1, EE1, EE2, and, optionally, EE3. EE1 provides the modified sets of probability data needed for processing by EE2. EE2 then finds either the improvability or sensitivity with respect to the variable probability data, as identified by the user. If EE2 is used to produce sensitivities (rather than improvabilities), EE3 can be used to calculate point and interval estimates for the probability of a user-selected event.

Under a separate Electric Power Research Institute (EPRI) contract, several postprocessing codes were developed by Pickard, Lowe and Garrick, Inc. (PLG), to perform additional analyses of the GO output data. (The postprocessors have since been incorporated as options within a new, upgraded version of GO.) These codes are as follows:

• GOLF. Quantifies and ranks the fault sets output by the FAULT FINDER sequence.
• STEVE. Transforms the truth table style of output produced by the GO sequence into an event tree format.
• GOST. In a two-stage integrated modeling approach, transforms the success/failure states listed in the GO output for the first stage (covering the auxiliary systems model) to impact vectors that define input success/failure states for main systems in the second stage model (covering the frontline safety systems).

The following paragraphs describe the basic GO modeling elements, supertypes, quantification, and postprocessors in greater detail. Also given is some information about running the GO codes and the forms of the output results.

2.2 SIMPLE GO OPERATORS

A GO model consists of two parts: operators and signals. The signals indicate how the various operators are interconnected, while the operators cover two forms of functions:

1. Logic functions (such as AND, OR, EXCLUSIVE OR, and NOT gates).
2. Equipment and personnel functions (such as a valve that succeeds or fails, or a maintenance action that causes a component to be available or unavailable).

Together, the operators and signals portray the logic by which various combinations of successes and failures of equipment and personnel constitute success, failure, and other states of the plant, system or subsystem that is being modeled. Each signal in a GO model is assigned an identification number. Although these user-specified numbers are arbitrary and need not indicate the order in which the signal and associated operators are to be processed by the computer, some sort of sequential, systematic method of assigning them is highly recommended. Each identification number can be used for only one signal output from an operator. Mislabeling signals has disastrous consequences similar to what occurs when basic events in event tree and fault tree models are mislabeled. However, any one output signal can be input to any number of operators.

The operators have two forms of numbering: type numbers and kind numbers. Every operator is assigned a type number that identifies the specific type of function that the operator performs in the model. There are 17 different types of operators available to the user, as briefly described below. The kind number either provides probability input data, when the operator represents equipment or human actions, or information to specify the particular logical function when the operator represents certain general logic operators. A kind number is not required for every operator. It is needed only for those operators for which additional user-supplied information (called kind data) is needed to completely specify the manner in which the operator functions in the model. For example, the functioning of an OR gate in a model is completely determined when that type of operator is specified; no kind data are required in this case. However, in the case of a NOT gate, this represents a specialized function of a more general operator (actually, several different types of operators have the capability of performing this function); hence, kind data are needed in this case to identify that specialized function. In other cases, kind data are assigned to operators associated with the functioning of equipment and personnel. The kind data supply equipment success and failure probabilities as well as availability information for various user-specified states of test and maintenance.

The 17 types of operators available to the analyst are summarized in Figure 2-1. The operator functions are described in more detail in Table 2-1. (More complete descriptions, along with examples of applications, are given in Reference 2-1.) There is usually enough versatility in these operators to model all logic operations and all equipment and personnel functions of practical interest, particularly with the complete generality afforded by the type 13 operator. However, care must be observed in using this operator because it is not compatible with the FAULT FINDER sequence. It will be shown in Section 4 that this limitation can lead to difficulties in determining the contributors to accident sequences, which are modeled in part with type 13 operators.

For the example system in Figure 2-2a, an example of a simple GO model is shown in Figure 2-2b. This illustrates the use of four different types of simple GO operators: types 1, 2, 5, and 6, shown at the tops of the circles and triangles. This GO model represents two parallel functioning trains, A and B, each with two series functioning components represented by type 1 and type 6 operators. Three type 5 operators are used to represent support system input (cooling water, air, or electric power) to the two trains. The type 6 operator, which represents operation of component B1, requires success of both support inputs (S2 and S3) and success of the component B1 for its output signal 21 to indicate success. The output signal 90 from the type 2 operator indicates success whenever either (or both) of input signals 14 and 22 are successful; failure results only when both inputs are failed.
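The Python sketch below is an added illustration, not part of the original report and not GO code. It quantifies a two-train model like the one just described by expanding joint success/failure states, applies a PMIN cutoff with a truncation error as described in the Summary, and then repeats the run on a condensed model. The probabilities, the assumption that Train A is supported by S1 and S2, and the condensation step (merging each train's two series components into one element) are assumptions made for the example.

```python
# Added illustration, not GO code. All probabilities are constructed values.

def propagate(elements, pmin):
    """Expand joint success/failure states one element at a time.

    elements: list of (name, success_probability).
    A partial state whose probability drops below pmin is discarded and its
    probability is added to the truncation error.
    Returns ({state_tuple: probability}, truncation_error).
    """
    states = {(): 1.0}
    truncation = 0.0
    for _name, p_ok in elements:
        expanded = {}
        for state, prob in states.items():
            for ok, q in ((True, p_ok), (False, 1.0 - p_ok)):
                new_prob = prob * q
                if new_prob < pmin:
                    truncation += new_prob
                else:
                    expanded[state + (ok,)] = new_prob
        states = expanded
    return states, truncation


def quantify(elements, logic, pmin):
    """Return (p_success, p_failure, truncation_error, retained_state_count)."""
    names = [name for name, _ in elements]
    states, truncation = propagate(elements, pmin)
    p_success = p_failure = 0.0
    for state, prob in states.items():
        if logic(dict(zip(names, state))):
            p_success += prob
        else:
            p_failure += prob
    return p_success, p_failure, truncation, len(states)


P_SUPPORT, P_COMP = 0.999, 0.99  # constructed success probabilities

# Detailed model: three supports (type 5) and four train components.
DETAILED = [("S1", P_SUPPORT), ("S2", P_SUPPORT), ("S3", P_SUPPORT),
            ("A1", P_COMP), ("A2", P_COMP), ("B1", P_COMP), ("B2", P_COMP)]


def detailed_logic(s):
    train_a = s["S1"] and s["S2"] and s["A1"] and s["A2"]  # S1/S2 inputs assumed
    train_b = s["S2"] and s["S3"] and s["B1"] and s["B2"]  # B1 needs S2 and S3
    return train_a or train_b  # type 2 (OR) operator, output signal 90


# Condensed model: each train's series components merged into one element.
CONDENSED = [("S1", P_SUPPORT), ("S2", P_SUPPORT), ("S3", P_SUPPORT),
             ("A", P_COMP ** 2), ("B", P_COMP ** 2)]


def condensed_logic(s):
    return (s["S1"] and s["S2"] and s["A"]) or (s["S2"] and s["S3"] and s["B"])


def exact_failure():
    """Closed-form failure probability; S2 is shared by both trains."""
    train = P_SUPPORT * P_COMP ** 2
    return 1.0 - P_SUPPORT * (1.0 - (1.0 - train) ** 2)


if __name__ == "__main__":
    print("exact failure probability: %.4e" % exact_failure())
    for label, model, logic in (("detailed", DETAILED, detailed_logic),
                                ("condensed", CONDENSED, condensed_logic)):
        _, p_fail, trunc, n = quantify(model, logic, 1e-4)
        print("%-9s states=%d  P(fail)=%.4e  truncation=%.4e"
              % (label, n, p_fail, trunc))
```

With the same cutoff, the detailed model prunes every double failure, so its truncation error is of the same order as the failure probability it reports. The condensed model retains the dominant two-train failure and its truncation error is several times smaller.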

[Figure 2-1. Chart of GO Operator Symbols. Panels: Two State Component; OR Gate; Triggered Generator; Multiple Signal; Single Signal; Normally Open Contact; Normally Closed Contact; Delay Generator; Function Operator; AND Gate; M Out of N Gate; Path Splitter; Multiple Input/Output Operator; Linear Combination Generator; Value/Probability Gate; Actuated Normally Open Contact; Actuated Normally Closed Contact.]

Table 2-1
GO OPERATOR FUNCTIONS
(symbols shown in Figure 2-1)

    Type   Function
    1      Two-state component, such as pump or valve, that either succeeds or fails in its required function.
    2      OR gate for success.
    3      Triggered generator, such as switch or valve actuator.
    4      Multiple signal generator.
    5      Single signal generator.
    6      Normally open contact or normally closed valve.
    7      Normally closed contact or normally open valve.
    8      Increment generator (delay).
    9      Function operator.
    10     AND gate for success.
    11     m-out-of-n gate for success.
    12     Path splitter.
    13     General purpose, multiple input, multiple output operator.
    14     Linear combination generator.
    15     Value/probability gate that can be defined as a NOT gate.
    16     Actuated, normally open contact or normally closed valve.
    17     Actuated, normally closed contact or normally open valve.

[Figure 2-2. Comparison of System Diagram, GO Model, and Fault Tree for Example System. Panels: a. Example System; b. GO Model; c. Fault Tree. Notes on the GO model panel: two trains; A has components A1 and A2; B has components B1 and B2; A2 and B2 are identical (use same kind data); support system input is represented by S1 for input to train A, and by S2 and S3 for input to train B.]

The lower numbers in the triangles and circles in Figure 2-2, which represent the operators of the models, are the kind numbers associated with these operators. They identify the kind data (in this case, they are all probability data) associated with each operator that requires kind data. (The type 2 operator requires no kind data.) Notice that kind number 30 applies to both components A2 and B2, which signifies that they are identical components and both have the same probability input data corresponding with the label 30. The equivalent fault tree for this GO model is presented in Figure 2-2c.

Once a GO model has been developed, the next step is to record that model in a form suitable for input for execution on the computer. The three basic types of records needed for input to the GO sequence are listed in Table 2-2 (in the correct format for the GO BIG version of GO currently maintained by EPRI on the University Computing Company's CDC computer). The first line is a user-specified title for the operator record(s) to be read by GO1. The second line specifies that GO is to represent the failure state of a component by assigning a value of 1 to a signal. A consequence of this specification is that the signal value 0 represents success. Any particular signal in a GO model can only take on these two values (0, 1); however, the probabilities of these values, as specified for example in operator kind data or in the calculations made by GO, can take on any real-numbered value between 0 and 1.

The GO code requires the user to specify a value for the parameter INFIN; any value from 1 to 127 is acceptable. If a value of, say, 3 were to be specified, signal values of 0 and 3 would ordinarily be interpreted to represent success and failure, respectively. The intermediate values of 1 and 2 might be interpreted to represent degrees of partial success or failure, or to signify some form of sequencing of events. In the Sequoyah analyses, the value INFIN = 1 was used throughout.

The next eight lines in Table 2-2 list the operators shown in Figure 2-2. Each line gives the type number, kind number, and the input and output signal numbers for one specific operator in the GO model. The "$" signifies the end of the operator data and the beginning of an optional user comment, which can be used (as illustrated) to identify what equipment or personnel function is represented by the operator. The operators are listed in the sequence that the user wants GO to process them. This sequencing requires only that each operator must be listed after all other operators that produce the signals that feed into it. For example, the type 2 operator must be listed after the two type 1 kind 30 operators because they produce the signals 14 and 22 that are input to the type 2 operator.

Table 2-2
GO INPUT RECORDS

    GO1 INPUT -- OPERATOR RECORD
    $PARAM INFIN=1 $
    5 50 55 $ SUPPORT S3
    5 21 20 $ SUPPORT S2
    6 22 20 55 21 $ COMPONENT B1
    1 30 21 22 $ COMPONENT B2
    5 11 10 $ SUPPORT S1
    1 12 10 12 $ COMPONENT A1
    1 30 12 14 $ COMPONENT A2
    2 0 2 14 22 90 $ SYSTEM OUTPUT
    0 10 20 55 90 $ MONITOR
    *EOR
    GO2 INPUT -- KIND RECORDS
    11 5 2 0 .995 1 .005 $ FOR S1
    12 1 .999 .001 $ FOR A1
    21 5 2 0 .998 1 .002 $ FOR S2
    22 6 .9995 .0005 0 $ FOR B1
    30 1 .993 .007 $ FOR A2 AND B2
    50 5 2 0 .999 1 .001 $ FOR S3
    *EOR
    GO3 INPUT -- PARAMETER RECORDS
    *PARAM PMIN=1.0E-10 $
    *EOR

The next line in Table 2-2 (the line beginning with "0") lists the so-called final signals. These are the signals that the analyst is interested in and that GO uses as the headings for the output truth table. At most, there can be 24 of these signals. The next line (the first "*EOR") simply signifies that this is the end of the operator record.
This capability to track multiple output signals points to an enhanced computational capability of GO in relation to two-state models and is the key to the capability of GO to perform concurrent event tree type as well as fault tree type computations. Even though there are only two system states (success and failure) modeled in terms of signal values, the ability to track 24 output signals enables the use of GO as an equivalent event tree quantification tool.

When 24 output signals are tracked, the GO output is equivalent to an event tree quantification with 24 top events corresponding to the tracked signals and potentially as many as 2^24 different event tree sequences. This capability is based on the equivalence of truth tables and event trees and is essential to the capability of GO to model accident sequences as well as binary system states. When two-state models such as fault trees are used to quantify the frequencies of different end states of an event tree or event sequence diagram, a separate analysis must be performed for each end state. Hence, this suggests a computational efficiency advantage for the GO methodology.

The next line in the input table is a user-specified title for the kind record to be read by GO2. The next six lines list the kind data. Each line lists the operator kind number, the operator type number, and the kind data. The "$" separates that information from an optional user comment. The format for the kind data depends on the operator type. (Detailed formats for the operator and kind data are given in Reference 2-1.) The listing within the kind record can be in any order; however, it is usually most convenient for the user if the entries are listed in ascending numerical order by kind number. Every kind number appearing in the operator record must appear in the kind record, but the converse is not necessary. Also, each kind number can appear only once in the kind record. In other words, each kind number can have only one operator type associated with it. Thus, even though kinds 12 and 50 have the same success and failure probabilities, different kind numbers had to be used because of the two different operator types (1 and 5). Also, the sum of the probabilities in each set of kind data must always be exactly 1. The next line ("*EOR") signifies the end of the kind record.

The next line in Table 2-2 is a user-specified title for the record(s) to be read by GO3. The following line allows the user to specify a value for PMIN, which represents the user's threshold of probabilistic interest. During the course of the GO3 analysis, the code will discard any state or substate (as defined by a particular combination of equipment and personnel success, failures, availabilities, and unavailabilities) whose probability is less than PMIN. This provision improves computer efficiency and maximizes the amount of computer memory available for the analysis. If the memory capacity is about to be exceeded at any stage of the analysis, GO3 gradually and automatically increases PMIN and discards all appropriate states and substates until the current results fit. Then, PMIN is restored to the original user-specified value, and the analysis is continued. The total probability of all discarded states is accumulated and this total is printed out as a truncation error. The last line in the table ("*EOR") signifies the end of the GO3 input record(s).

When GO3 processes an operator, its output signal becomes "active." That signal is assigned all possible values (0 and 1 in this case, based on INFIN = 1) consistent with the value(s) of the input signal(s), the kind data (if any) for the operator, and the computational algorithm for the specified operator type. The signal remains active for the remainder of the analysis if it is one of the final signals. Otherwise, it remains active until it is "consumed" by the last operator in the operator record that has it as an input signal. (If such a signal is never consumed, GO3 adds it to the list of final signals and it is included as one of the headings in the output truth table.) For example, the first operator listed in the operator record in Table 2-2 introduces signal 55, which remains active for the remainder of the analysis because it is designated as a final signal. Operator type 1 kind 30 introduces signal 22 (from component B2), which remains active until it is consumed by the type 2 operator at the end of the analysis.

As GO3 processes each operator, it identifies and stores all possible states and substates in terms of all combinations of 0 and 1 signal values for the then-current set of active signals, along with their associated state and substate probabilities. These results are developed considering (1) the sets of signal values that had been developed for the active signals that existed for the immediately preceding operator, (2) the kind data (if any) for the current operator, and (3) the computational algorithm for the current operator type. It is clear that required storage space increases by roughly 2^N, where N is the number of active signals. Because of this, it is desirable to develop a listing order in the operator record (which defines the processing order for GO3) that minimizes the number of active signals throughout the GO3 processing. It was this consideration that made it necessary to condense (simplify and reduce) the models used in the safety analysis (Section 4) to reduce the truncation errors to an acceptably low level.

2.3 SUPERTYPES

A convenient modeling aid included in the GO methodology is what is called a supertype. The user can define one or more of these supertypes, which essentially add to the 17 types of "simple" operators discussed above. Outwardly, a supertype appears like one of the simple operators, probably most like the type 13. A supertype generally has (but need not have) input signals and always has at least one output signal, and various input states defined by the input signals are analyzed and interpreted by the internal logic of the supertype to define the corresponding system states defined by the output signals. The internal logic of a supertype is defined by the user in terms of various simple operators and/or previously defined supertypes and their associated interconnecting signals. Supertypes are a helpful modeling tool in two major ways:
1. Complex subsystems that appear several times in a major system can be modeled just once as a supertype; then, that supertype can be used as a single superoperator wherever that subsystem is required in the GO model of the major system.
2. Supertypes provide a convenient mechanism for partitioning a large system into smaller subsystems (even though the subsystems appear only once in the large system) and displaying those subsystems and their interconnections; this provides a convenient aid for communicating the overall system model at a more easily understandable level of detail.

To illustrate the use of supertypes, the simple model in Figure 2-2 is redone in Figure 2-3 in terms of supertypes. Supertypes 110 and 120 model trains A and B, respectively, whereas supertype 1112 models the combined two-train system. Each supertype is drawn as a rectangle. All the signal identification numbers assigned within each supertype are dummy numbers that will be replaced by the actual signal numbers when the supertype is used in the main model. For example, supertypes 110, 120, and 1112 in Figure 2-3 use dummy signal numbers 100, 101, and 200 to represent signals within the supertypes. As a convention (not a requirement), input signals are assigned dummy numbers in the 100 to 199 range, output signals in the 200 to 299 range. Within each supertype, the external signals input to it must each be assigned different dummy signal numbers; this is illustrated by signal numbers 1, 2, 3, and 4 within supertype 1112. The same also applies to the dummy numbers assigned to the signals produced by the operators within that supertype, as shown by signal number 1 used in supertypes 110 and 120. However, dummy signal numbers (in the 100 and 200 range) may be replicated from one supertype to another, as can be seen in supertypes 110, 120, and 1112 shown in Figure 2-3.

[Figure 2-3. GO Model of System in Figure 2-2 Using Supertypes. Panels: supertype ST110 (pump A), supertype ST120 (pump B), supertype ST1112, and the final system model.]

In addition to dummy signal numbers, the user can identify dummy kind numbers. As a convention, they are assigned numbers in the 2,000 range, as illustrated by the numbers 2,000 and 2,001 in ST 1112 in Figure 2-3. This supertype also shows how the other two supertypes can be modeled within it. Signal numbers 1, 2, 3, and 4 within supertype 1112 connect supertypes 110 and 120 just as signal number 1 within supertype 110 connects operators 1-12 and 1-30.

The final system model (at the bottom of Figure 2-3) shows that the dummy signal numbers 100 and 200 are to be replaced by actual signal numbers 55 and 90, respectively, thereby duplicating Figure 2-2. Also, the dummy kind numbers 2,000 and 2,001 are to be replaced by the actual kind numbers 11 and 21, respectively, which is in accord with Figure 2-2.

The corresponding operator record to be used as computer input would appear as illustrated in Table 2-3. The first three records define the three supertypes. The first line in each definition is a declaration line that lists the supertype number and a flag ("-1") to signify that it is a definition record, followed (in any order) by the dummy input and output signal numbers and the dummy kind numbers. It is preferable to list these dummy numbers in ascending numerical value to avoid potential confusion later. The lines that follow this declaration line list the operators and supertypes within the supertype being defined. They are listed in the order that the user wants GO3 to process them.

When a supertype is used, its dummy signal and kind numbers are replaced with actual numbers or new dummy numbers. This is accomplished with a single line.

Table 2-3
GO1 INPUT RECORDS FOR SUPERTYPE EXAMPLE

    GO1 INPUT -- OPERATOR RECORDS
    $PARAM INFIN=1 $
    110 -1 100 200 $
    1 12 100 1 $
    1 30 1 200 $
    *EOR
    120 -1 100 101 200 $
    6 22 100 101 1 $
    1 30 1 200 $
    *EOR
    1112 -1 100 200 2000 2001 $
    5 2001 3 $
    120 0 3 100 4 $
    5 2000 1 $
    110 0 1 2 $
    2 0 2 2 4 200 $
    *EOR
    5 50 55 $
    1112 0 55 90 11 12 $
    0 55 90 $
    *EOR

The first number is the supertype identification number. This is followed by a flag ("0") to signify that the supertype is being used. Then, the replacement actual or dummy signal numbers and actual kind numbers are listed in the order corresponding to the order of the dummy numbers in the original definition declaration line. For example, when ST 120 is used within the definition of ST 1112, its original dummy signal numbers 100 and 200 are replaced by new dummy signal numbers 3 and 100, respectively, from ST 1112. When ST 1112 is used in the main model, dummy signal numbers 100 and 200 are replaced by actual signal numbers 55 and 90, and dummy kind numbers 2,000 and 2,001 are replaced by actual kind numbers 11 and 12, respectively.

The feature of dummy kind data allows the supertype to be solely a logic model without any hardware-specific restrictions. That is, if two subsystems have the same logic structures, one supertype can be used for both, even though the probability data applicable for the two subsystems differ greatly because they are composed of different kinds of equipment. The different probability data can be taken into account by way of dummy kind numbers.

In conjunction with the operator records listed in Table 2-3, the same GO2 and GO3 input records as given in Table 2-2 could be used as input for executing the GO sequence.

2.4 QUANTIFICATION

GO3 provides four basic forms of output. Central to the output is the truth table. The headings for the truth table are the final signal numbers specified by the user in the last line of the input operator records (and as potentially augmented by GO1 due to unconsumed signals). The truth table lists all possible states as defined by all admissible combinations of successes (signal 0 values) and failures (signal 1 values) for the final signals, except those that may be lost due to truncations associated with the PMIN value. Also shown for each state is its associated probability of occurrence, which may be in error due to losses of contributions arising from PMIN truncations. These results are listed in order of increasing probability.

In the safety analyses, the output signals for the frontline safety systems were specified as the final signals. Then, each line in the truth table represents an event sequence that indicates a particular combination of system responses (success or failures) to an initiating event of interest. The probability value represents the conditional probability that its associated event sequence occurs, given that the initiating event has occurred.
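The operator-by-operator processing of Section 2.2 and the truth table, truncation error and per-signal totals of Section 2.4, as an added example (not the GO code and not part of the original report): a small Python evaluator for the Table 2-2 records that covers operator types 1, 2, 5 and 6 only. Assumptions: all function names are hypothetical; a type 1 or type 6 output succeeds only when every input and the component succeed, a type 2 output fails only when all inputs fail, and the third kind field of type 6 is accepted only when it is 0 because this section does not define it.

```python
from collections import defaultdict
# Data lines of the operator and kind records in Table 2-2 (title lines omitted).
# Signal value 0 = success, 1 = failure (INFIN = 1).
OPERATOR_RECORD = """\
$PARAM INFIN=1 $
5 50 55 $ SUPPORT S3
5 21 20 $ SUPPORT S2
6 22 20 55 21 $ COMPONENT B1
1 30 21 22 $ COMPONENT B2
5 11 10 $ SUPPORT S1
1 12 10 12 $ COMPONENT A1
1 30 12 14 $ COMPONENT A2
2 0 2 14 22 90 $ SYSTEM OUTPUT
0 10 20 55 90 $ MONITOR
*EOR
"""
KIND_RECORD = """\
11 5 2 0 .995 1 .005 $ FOR S1
12 1 .999 .001 $ FOR A1
21 5 2 0 .998 1 .002 $ FOR S2
22 6 .9995 .0005 0 $ FOR B1
30 1 .993 .007 $ FOR A2 AND B2
50 5 2 0 .999 1 .001 $ FOR S3
*EOR
"""

def _rows(text):
    """Yield the numeric fields of each data line; $PARAM, *EOR and '$' comments are skipped."""
    for line in text.splitlines():
        fields = line.split("$", 1)[0].split()
        if fields and fields[0].isdigit():
            yield fields

def parse_kinds(text):
    """Map kind number -> (operator type, [(value, probability), ...])."""
    kinds = {}
    for f in _rows(text):
        kind, op_type, data = int(f[0]), int(f[1]), [float(x) for x in f[2:]]
        if kind in kinds:
            raise ValueError(f"kind {kind} appears more than once")
        if op_type == 5:                       # count, then (signal value, probability) pairs
            dist = [(int(data[1 + 2 * i]), data[2 + 2 * i]) for i in range(int(data[0]))]
        elif op_type in (1, 6):                # P(success), P(failure); type 6 has a third field
            if op_type == 6 and data[2] != 0:  # assumption: only the value 0 is handled
                raise ValueError("nonzero third kind value for type 6 is not modelled")
            dist = [(0, data[0]), (1, data[1])]
        else:
            raise ValueError(f"operator type {op_type} is not modelled")
        if abs(sum(p for _, p in dist) - 1.0) > 1e-12:
            raise ValueError(f"kind {kind} probabilities do not sum to 1")
        kinds[kind] = (op_type, dist)
    return kinds

def parse_operators(text):
    ops, finals = [], []                       # ops: (type, kind, inputs, output) in listed order
    for f in _rows(text):
        n = [int(x) for x in f]
        if n[0] == 0:                          # line beginning with 0: final signals
            finals = n[1:]
        elif n[0] == 2:                        # type, kind 0, input count, inputs, output
            ops.append((2, None, n[3:-1], n[-1]))
        elif n[0] in (1, 5, 6):                # type, kind, inputs (none for type 5), output
            ops.append((n[0], n[1], n[2:-1], n[-1]))
        else:
            raise ValueError(f"operator type {n[0]} is not modelled")
    return ops, finals

def quantify(op_text=OPERATOR_RECORD, kind_text=KIND_RECORD, pmin=1.0e-10):
    """Process operators in listed order, tracking the joint states of the active signals."""
    kinds = parse_kinds(kind_text)
    ops, finals = parse_operators(op_text)
    last_use = {s: i for i, op in enumerate(ops) for s in op[2]}
    finals += [op[3] for op in ops if op[3] not in last_use and op[3] not in finals]
    states, truncated, peak = {(): 1.0}, 0.0, 1
    for i, (op_type, kind, ins, out) in enumerate(ops):
        nxt = defaultdict(float)
        for state, p in states.items():
            val = dict(state)
            if any(s not in val for s in ins):
                raise ValueError(f"operator producing {out} is listed before one of its inputs")
            if op_type == 5:                   # generator: signal values from the kind data
                outcomes = kinds[kind][1]
            elif op_type == 2:                 # OR for success: fails only if all inputs fail
                outcomes = [(min(val[s] for s in ins), 1.0)]
            else:                              # types 1, 6: all inputs and the component succeed
                worst = max(val[s] for s in ins)
                outcomes = [(worst if comp == 0 else 1, q) for comp, q in kinds[kind][1]]
            for value, q in outcomes:          # non-final inputs last used here are consumed
                new = {s: v for s, v in val.items() if s in finals or last_use.get(s) != i}
                new[out] = value
                nxt[tuple(sorted(new.items()))] += p * q
        states = {st: p for st, p in nxt.items() if p >= pmin}
        truncated += sum(p for p in nxt.values() if p < pmin)   # PMIN truncation error
        peak = max(peak, len(states))
    table = {tuple(dict(st)[s] for s in finals): p for st, p in states.items()}
    return {"finals": finals, "table": table, "truncated": truncated, "peak_states": peak}

def marginal(result, signal, value):
    col = result["finals"].index(signal)
    return sum(p for row, p in result["table"].items() if row[col] == value)
```

Calling `quantify()` returns the truth table keyed by the values of final signals 10, 20, 55 and 90; `marginal(result, 90, 1)` gives the system failure probability, and `peak_states` shows how the number of stored states follows the number of active signals.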

The second basic form of output is given immediately following the truth table. It gives the total probability (corresponding to all of the probabilities listed in the truth table) and the total error (one minus the total probability). This latter figure is important because it is a measure of the impact of all the errors caused by the PMIN truncations. This error must be maintained well below the probability result of interest in the study being performed.

The third form of the output lists the total success and failure probabilities for each final signal considered separately, based on the data in the truth table. (The sum of these two values plus the total error is 1.) This was helpful in the availability analyses for monitoring the overall availability characteristics of various systems and subsystems within the plant.

The fourth form of output is a list of the specific operators (in the model) at which GO3 had to increase PMIN and by how much. This information can sometimes be helpful in identifying where to change the model to decrease the number of active signals, thereby reducing the need to increase PMIN and reducing the truncation error.

The next step in probabilistic analyses is often to identify the dominant hardware and/or personnel contributions to the output results of interest. The FAULT FINDER sequence is intended for that purpose and was found very helpful in analyzing individual systems in support of the 100% power availability analysis performed in this study. Because 100% power availability was modeled, the plant model required successful functioning of all power production systems and their support systems. Because this plant-level model was comprised of operators in series, ranking the dominant system contributors to unavailability could easily be done directly from the results provided by the GO sequence. Applying the FAULT FINDER sequence to the individual systems models yielded the contributing first-order through fourth-order fault sets at the component level. This was a relatively inexpensive application of the FAULT FINDER sequence.

Because of the size and complexity of the safety models (involving both series and parallel logic at the plant level), the FAULT FINDER sequence would have to be applied to the plant-level model rather than to the individual systems models. (The same would be true for availability models of lower power levels, such as 70% or 50% power.) Running the FAULT FINDER sequence at the plant level was found to be considerably more expensive. Also, it was found that a processing characteristic of the FAULT FINDER sequence rendered it unsuitable for use in analyzing the safety models. Sample problem analyses have shown that the FAULT FINDER sequence processes NOT gates in such a manner as to yield incomplete listings of fault sets. Because of the use of NOT gates in the safety models and because of this shortcoming of the FAULT FINDER sequence, it could not be relied upon to identify the dominant contributors to the event sequences of interest from the safety analysis when a single integrated plant model is used. Thus, another approach had to be devised to accomplish this task. In Section 4, it is shown how to circumvent this limitation by separating the plant model into two parts, eliminating the NOT gates and applying the FAULT FINDER sequence to selected portions of the plant model.

2.5 POSTPROCESSORS

Three separate postprocessors were developed to facilitate the use and interpretation of the results produced by the GO BIG version of GO/FAULT FINDER. These codes, which have been incorporated into the most current version of the GO code, are described below.

2.5.1 GOLF

One of the shortcomings of the FAULT FINDER sequence is that it simply lists fault sets without quantifying or ranking them. Although this limitation is not too severe if only a few fault sets are listed, it evolves into a massive hand calculational problem when several hundred or several thousand fault sets are listed. The GOLF postprocessor (which stands for GO list frequencies) was developed to perform those calculations automatically. As input, it reads the fault sets listed by the FAULT FINDER sequence, along with the operator and kind data output by GO1 and GO2. Then, it computes the fault set probabilities using the rare event approximation and ranks them in order of decreasing probabilities. It also groups the fault sets by both specific and generic types of equipment, as identified by the user in the optional comments region (following the "$" in the input file). The grouped fault sets are then ranked as well. The use of GOLF with the FAULT FINDER sequence to determine the contributors of the safety model is discussed in Section 4.

2.5.2 STEVE

The computer code STEVE (which stands for standard event tree) was developed as a GO supplement to generate an event tree from the GO output. The user simply inputs the truth table output by GO (including the associated probabilities) along with the desired event tree column headings (which represent systems or actions that correspond to the final signals specified in the GO input). The output from STEVE is the desired event tree.

2.5.3 GOST

As mentioned above, the FAULT FINDER sequence cannot be applied to the safety model for unraveling the important event sequences to find their dominant contributors when a single integrated plant model is used, especially one using NOT gates. One approach that was investigated for accomplishing this unraveling function was one that had been developed and used successfully for the Midland Probabilistic Risk Assessment (Reference 2-2). That approach might be characterized as being a two-stage integrated modeling technique. In essence, this technique makes use of two separate integrated models: one for the support systems and the other for the frontline safety systems. The GOST code then serves as the mechanism for coupling these two models into one integrated model.

The two-stage integrated modeling approach is performed in five steps, as follows:

• Step 1. An integrated model of the support systems is developed having 24 or fewer final signals to represent the success/failure states of the key support systems.

• Step 2. The impacts that these support system failures have individually on the frontline systems are identified and documented in the form of an intersystems dependency matrix. (It is usually necessary to perform steps 1 and 2 in an iterative manner to identify the right combination of support system final signals needed to properly assess the impacts on the frontline safety systems.) This is done as follows for each support systems final signal in turn. Assume that the signal is failed and that all other final signals are successful. From the functional logic for the frontline safety systems, determine which frontline system trains are failed as a direct consequence of the assumed failure of the support systems final signal, considered by itself. This impact on the frontline system trains is represented by an ordered series of 0's and 1's. The 0's indicate no impact and the 1's indicate consequential failure. One such impact is developed for each support system final signal.

• Step 3. The third step in the two-stage integrated modeling approach is to run the GO model for the support systems. The truth table output from that run is input to GOST, along with the impacts discussed above, names corresponding to the support system final signals, and names for the frontline system trains that can be impacted by the support system failures.

• Step 4. The fourth step is to run GOST. GOST analyzes each support system event sequence individually, in turn. For each such event sequence, it determines which final signals are failed and finds the Boolean sum of the corresponding frontline impacts. That sum represents the impact vector of that support system event sequence on the frontline system trains. One such impact vector is developed for each support system event sequence. There are typically many duplications among the impact vectors. Hence, all impact vectors that are exactly alike are collected together and printed out together and the corresponding state probabilities are accumulated. Thus, although there may be several thousand support systems event sequences, there may be only a few (perhaps 50 to 100) unique impact vectors. The GOST output lists each unique impact vector. For each such vector, it lists all the support systems event sequences that can cause it, the probability for each such event sequence, and the sum of those probabilities (which is the probability for the impact vector).

  There are provisions within GOST that allow the user to group impact vectors. Several bases for grouping the impact vectors exist, the most obvious of which is trainwise symmetries. For example, one impact vector may show train A of a frontline system to be failed, and another may show train B of that system to be failed. Although these two impact vectors are unique, they may be essentially the same (indistinguishable) in terms of their external effects on the plant. Hence, there is a loss in generality if those two impact vectors are grouped together. This grouping process is applied to models for Sequoyah in Section 4.

• Step 5. The last step in the two-stage integrated modeling approach is to run the GO model for the frontline safety systems model. One run is made for each of the grouped impact vectors output by GOST. Each such vector specifies a set of initial conditions for the frontline systems trains, indicating which trains are to be set in failed and successful states from the start. The important frontline event sequences output by these multiple GO runs can then be unraveled back through the impact vectors that dominated their occurrence and from there back to the dominant contributing support system event sequences. This, in turn, identifies the dominant individual support system failures, whose dominant equipment and personnel contributors can readily be determined from FAULT FINDER sequence runs. (Runs performed in support of an availability analysis may not be applicable because of potential differences in success criteria.)
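The bookkeeping described in Steps 4 and 5 can be sketched as follows. This is an added illustration, not GOST or any code from the report: the train names, final signals, impact map and probabilities are constructed, and the support system event sequences are enumerated by assuming independent final signals.

```python
from collections import defaultdict
from itertools import product

# Constructed sample model (hypothetical names and numbers, not from the report).
# Frontline trains, ordered so that trains A and B of a system are adjacent.
TRAINS = ("SI-A", "SI-B", "AFW-A", "AFW-B")

# Frontline impact of each support-system final signal when that signal is failed.
IMPACTS = {
    "BUS_A": {"SI-A", "AFW-A"},
    "BUS_B": {"SI-B", "AFW-B"},
    "ERCW_A": {"SI-A"},
    "ERCW_B": {"SI-B"},
}

# Assumed failure probability of each final signal (treated as independent here).
P_FAIL = {"BUS_A": 0.01, "BUS_B": 0.01, "ERCW_A": 0.05, "ERCW_B": 0.05}


def event_sequences():
    """Yield (failed_signals, probability) for every support system event sequence."""
    signals = sorted(P_FAIL)
    for states in product((False, True), repeat=len(signals)):
        prob = 1.0
        for sig, failed in zip(signals, states):
            prob *= P_FAIL[sig] if failed else 1.0 - P_FAIL[sig]
        yield frozenset(s for s, f in zip(signals, states) if f), prob


def impact_vector(failed_signals):
    """Boolean sum (OR) of the frontline impacts of all failed final signals."""
    hit = set()
    for sig in failed_signals:
        hit |= IMPACTS[sig]
    return tuple(int(t in hit) for t in TRAINS)


def unique_impact_vectors(sequences):
    """Collect identical impact vectors and accumulate their probabilities."""
    table = defaultdict(lambda: {"prob": 0.0, "sequences": []})
    for failed, prob in sequences:
        entry = table[impact_vector(failed)]
        entry["prob"] += prob
        entry["sequences"].append((sorted(failed), prob))
    return dict(table)


def swap_trains(vec):
    """Exchange the train A and train B entries of every frontline system."""
    out = []
    for i in range(0, len(vec), 2):
        out += [vec[i + 1], vec[i]]
    return tuple(out)


def group_by_train_symmetry(unique):
    """Merge vectors that differ only by which train (A or B) is affected."""
    groups = defaultdict(lambda: {"prob": 0.0, "members": []})
    for vec, entry in unique.items():
        key = max(vec, swap_trains(vec))  # one representative per mirrored pair
        groups[key]["prob"] += entry["prob"]
        groups[key]["members"].append(vec)
    return dict(groups)


def initial_conditions(vec):
    """Step 5 input: the starting state of each frontline train for one run."""
    return {t: ("failed" if bit else "success") for t, bit in zip(TRAINS, vec)}


if __name__ == "__main__":
    unique = unique_impact_vectors(event_sequences())
    for vec, g in sorted(group_by_train_symmetry(unique).items(), reverse=True):
        print(vec, f"{g['prob']:.6f}", initial_conditions(vec))
```

With this constructed model, 16 event sequences collapse to 9 unique impact vectors and then to 6 symmetry groups, each of which would drive one frontline run.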

2.6 REFERENCES

2-1. Electric Power Research Institute, "GO Methodology," EPRI NP-3123-CCM, June 1983.

2-2. Pickard, Lowe and Garrick, Inc., "Midland Probabilistic Risk Assessment," prepared for the Consumers Power Company, May 1984.

Section 3

AVAILABILITY ANALYSIS

3.1 INTRODUCTION

The Sequoyah Nuclear Plant consists of Units 1 and 2. The full power production license for the operation of Unit 1 was granted by the Nuclear Regulatory Commission in September 1980, and in September 1981 for Unit 2. The purpose of the availability analysis is to demonstrate the use of the GO methodology in an availability application. A plant availability model of Unit 1 is constructed and quantified such that the plant availability contributors are identified and ranked by system and components.

To fulfill this purpose, a GO model has been constructed to estimate the availability of Unit 1 to produce power at 100% capacity based on the January 1982 plant design. This model includes the main power producing systems, plant auxiliary support systems, and their interdependencies as required to produce power at 100% capacity. The plant availability GO model is comprised of interconnected or "hard wired" system GO models. Each of the system GO models consists of the logical combination of its components needed for successful system operation. In this manner, the complex operation and configuration of the plant can be viewed at two levels of detail: the system level and plant level.

System modeling of components was accomplished to a level of detail consistent with the data base.

3.2 PLANT DESCRIPTION

The Sequoyah nuclear plant is located approximately 9.5 miles northeast of Chattanooga in Hamilton County, Tennessee, on the west shore of Chickamauga Lake. The plant consists of two four-loop units, rated at 3,411 MWt core power and 1,129 MWe net electrical power each. The nuclear steam supply system (NSSS) was designed and supplied by Westinghouse Electric Corporation. The turbine-generators are also of Westinghouse manufacture.

3.2.1 Success Criteria

Availability is defined as the ability of Unit 1 to operate at 100% capacity power output. Included within this analysis are component failures which cause a reduction (within 8 hours) in power output from the 100% capacity state. Individual system/subsystem success criteria are presented in the following system sections and are summarized in Table 3-1.

3.2.2 Configuration

In order to operate at 100% power output, the primary systems, secondary systems, and auxiliary systems must be in an operable status capable of supporting full power production. The systems assumed necessary for power production are included in the Unit 1 model and listed in Table 3-2. Three of the system requirements assumed necessary for power production (main feedwater pump turbine condenser drain tank pumps, steam generator blowdown, and cooling tower and cooling tower lift pumps) have alternate modes of operation (not modeled here) which would reduce the availability impact of these requirements. However, for demonstration purposes these conservative requirements are retained within the model. Other systems were excluded from the model if unavailability of the system had a negligible impact on plant power production or if the system repair time was shorter than the time required for system unavailability to impact power production.

3.2.3 Operation

Normal operation of the plant is controlled from the main control room where all controls, indicators, and alarms of the main power production systems are located. During steady state operation at full power, the plant is in automatic control. The operator interfaces to correct any deviations from normal automatic control by use of manual control actions. In this analysis, steady state automatic control of the plant is analyzed, considering only the simplest operator actions to mitigate failures. No credit is given for operator actions to recover failed equipment or to provide an alternate operating configuration. Likewise, no penalty is assessed for operator actions that would cause plant unavailability.

3.2.4 Testing and Maintenance Requirements

In the availability analysis, testing requirements of safety systems as delineated in the technical specifications are not modeled as contributors to unavailability. Similarly, planned maintenance is not currently included in the analysis. However, future expansion of the model to include planned maintenance and testing unavailability based on specific action frequencies and durations is feasible. Unplanned maintenance or forced outages of systems and components are modeled in the unavailability terms calculated for the various systems and components.

Table 3-1

SEQUOYAH NUCLEAR PLANT AVAILABILITY MODEL - MAJOR SYSTEMS AND COMPONENTS REQUIRED FOR 100% POWER

Reactor Coolant System (RCS)
• Four RCS Pumps
• One Pressurizer
• Four Steam Generators

Condensate
• Three Condensers
• Three Hotwell Pumps (a)
• Three Demineralized Condensate Pumps (a)
• Two Main Feedwater Pump Turbine Condensers

Main Feedwater
• Three Strings of Seven Heaters Each (a)
• Three Condensate Booster Pumps (a)
• Two Main Feedwater Pumps
• Four Feedwater Control Valves
• One of Two Injection Water Pumps

Main Steam
• Turbogenerator
  - Controls
  - Speed Controller
  - Generator Cooling
  - Bus Cooling
• Steam Generator Blowdown (one of two pumps)

Heater Drains
• No. 3 Heater Drain Tank and Three Pumps
• No. 7 Heater Drain Tank and Two Pumps
• Main Feedwater Pump Turbine Condenser Drain Tank and Two Pumps

Condenser Circulating Water (CCW) (helper or closed mode)
• Three CCW Pumps
• Four Cooling Tower Lift Pumps
• One Cooling Tower

Raw Cooling Water (RCW)
• Three of Four Strainers
• Three of Five RCW Pumps

Chemical and Volume Control System (CVCS)
• One of Two Charging Lines
• One of Three Charging Pumps
• Seal Water Circulation
• Reactor Coolant Pump
• One of Two Letdown Lines

Auxiliary Support Systems
• Electrical Power Distribution
• Essential Raw Cooling Water
• Component Cooling System
• Control Air System

(a) One string of heaters may be isolated provided all nine pumps within the condensate system are operating. If all heaters are available, the head requirements can be met by two hotwell pumps, two demineralized condensate pumps, and two booster pumps.

Table 3-2

AVAILABILITY MODEL SYSTEMS

Primary                              Secondary                        Auxiliary

Reactor Coolant System               Main Steam                       Station Electric Power System - Includes Standby Diesel Generator System and Instrumentation and Control Power System
Chemical Volume and Control System   Condensate                       Essential Raw Cooling Water System (ERCW)
                                     Main Feedwater                   Component Cooling System (CCS)
                                     Extraction Steam                 Control Air System
                                     Heater Drains and Vents
                                     Condensate Demineralizer
                                     Steam Generator Blowdown
                                     Raw Cooling Water
                                     Condenser Circulating Water
                                     Generator Cooling and Sealing
                                     Gland Seal Water
                                     Feedwater Control
                                     Turbogenerator Control
                                     Injection Water System
                                     Generator Bus Cooling

3.3 SYSTEM DESCRIPTIONS

To model Unit 1 for power production, the plant systems have been organized in three major groups: the primary system, secondary system, and auxiliary system (see Table 3-2). The descriptions of all the plant systems which belong in these three groups follow.

3.3.1 Primary System

The primary system consists of the reactor coolant system and the chemical and volume control system. The RCS transfers heat generated in the reactor vessel to the secondary system via the steam generators. The pressurizer vessel in the reactor coolant system functions as the primary coolant pressure and volume controller. The CVCS functions as the primary coolant chemical composition controller and provides reactor coolant makeup as required. The constant letdown and makeup of primary coolant by the CVCS maintains correct chemical composition. The CVCS charging pumps also provide seal coolant flow for the reactor coolant pumps.

3.3.1.1 Reactor Coolant System.

3.3.1.1.1 Function. During operation, the RCS transfers the heat generated in the reactor core to the steam generators. The water also acts as a neutron moderator and as a carrier for the neutron absorber used in chemical shim control.

3.3.1.1.2 Success criteria. The key RCS functions during full power and the governing success criteria are listed as follows.

System Function                                 Success Criteria

Maintain Proper Pressurizer Conditions          1. At least one of three source paths to pressurizer spray available.
                                                2. Operability of proportional and backup electrical heaters.
                                                3. Steam leakage from pressure relief system within technical specification limits.

RCS Hot Leg Outlet to Cold Leg Inlet Flow       4. RCS pressure and temperature, power-to-flow ratio, and other NSSS operating parameters within acceptable limits.
                                                5. Water leakage from the RCS within technical specification limits.

The technical specification and operating limits referred to in these criteria can be found in the technical specification writeup in Section 16 of the Sequoyah Final Safety Analysis Report.

3.3.1.1.3 Configuration. Figure 3-1 is the RCS flow diagram. The system consists of four similar heat transfer loops connected in parallel to the reactor pressure vessel. Each loop contains a reactor coolant pump, a steam generator, and associated piping and valves. A pressurizer surge line is connected to the loop 2 hot leg.

Figure 3-2 shows a schematic of the pressurizer. The pressurizer is a vertical cylindrical vessel with hemispherical top and bottom heads. Electric heaters are installed through the bottom head of the vessel while the spray nozzle, relief valve, and safety valve connections are located in the top head. The primary function of the pressurizer is to provide control of RCS pressure under all normal operating conditions, including plant startup, load changes, shutdown, and cooldown until cooling by the residual heat removal system is initiated. The pressurizer also functions as a surge volume to assist in accommodating reactor coolant volume changes in conjunction with the charging and letdown functions of the CVCS. The vessel is 25% filled with water at zero power level, and is 60% filled at 100% of rated power.

[Figure 3-1. Reactor Coolant System Flow Diagram]

[Figure 3-2. Simplified Diagram of Pressurizer Components]

3.3.1.1.4 Operation. The reactor coolant enters the reactor vessel through the inlet nozzles and flows down the annulus between the core barrel and the vessel wall, turns at the bottom, and flows upward through the core to the outlet nozzles. The heated water then flows to the tube side of the steam generators which are vertical shell and U-tube evaporators with integral moisture separating equipment. The cooled water flows out the bottom of the steam generator and from there to the reactor coolant pumps.

The amount of pressurizer spray flow is controlled by air-operated flow control valves. In parallel with each spray control valve is a needle valve which permits a small, continuous flow through the spray line. Each spray line has a temperature sensor that provides control room readout and a low temperature alarm. This alarm indicates insufficient flow in the spray line.

Pressurizer heaters are turned on by automatic control when either the pressure falls below the desired pressure by a specified amount or the pressurizer water level exceeds a preset level by 5% during an insurge. Control room indication of pressurizer water level and steam pressure are provided along with alarms.

3.3.1.2 Chemical and Volume Control System.

3.3.1.2.1 Function. The CVCS has multiple functions both for continuous full power operation and for intermittent or occasional use (adjustments, startup, shutdown, etc.). During full power, the system provides continuous feed and bleed of reactor coolant (letdown and makeup) for inventory control and water purification, and makeup water for the reactor coolant pump seal water circulation.

Intermittently, the system performs the following functions:

• Provides pressurizer spray water on demand.
• Fills, drains, and pressurizes the reactor coolant loop (startup and shutdown).
• Controls reactor coolant chemistry to reduce corrosion.
• Adjusts boric acid concentration for reactivity control.
• Reclaims primary water and concentrates boric acid.

The two continuous functions are essential and of primary interest in the system availability model. Failures during intermittent uses are not reflected in the model.

3.3.1.2.2 Success Criteria. Successful operation of the CVCS requires the following functions:

1. Primary coolant charging flow.
2. Seal water circulation for the reactor coolant pumps.

In order to provide these functions, water must be made available continuously from the normal or excess letdown lines. The normal letdown line provides hot shell side fluid in the regenerative heat exchanger to raise the temperature of the (tube side) charging flow in addition to water makeup for charging flow and losses through reactor coolant pump seals. The chemical control functions and certain purification system functions (i.e., cation demineralizer) are assumed to be of no importance to CVCS availability since these are used only occasionally (once weekly to once monthly). Specifically, the following criteria were derived for system availability at 100% power:

System Function                             Success Criteria

Reactor Coolant Letdown Flow                At least 75 to 100 gpm continuous letdown flow from the RCS, either from the normal letdown line or from the excess letdown line.

Primary Coolant Charging Flow               Maintain a positive (normally 55 gpm) charge flow to the reactor coolant cold legs, providing water makeup to the RCS and a cooling medium for the regenerative heat exchanger.

Seal Water Circulation                      Maintain, via charging pumps and flow control, at least 32 gpm water flow to the reactor coolant pump seals.

Charging Pump Flow to Pressurizer Spray     Maintain a positive charge flow which can be diverted to the pressurizer spray on demand.

Only two operability states are considered: success and failure. Success is the system state when the first three success criteria are all met simultaneously (letdown flow, charging flow, and seal water circulation). The purpose of the fourth success criterion is to provide input for RCS availability. Failure of the charging pump to supply flow to the pressurizer spray and failure of the loop 1 and 2 cold leg supply lines to pressurizer spray results in failure of the RCS. The normal source for pressurizer spray is from the cold legs of loops 1 and 2.

3.3.1.2.3 Configuration. Figure 3-3 depicts the major components of the CVCS. The three basic subsystems of the CVCS for the essential functions are:

• The seal water circulation loop for the reactor coolant pumps from the charging pumps to the reactor coolant pumps to the seal water heat exchanger and back to the charging pumps.
• The letdown line including the normal and the excess letdown. The excess letdown path terminates in the seal water circulation loop.
• The charging line from the flow split point downstream of the charging pumps through the regenerative heat exchanger to the RCS (cold leg or pressurizer).

Reactor coolant letdown flow is controlled by the pressurizer level. Two letdown paths are provided: the normal letdown and purification path, and the excess letdown path. Normally, the former is used and the latter is closed.

3.3.1.2.4 Operation. Reactor coolant is discharged to the CVCS letdown lines from the reactor coolant loop piping between the reactor coolant pump and the steam generator. In the normal letdown path, a discharge of about 75 gpm flows through the shell side of the regenerative heat exchanger where its temperature is reduced by heat transfer to the charging flow passing through the tubes. The coolant pressure is then greatly reduced as it passes through the letdown orifice(s) and flows through the tube side of the letdown heat exchanger where its temperature is further reduced to the operating temperature of the mixed bed demineralizers, which is less than 140°F.

[Figure 3-3. Chemical and Volume Control System]

Next, the normal letdown flow passes through one of the mixed bed demineralizers and may then pass through the cation bed demineralizer which is used intermittently when additional purification of the reactor coolant is required. It is estimated that the cation bed demineralizer is in use about 10 to 15% of the time. The coolant then flows through the reactor coolant filter and into the volume control tank through a spray nozzle in the top of the tank. The gas space in the volume control tank is filled with hydrogen, the partial pressure of which determines the concentration of hydrogen dissolved in the reactor coolant to prevent the accumulation of oxygen in the reactor coolant due to radiolytic disassociation of water. After passing through flow control valves, the normal letdown flow path ends at the suction end of the charging pumps.

An alternate letdown path from the RCS is provided in the event that the normal letdown path is inoperable. Reactor coolant can be discharged from a cold leg to flow through the tube side of the excess letdown heat exchanger where it is cooled by component cooling water. The flow normally goes to the seal leakoff manifold and passes through the seal water filter and heat exchanger to the suction side of the charging pumps. The excess letdown flow can also be directed to the reactor coolant drain tank. When the normal letdown line is not available, the normal purification path is also not in operation. Therefore, this alternate condition would allow continued power operation for a limited period of time, dependent on reactor coolant chemistry and radioactivity levels. The present analysis assumes 24 hours for this limited period.

Three charging pumps which normally take suction at the exit of the normal letdown line provide the flows for the charging line (return of cooled, purified coolant back to the RCS) and for the seal water circulation to the reactor coolant pumps. During normal operation, one of these charging pumps is all that is needed (the capacity of a reciprocating charging pump is 98 gpm; centrifugal charging pumps can generate 90 gpm each after subtracting for bypass flow). Downstream of the charging pumps, the flow splits.

The bulk of the charging pump flow is routed back to the RCS through the tube side of the regenerative heat exchanger. The letdown flow in the shell side of the regenerative heat exchanger raises the charging flow temperature to approach that of the reactor coolant. The flow (normally about 55 gpm) is then injected into a cold leg of the RCS. Two charging paths are provided from a point downstream of the regenerative heat exchanger. A flow path is also provided from the regenerative heat exchanger outlet to the pressurizer spray line. An air-operated valve in the spray line is employed to provide auxiliary spray to the vapor space of the pressurizer on demand (usually during plant cooldown or if normal pressurizer supply is unavailable--see the RCS).

A portion of the charging flow is directed to the reactor coolant pumps (normally 8 gpm per pump) through a seal water injection filter. This flow is directed to a point between the pump shaft bearing and the thermal barrier cooling coil. There, the flow splits and a portion (normally 5 gpm per pump) is directed down the pump shaft and enters the RCS through the labyrinth seals and pump thermal barrier. The remainder of the flow is directed up the pump shaft, cooling the lower motor bearing, and the No. 1 seal. This flow is returned to the charging pumps via the seal water heat exchanger and filter. Thus, the seal water circulation loop loses about 20 gpm out of the initial 32 gpm to the RCS; the remaining 12 gpm is recirculated.

When the plant is at full power the CVCS is operated continuously through a combination of automatic controls and operator interaction from the main control room.

3.3.2 Secondary System

The secondary system serves as an intermediate loop in the heat cycle between the primary coolant system and the heat sink (Chickamauga Lake). This system provides feedwater to the steam generators where saturated steam is produced. The steam drives the main turbine-generator and is exhausted to the condensers which are cooled by the condenser circulating water system. The condensate is pumped back to the main feedwater system.

The secondary system configuration is shown in Figure 3-4. All the secondary systems are operated in one distinct, full power operational state except the condensate heaters and pumps. The different configurations of condensate heaters and pumps can combine into two distinct success states. The first state requires that all of the hotwell pumps, condensate booster pumps, and demineralized condensate pumps (DCP) are in operation. If all of the above pumps are available, then only two out of three heater strings are required for successful operation. The second state requires that all of the heater strings be in operation. If all of the heater strings are available, then only two out of three of each set of pumps mentioned above are needed for successful operation.

[Figure 3-4. Secondary System Configuration]

The secondary or steam system begins in the shell side of the steam generator(s) where the incoming feedwater is boiled as it picks up heat from contacting the U-tubes containing hot reactor coolant. These U-tubes provide the barrier between the primary and secondary systems. Saturated steam exiting the steam generators passes through main steam isolation valves and is directed to the high pressure section of the main turbine. After exiting the high pressure turbine, the low energy, moisture laden steam is routed to a moisture separator/reheater where the excess moisture is removed and a small amount of superheat is applied. The dry, reheated steam then enters the low pressure turbines where energy is removed, and exits to the main condenser. In the condenser, the steam is condensed by passing over tubes containing condenser circulating water and collects in the condenser hotwell.

Condensate is then pumped from the hotwell by hotwell pumps that discharge into a common header which carries the condensate through the condensate demineralizers and pumps, the gland steam condenser, the main feedwater pump turbine condensers, and through three parallel strings of low pressure heaters (each string consisting of three stages of low pressure extraction feedwater heaters), then to the condensate booster pumps. These pumps discharge to a common header which divides into three parallel strings of intermediate pressure heaters, each string consisting of three stages of extraction feedwater heaters. The condensate from these heaters then flows to the main feedwater pumps. These pumps discharge to a common header which divides and passes through three parallel strings of single-stage high pressure heaters and returns to a common line before dividing into four streams which go through level control valves into the four steam generators where the cycle begins again. Heat for the feedwater heating cycle is supplied by the moisture separator-reheater drains and by steam from the turbine extraction points.

The condenser circulating water system is also included in the secondary system model. This system provides the ultimate heat sink by pumping water from Chickamauga Lake through the condensers to the cooling tower lift pumps which, in turn, pump water to the cooling tower, and then back to the lake or through the condensers directly to the lake. The raw cooling water system pumps take suction from the CCW pump supply conduits and supply various secondary cooling loads. The heater drains, tanks, and pumps are also included as part of the secondary system. In the following sections, descriptions of the various subsystems are provided.

3.3.2.1 Main Steam System.

3.3.2.1.1 Function. The primary function of the main steam system is to conduct steam from the four steam generators to the turbine and to the high pressure reheat stage of the moisture separator-reheaters. The system is provided with self-actuated safety valves to protect the steam generators from overpressurization. Atmospheric relief valves permit plant cooldown by the discharge of steam into the atmosphere in the event that the turbine bypass system is not available. To achieve optimum effectiveness in the control of steam generator secondary side water chemistry, continuous blowdown is maintained from each steam generator during normal plant operation. The steam generator blowdown system provides this function.

3.3.2.1.2 Success criteria. The main steam system must supply steam from all four steam generators to the turbine. For analysis purposes, all stages of the turbine and all moisture separator reheaters must be available for 100% power operation. This assumption is slightly conservative, but reflects normal plant operation.

3.3.2.1.3 Configuration. The main steam system contains four steam generators and main steam lines each with a main steam isolation valve (see Figure 3-5). All of the steam generators have blowdown lines which supply the steam generator blowdown system. Each blowdown line has two isolation valves. All the blowdown lines go to a flash tank which supplies two 100% pumps. The flash tank pumps are motor-driven, four-stage, vertical, single suction, centrifugal pumps sized to pump 85 gallons per minute at 770 feet of head. Two pumps are provided with one pump designated as standby. The flash tank will normally operate at 28 psia and is designed for 150 psig.

[Figure 3-5. Main Steam System Configuration]

The turbine (see Figure 3-6) is a tandem compound, 1,800 rpm, double-stage reheat unit with 44-inch last stage blades, designed for inlet steam conditions of 832 psia with 0.36% moisture at a throttle flow of 14,925,300 pounds per hour. It consists of a double flow high pressure turbine and three double flow low pressure turbines. Main steam from the steam generators at 857 psia, 526.2°F, is supplied to the high pressure turbine through two throttle valve-steam chest assemblies, one on each side of the turbine. Each throttle valve-steam chest assembly consists of two horizontally mounted throttle valves and two plug type governing valves. Each of these valves is controlled by the electrohydraulic governing system through individually operated valve actuation.

3.3.2.1.4 Operation. Main steam leaves each steam generator through a 32-inch line which is provided with a flow restrictor near the steam generator. There are five safety valves per steam generator, with a combined capacity of 3,917,000 pounds per hour, which is the maximum calculated flow rate for one steam generator. The steam generator safety valves provide emergency pressure relief for the steam generators as a result of imbalance between steam generation and steam consumption.

The main steam line isolation valves are 32-inch globe Y-type, straight through flow, air to open, spring to close. These valves are capable of closing within 5 seconds of receipt of a high containment pressure signal or high steam flow rate signal. The seat leakage rate for these valves is less than 3 cc per hour per inch of seat diameter. In series with and downstream of each isolation valve is a check valve to prevent reverse flow of steam. The check valves have side air cylinders and counterweights to minimize pressure loss, and spring assist for closing. Downstream of the isolation and check valves, the lines increase to 36 inches and are connected to a turbine stop valve and turbine control valve. Once the steam passes through these valves, it enters the high pressure turbine.

Exhaust steam from the high pressure turbine at 172 psia and 369.4°F passes through six moisture separator-reheaters, reheat stop valves, and interceptor valves in parallel before entering the three low pressure turbines at 156.6 psia and 495.4°F.

Figure 3-6. Turbine and Moisture Separator Reheater Configuration

The turbine extraction nozzles are designed for seven stages of feedwater heating. The Nos. 1, 2, and 3 extraction ports on the high pressure turbines provide extraction steam to the No. 1 feedwater heater and the first stage reheater, the No. 2 feedwater heater, and the No. 3 feedwater heater, respectively. The Nos. 4, 5, 6, and 7 extraction ports on the low pressure turbines provide steam to the Nos. 4, 5, 6, and 7 feedwater heaters, respectively.

The blowdown water from each steam generator is piped into a common header and is carried into a flash tank. Approximately half the water is flashed off and routed to the No. 7 heater. The remaining water and impurities collect in the flash tank and are pumped to the condensate cleanup system where the impurities are removed. As an alternative, the unit operator may elect to discharge the concentrate from the flash tank to the diffuser pond, or, if the flash tank pumps are out of service, it may be discharged to the main condenser hotwell.

3.3.2.2 Condensate System.

3.3.2.2.1 Function. The turbine exhaust from the three low pressure turbines is condensed in three main condenser shells. Then the hotwell condensate is heated in seven stages of feedwater heating by pumping the water through three separate strings of feedwater heaters. The feedwater heaters are supplied heat from the turbine extractions. The chemical composition of the condensate water is controlled by a condensate demineralizer system included in the flow path of the condensate water. The condensate water is then supplied to the main feedwater system at the proper temperature and pressure.

3.3.2.2.2 Success criteria. There are two operational configurations that define success of the condensate system. The first configuration is availability of all the heater strings and availability of two out of three of each set of hotwell pumps, condensate booster pumps, and demineralized condensate pumps. The second configuration is availability of all nine pumps and availability of two out of three heater strings. The success of the condensers depends on adequate CCW flow and two out of three condenser vacuum pumps to maintain proper condenser vacuum.

The success of the condensate demineralizer system is based on the availability of five out of six condensate demineralizer strings. This is sufficient to handle maximum condensate flow.

3.3.2.2.3 Configuration. Noncondensable gases are removed from the three condenser shells by three condenser vacuum pumps connected to a common header which connects all three shells (see Figure 3-7). These shells are connected to a common header from which the three hotwell pumps take suction. The hotwell pumps discharge to a common header connected to six condensate demineralizer strings (see Figure 3-8). These six strings connect to a common header from which the condensate demineralizer pumps take suction. The three condensate demineralizer pumps discharge to a common header which directs flow through the gland steam condenser, two main feedwater pump (MFP) turbine condensers, and on to three parallel strings of three heaters each (the Nos. 5, 6, and 7 heaters) (see Figure 3-9). The three condensate booster pumps take suction from a common header on the No. 5 heater string and discharge to a common header which supplies three parallel strings of three heaters each (the Nos. 2, 3, and 4 heaters) (see Figure 3-10). These three heater strings combine into a common header which supplies the MFPs.
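The condensate success criteria of Section 3.3.2.2.2 are k-out-of-n rules joined by AND/OR, so they can be evaluated directly over component states. The Python below is an added example, not part of the report and not the GO software; it assumes independent components, counts "heater strings" as three units, takes CCW flow as available, and uses constructed availabilities rather than plant data.

```python
"""Direct evaluation of the condensate success criteria (Section 3.3.2.2.2).

Added illustration only. Assumptions: independent failures, identical
availability inside a group, three heater strings treated as single units.
"""
from itertools import product
from math import comb, prod

# Number of redundant components per group, as stated in the text.
GROUPS = {
    "heater_strings": 3, "hotwell_pumps": 3, "booster_pumps": 3,
    "demin_pumps": 3, "vacuum_pumps": 3, "demin_strings": 6,
}
PUMP_GROUPS = ("hotwell_pumps", "booster_pumps", "demin_pumps")

# Constructed per-component availabilities (placeholders, not plant data).
AVAIL = {
    "heater_strings": 0.995, "hotwell_pumps": 0.98, "booster_pumps": 0.98,
    "demin_pumps": 0.98, "vacuum_pumps": 0.97, "demin_strings": 0.99,
}


def state_with_outages(**outages):
    """Return available-component counts with the given outages removed."""
    return {g: n - outages.get(g, 0) for g, n in GROUPS.items()}


def condensate_success(n, ccw_ok=True):
    """Apply the stated criteria to a map of group -> components available."""
    # Configuration 1: all heater strings, two of three in each pump set.
    config1 = n["heater_strings"] == 3 and all(n[g] >= 2 for g in PUMP_GROUPS)
    # Configuration 2: all nine pumps, two of three heater strings.
    config2 = n["heater_strings"] >= 2 and all(n[g] == 3 for g in PUMP_GROUPS)
    # Condensers: adequate CCW flow and two of three vacuum pumps.
    condensers = ccw_ok and n["vacuum_pumps"] >= 2
    # Demineralizers: five of six strings.
    demineralizers = n["demin_strings"] >= 5
    return (config1 or config2) and condensers and demineralizers


def pmf(k, n, p):
    """Probability that exactly k of n independent components are available."""
    return comb(n, k) * p**k * (1 - p) ** (n - k)


def at_least(k, n, p):
    """Probability that at least k of n independent components are available."""
    return sum(pmf(j, n, p) for j in range(k, n + 1))


def availability_by_enumeration(avail=AVAIL):
    """Sum the probability of every count combination that meets the criteria."""
    names = list(GROUPS)
    total = 0.0
    for counts in product(*(range(GROUPS[g] + 1) for g in names)):
        state = dict(zip(names, counts))
        if condensate_success(state):
            total += prod(pmf(k, GROUPS[g], avail[g]) for g, k in state.items())
    return total


def availability_closed_form(avail=AVAIL):
    """Same quantity via P(C1 or C2) = P(C1) + P(C2) - P(C1 and C2)."""
    strings_all = at_least(3, 3, avail["heater_strings"])
    strings_2of3 = at_least(2, 3, avail["heater_strings"])
    pumps_2of3 = prod(at_least(2, 3, avail[g]) for g in PUMP_GROUPS)
    pumps_all = prod(at_least(3, 3, avail[g]) for g in PUMP_GROUPS)
    flow_path = (strings_all * pumps_2of3 + strings_2of3 * pumps_all
                 - strings_all * pumps_all)
    return (flow_path
            * at_least(2, 3, avail["vacuum_pumps"])
            * at_least(5, 6, avail["demin_strings"]))


if __name__ == "__main__":
    print("enumeration :", availability_by_enumeration())
    print("closed form :", availability_closed_form())
    # One heater string out AND one pump out satisfies neither configuration.
    print(condensate_success(state_with_outages(heater_strings=1, hotwell_pumps=1)))
```

The two configurations overlap when everything is available, which is why the closed form subtracts the joint term; the enumeration serves as an independent check on that algebra.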

3.3.2.2.4 Operation. In the condensate system, the turbine exhaust is condensed and collects in three hotwells from which three vertical, centrifugal hotwell pumps take suction. The head imparted by these pumps is sufficient to provide adequate suction pressure to the main feedwater pumps during unit startup and low load operation. The demineralized condensate pumps are started whenever the plant load equals or exceeds 80%. The condensate booster pumps (started at 50% plant load) combined with the DCPs and hotwell pumps are capable of delivering the required flow rates with sufficient pressure to the main feedwater pumps.

The main condenser evacuation system consists of three mechanical vacuum pumps and related piping and controls. Two pumps are normally in operation in parallel, with the third aligned to start automatically on rising condenser pressure.

Figure 3-7. Condenser and Hotwell Configuration

Figure 3-8. Condensate Demineralizers Configuration

Figure 3-9. [caption illegible in source]

Figure 3-10. Condensate Booster Pumps and Condensate Heaters Configuration

The secondary water cycle inventory is maintained at the proper level by an automatic condensate bypass makeup system. Level controllers monitor the hotwell liquid level and position bypass and makeup valves as required to bypass inventory to or withdraw it from the condensate storage tanks.

3.3.2.3 Main Feedwater System.

3.3.2.3.1 Function. The main feedwater system boosts the pressure and flow of the condensate and supplies this water to the steam generators for steam production. The feedwater flow to all four steam generators is controlled by the feedwater regulating valves and by varying the main feedwater pump speed. The controllers use main steam and feedwater system pressure drop, along with main steam flow, as a load index to establish MFP speed.

3.3.2.3.2 Success criteria. Both MFPs must be operational for 100% power output. Flow through the heaters to all four steam generators must be in a stable condition. This requires that the flow controllers perform successfully. One out of two injection water pumps is required for successful feedwater pump operation.

3.3.2.3.3 Configuration. The main feedwater system contains two main feedwater pumps (see Figure 3-11). The flow from the No. 2 heaters supplies suction to the MFPs which discharge to a common header and then supply flow to the No. 1 heaters. Flow from the No. 1 heater string supplies feedwater to all four steam generators. The feedwater flow to each steam generator is controlled by a flow control valve.

The MFPs depend on injection water for successful operation. The injection water system consists of two 100% capacity pumps that take suction from the hotwell pumps discharge header. Flow from the injection pumps supplies the seals of both MFPs. The intermediate seal leakoff drains to the No. 3 heater drain tank and final stage leakoff drains to the atmospheric drain sump.

Figure 3-11. [caption illegible in source]

3.3.2.3.4 Operation. The two turbine-driven, variable speed main feedwater pumps are capable of delivering feedwater to the four steam generators under all expected operating conditions. Feed pump speed is automatically adjusted to meet the system demands. The feed pump speed control system consists of three interrelated parts:
1. The setpoint calculators which sum the four steam flow rates, provide the lag on setpoint changes, and contain the basic scaling adjustments.
2. The differential pressure controller which compares the steam header pressure, feedwater header pressure, and the calculated setpoint to determine the speed signal required.
3. The feed pump manual/auto stations which provide the operator with the flexibility of choosing various operating modes.

The unit operator will have the choice to operate either or both pumps on manual speed control to base load the plant, to operate one pump on manual with the other automatically following plant load changes, or to let both pumps follow the load changes. Feed flow to the individual steam generators is controlled automatically above a 15% load by a feedwater regulator valve in the piping to each steam generator. Below 15% load, the level in each steam generator is controlled manually using the feedwater regulating valves. Above 15% load, the regulating valve's position is determined by a three-element controller that uses steam generator water level, steam flow, and feedwater flow as the control variables. The regulator valves are pneumatically operated and are designed to fail closed on loss of air.

The injection water system operates whenever the MFPs operate. Normally, one injection pump operates while the other is in an automatic standby mode. If pressure from the normally operating injection pump drops, the standby pump starts automatically and supplies pressure to the seals.

3.3.2.4 Condenser Circulating Water.

3.3.2.4.1 Function. The primary function of the CCW system is to provide cooling water to the main condensers of the main steam turbines. The system also provides water for auxiliary cooling equipment and an efficient means of rejecting waste heat from the power generation cycle into the ambient surroundings. In the helper cycle mode, the cooling tower provides supplementary cooling before the water is discharged to the ultimate heat sink, which is the lake. This function controls the temperature of discharge to the lake. In the open cycle mode the cooling water is discharged directly to the lake.

3.3.2.4.2 Success criteria. CCW flow to all three low pressure turbine condensers by three CCW pumps is required. Furthermore, it is assumed that the plant is in the helper mode of operation and all four cooling tower lift pumps are required for success. Because the plant can operate in the open mode (cooling tower and pumps not required) the above success criteria are conservative but will suffice for demonstration purposes.

3.3.2.4.3 Configuration. The CCW intake pumping station is located at the land end of the intake channel. In order to provide cooling water to the condensers at the lowest possible sink temperature, water from the lake is drawn into the intake bay under a skimmer wall. The pumping station houses the CCW pumps, traveling screens, and screen wash pumps (see Figure 3-12).

Each CCW pump is installed in a separate suction well with incoming water strained by trash racks and a 3/8-inch mesh traveling screen. Each of the three pump discharge lines is provided with an 84-inch diameter motor-operated butterfly valve. The discharges are brought together in a concrete transition to a single tunnel 13.5 feet square. The water flows to the condensers through this conduit. Water is supplied to and discharged from each divided waterbox of the three condenser shells through two 72-inch inlet and outlet conduits. Each conduit is provided with a motor-operated butterfly valve to permit isolation of the separate waterboxes.

Eight cooling tower lift pumps are located in the cooling tower lift pumping station which is at the downstream end of the discharge channel. Four lift pumps supply the Unit 1 cooling tower. The cooling tower discharge can be directed to the diffuser pond in the helper mode or back to the intake channel in the closed mode.

Figure 3-12. Condenser Circulating Water Configuration

3.3.2.4.4 Operation. The three CCW pumps will provide a flow rate of 533,484 gpm to the main condensers and 26,000 gpm to the RCW system. The main condenser mass flow rate is based on a maximum temperature rise of 29.5°F for the circulating water through the condensers. This water flow rate is sufficient to condense the steam at an optimum main condenser backpressure and to dissipate all rejected heat.

The CCW system is designed to operate in any of three modes: open, helper, or closed. In the open mode, the water is returned to the reservoir through the diffuser pond and the discharge diffusers. In the helper mode, the water is pumped into the cooling towers by the lift pumps and passes through the cooling towers, where part of the waste heat is liberated directly to the atmosphere. The water is then returned to the reservoir through the diffuser pond and the discharge diffusers. In the closed mode, the water is pumped through the cooling towers where the waste heat is liberated directly to the atmosphere. The water is then returned to the intake channel through a discharge control structure located in the cooling tower return channel.

3.3.2.5 Raw Cooling Water System.

3.3.2.5.1 Function. The RCW system is a nonsafety related system shared by the two units. The function of the system is to furnish cooling water to the many miscellaneous nonsafety related loads in the turbine building, auxiliary building, and yard. Examples of the loads served are the generator stator heat exchangers, generator hydrogen heat exchangers, and various pump and drive turbine seal feed and lubricating oil heat exchangers.

3.3.2.5.2 Success criteria. Three out of four strainers and three out of five pumps are required for success of the RCW system.

3.3.2.5.3 Configuration. The RCW system consists of five centrifugal pumps of 7,200 gpm capacity each, four strainers, and the necessary piping, valves, and instrumentation. The pumps take suction from the CCW system supply conduits, and the system discharge is to the CCW discharge conduits (see Figure 3-13). The RCW pumps and strainers are located in the turbine building. All the pumps discharge into a common pipe loop system which serves loads in the turbine and auxiliary buildings. Valves are provided in the loops to sectionalize and isolate portions of the system as required for maintenance without removing the system from service. The valves also permit increasing the water velocity and reversing the direction of flow to flush aquatic life and sediment from the headers. Branch lines connect the headers to the individual heat loads in the turbine and auxiliary buildings and to the electrical bus heat exchangers in the yard.

3.3.2.5.4 Operation. One of the five RCW pumps is a spare and only three are normally operating, with the fourth starting automatically if the header pressure drops to a preset value.

Figure 3-13. Raw Cooling Water Configuration

3.3.2.6 Heater Drain System.

3.3.2.6.1 Function. The heater drain system is designed to remove and dispose of all drainage from the moisture separators, reheaters, feedwater heaters, MFP turbine condensers, and gland steam condenser during all modes of unit operation by returning the condensed water back to the feedwater system.

3.3.2.6.2 Success criteria. For success, all operational sources of condensed water must be pumped back into the condensate flow path or returned to the condenser. In order for all drainage to be pumped back, all of the heater drain pumps and tanks must operate with the exception of the main feedwater pump turbine condensate tank pumps, of which only one out of two is required.

3.3.2.6.3 Configuration. The heater drain and pump system consists of two subsystems: the No. 3 heater drain tank with pumps and the No. 7 heater drain tank with pumps, Figures 3-14 and 3-15, respectively. The No. 3 heater drain tank receives drainage from the low pressure, high pressure, and moisture separator-reheater drain tanks. The Nos. 1, 2, and 3 heater strings also drain to the No. 3 tank. There are three drain tank pumps which pump the drain tank water through a common line. This common line divides into three separate lines which join the three main condensate heater strings between the Nos. 2 and 3 heater strings.

The No. 7 heater drain tank receives drainage from the Nos. 4, 5, 6, and 7 heaters. The MFP turbines exhaust to the MFP turbine condensers which drain to the MFP turbine condenser tank. Two drain tank pumps deliver the MFP turbine condensate to the No. 7 heater drain tank. A bypass line (not modeled) is available as an alternate route; the line allows the MFP turbine condenser drain tank to be drained directly to the main condenser by vacuum drag. The two No. 7 heater drain tank pumps discharge the condensate to three separate connections which join the main condensate flow between the Nos. 6 and 7 heaters.

Figure 3-14. No. 3 Heater Drain Configuration

Figure 3-15. No. 7 Heater Drain Configuration

3.3.2.6.4 Operation. The feedwater heaters are numbered from 1 to 7 with the highest pressure designated as No. 1. During normal unit operation, the No. 1 heater drain, composed of the high pressure reheater drains and the No. 1 turbine extraction from the high pressure turbine, cascades into the shell of the No. 2 heater. The No. 1 heater drains plus the No. 2 turbine extraction and the low pressure reheater drains cascade into the No. 3 heater drain tank. The No. 3 heater drains (No. 3 extraction) and the moisture separator drains also flow into the No. 3 heater drain tank. Water from this heater drain tank is then pumped forward into the condensate cycle (between the No. 3 and No. 2 heaters) by the No. 3 heater drain pumps, or it may be bypassed to the main condenser. In order to simplify the model, the bypass to the main condenser is not included.

The first extraction from the low pressure turbines is condensed in the No. 4 heaters. These drains are cascaded into the shell of the No. 5 heaters. The No. 5 heater drains (No. 5 extraction plus No. 4 heater drains) cascade to the No. 6 heater, whose drains cascade in turn to the No. 7 heater drain tank. The condensed No. 7 extraction, MFP turbine condenser drains, and other miscellaneous drains are also routed to the No. 7 heater drain tank. This water is pumped forward into the condensate system (at a point between the Nos. 7 and 6 heaters) by the No. 7 heater drain pumps, or it may be bypassed to the main condenser by vacuum drag. The bypass function is not modeled explicitly.

Proper level is maintained in the Nos. 1, 2, 4, 5, and 6 feedwater heaters by modulating level control valves that receive their control signal from level indicating controllers mounted on the heater shells. The Nos. 1 and 4 heaters are equipped with modulating bypass to condenser valves. Should the level in a No. 1 or a No. 4 heater exceed the normal control level, the bypass valve begins to open. High-high level in a No. 1 heater results in isolation (of both feedwater and extraction steam) of that heater. High-high level in a No. 2 or No. 4 heater results in isolation of the appropriate bank of Nos. 2, 3 and 4 heaters. High-high level in a No. 5 or 6 heater results in isolation of the appropriate bank of Nos. 5, 6, and 7 heaters.

Moisture separator-reheater drain control is provided by maintaining a proper level in the drain tanks connected to the individual moisture separators, high pressure reheaters, and low pressure reheaters. This level is controlled in the individual drain tanks by modulating level control valves (one per tank) that receive their signals from tank-mounted level indicating controllers.

Air-assisted nonreturn valves are provided in each moisture separator reheater drain line downstream of the point where the bypass to condenser piping is connected so that in the event of a turbine pressure transient due to a load rejection, the water stored in the feedwater heaters cannot flash back to the moisture separator-reheater. The bypass to condenser valves will still be available for level control during a transient of this type.

A single drain tank receives the drains from both MFP turbine condensers. Normal water level in the tank is maintained by a level control valve at the drain pump discharge that receives its control signal from a level indicating controller mounted to the drain tank.

The three No. 3 heater drain pumps start sequentially as the unit load increases. The particular order in which the pumps start is determined by the position of a selector switch. Conditions that must be satisfied before any pump can start include:

• Level in the No. 3 heater drain tank above a permissive level setpoint.
• Sufficient lubricating oil pressure.

Two drain pumps start when feedwater flow reaches 40% guaranteed flow, and a third pump starts at 60% feedwater flow. The pumps are sequentially tripped on decreasing load when feedwater flow drops below the 60 and 40% setpoints. In addition, the pumps may be tripped by low level in the No. 3 heater drain tank, low lube oil pressure, or a motor protection signal. Minimum flow for pump protection is provided by an automatic recirculation control valve at the discharge of each pump. The No. 7 heater drain pumps are controlled in the same manner as the No. 3 heater drain pumps except that the unit load setpoints for sequential starting and tripping of these pumps are 40 and 50%.

The MFP turbine condenser drains are equipped with two 100% capacity pumps which take suction from a single drain tank. One pump is started manually while the second pump is put on standby by placing the selector switch in the "auto" position. Should the pressure in the discharge of the active pump drop below a preset pressure, the standby pump is automatically started. A trip of the main turbine will result in tripping of all Nos. 3 and 7 heater drain pumps due to low level in the heater drain tanks.

With few exceptions, the operating mode of the heater drain system has no effect on the RCS and the ability of the condensate feedwater system to deliver feedwater to the steam generators in sufficient quantity to meet all system demands. However, some transient conditions can exist that do require proper interfacing between the heater drain system and other secondary cycle systems to prevent a reactor trip. With all drains from the No. 3 heater drain tank being bypassed to the condenser (and being passed through the hotwell and condensate booster pumps), the condensate feedwater system can deliver only 85% guaranteed flow to the steam generators. Thus, with unit load greater than 85%, indication that the No. 3 heater drain tank bypass to condenser valve has left the fully closed position initiates a load runback to the 85% power level. Trip of a No. 3 heater drain pump during operation at unit load in excess of 85% produces a low differential pressure across the No. 3 heater drain pump station (indicating that the remaining pumps are passing excessive flow and are in danger of damage due to insufficient net positive suction head). As a result, one of the two level control valves in the drain pump discharge is tripped closed for pump protection. This action will cause the bypass to condenser valve to open and subsequent runback to the 85% load condition.

3.3.2.7 Generator and Generator Support Systems.

3.3.2.7.1 Function. The generator serves as the component that converts the mechanical energy of the turbine to electrical energy, which is the final product supplied by the plant. The generator support systems provide the necessary cooling functions of the hydrogen and stator cooling water along with the seal oil circulation function.

3.3.2.7.2 Success criteria. At 100% power output, the successful operation of the generator depends upon the successful operation of the generator support systems. For the hydrogen system, this means all hydrogen circulation fans and blowers must be operational along with the hydrogen cooling loop. The stator cooling water system must have one of two stator water cooling pumps, both heat exchangers, and one of two filters. The hydrogen side and air side seal oil systems are also needed for success. The stator cooling water system also depends upon a supply of hydrogen for pressurization. This supply of hydrogen is also necessary for successful operation.
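The success criteria above can be written as a structure function and checked mechanically for single failures and redundant pairs. The following Python code is an added example, not part of the report and not the GO software: the component labels are chosen here, the count of two hydrogen blowers is taken from the configuration description, and component failures are assumed independent.

```python
from itertools import combinations, product

# Labels are chosen for this example; the report gives equipment counts, not tags.
# Every item in REQUIRED must be operating (series logic).
REQUIRED = (
    "h2_blower_1", "h2_blower_2",         # one blower at each end of the rotor
    "h2_cooling_loop",
    "h2_supply",                          # also pressurizes the stator water tank
    "stator_hx_1", "stator_hx_2",         # both heat exchangers at 100% power
    "seal_oil_h2_side", "seal_oil_air_side",
)
# At least one item of each pair must be operating (one-of-two logic).
ONE_OF_TWO = (
    ("stator_pump_1", "stator_pump_2"),
    ("stator_filter_1", "stator_filter_2"),
)
COMPONENTS = REQUIRED + tuple(c for pair in ONE_OF_TWO for c in pair)


def support_ok(failed):
    """True if the 100% power success criteria hold with `failed` components down."""
    failed = set(failed)
    unknown = failed - set(COMPONENTS)
    if unknown:
        raise ValueError(f"unknown component(s): {sorted(unknown)}")
    if any(c in failed for c in REQUIRED):
        return False
    return all(any(c not in failed for c in pair) for pair in ONE_OF_TWO)


def minimal_cut_sets(max_order=2):
    """Smallest sets of failures (up to max_order) that defeat the criteria."""
    cuts = []
    for order in range(1, max_order + 1):
        for combo in combinations(COMPONENTS, order):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue                  # contains a smaller cut set: not minimal
            if not support_ok(candidate):
                cuts.append(candidate)
    return cuts


def unavailability(q):
    """Exact probability the criteria are not met, by enumerating all 2**n states.

    q maps component -> probability it is down; components are assumed independent.
    """
    total = 0.0
    for state in product((False, True), repeat=len(COMPONENTS)):   # True = down
        failed = [c for c, down in zip(COMPONENTS, state) if down]
        if support_ok(failed):
            continue
        p = 1.0
        for c, down in zip(COMPONENTS, state):
            p *= q[c] if down else 1.0 - q[c]
        total += p
    return total


if __name__ == "__main__":
    for cut in minimal_cut_sets():
        print(sorted(cut))
    q = {c: 0.01 for c in COMPONENTS}     # constructed value, not plant data
    print(f"unavailability = {unavailability(q):.6f}")
```

The eight single-element cut sets are the components with no redundancy under these criteria; the only second-order cut sets are the two stator pumps and the two filters.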

3.3.2.7.3 Configuration. The generator is directly connected to the main turbine by a shaft. The hydrogen cooled, 1,800 rpm synchronous generator is rated at 1,356,200 kVA for 100% power and requires a constant supply of hydrogen and stator cooling water. The hydrogen is stored in two hydrogen truck trailers which supply initial fills and hydrogen makeup.

The generator is cooled by a ventilation system which includes a hydrogen cooler, blowers to circulate the hydrogen, and numerous passages in which the hydrogen removes heat generated by windage, magnetic losses in the stator core, and resistance losses in the rotor winding. A six-stage axial flow blower at each end of the rotor (mounted and driven by the generator rotor) circulates the hydrogen through and over the working parts and through the fin-tube hydrogen cooler. In the ventilation circuit, the blowers are located immediately ahead of the cooler so that the gas temperature rise due to the blower losses will not be added to the total temperature rises of the electrical components. Cold hydrogen gas leaving the hydrogen cooler flows into the passageways in the stator iron and into the ends of the rotor as well as on to the exciter end of the generator where it is introduced into the parallel rings and into the lead connectors within the lead box. Radial passageways through the stator iron conduct cold gas into rotor ventilation zones in the air gap. These ventilation zones are established by baffles located in the gap between the rotor and stator. The baffles consist of nonmagnetic rings shrunk on the rotor body in conjunction with segmental, nonmetallic, stationary baffles mounted on the stator core. Cooling gas is delivered to each inlet zone and exhausted from each outlet zone through radial vents in the stator core. The cooling gas is returned to the two ends of the generator by means of hot gas ducts at the periphery of the stator core. These ducts connect into a common gas return. The portion of the cold gas which enters the rotor end flows through only a portion of the rotor and then discharges into the air gap through special ventilating passages provided in the rotor winding itself. The gas flows through the blower and then through the hydrogen cooler where it gives up heat to the cooling water in the finned tubes of this cooler.

Hydrogen leakage along the generator shaft is prevented by the seal oil system. That oil which is supplied from the hydrogen side of the seal oil system will flow inward along the shaft toward the inside of the generator, and that oil which is supplied by the air side of the system will flow outward along the shaft toward the bearing. The hydrogen and air side seal oil systems have separate feed pumps, filters, and water-to-oil coolers.

The generator stator winding is water cooled. Cold water is piped through the generator shell into the circumferential manifold in one end of the generator. Inside the generator, water flows from the inlet manifold into the coil ends through teflon insulating tubes. Water discharges from the stator coil at the other end, is collected by hoses and a discharge manifold, and is returned to the water tank. The water tank provides for degasification of the water returning from the generator. The tank is equipped with a water level control, a sight level gauge, a window, and a conductivity cell. Two stainless steel centrifugal water circulating pumps connected in parallel are provided with check valves on the outlet side of the pumps. Two coolers are provided and are normally operated in series. Either cooler may be isolated from the loop during less than 100% power operation. The stator coil cooling water flows through the shell side of the cooler. Two filters are provided in the system with the necessary valves to operate one filter while the other is held as a spare. A small fraction of the stator coil water is continuously circulated through one of two mixed bed demineralizers. The water system is pressurized by means of hydrogen pressure above the water level in the water tank. The hydrogen supply is obtained from the generator gas supply system. Makeup water for the system is supplied from the gland seal water system.

3.3.2.7.4 Operation. Whenever water is present in the stator coils, hydrogen pressure must be maintained in the generator. Water must be circulated by two pumps through the stator coils whenever electric load is being carried. Either pump may be operated with the other pump on automatic standby. Two coolers are provided and are normally operated in series, but they may be operated individually at up to 75% of the rated stator coil heat load. Either cooler may be isolated from the loop during operation. The stator coil cooling water flows through the shell side of the cooler. Two filters are provided in the system with necessary valves to operate one filter while the other is held as a spare. The water system is pressurized by means of hydrogen pressure above the water level in the water tank. The hydrogen supply is obtained from the generator hydrogen cooling system. Makeup water for the system is supplied from the gland seal water system. The hydrogen side and air side seal oil systems operate continuously to prevent hydrogen leakage. The air side seal oil pressure is maintained at the same pressure as the hydrogen side seal oil pressure by means of pressure equalizing valves.

3.3.3 Auxiliary Systems Description

There are four auxiliary systems which are required to continuously support normal plant operations. The electric power system provides power for all electrical requirements of plant operating equipment. The compressed air system (CAS) provides instrument quality compressed air to air-operated valves and other equipment. The ERCW system supplies cooling water to the heat exchangers of the RCS, the component cooling system, and the compressed air system compressors. The CCS provides cooling water for the CVCS heat exchangers and also for the reactor coolant pump heat exchangers. Individual system descriptions are provided within each systems analysis. This section will describe the function, success criteria, and configuration of the auxiliary systems as a group.

3.3.3.1 Function. The function of the auxiliary systems is to support plant operations by providing electric power and air pressure for equipment operation and cooling water for the heat removal requirements of the equipment. Electric power and control air are needed by most systems while essential raw cooling water and component cooling water are needed only for the primary systems normal operations.

3.3.3.2 Success Criteria. The plant support requirements needed for 100% power production must be satisfied to meet the success criteria of this analysis. For the auxiliary systems, this requires that all essential operating equipment loads are satisfied.
The essential load requirements of the primary and secondary systems have been listed in Table 3-3.

3.3.3.3 Configuration. The configuration of the auxiliary systems is illustrated by the top portion of the simplified block diagram of Figure 3-5. This diagram shows electric power being supplied to the essential raw cooling water system, component cooling system, and control air system. Essential raw cooling water is supplied to the component cooling water system and control air system. The support outputs of all four of these systems are then supplied to the primary and secondary systems. These support output functions of each of these four systems are listed in Table 3-4.

[Table 3-3, Sheets 1 and 2 of 2. Matrix of auxiliary system support signals (rows) against primary and secondary system supertypes (columns). Legible column groups on Sheet 2: Primary (CVCS, RCS, CCW, RCW) and Secondary (Main Steam, Condensate, Heater Drains, Generator). Legible row labels on Sheet 2: Electric Power (480V Turbine Building Common Board B, CCW Cooling Tower MCCs A and B, Condensate Demineralizer MCC, Water Supply MCC A, 125V DC Vital Battery Boards I and II, 120V AC Vital Board 1-I, 250V DC Turbine Building Board 1), ERCW Other Users 1A, Reactor Building Header, Thermal Barriers, Miscellaneous Header, and Control Air Pressure. The matrix entries are not legible.]

3.3.3.4 Operation. The normal operation of each auxiliary system is discussed within each system analysis in Appendix A.

3.4 AVAILABILITY MODEL

The availability model is divided into three major areas: primary systems, secondary systems, and auxiliary systems (see Table 3-2). The system GO models are categorized into one of these three areas. The availability model is shown in Figure 3-16. This one-line block diagram (Figure 3-16a) shows the functional configuration of the auxiliary systems with the primary and secondary systems. The model represents the flow of power initiated from the heat producing primary system to the power conversion cycle of the secondary system. All the support output of the auxiliary systems is shown supporting the primary and secondary systems where needed.

Figure 3-16b shows the actual auxiliary systems GO model. Figure 3-16c shows the primary and secondary systems GO model. Table 3-5 lists the descriptions of all the supertype signal numbers.

The interdependencies of the auxiliary systems are also modeled. For example, the ERCW system supplies cooling water to both the CCS and compressed air system; electric power is supplied to all availability systems. The auxiliary systems will be discussed further in each individual auxiliary system analysis included in Appendix A.

3.4.1 Primary System Model

3.4.1.1 Analysis Boundary Conditions. The following assumptions and conditions have been applied to the primary system model:

• All chemicals required for CVCS operation are assumed available.
• RCS flow is assumed available to the letdown lines.
• The cation demineralizer is not necessary for CVCS success.
• Either the normal letdown path or the excess letdown path can provide successful letdown for the CVCS.

Table 3-4
AUXILIARY SYSTEM DEPENDENCIES

Description | Signal number | Dependent ERCW, CCS, and CAS equipment

Electric Power
6.9 kV Shutdown Board 1A-A | 17 | Pumps Q-A, J-A
6.9 kV Shutdown Board 1B-B | 20 | Pumps N-B, L-B
6.9 kV Shutdown Board 2A-A | 22 | Pumps R-A, K-A
6.9 kV Shutdown Board 2B-B | 24 | Pumps M-B, P-B
480V ERCW MCC 1A-A | 44 | Strainer A1A-A, Traveling Screen 1
480V ERCW MCC 1B-B | 38 | Strainer B1B-B, Traveling Screen 3
480V ERCW MCC 2A-A | 48 | Strainer A2A-A, Traveling Screen 2
480V ERCW MCC 2B-B | 52 | Strainer B2B-B, Traveling Screen 4
480V Reactor Building MOV 1A2-A | 42 | 1-FCV-67-81,147,223,424; FCV-67-146; FCV-70,23,25,6,10,4,197.2
480V Reactor Building MOV 2A2-A | 45 | 2-FCV-67-81,147,223
480V Reactor Building MOV 1B2-B | 36 | 1-FCV-67-82; FCV-67-478; FCV-70-9,13,196,12
480V Reactor Building MOV 2B2-B | 49 | 2-FCV-67-82; FCV-67-152
480V Reactor Building MOV 1A1-A | 40 | Turbine Building Booster Pump 1A-A
480V Reactor Building MOV 1B1-B | 34 | Turbine Building Booster Pump 1B-B
480V Shutdown Board 1A1-A | 39 | Pump 1A-A
480V Shutdown Board 1B1-B | 33 | Pump 1B-B; Compressor B
480V Shutdown Board 1A2-A | 43 | Pump C-S; Compressor A
480V Auxiliary Building Common Board Bus A | 13 | Compressor C
480V Auxiliary Building Common Board Bus B | 14 | Compressor D
480V Containment and Auxiliary Building Board 2A1-A | 46 | Auxiliary Compressor AA, Dryer AA
480V Containment and Auxiliary Building Board 2B1-B | 50 | Auxiliary Compressor BB, Dryer BB
125V DC Vital Battery Board I | 79 |
125V DC Vital Battery Board II | 63 | FCV-32-32,37,42,137
120V AC Vital Instrument Power Board 1-I | 76 | Air Compressor AA, BB; FCV-32-82,61
120V AC Vital Instrument Power Board 1-II | 77 | Compressor A, C; FCV-32-85,87
120V AC Vital Instrument Power Board 1-III | 65 | Compressor B
120V AC Vital Instrument Power Board 1-IV | 64 | Compressor D; Dryer B, C
120V AC Instrument Power Distribution Panel 1-A | 78 | Dryers A, B, C

ERCW
Other Users Header 1A | 53 | Pumproom Coolers; Compressors A, B, C, D, A-A
Other Users Header 1B | 54 | Pumproom Coolers; Compressors A, B, C, D
Component Cooling Heat Exchanger A | 55 | Heat Exchanger A
Component Cooling Heat Exchanger C | 56 | Heat Exchanger C; Compressor B-d
9

r.

                                         +

1 1 1 l l l s o,....

                                         . . . Cv..C      . .v ., . .

ACPOWFA 44STRUMENT4flO80 ANO Co8efROL 80wtR iP 1P if IBSENflAL AAW Compos,tmf CoOINeo ComtAOL Aan W4ffR CoOLIlso WATE A .g W4ftR g $YSTEM Asq ir u ,,

                                +                                             u                   ,,

enemany systeu seco=oany systru 4C, Coou ... ..A....A,o.,..,.. CM0ueCAL WoLut80 oA8,.... Cosetn06 Sv0f EM MA84 875 AM WOTM TUR9tNS newsaaton wetu surrong systems M Coe,ogggAgg pf aff AS, PUMrg, Asso oggehtRALigER$ ea 7 MNT Av A LAsiury A .v e.n. A.m..

                                                                   .o .vaie RAW C           n4ftm
                                                 ,   Co o.o.o.t.18ee
                                                                 .C      aCour.A,.

coo,

                                       .A.. =o Figure 3-16a. Plant Availability Model 3-48

[Figure 3-16b. Auxiliary Systems Availability GO Model. GO chart with blocks for the electric power system (Unit 1 boards, Unit 2 boards, common boards), the I&C power system (125V DC and 250V DC batteries), the component cooling system, the essential raw cooling water system, and the control air system, with a supertype description legend.]

[Figure 3-16c. Primary and Secondary Systems Availability GO Model.]

Table 3-5 AVAILABILITY MODEL SIGNAL NUMBERS

Signal  Supertype  Description
1       200        Main Transformer
2       200        Start Bus 1A
3       200        Start Bus 1B
4       200        Start Bus 2A
5       200        Start Bus 2B
6       -          Perfect Signal Initiator
7       240        480V CCW Cooling Tower MCC A and B
8       220        480V Turbine Building Common Board B
9       200        Unit Station Service Transformer 1A
10      200        Unit Station Service Transformer 1B
11      220        480V Condensate Demineralizer MCC
12      220        480V Water Supply MCC A
13      220        480V Auxiliary Building Common Board A
14      220        480V Auxiliary Building Common Board B
15      235        480V Turbine Building MOV Board 1A
16      235        480V Turbine Building Vent Board 1A
17      235        6.9 kV Shutdown Board 1A-A
18      230        480V Turbine Building MOV Board 1B
19      230        480V Turbine Building Vent Board 1B
20      230        6.9 kV Shutdown Board 1B-B
21      210        480V Unit Board 2A
22      210        6.9 kV Shutdown Board 2A-A
23      210        480V Unit Board 2B
24      210        6.9 kV Shutdown Board 2B-B
25      240        6.9 kV CCW Cooling Tower Board A and B
26      235        6.9 kV Unit Board 1A
27      235        6.9 kV Unit Board 1B
28      235        480V Unit Board 1A
29      230        6.9 kV Unit Board 1D
30      230        6.9 kV Unit Board 1C
31      230        480V Unit Board 1B
32      235        480V Turbine Building MOV Board 1C
33      260        480V Shutdown Board 1B1-B
34      260        480V Reactor Building MOV Board 1B1-B
35      260        480V Reactor Building Vent Board 1B1-B
36      260        480V Reactor Building MOV Board 1B2-B
37      260        480V Shutdown Board 1B2-B
38      260        480V ERCW MCC 1B-B
39      260        480V Shutdown Board 1A1-A
40      260        480V Reactor Building MOV Board 1A1-A
41      260        480V Reactor Building Vent Board 1A1-A
42      260        480V Reactor Building MOV Board 1A2-A
43      260        480V Shutdown Board 1A2-A
44      260        480V ERCW MCC 1A-A
45      250        480V Reactor Building MOV Board 2A2-A
46      250        480V Containment and Auxiliary Building Vent Board 2A1-A
47      250        480V Shutdown Board 2A2-A
48      250        480V ERCW MCC 2A-A
49      250        480V Reactor Building MOV Board 2B2-B
50      250        480V Containment and Auxiliary Building Vent Board 2B1-B
51      250        480V Shutdown Board 2B2-B
52      250        480V ERCW MCC 2B-B
53      400        ERCW Other Users Header 1A
54      400        ERCW Other Users Header 2A
55      400        ERCW Other Users Header 1B
56      400        ERCW Other Users Header 2B
57      400        ERCW to Component Cooling Heat Exchanger A
58      400        ERCW to Component Cooling Heat Exchanger C
59      -          125V DC Battery I Initiator
60      -          125V DC Battery II Initiator
61      -          125V DC Battery III Initiator
62      -          125V DC Battery IV Initiator
63      170        125V DC Vital Battery Board II
64      170        120V AC Vital Instrument Power Board I-IV
65      170        120V AC Vital Instrument Power Board I-III
66      170        120V AC Vital Instrument Power Distribution Panel 2-B
67      170        125V DC Vital Battery Board IV
68      170        125V DC Vital Battery Board III
69      250        480V Shutdown Board 2A1-A
70      250        480V Shutdown Board 2B1-B
71      310        Control Air Supply
74      510        Component Cooling Reactor Building Header
76      170        120V AC Vital Instrument Power Board 1-1
77      170        120V AC Vital Instrument Power Board 1-11
78      170        120V AC Vital Instrument Power Distribution Panel 1-A
79      170        125V DC Vital Battery Board I
80      175        250V DC Battery Board I
81      175        250V DC Battery Board II
82      175        250V DC Turbine Building Board 1
83      175        250V DC Turbine Building Board 2
84      175        250V DC Electrical Control Board Distribution Panel
85      510        Component Cooling Thermal Barriers Supply
86      510        Component Cooling Safety Header 1A
88      510        Component Cooling Miscellaneous Header
100     1600       Raw Cooling Water Supply
101     300        CCW Supply to Raw Cooling Water
102     500        No. 7 Heater Drain Tank Return to String A
103     500        No. 7 Heater Drain Tank Return to String B
104     500        No. 7 Heater Drain Tank Return to String C
105     600        No. 3 Heater Drain Tank Return to String A
106     600        No. 3 Heater Drain Tank Return to String B
107     600        No. 3 Heater Drain Tank Return to String C
108     1550       Main Feedwater Pump 1A Injection Water
109     1550       Main Feedwater Pump 1B Injection Water
110     100        Main Steam to Turbine and MSRs
111     700        Low Pressure Turbine Exhaust A
112     700        Low Pressure Turbine Exhaust B
113     700        Low Pressure Turbine Exhaust C
114     800        Condenser Hotwell Pumps Output
115     900        Condensate Demineralizer Pumps Output
116     1100       Heater Strings 5, 6, and 7 Output
117     1200       Condensate Booster Pumps Output
118     1300       Heater Strings 2, 3, and 4 Output
119     1500       Main Feedwater Pumps and Heater String 1 Output
120     300        CCW to Main Condensers
125     950        CVCS Charging Pumps Output
126     950        CVCS Pressurizer Spray Output
127     950        CVCS Seal Water Circulation Output
128     975        Primary System Output
149     1700       Generator Output
150     -          Plant Availability

• Only one out of three charging pumps is necessary for CVCS success.
• CCS flow from three sources is required: (1) CCS booster pump discharge; (2) reactor building discharge header; and (3) miscellaneous discharge header.

3.4.1.2 GO Model. The primary system GO model consists of the CVCS model output (seal water, charging, and pressurizer spray) supplying the RCS model. The RCS model starts with an initiator and supplies two outputs, which combine to show successful operation of the primary system.

The CVCS GO model is shown in Figure 3-17. This model is logically conditional on the availability of input flow from the RCS to the CVCS letdown lines. Thus, a type 5 operator (signal generator) with a perfect signal is the starting point of the GO model. Three system outputs are the GO model end points. These outputs are: (1) seal water circulation; (2) charging or makeup flow back to the RCS; and (3) pressurizer spray flow (on demand). Failure of the CVCS is defined as failure of either of these first two output signals. Thus, the availability of the CVCS is defined as the availability of both of these output signals. The third output signal, pressurizer spray flow on demand, is monitored for input to the RCS since it represents a potential unavailability contributor to that system.

Figure 3-18 depicts the GO model representation of the RCS. The reactor coolant loops were simulated by parallel straight line paths starting with the hot leg outlet flow from the reactor vessel and ending with the inlet cold leg flow to the reactor vessel (including the vessel itself). All four flow loops must be successful (AND gate) for full power availability. Thus, the starting point for the GO model is the RCS outlet flow, assumed to be a type 5 generator with a perfect signal. The type 6 components of steam generators and reactor coolant pumps in each loop are dependent on input from multiple supporting auxiliary systems. These are:

• Electrical Power Supply (480V and 120V)
• Actuating Instrumentation
• Secondary Coolant Flow

Figure 3-17. GO Model for the Chemical and Volume Control System

Figure 3-18. GO Model for the Reactor Coolant System (ST 975)

Each loop flow merges into a type 10 operator or AND gate. With this output signal and with availability of the RCS and loop piping, the output function of the RCS loop flow is derived.

The second output function of the RCS is the set of operating conditions for the pressurizer. This requires input flow to the spray, either from the loop 1 or loop 2 lines as controlled by two air-operated valves or from the CVCS pressurizer spray line (see CVCS writeup). In addition, the leaktightness of the pressure relief system is required, as is operability of the electric heaters and integrity of the pressurizer tank and associated piping.

3.4.2 Secondary System Model

3.4.2.1 Analysis Boundary Conditions. For the secondary systems analysis, all the following assumptions and conditions were applied:

• Steam generator unavailability is not included in the secondary system as it is included in the RCS; however, steam generator blowdown system unavailability is included.
• Cooling water from Chickamauga Lake is available to the condenser circulating water pumps.
• Extraction steam from all of the main steam extraction points is available to the main feedwater pump turbines, moisture separator reheaters, and condensate heaters.
• Condensed water from the heaters is available to the heater drains to be pumped forward by the heater drain tank pumps.
• Condensate water from the hotwell pumps discharge is available to the injection water system.
• Only the steady state, full power production operation of the secondary system was considered. There are two operational modes considered for steady state operation: (1) all of the condensate system pumps are available and two out of three within each of the seven heater strings are available; and (2) two out of three of each of the condensate system pumps and all of the seven heater strings are available.

3.4.2.2 GO Model. The secondary system has been divided into six subsystems as shown in Figure 3-19. Each of these subsystems contains supertypes which model the major components of the subsystem. The six subsystems are main steam, condensate, main feedwater, secondary cooling water, heater drains and pumps, and generator. Figure 3-19 also shows the flow paths of subsystem output.
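The two steady-state operational modes listed under the analysis boundary conditions share components, so their probabilities cannot be combined as if they were independent. The following Python sketch is an added example, not part of the report or the GO software; it computes the probability that either mode is satisfied and checks the closed form by state enumeration. Assumptions: three pump groups (hotwell, demineralizer, booster) of three pumps each, three parallel strings per heater stage, independent components, and constructed availability values.

```python
"""Availability under the two steady-state secondary-system success modes.

Constructed illustration: availabilities, the number of pump groups and
component independence are assumptions, not data from the report.
"""
from itertools import product
from math import comb


def k_of_n(k, n, a):
    """P(at least k of n independent units, each with availability a, are up)."""
    return sum(comb(n, i) * a**i * (1 - a) ** (n - i) for i in range(k, n + 1))


def secondary_availability(a_pump, a_string, pump_groups=3, heater_stages=7):
    """Return P(mode 1), P(mode 2) and P(mode 1 or mode 2).

    Mode 1: all 3 pumps in every group AND >= 2 of 3 strings in every stage.
    Mode 2: >= 2 of 3 pumps in every group AND all 3 strings in every stage.
    Both modes hold only when every pump and every string is up, so
    P(either) = P(mode 1) + P(mode 2) - P(all pumps and all strings up).
    """
    pumps_all = k_of_n(3, 3, a_pump) ** pump_groups
    pumps_2of3 = k_of_n(2, 3, a_pump) ** pump_groups
    heaters_all = k_of_n(3, 3, a_string) ** heater_stages
    heaters_2of3 = k_of_n(2, 3, a_string) ** heater_stages
    mode1 = pumps_all * heaters_2of3
    mode2 = pumps_2of3 * heaters_all
    overlap = pumps_all * heaters_all
    return {"mode1": mode1, "mode2": mode2, "either": mode1 + mode2 - overlap}


def enumerate_either(a_pump, a_string, pump_groups, heater_stages):
    """Brute-force P(mode 1 or mode 2) over every up/down state.

    Exponential in the component count; intended only as a cross-check
    on a reduced model.
    """
    n_p, n_h = 3 * pump_groups, 3 * heater_stages
    total = 0.0
    for state in product((0, 1), repeat=n_p + n_h):
        pumps = [sum(state[3 * g:3 * g + 3]) for g in range(pump_groups)]
        heats = [sum(state[n_p + 3 * s:n_p + 3 * s + 3])
                 for s in range(heater_stages)]
        mode1 = all(c == 3 for c in pumps) and all(c >= 2 for c in heats)
        mode2 = all(c >= 2 for c in pumps) and all(c == 3 for c in heats)
        if mode1 or mode2:
            up_p, up_h = sum(state[:n_p]), sum(state[n_p:])
            total += (a_pump**up_p * (1 - a_pump) ** (n_p - up_p)
                      * a_string**up_h * (1 - a_string) ** (n_h - up_h))
    return total


def naive_or(mode1, mode2):
    """OR of the two modes as if they were independent (overestimates)."""
    return 1 - (1 - mode1) * (1 - mode2)


if __name__ == "__main__":
    # Constructed availabilities for illustration only.
    result = secondary_availability(a_pump=0.98, a_string=0.995)
    print("mode 1        :", round(result["mode1"], 4))
    print("mode 2        :", round(result["mode2"], 4))
    print("either (exact):", round(result["either"], 4))
    print("either (naive):", round(naive_or(result["mode1"], result["mode2"]), 4))
    reduced = secondary_availability(0.9, 0.95, pump_groups=1, heater_stages=2)
    print("reduced model closed form :", reduced["either"])
    print("reduced model enumeration :", enumerate_either(0.9, 0.95, 1, 2))
```

The independent-OR figure is always at least as large as the exact one, because it counts the all-components-available state as two separate successes.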


The main steam subsystem consists of two supertypes: supertype 100 and supertype 700. Supertype 100 (Figure 3-20) consists of the steam generators, steam generator blowdown system, and main steam isolation valves. Supertype 700 (Figure 3-21) consists of the high pressure and low pressure stages of the turbine and the moisture separator reheaters.

The condensate subsystem consists of five supertypes: supertypes 800, 900, 1100, 1200, and 1300. Supertype 800 (Figure 3-22) contains the condensers, condenser vacuum pumps, and hotwell pumps. Supertype 900 (Figure 3-23) contains the condensate demineralizers and the condensate demineralizer pumps. Supertype 1100 (Figure 3-24) consists of the condensate makeup and blowdown lines, gland steam condenser, main feedwater pump turbine condensers, and the Nos. 5, 6, and 7 heater strings. Supertype 1200 contains the condensate boost pumps (Figure 3-25). Supertype 1300 (Figure 3-26) contains the Nos. 2, 3, and 4 heater strings.

The main feedwater subsystem consists of two supertypes: supertype 1500 and supertype 1550. Supertype 1500 (Figure 3-27) contains the main feedwater pumps, the No. 1 heater string, and feedwater control. Supertype 1550 (also Figure 3-27) contains the injection water booster pumps which supply injection water to the seals of the main feedwater pumps.

The secondary cooling subsystem consists of supertype 300 (condenser circulating water) and supertype 1600 (raw cooling water). Supertype 300 (Figure 3-28) contains the CCW pumps, condenser isolation valves, cooling tower lift pumps, and cooling tower. Supertype 1600 consists of the RCW strainers and pumps (Figure 3-29).

The heater drain and pump system consists of two supertypes: supertype 500 and supertype 600. Supertype 500 (Figure 3-30) contains the No. 7 heater drain tank, the No. 7 heater drain tank pumps, and all drains flowing into the tank. Supertype 600 (Figure 3-31) contains the No. 3 heater drain tank, the No. 3 heater drain tank pumps, and all drains flowing into the tank.

The electrical generating system consists of supertype 1700. Supertype 1700 (Figure 3-32) contains the main generator and generator support systems. The generator support systems consist of stator cooling water, seal oil, hydrogen cooling, and hydrogen circulation blowers and fans. The generator is represented by operator 1-2.

Figure 3-20. Supertype 100 - Steam Generators and Blowdown

Figure 3-21. Supertype 700 - Turbine and Moisture Separator Reheaters

Figure 3-22. Supertype 800 - Condensers and Hotwell Pumps

Figure 3-23. Supertype 900 - Condensate Demineralizers and Pumps

Figure 3-24. Supertype 1100 - Heaters 5, 6, and 7

Figure 3-25. Supertype 1200 - Condensate Booster Pumps


b q 149 149 149 149 149 149 149 149 149 149 149 143 i l 2 2 2 1 2 149 2 14 7 / n s s 21g } i 149 10 10 10 CONTROLLERS 1-53 1 43 lag 1 63 CONTROLLER CONTROL F 1P SIG. 1 1F 8G-MFPTIA MFPT1B 105 80 1 E XTR ACTION FEEDWA STEAM 106 l 505 im im b (,, e FCV 6 16 &32 627 & 16 4 6 16 FCV 2-221 k FCV FCV FCV 5 21 10 E lON 575 6-23 6 23 p 1 FCV A.g gg FCV FCV 107 a 1 39 1 38 SEARING 10 to LUBE OIL 107 107-t 616 FCV 5-23 r. i

  • 3 MFPTI A CONTROL SIG HYDRAULIC OIL 107 i 6\1 63 V ,,

[41 107 105 FCV FCV i 3M M 3M I j ,,,, Sie 6-32 627 4 16 106 108 FCV FCV FCV FCV 348 341 5-25 2 22e W NECTION INPUT $ TEAM 6 23 423 to WATER 2 5 16 43 [61 ' FCV FCV 100 F ROM SUPT RTYPE 1300 FCv C. , ,Cy s 145 i46 f 30: nCW 105 AIR B E ARING 106 18 MOV A 10 LUBEOIL

]-

j 107 TB MOV 8 10e is uOv C

)      ist 6900 V unit eo 1 A
;                                                                   HYDRAULIC f      122 8900 V UNIT eD 18                    MFPT18 CONTROL             O1L 126 R6h0V 1A2 A                          8'O J

127 R8MOV 182 0 OUTPUT l 129 MFWP OIL UMP P (AC) I 130 MFWP OIL PUMP (DCl 200 TOTAL PLANT AVAILABILITY i i j Figure 3-27. Supertypes 1500 and 1550 - Main Feedwater

}

l 3-67 =(

[Figure 3-28. Supertype 300 - Condenser Circulating Water (Closed Cycle Mode)]

[Figure 3-29. Supertype 1600 - Raw Cooling Water]

[Figure 3-31. Supertype 600 - Number 3 Heater Drain Tank and Pumps]

[Figure 3-32. Supertype 1700 - Generator and Support Systems]

3.4.3 Auxiliary Systems Model

3.4.3.1 Boundary Conditions. The auxiliary systems supply support functions necessary for plant operation. For the electrical system, the support function boundary is a particular bus or board from which a component draws power. The individual component breaker connected to that bus and all equipment between the breaker and its assigned component are included in the system model.

The compressed air system boundary is the CAS main supply header. All systems using control air will be supplied from the main supply header. All system air supplies from the main header, including associated valving, are included in the system models.

The ERCW boundary for Unit 1 is the output of the two main headers, 1A and 1B. All systems using ERCW will be supplied from these two headers. All system heat exchangers and associated valving are included within the system models.

The CCS boundary is the output of CCS water to the main supply headers. All systems using CCS water will be supplied from these headers. All system heat exchanger leads and associated valving are included in the system models. The three CCS heat exchangers are included in the CCS model.

3.4.3.2 Interface with Plant Model. The auxiliary systems output is summarized in Table 3-3. All functions which support plant operations are listed in this table.

3.4.4 Results

The availability analysis results are divided into auxiliary systems, primary systems, and secondary systems. The auxiliary systems results are shown in Table 3-6. These results are presented strictly as auxiliary function availabilities with all dependencies included. For example, the ERCW system results include the dependency on electric power, and the CCS results include the dependency on electric power and ERCW. The effect of these interdependencies on the auxiliary results must be accounted for before a dominant contributor ranking can be accomplished. For further individual system results, refer to the appropriate systems analyses in Appendix A.

Table 3-6
AUXILIARY SYSTEM RESULTS

Signal Numbers             Description                                   Unavailability
26,27,29,30                6.9 kV Unit Board                             1.32-3
17,20,22,24                6.9 kV Shutdown Board                         1.30-3
25                         6.9 kV CCW Cooling Tower Board                1.32-3
21,23,28,31                480V Unit Board                               1.70-3
33,37,39,43,47,51,69,70    480V Shutdown Board                           1.31-3
16,19                      480V Turbine Building Vent Board              1.30-3
15,18,32                   480V Turbine Building MOV Board               1.30-3
35,41                      480V Reactor Building Vent Board              1.30-3
34,36,40,42,45,49          480V Reactor Building MOV Board               1.30-3
38,44,48,52                480V ERCW MCC                                 1.69-3
46,50                      480V Containment and Auxiliary Vent Board     1.30-3
8                          480V Turbine Building Common Board            1.73-3
11                         480V Condensate Demineralizer MCC             6.64
12                         480V Water Supply MCC                         1.68-3
13,14                      480V Auxiliary Building Common Board          1.30-3
7                          480V CCW Cooling Tower MCC                    1.30-3
80,81                      250V DC Battery Board                         2.41-6
82,83                      250V DC Turbine Building Board                7.57-8
64,65,66,76,77,78          120V AC Vital Instrument Power Board          1.43-E
63,67,68,79                125V DC Vital Battery Board                   5.81-6
71                         Control Air Supply                            7.83-3
86,88                      CCS Safety Header Supply                      1.37-3
85                         CCS Thermal Barrier Supply                    1.40-3
57,58                      ERCW - CCS Heat Exchanger Supply              1.76-3
53,54,55,56                ERCW - Supply Headers 1A, 1B, 2A, and 2B      1.76-3

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.32-3 = 1.32 x 10^-3.

The primary and secondary systems results include system contributions and dominant contributors. Tables 3-7 and 3-8 show the CVCS and RCS results, respectively. Table 3-9 shows the overall primary system results.

The secondary system results are as follows: Tables 3-10 through 3-12 show the CCW, RCW, and main steam systems results. Tables 3-13 and 3-14 show the results for the heater drain tanks and pumps. Tables 3-15 and 3-16 show the results for the condensate system under two sets of success criteria. Tables 3-17 and 3-18 show the main feedwater and generator systems results, respectively. The overall secondary system results and dominant contributors ranking are shown in Table 3-19.

The overall plant results are shown in Table 3-20. The plant dominant contributors to unavailability are ranked, and their percentage contribution to the plant unavailability is also shown.

The dominant contributors of the CCW system, listed in Table 3-10, are the four cooling tower lift pumps. These pumps only surface as dominant contributors to unavailability because of the conservative modeling assumption requiring operation of the cooling tower and pumps. Since the CCW system can operate without the cooling tower and pumps, the cooling tower lift pumps would not show up as dominant contributors in the CCW system results, the secondary system results (Table 3-19), or the plant results (Table 3-20).

The dominant contributors of the heater drain tank systems are the heater drain tank 7 pumps (see Table 3-13) and heater drain tank 3 pumps (see Table 3-14). These drain tank pumps only surface as dominant contributors to unavailability because of the conservative modeling assumptions requiring all five pumps for success. Less stringent success criteria for these pumps would eliminate them as dominant contributors to the heater drain tank 7 system results (Table 3-13), heater drain tank 3 system results (Table 3-14), secondary system results (Table 3-19), and plant results (Table 3-20).
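The effect of the success criterion on the heater drain tank pumps can be checked numerically. The following is an added example, not part of the report or of the GO software: it assumes identical, independent pumps with the per-pump unavailability listed in Tables 3-13 and 3-14, and the relaxed criterion (one pump per group allowed out of service) is hypothetical.

```python
from math import comb

# Per-pump unavailability listed in Tables 3-13 and 3-14 ("1.47-3" = 1.47 x 10^-3).
PUMP_Q = 1.47e-3

# Pump groups named in the passage and their sizes (Tables 3-13 and 3-14).
GROUPS = {
    "heater drain tank 7 pumps": 2,
    "heater drain tank 3 pumps": 3,
}


def k_of_n_unavailability(q, n, k):
    """Probability that fewer than k of n pumps are available.

    Assumption (not from the report): pumps are identical and independent,
    each unavailable with probability q.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability")
    if not 0 <= k <= n:
        raise ValueError("need 0 <= k <= n")
    p = 1.0 - q
    # Sum the binomial terms for 0 .. k-1 pumps available (the failed states).
    return sum(comb(n, up) * p**up * q**(n - up) for up in range(k))


def first_order_sum(q, n):
    """Sum of the n single-pump fault sets (rare-event approximation)."""
    return n * q


def compare_criteria(q=PUMP_Q, groups=GROUPS):
    """Group unavailability under the conservative and a relaxed criterion."""
    rows = {}
    for name, n in groups.items():
        rows[name] = {
            # Conservative criterion in the report: every pump is required.
            "all_required": k_of_n_unavailability(q, n, n),
            # n * q; equals the grouped pump entries 2.94-3 and 4.41-3
            # printed in Table 3-20.
            "first_order_sum": first_order_sum(q, n),
            # Hypothetical relaxed criterion: one pump may be out of service.
            "one_spare": k_of_n_unavailability(q, n, n - 1),
        }
    return rows


if __name__ == "__main__":
    for name, r in compare_criteria().items():
        print(f"{name}:")
        print(f"  all pumps required : {r['all_required']:.3e}")
        print(f"  first-order sum    : {r['first_order_sum']:.3e}")
        print(f"  one pump spare     : {r['one_spare']:.3e}")
```

With every pump required, each pump is a first-order fault set and the group unavailability scales with the number of pumps; with one spare, only pairs of failures defeat the group, so the contribution drops by more than two orders of magnitude.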

Table 3-7
CHEMICAL AND VOLUME CONTROL SYSTEM RESULTS
(System Availability = 0.998296)

Fault Sets                       Importance (percent)    Unavailability
1.  RV 62-636                    49.50                   8.44-3
2.  Seal Water Filter            4.11                    7.01-5
3.  FCV 62-9                     3.53                    6.02-5
4.  FCV 62-22                    3.53                    6.02-5
5.  FCV 62-So                    3.63                    6.02-5
6.  FCV 62-48                    3.53                    6.02-5
7.  FCV 62                       2.90                    4.94-5
8.  GV 62-543                    2.90
9.  CV 62-560                    2.90                    4.94-5
10. CV 62-576                    2.90                    4.94-5
11. CV 62-561                    2.90                    4.94-6
12. CV 62-577                    2.90                    4.94-5
13. CV 62-562                    2.90                    4.94-6
14. CV 62-578                    2.90                    4.94
15. CV 62-563                    2.90                    4.94-6
16. CV 62-579                    2.90                    4.94-5
17. Seal Water Heat Exchanger    2.23                    J.61-b

NOTE: Exponential notation is indicated in abbreviated form; i.e., 8.44-3 = 8.44 x 10^-3.

Table 3-8
REACTOR COOLANT SYSTEM RESULTS
(System Availability = 0.962789)

Fault Sets                   Importance (percent)    Unavailability
1.  Steam Generator A        15.17                   5.35-3
2.  Steam Generator B        15.17                   5.35-3
3.  Steam Generator C        15.17                   6.05-4
4.  Steam Generator D        15.17                   5.35-3
5.  RCP A                    5.36                    1.89-3
6.  RCP B                    5.36                    1.89-3
7.  RCP C                    6.36                    1.89-3
8.  RCP D                    5.36                    1.89-3
9.  Safety Valve 1           2.49                    8.44-4
10. Safety Valve 2           2.39                    8.44-4
11. Safety Valve 3           2.49                    8.44-4
12. Oil Lift Pump 68-84      1.54                    5.42-4
13. Oil Lift Pump 68-85      1.64                    5.42-4
14. Oil Lift Pump 68-86      1.54                    5.42-4
15. Oil Lift Pump 68-87      1.54                    5.42-4

NOTE: Exponential notation is indicated in abbreviated form; i.e., 5.35-3 = 5.35 x 10^-3.

Table 3-9
PRIMARY SYSTEM RESULTS
(System Availability = 0.963585)

Fault Sets                         Importance (percent)    Unavailability
1.  Steam Generator A              14.45                   5.35-3
2.  Steam Generator B              14.45                   5.35-3
3.  Steam Generator C              14.45                   5.35-3
4.  Steam Generator D              14.45                   5.35-3
5.  Reactor Coolant Pump A         5.10                    1.89-3
6.  Reactor Coolant Pump B         5.10                    1.89-3
7.  Reactor Coolant Pump C         5.10                    1.89-3
8.  Reactor Coolant Pump D         5.10                    1.89-3
9.  Relief Valve 62-636 (CVCS)     2.28                    8.44-4
10. Safety Valve 1                 2.28                    8.44-4
11. Safety Valve 2                 2.28                    8.44-4
12. Safety Valve 3                 2.28                    8.44-4
13. Lift Pump 68-84                1.46                    5.42-4
14. Lift Pump 68-85                1.46                    5.42-4
15. Lift Pump 68-86                1.46                    5.42-4
16. Lift Pump 68-87                1.46                    5.42-4

NOTE: Exponential notation is indicated in abbreviated form; i.e., 5.35-3 = 5.35 x 10^-3.

Table 3-10
CONDENSER CIRCULATING WATER RESULTS
(System Availability = 0.993857)

Fault Sets                          Importance (percent)    Unavailability
1. Cooling Tower Supply Pump A      24.87                   1.47-3
2. Cooling Tower Supply Pump B      23.87                   1.47-3
3. Cooling Tower Supply Pump C      23.87                   1.47-3
4. Cooling Tower Supply Pump D      23.87                   1.47-3
5. Gate Structure                   1.62                    1.00-4
6. Cooling Tower                    1.62                    1.00-4

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.47-3 = 1.47 x 10^-3.

Table 3-11
RAW COOLING WATER RESULTS
(System Availability = 0.99999885)

Fault Sets                                             Importance (percent)    Unavailability
1. Butterfly Valve (at CCW pumps discharge header)     97.26                   1.00-0
2. Strainer A and Strainer B                           0.44                    4.91-3
3. Strainer A and Strainer C                           0.44                    4.91-9
4. Strainer A and Strainer D                           0.44                    4.31-9
5. Strainer B and Strainer C                           0.44                    4.91-9
6. Strainer B and Strainer D                           0.44                    4.91-9
7. Strainer C and Strainer D                           0.44                    4.91-9

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.08-6 = 1.08 x 10^-6.

Table 3-12
MAIN STEAM SYSTEM RESULTS
(System Availability = 0.9205958)

Fault Sets                                          Importance (percent)    Unavailability
1. Turbine                                          74.21                   6.00-2
2. Loop 1 Steam Generator Safety Valves 1 to 5      5x(1.04)                5x(8.44-4)
3. Loop 2 Steam Generator Safety Valves 1 to 5      5x(1.04)                5x(8.44-4)
4. Loop 3 Steam Generator Safety Valves 1 to 5      5x(1.04)                5x(8.44-4)
5. Loop 4 Steam Generator Safety Valves 1 to 5      5x(1.04)                5x(8.44-4)

NOTE: Exponential notation is indicated in abbreviated form; i.e., 6.00-2 = 6.00 x 10^-2.

Table 3-13
HEATER DRAIN TANK 7 AND PUMPS RESULTS
(System Availability = 0.996189)

Fault Sets                         Importance (percent)    Unavailability
1.  Heater Drain Tank Pump 1A      38.62                   1.47-3
2.  Heater Drain Tank Pump 1B      38.52                   1.47-3
3.  LCV 6-127A                     1.58                    6.02-3
4.  LCV 6-133                      1.58                    6.02-6
5.  LCV 6-13d                      1.58                    6.02-5
6.  LCV 6-147A                     1.58                    6.02-5
7.  LCV 6-153                      1.58                    6.02-5
8.  LCV 6-158                      1.58                    6.02-5
9.  LCV 6-166A                     1.58                    6.02-5
10. LCV 6-172                      1.58                    6.02-6
11. LCV 6-177                      1.68                    6.02-5
12. FCV 6-190A                     1.58                    6.02-5
13. LCV 6-20b                      1.58                    6.02-5
14. HDTP 1A Oil Cooler             1.00                    3.81-5
15. HDTP 1B Oil Cooler             1.00                    3.81-5

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.47-3 = 1.47 x 10^-3.

Table 3-14
HEATER DRAIN TANK 3 AND PUMPS RESULTS
(System Availability = 0.9938608)

Fault Sets                         Importance (percent)    Unavailability
1.  Heater Drain Tank Pump 1A      23.88                   1.47-4
2.  Heater Drain Tank Pump 1B      23.88                   1.47-3
3.  Heater Drain Tank Pump 1C      24.88                   1.47-3
4.  LCV 6-13A                      0.98                    6.02-5
5.  LCV 6-33A                      0.98                    6.02-5
6.  LCV 6-56A                      0.98                    6.02-5
7.  LCV 6-76A                      0.98                    6.02-5
8.  LCV 6-85A                      0.98                    6.02-6
9.  LCV 6-94A                      0.98                    6.02-5
10. LCV 6-4A                       0.98                    6.02-5
11. LCV 6-28A                      0.98                    6.02-5
12. LCV 6-50A                      0.98                    6.02-5
13. LCV 6-72A                      0.98                    6.02-5
14. LCV 6-81A                      0.98                    0.02-5
15. LCV 6-90A                      0.98                    6.02-5
16. LCV 6-16A                      0.98                    6.02-5
17. LCV 6-35A                      0.98                    6.02-6
18. LCV 6-58A                      0.98                    6.02-5
19. LCV 6-9A                       0.98                    6.02-5
20. LCV 6-31A                      0.98                    6.02-5
21. LCV 6-52A                      0.98                    6.02-5
22. LCV 6-74A                      0.98                    6.02-5
23. LCV 6-83A                      0.98                    6.02-5
24. LCV 6-92A                      0.98                    6.02-5
25. LCV 6-21                       0.98                    6.02-5
26. LCV 6-43                       0.98                    6.02-5
27. LCV 6-6b                       0.98                    6.02-5

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.47-3 = 1.47 x 10^-3.

Table 3-15
CONDENSATE SYSTEM RESULTS*
(System Availability = 0.989478)

Fault Sets                                                                   Importance (percent)    Unavailability
1.  Condenser A                                                              12.57                   1.33-3
2.  Condenser B                                                              12.57                   1.33-4
3.  Condenser C                                                              12.57                   1.33-3
4.  Gland Steam Condenser                                                    10.40                   1.10-3
5.  MFPT Condenser 1A                                                        10.40                   1.10-3
6.  MFPT Condenser 1B                                                        10.40                   1.10-4
7.  Condenser Vacuum Pump A and B                                            1.80                    1.904-4
8.  Condenser Vacuum Pump A and C                                            1.80                    1.904-4
9.  Condenser Vacuum Pump B and C                                            1.60                    1.904-4
10. Condensate Heaters A1 to A6, B1 to B6, and C1 to C6 (18 heaters)         20.34                   2.16-3

*Operational Mode = 2/3 hotwell, condensate, and demineralized condensate booster pumps with all heater trains.

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.33-3 = 1.33 x 10^-3.

Table 3-16
CONDENSATE SYSTEM RESULTS*
(System Availability = 0.9784296)

Fault Sets                                        Importance (percent)    Unavailability
1.  Hotwell Pump A                                6.74                    1.47-3
2.  Hotwell Pump B                                6.74                    1.47-3
3.  Hotwell Pump C                                6.74                    1.47-4
4.  Demineralized Condensate Booster Pump A       6.74                    1.47-3
5.  Demineralized Condensate Booster Pump B       6.74                    1.47-3
6.  Demineralized Condensate Booster Pump C       6.74                    1.47-3
7.  Condensate Booster Pump A                     6.74                    1.47-3
8.  Condensate Booster Pump B                     6.74                    1.47-3
9.  Condensate Booster Pump C                     6.74                    1.47-3
10. Condenser A                                   6.10                    1.43-3
11. Condenser B                                   6.10                    1.33-3
12. Condenser C                                   6.10                    1.33-3
13. Gland Steam Condenser                         5.05                    1.10-3
14. MFPT Condenser 1A                             5.05                    1.10-3
15. MFPT Condenser 1B                             5.05                    1.10-3

*Operational Mode = all hotwell, condensate, and demineralized condensate booster pumps with 2/3 heater trains.

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.47-3 = 1.47 x 10^-3.

Table 3-17
MAIN FEEDWATER SYSTEM RESULTS
(System Availability = 0.9547117)

Fault Sets                     Importance (percent)    Unavailability
1. Main Feedwater Pump 1A      48.87                   2.24-2
2. Main Feedwater Pump 1B      48.87                   2.24-2

NOTE: Exponential notation is indicated in abbreviated form; i.e., 2.24-2 = 2.24 x 10^-2.

Table 3-18
ELECTRICAL GENERATING SYSTEM
(System Availability = 0.9427104)

Fault Sets                                  Importance (percent)    Unavailability
1. Generator                                51.31                   3.00-2
2. Hydrogen Fan A                           8.52                    4.98-3
3. Hydrogen Fan B                           8.52                    4.98-3
4. Hydrogen Blower A                        8.52                    4.98-4
5. Hydrogen Blower B                        8.62                    4.98-3
6. Hydrogen Blower C                        8.52                    4.98-3
7. Hydrogen Side Seal Oil Pump              2.51                    1.47-3
8. Air Side Seal Oil Pump                   2.51                    1.47-3
9. Filter (air side seal oil pump)          0.12                    7.01-5

NOTE: Exponential notation is indicated in abbreviated form; i.e., 3.00-2 = 3.00 x 10^-2.

Table 3-19
SECONDARY SYSTEM RESULTS
(System Availability = 0.79771)
Sheet 1 of 2

Fault Sets                                                           Importance (percent)    Unavailability
1.  Turbine (main steam system)                                      26.90                   6.00-2
2.  Generator (generator)                                            13.45                   3.00-2
3.  Main Feedwater Pump 1A (main feedwater system)                   10.04                   2.24-2
4.  Main Feedwater Pump 1B (main feedwater system)                   10.04                   2.24-2
5.  Hydrogen Fan A (generator)                                       2.23                    4.98-3
6.  Hydrogen Fan B (generator)                                       2.23                    4.98-3
7.  Hydrogen Blower A (generator)                                    2.23                    4.98-3
8.  Hydrogen Blower B (generator)                                    2.23                    4.98-3
9.  Hydrogen Blower C (generator)                                    2.23                    4.98-3
10. Cooling Tower Supply Pump A (CCW)                                0.66                    1.47-3
11. Cooling Tower Supply Pump B (CCW)                                0.66                    1.47-3
12. Cooling Tower Supply Pump C (CCW)                                0.66                    1.47-3
13. Cooling Tower Supply Pump D (CCW)                                0.66                    1.47-3
14. Heater Drain Tank Pump 1A (HDTP 7)                               0.66                    1.47-3
15. Heater Drain Tank Pump 1B (HDTP 7)                               0.66                    1.47-3
16. Heater Drain Tank Pump 1A (HDTP 3)                               0.66                    1.47-3
17. Heater Drain Tank Pump 1B (HDTP 3)                               0.66                    1.47-3
18. Heater Drain Tank Pump 1C (HDTP 3)                               0.66                    1.47-3
19. Hotwell Pump A (condensate system)                               0.66
20. Hotwell Pump B (condensate system)                               0.66
21. Hotwell Pump C (condensate system)                               0.66
22. Demineralized Condensate Booster Pump A (condensate system)      0.66
23. Demineralized Condensate Booster Pump B (condensate system)      0.66
24. Demineralized Condensate Booster Pump C (condensate system)      0.66
25. Condensate Booster Pump A (condensate system)                    0.66
26. Condensate Booster Pump B (condensate system)                    0.66
27. Condensate Booster Pump C (condensate system)                    0.66
28. Hydrogen Side Seal Oil Pump (generator)                          0.66                    1.47-3
29. Air Side Seal Oil Pump (generator)                               0.66                    1.47-3
30. Condenser A (condensate system)                                  0.60                    1.33-3
31. Condenser B (condensate system)                                  0.60                    1.33-3
32. Condenser C (condensate system)                                  0.60                    1.33-3

NOTE: Exponential notation is indicated in abbreviated form; i.e., 6.00-2 = 6.00 x 10^-2.

Table 3-19 (continued)
Sheet 2 of 2

Fault Sets                                               Importance (percent)    Unavailability
33. Gland Steam Condenser (condensate system)            0.60                    1.10-3
34. MFPT Condenser A (condensate system)                 0.60                    1.10-3
35. MFPT Condenser B (condensate system)                 0.60                    1.10-3
36. Loop 1 Steam Generator Safety Valves 1 to 5          5x(0.38)                5x(8.44-4)
37. Loop 2 Steam Generator Safety Valves 1 to 5          5x(0.38)                5x(8.44-4)
38. Loop 3 Steam Generator Safety Valves 1 to 5          5x(0.38)                5x(8.44-4)
39. Loop 4 Steam Generator Safety Valves                 5x(0.38)                5x(8.44-4)

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.10-3 = 1.10 x 10^-3.

Table 3-20
PLANT SYSTEM RESULTS
(Plant Unavailability = 0.23)
Sheet 1 of 2

Component                                             System                            Unavailability    Importance (approximate percent)
1.  Turbine                                           Main Steam                        6.00-2            25.4
2.  Main Feedwater Pump (1A and 1B)                   Main Feedwater                    4.48-2            19.0
3.  Generator                                         Electrical Generating             3.00-2            12.7
4.  Hydrogen Fan/Blower (FA, FB, BA, BB, and BC)      Electrical Generating             2.49-2            10.6
5.  Steam Generator (A, B, C, and D)                  Reactor Coolant                   2.14-2            9.1
6.  Main Steam Line PSV (20)                          Main Steam                        1.69-2            7.2
7.  Reactor Coolant Pump (A, B, C, and D)             Reactor Coolant                   7.56-3            3.2
8.  Cooling Tower Supply Pump (A, B, C, and D)        Condenser Circulating Water       5.88-3            2.5
9.  Heater Drain Tank 3 Pump (A, B, and C)            Heater Drain Tank 3 and Pump      4.41-3            1.9
10. Condenser (A, B, and C)                           Condensate                        3.99-3            1.7
11. Heater Drain Tank 7 Pump (A and B)                Heater Drain Tank 7 and Pumps     2.94-3            1.2

NOTE: Exponential notation is indicated in abbreviated form; i.e., 6.00-2 = 6.00 x 10^-2.

Table 3-20 (continued)
Sheet 2 of 2

Component                                       System                     Unavailability    Importance (approximate percent)
12. Seal Oil Pump (air and hydrogen side)       Electrical Generating      2.94-3            1.2
13. Pressurizer Safety Valve (3)                Reactor Coolant            2.53-3            1.1
14. MFPT Condenser (A and B)                    Condensate                 2.20-3            0.9
15. RCP Oil Lift Pump (4)                       Reactor Coolant            2.17-3            0.9
16. Condensate Heater (18)                      Condensate                 2.16-3            0.9
17. Gland Steam Condenser                       Condensate                 1.10-3            0.5

NOTE: Exponential notation is indicated in abbreviated form; i.e., 2.94-3 = 2.94 x 10^-3.

Section 4 SAFETY MODEL The purpose of this section is to present the G0 safety model demonstration in terms of the objectives and scope of the safety model, the application of the methodology, and a detailed presentation of the results. Those interested only in the results of this facet of the GO methodology demonstration may proceed to o Section 6, where a brief summary is provided. 4.1 ANALYSIS OBJECTIVES AND SCOPE The objectives of the safety analysis portion of this project were twofold:

1. Demonstrate the applicability of the basic G0 methodology to the probabilistic safety analysis process.
2. Develop meaningful insights into the advantages and disadvantages (or limitations) of using the GO methodology and estimate its potential capacity as a tool for performing full-scope probabilistic risk assessments (PRA).

The :. ope of the safety analysis included the development of a fairly complete plant event sequence model. This event sequence model was quantified only for two initiating event groups and the event sequence model was only developed to the point of degraded plant states. For the purposes of this study, the term

 " degraded plant state" represents a condition that may require operator recovery actions to prevent a severe core damage state. This type of definition is in keeping with the manner in which probabilistic safety analyses are typically performed and with the scope limitations of this study. The scope of the safety model was set large enough to provide an adequate test of the methodology, but minimized to conserve resources. Specific limitations in scope in comparison with a complete PRA are summarized below.

Not all initiating events expected to be significant risk contributors were included in this analysis, as discussed more fully in Section 4.3. Although the major systems important to safety were taken into account in the analysis, a number of operator recovery actions and associated plant hardware were not modeled in this safety demonstration. Other important elements of a full-scope PRA not included in the safety analysis were:

• A full treatment of common cause failures and operator errors associated with not executing appropriate operations, test, and maintenance procedures properly. (However, a full treatment of dependencies among systems was included.)
• External events and internal plant hazards such as seismic, floods, and fires.

The above elements were not included because their inclusion was not necessary to demonstrate the applicability of the GO methodology to safety assessment. The analysis also departs from more common practice in full-scope PRAs in the following areas:

• Only a single generic degraded plant state was considered. (Full-scope PRAs typically identify and analyze several degraded plant categories with different potential for radioactivity release.)
• Only selected operator actions necessary to consider a full set of safety systems were modeled; e.g., "bleed and feed" systems.
• The process of unraveling the key event sequences leading to the degraded plant state was only partially applied to demonstrate the feasibility of doing so with the GO methodology.
• Uncertainty analyses were not performed.

With regard to the second area, it was recognized that no new or additional insights would be gained regarding the GO demonstration objective of this study by including operator actions and performing the human factors analyses needed to obtain definitive probability estimates. Thus, operator actions per se generally were not modeled. The major exception to this was the case of operator-related functions that appear in event sequence diagrams (ESD) and are not developed into full systems models. These functions are represented in the GO models by simple GO operators (rather than the supertypes used to model systems), as illustrated by such functions as operator isolates upper head injection (ESD 3 in Appendix B) and operator terminates containment spray (ESD 7). In these few cases, probability estimates were obtained from prior studies. It is shown in Section 4 that omitting the operator action required in the bleed and feed function in ESD 7 has a negligible effect on the results of interest.

Some of the considerations identified above, such as the exclusion of system-level common cause failures, operator errors, and external events, tend to underestimate the degraded state frequency; others, such as the exclusion of backup safety systems and associated operator recovery actions, tend to overestimate the degraded state frequency. An accurate estimate of the frequency of degraded plant states at Sequoyah was not obtained in this study in view of the objectives and scope.

In developing the models for the safety analysis, it was found that much of the modeling information developed for the auxiliary systems' plant availability models could be used to develop the auxiliary systems safety models. Most of the changes involved changed success criteria. The most significant hardware change was the need to add the engineered safety feature actuation system (ESFAS). This safety system was included among the auxiliary systems because it provides support-like input to all of the frontline safety systems in a manner similar to the auxiliary systems. Since many of the frontline safety systems are standby systems that are not required to function during normal operation, models of those systems were not developed as a part of the plant availability analysis task. Thus, completely new models had to be developed for those systems to support the safety analysis task.

4.2 METHODOLOGY

The GO safety model demonstration was performed in six basic steps as follows:

1. Identification of initiating events.
2. Preparation of the safety logic and associated GO models.
3. Preparation of the systems analyses and associated GO models.
4. Integration.
5. Quantification.
6. Sequence unraveling.

An overview of the modeling process is given below, followed by a more detailed discussion of each of its six facets.

4.2.1 Methodology Overview

Probabilistic safety analyses of nuclear power plants are typically performed by identifying various event sequences (potential accident scenarios) and quantifying both the occurrence frequency and the consequence of each such sequence. In this study, the primary emphasis was to investigate the feasibility of developing GO models of event sequences as a basis for performing frequency quantifications. Limited frequency quantifications were completed to confirm that the GO methodology can be used in probabilistic safety analyses. The consequence aspect of the analysis was limited to a qualitative identification of a few plant state categories. The category of primary interest was that of the potentially degraded plant state. The other categories represented various success states.

Event sequences are typically expressed in terms of the various initiating events that can occur and the various ways that the plant systems can respond to each initiator. Although there are many possible events that can initiate a need for various plant systems to respond in order to mitigate the consequences of those events, it is fortunate that those initiators can be grouped into a relatively small number of categories (on the order of approximately 20) so that all initiators within each category involve the same plant response characteristics. Several techniques have been developed to organize the search for initiating events, promote a feeling of completeness in that search, aid in categorizing the initiators, and help identify the systems needed to respond to each initiator category. One of those techniques involves the master logic diagram. The methodology of the master logic diagram as an aid in initiator identification/categorization is discussed in Section 4.2.2.

The plant safety logic identifies the various event sequences that are possible for each category of initiating events. These sequences represent the admissible combinations of systems successes and failures in responding to the initiating events. For this study, the event sequence diagram mode of logic representation was selected. The logic presented in each ESD was then transformed into an equivalent GO model to permit its quantification. The subject of the plant safety logic, as expressed by the ESDs and their corresponding GO models, is discussed in Section 4.2.3.

Although the ESDs portray the interrelationships of the frontline safety systems in defining the plant safety logic, they do not represent the internal workings of those systems nor their dependence on one another or on the plant auxiliary systems. This information is developed by means of the systems analyses. It is used to develop the GO models for the various auxiliary and frontline safety systems and to identify the intersystems dependencies. The systems analyses are discussed in Section 4.2.4.

After the plant safety logic models and the systems GO models have been developed, they can be combined in the appropriate manner to form the complete plant safety GO models. This process is discussed in Section 4.2.5.

When the complete plant models are ready, they can be input for processing by the GO code to obtain the quantitative results. The GO output provides a truth table type of representation of the event sequences, along with their corresponding probabilities. (These are conditional probabilities, conditioned to the occurrence of the initiating event for the specified model quantified.) The sequences are listed in order of increasing probabilities. Because of this probabilistic basis for ordering the results, the order is scrambled when compared with that dictated by the logic of the original ESD or by its comparable event tree. To facilitate the reading and understanding of the GO output, Pickard, Lowe and Garrick, Inc., developed [under a separate contract with the Electric Power Research Institute (EPRI)] a GO postprocessing code called STEVE (Reference 4-1). This code sorts the event sequences output by GO into event tree order and prints the GO results in the form of an event tree. The probabilities output by GO are then multiplied by the initiating event frequency to get the annual occurrence frequency for each event sequence. This quantification process is discussed in Section 4.2.6.

The final step in the analysis is to identify the dominant sequences that lead to the plant damage state and unravel those sequences to find the dominant system, subsystem, and component failures that lead to those sequences. This part of the analysis process is discussed in Section 4.2.7.

4.2.2 Initiating Events

In an effort to improve confidence that all the important initiating events have been identified, it is helpful to use an organized structure that allows the analyst to probe the specific plant being studied by asking a logical sequence of questions. Fault trees provide such an organized, logical structure, and that type of thinking process has often been used to develop what has come to be called the master logic diagram (MLD). The logical, organized thinking process entailed in constructing this diagram helps the analyst to probe a specific power plant to identify and categorize initiating events, and it helps in visualizing what specific safety systems may have to respond to the initiating events in each category to mitigate their consequences.

The top event in the MLD is an undesired event. For the purposes of this demonstration study, this event was taken to be degraded plant state. This constitutes level 1 of the MLD. The level II events are identified by asking the question, "How can that happen?" Successively asking this question at lower and lower levels of the MLD leads to the 20 categories of initiating events and then to the individual initiating event contributors. The MLD developed for this study is discussed in Section 4.3.

Historical data can be analyzed to estimate the occurrence frequency of each individual initiating event. Then, those frequencies can be added for all initiators within each category to estimate the total occurrence frequency of each category. All the insights gleaned from constructing the MLD help in developing the plant safety logic. It was concluded that the process of initiating event identification was no different when using the GO methodology than any other methodology.

4.2.3 Plant Safety Logic

The ESD was found to be a good communication tool. It provides a good basis for discussing plant operation with plant operations personnel and plant engineers. It was a good communicator among personnel directly involved in the safety analysis itself, and its use in this report is expected to provide a good vehicle for communicating the safety logic used for the Sequoyah safety analysis. The plant safety logic was developed in two basic (but logically equivalent) forms: (1) the event sequence diagram, and (2) the GO model, both of which are discussed in detail in Section 4.4.
The basic ESD is a block diagram in which each block represents an action of a specific plant system in response to the initiating event. In some cases [such as the emergency core cooling system (ECCS)], the blocks identify specific modes of safety system action, such as high pressure injection (HPI) or low pressure recirculation (LPR). The lines interconnecting the blocks depict various scenarios in which different combinations of system actions succeed and fail, where all actions are shown in correct temporal order. These lines ultimately lead to the scenario end conditions--either some form of successful shutdown (such as hot standby or cold shutdown) or a degraded plant state requiring further equipment operation or operator recovery actions to mitigate against adverse plant conditions.

ESDs were developed for 13 categories of initiating events identified in the master logic diagram. A separate ESD was developed for sequences identified in the first set of ESDs as terminating in the plant state referred to as anticipated transient without scram (ATWS). For this particular state, an event tree had previously been developed (for the Zion and Indian Point studies) that was judged to be applicable to Sequoyah (the numbers might be different, but the system logic was the same). Since no particular advantage or improvement was anticipated from transforming the ATWS safety logic from the event tree format to the ESD format, no effort was devoted to that task. Furthermore, it allowed demonstration of the capability by developing a GO model from an event tree rather than from an ESD.

The logic described in the 13 ESDs and the 1 event tree was then transformed into 4 GO models. These models consisted primarily of logic operators (AND, OR, EXCLUSIVE OR, and NOT gates) and their associated interconnecting signals (or logic flow paths). At this stage of the analysis, the models were intended to portray only the safety logic, not to perform the detailed quantifications. Accordingly, the functioning of the various safety systems was initially represented by simple (type 5) GO operators. (These operators were eventually replaced by the detailed systems models--the supertypes developed from the systems analyses--and used in the final detailed quantifications.) The simple GO models could then be run to check that the safety logic and associated resultant sequences agreed with those of the corresponding ESDs.

There are three basic principles that were used in converting from an ESD to a GO model. First, use one operator (or, eventually, supertype) to represent a specific safety system function [such as high pressure recirculation (HPR)], even though that function may appear two or more times in the ESD. The reason for doing this is that the signal output from that operator (or supertype) can be monitored (by including it among the final signals) to indicate the functional state of the system that it represents in the various event sequences output by GO. The second principle can most easily be described in conjunction with the following example.

[Sketch: ESD (left) and corresponding GO model (right) for functions A and B, with signals 10, 15, and 20]

The sketch at the left is in the form of an ESD, whereas the one at the right is the corresponding GO model. The ESD logic indicates that action or safety system function B is activated only if function A fails; it is bypassed whenever function A is successful. In the GO model, functions A and B are represented by operators 5-1 (type 5, kind data No. 1) and 5-2, respectively. The GO code assigns a value of 0 or 1 to signal 10 to represent success or failure, respectively, for function A. Whenever a 0 value is assigned, the GO code causes the type 2 operator (an OR gate on success) to yield a value of 0 for its output signal 20, regardless of the value assigned to the other input signal 15. This, in effect, bypasses function B, in agreement with the ESD. Whenever GO assigns a value of 1 to signal 10, the value of signal 20 is the same as that of signal 15, thereby indicating whether function B is successful. Thus, signal 20 properly indicates whether function B is bypassed or activated and indicates the proper success/failure state in the latter case. Hence, signals 10 and 20 would be monitored (included among the GO1 final signals) to properly indicate the state combinations for functions A and B as prescribed by the ESD logic.

Whereas the second principle concerned parallel functions, the third one concerns serial functions and can be discussed in conjunction with the following example.

[Sketch: ESD and corresponding GO model for serial functions A and B, with signals 10, 15, and 20]

In this case, function B is activated only when function A is successful; it is bypassed whenever A fails. In the GO model, whenever the GO code assigns a value of 1 to signal 10 (to represent failure of function A), it also assigns a value of 1 to signal 20, which is the output from the type 10 operator (an AND gate on success). This, in effect, bypasses function B, in agreement with the ESD. Whenever a 0 value is assigned to signal 10, the value of signal 20 is the same as that of signal 15: a 0 if function B is successful, a 1 if failed. Thus, signal 20 properly indicates when function B is bypassed or activated and indicates the proper success/failure state in the latter case. Hence, signals 10 and 20 should be monitored (included among the GO1 final signals) to properly indicate the state combinations for functions A and B as prescribed by the ESD logic.

These last two principles, which are two forms of intersystems dependency, are illustrated in Figure 4-1, which shows an ESD at the top and the corresponding GO model below it. As a modeling convention to be used elsewhere in the report, the success output of a block (or YES outcome) is understood to exit at the right, and failure (or NO outcome) at the bottom. In the GO model, signals 1 through 6 are monitored to properly represent the states of the functions represented by the six type 5 operators with the corresponding kind numbers.

The logic shown in this figure is a simplified version of that given in Section 4.4 for the large loss of coolant accident (LOCA). The first block in the ESD is the initiating event. The next six blocks represent functions performed by plant systems or a condition within the core. Successes are represented by lines exiting the blocks to the right, and failures by downward exiting lines. The last two blocks depict two possible end states of the plant following an occurrence of the initiating event and the subsequent responses of the various systems to that initiator.

The first block (for the initiating event) has no counterpart in the GO model; that model is thus conditioned on the occurrence of the initiator, which means that the GO output probabilities must all be multiplied by the occurrence frequency of the initiator to obtain the occurrence frequencies of the event sequences output by GO. The next four blocks in the ESD illustrate the third modeling principle: if any one of the functions represented thereby fails, all functions following it are bypassed. The five AND gates (type 10 operators) take this into account. For example, if the LPI function fails, signal 3 is set equal to 1. The AND gates cause signals 4, 5, and 6 to be 1 also, thereby bypassing their corresponding functions in accordance with the ESD.

[Figure 4-1. ESD and corresponding GO model]

The last two ESD blocks before the two plant end states block illustrate the second basic principle: if the high pressure hot leg recirculation function succeeds, the cooling-not-blocked condition of the core is bypassed. The OR gate (type 2 operator) takes this into account. If signal 5 is set equal to 0, the OR gate causes signal 6 to be 0 also, thereby bypassing its corresponding condition in accordance with the ESD.

As can be seen from the above examples, the three basic principles for ESD-to-GO conversion are essentially quite simple. However, as the ESD logic became more and more complex, more and more complex sequence-dependent GO logic was required to indicate when a function was to be bypassed. In some cases, NOT gates had to be introduced to properly model these conditions. Because of the nontrivial nature of some of those ESD-to-GO conversions, it was felt that sound engineering practice dictated that the GO models be checked against the corresponding ESDs. This was done by running the GO models, processing the results by STEVE, and checking to be sure that there was a one-to-one correspondence between the event sequences displayed by STEVE from the GO output and those defined in the corresponding ESDs. Because these GO runs were performed to check sequence structures and were not intended to provide quantitative results, arbitrary values were selected for the success and failure probabilities input for the type 5 operators (and operator types 1, 4, and 13 needed for some of the ESDs) used to represent the systems functions. The GO input files checked in this manner were saved and used later to develop the input files developed for the final quantification runs. The STEVE input files were also saved for later use with the actual GO output results.

4.2.4 Systems Analyses

The systems analyses were performed in two stages: detailed and condensed. The detailed analyses identified all the significant components in each system, the input (such as electric power or cooling water) needed for the components to function properly, and the logic structure by which the components are interrelated in producing successful or failed functioning of the system. The resultant systems GO models, when combined into the GO safety logic models, would have produced unacceptably high GO truncation errors because of the large size of the complete models and the large number of active signals produced thereby. For this reason, the systems models had to be simplified by a process called condensation. These two analysis stages are discussed below.
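The model check described in Section 4.2.3, as an added Python example that is not part of the report and is not GO or STEVE code: it converts a six-function ESD to GO-style logic using the second and third principles, enumerates the sequences both ways with arbitrary probabilities, and compares them. The function names F1 to F6, the probabilities, the initiating event frequency, and the sort used for event tree order are assumptions made for illustration.

```python
from itertools import product

# Constructed example following the pattern the text describes for Figure 4-1:
# four serial functions, then a parallel pair. F1..F6 are placeholder names.
FUNCS = ["F1", "F2", "F3", "F4", "F5", "F6"]
# Arbitrary failure probabilities for the type 5 operators (structure check only).
Q = {"F1": 0.01, "F2": 0.02, "F3": 0.03, "F4": 0.04, "F5": 0.05, "F6": 0.10}
END_STATES = ("SUCCESS", "DEGRADED")
# ESD: block -> (next block on YES/success, next block on NO/failure).
ESD = {
    "F1": ("F2", "DEGRADED"),
    "F2": ("F3", "DEGRADED"),
    "F3": ("F4", "DEGRADED"),
    "F4": ("F5", "DEGRADED"),
    "F5": ("SUCCESS", "F6"),      # F6 is demanded only if F5 fails
    "F6": ("SUCCESS", "DEGRADED"),
}


def and_on_success(*signals):
    """Type 10 operator: output is 0 (success) only if every input is 0."""
    return max(signals)


def or_on_success(*signals):
    """Type 2 operator: output is 0 (success) if any input is 0."""
    return min(signals)


def go_signals(raw):
    """Map raw type 5 outcomes (0/1 per function) to monitored signals 1..6."""
    s1 = raw["F1"]
    s2 = and_on_success(s1, raw["F2"])   # third principle: bypass after a failure
    s3 = and_on_success(s2, raw["F3"])
    s4 = and_on_success(s3, raw["F4"])
    s5 = and_on_success(s4, raw["F5"])
    # Second principle (OR) for the F5/F6 pair, gated by the serial chain (AND).
    s6 = and_on_success(s4, or_on_success(s5, raw["F6"]))
    return (s1, s2, s3, s4, s5, s6)


def go_signals_missing_and(raw):
    """Deliberately wrong conversion: F6 is not bypassed after a serial failure."""
    s = list(go_signals(raw))
    s[5] = or_on_success(s[4], raw["F6"])
    return tuple(s)


def go_quantify(signal_fn=go_signals):
    """Truth table of monitored-signal states with conditional probabilities."""
    table = {}
    for bits in product((0, 1), repeat=len(FUNCS)):
        raw = dict(zip(FUNCS, bits))
        p = 1.0
        for name, failed in raw.items():
            p *= Q[name] if failed else 1.0 - Q[name]
        key = signal_fn(raw)
        table[key] = table.get(key, 0.0) + p
    return table


def esd_sequences():
    """Walk the ESD; return {expected signal tuple: (probability, end state)}."""
    sequences = {}

    def walk(node, outcome, p):
        if node in END_STATES:
            signals, last = [], 0
            for name in FUNCS:
                # A bypassed function carries the value of the branch that skipped it.
                last = outcome.get(name, last)
                signals.append(last)
            sequences[tuple(signals)] = (p, node)
            return
        on_yes, on_no = ESD[node]
        walk(on_yes, {**outcome, node: 0}, p * (1.0 - Q[node]))
        walk(on_no, {**outcome, node: 1}, p * Q[node])

    walk(FUNCS[0], {}, 1.0)
    return sequences


def structure_matches(signal_fn=go_signals, tol=1e-12):
    """One-to-one check between GO output states and ESD sequences."""
    go, esd = go_quantify(signal_fn), esd_sequences()
    return set(go) == set(esd) and all(abs(go[k] - esd[k][0]) <= tol for k in esd)


def event_tree_report(init_freq_per_year):
    """Rows of (signals, probability, frequency per year, end state) in both orders."""
    go, esd = go_quantify(), esd_sequences()
    rows = [(sig, p, p * init_freq_per_year, esd[sig][1]) for sig, p in go.items()]
    go_order = sorted(rows, key=lambda r: r[1])    # increasing probability
    tree_order = sorted(rows, key=lambda r: r[0])  # success branches first
    return go_order, tree_order


if __name__ == "__main__":
    print("GO model matches ESD:", structure_matches())
    print("Model without the final AND gate matches ESD:",
          structure_matches(go_signals_missing_and))
    for sig, p, freq, end in event_tree_report(1.0e-4)[1]:  # constructed frequency
        print(sig, f"{p:.6e}", f"{freq:.6e}/yr", end)
```

The deliberately wrong variant produces signal states such as (1, 1, 1, 1, 1, 0) that no ESD path defines, which is the kind of conversion error the one-to-one comparison is meant to catch.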

4.2.4.1 Detailed Systems Models. The systems included in the safety analysis, as listed in Figure 4-2, are divided into two main categories:

1. The frontline systems, which are the systems required to control the reactor and dissipate the core heat in response to a potential accident initiator or transient event.
2. The auxiliary systems, which support the frontline systems by providing required electric power, cooling water, and compressed air.

The frontline systems are further partitioned into safety systems and the ECCS. There are eight different modes of operation within the ECCS, a condition referred to previously (Section 4.2.3). Separate GO models were developed for each of these eight modes of ECCS operation and these models were later inserted in their proper places in the GO safety logic models. The five major auxiliary systems were modeled individually. Those individual models were then interconnected in the proper manner to form one auxiliary systems model that provided all of the input required by the frontline safety systems models. On the whole, the modeling focused only on the systems and operating modes of Sequoyah Unit 1. However, certain auxiliary systems, such as the electric power system, support both units. In such cases, the auxiliary systems GO model included not only the equipment and functions serving Sequoyah Unit 1, but the Unit 2 equipment and functions that provide a redundant backup for Unit 1.

The systems requiring simple GO models (such as the reactor trip system) were modeled as single supertypes. The more complex systems (such as the electric power system and the HPI mode of ECCS) were partitioned into subsystems. These individual subsystems were modeled as supertypes, which were then combined within another supertype that represented the model for the complete system. Thus, nested supertypes (that is, supertypes contained within supertypes) were used for the safety systems analyses, with nesting running as much as three deep in some cases.

Figure 4-2. Organization of System Models for Safety Study

AUXILIARY SYSTEMS
• Electric power system
• Essential raw cooling water system
• Component cooling water system
• Compressed air system
• Engineered safety features actuation system

FRONTLINE SYSTEMS
Safety systems
• Auxiliary feedwater system
• Reactor trip system
• Containment spray system
Emergency core cooling system
• High pressure injection mode
• Low pressure injection mode
• High pressure recirculation mode
• Low pressure recirculation mode
• Hot and cold leg recirculation mode
• Closed loop residual heat removal mode
• Accumulators
• Bleed and feed

Model blocks: auxiliary systems model; safety systems models; plant systems safety models.

Within a supertype, the functional state (success or failure, available or unavailable) of an individual equipment item was represented by one or more of the following simple operators: types 1, 3, 4, 5, 6, and 12. (Use of the type 13 operator was avoided because of its incompatibility with the FAULT FINDER sequence.) A simple example is shown in Figure 4-3 to indicate how several operators may be required to properly represent the functional state of individual equipment items (or equipment trains). Two type 5 operators are shown in this example to represent the equipment items of interest, identified as EI-1 and EI-2. Although signals 1 and 2 can be used to indicate whether the respective items function as required (that is, if they are given a chance to function), they do not properly represent the total functional states of those two items because they ignore the possibility of being down for test and maintenance. This is represented by the single type 4 operator with kind number 211 and the "test and maintenance" label. The separate output signals 11 and 12 provide a measure of whether the respective items are unavailable because of test and maintenance but, again, do not completely represent the functional states of those items. However, when the signals are combined as indicated with the two type 10 operators (which are AND gates on success), the output signals 21 and 22 do provide a proper representation of the complete functional states of items EI-1 and EI-2, respectively. Extensive use was made of operators such as 4-211 to account for test and maintenance.

The basic level of detail to which the safety systems GO models were developed was dictated by two considerations:

1. How important the equipment is to safety.
2. The level at which the required probability data are available.

[Figure 4-3. Equipment Functional State Represented by Multiple Operators]

4.2.4.2 Condensation. As mentioned previously, it was necessary to condense (simplify) the detailed GO models of the individual systems in order to lower the GO truncation errors to acceptably low levels during the final calculations. These condensations were performed in such a manner as to retain not only the intersystems dependencies defined in the detailed models, but also the effects that individual equipment items, test and maintenance activities, and operator actions have on system functioning.

Two forms of condensation were used. One involved looking at the internal logic structure of individual systems and subsystems and grouping components in such a manner as to form logically equivalent supercomponents. This was the most widely used approach. Because of the logic structure in the ESFAS, this approach could not be effectively applied, and a second approach had to be devised and applied to that system. This second approach involved looking at ESFAS externally and developing a simple GO model that would faithfully reproduce the output states and probabilities.

Both of these condensation approaches yield condensed models whose external characteristics are logically equivalent to the original detailed models. Thus, using the condensed models in place of the detailed models has no effect on the logic in the GO safety models developed from the ESDs; the only effect is the desired one of reducing the GO truncation errors. Both approaches are compatible with the sequence unraveling processes described later for identifying those components that are the dominant contributors to the event sequences of interest. If dominant contributors are identified as being certain supercomponents, it is usually obvious (by visual inspection) which internal component or components are the dominant contributors to the failure of each of those supercomponents. If one or more of the dominant contributors originate within ESFAS, an unraveling process would have to be applied to the detailed ESFAS model. The two condensing approaches are described below.

4.2.4.2.1 Internally based condensation. As indicated above, most of the condensation was performed from an internal, within-system perspective in which components are grouped together and replaced by logically equivalent supercomponents. Figure 4-4 can be used to illustrate this basic condensation process. Part (a) of this figure shows a hypothetical, detailed GO model of a subsystem, represented as a supertype. Although the type 6 operator appearing in this model can model premature operation, that capability was not used at all in the Sequoyah safety analysis. Deleting this capability was accomplished by properly specifying the kind data. Under such circumstances, the 6-612 operator is equivalent to a two-operator combination as follows:

1. A type 10 operator with input signals 11 and 103 (the same as the two inputs to operator 6-612) and output signal 10 (a new number for an additional signal).
2. A type 1 operator with input signal 10 (from the new type 10), output signal 12 (the same as the output from operator 6-612), and the same success and failure probabilities as were specified in the kind data for operator 6-612.

Based on this view of operator 6-612, it is clear that output signal 12 can represent success (with a signal value of 0) only if both input signals 11 and 103 represent success (both with values of 0) and the function represented by operator 6-612 is successful.

[Figure 4-4. GO Model Condensation: (a) Detailed Supertype Model (ST137); (b) Condensed Model (ST1137)]

With this understanding of operator 6-612, the entire model given in supertype ST137 can be reviewed from the standpoint of condensation. It is quite clear from the logic structure displayed by the operators and interconnecting signals that output signal 200 from supertype ST137 can represent success (with a value of 0) only if all six of the input signals (numbered 100 through 105) represent success (each with a value of 0) and all functions represented by the six type 1 operators and the one type 6 operator are successful. Conversely, if any one of the six input signals represents failure (with a signal value of 1) or if any one of the seven operators representing hardware functioning indicates a hardware functional failure, that failure propagates through the remainder of the model to cause signal 200 to have a value of 1. For example, if all input signals represent success and the function represented by operator 1-115 is the only one that fails (all other hardware functioning being successful), the value of signal 15 would be 1. This signal value would also cause each of the signals 21, 22, and 200 to have a value of 1. (All other signals in the model would have 0 values.) Thus, failure of the function represented by operator 1-115 causes failure of the subsystem represented by ST137, as evidenced by the value of 1 for signal 200.

This same logic is expressed in a much more condensed form in Part (b) of the figure, where supertype ST1137 is logically equivalent to supertype ST137. In supertype ST1137, success at signal 200 requires success at all six of the input signals 100 through 105. This is exactly the same logic as in ST137. Subsystem success also requires success of the composite functions represented by the equivalent operator 1-1137, which represents successful functioning from all six of the type 1 operators and the one type 6 operator in ST137. This requires that the probability of success assigned to operator 1-1137 in the kind data be equal to the product of the success probabilities assigned to all seven of the operators in ST137. That is,

$$R_{1137} = R_{102} \cdot R_{111} \cdot R_{113} \cdot R_{115} \cdot R_{122} \cdot R_{132} \cdot R_{612}$$

where the R's represent success probabilities and the subscripts correspond to the kind numbers in the two supertypes.

i-This example serves to illustrate the basic mechanism of condensation as it was implemented in the Sequoyah safety analysis for cperators representing I equipment that is functionally in series. A similar form of condensation was performed for equipment functioning in parallel and for series-parallel and parallel-series combinations. f Using the condensed models appears to offer several advantages over using the complete, detailed models. Among these advantages are the following:

1. Condensation leads to reductions in the numbers of signals that have to be processed. This minimizes the number of truncations required in the GO sequence, thereby reducing the truncation error.
2. There are fewer operators for the computer to process, thereby reducing computer running time and costs. These cost savings apply to the codes in both the GO sequence and the FAULT FINDER sequence.
3. With fewer operators for the FAULT FINDER sequence to analyze, a much lower value can be prescribed for the PRUNE probability than would be possible for the corresponding uncondensed model; thus, fewer higher order fault sets will be automatically dropped. With fewer operators for the FAULT FINDER sequence to analyze, fewer fault sets are listed in the output. (To illustrate this point, a FAULT FINDER analysis of ST137--by itself--in Figure 4-4 might list seven first-order fault sets, whereas a FAULT FINDER analysis of ST1137 could yield only one such fault set; namely, operator 1-1137. Although this seems like a small effect when considering this one simple supertype, that effect can be multiplied manyfold when a large number of supertypes are combined to form a single GO model and the FAULT FINDER run picks up second and higher order fault sets.)
4. With fault sets identified in terms of the equivalent operators (i.e., 1-1137 in Figure 4-4), the major contributor (or contributors) can readily be identified manually from among the operators (i.e., 1-111 and 6-612) used to define the equivalent operator.
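The series condensation of ST137 into ST1137 and the fault-set reduction cited in advantage 3 can be checked numerically. The following is an added example, not code from the report or from the GO software: it assumes ST137 is a pure series chain with perfect inputs, uses constructed success probabilities, and extends the same check to the parallel case the text mentions.

```python
from itertools import combinations, product
from math import prod

# Constructed success probabilities keyed by the kind numbers the report gives
# for ST137; the plant's real kind data are not on this page.
ST137_KINDS = {102: 0.999, 111: 0.995, 113: 0.998, 115: 0.990,
               122: 0.997, 132: 0.996, 612: 0.985}


def series_output(failed, operators):
    """Output signal of a series chain (0 = success, 1 = failure)."""
    return 1 if any(op in failed for op in operators) else 0


def parallel_output(failed, operators):
    """Output signal of redundant equipment: fails only if every path fails."""
    return 1 if all(op in failed for op in operators) else 0


def condense_series(kinds):
    """Success probability for the one equivalent operator (R1137 in the text)."""
    return prod(kinds.values())


def condense_parallel(kinds):
    """Equivalent success probability when any one operator suffices."""
    return 1.0 - prod(1.0 - r for r in kinds.values())


def failure_probability(kinds, output):
    """Exact P(output = 1) with perfect inputs, enumerating all operator states."""
    ops = list(kinds)
    total = 0.0
    for states in product((0, 1), repeat=len(ops)):      # 1 = operator failed
        p = prod(1.0 - kinds[o] if s else kinds[o] for o, s in zip(ops, states))
        failed = {o for o, s in zip(ops, states) if s}
        if output(failed, ops) == 1:
            total += p
    return total


def minimal_fault_sets(operators, output, max_order=2):
    """Smallest operator combinations whose failure alone drives the output to 1."""
    found = []
    for order in range(1, max_order + 1):
        for combo in combinations(operators, order):
            if any(set(f) <= set(combo) for f in found):
                continue          # contains a smaller fault set, so not minimal
            if output(set(combo), operators) == 1:
                found.append(combo)
    return found


if __name__ == "__main__":
    r1137 = condense_series(ST137_KINDS)
    detailed = failure_probability(ST137_KINDS, series_output)
    condensed = failure_probability({1137: r1137}, series_output)
    print(f"R1137 = {r1137:.6f}")
    print(f"P(signal 200 = 1): detailed {detailed:.6f}, condensed {condensed:.6f}")
    print("fault sets, detailed :", minimal_fault_sets(list(ST137_KINDS), series_output))
    print("fault sets, condensed:", minimal_fault_sets([1137], series_output))
```
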

With regard to advantage (3), the condensed safety model that was submitted for FAULT FINDER evaluation for the interim evaluation had a total of 684 operators, while the initial availability model had more than twice that number. The value selected for PRUNE in the FAULT FINDER evaluation of that safety model was 5 x 10^-5, which was deemed low enough for a first exploratory run to identify the major contributors to the sequence of interest. (This is discussed further in Section 4.2.7.1.) Because of the much larger size of the availability model, a value a couple of orders of magnitude higher had to be used for that model. While such a high PRUNE value was acceptable for the availability analysis (because the dominant scenarios leading to plant unavailability are relatively high in value), such a value would be totally unacceptable for the safety model because it would identify no useful fault sets pertaining to the low-frequency degraded state scenarios. Thus, it was absolutely essential that a low value be specified for PRUNE for the FAULT FINDER evaluation of the safety model.

With regard to advantage (3), FAULT FINDER listed a total of only 10 fault sets for the initial safety model. By contrast, FAULT FINDER yielded many times that number of fault sets for the initial availability model.

4.2.4.2.2 Externally based condensation. As mentioned before, the ESFAS model could not reasonably be condensed using the internally based approach described above. Instead, an externally based approach was used. Instead of analyzing the internal logic to replace it with a simplified but equivalent logic, the ESFAS model was condensed solely on the basis of the externally observable effects of that internal logic. This external look at the model considered only the input and output signals for the model. The analysis was performed in two steps:

1. Perfect input signals.
2. Perfect functioning within the system.

The first step was performed by making all input signals perfect and letting the output states (combinations of successes and failures of the output from the system) be totally determined by the combinations of successes and failures of the internal equipment. The results were examined to identify which output signals functioned independently of one another and which exhibited some degree of dependency. Then, success and failure probabilities were estimated for the independent signals, and path-dependent conditional probabilities were estimated for the dependent ones. This information was used to construct a part of the condensed ESFAS model. That model was run and its results compared with those from the detailed run to confirm that the condensed model was equivalent to the detailed model.

In the second step, the internal operators were made perfect, and various input states (combinations of successes and failures among the input signals) were analyzed to determine their direct impacts on the output signals. This was accomplished with only one physical GO run, using the supplement run feature within GO3. Based on the information output by that one run, the input-to-output impacts were easily identified, and it was a simple matter to incorporate those impacts into the condensed GO model, yielding the final condensed version of the ESFAS model.

In performing the second step, the emphasis in analyzing the input-to-output impacts was restricted primarily to considering all first-order effects (cases in which only one input is failed) and certain second-order effects (two inputs are failed). Only those pairs of input failures that were deemed to have a reasonable potential for impacting the output signals were analyzed. All other pairs plus all third-order and higher order effects were excluded from the present analysis because it was felt that the analysis adequately demonstrated the methodology; furthermore, little additional impact information was anticipated from the larger number of additional runs required for completeness.

4.2.5 Integration

Section 4.2.4 discusses the process of developing supertype models for the safety and auxiliary systems and subsystems needed in the overall plant safety model, and Sections 4.2.2 and 4.2.3 discuss the process of developing the safety logic that defines the logic by which the safety systems interact to produce either a safe plant state or a degraded plant state. The next step is to merge (or integrate) these individual models into complete plant safety models.

The basic integration concept is portrayed schematically in Figure 4-5. The many supertypes used to model all of the auxiliary systems were treated as a single unit called the auxiliary systems model, represented by the large rectangle at the left. The rectangle at the right represents the safety logic model for the specific category of initiating events to be analyzed. The squares in the center represent supertypes for the safety systems whose output is needed in the safety logic model. (In the actual analysis, all GO safety models involved more than three safety systems. The use of three squares in the figure is for illustration purposes only.) In Figure 4-5, a model with five building blocks is illustrated: one for the auxiliary systems model, one for the safety logic model, and three for the safety systems models.

The building-block concept described above suggests the approach used to build the GO input files. It made use of the permanent files that had been developed for the auxiliary systems models, each safety system model, and each ESD model.

[Figure 4-5. Basic GO Safety Model Integration Concept. Diagram not reproduced; labelled elements: auxiliary systems model, safety system models 1 through k, safety logic model, unused signals, perfect operator.]

The kind data from all files except the ESD files were combined to form a master file of kind data, which was substituted for the kind data in each of the ESD files. The supertype definition records for all of the safety systems were lifted out of their respective input files and inserted among the definition records in the file for the auxiliary systems model. That file was then edited to preserve only the operator records needed for the auxiliary systems model, and the resultant file was inserted at the beginning of the operator records for each of the ESD files. Then, the operator types 1, 4, 5, and 13 that had originally been used in the ESD files to represent the various safety systems were replaced by their corresponding supertypes.

It was found that, because different safety systems are required for the different ESD safety models, the auxiliary signals needed for input to the safety systems varied from one ESD model to another. Some of these unused signals are never input to any GO operator in the model. One of the provisions of the GO code is that all such unused signals are added to the list of final signals and, hence, appear in the output truth table listing produced by GO. In order to eliminate all such signals from the output, it is necessary to artificially "consume" them--that is, to input them to an operator in such a way that they have no effect on the logic of the model. A method for doing this is shown in the lower left corner of Figure 4-5. The unused signals are input to a type 2 operator, along with the output from a perfect (always successful) type 5 operator. The output from the type 2 operator is always successful, regardless of the states of the unused signals. This "always successful" output signal, in turn, was combined through a type 10 operator with a signal output by a safety system, thereby having no effect on that safety system signal.

Although this process of artificially using signals appears in the figure as only one step occurring fairly late in the model, it was actually performed in three or four steps, generally at the earliest possible time in the model. This was done deliberately in an effort to minimize the number of active signals and, therefore, to minimize the GO truncation error.

4.2.6 Quantification

Three basic quantification steps were performed, as discussed in detail in Sections 4.7.2 through 4.7.4.

1. Run the GO sequence.
2. Run STEVE.
3. Compute annual frequencies.


The development of the kind data needed for the GO input files is discussed in Section 5. With that data and the input files developed as discussed above, two GO examples were selected to demonstrate the methodology with respect to quantification: one for the large LOCA and one for loss of steam flow. These example cases yielded two output files, each listing event sequences in a truth table format, the corresponding sequence probabilities, and the truncation error resulting from discarding event sequences of relatively low probability.

With a modest amount of file manipulation, the two GO output files were transformed into two files for input to the code STEVE. This analysis yielded two event trees. (These event trees are somewhat unconventional in that they do not include the initiating event as a part of the tree structure, and the numerical data represent conditional probabilities of sequence occurrence given that the initiating event has occurred.) The sequences in the event trees bore a one-to-one correspondence with those in their associated ESDs, as intended. Therefore, the plant end states identified for the various event sequences depicted in the ESDs directly applied to the corresponding event sequences in the event trees output by STEVE.

Both event trees had several sequences going to the degraded plant state and several going to the plant success states. It would be possible to modify the GO models so as to have only one final signal such that a 0 value for it would indicate a plant success state and a 1 value a degraded plant state. It might be considered desirable to do that as a means of reducing the GO truncation error by reducing the number of active signals. Unfortunately, that would not have helped for the models analyzed in this study. A review of the GO3 output from both quantitative analyses revealed that the truncations occurred primarily within the essential raw cooling water (ERCW) and the control air system (CAS) portions of the auxiliary systems part of the models, well in advance of the frontline safety systems and the associated interconnecting signals used to portray the safety logic prescribed by the ESDs. Thus, it is anticipated that very little decrease (if any) could be achieved in GO truncation error by changing the GO logic to output one signal that indicates either success or a degraded plant state.

Furthermore, such a model change would be undesirable for a couple of additional reasons. First, it would eliminate the event tree display of plant end states that have traditionally been used in analyses of this type to portray the various alternative ways that a plant can respond to initiating events and to provide a probabilistic indication of their relative importance. Second, it would add another layer of analysis to the unraveling process used to identify dominant contributors to the degraded plant state. That is, the event tree directly provides one level of information in the sequence unraveling process.

Some concern may be raised that the manner in which event sequences are grouped or not grouped may have an effect on the way that model condensation should be performed. In other words, condensation might cause errors in the results, based on how event sequences are grouped. Two important points must be brought out in this regard.

1. All condensations were performed entirely within individual systems in such a way that the within-system logic was preserved. That is, no condensations were performed across systems boundaries.
2. The ESDs and their associated GO safety models express the logical interrelations of the systems.

Because of these considerations, the condensation process as applied herein would have no effect on results developed from either grouped or ungrouped ESD (or event tree) sequences, as noted in Section 4.2.4.2.

The information in the event trees along with the annual frequencies for the corresponding initiating events was input to a BASIC program called STVQUANT. The output from STVQUANT gives the annual occurrence frequency for each sequence, the total frequency for each safety category (degraded state, hot standby, cold shutdown, ATWS) for the individual ESDs, and a measure of the maximum possible errors that could have occurred in the frequency totals given for each safety category because of the GO truncation errors.

4.2.7 Sequence Unraveling

The term "sequence unraveling" refers to the process of identifying the dominant event sequences that lead to the undesired end states (in this analysis, the degraded plant state) and then tracing down through the contributors to those sequences to identify the systems, subsystems, and components that dominated in causing them to occur. In this study, three different approaches to sequence unraveling were tried, with varying degrees of success, as follows:

1. FAULT FINDER.
2. Hard-wired sequence approach.
3. Two-stage integrated model.


These approaches are discussed below.

4.2.7.1 FAULT FINDER. As mentioned in Section 4.2.4.2, a single FAULT FINDER run was made to try out that approach as a part of the interim quantification. In that case, the complete safety model was submitted for FAULT FINDER evaluation. The FAULT FINDER parameter PRUNE was assigned a value more than two orders of magnitude below the probability for the event sequence of interest. This value was deemed low enough to pick up the most dominant contributors to the degraded state sequence of primary interest, yet hopefully high enough to avoid an unreasonably high computer run cost for that initial trial run. That run yielded only three first-order fault sets and seven second-order fault sets, not enough output to be considered to have provided a reasonably comprehensive unraveling of the event sequence of interest, especially when one considers that recovery probabilities can significantly affect the relative contribution of sequences initially dominating the results.

Presumably, the value of the parameter PRUNE could have been reduced to a level that would have yielded a more comprehensive listing of fault sets. This was not done (that is, no further FAULT FINDER runs of the complete plant model were made) for a couple of reasons. First, the cost of that one FAULT FINDER run exceeded $500. There was concern that a disproportionately large portion of the computer budget might be consumed for more detailed FAULT FINDER runs. The second reason concerned certain operational characteristics that had been identified.

One adverse FAULT FINDER characteristic observed in the FAULT FINDER analyses of some of the systems models was that it would list the fault sets associated with the failing of one of the output signals from a type 4 operator (typically used in this study to model test and maintenance activities) but never listed the symmetrically similar fault sets associated with the failure of the other output signals. It was obvious to the systems analysts that the results produced by the FAULT FINDER sequence were incomplete and caused project personnel to wonder if there are any other such sources of incompleteness and inaccuracy within the FAULT FINDER sequence.

The second adverse FAULT FINDER characteristic concerned NOT gates. When a test case of a GO model with NOT gates was tried, the FAULT FINDER sequence was found to produce an incomplete listing of minimal cutsets. This certainly pointed up a very real problem in applying the FAULT FINDER sequence to the GO safety models, because these models generally require NOT gates in order to properly represent the safety logic as prescribed in the ESDs.

Because of the problems identified and the concern for the completeness and accuracy of the FAULT FINDER sequence, it was decided not to apply FAULT FINDER to the complete GO safety models as a means of unraveling the event sequences of interest. (However, it was used in support of another unraveling technique, as discussed in Section 4.2.7.3.) Instead, another technique had to be developed to accomplish the unraveling task.

4.2.7.2 Hard-Wired Sequence Approach. Since one of the advantages of the GO methodology is considered to be the ability to "hard wire" all of the systems interdependencies directly into the model, it was hoped that an unraveling technique could be developed that could be applied to the complete plant GO safety models. The technique that was developed is referred to as the hard-wired sequence approach.

This new hard-wired sequence approach is performed in four basic steps, as follows:

1. Hard wire the sequence (or sequences) to be unraveled to yield one signal that can be monitored to determine whether the sequence (or sequences) of interest has occurred.
2. Select the additional signals to be monitored.
3. Run GO.
4. Identify the subsequences to be further unraveled.

Those four steps are repeated several times at earlier and earlier stages in the GO model until the sequence unraveling has been completed.

The first sequence (or sequences) to be hard wired is the dominant sequence leading to the degraded plant state. Hard wiring is easily accomplished by the technique illustrated in the following sketch, where an example sequence of interest might be defined by 0 values (success) for signals 110 and 120 and 1 values (failures) for signals 210 and 220:

[Sketch not reproduced; labelled elements: success signals 110 and 120, a type 10 operator, a type 15 (NOT) operator, the failure signals, a type 2 operator, and output signal 50.]

Signal 50 has a value of 1 whenever the sequence of interest ($S_{110} = S_{120} = 0$ and $S_{210} = S_{220} = 1$) occurs; otherwise, its value is 0. Multiple sequences can be hard wired concurrently by inputting their output signals (such as signal 50 in the above example) to a type 10 operator and monitoring the output signal from that type 10 operator.

The result of the hard-wiring process is a single signal that can be monitored to determine whether the sequence of interest has occurred. This leaves as many as 23 additional signals that can also be monitored to gain some insight as to what caused the sequence of interest to occur. The intent in selecting these additional signals is to determine whether the failed systems as identified in the hard-wired sequences (such as the systems with output signals 210 and 220 in the above example) failed due to internal or external causes. Thus, the inputs to those failed systems would be selected for monitoring, and those signals would be specified as the final signals in the GO1 input along with the signal from the hard wiring (signal 50 in the example). No other signals should be included with these final signals.

The next step is to run GO and edit its output to delete all event sequences having a 0 value for the hard-wired signal (signal 50 in the example). What is left is a listing only of all of the subsequences that can lead to the hard-wired sequence of interest. The dominant (high probability) subsequences are at the bottom of the table.

Each subsequence identifies the state vectors for the signals input to each of the failed systems. A manual review of the logic for each system reveals whether the input state vector was sufficient to cause system failure without any failures within the system. If no system failures were required, that subsequence must be hard wired (and combined through type 10 operators with previously hardwired sequences and subsequences) to continue the unraveling process, and the four-step process would be repeated.

Eventually, the point is reached where system failure is caused by failures within that system. The origins of such failures can usually be identified manually from the system logic for simple systems. For more complex systems, the system may have to be analyzed using the FAULT FINDER sequence. In either case, the appropriate state vector for the input signals must be applied to the analysis of that system.
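The hard-wiring sketch, the monitoring of inputs to the failed systems, and the earlier trick for consuming unused signals all rest on the same operator logic, shown here as an added example that is not the report's or the GO code's own. The wiring order (signals 110 and 120 into the type 10 operator, then the NOT, then the type 2 operator with 210 and 220) is inferred from the operator types named in the sketch; support signals 31 and 32, the internal-failure events and every probability are constructed.

```python
from itertools import product

# GO operator logic in the report's convention: 0 = success, 1 = failure.
def type2_or(*signals):
    return min(signals)          # succeeds if any input succeeds

def type10_and(*signals):
    return max(signals)          # succeeds only if every input succeeds

def type15_not(signal):
    return 1 - signal

def type1_component(input_signal, internal_state):
    return max(input_signal, internal_state)   # fails if its input or itself fails

def hard_wire(s110, s120, s210, s220):
    """Signal 50: 1 only when 110 and 120 succeed and 210 and 220 fail."""
    both_ok = type15_not(type10_and(s110, s120))   # 1 iff S110 = S120 = 0
    return type2_or(both_ok, s210, s220)           # 1 iff all three inputs are 1

def consume_unused(system_signal, unused_signals):
    """Absorb unused signals without changing the safety system signal."""
    perfect = 0                                    # perfect type 5 operator
    always_ok = type2_or(perfect, *unused_signals)
    return type10_and(system_signal, always_ok)

# Constructed failure probabilities for independent basic events.
FAIL_PROB = {"sig31": 0.02, "sig32": 0.03, "sys110": 0.01,
             "sys120": 0.01, "int210": 0.05, "int220": 0.04}
FINAL_SIGNALS = ("50", "31", "32")   # hard-wired signal plus monitored inputs
GO_FINAL_SIGNAL_LIMIT = 24           # limit on final signals stated in the text

def truth_table():
    """Joint probability of the final signals, keyed by (s50, s31, s32)."""
    assert len(FINAL_SIGNALS) <= GO_FINAL_SIGNAL_LIMIT
    names = list(FAIL_PROB)
    table = {}
    for states in product((0, 1), repeat=len(names)):
        st = dict(zip(names, states))
        p = 1.0
        for name, failed in st.items():
            p *= FAIL_PROB[name] if failed else 1.0 - FAIL_PROB[name]
        s210 = type1_component(st["sig31"], st["int210"])
        s220 = type1_component(st["sig32"], st["int220"])
        s50 = hard_wire(st["sys110"], st["sys120"], s210, s220)
        key = (s50, st["sig31"], st["sig32"])
        table[key] = table.get(key, 0.0) + p
    return table

def unravel(table):
    """Drop rows with signal 50 = 0; dominant subsequences end up at the bottom."""
    rows = [(key[1:], p) for key, p in table.items() if key[0] == 1]
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    print("(s31, s32)  probability")
    for state, p in unravel(truth_table()):
        cause = "internal failures only" if state == (0, 0) else "input failure involved"
        print(f"{state}      {p:.3e}  {cause}")
```

With these constructed values the bottom row is the (0, 0) input state, meaning both failed systems failed from internal causes and the next pass of the four-step process would look inside them rather than upstream.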

Applying this analysis approach was found to be quite laborious, requiring much review of systems logic under varying conditions of input and some tedious signal selection processes to maintain the number of final signals within the GO limitation of 24. As this approach now stands, it is judged unacceptable for use in full-scope PRAs. Before it could reasonably be used for such analyses, software would have to be developed to, in effect, automate/computerize the basic approach outlined above.

4.2.7.3 Two-Stage Integrated Model. To overcome the shortcomings of the other two unraveling approaches, a third approach was tried that had been successfully implemented in the Midland PRA (Reference 4-2). This might be called a two-stage integrated modeling approach.

With this approach, the complete plant safety GO model is modularized to provide efficient unraveling. Separating the portion of the plant model containing the auxiliary systems from that containing the frontline systems, all signals connecting the auxiliary systems to the frontline systems can be grouped, based on similarity of the impact on frontline system performance. Making use of this grouping, a dependency matrix can be constructed that indicates the impact of grouped support system signals on the frontline systems. An integrated model of the auxiliary systems can then be quantified, keeping track of these grouped output signals. That output and the dependency matrix can then be run through GOST, which assigns impact vectors to each auxiliary system state, indicating the specific impacts on the frontline systems. One run can then be made of the integrated GO model of the frontline systems, using the supplemental run capabilities within GO3 to individually account for each impact vector having a significant frequency (normally less than 10 such quantifications are adequate).

The above procedure enables a decomposition of the frequency of any accident sequence, call it $\phi_j$, in terms of

$$\phi_j = \phi_{IE} \sum_{i=1}^{N} \phi_A(i)\,\phi_F(j|i)$$

$$\phi_A(i) = \sum_{k=1}^{M} \phi_A(i,k)$$

where

$\phi_A(i,k)$ = the frequency of the k-th auxiliary system state having impact vector i.

$\phi_A(i)$ = the total frequency of all auxiliary states having impact vector i.

$\phi_F(j|i)$ = the conditional frequency of the frontline model event sequence number j given any auxiliary state with impact vector i.

The GOST program provides the decomposition represented by the second equation directly in the computer printout. Tables can be developed to show each term in the first equation. After breaking the problem down in these terms, 100% decomposition of the scenario frequency is clearly shown in terms of system failures. Finally, further unraveling can then be done using FAULT FINDER for a limited number of systems (the FAULT FINDER results previously obtained for most systems may suffice). This procedure is demonstrated in this report for one of the event sequences. This was found to overcome the difficulty with the tightly integrated, plant-level GO models.

4.3 INITIATING EVENTS

It is necessary to estimate the occurrence frequencies of the various events that can potentially initiate accident sequences at a plant in order to quantify the probabilistic aspect of plant safety. The process of analyzing initiating events has four facets, as follows:

1. List the potential initiating events.
2. Assure completeness of that list.

3. Estimate the initiator occurrence frequencies.
4. Identify the safety systems required to respond to the initiators.

The MLD helps the analyst to accomplish facets 1, 2, and 4. A benefit derived from the fourth facet is the grouping of a large number of initiating events into a relatively small number of initiator categories.

The master logic diagram developed to support the Sequoyah safety study is shown in Figure 4-6. The top undesired event in this fault-tree-like diagram is shown to be a degraded plant state. This event is designated as level I in the diagram. The two events at level II are (1) loss of core cooling and (2) excess core power, either of which can lead to the degraded plant state. Loss of core cooling can be caused by failure of the reactor coolant pressure boundary or by insufficient core heat removal. These two level III events represent two different levels of severity of lost core cooling. The case of insufficient core heat removal can be partitioned into direct and indirect initiators at level IV. The direct initiators directly cause a condition of insufficient core heat removal, whereas the indirect initiators lead to plant response transients that can lead to insufficient core heat removal.

The four categories at levels II through IV are further partitioned into the 20 more specific initiator categories shown at level V. Level VI indicates that there can be any number of fundamental causes for each initiating event category, as shown in Table 4-1. These fundamental causes would ordinarily be considered in quantifying the occurrence frequencies for the initiating event categories. However, for this demonstration study, only two were quantified: large LOCA (category 1) and loss of steam flow (category 8).

Out of the 20 categories of initiating events shown at level V in Figure 4-6, 13 were selected for developing the ESDs portraying alternative response combinations of plant safety systems to the initiators, and then transforming those ESDs into the logically equivalent GO models. These initiating events are identified by the ESD names listed at the top of Table 4-2. Because 10 of those 13 initiating events or ESDs can lead to ATWS sequences, it was appropriate to analyze the ATWS event in order to be able to complete the safety modeling of those 10 initiating events. Rather than including the ATWS model in each of these 10 models, a separate model was developed for ATWS; in actual computations, the initiator frequency would be taken to be the sum of the ATWS sequence frequencies produced from the other 10 models. This led to the 14 events that

[Figure 4-6. Master Logic Diagram. Diagram not reproduced; it shows levels I through VI, from the degraded plant state at level I down to the internal and external initiators at level VI.]

Table 4-1

INITIATING EVENT CATEGORIES

Sheet 1 of 3

REACTOR COOLANT BOUNDARY FAILURE

• Reactor Vessel Rupture. Blowdown greater than design basis accident (DBA).
• Large Loss of Coolant Accident. Blowdown greater than 6-inch pipe rupture up to DBA.
  --Pipe Failures
  --Valve Failures
  --Other Large LOCAs
• Medium Loss of Coolant Accident. Blowdown in range of a 2-inch to 6-inch pipe rupture.
  --Pipe Failures
  --Pressurizer Safety and Relief Valve Failures (multiple)
  --Other Valve Failures
  --Other Medium LOCAs
• Small Loss of Coolant Accident. Blowdown less than 2-inch pipe rupture.
  --Pipe Failure
  --Pressurizer Relief Valve or Safety Valve Failure
  --Other Valve Failures
  --Control Rod Drive Mechanism Failures
  --Reactor Coolant Pump Seal Failure (four or less)
  --Other Small LOCAs
• Loss of Coolant Accident Outside Containment
  --Interfacing System LOCA
• Steam Generator Tube Rupture
  --Single Steam Generator Tube Rupture
  --Other Steam Generator Leaks

INSUFFICIENT CORE HEAT REMOVAL

DIRECT INITIATORS - ONE UNIT AFFECTED

• General Loss of Heat Removal
  --Loss of Reactor Coolant Flow

Table 4-1 (continued)

Sheet 2 of 3

  --Loss of Reactor Coolant Flow in One Loop
  --Loss of Reactor Coolant Flow in All Loops
  --Other Losses of Reactor Coolant Flow
• Loss of Steam Flow
  --Full Closure of One to Three Main Steam Isolation Valves (MSIV)
  --Partial Closure of One to Four MSIVs
  --Other Loss of Steam Flow
• Complete Loss of Feedwater
  --Loss of Feedwater Flow in All Steam Generators
  --Loss of Condensate
  --Condenser Leakage
  --Other Secondary Leakage
• Turbine Trip
  --Closure of All MSIVs
  --Increase Feedwater Flow in All Steam Generators
  --Loss of Condenser Vacuum
  --Throttle Valve Closure/Electrohydraulic Control Problems
  --Generator Trip or Generator Caused Faults
  --Overspeed
  --Other Turbine Trips

DIRECT INITIATORS - TWO UNITS AFFECTED*

• Loss of Load and Offsite Power
• Loss of Essential Raw Cooling Water
• Loss of Component Cooling Water System (CCS)
• Loss of Control Air

*Loss of raw cooling water will also contribute to a two-unit shutdown. However, loss of the related functions such as turbine lube oil cooling can be tolerated for several hours before plant shutdown will be required. Since an orderly shutdown can be accomplished, it is not listed as an initiating event.

Table 4-1 (continued)

Sheet 3 of 3

• Loss of Component Cooling Water System
• Loss of Control Air

INDIRECT INITIATORS

• Reactor Trip
  --Control Rod Drive Motor/Rod Drop
  --Spurious Automatic Trip - No Transient Condition
  --Automatic/Manual Trip - Operator Error
  --Manual Trip Due to False Signal
  --Other Reactor Trips
• Loss of Steam Inside Containment
  --Steam Break Inside Containment
  --Feedwater Break Inside Containment
  --Other
• Loss of Steam Outside Containment
  --Steam Break Outside Containment
  --Feedwater Break Outside Containment
  --Throttle Valve Opening/Electrohydraulic Control Problems
  --Steam Relief Valve or Safety Valves Open Inadvertently
  --Steam Dump Valves Failing Open
  --Other
• Spurious Safety Injection
• General Indirect Initiator
  --High or Low Pressurizer Pressure
  --High Pressurizer Level
  --Primary Pressure, Temperature, Power Imbalance
  --Other
• Core Power Increase
  --Uncontrolled Rod Withdrawal
  --Boron Dilution - Chemical Volume Control System Malfunction
  --Core Inlet Temperature Drop
  --Other Positive Reactivity Addition

Table 4-2

INITIATING EVENTS SELECTED FOR DETAILED MODELING

                                                 Demonstration   Demonstration
ESD   Initiating Event                           Model           Quantification
1     Large LOCA                                 Yes             Yes
2     Medium LOCA                                Yes             No
3     Small LOCA                                 Yes             No (a)
4     Steam Generator Tube Leak                  Yes             No
5     Loss of Reactor Coolant System Flow        Yes             No
6     Loss of Feedwater Flow                     Yes             No
7     Total Loss of Steam Flow                   Yes             Yes
8     Turbine Trip                               Yes             No
9     Spurious Safety Injection                  Yes             No
10    Reactor Trip                               Yes             No
11    Steam Loss Inside Containment              Yes             No
12    Steam Loss Outside Containment             Yes             No
13    Core Power Increase                        Yes             No
--    Reactor Vessel Rupture                     No              No
--    LOCA Outside Containment                   No              No
--    Loss of Load and Offsite Power             No              No
--    Loss of Essential Raw Cooling Water        No              No
--    Loss of Component Cooling Water            No              No
--    Loss of Control Air System                 No              No
--    General Indirect Initiators                No              No

(a) While the SLOCA initiating event was not quantified, sequences originating in ESD 7 and developing into an SLOCA were quantified.

were modeled. The remaining initiating events from level V of Figure 4-6 were not analyzed further but are recommended for future analysis. They are listed at the bottom of Table 4-2. The two ESD models for which demonstration calculations were made are also shown in that table.

While the GO safety models developed for Sequoyah include considerations of offsite power and of the functioning of the three auxiliary systems (ERCW, CCS, and CAS) appearing in this list of initiating events, these considerations include only the potential for failure after one of the initiating events listed in Table 4-2 occurs. The ESDs and associated GO models that were developed for this study identify plant responses to the initiating events studied, not to the loss of offsite power or the failure of one of the auxiliary systems as initiating events in and of themselves. To properly study these system failures as initiating events would require that ESDs and associated GO safety models be developed for each failure and that different ground rules be used to estimate their occurrence frequencies as initiators. However, the auxiliary systems model would remain essentially unchanged. The only change would be that some kind data would be changed to reflect the system or functional failures caused by the initiator. For example, in the case of a loss of offsite power as an initiating event, the kind data for the type 5 operator used within the auxiliary systems model to represent the availability of offsite power would be changed to make it failed with a probability of 1. The model would then properly account for all system and functional dependencies on the loss of offsite power. A similar approach can be used for the other auxiliary systems mentioned above.

A question may be raised as to how other types of common cause initiating events might be modeled; that is, events that are not already included in the logic models. One example that is frequently important in probabilistic safety analyses is a seismic event. If such an event occurs, it can impact a wide range of equipment in many different plant locations, and some of this equipment may have no other explicitly identifiable forms of dependency. This particular example is complicated by the fact that multiple seismic intensity levels can occur with widely differing impacts on plant equipment. This type of initiator can readily be incorporated into the GO models. One way of doing this is to replace all GO operators that represent seismically affected equipment by a supertype of the following form.

[Diagram of supertype ST50]

(This modeling approach seems quite general and appears to be compatible with the running of the FAULT FINDER sequence. A simpler modeling approach can be devised using type 13 operators, but that operator has the disadvantage of not being compatible with FAULT FINDER runs.)

In the modeling approach illustrated above by ST50, one type 1 operator is used to represent normal (nonseismic) operating conditions and one for each seismic intensity level being modeled. In the example above, three intensity levels are modeled. In the four type 1 operators, the numbers 2000 through 2003 are dummy kind numbers that are replaced by the kind numbers appropriate for the specific equipment being represented by ST50. Dummy kind number 2000 corresponds to normal operating conditions, while dummy kind numbers 2001 through 2003 correspond to seismic intensity levels 1 through 3.

The type 4 operator represents a form of switch that allows the user to select the seismic or nonseismic condition to be analyzed. Thus, if the operator record for that operator is

    4 50 4 10 11 12 13 $

one of the four following kind records can be used:

    50 4 4 1 0 1 1 1 1 $ . . . . . normal (nonseismic)
    50 4 4 1 1 0 1 1 1 $ . . . . . seismic intensity level 1
    50 4 4 1 1 1 0 1 1 $ . . . . . seismic intensity level 2
    50 4 4 1 1 1 1 0 1 $ . . . . . seismic intensity level 3

For seismic intensity level 2, for example, the kind data cause the GO code to assign signal number 12 a value of 0, with probability 1. This allows operator 1-2002 to indicate success or failure (by assigned values of 0 or 1 for signal 52) in accordance with the probabilistic split specified in its kind record. The other three signals (10, 11, and 13) are all assigned values of 1, again with probability 1. That forces signals 19, 20, 51, 21, and 53 to all be assigned values of 1. Hence, the value of signal 200 is the same as that of signal 52, thereby signifying success or failure of the seismically affected equipment item in accordance with the seismic level 2 probability data specified through kind 2002.

Using the type 4 operator is not necessary. It is suggested as an analysis convenience. Changing the kind data for that one operator is all that is needed to switch from one analysis condition to another. Without using that operator, the analyst would have to change the kind data for all operators representing seismically affected equipment throughout the model, and those changes would generally differ significantly from one operator to the next (a condition tending to increase the potential for analysis error). The main drawback of using the type 4 operator is that it causes several (in the example, four) active signals to be added when the type 4 operator is introduced in the model. These added signals could potentially increase the GO truncation errors at a few points during the GO processing of the model. In those few cases, it might be wise to leave the original GO operators in the model and to change their kind data for each run of the model.

The loss of offsite power or loss of ERCW is of concern because it affects both units. Such initiators may be among the most important with respect to safety. (Some confirmation of this is provided by the results of the sequence unraveling reported in Section 4.8.1.3.)

4.4 PLANT SAFETY LOGIC

4.4.1 Event Sequence Diagrams

Event sequence diagrams were developed for the 13 categories of initiating events listed at the top of Table 4-2. Two of these diagrams are shown in Figures 4-7 and 4-8. The remainder are shown in Appendix B. These diagrams were constructed and reviewed based on input provided by engineers and operating personnel well versed in the operation of the plant. The convention used in these diagrams is that successful operation of a safety system or the successful execution of a safety function is shown as a line leaving the right side of the block representing that system or function. Failure is represented by a line leaving the bottom.

Figure 4-7. Large LOCA ESD 1

Notes to Figure 4-7:

* Loss of RHR heat exchanger due to CCS loss.
** All other LPR failures.
*** Includes ERCW to containment spray heat exchanger.

According to the success criteria listed for the LPR, LPHLR, and LPCLR functions, the total cooling duration to be provided by LPHLR and/or LPCLR is 9 hours. This pump running time has been added to that required for the LPR function, which means that the GO model will account for all pump run failures associated with the LPHLR and LPCLR functions in conjunction with pump run failures for the LPR function. The success criteria also state that injection realignment failures during LPHLR are of two types: (1) either no HL paths are aligned and all CL paths established previously remain, or (2) one HL path is aligned and at most only one CL path is isolated. They also state that LPCLR accepts whatever injection paths are available following the attempted LPHLR operation. This leaves LPCLR as a do-nothing block. As such, it is shown dashed here and is not explicitly identified in the GO model.

Figure 4-8. Loss of Steam Flow ESD 7

Note to Figure 4-8:

* RWST empties in ~3/4 hour, leaving the operator with only ~1 hour to align for HPR.

Figure 4-7 presents ESD 1, the event sequence diagram for the initiator category designated as the large LOCA. The first block at the left represents the initiator itself. The next block is for the refueling water storage tank (RWST), and labeled "RWST." This accounts for the availability of at least 375,000 gallons of borated water with a boron concentration of 2,000 ppm. This water is required for the low pressure injection and containment spray functions shown later in this diagram. If the required water is not available, a degraded plant state occurs because those subsequent functions cannot be performed.

The next block represents the lower head accumulators. During a large LOCA, there is initially a rapid loss of primary coolant inventory from the reactor coolant system (RCS). Since the response time of the active safety injection function is too slow to adequately respond to this initial loss of coolant, the passive accumulator system is needed to provide the required instantaneous response time. Success requires the discharge of three of the four accumulators through their respective check valves. Failure to do so is assumed to lead to a degraded plant state. The discharge from the accumulators is automatically initiated (through the check valves) by the decreasing RCS pressure.

The next block in Figure 4-7 represents the LPI function. Success of this automatically initiated function requires the start and operation of one out of the two residual heat removal (RHR) pump trains, injecting water from the RWST to at least two of the three intact RCS cold legs for 1 hour. Failure to do so is assumed to lead to a degraded plant state.

The next block covers the status of the sump and upper level/lower level drains. This equipment becomes important as the RWST runs out of water. In order to maintain RCS cooling, it is necessary to switch RHR pump suction from the RWST to the containment sump, where the water from the leaking RCS and the containment spray actions is supposed to collect. However, in order not to impede the flow of water from the source of the LOCA to the sump, operating personnel must ensure that the containment sump screens are free of debris. They must also be sure that the drain plugs between the upper and lower compartments of the containment are removed and that the drains are unobstructed in order that water from the containment spray action will also drain back to the sump. Failure of operating personnel to maintain these unobstructed flow paths to the containment sump is shown in ESD 1 to lead to the degraded plant state because the subsequent low pressure recirculation (LPR) and containment spray recirculation (CSR) functions cannot be performed due to an inadequate supply of water in the sump.

The next block in Figure 4-7 is the LPR function. Success of this function entails automatic alignment of RHR pump suction from the RWST to the containment sump and the continued operation of at least one of the two RHR pump trains for 23 hours, injecting into at least two of the three intact RCS cold legs. An additional condition for success is that operating personnel align the component cooling water system (CCS) to the RHR heat exchangers. This cooling function is required to remove the heat accumulated as the water is recirculated through the RCS. Two different forms of failure are shown in the ESD. One involves the loss of the heat removal capability due to a loss of the CCS as a heat sink. (In this case, CSR can be used as an alternate mode of heat removal.) The other failure path involves all other forms of failure of the LPR function, a condition shown to lead to the degraded plant state.

The next block is the CSR function, which provides a backup to the loss of the CCS as a heat sink for the RHR heat exchangers. Success requires manual alignment of pump suction to the containment sump, then startup and operation of at least one of two containment spray pump trains for at least 23 hours, with ERCW manually aligned to supply cooling water to the containment spray heat exchangers. Failure to do so leads to the degraded plant state, as shown in ESD 1.

The next block in Figure 4-7 is labeled low pressure hot leg recirculation (LPHLR). There are mixed schools of thought as to whether the change from cold leg to hot leg recirculation is really required.
Some contend that it is necessary to preclude boron precipitation within the core. Success of this function requires manual realignment of LPR from the cold leg to the hot leg and continued operation for 9 hours. The success of this function leads to cold shutdown. The consequences of a loss of this function depend, in part, on the potential for boron precipitation.

The next block, labeled "cooling not blocked," addresses the boron precipitation issue. If boron is precipitated, the degraded plant state occurs. If not, the outcome depends on whether the LPR function can be continued through the cold legs for the additional 9 hours, as indicated by the dashed low pressure cold leg recirculation (LPCLR) continues block. If not, the degraded plant state occurs. Otherwise, cold shutdown is successfully achieved.

This shows how ESD 1 depicts the safety logic of the plant safety systems in responding to a large LOCA type of initiating event. The plant proceeds to either a cold shutdown state or a degraded plant state. In the latter case, a number of alternatives would be available to plant operating personnel to recover from such an outcome and restore the plant to a safe (cold shutdown) condition. Such recovery actions have not been considered in any of the models developed in this study.

Figure 4-8 represents ESD 7, the event sequence diagram for loss of steam flow. The first block at the left represents the initiator category being modeled, loss of steam flow. When this event occurs, essentially no more heat is being removed from the RCS at the steam generators. To prevent temperature increases within the RCS, the reactor is tripped (represented by the second block in ESD 7) to greatly reduce the amount of heat being generated by the core. Failure to do so leads to an ATWS, which is modeled in Appendix B.

Because the core continues to produce heat (the decay, or residual, heat) even after the reactor has been tripped, some means has to be provided to remove that heat in order to prevent excessive temperature rises within the RCS. The next ESD block is for the auxiliary feedwater (AFW) and is labeled "AFW"; this block accounts for such a function. The AFW system extracts the residual heat via the steam generators. Success requires that at least one of three AFW pump trains starts automatically and runs for 8 hours, feeding through at least two of the four steam generators. If this function is accomplished successfully, the plant will remain in a hot standby condition. If not, another mode of RCS cooling must be invoked.

The next block in Figure 4-8, labeled "bleed and feed," provides the backup cooling function to AFW. Success requires manual control of two of two pressurizer power-operated relief valves (PORV) for the bleed function and manual startup of the high pressure injection pumps (for the feed function), with suction aligned to the RWST. Two of the four high pressure pump trains must function, along with both PORVs, and this functioning must be initiated within 30 minutes of the loss of the AFW function. Failure to do so is assumed to lead to the degraded plant state.

As noted above, the bleed and feed function requires that pump suction be aligned with the RWST. However, the functioning of the RWST is not explicitly shown in Figure 4-8. The reason is that tanks in general (and the RWST in particular) are highly reliable and, hence, do not significantly impact probabilistic results. This point is brought out when the numerical results are presented in the event tree format in Section 4.7.3.

The next three blocks deal with the containment spray function. Their impact on the plant end state is an indirect one that results from the functional requirements imposed on the high pressure recirculation (HPR) function. The first of these three blocks ("containment spray demand") questions whether a containment spray demand is initiated by the containment instrumentation as a result of the bleed and feed operation. Although containment spray is not needed for this accident sequence, it may be initiated anyway because of the changed containment atmosphere. If it is not initiated, then the event sequence proceeds normally, with no impact on the HPR function. If it is, then the next block questions whether the containment spray injection (CSI) function is performed. If this function fails, the event sequence progresses as though there had been no containment spray demand, and there is no impact on the HPR function. If it is successful, the next block asks if operating personnel terminate the CSI function. If they do, there is no impact on HPR. However, if they do not terminate it, the water supply in the RWST is depleted much more quickly than intended, which has two impacts on HPR: (1) the manual switchover to HPR must be accomplished much earlier than usual, and (2) HPR must function for a longer time to make up for the decreased time of bleed and feed cooling.

The next block in Figure 4-8 is "sump and upper level/lower level drains." This precedes the HPR block and represents the same functions and functional requirements as the corresponding block did in Figure 4-7 as it leads into the LPR function.

The next block in Figure 4-8 represents the HPR function. The water that is bled from the pressurizer during bleed and feed collects in the containment sump. When the RWST supply is depleted, the high pressure pump suctions must be realigned to the containment sump to continue RCS cooling. RHR success requires at least one of four high pressure pump trains to run for 18 hours, with automatic switchover to the containment sump and manual alignment of the RHR pumps to supply water to the high pressure pumps. Successful operation leads to cold shutdown, failure to the degraded plant state, as shown in ESD 7.
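
The ESD 1 logic described above can be written as a transition table and walked to list every sequence with its end state. This is an added example, not code from the report or from the GO software: the block names follow the ESD 1 description, the branch probabilities are constructed placeholders, and the blocks are treated as independent, which the GO models do not assume.

```python
"""ESD 1 (large LOCA) as a transition table, walked to list every sequence.

Added illustration. Probabilities are constructed placeholders, not plant
data, and blocks are treated as independent (the GO models also track shared
pump trains and auxiliary systems; this sketch does not).
"""
from math import isclose

COLD, DEGRADED = "COLD SHUTDOWN", "DEGRADED STATE"
END_STATES = (COLD, DEGRADED)

# block -> {exit: next block or end state}, in the order ESD 1 asks them
ESD1 = {
    "RWST":         {"ok": "ACCUMULATORS", "fail": DEGRADED},
    "ACCUMULATORS": {"ok": "LPI", "fail": DEGRADED},
    "LPI":          {"ok": "SUMP_DRAINS", "fail": DEGRADED},
    "SUMP_DRAINS":  {"ok": "LPR", "fail": DEGRADED},
    # LPR has two failure exits: CCS-caused loss of the RHR heat exchangers
    # (CSR may take over heat removal) and all other LPR failures.
    "LPR":          {"ok": "LPHLR", "ccs_loss": "CSR", "other_fail": DEGRADED},
    "CSR":          {"ok": "LPHLR", "fail": DEGRADED},
    "LPHLR":        {"ok": COLD, "fail": "COOLING_NOT_BLOCKED"},
    # "fail" here means boron precipitated and cooling is blocked
    "COOLING_NOT_BLOCKED": {"ok": "LPCLR_CONTINUES", "fail": DEGRADED},
    "LPCLR_CONTINUES":     {"ok": COLD, "fail": DEGRADED},
}

# Constructed branch probabilities (assumption, for illustration only)
BRANCH_P = {
    "RWST":         {"ok": 0.9999, "fail": 0.0001},
    "ACCUMULATORS": {"ok": 0.999, "fail": 0.001},
    "LPI":          {"ok": 0.995, "fail": 0.005},
    "SUMP_DRAINS":  {"ok": 0.99, "fail": 0.01},
    "LPR":          {"ok": 0.97, "ccs_loss": 0.02, "other_fail": 0.01},
    "CSR":          {"ok": 0.95, "fail": 0.05},
    "LPHLR":        {"ok": 0.98, "fail": 0.02},
    "COOLING_NOT_BLOCKED": {"ok": 0.9, "fail": 0.1},
    "LPCLR_CONTINUES":     {"ok": 0.99, "fail": 0.01},
}


def check_model(esd, probs):
    """Each exit needs a probability, exits sum to 1, and targets must exist."""
    for block, exits in esd.items():
        if set(exits) != set(probs[block]):
            raise ValueError(f"{block}: exits and probabilities differ")
        if not isclose(sum(probs[block].values()), 1.0, abs_tol=1e-12):
            raise ValueError(f"{block}: exit probabilities do not sum to 1")
        for target in exits.values():
            if target not in esd and target not in END_STATES:
                raise ValueError(f"{block}: unknown target {target}")


def enumerate_sequences(esd, probs, start="RWST"):
    """Return [(path, end_state, probability)] for every route through the ESD."""
    check_model(esd, probs)
    sequences, stack = [], [(start, (), 1.0)]
    while stack:
        block, path, p = stack.pop()
        for outcome, target in esd[block].items():
            step = path + ((block, outcome),)
            q = p * probs[block][outcome]
            if target in END_STATES:
                sequences.append((step, target, q))
            else:
                stack.append((target, step, q))
    return sequences


def end_state_probabilities(sequences):
    """Sum sequence probabilities by plant end state."""
    totals = {COLD: 0.0, DEGRADED: 0.0}
    for _, end, p in sequences:
        totals[end] += p
    return totals


def end_state_for(esd, observed, start="RWST"):
    """Follow observed block outcomes; bypassed blocks are never consulted."""
    block = start
    while block not in END_STATES:
        block = esd[block][observed[block]]
    return block


if __name__ == "__main__":
    seqs = enumerate_sequences(ESD1, BRANCH_P)
    for path, end, p in sorted(seqs, key=lambda s: -s[2]):
        print(f"{p:.3e}  {end:15s} " + " > ".join(f"{b}:{o}" for b, o in path))
    print(end_state_probabilities(seqs))
```

The walk yields the two exits of LPR as separate sequences, so the CSR block only appears on paths where the CCS heat sink was lost, matching the bypass described for ESD 1.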

The preceding paragraphs describe the alternative ways that the plant can respond to two different categories of initiating events and show how ESDs can be constructed to pictorially display that response logic. As mentioned in Section 4.2.2, these ESDs do not display all possible ways that the plant would respond to their respective initiating events. Analysis conservatisms were included in some of the models as specifically identified in some of the figures in Appendix B. Furthermore, the ability to use nonsafety systems as backups to failed safety systems was not modeled.

Because 10 of the 13 ESDs identify sequences leading to an ATWS-type sequence, it was deemed simpler to develop one ATWS model rather than to repeat the ATWS logic in every one of those 10 ESDs. Then, the total frequency of ATWS occurrences as determined for all 10 ESDs would serve as a single input to that ATWS model. Because a valid ATWS model was already available (Reference 4-3) in event tree format, it was left in that form rather than transformed into ESD format. This event tree is shown in Appendix B.

4.4.2 Description of Success Criteria for ESD Functional Blocks

A matrix which correlates systems/functions with ESDs is presented in Table 4-3. A description of the system/functions including success criteria, failure effects, and required operator actions is given in Section 4.5.

4.4.3 GO Models

All of the ESDs, along with the ATWS event tree, were transformed into GO models. This transformation process is illustrated here by transforming ESDs 1 and 7 (from Figures 4-7 and 4-8) into their corresponding GO models. The other GO models are given in Appendix B, along with the ESDs and one event tree.

The GO model for ESD 1 is shown in Figure 4-9. This diagram is very similar to that given in Figure 4-1, and it was constructed using the modeling fundamentals presented in Section 4.2.3. Since the construction of that earlier model was discussed in some detail in that section, there is no need to repeat that here. However, there are certain characteristics of the present model worthy of special note.

The signals numbered from 301 through 308 are the ones specified in the GO input as the final signals. The GO output lists all admissible combinations of 0 and 1 values for those signals, along with their associated probabilities. Those signals indicate the states (success, failure, or bypass) of the safety systems represented by the type 5 operators or supertypes shown at the left in the diagram.

Table 4-3

SYSTEMS/FUNCTION VERSUS ESDs

Number  System/Function Name (X marks under ESD Number 1 2 3 4 5 6 7 8 9 10 11 12 13 14)

1   Accumulators (lower head)  X
2   AFW (L-1)  X X X X X X X X X X X X
3   AFW (L-2)  X
4   ATWS Pressure Relief  X
5   Bleed and Feed  X X X X X X X X X X X X
6   Closed Loop RHR  X X X X
7   Cooling Not Blocked  X
8   CSI  X X X X X X X X X X
9   CSI Demand  X X X X X X X X X X
10  CSR  X X X
11  HPI  X X X X X X
12  HPR  X X X X X X X X X X X
13  LPCLR  X
14  LPHLR  X
15  LPI  X X X
16  LPR  X X X
17  Manual Reactor Scram  X
18  MSIV  X X X X X *
19  Operator Depress and Cool  X X X X
20  Operator Isolates Upper Head Injection (UHI)  X X X X
21  Operator Recovers  X X X X
22  Operator Terminates CSI  X X X X X X X X X X
23  Operator Terminates Excursion  X
24  Power Level > 80%  X
25  Rapid Depressurization  X X
26  Rods in by 1 Minute  X
27  RWST  X X X X
28  Reactor Trip  X X X X X X X X X X
29  Secure Pressure Relief  X
30  Steam Generator Safety Valve Reseat  X
31  Sump and Upper Level/Lower Level Drains  X X X X X X X X X X X X X
32  Turbine Runback  X
33  Turbine Trip  X X X *

*MSIV and turbine trip are considered together in ESD 14.

Figure 4-9. GO Model for ESD 1 Large LOCA

The type 5 operators represent safety systems functions that have no input from the auxiliary systems. (The one exception to this is discussed shortly.) All safety systems functions that require input from the auxiliary systems are represented by supertypes. Because there are so many of these inputs, they are not shown in this diagram so that attention can be focused on the safety logic; however, the inputs for all supertypes are listed in a table in Appendix B.

Supertypes ST1100 (for the LPI function) and ST1400 (the LPR function) are directly joined by the two signals numbered 431 and 432. These two signals separately indicate the success/failure states of the two pump trains following the LPI function. Thus, if train A fails during the LPI function, it must also be failed in the subsequent LPR function. That is, the GO model can account for functional dependencies that arise from staged missions in which the same basic equipment is used to perform similar or different functions over two different time periods.

Signals 451 and 452 indicate the states of the two pump trains after the LPR function. Since these signals are not needed in this model, they had to be "zeroed out." This is where the above-mentioned exception to the type 5 operators comes in. The 5-1 operator (labeled "PERFECT") is always perfect; that is, its output signal 453 is always assigned a value of 0. That signal plus signals 451 and 452 are input to the type 2 operator, whose output signal 454 must therefore always be assigned a value of 0. Inputting that zero-valued signal to the type 10 operator therefore has no effect on the value of its output signal 305. In other words, this "zeroing out" of signals 451 and 452 causes their values to have no effects on the output results produced by this model.

Notice that no external trainwise dependency is shown between the LPR and LPHLR functions. The reason for this is that this dependency is taken into account within ST1400; the total run-time requirements for the LPR, LPHLR, and LPCLR functions shown in ESD 1 (Figure 4-7) have been combined and included in the model for LPR as a means of simplifying the overall modeling process. This means that ST1800 has to account only for the valve realignment part of the LPHLR function, as noted in Figure 4-7.
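
The staged-mission dependency carried by signals 431 and 432 can be shown numerically: trains that fail in the first function are unavailable to the second, so multiplying the two functions' success probabilities as if each started with all trains understates the failure probability. The following is an added example, not part of the report and not the GO algorithm; the success criteria (one of two trains for LPI and LPR, and for ESD 7 two of four then one of four) come from the text, while the per-phase train failure probabilities, and the treatment of trains as identical and independent within a phase, are assumptions. It generalizes the two-train case to k-of-n criteria.

```python
"""Staged-mission dependency between two functions that share pump trains.

Added illustration. Failure probabilities are constructed; trains are assumed
identical and independent within a phase, and test/maintenance and auxiliary
system inputs are ignored.
"""
from math import comb


def at_least(k, n, p_ok):
    """P(at least k of n independent trains succeed), each with p_ok."""
    return sum(comb(n, m) * p_ok**m * (1 - p_ok) ** (n - m)
               for m in range(k, n + 1))


def survivors_after_phase1(n, p_fail_1):
    """Distribution of the number of trains still running after phase 1.

    This is the information the train-state signals pass from the first
    supertype to the second (431/432 in the ESD 1 model).
    """
    p_ok = 1 - p_fail_1
    return {m: comb(n, m) * p_ok**m * p_fail_1 ** (n - m) for m in range(n + 1)}


def staged_success(n, k1, k2, p_fail_1, p_fail_2):
    """P(both functions succeed) when phase 2 can only use phase 1 survivors."""
    total = 0.0
    for m, p_m in survivors_after_phase1(n, p_fail_1).items():
        if m < k1:
            continue  # phase 1 success criterion not met
        # at_least() returns 0 when fewer than k2 trains survived phase 1
        total += p_m * at_least(k2, m, 1 - p_fail_2)
    return total


def independent_success(n, k1, k2, p_fail_1, p_fail_2):
    """Naive product that lets phase 2 start with all n trains again."""
    return at_least(k1, n, 1 - p_fail_1) * at_least(k2, n, 1 - p_fail_2)


def failure_ratio(n, k1, k2, p_fail_1, p_fail_2):
    """Staged failure probability divided by the naive failure probability."""
    staged = 1 - staged_success(n, k1, k2, p_fail_1, p_fail_2)
    naive = 1 - independent_success(n, k1, k2, p_fail_1, p_fail_2)
    return staged / naive


if __name__ == "__main__":
    # LPI then LPR: one of two RHR pump trains in each phase
    print("LPI/LPR staged :", staged_success(2, 1, 1, 0.01, 0.05))
    print("LPI/LPR naive  :", independent_success(2, 1, 1, 0.01, 0.05))
    print("failure ratio  :", failure_ratio(2, 1, 1, 0.01, 0.05))
    # Bleed and feed then HPR: two of four, then one of four
    print("B&F/HPR staged :", staged_success(4, 2, 1, 0.1, 0.2))
```

With the constructed values for the two-train case, the staged failure probability is about 1.36 times the naive product's, the difference being the cross term in which one train is lost in each phase.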


The output signals 450 and 455 from ST1400 account for the two different forms of LPR failure, as identified in ESD 1. If the only cause of LPR failure is the loss of CCS cooling of the RHR heat exchangers, the type 2 operator with output signal 306 allows CSR to pick up the required cooling function, thereby allowing LPR to continue. However, if any other form of LPR failure occurs (as monitored by signal 455), the CSR function is bypassed by inputting that signal to the type 10 operator with output signal 462.

The last point to be mentioned regarding Figure 4-9 concerns input signal 402 at the top of the model. That signal comes from the auxiliary systems model and was produced by "zeroing out" some of the auxiliary systems output signals that are not required as input to any of the safety systems in this model. The "zeroing out" process performed in the auxiliary systems model is the same as that used for signals 451 and 452 in this diagram, as discussed above.

The GO model for ESD 7 is shown in Figure 4-10. It was constructed from Figure 4-8 using the modeling fundamentals given in Section 4.2.3. Signals 301 through 305 were identified as the final signals in the GO input, and those signals represent the success/failure states of the corresponding safety systems functions shown at the left by the supertypes and the 5-1050 operator. The signals input to the supertypes from the auxiliary systems model are not identified in this diagram, but they can be found in a table in Appendix B. Signal 200 is an input from the auxiliary systems model; it is the result of "zeroing out" signals produced in the auxiliary model that are not needed in the GO safety model.

Signal 420 is shown as an input to the AFW function, represented by supertype ST1600. It is a simplified representation of the availability of steam for the turbine-driven pump. It was taken to be perfect for the purposes of this demonstration analysis. Signals 415 through 418 that are input to ST1901 account for test and maintenance actions on two centrifugal charging pumps and two safety injection pumps. Output signals 445 through 448 indicate the success/failure states of those four pump trains following the bleed and feed function. They are input to ST1500 to account for the phased mission dependency between the HPR and bleed and feed functions. Two of the other inputs (signals 548 and 549) account for test and maintenance activities on the RHR pumps.

[Figure 4-10. GO Model for ESD 7, Total Loss of Steam Flow]

As mentioned in the discussion of ESD 7, the functions related to containment spray have an indirect effect on the plant end state by way of their impact on the HPR function. This impact is monitored by signal 436. It has a value of 1 only if there is a containment spray demand, containment spray injection functions successfully, and the operating personnel do not terminate that injection function. Under such circumstances, the HPR pumps must run longer. This means that the probability of pump failure must be greater under these circumstances (with S436 = 1) than it is otherwise (with S436 = 0). The method of taking this conditional dependency into account is illustrated in the following sketch.

[Sketch: signal 436, type 5 operator (PROBABILITY CONDITIONER), type 2 operator, type 10 operator, type 1 operator (PUMP), AUXILIARY INPUT]

The type 1 operator accounts for all of the hardware that is required to function in the pump train; i.e., the pump, its drive motor, and the various flow control and isolation valves. The input to the type 10 operator accounts for the auxiliary systems input required for the functioning of the equipment in the pump train. The type 5 operator provides for the probability conditioning. If signal 436 has a value of 0, that type 5 operator is bypassed, and the probability evaluation is based on normal operating conditions. However, if S436 = 1, that operator is included, and the failure probability of the train increases according to the probability data assigned to that type 5 operator.

This illustrates a very powerful probability conditioning feature of the GO methodology.
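The "zeroing out" of signals 451 and 452 and the probability conditioning on signal 436 described above can be checked by enumerating signal states. This is an added example, not code from the report or from the GO software; it assumes two-valued signals (0 = success, 1 = failure), reads the sketch as signal 436 and the type 5 operator feeding the type 2 operator ahead of the type 10 and type 1 operators, and uses constructed failure probabilities and a hypothetical `upstream` input to the type 10 operator.

```python
from itertools import product

# Assumption for this example: two-valued signals, 0 = success, 1 = failure.
SUCCESS, FAILURE = 0, 1


def type2_or(*values):
    """Type 2 (OR) operator: the output succeeds if any input succeeds."""
    return min(values)


def type10_and(*values):
    """Type 10 (AND) operator: the output succeeds only if all inputs succeed."""
    return max(values)


def type1(input_value, component_state):
    """Type 1 operator: passes its input through only if the component works."""
    return max(input_value, component_state)


def two_state(p_fail):
    """Distribution of an independent two-state source."""
    return {SUCCESS: 1.0 - p_fail, FAILURE: p_fail}


def distribution(sources, model):
    """Enumerate all joint states of independent sources and return
    {output value: probability} for the given model function."""
    names = list(sources)
    result = {}
    for combo in product(*(sources[name].items() for name in names)):
        values = {name: value for name, (value, _) in zip(names, combo)}
        prob = 1.0
        for _, p in combo:
            prob *= p
        out = model(values)
        result[out] = result.get(out, 0.0) + prob
    return result


def signal_305(p451_fail, p452_fail, p_upstream_fail):
    """Zeroing out: 453 is always 0, so 454 = OR(451, 452, 453) is always 0
    and cannot change the type 10 output 305."""
    sources = {
        "s451": two_state(p451_fail),
        "s452": two_state(p452_fail),
        "s453": {SUCCESS: 1.0},                 # 5-1 "PERFECT" operator
        "upstream": two_state(p_upstream_fail),  # hypothetical other input
    }

    def model(v):
        s454 = type2_or(v["s451"], v["s452"], v["s453"])
        return type10_and(v["upstream"], s454)

    return distribution(sources, model)


def train_failure_probability(s436, p_hw, p_aux, p_cond):
    """Probability conditioning: with S436 = 0 the type 2 operator outputs 0
    and the type 5 conditioner is bypassed; with S436 = 1 the conditioner's
    failure probability is included in the pump train."""
    sources = {
        "conditioner": two_state(p_cond),  # type 5 probability conditioner
        "aux": two_state(p_aux),           # auxiliary systems input
        "hardware": two_state(p_hw),       # type 1 pump train hardware
    }

    def model(v):
        conditioned = type2_or(s436, v["conditioner"])
        train_input = type10_and(conditioned, v["aux"])
        return type1(train_input, v["hardware"])

    return distribution(sources, model).get(FAILURE, 0.0)


if __name__ == "__main__":
    # Constructed probabilities, for illustration only.
    print(signal_305(0.3, 0.9, 0.05))
    print(train_failure_probability(0, 0.01, 0.002, 0.005))
    print(train_failure_probability(1, 0.01, 0.002, 0.005))
```
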

4.5 DESCRIPTIONS OF SYSTEMS/FUNCTIONS IN ESDs

There are 33 separate functions represented in the 13 ESDs. These functions can be equipment responses, operator responses, a plant state, or any combination thereof. A single system may provide multiple functions with the same or a different set of equipment.

4.5.1 Description of System Analyses Functions

4.5.1.1 Emergency Core Cooling System Functions. The following functions are analyzed within the ECCS analysis (see Appendix A).

o Accumulators (Cold Leg) for Large LOCA

              --Description and Success Criteria. This is the injection of the contents of at least three out of four accumulators into their associated RCS cold legs (one accumulator is assumed to discharge into the failed RCS loop).

It should be noted that the two upper head accumulators (one with borated water, the other with pressurizing nitrogen) have no ultimate effect on core damage, as judged from the perspective of a realistic probabilistic assessment. Hence, they are not included in the model; only the lower head (cold leg) accumulators need be modeled.

              --Dependency Upon Other Systems. None.
              --Effect of Failure. Assumed to result in degraded state if accumulator injection fails.
              --Operator Actions. None.

o High Pressure Injection for Small LOCA and Other Initiating Events

              --Event Description and Success Criteria. This is the automatic start and operation for at least 1 hour of one or more out of four high pressure pump trains injecting into at least one out of four RCS cold legs. Also requires automatic alignment of component cooling pump (CCP) suction to the RWST.
              --Dependency Upon Other Systems. The safety injection pump (SIP) and CCPs require AC and DC power, CCS water for pump seal cooling and ERCW for pump oil cooling and pumproom ventilation cooling, and an actuation signal from ESFAS. The motor-operated valves require AC power and an actuation signal from ESFAS.
              --Effect of Failure. Loss of the HPI function which results in a need for rapid depressurization of the RCS to allow the LPI pumps to function.
              --Operator Actions. None.

o HPI for Medium LOCA

   --Description and Success Criteria. This is the automatic start and operation for at least 1 hour of two or more out of four high pressure pump trains (two CCP trains plus two SIP trains) injecting into at least two out of four RCS cold legs. Also requires auto alignment of CCP suction to the RWST.
   --Dependency Upon Other Systems. The SIPs and CCPs require AC and DC power, CCS water for pump seal cooling and ERCW for pump oil cooling and pumproom ventilation cooling, and an actuation signal from ESFAS. The motor-operated valves require AC power and an actuation signal from ESFAS.
   --Effect of Failure. Loss of the HPI function which results in a need for rapid depressurization of the RCS to allow the LPI pumps to function.
   --Operator Actions. None.

o Bleed and Feed

  --Description and Success Criteria. This is the manual initiation of core decay heat removal using the high pressure injection pumps (feed) and the pressurizer PORVs (bleed). Success requires operation of at least one out of four high pressure pump trains (two CCP trains and two SIP trains) and two out of two PORVs. This function must be initiated within 30 minutes after a loss of the AFW function.
  --Dependency Upon Other Systems. The HPI pumps require AC and DC power, and component cooling water and ERCW systems. The PORVs require DC power and instrument air. Operator action is necessary to initiate and control this function.
  --Effect of Failure. Failure of the bleed and feed function given failure of AFW function is assumed to result in degraded plant state.
  --Operator Actions. Manual start of HPI pumps and alignment to RCS (if not already running). Must open two out of two PORVs.
  --Time to Initiate Action. Within 30 minutes of failure of AFW function.

o Low Pressure Injection

  --Event Description and Success Criteria. This is the automatic start and operation for 1 hour of at least one out of two RHR pump trains in the LPI mode of operation injecting water to at least two of three intact RCS cold legs.
  --Dependency Upon Other Systems. The RHR pumps require AC and DC power and an ESFAS S signal to start.
  --Effect of Failure. Failure to reflood the core after a large LOCA, assumed to result in a degraded plant state.
  --Operator Actions. None.

o High Pressure Recirculation

  --Event Description and Success Criteria. This is the continued operation for 18 hours of at least one out of four high pressure pump trains in the recirculation mode. This event requires successful operation of one or more RHR pump trains with automatic switchover to containment sump suction and manual alignment of the RHR pumps to supply water to the high pressure pumps. The operator actions necessary to complete the switchover alignment are included in this top event.
  --Dependency Upon Other Systems. The high pressure pumps and the RHR pumps require AC and DC power and CCS water for pump seal cooling. The high pressure pumps require ERCW for lube oil and room cooling. The RHR heat exchangers require CCS water for heat removal. The RHR pumps require an automatic start signal from ESFAS. The switchover to containment sump requires the presence of coincident RWST low-low level signals and ESFAS S signals.

  --Effect of Failure. Loss of long-term core cooling function, which leads to degraded plant state.
  --Operator Actions. The operator must align the low pressure recirculation pumps' discharge to supply the operating HPI pumps.
  --Time to Initiate Action. Within 30 minutes of automatic switchover.

o Low Pressure Recirculation

  --Event Description and Success Criteria. This is the automatic alignment of the RHR pumps suction from the RWST to the containment sump and the continued operation of at least one of two RHR pump trains for 23 hours injecting into at least two out of three intact RCS cold legs. Operator action is necessary to complete this function successfully (align CCS water to the RHR heat exchangers).
  --Dependencies Upon Other Systems. The RHR pumps require AC and DC power and component cooling water for pump seal cooling. The motor-operated containment sump valves and RWST isolation valves require AC power and an ESFAS S signal. The RHR heat exchangers require CCS for decay heat removal and operator action to align CCS to the RHR heat exchangers.
  --Effect of Failure. Failure of CCS water to the RHR heat exchangers (flow path mechanical failures only) does not fail the LPR function as cooling can be provided by the containment spray heat exchangers. All other failures are assumed to result in a degraded plant state.
  --Operator Actions. Operator must align CCS water to RHR heat exchangers.
  --Time to Initiate Action. After completion of automatic switchover.

o Low Pressure Hot Leg Recirculation

  --Event Description and Success Criteria. This is the manual realignment of at least one of two RHR pump trains to the hot leg recirculation mode of operation and to continued operation in this mode for 9 hours, to preclude boron precipitation in the core area following a large LOCA.

   --Dependency Upon Other Systems. The dependencies of the RHR pumps and heat exchangers are included in the top event for LPR. This event depends on operator action only.
   --Effect of Failure. Failure of this top event is assumed to result in a degraded plant state if boron precipitation blocks coolant flow. Otherwise (which was the condition assumed in this analysis), cooling can be continued via the cold leg.
   --Operator Actions. This event is entirely operator action.
   --Time to Initiate Action. Approximately 15 hours after occurrence of large LOCA.

o Low Pressure Cold Leg Recirculation

   --Event Description and Success Criteria. This is the continued operation for at least 5 hours of at least one out of two RHR pumps in the LPR mode of operation after failure to achieve LPHLR.
   --Dependency Upon Other Systems. The RHR pumps require AC and DC power, and CCS for pump seal cooling. The RHR heat exchangers require CCS water for decay heat removal.
   --Effect of Failure. Failure of this function is assumed to result in a degraded plant state.
   --Operator Actions. None.

o Closed Loop Residual Heat Removal

   --Event Description and Success Criteria. This is the manual initiation of long-term core decay heat removal using the closed loop RHR cooling path. Success requires at least one out of two RHR pumps and associated heat exchangers to operate for at least 23 hours taking suction from the RCS loop 4 hot leg and discharging to at least two out of four cold leg injection paths.
   --Dependency Upon Other Systems. The RHR pumps require AC and DC power and component cooling water. The RHR heat exchangers require component cooling water. The various motor-operated valves require AC power.

   --Effect of Failure. If the hot leg suction valves fail to open, the long-term core decay heat removal function is provided by LPR. All other failures lead to a degraded plant state.
   --Operator Actions. Open one RCS hot leg to RHR suction motor-operated valves, ensure cooling water is lined up through the RHR heat exchangers, control cooldown rate.
   --Time to Initiate Action. Action cannot start until RCS pressure and temperature limits for RHR operation are satisfied. This takes approximately 6 to 8 hours.

o Refueling Water Storage Tank

   --Event Description and Success Criteria. This event models the availability of the refueling water storage tank inventory for RCS injection and CSI operation. Success requires at least 375,000 gallons of borated water at 2,000 ppm boron and an operable RWST (e.g., vent not plugged).
   --Dependency Upon Other Systems. None.
   --Effect of Failure. Failure of this event results in a degraded plant state due to insufficient water for HPI, LPI, CSI, and bleed and feed functions.
   --Operator Actions. None.

4.5.1.2 Safety Systems Functions. The following functions are analyzed as main line safety functions within their respective systems analyses.

o Auxiliary Feedwater (AFW or AFW (L-1) for ATWS)

   --Description and Success Criteria. This is the automatic start and operation for 8 hours of at least one out of three pump trains (two motor-driven and one turbine-driven) feeding at least two of four steam generators.
   --Dependency Upon Other Systems. Motor-driven AFW pumps require AC and DC power. Turbine-driven AFW pump requires steam from one of two steam generators. Requires an automatic actuation signal from ESFAS.
               --Effect of Failure. Core cooling must be provided by other means (such as feed and bleed).
               --Operator Actions. None.

o Auxiliary Feedwater (AFW (L-2) for ATWS)

   --Description and Success Criteria. This is the automatic start and operation for 8 hours of two out of two motor-driven AFW pump trains or one turbine-driven pump train feeding four out of four steam generators in response to an ATWS event.
   --Dependency Upon Other Systems. Same as event AFW (L-1).
   --Effect of Failure. RCS pressure increase due to ATWS event is assumed to cause failure of RCS pressure boundary (small LOCA).
   --Operator Actions. None.

o Containment Spray Injection

   --Event Description and Success Criteria. This is the automatic start and operation for at least 1 hour of at least one out of two containment spray pump trains.
   --Dependency Upon Other Systems. The containment spray pumps and valves require AC power and an actuation signal from ESFAS. The containment spray pumps also require DC control power. The containment spray heat exchangers require ERCW for heat rejection.
   --Effect of Failure. Failure of the event results in failure of the containment cooling function necessary to maintain long-term containment integrity.

                                         --Operator Actions. None.

o Containment Spray Recirculation

   --Event Description and Success Criteria. This event is the continued operation of the containment spray pumps in the recirculation mode of operation. Requires manual alignment of the containment spray pump suction to the containment sump, restart and operation for at least 23 hours of at least one of two containment spray pump trains with ERCW supplied to the containment spray heat exchangers.
   --Dependency Upon Other Systems. The containment spray pumps require AC and DC power for operation. The motor-operated valves require AC power. The containment spray heat exchangers require ERCW for heat removal.
   --Effect of Failure. Loss of the long term containment cooling function.
   --Operator Actions Required. The operator must stop the running containment spray pumps upon receipt of an RWST low-low level (start of automatic switchover to containment sump recirculation), manually shift the containment spray pump suction to the containment sump path, and then restart the containment spray pumps and manually align ERCW to the containment spray heat exchanger.
   --Time to Initiate Action. Within 1 hour of containment spray pump automatic start.

o Reactor Trip

            --Event Description and Success Criteria. This event models the automatic response of the reactor protection system to an initiating event. Success requires the insertion of a sufficient number of rod control cluster assemblies into the core.
            --Dependency Upon Other Systems. Requires the successful operation of the solid state protection system (SSPS) for the generation of the automatic trip signal. Failure of power to SSPS results in an automatic reactor trip signal.
            --Effect of Failure. Failure of automatic reactor trip results in an ATWS scenario.
            --Operator Actions. None.

o Turbine Trip

            --Event Description and Success Criteria. This is the automatic trip of the turbine (isolating the steam supply) as a result of a trip signal from the reactor trip breakers, turbine protection system, or the generator protection system.
            --Dependency Upon Other Systems. Trip signal must be present.
            --Effect of Failure. Rapid overcooling of the RCS due to excessive steam demand after reactor trip. The MSIV automatic function is expected given failure of the turbine trip system.
            --Operator Actions. None.

4.5.2 Description of Operator and Minisystem Functions

The following ESD functions are not analyzed within the context of a systems analysis but are simply represented as a single function based on the success or failure data explained in Section 5.

o Anticipated Transient without Scram Pressure Relief

            --Description and Success Criteria. This is the automatic opening of three out of three primary safety valves and at least one out of two PORVs in response to an ATWS event.
            --Dependency Upon Other Systems. Primary safety valves are independent of other systems. The PORVs require a high pressure signal from pressurizer pressure instrumentation and DC power and instrument air for operation.
            --Effect of Failure. RCS pressure increase due to an ATWS event is assumed to cause failure of the RCS pressure boundary (small LOCA).
            --Operator Actions. None.

o Cooling Not Blocked

 --Description and Success Criteria. This event represents the nonoccurrence of boron precipitation given the failure of low pressure hot leg recirculation.
 --Dependency Upon Other Systems. None.
 --Effect of Failure. Failure of this event is assumed to result in a degraded plant state.
 --Operator Actions. None.

o Containment Spray Demand

 --Event Description and Success Criteria. Demand for the containment spray system for a small LOCA initiating event will be manifested when the containment pressure high-high setpoint is reached. The setpoint is set at 2.81 psi above normal. The likelihood that the setpoint will be reached and the time to reach the setpoint is a function of the size and location of the small LOCA. Containment spray is automatically actuated when the setpoint is reached. If the automatic actuation fails, the operator is required to start manually. The operator may terminate containment spray (train A or train B or both trains) when the containment pressure is within safe limits.

o Manual Reactor Scram

 --Event Description and Success Criteria. This event models the operator actions necessary to manually scram the reactor given a failure of the reactor trip breakers to open automatically. Success requires at least one out of two reactor trip breakers open.
 --Dependency Upon Other Systems. The reactor trip breakers require AC power to energize the shunt trip coils.
 --Effect of Failure. No scram in response to a plant transient. Initiates an ATWS sequence.
 --Operator Actions. The operator manually initiates scram from control room.
 --Time to Initiate Action. Within 1 minute of ATWS event to minimize the pressure transient associated with ATWS event. Within 10 to 30 minutes to initialize the ATWS.

o Main Steam Isolation Valves

 --Event Description and Success Criteria. This is the automatic closure of at least three out of four MSIVs in response to a steam line isolation signal.
 --Dependency Upon Other Systems. Requires the presence of at least one of two steam line isolation signals (both trains of ESFAS send signals to all MSIVs) and DC power for MSIV actuation.

   --Effect of Failure. Rapid overcooling of the RCS which may lead to pressurized thermal shock of the reactor vessel.
   --Operator Actions. None.

o Operator Depressurizes and Cools

   --Event Description and Success Criteria. This event models the operator actions necessary to cool down and depressurize the RCS using normal plant procedures.
   --Dependency Upon Other Systems. Requires the successful operation of the AFW system and a method of heat removal from the steam generators (atmospheric steam relief or condenser steam dump).
   --Effect of Failure. Plant must go to long-term HPR or LPR rather than normal RHR decay heat removal.
   --Operator Actions. This event is entirely operator action.
   --Time to Initiate Action.

o Operator Isolates Upper Head Injection

   --Event Description and Success Criteria. This event models the operator actions and equipment operation necessary to isolate the UHI system during plant depressurization.
   --Dependency Upon Other Systems. Operator action is necessary to initiate UHI isolation. The motor-operated valves require AC power.
   --Effect of Failure. Based on presumed rupture of the membrane, possible blockage of natural circulation RCS flow due to nitrogen accumulation in steam generator tubes.
   --Operator Actions. This event is entirely operator action.
   --Time to Initiate Action. Prior to RCS pressure decreasing to UHI accumulator setpoint.

o Operator Recovers

   --Event Description and Success Criteria. Unsuccessful isolation of the UHI system can lead to core melt. Successful recovery is defined as successful closed loop RHR notwithstanding nitrogen in some or all of the steam generator tubes. Success depends on amount of nitrogen and heat removal requirement.

o Operator Terminates CSI

   --Event Description and Success Criteria. This event models the operator actions to terminate CSI after containment conditions are returned to normal. This event is only necessary for small LOCA and feed and bleed scenarios where lower compartment pressure may initiate automatic CSI operation.
   --Dependency Upon Other Systems. None.
   --Effect of Failure. Operation of CSI during small LOCAs and feed and bleed scenarios limits the amount of water available to the HPI pumps from the RWST. If the containment spray pumps automatically start, within 30 minutes automatic switchover to containment sump recirculation will occur due to decreasing RWST inventory. By procedure, the operators cannot secure CSI until containment conditions have returned to normal (pressure and temperature). Failure of this event is assumed to occur for all small break and feed and bleed scenarios. This results in requiring HPR within 30 minutes of containment spray pump initiation.
   --Operator Actions. This event is entirely operator action.
   --Time to Initiate Action. Prior to reaching RWST low-low level (< 30 minutes).

o Operator Terminates Excursion

    --Event Description and Success Criteria. This event models the operator actions necessary to terminate a reactor overpower excursion prior to reaching a reactor trip setpoint.
   --Dependency Upon Other Systems. Plant instrumentation and alarms must be available to alert the operators to the conditions.
   --Effect of Failure. Automatic reactor trip initiated.
    --Operator Actions. This event is entirely operator action.
   --Time to Initiate Action. Prior to reactor trip.

o Power Level > 80%

   --Event Description and Success Criteria. No success criterion is applicable here. The probability distribution has been developed from operating experience of Sequoyah Unit 1.

o Rapid Depressurization

   --Event Description and Success Criteria. This event models the operator actions necessary to rapidly depressurize the reactor coolant system by blowing down the steam generators after failure of the HPI function.
   --Dependency Upon Other Systems. Requires successful AFW operation and a method of rapidly depressurizing the steam generators (atmospheric relief valves or condenser steam dump) which requires plant instrument air and 120V instrument power.
   --Effect of Failure. Failure of this event is assumed to result in a degraded plant state.
   --Operator Actions. The operator must recognize the loss of the HPI function; and, following procedures, rapidly depressurize and cool down the RCS by dumping steam to the steam generators.
   --Time to Initiate Action. Within 30 minutes of the loss of the HPI function.

o Rods Inserted within 1 Minute (included in manual scram)

o Secure Pressure Relief

             --Event Description and Success Criteria. This is the automatic reclosure of the primary safety and PORVs after an ATWS overpressure condition has been mitigated.
             --Dependency Upon Other Systems. None.
              --Effect of Failure. Failure of this event is assumed to result in a small LOCA.
             --Operator Actions. None.

o Steam Generator Safety Valve Reseat

             --Event Description and Success Criteria. This is the reseating of the steam generator safety valves after opening in response to a steam generator tube rupture event. All valves which open must reseat.
             --Dependency Upon Other Systems. None.
             --Effect of Failure. Failure of the steam generator safety valves to reseat implies containment bypass following a steam generator tube rupture.
             --Operator Actions. None.

o Sump and Upper Level/Lower Level Drains

             --Event Description and Success Criteria. This event models the operator actions necessary to ensure the containment sump screens are free of debris and the drain plugs between the upper and lower compartments are removed and the drains are unobstructed. These actions are in response to plant technical specification requirements.
             --Dependency Upon Other Systems. None.
             --Effect of Failure. Failure of LPR and CSR functions leading to a degraded plant state and possible containment failure.
             --Operator Actions. This event is entirely operator actions taken prior to the initiating event.

4.6 SYSTEMS ANALYSES

4.6.1 Detailed Systems Models

Systems analyses were performed for the ESD function blocks specified in the previous section. In the process, auxiliary support dependencies were identified and an auxiliary systems model was developed. The auxiliary model provides the necessary support for main line safety functions. Therefore, the systems analyses were composed of auxiliary systems and main line safety systems. The interfaces between the auxiliary model and main line systems were accounted for in the model integration process, as discussed in Section 4.7.1.

The detailed system models were developed to model specific functions with specific success criteria. The procedure was to develop the models individually based on the condition that all dependencies, auxiliary support and otherwise, are available. The emergency core cooling system models have dependencies between themselves because, in many cases, the models rely on the same equipment to perform separate functions. Most other safety system models only have auxiliary support dependencies.

The models were represented as supertypes with input dependencies and output indicating the functional status of the equipment modeled.

4.6.2 Model Condensation

The two methods used for condensing the GO models are described in Section 4.2.4.2. Section 4.6.2.1 illustrates one method with two of the GO models--a simple one and a more complex model. The other method was applied to ESFAS, as discussed in Section 4.6.2.2. Section 4.6.2.3 compares the results from the condensed and uncondensed models.

4.6.2.1 Illustrations of Condensation. The first condensation to be illustrated is supertype 105, which is a part of the compressed air system. The original (uncondensed) model is shown in Figure 4-11. Also in that figure is a closed curved line that shows what GO operators in that model are to be combined into a single (condensed) type 1 operator, which is to be assigned kind number 105. In order for output signal 201 to be successful, all operators included within that closed curved line must be successful. The success fractions used in the kind data are related as follows:

$$R_{105} = R_{71} R_{72} R_{73}^{7} R_{75} R_{76} R_{77} R_{245}$$

[Figure 4-11. Uncondensed Model for ST 105]

where the subscripts are the kind numbers and the exponent 7 on R73 signifies that there are seven type 1 operators with kind 73. Substituting numbers from the kind records for the uncondensed model yields the value

$$R_{105} = .984$$

The kind record for this condensed type 1 operator is then

    105 1 .984 .016 $

The condensed model would then appear as indicated in Figure 4-12. Notice that this model preserves the logic involving the six input signals.

The second condensation to be illustrated is supertype 1100, which is the model for low pressure injection. The original (uncondensed) model is shown in Figure 4-13. Also in that figure are five closed curved lines that show what GO operators in that model are to be combined and replaced by five single (condensed) operators assigned the four kind numbers 1110, 1111, 1112, and 1141. Notice that operator 4-1141 is left unchanged. The operators that define 5-1111 represent serially functioning equipment. Hence, their success fractions are related as follows:

R1111 = RgR1103 R1120

A similar condition exists for operator 1-1110:

5 R R R R1110 = R1102 1103R 1104 1120 1130

Operator 1-1112 is more complex in that it involves GO operators in series and in parallel. The success fractions for this case are related as follows:

2 6 4 2 1-R R1112 = R1103 R1120 + 3R1120 1120 +R1103 (1-R1103) R1120

[Figure 4-12. Condensed Model for ST 105]

[Figure 4-13. Uncondensed Model for ST 1100. Also available on aperture card.]

The results computed from the above formulas yield the following kind data for the condensed operators:

    1110 1 .99747 .00253 $
    1111 5 2 0 .999691 1 3.09E-4 $
    1112 1 .9999878 1.22E-5 $
    1141 4 2 3 0 0 .99648 0 1 .00176 1 0 .00176 $

An alternate method of obtaining the kind data for the condensed models is illustrated in Figure 4-14 for supertype 1100. The uncondensed model is modified such that the output from any set of operators being combined into one condensed operator is always converted to success (zero signal value) before it is input to another set of operators. This conversion is accomplished with the aid of a perfect (always successful) operator (shown as a type 5, kind 1 operator) and one or more type 2 operators. For example, the output from operator 1-1120 represents the output from condensed operator 5-1111. That output signal, which had been identified as signal 3 in Figure 4-13, is renumbered 53. It is input to a newly added type 2 operator, along with signal 51, the output of a perfect operator. The output of the type 2 operator is assigned signal number 3, the number that had been the output from operator 1-1120. This change assures that signal 3 is always zero valued wherever it is used in the model. (In this case, it is input to both pump trains.) Similar changes are shown with regard to signals 101 and 102 that are output from operator 4-1141. Since the two output signals from the two uses of condensed operator 1-1110 are fed through the type 2 operator and then input to condensed operator 1-1112 by way of signal 18, that signal must be zeroed out. This can be done quite simply by inputting signal 51 (the output from the perfect operator 5-1 mentioned above) to that type 2 operator. Then, the split fractions for the four condensed operators can be determined by monitoring the following signals with all input to ST1100 (signals 126, 127, 130, 131, 198, and 199) perfect:

    Operator    Signal
    1-1110      201 or 202
    5-1111      53
    1-1112      200
    4-1141      111 and 112

[Figure 4-14. Modified Uncondensed Model for ST 1100. Also available on aperture card.]

In order to be able to specify the internal signals (like 53 and 111) in the list of final signals, the analyst must first run the model to determine what signal numbers GO assigns to those dummy signals. The model can then be run a second time with those actual signal numbers called out in the list of final signals. In other words, each model involving supertypes must be run twice to obtain the desired kind data for the condensed operators.

From the analysis approach illustrated above, the condensed model for supertype 1100 would appear as shown in Figure 4-15.

4.6.2.2 Abbreviated ESFAS Model. The ESFAS model was uniquely different from all other models included within the scope of this study, for two reasons:

1. It was by far the largest GO model for any one system analyzed in this study. As such, it was the largest single contributor to the active signals list and was therefore the largest single contributor to truncation errors. Thus, shortening the model was imperative.

2. Its logic was of such a nature as to render the partial application of the previously described condensation process virtually impossible.

Thus, it was absolutely essential that the model be reduced in size to maintain the truncation errors at an acceptably low level; the method used to condense the ESFAS model is discussed in Section 4.2.4.2.

The reduction approach that was used was performed in four steps:

1. Run the ESFAS model with perfect input and imperfect internal operators to establish the internal logic and probabilistic characteristics of the model.

2. Develop a simple GO model that will reproduce the characteristics identified by the first step.

3. Run the ESFAS model with specified combinations of failed input and with perfect internal operators, thereby determining the impact of the input on the output.

4. Modify the simple model to account for the impacts that the input have on the output.

[Figure 4-15. Condensed Model for ST 1100 (Supertype 1100, Low Pressure Injection)]

The run with perfect input and imperfect internal operators was made, and the results were transformed into the event tree format by STEVE. A copy of that event tree output is presented in Appendix C. Also shown in that event tree are the conditional branching fractions for each branch point in the tree, which can easily be estimated from the sequence occurrence fractions listed to the right of the event tree. These results give the following conditional failure fractions for each of the following ESFAS trains:

    RT      4.86 x 10^-4
    ERCW    4.86 x 10^-4
    AFW     4.86 x 10^-4
    ECCI    0.5 if ERCW fails
            2.43 x 10^-4 otherwise
    SI      .999757 if both ERCW and ECCI fail
            0 otherwise

(All departures from these values are explainable in terms of rounding or truncation errors.) The ESFAS model developed from this information is shown in Figure 4-16. The two 5-645 operators account for the shift in the ECCI failure fraction from 2.43 x 10^-4 to 0.5 whenever an ERCW failure occurs. The two type 2 operators shown after the two 5-650 operators allow SI failures to occur only if both an ERCW and an ECCI failure occur (in the same train).

The calculations needed for step 3 were performed with one GO run using a series of supplementary calculations. For that analysis, all operators internal to the uncondensed ESFAS model were made perfect, and the input signals were set to 0's and 1's in specific, preselected sets. The input signal combinations and resultant output signal values were as summarized in Table 4-4. It is clear that signal 38 impacts all A train output, while signal 39 impacts all B train output. This information was used to modify the model in Figure 4-16 to obtain the final model shown in Figure 4-17.

The ESFAS model is included as a part of the auxiliary systems model. As such, the signals that serve as input to it are identified in Appendix A, Section A.11. Its output signals are required as input to most of the safety systems, and these specific requirements are discussed in Section 4.7.1.

4.6.2.3 Comparison of Condensed and Uncondensed Models. As a check on the condensation process, the major supertypes were run separately with perfect input: once in uncondensed form and once in condensed form. The resultant failure fractions for the various output signals are shown in Table 4-5. As can be seen, the error percentages are generally of the order of 0.1% or less, which

Table 4-4
IMPACTS OF INPUT ON ESFAS OUTPUT

       Input Signals                             Output Signals
                                   RT         ERCW        AFW         ECCI         SI
100  101  102  103  104  105    215  200    201  202    204  205    206  207    213  214
 31   33   43   41   38   39    109  110    111  112    114  115    116  117    123  124

  0    0    0    0    0    0      0    0      0    0      0    0      0    0      0    0
  1    0    0    0    0    0      0    0      0    0      0    0      0    0      0    0
  0    1    0    0    0    0      0    0      0    0      0    0      0    0      0    0
  0    0    1    0    0    0      0    0      0    0      0    0      0    0      0    0
  0    0    0    1    0    0      0    0      0    0      0    0      0    0      0    0
  0    0    0    0    1    0      1    0      1    0      1    0      1    0      1    0
  0    0    0    0    0    1      0    1      0    1      0    1      0    1      0    1
  1    1    0    0    0    0      0    0      0    0      0    0      0    0      0    0
  0    0    1    1    0    0      0    0      0    0      0    0      0    0      0    0
  0    0    0    0    1    1      1    1      1    1      1    1      1    1      1    1
  1    0    1    0    1    0      1    0      1    0      1    0      1    0      1    0
  0    1    0    1    0    1      0    1      0    1      0    1      0    1      0    1
  0    1    0    1    0    0      0    0      0    0      0    0      0    0      0    0
  0    1    1    0    0    0      0    0      0    0      0    0      0    0      0    0
  1    0    0    1    0    0      0    0      0    0      0    0      0    0      0    0
  1    0    1    0    0    0      0    0      0    0      0    0      0    0      0    0
  0    1    1    1    0    0      0    0      0    0      0    0      0    0      0    0
  1    0    1    1    0    0      0    0      0    0      0    0      0    0      0    0
  1    1    0    1    0    0      0    0      0    0      0    0      0    0      0    0
  1    1    1    0    0    0      0    0      0    0      0    0      0    0      0    0
  1    1    1    1    0    0      0    0      0    0      0    0      0    0      0    0

[Figure 4-16. First Stage Development of Abbreviated ESFAS Model]

[Figure 4-17. Final Abbreviated Model of ESFAS]

Table 4-5
OUTPUT FAILURE FRACTIONS FOR CONDENSED AND UNCONDENSED MODELS

System                                          C            UC           Δ            %

ST170 125V Instrumentation and Control (I&C)    .202747-4    .202942-4    .000195-4    .096
                                                .202747-4    .202946-4    .000199-4    .098
                                                .223258-3    .223174-3    .000084-3    .038
                                                .226082-4    .226382-4    .000300-4    .133
                                                .226082-4    .226382-4    .000300-4    .133
ST175 250V I&C                                  .226081-4    .226381-4    .000300-4    .133
                                                .323080-4    .323379-4    .000299-4    .092
                                                .226081-4    .226381-4    .000300-4    .133
                                                .323080-4    .323379-4    .000299-4    .092
ST180 480V Motor Control Center                 .416000-4    .416194-4    .000194-4    .047
                                                .416000-4    .416194-4    .000194-4    .047
                                                .641991-4    .642383-4    .000392-4    .061
                                                .641991-4    .642383-4    .000392-4    .061
ST190 6.9 kV                                    .121166-4    .121165-4    .000001-4    .001
                                                .121166-4    .121165-4    .000001-4    .001
                                                .154098-4    .153847-4    .000251-4    .163
                                                .154098-4    .153847-4    .000251-4    .163
                                                .570091-4    .570034-4    .000057-4    .010
                                                .570091-4    .570034-4    .000057-4    .010
                                                .282892-4    .281973-4    .000919-4    .326
                                                .282892-4    .281973-4    .000919-4    .326
ST205 Containment and Auxiliary Boards          .226000-4    .226198-4    .000198-4    .088
ST210 Common Boards                             .659000-4    .658783-4    .000217-4    .033
ST230 Chiller/AC System                         .62576-5     .62514-5     .00062-5     .099
                                                .62576-5     .62514-5     .00062-5     .099
ST240 ERCW-Diesel Generator Cooling System      .186000-4    .185876-4    .000124-4    .067
ST250 ERCW-DC A and B                           .212570-4    .212266-4    .000304-4    .143
ST260 Diesel Generator                          .156000-3    .156000-3    0            0
                                                .156000-3    .156000-3    0            0
                                                .156000-3    .156000-3    0            0
                                                .156000-3    .156000-3    0            0
ST300 CAS                                       .8136-6      .8127-6      .0009-6      .111
ST400 ERCW-Diesel Generator Water Supply        .670441-4    .671082-4    .000641-4    .096
                                                .670441-4    .671082-4    .000641-4    .096
                                                .670441-4    .671082-4    .000641-4    .096
                                                .670441-4    .671082-4    .000641-4    .096
ST401 ERCW-CCS and Other                        .30000-5     .30000-5     0            0
                                                .30000-5     .30000-5     0            0
                                                .30000-5     .30000-5     0            0
                                                .30000-5     .30000-5     0            0
                                                .59999-5     .59999-5     0            0
                                                .60000-5     .60000-5     0            0
ST500 CCS                                       .351977-4    .351817-4    .0160-4      .045
                                                .4188-6      .4180-6      .0008-6      .191
                                                .360076-4    .359877-4    .000199-4    .055
                                                .368136-4    .367936-4    .000200-4    .054
                                                .758645-2    .758746-2    .000101-2    .013
                                                .565300-4    .565134-4    .000166-4    .029
ST600 ESFAS                                     .486000-3    .485941-3    .000059-3    .012
                                                .486000-3    .485941-3    .000059-3    .012
                                                .486000-3    .485941-3    .000059-3    .012
                                                .486000-3    .485941-3    .000059-3    .012
                                                .486000-3    .485941-3    .000059-3    .012
                                                .486000-3    .485941-3    .000059-3    .012
                                                .485882-3    .485941-3    .000059-3    .012
                                                .485882-3    .485941-3    .000118-3    .012
                                                .242882-3    .243000-3    .000118-3    .049
                                                .242082-3    .243000-3    .000118-3    .049
ST900 CSI                                       .134078-3    .136-3       .001922      -1.413
ST950 CSR                                       .595360-3    .595-3       .000360-3    .061
ST1100 LPI                                      .329512-3    .329575-3    .000063-3    .019
                                                .321714-2    .321528-2    .000186-2    .058
                                                .321714-2    .321528-2    .000186-2    .058
ST1300 RT                                       .130379-3    .131229-3    .000850      .648
ST1400 LPR                                      .184900-4    .185032-4    .000132      .071
                                                .933000-2    .932781-2    .000219-2    .023
                                                .933000-2    .932781-2    .000219-2    .023
                                                .900886      .900505-4    .000381-4    .042
ST1500 HPR                                      .185761-4    .185506-4    .000255-4    .137
                                                .267966-3    .267809-3    .000157-3    .059
ST1600 AFW (L-1)                                .100577-4    .098146-4    .002431-4    2.477
ST1700 Closed Loop RHR                          .858000-2    .858151-2    .000151-2    .018
                                                .121550-1    .121593-1    .000043-1    .035
                                                .121550-1    .121593-1    .000043-1    .035
                                                .147630-3    .147736-3    .000106-3    .072
ST1800 LPHLR                                    .437330-2    .437333-2    .000003      .001
ST1900 HPI                                      .793133-2    .792964-2    .000169-2    .021
                                                .793133-2    .792964-2    .000169-2    .021
                                                .113153-1    .113145-1    .000008-1    .007
                                                .113153-1    .113145-1    .000008-1    .007
                                                .2818-6      .2819-6      .0001        .035
                                                .140001-4    .205990-4    .065989-4    -32.035
ST1901 BF1                                      .2843-6      .2848-6      .0005-6      .176
                                                .681028-2    .681077-2    .000049-2    .007
                                                .807056-2    .806883-2    .000173      .021
                                                .807056-2    .806883-2    .000173-2    .021
                                                .114545-1    .114533-1    .000012-1    .010
                                                .114545-1    .114533-1    .000012-1    .010
ST1902 BF2                                      .679000-2    .679001-2    .000001-2    .000
                                                .166849-3    .166920-3    .000071-3    .043
                                                .166849-3    .166920-3    .000071-3    .043
                                                .173639-3    .173783-3    .000144-3    .083
                                                .173639-3    .173783-3    .000144-3    .083

Legend: C = condensed model results; UC = uncondensed model results; Δ = difference = C-UC; % = percent difference = Δ/UC.

is consistent with the fact that the failure fractions in the uncondensed models are generally given to three significant digits. The only major exception was the pair of values listed last in that table for supertype 1900 (high pressure injection); the signal involved here is the one that represents HPI functioning under medium LOCA conditions. The error for that one signal was found to be about 32%, while the errors for the other five HPI signals were all found to be less than 0.1%. These other five signals represent the two centrifugal charging pump trains (two signals), the two safety injection pump trains (two signals), and HPI functioning under small LOCA conditions (one signal). It is not clear why these five signals were correct, while the one for medium LOCA conditions was 32% in error. A check of the model and its logic failed to uncover the cause of the error. It was decided not to pursue the cause of that error any further because:

1. The methodology and benefits of condensation had already been demonstrated.
2. The one signal involving the error (HPI under medium LOCA conditions) is required only in ESD 2 (medium LOCA). In all other ESDs, that signal is zeroed out in conjunction with a perfect operator and a type 2 operator.
3. Because of the nature of the error, the nature of the cause is expected to be a rather subtle one that may require a substantial tracing effort in order to identify it. This level of effort could not be justified for this GO demonstration project.

The discussion thus far has focused on the overall accuracy attained with the condensation process (with the one exception noted above). The next point of interest is to comment on the benefits to be derived from condensation. As mentioned before, the greatest gain was realized for the ESFAS model. Table 4-6 lists some comparison statistics for the condensed and uncondensed ESFAS models. Notice that the condensed model is significantly smaller than the uncondensed model in all four of the characteristics listed. A similar comparison was made for the model of all auxiliary systems combined, and the comparison statistics are listed in Table 4-7. Notice that the condensation process reduces the auxiliary systems model to a size one-third to one-fourth that of the original model. Also, the large reduction in the maximum number of active signals reduces the truncation error by a factor of about 35. The truncation error is lower because fewer sequences have to be discarded

Table 4-6
COMPARISON STATISTICS FOR ESFAS MODEL

Characteristic                       Uncondensed Model    Condensed Model
Number of Operators                  665                  29
Number of Signals                    675                  34
Maximum Number of Active Signals     55                   13
Total Error                          2.8-9                < 5-11*

*The value listed in the computer output was 0.0000000000.

NOTE: Exponential notation is indicated in abbreviated form; i.e., 2.8-9 = 2.8 x 10^-9.

Table 4-7
COMPARISON STATISTICS FOR AUXILIARY SYSTEMS MODEL

Characteristic                       Uncondensed Model    Condensed Model
Number of Operators                  1,494                414
Number of Signals                    1,509                424
Maximum Number of Active Signals     63                   45
Total Error                          1.76-5               4.98-7
Number of Sequences in GO Output     140                  538

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.76-5 = 1.76 x 10^-5.

because of data storage limits. This is confirmed by the fact that nearly four times as many sequences are output by the condensed model as the uncondensed model. The error reduction shown in Table 4-7 is very important. If the analyses had been performed using the uncondensed models, the error would have been of the same order of magnitude as the occurrence fractions for the dominant degraded plant sequences of interest. The condensation process yielded errors at an acceptably low level with regard to sequence occurrence fractions of interest.

4.7 QUANTIFICATION

4.7.1 Model Integration

The GO input file for each integrated safety model consists of the following five parts:
1. Supertype Definition Records
2. Auxiliary Model
3. GO Safety Model
4. Kind Records
5. PMIN Record

Each part is briefly described below.

The supertype definition records are the operator records that define all the supertypes needed for the GO safety models. While some of the supertypes defined therein are needed in all the GO auxiliary and safety models, some are needed in one or only a few of the models. However, every supertype that is needed in at least one of the models is included in this part of the input file. The supertype definitions cover both the auxiliary and safety systems models and are based on the condensed models developed by the processes described in Section 4.6.2.

The auxiliary model gives the operator records that show the logic depicting the way in which the auxiliary systems supertypes are interconnected. This logic includes any other GO operators needed to represent equipment or plant operator functions that are performed in conjunction with, or in support of, the auxiliary systems but are not included in the definition records of any of the auxiliary systems supertypes. The structure of this model is presented and discussed in Appendix A, Section A.11. As mentioned in Section 4.2.5, the original auxiliary systems model produced some output signals that were not input to any other auxiliary systems or to any of the safety systems used in the GO safety models. Those signals had to be "zeroed out" by the technique described therein to prevent their being included in the truth table output produced by GO3, and the auxiliary systems model was modified internally to accomplish this result. In addition to those signals, there were a few more that were not required as input in a couple of the GO safety models. The logic for zeroing them out was included at the interface between the auxiliary systems and GO safety models.

The GO safety models are the models discussed in Section 4.4.3. Although the models discussed and diagrammed therein show only the interconnections among safety systems, the present models are expanded to include all dependencies on the auxiliary systems. Tables showing these dependencies are presented in Appendix D.

The kind records provide the success-failure split fractions and maintenance data required for all GO operators needed in the GO safety models. While some of these data are required for all of the GO safety models, some are needed in only one or in only a few of the models. Furthermore, these data apply to the GO operators defined during the model condensation process described in Section 4.6.2.

The PMIN record was set at 1 x 10^-12. This represents the user-defined truncation level used during the GO3 execution. As GO3 steps through the logic specified in the operator records defined by the first three parts of the GO input file, it automatically discards any sequence (whether fully developed or only partially developed) having a likelihood below this value of PMIN. If the allocated storage space is completely filled at some intermediate stage of a run, GO3 will temporarily increase PMIN to a level that will free enough storage space to permit program execution to continue. Then, it automatically returns PMIN to the user-specified value.

A partial listing of the input file for ESD 7 is shown in Table 4-8. This listing includes the job control cards at the beginning of the file. The complete listing of the input file for the integrated model is given in Appendix E.

4.7.2 GO Analyses

Once the GO input files have been prepared as described above, the process of "running" them is quite simple and straightforward. These files are individually input via a command such as the following:

    BATCH,lfn,INPUT,HERE

where lfn is the name of the local file being input to the computer. The HERE specification is important since the output from the computer run must be retrievable for editing. Once the run has been completed, the following commands are executed in conjunction with the output file (ofn):

    BATCH,ofn,LOCAL
    SCAN,ofn
    G/ SIGNALS AND/2AL
    Q

The first command transfers the output file from remote output to local file space. The second one permits the user to scan the contents of the file. The third command allows the user to confirm that the run was successful. If the SCAN monitor indicates that the phrase "SIGNALS AND" is not present in the output file, there is an error in the input file that must be identified (with the help of the error messages in the output file) and corrected; then, the input must be rerun. If the phrase "SIGNALS AND" is present in the output (indicating that GO ran successfully), the SCAN monitor will list the final signals that were actually monitored and listed as the column heading in the output truth table. This gives the user positive verification that GO monitored all the signals that were supposed to be monitored and that no unused signals accidentally slipped into the list of final signals. The last command gets the user out of the scan monitor.

If the GO run was successful and if the final signals were, in fact, the ones desired by the user, the following set of commands would be made:

    COPYBF,ofn,lfn
    BATCH,ofn,PRINT,uid,banr
    SCRIBE,lfn

Table 4-8

INPUT FILE FOR ESD 7 GO MODEL*

ESD07,P4,110,T1000.
ACCOUNT,******.
CHARGE,******.
ATT ACH.G3F: Ll e,ID =E PR IO TR AK .

 - A TT ACH,G3RJ N, ID=E PR I.

L I B R A R Y , G O). UN . E X , G01. EX,G02.

 'E X , G0 3.
  • EOR G01 -- GD S AF ET Y M30EL FOR E50 7
     $PARAM I N: !N =1,5 IGNALS =0 5 105 -1 101 102 103 104 105 10 6 201 1 US ED IN ST300 2 0 2'102 103 Id 1 1 105 16 5 5 10 0 5 5 111 104 10 5 10 6 ~ 201 5
  • EOR
 - 110 -1 101 132 103 104 10 5 106 201 5 US ED IN ST300 202102103 12 5 CO2 -- KIN) DATA 1510 1 5 251 115 CS SIGNAL 25 15 103001 5 63 1 .997931 1.9E-5 5 XFMR 65 5 2 0 .797540 1 4.54E-4 5 BATT I 66 520 797596 1 4.54E-4 S BATT II 67 5'2 0 .797546 1 4.546-4 5 BATT III 6a 5 2 0 .799546 1 4.54E-4 S BATT IV 105 1 .984 .016 i 110 1 .9849 .0152 5 G03 -- RJN ESD MODEL SP AR AM P MI N= 1E-12 1
*Excerpts of GO1, GO2, and GO3 input shown here. See Appendix E for complete input file for ESD 7.

    G/ SIGNALS AND/4A-LL
    -/KBL
    G/0----/0A-LL
    -/KI
    -2
    %A
    -2LL
    Q

The first command provides a duplicate of the output file (ofn), where the user is free to specify the name of that duplicate file (lfn). The second command batches the output file (ofn) to the printer under the three-digit user identification code (uid) with the four-digit banner (banr). Copies of the truth tables output for ESDs 1 and 7 are shown in Tables 4-9 and 4-10. The next command allows the user to edit the duplicate file. The next four commands delete all but the truth table output from the file, and the last one of those four commands allows the user to insert the "-2" at the end of the file (which is the next command listed above). The last three commands get the user out of the editor. (The "-LL," "BL," and "-2LL" portions of the commands listed above are optional. They can be used to confirm correct positioning of the cursor and to verify that all operations have been performed successfully.) The edited duplicate file (lfn) is then ready to be inserted into the input file for STEVE. (The "-2" that was inserted at the end of that file is an end-of-data marker for STEVE.)

4.7.3 STEVE Analyses

STEVE is a GO postprocessing code that converts the truth table style of output from GO into an event tree format. The STEVE input file consists of two basic parts (following the job control cards), as follows:

1. The control and heading data.
2. The truth table output of G0.

The first part of the input file consists of four cards (or lines). The first is the title that the user wants printed at the top of every page of STEVE output. The second card specifies the number of event tree top events, which must be the same as the number of final signals listed in the G0 output. The third card specifies the desired format for the event tree, as follows:

1. Yields "standard" format.
2. Yields "swept-wind" format.

Table 4-9

GO3 OUTPUT FOR ESD 1

FINAL EVENT TABLE (INFINITY = 1)

                SIGNALS AND THEIR VALUES
                --------------------------------------
PROBABILITY     301  302  303  304  305  306  307  308
-----------     --------------------------------------
.0000002739      0    0    0    0    1    0    1    0
.0000007499      1    1    1    1    1    1    1    1
.0000515913      0    0    0    0    1    0    0    0
.0003382689      0    0    0    0    1    1    1    1
.0006776589      0    0    1    1    1    1    1    1
.0042399959      0    1    1    1    1    1    1    1
.0044015947      0    0    0    0    0    0    1    0
.0049754071      0    0    0    1    1    1    1    1
.9853142912      0    0    0    0    0    0    0    0
-----------     --------------------------------------

TOTAL PROBABILITY = .9999998319
TOTAL ERROR = .0000001681

Table 4-10

GO3 TRUTH TABLE FOR ESD 7

FINAL EVENT TABLE (INFINITY = 1)

                SIGNALS AND THEIR VALUES
                -----------------------
PROBABILITY     301  302  303  304  305
-----------     -----------------------
.0000000200      0    1    0    0    1
.0000000562      0    1    0    1    1
.0000111691      0    1    0    0    0
.0000441673      0    1    1    1    1
.0001417225      1    1    1    1    1
.9998026840      0    0    0    0    0
-----------     -----------------------

TOTAL PROBABILITY = .9999998191
TOTAL ERROR = .0000001809

The fourth card lists the event tree top events. They are entered in a 20A4 format (in FORTRAN), which allows four characters (including spaces) for each of at most 20 top events. This first part of the input can easily be created. However, for this analysis, the input had already been created and saved as a part of the checkout of the GO models, as discussed in Section 4.2.3. Thus, it was simply a matter of recalling those files and deleting the old (fictitious) truth table data, thereby leaving only the job control cards followed by the STEVE control cards and the proper headings for the event tree top events. The second part of the input could then be read directly on to the end of the new file, using the local file that had been edited from the GO output (as discussed in the previous section). This would complete the file, and it would be ready for input. The commands for accomplishing these steps are listed below:

    SCRIBE,lfns
    G/ ./0A-LL
    /K
    0/rfn/
    ER
    -LL
    Q
    BATCH,lfns,INPUT,uid

The first command permits the user to edit the old STEVE input file, to which the local file name lfns has been assigned. The second command locates the cursor at the beginning of the fictitious GO output data, with the "-LL" listing the previous and current lines to confirm this. The next command discards that fictitious data. The next two commands read in the GO truth table from the local file rfn, which had been developed from the GO output as discussed previously. The "-LL" confirms that the file ends with the "-2" required by STEVE to signal the end of the input data. The "Q" gets the user out of the edit mode. The last command is to input the updated STEVE input file, routing the output directly to the printer under the three-digit user identification code "uid". One complete input file is shown in Table 4-11 for ESD 7. This listing includes the job control cards at the beginning of the file. Copies of the event trees output for ESDs 1 and 7 are shown in Figures 4-18 and 4-19.

Table 4-11

INPUT FILE FOR ESD 7 "STEVE" ANALYSIS

L5307,P6.Il0,1100.
ACCOUNT,******.
CHARGE,******.
A T T ACet, X, P. G e lD= S TE VE d. x.
*EOR
EVENT TREE FOR ESD 7
2
RT  AFW B&F S&DRHPR
.0000000200     0    1    0    0    1
.0000000562     0    1    0    1    1
.0000111691     0    1    0    0    0
.0000441673     0    1    1    1    1
.0001417225     1    1    1    1    1
.9998026840     0    0    0    0    0
-2

[Figure 4-18. STEVE Output for ESD 1: event tree for ESD 1 with the probability of each sequence]

[Figure 4-19. Event Tree for ESD 7: top events RT, AFW, B&F, S&DR, and HPR, with the probability of each of the six sequences]

As mentioned in the discussion about constructing ESD 7 in Section 4.4.1, the required RWST function was not specifically called out in that diagram (Figure 4-8) because including it would have had no significant effect on the computed results. That is, that function was assumed to be always successful. If it had been modeled to include its very small potential for failure, it would have appeared in the output event tree as a top event between Top Events AFW and B&F, in a diagram similar to Figure 4-20. When events RT and AFW are both successful, RWST is bypassed, leaving sequence 1 exactly the same as shown in Figure 4-19, with exactly the same sequence probability. If event RT succeeds and AFW fails, a new branching point would exist for the RWST function. The success branch would lead to the same sequences as sequences 2 through 5 in Figure 4-19. Since a failure fraction of 7.5 x 10^-7 was assigned to the RWST function (in the kind data for GO operator 5-1010), the probabilities for those four sequences would decrease by a very small amount. (As it turns out, that decrease is so small that its effect cannot be seen in the 10 decimal digits displayed in the diagram.) The failure branch would produce a new sequence between sequences 5 and 6; this is identified in Figure 4-20 as sequence 5.5. Since its occurrence probability would have been approximately 4.2 x 10^-11, the GO (and, hence, STEVE) output would have listed a value of zero out to 10 decimal digits, as shown in Figure 4-20. If event RT fails, the RWST function is bypassed, leaving sequence 6 exactly the same as shown in Figure 4-19, with exactly the same sequence probability. As can be seen by comparing Figures 4-19 and 4-20, no significant numerical errors were incurred by assuming that the RWST is always successful (that is, by leaving it out of the diagram), and no significant insights would have been gained by including it. Thus, as is done for many tank-related functions, the RWST function was assumed to be perfect.

As mentioned in Section 4.1, operator actions per se are not generally modeled. One case in point involves the bleed and feed function, where the operator actions needed to perform that function were not specifically included within the GO supertype model of that function. It can easily be seen from Figure 4-19 that operator actions can have only a minor impact on the occurrence of sequence 5, which is the only degraded plant sequence involving failure of this operator-impacted bleed and feed function. The figure reveals two sequences of interest in this regard:

Top events: RT, AFW, RWST, B&F, S&DR, HPR

Sequence    Probability
1           .9998026840
2           .0000111691
3           .0000000200
4           .0000000562
5           .0000441673
5.5         .0000000000
6           .0001417225

Figure 4-20. Hand-Corrected Event Tree for ESD 7

Sequence    AFW    Bleed and Feed    Probability
2           F      S                 1.1 x 10^-5
5           F      F                 4.4 x 10^-5

Sequence 2 shows AFW failed and bleed and feed successful, while sequence 5 shows both failed. As shown in Section 4.8, both functions fail primarily because of failed common input to both functions from the auxiliary systems. Thus, the failure of both AFW and bleed and feed occurs because of an external dependency that is essentially unaffected by the consideration of operator actions. What must be considered is a situation in which AFW fails and bleed and feed succeeds (which is the case with sequence 2), with the potential for bleed and feed failure due to operator actions then overlaid on it. Without going through a detailed human factors assessment, the potential for operator error causing bleed and feed failure might reasonably be estimated at 10^-2 or lower. The probability of progressing to sequence 5 on such a basis would be the product of this value and the 1.1 x 10^-5 result for sequence 2, yielding a value of 1.1 x 10^-7. This is more than a factor of 300 below the value shown for sequence 5, indicating that the impact of operator actions on the occurrence of sequence 5 is negligible.

4.7.4 Development of Annual Frequencies

For the purposes of this GO demonstration, only two of the ESDs were fully quantified, and the initiator frequencies for those two ESDs were taken directly from the Seabrook Station Probabilistic Safety Assessment (Reference 4-4) without any attempt to modify the data for application to Sequoyah. Those two frequencies are as follows:

ESD 1: Large LOCA                   2.03 x 10^-4 year^-1
ESD 7: Total Loss of Steam Flow     2.44 x 10^-3 year^-1

These frequency values were input to the code STVQUANT, along with the event sequence data output by STEVE and the plant end state information from the ESDs. The output from STVQUANT, which is given in Tables 4-12 and 4-13, shows the annual frequency for each sequence classified by plant end state and the total frequency for each end state.

Table 4-12

ESD 1 SEQUENCE FREQUENCIES

ESD  Seq  Sequence               Annual Frequency
No.  No.  Likelihd(a) Initiator  Cont. Run  Cld Shtdn  Ht Stndby  Degraded   ATWS       Success    SLOCA      Tot Error
1    1    9.853E-01   2.030E-04             2.000E-04
1    2    4.402E-03   2.030E-04             8.935E-07
1    3    5.159E-05   2.030E-04             1.047E-08
1    4    2.739E-07   2.030E-04             5.560E-11
1    5    3.383E-04   2.030E-04                                   6.867E-08
1    6    4.975E-03   2.030E-04                                   1.010E-06
1    7    6.777E-04   2.030E-04                                   1.376E-07
1    8    4.240E-03   2.030E-04                                   8.607E-07
1    9    7.499E-07   2.030E-04                                   1.522E-10
1         1.681E-07   2.030E-04                                                                               3.412E-11
Totals by Plant State            0.000E+00  2.009E-04  0.000E+00  2.077E-06  0.000E+00  0.000E+00  0.000E+00  3.412E-11

(a) Sequence likelihood = conditional probability of sequence given occurrence of initiating event.

Table 4-13

ESD 7 SEQUENCE FREQUENCIES

ESD  Seq  Sequence               Annual Frequency
No.  No.  Likelihd(a) Initiator  Cont. Run  Cld Shtdn  Ht Stndby  Degraded   ATWS       Success    SLOCA      Tot Error
7    1    9.998E-01   2.440E-03                        2.440E-03
7    2    1.117E-05   2.440E-03             2.725E-08
7    3    2.000E-08   2.440E-03                                   4.880E-11
7    4    5.620E-08   2.440E-03                                   1.371E-10
7    5    4.417E-05   2.440E-03                                   1.078E-07
7    6    1.417E-04   2.440E-03                                              3.458E-07
7         1.809E-07   2.440E-03                                                                               4.414E-10
Totals by Plant State            0.000E+00  2.725E-08  2.440E-03  1.080E-07  3.458E-07  0.000E+00  0.000E+00  4.414E-10

(a) Sequence likelihood = conditional probability of sequence given occurrence of initiating event.
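The arithmetic behind Table 4-13 can be reproduced from the ESD 7 truth table. The Python sketch below is an added example, not code from the report or from STEVE or STVQUANT. It assumes that sorting the truth table rows by signal value (0 before 1, left to right) gives the sequence numbering of Figure 4-19, and that the end state of each sequence is the one implied by the totals row of Table 4-13; all function names are hypothetical.

```python
"""STEVE/STVQUANT-style post-processing of the ESD 7 truth table (added sketch)."""

# Rows of the STEVE input in Table 4-11: probability, then the GO3 signal
# values for top events RT, AFW, B&F, S&DR, HPR. "-2" is the end-of-data marker.
STEVE_INPUT = """\
.0000000200 0 1 0 0 1
.0000000562 0 1 0 1 1
.0000111691 0 1 0 0 0
.0000441673 0 1 1 1 1
.0001417225 1 1 1 1 1
.9998026840 0 0 0 0 0
-2
"""
TOP_EVENTS = ("RT", "AFW", "B&F", "S&DR", "HPR")
INITIATOR_FREQ = 2.44e-3  # ESD 7, total loss of steam flow, per year (Section 4.7.4)

# ASSUMPTION: end state per sequence, inferred from the totals row of Table 4-13.
END_STATE = {1: "Ht Stndby", 2: "Cld Shtdn", 3: "Degraded",
             4: "Degraded", 5: "Degraded", 6: "ATWS"}


def parse_truth_table(text, n_events):
    """Return [(probability, signal_tuple)] and insist on the -2 marker."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "-2":
            break
        if len(fields) != n_events + 1:
            raise ValueError(f"expected {n_events} signal values: {line!r}")
        rows.append((float(fields[0]), tuple(int(v) for v in fields[1:])))
    else:
        raise ValueError("missing -2 end-of-data marker")
    return rows


def event_tree_order(rows):
    """Number the sequences 1..n, success branch (0) ahead of failure (1)."""
    ordered = sorted(rows, key=lambda row: row[1])
    return {number: row for number, row in enumerate(ordered, start=1)}


def annual_frequencies(rows, initiator, end_state):
    """Sequence frequency = likelihood x initiator, totalled by end state."""
    sequences = event_tree_order(rows)
    per_sequence = {n: p * initiator for n, (p, _) in sequences.items()}
    totals = {}
    for number, freq in per_sequence.items():
        state = end_state[number]
        totals[state] = totals.get(state, 0.0) + freq
    # Probability lost to PMIN truncation is carried as its own column.
    total_error = 1.0 - sum(p for p, _ in rows)
    totals["Tot Error"] = total_error * initiator
    return per_sequence, totals


def operator_error_margin(rows, human_error_prob=1e-2):
    """Ratio of sequence 5 to (sequence 2 x operator error), as in Section 4.7.3."""
    sequences = event_tree_order(rows)
    return sequences[5][0] / (sequences[2][0] * human_error_prob)


if __name__ == "__main__":
    table = parse_truth_table(STEVE_INPUT, len(TOP_EVENTS))
    per_seq, by_state = annual_frequencies(table, INITIATOR_FREQ, END_STATE)
    for number, freq in per_seq.items():
        print(f"sequence {number}: {freq:.3E} per year ({END_STATE[number]})")
    for state, freq in by_state.items():
        print(f"{state:10s} {freq:.3E}")
    print(f"sequence 5 share of degraded state: {per_seq[5] / by_state['Degraded']:.1%}")
    print(f"margin over operator error: {operator_error_margin(table):.0f}x")
```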

4.8 SEQUENCE UNRAVELING

As mentioned in Section 4.2.7, three different approaches to sequence unraveling were attempted in this study:

1. FAULT FINDER
2. Hard-Wired Sequence Approach
3. Two-Stage Integrated Model

As discussed in Section 4.2.7.1, FAULT FINDER was tried part way through this project and found to have some deficiencies that required that some other approach be developed and used.

The first approach that was developed and tried made use of the existing model (for ESD 7) with a minimum of change. However, it was found to be rather cumbersome to apply with the computer programs currently available, and considerable manual analysis was required. The limited results obtained with this approach are discussed in Section 4.8.2.

Of the three approaches tried in this study, the two-stage integrated modeling approach was found to be the most effective means for unraveling the dominant sequences down to their dominant system and component contributors, based on the currently available computer programs. This approach is an extension of one that had successfully been applied to a previous probabilistic analysis (Reference 4-2). It led to essentially a 100% identification of the contributors to the dominant sequence (sequence 5) in the degraded plant state in ESD 7. As would be expected, the list of contributors included those found by the hard-wired sequence approach. The two-stage integrated modeling approach is discussed in detail in Section 4.8.1.

4.8.1 Two-Stage Integrated Model

This unraveling approach requires three steps: (1) modularization of the model, (2) quantification of the modularized model, and (3) identification of dominant sequences and contributors. The following sections develop the procedure for accomplishing these steps.

4.8.1.1 Modularization of the Model. The modularized model consists of two parts: (1) the integrated auxiliary systems model, and (2) the integrated frontline systems/event sequence model. The procedure for modularizing the model requires that the auxiliary systems dependencies of the frontline systems be established first. Once these dependencies are established, a dependency matrix (Table 4-14) is developed that defines the impacts that individual auxiliary systems failures have on the ESD frontline systems. Because of experience gained from constructing, running, and analyzing the auxiliary systems model, it was concluded that the impacts on the frontline systems could be adequately specified in terms of only 18 "generic" auxiliary systems output signals. Because of this simplification, the auxiliary model must be modified to match the requirements of the dependency matrix. The auxiliary model is quantified, and its output truth table is input to GOST, along with the dependency matrix shown in Table 4-14.

GOST develops the frontline input vector for each auxiliary state listed in the truth table and then groups all auxiliary model states according to like frontline impacts. The ESD frontline systems model is modified by inserting a set of type 5 operators to generate input signals that represent the auxiliary systems impacts on the frontline systems. These input signals (listed at the top of Figure 4-21) can be preset by the analyst in the specific combination of successes and failures (with a probability of 1) needed to represent any one impact vector produced by GOST.

As can be seen in Table 4-14, the AFW impacts occur in groups. For example, under the SGM category, steam generators 1 and 2 are always both impacted or both not impacted. This condition exists because of the plant design and operating logic. Thus, only one impact signal is required in the above example to represent that impact in the frontline systems model, not two signals. Overall, the individual AFW impacts can be taken into account with four signals rather than eight. This type of translation from impact vectors to the type 5 signal generators of ESD7 is shown in Table 4-15.

The following is an example of how this entire unraveling process works. First, the auxiliary system states are grouped into impact vectors according to the dependency matrix. Next, the impact vectors are translated into a series of frontline system inputs (type 5 operators) that represent the auxiliary system impacts. Finally, the ESD model is run once, using the supplemental run capabilities of GO3 to account for all the different impact vectors. For example, several auxiliary states are grouped together to form an impact defined as auxiliary feedwater SGM1 and SGM2 failed, CVCS/SI train A failed, and CVCS/CL

Table 4-14

MATRIX OF DEPENDENCIES BETWEEN AUXILIARY SYSTEMS AND FRONTLINE SYSTEMS

Columns (frontline systems): Reactor Trip (A, B); Auxiliary Feedwater System: SGM(a) (1, 2, 3, 4), SGT(b) (1, 2, 3, 4); Bleed and Feed: CVCS(c)/SI(d) (A, B), CVCS/CL(e) (A, B), PORV

Auxiliary Systems Output
AC Electric Power A                        X X X X
AC Electric Power B                        X X X X
DC Electric Power Board 1                  X X
DC Electric Power Board 2                  X X
DC Electric Power Board 3                  X X X X
DC Electric Power Board 4                  X X
120V AC Vital Instrument Power Board I     X X X
Instrument Power Board II                  X X X
Essential Raw Cooling Water A              X
Essential Raw Cooling Water B              X
Component Cooling System A                 X
Component Cooling System B                 X
ESFAS Reactor Trip A                       X
ESFAS Reactor Trip B                       X
ESFAS AFWS Actuation A                     X X
ESFAS AFWS Actuation B                     X X
ESFAS AFWS Actuation A and B               X X X X X X X X
Compressed Air                             X X X X

(a) SGM represents motor-driven pump supplies to the steam generators.
(b) SGT represents redundant turbine-driven pump supplies to the steam generators.
(c) CVCS is chemical and volume control system.
(d) SI is safety injection.
(e) CL is cold leg path.

[Figure 4-21. ESD 7 Frontline Systems Model]

Table 4-15

MATRIX OF TRANSLATION FROM FRONTLINE SYSTEM IMPACTS TO FRONTLINE SYSTEM MODEL INPUT SIGNALS

Columns (frontline systems model input): Reactor Trip A (131)(a), B (132); Auxiliary Feedwater System: Motor-Driven Pumps A (161), B (162), Turbine-Driven Pump (164); Bleed and Feed: A (191), B (192), A (195), B (196), PORV (199)

Frontline System Impacts
Reactor Trip A                     X
Reactor Trip B                     X
Auxiliary Feedwater SGM 1(b)       X
Auxiliary Feedwater SGM 2          X
Auxiliary Feedwater SGM 3          X
Auxiliary Feedwater SGM 4          X
Auxiliary Feedwater SGT 1(c)       X X
Auxiliary Feedwater SGT 2          X X
Auxiliary Feedwater SGT 3          X
Auxiliary Feedwater SGT 4          X
CVCS/SI A                          X
CVCS/SI B                          X
CVCS/CL A                          X
CVCS/CL B                          X
PORV                               X

(a) The numbers in parentheses are signal numbers.
(b) SGM represents steam generators supplied by motor-driven pumps.
(c) SGT represents steam generators supplied by turbine-driven pump.

train A failed. Using the translation matrix, this impact vector can be represented by failing three type 5 operators that control the frontline system input to (1) auxiliary feedwater motor-driven pump A (signal 161), (2) CVCS/SI train A (signal 191), and (3) CVCS/CL train A (signal 195). The ESD frontline systems model is quantified with these three type 5 operators failed and the other eight type 5 operators (signals 131, 132, 162, 167, 192, 196, and 199) successful.

4.8.1.1.1 Frontline systems model and dependency matrix. ESD7 was chosen to demonstrate the unraveling process. Since sequence 5 contributes about 99.8% of the total frequency of the degraded plant state (see Table 4-13), it is the dominant contributor to that state and the one to focus on to demonstrate the unraveling process. Hence, the dependency matrix was developed specifically to unravel that sequence. The dependency matrix could be developed to unravel all sequences of interest up to the limitations of the computer programs, which are (1) auxiliary systems output (limited to 24 individual signals by the GO program), and (2) the frontline systems impacts (limited to 20 individual frontline system impacts by the GOST impact vector code).

Unraveling dominant sequence 5 of ESD7 requires consideration of impacts on only three of the five frontline systems modeled in ESD7: (1) the reactor trip system model, (2) the auxiliary feedwater system model, and (3) the bleed and feed model of the emergency core cooling system. (The reason for this is that the other two systems functions--sump and upper level/lower level drains, and HPR--are bypassed in sequence 5.) These system models are represented by the following supertypes shown in the GO model for ESD7 (Figure 4-21):

Super Type Numbers    System Model
1300                  Reactor Trip
1600                  Auxiliary Feedwater
1901, 1905            Bleed and Feed

In order to define a dependency matrix, the dependencies among these three frontline system models and the auxiliary systems output must be established. The auxiliary systems dependencies are established using the condensed frontline system models of Figures 4-22, 4-23, 4-24, and 4-25.

[Figure 4-22. Reactor trip system condensed model]

Figure 4-23. Auxiliary Feedwater System Condensed Model (Supertype 1600)

Figure 4-24. Bleed and Feed Condensed Model (Supertype 1901)

Supertype input (impact input): 191, 192, 191, 192, 191, 192, 195, 196
Auxiliary support function: AC electric power train A, AC electric power train B, CCS train A, CCS train B, ERCW train A, ERCW train B, AC electric power train A, AC electric power train B
Signal used within supertype: 111, 112, 198, 199, 150, 151, 126, 127

Figure 4-25. Bleed and Feed Condensed Model (Supertype 1905)

The reactor trip system model (Figure 4-22) has two auxiliary systems dependencies: (1) ESFAS reactor trip train A, and (2) ESFAS reactor trip train B. These two signals are the only impacts on the reactor trip system.

The auxiliary feedwater system model (Figure 4-23) has 13 auxiliary systems dependencies. These dependencies (listed at the top of Figure 4-23) impact the availability of auxiliary feedwater to the steam generators. There are eight auxiliary feedwater supply paths to four steam generators (two for each steam generator). The system configuration is such that the auxiliary systems dependencies impact these eight auxiliary feedwater supply paths. The system success criteria call for one pump or more to supply feedwater to at least two steam generators.

The bleed and feed model consists of a feed portion (Figure 4-24) and a bleed portion (Figure 4-25). The feed portion consists of four pump trains (two for CVCS and two for SI) and two cold leg injection paths for the CVCS pumps. The CVCS pumps are represented by supertype 1960 and shown in Figure 4-26. The SI pumps are represented by supertype 1970 and shown in Figure 4-27. The CVCS injection paths are represented by supertype 1940 and shown in Figure 4-28. The SI pumps' injection paths are not dependent on auxiliary systems. The bleed portion of the model consists of two valves, and both must operate for success. Both valves are dependent on compressed air and each valve depends on one train of 120V AC vital instrument power.

There are 15 separate main line systems functions (2 from reactor trip, 8 from auxiliary feedwater, and 5 from bleed and feed) that can be impacted by the auxiliary systems output. The 26 auxiliary model output signals have been grouped to form 18 separate auxiliary systems outputs, and these outputs, along with the 15 main line systems functions, form the dependency matrix of Table 4-14.

As noted previously, HPR is bypassed in sequence 5. With the unraveling focused on this dominant sequence 5, there is no need to be concerned with the auxiliary systems impacts on HPR. Hence, all of the auxiliary input signals to that system (represented by supertype 1500) were forced to be always successful by using the user-defined perfect operator 5-1. If HPR had been a contributor to the sequence being unraveled, its auxiliary dependencies would have to be identified and included in Tables 4-14 and 4-15.

Figure 4-26. CVCS Pumps (Supertype 1960)

Supertype input: 111, 112, 198, 199, 150, 151, 173, 175
Function: AC electric power train A, AC electric power train B, CCS train A, CCS train B, ERCW train A, ERCW train B, pump maintenance pump A, pump maintenance pump B
Signal used within supertype: 111, 112, 198, 199, 150, 151, 161, 162

Figure 4-27. SI Pumps (Supertype 1970)

Supertype input: 111, 112
Function: AC electric power train A, AC electric power train B
Signal used within supertype: 111, 112

Figure 4-28. CVCS Injection Paths (Supertype 1940)

Supertype input: 111, 112, 198, 199, 150, 151, 196, 197
Function: AC electric power train A, AC electric power train B, CCS train A, CCS train B, ERCW train A, ERCW train B, pump maintenance pump A, pump maintenance pump B
Signal used within supertype: 111, 112, 198, 199, 150, 151, 196, 197

4.8.1.1.2 Auxiliary model. The auxiliary systems model remains essentially unchanged from that presented in Appendix A, Section A.11. However, its output had to be modified to include only those outputs required by the frontline systems. None of the other auxiliary systems model output was monitored for this quantification. The auxiliary systems model outputs required are listed in Table 4-16.

The AC electric power train A (98) and train B (99) output signals represent an entire train of AC electric power from the 6.9 kV shutdown board to the last 480V board. Signals 98 and 99 actually account for the frequency of failure of the last 480V AC board to which the 6.9 kV boards distribute power. This last 480V AC board has the highest failure frequency; therefore, the use of this frequency to represent all other boards is a mildly conservative assumption because the failure frequency of the AC electric power trains is dominated by the sources of power to the 6.8 kV boards and not by the distribution of power from the 6.9 kV boards to the 480V boards.

The ESFAS auxiliary feedwater actuation train A (114) and train B (115) signals are combined by an "OR" gate (type 2 operator) to produce signal 200. This signal is for the activation of the turbine-driven pump, which receives both A and B train activation signals. All other auxiliary systems output signals are combined with a perfect operator to negate unwanted signal contributions and, combined with signal 70, produce signal 201, which represents compressed air.

4.8.1.2 Quantification Process. The quantification process involves first an auxiliary model GO run to generate frequencies for auxiliary systems states. Next, these are grouped into impact vectors according to similarities in impact on frontline systems, as defined by the dependency matrix, using the computer code GOST. The third step is a series of GO computer runs to determine the frequencies of plant damage states resulting from the interaction of auxiliary system impact vectors and frontline systems. (This is accomplished with a single physical computer run, using the supplementary run capabilities within GO3.) These frequencies can later be examined to determine dominant contributors toward the system failure frequency. The following sections discuss the three stages of the quantification process.

Table 4-16
AUXILIARY MODEL OUTPUT SIGNAL DESCRIPTIONS

Signal   Description
98       AC Electric Power Train A
99       AC Electric Power Train B
38       125V DC Vital Battery Board 1
39       125V DC Vital Battery Board 2
49       125V DC Vital Battery Board 3
48       125V DC Vital Battery Board 4
31       120V AC Vital Instrument Power Board 1-1
33       120V AC Vital Instrument Power Board 1-11
50       ERCW Other Users Supply 1A
51       ERCW Other Users Supply 1B
71       Component Cooling Safety 1A
75       Component Cooling Safety 1B
109      ESFAS Reactor Trip Train A
110      ESFAS Reactor Trip Train B
114      ESFAS Auxiliary Feedwater System Activation Train A
115      ESFAS Auxiliary Feedwater System Activation Train B
200      ESFAS Auxiliary Feedwater System Activation Train A and B
201      Compressed Air

4.8.1.2.1 Auxiliary run. The first stage of quantification involves processing the GO model of the auxiliary system. Part of the output from this run is the GO truth table, a portion of which is shown in Table 4-17. This table gives frequencies in ascending value of all combinations of success or failure states of the final signals for the various auxiliary systems being monitored (0 represents success and 1 represents failure). The leftmost column shows the system state frequency and the 18 columns of 0's and 1's display the values for the signals being monitored. The signal numbers that are described in Table 4-16 have been inserted at the top of the column for reference.

As discussed earlier, all electric power system signals for train A have been combined into signal 98, and the electric power train B signals are included in signal 99.

Taking as an example the first line in the truth table, it can be deduced that the combination of signals 51, 71, and 115, or ERCW display 1B, component cooling safety 1A, and ESFAS start motor-driven auxiliary feedwater pump train 1B, fails with a frequency of 2.88 x 10^-8.

4.8.1.2.2 GOST run. GOST is the program that uses the dependencies given in Table 4-14 to transform each auxiliary systems state (that is, each line in the truth table shown in Table 4-17) into a frontline systems impact vector. Then, it categorizes the numerous combinations of system states according to similarity of impact on the frontline systems.

For GOST input, the dependency matrix is translated into a table of 0's and 1's; the rows represent auxiliary systems and the columns represent frontline systems. Each entry of a 1 in the table defines the dependence of a frontline system on an auxiliary system. Table 4-18 shows the first portion of GOST input including titles, dimensions, 18 auxiliary system titles, 15 frontline system titles, the dependency matrix section, and the first part of the GO truth table input. The output from GOST gives groupings of truth table sequences according to their similar impact on the main line systems, along with the frequency associated with each sequence. The frequencies of each group of sequences are added together, and these become the impact vector frequencies. They

Table 4-17
GO AUXILIARY MODEL TRUTH TABLE

Frequency      Signal Numbers

 .0000000 08   010100000111 110100
 .0000000178   000000000010C00100
 .0000000178   000000000010001000
 .0000000178   000000000010010000
 .0000000178   000000000010100000
 .0000000181 .000000010000000001
 .0000000201 1 10000001 111000101
 .0000000201 110000001 111001001
 .0000000201 1 10000001111 01 0001
 .0000000201 11 0000001 11 1 1 00001
 .0000000208 000000100000000001
 .0000000284 010000000010000000
 .0000000288 0000000001100001 00
 .0000000238 000000000110001000
 .0000000288 000000000110010000
 .0000000288 000000000110100000
 .0000000304 1000000000000001 00
 .0000000304 100000000000001 000
 .0000000304 100000000000010000
 .0000000304 '1 000000000001 00000
 .0000000304 010000000000000100
 .0000000304 01000000000000-1000
 .0000000304 010000000000010000
 .0000000304 010000000000100000
 .0000000325 101 000001011 101000
 .0000000327 00000100101 1 000000
 .0000000352 000000001000000001
 .0000000365 010000000111 000100
 .0000000365 010000000111 001000
 .0000000365 010000000111 010000
 .0000000365 0100000001 1 1 100000
 .0000000402 100000001000000100
 .0000000402 100000001000001000
 .0000000402 100000001 000010000
 .0000000402 100000001000100000
 .0000000452 0000000001 1 1000001
 .0000000461 100000001001 000001
 .0000000549 0000000001 1 1 0001 00
 .0000000549 000000000111 001000
 .0000000549 000000000111 010000
 .0000000549 00000000011 1 100000
 .0000000620 010000000111 000001
 .0000000711 101000001010101000
 .0000000826 000000001000000100
 .0000000826 000000001 000001000
 .0000000826 000000001 000010000
 .0000000826 000000001000100000
 .0000001252    100000001011000000

Table 4-17 (continued)

Frequency      Signal Numbers

    .0000001297     100000000010000000
    .0000001417     010000000101000001
    .0000001567     100000001 000C00001
    .0000001591     000000100001000000
    .0000001593 000000010001000000
    .0000001803     101000001001 101000
    .0000002322     00000000000000111 0
    .0000002322     00000000000001 0100
    .0000002322     00000000000001 1000
    .0000002322     000000000000100100
    .0000002322     000000000000101000
    .0000002322     00000000000011 0000
    .0000002491     00000000101 1000000
    .0000002695     100000001010C00000
    .0000002876     10000000011 1C00000
    .0000002879 010000001000000000
    .0000003256 1 10000001010000000


    .0000003314 110000000111000000
    .0000005060 010000000001000000
    .0000005069 100000000001000000
    .0000007158 000000000011 000000
    .0000008666 000000000000000001
    .0000009688 100000001001000000
    .0000016750 000000001001000000
    .0000038530 0 0 0 0 0 0 0 0 0.0 0 1.0 0 0 1 0 0
    .0000038530 000000000001001000
    .0000038530 000000000001010000
    .0000038530 000000000001100000
    .0000096425 010000000101000000                          .
    .0000139631 000.000001111000001
    .0000200280 000000100000000000
    .0000200316 000000010000000000
    .0000226377 101000001000101000
    .0000228584 000001001001000000
    .0000228924 000010000111000000
    .0000229151 0101000.00111010100
    .0000373688 000000000010000000
    .0000431675 11000000111 1000001
     .0000605743 000000000110000000
     .0000633896 100000000000000000
     .0000634884 010.000000000000000
     .0000776724 010000000111000000
     .0000859535 100000001000000000
     .0001173814 000000000111000000
     .00017e0171 000000'OO1000000000
     .0004809885 000000000000000100
     .0004809885 000000000000001000
     .0004809885 000000000000010000
     .0004809885 000000000000100000
     .0079306314 000000000001000000
     .9892378039 000000000000000000

Table 4-18
GOST INPUT FILE

OPTION 2
SEQUOYAH AUX SYSTEM SEQUENCES
MAINLINE IMPACT VECTORS
18 15
AFB ACA ACB DC1 DC2 DC3 DC4 VIP1 VIP2 ERCA ERCB CCSA CCSB ESFA ESFB AFA AFAB CA
PORV RTA RTB MD1 MD2 MD3 MD4 TD1 TD2 TD3 TD4 CVSA CVSB CLA CLB
001100000010100 ACA
000011000001010 ACB
001100000000000 DC1
000011000000000 DC2
000000111100000 DC3
000000110000000 DC4
001100000000001 VIP1
000011000000001 VIP2
000000000010000 ERCA
000000000001000 ERCB
000000000010000 CCSA
000000000001000 CCSB
100000000000000 ESFA
010000000000000 ESFB
001100000000000 AFA
000011000000000 AFB
001111111100000 AFAB
000000111100001 CA

      .0000000001 1010000010001 01001
      .0000000001 0000000001 10000001
      .0000000001 1 00000000000000001
      .0000000001 01 0000000101 000101
      .0000000001 01 0000000101 001001
      .0000000001 010000000101 010001
      .0000000001 010000000101 100001
      .0000000001 100000001 000000101
      .0000000001 1 00000001000001001
      .0000000001 1 00000001000010001
      .0000000001 1 0 0 0 0 0 0 0-1 0001 00001
      .0000000001 010000000000000001

are arranged in order of descending value. This enables the analyst to decide the impact vectors to be quantified in frontline GO runs. It is also helpful in unraveling dominant sequences. Table 4-19 shows the GOST output of impact vector groupings. An "X" in a column indicates failure of that system. It can be seen how a set of main line system failures might be caused by one of several combinations of auxiliary system failures. For example, in impact vector 2, failure of main line system CVSB might be caused by failure of auxiliary system CCS train B, both ERCW train B and CCS train B, or simply by failure of ERCW train B. Auxiliary tree sequence 2, failure of CCS train B, contributes almost all of the frequency toward this impact vector, so it would be of most interest in the unraveling study if impact vector 2 is found to be a dominant contributor. (The relative importance of the impact vectors can only be assessed after the frontline model is run for each. However, vector 12 is probably a crucial one because it leads directly to sequence 5 in ESD7.) In other impact vector groupings, there might be several sequences to be examined.

In addition to this grouping, the analyst can further combine impact vectors according to system symmetry. For example, impact vector 3 causes failure of reactor trip train A, and impact vector 4 fails reactor trip train B. Because these two failures have symmetrically identical impacts in the event sequence diagram, only impact vector 4 was run, and its contribution to system failure would be added in twice for impact vectors 3 and 4. Table 4-20 gives the combinations of impact vectors chosen to be compiled in single GO runs of frontline models.
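The grouping step described in Section 4.8.1.2.2, as an added Python example (it is not the GOST program or code from the report): each truth-table state is turned into an impact vector by OR-ing the dependency-matrix rows of its failed auxiliary systems, states with the same vector are summed, and the groups are sorted by descending frequency. Assumptions: the frontline column order (RTA ... PORV last) is inferred from the matrix rows of Table 4-18, the truth-table columns are taken in the row-label order of that matrix, the sample states are a subset copied from legible rows of Table 4-17, and all function names are hypothetical.

```python
"""GOST-style grouping of auxiliary system states into frontline impact vectors."""
from collections import defaultdict

# Auxiliary system titles, in the order of the row labels in the Table 4-18 matrix.
AUX = ("ACA ACB DC1 DC2 DC3 DC4 VIP1 VIP2 ERCA ERCB "
       "CCSA CCSB ESFA ESFB AFA AFB AFAB CA").split()

# Frontline function titles. ASSUMPTION: column order inferred from the matrix
# rows (ESFA/ESFB mark the first two columns, VIP and CA rows mark the last).
FRONT = ("RTA RTB MD1 MD2 MD3 MD4 TD1 TD2 TD3 TD4 "
         "CVSA CVSB CLA CLB PORV").split()

# Dependency matrix rows as listed in Table 4-18 (1 = frontline function depends).
DEPENDENCY_TEXT = """
001100000010100 ACA
000011000001010 ACB
001100000000000 DC1
000011000000000 DC2
000000111100000 DC3
000000110000000 DC4
001100000000001 VIP1
000011000000001 VIP2
000000000010000 ERCA
000000000001000 ERCB
000000000010000 CCSA
000000000001000 CCSB
100000000000000 ESFA
010000000000000 ESFB
001100000000000 AFA
000011000000000 AFB
001111111100000 AFAB
000000111100001 CA
"""

# Subset of Table 4-17 rows: state frequency, then 18 signal states (1 = failed).
TRUTH_TABLE_TEXT = """
.0000007158 000000000011000000
.0000008666 000000000000000001
.0000016750 000000001001000000
.0000200280 000000100000000000
.0000373688 000000000010000000
.0000605743 000000000110000000
.0000633896 100000000000000000
.0001173814 000000000111000000
.0004809885 000000000000000100
.0004809885 000000000000001000
.0004809885 000000000000010000
.0004809885 000000000000100000
.0079306314 000000000001000000
.9892378039 000000000000000000
"""


def _check_bits(bits, width):
    if len(bits) != width or set(bits) - set("01"):
        raise ValueError(f"expected {width} characters of 0/1, got {bits!r}")
    return bits


DEPENDENCY = {}
for _line in DEPENDENCY_TEXT.strip().splitlines():
    _bits, _name = _line.split()
    DEPENDENCY[_name] = _check_bits(_bits, len(FRONT))
assert list(DEPENDENCY) == AUX  # every auxiliary system has exactly one row


def parse_truth_table(text):
    """Return [(frequency, state_bits)] from 'frequency bits' lines."""
    rows = []
    for line in text.strip().splitlines():
        freq, bits = line.split()
        rows.append((float(freq), _check_bits(bits, len(AUX))))
    return rows


def failed_aux(bits):
    """Names of the auxiliary systems that are failed in one truth-table state."""
    _check_bits(bits, len(AUX))
    return tuple(name for name, b in zip(AUX, bits) if b == "1")


def impact_vector(bits):
    """Frontline functions failed by a state: OR of the failed systems' rows."""
    hit = set()
    for aux in failed_aux(bits):
        hit.update(f for f, d in zip(FRONT, DEPENDENCY[aux]) if d == "1")
    return tuple(f for f in FRONT if f in hit)


def group_impact_vectors(rows):
    """Sum state frequencies per impact vector; sort groups by descending frequency."""
    groups = defaultdict(list)
    for freq, bits in rows:
        groups[impact_vector(bits)].append((freq, failed_aux(bits)))
    result = []
    for vector, states in groups.items():
        total = sum(freq for freq, _ in states)
        states.sort(reverse=True)  # largest contributor first, for unraveling
        result.append({"impact": vector, "frequency": total,
                       "states": [(aux, freq / total) for freq, aux in states]})
    result.sort(key=lambda g: g["frequency"], reverse=True)
    return result


if __name__ == "__main__":
    for n, g in enumerate(group_impact_vectors(parse_truth_table(TRUTH_TABLE_TEXT)), 1):
        print(f"{n:2d} {g['frequency']:.10f} fails: {' '.join(g['impact']) or '(none)'}")
        for aux, share in g["states"]:
            print(f"     {share:7.2%}  caused by: {' + '.join(aux) or '(no failures)'}")
```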

4.8.1.2.3 Frontline systems run. The third stage of the quantification process involves running GO for the frontline systems event sequence diagrams, setting specific signals to have failed because of auxiliary system impact vectors. For this quantification, the impact vectors are grouped into 15 separate frontline model runs. These 15 runs will apply to all the impacts of all the impact vectors as noted in Table 4-20. Impact vector 1 is where none of the frontline systems are impacted (failed) as a direct consequence of auxiliary system states; impact vector 2 causes the CVSB system to fail, etc. The GO output of final signal values for the 15 frontline model runs is reproduced in Table 4-21. In ESD7, the dominant degraded plant state contributor (sequence 5) is defined by the following system states: reactor trip is successful and both the auxiliary feedwater system and the bleed and feed system fail. The rest

[Table 4-19 (continued), Sheet 4 of 6: auxiliary system sequences and impact vectors. The table body is not legible in the source.]
Table 4-20
IMPACT VECTOR GROUPING
Sheet 1 of 3

Frontline
Model Runs   No.    Frequency (a)    RT   MD   TD   CVS   CL   PORV   Comments

  1       1      .98924
  2       2      7.93-3                                                X
  3       3      4.81-4      X
  3       4      4.81-4          X                                              Covered by Impact Vector 3
  4       5      4.81-4            X X
  4       6      4.81-4                   X X                                   Covered by Impact Vector 5
  2       7      2.13-4                                   X                     Covered by Impact Vector 2
  5       8      1.81-4                                    X X
  6       9      1.50-4            X X                    X        X
  7      10      7.80-5                   X X              X X         X
  6      11      7.37-5                   X X                  X       X        Covered by Impact Vector 9
  8      12      4.32-5            X X X X     X X X X    X   X    X X     X
  9      13      2.30-5          X        X X             X   X        X
 10      14      2.30-5                        X X X X     X  X
 11      15      2.30-5                        X X        X   X
 12      16      2.28-5      X      X X                   X        X
  7      17      2.00-5                   X X                              X    Covered by Impact Vector 10
  7      18      2.00-5            X   X                                   X    Covered by Impact Vector 10
 10      19      1.40-5                         X X X X    X X              X    Covered by Impact Vector 14
  2      20      3.85-6      X                                 X                Covered by Impact Vector 2
  2      21      3.85-6          X                            X                 Covered by Impact Vector 2
 13      22      3.85-6            X X                         X
 13      23      3.85-6                   X X                 X                 Covered by Impact Vector 22
  7      24      1.89-6            X X                    X X      X            Covered by Impact Vector 10
 10      25      8.67-7                        X X X X                     X    Covered by Impact Vector 14

(a) Frequency = conditional probability given the occurrence of an initiating event.

Note: Exponential notation is indicated in abbreviated form; i.e., 7.93-3 = 7.93 x 10^-3

Table 4-20 (continued)
Sheet 2 of 3

Frontline
Model Runs   No.    Frequency (a)    RT   MD        TD        CVS   CL    PORV   Comments
                                     A B  1 2 3 4   1 2 3 4   A B   A B

 14      26      6.67-7      X X X X X X X X
 --      27      2.32-7      X X                                                 Zero Contribution
  4      28      2.32-7      X      X  X                                         Covered by Impact Vector 5
  4      29      2.32-7      X         X X                                       Covered by Impact Vector 5
  4      30      2.32-7           X X X                                          Covered by Impact Vector 5
  4      31      2.32-7           X         X  X                                 Covered by Impact Vector 5
 15      32      2.32-7             X X X X      X X X X
  7      33      2.13-7      X      X  X                   X X    X              Covered by Impact Vector 10
  7      34      1.59-7                     X X                X          X      Covered by Impact Vector 10
  7      35      1.59-7             X X                        X          X      Covered by Impact Vector 10
 11      36      1.57-7             X X          X X X X   X      X       X      Covered by Impact Vector 15
 11      37      1.42-7                     X X  X X X X       X      X   X      Covered by Impact Vector 15
 13      38      1.00-7      X                             X                     Covered by Impact Vector 22
 13      39      1.00-7           X                         X                    Covered by Impact Vector 22
 13      40      1.00-7             X  X                   X                     Covered by Impact Vector 22
 13      41      1.00-7                     X X             X                    Covered by Impact Vector 22
 10      42      7.50-8                     X X  X X X X   X  X       X   X      Covered by Impact Vector 14
 10      43      8.46-8       X                             X X                  Covered by Impact Vector 14
 10      44      8.46-8           X                         X X                  Covered by Impact Vector 14
 10      45      8.46-8             X X                     X X                  Covered by Impact Vector 14
 10      46      8.46-8                     X X             X X                  Covered by Impact Vector 14
 10      47      5.96-8             X X          X X X X    X  X  X       X      Covered by Impact Vector 14
 10      48      7.06-8           X X  X                    X     X              Covered by Impact Vector 14
 10      49      7.06-8             X X X X                 X     X              Covered by Impact Vector 14
 10      50      3.66-8       X             X X             X X       X          Covered by Impact Vector 14
 10      51      3.66-8             X X X X                 X X       X          Covered by Impact Vector 14
 10      52      3.52-8                          X X X X    X         X   X      Covered by Impact Vector 14

(a) Frequency = conditional probability given the occurrence of an initiating event.

Note: Exponential notation is indicated in abbreviated form; i.e., 2.32-7 = 2.32 x 10^-7

Table 4-20 (continued)
Sheet 3 of 3

Frontline
Model Runs   No.    Frequency (a)    RT   MD   TD   CVS   CL   PORV   Comments

 10      53      3.47-8      X X X X X                                           Covered by Impact Vector 14
 10      54      3.68-8          X        X X                   X         X       Covered by Impact Vector 14
 10      55      3.47-8          X  X X X X                     X        X        Covered by Impact Vector 14
 10      56      2.12-8             X X          X X X X                     X    Covered by Impact Vector 14
  8      57      2.39-8      X      X X X X      X X X X    X X       X X    X    Covered by Impact Vector 12
  8      58      2.39-8          X  X X X X      X X X X    X X       X X    X    Covered by Impact Vector 12
         59      1.85-8                   X X    X X X X                     X
         60      1.08-8      X X          X X               X  X          X
  8      61      1.08-6          X  X X X X      X  X  X  X X  X          X       Covered by Impact Vector 12
         62      1.07    X                   X  X   X X X  X
         63      1.07-8          X               X  X   X X X  X
         64      1.07-3             X X          X  X   X X X  X
         65      1.07-8                   X X X     X   X X X  X
         66      1.06-8      X                   X  X       X  X
         67      1.06-8          X               X  X       X  X
         68      1.06-8             X X          X  X       X  X
         69      1.06-8                   X X X     X       X  X
         70      1.06-8      X X X X                        X         X
  8      71      1.06-8      X      X X X X X       X X X   X         X           Covered by Impact Vector 12
         72      9.4-9        X X          X X                               X
         73      9.4-9           X        X X                                X
         74      1.87-8             X X X X                                  X
         75      9.3-S       X      X X                                      X
         76      9.3-9            X X X                                      X
         77      6.9-9                           X  X X X       X            X
         78      6.6-9        X                  X  X X X    X X             X
         79      6.6-9            X              X  X X X    X X             X

(a) Frequency = conditional probability given the occurrence of an initiating event.

Note: Exponential notation is indicated in abbreviated form; i.e., 2.32-7 = 2.32 x 10^-7
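The grouping in Table 4-20 can be checked mechanically. The following Python sketch is an added example, not part of the original report or of the GO software: it parses the table's abbreviated exponent notation, regroups impact vectors 1 through 31 by frontline model run, and verifies each "Covered by Impact Vector" comment against the one uncommented vector in that run. The row tuples are transcribed from the table; the function names are hypothetical.

```python
from collections import defaultdict

# Transcribed from Table 4-20, impact vectors 1-31. Each tuple is
# (frontline model run, impact vector no., frequency as printed,
#  vector named in the "Covered by Impact Vector N" comment, or None).
# run=None is vector 27, which the table marks "Zero Contribution".
TABLE_4_20 = [
    (1, 1, ".98924", None), (2, 2, "7.93-3", None), (3, 3, "4.81-4", None),
    (3, 4, "4.81-4", 3), (4, 5, "4.81-4", None), (4, 6, "4.81-4", 5),
    (2, 7, "2.13-4", 2), (5, 8, "1.81-4", None), (6, 9, "1.50-4", None),
    (7, 10, "7.80-5", None), (6, 11, "7.37-5", 9), (8, 12, "4.32-5", None),
    (9, 13, "2.30-5", None), (10, 14, "2.30-5", None), (11, 15, "2.30-5", None),
    (12, 16, "2.28-5", None), (7, 17, "2.00-5", 10), (7, 18, "2.00-5", 10),
    (10, 19, "1.40-5", 14), (2, 20, "3.85-6", 2), (2, 21, "3.85-6", 2),
    (13, 22, "3.85-6", None), (13, 23, "3.85-6", 22), (7, 24, "1.89-6", 10),
    (10, 25, "8.67-7", 14), (14, 26, "6.67-7", None), (None, 27, "2.32-7", None),
    (4, 28, "2.32-7", 5), (4, 29, "2.32-7", 5), (4, 30, "2.32-7", 5),
    (4, 31, "2.32-7", 5),
]


def parse_frequency(text):
    """Convert the table's abbreviated notation ('7.93-3' means 7.93 x 10^-3)."""
    text = text.strip()
    mantissa, dash, exponent = text.rpartition("-")
    if dash and mantissa and exponent.isdigit():
        value = float(f"{mantissa}e-{exponent}")
    else:
        # Plain decimal such as '.98924'; a garbled token raises ValueError here.
        value = float(text)
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"not a conditional probability: {text!r}")
    return value


def group_by_run(rows):
    """Return ({run: vectors, representatives, summed frequency}, unassigned)."""
    runs = defaultdict(
        lambda: {"vectors": [], "representatives": [], "frequency": 0.0}
    )
    unassigned = []
    for run, vector, freq_text, covered_by in rows:
        freq = parse_frequency(freq_text)
        if run is None:
            # No frontline run is needed for this vector (zero contribution).
            unassigned.append((vector, freq))
            continue
        entry = runs[run]
        entry["vectors"].append(vector)
        entry["frequency"] += freq
        if covered_by is None:
            # The uncommented row is the vector the run is actually built on.
            entry["representatives"].append(vector)
    return dict(runs), unassigned


def check_coverage(rows):
    """List every row whose 'covered by' comment disagrees with its run."""
    runs, _ = group_by_run(rows)
    problems = []
    for run, entry in sorted(runs.items()):
        if len(entry["representatives"]) != 1:
            problems.append(("run", run, entry["representatives"]))
    for run, vector, _freq, covered_by in rows:
        if run is None or covered_by is None:
            continue
        if [covered_by] != runs[run]["representatives"]:
            problems.append((vector, covered_by, runs[run]["representatives"]))
    return problems


if __name__ == "__main__":
    runs, unassigned = group_by_run(TABLE_4_20)
    for run in sorted(runs):
        entry = runs[run]
        print(f"Run {run:2d}: vectors {entry['vectors']}, "
              f"summed frequency {entry['frequency']:.4e}")
    print("No frontline run:", unassigned)
    print("Inconsistent comments:", check_coverage(TABLE_4_20))
```

For runs 2 through 5 the regrouped vector lists match the run headings printed in Table 4-21.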

Table 4-21
GO OUTPUT - FRONTLINE SYSTEMS MODEL RUNS

Run 1 (Impact Vector 1)

FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
PROBABILITY*                                           301      302      303    304    305

                             .00000C0033                0         1        G      I      1
                             .00C00C0499                 0        1       C       1      1
                             .00C00C05t5                0        1         1      1      1
                            .0000099346                 0        1        0      0      0
                            .00C13C3792                  1       1         1     1      1
                            .999F595641                 0        C        C      0      0
TOTAL PROBABILITY = .9999999996
TOTAL ERROR = .CC00CCC?G4

Run 2 (Impact Vectors 2, 7, 20, and 21)

FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
PROBABILITY*                                           301      302      303    304    305
                           .00CUCCC031-                0        1        0      0      1
                           .00C00LC49;                 O        1        C      1-     1
                           .00000;Cc92                 0        1        1      1      1
                           .0GC0C9v336                 0        1        0      C      C
                           . GOC 13C3793               1        1        1      1      1
                           .9995395c42                 0        C        C      C     O'
TOTAL PROBABILITY = .9999999943
TOTAL ERROR = .0000GCC002

* Conditioned on occurrence of initiating event.

Table 4-21 (continued)

Run 3 (Impact Vectors 3 and 4)

FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
PROBABILITY*                                         301         302    303      304   305

                       .00C00CC032                   0           1      L        C     1
                        .00C0000494                  0           1      0        1     1
                       .00C0000677                   0           1      1        1     1
                       .00000io263                   0           1      0       0      0
                       .011029C7c3                   1           1      1        1     1
                       .96E96C9707                   0           0      C       (      0 TOTAL PROLALILITY                 =           93479090?f TOTAL ERACR =                               .CCCJOCC004
                   ---------------~~~~--------------------

Run 4 (Impact . ' Vectors 5, 6, 28, FINAL EVLhT TASLE (INFIh!TY = 1) 29, 30, and 31) S I C 'J A L S A \' THEIA VALuis , PR06A01LITY* 301 302 -303 304 3C5

                        .0000002eb2                  0           1      0        0-    1
                       .00C0040344                   0           1      C        1     1
                        .00C005c013                  0           1      1        1     1
                        .0001303792                  1           1      1        1     1
                        .0003125375                  0           1      C        0     0
                        .7990471233                  0           0      0        0     0 TOTAL PHObALILITY =                          .99&?99999c TOTAL ERACR                                  .C00000C004
  • Conditioned on occurrence of initiating event.

1 l 1 1 I 4-131

Table 4-21 (continued)

Run 5 (Impact Vector 8)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .00C00CC037      0    1    0    0    1
                .00C0000499      0    1    0    1    1
                .00CC0C070c      0    1    1    1    1
                . 00C0099321     0    1    0    0    0
                .00C13C3793      1    1    1    1    1
                .99sc5 5642      0    0    0    0    0
TOTAL PROBABILITY = .Q;9094509s
TOTAL ERROR = .00COCCC702

Run 6 (Impact Vectors 9 and 11)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .0001303793      1    1    1    1    1
                .0003224917      0    1    1    1    1
                .9990471289      0    0    0    0    0
TOTAL PROBABILITY = 1.CC000CC00C
TOTAL ERROR = .CC000CC000

Run 7 (Impact Vectors 10, 17, 18, 24, 33, 34, and 35)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .0000003022      0    1    0    0    1
                .000004033e      0    1    0    1    1
                .0000057773      0    1    1    1    1
                .0001503793      1    1    1    1    1
                .00Ca123235      0    1    0    0    0
                .9990471289      0    0    0    0    0
TOTAL PROBABILITY = .99999C9995
TOTAL ERROR = .CCC0000002

*Conditioned on occurrence of initiating event.

Table 4-21 (continued)

Run 8 (Impact Vectors 12, 57, 58, 61, and 71)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .00013C3793      1    1    1    1    1
                .9993o9c20e      0    1    1    1    1
TOTAL PROBABILITY = 1.CCC0COC00C
TOTAL ERROR = .0000C2C000

Run 9 (Impact Vector 13)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .0005135264      0    1    1    1    1
                .0110290764      1    1    1    1    1
                .9SE1573972      0    0    0    0    0
TOTAL PROBABILITY = 1.CCC00CC00C
TOTAL ERROR = .CC030CC00C

Run 10 (Impact Vectors 14, 19, 25, and 42 through 56)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .00C1303793      1    1    1    1    1
                .00C2130934      0    1    1    1    1
                .999656S272      0    0    0    0    0
TOTAL PROBABILITY = .9999979099
TOTAL ERROR = .GCC00CC001

*Conditioned on occurrence of initiating event.

Table 4-21 (continued)

Run 11 (Impact Vector 15)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .0000205722      0    1    1    1    1
                .0001303793      1    1    1    1    1
                .9993490434      0    0    0    0    0
TOTAL PROBABILITY = .9999999999
TOTAL ERROR = .00000C0001

Run 12 (Impact Vector 16)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .00C00C29c9      0    1    0    0    1
                .00C00 039C      0    1    0    1    1
                .00C0057144      0    1    1    1    1
                .00C6034741      0    1    0    0    0
                .0110290763      1    1    1    1    1
                .9851573972      0    0    0    0    0
TOTAL PROBABILITY = .9999999099
TOTAL ERROR = .0000000001

Run 13 (Impact Vectors 22, 23, 38, 39, 40, and 41)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .0000002967      0    1    0    0    1
                .0000040842      0    1    0    1    1
                .0000056563      0    1    1    1    1
                .0001303793      1    1    1    1    1
                .0008124525      0    1    0    0    0
                .9990471289      0    0    0    0    0
TOTAL PROBABILITY = .9999999999
TOTAL ERROR = .0000000001

*Conditioned on occurrence of initiating event.

Table 4-21 (continued)

Run 14 (Impact Vector 26)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .0001303793      1    1    1    1    1
                .0483300991      0    1    1    1    1
                .9510395215      0    0    0    0    0
TOTAL PROBABILITY = 1.0000000000
TOTAL ERROR = .0C00000000

Run 15 (Impact Vector 32)
FINAL EVENT TABLE (INFINITY = 1)
SIGNALS AND THEIR VALUES
                PROBABILITY*    301  302  303  304  305
                .0001303793      1    1    1    1    1
                .0003260916      0    1    0    0    1
                .0040053J11      0    1    0    1    1
                .0066093744      0    1    1    1    1
                .9377653334      0    1    0    0    0
TOTAL PROBABILITY = 0??4Y37097
TOTAL ERROR = .000~000003

*Conditioned on occurrence of initiating event.

of the frontline systems do not contribute to this sequence. This sequence is represented in the GO truth table by a 0 value for signal 301, and values of 1 for signals 302, 303, 304, and 305.

With impact vector 12, all frontline systems (except reactor trip) are known to have failed. Therefore, the probability of this sequence occurring is

Reactor Trip (success) * AFW (failure) * B&F (failure)

or

.9998696 * 1.0 * 1.0 = .9998696

which is the probability found in the truth table for this sequence.

4.8.1.2.4 Final quantification. The final quantification equation for the frequency of this accident sequence is

$$\phi_j = \phi_{IE} \sum_{i=1}^{N} \phi_A(i)\,\phi_F(j|i)$$

and

$$\phi_A(i) = \sum_{k=1}^{M} \phi_A(i,k)$$

where

$\phi_j$ = frequency of sequence.

$\phi_{IE}$ = frequency of initiating event.

$\phi_A(i,k)$ = the frequency of the kth auxiliary model state, which has impact vector i.

$\phi_A(i)$ = the total frequency of all auxiliary states having impact vector i.

$\phi_F(j|i)$ = the conditional frequency of frontline model event sequence j, given any auxiliary state with impact vector i.

Table 4-22 shows the impact vector contributions ($\phi_A(i)$) in the first column and the corresponding conditional frontline system frequencies ($\phi_F(j|i)$) in the second column. Multiplying the column 1 entries with the corresponding column 2 entries produces the product shown in column 3. Summing column 3 gives the total conditional plant response frequency (conditional on the occurrence of an initiating event). Column 4 gives the percentage contribution of the components contributing to the conditional plant response or accident frequency, because the initiating event frequency is a constant.

4.8.1.3 Identification of Dominant Contributors. Using the quantification process of the two-stage integrated model allows the dominant contributors to be identified in three steps: (1) identification of dominant sequence, (2) identification of dominant systems (frontline or auxiliary systems), and (3) identification of dominant system contributors (components).

The first step, identifying the dominant sequence to ESD7, was accomplished previously. The second step can be accomplished by inspecting the final quantification contributors and products of Table 4-22, which shows that impact vector 12 of the auxiliary systems contributes 97.73% of the failure frequency of this sequence. Inspecting the GOST output of Table 4-19 shows that impact vector 12 is 100% dominated by auxiliary systems state 14.

The third step requires analyzing auxiliary state 14 down to the dominant component cutsets. This is accomplished by running FAULT FINDER on auxiliary model state 14: the auxiliary model output is modified to produce auxiliary state 14, and FAULT FINDER is then run. Auxiliary state 14 is composed of failures of both AC electric power trains, both ERCW trains, both component cooling trains, and compressed air. All other auxiliary outputs are successes (see Table 4-17).

The modification of the auxiliary output requires all of the failed outputs to be combined with an OR gate and all of the successful outputs to be combined with an AND gate. The two outputs of the OR and AND gates can be specified in the FAULT FINDER to be traced for success of the AND gate output and failure of the OR gate output. In this manner, the FAULT FINDER will trace all cutsets that are produced by auxiliary state 14.

Table 4-22

FINAL QUANTIFICATION

Sheet 1 of 2

Auxiliary System Impact Vectors    Frontline System    Sequence       Percentage Contribution
Number          Frequency a        Frequency b         Frequency a    of Leading Contributors
1               .9892378           6.85-8              6.78-8         .15
2               7.93-3             6.92-8              5.49-10        c
3               4.81-4             6.77-8              3.26-11        c
4               4.81-4             6.77-8              3.26-11        c
5               4.81-4             5.60-6              2.69-9         c
6               4.81-4             5.60-6              2.69           c
7               2.13-4             6.92-8              1.47-11        c
8               1.81-4             7.06-8              1.28-11        c
9               .1.50              5.78-6              8.67-10        c
10              7.80-5             8.22-4              6.41-8         .15
11              7.37-5             5.78                4.26-10        c
12              4.32-5             .9998696            4.32-5         97.73
13              2.30-5             8.14-4              1.87-8         c
14              2.29-5             2.13-4              4.88-9         c
15              2.29-5             2.06-5              4.72-10        c
16              2.28-5             5.71                1.30-10        c
17              2.00-5             8.22-4              1.64-8         .04
18              2.00-5             8.22-4              1.64-8         .04
19              1.40-5             2.13-4              2.93-9         c
20              3.85-6             6.92-8              2.66-13        c
21              3.85-6             6.92-8              2.66-13        c
22              3.85-6             5.66-6              2.18-11        c
23              3.85-6             5.66-6              2.18-11        c
24              1.89-6             8.22-4              1.55-9         c
25              8.67-7             2.13-4              1.85-10        c

a Conditional on the initiating event.
b Conditional on the initiating event and auxiliary system impact vector.
c Less than .03%.

Note: Exponential notation is indicated in abbreviated form; i.e., 6.85-8 = 6.85 x 10^-8.

Table 4-22 (continued)

Sheet 2 of 2

Auxiliary System Impact Vectors    Frontline System    Sequence       Percentage Contribution
Number          Frequency a        Frequency b         Frequency a    of Leading Contributors
26              8.67-7             4.88-2              4.23-8         .10
27 through 31   9.28-7             5.60-6              5.20-12        c
32              2.32-7             6.81-3              1.58-9         c
33 through 35   4.31-7             8.22-4              3.54-10        c
36, 37          2.99-7             6.81-3              2.04-9         c
38 through 41   4.00-7             5.66-6              2.26-12        c
42, 47          1.35-7             4.88-2              6.59-9         c
43 through 46   3.38-7             4.88-2              1.65-8         .04
48 through 56   3.06-7             4.88-2              1.49-8         .03
57, 58, 61, 71  6.92-8             .9998696            6.92-8         .16
All Others      < 7.00-7           < 4.88-2            < 3.42-8       .08
Truncation Error  5.96-7           1.00                5.96-7         1.35

Total Conditional Plant Response Frequency             4.42-5         100.00

a Conditional on the initiating event.
b Conditional on the initiating event and auxiliary system impact vector.
c Less than .03%.

Note: Exponential notation is indicated in abbreviated form; i.e., 8.67-7 = 8.67 x 10^-7.
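The column arithmetic of Table 4-22 (column 3 is column 1 times column 2, column 4 is the share of the table total) can be re-run from the printed values. The Python below is an added example, not part of the report or the GO codes; it uses a subset of the table's legible rows, its function names are hypothetical, and it leaves out the initiating event frequency because the table is conditional on it.

```python
def parse_abbrev(text):
    """Read the report's abbreviated notation: '6.85-8' means 6.85 x 10^-8.

    Plain decimals such as '.9998696' carry no exponent and pass through.
    """
    text = text.strip()
    cut = text.rfind("-")
    if cut > 0:  # a '-' after the mantissa marks the (negative) exponent
        return float(f"{text[:cut]}e-{text[cut + 1:]}")
    return float(text)


# (impact vectors, phi_A(i), phi_F(j|i), printed product, printed percent)
# Copied from legible rows of Table 4-22; None stands for footnote c (< .03%).
TABLE_4_22 = [
    ("1",              ".9892378", "6.85-8",   "6.78-8",  0.15),
    ("2",              "7.93-3",   "6.92-8",   "5.49-10", None),
    ("10",             "7.80-5",   "8.22-4",   "6.41-8",  0.15),
    ("12",             "4.32-5",   ".9998696", "4.32-5",  97.73),
    ("17",             "2.00-5",   "8.22-4",   "1.64-8",  0.04),
    ("26",             "8.67-7",   "4.88-2",   "4.23-8",  0.10),
    ("43 through 46",  "3.38-7",   "4.88-2",   "1.65-8",  0.04),
    ("57, 58, 61, 71", "6.92-8",   ".9998696", "6.92-8",  0.16),
]
# Table total; it also covers the rows that are not repeated in this subset.
TOTAL_CONDITIONAL = parse_abbrev("4.42-5")


def contributions(rows, total):
    """Return (vectors, product, percent of total), largest product first."""
    out = []
    for vectors, phi_a, phi_f, _printed, _pct in rows:
        product = parse_abbrev(phi_a) * parse_abbrev(phi_f)
        out.append((vectors, product, 100.0 * product / total))
    return sorted(out, key=lambda item: item[1], reverse=True)


def mismatches(rows, total, rel_tol=0.01, pct_tol=0.02):
    """List rows whose recomputed columns disagree with the printed ones.

    Tolerances allow for the three-digit rounding of the printed values.
    """
    bad = []
    for vectors, phi_a, phi_f, printed, pct in rows:
        product = parse_abbrev(phi_a) * parse_abbrev(phi_f)
        percent = 100.0 * product / total
        shown = parse_abbrev(printed)
        if abs(product - shown) > rel_tol * shown:
            bad.append(vectors)
        elif pct is None and percent >= 0.03:
            bad.append(vectors)
        elif pct is not None and abs(percent - pct) > pct_tol:
            bad.append(vectors)
    return bad


if __name__ == "__main__":
    for vectors, product, percent in contributions(TABLE_4_22, TOTAL_CONDITIONAL):
        print(f"{vectors:<16} {product:.3e} {percent:8.3f}%")
    print("rows that fail the cross-check:", mismatches(TABLE_4_22, TOTAL_CONDITIONAL))
```

Running the same cross-check over a full transcription of the table is a quick way to catch transcription errors in individual cells.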

The results of the FAULT FINDER run are processed by the GOLF computer code, which identifies and ranks cutsets. The GOLF output is shown in Table 4-23. The first five cutsets contribute 99.9% of the frequency to auxiliary state 14. The contribution of the cutsets to the frequency shown in this table will be higher than the corresponding frequency calculation in the GO model quantification because the GOLF code only multiplies the cutset component failure frequencies, whereas the GO code multiplies the failure and success frequencies, which produces a lower value.

The five dominant cutsets are composed of four third-order cutsets and one second-order cutset. The third-order cutsets are composed of loss of offsite power (LOSP) within the 24-hour period following an initiating event and the failure to start and run of two diesel generators, one A train and one B train, from either Unit 1 or Unit 2. The failure frequency of offsite power is

$\phi_{LOSP}$ = .81 x 10

The failure frequency for a diesel generator to start and run is

$\phi_{DG}$ = .117

These four cutsets contribute 88.9% of the total contribution to this event sequence.

The last cutset is composed of water chillers A and B failing. These water chillers cool the Class 1E electric power board rooms and one or the other is required for success. The failure frequency for a water chiller to fail during operation is

$\phi_{CHILLER}$ =

This cutset contributes 11.1% of the total contribution to this sequence.

The following discussion explains why these particular cutsets surface as the dominant contributors to sequence failure. Figure 4-29 shows the diesel generator/ERCW system modeling dependency logic. The ERCW system is shared between Units 1 and 2 and is powered by both units' diesel generators as shown by this figure. During a loss of offsite power, the diesel loading restrictions only allow one ERCW pump to be loaded on a diesel. This loading restriction

Table 4-23

GOLF OUTPUT OF DOMINANT CUTSETS FOR AUXILIARY STATE 14

(FAULT SETS ORDERED BY PROBABILITY)

Rank  OP(mode) Components | OP(mode) Components | OP(mode) Components | Probability | Subtotal
1   102(1) LOSP | 145(1) DG 1A | 154(1) DG 1B | 1069111-4 | .1069111-4
2   102(1) LOSP | 145(1) DG 1A | 180(1) DG 2B | 1069111-4 | .2138222-4
3   102(1) LOSP | 154(1) DG 1B | 171(1) DG 2A | 1069111-4 | .3207333-4
4   102(1) LOSP | 171(1) DG 2A | 180(1) DG 2B | 1069111-4 | .4276444-4
5   108(1) Water Chiller A | 114(1) Water Chiller B | .5244100-5 | 4800854-4
6   102(1) LOSP | 127(1) DG 2A Maintenance | 145(1) DG 1A | 1425481-7 | 4802279-4
7   102(1) LOSP | 127(1) DG 1A Maintenance | 171(1) DG 2A | .1425491-7 | 4803/06-4
8   102(1) LOSP | 127(1) DG 2B Maintenance | 154(1) DG 1B | .1425481-7 | 4805130-4
9   102(1) LOSP | 127(1) DG 1B Maintenance | 180(1) DG 2B | .1425481-7 | 4806556-4
10  102(1) LOSP | 187(1) ERCW Trash Rack | 1093400-7 | 4807649-4
11  102(1) LOSP | 145(1) DG 1A | 158(1) 480V ERCW MCC 1B-B | .3R01283-8 | 48G3029-4
12  102(1) LOSP | 149(1) 480V ERCW MCC 1A-A | 154(1) DG 1B | 3801283-8 | 4808409-4
13  102(1) LOSP | 145(1) DG 1A | 247(1) ERCW Strainer B1B-B | .1553409-8 | 4808565-4
14  102(1) LOSP | 154(1) DG 1B | 244(1) ERCW Strainer A1A-A | .1553409-8 | 4808720-4
15  102(1) LOSP | 145(1) DG 1A | 157(1) 6.9 KV Bus 1B-B | 1105662-8 | 4908830-4
16  102(1) LOSP | 145(1) DG 1A | 183(1) 6.9 KV Bus 2B-B | 1105662-8 | 4808941-4
17  102(1) LOSP | 148(1) 6.9 KV Bus 1A-A | 154(1) DG 1B | .1105662-8 | 4409052-4
18  102(1) LOSP | 148(1) 6.9 KV Bus 1A-A | 180(1) DG 2B | 1105662-8 | 4809162-4
19  102(1) LOSP | 154(1) DG 1B | 174(1) 6.9 KV Bus 2A-A | 1105662-8 | 4809273-4
20  102(1) LOSP | 157(1) 6.9 KV Bus 1B-B | 171(1) DG 2A | .1105662-8 | 4809183-4
21  102(1) LOSP | 171(1) DG 2A | 183(1) 6.9 KV Bus 2B-B | 1105662-8 | 4809494-4
22  102(1) LOSP | 174(1) 6.9 KV Bus 2A-A | 180(1) DG 2B | 1105662-8 | 4809604-4
23  102(1) LOSP | 145(1) DG 1A | 246(1) ERCW Header B IV | .5482620-9 | 4809659-4
24  102(1) LOSP | 154(1) DG 1B | 243(1) ERCW Header A IV | .5482620-9 | .4809714-4
25  102(1) LOSP | 171(1) DG 2A | 246(1) ERCW Header B IV | .5482620-9 | 4809769-4
26  102(1) LOSP | 180(1) DG 2B | 243(1) ERCW Header A IV | 5482620-9 | 4809824-4
27  109(1) Water Chiller A | 117(1) AHU 1B-B | 124(1) AHU 2B-B | .1029218-9 | 4809834-4
28  111(1) AHU 1A-A | 114(1) Water Chiller B | 121(1) AHU 2A-A | 1029218-9 | 4809844-4
29  102(1) LOSP | 127(1) DG Maintenance | 149(1) 480V ERCW MCC 1A-A | .5068374-11 | 4809945-4
30  102(1) LOSP | 127(1) DG Maintenance | 158(1) 480V ERCW MCC 1B-B | 5068378-11 | 4809845-4
31  102(1) LOSP | 127(1) DG Maintenance | 244(1) ERCW Strainer A1A-A | .2071212-11 | 4809946-4
32  102(1) LOSP | 127(1) DG Maintenance | 247(1) ERCW Strainer B1B-B | .2071212-11 | .4809846-4
33  102(1) LOSP | 127(1) DG Maintenance | 148(1) 6.9 KV Bus 1A-A | 1474216-11 | 4809946-4
34  102(1) LOSP | 127(1) DG Maintenance | 174(1) 6.9 KV Bus 2A-A | 1474216-11 | 4809846-4
35  102(1) LOSP | 127(1) DG Maintenance | 157(1) 6.9 KV Bus 1B-B | 1474216-11 | 4809846-4
36  102(1) LOSP | 127(1) DG Maintenance | 183(1) 6.9 KV Bus 2B-B | 1474216-11 | 4809e46-4
37  102(1) LOSP | 127(1) DG Maintenance | 243(1) ERCW Header A IV | 7310160-12 | 4809846-4
38  102(1) LOSP | 127(1) DG Maintenance | 246(1) ERCW Header B IV | 7310160-12 | 4809846-4
39  102(1) LOSP | 148(1) 6.9 KV Bus 1A-A | 158(1) 480V ERCW MCC 1B-B | .3111242-12 | 48t9946-4
40  102(1) LOSP | 148(1) 6.9 KV Bus 1A-A | 247(1) ERCW Strainer B1B-B | ,16065' F-12 | 4809847-4
41  102(1) LOSP | 18 ?(1) 6.9 KV Bus 1B-B | 244(1) ERCW Strainer A1A-A | 1606517-12 | 4109847-4
42  102(1) LOSP | 148(1) 6.9 KV Bus 1A-A | 157(1) 6.9 KV Bus 1B-B | 1143462-12 | 4t09847-4
43  102(1) LOSP | 148(1) 6.9 KV Bus 1A-A | 183(1) 6.9 KV Bus 2B-B | .16434(2 12 | 4A09947-4
44  102(1) LOSP | 157(1) 6.9 KV Bus 1B-B | 174(1) 6.9 KV Bus 2A-A | 1143442-12 | 4809847-4
45  102(1) LOSP | 174(1) 6.9 KV Bus 2A-A | 183(1) 6.9 KV Bus 2B-B | 1143462-12 | 4409841-4
46  102(1) LOSP | 148(1) 6.9 KV Bus 1A-A | 246(1) ERCW Header B IV | .5670064-13 | 463)S47-4
47  102(1) LOSP | 157(1) 6.9 KV Bus 1B-B | 243(1) ERCW Header A IV | 5670060-13 | 4809n4L4
48  102(1) LOSP | 174(1) 6.9 KV Bus 2A-A | 246(1) ERCW Header B IV | .567006')-13 | 4809847-4
49  102(1) LOSP | 183(1) 6.9 KV Bus 2B-B | 243(1) ERCW Header A IV | .5670060-13 | 4309847-4

DG = diesel generator
IV = isolation valve
NOTE: Exponential notation is indicated in abbreviated form; i.e., 1069111-4 = .1069111 x 10**-4.

DIESEL GENERATOR    ERCW     DIESEL LOADING     ERCW TRAIN
POWER SUPPLY        PUMPS    RESTRICTION        SUCCESS CRITERIA

1A                  J-A      ONE OUT OF TWO
                    Q-A                         TWO PUMPS FOR
2A                  K-A      ONE OUT OF TWO     TRAIN A SUCCESS
                    R-A

1B                  L-B      ONE OUT OF TWO
                    N-B                         TWO PUMPS FOR
2B                  M-B      ONE OUT OF TWO     TRAIN B SUCCESS
                    P-B

DIESEL GENERATOR FAILURE COMBINATIONS THAT LEAD TO ERCW SYSTEM FAILURE
DIESEL GENERATORS 1A AND 1B
DIESEL GENERATORS 1A AND 2B
DIESEL GENERATORS 2A AND 1B
DIESEL GENERATORS 2A AND 2B

Figure 4-29. Diesel Generator/ERCW System Dependency Logic
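The dependency logic of Figure 4-29 can be checked by exhaustive search over diesel generator failures. The Python below is an added example, not part of the report or its GO models; it reproduces the four failure combinations listed in the figure and then repeats the search under a hypothetical one-pump-per-train criterion, which the report does not analyze. Diesel failures are treated as independent with the .117 frequency given in the text, and the LOSP factor common to every cutset is left out.

```python
from itertools import combinations

# Diesel generators and the ERCW train each one powers (Figure 4-29).
TRAIN_OF = {"1A": "A", "2A": "A", "1B": "B", "2B": "B"}
DIESELS = tuple(TRAIN_OF)
PUMPS_PER_DIESEL = 1   # loading restriction during a loss of offsite power
Q_DG = 0.117           # diesel generator fails to start and run (from the text)


def train_succeeds(train, failed, pumps_required):
    """A train works if its running diesels can carry enough ERCW pumps."""
    running = [d for d in DIESELS if TRAIN_OF[d] == train and d not in failed]
    return len(running) * PUMPS_PER_DIESEL >= pumps_required


def ercw_fails(failed, pumps_required):
    """ERCW is lost only when neither train meets its success criterion."""
    return not any(train_succeeds(t, failed, pumps_required) for t in "AB")


def minimal_cutsets(pumps_required):
    """Smallest sets of diesel failures that fail ERCW, by exhaustive search."""
    found = []
    for order in range(1, len(DIESELS) + 1):
        for combo in combinations(DIESELS, order):
            candidate = frozenset(combo)
            if any(smaller <= candidate for smaller in found):
                continue  # contains a cutset already found, so not minimal
            if ercw_fails(candidate, pumps_required):
                found.append(candidate)
    return found


def diesel_factor(cutsets, q=Q_DG):
    """Sum of cutset products over diesel failure terms only.

    Only failure frequencies are multiplied, which is how the text says GOLF
    evaluates a cutset; success terms are ignored.
    """
    return sum(q ** len(cutset) for cutset in cutsets)


if __name__ == "__main__":
    modeled = minimal_cutsets(pumps_required=2)       # criterion used in the report
    hypothetical = minimal_cutsets(pumps_required=1)  # assumption for comparison
    print("two pumps per train:", sorted(sorted(c) for c in modeled))
    print("one pump per train: ", sorted(sorted(c) for c in hypothetical))
    ratio = diesel_factor(modeled) / diesel_factor(hypothetical)
    print(f"diesel factor ratio: {ratio:.1f}")
```

With the two-pump criterion every cutset pairs one A-train and one B-train diesel; with the hypothetical one-pump criterion the only diesel cutset is the loss of all four.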

coupled with the ERCW trainwise success criterion of two pumps per train means that both diesels of a train (A or B) are required for train success. If one train A diesel fails, ERCW train A is failed (failure of one train B diesel causes failure of ERCW train B). If both ERCW trains fail, there is no cooling water for the operating diesel generators to remain operating; subsequently, all diesel generators fail.

The ERCW modeling success criterion of two pumps per train is somewhat conservative. Obviously, if there were only one pump per train, there would still be cooling water available, but would there be enough cooling water to service all cooling water loads? In some circumstances, one pump would be sufficient; in other circumstances, some nonessential ERCW cooling loads may need to be isolated so that essential loads would be assured of sufficient cooling water. The outcome of this discussion is that the ERCW modeling success criterion is subject to further analysis not provided within this study. With further analysis, the contribution to sequence failure from these cutsets could be reduced.

4.8.2 Hard-Wired Sequence Approach

This approach was found to be very cumbersome to implement given the current state of development of the GO series computer programs because of the extensive amount of manual analysis required. The manual analysis caused this to be much less cost-effective than the two-stage integrated modeling approach. Thus, the approach and results are only briefly summarized herein.

If the manual processing currently required for this approach were to be computerized, this hard-wired sequence approach might become a more viable alternative to the two-stage integrated modeling approach. However, there are a couple of major reservations with regard to this hard-wired sequence approach. The first concerns the increase in truncation error as sequences are hard-wired at deeper and deeper levels within the model. Although a computerized approach may be able to circumvent that difficulty, the second reservation appears to be more formidable. Formal level 1 PRAs tend to be much more detailed and complete than the analyses performed in this demonstration analysis. Applying the GO methodology to such PRAs would require much more detailed models, and the expected result is an increased truncation error. It is much easier to reduce such errors by performing a two-stage or three-stage modeling of the plant than to try to include all of the complexities of the plant in one large GO model.

4.8.2.1 Unraveling Analysis. As described in Section 4.2.7.2, this analysis involves a cyclic type of approach requiring three basic steps in each cyclic repetition:

1. Review the GO output to identify the dominant sequence(s) of interest. Identify the failed systems in the dominant sequence(s).
2. For the failed systems identified in step 1, review their associated GO supertype model to identify all input signals.
3. Hard wire the dominant sequence(s) of interest into the GO model, specify the input signals identified in step 2 as the final signals, and run that revised model.

This cyclic analysis approach is repeated until the dominant contributors are traced to either an input that is generated by a simple GO operator that is external to all of the systems supertype models (such as the operator for loss of offsite power after the initiating event occurs) or to no input signal to a failed system (which indicates that the dominant failure contributor was internal to that system's model). In the first case, the dominant component failure can usually be ascertained manually; it is usually obvious. In the latter case, the dominant component failure can usually be identified manually if the model is simple. Otherwise, the FAULT FINDER/GOLF combination can be applied to the system of interest to identify its dominant internal failure contributors.

To unravel ESD7 to find the dominant contributors to the degraded plant state, three levels (or cycles) of tracing back through the model were used. The first started with the results produced by the main GO run of ESD7, as displayed in event tree form in Figure 4-19. Sequences 3, 4, and 5 all lead to the degraded plant state. Of those three, sequence 5 clearly dominates by contributing over 99.8% of the total degraded plant frequency from that ESD. Hence, for the first of the three cyclic steps, sequence 5 was selected to test this unraveling technique for tracing back through the complete model to its dominant contributors. That sequence is defined by the following safety systems states (and corresponding GO model signal values).

                     GO Model Signal
System    State      Number    Value
RT        S          301       0
AFW       F          302       1
B&F       F          303       1
S&DR      F*         304       1*
HPR       F*         305       1*

The "*" in the table above signifies conditions directly caused by bleed and feed failure, as can easily be determined from the GO safety model for ESD 7. It is clear from this that sequence 5 is caused by the failure of AFW and bleed and feed.
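Sequence 5 as tabulated above can be collapsed into a single indicator signal, which is what the hard-wiring step of this analysis does with a NOT gate and an OR gate (Figure 4-30); the OR/AND tracing of auxiliary state 14 in Section 4.8.1.3 rests on the same gate reading. The Python below is an added example, not GO code or part of the report. It assumes the GO convention that signal values are ordered time points, so the OR operator passes the smallest input value and the AND operator the largest; the function names are hypothetical, and the truth table is Run 13 of Table 4-21 as printed.

```python
INFINITY = 1  # truth-table convention on this page: 0 = signal occurs, 1 = never

SIGNALS = (301, 302, 303, 304, 305)
# Run 13 of Table 4-21 (impact vectors 22, 23, 38, 39, 40, and 41).
RUN_13 = [
    (0.0000002967, (0, 1, 0, 0, 1)),
    (0.0000040842, (0, 1, 0, 1, 1)),
    (0.0000056563, (0, 1, 1, 1, 1)),
    (0.0001303793, (1, 1, 1, 1, 1)),
    (0.0008124525, (0, 1, 0, 0, 0)),
    (0.9990471289, (0, 0, 0, 0, 0)),
]
SEQ5_SUCCEEDED = (301,)               # RT succeeds (value 0)
SEQ5_FAILED = (302, 303, 304, 305)    # AFW, B&F, S&DR, HPR fail (value 1)


def go_or(*values):
    """OR operator: the output occurs as soon as any input occurs."""
    return min(values)


def go_and(*values):
    """AND operator: the output occurs only once every input has occurred."""
    return max(values)


def go_not(value):
    """NOT gate: outputs 1 when the input is 0, and 0 when it is 1."""
    return INFINITY - value


def hardwire(row, succeeded, failed):
    """Indicator signal: 1 only if all `succeeded` are 0 and all `failed` are 1."""
    inverted = go_not(go_and(*(row[s] for s in succeeded)))
    return go_or(inverted, *(row[s] for s in failed))


def boolean_misreading(row, succeeded, failed):
    """The same wiring read as ordinary Boolean gates on the 0/1 values."""
    inverted = INFINITY - min(row[s] for s in succeeded)   # Boolean AND, then NOT
    return max(inverted, *(row[s] for s in failed))        # Boolean OR


def matches_state(row, succeeded, failed):
    """Two-output tracing: OR over failed outputs fails, AND over successes succeeds."""
    return (go_or(*(row[s] for s in failed)) == 1
            and go_and(*(row[s] for s in succeeded)) == 0)


def rows_with_sequence(table, succeeded, failed, indicator=hardwire):
    """Keep the truth-table rows whose indicator value is 1."""
    kept = []
    for probability, values in table:
        row = dict(zip(SIGNALS, values))
        if indicator(row, succeeded, failed) == 1:
            kept.append((probability, values))
    return kept


if __name__ == "__main__":
    print(rows_with_sequence(RUN_13, SEQ5_SUCCEEDED, SEQ5_FAILED))
    print(len(rows_with_sequence(RUN_13, SEQ5_SUCCEEDED, SEQ5_FAILED,
                                 indicator=boolean_misreading)))
```

The single row kept, .0000056563, is the 5.66-6 frontline frequency that Table 4-22 lists for impact vectors 22 and 23; read as Boolean gates, the same wiring would flag all six rows.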

The second step is to identify the signals that must be monitored to determine the dominant contributors to the failures of AFW and bleed and feed. The signals to be monitored are the input to those systems from their supporting auxiliary systems. The following table shows the supertype numbers for the GO models for those two safety systems, along with their input signals:

Safety System     Supertype    Input Signal Numbers
AFW               1600         50, 51, 34, 35, 9, 14, 38, 39, 49, 48, 31, 33, 70, 114, 115
                  1901         50, 51, 34, 35, 8, 13, 415, 416, 417, 418, 71, 75
Bleed and Feed    1905         31, 33, 70

This gives 23 input signals to be monitored.

The third step requires that sequence 5 be hard wired into the model. The method for doing this is shown in Figure 4-30. The general method consists of inputting all successful signals to an AND gate (a type 10 operator), whose output is input to a NOT gate (specified in this case by operator 15-25). Since signal 301 is the only one that is successful (0-valued) in sequence 5, the AND gate is not

[Figure 4-30. Hard-Wiring of Sequence 5 in ESD 7. Inputs: signals 301 (through the NOT gate), 302, 303, 304, and 305. Legend: S500 = 0, SEQUENCE 5 DOES NOT OCCUR; S500 = 1, SEQUENCE 5 OCCURS.]

needed; signal 301 is input to the NOT gate directly, which outputs a signal value of 1 whenever signal 301 has a 0 value. The output from the NOT gate is input to an OR gate (a type 2 operator) along with all of the failed (1-valued) signals in sequence 5 (signals 302 through 305). As indicated in Figure 4-30, the value of the output from the OR gate (which is labeled with signal number 500) indicates whether sequence 5 occurs:

  • 1 signifies occurrence,
  • 0 signifies nonoccurrence.

Signal 500 is added to the 23 input signals (from the second step) to form a list of 24 final signals in the GO input file (which is compatible with the maximum of 24 final signals allowed by GO). The model is modified to include the hard-wiring logic in Figure 4-30 and then run.

The results of the first tracing run are shown, in part, in Table 4-24. Notice that signal 500 is the first of the 24 signals listed in the output (because it was first in the list of final signals). This was done to facilitate deleting all lines having a 0 in the signal 500 column, thereby deleting all auxiliary systems states in which sequence 5 did not occur. The full listing contains a large number of sequences with S500 = 1.

So far, the analysis seems quite simple and easy to implement, and the unraveling process can be continued by applying a second cycle of the tracing process. The first step is to review the GO output listed in Table 4-24. Although there are many subsequences that contribute to sequence 5 in the event tree for ESD 7, there is only one that really dominates sequence 5; it is listed 18th from the bottom of Table 4-24. Its probability is

$P_{7.5-1} = 4.23 \times 10^{-5}$

This is 95.8% of the total probability of

$P_{7.5} = 4.42 \times 10^{-5}$

for sequence 5. (All other subsequence contributors to sequence 5 have probabilities less than $3.17 \times 10^{-7}$, which is in the error "noise" for that run (the error is 3.39 x 10~ for that run, as shown in Table 4-24).) This


dominant subsequence is characterized by the set of monitored signal values listed below.

             Supertype Output Signals
Supertype    0-Valued Signals      1-Valued Signals
180          38, 39, 48, 49        8, 9, 13, 14
185          31, 33                34, 35
300          --                    70
401          114, 115              50, 51
500          415, 416, 417, 418    71, 75

The supertype numbers in the first column identify the supertypes that produce the output signals listed to the right.

The second step is to identify the signals to be monitored. In this case, the signals of interest are those input to supertypes 180, 185, 300, 401, and 500, the supertypes that output the 1-valued signals listed in Table 4-24. This is done below.

Supertype    Failed Output    Input Signals
180          8, 9, 13, 14     34, 35, 38, 39
185          34, 35           2, 3, 86, 88, 101, 102
300          70               7, 11, 31, 33, 36, 39, 50, 51, 54, 55, 84, 85
401          50, 51           9, 19, 35, 45, 66, 67, 68, 69
500          71, 75           1, 6, 8, 11, 13, 22, 24, 50, 51, 64, 65, 123, 124

This gives 38 signals that are input to supertypes having failed output signals. Of these 38 signals, 10 had been included among the final signals in the first tracing run. Since those signal values are to be set when the dominant sequence is hard-wired into the model, they should not be monitored. That leaves 28 input signals to be monitored, in addition to the output from hard-wiring the sequence. This total of 29 signals exceeds the maximum of 24 final signals allowed by the GO code. Reducing the total number of signals to be monitored to a level below the GO limit on final signals required a manual evaluation of the logic within the supertypes listed above to identify which input signals were key contributors to the successful and failed output signals. This culled the list of input signals to eight. These signals are listed below, along with the supertypes that produce them and the failing supertypes that consume them:

Producing Supertype    Signal Numbers     Consuming Supertype
190                    2, 3, 101, 102     185
400                    66, 68             401
250                    86, 88             185

Because there are so few signals that need to be monitored, some other signals can be added to improve the effectiveness of each GO tracing run. These signals were identified by examining the logic within supertypes 190, 250, and 400 to identify which input signals are important to the output signals listed above. Those important input signals were similarly traced back manually to their supertype sources to identify additional signals of importance, etc. This approach yielded 22 signals to be monitored: 1, 2, 3, 4, 5, 10, 15, 20, 25, 56, 57, 58, 59, 60, 66, 67, 68, 69, 86, 88, 101, and 102. These 22 signals plus the one produced from the hard-wired sequence are within the GO limit of 24 final signals.

The third step requires that the dominant subsequence of interest (the 18th from last sequence in Table 4-24) be hard wired into the model. The logic for this is shown in Figure 4-31. Notice that this new hard wiring is added to that done previously. After output signal 500 and the 22 input signals identified above are listed as the final signals in the GO input file, the model is run to find the sequences and subsequences in the output for which S500 = 1. The output was edited to eliminate all other sequences, leaving only the sequences and subsequences of interest. A copy of the edited output is given in Table 4-25 and 18 sequences are listed. Attention was focused on the last 10 of these sequences, which yield a total probability of 4.22 x 10^-5. This is over 99% of the probability of P_7.5-1 = 4.23 x 10^-5 for the subsequence being traced; the balance of 0.01 x 10^-5 is less than the error of 0.468 x 10^-5 shown in Table 4-25 for this second trace run.

Figure 4-31. Hard-Wiring of Dominant Subsequence to Sequence 5 in ESD 7. (S500 = 1: sequence 5 and its dominant subsequence occur; S500 = 0 otherwise.)

Table 4-25

TRACE 2 OF SEQUENCE 5 IN ESD 7

FINAL EVENT TABLE: SIGNALS AND THEIR VALUES, WITH PROBABILITY* [table body not recoverable]

TOTAL PROBABILITY = .9999953155
TOTAL ERROR = .0000046815

* Conditional on the initiating event.

A third cycle of tracing was performed in the same basic manner as the first two. The edited output from that run is listed in Table 4-26. It yielded 34 subsequences that contributed to ESD sequence 5. The last 10 account for over 99% of the total probability that was traced in that run.

Overall summary data are given in Tables 4-27 through 4-29. The first lists the signals used to hard wire sequences. The next lists the final signals specified for each tracing run (where trace 0 represents the original run of the ESD GO model). The signals are shown grouped according to the 0 and 1 values that they had in the tracing runs. Also listed are the supertypes that produce the 1-valued signals. Table 4-29 shows the probability results produced by the various sequences in the various tracing runs, and shows percentages relative to four key probability values of interest.

4.8.2.2 Unraveling Results. The first subsequence to be identified as a root cause to sequence 5 in ESD 7 was sequence 14 in trace 2. With attention focused on this specific sequence, the GO model logic was reviewed to identify the path of the failure through the auxiliary systems supertypes to cause both AFW and bleed and feed to fail. This failure path is shown in the simplified GO-type model presented in Figure 4-31. The failure path is known to start within supertype 230 because signal 1 (its only input signal) is 0-valued for this sequence. The failure path passes through several supertypes and ends in supertypes 1600 and 1905, which represent AFW and the PORV portion of the bleed and feed function. The signals shown passing directly through supertypes indicate that the failed input directly causes the specified output to fail without any additional failure within the supertype. Considering only the three signals shown in Figure 4-32 as input to supertype 1600, the logic shown internal to that supertype is equivalent to that given in the complete model.

The complete sequence can be attributed primarily to the failing of two operators identified as 1-231 (type 1, kind 231), which are located within supertype 230. The failure fraction for this operator is 2.29 x 10^-3. The failure fraction for both operators failing concurrently is 5.24 x 10^-6, which compares favorably with the likelihood of 5.11 x 10^-6 for sequence 14 in trace 2. (The small discrepancy in these results is attributable to two factors. First, the GO-produced result of 5.11 x 10^-6 takes the effects of success fractions into account, whereas those effects are ignored in this simple evaluation. Second, the difference in the two values is well within the error "noise" of the GO truncation errors.)

Table 4-26

OUTPUT FOR TRACE 3

SIGNALS AND THEIR VALUES: PROBABILITY*, 500, 2, 3, 4, 5, 77, 91, 92, 93, 94 [table body not recoverable]

TOTAL PROBABILITY = .9999993190
TOTAL ERROR = .0000006810

* Conditional on the initiating event.

Table 4-27

SIGNALS USED FOR HARD-WIRED SEQUENCES

Trace    0-Valued Signals                      1-Valued Signals
1        301                                   302, 303, 304, 305
2        301                                   302, 303, 304, 305
         31, 33, 38, 39, 48, 49, 114, 115,     8, 9, 13, 14, 34, 35, 50, 51,
         415, 416, 417, 418                    70, 71, 75
3        301                                   302, 303, 304, 305
         31, 33, 38, 39, 48, 49, 114, 115,     8, 9, 13, 14, 34, 35, 50, 51,
         415, 416, 417, 418                    70, 71, 75
         1, 59, 60                             56, 57, 58, 66, 67, 68, 69,
                                               101, 102

Table 4-28

TRACING ROOT CAUSES OF SEQUENCE 5 IN ESD 7

Trace                     Values of Monitored Signals                    Supertypes Producing
Level   Sequence          0-Valued Signals        1-Valued Signals       1-Valued Signals
0       5                 301                     302                    1600
                                                  303                    1901, 1905
                                                  304, 305               Caused by 303
1       Last              31, 33                  34, 35                 185
                          38, 39, 48, 49          9, 14, 8, 13           180
                          114, 115                50, 51                 401
                          415, 416, 417, 418      71, 75                 500
                          --                      70                     300
2       Common to 9-18    1                       66, 67, 68, 69         400
                                                  86, 88                 250
        14                56, 57, 58, 101, 102    59, 60                 230
        9-13              59, 60                  56, 57, 58             None
                                                  101, 102               190
        15-18             *                       *                      190
3       Common to 26-34   77, 91, 92, 93, 94      --
        34                4, 5                    2, 3                   190
        33                3, 4                    2, 5                   190
        32                2, 5                    3, 4                   190
        31                2, 3                    4, 5                   190
        30                5                       2, 3, 4                190
        29                4                       2, 3, 5                190
        28                3                       2, 4, 5                190
        27                2                       3, 4, 5                190
        26                --                      2, 3, 4, 5             190

* Signals 2, 3, 4, 5, 10, 15, 20, and 25 have various combinations of values for the various sequences; however, signals 2 and 10 have the same value in each individual sequence, and the same conditions apply to signals 3 and 15, signals 4 and 20, and signals 5 and 25.

Table 4-29

SUMMARY OF NUMERICAL RESULTS OF THE TRACING PROCESS

TRACE 0
  Seq. 5    PT(0) = 4.41673E-5 ..... total traced        Error = 1.809E-7

TRACE 1
  PT(1) = 4.41560E-5 ..... total traced                  Error = 3.386E-7

  Seq.      Individual    Cumulative    % of PT(0)   % of PT(1)
  1 Last    4.23180E-5    4.23180E-5    95.813       95.837
  Rest      0.18380E-5    4.41560E-5    99.974       100.000

TRACE 2
  PT(2) = 4.21917E-5 ..... total traced                  Error = 4.6815E-6

  Seq.      Individual    Cumulative    % of PT(0)   % of PT(1)   % of PT(2)
  18        0.81520E-5    0.81520E-5    18.457       18.462       19.311
  17        0.81516E-5    1.63036E-5    36.913       36.923       38.642
  16        0.81513E-5    2.44549E-5    55.369       55.383       57.961
  15        0.81509E-5    3.26058E-5    73.823       73.842       77.280
  14        0.51111E-5    3.77169E-5    85.396       85.417       89.394
  13        0.10799E-5    3.87968E-5    87.841       87.863       91.954
  12        0.10799E-5    3.98767E-5    90.286       90.309       94.513
  11        0.10799E-5    4.09566E-5    92.731       92.754       97.073
  10        0.10795E-5    4.20361E-5    95.175       95.199       99.631
  9         0.01387E-5    4.21748E-5    95.489       95.513       99.960
  1-8       0.00169E-5    4.21917E-5    95.527       95.551       100.000

TRACE 3
  3.71643E-5 ..... total for trace 3 alone
  0.51111E-5 ..... deleted from previous traces
  PT(3) = 4.22754E-5 ..... total traced                  Error = 6.810E-6

  Seq.      Individual    Cumulative    % of PT(0)   % of PT(1)   % of PT(2)   % of PT(3)
  Prev      0.51111E-5    0.51111E-5    11.572       11.575       12.114       12.090
  34        0.81477E-5    1.32588E-5    30.019       30.027       31.425       31.363
  33        0.81474E-5    2.14060E-5    48.466       48.479       50.736       50.635
  32        0.81471E-5    2.95533E-5    66.912       66.929       70.045       69.907
  31        0.81468E-5    3.77001E-5    85.358       85.379       89.354       89.177
  30        0.10792E-5    3.87793E-5    87.801       87.823       91.912       91.730
  29        0.10792E-5    3.98585E-5    90.244       90.267       94.470       94.283
  28        0.10792E-5    4.09377E-5    92.688       92.712       97.028       96.836
  27        0.10791E-5    4.20168E-5    95.131       95.155       99.585       99.388
  26        0.01426E-5    4.21594E-5    95.454       95.478       99.923       99.726
  1-25      0.01160E-5    4.22754E-5    95.717       95.741       100.198      100.000

N.B. - A " " preceding an individual entry signifies that it is not included in any future traces.


Operator 1-231 is a condensation of serially functioning operators 1-171 and 6-169, whose failure fractions are as follows:

Operator    Failure Fraction    Equipment Type
1-171       1.88 x 10^-5        Temperature Control Valve
6-169       2.27 x 10^-3        Water Chiller

It is clear that the failure of the two water chillers in supertype 230 (which models the board room chillers and air conditioning system) is one of several dominant root causes for sequence 5 in ESD 7. From Table 4-29, it can be determined that this subsequence (sequence 14 in trace 2) contributes about 11.6% to the total likelihood of 4.42 x 10^-5 for ESD sequence 5.

Sequence 34 in trace 3 has the highest likelihood of all of the subsequences identified therein. Figure 4-33 presents a GO-type model constructed in a manner similar to that described above. The complete sequence can be attributed to two contributions: one external to supertype 190 and one internal to it. The external contribution comes from either the failure of operator 1-177 (with a failure probability of 7.81 x 10^-4) or the concurrent failure of three operators 1-63 (each with a failure probability of 1.54 x 10^-5). It is clear that operator 1-177 dominates, and it is the one shown in Figure 4-33. That failure causes ST190 input signals 56, 57, and 58 to all be failed.

A review of the internal logic of ST190 reveals that the failure of these three input signals is not enough to directly cause failure of the four output signals shown in Figure 4-33. That is, some additional failures must occur. Because all of the other relevant input signals are successful, it follows that the additional failures must be internal to ST190. From the internal logic, it is clear that the output failures can be caused by the failure of operator 6-194 (with failure probability 0.117) or operator 6-195 (with failure probability 1.21 x 10^-5). It is clear that operator 6-194 dominates, and it is the one shown in Figure 4-33.

In order for the four output signals to fail, it is necessary that operator 1-177 and both of the 6-194 operators fail concurrently. The associated probability is 1.07 x 10^-5. Within the context of the two qualifiers mentioned above, this compares quite favorably with the likelihood of 0.815 x 10^-5 found for sequence 34 in trace 3. (Notice, in particular, that the truncation error for trace 3 was 0.68 x 10^-5, which is more than three times the difference in the two results.)

Operators 1-177 and 6-194 are the dominant contributors. Operator 6-194 is a condensation of three serially functioning operators whose failure fractions are listed below together with that of operator 1-177.

Operator    Failure Fraction    Equipment Type
1-177       7.81 x 10^-4        Offsite Power
1-167       7.88 x 10^-4        Breaker
1-62        .113                Diesel Generator (start)
59          3.15 x 10^-3        Normally Operating Breaker FTC

It is clear from this that a loss of offsite power (following the initiating event) plus the failure of two diesel generators to start represents one more of several dominant root causes for sequence 5 in ESD 7. From Table 4-29, it can be determined that this subsequence (sequence 34 of trace 3) contributes about 18.4% to the total likelihood of 4.42 x 10^-5 for ESD sequence 5.

The two subsequences identified above account for a total of about 30.0% of the total likelihood of ESD sequence 5. In principle, this unraveling process could have been continued to identify more of the contributors. However, this was deemed to be not cost-effective because of the large amount of manual analysis and processing that was required. This was particularly true in view of the relative ease of implementing the two-stage integrated modeling approach, which easily yielded an essentially complete listing of contributors.

It should be pointed out that the results obtained by the two unraveling approaches are consistent. Subsequence 34 of trace 3 was identified as the contributor, which agrees with the top-ranked cutset shown in Table 4-23 for the other approach. Subsequence 14 of trace 2 corresponds to the fifth-ranked cutset in Table 4-23.

4.9 SUMMARY OF RESULTS

The numerical results achieved in this analysis are summarized below for the following two ESDs:

  • ESD 1, large LOCA
  • ESD 7, Steam Generator Tube Leak

The example results are presented only for these two ESDs (rather than for all 14 ESDs) for two reasons:

1. The primary objective of this study was to determine whether GO can be effectively used as a tool for performing risk-type studies. (It was not intended that a risk study be performed.) Reporting the results for these two ESDs should provide sufficient insights into the analysis capabilities of GO.

2. The study scope was limited as follows:
a. Only a limited number of initiating events was analyzed.
b. Common cause failures were not analyzed.
c. Some conservatisms were used to simplify the ESDs.
d. Operator recovery actions and some other operator actions were not modeled.

4.9.1 STEVE Results

While the truth table output by GO does give the results of the analysis, it is not in a form that is conducive to easy comprehension, understanding, and interpretation. Transforming those results into the pictorial format of event trees puts them in a better form for understanding them. This transformation is performed by STEVE, yielding the event trees shown in Figures 4-34 and 4-35 for ESDs 1 and 7.

4.9.2 Annual Frequencies of Sequences

The computer code STVQUANT was used to compute the annual occurrence frequencies of all event sequences in ESDs 1 (large LOCA) and 7 (total loss of steam flow). The output for these two ESDs is shown in Tables 4-30 and 4-31. For each ESD, it categorizes the sequence frequencies by plant state, lists the total frequencies by plant state, and indicates the truncation error.

Figure 4-34. STEVE Output for ESD 1

Figure 4-35. Event Tree for ESD 7

Table 4-30

SEQUENCE FREQUENCIES FOR LARGE LOCA

ESD No.   Seq No.   Sequence Likelihd   Initiator    Annual Frequency
1         1         9.853E-01           2.030E-04    2.000E-04
1         2         4.402E-03           2.030E-04    8.935E-07
1         3         5.159E-05           2.030E-04    1.047E-08
1         4         2.739E-07           2.030E-04    5.560E-11
1         5         3.383E-04           2.030E-04    6.867E-08
1         6         4.975E-03           2.030E-04    1.010E-06
1         7         6.777E-04           2.030E-04    1.376E-07
1         8         4.240E-03           2.030E-04    8.607E-07
1         9         7.499E-07           2.030E-04    1.522E-10
1                   1.681E-07           2.030E-04    3.412E-11

Totals by Plant State
Cont. Run   Cld Shtdn   Ht Stndby   Degraded    ATWS        Success     SLOCA       Tot Error
0.000E+00   2.009E-04   0.000E+00   2.077E-06   0.000E+00   0.000E+00   0.000E+00   3.412E-11

Table 4-31

SEQUENCE FREQUENCIES FOR TOTAL LOSS OF STEAM FLOW

ESD No.   Seq No.   Sequence Likelihd   Initiator    Annual Frequency
7         1         9.998E-01           2.440E-03    2.440E-03
7         2         1.117E-05           2.440E-03    2.725E-08
7         3         2.000E-08           2.440E-03    4.880E-11
7         4         5.620E-08           2.440E-03    1.371E-10
7         5         4.417E-05           2.440E-03    1.078E-07
7         6         1.417E-04           2.440E-03    3.458E-07
7                   1.809E-07           2.440E-03    4.414E-10

Totals by Plant State
Cont. Run   Cld Shtdn   Ht Stndby   Degraded    ATWS        Success     SLOCA       Tot Error
0.000E+00   2.725E-08   2.440E-03   1.080E-07   3.458E-07   0.000E+00   0.000E+00   4.414E-10

Figure 4-36 shows the way in which STVQUANT would process the numerical results from all groups of initiating events. It separates the ATWS sequences from the non-ATWS sequences and finds the total annual frequency of ATWS from all ESDs that can lead to an ATWS event. That total frequency is used as the initiating event frequency to quantify the ATWS ESD. Its results are separated into SLOCA (small LOCA) behavior and non-SLOCA behavior. The total frequency of the SLOCA type of behavior is then recycled through the small LOCA analysis (ESD 3) conditioned to the nonoccurrence of an ATWS event. The results from the non-ATWS, non-SLOCA, and SLOCA-type sequences are combined to give the annual frequency totals for all of the ESDs quantified.
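The roll-up described above can be checked against the numbers printed on this page. The sketch below is an added example, not STVQUANT itself: it takes the "Totals by Plant State" rows of the four sequence-frequency tables (ESDs 1, 7, 14 and the small LOCA response printed as ESD 15), rescales each downstream table to the frequency handed to it, and reproduces the grand totals, maximum totals and percent errors. The linear rescaling and the percent-error formula (truncation error divided by the grand total) are assumptions inferred from the printed values.

```python
"""Added example: chain the event sequence diagrams the way the text describes.

Inputs are the "Totals by Plant State" rows printed in the tables on this page.
Assumptions (not from the report): each table scales linearly with its
initiator frequency, and percent error = 100 * truncation error / grand total.
"""

STATES = ["Cont. Run", "Cld Shtdn", "Ht Stndby", "Degraded",
          "ATWS", "Success", "SLOCA", "Tot Error"]


def table(initiator, totals):
    """Bundle a table's initiator frequency with its totals-by-plant-state row."""
    return {"initiator": initiator, "totals": dict(zip(STATES, totals))}


# (initiator frequency per reactor year, totals row) as printed on the page
ESD1 = table(2.030e-4, [0.0, 2.009e-4, 0.0, 2.077e-6, 0.0, 0.0, 0.0, 3.412e-11])
ESD7 = table(2.440e-3, [0.0, 2.725e-8, 2.440e-3, 1.080e-7, 3.458e-7, 0.0, 0.0, 4.414e-10])
ESD14 = table(3.605e-6, [0.0, 0.0, 0.0, 1.711e-8, 0.0, 2.697e-6, 8.903e-7, 7.099e-12])
SLOCA_RESPONSE = table(8.903e-7, [0.0, 8.850e-7, 0.0, 5.217e-9, 0.0, 0.0, 0.0, 5.348e-13])


def requantify(tbl, initiator):
    """Rescale a table's plant-state totals to a different initiator frequency."""
    scale = initiator / tbl["initiator"]
    return {s: f * scale for s, f in tbl["totals"].items()}


def add(*rows):
    """Sum several plant-state rows column by column."""
    return {s: sum(r[s] for r in rows) for s in STATES}


def grand_totals():
    # Stage 1: the directly quantified initiators (large LOCA, loss of steam flow).
    direct = add(ESD1["totals"], ESD7["totals"])
    # Stage 2: the total ATWS frequency becomes the initiator of the ATWS diagram.
    atws = requantify(ESD14, direct["ATWS"])
    # Stage 3: SLOCA-type ATWS outcomes are recycled through the small LOCA model.
    sloca = requantify(SLOCA_RESPONSE, atws["SLOCA"])
    return add(direct, atws, sloca)


def maximum_totals(grand):
    """Grand total plus the total truncation error, per category."""
    err = grand["Tot Error"]
    return {s: grand[s] + err for s in STATES if s != "Tot Error"}


def percent_error(grand):
    """Truncation error as a percentage of each category's grand total."""
    err = grand["Tot Error"]
    return {s: (100.0 * err / grand[s] if grand[s] else 0.0)
            for s in STATES if s != "Tot Error"}


if __name__ == "__main__":
    g = grand_totals()
    mx, pct = maximum_totals(g), percent_error(g)
    print(f"{'State':<10} {'Grand':>11} {'Maximum':>11} {'% error':>10}")
    for s in STATES[:-1]:
        print(f"{s:<10} {g[s]:11.3E} {mx[s]:11.3E} {pct[s]:10.3E}")
    print(f"{'Tot Error':<10} {g['Tot Error']:11.3E}")
```

The ATWS and SLOCA columns are category totals, so the frequency handed from one diagram to the next also stays in the grand-total row.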

As a means of demonstrating the complete quantification process, the complete quantification was performed for the two categories of initiating events discussed previously.

Event                       Initiating Event Frequency
Large LOCA                  2.03 x 10^-4/reactor year
Total Loss of Steam Flow    2.4 x 10^-3/reactor year

The frequencies of these events are derived in Section 5. The frequency of the ATWS sequence produced from the ESD 7 analysis was input to ESD 14 (the ATWS logic model). The results of that analysis are listed in Table 4-32. The total frequency of the four ATWS sequences leading to SLOCA-type behavior was input to ESD 3 (the small LOCA logic model), and those results are listed in Table 4-33. STVQUANT then combined the numerical results of the two initiator categories plus the two additional ESD quantifications needed to completely analyze the total loss of steam flow initiator. The code lists the grand total annual frequencies by plant state and the grand totals for ATWS events, SLOCA events, and truncation error. The truncation error is added to the other grand totals to give the maximum total frequency for each category. Then STVQUANT computes the maximum percent truncation error for each category.

The total results for these two categories of initiating events are shown in Table 4-34. The total frequency of the degraded plant state is given as

Figure 4-36. Coverage of Event Sequences in GO Safety Demonstration Model (columns: Initiating Events; Sequoyah Plant Event Sequence Model*; Plant States)

*Each block represents a separate event sequence diagram.

Table 4-32

SEQUENCE FREQUENCIES FOR LOSS OF STEAM FLOW WITH SUBSEQUENT ATWS

ESD No.   Seq No.   Sequence Likelihd   Initiator    Annual Frequency
14        1         1.512E-01           3.605E-06    5.450E-07
14        2         1.341E-06           3.605E-06    4.834E-12
14        3         1.380E-07           3.605E-06    4.975E-13
14        4         1.000E-10           3.605E-06    3.605E-16
14        5         9.000E-10           3.605E-06    3.244E-15
14        6         5.900E-09           3.605E-06    2.127E-14
14        7         0.000E+00           3.605E-06    0.000E+00
14        8         0.000E+00           3.605E-06    0.000E+00
14        9         2.900E-09           3.605E-06    1.045E-Il
14        10        6.282E-04           3.605E-06    2.264E-09
14        11        1.262E-05           3.605E-06    4.54K-Il
14        12        2.463E-01           3.605E-06    8.880E-07
14        13        1.834E-03           3.605E-06    6.611E-09
14        14        2.277E-01           3.605E-06    8.209E-07
14        15        2.235E-06           3.605E-06    8.058E-12
14        16        8.9HE-09            3.605E-06    3.20K-14
14        17        0.000E+00           3.605E-06    0.000E+00
14        18        1.000E-10           3.605E-06    3.605E-16
14        19        2.53M M             3.605E-06    9.147E-12
14        20        1.700E-09           3.605E-06    6.128E-15
14        21        1.004E-05           3.605E-06    3.619E-11
14        22        3.694E-01           3.605E-06    1.331E-06
14        23        1.959E-04           3.605E-06    7. M M -10
14        24        2.694E-03           3.605E-06    9.71tE-09
14        25        3.639E-06           3.605E-06    1.312E-11
14        26        1.700E-09           3.605E-06    6.128E-15
14        27        2.490E-08           3.605E-06    8.976E-14
14        28        7.100E-09           3.605E-06    2.559E-14
14        29        0.000E+00           3.605E-06    0.000E+00
14                  1.969E-06           3.605E-06    7.099E-12

Totals by Plant State
Cont. Run   Cld Shtdn   Ht Stndby   Degraded    ATWS        Success     SLOCA       Tot Error
0.000E+00   0.000E+00   0.000E+00   1.711E-08   0.000E+00   2.697E-06   8.903E-07   7.099E-12

Table 4-33

SEQUENCE FREQUENCIES FOR SMALL LOCA RESPONSE TO LOSS OF STEAM FLOW WITH SUBSEQUENT ATWS

Annual Frequency
                                 Cont. Run   Cld Shtdn   Ht Stndby   Degraded    ATWS        Success     SLOCA       Tot Error
Grand Totals by Plant State      0.000E+00   2.010E-04   2.440E-03   2.187E-06   3.458E-07   2.588E-07   8.540E-08   4.763E-10
Maximum Totals by Plant State    4.763E-10   2.010E-04   2.440E-03   2.188E-06   3.463E-07   2.592E-07   8.588E-08
Maximum Per Cent Error           0.000E+00   2.369E-04   1.952E-05   2.177E-02   1.377E-01   1.841E-01   5.577E-01

Errors based on GO truncation errors only.

Table 4-34

FREQUENCIES BY PLANT STATE TOTALED FOR LARGE LOCA AND LOSS OF STEAM FLOW (INCLUDING ATWS AND SLOCA) INITIATOR CATEGORIES

ESD No.   Seq No.   Sequence Likelihd   Initiator    Annual Frequency
15        1         9.94tE-01           8.903E-07    8.850E-07
15        2         5.169E-05           8.903E-07    4.602E-11
15        3         4.685E-04           8.903E-07    4.171E-10
15        4         4.997E-03           8.903E-07    4.44K-09
15        5         5.002E-06           8.903E-07    4.453E-12
15        6         2.73tE-07           8.903E-07    2.432E-13
15        7         1.616E-06           8.903E-07    1.438E-12
15        8         1.446E-06           8.903E-07    1.287E-12
15        9         3.020E-08           8.903E-07    2.689E-14
15        10        1.500E-09           8.903E-07    1.336E-15
15        11        9.601E-09           8.903E-07    8.548E-15
15        12        8.901E-09           8.903E-07    7.924E-15
15        13        1.480E-06           8.903E-07    1.318E-12
15        14        1.850E-08           8.903E-07    1.647E-14
15        15        7.401E-09           8.903E-07    6.589E-15
15        16        1.116E-05           8.903E-07    9.934E-12
15        17        1.500E-09           8.903E-07    1.336E-15
15        18        1.670E-08           8.903E-07    1.487E-14
15        19        5.591E-08           8.903E-07    4.977E-14
15        20        1.141E-07           8.903E-07    1.016E-13
15        21        9.708E-07           8.903E-07    8.643E-13
15        22        3.040E-08           8.903E-07    2.707E-14
15        23        1.000E-10           8.903E-07    8.904E-17
15        24        3.000E-10           8.903E-07    2.671E-16
15        25        8.383E-05           8.903E-07    7.463E-11
15        26        5.801E-09           8.903E-07    5.164E-15
15        27        1.000E-10           8.903E-07    8.904E-17
15        28        5.120E-07           8.903E-07    4.558E-13
15        29        3.100E-09           8.903E-07    2.760E-15
15        30        2.596E-04           8.903E-07    2.311E-10
15        31        3.483E-06           8.903E-07    3.101E-12
15        32        4.404E-05           8.903E-07    3.921E-11
15        33        0.000E+00           8.903E-07    0.000E+00
15        34        7.455E-07           8.903E-07    6.637E-13
15                  6.007E-07           8.903E-07    5.348E-13

Totals by Plant State
Cont. Run   Cld Shtdn   Ht Stndby   Degraded    ATWS        Success     SLOCA       Tot Error
0.000E+00   8.850E-07   0.000E+00   5.217E-09   0.000E+00   0.000E+00   0.000E+00   5.348E-13

2.2 x 10^-6 yr^-1, and the truncation error is less than 0.02%. The fact that this error is so low is attributable to using condensed models in the final quantifications.

4.9.3 Sequence Unraveling

Sequence 5 in ESD 7 was selected to demonstrate the unraveling process for two reasons:

1. It involves the concurrent failure of two frontline safety systems.
2. Its frequency of 1.1 x 10^-7 yr^-1 is close to the grand total truncation error of 1.4 x 10-0 yr-1 found for the four ESDs that were quantified.

The results of the more comprehensive two-stage integrated modeling approach are summarized in Table 4-35. Only the first five cutsets, which contribute about 99.8% of the total frequency for that sequence, are listed. The other cutsets could easily be identified from the data in Table 4-23, if desired.

The first four entries in Table 4-35 are third-order cutsets. They each involve a loss of essential AC power due to a loss of offsite power following the initiating event (total loss of steam flow) and the loss of two diesel generators. Even though Unit 1 was the focus of the present demonstration analysis, these results reveal the importance of analyzing and modeling all equipment that is shared in common with both units. A discussion of the cross-unit effects appearing in this table is given in Section 4.8.

The fifth-rank entry in Table 4-35 is a second-order cutset involving the failure of both board room chillers. These chillers are a part of the air conditioning system that provides cooling for the 6.9 kV shutdown boards. Losing both chillers causes room overheating and failure of both 6.9 kV boards.

A complete PRA would not stop at this point, as was done in this demonstration analysis. For example, analyses would be performed to determine whether the input probabilistic data properly reflect plant-specific characteristics. Furthermore, the potential for operator recovery actions to mitigate the effects of dominant cutsets in dominant sequences would be factored into the models where appropriate. This kind of approach keeps the overall modeling as simple as possible and tends to introduce detail only in the quantitatively significant areas. This appears to be important in developing GO models to maintain GO truncation errors at acceptably low levels.

Table 4-35

UNRAVELING RESULTS FROM TWO-STAGE INTEGRATED MODEL

                                                      Approximate Percent Contributions
Rank         Component 1   Component 2   Component 3   Individual   Cumulative
1            LOSP          DG 1A         DG 1B         22.2         22.2
2            LOSP          DG 1A         DG 2B         22.2         44.5
3            LOSP          DG 1B         DG 2A         22.2         66.7
4            LOSP          DG 2A         DG 2B         22.2         88.9
5            WC A          WC B          --            10.9         99.8
All Others                                             .2           100.0

Legend: LOSP = loss of offsite power. DG = diesel generator. WC = water chiller.
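The ranking in Table 4-35 can be reproduced from the failure fractions quoted in the unraveling discussion of sequence 5 earlier in this section. This is an added example, not the report's GO model: it condenses each serial operator chain, quantifies the five listed cut sets as products of independent failures, and normalizes over those five (the table also carries 0.2% for all others). Assigning one condensed fraction to all four diesel generators and another to both water chillers is an assumption.

```python
"""Added example: quantify the five cut sets of Table 4-35 by hand.

Failure fractions are those quoted on the page for operators 1-177, 1-167,
1-62, 59, 1-171 and 6-169. Assumptions (not from the report): events are
independent, all four diesel generator trains share one condensed failure
fraction, and both water chiller trains share another.
"""
from math import prod

OFFSITE_POWER = 7.81e-4                  # operator 1-177
DG_CHAIN = [7.88e-4, 0.113, 3.15e-3]     # breaker, diesel start, breaker FTC
CHILLER_CHAIN = [1.88e-5, 2.27e-3]       # temperature control valve, chiller

CUT_SETS = [
    ("LOSP", "DG 1A", "DG 1B"),
    ("LOSP", "DG 1A", "DG 2B"),
    ("LOSP", "DG 1B", "DG 2A"),
    ("LOSP", "DG 2A", "DG 2B"),
    ("WC A", "WC B"),
]


def serial_exact(fractions):
    """Failure fraction of a series chain: it fails if any member fails."""
    return 1.0 - prod(1.0 - f for f in fractions)


def serial_rare_event(fractions):
    """Rare-event approximation of the same chain: sum of member fractions."""
    return sum(fractions)


def basic_events(condense=serial_rare_event):
    """Map each basic event name in CUT_SETS to its failure fraction."""
    dg, wc = condense(DG_CHAIN), condense(CHILLER_CHAIN)
    events = {"LOSP": OFFSITE_POWER, "WC A": wc, "WC B": wc}
    events.update({f"DG {unit}{train}": dg for unit in "12" for train in "AB"})
    return events


def quantify(cut_sets, events):
    """Return rows (cut set, probability, % individual, % cumulative), ranked."""
    probs = [(cs, prod(events[e] for e in cs)) for cs in cut_sets]
    probs.sort(key=lambda row: row[1], reverse=True)   # stable for ties
    total = sum(p for _, p in probs)
    rows, running = [], 0.0
    for cs, p in probs:
        running += p
        rows.append((cs, p, 100.0 * p / total, 100.0 * running / total))
    return rows


def min_cut_upper_bound(rows):
    """Min cut upper bound on the probability that at least one cut set occurs."""
    return 1.0 - prod(1.0 - p for _, p, _, _ in rows)


if __name__ == "__main__":
    for label, condense in (("rare-event", serial_rare_event),
                            ("exact", serial_exact)):
        rows = quantify(CUT_SETS, basic_events(condense))
        print(f"-- {label} condensation, DG chain = {condense(DG_CHAIN):.4f}")
        for rank, (cs, p, pct, cum) in enumerate(rows, 1):
            print(f"{rank}  {' + '.join(cs):<22} {p:.3E} {pct:6.1f} {cum:6.1f}")
        print(f"   min cut upper bound = {min_cut_upper_bound(rows):.3E}")
```

With the rare-event sum the diesel generator chain comes out at 0.1169, which rounds to the 0.117 quoted for operator 6-194, and the top cut set evaluates to about 1.07 x 10^-5.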

4.10 REFERENCES

4-1. Almodovar, S., "STEVE Computer Code User's Manual," Pickard, Lowe and Garrick, Inc., Draft, September 1983.

4-2. Pickard, Lowe and Garrick, Inc., "Midland Probabilistic Risk Assessment," prepared for the Consumers Power Company, May 1984.

4-3. Pickard, Lowe and Garrick, Inc., Westinghouse Electric Corporation, and Fauske & Associates, Inc., "Zion Probabilistic Safety Study," prepared for Commonwealth Edison Company, September 1981.

4-4. Pickard, Lowe and Garrick, Inc., "Seabrook Station Probabilistic Safety Assessment," prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company, PLG-0300, December 1983.

Section 5

DATA

5.1 COMPONENT FAILURE RATE DATA

The Sequoyah component failure data are based on a broad cross-section of information obtained from a variety of data sources as listed in Table 5-1. Although Unit 1 at the Sequoyah plant has been operating since September 1980 and there is some plant-specific information regarding the performance of components and systems, it was decided to use generic component failure data. This decision can be justified when one observes that in most cases, the generic data presented here agree well with the plant-specific data obtained from several other probabilistic risk assessments (PRA). In addition, one can argue that the quantity of data collected during the relatively short period in which the Sequoyah plant has been operating is not expected to add much to the cumulative industry experience represented by the generic data.

In developing generic data from various sources, it is necessary to reflect the uncertainty that is naturally associated with such data. However, in the Sequoyah study, only point estimates for failure rates, repair rates, and unavailabilities are required as input to the GO models.

The approach taken here to obtain point estimates was to develop full distributions that would reflect the source-to-source and/or plant-to-plant variability in the data base and use the mean values of such distributions as point estimates.

5.1.1 Data Base Development Methodology

The following basic steps were taken in the development of the Sequoyah failure data.

5.1.1.1 Correlation of Data Availability to Failure Analysis Requirements. The first and most important step from the standpoint of assuring compatibility between the data base and the plant system analysis was a joint review of the data requirements for each system model. During this review, the level of detail

Table 5-1

COMPONENT FAILURE DATA SOURCE LIST

1. Hubble, W. H., and C. F. Miller, "Data Summaries of Licensee Event Reports of Valves at U.S. Commercial Nuclear Power Plants," NUREG/CR-1363, EGG-EA-5125, June 1980.
2. Poloski, J. P., and W. H. Sullivan, "Data Summaries of Licensee Event Reports of Diesel Generators at U.S. Commercial Nuclear Power Plants," NUREG/CR-1362, EGG-EA-5092, March 1980.
3. Sullivan, W. H., and J. P. Poloski, "Data Summaries of Licensee Event Reports of Pumps at U.S. Commercial Nuclear Power Plants," NUREG/CR-1205, EGG-EA-5044, January 1980.
4. U.S. Nuclear Regulatory Commission, "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," NUREG/75-014, Appendix III, Failure Data, WASH-1400, October 1975.
5. Nuclear Power Engineering Committee of the IEEE Power Engineering Society, "IEEE Guide to the Collection and Presentation of Electrical, Electronic and Sensing Component Reliability Data for Nuclear Power Generation Stations," IEEE STD-500, June 1977.
6. Equipment Availability Task Force of the Prime Movers Committee, Edison Electric Institute, "Equipment Availability Component Cause Code Summary Report for the Ten-Year Period 1967-1976," EEI publication 77-64, January 1978.
7. Southwest Research Institute, "Nuclear Plant Reliability Data System 1979 Annual Reports of Cumulative System and Component Reliability," NUREG/CR-1635, September 1980.
8. Combustion Engineering, Inc., Nuclear Power Systems, "Component Failures at Pressurized Water Reactors," ALO-74, October 1980.
9. Reliability Analysis Center, Rome Air Development Center, "Nonelectronic Parts Reliability Data," NPRD-1, 1978.
10. Hughes Aircraft Company, "RADC Unanalyzed Nonelectronic Part Failure Rate Data Interim Report (NEDCO) No. 1," AD-806546, December 1966.
11. Moss, T. R., and L. W. Youdell, "Reliability Data on Electronic Components from the Harwell Series of Nucleonic Equipments," National Centre of Systems Reliability, UKAEA, NCSR-R3, 1975.
12. Southwest Research Institute, "Generation and Component Data Usage in Availability Engineering," EPRI NP-81-2-LD, February 1981.
13. Hannaman, G. W., "GCR Reliability Data Bank Status Report," General Atomic Company, GA-A14839, UC-77, July 1978.
14. ARINC Research Corporation, Reliability Engineering, W. H. Von Alven, Ed., Prentice-Hall, Inc., 1964.
15. U.S. Department of Defense, "Military Standardization Handbook: Reliability Prediction of Electronic Equipment," MIL-HDBK-217C, April 1979.
16. "Nuclear Power Experience," Petroleum Information Corporation, August 1981.
17. Liquid Metal Engineering Center, "Failure Data Handbook for Nuclear Power Facilities," LMEC-Memo-69-7, Volume 1, August 15, 1969.
18. Vitro Laboratories Division, Automation Industries, Inc., "Reliability/Availability Analysis for Engineered Safety Features Actuation System, Midland Plant, Units 1 and 2," Part 1, November 30, 1978.
19. Pickard, Lowe and Garrick, Inc., Westinghouse Electric Corporation, and Fauske & Associates, Inc., "Zion Probabilistic Safety Study," prepared for Commonwealth Edison Company, September 1981.
20. Pickard, Lowe and Garrick, Inc., Westinghouse Electric Corporation, and Fauske & Associates, Inc., "Indian Point Probabilistic Safety Study," prepared for the Power Authority of the State of New York and Consolidated Edison Company of New York, Inc., March 1982.
21. Burke, F. R., Nuclear Power Generation Division, Babcock and Wilcox, Private Communication with P. M. Abraham, Duke Power Company, July 17, 1981.

l I r i

               .in each model was established, macroscopic component failure modes were defined, and essential data requirements'were delineated. This integrated review served to focus both the data gathering effort and the systems modeling tasks toward a comon levei_ of detail so that the analysis quantification results would accurately reflect the information content of the data base.

5.1.1.2 Review and Analysis of Generic Data Sources. The second step of the development process is a thorough review, analysis, and tabulation of the available generic data for each of the component failure modes identified in the first step. The second step is essential to assure that the final failure rate distributions accurately reflect the range of information available. Unfortunately, the lack of standardization in the generic literature dictates that this task involves much more than a simple catalog of published failure rate estimates. Often, it is not possible to discern the reasons for significant differences among several sources publishing data for the same component failure mode. Because of the inherent difficulty in ascertaining the direct comparability among these various estimates, the only practical approach to the problem is the assignment of subjective weighting factors to each piece of data based on the perceived compatibility of the source with the desired failure rate information. In many cases, the availability of well-documented, site-specific failure rate data from power plants examined in previous or ongoing risk studies provided the most important input to these relative weights.

5.1.1.3 Development of Failure Rate Distributions. A direct extension of the weighting process is the development of probability distributions that appropriately model the range of information embodied in the literature. This task also involves subjective evaluation and the product essentially represents a mathematical expression of the available state of knowledge regarding the desired failure rate information.

A few notes regarding the general practices followed in the development of the Sequoyah data base may be useful in tracing the thought processes and rationale behind the documentation presented in the data table.

The estimated failure rates used in this study are the mean values of lognormal distributions developed to reflect variation of data among different sources. The principal reasons for choosing the lognormal distribution are its simplicity of use and application and that the general shape of the lognormal distribution seems to closely approximate the observed variability in actual component failure rate data; for instance, most components within a given population exhibit failure rates grouped toward the low end of the spectrum, while a few points represent components that fail more frequently. In general, the failure rate distributions were derived by choosing the median value and range factor as the two most physically meaningful parameters of the lognormal distribution (the range factor is defined here as the ratio of the 95th percentile to the median, or the square root of the ratio of the 95th and 5th percentiles). In most cases, the range factor was subjectively assigned so that the resulting distribution exhibited the following general properties:

• The lognormal mean value either approximates the data source assigned the highest subjective weight or falls within a reasonably tight grouping of several sources.
• The median represents approximately the midpoint of the range of the available data.
• The 5th and 95th percentiles of the distribution represent realistic bounds for expected or observed component failure rates.
• The range of the distribution represents an appropriate expression of the uncertainty in the data as demonstrated by the variability in the data sources and the available experience from site-specific information.

5.1.1.4 Review and Verification. The final step in the data development process was a detailed review of the entire data base. This review verified that the data base was internally self-consistent (i.e., that the general methodology described here was uniformly applied), the primary inputs to each distribution were documented and traceable, and the final distributions and the resulting mean values were representative of the available data and experience.

5.1.2 Component Failure Rates

Table 5-2 presents the failure rates developed for the Sequoyah study. Documentation of the information used to develop each failure rate is provided in Reference 5-1. A list of all modeled components and the failure data used is included in the system analysis.

Table 5-2 SEQUOYAH COMPONENT FAILURE RATE DATA (Sheet 1 of 4)

| Component | Failure Mode | Mean Failure Rate (a) | Variance |
|---|---|---|---|
| Motor-Driven Pump | Failure to Start | 2.12-3/d | 2.54-6 |
| Motor-Driven Pump | Failure to Run | 2.62-5/h | 3.87-10 |
| Turbine-Driven Pump | Failure to Start | 4.00-2/d | 2.54-6 |
| Turbine-Driven Pump | Failure to Run | 4.10-4/h | 3.87-10 |
| Heat Exchanger | Rupture/Excessive Leakage During Operation | 6.69-7/h | 2.51-13 |
| Motor-Operated Valve | Failure to Operate on Demand | 4.30-3/d | 2.75-5 |
| Motor-Operated Valve | Transfer Open/Close During Operation | 1.32-7/h | 9.87-15 |
| Air-Operated Valve | Failure to Operate on Demand | 3.40-3/d | 9.73-5 |
| Air-Operated Valve | Transfer Open/Close During Operation | 7.82-7/h | 4.41-12 |
| Check Valve | Failure to Operate on Demand | 2.98-4/d | 5.42-7 |
| Check Valve | Reverse Leakage During Operation | 6.42-7/d | 2.51-12 |
| Manual Valve | Transfer Open/Close During Operation | 3.36-8/h | 6.86-15 |
| Relief Valve (other than power-operated relief valve or safety) | Failure to Open on Demand | 2.42-5/d | 3.26-9 |
| Relief Valve (other than power-operated relief valve or safety) | Premature Open | 2.42-5/h | 3.26-9 |

Note: Exponential notation is indicated in abbreviated form; i.e., 2.12-3 = 2.12 x 10^-3.
(a) /d = per demand; /h = per hour.

Table 5-2 (continued) (Sheet 2 of 4)

| Component | Failure Mode | Mean Failure Rate (a) | Variance |
|---|---|---|---|
| Primary Safety Valve | Failure to Open on Demand | 2.66-4/d | 4.32-7 |
| Primary Safety Valve | Failure to Reseat on Demand | 2.87-3/d | 4.64-5 |
| PORV | Failure to Open on Demand | 4.27-3/d | 1.03-5 |
| PORV | Failure to Reseat on Demand | 2.50-2/d | 3.51-4 |
| Electrohydraulic Valves | Failure to Operate on Demand | 3.40-3/d | 9.73-5 |
| Electrohydraulic Valves | Transfer Open/Closed During Operation | 7.82-7/h | 4.41-12 |
| Storage Tank | Rupture During Operation | 2.66-8/h | 4.32-15 |
| Water Chiller | Failure to Start on Demand | 8.07-3/d | 1.04-4 |
| Water Chiller | Failure During Operation | 9.44-5/h | 5.00-9 |
| Air Handling Unit | Fail to Start on Demand or Shift Speed on Demand | 7.99-4/d | 3.89-6 |
| Air Handling Unit | Fail During Operation | 8.85-6/h | 4.40-11 |
| Air Handling Unit | Coil Excessive Leakage/Rupture | 2.69-6/h | 4.41-11 |
| Strainer | Failure During Operation | 5.70-7/h | 4.68-12 |

Note: Exponential notation is indicated in abbreviated form; i.e., 2.12-3 = 2.12 x 10^-3.
(a) /d = per demand; /h = per hour.

Table 5-2 (continued) (Sheet 3 of 4)

| Component | Failure Mode | Mean Failure Rate (a) | Variance |
|---|---|---|---|
| Diesel Generator | Failure to Start on Demand | 2.45-2/d | 3.37-4 |
| Diesel Generator | Failure During Operation | 1.47-2/h | 1.22-4 |
| Transformer | Failure During Operation | 2.85-6/h | 4.56-12 |
| Transformer (6.9 kV/480) | Failure During Operation | 7.91-7/h | 3.20-12 |
| Transformer (Instrument 480V to 120V) | Failure During Operation | 8.23-6/h | 4.13-10 |
| Current Limiting Reactor | Failure During Operation | 7.91-7/h | 3.20-12 |
| Inverter | Failure During Operation | 3.41-5/h | 7.08-9 |
| Bus | Failure During Operation | 5.06-7/h | 4.38-13 |
| Battery | Failure of Output During Operation | 2.25-6/h | 4.94-12 |
| Battery | Failure of Output on Demand | 4.00-4/d | 5.24-8 |
| Battery Charger | Failure During Operation | 3.22-5/d | 6.33-9 |
| Fuse | Fail Open During Operation | 3.26-7/h | 8.00-13 |

Note: Exponential notation is indicated in abbreviated form; i.e., 2.12-3 = 2.12 x 10^-3.
(a) /d = per demand; /h = per hour.

Table 5-2 (continued) (Sheet 4 of 4)

| Component | Failure Mode | Mean Failure Rate (a) | Variance |
|---|---|---|---|
| Bistable | Failure to Operate on Demand | 3.89-7/d | 1.50-13 |
| Bistable | Spurious Operation | 2.21-6/h | 8.41-10 |
| Circuit Breaker (AC - 480V and above) | Failure to Open on Demand | 7.88-4/d | 3.78-6 |
| Circuit Breaker (AC - 480V and above) | Failure to Close on Demand | 3.15-3/d | 6.05-5 |
| Circuit Breaker (AC - 480V and above) | Transfer Open During Operation | 2.19-7/h | 6.31-14 |
| Circuit Breaker (AC or DC - less than 480V) | Failure to Open on Demand | 3.38-4/d | 4.28-6 |
| Circuit Breaker (AC or DC - less than 480V) | Failure to Close on Demand | 2.27-4/d | 3.15-7 |
| Circuit Breaker (AC or DC - less than 480V) | Transfer Open During Operation | 1.13-7/h | 9.39-14 |
| Relay | Failure to Operate on Demand | 2.43-4/d | 3.26-7 |
| Relay | Failure During Operation | 3.11-7/h | 1.30-12 |
| Signal Modifier | Failure During Operation | 6.56-7/h | 1.53-12 |
| Voltage Regulator | Failure | 7.2-6/h | 1.4-8 |

Note: Exponential notation is indicated in abbreviated form; i.e., 2.12-3 = 2.12 x 10^-3.
(a) /d = per demand; /h = per hour.
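Added example (not part of the original report): Section 5.1.1.3 says each failure rate distribution was built from a median and a range factor, while Table 5-2 reports only the mean and variance. The Python sketch below converts between the two parameterizations with the standard lognormal moment relations, so the median and range factor implied by a table row can be recovered; the class and function names are illustrative assumptions.

```python
"""Recover lognormal parameters behind the Table 5-2 mean/variance pairs.

Added illustration: class and function names are hypothetical, not from
the report. Only the Python standard library is used.
"""
import math
from dataclasses import dataclass
from statistics import NormalDist

_STD_NORMAL = NormalDist()
Z95 = _STD_NORMAL.inv_cdf(0.95)  # standard normal 95th percentile, about 1.645


def parse_abbrev(text: str) -> float:
    """Convert the report's abbreviated notation: '2.12-3' -> 2.12e-3."""
    mantissa, sep, exponent = text.strip().rpartition("-")
    if not sep or not mantissa or not exponent.isdigit():
        raise ValueError(f"not in mantissa-exponent form: {text!r}")
    return float(f"{mantissa}e-{exponent}")


@dataclass(frozen=True)
class Lognormal:
    mu: float     # mean of ln(failure rate)
    sigma: float  # standard deviation of ln(failure rate)

    @classmethod
    def from_median_rf(cls, median: float, range_factor: float) -> "Lognormal":
        """Build from the two parameters the analysts chose directly."""
        if median <= 0 or range_factor < 1:
            raise ValueError("need median > 0 and range factor >= 1")
        return cls(math.log(median), math.log(range_factor) / Z95)

    @classmethod
    def from_mean_variance(cls, mean: float, variance: float) -> "Lognormal":
        """Invert the moment relations to get back to (mu, sigma)."""
        if mean <= 0 or variance < 0:
            raise ValueError("need mean > 0 and variance >= 0")
        sigma_sq = math.log1p(variance / mean ** 2)
        return cls(math.log(mean) - sigma_sq / 2, math.sqrt(sigma_sq))

    @property
    def median(self) -> float:
        return math.exp(self.mu)

    @property
    def mean(self) -> float:
        return math.exp(self.mu + self.sigma ** 2 / 2)

    @property
    def variance(self) -> float:
        return self.mean ** 2 * math.expm1(self.sigma ** 2)

    @property
    def range_factor(self) -> float:
        """Ratio of the 95th percentile to the median."""
        return math.exp(Z95 * self.sigma)

    def percentile(self, p: float) -> float:
        return math.exp(self.mu + self.sigma * _STD_NORMAL.inv_cdf(p))


# Rows copied from Table 5-2 (mean failure rate, variance) in report notation.
TABLE_5_2_SAMPLE = [
    ("Motor-driven pump, failure to start", "2.12-3", "2.54-6"),
    ("Motor-operated valve, failure to operate on demand", "4.30-3", "2.75-5"),
    ("Check valve, failure to operate on demand", "2.98-4", "5.42-7"),
]


def recover(rows):
    """Return (label, Lognormal) for each (label, mean, variance) row."""
    return [
        (label, Lognormal.from_mean_variance(parse_abbrev(m), parse_abbrev(v)))
        for label, m, v in rows
    ]


if __name__ == "__main__":
    for label, dist in recover(TABLE_5_2_SAMPLE):
        print(f"{label}: median={dist.median:.3e}  RF={dist.range_factor:.2f}  "
              f"5th={dist.percentile(0.05):.3e}  95th={dist.percentile(0.95):.3e}")
```

For the motor-driven pump failure-to-start row this gives a range factor of about 3, and for the check valve failure-to-operate row about 10; the mean always sits above the median because of the long upper tail.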


5.2 COMPONENT MAINTENANCE DATA

5.2.1 General Considerations

Maintenance activities that remove components from service and alter the normal system configuration can provide a significant contribution to the overall unavailability. The distributions for component maintenance frequency and duration presented in this section are based on generic information.

The maintenance distributions presented in this section apply to nonroutine maintenance performed at power operation or, in some cases, at hot standby. Nonroutine maintenance activities include repairs of component failures experienced during operation, repairs of failures during periodic testing, removal from service for special testing or inspection, minor adjustments, hardware modifications, etc. The data base on such maintenance activities is restricted to power operation and hot standby conditions for the following reasons:

• Operating, maintenance, and system testing procedures and practices are modified significantly when the plant enters the cold shutdown condition.
• The limiting conditions of operation generally dictate that components be removed from service for routine maintenance only at cold shutdown.
• The plant operating modes of primary concern in this study are power operation and hot standby.

The nature and duration of maintenance performed during cold shutdown are significantly different from that performed at power. The inclusion of cold shutdown component unavailability information in the maintenance distributions used in this study would therefore provide unrealistic data.

The distributions apply to maintenance that removes a component from service so that it cannot perform the action assumed in the system analysis. For example, most pump maintenance requires the pump to be mechanically and electrically isolated and, therefore, it is unable to pump. Such activities contribute to the unavailability of the pump.
Some maintenance performed on valves may be accomplished with the valve in the position required for successful system operation. This maintenance may require the component to be declared inoperable administratively, but it does not affect the ability of the equipment to perform its function. (Examples of this type of valve maintenance include valve packing adjustment and electrical repairs of motor-operated valves performed with the valves in the desired position.) Therefore, although valves may be tagged out of service for maintenance quite frequently, reviews of operating plant maintenance records indicate that a relatively small percentage of these activities actually result in functional flow path unavailability. These considerations have been included in the distributions for valve maintenance.

Experience has also shown that most valve maintenance performed during the power operation mode involves the valve operator and is of a relatively short duration. Mechanical repairs requiring valve disassembly are generally postponed, if possible, until a scheduled unit outage, because they require fluid isolation and draining of the affected system piping. In other cases, unit shutdown may be required because the repairs cannot be completed within the time allowed by the technical specifications. In either case, these extended duration valve maintenance events do not contribute to system unavailability during the power operation mode and immediately after in hot standby as addressed in this study. The valve maintenance distributions, therefore, apply generally to maintenance activities involving the operators of power-operated valves and apply to events that are performed with the valves deenergized in the position opposite from that required for system success or fluid isolated.

Maintenance that requires a pump to be removed from service in order to provide pump suction protection or personnel protection at the pump's discharge is not treated separately in the system analyses and is included with the pump maintenance distributions developed in this section. The generic plant operating experience that forms the basis for these distributions in many cases does not identify the specific reasons for a pump being removed from service.
The single distribution for pump unavailability applies to all maintenance performed on equipment requiring the pump or surrounding components to be removed from service. For most systems, this distribution is clearly dominated by repairs to the pump, with valve maintenance providing a small additional contribution to pump flow path unavailability.

5.2.1.1 Frequency of Maintenance. The frequency of maintenance on a given component during power operation or hot standby is dependent on three major factors:

1. The normal service of the component and its reliability necessitates unscheduled maintenance for the repair of failures or component degradation.


2. Certain components will be subject to regularly scheduled plant preventive maintenance and inspection programs.
3. The duration of component inoperability allowed by the plant's technical specifications affects the frequency of maintenance.

The precise impact of the technical specifications on maintenance frequency is dependent on the specific maintenance practices adopted by the maintenance staff. This will vary depending on the plant's specific limiting conditions of operation (LCO) and varies widely between plants. Relatively short inoperability time limits (24 hours, for example) may result in either:

• A high frequency of very short duration events during which maintenance personnel perform very minor repairs and preventive maintenance.
• A low frequency of maintenance determined by the component's failure rate because of minimal preventive maintenance.

In the former case, plant personnel attempt to avoid events of long duration by scheduling many controlled events of shorter duration, while in the latter case, personnel are willing to accept infrequent failures requiring unit shutdown in order to avoid frequent events during which the possibility of imposed shutdown exists due to unforeseen delays. Whether the former or the latter (or some intermediate) case prevails at a given plant is dependent on that plant's specific operating and maintenance practices and, thus, cannot be easily generalized.

The Sequoyah technical specifications generally impose a 72-hour limit for single-train inoperability before requiring unit shutdown. This time is sufficient for the performance of relatively minor repairs but is inadequate for major equipment overhaul.

5.2.1.2 Duration of Maintenance. As applied in this data base, the duration of a maintenance event includes the entire time during which the affected component is unavailable for operation. This period is defined from the time when the component is originally isolated or otherwise removed from service to the time when the component is returned to service in an operable state, and, in many cases, it may be only weakly dependent on the actual time required for maintenance personnel to effect the repairs. Thus, the duration of a maintenance event performed during power operation or hot standby periods is generally dependent on four major factors:

1. The magnitude of the failure determines the minimum time required for maintenance personnel to effect repairs and may affect the complexity and duration of the tagout time and return to service operations.
2. The availability of maintenance personnel affects the duration of the period between component failure and initiation of repairs and also affects the duration of the repair job (e.g., if maintenance personnel are regularly available from 7:00 a.m. until 11:00 p.m., repairs cannot be quickly initiated during the 8-hour offshift).

3. General plant maintenance scheduling and prioritizing practices influence the sequence in which components are repaired and the relative effort expended toward repairing a given component within a fixed time.
4. The duration of component inoperability allowed by the plant's technical specifications directly affects the relative priorities assigned to certain maintenance events.

It is noteworthy that the availability of personnel and the prioritizing practices in effect at a given plant often dominate the determination of maintenance duration (as opposed to the relatively ideal case in which duration is directly proportional to the complexity of repair). The impact of the technical specifications on the relative priorities assigned to maintenance activities cannot be overemphasized. A major repair required on a component allowed to be inoperable for 72 hours will often be completed more quickly than a minor adjustment to a component allowed to be inoperable indefinitely. This applies even if both components function as portions of engineered safeguards systems (however, with apparently different importance or available redundancy, as indicated by the different limits on technical specifications allowed downtime). It is difficult to generalize maintenance duration data to several plants, even if applied to otherwise physically identical components. This generalization is difficult to make because of these influences and because each plant has its own unique personnel and procedural limitations.

Maintenance frequency and duration are both necessary for the systems analysis in this study. The frequency of maintenance defines the rate at which components are removed from service. The evaluation of recovery factors and human interactions both require the frequency. The duration and frequency contribute to the component unavailability, which in turn contributes to the system unavailability. The frequency and duration of maintenance are not directly related; therefore, it was decided to develop a separate distribution for each of these parameters for each component included in the data base. These distributions were then combined to obtain the maintenance data used in the system analyses.

5.2.2 Component Maintenance Distributions

5.2.2.1 Frequency of Maintenance. Distributions for the frequency of component maintenance were developed for four general component categories based on the component type, its normal service duty, and the applicable inoperability time limit. These distributions are described in detail in Reference 5-1. The mean values are reported in Table 5-3.

5.2.2.2 Duration of Maintenance. The plant technical specifications are the most important influence on the duration of all but the most complex repair work. Distributions for maintenance duration were developed for four component categories based on the applicable inoperability time limit. The derivation of these distributions is described in Reference 5-1.

Each of these distributions represents a single expression of our state of knowledge about maintenance event durations. The mean value of each distribution is, therefore, a single estimate of the mean duration of maintenance for the given component type. To provide an expression of uncertainty about this mean value, each of the distributions was expanded into a family of distributions by allowing the 5th and 95th percentiles of the lognormal curves to take on various possible values. The probability assigned to each of the values in the given range provides an expression of the uncertainty about the value of that parameter. The resulting distribution of mean values for maintenance event duration is then weighted in accordance with these relative probabilities and expresses an "educated" state of knowledge about the distribution of the means. The derivation of these distributions is explained in Reference 5-1, with the mean values reported in Table 5-3.
5.2.3 Component Unavailability due to Maintenance

In order to develop information for the unavailability of components at Sequoyah due to maintenance, the frequency distributions and the distributions of event mean duration were multiplied together using discrete probability distribution arithmetic. The resulting distributions of component unavailability are provided in Reference 5-1. Table 5-3 gives the mean unavailability for each component.

Table 5-3 SUMMARY OF COMPONENT MAINTENANCE AND UNAVAILABILITY DATA

| Component | Mean Maintenance Frequency (event/hour) | Mean Maintenance Duration (hour/event) | Mean Unavailability |
|---|---|---|---|
| Safety Injection (SI) and Charging Pumps | 1.26-4 | 40.8 | 5.16-3 |
| Residual Heat Removal Pump | 8.42-5 | 20.9 | 1.76-3 |
| Turbine-Driven Auxiliary Feedwater Pump | 2.19-4 | 20.9 | 4.59-3 |
| Motor-Driven Auxiliary Feedwater Pump | 8.42-5 | 20.9 | 1.76-3 |
| Containment Spray Pump | 1.26-4 | 40.8 | 5.16-3 |
| Air Compressor | 2.28-4 | 8.0 | 1.83-3 |
| Diesel Generator | 2.19-4 | 20.9 | 4.59-3 |
| Emergency Raw Cooling Water Pump | 1.26-4 | 116.0 | 1.48-2 |
| Component Cooling Water System (CCS) Pump | 1.26-4 | 116.0 | 1.48-2 |

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.26-4 = 1.26 x 10^-4.

5.3 INITIATING EVENTS FREQUENCY

As mentioned in the report summary, only two of the initiating events were selected for quantification. The selected events are large loss of coolant accident (LLOCA) and the loss of steam flow. This section describes how the frequency of these initiators was calculated.

5.3.1 LLOCA

A distribution for the frequency of LLOCA was developed by incorporating the cumulative operating experience at U.S. pressurized water reactors (PWR) into a prior state of knowledge represented by the LLOCA frequency distribution assessed by WASH-1400 (Reference 5-2).

The cumulative evidence from U.S. PWRs as of June 1, 1983, was zero events in 340 reactor years. The evidence from all plants was lumped together because it was judged that there is little, if any, plant-to-plant variability in the LLOCA frequency since the primary piping systems are essentially designed according to the same codes and are based on similar standards. Moreover, these piping systems are not affected as much by the variation of operating practices among plants as are most other components and systems.

The evidence (zero events in 340 reactor years) was combined with the WASH-1400 distribution using Bayes' theorem (Reference 5-3). The updated distribution has the following characteristics:

5th Percentile: 6.73 x 10^-6 Per Year
50th Percentile: 8.11 x 10^-5 Per Year
95th Percentile: 5.75 x 10^-4 Per Year
Mean: 2.0 x 10^-4 Per Year

The mean value of this distribution was used in the quantification of sequences initiated by LLOCA.

5.3.2 Loss of Steam Flow

This initiator is defined as inadvertent closure of all main steam isolation valves (MSIV). The value used as the frequency of this initiator is the mean of a distribution that was developed based on the experience at all U.S. PWRs as of January 1, 1981. Here, however, as opposed to the LLOCA case, the plant-to-plant variability of the frequency was assumed and the two-stage Bayesian technique of Reference 5-4 was used to develop the population variability distribution. The calculations were performed with the aid of the computer code BEST (Reference 5-5).

The principal source of plant population data was the information provided in the Electric Power Research Institute (EPRI) study of PWR transients (Reference 5-6). The event of concern here corresponds with the event under category 18 of the EPRI study. The EPRI data indicated several occurrences at both units of the Point Beach Nuclear Power Plant and one incident at Davis-Besse 1. However, further investigation revealed that no inadvertent closure of all MSIVs had been experienced at any of those units. As a result, the evidence for each plant in the population was no occurrence during that plant's operating history as of January 1, 1981. Table 5-4 lists the operational years for the plants in the population.

The result of using this evidence in the Bayesian calculations was the following distribution:

5th Percentile: 3.86 x 10^-5 Per Year
50th Percentile: 8.78 x 10^-4 Per Year
95th Percentile: 7.24 x 10^-3 Per Year
Mean: 2.44 x 10^-3 Per Year

5.4 AVAILABILITY MODEL DATA

To quantify the plant availability, a set of component unavailability values was developed for use in the plant availability models. The component unavailability value is approximated as the product of the component failure rate and the corresponding mean time to repair (MTTR). Table 5-5 lists the values estimated for the failure rates and MTTRs. It also provides the calculated unavailability values. In general, the sources consulted to develop these values were those listed in Table 5-1. However, in certain cases where no data were available, a distribution based on engineering judgment was developed and its mean value was used as the value of the quantity of interest.

Table 5-4 PLANT POPULATION DATA FOR LOSS OF STEAM FLOW INITIATING EVENTS

| No. | Plant Name | Operating Years* |
|---|---|---|
| 1 | Yankee Rowe | 17.7 |
| 2 | Indian Point 1 | 12.1 |
| 3 | San Onofre | 12.3 |
| 4 | Haddam Neck | 12.4 |
| 5 | R. E. Ginna | 9.1 |
| 6 | Point Beach 1 | 9.3 |
| 7 | H. B. Robinson | 9.3 |
| 8 | Palisades | 3.8 |
| 9 | Point Beach 2 | 7.5 |
| 10 | Surry 1 | 6.0 |
| 11 | Maine Yankee | 3.1 |
| 12 | Surry 2 | 5.6 |
| 13 | Oconee 1 | 7.5 |
| 14 | Indian Point 2 | 6.6 |
| 15 | Prairie Island 1 | 5.9 |
| 16 | Zion 1 | 4.3 |
| 17 | Kewaunee | 6.6 |
| 18 | Fort Calhoun | 5.5 |
| 19 | Three Mile Island | 1.7 |
| 20 | Oconee 2 | 5.3 |
| 21 | Zion 2 | 3.6 |
| 22 | Oconee 3 | 6.0 |
| 23 | Arkansas 1 | 5.4 |
| 24 | Prairie Island 2 | 4.9 |
| 25 | Rancho Seco | 5.7 |
| 26 | Calvert Cliffs 1 | 4.9 |
| 27 | Cook 1 | 5.4 |
| 28 | Millstone 2 | 4.4 |
| 29 | Trojan | 4.2 |
| 30 | Calvert Cliffs 2 | 3.0 |
| 31 | Salem 1 | 3.5 |
| 32 | Davis-Besse 1 | 3.1 |
| 33 | Farley 1 | 2.3 |
| 34 | North Anna 1 | 1.7 |
| 35 | Cook 2 | 2.5 |
| 36 | Indian Point 3 | 0.3 |
| | Total | 213.5 |

*As of January 1, 1981.

Table 5-5 RELIABILITY AND MAINTAINABILITY DATA USED IN AVAILABILITY MODEL (Sheet 1 of 4)

| Kind | Type | Component | Failure Rate (hr^-1) | MTTR (hr) | Unavailability |
|---|---|---|---|---|---|
| 2 | 1 | Generator | 1.55-4 | 200 | .03 |
| 3 | 6 | Condensate Heaters | 6.69-7 | 47 | 3.144-5 |
| 4 | 6 | Main Steam Relief | 1.00-6 | 110 | 1.1-4 |
| 5 | 6 | Heat Exchangers | 6.69-7 | 57 | 3.81-5 |
| 6 | 1 | Oil Cooler | 6.69-7 | 57 | 3.81-5 |
| 7 | 1 | Condenser Heat Exchanger | 1.00-5 | 110 | 1.1-3 |
| 8 | 6 | Condenser | 1.00-5 | 57 | 5.7-4 |
| 9 | 1 | Reactor Vessel | | | 1.0-6 |
| 10 | 1 | Butterfly Valve | 3.36-8 | 32 | 1.075-6 |
| 11 | 1 | Gate Valve | 3.36-8 | 32 | 1.075-6 |
| 12 | 6 | Electrical Heater | | | 1.0-4 |
| 13 | 1 | Pressurizer | | | 1.0-6 |
| 15 | 6 | Motor-Operated Valve | 1.32-7 | 32 | 4.224-6 |
| 16 | 6 | Motor-Operated Valve | 1.32-7 | 32 | 4.224-6 |
| 17 | 6 | Air-Operated Diaphragm BV | 7.82-7 | 32 | 2.502-5 |
| 18 | 6 | Air-Operated Diaphragm GV | 7.82-7 | 77 | 6.021-5 |
| 19 | 6 | Air-Operated Cylinder BV | 7.82-7 | 32 | 2.502-5 |
| 20 | 6 | Air-Operated Cylinder GV | 7.82-7 | 77 | 6.021-5 |
| 21 | 1 | Primary Safety Valve (relief) | 2.66-5 | 32 | 8.44-4 |
| 22 | 1 | Check Valve | 6.42-7 | 77 | 4.943-5 |
| 23 | 6 | Cylinder-Operated Valve | 1.47-7 | 32 | 4.704-6 |
| 27 | 6 | Reverse Current Valve | 6.42-7 | 77 | 4.943-5 |
| 30 | 6 | Condensate Booster Pump | 2.62-5 | 56 | 1.47-3 |
| 31 | 6 | Raw Cooling Water Pump | 2.62-5 | 56 | 1.47-3 |
| 32 | 6 | Main Feedwater Pump | 4.10-4 | 56 | 2.24-2 |
| 33 | 6 | Oil Pump | 2.26-5 | 24 | 5.42-4 |
| 34 | 6 | Reactor Coolant Pump | 1.00-6 | 500 | 5.0-4 |
| 35 | 6 | Vacuum Pump | 2.50-4 | 56 | 1.38-2 |
| 40 | 1 | Turbine | 2.89-4 | 220 | .06 |
| 43 | 1 | Polisher | 1.00-5 | 10 | 1.0-4 |
| 44 | 1 | Resin Trap | 1.00-5 | 10 | 1.0-4 |
| 45 | 1 | Steam Generator | 1.00-6 | 500 | 5.0-4 |
| 45 | 1 | Filters/Strainers | 8.76-6 | 8 | 7.01-5 |
| 47 | 6 | Traveling Screen | 8.76-6 | 30 | 2.63-4 |
| 48 | 1 | Tank | 2.66-8 | 200 | 5.32-6 |
| 49 | 1 | Level Indicator (instrument) | 4.25-6 | 8 | 3.4-5 |
| 50 | 1 | Gate Discharge | 1.00-6 | 100 | 1.0-4 |
| 51 | 1 | Cooling Tower | 1.00-6 | 100 | 1.0-4 |
| 52 | 1 | Drains (heater and condensate) | 1.00-6 | 8 | 8.0-6 |
| 53 | 1 | Controller | 6.56-7 | 8 | 5.25-6 |
| 54 | 1 | CSST Transformer | 2.85-6 | 453 | 1.29-3 |
| 55 | 1 | Normally Closed Breaker (> 480V) | 2.19-7 | 62 | 1.36-5 |
| 56 | 6 | Bus | 5.06-7 | 5 | 2.53-6 |

Note: Exponential notation is indicated in abbreviated form; i.e., 1.55-4 = 1.55 x 10^-4.

Table 5-5 (continued) (Sheet 2 of 4)

| Kind | Type | Component | Failure Rate (hr^-1) | MTTR (hr) | Unavailability |
|---|---|---|---|---|---|
| 57 | 1 | Normally Open Breaker | 1.13-7 | 15 | 1.7-6 |
| 58 | 1 | Current Limiting Reactor | 7.91-7 | 62 | 4.9-5 |
| 54 | 6 | Normally Open Breaker (> 480V) | 3.00-4 | 62 | .0183 |
| 60 | 1 | Fuse | 3.26-7 | 5 | 1.63-6 |
| 61 | 1 | Battery Charger | 3.22-5 | 72 | 2.31-3 |
| 62 | 6 | Normally Closed Breaker (> 480V) | 2.19-7 | 62 | 1.36-5 |
| 63 | 1 | Transformer (6.9 kV/480V) | 7.91-7 | 453 | 3.58-4 |
| 64 | 1 | Instrument Transformer (480V/120V) | 8.27-6 | 100 | 8.26-4 |
| 65 | 5 | Battery I | 2.25-6 | 100 | 2.25-4 |
| 66 | 5 | Battery II | 2.25-6 | 100 | 2.25-4 |
| 67 | 5 | Battery III | 2.25-6 | 100 | 2.25-4 |
| 68 | 5 | Battery IV | 2.25-6 | 100 | 2.25-4 |
| 69 | 1 | Inverter | 3.41-5 | 72 | 2.45-3 |
| 70 | 1 | Bus | 5.06-7 | 5 | 2.53-6 |
| 71 | 1 | Filter | 8.76-6 | 2.2 | 1.93-5 |
| 72 | 5 | Air Compressor | 2.90-4 | 52 | 1.51-2 |
| 73 | 1 | Gate Valve | 3.36-8 | 32 | 1.08-6 |
| 74 | 1 | Relief Valve | N/A | N/A | 0.0 |
| 75 | 1 | Aftercooler | 6.69-7 | 52 | 3.48-5 |
| 76 | 5 | Check Valve | 6.42-7 | 30 | 1.93-5 |
| 77 | 5 | Solenoid Valve | 1.47-7 | 32 | 4.7-6 |
| 78 | 5 | Relay | 3.11-7 | 5.3 | 1.65-6 |
| 79 | 1 | Receiver | 2.66-8 | 30 | 7.98-7 |
| 80 | 1 | Dryer | 3.64-5 | 24 | 8.74-4 |
| 82 | 5 | Gate Valve | 3.36-8 | 32 | 1.08-6 |
| 83 | 1 | Pressure Control Valve | 1.14-4 | 30 | 3.40-3 |
| 84 | 1 | Breaker (> 480V) | 3-4 | 62 | .0183 |
| 85 | 5 | Reservoir | N/A | N/A | 0 |
| 86 | 5 | Oil Supply | N/A | N/A | 0 |
| 87 | 1 | Trash Rack | 8.76-6 | 30 | 2.63-4 |
| 88 | 6 | Traveling Screens | 8.76-6 | 30 | 2.63-4 |
| 89 | 6 | Pumps Fail to Start | 2.62-5 | 80 | 2.09-3 |
| 90 | 1 | Check Valve | 5.00-8 | 30 | 1.5-6 |
| 91 | 6 | Open Flow Control Valves (FCV) | 1.30-7 | 30 | 3.9-6 |
| 92 | 6 | Strainers | 8.76-6 | 9.2 | 8.06-5 |
| 93 | 5 | Engineered Safeguards Actuation System | N/A | N/A | 0.0 |
| 94 | 6 | Closed Flow Control Valves (FCV) | 1.70-7 | 360 | 4.75-5 |
| 95 | 6 | Pumps Fail to Operate | 2.62-5 | 80 | 2.1-3 |
| 96 | 5 | Flow Control Valves (FCV) Actuation | N/A | N/A | 0.0 |

Note: Exponential notation is indicated in abbreviated form; i.e., 6.56-7 = 6.56 x 10^-7.

Table 5-5 (continued) (Sheet 3 of 4)

| Kind | Type | Component | Failure Rate (hr^-1) | MTTR (hr) | Unavailability |
|---|---|---|---|---|---|
| 97 | 1 | Normally Open (< 480V) Breaker | 2.27-4 | 15 | 3.39-3 |
| 98 | 1 | CCS Heat Exchanger | 6.69-7 | 160 | 1.0703-4 |
| 99 | 1 | Temperature Control Air-Operated Valve | 7.82-7 | 32.3 | 2.52-5 |
| 100 | 1 | Temperature Control Air-Operated Valve | 7.82-7 | 32.3 | 2.52-5 |
| 101 | 6 | MOV Fail | 1.32-7 | 32.3 | 4.26-6 |
| 102 | 1 | MOV | 1.32-7 | 32.3 | 4.26-6 |
| 103 | 1 | MOV | 1.32-7 | 32.3 | 4.26-6 |
| 104 | 1 | Check Valve | 6.42-7 | 32.3 | 2.07-5 |
| 105 | 1 | Check Valve | 6.42-7 | 32.3 | 2.07-5 |
| 106 | 1 | Thermal Booster Pump | 2.62-5 | 24 | 6.28-4 |
| 109 | 1 | Pump Fails to Operate | 2.62-5 | 24 | 6.28-4 |
| 110 | 6 | Spare Cooler, Fans, Coils | 1.15-4 | 49 | 5.64-4 |
| 111 | 1 | Check Valve | 6.42-7 | 32.3 | 2.07-5 |
| 115 | 5 | Pump in Operation | N/A | N/A | 0.0 |
| 116 | 5 | Station Blackout | N/A | N/A | 1.0 |
| 117 | 5 | Auto Start on Low Flow | N/A | N/A | 0.0 |
| 118 | 5 | SI ESF IA | N/A | N/A | 1.0 |
| 119 | 5 | SI ESF IB | N/A | N/A | 1.0 |
| 120 | 5 | Manual Loading of Pump Power | N/A | N/A | 1.0 |
| 127 | 1 | Manual Valve | 3.36-8 | 32.3 | 1.09-6 |
| 128 | 1 | Manual Valve | 3.36-8 | 32.3 | 1.09-6 |
| 129 | 1 | Manual Valve | 3.36-8 | 32.3 | 1.09-6 |
| 130 | 1 | Space Cooler | 1.15-5 | 49 | 5.63-4 |
| 131 | 1 | Space Cooler | 1.15-5 | 49 | 5.63-4 |
| 133 | 1 | Flow Control Valve | 7.82-7 | 32.3 | 2.53-5 |
| 176 | 5 | 250V Battery | 2.25-6 | 100 | 2.25-4 |
| 177 | 5 | 250V Battery | 2.25-6 | 100 | 2.25-4 |
| 178 | 1 | Auto Switch | 1.00-6 | 8 | 8-6 |
| 179 | 1 | Switch | 3.26-7 | 5 | 1.63-6 |
| 180 | 5 | Extraction Steam | 1.00-6 | 10 | 1.0-5 |
| 181 | 6 | Fans | 1.00-4 | 50 | 4.98-3 |
| 230 | 4 | Control Air System for Availability Model Maintenance | 2.32-4 | 8 | 1.83-3/train |
| 235 | 5 | Air Compressor (2)* Cycled Different Number of Demands | 2.90-4 | 52 | 1.51-2 |
| 236 | 5 | Air Compressor (3)* Cycled Different Number of Demands | 2.90-4 | 52 | 1.71-2 |
| 237 | 5 | Air Compressor (4)* Cycled Different Number of Demands | 2.90-4 | 52 | 1.61-2 |

Note: Exponential notation is indicated in abbreviated form; i.e., 1.70-7 = 1.70 x 10^-7.

Table 5-5 (Continued)
Sheet 4 of 4

Kind  Type  Component                                                 Unavailability

 238  5     Check Valve (2)                         6.42-7    30      1.93-5
 239  5     Check Valve (3) (2d/day)                6.42-7    30      7.64-4
 240  5     Check Valve (4) (1d/day)                6.42      30      3.92-6
 241  5     Solenoid Valve (2)                      1.47-7    32      4.7-6
 242  5     Solenoid Valve (3) (2/day)              1.47-7    32      6.48-3
 243  5     Solenoid Valve (4) (1/day)              1.47-7    32      3.24-3
 245  1     Relief Valve                            2.45-5    32      7.84-4

Note: Exponential notation is indicated in abbreviated form; i.e., 2.90-4 = 2.90 x 10^-4.


Section 6
CONCLUSIONS AND RECOMMENDATIONS

The purposes of this section are to present conclusions, summarize some of the key results of the safety and availability analyses, and make some recommendations for further refinements to the GO methodology and its application.

6.1 GO METHODOLOGY DEMONSTRATION

The principal objective of this project was to demonstrate that the GO methodology can be effectively used as a probabilistic modeling technique for assessing nuclear plant safety and availability. The scope of the analyses presented in Sections 3 and 4 and the appendices of this report establishes that the GO methodology is a feasible technique for these purposes. Although the scope of the safety model was significantly less than required to perform a level 1 PRA, there is no apparent technical reason why a full-scope level 1 PRA using the GO methodology could not be performed. No insurmountable analytical problems in such an application of GO have been identified. Furthermore, this methodology has the special capability of being well-suited to concurrent development of safety and availability models at the system level. While such an approach requires the development of two separate sets of plant models for each application, it should make the effort for evaluating availability and safety at the same time more efficient.

Although technical feasibility has been demonstrated at all key stages of safety and availability analysis, the relative cost of using GO in place of the current methods has not been established; however, the level of both the engineering and the computing resources used in this demonstration project are encouraging signs.

The principal criteria used to come to the favorable conclusion presented above about the effectiveness and usefulness of the GO methodology in safety and availability are:

1. The methodology must be capable of handling large, plant-level models of nuclear power plants, their systems, components, and interdependencies. (System-level capabilities of GO have been successfully demonstrated in Reference 6-1.)

2. The methodology must be capable of identifying and ranking all significant contributors to risk and unavailability as well as calculating bottom-line, numerical results.

3. The methodology must provide models of nuclear power plants and systems that can be easily constructed by engineers knowledgeable of the plant and system design and operational characteristics. The model must also be amenable to review for errors in logic and inaccuracies in modeling important plant details.

With regard to Criterion 1, the plant-level models of Sequoyah Nuclear Plant Unit 1 were of a size and level of complexity comparable to that of existing level 1 PRAs. While project scope limited the breadth of this model, the depth of the modeling included all of the system and component level interdependencies in the plant. Only a relatively small amount of size and complexity would have to be added to accommodate risk contributors that were not modeled; e.g., common cause events, external events, and most human recovery actions. To handle large, plant-level models of the sizes developed for Sequoyah, special model condensation procedures were needed and developed to prevent the final results from becoming masked by the truncation error associated with pruning sequences. These procedures are described in Section 4.

A major advantage of the GO methodology is the ease in modeling and reviewing the model for intersystem functional dependencies. This is afforded by having separate GO model elements to model component states (operators) and interdependencies and interconnections among components and systems (signals). In some alternative methodologies, such as fault tree and event tree analysis, many of the interdependencies are only implicitly reflected in the structure of the model or in the way input data are applied to the model.

The ability to demonstrate the GO methodology with respect to Criterion 2 was established only after some significant difficulties were encountered in the initial attempt to trace dominant contributors. To achieve satisfactory capability to trace important contributors, it was necessary to modularize the plant model quantification process and to integrate these modules using GO postprocessor software in a GO, GOST, FAULT FINDER, GOLF sequence. Some results of this process are summarized below.

In checking off GO against Criterion 3, a second major advantage of the GO methodology was identified. This advantage is the relative similarity between the GO model of a system and its process and instrumentation diagram. This makes it easier for the layman who knows his system to develop a GO model and to review a GO model developed by someone else. This analogy only goes so far because oftentimes the logical and functional relationships that need to be modeled are not similarly structured in the process and instrumentation diagram.

6.2 GO MODELING INSIGHTS AND ENHANCEMENTS

The successful demonstration of the GO methodology in this project required the development of new insights and enhancements of the basic methodology, as alluded to above. This section provides a summary of some key insights and enhancements.

The most important modeling insight developed in this project is that, depending on how a large, plant-level GO model is constructed, it can be either extremely difficult or relatively easy to trace the dominant contributors to accident sequence frequency. Difficulties can occur as a result of limitations in the software (referred to as FAULT FINDER) and the fact that not all intermediate numerical results of interest are produced automatically. A contribution of this study was the development of procedures to modularize the structure of the plant model to circumvent this difficulty in tracing procedures. More details on this procedure are provided in Section 6.3.

All probabilistic risk assessment (PRA) methodologies (e.g., the event tree-based and the fault tree-based methodologies) have encountered various degrees of difficulty in coping with the large number of states encountered in plant-level applications. This size is reflected in the numbers of event sequences and/or minimal cutsets in relation to computer size and speed. GO manages computer storage requirements by truncating sequences of component states whose probability is below a prescribed cutoff value (called PMIN). This cutoff value is variable, and rises automatically at points in the quantification process when the prescribed value is set too low.
The probabilities of the truncated states are accumulated to form a truncation error probability. In previous attempts to estimate accident sequence probabilities using a large plant-level GO model, the model was so large that the truncation error masked the key results for the accident sequence probability. A major result of this study was the development of procedures for effecting the condensation of GO submodels in a manner that did not impact the accuracy of the results, but enabled the reduction of the truncation error to a small fraction of the accident sequence probability. This iterative condensation procedure is explained in Section 4.


Solutions were found as well for other problems frequently encountered in applied risk and reliability evaluations using alternate methodologies. Two such problems frequently encountered are special types of dependencies: loops and phased missions. An example of a loop dependency is the case where an essential raw cooling water (ERCW) pump is dependent on electric power from a diesel generator, which is in turn dependent on the supply of cooling water from the same ERCW pump. The ability to break these loops was found to be particularly easy to accomplish in the GO modeling of Sequoyah systems in Section 4. Phased missions, in which the same hardware performs several functions at different times during an event sequence, were also found to be easily modeled using GO.

One of the capabilities of GO models of interest in both safety and availability applications is that many output states of a system or plant can be calculated simultaneously. A GO model can provide as many as N2 output states where N is the number of selected output signals to be tracked. This multiple output state capability allows a single GO model to simultaneously calculate the probabilities of many accident sequences as well as a combined degraded plant state (or core melt) probability. Multiple output states also give GO a capability to construct plant availability models with different power-level states and capacity factor models.

Additional modeling insights are summarized below.

• The large number of available GO operators and the use of supertypes and supercomponents provide a wide degree of modeling flexibility to the analyst.

• Care must be exercised in interpreting results in light of the truncation errors. Because the truncation probability (PMIN) is actually a variable, it is impossible to infer the allocation of the truncation error (E) to output state. Therefore, the "true" result for the probability of any output state P(y) lies somewhere between P(y) and P(y) + E.

• The truncation error often frustrates efforts to "debug" a model or to recreate results using logically equivalent but different GO models.

• The wide degree of modeling flexibility that exists has a pitfall in that for a given system there are many different "correct" GO models. Therefore, there is much room for analyst-to-analyst variability and this complicates review efforts.

• The mapping of event sequence diagrams or event trees into GO models is not very straightforward and requires some iterative steps to confirm that proper logic has been modeled.
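The PMIN cutoff, the accumulated truncation error E, the bound P(y) to P(y) + E, and the effect of condensing submodels described in this section can be reproduced on a small case. The Python below is an added example, not part of the original report and not the GO program; it assumes a fixed cutoff, a constructed two-train air-supply system, and unavailabilities quoted from Table 5-5.

```python
"""Fixed-cutoff state pruning and the truncation-error bound it produces.

Illustrative model only: this is not the GO program, and the two-train air
supply below is a constructed system, not one of the Sequoyah models.
"""
import re
from math import prod


def parse_abbrev(text):
    """Table 5-5 notation: '2.45-3' means 2.45 x 10^-3; plain decimals pass through."""
    m = re.fullmatch(r"(\d*\.?\d+)([+-]\d+)", text.strip())
    return float(f"{m.group(1)}e{m.group(2)}") if m else float(text)


# Unavailabilities as printed in Table 5-5 (kinds 72, 75, 80, 83, 79, 68, 69).
TABLE = {
    "Air Compressor": "1.51-2", "Aftercooler": "3.48-5", "Dryer": "8.74-4",
    "Pressure Control Valve": "3.40-3", "Receiver": "7.98-7",
    "Battery IV": "2.25-4", "Inverter": "2.45-3",
}
Q = {name: parse_abbrev(value) for name, value in TABLE.items()}
TRAIN_PARTS = ["Air Compressor", "Aftercooler", "Dryer", "Pressure Control Valve"]
COMMON = ["Receiver", "Battery IV", "Inverter"]


def quantify(components, system_fails, pmin):
    """Build the joint state distribution one component at a time.

    Any partial state whose probability drops below pmin is discarded and its
    probability is added to the truncation error E (assumption: pmin stays
    fixed, whereas the report says GO raises it automatically when needed).
    Returns (P(system failed) over retained states, E, retained state count).
    """
    states, trunc = {(): 1.0}, 0.0
    for _, q in components:
        nxt = {}
        for state, p in states.items():
            for failed, weight in ((False, 1.0 - q), (True, q)):
                pw = p * weight
                if pw < pmin:
                    trunc += pw
                else:
                    nxt[state + (failed,)] = pw
        states = nxt
    names = [name for name, _ in components]
    p_fail = sum(p for s, p in states.items() if system_fails(dict(zip(names, s))))
    return p_fail, trunc, len(states)


def series(qs):
    """Unavailability of independent components in series (any failure fails it)."""
    return 1.0 - prod(1.0 - q for q in qs)


def detailed_model():
    """Eleven components: two redundant four-part trains plus three shared items."""
    comps = [(f"{part} {t}", Q[part]) for t in "AB" for part in TRAIN_PARTS]
    comps += [(c, Q[c]) for c in COMMON]

    def fails(st):
        train_down = {t: any(st[f"{part} {t}"] for part in TRAIN_PARTS) for t in "AB"}
        return (train_down["A"] and train_down["B"]) or any(st[c] for c in COMMON)
    return comps, fails


def condensed_model():
    """Same logic with each series group replaced by one equivalent component."""
    q_train = series(Q[part] for part in TRAIN_PARTS)
    comps = [("Train A", q_train), ("Train B", q_train),
             ("Common", series(Q[c] for c in COMMON))]
    return comps, lambda st: (st["Train A"] and st["Train B"]) or st["Common"]


def compare(pmin=1e-7):
    exact, _, _ = quantify(*detailed_model(), pmin=0.0)
    return {"exact": exact,
            "detailed": quantify(*detailed_model(), pmin=pmin),
            "condensed": quantify(*condensed_model(), pmin=pmin)}


if __name__ == "__main__":
    r = compare()
    print(f"exact P(fail) = {r['exact']:.6e}")
    for label in ("detailed", "condensed"):
        p, e, n = r[label]
        print(f"{label:9s}: P = {p:.6e}  E = {e:.3e}  states kept = {n}"
              f"  bound = [{p:.6e}, {p + e:.6e}]")
```

With the same cutoff, the detailed model discards states and reports a result below the exact value, while the condensed model keeps every state and reproduces it.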

6.3 SAFETY ANALYSIS RESULTS

6.3.1 Event Sequence Modeling

A major result of the GO demonstration was the development of an event sequence model of a size and complexity approaching that of a level 1 PRA. The event sequence model (whose major elements are illustrated in Figure 6-1) that was developed distinguishes among 13 different groups of initiating events and 4 different end states called "plant states." The plant states are (1) continue plant operation, (2) hot standby, (3) cold shutdown, and (4) degraded. If the event sequence model were expanded beyond the scope of this project, the addition of some events to the model, such as omitted operator recovery actions, would result in the subdivision of the degraded plant state into various substates, such as no core damage, severe core damage, core melt, etc.

For modeling convenience, the event sequence model was subdivided into modules including an auxiliary systems model and 14 different frontline systems event sequence diagram (ESD) models. All non-anticipated transient without scram (ATWS) event sequences pass through two modules: the auxiliary systems module and one frontline ESD module. ATWS sequences that emerge from the first frontline ESD are processed by a separate ATWS event sequence model, whose sequences end in either a plant state or a small loss of coolant accident (LOCA). These small LOCA sequences are processed through ESD 3 before termination in a plant state. Hence, depending on the sequence, one, two, or three frontline ESD models are used to describe its evolution from initiating event to plant state.

As noted above, the event sequence model of Figure 6-1 is comparable in size and complexity to event sequence models needed for typical level 1 PRAs. However, to provide a methodology demonstration, it was necessary to quantify the event sequence models for only two groups of "internal" initiating events; namely, loss of steam flow and large LOCA.
These models could, if desired, be used to analyze a full complement of internal and external initiating events needed for a full-scope, level 1 PRA. To analyze an event such as "loss of offsite power" or "loss of emergency raw cooling water," its frequency would need to be calculated and the input data to the appropriate model elements would have to be conditioned on the occurrence of the event. To analyze external events, the frequency of the events leading to various damage states would need to be calculated and the input data to the GO models conditioned for each damage state. Special software to model common cause initiating events such as seismic events is available to simplify this process for the analyst (Reference 6-2). Hence, the demonstration of a PRA-type event sequence modeling capability has been satisfactorily completed.

[Figure 6-1. Coverage of Event Sequences in GO Safety Demonstration Model. Columns: Initiating Events; Sequoyah Plant Event Sequence Model*; Plant States. *Each block represents a separate event sequence diagram.]

6.3.2 Event Sequence Quantification

A second key result of this project was the satisfactory demonstration that a plant-level model of a nuclear power plant could be quantified to obtain accurate and reasonable results. Because the equivalence of GO modeling and fault tree analysis had already been demonstrated at the system level in a previously completed project (Reference 6-1), one issue to be resolved in this project was whether a much larger model of a complete power plant could be quantified. Because of the way in which GO is programmed to manage its computer storage requirements, increasing the size of the model results in increasing the magnitude of the truncation error. Hence, to demonstrate the feasibility of plant-level quantification, it was necessary to demonstrate that the truncation error could be kept to a manageable level.

The first conclusion reached with respect to quantification is that large plant models made up by linking together system models of the level of detail normally incorporated into PRA fault trees quickly yield truncation errors that are greater in magnitude than the final results and therefore totally mask these results. This problem was encountered at an early stage of this GO demonstration project. The implication of the problem was that, unless an approach to reducing the size of the truncation error could be found, the GO methodology would not be suitable insofar as plant-level applications are concerned. Fortunately, a solution to this problem was found by developing procedures to condense the level of detail of the model and reduce the size of the truncation error to manageable levels. These procedures are described in Section 4.
A comparison of the results with the truncation errors for the two sets of initiating events that were quantified is presented in Table 6-1. The results were calculated using two different versions of the Sequoyah plant model that were used to optimize procedures for tracing risk contributors as explained more fully below. The condensation procedures were successful in the reduction of truncation errors to about 1% or less of the degraded plant state frequency. Therefore, the GO methodology was satisfactorily demonstrated in regard to the feasibility of large plant model quantification. A remaining problem, however, is that the approach to model condensation is manual, requires iteration, and is not as systematic as one would like it to be. It is recognized that all PRA methodologies have encountered to varying degrees a similar need to simplify and condense models to "fit" them into the computer. Further refinement of these techniques should be undertaken to make them as efficient and automated as possible.

Table 6-1
COMPARISON OF RESULTS WITH TRUNCATION ERRORS FOR LARGE LOCA AND LOSS OF STEAM FLOW ESD MODELS

                             Single-Stage Integrated Model            Two-Stage Integrated Model
Event Sequence Diagram       Conditional   Truncation  Percentage     Conditional   Truncation  Percentage
                             Degraded      Error       Error          Degraded      Error       Error
                             Plant State                              Plant State
                             Frequency                                Frequency

ESD 1 Large LOCA             1.02-2        1.68-7      0.0016%        *             *
ESD 2 Loss of Steam Flow     4.43-5        1.81-7      0.41%          4.43-5        5.96-7      ~1.3%

Note: Exponential notation is indicated in abbreviated form; i.e., 1.02-2 = 1.02 x 10^-2.
*This case not analyzed.

6.3.3 Tracing of Important Contributors

The final result of the safety model analysis was the satisfactory demonstration of a capability to trace the important contributors to degraded plant state and event sequence frequencies. Some significant difficulties were experienced during initial attempts in tracing contributors when a single-stage, highly integrated plant model was used. Because the GO FAULT FINDER option is not able to accommodate NOT gates, and bogs down when used on a large model, direct use of FAULT FINDER on a single integrated plant-level model to identify the important contributors to sequence is not possible. Procedures to circumvent this difficulty are presented below.

A GO run does not provide intermediate results beyond that enabled by the tracking of the 24 available output signals. As a result, the entire GO model had to be rerun three times to enable the identification of only two minimal cutsets, making a total of 31% of the degraded plant state frequency. The result of this tracing process is illustrated in Figure 6-2. While this process could have been continued in the identification of a greater percentage of the risk contribution, this procedure was found cumbersome and impractical for full-scale PRA applications.

A satisfactory capability for tracing contributors was demonstrated by using a two-stage, integrated plant model. In this two-stage model, which is described more fully in Section 4.8, the GO model was executed a number of times and results synthesized externally.
This approach was structured to provide a capability to use the FAULT FINDER and GOLF software to help determine a greater percentage of risk contributors as indicated in Figure 6-3. Hence, a satisfactory level of tracing capability was demonstrated.

[Figure 6-2. Tracing of Contributors in ESD 7 Using Single-Stage Integrated Plant Model. Panels: Event Sequence Group Tracing; Cutset Tracing. *LOSP = loss of offsite power within 24 hours of initiating event.]

[Figure 6-3. Tracing of Contributors in ESD 7 Using Double-Stage Integrated Plant Model. Panels: Event Sequence Group Tracing; Cutset Tracing. *Percentages given for incremental contribution (cumulative contribution). **LOSP = loss of offsite power within 24 hours of initiating event.]

6.4 PLANT AVAILABILITY ASSESSMENT

The second major application of the GO methodology demonstrated in this project was the assessment of the availability of the overall plant with respect to its capability to produce electric power. As explained more fully in Section 3, the Sequoyah plant model constructed for this application is necessarily different and separate from the plant safety model because the systems logic and success criteria for the electric power production function are entirely different from the safety functions of the plant. For example, the event sequence of a turbine trip and plant shutdown to a cold shutdown state would be a "success" with respect to a safety model, but a "failure" with respect to a plant productivity or availability model.

Because some of the plant systems, particularly the auxiliary systems, are included within both the safety and availability models and because both of these plant models were constructed at the same time using the same methodology, albeit different logic and success criteria, it makes sense to talk about the collection of these models for a given plant as constituting an "integrated safety and availability model" of a nuclear power plant.

As with the safety model demonstration, the scope of the availability model was restricted to that necessary to provide an adequate demonstration of methodology but short of that needed for a definitive assessment of the Sequoyah plant. These scope restrictions for the availability demonstration include the following:

• The only availability factor calculated was the probability that the plant is capable of producing 100% power. Hence, all operating states that will not normally allow operation at full power were modeled as part of the unavailable state.

• Only forced outages are included such that planned shutdowns for maintenance and refueling were excluded.

• The model was quantified using only generic data that were not reviewed for detailed applicability to Sequoyah.

• Some systems that have only an indirect effect on plant availability, such as the systems that replenish depleted supplies of condensate, were not modeled.

Despite the above restrictions, a relatively large model was constructed and successfully quantified. The model included 13 systems and 1,500 contributors to unavailability. Each contributor represented either a component or group of similar components.

Numerical results are summarized in Table 6-2, which includes a comparison with a short period of operating experience at Sequoyah. The truncation error for this evaluation was less than 5 x 10^-6. This comparison is not presented as a benchmark of the model, in view of the scope restrictions above, but it does indicate that a reasonable result was achieved. This satisfactorily demonstrates that a large, detailed plant-level availability model can be successfully quantified. This is not surprising in view of the fact that the availability model, being a two-output state model, was less difficult to implement than the safety model, which needed to account for many different accident sequences.

Table 6-2
COMPARISON OF PREDICTED AND EXPERIENCED AVAILABILITY FACTORS FOR SEQUOYAH

Result                                       Availability Factor (percent)*

GO Model Prediction - Unit 1 (100% Power)    76
Sequoyah Experience (90% - 100% Power)
  Unit 1                                     55
  Unit 2†                                    71
  Average                                    63

*All results exclude period of refueling outage.
†Experience values are based on the first 16 months of commercial operation of Unit 1 (excluding nearly 3 months' refueling) and the first 8 months of commercial operation of Unit 2. Consequently, the availability factor may be low due to startup problems.

As with the safety model, the sheer size of the fully integrated plant-level availability model precluded the use of the GO software for tracing the underlying contributors (the GO-FAULT FINDER-GOLF sequence). To overcome this limitation, use was made of the fact that the plant-level model was constructed as a sequence of system-level models functionally connected in series; i.e., unavailability of any system causes plant unavailability. This is reasonable for a 100% power production type of model. Because of the simple structure of the plant model, principal contributors to plant unavailability could simply be determined by running the system-level models separately through the GO-FAULT FINDER-GOLF sequence.

The results of the system-level GO analyses and their contributions to plant unavailability are summarized in Table 6-3 for those systems making significant contributions. The main steam, generator, feedwater, and reactor coolant systems were each found to make more than 3% unavailability contribution out of a total plant unavailability of 24%. A subdivision of the system-level contributors into component and subsystem contributions is presented in Table 6-4. At this level of specifying contributors, the turbine was found to be the ranking component, a result that is consistent with industry experience. By contrast, industry experience would suggest a lower contribution should be expected for the main feedwater pumps. This is attributed to the fact that the failure rate for main feedwater pumps assumed in this project was taken to be the same as that supported by generic data on steam-driven auxiliary feedwater pumps. Nothing unusual about the design of the Sequoyah main feedwater pumps was identified in this analysis.

The results of Tables 6-3 and 6-4 provide a satisfactory demonstration of the capability to trace contributions in a large, plant-level availability model. The tracing process was aided by the simplicity of the plant model that facilitated separate, system-level analyses, which were necessary to work around the limitations of the GO-FAULT FINDER-GOLF sequence of software. Had a more complex plant-level logic been encountered, it is reasonable to assume that the condensation and modularization procedures developed to cope with these problems in the safety model could have been applied here as well.

Table 6-3
SYSTEMS MOST IMPORTANT TO PLANT UNAVAILABILITY

System                        Unavailability,    Contribution,
                              Percent            Percent of Total

Main Steam                    7.69               32.6
Generator                     5.78               24.5
Main Feedwater                4.48               19.0
Reactor Coolant               3.37               14.3
Condensate                    0.95                4.0
Heater Drains                 0.73                3.1
Condenser Circulating Water   0.59                2.5

Table 6-4
MAJOR CONTRIBUTORS TO 100% POWER UNAVAILABILITY

System/Component                                  Component    System

Primary
  Reactor Coolant                                              3.12
    Steam Generators                              2.14
    Reactor Coolant Pumps                         .76
    Reactor Coolant Pump Oil Lift Pumps           .22
  Chemical and Volume Control
    Pressurizer Safety Valves                     0.25         0.25
  Total Primary                                                3.37

Secondary
  Main Steam                                                   7.69
    Turbine                                       6.00
    Main Steam PSVs                               1.69
  Main Feedwater                                               4.48
    Main Feedwater Pumps                          4.48
  Generator                                                    5.78
    Main Generator                                3.00
    Hydrogen Fans and Blowers                     2.49
    Seal Oil Pumps                                0.29
  Circulating Water                                            0.59
    Cooling Tower Supply Pumps                    0.59
  Heater Drain                                                 0.73
    Heater Drain Tank 3 Pumps                     0.44
    Heater Drain Tank 7 Pumps                     0.29
  Condensate                                                   0.95
    Condenser                                     0.40
    Main Feedwater Pumps Turbine Condenser        0.22
    Condensate Heaters                            0.22
    Gland Steam Condensers                        0.11
  Total Secondary                                              20.22

f 'I J

In summary, the demonstration of a plant-level availability assessment capability of the GO methodology was successfully completed. The authors identified no technical reasons why the GO methodology could not be used as an effective tool to evaluate and manage risks associated with unforeseen losses of plant productivity. This result, combined with the results of the safety demonstration, supports the use of the GO methodology to perform integrated safety and availability assessments of nuclear power plants.

6.5 RECOMMENDATIONS

Upon completing the project, the authors have concluded that the GO methodology and associated postprocessor software provide an acceptable set of tools to perform meaningful probabilistic safety and plant availability analyses. How this methodology stacks up against alternative methodologies can only be determined after some experience is accumulated in complete plant-level assessments, which this demonstration project is not. There is no apparent reason why such assessments should not be performed using the GO methodology.

In the event that Tennessee Valley Authority elects to perform a full-scope level 1 PRA in Sequoyah, the resources needed to remove the scope limitations from the models developed in this project and to refine the models for definitive applicability to Sequoyah should be substantially less than those resources needed to implement an alternative methodology from scratch. A similar comment applies to the availability model.

There are a number of refinements to the software that would further enhance the usefulness of the GO methodology in safety and availability assessment. These recommendations are itemized below.

• The FAULT FINDER software should be refined to accept NOT logic and evaluate larger models more economically, and find larger order fault sets.

• The enhancement of STEVEQUANT to integrate-to GO results in a two-stage integrated plant model application should be performed and could be completed with a modest investment of resources.

• The manual steps needed to carry out the two-stage integrated plant model using the GO-GOST-GO-FAULT FINDER-GOLF sequences should be automated or at least made interactive.

• The GO software should be reprogrammed to make greater use of virtual memory capabilities on some currently available minicomputers such as IBM, PRIME, and VAX. With this added capability, the problems encountered in this project related to truncation errors and insufficient output signals could be more easily solved.


EPRI NP-4128, Volume 1

Below are five index cards that allow for filing according to the four cross-references in addition to the title of the report. A brief abstract describing the major subject area covered in the report is included on each card.

EPRI NP-4128, Volume 1
RP1842-4
Final Report
July 1985

Full-Scale Plant Safety and Availability Assessment-A Demonstration of GO System Analysis Methodology
Volume 1: Plant-Level Models

Contractor: Pickard, Lowe and Garrick, Inc.

The probabilistic GO methodology has demonstrated its ability to perform plant-level safety and availability analyses. The methodology proved effective in modeling system performance, and the GO software, numerically efficient in quantifying system models and identifying critical components. 368 pp.

EPRI Project Manager: B. B. Chu

Cross-References:
1. EPRI NP-4128, Volume 1
2. RP1842-4
3. Risk Assessment Program
4. Risk Assessment

ELECTRIC POWER RESEARCH INSTITUTE
Post Office Box 10412, Palo Alto, CA 94303 415-855-2000

}}