ML20136C491

Forwards Draft, Review of Vogtle Units 1 & 2 Auxiliary Feedwater Sys Reliability Analysis. Loss of Offsite Power Result Is Borderline.Related Info Encl
ML20136C491
Person / Time
Site: 05000000, Vogtle
Issue date: 12/13/1984
From: Youngblood R
BROOKHAVEN NATIONAL LABORATORY
To: Lefave W
Office of Nuclear Reactor Regulation
Shared Package
ML082840446
References
CON-FIN-A-3702, FOIA-84-663 NUDOCS 8601030350


Text

{{#Wiki_filter:BROOKHAVEN NATIONAL LABORATORY
ASSOCIATED UNIVERSITIES, INC.
Upton, Long Island, New York 11973
(516) 282-2363
Department of Nuclear Energy
FTS 666

December 13, 1984

Mr. W. T. LeFave
Auxiliary Systems Branch
Mail Stop P1022
Division of Safety Technology
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555

Dear Mr. LeFave:

Enclosed is a draft of our report on the Vogtle Auxiliary Feedwater analysis. A first draft of the Beaver Valley report is undergoing internal review.

You will note that the Loss of Offsite Power result is 10^-4, which by some standards is "borderline." As noted in the summary, this is based on what are probably conservatisms regarding failure to recover certain valve misalignments.

We look forward to receiving your comments on this report and on Shearon Harris.

Sincerely yours,

Robert Youngblood

csc
Enc.
cc: R. A. Bari
A. Fresco

8601030350 851127 PDR FOIA BELL 84-663 PDR

NUREG/CR-
BNL-NUREG-
DRAFT COPY

REVIEW OF THE VOGTLE UNITS 1 AND 2 AUXILIARY FEEDWATER SYSTEM RELIABILITY ANALYSIS

A. Fresco, R. Youngblood and I. A. Papazoglou
Department of Nuclear Energy
Brookhaven National Laboratory
Upton, NY 11973

October 1984

Prepared for
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Contract No. DE-AC-02-76CH00016
FIN A-3702

ABSTRACT

This report presents the results of the review of the Auxiliary Feedwater System reliability analysis for the Vogtle Electric Generating Plant (VEGP) Units 1 and 2. The objective of this report is to estimate the probability that the Auxiliary Feedwater System will fail to perform its mission for each of three different initiators: (1) loss of main feedwater with offsite power available, (2) loss of offsite power, (3) loss of all AC power except vital instrumentation and control 125V DC / 120V AC power. The scope, methodology, and failure data are prescribed by NUREG-0611, Appendix III. The results are compared with those obtained in NUREG-0611 for other Westinghouse plants.

TABLE OF CONTENTS

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
EXECUTIVE SUMMARY
1.0 INTRODUCTION
2.0 SCOPE OF BNL REVIEW
3.0 MISSION SUCCESS CRITERIA
4.0 SYSTEM DESCRIPTION
5.0 EMERGENCY OPERATION
  5.1 Loss of Main Feedwater (LMFW)
  5.2 Loss of Offsite Power (LOOP)
  5.3 Loss of All AC (LOAC)
6.0 TESTING
7.0 SURVEILLANCE REQUIREMENTS
8.0 OUTAGE LIMITATIONS AND MAINTENANCE
  8.1 Outage Limitations
  8.2 Maintenance
9.0 RELIABILITY ANALYSIS
  9.1 Qualitative Aspects
    9.1.1 Mode of System Initiation
    9.1.2 System Control Following Initiation
    9.1.3 Effects of Test and Maintenance Activities
    9.1.4 Availability of Alternate Water Supplies
    9.1.5 Adequacy and Separation of Power Sources
    9.1.6 Common Mode Failures
    9.1.7 Single Point Failures
    9.1.8 Adequacy of Emergency Procedures
  9.2 Quantitative Aspects
    9.2.1 Applicant's Use of NRC-Suggested Methodology and Data
      9.2.1.1 Fault Tree Construction and Evaluation
      9.2.1.2 Failure Data
    9.2.2 Applicant's Results
      9.2.2.1 System Unavailabilities
      9.2.2.2 Dominant Failure Modes and Conclusions
    9.2.3 BNL Assessment
      9.2.3.1 Fault Trees
      9.2.3.2 Failure Data
      9.2.3.3 System Unavailabilities
      9.2.3.4 Dominant Failure Modes
      9.2.3.5 General Comparison to Other Plants
      9.2.3.6 General Comments
REFERENCES

LIST OF FIGURES

Figure 1. AFWS (Simplified Flow Diagram)
Figure 2. Unit 1 Auxiliary Feedwater/Steam Generators Intake
Figure 3. AFWS Simplified Piping Layout
Figure 4. AFWS Reliability Evaluation Methodology Flow Chart
Figure 5. Unit 1 AFWS Block Diagram
Figure 6. AFWS Expanded Block Diagram
Figure 7. Unit 1 AFWS Fault Tree Model
Figure 8. VEGP AFWS Unavailability Assessment Dominant Failure Modes - Case No. 1 - LMFW
Figure 9. VEGP AFWS Unavailability Assessment Dominant Failure Modes - Case No. 2 - LOOP
Figure 10. VEGP AFWS Unavailability Assessment Dominant Failure Modes - Case No. 3 - LOAC

LIST OF TABLES

Table 1. VEGP AFWS Conditional Availability Comparison to Other Plants Using the Westinghouse NSSS
Table 2. Unavailabilities of the VEGP AFWS, Comparison of Applicant's Results to BNL Assessment
Table 3. BNL Assumptions of VEGP NSSS Steam Generator Makeup Requirements Based Upon FSAR Information
Table 4. FSAR Table 10A-4, AFWS Component Failure Data
Table 5. NRC-Supplied Data Used for Purposes of Conducting a Comparative Assessment of Existing AFWS Designs and Their Potential Reliabilities
Table 6. Nomenclature Scheme for Fault Identifiers Added by BNL to the Applicant's Fault Tree
Table 7. Comparison of Data Assumptions
Table 8. VEGP AFWS Unavailability Sensitivity Comparison

EXECUTIVE SUMMARY

After the accident at Three Mile Island, a study was performed of the reliability of the auxiliary feedwater system (AFWS) of each then-operating plant with NSSS designed by Westinghouse. The results of that study were presented in NUREG-0611.(1) At the request of the NRC,(2) Georgia Power Corporation, an operating license applicant, has provided the NRC with a study of the Vogtle Electric Generating Plant (VEGP) Units 1 and 2 AFWS,(3) performed using NUREG-0611 as a guideline. BNL has reviewed this study. The BNL conclusions are as follows ("High", "Medium", and "Low" refer to the NUREG-0611 reliability scale).

1. For an accident resulting in a loss of main feedwater (LMFW) with offsite power available: The reliability of the AFWS is in the High range (unavailability = 2.2E-5/demand).

2. For a loss of offsite power (LOOP) resulting in a concurrent loss of main feedwater (LMFW): The reliability of the AFWS is on the borderline of the High range (unavailability = 1.0E-4/demand).

3. For a loss of all AC power (LOAC), except for the 125V DC / 120V AC vital instrumentation and control power systems, resulting in a concurrent loss of main feedwater (LMFW): The reliability of the AFWS is in the Medium range (unavailability = 3.2E-2/demand).

A comparison of the VEGP AFWS reliability to other AFWS designs in plants using the Westinghouse NSSS is shown in Table 1. The specific quantitative comparison between the applicant's and BNL's results is shown in Table 2. The BNL results are based on the unavailabilities shown in Table 8 of this report, for Case C with "Multiple Errors Assumed."

This evaluation incorporates certain fairly conservative assumptions which were made for lack of information. These are discussed in Section 9.2.3. It is likely that additional information would reduce the unavailability estimates quoted above.

Table 1. VEGP AFWS Conditional Availability Comparison (a) to Other Plants Using the Westinghouse NSSS

[Chart not reproduced. For each of three transient events (LMFW, LMFW/LOOP, LMFW/LOAC), each plant is marked on a LOW / MED / HIGH availability scale. Plants shown: Haddam Neck, San Onofre, Prairie Island, Salem, Zion, Yankee Rowe, Trojan, Indian Point, Kewanee, H. B. Robinson, Beaver Valley, Ginna, Point Beach, Cook, Turkey Point, Farley, Surry, North Anna, Vogtle. The Vogtle entries carry separate markers for the applicant's results and the BNL assessment.]

Notes:
a. Order of magnitude in unavailability represented. Increasing availability.
b. The scale for this event is not the same as that for the LMFW and LMFW/LOOP.

Table 2. Unavailabilities of the VEGP AFWS, Comparison of Applicant's Results to BNL Assessment

Transient | Applicant's Results | BNL Assessment
1. LMFW | 6.3E-6 | 2.2E-5
2. LOOP | 2.6E-5 | 1.0E-4
3. LOAC | 1.0E-2 | 3.2E-2

1. INTRODUCTION

This report is a review by Brookhaven National Laboratory (BNL) of the Vogtle Electric Generating Plant (VEGP) Final Safety Analysis Report (FSAR) Appendix 10A, entitled "VEGP Auxiliary Feedwater System Availability Analysis," prepared by Bechtel Corporation for Georgia Power Corporation.(3)

After the accident at Three Mile Island, a study was performed of the Auxiliary Feedwater Systems (AFWS) of all the then-operating plants. The results obtained for operating Westinghouse-designed plants were presented in NUREG-0611.(1) At that time, the objective was to compare AFWS designs; accordingly, generic failure probabilities were used in the analysis, rather than plant-specific data. Some of these generic data were presented in NUREG-0611. The probability that the AFWS would fail to perform its mission on demand was estimated for three initiating events:

(a) loss of main feedwater (LMFW) without loss of offsite power;
(b) loss of main feedwater associated with loss of offsite power (LOOP);
(c) loss of main feedwater associated with loss of offsite and onsite AC (LOAC).

Since then, each applicant for an operating license has been required (2) to submit a reliability analysis of the plant's AFWS, carried out in a manner similar to that employed in the NUREG-0611 study. A quantitative criterion for AFWS reliability has been defined by the NRC in the current Standard Review Plan (SRP) for Auxiliary Feedwater Systems:(4)

"...An acceptable AFWS should have an unreliability in the range of 10^-4 to 10^-5 per demand based on an analysis using methods and data presented in NUREG-0611 and NUREG-0635. Compensating factors such as other methods of accomplishing the safety functions of the AFWS or other reliable methods for cooling the reactor core during abnormal conditions may be considered to justify a larger unavailability of the AFWS."

2. SCOPE OF BNL REVIEW

The BNL review has been conducted in accordance with the methodology, data, and scope of NUREG-0611, Appendix III.(1) It has two major objectives:

(a) to evaluate the applicant's reliability analysis of the AFWS.
(b) to provide an independent assessment, to the extent practical, of the AFWS unavailability.

Unavailability as used in this report has been defined as the "probability that the AFWS will not perform its mission on demand." The term unavailability is used interchangeably with unreliability.

Specific goals of this review are then:

(a) to compare the applicant's AFWS to the operating plants studied in NUREG-0611 by following the methodology of the latter as closely as possible.
(b) to evaluate the applicant's AFWS with respect to the reliability goal set forth in SRP 10.4.9, i.e., that the AFWS has unreliability in the range of 10^-4 to 10^-5 per demand, using the above methodology.

The NUREG-0611 methodology and the BNL review specifically exclude externally caused common mode failures such as earthquakes, tornados, floods, etc., and internal failures caused by pipe ruptures.

3. MISSION SUCCESS CRITERIA

According to Ref. 3, the AFWS is composed of three mechanical trains which serve the four steam generators at a given unit. The steam generators have been analyzed to require 510 gal/min of flow under the most severe accident conditions. Each motor-driven pump of trains A and B has a capacity of 630 gal/min and provides more than 100 percent of the required auxiliary feedwater flow. Train A provides feedwater to steam generators 1 and 4, and train B provides feedwater to steam generators 2 and 3. The (steam) turbine-driven pump of train C has a capacity of 1300 gal/min and provides more than 200 percent of the required auxiliary feedwater flow. The turbine-driven pump provides feedwater to all four steam generators. The success criterion for the AFWS is flow to any two steam generators.

Furthermore, as outlined by the NRC evaluation of generic AFWSs (NUREG-0611), the AFWS must actuate within the time it takes for the steam generators to boil dry when no flow is provided to the steam generators. At VEGP, the boiloff time (and therefore the limit on the AFWS actuation time) is approximately 30 min, as stated in Reference 3.

In addition, FSAR Subsection 10.4.9.2.1 states that normal flow is from the CST to the auxiliary feedwater pumps. The design of the CST provides for cold shutdown capability for a period of 9 hours: 4 hours at hot standby, followed by a 5 hour cooldown period. Table 3 of this report provides the nuclear steam supply system (NSSS) required makeup rates to the steam generators for the specific transients within the scope of this review. Initially, sensible heat is removed from the RCS to reduce the temperature from a full-power operation average temperature of 588°F to a nominal hot standby temperature of 500°F. Subsequently, to bring the reactor down to 350°F at 50°F/h, an initial makeup rate of 500 gal/min is required.

4. SYSTEM DESCRIPTION

The BNL review of the AFWS reliability is based on the system as described in the VEGP FSAR Sections 10.4.9 and 10A currently on file in BNL's Nuclear Safety Library. The simplified AFWS flow diagrams, fault trees, and other drawings from Section 10A have been included in this report for convenience (see BNL Figures 1 to 7). All figures and tables will be referred to by the present numbering scheme, e.g., Table 1 of this report, which is FSAR Table 10A-5, will be called simply Table 1.

Table 5. NRC-Supplied Data Used for Purposes of Conducting a Comparative Assessment of Existing AFWS Designs and Their Potential Reliabilities

Point Value Estimate of Probability of Failure on Demand*

I. Component (Hardware) Failure Data

a. Valves:
  Manual Valves (Plugged): ~1 x 10^-4
  Check Valves: ~1 x 10^(exponent illegible)
  Motor-Operated Valves:
    Mechanical Components: ~1 x 10^-3
    Plugging Contribution: ~1 x 10^-4
    Control Circuit (Local to Valve):
      w/ Quarterly Tests: ~6 x 10^-3
      w/ Monthly Tests: ~2 x 10^-3
b. Pumps (1 Pump):
  Mechanical Components: ~1 x 10^-3
  Control Circuit:
    w/ Quarterly Tests: ~7 x 10^-3
    w/ Monthly Tests: ~4 x 10^-3
c. Actuation Logic: ~7 x 10^-3

* Error factors of 3-10 (up and down) about such values are not unexpected for basic data uncertainties.



Table 5 (Cont.)

II. Test and Maintenance Outage Contributions:

a. Calculational Approach

1. Test Outage: Q_TEST = (hrs/test)(tests/year) / (hrs/year)
2. Maintenance Outage: Q_MAINT = (0.22)(hrs/maint. act) / [denominator illegible]

b. Data Tables for Test and Maint. Outages

SUMMARY OF TEST ACT DURATION

Component | Range on Test Act Duration Time, hr | Calculated Mean Test Act Duration Time, tc, hr
Pumps | 0.25 - 4 | 1.4
Valves | 0.25 - 2 | 0.36
Diesels | 0.25 - 4 | 1.4
Instrumentation | 0.25 - 4 | 1.4

LOG-NORMAL MODELED MAINTENANCE ACT DURATION

Component | Range on Maintenance Act Duration Time, hr | Calculated Mean Maintenance Act Duration Time, hr
Pumps | 1/2 - 24 | 7
Pumps | 1/2 - 72 | 19
Valves | 1/2 - 24 | 7
Diesels | 2 - 72 | 21
Instrumentation | 1/4 - 24 | 6

Note: These data tables were taken from the Reactor Safety Study (WASH-1400) for purposes of this AFW system assessment. Where the plant technical specifications placed limits on the outage duration(s) allowed for AFW system trains, this tech spec limit was used to estimate the mean duration times for maintenance. In general, it was found that the outages allowed for maintenance dominated those contributions to AFW system unavailability from outages due to testing.

Table 5 (Cont.)

III. Human Acts & Errors - Failure Data:

Estimated Human Error/Failure Probabilities, Modifying Factors & Situations. Columns: With Valve Position Indication in Control Room; With Local Walk-Around & Double Check Procedures; W/O Either. Each column gives a Point Value Estimate and an Estimate on Error Factor.

a. Acts & Errors of a Pre-Accident Nature
  1. Valves Mispositioned During Test/Maint
    (a) Specific Single Valve Wrongly Selected out of a Population of Valves During Conduct of a Test or Maintenance Act (X = No. of Valves in Population at Choice)
    (b) Inadvertently Leaves Correct Valve in Wrong Position
  2. More than one valve is affected (coupled errors)
  3. Miscalibration of Sensors/Electrical Relays
    (a) One Sensor/Relay Affected
    (b) More than one Sensor/Relay Affected

[Numeric entries of this part of the table are not legible in the scanned source.]

Table 5 (Cont.)

Columns: Time Actuation Needed; Estimated Failure Prob. for Primary Operator to Actuate AFWS; Estimated Failure Prob. of Other (Backup) Control Rm. Operator to Actuate AFWS; Overall Estimate of Failure Probability; Estimated Error Factor on Overall Probability.

b. Acts & Errors of a Post-Accident Nature
  1. Manual Actuation of AFW system from Control Room
    (a) Considering "Dedicated" Operator to Actuate AFW system and Possible Backup Actuation of AFWS: entries for 5 min., 15 min. (backup 0.5, mod. dep.) and 30 min. (backup 0.25, low dep.)
    (b) Considering "Non-Dedicated" Operator to Actuate AFW system and Possible Backup Actuation of AFW system: entries for 5 min., 15 min. (backup 0.5, mod. dep.) and 30 min. (backup 0.25, low dep.)

[The remaining numeric entries of this part of the table are not legible in the scanned source.]

Table 6. Nomenclature Scheme for Fault Identifiers Added by BNL to the Applicant's Fault Tree

Basic Events
RA = Random Acts (includes pre-accident operator error for manual valves)
MA = Maintenance Acts
TA = Test Acts
OE = Operator Error (includes both pre- and post-accident operator error for motor-operated valves)
CL = Closed
OP = Open
FTO = Fails to Open
ACTRNAF = Random failure of Train A AC power, i.e., Diesel Generator A.
ACTRNBF = Same for Train B.

Components
BYV = Butterfly Valve
MDP = Motor-Driven Pump
CHV = Check Valve
TDP = Turbine-Driven Pump
SCV = Stop Check Valve
DG = Diesel Generator
MGV = Manual Gate Valve
MOV = Motor-Operated Valve

Table 7. Comparison of Data Assumptions

Unavailability/Demand

Description | Applicant | BNL

A. Maintenance
1. Pumps | 5.81x10^-3 | 5.8x10^-3
2. Valves
  a. Motor-operated gate and butterfly valves | 2.17x10^-6 | 2.1x10^-3
  b. Manual butterfly valves on CST discharge lines | 4.0x10^-7 | 0
  c. Manual butterfly valves on pump suction lines | 7.0x10^-8 | 0
  d. Speed governor and trip and throttle valves | 2.17x10^-6 | 2.1x10^-3
  e. Manual stop check valves at steam generator intakes | 0* | 0
  f. Manual stop check valves on pump discharge lines | 2.17x10^-6 | 0
  g. Manual gate valves on turbine steam intake | 0* | 0
  h. Manual gate valves on pump discharge lines | 7.0x10^-8 | 0
  i. Check valves at steam generator intakes | 0* | 0
  j. Check valves on pump discharge lines | 2.17x10^-6 | 0
3. Diesel Generators (Onsite AC Power) | 0 | 6.4x10^-3
4. 125V DC Power | 2.4x10^-6 | 0

B. Testing
1. Pumps | 0 | 6.4x10^-4
2. Valves | 0† | 0†
3. Diesel Generators | 0 | 0

* It is assumed that no maintenance can be performed on these components due to their proximity to the steam generators.

† Valve testing does not cause unavailability.

Table 7 (Cont.)

Unavailability/Demand

Description | Applicant | BNL

C. Human Errors
1. Pre-accident nature
  a. Motor-operated valves with Control Room position indication | 5x10^-4 | 5x10^-4
  b. Manual valves with no Control Room position indication
    i) Post-accident operator recovery not possible within 30 minutes | 0 | 5x10^-3
    ii) Post-accident operator recovery possible within 30 minutes | 0 | 1x10^-3
2. Post-accident nature
  a. Operator fails to open motor-operated valves (includes transfer to alternate Condensate Storage Tank) | 5x10^-3 | 1x10^-3
  b. Operator fails to start pumps | 5x10^-3 | 1x10^-3

D. Mechanical and Electrical Faults
1. Plugging of all valves | 1x10^-4 | 1x10^-4
2. Failure of mechanical components including pumps and motor-operated valves | 1x10^-3 | 1x10^-3
3. Diesel generator fails to start | 3x10^-2 | 3x10^-2
4. 125V DC power failure | 0 | 0
5. Failure of actuation logic for pumps and motor-operated valves (per train) | 7x10^-3 | 7x10^-3
6. Control circuit failure
  a. Pumps (monthly tests) | 4x10^-3 | 4x10^-3
  b. Valves (monthly tests) | 2x10^-3 | 2x10^-3

Table 7 (Cont.)

Unavailability/Demand

Description | Applicant | BNL

E. Summation of Random Failures (Human Errors and Mechanical and Electrical Faults)
1. Pumps, both motor- and turbine-driven | 5x10^-3 | 5x10^-3
2. Valves
  a. Motor-operated, position change required (plugging plus control circuit failure) | 3.1x10^-3 | 3.1x10^-3
  b. Manual valves (locked open)
    i. No post-accident operator recovery possible within 30 minutes (valve position not verifiable by pump testing) | 1x10^-4 | 5.1x10^-3
    ii. Post-accident operator recovery possible within 30 minutes (valve position verifiable by pump testing) | 1x10^-4 | 1.1x10^-3
  c. Check valves | 1x10^-4 | 1x10^(exponent illegible)
3. Diesel Generators | 3x10^-2 | 3x10^-2

Table 8. VEGP AFWS Unavailability Sensitivity Comparison

Columns:
A. All Manual Valves 5.1E-3 Random Error
B. All Manual Valves 1.1E-3 Random Error
C. All Manual Valves 1.1E-3 Random Error Except SG Intake Valves at 5.1E-3 Random Error
Applicant's Results (one value per transient)

Case | A | B | C | Applicant's Results
1. LMFW | | | | 6.3E-6
  a) Independent Failures Only | 4.1E-5 | 1.4E-5 | 8.8E-6 |
  b) Multiple Errors Assumed | 5.4E-5 | 2.7E-3 | 2.2E-5 |
2. LOOP | | | | 2.6E-5
  a) Independent Failures Only | 2.0E-4 | 1.1E-4 | 8.7E-5 |
  b) Multiple Errors Assumed | 2.1E-4 | 1.2E-4 | 1.0E-4 |
3. LOAC | | | | 1.0E-2
  a) Independent Failures Only | 3.6E-2 | 3.2E-2 | 3.2E-2 |
  b) Multiple Errors Assumed | 3.6E-2 | 3.2E-2 | 3.2E-2 |

5. EMERGENCY OPERATION

For the discussions below, refer to Figures 1 and 2.

5.1 Loss of Main Feedwater (LMFW)

Offsite power is available and the two motor-driven pumps (MDPs) start automatically upon trip of both Main Feedwater (MFW) pumps or low-low level in any one steam generator. Automatic actuation also occurs upon a Safety Injection signal. The turbine-driven pump starts automatically upon low-low level in any two steam generators by the opening of the DC Train C motor-operated steam admission valve 5106.

Unless the normally aligned Condensate Storage Tank 001 contains an inadequate supply of water and pump suction has not already been aligned to the standby CST 002, there are no other closed valves which must be opened either manually or automatically to initiate auxiliary feedwater flow. Transfer to the alternate CST 002 must be done manually, either from the Control Room or locally, by opening the motor-operated valves 5113, 5118 and 5119.

The operator can remotely manipulate the position of the AFW flow control valves (5120, 5122, 5125, 5127, 5132, 5134, 5137, and 5139) to control steam generator level. This can also be done locally at the valves.

Upon reaching 100 GPM or greater pump flow rate, the motor-operated isolation valves in the recirculation mini-flow lines of each MDP are automatically isolated so that there is no recirculation flow during most of AFWS operation, except for the continuous recirculation flow of the TDP. If the motor-operated valves in the miniflow lines of trains A and B fail to close, there is still sufficient flow to the steam generators because of the presence of a flow-limiting orifice in the miniflow lines.

5.2 Loss of Offsite Power (LOOP)

In this case, with no offsite power available, the MDPs can only be started after receiving an automatic signal from the diesel generators' sequencing logic. The TDP is automatically started upon LOOP.

The Reactor Coolant Pumps are not powered so that cooldown of the reactor core is by natural circulation. BNL has assumed that the required flow rate is 510 GPM, the same as the LMFW case, because of the lack of information concerning this in the applicant's FSAR and reliability analysis. This still results in only one MDP being required.

All valve orientations and manipulations are the same as for the LMFW case, except that the steam admission valve, 5106, is automatically opened to start the TDP directly upon a LOOP signal. Steam generator level control is again either remote from the Control Room or local manual.

5.3 Loss of All AC Power (LOAC)

Since both offsite and onsite power are unavailable, only the steam turbine-driven pump is available to supply AFW flow. All valves in the TDP train, including the flow control valves, are supplied with DC power so that the operator has complete control capability of the single TDP train from the Control Room without requiring local manual actions unless there are component failures.

All of the motor-operated valves in the TDP train are powered from a separate DC train designated Train C which derives power from AC Train A with backup power provided by batteries. Therefore, Train C DC power can be assumed to be independent of Train A DC power because it is backed by dedicated batteries which would become the sole power source for the LOAC condition.

Since the LOAC condition includes a blackout sequence signal, the TDP is automatically actuated upon LOOP by opening steam supply valve 5106. For the same reasons explained previously, BNL has assumed that the required flow rate is 510 GPM. Again, the Reactor Coolant Pumps are not powered so that cooldown of the reactor core is by natural circulation. Steam generator level control is performed manually either from the Control Room or locally at the valves.

6. TESTING

The applicant has based his analysis with regard to testing on the following information, which has been taken from FSAR Appendix 10A.

As of the date of the applicant's evaluation, the Technical Specifications, operating procedures, maintenance procedures, and testing procedures applicable to the VEGP AFWS were not written. Thus, in order to model and analyze the contribution of human error, testing and maintenance to the unreliability of the VEGP AFWS, relevant generic documents were used. The Technical Specifications used were extracted from the Westinghouse Standard Technical Specifications.(5) The most notable factors of these preliminary Technical Specifications are (with respect to testing):

a. The testing frequency for AFWS pumps is once every 31 days.
b. Testing of pumps and valves with automatic actuation is performed once every 18 months.
c. The testing frequency of each DC train is once every 7 days.

BNL interprets item b to mean that the automatic actuation signal of pumps and valves is tested every 18 months, not that the pumps and valves themselves are tested every 18 months. BNL also assumes that testing of the automatic actuation signals and the DC trains does not cause those components to be unavailable during the test.

In addition, according to Ref. 3, the generic plant testing and maintenance procedures used in the AFWS reliability evaluation were a synthesis of generic procedures. These generic procedures are based on current industry practice, lessons learned from previous human reliability analysis, and the VEGP AFWS design capabilities. Those procedures relevant to testing are:

a. The motor-operated valves in the discharge lines (5120, 5122, 5125, 5127, 5132, 5134, and 5137) are used to manually throttle AFWS flow and pressure during testing to keep AFWS flow from entering a steam generator.
b. The motor-operated valves in the discharge lines receive an automatic actuation signal to go to their full open position even if they are being used for testing.
c. The only valves requiring manual realignment for testing or flushing are the recirculation bypass valves (81, 82, 83, and 84).
d. If a single recirculation bypass valve has not been closed, there is still sufficient flow to the steam generators due to the presence of a flow-limiting orifice in the recirculation line.
e. The motor-operated valves from CST 002 (5113, 5118, and 5119) are manually controlled with no automatic signals to close (if CST 002 is being used for testing or flushing of an AFWS train).
f. Valve position after a test is checked by a single operation.

The pump testing procedure requires further discussion. According to Ref. 3, the design capabilities of the AFWS allow flushing or testing while the plant is operating without affecting main feedwater flow. The alignment of any train of the AFWS for testing or flushing is such that suction is taken from a CST and the flow passes through the pump and discharge lines, where the motor-operated valves in the discharge lines are used to throttle the flow and pressure. The flow is then diverted away from the steam generators prior to the stop check valves by the manual opening of the bypass (recirculation) valves and discharged to the condensate system.

Each recirculation line is fitted with an orifice that limits the amount of flow diverted away from the steam generators. This allows sufficient flow to the steam generators should the AFWS be required during flushing or testing. When not in use, the recirculation valves (81, 82, 83, and 84) remain closed. Also, upon receipt of any of the AFWS automatic actuation signals, the discharge (control) valves go to the full-open position if not already open.

Although the applicant states that failure to close the recirculation valves after a test, or during a test in which the AFWS is required, does not result in excessive flow diversion, it is not clear that this is true when only one MDP is available. In particular, if either MDP has a capacity of 630 GPM at steam generator pressure with the mini-flow recirculation lines closed, a diversion of more than 120 GPM through the test recirculation line would result in a flow rate below the required 510 GPM for LMFW (see Table 3). To see the effect of this, BNL has modeled failure to close the recirculation line valves as independent human errors coupled with testing of a single pump which can cause insufficient flow to the respective steam generator. The net impact on the final results is, however, quite small.

7. SURVEILLANCE REQUIREMENTS

As explained in the previous section, the Technical Specifications were extracted from the preliminary Westinghouse Standard Technical Specifications. The most notable of them with respect to surveillance are:
a. The verification frequency of the CSTs water volume is once every 12 hours.
b. The verification frequency of valves in the flowpath is once every 31 days.

The applicant's failure data is presented in Table 10A-4 of Ref. 3, included in this report as Table 4. The above information is used in conjunction with the failure data for human acts and errors given in Table III-2 of NUREG-0611, which is provided as Table 5 of this report. From Table 4, it appears that the applicant has assumed operator errors for motor-operated valves only. Pre-accident closure was given a 5x10-' unavailability/demand, which corresponds to the NUREG-0611 value for valves having control room position indication, which is the case for motor-operated valves. However, no pre-accident error was assumed for manual valves, which typically do not have such indication. BNL has assumed a value of 1x10-3/demand for valves whose position can be verified by the pump testing act and a value of 5x10-3/demand for valves whose position cannot be verified. Post-accident closure of motor-operated valves is assumed at 5x10-3/demand, which is the NUREG-0611 value for a 30 minute allowable actuation time for a "Non-Dedicated" primary operator to actuate the AFWS. This does not consider the probability of the backup control room operator taking the proper action. In this case, the NUREG-0611 value for the overall estimated failure probability is 1x10-3, i.e., a 0.2 recovery factor, which is what has been assumed in the BNL analysis. No unavailability due to post-accident closure of manual valves is assumed.

8. OUTAGE LIMITATIONS AND MAINTENANCE

8.1 Outage Limitations

From the preliminary Westinghouse Technical Specifications, the limiting conditions of operation are:
a. With one AFWS pump inoperable, the limiting condition of operation action time to hot standby is 78 hours.
b. With two AFWS pumps inoperable, the limiting condition of operation action time to hot standby is 6 hours.
c. With one or more steam generators inoperable, the limiting condition of operation action time is 1 hour.
d. With less than 330,000 gal in the CSTs, the limiting condition for operation action time to hot shutdown is 16 hours.
e. With one 125-V dc train inoperable, the limiting condition for operation action time to hot standby is 2 hours.

The above requirements essentially define a maintenance policy which does not allow more than one pump train or steam generator to be unavailable due to maintenance. Any secondary unavailability of a pump train or steam generator is assumed to be due to a failure discovered during testing of the remaining two pump trains. It should be noted that testing by itself does not cause pump unavailability, only the failure to reclose the recirculation bypass valve or reopen the throttled control valve to a steam generator. However, it is assumed that testing of only one pump train at a time is allowed.

8.2 Maintenance

The generic plant procedures contain the following items which pertain to maintenance:
a. The performance of maintenance on a component requires that the component be manually isolated on both the upstream and downstream sides.
b. The motor-operated valves in the miniflow lines of trains A and B (5154 and 5155) are subject to maintenance for calibration of the flow element actuation device in these valves.

The applicant has stated the required actions to perform component maintenance, i.e., the need for both upstream and downstream isolation. Maintenance has been assumed by the applicant for all pumps and valves, including check valves and manually operated check, gate and butterfly valves. However, the applicant did not assume maintenance for the diesel generators. Although the applicant references both NUREG-0611 and WASH-1400 (6) as sources for maintenance unavailabilities, the data values for valves appear to be substantially lower than those given in the referenced sources. In particular, the applicant's data compared to the sources is as follows:

Component in Maintenance                              Applicant's Data    NUREG-0611/WASH-1400
Check, stop check, motor-operated valves,
  trip and throttle valve, speed governing valve      2.17x10-6           2.1x10-3
Manual gate valves and manual butterfly valves
  on pump suction lines                               7x10-8              2.1x10-3
Butterfly valves on CST discharge lines               4x10-7              2.1x10-3
Motor and turbine-driven pumps                        5.8x10-3            5.8x10-3
Diesel generators                                     0                   6.4x10-3
125V DC electric power

• out of NUREG-0611 scope

In the BNL analysis, the NUREG-0611/WASH-1400 data were used. However, maintenance was assumed only for motor-operated valves. All other valve maintenance was assumed to be zero. The modeling of the fault trees and a complete comparison of the data assumptions are discussed in detail in Section 9.2 of this report.

9. RELIABILITY ANALYSIS

9.1 Qualitative Aspects

9.1.1 Mode of System Initiation

1. LMFW - As stated previously in Section 5, both MDPs start automatically upon loss of both MFW pumps or upon low-low level in any one steam generator. Should the MDPs fail to start, the TDP will start automatically upon low-low level in any two steam generators. All three pumps can be manually started by the operator both from the Control Room and locally. Therefore, the applicant complies with Recommendation GL-1 of NUREG-0611 that AFWS flow be automatically initiated using safety grade equipment and that manual start serve as a backup to automatic AFWS initiation.

2. LOOP - Both MDPs are automatically initiated by the diesel-generator sequencing logic once power is received from the diesel generators. The TDP is also automatically initiated by opening DC-operated valve 5106 by means of 125V DC Train C power provided either by the 120V AC power of the Train A diesel-generator through the inverters or by the dedicated battery backup power. All three pumps can again be manually started by the operator either from the Control Room or locally. Therefore, the applicant still complies with Recommendation GL-1 mentioned above.

3. LOAC - In this case, only the TDP is available. Since this case implies LOOP, the TDP is again automatically initiated by opening valve 5106. The pump is normally aligned to CST 001. If the standby CST 002 must be utilized as the suction source, valve 5113 is powered by DC Train C and can be opened manually either from the Control Room or locally, although normally such alignment would have been performed prior to the transient. The TDP can also be manually initiated either from the Control Room or locally in this case. Therefore, the applicant complies with Recommendation GL-3 of NUREG-0611, which states that at least one AFW pump and its associated flow path and essential instrumentation should automatically initiate AFW system flow and be capable of being operated independently of any AC power source for at least two hours.

9.1.2 System Control Following Initiation

According to Ref. 3, the AFWS is aligned to be placed in service automatically in the event of a demand. Following the receipt of a safety injection signal, a two-out-of-four low-low steam generator water level signal from any one steam generator, a trip signal from both main feedwater pumps, or a loss of offsite power signal, the auxiliary feedwater discharge valves go to the full-open position if not already open and the two motor-driven auxiliary feedwater pumps are actuated and begin to deliver flow from the online CST to the steam generators. Once flow has been established, the motor-operated valves in the miniflow lines close automatically. The turbine-driven pump is actuated automatically on two-out-of-four low-low water level in any two steam generators or on a loss of offsite power signal. To actuate the turbine-driven pump, the normally closed dc motor-operated valve (5106) in the steam supply line to the turbine is opened automatically. The speed governing valve and the trip/throttle valve, which are in the same line as the steam inlet valve, are automatically controlled by the speed governor on the turbine-driven pump. Following a transient or accident, the minimum flow is delivered to at least two effective steam generators within 1 min of an automatic auxiliary feedwater actuation signal. Once the system has been actuated, the operator can remotely manipulate the auxiliary feedwater control valves in order to control steam generator water level.

For normal operation, the AFWS is used to fill and/or maintain the water level in the steam generators during startup, shutdown, and hot standby conditions. The AFWS may be actuated and controlled manually during normal operation or abnormal conditions. The motor-operated valves in the miniflow lines of mechanical trains A and B (5155 and 5154) can only be actuated automatically.

Although not shown on Figure 1, safety-grade flow meters with both Control Room and remote shutdown panel indication and instrument channels powered from emergency busses have been provided to indicate flow to each steam generator. This appears to satisfy the requirements of Additional Short Term Recommendation 5.3.3 of NUREG-0611.

For the specific cases covered by this review, system control is as follows:

1. LMFW - Steam generator level control is maintained by the operator manually modulating the motor-operated flow control valves in the pump discharge lines to each of the four steam generators (MOVs 5120, 5122, 5125, 5127, 5132, 5134, 5137, and 5139). In the event that suction must be transferred from the primary condensate storage tank CST 001 to the standby tank CST 002, the normally closed MOVs 5113, 5118 and 5119 can be manually opened either from the Control Room or locally. There is no automatic pump trip on low suction pressure. The mini-flow lines around the MDPs are automatically isolated when pump flow is above 100 GPM, while the mini-flow line around the TDP continuously operates. There are two normally closed manual gate valves, 055 and 056, on a header which joins the two motor-driven pumps A and B together. Normally MDPA only supplies Steam Generators 1 and 4 while MDPB only supplies Steam Generators 2 and 3. By opening both of these valves, either motor-driven pump alone can supply all four steam generators.

2. LOOP - System control is basically the same as for LMFW. The only significant difference is that AC power is supplied by the diesel generators. Level control can still be accomplished by modulating the flow control valves in the discharge lines to the steam generators. Transfer to the standby condensate storage tank and use of one motor-driven pump to feed all four steam generators are also performed in the same way as for LMFW.

3. LOAC - In this case, only the turbine-driven pump and its flow paths are available. Since all motor-operated valves in its flow paths are DC-operated, the operator can still control steam generator level by modulating the flow control valves either from the Control Room or locally. In effect, the operator can perform all of the same functions as before with the TDP for LMFW and LOOP because the Train C DC power is backed up by its own dedicated batteries, which are utilized when Train A 120V AC power is unavailable.

9.1.3 Effects of Test and Maintenance Activities

The effect of testing on this system has been previously discussed in Section 6.
As noted in Section 8, the applicant has correctly stated that to perform maintenance on any component, the component must be manually isolated both upstream and downstream. This can quite easily incapacitate an entire pump train. For example (see Figure 1), if maintenance must be performed on one of the manual gate valves on any one of the discharge lines to the four steam generators from the TDP, valves 016, 019, 022, or 025, all four valves must be closed, thereby incapacitating the TDP.

9.1.4 Availability of Alternate Water Supplies

There are two redundant condensate storage tanks which are each maintained above a minimum level of 330,000 gallons. The minimum water level of each CST is designed to maintain the reactor in a hot standby condition for 4 hours followed by a 5 hour cooldown period, at which time the residual heat removal system can be used to further cool the reactor coolant system. The combined minimum operating capacity of the CSTs (660,000 gal) is designed to allow a hot standby condition for 31 hours followed by a 5 hour cooldown period until operation of the residual heat removal system is initiated.

Each tank is a Seismic Category I structure and has a capacity of 480,000 gal. The minimum safety capacity is ensured by all nozzles of nonsafety systems being located on the storage tanks above the corresponding elevation. The condensate level in each tank is automatically maintained by a level control valve in the line (to the tank) from the demineralized water system, which actuates when the volume in the tank drops to 472,250 gal. As the water in the online CST is depleted, the operator may manually realign the system so that the standby CST serves all three pumps. A separate line connects each pump to each CST. Therefore, the applicant has taken substantial measures to ensure an adequate supply of alternate water sources.

However, it should be noted that the check valves on the pumps' suction side, valves 013, 033, 051, 058, and 061, have had their flappers removed (see Figure 1). The reason for this is not explained. Such being the case, if and when the operator must transfer to the standby CST 002, it seems that the level in CST 001 will precipitously rise while the level in CST 002 will precipitously fall to equalize the static head. This is because there are effectively no check valves on the pump suction side, so that flow from CST 002 does not isolate CST 001. This might cause some momentary confusion on the operator's part and possible misinterpretation of instrument readings.

The specific emergency procedures for transferring to the standby CST have not been provided in Ref. 3. The procedures should include criteria to inform the operator when the transfer to the standby CST should take place, and should meet all other requirements described in Recommendation GS-4 of NUREG-0611. Ref. 3 does indicate that there are level indicators and alarms both in the Control Room and locally for the CST water level to allow the operator to anticipate the need to make up water or transfer to the alternate CST to prevent a low pump suction pressure from occurring. It does not indicate whether the indicators and alarms are redundant and whether the low-low level of such alarms allows at least 20 minutes for operator action, as described in Additional Short-Term Recommendation 5.3.1 of NUREG-0611.

9.1.5 Adequacy and Separation of Power Sources

According to Ref. 3, physical separation between the trains of the AFWS is maintained with regard to the prevention of common cause failures created by fire, flooding, and missiles. The simplified piping layout schematic of the AFWS is provided as Figure 3 of this report. Excluding the containment building, there are only two locations where a portion of all three trains lie in a common area. The first is in the building that houses the CSTs and the second is in a pipe chase in the auxiliary feedwater pumphouse. Both of these locations:
a. are protected from external missiles and have no internal source for missiles,
b. have no components subject to disabling damage due to flooding, and
c. have minimal sources of fire.

Physical separation between electrical components of the AFWS is provided in accordance with Regulatory Guide 1.75 and Institute of Electrical and Electronics Engineers (IEEE) Standard 384.

9.1.6 Common Mode Failures

In BNL's judgement, there are two obvious aspects of the Vogtle AFWS design which yield potentially significant common mode failure contributions to the system unavailability. See Figures 1 and 2. The first aspect involves the manually operated stop check valves at the steam generator inlet lines (113, 114, 115 and 116). If the operator inadvertently closes any three of the four valves, the mission success criteria is violated. Closure of one of these valves prevents the flow from both of the pumps which normally supply a steam generator. Even if the normally closed interconnection between the two motor-driven pumps, valves 055 and 056, is open, flow can still not enter the steam generator from the alternate motor-driven pump. The other aspect is the testing of the turbine-driven pump coupled with common mode failure to close at least two of the recirculation line valves (81, 82, 83, 84), causing excessive flow diversion from the steam generators. Both of these cases are quantitatively assessed in Section 9.2.3.2.

The applicant's own common cause analysis, according to Ref. 3, was performed deterministically and in two parts. The first part was performed explicitly for common cause hardware failure by location, and is discussed in the preceding Section 9.1.5 on physical separation. The second part of the common cause analysis was performed implicitly throughout the evaluation. According to the applicant, the results of the entire common cause analysis revealed no significant common cause potential within the VEGP AFWS.

9.1.7 Single Point Failures

There were no single point failures discovered during the course of this review.

9.1.8 Adequacy of Emergency Procedures

The applicant has not provided emergency procedures at this time. Such procedures should be provided in the future.

9.2 Quantitative Aspects

9.2.1 Applicant's Use of NRC-Suggested Methodology and Data

9.2.1.1 Fault Tree Construction and Evaluation

In Ref. 3, the applicant states that the initial fault tree was developed to the component failure mode level and then expanded to the component failure cause level. The component failure causes considered were:

a. Random failure on demand.
b. Unavailability due to testing.
c. Unavailability due to maintenance.
d. Independent human error during testing or maintenance.
e. Common cause human error during testing or maintenance.

The fault tree developed for the analysis is shown in FSAR Figure 10A-7, Sheets 1 to 30, included in this report with BNL modifications as Figure 7, Sheets 1 to 33. Although the applicant states that unavailability due to testing and common cause human error during testing or maintenance were considered in the fault tree, BNL was not able to locate any such aspects in our review of both the fault tree and the applicant's assumptions in Table 3. Neither the fault tree nor the data table contain specific fault identifiers, so that the applicant's results cannot be unequivocally duplicated.

Nevertheless, the fault tree is very comprehensive and great care was evidently taken to correctly model maintenance acts on all pumps and valves. However, the important contribution of diesel-generator maintenance was omitted. In addition, the fault tree does not model maintenance acts excluded by technical specification requirements in any useful way, particularly considering that the applicant utilized the WAM-CUT (7) computer code. Specifically, Figure 10A-7, Sheets 2 through 9 (BNL Figure 7, Sheets 3 through 10), show that the inputs to the AND gates are "N01F TO SG_ FROM TRAIN _ DUE TO MAINTENANCE" and a NOT gate described as "DOES NOT VIOLATE TECHNICAL SPECIFICATIONS". Obviously the latter gate cannot be utilized as described in any computer code because it does not identify exactly which coincident maintenance events are to be excluded. It is therefore not clear just exactly how the applicant arrived at his numerical results.

When utilizing the WAMCUT code, there are basically two approaches to elimination of disallowed coincident test and/or maintenance acts. The first is to make extensive use of NOT gates, while the second is so to define the top event that disallowed maintenance and test acts are inherently excluded.

BNL utilized the SETS code (8) to quantify the results. SETS allows both of the methods mentioned above; additionally, it allows a third method. In the third method, the top event is defined so as to allow unlimited coincident test and maintenance acts; the cutsets are then processed by SETS to eliminate those which are to be disallowed by the Technical Specifications. This is discussed further in Section 9.2.3, BNL Assessment.

9.2.1.2 Failure Data

The applicant's failure data are shown in Table 10A-4, which is included in this report. The data is in substantial agreement with the data prescribed in Table III-2 of NUREG-0611 (see Appendix A), with the very notable exception of valve and diesel generator maintenance unavailabilities. The applicant's data values for valve maintenance are extremely low, ranging from 7x10-8 to 2.17x10-6, as compared to the NUREG-0611 value of 2.1x10-3, while diesel generator maintenance was neglected. The references cited are NUREG-0611 and WASH-1400, but BNL cannot ascertain how the applicant derived his values from those sources.

Reference 3 states: "All data were used to quantify point estimates of unavailability on demand, and uncertainty is not accounted for in the analysis. It should be noted that the data utilized in the reliability analysis is generic, and as such the results are an evaluation of the AFWS design. The implication of the data is that they do not account for the actual characteristics of how the plant is to be operated and maintained" (emphasis by BNL).

The situation of pre-accident operator error with respect to closing manually-operated valves appears to have been omitted from Table 10A-4. This subject is further discussed in Section 9.2.3, BNL Assessment, since it has a significant impact on the quantitative results.

A minor comment: the applicant's data include a maintenance unavailability of 2.4x10-6 for 125-V DC electric power, while random failure was neglected. It does not appear that maintenance unavailability was included in the fault tree, while random failure was included.

9.2.2 Applicant's Results

9.2.2.1 System Unavailabilities

According to Ref. 3, the quantitative results of the conditional unavailabilities for the three cases designated by the NRC for the AFWS are:

A. Case 1 - LMFW - For the case where there is an assumed loss of main feedwater with a reactor trip occurring and offsite AC power available, the conditional unavailability of the AFWS was calculated to be 6.3x10-6.

B. Case 2 - LMFW/LOOP - For the case where there is an assumed loss of main feedwater with a reactor trip occurring and offsite AC power not available, the conditional unavailability of the AFWS was calculated to be 2.6x10-5.

C. Case 3 - LMFW/LOAC - For the case where there is an assumed loss of main feedwater with a reactor trip occurring and no AC power available, the conditional unavailability of the AFWS was calculated to be 1.0x10-2.

9.2.2.2 Dominant Failure Modes and Conclusions

It is stated in Ref. 3 that the quantitative measure of importance was used as an indication of the dominant contributors to the AFWS conditional unavailability. The value of importance was then taken as the sum of all cut set probabilities containing a category of failure divided by the top event probability. The failure categories analyzed for each case are: random failure of valves on demand; unavailability of valves due to maintenance; operator error; and pump unavailabilities (random or maintenance).

The applicant's dominant failure modes and conclusions for each case are as follows:

A. Case 1 - LMFW - The most significant contributor to system failure was pump unavailabilities. The importance value of pump unavailabilities was calculated to be 86 percent. An examination of the category of pump unavailabilities revealed that pump failures were occurring in combination with electric power system failure. Furthermore, it was determined that the unavailability of the turbine driven pump was not the most significant single component of the AFWS, but this pump did not dominate system unavailability.

B. Case 2 - LMFW/LOOP - The findings for Case 2 revealed pump unavailabilities contribute 80 percent to system unavailability. An examination of this category revealed, as did Case 1, no single component of the AFWS can be thought of as dominating (or controlling) system unavailability. The reduction of the system conditional availability for this case was found to be directly attributable to the assumed loss of redundancy in ac power sources.

C. Case 3 - LMFW/LOAC - The findings for Case 3 revealed (under assumed conditions) that the AFWS is reduced to only the turbine-driven pump. Thus, any single failure along this pump train would be sufficient to fail the AFWS. The dominant contributors to system unavailability were as follows:
1. The turbine-driven pump package (pump, trip throttle valve, and speed governing valve).
2. The steam inlet valve (motor-operated valve 5106).

9.2.3 BNL Assessment

9.2.3.1 Fault Trees

Since the applicant's fault trees, provided in Ref. 3, seem to be substantially correct and complete, particularly with respect to the modeling of maintenance acts at the component level, these same fault trees with minor revisions were utilized in the BNL analysis, provided in this report as Figure 7, Sheets 1 to 33. The major revisions which were necessary were the addition of fault identifiers and a finer separation of certain maintenance acts so the top event could be properly identified and the non-functional event "Does Not Violate Technical Specifications" eliminated. The fault identification nomenclature scheme is shown in Table 6. The applicant did not separate the steam generator intake sections in the expanded block diagram, Figure 6, into random and maintenance contributors because no maintenance can be performed on either of the two check valves or the stop check valve in a typical intake section, e.g., check valves 121 and 125 and stop check valve 113 on Steam Generator 1 Intake. However, BNL did so in order to model both maintenance on

Table 3
BNL Assumptions of VEGP NSSS Steam Generator Makeup Requirements Based Upon FSAR Information

Flow Requirements (GPM)

Power Level (MWt)    Loss of Main Feedwater (LMFW)    Loss of Offsite Power (LOOP)    Loss of All AC Power (LOAC)
3425                 510                              510                             510

AFW Flow Information (at 1235 psia, 120°F)

                                     Turbine-Driven Pump    Motor-Driven Pump A    Motor-Driven Pump B
Pump Discharge Flow (gal/min)        852                    552                    552
Pump Recirculation Flow (gal/min)    144                    0(a)                   0(a)

(a) The motor-operated valves in the motor-driven pump recirculation lines are intended to close when the pump flow reaches the miniflow, 100 gal/min, within a minute. Thus, the motor-driven pump recirculation flow was not considered.

The most important aspects of the applicant's data in terms of sensitivity in the quantitative results are the maintenance unavailabilities assumed for all valves and the pre-accident human error assumed for the operator inadvertently closing a manual valve. The applicant's assumptions for valve maintenance are extremely low compared to the NUREG-0611 data, ranging from 7E-8 to 2.17E-6, while the BNL assumption was 2.1E-3, based on NUREG-0611 data, for all motor-operated valves and 0 for all manually-operated valves and check valves.

Similarly, the applicant appears to have assumed 0 for the pre-accident operator error of inadvertent closure of a manually-operated valve. The BNL assumptions for this case were 5E-3 for locked-open manual valves whose position cannot be verified as a result of the testing of its associated pump and 1E-3 if testing does allow position verification. This has very important implications for the manually-operated stop check valves 113, 114, 115, and 116 at the AFW intake to each steam generator. Since each valve lies in a common discharge path for the two AFW pumps which supply any given steam generator, its inadvertent closure blocks all AFW flow to that steam generator. It does not appear that pump testing per se can verify the position of those valves because, during the pump test, the discharge pressure is throttled by the motor-operated valves (5120, 5122, 5125, 5127, 5132, 5134, 5137, and 5139) so that flow does not enter the steam generators but is diverted to the Condensate System through the recirculation bypass valves. Thus, no flow passes through the locked-open stop check valves in question. In the NRC Standard Technical Specifications (4), periodic surveillance is generally not required if a valve is locked into its emergency position. Thus, the only way for the position of these valves to be verified appears to be by a voluntary visual inspection during a pump test. However, for independent failures, utilizing the post-accident recovery factor of 0.25 as specified in Table 5 for 30 minutes allowable time yields (5E-3)*(0.25) ≈ 1E-3.

The common mode failures described in Section 9.1.6 have been quantified and added to the system unavailabilities for independent failures only (as shown in Table 8) as follows:

NOFLOSGS1234 = CRVLO*OEFTCCRVS + CMOESCVS*OEFTOSCVS    (1)
CRVLO = CMOECRVS + TATDPC001    (2)

where
NOFLOSGS1234 = multiple error contribution to the probability of no flow to steam generators 1, 2, 3, and 4.
CRVLO = probability of the condensate return valves (081, 082, 083, 084) being in the open position.
OEFTCCRVS = probability of the operator failing to close the condensate return valves after automatic AFWS initiation, 5E-3.
CMOESCVS = common mode probability of pre-accident operator error in leaving the manually-operated stop check valves (113, 114, 115, 116) in the closed position, 1E-3.
OEFTOSCVS = probability of the operator failing to open the stop check valves after automatic AFWS initiation, 5E-3.
CMOECRVS = common mode probability of pre-accident operator error in leaving the condensate return valves in the open position, 1E-3.
TATDPC001 = probability of the turbine-driven pump undergoing test, which requires that the condensate return valves be open, 6.4E-4.

Substituting (2) into (1):

NOFLOSGS1234 = (CMOECRVS + TATDPC001)*(OEFTCCRVS) + (CMOESCVS)*(OEFTOSCVS)
             = (1E-3 + 6.4E-4)*(5E-3) + (1E-3)*(5E-3)
             = 8.2E-6 + 5E-6 = 1.3E-5

Therefore, 1.3E-5 is the multiple error contribution to the top event from either misalignment of multiple stop check valves or misalignment of multiple condensate return valves.

the stop check valves on the pump discharge lines to a given steam generator and also a possible unavailability due to testing if the operator fails to reclose the recirculation valve in the condensate system return line. See Figure 7, Sheets 12 and 13. Another significant revision was the inclusion of diesel generator maintenance unavailability on Sheets 14 and 15. There were other minor revisions which are identified on the fault trees. It should also be noted that the top event on Sheet 1 was modified to show the actual gate names and the Boolean expression which was used to replicate the 3 out of 4 combination gate used by the applicant in the WAM-CUT code. The SETS code used by BNL does not utilize combination gates.

The fault trees as shown allow unrestricted coincident test and maintenance acts. Those acts which are not allowed by the Technical Specifications were then deleted from the cutsets by use of the DELETE TERM option of the SETS code. Specifically, the equation establishing the terms to be deleted is based on the Expanded Reliability Block Diagram in Figure 6, and is given below:

DELETE = A*B + B*C + A*C
A = PMPAMAINT + A1MAINT + A4MAINT + TAMDPA003
B = PMPBMAINT + B2MAINT + B3MAINT + TAMDPB002
C = PMPCMAINT + C1MAINT + C2MAINT + C3MAINT + C4MAINT + TATDPC001

After cutsets are obtained, they are processed to eliminate failure combinations which imply event "DELETE." This essentially disallows simultaneous maintenance on or testing of two or three pumps, or one pump and one of the discharge flow paths of another pump, or two or more discharge flow paths when each flow path is supplied by a different pump.

9.2.3.2 Failure Data

A general comparison between the applicant's data assumptions and those utilized by BNL is provided in Table 7.
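The cut-set screening described in Section 9.2.3.1, together with the multiple-error term of equations (1) and (2), worked as an added Python illustration; it is not BNL's SETS input or output. The group membership and the maintenance, test and operator-error values are the report's as read from its equations and data discussion; the random-failure event names (PMPARAND and similar), their probabilities and the five sample cut sets are constructed for the example.

```python
# Added illustration: screen cut sets against the report's DELETE term,
# then quantify what remains with the rare-event approximation.
from math import prod

# Test/maintenance event groups, as read from the report's DELETE equation.
GROUPS = {
    "A": {"PMPAMAINT", "A1MAINT", "A4MAINT", "TAMDPA003"},
    "B": {"PMPBMAINT", "B2MAINT", "B3MAINT", "TAMDPB002"},
    "C": {"PMPCMAINT", "C1MAINT", "C2MAINT", "C3MAINT", "C4MAINT",
          "TATDPC001"},
}

# Basic-event probabilities. Maintenance and test values are those quoted in
# the report; the *RAND events and their 5e-3 value are constructed.
PROB = {
    "PMPARAND": 5e-3, "PMPBRAND": 5e-3, "PMPCRAND": 5e-3,  # constructed
    "PMPAMAINT": 5.8e-3, "PMPBMAINT": 5.8e-3,              # pump maintenance
    "A1MAINT": 2.1e-3, "A4MAINT": 2.1e-3, "B2MAINT": 2.1e-3,  # MOV maintenance
    "TATDPC001": 6.4e-4,                                   # TDP under test
}

# Constructed sample cut sets (not taken from Figure 7).
CUTSETS = [
    frozenset({"PMPARAND", "PMPBRAND", "PMPCRAND"}),
    frozenset({"PMPAMAINT", "PMPBRAND", "PMPCRAND"}),
    frozenset({"PMPAMAINT", "PMPBMAINT", "PMPCRAND"}),   # implies A*B
    frozenset({"PMPARAND", "B2MAINT", "TATDPC001"}),     # implies B*C
    frozenset({"A1MAINT", "A4MAINT", "PMPBRAND", "PMPCRAND"}),  # A only
]


def groups_hit(cutset):
    """Names of the groups that have at least one event in the cut set."""
    return sorted(g for g, events in GROUPS.items() if events & cutset)


def implies_delete(cutset):
    """DELETE = A*B + B*C + A*C holds when two or more groups are hit.

    Two events from the same group (two flow paths of one pump) do not
    trigger deletion, matching the report's description.
    """
    return len(groups_hit(cutset)) >= 2


def screen(cutsets):
    """Split cut sets into (kept, deleted) according to the DELETE term."""
    kept, deleted = [], []
    for cs in cutsets:
        (deleted if implies_delete(cs) else kept).append(cs)
    return kept, deleted


def rare_event_sum(cutsets, prob):
    """Sum of cut-set products (rare-event approximation of the top event)."""
    return sum(prod(prob[e] for e in cs) for cs in cutsets)


def multiple_error_term(cmoecrvs=1e-3, tatdpc001=6.4e-4, oeftccrvs=5e-3,
                        cmoescvs=1e-3, oeftoscvs=5e-3):
    """Equations (1) and (2): the common mode term added to the
    independent-failure result."""
    crvlo = cmoecrvs + tatdpc001                       # equation (2)
    return crvlo * oeftccrvs + cmoescvs * oeftoscvs    # equation (1)


if __name__ == "__main__":
    kept, deleted = screen(CUTSETS)
    for cs in deleted:
        print("deleted:", sorted(cs), "groups", groups_hit(cs))
    independent = rare_event_sum(kept, PROB)
    print(f"unrestricted sum : {rare_event_sum(CUTSETS, PROB):.3e}")
    print(f"after DELETE     : {independent:.3e}")
    print(f"multiple errors  : {multiple_error_term():.2e}")
    print(f"total            : {independent + multiple_error_term():.3e}")
```

With these constructed cut sets the screening removes the two combinations that pair test or maintenance acts on different pump trains, and the multiple-error term evaluates to 1.32E-5, which the report rounds to 1.3E-5.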

For each of the initiators, and for different error probabilities associated with other valves, Table 8 provides results calculated with and without this contribution. The purpose of this is to display the effect of the assumptions which have been made, which, in the present case, must be regarded as ingredients of a parametric sensitivity study. It is unclear whether opening all of the condensate return valves really fails the system. If not, then the corresponding contribution of 5.E-6 (see above) should be subtracted from the system unavailability quoted in all "Case b" entries in Table 8, and from the results given in the Executive Summary.

9.2.3.3 System Unavailabilities

A sensitivity comparison between the applicibutors because no maintenance can be performed on either of the two check valves or the stop check valve in a typical intake se LOAC in which the following assumptions have been made:

1) Case A - All manual valves are assigned a pre-accident operator error rate of 5E-3/demand plus a 1E-4/demand for plugging.
2) Case B - All manual valves are assigned a pre-accident operator error rate of 1E-3/demand plus a 1E-4/demand for plugging except the manually-operated stop check valves at the steam generator intake lines (113, 114, 115, 116) which have a pre-accident operator error rate of 5E-3/demand.
3) Case C - All manual valves are assigned a pre-accident operator error rate of 1E-3/demand plus a 1E-4/demand for plugging.

The manually-operated stop check valves 113, 114, 115 and 116 are evaluated with a recovery factor of 0.25, which also equates to a 1E-3/demand failure rate. The purpose of presenting results in this way is to display more clearly the effects of certain assumptions. In many similar analyses of Westinghouse systems, credit has been taken both implicitly and explicitly for operator action to recover certain errors. Here, choosing lower error probabilities corresponds, in effect, to taking more credit for recovery.

For the purpose of selecting the proper assessment for compliance with the NUREG-0611 guidelines, and correspondence with the applicant's actual design, BNL has chosen Case C with common mode failures included for the final evaluation provided in Tables 1 and 2 in the Executive Summary.

9.2.3.4 Dominant Failure Modes

The results of the BNL analysis are provided in Figures 8, 9 and 10 for Case B of Table 8, assuming independent failures only.

1. Case 1 - LMFW

The dominant failure modes are shown in Figure 8. The leading group is random failure of one pump combined with maintenance outage of a second pump and random failure of one of the manual stop check valves on the steam generator inlet lines supplied by the third pump. The next significant set is random failures of three out of four of the manual stop check valves on the steam generator inlet lines, followed by random failure of two pumps and one of the manual stop check valves supplied by the third pump.

2. Case 2 - LOOP

The dominant failure modes for this case are shown in Figure 9. The leading group is random failure of both diesel generators (ACTRNAF and ACTRNBF) combined with random or maintenance acts on the turbine-driven pump train. The next major group is maintenance acts on one of the pumps combined with random failure of one of the diesel generators and random failure of either one of the manual stop check valves on the steam generator inlet lines supplied by the third pump or random failure of the third pump itself.

3. Case 3 - LOAC

The dominant failure modes are shown in Figure 10 for this case. As expected, single random failures or maintenance acts on the turbine-driven pump itself or one of the several valves on the turbine inlet supply line comprise the predominant group of failure modes. At much lower failure probability rates, the next group consists of double failures pertaining to random failures of the locked-open manually-operated butterfly valves on the condensate storage tank supply lines to the turbine-driven pump suction combined with random failure of or operator failure to open the normally-closed motor-operated valves isolating the turbine-driven pump suction from the standby condensate storage tank.

9.2.3.5 General Comparison to Other Plants

The Vogtle AFWS design is similar to many other plants in that it consists of two motor-driven pumps and a third pump which is steam turbine-driven. It does have several notable features such as two redundant, safety-class, condensate storage tanks each of which has sufficient capacity for an extended cooldown and satisfaction of the design basis requirements. Transfer to the standby tank must be done manually.

Another feature is the provision of a third, independent train of DC power for the TDP and its associated motor-operated valves, designated as 125 V DC Train C power. In this manner, failure of either DC Train A or Train B fails only one of the MDPs, not an MDP and the TDP simultaneously. Also, since the motor-operated throttle valves on the TDP discharge lines to the SGs are DC-powered by Train C, SG level control can be maintained by the operator from the control room even during a LOAC transient.

The location of the test recirculation lines very close to the SG intakes allows the position of all valves on the pumps' discharge lines with the exception of the manually-operated stop check valves on the inlet lines to each SG (113, 114, 115, 116) to be verified by the pump testing.

The MDP headers are joined together by two normally-closed manual valves 055 and 056. By opening both of these valves, either MDP can be utilized to feed all four steam generators. This feature is also provided in several other AFWS designs.

Finally, the provision of the stop check valves 113, 114, 115, and 116 in the SG intake lines is rather unique. Although, as mentioned previously, the potential for human error blocking all AFW flow to an entire steam generator increases, the valves may provide additional safety margin in preventing the back-leakage of steam into the AFW lines.

9.2.3.6 General Comments

The Vogtle AFWS is a generally very well-designed system. The provisions for pump testing allow for nearly complete verification of the valve positions on the pump's discharge, the exception being the steam generator intake lines themselves. The inadvertent closure of the manually-operated stop check valves on the intake lines does, however, have a significant effect on the unavailability analysis. This effect is substantially reduced if the valves have control room position indication or if the operator can credibly recognize the problem and take appropriate actions outside the Control Room within the 30 minutes allowable action time.

The actual procedure for and the sequencing of pump testing was not adequately explained in the applicant's analysis. It is not clear how many of the recirculation bypass line valves to the Condensate System are simultaneously opened during the testing of any one pump. Presumably, the recirculation line valves for the two steam generators supplied by each MDP and the four valves for the four steam generators supplied by the TDP are simultaneously opened.


REFERENCES

1. U.S. NRC, "Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse-Designed Operating Plants," NUREG-0611, January 1980.
2. Letter from D. F. Ross, Jr., U.S. NRC, to "All Pending Operating License Applicants of Nuclear Steam Supply Systems Designed by Westinghouse and Combustion Engineering," dated March 10, 1980.
3. Georgia Power Corporation, "VEGP Auxiliary Feedwater System Reliability Analysis," VEGP FSAR Appendix 10A, current edition.
4. U.S. NRC, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants - LWR Edition - Section 10.4.9, 'Auxiliary Feedwater System'," NUREG-0800, Revision 2, July 1981.
5. U.S. NRC, "Standard Technical Specifications for Westinghouse Pressurized Water Reactors," NUREG-0452, Revision 4, Fall 1981.
6. U.S. NRC, "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants - Appendices 3 and 4: Failure Data," WASH-1400 (NUREG-75/014), October 1975.
7. Erdmann, R. C., Leverenz, F. L., and Kirch, H., "WAM-CUT: A Computer Code for Fault Tree Evaluation," EPRI-NP-803, Science Applications, Inc., June 1978.
8. Worrell, R. B., Stack, D. W., "A SETS Users Manual for the Fault Tree Analyst," NUREG/CR-0465, Sandia National Laboratory, November 1978.

Table 4 (FSAR Table 10A-4, Sheets 1 to 3 of 3): AFWS Component Failure Data

| Fault Event / Tree Description | Component | Failure on Demand | Reference | Repair Time (h) | Unavailability Due to Maintenance | Reference |
|---|---|---|---|---|---|---|
| Check valve (at steam generator intake) fails to open on demand | 121, 122, 123, 124, 125, 126, 127, 128 | 1 x 10~" | 1 | NA | NA | NA |
| Stop check valve (at steam generator intake) fails to open on demand | 113, 114, 115, 116 | 1 x 10-* | 1 | NA | NA | NA |
| Stop check valve (on AFWS discharge) fails to open on demand | 017, 020, 023, 026, 037, 040, 043, 046 | 1 x 10 " | 1 | 7 | 2.17 x 10-' | 1, 3 |
| Motor-operated valve (on discharge line) transfers closed | 5120, 5122, 5125, 5127, 5132, 5134, 5137, 5139 | 1 x 10-* | 1 | 7 | 2.17 x 10 | 1, 3 |
| Gate valve (on discharge line) transfers closed | 015, 016, 019, 022, 025, 035, 036, 039, 042, 045, 060 | 1 x 10-* | 1 | 7 | 7 x 10 | 1, 3 |
| Check valve (on discharge line) fails to open on demand | 001, 002, 014 | 1 x 10'" | 1 | 7 | 2.17 x 10~' | 1, 3 |
| Motor-driven pump fails (includes controls) | 003, 002 | 5 x 10-3 | 1 | 19 | 5.81 x 10-3 | 1 |
| Turbine-driven pump fails (includes controls) | 001 | 5 x 10 | 1 | 19 | 5.81 x 10-3 | 1 |
| Motor-operated valve (on turbine intake) fails on demand | 5106 | 3.1 x 10-8 | 1 | 7 | 2.17 x 10-' | 1 |
| Check valves (on turbine steam intake) fail to open on demand | 006, 008 | 1 x 10-' | 1 | 7 | 2.17 x 10-6 | 1, 3 |
| Motor-operated valves (on turbine steam intake) transfer closed on demand | 3009, 3019 | 1 x 10-6 | 1 | 7 | 2.17 x 10-' | 1, 3 |
| Gate valve (on turbine steam intake) transfers closed on demand | 005, 007 | 1 x 10-* | 1 | NA | NA | NA |
| Butterfly valve (on suction line) transfers closed | 093, 094, 095 | 1 x 10-* | 1 | 7 | 7.0 x 10-8 | 1, 3 |
| Motor-operated valve (pump suction line) fails on demand | 5113, 5118, 5119 | 3.1 x 10-3 | 1 | 7 | 2.17 x 10-' | 1, 3 |
| Butterfly valve (on CST discharge line) transfers closed | 090, 091, 092, 097, 098, 099 | 1 x 10-4 | 1 | 40 | 4 x 10-7 | 2, 3 |
| CST fails | 001, 002 | 1 x 10-e | 3 | NA | NA | NA |
| Failure of actuation signal | Train A, train B, speed governor | 7 x 10-3 | 1 | NA | NA | |
| Loss of offsite power | Case 1 | 0.2 | 3 | NA | NA | NA |
| Failure of 125-V dc electric power | Train A, train B, train C | NA | NA | 2 | 2.4 x 10-8 | 3 |
| Failure of ac electric power (onsite - case 1 and 2) | Train A, train B | 3 x 10-2 | 3 | NA | NA | NA |
| Motor-operated valve closed by error | 3009, 3019, 5120, 5122, 5125, 5127, 5132, 5134, 5137, 5139 | 5 x.10~" | 1 | NA | NA | NA |
| No manual open signal to motor-operated valve | 3009, 3019, 5106, 5113, 5118, 5119, 5120, 5122, 5125, 5132, 5134, 5137, 5139 | 5 x 10-3 | 1 | NA | NA | NA |
| No manual start signal to pump | 001, 002, 003, speed governor | 5 x 10~3 | 1 | NA | NA | NA |
| Trip and throttle valve or speed governing valve fails to open on demand | Trip and throttle valve, speed governing valve | 1.1 x 10-3 | 1 | 7 | 2.17 x 10-6 | 3 |

References

1. U.S. Nuclear Regulatory Commission, "Generic Evaluation of Feedwater Transients and Small-Break Loss-of-Coolant Accidents in Westinghouse-Designed Operating Plants," NUREG-0611, Bulletins and Orders Task Force, Office of Nuclear Reactor Regulation, January 1980.
2. Engineering judgment.
3. Rasmussen, N. C., et al., "Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," U.S. Nuclear Regulatory Commission WASH-1400 (NUREG-75/014), October 1975.

Maintenance is defined to be maintenance whereby the component is unable to perform its function. Also, unavailability due to maintenance is calculated as the frequency of failure times the repair time.

[BNL Figure 2: Vogtle Unit 1 auxiliary feedwater / steam generators intake. Georgia Power, Vogtle Electric Generating Plant Unit 1 and Unit 2, FSAR Figure 10A-2.]


[BNL Figure 4: Vogtle AFWS reliability evaluation methodology flow chart. Georgia Power, Vogtle Electric Generating Plant Unit 1 and Unit 2, FSAR Figure 10A-4. Boxes: system descriptions; system drawings; system bounds; reliability block diagram development; fault tree development to component failure cause; NUREG-0611; Technical Specifications; operating procedures; minimal cut set analysis; revised fault tree; deterministic common cause analysis; statistically independent failure cause quantification; results and conclusions.]

[BNL Figure 5: Vogtle Unit 1 AFWS block diagram. Georgia Power, Vogtle Electric Generating Plant Unit 1 and Unit 2, FSAR Figure 10A-5. Blocks: Pump A section with Train A discharge to steam generators 1 and 4; Pump B section with Train B discharge to steam generators 2 and 3; Pump C section with Train C discharge to steam generators 1, 2, 3 and 4; steam generator 1 to 4 intake sections.]

[BNL Figure 6: Expanded Reliability Block Diagram. Georgia Power, Vogtle Electric Generating Plant Unit 1 and Unit 2.]

[BNL Figure 7 (Sheet 1 of 33): Vogtle Unit 1 AFWS fault tree model. Georgia Power, Vogtle Electric Generating Plant Unit 1 and Unit 2, FSAR Figure 10A-7 (Sheet 1 of 30). Top event IFTSGS1234, developed through the gates IFTSG1INTK to IFTSG4INTK and STMGEN1 to STMGEN4.]

IFTSGS1234 = STMGENS123 + STMGENS124 + STMGENS134 + STMGENS234

STMGENS123 = NOIFTSG1*NOIFTSG2*NOIFTSG3
STMGENS124 = NOIFTSG1*NOIFTSG2*NOIFTSG4
STMGENS134 = NOIFTSG1*NOIFTSG3*NOIFTSG4
STMGENS234 = NOIFTSG2*NOIFTSG3*NOIFTSG4

[BNL Figure 7 (Sheets 2 to 22 of 33): Vogtle Unit 1 AFWS fault tree model. Georgia Power, Vogtle Electric Generating Plant Unit 1 and Unit 2, FSAR Figure 10A-7. NOIF = no or insufficient flow; NOIS = no or insufficient steam. Sheet titles and gate names recoverable from the drawings:]

- Sheet 2 (BNL addition, FSAR Sheet 1A of 30): SG1 to SG4 intake section fails (STMGEN1 to STMGEN4), either randomly (SG1INTKRAND to SG4INTKRAND) or in maintenance or test (SG1INTKMAINT to SG4INTKMAINT).
- Sheet 3 (FSAR Sheet 2 of 30, BNL revision): NOIF to SG1 from Train A (NOIFT1FA).
- Sheet 4 (FSAR Sheet 3 of 30, BNL revision): NOIF to SG1 from Train C (NOIFT1FC).
- Sheet 5 (FSAR Sheet 4 of 30, BNL revision): NOIF to SG2 from Train B (NOIFT2FB).
- Sheet 6 (FSAR Sheet 5 of 30, BNL revision): NOIF to SG2 from Train C (NOIFT2FC).
- Sheet 7 (FSAR Sheet 6 of 30, BNL revision): NOIF to SG3 from Train B (NOIFT3FB).
- Sheet 8 (FSAR Sheet 7 of 30, BNL revision): NOIF to SG3 from Train C (NOIFT3FC).
- Sheet 9 (FSAR Sheet 8 of 30, BNL revision): NOIF to SG4 from Train A (NOIFT4FA).
- Sheet 10 (FSAR Sheet 9 of 30, BNL revision): NOIF to SG4 from Train C (NOIFT4FC).
- Sheet 11 (FSAR Sheet 10 of 30, BNL revision): SG1 to SG4 intake sections fail randomly (SG1INTKRAND to SG4INTKRAND): check valves 121 to 128 and stop check valves 113 to 116.
- Sheet 12 (BNL addition, FSAR Sheet 10A of 30): SG1 and SG2 intake sections in maintenance or test (SG1INTKMAINT, SG2INTKMAINT), including pump section in test with operator failure to reclose valves 081 and 082.
- Sheet 13 (BNL addition, FSAR Sheet 10B of 30): SG3 and SG4 intake sections in maintenance or test (SG3INTKMAINT, SG4INTKMAINT), including pump section in test with operator failure to reclose valves 083 and 084.
- Sheet 14 (FSAR Sheet 11 of 30, BNL addition): Train A pump section in maintenance (PMPAMAINT).
- Sheet 15 (FSAR Sheet 12 of 30, BNL addition): Train B pump section in maintenance (PMPBMAINT).
- Sheet 16 (FSAR Sheet 13 of 30): Train C pump section maintenance events.
- Sheet 17 (FSAR Sheet 14 of 30): Train C discharge sections to SG1 to SG4 fail randomly (C1RAND to C4RAND).
- Sheet 18 (FSAR Sheet 15 of 30): Train A discharge sections to SG1 and SG4 and Train B discharge sections to SG2 and SG3 fail randomly (A1RAND, A4RAND, B2RAND, B3RAND).
- Sheet 19 (FSAR Sheet 16 of 30): Train A pump section random failures (motor-driven pump 003).
- Sheet 20 (FSAR Sheet 17 of 30): Train B pump section random failures (motor-driven pump 002).
- Sheet 21 (FSAR Sheet 18 of 30, BNL additions): Train C pump section fails randomly (PMPCRAND).
- Sheet 22 (FSAR Sheet 19 of 30): Turbine-driven pump fails to operate, including NOIS to the turbine from steam generators 1 and 2.

l ) 0 3 ) F 3 O 3 0 f ' o 2 3 T 2 EE te H e S h ( S

  • f l'

' ( 7 I R 7 A A r e S 0 w r F 1 N o u ED 6 g n E i MOPN 0 F R 1 A 5 U 1 L G 5OM V N I I VTE O B OSD M F MI N A L R AO O L F L AM T A F T UN1 6 N 5 O1 0 A 6 N G V L, I 0 ASO 5 P I 1 V G 5 MNM V O N O O E PO M T N OT E An. M R O N T EN. E O S Eu MP NTM Go I O E I 1 L Cn P S 5O OA E,I A II L VT NV T,i Q,T. OS O G O MI NI M L u S A C L I F TA C F ANN C OT n M GI N OI A R F I TSR [\\ M UNT r T e V AEO S w 1 I P T o /M OO P N L a C F D AN i C C g C N r FI N

ORR, R

o I T T e S C C G S E D O L L E 9-3 3 4

A TRIP AND l / { THROTTLE VALVE FAILS TTVF I I ~ LOSS OF DC SIGNAL TO TH O T E ELECTRICAL TRIP AND VALVE FAILS POWdR ON THROTTLE TO OPEN TRAIN C VALVE FAILS ON DEMAND ISTTTV DCTRNCF RATTVFTO I I i 1 OPERATOR FAILS O GOVER OR E FAILS GOVERNOR O O RASPDGOV OESPDGOV SPEED GOVERNING VALVE FAILS SGVF i i i I SPEED LOSS OF DC SIGN AL TO GOVERNING f ELECTRICAL SPEED VALVE FAILS POWER ON GOVERNING TRAIN C VALVE FAILS O ND 0 i l k ISTSGV i DCTRNCF RASGVFTO 7 I I SPEED OPER ATOR FAILS GOVERNOR TO OVEMRIDE FAILS SPEED GOVERNOR O O ~ RASPDGOV OESPDGOV so u r.: BNL Figure 7 (5heet 24 07 44) [ECTRIC GENER ATING PLANT UNIT 1 APWs FAULT TREE MODEL Georg. Power ia unir i ano unit FSAR j j FIGURE 10A-7 (SHEET 21 OF 30) an.,

~ MOV 3019 MOV 3499 FAILS FAILS CLOSED CLOSED SIMVG19 SIMV999 1 I I I MOV 3019 MOV M FA LS C ED FA SC ED NOT OPEN NOT MEN ON DEMAND ON DEMAND 4 O n O MOV3Ol3CL MOV3OO9CL i RA MOV3Ol9CL RAMOV3OO9CL t i I MOV 3819 MOV 3019 MOV 3609 MOV 3809 1 CLOSED FAILS CLOSED FAILS SY ERROR TO OPEN SY ERROR TO OPEN j MOV3Ol9FTO MOV3OO9FTO OEMOV3OO9CL m OEMOV3Ol9CL I I I I L OF DC NO MANUAL MOV 3019 FAILS MMUR M M FW E ELE TR C L I AL TO M m M OPEN SIGNAL TO OPEN ON POWER ON POWER ON TO MOV 3019 DEMAND TO MOV 3809 DEMAND TRAIN A TRAIN B o O O O O O DCTRNAF OEMOV3Ol9FTO RAMOV3Ol9FTO DCTRNBF OEMOV3OO9FTO RAMOV3OO9FTO 109674 BNL Figure 7 (Sheet 25 Of 33) k LICTRIC GENERATING PLANr - rsaa Georgia Power n j uNir i ANo uNir 3 FIGURE 10A-7 (SHEET 22 OF 30)l 433-9

MOV 5132 FAILS CLOSED ACDMV5132 ..~ 3 s I 1 MOV 5132 FAILS MOV 5132 CLOSED NOT ,,j ON DEMAND OPEN () MOV5132CL RAMOV5132CL I MOV 5132 MOV 5132 CLOSED BY FAILS ERROR TO OPEN o n MOV5132FTO OEMOV5132CL m I I NO OPEN MOV 5132 FAILS ELE TR CAL SIGNAL TO TO OPEN POWER ON MOV 5132 ON DEMAND TRAIN B ISTMOV5132 ACTRNBF RAMOV5132FTO I I NO AUTOMATIC NO MANUAL OPEN SIGNAL OPEN SIGNAL TO TRAIN B TO MOV 5132 ISTTRNBF OEMOV5132FTO l BNL Figure 7 (Sheet 26 of 34) voGTLE UNIT 1 AFWS FAULT TREE MODEL ELECTRIC GENERATING PLANT Georg. Power FSAR ia UNIT 1 ANo uNor 2 FIGURE 10A-7 (SHEET E3 'OF 30) I i en., i

i MOV 5134 FAILS CLOSED ACOMV5134 T . [ I MOV 5134 MOV 5134 FAILS CLOSED NOT ON DEMAND OPEN () O MOV5134CL RA MOV5134CL I MOV 5134 MOV 5134 CLOSED BY FAILS ERROR TO OPEN O MOV5134FTO OEMOV5134CL I I LOSS OF NO OPEN MOV 5134 FAILS ELECTRICAL SIGNAL TO .TO OPEN POWER ON MOV 5134 ON DEMAND TRAIN 8 () o ISTMOV5134 ACTRNBF RAMOV5134 FTO \\ I I NO AUTOMATIC NO MANUAL OPEN SIGNAL OPEN SIGNAL TO TRAIN B TO MOV 5134 i O O ISTTRNBF OEMOV5134FTO 19947 3 BNL Figure 7 (Sheet 27 of 33) A sLIctn c cENERATWG Pt. ANT UNIT 1 AFWS FAULT TREE MODEL l FSAR Georg. Poweral ia umr i *No umt : j FIGURE 10A-7 (SHEET 24 OF 30) i u>.

c7 - MOV 5137 FAILS CLOSED ACOMV5137 ~ 7 .... _ _ y y -- - t MOV 5137 > MOV 5137 FAILS CLOSED NOT ON DEMAND OPEN t O' (l MOV5137CL RAMOV5137CL i I l MOV 5137 MOV 5137 CLOSED BY FAILS ERROR TO OPEN O 'i MOV5137FTO ( OEMOV5137CL I I i 4 LOSS OF NO OPEN MOV 5137 FAILS ELECTRICAL SIGNAL TO TO OPEN P WER N MOV 5137 ,ON DEMAND O (l i ISTMOV5137 ACTRNAF RAMOV5137FTO j' l l l NO AUTOMATIC NO MANUAL OPEN SIGNAL OPEN SIGNAL TO TRAIN A TO MOV 5137 1 O O ~ i ISTTRNAF OEMOV5137FTO mm urtL tigure / pneeT,40 07. J.y, A ScTaic cENER ATING Pt. ANT UNIT 1 AFWS FAULT TREE MODEL Georgit Pbwer ma FSAR uifi u T FIGURE 10A-7 (SHEET 25 OF 30) ru.e

) MOV 5139 FAILS \\ CLOSED ACDMVS139 t g y MOV 5139 MOV 5139 FAILS CLOSED NOT ON DEMAND OPEN l r3 ? MOV5139CL I RAMOV5139CL i I + i MOV 5139 MOV 5139 CLOSED BY FAILS TO ERROR OPEN ( MOV5139FTO OEMOV5139CL I I LOSS OF ELECTRICAL NO OPEN MOV 5139 FAILS POWER ON SIGNAL TO TO OPEN MOV 5139 ON DEMAND TRAIN A r O f3 l ISTMOV5139 ACTRNAF RAMOV5139FTO [ NO AUTOMATIC NO MANUAL OPEN SIGNAL OPEN SIGNAL TO TRA1N A TO MOV 5139 O-O ISTTRNAF OEMOV5139FTO BNL Figure 7 (Sheet 29 of 33) Gw.. ia Power A,-- mygg" ~ t - ELECTRIC GENER ATING PL ANT ' UNIT 1 AFWS FAULT TREE MODEL i rg u 1 i AN. umn rsAR FIGURE 10A-7 (SHEET 26 OF 30) caw l

d

'..i MOV 5129 FAILS CLOSED DCDMV5129 T

I 1 MOV 5129 MOV 5129 FAILS CLOSED NOT ON DEMAND OPEN O Oi MOV5120CL RAMOV5120CL I MOV 5120 MOV 5129 CLOSED BY FAILS TO ERROR OPEN MOV5120FTO OEMOV5120CL I I a LOM OF DC NO OPEN MOV 5129 FAILS ELECTRICAL SIGNAL TO TO OPEN R ON MOV 5129 ON DEMAND (y O ISTMOV5120 DCTRNCF RAMOV5120FTO I I I NO AUTOMATIC NO MANUAL OPEN SIGNAL OPEN SIGNAL TO TRAIN C TO MOV 5129 O O ISTTRNCF OEMOV5120FTO BNL Figure 7 (Sheet 30 of 33). NECTRIC GENERATlhG PLANr UNIT 1 AFWS FAULT TREE MODEL FSAR GeorgiaPower unir i Ano unir : FIGURE 10A-7 (SHEET 57 'OF 30j w.,

1 3 MOV 5122 .I i . FAILS 1 'b CLOSED + DCMV3122 3 ~ T 0 I l MOV 5122 MOV 5122 S FAILS CLOSED NOT 's s ON DEMAND OPEN 4 T c ,v MOV5122CL RAMOV512bCL I MOV 5122 MOV 5122 + CLOSED BY ~ FAILS TO OPEN ~ ERROR i 3 ti OEMOV5122CL MOV5I2?.FTO f ~l l 1 SIGNAL TO I3 s MOV 5122 FAILS NO OPEN ELE TR CAL POWER ON MOV 5122 '.s TO OPEN ON DEMAND TRAIN C

/

O O ISTMOV5122 DCTRNCF RAMOV5I22FTO s s + l I NO MANOAL ) NO AUTOMATIC s OPEN SIGNAL OPEN SIGNAL <s, TO TRAIN C TO MOV 5122, y 1 O O ISTTRNCF OEMOV5122FTO 10967 3 . BNL Figure 7 (Sheet 31 of 33) v0GTLE UNIT 1 AFWS FAULT TREE MODEL ELECTRIC GENERATING PLANT GeorgiaPower L unit uso u~iT 2 FSAR 'a ~ FIGURE 10A-7 (SHEET 28 OF 30) C33 9 'L,,,

,? ... s MOV 5125 FAILS \\ CLOSED DCMV5125 T I I MOV 5125 MOV 5125 FAILS CLOSED NOT ON DEMAND OPEN O O MOV5125CL RAMOV5125CL I 4 MOV 5125 MOV 5125 CLOSED BY FAILS ERROR TO OPEN O MOV5125FTO OEMOV5125CL n l I LOSS OF DC NO OPEN MOV 5125 FAILS ELECTRICAL SIGNAL TO TO OPEN POWER ON MOV 5125 ON DEMAND O n ISTMOV5125 DCTRNCF RAMOV5125FTO 'I I NO AUTOMATIC NO MANUAL i OPEN SIGNAL OPEN SIGNAL TO TRAIN C TO MOV 5125 O O ISTTRNCF OEMOV5125FTO 10967 3 4 BNL Figure 7 (Sheet 32 of 33) vocTLE UNIT 1 AFWS FAULT TREE MODEL k ELECT RIC GENER ATING PLANT Georgia Power L UNIT 1 ANo UNIT 2 FSAR FIGURE 10A-7 (SHEET 29 OF 30) 4J3 9 +

r; = is MOV 5127 FAILS \\ CLOSED DCDMV5127 m i 1 MOV 5127 MOV 5127 FAILS CLOSED NOT ON DEMAND OPEN O O MOV5125CL RAMOV5125CL I 4 MOV 5127 MOV 5127 CLOSED BY FAILS ERROR TO OPEN f* MOV5125FTO OEMOV5125CL m I I LOSS OF DC ~ NO OPEN MOV 5127 FAILS ELECTRICAL SIGNAL TO TO OPEN POWER ON MOV 5127 ON DEMAND O O ISTMOV5125 DCTRNCF RAMOV5125FTO I I NO AUTOMATIC NO MANUAL OPEN SIGNAL OPEN SIGNAL TO TRAIN C TO MOV 5127 0 O ISTTRNCF OEMOV5125FTO 10967 3 V0GTLE BNL Figure 7 (Sheet 33 of 33) ELECTRIC GENER ATING PLANT UNIT 1 AFWS FAULT TREE MODEL Georgia Power h uNir i ANo uNir 2 FSAR FIGURE 10A-7 (SHEET 30 OF 30) 4339

BNL Figure 8. VEGP AFWS Unavailability Assessment - Dominant Failure Modes, Case No. 1 - LMFW (Sheets 1 and 2 of 2)

IFTSGS1234-TKDL4 =

Term number   Prob. of term   Term
 1   1.4790E-07   RASCV115 * RAMDPA003 * MATDPC001 +
 2   1.4790E-07   RASCV114 * RAMDPA003 * MATDPC001 +
 3   1.4790E-07   RASCV116 * RAMDPB002 * MATDPC001 +
 4   1.4790E-07   RASCV113 * RAMDPB002 * MATDPC001 +
 5   1.4790E-07   RASCV115 * RATDPC001 * MAMDPA003 +
 6   1.4790E-07   RASCV114 * RATDPC001 * MAMDPA003 +
 7   1.4790E-07   RASCV116 * RATDPC001 * MAMDPB002 +
 8   1.4790E-07   RASCV113 * RATDPC001 * MAMDPB002 +
 9   1.4500E-07   RAMDPA003 * RAMDPB002 * MATDPC001 +
10   1.4500E-07   RAMDPA003 * RATDPC001 * MAMDPB002 +
11   1.4500E-07   RAMDPB002 * RATDPC001 * MAMDPA003 +
12   1.3265E-07   RASCV113 * RASCV114 * RASCV115 +
13   1.3265E-07   RASCV113 * RASCV114 * RASCV116 +
14   1.3265E-07   RASCV114 * RASCV115 * RASCV116 +
15   1.3265E-07   RASCV113 * RASCV115 * RASCV116 +
16   1.2750E-07   RASCV115 * RAMDPA003 * RATDPC001 +
17   1.2750E-07   RASCV114 * RAMDPA003 * RATDPC001 +
18   1.2750E-07   RASCV116 * RAMDPB002 * RATDPC001 +
19   1.2750E-07   RASCV113 * RAMDPB002 * RATDPC001 +
20   1.2500E-07   RAMDPA003 * RAMDPB002 * RATDPC001 +
21   9.1698E-08   RASCV115 * RASGVFTO * MAMDPA003 +
22   9.1698E-08   RASCV114 * RASGVFTO * MAMDPA003 +
23   9.1698E-08   RASCV116 * RASGVFTO * MAMDPB002 +
24   9.1698E-08   RASCV113 * RASGVFTO * MAMDPB002 +
25   9.1698E-08   RASCV115 * RATTVFTO * MAMDPA003 +
26   9.1698E-08   RASCV114 * RATTVFTO * MAMDPA003 +
27   9.1698E-08   RASCV116 * RATTVFTO * MAMDPB002 +
28   9.1698E-08   RASCV113 * RATTVFTO * MAMDPB002 +
29   9.1698E-08   RASCV115 * RAMOV5106 * MAMDPA003 +
30   9.1698E-08   RASCV114 * RAMOV5106 * MAMDPA003 +
31   9.1698E-08   RASCV116 * RAMOV5106 * MAMDPB002 +
32   9.1698E-08   RASCV113 * RAMOV5106 * MAMDPB002 +
33   8.9900E-08   RAMDPA003 * RASGVFTO * MAMDPB002 +
34   8.9900E-08   RAMDPB002 * RASGVFTO * MAMDPA003 +
35   8.9900E-08   RAMDPA003 * RATTVFTO * MAMDPB002 +
36   8.9900E-08   RAMDPB002 * RATTVFTO * MAMDPA003 +
37   8.9900E-08   RAMDPA003 * RAMOV5106 * MAMDPB002 +
38   8.9900E-08   RAMDPB002 * RAMOV5106 * MAMDPA003 +
39   7.9050E-08   RASCV115 * RAMDPA003 * RASGVFTO +

BNL Figure 9. VEGP AFWS Unavailability Assessment - Dominant Failure Modes, Case No. 2 - LOOP (Sheets 1 and 2 of 2)

IFTSGS1234-TKDL4 =

Term number   Prob. of term   Term
 1   5.2200E-06   ACTRNAF * ACTRNBF * MATDPC001 +
 2   4.5000E-06   ACTRNAF * ACTRNBF * RATDPC001 +
 3   2.7900E-06   ACTRNAF * ACTRNBF * RASGVFTO +
 4   2.7900E-06   ACTRNAF * ACTRNBF * RATTVFTO +
 5   2.7900E-06   ACTRNAF * ACTRNBF * RAMOV5106 +
 6   1.8900E-06   ACTRNAF * ACTRNBF * MAMOV3009 +
 7   1.8900E-06   ACTRNAF * ACTRNBF * MAMOV3019 +
 8   1.8900E-06   ACTRNAF * ACTRNBF * MAMOV5106 +
 9   1.8900E-06   ACTRNAF * ACTRNBF * MATTV +
10   1.8900E-06   ACTRNAF * ACTRNBF * MASGV +
11   9.9000E-07   ACTRNAF * ACTRNBF * RAMGV015 +
12   9.6000E-07   ACTRNBF * RATDPC001 * MADGA +
13   9.6000E-07   ACTRNAF * RATDPC001 * MADGB +
14   8.8740E-07   RASCV116 * ACTRNBF * MATDPC001 +
15   8.8740E-07   RASCV113 * ACTRNBF * MATDPC001 +
16   8.8740E-07   RASCV115 * ACTRNAF * MATDPC001 +
17   8.8740E-07   RASCV114 * ACTRNAF * MATDPC001 +
18   8.7000E-07   ACTRNBF * RAMDPA003 * MATDPC001 +
19   8.7000E-07   ACTRNBF * RATDPC001 * MAMDPA003 +
20   8.7000E-07   ACTRNAF * RAMDPB002 * MATDPC001 +
21   8.7000E-07   ACTRNAF * RATDPC001 * MAMDPB002 +
22   7.6500E-07   RASCV116 * ACTRNBF * RATDPC001 +
23   7.6500E-07   RASCV113 * ACTRNBF * RATDPC001 +
24   7.6500E-07   RASCV115 * ACTRNAF * RATDPC001 +
25   7.6500E-07   RASCV114 * ACTRNAF * RATDPC001 +
26   7.5000E-07   ACTRNBF * RAMDPA003 * RATDPC001 +
27   7.5000E-07   ACTRNAF * RAMDPB002 * RATDPC001 +
28   5.9520E-07   ACTRNBF * RASGVFTO * MADGA +
29   5.9520E-07   ACTRNBF * RATTVFTO * MADGA +
30   5.9520E-07   ACTRNBF * RAMOV5106 * MADGA +
31   5.9520E-07   ACTRNAF * RASGVFTO * MADGB +
32   5.9520E-07   ACTRNAF * RATTVFTO * MADGB +
33   5.9520E-07   ACTRNAF * RAMOV5106 * MADGB +
34   5.3940E-07   ACTRNBF * RASGVFTO * MAMDPA003 +
35   5.3940E-07   ACTRNBF * RATTVFTO * MAMDPA003 +
36   5.3940E-07   ACTRNBF * RAMOV5106 * MAMDPA003 +
37   5.3940E-07   ACTRNAF * RASGVFTO * MAMDPB002 +
38   5.3940E-07   ACTRNAF * RATTVFTO * MAMDPB002 +

BNL Figure 10. VEGP AFWS Unavailability Assessment - Dominant Failure Modes, Case No. 3 - LOAC

IFTSGS1234-TKDL4 =

Term number   Prob. of term   Term
 1   5.8000E-03   MATDPC001 +
 2   5.0000E-03   RATDPC001 +
 3   3.1000E-03   RASGVFTO +
 4   3.1000E-03   RATTVFTO +
 5   3.1000E-03   RAMOV5106 +
 6   2.1000E-03   MAMOV3009 +
 7   2.1000E-03   MAMOV5106 +
 8   2.1000E-03   MATTV +
 9   2.1000E-03   MASGV +
10   2.1000E-03   MAMOV3019 +
11   1.1000E-03   RAMGV015 +
12   2.2000E-04   DCTRNCF +
13   1.0000E-04   RACHV014 +
14   7.0000E-06   ISTTRNCF * OEMOV5106FTO +
15   3.4100E-06   RABYV090 * RAMOV5113FTO +
16   3.4100E-06   RABYV093 * RAMOV5113FTO +
17   1.2100E-06   RABYV090 * RABYV097 +
18   1.2100E-06   RAMGV005 * RAMGV007 +
19   1.2100E-06   RABYV093 * RABYV097 +
20   1.1000E-06   RABYV093 * OEMOV5113FTO +
21   1.1000E-06   RABYV090 * OEMOV5113FTO +
22   5.0000E-07   RASPDGOV * OESPDGOV

NRC DSER 01-115 (Loss of all Tower Fans)

I. Statement of Problem

The NRC has requested we look at what would happen to basin temperatures if we had a tornado coincident with loss-of-offsite power (LOP), complete loss of all fans in one NSCW tower and loss of the other NSCW train. The analysis has been broken down into several areas:

  • How much auxiliary feedwater supply do we have to maintain the plant at hot shutdown, and what can be done using safety-grade components to extend the period at hot shutdown?
  • What are the ambient wet bulb temperatures (WBT's) associated with tornadoes?
  • What would be the performance of the NSCW during hot shutdown, cooldown, and cold shutdown following a tornado?
  • What effects, if any, would there be on components cooled by NSCW?

II. Auxiliary Feedwater Supply

Because we postulate the loss-of-offsite power and no accident, we do not have to include allowances for reactor coolant pump (RCP) operation or spillage from a break. However, we still provide an allowance for cooldown to a reactor coolant system (RCS) temperature of 350°F. Also, only the safety-grade portion of the condensate storage tanks (CST's) is taken credit for, as other connections are not missile protected. On this basis we have:

  • 11 hours hot standby capability with one CST operable.
  • 55 hours (2.3 days) hot standby capability with both CST's operable.

For long-term hot standby capability, temporary piping could be installed between the NSCW transfer pump in the operable train and the operable CST(s). This would provide unlimited hot standby capability at the cost of having to chemically clean the steam generators before resumption of power operation.

III. Ambient Wet Bulb Temperatures Associated with Tornadoes

Based upon a tabulation of reported tornadoes in the vicinity of VEGP combined with ambient wet bulb temperature (WBT) data over the 30 years from 1951 through 1980, the following general conclusions have been developed:

  • The peak tornado months are April and May.


NRC DSER 01-115

Response

SUMMARY

  • There is sufficient safety grade auxiliary feedwater supply for 11 hours at hot shutdown with one CST, and 2.3 days with both CST's.
  • Unlimited safety grade auxiliary feedwater supply can be made available by using a temporary connection between the operable NSCW transfer pump and the CST's.
  • Ambient wet bulb temperature is 65-70°F for days on which tornadoes occur, and 55-60°F for the several days thereafter.
  • Basin temperature for hot shutdown immediately following the tornado is 97-100°F (vs 95°F nominal design value).
  • Basin temperature during cooldown can be limited to 110°F by cycling the RHR operation.
  • Basin temperature during cold shutdown is 100-105°F, with RCS temperature of 150-160°F.
  • Centrifugal charging, RHR, CCW, and NSCW pumps will see higher cooling water inlet temperatures, but this partially offset by 17 percent higher cooling water flow rates. Pump operability should not be affected.
  • Components cooled by component and auxiliary component cooling water systems not affected. Diesel generator operation not affected.
  • Containment cooler and ESF chiller performance degraded, but the effect partially offset by reduced heat loads and/or lower than design outside temperatures.

PRELIMINARY

  • Tornadoes are generally associated with WBT's 10°F above average for the day(s) on which the tornado(es) occur, with a drop of 10°F in WBT one to two days after.
  • The median WBT for all tornadoes, 1951 through 1980, was 65°F, with 75 percent of all tornadoes on days of 70°F WBT or less.
  • For NSCW system (ultimate heat sink) analyses, the design WBT's can be taken as follows:
      Use 65-70°F WBT for the day(s) of the tornadoes
      Use 55-60°F WBT for the days following the tornadoes

IV. NSCW Performance Following a Tornado

Consistent with Section I, NSCW system performance has been estimated for the case of one train operation during shutdown with loss-of-offsite power (LOP) and assuming all tower fans are lost due to tornado missile damage. The analysis has been divided into three phases:

  • Hot shutdown immediately following the tornado until depletion of auxiliary feedwater supply, followed by 5-hour cooldown to RHR cut-in at RCS temperature of 350°F.
  • Cooldown from RCS temperature of 350°F to cold shutdown (RCS temperature < 200°F) starting 1-3 days after the tornado.
  • Extended cold shutdown operation starting several days after the tornado.

A. Hot Shutdown Immediately After Tornado

Since hot shutdown operation (auxiliary feedwater system available) occurs immediately following the tornado, an ambient WBT of 65-70°F should be assumed. For one train operation with loss of offsite power and loss of all fans in the operable train, the NSCW basin temperature will be 97 to 100°F, or only 2 to 5°F above the nominal design value of 95°F. The potential effects of basin temperature in excess of 95°F are discussed in Section V.

B. Cooldown from RCS Temperature 350°F

Assuming that offsite power is not restored or that continued operation of hot shutdown is not possible for any reason, plant cooldown could be initiated as early as 1-3 days after the tornado. Because of this delay, the WBT can be assumed to be 10°F lower than during hot shutdown, or 55-60°F. However, the heat load during cooldown is considerably in excess of that during hot shutdown. To limit the effect on peak basin temperature, the RHR system can be periodically cycled to limit the heat dissipated to the basin in any given time period. By so doing, the basin temperature can be kept below 105-110°F during cooldown. However, the time required to achieve cold shutdown (RCS temperature 150 to 200°F) will be several days. However, because a tornado with loss of all four fans is a special case, the time required to achieve cold shutdown is not a consideration.

C. Extended Cold Shutdown Starting Several Days after the Tornado

Again because we are looking at a time period several days after the tornado, an ambient WBT of 55-60°F can be assumed. However, the NSCW heat loads are greater than during hot shutdown because of the residual decay heat loads from the fuel in the reactor. It is estimated that the basin temperature during cold shutdown will be 100 to 104°F, or 5 to 9°F higher than the nominal design value of 95°F. The RCS temperature during this period will be 150-160°F. Both the RCS and the basin temperatures will decrease slowly as the fuel residual decay heat load decreases.

V. Potential Effects of NSCW Basin Temperatures in Excess of 95°F

Basin temperatures in excess of 95°F will have some effect on the various components cooled either directly or indirectly by NSCW. However, these effects will be partially offset by the 17% higher NSCW flows which occur because the NSCW basin can be presumed full at the time the tornado occurs. Specific components potentially affected are:

  • Degraded performance of the containment coolers and ESF chillers will raise the temperature in the respective cooled areas a few degrees but this will be partially offset by lower ambient temperatures than used for HVAC design.
  • Increased operating temperatures for the centrifugal charging, residual heat removal, component cooling water, and NSCW pumps. Pump failure should not occur, but pump and motor life could be affected.
  • Components cooled by the ACCW would not be affected, as they are generally designed to operate at temperatures as high as 120°F.
  • The spent fuel pit (cooled by CCW) is not affected, as pool temperature rise margin is 40°F or more.
  • The diesel generators would not be affected, as they are designed for 105°F cooling water.

ASB Items from NRC Letter dated February 14, 1985

The following items refer to the staff's additional areas to be addressed as identified in the NRC letter dated February 14, 1985.

(1) As a result of a recent amendment, the applicant needs to add further discussion to the FSAR on the essential and normal chilled water systems, especially concerning alarms.

Response: See attached annotated copy of FSAR subsection 9.2.9.

(2) All sheets of FSAR figure 10.3.2-1 need to be updated to correspond to sheet 2 of the figure. Also, bypass lines were added to the figure and the associated text now needs to be updated.

Response: See amendment 14 to FSAR section 10.3.

(3) In FSAR Amendment 7, nonsafety connections above the 330,000 gallon level were deleted from table 10.4.9-4. This needs to be clarified.

Response: See FSAR paragraph 9.2.6.4.C.

(4) The staff will require at least one RHR suction valve in each RCS hot leg suction line to have power removed for alternate shutdown.

Response: Still under evaluation.

(5) If sheets 1 and 2 of FSAR figure 9.2.1-1 are correct, a discussion needs to be added to FSAR to explain the seismic class change between the orifice and isolation valve on the sample lines. If the figure is wrong, it needs to be corrected.

Response: See amendment 14 to FSAR paragraph 9.2.1.2.3.

(6) In response to a staff question, the applicant indicated that the air compressors cannot be manually loaded on to the diesel generator busses.

Response: No additional response required.

(7) The staff emphasized the need for Technical Specifications concerning the control room ventilation system when Unit 1 is operating and Unit 2 is still under construction because control room pressure envelope needs to be maintained. A similar situation may exist in the fuel building.

Response: The technical specifications will address the control room ventilation system when Unit 1 is operating and Unit 2 is still under construction. Even though the fuel handling building ventilation system is shared by both Units 1 and 2, the normal and emergency FHB ventilation systems will be complete and operational when Unit 1 is operating and Unit 2 is under construction. See amendment 14 to FSAR subsections 6.4.2, 9.4.1 and 9.4.2.

(8) In response to a staff question, the applicant stated that failure of a non-safety-related ventilation system will not affect safety-related equipment.

Response: See amendment 14 to FSAR section 9.4.

(9) In response to a staff question, the applicant stated that the only safety-related equipment in the equipment building is seismic Category 1 duct work.

Response: The safety-related equipment located in the equipment building is the containment purge and preaccess filter system containment isolation valves and associated piping. The Regulatory Guide 1.97, Rev. 2 Category 2 plant vent exhaust radiation monitor is also located in the equipment building.

(10) The applicant should add discussion to the FSAR as to consequences of loss of ventilation in the main steam isolation valve and feedwater isolation valve areas and the consequences of exceeding 200°F in these areas.

Response: See attached revision to response to NRC question 410.55.

l i (11) The applicant should add a discussion to the FSAR on the l main steam isolation valve / main steam dump valve as to how the system works, whether or not it interfaces with the nitrogen system, what happens on loss of nitrogen, etc. t-

Response

A detailed description of the MSIVs is provided in FSAR i paragraph 10.3.2.2.4. JL description of the atmospheric dump

  • I valves is attached.

FEAR paragraph 10.3.2.2.3 will be revised to include this additional information. Power Operated Atmospheric Relief Valves Functional Description The valve operator is a self-contained linear modulating electro-hydraulic valve operator for use with an 8 K 10 inch l globe drag valve. On loss of power and/or signal, the l l operator will extend the operator and close the valve. I The primary function of the operator is modulation. The actuator recognizes 4 to 20 milliamp command signals; four milliamps represents full extension (valve closed) and with i increasing signal the actuator retracts (valve opens). The incoming signal is' compared to the feedback signal coming from the position transducer by an on-board servo amplifier. If there is a change from the previous level j greater than the deadb,and, the actuator is set in motion until the corresponding position is reached. Loss of command signal will extend the operator and close the valve. The system stores energy in a pneumatic accumulator and gas bottle pressurized by an electrically driven pump which is controlled by two fluid pressure switches; one to turn pump motor on (decreasing) and the other to turn pump motor off (increasing). The operator is mounted on the valve by. attaching the base plate to the gland of the valve. The operator rod is attached to the line valve stem. Opening or closing the normal operation is accomplished by either energizing both solenoids or de-energizing both 1 i solenoids, to either retract (open valve) or extend (close

  1. 9 valve) the operator cylinder rod.

Manual overide of the g>, solenoid is necessary for operating Yhe valve operator i during a 115 voc power lons - Speed or retracting topening falve) or extending (closing valve) is controlled by a flow ~ l-control valve which meters the flow of hydraulic fluid from l the cylinder to return. The flow control valve is set for i l optimum speed at the factory, but the customer has the l option of resetting at.his convenience. The operator can be positioned by means of a band pump in the event of pump l l l l l 2154t 3 i I _.___-_______~.1.._.-._..._._,,-_-__--,_......._,

[: i failure. To accomplish this, remove plugs and attach pump i ports located on the manifold bracket as shown on hydraulic i schematic. The solenoids must be in the proper mode to perform the functions with the hand pump. Component Description f All components are attached to a base plate and include the reservoir, pump, pump motor, junction boxes, accumulator, l hydraulic cylinder, servo valve, and flow control valve. I All electrical devices are connected to the junction boxes through flexible conduit. The complete hydraulic and i electrical configurations are shown on (PD-86297) B dwg. AX5AC13-88-1 and (PD-86642) B drawing AX5AC13-88-1. i Zinc plated or phosphate coated steel tube fittings connect i, the manifold to other hydraulic components through stainless steel tubing. Fittings are torqued to recommended valves, and installed to give leak proof service under severe i o conditions, i 4 Electrical System l The electrical system consists of servo-valve, three pressure switches (one for gas, two for oil) and a reservoir low fluid level indicator. The system also features a servo amplifier which compares incoming command signals with actuator position feedback transducer and then energizes the corresponding solenoid valve to comply with the command. Hydraulic System The hydraulic system must store sufficient energy to perform its intended functions. The energy is stored in an on-board ~ piston type accumulator. The procedure is to store the energy (charging) is initiated by a " fluid" pressure switch which is set to indicate the minimum system pressure necessary for proper operation. When the minimum is reached the system's hydraulic power supply is turned on to restore l 5 the system to its peak pressure. Upon reaching maximum, i system pressure as indicated by another pressure switch, the power supply is turned off. As the operator modulates, the system pressure drops. 
When the'ainimum pressure switch set i 2 point is reached, the above process repeats and the actuator is recharged. The corresponding settings are shown on the I hydraulic' schematic. l For modulation, the dual coil servo valves in the system are l operated. This is automatically done by the servo amplifier I I when there is a change in the incoming signal. To extend l the actuator (and close the valve) solenoids AEB are ~ h de-energized, Upon reaching the set Folat when extending, ~ 2 l solenoid B is energized to stop the actuator. If a command j L i signal is received to retract the actuator, the servo 2154t 4 .. ~

amplifier energizes solenoids A&B. At the set point, solenoid A is de-energized and solenoid B remains energized (as extending). The hydraulic circuit is protected from extreme pressure transients by two thermal relief valves, item 14. These valves become active when their relief setting is exceeded. Rescat is automatic. These valves are preset at the factory and must not be readjusted without consulting with the valve - manufacturer. Stroking speed is controlled by a cartridge type flow control valve which preadjusted to provide the specified stroking speed. (12) The applicant needs to provide discussions in the FSAR as to what type of protection was required for the AFW pump missile.

Response

See FSAR table 3.5.1-sheet 3.

VEGP-FSAR-9

9.2.9 CHILLED WATER SYSTEMS

9.2.9.1 Essential Chilled Water System

9.2.9.1.1 Design Bases

9.2.9.1.1.1 Safety Design Bases.

A. The essential chilled water system is designed to remain functional during and following a safe shutdown earthquake (SSE).

B. The essential chilled water system is designed to maintain stipulated ambient air temperature of the engineered safety features (ESF) equipment rooms and the switchgear rooms during operation under accident conditions below the maximum design ambient air temperature of 104°F.

C. The essential chilled water system is designed so that a single failure of any active component, assuming loss of offsite power, cannot result in loss of ESF switchgear or the ability to operate at least one of the redundant emergency safeguard feature pumps. A failure mode and effects analysis of the system is provided in table 9.2.9-3.

9.2.9.1.1.2 Power Generation Design Bases.

A. During its operation the essential chilled water system is designed to maintain ambient air temperatures within the switchgear rooms, battery rooms, and control room as specified in table 9.4.1-2, within the limits recommended by the battery manufacturer, and in the American Society of Heating, Refrigeration, and Air-Conditioning Engineers (ASHRAE) Comfort Standard 55-74, respectively.

B. The essential chilled water system is designed to permit periodic inspection, testing, and maintenance of principal components with [illegible]

buildings and the heat sink of the nuclear service cooling water system. Heat transferred by the chilled water is piped past the chem [illegible] suction of the chilled water pump. Chilled by the refrigeration circuit, the water leaves the evaporator at about 44°F to return to the coils.

9.2.9.1.3 Safety Evaluation

Safety evaluations are numbered to correspond with the safety design bases.

A. The condenser water pump, chiller, chilled water pump, and piping are designed in accordance with Seismic Category 1 requirements as specified in section 3.2.

B. The essential chilled water system capacity is designed to provide adequate heat transfer to allow the coils to maintain design ambient air temperatures in essential areas.

C. Two separate 100-percent-capacity independent systems provide complete mechanical backup. Coupled with redundancy of electr [illegible] single active component cannot result in a complete loss of both trains of ESF equipment, thus ensuring a safe shutdown condition.

9.2.9.1.4 Tests and Inspections

The chilled water piping circuits are hydrostatically tested and balanced to provide design flowrates and temperatures within a tolerance of +10 percent [illegible] proper performance of system components.

9.2.9.1.5 Instrument Applications

Chiller and pumps are operable from the main control room and the remote shutdown panel. [illegible] control room and the remote shutdown panel. Compressor and chilled water pump malfunctions are [illegible] status.

Amend. 12 12/84


9.2.9.2 Normal Chilled Water System

9.2.9.2.1 Design Bases

9.2.9.2.1.1 Safety Design Bases. The normal chilled water system has no safety design basis.

9.2.9.2.1.2 Power Generation Design Bases

A. During normal operation the normal chilled water system is designed to maintain normal design ambient air temperatures in various areas throughout the auxiliary, control, turbine, and fuel handling buildings.

B. The normal chilled water system is designed to permit periodic inspection, testing, and maintenance of principal components with a mini [illegible] operation.

9.2.9.2.2 System Description

9.2.9.2.2.1 General Description. The normal chilled water system consists of three chillers shown schematically in figure 9.2.9-2. Major components include centrifugal chilled water refrigeration machines (chillers), chilled water pumps, expansion tank, air separator, and chemical feed system. The normal chilled water system is not a safety-related system as indicated in table 3.2.2-1.

The normal chilled water system supplies chilled water to the essential and nonessential cooling units during normal plant operation. During an accident or loss of offsite power, the normal chillers shut down, while the essential air co [illegible] system for safe shutdown.

9.2.9.2.2.2 Component Description. Design data for major components of the normal chilled water system are listed in table 9.2.9-2.

Amend. 12 12/84, Amend. 14 2/85

VEGP-FSAR-Q

Question 410.55

In FSAR subsection 9.4.9 you state that the piping penetration ventilation system will maintain the concrete surrounding the piping restraints for the main steam and feedwater systems below 200°F. Verify that the ambient air temperatures in these areas, including the valve rooms, will be maintained at a low enough temperature to allow personnel to inspect equipment during normal plant operation. If there is another heating, ventilation, and air conditioning (HVAC) system that performs this function, identify the system.

Response

During normal plant operation, the maximum temperature has been calculated to be 115°F in the main steam/feedwater isolation valve areas. This is adequate to allow personnel entry for inspection during normal plant operation. No other HVAC system performs this function. A postulated loss of ventilation in the main steam and feedwater isolation valve areas is detected by instruments that alert the operator in the control room, who would procedurally ensure prompt repair and restoration of the ventilation system. Refer to figure 9.4.9-4 for instrument configuration.

Amendment 9 8/84

All safety-related structures, systems and components requiring protection from externally generated missiles have been identified in the FSAR. All safety-related structures are designed to withstand postulated tornado generated missiles without damage to safety-related equipment. Safety-related piping and electrical cables that traverse between the safety-related tornado missile resistant buildings are located in underground concrete tunnels which are also tornado missile resistant for the spectrum of missiles considered in the design. An exception to this is the diesel generator [illegible] between the storage tanks and the diesel generator building. [illegible] lines are adequately protected from tornado-generated missiles by locating them ten feet underground. Safety-related HVAC openings are protected from tornado missiles by concrete barriers which prevent missile entry. Spent fuel is protected against tornado missiles in accordance with Position C.2 of RG 1.13, "Spent Fuel Storage Facility Design Basis," since the spent fuel pool is located within the tornado missile protected fuel building.

The ultimate heat sink for each unit has two mechanical draft cooling towers with four fans in each tower. The fans are not provided with vertical missile protection but are inherently protected against direct horizontal missiles by the towers' concrete construction. Three of four fans in either tower are required to operate to provide adequate heat rejection capability. The minimum height a missile would have to obtain to vertically enter the cooling tower and strike a fan is approximately 45 feet above grade which eliminates the heavier missiles such as the utility pole and automobile from consideration. Each fan has its own opening (approximately 25 feet in diameter) such that missiles entering an opening could only damage one fan. The applicant performed a detailed probabilistic study using site specific historical data for tornado occurrence frequency and lift/transport models.

The applicant stated that the study was site-specific historical records for the tornado occurrence frequency and lift/transport models previously reviewed and accepted by the NRC. In order for the staff to verify the applicant's conclusions reached as a result of its study, the applicant should provide the details of the analysis, including the methods used and assumptions made. The applicant should include a single failure analysis, and as a contingency, the cooling tower capabilities for performing a shutdown following a loss of

VOGTLE DRAFT SER INPUT SEC 3 11/16/84

All RCPB leakage in the containment structure which is not collected in the reactor coolant drain tank or in the pressurizer relief tank is collected in the containment normal sump or reactor cavity sump. Unidentified leakage is monitored by sump level and sump pump running monitoring systems. Indication and means to determine leak rate in gpm is provided in the control room. Thus, the guidelines of RG 1.45, Position C.1 regarding collection of unidentified leakage and flow monitoring are met.

Unidentified leakage is also detected by containment airborne particulate radioactivity and gaseous radioactivity monitors which are qualified to remain functional when subjected to the safe shutdown earthquake. These monitors respond to the increase in airborne radioactivity resulting from leakage. The time to detect reactor coolant leakage by airborne particulate and gaseous radioactivity monitors depends upon reactor coolant activity level, location of leakage, leak rate, and background concentration due to previous leakage. The applicant stated that with 0.01% failed fuel and with background airborne activity of 10 3 %/day or background gaseous activity equivalent to 1.0 %/day, a one gpm leak can be detected in approximately 1 hour with the particulate and gaseous monitoring systems. Indicators and alarms are provided in the control room to detect high airborne or gaseous radioactivity in the containment. As a backup, unidentified leakage is also detected by pressure, temperature and humidity monitors. Indications and/or alarms are provided in the control room. Thus, the guidelines of RG 1.45, Positions C.3, C.5, and C.6 regarding methods of unidentified leak detection, sensitivity and capability to perform its function following an earthquake are satisfied. Also since the particulate and gaseous radioactivity monitors are qualified for the safe shutdown earthquake the guidelines of RG 1.29 "Seismic Design Classification," are satisfied.

For intersystem monitoring, radiation monitors are used to detect reactor coolant leakage into cooling water systems which supply the RHR heat exchangers, letdown heat exchangers, reactor coolant seal water and thermal [illegible] exchanger. Leakage through steam generator tubes is detected [illegible] using the sampling [illegible] monitor the condenser air ejector [illegible]. Accumulator leakage is detected by level and pressure indications and [illegible] system.

VOGTLE DRAFT SER INPUT SEC 5 11/16/84


the staff's evaluation of the pressurizer relief discharge system with respect to the applicable regulations of 10 CFR 50.

The pressurizer relief discharge system consists of the pressurizer relief tank, the discharge piping from the pressurizer relief and safety valves, the relief tank internal spray header, the tank nitrogen supply, and the drain to the liquid waste processing system. The system is non-safety-related (Quality Group D, nonseismic Category I) and is not part of the reactor coolant pressure boundary since all of its components are downstream of the reactor coolant system safety and relief valves. Therefore, its failure would not affect the integrity of the reactor coolant pressure boundary.

The pressurizer relief tank is sized to condense and cool a discharge of steam equivalent to 110% of the full power pressurizer steam volume through the primary relief and safety valves without exceeding a pressure/temperature condition of 50 psig/200°F in the tank. Other discharges to the pressurizer relief tank include a reactor vessel head vent and the relief valves from the residual heat removal system and from the chemical and volume control system. Releases from these sources are less than the design basis release from the pressurizer. The internal spray header and bottom drain on the pressurizer relief tank are used to cool the water in the tank through a feed and bleed process. A nitrogen blanket is also provided in the tank to permit expansion of entering steam and to control the tank internal atmosphere. If a discharge exceeding the design basis should occur, the rupture discs on the tank would pass the discharge through the tank to the containment. The contents of the tank can be drained to the reactor coolant drain tank where it can be piped to the gaseous radwaste system or the boron recycle system.

The rupture discs on the pressurizer relief tank have a capacity equal to or greater than the combined capacity of the pressurizer safety and relief valves. The tank and the rupture disc holders are designed for full vacuum to prevent collapse if the contents cool following a discharge without nitrogen being added. The pressurizer relief tank is provided with instrumentation in the control room to indicate and alarm high pressure, high temperature and high and low water levels.

All connections to the spent fuel pool are either near the normal [illegible] or are provided with antisyphon holes to preclude possible syphon draining of the pool water.

The safety related component cooling water system provides cooling water to the fuel pool heat exchanger and transfers its heat to the ultimate heat sink (refer to Sections 9.2.2 and 9.2.5 of this report). The spent fuel pool pumps can be powered from the emergency (Class 1E) power sources.

The design of the spent fuel pool cooling system and its accessible location is such that periodic testing and inservice inspection of the system can be accomplished. The active components of the spent fuel pool cooling system are either in continuous or intermittent operation during all plant operating conditions. Thus, the requirements of GDC 45, "Inspection of Cooling Water System," and 46, "Testing of Cooling Water System," are satisfied.

Normal makeup to the spent fuel pool to replace normal operational losses (evaporation, seal leakage [illegible] refueling water storage tank (RWST), the reactor [illegible] water storage tank (DWST), or the recycle holdup tanks. The RMW [illegible] serves as a seismic Category I makeup water source for the pool; makeup water can be pumped via the reactor makeup water pumps or gravity fed to the spent fuel pool via seismic Category I piping and valves. Water from the seismic Category I RWST may be pumped through the nonseismic purification system or gravity fed through seismic Category I piping and valves. Thus, the requirements of GDC 61, "Fuel Storage and Handling and Radioactivity Control" and the guidelines of RG 1.13, Position C.6 concerning fuel pool design are met.

The system incorporates control room alarm [illegible] pool water level, temperature and building radiation level monitoring systems. The seam welds in the pool, transfer canal and cask pit liners are also equipped with continuous drain systems which monitor leakage through the liners. Thus, the requirements of GDC 63, "Monitoring Fuel and Water Storage," are satisfied. Refer to Section 12.3 of this report for further discussion of area radiation monitoring systems.

VOGTLE DRAFT SER INPUT SEC 9 11/16/84


NSCW trains may be operating although one train is sufficient to bring the plant to a safe cold shutdown. In the event of a loss of offsite power or a safety injection signal, both trains are automatically initiated with two pumps in each train running after being sequenced on to their respective emergency buses.

The NSCW system supplies cooling water at a higher pressure than the fluid in the safety-related component being cooled. Therefore, if leakage occurs it will be into the cooled system. However, radiation monitors are installed in the return line to each cooling tower to protect against radioactivity releases. Differential flow sensors and alarms are provided to detect leakage from the system. The various flows which are monitored and alarmed are: total NSCW pump flow vs. return flow to the NSCW cooling tower spray header, inlet vs. outlet flow across the CCW and ACCW heat exchangers, flow to and from the diesel generators, inlet vs. outlet flow across pairs of containment air coolers, and inlet vs. outlet flows across the reactor cavity and containment auxiliary air-cooling coils.

All safety-related portions of the NSCW system are housed in flood and tornado protected structures. Underground piping is run in seismic [illegible] which are also protected against natural phenomena. [illegible] designed to seismic Category I, Quality Group C requirements. Thus, the requirement of GDC 2, "Design Bases for Protection Against Natural Phenomena," and the guidelines of RG 1.29, "Seismic Design Classification," are satisfied. [illegible] of the system inside containment are [illegible]

[illegible] each unit has its own separate [illegible] between units, the requirements of GDC 5, "Sharing of Structures, Systems and Components," do not apply.

The NSCW system is designed to meet the single failure criterion. Power is supplied to the pumps in each train from a separate emergency bus backed by a diesel generator such that the failure of one diesel generator only affects one NSCW train. The NSCW transfer pump in each cooling tower basin is powered by the emergency diesel generator bus associated with the basin to which the water is transferred. Each cooling water train can supply the minimum cooling water requirements during a design basis accident, including a LOCA, with or without offsite power, and during normal cold shutdown with or without offsite power. Thus, the requirements of GDC 44, "Cooling Water," are satisfied.

The NSCW system has also been designed to minimize the effects of water hammer. Interties (2 inch) between the two supply headers have been provided to act as a "keep-full" system for the idle train. In order to further preclude water hammer in an idle train or on pump restart following a loss of offsite power, the NSCW system includes:

1) interlocks and pressure switches to close both tower valves (spray header and cold weather bypass valves) whenever the NSCW pumps in that train are not operating and to allow normal valve operation when the pumps are in service,

2) motor operators on the NSCW pump discharge valves, with interlocks to close if the respective pump is not running and to prevent pump start unless the valve is closed. These valves start to open when the respective pumps start, thereby limiting the rate of system repressurization,

3) check valves in the NSCW supply line to all components located above grade (prevent draining back to basin),

4) the "keep-full" system described above, and

5) interlocks to close the NSCW tower blowdown valves unless at least [illegible] NSCW pumps in the respective train are operating.

The NSCW system incorporates provisions for accessibility to permit periodic inservice inspections as required and is capable of being functionally tested and inspected during normal plant operation. Normally two pumps (one train) in each unit will be operating. Thus, the requirements of GDC 45, "Inspection of Cooling Water Systems," and 46, "Testing of Cooling Water System," are met.

Based on the above, the staff concludes the nuclear service cooling water system meets the requirements of GDC 2, 5, 44, 45, and 46 with respect to natural phenomena, shared systems, decay heat removal capability, inservice inspection, and functional testing, and the guidelines of RG 1.29, Positions C.1 and C.2, with regard to seismic classification and is, therefore, acceptable. The nuclear service cooling water system meets the acceptance criteria of SRP Section 9.2.1.

9.2.2 Reactor Auxiliary Cooling Water Systems

The cooling water systems for reactor auxiliaries were reviewed in accordance with Section 9.2.1 of the SRP (NUREG-0800). An audit review of each of the areas listed in the "Areas of Review" portion of the SRP section was performed, according to the guidelines provided in the "Review Procedures" portion of the SRP section. Conformance with the acceptance criteria formed the basis for the staff's evaluation of the cooling systems for reactor auxiliaries with respect to the applicable regulations of 10 CFR 50.

The reactor auxiliary cooling water systems consist of the component cooling water (CCW) system, auxiliary component cooling water (ACCW), engineered safety features (ESF) chilled water, and the normal chilled water systems. These systems are used to provide cooling water for heat removal from reactor plant components. The CCW system, ESF chilled water system and portions of ACCW system are safety related.

9.2.2.1 Component Cooling Water System (FSAR Section 9.2.2)

The component cooling water (CCW) system is a closed loop cooling water system that transfers heat from reactor auxiliaries to the nuclear service cooling water (NSCW) system during plant operation and during normal and emergency shutdown. It provides an intermediate barrier between radioactive or potentially radioactive heat sources and the NSCW system.

The CCW system for each unit consists of two trains, each having three half capacity motor driven cooling water pumps, one full capacity heat exchanger, a surge tank, a chemical addition tank and associated piping, valves, and instrumentation. Each train of the system is designed to bring the reactor to cold shutdown conditions [illegible] two trains operating cold shutdown can be achieved in 17 hours.

Each train of the CCW system provides cooling water to one safety-related spent fuel pool cooling heat exchanger, one RHR [illegible] its associated RHR pump seal cooler. The RHR pump [illegible] the NSCW system as described in Section 9.2.1 of this report.

Thus, the requirements of GDC 45, "Inspection of Cooling Water System," and 46, "Testing of Cooling Water System," are satisfied.

Based on the above, the staff concludes that the CCW system meets the requirements of GDC 2, 5, 44, 45, and 46 with respect to protection against natural phenomena, shared systems, decay heat removal capability, inservice inspection, and functional testing, and the guidelines of RG 1.29, Positions C.1 and C.2 with respect to the system's seismic classification. It is, therefore, acceptable. The CCW system meets the acceptance criteria of SRP 9.2.2.

9.2.2.2 Auxiliary Component Cooling Water System (FSAR Section 9.2.8)

The auxiliary component cooling water (ACCW) system is a closed loop cooling water system that transfers heat to the NSCW system from reactor auxiliaries not required for safe shutdown but essential for normal power operation and for normal shutdowns and cooldowns. It provides an intermediate barrier between radioactive or potentially radioactive heat sources and the NSCW which is open to the atmosphere.

The ACCW system for each unit consists of two full capacity heat exchangers (in series), two full capacity pumps, one surge tank, and associated piping, valves and instrumentation. The ACCW heat exchangers are in series such that heat can be removed from the ACCW system by either NSCW train without having redundant ACCW trains. Since the system is not required for safe shutdown full redundancy is not required.

The ACCW system provides cooling water to the positive displacement charging pump and motor coolers, waste and recycle evaporator equipment, waste gas compressors, catalytic hydrogen recombiners, sample coolers, reactor coolant drain tank heat exchanger, seal water heat exchanger, reactor coolant pump (RCP) motor coolers, RCP thermal barriers, RCP bearing lube oil coolers, letdown heat exchanger, excess letdown heat exchanger, and the ACCW pump motor coolers.

Safety-related portions of the system which are designed to seismic Category I, Quality Group B or C requirements are the containment penetrations and the automatically isolable portion of the system that serves the RCP thermal barriers.

In the event of a leak in the RCP thermal barrier, the ACCW return line from each pump is isolated automatically on high flow from the individual pump. Each pump return line has its own automatic motor-operated isolation valve. Downstream of these valves in the common return header is a redundant motor-operated isolation valve which closes on high pressure or high flow in the return header. The return header isolation valve is powered from a different emergency bus than the individual isolation valves. A check valve in the supply line to each pump's thermal barrier provides the isolation on the inlet to the thermal barrier.

The rest of the system that is necessary for normal plant operations, including startup and normal shutdown, is designed to seismic Category I, Quality Group D requirements. Portions of the system that are not seismically designed are provided with adequate isolation from the seismic Category I portions of the system. Thus, the requirements of GDC 2 and the guidelines of RG 1.29, Positions C.1 and C.2 are satisfied.

In response to a staff concern (SRP Section 9.2.2) regarding loss of cooling water flow to the RCPs as a result of a single failure in the common supply line which might result in the occurrence of a locked rotor condition, the applicant indicated that testing performed by Westinghouse has shown that the RCPs will incur no damage as a result of flow interruption of ten minutes. This ten minute test with no damage indicates that the pumps could potentially run longer with loss of cooling water without the need for operator action. Safety grade instrumentation and [illegible] the RCP motor [illegible] lube oil bearing coolers [illegible]. Other safety grade instrumentation provided to aid in the detection of loss of ACCW flow include surge tank level [illegible] pressure and valve position indication. [illegible] safety-grade instrumentation has been provided to detect loss of ACCW flow to the RCP seals and bearings, and adequate RCP testing has been performed [illegible] concludes that adequate time exists for the operator to trip the RCPs before unacceptable damage occurs. [illegible] the ACCW pumps are automatically loaded onto the emergency buses following a loss of offsite power, with no safety injection signal present, the design meets the recommendations of Item II.K.3.25 of NUREG-0737, "Clarification of TMI Task Action Plan Requirements." Thus, the requirements of GDC 44 are satisfied.

During normal operation chilled water is supplied by the normal chilled water system and during accident conditions chilled water is supplied by the ECW system. The essential. portions-of the ECW system are located in seismic Category I, flood and tornado protected structures. The essential portions of the system itself are designed to seismic Category I, quality Group C requirements. . Seismic Category I makeup capability is available from the demineralized water system. Thus, the requirement of GDC 2, and the guidelines of RG 1.29, Positions C.1 and C.2 are satisfied. Se(Ai4e. Neach unit has its own ECW system the requirements of GDC 5 are not a p Mea 5T I T[he fth 59sitm CNocs MD$ Opera n A ging normal plant operatT5g i.... ef the EC" :yst= h epawng * --- th;og.enpt Each train is powered from the us== or co H,i si J with the equipment it cools. A safety injection sign 1 ma m both trains of the ECW system. Both trains of the ECW system also start following'a loss of offsite power since the NCW system is not loaded onto the b emergency buses.ecm.use,A m ed each train of the system can supply adequate chilled k water to reach safe shutdown, the system meets the single failure criterion. Nonessential portions of the system (chemical addition) are normally isolated from the essential portions of the system by seismic Category I isolation valves. Thus, the requirements of GDC-44-are met.-~ - ----- I Durin;4e g v,c. ) tion all portions of at least one train of the system are ent. ra in cont nuous or' intermittent operation, and the operating train can be alter-nated between the two trains for equalized running time. The system components are' accessible to permit periodic inservice inspection as required. Thus, the requirements of GDC 45 and 46 are satisfied. The normal chilled water (NCW) system supplies chilled water to essential and nonessential cooling units during normal plant operation. During other than normal pla'nt. 
operations such as an accident or loss of offsite power, the essential air cooling units are supplied chilled water from the ECW system. The normal chilled water syst is designed such that a seismic event will not 11/16/84 9-20 V0GTLE DRAFT SER INPUT SEC 9

T A ~ _y. _e_ w - 5 result in failures that could affect the ECW systent or other seismic Category I Thus, the systems in accordance with the guidelines of RG 1.29, Position C.2. requirements of GDC 2.are satisfied. e NCW system is not necessary for safe plant shutdown or to prevent h the release of radioactivity,the system is not safety related;and it is not designed to seismic Category I requirements. Thus, the requirements of GDC 5, 44, 45, and 46 are not applicable. Based on the above, the staff concludes that the essential and normal chilled water systems meet the requirements of GDC 2.regarding protection against Also natural phenomena, and the guidelines of RG 1.29, Positions C.1 and C.2. based on the above, the staff concludes that the essential chilled water system meets the requirements of GDC 5, 44, 45, and 46 as they relate' to sharing, cooling water system design, and periodic inspection and testing. The staff, therefore, concludes that the essential and normal chilled water systams meet the acceptance criteria of SRP Section 9.2.1 and are acceptable. 9.2.2.4 Turbine Building-Closed Cooling and (0 pen) Cooling Water Systems f (FSAR Sections 9.2.10 and 9.2.11) ~* The turbine plant closed cooling water (TPCC4) system is a nonsafety-related system that removes heat from various turbine butiding heat exchangers and transfers the heat to the circulating water system cooling tower via the ~-~ nonessential turbine plant (open) cooling water (TPCW) system. l Equipment cooled by the TPCC4 system includes air comoressors, condensate pumps, heater drain pumps, turbine plant sampling system and electrahydrauf f e control coolers. Equipment cooled by the TPCW system includes the TPCCW heat exchangers, feedwater pumps, turbine lube oil coolers, normal. chilled water i system chillers, chemical and volume control system chillers and tu%ficM generator components. 
Neither the TPCCW nor the TPCW system is required to be designed to seismic Category I requirements since they are not required for safe plant shutdown and their failure will not affect safe plant shutdown or other seismic Category I equipment. Thus, the guidelines of RG 1.29, Position C.2, and the requirements of GDC 2 are satisfied.

Each unit of the Vogtle plant has its own ultimate heat sink (UHS) consisting of two full capacity mechanical draft cooling towers. One tower is associated with each train of the nuclear service cooling water (NSCW) system. Refer to Section 9.2.1 of this report for a discussion of the NSCW system. Each tower is subdivided into four individual fan cells. The fans are powered from the same emergency bus that powers the NSCW pumps associated with their respective trains (Train A pumps and Train A fans are powered from the Train A diesel generator). E t of the fou s in e coolidg bw r are rem hperatefor e lant s td wit ut exce esign te ure imits.

The UHS, including the pump house, are designed to seismic Category I requirements, and are flood and tornado protected. Flood protection and tornado missile protection are evaluated in Sections 3.4.1 and 3.5.2 of this report, respectively. Thus, the requirements of GDC 2, "Design Bases for Protection Against Natural Phenomena," and the guidelines of RGs 1.27, "Ultimate Heat Sink for Nuclear Power Plants," Positions C.2 and C.3, and 1.29, "Seismic Design Classification," Position C.1, are satisfied. As discussed in Section 3.5.2 of this report, tornado missile protection for the cooling tower fans requires further review and evaluation.

During normal plant operation one train of the NSCW system is in continuous operation. To guard against icing or freezing at low temperatures in the return line to the cooling tower, two valves function to bypass the cooling tower spray headers and return the water directly to the cooling tower basin. A drain hole is provided in each of the four 12-in supply headers to the spray nozzles to promote self-draining. Small stagnant lines and idle piping are protected from freezing by electric heat tracing. Freezing of the water in the idle basin can be prevented by operating both NSCW trains or by operating both basin transfer pumps, thereby mixing the two volumes of water. Also, the basin water level is below ground with the depth of water being approximately 80 feet, which will tend to minimize the possibility of freezing. The NSCW pumps' shafts and impellers are located within a concrete casing surrounded by soil and the pumps and motors are further protected by the concrete pumphouse. Thus, the guidelines of RG 1.27, Position C.2 are satisfied regarding the potential for UHS freezing.

There is no sharing of the UHS between units, since each unit has its own redundant UHS. Thus, the requirements of GDC 5, "Sharing of Structures, Systems and Components," are satisfied.

In accordance with Position C.3 of RG 1.27, the UHS for each unit consists of two water sources. The methods used by the applicant for the calculation of residual decay heat input to the UHS are consistent with BTP ASB 9-2, "Residual Decay Energy for Light Water Reactors for Long-Term Cooling." As evaluated in Section 9.1.3 of this report, the staff performed its own independent decay heat analysis using BTP ASB 9-2 and compared the results to those obtained by the applicant and concluded the applicant's methods for calculating decay heat are acceptable. Based on the applicant's analyses the combined basin volume sgngg 4 g t-) for each unit has a 26.7 day supply of water following a A train operation for one day and one train operation thereafter. Position C.1 of RG 1.27 and SRP Section 9.2.5 specify that a minimum of 30 days water supply without makeup should be provided unless it can be demonstrated that replenishment or use of an alternate water supply can be effected, taking into account the availability of replenishment equipment and limitations that may be imposed on "freedom of movement" following an accident or occurrence of severe natural phenomena. The reduction below 30 days has occurred since the CP stage because of increased diesel generator rating (2.4 days), high density spent fuel storage (2.1 days) and new "worst 30-day" meteorological data (1.7 days). The analysis of thegkNaresulted in greater than 30 days supply)

Two makeup sources of water may be used for the UHS cooling tower basins, the makeup water wells located on site and the Savannah River via the river makeup water pumps. Both sources are safatv velat re used r nr mileap wat=r umps a.re u. sed for hermal normal makeup to the NSCW cooling tower, traf cooling towers. maice9 fa Both sources are also considered as the long-term (>30 days) makeup to the UHS in accordance with RG 1.27, Position C.1, which recommends that procedures be available for assuring a continued capability after 30 days


Components of the UHS which are not normally operating will be tested in accordance with plant technical specifications. The UHS components are accessible to permit periodic inservice inspection as required. Thus, the requirements of GDC 45, "Inspection of Cooling Water System," and 46, "Testing of Cooling Water System," are met.

Based on the above, the staff concludes that the UHS meets the requirements of GDC 2, 5, 44, 45, and 46 with respect to protection against natural phenomena, shared systems, decay heat removal capability, inservice inspection, functional testing, guidelines of RGs 1.29, Position C.1 and 1.27, Positions C.1, C.2 and C.3 and BTP ASB 9-2 with respect to design capability, protection from freezing, seismic classification, and capability to remove sufficient decay heat to maintain plant safety and is, therefore, acceptable. The ultimate heat sink pli< ah!e :::apta.Qeria of SRP Section 9.2.5[Nhe approv deviation that a 26.7 day water supply is available in lieu of a 30 day supply following a LOCA and assuming the worst 30 day meteorological conditions. The adequacy of tornado missile protection for the cooling tower fans requires further review as discussed in Section 3.5.2 of this report.

9.2.6 Condensate Storage Facilities

The condensate storage facility was reviewed in accordance with Section 9.2.6 of the SRP (NUREG-0800). An audit review of each of the areas listed in the "Areas of Review" portion of the SRP section was performed according to the guidelines provided in the "Review Procedures" portion of the SRP section. Conformance with the acceptance criteria formed the basis for the staff's evaluation of the condensate storage facility with respect to the applicable regulations of 10 CFR Part 50.

The condensate storage facility serves as a safety-related source of water for the auxiliary feedwater system and provides makeup and surge capacity for the nonsafety-related steam and power conversion system.
Each plant unit has an independent condensate storag w onsists-of two c sate pw o e dens uier sub - fem storagetanks,atransferpuja r ud 255 piping valves and instrumentation. Thus, the requirements of GDC 5, "Sharing of Structures, Systems and Components," are satisfied.

The condensate storage tanks, piping and valves to the auxiliary feedwater (AFW) system are designed to seismic Category I, Quality Group C requirements. The tanks are located in the yard area next to the AFW pumphouse, and are protected against tornado missiles by their concrete construction (stainless steel liner) and are inherently protected against flooding. Each tank has an operating capacity of 480,000 gallons and is designed to contain a sufficient reserve of water for the AFW system to operate the plant in hot standby for 4 hours followed by a 5 hour cooldown to 350°F (RHR cut-in-temp Of th gallons in( g tr.' is c5 col total tank capacity, a dedicated volume of 330,000 - 3 reserved for the AFW system. All piping connections to the tanks below elevation ;; ;;;.. mo., m.,..;itdre seismic Category I, Quality Group C.

Instrument lines and the piping to the AFW pumps are heat traced to protect against freezing, with alarms in the control room actuated by a 25% reduction in heater circuit current to indicate heater circuit failure. Protection of the tank contents from freezing is provided by periodic operation of the degasifier system and the hotwell level control system, plus the inherent protection of the large volume of water combined with the tank's concrete construction. The tank water temperature is monitored and alarmed in the control room on low temperature. Thus, the requirements of GDC 2, "Design Bases for Protection Against Natural Phenomena," and the guidelines of Positions C.1 and C.2 of RG 1.29 are met.

The lines from each tank (two tanks per unit) to the AFW system are redundant, with three separate lines from each tank to three AFW pumps. The facility design meets the single failure criterion and can perform its function following a loss of offsite power. All nonseismic Category I portions of the system are designed such that their failure will not affect the seismic Category I portions of the system.
The condensate storage facility for each unit has adequate capacity for the AFW system to perform its safety function under all postulated normal, transient and accident conditions. Thus, the requirements of GDC 44, "Cooling Water," are met.

The condensate storage facility is normally in operation and its safety function (supply to AFW system) is functionally tested with the monthly AFW pump tests in accordance with plant technical specifications. The facility components are accessible to permit periodic inservice inspection as required. Thus, the

The guidelines of RG 1.13, "Spent Fuel Storage Facility Design Basis," Positions C.1, C.4 and C.7, are met since the emergency FHB ventilation system is seismic Category I, provides post accident filtration while maintaining negative pressure and is automatically initiated by a high radiation signal. The guidelines of RG 1.52, "Design, Testing and Maintenance Criteria for Post-Accident ESF Filtration and Adsorption Units for Light-Water-Cooled Nuclear Power Plants," Position C.2 are satisfied by the design of the emergency filtration units. They are redundant, seismic Category I, physically separated, protected against pressure surges by tornado dampers, instrumented to alarm in the control room, powered by the emergency power supplies, designed to allow maintenance, and do not exceed the maximum flow rate recommended by Position C.4f. The normal FHB ventilation system is designed to meet the guidelines of Positions C.1 and C.2 of RG 1.140, "Design, Testing and Maintenance Criteria for Normal Ventilation Exhaust System Air Filtration Units of Light-Water-Cooled Nuclear Power Plants." The system is adequately isolated from the emergency system, provided with inlet filters, designed with adequate filtration to reduce releases of radioactive material during normal operation and provided with adequate instrumentation and alarm. Based on the above, the requirements of GDC 60, "Control of Releases of Radioactive Materials to the Environment," and 61, "Fuel Storage and Handling and Radioactivity Control," are satisfied.
Based on the above, the staff concludes that the fuel handling building ventilation system is in conformance with the requirements of GDC 2, 5, 60, and 61 as they relate to protection against natural phenomena, control of releases of radioactive materials, and radioactivity control, and the guidelines of RGs 1.13, Positions C.1, C.4, and C.7; 1.29, Positions C.1 and C.2; 1.52, Position C.2; and 1.140, Positions C.1 and C.2, relating to protection against radioactive releases, seismic classification, and system design for emergency and normal operation, and is, therefore, acceptable. The fuel handling building ventilation system meets the acceptance criteria of SRP Section 9.4.2.

9.4.3 Auxiliary and Radwaste Buildings Ventilation Systems

The auxiliary and radwaste buildings ventilation systems were reviewed in accordance with Section 9.4.3 of the SRP (NUREG-0800). An audit review of each of the areas listed in the "Areas of Review" portion of the SRP section was performed according to the guidelines provided in the "Review Procedures" portion of the SRP section. Conformance with the acceptance criteria formed the basis for the staff's evaluation of the auxiliary and radwaste buildings ventilation systems with respect to the applicable regulations of 10 CFR 50.

The auxiliary building (AB) is provided with two ventilation systems, the AB normal ventilation system and the AB emergency ventilation system. The radwaste buildings have their own separate ventilation systems for the radwaste (RW) transfer building, RW transfer tunnel, RW solidification building and control room, health physics building and RW electrical switchgear/motor control center (MCC) room.

The nonsafety-related AB normal ventilation system draws outside air through air handling units that filter and condition the air before distribution to the various equipment rooms, switchgear rooms, and access areas in the auxiliary building. Air is also supplied to the piping penetration area where it is distributed to the various valve galleries and penetration rooms. The air is collected through return registers and ducted to the exhaust filtration units, where it is filtered and discharged to the plant vent. Although the normal ventilation system is not safety related, the ductwork is designed to maintain its integrity following a safe shutdown earthquake (SSE) such that it cannot fail and damage seismic Category I equipment in accordance with Position C.2 of RG 1.29, "Seismic Design Classification." The system consists of two S ne. w. -SuW' apacity air supply units, thre apacity exhaust filtration units, associated ductwork, piping, dampers, registers plus instrumentation and controls.
The AB emergency ventilation system includes those components which function after an accident/emergency to keep ESF equipment rooms cooled, maintain a negative pressure in the areas to prevent releases of radioactivity to the atmosphere, and filter the exhaust from the negative pressure boundary. The AB emergency ventilation system is comprised of two subsystems which are the ESF room coolers and the piping penetration area filtration and exhaust system.

10.3 Main Steam Supply System (Up to and Including the Outboard MSIV)

The main steam supply system was reviewed in accordance with Section 10.3 of the SRP (NUREG-0800). An audit review of each of the areas listed in the "Areas of Review" portion of the SRP section was performed according to the guidelines provided in the "Review Procedures" portion of the SRP section. Conformance with the acceptance criteria, except as noted below, formed the basis for the staff's evaluation of the main steam supply system with respect to the applicable regulations of 10 CFR 50. The acceptance criteria for the main steam supply system includes meeting RG 1.115, "Protection Against Low Trajectory Turbine Missiles." Compliance with the guidelines of RG 1.115 is evaluated separately in Section 3.5.1.3 of this report.

The function of the main steam supply system (FSAR Sections 10.1 and 10.3) is to convey steam from the steam generators to the high pressure turbine and other auxiliary equipment, for power generation. The steam produced in the four steam generators is conveyed in four separate main steamlines through the main steam isolation valves (MSIVs), combined into two main steam headers (38 inch and 36 inch) and then each header branches into two 28 inch lines, each of which goes to a turbine s W W a main-eteam headers are a. com en .zoen._k< Cu sn4e cross-connected by two 20-inch linais4j o spiming into the four - t.o-teamlines contains two ~ and cam hypes 6 L1 o'en ya c.s w m MSIV A he si ng vi Uie.so a on.h heeden n draulically balances the steamline pressure drops from the respective pair of steam generators to the inlet of each of the turbine stop valves. This balancing was necessary since the main steam outlets from each pair of generators are widely separated with containment penetrations 180 degrees apart. Therefore, the safety-related portions of the main steamlines (each pair) cannot be affected by a single event.
The portions of the main steamlines from the steam generators through ^taitnment-uplation yalve5)first restraint beyond the outboard MSIVs, the on through tha the de. b iso n i.y valves, and the power-operated relief valves are located in seismic Category I, flood and tornado protected structures (refer to Sections 3.4.1 and 3.5.2 of this report), thus complying with the guidelines of Position C.2 of RG 1.29, "Seismic Design Classification," relating to damage to safety-related portions of the main steamlines by nonseismic Category I structures, systems or components as a result of an SSE.

The lines are designed to Quality Group B and seismic Category I requirements up to and including the outboard MSIVs. Downstream of the outboard restraints to the end of the tunnels the piping is ANSI B31.1 and designed to withstand the safe shutdown earthquake. Pipe whip restraints are provided as necessary. All branch lines upstream of the MSIVs up to and including the first normally closed valve or valve capable of automatic closure in the branch line are designed to seismic Category I, Quality Group B standards, thus complying with the guidelines of Positions C.1 and C.3 of RG 1.29, "Seismic Design Classification," relating to design of portions of main and branch steamlines and the extension of seismic Category I requirements. Thus, the safety-related portions of the main steamlines satisfy the requirements of GDC 2, "Design Bases for Protection Against Natural Phenomena." - and by [dl-clos el dir.cperaQ is okHon hype,ss Val ~

Main steam isolation is provided by redundant electrohydraulic gate valves in each steamline located just outside the containment. Each MSIV is a bidirectional (stops flow in either direction) wedge-type gate (two gate halves) valve. Upon receipt of a closing signal, the MSIVs complete the closing cycle despite the loss of normally required utility services (hydraulic fluid or power). Hydraulic fluid is used to hold the MSIV open and a self-contained stored energy system provides the pressure for closing.
A spherical nitrogen accumulator which is part of the valve actuator maintains a constant 2500 pound (gauge) pressure on the closing surface of the actuating piston. Hydraulic pressure at 4300 pounds is used to overcome this nitrogen pressure and hold the valve open. The actuator has sufficient self-contained capacity for two full closures without restoration of nitroge-- desagned to fail NNeiptof ' closed on loss of actuating power. The MSIV se a is signal (SLIS) which occurs on low steamline press e-fm am a u. ( BI.'2 Mnd.e^m I.m an ig 4c nment pressure, or high steam g sur rate in an oup. The MSIVs are designed to close in 5 seconds or less. A ttned~thereareredundant V MSIV l n (.ch line, blowdown f more than one stear generator is precluded b hss }$ on yAlves e stop valves.go,useGwd~redundantsafetygrade 4 wit , sol tow Valves d d MSI re ro eu i% c.G g nerator, the guidelines of Issue No. 1 of NUREG-0138, "Staff Discussion of Fifteen Technical Issues Listed in Attachment to November 3, 1976 Memorandum from Director, NRR to NRR Staff," are not applicable as reliance on the nonseismic Category I turbine stop valves and dump valves is not required to mitigate the consequence of any pipe break.

Each staant generar he MSIVs) is provided with a safety grade re - AC-seismic Category i wee ted tmospheric relief valve (atmospheric dump valve) including the actuators, power supplies and controls. The valves are electrohydraulic and use hydraulic pressure for opening and closing during valve modulation. An emergency nitrogen pressurized hydraulic reservoir is provided for emergency closure. The operation of these pressure relief valves is automatically controlled by steamline pressure during plant operations. They can be controlled from the control room or from the remote shutdown panels. The design complies with the requirements that safe shutdown be achieved with dependence upon safety grade components only, assuming a single active failure with either onsite or offsite power, as specified in Positions A.2, A.3 and A.4 of BTP RSB 5-1, "Design Requirements of the Residual Heat Removal System."

Twenty seismic Category I, Quality Group B safety valves (five on each main steamline) are provided. The safety valves have a combined relief capacity of 105% of the design steam flow at an accumulation pressure not to exceed 110% of the design pressure. The five safety valves on each line are located outside of containment upstream of the MSIV e 6 pass isotahn vahc.s areas of the seismic Category I main steam valve areas. The MSIV 1 valves, and power-operated atmospheric relief valves will undergo preoperational functional testing at normal design temperature and pressure.
MSIV closure times and safety and relief valve set points will be verified. Therefore, the staff concludes that the design of the main steam supply system meets the requirements of GDC 34, "Residual Heat Removal," and the applicable guidelines of BTP RSB 5-1.

The equipment required to function in order to assure main steam isolation when called upon is protected against the effects of high-energy pipe breaks (refer to Sections 3.6.1 and 3.11 of this report). This equipment is located in tornado-missile protected structures and is located such that its safety

buried header back to the tower basin. Makeup to the tower basin is provided by four river makeup water pumps that supply makeup to both the Units 1 and 2 basins.

The applicant has examined the effects of flooding of safety-related equipment as a result of a circulating water system failure. As discussed in Section 3.4.1 of this report, the flooding analyses only assumed a ck y here are no expansion joints at the condenser connections. M this is a nonseismic Category I system, the staff requires the flooding analysis be performed for a full guillotine break with reliance only on safety grade seismic Category I equipment to mitigate the consequences of the break. Until this analysis is done, the staff cannot make a determination with respect to the requirements of GDC 4, "Environmental and Missile Design Bases." The staff therefore cannot conclude that the circulating water system is acceptable or meets the acceptance criteria of SRP Section 10.4.5. This open item has been identified previously in Section 3.4.1 of this report.

10.4.7 Condensate and Feedwater System

The condensate and feedwater system was reviewed in accordance with Section 10.4.7 of the SRP (NUREG-0800). An audit review of each of the areas listed in the "Areas of Review" portion of the SRP section was performed according to the guidelines provided in the "Review Procedures" section of the SRP. Conformance with the acceptance criteria formed the basis for the staff's evaluation of the condensate and feedwater system with respect to the applicable regulations of 10 CFR 50.

The condensate and feedwater system provides feedwater from the condenser to the steam generators and includes the piping and components from the condenser hotwell, through the condensate pumps, condensate demineralizers, low pressure ficw pumps, high presser = 'eecNatar__he a d See M y byPp ss apia% n feedwater heaters ators. 4e control valves an -cent 9 -e.. solati 3 valves + ue. cur m ee sena There are three 50% capacity condensate pumps and two feedwater pumps that are approximately 90% capacity each. The three condensate pumps are motor-driven and the two feedwater pumps are turbine driven.

The system serves no safety function except for steam generator isolation. Therefore, the major portions of the system are not designed to seismic Category I requirements. Adequate seismic Category I isolation is provided at connections between seismic and nonseismic Category I piping. Nonseismic Category I portions of the system are also adequately separated from other seismic Category I systems. Therefore, failure of non-safety-related (nonseismic) portions of the condensate and feedwater system will not affect safe plant shutdown.

The safety-related portions of the system are freekI$Nih e am generator main feedwater nozzle, back through a check valve, thhsE'dY 2Nolation valvef bymsNhich connects to the auxiliary feedwater (AFW) nozzle on the steam generator, including a check valve and nt Wess ischt4ca-veh? These components and interconnecting piping are seismic Category I, Quality Group B, including the restraint at the isolation valves. As a backup to theaeentr~ ent-isolation and bypass isolation valves, in the event of a main steamline or feedwater line break inside containment, the main feedwater control valves and control bypass valves are also seismic Category I with safety grade solenoids g et.ffy g als. la 8 ande :.tr&mhep piping between the containment Ashtier 'i@!e s is designed to maintain its integrity in the event of a safe shutdown earthquake. These portions of the system are designed to seismic Category I requirements in order to assure feedwater isolation in accident situations and are located in seismic Category I, flood and tornado protected structures (refer to Sections 3.4.1 and 3.5.2 of this report). Thus, the requirements of GDC 2, "Design Bases for Protection Against Natural Phenomena," and the guidelines of RG 1.29, "Seismic Design Classification," Positions C.1 and C.2 are satisfied. The structure also provides protection against tornado missiles. The essential equipment is separated from the effects of internally-generated missiles and is not adversely affected by failures in high energy piping (refer to Sections 3.5.1.1 and 3.6.1 of this report). Thus, the requirements of GDC 4, "Environmental and Missile Design Bases," are satisfied. No portion of the condensate and feedwater system is shared between units so that the requirements of GDC 5, "Sharing of Structures, Systems and Components," are satisfied.

The auxiliary feedwater (AFW) system is designed to supply high pressure feedwater to the secondary side of the steam generators when the normal feedwater system is not available, thereby maintaining the heat sink capabilities of the steam generator. It is an engineered safety features system which is relied upon to aid in preventing core damage in the event of transients such as loss of normal feedwater or a secondary system pipe rupture. The system consists of two 630 gallon per minute (gpm) motor-driven pumps and one gpm turbine-driven pump with associated valves, piping, controls, and instrumentation. The two motor-driven pumps are powered from two separate busses of emergency onsite electrical power and each normally discharges into two steam generators. The steam turbine-driven pump supplies water to all four steam generators. The supply line from each pump to each steam generator 2N a sw eraf check valve and a motor-operated control valve that also acts as /g 1o valve. The steam for the turbine is supplied from two steam generators (1 and 2) upstream of the main steam isolation valves.

The AFW flow to the steam generators is limited by a flow orifice located in each AFW line just downstream of the AFW control valves. The orifices will restrict the flow to a depressurized steam generator and permit adequate flow to the intact steam generators following a main steamline or feedwater line break inside containment. The turbine driven AFW pump train and controls are powered from a DC source and are completely independent of the motor-driven AFW pumps and controls.

Each unit has its own independent AFW system with no sharing of structures, systems, and components including the AFW water supply consisting of two condensate storage tanks (CSTs) per unit. Thus, the requirements of GDC 5, "Sharing of Structures, Systems and Components," are satisfied.

The AFW system is designed to seismic Category I, Quality Group C from the CSTs up to but not including the motor-operated control isolation valves. The motor-operated isolation control valves and the piping and valves from the motor-operated valves to the steam generators are designed to seismic Category I, Quality Group B. Thus, the guidelines of RG 1.29, "Seismic Design Classification," Position C.1 are satisfied.

The AFW system is located within the AFW pumphouse, seismic Category I tunnels, auxiliary building, control building and containment and is thus protected against the effects of natural phenomena and tornado missiles (the CSTs are located outside of the buildings but are protected as discussed in Section 9.2.6 of this report). Thus, the AFW system meets the requirements of GDC 2, "Design Bases for Protection Against Natural Phenomena."

There are separate cubicles for each AFW pump in order to prevent possible internally generated missiles from damaging more than one pump. The applicant has provided the results of an analysis which show that the missiles from the turbine-driven AFW pump cannot damage safety-related equipment from the other trains. Thus, the design is in conformance with GDC 4, "Environmental and Missile Design Bases," as it relates to protection against internally-generated missiles (see Section 3.5.1.1 of this report).

The AFW system can be o ated faa =naroximatm]y_nine hours,yi reserved (330,000 gallons.h-one 3,.,:g ; [Ee F is includes four hours at p g 4. stiiihtiy condit~fon andTadditfBTiilfive our cool-down to 350°F and includes 30 minutes of flow from the-turtine-drivenTumplate unnt.Wugh-a-p4pe-break-plus-- rF son kaks m um 33 0,0 0 0 g.ita s a s k y ung _,,, heat generated blone RCP. AN cdditienel safcty gr:d& CST predN a the eve 5.wi.L. 4by c;diticrNT*2'he 56tafneti--- I p .;r ::r:: Of u:te e' combined capacity can maintain hot standby fer greeter ther. fecr houd [M for 3rhours-followed-byTS11 Therefore, the AFW system complies with the guidelines of BTP RSB 5-1 and the requirements of GDC 19, with regard to cold shutdown from the control room using only safety-related equipment. The AFW system has the capability to transfer decay heat loads from the secondary (steam) system under all conditions.
The AFW system is required to supply a minimum of 510 gpm total flow to at least one steam generator and is capable of supplying at least that amount to at least two steam generators even with the occurrence of a single failure for the following and other transients: loss of normal feedwater.(510 gpa' required) 1. ) loss of offsite power followed by reactor trip (470 gpa required) j 2. } V0GTLE CRAFT SER INPUT SEC 10 f 10-n 11/16/84 S c

3. secondary system pipe rupture (510 gpm required)
4. cooldown following steam generator tube rupture (470 gpm required)
5. loss-of-coolant accident, small break (470 gpm required)

Each motor-driven pump has a design flow of 630 gpm. A miniflow line for these pumps automatically isolat[illegible] flow has been established. The turbine-driven pump has a design flow of [illegible] including a maximum recirculation flow limited by an orifice to 160 gpm.

The applicant has performed a reliability study of the AFW system in accordance with NUREG-0737, Item II.E.1.1. This study is currently under review by the staff's consultants. Until this review is complete the staff cannot make a determination regarding GDC 34, "Decay Heat Removal," and 44, "Cooling Water." This is an open item.

The AFW system has been designed to permit periodic testing. In addition, the applicant will perform periodic monthly tests in conformance with the Standard Technical Specifications for Westinghouse Pressurized Water Reactors, NUREG-0452. This meets the requirements of GDC 46, "Testing of Cooling Water System." The AFW system has been designed to permit inservice inspection and periodic inspection of valves and pumps, thus meeting the requirements of GDC 45, "Inspection of Cooling Water System."

The AFW system has two diverse power sources which consist of offsite or onsite (Class 1E) AC power for the motor-driven pumps and steam for the turbine-driven pump. There are no auxiliaries in the train for the turbine-driven pump which require AC power to maintain operation of the train. This meets the guidelines of BTP ASB 10-1.

The AFW system is so designed that the turbine-driven pump portion of the system can be isolated from the portion containing the motor-driven pumps.
[illegible] system is designed to supply water to the steam generators [illegible] a potential source of water [illegible], thus avoiding throttling [illegible] lines being full of water by the main feedwater [illegible]. The AFW system is designed to supply water to the steam generators [illegible] level is controlled by throttling [illegible] valves [illegible]

Case 1. Each pump has its own piping to each CST which is seismic Category I, flood and tornado missile protected. The normally lined up tank has two locked open isolation valves in series to each pump. The standby tank which is also protected against natural phenomena is normally isolated from the AFW system by a closed remote-manual valve in each line. Thus, this case is not applicable to the Vogtle units.

Case 2. Upon depletion of the tank in service, the standby tank can be placed in service from the control room or the remote shutdown [illegible]

GS Initiation of AFW Flow Following a Loss of AC Power

This is not applicable to Vogtle. Under loss of all ac power, the turbine-driven feedwater pump, its associated flow path, and all instrumentation will initiate and maintain the auxiliary feedwater flow using only Class 1E dc power.

GS AFW Flow Path Verification

The AFW system is used for startup at Vogtle, therefore Case 2 does not apply. For Case 1, even while in test, the automatic start signal will align the system for operation and the only valve that is placed in an off-normal position is the recirculation test line isolation valve, and if left open, a flow limiting orifice limits the flow to an acceptable value. Thus this recommendation is not applicable.

GS Nonsafety Grade, Nonredundant Automatic Initiation Signals

This is not applicable to Vogtle. The automatic start AFW signals and associated circuitry are safety grade. The details of the design are evaluated in Section 7 of this report.



GS Automatic Initiation of AFW System

This is not applicable to Vogtle. The auxiliary feedwater system is automatically initiated.

Additional Short-Term Recommendations

No. 1 - Primary AFW Water Source Low Level Alarm

Redundant CST level indication with alarm is provided in the control room and at the remote shutdown panels. [illegible] is sized with a volume adequate to maintain the plant at hot standby for 4 hours, followed by a 5 hour cooldown to 350°F prior to operation of the residual heat removal system. The low level alarm provides the operator with at least 20 minutes warning prior to [illegible] switchover to the standby CST. This is acceptable.

No. 2 - AFW Pump Endurance Test

The applicant stated that the motor-driven auxiliary and turbine-driven feedwater pumps will be provided with a 48-hour endurance test. The turbine-driven auxiliary feedwater pump will be endurance tested using natural convection as the ventilation means. This commitment is acceptable.

No. 3 - Indication of AFW Flow to Steam Generators

Safety-grade flow transmitters, located [illegible] of the [illegible] indicate flow to each of the steam generators. Refer to Section 7 of this report for further evaluation.

No. 4 - System Availability During Periodic Surveillance Testing

This is not applicable to Vogtle. When either Class 1E auxiliary motor-driven pump is in the test mode, the other motor-driven pump and the turbine-driven pump are available for automatic operation. Also, the pump in test is available for automatic operation by overriding automatic controls that fully open the AFW control/isolation valve.
}}