ML20137J333

Forwards Response to NRC 850809 Request for Addl Info Re Proposed Tech Spec Changes Re Limiting Conditions for Operation for Svc Water Sys. Fault Tree Modeling Used in Probabilistic Safety Assessment Justified
ML20137J333
Person / Time
Site: North Anna
Issue date: 08/26/1985
From: Stewart W
VIRGINIA POWER (VIRGINIA ELECTRIC & POWER CO.)
To: Butcher E, Harold Denton
Office of Nuclear Reactor Regulation
References
85-600, NUDOCS 8508300249


Text

{{#Wiki_filter:VIRGINIA ELECTRIC AND POWER COMPANY
RICHMOND, VIRGINIA 20261

W. L. Stewart

August 26, 1985

Mr. Harold R. Denton, Director
Office of Nuclear Reactor Regulation
Attn: Mr. Edward J. Butcher, Acting Chief
Operating Reactors Branch No. 3
Division of Licensing
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Serial No. 85-600
EAC/RMB: plc
Docket Nos. 50-338, 50-339
License Nos. NPF-4, NPF-7

Gentlemen:

REQUEST FOR ADDITIONAL INFORMATION
NORTH ANNA POWER STATION UNIT NOS. 1 AND 2
SERVICE WATER SYSTEM PROPOSED TECHNICAL SPECIFICATION CHANGE

By letter dated August 9, 1985 you requested additional information to support our request to change the Technical Specifications for North Anna 1 and 2 regarding the limiting conditions for operation of the Service Water System. The proposed change would extend the allowable time that one of the redundant service water headers can be inoperable beyond 72 hours up to 168 hours provided three out of four service water pumps and one out of two auxiliary service water pumps are operable during the LCO.

Our response to your request for additional information is provided in the enclosure to this letter. In responding to the staff's questions, justification has been provided for the fault tree modeling and assumptions used in the Probabilistic Safety Assessment. No re-analysis was required and our conclusions remain as previously stated in our submittal dated March 29, 1985.

If you have questions or require any additional information, please contact us immediately.

Very truly yours,

W. L. Stewart


Enclosure:

Response to Request For Additional Information North Anna Service Water System Probabilistic Safety Assessment.

cc:

Dr. J. Nelson Grace
Regional Administrator
Region II

Mr. Leon B. Engle
NRC Project Manager - North Anna
Operating Reactors Branch No. 3
Division of Licensing

Mr. M. W. Branch
NRC Resident Inspector
North Anna Power Station

Mr. Charles Price
Department of Health
109 Governor Street
Richmond, Virginia 23219

ENCLOSURE

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION
NORTH ANNA SERVICE WATER SYSTEM PROBABILISTIC SAFETY ASSESSMENT
EXTENDED SERVICE WATER SYSTEM LCO

Question 1 (a)

Page B-7. The fault subtree (S164) that begins with "pump fails due to maintenance" does not appear to lead to SWS failure.

Answer

A justification for modeling the event "Pump Fails Due to Maintenance" as it is shown on page B-7 of the Impell report is provided below.

The success criteria for the Service Water System as stated in the NAPS UFSAR and Table 1-1 of the Impell report requires full flow from two pumps. In addition, page 1-7 of the Impell report states that "Two service water pumps are assumed to be normally operating at the start of the mission time". As a basis for the fault tree models, the two pumps assumed to be normally operating were 1-SW-P-1A and 2-SW-P-1A.

If pumps 1-SW-P-1A and 2-SW-P-1A are normally supplying the system and one of them is taken out for maintenance, then an operator failure to start a back-up pump will leave only one pump supplying the system and the success criteria will not have been satisfied.

Maintenance on pumps other than 1-SW-P-1A and 2-SW-P-1A would not require an operator to start a backup pump since these pumps are in standby already. Therefore, only the two operating pumps are modeled in this event.

Question 1 (b)

Pages B-8, B-9, and B-10. The fault trees include under the heading "pump in maintenance" (S020, S038, and S052) a stipulation that a minimum number of the other pumps cannot be in maintenance. While this is true from a Technical Specification limit standpoint, inclusion of this limitation in the fault tree will lead to minimal cutsets that have events that do not contribute to system failure.

Answer

The events that "do not contribute to system failure" and are included in the minimal cutsets are the conditional events that alternate service water pumps are not in maintenance. These events are pre-conditions to placing a service water pump in maintenance, that is, prior to placing a service water pump in maintenance, a minimum number of alternate pumps must be operational (i.e. not in maintenance). Although the basic event "pump not in maintenance" does not directly contribute to system failure, it is a required event prior to "pump in maintenance" occurring. Therefore, the modeling of the maintenance event is statistically correct.

There are two alternate methods of modeling the pump maintenance.

One method is to eliminate the conditional requirements (i.e. remove the basic events "pump not in maintenance") and compute the maintenance unavailability with a correction for these conditional events. Owing to the number of combinations which could occur involving maintenance, this was not considered as accurate or efficient a method as the one used.

The second method would be to model pump maintenance as stated in the paragraph above without an adjustment to pump unavailability. This will have two impacts on the analysis. First, many cutsets will appear that are not in conformance with the Technical Specifications. These cutsets would subsequently have to be eliminated from the analysis manually. Given the value used for maintenance unavailability of a service water pump (0.1), it was judged that too many cutsets would appear that would have to be eliminated and that this number of cutsets would "mask" the true failure paths of the service water system. In addition, there is a greater chance of error and uncertainty in the analysis when a large number of manual computations have to be performed.

The second impact would be to increase the failure probability of each cutset involving maintenance. Although the statistical correctness of this approach could be argued, the net effect on this analysis would be an increase in the failure probabilities on the order of 95. This increase is considered negligible given the uncertainty factors in the data (see Appendix C of the report).

In conclusion, the modeling of pump maintenance is statistically correct, reduces the number of manual adjustments to the analysis to a minimum thereby reducing error, and does not significantly change the final result from a "more conservative" approach.
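The difference between the modeling used and the second alternative can be seen on a small constructed case. The Python sketch below is an added illustration, not part of the letter or the Impell report: the pump labels, the hardware failure probability and the rule that every other pump must be out of maintenance are assumptions, and only the two-pump success criterion, the three-of-four operability limit and the 0.1 maintenance unavailability come from the text. Its numbers show the mechanism and are not the report's results.

```python
from itertools import combinations, product
from math import prod

PUMPS = ("A", "B", "C", "D")  # constructed labels, not the plant's pump IDs
Q_MAINT = 0.1                 # maintenance unavailability quoted in the answer
P_FAIL = 1.0e-3               # assumed hardware failure probability (illustrative)
NEEDED = 2                    # success criterion: full flow from two pumps


def cut_sets():
    """Minimal cut sets: enough pumps lost that fewer than NEEDED remain.

    Each lost pump is out through maintenance ('M') or hardware failure ('F').
    """
    k = len(PUMPS) - NEEDED + 1
    return [tuple(zip(pumps, modes))
            for pumps in combinations(PUMPS, k)
            for modes in product("MF", repeat=k)]


def pumps_in_maintenance(cut_set):
    return [pump for pump, mode in cut_set if mode == "M"]


def violates_tech_spec(cut_set):
    """Limit taken from the LCO: three of four pumps operable, so at most
    one pump may be in maintenance at a time."""
    return len(pumps_in_maintenance(cut_set)) > 1


def prob_unconditioned(cut_set):
    """Second alternative: maintenance events carry no precondition."""
    return prod(Q_MAINT if mode == "M" else P_FAIL for _, mode in cut_set)


def prob_conditioned(cut_set):
    """Method used: 'X in maintenance' = M_X AND NOT M_Y for each other pump Y
    (assumption: the precondition covers all three other pumps)."""
    maint = pumps_in_maintenance(cut_set)
    if len(maint) > 1:
        # M_A AND NOT M_B combined with M_B AND NOT M_A is a Boolean
        # contradiction, so the cut set vanishes without manual editing.
        return 0.0
    p = prob_unconditioned(cut_set)
    if maint:
        p *= (1.0 - Q_MAINT) ** (len(PUMPS) - 1)
    return p


def compare():
    """Summarise both models using the rare-event sum over cut sets."""
    sets = cut_sets()
    legal = [cs for cs in sets if not violates_tech_spec(cs)]
    return {
        "cut_sets": len(sets),
        # cut sets an analyst must delete by hand in the unconditioned model
        "manual_deletions": len(sets) - len(legal),
        "unconditioned_raw": sum(prob_unconditioned(cs) for cs in sets),
        "unconditioned_edited": sum(prob_unconditioned(cs) for cs in legal),
        "conditioned": sum(prob_conditioned(cs) for cs in sets),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>22}: {value:.6g}")
```

In this toy case half of the unconditioned cut sets violate the operability limit and dominate the raw total, which is the "masking" the answer describes; after they are deleted by hand, the remaining total exceeds the conditioned one only by the missing "not in maintenance" factors.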

Question 1 (c)

Pages B-10, B-11, and B-12. Provide the basis for excluding operator action under "MOV fails to open" for MOVs SW117, SW118, SW115A, SW215A, SW115B, and SW215B.

Answer

Page B-10 of the fault tree shows the model for an auxiliary pump failing to provide required service water flow. In the model there are six postulated failure modes which would preclude using the auxiliary pumps in their back-up capacity. Of these six failure modes, two are interrelated and affect the valves in question (MOV-SW117, MOV-SW118, MOV-SW115A, MOV-SW115B, MOV-SW215A, and MOV-SW215B). These two failure modes are discussed below in detail in order to resolve the question regarding inclusion of operator actions in the model.

The event "Alignment Failures" under "Discharge Path to Header Fails" is detailed on pages B-11 and B-12 of the fault tree. These models are purely concerned with physical valve failures. The possibility of encountering operator-related valve failures is addressed in the event "SPUSTRTX" (Operator Fails to Start and Align 1-SW-P-4, page B-10).

Justification for the value of the probability associated with "SPUSTRTX" is given on page D-7 of the Impell report. It was judged in this analysis that the predominant human error is the operator failing to initiate auxiliary service water flow. Starting the auxiliary service water pumps and aligning the motor operated valves are highly dependent actions and are thus treated as a single event.

Question 1 (d)

Page B-21. The staff has two comments regarding the event heading "DG in Maintenance." First, the staff questions including "DG not in maintenance" in the fault tree for the reasons outlined in 1b above. Second, the event "DG 1H in maintenance" has a "not" above the event, which is illogical. Is this just a typo, or is it carried through the rest of the fault tree analysis?

Answer

The fault tree model for the event "Diesel Generator in Maintenance", which appears on page B-21 of the Impell report, contains a typographical error. The "not" gate above the event "DG 1H in maintenance" should be deleted. A line by line check of the computer generated analyses revealed that this typographical error was not reflected in the analysis. A revision of page B-21, which shows the corrected fault tree drawing, is included for clarification.

Justification for modeling "DG not in maintenance" is addressed in the response to question 1(b). For this event, the impact on failure probability is negligible.

[Figure: revised page B-21, corrected fault tree drawing for "Diesel Generator in Maintenance"]

Question 1 (e)

Page B-29. The fault subtree (S411) under the event heading "return fails" does not seem to make sense. One possibility is that the gate heading "insufficient flow return A" was switched with the gate heading "Alternate return fails." Please indicate if this is the case and what effect this incorrect arrangement has on the fault tree analysis.

Answer

The fault tree which models loss of flow to component cooling water heat exchangers 1-CC-E-1A and 2-CC-E-1B, shown on page B-29 of the Impell report, has an inconsistency in the event "Return Fails". The headings and gate numbers for the two subevents (Insufficient Flow Return A and Alternate Return Fails) which are inputs to gate S411 are reversed on the fault tree shown on page B-29. This is a drafting error that occurred during report preparation and the inconsistency was not carried through to the computer-generated fault tree evaluations for the component cooling water heat exchangers. A revised fault tree drawing for these heat exchangers is included for clarification.

[Figure: revised page B-29, fault tree drawing for loss of flow to the component cooling water heat exchangers]

Question 1 (f)

Pages B-33 and B-34. The basic event "Loss of air supply to TCV-SW102A" does not have an 8 character format number associated with it. Also, the main text indicates that loss of instrument air will not cause the lube oil cooler outlet to fail (this has been reaffirmed by the North Anna licensee via a phone conference). This is in direct conflict with the fault tree logic for the air operated valves TCV-SW102A, B, and C.

Answer

When originally modeled, it was unknown if the temperature control valves would fail safe upon loss of instrument air. Accordingly, this was modeled as a failure mode until it was confirmed otherwise. Upon determination that loss of instrument air cannot prevent these valves from performing their system function, the cutset which listed instrument air system failure (AINSTASF) as a common mode failure was considered invalid and deleted from the cutset listing for cases SA, 58, and F5C.

The fault trees which model these temperature control valve failures have been revised to delete the events which depict loss of instrument air as a postulated failure mode. The revised fault tree drawings are attached for clarification.

[Figures: revised fault tree drawings for the temperature control valve failures]

Question 1 (g)

Page 35. It appears that the 8 character format number SXVW654E should be switched with SXVW653E and the same statement applies to SXVW637E and SXVW636E. Please clarify.

Answer

The basic events "SXVW654E" and "SXVW653E" (and SXVW636E and SXVW637E) under "Return Fails" on page B-35 of the report should remain as they are shown. The inconsistency arises from a drafting error in the simplified flow diagram for the charging pump lube-oil and seal coolers on page 3-20. The lines from the seal coolers to the main returns were drawn incorrectly. A revised simplified flow diagram for these coolers, which agrees with the actual plant flow diagrams, is included for clarification.

[Figure: revised simplified flow diagram for the charging pump lube-oil and seal coolers]

Question 1 (h)

Explain why valves 1-SW-251, 252, 254, and 255 were not modeled in the fault trees.

Answer

Valves 1-SW-251 and 1-SW-254 are normally open manual valves and 1-SW-252 and 1-SW-255 are check valves on the header A and B supply lines to the charging pump lube-oil and seal coolers (see Figure 3-4 of the final report). These valves were evaluated and not modeled for the reasons stated below.

The only credible failure mode for valves 1-SW-251 and 1-SW-254 is misalignment closed. Since lube-oil and seal coolers to one charging pump are assumed operating, flow through these lines is considered established. Misalignment of these valves is therefore considered a pre-existing fault that would normally be detected and corrected (see page 4-10, third paragraph of final report).

For valves 1-SW-252 and 1-SW-255, the two possible failure modes are "check valve fails to close" and "check valve fails to open." Failure of the check valve to close (i.e. a stuck open check valve) would not fail system flow to the coolers and was not modeled. Since flow is considered established in the headers, the check valves are in the open position already; thus, "failing to open" is not a failure mode.

As a note, this is consistent with the treatment given to the inlet valves (1-SW-662 through 1-SW-665 and 1-SW-686 through 1-SW-689) for the operating lube oil and seal coolers (see page B-33, 34, and 35). For the coolers not assumed to be operating, the inlet valves are modeled.

Question 2

The power supply to the auxiliary service water pumps and their associated valves is such that failure of either 1H or 2H 4160 volt buses or the failure of either MCC 1H1-1 or MCC 2H1-1 will prevent the alignment of both auxiliary service water pumps to the service water header system. Please provide the rationale for this arrangement.

Answer

Service water flow to the operating headers is normally provided by the service water pumps taking suction from the service water reservoir and discharging back to the service water reservoir via the spray system. The auxiliary service water pumps provide an alternate supply of service water taking suction from the lake and discharging back to the lake via the discharge tunnel. All operating headers are normally supplied by the same source, that is, either the service water reservoir or Lake Anna.

The auxiliary service water pumps can be lined up to either supply header through the valve arrangement shown in Figure 3-2 of the Service Water System Probabilistic Safety Assessment. Also shown is the valve arrangement for the service water discharge to the lake. The Service Water System is designed such that two valves are installed in series on all headers for systems and components that must be closed in the event of an accident to assure line isolation if a single valve were to fail. Accordingly, pairs of motor operated valves in series control the service water supply from the auxiliary service water pumps and the discharge to the lake, thereby providing positive assurance that service water flow will be controlled when required by various accident conditions in the event of one malfunctioning valve.

The pairs of motor operated valves from the auxiliary service water pumps to headers A and B are powered from the emergency buses as listed below:

Valve          Function                Power Supply
MOV-SW-115A    Discharge to A Header   1H1-1
MOV-SW-215B    Discharge to A Header   2H1-1
MOV-SW-115B    Discharge to B Header   1H1-1
MOV-SW-215A    Discharge to B Header   2H1-1

The series valves are powered from separate emergency buses to ensure that the line can be isolated, thus preventing service water flow to the lake during operation of the service water system from reservoir to reservoir. In the event of failure of either the 1H or 2H 4160 volt buses or the associated motor control center, the MOV can be operated by hand to align the auxiliary service water pumps to either header A or B should the alternate water source be required.

83r629RMB073

Question 3

In order to assess the validity of the values assigned to human actions it is necessary to know how much time is available before adverse results will occur and how long it takes for the operators to perform the necessary tasks to recover from the postulated loss of service water header scenarios. In this regard, provide the minimum time service water can be completely lost without adverse effects occurring for both normal conditions and for accident conditions and show that this time exceeds the time required for the various human actions assumed in the quantitative probabilistic assessment.

Answer

The consequences of a complete loss of service water, operator recovery actions, and conclusions with regard to operator response time are discussed below:

Consequences of a Complete Loss of Service Water

Station abnormal procedures provide the indication of, probable causes for, and the immediate and long term operator actions to be taken in the event of a loss of the service water system. In the event of a complete loss of service water flow during normal operation, service water would be lost to the following components:

1) The component cooling heat exchangers.
2) The main control and relay room air conditioning condensers.
3) The station instrument air and service air compressors.

4) The charging pump lubricating oil, seal, and gear box coolers.

Loss of service water flow to the component cooling heat exchangers would result in a heatup of the component cooling water proportional to the heat input to the system. The station abnormal procedure for loss of service water instructs the operator to reduce the heat load on the component cooling system by securing non-essential equipment. Evaluation of the components cooled by the component cooling system indicates that the most limiting component that would be adversely affected by a loss of service water would be the reactor coolant pumps. Station abnormal procedures instruct the operators to trip the reactor and the reactor coolant pumps if the motor bearing temperature exceeds 195°F. It is conservatively estimated that the reactor coolant pumps could continue to operate for at least one hour following a complete loss of service water at the reduced heat load on the component cooling system before the maximum motor bearing temperature is reached. (The reduced heat load is defined in the response to Question No. 7 and assumes that the reactor has been tripped.)

A complete loss of service water during normal operation would not cause an immediate adverse effect on the control and relay room temperature. The design maximum temperature is 120°F at a relative humidity of 100%. The Technical Specifications allow both air conditioning systems to be inoperable for 24 hours before the units must begin shutting down.

Loss of service water to the instrument air compressors (1-IA-C-1 and 2-IA-C-1) and to the service air compressors (1-SA-C-1 and 2-SA-C-1) would not cause an immediate adverse effect on unit operation. Station instrument air and service air is normally supplied by air cooled compressors. The air compressors cooled by service water are normally used only as backup to the air cooled compressors. It should be noted that the compressed air system is not required to safely shut down the units. All safety-related, air operated valves that may be operated during accident conditions have air available from air storage bottles or will fail in the safe position.

During normal operation, one charging pump is operating to provide the required seal injection flow to the reactor coolant pumps and makeup flow to the reactor coolant system. A complete loss of service water to the charging pump coolers will result in a high lube oil temperature on the operating pump. While it is known that the charging pump can continue to operate for several minutes following a loss of service water flow, the length of time until a high lube oil temperature is reached is difficult to accurately predict. When a high lube oil temperature is reached on the operating charging pump, the two standby pumps may be run for short periods in sequence. If a high lube oil temperature is received on all charging pumps, the abnormal procedure for loss of service water instructs the operator to trip the reactor, secure RCS letdown and charging flow, and lock out all charging pumps. The unit can then be maintained in a safe condition until the service water system can be returned to service.

However, in order to ensure that the charging pumps are not lost in the event of a loss of the operational service water header, a temporary alternate supply of cooling water from the fire protection system will be provided whenever one of the two redundant main service water headers is removed from service during the planned service water system upgrades. This alternate supply water can be brought into service quickly by manually closing a service water branch line valve and opening the valve from the fire water line. It should be noted that the fault tree analysis for the charging pump coolers takes no credit for this alternate water supply.

During accident conditions resulting in a containment depressurization signal (hi-hi containment pressure), service water flow is isolated to the affected unit's component cooling heat exchangers and the recirculation spray heat exchanger isolation valves open. A complete loss of service water flow to the recirculation spray heat exchangers during a LOCA would result in an extension of the time required to depressurize the containment to sub-atmospheric conditions. The consequences of a complete loss of service water during a LOCA for any significant time period would not be acceptable with respect to the containment design criteria.

During other accident conditions, not resulting in a containment depressurization signal, no immediate adverse effect will result from a loss of service water except with regard to operation of the charging pumps required for high head safety injection. As described above, these pumps will be maintained operable in the event of a loss of the operating service water header by providing an alternate cooling water supply from the fire protection system whenever one of the main supply or return headers is inoperable during the planned system upgrades.

Operator Recovery Actions

Operator recovery actions in response to a loss of service water which were evaluated in the reliability analysis (Appendix D of the Probabilistic Safety Assessment) fall into two categories: actions that can be taken in the control room only and actions required outside the control room. The operator actions that can be taken inside the control room are re-positioning of motor operated valves and remote starting of service water pumps. Actions taken outside the control room are alignments of manual valves in the service water pump house.

Human error probabilities are evaluated based on the operator's ability to diagnose the problem and the operator's ability to take corrective action. Failures of the service water system which can be rectified from the control room by starting a backup pump and/or re-positioning motor operated valves can be recognized and completed very quickly (a maximum of ten minutes is estimated). The most limiting case is when the action must be taken outside the control room requiring the alignment of manual valves. A maximum of 30 minutes is estimated to recover the service water system in this case.

Conclusion

It has been shown that under normal operating conditions and non-LOCA events (excluding secondary coolant breaks inside the containment), sufficient time exists for operator actions to be taken to recover service water flow before adverse results will occur. It cannot be shown that a complete loss of service water for any significant time period during a LOCA or secondary coolant line break inside the containment would be acceptable with respect to the containment design criteria. However, the current Technical Specifications allow one of the redundant service water headers to be inoperable for up to 72 hours given the low probability of this Condition IV event coincident with a loss of the operating service water header. The reliability analysis has shown that the reliability of the service water system will not be reduced in extending the allowable time that one of the redundant headers can be out of service from 72 hours to 168 hours. This conclusion is based on the assumption that three out of four main service water pumps and one out of two auxiliary service water pumps will be operable during the extended LCO.

Question 4

Because of the inconsistencies outlined in question 1f above, the staff will need a complete description of the air operated valves TCV-SW102A, B, and C including the possible failure modes for these valves and their air supply. A discussion should be provided on the possibility of a common mode failure, either from hardware origins or from an act of human omission or commission, that would result in the loss of all three charging pumps.

Answer

TCV-SW-102 A, B, and C regulate the flow of service water through the lube oil coolers for charging pumps 1-CH-P-1A, 1B, and 1C respectively to maintain the temperature of the oil out of the oil coolers less than 125°F. The valves are Fisher Controls Model No. 657-ES (Type 657 actuator on a design ES valve body assembly). The valve actuator is set up for air to close the valve and spring force to open the valve. The positioner is a Fisher Model No. 3582 used with diaphragm-actuated control valves to provide a valve plug position that is proportional to the pneumatic input signal received from the controller. The temperature indicating controller is a Foxboro Model No. 43A-A4 which senses the temperature of the lube oil leaving the oil cooler. An increase in lube oil temperature above the setpoint will modulate the temperature control valve to increase service water flow (decrease air pressure to valve actuator). A drawing of the valve actuator and positioner is included in Attachment 1. A loop diagram depicting the components in the instrument loop is included in Attachment 2.

A review of the design of the temperature control valves has identified no common cause failure. The air supply to the temperature controller and the valve positioner is from the instrument air subsystem of the station compressed air system. Two instrument air compressors are used to provide air as required for instruments and controls associated with both units (outside containment).

The control valves fail open on a loss of air supply, maintaining service water flow through the lube oil coolers. Therefore, a loss of air supply is not a common mode failure. An individual control valve can fail shut due to a failure of its temperature controller or positioner. An increasing air pressure from the positioner will close the control valve. An individual valve could also possibly fail if the valve stem broke or the valve otherwise became plugged. These hardware failures, however, would affect only one of three charging pumps and are therefore not a common cause failure. The valve failure probability is assigned a value of 7.0x10- based on the IMPELL Component Reliability Data Book.

No human acts of omission or commission have been identified that would result in the loss of all three temperature control valves. The individual controllers are calibrated by instrument technicians. The calibration is not performed on all three control loops at the same time. The operating procedure for starting a charging pump requires that the operator verify locally that the TCV is regulating the temperature of oil out of the cooler to less than 125°F. No remote control is provided for operating these control valves. It is concluded that no individual human error should be considered which would result in failure of all three of these control valves.

Attachment 1 - Question 4

[Drawing of the valve actuator and positioner; not legible in this copy.]

Attachment 2 - Question 4

[Instrument loop diagram T-SW102A, Stone & Webster Engineering Corporation, Power Industry Group. Title: Service Water System, Water to Charging Pump Lube Oil Cooler 1-CH-E-5A Temperature Control Valve. Client: VEPCO. J.O. No. 11715. Legible labels: TIC-SW102A, Foxboro 43A, range 60-180°F, scale 60-180°F, action inverse; 15 PSIG; TCV-SW102A, Fisher Model 657-ES, air to close, fails open; REF: FM-22B; E&DCR 6191-2. The diagram itself is not legible in this copy.]

LOOP ACTION: An increase in charging pump lube oil cooler 1-CH-E-5A outlet oil temperature above setpoint will modulate TCV-SW102A to increase cooling water flow.

Question 5

The onsite electrical distribution system is not modeled in the service water system fault trees, except for diesel generator failures and 4160 volt bus faults. Justify not modeling the remainder of the onsite electrical system in the analysis.

Answer

Previous reliability analyses performed by Impell have demonstrated that the predominant contributors to failure of the electrical distribution system are diesel generator faults and essential bus faults. This is also consistent with results from other PRAs. The main purpose of modeling the electrical distribution system was to evaluate the interface with the service water system. This was accomplished by modeling down to the diesel generators and essential buses. Any further detailed modeling of the electrical distribution system was evaluated as not significantly impacting the service water system failure probability.

In addition, a more detailed model of the electrical distribution system would not influence the change in service water system reliability resulting from the proposed Technical Specification change on the service water system.

Question 6

The updated FSAR indicates in Table 9.2-1 that service water is not needed to the component cooling water system (CCWS) for the unit experiencing an accident. Is this true for all accidents, including non-LOCA events?

Answer

Table 9.2-1 indicates the service water equipment flow rates required for the accident design basis for the Service Water System. The accident design basis for the pumping requirements of the service water system is the simultaneous loss-of-coolant accident (LOCA) for one unit and loss of station power for both units. During this accident, the intact unit will be placed in hot standby operation or will be cooled down by dumping steam followed by the use of the Residual Heat Removal System.

During the design basis accident (LOCA), the component cooling water heat exchanger motor operated isolation valves shut on receipt of a containment depressurization actuation signal (containment hi-hi pressure) and the recirculation spray heat exchanger header isolation valves open on the affected unit. Service water to the component cooling water heat exchangers is isolated on the affected unit to ensure adequate service water flow to the Recirculation Spray Heat Exchangers. The equipment cooled by component cooling water is identified in Section 9.2.2.3.1 of the North Anna UFSAR. Operation of this equipment on the affected unit is not required to mitigate the consequences of the Design Basis Accident (LOCA).

The containment depressurization signal will close the affected unit's component cooling water heat exchanger motor operated isolation valves, trip the affected unit's component cooling pumps, and initiate Phase B containment isolation. Phase B containment isolation results in the closure of all normally open trip valves in lines penetrating the containment that are not required for containment depressurization or safety injection, including the component cooling water lines to and from the reactor coolant pump motors and thermal barrier heat exchangers. Station emergency procedures instruct the operators to trip the reactor coolant pumps when component cooling water to that pump is lost. Safety analyses have demonstrated that the reactor coolant pumps are not needed to maintain core cooling as long as safety systems are functioning properly, e.g. safety injection.

For non-LOCA events which do not result in a containment depressurization signal, the component cooling heat exchangers and component cooling pumps on the affected unit remain in operation providing component cooling water to the reactor coolant pump motors and thermal barrier heat exchangers. The reactor coolant pumps are therefore normally available during this type of event provided electrical power is available from the normal station service buses.

Non-LOCA events which result in a containment depressurization signal, such as a loss of secondary coolant, will close the affected unit's component cooling water heat exchanger isolation valves, trip the component cooling pumps on the affected unit, and initiate Phase B containment isolation. Station emergency procedures instruct the operators to trip the reactor coolant pumps when component cooling water is lost to these pumps. Again, safety analyses have demonstrated that the reactor coolant pumps are not needed to maintain core cooling as long as safety systems are functioning properly.

During normal two header operation, the Unit 1 component cooling water heat exchangers are lined up to the "A" service water header and the Unit 2 component cooling water heat exchangers are lined up to the "B" service water header. The normal valve lineup for two header operation is shown in Figure 3-3 of the Probabilistic Safety Assessment (attached). Receipt of a containment depressurization signal on Unit 1 will close MOV-SW-108A and 108B, thus isolating service water flow to the Unit 1 component cooling water heat exchangers. Likewise, receipt of a containment depressurization signal on Unit 2 will close MOV-SW-208A and 208B, isolating flow to the Unit 2 component cooling water heat exchangers.

During operation with one of the redundant service water headers out of service, the Unit 1 and Unit 2 component cooling water heat exchangers will be lined up to a single service water header. A review of the design of the automatic isolation system indicates that if a containment depressurization signal is received during operation with a single service water header, the service water flow to the component cooling water heat exchangers will either not be automatically isolated or will be automatically isolated to both units (depending on which unit is experiencing the accident). Therefore, station procedures will be modified to require manual operator action in the event that a containment depressurization signal is received while operating with a single service water header. Operator action will be taken to isolate service water flow to the affected unit's component cooling water heat exchangers and to maintain service water flow to the component cooling water heat exchangers on the intact unit.

FIGURE 3-3: SERVICE WATER SYSTEM - COMPONENT COOLING WATER SYSTEM HEAT EXCHANGERS, SIMPLIFIED FLOW DIAGRAM

[Figure not legible in this copy.]

Question 7

The statement is made that CCWS can tolerate loss of SWS for approximately two hours of reduced heat load. Please define "reduced heat load."

Answer

In the mechanical cleaning submittal dated February 27, 1985, it was indicated that under conditions of reduced heat load, the component cooling system can tolerate a loss of service water flow for approximately 2 hours. The minimum time calculated before adverse conditions will occur was based on the ability of the component cooling water system to provide adequate cooling to the reactor coolant pumps. The motor bearing temperature is to be maintained at less than 195°F. The calculation was based on the operator taking immediate action to reduce the heat load on the component cooling water system as instructed in the station abnormal procedure for loss of component cooling (1-AP-15). In the event that the component cooling water system cannot be immediately returned to service, this procedure instructs the operator to trip the reactor, monitor the reactor coolant pump motor bearing temperatures, terminate charging and letdown, and secure non-essential heat loads on the component cooling system.

The reduced heat load is defined as those remaining heat loads on the component cooling system after the reactor has been tripped, charging and letdown have been terminated, and the non-essential loads have been secured. The significant remaining heat loads are listed below:

(1) the reactor coolant pumps
(2) the reactor shroud cooling coils
(3) the neutron shield tank coolers, and
(4) the fuel pit coolers

The reduced heat load is approximately 26 x 10^6 BTU/hr assuming the maximum design heat load for the above components.

As indicated in the response to Question No. 3, more conservative calculations, taking into account operator response time to diagnose the failure and reduce the component cooling heat load combined with more conservative assumptions regarding heat exchanger performance, indicate that the time that the reactor coolant pumps could continue to operate following a complete loss of service water may be as short as approximately one hour. It is expected that the service water could be returned to service within this period under the most probable failure scenarios. However, if the maximum bearing temperature is reached on the reactor coolant pump motors, the abnormal procedure instructs the operator to trip the reactor coolant pumps. The unit can then be maintained in a safe shutdown condition under natural circulation until the service water system is returned to service.

Question 8

Provide the details of how the beta-factors were calculated for the common cause failure modes of the service water pumps and the diesel generators.

Answer

The beta-factor for the service water pumps (two of two pumps fail - 0.055) was a factor taken for pumps in general from the reference SRD R146 United Kingdom AEA "A Study of Common Mode Failures." For the failure of three of four pumps, it was assumed that a third pump dependent failure was 0.1, thereby giving a beta factor of:

    0.1 x 0.055 = 0.0055

It is acknowledged that the values used for common causes are uncertain and debated in the industry. As a point of comparison, however, a recent study ("Common Cause Data Analysis and Implications in System Modeling," K.N. Fleming and Ali Mosleh, Pickard, Lowe and Garrick, Inc., published in Proceedings for the International Topical Meeting on Probabilistic Safety Methods and Applications, February 24 - March 1, 1985) computed a beta factor for service water pumps to be 0.03, which is less than the 0.055 assumed as a base factor.

For added conservatism, the beta factors were applied against the probability of a pump failing to start (1.1 x 10^-3). Since two pumps are running, a more accurate approach would be to use the probability of a pump failing to run (1.7 x 10^-4/72 hours and 4.0 x 10^-4/168 hours); however, the largest failure probability was used.

For diesel generators, a study of diesel generator common mode failures was performed by Impell for a study on decay heat removal (NSAC-83, Brunswick Decay Heat Removal Probabilistic Safety Study, to be published). Using a study performed for EPRI ("Diesel Generator Reliability at Nuclear Power Plants: Data and Preliminary Analysis," EPRI NP-2433, Interim Report, June 1982) there were 17 common mode failures of diesel generators and 254 total failures. Of these failures approximately 84% were demand failures. This results in a beta-factor of:

    (17 / 254) x 0.84 = 0.06

Since plant specific common mode failure data was not used, this factor was arbitrarily increased by 33% to add conservatism. The result is a beta factor of 0.08. As a point of reference, the study noted in the second paragraph of this response computed a beta factor for diesel generators to be 0.05. Another study presented at the same conference ("On Common Cause Failure Methods Dealing with Dependent Failures; A Comparative Application To US Diesel Generator Data Based on Licensee Event Reports", Reino Virolainen - Finnish Centre for Radiation and Nuclear Safety and Arthur Buslik USNRC) presented a beta factor for diesel generators to be 0.031.

Question 9 (a)

The minimum cutset, SLCOHDRA, SPUSTRTX, SXV1SW4X, has a value of 8 x 10^-6 according to the information contained in Appendix C. However, there are three different values of this cutset used in the cases analyzed for this study contained in Appendix F.

Answer

The minimum cutset, SLCOHDRA, SPUSTRTX, SXV1SW4X, has a value of 8 x 10^-6 for all cases except for evaluation of the recirculation spray heat exchangers. When the recirculation spray heat exchangers are required, an Engineered Safeguards signal is present that will automatically start all service water pumps. Accordingly, for the basic event SPUSTRTX ("Operator fails to start pump"), the failure probability was changed to reflect automatic initiation. The new value used was 3 x 10^-6/hr (see Appendix C, Generic Data Base, page 4-25). This would, as a result, give different probability values for the above cutset for the cases involving the recirculation spray heat exchangers.

The specific change to SPUSTRTX was not identified in the final report; however, a general discussion of this change is provided on page 5-10, second paragraph.

Another review of Appendix C was performed to check for other inconsistencies. This review revealed that the table listing failure probabilities in Appendix C contained some values used in preliminary analyses and not in the final analyses. A revised table is enclosed to clear up the above inconsistencies.

FAILURE DATA FOR SW FAULT TREE BASIC EVENTS

BASIC                                               FAILURE   FAILURE
EVENT     DESCRIPTION                               PROB.     PROB.
                                                    72 HR     168 HR
AINSTASF  INSTRUMENT AIR FAILURE                    1.70E-02  3.90E-02
CCVXXX1D  BACKWASH PUMP OUTLET CHECK VALVE FAILS    9.00E-04  2.10E-03
CCVXXX2D  BACKWASH PUMP OUTLET CHECK VALVE FAILS    9.00E-04  2.10E-03
CCVXXX3D  BACKWASH PUMP OUTLET CHECK VALVE FAILS    9.00E-04  2.10E-03
CCVXXX4D  BACKWASH PUMP OUTLET CHECK VALVE FAILS    9.00E-04  2.10E-03
CPU1W2AA  BACKWASH PUMP 1-CW-P-2A FAILS TO START    1.80E-02  4.20E-02
CPU1W2AF  BACKWASH PUMP 1-CW-P-2A FAILS TO RUN      4.50E-05  6.50E-05
CPU1W2BA  BACKWASH PUMP 1-CW-P-2B FAILS TO START    1.80E-02  4.20E-02
CPU1W2BF  BACKWASH PUMP 1-CW-P-2B FAILS TO RUN      4.50E-05  6.50E-05
CPU2W2AA  BACKWASH PUMP 2-CW-P-2A FAILS TO START    1.80E-02  4.20E-02
CPU2W2AF  BACKWASH PUMP 2-CW-P-2A FAILS TO RUN      4.50E-05  6.50E-05
CPU2W2BA  BACKWASH PUMP 2-CW-P-2B FAILS TO START    1.80E-02  4.20E-02
CPU2W2BF  BACKWASH PUMP 2-CW-2B FAILS TO RUN        4.50E-05  6.50E-05
CTV1SW4A  TRAVELING SCREEN 1-CW-S-1D FAILS TO STRT  9.90E-04  2.30E-03
CTV1SW4F  TRAVELING SCREEN 1-CW-S-1D FAILS TO RUN   5.40E-04  7.80E-04
CTV2SW4A  TRAVELING SCREEN 2-CW-S-2A FAILS TO STRT  9.90E-04  2.30E-03
CTV2SW4F  TRAVELING SCREEN 2-CW-S-2A FAILS TO RUN   5.40E-04  7.80E-04
CXVXXX1D  1-CW-P-2A MAN. ISOL. VALVE FAILS TO OPEN  1.00E-04  1.00E-04
CXVXXX1X  OPERATOR FAILS TO OPEN MAN. ISOL. VALVE   1.00E-01  1.00E-01
CXVXXX2D  2-CW-P-2B MAN. ISOL. VALVE FAILS TO OPEN  1.00E-04  1.00E-04
CXVXXX2X  OPERATOR FAILS TO OPEN MAN. ISOL. VALVE   1.00E-01  1.00E-01
E41601GF  4160V BUS 1G FAULTS                       3.60E-05  8.40E-05
E41602GF  4160V BUS 2G FAULTS                       3.60E-05  8.40E-05
EBSEM1HF  4160 BUS 1H FAULTS                        3.60E-05  8.40E-05
EBSEM1JF  4160V BUS 1J FAULTS                       3.60E-05  8.40E-05
EBSEM2HF  4160V BUS 2H FAULTS                       3.60E-05  8.40E-05
EBSEM2JF  4160V BUS 2J FAULTS                       3.60E-05  8.40E-05
EDGEM1HA  DIESEL GEN. 1H FAILS TO START             2.50E-02  2.50E-02
EDGEM1HF  DIESEL GEN. 1H FAILS TO RUN               3.60E-02  3.60E-02
EDGEM1HM  DIESEL GEN. 1H IN MAINTENANCE             1.10E-02  1.10E-02
EDGEM1JA  DIESEL GEN. 1J FAILS TO START             2.50E-02  2.50E-02
EDGEM1JF  DIESEL GEN. 1J FAILS TO RUN               3.60E-02  3.60E-02
EDGEM1JM  DIESEL GEN. 1J IN MAINTENANCE             1.10E-02  1.10E-02
EDGEM2HA  DIESEL GEN. 2H FAILS TO START             2.50E-02  2.50E-02
EDGEM2HF  DIESEL GEN. 2H FAILS TO RUN               3.60E-02  3.60E-02
EDGEM2HM  DIESEL GEN. 2H IN MAINTENANCE             1.10E-02  1.10E-02
EDGEM2JA  DIESEL GEN. 2J FAILS TO START             2.50E-02  2.50E-02
EDGEM2JF  DIESEL GEN. 2J FAILS TO RUN               3.60E-02  3.60E-02
EDGEM2JM  DIESEL GEN. 2J IN MAINTENANCE             1.10E-02  1.10E-02
EDGEMCMF  DIESEL GEN. COMMON MODE FAILURE           2.00E-03  2.00E-03
EIASTPWF  LOSS OF OFFSITE POWER                     0.00E-00  0.00E-00
ELOSTPWF  LOSS OF OFFSITE POWER (LOSP CASES ONLY)   1.00E-00  1.00E-00
SAV102AF  TCV-SW-102A FAILS TO OPERATE              7.00E-04  7.00E-04
SAV102BF  TCV-SW-102B FAILS TO OPERATE              7.00E-04  7.00E-04
SAV102CF  TCV-SW-102C FAILS TO OPERATE              7.00E-04  7.00E-04
SCMAIRSF  COMPRESSED AIR SYSTEM FAILURE             1.70E-02  3.90E-02
SCV1SW3K  1-SW-P-1A DISCH CHECK VLV FAILS TO CLOSE  1.00E-04  1.00E-04

SCV1W10D  1-SW-P-1B DISCH CHECK VLV FAILS TO OPEN   1.00E-04  1.00E-04
SCV1W22D  1-SW-P-4 DISCH CHECK VLV FAILS TO OPEN    1.00E-04  1.00E-04
SCV1W63D  1-SW-P-2 DISCH CHECK VLV FAILS TO OPEN    9.00E-04  2.10E-03
SCV2SW3K  2-SW-P-1A DISCH CHECK VLV FAILS TO CLOSE  1.00E-04  1.00E-04
SCV2W10D  2-SW-P-1B DISCH CHECK VLV FAILS TO OPEN   1.00E-04  1.00E-04
SCV2W24D  2-SW-P-4 DISCH CHECK VLV FAILS TO OPEN    1.00E-04  1.00E-04
SCV2W28D  2-SW-P-2 DISCH CHECK VLV FAILS TO OPEN    9.00E-04  2.10E-03
SCVW114D  CHECK VALVE 1-SW-114 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW116D  CHECK VALVE 1-SW-116 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW120D  CHECK VALVE 1-SW-120 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW130D  CHECK VALVE 1-SW-130 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW140D  CHECK VALVE 1-SW-140 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW150D  CHECK VALVE 1-SW-150 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW630D  CHECK VALVE 1-SW-630 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW631D  CHECK VALVE 1-SW-631 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW641D  CHECK VALVE 1-SW-641 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW644D  CHECK VALVE 1-SW-644 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW647D  CHECK VALVE 1-SW-647 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW648D  CHECK VALVE 1-SW-648 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW658D  CHECK VALVE 1-SW-658 FAILS TO OPEN        1.00E-04  1.00E-04
SCVW661D  CHECK VALVE 1-SW-661 FAILS TO OPEN        1.00E-04  1.00E-04
SISOVLAF  VALVES FAIL TO OPERATE TO ISOL RUPTURE A  4.00E-03  4.00E-03
SISOVLBF  VALVES FAIL TO OPERATE TO ISOL RUPTURE B  4.00E-03  4.00E-03
SLCOBRCA  BRANCH LINE HEADER A INOPERABLE           0.00E-00  0.00E-00
SLCOBRCB  BRANCH LINE HEADER B INOPERABLE           0.00E-00  0.00E-00
SLCOHDRA  LCO HEADER A                              0.00E-00  0.00E-00
SLCOHDRB  LCO HEADER B                              0.00E-00  0.00E-00
SMV100AP  RETURN A MOV-SW100A PLUGGED               2.90E-05  6.70E-05
SMV100BP  RETURN B MOV-SW100B PLUGGED               2.90E-05  6.70E-05
SMV101AD  MOV-SW101A FAILS TO OPERATE               1.00E-02  1.00E-02
SMV101AP  MOV-SW101A PLUGGED                        2.90E-05  6.70E-05
SMV101BD  MOV-SW101B FAILS TO OPERATE               1.00E-02  1.00E-02
SMV101BP  MOV-SW101B PLUGGED                        2.90E-05  6.70E-05
SMV101CD  MOV-SW101C FAILS TO OPERATE               1.00E-02  1.00E-02
SMV101CP  MOV-SW101C PLUGGED                        2.90E-05  6.70E-05
SMV101DD  MOV-SW101D FAILS TO OPERATE               1.00E-02  1.00E-02
SMV101DP  MOV-SW101D PLUGGED                        2.90E-05  6.70E-05
SMV102AP  MOV-SW102A PLUGGED                        2.90E-05  6.70E-05
SMV102BP  MOV-SW102B PLUGGED                        2.90E-05  6.70E-05
SMV103AP  MOV-SW103A PLUGGED                        2.90E-05  6.70E-05
SMV103BP  MOV-SW103B PLUGGED                        2.90E-05  6.70E-05
SMV103CP  MOV-SW103C PLUGGED                        2.90E-05  6.70E-05
SMV103DP  MOV-SW103D PLUGGED                        2.90E-05  6.70E-05
SMV104AP  MOV-SW104A PLUGGED                        2.90E-05  6.70E-05
SMV104BP  MOV-SW104B PLUGGED                        2.90E-05  6.70E-05
SMV104CP  MOV-SW104C PLUGGED                        2.90E-05  6.70E-05
SMV104DP  MOV-SW104D PLUGGED                        2.90E-05  6.70E-05

SMV105AD  MOV-SW105A FAILS TO OPERATE               1.00E-02  1.00E-02
SMV105AP  MOV-SW105A PLUGGED                        2.90E-05  6.70E-05
SMV105BD  MOV-SW105B FAILS TO OPERATE               1.00E-02  1.00E-02
SMV105BP  MOV-SW105B PLUGGED                        2.90E-05  6.70E-05
SMV105CD  MOV-SW105C FAILS TO OPERATE               1.00E-02  1.00E-02
SMV105CP  MOV-SW105C PLUGGED                        2.90E-05  6.70E-05
SMV105DD  MOV-SW105D FAILS TO OPERATE               1.00E-02  1.00E-02
SMV105DP  MOV-SW105D PLUGGED                        2.90E-05  6.70E-05
SMV106AP  MOV-SW106A PLUGGED                        2.90E-05  6.70E-05
SMV106BP  MOV-SW106B PLUGGED                        2.90E-05  6.70E-05
SMV108AP  MOV-SW108A PLUGGED                        2.90E-05  6.70E-05
SMV108BP  MOV-SW108B PLUGGED                        2.90E-05  6.70E-05
SMV115AD  MOV-SW115A FAILS TO OPEN                  1.00E-02  1.00E-02
SMV115AP  MOV-SW115A PLUGGED                        2.90E-05  6.70E-05
SMV115BD  MOV-SW115B FAILS TO OPEN                  1.00E-02  3.00E-02
SMV115BP  MOV-SW115B PLUGGED                        2.90E-05  6.70E-05
SMV200AP  MOV-SW-200A PLUGGED                       2.90E-05  6.70E-05
SMV200BP  MOV-SW-200B PLUGGED                       2.90E-05  6.70E-05
SMV208AP  MOV-SW208A PLUGGED                        2.90E-05  6.70E-05
SMV208BP  MOV-SW208B PLUGGED                        2.90E-05  6.70E-05
SMV215AD  MOV-SW215A FAILS TO OPEN                  1.00E-02  1.00E-02
SMV215AP  MOV-SW215A PLUGGED                        2.90E-05  6.70E-05
SMV215BD  MOV-SW215B FAILS TO OPEN                  1.00E-02  1.00E-02
SMV215BP  MOV-SW215B PLUGGED                        2.90E-05  6.70E-05
SMVAUTOF  AUTOMATIC INITIATION FAILS                0.00E-00  0.00E-00
SMVW117D  MOV-SW117 FAILS TO OPEN                   1.00E-02  1.00E-02
SMVW117P  MOV-SW117 PLUGGED                         2.90E-05  6.70E-05
SMVW118D  MOV-SW118 FAILS TO OPEN                   1.00E-02  1.00E-02
SMVW118P  MOV-SW118 PLUGGED                         2.90E-05  6.70E-05
SMVW217D  MOV-SW217 FAILS TO OPEN                   1.00E-02  1.00E-02
SMVW217P  MOV-SW217 PLUGGED                         2.90E-05  6.70E-05
SPPISOAR  ISOLATABLE RUPTURE HEADER A               8.20E-06  1.90E-05
SPPISOAX  OPERATOR FAILS TO ISOL. RUPTURE-HDR. A    1.00E-01  1.00E-01
SPPISOBR  ISOLATABLE RUPTURE HEADER B               8.20E-06  1.90E-05
SPPISOBX  OPERATOR FAILS TO ISOL. RUPTURE-HDR. B    1.00E-01  1.00E-01
SPPNISAR  NON-ISOLATABLE RUPTURE HEADER A           8.20E-07  1.90E-06
SPPNISBR  NON-ISOLATABLE RUPTURE HEADER B           8.20E-07  1.90E-06
SPU1SW2A  1-SW-P-2 FAILS TO START                   1.80E-02  4.20E-02
SPU1SW2F  1-SW-P-2 FAILS TO RUN                     4.50E-05  6.50E-05
SPU1SW4A  1-SW-P-4 FAILS TO START                   1.10E-03  1.10E-03
SPU1SW4F  1-SW-P-4 FAILS TO RUN                     1.70E-04  4.00E-04
SPU1SW4M  1-SW-P-4 IN MAINTENANCE                   6.40E-02  6.40E-02
SPU1SW4P  1-SW-P-4 SUCTION BLOCKED                  7.20E-05  1.70E-04
SPU1W1AF  1-SW-P-1A FAILS TO RUN                    1.70E-04  4.00E-04
SPU1W1AM  1-SW-P-1A IN MAINTENANCE                  1.00E-01  1.00E-01
SPU1W1AP  1-SW-P-1A SUCTION BLOCKED                 7.20E-05  1.70E-04
SPU1W1BA  1-SW-P-1B FAILS TO START                  1.10E-03  1.10E-03

SPU1W1BF  1-SW-P-1B FAILS TO RUN                    1.70E-04  4.00E-04
SPU1W1BM  1-SW-P-1B IN MAINTENANCE                  1.00E-01  1.00E-01
SPU1W1BP  1-SW-P-1B SUCTION BLOCKED                 7.20E-05  1.70E-04
SPU2SW2A  2-SW-P-2 FAILS TO START                   1.80E-02  4.20E-02
SPU2SW2F  2-SW-P-2 FAILS TO RUN                     4.50E-05  6.50E-05
SPU2SW4A  2-SW-P-4 FAILS TO START                   1.10E-03  1.10E-03
SPU2SW4F  2-SW-P-4 FAILS TO RUN                     1.70E-04  4.00E-04
SPU2SW4M  2-SW-P-4 IN MAINTENANCE                   6.40E-02  6.40E-02
SPU2SW4P  2-SW-P-4 SUCTION BLOCKED                  7.20E-05  1.70E-04
SPU2W1AF  2-SW-P-1A FAILS TO RUN                    1.70E-04  4.00E-04
SPU2W1AM  2-SW-P-1A IN MAINTENANCE                  1.00E-01  1.00E-01
SPU2W1AP  2-SW-P-1A SUCTION BLOCKED                 7.20E-05  1.70E-04
SPU2W1BA  2-SW-P-1B FAILS TO START                  1.10E-03  1.10E-03
SPU2W1BF  2-SW-P-1B FAILS TO RUN                    1.70E-04  4.00E-04
SPU2W1BM  2-SW-P-1B IN MAINTENANCE                  1.00E-01  1.00E-01
SPU2W1BP  2-SW-P-1B SUCTION BLOCKED                 7.20E-05  1.70E-04
SPUAXCMF  AUX. PUMPS COMMON MODE FAILURE            6.10E-05  6.10E-05
SPUMAINX  OPERATOR FAILS TO START PUMP-MAINTENANCE  1.00E-05  1.00E-05
SPUSTRTX  OPERATOR FAILS TO START PUMP-FAILURE      2.00E-03  2.00E
SPUSTRTX  AUTO. STRT OF PUMP FAILS (RECSPRY CASES)  2.20E-04  5.00E-04
SPUSWCMF  SERVICE WATER PUMPS COMMON MODE FAILURE   2.40E-05  2.40E-05
SRESEVRX  OPERATOR DRAINS RESERVOIR                 0.00E-00  0.00E-00
SRSLVLLO  RESERVOIR LEVEL LOW                       0.00E-00  0.00E-00
SRSMKUPX  OPERATOR FAILS TO PROV. MAKEUP TO RESERV  1.00E-01  1.00E-01
STV1S1AA  TRAV. SCREEN 1-SW-S-1A FAILS TO START     9.90E-04  2.30E-03
STV1S1AF  TRAV. SCREEN 1-SW-S-1A FAILS TO RUN       5.40E-04  7.80E-04
STV1S1BA  TRAV. SCREEN 1-SW-S-1B FAILS TO START     9.90E-04  2.30E-03
STV1S1BF  TRAV. SCREEN 1-SW-S-1B FAILS TO RUN       5.40E-04  7.80E-04
STV2S1AA  TRAV. SCREEN 2-SW-S-1A FAILS TO START     9.90E-04  2.30E-03
STV2S1AF  TRAV. SCREEN 2-SW-S-1A FAILS TO RUN       5.40E-04  7.80E-04
STV2S1BA  TRAV. SCREEN 2-SW-S-1B FAILS TO START     9.90E-04  2.30E-03
STV2S1BF  TRAV. SCREEN 2-SW-S-1B FAILS TO RUN       5.40E-04  7.80E-04
SXV1SW4D  MAN. VALVE 1-SW-4 FAILS TO OPEN           1.00E-04  1.00E-04
SXV1SW4X  OPERATOR FAILS TO OPEN MAN. VALVE 1-SW-4  4.00E-03  4.00E-03
SXV1SW6E  OPERATOR MISALIGNED MAN. VALVE 1-SW-6     0.00E-00  0.00E-00
SXV1W11E  OPERATOR MISALIGNED MANUAL VALVE 1-SW-11  0.00E-00  0.00E-00
SXV1W13D  MAN. VALVE 1-SW-13 FAILS TO OPEN          1.00E-04  1.00E-04
SXV1W13X  OPERATOR FAILS TO OPEN MAN. VLV. 1-SW-13  4.00E-03  4.00E-03
SXV2SW4E  OPERATOR MISALIGNED MANUAL VALVE 2-SW-4   0.00E-00  0.00E-00
SXV2SW6D  MAN. VALVE 2-SW-6 FAILS TO OPEN           1.00E-04  1.00E-04
SXV2SW6X  OPERATOR FAILS TO OPEN MAN. VLV. 2-SW-6   4.00E-03  4.00E-03
SXV2W11D  MAN. VALVE 2-SW-11 FAILS TO OPEN          1.00E-04  1.00E-04
SXV2W11X  OPERATOR FAILS TO OPEN MAN. VLV. 2-SW-11  4.00E-03  4.00E-03
SXV2W13E  OPERATOR MISALIGNED MAN. VLV. 2-SW-13     0.00E-00  0.00E-00
SXVW176E  OPERATOR MISALIGNS VLV. 1-SW-176          1.20E-04  1.20E-04
SXVW177D  MAN. VALVE 1-SW-177 FAILS TO OPEN         1.00E-04  1.00E-04
SXVW177X  OPERATOR FAILS TO OPEN VLV. 1-SW-177      4.00E-03  4.00E-03

I FAILURE DATA FOR SW FAULT TREE BASIC EVENTS l BASIC DESCRIPTION FAILURE FAILURE ! EVENT _ PROB. PROB.

EVENT     DESCRIPTION                             72 HR     168 HR

SXVW184D  MAN. VALVE 1-SW-184 FAILS TO OPEN       1.00E-04  1.00E-04
SXVW184X  OPERATOR FAILS TO OPEN VLV. 1-SW-184    4.00E-03  4.00E-03
SXVW185D  MAN. VALVE 1-SW-185 FAILS TO OPEN       1.00E-04  1.00E-04
SXVW185X  OPERATOR FAILS TO OPEN VLV. 1-SW-185    4.00E-03  4.00E-03
SXVW186D  MAN. VALVE 1-SW-186 FAILS TO OPEN       1.00E-04  1.00E-04
SXVW186X  OPERATOR FAILS TO OPEN VLV. 1-SW-186    4.00E-03  4.00E-03
SXVW195D  MAN. VALVE 1-SW-195 FAILS TO OPEN       1.00E-04  1.00E-04
SXVW195X  OPERATOR FAILS TO OPEN VLV. 1-SW-195    4.00E-03  4.00E-03
SXVW222D  MAN. VALVE 1-SW-222 FAILS TO OPEN       1.00E-04  1.00E-04
SXVW222X  OPERATOR FAILS TO OPEN VALVE 1-SW-222   4.00E-03  4.00E-03
SXVW231D  MAN. VALVE 1-SW-231 FAILS TO OPEN       1.00E-04  1.00E-04
SXVW231X  OPERATOR FAILS TO OPEN VALVE 1-SW-231   4.00E-03  4.00E-03
SXVW232D  MAN. VALVE 1-SW-232 FAILS TO OPEN       1.00E-04  1.00E-04
SXVW232X  OPERATOR FAILS TO OPEN VLV. 1-SW-232    4.00E-03  4.00E-03
SXVW233E  OPERATOR MISALIGNED MAN. VLV. 1-SW-233  1.20E-04  1.20E-04
SXVW240D  MAN. VALVE 1-SW-240 FAILS TO OPEN       1.00E-04  1.00E-04
SXVW240X  OPERATOR FAILS TO OPEN VLV. 1-SW-240    4.00E-03  4.00E-03
SXVW241D  MAN. VALVE 1-SW-241 FAILS TO OPEN       1.00E-04  1.00E-04
SXVW241X  OPERATOR FAILS TO OPEN VLV. 1-SW-241    4.00E-03  4.00E
SXVW308D  MAN. VALVE FAILS TO OPEN                1.00E-04  1.00E-04
SXVW308X  OPERATOR FAILS TO OPEN MAN. VALVE       1.00E-01  1.00E-01
SXVW634E  OPER. MISALIGNED MANUAL VALVE 1-SW-634  1.20E-04  1.20E-04
SXVW635E  OPER. MISALIGNED MANUAL VALVE 1-SW-635  1.20E-04  1.20E-04
SXVW636E  OPER. MISALIGNED MANUAL VALVE 1-SW-636  1.20E-04  1.20E-04
SXVW637E  OPER. MISALIGNED MANUAL VALVE 1-SW-637  1.20E-04  1.20E-04
SXVW639E  OPER. MISALIGNED MANUAL VALVE 1-SW-639  1.20E-04  1.20E-04
SXVW642E  OPER. MISALIGNED MANUAL VALVE 1-SW-642  1.20E-04  1.20E-04
SXVW643E  OPER. MISALIGNED MANUAL VALVE 1-SW-643  1.20E-04  1.20E-04
SXVW645E  OPER. MISALIGNED MANUAL VALVE 1-SW-645  1.20E-04  1.20E-04
SXVW646E  OPER. MISALIGNED MANUAL VALVE 1-SW-646  1.20E-04  1.20E-04
SXVW651E  OPER. MISALIGNED MANUAL VALVE 1-SW-651  1.20E-04  1.20E-04
SXVW652E  OPER. MISALIGNED MANUAL VALVE 1-SW-652  1.20E-04  1.20E-04
SXVW653E  OPER. MISALIGNED MANUAL VALVE 1-SW-653  1.20E-04  1.20E-04
SXVW654E  OPER. MISALIGNED MANUAL VALVE 1-SW-654  1.20E-04  1.20E-04
SXVW65CE  OPER. MISALIGNED MANUAL VALVE 1-SW-356  1.20E-04  1.20E-04
SXVW659E  OPER. MISALIGNED MANUAL VALVE 1-SW-659  1.20E-04  1.20E-04
SXVW660E  OPER. MISALIGNED MANUAL VALVE 1-SW-660  1.20E-04  1.20E-04
SXVW669E  OPER. MISALIGNED MANUAL VALVE 1-SW-669  1.20E-04  1.20E-04
SXVW670E  OPER. MISALIGNED MANUAL VALVE 1-SW-670  1.20E-04  1.20E-04

Question 9 (b)

The appearance of this same cutset in the various cases does not seem to be consistent. It does not appear in case 1B but does appear in a very similar case, 38, and does appear in case 40, which is based on only one main service water pump in maintenance at any time.

Answer

A detailed review of the original computer analyses reveals that this cutset is included in Case 1B; however, due to an editing error, this cutset was inadvertently deleted from the table in Appendix F. The failure probability for Case 1B as reported in the final report does include the value for this cutset; therefore the numerical results are correct as reported.

Since the cutset listings in Appendix F are an edited version of the actual computer results, a detailed review of Appendix F was performed to ensure there were no other inconsistencies with the cutsets. This review revealed the following:

The cutset identified in 9 (a) was also inadvertently deleted from case 3D. Again, this deletion does not affect the numerical results.

For cases 4A, 5A, and F5C, the following cutsets should have been deleted from the tables.

Case 4A - Cutsets 15, 16, 17, 18
Case 5A - Cutsets 5, 6, 7, 8
Case F5C - Cutset 50

These cutsets were deleted in the analysis because they modeled an operator placing a service water pump in maintenance given that the alternate pump failed to start, which is not considered a credible event. The changes to the tables are simply an editing change and are not reflected in the numerical results presented in the final report.

In conclusion, there exist some editorial errors (identified above) in the tables contained in Appendix F that occurred in translating the computer analyses to the final report. These errors do not affect the results reported in the final report.

Question 9 (c)

Most of the cutsets in the Appendix F case include events that do not lead to system failure, i.e., pumps or diesel generators not in maintenance. This does not conform to the definition of minimal cutsets, which requires that only those events that contribute to system failure be included in a minimal cutset.

Answer

The response to this question is contained in the answer to question 1 (b) and 1 (d).

Question 10

If the re-analysis of the service water system reliability based on the staff comments outlined above results in a significant decrease in reliability when the outage of a main service water header is extended to 168 hours (including the assumption of decreasing the number of main service water pumps in maintenance at any one time to one pump), the following issues will need to be addressed:

a) Evaluate the effect this decreased SWS reliability will have on the core melt frequency and the ability of the containment to perform its function.

b) Discuss from a qualitative standpoint the benefits that will be obtained from the long term increase in service water system reliability relative to the short term increase in plant risk.

Answer

Justification has been provided for the fault tree modeling and assumptions used in the North Anna Service Water System Probabilistic Safety Assessment. No re-analysis was required based on the staff comments as outlined in Questions 1-9 above. The reliability analysis has shown that there will be no decrease in reliability when the time that one of the redundant service water headers is allowed to be inoperable is extended to 168 hours. This conclusion is based on the assumption of decreasing the number of main service water pumps in maintenance at any one time during the extended header outage to one pump.

83r629RMB073}}