ML20150F344
| ML20150F344 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 03/31/1988 |
| From: | Gore B, Harris M, Vo T Battelle Memorial Institute, PACIFIC NORTHWEST NATION |
| To: | NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION I) |
| References | |
| CON-FIN-B-2602 NUREG-CR-5058, PNL-6394, TAC-M66591, NUDOCS 8804050160 | |
| Download: ML20150F344 (74) | |
Text
'
i NUREG/CR-5058 PNL-6394
'd PRA Applications Program for Inspection at Arkansas Nuclear One Unit 1
Prepared by T.V. Vo, M.S. Harris, B.F. Gore Pacific Northwest Laboratory Operated by Battelle Memorial Institute Prepared for U.S. Nuclear Regulatory Commission ggaaBM BiBMk
.. = _. - _
v q
~
NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government, Neither the United States Government not any agency thereof, or any of their employees, reakes any warranty, expressed or implied, or assumes any legal liability of re, sponsibility for any third party's use,'or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.
NOTICE Availabihty of Reference Materials Cited in NRC Publications Most documents cited in NRC' publications will be available from one of the following sources:
- 1. The NRC Public Document Room,1717 H Street, N.W.
Washington, DC 20555
- 2. The Superintendent of Documents U.S. Government Printing Oflice, Post Of fice Dos 37082, Washington, DC 20013 7082
- 3. The National Techrucal Information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC pubhcations.
it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Docu.
ment Room include NRC correspondence and inter ul NRC memoranda: NRC Of fice of Inspectior-and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and beensee documents and coreespondence.
The following documeats in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of federal Regulations, end Nuclear Regulatory Commission Issuances.
8 Documents available from the National Technics' information Service include NUREG series reports and technical reports prepared by other fedo i agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Regelfer notices, f ederal and state legislation, and congressional reports can usually be obtained from these libraries.
Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organitation sponsoring the publication cited.
Singte copies of NRC draft reports are available irce, to the extent of supply, upon written ll request to the Division of information Support Services, Distribution Section, U S. Nuclear i
Regulatory Commission, Washington, DC 20555.
Copies of industry codes and standards used in a substantive manner m the NRC regulatory process s
are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the pubhc. Codes and standJrds are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute,1430 Broadway, New York, NY 10018.
l l
l
..~.
_. _.,._ _.... _ _ _ ~ _..
NUREG/CR-5058 PNL-6394 PRA Applications Program for I:.3pection at Arkansas Nuclear One Unit 1 Manuscript Completed: January 1988 Date Publishedf March 1988 Prepared by T.V. Vo, M.S. Harris, B.F. Gore Pacific Northwest Laboratory Richland, WA 99352 Prepared for Division of Reactor Projects Region i U.S. Nuclear Regulatory Commission King of Prussia, PA 19406 NRC FIN B2602
ABSTRACT The level one PRA for ANO-1 has been analyzed to identify plant systems and components important to minimizing public risk, as measured by system contributions to plant core melt frequency, and to identify the primary failure modes of these components.
This information has been tabulated, and correlated with inspection modules from the NRC Inspection and Enforcement Manual.
The report presents a series of tables, organized by system and prioritized by risk importance, which identify components associated with 98% of the inspectable risk due to plant operation.
The systems addressed, in descending order of risk importance, are: DC Power, High Pressure Injection, Low Pressure Injection, Service Water, Reactor Protection, Emergency Feedwater, Vital AC Power, Safety Relief Valves, Main Faadwater, and Emergency Feedwater Initiation and Control. This ranking is based on the Fussel-Vesely measure of risk importance, i.e., the fraction of the total core melt frequency which involves failures of the system af interest.
I i i i i
r--.,
s.,-c,
- -w w w v-+--wt---r--vm a+e-e re sr-e wy~g------c=
w e-w+mse vw+
e~*
'e te-+-w-
-w-
~e-e 5
- < ev
=-*es m-
--=n--
SUMMARY
The PRA Applications Program for inspection at ANO-1 was performed for the NRC at Pacific Northwest Laboratory.
This program applies a previously developed methodology to identify and present information which is useful for the planning and performance of powerplant inspections.
The level one PRA for ANO-1 (Kolb et al.1982) has been analyzed to identify plant systems and components important to minimizing public risk, as measured by system contributions to plant core melt frequency.
This information has been tabulated and correlated with inspection modules from the NRC Inspection and Enforcement Manual (NRC 1984) which are used by inspectors in the planning and performance of inspections.
The body of this report consists of a series of tables, organized by system and prioritized by risk importance, which identify components associated with 98% of the core melt probability resulting from plant operation.
Following a section describing important accident initiators and sequences identified in the PRA, tabulations are presented for ten systems. These system tables are ordered by system risk importance, as measured by the fraction of the total core melt probability associated with failures of each system.
Three tables are presented for each system.
The first table presents the failure modes identified in the PRA for each important system component.
The second table correlates each component with the IE inspection modules most related to ensuring component reliability.
The third table provides a modified system check off list identifying the proper line-up of each component during normal operation.
The tabulations wre developed by the following analysis procedure.
- First, the plant systems were ordered according to system risk importance.
To accomplish this, the dominant cut sets representing more than 98% of the core melt probability were listed, and the fraci. ion of the total core melt probability which involved failures of components from each system was calculated [this is the Fussel-Vesely Importance measura (Henley 1981)].
Systems were then selected from the ordered list until aore than 98% of the core melt probability was accounted for. Second, for each selected system, the fault tree from the PRA was reanalyzed to rank system components according to their importance to system failure.
For each system, components were selected for inclusion in the tabulations until more than 95% of the system failure probability had been addressed.
The tables thus present, in decreasing order of system importance, the failure modes, applicable inspection modules, and a check off list of normal operational state for all components associated with 98% of the core melt probability associated with plant operation.
This information allows an inspector to readily identify important systems and components when developing an inspection, plan, and when walking down systems in the plant.
The information presented in this document allows an inspector to concentrate his efforts on systems important to the prevention of core melt.
v
b However, it is essential that inspections not focus exclusively on these i
systems. Other systems which perform essential safety functions, but are absent from the tables because of high reliability and redundancy, must also be addressed to ensure that their importance is not increased by allowing their reliability to decrease. A balanced inspection program is essential.
This information represents but one of the many tools to be used by experienced inspectors, i
vi
CONTENTS ABSTRACT..............................................................
iii
SUMMARY
............................................................... v ACKNOWLEDGEMENTS......................................................
ix
1.0 INTRODUCTION
1.1 2.0 ANALYSIS OF THE ANO-1 PRA........................................ 2.1 2.1 CALCULATION OF SYSTEM IMPORTANCES........................... 2.1 2.2 CALCULATION OF COMPONENT IMPORTANCES........................ 2.2 2.3 PR E PA RAT ION O F TAB L ES....................................... 2.3
2.4 CONCLUSION
S AND RECOMMENDATIONS............................. 2.4 3.0 IMPORTANT ACCIDENT INITIATORS AND SEQUENCES......................
3.1
- 3.1 VERY SMALL LOCA.............................................
3.2 3.2 SMALL LOCA..................................................
3.2 3.3 MEDIUM LOCA.................................................
3.2 3.4 LOSS OF 0FFSITE POWER.......................................
3.2 3.5 POWER CONVERSION SYSTEM UPSET...............................
3.3 3.6 REACTOR TRIP WITH ALL FRONT LINE SYSTEMS AVAILABLE..........
3.3 4.0 SYSTEM INSPECTION PLANS..........................................
4.1 4.1 DC POWER SYSTEM............................................. 4.2 4.2 HIGH PRESSURE INJECTION SYSTEM.............................. 4.8 i
4.3 LOW PRESSURE INJECTION SYSTEM............................... 4.13 4.4 SERVICE WATER SYSTEM........................................ 4.19 4.5 REACTOR PROTECTION SYSTEM................................... 4.24 4.6 EMERGENCY FEEDWATER SYSTEM.................................. 4.27 4.7 CLASS 1E AC POWER SYSTEM.................................... 4.32 4.8 SAFETY RELIEF VALVE SYSTEM.................................. 4.36 vii
-. - - _.. - _ ~..
- -. ~.
CONTENTS (contd) 4.9 POWER CONVERSION SYSTEM..................................... 4.39 4.10 EMERGENCY FEE 0 WATER INITIATION AND CONTROL SYSTEM........... 4.42 REFERENCES............................................................
R.1 i
viii
\\
1 1
ACKNOWLEDGMENTS Thanks are extended to Dave Campbell and Randy Kirchner of JBF Associates, Inc., for information which they provided concerning the effects of plant modifications made since the PRA for AN0-1 was performed.
This information was developed during their work on a plant-specific version of the interactive PRA analysis code PRISIM.
They used the ANO-1 PRA as a starting point, but modified the analysis somewhat as a result of extensive on-site studies.
They provided us with modified system fault trees and revised availability data developed in their work, which we used in our analysis to ensure that our results are as up to date as possible.
Thanks are also extended to our Project Manager from NRC Region 1, Bernie Hillman, for inviting us to join the ongoing program to which this analysis contributes. We also wish to thank our colleagues at Brookhaven National Laboratory and at the Idaho National Engineering Laboratory for many discussions.
In particular, we thank Ron Wright of INEL for providing us with a version of the IRRAS fault tree analysis code specially adapted for use on an IBM /PC.
t ix
1.0 INTRODUCTION
This work was performed for the U.S. Nuclear Regulatory Commission (NRC) as part of an extensive program to develop information based on probabilistic risk analyses (PRAs) for use in the planning and performance of nuclear powerplant inspections. Due to the broad scope of this program, project work has been divided among three national laboratories, each of which concentrates upon a particular reactor type.
Thus, Brookhaven National Laboratory analyzes plants powered by boiling water reactors (BWRs), and at Idaho National Engineering Laboratory analyzes pressurized water reactor plants (PWRs) built by Westinghouse.
Pacific Northwest Laboratory (PNL) analyzes PWRs from both Babcock and Wilcox and Combustion Engineering, due to the smaller number of plants from these vendors.
In this particular project, information from the Arkansas Nuclear One Unit 1 (ANO-1) PRA (Kolb et al.1982) has been used to identify plant systems and components important to minimizing the probability of core melt, and to identify failure modes for these components.
This information has been tabulated and correlated with inspection modules from the NRC Inspection and Enforcement (IE) Manual (USNRC 1984) which are used by inspectors in the planning and performance of inspections.
The body of this report consists of a series.of tables, organized by system and prioritized by system importance, which identify components associated with 98% of the plant core melt probability.
Previous studies in this program (Hinton and Wright 1986, Higgins 1986) have addressed how PRA-based information may be best incorporated into inspection planning, performance and evaluation.
The conclusion of this previous work was that the existing IE Manual provides a logical and effective framework for inspection planning.
This manual contains an extensive sequence of inspection procedures, or modules, addressing functional areas such as calibration, surveillance, maintenance, ESF system walkdown, etc.
It also contains a methodology for selecting inspection modules for performance, plus guidance on the frequency at which modules should be performed.
It was concluded that this manual should be retained as the general framework for inspection planning.
PRA-based information, which is necessarily plant specific, should be provided for each plant.
This information should then be used in the inspection planning process to help focus on areas where public risk is most sensitive to performance degradation.
The NRC program is, therefore, directed towards the preparation of a series of plant-specific appendices to the IE Manual which contain plant-specific information of a common type and safety significance.
These appendices are structured according to a common format.
Each appendix begins with a description of accident initiators and sequences important at the plant.
This is followed by a listing of plant systems associated with 98% of the plant core melt probability, which is ordered according to the importance of each system to plant damage.
For each system addressed, the components associated with 95% of the probability of system failure are identified and ranked according to importance.
Three tables are presented for each system.
1.1
f The first identifies the failure modes by which each component contributes to plant damage.
The second correlates each component with the IE inspection modules most related to ensuring component reliability.
The third provides a modified system check-off list identifying the proper line-up of each component during normal operation. The body of this report presents the plant-specific appendix developed for the ANO-1 plant.
It follows the format described above.
PRAs have been performed for less than one quarter of the nation's nuclear plants. Consequently, a significant aspect of the NRC program addresses the development of generic insights which may be utilized to guide inspection planning for plants without a PRA. As plant-specific appendices are developed the information is reviewed to identify dominant generic contributors to risk including:
initiating events, accident sequences, important systems and components, component failure modes, significant human errors, and common cause failures.
l The compilation of generic insights resulting from the analysis of PRAs indicates systems and components which may have risk importance at other plants.
For application to a specific site, plant-specific information must be used to evaluate the relevance and applicability of the generic insights.
For instance, important functions may be performed by different systems at different plants, or, systems may be either more vulnerable (single failure dependencies) or less vulnerable (redundancies) at different plants.
PNL has performed an analysis of the Rancho Seco plant (no PRA), using the results of PRAs for the ANO-1 and Oconee-3 plants, plus a detailed comparison of system designs at the three plants (Gore and Huenefeld 1987).
EG&G and Brookhaven are performing similar studies using generic insights and plant-specific information to address plants for which PRAs have been performed (Higgins et al.1987).
Future comparison of results from those studies with results obtained from analyzing the plant-specific PRAs will provide an indication of how effective this approach is in identifying important systems and components.
As was noted above, this document reports the results of a detailed analysis of the PRA performed for the ANO-1 plant.
It was not necessary to utilize generic insights in the performance of this analysis.
Rather, the results of this study will contribute to the database of generic information to be utilized in the analyses of plants which lack PRAs.
The analysis approach used in this study is discussed in the following Section 2.0.
The results of the analysis are presented in Sections 3.0 and 4.0, according to the above-described format for plant-specific appendices to the IE Manual.
l l
1.2
2.0 ANALYSIS OF THE ANO-1 PRA The analysis required three major steps to produce the tables presented in Section 4.
The first step was the calculation of risk importance for each system from information in the PRA. This was used to select systems to be analyzed for component importances. The second step was the re-analysis of system fault trees from the PRA to calculate component importances.
The third step was the correlation of components and their dominant failure modes with inspection modules relevant to maintaining component reliability.
These steps are discussed below.
2.1 CALCULATION OF SYSTEM IMPORTANCES The selection of systems for detailed fault tree analysis required that they be ranked according to an appropriate measure of risk.
The AN0-1 PRA is a level 1 PRA. Core melt probability is addressed in detail, with only a limited analysis of subsequent containment failure mechanisms, and radionuclide releases to the public. Consequently, for this study core melt frequency is used as the risk measure used to rank system importance.
The Fussel-Vesely (F-V) Importance measure (Henley 1981) applied to core melt frequency was selected as the specific risk measure used to rank systems and components.
The F-V Importance is the fraction of the total risk (core melt frequency) which results from failures involving the system or component of interest. Thus, high values of F-V Importance identify systems which are the greatest contributors to risk.
In addition, the increase in risk due to a given percentage increase in system failure probability is also highest for systems with highest F-V Importance values. Thus, this measure identifies not only the systems which are the greatest contributors to risk, but also those for which risk is most sensitive to performance degradation.
It is therefore the logical measure to use for ranking system importance for inspect;on attention, to ensure that safety performance is maintained.
Appendix C of the ANO-1 PRA presents a detailed listing of initiating events and cut set elements, and associated unavailabilities (both with and without recovery factors).
The dominant cut sets presented in the body of the PRA were selected from this list.
This listing of about 500 cut sets was analyzed to determine system importances.
Each element of each cut set was analyzed to determine what system was responsible for the root cause failure represented by the cut set element. Core melt frequencies associated with each cut set were input to a spread sheet data file (recovery factors from the PRA were included).
This file was then manipulated into system-based sub-files, each of which included data only from cut sets involving failures of components in a given system.
The F-V Importance of each system was then calculated by summing the sub-filea and dividing by the total from all of the cut sets.
One significant deviation from the results of the PRA was made in the system importance analysis.
This deviation resulted from changes made to the 2.1
r plant since performance of the PRA. At the time the PRA was performed, the loss of one vital AC or DC bus would trip the plant and fail the power conversion system.
Consequently, loss of any of these buses was an initiating event, which could lead to core melt via appropriate cut sets listed in the PRA.
Plant modifications made since the PRA was peformed removed the dependence of normal plant operations on the vital bus availability, such that loss of a vital bus no longer results in a trip of the reactor.
Consequently, vital bus loss should no longer be included as an initiating event in the PRA.
Since our objective was to develop iaformation that is as up to date as possible, it was decided to eliminate from the analysis all cut sets resulting from vital AC or DC bus loss initiators (initiators T(A3),
T(001) and T(002) in the PRA).
The obvious effect of climinating the electrical-transient initiated cut sets (about 100 cut sets) from the system importance calculations was to reduce the importance of the vital AC and DC power systems. However, in the PRA analysis the electrical upsets were also associated with a loss of the Main Feedwater System (MFW). Many of the climinated cut sets involved subsequent loss of Emer System (EFC)gency Feedwater (EFW) or failure of the Emergency Feedwater Contro
, followed by the opening of Safety Relief Valves (SRVs) and their failure to rescat.
This resulted in the calculation of lower importance values for the EFW, EFC and SRV systems than would have been calculated using the unmodified results of the PRA. The positions of these systems in the risk-prioritized ranking have therefore been lowered; however these systems have not been displaced from the list by this modification.
The systems tables in Section 3 are presented in order of calculated system importance. DC Power has the highest F-V Importance, primarily due to the high probability of a single cut set representing common mode failure of both station batteries following a loss of offsite power. High Pressure Injection (HPI) and low Pressure Injection (LPI) follow, with all three of these systems having an Importance exceeding 20%.
The Service Water System (SWS), Reactor Protection System (RPS), EFW System and Vital AC Power Systems follow, with importance values between 8% and 12%.
They are followed by the Safety Rt lef Valves, the Power Conversion System (PCS) and the EFC Systems, all of which have Importance values of 5% or less.
2.2 CALCULATION OF COMPONENT IMPORTANCES Construction of the tables presented in Section 4 of this report required the identification of components associated with at least 95% of the system failure probability for each of the systems selected for anlaysis.
This required a reanalysis of the fault trees presented in Appendix 8 of the PRA document to identify the components most important to system failure.
It was not possible to extract information with this degree of detail from the cut sets published in the PRA because, in general, the cut set elements were not basic events.
Instead, many contained "module" elements, which combined the effects of several possible failures causing the final result (i.e., failure 2.2
of a pump, or of its suction or discharge valves located in a single run of piping, any of which would prevent flow through the line).
For systems selected for analysis, the system fault trees were reanalyzed using the Integrated Reliability and Risk Analysis (IRRAS) computer code (Russel et al. 1987) run on an IBM-PC.
For all but six systems, the fault tree analyzed was that published in this PRA. However, modified fault trees were used for the HPI, LPI, SWS, EFW, AC, and EFIC systems in order to incorporate the effects of plant modifications made since the PRA was completed.
These fault trees had been modified during work to develop and apply the PRISIM interactive FRA analysis code (Kirchner et al.1986) at the ANO-1 plant.
They were provided by the authors of PRISIM through the courtesy of J.B.F. Associates, Inc.
Fault tree gates and component reliability data were input to the code and processed with an integrated fault tree analysis package.
IRRAS identified the dominant minimal cut sets, and quantified the fault trees by ordering cut sets by probability.
IRRAS also calculated the F-V Importance of both cut sets and of system component failures.
The calculated importance of the component failures was then used to select components for inclusion in the tables.
For all systems analyzed, components comprising more than 95% of the total component importance were selected for tabulation.
Considerable care was required in checking the input information supplied to IRRAS for analysis, because the code version available to us lacked error-diagnoctic capability to check that the input produced a coherent fault tree.
Thus, an input error could effectively remove a segment of a tree from analysis.
In addition to careful checking of input against the reference fault tree, calculated system and module event failure probabilities were subsequently compared against values published in the PRA.
Final values calculated agreed well with published values for all systems.
2.3 PREPARATION OF TABLES For each system, the components selected for inclusion in the tables were grouped according to type for discussion of failure modes (e.g., pump suction and discharge MOVs in parallel trains).
For many components, cut set elements indicated more than one failure mode (e.g., failure to operate, operator failure to initiate, inappropriate change of position).
These failure modes were grouped and discussed for each component type in the system failure mode identification tables.
The characteristics of each component were assessed to determine what types of inspection would be most appropriate for ensuring component reliability.
This information was then used to prepare a table for each system correlating each of the relevant IE inspection modules with components which should be addressed when the module is applied to the system.
This table also contained a cross correlation to the failure modes which would be minimized by the given type of inspection.
For instance, pump failure to start and run is addressed in modules for Surveillance, Operational Safety Verification, and ESF System 2.3 y
y
...y.
7---..-..-
-..-m,-
.w-
,-_._,m
Walkdown.
It is also addressed through the Maintenance module, in terms of minimizing unavailability due to maintenance scheduling and work.
For each system, an abbreviated system walkdown table was prepared addressing only the selected system components. This table identifies the normal operating state or position of each component determined to be risk significant from the PRA.
It was compiled using information from the PRA, and also from plant system descriptions, operator training information, and plant drawings.
In many cases it was possible to correlate and verify this information using system lineup tables from plant operating procedures.
In general, these tables are considerably shorter than lineup tables in procedures.
1 hey therefore allow an inspector with limited available system walkdown time to concentrate on risk-significant components, without concern that he may be overlooking something important.
2.4 CONCLUSION
S AND RECOMMENDATIONS In this project, we have identified the systems and components most important to public risk during operation of the ANO-1 powerplant.
They are identified in Tables 4.1 through 4.10.
Systems are addressed in the order of decreasing importance, as determined by the fraction of the total core melt frequency which involves the failure of each system.
This information has been developed from the PRA analysis of the ANO-1 plant (Kolb et al.1982).
An attempt has been made to incorporate the effects of plant changes made since performance of the PRA. Subsequent plant changes may require that these results be further updated.
The DC Power, HPI and LPI Systems are the most important systems for minimization of core damage. Systems of intermediate importance include the Service Water System, RPS, EFW and Vital AC Power Systems.
Lower importance systems include the Safety Relief Valves, Power Conversion (i.e., MFW) System and the Emergency Feedwater Control System.
The information in these tables allows an inspector to identify quickly the components most important to pubite risk--a combination of failure probability and of the consequences of the failure.
This infonnation allows him to direct his attention to these components preferentially.
In particular, by using the system walkdown tables he can rapidly review the line up of important system components on a routine basis. He may also use these tables when selecting systems for the performance or more detailed inspection activities, i
In using these tables, however, it is essential to remember that other systems are also important.
If, through inattention, the failure probabilities of other systems were allowed to increase significantly, their risk significance might exceed that of systems in the tables. Consequently, a balanced inspection program is essential to minimizing plant risk.
The tables allow an inspector to concentrate on systems of highest risk importance.
In so doing, however, he must maintain cognizance of the status of systems performing other essential safety functions, and ensure that their reliability is maintained.
2.4 1
3.0 IMPORTANT ACCIDENT INITIATORS AND SEQUENCES Two basic types of accident initiators are addressed in the PRA: Loss of Coolant Accidents (LOCAs), and transients. However, subsequent event sequences leading to core melt are not distinct, because each of the transient types addressed has the potential for inducing LOCA events.
Table 3.1 identifies the event types, and presents the core melt frequency per year of operation estimated in the PRA document for events of each type.
TABLE 3.1.
Initiating Event Categories Mean annual core-melt Initiating Events frequency very small (0.4" to 1.2" dia.)
1.0E-5 small (1.2" to 1.7" dia) 1.2E-6 medium (1.7" to 4.0" dia) 1.6E-6 Transients Loss of offsite power 1.1E-5 Power conversion system upset (MFW) 2.0E-6 Trip; all front line systems OK 3.8E-6 Table 3.1presentsonlytheinitiatingeventswychthePRAanalysis found to cause a core melt frequency greater than 10 per year. Other initiators were addressed in the PRA (e.g., large LOCA, loss of Service Water).
As was discussed in Section 2.0, transients initiated by loss of vital AC and DC buses were addressed in the PRA, but have not been included in this analysis.
Once again, the reason for this is that plant modifications made since the PRA was performed have removed loss of these vital buses from the category of initiating events (because they would not now result in reactor trip). For the unmodified plant, core melt frequencies for transients initiated by the vital bus loss events were similar in magnitude to the frequencies presented in Table 3.1 for other transient initiating events.
The following discussion presents the various types of event sequences identified in the PRA as most likely to lead to core melt following occurrence of these initiating events.
In several cases, there is more than one type of sequence which may lead to core melt following a given iattiating event.
3.1
3.1 VERY SMALL LOCA (0.4" to 1.2" dia.)
1.
The very small LOCA is followed by a loss of all HFi, resulting in core uncovery and melting.
The dominant HPI failure mode is operator failure to initiate the system. Other HPI system failure modes involve local faults of the HPI, LPI (pump suction) and SWS systems.
2.
The very small LOCA is followed by loss of EFW, and then by loss of HPI during operation in the recirculation mode.
EFW system failure modes are local system failures or failures of the EFIC control system.
The dominant HPI system failure mode is due to loss of Others are due to local faults in the LPI (pump cooling)by SWS.
suction, AC Power, and DC Power systems.
3.2 SMALL LOCA (1.2" to 1.7" dia.)
1.
The small LOCA is followed by loss of HPI during operation in the recirculation mode.
The dominant HPI system failure mode is failure of the operator to switch HPI pump suction from the BWST to the RB sump through the LPI system when the BWST is depleted. Other HPI failure modes involve local faults of the LPI (pump suction), SWS and AC Power systems.
3.3 MEDIUM LOCA (1.7" to 4.0" dia.)
1.
The medium LOCA is followed by loss of HPI during operation in the injection or recirculation mode.
The dominant HPI failure mode is failure of the operator to switch HPI pump suction from the BWST to the RB sump through the LPI system when the BWST is depleted. Other HPI failure modes involve local faults of the LPI (pump suction),
SWS, Pump Room Cooling and AC' Power systems.
3.4 LOSSOFOFFSITEPOWB 1.
Loss of offsite power fails MFW.
It is followed by loss of EFW, the opening and failure to reseat of one or more safety relief valves (transient induced LOCA), and the failure of one or more train of HPI.
EFV failure modes are local faults in the system or failure of the EFIC control system.
Failure modes for one train of HPI include local faults in the DC Power system (dominant), the AC Power system, or the SWS system.
2.
Loss of offsite power fails MFW.
It is followed by loss of EFW and loss of HPI.
The dominant failure mode is common mode failure of both station batteries (DC Power) which fails both EFW and HPI.
Important failure modes for failure of both trains of HPI include failure of both emergency diesel generators (AC Power) or local 3.2 4
faults in both trains of DC Local faults in one train of HPI or of LPI (pump suction) power.or of SWS (pump cooling), in combination with faults in the opposite train of AC or DC power are also important modes for total failure of HPI.
EFW failure modes are local faults in the system or failure of the EFIC control system.
3.5 POWER CONVERSION SYSTEM UPSET (MFW LOSS) 1.
MFW loss is followed by the opening and failure to rescat of one or more safety relief valves (transient-induced LOCA).
EFW may or may not fail, depending on the transient, and HPI fails.
If EFW fails, failure of one train of HPI leads to core melt. HPI failure modes include operator failure to switch suction to the RB sump through the LPI system on BWST depletion, and local faults in the HPI, LPI (pump suction), SWS and AC power systems.
EFW failure modes are local faults in the system or failure of the EFIC control system.
2.
MFW loss is followed by failure of the EFW and HPI systems.
EFW and HPI failure modes are as above.
3.6 REACTOR TRIP WITH ALL FRONT LINE SYSTEMS AVAILABLE 1.
Reactor trip is followed by the independent failure of MFW, the opening and failure to reseat of at least one SRV (transient induced LOCA), and failure of at least one train of HPI.
EFW may or may not fail, depending on the transient.
EFW failure modes are local faults in the system or failure of th EFIC control system.
HPI failure modes include local f aults in DC Power, AC Power, SWS and HPI system components, and operator failure to switch suction to the RB sump through the LPI system after BWST depletion.
2.
Reactor fails to trip on receipt of a valid trip signal, and HPI fails preventing reactor shutdown by borated water injection or makeup of primary coolant losses.
RPS system failure modes are double circuit breaker failures.
The dominant failure mode of the HPI system is operator failure to actuate it.
i 1
3.3 i
4.0 SYSTEM INSPECTION PLANS Tables are presented for each of the systems selected in the analysis which identify important system failure modes, IE modules applicable to the inspection of system components, and the required position of each important cor.ponent durir.g normal system operation (i.e., system walkdown checklist).
The systems are presented in decreasing order of risk importance,-and together comprise more than 98% of the public risk associated with plant operation.
t 4.1
4.1 DC POWER SYSTEM TABLE 4.1A.
DC POWER SYSTEM FAILVRE MODE IDENTIFICATION The DC system at ANO-1 f,rovides continuous power for control, instrumentation, reactor protection systems and engineered safeguards actuation systems, and emergency safeguard actuation control systems. As part of its function, the DC power system provides control power for the diesel generators for the emergency AC electrical system.
In addition, it powers the control valves in the emergency feedwater system and provides control power to the Emergency AC circuit breakers for the 4160 V switchgear, and 480 V load centers.
It also powers the inverters supplying the 120 V vital AC system.
Conditione that Lead to Failure i
1.
Failure of Battery Chargers 003, D04, or DOS Three battery chargers (003, 004, and 005) are supplied with two (003 and D04) serving as normal supplies to the DC buses with the associated battery floating on the bus.
The third battery charger (005) serves as a standby battery charger to either bus. Combined unavailability of battery chargers and battery sets can prevent DC power from being supplied to the DC buses.
Periodic testing, maintenance, and surveillance in accordance with Technical Specifications requirements will help maintain availability, as will attention to minimizing prolonged maintenance activities. Operator training and awareness of Emergency Operating Procedures will enhance the probability of recovery.
t 2.
Failure of Distribution Panels Dil and 021 4
Two distribution panels (011 and 021) are provided, supplying the DC j
instrumentation and control power for the plant.
Failures of these panels i
can prevent electrical power from being supplied to the respective loads.
Periodic testing, and maintenance should be observed and reviewed, and appropriate breaker lineups maintained.
3.
Failure of DC Buses 001 and 002 Two DC buses (001 and 002) are provided for vital instrumentation, distribution pancis, emergency lighting and motors.
Failures of these buses would usually be associated with subcomponent failures in the control i
circuit, or improper breaker positions for automatic operation.
Maintenance, surveillance, and system lineup should be observed and/or records of these activities should be reviewed, i
4.2
_______ ____~
TABLE 4.1A.
(continued) 4.
120 Volt Vital AC Distribution Panels RS1, RS2, RS3, and RS4 Unavailable The DC system powers four redundant 120 V vital AC distribution panels through inverters to supply power for nuclear instrumentation, reactor protection systems, engineered safeguard actuation systems and other vital loads.
Failure of these panels can fail these vital loads.
Maintenance and surveillance should maintain availability, and operator training and awareness will enhance the probability of recovery.
5.
Failure of 480 Volt Motor Control Centers (MCC) B51 and 861 Failure of the MCC causes loss of power to the battery,
!n combination with insufficient power from the batteries, this may cause loss of power to the DC buses.
Periodic testing and maintenance should be performed to maintain availability.
6.
Failure of Static Inverter Y11, Y13, Y22, and Y24 These inverters convert DC power to AC power for 120 V distribution panels.
)
Failures of these inverters may result from electronic component failures J
or DC bus failures. Observation of maintenance, surveillance, or review of the records of these functions should be performed.
7.
Battery Sets D06 or D07 Unavailable A battery set being unavailable either due to component outage or scheduled or unscheduled maintenance combined with failure of offsite power sources and emergency diesel generator failures can prevent electrical power from being supplied to the buses.
Periodic testing of battery voltage and specific gravity, according to Technical Specifications, and proper maintenance should maintain the probability of failure at a low value.
8.
Normally Closed Circuit Breakers Fail Open Failure of normally closed circuit breakers in the open position leads to loss of power to associated buses or distribution panels.
Periodic maintenance, and verification of system lineup should be observed or reviewed.
4.3
a TABLE 4.18.
IE MODULES FOR DC POWER SYSTEM INSPECTION Failure (a)
Module Title Components'
_ Mode 41700 Training Battery Chargers D03 1
D04, 005 Panels RS1, RS2, RS3 4
RS4 61701 Surveillance (Complex)
DC Buses D01, D02 3
Battery Sets D06, 007 7
61725 Surveillance Testing and Battery Chargers D03, 1
Calibration Program D04, 005 Panels RS1, RS2, RS3 4
RS4 Battery Sets D06, D07 7
61726 Monthly Surveillance Battery Chargers D03, 1
Observation D04, DOS DC Buses 001, D02 3
Panels RS1, RS2, RS3, 4
RS4 Inverters Y11, Y13, 6
Y22, Y24 Battery Sets 006, D07 7
Transformer Circuit 8
Breakers 62700 Maintenance Battery Chargers 003, 1
004, DOS Distribution Panels Dil, 2
D21 DC Buses D01, D02 3
Panels RS1, RS2, RS3, 4
RS4 Motor Control Centers 5
B51, B61 Inverters Y11, Y13, 6
Y22, Y24 Battery Sets D06, 007 7
Transformer Circuit 8
Breakers 4.4
TABLE 4.18. (continued) 1 Failure (a)
Module Title Components Mode 71707 Operational Safety Battery Chargers D03, 1
Verification D04, DOS Distribution Panels Dil, 2
021 DC Buses D01, D02 3
Panels RS1, RS2, RS3, 4
RS4 Motor Control Centers 5
B51, 861 Inverters Y11, Y13, 6
Y22, Y24 Battery Sets DO6, 007 7
Transformer Circuit 8
Breakers ESF System Walkdown Battery Chargers 003, 1
71710 004, DOS Distribution Panels Dil, 2
D21 DC Buses 001, 002 3
Panels RS1, RS2, RS3, 4
RS4 Motor Control Centers 5
B51, 861 l
Inverters Y11, Y13, 6
Y22, Y24 Battery Sets 006, D07 7
Transformer Circuit 8
Breakers (a) See Table 4.1A for failure identification l
i h
i 4.5 i
i
TABLE 4.1C.
DC POWER SYSTEM WALKDOWN l
Component Component Required (a) Actual Number Name Lucation Positirn Position D01 (112)
Panel Dil Feed from D01 or 002 D01 Position to feed from 001 002(212)
Panel D21 Feed from 002 or D01 002 Position to feed from D02 _
122A Supply from Battery 001 Charger D03 Breaker Closed 122B Supply from Battery D01 Charger 005 Breaker Clo::ed 123 Panel RAI Breaker D01 Closed 124 Emergency Supply to Panel D-21 001 Closed 152A DC Supply to Inverter Y-11 001 Closed 152B DC Supply to Inverter Y-13 001 Closed 222A Supply from Battery 002 Charger 004 Breaker Closed 223 Panel RA2 Breaker 002 Closed 224 Emergency Supply to Panel D-11 002 Closed 242A DC Supply to Inverter Y-22 002 Closed 2428 DC Supply to Inverter Y-24 002 Closed 5141A Inverter Transfer Switch Y-11 B51 Closed 51418 Inverter Y-11 851 Closed 5145A Inverter Transfer Switch Y-13 B51 Closed 5145B Inverter Y-13 B51 Closed 5193A Battery Charger 003 B51 Closed 56228 Battery Charger 005 B56 Closed 6121A Inverter Transfer Switch Y-22 B61 Closed 6121B Inverter Y-22 B61 Closed i
4.6
TABLE 4.10.
(Continued)
Component Component Required (a) Actual Number Name location Position Position 6143A Battery Charger D04 B61 Closed 6145A Inverter Transfer Switch Y-24 B61 Closed i
6145B Inverter Y-24 B61 Closed (a)
Due to the integrated nature of the DC power system failure mode, power available to the buses, distribution panels, and batteries should be verified.
I
\\
l i
e 4
h t
[
4.7 1
4.2 HIGH PRESSURE INJECTION SYSTEM TABLE 4.2A.
HIGH PRESSURE INJECTION SYSTEM FAILURE MODE IDENTIFICATION The High Pressure Injection (HPI) system is designed to perform both normal and emergency functions in several modes of operation. Under normal conditions, the HPI system is known as the Makeup and Purification (MU) system.
In this mode the suction source for the pump is the reactor coolant system via the makeup tank. During an accident, the pump suction is realigned to the Borated Water Storage Tank (BWST) and borated water is injected into the reactor vessel via the Reactor Coolant System (RCS) cold legs.
This prevents uncovering of the core for-small reactor coolant piping leaks where high system pressure can be maintained, and delays uncovering of the core for intermediate-sized lecks.
In addition, HPI provides makeup to the reactor coolant system during depressurization following a reactor shutdown due to a transient initiating event and thus prevents core uncovery resulting from coolant volume shrinkage.
Conditions that Lead to Failure 1.
Operating Pump P36A, B, C Fails to Ru" or Standby Pumps Fail to Start and Run Failure of any combination of two out of three pumps can prevent sufficient cooling water flow to the RCS cold legs.
The failure causes are random hardware or electrical failures of these three pumps or failure of the pump room cooling units.
Testing, maintenance, and surveillance of the pumps which are not in use according to Technical Specific 6tions should maintain the availability of these pumps.
2.
Failure of Pump Suction Manual Valves MU-18A, B and C These are manual valves in the HPI system suction lines. They must be locked open during normal operation or emergency conditions.
The important failure causes are random hardware failures. Maintenance of these valves should be reviewed or observed, and valves should be returned to standby position and verified.
3.
Failures of Pump Discharge Manual Valves MU-20A, B, or C, and Check Valves MU-19A, B or C The required position for these valves is "open" during normal operation or emergency condition.
The dominant failure cause is random hardware failure. A contributing cause is manual valve closure by operators during l
naintenance or testing. Maintenance and testing of these valves should be observed or reviewed, and operator awareness of the importance of restoration of proper lineup ascertained.
4.8
TABLE 4.2A.
(continued) 4.
BWST Discharge Valves CV-1407 and CV-1408 Fail to Open on Demand These are the motor-operated discharge valves for the BWST.
They must be open following a LOCA.
The dominant failure cause is ra dom hardware failure. A contributing cause is operator failure to open these valves if actuation fails.
Power availability, operator awareness, surveillance, and maintenance of these valves should be reviewed and observed to maintain reliability.
5.
Motor-Operated Discharge Valves CV-1219,1220,1227, and 1228 Fail to Open on Demand The flow of HPI system to the RCS cold legs is controlled by means of motor-cperated valves CV-1219, 1220, 1227, and 1228. Failure of these valves in "closed" position will prevent sufficient coolant injection to the cold legs.
The important cause is multiple hardware failures.
Operator failure to actuate valves manually also affects probability of recovery from these failures.
Power availability, operator awareness, surveillance, and maintenance of these valves should be reviewed and observed to maintain reliability.
6.
Check Valves MU-1211, 1213, 1214, and 1215 Fail Closed These are discharge header cteck valves for HPI. iailure of these valves in closed position will prevent HPI flow to the designated cold leg.
Testing and maintenance of these valves according to Technical Specifications should maintain the availability of these valves.
7.
Operator Fails to Initiate HPI and Establish Feed-and-Bleed for Small Loss-of-Coolant Accident (LOCA)
During an accident, the HPI pump suction is realigned to the BWST and borated water is injected into the reactor vessel via the RCS cold legs.
This HPI prevents uncovering of the core for small LOCA where high system pressure can be maintained.
The dominant failure is operator failure to initiate the HPI and establish feed-and-bleed. Operator awareness of criteria for HPI initiation and adherence to emergency procedures is important.
l 8.
Manual Valves BW-2 and BW-3 Fail Closed t
These failures result primarily from operator failure to restore valves 4
to the open position after testing, and failure to discover the error.
I The valves are manual suction header valves. They should be locked open.
j These operator errors are addressed by proper post-test surveillance, j
which should be reviewed and observed.
l 4.9 1
l l
TABLE 4.28.
IE MODULES FOR HIGH PRESSURE INJECTION SYSTEM INSPECTION Failure (a)
Module Title Components Mode 41700 Training Valves CV-1407, 1408 4
Valves CV-1219, 1220 5
1227, 1228 Emergency Procedures 7
Valves BW-2, 3 8
61701 Surveillance (Complex)
HPI Pumps 36A,B,C 1
61725 Surveillance Testing and HPI Pumps 36A,B,C 1
Calibration Program Valves CV-1407, 1408 4
Valves CV-1219, 1220 5
1227, 1228 Valves MU-1211, 1213 6
1214, 1215 61726 Monthly Surveillance HPI Pumps 36A,B.C 1
Observation Valves CV-1407, 1408 4
Valves CV-1219, 1220 5
1227, 1228 Valves BW-2, 3 8
62700 Maintenance HPI Pumps 36A,B,C 1
Valves MU-18A,B,C, 2
Valves MU-20A,B,C, 3
i MU-19A,B.C Valves CV-1407, 1408 4
Valves CV-1219, 1220 5
1227, 1228 Valves MU-1211, 1213, 1214, 1215 6
Valves BW-2, 3 8
l 4.10 m
TABLE 4.28.
(continued)
Failure (a)
Module Title Components Mode 71707 Operational Safety HPI Pumps 36A,B,C 1
l Verification Valves MU-18A,B,C, 2-Valves MU-20A,B,C 3
Valves CV-1407, 1408 4
Valves CV-1219, 1220 5
1227, 1228 Valves BW-2, 3 8
i
-i 71710 ESF System Walkdown HPI Pumps 36A,B,C 1
Valves MU-18A,B,C, 2
i Valves MU-20A,B,C, 3
Valves CV-1407, 1408 4
Valves CV-1219, 1220 5
1227, 1228 Valves BW-2, 3 8
i (a) See Table 4.2A for failure identification i
1 i
i i
1 I
I 3
I i
)
1 1
4.11 l
3
TABLE 4.20.
MODIFIED HIGH PRESSURE INJECTION SYSTEM WALKDOWN Component Component Required Actual i
Number Name Location Position Position Electrical 306 HPI Pump 36A Breaker A3 Racked In 307 HPI Pump 36B Breaker A3 Racked In l
406 HPI Pump 36C Breaker A4 Racked In i
407 HPI Pump 36B Breaker A4 Racked In 5151 CV-1219 HPI Loop A Isolation B51 Closed valve Breaker 5152 CV-1220 HPI Loop A Isolation B51 Closed Valve Breaker 6151 CV-1227 HPI Loop B Isolation B61 Closed Valve Breaker 6152 CV-1228 HPI Loop B Isolation B61 Closed Valve Breaker 5164 CV-1407 BWST Outlet Valve B51 Closed Breaker j
6164 CV-1408 BWST Outlet Valve 861 Closed Breaker Valves CV-1219 HPI Loop A Isolation Valve UNPPR Closed CV-1220 HPI Loop A Isolation Valve UNPPR Closed i
CV-1227 HPI Loop B Isolation Valve UNPPR Closed CV-1228 HPI Loop B Isolation Valve UNPPR Closed i
CV-1407 BWST Outlet Valve El.354 Closed t
i CV-1408 BWST Outlet Valve El.354 Closed MV-18A Pump P36A Suction Valve P36A Rm Open MV-18B Pump P36B Suction Valve P36B Rm Open MV-18C Pump P36C Suction Valve P36C Rm Open i
MV-20A Pump P36A Discharge Valve P36A Rm Open i
MV-20B Pump P36B Discharge Valve P36B Rm Open MV-200 Pump P36C Discharge Valve P36C Rm Open i
BW-2 BWST Supply to Pump 36C P36A Rm Open Suction Valve BW-3 BWST Supply to Pump 36A P36A Rm Open j
Suction Valve j
l i
4 i
i 4.12 4
4.3 LOW-PRESSURE INJECTION SYSTEM TABLE 4.3A.
LOW-PRESSURE INJECTION SYSTEM FAILURE MODE IDENTIFICATION The low-Pressure Injection (LPI) system is designed to perform both normal and emergency functions in several modes of operation. Under normal conditions, the most frequently used function is Decay Heat Removal (DHR) after a shutdown.
The system is also used to supply water for auxiliary spray to the pressurizer, to maintain the proper reactor-coolant temperatures for refueling, and to provide a means for filling and draining the fuel-transfer canal.
The emergency functions are LPI and Low Pressure Recirculation (LPR).
In the LPI mode, the system provides two flow Water Storage Tank (BWST) paths for injecting borated water from the Borated-into the reactor vessel af ter a loss-of-Coolant Accident (LOCA).
In the LPR mode, it also provides two flow paths for recirculating the reactor coolant spilled in a LOCA from the reactor-building emergency sump back to the reactor vessel.
The LPR mode can also be coupled with high-pressure pumps to provide high-pressure recirculation.
Conditions That Lead to Failure 1.
LPI Pumps P34A and P34B or Heat Exchangers E35A and E35B Unavailable due to Maintenance or Testing This is the dominant failure mode for the low head recirculation operation.
Both scheduled and uischeduled maintenance and testing are included.
Maintenance or testing activity, and training should be reviewed or observed to minimize this unavailability, by enhancing the timeless and correctness of these activities.
2.
LPI Pumps P34A and P348 Fail to Start or Run Failure of pumps P34A and P34B will prevent water flow from being provided l
to the reactor vessel.
The important failure causes are random hardware or electrical circuit failures or failure of the pump room cooling units, and human errors in following procedures to recover from failures.
Training, operator awareness, surveillance and maintenance of these pumps should be reviewed or observed to maintain reliability.
3.
Manual Valves DH-3A, DH-3B, BW-8A and BW-8B or Check Valves DH-2A, DH-28, BW-4A and BW-4B Fail Closed Failure closed of these valves in the suction and discharge lines will prevent water flow from being provided to the reactor vessel.
The dominant failure cause is random hardware failure. A contributing cause is operator failure to open these valves after test. Maintenance and surveillance of these valves should be reviewed or observed to maintain reliability, and restoration of proper post-test lineup should be verified.
4.13
l l
TABLE 4.3A (continued) l 4.
Pump or Heat Exchanger Failure due to Insufficient Cooling by Service Water System Failure This failure mode can lead to failure of either or both LPI trains.
The important failure cause is random hardware failures of the Service Water System (SWS) Valves CV-3840 and 3841 which supply cooling to pumps P34A and B, and Valves CV-3821 and 3822 which supply cooling to heat exchangers E35A and B.
Surveillance and maintenance of these SWS valves should be l
reviewed or observed.
l S.
Motor-Operated Valves CV-1405, CV-1406, CV-1407, CV-1408, CV-1400 or 1401 Fail to Open on Demand i
l These valves are the LPI pump suction and discharge lines including lines l
from both the BWST and the RB sump.
They must open following automatic actuation signals.
The important failure causes are random hardware or electrical failures. Surveillance and maintenance of the valves according to Technical Specifications should help maintain availability.
6.
Pneumatic Valves CV-1428 and 1429 Unavailable due to Maintenance This includes both scheduled and unscheduled maintenance.
The performance of maintenance should be reviewed to ensure that efficient scheduling is done, and that repairs are performed correctly, minimizing downtime.
7.
Coupled Human Error-Failure to Close Valves DH-8A and B After Test These include failures to realign or close a valve at the end of a test, and failure to discover and correct the error.
The valves are manual valves allowing recirculation flow to the BWST. They should be locked I
closed after testing.
These errors are addressed by proper test perfonnance and post-test surveillance, which should be reviewed or l
observed.
8.
Check Valves DH-13A, DH-138, OH-14A, or DH-14B Fail Closed Failure of these check valves in the closed position will prevent water flow to the reactor vessel. The dominant failure cause is random hardware failure. Maintenance of these valves should be reviewed or observed to i
maintain reliability.
l 1
4.14
TABLE 4.3B.
IE MODULES FOR LOW-PRESSURE INJECTION SYSTEM INSPECTION i
Failure (a)
Module Title Components Mode 41700 Training Pumps P34A,B 1,2 Heat Exchangers E35A,8 1
Valves DH-8A,B 7
61701 Surveillance (Complex)
Pumps P34A,8 and Heat 1
Exchangers E35A,B 61725 Surveillance Testing and Pumps P34A,8 1,2 l
Calibration Program Heat Exchangers E35A,B 1~
l 61726 Monthly Surveillance Pumps P34A,8 1,2 Observation Heat Exchangers E35A,8 1
Valves DH-8A,B, 3A,B 3,7 SWS Valves CV-3840,3841, 4
3821, 3822 Valves CV-1405,1406 5
1407,1408,1400, 1401 62700 Maintenance Pumps P34A,B 1,2 Heat Exchangers E35A,B 1
Valves DH-4A,B,8A,B 3,7 2A,B,3A,B SWS Valves CV-3840,3841, 4
3821, 3822 j
Valves CV-1405,1406 5
1407,1408,1400, 1401 i
Valves CV-1428,1429 6
Valves DH-13A,B,14A,B 8
71707 Operational Safety Pumps P34A,B 1,2 Verification Heat Exchangers E35A,B 1
Valves DH-4A,B,8A,B 3,7 2A,B,3A,B 1
SWS Valves CV-3840,3841, 4
3821, 3822 Valves CV-1405,1406 5
1 1407,1408,1400, 1401 J
j 1
]
4.15
]
... -... _ _ ~
i I
l TABLE 4.3B.
(continued)
Failure (a)
Module Title Components Mode 1
71710 ESF System Walkdown Pumps P34A,8 1,2 Heat Exchangers E35A,B 1
Valves OH-8A,B, 3A,B 3,7 SWS Valves CV-3840,3841, 4
~
4 3821, 3822 Valves CV-1405,1406 5
1407,1408,1400,1401 L
l (a) See Table 4.3A for failure identification i
4 i
l i
4 A
i a
I 4.16 1
i
TABLE 4.30, NODIFIED LOW-PRESSURE INJECTION SYSTEH WALKDOWN Component Component Required Actual Number Name Location Position Position Electrical 2
305 LPI Pump 34A Breaker A3 Racked in 405 LPI Pump 34B Breaker A4 Racked in I
51112 CV-1405 LPI Pump 34A Sump B51 Closed Suction Valve Breaker 6166 CV-1406 LPI Pump 34B Sump B61 Closed
~
Suction Valve Breaker 5164 CV-1407 Outlet Valve Breaker B51 Closed i
6164 CV-1408 Outlet Valve Breaker 861 Closed 6161 CV-1400 LPI Line "B" Isolation B61 Closed Valve Breaker 51114 CV-1401 LPI Line "A" Isolation B51 Closed i
Valve Breaker 5182 CV-3822 LPI Cooler "A" SW B51 Closed Supply Valve 6183 CV-3821 LPI Cooler "B" SW B61 Closed Supply Valve l
l
{
Valves
)
BW-8A LPI Pump 34A Suction Valve P34A Rm Open BW-8B LPI Pump 34B Suction Valve P34B Rm Open DH-3A P34A Discharge Valve P34A Rm Open DH-3B P34B Discharge Valve P348 Rm Open 3
i 1
4.17 s
l t
TABLE 4.3C.
(continued) l Component Component Required Actual l
Number Name Location Position Position l
l CV-3840 P34A Cooler SW Inlet Valve P34A Rm Closed l
CV-3841 P34B Cooler SW Inlet Valve P34B Rm Closed CV-1405 LPI Pump 34A Sump Suction Valve P34A Rm Closed CV-1406 LPI Pump 34B Sump Suction Valve P34B Rm Closed CV-1407 BWST Discnarge Valve El.354 Closed CV-1408 BWST Discharge Valve El.354 Closed CV-1400 LPI Loop "B" Isolation Valve UNPPR Closed CV-1401 LPI Loop "A" Isolation Valve UNPPR Closed i
CV-3821 DH Cooler "B" SW Isolation Valve El.317 Closed CV-3822 DH Cooler "A" SW Isolation Valve E1.335 Closed CV-1428 DH Cooler "A" Outlet Valve P34A Rm Open l
CV-1429 DH Cooler "B" Outlet Valve P34B Rm Open i
4.18 I
4.4 SERVICE WATER SYSTEM TABLE 4.4A.
SERVICE WATER SYSTEM FAILURE MODE IDENTIFICATION The Service Water System (SWS) supplies cooling water for many emergency and non-emergency needs throughout the plant.
The SWS consists of two redundant loops with three pumps and associated valves and piping. The normal cooling is supplied from Lake Dardanelle through the intake structure; however, an emergency pond is available in case of loss of flow from the lake.
The SWS is normally discharged back to the lake via the circulating water discharge flume.
If the lake source is lost, the SWS would be discharged back to the emergency pond.
The emergency pond also serves as a heat sink for normal plant shutdown of either Unit 1 or Unit 2.
i Conditions That Lead to Failure 1.
Motor-Operated Valves CV-3820 and CV-3643 Fail to Close on Demand These are the Intermediate Auxiliary Cooling isolation valves for the service water system.
They must be closed following engineered safeguard actuation signals.
The important failure cause is random hardware and electrical failures. Surveillance and maintenance of these valves should be observed or reviewed.
2.
Failures of Manual Valves SW-2A, 2B, 20, or Check Valves SW-1A, 18, 1C Operation of two of the three service water pumps is required to supply the designated nuclear headers during normal and emergency conditions.
Failure of these valves in the closed position will prevent service water flow to the designated headers. Maintenance of these valves should be reviewed or observed to ensure their operability and proper lineup.
3.
Operating Pumps 4A,B,C Fail to Run or Standby Pump Fails to Start and Run Failure of pumps may prevent sufficient service water flow from being provided to the essential header. Testing, maintenance, and surveillance of the pumps which are not in use according to the Technical Specifications should maintain reliability.
i 1
4.19
X.
TABLE 4.4A.
(Continued) 4.
Crosstie Motor-Operaged Valves CV-3660, 3642 or CV-3644, 3646 Fail to Close on Demand i
t In the event of an Engineered Safeguard (ES) actuation with a simultaneous loss of offsite power, the crossover valves between the two operating i
SWS pumps will close. Failure to close these valves which supply service water to the Intermediate Cooling Water (ICW) or Auxiliary Cooling Water (ACW) systems may overload and fail the SWS.
Proper maintenance and testing of these valves according to Technical Specifications should help prevent failures.
5.
Motor-Operated Valves CV-3641 and CV-3645 Fail to Remain Open.
These motor-operated valves must remain open to allow flow from the pumps to the designated headers. The dominant falure cause is random hardware failure. Valve maintenance, surveillance and the availability of electrical power should be reviewed or observed to maintain reliability.
i i
C I
4.20
P TABLE 4.48.
IE MODULES FOR SERVICE WATER SYSTEM INSPECTION Failure (a)
Module Title Components Mode 41700 Training Valves CV-3640,3642 4
3644,3646 61701 Surveillance (Complex)
Pumps 4A,B,C 3
61725 Surveillance Testing Valves CV-3820,3643 1
Calibration Program Pumps 4A,B,C 3
Valves CV-3640,3642, 4
3644,3646 Valves CV-3641,3645 5
61726 Monthly Surveillance Valves CV-3820,3643 1
Observation Pumps 4A,B,C 3
Valves CV-3641,3645 5
62700 -
Maintenance Valves CV-3820,3643 1
Valves SW-7A,B,C, 2
1A,B,C Pumps 4A,B,C 3
Valves CV-3640,3642, 4
3644,3646 Valves CV-3641,3645 5
71707 Operational Safety Valves CV-3820,3643 1
Verification valves SW-2A,B,C 2
Pumps 4A,B,C 3
Valves CV-3641,3645 5
71710 ESF System Walkdown Valves CV-3820,3643 1
Valves SW-2A,B,C 2
Pumps 4A,B,C 3
Valves CV-3540,3642, 4
3644,3646 Valves CV-3641,3645 5
(a)
See Table 4.4A for failure identification 4.21
TABLE 4.4C.
SERVICE WATER SYSTEM WALKDOWN Component Component Required Actual Number Name Location Position Position Electrical 5181 CV-3820 SW to ICW Valve Breaker B51 Closed 5653 CV-3643 SW to ACW Valve Breaker B56 Closed
'I 302 Pump 4A Breaker A3 Racked In 303 Pump 4B Breaker A4 Racked In 403 Pump 4B Breaker A4 Racked In 402 Pump 4C Breaker A4 Racked In 6223 CV-3640 Loop 2 Crossover Breaker B62 Closed 6224 CV-4642 Loop 2 Crossover Breaker B62 Closed 5223 CV-3644 Loop 1 Crossover Breaker B52 Closed 5224 CV-3646 Loop 1 Crossover Breaker B52 Closed 6184 CV-3641 SW to Loop II Discharge B61 Closed Valve Breaker 51121 CV-3645 SW to Loop I Discharge B51 Closed Valve Breaker Valves CV-3820 Intermediate Cooling Motor El.335 Open Operated Valve CV-3643 Auxiliary Cooling Motor Intk Open Operated Valve CV-3640 Loop 2 Crossover Motor Intk Open Operated Valve CV-3642 Loop 2 Crossover Motor Intk Open Operated Valve CV-3640 Loop 1 Crossover Motor Intk Open Operated Valve 4.22
TABLE 4.4C.
(Continued)
Component Component Required Actual Number Name Location Position Position CV-3646 Loop 1 Crossover Motor Intk Open Operated Valve CV-3641 Loop 2 Discharge Motor Intk Open Operated Valve CV-3645 Loop 1 Discharge Motor Intk Open Operated Valve SW-2A Pump P4A Discharge Manual Valve Intk Open SW-2B Pump P4B Discharge Manual Valve Intk Open SW-2C Pump P4C Discharge Manual Valve Intk Open 4.23
4.5 REACTOR PROTECTION SYSTEM TABLE 4.5A.
REACTOR PROTECTION SYSTEM FAILURE MODE IDENTIFICATION The Reactor Pr^tection System (RPS) consists of redundant sensors, relays, logic, and other equipment necessary to monitor selected nuclear steam supply system conditions and to effect a reliable and rapid reactor shutdown (reactor trip) if any, or combination of monitored conditions reach specified safety system settings.
Successful RPS operation protects the nuclear fuel from cladding damage and helps prevent reactor coolant system overpressure by limiting energy input.
Conditions That Lead to Failure 1.
Reactor Trip Breakers A or B Fail Closed l
Reactor trip breakers A and B supply main and alternate AC power to the RPS systeai.
Failure of either bicaker to trip will provide system power unless interrupted by other breaker trips in the DC power circuit.
The cause is hardware failure of the trip breakers. Maintenance and surveillance of these breakers should be observed or reviewed to minimize these failures. Operator training and awareness of Emergency Operating Procedures will enhance the probability of recovery, 2.
DC Reactor Trip Breakers C1, C2 or D1, D2 Fail Closed Reactor trip breakers C and D supply main and alternate DC power to the safety rod hold circuit.
Failure of any one of these breakers will result in two of the four safety rods failing to insert, and failure of both of C1 and C2 or D1 will result in all safety rods failing to insert.
The cause is hardware failure of the trip breakers. Maintenance and surveillance should be observed or reviewed, and operator awareness of procedures will maintain reliability and enhance the probability of l
recovery.
3.
Wiring Fault in Reactor Protection Channel A hardware-related wiring fault in the RPS channel may prevent the trip breakers actuation. Maintenance of these channels should be observed or reviewed to maintain reliability.
4.
Trip Relays Fail Closed The required position for these relays is "open" once the trip signals have been generated from the process parameters.
The important failure causes are the result of the relay coil failure to de-energize and random hardware failure.
Surveillance and maintenance of these relays should be reviewed and observed.
1 l
4.24
TABLE 4.58.
IE MODULES FOR REACTOR PROTECTION SYSTEM INSPECTION Failure (a)
Module Title Components Mode 41700 Training Trip Breakers A,B 1
Trip Breakers C,0 2
61701 Surveillance (Complex)
Trip Breakers A,B 1
Trip Breakers C,0 2
Trip Relays 4
61725 Surveillance Testing Trip Breakers A,B 1
Calibration Program Trip Breakers C,0 2
Trip Relays 4
61726 Monthly Surveillance Trip Breakers A,8 1
Observation Trip Breakers C,D 2
Trip Relays 4
62700 Maintenance Trip Breakers A,8 1
Trip Breakers C,D 2
Channels Wiring 3
Trip Relays 4
71707 Operational Safety Trip Breakers A,B 1
Verification Trip Breakers C,0 2
Trip Relays 4
l (a) See Table 4.5A for failure identification 4.25
TABLE 4.50.
MODIFIED REACTOR PROTECTION SYSTEM WALKDOWN Component Component Required Actual Number Name Location Position Position Walkdown is ineffective against risk significant RPS failures.
l 4.26
4.6 EMERGENCY FEEDWATER SYSTEM TABLE 4.6A.
EMERGENCY FEEDWATER SYSTEM FAILURE MODE IDENTIFICATION The purpose of the ANO-1 Emergency Feedwater system (EFW) is to backup the Main Feedwater system (MFW) in removing post-shutdown decay heat from the reactor coolant system via the steam generators. During normal shutdowns the MFW is throttled down to a level capable of removing decay heat and the EFW is not utilized. However, if the plant shutdown is caused by a loss of the MFW or the reactor coolant pumps, or if the MFW is lost subsequent to the plant shutdown, then the EFW is put into operation.
Conditions That Lead to Failure 1.
Turbine-Driven Emergency Feedwater Pump P7A Fails to Start or Run This is the primary contributor to secondary system failure to provide cooling to the steam generators.
Dominant system failure modes are turbine-driven emergency feedwater pump failure to start or run due to random hardware or control system faults, or operator failure to start the pump, or loss of room cooling, ventilation system, or instrument air. Observation or review of surveillance, maintenance, and lineup of this pump will maintain availability.
Training in Emergency Operating Procedures and system malfunction response will enhance recovery when it is possible.
2.
Motor-Driven Pump P78 Fails to Start or Run Failure of motor-driven pump P7B to start or run when required, or to be repaired while under maintenance will prevent cooling water flow from being supplied to the steam generator.
Dominant system failure modes are pump failure to start or run due to random hardware or control system faults, or operator failure to start the pump, or loss of room cooling or ventilation system. As with the turbine-driven pump, maintenance and surveillance should be reviewed, lineup checked, and operator awareness of response procedures for malfunctions verified.
4.27
i TABLE 4.6A.
(Continued)
)
i 3.
Motor-Operated Valves CV-2613, and CV-2663 Fail to Open or CV-2667, and 2617 Fail Closed l
Steam supply for EFW pump P7A turbine is obtained from both steam generators via valves 2667, and 2617. Downstream of these valves, the i
pipes join to form a common supply to the pump turbine through parallel l
valves CV-2613 or CV-2663.
Failure of valves CV-2613 and CV-2663 to open or failure of 2667, or 2617 to remain open will fail turbine-driven pump P7A and prevent cooling water to flow to the steam generators.
The important failure cause is random hardware or control system failures.
Proper system lineup, operator training and awareness of Emergency and abnormal Operating Procedures will enhance recovery.
Surveillance and maintenance should be reviewed or observed to maintain reliability.
i 4.
Failure of Motor-Operated Valves CV-2800, 2802, 2803, and 2806 4
These are pump suction valves for the EFW system. A common control switch i
for each pair causes the valves to assume opposite positions; that is, if one valve, e.g., CV-2806 is open, the other valve CV-2802 is closed and vice versa.
Failure of these valves in the improper position will prevent EFW flow to the designated steam generator.
The dominant failure cause is human error failure to manually realign suction for the EFW 3
pumps. Operator awareness of criteria for switchover and adherence to emergency procedures is important.
1
)
1 i
l 1
i l
I i
l l
l 4.28 i
TABLE 4.68. MODIFIED EMERGENCY FEEDWATER SYSTEM INSPECTION Failure (a)
Module Tit 1e Components Mode i
41700 Training TD Pump P7A 1
MD Pump P7B 2
Valves CV-2613,2663, 3
2667, 2617 Valves CV-2800,2802, 4
2803,2806 61701 Surveillance (Complex)
TD Pump P7A 1
MD Pump P7B 2
61725 Surveillance Testing and TD Pump P7A 1
Calibration Program MD Pump P78 2
Valves CV-2613,2663, 3
2667, 2617 61726*
Monthly Surveillance TD Pump P7A 1
Observation HD Pump P78 2
Valves CV2613,2663, 3
2667,2617 62700 Maintenance TD Pump P7A 1
MD Pump P7B 2
Valves Cv2613,2663, 3
2657,2617 Valves CV-2800,2802 4
2803,2806 7170'/
Operational Safety TD Pump P7A 1
Verification MD Pump P78 2
Valves CV-2613,2663 3
2667,2617 Valves CV-2800,2802 4
2803,2806 71710 ESF System Walkdown TD Pump P7A 1
MD Pump P7B 2
Valves CV-2613,2663 3
2667,2617 Valves CV-2800,2802 4
2803,2806 (a) See Table 4.6A for failure identification 4.29
TABLE 4.6C.
MODIFIED EMERGENCY FEEDWATER SYSTEM WALKDOWN Component Component Required Actual Number Name Location Position Position Electrical 311 Motor-Driven EFW Pump Breaker A3 Racked in 5173 CV-2800 Motor-Driven Pump 78 B51 Closed CST Suction Valve Breaker 5193 CV-2803 Motor-Driven Pump 78 B51 Closed
~
SW Suction Valve Breaker 6175 CV-2802 Turbine-Driven Pump 7A B61 Closed CST Suction Valve Breaker 6181 CV-2806 Turbine-Driven Pump 7A B61 Closed SW Suction Valve Breaker 6241 CV-2617 SG B Steam Supply to P7A B62 Closed Valve Breaker 5241 CV-2667 SG A Steam Supply to P7A B52 Closed Valve Breaker 2512 CV-2613 P7A Steam Supply D25 Closed Valve Breaker 1512 CV-2663 P7A Steam Supply D15 Closed Valve Bre6ker Valves CV-2800 Motor-Driven Pump 78 CST Pump Rm Open Suction Valve CV-2803 Motor-Driven Pump 7B SW Pump Rm Closed Suction Valve CV-2802 Turbine-Driven Pump 7A CST Pump Rm Open Suction Valve CV-2806 Turbine-Driven Pump 7A SW Pump Rm Closed Suction Valve CV-2667 SG A Steam Supply to P7A Valve Penthouse Open CV-2617 SG B Steam Supply to P7A Valve Penthouse Open 4.30
TABLE 4.6C.
(Continued)
Component Component Required Actual Number Name Location Position Position CV-2613 P7A Steam Supply Valve Penthouse Closed CV-2663 P7A Steam Supply Valve Penthouse Closed e
l 1
l i
4.31
4.7 CLASS 1E AC POWER SYSTEM TABLE 4.7A.
CLASS 1E AC POWER SYSTEM FAILURE MODE IDENTIFICATION The purpose of the Class 1E AC electrical power system is to provide electrical power to components in systems which are deemed vital to mitigate the consequences of loss-of-coolant accidents and transients.
These vital systems include those which shut the reactor down, remove the decay and sensible heat of the coolant and building, and limit the release of radioactive material from the reactor building.
In addition, the Class 1E AC electrical power system supplies power to the DC power system via three battery chargers.
Conditions that Lead to Failure 1.
Failure of 480 Volt Load Centers B5 or 86 Two load centers, B5 and B6, are provided.
They serve engineered safeguard or essential loads and motor control centers.
Each has a 4160/480 volt transformer between it and its energy source.
Failure of these load centers would usually be associated with subcomponent failures in the control circuit, transformers, or improper lineup for automatic operation. Observation of maintenance, surveillance, and system lineup, or a review of the records of these functions should be performed.
2.
Failure of 4160 Volt Distribution Penel A3 or A4 The normal sources of power of the class 1E AC are through the 4160 volt distribution panels, A3 and A4.
Loss of these panels will prevent electrical power from being supplied to the corresponding safeguards components.
The unavailability could be caused by panel failure, circuit breaker failure, or maintenance outage.
Periodic testing, and proper maintenance should minimize unavailability due to these causes.
3.
Failure of Motor Control Center (HCC) 856 The motor control center, 856, supplies electrical power to emergency lighting, standby battery charger, turbine generator emergency bearing and pump, and the electrical system room chillers and coolers, lhe unavailability could be caused by control circuit or circuit breaker failures.
Proper surveillance and maintenance of the motor control center and the protective devices should be reviewed and observed.
4.32
TABLE 4.7A.
(Continued) 4.
Motor Control Center B51, B52, B61, or B62 Unavailable These motor control centers being unavailable either due to component failure or scheduled or unscheduled maintenance or testing, combined with failure to restore the motor control centers to service, prevents the elettrical power from being supplied to the respective loads.
Periodic testing, proper maintenance, and surveillance should be observed and reviewed.
5.
Failure of Emergency Diesel Generators DGl DG2 Failure of DG1 or DG2 either to start or to run when required, or to be repaired while under maintenance will prevent electrical power from being supplied to the corresponding safeguards component buses. When combined with the loss of offsite power, a total loss of power source can result.
Periodic maintenance, surveillance in accordance with Technical Specifications, callbration activities, and lineup check will enhance the availability. Operator training and awareness of Emergency Operating Procedures will enhance the probability of recovery.
4.33 4
TABLE 4.78.
IE MODULES FOR CLASS 1E AC POWER SYSTEM INSPECTION Failure (a)
Module Title Components
, Mode 41700 Training CG1,0G2 5
61701 Surveillance (Complex)
DG1,DG2 6
61725 Surveillance Testing and Load Centers B5,6 1
Calibration Program MCC B56 3
MCC B51,52,61,62 4
DG1,DG2 5
61726 Monthly Surveillance Load Centers B5,6 1
Observation MCC B56 3
MCC 851,52,61,62 4
DG1,DG2 5
l 62700 Maintenance Load Centers 65,6 1
Switchgear A3,4 2
MCC B56 3
MCC B51,52,61,62 4
DG1,DG2 5
71707 Operational Safety Load Centers B5,6 1
Verification Switchgear A3,4 2
MCC B56 3
MCC B51,52,61,62 4
DG1,DG2 5
71710 ESF System Walkdown Load Centers B5,6 1
Switchgear A3,4 2
MCC B56 3
MCC 851,52,61,62 4
DG1,DG2 5
(a)
See Table 4.7A for failure identification
)
4.34 i
=-.
I i'
TABLE 4.7C.
CLASS 1E AC POWER SYSTEM WALKD0kN 6
Component Component Required Actual Number Name Location Position Position 521 MCC B-51 Supply Breaker B5 Closed i
1 522 B-5 Supply to B-56 85 Closed j
l
'532 MCC B-52 Supply Breaker B5 Closed r
621 HCC B-61 Supply B6 Closed 614 MCC B-62 Supply Breaker B6 Closed 1
l 022 B-6 Supply to B-56 B6 Closed 512 B-5 Supply Breaker 85 Closed l
612 B-6 Supply Breaker
-86 Closed 30B DG-1 Output Breaker A3 Open
{
1 309 Al to A3 Tie Breaker A3 Closed i
310 A3 to A4 Tie Breaker A3 Open i
)
408 DG-2 Output Breaker A4 Open i
409 A2 to A4 Supply Breaker A4 Closed l
410 A4 to A3 Tie Breaker f.4 Open 301 Transformer X-5 Supply Breaker A3 Closed 1
i i
401 Transfomer X-6 Supply Breaker A4 Closed 513 B-5 to B-6 Tie Breaker B5 Open 613 B-6 to B-5 Tie Breaker B6 Open l
f 5143B Battery charger D03 Breaker BS1 Closed i
j DG1 Diesel Generator 1 Note a DG2 Diesel Generator 2 Note a j
a.
Due to the integrated nature of the diesel generator failure to start or to run failure modes, the lineup uf all automatic diesel support functions (service water, fuel oil, starting air, etc.) should be checked.
l 1
l j
4.35 j
1 l
4
4.8 SAFETY RELIEF VALVE SYSTEM TABLE 4.8A.
SAFETY RELIEF VALVE SYSTEM FAILURE MODE IDENTIFICATION The safety relief valves or primary pressure control system is part of the reactor-coolant system (RCS).
During normal operation the pressurizer establishes and maintains the RCS pressure within prescribed limits and provides a steam surge chamber and a water reserve to accommodate changes in the density of the reactor coolant.
Under abnormal conditions, the relief valves on the pressurizer are the means of external pressure relief for the RCS, Conditions that Lead to Failure 1.
Pressurizer Relief Valves RC-1001, RC-1002 Fail to Close After Steam Relief The required position for these valves is "closed" once the pressurizer pressure has decreased below the relief valve set point.
The failure mode is random hardware failures of these valves. Surveillance and maintenance of these valves, including setpoint testing and adjustment, should be reviewed or observed.
4.36
TABLE 4.88.
IE MODULES FOR SAFETY RELIEF VALVE SYSTEM INSPECTION Failure (a)
Module Title Components Mode 41700 Training-
' Pressurizer Relief 1
Valves 61701 Surveillance (Complex)
Pressurizer Relief 1
Valves 61725 Surveillance Testing and Pressurizer Relief 1
Calibration Program Valves 61726 Monthly Surveillance Pressurizer Relief 1
Observation Valves 62700 Maintenance Pressurizer Relief 1
Valves 71707 Operational Safety Pressurizer Relief 1
Verification Valves (a) See Table 4.8A for failure identification.
e d
l 4.37
TABLE 4.8C.
MODIFIED SAFETY RELIEF VALVE SYSTEM WALKDOWN Componen*
Component Required Actual Number Name Location Position Position Walkdown is ineffective against failure of the SRVs to reseat.
4.38
4.9 POWER CONVERSION SYSTEM l
TABLE 4.9A.
POWER CONVERSION SYSTEM FAILURE MODE IDENTIFICATION l
Power Conversion System (PCS) at ANO-1 is designed to provide feedwater to the secondary side of the steam generators which, in turn, transfers energy I
to the turbine generator system. Following a reactor trip, the PCS is also l
capable of delivering feedwater to the steam generators at a reduced rate to provide for decay heat removal. This is accomplished by throttling the PCS l
feedwater flow to a level commensurate with decay heat and allowing this water to boil off to the condenser or atmosphere.
1 1
Conditions That Lead to Failure 1.
Human Error-System Operation Inhibited, or Failure to Control the Startup Feedwater Valves CV-2623 or CV-2673 This is the primary contributor to system failure to provide cooling to the steam generators.
The failure cause is that, after reactor trip, the operator may assume control of the startup feedwater valves CV-2623 and CV-2673 and inadvertently cut off flow. A similar failure mode, however, can lead to excessive feedwater flow and hence a feedwater-pump trip on high steam-generator level. Operator training and awareness of Abnormal and Emergency Operating Procedures for system operation should be verified.
2.
Failure of Steam Driven Main Feedwater Pumps Failure of steam-driven feedwater pumps P1A and PIB contribute significantly to the failure of steam generator cooling.
The important failure cause following a reactor trip, with one feedwater pump automatically tripped after the reactor trip, is loss of the second feedwater pump due to loss of cooling or hardware failures.
These failures can totally interrupt main feedwater supply despite its initial l
availability during an accident. Operator training, awareness of Emergency Operating Procedures, and proper maintenance and surveillance should be reviewed and observed.
3.
Failure of Motor-Driven Condensate Pumps P2A, P28 and P2C Failure of these pumps will prevent sufficient cooling water flow to the main feedwater lines.
The important failure cause is hardware failure.
Proper maintenance and surveillance of these pumps should maintain their reliability.
4.39 I
e TABLE 4.98.
IE MODULES FOR POWER CONVERSION SYSTEM INSPECTION Failure (a)
Module Title Components Mode 41700 Training Control Feedwater 1
Valves CV-2623, 2673 Steam-Driven Feedwater 2
Pumps P1A, PIB 61701 Surveillance (Complex)
Control Feedwater 1
valves CV-2623, 2673 Steam Driven Feedwater 2
Pumps PIA, PIB 61725 Surveillance Testing and Control Feedwater 1
Calibration Program Valves CV-2623, 2673 Steam-Driven Feedwater 2
Pumps PIA, PIB Motor-Driven Condensate 3 Pumps P2A, P28, P2C 62700 Maintenance Control Feedwater i
Valves CV-2623, 2673 Steam-Driven Feedwater 2
Pumps PIA, PIB Motor-Driven Condensate 3 Pumps P2A, P2B, P2C 71707 Operational Safety Control Feedwater i
Verification Valves CV-2623, 2673 Steam-Driven Feedwater 2
Pumps PIA, PIB Motor-Driven Condensate 3 Pumps P2A, P28, P2C (a)
See Table 4.9A for failure identification 4.40
TABLE 4.9C.
POWER CONVERSION SYSTEM WALKDOWN Component Component Required (a) Actual.
Number Name Location Position Position Electrical l
105 Condensate Pump 2A Breaker Al Racked in 205 Condensate Pump 2B Breaker A2 Racked in 106 Condensate Puip 2B Breaker Al Racked in Valves CV-2623 Control Valve for Startup, Train 1 Open CV-2673 Control Valve for Startup, Train 2 Open I
l i
1 4.41
4.10 EMERGENCY FEEDWATER INITIATION AND CONTROL SYSTEM TABLE 4.10A.
EMERGENCY FEEDWATER INITIATION AND CONTROL SYSTEM FAILURE MODE IDENTIFICATION The Emergency Feedwater Initiation and Control (EFIC) System comprises three different logic systems:
the initiation system, vector system, and control system. The EFIC functions which pertain to prevention of steam generator overfill and to isolation of a steam generator if low steam generator pressure occurs. The system also provides for manual initiatior or shutdown of the emergency feedwater system, and for manual assumption of manual control of emergency feedwater after it has been automatically initiated.
Conditions That Lead to Failure 1.
Operator Fails to Manually Initiate EFIC System Given Failure of Logics or Cables This is the dominant failure for the EFIC system.
It involves operator failure to properly interpret the plant status and properly initiate the EFIC system, given the system failure. Operator training, awareness of proper procedures, and familiarity with associated controls should be assessed.
2.
Failure of Actuation Logic Elements 1,2,3AB,1,2,3AC,1,2,3BD, or 1,2,3C0, or Relays 4AB, AC, BD or CD Failure of actuation logic elements or relays will prevent outputs of the initiation logic from being provided to the emergency feedwater system.
The important failure causes are random electrical or hardware failures of the actuation logic element cables or their associated relays.
Calibration activities, surveillance, and maintenance should be revicwed or observed to maintain reliability.
3.
Failure of Control Logic Elements Simultaneous failure of four control logic elements, ABC1, ABC2, BCD1, and IP7B to function, given the presence of an actuation signal, will cause the EFIC system failure.
The important causes are hardware failures of the control logic elements or their associated cables.
Calibration, maintenance, and surveillance of these control logic elements should reduce the probability of failure.
4.42 l
L
TABLE 4.10B.
IE MODULES FOR EMERGENCY FEEDWATER INITIATION AND CONTROL SYSTEM INSPECTION Failure (a) l Module Title Components Mode 1
41700 Training Manual Initiation 1
Criteria 61701 Surveillance (Complex)
Cables, Actuation 2
Logic Elements 1,2,3AB, 1,2,3AC, 1,2,3BD, 1,2,300 Control Logic Elements 3
ABC1, ABC2, BCD1, IP7B 61725 Surveillance Testing and Cables, Actuation 2
Calibration Program Logic Elements 1,2,3AB, 1,2,3AC, 1,2,380, 1,2,300 Relays 4AB, AC, BD, CD Cables, Control Logic 3
Elements ABC1, BCD1, IP7B 61726 Monthly Surveillance Cables, Actuation 2
Observation Logic Elements 1,2,3AB, 1,2,3AC, 1,2,3BD, 1,2,3C0 Relays 4AB, AC, BD, CD Cables, Control Logic 3
Elements ABC1, BCD1, IP7B 62700 Maintenance Cables, Actuation 2
Logic Elements 1,2,3AB, 1,2,3AC, 1,2,380, 1,2,3C0 Relays 4AB, AC, BD, CD Cables, Control Logic 3
Elements ABC1, BCD1, IP78 4.43
TABLE 4.108.
(continued)
Failure (a)
Module Title Components Mode 71707 Operational Safety Cables, Actuation 2
Vertficstlon Logic Elements 1,2,3AB, 1,2,3AC, 1,2,380, 1,2,3CD Relays 4AB, AC, BD, CD Cables, Control Logic 3
Elements ABC1, BCD1, IP7B (a) See Table 4.10A for failure identification 4.44
TABLE 4.10C. MODIFIED EMERGENCY FEE 0 WATER INITIATION AND CONTROL SYSTEM WALKDOWN Component Component Required Actual Number Name Location Position Pcsition Walkdown is ineffective against risk significant EFIC system failures. However, power availability, proper switch positioning, etc., should be verified to maintain I
the system reliability.
l l
l 1
I l
l 4.45
. -. ~. -.
TABLE 11.
PLANT OPERATIONS INSPECTION GUIDANCE Recognizing that the normal system lineup is important for any given standby safety system, the following human errors are specially identified in the PRA as important to risk.
System RFailure Discussion High Pressure Injection Post-maintenance / Testing Table 4.2A, Items 3,8 Lineup Failure Switchover/ Recovery
- Table 4.2A, Items 4,5 Failure Feed and Bleed Control Table 4.2A, Item 7 Failure Low-Pressure Injection Switchover/ Recovery Table 4.3A, Item 2 Failure Post-Test / Maintenance Table 4.3A, Items 3,7 Lineup Failure Emergency Feedwater Switchover/ Recovery Table 4.6A, Items 1,2,4 Failure Power Conversion System FW Valves Lineup Failure Table 4.9A, Item 1 J
Switchover/ Recovery Table 4.9A, Item 2 Failure Emergency Feedwater Switchover/ Recovery Table 4.10A, Item 1 Initiation and Control Failure 1
P 4.46
. ~.
TABLE 12.
SURVEILLANCE INSPECTION GUIDANCE The listed components are the risk significant components for which proper surveillance should minimize failure.
System Component Discussion DC Power Battery Chargers D03, 004, D05 Table 4.1A, Item 1 DC Buses D01, D02 Table 4.1A, Item 3 Panels RS1, RS2, RS3, RS4 Table 4.1A, Item 4 Inverters Y11, Y13, Y22, Y24 Table 4.1A, Item 6-Battery Sets D06, D07 Table 4.1A, Item 7 Transformer Circuit Breakers Table 4.1A, Item 8 High Pressure HPI Pumps 36A,B,C Table 4.2A, Item 1 Injection Valves CV-1407, 1408 Table 4.2A, Item 4 Valves CV-1219, 1220, 1227, 1228 Table 4.2A, Item 5 Valves BW-2, 3 Table 4.2A, Item 8 Low Pressure Pumps P34A,B Table 4.3A, Items 1,2 Injection Valves DH-4A,B,8A,B, 2A,B, 3A,B Table 4.3A, Items 3,7 SWS Valves CV-3840,3841, 3821, 3822 Table 4.3A, Item 4 Valves CV-1405,1406, 1407, 1408, Table 4.3A, Item 5 1400, 1401 Service Water Valves CV-3820,3643 Table 4.4A, Item 1 Pumps 4A,B,C Table 4.4A, Item 3 Valves CV-3640,3642, 3644, 3646 Table 4.4A, Item 4 Valves CV-3641,3645 Table 4.4A, Item 5 Reactor Trip Breakers A,8 Table 4.5A, Item 1 Protection Trip Breakers C,0 Table 4.5A, Item 2 Trip Relays Table 4.5A, Item 4 Emergency TD Pump P7A Table 4.6A, Item 1 Feedwater MD Pump P78 Table 4.6A, Item 2 Valves CV2613-2663,2667,2617 Table 4.6A, Item 3 AC Power Load Centers B5,6 Table 4.7A, Item 1 MCC B56 Table 4.7A, Item 3 MCC B51,52,61,62 Table 4.7A, Item 4 DG1,0G2 Table 4.7A, Item 5 Safety Relief Pressurizer Relief Valves Table 4.8A, Item 1 Valve Power Control Feedwater Valves CV-2623, 2673 Table 4.9A, Item 1 Conversion Steam-Driven Feedwater Table 4.9A, Item 2 Pumps PIA, PIB Motor-Driven Condensate Table 4.9A, Item 3 Pumps P2A, P2B, P2C 4.47
TABLE 12.
(continued)
System Component Discussion Emergency Actuation Logic Elements Table 10.A, Item 2 Feedwater Initiation Control Logic Elements Table 10.A, Item 3 and control 4.48
TABLE 13. MAINTENANCE INSPECTION GUIDANCE The components listed here are significant to risk because of unavailability for maintenance or testing.
The dominant contributors are usually frequency of maintenance and duration of maintenance, with some contribution due to improperly performed maintenance.
System Component Discussion DC Power Battery Chargers D03,004, DOS Table 4.1A, Item 1 Distribution Panels 011, D21 Table 4.1A, Item 2 DC Buses D01, D02 Table 4.1A, Item 3 Panels RS1, RS2, RS3, RS4 Table 4.1A, Item 4 Motor Control Centers 851, 861 Table 4.1A, Item 5 Inverters Y11, Y13, Y22, Y24 Table 4.1A, Item 6 Battery Sets 006, 007 Table 4.1A, Item 7 Transformer Circuit Breakers Table 4.1A, Item 8 High Pres,sure HPI Pumps 36A,B,C Table 4.2A, Item 1 Injection Valves MU-18A,B,C, Table 4.2A, Item 2 Valves MU-20A,B,C, MU-19A,B,C Table 4.2A, Item 3 Valves CV-1407, 1408 Table 4.2A, Item 4 l
Valves CV-1219, 1220, 1227, 1228 Table 4.2A, Item 5 Valves MU-1211, 1213, 1314, 1215 Table 4.2A, Item 6 Valves BW-2, 3 Table 4.2A, Item 8 Low Pressure Pumps P34A,B Table 4.3A, Items 1,2 Injection Heat Exchangers E35A,B Table 4.3A, Item 1 Valves DH-4A,B, 8A,B, 2A,B, 3A,B Table 4.3A, Items 3,7 SWS Valves CV-3840,3841, 3821, 3822 Table 4.3A, Item 4 Valves CV-1405,1406, 1407, 1408 Table 4.3A, Item 5 1400, 1401 Valves CV-1428,1429 Table 4.3A, Item 6 Valves DH-13A,B,14A,B Table 4.3A, Item 8 Service Water Valves CV-3820,3643 Table 4.4A, Item 1 Valves SW-2A,B,C, 1A,B,C Table 4.4A, Item 2 Pumps 4A,B,C Table 4.4A, Item 3 Valves CV-3640,3642, 3644, 3646 Table 4.4A, Item 4 Valves CV-3641,3645 Table 4.4A, Item 5 Reactor Trip Breakers A,B Table 4.5A, Item 1 Protection Trip Breakers C,0 Table 4.5A, Item 2 Channels Wiring Table 4.5A, Item 3 Trip RGays Table 4.5A, Item 4 4.49 1
MBLE13.
(Continued)
System Component Discussion Emergency TD Pump P7A Table 4.6A, Item 1 Feedwater MD Pump P7B Table 4.6A, Item 2 Valves CV-2613,2663,2667,2617 Table 4.6A, Item 3 Valves CV-2800,2802, 2803, 2806 Table 4.6A, Item 4 AC Power Load Centers B5,6 Table 4.7A, Item 1 Switchgear A3,4 Table 4.7A, Item 2 MCC B56 Table 4.7A, Item 3 MCC B51,52,61,62 Table 4.7A, Item 4 DG1,0G2 Table 4.7A, Item 5 Safety Relief Pressurizer Relief Valves Table 4.8A, Item 1 Valve Power Control Feedwater Valves CV-2623,2673 Table 4.9A, Item 1
{
Conversion Steam-Driven Feedwater Pumps PIA, PIB Table 4.9A, Item 2 Motor-Driven Condensate Pumps P2A, Table 4.9A, Item 3 l
P2B, P2C Emergency Actuation Logic Elements Table 10.A, Item 2 Feedwater Initiation Control Logic Elements Table 10.A, item 3 and Control 4.50
TABLE 14. QUALITY ASSURANCE / ADMINISTRATIVE CONTROL INSPECTION GUIDANCE The failures listed here are the ones which the QA/ Administrative staff can l
affect.
For example, QA should ensure that both regular and post-maintenance surveillance actually test for failure mode of concern for significant equipment. Also, in the case of equipment unavailabilities, administrative control should work to minimize the plant risk.
System Component Discussion DC Power Battery Chargers D03, D04, DOS Table 4.1A, Item 1 Distribution Panels Dil, D21 Table 4.1A, item 2 DC Buses 001, D02 Table 4.1A, Item 3 Panels RS1, RS2, RS3, RS4 Table 4.1A, Ite,a 4 Motor Control Centers B51, B61 Table 4.1A, Item 5 Inverters Y11, Y13, Yd, Y24 Table 4.1A, Item 6 Battery Sets D06, 007 Table 4.1A, Item 7 Transformer Circuit Breakers Table 4.1A, Item 8 i
High Pressure HPI Pumps 36A,B,C Table 4.2A, Item 1 Injection Valves MU-18A,B,C, Table 4.2A, Item 2 Valves MU-20A,B,C, MU-19A,B,C Table 4.2A, Item 3 Valves CV-1407, 1408 Table 4.2A, Item 4 Valves CV-1219, 1220, 1227, 1228 Table 4.2A, Item 5 Valves MU-1211, 1213, 1214, 1215 Table 4.2A, Item 6 Valves BW-2, 3 Table 4.2A, Item 8 Low Pressure Pumps P34A,B Table 4.3A, Items 1,2 Injection Heat Exchangers E35A,B Table 4.3A, Item 1 Valves DH-4A,B,8A,B, 2A,B, 3A,B Table 4.3A, Items 3,7 SWS Valves CV-3840,3841, 3821, 3822 Table 4.3A, Item 4 Valves CV-1405,1406, 1407, 1408, Table 4.3A, Item 5 1400,1401 Valves DH-13A,B,14A,B Table 4.3A, Item 8 Service Water Valves CV-3820,3643 Table 4.4A, Item 1 Valves SW-2A,B,C, 1A,B,C Table 4.4A, Item 2 Pumps 4A,B,C Table 4.4A, Item 3 Valves CV-3540,3642, 3644, 3646 Table 4.4A, Item 4 Valves CV-3641,3645 Table 4.4A, Item 5 Reactor Trip Breakers A,B Table 4.5A, Item 1 Protection Trip Breakers C,0 Table 4.5A, Item 2 Trip Relays Table 4.5A, Item 4 Eme rgency TD Pump P7A Table 4.6A, Item i Feedwater MD Pump P7B Table 4.6A, Item 2 Valves CV-2613, 2663, 2667, 2617 Table 4.6A, Item 3 Valves CV-2800,2802, 2803, 2806 Table 4.6A, Item 4 l
4.51
TABLE 14.
(continued)
System Component Discussion AC Power Load Centers B5,6 Table 4.7A, Item 1-Switchgear A3,4 Table 4.7A, Item 2 MCC B56 Table 4.7A, Item 3 MCC B51,52,61,62 Table 4.7A, Item 4 DG1,DG2 Table 4.7A, Item 5 Safety Relief Pressurizer Relief Valves Table 4.8A, Item 1 Valve Power Control Feedwater Table 4.9A, Item 1 Conversion Valves CV-2623, 2673 Steam-Driven Feedwater Table 4.9A, Item 2 Pumps PIA, PIB Motor-Driven Condensate Table 4.9A, Item 3 Pumps P2A, P28, P2C Emergency Actuation Logic Elements Table 10.A, Item 2 Feedwater Initiation Control Logic Elements Table 10.A. Item 3 and Control m
4.52
REFERENCES Gore, 8. F. and J. C. Huenefeld.
1987. Methodology and Application of Surrogate Plant PRA Analysis to this Rancho Seco Power Plant.
NUREG/CR-4768, PNL-6032. USNRC Region 5, Walnut Creek, California.
Henley, E. J.
1981. Realiability Engineering and Risk Assessment.
Prentice Hall Inc., Englewood, New Jersey.
Higgins, J. C.
1986.
Probabilistic Risk Assessment (PRA) Applications.
NUREG/CR-4372. USNRC Region 1, King of Prussia, Pennsylvania.
Higgins, J. C., J. H. Taylor, A. N. Fresco, and B. M. Hillman.
1987.
Generic Safety Insights for Inspection Boiling Water Reactors.
TANSA0 54, 235 American Nuclear Society, LaGrange Park, Illinois.
Hinton, M. F. and R. E. Wright.
1986.
Pilot PRA Applications Procram for Inspection at Indian Point 2.
EGG-EA-7136. Idaho, Inc., Idaho Fa'ls, Idaho.
Ki rchner, J. R., et al.
1986. An Overview of the Plant Risk Status Information Management System.
J.B.F. Associates, Inc., Knoxville, Tennessee.
Kolb, G.
J., et al.
1982.
Interim Reliability Evaluation Program: Analysis of the Arkansas Nuclear One - Unit 1 Nuclear Power Plant. NUREG/CR-2787, Sandia National Laboratories, Albuquerque, New Mexico.
Russell, K. D., et al.
1987.
Integrated Reliability and Risk Analysis.
Idaho National Engineering Laboratory, Idaho Falls, Idaho.
USNRC Inspection and Enforcement Manual.
1984. Chapter 2515: Operations USNRC Of fice of Inspection and Enforcement, Washington, D.C.
R.1
NUREG/CR-5058 PNL-6394 DISTRIBUTION No. of No. of Copies Copies 0FFSITE OFFSITE U.S. Nuclear Regulatory Commission J. H. Taylor B. K. Grimes Brookhaven National Laboratory OWFN 9A-2 Upton, NY 11973 J. G. Partlow A. Fresco OWFN 9A-2 Brookhaven National Laboratory Upton, NY 11973 F. Congel OWFN 10E-4 M. F. Hinton EG&G Idaho, Inc.
R. Barrett Idaho Falls, ID 83415 OWFN 10A-2 R. Wright A. El Bassioni EG&G Idaho, Inc.
0WFN 10A-2 Idaho Falls, ID 83415 i
10 S. Long 4
Bill Johnson OWFN 10A-2 U.S. Nuclear Regulatory Commission Resident Inspector Office K. Campe ANO-1 OWFN 10A-2 One Nuclear Plant Road Russellville, Arkansas 72801 J. Chung OWFN 10A-2 R. W. Starostecki l
Deputy Assistant Secretary for U.S. Nuclear Regulatory Commission Safety, Health & QA Region i U.S. Department of Energy Washington, DC 20585 S. Collins W. F. Kane G. J. Kolb Sandia National Laboratories D. J. Campbell Albuquerque, NM 87185 JBF Associates, Inc.
1000 Technology Park Center Knoxville, TN 37932 J. C. Higgins Brookhaven National Laboratory Upton, NY 11973 Distr-1
No. of Copies ONSITE 29 Paci fic Nortnwest Laboratory T. T. Claudson L. R. Dodd
- 8. F. Gore (10)
M. S. Harris (2)
C. H. Imhoff P. J. Pelto W. J. Scott B. D. Shipp T. V. Vo (5)
PublishingCoordination(2)
Technical Report Files (5)
Distr-2
1 e,o.. m v i =veu.= n eout.roa v co==.ss.o=
' a.
- oa ' w.. e a *** ** ' *c *~ v +< ' ' * '
- '"',*/d?
UOGRAPHIC DATA SHEET NUREG/CR-5058 sei, sir uceiossosr...ivias PNL-6394
, r,v a.sa...a u 3 a.... <.u PRA Applications Pro m for Inspection at Arkansas Nuclear One
't 1
. o.ri.,cp w.,ario p
vi.,
we,,-
January 1988 i.w r-e 5 T. V. Yo, M. S. Harris, B.
Gore
,,,,, ' f " '"*'*,,,,
March 1988
,.... e.., e
.,,,.. o, ~..., o... ~. e m,
.,. c._
...e.c..r.7..v,,,-....
Pacific Northwest Laboratory 82602[,%.,,,,
.,,,,0, PO Box 999 Richland, WA 99352 s
....;s,e..,mm.,,,....,....,.._.m..,,,,_,..
,g....e....e.,
Division of Reactor Projects fechnical
' ' ' " * " " ' " ' * " ~ ' " ' ~ ~
uclear Regulatory Commission 4
King of Prussia, PA 19406 5/87 to 10/87
- 2 $wP86 5 5 %f..v NOT E$
e o..u.. :1 The ANO-1 PRA has been analyzed to identify pla systems and components important to minimizing public risk, and to identify and pr' y failure modes of these components. This information has been tabul ed, ' nd correlated with inspection modules from the NRC Inspection and Enforce. n't Ma 1.
The report presents a series of tables, organized by system and priorit ied by lic risk, which identify components associated with 98% of the in ectable ri due to plant operation.
The systems addressed, in descending or r of risk im tance, are: DC Power, High Pressure Injection, Low Pressure Inje lon, Service Wa
, Reactor Protection, Emergency Feedwater, Emergency AC Po r, Safety Relief ves, Power Conversion, and Emergency Feedwater Initiation and ntrol. This rankin is based on the Fussel-Vesely measure of ranking importa e applied to core melt obability, i.e., the fraction of the core melt probab' ity which involves failu of the system of interest.
s t e Doc..t % f.%. 6 v5'l - e.
'*0 3S 0
- fC.$
il. v.
(
t*
PRA, risk analysi PRA applications ANO-1, componen important to risk Unlimited
't liCLair v C6 all piCarrC %
g..,..
. ci %r....s o,e. i v
.ti..s Unclassified
- a. v
'nclassified j
....c...c..
)
,..4.
l
UNITED STATES gacet.ouars ctass oais NUCLEAR REGULATORY COMMISSION N5"js%E'5 "
WASHINGTON, D.C. 20555
,,,,, s, o.,
08FICIAL BUSINESS PENALTY FOR PRNATE USE, $300 1I;, '; 3's o7aq77 1 1 ?. 'll n G
. ; c c q 4. v _,.4
((V }C P'
' ', [ [
g
,']I_ { 7, Y "UN
>T R-ppe.a,,;,
"~
' *5HI*3T7N a4
,C
' n S r, 5 O
O cs O
O e
O e
4 M
- D)
O1 a
Ce CD
_