ML20151E011

Impact of Alternate Testing on Component & Sys Availability
ML20151E011
Person / Time
Site: Vermont Yankee
Issue date: 07/15/1988
From: Burns K, Dykes A
PLG, INC. (FORMERLY PICKARD, LOWE & GARRICK, INC.), VERMONT YANKEE NUCLEAR POWER CORP.
To:
Shared Package
ML20151D945 List:
References
NUDOCS 8807250327
Download: ML20151E011 (85)


Text

IMPACT OF ALTERNATE TESTING ON COMPONENT AND SYSTEM AVAILABILITY

By K. J. Burns and A. A. Dykes*

Yankee Atomic Electric Company, Nuclear Services Division, 1671 Worcester Road, Framingham, Massachusetts 01701

* Pickard, Lowe and Garrick, Inc.

6625R/2.169

ABSTRACT

Current Vermont Yankee Technical Specifications require "alternate" testing of certain systems/subsystems when specific other engineered safeguards systems/subsystems are out of service. The systems involved are primarily Emergency Core Cooling and Emergency Electric Power Systems. The tests are required immediately and/or daily after a system or subsystem is declared out of service. This study quantifies the impact of these alternate testing requirements on the availability of the tested systems/subsystems.

Component, subsystem, and system unavailabilities to perform their intended function upon demand are calculated for two representative systems: the Core Spray System and the diesel generators. The analysis accounts for unavailability due to both demand-related and time-related failures. The analysis also accounts for unavailability during repair of failures caused by demand-related, time-related, and test-related mechanisms.

The results show that daily testing results in a higher unavailability than testing performed at a monthly surveillance interval, due to the increased number of demand-related and test-related failures. Sensitivity studies show that these results are valid over a wide range of reasonable input data.

All other systems involved in the alternate testing requirements were reviewed in context of the results obtained for the Core Spray System and diesel generators. This review concluded that the trend for these other systems was the same, i.e., daily testing produces higher unavailability than monthly testing.

The overall conclusion of this study is that removal of the current alternate testing requirements will result in the affected systems being more available to accomplish their safety functions.

TABLE OF CONTENTS

ABSTRACT
LIST OF TABLES
LIST OF FIGURES
1.0 INTRODUCTION
2.0 APPROACH
3.0 CONCEPTS USED IN UNAVAILABILITY ANALYSIS
  3.1 Types of Component Unavailability
  3.2 Types of System Unavailability
  3.3 Types of Component Failures
  3.4 Types of System Failures
4.0 CORE SPRAY SYSTEM
  4.1 System Description
  4.2 Main Components
  4.3 Operating Modes
5.0 CORE SPRAY, SINGLE TRAIN UNAVAILABILITY
  5.1 Unavailability Model
  5.2 Input Data
    5.2.1 Generic Failure Data
    5.2.2 Vermont Yankee-Specific Data
    5.2.3 Human Error Data
  5.3 Results
    5.3.1 Base Case
    5.3.2 Sensitivity Studies
    5.3.3 Individual Component Unavailabilities
6.0 CORE SPRAY, TWO TRAIN UNAVAILABILITY
  6.1 Model
  6.2 Input Data
  6.3 Results
7.0 DIESEL GENERATOR COMPONENT MODEL
8.0 TREATMENT OF COMMON CAUSE FAILURES
9.0 APPLICATION TO OTHER SYSTEMS
  9.1 Diesel Generators
  9.2 Uninterruptable Power Supply
  9.3 Automatic Depressurization System
  9.4 Standby Gas Treatment System
  9.5 Other Pumping Systems
10.0 CONCLUSIONS
11.0 REFERENCES
APPENDICES
  A Fault Tree Model for Core Spray System
  B Description of Observed Failures for Vermont Yankee Core Spray System
  C Diesel Generator Data

LIST OF TABLES

4.1 State of Operable Components in Various Modes
5.1 Components That Contribute to Unavailability of One Train
5.2 Component Contributions to Subsystem Unavailability
5.3 Formulas for Component Unavailability Terms
5.4 Equation for Calculating Total Unavailability for One Train
5.5 Generic Failure Data
5.6 Vermont Yankee Component Failure Data
5.7 Vermont Yankee Component Failure Rates
5.8 Failure Rates Used in Base Case Analysis
5.9 Repair Times Used in Base Case Analysis
5.10 Data Used for Human Error
6.1 Additional Generic Data Used in Two-Train Model
6.2 Data Used for Alternate Power Sources
9.1 Active Components in Safety-Related Systems

LIST OF FIGURES

1-1 Alternate Testing Requirements
3-1 Illustration of Time-Related Unavailability for Different Test Intervals
3-2 Illustration of Time-Related, Demand-Related, and Test-Related Unavailabilities for Different Test Intervals
4-1 Functional Diagram for Core Spray System
5-1 Sensitivity to Test Interval
5-2 Sensitivity to Valve - 11/12 Failure Rate
5-3 Sensitivity to Standby Failure Fraction
5-4 Sensitivity to Test Caused Failures
5-5 Sensitivity to Valve Repair Duration
5-6 Pump Failure Contribution
5-7 MOV-12 Failure Contribution
5-8 Pump and MOV-12 Contributions
6-1 Impact of CCF on CSS Unavailability
7-1 Diesel Generator Unavailability - Sensitivity to Test Interval
7-2 Diesel Generator Unavailability - Sensitivity to Failure Rate
A-1 Core Spray System Fault Tree - Two Trains on Standby

1.0 INTRODUCTION

The Vermont Yankee In-Service Testing Program provides for periodic testing to assure operability of components and systems. The Vermont Yankee Technical Specifications (Reference 1) currently require more frequent, "alternate" testing of certain emergency systems when certain other emergency systems or subsystems are out of service. Most other Boiling Water Reactors (BWRs) do not have these alternate testing requirements, since alternate testing is not a part of the BWR Standard Technical Specifications.

Figure 1-1 shows the current Vermont Yankee alternate testing requirements. As an example, assume one train of the Core Spray System is out of service. Figure 1-1 shows that the other train of core spray must be tested immediately and daily thereafter until the train that is out of service is made operable or until the reactor is shut down by the Limiting Condition of Operation (LCO) time limit. Figure 1-1 shows that LPCI subsystems and the diesel generators must also be tested immediately.

Vermont Yankee has submitted a proposed Technical Specification change (Reference 2) to eliminate these alternate testing requirements.

In order to complete their review of this proposed change, the NRC has requested (Reference 3) additional information that quantifies the effect of alternate testing on component and system availability.

Analyses were performed to quantify the impact of alternate testing on the availability of affected systems. This report presents the results of these analyses.

[Figure 1-1: Alternate Testing Requirements]

2.0 APPROACH

The systems involved in Vermont Yankee's alternate testing requirements can be divided into two major categories:

1. Emergency Core Cooling Systems, consisting mainly of piping, pumps, and valves.
2. Emergency Electric Power Systems.

One representative system from each category was chosen for quantification. They are:

1. Core Spray (Emergency Core Cooling).
2. Diesel Generators (Emergency Electric Power).

Since most affected systems are Emergency Core Cooling Systems, the emphasis of this analysis was on the Core Spray System. The following two situations were analyzed:

1. Availability of one core spray train when the other train is out of service.
2. Availability of both core spray trains when some other system/subsystem is out of service.

These are the two situations whereby a system/subsystem would be tested under the alternate testing requirements.

The diesel generators are treated with a single-component analysis. A single-component model for one diesel generator is quantified to show the impact of alternate testing on diesel generator unavailability.

Based on the results obtained for the Core Spray System and diesel generators, the dominant contributors to unavailability of the system and of individual components are identified. This information is then used to draw conclusions for the other systems listed in Figure 1-1.

The factors considered in this study provide a conservative treatment of the proposed elimination of alternate testing. The benefits of testing, i.e., decreased potential for an undetected failure, are quantified. However, only some of the potential drawbacks are quantified, i.e., increased unavailability due to repair of demand-related and test-related failures. Other drawbacks are not included. This is not because they are less important, but rather because they are very difficult to quantify.

The drawbacks of alternate testing that have not been quantified include:

1. Reduced reliability due to equipment degradation from excessive testing.
2. Potential for unnecessary shutdowns that result in plant transients and challenges to safety systems.
3. Potential for plant transients initiated during surveillance tests.
4. Diversion of operating personnel time and attention.
5. Increased radiation exposure to operating personnel.

These drawbacks have been noted in NUREG-1024 (Reference 7).

Reference 7, in its guidance for enhancing the safety impact of Technical Specifications, states that surveillance frequencies have been established based on deterministic analyses and engineering judgement. It states further that engineering judgement, with the aid of probabilistic studies, should be the basis for any changes.

The analysis presented in this report is a probabilistic study that provides a quantitative basis for the proposed change.

3.0 CONCEPTS USED IN UNAVAILABILITY ANALYSIS

This section defines and explains the main concepts involved in analyzing the unavailability of components and systems.

For this analysis, we define unavailability as follows:

Unavailability of a component or system is the probability that the component or system is unable to accomplish its intended function when actuated.

The types of component unavailability are described below.

3.1 Types of Component Unavailability

Failures - If a component fails to perform its function when actuated, this is termed "failure." The unavailability due to potential failure is expressed as the probability that the component will not perform its function when actuated. There are several types of "failures," as described in Section 3.3.

Test Override - Some components are made unavailable by isolating them during the test. "Test override" refers to the time period in which the normal function of a component is inhibited by the test.

Repair - If a test is performed and a component is failed or damaged, this component must be repaired. The component is unavailable until it is repaired and successfully tested.

Scheduled Maintenance - We assume that unavailability due to scheduled maintenance is independent of the testing policy. This is a conservative assumption, since more frequent testing may actually lead to increased component wear, which in turn would require more maintenance.

Human Error - This refers to the unavailability due to potential human errors which result in failure to restore the component to an operable state after the test.

3.2 Types of System Unavailability

System unavailability is determined by the individual component unavailabilities. System unavailability, however, depends on the alignment or "mode" of a system since each mode may involve different components with different types of unavailabilities. The three main alignments and their sources of unavailability are:

| Alignment | Source of Unavailability |
|---|---|
| Before Test | Potential Failures |
| During Test | Test Override |
| After Test | Repair, Human Error |

3.3 Types of Component Failures

Component failures affect component unavailability in two ways. First, the probability that a failure will occur upon demand or in standby during the interval between tests represents an unavailability of a component to perform its function. Second, a test introduces an unavailability due to the time to repair and restore a failed component to an operable state.

The types of component failures used in this analysis are described below.

Time-Related - These are failures due to some time-related mechanism. We assume that all components are within their design life, such that time-related failures are random in time.

Thus, the failure rate (failures per hour) is assumed to be constant ($\lambda$). The unavailability at time $t$, equal to the probability that a time-related failure will occur before time $t$, is:

$$Q_t(t) = 1 - e^{-\lambda t} \approx \lambda t \quad (\text{for } \lambda t \ll 1)$$

where:

$Q_t \equiv$ unavailability due to potential time-related failure

$\lambda \equiv$ failure rate

$t \equiv$ time since last successful test

Figure 3-1a plots $Q_t$ as a function of time. Note that $Q_t = 0$ after a successful test ($t = 0$) since the test confirms operability, and that $Q_t$ increases linearly with increasing time. Over the time between tests $T$, the average unavailability due to time-related failures is represented by:

$$\bar{Q}_t = \frac{\int_0^T Q_t(t)\,dt}{T} \approx \frac{\int_0^T \lambda t\,dt}{T} = \frac{\lambda T}{2}$$

shown as the dotted line on Figure 3-1a.

Example - If a valve is normally open, there is a chance that dirt could accumulate or corrosion could occur and cause the valve to stick open, failing to close when desired.

If the probability of this occurrence having occurred and remaining undetected increases as time goes on, this is an example of a time-related failure.

This failure mechanism occurs while the valve is in a "standby" mode.

Thus, time-related failures are sometimes called "standby failures." If standby failures are the only source of unavailability considered, then more frequent testing would reduce unavailability.

This is clear from Figure 3-1b, which shows that the average unavailability for the jagged Q curve is smaller than that for the triangle in Figure 3-1a.

Demand-Related - Demand-related failures are attributable to the shock or transition that occurs when a component is demanded. Each time the component is demanded, it has a probability of failure due to a demand-related mechanism.

This probability is independent of the elapsed time since the last successful test.

If a failure occurs during a test, and the component is repaired, the probability of another failure at the next test (regardless of when it is performed) remains the same (equal to the failure rate per demand).

Example - Each demand of a motor-operated valve imposes certain stresses on the valve and its motor operator. Thus, each demand has the potential to cause a failure due to mechanisms such as vibration and excessive torque.

Such failures are demand-related failures and are independent of standby-time.

Test-Related - Test-related failures are attributed to degradation of a component that requires repair, but would not have prevented the component from performing its safety function. The degradation is a result of the test demand.

For the purposes of this analysis, test-related failures are not considered functional failures. Functional failures are failures that prevent the component from performing its safety function.

In this analysis, all functional failures are classified as either time-related or demand-related.

Example - A valve is normally open and remains open to satisfy its safety function.

If a test closes the valve but fails to fully reopen it, the component will be declared inoperable and repaired. This is a test-related failure of the component since the safety function was not affected before the test (valve open), may not have been affected after the test (valve mostly open), but required a repair time for which the component was unavailable.

At each test, a component can be found failed due to either time-related, demand-related, or test-related mechanisms. Regardless of the mechanism, the component will be unavailable during the repair time.

Unavailability during the repair time is determined by the probability that a failure will be found at the test and by the repair time itself.

Thus, if a random demand of a component were to occur, the component can be unavailable for three main reasons:

1. The component failed in standby, or
2. The component failed on demand, or
3. The component is under repair.

This is illustrated schematically in Figure 3-2a.

Figure 3-2b shows that more frequent testing results in more repair of demand-related and test-related failures, both of which are a result of the test demand.

The average unavailability of a component or system is minimized when the sum of standby unavailability and repair unavailability is minimized. Any decrease in test interval involves a trade-off between decreasing the standby unavailability and increasing the repair unavailability.
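The trade-off described above can be worked through numerically. The following Python sketch is an added example, not part of the original report: it assumes a simplified first-order model (the average standby term from Section 3.3, a constant demand term, and a repair term equal to the probability of finding a failure at a test times repair time over test interval) rather than the report's Table 5.3 formulas, and every input value is constructed for illustration.

```python
"""Average unavailability of one standby component versus test interval.

Added illustration: a simplified first-order model, NOT the report's own
Table 5.3 formulas. All numeric inputs below are constructed.
"""
import math
from dataclasses import dataclass

DAILY_H = 24.0           # daily "alternate" test interval, hours
MONTHLY_H = 30 * 24.0    # monthly surveillance interval, hours


@dataclass(frozen=True)
class Component:
    standby_rate: float      # lambda: time-related failures per hour in standby
    demand_prob: float       # functional failure probability per demand
    test_caused_prob: float  # probability a test causes damage needing repair
    repair_hours: float      # mean time to repair and retest


def standby_term(c: Component, interval_h: float) -> float:
    """Exact average of Q_t(t) = 1 - exp(-lambda*t) over one test interval.

    Reduces to lambda*T/2 when lambda*T << 1.
    """
    x = c.standby_rate * interval_h
    if x == 0.0:
        return 0.0
    return 1.0 - (-math.expm1(-x)) / x


def repair_term(c: Component, interval_h: float) -> float:
    """Fraction of time spent under repair after a test finds a failure.

    The probability of finding a failure at a test (time-, demand- and
    test-related contributions summed to first order) is multiplied by the
    repair time and spread over the test interval.
    """
    p_time = -math.expm1(-c.standby_rate * interval_h)
    p_found = min(1.0, p_time + c.demand_prob + c.test_caused_prob)
    return min(1.0, p_found * c.repair_hours / interval_h)


def average_unavailability(c: Component, interval_h: float) -> float:
    """Sum of the three reasons listed in the text: standby, demand, repair."""
    total = standby_term(c, interval_h) + c.demand_prob + repair_term(c, interval_h)
    return min(1.0, total)


def optimal_interval(c: Component) -> float:
    """Interval minimising the linearised model.

    Q(T) ~ lambda*T/2 + q_d + lambda*tau + (q_d + q_test)*tau/T, so
    dQ/dT = 0 gives T* = sqrt(2*tau*(q_d + q_test)/lambda).
    """
    burden = c.repair_hours * (c.demand_prob + c.test_caused_prob)
    return math.sqrt(2.0 * burden / c.standby_rate)


# Constructed components: same demand and test-caused probabilities and the
# same repair time, differing only in standby failure rate.
DEMAND_DOMINATED = Component(1e-6, 3e-3, 2e-3, 12.0)
STANDBY_DOMINATED = Component(1e-4, 3e-3, 2e-3, 12.0)


def compare(c: Component) -> dict:
    """Unavailability at daily, monthly and model-optimal intervals."""
    t_opt = optimal_interval(c)
    return {
        "daily": average_unavailability(c, DAILY_H),
        "monthly": average_unavailability(c, MONTHLY_H),
        "optimal_interval_h": t_opt,
        "optimal": average_unavailability(c, t_opt),
    }


if __name__ == "__main__":
    for name, comp in (("demand-dominated", DEMAND_DOMINATED),
                       ("standby-dominated", STANDBY_DOMINATED)):
        r = compare(comp)
        print(f"{name}: daily={r['daily']:.2e} monthly={r['monthly']:.2e} "
              f"T*={r['optimal_interval_h']:.0f} h Q(T*)={r['optimal']:.2e}")
```

With the constructed inputs, the component with the low standby failure rate is less available under daily testing than under monthly testing, while the component with the high standby failure rate shows the opposite; which regime applies depends entirely on the input data.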

3.4 Types of System Failures

System failures can result from individual component failures or from combinations of component failures. Components can fail due to time-related or demand-related failures, thus causing time-related or demand-related failures of the system.

Test-related failures of components result in test-related failures of the system. However, test-related failures of the system can also result from time-related and demand-related failures of components which are only required to perform the test, but are not required for the system to accomplish its safety function.

Example - A system has a valve which is used only for tests. The valve is normally closed to allow emergency flow to the core, but opens during a flow test to cause water to flow back to its source through the test line. This normally closed valve is in its safety position while closed. Any failure (time-related, demand-related, or test-related) of this valve which occurs during the test requires that the system be declared inoperable and repaired. This is a test-related failure of the system.

[Figure 3-1: Illustration of Time-Related Unavailability for Different Test Intervals. a) Test Interval T; b) Test Interval T/3. Horizontal axis: Time; the average unavailability is marked in each panel. Assumptions: test and repair times are neglected; other types of unavailabilities are not presented.]

[Figure 3-2: Illustration of Time-Related, Demand-Related and Test-Related Unavailabilities for Different Test Intervals. a) Test Interval T; b) Test Interval T/3. Horizontal axis: Time; the average unavailability is marked in each panel. Legend, contributions to unavailability: Time-Related Failures; Repair of Test Introduced Demand Failures; Demand-Related Failures; Repair of Test-Related Failures; Repair of Time-Related Failures.]

4.0 CORE SPRAY SYSTEM

4.1 System Description

The function of the Core Spray System is to inject water into the core during a Loss-of-Coolant Accident (LOCA). The system has two independent trains, as shown in the schematic Figure 4-1.

The main components in a single train of the Core Spray System are described below.

4.2 Main Components

Pump Suction Valve (V-7) - This valve is normally open and is controlled by a keylock switch in the Control Room. With this valve open, the core spray pump draws suction from the suppression pool.

Manual Pump Suction Valve (V-8) - This valve is normally closed, allowing pump suction from the suppression pool. This valve is only opened (and V-7 closed) during plant shutdown to allow testing of the system with pump suction from the Condensate Storage Tank (CST). This test during plant shutdown injects water into the reactor vessel, hence, demineralized water from the CST is preferred.

Core Spray Pump - Each pump (a vertically mounted centrifugal type) delivers about 3,000 gpm at design conditions. This pump is normally on standby. An accident initiation signal (low-low reactor vessel water level and low reactor pressure, or high drywell pressure) actuates the pump motor and starts the pump. During a flow test of the system, this pump is started and run, and the design flow rate is verified.

Test Bypass Valve (V-26) - This valve is normally closed. During a flow test of the system, this valve is opened to allow flow that is taken from the suppression pool to be returned to the suppression pool. This valve receives a "close and do not open signal" whenever an accident signal is present. During a flow test, if there is no accident signal, this valve can be opened and throttled to achieve the design flow rate.

Pump Discharge Bypass Valve (V-5) - This valve is normally open.

Its purpose is to provide a minimum flow bypass to prevent the pump from overheating. This protection is needed whenever the pump starts and the discharge valve (V-12) and the test valve (V-26) are closed.

Once the discharge line flow of the core spray pump reaches about 300 gpm, the V-5 valve is automatically closed.

Inboard Discharge Valve (V-12) - This valve is normally closed.

When an actuation signal is received and reactor pressure is reduced below the 350 psig low pressure permissive, V-12 opens to allow water to enter the reactor vessel.

Outboard Discharge Valve (V-11) - This valve is normally open.

It cannot be cycled when a system actuation signal is present.

It is closed for testing of the V-12 valve, and can only be reopened when V-12 is closed or when the system actuation signal is present.

Manual Isolation Valve (V-14) - This valve is located inside the drywell and is normally locked open.

4.3 Operating Modes

There are four major "modes" or alignments for the Core Spray System, namely:

1. Standby.
2. Injection.
3. Flow Test.
4. Valve Test.

Standby

Standby is the normal mode, when there is no test or accident signal. This is the mode shown in Figure 4-1. The states of all active components for this mode are summarized in Table 4.1.

Injection

Injection is the mode under which core spray satisfies its safety function of providing water to the reactor vessel. The states of all active components for this mode are summarized in Table 4.1.

Comparing the standby mode to the injection mode, we see three changes for injection to occur:

1. The pump must start and run.
2. V-5 remains open for a time, then closes.
3. V-12 must open.

Flow Test

The component states during the full flow test are summarized in Table 4.1.

Comparing the flow test mode to the injection mode, we see two changes for injection to occur:

1. V-26 must close.
2. V-12 must open.

Valve Test

During the valve tests, the system is in standby mode except for the valves which are being tested at a given point in time. Valves V-5 and V-26 are cycled one at a time such that only one valve would not be in its standby position at any time.

Valve V-11 must be closed for V-12 to be tested. Thus, there is some time when both Valves V-11 and V-12 are not in their standby positions.

All of these valves (V-5, V-26, V-11, and V-12) receive signals to move to their safety positions upon an accident signal.

For the Core Spray System, the unavailability due to "test override" is negligible. This is because all components receive actuation signals during the test and are designed to be able to respond. A small "test override" unavailability during the test is expected due to potential failures of components, which must change state to go from test to injection mode, but would not have needed to change state to go from standby to injection mode.

This, as well as other sources of unavailability, are accounted for in the model described in Section 5.

TABLE 4.1 State of Operable Components in Various Modes

| Component | Standby | Injection | Flow Test | Valve Test |
|---|---|---|---|---|
| V-7 | Open | Open | Open | Open |
| V-8 | Closed | Closed | Closed | Closed |
| Pump | Idle | Running | Running | Idle |
| V-26 | Closed | Closed | Open | Open/Closed |
| V-5 | Open | Open/Closed | Open/Closed | Closed/Open |
| V-12 | Closed | Open | Closed | Open/Closed |
| V-11 | Open | Open | Open | Closed/Open |
| V-14 | Open | Open | Open | Open |

Valves shown as open/closed and closed/open are cycled one at a time during valve testing.

[Figure 4-1: Functional Diagram for Core Spray System]

5.0 CORE SPRAY, SINGLE TRAIN UNAVAILABILITY

5.1 Unavailability Model

This section addresses the Technical Specification requirement to test one train of the Core Spray System when the other train is out of service.

As shown in Section 4, there are no redundant components within a single train of the Core Spray System. Therefore, we can identify the following for each alignment of a single core spray train:

o Components that must change state for injection to occur.
o Components that change state during the tests, hence, have the potential for a failure that requires repair.

Components in each of these categories, for each alignment, are summarized in Table 5.1.

Recall from Section 2.0 that:

1. Components that need to change state for injection have an unavailability due to failure upon demand, or due to time-related failures that have occurred while in standby. "Failure" here means functional failure, hence, includes only time-related and demand-related failures.
2. Components that are exercised during the test can fail and require repair due to time-related, demand-related, and test-related causes.

With this in mind, we list all contributions to unavailability of one train in Table 5.2. The equations used to calculate the different types of unavailability are shown in Table 5.3.

The total unavailability of one train is the sum of the standby, flow test, and valve test contributions since an actuation signal can occur while in any of these modes. The formulas given in Table 5.3 are used to calculate the individual contributions. The sum total is represented by the equation shown in Table 5.4. Input data for this equation are described in Section 5.2.

5.2 Input Data

Data are required for the pumps and valves of the Core Spray System. Data for each component are input to the model. The output of the model is unavailability for each component and for the system.

5.2.1 Generic Failure Data

Generic data were obtained from Reference 4. The data represent an average over many plants (BWR and PWR) and over many systems. Data are provided for each "type" of component.

For our purposes, the applicable generic failure data include:

o Failure of a Motor-Operated Valve (MOV) to open or close.
o Failure of a standby motor-driven pump to start.
o Failure of a standby motor-driven pump to continue to run once started.

The generic data are given in the form of a distribution characterized by a mean, median, 5th and 95th percentile. Values from Reference 4 are presented in Table 5.5.

5.2.2 Vermont Yankee-Specific Data

Vermont Yankee plant-specific data are more appropriate than generic data for a [illegible] analysis. However, the number of plant-specific demands and observed failures are small compared to the generic totals. Thus, the distribution of plant-specific failure rates is more difficult to characterize.

Our approach war to first tabulate the Vermont Yankee-specific data.

We then "updated" the generic data with plant-specific date using Payesian calculations (Reference 4).

The result is a probability-of-failure-distribution that reflects the observed Vermont Yankee failure data.

Ver, ant Yankee data were gatbared by reviewing core spray test results and component failure records. A summary of the observed failure data is shown in Table 5.6.

Table 5.6 groups the Vermont Yankee failure data into three "types" of components:

1. V-11, V-12. The V-11 and V-12 (discharge line) valves are both high speed, 8" motor-operated gate valves. Thus, a single failure rate is used to represent both valves.

2. V-5, V-26. The V-5 (minimum flow bypass valve) is a 3" gate valve, and the V-26 (full flow test valve) is an 8" globe valve. These valves are grouped together to differentiate them from the V-11 and V-12 valves, since V-5 and V-26 operate with slower stem speed. A single failure rate is used to represent the V-5 and V-26 valves.

3. Core spray pump, failure to start. No failures to run were observed.

For each type of component, failures were further categorized as to whether they were time-related, demand-related, or test-related. This categorization was based on a review of the maintenance records for each failure, which identify the root cause for failure. Appendix B discusses each failure and the reasons for its classification.

Table 5.7 shows the Vermont Yankee-specific component failure rates based only on plant data. Table 5.8 shows the failure rates obtained by the Bayesian update, which are used as the base case in this study. Table 5.9 shows the repair durations used for the base case analysis.

5.2.3 Human Error Data

The model accounts for the potential for human error during testing that leaves the system in an inoperable state following the completion of the test. A potential inoperable state is misalignment or de-energization of a critical component.

For this study, the human error rate for these types of failures was based on Reference 6.

The Core Spray System surveillance does not require that the components be de-energized. Some valves are cycled out of their standby position, but in the event of a true demand, the actuation signal causes them to realign automatically. Given the robustness of the system with respect to human error, the failure rate is based on one error of omission, with two levels of checking, following a written procedure.

Table 5.10 contains the applicable data and results.

5.3 Results

Using the model of Section 5.1 with the data of Section 5.2, the unavailability of a single train of core spray was quantified for various test intervals. This section presents the results.

5.3.1 Base case

Figure 5-1 shows the average unavailability over the test interval as a function of test interval for the base case input data of Section 5.2.

The unavailability decreases sharply with increasing test interval over the one-day-to-several-week portion of the curve. Unavailability reaches its minimum with approximately one month between tests. For longer test intervals, unavailability increases slowly.

We see from this figure that the average unavailability is higher for a daily test than for a monthly test. This difference represents the gain in availability for one train of core spray due to eliminating daily alternate tests and instead testing only periodically at the current monthly interval.

Higher unavailability for daily tests is due to the increase in repair of demand-related and test-related failures. These failures are a direct result of the test demand.

5.3.2 Sensitivity studies

Additional calculations were performed to investigate the sensitivity of the results to the input data used. Important input parameters were varied one at a time over a range of reasonable values. Results of these sensitivity studies are presented in Figures 5-2 through 5-5.

Figure 5-2 varies the functional failure rate for V-11 and V-12. This failure rate includes both time-related and demand-related failures. We see that for all values of the failure rate considered, daily testing produces higher unavailability than monthly testing. This difference increases as the total failure rate increases.

Figure 5-3 varies the time-related (standby) failure fraction, f_s, from 0 to 1. With f_s = 0, all functional failures are demand-related. With f_s = 1, all functional failures are time-related. We see from Figure 5-3 that daily testing produces higher unavailability for all values of f_s. Even if all failures were time-related (f_s = 1), the unavailability for daily testing is greater than for monthly. This is due to test-related failures.

Figure 5-4 varies the failure rate for test-related failures. We see that daily testing produces higher unavailability than monthly testing over the range of test-related failure rates considered. This difference becomes greater as the test-related failure rate is increased. Even if the test-related failure rate is very small, the curve for daily testing is still higher due to demand-related failures.

Figure 5-5 varies the duration for repair of failures. We see that the unavailability for daily testing is higher than for monthly testing, even for unrealistically low repair times. The additional unavailability due to daily testing increases with increasing repair time.

5.3.3 Individual component Unavailabilities

For one core spray train in standby mode, the two components that must change state for injection to occur are the pump and V-12. The contributions to unavailability of these two important components are discussed below.

Figure 5-6 shows the results for a single core spray pump. We see that the "standby" contribution increases as the test interval increases. This is expected since the probability of time-related failures is increasing. However, the "test" contribution decreases as the test interval increases. This is because the probability per test of demand-related and test-related failures is constant; hence, the unavailability due to repair of these failures decreases as the test is performed less often. These two effects combine to yield a total unavailability that decreases rapidly as the test interval is increased up to about 20 days. The unavailability then increases slowly as the test interval increases beyond one month.

Figure 5-7 plots the same type of information for V-12. The overall trends are the same.

Note, also, that the overall trends for one train of the Core Spray System are the same as for the individual components. Figure 5-8 plots the results for the pump, V-12, and the complete train. At long test intervals (>30 days), the system unavailability is equal to the sum of the pump and V-12 contributions. However, for short test intervals, the total unavailability is much larger than the sum of the pump and V-12 contributions. This implies that for short test intervals, failures of other components contribute significantly to the subsystem unavailability. These other component failures can be considered test-related failures, since these components are not normally required for core spray to accomplish its safety function. They are required only for testing purposes.

As stated above, consideration of only the pump and V-12 components accurately characterizes the unavailability of a single train of the Core Spray System for long test intervals. However, for short test intervals, consideration of only the pump and V-12 underestimates the unavailability of a single train. Thus, consideration of only the pump and V-12 leads to a conservative estimate of the increased unavailability in going from long to short test intervals. This conclusion is noted since it is applicable to other systems. That is, we can simplify the analysis for other systems by only considering those components that must change state for the system safety function to be accomplished. Consideration of components that change state only during the test will result in even higher unavailability for short test intervals.
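The standby-versus-test trade-off described for V-12 can be worked through numerically. The following is an added example, not code from the report: it uses the Table 5.8 and Table 5.9 base-case values for V-11/V-12 and the valve terms of Table 5.3 as read here (demand term Q_D, average standby term λT/2, repair term (2Q_D + λT + Q_T)·T_R/T). The class and function names, the 30-day reference interval, and the way the functional failure rate is split into Q_D and λ by the time-related fraction are assumptions of this example.

```python
from dataclasses import dataclass, replace
from math import inf, sqrt

HOURS_PER_DAY = 24.0
DAILY = 1 * HOURS_PER_DAY
MONTHLY = 30 * HOURS_PER_DAY  # ASSUMPTION: "monthly" taken as 30 days


@dataclass(frozen=True)
class Valve:
    q_functional: float   # mean functional failure rate per demand (Table 5.8)
    f_time: float         # time-related fraction of functional failures (Table 5.8)
    q_test: float         # test-related failure probability per test (Table 5.8)
    repair_h: float       # time to repair T_R in hours (Table 5.9)
    ref_interval_h: float = MONTHLY  # ASSUMPTION: data reflect monthly testing

    @property
    def q_demand(self) -> float:
        # ASSUMPTION: demand-related share of the functional failure rate.
        return (1.0 - self.f_time) * self.q_functional

    @property
    def standby_rate(self) -> float:
        # ASSUMPTION: lambda is chosen so that lambda * T_ref / 2 equals the
        # time-related share of the functional failure rate.
        return 2.0 * self.f_time * self.q_functional / self.ref_interval_h


def unavailability_terms(v: Valve, interval_h: float) -> dict:
    """Average unavailability contributions over one test interval T."""
    lam, qd = v.standby_rate, v.q_demand
    return {
        "demand": qd,                          # fails on the actual demand
        "standby": lam * interval_h / 2.0,     # failed undetected since last test
        # Out of service for repair after a test that found or caused a failure:
        # two test demands (open, close), standby failures revealed, test-related.
        "repair": (2.0 * qd + lam * interval_h + v.q_test) * v.repair_h / interval_h,
    }


def total_unavailability(v: Valve, interval_h: float) -> float:
    return sum(unavailability_terms(v, interval_h).values())


def optimal_interval_hours(v: Valve) -> float:
    """Interval minimising the total: d/dT [lam*T/2 + (2Qd+Qt)*T_R/T] = 0."""
    lam = v.standby_rate
    if lam == 0.0:
        return inf  # no standby failures: testing less often is always better
    return sqrt(2.0 * (2.0 * v.q_demand + v.q_test) * v.repair_h / lam)


def daily_penalty(v: Valve) -> float:
    """Extra unavailability from daily instead of monthly testing."""
    return total_unavailability(v, DAILY) - total_unavailability(v, MONTHLY)


def penalty_vs_repair(v: Valve, repair_hours) -> list:
    """Daily-testing penalty for a range of repair durations (cf. Figure 5-5)."""
    return [daily_penalty(replace(v, repair_h=h)) for h in repair_hours]


# Base-case inputs for V-11/V-12 from Tables 5.8 and 5.9.
V12 = Valve(q_functional=2.1e-3, f_time=0.2, q_test=2.5e-3, repair_h=15.0)

if __name__ == "__main__":
    for label, t in (("daily", DAILY), ("monthly", MONTHLY)):
        terms = unavailability_terms(V12, t)
        print(label, {k: f"{x:.2e}" for k, x in terms.items()},
              f"total={sum(terms.values()):.2e}")
    print(f"optimum interval = {optimal_interval_hours(V12) / HOURS_PER_DAY:.1f} days")
    for h, p in zip(range(4, 29, 4), penalty_vs_repair(V12, range(4, 29, 4))):
        print(f"repair {h:2d} h: daily penalty {p:.2e}")
```

Under these assumptions the repair term dominates at a one-day interval and the standby term dominates at long intervals, which is the shape the section describes for Figures 5-6 and 5-7.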

TABLE 5.1

Components That Contribute to Unavailability of One Train

Alignment: Standby
  Components that change state for injection: V-12 (fail to open); Pump (fail to start)*

Alignment: Flow Test
  Components that change state for injection: V-26 (fail to close); V-12 (fail to open); Pump (fail to run)**
  Components that change state during test: V-5 (fail to close or open); V-26 (fail to open or close); Pump (fail to start or run)

Alignment: Valve Test
  Components that change state for injection: V-26 (fail to close); V-11 (fail to open); V-12 (fail to open); Pump (fail to start)
  Components that change state during test: V-5 (fail to close or open); V-26 (fail to open or close); V-11 (fail to close or open); V-12 (fail to open or close)

NOTE: V-5 is the minimum flow bypass valve. The function of this valve is to prevent the pump from overheating while the pump discharge valve is closed. We assume that failure of V-5 would not result in failure of the pump.

* Actually, the pump must start and run to successfully accomplish its safety function. We assume that failures of the pump to run once started depend only on mechanisms that occur while the pump is running, and are independent of mechanisms that occur while in standby or resulting from the shock of startup. This means that the probability of the pump to run once started does not depend on when the test was last performed. Thus, failures to run once started under an actual accident demand are not affected by the testing policy.

** Failures of the pump to continue to run once started are considered under the flow test alignment since these failures affect the testing policy. If the pump fails to run for the duration of the flow test, it is taken out of service and repaired. The pump is unavailable during this repair duration. Thus, failures to run during the test affect the unavailability of the pump to perform its function if an actual accident demand were made.

TABLE 5.2

Component Contributions to Subsystem Unavailability

Standby Alignment
  V-12   Demand-related and time-related failures.
  Pump   Demand-related and time-related failures to start.

Flow Test Alignment
  V-26   Fail to close while misaligned.
  V-5    Repair of demand-related, time-related, and test-related failures.
  V-26   Repair of demand-related, time-related, and test-related failures.
  Pump   Repair of demand-related, time-related, and test-related failures to start and failures to run.
  NOTE: V-12 fail to open contribution was already accounted for in standby alignment. V-12 remains on standby during the flow test.

Valve Test Alignment
  V-26   Fail to close while misaligned.
  V-11   Fail to open while misaligned.
  V-5    Repair of demand-related and test-related failures.
  V-26   Repair of demand-related and test-related failures.
  NOTE: V-5 and V-26 time-related failure repair contributions were accounted for in flow test alignment.
  V-11   Repair of demand-related, time-related, and test-related failures.
  V-12   Repair of demand-related, time-related, and test-related failures.
  NOTE: Pump fail to start contribution was already accounted for in standby alignment. Pump remains on standby during the valve test.

TABLE 5.3 Formulas for Component Unavailability Terms Unavailability Equation Explanation Demand-Related Failure Q

N failur'e rais per demand.

D D

Time-Related Failure at Time t Q (t) = At Q

E probability that failure has occurred g

sometime before t (see Section 3.3).

A E

standby failure-rate (per hour).

Average Time-Related Unavailability g,M Over Test Interval t

2 T

E test interval.

Avarage Demand-Related Valve T

me va ve s a spos M oned during test.

t t

Unavailability While Mispositicaed QDT During Test T

8 Average Valve Unavailability R

[2QD + AT + Q ] T 2Q E

probability of ?

J...d-related failure Due to Repair T

D 6

6 dM.

AT E

probability of time-related failure before. test at time T.

Q Probability of test-related failure T

(per test).

T time to repair component.

R Avsrage Pump Unavailability R

Due to Repair D+

+OT + Yt] E A

run-related failure rate (per hour).

=

R T

E time pump is run during test. 6625R/2.169 y

3_,

TABLE 5.4 Equation for Calculating Total Unavailability for One Train Total unavailability for one train.

Qtot

=

(QD+

)

V-12 standby.

+ IQD. start +

)

Pump standby.

T

+ (Q

]

V-26 failure while misaligned for flow test.

D T

+ ((2QD+

+9)

)

V-5 repair after flow test.

T T

+ [(2QD + AT + Q )

]

V-26 repair after flow test.

T T

+ ((QD^

  • 9T + Y t)

Pump repair after flow test.

T

+ (Q

]

V-26 while misaligned for valve test.

D T

+ [Q

]

V-11 while misaligned for valve test.

D TR D + N ) p)

V-5 repair after valve test.

+ ((2Q T

TR

+ ((2QD+OT T]

V-26 repair after valve test.

T

+ [(2QD+

+O)

}

V-Il repair after valve test.

T T

+ [(2QD+

+S repa r a er va ve est.

T

+ Human Error Probability of undetected human error that leaves one train inoperable.

NOTEt Values of QD* A* QT* T, and Tt are different for different R

components.

4 96 s

TABLE 5.5

Generic Failure Data**

                                                                                       Percentile
Component                   Failure Mode                         Units                 Mean     5th      50th     95th
Motor-Operated Valve        Fail to Open or Close Upon Demand*   Failures per Demand   4.3E-3   7.3E-4   2.8E-3   1.1E-2
Standby Motor-Driven Pump   Fail to Start Upon Demand*           Failures per Demand   3.3E-3   2.2E-4   1.6E-3   1.0E-2
Standby Motor-Driven Pump   Fail to Run                          Failures per Hour     3.4E-5   2.8E-6   1.8E-5   8.2E-5

* Failure upon demand does not reflect cause of failure. The cause can be due to demand-related or time-related mechanisms.

** From Reference 4.

TABLE 5.6

Vermont Yankee Component Failure Data (Core Spray System)

Date      MR No.    Component   Failure Description; Failure Type
2/1/74    74-0174   11A         Motor burned up while opening. Drive motor gear key jam. Demand-Related
2/5/74    74-0198   11A         Motor burned out due to torque switch failure after valve successfully closed. Test-Related
12/8/74   74-1744   11B         Motor overload alarm and smoke due to torque switch failure after valve successfully closed. Test-Related
7/8/75    75-0793   11B         Motor burned out due to torque switch failure after valve successfully closed. Test-Related
2/2/76    76-0186   11A         Motor casing broke off and fell to floor. Demand-Related
9/5/87    87-2130   11A         Locked motor rotor while closing. Valve binding due to burrs on wedge guide. Demand-Related (0.5), Time-Related (0.5)
3/31/88   88-0756   11B         Motor failure while closing. Loose motor pinion gear key. Demand-Related
12/8/87   87-3122   5A          Motor ground. Insulation damaged due to pinching. Demand-Related
2/3/88    88-0243   26A         Valve stops at intermittent position and will not fully close. Test-Related
6/6/84    84-0806   Pump A      Power cable found with slice in insulation. Incipient failure. Assigned a 0.1 potential for failure.

TABLE 5.7

Vermont Yankee Component Failure Rates

               Number of      Time-Related    Number of      Number of      Functional         Test-Related
               Functional     Fraction (2)    Test-Related   Test Demands   Failure Rate (5)   Failure Rate
Component      Failures (1)                   Failures       (4), (5)
V-11, V-12     4              0.5/4 = 0.12    3              2388           1.7E-3/demand      2.5E-3/test
V-5, V-26      1              0               1              2388           4.2E-4/demand      8.4E-4/test
Pump (Start)   0.1            (3)             0              565            1.8E-4/demand      1.0E-3/test (6)
Pump (Run)     0                              0              141 operating hours

(1) Functional failures include demand- and time-related failures.

(2) Time-related fraction = (time-related failures)/(functional failures).

(3) No evidence to support calculation of time-related fraction.

(4) Plant to-date estimate, based on average number of tests per year for 1983-1988.

(5) Valves have two demands (open, close) per test.

(6) Evidence for test-related failure rate is <1.8E-3. We assume 1.0E-3 per test.

TABLE 5.8

Failure Rates Used in Base Case Analysis

               Mean Functional    Percentiles (1)              Time-Related   Test-Related
Component      Failure Rate (1)   5th      50th     95th       Fraction (2)   Failure Rate (2)
V-11, V-12     2.1E-3             8.3E-4   1.7E-3   3.2E-3     0.2            2.5E-3
V-5, V-26      1.2E-3             2.5E     9.5E-4   2.1E-3     0.2            8.4E-4
Pump (Start)   1.1E-3             1.6E-4   7.1E-4   2.8E-3     0.5            1.0E-3
Pump (Run)     3.4E-5             2.8E-6   1.8E-5   8.1E-5

(1) Generic data "updated" by Vermont Yankee data.

(2) Vermont Yankee data (no generic data available).

TABLE 5.9

Repair Times* Used in Base Case Analysis

Time to Repair Pump                    20 Hours
Time to Repair Motor-Operated Valve    15 Hours

* Assumed values. Plant-specific valve repair times ranged from 12 hours to 76 hours. No pump failures were observed in plant-specific data. Applicable generic data (Reference 4) for mean time to repair was 18.9 hours for a motor-operated valve and 28.7 hours for a pump.

TABLE 5.10

Data Used for Human Error*

                                                          NUREG/CR-1278       Human Error Rate
Description                                               Table Reference     Per Demand
Error of Omission, Procedure With Checkoff,               20-7, Item (2)      .003
  Long List >10 Items
Failure to Detect Error, Checking Routine Tasks,          20-22, Item (1)     .1
  Checker Using Written Materials
Failure to Detect Error, Second Checker, Routine Task     20-22, Item (8)     .5

Resultant Human Error = (.003)(.1)(.5) = 1.5E-4/test

* From Reference 6.

[FIGURE 5-1. One CSS train, independent failures. X-axis: test interval (days). Y-axis: average unavailability upon demand.]

[FIGURE 5-2: SENSITIVITY TO VALVE-11/12 FAILURE RATE. One CSS train, independent failures. X-axis: log of failure rate. Series: daily tests, monthly tests.]

[FIGURE 5-3: SENSITIVITY TO STANDBY FAILURE FRACTION. One CSS train, independent failures. X-axis: fraction time-related standby failures. Series: daily tests, monthly tests.]

[FIGURE 5-4: SENSITIVITY TO TEST CAUSED FAILURES. One CSS train, independent failures. X-axis: log (prob of test caused failures). Series: daily tests, monthly tests.]

[FIGURE 5-5: SENSITIVITY TO VALVE REPAIR DURATION. One CSS train, independent failures. X-axis: repair duration (hours). Series: daily tests, monthly tests.]

[FIGURE 5-6: PUMP FAILURE CONTRIBUTION TO CORE SPRAY UNAVAILABILITY. X-axis: test interval (days). Series: flow test, standby, total.]

[FIGURE 5-7: MOV-12 FAILURE CONTRIBUTION TO CORE SPRAY UNAVAILABILITY. X-axis: test interval (days). Series: flow test, standby, total.]

[FIGURE 5-8. Y-axis: average unavailability upon demand.]

6.0 CORE SPRAY, TWO TRAIN UNAVAILABILITY

If a train of either the diesel generators or LPCI is inoperable, Figure 1-1 shows that the Core Spray System must be tested daily. This section calculates the change in unavailability of both core spray trains due to a change in test interval.

6.1 Model

The two-train model follows the same general approach that was used for a single train. In the two-train model, we are concerned with three categories of components:

1. Components that need to change state for injection to occur.

2. Components that are exercised during the test.

3. Components not affected by the test, such as the actuation signal and passive failures.

Category 1 components can cause unavailability upon demand due to demand-related or time-related mechanisms. Category 2 components can cause unavailability by requiring repair after the test.

Category 3 components are included in the two-train model of core spray because their failure in one train, coupled with an active or tested component failure in the other train, can result in a significant fraction of the system's unavailability.

Passive failures include spurious trips of circuit breakers, pipe breaks, and loss of the emergency buses for other than active component mechanisms. A combination of one Category 1, 2, or 3 component failure in one train with a Category 1, 2, or 3 component failure in the other train will make the system unavailable.

All combinations of components that could fail the system were developed using the fault trees in Appendix A. The sum of all these failure modes (cut sets) is quantified to yield the total system unavailability, including the standby (between tests), flow test, and valve test contributions.

Common cause failure of identical components was considered in this analysis. That is, single-component cut sets were used to account for single common cause mechanisms that could fail two identical components (one in each train). The common cause event failure rates were calculated using the beta factor model (Reference 5).

6.2 Input Data

Data used to quantify the one-train model were used for the two-train model as well. Generic data (Reference 4) were used to account for common cause and for support system (electrical power systems) failure rates. These additional generic data used in the two-train model are shown in Tables 6.1 and 6.2.

6.3 Results

The results for unavailability of both trains of the Core Spray System are shown in Figure 6-1. Unavailability is plotted as a function of test interval for two cases: one with, and the other without, common cause failures.

We see that the overall trends for the two-train system are the same as for the single train and for the individual components. The unavailability decreases as the test interval is increased from one day, reaching a minimum at about one month. Unavailability then rises slowly as the test interval is further increased.

The magnitude of the unavailability at each test interval is higher when common cause is included. This is expected since consideration of dependent failures, due to common cause, increases the total failure rate.

Note, however, that the overall trend (higher unavailability for daily tests and minimum unavailability for monthly tests) is the same regardless of whether common cause is included. This is because common cause failures contribute to increased demand-related and test-related failures, as well as contributing to increased time-related failures. Thus, as expected, the curve in Figure 6-1 shifts upward, but exhibits the same general shape. The shape of the curve is determined by the trade-off between demand-related plus test-related failures, and time-related failures.

These results support the elimination of alternate testing of the Core Spray System since daily testing of the Core Spray System increases the system unavailability. This conclusion is true, regardless of which other system is out of service.

TABLE 6.1

Additional Generic Data* Used in Two-Train Model

Common Cause Beta Factor for MOV Fail to Open                            4.2E-2
Common Cause Beta Factor for Pump Fail to Start                          6.7E-2
Common Cause Beta Factor for Diesel Generator Fail to Start              1.5E-2
Diesel Generator Failure to Start                                        2.1E-2
Diesel Generator Failure to Run ((1 hour) Once Started (per hour)        1.7E-2
Diesel Generator, Test-Related Failure Rate                              1.0E-3**
Diesel Generator Time-Related Failure Fraction                           0.5**

* From Reference 4.

** Assumed values. No generic data available.

TABLE 6.2

Data Used for Alternate Power Sources

                         Time
Source                   Available   Unavailability   Dominant Contributor
Startup Transformer      Any         .0025/Demand     One of two circuit breakers fails to close on demand.
Vernon Hydropower        Long        .01/Demand       Human Error - Failure to operate two circuit breakers.
                         Medium      .1/Demand
                         Short       1.0/Demand
Auxiliary Transformer    Long        .1/Demand        Human Error - Insufficient time to isolate generator.
Backfeed                 Medium      1.0/Demand
                         Short       1.0/Demand

[FIGURE 6-1: IMPACT OF CCF ON CSS UNAVAILABILITY. Two trains on line. X-axis: test interval (days). Series: with CCF, without CCF.]

7.0 DIESEL GENERATOR COMPONENT MODEL

The current alternate testing policy requires that when one diesel generator is declared inoperable, the other diesel generator must be tested immediately and daily thereafter. In this section, we investigate how the alternate tests impact the availability of the operable diesel generator.

We model the diesel generator as a single component. This component is assigned failure rates based on diesel generator data for fail to start and fail to run once started. Generic data were updated to reflect the observed Vermont Yankee failures since the Vermont Yankee failure rates are substantially lower than industry averages. Appendix C describes the generic and Vermont Yankee-specific diesel data. The updated failure parameters are used in the single-component model to calculate unavailability of a single diesel generator.

Figure 7-1 shows the unavailability of a single diesel generator as a function of its surveillance test interval. It can be seen from Figure 7-1 that daily testing results in a higher average unavailability than monthly testing. This is primarily due to the repair of demand-related failures to start and of test-induced run failures. This figure provides strong support for not testing the diesel generators on a daily interval.

Figure 7-2 is the result of an analysis of the sensitivity of the results in Figure 7-1 to the failure rate of the diesel generators. The unavailability of a diesel generator tested on a daily basis is compared to that of one tested on a monthly basis over a range of reasonable diesel failure rates. The figure indicates that daily testing produces a higher unavailability over the entire range of values, again providing strong support for eliminating daily testing of the diesel generators.

Industry studies on diesel test frequencies support this conclusion. Reference 8 documents evidence that fast starts of diesel generators cause accelerated degradation. As stated in NUREG-1024, fast starts are required only for large break loss-of-coolant accidents with loss-of-off-site power. This combination represents a very low probability event. However, degradation caused by fast starts will make the plant more vulnerable to higher probability events (e.g., loss of all ac power).

[FIGURE 7-1: DIESEL GENERATOR UNAVAILABILITY, SENSITIVITY TO TEST INTERVAL. X-axis: test interval (days).]

[FIGURE 7-2. Y-axis: average unavailability upon demand.]

8.0.TREA*IMENT OF COM40N CAUSE FAILURES This section addresses the requirement to demonstrate operability of citernate safety systems immediately when other safety-related equipment is taken out of service.

It will address the two general circumstances under

-which a train of a safety system might be taken out of service - those involving a functional failure, and those which do not.

A functional failure is one that prevents a component, train, or system from performing its safety function should a demand for it occur. The latter will be addressed first.

When a train of a safety system is taken out of service for maintenance or repair that does not involve a functional failure, it is clearly cdvantageous to eliminate the requirement to perform alternate testing.

Section 5.3 has demonstrated that surveillance testing at daily intervals increases the unavailability of both pumps and valves in safety systems over a wide range of failure rates. Consequently, the primary reason for immediate testing of alternate systems is to verify that they have not failed due to some common cause. When no functional failure has occurred, this motivation is removed.

Common cause events are a subset of depender:t events in which two or more component fault states exist at the same time, or in a short time interval, that are a direct result of a shared common cause. According to NUREG/CR-4780 (Reference 5), common cause events can be thought of as resulting from the coexistence of two factors.

The first provides a susceptibility for components to fail or become unavailable from a particular root cause. The second is a linking or coupling mechanism that creates the conditions for multiple components to be affected by the same cause. A key determinant of the potential for common cause events is the existence of engineered or operational defenses within the plant against unanticipated equipment failures. The identification of potential common cause component groups and development of procedures to systematically evaluate events for the root causes and coupling mechanisms is an effective m*thod for minimizing the occurrence of unanticipated multiple failures.

The following paragraphs describe how Vermont Yankee accomplishes these tasks.

i l 6625R/2.169 L

In responae to a functional failure of a safety system. Vermont Yankee's operations and maintenance procedures have provisions to facilitate the detection and elimination of potential common cause failures. They also cot.tain review requirements to increase assurance that common cause mechanisms have been identified and eliminated.

Vermont Yankee Procedure AP-0010.. "Occurrence Reports," gives guidance on plant evaluation and administration of potential reportable occurrences, cnd the preparation and review of Licensee Event Reports.

The procedure directs that any member of the plant staff discovering an event that could be considered a Licensee Event Report, 10CFR21 reportable, "Fire Occurrences," or NPDES noncompliance notify his Department Head and the Shif t Supervisor of the svent or condition. As soon as possible, the Department Head or Shift Supervisor fills out Form VYAPF 0010.01, "Potential Reportable Occurrence (PRO)." This form provides both a description of the event and a traceable decision path regarding its reportability. Sufficient supporting evidence must be included with the PRO form to justify its disposition either as requiring a report or as a nonreportable event.

The PRO is reviewed by numerous levels of management at the plant including the Engineering Support Supervisor, Technical Services Superintendent, and Plant Manager. To emphasize their importance, Procedure AP-0010 repeats the criteria for LER reportable events. The specific requirement to investigate the possibility of a common cause event is contained in 10CFR50.73(a)(2)(vii).

If the possibility of a common cause mechanism is identified, appropriate tests and/or inspections can be accomplished to verify the condition and determine possible corrective actions.

Vermont Yankee Procedure 0021, "Maintenance Requests," specifies a number of controls and reviews for the evaluation and repair of equipment malfunctions. The procedure requires close coordination between the Operations and Maintenance Departments and permits the specification of independent inspections and additional testing requirements.

Vermont Yankee Procedure 0200, "Maintenance Program," contains instructions for the coordination and control of preventative and corrective maintenance. This procedure contains specific instructions to assist maintenance personnel in the identification of the root cause of failures.

Form VYAPF 0200.03 outlines a number of specific items for maintenance personnel to consider while investigating the root cause of the failure or other conditions to identify why the maintenance was required.

This form is evaluated by maintenance supervisors and referred to Maintenance Engineering for further evaluation as required.

If necessary, the form can be compared with the file of completed forms that is maintained at the plant on similar equipment to track trends and provide information that could lead to the identification of common cause failures.

In light of the many requirements for the plant to take immediate and concentrated action to identify and repair safety-related equipment within the Limiting Conditions for Operation (LCO), the prescriptive requirement to test alternate systems immediately may be counterproductive.

Immediate testing requirements divert a significant amount of manpower from the identification of the root cause of the failure and the analysis necessary to determine what testing or inspections of alternate systems might be most effective to pursue. Depending on the event, the alternate functional tests currently required by the Technical Specifications may or may not be sufficient for revealing the common cause mechanism. This assessment can be made as part of the evaluation process. The elimination of immediate testing requirements would permit a more reasoned approach toward the assurance of safety function availability, with the resulting allocation of plant resources towards solving the problem at hand.

9.0 APPLICATION TO OTHER SYSTEMS

This section discusses the requirement to test other systems that contribute to the safety function when a train of a specified system has been declared inoperable. Figure 1-1 of the introduction summarizes these requirements as they currently exist. That figure shows that, depending on the system train that has failed, other systems may be required to undergo either an immediate test or an immediate test followed by the daily repetition of that test. With the exception of the diesel generators, Uninterruptable Power Supply (UPS), Automatic Depressurization System (ADS), and Standby Gas Treatment System (SGTS), every system listed in the figure pumps and routes water for either cooling or, in the case of the standby liquid control, reactivity control. Therefore, the assessment of the alternate testing requirements will address the diesel generators, UPS, ADS, and SGTS individually, while treating the water pumping systems as a group.

9.1 Diesel Generators

Section 7.0 demonstrates that the unavailability of a diesel generator is increased by daily testing. This conclusion is independent of which out-of-service system generates the requirement to test the diesels.

9.2 Uninterruptable Power Supply

The Uninterruptable Power Supply (UPS) provides power to operate recirculation loop valves and the LPCI injection valves via an inverter that converts dc into ac. The inverter is powered by a dc power supply that also charges a battery bank. In the event there is a loss of ac power and the output voltage of the rectifier declines, the battery bank will automatically pick up the inverter load so that the valves will continue to receive an uninterrupted supply of electricity required to change position. Whenever a demand for the LPCI injection valve to change position is made, the rectifier and inverter portion of the UPS is exercised. The batteries are challenged only when there is a concurrent loss of ac power to the rectifier. However, the batteries are very reliable and are not subjected to the monthly testing currently required for the Emergency Core Cooling Systems. Consequently, the test of the LPCI function provides sufficient verification that the UPS is providing power to operate the valves. Testing of the LPCI function is addressed in Section 9.5.

9.3 Automatic Depressurization System

The Automatic Depressurization System (ADS) is designed to lower pressure in the reactor pressure vessel to enable the Low Pressure Injection Systems to pump coolant to the core. In conjunction with the Low Pressure Injection Systems, the ADS provides backup for the High Pressure Coolant Injection (HPCI) System. In the event that HPCI is declared inoperable, the current Technical Specifications require the ADS to be tested immediately and daily thereafter.

ADS is accomplished by opening pressure relief valves in the main steam line that discharge to the suppression pool, which condenses the steam. Since the operation of the valves cannot be tested without causing a trip, the actuation logic is tested. The ADS logic test requires that the ADS valves be de-energized so that they cannot respond to an actuation signal. If a real demand for the valves to operate were to occur, the availability of the system would be limited by the operators' ability to reactivate the valves.

The actuation logic is very reliable. The ADS tests are normally accomplished once each operating cycle. The alternate testing requirement represents a large increase in the frequency of tests. The high reliability of the actuation logic and the necessity to de-energize the safety relief valves to test the logic clearly argue against any ADS logic alternate testing.

9.4 Standby Gas Treatment System

Although it pumps primarily gas, the SGTS unavailability can be considered to behave in a manner similar to the Core Spray System. The generic failure rates (Reference 4) associated with the SGTS fan and dampers are 2.93E-3/d and 1.52E-3/d, respectively. These are roughly equivalent to those of the motor-driven pumps and motor-operated valves in the Core Spray System. In addition, there is no reason to believe that the SGTS time-related failure fraction or test-related failure rate will be significantly different from the Core Spray System. Therefore, the conclusions of the Core Spray System analysis also apply to the SGTS.

9.5 Other Pumping Systems

Failures of active components tend to dominate the unavailability of the individual trains of the coolant systems. The types and quantity of active failures for a train of each coolant system are listed in Table 9.1. Each train has either one pump per train or, in some cases, two in parallel. Each train also has at least one valve that must change position for injection to occur. Because of the similarity in the types and numbers of components that must actively function during a true demand, conclusions based on the quantitative results for the Core Spray System are used in the evaluation of the testing requirements in Figure 1-1 for other pumping systems.

The results of the Core Spray System evaluation provide strong evidence that daily testing of standby cooling systems decreases their availability. Sensitivity studies in Section 5.3 demonstrate that daily testing produces larger unavailability than monthly testing over the range of values that important failure and repair parameters could reasonably have. Since the operation of the other cooling systems in the plant also involves the same generic types of components, their failure rates and repair durations can be expected to fall within the range of calculations done on the Core Spray System. This assertion is supported by the generic data base prepared by Pickard, Lowe and Garrick, Inc. (Reference 4). In that data base, for example, the failure rate for all types of safety-related valves to operate ranges from a high of 4.27E-3/demand for PORVs to a low of 1.25E-4/demand for turbine stop/control valves. Therefore, it may be concluded that the daily repetition of tests should be discontinued for all systems under any postulated failure.

Justification for discontinuing the prescriptive requirements for immediate testing of other cooling systems is the same as that presented for the Core Spray System, and perhaps even stronger. The required common initiating cause and coupling mechanism will not be nearly as strong between diverse systems as it is between two trains of the same system. The discontinuance of the immediate alternate testing Technical Specifications does not mean that the search for common cause failures will not continue to be emphasized. Vermont Yankee recognizes that, despite the weaker coupling mechanism, the potential for common cause failures among diverse systems does exist. It maintains a cross-reference file by type of equipment of completed Forms VYAPF 0200.03 for the specific purpose of assisting in the identification of common cause failures and potential wearout mechanisms. The assessment of the failure includes consultation of this file as appropriate to ensure that the full implications of the failure are being addressed. The elimination of immediate prescriptive testing of other systems would encourage a more focused investigation of the root cause of the failure and its possible coupling mechanisms, so that the most effective tests and inspections can be performed.


TABLE 9.1

Active Components in Safety-Related Systems

Columns: System/Subsystem; Pumps/Train; Valves/Train That Open or Close; Other/Train; Comments

Standby Liquid Control: 1 of 2; 1 of 2. One train with interconnected redundant components.

Core Spray: 1 of 1; 1 of 1.

LPCI (RHR): 1 of 2(1); 1 of 1(1). (1) Success criteria for all but large break LOCA.

Containment Cooling (RHR): 1 of 2(1); 1 of 1 and 1 of 2(2); 1 of 1(3). (2) Success with either suppression chamber cooling or spray valves. (3) RHR heat exchanger bypass valves must close as well.

RHR Service Water: 1 of 2; 1 of 1.

Service Water: 3 of 4(1); Manually Actuated Valves as Required. Performs active function while unit is operating. (1) Trains A & B interconnected.

Alternate Cooling: Uses RHR Service Water Pumps; Manually Activated Valves.

HPCI: 1 of 1(1); 4 of 4; 1 of 1(2). (1) Steam turbine driven pump. (2) Auxiliary oil pump for startup.

ADS: X(1) of 4. Valves cannot be cycled while unit is operating. (1) Success criteria depends on transient.

RCIC: 1 of 1(1); 3 of 3. (1) Steam turbine driven pump.

Diesel Generators: 1 of 1(1). (1) Valve I service water cooling.

Standby Gas Treatment: 2 of 2; 1 of 1(1). (1) Blowers.

UPS: 1 of 1 Battery; 1 of 1 Inverter. Inverter operates continuously, must accept load change.


10.0 CONCLUSION

Detailed calculations for the Core Spray System and diesel generator provide a quantitative basis for concluding that removal of the alternate testing requirements increases availability of these systems, hence increases plant safety. Sensitivity studies, including analyses for individual components, indicate that this conclusion is valid for all components/systems included in alternate testing over a wide range of failure parameters.


11.0 REFERENCES

1. Vermont Yankee Technical Specifications.

2. Letter, VYNPC to USNRC, "Surveillance Testing of ECCS and SLC Equipment; Supplement 1 to Proposed Change No. 85," FVY 87-112, dated December 7, 1987.

3. Letter, USNRC to VYNPC, "Request for Additional Information - Surveillance Testing of ECCS and SLC Equipment (TAC No. 66873)," NVY 88-077, dated May 9, 1988.

4. Pickard, Lowe and Garrick, Inc., "Probabilistic Risk Assessment Data Base for Light Water Reactors," PLG-0500, August 1988.

5. NUREG/CR-4780, "Procedures for Treating Common Cause Failures in Safety and Reliability Studies," January 1988.

6. NUREG/CR-1278, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," prepared by A. D. Swain and E. E. Guttmann.

7. NUREG-1024, "Technical Specifications - Enhancing the Safety Impact," prepared by Task Group on Technical Specifications, November 1983.

8. "Failures Related to Surveillance Testing of Standby Equipment," Volume 2: Diesel Generators, EPRI NP-4264, September 1985.


APPENDIX A

Fault Tree Model for Core Spray System

This appendix discusses the development of the Core Spray System (CSS) fault tree used to obtain cutsets for the cases where both trains of the CSS are on-line.

The following rules and assumptions were used in constructing the fault tree:

1. Only active component failures are modeled explicitly in a train that is on standby. These components are assumed to have the potential for common cause failures with their counterpart components in the opposite train.

2. The possibility of passive failures, failures of the actuation signal, and loss of off-site power are accounted for by basic events with constant, order-of-magnitude unavailability estimates. These events, which are not affected by the alternate testing Technical Specifications, are included to permit a more complete modeling of the combinations of failures that can occur.

3. The total time required for testing is very small compared with the test interval. This assumption results in a slight overestimation of system unavailability and a shorter optimal test interval.

4. Off-site power is assumed to be available in the fault tree representing the effects of testing. The unavailability of these systems is adequately accounted for in the standby fault tree.

5. The likelihood of passive failures and failures of the actuation signal are small compared to the failure rates of components that must change state. Therefore, these failures are not included in the single train analysis of Section 5.0.

[FIGURE A-1. Core Spray System Fault Tree, Two Trains on Standby (Sheets 1 to 8). Top event: Core Spray System fails to inject water into the RPV upon demand. Legend: suffix A or B = independent failure of A or B; suffix AB = common cause failure with opposite train.]


APPENDIX B

Description of Observed Failures for Vermont Yankee Core Spray System

Vermont Yankee component failure data for the Core Spray System was presented in Section 5.2.2 (see Table 5.6). The observed failures were classified as either time-related, demand-related, or test-related (see Section 3.3) in order to determine overall failure rates for each "type" of failure. The "type" of failure is an important input to the unavailability model.

Below we list each failure of a Core Spray System component, along with its classification and reasons. The reasons were based on engineering judgement using the failure descriptions and root cause analyses of the Vermont Yankee Maintenance Department.

February 1, 1974, V-11-A

The V-11-A valve motor burned up while attempting to open after being closed for the test. This valve is normally open, but it is closed in order to test Valve V-12-A. This would imply that the failure was test-related, since V-11-A is normally in its safety position (open). However, we conservatively classified this failure as demand-related, since the V-11 and V-12 valves are grouped together to calculate a single failure rate. The same failure could potentially have occurred in the V-12 valve.

The failure was classified as demand-related because the motor burned out due to jamming of the drive motor gear key. This loosening of the key was judged to be a result of the shock that occurs when the component is demanded. No standby, time-related mechanism for this failure was evident.

February 5, 1974, V-11-A

The V-11-A valve motor burned out due to failure of the valve operator torque switch after the valve had been fully closed for the test. This was classified as a test-caused failure for two reasons. First, the V-11-A valve is normally in its safety position (open) during standby, and only needs to change state for success of the system during the valve timing test. Second, the same failure of the V-12-A valve would not prevent it from accomplishing its safety function. For core spray to succeed, the V-12 valve must cycle once (open). The observed failure of the V-11-A valve was after the valve had successfully cycled.

December 8, 1974, V-11-B

This failure is classified as test-related for the same reason as the previous failure of V-11-A. The motor overload alarm and smoke (motor burnout) occurred after the valve had successfully cycled.

July 8, 1975, V-11-B

This failure is also classified as test-related for the same reasons. The torque switch failure and motor burnout occurred after the valve had successfully cycled.

February 2, 1976, V-11-A

This failure was classified as demand-related. The failure was a motor casing which broke off and fell to the floor. We judged the cause to be due to the shock of the demand on the valve and its motor.

September 5, 1987, V-11-A

This involved failure of the V-11-A valve to close. The same failure mechanism could be postulated for the V-12 valves; hence, this failure was not classified as test-related. The failure mechanism was valve binding due to burrs on the wedge guide. The binding was likely due to forces on the valve stem associated with the demand to close. However, the burrs on the wedge guide may have been caused by dirt accumulation which damaged the wedge guide on previous demands. We classified this failure as both time-related (50%) and demand-related (50%).

March 31, 1988, V-11-B

This failure was classified as demand-related. The shock of the demand to close was judged to be the cause of the motor pinion gear key breaking and becoming wedged between the motor pinion gear and worm pinion gear.

December 8, 1987, V-5-A

The cause of the V-5-A motor ground was determined to be pinching of wire insulation. This was a result of new wiring splices for this relatively small motor casing. This failure was classified as demand-related because it was attributed to design and maintenance changes, not to time-related mechanisms while in standby.

February 3, 1988, V-26-A

The V-26-A failed to fully close after a test. This failure was classified as test-related since the only function of V-26 is to allow a flow test to be performed. This failure of the V-26 valve is test-related because it does not represent a potential failure mode for the other valves.

June 6, 1984, Pump A

This was not a failure of the core spray pump, but rather evidence to suggest a possible failure mode. The slice in power cable insulation would likely not prevent the core spray pump from operating. However, in the potentially harsh environment of an accident, we felt there was some potential (~10%) for failure due to a short circuit.


APPENDIX C

Diesel Generator Data

This appendix presents a summary of diesel generator data. The industry generic data from Reference 4 is presented in Table C-1. A description of Vermont Yankee diesel failures is given in Table C-2. Table C-3 summarizes the Vermont Yankee failure rates. Note that for failures to run, "slight" leakage was assumed to result in failure occurring after one hour, while "significant" leakage was assumed to result in failure before one hour.

The generic data, updated by the Vermont Yankee data using Bayesian calculations (Reference 4), is provided in Table C-4. This data is used in the diesel generator unavailability model.

TABLE C-1

Generic Data* for Diesel Generators

| | Mean | 5th Percentile | 50th Percentile | 95th Percentile |
|---|---|---|---|---|
| Failure to Start (failures/demand) | 1.82E-2 | 2.71E-3 | 1.20E-2 | 5.16E-2 |
| Failure to Run (<1 hr) (failures/hr) | 1.41E-2 | 1.20E-3 | 7.55E-3 | 4.58E-2 |

* From Reference 4.

TABLE C-2

Vermont Yankee Diesel Generator Failures

| Date | NPE No. | Description | Failure Type |
|---|---|---|---|
| 07/14/74 | 57 | Die jection manifold overflow bal. ve stuck open. Engine star _uel and fails to start. | Fail to Start |
| 05/76 | 173 | Diesel trips after one minute of operation due to high crankcase pressure. Caused by clogging of ejector supply orifice or ejector body in crankcase breather and supply system. | Fail to Run (<1 hr) |
| 08/25/76 | 126 | Slight fuel leakage due to normal engine vibration loosening mechanical connections at fuel header. | Fail to Run (assumed >1 hr) |
| 06/23/77 | 173 | Diesel trips after 13 minutes due to high crankcase pressure. Caused by loose connection in air ejector supply piping from normal vibrations. | Fail to Run (<1 hr) |
| 07/26/77 | 367 | Diesel fails to start due to air start solenoid valves bound closed by debris in air line. | Fail to Start |
| 12/19/77 | 201 | Diesel trips on high crankcase pressure after 15 minutes. Supply air hose to crankcase eductor loosened due to normal engine vibration and insufficient clamp tightness. | Fail to Run (<1 hr) |
| 01/24/78 | 204 | Diesel trips on high jacket coolant temperature after 7.5 hours. Caused by setpoint drift of high jacket coolant temperature trip switch. | Fail to Run (>1 hr) |
| 05/81 | 385 | Diesel shut down during surveillance due to substantial coolant leakage at cylinder cooling water jacket outlet. Caused by a failed gasket. | Fail to Run (assumed <1 hr) |
| 10/05/82 | 478 | Slow start due to check valve failure on fuel oil return line from diesel cylinders to fuel oil day tank. | Fail to Start* |
| 01/14/83 | 549 | Slow start (0.8 seconds over specifications) due to dirt in check valve on excess fuel return line. Rubber seat was defective; valve would not seat tightly. | Fail to Start* |
| 08/26/83 | 549 | Diesel fails to start due to failure of diesel stopping relay solenoid which interrupted flow to diesel. | Fail to Start |
| 10/12/83 | 549 | Noted water near diesel generator air start check valve. Air start check valve stuck open due to loose nut on valve spring retainer. | Fail to Run |

* Slow starts are conservatively treated as failures to start. In actuality, a slightly slower start (i.e., by 0.8 seconds) would likely not impact the ability of the diesel to accomplish its safety function.

TABLE C-3

Diesel Generator Failure Data Summary*

| Item | Value | Basis |
|---|---|---|
| Failures to Start | 5 | |
| Failures to Run (total) | 7 | |
| Failures to Run (<1 hr) | 4 | |
| Failures to Run (>1 hr) | 3 | |
| Total Number of Tests | 702 | Assuming 52 tests per year for 13.5 years. The average number of tests per year for Years 1981 through 1988 was 52. |
| Total Operating Hours for <1 hr Runs | 702 | Assuming all tests were at least one hour ("alternate" tests are for one hour). |
| Total Operating Hours for >1 hr Runs | 7 x 324 = 2,268 | Assuming 24 monthly tests per year for 13.5 years (324 tests). Monthly tests last eight hours; hence, seven hours after the first hour for each test. |
| Failure Rate to Start | 7.1E-3 | (5/702) |
| Failure Rate to Run (<1 hr) | 5.7E-3 | (4/702) |
| Failure Rate to Run (>1 hr) | 1.3E-3 | (3/2,268) |

* Based on data between 7/74 and 1/88.

TABLE C-4

Diesel Failure Rates Used in Unavailability Model

| | Mean Failure Rate | 5th Percentile | 50th Percentile | 95th Percentile | Time-Related Fraction |
|---|---|---|---|---|---|
| Fail to Start | 7.98E-3 | 3.25E-3 | 6.62E-3 | 1.27E-2 | 0.5(2) |
| Fail to Run (<1 hr) | 6.06E-3 | 1.92E-3 | 4.90E-3 | 1.03E-2 | |

(1) Generic data updated by Vermont Yankee data.

(2) Based on the five observed failures for Vermont Yankee and engineering judgement.
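The Bayesian update of generic data with plant data described in this appendix can be approximated from the numbers in Tables C-1 and C-3. The following is an added example, not the report's or PLG's calculation: it assumes a lognormal prior fitted to the generic 5th and 95th percentiles, a binomial likelihood for start demands and a Poisson likelihood for run hours, and evaluates the posterior on a grid, so its output need not equal Table C-4 exactly.

```python
import math

Z95 = 1.6448536269514722  # standard normal quantile for the 95th percentile

# Inputs copied from the report: Table C-1 (generic 5th/95th percentiles)
# and Table C-3 (Vermont Yankee failure counts and exposure).
GENERIC = {"start": (2.71e-3, 5.16e-2), "run_lt_1hr": (1.20e-3, 4.58e-2)}
PLANT = {"start": (5, 702.0), "run_lt_1hr": (4, 702.0)}


def lognormal_from_percentiles(p05, p95):
    """ASSUMPTION: the generic distribution is lognormal.
    Returns (mu, sigma) of ln(rate) matching the 5th and 95th percentiles."""
    mu = 0.5 * (math.log(p05) + math.log(p95))
    sigma = (math.log(p95) - math.log(p05)) / (2.0 * Z95)
    return mu, sigma


def log_binomial(p, failures, demands):
    """Log-likelihood (up to a constant) of failures in a number of demands."""
    if p >= 1.0:
        return float("-inf")  # a per-demand probability cannot reach 1
    return failures * math.log(p) + (demands - failures) * math.log1p(-p)


def log_poisson(rate, failures, hours):
    """Log-likelihood (up to a constant) of failures in a number of run hours."""
    return failures * math.log(rate) - rate * hours


def bayes_update(p05, p95, failures, exposure, loglik, n_grid=4001):
    """Posterior mean and percentiles on a uniform grid in ln(rate)."""
    mu, sigma = lognormal_from_percentiles(p05, p95)
    lo, hi = mu - 8.0 * sigma, mu + 8.0 * sigma
    step = (hi - lo) / (n_grid - 1)
    xs = [lo + i * step for i in range(n_grid)]
    rates = [math.exp(x) for x in xs]
    # The lognormal prior is a normal density in ln(rate); add the log-likelihood.
    log_post = [-0.5 * ((x - mu) / sigma) ** 2 + loglik(r, failures, exposure)
                for x, r in zip(xs, rates)]
    peak = max(log_post)
    weights = [math.exp(v - peak) for v in log_post]
    total = sum(weights)
    weights = [w / total for w in weights]

    def percentile(q):
        running = 0.0
        for r, w in zip(rates, weights):
            running += w
            if running >= q:
                return r
        return rates[-1]

    return {
        "mean": sum(r * w for r, w in zip(rates, weights)),
        "p05": percentile(0.05),
        "p50": percentile(0.50),
        "p95": percentile(0.95),
    }


def posterior_table():
    """Updated failure-to-start and failure-to-run (<1 hr) distributions."""
    likelihoods = {"start": log_binomial, "run_lt_1hr": log_poisson}
    result = {}
    for mode, (p05, p95) in GENERIC.items():
        failures, exposure = PLANT[mode]
        result[mode] = bayes_update(p05, p95, failures, exposure, likelihoods[mode])
    return result


if __name__ == "__main__":
    for mode, post in posterior_table().items():
        print(mode, {k: f"{v:.2e}" for k, v in post.items()})
```

The posterior means sit between the plant point estimates of Table C-3 and the generic means of Table C-1, which is the pull toward plant experience that the update is meant to produce.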
