ML20154G718

Review of the Shearon Harris Unit 1 Auxiliary Feedwater System Reliability Analysis
ML20154G718
Person / Time
Site: Harris
Issue date: 02/28/1986
From: Fresco A, Papazoglou I, Youngblood R
BROOKHAVEN NATIONAL LABORATORY
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-A-3702 BNL-NUREG-51902, NUREG-CR-4311, NUDOCS 8603100084


Text

NUREG/CR-4311 BNL-NUREG-51902

Review of the Shearon Harris Unit 1 Auxiliary Feedwater System Reliability Analysis

Prepared by A. Fresco, R. Youngblood, I.A. Papazoglou

Brookhaven National Laboratory

Prepared for U.S. Nuclear Regulatory Commission

NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

NUREG/CR-4311
BNL-NUREG-51902

Review of the Shearon Harris Unit 1 Auxiliary Feedwater System Reliability Analysis

Manuscript Completed: August 1985
Date Published: February 1986

Prepared by A. Fresco, R. Youngblood, I. A. Papazoglou

Brookhaven National Laboratory
Department of Nuclear Energy
Upton, NY 11973

Prepared for
Division of Systems Integration
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
NRC FIN A3702

ABSTRACT

This report presents the results of a review of the Auxiliary Feedwater System Reliability Analysis for the Shearon Harris Nuclear Power Plant (SHNPP) Unit 1. The objective of this report is to estimate the probability that the Auxiliary Feedwater System will fail to perform its mission for each of three different initiators: (1) loss of main feedwater with offsite power available, (2) loss of offsite power, and (3) loss of all ac power except vital instrumentation and control 125-V dc/120-V ac power. The scope, methodology, and failure data are prescribed by NUREG-0611, Appendix III. The results are compared with those obtained in NUREG-0611 for other Westinghouse plants.

TABLE OF CONTENTS

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
EXECUTIVE SUMMARY

1. INTRODUCTION
2. SCOPE OF BNL REVIEW
3. MISSION SUCCESS CRITERIA
4. SYSTEM DESCRIPTION
5. EMERGENCY OPERATION
   5.1 Loss of Main Feedwater (LMFW)
   5.2 Loss of Offsite Power (LOOP)
   5.3 Loss of All ac (LOAC)
6. TESTING
7. TECHNICAL SPECIFICATIONS
8. ASSUMPTIONS
   8.1 Maintenance
   8.2 Operator Errors
9. RELIABILITY ANALYSIS
   9.1 Qualitative Aspects
      9.1.1 Mode of System Initiation
      9.1.2 System Control Following Initiation
      9.1.3 Effects of Test and Maintenance Activities
      9.1.4 Availability of Alternative Water Supplies
      9.1.5 Adequacy and Separation of Power Sources
      9.1.6 Single-Point Failures
      9.1.7 Adequacy of Emergency Procedures
   9.2 Quantitative Aspects
      9.2.1 Applicant's Use of NRC-Suggested Methodology and Data
         9.2.1.1 Fault Tree Construction and Evaluation
         9.2.1.2 Failure Data
      9.2.2 Applicant's Results
         9.2.2.1 System Unavailabilities
         9.2.2.2 Dominant Failure Modes and Conclusions
      9.2.3 BNL Assessment
         9.2.3.1 Fault Trees
         9.2.3.2 Failure Data
         9.2.3.3 System Unavailabilities
         9.2.3.4 Dominant Failure Modes
         9.2.3.5 General Comparison with Other Plants
         9.2.3.6 General Comments

REFERENCES
APPENDIX A: SHNPP FSAR Section 10.4.9 "Auxiliary Feedwater System"
APPENDIX B: SHNPP FSAR Technical Specifications "Auxiliary Feedwater System and Condensate Storage Tank"
APPENDIX C: "NRC-Supplied Data for Purposes of Conducting a Comparative Assessment of Existing AFWS Designs and Their Potential Reliabilities"

LIST OF FIGURES

Figure 1: Comparison of Reliability of the SHNPP AFWS with that of Other AFWS Designs in Plants using the Westinghouse NSSS
Figure FSAR 10.4.9A-1: Shearon Harris Nuclear Power Plant-Unit 1 Auxiliary Feedwater System Availability Study Simplified Flow Diagram
Figure 2A: SHNPP Auxiliary Feedwater System BNL Results - Dominant Cut Sets - LMFW Case 1A - Applicant's Assumption: One Motor-Driven Pump Required
Figure 2B: SHNPP Auxiliary Feedwater System BNL Results - Dominant Cut Sets - LMFW Case 1B - BNL Assessment: Two Motor-Driven Pumps Required
Figure 3: SHNPP Auxiliary Feedwater System BNL Results - Dominant Cut Sets - LOOP Case 2
Figure 4: SHNPP Auxiliary Feedwater System BNL Results - Dominant Cut Sets - LOAC Case 3
Figure FSAR 10.4.9A-1: Shearon Harris Nuclear Power Plant-Unit 1 Auxiliary Feedwater System Availability Study Simplified Flow Diagram
Figure FSAR 10.4.9A-2: Shearon Harris Nuclear Power Plant-Unit 1 Auxiliary Feedwater System Availability Study Fault Tree - Loss of Main Feedwater (LMFW) and Loss of Offsite Power (LOOP) Cases

LIST OF TABLES

Table 1: Unavailabilities of the SHNPP AFWS - Comparison of Applicant's Results with BNL Assessment
Table 2: Comparison of Data Assumptions
Table 3: Summary of Applicant's Dominant Failure Modes
Table 4: Definition of Disallowed Test and Maintenance Acts
Table 5: Definition of Top Event for LMFW
Table 6: Comparison of Results

EXECUTIVE SUMMARY

After the accident at Three Mile Island, a study was done on the reliability of the Auxiliary Feedwater System (AFWS) of each then-operating plant with NSSS designed by Westinghouse. The results of that study were presented in NUREG-0611(1). At the request of the NRC, Carolina Power and Light Company, an operating license applicant, provided the NRC with a study of the Shearon Harris (SHNPP) Units 1 and 2 AFWS(3) that was done with NUREG-0611 used as a guideline. BNL has reviewed this study. The BNL conclusions are as follows ("High", "Medium", and "Low" refer to the NUREG-0611 reliability scale).

1. For an accident resulting in a loss of main feedwater (LMFW) with offsite power available:
a. Applicant's Case - Only one motor-driven pump (or the turbine-driven pump) is required. The reliability of the AFWS is in the High range (Unavailability = 9.2E-6/demand).
b. BNL Assessment - Both motor-driven pumps (or the turbine-driven pump) are required. The reliability of the AFWS is in the Medium range (Unavailability = 4.6E-4/demand).

2. For a loss of offsite power (LOOP) resulting in a concurrent loss of main feedwater (LMFW): The reliability of the AFWS is in the High range (Unavailability = 4.9E-5/demand). Only one motor-driven pump is required.
3. For a loss of all ac power (LOAC), except for the 125-V dc/120-V ac vital instrumentation and control power systems, resulting in a concurrent loss of main feedwater (LMFW): The reliability of the AFWS is in the Medium range (Unavailability = 2.5E-2/demand).

Results are summarized in Table 1. The SHNPP AFWS reliability is compared with that of other AFWS designs in Westinghouse plants in Figure 1.

General Comments

The following aspects of the AFWS should be highlighted:

1. Pump Discharge Isolation Valves

Although there will be monthly verification that the manual suction isolation valves are open by virtue of the pump testing, it is stated in the SHNPP study(3) that the manual valves on the pumps' discharge headers will be closed to by-pass flow to the Condensate Storage Tank through the mini-flow circulation lines. Since no position indication for either the suction or the discharge valves appears in the Control Room, if one or more of the valves were left closed after a test, this situation would remain undetected until the next pump test. However, given 30 minutes before steam generator boil-dry, the operator should be able to determine by steam generator level indication that the valves are closed and restore the valves to the open position, should this be necessary.

2. Turbine-Driven Pump (TDP) Dependence on Train B 125-V dc Power

The TDP is dependent upon Train B 125-V dc power, which does not appear to be in conflict with any of the short-term or long-term recommendations of NUREG-0611, as discussed in Subsection 9.2.2.2. Loss of Train B 125-V dc power also incapacitates Motor-Driven Pump B. Although consideration of loss of dc power does not appear to be within the scope of NUREG-0611, dc power is a significant shared support system, and, depending on the top event definition for LMFW, loss of Train B dc power may be a single failure.

3. Flow Control With LOOP and Only One Diesel-Generator Available

As discussed in Subsection 9.1.2, upon LOOP, if Diesel-Generator A is unavailable, flow control of both motor-driven pumps cannot be directly accomplished because the corresponding flow control valves are dependent upon Train A ac power. Similarly, if Diesel-Generator B is unavailable, flow control of the TDP cannot be directly accomplished because its flow control valves are dependent upon Train B ac power.

4. Test and Maintenance Policies

Because of the mixture of Train A and Train B power-operated valves on the pumps' discharge headers, confusion may result on the part of the plant operating personnel concerning which valves may or may not be tested or maintained concurrently with any one pump without a detailed statement of the correct policy. Such a policy has not been provided in this report.

There appears to be a contradiction concerning the test interval of the pumps. Ref. 3 states that pumps are to be tested quarterly but the Technical Specifications in Appendix B state that the testing is to be performed at least once every 31 days.

[Figure 1: Comparison of reliability of the SHNPP AFWS with that of other AFWS designs in plants using the Westinghouse NSSS. Chart columns: LMFW, LMFW/LOOP, and LMFW/Loss of All AC, each on a Low/Medium/High scale. Legend: Applicant's Results; BNL Assessment - Case 1A; BNL Assessment - Cases 1B, 2, and 3.]

[Figure FSAR 10.4.9A-1: Shearon Harris Nuclear Power Plant-Unit 1 Auxiliary Feedwater System Availability Study Simplified Flow Diagram.]

Table 1 Unavailabilities of the SHNPP AFWS - Comparison of Applicant's Results with BNL Assessment

| Transient | Applicant's Results: Mission Success A | BNL Assessment: Mission Success A | BNL Assessment: Mission Success B |
|---|---|---|---|
| 1. LMFW | 6.6E-6 | 9.2E-6 | 4.6E-4 |
| 2. LOOP | 6.1E-5 | 4.9E-5 | -- |
| 3. LOAC | 1.9E-2 | 2.5E-2 | -- |

NOTE: Mission Success A refers to LMFW only, wherein a flow of 450 GPM from the turbine-driven pump or one of the motor-driven pumps is adequate (possible only if the mini-flow recirculation line is isolated).

Mission Success B refers also to LMFW only, wherein flow from both of the motor-driven pumps (or the turbine-driven pump) is required.

1. INTRODUCTION

This report is a review by Brookhaven National Laboratory (BNL) of the Shearon Harris Nuclear Power Plant (SHNPP) Final Safety Analysis Report (FSAR) Appendix 10.4.9A, entitled "Auxiliary Feedwater System Availability Analysis," prepared by Ebasco Services for Carolina Power and Light Company.

After the accident at Three Mile Island, a study was done on the Auxiliary Feedwater Systems (AFWS) of all the then-operating plants. The results obtained for operating Westinghouse-designed plants were presented in NUREG-0611. At that time, the objective was to compare AFWS designs; accordingly, generic failure probabilities were used in the analysis, rather than plant-specific data. Some of these generic data were presented in NUREG-0611. The probability that the AFWS would fail to perform its mission on demand was estimated for three initiating events:

(a) loss of main feedwater (LMFW) without loss of offsite power;

(b) loss of main feedwater associated with loss of offsite power (LOOP);

(c) loss of main feedwater associated with loss of offsite and onsite ac (LOAC).

Since then, each applicant for an operating license has been required to submit a reliability analysis of the plant's AFWS, carried out in a manner similar to that employed in the NUREG-0611 study. A quantitative criterion for AFWS reliability has been defined by the NRC in the current Standard Review Plan (SRP) for Auxiliary Feedwater Systems:

"...An acceptable AFWS should have an unreliability in the range of $10^{-4}$ to $10^{-5}$ per demand based on an analysis using methods and data presented in NUREG-0611 and NUREG-0635. Compensating factors such as other methods of accomplishing the safety functions of the AFWS or other reliable methods for cooling the reactor core during abnormal conditions may be considered to justify a larger unavailability of the AFWS."

2. SCOPE OF BNL REVIEW

The BNL review has been conducted in accordance with the methodology, data, and scope of NUREG-0611, Appendix III. It has two major objectives:

(a) To evaluate the applicant's reliability analysis of the AFWS.

(b) To provide an independent assessment, to the extent practical, of the AFWS unavailability.

Unavailability as used in this report has been defined as the "probability that the AFWS will not perform its mission on demand." The term unavailability is used interchangeably with unreliability. Specific goals of this review are then:

(a) To compare the applicant's AFWS with that of the operating plants studied in NUREG-0611 by following the methodology of the latter as closely as possible.

(b) To evaluate the applicant's AFWS with respect to the reliability goal set forth in SRP 10.4.9, i.e., that the AFWS has unreliability in the range of $10^{-4}$ to $10^{-5}$ per demand, by using the above methodology.

The NUREG-0611 methodology and the BNL review specifically exclude externally caused common-mode failures such as those due to earthquakes, tornados, floods, etc., and internal failures caused by pipe ruptures.

3. MISSION SUCCESS CRITERIA

The mission success criteria are described in Ref. 3. Portions are extracted below.

"The total flow rates required for at least two of three steam generators to provide adequate protection for the core have been established by Westinghouse and are as follows: (1) 475 GPM for LMFW, (2) 400 GPM for LMFW/LOOP, and (3) 380 GPM for LMFW/SB (Station Blackout equivalent to loss of all ac power).

The postulated top events are the failure of the AFWS to provide sufficient flow to at least two of the three steam generators (SGs) or less than 475, 400, 380 GPM total AFWS flow to less than two SGs for LMFW, LMFW/LOOP, or LMFW/SB, respectively. . . . .

Consistent with the NRC request..., the scope of the top event spans only the availability of the system to start on demand for the three transients under consideration and does not include the reliability of the system to carry out this mission through the required duration (several hours)."

According to Table 10.4.9-1 of the FSAR (see Appendix A of this report), the capacity of each of the two motor-driven pumps is 450 GPM including 50 GPM for recirculation. Thus, the net capacity is only 400 GPM, so that two motor-driven pumps appear to be required for LMFW. However, it is also stated in Appendix A that 380 GPM are required for:

(a) LMFW with no offsite power available (LOOP),

(b) Feedline rupture,

(c) Steamline rupture,

(d) Control room evacuation,

(e) Loss of all ac power,

(f) Loss of coolant accident (LOCA),

and that 500 GPM are required for loss of normal feedwater (LMFW). The reason for the difference is the application of more stringent and conservative acceptance criteria for Condition II events (e.g., loss of normal feedwater) than for Condition IV events (feedline rupture).

In addition, the applicant's fault trees shown in Figure 10.4.9A-2 of Ref. 3 appear to indicate that only one of the two motor-driven pumps (MDPs) is required for LMFW and LOOP. BNL has assumed that both of the MDPs are required for the LMFW case but only one for the LOOP case.

The time to boil the steam generators dry was not given in Appendix A.

For purposes of calculating time available for operator action, BNL assumed this to be 30 minutes, based on NUREG-0611 information for other Westinghouse NSSS plants.

4. SYSTEM DESCRIPTION

The BNL review of the AFWS reliability is based on the system as described in the SHNPP FSAR Section 10.4.9 currently on file in BNL's Nuclear Safety Library. This is provided as Appendix A of this report. The referenced flow diagrams have not been included in this report since the applicant has provided a simplified AFWS Flow Diagram (Figure 10.4.9A-1) in Ref. 3.

5. EMERGENCY OPERATION

5.1 Loss of Main Feedwater (LMFW)

Since offsite power is available, the two MDPs are started automatically upon loss of both Main Feedwater pumps. The pumps' flow is normally directed to the steam generators without any valve position changes required. The pumps' suction is supplied from the Condensate Storage Tank (CST) through a single locked-open manual isolation valve 3CE-V27SAB-1. The alternative suction sources from the Emergency Service Water System (ESWS) Supply Headers are isolated from the AFWS pumps by several normally closed motor-operated valves. The transfer to these sources is manual and involves clearing the low suction pressure pump trips and opening the motor-operated isolation valves.

In the event that one of the MDPs is unavailable, the applicant assumed that the net capacity of 400 GPM from the other MDP is inadequate to meet the stated flow requirements of 475 GPM. Therefore, it was assumed that the recirculation line to the CST must be isolated to increase the pump capacity to 450 GPM. However, this is still below the 475 GPM requirements stated in Ref. 3 (and the 500 GPM requirement stated in Appendix A). The apparent discrepancy between the modeling and the stated success requirements remains to be clarified.

The turbine-driven pump 1X-SB (TDP) must be manually started from the Control Room by opening the two normally closed, dc motor-operated Main Steam supply valves, 2MS-V9SA-1 and 2MS-V8SB-1. The Turbine Stop Valve and the Turbine Governing Control Valve are normally open.

5.2 Loss of Offsite Power (LOOP)

This case is identical to LMFW with the following exceptions:

(a) The TDP is automatically started via dc power.

(b) The MDPs are automatically started only after ac power becomes available, i.e., after startup and load sequencing of the two Emergency Diesel Generators.

(c) The net capacity (400 GPM) of one MDP is assumed by the applicant to be sufficient to meet the flow requirements.

5.3 Loss of All ac (LOAC)

This case differs substantially from LMFW and LOOP in that only the TDP is available and it must be started manually from the Main Control Board (MCB) or the Auxiliary Control Panel (ACP) by opening the Main Steam Supply valves, 2MS-V9SA-1 or 2MS-V8SB-1. Also, only the CST is available as a suction source since the motor-operated isolation valves from the ESWS are ac powered.

6. TESTING

Although Ref. 3 states that system testing has no potential for causing common-mode system failures since there are no system tests which would simultaneously disable both system trains, the detailed application of this policy is not clearly identified for the valves on both the MDPs' common discharge header and the discharge header of the TDP. For example, if testing of the TDP or the Train B flow control valves on the discharge header is performed concurrently with testing of pressure control valve 3AF-P2SB-1 at the outlet of MDPB, there would be no ostensible violation of the Technical Specifications (see Section 7.0) because all components, including the TDP, are on Train B only. Yet flow from both the TDP and MDPB would be blocked.

Therefore, BNL has assumed that no test (and/or maintenance) acts will be performed which will simultaneously block all flow to any one steam generator or block flow from more than one pump.

Ref. 3 states that final technical specifications and operating procedures are not yet available so that typical technical specifications and system operating procedures were used. As per Ref. 3, particular component information is as follows:

Pumps

The pumps are tested quarterly as per ASME Section XI, Subsection IWP.

To perform the tests, the manual isolation valves downstream of the pumps are closed to allow flow back to the CST through the minimum flow recirculation line. Each pump is manually started from the control room. Although the pumps are operating during the test, they are unavailable to provide flow to the SGs. BNL has assumed that the test unavailability is all represented in the pumps although the manual isolation valves technically are all closed simultaneously. Also, the applicant's assumption of quarterly testing is in conflict with the SHNPP Technical Specifications provided in the FSAR which state that the tests are to be performed monthly (see Section 7). Therefore, BNL has assumed monthly testing.

In addition, Appendix A states that the pumps will be verified to start upon an Auxiliary Feedwater Actuation Signal (AFAS) at least once every 18 months (i.e., during refueling shutdown). This agrees with the technical specifications. Since this test is performed during shutdown, there is no contribution to AFWS unavailability.

Valves

Ref. 3 states that all motor or hydro-motor operated valves will be tested quarterly to the position required to fulfill their function, in accordance with ASME Section XI, Subsection IWV. However, because the test is brief, lasting only for the stroke time of the valve, valve unavailability due to test outage is very small, and was not included in the applicant's study.

Although there is merit to the applicant's contention, BNL considers this to be in conflict with the NUREG-0611 requirements that 0.86 hours be assumed for valve testing. That value has been assumed in the BNL analysis.

Ref. 3 also states that each check valve subject to testing in accordance with ASME Section XI, Subsection IWV, can be tested during the testing of the pumps and power operated valves, and that if a system demand were to occur either during or after testing, the check valve would be returned to its proper position by the fluid forces of the system operation.

Thus, it has been assumed that testing of the check valves does not contribute to the system unavailability either by outage or by errors. BNL agrees with this assumption.

According to Ref. 3, monthly inspections are performed to verify that those valves in the flow path for the monthly pump tests are in the open position and, where applicable, are locked. Each manual valve is locked open, except the recirculation mini-flow lines. It should be noted that inspection of locked-open valves appears to exceed the requirements of the Standard Technical Specifications.

Control Circuits

Ref. 3 states that the quarterly ASME Section XI tests for pumps and power operated valves are also a control circuit test. Thus, BNL finds that there is no additional unavailability caused by control circuit testing.

Actuating Logic

It is beyond the scope of this review to verify the statement in Ref. 3 that, as demonstrated in FSAR Section 7.3, testing of the AFAS logic does not affect generation of the AFAS on demand and thus does not contribute to AFWS unavailability.

Diesel Generators

It is beyond the scope of this review to verify the statement in Ref. 3 that, as demonstrated in FSAR Section 8.3, testing of the diesel generators does not affect their ability to respond on demand, and thus does not contribute to AFWS unavailability.

7. TECHNICAL SPECIFICATIONS

The SHNPP technical specifications currently on file in BNL's Nuclear Safety Library are provided in Appendix B and have been used by BNL as reference material.

8. ASSUMPTIONS 8.1 Maintenance Although Ref. 3 states that system maintenance has no potential for i causing common mode failures because plant procedures will- prohibit maintenance which would simultaneously disable both system trains, the detail ed application of this poli cy is not clearly identi fied. It is particularly obscure for the SHNPP system as evidenced by the location of both Train A and Train B valves on both the MDPs' common discharge header and the discharge header of the TDP (see Figure 10.4.9A-1). If maintenance of, for l

l

example, M0V 2AF-V10SB-1 on the MDP line to SGA is required, there is no-obvious reason not to allow maintenance on flow control valve 3AF-FISA-1, even though each valve is on a different emergency bus.

Therefore, as stated previously in Section 6, BNL has assumed that no test or maintenance acts will be performed which will simultaneously block all flow to any one steam generator or block flow from more than one pump.

The applicant has made the following assumptions regarding maintenance in Ref. 3:

General

There is little or no incapacitating maintenance planned during plant operation unless a component fails to function during a periodic test.

Some components cannot be repaired while the plant is in operation.

Specific

A. Pumps

0.22 (maint. acts/month) x 7 (hr/maint. act) / 720 (hr/month) = 2.1 x 10^-3/demand

However, BNL finds that since the SHNPP technical specifications (Appendix B) allow one of the pumps to be down for 72 hours, the proper maintenance outage time to assume according to NUREG-0611 is 19 hours, not 7 hours. This results in a pump maintenance unavailability of 5.8 x 10^-3/demand, which was used in the BNL analysis.

B. Valves

Maintenance unavailability was assumed for power-operated valves only, as follows:

0.22 (maint. acts/month) x 7 (hr/maint. act) / 720 (hr/month) = 2.1 x 10^-3/demand

Maintenance on valves requires isolation (by closing adjacent valves) of the valve being worked on, introducing the possibility that the valves used for isolation could be left in the closed position. This is accounted for in the (applicant's) analysis by assigning a probability that the affected valves are left in the closed position.

BNL finds that 2.1 x 10^-3/demand is the correct value for valve maintenance according to the analysis in NUREG-0611. With regard to the statement concerning isolation of other valves to allow maintenance on a particular power-operated valve, this is indeed true, but often the number and location of other valves that must be closed will severely restrict the flowpaths to the steam generators. To be correct, these simultaneous closures should be modeled into the fault tree. However, since maintenance is assumed for power-operated valves only, it is assumed that all maintenance is such that closure of any other valve besides the affected valve is not required, i.e., maintenance is performed on the valve actuator and its associated components only, and not on the valve body or internal mechanism.

C. Diesel Generators

The following maintenance unavailability for the diesel generators was assumed in Ref. 3:

qMAINT = 0.22 (maint. acts/month) x 21 (hr/maint. act) / 720 (hr/month) = 6.4 x 10^-3/demand

This is the correct value from NUREG-0611.

8.2 Operator Errors

According to Ref. 3, it was assumed that the operator did not correct component failures, except the following:

1. The operator is assumed to be available to back up the automatic actuation of the AFWS. Failure of the operator to back up system automatic level actuation signals has been factored into the fault tree as event HE1, and assigned an unavailability of 5x10-/demand.

2. The operator is assumed to be available to change the AFWS pumps' suction source, from the Main Control Board, to the backup ESWS source if the primary source (the CST) is unavailable. Failure of the operator to manually initiate backup ESWS has been factored into the fault tree as event HE2, and also assigned an unavailability of 5x10-/demand. This is the correct value from Table III-2 of NUREG-0611 for manual actuation of the AFWS from the Control Room considering a "dedicated" operator with 30 minutes available time to act (before steam generator boil-dry). This corresponds closely to the system under consideration.

9. RELIABILITY ANALYSIS

9.1 Qualitative Aspects

9.1.1 Mode of System Initiation

1. LMFW. As stated in Section 5, both MDPs start automatically upon loss of both MFW pumps. Should the MDPs fail to start, the TDP will start automatically upon low-low level in any two steam generators.

All three pumps can be manually started by the operator from the Control Room. Therefore, the applicant complies with Recommendation GL-1 of NUREG-0611 that AFWS flow be automatically initiated using safety grade equipment and that manual start serve as a backup to automatic AFWS initiation.

2. LOOP. Both MDPs are automatically initiated once power is received from the diesel generators. The TDP is also automatically initiated. Should the LOOP signal fail to start the pumps, the MDPs will start upon low-low level in any one of the SGs and the TDP will start upon low-low level in any two of the SGs. All three pumps can again be manually started by the operator from the Control Room. Therefore, the applicant still complies with Recommendation GL-1 mentioned above.

3. LOAC. In this case, only the TDP is available. It is automatically started upon the concurrent LOOP signal, as in the other two cases, by opening either or both of the dc-operated Main Steam Supply MOVs, 2MS-V95A-1 and 2MS-V8SB-1.

The TDP is aligned to the CST, which is the sole suction source because the normally closed MOVs isolating the ESWS, the alternative suction source, are ac powered. Therefore, the applicant complies with Recommendation GL-3 of NUREG-0611 which states that at least one AFW pump and its associated flow path and essential instrumentation should automatically initiate AFW system flow and be capable of being operated independently of any ac power source for at least two hours.

9.1.2 System Control Following Initiation

1. LMFW. SG level control is maintained by the operator manually modulating the appropriate flow control valves in the TDP and MDPs' supply lines. If for some reason the pump suction pressure decreases to the level which causes the pumps to trip, the operator would have to clear the pump trips on low suction pressure and open the motor-operated isolation valves on the connections to the ESWS.

2. LOOP. System control is basically the same as for LMFW. However, if Diesel Generator A is unavailable, the flow control valves on the common discharge header from both MDPA and MDPB (i.e., 3AF-F1SA-1, 3AF-F2SA-1, and 3AF-F3SA-1) would also become unavailable. This effectively prevents flow control on the MDP header even though MDPB itself is still available. One alternative possibility is to use the motor-operated isolation valves, 2AF-V10SB-1, 2AF-V23SB-1, and 2AF-V195B-1, also on the MDP common discharge header. However, these valves may not have a means of partial opening or closing; if they are of fully open/fully closed design, it may be difficult to use them for flow control.

If Diesel Generator B is unavailable, flow from the TDP could not be modulated because the flow control valves 3AF-F5SB-1, 3AF-F5SB-1, and 3AF-F6SB-1 also become unavailable. The situation is similar for the motor-operated isolation valves 2AF-V116SA-1, 2AF-V117SA-1, and 2AF-V118SA-1 as mentioned above.

Level control in such situations can still be roughly accomplished by alternately starting and stopping the appropriate pumps.

3. LOAC. Only the TDP is available and it is supplied from the CST. The alternative suction sources from the ESWS cannot be used because they are ac dependent. Under the conditions cited above, i.e., Diesel Generator B is unavailable, flow control via the flow control valves is difficult if not impossible. Level control can still be roughly accomplished by alternately starting and stopping the pump.

Although not shown on the Simplified Flow Diagram, Figure 10.4.9A-1, safety-grade flowmeters with Control Room indication and instrument channels powered from emergency busses have been provided to indicate flow to each steam generator. This appears to satisfy the requirements of Additional Short-Term Recommendation 5.3.3 of NUREG-0611.

9.1.3 Effects of Test and Maintenance Activities

This subject was discussed in Sections 6 and 8.

9.1.4 Availability of Alternative Water Supplies

The CST contains a minimum of 240,000 gallons dedicated for use in the AFWS. Transfer to the alternative ESWS supplies is performed manually from the Control Room as discussed previously. Specific emergency procedures for transferring to the ESWS supplies have not been provided in Ref. 3. The procedures should include criteria to inform the operators when, and in what order, the transfer to alternative water sources should take place, and should meet all other requirements described in Recommendation GS-4 of NUREG-0611.

Ref. 3 does state that redundant level indicators in the Control Room for the AFWS primary water supply (the CST) allow the operator to anticipate the need to make up water or transfer to the alternative water supplies to prevent the occurrence of low pump suction pressure. It does not state whether redundant low level alarms are provided in the Control Room, or whether the low-low level of such alarms allows at least 20 minutes for operator action, as described in Additional Short-Term Recommendation 5.3.1 of NUREG-0611.

9.1.5 Adequacy and Separation of Power Sources

Table 10.4.9A-2 of Ref. 3 states that the AFWS provides two independent and diverse sources of feedwater, a motor-driven train and a turbine-driven train. The two motor-driven pumps are powered from the ESF (Engineered Safeguard Features) electrical ac power distribution system. The turbine steam supply valves are dc motor-operated valves, one powered from the safety-related 125-V dc bus on Train A and the other on Train B. The Turbine Stop Valve (called the Trip and Throttle Valve in Appendix B) and the Turbine Governing Control Valve can be operated only by Train B 125-V dc power. See Table 10.4.9A-1, "Power Supplies."

9.1.6 Single-Point Failures

Under the applicant's assumptions for mission success discussed in Section 3, BNL has not found any single-point failures, the closest situation being inadvertent closure of the manual isolation valve, 3CE-V27SAB-1, at the CST, causing all three pumps to trip upon low pressure. However, the ESWS alternative sources could be utilized unless the pump trips failed to actuate and the operator failed to act within the time available before pump damage could occur.

In contrast, in the BNL assessment, if two MDPs are required for LMFW, loss of Train B 125-V dc power becomes a single-point failure. This is further discussed in Subsections 9.2.3.4 and 9.2.3.6.

9.1.7 Adequacy of Emergency Procedures

The applicant has not yet provided emergency procedures but should do so in the future.

9.2 Quantitative Aspects

9.2.1 Applicant's Use of NRC-Suggested Methodology and Data

9.2.1.1 Fault Tree Construction and Evaluation

The applicant describes the construction of his fault trees, Figure 10.4.9A-2, Sheets 1 to 5, in Ref. 3 as follows:

The fault trees were constructed from the FMEA (independent failure analysis) and the common cause failure analysis.

The failures and combinations of failures that could defeat operation of the subsystem (including failures from other subsystems) were combined using conventional AND and OR gates. Then the subsystems were arranged through a logic which related them to the "top event" specified in Subsection 10.4.9A.2.1. This step was particularly complex for the AFS due to its extensive interconnection of redundant trains and the multiple ways in which it can successfully perform its function.

To simplify the fault tree, only the failure contributing component states (or events) from the FMEA, and not all possible causes of the state were incorporated into the fault tree. For example, if a valve being closed (unable to pass fluid) was a contributor in the fault tree, "VALVE XX CLOSED" was included as the event in the fault tree rather than placing an OR gate in the tree with event inputs such as "VALVE XX CLOSED DUE TO MAINT", "VALVE XX CLOSED DUE TO ERROR", "VALVE XX PLUGGED WITH DEBRIS", etc. The latter would generate an unmanageable number of cut sets, and would produce a computer analysis output which focused on causes of concern as opposed to component of concern, which is more useful. The causes and probabilities of each event along with the rationale for their selection is listed in Subsection 10.4.9A.5.1.

A single fault tree including all components considered in the study was first generated. This fault tree represented the system under Case 2 and is given on Figure 10.4.9A-2. The Case 1 fault tree was then developed by applying the SETS FRMNEWFT procedure to the Case 2 fault tree with the PHI option to delete ac power failures (since offsite power is given to be present for this case) and by manually adding as a system failure the inability of the MDP recirculation lines to isolate when the only AFS pump available is a single MDP. The Case 3 fault tree was also developed by applying the FRMNEWFT procedure to the Case 2 fault tree, but using the OMEGA option to assure ac power failure.

Although the applicant states that the Form New Fault Tree procedure of SETS (5), FRMNEWFT, was used to represent Case 1-LMFW, it seems clear from the results that still only one MDP was assumed to be required for this case.

BNL has calculated the system unavailability for this assumption and also for the case in which two MDPs are required. The methodology and results are given in Section 9.2.3.

Also, although separation of all possible causes of a component failure into maintenance, human error, hardware failure, etc., produces a larger number of cut sets, we do not agree that focusing on the component of concern, rather than on the cause of concern, is more useful. To be able to identify what percentage of the total unavailability is caused by maintenance or testing seems to be more useful since the capability of focusing on which component is involved in the bulk of the cut sets is also retained. For comparison purposes, it is also important not to assess double and triple maintenance cut sets, which the applicant's method implicitly does.

Figure III-2 of NUREG-0611, "Simplified Fault Tree Logic Structure-LOFW Transient," shows independent failures separately from test and maintenance outages. Thus, the applicant's method differs substantially from the NUREG-0611 guidelines. In the BNL analysis, test and maintenance have been identified separately, as explained in Subsection 9.2.3.1 of this report.

The applicant's statement that the inability of the MDP recirculation lines to isolate when the only AFWS pump available is a single MDP was manually added to the cut sets generated by the fault tree refers to the discussion of Mission Success Criteria in Section 3. If 475 GPM are assumed to be required for LMFW and the net capacity of one MDP is 400 GPM, then isolation of the 50 GPM recirculation flow can increase the pump capacity only to 450 GPM. For this reason and the reasons discussed in Section 3, BNL has assumed that both MDPs are required for LMFW.

This matter is related to the definition of the top event, as explained in Table 10.4.9A-2 of Ref. 3, and the segment of the tree which defines "134 GPM to Each SG from MDPs" and "Exactly One MDP Available." If the applicant has assumed in effect that the flow from two MDPs, or one MDP with its recirculation flow line isolated, is required for mission success in the LMFW case, then the top event required differs from that shown in Figure 10.4.9A-2. The new top event can be created by adding "Failure of the Recirculation Line to be Isolated" as an AND gate with "Exactly One MDP Available."

9.2.1.2 Failure Data

The applicant's failure data are shown in Table 10.4.9A-3 of Ref. 3. The data are in substantial agreement with the data prescribed in Table III-2 of NUREG-0611 (see Appendix C). The data assumptions by the applicant and by BNL are compared in Table 2. Note that many NUREG-0611 data correspond to values used in WASH-1400 (6).

9.2.2 Applicant's Results

9.2.2.1 System Unavailabilities

The applicant's results, which are described in Ref. 3, are the following:

The overall system failure probability was determined from the minimal cut sets using the SETS COMTRMVAL procedure. This uses the rare event approximation which neglects the intersection corrections of independent events. Since the probabilities of the basic event in the fault tree are small, the rare event approximation is valid for this study. The results are as follows:

TRANSIENT
Case 1    6.6x10^-6
Case 2    6.1x10^-5
Case 3    1.9x10^-2

BNL agrees that the rare event approximation is valid for this analysis.

9.2.2.2 Dominant Failure Modes and Conclusions

The applicant's dominant cut sets are listed in Tables 10.4.9A-6, 10.4.9A-7, and 10.4.9A-8 of Ref. 3 for LMFW, LOOP, and LOAC respectively. The conclusions are summarized in Table 3.

In the case of LOOP, the reason for the large contribution, 13.1%, of the 2-element cut set, (6900-V ac "A") - (125-V dc "B"), is that the TDP is dependent upon 125-V dc power from Train "B". This is indicated in Table 10.4.9A-1 under "Power Supplies" where 125-V dc "B" is listed as the only source of power to valves 2MS-V8SB-1, TSV, and TGCV. According to Figure 10.4.9A-2, Sheet 4, the Turbine Stop Valve closes if, as a secondary failure, pump speed control is lost. This in turn is shown occurring if Train B 125-V dc power is lost. MDPB is also incapacitated upon loss of Train B 125-V dc power.

9.2.3 BNL Assessment

9.2.3.1 Fault Trees

Since the applicant has not identified test or maintenance outages as separate inputs on the fault tree, BNL has approached the problem in the following manner.

First, each component which is subject to test or maintenance unavailability was identified on the fault tree. Then each of these components' basic failure events was converted to an OR gate consisting of the basic failure event, and the test and/or maintenance outages as inputs. The DELETE TERM option of the SETS program was then utilized to eliminate disallowed terms.

The underlying assumption in the test and maintenance policy is that any combination of simultaneous maintenance and/or test acts which shuts off all flow to any one steam generator or flow from more than one pump should be disallowed. The corresponding definition of DELETE TERM is shown in Table 4. It should be noted that the above definition does not preclude all simultaneous test and/or maintenance on Train A and Train B components. For example, maintenance on both the motor-operated isolation valve and the electro-hydraulic motor-operated flow control valve in any one of the flow paths to the steam generators could be performed simultaneously even though one is a Train A component and the other is a Train B component.

As previously discussed in the LMFW case, BNL has checked the system unavailability for the case in which 400 GPM, which is the net flow rate from either MDP when mini-flow recirculation is accounted for, is sufficient for mission success. In effect, this means that one MDP is sufficient without isolation of the mini-flow recirculation line. This corresponds to the applicant's fault trees as presented in Ref. 3, using the PHI option of SETS to zero out ac power failures. The case where 500 GPM is required for LMFW as per FSAR 10.4.9 (see Appendix A), or effectively the flow from both MDPs, was also calculated. The comparative definitions of the two top events are shown in Table 5.
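The OR-gate expansion, disallowed-term deletion and rare event quantification described in Subsections 9.2.2.1 and 9.2.3.1 can be illustrated with the following added example, which is not part of the applicant's or BNL's SETS analysis. The three-pump model, the event labels and every probability except the 19-hour pump maintenance term are constructed, and only the "flow from more than one pump" clause of the deletion rule is implemented.

```python
from itertools import product
from math import prod

# Pump maintenance unavailability from the NUREG-0611 formula with a 19 h outage.
Q_MAINT_PUMP = 0.22 * 19 / 720  # about 5.8e-3 per demand

# Per-demand basic-event probabilities. Only Q_MAINT_PUMP follows the report;
# every other value and every event label is constructed for illustration.
P = {
    "DCB_F": 2.0e-4,                                       # Train B 125-V dc lost
    "MDPA_F": 5.0e-3, "MDPB_F": 5.0e-3, "TDP_F": 5.0e-3,   # hardware failure
    "MDPA_M": Q_MAINT_PUMP, "MDPB_M": Q_MAINT_PUMP, "TDP_M": Q_MAINT_PUMP,
    "MDPA_T": 2.0e-3, "MDPB_T": 2.0e-3, "TDP_T": 2.0e-3,   # test outage
}


def basic(name):
    """A basic event as a one-element family of cut sets."""
    return {frozenset([name])}


def minimize(cut_sets):
    """Absorption: drop every cut set that strictly contains another one."""
    return {s for s in cut_sets if not any(t < s for t in cut_sets)}


def OR(*inputs):
    return minimize(set().union(*inputs))


def AND(*inputs):
    return minimize({frozenset().union(*combo) for combo in product(*inputs)})


def pump_out(pump, support=()):
    """Basic failure event turned into an OR gate: hardware failure,
    maintenance outage, test outage, plus any shared support failure."""
    events = [pump + "_F", pump + "_M", pump + "_T", *support]
    return OR(*(basic(e) for e in events))


def top_event(two_mdps_required):
    """Loss of AFW flow. TDP and MDPB both depend on Train B 125-V dc."""
    tdp = pump_out("TDP", ["DCB_F"])
    mdpa = pump_out("MDPA")
    mdpb = pump_out("MDPB", ["DCB_F"])
    if two_mdps_required:
        # The MDP train fails as soon as either motor-driven pump is lost.
        return AND(tdp, OR(mdpa, mdpb))
    # Any single pump is sufficient, so all three must be lost.
    return AND(tdp, mdpa, mdpb)


def delete_terms(cut_sets):
    """Drop cut sets whose test/maintenance acts remove more than one pump."""
    def pumps_in_tm(cs):
        return {e.split("_")[0] for e in cs if e.endswith(("_M", "_T"))}
    return {cs for cs in cut_sets if len(pumps_in_tm(cs)) <= 1}


def rare_event(cut_sets):
    """Rare event approximation: sum of cut-set products, no intersections."""
    return sum(prod(P[e] for e in cs) for cs in cut_sets)


def analyze(two_mdps_required):
    raw = top_event(two_mdps_required)
    allowed = delete_terms(raw)
    return {
        "raw": raw,
        "allowed": allowed,
        "q_raw": rare_event(raw),
        "q": rare_event(allowed),
        "singles": sorted(e for cs in allowed if len(cs) == 1 for e in cs),
    }


if __name__ == "__main__":
    for label, flag in (("one MDP sufficient", False), ("two MDPs required", True)):
        r = analyze(flag)
        print(f"{label}: {len(r['raw'])} minimal cut sets, "
              f"{len(r['allowed'])} after deletion, q = {r['q']:.2e}, "
              f"single-element cut sets = {r['singles']}")
```

With the constructed values, requiring both MDPs turns loss of Train B dc power into a single-element cut set and raises the result above 1x10^-4, while the one-MDP case stays well below it.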

9.2.3.2 Failure Data

A general comparison between the applicant's data and BNL's has already been shown in Table 2.

9.2.3.3 System Unavailabilities

The applicant's results and BNL's are compared in Table 6. Note that for LMFW, the system unavailability is much less than 1x10^-4/demand for the case of one MDP required but significantly exceeds 1x10^-4 if two MDPs are required. This is to be expected because the cumulative unavailability of a two-train system, one of whose trains consists of two pumps, should be higher than that of not only the pure three-train system but also a two-train system in which each train consists of a single pump.

The probable reason why BNL's results for LOOP are slightly lower than the applicant's is that the effects of deleting disallowed test and maintenance acts for the LOOP case are magnified because of the large contribution from maintenance on the diesel-generators.

9.2.3.4 Dominant Failure Modes

1. Case 1-LMFW.

A. One MDP Required. For this situation the dominant cut sets are failure of both suction sources by closure of valve 3CE-V27SAB-1 at the CST combined with human error in failing to transfer to the alternative ESWS supplies followed by failure of Train B 125-V dc power, incapacitating both the TDP and MDPB, in conjunction with various component failures which incapacitate MDPA. The next significant block of cut sets is spurious actuation of the steam generator line break isolation signals. Cut sets that involve maintenance of one of the pumps combined with component failures incapacitating both of the remaining two pumps are next in order (see Figure 2A).

B. Two MDPs Required. For this case, loss of Train B 125-V dc power is a single element cut set which eliminates both the TDP and MDPB. The next block of cut sets comprises the dual component type consisting of maintenance or test acts on the TDP or its associated valves combined with failures of MDPA or MDPB or conversely maintenance or test acts on MDPA or MDPB combined with failures of the TDP (see Figure 2B).

2. Case 2 - LOOP.

The predominant cut sets are both double and triple type consisting of such failures as loss of Train B 125-V dc power combined with failure of DGA or test or maintenance acts on MDPA, maintenance on the TDP or its associated valves, and component failures of either diesel generator combined with failure of the opposite train pump. Also included is closure of valve 3CE-V27SAB-1 at the CST combined with human error in failing to transfer to the alternative ESWS supplies (see Figure 3).

3. LOAC.

As expected, single-element cut sets predominate with the largest being maintenance on the TDP, followed by inadvertent closure of the manual isolation valves in the pump suction line, maintenance on or component failures of the turbine stop valve or governing control valve, etc. (see Figure 4).

9.2.3.5 General Comparison with Other Plants

The SHNPP AFWS design is similar to that of many other plants in that it consists of two motor-driven pumps and a third pump which is steam turbine driven. It appears to be fairly unusual in that both of its suction sources are safety-class design, i.e., the CST and the ESWS. The volume of water in the CST is sufficient to eliminate the need for any further operator actions to maintain suction supply subsequent to AFWS initiation. The ESWS serves merely as a backup source which should be required only in a rare event. It is also somewhat unusual in that low suction pressure trips are provided for all three pumps.

The two MDPs feed into a common discharge header which allows either pump to supply all three steam generators. The TDP has a separate header which supplies all three steam generators. The scheme for limiting AFWS flow to a steam generator undergoing depressurization does not restrict the flow of any pump to all three steam generators.

Depending upon what additional events accompany a LMFW transient, the flow from one MDP may not be sufficient. Therefore, in the SHNPP design, the motor-operated recirculation line isolation valve of each MDP is automatically isolated when the other MDP fails to start or run, as indicated by undervoltage in the 6900-V ac emergency bus. This increases the flow of one MDP from 400 GPM to 450 GPM. The adequacy of this increased flow rate was discussed above in Section 3.

According to Ref. 3, the applicant will inspect locked-open manual valves during the monthly pump tests. This appears to exceed the requirements of the Standard Technical Specifications.

9.2.3.6 General Comments

The following aspects of the AFWS should be highlighted:

1. Pump Discharge Isolation Valves

Although there will be monthly verification that the manual suction isolation valves are open by virtue of the pump testing, it is stated in Ref. 3 that the manual valves on the pumps' discharge headers will be closed to bypass flow to the CST through the mini-flow recirculation lines. Since no position indication for either the suction or the discharge valves appears in the Control Room, if one or more of the valves were left closed after a test, this situation would remain undetected until the next pump test. However, given 30 minutes before steam generator boil-dry, the operator should be able to determine by steam generator level indication that the valves are closed and restore the valves to the open position, should this be necessary.

2. Turbine-Driven Pump Dependence on Train B 125-V dc Power

The TDP is dependent upon Train B 125-V dc power, but this does not appear to be in conflict with any of the short-term or long-term recommendations of NUREG-0611, as discussed in Subsection 9.2.2.2. Loss of Train B 125-V dc power also incapacitates MDPB. Although consideration of loss of dc power does not appear to be within the scope of NUREG-0611, dc power is a significant shared support system, and depending on the top event definition for LMFW, loss of Train B dc power may be a single failure.

3. Flow Control With LOOP and Only One Diesel-Generator Available

As discussed in Subsection 9.1.2, upon LOOP, if Diesel Generator A is unavailable, flow control of both MDPs cannot be directly accomplished because the corresponding flow control valves are dependent upon Train A ac power.

Similarly, if Diesel Generator B is unavailable, flow control of the TDP cannot be directly accomplished because its flow control valves are dependent upon Train B ac power.

4. Test and Maintenance Policies

Because of the mixture of Train A and Train B power-operated valves on the pumps' discharge headers, confusion may result on the part of the plant operating personnel concerning which valves may or may not be tested or maintained concurrently with any one pump without a detailed statement of the correct policy. Such a policy has not been provided in this report.

There appears to be a contradiction concerning the test interval of the pumps. Ref. 3 states that pumps are to be tested quarterly but the Technical Specifications in Appendix B state that the testing is to be performed at least once every 31 days.

REFERENCES

1. "Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse Designed Operating Plants," NUREG-0611, U.S. NRC (January, 1980).
2. Letter from D.F. Ross, Jr., U.S. NRC, to All Pending Operating License Applicants of Nuclear Steam Supply Systems Designed by Westinghouse and Combustion Engineering (March 10, 1980).
3. "Auxiliary Feedwater System Availability Analysis," SHNPP FSAR Appendix 10.4.9A (April 18, 1983).
4. "Auxiliary Feedwater System (PWR)," U.S. NRC Standard Review Plan 10.4.9, Rev. 2, NUREG-0800 (July, 1981).
5. Worrell, Richard B. and Stack, Desmond W., "A SETS Users Manual for the Fault Tree Analyst," NUREG/CR-0465 (November, 1978).
6. "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants - Appendices 3 and 4: Failure Data," U.S. NRC, WASH-1400 (NUREG 75/014) (October, 1975).

[Figure 2A. SHNPP Auxiliary Feedwater System BNL Results - Dominant Cut Sets - LMFW Case 1A - Applicant's Assumption: One Motor-Driven Pump Required (Sheets 1 and 2 of 2). Computer listing of cut sets.]

[Figure 2B. LMFW Case 1B - BNL Assessment: Two Motor-Driven Pumps Required (Sheets 1 and 2 of 2). Computer listing of cut sets.]

..__.._..m_._ _ -__.m____ - .

ggp a 1 0 . O U U 0 t. Un UGAf "

12WOI +

c 3 4 4 U U c. - " O I U r' N

  • UOAP ' Lbdr +

1 4 09U0t 06 UUAP "

UGbt

  • MIV27FAWc +

1 1

  • . 5 9 U o t. 06 uuar -

DGBF ilv30sA8c +

, 2 c e 3 D U 0 t.= U D r1 t. c "

n k V d { b e. A+

 6  1.8900E-06  MATSV * DGAF * DGBF +
 7  1.8900E-06  MATGCV * DGAF * DGBF +
 8  1.8000E-06  TATDP * DGAF * DGBF +
 9  1.2760E-06  MDPAMO * 125VDCBF +
10  1.1220E-06  125VDCBF * MDPSAF +
11  9.9000E-07  DGAF * DGBF * MIV14SABC +
12  9.0000E-07  DGAF * DGBF * TDPSABF +
13  8.8740E-07  TDPMO * DGAF * MDPBSF +
14  8.8740E-07  TDPMO * DGBF * MDPSAF +
15  4.6200E-07  MAPCVP1SA * 125VDCBF +
16  4.4000E-07  TAMDPA * 125VDCBF +
17  3.2130E-07  MATSV * DGAF * MDPBSF +
18  3.2130E-07  MATGCV * DGAF * MDPBSF +
19  3.2130E-07  MATSV * DGBF * MDPSAF +
20  3.2130E-07  MATGCV * DGBF * MDPSAF +
21  3.0600E-07  TATDP * DGAF * MDPBSF +
22  3.0600E-07  TATDP * DGBF * MDPSAF +

Figure 3 SHNPP Auxiliary Feedwater System BNL Results - Dominant Cut Sets - LOOP - Case 2 (Sheet 1 of 2)

l 23 2 4200E 07 u!V6 SAC

  • 125VOC8 F +

24 2.4200E-07 HIVSSAC

  • 125VOCBF +

25 2.0700E 07 OGAF

  • OGAF

26 1.9140E 07 MOPBM0 + OGAF

  • MIV14Sa8C+

27 1.9140E 07 TOPMO

  • MIV14 SAC *-DGAF +

28 1.9140E 07 TOPHO + MIVISSAC

  • OGAF +

29 1.9140E n7 TOPMO

  • MIV6 SAC
  • DGRF
  • 30 1.9140E 07 TopMO
  • MTV5 SAC
  • DG8F +

31 1.9140E 07 HOPAMO + OG9F

  • MIVlagaAC+

32 1.7400E n7 nopnMO e OGAF

  • TOPSAAF +

33 1.7400E-07 MOPAMO

  • DG8F
  • TOPSAGF +

i 34 1.6830E n7 DGAF

  • MIV14SABC
  • u0PASF +

35 1.6830E-07 OG8r

  • MIV14SABC
  • MDPSAF +

36 1.5300E 07 OGAF

  • TOPSA8F
  • u0DRSF +

i 37 1.5300E 07 DG9F

  • TOPSA8F
  • MOPSAF +

38 1.5300E 07 OGAF

  • OGBF.* TGCVS9C + '

39 1.5086E-07 TOPHO

  • MOPSAF
  • MDPBSF +

40 1.4030E-07 MADGA

  • 125VOC0F +

41 1.3200E 07 PCVP1 SAC

  • 125VOC9F + .

l 42 1 1016E 07 DGAF

  • 480VACTBF

43 1.1016E 07 480VACTAF

  • DG8F
  • MIyp7sA8C
  • 44 1.0440E 07 TOPM0 + PCVP2S9C
  • DGAr +

45 1.0440E-07 TOPMO

  • PCVP1 SAC
  • OGBF +

Figure 3 (Cont.) (Sheet 2 of 2)

L3AC ='

1 5.SC0CE-03 TOPMO +

2 5.100CE-03 MI127SA30 &

i

'. 3 5.1CCCE-03 MIV30SABO &

4 2.100CE-03 MATSV +

5 2 1CCCE-03 MATGCV &

6 2.0CCCE-03 TATDP +

l 7 1.100CE-03 MIV14SABC +

8 1.CC0CE-03 TOPSA3F &  ;

9 2.300CE-04 TS/S30 +

10 2. 20 0 C E-0 4 125V1CSF &

l 11 1.7COCE-04 TGCVS3C 4 _

! 12 1.CCCCE-G4 C/43SA3FC &

4

! 13 1.0CCCE-C4 CV3SASFC t

14 2.6CiCE-05 MSM3V9 SAC
  • MSH0/SS3C
  • L 15 1.071CE-05 NAMSM319SA
  • MSM3/8SB0 &

16 1.C71CE-C5 MANS 10V953

  • MSM3V9 SAC +

t 17 4.41CCE-C6 14MSM0/954

  • MAH31018SS +

is 4.412CE-06 MAFCVF633 ' 1AFC/r5SB +

l i 19 4.410CE-06 MAMJV11754

  • MAF VF5Sa +  !

Figure 4 SHNPP Auxiliary Feedwater System BNL Results - Dominant Cut Sets - LOAC - Case 3 (Sheet 1 of 2)

2C 4.41GCE-06 MAFC/F433

  • 1AFC/F558 +

21 4.41CCE-06 MAM3V116SA

  • NAF;VF5SB +

22 4.410CE-06 MAFCVF6S3

  • 1AM0/118SA &

23 4.413CE-06 MAM0/1173A ' MAM3/113SA +

24 4.410CE-C6 MAFCVr4SS

  • 1AMOV11SSA +

25 4.41CCE-06 MAMOV116SA

  • 1AM31118SA &

26 4.410CE-06 MAFC/F453

  • 1AFC/F6SG +

27 4.410CE-06 MAFCVr4S3

  • iA10/117SA
  • 28 4.41CCE-C6 MAMOV116SA
  • 29 4.410CE-C6 MAMOV116SA
  • MAM)/117SA +

30 2.310CE-06 MAFCVF6S3

  • 1IV33 sac +

31 2.310CE-06 MAMOV1175A

  • MIV33S3C +

32 2.31CCE-06 MAFCVF4S3 ' 1I/33SSC t 33 2.3100E-06 MAMOV1165A

  • MIV33SSC +

34 2.310CE-06 MAFCVF553

  • 1IV35SBC +

35 2.310CE-06 MAFC/r5S3

  • 1I/31SBS +

36 2.310CE-06 MANOV118SA

  • MIV!6SBC +

37 2.3100E-06 MAM0/1135A

  • MIV33S3C +

38 2.3100E-Ob NAFC/F6S8

  • 1IV33SBC &

39 2. 310 C E- 0 6 MAMOV117SA ' MIV3 C S3C +

40 2.310CE-06 MAFC/F4S3

  • iI/35SSC +

41 2 31CCE-06 MAMOV116SA ' MIV!6 SBC +

Figure 4 (Cont.) (Sheet 2 of 2)


Table 2 Comparison of Data Assumptions

                                                              UNAVAILABILITY / DEMAND
DESCRIPTION                                                   APPLICANT      BNL

1. Maintenance
   a. Pumps                                                   2.1x10^-3      5.8x10^-3
   b. Valves
      i.   Motor-operated                                     2.1x10^-3      2.1x10^-3
      ii.  Electro-hydraulic motor-operated                   2.1x10^-3      2.1x10^-3
      iii. Manual                                             0              0
      iv.  Check                                              0              0
   c. Diesel Generators                                       6.4x10^-3      6.4x10^-3

2. Testing
   a. Pumps                                                   0              2.0x10^-3
   b. Valves (only for valves which are to be tested,
      not all valves)
      i.   Motor-operated                                     0              3.9x10^-4
      ii.  Electro-hydraulic motor-operated                   0              3.9x10^-4
      iii. Manual                                             0              0
      iv.  Check                                              0              0
   c. Diesel Generators                                       0              0

3. Random Failures
   a. Human Errors
      Pre-Accident Nature
      i.   Valve inadvertently closed or open due to
           maintenance error
           1. Motor-operated, electro-hydraulic
              motor-operated                                  5x10^-4        5x10^-4
           2. Manual
              No operator recovery (Post-Acc.)                5x10^-3        5x10^-3
              With operator recov. (Post-Acc.)                5x10^-3        1x10^-3
      Post-Accident Nature
      i.   Valve inadvertently closed or due to
           control room error                                 0              0
      ii.  Operator fails to manually initiate the
           AFWS pumps                                         5x10^-4        5x10^-4
      iii. Operator fails to transfer to the backup
           ESWS suction sources                               5x10^-4        5x10^-*
   b. Mechanical or Electrical Faults
      i.    Plugging of all valves                            1x10^-4        1x10^-4
      ii.   Failure of mechanical components:
            pumps, motor-operated valves
            (including electro-hydraulic)                     1x10^-3        1x10^-3
      iii.  Loss of pump motor cooling                        N/A            N/A
      iv.   Control circuit failure:
            Active
              Pumps (Monthly tests)                           4x10^-3        4x10^-3
              Valves (Quarterly tests)                        6x10^-3        6x10^-3
            Passive (Spurious)
              Pumps (Monthly tests)                           1.3x10^-4      1.3x10^-4
              Valves (Quarterly tests)                        6.7x10^-4      6.7x10^-4
              Line Break Isolation Signals                    2.3x10^-4      2.3x10^-4
      v.    Failure of actuation logic to pumps and
            power-operated valves                             7x10^-3        7x10^-3
      vi.   Diesel-generator fails to start                   3x10^-2        3x10^-2
      vii.  480V AC station service transformer failure       7.2x10^-4      7.2x10^-4
      viii. 125V DC power supply fails                        2.2x10^-4      2.2x10^-4
      ix.   Auto 6900V under-voltage signal failure
            (for MDP recirculation isolation valves)          2.1x10^-3      0
   c. Summation of Random Failures
      i.   Pumps
           1. Motor-driven                                    5.1x10^-3      5.1x10^-3
           2. Turbine-driven                                  1.0x10^-3      1.0x10^-3
      ii.  Valves (Flow Blockage Probability)
           1. Motor-operated
              a. Position change required                     7.6x10^-3      7.6x10^-3
              b. No position change req.                      6.0x10^-4      6.0x10^-4
           2. Electro-hydraulic motor-operated
              a. Pressure control                             2.0x10^-4      7.0x10^-4
              b. Flow control                                 1.0x10^-4      6.0x10^-4
           3. Manual (locked open)
              a. No post-accident recovery possible           5.1x10^-3      5.1x10^-3
              b. Post-accident recovery possible              5.1x10^-3      1.1x10^-3
           4. Check                                           1.0x10^-4      1.0x10^-4
      iii. Diesel Generators                                  3.0x10^-2      3.0x10^-2

Table 3 Summary of Applicant's Dominant Failure Modes

                                                                  % OF TOTAL
FAILURE DESCRIPTION                                               UNAVAILABILITY

1. LMFW
   a. (TDP steam supply valves or TDP)·(MDPA)·(MDPB)
      + (TDP steam supply valves or TDP)·[(MDPA + MDPB)]·
        (one MIV in common MDP discharge header)
      + (TDP steam supply valves or TDP)·
        (two MIVs in common MDP discharge header)                 39.3
   b. Spurious signal generation of any two combined
      line break isolation signals                                 9.6
   c. (One PCV)·(TDP steam supply valves or TDP)·
      [(MDP opposite to PCV) + (one MIV in common MDP
      discharge header)]                                          11.0
   d. (One FCV)·(TDP steam supply valves or TDP)·
      (one MIV in common MDP discharge header)                     5.4

2. LOOP
   a. (6900V AC "A")·(6900V AC "B")·(TDP or steam
      supply valves)                                              27.6
   b. (6900V AC "A")·(125V DC "B")                                13.1
   c. (6900V AC "A")·(6900V AC "B")·(TDP manual
      suction isolation valve)                                    11.1
   d. (6900V AC "A")·(6900V AC "B")·(two other
      various basic events)                                       30.2

3. LOAC
   a. (TDP manual steam isolation valve)                          26.8
   b. (TDP manual suction isolation valve)                        26.8
   c. (TDP)                                                       16.3
   d. (TDP governing control valve)                               12.1
   e. (TDP stop valve)                                            12.1

Table 4 Definition of Disallowed Test and Maintenance Acts

Let:

1. MDPA = MAPCVP1SA + TAPCVP1SA + MDPAMO + TAMDPA + MADGA
2. MDPB = MAPCVP2SB + TAPCVP2SB + MDPBMO + TAMDPB + MADGB
3. TDP = TDPMO + TATDP + MATGCV + MATSV + MAMSMOV9SA MAMSMOV8SB
4. MDPSGA = MAMOV10SB + TAMOV10SB + MAFCVF1SA + TAFCVF1SA
5. MDPSGB = MAMOV19SB + TAMOV19SB + MAFCVF3SA + TAFCVF3SA
6. MDPSGC = MAMOV23SB + TAMOV23SB + MAFCVF2SA + TAFCVF2SA
7. TDPSGA = MAMOV116SA + TAMOV116SA + MAFCVF4SB + TAFCVF4SB
8. TDPSGB = MAMOV117SA + TAMOV117SA + MAFCVF6SB + TAFCVF6SB
9. TDPSGC = MAMOV118SA + TAMOV118SA + MAFCVF5SB + TAFCVF5SB

Defining DELETE as any combination which shuts off all flow to any one steam generator or flow from more than one pump, we obtain:

DELETE = MDPSGA · (TDP + TDPSGA)
       + MDPSGB · (TDP + TDPSGB)
       + MDPSGC · (TDP + TDPSGC)
       + MDPA · MDPB
       + TDP · (MDPA + MDPB)

Note: MA = Maintenance Act on Component ID, except for MDPAMO, MDPBMO and TDPMO, which are the applicant's terms for maintenance outage on MDPA, MDPB and the TDP, respectively.
      TA = Test Act on Component ID
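The DELETE rule of Table 4 can be applied mechanically to a cut-set list. The following Python is an added example, not part of the BNL report or the applicant's analysis: it reads the product sign in Table 4 as AND and + as OR, takes event names as read from the scanned table, assigns probabilities from the BNL column of Table 2 by an assumed name-to-row mapping, and uses two constructed cut sets to show the screening.

```python
"""Screen candidate cut sets against the Table 4 DELETE rule, then quantify."""
from math import prod

# Test/maintenance groups as read from Table 4; each group is an OR of acts.
# The two steam supply valve acts in the TDP line are omitted because the
# operator joining them is not legible on the page.
MDPA = {"MAPCVP1SA", "TAPCVP1SA", "MDPAMO", "TAMDPA", "MADGA"}
MDPB = {"MAPCVP2SB", "TAPCVP2SB", "MDPBMO", "TAMDPB", "MADGB"}
TDP = {"TDPMO", "TATDP", "MATGCV", "MATSV"}
MDPSGA = {"MAMOV10SB", "TAMOV10SB", "MAFCVF1SA", "TAFCVF1SA"}
MDPSGB = {"MAMOV19SB", "TAMOV19SB", "MAFCVF3SA", "TAFCVF3SA"}
MDPSGC = {"MAMOV23SB", "TAMOV23SB", "MAFCVF2SA", "TAFCVF2SA"}
TDPSGA = {"MAMOV116SA", "TAMOV116SA", "MAFCVF4SB", "TAFCVF4SB"}
TDPSGB = {"MAMOV117SA", "TAMOV117SA", "MAFCVF6SB", "TAFCVF6SB"}
TDPSGC = {"MAMOV118SA", "TAMOV118SA", "MAFCVF5SB", "TAFCVF5SB"}

# DELETE as a sum of products: each product is a tuple of OR-groups, and a
# cut set is disallowed when it holds at least one event from every group.
DELETE_TERMS = {
    "MDPSGA.(TDP+TDPSGA)": (MDPSGA, TDP | TDPSGA),
    "MDPSGB.(TDP+TDPSGB)": (MDPSGB, TDP | TDPSGB),
    "MDPSGC.(TDP+TDPSGC)": (MDPSGC, TDP | TDPSGC),
    "MDPA.MDPB": (MDPA, MDPB),
    "TDP.(MDPA+MDPB)": (TDP, MDPA | MDPB),
}

# Unavailability per demand, BNL column of Table 2. Which Table 2 row feeds
# each event is this example's assumption, inferred from the event names.
P = {
    "TDPMO": 5.8e-3,     # pump maintenance
    "MDPAMO": 5.8e-3,    # pump maintenance
    "TATDP": 2.0e-3,     # pump testing
    "MATSV": 2.1e-3,     # valve maintenance
    "MADGA": 6.4e-3,     # diesel generator maintenance
    "DGAF": 3.0e-2,      # diesel generator, summed random failures
    "DGBF": 3.0e-2,
    "MDPBSF": 5.1e-3,    # motor-driven pump, summed random failures
    "125VDCBF": 2.2e-4,  # 125V DC power supply fails
}

# Candidate LOOP cut sets. The first four appear in Figure 3; the last two
# are constructed for this example and violate the DELETE rule.
CANDIDATES = [
    ("MATSV", "DGAF", "DGBF"),
    ("TATDP", "DGAF", "DGBF"),
    ("MDPAMO", "125VDCBF"),
    ("TDPMO", "DGAF", "MDPBSF"),
    ("TDPMO", "MDPAMO", "DGBF"),  # constructed: TDP and MDPA maintenance together
    ("MATSV", "MADGA", "DGBF"),   # constructed: TDP-train and MDPA-train acts together
]


def disallowed_terms(cut_set):
    """Return the names of the DELETE products that the cut set satisfies."""
    events = set(cut_set)
    return [name for name, groups in DELETE_TERMS.items()
            if all(events & group for group in groups)]


def probability(cut_set):
    """Cut-set probability as the product of independent basic events."""
    return prod(P[event] for event in cut_set)


def screen(cut_sets):
    """Split cut sets into (kept, deleted) according to the DELETE rule."""
    kept, deleted = [], []
    for cut_set in cut_sets:
        (deleted if disallowed_terms(cut_set) else kept).append(cut_set)
    return kept, deleted


def rare_event_sum(cut_sets):
    """Rare-event approximation: sum of the cut-set probabilities."""
    return sum(probability(cut_set) for cut_set in cut_sets)


if __name__ == "__main__":
    kept, deleted = screen(CANDIDATES)
    for cut_set in kept:
        print(f"keep    {probability(cut_set):.4E}  {' * '.join(cut_set)}")
    for cut_set in deleted:
        terms = ", ".join(disallowed_terms(cut_set))
        print(f"delete  {probability(cut_set):.4E}  {' * '.join(cut_set)}  [{terms}]")
    print(f"sum of kept cut sets: {rare_event_sum(kept):.4E}")
```

With this mapping the four retained products reproduce the values printed for those cut sets in Figure 3.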

Table 5 Definition of Top Event for LMFW

Case 1A - One MDP is Required

This case is defined in Table 10.4.9A-2 of Ref. 3. Auxiliary Feedwater System function is not fulfilled if:

1. LT200SGA134SGB = (<200 GPM is delivered to SGA) · (<134 GPM is delivered to SGB)
or
2. LT200SGA134SGC = (<200 GPM is delivered to SGA) · (<134 GPM is delivered to SGC)
or
3. LT200SGB134SGA = (<200 GPM is delivered to SGB) · (<134 GPM is delivered to SGA)
or
4. LT200SGB134SGC = (<200 GPM is delivered to SGB) · (<134 GPM is delivered to SGC)
or
5. LT200SGC134SGA = (<200 GPM is delivered to SGC) · (<134 GPM is delivered to SGA)
or
6. LT200SGC134SGB = (<200 GPM is delivered to SGC) · (<134 GPM is delivered to SGB)

Therefore:

TOP = LT200SGA134SGB + LT200SGA134SGC + LT200SGB134SGA + LT200SGB134SGC + LT200SGC134SGA + LT200SGC134SGB

Case 1B - Two MDPs are Required

In this case, mission success occurs if > 250 GPM is delivered to each of any two steam generators. Mission failure is then:

TOP = LT250SGA250SGB + LT250SGA250SGC + LT250SGB250SGC,

where

LT250SGA250SGB = (<250 GPM is delivered to SGA) · (<250 GPM is delivered to SGB)
LT250SGA250SGC = (<250 GPM is delivered to SGA) · (<250 GPM is delivered to SGC)
LT250SGB250SGA = (<250 GPM is delivered to SGB) · (<250 GPM is delivered to SGA)

Since partial failures are not considered in this analysis, less than 250 GPM to a steam generator is functionally the same as less than 200 GPM to a steam generator. In the fault trees, these cases are represented by transfer symbols A-1, B-1, and C-1. The top event can be re-defined as

TOP = (LT200CV153) · (LT200CV154) + (LT200CV153) · (LT200CV155) + (LT200CV154) · (LT200CV155)

where

(LT200CV153) · (LT200CV154) = (<200 GPM from check valve 2AF-V153SAB-1 to SGA) · (<200 GPM from check valve 2AF-V154SAB-1 to SGB)
(LT200CV153) · (LT200CV155) = (<200 GPM from check valve 2AF-V153SAB-1 to SGA) · (<200 GPM from check valve 2AF-V155SAB-1 to SGC)
(LT200CV154) · (LT200CV155) = (<200 GPM from check valve 2AF-V154SAB-1 to SGB) · (<200 GPM from check valve 2AF-V155SAB-1 to SGC)

Table 6 Comparison of Results

CASE                              APPLICANT      BNL

1. LMFW
   A. One MDP Required            6.6 E-6        9.2 E-6
   B. Two MDPs Required           -----          4.6 E-4
2. LOOP                           6.1 E-5        4.9 E-5
3. LOAC                           1.9 E-2        2.5 E-2

APPENDIX A: SHNPP FSAR Section 10.4.9 "Auxiliary Feedwater System"

10.4.9 AUXILIARY FEEDWATER SYSTEM*

The Auxiliary Feedwater System serves as a backup system for supplying feedwater to the secondary side of the steam generators at times when the normal feedwater system is not available, thereby maintaining the heat sink capabilities of the steam generator. The system provides an alternate to the Feedwater System during start-up, hot standby and cooldown and also functions as an engineered safeguards system. In the latter function, the Auxiliary Feedwater System is directly relied upon to prevent core damage in the event of transients such as loss of normal feedwater or a secondary system pipe rupture.

10.4.9.1 Design Bases

The Auxiliary Feedwater System (AFS) is designed to supply sufficient quantities of feedwater to the secondary side of the steam generators to achieve stable hot standby conditions and plant cooldown if necessary.

Plant conditions which may be accompanied by the unavailability or a loss of normal feedwater and therefore require operation of the AFS are:

a) Loss of main feedwater with offsite power available
b) Loss of main feedwater without offsite power available (station blackout)
c) Feedline rupture
d) Steamline rupture
e) Control Room evacuation
f) Loss of all AC power
g) Loss of coolant accident (LOCA)

The causes and analyses of the above events are discussed in Chapter 15. The flow requirements for the Auxiliary Feedwater System were established based on these analyses, as well as upon the cooldown operations following these events. The auxiliary feedwater flow rates required to provide adequate protection for the core and to assure an emergency cooldown have been established by Westinghouse and are as follows: 1) 380 gpm for all of the above events except 2) 500 gpm for loss of normal feedwater. The reason for this difference is the application of more stringent and conservative acceptance criteria for Condition II events (e.g. loss of normal feedwater) than for Condition IV events (feedline rupture). The auxiliary feed pumps are capable of supplying to the steam generators 400 gpm each from the two motor driven pumps and 800 gpm from the turbine driven pump. Thus for Condition IV events, the AFS has the capability of supplying 200% of the required flow even with a failure of the largest pump.

* Further information contained in the TMI appendix.

For a transient or accident condition, the minimum flow is delivered to at least two effective steam generators within one minute of the automatic auxiliary feedwater actuation signal. After any transient or accident, the system is capable of maintaining the required flow for a period of time (at least two hours) sufficient to attain stable zero load hot standby conditions. In addition, the Auxiliary Feedwater System provides sufficient flow (380 gpm minimum) to cool the plant from zero load hot standby conditions down to a reactor coolant hot leg temperature of 350F, where the Residual Heat Removal System is operated. The 350F RHR initiation temperature corresponds to a steam generator pressure of 125 psia with a reactor coolant pump operating or 100 psia if only natural circulation exists in the Reactor Coolant System.

Although the Auxiliary Feedwater System functions as an emergency system, it also serves as an alternate feedwater system during hot standby and cooldown operations whenever conditions are such that shutting down the Feedwater System is advantageous. The Auxiliary Feedwater System will also be used to adjust steam generator water levels prior to and during plant start-up and to establish and maintain wet layup conditions in the steam generators.

Components and piping of the AFS from and including the containment isolation valves to the steam generator nozzle are designed and fabricated in accordance with the requirements of ASME III, Class 2. Other AFS components and piping are designed and fabricated in accordance with ASME III, Class 3 requirements.

Section 10.4.9.3 contains additional information on safety-related design bases.

10.4.9.2 System Description

10.4.9.2.1 General Information

The Auxiliary Feedwater System flow diagram is shown on Figure 10.1.0-3, 10.1.0-4, and 9.2.1-1 and the performance characteristics of its principal components are summarized in Table 10.4.9-1.

The Auxiliary Feedwater System (AFS) consists of two motor driven pumps and one turbine driven pump with associated valves, piping, controls, and instrumentation. The system components are located in the Reactor Auxiliary Building in the engineered safety feature systems area with the exception of the condensate storage tank (CST), which is located in the Tank Building, and the supply piping to the steam generator which is located in the Containment Building.

10.4.9.2.2 Flow Path

The motor driven and turbine driven auxiliary feedwater pumps normally take suction from the condensate storage tank (CST) via a common supply line. The CST is sized to maintain a minimum inventory of 240,000 gallons plus sufficient margin for normal condensate system makeup and surges. The design basis for sizing the condensate storage tank is described in Section 9.2.6. Tank makeup water is supplied from the demineralized water storage tank through the demineralized water transfer pumps.

The auxiliary feedwater pumps can also be remote manually aligned to take suction from the Emergency Service Water System, in the event of a loss of the CST. (See Sections 9.2.1 and 9.2.5). There are two isolation valves for each connection between the AFS and service water. This prevents inadvertent leakage contamination of the auxiliary feedwater by impurities in the service water.

The motor driven pumps discharge into a common header which supplies three independent lines, one for each steam generator. Each of these supply lines contains check valves, motor operated isolation valves, and flow control valves as described below. The turbine driven pump supplies three additional lines, one for each steam generator. Each of these supply lines also contains check valves, motor operated isolation valves, and flow control valves. This arrangement thus provides two independent and diverse sources of feedwater, a motor driven train, and a turbine driven train. A single failure in either train will not affect the other.

The motor driven supply and the turbine driven supply for each steam generator are connected together, and a common line with flow element carries the water through the steam and feedwater pipe tunnel into Containment and connects to the auxiliary feedwater nozzle on the steam generator. Blockage of one of these common supply lines will not affect flow in the lines to the other two steam generators since these lines are independent. A ruptured supply line will be automatically isolated as a feedline rupture casualty described below.

10.4.9.2.3 Component Description

The motor driven auxiliary feedwater pumps are powered from the redundant emergency busses A and B. In the event of loss of the normal power source, power is supplied by the emergency diesel generators associated with these power busses. The motor driven auxiliary feedwater pumps are protected against excessive runout at low steam generator pressure by an electro-hydraulically operated pressure control valve in the discharge line from each pump. These valves maintain pump discharge pressure above a pre-set minimum value.

The steam turbine driven auxiliary feedwater pump is powered by a single stage, solid wheel, non-condensing, horizontal split casing steam turbine which discharges to the atmosphere. It is designed for start-up from a cold condition, and will operate with steam generator pressures ranging from 1200 psig to 105 psig.

Steam for the auxiliary feedwater pump turbine is supplied from two steam generators and taken from the main steam lines upstream of the main steam isolation valves. The turbine steam supply valves are DC motor operated valves powered from the redundant vital DC busses. A check valve located downstream of each steam supply valve will prevent loss of steam to the turbine drive in the event of a steam line break.

The steam supply valves are normally closed and will receive a signal to open at the same time the turbine actuation signal is initiated. The turbine trip and throttle (T and T) valve is normally open. The turbine T and T valve requires solenoid actuation to allow a spring to close it. The solenoid is actuated by redundant overspeed trips; one mechanical and one electrical. The power supply for the trip solenoid is 125V DC, thereby maintaining only DC powered control for the steam driven pump. To allow remote opening of the turbine T and T valve, a DC motor operator is provided.

The auxiliary feed-pump turbine is equipped with an electronic speed controller powered from a safety grade DC supply. This controller adjusts pump speed and therefore discharge pressure by opening or closing the turbine governor valve.

Each steam generator auxiliary feedwater supply line from the motor driven auxiliary feedwater pump discharge header contains a Safety Class 2 motor operated auxiliary feedwater isolation valve in series with a Safety Class 3 electro-hydraulic operated flow control valve. Each valve on each steam generator auxiliary feedwater supply line is powered from redundant vital AC power trains. Each turbine driven pump steam generator supply line contains a Safety Class 2 normally open DC powered motor operated auxiliary feedwater isolation valve in series with a Safety Class 3 electro-hydraulic DC operated flow control valve. Thus, loss of all AC power will not affect the capability of the turbine driven pump to supply water to the steam generators.

10.4.9.2.4 System Operations

The AFS is not normally operating except during cooldown, hot standby, or testing as described previously. It is lined up for automatic starting on any of the following signals:

(a) Motor driven pumps:
    1) Safety injection
    2) Lo-Lo level in one steam generator
    3) Loss of both main feedwater pumps
    4) Loss of off-site power

(b) Turbine driven pumps
    1) Lo-Lo level in two steam generators
    2) Loss of off-site power

The AFS can also be started manually from the main control board (MCB) and from the auxiliary control panel (ACP). It is shut down manually.

The flow rate to each steam generator may be controlled manually from the MCB or ACP by modulating the appropriate flow control valves in the turbine and motor driven supply lines.

10.4.9.3 Safety Evaluation

The AFS is capable of withstanding the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, and floods (see Chapter 3). In addition, all components of the AFS except the CST are located within the Reactor Auxiliary Building and the Containment Building, which provide protection against the effects of externally generated missiles. The CST is classified Safety Class 3, Seismic Category I. A concrete enclosure protects the tank from tornado, hurricane and missile damage. Components of the AFS located within the Reactor Auxiliary Building and Containment Building are protected against the effects of internally generated missiles by separation and enclosures, see Section 3.5.1. All components of the AFS are protected against the dynamic effects associated with high and moderate energy piping failures as described in Sections 3.6.1 and 3.6.2. The AFS has been designed to operate in the environment resulting during normal and accident plant conditions as described in Section 3.11.

The Auxiliary Feedwater System is capable of performing its intended safety function despite the single failure of any component. See Table 10.4.9-2 for a summary of the failure mode and effects analysis for the AFS.

The system is designed with adequate provisions to manually initiate the protective actions of the system from the auxiliary control panel in the event the Control Room must be evacuated.

During normal power operation, pipe rupture in the main feedwater, high pressure portion of auxiliary feedwater (the high pressure portion of the AFS during normal power operation starts with the check valves adjacent to the auxiliary feed isolation valves and goes to t!.a steam generator nozzle), or Main Steam Supply System would be the most severe piping failure with respect to AFS performance requirements. These failures would result in a turbine and reactor trip; therefore, off-site power is assumed unavailable in accordance , with Branch Technical Position APCSB 3-1. Even with an assumed single active failure, the AFS would have more than adequate capacity to supply the required 380 gpm flow. l In the event of a steam line or main feedwater pipe break, the system util automatically terminate auxiliary feedwater flow to the affected steam l generator and is designed to assure that the minimum required flow race is l directed to the unaf fected steam generators. Each supply line from the AFS l motor driven pump discharge header is provided with a normally open, motor

                                                      ~

operated, AC powered, isolation valve connected to the B-train ESF bus. In addition, an AC powered electro-hydraulic operated flow control valve l connected to the A-train ESF bus is provided in series with the isolation valve. This arrangement provides adequate redundancy for isolation of a faulted SC in the event of a single active failure of either valve. Similarly, each supply line from the AFS turbine driven pump header is provided with a normally open motor operated AC powered isolation valve connected to the A-train ESF bus. A DC powered electro-hydraulic operated l flow control valve is provided in series with the isolation valve and is powered through the B-train DC battery system. Thus, sufficient redundancy and power supply diversity is afforded in order to assure isolation of a faulted steam generator. Physical and electrical separation are maintained throughout the pump control, control signals, electrical power supplies, steam suppites and instrumentation essential for operation of each auxiliary feedwater pump. The motor driven AFS pumps are powered from the ESF electrical AC power distribution system, (Section 8.3.1). The controls associated with the turbine driven AFS pump are powered by the safety related 125 volt DC bus. The DC bus receives power 10.4.9-5

A-6 from both its own batteries and battery charger associated with the corresponding ESF electrical AC distribution division. See Section 8.3.2 for a description of the design basis for the on-site DC power system. Water han=er in the AFS is minimized by designing the system to remain full of water. The suction piping to the AFW pumps and part of the discharge piping are always under a positive head of water due to the higher elevation of the CST. The remainder of the discharge piping is pressurized to steam generator pressure. Void formation in the vicinity of the steam generator auxiliary feed nozzle during power operation is prevented by the tempering flow from the Feedwater System (Section 10.4.7). In addition, the AFS will be monitored for water hammer during the initial test program as described in , Section 3.9.2.1. I 10.4.9.4 Inspection and Testing Requirements The Auxiliary Feedwater System will undergo preoperational and start-up tests as described in Section 14.2.12. It will be verified that the system is not susceptible to hydraulic instabilities as part of the dynamic effects testing described in Section 3.9.2.1. Feriodic tests as required by the Technical Specifications, Section 16.2, will be performed. In-service inspection will be carried out in accordance with Section 6.6, and the pump and valve testing requirements of Section 3.9.6 will apply. 10.4.9.5 Instrumentation Requirements The following parameters will be displayed on the auxiliary control panel and on the main control board to provide the operator with sufficient information to monitor and operate the system. 
a) Condensate storage tank level
b) Motor driven auxiliary feedwater pump discharge pressure
c) Turbine driven auxiliary feedwater pump discharge pressure
d) Auxiliary feedwater flow to each steam generator
e) Auxiliary feedwater pump status
f) Auxiliary feedwater pump turbine speed and steam inlet pressure
g) Auxiliary feedwater regulating valve position
h) Auxiliary feedwater isolation valve position
i) DC motor operated steam isolation valve position
j) Service water supply to AFS valve position.

A detailed discussion of ESF instrumentation and controls is given in Section 7.3.

TABLE 10.4.9-1
AUXILIARY FEEDWATER DESIGN PARAMETERS

1) Auxiliary Feedwater Pumps
   Quantity                    3
   Driver                      1 Turbine, 2 Motor
   Capacity (gpm each)         900 (turbine driven pump) (1)
                               450 (motor driven pumps) (2)
   TDH, psig                   1265
   SG Pressure, psig           1205 (3)
   Pumping Temperature, °F     32-125
   Code                        ASME Section III Class 3
   Seismic                     Category I

2) Piping and Valves
   Code                        ASME Section III Class 2 & 3
   Seismic                     Category I

3) Condensate Storage Tank
   Capacity, gal.              415,000
   Minimum capacity, gal.      240,000
   Design Pressure             Atmospheric
   Code                        ASME Section III Class 3
   Seismic                     I

4) Time to deliver full flow to at least two steam generators upon receipt of an actuation signal without normal offsite and onsite power available (in sec)
                               60

NOTES:
(1) Includes 100 gpm recirculation flow.
(2) Includes 50 gpm recirculation.
(3) Lowest safety valve setting plus 3 accumulation.

TABLE 10.4.9-2
FAILURE MODE AND EFFECTS ANALYSIS
AUXILIARY FEEDWATER SYSTEM

| No. | Name | Failure Mode | Cause | Effects | Method of Detection | Inherent Compensating Provision |
|---|---|---|---|---|---|---|
| 1 | Motor-driven AFS pump | Fails to start | Diesel Generator fails to start | Loss of flow from this pump | Low pressure indication from AFS pump discharge | Redundant turbine driven AFS pump |
| 2 | Turbine-driven AFS pump | Fails to start | DC Power System Failure | Loss of flow from this pump | Low pressure indication from AFS pump discharge | Redundant motor driven AFS pumps |
| 3a | AFS isolation valves to faulted SG | Fails to close | Control failure or loss of power | None | Valve position | Automatic closure of AFS flow control valve |
| 3b | AFS isolation valves to intact SG | Fails closed | Control failure | Temporary loss of flow from corresponding pump | Low flow indication and valve position | Redundant flow provided from other pumps; valve may be manually opened to reestablish flow |
| 4a | AFS flow control valve to faulted SG | Fails to close | Control failure or loss of power | None | Valve position | Automatic closure of AFS isolation valve |
| 4b | AFS flow control valve to intact SG | Fails closed | Control failure | Temporary loss of flow from corresponding pump | Low flow indication and valve position | Redundant flow provided from other pumps; valve may be manually opened to reestablish flow |
| 5a | AFS pressure control valve | Fails open | Control failure or mechanical binding | Excessive pump runout when system is shutting down, causing trip of motor. | Valve position, low discharge pressure. | Redundant pumps |
| 5b | AFS pressure control valve | Fails closed | Control failure or mechanical binding | Loss of flow | Valve position, high discharge pressure. | Redundant pumps |

APPENDIX B: SHNPP FSAR Technical Specifications "Auxiliary Feedwater System and Condensate Storage Tank"

PLANT SYSTEMS

AUXILIARY FEEDWATER SYSTEM

LIMITING CONDITION FOR OPERATION

3.7.1.2 At least three independent steam generator auxiliary feedwater pumps and associated flow paths shall be OPERABLE with:

a. Two feedwater pumps, each capable of being powered from separate emergency busses, and
b. One feedwater pump capable of being powered from an OPERABLE steam supply system.

APPLICABILITY: MODES 1, 2 and 3.

ACTION:

With one auxiliary feedwater pump inoperable, restore at least three auxiliary feedwater pumps (two capable of being powered from separate emergency busses and one capable of being powered by an OPERABLE steam supply system) to OPERABLE status within 72 hours or be in at least HOT STANDBY within the next 6 hours and in HOT SHUTDOWN within the following 6 hours.

SURVEILLANCE REQUIREMENTS

4.7.1.2 Each auxiliary feedwater pump shall be demonstrated OPERABLE:

a. At least once per 31 days by:

1. Verifying that each motor driven pump develops a discharge pressure of greater than or equal to Later psig at a flow of greater than or equal to Later gpm.

2. Verifying that the steam turbine driven pump develops a discharge pressure of greater than or equal to Later psig at a flow of greater than or equal to Later gpm when the secondary steam supply pressure is greater than Later psig. The provisions of Specification 4.0.4 are not applicable for entry into MODE 3.
3. Verifying that each non-automatic valve in the flow path that is not locked, sealed, or otherwise secured in position, is in its correct position.
3/4 7-4 SHNPP UNIT 1

SURVEILLANCE REQUIREMENTS (Continued)

4. Verifying that each automatic valve in the flow path is in the fully open position whenever the auxiliary feedwater system is placed in automatic control or when above 10 percent RATED THERMAL POWER.

b. At least once per 18 months during shutdown by:
1. Verifying that each automatic valve in the flow path actuates to its correct position on a faulted steam generator isolation test signal.
2. Verifying that each auxiliary feedwater pump starts automatically upon receipt of the following simulated test signals.
a. Motor driven pumps
1) Steam Generator Water Level-low, low, or
2) Safety Injection
b. Turbine Driven Pump
1) Steam Generator Water Level-low, low (2 Steam Generators)

PLANT SYSTEMS

CONDENSATE STORAGE TANK

LIMITING CONDITION FOR OPERATION

3.7.1.3 The condensate storage tank (CST) shall be OPERABLE with a minimum contained volume of 240,000 gallons of water.

APPLICABILITY: MODES 1, 2 and 3.

ACTION:

With the condensate storage tank inoperable, within 4 hours either:

a. Restore the CST to OPERABLE status or be in at least HOT STANDBY within the next 6 hours and in HOT SHUTDOWN within the following 6 hours, or
b. Demonstrate the OPERABILITY of the ultimate heat sink via the Essential Service Water System as a backup supply to the auxiliary feedwater pumps and restore the condensate storage tank to OPERABLE status within 7 days or be in at least HOT STANDBY within the next 6 hours and in HOT SHUTDOWN within the following 6 hours.

SURVEILLANCE REQUIREMENTS

4.7.1.3.1 The condensate storage tank shall be demonstrated OPERABLE at least once per 12 hours by verifying the contained water volume is within its limits when the tank is the supply source for the auxiliary feedwater pumps.

4.7.1.3.2 The ultimate heat sink via the Essential Service Water System shall be demonstrated OPERABLE at least once per 12 hours by opening the valves that supply service water to the auxiliary feedwater pump suction and verifying Essential Service Water header pressure whenever the service water system is the supply source for the auxiliary feedwater pumps.

PLANT SYSTEMS

ACTIVITY

LIMITING CONDITION FOR OPERATION

3.7.1.4 The specific activity of the secondary coolant system shall be less than or equal to 0.10 microcuries/gram DOSE EQUIVALENT I-131.

APPLICABILITY: MODES 1, 2, 3, and 4.

ACTION:

With the specific activity of the secondary coolant system greater than 0.10 microcuries/gram DOSE EQUIVALENT I-131, be in at least HOT STANDBY within 6 hours and in COLD SHUTDOWN within the following 30 hours.

SURVEILLANCE REQUIREMENTS

4.7.1.4 The specific activity of the secondary coolant system shall be determined to be within the limit by performance of the sampling and analysis program of Table 4.7-1.

APPENDIX C: "NRC-Supplied Data for Purposes of Conducting A Comparative Assessment of Existing AFWS Designs and Their Potential Reliabilities"

I. Component (Hardware) Failure Data

                                                Point Value Estimate of
                                                Probability of* Failure on Demand
a. Valves:
   Manual Valves (Plugged)                      ~1 x 10^-4
   Check Valves                                 ~1 x 10^-4
   Motor-Operated Valves
   - Mechanical Components                      ~1 x 10^-3
   - Plugging Contribution                      ~1 x 10^-4
   - Control Circuit (Local to Valve)
       w/Quarterly Tests                        6 x 10^-3
       w/Monthly Tests                          ~2 x 10^-3

b. Pumps: (1 Pump)
   Mechanical Components                        ~1 x 10^-3
   Control Circuit
   - w/Quarterly Tests                          7 x 10^-3
   - w/Monthly Tests                            [illegible] x 10^-3

c. Actuation Logic                              ~7 x 10^-3

*Error factors of 2-10 (up and down) about such values are not unexpected for basic data uncertainties.

II. Test and Maintenance Outage Contributions:

a. Calculational Approach

   1. Test Outage

      Q_TEST = (hrs/test)(tests/year) / (hrs/year)

   2. Maintenance Outage

      Q_MAINT = (0.22)(hrs/maint. act) / 720

b. Data Tables for Test and Maint. Outages

SUMMARY OF TEST ACT DURATION

| Component | Calculated Range on Test Act Duration Time, hr | Mean Test Act Duration Time, t_D, hr |
|---|---|---|
| Pumps | 0.25 - [illegible] | 1.4 |
| Valves | 0.25 - 2 | 0.26 |
| Diesels | 0.25 - 4 | 1.4 |
| Instrumentation | 0.25 - 4 | 1.4 |

LOG-NORMAL MODELED MAINTENANCE ACT DURATION

| Component | Calculated Range on Maintenance Act Duration Time, hr | Mean Maintenance Act Duration Time, t_D, hr |
|---|---|---|
| Pumps | 1/2 - 24 | 7 |
| | 1/2 - 72 | 19 |
| Valves | 1/2 - 24 | 7 |
| Diesels | 2 - 72 | 21 |
| Instrumentation | 1/2 - 24 | 6 |

Note: These data tables were taken from the Reactor Safety Study (WASH-1400) for purposes of this AFW system assessment. Where the plant technical specifications placed limits on the outage duration(s) allowed for AFW system trains, this tech spec limit was used to estimate the mean duration times for maintenance. In general, it was found that the outages allowed for maintenance dominated those contributions to AFW system unavailability from outages due to testing.

III. Human Acts & Errors - Failure Data:

Estimated Human Error/Failure Probabilities: Modifying Factors & Situations

a. Acts & Errors of a Pre-Accident Nature

| Act or error | With valve position indication in control room: point value est. | Est. on error factor | With local walk-around & double check procedures: point value est. | Est. on error factor | W/O either: point value est. | Est. on error factor |
|---|---|---|---|---|---|---|
| 1. Valves mispositioned during test/maint. | | | | | | |
| (a) Specific single valve wrongly selected out of a population of valves during conduct of a test or maintenance act (X = no. of valves in population at choice) | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] | [illegible] |
| (b) Inadvertently leaves correct valve in wrong position | 5 x 10^-4 | 20 | 5 x 10^-3 | 10 | 10^-2 | 10 |
| 2. More than one valve is affected (coupled errors) | 1 x 10^-4 | 20 | 1 x 10^-3 | 10 | 3 x 10^-3 | 10 |
| 3. Miscalibration of sensors/electrical relays | | | | | | |
| (a) One sensor/relay affected | - | - | 5 x 10^-3 | 10 | 10^-2 | 10 |
| (b) More than one sensor/relay affected | - | - | 1 x 10^-3 | 10 | 3 x 10^-3 | 10 |

b. Acts & Errors of a Post-Accident Nature

1. Manual actuation of AFW system from control room

| Situation | Time actuation needed | Estimated failure prob. for primary operator to actuate AFWS | Estimated failure prob. of other (backup) control rm. operator to actuate AFWS | Overall estimate of failure probability | Estimated error factor on overall probability |
|---|---|---|---|---|---|
| (a) Considering "Dedicated" operator to actuate AFW system and possible backup actuation of AFWS | 5 min. | 2 x 10^-3 | - | [illegible] | 10 |
| | 15 min. | [illegible] | 0.5 (mod. dep.) | [illegible] | 10 |
| | 10 min. | [illegible] | .25 (low dep.) | [illegible] | 10 |
| (b) Considering "Non-Dedicated" operator to actuate AFW system and possible backup actuation of AFW system | 5 min. | [illegible] | - | [illegible] | 10 |
| | 15 min. | [illegible] | 0.5 (mod. dep.) | [illegible] | 10 |
| | 30 min. | [illegible] | .25 (low dep.) | [illegible] | 10 |

NRC FORM 335, U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET

Report number: NUREG/CR-4311, BNL-NUREG-51902
Title and subtitle: Review of the Shearon Harris Unit 1 Auxiliary Feedwater System Reliability Analysis
Authors: A. Fresco, R. Youngblood, and I. A. Papazoglou
Date report completed: August 1985
Date report issued: February 1986
Performing organization: Brookhaven National Laboratory, Upton, New York 11973
FIN number: A-3702
Sponsoring organization: Division of Safety Technology, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555
Type of report: Final

Abstract:

This report presents the results of a review of the Auxiliary Feedwater System Reliability Analysis for the Shearon Harris Nuclear Power Plant (SHNPP) Unit 1. The objective of this report is to estimate the probability that the Auxiliary Feedwater System will fail to perform its mission for each of three different initiators: (1) loss of main feedwater with offsite power available, (2) loss of offsite power, (3) loss of all ac power except vital instrumentation and control 125-V dc/120-V ac power. The scope, methodology, and failure data are prescribed by NUREG-0611, Appendix III. The results are compared with those obtained in NUREG-0611 for other Westinghouse plants.

Key words/descriptors: Reliability Analysis; NUREG-0611; Auxiliary Feedwater Systems; Pump and Valve Failure Rates; Shearon Harris Nuclear Power Plant Unit 1
Availability statement: Unlimited
Security classification: Unclassified

}}
l \ . . . . . _ _ _ _ _ _ _ - - _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _}}