ML20236E225


PRA Application Program for Inspection at Oconee Unit 3
ML20236E225
Person / Time
Site: Oconee (Duke Energy)
Issue date: 10/31/1987
From: Gore B, Harris M, Vo T
Battelle Memorial Institute, Pacific Northwest Laboratory
To: NRC Office of Inspection & Enforcement (IE Region I)
References
CON-FIN-B-2602, NUREG-CR-5006, PNL-6291, TAC-M66591, NUDOCS 8710290130


Text

NUREG/CR-5006

PRA Applications Program for Inspection at Oconee Unit 3

Prepared by B. F. Gore, T. V. Vo, M. S. Harris
Pacific Northwest Laboratory

Prepared for U.S. Nuclear Regulatory Commission

NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555

2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082

3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Information Support Services, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

NUREG/CR-5006
PRA Applications Program for Inspection at Oconee Unit 3

Date Published: October 1987

B. F. Gore, T. V. Vo, M. S. Harris
Pacific Northwest Laboratory
Richland, WA 99352

Prepared for
Division of Reactor Projects, Region I
U.S. Nuclear Regulatory Commission
King of Prussia, PA 19406
NRC FIN B2602

SUMMARY

The Probabilistic Risk Assessment (PRA) Applications Program for inspection at Oconee Unit 3 was performed for the NRC at Pacific Northwest Laboratory, operated by Battelle Memorial Institute for the U.S. Department of Energy.

This program applies a previously developed methodology to identify and present risk-based information which is useful for the planning and performance of power plant inspections.

The extensive PRA for Oconee-3 performed by the Electric Power Research Institute (EPRI) (Sugnet et al. 1984) has been analyzed to identify plant systems and components important to minimizing public risk. This information has been tabulated and correlated with inspection modules from the NRC Inspection and Enforcement (IE) Manual (NRC 1984) which are used by inspectors in the planning and performance of inspections. The body of this report consists of a series of tables, organized by system and prioritized by importance to public risk, which identify components associated with 98% of the inspectable public risk due to plant operation.

Following a section describing important accident initiators and sequences identified in the PRA, tabulations are presented for eight systems ordered according to risk importance. Three tables are presented for each system. The first identifies the failure modes by which each component contributes to risk. The second correlates each component with the IE inspection modules most related to ensuring component reliability. The third provides a modified system check-off list identifying the proper line-up of each component during normal operation.

The tabulations were developed by the following analysis procedure. First, the plant systems were ordered according to their importance to public risk. To accomplish this, the dominant cut sets representing more than 98% of the core melt probability were listed. Plant damage, containment failure and radioisotope release probabilities from the PRA were used to assign a risk value (man-rem per year) to each cut set. Systems were then ordered according to risk by calculating the fraction of the total plant risk attributed to cut sets involving failures of components from each system [this is the Fussell-Vesely Importance measure (Henley 1981)]. Systems were then selected from the ordered list until more than 98% of the risk importance was accounted for. Second, for each selected system, the fault tree from the PRA was reanalyzed to rank system components according to their importance to system failure. For each system, components were selected for inclusion in the tabulations until more than 95% of the system failure probability had been addressed, with an even higher proportion included for the more important systems.

The tables thus present, in decreasing order of system risk importance, the failure modes, applicable inspection modules, and a check-off list of operational states for all components associated with 98% of the inspectable risk associated with plant operation. This information allows an inspector to readily identify risk-important systems and components when developing an inspection plan, and when walking down systems in the plant.

The information presented in this document allows an inspector to concentrate his efforts on risk-important systems. However, it is essential that inspections not focus exclusively on these systems. Other systems which perform essential safety functions, but are absent from the tables because of high reliability and redundancy, must also be addressed to ensure that their risk importance is not increased by allowing their reliability to decrease through lack of inspection and attention. A balanced inspection program is essential. This information represents but one of the many tools to be used by experienced inspectors.

ACKNOWLEDGEMENTS

Thanks are extended to Bill Sugnet of EPRI, project manager of the Oconee-3 PRA, for many discussions during the performance of this analysis. His confirmation of our interpretations of the link between core melt cut sets and the associated public risk (following containment failure by various modes, with various radioisotope release fractions) greatly improves our confidence in the correctness of our results. Thanks are also extended to our Project Manager from NRC Region I, Bernie Hillman, for inviting us to join the ongoing program to which this analysis contributes. We also wish to thank our colleagues at Brookhaven National Laboratory and the Idaho National Engineering Laboratory for many discussions. In particular, we thank Ron Wright of INEL for providing us with a version of the IRRAS computer code specially adapted for use on an IBM PC.

CONTENTS

SUMMARY
ACKNOWLEDGEMENTS
1.0 INTRODUCTION
2.0 ANALYSIS OF THE OCONEE-3 PRA
2.1 CALCULATION OF SYSTEM IMPORTANCES
2.2 CALCULATION OF COMPONENT IMPORTANCES
2.3 PREPARATION OF TABLES
2.4 CONCLUSIONS AND RECOMMENDATIONS
3.0 IMPORTANT ACCIDENT INITIATORS AND SEQUENCES
3.1 LOSS OF LOW-PRESSURE SERVICE WATER
3.2 FEEDWATER LINE BREAK
3.3 LOSS OF INSTRUMENT AIR
3.4 LOSS OF OFFSITE POWER (LOP)
3.5 TURBINE OR REACTOR TRIP
3.6 LOSS OF MAIN FEEDWATER
3.7 LARGE LOCA
3.8 SMALL BREAK LOCA
3.9 REACTOR VESSEL RUPTURE
3.10 TRANSIENTS WITHOUT SCRAM (ATWS)
3.11 STEAM GENERATOR TUBE RUPTURE
3.12 INTERFACING SYSTEM LOCA
3.13 TURBINE BUILDING FLOODS
4.0 SYSTEM INSPECTION PLANS
4.1 REACTOR BUILDING SPRAY SYSTEM
4.2 REACTOR BUILDING COOLING SYSTEM
4.3 CONDENSER CIRCULATING WATER SYSTEM
4.4 SAFETY RELIEF VALVE SYSTEM
4.5 LOW-PRESSURE INJECTION SYSTEM
4.6 STANDBY SHUTDOWN FACILITY - HIGH-PRESSURE INJECTION SYSTEM
4.7 LOW-PRESSURE SERVICE WATER SYSTEM
4.8 EMERGENCY FEEDWATER SYSTEM
REFERENCES

TABLES

3.1 Initiating Event Categories
4.1A Reactor Building Spray System Failure Mode Identification
4.1B IE Modules for Reactor Building Spray System Inspection
4.1C Modified Reactor Building Spray System Walkdown
4.2A Reactor Building Cooling System Failure Mode Identification
4.2B IE Modules for Reactor Building Cooling System Inspection
4.2C Reactor Building Cooling System Walkdown
4.3A Condenser Circulating Water System Failure Mode Identification
4.3B IE Modules for Condenser Circulating Water System Inspection
4.3C Modified Condenser Circulating Water System Walkdown
4.4A Safety Relief Valve System Failure Mode Identification
4.4B IE Modules for Safety Relief Valve System Inspection
4.4C Modified Safety Relief Valve System Walkdown
4.5A Low-Pressure Injection System Failure Mode Identification
4.5B IE Modules for Low-Pressure Injection System Inspection
4.5C Modified Low-Pressure Injection System Walkdown
4.6A Standby Shutdown Facility - High-Pressure Injection System Failure Mode Identification
4.6B IE Modules for Standby Shutdown Facility - High-Pressure Injection System Inspection
4.6C Modified Standby Shutdown Facility - High-Pressure Injection System Walkdown
4.7A Low-Pressure Service Water System Failure Mode Identification
4.7B IE Modules for Low-Pressure Service Water System Inspection
4.7C Modified Low-Pressure Service Water System Walkdown
4.8A Emergency Feedwater System Failure Mode Identification
4.8B IE Modules for Emergency Feedwater System Inspection
4.8C Modified Emergency Feedwater System Walkdown

1.0 INTRODUCTION

This work was performed for the U.S. Nuclear Regulatory Commission (NRC) as part of an extensive program to develop PRA-based information for use in the planning and performance of nuclear power plant inspections. Due to the broad scope of this program, project work has been divided among three national laboratories, each of which concentrates upon a particular reactor type. Thus, the Brookhaven National Laboratory analyzes BWR plants and the Idaho National Engineering Laboratory analyzes Westinghouse PWRs. Pacific Northwest Laboratory analyzes PWRs from both Babcock and Wilcox and Combustion Engineering, due to the smaller number of plants from these vendors.

In this particular project, information from the extensive Oconee-3 PRA performed by EPRI (Sugnet et al. 1984) has been used to identify plant systems and components important to minimizing public risk, and to identify failure modes for these components. This information has been tabulated and correlated with inspection modules from the NRC Inspection and Enforcement (IE) Manual (NRC 1984) which are used by inspectors in the planning and performance of inspections. The body of this report consists of a series of tables, organized by system and prioritized by importance to public risk, which identify components associated with 98% of the inspectable risk due to plant operation (external events including earthquakes, tornadoes, fires, and floods are not included in the analysis).

Previous studies in this program (Hinton 1986, Higgins 1986) have addressed how PRA-based information may be best incorporated into inspection planning, performance and evaluation. The conclusion of this previous work was that the existing IE Manual provides a logical and effective framework for inspection planning. This manual contains an extensive sequence of inspection procedures, or modules, addressing functional areas such as calibration, surveillance, maintenance, Emergency Safeguards Function (ESF) system walkdown, etc. It also contains a methodology for selecting the inspection modules to be performed, plus guidance on the frequency at which modules should be performed.

It was concluded that this manual should be retained as the general framework for inspection planning. PRA-based information, which is necessarily plant specific, should be provided for each plant. This information should then be used in the inspection planning process, to help focus on areas where public risk is most sensitive to performance degradation.

The NRC program is, therefore, directed toward the preparation of a series of plant-specific appendices to the IE Manual, each of which contains plant-specific information of similar safety significance. These appendices are structured according to a common format. Each appendix begins with a description of accident initiators and sequences important at the plant. This is followed by a listing of plant systems associated with 98% of the inspectable plant risk, which is ordered according to the importance of each system to public risk. For each system addressed, the components associated with 95% of the probability of system failure are identified and ranked according to importance. Three tables are presented for each system. The first identifies the failure modes by which each component contributes to risk. The second correlates each component with the IE inspection modules most related to ensuring component reliability. The third provides a modified system check-off list identifying the proper line-up of each component during normal operation.

The body of this report presents the plant-specific appendix developed for the Oconee-3 plant. It follows the format described above.

PRAs have been performed for less than one quarter of the nation's nuclear plants. Consequently, a significant aspect of the NRC program addresses the development of generic insights which may be utilized to guide inspection planning for plants without a PRA. As plant-specific appendices are developed, the information is reviewed to identify dominant generic contributors to risk, including initiating events, accident sequences, important systems and components, component failure modes, significant human errors, and common cause failures.

The compilation of generic insights resulting from the analysis of PRAs identifies systems and components which may have risk importance at other plants. For application to a specific site, plant-specific information must be used to evaluate the relevance and applicability of the generic insights. For instance, important functions may be performed by different systems at different plants. Or, systems may be either more vulnerable (single failure dependencies) or less vulnerable (redundancies) at different plants. PNL has performed an analysis of the Rancho Seco plant (no PRA) using the results of PRAs for the ANO-1 and Oconee-3 plants, plus a detailed comparison of system designs at the three plants (Gore and Huenefeld 1987). EG&G and Brookhaven are performing similar studies using generic insights and plant-specific information to address plants for which PRAs have been performed (Higgins et al. 1987). Future comparison of results from those studies with results obtained from analyzing the plant-specific PRAs will provide an indication of how effective this approach is in identifying important systems and components.

As was stated above, this document presents the results of a detailed analysis of the most recent PRA performed for the Oconee-3 plant. Generic applications are not addressed herein. The analysis approach is discussed in Section 2.0. The results of the analysis are presented in Sections 3.0 and 4.0, according to the above-described format for plant-specific appendices to the IE Manual.


2.0 ANALYSIS OF THE OCONEE-3 PRA

The analysis consisted of three major steps to produce the tables presented at the end of this document. The first step was the calculation of risk importance for each system from information in the PRA. This was used to select systems to be analyzed for component importances. The second step was the reanalysis of system fault trees from the PRA to calculate component importances. The third step was the correlation of components with failure modes, and with inspection modules relevant to maintaining component reliability. These steps are discussed below.

2.1 CALCULATION OF SYSTEM IMPORTANCES

The selection of systems for detailed fault tree analysis required that they be ranked according to an appropriate measure of risk. The Oconee-3 PRA is a level 3 PRA; it addresses the probabilities of core melt, of subsequent containment failure, and of radionuclide releases and subsequent radiation doses to the public. Consequently, it was possible to base the determination of system importance on public risk, as measured by the expected annual radiation dose to the public. This is appropriate, since the mission of the NRC is the protection of public health and safety.

The Fussell-Vesely (F-V) Importance measure (Henley 1981) applied to risk was selected to rank system and component importance in this study. It is the fraction of the total risk which results from failures involving the system or component of interest. Thus, high values of F-V Importance identify systems which are the greatest contributors to risk. In addition, the increase in risk due to a given percentage increase in system failure probability is also highest for systems with the highest F-V Importance values. Thus, this measure identifies not only the systems which are the greatest contributors to risk, but also those for which risk is most sensitive to performance degradation. It is therefore the logical measure to use for ranking system importance for inspection attention to ensure that safety performance is maintained.

The analyses in the PRA document address a wide variety of event sequences (cut sets) which may lead to core melt, including both internal and external events. Internal events are those resulting from the failure of systems to function due to equipment or operational failures. External events (including earthquakes, tornadoes, fires and floods) are external to the system boundaries, and can result in common-cause failures of redundant, safety-related equipment.

Our analysis did not address earthquakes, tornadoes, fires or external flooding, for two reasons. First, inspection of system hardware cannot affect the initiation frequency of such events. Second, the probability of subsequent component failures, given occurrence of the initiating event, is altered by damage caused by the event, so that the beneficial results of inspections of system hardware are overcome by the event itself. Our analysis focused on event sequences involving failures associated with the operation and maintenance of system hardware and controls. We have referred to this as inspectable risk, in contrast to risk from external events which inspections cannot effectively protect against.

In addition to internal events involving failures associated with system hardware and operations, our analysis also addressed flooding due to internal events. Specifically, a leak or rupture in the Condenser Circulating Water (CCW) system might release several hundred thousand gallons per minute of water into the basement of the turbine building, which houses many systems of safety significance. Since the PRA-predicted contributions to core melt frequency for these internal flooding events were of the same magnitude as those for other internal events, they were also included in the analysis. It is for this reason that the CCW system, which in most plants is of minimal safety significance, is found high on the list of prioritized systems in this analysis.

The appendices of the Oconee PRA contain an exceptionally complete itemization of cut sets leading to core melt. Cut sets are listed which contribute more than 95% of the core melt probability due to internal events (182 of them), and all of the cut sets leading to turbine building flooding are listed (167 cut sets). Calculation of system F-V importance was therefore possible by summing the risk associated with each cut set which involved system failure, and dividing by total risk. This sounds deceptively simple, yet the analysis was surprisingly complicated, as is explained below.

The PRA event sequences are grouped into six core-melt bins, which are related to general types of event progression and containment response. Examples include large LOCAs (loss of coolant accidents), small LOCAs, and various other transient types. Each of these core melt bins was associated with up to five plant damage bins, which were correlated with containment safeguard states. The probability of radionuclide release for each core melt event thus incorporated the probability of failure of Reactor Building (RB) Spray, RB Cooling and Low Pressure Injection (LPI) cooling, and the timing and sequencing of such failures. Release magnitude and isotopic content were also correlated with event sequencing and system functioning (e.g., fission product entrainment by RB spray, when functioning). Thus, each plant damage bin was correlated with up to six release categories, each of which was subsequently associated with a public risk per unit frequency of occurrence.

Due to the complete documentation of the PRA analysis, it was possible to identify quantitative branching ratios between core melt bins and plant damage bins, and between groupings of cut sets in each plant damage bin. These were obtained from tables in Appendix H of the PRA. Transfer functions tabulated in Chapter 10 were then used to calculate the frequency of releases in the six release categories from the plant damage bin frequencies. Lastly, release consequences listed in Chapter 12 were used to associate consequences to the public, in terms of man-rem per release, with each release category.

Some assumptions were necessary to make assignments to individual cut sets. However, these assumptions were confirmed correct in telephone discussions with W. R. Sugnet, EPRI project manager for the PRA (Sugnet et al. 1984). Ultimately, it was possible to associate a risk (expected dose in man-rem per year) with each cut set. These values of risk were then used in the calculations of system importance.

The system tables are presented in order of calculated system importance. RB Spray and RB Cooling head the list, because containment failure due to failure of one or both of these systems is involved in most radionuclide releases. The system having the next largest risk importance is the Condenser Circulating Water system, the potential source of turbine building flooding, which is involved in almost half of the cut sets. F-V Importance values calculated for these systems all exceed 50%.

Two other systems have particularly large values of F-V Importance, with both exceeding 25%. These are the Safety Relief Valves (SRVs) and the Low Pressure Injection (LPI) system. This is driven by two individual cut sets, each having an anomalously high risk importance of 18%. In one of these cut sets, the containment is bypassed due to a steam generator tube rupture with a stuck-open SRV, whereupon radionuclides are released directly to the environment. LPI is involved because core melt results when suction from the BWST is lost. In the second cut set, a large turbine building flood caused by CCW system failure renders inoperable all feedwater, HPI and LPI, and RB Spray and RB Cooling. This causes core melt, containment failure, and large radioactivity releases.

All other systems have F-V Importances less than 5%. The systems addressed in the tables of Section 4 account for almost 99% of the total F-V Importance (a) of all systems.

(a) The sum of all F-V Importances is greater than 100 percent, as is usually the case, because a cut set involving failures of several systems is counted toward each of those systems.

2.2 CALCULATION OF COMPONENT IMPORTANCES

Construction of the tables presented at the end of this report required the identification of components associated with at least 95% of the system failure probability for each of the systems selected for analysis. This required a reanalysis of the fault trees presented in Appendix A of the PRA document to identify the components most important to system failure. It was not possible to extract information with this degree of detail from the cut sets published in the PRA because, in general, the cut set elements were not basic events. Instead, many contained "module" elements, which combined the effects of several possible failures causing the final result (e.g., failure of a pump, or of its suction or discharge valves located in a single run of piping, any of which would prevent flow through the line).

An effort was made to avoid reanalysis of the system fault trees by using information developed during the original study. The EPRI project manager of the PRA study, W. R. Sugnet, was contacted. However, the EPRI files had been sent to Duke Power Company for use by their risk analysis group. Duke Power was responsive to our request for information, and sent us computer files which they had developed from the EPRI study. Unfortunately, however, it was not possible to assemble the needed information on component availabilities with sufficient completeness, and a reanalysis was deemed necessary.

For systems selected for analysis, the system fault tree published in the PRA was reanalyzed using the Integrated Reliability and Risk Analysis (IRRAS) computer code (Russell 1987) run on an IBM PC. Other analysis methods were used for three systems: Safety Relief Valves (SRVs), CCW and Standby Shutdown Facility - High Pressure Injection (SSF-HPI). Fault tree gates and component reliability data from tables in the PRA appendix were input to the code and processed with an integrated fault tree analysis package. IRRAS identified the dominant minimal cut sets, and quantified the fault trees by ordering cut sets by probability. IRRAS also calculated the F-V Importance both of cut sets and of system component failures. The calculated importance of the component failures was then used to select components for inclusion in the tables. For all systems analyzed, components comprising more than 95% of the total component importance were selected for tabulation, with an even higher proportion included for the more important systems.

Considerable care was required in checking the input information supplied to IRRAS for analysis, because the code version available lacked error-diagnostic capability to check that the input produced a coherent fault tree. Thus, an input error could effectively remove a segment of a tree from analysis. In addition to careful checking of input against the reference fault tree, calculated system and module event failure probabilities were subsequently compared against values published in the PRA. Final values calculated agreed well with published values for all systems.
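As an added worked example (not part of NUREG/CR-5006, and using no Oconee-3 numbers), the following Python carries out both calculations described in Sections 2.1 and 2.2 on small constructed inputs: the assignment of a man-rem-per-year risk to a cut set from hypothetical plant-damage-bin branching ratios, transfer fractions and release consequences; Fussell-Vesely system importance with the 98% selection cutoff; and, standing in for IRRAS, a minimal-cut-set expansion of a two-train fault tree quantified with the rare-event approximation and ranked to the 95% component cutoff. Every system name, basic-event probability and consequence value below is hypothetical.

```python
# Added worked example (not from NUREG/CR-5006): the two importance calculations the
# report describes, run on small constructed inputs.
#   Step 1 (Section 2.1): assign a risk (man-rem/yr) to each core-melt cut set, compute
#            Fussell-Vesely (F-V) importance per system, and select systems in F-V order
#            until more than 98% of total risk is covered.
#   Step 2 (Section 2.2): expand a small fault tree into minimal cut sets, quantify it with
#            the rare-event approximation, and rank basic events by F-V.
# All system names, probabilities and consequence values are hypothetical.
from itertools import product
from math import prod

# --- Step 1a: risk per cut set = frequency x (damage-bin split x transfer x consequence).
# Constructed stand-ins for the PRA's Appendix H branching ratios, Chapter 10 transfer
# functions and Chapter 12 consequences; none of these is an Oconee-3 value.
RELEASE_MANREM = {"R1": 2.0e6, "R2": 5.0e5, "R3": 1.0e4}   # man-rem per release event
TRANSFER = {"PDB1": {"R1": 0.7, "R2": 0.3},                 # plant damage bin ->
            "PDB2": {"R2": 0.5, "R3": 0.5}}                 #   release-category fractions

def cut_set_risk(frequency_per_yr, damage_bin_split):
    """Expected public dose (man-rem/yr) for one core-melt cut set."""
    dose_given_melt = sum(
        share * sum(TRANSFER[pdb][rc] * RELEASE_MANREM[rc] for rc in TRANSFER[pdb])
        for pdb, share in damage_bin_split.items())
    return frequency_per_yr * dose_given_melt

# --- Step 1b: cut sets already reduced to (systems involved, risk in man-rem/yr).
CUT_SETS = [
    (frozenset({"RB_SPRAY", "RB_COOLING"}), 4.0),
    (frozenset({"CCW", "EFW"}), 3.0),          # turbine-building flood sequence
    (frozenset({"SRV", "LPI"}), 1.8),          # containment-bypass sequence
    (frozenset({"LOP", "EFW"}), 0.9),
    (frozenset({"RB_SPRAY", "LPI"}), 0.2),
    (frozenset({"HPI"}), 0.1),
]

def fussell_vesely(cut_sets):
    """F-V importance of each element: risk of cut sets containing it / total risk.
    The values sum to more than 1 whenever cut sets contain several elements."""
    total = sum(r for _, r in cut_sets)
    elements = set().union(*(cs for cs, _ in cut_sets))
    return {e: sum(r for cs, r in cut_sets if e in cs) / total for e in sorted(elements)}

def select_until(cut_sets, target):
    """Take elements in decreasing F-V order until the cut sets that involve at least one
    selected element account for more than `target` of the total."""
    fv = fussell_vesely(cut_sets)
    total = sum(r for _, r in cut_sets)
    ranked = sorted(fv, key=lambda e: (-fv[e], e))   # name breaks ties deterministically
    chosen, covered = [], 0.0
    for element in ranked:
        chosen.append(element)
        covered = sum(r for cs, r in cut_sets if cs & set(chosen)) / total
        if covered > target:
            break
    return chosen, covered

# --- Step 2: fault tree -> minimal cut sets -> quantification -> component F-V.
# Gate = (kind, [children]); a leaf is a basic-event name. Two redundant trains, each
# defeated by its pump, its MOV, or the shared operator action (a common-cause element).
FAULT_TREE = ("AND", [
    ("OR", ["PUMP_A_FTS", "MOV_A_FTO", "OP_FAIL_INIT"]),
    ("OR", ["PUMP_B_FTS", "MOV_B_FTO", "OP_FAIL_INIT"]),
])
BASIC_EVENT_PROB = {"PUMP_A_FTS": 3e-3, "PUMP_B_FTS": 3e-3,
                    "MOV_A_FTO": 2e-3, "MOV_B_FTO": 2e-3, "OP_FAIL_INIT": 1e-4}

def minimal_cut_sets(node):
    """Boolean expansion of the tree, with absorption so only minimal sets remain."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    groups = [minimal_cut_sets(c) for c in children]
    if kind == "OR":
        sets = [cs for g in groups for cs in g]
    elif kind == "AND":
        sets = [frozenset().union(*combo) for combo in product(*groups)]
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    unique = set(sets)
    return sorted((s for s in unique if not any(o < s for o in unique)),
                  key=lambda s: (len(s), sorted(s)))

def quantify(tree, probs):
    """Rare-event approximation: P(top) ~ sum over minimal cut sets of the product of
    basic-event probabilities. Returns (P(top), [(cut set, probability), ...])."""
    weighted = [(cs, prod(probs[e] for e in cs)) for cs in minimal_cut_sets(tree)]
    return sum(p for _, p in weighted), weighted

if __name__ == "__main__":
    systems, covered = select_until(CUT_SETS, 0.98)
    print("systems covering >98% of risk:", systems, round(covered, 3))
    print("sum of system F-V values:", round(sum(fussell_vesely(CUT_SETS).values()), 3))
    p_top, weighted = quantify(FAULT_TREE, BASIC_EVENT_PROB)
    print("system failure probability:", p_top)
    components, covered = select_until(weighted, 0.95)
    print("components covering >95% of system failure:", components, round(covered, 3))
```

Running it prints the five systems that cover 99% of the constructed risk (RB Spray, RB Cooling, EFW, CCW, LPI), a sum of system F-V values of 1.99 (the point of footnote (a)), a system failure probability of 1.25e-4 for the tree, and the three basic events that cover 96.8% of it; the shared operator action dominates because absorption leaves it as a single-element cut set, which is the kind of common-cause element a walkdown of hardware alone would not reveal. The rare-event sum is adequate here because every basic-event probability is small; with high-probability events the min-cut upper bound or exact inclusion-exclusion would be needed, and a check of the computed top-event probability against an independently published value, as the report did against the PRA, is the natural sanity test for a mis-entered gate.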

2.3 PREPARATION OF TABLES

For each system, the components selected for inclusion in the tables were grouped according to type for discussion of failure modes (e.g., pump suction and discharge MOVs in parallel trains). For many components, cut set elements indicated more than one failure mode (e.g., failure to operate, operator failure to initiate, inappropriate change of position). These failure modes were grouped and addressed for each component type in the system failure mode identification tables.


The characteristics of each component were assessed to determine what types of inspection would be most appropriate for ensuring component reliability. This information was then used to prepare a table for each system correlating each of the relevant IE inspection modules with components which should be addressed when the module is used in inspections of the system. Also included in this table was a cross correlation with the failure modes which would be minimized by the given type of inspection. For instance, pump failure to start and run is addressed in IE inspection modules for Surveillance, Operational Safety Verification, and ESF System Walkdown. It is also addressed through the Maintenance module, in terms of minimizing unavailability due to maintenance scheduling and work.

For each system, an abbreviated system walkdown table was prepared addressing only the selected significant system components. This table identifies the normal operating state or position of each component determined to be risk-significant from the PRA. It was compiled using information from the PRA, and also from plant systems descriptions, operator training information, and plant drawings. In most cases, it was possible to correlate and verify this information using system lineup tables from plant operating procedures.

In general, these tables are considerably shorter than lineup tables in procedures. They therefore allow an inspector with limited time available for system walkdowns to concentrate on risk-significant components, while minimizing the possibility that he may overlook something important.

2.4 CONCLUSIONS AND RECOMMENDATIONS

In this project we have identified the systems and components most important to public risk during operation of the Oconee-3 power plant. They are identified in Tables 4.1 through 4.8. Systems are addressed in the order of decreasing importance, as determined by the fraction of the total risk to the public attributed to the failure of each system. This information has been developed from, and is consistent with, the comprehensive PRA analysis of the Oconee-3 plant performed by EPRI (Sugnet et al. 1984). Additional plant changes may require that it be updated in the future.

The RB Spray and RB Cooling systems are the most important systems for minimization of public risk. This is because most radionuclide releases from the plant involve failure of the containment, due to failure of one or both of these systems. The Condenser Circulating Water system is also a very important system because of the possibility that breach of the large diameter piping and components in this system, which is fed by gravity flow from Lake Keowee, could result in uncontrolled flooding of the turbine building causing common cause failures of many important plant systems including feedwater, emergency core cooling systems, and the RB Spray and Cooling systems. Each of these three systems is involved in failures which contribute between 50 to 80% of the plant risk.

Two other systems are particularly important, and are involved in failures which contribute between 25 and 50% of the plant risk. These are the Safety Relief Valves and the LPI systems. They are both involved in high-consequence failures where core cooling fails and radionuclides escape via a steam generator tube rupture and stuck open steam safety valve, bypassing the containment.

Each of the other systems addressed is involved in less than 5% of the total plant risk. Cumulatively, more than 98% of the plant risk is addressed by the systems in the tables. Overall, the dominant contributor to public risk in all systems is human error in the operation, maintenance or surveillance of these systems.

The information in these tables allows an inspector to identify quickly the components most important to public risk--a combination of failure probability and of the consequences of the failure. This information allows the inspector to direct attention to these components preferentially. In particular, by using the system walkdown tables the inspector can rapidly review the line-up of important system components on a routine basis. The inspector may also use these tables when selecting systems for the performance of more detailed inspection activities.

In using these tables, however, it is essential to remember that other systems are also important for other reasons. For example, the HPI and Reactor Protection systems are absent from the tables, primarily because of their intrinsic reliability and redundancy, despite the fact that they perform essential safety functions. If, through inattention, the failure probabilities of such systems were allowed to increase significantly, their risk significance might exceed that of systems in the tables. Consequently, a balanced inspection program is essential to minimizing plant risk. The tables allow an inspector to concentrate on systems of highest risk importance. In so doing, however, he must maintain cognizance of the status of systems performing other essential safety functions, and ensure that their reliability is maintained.


3.0 IMPORTANT ACCIDENT INITIATORS AND SEQUENCES

The analysis in the Oconee-3 PRA addresses a wide variety of event sequences leading to core melt. Both internal events (those resulting from failure of systems to function due to equipment or operational failures) and external events (external to system boundaries, e.g., earthquakes, tornadoes, fires and external flooding) are addressed. Our analysis addressed only internal events for two reasons. First, inspection of system hardware cannot affect the initiation frequency of external events. Second, the probability of subsequent component failures, given occurrence of an external event, is altered by the damage caused by the event, so that the beneficial results of inspections are overcome by the event itself. We thus focused on what may be called "inspectable risk", in contrast to risk from external events which inspections cannot effectively protect against.

Our analysis addressed two very different types of internal events. In addition to the usual types of event sequences composed of essentially independent failures of various systems, we also addressed turbine building flooding resulting from a breach of the Condenser Circulating Water (CCW) system.

Turbine building flooding events generally resulted in common cause failures of various important systems, including Main and Emergency Feedwater (MFW and EFW), HPI, LPI, and/or RB Spray and RB Cooling, depending on the size and location of the CCW system break. These event types are therefore discussed separately.

Core melt event sequences are categorized according to initiating event type. The thirteen event categories are listed in Table 3.1, along with the annual core melt frequency calculated in the PRA for each category.

Following an initiating event, various types of event sequences are possible. These have been further categorized in the following discussions, where we identify the event sequence categories most likely to lead to core melt.


TABLE 3.1. Initiating Event Categories

Initiating Events                          Mean annual core-melt frequency
Plant transients
  Loss of service water                    1.3E-5
  Feedwater-line break                     4.8E-6
  Loss of instrument air                   3.2E-6
  Loss of offsite power                    2.4E
  Turbine or reactor trip                  1.8E-6
  Loss of main feedwater                   1.2E-6
  Other transients                         2.6E-6
Loss-of-Coolant Accidents (LOCAs)
  Large                                    9.0E-6
  Small                                    6.1E-6
Reactor-vessel rupture                     1.1E-6
Transients without scram                   6.0E-6
Steam-generator tube ruptures              2.7E-6
Interfacing-system LOCA                    1.4E-7
Turbine-building floods                    8.8E-5

3.1 LOSS OF LOW-PRESSURE SERVICE WATER (LPSW)

1. LPSW failure fails HPI and Component Cooling. This fails Reactor Coolant (RC) Pump seal cooling, resulting in seal leakage without RCS makeup capability.
2. LPSW failure fails EFW pumps. Independent failure of MFW and the turbine driven EFW pump (TDEFP) causes SRVs to open, with failure to reclose. LOCA without RCS makeup results.

3.2 FEEDWATER LINE BREAK

1. Large feedwater line break drains common water source for MFW and EFW. Operators fail to provide feedwater from other source. HPI cooling fails independently.


3.3 LOSS OF INSTRUMENT AIR (IA)

1. IA failure fails MFW and EFW. (Only TDEFP is available, with special procedure which fails.) Operators fail to initiate HPI cooling.
2. IA failure fails inlet valve to Letdown Storage Tank (LDST), which eventually fails HPI when operators fail to open valves to BWST. RCP seals fail without Component Cooling, causing a LOCA without HPI.

3.4 LOSS OF OFFSITE POWER (LOP)

1. and 2. LOP fails Instrument Air, with subsequent failures as for IA failures 1 and 2 above.
3. LOP fails IA and MFW. EFW is lost through independent failures and operator errors. HPI cooling is initiated and works for 12 hours until BWST inventory is depleted. Recirculation from RB sump fails due to improper initiation.

3.5 TURBINE OR REACTOR TRIP

1. MFW and EFW fail independently after trip. Operators fail to initiate HPI cooling.
2. After reactor trip, SRVs are opened due to spurious pressurization caused by pressurizer heaters or HPI. SRVs fail to reclose. HPI is initiated and injection works, but recirculation fails.

3.6 LOSS OF MAIN FEEDWATER

1. After loss of MFW, EFW fails due to operator errors and hardware failures. Operators fail to initiate HPI cooling.

3.7 LARGE LOCA

1. LPI injection functions after the LOCA, but operators fail to initiate recirculation from RB sump.
2. LPI injection and recirculation functions after the LOCA, but high flow develops. Operators fail to throttle flow and LPI pumps cavitate and fail.


3. LPI fails after LOCA due to various hardware faults and operator errors.

3.8 SMALL BREAK LOCA

1. RB Spray is initiated by the LOCA. Operators fail to throttle spray, and BWST inventory is depleted in 2 hours. Operators fail to correctly implement HPI recirculation from RB sump.
2. HPI is initiated by the LOCA and empties BWST inventory in 12 hours. Recirculation fails due to operator errors or hardware failure.

3. HPI fails after the LOCA due to valve failures, BWST faults, or operator errors.

3.9 REACTOR VESSEL RUPTURE

1. Vessel suddenly fractures under normal, upset or test conditions.

3.10 TRANSIENTS WITHOUT SCRAM (ATWS)

1. MFW fails after the transient. Either HPI or long term cooling fail subsequently.
2. Pressure surge causes LOCA. HPI fails, partly due to pressure surge.

3.11 STEAM GENERATOR (SG) TUBE RUPTURE

1. HPI fails after SG tube rupture, due to human errors and suction valve hardware faults.
2. LPI fails after SG tube rupture, during recirculation due to hardware and human failures.
3. After SG tube rupture, main steam relief valve opens and fails to close on the affected SG. Long term cooling fails due to loss of supply for injection/recirculation caused by failure to refill the BWST, or failure to open LPI suction valves from the RCS.


3.12 INTERFACING SYSTEM LOCA

1. Valves separating RCS from LPI system fail resulting in an interfacing system LOCA. LPI fails immediately due to damage to LPI pumps or later because there is no water in the RB sump for recirculation.

3.13 TURBINE BUILDING FLOODS

Significant modifications to the plant have been performed as a result of the initial PRA analysis, which indicated an unacceptably high core melt frequency associated with flooding due to breach of the Condenser Circulating Water system. These modifications reduced the calculated core melt frequency by a factor of 70, to 8.8E-5 per year which is the value presented in Table 3.1. This resulting value is still quite large, and exceeds the contribution to core melt frequency of all of the other internal events addressed herein.

For the unmodified plant, any flood from the CCW system exceeding 15,000 gpm (drain capacity) would have failed the MFW and EFW systems, and the HPI pumps. Furthermore, gravity flow from Lake Keowee through the CCW system would continue even after the pumps were stopped because the turbine building basement is 25 feet below the normal lake level. Subsequent plant modifications and other actions include:

- sealing doors and penetrations between turbine and auxiliary building to six feet above the basement floor
- closing cross connections between the three units
- changing auxiliary system alignments so that backflow from the lake would be limited
- installation of controls to allow closing of all CCW pump discharge valves from the control room
- installation of unambiguous alarms indicating flooding
- modifications to procedures and improved training to protect auxiliary building equipment from flood effects.

Maintaining the effectiveness of these improvements is clearly important to minimizing core melt frequency due to turbine building flooding effects.


Subsequent to the plant modifications, the PRA analysis was redone and published in the PRA document. This analysis identifies four major categories of event sequences leading to core melt for the modified plant. Each of these contributes about equally to the core melt frequency listed in Table 3.1.

These categories are:

1. Flood fails all feedwater. Pressurizer SRVs open, one fails to reseat. HPI fails due to loss of service water cooling or to flooding exceeding the six foot high barriers to the auxiliary building.

2. Flood fails all feedwater and HPI, as above. SRV reseats, but Standby Shutdown Facility (SSF) fails to provide backup cooling.
3. Flood fails all feedwater and HPI, as above. SSF functions, but operators fail to provide long term suction supplies for SSF pumps due to actions to isolate flood or other hindrance from flood.
4. Flood fails all feedwater. HPI functions. Long term cooling fails because the flood fails LPSW for decay heat removal. Backup cooling with the SSF fails.


4.0 SYSTEM INSPECTION PLANS

Tables are presented for each of the systems selected in the analysis which identify important system failure modes, IE modules applicable to the inspection of system components, and the required position of each important component during normal system operation (i.e., system walkdown checklist).

The systems are presented in decreasing order of risk importance, and together comprise more than 98% of the public risk associated with plant operation.


4.1 REACTOR BUILDING SPRAY SYSTEM

TABLE 1A. REACTOR BUILDING SPRAY SYSTEM FAILURE MODE IDENTIFICATION

The Reactor Building Spray System (RBSS) is a standby safety system and has no normal operating function. It is aligned in the standby mode during normal plant operation, with the pumps off and in automatic control, the discharge motor-operated valves closed, and all other motor-operated and manual valves open. The system is automatically activated on a signal of high reactor building pressure. At least one of the two trains of RBSS is required for system success. This system is important for public health, not for preventing plant damage.

Conditions that Lead to Failure

1. Human Error-System Operation Inhibited, or Failure to Restore Valves 3BS-12, 13, 17, 18, and 21, or Failure to Restore P3A and P3B Switchgears After Test
   These are failures of the operator, including misdiagnosis of spurious spray operation when it is actually required, or human error failure to realign a valve or restore a switchgear at the end of a test, plus failure to discover the error. The valves are pump discharge manual valves 3BS-12, 3BS-17, and the manual test valves 3BS-13, 3BS-18 and 3BS-21 which may be left in the test position. These errors are addressed by emergency procedures, proper post-test surveillance, which should be reviewed and observed.
2. Reactor Building Pumps 3A and 3B Fail to Start or to Run
   Failure of pumps 3A and 3B will prevent waterflow from being provided to the spray headers. The important failure causes are random hardware failures, and human errors in following procedures. Operator awareness, surveillance and lineup for standby operation should be observed and reviewed.
3. Failure of Motor-Operated Discharge Valve MOV 3BS-1 and MOV 3BS-2 to Open
   These motor-operated valves must be opened to allow flow from the pumps to the spray headers. The dominant failure cause is random hardware failure. A contributing failure cause is human error failure to manually activate them. Operator awareness, surveillance and lineup for standby operation should be observed and reviewed.
4. RBS Pump Trains Unavailable Due to Maintenance and Testing
   This includes both scheduled and unscheduled maintenance and testing. The timely performance of maintenance and testing should be reviewed and observed to minimize this unavailability.


5. RBS Pumps' Suction Valves MOV 3BS-3 and MOV 3BS-4, or Check Valves 3BS-11, 3BS-16, 3BS-14 and 3BS-19 Transfer Closed or Fail to Open on Demand
   The valves are pumps' suction motor-operated valves 3BS-3, 3BS-4, and discharge check valves 3BS-11, 3BS-16, 3BS-14, and 3BS-19. Check valves should be locked open. The important failure causes are human error and random electrical or hardware failures. Operator awareness, surveillance and lineup for standby operation should be observed or reviewed.


TABLE 1B. IE MODULES FOR REACTOR BUILDING SPRAY SYSTEM INSPECTION

Module  Title                       Components                                 Failure Mode(a)
61701   Surveillance (Complex)      Control Switches P3A, P3B                  1
                                    Pumps 3A, 3B                               2
61726   Monthly Surveillance        Control Switches P3A, P3B,                 1
        Observation                 3BS-12, 3BS-13, 3BS-17, 3BS-18, 3BS-21
                                    Pumps 3A, 3B                               2
                                    MOV 3BS-1, MOV 3BS-2                       3
                                    MOV 3BS-3, MOV 3BS-4,                      5
                                    3BS-11, 3BS-14, 3BS-16, 3BS-19
62700   Maintenance                 Pumps 3A, 3B                               4
71707   Operational Safety          3BS-12, 3BS-13, 3BS-17,                    1
        Verification                3BS-18, Switches P3A, P3B
                                    RBSS Pumps 3A, 3B                          2
                                    MOV 3BS-1, MOV 3BS-2                       3
                                    MOV 3BS-3, MOV 3BS-4,                      5
                                    3BS-11, 3BS-14, 3BS-16, 3BS-19
71710   ESF System Walkdown         3BS-12, 3BS-13, 3BS-17,                    1
                                    3BS-18, Switches P3A, P3B
                                    RBSS Pumps 3A, 3B                          2
                                    MOV 3BS-1, MOV 3BS-2                       3
                                    MOV 3BS-3, MOV 3BS-4,                      5
                                    3BS-11, 3BS-14, 3BS-16, 3BS-19

(a) See Table 1A for failure identification.

TABLE 1C. MODIFIED REACTOR BUILDING SPRAY SYSTEM WALKDOWN

Component Number   Component Name                        Location      Required Position   Actual Position

Electrical
Pump 3A            RBSS Pump 3A                          Breaker TC    Racked in
Pump 3B            RBSS Pump 3B                          Breaker TD    Racked in
Pump 3A            RBSS Pump 3A Control Power            Switch        On
Pump 3B            RBSS Pump 3B Control Power            Switch        On
MOV 3BS-1          RBSS Pump 3A Discharge Valve          Breaker XS1   Closed
MOV 3BS-2          RBSS Pump 3B Discharge Valve          Breaker XS2   Closed
MOV 3BS-3          RBSS Pump 3A Suction Valve            Breaker XS1   Closed
MOV 3BS-4          RBSS Pump 3B Suction Valve            Breaker XS2   Closed

Valves
MOV 3BS-1          RBSS Pump 3A Discharge Valve                        Closed
MOV 3BS-2          RBSS Pump 3B Discharge Valve                        Closed
MOV 3BS-3          RBSS Pump 3A Suction Valve                          Closed
MOV 3BS-4          RBSS Pump 3B Suction Valve                          Closed
3BS-11             RBSS Pump 3A Discharge Check Valve                  Open
3BS-12             RBSS Pump A Manual Discharge Valve                  Open
3BS-13             RBSS Pump A Manual Test Valve                       Closed
3BS-14             RBSS Pump 3A Discharge Check Valve                  Open
3BS-16             RBSS Pump 3B Discharge Check Valve                  Open
3BS-17             RBSS Pump B Manual Discharge Valve                  Open
3BS-18             RBSS Pump B Manual Test Valve                       Closed
3BS-19             RBSS Pump 3B Discharge Check Valve                  Open
3BS-21             RBSS BWST Manual Test Valve                         Closed

4.2 REACTOR BUILDING COOLING SYSTEM

TABLE 2A. REACTOR BUILDING COOLING SYSTEM FAILURE MODE IDENTIFICATION

The Reactor Building Cooling System (RBCS) is a normally operating system that provides the principal means for cooling the reactor building. The operation of each of the three fans is controlled from the control room. Typically, during power operation two of the three fans are operating at high speed, with LPSW supplying the two coolers associated with these fans. The third fan is usually on standby and will start automatically if one of the operating fans fails.

Conditions that Lead to Failure

1. Fans 3A, 3B, and 3C Fail to Run
   This is the primary contributor to system failure to provide cooling to the reactor building. The failure cause is random hardware failures of these three fans. Testing of the fan not in use according to the Technical Specifications should minimize the probability of failure.
2. Operating Fans Fail to Run and Non-Operating Fan Fails to Start and Run
   Failure of any combination of two out of three fans will prevent sufficient cooling air flow to the reactor building. Testing of the fan which is not in use according to Technical Specifications should minimize the probability of failure.
3. Operating Fans Fail to Run and Non-Operating Fan in Maintenance
   Non-operating fan in maintenance unavailability is significant in conjunction with hardware failures of the operating fans. Review of the practices associated with scheduled and unscheduled maintenance of this fan should be performed.
4. Motor-Operated Damper to RBCS Common Duct Header Fails to Open
   This motor-operated damper must open to allow flow from the fans to reactor building. Observation of maintenance, surveillance, and system lineup should be done.
5. Dropout Plates 3A, 3B and 3C Fail to Drop
   In the post-LOCA situation, the RBCS dropout plates are designed to drop off, providing an independent air flow path for each of the fan and cooler units. Maintenance and surveillance of these plates should be observed or reviewed to minimize these failures.


6. Start Switches 312, 313, and 314 Improperly Positioned
   Failure of this system is dominated by the human error of mispositioning the start switches 312, 313 and 314. This error, if undetected, leads directly to system failure. Review of the Operating Procedures and verification of the Check-off Lists should minimize the probability of failure.

TABLE 2B. IE MODULES FOR REACTOR BUILDING COOLING SYSTEM INSPECTION

Module  Title                       Components                        Failure Mode(a)
61701   Surveillance (Complex)      Motor-Operated Damper             4
61726   Monthly Surveillance        Fans 3A, 3B, 3C                   1,2
        Observation                 Motor-Operated Damper             4
                                    Dropout Plates 3A, 3B, 3C         5
                                    Start Switches 312, 313, 314      6
62700   Maintenance                 Fans 3A, 3B, 3C                   3
                                    Motor-Operated Damper             4
62703   Monthly Maintenance         Fans 3A, 3B, 3C                   3
        Observation                 Motor-Operated Damper             4
71707   Operational Safety          Fans 3A, 3B, 3C                   1,2
        Verification                Motor-Operated Damper             4
                                    Dropout Plates 3A, 3B, 3C         5
71710   ESF System Walkdown         Fans 3A, 3B, 3C                   1,2
                                    Motor-Operated Damper             4
                                    Dropout Plates 3A, 3B, 3C         5
                                    Start Switches 312, 313, 314      6

(a) See Table 2A for failure identification.

TABLE 2C. REACTOR BUILDING COOLING SYSTEM WALKDOWN

Component Number   Component Name                       Location            Required Position   Actual Position

Electrical
Fan 3A             RBCS Fan 3A                          Breaker             Racked in
Fan 3B             RBCS Fan 3B                          Breaker             Racked in
Fan 3C             RBCS Fan 3C                          Breaker             Racked in
MO Damper A        RBCS Motor-Operated Damper A         Breaker             Closed
MO Damper B        RBCS Motor-Operated Damper B         Breaker             Open
MO Damper C        RBCS Motor-Operated Damper C         Breaker             Closed

Components
Fan 3A             RBCS Fan 3A                          Start Switch 312    High
Fan 3B             RBCS Fan 3B                          Start Switch 313    Stop
Fan 3C             RBCS Fan 3C                          Start Switch 314    High
MO Damper A        RBCS Damper A                                            Open
MO Damper B        RBCS Damper B                                            Closed
MO Damper C        RBCS Damper C                                            Open
Dropout Plate 3A   Dropout Plate 3A                                         Closed
Dropout Plate 3B   Dropout Plate 3B                                         Closed
Dropout Plate 3C   Dropout Plate 3C                                         Closed

4.3 CONDENSER CIRCULATING SYSTEM

TABLE 3A. CONDENSER CIRCULATING WATER SYSTEM FAILURE MODE IDENTIFICATION

The Condenser Circulating Water (CCW) system is a normal operating system that provides cooling for the front line systems. The CCW system consists of four pumps for each Oconee unit. The pumps are located on the intake structure in the intake canal. Under normal conditions, three of the pumps are running. The pumps feed into six 78-in.-diameter pipes and rise from the floor into the three sections of the main condenser. A similar set of six pipe sections are on the discharge side that drop down into the floor and join each other below floor level. The outlet pipes rise back to the level of Lake Keowee and discharge into this lake.

Conditions that Lead to Failure

1. Condenser Discharge Valves AOV 3CCW-20, 21, 22, 23, 24, or 25 Fail to Close
   These are air-operated valves for the CCW system. They must all be closed following a breach of the system to terminate flooding of the turbine building. The important failure causes are the result of the relay coil failure to energize and random valves hardware failure. Surveillance and maintenance of these valves should be reviewed and observed.
2. CCW Pump-Discharge Valves MOV 3CCW-10, 11, 12, or 13 Fail to Close on Demand
   These are the CCW system pump-discharge motor-operated valves. After a breach of the system, they must all be closed. The important failure causes are the contacts of the manual override switch for pump-discharge MOVs failing to open and valves hardware failure. Surveillance and maintenance of these valves are significant preventive measures.
3. Condensate Coolers AOV 3CCW-81, MV 3CCW-75, 76, 77, 78, 79, 80, 82, or 87 Fail to Close
   Failure of these valves to close during system breach conditions will allow backflow through the condensate coolers. The dominant failure cause is random hardware failure. A contributing cause is operator failure to close these valves. Operator awareness, surveillance, and maintenance of these valves should be reviewed or observed to maintain reliability.


TABLE 3B. IE MODULES FOR CONDENSER CIRCULATING WATER SYSTEM INSPECTION

Module  Title                       Components                              Failure Mode(a)
61701   Surveillance (Complex)      AOV 3CCW-20, 21, 22, 23, 24, 25, 81     1,3
                                    MOV CCW-10, 11, 12, 13                  2
                                    MV 3CCW-75, 76, 77, 80, 82, 87          3
61726   Monthly Surveillance        AOV 3CCW-20, 21, 22, 23, 24, 25, 81     1
        Observation                 MOV CCW-10, 11, 12, 13                  2
                                    MV 3CCW-75, 76, 77, 80, 82, 87          3
71707   Operational Safety          AOV 3CCW-20, 21, 22, 23, 24, 25, 81     1,3
        Verification                MOV CCW-10, 11, 12, 13                  2
                                    MV 3CCW-75, 76, 77, 80, 82, 87          3
71710   ESF System Walkdown         AOV 3CCW-20, 21, 22, 23, 24, 25, 81     1,3
                                    MOV CCW-10, 11, 12, 13                  2
                                    MV 3CCW-75, 76, 77, 80, 82, 87          3

(a) See Table 3A for failure identification.

TABLE 3C. MODIFIED CONDENSER CIRCULATING WATER SYSTEM WALKDOWN

Component Number   Component Name                                  Location     Required Position   Actual Position

Electrical
AOV CCW-20         Condenser 3A CCW Discharge Valve                Relay Coil   Closed
AOV CCW-21         Condenser 3A CCW Discharge Valve                Relay Coil   Closed
AOV CCW-22         Condenser 3B CCW Discharge Valve                Relay Coil   Closed
AOV CCW-23         Condenser 3B CCW Discharge Valve                Relay Coil   Closed
AOV CCW-24         Condenser 3C CCW Discharge Valve                Relay Coil   Closed
AOV CCW-25         Condenser 3C CCW Discharge Valve                Relay Coil   Closed
AOV CCW-81         Condensate Coolers 3A, 3B Discharge Valve       Relay Coil   Closed
MOV CCW-10         Pump 3A CCW Discharge Valve                     Breaker      Closed
MOV CCW-11         Pump 3B CCW Discharge Valve                     Breaker      Closed
MOV CCW-12         Pump 3C CCW Discharge Valve                     Breaker      Closed
MOV CCW-13         Pump 3D CCW Discharge Valve                     Breaker      Closed

Valves
AOV 3CCW-20        Condenser 3A CCW Discharge Valve                             Open
AOV 3CCW-21        Condenser 3A CCW Discharge Valve                             Open
AOV 3CCW-22        Condenser 3B CCW Discharge Valve                             Open
AOV 3CCW-23        Condenser 3B CCW Discharge Valve                             Open
AOV 3CCW-24        Condenser 3C CCW Discharge Valve                             Open
AOV 3CCW-25        Condenser 3C CCW Discharge Valve                             Open
AOV 3CCW-81        Condensate Coolers 3A, 3B CCW Discharge Valve                Open
MOV 3CCW-10        Pump 3A CCW Discharge Valve                                  Open
MOV 3CCW-11        Pump 3B CCW Discharge Valve                                  Open
MOV 3CCW-12        Pump 3C CCW Discharge Valve                                  Open
MOV 3CCW-13        Pump 3D CCW Discharge Valve                                  Closed
MV 3CCW-75         Condensate Coolers 3A, 3B CCW Inlet Valve                    Open
MV 3CCW-76         Condensate Cooler 3A CCW Inlet Valve                         Open
MV 3CCW-77         Condensate Cooler 3A CCW Outlet Valve                        Open
MV 3CCW-78         Condensate Cooler 3B CCW Inlet Valve                         Open
MV 3CCW-79         Condensate Cooler 3B CCW Outlet Valve                        Open
MV 3CCW-80         Condensate Coolers 3A, 3B CCW Outlet Valve                   Open
MV 3CCW-82         Condensate Coolers 3A, 3B CCW Outlet Valve                   Open
MV 3CCW-87         Condensate Coolers 3A, 3B CCW Outlet Valve                   Open

4.4 SAFETY RELIEF VALVE SYSTEM

TABLE 4A. SAFETY RELIEF VALVE SYSTEM FAILURE MODE IDENTIFICATION

The safety relief valves are part of the reactor coolant system (RCS) primary pressure control system. During normal operation the pressurizer establishes and maintains the RCS pressure within prescribed limits and provides a steam surge chamber and a water reserve to accommodate changes in the density of the reactor coolant. Under abnormal conditions, the relief valves on the pressurizer are the means of external pressure relief for the RCS. Also, the system can be employed together with main steam safety valves to release pressure when the heat removal through the secondary system is not available.

Conditions that Lead to Failure

1. Pressurizer Relief Valves RC-67, RC-68 Fail to Close After Steam Relief
   The required position for these valves is "closed" once the pressurizer pressure has decreased below the relief valve set point. The failure mode is random hardware failures of all these valves. Surveillance and maintenance of these valves should be reviewed or observed.
2. Main Steam Safety Valves (MS-1 through MS-8) Fail to Close After Opening
   The failure modes are failure to close after opening, or failure to reclose after a reactor trip. The important failure cause is random hardware failures. Surveillance and maintenance of these valves should be reviewed or observed.

TABLE 4B. IE MODULES FOR SAFETY RELIEF VALVE SYSTEM INSPECTION

Module  Title                       Components                    Failure Mode(a)
61701   Surveillance (Complex)      Pressurizer Relief Valves     1
                                    Main Steam Safety Valves      2
61726   Monthly Surveillance        Pressurizer Relief Valves     1
        Observation                 Main Steam Safety Valves      2
71707   Operational Safety          Pressurizer Relief Valves     1
        Verification                Main Steam Safety Valves      2
71710   ESF System Walkdown         Pressurizer Relief Valves     1
                                    Main Steam Safety Valves      2

(a) See Table 4A for failure identification.

TABLE 4C. MODIFIED SAFETY RELIEF VALVE SYSTEM WALKDOWN

Component Number    Component Name              Location   Required Position   Actual Position
RC-67               Pressurizer Relief Valve               Closed
RC-68               Pressurizer Relief Valve               Closed
MS-1 through MS-8   Main Steam Safety Valves               Closed

4.5 LOW-PRESSURE INJECTION SYSTEM

TABLE 5A. LOW-PRESSURE INJECTION SYSTEM FAILURE MODE IDENTIFICATION

The low-pressure injection system is designed to perform both normal and emergency functions in several modes of operation. Under normal conditions, the most frequently used function is Decay Heat Removal (DHR) after a shutdown. The system is also used to supply water for auxiliary spray to the pressurizer, to maintain the proper reactor-coolant temperatures for refueling, and to provide a means for filling and draining the fuel-transfer canal. The emergency functions are Low-Pressure Injection (LPI) and Low Pressure Recirculation (LPR). In the LPI mode, the system provides two flow paths for injecting borated water from the Borated-Water Storage Tank (BWST) into the reactor vessel after a Loss-Of-Coolant Accident (LOCA). In the LPR mode, it also provides two flow paths for recirculating the reactor coolant spilled in a LOCA from the reactor-building emergency sump back to the reactor vessel. The LPR mode can also be coupled with high-pressure pumps to provide high-pressure recirculation.

Conditions that Lead to Failure

1. Operator Failure to Throttle Flow After Switching to the Hot Sump Water for Suction

This is the dominant failure for the low head recirculation mode. The operator has approximately 15 minutes to throttle flow and prevent pump cavitation. The recirculation procedure contains warnings and instructions about high-flow conditions. Operator awareness of criteria for throttling and adherence to emergency procedures is important.

2. Operator Fails to Manually Realign Suction from the BWST to the Reactor Building Emergency Sump during Recirculation

The realignment of the LPI sump suction is a manual operation and is initiated on receiving a low-level alarm from the BWST. Both suction valves to the reactor-building emergency sump, MOV LP-19 and 20, need to be opened for low pressure recirculation. Operator awareness of criteria for switchover and adherence to emergency procedures is important.

3. Operator Fails to Turn LPI Pumps 3A, 3B Off for Small LOCAs in 2 to 3 Hours

For small LOCAs the Reactor Coolant System (RCS) pressure remains above the shutoff head of the LPI pumps. For some LOCAs the LPI pumps may be automatically initiated and will deadhead on minimum-flow recirculation. In these cases, the pumps will overheat if not turned off in 2 to 3 hours.

Verification and review of the emergency procedure and check-off lists should reduce the probability of failure.


4. Coupled Human Error - Failure to Close Valves LP-40, 41, and 42 After Test

These are failures to realign or close a valve at the end of a test, and failure to discover the error. The valves are manual valves allowing recirculation test flow to the BWST, LP-40, 41, and 42. They should be locked closed. These errors are addressed by proper post-test surveillance, which should be reviewed and observed.

5. BWST Discharge Valves MOV LP-17 and 18 Fail to Open on Demand

These are isolation valves for the LPI system suction from the BWST. They must both be open following a LOCA. The dominant failure cause is random hardware failure. A contributing cause is operator failure to open these valves. Power availability, operator awareness, surveillance, and maintenance of these valves should be reviewed or observed to maintain reliability.

6. Discharge Throttle Valves MOV LP-12 and 14 Failure

The failure mode is failure to throttle under high-flow conditions. The dominant failure cause is operator failure to throttle these valves. The contributing cause is failure of a power supply to MOVs LP-12 and LP-14. Operator awareness, power availability, surveillance, and maintenance of these valves should be reviewed or observed to maintain reliability.

7. LPI Pumps 3A and 3B Fail to Start or Run

The failure modes are failure to start, and failure to run. These hardware failures are a small contributor to the risk that can be minimized by reviewing or observing pump surveillance, and by testing and maintenance.

8. LPI Pumps 3A and 3B Unavailable Due to Maintenance

Maintenance unavailability of the LPI pumps is important for the high head recirculation mode. It is also a small contributor to the risk in the low head recirculation mode, in conjunction with a random hardware failure on the other LPI train. Maintenance activities should be reviewed or observed to minimize this unavailability, by enhancing the timeliness and correctness of maintenance.

9. Manual Valves LWD-99 and 103 Fail to Close

The principal failure is human error in leaving manual drain valves LWD-99 and 103 open during power operation, creating a leakage path from the sump during a LOCA. This leakage path can cause direct flooding of the HPI pump rooms and thus lead to a failure of LPI recirculation.

Verification and review of the operating procedure and check-off lists should minimize the probability of failure.


TABLE 5B. IE MODULES FOR LOW PRESSURE INJECTION SYSTEM INSPECTION

Module   Title                      Components            Failure Mode(a)
61701    Surveillance (Complex)     LPI Pumps 3A, 3B      7
61726    Monthly Surveillance       MOV LP-19, 20         2
         Observation                LP-40, 41, 42         4
                                    MOV LP-17, 18         5
                                    MOV LP-12, 14         6
                                    LPI Pumps 3A, 3B      7
                                    LWD-99, 103           9
62700    Maintenance                LP-40, 41, 42         4
                                    LPI Pumps 3A, 3B      8
62703    Monthly Maintenance        LP-40, 41, 42         4
         Observation                LPI Pumps 3A, 3B      8
71707    Operational Safety         MOV LP-19, 20         2
         Verification               LP-40, 41, 42         4
                                    MOV LP-17, 18         5
                                    MOV LP-12, 14         6
                                    LPI Pumps 3A, 3B      3,7
                                    LWD-99, 103           9
71710    ESF System Walkdown        MOV LP-19, 20         2
                                    LP-40, 41, 42         4
                                    MOV LP-17, 18         5
                                    MOV LP-12, 14         6
                                    LPI Pumps 3A, 3B      7
                                    LWD-99, 103           9

(a) See Table 5A for failure identification.


TABLE 5C. MODIFIED LOW PRESSURE INJECTION SYSTEM WALKDOWN

Component Number   Component Name                               Location   Required Position   Actual Position

Electrical
Pump 3A            LPI Pump 3A Breaker                          3TC        Racked in
Pump 3B            LPI Pump 3B Breaker                          3TD        Racked in
MOV LP-12          LP Cooler "B" Outlet Breaker                 3XL        Closed
MOV LP-14          LP Cooler "A" Outlet Breaker                 3XN        Closed
MOV LP-17          LP "A" Line to RB Isolation Breaker          3XS1       Closed
MOV LP-18          LP "B" Line to RB Isolation Breaker          3XS2       Closed
MOV LP-19          RB Emergency Sump Isolation Line A Breaker   3XS3       Closed
MOV LP-20          RB Emergency Sump Isolation Line B Breaker   3XS2       Closed

Valves
MOV LP-12          Discharge Throttle Valve                     CR         Throttled
MOV LP-14          Discharge Throttle Valve                     CR         Throttled
MOV LP-17          LP "A" Line to RB Isolation                  CR         Closed
MOV LP-18          LP "B" Line to RB Isolation                  CR         Closed
MOV LP-19          RB Emergency Sump Isolation Line A           CR         Closed
MOV LP-20          RB Emergency Sump Isolation Line B           CR         Closed
LP-40              BWST Manual Test Valve                       A4-452W    Locked closed
LP-41              BWST Manual Test Valve                       A4-452     Closed
LP-42              BWST Manual Test Valve                       A4-452W    Closed
LWD-99             Manual Drain Valve                                      Closed
LWD-103            Manual Drain Valve                                      Closed


4.6 STANDBY SHUTDOWN FACILITY - HIGH PRESSURE INJECTION SYSTEM

TABLE 6A. STANDBY SHUTDOWN FACILITY - HIGH PRESSURE INJECTION SYSTEM FAILURE MODE IDENTIFICATION

The Standby Shutdown Facility - High Pressure Injection (SSF-HPI) system is a separate, bunkered installation that is being constructed at Oconee to provide a secure means for attaining and maintaining a hot shutdown condition in all three Oconee Units. For the purposes of this analysis, the SSF-HPI was assumed to be in operation. The SSF-HPI was designed principally to provide core cooling for incidents of industrial sabotage, fires, and flooding. When operable, it will also provide an alternative supply of cooling water for internal or external events that result in failure of normal and emergency plant systems.

Conditions that Lead to Failure

1. Motor-Operated Valves SSF-HP-398 or SSF-SF-82 Fail to Open on Demand

These are isolation valves for the SSF system. They must open following an abnormal event, e.g., flooding. The important failure cause is random hardware failures. Surveillance and maintenance of these valves should be reviewed or observed.

2. Human Error - Failure to Close Valves SSF-HP-417 or SSF-HP-405 After Test

This is failure to realign a valve at the end of a test, and failure to discover the error. The valves are SSF high pressure cooler return valves SSF-HP-417 and SSF-HP-405. They should be closed. These errors are addressed by proper post-test surveillance, which should be reviewed or observed.

3. SSF Make-up Pump SSF-RC Fails to Start or Run

These are random hardware failures. The failure modes are failure to start, or failure to run. These failures can be minimized by reviewing or observing pump surveillance, and by checking system lineup for standby operation.

4. SSF Make-up Pump Unavailable Due to Maintenance

This includes both scheduled and unscheduled maintenance. The performance of maintenance should be reviewed to ensure that efficient scheduling is done, and that repairs are performed correctly, minimizing downtime.


TABLE 6B. IE MODULES FOR STANDBY SHUTDOWN FACILITY - HIGH PRESSURE INJECTION SYSTEM INSPECTION

Module   Title                      Components     Failure Mode(a)
61701    Surveillance (Complex)     SSF-HP-398     1
                                    SSF-SF-82      1
                                    SSF-HP-417     2
                                    SSF-HP-405     2
                                    SSF RC Pump    3
61726    Monthly Surveillance       SSF-HP-398     1
         Observation                SSF-SF-82      1
                                    SSF-HP-417     2
                                    SSF-HP-405     2
                                    SSF RC Pump    3
62700    Maintenance                SSF RC Pump    3,4
71707    Operational Safety         SSF-HP-398     1
         Verification               SSF-SF-82      1
                                    SSF-HP-417     2
                                    SSF-HP-405     2
                                    SSF RC Pump    3
71710    ESF System Walkdown        SSF-HP-398     1
                                    SSF-SF-82      1
                                    SSF-HP-417     2
                                    SSF-HP-405     2
                                    SSF RC Pump    3

(a) See Table 6A for failure identification.


TABLE 6C. MODIFIED STANDBY SHUTDOWN FACILITY - HIGH PRESSURE INJECTION SYSTEM WALKDOWN

Component Number   Component Name                                  Location   Required Position   Actual Position

Electrical
SSF-HP-398         SSF RC Makeup Filter Discharge Valve Breaker               Closed
SSF-SF-82          SSF RC Suction Valve Breaker                               Closed
SSF-HP-405         HP Coolers Return Valve Breaker                            Closed
SSF-HP-417         Spent Fuel Storage Pool Return Valve Breaker               Closed
SSF RC Pump        SSF RC Makeup Pump Breaker                                 Closed

Valves
SSF-HP-398         SSF RC Makeup Filter Discharge Valve                       Closed
SSF-SF-82          SSF RC Suction Valve                                       Closed
SSF-HP-405         HP Coolers Return Valve                                    Closed
SSF-HP-417         Spent Fuel Storage Pool Return Valve                       Closed

4.7 LOW-PRESSURE SERVICE WATER SYSTEM

TABLE 7A. LOW-PRESSURE SERVICE WATER SYSTEM FAILURE MODE IDENTIFICATION

Low-Pressure Service Water (LPSW) is a normally operating system that supplies cooling water to a number of loads. One pump is in operation supplying coolant to two main headers while the other pump is in standby. Both headers are supplied by the single operating pump. The crosstie to other units is normally closed. During normal shutdown, flow to the decay-heat coolers is controlled manually. Emergency operation involves changes in LPSW flow to most of the associated loads. Both pumps are started on receipt of engineered safeguards actuation signals. In this analysis, LPSW pump A is assumed to be operating, and pump B is in standby.

Conditions that Lead to Failure

1. Insufficient Flow from CCW Suction Source and from Units 1 and 2

These failure modes lead to failure of both LPSW trains. The important failure cause is random hardware failures. A contributing cause is operator failure to open valves from other units. Operator awareness, surveillance, and maintenance should be reviewed or observed to improve reliability.

2. Operating Pump (A) Fails and Operator Fails to Start the Second Pump (B)

The failure modes are pump failure to run, and operator failure to start the standby pump. The important failure cause is random hardware failures. A contributing cause is operator failure to start the standby pump. Reviewing or observing pump surveillance, and checking system lineup for standby operation, should minimize these failures.

3. Operating Pump (A) Fails and the Second Pump (B) Fails to Start or Run

Failure of these two pumps will prevent sufficient service water flow to the discharge headers. The important failure cause is hardware failure. Testing of the pump which is not in use according to the Technical Specifications should reduce the probability of failure.

4. Operating Pump (A) is Out for Maintenance and the Second Pump (B) Fails to Continue Running

Maintenance unavailability of the normally operating pump in conjunction with a single hardware failure of the second pump is a significant contributor to LPSW failure. Review of the practices associated with scheduled and unscheduled maintenance, and observation or review of surveillance of these pumps, should be performed.


5. Combination Failures of Suction Valves MOV LPSW-120, 123, or Manual Isolation Valves LPSW-122, 125, or Crosstie Manual Valve LPSW-132

One of the two LPSW pumps is required to supply the designated nuclear headers for 24 hours following an initiating event. Coupled failure of these valves in the closed position will prevent service water flow to the designated headers. Testing of these valves according to Technical Specifications should minimize the probability of failure.


TABLE 7B. IE MODULES FOR LOW-PRESSURE SERVICE WATER SYSTEM INSPECTION

Module   Title                      Components               Failure Mode(a)
61726    Monthly Surveillance       CCW Suction Source       1
         Observation                LPSW Pumps A, B          2,3
                                    MOV LPSW-120, 123,       5
                                    MV LPSW-122, 125,
                                    MV LPSW-132
62700    Maintenance                Pumps A, B               4
62703    Monthly Maintenance        CCW Suction Source       1
         Observation                LPSW Pumps A, B          2,3
                                    MOV LPSW-120, 123,       5
                                    MV LPSW-122, 125,
                                    MV LPSW-132
71707    Operational Safety         CCW Suction Source       1
         Verification               LPSW Pumps A, B          2,3
                                    MOV LPSW-120, 123,       5
                                    MV LPSW-122, 125,
                                    MV LPSW-132
71710    ESF System Walkdown        CCW Suction Source       1
                                    LPSW Pumps A, B          2,3
                                    MOV LPSW-120, 123,       5
                                    MV LPSW-122, 125,
                                    MV LPSW-132

(a) See Table 7A for failure identification.


TABLE 7C. MODIFIED LOW-PRESSURE SERVICE WATER SYSTEM WALKDOWN

Component Number   Component Name                       Location   Required Position   Actual Position

Electrical
Pump A             LPSW Pump A Breaker                  3TC        Racked in
Pump B             LPSW Pump B Breaker                  3TD        Racked in
MOV LPSW-120       LPSW Pump A Suction Valve Breaker    3XGA       Closed
MOV LPSW-123       LPSW Pump B Suction Valve Breaker    3XGA       Closed

Valves
MOV LPSW-120       LPSW Pump A Suction Valve            CR         Open
MOV LPSW-123       LPSW Pump B Suction Valve            CR         Open
LPSW-122           LPSW Pump A Discharge Valve          L-47-S     Throttle locked
LPSW-125           LPSW Pump B Discharge Valve          L-46-S     Throttle locked
LPSW-132           LPSW Cross-Connect Valve             L-46/47    Open


4.8 EMERGENCY FEEDWATER SYSTEM

TABLE 8A. EMERGENCY FEEDWATER SYSTEM FAILURE MODE IDENTIFICATION

The Emergency Feedwater (EFW) system is used to supply feedwater to the steam generators when the main feedwater system is not available, in order to remove energy stored in the core and primary coolant. The EFW system provides a sufficient secondary-side steam generator heat sink for cooling down the Reactor Coolant System (RCS) from a reactor trip at power operation to conditions at which the decay-heat removal system can be valved in.

Conditions that Lead to Failure

1. Turbine-Driven Emergency Feedwater Pumps Fail to Start or Run

This is the primary contributor to secondary system failure to provide cooling to the steam generators. The failure modes are turbine-driven emergency feedwater pump failure to start or run in conjunction with loss of instrument air. The important failure cause is the loss of instrument air. Contributing causes are random hardware failure or operator failure to start the pump. Observation or review of surveillance, maintenance, and lineup of this pump will maintain availability.

2. Combination of Air-Operated Valves AOV FDW-315, 316 Fail Closed and Solenoid Valves SV-200, 201 Fail to Deenergize

The flow of emergency feedwater to the steam generators is controlled by means of control valves FDW-315 and FDW-316. Each control valve can be manually operated from the control room by energizing another three-way solenoid valve, SV-200 for steam generator A and SV-201 for steam generator B. Failure of these valves will prevent sufficient cooling to the steam generators. Causes of failure are multiple hardware failures, and errors in procedures. Power and instrument air availability, operator awareness, surveillance, and maintenance of these valves should be reviewed and observed to improve reliability.

3. Motor-Operated Valve MOV 3C-391 Fails to Open and Manual Valve 3C-157 Fails to Close

To successfully align the steam-driven pumps to the hot well in case the Upper Storage Tank (UST) level drops below 5 feet, motor-operated valve MOV 3C-391 must be opened from the control room and the normally locked-open manual valve 3C-157 must be closed. Again, failure of these valves will prevent sufficient cooling to the steam generators. The important failure cause is operator failure to switch off the steam-driven EFW pump and align it to the hot well. A contributing cause is random hardware failure. Verification and review of the operating procedure and check-off lists, surveillance, and maintenance should be reviewed or observed to improve reliability.

4. Motor-Driven Pumps 3A and 3B Fail to Start or Run

Failure of motor-driven pumps 3A and 3B contributes significantly to the failure of steam generator cooling. The dominant failure cause is random hardware failure. A contributing cause is the loss of power supply to these pumps. Power availability, surveillance, and maintenance of these pumps should be reviewed or observed to improve reliability.

5. Emergency Feedwater Pump Unavailable Due to Maintenance

This failure is a significant contributor to secondary system failure to provide cooling to the steam generators. Maintenance unavailability in conjunction with hardware failure of other pumps is the most important contributor. Review of the practices associated with scheduled and unscheduled maintenance of these pumps should be performed.

6. Combination of Check Valves FDW-232, 233, 317 or 318 Fail to Open

These are discharge header check valves for EFW. Failure of these valves in the closed position will prevent EFW flow to the designated steam generator. Testing of these valves according to Technical Specifications should reduce the probability of failure.

7. Human Error - Failure to Open Valve AOV 3C-196 or Failure to Close MV FDW-88 After Test

This is a failure to realign a valve or leave it closed at the end of the test, and failure to discover the error. The valves are air-operated recirculation flow path valve AOV 3C-196 and manual recirculation test valve MV FDW-88. Valve AOV 3C-196 should be opened and valve MV FDW-88 should be closed. These errors are addressed by proper post-test surveillance, which should be reviewed or observed.

8. Turbine-Driven EFW Trip Valve MS-93 Fails to Open

Failure to open would lead to a loss of steam-driven feedwater pumps if the main feedwater pumps are started and the MFW pump discharge pressure exceeds 750 psig. The important failure cause is random hardware failure. Surveillance and maintenance of this valve should be reviewed or observed.


TABLE 8B. IE MODULES FOR EMERGENCY FEEDWATER SYSTEM INSPECTION

Module   Title                      Components                 Failure Mode(a)
61701    Surveillance (Complex)     TD EFW Pump                1
                                    AOV FDW-315, 316           2
                                    SV-200, 201
                                    MOV 3C-391,                3
                                    MV 3C-157
                                    MD EFW Pumps A, B          4
                                    AOV 3C-196,                7
                                    MV FDW-88
                                    MS-93                      8
61726    Monthly Surveillance       TD EFW Pump                1
         Observation                AOV FDW-315, 316,          2
                                    SV-200, 201
                                    MOV 3C-391,                3
                                    MV 3C-157
                                    MD EFW Pumps A, B          4
                                    FDW-232, 233, 317, 318     6
                                    AOV 3C-196,                7
                                    MV FDW-88
                                    MS-93                      8
62700    Maintenance                TD EFW Pump                1
                                    MD EFW Pumps A, B          5
62703    Monthly Maintenance        TD EFW Pump                1
         Observation                MD EFW Pumps A, B          5
71707    Operational Safety         TD EFW Pump                1
         Verification               AOV FDW-315, 316,          2
                                    SV-200, 201
                                    MOV 3C-391,                3
                                    MV 3C-157
                                    MD EFW Pumps A, B          4
                                    FDW-232, 233, 317, 318     6
                                    AOV 3C-196,                7
                                    MV FDW-88
                                    MS-93                      8
71710    ESF System Walkdown        TD EFW Pump                1
                                    AOV FDW-315, 316,          2
                                    SV-200, 201
                                    MOV 3C-391,                3
                                    MV 3C-157
                                    MD EFW Pumps A, B          4
                                    FDW-232, 233, 317, 318     6
                                    AOV 3C-196,                7
                                    MV FDW-88
                                    MS-93                      8

(a) See Table 8A for failure mode identification.


TABLE 8C. MODIFIED EMERGENCY FEEDWATER SYSTEM WALKDOWN

Component Number   Component Name                                    Location   Required Position   Actual Position

Electrical
MS-93              Main Steam Trip Valve Breaker                                Closed
SV-200             Solenoid Valve Breaker                                       Closed
SV-201             Solenoid Valve Breaker                                       Closed
MOV 3C-391         EFW Pumps to Hotwell Valve Breaker                           Closed
TD EFW Pump        TD EFW Pump Breaker                                          Racked in
MD EFW Pump 3A     MD EFW Pump 3A Breaker                                       Racked in
MD EFW Pump 3B     MD EFW Pump 3B Breaker                                       Racked in

Air
AOV FDW-315        Steam Generator A Control Valve                              On
AOV FDW-316        Steam Generator B Control Valve                              On
AOV 3C-196         Air-Operated Recirculation Flow Path                         On
MV FDW-88          Air-Operated Recirculation Test Valve                        On

Valves
SV-200             Solenoid Control Valve                                       Closed
SV-201             Solenoid Control Valve                                       Closed
AOV FDW-315        Steam Generator A Control Valve                              Closed
AOV FDW-316        Steam Generator B Control Valve                              Closed
AOV 3C-196         Air-Operated Recirculation Valve                             Open
MOV 3C-391         EFW Pumps to Hotwell Valve                                   Closed
EV FDW-232         EFW Pumps to Steam Generator 3A Suction Valve                Open
EV FDW-233         EFW Pumps to Steam Generator 3B Suction Valve                Open
EV FDW-317         EFW Pumps to Steam Generator 3A Suction Valve                Open
EV FDW-318         EFW Pumps to Steam Generator 3B Suction Valve                Open
MS-93              Main Steam Trip Valve                                        Closed
MV FDW-88          TD EFW Recirculation Test Valve                              Closed
MV 3C-157          EFW Pumps to Hotwell Control Valve                           Open

REFERENCES

Gore, B. F. and J. C. Huenefeld. 1987. Methodology and Application of Surrogate Plant PRA Analysis to the Rancho Seco Power Plant. NUREG/CR-4768, PNL-6032. USNRC Region 5, Walnut Creek, California.

Henley, E. J. 1981. Reliability Engineering and Risk Assessment. Prentice Hall Inc., Englewood, New Jersey.

Higgins, J. C. 1986. Probabilistic Risk Assessment (PRA) Applications. NUREG/CR-4372. USNRC Region 1, King of Prussia, Pennsylvania.

Higgins, J. C., J. H. Taylor, A. N. Fresco, and B. F. Hillman. 1987. Generic Safety Insights for Inspection of Boiling Water Reactors. TANSAO 54, 235. American Nuclear Society, LaGrange Park, Illinois.

Hinton, M. F. and R. E. Wright. 1986. Pilot PRA Applications Program for Inspection at Indian Point 2. EGG-EA-7136. EG&G Idaho, Inc., Idaho Falls, Idaho.

Russell, K. D., et al. 1987. Integrated Reliability and Risk Analysis. NUREG/CR-4844. Idaho National Engineering Laboratory, Idaho Falls, Idaho.

Sugnet, W. R., G. J. Boyd, S. R. Lewis, et al. 1984. Oconee PRA, A Probabilistic Risk Assessment of Oconee Unit 3. NSAC-60. Electric Power Research Institute, Palo Alto, California.

USNRC Inspection and Enforcement Manual. 1984. Chapter 2515: Operations. USNRC Office of Inspection and Enforcement, Washington, D.C.


BIBLIOGRAPHIC DATA SHEET

Report Number: NUREG/CR-5006, PNL-6291
Title and Subtitle: PRA Application Program for Inspection at Oconee Unit 3
Authors: B. F. Gore, T. V. Vo, M. S. Harris
Date Report Completed: June 1987
Date Report Issued: October 1987
Performing Organization: Pacific Northwest Laboratory, PO Box 999, Richland, WA 99352
FIN Number: B2602
Sponsoring Organization: Division of Reactor Projects, Region I, U.S. Nuclear Regulatory Commission, King of Prussia, PA 19406
Type of Report: Technical
Period Covered: 12/86 to 6/87

Abstract (200 words or less):

The extensive Oconee-3 PRA performed by EPRI has been analyzed to identify plant systems and components important to minimizing public risk, and to identify the primary failure modes of these components. This information has been tabulated, and correlated with inspection modules from the NRC Inspection and Enforcement Manual. The report presents a series of tables, organized by system and prioritized by public risk (in person-rem per year), which identify components associated with 98% of the inspectable risk due to plant operation. External events (earthquakes, tornadoes, fires and floods) are not addressed because inspectors cannot directly minimize the risks from these events; however, flooding caused by the breach of internal systems is addressed. The systems addressed, in descending order of risk importance, are: Reactor Building Spray, RB Cooling, Condenser Circulating Water, Safety Relief Valves, Low Pressure Injection, Standby Shutdown Facility-High Pressure Injection, Low-Pressure Service Water, and Emergency Feedwater. This ranking is based on the Fussell-Vesely measure of risk importance, i.e., the fraction of the total risk which involves failures of the system of interest.
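The Fussell-Vesely ranking the abstract describes, as an added worked example that is not part of the report or of the Oconee PRA: it computes the FV importance of two systems from minimal cut sets, both exactly (inclusion-exclusion) and with the rare-event approximation common in PRA work. The basic events, their probabilities, the cut sets and the event-to-system mapping are all constructed for illustration and are not Oconee values.

```python
"""Fussell-Vesely (FV) system importance computed from minimal cut sets.

Added worked example; this is not code from NUREG/CR-5006 or from the
Oconee PRA. All basic events, probabilities, cut sets and the
event-to-system mapping below are constructed for illustration.
"""
from itertools import combinations
from math import prod
from typing import Dict, FrozenSet, List, Tuple

# Constructed basic-event probabilities (not Oconee PRA values).
BASIC_EVENTS: Dict[str, float] = {
    "LPI_PUMP_3A_FAILS": 3.0e-3,
    "LPI_PUMP_3B_FAILS": 3.0e-3,
    "LPI_PUMP_3B_MAINT": 1.0e-2,
    "OP_FAILS_TO_THROTTLE": 5.0e-3,
    "MOV_LP17_FAILS_OPEN": 2.0e-3,
    "MOV_LP18_FAILS_OPEN": 2.0e-3,
    "EFW_TD_PUMP_FAILS": 4.0e-2,
    "EFW_MD_PUMPS_FAIL": 1.0e-3,
}

# Constructed event-to-system mapping, mirroring the report's grouping of
# failure modes by plant system.
SYSTEM_OF: Dict[str, str] = {
    "LPI_PUMP_3A_FAILS": "LPI",
    "LPI_PUMP_3B_FAILS": "LPI",
    "LPI_PUMP_3B_MAINT": "LPI",
    "OP_FAILS_TO_THROTTLE": "LPI",
    "MOV_LP17_FAILS_OPEN": "LPI",
    "MOV_LP18_FAILS_OPEN": "LPI",
    "EFW_TD_PUMP_FAILS": "EFW",
    "EFW_MD_PUMPS_FAIL": "EFW",
}

# Constructed minimal cut sets for one top event: every event in a cut
# set must occur for the top event to occur.
CUT_SETS: List[FrozenSet[str]] = [
    frozenset({"OP_FAILS_TO_THROTTLE"}),
    frozenset({"LPI_PUMP_3A_FAILS", "LPI_PUMP_3B_FAILS"}),
    frozenset({"LPI_PUMP_3A_FAILS", "LPI_PUMP_3B_MAINT"}),
    frozenset({"MOV_LP17_FAILS_OPEN", "MOV_LP18_FAILS_OPEN"}),
    frozenset({"EFW_TD_PUMP_FAILS", "EFW_MD_PUMPS_FAIL"}),
]


def cut_set_probability(cut_set: FrozenSet[str], probs: Dict[str, float]) -> float:
    """Probability that every basic event in the cut set occurs (independent events)."""
    return prod(probs[e] for e in cut_set)


def top_event_probability(cut_sets: List[FrozenSet[str]], probs: Dict[str, float],
                          exact: bool = True) -> float:
    """P(at least one cut set occurs).

    exact=True uses inclusion-exclusion: the intersection of several cut
    sets is the union of their events, so its probability is the product
    over the distinct events. exact=False is the rare-event approximation
    (plain sum of cut-set probabilities).
    """
    if not cut_sets:
        return 0.0
    if not exact:
        return sum(cut_set_probability(cs, probs) for cs in cut_sets)
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        for combo in combinations(cut_sets, k):
            total += sign * cut_set_probability(frozenset().union(*combo), probs)
    return total


def fussell_vesely(system: str, cut_sets: List[FrozenSet[str]], probs: Dict[str, float],
                   system_of: Dict[str, str], exact: bool = True) -> float:
    """Fraction of the top-event probability that involves a failure in `system`.

    FV(system) = P(union of cut sets containing an event of `system`) / P(top event),
    i.e. the report's "fraction of the total risk which involves failures of the system".
    """
    involved = [cs for cs in cut_sets if any(system_of[e] == system for e in cs)]
    total = top_event_probability(cut_sets, probs, exact)
    return top_event_probability(involved, probs, exact) / total if total else 0.0


def rank_systems(cut_sets: List[FrozenSet[str]], probs: Dict[str, float],
                 system_of: Dict[str, str], exact: bool = True) -> List[Tuple[str, float]]:
    """Systems in descending FV importance, the order used for the report's tables."""
    systems = sorted({system_of[e] for cs in cut_sets for e in cs})
    ranked = [(s, fussell_vesely(s, cut_sets, probs, system_of, exact)) for s in systems]
    return sorted(ranked, key=lambda sv: sv[1], reverse=True)


if __name__ == "__main__":
    for system, fv in rank_systems(CUT_SETS, BASIC_EVENTS, SYSTEM_OF):
        print(f"{system:4s} FV = {fv:.4f}")
```

Because the single-event cut set (the operator throttling failure) dominates, LPI carries nearly all of the FV importance here, which is the kind of result that drives a system to the top of the inspection priority list.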

Document Analysis / Key Words: PRA, risk analysis, PRA applications, Oconee, components important to risk
Availability Statement: Unlimited
Security Classification: Unclassified
