ML20236E535
| ML20236E535 | |
| Person / Time | |
|---|---|
| Site: | Rancho Seco |
| Issue date: | 07/31/1987 |
| From: | Gore B, Huenefeld J Battelle Memorial Institute, PACIFIC NORTHWEST NATION |
| To: | NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION V) |
| References | |
| CON-FIN-B-2803 NUREG-CR-4768, NUREG-CR-4768-V02, NUREG-CR-4768-V2, PNL-6032-2, NUDOCS 8707310413 | |
| Download: ML20236E535 (87) | |
Text
{{#Wiki_filter:' NUREG/CR-4768 PN L-6032-2 Vol. 2 .i' 6 Methodology and Application of Surrogate Plant PRA Analysis to the Rancho Seco Power Plant Final Report 1 = Prepared by B. F, Gore, J. C. Huenefeld Pacific Northwest Laboratory Operated by Battelle Memorial Institute Prepared for U.S. Nuclear Regulatory Commission [O73hQ h2 i L- --------------
..., w j a 4 i NOTICE I l This report was prep & red as an account of work sponsored by an agency of the UnitM States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of re-sponsibility for any third party's use, of the results of such use, of any information, apparatus, pioduct or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights. ( NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from nne of the following sources:
- 1. The N RC Public Document Room,1717 H Street, N.W.
Washington, DC 20555
- 2. The Superintendent of Documents, U.S. Government Printing Of fice, Post Of fice Box 37082.
Washington, DC 20013 7082 j
- 3. The National Technical Information Service, Springfield. VA 22161 I
Although the listing that follows represents the majority of documents cited in NRC publi cions, it is not intended to be exhaustive. Referenced documents available for inspection and copying for a fee from the NRC Public Docu-m)nt Room include NRC correspondence and internal NRC memorandc; NRC Of fice of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and apphcant and hcensee documents and correspondence. The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances. Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission. Documents available from public at J special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional! reports can usually be obtained from these libraries. Documents such as theses, dissertations, foreign reports and translations, and non NRC conference proceedings are availabic for purchase from the organization sponsoring the publication cited. Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Information Support Services, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555. Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available . there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the i l American National Standards institute,1430 Broadway, New York, NY 10018. l
N NUREG/CR-4768 PNL-6032-2 Vol. 2 Methodology and Application of Surrogate Plant PRA Analysis to the Rancho Seco Power Plent i Final Report Manuscript Completed: March 1987 Date Published: July 1987 Prepared by B. F. Gore, J. C. Huenefeld c nd, A 352 Prepared for Division of Reactor Safety and Projects Rsgion V U.S. Nuclear Regulatory Commission Washington, DO 20555 NRC FIN 82803 k l
f
SUMMARY
This report presents the development and the first application of generic probabi_listic risk assessment (PRA) information for identifying systems and components important to public risk at nuclear power plants lacking plant-specific PRAs. A methodology is presented for using the results of PRAs for similar (surrogate) plants, along with plant-specific information about the plant of interest and the surrogate plants, to infer important failure modes for systems of the plant of interest. This methodology, and the rationale on which it is based, is presented in the context of its application to the Rancho Seco plant. The Rancho Seco plant has been analyzed using PRA information from two surrogate plants. This analysis has been used to guide development of considerable plant-specific information about Rancho Seco systems and components important to minimizing pubic risk, which is also presented herein. i Methodology This methodology is conceptually straightforward. It requires the identification of important safety system and component failure modes for the j l surrogate plants from their PRAs. This is followed by an analysis of the plausibility and significance of such failures at the plant of interest based on a detailed comparison of plant-specific system characteristics. This information is then used to infer important failure modes for systems at the target plant. These failure modes are then used to identify components, power supplies and operations most important to minimizing public risk from the largest plants. In this analysis, prevention of core melt has been used as a measure of risk minimization. This approach is generic in that it is based upon the many functional and design similarities of power plants made by the same NSSS vendor. (Babcock and Wilcox is the NSSS vendor for Rancho Seco, as well as for ANO-1 and Oconee Unit 3,thetwosurrogateplantsusedinthisstudy.) Plant differences are accommodated by including comparisons of specific system designs and by making inferences of the significance of surrogate plant failure modes to the target plant. This requires that considerable subjective judgment be exercised by analysts, and that analysts be quite knowledgeable in the design and operation of the plants addressed. Project Accomplishments This project was commissioned by NRC Region 5 to generate information to be used during inspection planning in the near term, until a PRA is performed for Rancho Seco. Consequently, development of Rancho Seco-specific information useful to inspectors in the planning and performance of inspections was a significant project objective. Within the three man-months of effort allotted to the project, the following was accomplished. iii
Analysis of three PRAs (one for ANO-1 and two different ones for Oconee Unit 3), including identifiution dominant cut sets (specific failure sequences) associated with more than 85% of the core melt probability for each plant. Analysis of the dominant cut sets, including identification and categorization of system components and failure modes involved in important failure sequences leading to core melt; also calculation the Fussel-Vesely (F-V) Importance for all systems where failures led to core melt. Use of plant specific information to determine which of the failure modes identified from the surrogate plant PRAs were plausible at Rancho Seco for six safety systems; also estimation of approximate values of the F-V Importance of these systems at Rancho Seco. The systems addressed were: High Pressure Injection l Low Pressure Injection Emergency Feedwater Vital AC Power DC Power Service Water These systems were selected because of their importance to the prevention of core melt. They function together to keep the core covered and remove heat from it during accidents. Identification of Rancho Seco components and associated failure modes corresponding to the major failure modes identified from the PRAs for four of the above systems. This information was developed from system descriptions used for operator training, piping and instrumentation diagrams, electrical drawings, and operating procedures. The four systems addressed were those which physically transport heat from core: High Pressure Injection Low Pressure Injection Emergency Feedwater Service Water For each of the systems identified above, Rancho Seco plant-specific information has been developed for each of the major failure modes identified from the PRAs. Components of primary importance, such as pumps and valves, which must operate on a safety features actuation signal, are identified. Support system components essential to their functioning, such as electrical buses and breakers supplying motor and control power, and cooling water valves and fan coolers, are also identified. Other components, whose failure or l misoperation can prevent one or more trains of these redundant systems from functioning (e.g., manual and check valves) are also identified. i f iv
System Failure Modes System failures identified in the surrogate plant PRAs were categorized as follows. These categories were then used to organize the Rancho Seco-specific information which is presented in Section 5, of this report. HPI and LPI Systems Common HPI/LPI BWST suction header valve failure or mispositioning BWST inability to supply flow HPI System (These failures are most important in the single-pump train) pump failure e discharge v'alve failure or mispositioning e LPI System pump failure a discharge valve failure or misnositioning a throttle valve failure or mispositioning recirculation test valves to BWST left open RB sump or RCS suction valve failure interfacing LOCA a EFW System pump failure e discharge valve failure or mispositioning e suction loss from CST a test and crosstie valve mispositioning Service Water System (NSRW and SWS Systems) pump failure header valve failure or mispositioning cooler valve failure or mispositioning Conclusions As a result of this work the following conclusions have been drawn: Surrogate plant PRAs can provide many insights useful for inspection planning. Careful study and intercomparison of the methods and assumptions used in the surrogate plant PRAs, and of the details of system designs at the target and surrogate plants, is essential to the successful application of this methodology. v
i i Compared with performing a plant-specific PRA, this method is quite timely and cost-effective. The strongest point of this approach is the inference of important system failure modes using PRA results and plant similarities and differences. The weakest point of this approach is the uncertainty in the inference of i quantified results. l i The use of two or three PRAs helps to highlight how plant differences relate to PRA outcomes. 1 l l l l 1 1 I i l l l l vi
A, ACKNOWLEDGEMENTS Our heartfelt thanks are extended to Lou Miller and Bill Albert of NRC Region 5, who made it possible for us to perform this first application of generic PRA analysis. We also wish to thank Al Toth, our Region 5 Project Monitor, for his interest and support and for many helpful suggestions during the course of our work. Thanks are also extended to the authors of the documents from which figures have been reproduced (in Volume 2) for permission to copy them. In particular, we thank the Electric Power Research Institute for permission to reproduce copyrighted figures from "Oconee PRA: Probabilistic Risk Assessment of Oconee Unit 3," NSAC-60, Volumes 1-5, 1984. i I ) vii
l c CONTENTS
SUMMARY
iii vii ACKNOWLEDGEMENTS.'.............'.............
1.0 INTRODUCTION
1.1' 2.1 t
2.0 CONCLUSION
S.......................... 3.0 METHOD............................. 3.1 4.0 COMPARIS0N OF SYSTEMS AND THEIR F-V IMPORTANCES 4.1 4.1 HIGH PRESSURE INJECTION SYSTEM COMPARIS0N ......... 4.3 4.1.1 Failures of Suction from the BWST 4.9 4.2 LOW PRESSURE INJECTION SYSTEM COMPARIS0N ......... 4.9 4.2.1 Failure of Suction from the BWST.......... 4.14 1 4.15' 4.2.2 Other LPI System Failures 4.3 EMERGENCY FEEDWATER SYSTEM COMPARIS0N........... 4.15 4.4 VITAL AC POWER SYSTEM COMPARISON 4.20 4.5 DC POWER SYSTEM COMPARISON...........:..... 4.24 j 4.6 SERVICE WATER SYSTEM COMPARIS0N.............. 4.29 l 5.0 INSPECTION IMPLICATIONS FOR RANCHO SECO SYSTEMS 5.1 5.1 5.1 HPI SYSTEM........................ 5.1.1 Failure or Mispositioning of HPI Suction Header Valves....................... 5.2 5.1.2 HPI Pump Failure.................. 5.2 5.1.3 Failure or Mispositioning of HPI Discharge (Injection) Valves................. 5.4 5.1.4 Inability of the BWST to Supply Flow........ 5.5 5.1.5 Failure or Mispositioning of Manual and Check Valves 5.7 1 J ix J
5.2 LPI SYSTEM......................... 5.8 5.2.1 Failure or Mispositioning of LPI Discharge Valves 5.8 5.2.2 Failure or Mispositioning of LPI Throttle Valves.. 5.9 5.2.3 Open Recirculation Valves to the BWST 5.9 5.2.4 LPI Pump Failure.................. 5.10 5.2.5 Failure of LPI Recirculation Suction Valves 5.10 i 5.3 EMERGENCY FEEDWATER SYSTEM 5.11 5.3.1 Pump Failure to Start or Run............ 5.12 5.3.2 Loss of Suction from the CST............ 5.14 5.3.3 Failure or Mispositioning of Discharge Valves 5.15 5.3.4 Mispositioning of Test and Cross-tie Valves 5.16 5.4 SERVICE WATER SYSTEMS................... 5.17 5.4.1 Nuclear Service Raw Water System.......... 5.17 5.4.1.1 Pump Failure to Start or Run....... 5.17 5.4.1.2 Mispositioning of Header Manual Valves.. 5.20 5.4.1.3 Erroneous Isolation of Coolers...... 5.20 5.4.1.4 Failure of Pump Room Cooler Fans..... 5.21 5.4.2 Nuclear Service Cooling Water System........ 5.21 5.4.2.1 Pump Failure to Start or Run....... 5.21 5.4.2.2 Failure or Mispositioning of Flow Valves. 5.22 5.4.2.3 Reactor Building Emergency Cooler Problems. 5.23 6.0 CHANGES AT ANO-1........................ 6.1 I REFERENCES ............................. R.1 X
FIGURES 4.4 4.1 ANO-1 High Pressure Injection System.............. 4.5 4.2 Oconee Configuration of the High Pressure Injection System... 4.6 4.3 Rancho Seco High Pressure Injection Flowpath.......... 4.10 4.4 AN0-1 Low Pressure Injection System.............. 4.11 l 4.5 Oconee Low Pressure Injection and Recirculation System..... 4.12 4.6 Rancho Seco Low Pressure Injection Flowpath 4.16 4.7 ANO-1 tmergency Feedwater System................ 4.17 4.8 Oconee Emergency Feedwater System............... 4.18 4.9 Rancho Seco Auxiliary Feedwater System............. 4.21 4.10 ANO-1 Emergency AC Electrical System.............. 4.22 4.11 Oconee Auxiliary Electrical Power System............ 4.12 Rancho Seco Vital 4160 VAC and 480 VAC Schemes......... 4.23 4.25 4.13 ANO-1 DC Power System..................... i 4.14 Oconee 125-volt DC Instrumentation and Control Power System 4.26 4.27 4.15 Rancho Seco Vital 120 VAC and 125 VDC 4.30 4.16 ANO-1 Service Water System.................. 4.17 Oconee Schematic of the Low Pressure Service Water System 4.31 4.32 4.18 Oconee Low Pressure Service Water Loads 4.19 Oconee Low Pressure Service Water to Air Handling Units 4.33 4.34 4.20 Rancho Seco Nuclear Service Raw Water System.......... 4.35 4.21 Rancho Seco Nuclear Service Cooling Water System 5.3 5.1 Rancho Seco High Pressure Injection Flowpath.......... 5.6 5.2 Rancho Seco Low Pressure Injection Flowpath 5.13 5.3 Rancho Seco Auxiliary Feedwater System............. 5.18 5.4 Rancho Seco Nuclear Service Raw Water System.......... 5.19 5.5 Rancho Seco Nuclear Service Cooling Water System........ xi i
e TABLES 4.1 Fussell-Vesely Importance of Major Events and Plant Systems... 4.2 4.2 Important HPI System Failure Modes from PRA Analyses 4.7 4.3 Important LPI System Failure Modes from PRA Analyses 4.13 4.4 Important EFW System Failure Modes from PRA Analyses 4.19 4.5 Important Vital AC System Failure Modes from PRA Analyses.... 4.24 4.6 Important DC Power System Failure Modes from PRA Analyses.... 4.28 4.7 Important Front Line Systen, Failures Caused by SWS Failures Identified from the PRA Analyses 4.37 xii
1.0 INTRODUCTION
Probabilistic Risk Assessments (PRAs) have been used by NRC inspectors to focus their efforts on systems and components where accident probabilities are most sensitive to performance degradation (Higgins 1986; Higgins 1984; Hinton and Wright 1986a; Hinton and Wright 1986b). However, many plants lack PRA analyses which may be used for this purpose. Rancho Seco is one of these. The work repcoted in this document was commissioned by NRC Region 5 to provide information useful in the planning of inspection activities at Rancho Seco during the near term, until a PRA is performed for the plant. The project actually had two objectives. Development of a methodology for utilizing PRA i information from surrogate plants when addressing plants lacking plant-specific PRAs, was one objective. The other was the actual development of Rancho Seco-specific information. This project was subject to significant schedule and budgetary constraints. Results were needed for the planning of a forthcoming inspection. Funding was provided for three man-months of effort, to include development of the method, its application using specific surrogate plant PRAs, and the developnient of Rancho Seco-specific information. As a consequence, the project did not include a formal methodology development phase. Starting with a general idea of what had to be accomplished, we went straight to work extracting information from the surrogate plant PRAs and detrmining how it could be used to achieve the project objectives. Our results are reported in the context of this development effort. Section 3.0 presents a general description of our approach. Details are elaborated in Sections 4.0 and 5.0, which describe the analyses and their results. These sections also discuss specific decisions which were made and the rationale on which they were based. From this combination of general description and elaboration by example the interested reader may readily acquire the insights which were developed during this project. During the three man-months of effort devoted to this project, three PRAs for Babcock and Wilcox plants used as surrogates for Rancho Seco were analyzed: one for AN0-1 (Kolb 1982) and two dif ferent PRAs for Oconee Unit 3 (Sugnet, et al. 1984; Kolb, et al. 1981). The details of the PRA analyses are not presented in this volume, but rather in the " Task One" report (Gore 1986) prepared at the i completion of the project's first phase. ] l In Task One the results of the three surrogate plant PRAs were reviewed to identify each of the primary accident sequences leading to core melt. Due to the limited scope of this study, the analysis was confined to events leading to core melt; containment failure mechanisms or resulting radioactivity releases I were not addressed. For the same reason, we did not address accident sequences resulting from external factors such as earthquakes, fires, floods or tornados. Our analysis addressed the most probable accident sequences leading to core melt. In PRA terminology these are referred to as dominant cut sets. For each PRA we found that at least 85% of the core melt probability was associated with roughly 50 dominant cut sets. The Task One report lists these dominant cut sets and their probabilities for each of the PRAs addressed. 1 i 4 1.1 1 l
I Our analysis then addressed these lists, which are of comprehensible size and can be studied without use of a computer. In Task One, for each of the dominant cut sets, events in the failure sequences (cut set elements) were correlated with systems in which the failures occurred. An analysis was performed on the tabulated cut sets to determine the relative importance of the various systems involved. For each system, calculations were made of the Fussel-Vesely Importance (Lambert 1975) resulting from each PRA analysis. The F-V Importance is the fraction of the total core melt probability to which an event, component, or system contributes. (Itis obtained by summing the core melt probabilities for all cut sets involving I failures of the system and dividing by the total core melt probability. It l 1s thu:: both conceptually and computationally straightforward.) The F-V l Importance measure is also used further in this present analysis. This report presents the results of further analyses of the information l from the Task One report. The general description of our approach presented l in Section 3.0 on Methods is followed by a detailed comparison of systems and exected failure modes at the ANO-1, Oconee and Rancho Seco plants for six systems important to plant safety: High Pressure Injection, Low Pressure Injection, Emergency Feedwater, Vital AC Power, DC Power and Service Water. Failure modes expected to be import W .c the Rancho Seco plant were inferred from the surrogate plant PRAs by means of a detailed comparison of system similarities and differences between the three plants. An estimated value of the F-V Importance for each of these Rancho Seco systems was also inferred on the basis of this comparison The system comparisons and their results are presented in Section 4.0. l Section 5.0 presents Ranche Seco-specific information for use in inspection i planning. This information is organized around system failure modes inferred to be important from analysis of the surrogate plan PRAs and comparisons with Rancho Seco. Information is presented for four systems: HPI, Lrf, EFW and i Service Water. This information was developed from Rancho Seco i perator training manuals (Sacramento Municipal Utility District), piping and instrumentation diagrams, electrical drawing, and operating procedures. For each of these four systems, Section 5.0 identifies the major failure modes inferred from the PRA analyses and presents specific information on the primary components associated with these failure modes at Rancho Seco. Component numbers, buses and breakers supplying motor and control power, position during normal operations, and procedures controlling operations are identified. Accompanying discussions identify the relative importance inferred for these failure modes and implications for the inspection process. l Section 6.0 identifies some design changes which have been made at AN0-1 since performance of the PRA for that plant. The impact of these changes on our work is briefly discussed. Due to the approach utilized in this work, where system similarities and differences are compared between plants, the Rancho Seco failure modes identified herein remain relevant despite such subsequent changes in the surrogate plants. 1.2 1
2.0 CONCLUSIM This project was undertaken based on the premise that PRAs for Babcock and Wilcox plants contain much information useful in analyzing and understanding potential failures in B&W plants for which PRAs have not yet been performed. 1his premise has been confirmed. Clearly many important insights into the functioning and potential failures of similar B&W safety-related systems are to be found in existing PRAs. More importantly, however, it was also assumed that information directly useful to the NRC inspection process at a target plant lacking a PRA could be extracted from PRAs of surrogate plants. It was further assumed that this information could be identified and compiled quickly and efficiently compared with the effort required for performance of a plant specific PRA. These assumptions have been borne out by our project results. In three man-months of effort we have analyzed three PRAs, identified significant failure modes leading to core melt for safety-related systems, identified and explained differences between results obtained in the different PRAs on the basis of PRA assumptions and plant-specific system design and operational differences, related the results to our target plant, and identified critical components, i their power supplies and operational conditions. The successful performance of this activity required synthesis and inference, as opposed to deterministic reduction. By limiting the number of participants, it was possible to develop a broad overall understanding of the structure and results of the PRAs studied, and to interrelate results impacting various systems. This was particularly important for this first attempt, and it will also be.important to the success of subsequent applications of this j method. This is not necessarily a weakness of the approach, however, since i the approach was specifically developed to allow a limited-scope analysis. It is also necessary that the analysts be knowledgeable about system functions, operation, and the interactions between the various systems and components. This analysis was performed by experienced, NRC-certified Babcock and Wilcox plant operator license examiners. The most powerful feature of this approach is the inference of important system failure modes expected at the target plant from study of the surrogate plant PRAs combined with analyses of plant similarities and differences. The use of more than one PRA is helpful in highlighting how plant differences affect the PRA outcomes. The comparison of two PRAs for the same plant was also useful to indicate how differences in assumptions and approach can likewise influence the PRA results. The calculation of the F-V Importance for the various system failure modes identified in each PRA proved to be a useful tool.for quantifying the significance of the failure modes at the surrogate plants. The weakest feature of this approach is the inability to quantify the results for the target plant. Although numerical estimates of F-V Importance values were inferred for several systems on the basis of comparisons of plant designs and PRA approach, these inferences must be considered to have a high degree of uncertainty. 2.1
This was a limited study, constrained by both schedule and budget. It has succeeded in using PRA-derived information to focus and bound efforts to identify failure modes important to the Rancho Seco plant, and in identifying plant-specific components and procedures related to these failure modes. However, project efforts and results were resource limited. We believe that considerable additional useful information could be developed with modest additional effort. In summary, we have developed a method for identifying and compiling failure mode information for plants which lack PRAs, using PRA results from similar plants. We have applied this method to identify expected failure i modes for important safety-related systems at the Rancho Seco nuclear power { plant. Finally, we have used this information to structure a compilation of { Rancho Seco design and operational information. Although design changes at j the surrogate plants and at Rancho Seco will have changed the details of the 1 reference PRAs and details of the comparative analysis, the information in this report remains a valid compilation of safety significance. l l i 2.2 {
i I l f 3.0 METHOD The information developed in the first phase of this project, along with ' sign and operational information for the ANO-1, Oconee and Rancho Seco plants, further analyzed to infer system components and failure modes likely to o i be involved in failure event sequences leading to core melt at Rancho Seco. This anlysis is presented in Section 4.0 of this report for each of the six systems which were addressed within the resource constraints. This analysis involved several steps. For each system addressed, failure event sequences q (dominant cut sets) listed in the Task One report (Gore 1986) were first reviewed. In the Task One report, this information was presented in Table 1 for the AN0-1 PRA (Kolb 1982), Table 2 for the Oconee PRA performed in 1984 by Duke Power and EPRI (Sugnet 1984), and Table 3 for the carlier Oconee PRA i performed in 1981 as part of the Reactor Safety Study Methods Applications Program (Kolb, et al. 1981). The two PRAs performed for Oconee Unit 3 will be referred to many times q in the subsequent discussion. For the sake of convenience and clarity, j henceforth we shall refer to the Duke /EPRI PRA (Kolb 1982) as the "0conee" j PRA, and the one performed as part of the Reactor Safety Study Methods i Applications Program (Sugnet 1984) as the "Oconee-RSSMAP" PRA. j l In Task One each of the dominant cut sets listed for each of the PRAs was studied. This involved about 50 cut sets per PRA, listed in Tables 1, 2 and 3 of the Task One report. This was done to determine which cut sets involved failures of which systems. That information was then used to determine the F-V Importance value for each system. Calculation of the F-V Importance l for a system required summing the core melt frequency associated with each l cut set to which the system contributed, and dividing by the total core melt l frequency. Thus, the F-V Importance of a system is the fraction of the total l core melt frequency to which failures of that system contribute. 1 l Our analysis for this report delves more deeply into the details of the dominant cut sets tabulated in the Task One report. For each system studied, an analysis of the definitions of the cut set elements (presented in Appendix A of the Task One report) was performed to determine how or why the system failed. In most cases these failures have been classified into a few major types of failure modes (e.g., pump failures, failures of key valves, etc.). For each of these failure modes we have then calculated its F-V Importance for l each of the PRAs. We did this as we did it for the system as a whole - by summing the core melt frequency associated with each failure mode and dividing by the total core melt frequency. For each system, then, we have compiled a table of the major failure modes by which the system contributes to core melt. This table also lists l the PRAs in which each failure mode contributes, and its corresponding F-V Importance. This information is presented in Section 4.0, as part of sections I explicitly discussing each system analyzed. As one might expect, the ANO-1 i systems having high F-V Importance did not always agree with those from the l Oconee systems. In fact, agreement between the results of the two Oconee l i 3.1
PRAs was often poor, indicating significant differences between the analyses and their underlying assumptions. In addition to identifying the major failure modes of each system for each of the PRAs, we examined the design and operation of the systems at the ANO-1, Oconee and Raceno Seco plants. This was done to identify similarities and differences between the systems at the three plants, in order to understand why the PRA results differed among themselves, and what that might imply for Rancho Seco. For each system we examined piping and instrumentation diagrams (P& ids), system descriptions, discussions in the PRA reports, and Ra,cho Seco P& ids, system descriptions (Sacramento Municipal Utility District) and operating procedures. The first result of the system comparisons was the determination of whether specific failure modes identified in the surrogate PRAs are plausible at Rancho Seco. "any of the identified failure modes are plausible at Rancho Seco because j the system designs for the Babcock and Wilcox primary systems are similar. However, there are many significant differences. For example, differences in the details of parallel piping and valving in the outlet from the Borated Water Storage Tank (BWST) and the inlets to the HPI and LPI headers signifi-cantly affect the F-V Importance of some failure modes. For each system, these detailed interplant comparisons and Rancho Seco failure mode plausibility determinations are presented in the corresponding sections within Section 4.0. For all but one of the systems discussed, we made an estimate of the overall F-V Importance of the corresponding system at Rancho Seco. This estimate was based on subjective judgment, and involved several factors. l These included:
- 1) the design of the system, including redundancies and I
potential single failure points: 2) power supplies and their redundancy; and l
- 3) the combinations of failures found in the dominant cut sets of the three PRAs.
For each system the factors on which the estimate w" based are discussed. We consider the estimation of numerical F-V Importance values for systems to be the weakest part of this analysis. PRA results depend quite heavily on the assumptions used in the analysis, and considerable differences exist between F-V Importance values calculated for the two Oconee PRAs. Consequently, similar l differences would be possible between the results of two different PRAs done for Rancho Seco. Nevertheless, we have made the estimates based upon reasonable, rational arguments. The development and discussion of these arguments helps to focus attention, both ours and the reader's, on factors importalt to system failure modes. Consequently, we feel that the exercise of estimation was worth doing, even though we lack confidence in the numerical accuracy of the estimates. Section 5.0 of this report presents system-specific information for the Rancho Seco plant. Subsections address each of the four systems which we were able to analyze within our resource constraints. These subsections are organized around the major failure modes identified from the PRA analyses I which are plausible at Rancho Seco. 3.2 I 1 l 1 l L--- - _ - -- 9
Our discussions of Rancho Seco failure modes go beyond the specific effects of components identified in the PRAs for two reasons. First, since we-were not starting from a plant specific PRA with clearly identified critical components, a broader focus is clearly appropriate. Second, we wanted to document in a usable fashion as much as possiblelof the' system specific information which we collected for this project. This objective was also important to our sponsor. We have, therefore, attempted to present a rather complete discussion of potential failure modes for the Rancho Seco systems which we have analyzed.' These discussions are organized around the failure modes identified as Important from review of the surrogate PRAs. In addition to identifying the primary components associated with the failure modes (e.g., motor-operated valves which must respond to an SFAS signal), we have also included information on related components of lessor F-V Importance (e.g., associated check valves which could bind on their seats, or manually operated valves subject to mispositioning).. Reference is also included to Rancho Seco operating procedures which contain valve lineup check lists for normal and SFAS standby operation. This information was developed from review of Rancho Seco systems descriptions used for operator training, P&lDs, electrical drawings, and operating procedures. Despite our attempt at completeness in identifying potential failure modes for Rancho Seco systems, we believe that many others could be identified with modest additional effort. However, we note once again that this was a limited study, constrained by both schedule and budget. Furthermore, it was undertaken to use PRA-derived information to focus and bound the effort. This has been acco- 01shed. Results are presented in the body of this report. l t e e 3.3
4.0 COMPARISON OF SYSTEMS AND THEIR F-V IMPORTANCES In this section we make a detailed comparison of. safety-related systems - at the ANO-1, Oconee and Rancho Seco. plants. Comparisons'have been made for the HPI, LPI, EFW, Vital AC Power, DC Power and Service Water systems. Other systems were not addressed due to project resource constraints..These systems were selected because of their importance to the prevention of core melt. They function together to keep the core covered and remove heat from it during accidents. i For each of these systems we present system diagrams for each of the-plants and discuss major' system similarities and differences. This information is then used in analyzing the results of the ANO-1, Oconee and Oconee-RSSMAP PRAs, to explain similarities and differences between their results. To the extent possible, we have correlated the results of each~of the PRAs with specific system characteristics of. each plant. This was done by classifying each of the dominant cut set elements into a limited number of failure mode categories (e.g., pump failures, failures of key valves, etc.). These important failure modes are tabulated within each of the system discussions presented in this section. These tables also list the F-V Importance for each system failure mode. (Failure mode'importance is calculated i as system importance was; by summing the core melt frequency associated with each dominant cut set containing it, and dividing by the total core melt frequency.) As an example of such a correlation, consider a single. valve whose failure to actuate would disable one entire train of a redundant safety features system. In the PRA, failure of this valve would show up in several of the dominant cut sets, and it would have a high value of F-V. Importance. This correlation may then be used to trigger study of the corresponding Rancho Seco system to determine whether design similarities make it subject to the same failure mode. The tables listing the PRA-derived failure modes and their importances also identify the plausibility of each failure mode for the Rancho Seco plant. This was determined by analyzing the Rancho Seco system design. Although many of the failure modes identified from the surrogate plant PRAs are plausible at Rancho Seco, notable' exceptions exist.due to plant design differences. Detailed discussions of systems characteristics and of failure mode plausibility. and significance at Rancho Seco are presented for each of the systems addressed in the following subsections. These estimates were based on subjective judgment, and involved several factors: design of the system, including redundancies und potential single failure points; power supplies and their redundancy; and the combinations of-failures found in the dominant cut sets of.the three PRAs. The following subsections discuss the factors on which each estimate was based. Table 4.1 presents values of F-V Importance estimated for the Rancho' Seco systems analyzed in this study, along with calculated values of F-V Importance of ANO-1 and Oconee systems from the Task One report. As was discussed in Section 3.0, these numerical. estimates of F-V Importance for 4.1 L
Rancho Seco systems were' based on subjective judgment and are. highly uncertain. The analyses which developed these estimates helped-to focus attention on factors important to system failure modes, and thus contributed to other aspects of the study. Fussell-Vesely Importance(a) TABLE 4.1. of Major. Events and Plant Systems i F-V Importance Calculated i from PRA Results Inferred F-V~ j for Selected - j RanchoSeco(b) Oconee 1 Event or System-ANO-1 Oconee RSSMAP Systems Operator Error 0.14 0.42 0.44 LOCA 0.19 0.24 0.33 Loss of Offsite Power 0.22 0.03 0.13 Core Cooling: HPI 0.07 0.07 0.04' O.05(c) j LPI BWST/HPI Suction 0.17 0.004 0.03 0.1(c) Failure LPI fails to supply 0.12 0.24 0.06 flow Electrical: DC Power 0.46 0.2 Vital AC 0.14 0.02 0.03 0.12 Emergency Feedwater 0.31 0.10 0.04 0.2 Main feedwater 0.62 0.19 0.61 Service Water 0.03 0.28 0.19 .(b) Safety Relief Valves 0.17 0.02 0.24 Reh: tor Trip (RPS) 0.07 -0.09 0.05 Instrument Air 0.05 Reactor Vessel Rupture 0.02 (a) The F-V Importance is-the fraction of the total core melt probability resulting from sequences (cut sets) involving the event or system. (b) Due to the limited nature of this study, F-V Importance inferences were only made for five systems. Although the Service Water system was also addressed, we decided not to infer ~a value due to the uncertainties involved (see discussion). (c) HPI suction from the BWST is controlled by valves assigned to the LPI system. Consequently the true F-V Importance of HPI failure is the sum of the values for the HPI systems and for the associated valves in the LPI system. For Rancho Seco this value is 0.15. 4.2
4.1 HIGH PRESSURE INJECTION SYSTEM COMPARIS0N j System flow diagrams for ANO-1, Oconec and Rancho Seco are shown in Figures 4.1, 4.2 and 4.3, respectively. From these figures it may be seen that the All three systems are quite similar, although important differences exist. plants use three essentially identical HPI pumps, two manifolded together in one injection train and one in a second, separate train. Flow from each train j splits and enters each of two RCS cold legs. Discharge valving differs slightly. Both ANO-1 and Rancho Seco have four discharge valves, one serving each cold leg line. This provides somewhat greater redundancy than for Oconee, which has two discharge valves, one in each train located upstream of the At Oconee, however, the discharge valve in the single-pump train flow split. is normally open (not so for AN0 and RS), reducing the probability of flow blockage due to discharge valve failure to open. Differences in suction valving to the HPI pumps are more significant, and discussion is complicated by the LPI system interface. At all three plants each of the two HPI trains receives water from the BWST through an MOV which opens o;; an ESF signal. At ANO-1 and Rancho Seco, each of these MOVs supplies a common header serving both HPI and LPI. In the ANO-1 PRA, these valves were assigned to the LPI system. To maintain parallelism of treatment, we likewise consider the Rancho Seco MOVs located at the BWST outlet to belong to the LPI system. As a consequence, for AN0-1 and Rancho Seco there are no HPI suction valves which may fail to open to supply water for HPI injection. At Oconee two MOVs are located in the HPI train suctions, and two other MOVs are located in the LPI train suctions. Consequently, at Oconee the HPI system contains two MOVs which may fail to open and supply HPI suction. Another difference between the plants is noted here, although it actually belongs to the LPI system. Both ANO-1 and Oconee have a single BWST outlet line with a normally open manual valve located upstream of the M0Vs which feed the HPI suction headers. Closure of this valve is one of the failures found in the dominant cut sets for these plants. At Rancho Seco, there are two BWST outlet headers, each with a locked open manual valve upstream of the suction header MOV. Important HPI system failure modes identified in the FRAs for these plants are listed in Table 4.2. F-V Importance values calculated for these failure modes are also listed. Examination of this information yields two important conclusions. First, overall HPI system F-V Importance is low, not exceeding 0.07. This results from high overall system reliability, and from the assignment of the ANO-1 inlet header tiOVs to the LPI system. The second' conclusion is that e significant difference exists between the F-V Importance of mechanical failures at ANO-1 and Oconee. Thus, all of the AN0-1 system F-V Importance results from failures in the single-pump train downstream of the inlet header MOVs (which are assigned to the LPI system). In' contrast, this failure is not even identified in the Oconee PRA dominant cut sets considered here, and in the Oconee-RSSMAP PRA it has a much smaller F-V Importance. The explanation of this difference lies in the reliability of electric power supply at the two plants. 4.3 i
8 0 4 l 2 CY v V B 7 3 sr R E eE I 0 M E G tC V 8 U PL R ta T V P L0 A 0A B H 0H S f O Y M 0 A ^4 cC V I A OC C 3 5 "T S S P 1 R 3t LD B O R F4ED I 2 L P 0 L 4 OS A n8 B 3 rT o5 t ON R 3 V V rE CY TAR 1U lu g B di 2 6 g 5 g 5 S M J j " P N M n V P p. I 8 u O Y A m MR A 5 e P P 8 8 L S l ut t D u s 0N B H N 7AR y S A 0 n 6 o 3 i P t S t c C 1 2 A B e 4 4 t V I gt 5 C l t S 3 S 2 j U 3 l 2 C U u n U H N M U N lu M gs I H H f A E ~ 0 0 e 2 2 r U U M H uss g y e 3 r k2 n P t2 6 j u 0 l 2 F L i h U n 2 1 J M 2 2 4 4 1 t 7 g D 3 2 3 5 D 2 1 2 0 v i 2 U 3 t 2 t C i H U 1 H 0 N U u u 3 3 N M 1 t l ( 5 l k 3 d f ( 2 O U I N 7 N 1 j 1 Oth1 0 A rg a 2 4 v 3 2 5 3 C 2 3 S t 5 t 7 2 C v 1 3 0 E C l H t 2 4 2 u 2 L U V 0 H C k7 to 5 E 0 C 2 R 3 2 t U S u C vt M R R C U O T 7 G 2 I 3 2 3 4 5 8 1 t F 3 2 v 4 4 2 U 3 1U U C 1 M U M M N j J ( d I ~ s 8 2 6 A 4 2 0 5 A 3 15 1 2 2 v U 3 l t2 1 4 4 C V U U C N U M P f M 1 M j b d I T I NT d IO 4 T 4 4 4 4 LC $ AE J E N 'SI l
ZR From LPI cooler ] G. discharge LVL (LPR system) +- Inside RB l 3HP-120 l h 3HP-3 H P- '0 9 RCP-C 3^' M g lh Ep outlet 3HP-3HP-26 3H P-3HP-3HP-g RCP-3A2 M 3HPl 1g4 ES-1 open 118 106 105 3HP-3HP-HP-P3A 103 101 outlet 3HP Orifice G 126 ES-1 on ld'Q 3HP-410 1 11 h L 3HP-24 l ES-11 Q l opend L HP-P3B ES-1 or h OES-2 on I @nON l 3HP-3HP-I 110 109 3H P-From To RCP l 167 LDST 3HP. seals P-409 e gg j 3HP-l h 25 I "S l N ope _ Orifice l p E 3HP. O M_- 153 3HP. 3HP-27 3HP-3HP-3HP-Q -*-t<G-188l ES-2 open 148 114 113 3HP-3HP-HP-P3C 3HP. Orifice l ES-2 on 102 152 1 l From LPI M cooler discharge (LPR sys' tem) 3LP-3LP-From BWST inside RB 57-56 (LPI system) FIGURE 4.2. Oconee Configuration of the High Pressure Injection System 4.5 d
W6 vO A LR CO r C A U A
- D H2 OE T
E V 5 E S L M 2 L DOS R UP tC E - A M uN RE A 'I ME OMP SEP V0 OE R U GM O6 T R P T T M2 RRU A R E - OES E TM s g E G RE 'B M N CE 6 g a .S T A Y A R - 0 A E 8 AM hT2 E 4 R . w6 CC E G H a 0 H2 EE N N0 DE YA F 5 AH MT CC E X OA DE RE FM MT OA NE FH 3 h VrOsh J e r F 52 L K j N u A N E A T T ET 2 S AD T 4 O R f 5 AO X^0 h T C Rt N A 3 c M4 gCI t T A M 2 N E C 8 a 5 MCsEc 5 NR v p GOO ONR 2 yCS ROO w SO FCB 3 o e.5 S E ,,2 0 3 /O . N ,/Mt ^ l ~ r- ' M F t S 4 v 3 F IM6 7 s S C L R S S0 n I N I o CR V1. i E U A O C C RT L L I L t E 3 L 4 NI R S E O c I X a-s . L 4 O I XO X P 0 e ML A OE i C . u s N a C 6 j R S T a n TS s 1 R E C E EU C I P E R RT P R EP M E U M R M U 5 t fU e S se N tJ N $Pe r P u t P5 I S e T EN 8 ML 3 M A OE P2 E m3 u RO 0 R 0 Pl " T $ U - 6 2 s T 7 P T - EP - C CP s ~ v - MS tu0 a + g T R gT H E e 4 N s0 m 8 J G C J HI $ O s N r y M I P Td 5 0 4 S 2 2 5 h S ei 6 O 8 O 3 oi 4 g O 3 e/M M 0 2 2 /M i E F t F 6 H O O s 5 o s c 5 3 s X0 XO i ' O i o O 4 e s e X0 S 1 u n 8 M i S s s W h S L 2 C c C 4 L L n g O. Ra L A S C F 2 H S 3 T M 0 E E0 E 4 S D p 8 E 0 W O p F F 8 3 F E 4 8 3 a F 2 F 3 2 3 2 2 A E S s F O 3 a 3 e O O 2 R e 2, . 3 s a e i U C s 43 "N3 n s,. 5 S 3 H 2 u 2 G p r - v {I-2 2 M 2 i ) v-F 2 y v I V v v-4L s S F 3 r O S s 0 E 4 I3 40
- 2 I-v
' M I F s 7 S 5 5gg 0 4 6 , 0 4g 3 0 g M 2 S 2g M 5 1 6 4 R v is 0 E Ogg H 3 0 V Fl3 O s s L e u ' u I e.S 4 s e F s O N 7 L 0 T N 0 ./M 2 A Y3 3 6 T M O AI 8 N 0 ET 5 s 2 A L QS SC ed E L M L
- J v
O O N H O
- s Tt C OS C DA R O" L
O "P L O O C P R T O C C .O 'E AM. O T L A C O s O AML 'C EE R T S P $ E P t EE 2 RT S C OY E C P S S P R T 3L R C OY E C v R TS L R 1 OO 5 E OR TP
TABLE 4.2. Important HPI System Failure Modes from PRA Analyses PRAs Where significant Plausibility Failure Modes Plant Importance At Rancho Seco 1. Pump failure or fail-AN0 0.07 Yes ing closed of any valve OC-RSM 0.03 i in the single-pump i train (after inlet i headerMOV) 2. Failure to open of OC -0.01 No(a) the inlet header MOV OCORSM 0.01 in the single-pump train 3. Failure to open of OC-RSM 0.02 No(*) the inlet header MOV in the two-pump train 4. Common mode failure to OC 0.01 No(a) open of inlet header MOVs to both the two-pump and single-pump trains (human error) 5. Failure to open of a OC-RSM 0.02 No(b) single, common ESF dis-charge valve in the two-pump train 6. ESF channel 1 fails DC-RSM 0.01 Yes 7. System damage due to OC 0.05 Yes over pressure during ATWS (a) The inlet header MOVs at ANO-1 and Rancho Seco serve both LPI and HPI. Only at Oconee are there separate MOVs for LPI and HPI inlet headers. In the ANO-1 PRA the two inlet header valves were assigned to the LPI system. That assignment has been maintained in this analysis, for both ANO-1 and Rancho Seco, to maintain parallelism of treatment. Thus, at-ANO-1 and Rancho Seco, there are no inlet header MOVs in the HPI system. (b) Flow from the two-pump train discharge splits and passes through separate MOVs on its way to the two RCS cold legs at Rancho Seco. i 4.7
Examination of the ANO-1 cut sets involving HPI failure shows that the majority of them involve failures of Vital AC power buses or 125 VDC buses. In contrast, none of the corresponding Oconee of Oconee-RSSMAP cut sets involve power failures. At either plant, one entire train of HPI can be failed by l either loss of 4160 VAC motive power or 125 VDC control power. If this should happen, a total failure of HPI injection leading to core melt can result from failures attributed to only one train of HPI. At ANO-1, the probability of l such failures is significant, whereas this is not the case at Oconee. Thus the F-V Importance of the HPI system is seen to be dependent on the reliability of electrical power systems as well as on HPI system details. To infer an F-V Importance for the Rancho Seco HPI system thus requires consideration of both HPI system differences and electrical power system differences. On the basis of system suction and discharge valving differences, Oconee may overstate Rancho Seco system F-V Importance, but not ANO-1. Consequently, the ANO-1 F-V Importance value should provide an upper bound, to be adjusted based on considerations of electric power system reliability. The Oconee electrical power systems contain considerably more redundancy than those at ANO-1 and at Rancho Seco. ANO-1 has two separate 4160 VAC vital power buses. During normal operation they are powered by the unit auxilliary transformer and the unit startup transformer. During emergencies, each is powered by a separate EDG. These buses are not cross-tied during normal operation, although this could be done in an emergency. Rancho Seco's two 4160 VAC vital buses are each powered by a separate startup transformer from the grid during normal operation, and by a separate EDG during emergencies. Additional redundancy is being added: two additional EDGs, to power non-vital 4160 VAC buses which could be cross tied to the vital buses in an emergency. At Oconee, the two separate 4160 VAC vital buses have a greater variety of supply. Each may be powered by a startup transformer from the grid. Each may be powered by an auxilliary transformer supplied by any of the three Oconee units. Emergency power is supplied by two hydroelectric generators, either of which may supply either of the buses by either an underground-dedicated l line or an overhead line. Yet another source of emergency power is provided by a line from the two combustion turbines at the nearby Lee steam station. Acccrding to the Oconte PRA, the probability of loss of a vital bus powering i an HPI pump at Oc) nee is only 15 percent of the probability at AN0-1. The Oconee 125 VDC system is also more redundant than those at AN0-1 and i Rancho Seco. ANO-1 has two 125 VDC buses, each powered by a battery, and a battery charger from one of the EDG AC trains. A third battery charger serves J as a standby for either bus. Rarcho seco has four 125 VDC buses, each powered by a separate battery and a battery charger. Two standby battery chargers are also provided. For each bus the normal and standby battery chargers are connected to opposite trains from the EDGs. Thus the Rancho Seco 125 VDC system is slightly more redundant than the AN0-1 system. ] l The Oconee 125 VDC system is similar to the ANO-1 system in that it has j two independent buses, each powered by a battery and a battery charger from l one of the EDG AC trains, plus a standby battery charger. Each of these two j buses powers two sub-buses through an isolating diode assembly. The increased ] 4.8
reliability of this system results from the fact that each of the sub-buses is simultaneously powered by a.125 VDC bus in Unit 1 through the isolating diode assembly. Each sub-bus would remain powered, without even a momentary switching delay, should either (or both) of the Unit 3125 VDC buses fail. Such a failure would not result in a reactor-trip, and consequently loss of a 125 VDC bus is not listed as an initiating event in the Oconee PRA analysis. From the above discussion it is clear that the loss of one train of HPI due to loss of Vital AC power or 125 VDC power is much less likely at Oconee than at AN0-1 or Rancho Seco. With respect to core melt probability, this effect is believed to far outweigh the effects of the minor HPI systems. differences discussed above. Consequently, we infer that the F-V Importance for the Rancho Seco HPI system should be similar to that for the ANO-1 system. Because Rancho Seco has four station batteries, and soon will have four EDGs, HPI system importance should be somewhat smaller than for ANO-1. We infer an F-V Importance for the Rancho Seco HPI system of 0.05. 4.1.1 Failures of Suction from the BWST As we discussed above, the HPI system suction from the BWST at Rancho Seco is controlled by valves assigned to the LPI system. Failure of one of these valves prevents operation of the corresponding HPI train when responding to a small break LOCA, SGTR, or loss of all feedwater. Consequently, to get a true measure of the F-V Importance of the HPI system it is necessary to add the HPI System F-V Importance value estimated above to the F-V Importance value estimated in the LPI section for failures of suction from the BWST, 0.1. The result is a composite value representing the F-V Importance of the entire HPI flow path. This value is 0.15. 4.2 LOW PRESSURE INJECTION SYSTEM COMPARIS0N System flow diagrams for AN0-1, Oconee and Rancho Seco are shown in Figures 4.4, 4.5 and 4.6, respectively. Although Oconee has three LPI pumps compared to two for ANO-1 and Rancho Seco, during operation one is normally valved out and does not automatically actuate. The three systems are similar in that they all have two independent trains, each containing a high flow, low head pump.which takes suction from the BWST through a motor operated valve, and delivers flow through a cooler and a motor operated discharge valve to one of the core flood nozzles of the reactor vessel. The Rancho Seco system differs from the ANO-1 and Oconee systems in its connection to the BWST. At the latter two plants, the BWST has a single outlet line containing a locked open, manually operated isolation valve. Rancho Seco has two BWST outlet lines, each with its own locked open manual valve. This increased redundancy reduces the probability of system failures due to loss of BWST suction, a failure mode contributing to system F-V Importance at AN0-1 and Oconee. Important LPI system failure modes identified in the PRAs for.these plants are listed in Table 4.3. F-V Importance values calculated for these failure modes are also listed. ) 4.9
== k o O n I g W O i uJ t L W S C B C a RE ~ - i i 4 s3 o N A OI W f g" T I R O B FH 3 uJL 0 5 hl 0 ~ y C 4 S Y P S Op A M G A r T u 8y 8 o P R U Hr3 I 9 A S D aL k 8 ts b Ot J J n i SL g f SJ j8 TS o v 8 R k C o F O NO T tH R f D 4 ^ 0 18 4 8 1 V I TW 8 l S { H C H g ~ l r 4_B D lD 5, g E O 'A I L I j A g l J q H P V D B A 4 B 4 3 3 P P w MD A 8 M J WD 2 H 0 H 9 F S S S g S( M A r A T P i P Y Y H H B lA B N8 3 3 H H D D 8 5 3 E 8 3 2 2 4 S 4 l S A 1 V V C L L P C J Y S O P q T H j l T E YO S t0 A V A T 8 7 8 B t 8 i H D D d 0 t yrC 0 0 A oT A 4 l 4 4 4 aF 2 3 T l v v H H C C D D s l h M1 8 H S D OL. d ( TE CS ) ' AS Ef S v 7 8 t 8 t4 H 3 D l H H \\- D D ~ ( ) M _ OT 8 >FCT R F2 3y l
"2 y ) ',eW ,ts aA M_ H ,w( mo oA r o M1n F ea, I m 0 P ~ e B R t d s p. e 8 k y S( g2 io S c T L W ( d 1 n s p n P 5 a le m o L 5 l W B '8 F ] l1N n Wofuu 3 Ik H p 3 - p i 1A s 8 S Bit tng t 2 a ' W 6 5 m Ik oluen a -P 6 6 A P T p ic o u T cph P ou ' 1I L r s o l ~H 3 L L 3 3 P 4 e c i c T H 1 r r ) r g\\ i 9 3 s 2_ c r ) 2,od e 3 p N 2 e A .d s R 2 7> g y 3 s e T [- - cb n 1 s a 2 (E= 2 - S 2 op d S 1 E r Pl y ) r n o me L( 20 a p P 9 , - h 3 -P 2g 4o P" 1 S4 L 2 4X L 1 ( P P n 1 P L2 rL L L E S 3 o 3 3 3 ( 3 E i T t 1 ( c h 7_ 6 4 e BN 5 P p S j - h S B L 3 n A B 3 3 I 3 3 p p m 5 8 u e m Pa p r Q r s u P L h p y u 3 a ya 3 p s r s p S 3I d) e d 8 C a s B A S" lo e 0 B r 3 1 - h ( (h I SX 8 38 3 R E s P R S P3e B B 5 P14 i 3 3 w 3 L3 t3 3 o P 3 4 L h L 3 P2X h h 9 SM 7 e P4 L3 S B e L3 3 B 3 3 n 3 T o h h c / 2 O ] 9 1 0 3 P 1 L 8 9 A A 3 3 3 1 2 R 5 3 p 3 p 4 m 5 W S 4 m ) W u ) W P 3 u n p ne S L e S 1 xP-P 1Xh h W p P 3 E p P W o L o t L R t S 3 1 P 4 3 S 3 3 3 U P S L S G L E( 3, E( i 3 1 I r. / 2 9 F n 9 ] r@ W2 P-1 2 W - bP L t { 3 h 3 4 WP 3 3 3 1 4-S2 ^ L P P7 P Uh A 5 p 3 L L L m N L uC p }h [l E" 3 ~8 4 ) 8 P Vk 1 H SW ,P T J p 1 3 E( ,L 6 P P0 S L L4 3 1 3 3 E( l !l l ! l l l g l ! ll 3 y 1 7 B 3 4 Pe d 4P8 6 3 o t4 p P L lo do 13 L 3 ~ fe3A lo r 3 e 2 f 8 i r AC1 ny 1 1 1 o e 2 3 F 4 u a 1 F r C r 1 r s p o F ,3 r C F C L s C C F s h3 C 3 e 3 3 C P 3 A*gW
o c T = E u m c 4 s o A"" ws maw u ld.oy - o. u s o o e1c o o ,o mc , n. a c s s = .,.o ~,. vo ,M e o.o a, Y{ tY= I Ce ] n Q"_-l,,o - r-t u Re t - n, 0" g u I , o. s o, u .o Do u o Wg l, bJY-s, e3 r a T1 lt @TlM v mW ,. s u v a o r u z e n .s ) $(G ,c s s n s _o o a .r s J, ,~- n e ssa mI o , a r ,= w ll . t ,e e E. ,, = c ~ ~ a p s ew
- f. a/"
o n v 9 r y m cs e i
- u
,= e oc2 sn
- c.-
r e ".,.o N ** oM u -{ 7m [
- o
= r
- o a
m s
- t
.y 'a-AQ. sn .s C O
- e g
1 ~ ,* o. cg 2 , o _'z 1y c, oc o O-J>" et ot f rl I a. , e { Ac. ,. ~.' t s _7 c _- u p' c o
- s a
- g.
H_"g, Me. o 4, ca
- o. -
r gr g e o. s z r s n t c e n. o .p u st tt ots /~ v< r se E f gzt t t nz o s 3 .n 4
- a..
f ,=at .e-i c/ s-e oo y-mJly, C L .u x s.
- o. - - r t
e. ,,4 o q, s P c U o .m .o t t =8 E E .c. s a r s a a m M .t
- u. yT =e a._ *h s
a-R .c w, v _.s l o O e o o. o= e o T R 2 5 o. =. -, r F C u n A s a s s lp 22 a ,. ~ ly +t E n m @ 4 ]a s. R sn o- >3 =
- o,% 9 9
2 o s. m Is. a s = o s - o o. o o v @Ugt pA% '~sa s ~ o s s. a ts
- c m
s e . a o 6 e .u l* 2 =- s t t T +'. 'M. ", er v t mr H e @ n. @U.e sm oo u F w ca o o. .o 4 . @ 5, . f n n
- v. 6 eo e, D s
5 t 2 r t o n.,vd>s c o.o T
- 7 2_Tl sm
.c. o k ,o a. E t
- s. = q,
=- o== ~'4 l r u = N .s =.J 'f f, = w ._.j m,J 6 s -2 gT c n = f, s s c oo o ^ mo Co ~ : D o Pm. + t ot e* TF 3 w w o ' p_s, Me -
- pg7, s
.c 8' e . f-T C s o o. l,,
- s. n_
s. s "/ R T ~ E. bv u ,s A o '. m. D E T A R t C s B .._~
i TABLE 4.3. Important LPI System Failure Modes from PRA Analyses i PRAs-Where Significant Plausibility Front Line System Failure Plant Importance At Rancho Seco Suction from BWST Fails 1. Single manually oper-ANO 0.05 No(a) ated BWST outlet 0C 0.004 isolation valve closea 0C-RSM 0.02 2. Failure to open of ANO 0.12 Yes MOV between BWST and 0C-RSM 0.01 one of the LPI suction headers 1 3. BWST fails to supply OC 0.003. Yes flow due to: low level, cold weather heating failure, vacuum breaker failure Other LPI Failures 4. Pump discharge valve OC-RSM 0.08 Yes fails to open or pump fails to run, failing either LP injection, or recirculation to HPI 5. Pump fails due to OC 0.06 Yes cavitation on high flow (operator error or throttle valve failure) 1 6. Open recirculation valves OC. 0.01-Yes i to BWST (Human Error) OC-RSM 0.14 7. Recirculation operation OC _0.01 Yes i fails due to failure of OC-RSM 0.02 suction valve from RB sump or RCS 8. ESF initiation channel OC-RSM 0.01 Yes fails 9. System damage due to over-OC 0.04 Yes pressure during ATWS
- 10. Interfacing LOCA OC-RSM(b)
Yes (a) Rancho Seco has two BWST outlets, each with its own manual valve. (b) Procedural changes after 0C-RSM analysis greatly reduced probability-i prior to _ subsequent Oconee PRA analysis. Not included in system importance calculations. 4.13 l J
l The following discussion is divided into two sections. The first of these addresses LPI system failures resulting in loss of suction from the l BWST, and the second addresses other system failures. The reason for this l distinction is that at Rancho Seco, and at ANO-1, HPI suction from the BWST requires that valves assigned to the LPI system open to allow flow into a common HPI/LPI suction header. Consequently, failure of one of these valves to open fails the corresponding trains of both HPI and LPI. 4.2.1 Failures Of Suction From The BWST The first of these is inadvertent closure of the single manual BWST outlet valve discussed above. Since Rancho Seco has two parallel trains from the BWST, independent failures of two such valves are much less probable, and the F-V Importance of this failure mode at Rancho Seco is expected to be zero. The second listed failure mode is due to failure to open of the motor operated valve providing suction for one of the LPI trains from the BWST. The Oconee PRA states that these valves are normally open; hence no F-V Importance value results. HowcVer, the Oconee-RSSMAP PRA treats them as normally closed. The F-V Importance calculated for this failure mode for the AN0-1 PRA is twelve times that for the Oconee-RSSMAP PRA, despite the fact that the valve failure probabilities used differ by only a factor of three. It is tempting to conclude that the difference between F-V Importance values calculated for LPI inlet header valve failures for ANO-1 and Oconee-RSSMAP is due to the fact that at ANO-1 this also fails suction to the corresponding train of HPI, but not at Oconee where separate valves are used. This is only part of the reason, however. (The sum of the F-V Importances of the corresponding HPI inlet header valve failures in the Oconee-RSSMAP PRA is only 0.03 compared with 0.12 for AN0-1.) A significant additional factor affecting the F-V Importance of the LPI system relates to the reliability of 4160 VAC and 125 VDC electric power at these plants. This is discussed extensively in the section on the HPI system and is only sumarized here. Loss of one train of either of these power sources disables one train of HPI. The lesser reliability of these power sources at ANO-1 enhances the F-V Importance of LPI system failures which would disable the second train by failing its suction to the BWST. As is discussed extensively in the sections addressing AC and DC power supply, the Rancho Seco electrical systems are much more similar to those at ANO-1 than at Oconee. As a consequence, the F-V Importance of this failure mode for Rancho Seco is expected to be similar to, though perhaps somewhat smaller than that for ANO-1. On the basis of the above discussions, for Rancho Seco we estimate an F-V Importance of 0.1 for LPI suction valve failures which disable both corresponding trains of HPI and LPI. 4.14
4.2.2 Other LPI System Failures Given that LPI suction is achieved, the LPI system may fail to provide flow when needed due to hardware failure or operator errors. These failure modes were not included in the dominant cut sets at ANO-1, although they were included in the analysis. They are found in dominant cut sets in the Oconee and Oconee-RSSMAP PRAs, however, although resulting F-V Importance values from these PRAs differ considerably. Consequently, estimation of an appropriate F-V Importance value for such failures at Rancho Seco is highly approximate. The Oconee-RSSMAP PRA finds a significant F-V Importance for system hardware failures preventing flow. The Oconee PRA does not yield such a result, but finds a correspondingly high F-V Importance for operator error-induced damage to the LPI pumps. Both the Oconee and Oconee-RSSMAP PRA dominant cut sets include system failure to provide flow due to the human error of leaving the recirculation valves to the BWST open (e.g., after surveillance testing of the pumps). The F-V Importance value calculated for the Oconee-RSSMAP PRA is more than ten times that for the Oconee PRA, however, due to estimates of possible common mode errors affecting this operation. The differences in the results of these two analyses for the same plant provide and indication of the uncertainty of these estimates, and of estimated F-V Importances for Rancho Seco. We assume that the more recent, more extensive Oconee PRA results are better than the Oconee-RSSMAP results. In addition, we asssume that the F-V Importance results for Rancho Seco for these failures is intermediate between the zero value from the ANO-1 PRA and the Oconee result. Based on these arguments we estimate a F-V Importance value for Rancho Seco LPI system failures other than those associated with suction valve failures of 0.06. i l i 4.3 EMERGENCY FEEDWATER SYSTEM COMPARISON System flow diagrams for ANO-1, Oconee and Rancho Seco are shown in Figures 4.7, 4.8 and 4.9, respectively. Significant differences exist between these systems, which are best characterized as differences in redundancy of components and flow paths. These differences provide a logical basis for interpreting the different values of F-V Importance calculated from the PRAs for ANO-1 and Oconeee, and for inferring an intermediate. value for Rancho Seco. The Oconee system has the greatest redundancy, with three independent EFW pump trains feeding the two SGs. Each of the motor driven EFPs takes suction on upper storage tank (UST) A through a common line with normally open valves. Each feeds a different SG through separate discharge control valves. The turbine-driven EFP takes suction from a different source, UST B. It discharges to a header which splits, with each side feeding one of the SG lines just upstream of its flow control valve., 4.15
E YAC T m mT C H l S OCS a A N pf S> R h R C E D f2 C N I 0l iI $r C U OS 1iN ra I ~ a t e s 8 g is SML (nN H 8 O. 2 5 't e C, C 2 eL v f m e C 1, I WS 3 S MS W S C R MS S C dSl e t w r aa 2 s 0 8 EK ,.V2 3 0 C t 0 6 aLI 5 2 t l v e %N C r v ? s I '8 uI C = eI 3 ) V. r O C \\ ] e { k 3 1 4 hS {A 8 19 O @F 0 2 2 s V Y w S' v C C A F 28 B N 2 t C. i t 4 u L V w L f 3 l L F r I 4 M Y V C C N E O C vI RC 3 4 oT A N T t 0 p'0 4 tA U V r L t 4 L A s nUr $f t C vO E I S 0 ol tr t 4 i 7 O U 2 4 uCs D V g F T L iW L 1 1 n1 C T t A 5 L f F 0 2 N 0 aC o 4 7 v Y mE er UT 2 c* 4 c C 4 eSt uCE T 2 2 T a HtC AC v 2 Hi T B Q v AE nt 0 V t C Vv eE0 VV C t_ r [ l t L eR1 3 hA e J 3 A A 6 OV OV 3 2 T - T 3 r 3 2 1 8 6 3 yt HC y QC Y u V t 0 F T N d H A A A E _t 8 j, t gY E E T 2 2 S E 2 V C 6 8 t 2 2 V Y ~t C Y C i s 4 4 A t 8 i g l t 2 Y r V - C 0i 0 C B 1A 1^ 5 V T g0 6 V s C e 0 k hO
iliJ W re8 Wd3 F aO ,S EMS 1 7 3 A+.2 J W D W3 W F 3 r2 ) D3 A D 3 2 3 F F 3 B Gl e S a -l l R m o r +3 f:g T o K n 9 h3 wD 8 8 4
- w 1
W r W 5 W F . e r xt e F 8 D 3 4 3 s, a D ,t u o ag 3 3 aW-a F 7 Gl F wp 3 4 W 8 m% @,a 9: e. e m mC DA W D S e I u w r ol e F or c v , i p 3 T o r r v F e F n r 3 S p e 6 3 F m E 3 s 1 e 3 t p W ms y i 6 D os F r 3 W s 3 FW W 3 g p Ae W D D MOI.I F m M,_, F D e 3 r t M. 3 s 4 y 3 W8 S n Wxe I 4 D 3 r d 7 38 F 3 e 3 3 F W t W W0 a Dsa 4 F 1 x D D W *, D0 F xW w F 3 d 3 t 9 1 3 ~ L P L ee g 1J C ( F P 1 Wd t 2 F c 01 W3 e D1 y r 3 W ts F a i d W 3 nn 9 >fD EmUa D9 e 2 n 2 8 e 7 e F 3 9 3 F O g-A,3_ 3 g 6 W 3 3 e W r E 7 D W n 9 D e 3 D m 3 W - x3 3 3 W7 W5 F E xD1 R 3 W D 3 D7 ey D0 3 8 F 3 F 3 F 2 e p L 3 P k g e i n g d ( gJ Z 1 A j o 0J 3 ) 4 58 < Ws c 4 8 I at >,9 W 4 D 7 O 3 u. 3 2 W 3 0 9 D p 1 0 1
- 3. :
! 3 W ,D> 8 D F 3 3 3 hD D W W W W F m(W t D D 3 F 3 e 3lg ) r. 3 ,9 3 0 F 7 4 F F 3 3 i D 3 3 O N" W E R c ( U p F 8 8 3 7 G 3 83 3 I W F W D o t D _5 oe-F W-F n 3 3 r D' 2 ,8 MdW; v 3 toi n F eWN m 3 3 r 3 a v eiF r r E e t d S 983 8 8 9 XD 7 __W W 3 DNe p D [( -W =, F F 3 3 F m sp 7 D t 3 6 a 8 8 F 3 n sF 1 6 W oe;- m. 2 W 1 r d eg0 D D F n t a F F O 3 C W y A 3 ( s T g2 e / S o F, o-ta 2 TT t ms m. 2 g u SA oet g0 gega o ne U F d. sg 1 F - T r y A s s oc A L
M e E e n T r S e Y e S = r c. E a .o e a R e v s. r se o T -u o 4-A, n 3 W z D 3, s s E = s e a E ,i s ,iliggi,if,gi!3iflIl .it!*l ,II l:II;*_ ,f. F ~, Gu _s r Y x s. c .f s.- IL c R r A x,.. ~. _ 'E eo - s I n X ',.. xe r-U ns o t, au
- o. *
=s ,so
- e
.= s A e O oi e." s. ) .) OC ..s. i,.s s. r e ~ .e .c a .e 4 ,c 4 .mi( r-en e.i e= .e a r ,v - i s ai,t 3 X2 X s.
- s m
&,c t -.s l i Xs r s s , o ,a A)"
- w u
e a s s c c r, ,as s rs. y e s s c. p m c. a S 1- ) s r. , ) '( 3 f e i r g {_4, ( ( c_ g m t a n w y s g g' d e s e s. g s F s .Q , t l-y l r e a , g, ', i l -- J i t t. = - r s x u a . o. xs e s A e r i i o o. lt c e =- ) s e t.n j2
- .s:~
e S s. o n3, ,,>i, ) ) ) 5 h i,, ( ( Oc Wo. c z -s na Ns.- R C . s* %f-7>- ) f i s' e. 4 ^ L .G t t Wo o ~ s c e e 9 ~ $* s a s C.Mv > m(:t i,o /.v' ce 4 s s \\ s. r z 1, r et i f, s. s t,.s ? s - s E e r f R r:
- m f
G
- s.-
a U s ^ I A F ,,m ~ _. s. , A s-2 C c. c c > s. u. L J. [ f d r E ^ s .n e oxe. s. c.s m r f ,c xa om
- w., -
x .r i, f eo .c e as i, .-,, i_ r 9A e ( , t =~ o 4 3- ) ), s). f- )() (, c s p c w z ,[ o s 3' w,. /- ' >. ( \\ - ,. -e 4.*-@
i i -The ANO-1 system, in contrast to Oconee, has the least redundancy. ANO-1 has one motor driven EFW pump and one TDEFP. They are fed by a common header from the CST, and each discharges to one SG. (Normally closed cross-ties - between discharge lines do exist in both plants, however.) Important EFW system failure modes identified in the PRAs for these plants are listed in Table 4.4. F-V Importance values calculated for the identified failure modes are also listed. For AN0-1, the high overall system F-V - Importance is seen to result from potential loss of the TDEFP, its suction, or discharge. Such a failure, combined with an electrical failure disabling the motor-driven EFP, fails all EFW supply. TABLE.4.4. Important EFW System Failure Modes from PRA Analyses PRAs Where i Significant Plausibility Component Failure Modes Plant Importance At Rancho'Seco 1. TDEFP fails due to ANO 0.23 -Yes pump, local valve, or OC 0.02 steam supply problems 2. Loss of suction from AN0 0.01 Yes the CST (UST) OC 0.08 3. TDEFP discharge valve ANO 0.07 Yes flow control failure 4. TDEFP fails because OC-RSM 0.03-No I suction valve is load shed on LOP 5. Multiple failure com-OC-RSM 0.02 Yes-binations (in 3 parallel lines) of pump and dis-charge valves, causing total flow loss 6. System response during OC 0.01 -Yes ATWS not fast enough to prevent RCS overpressure-ization and LOCA For Oconeee the system F-V Importance is considerably lower,'and is dominated by human error in the failure to maintain adequate UST level. The Oconee-RSSMAP analysis does not identify this. error so strongly, Land yields an even lower F-V Importance value. For Oconee-RSSMAP the'most'Important failure is loss-of the TDEFP suction which could result during loss of offsite power, from load shedding of an important valve in the suction train, i 4.19 i
For Rancho Seco, the EFW system F-V Importance is inferred to be intermediate between ANO-1 and Oconee values. Like ANO-1, the Rancho Seco I system contains only two EFPs. However, one of them, P-318, is driven by both an electric motor and a steam turbine, which increases system redundancy. Also, each pump has a separate suction header to the CST, and the outlet headers are connected by a normally open cross-tie line. Offsetting this increased redundancy is the fact that loss of 125 VDC bus SOB will both prevent auto start of the turbine drive and fail 4160 VAC power control =for the electric drive of the common-drive pump. On the basis of these arguments we have inferred a rather high F-V l Importance for the RS EFW system of 0.2. 4.4 VITAL AC POWER SYSTEM COMPARIS0N One-line circuit diagrams for ANO-1, Oconee and Rancho Seco are shown in Figures 4.10. 4.11 and 4.12, respectively. ANO-1 and Rancho seco are seen to be quite similar, in that each has two 4160 volt buses normally powered by separate trains from the grid, and each powered by a separate diesel generator during a loss of grid power. Although not shown on Figure 4.12, Rancho Seco is adding two additional diesel generators to power non-vital buses, which could be cross-tied to the vital buses in an emergency. The Oconee system differs from the ANO-1 and Rancho Seco systems in several ways. Oconee, as ANO-1 and Rancho Seco, has two 4160 volt main feeder buses. However, they are not usually fed through separate trains, under either normal or emergency conditions, (although this is easily achieved). A primary factor i behind this design difference is the 87 MW capactiy of the two Keowee hydro-j electric generators used for emergency power, compared with the 3 MW capacity of the diesel generators used at AN0-1 and Rancho Seco. When connected through overhead lines from the station switchyard, either of the two Keowee units can carry the entire unit 4160 volt load without load-shedding. With load shedding, when connected through the dedicated underground line to transformer CT-4, either can carry the entire unit vital power load. ) The Oconee 4160 volt main feeder buses are normally powered by either the plant auxiliary transformer 3T or the startup transformer CT3. If offsite power is lost, they can still be powered through CT3 by either of the two Keowee units. In addition, they can be powered from the station 4160 volt standby buses, which are fed by 4160 volt power from either Oconee Unit 1 or 2, OR by either of the two Keowee units through the underground line to transformer-CT4, OR by a dedicated overhead line from the Lee Steam Station served by either of two Lee combustion turbines. Important Vital AC Power system failure modes identified in the PRAs for these plants are listed in Table 4.5. F-V Importance values calculated for the important failure modes are also listed. Upon initial examination it may seem surprising that failure of all AC power sources has a smaller Importance l than failure of a single bus or MCC. However, this simply reflects the fact that, given power failure to one bus or power supply train, failures of other systems are more likely than failures of all remaining power sources. In the ANO-1 PRA the HPI and LPI systems are the ones primarily involved. 4.20
Al - DO I 00 E l t t t t ? 9 309 ) 308)NO 310,' NO diO)No 408)NO 4 C9 ), 5 4 3 01 4 01 d + 74460 4160 M XS XS 80 480 t ? ? 7 Si2 ) SI3)NO 613)NO 612 ) d d d Y Y Y Y 3 A A 1 1 1 1 ?? T T T 1 $22, 532,' 52' ) 4 21 ) 6,4)622; U d d d d d i Y Y Y86 T962 552 85 l l I, 311 I)5843B 61438) 6338I J5 . e 4-4 4., Yll 003 004 Y24 Yl3 B ATT l BATT Y22 TO OC E!R$ SEtu" )5## )*** " l) 8 )CHRG INVERTERS yn, i l \\ N0 ly0 DC POWER SYSTEM k..wAw%h AL'. Ct
- 07T BREAKER $
ARE N0aMALLy CLOSED M6 UNLESS GTMERwtSE NOTED 005
- 5
~~ BATTERY CHARGE TO DC power SYSTEM FIGURE 4.10. ANO-1 Emergency AC Electrical System 4.21
From 13.8-kV Keowee From Lee station and_ To 500-kV From 230-kV underground 100-kV overhead j switchyard switchyard feeder feeder n a n - a Main stepup Transformer Transformer transformer 3 CT4 CT5 3TA 3TB (Standby source (Standby source (,[N11 (d (AN22(4-from Keowee) from Lee) g S2(j (g E11 E22 j f l SL1 SL2 Unit 3 j.- e e n \\ Trans- ' Trans-former &M mm former 3T 6.9 kV 6.9 kV CT3 (Normal source) - (Startup source) 4160-V standby bus 1 (SB1) 4.16 kV 4.16 kV = 4160-V stanaby bus 2 (SB2) b =' (o (oe,N1 (e - (o (or,S2 -(o E1 E2 S1 N2 9 a 4,160-V main feeder bus 1 (MFB1) ~ 7~ I i l 476d-V main feeder bus 2 (MFB2) I (<, 3TC-14 (o,3T D-1 (,>3TD-14 (o,3T E-1(ol,3TE-14 (o3TC-1 g 3TC' 3TD 3TE FIGURE 4.11. /Oconee Auxiliary Electrical Power System 4.t22 3 ct 3
p 8 0 2 S t 0 !iIl C L 4 C "4 42 M r 0 s r"9 S i u i U4
- o. [x B
B r i 0 n" 0t O 4 s E* 1 A T r i i iilI] ll 4 ,i} m._ i i, 48 0 %A C 4 i i 7_ 9 0 1 P ij iiL i 0 0 l4 l s E G e l 4 8 R R m 1 E l h A e m_ hlilL L I R m7_. G t t i R C c G A Y S H I C A C [ l 1 A 71l1_ i Y L 1 V R } S Y E A B l 0 R R T y__ l E E T 0 8 M T A l 1 4 @ )3 7 i I_ 2 R T B l B RO A AF B O d l E S T n JT u 4 l L N O a l X C A T ( UR C L l l NT A aT I V NE l OC 0 l B-rL t 6 l Tv .AIllL l ) AR 1 O. MFllL TE 4 p (N SS A / - D l 4 D a I 7 l I_ lt B t B i JP I C u R 4 E I V 47ll 1_ GR R B o S-l aT I G 8 e 4 c I A E I 1 ) C R S l B I A R @ (3 At E o G Y i G h 4riL R C D I X E R N c T Y A A I n I lt T R A E C a A""T A R l I ) D T Y 6 I R O. O A E S } e U I N T D u x B [ T T 2 rE ( 0 A 1 R"i O J_> I 1 B FIlL llii T 4 O sI 4 I E qi] R I U m7 7l l_ r i G ff#'_ I F r R r E EM I CR' kR iO' m% pl 4 r l1ilL v F' i S* EN sA' C l R 4 T i, i S 7-U i, i 8 B 4 l2 hjilL A O g AG S L T gIl N N C AI C C PM M 0U 1P A ~w ll
- l!
I TABLE 4.5. Important Vital AC System Failure I Modes from PRA Analyses PRAs Where Significant Plausibility failure Modes Plant Importance At Rancho Seco 1. Failure of all onsite ANO 0.01 (a) Yes AC power sources OC 0.001 OC-RSM 0.03(a) 2. Failure of'one bus or ANO 0.13 Yes MCC OC 0.02 (a) The probability of total AC power loss estimated in the Oconee PRA is an order of magnitude smaller than that estimated in the Oconee-RSSMAP PRA. j To infer an Importance for the Rancho Seco Vital AC system, we reason primarily from the similarity between the ANO-1 and Rancho Seco systems. In these plants the provision of two separate emergency power trains, each powered by a different diesel generator, results in a situation where failure of one EDG to start or to run directly fails one of the two trains of HPI. Due to the greater capacity and redundancy of the emergency power sources at Oconee, emergency safeguards functions are less dramatically affected by single failures. Consequently, we expect the Rancho Seco system importance to be similar to that for ANO-1. Due to the provision of two additional EDG units at Rancho Seco it is reasonable to expect a somewhat higher system reliability, despite the fact that manual actions would be required to cross-tie to non-vital i buses. Consequently, we infer a F-V Importance value for the Rancho Seco Vital AC Power system of 0.12. 4.5 DC POWER SYSTEM COMPARIS0N One-line circuit diagrams for ANO-1, Oconee and Rancho Seco are shown in Figures 4.13, 4.14 and 4.15, rccpectively. Both ANO-1 and Oconee have two main 125 VDC buses, each powered by a station battery and a battery charger, with a standby battery charger shared between the two buses. Rancho Seco has I four 125 VDC buses, each powered by a separate battery and battery charger. l These buses are paired into two separate power trains, and a standby battery j charger is provided for each train. In the Oconee system, power flows from the two main distribution buses l to four sub-buses called power panels. This Oconee system is unique-in that each of these power panels has an alternate supply of 125 VDC power from a corresponding set of buses and batteries in Unit 1. This backup power supply l 1s connected through a network of isolating diodes (as is the normal supply) l such that on loss of the normal supply the power panels remain powered without even a momentary switching delay. Due to this arrangement, loss of the normal l supply-does not even cause a reactor trip. As a consequence, in the Oconee and Oconee-RSSMAP PRAs loss of a 125 VDC bus is not listed as an initiating event. 4.24
A t 2 8
- 6 6
) B 6" M A 2 8 O 9T 4 1 R I 2 2 o 1 F 2 6 I) InE L SR A A 5 v 0 4 1 2 t 6 6 B 1 ) s M 2 ) O 8 R 4 C A 2 5 F A A c 2 o 4 t4 jE 3 0 2 I) 0 S 4 C R 6 1 8 4 5 2 4 6 4 0 } 2 y 0 2 o 3 2 A 0 6 2 2 8 o 1 2 m iJ A R e 2 t m 1 s 2 e 0l) 2 y 2 0 D S 2 2o r J ^ e I w c o 0 P 8 c 5 2^ 4 A 2 2 2 C 2 0 - i 6 8 ! O 6 0 I D 5 4 0 } 5 B I 1 O N A4 ^ A cos a 2 i t I) A e u 3 z n 1 i A z o I) u tt 4 a O C U o E A A c U I R 3 O o I )3 S A I B 3 s o U 2 n 2 R I S 4 0 i ) C G D a A S I m]0 B A 2 3 8 F n I )e 1 S 5 i [ R 1 4 o z 5 B 5 s ) a M O A R C 5 4 F A 4 0 5 n]2 I 8 2 I v 1 S 1 I) A } R 4 =9T i 6 S 5 S B o ) M D 1 At FR 4 5 a fm u I
llll r Cd n s& n ' e 'c )a t ) c xO b nD ) d , t ) r - b 3 ef c, b Iu 'C mdDmK I V V r i e3 eV Du3 oi" eKt 1 r s w3 uA
- 3. tsd 2
pt ' o( p s5 r s C 1 d' g r e a2 pemr e1 Cnn dB r teR I ia ryr ou tte gB g yw cg dDDAC laK e o 3 3 aC \\, g a o i i d( twV r h p6F d nt i I u gd ah3 e S e r ae4 K er 1 m Bc 3 uCVS( 0 .e z e n1 3
- a sCa ai -
H f 6o ( 4. 0 nspV s b 1 O 64 J) 6 t al - e t ,i 2t r e r 0 s , e 1 / / K n e2 u Vn N V vV3 Io onw1 b - a d .B 22 e V. T a o 0 p m ( i p r c 0 00 4 e 2 e t 2 r tc / t 1 i1 w 0 0 w V aC s C B3 o 2 2 o I n y 5 B 1 C 2 p 1 / VX ,l_ [; y 4 g o S M2 0 er 1 S O - 3 N 0 tat r 2 la tou e 0 0 V g lc w 0 6 e t o 6 C O O C s. s w P /g / i N N] MP A s dA V x gY A. - k r teR e l c - 3 [\\ fs laK o u S - lr 0 o 3 C 0 n u r ybry3 - te 6 a gd r er t n T r a n der ,i nt e 6o o t y b taag - e 1 a .k C ,le C br y' S Vn h - k C e. ir - a d c K MO A. 0 p 4 n O O L V X gY A. r 2 e a /g - 3 / N N 0 A. [A 0 w 0 s 2 o n 1 p 6 A o er C i I. go O tat t C c a M3 d lou Sr S N l a t Vg Ce VX V .A t l wd n - 3 5 aC e I4or e r 0 2 B3 0 pa 1 1 o m 6 1I , etb u r V. V tu e r Br - 0 n O e0t elew2 n 2 pa t mp s / yr N d no1 e 1 e o npo m8 o o n ) regA ( c i u1 T I a lt d t aC t r hCn r V a h 3 e c & )a tsK D) r Bc 3 D C C f DM( dI D s st lt nieef l s a.3 t ia al dDa nV la K vh -I l t b u r mV(3Wb i c ( t e5le6 . C, vMt o is C o i l w o T s2 t nC 6 s1 n1 BI t s a a nr V u pd p tsV1, ee K n e Vmf 5 k r 3 C a n, s n 0 un 2 C wA aB2 tst 1 r a M1 8 o hV I 1 r S p VX cK na 0 T ( e 3 o3 e 0 A) A n 6 .C mC r ly o eD oD r e b c w3 o f 1 fs r em O ( s pA pu 7 l j nd e _a os ub i - r r i s Ce k cI l - _T d a n i h & t a: 4 t e B n cc [ C 1 d U n ] Vo I 2 ) 4 A - i [ 7 A 3 I t 5 tu 1 V n# 2 b ] 3 ei E l A K e 1 n n 3 m. R t q ( u v n e is [ 7 r U a u At 0 G r d fj3 L h g s2 C i lein1 I l F F nt s e na u ] I l j e atib S h v k C 1i g g J I t A D t L c3 J ta s T i t ~ [ 7~ Sd _j - ] 3~ e r "] v eh a m fs tc n i - a w (L r s {l l l i_ - T { l 3e l l
BATTERY BATTERY BATTERY BATTERY BA BC BB BD 125 VDC 125 VOC 125 VDC 125 VDC BUS SOA BUS SCC BUS SOB BUS SOD F- ; [- p-r-7 q [---- q j _ _,_ _, l____j j_- __i i_- __i 1 4 I l 4 l l J I l 4 l 1 l l 1 I l L.__ E_J l___ C__j L__r L__r_j a MdBA H4BC H488 M4BD VOC VDC VDC VOC BATTERY BATTERY BATTERY BATTERY CHARGER CWAACER CHAAGER CHARGED 480 480 480 480 VAC VAC VAC VAC (FROM 480 VAch [FROM 480 VAC) [FROM 480 VAC) [FROM 480 VAC) MCC 2Al ) \\ MCC 2 Al / \\ MCC 281 / \\ MCC 2B 1 / H4EAC HwBBD VAC [ L} I25 12 5 7 VAC STANDBY STANDBY BATTERY BATTERY CHARGER CHARGER 480 g 480 125 VDC VAC 12 5 VDC o 125 VOC VAC 125 VDC (FROM 480 VAC) [FROM 480 VAC). MCC 2BI / ( MCC 2 At b b NVERTER SIA INVERTER SIC INVERTER SIB INVERTER 510' i i a 1 i I I I e
==.,,- I .m.
==. t 1 I e I i I .mm_ _ san. i I l an. men i i mm. m i l amo ass. I .sm eu. i .= I i .=. I 1 1 i 1 mm. [ l I l l l I l ) 120 VAC 60 Hz 120 VAC 60 Hz 120 VAC 60 Hz 120 VAC 60 Hz I BUS SI A BUS SIC BUS SIB BUS SID FIGURE 4.15. Rancho Sec0 Vital 120 VAC and 125 VDC j l 4.27
1 Important DC Power system failure modes identified in the PRAs for these plants are listed in Table 4.6. F-V Importance values calculated for the important failure modes are also listed. Due to the much smaller probability of DC bus loss and subsequent associated core melt at Oconee, none of the dominant cut set failure sequences contain such failures. This results in zero Importance values for the two Oconee PRAs. TABLE 4.6. Important DC Power System Failure Modes from PRA Analysis PRAs Where Significant(a) Plausibility Front Line System Failure Plant Importance At Rantho Seco 1. Common mode failure ANO 0.20 Yes(b) of both (all) station batteries ) 2. Simultaneous indepen-AN0 0.09 Yes dent failure of both (all) batteries or both (all) main dis-tribution buses 3. Failure of a single AT 0.17 Yes station battery or main distribution bus (a) Due to backup power supplies from Oconee Unit 1 the probability of these failures leading to core melt is much lower at Oconee than at ANO-1. (b) Rancho Seco has four station batteries and associated main distribution buses. However, they are aligned into just two independent power trains. The loss of one particular battery in each power train could fail both trains of HPI or EFW, In the ANO-1 PRA the greatest single contribution of DC Power system failures to core melt probability is the common mode failure of both station batteries due to improper surveillance and maintenance activities. However, procedural changes made as a result of the study are believed to have greatly reduced this probability. Assuming that surveillance procedures at Rancho Seco preclude testing of more than one battery by the same personnel on the same day, this common mode failure of all station batteries should have a small probability and associated F-V Importance there. In the ANO-1 PRA the simultaneous independent failure of both station batteries or of both main 125 VDC buses is a significant contributor to core melt probability. At Rancho Seco the simultaneous failure of all four station batteries would be expected to be considerably less likely. However', Rancho Seco does not have four independent DC power trains, but just two, with loads divided between two buses / batteries each. In each train, one of the buses 4.28
i l supplies control power, and the other supplies motive power for motor-operated Safety Features Valves. In each train, loss of control power results in loss of the corresponding train of HPI and EFW. As a consequence, we expect the Importance of failures of both DC power trains at Rancho Seco to be quite j similar to that at ANO-1, though it may be somewhat smaller. i In the ANO-1 PRA the most Important failure mode is failure of one 125 i VDC bus (failing the corresponding train of HPI and EFW), in combination with j simultaneous independent failures of the opposite trains of HPI and EFW. This failure mode is equally valid at Rancho Seco. As discussed above, in each of the 125 VDC power trains one bus supplies control power to components in the corresponding trains of HPI and EFW. Thus, failure of this bus will fail these corresponding HPI and EFW trains. Consequently, we expect the Importance of this failure mode at Ranch Seco to be similar to that at ANO-1. On the basis of the above arguments we infer a F-V Importance of 0.2 for the DC Power system at Rancho Seco. 4.6 SERVICE WATER SYSTEM COMPARISON System flow diagrams for ANO-1, Oconee and Rancho Seco are shown in Figures 4.16, 4.17, 4.18 and 4.19, and 4.20 and 4.21, respectively. The ANO-1 system has three pumps, as opposed to two in the Oconee and Rancho Seco systems. However, during normal operation only two are in use, and only these operating pumps receive a safety features actuation system (SFAS) signal. The ANO-1 system has two redundant loops which are cross-tied during normal operation, but which are automatically isolated upon receipt of a safeguards actuation signal. In the ANO-1 PRA analysis no credit is given for one loop backing up j the other during an SFAS condition. ANO-1 system loads are not shown in the figure. They are: 1. Reactor Building Cooling system cooling coils 2. Diesel generator jacket heat exchangers 3. HPI pump lube oil coolers 4. HPI pump room air coolers 5. Circulating water pumps bearing lubrication 6. LPI/RB Spray pump room air coolers 7. LPI pump bearing coolers 8. LPI system heat exchangers 9. RB Spray pump bearing lube oil coolers. Loads for the Oconee system are similar to those for ANO-1, with two important exceptions. Since Oconee emergency AC power is hydroelectric, no EDG cooling is required. An important additional load, however, is cooling for both of the Oconee motor driven EFW pumps plus the steam turbine driven EFW pump and its turbine oil cooler. The two low pressure service water (LPSW) headers at Oconee are cross tied by locked open manual valves, and either one of the two pumps can supply loads during normal or emergency conditions. During normal operation one of the pumps is operating. The other is in standby and starts automatically on receipt of an SFAS signal. 4.29
8 ) I DN C C N A N I T I N N S N N U U N R R I D D D E E E N M M U U U S S S A S c, S g S 4 A A A p ( p ( e ( D O ( m e t C f s T
- y0 A'O A
l 8 t y f'd 1 c S O 0 r e t a W e c iv r e Td C 3 A k0 2 2 S 0 0 0 U0 0 1 O N A 0 4 6 4 4 4 6 6 6 6 3 J 3 V V V 1 C C C 4 6 ug E R U G I F 1 d )4 4 5 6 4 M 6 6 3 3 E 1 3 M T 1 V Iv 0 S 8 C v E 2 C C 8 T 3 Y S v 3 ES V Y C D C ES T 6 6 I E iaE T R A DT t AA 4N [ DT VEA V E Rr T NV EG S 9 N I f Y LG T N N C S T IL I L E O A I O N NR OO I !L OO L E TC f OT 4 UOA 4 X TC ACV S 2 7S V S SPD OA rD 'oA OOO $tL O TLL s.to a
W S W its) 4 9 6 0 n4 P S 7 - u1 rE P r L A W oli r n ia g L . [_ ia n e 5J r C Td u d W6 W9 W3 W7 W C l - aF B S9 nr io i ng S3 S P1 S3 0 e le S r h( P1 P 7 3 p1 i o L inlo v o P oe H L L L rd c b o W2 PE mp E r c u P T S9 a m P1 te 1 3 u 1 J S p H W8 r S3 W W e r r to P1 S 8 C lo 4 e p o2 o Wt e W1 L P l C cm 1 ua d sl lv S n n S9 l l p P o a u s ua P1 egv io Hitc1 e H r r ^ 3 / er ee We i a S t nt n W 9 b w P o n ni S8 W W u L cU r 4 P1 S8 A H P2 C T H C B r r e e d d a W m a e S e H o H r H F UA W7 W2 W S2 S3 S P1 P1 P L L L VA O' W7 e S1 W8 g L' W4 ic P 5 n S1 S1 f L P5 ik P5 ir c j O E L L a P P p W5 W2 B l MS2 MP1 1 J p S2 S2 eg m O. P1 P1 r L e L ndt r u d L a p efee h a e v k c o W4 W1 h s S2 i yc r is T r h d c a e d P1 p + j - n lo g s r mn L L a o o W ep gmc C ui w tor k " p c k eu C a c ~ Mmp o O. p a T e B L f E p p ip m f P mA A 1/ u u e p p W9 ic W2 W3 f S0 i S1 S1 W W1 W n W6 P5 O P 5 P5 r n ee S2 L L L S S3 ia SP P1 P P1 r r L c L L L S D P P k P rL [ 1 1 J 1 1J . v ie W0 3, O. o 2 S2 1 s P1 L s L o e 4 r n 9 cli -WW C C CC ,*w~ i-
\\ mI p g/ oP mHu r ) F p 8 C 0 1 4 08 W W 56 . W 2 2 S S W 2 WS SS O. P Sx L l P L L L ge P S P EE r P a L ya " L h e cs 6 B id W W W 1 2 S S WS P 9 9 P r g I S P L 1 L o n e-ns P 7 L tcd tnin E t r t g Wx i oi L onp n t e clam li iJ al ta f S e iuvl u L J /(5 d a ou o P Rb eop j W Rc c 5 e S e g P t 1 n r r g es A r a L o h innre t 8 cd ot 1 e c a s al po W e W 6 WS ic id Rb o iumo f c S P S P ir 1 [ l c L } P L O W t t L C aA C aB e e E h e P P I h r r P P e P yl yl e 1J L ao L ao 4 co co W ec W W W5 W W W4 W W ec W 1 7 8 6 d S d P j S S 0 S 7 7 S S0 S S5 S 7 7 P P 4 P P P4 P P P L L L L L L L L L L ~ pF L r e o g ( W5 t W 1 J r a P1 w1Ch S6 r 1 Cc L C o r i lte l F d i W2 W3 W F 4 O S6 S6 S 6 6 8 ~ 6 6 W P1 P1 P1 1 1 r L L e L r o ul ta art e X o s t S S W1 7 7 c9 8 r v P P 4 4 S5 id 4 5 en la L L 1 1 po 3 1 P1 W in v mc L W W W W7 r wS S T S6 e h l L L L S l S t o P P P1 L Fi P P b F l L V B G T h 9 W8 W W 5 I I S4 S 1 S P1 P P fL A L L ep W '" W L - lJ S m r 9 u W0 P " 6 S6 s u s r e spr S6 L 5 P_ 1 W74 d e e P1 1 WM l r nl a S4 7 poo L eH P27 io t H 2 h cc ige W3 S h P Hnj S5 L i P1 l O L 9 e V r gr A G oWra x-T tach mW W2 W4 l r c oS S5 S5 wCsh P1 o i P P1 P l d r FH L W5 L F 1 S5 P1 L
- .M
I From ] neader) X B LPSW-403 3LPSW-y 4 260 n I LPSW-y LPSW-y 375 a 382 n t LPSW- ('J y 3LPSW-LPSW-y LPSW-i 383 DL l n 357 360 n 376 l LPSW-LPSW-LPSW-y LPSW-y LPSW-y LPSW-y
- 358 361 377 n 378 a 384 n 385.n Air-Air-Air-Air-handling handling handling handling unit unit unit unit 3-2 3-1 3-7 3-8 l
J X LPSW-LPSW-y LPSW-y LPSW-LPSW y LPSW-y 359 362 f 379 a 380 386 n 387 41 LPSW-y LPSW-381 n 388 u u y v To storm To storm To storm To storm - drains drains - drains drains FIGURE 4.19. Oconee Low Pressure Service Water to Air Handling 4.33 l'
"kII "ki? j$, 1 ) g! i I I '1g i 11 1 fd is!lti l 4' H h h Il IlI !!I .l i ,1 i I ij,h , n.... ETo' g , 'lm i"id T t {e {ll ] l:[ l:[. ll ~l ns;o....cll !u..!:t w.,I.{ 11 I n ..: p n T in I.d I fii I,Ili 1%U[8 f;l i PI t; 3 !I I l I l; 1' 3 1 j'l lj I l I tip list _t 3\\ j u = L 0 l 1[i \\ l 11 l !.Nl 8 ! ', .ti?.,' m. l 11 \\ )l. 1, nn cc: e s, i, !:I m.- m'> x.-. _ L h I ~ ~YE d#I.;!.e C-
- Dpl = 11;!
'h t.> 1: B c ~ I I" 3,! 3 5! I E l 0 C -- { gi 1, C 3s3:= ist n o l. 12 e I , i u e Il 3 II f ' "'~ " ^"" = ' ' " " 'u2 5 !! @ sp @ l q i >- n -- +;. '-b nJa,! a l 'i.I.:! g I o li b.6' -rtv!; s 8; 1 l I. I 'M II U+ i, l i sii .i 8 U> b h f ~ s ilir=l '!- N, pi !1:! s m 1
- r1 i.L:(i p
m 1 -j g A gj l$ 37 C " ] '{. )eI "h "g ~ai i. m s e ll! I!! 2 iI E !g6..,~ L,m1 ni (j" j $41jp! m) ,C : ,j 1 in 7' C 3 l j;; jg i* hi \\ !! @ I)'@!n g1' ii i>-- .!(D ' 'y!; ~ __ i i l .i. I i y1 3 IIi Jl 4.34 l l
v,n ho a " r= U E e T ,M r ,.4 T,, ,J. ,,.'aI w t4 t.s .s ,g-sm e rr" ,0 t s ,e e ,0 ta t ,s 4 o ,n' i a ,E' e ,n" a 0 0. ,.4 E - v ,D* C e s r .n Ho g s w t i 4 u. s g s n. .t g f.- -\\- s a 7 . a r m0 e s e a gL t s s.4 .0.m C . e - l 4 0 a T ,JJ i q l u ~ evf = N. @C E e u f. = 0 o r na C. t ~ 3 yS.a H }< I c E s a .s S D = e = s C..,.a.m. e r 0 C t r t R.e 4 it T M eJ W - i O .o 0 g s 0 e .u TB S D Cu T 0 vCT 4. 5 A t- .C e 0 U e 0 s. e.t I C 5 a E ? N A L0u 5 N s E. R l G= E E s C0e a 0 s O .r u Gs A rG 4 .o e T
- u. N.- +_
tC 1 a R t N R L C C. 8 o C.EO a. r a = - E a t e O s o tt. s =f e utC =Ec a m 7 ~ a 80 = F .I 8 .H=. 5 ,g, N-8' n O 0 0 0 o g
- f. s
- c. :-
,,9 0.., , 0 ,o o .W s F ps w EC WS I ,0 T s S R 0 3 s 2 4 0 0 ,0 0 0-0 E, 0 ,0 F' F0 0 2 S t S. I-5 M Au7 5 0 0 1 t e ,'g-; W 8 F ,4 0 m. 5 ,O. F O ) 0 S .4 g 9 i. W o F t. t t FW* ; 1 S FO ,0 E su u F C C. ,O 0 5 S 9 4 2 0 0 0 0- ,0 T T 0 F 0 0 ,0 F0 5 5 S 5 =, +_ ,n 0 S ,2 E ,0 a. . N _. u ,C 0-O s ,0. 0. 4 0= sa - 4._R 0 E 0 0 o c C, s a F0 0 A C,,.e D eta 5
- 0 C
gT I u,i s A 9 S .v s. z S a. O t CT 3 8 E. S a s I 4 l nG. ] a. s ass. e h. t r. m.a t 3 M fe. tu 0 L t C0 c S I c u
- P S.
4 eeC P .u t t n F o i o u .t illl T 5 h i P g n p 0 M. E 4 .F ,0 T .t T .R O .A .i t. m o n er I t F. c la 4o s 3 .sO . n a >= F s' . u. s 5 s S S N a H. t O O s. )'S .a g-l,. 4 .,E I 2 T 'o j w L-
- T
'[, F F ._ s. S s S q e g s ,.g tc g O g C g a 0 5 g i , 0 2 se 4 .s a j Mw e E 4 e = .r. %,r. t t s t 3 t o rt e e t g m a t ,0 a . s ga 4 s-e o to a 9 t en tAc n. ,a C s t 7. 4 i
- o. se e a
=. e y yv 3.. ,6 ?r m 5 s o 0 a. T 4 _. 4 O e C 4 45 Fe 4 c = 9n F' un 3.W*
j At Rancho Seco the Nuclear Service Raw Water (NSRW) System cools the Nuclear Service Cooling Water (NSW) system, which contains the LPI coolers and the RB Cooling units. The NSRW System itself cools the HPI and LPI/RBS pump lube oil coolers, the emergency pump room air coolers, and the EDGs. Thus, it carries basically the sau loads as at ANO-1. The Rancho Seco NSW and NSRW systems each consist of two independent and redundant loops, either of which can remove the entire decay heat load during a normal or emergency cooldown. Table 4.7 lists the failures of front line systems caused by service water system failures which are found in the dominant cut sets of the PRAs. The values of F-V Importance calculated for these failures are also listed. As extensively discussed in the following paragraphs, a review of these results, and the details of the PRA analyses which produced them, points out fundamental differences in the assumptions and analyses of the various PRAs. With regard to SWS failure, these differences are so great that we cannot reasonably estimate an F-V Importance value for Rancho Seco, except to state that it is potentially large. We remind the reader that our calculations of F-V Importance values involve summing core melt frequencies from dominant cut sets. Other methods hhve been used for assigning Importance values to support systems in other analyses. In particular, calculating support system Importance as the sum of the values of Importances for systems supported has been used (Taylor 1986). From Table 4.7 it is seen that failure of the SWS is important for different reasons in each of the three PRAs studied. In the ANO-1 PRA, the dominant cut sets containing SWS failures all lead to core melt via failures of one or both trains of the HPI system. Most of these failures are in conjunction with LOCAs of varying sizes (i.e., inability to maintain inventory), although some occur with an AC bus failure (which fails one train of HPI) and an independendent EFW system failure (i.e., loss of heat removal opens safety / relief valves, with makeup capability failed). The F-V Importance of these failures is small (0.03). In the Oconee-RSSMAP PRA, all of the dominant cut sets containing SWS failures lead to core melt via the loss of heat removal and makeup capability. At Oconeee the LPSW system cools not only the HPI pumps, but the EFW pumps as well. Failure of this system, therefore, leads to open safety valves and loss of makeup capability. The F-V Importance of these failures is large (0.19). At Rancho Seco the EFW pumps are cooled by their own discharge flow. Consequently, it is tempting to estimate a F-V Importance for the Rancho Seco SWS system which is intermediate between the two values listed above, probably closer to the low AN0-I value. However, the results of the Oconee PRA greatly complicate this determination. In the Oconee PRA all of the dominant cut sets containing SWS failures lead to core melt via RC pump seal LOCAs induced by the loss of seal injection (HPI failure) caused by the loss of the LPSW system. The effects of SWS loss on EFW operation are not discussed in addressing these failures, although fault trees clearly incorporate the effects of SWS loss on EFW pump operation; 4.36 i
the existence of an RCS leakage pathway through the seals apparently provides a sufficient failure mechanism to cause core uncovery and melt. The F-V Importance of these failures is quite large (0.28). TABLE 4.7. Important Front Line System Failures Caused by l SWS Failures Identified from the PRA Analyses PRAs Where Significant Plausibility - Front Line System Failure Plant Importance At Rancho Seco 1. HPI train fails due ANO 0.03 Yes to local fault in j corresponding SWS-train 2. LPI recirculation fails 00 0.002 Yes due to LPI cooler loss from SWS flow blockage 3. RCP seal leaks at OC 0.27 Yes tripped RCPs due to loss of HPI seal in-jection caused by SWS loss 4. RCP seal LOCA caused OC~ 0.01 No(a) by operator failure to trip RCPs within 15 minutes of loss of'all seal cooling (seal in-jection plus component cooling loss) due to i SWS loss 5. Total cooling loss 0C-RSM 0.19 No(U) (EFW and HPI feed / bleed) due to SWS loss i (a) Seal cooling of operating RCPs at Rancho Seco is not failed by NSRW loss. The Component Cooling System rejects heat to the circ water canal via the Plant Cooling Water System. (b) At Rancho seco the EFW pumps are cooled by a portion of their own discharge flow, not by the SWS. I Two RCS' leak rates are associated with the RCP seal LOCAs addressed in i the Ocopee PRA. The larger leak rate is 100 gpm per pump, developing within one hour of operator failure to trip the RCPs prior to 15 minutes after loss of all seal cooling. (The cause of seal cooling loss would be seal injection 4.37 j
i loss due to HPI failure, and loss of heat removal from the component cooling system to the failed LPSW system.) This failure has only a small F-V Importance,.however (0.01). The RCP seal 'eak rate having the largest F-V Importance in the Oconee PRA (0.27) is small - 15 gpm per pump for a non-rotating pump, developing I within one hour of loss of seal injection and component cooling. However, I the resulting total leak rate exceeds the makeup capability of the Oconee Standby Shutdown Facility, and the discussion in the PRA states that this, therefore, leads to core melt. (Interestingly enough, these cut sets also l incorporate the assumption that the operators fail (with a 10% probability) to utilize the SSF for emergency seal injection after HPI is lost. From the above discussion it is clear that considerable differences exist between the assumptions made in tne Oconee and Oconee-RSSMAP PRAs, particularly with respect to the loss of RCP seal cooling and the effects of seal leakage. The obvious question then becomes, how did the ANO-1 PRA address this topic? In the ANO-1 PRA, the effects of RCP seal cooling loss to non-rotating RCPs were not modeled. The rationale for this approach is discussed in a section on analysis uncertainties. The justification for omitting this effect is that an experiment has shown that "... significant leakage did not occur for 56 hours following interruption of seal cooling to a (new) static Byron Jackson RCP seal." Furthermore, an assumed leakage of 10 gpm per pump would not yield core uncovery for 16 hours, which "...should be ample time to perform the recovery actions necessary to restore the HPI system and prevent a core melt." The AN0-1 PRA uncertainty discussion also presents the results of calculations assuming a 70 gpm per pump leakage from uncooled static RCP seals. Predicted core uncovery in 5-6 hours reduces the HPI recovery likelihood, and l results in increasing the total core melt probability by a factor of three. Not all of this increase would be attributable to SWS failures, since onsite and offsite electrical upsets can also result in loss of RCP seal cooling. Neverthetass, calculation of an F-V Importance using the results of this analysis yield a value of 0.24 for the SWS (compared with 0.03 from Table 4.7). From the above discussion, it is clear that differing assumptions of RCP seal leakage effects are used in the PRAs studied here, and'that they profoundly affect the results of the analyses. What are the implications of this for the Rancho Seco SWS7 Rancho Seco uses Bingham-Willamette RCPs, as does Oconee Unit 3. Seal cooling (other than direct seal injection) for these pumps is provided by an external heat exchanger, through which water is circulated by an auxilliary impeller on the pump shaft. Consequently, for a non-rotating pump this cooling source is lost regardless of whether cooling water is supplied to the pump cooler. This distinction is noted because at Rancho Seco this pump cooler is not cooled by the SWS. (Instead, it is cooled by the Component Cooling Water system, which is cooled by the Plant Cooling Water System using water from 4.38
5.0 INSPECTION IMPLICATIONS FOR RANCHO SECO SYSTEMS This'section presents system-specific information for four of the systems analyzed in Section 4.0. We could not analyze all.six of the systems due to resource constraints. We chose to analyze the four systems which physically transport heat from the core:- HPI, LPI, EFW, and Service Water. Other systems could be analyzed similarly with modest additional resources. This information was developed from review of Rancho'Seco systems descriptions used for operator training, P& ids, electrical prints, and operating procedures. For each system, the presentation is organized around the plausible Rancho Seco failure modes identified from the surrogate plant PRAs. Rancho Seco components associated with the major failure modes are identified (e.g., motor-operated valves, which must respond to a safety. features actuation signal) along with their sources of motor and control' power. We have also identified related components of lesser importance (i.e., check valves, which could bind on their seats, or manually operated valves subject to mispositioning). Information on the lesser-importance components is included for two reasons. First, since we were not starting from a plant specific PRA, a broader focus is clearly appropriate. Second, we wanted to document, in a usable fashion, as much as possible of the system specific information which we collected for this project. This documentation was an important goal of our project. 5.1 HPI SYSTEM In previous sections, the BWST and its outlet vo ves were treated as 3 part of the LPI System because of system assignments made in PRAs for other plants. In this section, however, we consider the entire flow path from the BWST to be part of the HPI System. We have introduced this change for functional reasons. In most situations where injection is required, it is HPI', not'LPI, that is needed. The need for LPI results mainly from large break LOCAs, and when operation in the " piggy-back" mode requires LPI to supply HPI suction from the RB sump. Even during large break LOCAs LPI suction is soon shiftea to the RB sump, after the BWST is exhausted. Therefore, it is functionally appropriate to treat the entire HPI flowpath as part of the HPI system. l l Based on review of Tables 4.2 and 4.3, the following system failure modes are expected to be significant contributors to core melt frequency at Rancho j Seco. 1 1. Failure or mispositioning of HPI suction header valves. 2. HPI pump failure, j 3. Failure or mispositioning of HPI discharge valves. 4. Inability of the BWST to supply flow. 5. Failure or mispositioning of manual and check valves. 5.1
L In the following sections each of these failure modes is discussed with specific reference to the Rancho Seco HPI system as shown 'in Figure 5.1 (copy {. ofFigure4.3). 5.1.1. Failure Or Mispositioning Of HPI Suction Header Valves' As.seen in Tables 4.2 and 4.3, the F-V Importance of.this failure modet is high, particularly in the ANO-1 PRA. Maintenance,-surveillance, line-up-checks and operating procedures are important to ensure the operability of< MOVs and_ correct positioning and locking of manual valves. Failure of suction to either train of HPI can result from fail'ure of its MOV suction header valve to open on receipt.of an SFAS signal-or from mispositioning of its locked open manual isolation valve to the closed position. These valves and their power supplies'are: A train: MOV SFV-25003, MCC-S2A1 brkr 2A137; manual BWS-001 B train: MOV SFV-25004, MCC-S2B1 brkr 2B146; manual D13-002. 5.1.2. HPI Pump Failure In the normal system lineup, HPI pump failure is more serious in the B train. This is because it contains;only pump P-238B, and it is~ isolated by locked closed manual. valves from the A train which contains_both pump P-238A-and the makeup pump P-236. However, when the crosstie valves are positioned so that the makeup pump is paralleled with the B train, the A train becomes more important. As seen in Table 4.2, both HPI pump and valve failures have a significant F-V Importance in the single-pump train.- This Importance is equally shared s between pump and valves. Careful inspection attention is warranted to ensure that the operability of both HPI pumps.and=of the makeup pump is. maintained, i since either HPI pump may be' lined up individually, and the operability _of-the makeup pump is what makes the parallel-pump train less important. HPI pump failure can result from failure of 4160 VAC pump motor power or-125 VDC control power to operate the 4160 VAC motor power breaker. It can also result from failure of the breaker trip / closing coil circuitry, or failure to reset lockouts (reset of the "486 relay" requires operation.of the local pistol-grip switch to the " TRIP-RESET" position). It can also' result'from failure of the auxiliary lube oil pump to provide lubrication during startup before the main gear driven pump can take over.- HPI pump failure can also result from failure of the Nuclear Service. Raw Water System, which cools the HPI pump lube oil and the pump' room coolers, and from. failure of the room ccoler' fans. 5.2 c
W D E T T C eA .a A E s s O e .e e L t Os , v. e t E T I .e N aL. C. a t a U an D' s L' lI wS g e e E. oS s .e. .tN". ? e .E Ome m t v O.P . "/ s T T .e O .r I'" I. Ii .e _ "a ' -j'.-* C' a A s
- ~
,e e f hT3 e s C, = 0 V F5 = ,e. ,..,e 0 Fw0 5,3k C a ss a a ,f x. s ,e x.a.- ,a p S m c u e B e t s R t ,C a a - .sC .O s Y e a c,s e W e s .o. 0 ,C. R 3
- S 3
~ - vt i 2 8 * .= w 0 e s, 0 S e3 n 3 E
- g, I ^
l u~ A A g R. L s g S S 0 x x. x0 C e a s ts e s s S C. ..~ .e 5 s ),
- E.e f.
uu e m. p .,.a qb. u s .= ,s. s
- Ds a
\\: s ,= S P.a s e. ,m,. s S 5 Ees o e, ma .e = ,r,- o-pea t. ce c T - esE 'e .n 3 g,. = C e ,.e r1.__ e > t e eJ .s. . a .m r.p .s F ss [ e =
- x..
A'.,. .m n S x x. M,~ F m M S n y "3. 1 S. m-1 yE m 3 L g = S FT 5 M 0 E E n, s F5 F 2 m. se S O s S 9,;,, Ju@ )' - E a t N w v a s .e y<. 3, 0 6 x. y c e s, .N y 3 4. g s. .-i .e 3 t .i .,4 8 s v. F s ,.a-u Mt n r 8 .#s 2 S b 0 7 T 8A s 3 a i L c d* s N ee e 'a O 1 C, P a w O C.. E SA S L* . O O 0 C O TC -c E. e O C s < S A t, ., m
- e t
S. i r a f . v f .c T SL T,t e )A f.
Sources of electrical power required for operation of the HPI pumps are: HPI Pump P-238A Motor power: 4160 VAC bus 4A, brkr 4A04 Control power: 125 VDC panel SOA, brkr A08 Lube oil power: 480 VAC MCC-S2A1, brkr 2A102 HPI Pump P-238B Motor power: 4160 VAC bus 48, brkr 4B07 Control power: 125 VDC panel SOB, brkr 808 Lube oil power: 480 VAC MCC-S2B1, brkr 2B102 5.1.3. Failure Or Mispositioning of HPI Discharge (Injection) Valves The HPI system has four motor-operated discharge valves, each injecting flow into one of the four RCS cold legs. Thus, the failure of one valve will not fail an entire train of HPI. However, as is discussed below, common mode failures are possible. After passing through the HPI discharge valve, injection flow passes through two more valves before entering the RCS. In three of the injection lines, these are a locked open stop check valve and a final check valve. In the line to the D RC pump, a motor-operated valve is used instead of a stop check valve. This MOV is used to provide an alternate source of pressurizer spray by diverting flow from this HPI line. Mispositioning of this MOV, or of a stop check valve, or check valve binding could fail injection flow to one or more of the four RCS injection points. Due to the use of separate discharge valves for each cold leg the F-V Importance of single valve failure is low. Hardware operability and procedure aspects of surveillance and maintenance which may affect multiple valves, are important to minimize the probability of common mode failure. The motor-operated safety features injection valves receive motor and control power from the vital 125 VDC system. Failure of one DC battery / bus causes a common mode failure of motor power to both valves in one train. Failure of one DC battery / bus causes a common mode failure of control power to all of these valves when they are in the normal electrical lineup; however alternate power from a second battery / bus in the opposite electrical train is available. These valves and, where appropriate, their power supplies are: SFV-23809 (train A): motor power panel SOC, brkr C05 control power (normal) panel SOA - H45DA5, brkr DSAS-11 control power (alternate) panel SOB - H45DB00, brkr DSB00-14 stop check valve SIM-040 check valve SIM-041 5.4
SFV-23811 (train A): motor power panel SOC, brkr C08 control power (normal) panel SOA - H45DAS, brkr DSAS-13 control power (alternate) panel SOB - H45DB00, brkr DSB00-15 stop check valve SIM-036 check valve SIM-037 SFV-23810 (train B): j motor power panel SOD, brkr D03 control power (normal) panel SOA - H45DAS, brkr DSAS-15 control power (alternate) panel SOB - H45DB0, brkr DSB010 MOV HV-23801 check valve SIM-050 SFV-23812 (train B): motor power panel S00, brkr DOS control power (normal) panel SOA - H45DA5, brkr DSAS-12 j control power (alternate) panel SOB - H45DB0, brkr DSB0-11 stop check valve SIM-047 check valve SIM-049 1 5.1.4. Inability Of The BWST To Supply Flow BWST failure modes include loss of level, blockage caused by boric acid j crystallization due to heater loss, and failure of the two tank. vents to equalize pressure. These failure modes have low probability, and as seen in Table j 4.3, the F-V Importance of this failure mode is low. No particularly important areas of emphasis were identified. BWST level loss could result from loss of indication and alarm. Failure of LI-25001 would fail all control room level indication. Failure of LI-25008 would fail all backup indication (local) and the LO-Lo level alarm. Boric acid crystallization is prevented by heaters which maintain the BWST temperature above 75 degrees F. Loss of thermostatic control, 480 VAC heater power or manually switching heaters off could cause tank cooling resulting in crystallization. Boric acid crystallization in the BWST outlet headers is prevented by the Header Warming Pump P-251 which recirculates header contents back to the BWST. This pump and associated manual valving is shown in Figure 5.2. Failure of recirculation could result from loss of pump power from 480 BAC motor control center MCC-S2El, from mispositioning of manual valves BWS-005, 006, 007, 009, or 011, or from failure of check valves BWS-003, 004, 008 or 010. 5.5
l '.- b\\ $'+ 5 w r =d l ga I k I = } 5 h i Eh 'lI
- I
-? - o 3i - \\. -,, i s, 1..
- Ili il
.l. o 4 11 = s- .I. I' l li (( wfgl i gi II 15 g a i; H- .t. r 15 H C'). = l H-~ n @--l?. I Ch 5 kF .s. ) t= E ' i,'. s w N ~, i 2E i e gi 4 ( e-Lg ~" r el si e e i In ) b; g. a o a o v. $*b p;g. L rgi 7? W l j C Y[f igt
- ~I 5
un f!) fa h i i F1 i y$, ] g %..,s @-K e \\ ~
- c. a:
i t .i }E .i. h$,fh lS;I i. e I. ~ s., nygbh ~ I5, - I,) [8 . {f k h. k f +- s 3 v g$s I! Y, I e5 s. d o* 1, li ', i r = e gg .\\d 49 "*j..yi = "G o S e ** A 3 1 ,1, ( I h li a x o E 75 ,85 i ,p r n TS
- h, d
- - l-i-h.h3 k
- .rgr e-I
'I
- E. !!
{. a ? 5)--v F r Q rl q a. gg i i v E~ i
- , I"P'2 t j @-h. g a
l,e d g 1; !! 1 i W sE! 8 3; e n .:=' bI w t 'a hi f~ II
- 5..
sA 8 s, I.. u,, bi =
- i Il x-5.6
~
5.1.5. Failure Or Mispositioning Of Manual And Check Valves Between the MOV suction and discharge valves of the HPI system each train contains manually operated valves and check valves on both the suction and discharge sides. These are: Train A suction: manual SIM-051, SIM-053; check SIM-052 discharge: manual SIM-059; check SIM-058 Train B suction: manual SIM-042, SIM-044; check SIM-043 discharge: manual SIM-046; check SIM-045 Mispositioning of the normally open manual valves, or binding of the check valves could cause loss of flow from the corresponding HPI pump. HPI system valve lineups are listed in operating procedure A.15. Lineup i verification requirements are also given. ) Makeup pump P-236 is normally crosstied to HPI train A by locked open manual valves, and isolated from train B by locked closed manual valves. Mispositioning of the normally open crosstie valves could remove the redundancy provided by the MVP to train A. Hispositioning of the normally closed crosstie valves, crossconnecting the separate trains, could allow a pipe failure in one train to fail the other train as well. These crosstie valves are: manual crossties to train A - suction: SIM-054, SIM-055 (locked open) discharge: SIM-038, SIM-039 manual crossties to train B - suction: SIM-056, SIM-057 (locked closed) discharge: SIM-068, SIM-069 The F-V Importance of these manual and check valves is low.
- However, proper surveillance of valve hardware and lineup should be maintained.
Heat Removal Necessary For HPI Operation j The Nuclear Service Raw Water System cools the HPI and makeup pump lube oil coolers and the emergency pump room air coolers. Closure of any of the j manually operated inlet or outlet valves for these coolers could result in i failure of the corresponding HPI pump. These valves are: I Train A - pump lube oil cooler: NSW-013, NSW-014 pump room air cooler: NSW-061, NSW-062 i Train B - pump lube oil cooler: NSW-015, NSW-017 pump room air cooler: NSW-067, NSW-068 Makeup pump - lube oil cooler: NSW-016, NSW-018 pump room air cooler: NSW-065, NSW-066 l 5.7 t
Failure of the fan motors in either of the emergency pump room coolers could likewise result in failure of the corresponding HPI/MU pump. These fans are powered by 480 VAC motor control centers: Train A: MCC-S2A1, brkr 2A116 Train B: MCC-S2B1, brkr 2B119 Makeup pump: MCC-S2B1, brkr 18117 normal MCC-S2A1, brkr 2A118 alternate 5.2 LPI SYSTEM In this section we consider the system flowpath from the HPI/LPI/RB Spray suction header to the reactor vessel. The BWST and the suction header MOVs (SFV-25003,4) are discussed in the Section 5.0 because their proper functioning is essential to the achievement of HPI injection flow. Based on review of Table 4.3, the following system failure modes are expected to be contributors of medium to low F-V Importance to core melt frequency at Rancho Seco. Performance of proper maintenance and surveillance of system hardware, proper system lineup, and proper implementation of procedures should be maintained. 1. Failure or mispositioning of LPI discharge valves 2. Failure or mispositioning of LPI throttle valves 3. Open recirculation valves to the BWST 4. LPI pump failure 5. Failure of LPI recirculation suction valves 6. Interfacing LOCA. In the following sections each of these failure modes is discussed with specific reference tc, the Rancho Seco LPI system as shown in Figure 5.2 (copy of Figure 4.6). 5.2.1 Failure Or Mispositionino Of LPI Discharge Valves Each train of LPI discharges to the reactor vessel core flood nozzles through a motor-operated safety features valve, followed by a stop check valve and a final check valve. Failure of a MOV to open on demand, or mispositioning of it or a stop check valve, or check valve binding, will thus fail one of the independent LPI trains. These valves, and power supplies for the MOVs are: Train A: SFV-26005, 480 VAC MCC S2A1, brkr 2A138 stop check valve DHS-015 check valve RCS-001 Train B: SFV-26006, 480 VAC MCC S2B1, brkr 2B147. stop check valve DHS-016 check valve RCS-002 l 5.8
2 Each train of LPI may also discharge through a normally. closed MOV to the corresponding train of HPI, allowing HPI operation with suction from the .RB sump after the BWST is emptied (piggy: back-mode).- - Failure of this MOV to open will thus prevent HPI operation in,the recirculation mode. These valves and their power. supplies are: Train A: HV-26007, 480 VAC MCC S2A1, brkr 2A139 Train B: HV-26008, 480 VAC MCC S2B1, brkr 2B148. 5.2.2 Failure Or Mispositioning Of LPI Throttle Valves After passing through the decay heat removal (DHR) coolers, flow in eac'h LPI: train is throttled by a' M0V.. Temperature-control during DHR. operation is achieved by balancing flow through each cooler with flow through a line bypassing it.- This bypass flow is controlled by a.MOV which.is closed.during LPI injection operation; "For each LPI train, flow through the DHR cooler is prevented if the MOV throttle valve ~ fails to open adequately on receipt of an SFAS signal. In-addition, LPI pump damage may result if excessive flow is allowed. This can result from failure of the-MOV in the open position; from the bypass M0V.failing open; or from operator error in failing to recognize and control excessive - LPI flow. This operator error is likely to affect both LPI. trains, and thus represents a potential common mode failure of the LPI system. Yet another failure mode is possible if flow is allowed to bypass the coolers in the LPI recirculation mode. This could' result-in pump failure due to overheating. LPI throttling valves involved in these failure modes and their' power supplies are: Train A throttiing: SFV-26039, 480 VAC MCC-S2A1:brkr 2A106 bypass: HV-26037, 2A107 Train B throttling: SFV-26038, 480 VAC MCC-S2B1 brkr 2B163 bypass: HV-26038, 2B142 5.2.3 Open Recirculation Valves to the BWST Quarterly surveillance testing requires LPI pump flow measurements using the 8-inch recirculation line to the BWST. Operator failure.to close manual . valve DHS-033 in this-line would fail LPI train 8 directly, sincelthe cross-tie valve, HV-26047, leading to this line is: normally open. If the cross-tie valve, HV-26046, from train A were also left open, this.would provide a common 1 mode failure of all LPI. A similar failure mode could also result following recirculation tests to the Spent Fuel Pool,.if proper valve. alignment was not restored.- LPI train independence would be lost if cross-tie valve HV-260046 were left open after use or testing. In this case, a piping failure in one train would fail both trains. 5.9 r 1
1 Valves.used in recirculation testing, and their power supplies, are: manual recirculation valve: DHS-033 Train A cross-tie valve: HV-26046, 480 VAC MCC-S2A1, brkr. 2A164 q Train B cross-tie valve: HV-26047, 480 VAC MCC-S281, brkr 2B165 .q 5.2.4 LPI Pump Failure j LPI pump failure can result from failure of 4160 VAC pump motor power or. 125 VDC control power to operate the 4160 VAC motor power breaker. It can j also result from failure of the breaker trip / closing coil circuitry, or failure 4 to reset lockouts (reset.of the "486 relay" requires operation of the local l pistol-grip switch to'the " TRIP-RESET" position). 4 Water (NSRW)p failure can also result from failure of the Nuclear Service Raw LPI pum System or failure of the Nuclear Service Cooling Water-(NSW) System. Failure of the NSRW system would remove cooling from the pump bearing lube oil and the pump room coolers. Failure of fans in the pump room coolers would also fail pump room cooling. Failure of the NSW system would remove { cooling from the LPI heat exchangers, resulting in pump overheating when in the LPI recirculation mode. The LPI pumps and their sources of motor and contol power are: LPI Pump P-261A Motor power: 4160 VAC bus 4A,' brkr.4A05 Control power: 125 VDC panel SOA, brkr A08 LPI Pump P-2618 Motor power: 4160 VAC bus 48, brkr 4B09 Control power: 125 VOC panel SOB, brkr 808 5.2.5. Failure Of LPI Recirculation Suction Valves Failure of.the MOV suction valves to the RB sump will prevent LPI operation in the recirculation mode. In some cases recirculation from the RCS may be required if RCS inventory is being maintained, and failure of either of the sequential MOVs in the drop line will preclude this mode of operation. These valves and their power supplies are: A train: HV-26105, 480 VAC MCC-S2A1 brkr 2A171 B train: HV-26106, 480 VAC MCC-S2B1'brkr 2B151 RCS drop line valves: HV-20001, 480 VAC MCC-S2A1 brkr 2A171 HV-20002, 480 VAC MCC-S2B1 brkr 2B107 Failure Or Mispositioning Of Other Valves Each LPI pump train has check and manual isolation valves at the suction and discharge of each. pump. Check valve binding or manual valve closure would-fail injection flow in either train. -These valves are: 5.10 l l u
Train A manual valves: DHS-005, DHS-011 check valves: DHS-003, DHS-007 Train B manual valves: DHS-006, DHS-012 check valves: DHS-004, DHS-008 LPI system valve lineups are listed in operating procedure A.8. Lineup verification requirements are also given. Heat Removal Necessary For LPI Operation The Nuclear Service Raw Water System cools the LPI pump bearing lube oil I coolers and from the emergency pump room air coolers. Closure of any of the manually operated inlet or outlet valves for these coolers could result in failure of the corresponding LPI pump. These valves are: Train A - pump lube oil cooler: NSW-055, NSW-057 pump room air cooler: NSW-063, NSW-064 Train B - pump lube oil cooler: NSW-056, NSW-058 pump room air cooler: NSW-069, NSW 070 Failure of the fan motors in either of the emergency pump room coolers could likewise result in failure of the corresponding LPI pump. These fans j are powered by 480 VAC motor control centers: ] Train A: MCC-S2A1, brkr 2A124 Train B: MCC-S2B1, brkr 2B123 The Nuclear Service Cooling Water System cools the LPI/DHR coolers which remove heat from LPI water recirculated from the RB sump. Heat is then transferred to the NSRW system in the NSW coolers. Closure of any of the normally open MOVs at the inlet or outlet of the coolers in the NSW system, or of the manual valves in the NSRW system, could result in failure of the l corresponding LPI pump. These valves and their 480 VAC power supplies are: l Train A - NSW valves: SFV-26017, MCC-S2A1 brkr 2A140 SFV-26019, 2A141 NSRW manual valves: NRW-001,NRW-003 Train B - NSW valves: SFV-26016, MCC-S2B1 brkr 2B149 SFV-26018, 2B150 NSRW manual valves: NRW-002, NRW-004. 5.3 EMERGENCY FEEDWATER SYSTEM 1 l Based on review of Table 4.4, the following system failure modes are l expected to be contributors of medium F-V Importance to core melt frequency j at Rancho Seco. Performance of proper maintenance and surveillance of system hardware, proper system lineup, and proper implementation of procedures should be maintained. i l i 5.11
1. Pump failure to start or run. 2. Loss of suction from the CST. 3. Failure or mispositioning of discharge v;1ves. 4. Mispositioning of test and cross-tie valves. In the following sections each of these failure modes is discussed with specific reference to the Rancho Seco EFW system as shown in Figure 5.3 (copy ofFigure4.9). 5.3.1 Pump Failure To Start Or Run Pump P-318 - Turbine and Motor Driven Pump Auto start is accomplished by supplying steam to the pump turbine. This requires that the steam supply valve SFV-30801 control be postitioned to " Auto"; otherwise auto start will be defeated. It also requires that the motor.. control splines have been reengaged by reseting the overspeed trip control. Starting of the motor drive for the pump is manual, and in addition, requires use of a special key operated switch if 4160 VAC vital bus 4B is powered by its EDG. Auto start of this pump requires successful operation of one or more of the following: SFAS channel 2B RCP motor power monitor channels B and D MrJ header pressure switches PSL-31757 and PSL-31758. Pump start requires: steam valve control power 125 VDC panel SOB, brkr 803 or motor power 4160 VAC bus 4B, brkr 4B10 control power 125 VDC panel SOB, brkr B08. Thus loss of 125 VDC panel SOB provides a commoa mode failure of both turbine and electric motor power to this pump. i Cooling is provided by EFW water supplied from the pump s first stage. Manual outlet isolation valves from the pump bearing cooler, FWS-703, and from the turbine bearing cooler, FWS-711, must le open. The minimum flow recirculation path to the condenser must be open to prevent pump overheating during low flow conditions. Manual valve FWS-051 must be locked open. Pump cavitation and destruction could result from back-leakage from the steam generator through check valves FWS-061 and FWS-047 heating the casing and lowering NPSH. 5.12
t,s 1w e s s gglglgIl .ilillg' g,* .gil.iI,,i .'Ii! 8, .n 1 X s.: m,: ,4 e n u : ,e , =., sw e. ,, w t sn i . r,, i s s, ,%oe
- s o
x
- u. m.
t e, e, .,s ) ) /, l w s s. r cw s' s. c n .a i ca ee m - ' i* ( .v, n ( t ,c m .a v -s s ,5 lae,i X 'xa.s x,. _ s"e, o n ..l a c t a S' ,o .we = e I m w,e n ,v w e c s _5 w n"s e n s s o, m a e c 7 3 e s i n y ,j) n g p&;r,,. g ( t ( t s y S . s t T4( - /, r e s e r. n e s t s. g, a I w a, d i e + J s e n' I 3 e 9, F ~ s "o y e, n Ys. rn r a i. 84 lb,. i l 4 N i n 6 x 4 ~ <i3 u .t_ !2 i A ( i,, ) e ) ) e o t ( ( .x. e.. c e c S c Ns. c o hJ_. -}.. g j, _. ), ) h 3 - ( c ^ 9e: ~ n f, g. a S - n =.,. 's. R s:u te - ov,. e ,.v y. e s r rt s m v.s t s g t:= en T 3 ^ e ,s 5 2 i. "e i i E l ^ R c ( U .x.- uy c G E S } 8 (h I ll ^ tD F N ,.C g
- ~,
e C ^ g y' a 5 ec-s s-o s.- n.^A.s, ) r ~ f ,a u t c a e , m. g, f. e '( r ,s .,',,c.. {. ( i *,. * -.,,.,,.C.A>t' s ( ) @1_ t , v os ,c F c. w ,g,,s ( w c> s 3 >,s s
- sy3, s
- ~,-
t; iuia
Pump P-319 - Electric Motor Driven Pump Auto start of this pump requires successful operation of one of the following: SFAS channel 2A RCP motor power monitor channels A and C MFW header pressure switches PSL-31759 and PSL-31760. It also requires that the control be placed in " Auto" except for SFAS initiated starts. Pump start requires: motor power 4160 VAC bus 4A, brkr 4A06 control power 125 VDC panel SOA, brkr A08. Cooling is provided by EFW water supplied from the pump first stage. The manual outlet isolation valve from the pump bearing cooler, FWS-702, must be open. The minimum flow recirculation path to the condenser must be open to prevent pump overheating during low flow conditions. Manual valve FWS-050 must be locked open. Pump cavitation and destruction could result from back-leakage from the steam generator through check valves FWS-062 and FWS-048 heating the casing and lowering NPSH. 5.3.2 Loss Of Suction From The CST Losc of section from the condensate storage tank (CST) can result in pump destruction. Possible causes include loss of level, breach of the tank, inability to make up, loss of heat tracing, and failure or mispositioning of valves in the suction lines. Loss of CST level could result if indication were lost. There is only one level transmitter on the CST, LIT-35803. Howevt.r, there are three level switches with annunciators to alert operators to High, Low, and LO-LO levels; LSH-35806, LSL-35808, and LSLL-35807. CST breach could result from physical damage or from plugging of the tank vent, with a failure of the nitrogen purge system. Inability to make up to the CST could result from plant air failure to pneumatic valves in the Makeup Demineralized system. The entire EFW system is located outside at Rancho Seco, and all lines are heat traced. Power is supplied from the 480 VAC vital buses 2Al and 2Bl. 5.14
The suction line from the CST to each EFW pump contains two locked open manual valves which could be mispositioned and one check valve which could bind on its seat. These are: Train A (Pump P-319) manual valves FWS-046, MCM-058 check valve MCM-060 Train B (Pump P-318) manual valves FWS-045, MCM-057 check valve MCM-059, t 5.3.3 Failure Or Mispositioning Of Discharge Valvcs Each EFW train has two parallel discharge valves to its steam generator. One valve ir pneumatically controlled by the ICS to maintain SG level at 30" if RCPs are iperating, and at 50% on the operating. range if not. In parallel is a motor operated safety features valve which opens fully on an SFAS signal. The pneumatic valves fail open on loss of instrument air. On loss of ICS power they fail to a pre-throttled position to prevent overcooling. Failure modes which would result in their failing shut include mechanical binding, leaving them hand-jacked in the shut position, misalignment at the valve actuator, or leaving their control switches in the "Close" position. The motor-operated safety features valves would not open on and SFAS signal if 480 VAC motor power or 125 VDC control power were lost. Additional valves in each train include a check valve and a locked open manual isolation valves at the discharge of each pump, and downstream of the flow control valves discussed above. These valves and their power sources (where applicable) are: Train A (Pump P-319) pneumatic ICS valve FV-20528 SFAS valve motor power SFV-20578, MCC-2A1 brkr 2A122 control power panel SOA, brkr A05. l pump discharge check valve FWS-048 manual isolation valve FWS-054 system discharge check valve FWS-062 manual isolation valve FWS-064 5.15
Train B (Pump P-318) l pneumatic ICS valve FV-20527 SFAS valve motor power SFV-20577, MCC-2B1 brkr 2B160 control power panel SOB, brkr B05 pump discharge check valve FWS-047 manual isolation valve FWS-053 system discharge check valve FWS-061 manual isolation valve FWS-063 5.3.4 Mispositioning Of Test And Cross-tie Valves The EFW pump discharge lines are crossconnected by a full diameter (6") header. This header is normally open, although motor operated valves are located at each end to allow isolation. Mispositioning of these valves could block cross flow if either of the EFW pumps fail. A second, smaller (1") cross-tie exists through lines connecting to the SG drain booster pumps. Manual valves in this cross-tie are normally closed. Cross-tie valves and their power supplies (where appropriate) are: Train A (Pump P-319) side HV-31827 - motor power 480 VAC bus 2A1, brkr 2A108 control power 125 VDC bus SOA, brkr A05 FWS-125, FWS-127 Train B (Pump P-318) side HV-31826 - motor power 480 VAC bus 2B1, brkr 2B159 control power 125 VDC bus S0B, brkr 805 FWS-126, FWS-128 Quarterly EFW pump testing requires use of the full-flow test recirculation line to the LP condenser. This line taps off the crossconnect header between the two normally open MOVs. If this line were left open it could provide a common mode failure of the system by allowing EFW discharge to bypass the SGs and to flow directly to the condenser. It should be noted that the EFW pumps are tested individually, with the crossconnect header isolated from the train not being tested. Consequently, this testing provides a mechanism which could lead to inadvertent crossconnect isolation if appropriate valve lineups are not restored after testing. The test flow line to the condenser contains the following normally closed valves: FWS-055 manual valve FV-31855 pneumatic valve. The air operated valve will fail closed on either loss of air or loss of power to the positioning solenoids. Mispositioning or mechanical binding could fail it in the open position. Under EFIC (Emergency Feedwater Initiation and Control) system control this valve will close upon an EFIC initiation. 5.16
EFW valve lineup checklists are listed in operating procedure A.51. Lineup verification requirements are also given. 5.4 SERVICE WATER SYSTEMS This section discusses failure modes expected to be significant contributors to core melt frequency at Rancho Seco, based on review of the SWS failures in the dominant cut sets of the PRAs studied. Failure modes are discussed with specific reference to the Rancho Seco systems: the Nuclear Service Cooling Water System and the Nuclear Service Raw Water System as shown in Figures 5.4 and 5.5 (copies of Figures 4.20 and 4.21). The following failure modes are expected to be significant for the NSRW system at Rancho Seco. 1. Pump failure to start or run. 2. Mispositioning of L ader manual valves. 3. Erroneous isolation of coolers. 4. Failure of pump room cooler fans. 5.4.1 Nuclear Service Raw Water System In the following sections each of these failure modes is discussed with specific reference to the Rancho Seco NSRW system. 5.4.1.1 Pump Failure To Start Or Run The NSRW system is comprised of two trains. They are cross-connected, but they are separated by locked closed manual valves. Consequently, failure of a pump removes cooling to all of the ESF components cooled by NSRW in the corresponding train; the HPI and LPI/RB Spray lube oil coolers, the emergency pump room air coolers, the EDG coolers, and the NSW coolers which receive heat from the LPI coolers and the RB emergency cooling units. Periodic surveillance testing, maintenance activities (including proper use of procedures), and the assurance of availability of electric power are important to ensure that the operability of these pumps is maintained. Motor power for the NSRW pumps is from the 4160 VAC vital buses, and control power for breaker operation providing automatic start on SFAS signal receipt is from the 125 VDC vital buses. NSRW Pump P-472A Motor power: 4160 VAC bus S4A, brkr 4A07 Control power: 125 VDC bus SOA, brkr A08 NSRW Pump P-472B Motor power: 4160 VAC bus S48, brkr 4B08 Control power: 125 VDC bus SOB, br,Kr 808. 5.17
'N Tr k !:! T 1, 19 i L6 1 I oj. I o .11 !I ilg! @:.i:
- 99;i l
+il ' 11 :*nI r., i Il i .... i i,, i 'i l g; t I r ,,1 .,i. r iy si i i, ,; r l i Ia j 1 " i != h 11 I I I U L,. ij i J.*~i i; li ;)., U - U m: l .i i i g e -{i tr v (M..gl I3 .il i 8-4 g T3 3 is, I.i i / e, i m
- . i.
,! i i t. je i.
- i Il i
1 : s m' !l* f! lll 11 ( ID n gi .s M il \\ fd ( afr \\ 3 -(il. 1l p. 9
- 9 a e
i!!: 2 i 1 73
- =. _7.m. -..y 3
iy iy _ _g,3_ _
- l.
g ,h,; c r +i
- es 8,
I, nn i $!Dql.5I! -c @ t.h li )*
- j
_w.m .. g. s y 0 I s i il ;I. .:1, - -, =.. _ w iii .l e c my i;; )4 edi j g' i m g 1 li.: 1,'s N '
- 4. F g
/ !!(lC IID() I i!!! H8 O E r'-- g s 0;: --(i}- .. ' ' ' 7, sedg_. J:Id g il,.l-e li v li G,y -/', 8[. o
- 1 m
g -i b f d = i; Jg', eig.1i,j Ii o o it! n !!i \\ l1; i II: 1, '7 !.h.d -ll dia g m 1;3gA !r o
- ,1 l'
Tl l' jr
- =
s1 s' ~ s. li IIn.n ~ s. ,,,. d 4 (?p;! "A-C.
- +0-m.3 j
u. l i i, ljeul i it! il!!=1 ill1 ml 4 i i s l 11 Y-e, m. m.m.==.Mr.-ill c "i ,y p!, _A .i: =q t I. I Li 4 1 ,I ( !!;I'*Ih I s g; i ! )- I!,'1y l $ lj! gi; l i 3[ ti lii sq. 5.18
e j 7 .s t.e: .f.. t t.t. tal. emts f s e,. es. ca f.E.- a .c ~ w,
- a.,.
p y t. l e s m e t j ,iI o, ( s a y e. -e-S
- s. > -
t. ..p_D.. u. a. e n. r se ,a,L. c s, s 0 C a t t ~ a = s 0 .u T .o 0 a. s 9 e. 0 t C 0 e. 0 9 ~ '. e.- - s . o C a l s. W .,r. ,E. .E t c ..G c c. q. u ,n h t c c ... w. _.am g ntc _ M *.4 s . E a s e o .a n .te ~ i e rIL = 9 l = .( 0 o -2 o E l .M, o o I C o f 0 i.. t 0 a.. mg 0 o e .j 9 o s ._.a e s, ay, , g e.-e i c c c .8 F e ey ,s ,t s. s g sr w. n 0 , g v o 0 o ,o. ,0 ,g t r u. N@J: s S t r e c o e j o s Op. E W r. s. S ,o. ,C. s F e , rw i S S 5 - sv h s. t. O s ,O S g c. o 5 S ai ,o l S o o r
- .g
.u. e o a ,M g 1 0 0 ,o. ,0* ,0* e ,o F0 F0 l s S S 5 c w .s M.. o. u N 2 S 0 E O a C ,o. S .s F0 F 0* O* c.. ,o O o }
- c..
s S S c L.. s.. 9 u e. e c S .,.a,.".. 4_. e..- t o ,4s ,. w 1.. o c., h 4 .e 3 e u.< s. e c n .s e n. h a R i et evP et
- gIili, a
.r I o, ~. E = 5 o.e en s st . _L, w 5 nou e.v n i._. e e 8 o o .0 R e l. ?. nY. 2 U g-2 G
- v f
9 . WF e f I ,e.. s S S i.- F o O. ~ F 8 .s E E n. n. . Me %, t-w. .+- .er. .r m A c t t. t c t O .n. e .e. .c s. s. t ,O .e .C t t .L. eL te. ,e ,w , v s .o .o ,o. t. s n u ~ ce Ca Et =.t i .g ,.= , n w* e lIl
In addition to maintaining the pump hardware operable, it is important to ensure that the onset of ESF conditions results in a start signal to the Automatic start signals for pumps A and B are provided by SFAS channels pumps. 1A and IB, respectively. 5.4.1.2 Misoositioning Of Header Manual Valves The NSRW system valves are manually operated. Although power supplies and power actuators for the valves are not a consideration, maintenance and preventive maintenance of valves and manual operators, and valve lineups are important. System lineups for operating and SFAS standby conditions are listed in enclosures to operating procedure A.25, along with verification requirements. These may be used for system walkdown checks. g The NSRW system is cooled by spraying water exiting from the coolers into the air. Cooling efficiency depends upon ambient conditions and the fraction of flow which is allowed to bypass the spray nozzles and discharge directly into the pool. For each train, the flow split between spray and bypass is controlled by a mechanically interlocked pair of valves located at the spray pool. These are normally operated in the " spray" position. -1 The supply of NSRW water to the ECCS pumps and room coolers is controlled by a locked open header inlet valve in each train. Inlet header and discharge valves are: Train A: cooler inlet header valve NRW-019 interlocked spray / bypass valve NRW-041 Train B: cooler inlet header valve NRW-020 interlocked spray / bypass valve NRW-042 The inlet and discharge headers of Train A and B are cross connected by lines containing four valves each, which are locked closed during SFAS standby. These valves are: inlet header cross-tie valves NSW-006, NSW-008, NSW-009, NSW-010 outlet header cross-tie valves NSW-005, NSW-007, NSW-059, NSW-060 5.4.1.3 Erroneous Isolation Of Coolers NSRW flow through coolers for the emergency diesel generators, HPI, LPI and for the emergency pump room coolers is provided by the following manual valves which are required to be locked open for SFAS standby operation: Train A EDG water cooler NRW-005, NRW-007 HPI pump oil cooler NSW-013, NSW-014 MU pump c,il cooler NSW-016, NSW-018 LPI pump oil cooler NSW-055, NSW-057 RB Spray oil cooler NSW 026, NSW-025 5.20
HPI pump room cooler NSW-061, NSW-062 MV pump room cooler NSW-065, NSW-066 LPI/RBS room cooler NSW-063, NSW-064 Train B EDG water cooler NRW-006, NRW-008 HPI pump oil cooler NSW-015, flSy-017 LPI pump oil cooler NSW-056, NSW-058 RB Spray oil cooler NSW 011, NSW-012 HPI pump room cooler NSW-067, NSW-068 LPI/RBS room cooler NSW-069, NSW-070 5.4.1.4 Failure Of Pump Room Cooler Fans Emergency pump room ' coolers start automatically when their associated pumps start on an SFAS signal. Compliance with operability requirements, in addition to performance of proper maintenance and surveillance of system hardware, proper system lineup, and proper implementation of procedures are important for these. Operation of pump room coolers is discussed in operating procedure A.14. Cooler fan power supplies are from the following 480 VAC motor control centers: Train A HPIP room cooler A-529A fan MCC-S2A1, brkr 2A116 MVP room cooler A-529B fan MCC-S2A1, brkr 2A118 - alternate LPIP room cooler A-529D fan MCC-S2A1, brkr 2A124 Train B HPIP room caoler A-529C fan MCC-S2B1, brkr 2B119 MVP room cooler A-529B fan MCC-S2B1, brkr 2B117 - normal LPIP room cooler A-529E fan MCC-52B1, brkr 2B123 5.4.2 Nuclear Service Cooling Water System The following failure modes are expected to be significant for the NSW system at Rancho Seco. 1. Pump failure to start or run. 2. Failure or mispositioning of flow valves. 3. RB emergency cooler problems. In the following sections each of these failure modes is discussed with specific reference to the Rancho Seco NSW system. 5.4.2.1 Pump Failure To Start Or Run The NSW system is comprised of two trains, as is the NSRW system. The trains are not cross-connected except through a' common supply line from the AFW system. Manual valves in this line are locked closed during SFAS operation. 5.21
Consequently, failure of a pump removes cooling to all of the ESF components in that train of NSW. This includes the LPI coolers and the RB emergency cooling unitt. Periodic surveillance testing, maintenance activities (including proper use of procedures), and the assurance of availability electric power are important to assure that the operability of these pumps is maintained. I Motor power for the NSW pumps is from the 480 VAC vital buses, and control power for breaker operation providing automatic start on SFAS signal receipt is from the 125 VDC vital buses. NSW Pump P-482A Motor power: 480 VAC bus S3A, brkr 3A18 Control power: 125 VDC bus SOA, brkr A05 NSW Pump P-4828 Motor power: 480 VAC bus S38, brkr 3B18 Control power: 125 VDC bus SOB, brkr 805. NSW pump start is prevented, and each pump will trip, if level in the corresponding NSW surge tank decreases to three inches. In addition to maintaining the pump hardware operable, it is important to ensure that the onset of ESF conditions results in a start signal to the pumps. Automatic start signals for pumps A and B are provided by SFAS channels 1A and 1B, respectively. 5.4.2.2 Failure Or Mispositioning Of Flow Valves The major flow paths of the NSW system contain both manual and MOV valves. Assurance of availability of power supplies, MOV Operability, verification and maintenance and preventive maintenance activities are important. System lineups for operating and SFAS standby conditions are listed in enclosures to operating procedure A.24, along with verification requirements. These may be used for system walkdown checks. Each NSW train contains a locked open manual valve at the pump suction. A locked open manual valve is also located in the line connecting the train to the corresponding NSW surge tank. Two normally closed manual valves are located in series in the lines connecting each train to the EFW system. In addition, MOV safety features valves are located at the inlet and outlet of each LPI cooler. These valves and their 480 VAC vital power sources (where appropriate) are: Train A: pump suction manual valve NSW-003 surge tank line manual valve NSW-001 EFW connection manual valves FWS-113, FWS-114 LPI cooler inlet valve SFV-26017, MCC-2A1 brkr 2A140 LPI cooler outlet valve SFV-26019, MCC-2A1 brkr 2A141 5.22
Train B: pump suction manual valve NSW-004 surge tank line manual valve NSW-002 EFW connection manual valves FWS-111, FWS-112 LPI cooler inlet valve SFV-26016, MCC-281 brkr 2A149 LPI cooler outlet valve SFV-26019, MCC-2B1 brkr 2A150 5.4.2.3 Reactor Building Emergency Cooler Problems NSW flow through the RB emergency coolers is provided by locked open manual valves which are throttled to achieve proper flows, and by MOV safety features valves at the inlet and outlet of each cooler. Assurance of availability of power supplies, MOV operability verification, and maintenance and preventive maintenance activities are important. These valves and their 480 VAC vital power sources (where appropriate) are: Train A: Cooling unit A manual valves NSW-083, NSW-084 inlet MOV SFV-50005, MCC-2A1 brkt 2A147 outlet MOV SFV-50009, MCC-2A1 brkr 2A149 Cooling unit C manual valves NSW-085, NSW-086 inlet MOV SFV-50007, MCC-2A1 brkr 2A148 outlet MOV SFV-50011, MCC-2A1 brkr 2A150 Train B: Cooling unit B manual valves NSW-087, NSW-088 inlet M0V SFV-50006, MCC-2B1 brkr 2B155 outlet MOV SFV-50010, MCC-2B1 brkr 2B157 Cooling unit D manual valves NSW-089, NSW-090 inlet MOV SFV-50008, MCC-2B1 brkr 2B156 outlet MOV SFV-50012, MCC-281 brkr 2B158 5.23
6.0 CHANGES AT ANO-1 Late in the project, after the Task One report was prepared and failure mode analyses for some of the systems had been performed, we were informed of plant design changes made at ANO-1 which significantly affect the PRA for this plant. This information was received by telephone from the project manager of an effort to computerize the ANO-1 PRA, which would allow input of plant conditions on a real-time basis. The result of that effort was the PRISM code (Campbel? et al. 1985), which has recently been revised to make it correspond to present plant design and operational status. We have not received documentation of the changes discussed, but nevertheless discuss their relevance to our work. The design changes instituted at ANO-1 remove initiating events from the PRA analysis due to changes in the electrical power supply to the MFW system. Previously, loss of either one vital AC or DC bus would trip the plant and fail the power conversion system. This dependence has been removed. The F-V Importance values which we have calculated for the AN0-1 vital AC and DC power systems would be considerably reduced by these changes. How do these results affect our work and conclusions? Based on the similarity between the Rancho Seco and ANO-1 electrical systems we have inferred a moderatly high F-V Importance value for these systems at Rancho Seco. If it were determined that Rancho Seco were immune to loss of a vital AC or DC bus as a transient initiating event, we would revise this estimate downward. However, it is by no means certain that vital bus loss would not trip the Rancho Seco reactor. We have pursued this question by telephone discussions at the plant site, and have learned that they have a Deterministic Failure Group which is presently addressing this question. No analysis results are yet available. Since Rancho Seco cannot dismiss this question easily, and has supported its relevance by formally addressing it, we feel our analysis presented in this document on the basis of the earlier ANO-1 design is acceptable for the present purpose. If additional resources were to be directed to extending our work, however, we would recommend that this topic be restudied using documented results from the rnised ANO-1 PRA. For the sake of completeness we include here a brief discussion of other results from the ANO-1 PRA revision. There are basically two additional effects, one of which increases the F-V Importance of vital AC power supply and partially compensates for the reduction discussed above. We have been told that, despite the removal of the vital-power-loss initiating events and associated dominant cut sets, the revised value of calculated total core melt frequency has not changed much. This results from incorporation of two new effects. 6.1
I The first compensating effect is an increase in the estimated core melt frequency due to loss of offsite power with failure of both EDGs (station blackout). This results from revisions in the analysis of extended blackouts lasting eight hours or more. This increase will clearly increase the F-V Importance of the Vital AC system, compensating to some extent for reductions due to the design changes to this system. The second compensating effect is an increased probability of safety / relief valve operation and failure to reseat. ANO-1 now operates with the PORV block valve closed, increasing the probability that safety valves will i be actuated. This, in combination with an increased probability of HPI failure due to room cooling effects, helps to increase the core melt frequency back near that originally estimated. Thus, the F-V Importance of the SRV would be increased. I We have neither the time, budget nor information necessary to revise our analysis to incorporate these PRA changes. However, we note that the effects could clearly be incorporated - they do not challenge the validity of our approach any more than they challenge the validity of the PRA approach. The primary effect of the changes noted above would be to adjust estimates of system importances. However, the major system failure modes identified from the surrogate plant PRAs would still remain relevant. Consequently, the valve lineups, power supply dependencies, and effects of support system losses identified herein remain relevant for Rancho Seco. 6.2
REFERENCES Campbell, 0. J., V. H. Guthrie, G. F. Flanagan. 1985. " Operational Phase of Inspection Prioritization." In Proceedings of Thirteenth Water Reactor Safety Research Information Meeting ed. A. J. Weiss. NUREG/CP-0072, Vol 1, pp. 19-34. Gore, B. F. 1986. Rancho Seco Power Plant Inspection Guidance Derived from PRAs for Surrogate Plants: Task One Report. PNL-6032-1, Pacific Northwest Laboratory, Richland, WA. Higgins, J. C. 1986. Probabilistic Risk Assessment (PRA) Applications. NUREG/CR-4372, U.S. Nuclear Regulatory Commission, Region I, King of Prussia, PA. Higgins, J. C., S. M. Wong, M. A. Azarm, and W. T. Pratt. 1984. Limerick Systems Prioritization and Inspection Program Recommendations. A-3451, Brookhaven National Laboratory, Upton, NY. ( Hinton, M. F. and R. E. Wright. 1986. Pilot PRA Applications Program for Inspection at Indian Point 2. EGG-EA-7136, Idaho National Engineering Laboratory, Idaho Falls, ID. Hinton, M. F. and R. E. Wright. 1986. PRA Applications Program for Inspection at Seabrook Station Draft Report. EGG-EA-7194, Idaho National Engineering Laboratory, Idaho Falls, ID. Kolb, G. J., et al. 1982. Interim Reliability Evaluation Program: Analysis of the Arkansas Nuclear One - Unit 1 Nuclear Power Plant. NUREG/CR-2787, Sandia National Laboratories, Albuquerque, NM. Kolb, G. J., S. W. Hatch, P. Cybulskis and R. O. Wooton. 1981. Reactor Safety Study Methodology Applications Program: Oconee #3 PWR Power Plant. NUREG/CR-1659/2 of 4, Sandia Nuclear Laboratories, Albuquerque, NM. Lambert, H. E. 1975. " Measures of Importance of Events". In Reliability And Fault Tree Analysis, ed. R. E. Barlow et al., pp. 77--100. SIAM Press, Philadelphia, PA. Sacramento Municipal Utility District. Nuclear Generating Station Systems Training Manual. Sacramento Municipal Utility District, Sacramento, CA. Sugnet, W. R., G. J. Boyd, S. R. Lewis, et al. 1984. Oconee PRA, A Probabilistic Risk Assessment of Oconee Unit 3. NSAC-60 Electric Power Research Institute, Palo Alto, CA. Figures from this copyrighted report are reproduced by perr.ssion of EPRI. Taylor, J. H., R. Fullwood, and A. Fresco. 1986. Probabilistic Safety Study Applications Program for Ins 3ection of the Indian Point Unit 3 Nuclear Power Plant. NUREG/CR-4565, Brook 1aven National Laboratory, Upton, NY. R.1
NUREG/CR-4768 VOLUME 2 PNL-6032-2 DISTRIBUTION No. of No. of Copies Copies 0FFSITE OFFSITE U.S. Nuclear Regulatory Commission D. J. Campbell J. G. Partlow JBF Associates, Inc. EWS-360 1000 Technology Park Center Knoxville, TN 37932 R. W. Starostecki EWW-322 J. C. Higgins Brookhaven National Laboratory B. K. Grimes Upton, NY 11973 EWW-341 J. H. Taylor L. Whitney Brookhaven National Laboratory EWS=346 Upton, NY 11973 U.S. Nuclear Regalatory Commission A. Fresco Region 1 Brookhaven Nati)nal Laboratory Upton, NY 11973 S. Collins B. Hillman M. F. Hinton W. F. Kane EG&G Idaho, Inc. Idaho Falls, ID 83415 U.S. Nuclear Regulatory Commission Region 2 R. Wright EG&G Idaho, Inc. M. Ernst Idaho Falls, ID 83415 A. Gibson F. Jape K. Canady A. Herdt Duke Power Co. l P.O. Box 33189 U.S. Nuclear Regulatory Commission Charlotte, NC E8242 Region 5 W. A. Sugnet 10 A. Toth (6) Electric Power Research Institute A. E. Chaffee 3412 Hillview Avenue J. Crews Palo Alto, CA 94303 J. B. Martin L. Miller R. Pate Distr.1
NUREG/CR-4768 VOLUME 2 PNL-6032-2 DISTRIBUTION No. of No. of Copies Copies OFFSITE ONSITE G. J. Kolb 29 Pacific Northwest Laboratory Sandia National Laboratories Albuquerque, NM 87185 W. J. Apley T. T. Claudson A. D'Angelo L. R. Dodd NRC Senior Resident Inspector B. F. Gore (10) Rancho Seco Nuclear Power Plant J. C. Huenefeld (5) 14440 Twin Cities Road C. H. Imhoff Herald, CA 95638 W. J. Scott B. D. Shipp T. V. Vo Publishing Coordination (2) Technical Report Files (5) Distr.2
~ac,oa. 3x u s. ~ucuma nioutaroav co-uissio~ ' woa r ~uMa a ""~ a r'oc "" * ** ~' o ** NUREG/CR-4768 ?,"j " 2 BIBLIOGRAPHIC DATA SHEET Volume 2 ni,~sta io~s o~ rue aanass PNL-6032-2 / 2 ritLE.No. TirLg 3 Lt.v t 8 6.N= Methodol y and Application of Surrogate Plant PRA Analysis the Rancho Seco Power Plant ,,,,,,,,,,,cy,,, ..u r,,o a,,, September gl,p/ MONTH vE.a 1986 B. F. Gore 6 o.f EgEPOm f 'S$vt3 p yo~,- V.. J. C. Huenefeld July 1987 , n, oo m.o o.a ~,z. T io~ ~. .~o . L,~o.oo in ". u c, e naoacr r.s eaa u~'r ~uMaa Pacific Northest 'L oratory PO Box 999 ,,,~ oa p~ r ~uona BgE*03 Richland, WA 99352 ,,,Pe ~,e., ~ e e.. ~,,,,,e ~ ~.... _... ......,__~c. .. ~. - - o r Division of Reactor Safet nd Projects 8 ( Region V Final Report U. S. Nuclear Regulatory Co .'ssion f ' " " ' C " " ' " * " " * * " " Washington, D. C. 20555 / 4/86 to 9/86 r 12 SUPPLEMENT.8t v NOTES T / e......c,_.,., This two-volum report presents the% ,r dgveloppent and first application of a methodology for using generic PRA information to i'dentgfy risk-important systems and components at a plant lacking a PRA. The methodckogy requires the detailed analysis of both similarities and differences between rehted plants. It is applied in an analysis of the Rancho Seco plant using informatigf ffpm PRAs for the ANO-1 and Oconee plants. It is generic, drawing upon the func,tfonal%nd design similarities of B&W plants, yet it incorporates considerable plant specificity %hrough the detailed comparative analysis of systems. Volume 1 presents theranalysis &{ the surrogate plant PRAs. Dominant cut sets leading to core melt are idehtified and dg'alyzed to determine the Fussel-Vesely Importance of plant systems. IWVolume 2 the cqminant cut sets are further analyzed to studiedtodeterminetheplaus/ntsystemfailurdgmodes. identify and categorize import The Rancho Seco plant is then ibility and importahce of similar failure modes for: HighPressureInjection,Lo[PressureInjection, rgency Feedwater, Service Water, Vital AC power and DC ?ow systems. Plant-specif information is then presented identifying Rancho Seco mponents, power supplies, nd operating modes associated with the failure modes r the first four of these syl ems. i.oocuue~r.~.sn,.. u - us oisca,voas 's y, g rv PRA, risk analys , generic PRA applications Rancho Seco, co onents important to risk Unlimited it sEcuairy cL.55i8tCarioN < r.., y,,, .ioe~rg.eas,on ~e soreaus Unclassified i 78 8 r.r)0rt) t, NvM84a O8 P.GEs 18 9RtC E
- U. $, GOWE RNME nit PRINf lNO Cff !CE 1997-191-692 60160
UNITED STATES NUCLEAR REGULATORY COMMISSION '"EN/AYe"OfrNIrS*" WASHINGTON, D.C. 20555 ,yjU"E. f g OFFICIAL BUSINESS PENALTY FOR PRIVATE USE,4300 120555078877 1 1AN1GP US NRC-0 ARM-ADM DIV 0F PUB SVCS POLICY & PUB MGT BR-POR NUREG W-537 WASHINGTON OC 20555 l _}}