ML20246A359

PRA Applications Program for Inspection at Calvert Cliffs Unit 1 Nuclear Power Plant
ML20246A359
Person / Time
Site: Calvert Cliffs 
Issue date: 06/30/1989
From: Gore B, Harris M, Vo T
Battelle Memorial Institute, PACIFIC NORTHWEST NATION
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-B-2602 NUREG-CR-5187, PNL-6574, NUDOCS 8907060247


Text

NUREG/CR-5187
PNL-6574

PRA Applications Program for Inspection at Calvert Cliffs Unit 1 Nuclear Power Plant

Prepared by T. V. Vo, M. S. Harris, B. F. Gore

Pacific Northwest Laboratory
Operated by Battelle Memorial Institute

Prepared for U.S. Nuclear Regulatory Commission


NUREG/CR-5187
PNL-6574

PRA Applications Program for Inspection at Calvert Cliffs Unit 1 Nuclear Power Plant

Manuscript Completed: April 1989
Date Published: June 1989

Prepared by T. V. Vo, M. S. Harris, B. F. Gore

Pacific Northwest Laboratory
Richland, WA 99352

Prepared for Division of Radiation Protection and Emergency Preparedness, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555

NRC FIN B2602

ABSTRACT

The level one probabilistic risk assessment (PRA) for Calvert Cliffs Unit 1 (CC-1) has been analyzed to identify plant systems and components important to minimizing public risk, as measured by system contributions to plant core melt frequency, and to identify the primary failure modes of these components. This information has been tabulated and correlated with inspection modules from the NRC Inspection and Enforcement Manual. The report presents a series of tables, organized by system and prioritized by risk importance, which identify components associated with 98% of the inspectable risk due to plant operation.

The systems addressed, in descending order of risk importance, are: Reactor Protection, Auxiliary Feedwater, DC power, AC power, Power Conversion, High Pressure Injection, Room Cooling, Salt Water, Safety Relief Valves, and Chemical Volume and Control. This ranking is based on the Fussell-Vesely measure of risk importance, i.e., the fraction of the total core melt frequency which involves failures of the system of interest.

SUMMARY

The PRA Applications Program for inspection at Calvert Cliffs Unit 1 (CC-1) was performed for the U.S. Nuclear Regulatory Commission (NRC) at Pacific Northwest Laboratory (PNL). This program applies a previously developed methodology to identify and present information which is useful for the planning and performance of powerplant inspections.

The level one probabilistic risk assessment (PRA) for CC-1 (Payne 1984) has been analyzed to identify plant systems and components important to minimizing public risk, as measured by system contributions to plant core melt frequency. This information has been tabulated and correlated with inspection modules from the NRC Inspection and Enforcement (IE) Manual (USNRC 1984) which are used by inspectors in the planning and performance of inspections.

The body of this report consists of a series of tables, organized by system and prioritized by risk importance, which identify components associated with 98% of the core melt probability resulting from plant operation. Following a section describing important accident initiators and sequences identified in the PRA, tabulations are presented for ten systems. These system tables are ordered by system risk importance, as measured by the fraction of the total core melt probability associated with failures of each system.

Three tables are presented for each system. The first table presents the failure modes identified in the PRA for each important system component. The second table correlates each component with the IE inspection modules most related to ensuring component reliability. The third table provides a modified system check off list identifying the proper line-up of each component during normal operation.

The tabulations were developed by the following analysis procedure. First, the plant systems were ordered according to system risk importance. To accomplish this, the dominant cut sets representing more than 98% of the core melt probability were listed, and the fraction of the total core melt probability which involved failures of components from each system was calculated [this is the Fussell-Vesely Importance measure (Henley 1981)]. Systems were then selected from the ordered list until more than 98% of the core melt probability was accounted for. Second, for each selected system, the fault tree from the PRA was reanalyzed to rank system components according to their importance to system failure. For each system, components were selected for inclusion in the tabulations until more than 95% of the system failure probability had been addressed.

The tables thus present, in decreasing order of system importance, the failure modes, applicable inspection modules, and a check off list of normal operational state for all components associated with 98% of the core melt probability associated with plant operation. This information allows an inspector to readily identify important systems and components when developing an inspection plan and when walking down systems in the plant.

The information presented in this document allows an inspector to concentrate his efforts on systems important to the prevention of core melt. However, it is essential that inspections not focus exclusively on these systems. Other systems which perform essential safety functions, but are absent from the tables because of high reliability and redundancy, must also be addressed to ensure that their importance is not increased by allowing their reliability to decrease. A balanced inspection program is essential. This information represents but one of the many tools to be used by experienced inspectors.

ACKNOWLEDGMENTS

Thanks are extended to A. C. Payne of Sandia National Laboratory, Project Manager of the Calvert Cliffs Unit 1 PRA, for information which he provided concerning the fault tree analyses and many discussions during the performance of this analysis. This analysis was performed under sponsorship by both NRC Headquarters (Technical Project Manager, Steve Long) and NRC Region 1 (Project Manager, Bernie Hillman). We wish to thank both our project managers for their insights and a smooth, efficient three-way interface. We also wish to thank our colleagues at Brookhaven National Laboratory (BNL) and at the Idaho National Engineering Laboratory (INEL) for many discussions. In particular, we thank Ron Wright of INEL for providing us with a version of the Integrated Reliability and Risk Analysis (IRRAS) fault tree analysis code specially adapted for use on an IBM-PC.

CONTENTS

ABSTRACT
SUMMARY
ACKNOWLEDGMENTS
1.0 INTRODUCTION
2.0 ANALYSIS OF THE CC-1 PRA
    2.1 CALCULATION OF SYSTEM IMPORTANCES
    2.2 CALCULATION OF COMPONENT IMPORTANCES
    2.3 PREPARATION OF TABLES
    2.4 CONCLUSIONS AND RECOMMENDATIONS
3.0 IMPORTANT ACCIDENT INITIATORS AND SEQUENCES
    3.1 ANTICIPATED TRANSIENTS WITHOUT SCRAM (ATWS)
    3.2 SMALL-SMALL LOCA
    3.3 LOSS OF 125 VDC BUS 11
    3.4 LOSS OF OFFSITE POWER
    3.5 TRANSIENTS REQUIRING PRIMARY RELIEF
    3.6 LOSS OF POWER CONVERSION SYSTEM (PCS)
    3.7 STATION BLACKOUT
    3.8 OTHER TRANSIENTS
4.0 SYSTEM INSPECTION TABLES
    4.1 REACTOR PROTECTION SYSTEM
    4.2 AUXILIARY FEEDWATER SYSTEM
    4.3 EMERGENCY DC POWER SYSTEM
    4.4 EMERGENCY AC POWER SYSTEM
    4.5 POWER CONVERSION SYSTEM
    4.6 HIGH PRESSURE SAFETY INJECTION SYSTEM
    4.7 EMERGENCY CORE COOLING PUMP ROOM COOLING SYSTEM
    4.8 SALT WATER SYSTEM FAILURE MODE IDENTIFICATION
    4.9 CODE SAFETY VALVES
    4.10 CHEMICAL AND VOLUME CONTROL SYSTEM
5.0 CONTAINMENT PROTECTION SYSTEMS AT CC-1
    5.1 CONTAINMENT SPRAY SYSTEM
    5.2 CONTAINMENT AIR RECIRCULATION AND COOLING SYSTEM
REFERENCES
TABLE OF ACRONYMS

FIGURES

4.1 Simplified Functional Diagram of the Reactor Protection System
4.2 (Sheet 1) Simplified System Drawing of AFWS
4.2 (Sheet 2) Simplified System Drawing of AFWS
4.3 AFWS Support System Dependency Diagram
4.4 Simplified System Drawing of Emergency AC and DC System
4.5 Emergency DC Support System Dependency Diagram
4.6 Emergency AC Support System Dependency Diagram
4.7 (Sheet 1) Simplified System Drawing of MFWCS
4.7 (Sheet 2) Simplified System Drawing of MFWCS
4.8 PCS Support System Dependency Diagram
4.9 Simplified System Drawing of HPSI/R
4.10 HPSI/R Support System Dependency Diagram
4.11 Simplified System Drawing of ECCS Pump Room Cooling System
4.12 ECCS Pump Room Cooling System Dependency Diagram
4.13 Simplified System Drawing of SWS
4.14 SWS Support System Dependency Diagram
4.15 Simplified System Drawing of CVCS
4.16 CVCS Support System Dependency Diagram
5.1 Simplified System Drawing of CSS/SDHX
5.2 CSS/SDHX Support System Dependency Diagram
5.3 Simplified System Drawing of CARCS
5.4 CARCS Support Dependency Diagram

TABLES

2.1 Calculated System Importance
3.1 Core Melt Frequencies Associated with Important Initiating Events
4.1A Reactor Protection System Failure Mode Identification
4.1B IE Modules for Reactor Protection System Inspection
4.1C Modified Reactor Protection System Walkdown
4.2A Auxiliary Feedwater System Failure Mode Identification
4.2B IE Modules for Auxiliary Feedwater System Inspection
4.2C Modified Auxiliary Feedwater System Walkdown
4.3A Emergency DC Power System Failure Mode Identification
4.3B IE Modules for DC Power System Inspection
4.3C Modified Emergency DC Power System Walkdown
4.4A Emergency AC Power System Failure Mode Identification
4.4B IE Modules for Emergency AC Power System Inspection
4.4C Modified Emergency AC Power System Walkdown
4.5A Power Conversion System Failure Mode Identification
4.5B IE Modules for Power Conversion System Inspection
4.5C Power Conversion System Walkdown
4.6A HPSI System Failure Mode Identification
4.6B IE Modules for HPSI System Inspection
4.6C Modified High Pressure Safety Injection System Walkdown
4.7A Emergency Core Cooling System Failure Mode Identification
4.7B IE Modules for ECCS Pump Room Cooling System Inspection
4.7C ECCS Pump Room Cooling System Walkdown
4.8A Salt Water System Failure Mode Identification
4.8B IE Modules for Salt Water System Inspection
4.8C Modified Salt Water System Walkdown
4.9A Code Safety Valves System Failure Mode Identification
4.9B IE Modules for Code Safety Valves System Inspection
4.9C Modified Code Safety Valve System Walkdown
4.10A Chemical and Volume Control System Failure Mode Identification
4.10B Modified Chemical and Volume Control System Inspection
4.10C Modified Chemical and Volume Control System Walkdown
4.11 Plant Operations Inspection Guidance
4.12 Surveillance Inspection Guidance
4.13 Maintenance Inspection Guidance
4.14 Quality Assurance/Administrative Control Inspection Guidance

1.0 INTRODUCTION

This work was performed for the U.S. Nuclear Regulatory Commission (NRC) as part of an extensive program to develop information based on probabilistic risk analyses (PRAs) for use in the planning and performance of nuclear powerplant inspections. Due to the broad scope of this program, project work has been divided among three national laboratories, each of which concentrates upon a particular reactor type. Thus, Brookhaven National Laboratory (BNL) analyzes plants powered by boiling water reactors, and Idaho National Engineering Laboratory (INEL) analyzes pressurized water reactor plants (PWRs) built by Westinghouse. Pacific Northwest Laboratory (PNL) analyzes PWRs from both Babcock & Wilcox and Combustion Engineering.

In this particular project, information from the Calvert Cliffs Unit 1 (CC-1) PRA (Payne 1984) has been used to identify plant systems and components important to minimizing the probability of core melt, and to identify failure modes for these components. This information has been tabulated and correlated with inspection modules from the NRC Inspection and Enforcement (IE) Manual (USNRC 1984) which are used by inspectors in the planning and performance of inspections. The body of this report consists of a series of tables, organized by system and prioritized by system importance, which identify components associated with 98% of the plant core melt probability.

Previous studies in this program (Hinton and Wright 1986, Higgins 1986) have addressed how PRA-based information may be best incorporated into inspection planning, performance and evaluation. The conclusion of this previous work was that the existing IE Manual provides a logical and effective framework for inspection planning. This manual contains an extensive sequence of inspection procedures, or modules, addressing functional areas such as calibration, surveillance, maintenance, engineered safety features (ESF) system walkdown, etc. It also contains a methodology for selecting inspection modules for performance, plus guidance on the frequency at which modules should be performed. It was concluded that this manual should be retained as the general framework for inspection planning. PRA-based information, which is necessarily plant-specific, should be provided for each plant. This information should then be used in the inspection planning process to help focus on areas where public risk is most sensitive to performance degradation.

The NRC program is, therefore, directed towards the preparation of a series of plant-specific appendices to the IE Manual which contain plant-specific information of a common type and safety significance. These appendices are structured according to a common format. Each appendix begins with a description of accident initiators and sequences important at the plant. This is followed by a listing of plant systems associated with 98% of the plant core melt probability, which is ordered according to the importance of each system to plant damage. For each system addressed, the components associated with 95% of the probability of system failure are identified and ranked according to their importance. Three tables are presented for each system. The first identifies the failure modes by which each component contributes to plant damage. The second correlates each component with the IE inspection modules most related to ensuring component reliability. The third provides a modified system check-off list identifying the proper line-up of each component during normal operation. For each system, a diagram is reproduced from the PRA which shows how the system depends on other supporting systems. The body of this report presents the plant-specific appendix developed for the CC-1 nuclear power plant. It follows the format described above.

In addition, a final section has been added which discusses containment protection systems. These systems are not involved in the prevention of core melt, but are of fundamental importance to preventing or minimizing public risk due to the release of radionuclides, if a core melt should occur. This section discusses the Containment Spray System and the Containment Air Recirculation and Cooling System, and identifies failure modes for components in these systems which were found to be important in the analysis of the Level 3 PRA for Oconee Unit 3.

PRAs have been performed for less than one quarter of the nation's nuclear plants. Consequently, a significant aspect of the NRC program addresses the development of generic insights which may be utilized to guide inspection planning for plants without a PRA. As plant-specific appendices are developed, the information is reviewed to identify dominant generic contributors to risk, including: initiating events, accident sequences, important systems and components, component failure modes, significant human errors, and common cause failures.

The compilation of generic insights resulting from the analysis of PRAs indicates systems and components which may have risk importance at other plants. For application to a specific site, plant-specific information must be used to evaluate the relevance and applicability of the generic insights. For instance, important functions may be performed by different systems at different plants, or systems may be either more vulnerable (single failure dependencies) or less vulnerable (redundancies) at different plants. PNL has performed an analysis of the Rancho Seco plant (no PRA) using the results of PRAs for the Arkansas Nuclear One Unit 1 and Oconee-3 plants, plus a detailed comparison of system designs at the three plants (Gore and Huenefeld 1987). INEL and BNL are performing similar studies using generic insights and plant-specific information to address plants for which PRAs have been performed (Higgins et al. 1987). Future comparison of results from those studies with results obtained from analyzing the plant-specific PRAs will provide an indication of how effective this approach is in identifying important systems and components.

As was noted above, this document reports the results of a detailed analysis of the PRA performed for the CC-1 plant. It was not necessary to utilize generic insights in the performance of this analysis. Rather, the results of this study will contribute to the database of generic information to be utilized in the analyses of plants which lack PRAs. The analysis approach used in this study is discussed in the following Section 2.0. The results of the analysis are presented in Sections 3.0 and 4.0, according to the above-described format for plant-specific appendices to the IE Manual. For completeness, information on containment protection systems is presented in Section 5.0.

2.0 ANALYSIS OF THE CC-1 PRA

The analysis required three major steps to produce the tables presented in Section 4. The first step was the calculation of risk importance for each system from information in the PRA. This was used to select systems to be analyzed for component importances. The second step was the re-analysis of system fault trees from the PRA to identify component importances. The third step was the correlation of components and their dominant failure modes with inspection modules relevant to maintaining component reliability. These steps are discussed below.

2.1 CALCULATION OF SYSTEM IMPORTANCES

The selection of systems for detailed fault tree analysis required that they be ranked according to an appropriate measure of risk. The CC-1 PRA is a level 1 PRA. Core melt probability is addressed in detail, with only a limited analysis of subsequent containment failure mechanisms and radionuclide releases to the public. Consequently, for this study core melt frequency is the risk measure used to rank system importance.

The Fussell-Vesely (F-V) Importance measure (Henley and Kumamoto 1981) applied to core melt frequency was selected as the specific risk measure used to rank systems and components. The F-V Importance is the fraction of the total risk (core melt frequency) which results from failures involving the system or component of interest. Thus, high values of F-V Importance identify systems which are the greatest contributors to risk.

In addition, the increase in risk due to a given percentage increase in system failure probability is also highest for systems with highest F-V Importance values. Thus, this measure identifies not only the systems which are the greatest contributors to risk, but also those for which risk is most sensitive to performance degradation. It is therefore the logical measure to use for ranking system importance for inspection attention, to ensure that safety performance is maintained.

Appendix C of the CC-1 PRA presents a detailed listing of initiating events and cut set elements, and associated unavailabilities (both with and without recovery factors). The dominant cut sets presented in the body of the PRA were selected from this list. This listing of more than 400 cut sets was analyzed to determine system importances. Each element of each cut set was analyzed to determine what system was responsible for the root cause failure represented by the cut set element. Core melt frequencies associated with each cut set were input to a spread sheet data file (recovery factors due to operator action from the PRA were included). This file was then manipulated into system-based sub-files, each of which included data only from cut sets involving failures of components in a given system. The F-V Importance of each system was then calculated by summing the sub-files and dividing by the total from all of the cut sets.
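The system-level calculation described above, as an added example that is not part of the original report: Python code that computes the Fussell-Vesely importance of each system from a list of cut sets, then selects systems from the ranked list until more than 98% of the core melt frequency is covered. The cut set frequencies and system assignments are constructed sample values, not data from the CC-1 PRA, and measuring coverage as the share of frequency in cut sets that involve at least one selected system is an assumption about how the 98% cutoff is applied.

```python
from collections import defaultdict

# Constructed sample data (NOT from the CC-1 PRA). Each cut set carries a core
# melt frequency (per reactor-year, recovery factors already applied) and the
# set of systems responsible for the failures that appear in it.
CUT_SETS = [
    {"freq": 3.0e-5, "systems": {"RPS"}},
    {"freq": 2.0e-5, "systems": {"AFW"}},
    {"freq": 1.5e-5, "systems": {"AFW", "DC"}},
    {"freq": 1.0e-5, "systems": {"AC", "DC"}},
    {"freq": 1.5e-5, "systems": {"HPSI"}},
    {"freq": 6.0e-6, "systems": {"SWS", "AC"}},
    {"freq": 3.0e-6, "systems": {"CVCS"}},
    {"freq": 1.0e-6, "systems": {"LPSI"}},
]


def system_importance(cut_sets):
    """Return {system: F-V importance}.

    F-V importance of a system = (sum of the frequencies of all cut sets that
    involve a failure in that system) / (sum over all cut sets). This mirrors
    the "system-based sub-file" sums divided by the grand total.
    """
    total = sum(cs["freq"] for cs in cut_sets)
    if total <= 0:
        raise ValueError("total core melt frequency must be positive")
    by_system = defaultdict(float)
    for cs in cut_sets:
        for system in cs["systems"]:
            by_system[system] += cs["freq"]
    return {system: freq / total for system, freq in by_system.items()}


def rank_systems(importance):
    """Order systems by decreasing importance (name breaks exact ties)."""
    return sorted(importance, key=lambda s: (-importance[s], s))


def select_systems(cut_sets, threshold=0.98):
    """Walk the ranked list until the selected systems cover > threshold.

    Coverage (assumption of this example) is the fraction of total frequency
    carried by cut sets involving at least one selected system, so a cut set
    shared by two selected systems is counted once.
    """
    total = sum(cs["freq"] for cs in cut_sets)
    ranked = rank_systems(system_importance(cut_sets))
    selected, covered, coverage = [], set(), 0.0
    for system in ranked:
        selected.append(system)
        for index, cs in enumerate(cut_sets):
            if system in cs["systems"]:
                covered.add(index)
        coverage = sum(cut_sets[i]["freq"] for i in covered) / total
        if coverage > threshold:
            break
    return selected, coverage


if __name__ == "__main__":
    importance = system_importance(CUT_SETS)
    for name in rank_systems(importance):
        print(f"{name:5s} {100 * importance[name]:5.1f}%")
    chosen, cov = select_systems(CUT_SETS)
    print("selected:", chosen, f"coverage={100 * cov:.1f}%")
```

In this constructed data set the lowest-ranked system falls outside the selection because the cutoff is already exceeded before it is reached.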

Table 2.1 presents the relative system importances. The Reactor Protection System (RPS) has the highest F-V Importance, primarily due to the high probability of a cut set representing common mode failure of both reactor trip breakers to open given the presence of a trip signal, with no credit given for recovery actions. The Auxiliary Feedwater System (AFW) follows, with each of these systems having an importance of approximately 20%.

TABLE 2.1. Calculated System Importance

System                          Relative Importance (%)
RPS                             24
AFW                             20
Emergency DC Power              10
Emergency AC Power              10
PCS                             10
HPSI                             6
Room Cooling                     6
Salt Water System                5
SRVs                             4
Chemical and Volume Control      3
Total Relative Importance       98

Emergency DC Power and Emergency AC Power follow, with importance values of about 10%. They are followed by the Power Conversion System (PCS), the High-Pressure Safety Injection System (HPSI), the Room Cooling System, the Salt Water System (SWS), the Safety Relief Valves (SRVs), and the Chemical and Volume Control System (CVCS), all of which have importance values of between 3% and 10%.

It is important to note that the Low-Pressure Safety Injection (LPSI) system does not appear in the list of risk-important systems at Calvert Cliffs (Table 2.1). Specific reasons are outlined below:

1. The principal function of the LPSI system is to perform large-LOCA mitigating activities (i.e., inject borated water into the RCS to cool the reactor core following a large LOCA, decay heat removal from the core for extended periods of time following a LOCA). Of the sixteen dominant accident sequences identified in the PRA, none involve a large-LOCA initiating event. Therefore, since large-LOCA accident sequences do not dominate the accident sequence risk at Calvert Cliffs, the system that is designed to mitigate these accident sequences should also not be a highly risk-important system.

2. At Calvert Cliffs, the HPSI/R can draw directly from the sump and is the preferred system for recirculation. The LPSI/R system is not normally used in the recirculation mode.

At other plants (e.g., B&W plants), however, the risk of LOCAs (specifically large LOCAs) may be more dominant. Therefore, the LPSI system at other B&W plants may have greater risk importance than that of Calvert Cliffs' LPSI system.

2.2 CALCULATION OF COMPONENT IMPORTANCES

Construction of the tables presented in Section 4 of this report required the identification of components associated with at least 95% of the system failure probability for each of the systems selected for analysis (Table 2.1). This required a reanalysis of the fault trees presented in Appendix B of the PRA document to identify the components most important to system failure.

For most systems selected for analysis, the system fault trees published in the PRA were reanalyzed using the Integrated Reliability and Risk Analysis (IRRAS) computer code (Russell et al. 1987) run on an IBM-PC. Other analysis methods were used for three systems: Reactor Protection, Power Conversion, and Safety Relief Valves.

Fault tree gates and component unavailability data were input to the code and processed using the integrated fault tree analysis package. IRRAS identified the dominant minimal cut sets and quantified the fault trees by ordering cut sets by probability. IRRAS also calculated the F-V Importance of both cut sets and of system component failures.

The calculated importance of the component failures was then used to select components for inclusion in the tables. For all systems analyzed, components comprising more than 95% of the total component importance were selected for tabulation.

2.3 PREPARATION OF TABLES

-j For'each system, the components selected for inclusion in the tables were grouped according to type for discussion of failure modes [e.g., pump suction and discharge motor-operated valves (MOVs) in parallel trains].

For many components, cut set elements indicated more than one failure mode (e.g.,

failure to' operate, operator failure to initiate, inappropriate change of j

position).

These failure modes were grouped and discussed for each component l

type in the system failure mode identificat;on tables.

The characteristics of each component were assessed to determine what types of inspection would be most appropriate for ensuring component reliability. This information was then used to prepare a table for each system correlating each of the relevant IE inspection modules with components which should be addressed when the module is applied to the system. This table also contained a cross correlation to the failure modes which would be minimized by the given type of inspection. For instance, pump failure to start and run is addressed in modules for Surveillance, Operational Safety Verification, and ESF System Walkdown. It is also addressed through the Maintenance module, in terms of minimizing unavailability due to maintenance scheduling and work.

For each system, an abbreviated system walkdown table was prepared addressing only the selected system components. This table identifies the normal operating state or position of each component determined to be risk significant from the PRA. It was compiled using information from the PRA, plant system descriptions, operator training information, and plant drawings. In many cases it was possible to correlate and verify this information using system lineup tables from plant operating procedures. In general, these tables are considerably shorter than lineup tables in procedures. They therefore allow an inspector with limited available system walkdown time to concentrate on risk-significant components, without concern that he may be overlooking something important.

2.4 CONCLUSIONS AND RECOMMENDATIONS

In this project, we have identified the systems and components most important to risk during operation of the CC-1 power plant. They are identified in Tables 4.1 through 4.10. Systems are addressed in the order of decreasing importance, as determined by the fraction of the total core melt frequency which involves the failure of each system.

This information has been developed from the PRA analysis of the CC-1 plant.

The RPS, AFW, Emergency DC, Emergency AC, and PCS Systems are the most important systems for minimization of core damage.

Systems of intermediate importance include the HPI, Room Cooling, and Salt Water Systems.

Lower importance systems include the Safety Relief Valves, and CVCS.

The information in these tables allows an inspector to identify quickly the components most important to risk--a combination of failure probability and the consequences of the failure. For this analysis, the sole consequence considered was the occurrence or non-occurrence of a core melt. Thus the risk turns out to be equivalent to the cut set occurrence probabilities. This information allows him to direct his attention to these components preferentially. In particular, by using the system walkdown tables, the inspector can rapidly review the lineup of important system components on a routine basis. These tables may also be used when selecting systems for the performance of more detailed inspection activities.

In using these tables, however, it is essential to remember that other systems are also important. If, through inattention, the failure probabilities of other systems were allowed to increase significantly, their risk-significance might exceed that of systems in the tables. Consequently, a balanced inspection program is essential to minimizing plant risk. The tables allow an inspector to concentrate on systems of highest risk importance. In so doing, however, he must maintain cognizance of the status of systems performing other essential safety functions, and ensure that their reliability is maintained.

3.0 IMPORTANT ACCIDENT INITIATORS AND SEQUENCES

Two general types of accident initiators are addressed in the PRA: Loss of Coolant Accidents (LOCAs), and transients. However, subsequent event sequences leading to core melt are not distinct, because each of the transient types addressed has the potential for inducing LOCA events. The total core melt frequency for CC-1 was determined to be 1.30E-04/yr and consisted almost entirely of sequences with frequencies greater than 1.00E-06/yr. Table 3.1 identifies the initiating event types and presents the annual core melt frequency estimated in the PRA document for events of each type.

TABLE 3.1. Core Melt Frequencies Associated with Important Initiating Events

Initiating Event                                   Annual Core-Melt Frequency
Anticipated Transients Without Scram (ATWS)        2.80E-05
Loss-of-Coolant Accidents (LOCAs)
  Small-Small (1.9" dia)                           2.66E-05
Plant Transients
  Loss of 125 VDC Bus 11                           2.10E-05
  Loss of Offsite Power                            1.12E-05
  Transients Requiring Primary Relief              7.70E-06
  Loss of Secondary Heat Removal                   7.10E-06
  Station Blackout                                 4.40E-06
  All Other Transients                             2.40E-05

The following discussion presents the various types of event sequences identified in the PRA as most likely to lead to core melt following occurrence of these initiating events.

3.1 ANTICIPATED TRANSIENTS WITHOUT SCRAM (ATWS)

Sequence 1 - This sequence is an ATWS followed by reduced secondary heat removal capacity (i.e., PCS and/or auxiliary feedwater in a runback mode). The resulting imbalance between the energy production and removal rates leads to the heat-up of the primary system and an increase in system pressure. Primary system pressure boundary failure is expected to occur and result in core melt if the pressure exceeds the Service Level C limit (3200 psia). Such pressures can result in system damage severe enough to make continued reactor core cooling highly questionable. Because of the short time before pressure exceeds Service Level C, no credit has been given for any recovery actions.

3.2 SMALL-SMALL LOCA (1.9" in dia.)

Sequence 2 - A small-small LOCA occurs followed by successful scram and operation of AFW and HPI, providing both secondary heat removal and primary system makeup. When the Refueling Water Tank (RWT) is depleted and switchover to recirculation occurs (anywhere from 4 to 12 hours into the transient depending on the size of the leak), High Pressure Safety Recirculation (HPSR) fails. Due to the lack of primary makeup, the core then uncovers and core melt ensues.

The dominant contributors to this sequence are of two types: 1) failures of HPSR pumps combined with failure of room cooling; or 2) failures of the Component Cooling Water (CCW) system or Salt Water System (SWS) resulting in loss of HPSR pump seal cooling and failure of all HPSR pumps.

Sequence 3 - A small-small LOCA occurs and is followed by successful scram and secondary heat removal via the AFW system. However, HPI fails and there is no makeup in the injection phase. The initiator can be broken into two parts: 1) reactor coolant pump seal LOCAs; and 2) other small-small LOCAs.

The dominant contributors to this sequence are failure of either of the two valves in the common minimum flow recirculation line. These valves are common to all High-pressure Safety Injection (HPSI), Low-pressure Safety Injection (LPSI), and Containment Safety Spray (CSS) pumps. For the small-small LOCA case, if these valves should fail closed, the HPSI pumps are assumed to fail due to pumping against dead head for a significant period of time (i.e., greater than 10 minutes).

3.3 LOSS OF 125 VDC BUS 11

Sequence 4 - In this sequence, a failure of DC bus 11 results in a trip of Units 1 and 2 followed by failure of the PCS and AFW motor-driven pump 13, with degradation of the safety systems. The plant scrams successfully, but AFW subsequently fails. No credit is given for feed and bleed due to the low head of the HPI pumps. As a result of the lack of secondary heat removal, the core inventory boils off through the intermittent cycling of the power-operated relief valves (PORVs).

The dominant contributors to this sequence are single failures in the AFW turbine-driven pump 11 train combined with failure of the operator to start the locked-out turbine-driven AFW pump 12.

3.4 LOSS OF OFFSITE POWER

Sequence 5 - A loss of offsite power is followed by a transient-induced LOCA. AFW functions but HPSI fails. Due to lack of primary system makeup, the core uncovers in about 1 hour and core melt ensues.

The dominant contributors are various failures of AC power train A combined with failures of AC power train B.

Sequence 6 - A loss of offsite power is followed by failure of AFW. The plant scrams successfully. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to the low head of the HPI pumps.

The dominant contributors to this sequence are: (1) failure of the AFW motor-driven pump due to failure of train A of onsite AC power combined with failure of the AFW turbine-driven pump 11, together with (2) failure of the operator to start the locked-out turbine-driven AFW pump 12, and (3) failure to restore offsite power in order to restart the motor-driven AFW pump.

3.5 TRANSIENTS REQUIRING PRIMARY RELIEF

Sequence 7 - In this sequence, a transient requiring primary pressure relief occurs followed by a failure to scram (ATWS) and either failure of emergency boration or induced LOCA due to a stuck open relief valve. The primary system survives the initial pressure transient caused by a run back of the PCS as a result of the initiator. However, due to the high initial rate of coolant loss and low rate of pressure reduction, core uncovery and melt occurs before successful HPSI coolant injection. (This situation is unique to Calvert Cliffs design.)

The dominant contributors to this sequence are failure to scram combined with either failure of the operator to initiate emergency boration or failure of a relief valve to reclose.

Sequence 8 - A transient requires primary pressure relief followed by a loss of PCS and AFW. As a result of the loss of secondary heat removal, the core inventory boils off through the cycling open of the PORVs.

No credit is given for feed and bleed in this accident sequence.

The dominant contributor to this sequence is failure of 120V AC inverter #11 (which results in failure of the PCS and failure to actuate the motor-driven AFW pump) combined with various single failures of the AFW turbine-driven pump and failure of the operator to manually actuate the motor-driven AFW pump from the control room.

3.6 LOSS OF SECONDARY HEAT REMOVAL

Sequence 9 - A loss of PCS occurs and is followed by a loss of AFW. As a result of the loss of secondary heat removal, the core inventory boils off through the intermittent cycling of the PORVs.

The dominant contributors to this sequence are: 1) the common suction line valve fails closed resulting in failure of all operating AFW pumps combined with failure of the operator to recover by realigning the AFW suction to an alternate supply and starting the locked-out turbine-driven AFW pump; or 2) simultaneous failures of both operating AFW pumps combined with failure of the operator to start the locked-out turbine-driven AFW pump.

3.7 STATION BLACKOUT

Sequence 10 - In this sequence, a loss of offsite power occurs followed by the loss of all onsite AC power. The AFW system functions until battery depletion occurs approximately four hours into the accident (offsite and onsite AC power not being recovered). Due to a lack of secondary heat removal, the primary system coolant heats up and boils. Within another two hours, core uncovery occurs followed by eventual core melt. All containment Heat Removal systems fail due to the loss of AC power.

3.8 OTHER TRANSIENTS

Sequence 11 - In these sequences, a transient occurs, followed by failure to scram (ATWS) and an induced LOCA due to a stuck-open relief valve. The PCS is assumed to run back and the operator has successfully initiated emergency boration, and the primary system survives the initial pressure transient. However, due to the high initial rate of coolant loss and the low rate of pressure reduction, core uncovery and melt occurs before pressure drops to the 1275 psi shutoff head of the HPI pumps.

The dominant contributor to this sequence is failure to scram combined with failure of a relief valve to reclose.

Sequence 12 - A transient occurs and is followed by a loss of PCS and AFW. As a result of the loss of secondary heat removal, the reactor core inventory boils off through the cycling open of the PORVs. No credit is given for feed and bleed due to the information presented in the CC-1 PRA.

The dominant contributors to this sequence are: 1) operator fails to manually start AFW motor-driven pump, 2) local fault of vital AC inverter #11, and 3) local fault of AFW turbine-driven pump and its associated valves.

Sequence 13 - A transient is followed by a failure to scram and failure of emergency boration. The reactor has survived due to an assessed PCS runback. Based on information presented in the CC-1 PRA, if the operator fails to start shutting the reactor down within 20-30 minutes, then core melt will result. The dominant contributor to this sequence is failure to scram, combined with failure of the operator to initiate emergency boration within 20-30 minutes.

4.0 SYSTEM INSPECTION TABLES

Tables are presented for each of the systems selected in the analysis which identify important system failure modes, IE modules applicable to the inspection of system components, and the required position of each important component during normal system operation (i.e., system walkdown checklist).

The systems are presented in decreasing order of risk importance, and together comprise more than 98% of the risk associated with plant operation. To provide useful information for the inspector, simplified system drawings and/or dependency diagrams are provided at the end of each section, with the exception of the SRV which is independent of all other systems.

4.1 REACTOR PROTECTION SYSTEM

TABLE 4.1A. REACTOR PROTECTION SYSTEM FAILURE MODE IDENTIFICATION

The Reactor Protection System (RPS) continuously monitors selected Nuclear Steam Supply System (NSSS) parameters which are essential to reactor protection. The RPS utilizes trip signals from various protective channels to de-energize and trip the reactor trip breakers. When the reactor trip breakers open, power is removed from the Control Element Drive Mechanism (CEDM) magnetic coils allowing the Control Element Assemblies (CEAs) to fall into the active fuel region of the core, thereby inserting negative reactivity and making the reactor subcritical.

The following failure modes were identified in the PRA document, which did not quantify the probabilities of these failures.

Conditions that Lead to Failure

1. Reactor Trip Breakers Feeding CEDM Groups 1 and 2 Fail to Open

Simultaneous failure of reactor trip breakers feeding CEDM groups 1 and 2 to open given the presence of a trip signal is the primary contribution to failure of the reactor to trip. The dominant failure cause is hardware failure of the trip breakers. A contributing cause is operator failure to trip these breakers manually. Surveillance of the licensee's periodic testing and preventive maintenance activities and procedures in accordance with the Technical Specifications should reduce the probability of failure. Operator training and awareness of Emergency Operating Procedures will enhance the probability of recovery.

2. Control Rod Element Assemblies Fail to Insert

Failure of the CEDM hold latches to release, or mechanical disruption of the reactor core could result in a failure to bring the reactor subcritical during a scram condition. Surveillance of the licensee's periodic testing and preventive maintenance activities and procedures in accordance with the Technical Specifications, and relevant NRC bulletins and information notices should reduce the probability of failure.

3. Cable Fault in Groups 1 and 2 CEDM Power Buses

During normal operation, the CEDMs hold the control rods withdrawn from the core in a static position by means of CEDM hold or gripper, which latches the rods by means of an applied magnetic field. The control rods drop by de-energizing the magnetic coils. Failure of the CEDM power supplies to de-energize the magnetic coils upon interruption of power contributes significantly to the failure to trip event. The cause is hardware-related cable faults or shorts in groups 1 or 2 CEDM power buses. The licensee's periodic testing activities in accordance with the Technical Specifications should detect preexisting failures of this type.

TABLE 4.1B. IE MODULES FOR REACTOR PROTECTION SYSTEM INSPECTION

Module   Title                                    Components                        Failure Mode(a)
41700    Training                                 Reactor Trip Breakers             1
61701    Surveillance (Complex)                   Reactor Trip Breakers             1
                                                  CEDM Power Buses                  2
                                                  Control Rod Element Assemblies    3
61725    Surveillance Testing and                 Reactor Trip Breakers             1
         Calibration Program                      CEDM Power Buses                  2
                                                  Control Rod Element Assemblies    3
61726    Monthly Surveillance Observation         Reactor Trip Breakers             1
                                                  CEDM Power Buses                  2
                                                  Control Rod Element Assemblies    3
62702    Maintenance (Section 02.03,              Reactor Trip Breakers             1
         Preventive Maintenance)                  Control Rod Element Assemblies    3
71707    Operational Safety Verification          CEDM Power Buses                  2

(a) See Table 4.1A for failure identification.

TABLE 4.1C. MODIFIED REACTOR PROTECTION SYSTEM WALKDOWN

Component Number   Component Name   Location   Required Position   Actual Position

Walkdown is ineffective against risk significant RPS failures.


4.2 AUXILIARY FEEDWATER SYSTEM

TABLE 4.2A. AUXILIARY FEEDWATER SYSTEM FAILURE MODE IDENTIFICATION

The Auxiliary Feedwater (AFW) System supplies feedwater to the steam generators for evaporation permitting the removal of decay heat. The AFW system is used to cool the primary system to 300 F at which point shutdown cooling can be initiated. The AFW is used whenever the Power Conversion System (PCS) is not available. It consists of a pair of steam turbine-driven feed pumps (#11 and 12) (one of which is locked-out) connected in parallel with a motor-driven feed pump #13. Successful operation of the AFW is defined as the supply of a sufficient flow of feedwater to the steam generators to remove decay heat. This is equivalent to flow from at least one pump through at least two of four headers.

Conditions that Lead to Failure

1. Motor-driven AFW Pump #13 Fails to Start or Run

Failure of Pump #13 to operate could contribute to failure of flow through the AFW system. This failure, in combination with failure of the turbine-driven pump to provide flow to the steam generators, is the dominant contributor to system failure. The dominant contributor to failure of pump #13 to start or run is a loss of electrical power at the 4KV bus. Other significant contributors to this failure mode are random hardware failures of the pump itself as well as failure of the electric power circuit breaker. Observation and review of surveillance, maintenance, and lineup of this pump will maintain reliability. Training in Emergency Operating Procedures and system malfunction response will enhance recovery when possible.

2. Turbine-driven AFW Pump #11 Fails to Start or Run

Failure of Pump #11 to start or run could contribute to loss of AFW flow through the AFW system. This failure, combined with a loss of electrical power to the motor-driven pump and failure of the operator to start the locked-out turbine-driven pump #12, can lead to system failure. The dominant contributors to failure of pump #11 are local hardware or electrical faults which cause failure to start. Observation and review of surveillance, maintenance, and lineup of this pump will maintain reliability. Training in Emergency Operating Procedures and system malfunction response will enhance recovery when possible.

3. Manual Valves AFW-0103, -0904 Unavailable Due to Maintenance or Testing

Manual valve 0103 closed blocks the discharge flow from turbine-driven pump #11. This, in combination with loss of power to the motor-driven pump #13, can lead to system failure. Similarly, manual valve 0904 closed will prevent discharge flow from motor-driven pump #13. The dominant contributor to this failure mode is valve and pump unavailability due to periodic maintenance or testing. A secondary failure mechanism is failure to restore a valve to the correct position following maintenance or test of an AFW pump. Review of the periodic maintenance and testing procedures, including post-test surveillance, and adherence to the Technical Specifications should maintain valve availability.

4. AFW Pump #11 or Pump #13 Unavailable Due to Maintenance

Failure of either Pump #11 or Pump #13 to be available when required results in system degradation. Failure of either of these pumps to operate while the other is out of service can lead to system failure. Periodic maintenance, which causes pump unavailability, in conjunction with hardware failure of the remaining pump is the dominant contributor to this failure mode. A review of the scheduled and unscheduled maintenance practices should be performed in order to maintain availability.

5. Manual Valve AFW-0161 Fails to Remain Open

Failure of this valve to remain open could prevent flow from the condensate storage tank #12 to the Unit 1 AFW pumps, thus blocking flow to the steam generators. The dominant failure mechanism identified in the PRA for this failure mode is hardware failure of the valve. (Valve internals have been removed since the PRA was performed.)

6. Pneumatic-Hydraulic Valves AFW-3987 or S903 Fail to Remain Open

Failure of valve 3987 or stop valve S903 to remain open (plug) will prevent steam flow to the turbine-driven AFW pump #11. This failure, in combination with failure of the motor-driven pump, could lead to system failure. The dominant failure mechanisms for these valves are local hardware failures. Observation and review of surveillance and maintenance procedures associated with these valves (including air availability) should ensure reliable operation.

7. Pneumatic-Hydraulic Valves AFW-4522 or 4532 Unavailable due to Maintenance

Failure of valve 4522 or valve 4532 to remain open prevents flow to steam generators #11 and #12 respectively. The dominant cause of this failure mode is periodic pneumatic valve maintenance. This includes both scheduled and unscheduled maintenance. The performance of maintenance should be reviewed to ensure that efficient scheduling is done, and that repairs are performed correctly, minimizing the unavailability of the valves.

TABLE 4.2B. IE MODULES FOR AUXILIARY FEEDWATER SYSTEM INSPECTION

Module   Title                                    Components           Failure Mode(a)
41700    Training                                 AFW Pump 13          1
                                                  AFW Pump 11          2
                                                  Valves 0103,0904     3
61725    Surveillance Testing and                 AFW Pump 13          1,4
         Calibration Program                      AFW Pump 11          2,4
                                                  Valves 3987,5903     6
                                                  Valves 4522,4532     7
61726    Monthly Surveillance Observation         AFW Pump 13          1
                                                  AFW Pump 11          2
                                                  Valves 0103,0904     3
                                                  Valve 0161           5
                                                  Valves 3987,5903     6
                                                  Valves 4522,4532     7
62700    Maintenance Program                      AFW Pump 13          1,4
                                                  AFW Pump 11          2,4
                                                  Valves 0103,0904     3
                                                  Valve 0161           5
                                                  Valves 3987,5903     6
                                                  Valves 4522,4532     7
62703    Monthly Maintenance Observation          AFW Pump 13          1,4
                                                  AFW Pump 11          2,4
                                                  Valves 0103,0904     3
                                                  Valve 0161           5
                                                  Valves 3987,S903     6
                                                  Valves 4522,4532     7
71707    Operational Safety Verification          AFW Pump 13          1,4
                                                  AFW Pump 11          2,4
                                                  Valves 0103,0904     3
                                                  Valve 0161           5
                                                  Valves 3987,5903     6
                                                  Valves 4522,4532     7
71710    ESF System Walkdown                      AFW Pump 13          1,4
                                                  AFW Pump 11          2,4
                                                  Valves 0103,0904     3
                                                  Valve 0161           5
                                                  Valves 3987,S903     6
                                                  Valves 4522,4532     7

(a) See Table 4.2A for failure mode identification.

TABLE 4.2C. MODIFIED AUXILIARY FEEDWATER SYSTEM WALKDOWN

Component Number   Component Name                          Location                      Required Position    Actual Position
Electrical
                   Pump 13 Circuit Breaker                 27' Turb Bldg                 Racked in/Closed
Air
MS-3987            Valve Air Supply                        W Wall                        On
AFW-4522           Valve Air Supply                        E Wall SRW Rm                 On
AFW-4532           Valve Air Supply                        E Wall SRW Rm                 On
Valves
AFW-5903           Stop Valve                              W Wall                        Open
MS-3987            Pneumatic-Hydraulic Valve               W Wall                        Open
AFW-4522           Pneumatic-Hydraulic Valve               E Wall SRW Rm                 Open
AFW-4532           Pneumatic-Hydraulic Valve               E Wall SRW Rm                 Open
AFW-0103           Pump 11 Discharge Manual Valve          CST Outlet                    Open
AFW-0904           Pump 13 Discharge Manual Valve          SRW Rm                        Open
AFW-0161           CST-12 Outlet Manual Valve (a)          Between CST 11&21 on Stand    Open

(a) Valve internals have been removed since PRA, due to the high risk importance of this valve.


4.3 EMERGENCY DC POWER SYSTEM

TABLE 4.3A. EMERGENCY DC POWER SYSTEM FAILURE MODE IDENTIFICATION

The 125V DC system provides continuous power for control, instrumentation, reactor protection, and ESFAS. It powers the vital 120V AC system, which is also included in this analysis. The DC power system creates the field flashing and controls the diesel generator for the emergency AC electrical system. In addition, the DC power system provides control power to the emergency AC circuit breakers for the 4160V switchgear and powers the control valves in the AFWS. The DC system is composed of four separate trains, each consisting of a 125V DC battery, bus, battery charger, and control panels. Also included in this analysis are those components which supply power from the 125 VDC buses to their respective 120V AC buses. These components include the electric power inverters, circuit breakers, transfer switches, and power cables. Therefore the failure modes identified below reflect the four-way redundancy of the DC power system and indicate conditions that lead to failure of any one train of the DC power system.

Conditions that Lead to Failure

1. Failure of Inverters 11A, 12B, 13B, 14A

This is the dominant contributor to DC subsystem failure. These inverters convert DC power to AC power for the 120V AC distribution panels. Failure of any of these inverters results in loss of power to the affected 120V AC bus. Failure of the inverter may be the result of failure of switches, or hardware or electronic component failures. Observation and review of the periodic maintenance and testing and surveillance procedures should maintain availability.

2. Fault in Power Cables 11A, 12B, 13B, 14A

Failure of any of these power cables which connect the 125V AC buses and the 120V DC buses will result in loss of power at the corresponding 120V AC bus. Failure of these power cables is typically the result of hardware failures. Observation and review of the periodic maintenance, testing and surveillance procedures should maintain availability.

3. Circuit Breaker 11A, 12B, 13B, 14A Fails Open

Open circuit failure of any of these normally closed circuit breakers leads to loss of power at the respective 120V AC bus. Hardware or electric component failures are the dominant failure mechanisms. Review of the periodic maintenance and surveillance procedures along with verification of proper breaker position should maintain breaker performance.

4. Fault in Power Cable 20A, 26B, 31B, 23A

Failure in any of these power cables between the 125V DC buses and their respective batteries results in a loss of power to the affected 125V DC bus. This failure, coupled with a loss of offsite power, results in loss of power at the respective 120V AC bus. Hardware failures are the dominant failure mechanisms. Review of the periodic maintenance and surveillance procedures, as well as adherence to the Technical Specifications, should maintain power cable performance.

5. Failure of Battery 11A, 12B, 13B, 14A

Failure of any of these batteries results in a loss of power from the battery to its respective 125V DC bus. This failure in combination with other failures can result in a loss of all power at the affected 125V DC bus. Local faults of the battery itself are the dominant failure mechanisms for this failure mode. Periodic testing of battery voltage and specific gravity, in accordance with the Technical Specifications, as well as proper battery maintenance, should be reviewed and monitored.

6. Circuit Breaker 20A, 26B, 31B, 23A Fails Open

Failure of any of these normally closed circuit breakers in the open position leads to loss of power from the associated battery to their respective 125V DC bus. This failure in combination with a loss of offsite power results in a loss of all power at the affected 125V DC bus. Hardware or electric component failures are the dominant failure mechanisms. Periodic maintenance and surveillance of these breakers should be reviewed and proper breaker position should be verified.

TABLE 4.3B. IE MODULES FOR DC POWER SYSTEM INSPECTION

| Module | Title | Components | Failure Mode (a) |
|---|---|---|---|
| 61725 | Surveillance Testing and Calibration Program | Batteries 11A,12B,13B,14A | 5 |
| 61726 | Monthly Surveillance Observation | Inverters 11A,12B,13B,14A | 1 |
| | | Power Cables 11A,12B,13B,14A | 2 |
| | | Circuit Breakers 11A,12B,13B,14A | 3 |
| | | Power Cables 20A,26B,31B,23A | 4 |
| | | Batteries 11A,12B,13B,14A | 5 |
| | | Circuit Breakers 20A,26B,31B,23A | 6 |
| 62700 | Maintenance Program | Inverters 11A,12B,13B,14A | 1 |
| | | Power Cables 11A,12B,13B,14A | 2 |
| | | Circuit Breakers 11A,12B,13B,14A | 3 |
| | | Power Cables 20A,26B,31B,23A | 4 |
| | | Batteries 11A,12B,13B,14A | 5 |
| | | Circuit Breakers 20A,26B,31B,23A | 6 |
| 71707 | Operational Safety Verification | Inverters 11A,12B,13B,14A | 1 |
| | | Circuit Breakers 11A,12B,13B,14A | 3 |
| | | Power Cables 20A,26B,31B,23A | 4 |
| | | Batteries 11A,12B,13B,14A | 5 |
| | | Circuit Breakers 20A,26B,31B,23A | 6 |
| 71710 | ESF System Walkdown | Inverters 11A,12B,13B,14A | 1 |
| | | Circuit Breakers 11A,12B,13B,14A | 3 |
| | | Batteries 11A,12B,13B,14A | 5 |
| | | Circuit Breakers 20A,26B,31B,23A | 6 |
| | | Supply Switches and Transfer Switches | 1 |

(a) See Table 4.3A for failure mode identification.

TABLE 4.3C. MODIFIED EMERGENCY DC POWER SYSTEM WALKDOWN

| Component Number | Component Name | Location | Required Position | Actual Position |
|---|---|---|---|---|
| Electrical (a) | | | | |
| DC Supply Switch | DC Supply Switch to Inverter 11 | Cable Spreading Rm | Closed | |
| DC Supply Switch | DC Supply Switch to Inverter 12 | Cable Spreading Rm | Closed | |
| DC Supply Switch | DC Supply Switch to Inverter 13 | Cable Spreading Rm | Closed | |
| DC Supply Switch | DC Supply Switch to Inverter 14 | Cable Spreading Rm | Closed | |
| 11 | Inverter 11 Manual Transfer Switch | | Closed | |
| 12 | Inverter 12 Manual Transfer Switch | | Closed | |
| 13 | Inverter 13 Manual Transfer Switch | | Closed | |
| 14 | Inverter 14 Manual Transfer Switch | | Closed | |
| 11A | Circuit Breaker 11A | | Closed | |
| 12B | Circuit Breaker 12B | | Closed | |
| 13B | Circuit Breaker 13B | | Closed | |
| 14A | Circuit Breaker 14A | | Closed | |
| 20A | Circuit Breaker 20A | | Closed | |
| 26B | Circuit Breaker 26B | | Closed | |
| 31B | Circuit Breaker 31B | | Closed | |
| 23A | Circuit Breaker 23A | | Closed | |

(a) Due to the integrated nature of the emergency DC power system, inspection of the inverters, power cables, and batteries should also be included in system walkdown procedures.


4.4 EMERGENCY AC POWER SYSTEM

TABLE 4.4A. EMERGENCY AC POWER SYSTEM FAILURE MODE IDENTIFICATION

The purpose of the emergency AC power system is to provide electrical power to components in vital systems which are needed to mitigate the consequences of LOCAs and transients. Among these vital systems are those which shut down the reactor, remove decay and sensible heat from the reactor coolant and the containment building, and limit the release of radioactive material from the containment. The AC power is required for the operation of pumps, fans, and MOVs in these systems.

The emergency AC system is composed of two trains, each of which consists of a diesel generator (DG), 4160V switchgear, 480V load centers and motor control centers, 120V instrumentation panels, and the associated transformers and circuit breakers. Therefore, the failure modes identified below reflect the redundancy of the emergency AC power system and indicate conditions that lead to failure of one train of the AC power system.

Conditions that Lead to Failure

1. Diesel Generator 12 Unavailable Due to Unit 2 Requirements or Operator Error

Failure of DG 21 (which normally supports CC-2) requires that DG 12 be aligned to Unit 2. The loss of AC power due to DG 21 failure and subsequent alignment of DG 12 to Unit 2 is the dominant contributor to emergency AC power train failure at Unit 1. This results in emergency AC power system degradation. The dominant contributor to this failure mode is failure of DG 21 to start or run. A secondary contributor to this failure mode is operator failure to properly align DG 12 to Unit 1. Observation and review of the diesel generator maintenance and testing programs will help maintain reliable performance. Operator training regarding emergency operating procedures for proper DG alignment should also be reviewed.

2. Diesel Generator 11, 12 Fails to Start or Run

Failure of either of the diesel generators to start or run when required will prevent emergency AC power from being supplied to the corresponding safeguards component buses. When combined with a loss of offsite power, a total loss of emergency AC power can result. The dominant contributor to this failure mode is random hardware failures within the diesel generator itself. A secondary contributor is failure of the DG room cooling system resulting in eventual failure of the DG to run, due to overheating. Observation and review of the DG maintenance and testing programs as well as review of the DG room cooling system maintenance program should maintain availability.

TABLE 4.4A (contd)

3. Diesel Generator 11, 12 Unavailable due to Maintenance or Testing

Failure of either of the diesel generators to be available when required will degrade system redundancy and therefore increase the probability of failure of the emergency AC power system. The dominant contributor to this failure mode is the downtime associated with periodic maintenance of the DGs. A secondary contributor to this failure mode is failure to properly restore the DG following a test. In order to assure maximum availability of the diesel generators, the periodic maintenance procedures should be reviewed, including post-test surveillance procedures, to ensure that efficient scheduling of maintenance is done and that repairs are performed quickly and correctly, minimizing DG downtime.

4. Circuit Breaker 1103A, 1406B Fail to Operate

Failure of either of these electric power circuit breakers results in failure of the affected diesel generator's power circuit output. This results in a failure of the DG to provide power to the corresponding safeguards component buses. The dominant contributor to this failure mode is failure of the system to automatically actuate the circuit breakers. A secondary contributor is hardware or electric failures of the circuit breakers themselves. The circuit breaker automatic actuation system should be reviewed to maintain availability. Maintenance and surveillance of these electric power circuit breakers should also be reviewed and observed.

TABLE 4.4B. IE MODULES FOR EMERGENCY AC POWER SYSTEM INSPECTION

| Module | Title | Components | Failure Mode (a) |
|---|---|---|---|
| 41700 | Training | DG-12 | 1 |
| 61701 | Surveillance (Complex) | DG-11,12 | 2 |
| 61725 | Surveillance Testing and Calibration Program | DG-11,12 | 2,3 |
| | | Breakers 1103A,1406B | 4 |
| 61726 | Monthly Surveillance Observation | DG-11,12 | 2,3 |
| | | Breakers 1103A,1406B | 4 |
| 62700 | Maintenance Program | DG-11,12 | 2,3 |
| | | Breakers 1103A,1406B | 4 |
| 62707 | Operational Safety Verification | DG-11,12 | 2,3 |
| | | Breakers 1103A,1406B | 4 |
| 71710 | ESF System Walkdown | DG-11,12 | 2,3 |
| | | Breakers 1103A,1406B | 4 |

(a) See Table 4.4A for failure mode identification.

TABLE 4.4C. MODIFIED EMERGENCY AC POWER SYSTEM WALKDOWN

| Component Number | Component Name | Location | Required Position | Actual Position |
|---|---|---|---|---|
| Electrical | | | | |
| 1103A | DG-11 4KV Bus 11 Feed Breaker | 27' Switchgear Rm | Closed | |
| 1103A | DG-11 Disconnect to Bus 11 | 27' Switchgear Rm | Closed | |
| 1406B | DG-12 4KV Bus 14 Feed Breaker | 45' Switchgear Rm | Closed | |
| 1406B | DG-12 Disconnect to Bus 14 | 45' Switchgear Rm | Closed | |
| DG-11 | Diesel Generator 11 | | (a) | |
| DG-12 | Diesel Generator 12 | | (a) | |

(a) Due to the integrated nature of the diesel generator failure to start or to run failure modes, the lineup of all automatic diesel generator support functions (service water, fuel oil, starting air, etc.) should be verified.


4.5 POWER CONVERSION SYSTEM

TABLE 4.5A. POWER CONVERSION SYSTEM FAILURE MODE IDENTIFICATION

The Power Conversion System (PCS) at Calvert Cliffs Unit 1 (CC-1) consists of the main feedwater and condensate system (MFWCS), and the steam generators. The PCS is designed to transfer feedwater from the condenser hotwell to the steam generators, while, at the same time, raising the temperature and pressure, and controlling the chemical composition of the feedwater. This system also controls the quantity of feedwater delivered to the steam generators. The PCS operates successfully to provide 5 percent full main feedwater flow to the steam generators if one train of the PCS remains in operation during a transient. One train is defined as one MFW pump, one condensate booster pump, one condensate pump, and the associated valves and piping.

Conditions That Lead to Failure

1. Failure of Turbine-Driven MFW Pumps 11 and 12

The adequate removal of decay heat after reactor trip requires a supply of at least 750 gpm of feedwater to one of the two steam generators at a pressure of approximately 800 psic. To provide this flow, at least one of the two feedwater pumps must be available. If the transient initiator is the loss of one of the two main-feedwater pumps, failure of the other main-feedwater pump leads to a total loss of main feedwater. Main-feedwater pump failures are attributed to random failures of the pump, operator error in turning the pump off, a pump trip by trip circuits, loss of steam supply to the pump, or loss of cooling-water supplies for the pump. Operator training, awareness of Emergency Operating Procedures, proper maintenance, testing and surveillance should be reviewed and observed to reduce the probability of failure.

2. Failure of Condensate Booster Pumps 11, 12, and 13

One out of the three condensate booster pumps is required to supply the cooling-water flow to the main feedwater lines during the transient. Simultaneous failure of three pumps will prevent sufficient flow of water to these lines. The failure causes are due to a random failure of the pump, pump(s) in maintenance, trip or start circuit failures, loss of electrical power, or loss of cooling-water supplies for the pumps. Proper maintenance, surveillance, and testing of the pumps which are not in use, according to Surveillance Test Procedures, should reduce the probability of failure.

TABLE 4.5A (contd)

3. Failure of Condensate Motor-Driven Pumps 11, 12, and 13

Three condensate motor-driven pumps are provided for the PCS. At least one out of the three pumps must remain in operation during a transient. Simultaneous failure of three pumps will prevent sufficient flow of water to the feedwater lines. The important failure causes are hardware failure, loss of electrical power, or insufficient inventory of water in the hotwell. Proper maintenance, surveillance, and testing of the pumps which are not in use, according to Surveillance Test Procedure should reduce the probability of failure.

TABLE 4.5B. IE MODULES FOR POWER CONVERSION SYSTEM INSPECTION

| Module | Title | Components | Failure Mode (a) |
|---|---|---|---|
| 41700 | Training | MFW Pumps 11,12 | 1 |
| 61725 | Surveillance Testing Calibration Program | MFW Pumps 11,12 | 1 |
| 61726 | Monthly Surveillance Observation | MFW Pumps 11,12 | 1 |
| | | Condensate Booster Pumps 11,12,13 | 2 |
| | | Condensate MD Pumps 11,12,13 | 3 |
| 62700 | Maintenance | MFW Pumps 11,12 | 1 |
| | | Condensate Booster Pumps 11,12,13 | 2 |
| | | Condensate MD Pumps 11,12,13 | 3 |
| 71707 | Operational Safety Verification | MFW Pumps 11,12 | 1 |
| | | Condensate Booster Pumps 11,12,13 | 2 |
| | | Condensate MD Pumps 11,12,13 | 3 |

(a) See Table 4.5A for failure identification.

TABLE 4.5C. POWER CONVERSION SYSTEM WALKDOWN

| Component Number | Component Name | Location | Required Position | Actual Position |
|---|---|---|---|---|
| Electrical | | | | |
| MFW Pump 1 | Main Feedwater Pump 11 Trip Circuit Breaker | | Closed | |
| MFW Pump 2 | Main Feedwater Pump 12 Trip Circuit Breaker | | Closed | |
| Booster Pump 11 | Condensate Booster Pump 11 Breaker | | Racked in/Closed | |
| Booster Pump 12 | Condensate Booster Pump 12 Breaker | | Racked in/Closed | |
| Booster Pump 13 | Condensate Booster Pump 13 Breaker | | Racked in/Closed | |
| MD Pump 11 | Condensate Motor-Driven Pump 11 Breaker | | Racked in/Closed | |
| MD Pump 12 | Condensate Motor-Driven Pump 12 Breaker | | Racked in/Closed | |
| MD Pump 13 | Condensate Motor-Driven Pump 13 Breaker | | Racked in/Closed | |


4.6 HIGH PRESSURE SAFETY INJECTION (HPSI) SYSTEM

TABLE 4.6A. HPSI SYSTEM FAILURE MODE IDENTIFICATION

The primary purpose of the High Pressure Safety Injection (HPSI) System is to inject borated water from the Refueling Water Tank (RWT) into the Reactor Coolant System (RCS) to prevent the uncovering of the core for small reactor coolant pipe breaks, to delay the uncovering of the core for intermediate-sized pipe breaks, and to guarantee sub-criticality of the core. Once the RWT reaches a low level, the HPSI pumps are realigned to take suction from the containment sump for the recirculation mode. In this recirculation mode, the HPSI system maintains a borated water cover over the core for extended periods of time following a LOCA.

The HPSI System is a two-train, three-pump system which draws borated water from the RWT and injects it into the four RCS cold legs via four injection headers. The success criteria for the HPSI system are defined as 1 of 3 pumps providing flow through 1 of 4 injection headers.

Conditions that Lead to Failure

1. Containment Sump Valves SI-4144 and 4145 Fail to Open On Demand

After an accident (e.g., LOCA), once the RWT reaches a low level, the HPSI pumps are automatically realigned to take suction from the containment sump for the recirculation mode through the sump isolation valves SI-4144 or 4145. Failure of both sump valves to open when required could lead to inadequate core cooling and eventual core-melt if not recovered. The dominant contributors to this failure mode are operator failure to manually open containment sump valves or failure to realign the HPSI pumps from the RWT to the containment sump. The secondary contributors are hardware or electrical failures of the valves. Operator training and awareness, verification and review of the Emergency Operating Procedures and check-off lists, surveillance, and testing of these valves should be reviewed and observed to minimize the probability of failure.

2. Injection Valves Fail to Operate

There are eight normally closed HPSI injection valves which connect the two HPSI trains to four injection headers. These valves are required to open upon receiving a Safety Injection Actuation Signal (SIAS). Simultaneous failure of these eight MOVs (SI-616, -617, -626, -627, -636, -637, -646, -647) to open on demand leads to system failure. The dominant contributor to this failure mode is a loss of AC power from both 480V supply buses. The power supply to these valves should be reviewed to ensure reliability. In addition, operator training and awareness regarding emergency operating procedures should be reviewed to maintain adequacy.

TABLE 4.6A (contd)

3. Motor-Operated Valves SI-659, -660 Fail to Remain Open

Failure closed of either of the two valves in the minimum flow recirculation line could cause the HPSI pumps to fail. This is because a slow drop in primary system pressure could result in pump heat up and failure due to pumping against dead head for a significant period of time. These valves are common to all HPSI, LPSI, and CSS pumps. The dominant contributor to this failure mode is valve plugging due to random hardware failures. The periodic testing and maintenance procedures for these valves should be reviewed to maintain reliability.

4. HPSI Pump 11, 12, or 13 Fail to Start or Run

Failure of either of these pumps to start or run degrades the HPSI system redundancy. Failure of any one of these pumps, in conjunction with failure of the remaining pumps to provide flow to the injection headers, can result in system failure. The dominant contributor to this failure mode is a loss of electric power from the 4KV bus to the pump. Secondary contributors to this failure mode are hardware failures which cause the pump to fail to start on demand. Periodic testing, maintenance, and surveillance of these pumps should be reviewed and observed to maintain high availability.

5. Motor-Operated Valves SI-654, -656 Fail to Remain Open

Failure of either MOV SI-654 or SI-656 prevents flow through one train of the HPSI system. Failures of either of these trains, in combination with failure of the 480V bus which supplies power to the remaining train, results in system failure. The dominant contributors to this failure mode are hardware failures. A secondary contributor to this failure mode is valve unavailability due to maintenance. The periodic testing and maintenance (scheduled and unscheduled) procedures for these valves should be reviewed to help maintain maximum availability.

6. Check Valves SI-410, -4146 Fail to Operate

Failure of either of these valves to remain open results in an obstruction of flow to HPSI pumps 11 and 12. This failure, in combination with failure of the 4KV bus, which supplies power to pump 13, results in system failure. The dominant contributors to this failure mode are hardware failures. The periodic testing and maintenance procedures for these valves should be reviewed to help maintain high availability.

TABLE 4.6A (contd)

7. Motor-Operated Valves SI-653, -655 Fail to Remain Open

Failure of these cross-tie valves to remain open degrades system redundancy and, in conjunction with failures of other components, could lead to system failure. The dominant contributors to this failure mode are hardware failures. Review of the periodic testing, maintenance and surveillance of these valves, as prescribed by the Technical Specifications, should help maintain valve availability.

TABLE 4.6B. IE MODULES FOR HPSI SYSTEM INSPECTION

| Module | Title | Components | Failure Mode (a) |
|---|---|---|---|
| 61725 | Surveillance Testing and Calibration Program | Sump Valves SI-4144,-4145 | 1 |
| | | Valves SI-616,-617,-626,-627,-636,-637,-646,-647 | 2 |
| | | Valves SI-659,-660 | 3 |
| | | HPSI Pump 11,12,13 | 4 |
| | | Breaker 11A,12B,13B | 4 |
| | | Valves SI-654,-656 | 5 |
| | | Valve SI-653,-655 | 7 |
| 61726 | Monthly Surveillance Observation | Sump Valves SI-4144,-4145 | 1 |
| | | Valves SI-616,-617,-626,-627,-636,-637,-646,-647 | 2 |
| | | Valves SI-659,-660 | 3 |
| | | HPSI Pump 11,12,13 | 4 |
| | | Breaker 11A,12B,13B | 4 |
| | | Valves SI-654,-656 | 5 |
| | | Valves SI-410,-4146 | 6 |
| | | Valve SI-653,-655 | 7 |
| 62700 | Maintenance Program | Sump Valves SI-4144,-4145 | 1 |
| | | Valves SI-616,-617,-626,-627,-636,-637,-646,-647 | 2 |
| | | Valves SI-659,-660 | 3 |
| | | HPSI Pump 11,12,13 | 4 |
| | | Breaker 11A,12B,13B | 4 |
| | | Valves SI-654,-656 | 5 |
| | | Valves SI-410,-4146 | 6 |
| | | Valve SI-653,-655 | 7 |
| 62703 | Monthly Maintenance Observation | Sump Valves SI-4144,-4145 | 1 |
| | | Valves SI-616,-617,-626,-627,-636,-637,-646,-647 | 2 |
| | | Valves SI-659,-660 | 3 |
| | | HPSI Pump 11,12,13 | 4 |
| | | Breaker 11A,12B,13B | 4 |
| | | Valves SI-654,-656 | 5 |
| | | Valves SI-410,-4146 | 6 |
| | | Valve SI-653,-655 | 7 |
| 71707 | Operational Safety Verification | Sump Valves SI-4144,-4145 | 1 |
| | | Valves SI-616,-617,-626,-627,-636,-637,-646,-647 | 2 |
| | | Valves SI-659,-660 | 3 |
| | | HPSI Pump 11,12,13 | 4 |
| | | Breaker 11A,12B,13B | 4 |
| | | Valves SI-654,-656 | 5 |
| | | Valve SI-653,-655 | 7 |
| 71710 | ESF System Walkdown | Sump Valves SI-4144,-4145 | 1 |
| | | Valves SI-616,-617,-626,-627,-636,-637,-646,-647 | 2 |
| | | Valves SI-659,-660 | 3 |
| | | HPSI Pump 11,12,13 | 4 |
| | | Breaker 11A,12B,13B | 4 |
| | | Valves SI-654,-656 | 5 |
| | | Valve SI-653,-655 | 7 |

(a) See Table 4.6A for failure mode identification.

TABLE 4.6C. MODIFIED HIGH PRESSURE SAFETY INJECTION (HPSI) SYSTEM WALKDOWN

| Component Number | Component Name | Location | Required Position | Actual Position |
|---|---|---|---|---|
| Electrical | | | | |
| 1108 | HPSI Pump 11 Circuit Breaker | 27' Switchgear Rm | Racked in/Closed | |
| 1408 | HPSI Pump 12 Circuit Breaker | 45' Switchgear Rm | Racked in/Closed | |
| 1410 | HPSI Pump 12 Control Room Switch | CR | PTL | |
| 1410 | HPSI Pump 13 Circuit Breaker | 45' Switchgear Rm | Racked in/Closed | |
| 1410 | HPSI Pump 13 Disconnect | 45' Switchgear Rm | Closed | |
| SI-616 | Motor-operated Discharge Valve Breaker | | Closed | |
| SI-617 | Motor-operated Discharge Valve Breaker | | Closed | |
| SI-626 | Motor-operated Discharge Valve Breaker | | Closed | |
| SI-627 | Motor-operated Discharge Valve Breaker | | Closed | |
| SI-636 | Motor-operated Discharge Valve Breaker | | Closed | |
| SI-637 | Motor-operated Discharge Valve Breaker | | Closed | |
| SI-646 | Motor-operated Discharge Valve Breaker | | Closed | |
| SI-647 | Motor-operated Discharge Valve Breaker | | Closed | |
| Valves | | | | |
| SI-659 | Minimum flow recirculation valve | | Open | |
| SI-660 | Minimum flow recirculation valve | | Open | |
| SI-654 | Motor-operated valve | | Open | |
| SI-656 | Motor-operated valve | | Open | |
| SI-4144 | Containment Sump recirculation valve | 45' Aux. Bldg. | Closed | |
| SI-4145 | Containment Sump recirculation valve | 45' Aux. Bldg. | Closed | |
| SI-616 | Motor-operated Discharge Valve | | Closed | |
| SI-617 | Motor-operated Discharge Valve | | Closed | |
| SI-626 | Motor-operated Discharge Valve | | | |
| SI-627 | Motor-operated Discharge Valve | | Closed | |
| SI-636 | Motor-operated Discharge Valve | | Closed | |
| SI-637 | Motor-operated Discharge Valve | | Closed | |
| SI-646 | Motor-operated Discharge Valve | | Closed | |
| SI-647 | Motor-operated Discharge Valve | | Closed | |
| SI-653 | Motor-operated Cross-Tie Valve | | Closed (a) | |
| SI-655 | Motor-operated Cross-Tie Valve | | Open | |

(a) Normal valve position is opposite to that given in the Calvert Cliffs PRA report. This valve is now closed to prevent runout of either running pump if the other one should trip.


4.7 EMERGENCY CORE COOLING (ECCS) PUMP ROOM COOLING SYSTEM

TABLE 4.7A. ECCS PUMP ROOM COOLING SYSTEM FAILURE MODE IDENTIFICATION

The purpose of the ECCS pump room cooling system is to prevent the room temperature from exceeding a normal limit of 110°F or an absolute limit of 120°F so that the equipment can operate in a design basis environment. The components most susceptible to high temperatures are the air-cooled shaft seals on the containment spray pumps.

Conditions that Lead to Failure

1. Control Switches HS-5404 and 5404A Auto-Start Circuits Fail to Operate

The ECCS room coolers will normally be on standby. Each unit has an individual (OFF-AUTO-ON) control switch located in the control room. The normal position of the control switches is AUTO so that the fans start and the saltwater cooling valves open automatically. Failure of the auto-start circuitry could prevent sufficient cooling-air flow to the ECCS room cooling units. The failure causes are hardware failures or loss of actuation signals. Testing, maintenance, surveillance, and verification of these switches should be reviewed or observed. Operator training and awareness of Operating Procedures will enhance the system reliability.

2. Air-Cooling Units' Fans Fail to Start or Run

The system consists of two air-cooling units, one located in each ECCS compartment with the nominal capacities of 884,000 and 704,000 Btu/hr. The larger capacity cooling unit will be located in the east ECCS compartment, having two HPSI/R pumps. Each unit consists of direct-drive fans driven motors and the associated hardware and electrical equipment. Failure of fans to start or run when required will prevent air flow to the air-cooling units. The failure causes are hardware or electrical failures of the fans. Periodic testing, maintenance, and surveillance of the fans in accordance with the Technical Specifications, should reduce the probability of failure.

3. Temperature Controller Elements TE-5404 and TE-5405 Fail to Operate

The system control parameter is room temperature, measured by temperature controller elements TE-5404 and 5405. The normal range of operation is between 95°F and 104°F. As the room temperature increases to 104°F, the temperature control element actuates the pressure switch, turns on the fans and opens the saltwater inlet and outlet valves. Failure of the temperature controller elements to operate either due to hardware or electrical bus failures will prevent the cooling water from being supplied to the cooling units. Testing, surveillance, and maintenance, in accordance with Technical Specifications, should maintain the system availability.

TABLE 4.7A (contd)

4. Failure to Restore Air-Cooling Units' Fan Controls Following Maintenance

This failure mode is dominated by the human failure to restore the fan controls at the end of a test or following maintenance. This error, if undetected, could lead to system failure. Verification and review of the system Operating Procedures and Check-off Lists should reduce the probability of failure.

TABLE 4.7B. IE MODULES FOR ECCS PUMP ROOM COOLING SYSTEM INSPECTION

| Module | Title | Components | Failure Mode (a) |
|---|---|---|---|
| 41700 | Training | Control Switches HS-5404, 5404A | 1 |
| 61726 | Monthly Surveillance Observation | Control Switches HS-5404, 5404A | 1 |
| | | Air-Cooling Units' Fans | 2,4 |
| | | Temperature Controller Elements TE-5404,5405 | 3 |
| 62700 | Maintenance | Control Switches HS-5404, 5404A | 1 |
| | | Air-Cooling Units' Fans | 2,4 |
| | | Temperature Controller Elements TE-5404,5405 | 3 |
| 71707 | Operational Safety Verification | Control Switches HS-5404, 5404A | 1 |
| | | Air-Cooling Units' Fans | 2,4 |
| | | Temperature Controller Elements TE-5404,5405 | 3 |
| 71710 | ESF System Walkdown | Control Switches HS-5404, 5404A | 1 |
| | | Air Cooling Units' Fans | 2,4 |

(a) See Table 4.7A for failure identification.

TABLE 4.7C. ECCS PUMP ROOM COOLING SYSTEM WALKDOWN

Component   Component Name                              Location   Required   Actual
Number                                                             Position   Position

Electrical

HS-5404     Air-Cooling Unit #11 Control                           Closed
            Switch Circuit Breaker
HS-5404A    Air-Cooling Unit #12 Control                           Closed
            Switch Circuit Breaker
Fans        Air-Cooling Units' Fans Breakers                       Closed
TE-5404     Air-Cooling Unit #11 Temperature                       Closed
            Control Element Circuit Breaker
TE-5404     Air-Cooling Unit #12 Temperature                       Closed
            Control Element Circuit Breaker

Components

HS-5404     Air-Cooling Unit #11 Control Switch                    Auto
HS-5404A    Air-Cooling Unit #12 Control Switch                    Auto


4.8 SALT WATER SYSTEM

TABLE 4.8A. SALT WATER SYSTEM FAILURE MODE IDENTIFICATION

The purpose of the Salt Water System (SWS) is to provide cooling water to the vital equipment (e.g., ECCS pump room air coolers, Service Water System (SRWS) heat exchangers) during both injection and recirculation phases of emergency core cooling after a LOCA. It also provides cooling water to Component Cooling Water (CCW) heat exchangers during the recirculation phase. Two of the three SWS pumps are required to supply the designated nuclear headers during the normal operation and following an initiating event.

Conditions that Lead to Failure

1. SRW Heat Exchangers' Outlet Throttle Valve SWS-5210 Fails to Operate

During the recirculation phase, failure of the SRW heat exchangers' outlet valve SWS-5210 to close (i.e., throttle) could cause the failure of cooling CCW heat exchanger 11 due to the system overload. The dominant failure causes are random electrical failures or valve control circuit failures. A contributing failure cause is human failure to regulate the flow of salt water to meet the SRW cooling requirements. Operator training and awareness, surveillance and lineup for emergency operation should be reviewed and observed to minimize the probability of failure.

2. Failure of CCW Heat Exchangers' Inlet or Outlet Valves

Both loops of the SWS operate during normal operation. Upon receipt of a safety injection actuation signal, CCW heat exchangers 11 and 12 are isolated by the automatic closing of inlet and outlet valves SWS-5160, SWS-5162 and SWS-5206, SWS-5208 and SWS-5163, respectively. These valves will reopen to allow the cooling flow to the CCW heat exchangers upon receipt of a recirculation actuation signal to initiate the recirculation phase. Failure to close or open these valves on demand may cause system overload.

The important failure contributors are hardware or electrical failures or human failure to manually actuate these valves. Operator training and awareness, together with surveillance and testing of these valves in accordance with Technical Specification Surveillance Requirements, should reduce the probability of failure.

3. SRW Heat Exchangers or ECCS Pump Room Coolers' Inlet or Outlet Valves Fail to Operate

The valves are SRW heat exchangers or ECCS pump room coolers' inlet and outlet pneumatic valves SWS-5150, SWS-5152 and SWS-5153, or SWS-5170, SWS-5173 and SWS-5171, SWS-5174, SWS-5175, respectively. Failure of any of these valves to close or open when required could result in SWS cooling failure.

The important failure contributors are electrical or hardware failures. Surveillance and testing of these valves, in accordance with Technical Specification Surveillance Requirements, should reduce the probability of failure.

4. Operating Pumps 11 and 12 Fail to Run and Non-Operating Pump 13 Fails to Start and Run

Failure of any combination of two out of three pumps will prevent sufficient SWS flow from being provided to the designated headers. Testing of the pump which is not in use, according to the Technical Specifications, should reduce the probability of failure.

TABLE 4.8B. IE MODULES FOR SALT WATER SYSTEM INSPECTION

Module   Title                        Components                                  Failure Mode(a)

41700    Training                     SWS-5210                                    1
                                      SWS-5206,5208,5160,5162,5163                2

61725    Surveillance Testing and     SWS-5210                                    1
         Calibration Program          SWS-5206,5208,5160,5162,5163                2
                                      SWS-5150,5152,5153,5171,5173,5174,5175      3
                                      Pumps 11,12,13                              4

61726    Monthly Surveillance         SWS-5210                                    1
         Observation                  SWS-5206,5208,5160,5162,5163                2
                                      SWS-5150,5152,5153,5171,5173,5174,5175      3
                                      Pumps 11,12,13                              4

62700    Maintenance                  SWS-5210                                    1
                                      SWS-5206,5208,5160,5162,5163                2
                                      SWS-5150,5152,5153,5171,5173,5174,5175      3
                                      Pumps 11,12,13                              4

71707    Operational Safety           SWS-5210                                    1
         Verification                 SWS-5206,5208,5160,5162,5163                2
                                      SWS-5150,5152,5153,5171,5173,5174,5175      3
                                      Pumps 11,12,13                              4

71710    ESF System Walkdown          SWS-5210                                    1
                                      SWS-5206,5208,5160,5162,5163                2
                                      SWS-5150,5152,5153,5171,5173,5174,5175      3
                                      Pumps 11,12,13                              4

(a) See Table 4.8A for failure identification.

TABLE 4.8C. MODIFIED SALT WATER SYSTEM WALKDOWN

Component   Component Name                            Location             Required            Actual
Number                                                                     Position            Position

Electrical

SWS-5210    SWS Heat Exchanger 11 Pneumatic                                Closed
            Outlet Valves Control Circuit Breaker
SWS-5206    CCW Heat Exchanger 11 Pneumatic                                Closed
            Outlet Valve Control Circuit Breaker
SWS-5208    CCW Heat Exchanger 12 Pneumatic                                Closed
            Outlet Valve Control Circuit Breaker
SWS-5160    CCW Heat Exchanger 11 Pneumatic                                Closed
            Suction Valve Control Circuit Breaker
SWS-5162    CCW Heat Exchanger 12 Pneumatic                                Closed
            Suction Valve Control Circuit Breaker
SWS-5163    CCW Heat Exchanger 12 Pneumatic                                Closed
            Outlet Valve Control Circuit Breaker
SWS-5150    SRW Heat Exchanger 11 Pneumatic                                Closed
            Suction Valve Control Circuit Breaker
SWS-5152    SRW Heat Exchanger 12 Pneumatic                                Closed
            Suction Valve Control Circuit Breaker
SWS-5153    SRW Heat Exchanger 11 Pneumatic                                Closed
            Outlet Valve Control Circuit Breaker
SWS-5171    ECCS Pump Room Cooler 11 Pneumatic                             Closed
            Outlet Valve Control Circuit Breaker
SWS-5173    ECCS Pump Room Cooler 12 Pneumatic                             Closed
            Suction Valve Control Circuit Breaker
SWS-5174    ECCS Pump Room Cooler 12 Pneumatic                             Closed
SWS-5175    Outlet Valve Control Circuit Breaker
1105        SWS Pump 11 Breaker                       27' Switchgear Rm    Racked in/Closed
1405        SWS Pump 12 Breaker                       45' Switchgear Rm    Racked in/Closed
1112/1412   SWS Pump 13 Breaker to Busses 11/14                            Racked in/Closed
1112/1412   SWS Pump 13 Disconnect to either                               Closed/Open
            Bus 11/14

Air

SWS-5210    SWS Heat Exchanger 11 Pneumatic           Under 11 HX          Open
            Outlet Valve Air Supply
SWS-5206    CCW Heat Exchanger 11 Pneumatic           E End 11 CC HX       Open
            Outlet Valve Air Supply
SWS-5208    CCW Heat Exchanger 12 Pneumatic           E End 12 CC HX       Open
            Outlet Valve Air Supply
SWS-5160    CCW Heat Exchanger 11 Pneumatic           W of 11 CC HX        Open
            Suction Valve Air Supply
SWS-5162    CCW Heat Exchanger 12 Pneumatic           SW of 12 CC HX       Open
            Suction Valve Air Supply
SWS-5163    CCW Heat Exchanger 12 Pneumatic           E End 12 CC HX       Open
            Outlet Valve Air Supply
SWS-5150    SRW Heat Exchanger 11 Pneumatic           E Side SRW Rm        Open
            Suction Valve Air Supply
SWS-5152    SRW Heat Exchanger 12 Pneumatic           N of 11 SRW PP       Open
            Suction Valve Air Supply
SWS-5153    SRW Heat Exchanger 11 Pneumatic           N Wall 5' SRW Rm     Open
            Outlet Valve Air Supply
SWS-5171    ECCS Pump Room 11 Pneumatic               W of 11 CC HX        Open
            Outlet Valve Air Supply
SWS-5173    ECCS Pump Room 12 Pneumatic               S Side CC Rm         Open
            Suction Valve Air Supply
SWS-5174    ECCS Pump Room 12 Pneumatic               S Side CC Rm         Open
            Outlet Valve Air Supply
SWS-5175    ECCS Pump Room 12 Pneumatic               S Side CC Rm         Open
            Outlet Valve Air Supply

Valves

SWS-5210    SWS Heat Exchanger 11 Pneumatic           Under 11 HX          Throttle(a)
            Outlet Valve
SWS-5206    CCW Heat Exchanger 11 Pneumatic           E End 11 CC HX       Open(b)
            Outlet Valve
SWS-5208    CCW Heat Exchanger 12 Pneumatic           E End 12 CC HX       Open(b)
            Outlet Valve
SWS-5160    CCW Heat Exchanger 11 Pneumatic           W of 11 CC HX        Open(b)
            Suction Valve
SWS-5162    CCW Heat Exchanger 12 Pneumatic           SW of 12 CC HX       Open(b)
            Suction Valve
SWS-5163    CCW Heat Exchanger 12 Pneumatic           E End 12 CC HX       Open(b)
            Outlet Valve
SWS-5150    SRW Heat Exchanger 11 Pneumatic           E Side SRW Rm        Open
            Suction Valve
SWS-5152    SRW Heat Exchanger 12 Pneumatic           N of 11 SRW PP       Open
            Suction Valve
SWS-5153    SRW Heat Exchanger 11 Pneumatic           N Wall 5' SRW Rm     Open
            Outlet Valve
SWS-5171    ECCS Pump Room 11 Pneumatic               W of 11 CC HX        Closed
            Outlet Valve
SWS-5173    ECCS Pump Room 12 Pneumatic               S Side CC Rm         Closed
            Suction Valve
SWS-5174    ECCS Pump Room 12 Pneumatic               S Side CC Rm         Open(c)
            Outlet Valve
SWS-5175    ECCS Pump Room 12 Pneumatic               S Side CC Rm         Open(c)
            Outlet Valve

(a) Valve is opened to its maximum upon receipt of SIAS signal, and returned to the throttled position upon receipt of RAS signal.

(b) Valves are closed upon receipt of SIAS signal, and reopened upon receipt of RAS signal.

(c) Normal operating position of this valve has been changed since the PRA. Position no longer changes on a SIAS or RAS signal. Consequently, the risk importance of this valve is reduced from the value determined from the PRA.


4.9 CODE SAFETY VALVES (SRVs)

TABLE 4.9A. CODE SAFETY VALVES SYSTEM FAILURE MODE IDENTIFICATION

CC-1 is equipped with two code safety valves on the pressurizer. These valves are entirely mechanical devices. Their set points are 2500 and 2565 psia. At least one valve must be operable when the plant is at power. Under abnormal conditions, the code safety valves on the pressurizer are the means of external pressure relief for the reactor coolant system.

Conditions That Lead to Failure

1. Code Safety Valves

For those conditions where the code safety valves either are necessary to relieve system pressure or are only incidentally demanded, the valves must reclose or a transient-induced LOCA will result. The failure mode is random hardware failures of these valves.

Testing and maintenance of these valves should be reviewed or observed to maintain the reliability.

TABLE 4.9B. IE MODULES FOR CODE SAFETY VALVES SYSTEM INSPECTION

Module   Title                        Components   Failure Mode(a)

61701    Surveillance (Complex)                    1
61725    Surveillance Testing and                  1
         Calibration Program
62700    Maintenance                               1
71707    Operational Safety                        1
         Verification

(a) See Table 4.9A for failure identification.

TABLE 4.9C. MODIFIED CODE SAFETY VALVE SYSTEM WALKDOWN

Component   Component Name   Location   Required   Actual
Number                                  Position   Position

(a) Walkdown is ineffective against failure of the code safety valves to reseat.

4.10 CHEMICAL AND VOLUME CONTROL SYSTEM

TABLE 4.10A. CHEMICAL AND VOLUME CONTROL SYSTEM FAILURE MODE IDENTIFICATION

The Chemical and Volume Control System (CVCS) provides several major functions during startup, normal operation, emergency condition, and shutdown of the reactor. The reactor coolant system boron concentration is normally controlled by the makeup portion of the CVCS; however, there are occasions when it is necessary to borate at a rate that exceeds the normal, maximum capability of the makeup system. In this situation, the CVCS is initiated either by a Safety Injection Actuation System (SIAS) or manually to rapidly inject concentrated boric acid into the reactor coolant system.

Conditions That Lead to Failure

1. Operator Fails to Actuate the CVCS

During a transient where SIAS and RPS actions are not initiated, operation of the CVCS in boron injection mode is completely dependent upon operator action. For example, following a slow and uncontrolled cooldown where SIAS or RPS actions are not initiated, immediate actions to be taken by the operator are: switch the make-up stop valve handswitch to the "SHUT" position; open the charging pump suction valve; switch the make-up mode selector switch to the "BORATE" position; verify that the boric acid and charging pumps are running, etc. Failure to perform any of the above actions could prevent the boric acid flow to the reactor coolant system.

Operator training and awareness and verification of the Emergency Operating Procedures Check-off Lists should minimize the probability of failure.

2. Operating Charging Pumps Fail to Run and Standby Pump in Maintenance

Two of the three charging pumps are required to supply the designated nuclear headers following an initiating event. Unavailability of the standby charging pump due to maintenance is significant in conjunction with hardware or electrical failures of the operating pumps.

Periodic testing, surveillance, and review of the practices associated with scheduled and unscheduled maintenance of the pump should be performed.

3. Motor-Operated Valve CVC-514 Fails to Open on Demand

For emergency boration, a boric acid direct feed valve CVC-514 is provided. This is a motor-operated valve located at the common boric acid pump discharge which supplies concentrated boric acid directly to the charging pump headers. Failure of this valve in the closed position following an initiating event will prevent boric acid flow to the reactor coolant system. The failure causes are random electrical failures or loss of SIAS. Periodic testing, maintenance, and surveillance of this valve according to the Technical Specifications should reduce the probability of failure.

4. Boric Acid Pumps 11, 12 Fail to Start and Run

At least one of the two boric acid pumps must be operable to provide concentrated boric acid to two out of the three charging pumps for injection into the reactor coolant system when the requirement arises due to a transient. Failure of the pumps to start and run will prevent boric acid flow to the reactor coolant system cold legs.

Periodic testing, maintenance, and surveillance of these pumps should be reviewed and observed to maintain reliability.

5. Check Valve CVC-235 Fails to Operate

This is the charging pump suction check valve for the CVCS. Failure of this valve in the closed position will prevent boric acid flow to the designated cold legs. Testing and maintenance of this valve, in accordance with Technical Specifications, should reduce the probability of failure.

TABLE 4.10B. MODIFIED CHEMICAL AND VOLUME CONTROL SYSTEM INSPECTION

Module   Title                        Components                   Failure Mode(a)

41700    Training                     Make-up Stop Valve           1
                                      Charging Pumps 11,12,13      2
                                      MOV CVC-514                  3
                                      BA Pumps 11,12               4

61725    Surveillance Testing         Charging Pumps 11,12,13      2
         Program                      MOV CVC-514                  3
                                      BA Pumps 11,12               4
                                      Check Valve CVC-235          5

61726    Monthly Surveillance         Charging Pumps 11,12,13      2
         Observation                  MOV CVC-514                  3
                                      BA Pumps 11,12               4

62700    Maintenance                  Charging Pumps 11,12,13      2
                                      MOV CVC-514                  4
                                      BA Pumps 11,12               3
                                      Check Valve CVC-235          5

71707    Operational Safety           Charging Pumps 11,12,13      2
         Verification                 Check Valve CVC-514          3
                                      BA Pumps 11,12               4

71710    ESF System Walkdown          Charging Pumps 11,12,13      2
                                      Check Valve CVC-514          3
                                      BA Pumps 11,12               4

(a) See Table 4.10A for failure identification.

TABLE 4.10C. MODIFIED CHEMICAL AND VOLUME CONTROL SYSTEM WALKDOWN

Component    Component Name                            Location             Required            Actual
Number                                                                      Position            Position

Electrical

BA Pump 11   Boric Acid Pump 11 Breaker                MCC-114R             Closed
BA Pump 12   Boric Acid Pump 12 Breaker                MCC-104R             Closed
1115         Charging Pump 11 Breaker                  27' Switchgear Rm    Racked in/Closed
1415         Charging Pump 12 Breaker                  45' Switchgear Rm    Racked in/Closed
1104/1404    CP 13 Breaker from Bus 11/14                                   Racked in/Closed
1104/1404    CP 13 Disconnect from Bus 11/14                                Closed
CVC-514      Boric Acid Direct Feed Motor-             E Wall BAST Rm       Closed
             Operated Valve Breaker

Valves

CVC-514      Boric Acid Direct Feed Motor-             BAST Rm              Closed
             Operated Valve


TABLE 4.11. PLANT OPERATIONS INSPECTION GUIDANCE

Recognizing that the normal system lineup is important for any given standby safety system, the following human errors are specially identified as important to risk.

System                           Failure                                Discussion

Reactor Protection System        Switchover/Recovery Failure            Table 4.1A, Item 1

Auxiliary Feedwater System       Improper Alignment/Recovery            Table 4.2A, Item 3
                                 Failure

Emergency AC Power System        Improper Alignment/Recovery            Table 4.4A, Item 1
                                 Failure

Power Conversion System          Switchover/Recovery Failure            Table 4.5A, Item 1

High Pressure Safety             Switchover/Recovery Failure            Table 4.6A, Item 1
Injection System

ECCS Pump Room Cooling           Switchover/Recovery Failure            Table 4.7A, Item 1
System                           Post-Maintenance/Testing               Table 4.7A, Item 4
                                 Lineup Failure

Salt Water System                Feed and Bleed Control Failure         Table 4.8A, Item 1
                                 Switchover/Recovery Failure            Table 4.8A, Item 2

Chemical and Volume              Switchover/Recovery Failure            Table 4.10A, Item 1
Control System

TABLE 4.12. SURVEILLANCE INSPECTION GUIDANCE

The listed components are the risk significant components for which proper surveillance should minimize failure.

System               Component                                Discussion

Reactor              Reactor Trip Breakers                    Table 4.1A, Item 1
Protection           CEDM Power Buses                         Table 4.1A, Item 3

Auxiliary            AFW Pumps 11,12,13(a)                    Table 4.2A, Item 1,2
Feedwater            Valve AFW-103,-904                       Table 4.2A, Item 3
System               Valve AFW-161                            Table 4.2A, Item 5
                     Valves AFW-3987,-5903                    Table 4.2A, Item 6
                     Valves AFW-4522,-4532                    Table 4.2A, Item 7

Emergency DC         Inverters 11,12,13,14                    Table 4.3A, Item 1
Power System         Power Cables 11,12,13,14                 Table 4.3A, Item 2
                     Circuit Breaker 11,12,13,14              Table 4.3A, Item 3
                     Power Cables 20,26,31,23                 Table 4.3A, Item 4
                     Batteries 11,12,13,14                    Table 4.3A, Item 5
                     Circuit Breakers 20,26,31,23             Table 4.3A, Item 6

Emergency AC         DG-11,DG-12                              Table 4.4A, Item 2,3
Power System         Circuit Breakers 1103,1406               Table 4.4A, Item 4

Power                MFW Pumps 11,12                          Table 4.5A, Item 1
Conversion           Condensate Booster Pumps 11,12,13        Table 4.5A, Item 2
System               Condensate MD Pumps 11,12,13             Table 4.5A, Item 3

High Pressure        Valves SI-616,617,626,627,636,           Table 4.6A, Item 1
Safety               637,646,647                              Table 4.6A, Item 2
Injection            Valves SI-659,-660                       Table 4.6A, Item 3
System               HPSI Pumps 11,12,13                      Table 4.6A, Item 4
                     Valves SI-654,-660                       Table 4.6A, Item 5
                     Valves SI-410,-4146                      Table 4.6A, Item 6
                     Valves SI-653,-655                       Table 4.6A, Item 7

ECCS Pump            Control Switches HS-5404,5404A           Table 4.7A, Item 1
Room Cooling         Air Cooling Units' Fans                  Table 4.7A, Item 2
System               Temperature Controller Elements          Table 4.7A, Item 3
                     TE-5404, 5405

Salt Water           Valve SWS-5210                           Table 4.8A, Item
System               Valves SWS-5206,5208,5160,5162,          Table 4.8A, Item 2
                     5163
                     Valves SWS-5150,5152,5153,5171,          Table 4.8A, Item 3
                     5173,5174,5175
                     SWS Pumps 11,12,13                       Table 4.8A, Item 4

Code Safety          Code Safety Valves                       Table 4.9A, Item 1
Valves System

Chemical and         Charging Pumps 11,12,13                  Table 4.10A, Item 2
Volume Control       Valve CVC-514                            Table 4.10A, Item 3
System               BA Pumps 11,12                           Table 4.10A, Item 4

(a) Although credit was not given for AFW Pump #12 in the PRA (due to its "locked out" position), proper surveillance should maintain readiness.

TABLE 4.13. MAINTENANCE INSPECTION GUIDANCE

The components listed here are significant to risk because of unavailability for maintenance or testing. The dominant contributors are usually frequency of maintenance and duration of maintenance, with some contribution due to improperly performed maintenance.

System               Component                                Discussion

Reactor              Reactor Trip Breakers                    Table 4.1A, Item 1
Protection           CEDM Power Buses                         Table 4.1A, Item 3
System               Control Rod Element Assemblies           Table 4.1A, Item 2

Auxiliary            AFW Pump 13                              Table 4.2A, Item 1,4
Feedwater            AFW Pump 11                              Table 4.2A, Item 2,4
System               Valves AFW-103,-904                      Table 4.2A, Item 3
                     Valve AFW-161                            Table 4.2A, Item 5
                     Valves AFW-3987,-5903                    Table 4.2A, Item 6
                     Valves AFW-4522,-4532                    Table 4.2A, Item 7

Emergency            Inverters 11,12,13,14                    Table 4.3A, Item 1
DC Power             Power Cables 11,12,13,14                 Table 4.3A, Item 2
System               Circuit Breakers 11,12,13,14             Table 4.3A, Item 3
                     Power Cables 20,26,31,23                 Table 4.3A, Item 4
                     Batteries 11,12,13,14                    Table 4.3A, Item 5
                     Circuit Breakers 20,26,31,23             Table 4.3A, Item 6

Emergency            DG-11,12                                 Table 4.4A, Item 2,3
AC Power             Breakers 1103,1406                       Table 4.4A, Item 4
System

Power                MFW Pumps 11,12                          Table 4.5A, Item 1
Conversion           Condensate Booster Pumps 11,12,13        Table 4.5A, Item 2
System               Condensate MD Pumps 11,12,13             Table 4.5A, Item 3

High Pressure        Valves SI-616,-617,-626,-627,-636,       Table 4.6A, Item 2
Safety               -637,-646,-647
Injection            Valves SI-659,660                        Table 4.6A, Item 3
System               HPSI Pumps 11,12,13                      Table 4.6A, Item 4
                     Valves SI-654,-656                       Table 4.6A, Item 5
                     Valves SI-410,-4146                      Table 4.6A, Item 6
                     Valves SI-653,-655                       Table 4.6A, Item 7

ECCS Pump            Control Switches HS-5404,5404A           Table 4.7A, Item 1
Room Cooling         Air Cooling Units' Fans                  Table 4.7A, Item 2
System               Temperature Controller Elements          Table 4.7A, Item 3
                     TE-5404,5405

Salt Water           Valve SWS-5210                           Table 4.8A, Item 1
System               Valves 5206,5208,5160,5162,5163          Table 4.8A, Item 2
                     Valves 5150,5152,5153,5171,5173,         Table 4.8A, Item 3
                     5174,5175
                     Pumps 11,12,13                           Table 4.8A, Item 4

Code Safety          Code Safety Valves
Valves System

Chemical and         Charging Pumps 11,12,13                  Table 4.10A, Item 2
Volume Control       Valve CVC-514                            Table 4.10A, Item 4
System               BA Pumps 11,12                           Table 4.10A, Item 3
                     Valve CVC-235                            Table 4.10A, Item 5

TABLE 4.14. QUALITY ASSURANCE/ADMINISTRATIVE CONTROL INSPECTION GUIDANCE

The failures listed here are the ones which the QA/Administrative staff can affect. For example, QA should ensure that both regular and post-maintenance surveillance actually test for the failure mode of concern for significant equipment. Also, in the case of equipment unavailabilities, administrative control should work to minimize the plant risk.

System               Component                                Discussion

Reactor              Reactor Trip Breakers                    Table 4.1A, Item 1
Protection           CEDM Power Buses                         Table 4.1A, Item 3
System               Control Rod Element Assemblies           Table 4.1A, Item 2

Auxiliary            AFW Pump 13                              Table 4.2A, Item 1,4
Feedwater            AFW Pump 11                              Table 4.2A, Item 2,4
System               Valves AFW-103,-904                      Table 4.2A, Item 3
                     Valve AFW-161                            Table 4.2A, Item 5
                     Valves AFW-3987,-5903                    Table 4.2A, Item 6
                     Valves AFW-4522,-4532                    Table 4.2A, Item 7

Emergency            Inverters 11,12,13,14                    Table 4.3A, Item 1
DC Power             Power Cables 11,12,13,14                 Table 4.3A, Item 2
System               Circuit Breakers 11,12,13,14             Table 4.3A, Item 3
                     Power Cables 20,26,31,23                 Table 4.3A, Item 4
                     Batteries 11,12,13,14                    Table 4.3A, Item 5
                     Circuit Breakers 20,26,31,23             Table 4.3A, Item 6

Emergency            DG-11,12                                 Table 4.4A, Item 2,3
AC Power             Breakers 1103A,1406B                     Table 4.4A, Item 4
System

Power                MFW Pumps 11,12                          Table 4.5A, Item 1
Conversion           Condensate Booster Pumps 11,12,13        Table 4.5A, Item 2
System               Condensate MD Pumps 11,12,13             Table 4.5A, Item 3

High Pressure        Sump Valves SI-4144,-4145                Table 4.6A, Item 1
Safety               Valves SI-616,-617,-626,-627,-636,       Table 4.6A, Item 2
Injection            -637,-646,-647
                     Valves SI-659,660                        Table 4.6A, Item 3
                     HPSI Pumps 11,12,13                      Table 4.6A, Item 4
                     Valves SI-654,-656                       Table 4.6A, Item 5
                     Valves SI-410,-4146                      Table 4.6A, Item 6
                     Valves SI-653,-655                       Table 4.6A, Item 7

ECCS Pump            Control Switches HS-5404,5404A           Table 4.7A, Item 1
Room Cooling
System

Salt Water           Valve SWS-5210                           Table 4.8A, Item 1
System               Valves SWS-5206,5208,5160,5162,          Table 4.8A, Item 2
                     5163
                     Pumps 11,12,13                           Table 4.8A, Item 4

Code Safety          Code Safety Valves
Valves System

Chemical and         Charging Pumps 11,12,13                  Table 4.10A, Item 2
Volume Control       Valve CVC-514                            Table 4.10A, Item 3
System               BA Pumps 11,12                           Table 4.10A, Item 4

5.0 CONTAINMENT PROTECTION SYSTEMS AT CC-1

In the event of a core melt accident, the public risk due to radiation release is minimized by the containment building. The analysis in this report has not addressed public risk, except through the probability of core melt, because the PRA which was analyzed is a "level 1" analysis and includes only a cursory analysis of release quantities and their effects. If the containment functions as designed, the public risk resulting from a core melt will be small (e.g., TMI-2 accident), compared to the risk when containment fails with gross releases of radioactivity to the environment.

During severe accidents, the containment is protected by two systems, the Containment Spray System (CSS) and the Containment Air Recirculation and Cooling System (CARC). They limit the temperature and pressure of steam and air in the containment, and reduce the airborne radioactivity by entraining it in water spray.

In the analysis of the Oconee-3 level 3 PRA (Gore, Vo, and Harris 1987), where systems were prioritized on the basis of public risk, the most risk-important systems were found to be the containment spray and the containment air cooling (e.g., CSS and CARC) systems. This is because event sequences leading to significant radioactivity releases almost always involved failure of one or both of these systems, which then led to failure of the containment.

In this section, we identify the components of the containment spray and air cooling systems which were found to be important in the Oconee PRA, and their dominant failure modes. It is reasonable to expect that these components and failure modes are important at Calvert Cliffs also. In each case, the modes identified contributed to 95% or more of the failure probability of the system. The importance of these systems and components to public risk should be kept in mind during inspection planning at Calvert Cliffs.

5.1 CONTAINMENT SPRAY SYSTEM

Conditions Leading to Failure in Oconee PRA

1. Human Error - System operation inhibited or failure to restore valves or pump switchgear after testing.

Operator failure to restore correct system lineup for automatic pump start and flow to spray nozzles is the most important failure in the Oconee PRA.

2. Spray Pump Failure to Start or Run

Pump hardware or control circuit failures are important at Oconee, as are human errors in the associated procedures for surveillance or maintenance.

3. Failure of Motor-Operated Discharge Valve to Open (Calvert Cliffs Valves CSS-4150 and CSS-4151.)

The dominant failure mode at Oconee is hardware failure, with human failure to manually actuate these valves when necessary being a contributing mode.

4. Pump Trains Unavailable Due to Maintenance and Testing

Both scheduled and unscheduled activities are included. Minimization of this time and conformance to Technical Specifications requirements are important at Oconee.

5. Pump Suction Valves Fail to Open or Check Valves Stick Closed (Calvert Cliffs Valves SIS-4142 and SIS-4143.)

The dominant Oconee failure modes are human error, electrical failure, or hardware failures. Lineup for standby operation and proper surveillance and maintenance are important.

Support system dependencies for the CSS are shown in Figures 5.1 and 5.2.


5.2 CONTAINMENT AIR RECIRCULATION AND COOLING SYSTEM

Conditions that Lead to Failure

1. Operating Fans Fail to Run and Non-Operating Fan Fails to Start and Run

Fan failure due to hardware failure is the dominant system failure mode at Oconee.

2. Operating Fans Fail to Run and Non-Operating Fan in Maintenance

At Oconee, system failure due to fan maintenance unavailability in combination with hardware failures is a significant system failure mode.

3. Motor-Operated Damper to Common Duct Header Fails to Open

Damper misoperation is a significant failure mode at Oconee.

4. Dropout Plates Fail to Drop

Failure of fusible dropout plates to drop and open ductwork bypasses in a post-LOCA environment is a significant Oconee failure mode.

5. Start Switches Improperly Positioned

Human error in positioning control switches, preventing proper automatic system operation, is also an important failure mode at Oconee.

Support system dependencies for the CARCS are shown in Figures 5.3 and 5.4.


TABLE OF ACRONYMS

AC          Alternating Current
AFW         Auxiliary Feedwater System
ATWS        Anticipated Transient Without Scram
BA          Boric Acid
BAST        Boric Acid Storage Tank
BWR         Boiling-Water Reactor
CARC        Containment Air Recirculation and Cooling
CC          Calvert Cliffs 1 nuclear plant
CCW         Component Cooling Water
CCW         Component Cooling Water system
CEA         Control Element Assembly
CEDM        Control Element Drive Mechanism
CSS         Containment Spray System
CSS/SDHX    Containment Spray System Shutdown Heat Exchangers
CTS         Condensate Storage Tank
CVCS        Chemical Volume Control System
CVCS, CVC   Chemical and Volume Control System
DC          Direct Current
DG          Diesel Generator
ESF         Engineered Safety Features
ESFAS       Engineered Safety Features Actuation System
F-V         Fussell-Vesely (Importance)
HPSI        High-pressure Safety Injection
HPSI/R      High-pressure Safety Injection/Recirculation
HPSR        High-pressure Safety Recirculation
HS          Handswitch
HX          Heat Exchanger
IBM-PC      IBM Personal Computer
IE          Inspection and Enforcement
INEL        Idaho National Engineering Laboratory
IRRAS       Integrated Reliability and Risk Analysis (computer code)
KV          Kilo-volt
LOCA        Loss of Coolant Accident
LPSI        Low-pressure Safety Injection
MD          Motor-driven
MFW         Main feedwater
MFWCS       Main feedwater and Condensate System
MOV         Motor-operated valve
MS          Main Steam
NRC         Nuclear Regulatory Commission
NSSS        Nuclear Steam Supply System
PCS         Power Conversion System
PNL         Pacific Northwest Laboratory
PORV        Pressure-operated Relief Valve
PP
PRA         Probabilistic Risk Assessment
PWR         Pressurized Water Reactor
QA          Quality Assurance
RAS
RCS         Reactor Coolant System
RPS         Reactor Protection System
RWT         Refueling Water Tank
SI          Safety Injection
SIAS        Safety Injection Actuation Signal
SRV         Safety Relief Valve
SRW         Service Water
SRWS        Service Water System
SWS         Salt Water System
TE          Temperature Controller Element
TMI-2       Three Mile Island Unit 2 nuclear plant
USNRC       Nuclear Regulatory Commission
V           Volt(s)


