ML20247G449

Forwards Info on Development of risk-based Insp Guide for Facility as Followup to & 890222 Telcon. Technique Used to Produce risk-based Insp Guide to Differ from Method Being Described in Encl Rept
ML20247G449
Person / Time
Site: Callaway
Issue date: 03/24/1989
From: Alexion T
Office of Nuclear Reactor Regulation
To: Schnell D
UNION ELECTRIC CO.
References
NUDOCS 8904040233


Text

March 24, 1989

Docket No. 50-483

Mr. Donald F. Schnell
Vice President - Nuclear
Union Electric Company
Post Office Box 149
St. Louis, Missouri 63166

DISTRIBUTION: Docket Files, NRC & Local PDRs, PDIII-3 r/f, GHolahan, MVirgilio, JHannon, TAlexion, PKreutzer, OGC-WF1, EJordan, BGrimes, ACRS(10), PDIII-3 Gray, SLong, RBarrett, KCampe

Dear Mr. Schnell:

SUBJECT: DEVELOPMENT OF A RISK-BASED INSPECTION GUIDE FOR CALLAWAY

The enclosed information on our Risk-Based Inspection Guide (RIG) project is provided to you as a followup to our February 1, 1989 letter and as agreed during our telephone conversation on February 22, 1989. It has been taken from a NUREG/CR report that is currently in preparation. That report will describe the production of RIG's from plant-specific probabilistic risk assessments (PRA's). Because Callaway does not have a PRA now, the technique we will use to produce the RIG will differ from the method being described in this report. However, the format of the Callaway RIG and its uses in the NRC's inspection efforts will be the same. Hopefully, our telephone discussions adequately addressed our technique for identifying most of the important system failure modes without having a PRA to work from.

If you would like to discuss any of this information further, please feel free to contact me at (301) 492-1387 or Steve Long at (301) 492-3162.

Sincerely,

/s/

Thomas W. Alexion, Project Manager Project Directorate III-3 Division of Reactor Projects - III, IV, V and Special Projects Office of Nuclear Reactor Regulation

Enclosure:

As stated

cc: See next page

8904040233 890324 PDR ADOCK 05000483 O PDC

Mr. D. F. Schnell
Union Electric Company
Callaway Plant
Unit No. 1

cc:

Dr. J. O. Cermack
CFA Inc.
4 Professional Dr., Suite 110
Gaithersburg, MD 20879

Gerald Charnoff, Esq.
Thomas A. Baxter, Esq.
Shaw, Pittman, Potts & Trowbridge
2300 N Street, N. W.
Washington, D. C. 20037

Mr. T. P. Sharkey
Supervising Engineer, Site Licensing
Union Electric Company
Post Office Box 620
Fulton, Missouri 65251

U. S. Nuclear Regulatory Commission
Resident Inspectors Office
RR#1
Steedman, Missouri 65077

Mr. Alan C. Passwater, Manager
Licensing and Fuels
Union Electric Company
Post Office Box 149
St. Louis, Missouri 63166

Manager - Electric Department
Missouri Public Service Commission
301 W. High
Post Office Box 360
Jefferson City, Missouri 65102

Regional Administrator
U. S. NRC, Region III
799 Roosevelt Road
Glen Ellyn, Illinois 60137

Mr. Ronald A. Kucera, Deputy Director
Department of Natural Resources
P. O. Box 176
Jefferson City, Missouri 65102

Mr. Bart D. Withers
President and Chief Executive Officer
Wolf Creek Nuclear Operating Corporation
P. O. Box 411
Burlington, Kansas 66839

Mr. Dan I. Bolef, President
Kay Drey, Representative
Board of Directors
Coalition for the Environment, St. Louis Region
6267 Delmar Boulevard
University City, Missouri 63130

4. APPLICATIONS OF RISK-BASED INSPECTION GUIDES

Risk-Based Inspection Guides are intended to provide Resident Inspectors with risk insights that are applicable to a wide variety of inspection activities required by the NRC Inspection Manual. The Manual contains the Inspection Procedures used by NRC for all routine and occasional inspection activities. Section 2515.10 of the Manual discusses use of PRA insights and references Appendix C, which describes the Guides and lists those that are presently available. In addition, risk insights from the Guides can be useful during planning for a variety of team inspections, including Safety System Functional Inspections, Maintenance Team Inspections, and Operational Safety Assessment Risk-Based Inspections. The examples provided below illustrate several of the methods for using risk insights from the Guides during the planning or conduct of inspections.

NRC Inspection Manual 2515 - This chapter delineates the routine inspection activities for power reactors after they have completed their initial power ascension testing. Under Inspection Procedure (IP) 71707, Resident Inspectors are required to perform specified activities on daily, weekly, monthly and longer periods.

During daily tours of the control room and reviews of operations' logs, familiarity with the accident sequences and system failure modes described in the RIG will aid in recognizing situations that are potentially risk significant. Important system line-up errors are often detectable by control room observations.

Required weekly activities include walking down one plant system, with considerable latitude allowed to the inspector for determining the thoroughness of this inspection. Although each system in the plant should be covered eventually, the relative risk significance indicated by the RIG can be used in determining the order for selecting the systems, and more importantly, the thoroughness of the inspection for a particular system. The modified system walkdown tables provided in the RIG should be used to ensure that the most risk significant items are included in even the most abbreviated walkdowns.

Inspections of maintenance activities are required on approximately monthly intervals, using IP 62.13. Similarly, monthly inspections of surveillance activities are required, using IP 61726. The inspector is urged to begin his inspections of this type by directly observing the licensee's performance of a maintenance or surveillance activity that is important to risk. The inspector can use the system and component importance information in the RIG to help identify the most risk significant maintenance and surveillance activities scheduled during the appropriate periods.

Safety System Functional Team Inspections (SSFI) - These are conducted in accordance with Appendix D to Manual Chapter 2515 at the discretion of the NRC's Regional Office. They are intensive inspections that go into great depth on a single system. They usually begin with verification that the system design is consistent with its design requirements, progress through the adequacy of installation, history of operation, adequacy of surveillance and maintenance procedures, and include a detailed walkdown of the system.

The information in the RIG can be useful in selecting a system for this inspection and for ensuring that important failure modes are included in the inspection planning process.

Maintenance Team Inspections - These are intensive inspections of a plant's maintenance program that are being conducted in accordance with Temporary Instruction 2515/97 at each plant during the 1988-89 period. Part of the inspection procedure involves selection of specific equipment for detailed review of maintenance procedures, records, and failure information. The information contained in the RIG can be used to ensure that components with high risk significance are chosen for the inspection sample and that their important failure modes are adequately addressed by the maintenance program.

Risk-Based Operational Safety and Performance Assessment - These team inspections are conducted at the discretion of the NRC Regional Office in accordance with IP 93804. They focus on a plant's ability to respond to the accident sequences that dominate its core melt frequency.

Preparation usually involves direct extraction of importance information from the plant's PRA. However, information in the RIG can also be utilized if time or expertise is not available for analyzing the PRA.

Approximately 40 basic events that contribute the most to core melt frequency are chosen for inspection. These usually include both component failures and operator actions. Thorough inspections of the components are planned, including direct inspection and reviews of maintenance, surveillance and calibration records and procedures.

Operator actions are reviewed through accident simulation exercises, reviews of Emergency Operating Procedures and plant walkthroughs. In all of these activities, the role of the equipment and operator actions in particular accident sequences is used to check for adequacy under the conditions that would be imposed by the accidents.

During any inspection of a system or an individual component, it is useful to consider the type of failures that create significant risk and the circumstances under which these failures are important. For instance, if the RIG indicates that failure of a normally open valve to remain open is significant during a transient, then inspection should concentrate on verifying that the valve is in the open position, ensuring that the disk has not separated from the stem, and examining the efficacy of the measures used by the licensee to ensure that the valve is not inadvertently closed. In contrast, if the RIG indicates that failure of a valve to open under Station Blackout conditions is an important step toward core melt, the inspector would concentrate his attention on those things that could prevent the valve from opening, with special emphasis on the conditions created by loss of AC power.

An experienced inspector's knowledge of failure mechanisms, used in conjunction with the failure modes information provided by the RIG, can effectively focus inspection efforts for the greatest safety benefit.

DRAFT February 23, 1989

METHODOLOGY FOR PRODUCTION OF RISK-BASED INSPECTION GUIDES

Risk-Based Inspection Guides (RIGs) present inspectors with PRA insights at three different levels: the accident sequence, the system, and the basic event level. With a level 3 PRA, there are several possible risk measures that could be used to determine the relative importance of a sequence or system or basic event. These include the contribution to the core melt frequency, the probability of early fatalities, and the total population dose. Each of these measures is likely to produce a significantly different ranking. For instance, LOCAs outside of containment usually do not contribute much to the

core melt frequency. However, they often contribute substantially to the early fatality probability. The differences in rankings for the different risk measures are due to the effects of the accident mitigation systems (e.g., containment, containment spray) and to the assumptions about severe accident phenomena (e.g., direct containment heating). Because the amount of uncertainty increases substantially in going from core melt results to radiological release results, and because many of the available PRAs do not go beyond core melt (level 1), the NRC has chosen to use the core melt frequency as the risk measure for the RIGs calculations. However, this does not provide a means for ranking the accident mitigation systems, which are certainly important to public health and safety. Therefore, in addition, inspector attention is directed separately to these systems. The list of accident mitigation systems may be derived directly if the plant has a level 3 PRA. If the plant's PRA goes only to level 1 or 2, the list can be based on insights derived from analysis of several level 3 PRAs for similar plants.

In the discussions that follow, it is assumed that core melt frequency is the risk measure being used to establish relative importance of sequences, systems and components. Ranking of accident sequences according to their contributions to core melt frequency is a straightforward process; the frequencies of the cutsets assigned to each sequence simply are totaled and the results sorted into decreasing order. Most published PRAs contain a ranking of this type. However, sequence definitions used by PRA analysts sometimes are drawn more narrowly than the definitions that inspectors find useful for understanding the results. For instance, PRA reports may provide rank ordered lists that intersperse several small LOCA sequences, several ATWS sequences, and several LOSP sequences. A better way to provide the information to the inspector is by combining the probabilities of similar sequences to establish the ranking, and then, for each general sequence type, describing the important variations in the path that the sequence can take. (The core melt frequencies for each of the sequence variations may still be of interest to inspectors, so they are usually included with the descriptions.)

At the system and basic event levels, there are two somewhat different insights that can be useful to inspectors. One is the contribution of the system or component to the core melt frequency. This can be determined by calculating one of the importance measures that includes the reliability of the system or component. The Fussell-Vesely, Risk Reduction, and Inspection Importance Measures all provide essentially similar rankings of this type. The other insight of interest is the increase in the core melt frequency that results when the system or component is out of service. The Risk Achievement Importance Measure provides this insight (the Birnbaum Importance Measure can be used also because it provides essentially the same rankings).¹ Usually, calculation of these importance measures is complicated by the structure of the PRA. Considerable approximation may be required if they have to be calculated from published PRA results, without the benefit of computerized plant models.

If the PRA has produced core melt cutsets that go to the basic event level, then it is straightforward to calculate the importance of the basic events (i.e., component failures and operator errors) with respect to core melt. In this case, calculation of the systems' importance requires assigning the various basic events to the appropriate systems. Then, for each system, it is necessary to sum the frequencies of the cutsets containing one or more of the events assigned to that system. It should be noted that the importance of a system is not the algebraic sum of the importances of that system's basic events. Summation of component importances would constitute multiple counting of the same cutsets for any system that has redundancy of trains or components, since some cutsets will contain two or more components in the system, both of which must fail to cause core melt. Usually, PRAs that produce core melt cutsets at the basic event level truncate the cutsets at a selected number or below a selected core melt frequency contribution. If the number of cutsets available after truncation is too small, it may not result in a very accurate calculation of the Birnbaum importances. This is because calculation of Birnbaum Importance for a system or component involves setting its failure probability equal to 1.0, which changes the affected cutset frequencies by large factors, potentially making truncated cutsets relatively more important than many that were not truncated. A small number of cutsets also may result in identification of very few of the important components in some systems.
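The cutset bookkeeping described above, together with the importance-measure definitions given in this report's footnote, as an added Python example (not code from the NUREG/CR report or the NRC). The cutsets, event names, probabilities and initiator frequencies are constructed for illustration, and core melt frequency is assumed to be the plain sum of cutset frequencies (rare-event approximation).

```python
from math import prod

# Constructed sample data (not from the report): basic-event failure
# probabilities and the front-line system each event is assigned to.
PROB = {"DG-A": 0.03, "DG-B": 0.03, "AFW-MDP-A": 0.02, "AFW-MDP-B": 0.02,
        "AFW-TDP": 0.05, "OP-FEED-BLEED": 0.1, "OP-SLC": 0.02, "RPS": 1e-5}
SYSTEMS = {"EP": {"DG-A", "DG-B"},
           "AFW": {"AFW-MDP-A", "AFW-MDP-B", "AFW-TDP"},
           "RPS": {"RPS"}}
# (initiating-event frequency per year, basic events that must all fail)
CUTSETS = [
    (0.1, {"DG-A", "DG-B", "AFW-TDP"}),                             # loss of offsite power
    (5.0, {"AFW-MDP-A", "AFW-MDP-B", "AFW-TDP", "OP-FEED-BLEED"}),  # transient
    (5.0, {"RPS", "OP-SLC"}),                                       # ATWS
]

def cutset_freq(cutset, prob):
    """Frequency of one cutset: initiator frequency times event probabilities."""
    freq, events = cutset
    return freq * prod(prob[e] for e in events)

def core_melt_freq(cutsets, prob, override=None):
    """Total core melt frequency, optionally with some probabilities replaced."""
    p = {**prob, **(override or {})}
    return sum(cutset_freq(c, p) for c in cutsets)

def contribution(cutsets, prob, events):
    """The text's rule: total the cutsets containing one or more of `events`."""
    return sum(cutset_freq(c, prob) for c in cutsets if c[1] & set(events))

def importance(cutsets, prob, events):
    """Importance measures for a component ({event}) or a system (its event set)."""
    base = core_melt_freq(cutsets, prob)
    always = core_melt_freq(cutsets, prob, {e: 1.0 for e in events})  # always fails
    never = core_melt_freq(cutsets, prob, {e: 0.0 for e in events})   # never fails
    return {"fussell_vesely": (base - never) / base,
            "risk_reduction": base - never,
            "risk_achievement": always - base,
            "birnbaum": always - never}

def rank_systems(cutsets, prob, systems, measure):
    """System names sorted by decreasing value of the chosen measure."""
    scores = {s: importance(cutsets, prob, ev)[measure] for s, ev in systems.items()}
    return sorted(scores, key=scores.get, reverse=True)

def truncate(cutsets, prob, cutoff):
    """Drop cutsets below a frequency cutoff, as a published PRA might."""
    return [c for c in cutsets if cutset_freq(c, prob) >= cutoff]

if __name__ == "__main__":
    afw = importance(CUTSETS, PROB, SYSTEMS["AFW"])
    parts = sum(importance(CUTSETS, PROB, {e})["fussell_vesely"]
                for e in SYSTEMS["AFW"])
    print("AFW system Fussell-Vesely:", round(afw["fussell_vesely"], 3))
    print("Sum of AFW component values (multiple counting):", round(parts, 3))
    print("Rank by contribution:", rank_systems(CUTSETS, PROB, SYSTEMS, "fussell_vesely"))
    print("Rank if unavailable: ", rank_systems(CUTSETS, PROB, SYSTEMS, "birnbaum"))
    kept = truncate(CUTSETS, PROB, 2e-6)
    print("RPS Birnbaum, full list:     ", importance(CUTSETS, PROB, {"RPS"})["birnbaum"])
    print("RPS Birnbaum, truncated list:", importance(kept, PROB, {"RPS"})["birnbaum"])
```

With these constructed numbers the ATWS cutset falls below the truncation cutoff, so the reactor protection system disappears from the truncated ranking even though it is second by the Birnbaum measure on the full list.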

In contrast to the above case, many PRAs produce core melt cutsets that are composed of event tree top events. Typically, most of these top events are supported by fault trees that derive system unavailability from the basic events for a particular system. Calculation of the total core melt frequency requires linking of the fault trees to the event trees. The linking is done with plant support states and it accounts for interactions/common dependencies of systems. In this case, some approximation is required to evaluate the importance of the basic events to core melt. As in the previous case, system importance is determined first by assigning the events in the core melt sequences to the appropriate systems. Then, for each system, the frequencies of the cutsets involving one or more events for that system are summed. Calculation of a basic event's importance to a system's unavailability can be accomplished using the fault tree for that system. Ranking components within a system according to their importance to that system's unavailability is not necessarily the same as ranking them according to their importance to core melt. For instance, in PWRs, motor driven pumps are as important as the turbine driven pump in the auxiliary feedwater system fault tree. Yet the turbine driven pump is often more important to core melt because it appears in the station blackout sequences and loss-of-emergency-bus sequences that do not require failure of the motor driven pumps. In this case, the RIG developer usually will have to make do with the importance of the basic events to system unavailability. Some subjective rearrangement of the resulting ranking may be appropriate to account for the support states associated with dominant accident sequences.

¹ The Birnbaum Importance Measure for a system/component is the difference between the core melt probabilities assuming that it will always fail and assuming that it will never fail. The Risk Achievement Importance Measure is the difference between the core melt probabilities assuming that the system/component has its normal level of reliability and assuming that it always fails. The Risk Achievement measure differs from the Birnbaum measure by the amount that the system/component normally contributes to the core melt frequency. (That amount is also known as the Risk Reduction Importance Measure.) For systems that have high reliability (i.e., about 10⁻² failure per demand), the Birnbaum Measure is within a few percent or less of the Risk Achievement Measure. These two importance measures therefore produce essentially the same rank ordering of systems for nuclear power plants.

The methods used by many PRAs create special problems for determining the importances of support systems and their components. Support systems often do not appear in the event trees, and their fault trees may not have been solved. However, support systems have been shown to be very important for some reactors, so they should not be ignored. When the support systems are not treated in a manner equivalent to the front-line systems, the method for determining their importances requires ad hoc development to take advantage of whatever information the PRA does contain. If computerized plant models are available, linking the support system fault trees to the sequence event trees and rerunning the code may be practical. More commonly, the support system importances have to be estimated by determining those event tree top events that can be caused by failure of each support system (or train thereof) and by assigning the cutsets containing those events to the support systems as well as to the systems that are involved explicitly. In cases where the event trees are relatively small, their associated event definitions may be so broad that most of them will be applicable to failure of most or all of the support systems. If so, in order to avoid gross overestimation of the importance of the support systems, it will be necessary to estimate fractional probability contributions for each support system to each event in the trees. These fractions can then be used as weighting factors when summing the affected cutset probabilities for each support system. It is not possible to precisely state a formula for deriving the weighting factors that is appropriate to all PRA methodologies currently in use. The goal is to estimate importance measures for support systems in a manner that is reasonably consistent with the importance measures calculations for the front line systems.

ATTACHMENT 1

SAMPLE RISK-BASED INSPECTION GUIDE BASED ON THE PEACH BOTTOM ATOMIC POWER STATION UNIT 2

(Contains Sections 1 - 7, and selected Appendices from the Peach Bottom Risk Inspection Guide)

1. INTRODUCTION

This inspection guide has been prepared to provide inspection guidance based on review of the NUREG/CR-4550/Peach Bottom Probabilistic Risk Assessment (PRA)¹. The guidance should be used to aid in the selection of areas to inspect and is not intended either to replace current NRC inspection guidance or to constitute an additional set of inspection requirements. The information contained herein is based almost entirely on the Peach Bottom PRA issued in 1986. Hence, recent system experience, failures, and modifications should be considered when reviewing these tables. Since plant modifications are normally an ongoing process, it is recommended that relevant changes be catalogued so that this inspection guidance can be periodically revised as required.

2. DOMINANT ACCIDENT SEQUENCES

The Peach Bottom PRA has a number of different accident sequences that contribute significantly to overall core damage frequency (CDF), which is 8.2E-6/year. The sequences that dominate core damage frequency at Peach Bottom are grouped below by their initiating events.

- Station Blackout (86% of core damage frequency)
- Anticipated Transients Without Scram (ATWS) (12%)
- Intermediate LOCA (1%)
- Transient with Loss of Core Cooling (<1%)
- Large LOCA (<1%)

[Figure: pie chart of core damage frequency contributions; segment labels: Station Blackout, ATWS, LOCAs and Transient]

Each of these dominant accident sequence groups is composed of several similar but distinct sequences of systems failures. There are five dominant station blackout sequences (three short-term and two long-term), four dominant ATWS sequences (two dependent and two independent of containment failure), and four loss-of-core-cooling sequences (two LOCAs and two transients). Because of similarities, the sequences have been grouped and summarized below.

2.1 Station Blackout Sequences (86% CDF)

2.1.1 Short Term Blackout

There are two sequences resulting from short-term station blackout which comprise a total of 56% of core damage frequency:

a) The first is characterized by transients leading to station blackout (loss of all AC power) as a result of coincident DC power failures. The loss of DC power causes failure of the diesel, High Pressure Coolant Injection (HPCI), and Reactor Core Isolation Cooling (RCIC) systems which results in the loss of all core and containment cooling. Without the restoration of AC/DC power in 30-to-40 minutes, primary system inventory boils off and core damage results.

In addition, AC power recovery is affected by the DC power loss severely hampering the recovery process for reclosing breakers, etc. Instrumentation in the plant is also significantly degraded under these circumstances. For these reasons, the probability of power recovery is considered negligible in the required 30 minute time frame to prevent core damage (54%).

b) The second is very similar to the above except there are no DC common mode failures. The diesels, HPCI, and RCIC fail by other mechanisms.

These sequences may include RCS depressurization by the ADS (if DC power is available) or by a stuck open SRV. However, low pressure core cooling is not functional without AC power, so this only affects whether core damage occurs with the RCS at high pressure or low pressure.

2.1.2 Long Term Blackout

There is one major damage state resulting from long-term station blackout which contributes to 30% of core damage frequency. It is characterized by transients leading to a long-term station blackout (loss of all AC power). Core cooling is successful with either HPCI or RCIC providing coolant injection until about six hours into the sequence. At that time, the batteries deplete, affecting the ability to continue operation of these systems. Without AC power recovery within three hours of battery depletion, core damage results. While the primary system may be initially at relatively low pressures, depletion of the batteries causes loss of ADS/SRV control. Core damage occurs either at high pressure conditions or at low pressure conditions caused by a stuck open relief valve.

2.2 Anticipated Transients Without Scram (ATWS) (12% CDF)

There are two major damage states attributable to ATWS scenarios comprising 7% and 5% CDF respectively.

2.2.1 ATWS with Core Damage Independent of Containment Failure

This plant damage state is characterized by an ATWS with either Main Steam Isolation Valve (MSIV) closure or an event with MSIVs initially open but subsequently closed. This isolates the primary system under high power conditions, thereby rapidly increasing the pressure and temperature conditions within containment since RHR cooling under these circumstances is inadequate.

At this point, there are two pathways leading to core damage:

1) The Standby Liquid Control (SLC) system is started within ~4 minutes into the accident, but initial HPCI failure under high power conditions and operator failure to rapidly depressurize the vessel (so that low pressure systems can be used immediately) lead to a core damage event. Subsequent containment failure may or may not occur depending on the need for, and success or failure of, containment venting (5% CDF).

OR,

2) Timely start of the SLC system is not performed or it fails from being left in an inappropriate configuration after the last test of the system. Core cooling is maintained for a short time (~1/4 hour) before HPCI fails because of high pool temperature. The operator then fails to rapidly depressurize (so that low pressure systems can be used) which leads to core damage. Subsequent containment failure may or may not occur depending on the need for, and success or failure of, containment venting (2% CDF).

2.2.2 ATWS with Core Damage Dependent Upon Containment Failure

This plant damage state is characterized by an ATWS with either MSIV closure or an event with MSIVs initially open but subsequently closed. This isolates the primary system under high power conditions, thereby rapidly increasing the pressure and temperature conditions within containment since RHR cooling under these circumstances is inadequate. Timely SLC system start is not performed or it fails because it was left in an inappropriate configuration after the last test of the system. ADS is not inhibited, resulting in vessel blowdown. Low pressure system operation and control are successful. Venting of the containment is not successful.

The status of the containment determines how core damage occurs. Three general containment conditions assumed are:

a) containment leak failures,

b) no containment failure at least up until vessel breach, and

c) catastrophic containment failure.

Cases a) and b) preclude continued operation of the low pressure cooling systems. This is because maximum air pressure to the SRVs is ~100-to-125 psig, which is under the estimated 150+ psig pressure for containment failure. Therefore, the vessel remains pressurized and all core cooling is lost. Case c) depressurizes the containment, but the saturated conditions in the pool cause failure of Low Pressure Core Spray (LPCS) and RHR pumps. Condensate and High Pressure Service Water (HPSW) are either not available or the operator fails to start their injection into the core; core damage results (5% CDF).

2.3 LOCAs or Transients With Loss of Core Cooling (2% CDF)

2.3.1 Intermediate LOCA

Subsequent to an intermediate size LOCA, HPCI successfully operates for about two hours until pressure in the primary system can no longer support operation of the HPCI steam turbine. Low pressure injection systems are required to provide sufficient flow, but they fail. Core damage results soon after (1% CDF).

2.3.2 Large LOCA

Subsequent to a large LOCA, there is failure of the low pressure systems resulting in a core damage event (<1% CDF).

2.3.3 Transients with Loss of the Power Conversion System

1) This plant damage state is characterized by a transient causing loss of the Power Conversion System (PCS). Early loss of all core cooling occurs because of failures associated with the high pressure systems and the inability of the available low pressure systems to inject because of miscalibration of the low reactor pressure permissive circuitry. This latter event disables LPCS and LPCI, as well as HPSW injection which uses the LPCI injection paths. Without recovery of the PCS and accompanying condensate or feedwater in about 30 minutes, core damage results. The vessel can, and will likely be, depressurized with ADS leading to core damage under low pressure conditions in the reactor vessel (<1% CDF).

2) Similar to (1) above, this state involves a transient causing loss of the PCS and early failure of all injection. Injection loss is because of failures associated with the high pressure systems, ADS, and operator failure to manually depressurize so that low pressure systems can be used. Core damage results in about 30 minutes without recovery (<1% CDF).

3. SYSTEM PRIORITY LIST

The Peach Bottom systems have been ranked in Table 1 according to their importance in preventing core damage. Two different rankings are provided for use under two types of circumstances. Under normal conditions, the left-hand column should be used. For degraded or inoperable systems, the right-hand column should be used, as discussed below. Other plant systems not appearing on these lists are generally of lesser importance than those that are included here.

The two system prioritization lists have been included in Table 1 because they provide different types of risk insights that are useful in the inspection process. The left-hand column indicates the system's contribution to the core damage frequency as provided by the Fussell-Vesely Importance Measure, given that the system is operating with the reliability assumed by the PRA. Generally, when planning an inspection without knowledge of specific system problems, those systems that contribute most to core damage frequency should be given priority attention in order to most efficiently minimize risk.

However, when one or more systems exhibit unusually high failure rates or unusual types of failures, then the probabilities assumed in the PRA are not really appropriate for the failures of those systems. While their problems persist, the affected systems contribute more to the risk of core damage than is indicated by the left-hand column. The increase in the core damage frequency when the system is inoperable is indicated by the right-hand column, based on the Birnbaum Importance Measure. The right-hand column can be used to estimate how much more important these systems have become when they are having problems. (Affected systems with high rankings in the right-hand column should be considered to have become much more important than indicated by their rank in the left-hand column, while systems with lower rankings in the right-hand column would have smaller increases above the rank indicated in the left-hand column.) Similarly, the right-hand column is the appropriate choice for estimating the risk significance of inspection findings that indicate a system is inoperable or degraded.

Table 1 - (Hypothetical) System Priority Ranking

By Contribution to Core Damage Frequency / By Risk Significance of the System Being Unavailable

Emergency Power Reactor Protection Containment Venting Emergency Service Water Emergency Service Water Reactor Protection Emergency Power Automatic Depressurization Emergency Ventilation Standby Liquid Control Standby Liquid Control High Pressure Coolant Injection Containment Venting Low Pressure Coolant Injection Automatic Depressurization High Pressure Coolant Injection Reactor Core Isolation Cooling Reactor Core Isolation Cooling

Emergency Ventilation Low Pressure Core Spray Control Rod Drive Control Rod Drive Low Pressure Core Spray Condensate/Feedwater Condensate/Feedwater Containment Sprays Containment Sprays High Pressure Service Water High Pressure Service Water Instrument Air Instrument Air Shutdown Cooling Shutdown Cooling Suppression Pool Cooling Suppression Pool Cooling

Notes:

1. The ranking in column 1 is appropriate to use for systems that are functioning normally. It is based on the Fussell-Vesely Importance Measure, which is the system's contribution to the core damage frequency, assuming that the system is operating with normal reliability.
2. The ranking in column 2 is appropriate to use for determining the significance of known system degradation or inoperability. It is based on the Birnbaum Importance Measure, which indicates the increase in the core damage frequency that results when the system is assumed to be inoperable.
3. The containment systems shown on these lists are ranked with respect to their contributions to core damage frequency, only. Their importance for accident consequence mitigation was not considered.
4. The dashed lines represent significant differences between importances of systems that are adjacent in the lists. Systems not separated by dashed lines should be assumed to have importances approximately equivalent to each other, within the precision of the PRA quantification.
5. The containment spray system, shutdown cooling system and suppression pool cooling system have been combined under the residual heat removal system in the inspection tables that follow.

Adjacent systems on the list should be considered to have approximately equal contributions to risk because of the uncertainties in the PRA. Where the difference between importance measures of adjacent systems is significant, they have been separated by the dashed lines.
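The reason the two columns order systems differently can be reproduced from a set of minimal cut sets. The Python code below is an added example, not part of the NRC report: the event names, probabilities and cut sets are constructed, and it assumes the standard definitions (Fussell-Vesely as the fraction of core damage frequency from cut sets containing the system's failures, Birnbaum as the frequency with the system failed minus the frequency with the system perfect) under the rare-event approximation.

```python
"""Fussell-Vesely vs. Birnbaum system rankings from minimal cut sets.

All event names, probabilities and cut sets are constructed for
illustration; none are taken from the Peach Bottom PRA.
"""
from math import fsum, prod

# Constructed basic-event data. Initiators (IE_*) are frequencies per
# year; all other entries are failure probabilities on demand.
EVENTS = {
    "IE_LOSP": 0.08,   # loss of offsite power
    "IE_TRANS": 3.0,   # general transient
    "EP": 1e-3,        # emergency power unavailable
    "ESW": 2e-4,
    "RPS": 1e-6,       # failure to scram
    "HPCI": 5e-2,
    "RCIC": 5e-2,
    "ADS": 1e-3,
}

# System name -> basic events that represent its failure (constructed).
SYSTEMS = {
    "Emergency Power": {"EP"},
    "Emergency Service Water": {"ESW"},
    "Reactor Protection": {"RPS"},
    "High Pressure Coolant Injection": {"HPCI"},
    "Reactor Core Isolation Cooling": {"RCIC"},
    "Automatic Depressurization": {"ADS"},
}

# Minimal cut sets leading to core damage (constructed).
CUT_SETS = [
    frozenset({"IE_LOSP", "EP"}),
    frozenset({"IE_LOSP", "ESW"}),
    frozenset({"IE_TRANS", "RPS"}),
    frozenset({"IE_TRANS", "HPCI", "RCIC", "ADS"}),
]


def minimize(cut_sets):
    """Drop duplicates and every cut set that strictly contains another."""
    unique = set(cut_sets)
    minimal = [c for c in unique if not any(o < c for o in unique)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def cdf(cut_sets):
    """Core damage frequency, rare-event approximation (sum of products)."""
    return fsum(prod(EVENTS[e] for e in sorted(c)) for c in cut_sets)


def condition(cut_sets, events, failed):
    """Cut sets given the events are certainly failed or certainly working."""
    if failed:
        # A failed event drops out of each product; some cut sets then
        # become non-minimal and must be removed to avoid double counting.
        return minimize(c - events for c in cut_sets)
    return [c for c in cut_sets if not (c & events)]


def importances(system):
    """Return both importance measures for one system."""
    ev = frozenset(SYSTEMS[system])
    base = cdf(CUT_SETS)
    perfect = cdf(condition(CUT_SETS, ev, failed=False))
    inoperable = cdf(condition(CUT_SETS, ev, failed=True))
    return {
        # Share of today's CDF that involves this system's failure.
        "fussell_vesely": (base - perfect) / base,
        # CDF(system failed) - CDF(system perfect). For a reliable system
        # this is close to the increase in CDF when it is inoperable.
        "birnbaum": inoperable - perfect,
    }


def ranking(measure):
    """Systems ordered from most to least important by the given measure."""
    scores = {s: importances(s)[measure] for s in SYSTEMS}
    return sorted(scores, key=lambda s: (-scores[s], s))


if __name__ == "__main__":
    for measure in ("fussell_vesely", "birnbaum"):
        print(measure)
        for name in ranking(measure):
            print(f"  {name:34s} {importances(name)[measure]:.3e}")
```

With this constructed data the reactor protection function contributes least to the baseline frequency because it is so reliable, yet it ranks first once assumed inoperable, which is the kind of reordering the two columns of Table 1 are meant to expose.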

4. COMMON CAUSE FAILURES

The failure of multiple items from some common cause can be very significant to risk. The Peach Bottom PRA has identified several common cause failures that are particularly important:

Loss of offsite power,
Common mode failure of the DC batteries,
Common mode failure of diesel generators,
ADS valves fail because of a common cause.

Other common cause failures, not considered to be as important as those above, are identified in the failure mode tables which follow.

5. IMPORTANT HUMAN ERRORS (Including Recovery Actions)

Human errors can be very significant to overall plant risk. The Peach Bottom PRA has identified several human errors as particularly important contributors to risk:

5.1 Pre-Accident Errors

1) Miscalibration of the reactor pressure sensors (PISL-2-3-52A-D) shared by the Low Pressure Core Spray (LPCS) and Low Pressure Coolant Injection (LPCI) systems.

While a low probability event, this error could cause failure of the LPCS, LPCI, and High Pressure Service Water (HPSW) system (which injects through the LPCI line) since low reactor pressure permissives to open the injection valves in these lines would become unavailable.

2) Failure to restore the correct standby alignment of the Standby Liquid Control (SLC) system after test. Failure to restore certain valves after tests of the SLC system could cause recirculation of the borate solution rather than injection into the vessel upon a real demand. Although the valves are painted to direct closure after the tests, there are no control room position indicators.

5.2 Post-Accident Errors

1) Operator fails to initiate Standby Liquid Control within four minutes of ATWS.
2) Operator controls level with HPCI too low. Following an ATWS, at 100°F torus temperature since power is above 3% and an SRV is open, the operator must lower reactor pressure vessel level by terminating and preventing all injection into the vessel, except boron injection and control rod drive, until power is below 3% or all SRVs are shut or the top of the active fuel (TAF) is reached. As the TAF is reached, HPCI must be throttled to maintain the level. One outcome is operator failure by maintaining the level too low.

Upon failure of automatic ADS initiation:

3) The operator fails to rapidly depressurize the primary system (using the ADS valves), or
4) The operator fails to operate the non-ADS SRVs manually.

Other human errors are also identified in Table B1, Plant Operations Inspection Guidance.

6. SYSTEM INSPECTION TABLES

Taken together, the systems ranked by their risk importance in the first column of Table 1 contribute 95% of the core damage frequency for Peach Bottom. For each of those systems, inspection guidance is provided in the form of a failure mode table, an abbreviated walkdown checklist, and a simplified system diagram. Each of these is explained in detail below.

In using these tables, however, it is essential to remember that other systems and components are also important. If, through inattention, the failure probabilities of other systems were allowed to increase significantly, their contributions to risk might equal or exceed that of the systems in the following tables. Consequently, a balanced inspection program is essential to ensuring that the licensee is minimizing plant risk. The following tables allow an inspector to concentrate on systems and components that are most significant to risk. In so doing, however, cognizance of the status of systems performing other essential safety functions must be maintained.

APPENDIX A

Table AI - System Failure Modes

The introduction to this table provides a brief description of the system and the success criteria used for the system in the PRA. (Note that the PRA success criteria may be different from the success criteria contained in the FSAR.)

The entries in this table are the dominant events (component failures, operator errors, etc.) contributing to system failure, provided in rank order according to their risk significance. Since most systems are designed with redundant trains, it will generally take more than one of these events to fail the entire system. No effort has been made to list all of the combinations of the events that are sufficient to produce system failure because that is usually apparent from the system description in the introduction. Where single events are sufficient to fail the entire system, that is noted in the brief discussion of the event. For certain events that are important primarily because of the circumstances of a particular accident sequence, that information is also noted.

Inspection focussed on the items in the table will address approximately 95% of the risk for that system. Because PRAs do not contain the detail necessary to attribute the listed failures to the most probable specific root causes, it is necessary for the inspector to draw from his experience, plant operating history, ASME Codes, NRC Bulletins and Information Notices, INPO SOERs, vendor notices and similar sources to determine how to actually conduct his inspections of the listed items. Where appropriate, codes have been included following each event description to indicate which licensee programs/activities provide inspectable aspects of the risk. These codes are as follows:

PC - Periodic calibration activities, procedures and training.

PT - Periodic testing activities, procedures and training.

MT - Preventive or unscheduled maintenance activities, procedures and training.

OP - Normal and emergency operating procedures, check-off lists, training, etc.

TS - Technical specifications.

ISI - In-service inspection.

Table AI - Modified System Walkdown

This table provides an abbreviated version of the licensee's system checklist, where available, but includes only those items which are related to the dominant failure modes. It is generally much less than the normal checklist. It can be used to rapidly review the line up of important system components on a routine basis. Caution should be observed when using the checklists, since they are based on certain versions of the licensee's system operating instructions. Valve numbers used are those identified in the licensee system checklists, or P&ID's.

Figure AI - Simplified System Diagram

A simplified line diagram is provided for each system treated. These are intended to aid in visualizing the system configuration and the location of the components discussed in the two tables. Since they are neither complete nor controlled, they should not be used in place of up-to-date P&IDs during inspection activities.

APPENDIX B

Table B1 - Plant Operations Inspection Guidance

This table is a collection of all of the risk significant operator actions listed in the preceding system tables. It is provided as a cross reference for use in observing operator actions and training.

Table B2 - Surveillance and Calibration Inspection Guidance

This table is a collection of all of the risk significant components listed in the preceding system tables that are considered to be significantly influenced by surveillance and calibration activities. It is provided as a cross reference to assist in selecting risk important activities for observation during inspections of the licensee's surveillance and calibration programs.

Table B3 - Maintenance Inspection Guidance

This table is a collection of the risk significant components listed in the preceding system tables that are considered to be significantly influenced by maintenance activities. It is provided as a cross reference to assist the inspector in selecting risk important activities for observation during inspections of the licensee's maintenance program. Important factors include the frequency and duration of maintenance as well as errors that degrade the component or render it inoperable when it is returned to service.

APPENDIX C

Table C1 - Containment and Drywell Walkdown Table

Because they are normally inaccessible during operation, a separate walkdown checklist is provided for those components listed in the preceding system tables that are located inside the containment or drywell. This is intended for efficient inspection of those items when the opportunity arises.

7. REFERENCES
1. A.M. Kolaczkowski, et al., "Analysis of Core Damage Frequency From Internal Events; Peach Bottom, Unit 2," NUREG/CR-4550, SAND 86-2084, Volume 4, Sandia National Laboratories, Albuquerque, NM, October 1986.
2. NUREG/CR-5022, "System Analysis and Risk Assessment," System (SARA) User's Manual Revision 3 and Software, Idaho National Engineering Laboratory, September 1987.

PEACH BOTTOM ATOMIC POWER STATION, UNIT 2
RISK BASED INSPECTION GUIDE
Low Pressure Core Spray (LPCS) System

Table A3-1 Importance Basis and Failure Mode Identification

CONDITIONS THAT CAN LEAD TO FAILURE

Mission Success Criteria

The purpose of the Low Pressure Core Spray (LPCS) System is to provide a makeup coolant source to the reactor vessel during accidents in which vessel pressure is low. ADS can be used in conjunction with LPCS to attain a low enough system pressure for injection to occur. LPCS is a two loop system consisting of motor-operated and manual valves and two 50% capacity motor-driven pumps per loop. Injection of flow from any two LPCS pumps to the reactor constitutes system success. The LPCS pumps take water from the suppression pool and can be manually realigned to the CST. LPCS is automatically initiated and controlled. The operator may be required to manually start the system if an automatic actuation failure occurs. The operator can stop or control flow during ATWS if required.

1. Common Cause Miscalibration of Reactor Pressure Sensors
LPCS will not actuate unless system pressure is sufficiently low. (PC)

2. ESW PS-5 Hardware Failures: CV 513 Fails to Open or Manual Valve XV 502 Plugs
ESW PS-5 is the common injection line to all of the LPCS pump and room coolers. Failure of pump room cooling is assumed to fail the LPCS pumps in four hours. (MT, PT)

3. Operator Fails to Backup LPCS Actuation
LPCS is automatically actuated but the operator may be required to manually actuate the system given auto failure. (OP)

4. Common Cause Miscalibration of Reactor Water Level Sensors
Given sufficiently low system pressure, low reactor water level sensors actuate LPCS. (PC)

5. MOV 12A/B Fail to Open
Failure of injection lines PS-13 and PS-27 disable LPCS. (MT, PT)

6. Bus 4160A/B/C/D Power Permissive Sensors Fail
Failure of Bus 4160 A or C causes failure of PS-13, while failure of Bus 4160 B or D disables PS-27. (MT, PT)

7. LPCS Pump A/B/C/D Fail
Failure of three of the four LPCS pumps or one pump in conjunction with the alternate loop's injection line disables LPCS. (MT, PT)

8. ESW PS-8 Fails and Operator Fails to Switch to EHS Mode
Maintenance on MOV 0498 disables ESW PS-8, the primary heat sink discharge line; unavailability of the primary heat sink requires that the emergency heat sink mode be actuated. EHS Mode is also disabled by ECW pump failure or MOV 0841 failing to open (PS-19). (MT, OP, PT)

9. LPCS, LPCI Low Reactor Pressure Sensors C&D/A&B Fail
LPCS and LPCI share actuation logic. The low pressure systems will not actuate unless reactor pressure is sufficiently low. (MT, PT)

10. MOV 11A/B Out for Maintenance
See item 5 above. (MT, PT)

11. MOV SA/B/C/D Out for Maintenance
Pump discharge lines are disabled when they are blocked for MOV maintenance. (MT, PT)

12. MOV 26A/B Fail to Remain Closed
PS-12 and PS-26 are discharge lines to the suppression pool. These lines will divert flow from LPCS reactor injection. (MT, OP, PT)

Low Pressure Core Spray (LPCS) System

TABLE A3-2 MODIFIED SYSTEM WALKDOWN

Description | ID No. | Location | Desired Position | Actual Position | Pow. Sup. Breaker # | Location | Required Position | Actual Position
LPCS & INJ Line MOV's | MOV 12A | CR Panel CO3 | Auto Closed | | 52-3621 | MCC 20B36 | Closed |
LPCS A INJ Line MOV's | MOV 12B | CR Panel CO3 | Auto Closed | | 52-3952 | MCC 20B39 | Closed |
Emer. Aux. Swgr. Bus 4 kV | E.12 | CR Panel C26A | A M. I. Indic. | | 152-1501 | Emer. Aux Swgr. 20A15 | Closed |
Emer. Aux. Swgr. Bus 4 kV | E.22 | CR Panel C26B | A M. I. Indic. | | 152-1601 | Emer. Aux Swgr. 20A16 | Closed |
Emer. Aux. Swgr. Bus 4 kV | E.32 | CR Panel C26C | A M. I. Indic. | | 152-1701 | Emer. Aux Swgr. 20A17 | Closed |
Emer. Aux. Swgr. Bus 4 kV | E.42 | CR Panel C26D | A M. I. Indic. | | 152-1801 | Emer. Aux Swgr. 20A18 | Closed |
LPCS Pump | 2A P37 | CR Panel CO3 | Auto | | 152-1504 | Emer. Aux Swgr. 20A15 | Closed |
LPCS Pump | 2B P37 | CR Panel CO3 | Auto | | 152-1604 | Emer. Aux Swgr. 20A16 | Closed |
LPCS Pump | 2C P37 | CR Panel CO3 | Auto | | 152-1703 | Emer. Aux Swgr. 20A17 | Closed |
LPCS Pump | 2D P37 | CR Panel CO3 | Auto | | 152-1803 | Emer. Aux Swgr. 20A18 | Closed |
ECW Pump | MDPA C | See Note 1 | | | | | |
PS 12 Discharge Line MOV | MOV 26 A | Cont. SW CR Panel CO3 | Closed | | 52-3823 | MCC 20B38 | BKR Closed |
PS 26 Discharge Line MOV | MOV 26 B | Cont. SW CR Panel CO3 | Closed | | 52-3932 | MCC 20B39 | BKR Closed |

Note 1: For failure of EHS Mode by ECW Pump failure or MOV 0841 Failing to open - See A2-3 ESW.

TABLE A3-2 REFERENCE DOCUMENTS

TITLE | I.D. NO. | REV | DATE
Systems Procedures: | | |
Core Spray - Normal - Valve Line up | S.3.4.E.2 | 6 | 6/24/87
System Descriptions: | | |
Core Spray | 3.4 | 1 | 1/09/80
Training Plans: | | |
Doc Type 284 - Core Spray | 035d | 3 | 7/07/87
Electrical One Line No.: | | |
Standby Diesel Gen. & 4160 Volt Emerg. Power System, Unit No. 2, Sheets 1&2 | E-8 | 10 | 5/06/86
P&ID's No.: | | |
Core Spray Cooling System, Sheets 1&2 | M 362 | 31 | 9/14/87


TABLE B1 - PLANT OPERATIONS INSPECTION GUIDANCE

Recognizing that the normal system lineup is important for any given standby safety system, the following human errors are identified in the PRA as important to risk.

SYSTEM | FAILURE | DISCUSSION
Emergency Service Water (ESW) | Operator Fails to Initiate EHS Mode | Table A2-1, Item 8
Low Pressure Core Spray (LPCS) | Operator Fails to Backup LPCS Actuation | Table A3-1, Item 3
 | Operator Fails to Switch to EHS Mode | Table A3-1, Item 8
 | MOV 26A/B Fail to Remain Closed | Table A3-1, Item 12
Residual Heat Removal (RHR) | Operator Fails to Backup LPCI Actuation | Table A5-1, Item LPCI-3
 | Operator Fails to Switch to EHS Mode | Table A3-1, Item LPCI-6
 | Operator Fails to Align CS Mode | Table A5-1, Item CS-1
 | Operator Fails to Switch to EHS Mode | Table A5-1, Item CS-7
 | Operator Fails to Initiate or Align SDC Mode | Table A5-1, Item SDC-1
 | Operator Fails to Switch to EHS Mode | Table A5-1, Item SDC-7
 | Operator Fails to Align SPC Mode | Table A5-1, Item SPC-1
 | Operator Fails to Switch to EHS Mode | Table A5-1, Item SPC-6
Automatic Depressurization (ADS) | Operator Fails to Manually Depressurize the Reactor Given Auto Failure | Table A6-1, Item 2
Control Rod Drive (CRD) | Operator Fails to Realign CRD for Injection | Table A7-1, Item 1
Standby Liquid Control (SLC) | Operator Fails to Start SLC | Table A10-1, Item 1
 | Failure Due to Improper Realignment Following Test | Table A10-1, Item 2
 | Failure to Reclose Manual Test Valve F041 after Suction Test | Table A10-1, Item 3
High Pressure Service Water (HPSW) | Operator Fails to Align HPSW for Injection | Table A11-1, Item 1

TABLE B2 - SURVEILLANCE AND CALIBRATION INSPECTION GUIDANCE

The listed components are the risk significant components for which surveillance and/or calibration should minimize failure.

SYSTEM | FAILURE | DISCUSSION
Emergency Electric Power (EPS) | Unit 2 Battery A/B/C/D Fails | Table A1-1, Item 1
 | Common Mode Failure(s) of Additional Batteries | Table A1-1, Item 2
 | DG E1/E2/E3/E4 Fail to Start or Run or Out for Maintenance | Table A1-1, Item 3
 | Common Mode Failure(s) of Additional Diesel Generators | Table A1-1, Item 4
 | DG Actuation Fails | Table A1-1, Item 5
 | Failure of Diesel Generator Room Coolers | Table A1-1, Item 6
Emergency Service Water (ESW) | ESW Valve MV0498 Fails to Open or Is Out for Maintenance | Table A2-1, Item 1
 | ESW Pump A Fails to Start or Run or Is Out for Maintenance | Table A2-1, Item 2
 | ESW Pump B Fails to Start or Run or Is Out for Maintenance | Table A2-1, Item 3
 | ESW Valve AV21 Fails to Open or Is Out for Maintenance | Table A2-1, Item 4
 | ESW Valve AV22 Fails to Open or Is Out for Maintenance | Table A2-1, Item 5
 | ESW Valve AV23 Fails to Open or Is Out for Maintenance | Table A2-1, Item 6
 | ESW Valve AV24 Fails to Open or Is Out for Maintenance | Table A2-1, Item 7
 | ECW Pump Fails to Start or Run or Is Out for Maintenance | Table A2-1, Item 9
 | ESW Valve MV0841 Fails to Open or Is Out for Maintenance | Table A2-1, Item 10
 | ESW Valves CV515A/B Fail to Open | Table A2-1, Item 11
 | ESW Valve CV513 Fails to Open | Table A2-1, Item 12
Low Pressure Core Spray (LPCS) | Common Cause Miscalibration of Reactor Pressure Sensors | Table A3-1, Item 1
 | ESW PS-5 Hardware Failures: CV 513 Fails to Open or Manual Valve XV 502 Plugs | Table A3-1, Item 2
 | Common Cause Miscalibration of Reactor Water Level Sensors | Table A3-1, Item 4
 | MOV 12A/B Fail to Open | Table A3-1, Item 5
 | Bus 4160A/B/C/D Power Permissive Sensors Fail | Table A3-1, Item 6
 | LPCS Pump A/B/C/D Fail | Table A3-1, Item 7
 | ESW PS-8 Fails | Table A3-1, Item 8
 | LPCS, LPCI Low Reactor Pressure Sensors C&D/A&B Fail | Table A3-1, Item 9
 | MOV 26A/B Fail to Remain Closed | Table A3-1, Item 12
Residual Heat Removal (RHR) | Common Cause Miscalibration of Reactor Pressure Sensors | Table A5-1, Item LPCI-1
 | ESW PS-5 Hardware Failures | Table A5-1, Item LPCI-2
 | Common Cause Miscalibration of Reactor Water Level Sensors | Table A5-1, Item LPCI-4
 | MOV 25A/B Fail to Open | Table A5-1, Item LPCI-5
 | ESW PS-8 Fails | Table A5-1, Item LPCI-6
 | LPCI, LPCS Low Reactor Pressure Sensors A&B/C&D Fail | Table A5-1, Item LPCI-7
 | MOV 154A/B Out for Maintenance or Plugged | Table A5-1, Item LPCI-9
 | CV 46A/B Fail to Open | Table A5-1, Item LPCI-11
 | Common Cause Miscalibration of High Drywell Pressure Sensors | Table A5-1, Item CS-2
 | ESW PS-5 Hardware Failures | Table A5-1, Item CS-3
 | MOV 26A/B Fail to Open or Out for Maintenance | Table A5-1, Item CS-4
 | MOV 31A/B Fail to Open or Out for Maintenance | Table A5-1, Item CS-5
 | RHR Control Logic A/B Circuitry Fails | Table A5-1, Item CS-6
 | ESW PS-8 Fails | Table A5-1, Item CS-7
 | LPCI, LPCS High Drywell Pressure Sensors A&B/C&D Fail | Table A5-1, Item CS-8
 | HPSW MOV 2804A/B and MOV 2486 Fail to Open or Out for Maintenance | Table A5-1, Item CS-9
 | MOV 17 Fails to Open or Is Out for Maintenance | Table A5-1, Item SDC-2
 | MOV 18 Fails to Open or Is Out for Maintenance | Table A5-1, Item SDC-3
 | ESW PS-5 Hardware Failures | Table A5-1, Item SDC-4
 | MOV 25A/B Fail to Open or Out for Maintenance | Table A5-1, Item SDC-5
 | RHR Control Logic A/B Circuitry Fails | Table A5-1, Item SDC
 | ESW PS-8 Fails | Table A5-1, Item SDC-7
 | CV 46A/B Fail to Open | Table A5-1, Item SDC-11
 | ESW PS-5 Hardware Failures | Table A5-1, Item SPC-2
 | MOV 34A/B Fail to Open or Out for Maintenance | Table A5-1, Item SPC-3
 | MOV 39A/B Fail to Open or Out for Maintenance | Table A5-1, Item SPC-4
 | RHR Control Logic A/B Circuitry Fails | Table A5-1, Item SPC-5
 | ESW PS-8 Fails | Table A5-1, Item SPC-6
 | HPSW MOV 2804A/B and MOV 2486 Fail to Open or Out for Maintenance | Table A5-1, Item SPC-7
Automatic Depressurization (ADS) | Common Mode ADS Valve Failure | Table A6-1, Item 1
 | Common Mode Non-ADS Valve Failure | Table A6-1, Item 3
Control Rod Drive (CRD) | MDPB Fails to Start or Run or Is Out for Maintenance | Table A7-1, Item 2
 | MDPA Fails to Continue to Run or Is Out for Maintenance | Table A7-1, Item 3
High Pressure Coolant Injection (HPCI) | HPCI Turbine-driven Pump Fails or Is Out for Maintenance | Table A8-1, Item 1
 | MOV 19 Fails to Open or Is Out for Maintenance | Table A8-1, Item 2
 | MOV 14 Fails to Open or Is Out for Maintenance | Table A8-1, Item 3
 | MOV 20 Plugs or Is Out for Maintenance | Table A8-1, Item 6
 | PCV 50 Fails or Is Out for Maintenance | Table A8-1, Item 7
 | ESW PS-5 Hardware Failures: Check Valve CV 513 Fails to Open or Manual Valve 502 Plugs | Table A8-1, Item 8
 | Check Valve CV 18 Fails to Open | Table A8-1, Item 9
 | Check Valve CV 32 Fails to Open | Table A8-1, Item 10
 | HPCI Flow Controller FICJ3-108 Fails | Table A8-1, Item 11
 | Check Valve CV 65 Fails to Open | Table A8-1, Item 12
 | MOV 57 or MOV 58 Fail to Open | Table A8-1, Item 13
 | Check Valve CV 61 Fails to Open | Table A8-1, Item 14
Reactor Core Isolation Cooling (RCIC) | RCIC Pump Fails to Start or Run or Is Out for Maintenance | Table A9-1, Item 1
 | MOV 132 Fails to Open or Is Out for Maintenance | Table A9-1, Item 2
 | PCV 23 Fails or Is Out for Maintenance | Table A9-1, Item 3
 | MOV 131 Fails to Open or Is Out for Maintenance | Table A9-1, Item 4
 | MOV 21 Fails to Open or Is Out for Maintenance | Table A9-1, Item 5
 | MOV 20 Plugs or Is Out for Maintenance | Table A9-1, Item 8
 | ESW PS-5 Hardware Failures: Check Valve CV 513 Fails to Open or Manual Valve 502 Plugs | Table A9-1, Item 9
 | RCIC Flow Controller FIC-91 Fails | Table A9-1, Item 10
 | CV 50 Fails to Open | Table A9-1, Item 11
 | CV 22 Fails to Open | Table A9-1, Item 12
 | MOV 41 or MOV 39 Fails to Open | Table A9-1, Item 13
 | CV 40 Fails to Open | Table A9-1, Item 14
 | PS-1 Hardware Failure: MOV 18 Plugs or CV 19 Fails to Open | Table A9-1, Item 15
Standby Liquid Control (SLC) | Failure Due to Improper Realignment Following Test | Table A10-1, Item 2
 | Failure to Reclose Manual Test Valve F041 after Suction Test | Table A10-1, Item 3
 | One of Two Check Valves in Injection Line Fails | Table A10-1, Item 4
 | Pump Suction Inlet Valve XV 11 Plugs | Table A10-1, Item 5
 | Check Valves in Both Pump Discharge Lines Fail to Open | Table A10-1, Item 6
 | SLC Pumps Fail to Start or Run or Are Out for Maintenance | Table A10-1, Item 7
High Pressure Service Water (HPSW) | MOV 174/176 Fail to Open | Table A11-1, Item 2
 | RHR MOV 25B Fails to Open | Table A11-1, Item 3
 | CV 5 Fails to Open | Table A11-1, Item 5
 | Manual Valve XV 516A Fails to Remain Closed | Table A11-1, Item 6
 | RHR CV 46B Fails to Open | Table A11-1, Item 7
 | HPSW MOV 2804A/B and MOV 2486 Fail to Open or Out for Maintenance | Table A11-1, Item 8

..i PEACil BOTTOM ATOMIC POWER STATION, UNIT 2 RISK-BASED INSPECTION GUIDE TABLE B3 - MAINTENANCE INSPECTION GUIDANCE The components listeil here are significant to risk because of unavailability for mainte-nance. The dominant contributors are usually frequency and duration of maintenance, with some contribution due to improperly performed maintenance.

SYSTEM FAILURE DISCUSSION Emergency Electric Unit 2 Battery A/B/C/D Fails Table Al-1, Item 1 Power (EPS)

Common Mode Failure (s) of Additional Bat- Table A11, Item 2 teries DG El/E2/E3/E4 Fail to Start or Run or Out Table Al 1. Item 3 for Maintenance Common Mode Failure (s) of Additional Diesel Table Al-1, Item 4-Generators DG Actuation Fails -

Table Al 1, item 5 Failure of Diesel Generator Room Coolers Table Al 1, item 6 Emergency Service ESW Valve MV0498 Fails to Open or Is Out Table 'A2-1. Item 1 Water (ESW) for Maintenance ESW Pump A Fails to Stan or Run or Is Out Table A21, Item 2 for Maintenance ESW Pump B Fails to Stan or Run or Is Out Table A21, item 3 j for Maintenance ESW Valve AV21 Fails to Open or Is Out Table A2-1, item 4 for Maintenance ESW Valve AV22 Fails to Open or Is Out Table A21, Item 5 for Maintenance ESW Valve AV23 Fails to Open or is Out Table A2-1, item 6

. for Maintenance ESW Valve AV24 Fails to Open or Is Out Table A21. Item 7 for Maintenance ECW Pump Fails to Start or Run or Is Out Table A21, Item 9 for Maintenance ESW Valve MV0841 Fails to Open or Is Out Table A2-1, item 10 for Maintenance i

ESW Valves CV515A/B Fail to Open Table A21, item 11 ESW Valve CV513 Fails to Open Table A21. Item 12 l

63 l

,.r .

'o

  • Low Pressure Core ESW PS-5 Hardware Failures: CV 513 Fails Table A31. Item 2 Spray 'LPCS) to Open or Manual Valve XV 502 Plugs MOV 12A/B Fail to Open Table A31, Item 5 Bus 4160A/B/C/D Power Permissive Sensors Table A31, Item 6 Fail LPCS Pump A/B/C/D Fail Table A3-1 Item 7 ESW PS-8 Fails Table A31. Item 8 LPCS, LPCI Low Reactor Pressure Sensors Table A3-1, Item 9 C&D/A&B Fail MOV llA/B Out for Maintenance Table A31 Item 10 MOV SA/B/C/D Out for Maintenance Table A31, Item 11 MOV 26A/B Fail to Remain Closed Table A31, Jtem 12 Residual Heat Re- ESW PS-5 Hardware Failures Table A5-1. Item LPCI 2 moval (RHR)

MOV 25A/B Fail to Open Table A51, Item LPCI 5 ESW PS-8 Fails Table A51, Item LPCI-6 LPCI, LPCS Low Reactor Pressure Sensors Table AS 1, Item LPCI 7 A&B/C&D Fail MOV 26A/B Out for Maintenance Table A5-1, Item LPCI-8 MOV 154A/B Out for Maintenance or Table AS 1, Item LPCI-9 Plugged MOV 39A/B Out for Maitenance Table AS-1, Item LPCI-10 CV UA/B Fail to Open Table A5 I, Item LPCI.il ESW PS 5 Hardware Failures Table A51. Item CS-3 _

MOV 26A/B Fail to Open or Out for Mainte- Table A5-1. Item CS-4 nance MOV 31A/B Fail to Open or Out for Mainte. Table AS 1. Item CS 5 nance RHR Control Logic A/B Circuitry Fails Table AS 1, Item CS-6 ESW PS-8 Fails Table AS 1, item CS 7 LPCI, LPCS High Drywell Pressure Sensors Table A51, Item CS 8 A&B/C&D Fail HPSW MOV 2804A/B and MOV 2486 Fail to Table A51, Item CS-9 Open or Out for Maintenance MOV 39A/B Out for Maintenance Tas AS-1, Item CS 10 MOV 17 Fails to Open or is Out for Mainte- Table AS-1, Jtem SDC-2 nanCC MOV 18 Fails to Open or Is Out for Mainte. Table A51, Jtem SDC-3 nance l

64

. t =

a "s '

? ,

ESW PS 5 Hardware Failures . Table A5-1. Item SDC 4 MOV 25A/B Fail to Open or Out for Mainte. Table A51. Item SDC-5 nance RHR Control Logic A/B Circuitry Fails Table A5-1. hem SDC-6 .

ESW PS-8 Fails and Operator Fails to Switch Table A5-1 Item SDC-7 to EHS Mode

~

MOV 39A/B Out for Maintenance Table AS 1, Item SDC-8 MOV 26A/B Out for Maintenance Table A5-1, Item SDC-9 s,, MOV 154A/B Out for Maintenance Table AS-1, Item SDC-10 CV 46A/B Fail to Open Table AS 1. Item SDC-Il ESW PS-5 Hardware Failures Table A51, Item SPC-2 MOV 34A/B Fail to Open or Out for Mainte- Table AS 1, Item SPC-3 mance MOV 39A/B Fail to Open or Out for Mainte. Table A5-1 Item SPC-4 nance RHR Control Logic A/B Circuitry Fails Table A5-1. Item SPC-5 ESW PS-8 Fails -

Table A5-1, Item SPC-6 HPSW MOV 2804A/B and MOV 2486 Fail to Table AS-1, item SPC-7 Open or Out for Maintenance Automatic Common Mode ADS Valve Failure Table A6-1, Item 1 Depressurization (ADS)

Common Mode Non-ADS Valve Failure

  • Table A6-1. Item 3 Control Rod Drive MDPB Fails to Start or Run or Is Out for Table A7-1. Item 2 (CRD) Maintenance "

MDPA Fails to Continue to Run or Is Out Table A7-1, Item 3 '

for Maintenance High Pressure Cool. HPCI Turbine-driven Pump Fails or Is Out Table AB-1, Item 1 ant Injection (HPCI)

~

for Maintenance

MOV 19 Fails to Open or Is Out for Maintenance (Table A8-1, Item 2)
MOV 14 Fails to Open or Is Out for Maintenance (Table A8-1, Item 3)
MOV 57 Is Out for Maintenance (Table A8-1, Item 4)
MOV 17 Is Out for Maintenance (Table A8-1, Item 5)
MOV 20 Plugs or Is Out for Maintenance (Table A8-1, Item 6)
PCV 50 Fails or Is Out for Maintenance (Table A8-1, Item 7)
ESW PS 5 Hardware Failures: Check Valve CV 513 Fails to Open or Manual Valve 502 Plugs (Table A8-1, Item 8)
Check Valve CV 18 Fails to Open (Table A8-1, Item 9)
Check Valve CV 32 Fails to Open (Table A8-1, Item 10)
HPCI Flow Controller FIC-23108 Fails (Table A8-1, Item 11)
Check Valve CV 65 Fails to Open (Table A8-1, Item 12)
Check Valve CV 61 Fails to Open (Table A8-1, Item 14)

Reactor Core Isolation Cooling (RCIC)
RCIC Pump Fails to Start or Run or Is Out for Maintenance (Table A9-1, Item 1)
MOV 132 Fails to Open or Is Out for Maintenance (Table A9-1, Item 2)
PCV 23 Fails or Is Out for Maintenance (Table A9-1, Item 3)
MOV 131 Fails to Open or Is Out for Maintenance (Table A9-1, Item 4)
MOV 21 Fails to Open or Is Out for Maintenance (Table A9-1, Item 5)
MOV 18 Is Out for Maintenance (Table A9-1, Item 6)
MOV 39 Is Out for Maintenance (Table A9-1, Item 7)
MOV 20 Plugs or Is Out for Maintenance (Table A9-1, Item 8)
ESW PS-5 Hardware Failures: Check Valve CV 513 Fails to Open or Manual Valve 502 Plugs (Table A9-1, Item 9)
RCIC Flow Controller FIC-91 Fails (Table A9-1, Item 10)
CV 50 Fails to Open (Table A9-1, Item 11)
CV 22 Fails to Open (Table A9-1, Item 12)
CV 40 Fails to Open (Table A9-1, Item 14)
PS 1 Hardware Failure: MOV 18 Plugs or CV 19 Fails to Open (Table A9-1, Item 15)

Standby Liquid Control (SLC)
Failure Due to Improper Realignment Following Test (Table A10-1, Item 2)
Failure to Reclose Manual Test Valve F041 after Suction Test (Table A10-1, Item 3)
One of Two Check Valves in Injection Line Fails (Table A10-1, Item 4)
Pump Suction Inlet Valve XVil Plugs (Table A10-1, Item 5)
Check Valves in Both Pump Discharge Lines Fail to Open (Table A10-1, Item 6)
SLC Pumps Fail to Start or Run or Are Out for Maintenance (Table A10-1, Item 7)

High Pressure Service Water (HPSW)
MOV 174/176 Fail to Open (Table A11-1, Item 2)
RHR MOV 25B Fails to Open (Table A11-1, Item 3)
RHR MOV 154B Is Out for Maintenance (Table A11-1, Item 4)
CV 5 Fails to Open (Table A11-1, Item 5)
Manual Valve XV 516A Fails to Remain Closed (Table A11-1, Item 6)
RHR CV 46B Fails to Open (Table A11-1, Item 7)
FPSW MOV 2804A/B and MOV 2486 Fail to Open or Out for Maintenance (Table A11-1, Item 8)

APPENDIX C

PEACH BOTTOM ATOMIC POWER STATION, UNIT 2 RISK BASED INSPECTION GUIDE

TABLE C CONTAINMENT AND DRYWELL WALKDOWN

Discussion

Since the drywell is generally inaccessible during normal plant operation, those components listed in the preceding tables which are located either within the drywell or otherwise in the containment are listed below:

| Description | ID No. | Location | Desired Position | Actual Position |
|---|---|---|---|---|
| 1. SLC Inboard Stopcheck - Handwheel | CV 17 | Containment | Locked Open | |
| 2. RHR System Check Valves | CV 46A | Containment | Open | |
| | CV 46B | | Open | |
| Other Valves in Containment - Not in Top 95% Risk | | | | |
| (A) RCIC | MV 15 | Containment | Open | |
| | CV 1 | Containment | Open | |
| | HV 1 | Containment | Locked Open | |
| (B) HPCI | MV 15 | Containment | Open | |
| | CV 1 | Containment | Open | |
| | HV 2 | Containment | Open | |
| (C) SLC | HV 18 | Containment | Locked Open | |
| (D) RHR | HV 81 | Containment | Open | |
| | A&B | Containment | Open | |
| | MV 18 | Containment | Closed | |
