NSD-NRC-97-5151, Forwards W Responses to NRC RAI Re AP600 Level 1 PRA

From kanterella
Forwards W Responses to NRC RAI Re AP600 Level 1 PRA
ML20148D821
Person / Time
Site: 05200003
Issue date: 05/23/1997
From: Mcintyre B
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
NSD-NRC-97-5151, NUDOCS 9706020115
Download: ML20148D821 (12)


Text


Westinghouse Electric Corporation, Energy Systems, Box 355, Pittsburgh, Pennsylvania 15230-0355

NSD-NRC-97-5151

DCP/NRC0886

Docket No.: STN-52-003

May 23, 1997

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, DC 20555

ATTENTION: T. R. Quay

SUBJECT:

AP600 RESPONSE TO REQUESTS FOR ADDITIONAL INFORMATION

Dear Mr. Quay:

Enclosed are the Westinghouse responses to NRC requests for additional information pertaining to the AP600 Level 1 PRA. Specifically, responses are provided for RAIs 720.374, 720.380, 720.381, 720.384, and 720.385. The OITS numbers associated with the RAIs are 5122, 5128, 5129, 5132, and 5133, respectively.

Except for RAI 720.381, these responses close the RAIs from the Westinghouse perspective, and the Westinghouse status column will be changed to "Closed." For RAI 720.381, the Westinghouse status will be changed to "Confirm-W." The NRC should review these responses and inform Westinghouse of the status to be designated in the "NRC Status" column of the OITS.

Please contact Cynthia L. Haag on (412) 374-4277 if you have any questions concerning this transmittal.

Brian A. McIntyre, Manager
Advanced Plant Safety and Licensing

jml

Enclosure

cc:

J. Sebrosky, NRC (w/ Enclosure)

J. Flack, NRC (w/ Enclosure)

N. J. Liparulo, Westinghouse (w/o Enclosure)

Enclosure to Westinghouse Letter NSD-NRC-97-5151, May 23, 1997


NRC REQUEST FOR ADDITIONAL INFORMATION

Question: 720.374

Several cutsets include more than one CCF of sensors and transmitters together with operator action(s), such as #40 and #59. Please verify that all these I&C common cause failures do not adversely impact the human error probabilities (as calculated in the PRA) and provide documentation of your finding in the focused PRA.

Response

Cutsets #40 and #59 belong to the quantification output file for the baseline sensitivity study that was requested by the NRC and provided via Westinghouse letter NSD-NRC-96-4913, dated December 13, 1996, and NOT the focused PRA. However, these cutsets and the general concern of the NRC regarding modeling of human errors with failed I&C signals are also applicable to the baseline and focused PRAs.

Cutset #40: IEV-ATWS * CCX-XMTR * CCX-XMTR195 * ATW-MAN03

This core damage cutset involves an ATWS event with loss of main feedwater (IEV-ATWS) with common cause failure of multiple transmitters (CCX-XMTR * CCX-XMTR195) and failure of the operator to trip the reactor via PMS (ATW-MAN03). This cutset belongs to the sequence in which the PMS trip function fails and PRHR actuation fails (DAS is assumed to fail by definition of the sensitivity study).

The basic event CCX-XMTR is conservatively assumed to fail the pressurizer narrow range pressure signal and the steam generator narrow range level signals, which feed the automatic PMS trip functions credited for this event (low narrow range SG level and high pressurizer pressure trip functions) and feed the credited automatic actuation signal for the PRHR (low narrow range SG level coincident with low startup feedwater flow). This common cause failure event is also conservatively assumed to fail the wide range SG water level signal, even though diversity exists between the SG narrow range and SG wide range signals.

The CCX-XMTR195 failure event models failure of the pressurizer narrow range level signal, which fails the automatic PMS trip on high pressurizer level.

These sensor common cause failures must be fail-as-is failure modes, since failure high or low will lead to automatic PMS reactor trip.

Given common cause failure of the above sensors, the operator will still have the following indications available that will clearly define the need for reactor trip:

- Main feedwater flow signal / alarm
- Over temperature delta-T trip alarm (see NOTE below)
- High temperature alarms (hot leg temperature, Tavg)
- Rod control system response: in automatic mode, rods step in at high rate when Tavg begins to climb; in manual mode, a temperature deviation alarm is indicated
- Secondary side response: turbine runback / trip, generator trip

NOTE: Although the over temperature delta-T automatic PMS trip function is not credited in the PRA, this function will initiate a trip even in the presence of the fail-as-is failure mode of the pressurizer narrow range pressure signal.

If this automatic trip function were credited, it would take still another hardware failure (such as common cause failure of temperature signals) to fail to trip the reactor. Therefore, credit for this automatic trip function would reduce the associated cutsets by orders of magnitude.

Based on the above discussion, the operator is expected to recognize the need and trip the reactor given the I&C common cause failures currently modeled in the PRA.

Cutset #59: IEV-TRANS * CCX-TRNSM * IWX-XMTR * REN-MAN04

This core damage cutset starts with a transient with main feedwater initiating event (IEV-TRANS), followed by multiple transmitter common cause failures and failure of the operator to initiate IRWST recirculation. The basic event CCX-TRNSM represents failure of the main and startup feedwater flow sensors, and failure of other low differential pressure measurements such as component cooling water flow and service water flow. IWX-XMTR represents failure of the IRWST tank level sensors, and REN-MAN04 models the human error for manual IRWST recirculation.

The REN-MAN04 operator action is described as failure to recognize the need and failure to open the recirculation valves during a LOCA or transient event, given that the IRWST low-level signal fails, preventing automatic actuation of sump recirculation. In that regard, the I&C common cause failure of the IRWST level instrument has no impact on operator action REN-MAN04. The feedwater and other low differential pressure instrumentation has no impact on this operator action.

In performing this action, the cues used by the operator are high containment sump level, low reactor coolant system pressure, and awareness that IRWST injection was initiated (injection check valves indicating open position). Details on this operator action are provided in Section 30.6.36 of the PRA Revision 7.

PRA Revision: None.

720.374-2 W Westinghouse


Question: 720.380

The staff could not find in the PRA an explanation of the assumed common cause failure probability for the reactor trip breakers (failure to open). In Chapter 32 of the PRA (Data Analysis and Master Data Bank), the failure rate of PWR reactor trip breakers is listed to be 3E-3/d (page 32-13) while the common cause multiplier for a group of four breakers is listed as 6E-2 (page 32-27). This implies a much higher CCF probability for the reactor trip breakers than the 8.1E-6 value currently used in the AP600 PRA. On page 32-13, however, it is mentioned that a different failure rate was used in the PRA and that this was explained in Chapter 26 of the PRA. The staff was unable to find such explanation in Chapter 26. Please explain how the assumed CCF probability for the reactor trip breakers was calculated. Compare the calculated Also, please list the reasons the AP600 reactor trip breakers are assumed to be significantly more reliable than similar breakers in operating and evolutionary PWR reactor designs.


Response

The common cause failure probability of the PMS reactor trip breakers is based on information from IEEE-std-500 and the ALWR URD.

The failure rate for the reactor trip breaker is derived from IEEE-std-500. The failure rate for a molded case, 3-pole breaker is assumed, which is 1.2E-06/hr for all failure modes. To find the percentage of failure modes that correspond to the failure-to-open failure mode, an average of all breaker types in IEEE-std-500 for the fail-to-open/break current modes is calculated. This results in an approximate 10% apportionment of the total failure rate to the fail-to-open/break current failure mode. By assuming that the breakers are tested quarterly, the unavailability of a single breaker would be:

Unavailability = (total failure rate) * (10% of all failure modes) * T/2
               = (1.2E-06/hr) * (0.1) * 1095 hr
               = 1.3E-04

Using a beta factor of 0.06 from the ALWR URD for failure of 4/4 reactor trip breakers yields a common cause failure unavailability of 7.9E-06. This value for common cause failure of the reactor trip breakers was used in the proprietary PMS reactor trip model. In the non-proprietary version of that fault tree, higher level modules were developed to represent the detailed cutset combinations of the proprietary fault tree. The residual PMS trip unavailability was conservatively added to the common cause failure of the reactor trip breakers, since this event causes failure of both the automatic and manual trip of the PMS. This residual unavailability brings the total common cause failure of the reactor trip breakers to open to 8.1E-06/demand.

In order to verify the failure rate for the reactor trip breakers, an NPRDS search was performed for reactor trip breakers for Westinghouse plants over the last 10 years. The search focused on both the total failure rate and the failure-to-open failure mode for the breakers. The failure rates calculated from NPRDS support the values of total failure rate and percentage of failure modes used in the above unavailability calculation.
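The unavailability chain above, worked as Python. This is an added example, not part of the Westinghouse response or its proprietary fault tree; the numbers are the ones quoted in the response (IEEE-std-500 rate, 10% fail-to-open apportionment, quarterly test, ALWR URD beta of 0.06). The quarterly test interval is taken as 2190 hours so that T/2 is the 1095 hours used above. The exact time-averaged unavailability 1 - (1 - e^(-lambda*T))/(lambda*T) is not in the response; it is included to show how close the lambda*T/2 approximation is at these values. Function names are mine.

```python
"""Reactor trip breaker unavailability and beta-factor CCF (added example).

Reproduces the arithmetic of the 720.380 response; the exact-average
formula is an addition for comparison and is not used in the response.
"""
import math

# Quarterly test interval in hours (365 d * 24 h / 4); the response works
# with T/2 = 1095 h directly.
QUARTERLY_TEST_INTERVAL_HR = 2190.0


def mode_failure_rate(total_rate_per_hr, mode_fraction):
    """Failure rate apportioned to one failure mode (here: fail to open)."""
    return total_rate_per_hr * mode_fraction


def average_unavailability(rate_per_hr, test_interval_hr):
    """Time-averaged unavailability of a standby component whose failures
    are revealed only by a test every T hours: lambda * T / 2, the
    first-order approximation used in the response."""
    return rate_per_hr * test_interval_hr / 2.0


def exact_average_unavailability(rate_per_hr, test_interval_hr):
    """Exact time average of 1 - exp(-lambda*t) over one test interval,
    1 - (1 - exp(-lambda*T)) / (lambda*T); tends to lambda*T/2 for small
    lambda*T.  expm1 avoids cancellation in 1 - exp(-x) for small x."""
    x = rate_per_hr * test_interval_hr
    return 1.0 - (-math.expm1(-x)) / x


def beta_factor_ccf(single_unavailability, beta):
    """Beta-factor common cause model: a fraction beta of single-component
    failures is assumed to disable the whole group (here 4 of 4 breakers)."""
    return beta * single_unavailability


def reactor_trip_breaker_ccf(total_rate_per_hr=1.2e-6, fail_to_open_fraction=0.10,
                             test_interval_hr=QUARTERLY_TEST_INTERVAL_HR, beta=0.06):
    """Chain the steps of the response: per-mode rate -> single-breaker
    unavailability -> 4/4 common cause unavailability.
    Returns (single_breaker_unavailability, ccf_unavailability)."""
    lam = mode_failure_rate(total_rate_per_hr, fail_to_open_fraction)
    q_single = average_unavailability(lam, test_interval_hr)
    return q_single, beta_factor_ccf(q_single, beta)


if __name__ == "__main__":
    q_single, q_ccf = reactor_trip_breaker_ccf()
    q_exact = exact_average_unavailability(1.2e-7, QUARTERLY_TEST_INTERVAL_HR)
    print(f"single breaker fail-to-open unavailability: {q_single:.2e}")  # 1.31e-04
    print(f"4/4 breaker CCF unavailability (beta 0.06): {q_ccf:.2e}")     # 7.88e-06
    print(f"exact time average for comparison:          {q_exact:.5e}")
```

The residual PMS trip unavailability that the response folds into the same event to reach 8.1E-06/demand is not stated numerically, so it is not computed here.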


Comparing the AP600 PRA common cause failure of reactor trip breaker value to that used in an evolutionary PWR PRA shows that the AP600 PRA value is larger (worse) than that used by another vendor. In fact, in this case the evolutionary PWR PRA claims higher reliability for the entire primary trip system as compared to the common cause failure of reactor trip breakers value used in the AP600 PRA.

PRA Revision: None.


Question: 720.381

In Chapter 26 of the PRA (page 26-3) it is stated that "the value of 1.8E-06 failures/demand is used for mechanical failure of multiple rod cluster control assemblies to insert." Please explain why this failure does not appear in the submitted cutsets (for both baseline and focused PRA).


Response

Although the text in Chapter 26 discusses failure of rods to insert due to mechanical failure, this failure event is not modeled in the PRA. Due to an editorial oversight, this text, which was present in the Revision 0 PRA assessment, was not removed. The reason for not including mechanical failures of control/shutdown rods to insert is provided in subsection 6.5.2 of the AP600 PRA.

PRA Revision:

The following change to PRA Chapter 26 will be provided in Revision 10 of the AP600 PRA:

Section 26.1, page 26-2 (struck-through text is deleted):

Reactor Trip System: [Struck-through introductory paragraph dividing the reactor trip system into the reactor trip signal system and the control rod mechanism system; illegible in the scanned copy.]

Three reactor-trip-signal-related trees are developed in this section. These are RTPMS, RTPMSI, RTSTP. These trees, described later in this chapter, form the models that are used to evaluate the availability of the reactor trip system to shut the reactor down in a swift and safe manner.

[Struck-through text, largely illegible in the scanned copy: the description of the control rod drive mechanism and the assessment behind the statement quoted in the question, ending "... the value 1.8E-06 failures/demand is used for mechanical failure of multiple rod cluster control assemblies to insert."]


Question: 720.384

The staff has asked Westinghouse (RAIs #2808 and #3258 in OITS and during the June 25, 1996, meeting) to explain how the contributions of spurious ADS valve actuations to the various LOCA initiating event frequencies were calculated. Westinghouse responded by (1) summarily describing a general approach for calculating the frequency of spurious actuation of ADS valves due to faults in I&C systems and (2) indicating that the requested information is provided in Chapters 3 and 26. However, the staff are still unable to find in the PRA adequate documentation explaining how the reported contributions to LOCA initiating event frequencies (i.e., 1.8E-8/yr to the intermediate LOCA, 1.1E-8/yr to the medium LOCA and 5.4E-5/yr to the large LOCA) were derived. Please explain. Also, please list the reason(s) the frequency of spurious actuation (by PMS or DAS) of two stage #4 ADS squib valves (which according to the criteria reported in Table 3-2 of PRA contributes to a large LOCA) is much higher than the frequency of spurious actuation of only one stage #4 squib valve (which contributes to the medium LOCA initiating event frequency).

Response

Chapter 3, section 3.5 includes a clear summary of the calculation for spurious ADS actuation due to valve failures, including failures during test. The details of the I&C assessment for spurious ADS actuation are referred to Chapter 26 of the PRA. Since some of the design details and data points were determined to be proprietary, the details of the I&C assessment were removed from the submitted version of the PRA. Since adequate details concerning the valve failures have been presented in the PRA, this discussion focuses on the details of the I&C assessment for spurious ADS actuation.

Fault tree ADS-IC83 models the failure logic in which the protection and safety monitoring system (PMS) could cause any line of the automatic depressurization system (ADS) to spuriously open. Quantifying this fault tree model yields a yearly spurious failure frequency of 4.41E-05/year. The diverse actuation system (DAS) also provides a means of manually actuating the ADS. The DAS yearly spurious failure frequency is estimated at 1.0E-05/year.

These total yearly spurious failure frequencies include events that result in one of three LOCA cases: intermediate LOCA (NLOCA), medium LOCA (MLOCA), or large LOCA (LLOCA). Table 3-2 in Chapter 3 of the PRA contains a list of the different ADS spurious line opening combinations and the LOCA category to which each of these failure scenarios belongs. The following approach is used to determine the yearly frequencies of each of the three LOCA cases for either I&C system causing spurious actuation of the ADS.

Method

The method for apportioning the total yearly spurious failure frequencies is as follows:

1. Apportion the PMS yearly spurious failure frequency to each of the three LOCA cases.
   a. Postulate the different failure modes of the system and document the effect of the failure in terms of the number of ADS lines that could open due to the failure.
   b. Inspect the cutsets of the ADS-IC83 fault tree model and assign each cutset to the failure modes determined in the previous step.
   c. Sum each of the failure modes' cutsets and assign those subtotals to the appropriate LOCA case as described in Table 3-2 in Chapter 3 of the PRA.
2. Assign the estimated DAS total yearly spurious failure frequency based upon the system specifications for avoiding spurious failures.
3. Apportion the DAS total yearly spurious failure frequency to the different LOCA cases using the same percentage breakdown as in the PMS system.
4. Sum the PMS and DAS yearly spurious failure frequency for each LOCA case to find the total I&C contribution to yearly spurious failure frequency.

Apportion the PMS yearly spurious failure frequency to each of the three LOCA cases

The method for assessing the I&C frequency of ADS actuation is similar to an FMEA approach in the sense that the effects of the different failure modes are categorized by the number and type of ADS lines that open. The fault tree that models the spurious failure logic, ADS-IC83, is then inspected, and cutsets are grouped according to the appropriate scenario. These scenarios are then assigned to the appropriate LOCA events as part of the initiating event frequency.

The following failure scenarios are postulated for the PMS as causing spurious ADS actuation. The PMS yearly spurious failure rates are calculated as follows:

1. Failure Causes: Multiple sensor failures, multiple Process Cabinet (Integrated Protection Cabinet ESF subsystems) failures, common mode failure of software.
   Failure Effect: All stages, all lines (LLOCA)
   Assumptions:
   a. All common mode software failures lead to the initiation of the ADS sequence, and therefore are included in the LLOCA event.
   b. The PMS manual signal path is assumed to be much more reliable than the automatic signal paths and is not modeled.

2. Failure Cause: Failures of actuation logic or protection logic output groups within Train A (not including output card failures)
   Failure Effect: The following ADS lines may open: stage 1 line 1, stage 3 line 1, stage 4 line 1, and stage 4 line 3. Plant effect is a LLOCA event.
   Assumption: Failures in a given output logic cabinet will cause all of the valves in the associated division to open.

3. Failure Cause: Failures of actuation logic or protection logic output groups within Train B (not including output card failures)
   Failure Effect: The following ADS lines may open: stage 1 line 2, stage 3 line 2, stage 4 line 2, and stage 4 line 4. Plant effect is a LLOCA event.
   Assumption: Failures in a given output logic cabinet will cause all of the valves in the associated division to open.

4. Failure Cause: Failures of actuation logic or protection logic output groups within Train C (not including output card failures)
   Failure Effect: The following ADS lines may open: stage 2 line 1, stage 4 line 1, and stage 4 line 3. Plant effect is a LLOCA event.
   Assumption: Failures in a given output logic cabinet will cause all of the valves in the associated division to open.

5. Failure Cause: Failures of actuation logic or protection logic output groups within Train D (not including output card failures)
   Failure Effect: The following ADS lines may open: stage 2 line 2, stage 4 line 2, and stage 4 line 4. Plant effect is a LLOCA event.
   Assumption: Failures in a given output logic cabinet will cause all of the valves in the associated division to open.

6. Failure Cause: Multiple output driver card failures causing the two series MOVs in either line of stage 1 to open.
   Failure Effect: Single stage 1 line opens (NLOCA)

7. Failure Cause: Multiple output driver card failures causing the two series MOVs in either line of stage 2 or stage 3 to open.
   Failure Effect: Single stage 2 or stage 3 line opens (MLOCA)

8. Failure Cause: Multiple output driver card failures causing a single squib valve in stage 4 to open.
   Failure Effect: Single line in stage 4 opens (MLOCA)
   Assumptions: It is assumed that, for each squib valve, there are two divisions that could cause the squib valve to actuate. For each division's actuate signal, two separate signals are required to actuate a squib valve. The two separate signals are assumed to come from separate and diverse boards (e.g., a power interface board and a contact closure board). For this assessment, the same data is used for each output board.

The cutsets show that the common cause software events, IPC cabinet failure combinations, sensor failure combinations, and output logic group cabinet failures dominate the results. Since all of these failure modes lead to the LLOCA event, the LLOCA case dominates the results. Only a few cutsets involving multiple random failures represent failures in which only one ADS line spuriously opens.

Calculate the estimated DAS total yearly spurious failure frequency

The DAS provides a manual means for actuating the ADS. The DAS is designed such that no single credible failure shall cause an inadvertent reactor trip or inadvertent ESF safeguards actuation. Additionally, the switches used for the diverse actuation system manual actuation shall be protected from accidental operation. Based on these specifications and based upon the calculated frequency of the automatic PMS ADS actuation function, the DAS manual spurious failure frequency is conservatively assigned to be 1.0E-5/yr. All of the DAS spurious failure frequency is lumped into the LLOCA event.


Results

Based upon the above discussion, the I&C spurious failure frequencies are apportioned as follows.

Event   I&C failure scenarios   PMS spurious failure frequency   Manual DAS spurious failure frequency   Total I&C spurious failure frequency
LLOCA   1, 2, 3, 4, and 5       4.4E-05/year                     1.0E-05/year                            5.4E-05/year
MLOCA   7 and 8                 1.1E-08/year                     (none)                                  1.1E-08/year
NLOCA   6                       1.8E-09/year                     (none)                                  1.8E-09/year

The Large LOCA event accounts for most of the failure frequency because all failure combinations involving inputs to the actuation logic (sensors, Integrated Protection Cabinet ESF subsystem hardware and ESF Actuation Cabinet hardware), and failures of software, could cause the ADS sequence to be initiated, or could open multiple lines of ADS. Also, failures of protection logic cabinets are assumed to cause a Large LOCA since these cabinets are responsible for actuating multiple valves. The failure events that would cause single lines to actuate are limited to the multiple random failures that would open the series MOVs in stages 1, 2 or 3, or the multiple random output card failures that would cause a single squib valve in stage 4 to open.

The details of this analysis, including the data inputs to the fault tree analysis and the resulting cutsets, are documented in a Westinghouse proprietary calculation note.
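The apportioning procedure of this response (Method steps 1 through 4 and the Results table above), worked as Python. This is an added example, not the Westinghouse calculation: the ADS-IC83 cutsets and data are proprietary, so the cutset list, basic-event names and frequencies below are constructed for illustration and chosen so that the PMS column of the Results table is reproduced. The scenario numbers and the scenario-to-LOCA assignment are the ones given in the response. Step 3 is implemented both as the Method text states it (DAS total split in the same percentage breakdown as the PMS) and as the Results section applies it (all of the DAS frequency lumped into the Large LOCA), so that the effect of that choice on the MLOCA and NLOCA totals is visible.

```python
"""Apportioning I&C-caused spurious ADS actuation to LOCA cases (added example)."""
from collections import defaultdict

# Scenario numbering from the 720.384 response and the LOCA case each one
# maps to via PRA Table 3-2 (which lines open -> which LOCA category).
SCENARIO_TO_LOCA = {
    1: "LLOCA",  # sensors / IPC ESF subsystems / software CMF: all stages, all lines
    2: "LLOCA",  # Train A output logic group: stage 1/3 line 1, stage 4 lines 1 and 3
    3: "LLOCA",  # Train B output logic group
    4: "LLOCA",  # Train C output logic group
    5: "LLOCA",  # Train D output logic group
    6: "NLOCA",  # both series MOVs of one stage 1 line (output driver cards)
    7: "MLOCA",  # both series MOVs of one stage 2 or stage 3 line
    8: "MLOCA",  # one stage 4 squib valve (two driver cards of one division)
}

# Constructed cutsets: (basic events, frequency per year, scenario assigned
# by inspection in step 1b).  Event names and frequencies are made up for
# this example; they are not ADS-IC83 output.
CONSTRUCTED_CUTSETS = [
    (("SW-CMF",), 2.5e-5, 1),
    (("IPC-A-ESF", "IPC-B-ESF"), 8.0e-6, 1),
    (("XMTR-PZR-1", "XMTR-PZR-2"), 5.0e-6, 1),
    (("OLG-A",), 1.5e-6, 2),
    (("OLG-B",), 1.5e-6, 3),
    (("OLG-C",), 1.5e-6, 4),
    (("OLG-D",), 1.5e-6, 5),
    (("CARD-S1L1-A", "CARD-S1L1-B"), 1.8e-9, 6),
    (("CARD-S2L1-A", "CARD-S2L1-B"), 6.0e-9, 7),
    (("PIB-S4L1-A", "CCB-S4L1-A"), 5.0e-9, 8),
]

DAS_TOTAL_PER_YEAR = 1.0e-5  # DAS manual spurious frequency assigned in step 2


def apportion_pms(cutsets, scenario_to_loca=SCENARIO_TO_LOCA):
    """Step 1c: sum cutset frequencies per scenario, then roll the
    scenario subtotals up to the LOCA case Table 3-2 assigns them."""
    per_scenario = defaultdict(float)
    for _events, freq, scenario in cutsets:
        per_scenario[scenario] += freq
    per_loca = defaultdict(float)
    for scenario, freq in per_scenario.items():
        per_loca[scenario_to_loca[scenario]] += freq
    return dict(per_loca)


def apportion_das(das_total, pms_per_loca, lump_into_lloca):
    """Step 3 two ways: as the Method text says (same percentage breakdown
    as the PMS) or as the Results section applies it (all DAS frequency
    assigned to the Large LOCA)."""
    if lump_into_lloca:
        return {loca: (das_total if loca == "LLOCA" else 0.0) for loca in pms_per_loca}
    pms_total = sum(pms_per_loca.values())
    return {loca: das_total * f / pms_total for loca, f in pms_per_loca.items()}


def ic_contribution(cutsets=CONSTRUCTED_CUTSETS, das_total=DAS_TOTAL_PER_YEAR,
                    lump_das_into_lloca=True):
    """Step 4: PMS plus DAS per LOCA case, in events per year."""
    pms = apportion_pms(cutsets)
    das = apportion_das(das_total, pms, lump_das_into_lloca)
    return {loca: pms[loca] + das[loca] for loca in pms}


if __name__ == "__main__":
    for lump in (True, False):
        print("DAS lumped into LLOCA:" if lump else "DAS split like PMS:")
        for loca, f in sorted(ic_contribution(lump_das_into_lloca=lump).items()):
            print(f"  {loca}: {f:.1e}/year")
```

With the constructed cutsets the lumped variant gives the Results table (5.4E-05, 1.1E-08, 1.8E-09 per year); the proportional variant moves a few E-09/year of the DAS total into MLOCA and NLOCA, which is why, at the two significant figures of the table, only the MLOCA row would change.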

PRA Revision: None.


Question: 720.385

In addition to I&C faults, electrical faults (e.g., hot shorts in cables somewhere between a protection logic cabinet and the operator of a squib valve) can cause spurious operation of squib valves. EPRI's Utility Requirements Document (pages A.A-12 and A.A-19; Revision 5.6) recommends a spurious actuation failure rate for explosive (squib) valves of 4E-7/hr. Please explain why this failure mechanism was not considered in the AP600 PRA.

Response


It is not clear what failure mechanisms are considered in the ALWR URD data for spurious operation of squib valves. It appears that the failure rate was derived from zero failures over a number of operating hours, which does not provide useful information regarding failure mechanisms to be considered in the assessment.

Regarding hot shorts in electrical cables, it is believed that fires would be the most probable cause of hot shorts in electrical cables, and Westinghouse has included explicit treatment of these fire-induced hot shorts of electrical cables in the fire assessment. Other hot short failure mechanisms, such as insulation degradation or mechanical damage to insulation, are expected to be very low frequency events for nuclear plant safety-grade cabling. However, it is assumed that the design for ADS cabling will include features that would further minimize the probability that hot shorts could actuate the ADS squib valves. It is expected that multiple cable shorts would need to occur in order for the potential for a spurious squib valve actuation to exist. Multiple cable shorts, except in the case of fire, are assessed to be extremely unlikely events and would not impact the LOCA initiating event frequencies.

PRA Revision: None.
