ML20128L858

Revision as of 20:53, 7 July 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
Chapter 3 of Westinghouse RSAR, Plant Sys Analysis
Site: 05000601
Issue date: 06/28/1985
From: WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
Shared Package: ML19304B194
References: NUDOCS 8507110476
Download: ML20128L858 (166)


Text


3.0 PLANT SYSTEMS ANALYSIS

In this section, plant systems and operator action failure probabilities are quantified. For this purpose, fault tree analysis is used whenever applicable.

3.1 ON-SITE EMERGENCY POWER

3.1.1 SYSTEM DESCRIPTION

The On-site Emergency Power System is a major support system which supplies power to most front-line systems. It is required to ensure safe plant shutdown or to mitigate the effects of some postulated accidents. The on-site emergency power distribution system supplies power to all critical loads whether or not offsite power is available.

Normally, power is supplied by the plant generator. In the event of a unit trip (i.e., turbine, reactor or generator trip), offsite power becomes the power supply. Upon loss of all offsite power sources, the on-site emergency diesel generators supply power directly to both emergency buses.

The on-site emergency power supply is a self-contained system located within the plant. The emergency supply is comprised of two totally independent, diesel-driven generators. Each emergency generator is dedicated to one of the two emergency buses and provides power to all emergency safety feature equipment and essential loads on that bus. Both diesels are fast started automatically and can accept loads within ten seconds of a loss of offsite power or receipt of an accident signal. The accident signal starts the diesel generators in anticipation of a possible loss of offsite power during or after the accident, but the diesels are not connected to the buses unless the preferred offsite source is lost.

3.1.2 FAULT TREE ANALYSIS

The fault tree for this analysis of the on-site emergency power system is shown in Figure 3.1-1. This section addresses the methods and calculations utilized in the analysis.

APWR-PSS 3.1-1 June, 1985

3.1.2.1 SUCCESS CRITERIA

The On-site Emergency Power System was modeled to determine the unavailability of power at the two emergency buses A and B. The system was modeled in terms of its response to a complete loss of offsite power. Success is the availability of one of the two buses.

3.1.2.2 DEPENDENCE ON SUPPORT STATES

Loss of on-site emergency power, both the loss of both buses and the loss of one bus cases, is modeled within the support states, since AC power is a support system.

3.1.2.3 FAILURE MODEL

Loss of power on an emergency bus is dominated by failure of the diesel generator to start, load or run for the mission time following loss of offsite power. The diesel generators to be used in this design will have at least 97% availability upon demand and during the mission time. Thus the failure probability for loss of power on one emergency bus is [ ] (a,c). Of this value, [ ] (a,c) is attributed to diesel generator unavailability due to maintenance. This unavailability implies that each diesel generator will be in maintenance for [ ] (a,c) hours a year. The random failures due to all causes are assumed to sum to [ ] (a,c).

The fault tree for this analysis appears in Figure 3.1-1. The tree is quantified as presented in Section 3.1.3.1. Although no attempt was made to quantify the lower branches that appear on the fault tree, they were included for the purpose of illustration.

3.1.2.3.1 RANDOM FAILURE MODEL

As discussed, the portion of the [ ] (a,c) unavailability of one emergency bus attributed primarily to the random failure of the bus is [ ] (a,c).


3.1.2.3.2 COMMON CAUSE MODEL

The common cause analysis was developed by using the Beta Factor method described in the guidelines, Appendix 3B.

The common cause calculation for failure of two diesel generators to start and run is as follows:

CCF DG start and run = β Q_T = [ ] (a,c)

3.1.2.3.3 TEST MODEL

Each diesel generator is tested monthly on a staggered basis so that one of the two diesel generators is tested every two weeks.

Operational tests are performed during plant refueling shutdowns. These tests consist of diesel generator fast start and sequential loading in response to simulated accident and loss of offsite power signals. All protective relays, circuit breakers, load shedding devices and associated equipment are tested.

The diesel generators are not unavailable during these tests.

3.1.2.3.4 MAINTENANCE MODEL

No maintenance is scheduled for the on-site emergency power system during normal reactor operation. Most preventative maintenance is performed during plant refueling outages. Unscheduled maintenance on the diesel generators may take place when problems are discovered during periodic testing. Minor preventative maintenance may be performed when the diesels are taken out of service, but it is assumed that the duration of the maintenance event will not be extended due to preventative activities.

As discussed, the portion of the [ ] (a,c) unavailability of one emergency bus attributed to unscheduled maintenance of one diesel generator is [ ] (a,c).

3.1.2.3.5 HUMAN ERROR MODEL

Due to the high degree of protective instrumentation and operator awareness of diesel importance, it has been assumed that there are no human errors which could lead to component unavailability in the on-site emergency power system.

As mentioned previously, there is no scheduled maintenance. Most preventative maintenance is performed during the scheduled plant refueling outages and unscheduled maintenance is performed only when periodic testing reveals component failure. It is further felt that the failure data for system components implicitly includes contributions from operation errors, and explicit treatment is therefore not necessary.

All diesel generator testing is performed from the control room. Upon completion of the start and run test, the operator secures the diesel generator. The control switch, when released, returns to the normal auto-start position, allowing the diesel to be fast started automatically in the event of an emergency. Any switch failure would be alarmed immediately, as would any other condition adversely affecting diesel generator operation.

Unscheduled maintenance may be required if the results of monthly testing of the diesel generators are unsatisfactory. Upon completion of the repair, the diesel generator would be run for one hour at full load. This test is also performed from the control room as described previously.

3.1.2.3.6 INPUT DATA

The data used in this analysis was taken from the discussion presented in Section 3.1.2.3.1.

3.1.3 FAULT TREE QUANTIFICATION

The following sections describe the results of the quantification of the on-site emergency power system unavailability.

3.1.3.1 SYSTEM UNAVAILABILITY CALCULATIONS

For the loss of both buses case, the system was quantified by hand as follows:

Q_system = Q_busA × Q_busB + Q_ccf = [ ] (a,c)

For the loss of one bus case, the system unavailability is simply [ ] (a,c).

In both calculations the value obtained (mean) was squared to obtain an estimate of variance.

3.1.3.2 DOMINANT CUTSETS

For the loss of both buses case, the system failure is dominated by common cause failure of both emergency buses; approximately [ ] (a,c) percent.

For the loss of one bus case, the system is dominated by loss of power of the emergency bus due to random faults; approximately [ ] (a,c) percent.

FIGURE 3.1-2 ADVANCED PRESSURIZED WATER REACTOR PROBABILISTIC SAFETY STUDY, ONSITE EMERGENCY POWER SYSTEM (PROPRIETARY) [fault tree drawing not reproduced in the scanned text]

3.2 INTEGRATED PROTECTION SYSTEM

3.2.1 SYSTEM DESCRIPTION

3.2.1.1 INTEGRATED PROTECTION SYSTEM

The Integrated Protection System (IPS) is structured of four divisions consisting of cabinets, electronics and other equipment that provide for protection of the plant. The IPS includes the equipment from processor input circuitry and manual actuation switch input circuitry through to the power switching devices that actuate the various component actuation devices controlled by the IPS. A supply of power from the 120 VAC vital bus is required for the IPS to function.

3.2.1.2 VITAL BUS SYSTEM

The 120 VAC Bus System is a safety related, regulated 120 VAC support system. It supplies control and instrument power to the plant protection systems.

The 120 VAC vital bus system normally uses offsite and on-site AC power from the main electric power system but can function independently upon loss of these normal power supplies via the battery and associated inverter.

The 120 VAC vital bus system is divided into four separate channels. The 120 VAC vital bus of each channel receives power from its own solid state inverter through a high speed static transfer switch. The primary source of power to each inverter is from a separate 480 VAC emergency bus through a rectifier.

Upon loss of rectifier output, a secondary DC supply to the inverter is immediately available. This supply is from the associated 125 VDC static battery charger and/or battery. Additionally, on loss of inverter output power, the high speed static switch automatically transfers a tertiary source of regulated 120 VAC power to the vital bus. This alternate source is provided from a second 480 VAC emergency bus through a 480 V to 120 V stepdown and regulating transformer.


Each vital bus or channel provides a unique source of power to its corresponding Engineered Safeguards Features (ESF) cabinet or Emergency Generator Loading Sequencer (EGLS) cabinet. Thus, total failure of the vital bus system is defined as loss of 120 VAC power to both trains in the ESF actuation and EGLS systems.

The loss of 125 VDC does not cause a direct loss of IPS divisions, but is equivalent to such a loss because it prevents actuation of components.

The voltage of each 120 VAC vital bus is continuously monitored and displayed in the control room. An alarm is sounded in the control room upon a change of state in the static transfer switch due to loss of inverter output.

3.2.2 ANALYSIS AND RESULTS

These systems were not analyzed specifically for this study; however, Westinghouse in-house studies provide information useful in this instance.

These in-house studies indicate the Integrated Protection System / Vital Bus System unavailability value for failure of four IPS Divisions to be [ ] (a,c).

The dominant contributor to unavailability of the Integrated Protection System / Vital Bus System is the unavailability of 120 VAC vital bus power, contributing approximately 97%.


3.3 SERVICE WATER-COMPONENT COOLING WATER SYSTEM

3.3.1 SYSTEM DESCRIPTION

The Service Water-Component Cooling Water (SW-CCW) system analyzed in this study utilizes a body of water such as a river, lake, or ocean as the ultimate heat sink. There are no cooling towers, fans, basins, etc. in the system.

The SW-CCW system consists of four service water pumps and four component cooling water pumps connected in two trains, i.e., A and B pumps feed one set of heat loads and C and D pumps feed a second set of heat loads. The service water trains feed separate headers, therefore service water pumps A or B can feed either component cooling water HX A or B or both. The same situation applies to SW and CCW pumps C and D. The service water trains draw water from and return it to the body of water which is the ultimate heat sink for the system.

Service water pumps A and B feed through a single strainer as do trains C and D through their own single strainer. A standby strainer is provided for each pair of pumps. Differential pressure gauges are provided across each of the four strainers to indicate the degree of cleanliness of the strainers during operation. In the event the differential pressure indication approaches the specified limit, the standby strainer may be manually valved into service. The operating strainer may be manually valved out and back flushed for cleaning.

During normal reactor operation, with all AC power available, one CCW pump, one CCW heat exchanger, one SW pump and associated equipment and one SW strainer will be operating for each train, i.e., two of four CCW pumps, two of four heat exchangers, two of four service water pumps and two of four service water strainers. An equal number of components are in standby. For purposes of discussion, as well as the construction of the fault trees, CCW pumps A and C, heat exchangers A and C, service water pumps A and C and service water strainers A and C are assumed to be operating with components B and D in standby. Standby components are modeled to start and operate.


Under conditions of loss of offsite power and diesel generator(s) startup, the operating pumps stop and must restart. Under conditions of loss of one bus, the operating pumps stop and must restart when the diesel generator starts.

SW-CCW system emergency operation requires the isolation of certain normal operation heat loads and the assumption of others (see Table 3.3-1). The heat loads are redundant and are divided between the two SW-CCW subsystems. Group 1 heat loads correspond to components A and B and Group 2 loads correspond to components C and D.

A simplified flow diagram of the Service Water-Component Cooling Water system appears in Figure 3.3-1.

3.3.2 FAULT TREE ANALYSIS

The fault tree analysis of the SW-CCW was performed in accordance with the guidelines of Section 3.10. The fault tree developed for the unavailability of both trains with offsite power available is presented in Figure 3.3-2 (SW-CCW). The system components are listed in Table 3.3-2.

The unavailability of both trains in conjunction with the loss of offsite power, which requires running pumps to stop and restart, is also studied.

To simplify the fault trees, subtree transfer techniques have been used which have created cutsets that are physically impossible. This is conservative since these cutsets do not exist in reality. These cutsets have been removed from the lists of dominant contributors, although the values of these cutsets have not been removed from the unavailability values obtained from the quantifications.

The remainder of this section addresses the methods and calculations utilized in the analysis.


3.3.2.1 Success Criteria

The success criteria of the Service Water-Component Cooling Water system are affected by whether or not the non-emergency heat loads are isolated. In the event all non-emergency heat loads are isolated, the following success criteria apply:

Either the Group 1 or Group 2 heat loads must receive adequate flow. Either one of the two component cooling water pumps with its associated heat exchanger can provide adequate flow. One service water pump and one service water strainer are adequate.

In the event all non-emergency heat loads are not removed, the following success criteria apply:

Either the Group 1 or Group 2 heat loads must receive adequate flow. If only one group is receiving flow and one of the heat loads in that group fails to isolate, then two CCW pumps and their associated heat exchangers must provide adequate, cooled flow. One SW pump and strainer supplying these two CCW heat exchangers are adequate for this case.

Further information about the heat and flow loads to be isolated and those to be valved in is detailed in Table 3.3-1.

3.3.2.2 Dependence on Support States

The Service Water-Component Cooling Water system depends only on AC power for system operation. The offsite AC power available, loss of offsite power with on-site AC power, loss of one bus and no power available cases have been analyzed. The SW-CCW is modeled and used as a support system itself. Refer to Sections 4.1.2 and 4.2.2 for calculations of support state split fractions.

3.3.2.3 Random Failure Model

The following assumptions were utilized in the development of the fault tree for this analysis:

1. During normal reactor operation, with all AC power available, at least two pumps will be operating. It is assumed for the analysis that SW-CCW trains A and C are running and B and D are in standby. The SW-CCW mission time is assumed to be 24 hours.

2. During reactor operation with loss of offsite power, the operating pumps are assumed to stop and to require restart.

3. During reactor operation with loss of one bus, the operating pumps are assumed to stop and to require restart.

4. The heat exchangers and block valves that interface with dependent emergency systems, such as motor cooling, are not included in this analysis, but are included in the analyses of these dependent systems.

5. The heat exchangers and block valves for non-emergency systems are included in this analysis since their failure to isolate adversely impacts the SW-CCW system. This is very conservative since it takes no credit for operator isolation of non-essential loads.

6. Manual switchover from an operating SW strainer to a standby strainer in the event the operating strainer becomes clogged is modeled on the basis that the clogging will be relatively gradual, detectable and that action will be feasible within the twenty-four hour mission time.

7. No credit is taken for the fact that the Residual Heat Removal system does not need SW-CCW cooling flow for long term cooling for at least the first one-half hour into the emergency and possibly much longer.

3.3.2.4 Common Cause Analysis

The common cause analysis of the SW-CCW system addresses potential common cause failures between the a) standby SW pumps; b) normally running SW pumps; c) standby CCW heat exchanger motor-operated valves; d) standby CCW pumps; e) operating CCW pumps; f) standby SW strainers; g) operating SW strainers; h) each pair of motor-operated valves for non-essential heat loads. In those cases where the normally running pumps stop and must restart, the common cause calculations assume that all 8 CCW and SW pumps are standby pumps and need to be started. (Human error common cause failure is discussed in Section 3.3.2.6.)

Calculations:

The random failure unavailability and beta factors are the same for both the service water pumps and component cooling water pumps, so a single calculation will serve for both component types.

1. CCF calculation for standby SW and CCW pumps:

CCF SW-CCW start and run = β Q_T = 0.1 × 2.81E-03 = 2.81E-04

2. CCF calculation for operating SW and CCW pumps:

CCF SW-CCW run = β Q_T = 0.1 × 1.40E-03 = 1.40E-04

3. CCF calculation for motor-operated valves:

CCF MOV open = β Q_T = 0.1 × 5.77E-03 = 5.77E-04

4. CCF calculation for operating SW strainers:

CCF strainer operating = β Q_T = 0.1 × 7.20E-04 = 7.20E-05

5. CCF calculation for standby SW strainers:

CCF strainer standby = β Q_T = 0.1 × 7.20E-04 = 2.95E-05

6. CCF calculation for operating and standby SW and CCW pumps restart and start and run (one of four success criteria):

CCF all SW-CCW start and run = 6 β Q_T³ + 4 (β/5) Q_T² + (β/10) Q_T
= 6(0.1)(2.81E-03)³ + 4(0.1/5)(2.81E-03)² + (0.1/10)(2.81E-03)
= 2.87E-05

The values were entered at the appropriate points in the fault tree. The methodology used and the beta factors and their development are described in Appendix 3B.

7. The common cause failure of the isolation of the non-essential heat loads is estimated separately below. The contribution of the dominant cutsets resulting from this failure is added to the unavailability calculated by the fault tree analysis. Note that this failure has not been modeled in the fault tree.

For each set of motor-operated valves used in isolation of the heat loads, a common cause failure of q = β Q_MOV = 0.1 (5.77 × 10^-3) = 5.8 × 10^-4.

For two such sets of valves, the total failure of isolating any of the non-essential loads is q = 2 × 5.8 × 10^-4 = 1.2 × 10^-3. Note that isolation of the heat loads to RCP motors is not included since there are two sets of two valves for isolation of that non-essential load.
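The beta-factor arithmetic of Section 3.3.2.4 above and the two-bus sum of Section 3.1.3.1, carried through as an added Python example (it is not part of the Westinghouse report). The beta factor, the Q_T values and the four-pump expression are the page's own; the combinatorial reading of that expression (6 pairs, 4 triples, one four-way event) and the two-bus input values are assumptions made here.

```python
"""Beta-factor common cause failure (CCF) arithmetic from Sections 3.1.3.1 and
3.3.2.4, worked out in code.  Added example, not part of the Westinghouse report.
The beta factor (0.1), the pump, MOV and strainer Q_T values and the four-pump
expression are the ones printed in Section 3.3.2.4; the two-bus inputs below are
constructed from the "at least 97% availability" statement in Section 3.1.2.3."""
from math import comb

BETA = 0.1  # beta factor used throughout Section 3.3.2.4


def ccf_pair(beta: float, q_t: float) -> float:
    """Beta-factor CCF for a redundant pair: the fraction beta of a component's
    total unavailability Q_T that is taken to fail both components together."""
    return beta * q_t


def ccf_all_four(beta: float, q_t: float) -> dict:
    """All four of four components fail (the 'one of four' success criterion),
    evaluated term by term from the page's expression
        6*beta*Q^3 + 4*(beta/5)*Q^2 + (beta/10)*Q.
    Reading of the terms (editor's interpretation, not stated on the page):
    C(4,2)=6 pairs fail by CCF (beta*Q) while the other two fail independently
    (Q^2); C(4,3)=4 triples fail by CCF with the page's triple factor beta/5
    while the last one fails independently (Q); and one four-way CCF with the
    page's factor beta/10."""
    terms = {
        "pair_ccf_plus_two_independent": comb(4, 2) * (beta * q_t) * q_t ** 2,
        "triple_ccf_plus_one_independent": comb(4, 3) * (beta / 5 * q_t) * q_t,
        "four_way_ccf": (beta / 10) * q_t,
    }
    terms["total"] = sum(terms.values())
    return terms


def isolation_ccf(beta: float, q_mov: float, n_sets: int) -> float:
    """Item 7: each MOV isolation set fails by CCF with probability beta*Q_MOV;
    the sets are summed because failure of any one set defeats isolation."""
    return n_sets * ccf_pair(beta, q_mov)


def two_bus_unavailability(q_bus_a: float, q_bus_b: float, q_ccf: float) -> tuple:
    """Section 3.1.3.1: loss of both emergency buses is the independent loss of
    both plus the common cause term; the page estimates variance as mean squared."""
    mean = q_bus_a * q_bus_b + q_ccf
    return mean, mean ** 2


def section_3_3_2_4() -> dict:
    """The numbered calculations of Section 3.3.2.4 with the page's inputs."""
    four = ccf_all_four(BETA, 2.81e-3)
    return {
        "pumps_start_and_run": ccf_pair(BETA, 2.81e-3),   # page: 2.81E-04
        "pumps_run": ccf_pair(BETA, 1.40e-3),             # page: 1.40E-04
        "mov_open": ccf_pair(BETA, 5.77e-3),              # page: 5.77E-04
        "strainer_operating": ccf_pair(BETA, 7.20e-4),    # page: 7.20E-05
        "all_four_pumps": four["total"],                  # page: 2.87E-05
        # share of the four-pump result carried by the four-way CCF term alone
        "four_way_share": four["four_way_ccf"] / four["total"],
        "isolation_two_sets": isolation_ccf(BETA, 5.77e-3, 2),  # page: 1.2E-03
    }


def two_bus_example() -> tuple:
    """Constructed inputs (assumption, not page values): a 3% per-bus
    unavailability taken from the page's 'at least 97% availability', and a
    pairwise CCF of beta times that value."""
    q_bus = 0.03
    return two_bus_unavailability(q_bus, q_bus, ccf_pair(BETA, q_bus))


if __name__ == "__main__":
    for name, value in section_3_3_2_4().items():
        print(f"{name:32s} {value:.3e}")
    mean, var = two_bus_example()
    print(f"two-bus mean {mean:.3e}, variance estimate {var:.3e}")
```

Running it shows why Section 3.3.3.2-style dominance arises: the single four-way CCF term supplies almost 98% of the four-pump result, so the pairwise and triple terms barely move the answer.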

3.3.2.5 Test and Maintenance Model

Testing of components is not modeled because any test would not render the system inoperative. In addition, two of the four SW-CCW trains are running, on an alternating basis, during normal reactor operation.

Unavailability due to maintenance is included for the standby SW-CCW trains. The methodology used and the quantification are contained in Appendix 3B.

3.3.2.6 Human Error Model

The Service Water-Component Cooling Water system has two of the four trains operating on an alternating basis during normal reactor operation, and the isolation of various loads as well as the startup of the standby trains during an emergency is automatic. The system is generally not subject to human errors of omission or commission.

The possibility of the clogging of an operating strainer is modeled along with those operations necessary to switch over to the standby strainer. The switchover operations modeling includes unavailability due to human errors.

The human error unavailability values were entered at the appropriate points in the fault tree. The methodology used and the unavailability values development are described in Appendix 39.

3.3.2.7 INPUT DATA

The component failure rate data used in these analyses was taken from the WAPWR master databank (SIMON.DATA, Appendix 3B). This master data was supplemented by the common cause failure calculations specific to these analyses.

The following assumptions were made regarding data:

Service water pump failure rates are based upon clear fluid service and may or may not apply to seawater service.

Strainer failure rates are also based upon freshwater service and again may or may not apply to seawater.

Three different sets of input data were utilized for quantification, assuming system symmetry on the two power buses. The variables were the availability of 4160 VAC buses as follows: 1) offsite power available; 2) loss of offsite power; 3) loss of one (either) power bus; and 4) loss of all AC electric power (both buses).

An input listing of component identifiers and associated probabilities for analysis of the SW-CCW with all power available is presented in Table 3.3-3.

The input listings of component identifiers and associated probabilities for analysis of the SW-CCW with loss of offsite power and the SW-CCW with loss of one (either) power bus are not presented.

The loss of all electric power (both buses) is not necessary to model due to the unavailability of power to the pumps.

3.3.3 FAULT TREE QUANTIFICATION

The following sections describe the results of the quantification of the SW-CCW unavailability.

3.3.3.1 System Unavailability Calculations

The quantification of the SW-CCW fault tree was accomplished using the WAMCUT code to obtain the system and subsystem unavailability values. The WAMCUT code was used to identify the dominant cutsets and their contributions to system unavailability. The results are presented in Table 3.3-4.

The major cutsets derived for system failure and the relative probabilities are presented in Tables 3.3-5 and 3.3-6. The contributions of these cutsets to system unavailability are presented in the tables as relative percentages.

TABLE 3.3-1 HEAT LOADS TABLE FOR SW-CCW

Columns: Heat Load Name; Group 1 (Train AB); Group 2 (Train CD); Normal Reactor Operation (ON, OFF); Emergency Reactor Operation (ON, OFF). The X marks are listed in their original order after each heat load; their column positions are not recoverable from the scanned table.

1. Instrument Air Compressor: X X X X
2. RHR/CS pump miniflow: X X X X
3. RHR/CS pump miniflow: X X X X
4. HHSI, RHR/CS pump oil and motor: X X X X
5. HHSI, RHR/CS pump oil and motor: X X X X
6. Charging pump oil & water: X X X X
7a. Waste disposal building: X X X
7b. Sampling: X X X
7c. Miscellaneous: X X X
8a. BRS evaporator: X X X
8b. Seal Injection HX: X X X
8c. Miscellaneous: X X X
9. Spent fuel pit HX: X X X X
10. CCW pump motor: X X X X
11. CCW pump motor: X X X X
12. RCP thermal barrier and oil: X X X X
13. RCP thermal barrier and oil: X X X X
14. RHR HX: X X X X
15. RHR HX: X X X X
16. Letdown HX: X X X
17a. Fan cooler (running): X X X X
17b. Fan cooler (running or standby): X X (X) (X) X
18a. RCP motor: X X X X
18b. RCP motor: X X X X
18c. RCDT HX: X X X
Excess Letdown HX: X X X

TABLE 3.3-2 LIST OF COMPONENTS FOR SW-CCW

Columns: System Component; Bus A Dependent; Bus B Dependent; Tested (Note 1); Maintained (Note 2); Human Error (Note 3).

(a,c)

NOTES:

1. Testing does not render portions of the system inoperative. In addition, two of four SW-CCW trains are running, on an alternate basis, during all normal reactor operation.

2. Service Water trains B and D, Component Cooling Water trains B and D and Service Water strainers B and D are assumed to be in standby and their components can therefore be maintained.

3. Human Error Symbols: FR = Failure to restore after test or maintenance; FO = Failure to open; FC = Failure to close.

TABLE 3.3-3 SW-CCW COMPONENT FAILURE PROBABILITIES

(a,c)

TABLE 3.3-4 SUMMARY OF RESULTS FOR SW-CCW

Columns: Description; SW-CCW System Unavailability (Mean, Variance).

(a,c)

TABLE 3.3-5 DOMINANT CUTSETS FOR SW-CCW

Unavailability of both SW-CCW trains (all power available to both buses)

(a,c)

TABLE 3.3-6 DOMINANT CUTSETS FOR SW-CCW, LOSS OF ONE BUS

Unavailability of one particular train (all power available to the bus)

Columns: Dominant Cutsets; Relative Contribution (%).

(a,c)

Figure 3.3-1 Simplified System Diagram, Service Water Component Cooling Water System, Trains A and B (a,c) [diagram not reproduced in the scanned text]

FIGURE 3.3-2 ADVANCED PRESSURIZED WATER REACTOR PROBABILISTIC SAFETY STUDY, COMPONENT COOLING WATER SYSTEM (PROPRIETARY) [fault tree drawing not reproduced in the scanned text]

3.4 INTEGRATED SAFEGUARDS SYSTEM

3.4.1 SYSTEM DESCRIPTION

The Integrated Safeguards System (ISS) consists of four identical and separate mechanical subsystems. The ISS is powered by two separate and redundant emergency electrical power trains and receives actuation signals from two separate and redundant actuation cabinets. One subsystem is shown schematically in Figure 3.4-1 in its normal valve alignment.

The basic configuration consists of:

o Four pumping subsystems each containing one high-head and one low-head pump.
o An emergency water storage tank located inside the containment building.
o Four accumulators
o Four core reflood tanks
o Four residual heat removal heat exchangers
o Two spray additive tanks

The accumulators, core reflood tanks and residual heat removal heat exchangers are located inside the containment building. The pumping subsystems are located in the auxiliary building and are kept physically separate from each other. Since only the pumps and their associated piping and valves are located outside containment, the ISS minimizes the components associated with any post-accident recirculation of highly radioactive fluid outside containment. It is proposed that each of the four ISS pumping subsystems be housed in separate containment pressure pump enclosures (CPPE). This total containment encapsulation concept for the ISS eliminates the potential for post-accident releases of highly radioactive liquid or gases into the auxiliary building and subsequently into the environment.

With the CPPE concept or with the more traditional filtered, vented pump compartment design, the four pumping subsystems, or modules, can be physically independent and are identical to each other. Each pumping module contains one W APWR-PSS 3.4-1 June,1985

, 79430:10 i

-__----.-_- -- -.= -. - . - - . - _ . . -

1 i

) O low-head pump, one low-head pump miniflow heat exchanger, one high-head pump Q and the associated piping and valves necessary for these pumps to perform their intended safety functions.

The high-head pumps, which perform the safety injection function, are aligned to take suction from an Emergency Water Storage Tank (EWST) and to deliver coolant to the reactor coolant system via the Residual Heat Removal (RHR) heat exchangers and the four separate reactor vessel injection nozzles. The EWST is located at a low elevation inside the containment building.

The low-head pumps are primarily residual heat removal pumps, which are used for plant cooldown and during refueling operations to remove decay heat. During residual heat removal operation they take suction from the Reactor Coolant System hot legs and recirculate coolant through the core via the RHR heat exchangers and the four reactor vessel injection nozzles. However, during a LOCA or steam break accident, these pumps function as containment spray pumps. They are aligned to take suction from the EWST and deliver water to the containment spray ring headers on receipt of a high containment pressure actuation signal.

The four core reflood tanks provide a supplemental injection flow to the Reactor Coolant System (RCS) during the post accident reflood phase following an intermediate to large LOCA. The core reflood tanks represent a passive injection subsystem which delivers coolant to the RCS via the four reactor vessel injection nozzles. This passive subsystem is a low pressure, high resistance, low flow system.

The four accumulators provide a rapid reflood of the reactor vessel lower plenum and downcomer volumes following an intermediate to large LOCA. The accumulators represent a passive injection subsystem which delivers coolant to the RCS via the four RCS cold legs. The accumulators are a higher pressure, low resistance, high flow system.

In the event that the normal CVCS letdown/boration capability was not available, feed and bleed emergency letdown/boration operation would be utilized to achieve a cold shutdown boration of the RCS prior to plant cooldown operations. Two emergency letdown lines are routed directly from the RCS hot legs to the EWST. The high-head pumps would be used during this operation to provide the borated makeup to the RCS from the EWST.

Safety Injection

The four high-head pumps are the safety injection pumps. In the event that a safety injection ("S") signal were initiated, these pumps would start automatically and inject coolant directly into the reactor vessel downcomer.

Each high-head pump is aligned to take suction from the EWST located inside the containment and to deliver directly to the reactor vessel. All valves in this flow path are normally open. Therefore, the only action required to establish emergency core cooling is the automatic starting of the high-head pumps. There are no piping interconnections between these four separate high-head subsystems. The four high-head pumps are sized such that one high-head pump would be sufficient to prevent core uncovery for small LOCAs up to at least a break equivalent to a break of a 6 inch diameter pipe. Each high-head pumping system is provided with a normally closed flow path to a corresponding RCS hot leg. Several hours after a LOCA, all ISS pumping systems could be temporarily realigned for hot leg recirculation to ensure termination of boiling within the core.

In the event of a steam break accident, the high-head pumps inject borated water into the RCS with sufficient shutdown reactivity to compensate for the change in the RCS volume and counteract the reactivity increase caused by the resulting system cooldown. The high-head pumps would continue injecting borated water following a steam break until the initial RCS volume had been reestablished with borated water to prevent the possibility of an uncontrolled return to criticality.

The EWST provides a continuous suction source for the high-head pumps, thus eliminating the conventional realignment from the Refueling Water Storage Tank (RWST) to the containment sump. In the event of any LOCA, the coolant floods the containment low spots and then spills to the EWST, thus establishing a continuous recirculation path between the EWST, the high-head pumps, and the RCS. Since the EWST is located inside the containment, the initial EWST water temperature is approximately [ ] (a,c) compared to the minimum 32°F RWST temperature, thereby reducing the potential for thermal shock to the RCS. The conventional realignment from the 32°F RWST water temperature to a maximum 300°F containment sump water temperature imposes a thermal transient on the safety injection equipment, which has been essentially eliminated by the EWST arrangement.

The four accumulators are primarily responsible for rapidly refilling the reactor vessel lower plenum and downcomer following a major blowdown of the RCS that would occur with a large or intermediate LOCA. The four core reflood tanks provide a diverse, passive means to reflood or supplement the reflooding of the core, thus eliminating the need for large capacity low-head safety injection pumps.

Since the core reflooding phase occurs over a finite time period and imposes the largest flow requirement on the safeguards pumps, the core reflood tanks provide a means to reduce the flow requirement on the pumping system as well as provide a diverse and passive means to meet the large break LOCA functional requirement.

One RHR heat exchanger is installed in each of four high pressure injection headers that are routed from the four high-head pumps to the four reactor vessel ISS injection nozzles. These high pressure heat exchangers are located inside the containment building. In the event of a LOCA, these heat exchangers are available to remove heat from the EWST recirculation water regardless of the break size, since they are located in the high-head pump to reactor vessel flow path.

The RHR/CS pumps can be manually realigned to provide back-up safety injection flow. For smaller LOCAs the operator would also have to depressurize the RCS by opening the pressurizer PORVs or hot leg vents.

3.4.2 FAULT TREE MODEL

ISS reliabilities for small LOCA (< 6") and large LOCA (> 6") events are calculated for the Direct Vessel Injection design. Common cause and EWST failures are modeled, and are included in the fault tree quantification.

For both small and large LOCA events, three system failure probabilities are calculated. These are:

1. Failure probability for the injection phase.
2. Failure probability for the recirculation phase.
3. Failure probability for the total mission time.

The failure probabilities calculated for small LOCA events are displayed in Table 3.4-1. The failure probabilities calculated for large LOCA are displayed in Table 3.4-2. Examples of fault trees used for small and large LOCAs are given by Figures 3.4-2 and 3.4-3, respectively.

3.4.2.1 SUCCESS CRITERIA

For a small LOCA equivalent to a break of a 6 inch diameter pipe or smaller, any one of four HHSI subsystems delivering flow to the RCS can prevent core melt. For a large LOCA, the four core reflood tanks and the four high-head pumps provide eight separate means for injecting coolant directly into the reactor vessel. Any combination of five of these eight components is sufficient to keep the peak clad temperature below 2200°F using Appendix K assumptions. Best estimate analysis was not assumed, but it would show that one HHSI plus one or two CRT would prevent core melt.

Another success mode for both small and large LOCA is the operator realigning one RHR/CS pump to the RCS and, if necessary, opening the pressurizer PORV.

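As an added illustration (not part of the study), the success criteria above and the one-division case of Table 3.4-9 can be evaluated directly by enumerating component states. Per-train unavailabilities Q_HHSI and Q_CRT are constructed placeholders, since the study's values are proprietary; common cause is not included here, and an unsupported train is represented by an unavailability of 1.0.

```python
from itertools import product
from math import comb

# Constructed per-train unavailabilities; the study's own values are
# proprietary and withheld, so these only exercise the success logic.
Q_HHSI = 2.0e-3   # one high-head safety injection (HHSI) pump train
Q_CRT = 1.0e-3    # one core reflood tank (CRT) train


def failure_by_enumeration(q_by_component, min_success):
    """P(fewer than min_success components succeed), with the components
    treated as independent random failures (common cause not modeled).
    q_by_component: per-component unavailability; use 1.0 for a component
    whose support (for example its emergency electrical train) is lost."""
    n = len(q_by_component)
    total = 0.0
    for state in product((False, True), repeat=n):   # True = component failed
        working = n - sum(state)
        if working >= min_success:
            continue                                  # this state is a success
        p = 1.0
        for failed, q in zip(state, q_by_component):
            p *= q if failed else 1.0 - q
        total += p
    return total


def failure_binomial(q, n, min_success):
    """Closed form for n identical components: P(successes < min_success)."""
    return sum(comb(n, s) * (1.0 - q) ** s * q ** (n - s)
               for s in range(min_success))


def small_loca_failure(q_hhsi=Q_HHSI, supported_pumps=4):
    """Small LOCA (6 inch or smaller): any 1 of 4 HHSI trains delivering
    flow is success, so the system fails only if all supported trains fail."""
    pumps = [q_hhsi] * supported_pumps + [1.0] * (4 - supported_pumps)
    return failure_by_enumeration(pumps, min_success=1)


def large_loca_failure(q_hhsi=Q_HHSI, q_crt=Q_CRT, supported_pumps=4):
    """Large LOCA: any 5 of the 8 injection paths (4 HHSI + 4 CRT) is success.
    supported_pumps=2 is the one-division case of Table 3.4-9: the two pumps
    on the unsupported electrical train are counted as failed (q = 1.0)."""
    pumps = [q_hhsi] * supported_pumps + [1.0] * (4 - supported_pumps)
    return failure_by_enumeration(pumps + [q_crt] * 4, min_success=5)


if __name__ == "__main__":
    print(f"small LOCA, both divisions: {small_loca_failure():.3e}")
    print(f"small LOCA, one division:   {small_loca_failure(supported_pumps=2):.3e}")
    print(f"large LOCA, both divisions: {large_loca_failure():.3e}")
    print(f"large LOCA, one division:   {large_loca_failure(supported_pumps=2):.3e}")
```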


3.4.2.2 DEPENDENCE ON SUPPORT STATES

The electrical load associated with two of the four ISS subsystems is assigned to one of the two separate and redundant load groups or emergency electrical power trains, while the electrical loads associated with the other two ISS subsystems are assigned to the second emergency electrical power train. Two safeguards vital buses and two emergency diesel generators would be associated with the two emergency electrical trains.

3.4.2.3 RANDOM FAILURE MODEL

The following assumptions were made in the development of the ISS fault tree:

1. Heat exchanger-related failures are not modeled for 1 and 3 hour injection phase small LOCA.
2. The component cooling water valving for the RHR heat exchanger includes a normally open manual valve on the heat exchanger inlet and a motor-operated valve on the heat exchanger outlet that automatically opens at a set coolant temperature. No actuation failures are modeled for this MOV, since even if actuation fails, operators have ample time to respond.
3. The component cooling water valving for each of the high-head safety injection pumps includes a normally open block valve on the component cooling water inlet and outlet flow lines.

3.4.2.4 COMMON CAUSE MODEL

Common cause was calculated according to WAPWR Fault Tree Guidelines.

Components which may fail due to common cause include HHSI motor-driven pumps and the motor-operated valves on the outlet of the four RHR heat exchangers.

The common cause calculations are shown on Tables 3.4-3, 3.4-4 and 3.4-5.


3.4.2.5 TEST AND MAINTENANCE MODEL

The HHSI pumps are periodically tested on miniflow without realigning any valves. Therefore, the HHSI pumps are not made unavailable due to testing.

3.4.2.6 MAINTENANCE MODEL

Unavailability of a pump train due to maintenance activities is modeled in accordance with the fault tree guidelines.

3.4.2.7 HUMAN ERROR MODEL

No operator actions are included in the modeling of the ISS system. Operator actions are assumed to open HX cooling valves if automatic actuation fails.

3.4.2.8 INPUT DATA

The input data for the one hour ISS and one hour large LOCA responses is shown by Tables 3.4-6 and 3.4-7.

3.4.3 FAULT TREE QUANTIFICATION

The fault trees for small and large LOCA cases are quantified and the results are summarized below. Note that the tank unavailabilities for accumulators and CRTs are separately quantified as shown in Table 3.4-8. The system unavailability calculations for large LOCA, when only one division (two pumps) is supported, are given by Table 3.4-9.

3.4.3.1 SYSTEM UNAVAILABILITY CALCULATIONS

The system unavailability calculations by fault trees and hand calculations are summarized in Tables 3.4-1 and 3.4-2.

3.4.3.2 DOMINANT CUTSETS

The dominant cutsets for selected cases are given by Table 3.4-10.

TABLE 3.4-1 ISS FAILURE PROBABILITIES FOR SMALL LOCA

Case 1 Train 1 Division System (a,c)

Case Descriptions:

1 Hour: 1 hour mission time to be used in large LOCA fault tree
3 Hour: 3 hour mission time to be used for "injection phase" or short-term cooling
24 Hour with HX: 24 hour mission time to be used for failure of long-term cooling when containment fan coolers fail so that RHR HX cooling is needed
24 Hour no HX: 24 hour mission time to be used for failure of long-term cooling when containment fan coolers are available so that no HX cooling is needed

TABLE 3.4-2 ISS FAILURE PROBABILITIES FOR LARGE LOCA

Case 1 Train 1 Division System (a,c)

* Includes 1.65 x 10^-5 CCF of 4/4 HX.

Case Descriptions:

1 Hour: 1 hour mission time for short-term cooling
24 Hour with HX: 24 hour mission time for long-term cooling when containment fan coolers fail so that RHR heat exchanger cooling is needed
24 Hour no HX: 24 hour mission time for long-term cooling when containment fan coolers are available so that RHR heat exchanger cooling is not needed

TABLE 3.4-3 COMMON CAUSE CALCULATION FOR 1-HOUR MISSION TIME

Random Pump Failures:
Fail to Start : 1.34 x 10^-3
Fail to Run : 4.86 x 10^-5
Circuit Breaker Faults
Trip Circuit : 2.34 x 10^-4
Actuation Circuit : 5.57 x 10^-6
Control Power : 1.16 x 10^-4
Cooling Faults : N/A
Total (QT) = 1.74 x 10^-3

Common Cause Calculations:
2/2 Pumps Fail: q = (0.1) (1.74 x 10^-3) = 1.74 x 10^-4
4/4 Pumps Fail: q = β4 QT = 1.7 x 10^-5, V = 3.0 x 10^-10
3/4 Pumps Fail: q = 4 β3 QT = 8.4 x 10^-5 (4 combinations), V = 7.1 x 10^-8
2/4 Pumps Fail: q = 6 β2 QT = 1.04 x 10^-3 (6 combinations), V = 1.1 x 10^-6

TABLE 3.4-4 COMMON CAUSE CALCULATIONS FOR 3-HOUR MISSION TIME

Random Pump Failures:
Fail to Start : 1.34 x 10^-3
Fail to Run : 1.46 x 10^-4
Circuit Breaker Faults
Trip Circuit : 2.34 x 10^-4
Actuation Circuit : 5.57 x 10^-6
Control Power : 1.16 x 10^-4
Cooling Faults : N/A
Total (QT) = 1.84 x 10^-3

Common Cause Calculations:
2/2 Pumps Fail: q = (0.1) (1.84 x 10^-3) = 1.84 x 10^-4, V = 3.4 x 10^-8
4/4 Pumps Fail: q = (0.01) (1.84 x 10^-3) = 1.84 x 10^-5, V = 3.4 x 10^-10

TABLE 3.4-5 COMMON CAUSE CALCULATIONS FOR 24-HOUR MISSION TIME

Random Pump Failures:
Fail to Start : 1.34 x 10^-3
Fail to Run : 1.17 x 10^-3
Circuit Breaker Faults
Trip Circuit : 2.34 x 10^-4
Actuation Circuit : 5.57 x 10^-6
Control Power : 1.16 x 10^-4
Cooling Faults : N/A
Total (QT) = 2.86 x 10^-3

Common Cause Calculations:
2/2 Pumps Fail: q = 0.1 x (2.86 x 10^-3) = 2.86 x 10^-4, V = 8.2 x 10^-8
4/4 Pumps Fail: q = (0.01) (2.86 x 10^-3) = 2.86 x 10^-5, V = 8.2 x 10^-10
3/4 Pumps Fail: q = 4 (0.02) (2.86 x 10^-3) = 2.29 x 10^-4 (4 combinations), V = 5.2 x 10^-8
2/4 Pumps Fail: q = 6 (0.1) (2.86 x 10^-3) = 1.7 x 10^-3 (6 combinations), V = 2.9 x 10^-6

CCF of 2/2 HX cooling is estimated as q = 1.65 x 10^-4. For this purpose, an estimate of MOV failure is used. For 4/4 HX, a β4 value of 0.01 is used to get 1.65 x 10^-5. Note that these estimates are for order of magnitude determination and do not reflect any detailed analysis.

TABLE 3.4-6 INPUT DATA FOR 1-HOUR MISSION TIME FOR SMALL LOCA (a,c)

TABLE 3.4-7 INPUT DATA FOR 1-HOUR MISSION TIME FOR LARGE LOCA (a,c)

TABLE 3.4-8 QUANTIFICATION OF ACCUMULATOR AND CRT UNAVAILABILITIES

Random Failures of 1 Tank Train:
Check Valve fails to open : 3.2 x 10^-3
MOV transfers closed; local faults : 2.6 x 10
Total (QT) = 3.2 x 10^-3

Common Cause Failure (low tank pressure): q = 1 x 10^-6

2/3 Accumulators fail: q = 3 (3.2 x 10^-3)^2 + 1.0 x 10^-6 = 3.2 x 10^-5 (3 combinations), V = 1.0 x 10^-9
4/4 CRTs fail: q = 1.0 x 10^-6, V = 1.0 x 10^-12

* It is modeled that MOV local faults can be detected during refueling shutdown (18 months). Thus, the mean time interval for failure calculation is 8760 x 1.5 = 6570 hrs.
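An added example (not the study's own calculation) that reproduces the beta-factor arithmetic of Tables 3.4-3 to 3.4-5 and the tank calculation of Table 3.4-8 from the component values those tables list. It assumes the trip-circuit and control-power exponents implied by the table totals, treats fail-to-run as the 1-hour value scaled by mission time (an inference that matches the 3-hour and 24-hour entries), and takes V as q squared, which is what the table values show but the page does not define.

```python
from math import comb

# Per-train random failure contributions that the three pump tables share.
# Trip-circuit and control-power exponents are reconstructed from the
# table totals (assumption).
PUMP_TRAIN_FIXED = {
    "fail to start": 1.34e-3,
    "trip circuit": 2.34e-4,
    "actuation circuit": 5.57e-6,
    "control power": 1.16e-4,
}
# Fail-to-run grows with mission time: 4.86e-5 is the 1-hour table value, and
# scaling it by 3 and 24 hours reproduces the other two tables (inference).
FAIL_TO_RUN_PER_HOUR = 4.86e-5

# Beta factors and the number of failing combinations the tables apply.
BETA = {"2/2": 0.1, "4/4": 0.01, "3/4": 0.02, "2/4": 0.1}
COMBINATIONS = {"2/2": 1, "4/4": 1, "3/4": comb(4, 3), "2/4": comb(4, 2)}


def total_random(mission_hours):
    """QT for one HHSI pump train: rare-event sum of the contributions."""
    return sum(PUMP_TRAIN_FIXED.values()) + FAIL_TO_RUN_PER_HOUR * mission_hours


def ccf(q_t, case):
    """Beta-factor common cause probability q for a case such as '3/4',
    returned with V.  V is numerically q squared in the tables (observed
    from the table values; the page does not define V)."""
    q = COMBINATIONS[case] * BETA[case] * q_t
    return q, q * q


def ccf_table(mission_hours, cases=("2/2", "4/4", "3/4", "2/4")):
    """Rebuild one pump table: QT plus (q, V) for each common cause case."""
    q_t = total_random(mission_hours)
    return q_t, {case: ccf(q_t, case) for case in cases}


def tank_failure_2of3(q_train, q_ccf):
    """Table 3.4-8: two of three accumulators fail, random pairs plus the
    low-tank-pressure common cause term: 3 q^2 + q_ccf."""
    q = comb(3, 2) * q_train ** 2 + q_ccf
    return q, q * q


def mean_detection_interval_hours(test_interval_hours):
    """A fault found only at a periodic test is present, on average, for half
    the test interval; Table 3.4-8's 18-month (8760 x 1.5 h) check gives 6570 h."""
    return test_interval_hours / 2.0


def matches(value, table_value, rel=0.02):
    """Agreement with a table entry within 2 percent (tables round to 2 or 3
    significant figures)."""
    return abs(value - table_value) <= rel * table_value


if __name__ == "__main__":
    for hours, table in ((1, "3.4-3"), (3, "3.4-4"), (24, "3.4-5")):
        q_t, rows = ccf_table(hours)
        print(f"Table {table}: QT = {q_t:.2e}")
        for case, (q, v) in rows.items():
            print(f"  {case} pumps fail: q = {q:.2e}  V = {v:.1e}")
    q, v = tank_failure_2of3(3.2e-3, 1.0e-6)
    print(f"2/3 accumulators fail: q = {q:.2e}  V = {v:.1e}")
    print(f"mean detection interval: {mean_detection_interval_hours(8760 * 1.5):.0f} h")
```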


TABLE 3.4-9 CALCULATION OF ISS FAILURE PROBABILITIES FOR LARGE LOCA WHEN ONLY ONE DIVISION (2 PUMPS) IS SUPPORTED

Dominant Cutsets (by inspection) Mission Time: 1-HR, 24-HR with HX, 24-HR no HX (a,c)

* See note on Table 3.4-5 for comments.

TABLE 3.4-10 DOMINANT CUTSETS FOR SELECTED CASES FOR ISS

Cutsets Probability

Small LOCA 3-HR Mission Time (a,c)

FIGURE 3.4-2 ADVANCED PRESSURIZED WATER REACTOR PROBABILISTIC SAFETY STUDY INTEGRATED SAFEGUARDS SYSTEM SMALL LOCA (PROPRIETARY)

FIGURE 3.4-3 ADVANCED PRESSURIZED WATER REACTOR PROBABILISTIC SAFETY STUDY INTEGRATED SAFEGUARDS SYSTEM LARGE LOCA (PROPRIETARY)

Figure 3.4-1 Simplified System Diagram Integrated Safeguards System

RESAR-SP/90 PROBABILISTIC SAFETY STUDY WESTINGHOUSE ADVANCED PRESSURIZED WATER REACTOR STANDARD PLANT DESIGN

3.5 CONTAINMENT SPRAY SYSTEM

3.5.1 SYSTEM DESCRIPTION

The Integrated Safety System (ISS) containment spray system is designed to automatically provide sufficient flow to the containment spray ring headers to ensure that the following criteria are satisfied:

o In conjunction with the containment fan cooling system, rapidly reduce the containment pressure and temperature following any loss of coolant accident (and steam break accident) and maintain them at acceptably low levels.

o Reduce the concentration and quantity of fission products released to the environment following postulated accidents, using accepted N.R.C. calculational methods such that the offsite radiation exposures are within the guideline values of 10 CFR 100.

o Suitable redundancy shall be provided to assure that the ISS containment spray safety function can be accomplished assuming a loss of either on-site or offsite power and the most limiting single failure.

o Complete coverage of the containment cross-sectional area shall be achieved with minimum safeguards operation. The containment spray ring header layout and nozzle orientation and spacing shall ensure that the maximum containment volume coverage is obtained.

o The spray header design shall permit the operation of only one of the four ISS low-head pumping subsystems without exceeding the runout of the spray pump. The operation of one ISS spray system shall provide 50 percent containment coverage with 50 percent of the required flow. For an ISS powered by two emergency electrical power trains, spray subsystems assigned to the same electrical train shall deliver to a matched set of ring headers to obtain 100 percent coverage with a single failure of an electrical train.


To ensure the retention of the iodine in the EWST solution during long-term recirculation, the pH of the recirculation water should be maintained between [ ] (a,c). All sources of borated water, such as the reactor coolant system, accumulators, core reflood tanks, and emergency water storage tank (EWST) shall be considered.

The four low-head pumps are primarily Residual Heat Removal (RHR) pumps which would be used for normal plant cooldown and during normal refueling operations to remove the core decay heat. However, in case of a loss of coolant or steam break accident these low-head pumps would function as containment spray pumps.

The ISS containment spray system has a dual function of fission product removal and pressure suppression/heat removal following a major mass/energy release within the containment. However, a safeguard containment fan cooling system is provided as an integral part of the post-accident containment heat removal system; therefore the performance requirements for the ISS containment spray subsystem are based on providing sufficient flow to the containment spray ring headers to ensure coverage of the containment cross-sectional area with minimum safeguards operation.

In the event of a high containment pressure signal ("P" signal) during reactor power operation, the four low-head pumps would receive an automatic signal to start. Also, the valves in the pump discharge headers would receive an automatic signal to open. The low-head pumps would function as containment spray pumps and would take suction from the EWST and deliver to the containment spray headers, which are located in the top of the containment building.

A design flow of approximately [ ] gpm (a,c) has been established for a [ ] foot diameter spherical containment. This design flow rate is based on an assumed spray ring header layout and nozzle type, orientation and spacing that would ensure that the maximum containment volume coverage was obtained. A SPRAC01713A spray nozzle has been assumed with a pressure drop of 40 psig at a spray nozzle design flow rate of 15.2 gpm.


Each low-head pump is capable of providing one-half of the design flow. Therefore two of the four low-head pumps are required to meet the [ ] gpm (a,c) spray design flow rate.

Note that when spray recirculation is no longer required, the low-head pumps may be aligned for long-term safety injection recirculation, thereby providing 4 additional pumps for long-term core cooling when only one is needed. A system diagram is included as Figure 3.5-1.

The low-head pumps are single-stage, horizontal centrifugal pumps driven by a water-cooled induction motor. The primary function of these pumps is to recirculate coolant through the core and through residual heat removal (RHR) heat exchangers during plant cooldown and shutdown operations. During these operations the low-head pumps are aligned to take suction from the RCS hot legs and to deliver to the reactor vessel injection nozzles. In the event of a large LOCA or steam break these pumps function as containment spray pumps and take suction from the EWST and deliver coolant to the containment ring headers to perform the spray recirculation function. If spray recirculation is not required during a long-term post-accident core cooling phase, these low-head pumps can be aligned for direct vessel injection and can perform a long-term ECCS recirculation function. The low-head pumps are also used to return the refueling water from the refueling canal back to the EWST prior to plant start-up operations.

These pumps must be protected against extremely low flow or no flow operation. This requirement is satisfied by a miniflow heat exchanger in parallel with each pump. A flow path from the discharge header of each low-head pump is routed to the miniflow heat exchanger and from the miniflow heat exchanger to the pump suction. The shell side of the miniflow heat exchangers is connected to the component cooling water system. This heat exchanger is provided to protect the pumps from potential damage in the event they are started with all discharge flow paths blocked. It also eliminates the need for routing these mini-flows outside the shielded and vented safeguards pump area.


Component cooling water is recirculated through the shell of each heat exchanger to transfer the heat from the coolant to the ultimate sink.

3.5.2 FAULT TREE ANALYSIS

The fault tree was developed according to the WAPWR Guide to Fault Tree Development in Section 3.10. All of the assumptions specific to this fault tree model are stated in Section 3.5.2.3. The containment spray fault tree is presented in Figure 3.5-2.

3.5.2.1 SUCCESS CRITERIA

The success criterion for the ISS containment spray function fault tree is at least one of four containment spray subsystems delivering flow to the spray header. This criterion ensures that even without containment fan coolers the containment will not fail due to overpressurization.

3.5.2.2 DEPENDENCE ON SUPPORT STATES

Trains A and B of the Containment Spray System are dependent on 4160V Bus 1A and trains C and D on 4160V Bus 1B. Each train of the Containment Spray System has a motor-driven containment spray/RHR pump and one motor-operated valve which depends on electric power.

3.5.2.3 FAILURE MODEL

3.5.2.3.1 RANDOM FAILURE MODEL

The random failure fault tree model was developed according to the APWR Guide to Fault Tree Development in Section 3.10. The assumptions used in the fault tree model for the containment spray system are as follows:

Full flow pump test is done only during refueling.

Pump test during operation is performed by ensuring that proper discharge head is developed when the pump is started and run on miniflow. During normal operation, the trains are never unavailable for test. Flow tests are performed following pump maintenance.

Component cooling valve CCWCD is not considered because misposition of the valve would not constitute a failure.

Parallel sets of valves are considered to have one valve on each MCC. MCC failures are approximated by circuit breaker failure to transfer closed.

3.5.2.4 COMMON CAUSE MODEL

The common cause modeling of the system is done in accordance with the common cause guidelines in Section 3.10.3. All common cause calculations are the product of a β and a random failure probability. Common cause failure to run and common cause failure to start are modeled for the motor-driven pumps.

Common cause failure of various motor-operated valves which require position changes is also modeled in the fault tree. These include common cause failure of valves 9011 A, B, C, and D. Table 3.5-1 contains the common cause calculations for this system.

3.5.2.5 TEST MODEL

The ISS provides a means for performing a total system and pump performance test during reactor power or shutdown operations. Each low-head and high-head pump can be aligned to take suction from the EWST and to discharge back into the EWST via a system performance test flow path located downstream of each RHR heat exchanger. It is recommended that a full flow system and pump performance test be performed during each major refueling operation. The entire pump performance curve can be verified from miniflow to pump runout during these tests. Quarterly miniflow tests (which would require no valve repositioning) are recommended for ISS pumps. In the event that the miniflow tests produce unacceptable pump characteristics, additional pump performance data can be obtained during reactor power operations. This system performance test capability may also be utilized should major pump maintenance or replacement be required during reactor power operations. Train test is not modeled in the fault tree because the trains are never unavailable due to test during normal operation.

3.5.2.6 MAINTENANCE MODEL

Maintenance of the containment spray system is modeled for complete trains, not individual components.

3.5.2.7 HUMAN ERROR MODEL

There are no operator actions required to initiate the containment spray system; therefore human error does not affect the availability of the containment spray system.

3.5.2.8 INPUT DATA

Table 3.5-2 lists all event identifiers, brief descriptions of the failure mode they represent, and the numbers used as input to the fault tree quantification. All numbers in this table are drawn from the data bank in Section 3.10.7.

3.5.3 FAULT TREE QUANTIFICATION

3.5.3.1 SYSTEM UNAVAILABILITY CALCULATIONS

The fault tree was analyzed using the WAMBAM computer code. For support state 3, the unavailability is 1.0 because of the dependencies of the system on electrical power. The unavailability value for one bus of electric power available is [2.67E-03] (a,c) and for both buses of electric power available is [3.01E-05] (a,c).

3.5.3.2 DOMINANT CUTSETS

The WAMCUT computer code was used to obtain cutsets for the containment spray system fault tree model for all support states. The dominant cutsets for the containment spray system are listed in Table 3.5-3 along with the percent of the unavailability which they contribute.

TABLE 3.5-1 CONTAINMENT SPRAY SYSTEM COMMON CAUSE CALCULATIONS

Random Failure Mode | Data Bank Source ID | β | Failure Mode | Random Failure Probability | Result (a,c)

TABLE 3.5-2 CONTAINMENT SPRAY SYSTEM COMPONENT FAILURE PROBABILITIES (a,c)

TABLE 3.5-3 CONTAINMENT SPRAY SYSTEM DOMINANT CUTSETS

Description Contribution (a,c)

Figure 3.5-1 Simplified System Diagram Containment Sprays System

Figure 3.5-1 (cont.) Simplified System Diagram Containment Sprays System

FIGURE 3.5-2 ADVANCED PRESSURIZED WATER REACTOR PROBABILISTIC SAFETY STUDY CONTAINMENT SPRAYS SYSTEM (PROPRIETARY)

3.6 CONTAINMENT FAN COOLER SYSTEM

3.6.1 SYSTEM DESCRIPTION

The reactor containment fan cooler system is designed to meet the following requirements:

A. During normal operation the system cools and dehumidifies the containment.

B. Following a postulated loss-of-coolant accident (LOCA), the reactor containment fan coolers provide the design heat removal capacity for the containment, assuming that the core residual heat is released to the containment as steam and water.

C. The reactor containment fan cooler system and the integrated safeguards system (Section 3.4) share in removing heat from the containment building following a LOCA.

D. One fan cooler in each of two cooling water trains operates during a LOCA. This prevents the possibility of local boiling in the fan cooling coils which might occur if two fans per train were operated, and assures that the resultant temperature of the cooling water does not exceed the safe maximum temperature.

E. The fan coolers operate at low speed with a lower-than-normal airflow during a LOCA to prevent motor overload.

F. The containment coolers, including the fan and motor combination, are designed to remain operable in the accident environment.

G. The fan cooler housing is designed to withstand the maximum transient pressure rise associated with accident conditions.

H. The fan cooler housing is designed to drain the condensate which forms on the cooling coil surface under normal and accident conditions.


J. If the two running fan coolers fail, the operator must start the standby fan coolers.

The fan cooler system recirculates the containment air (or air-steam mixture in the event of a LOCA) through cooling coils to transfer heat from the containment atmosphere to the component cooling water (CCW) system. The fan cooler system consists of four identical fan cooler units, each having a vertical axial flow fan, a two-speed 480 VAC electric motor, a mist separator, and a CCW cooling coil. Each fan cooler has its own air distribution duct.

The air distribution duct routes the cooled air to various levels of the containment building and contains no dampers.

The fan cooler system is made up of two trains, each having two fan cooler units. Each train receives electric power from a separate redundant essential bus and is cooled by a separate redundant CCW train. A simplified diagram of the fan cooler system is shown in Figure 3.6-1. Fans associated with Train A receive power from essential bus A. Fans associated with Train B receive power from essential bus B.

Bypass lines are provided for each fan cooler and are designed to carry the full cooling water flow when the fan cooler is in maintenance. Only one fan cooler is out for maintenance at a time.

During normal operation a maximum of three fan coolers will operate at high speed. The minimum number of fan coolers which will normally operate is assumed to be two; one cooler per train. Upon receipt of the safety injection signal the automatic control system for the fan coolers will switch the fan speed of one cooler in each train to low and will shut off the third fan cooler, if operating. The deenergized coolers are standbys for the operating coolers in their respective trains. While the safety injection signal is in effect, a standby cooler can be started manually if desired but the fans cannot be manually switched to high speed. None of the valves associated with the fan coolers are required to move for post-LOCA containment cooling.


3.6.2 FAULT TREE MODEL

The containment fan cooler fault tree is shown in Figure 3.6-2.

3.6.2.1 SUCCESS CRITERIA

Any one of the four fan coolers will provide sufficient heat removal following a LOCA to maintain the containment pressure below the design value. Following a LOCA, the fan coolers work in conjunction with the containment spray system to reduce the containment pressure and temperature. However, one fan cooler can maintain the containment pressure below the design value without the assistance of the sprays. Therefore, the success criterion for the fan cooler system is one fan cooler unit available.

3.6.2.2 DEPENDENCE OF FAN COOLERS ON SUPPORT STATES

Fan cooler train A depends on electric power and component cooling water from ESF bus A and CCW train A. Fan cooler train B depends on electric power and component cooling water from ESF bus B and CCW train B.

3.6.2.3 RANDOM FAILURE MODEL

Random failure of a fan cooler to run was obtained from the Zion Probabilistic Safety Study. The random failure of a normally running fan cooler to switch to low speed and the random failure of a standby cooler to start were included in one data value so that it was not necessary, in the random model, to treat two fan coolers as standby and two as running. However, the common cause model required some distinction between running and standby, as discussed in the common cause section. As the control and actuation circuits for the fan coolers have not yet been designed, the best available random failure data for control and actuation was selected from the master data file in Section 3.10. Since the fan motors are 480 volt, the control and actuation failure probability for motor-operated valves (also 480 volt) was selected. The non-standard control features associated with the stopping of only one of two operating fans in a train were lumped into the common cause model.

3.6.2.4 COMMON CAUSE MODEL

Common cause modeling of the system was done in accordance with the common cause guidelines in Appendix 3B. Common cause calculations were the product of the β value and a random failure probability. Table 3.6-1 gives a summary of the common cause calculations. As indicated, a β value of 0.1 was used for all common cause calculations except for the common cause failure of control and actuation circuits. A conservative β value of 0.4 was selected to account for additional common cause effects associated with the activation of only one fan cooler per train with the S signal. Whereas with most fan cooler systems the activation of all four coolers would be considered success, the activation of four coolers in the APWR system (or three coolers, or two on the same train) does not constitute success. The conservative β value of 0.4 accounts for the additional complexity of control and actuation.

Failure of standby fan cooler units and running units are treated as separate common cause failures. One common cause failure causes two coolers in the same operating mode to fail. Since the two coolers on a single train operate in the same mode, these two are linked by using a transfer in the fault tree.

The random failure modes and β's used apply to alternating pumps, with no distinction between running and standby at the time of the LOCA. Therefore, the common cause probabilities are equal for both sets of fan cooler units.

3.6.2.5 TEST MODEL

It was assumed that the unavailability of the fan coolers would not be affected by testing since they do not have to be isolated.


3.6.2.6 MAINTENANCE MODEL

Only one fan cooler will be in maintenance at a time. When one fan cooler is in maintenance, the other three fan coolers are modeled as not being in maintenance.

3.6.2.7 HUMAN ERROR MODEL

The only human error considered in the model was the failure to restore the manual cooling water bypass valve on the cooler following maintenance. Random failure to restore one or both of the manual cooling water block valves was not considered because this error would result in blockage of cooling flow to the normally-operating fan cooler and would be corrected immediately by plant operators. The common cause failure to restore the bypass and block valves following maintenance was considered, as this combination of failures would not result in a blockage of flow in the train.

3.6.2.8 INPUT DATA

Table 3.6-2 lists the failure probabilities and variances for each event identifier. The data were taken from Section 3.10.

3.6.3 FAULT TREE QUANTIFICATION

In this section, the results of the fault tree quantification and the dominant cutsets are presented.

3.6.3.1 SYSTEM UNAVAILABILITY CALCULATION

Computed failure probabilities and variances for the fault tree top event titled "Failure of Containment Fan Cooling System" are given in Table 3.6-3.

The calculated failure probability of the fan cooling system in the event of a LOCA in conjunction with a loss of offsite power is also given in Table 3.6-3. Loss of offsite power affects the common cause failure of fan coolers to start. Since two fan coolers are assumed to be in normal operation prior to the LOCA, only the standby coolers in each train are linked in the common cause modeling of failure to start when offsite power is available. However, the loss of offsite power results in the stopping of all four fans. Therefore, common cause failure to start is linked to all four fan coolers, even though only one cooler per train is started.

3.6.3.2 DOMINANT CUTSETS

Dominant cutsets are listed in Table 3.6-4.


TABLE 3.6-1 FAN COOLER COMMON CAUSE CALCULATIONS

Description of Random Failure    Random Failure Probability    β    Failure Probability for Two Coolers Due to Common Cause

(a,c)

Note 1: This common cause failure was modeled on a single cooler basis for the standby coolers. Common cause failure to restore the bypass and block valves consists of three possible combinations: failure to close the bypass valve and open the inlet block valve, failure to close the bypass valve and open the outlet block valve, and failure to close the bypass valve and open both block valves. Therefore, the common cause failure probability was multiplied by a factor of 3.


TABLE 3.6-2 INPUT DATA FOR FAN COOLER SYSTEM FAULT TREE

(a,c)


TABLE 3.6-3 CONTAINMENT FAN COOLER SYSTEM FAILURE PROBABILITY

Probability of Failure and Variance for Fan Cooler System

Case Number      Support State 2       Support State 1       Support State 0
(See Note 2)     Prob.      Var.       Prob.      Var.       Prob.      Var.

(a,c)

Note 1: Support State 2 = All support systems available
        Support State 1 = Power on ESF Bus A unavailable, or CCW Train A unavailable
        Support State 0 = ESF Power or CCW unavailable

Note 2: Case No. 1 is calculated assuming no loss of offsite power. Case No. 2 is calculated assuming a loss of offsite power.

TABLE 3.6-4 DOMINANT CUTSETS FOR CONTAINMENT FAN COOLER SYSTEM (OFFSITE POWER AVAILABLE)

Cutset Description    Percent of Unavailability

(a,c)


Figure 3.6-1 Simplified System Diagram Containment Fan Coolers System

FIGURE 3.6-2 ADVANCED PRESSURIZED WATER REACTOR PROBABILISTIC SAFETY STUDY CONTAINMENT FAN COOLERS SYSTEM (PROPRIETARY)

3.7 SECONDARY COOLING

3.7.1 START-UP FEEDWATER SYSTEM

3.7.1.1 SYSTEM DESCRIPTION

Whenever the main feedwater system is unavailable during startups, shutdowns and standby, the start-up feedwater system (SUFW) provides feedwater flow to the steam generators. The SUFW is actuated automatically following a reactor trip. A motor-driven pump on normal AC supplies water to all four steam generators from the deaerator storage tank or the condensate storage tank.

The lines to each steam generator are identical in terms of valve location and type. The start-up feedwater system will be automatically isolated if any one of the four parallel sections receives low or no water supply. Please refer to the system schematic in Figure 3.7.1-1.

3.7.1.2 FAULT TREE MODEL FOR THE SUFW

The SUFW is modeled in the fault tree shown in Figure 3.7.1-2. Table 3.7.1-1 lists all the components used in the fault tree model, their identifiers, failure modes, and the probability and variance used for the quantification. The data for the failure probabilities is drawn from the data bank described in Section 3.10.5.

3.7.1.2.1 SUCCESS CRITERIA FOR SUFW

The success criterion for the SUFW is for the single pump to provide sufficient flow to all four steam generators.

3.7.1.2.2 DEPENDENCE OF SUFW ON SUPPORT STATES

The SUFW is powered by offsite AC power and not by the emergency buses. Therefore, there is a dependence on offsite AC power for the SUFW. The system is considered to be available for transients and other events which do not include a loss of offsite power, a loss of cooling water flow, or an actuation of the IPS.


3.7.1.2.3 RANDOM FAILURE MODEL FOR THE SUFW

The random failure fault tree models were developed and applied according to the APWR Fault Tree Guidelines in Section 3.10. The following assumptions are not addressed in Section 3.10, but apply to the SUFW fault tree analysis.

1. Common cause was not treated as an independent failure mechanism for the components in this system since it consists of a single train of equipment. Common cause failure of all air-operated control valves has a probability of 7 x 10⁻⁹, which is insignificant with respect to other system failures.

2. The system is a control grade system and is not tested. However, the system is used for every start-up and shutdown operation. The analysis assumes that the system is used at least once upon reactor trip and is therefore operated ten times per year.

3. The mission time for the system is 24 hours.

4. The pump suction piping was assumed to include a manual block valve and a normally closed MOV to the deaerator storage tank.

3.7.1.2.4 MAINTENANCE MODEL OF SUFW

Maintenance of the system is modeled as a train. Table 3.7.1-1 lists all of the components in the model and whether they are maintained. The table also indicates which valves have failure to restore as a failure mode. It is assumed that train maintenance outages will be dominated by the pump, and that any required valve repairs will occur when the pump is taken out of service.

3.7.1.3 FAULT TREE QUANTIFICATION FOR SUFW

3.7.1.3.1 SYSTEM UNAVAILABILITY CALCULATIONS FOR SUFW

The fault trees were analyzed using the WAMCUT computer code. The dominant cutsets are presented in Table 3.7.1-2. The system has an unreliability of [ ] with a variance of [ ] (a,c).


TABLE 3.7.1-1 INPUT DATA FOR START-UP FEED WATER SYSTEM

(a,c)


TABLE 3.7.1-1 (Continued) INPUT DATA FOR START-UP FEED WATER SYSTEM

(a,c)


TABLE 3.7.1-2 DOMINANT CUTSETS FOR START-UP FEED WATER SYSTEM

Description    Percent Contribution

(a,c)


Figure 3.7.1-1 Simplified System Diagram Start-up Feedwater System


FIGURE 3.7.1-2 ADVANCED PRESSURIZED WATER REACTOR PROBABILISTIC SAFETY STUDY STARTUP FEEDWATER SYSTEM (PROPRIETARY)


3.7.2 EMERGENCY FEEDWATER SYSTEM

3.7.2.1 SYSTEM DESCRIPTION

The Emergency Feedwater System (EFWS) functions as a heat removal system with the steam generators and the steam generator relief valves and safety valves. It can operate independently from the main or startup feedwater system for emergencies or as required in startup, shutdown, or hot standby conditions. However, the system is not normally used for this purpose.

The EFWS consists of two identical subsystems. Each subsystem contains a motor-driven and a turbine-driven pump which supply feedwater to two steam generators. Each subsystem is tied in to separate emergency buses. The EFWS is initiated by a signal from the reactor protection system or by low-low steam generator water level. The system is designed to deliver adequate flow to each of the four steam generators following a transient without the need for operator action for at least 30 minutes. A cavitating venturi is provided at the inlet of each steam generator to limit the flow to [ ] gpm (a,c). This serves to prevent pump runout, prevent steam generator overfill, and prevent excessive core cooldown. A single line diagram of the system is shown in Figure 3.7.2-1.

Any one of the four emergency feedwater pumps supplying one of the four steam generators will provide enough feedwater to remove decay heat and prevent a core melt.

3.7.2.2 FAULT TREE ANALYSIS

The EFWS fault tree is shown in Figure 3.7.2-2. The success criterion for ATWS is implemented later, at the top level logic.


3.7.2.2.1 SUCCESS CRITERIA FOR EMERGENCY FEEDWATER SYSTEM

The success criterion for the EFWS is full pump flow from a single pump to a single steam generator for all initiating events except ATWS. The success criterion for an ATWS event is full pump flow from two pumps to four steam generators.

3.7.2.2.2 DEPENDENCE ON SUPPORT STATES

One train of each subsystem depends on electric power. The other train in each subsystem has no support state dependencies since it is a steam turbine driven pump with fail-open valves.

3.7.2.2.3 FAILURE MODEL

3.7.2.2.3.1 RANDOM FAILURE MODEL

The random failure fault tree models were developed according to the APWR Guide to Fault Tree Development in Section 3.10. The following assumptions are not addressed in Section 3.10 but apply to the EFWS fault tree:

1) Pump cooling is supplied by minimum flow lube oil cooler lines.

2) Success time for the EFW system is 24 hours.

3) System testing is performed on a monthly basis.

3.7.2.2.3.2 COMMON CAUSE MODEL

The only common cause failures considered are those of the pumps to start and to run, and of the air operated valves which must stroke. The β factor represents those common elements between two components which could cause their failure. The β's for motor driven and turbine driven pumps both include failures pertaining to the pump and the driver. A β of 0.1 was used for all common cause contributions.


3.7.2.2.3.3 TEST AND MAINTENANCE MODEL

The test and maintenance of the system is modeled by segments. Table 3.7.2-1 lists all of the components in the model and their failure rates for a 24 hour mission time, and whether they are tested or maintained. The table also indicates which valves have failure to restore as a failure mode.

3.7.2.2.3.4 HUMAN ERROR MODEL

The only human errors modeled consist of failure to restore valves to their proper position following test or maintenance.

3.7.2.2.3.5 INPUT DATA

The data for component failure values is taken from the WAPWR master databank (Section 3.10). An input listing of component identifiers and associated probabilities is presented in Table 3.7.2-1.

3.7.2.2.4 FAULT TREE QUANTIFICATION

3.7.2.2.4.1 SYSTEM UNAVAILABILITY CALCULATIONS

The fault trees were analyzed using the WAMCUT computer code. A total of nine cases were analyzed to provide input for the various support states. The three cases of full AC power available, one AC power bus available, and no AC power available were analyzed for the three situations of four intact steam generators, one faulted (three intact) steam generator, and ATWS. The failure probabilities and variance for each of the cases are shown in Table 3.7.2-2.

3.7.2.2.4.2 DOMINANT CUTSETS

The dominant cutsets are presented in Table 3.7.2-3.


TABLE 3.7.2-1 INPUT DATA FOR EFWS

(a,c)


TABLE 3.7.2-1 (Cont) INPUT DATA FOR EFWS

(a,c)


TABLE 3.7.2-1 (Cont) INPUT DATA FOR EFWS

(a,c)


TABLE 3.7.2-1 (Cont) INPUT DATA FOR EFWS

(a,c)


TABLE 3.7.2-2 EFWS UNAVAILABILITY (24 Hours)

                FULL AC POWER    ONE AC POWER BUS    NO AC POWER

(a,c)

* Variance


TABLE 3.7.2-3 EMERGENCY FEEDWATER SYSTEM DOMINANT CUTSETS

I. Four Intact Steam Generators (Full AC Power)

Description    Contribution

(a,c)


TABLE 3.7.2-3 (Cont.)

II. Three Intact Steam Generators

If Steam Generator A is faulted:

Description    Contribution

(a,c)


TABLE 3.7.2-3 (Cont.)

If Steam Generator D is faulted: (Full AC Power)

Description    Contribution

(a,c)


TABLE 3.7.2-3 (Cont.)

III. ATWS (Full AC Power)

Description    Contribution

(a,c)


Figure 3.7.2-1 Emergency Feedwater Simplified System Diagram

[Diagram: two emergency feedwater pump trains (pumps No. 1 to No. 4) supplying the steam generators inside containment; not reproduced in this text.]

FIGURE 3.7.2-2 ADVANCED PRESSURIZED WATER REACTOR PROBABILISTIC SAFETY STUDY EMERGENCY FEEDWATER SYSTEM (PROPRIETARY)


3.8 BACK-UP SEAL INJECTION SYSTEM

3.8.1 SYSTEM DESCRIPTION

The Back-up Seal Injection Pump in the CVCS is designed to deliver the required flow of seal injection water to all four Reactor Coolant Pumps (RCPs) in the event that the normal seal injection flow is lost. The BSI consists of a positive displacement pump driven by a DC motor. The DC motor receives power from a DC generator driven by a small diesel engine. DC power is also available from AC sources if they are available. The system is a control grade system.

A simple schematic of the system is shown in Figure 3.8-1.

3.8.2 FAULT TREE ANALYSIS

The BSI is modeled in the fault tree shown in Figure 3.8-2.

3.8.2.1 SUCCESS CRITERIA

The success criterion for the BSI is to provide sufficient flow to all four RCPs.

3.8.2.2 DEPENDENCE ON SUPPORT STATES

Since the BSI has its own dedicated diesel generator power system, there is no dependence on support states.

3.8.2.3 RAND 0M FAILURE MODEL The random failure fault tree models were developed and applied according to the APWR Fault Tree Guidelines in Section 3.10. The mission time is 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

3.8.2.4 COMMON CAUSE MODEL

Common cause was not treated as a failure mechanism for the components in this system since there are no commonalities between this system and any other.


3.8.2.5 TEST MODEL

The system is a control grade system and is not tested. However, the system is used to keep the accumulators full and for back-up CVCS seal injection. The analysis assumes that the system is used at least once every three weeks and is therefore "tested" routinely.

3.8.2.6 MAINTENANCE MODEL

Maintenance of the system is modeled by segments. Table 3.8-1 lists all of the components in the model and whether they are maintained. The table also indicates which valves have failure to restore as a failure mode.

3.8.2.7 HUMAN ERROR MODEL

Human error modeling consisted of failure to restore valves to the proper position following test or maintenance.

3.8.2.8 INPUT DATA

Table 3.8-1 lists all the components used in the fault tree model, their identifiers, failure modes, and the probability and variance used for the quantification. The data for the failure probabilities is drawn from the data bank described in Section 3.10.5.

3.8.3 FAULT TREE QUANTIFICATION

3.8.3.1 SYSTEM UNAVAILABILITY CALCULATIONS

The fault trees were analyzed using the WAMCUT computer code. Table 3.8-2 provides the results of this analysis.

3.8.3.2 DOMINANT CUTSETS

The dominant cutsets are also indicated in Table 3.8-2.


TABLE 3.8-1 INPUT DATA FOR BSI

(a,c)


TABLE 3.8-1 (Cont) INPUT DATA FOR BSI

(a,c)


TABLE 3.8-2 BACK-UP SEAL INJECTION UNAVAILABILITY AND DOMINANT CUTSETS

System Unavailability    (a,c)
Variance                 (a,c)

Dominant Cutsets

Description    Contribution

(a,c)


Figure 3.8-1 Simplified System Diagram Emergency Seal Cooling System


FIGURE 3.8-2 ADVANCED PRESSURIZED WATER REACTOR PROBABILISTIC SAFETY STUDY EMERGENCY SEAL COOLING SYSTEM (PROPRIETARY)


3.9 STEAM GENERATOR OVERFILL PROTECTION SYSTEM

3.9.1 SYSTEM DESCRIPTION

A steam generator overfill protection system has been provided to prevent water flow through downstream steam pipes and valves following, for example, a steam generator tube rupture accident. Preventing such flow increases the integrity of the steam generator isolation function by reducing the probability of both pipe failure and valve failure.

The system consists of a four inch line and normally open motor operated valve that branches into two three inch lines with normally closed solenoid operated globe valves. These valves provide a safety grade steam generator blowdown to the Emergency Water Storage Tank (EWST). Valve actuation open occurs on high-high steam generator water level, and closure occurs at a lower level. The opening of either valve will prevent an overfill condition in the affected steam generator following a tube rupture. A simplified flow diagram of the system is presented in Figure 3.9-1.

3.9.2 FAULT TREE ANALYSIS

3.9.2.1 FAILURE TO PREVENT OVERFILL

The fault tree of the system failing to operate upon the occurrence of increasing steam generator water level is presented in Figure 3.9-2.

3.9.2.2 SUCCESS CRITERIA

Either one of two parallel solenoid valves must open upon demand to prevent steam generator overfill.

3.9.2.3 DEPENDENCE ON SUPPORT STATES

It is assumed that the solenoid operators are powered by 125 V DC power, and thus available independent of plant support state. If the power supply is 120 V AC, which is battery backed through an inverter, it also is assumed to be available in all plant states.

3.9.2.4 RANDOM FAILURE MODEL

Random component failures include those that could cause the motor operated block valve to be closed when a demand is put on the system. Also, those failures which could cause the solenoid operated valves to fail to transfer to the open position are modeled.

3.9.2.5 COMMON CAUSE MODEL

Common cause failure of the redundant solenoid valves is modeled, utilizing a beta factor of 0.1. No common cause failures between steam generators are modeled, since the demand on the system may be caused by a steam generator tube rupture, which affects a single SG.

3.9.2.6 TEST MODEL

It is assumed for this analysis that a flow test, with verification of flow through both valves, will be performed at each refueling (18 month intervals).

3.9.2.7 MAINTENANCE MODEL

If a system failure occurs during test, maintenance is assumed to restore the system to operability before power operation is resumed.

3.9.2.8 HUMAN ERROR MODEL

Operator error in failing to open and electrically lock out motor operated valve 9780 is not considered a credible failure mode in this analysis, since closure of the valve is only anticipated either for isolation of a failed-open solenoid valve or following solenoid valve maintenance, which is a very low frequency event. Also, a system flow test following solenoid valve maintenance will assure that the MOV has been restored to its open position.


3.9.2.9 INPUT DATA

The input data for the quantification of the fault tree is presented in Table 3.9-1.

3.9.3 FAULT TREE QUANTIFICATION

3.9.3.1 SYSTEM UNAVAILABILITY CALCULATION

Quantification of the fault tree shows an unreliability of [ ] (a,c) with a variance of [ ] (a,c) for the system on demand. Due to the long period of time between tests, the local failure of the single MOV dominates the system unreliability. It is felt that this is a very conservative representation of system failure, since an actual failure mode of the subject valve consistent with the failures that comprise the data base is incredible. Most valve failures to the closed position, except for operator errors, are comprised of switch and control failures (power is locked out to this MOV), and valve stem failure due to corrosion, which generally is not applicable to the main steam or feedwater systems (such failures have usually manifested themselves in non-filtered or purified water systems, such as service water). Therefore, this result is considered to be conservative, and is used to maintain consistency throughout the systems analysis.

3.9.3.2 DOMINANT CUTSETS

The dominant cutsets and their relative contribution to system unreliability are presented in Table 3.9-2.
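As an added worked example, not part of the APWR PSS and not its WAMCUT code, the following Python script shows the cut-set quantification that underlies the "Contribution" columns of this chapter. It builds the Section 3.9 logic (normally open MOV 9780 in series with the two parallel solenoid valves 9783 and 9784 that must open on demand), splits the solenoid valve failure probability with the β-factor model of Section 3.6.2.4 (β = 0.1), derives the MOV unavailability from the 18 month test interval with the standard standby form λT/2, enumerates the minimal cut sets, and sums them under the rare-event approximation. The failure rate and demand probability values, the λT/2 form, and the basic-event names are assumptions standing in for the proprietary entries of Table 3.9-1; with these placeholder values the single MOV cut set still dominates, in the same order as Table 3.9-2, but the percentages are not the PSS values.

```python
"""Cut-set quantification of the Steam Generator Overfill Protection System
(Section 3.9) with a beta-factor common cause split (Section 3.6.2.4).
Added illustration, not APWR PSS code; all numerical values are hypothetical."""
from itertools import product
from math import prod

# A gate is ("AND" | "OR", [children]); a leaf is a basic-event name.

def min_cut_sets(node):
    """Minimal cut sets of a fault tree (list of frozensets of basic events)."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    child_sets = [min_cut_sets(c) for c in children]
    if kind == "OR":                       # any child failing fails the gate
        sets = [s for cs in child_sets for s in cs]
    elif kind == "AND":                    # all children must fail together
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate {kind}")
    return _minimize(sets)

def _minimize(sets):
    """Drop any cut set that is a superset of another (non-minimal)."""
    out = []
    for s in sorted(set(sets), key=len):
        if not any(m <= s for m in out):
            out.append(s)
    return out

def standby_unavailability(lam_per_hour, test_interval_hours):
    """Time-average unavailability of a standby component with failure rate
    lambda tested every T hours: q ~= lambda*T/2 (assumed form, valid for
    lambda*T << 1)."""
    return lam_per_hour * test_interval_hours / 2.0

def beta_split(q_total, beta):
    """Beta-factor model: (independent part, common-cause part) of q_total."""
    return q_total * (1.0 - beta), q_total * beta

def quantify(cut_sets, probs):
    """Rare-event approximation: top-event probability is the sum over minimal
    cut sets of the product of basic-event probabilities. Returns the total and
    each cut set's fractional contribution (the 'Contribution' column)."""
    contrib = {cs: prod(probs[e] for e in cs) for cs in cut_sets}
    total = sum(contrib.values())
    return total, {cs: c / total for cs, c in contrib.items()}

def sg_overfill_model(beta=0.1, test_interval_hours=18 * 730.0):
    """Section 3.9 logic: MOV 9780 (normally open) in series with two parallel
    solenoid valves 9783/9784 that must open on demand. Failure data below are
    hypothetical placeholders; the PSS values (Table 3.9-1) are proprietary."""
    lam_mov = 2.0e-7          # assumed MOV spurious-closure rate, per hour
    q_sov = 1.0e-3            # assumed solenoid valve fail-to-open per demand
    q_ind, q_ccf = beta_split(q_sov, beta)
    tree = ("OR", [
        "MOV9780_FAILS_CLOSED",
        ("AND", ["SOV9783_FTO", "SOV9784_FTO"]),   # both fail independently
        "SOV_CCF_FTO",                             # common cause of both
    ])
    probs = {
        "MOV9780_FAILS_CLOSED": standby_unavailability(lam_mov, test_interval_hours),
        "SOV9783_FTO": q_ind,
        "SOV9784_FTO": q_ind,
        "SOV_CCF_FTO": q_ccf,
    }
    cut_sets = min_cut_sets(tree)
    total, share = quantify(cut_sets, probs)
    return total, share, cut_sets

if __name__ == "__main__":
    total, share, _ = sg_overfill_model()
    print(f"system unreliability on demand: {total:.3e}")
    for cs, frac in sorted(share.items(), key=lambda kv: -kv[1]):
        print(f"{frac:6.1%}  {' & '.join(sorted(cs))}")
```

The same enumeration and rare-event sum is what a cut-set code does for the larger trees of Sections 3.6 and 3.7; a support-state case such as those in Table 3.6-3 or Table 3.7.2-2 can be produced with this script by setting the basic events of the unavailable train to probability 1.0 and re-running the sum.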


Table 3.9-1 Input Data For Steam Generator Overfill Protection System

(a,c)

I i

i

?

1 ,

3 I

1 1

i i i i 1

i w .

j I i

)

i a

t i

! i l

1 1

1 l '

l l

1 l

l I

W APWR-PSS 3.9-4 June,1985 5478Q:10

TABLE 3.9-2 DOMINANT FAILURE CUTSETS OF THE STEAM GENERATOR OVERFILL PROTECTION SYSTEM

Failure Description                                                     Contribution (%)
Local failure of MOV 9780 (fails closed)                                        94
Common cause failure of both solenoid valves 9783 and 9784
  (fail to open on demand)                                                       6

Figure 3.9-1 Simplified System Diagram - Steam Generator Overfill Protection System

[Proprietary figure, marked (a,c); diagram not reproduced on this page.]

3.10 GUIDE TO FAULT TREE DEVELOPMENT

3.10.1 FAULT TREE GUIDELINES

3.10.1.1 GENERAL

In order to assure consistency in the system fault trees for the APWR Program, Westinghouse will follow a set of basic guidelines for their systems analyses. The guidelines have been developed with the intent of following the principal methods now used in PRAs, as described in the "PRA Procedures Guide" (NUREG/CR-2300, Revision 1) and also outlined in the "Probabilistic Safety Analysis Procedures Guide" (NUREG/CR-2815, January 1984). Engineering judgement will be the final arbiter in taking exception to these guidelines, and any exception should be noted by the analyst in his/her tree documentation.

3.10.1.2 RANDOM FAULT POSTULATION AND CONSIDERATION

a) Pipe ruptures and orifice plugging are not considered as credible faults, since their contribution to system fault, compared to that of other components, is insignificant. Although a system may be in standby for long periods of time prior to the accident, other system faults, such as valves being mispositioned, valves not opening/closing on demand, or pumps not starting and running on demand, will dominate.

b) Misposition of normally open manual, air-operated, and motor-operated valves prior to the accident due to human error and/or spurious control signal will remain as a system fault, if credible (see Section 3.10.1.3, Faults Due to Test and Maintenance).

c) Misposition faults of valves prior to an accident will not be included in the fault trees if the valve receives an automatic signal to return to the required position under accident conditions. When opening time is critical for the accident condition, it should be evaluated on a case-by-case basis.

d) Potential flow diversion paths will be included as system faults if these paths contribute a flow diversion area that is greater than 5 percent of the desired flow path area. However, if the pressure differential between the desired path and the potential diversion path is extremely high, a flow area of less than 5 percent in the diversion path may prove to be significant.

e) Potential flow diversion paths isolated from the main flow path by normally closed valves will be treated as faults of the system. Valve misposition prior to the accident due to human error and/or spurious control signal will be considered a system fault, if credible.

f) No credit is taken in the first cut of the fault trees for alternate sources of cooling water or electric power, even in the cases where the source can be remotely lined up from the control room.

g) Control circuit faults of components after successful initial operation will be considered only in those cases where the component is expected to receive an additional signal during the course of the accident to readjust or change its operating state.

h) Tank failures are included in the fault trees, but mechanistic failure of heat exchangers (coolers) to transfer heat due to plugging of the primary side and leakage (primary to secondary) are not.

i) Check valves failing closed to flow in the forward direction and failing open to flow in the reverse direction will be included as credible events.


3.10.1.3 FAULTS DUE TO TEST AND MAINTENANCE

a) Maintenance unavailabilities will be treated at a train level; namely, a maintenance unavailability will be assigned to each maintainable train, not to individual components. Unavailability of components due to test or maintenance, and human errors associated with failing to restore components to their operable state following test or maintenance, will be included along with random hardware faults (see items d) and f)).

In order to avoid counting test or maintenance faults that are not allowed by tech specs, such as having two trains of a system simultaneously out for test or maintenance, 'not' gates will be used where appropriate, making the test/maintenance of each train a mutually exclusive event.

b) Only those components whose failure is detected by normal testing conducted during power operation of the plant will be considered maintainable. Additionally, if maintenance on any component causes the plant to operate at less than nominal power then that component will still be considered to be maintainable.

c) The test mode of a pump and its associated valves and other components that prevents a system from meeting its design safety function will be considered as a credible failure mode, unless automatically realigned within acceptable time limits.

d) The failure of test personnel to return valves or pump trains to their normal position after a test will be considered as a credible event if they 1) do not receive an "S" signal, and 2) are not alarmed or annunciated at the control board. This event will be considered equivalent to a random failure and will be included in the fault tree as "failure to restore component XXX after test".

e) A component is considered maintainable if it can be flow-isolated from the system by a manual valve or power-operated valve (XV or AV) in series with the component. Check valves cannot be used to isolate a component for maintenance due to backflow leakage.


f) Failure of maintenance personnel to return valves or pump trains to their normal position after valve or pump maintenance will be considered as a credible event if (1) proper positioning cannot be detected using the required pump flow test, (2) valve misposition is not immediately detected at the control board by alarm or annunciation, or (3) the component does not receive an "S" signal.

Credit is not taken for control indication. If credible, this event will be considered equivalent to a random failure and will be included in the fault tree as "failure to restore component XXX after maintenance". Common cause failure to restore valves will also be considered, as discussed in Section 3.10.3.

g) Maintainable components will be separately addressed only if they cannot be considered in the maintenance of a train.

3.10.1.4 INCLUSION OF OPERATOR ACTION

a) Operator errors which fail to align valves or fail to operate other components in response to the accident will be included only for those components which are specifically identified in procedures as requiring operator manipulation.

3.10.1.5 HEATING, VENTILATION AND AIR CONDITIONING SYSTEM (HVAC)

Failures of HVAC are not deemed to be significant contributors to system failures. The major pumps have their own cooling through the CCWS and do not depend upon room cooling. Also, the loss of switchgear room cooling will lead only to a long-term, slow heat-up. The loss of HVAC functions in the operating room can be countered by moving to the auxiliary shutdown panel in the auxiliary building.


3.10.2 FAULT TREE CONSTRUCTION

3.10.2.1 GENERAL

The fault tree construction shall be performed according to the procedures suggested in SAND81-0062, "Fault Tree Analysis Procedures for the Interim Reliability Evaluation Program (IREP)" (December 1980).

First, the fluid systems interfacing with the system of interest are to be determined from the P&IDs.

The system piping drawings are to be simplified by canceling those pipe segments which either cannot affect system performance significantly, or contain normally closed manual valves which could only improve system performance if opened (i.e., some types of test and bypass lines).

On the basis of the system failure criteria, the system TOP event is set and a failure logic for the discharge ends of the system is developed as input to the TOP event.

The development of the system fault trees is continued by working back through the system and considering, initially, only the basic faults at the segment or component level that will affect the system probability of failure.

Finally, the component fault logic is developed as shown in Section 3A.3.3.

3.10.2.2 COMPONENT LOGIC MODULES

Modular logic models have been developed for the following components to assure consistency between fault trees:

- motor-driven pump (Fig. 3.10.2-1)
- turbine-driven pump (Fig. 3.10.2-2)
- motor-operated valve (Fig. 3.10.2-3 and Fig. 3.10.2-4)
- solenoid-operated valve (Fig. 3.10.2-5 and Fig. 3.10.2-6)
- air-operated valve (Fig. 3.10.2-7 and Fig. 3.10.2-8)
- check valve (Fig. 3.10.2-9)
- manual valve (Fig. 3.10.2-10)
- heat exchanger (Fig. 3.10.2-11)
- tank (Fig. 3.10.2-12)
- test or maintenance at the train level (Fig. 3.10.2-13)
- failure to restore a component following test or maintenance (Fig. 3.10.2-14)

Each module should include the following types of events:

- local fault
- support system faults
- component unavailability due to test or maintenance

The local fault is a basic event including a wide variety of causes resulting in the same failure mode. Component support systems could be the electric power, the control power, the actuation, the cooling water, the control system and other systems whose failure directly or indirectly affects correct component operation.

The ESF (4160 V) electric power and essential service water are considered to be support systems.
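The train-level test/maintenance treatment of Section 3.10.1.3 a) (a 'not' gate making the test/maintenance of the two trains mutually exclusive) and the module composition just described (local fault, support-system fault, test/maintenance unavailability) can be checked numerically. The following Python script is an added example, not code from the APWR PSS: it builds a two-train, 1-out-of-2 fault tree from these modules, evaluates the TOP event probability exactly by enumerating basic-event states, and shows what the 'not' gate removes. The event names, the shared ESF power event and all probabilities are constructed for illustration.

```python
"""Exact TOP-event evaluation of a two-train fault tree built from the
logic-module pattern (local fault / support fault / test-maintenance),
with the test-maintenance events of the two trains made mutually
exclusive by a NOT gate, as in Section 3.10.1.3 a).

Added example; not code from the APWR PSS. All event names and
probabilities are constructed for illustration.
"""
from itertools import product

# A gate tree is a nested tuple ("OR", ...), ("AND", ...) or ("NOT", child);
# a bare string is a basic event.


def train_fails(name, other, exclusive_tm):
    """Train-level module: local fault OR support-system fault OR T/M.

    With exclusive_tm the T/M event is ANDed with NOT(other train in T/M),
    so the tech-spec-forbidden state 'both trains out' never reaches TOP.
    """
    tm = f"{name}_tm"
    if exclusive_tm:
        tm = ("AND", tm, ("NOT", f"{other}_tm"))
    # 'esf_power' is the shared support system, modeled as an explicit transfer
    return ("OR", f"{name}_local", tm, "esf_power")


def system_1_of_2(exclusive_tm):
    """1-out-of-2 success criterion: TOP = train A fails AND train B fails."""
    return ("AND", train_fails("A", "B", exclusive_tm), train_fails("B", "A", exclusive_tm))


def evaluate(tree, state):
    """Boolean value of a gate tree for one assignment of basic events."""
    if isinstance(tree, str):
        return state[tree]
    op, *kids = tree
    if op == "OR":
        return any(evaluate(k, state) for k in kids)
    if op == "AND":
        return all(evaluate(k, state) for k in kids)
    if op == "NOT":
        return not evaluate(kids[0], state)
    raise ValueError(f"unknown gate {op}")


def basic_events(tree, found=None):
    """Set of basic-event names appearing anywhere in the tree."""
    found = set() if found is None else found
    if isinstance(tree, str):
        found.add(tree)
    else:
        for k in tree[1:]:
            basic_events(k, found)
    return found


def top_probability(tree, probs):
    """Exact P(TOP) by summing over all 2**k basic-event states.

    Exact (no rare-event approximation) and correct with NOT gates, but
    exponential in k: meant for module-sized checks, not full system trees.
    """
    events = sorted(basic_events(tree))
    total = 0.0
    for bits in product((False, True), repeat=len(events)):
        state = dict(zip(events, bits))
        p = 1.0
        for e in events:
            p *= probs[e] if state[e] else 1.0 - probs[e]
        if evaluate(tree, state):
            total += p
    return total


# Constructed per-demand unavailabilities (illustrative, not APWR data).
PROBS = {
    "A_local": 1.0e-3, "B_local": 1.0e-3,  # local hardware faults
    "A_tm": 5.0e-3, "B_tm": 5.0e-3,        # train out for test or maintenance
    "esf_power": 1.0e-4,                   # shared ESF bus (support system)
}


def compare(probs=PROBS):
    """(P(TOP) without the NOT gate, P(TOP) with it)."""
    return (top_probability(system_1_of_2(False), probs),
            top_probability(system_1_of_2(True), probs))


if __name__ == "__main__":
    naive, exclusive = compare()
    print(f"P(TOP) without NOT gate: {naive:.4e}")
    print(f"P(TOP) with NOT gate:    {exclusive:.4e}")
    print(f"removed by NOT gate:     {naive - exclusive:.4e}  (~ A_tm*B_tm cutset)")
```

Without the 'not' gate the cutset {A_tm, B_tm} contributes about p_tm^2 = 2.5e-5, roughly a fifth of the TOP probability for these numbers; with it the double-maintenance state is excluded, which is the tech-spec condition the guideline encodes. Enumeration is 2^k in the number of basic events, so this is a check for module-sized trees, not a replacement for a cutset code on full system trees.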


Control, Actuation, and Loss of Control Power in Logic Modules

The logic modules for pumps and valves (Figures 3.10.2-1 through 3.10.2-8) have basic undeveloped electrical faults involving the control circuit, the actuation circuit, and the power supplied to these circuits. The control circuit is made up of components such as switches, relays, contacts, and wiring that control the normal operation of the pump or valve. The actuation circuit is made up of switches and devices that automatically activate the component for emergency safety-related operation upon receipt of an "S" or other ESFAS signal. The control power opens or closes the contact, relay, or circuit breaker that connects or disconnects the source of main (or motive) power to the pump or valve. The fault boundaries are shown on Figures 3.10.2-15 through 3.10.2-17. Figure 3.10.2-15 shows two motor-operated valves connected to the same bus in a motor control center. Loss of 480 V power affects both valves and therefore a transfer out is used in the logic module to indicate that other valves or trains of the system may be affected.

The classification of electrical faults into "control" and "actuation" is based on previous work done for the Millstone Unit 3 Probabilistic Safety Study.


3.10.2.3 FAULT EVENT IDENTIFICATION

The codes to be used for component failure identification will result in four to eight characters. The format of component failures in system fault trees is XXYYYYZZ, where:

o XX is the component identification code (see Table 3.10.2-1)
o YYYY is the number identifying the single component in the system P&I drawings (from one to four characters may be used)
o ZZ is the specific component failure mode (see Table 3.10.2-2).


TABLE 3.10.2-1 COMPONENT IDENTIFICATION CODE

AC = air cooler

B = BREAKER
  BB = bus feed
  BC = circuit
  BT = trip/bypass
  BU = bus
  BX = battery charger
  BY = battery

C = CIRCUIT
  CA = actuation
  CC = control
  CT = trip
  CP = control power

DA = damper
DC = DC generator
DE = diesel engine
DG = diesel driven generator
DX = motor driven generator

E = ELECTRONICS
  EB = comparator/bistable
  EC = signal conditioning
  EG = general instrumentation
  EM = analog processing module
  ES = solid state device
  ET = terminal board

FL = screen/filter
FU = fuse
HE = human error
HX = heat exchanger
IN = power inverter
LG = logic gate
MC = motor control center
OR = orifice
PI = pipe

P = PUMP
  PD = diesel driven
  PM = motor driven
  PT = turbine driven

PS = loop power supply

R = RELAY
  RE = regular
  RP = protective (overvoltage, overcurrent, underfrequency, etc.)
  RT = time delay

RM = radiation monitor

S = SWITCH
  SB = pushbutton
  SL = level
  SP = pressure
  SR = manual rotary
  ST = static transfer
  SV = valve limit/torque

SS = scram system
TK = tank
TR = main/auxiliary transformers

T = SIGNAL TRANSMITTERS
  TD = differential pressure
  TE = temperature element
  TF = flow
  TL = level
  TP = pressure
  TT = temperature

V = VALVES
  VA = air operated
  VB = butterfly
  VC = normal check
  VD = air operated check valve
  VE = stop check valve
  VM = motor operated
  VR = relief
  VS = solenoid operated
  VU = spring loaded safety valve
  VX = manual operated

WR = wiring

TABLE 3.10.2-2 FAILURE MODES

Code    Failure Mode
C       Valve, Check, Fails to Open
        Valve, Manual, Transfers Closed
        Valve, Motor Operated, Transfers Closed
O       Valve, Manual, Transfers Open
        Valve, Relief, Sticks Open
        Valve, Motor Operated, Transfers Open
        Circuit Breaker, Spuriously Opens
Q or D  Valve, Manual, Fails to Operate
        Valve, Air Operated, Fails to Operate
        Valve, Solenoid, Fails to Operate
        Valve, Motor Operated, Fails to Operate
        Circuit Breaker, Fails to Close
HM      Valves, All, Failure to Restore Following Maintenance
HT      Valves, All, Failure to Restore Following Test
FS      Pump, Fails to Start
FR      Pump, Fails to Run
M       Component, Unavailable Due to Maintenance
T       Component, Unavailable Due to Test
F       Component, Miscellaneous Failure
CC      Common Cause
P       Plugged
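As an added example (not part of the APWR PSS), the following Python parser implements the XXYYYYZZ format of Section 3.10.2.3 against the two tables above: it splits an identifier into component code, P&ID number and failure mode, and rejects identifiers that do not fit the four-to-eight-character rule. The component table is transcribed only in part (pumps, valves, breakers, circuits and a few others); the sample identifiers are constructed, borrowing the MOV 9780 and solenoid valve 9783 numbers of Section 3.9 for the P&ID field.

```python
"""Parser for the XXYYYYZZ fault-event identifiers of Section 3.10.2.3.

Added example, not part of the APWR PSS. COMPONENT_CODES is a partial
transcription of Table 3.10.2-1 and FAILURE_MODES a full transcription of
Table 3.10.2-2; the identifiers in the usage block are constructed.
"""
import re

# Table 3.10.2-1, subset (extend with the remaining codes as needed).
COMPONENT_CODES = {
    "PM": "pump, motor driven",
    "PT": "pump, turbine driven",
    "PD": "pump, diesel driven",
    "VA": "valve, air operated",
    "VM": "valve, motor operated",
    "VS": "valve, solenoid operated",
    "VC": "valve, normal check",
    "VX": "valve, manual operated",
    "VR": "valve, relief",
    "BC": "breaker, circuit",
    "BU": "bus",
    "CA": "circuit, actuation",
    "CC": "circuit, control",
    "DG": "diesel driven generator",
    "HE": "human error",
    "HX": "heat exchanger",
    "TK": "tank",
}

# Table 3.10.2-2. Q and D both denote 'fails to operate' in the table.
FAILURE_MODES = {
    "C": "fails to open (check valve) / transfers closed",
    "O": "transfers open / sticks open / breaker spuriously opens",
    "Q": "fails to operate / breaker fails to close",
    "D": "fails to operate / breaker fails to close",
    "HM": "failure to restore following maintenance",
    "HT": "failure to restore following test",
    "FS": "pump fails to start",
    "FR": "pump fails to run",
    "M": "unavailable due to maintenance",
    "T": "unavailable due to test",
    "F": "miscellaneous failure",
    "CC": "common cause",
    "P": "plugged",
}

_ID_RE = re.compile(r"^[A-Z0-9]{4,8}$")   # 2-char code + 1-4 number + 1-2 mode = 4..8


def parse_fault_event(event_id):
    """Split XXYYYYZZ into component code, P&ID number and failure mode.

    The mode field is one or two characters and the number one to four, so
    the split is not fixed-width: the longest suffix that is a known failure
    mode wins (so '...CC' is common cause, not number '...C' + mode 'C').
    Raises ValueError for anything the format cannot represent.
    """
    if not _ID_RE.match(event_id):
        raise ValueError(f"{event_id!r}: must be 4-8 uppercase alphanumerics")
    component, rest = event_id[:2], event_id[2:]
    if component not in COMPONENT_CODES:
        raise ValueError(f"{event_id!r}: unknown component code {component!r}")
    for width in (2, 1):
        number, mode = rest[:-width], rest[-width:]
        if mode in FAILURE_MODES and 1 <= len(number) <= 4:
            return {
                "component": component,
                "component_desc": COMPONENT_CODES[component],
                "number": number,
                "mode": mode,
                "mode_desc": FAILURE_MODES[mode],
            }
    raise ValueError(f"{event_id!r}: no failure-mode suffix with a 1-4 character number")


def is_valid_fault_event(event_id):
    """True if parse_fault_event accepts the identifier."""
    try:
        parse_fault_event(event_id)
        return True
    except ValueError:
        return False


def build_fault_event(component, number, mode):
    """Inverse of parse_fault_event; refuses fields that would not round-trip."""
    event_id = f"{component}{number}{mode}"
    parsed = parse_fault_event(event_id)
    if (parsed["component"], parsed["number"], parsed["mode"]) != (component, number, mode):
        raise ValueError(f"{event_id!r}: ambiguous, would parse as "
                         f"{parsed['number']!r} + {parsed['mode']!r}")
    return event_id


if __name__ == "__main__":
    # Constructed identifiers, using the valve numbers of Section 3.9.
    for sample in ("VM9780C", "VS9783CC", "PM0001FS", "VX12HM"):
        p = parse_fault_event(sample)
        print(f"{sample:<9} {p['component_desc']:<26} #{p['number']:<5} {p['mode_desc']}")
```

The longest-suffix rule is what makes the variable-width format unambiguous as long as P&ID numbers are numeric; build_fault_event guards the one case where it is not (a number ending in a letter that is itself a failure-mode code) by refusing an identifier that would parse back into different fields.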

Figure 3.10.2-1 Logic Module MDP for 4160 VAC Motor-Driven Pump

[Fault tree graphic not reproduced. Top event: motor-driven pump XXXX fails. Inputs: PM XXXX fails to start, PM XXXX fails to run, circuit breaker faults, and cooling faults; each developed into local faults and into control, actuation, trip circuit and 4160 VAC bus/breaker faults.]

Figure 3.10.2-2 Logic Module TDP for Turbine-Driven Pump

[Fault tree graphic not reproduced. Top event: turbine-driven pump XXXX fails. Inputs: PT XXXX fails to start, PT XXXX fails to run, steam supply/actuation faults, and cooling faults (pump cooler supply valves, e.g. motor-operated valve XXXX and air-operated valve YYYY, transfer closed or fail to open), each developed into local faults.]

Figure 3.10.2-3 Logic Module MOV for Motor-Operated Valve Not Required to Move

[Fault tree graphic not reproduced. Top event: motor-operated valve XXXX transfers open (or closed). Inputs: VM XXXX transfers closed or open due to local faults; control or actuation faults while control power is available, developed into control circuit faults and actuation circuit faults, with loss of 480 VAC vital power to the MCC shown as a transfer.]

Figure 3.10.2-4 Logic Module MV for Motor-Operated Valve Fails to Move

[Fault tree graphic not reproduced. Top event: motor-operated valve XXXX fails to (open/close). Inputs: VM XXXX fails to open/close due to local faults; loss of 480 VAC vital power; control circuit faults; actuation circuit faults; breaker fails to open/close due to local faults.]

Figure 3.10.2-5 Logic Module SOV for Solenoid-Operated Valve Not Required to Move

[Fault tree graphic not reproduced. Top event: solenoid-operated valve XXXX transfers open (or closed). Inputs: VS XXXX transfers open/closed due to local faults; control or actuation faults while 125 VDC control power is available, developed into control circuit faults and actuation circuit faults, with loss of 125 VDC control power shown as a transfer.]

Figure 3.10.2-6 Logic Module SV for Solenoid-Operated Valve Fails to Move

[Fault tree graphic not reproduced. Top event: solenoid-operated valve XXXX fails to (open/close). Inputs: VS XXXX fails to open/close due to local faults; loss of 125 VDC control power; control circuit faults; actuation circuit faults.]

Figure 3.10.2-7 Logic Module AOV for Air-Operated Valve Not Required to Move

[Fault tree graphic not reproduced. Top event: air-operated valve XXXX transfers open (or closed). Inputs: VA XXXX transfers open/closed due to local faults; control or actuation faults while 125 VDC control power is available, developed into control circuit faults and actuation circuit faults, with loss of 125 VDC control power shown as a transfer.]

Figure 3.10.2-8 Logic Module AV for Air-Operated Valve Fails to Move

[Fault tree graphic not reproduced. Top event: air-operated valve XXXX fails to (open/close). Inputs: VA XXXX fails to open/close due to local faults; loss of 125 VDC control power; control circuit faults; actuation circuit faults.]

Figure 3.10.2-9 Logic Module CV for Check Valve (Excessive Leakage or Blocked)

[Fault tree graphic not reproduced. Single basic event: check valve XXXX fails to (open/close).]

Figure 3.10.2-10 Logic Module XV for Manual Valve

[Fault tree graphic not reproduced. Single basic event: manual valve XXXX transfers (open/closed).]

Figure 3.10.2-11 Logic Module HX for Heat Exchanger

[Fault tree graphic not reproduced. Top event: loss of heat exchanger XXXX cooling. Inputs: the cooling-water supply valve (e.g. motor-operated valve) fails to open; manual valve UUUU transfers closed; manual valve YYYY transfers closed.]

Figure 3.10.2-12 Logic Module TK for Tank

[Fault tree graphic not reproduced. Single basic event: tank XXXX fails to supply or hold water.]
l

. _ ~ ~_. - c .~~...-~c. . . - . . . - - . - - - - . - - - _ _ . . - - ~ ~ , . - . - - . . - - - - - ~ . - - - . - - - - . - - - . , -

f 4

I.

i 4

s Y

a i

t 1'

l

$i l'

(

i fRAIS A

, WAWAiLASLE DUC i f0 fttf OR g j MiBf ESASCC -

t l

f t

1 .i i

i t

I 4

FRAe5 S SOf f 44iB A 18 fCt' l UEnd AaLAst! DUC OR MiBILEA4CC 70 fEt' BR j MisfEmanCE 4

i j 2

/N 0004 j

/%

l i

f 4 1

TG4iB 3 15 TES' fRA.B A TA4iB A

' en M.stasA4CC JundA.LAstt put anAtA.LASLL DUt I i

f4 PurF f tsf 70 M.Bf tuAeCC i

i t

i e

s i

eeos i.

4 t

l 2,

1 1

i Figure 3.10.2-13 l: Logic Module TM for Train Test and Maintenance 1  !

l i  !

j W APWR-PSS 3.10-23 June, 1985 i 1

i 54780:10 I i i 2 i

i i

4 5

'e-,.~w~ro..--w-,

,. - -...~..._- . .. - -. . . . - ~ . . . - - . - . . . . . . - - - - - - . . .-.-~..~-._..---.--~~na.. ..-._-...---.an-----

i i

1 e

a

!6

! t t

L0 l

s s 3

F A. LURE YO htt'att IIIIIII '

t FEt0Wlut ?tt' en u at Lahmet

}

k i

j

/\0005 ,

[%

I '

I i FA.LWRC fB FAILWRC f a Att'OAC att'Ott IIIIIII IIIIIII

, F06LOWitt ftti FELOWteG l

eaa aftsauct i 1

4 000: een t

i i  ;

e 1

i i

i i '

j- Figure 3.10.2-14 -

! Logic Module FTR for Failure to Restore Component Following Test and Maintenance i  !'

i  !

l >

r W APWR-PSS 3.10-24 June, 1985 i

{ 5478Q.10 t

t i {

1

.. +-._.- -..- _- . -. _ _ - _ , , , , . . n,,-

i s

i I .-

ui II" , MCC 400 VAC SUS

  • 400 VAC

$.. 2 VITAL POWER

, ,-. ,. L----.. ---.

-.._.--- -----...__- ___._ ..-_.----_ - --.. - ._-_.J m .-

, g

,.-._..___.._.7 r--------------

I t

CIRCUIT

  • i CIRCUIT o o s 7

e BREAMER l BREANER

O O e l O l l j CONTROL . CONTROL e l CIRCUIT l 'l* CIRCUIT l *

. l 1

I .

l I i -

. - .l i l .

3 - l I

.I l 400 820 V l 400 120 V l CONT. TRANS. s CONT. TRANS.

L.-., . ... . _ _ ._.J '

L._.___. _.-- _.-. I r------ ---

--- i

r---- ---

--1 I I i

) 1 l ACTUATION

, CIRCUIT l l ACTUATION l

, g CIRCUIT a

f.

o I

t___________I l<___________,i g

j g p._._____..

.r--------~

__.7 --- --

-- 7 I I I I MOTOR START i

i I CONTACTS l i KEY TO FAtA.T BOUP0 ARIES:

. _ . O. .

(OPEN/CLOSE) -- -- 0-- *

} l .. . . C. . -- - - - -

1 'l -- -- -- I ACTUATION SYSTEM

..C--

y _. __ (

g .. .- ( ------- CONTROL SYSTEM l

]

l 4e0 v4C POWER 4

I. I. I I

1 4

i

.i .I l 1

t.

I l

___.) / t. _ _. . _ _ q 8

' THERMAL OVER.OAD SWITCH I i l

L._ TIERMAL OVERLOAO SWITCH

. ._.J L__. ._.J u

C M VALVE , M VALVE o o

.=

$ Figure 3.10.2-15. Motor -Operated Valves

$ Electrial Fault System Boundaries for Figures 3.10.2-3 and 3.10.2-4 l,

l i

i

O O O .

O O O 1

\ u. sz I D >

yg (_ _______

i 3  :  :

1 M n i

O C r----' ---7 i

e i e

' l l .;;

i CONTROL i

12 VDC l SYSTEM l

' 'I i I  !

i ACTUATION I i  ! SYSTEM i F 1 I i i

$ i i

' ' l l 4

l l t____________;

i

. . L____. .____J e

) VALVE J SOLENOID i l

OPERATOR i

, , KEY TO FAULT BOUNDARIEE

, ------- ACTUATION SYSTEM Qv C -------

CONTROL SYSTEM i

-- DC CONTROL POWER SYSTtm i

& L_ _ _ _ _ _ _ _ _I r l

1 3 l I 3 i

i Figure 3.10.2-16. Solenoid-Operated and Air-Operated Valves i

Electrical and Control System Boundaries for Figures 3.10.2-5 Thru 3.10.2-8 i

i -_. _

o o o o o Q O 1

i

! o, iz 4160 VAC SWITCHGEAR AND BUS

! 0 > G

! 3 2 m m 4160 VAC 1

o

? '

SUPPLY 3

vi ,

! l 3

4 p__________ _ _ . _ . _ _ _ _

_ _ _ _j 8 8 I i i l I

'"I j l l l I i

ACTUATION AND I - -

e i I- -]

' l Uh UT U h l I

CONTROL CIRCUIT I' '

i I I I1 ,

I I 125 VDC l Ol O/ O l l l l , VITAL l  : i g i POWER SUPPLY '

, l l l l

! L TRIP i i  !

i  ? l CIRCUIT l l l L _ _ __

S i i l i L__________ _ _ _ . ___ ___J l l t.________________.__.a I

i i '

KEY TO FAULT BOUNDARIES:

l ------- ACTUATION SYSTEM


TRIP CIRCUIT SYSTEM 1

M i

-- DC CONTROL POWER i

E I 5

) -

Figure 3.10.2-17. Motor-Driven Pump l 3 Electrical and Control System Boundaries for Figure 3.10.2-1 l

i

3.10.3 COMMON CAUSE MODEL

3.10.3.1 MODEL

The following guidelines are used for common cause modeling in fault trees:

A. Explicitly identifiable common cause sources, such as AC/DC power, service water, and component cooling water, will be specifically modeled with transfers within the fault tree.

B. For common causes that are not explicitly addressed, the common cause contribution will be placed either near the top of the tree, as shown by Figure 3.10.3-1, or at the component level, as illustrated by Figure 3.10.3-2.

C. Common cause will be addressed at least for active components in the system, e.g., pumps and valves that change position.

D. The β factor approach will be used for cases involving 2 components/trains. The β factors to be used are given by Table 3.10.3-1 for active components. The common cause failure probability is obtained by multiplying the β factor by the appropriate random failure probability. For valves required to move, the β factor is applied to the sum of the random failure due to local faults plus the failure due to control and actuation faults. For pumps, the β factor is applied to actuation, control, and trip circuit faults and to random failures to start and run.

E. For components not addressed in Table 3.10.3-1, if the analyst finds that common cause potential exists and must be modeled, a β value of 0.1 is suggested, unless specific data can be found which results in a more reliable representation of common cause.

F. For modeling of highly redundant systems (3 or 4 component/train redundancy), the following extended β factor method will be used. The $\beta_2$, $\beta_3$ and $\beta_4$ factors are defined as follows:

    $\beta_i$ = fraction of random failures of a given train/component that will result in failure of a total of $i$ specific trains/components, with $i = 2, 3, 4$.

For a system involving an m/n (m out of n trains or components) success criterion, the equations to calculate the common cause contribution to system failure are given by Table 3.10.3-2. The value of $\beta_2$ is estimated conservatively as

    $\beta_2 = \beta$

The other β factors, based on engineering judgment, are estimated as follows:

    $\beta_3 = \beta_2 / 5$

    $\beta_4 = \beta_3 / 2$

The physical implications of the above definitions are as follows: changing a 1-out-of-2 system to a 1-out-of-3 system will decrease the system unreliability by approximately a factor of 5; adding a fourth redundant train/component will decrease the system unreliability by another factor of 2. No credit will be taken for a fifth train/component. Thus, going from a 1/2 success criterion to a 1/4 success criterion will improve the system failure probability by approximately an order of magnitude.

3.10.3.2 A CALCULATIONAL EXAMPLE

The following example is provided to illustrate the above model for a 1/n success criterion.

Given that $Q_T$ = single-train unavailability = $1.0 \times 10^{-2}$ and $\beta = \beta_2 = 0.1$, the following system unavailabilities ($Q_s$) are calculated using the equations from Table 3.10.3-2:

m/n   System Unavailability   Equation
1/1   1.0 x 10^-2             $Q_s = Q_T$
1/2   1.1 x 10^-3             $Q_s = Q_T^2 + \beta_2 Q_T$
1/3   2.3 x 10^-4             $Q_s = Q_T^3 + 3\beta_2 Q_T^2 + \beta_3 Q_T$
1/4   1.1 x 10^-4             $Q_s = Q_T^4 + 6\beta_2 Q_T^3 + 4\beta_3 Q_T^2 + \beta_4 Q_T$
1/5   1.1 x 10^-4             (no credit is taken for the fifth train)

The general equation for $Q_s$ is

    $Q_s = Q_R + Q_{cc}$

where $Q_{cc}$ is the common cause failure probability and $Q_R$ is the random failure probability. For a 1/n system, $Q_R$ is the all-trains-independent term of each equation above,

    $Q_R = Q_T^n$
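The example above can be reproduced in a few lines. The following Python function is an added example (not the APWR PSS's own calculation); it implements the 1/n equations of Table 3.10.3-2 as they appear above, with $\beta_2 = \beta$, $\beta_3 = \beta_2/5$, $\beta_4 = \beta_3/2$, and no credit beyond four trains. The coefficients 1, 3, 6 and 4 in the page's equations are the binomial counts C(n, i) of ways that i of n trains can share one common cause failure; the general expression below uses that, which is an assumption consistent with the equations shown rather than a formula stated on the page.

```python
"""Extended beta-factor model for 1-out-of-n systems (Section 3.10.3).

Added example; not code from the APWR PSS. Inputs are the page's own
symbols: Q_T (single-train unavailability) and beta (= beta_2). The
binomial form of common_cause_contribution is an assumption that
reproduces the 1/2, 1/3 and 1/4 equations of the page.
"""
from math import comb

MAX_CREDITED_TRAINS = 4   # no credit is taken for a fifth train/component


def beta_factors(beta):
    """beta_2 = beta, beta_3 = beta_2 / 5, beta_4 = beta_3 / 2 (engineering judgment)."""
    b2 = beta
    b3 = b2 / 5.0
    b4 = b3 / 2.0
    return {2: b2, 3: b3, 4: b4}


def random_contribution(q_t, n):
    """Q_R for a 1/n system: all n independent trains fail, Q_T ** n."""
    return q_t ** n


def common_cause_contribution(q_t, beta, n):
    """Q_cc = sum_{i=2..n} C(n, i) * beta_i * Q_T ** (n - i + 1).

    For n = 2, 3, 4 this gives beta_2 Q_T; 3 beta_2 Q_T^2 + beta_3 Q_T;
    6 beta_2 Q_T^3 + 4 beta_3 Q_T^2 + beta_4 Q_T, i.e. the page's equations.
    Each term: i trains fail together from one cause (beta_i * Q_T) and the
    remaining n - i fail independently (Q_T ** (n - i)).
    """
    b = beta_factors(beta)
    return sum(comb(n, i) * b[i] * q_t ** (n - i + 1) for i in range(2, n + 1))


def system_unavailability(q_t, beta, n):
    """Q_s = Q_R + Q_cc for a 1/n success criterion, n >= 1."""
    if n < 1:
        raise ValueError("n must be at least 1")
    n_eff = min(n, MAX_CREDITED_TRAINS)
    return random_contribution(q_t, n_eff) + common_cause_contribution(q_t, beta, n_eff)


def redundancy_table(q_t, beta, n_max=5):
    """Rows (n, Q_s, improvement factor over the 1/(n-1) row) for n = 1..n_max."""
    rows = []
    previous = None
    for n in range(1, n_max + 1):
        q_s = system_unavailability(q_t, beta, n)
        rows.append((n, q_s, None if previous is None else previous / q_s))
        previous = q_s
    return rows


if __name__ == "__main__":
    for n, q_s, gain in redundancy_table(1.0e-2, 0.1):
        gain_txt = "" if gain is None else f"  (x{gain:.1f} better than 1/{n - 1})"
        print(f"1/{n}: Q_s = {q_s:.2e}{gain_txt}")
```

With $Q_T = 10^{-2}$ and $\beta = 0.1$ the script prints the five rows of the table above; the 1/2 to 1/3 step improves by a factor of about 4.8 and the 1/3 to 1/4 step by about 2.1, the "factor of 5" and "factor of 2" quoted in Section 3.10.3.1. For n of 3 or more the $\beta_n Q_T$ term (all trains lost to one cause) dominates, so $Q_s$ is floored at roughly $\beta_n Q_T$ however small $Q_T^n$ becomes, which is the practical point of the model: past a few trains, redundancy buys little unless the common cause fraction itself is reduced.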

TABLE 3.10.3-1 COMMON CAUSE FAILURE TYPES

Component / Failure Type

Diesel Generators / fail to start
                  / fail to operate

Pumps
  Running Pumps / fail to operate
  Alternating Pumps / fail to start
                    / fail to operate (no command faults)
  Auxfeed Pumps / fail to start, MDP
                / fail to operate, MDP
                / fail to start, TDP
                / fail to operate, TDP
                / fail to start, DDP
                / fail to operate, DDP
  Standby Pumps / fail to start
                / fail to operate

Valves
  AOV / fail to open, close or operate
  AOV / improper valve configuration
  MOV / fail to open, close or operate
  MOV / improper valve configuration

β = 0.1 for the common cause failures given above (explanation and justification for β = 0.1 will be included in the final guidelines).

Improper valve configuration is failure to restore following test or maintenance, to be used if improper valve positions are not alarmed.

Figure 3.10.3-1 Common Cause in Fault Tree: 1/4 System

[Fault tree graphic not reproduced. Top event: all four trains of system fail, an OR of (a) common cause failures, itself an OR of double failures ($6\beta_2 Q_T^3$), triple failures ($4\beta_3 Q_T^2$) and quadruple failures ($\beta_4 Q_T$); (b) random failures ($Q_R$); and (c) other system-specific common causes ($Q_X$).]
l

f 5

4 O

i i ,

!O o i

l

, i .

i I l 1

Pump A Pump B Fails Fails p h '

i s

T l

O l A l i

i Start Comon Start Comon

, Failure of Cause Start Failure of Cause Start j Pump Rand.) Fail Pum Rand.; Failures t

t I

l 1

b j! Figure 3.10.3-2 Placement of Comon Cause At Component Level j

i 4

W APWR-PSS 3.10-34 June,1985 5478Q:10 4

3.10.4 HUMAN ERROR MODEL

3.10.4.1 INTRODUCTION

The operator errors in fault trees will be considered for the following cases:

1. Failure to restore a component to its normal position after a test or maintenance action.
2. Failure to carry out an action specified by written procedures, if the action is needed for successful operation of the system in question.

If the operator actions are complicated in nature (e.g., consist of many subtasks), they may require special modeling in terms of diagnosis, action and recovery phases. In such cases, the human error modeling will be done outside of the fault tree. The hardware and human error failure probabilities will be combined at the top level of the formal fault tree structure.

For human error probability calculations in fault tree analysis, a data bank is constructed. This data bank is summarized in Table 3.10.4-1.
TABLE 3.10.4-1 HUMAN ERROR DATA BANK FOR FAULT TREE ANALYSIS

Columns: Type of Error | Operator Error | ESF System | HEP Per Demand | HEP Variance | Comments

1. Omission | Failure to restore a manual valve to normal position after test or maintenance act. | All ESF Systems | 8.5 x 10^-4 | 5.1 x 10^-7 | (none)

2. Omission | Failure to restore a motor-driven pump or an air or motor operated valve to normal position after test or maintenance act. | All ESF Systems | 8.5 x 10^-5 | 5.1 x 10^-9 | Valve or pump status displayed at Control Board (CB) switch. Procedures have short list of checkoff provisions (≤ 10 special instructions).

3. Omission | Failure to restore an alarmed motor-driven pump or an air or motor operated valve to normal position after test or maintenance act. | All ESF Systems | 8.5 x 10^-5 | 5.1 x 10^-9 | Valve or pump status displayed at CB switch. CB has valve out-of-position annunciator. Procedures have short list of checkoff provisions (≤ 10 special instructions). Currently no credit is being taken for the annunciator alarm.

4. Omission | Failure to initiate corrective action in response to multiple annunciators alarming closely in time. | All ESF Systems | 8.1 x 10^-2 | 1.0 x 10^-2 | Operator fails to initiate action given that 10 alarms are competing for his attention in a stress situation.

5. Omission and failure to recover | Omission and failure to recover from it (item 4 above) when an important alarmed system fails. | All ESF Systems | 8.1 x 10^-3 | 1.0 x 10^-4 | An order of magnitude credit is taken for recovery from error No. 4 above. Service water is an important support system which will be monitored.


3.10.5 TEST AND MAINTENANCE MODEL

Maintenance of system components is modeled explicitly in the fault tree developed for each system. The frequency of maintenance for each train was taken from the following: Zion Probabilistic Safety Study, Table 1.5.1-29; Indian Point Probabilistic Safety Study, Table 1.5.1-21 (Unit 2) and 1.6.1-19 (Unit 3). Several assumptions were made regarding the analysis of maintenance unavailability of components, since there is no maintenance data on the APWR systems and to maintain consistency in the application of the model. The first assumption was that the maintenance frequency of given components was the same as the arithmetic average of similar components in the above plants.

Frequency of maintenance for different plant components is presented in Table 3.10.5-1. The second assumption is that the times to restore components will follow a log-normal distribution, as assumed for a prior distribution in the Zion study. This results in the use of the mean times to restore components in maintenance as derived in Table 3.10.5-2 (3 day LCO). A mean time to repair of 19 hrs is calculated from this generic model and is used for all systems. Any deviation that may exist between different systems can only be addressed as plant operating experience is gained, when the average time of maintenance of a specific component may be compared to that analyzed. The unavailability of a component or train is calculated as the product of maintenance frequency (hr^-1) multiplied by the mean time to restore (19 hr) and is given in Table 3.10.5-3. While these mean restoration times and frequencies of maintenance are just estimates, the model exists in a form that allows updating of the results as plant data is accumulated.


TABLE 3.10.5-1 SPECIALIZED COMPONENT MAINTENANCE FREQUENCY DATA

Specialized Component | Frequency Distribution* Mean (Events/Hour) | Variance
Motor-Driven Emergency Feedwater Pumps | 1.48 x 10^-4 | 1.55 x 10^-9
Turbine-Driven Emergency Feedwater Pumps | 2.96 x 10^-4 | 7.53 x 10^-9
Centrifugal Charging Pumps | 1.45 x 10^-4 | 1.07 x 10^-9
Component Cooling Water Pumps | 1.46 x 10^-4 | 1.82 x 10^-9
Containment Spray Pumps | 7.30 x 10^-5 | 5.43 x 10^-10
Residual Heat Removal Pumps | 6.90 x 10^-5 | 5.24 x 10^-10
Safety Injection Pumps | 6.37 x 10^-5 | 4.51 x 10^-10
Fan Cooler Units | 6.55 x 10^-5 | 3.63 x 10^-10
Diesel Generators | 6.7 x 10^-4 | 8.7 x 10^-9
Essential Service Water Pumps | 2.60 x 10^-4 | 1.67 x 10^-9
SWS Strainers | 5.0 x 10^-5 | 2.5 x 10^-9

* Distributions are assumed to be lognormal.


TABLE 3.10.5-2 PRIOR DISTRIBUTION FOR MEAN DURATION OF MAINTENANCE

Component Inoperability Limit: 72 hours

Parameters characterizing range of lognormal duration distributions:

5th Percentile (hours/event) | Probability
1.0 | .05
2.0 | .50
3.0 | .15
4.0 | .10
5.0 | .05
6.0 | .05
7.0 | .05
8.0 | .05

95th Percentile (hours/event) | Probability
24 | .05
36 | .05
48 | .15
60 | .50
72 | .15
84 | .05
96 | .05

Distribution: Lognormal
5th percentile: 2 hours/event
95th percentile: 60 hours/event
Mean: 18.7 hours/event
Variance: 668

Basis: Only the most routine maintenance can be performed with a component unavailability time (including removal and return to service operations) of less than two hours. The 72-hour time limit for operation dictates that major maintenance and repair activities be performed during cold shutdown periods. The majority of relatively routine maintenance and some extensive repairs will be completed within two and one-half days, given the high priority assigned to returning the equipment to service within the LCO limit.

Resulting Prior Distribution of Mean Duration of Maintenance:

[Figure: probability density of the prior distribution, plotted against MEAN DURATION, HOURS (axis from 0 to 60 in steps of 4).]

TABLE 3.10.5-3 MAINTENANCE UNAVAILABILITIES

Item | System | Unavailability | Variance
1. MDP train in maintenance | EFWS | 2.8 x 10^-3 | 5.6 x 10^-7
2. TDP train in maintenance | EFWS | 5.6 x 10^-3 | 2.7 x 10^-6
3. MDP train in maintenance | Charging Pump* | 2.8 x 10^-3 | 3.9 x 10^-7
4. MDP train in maintenance | CCWS | 2.8 x 10^-3 | 6.6 x 10^-7
5. MDP train in maintenance | CS | 1.4 x 10^-3 | 2.0 x 10^-7
6. MDP train in maintenance | RHR | 1.3 x 10^-3 | 1.9 x 10^-7
7. MDP train in maintenance | SIS | 1.2 x 10^-3 | 1.6 x 10^-7
8. MDP train in maintenance | SWS | 4.9 x 10^-3 | 6.0 x 10^-7
9. Fan Cooler Unit in maintenance | Fan Cooler System | 1.2 x 10^-3 | 1.3 x 10^-7
10. Diesel Generator in maintenance | DNP | 1.3 x 10^-2 | 3.1 x 10^-6
11. Strainer in maintenance | SWS** | 9.5 x 10^-4 | 9.0 x 10^-7

Mean time to restore T = 19 hours

* Zion information only.
** Based on an assumed 8 hour per year unavailability per strainer.
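As an added worked example (not code from the Westinghouse study), the following Python derives the Table 3.10.5-2 prior from its stated 5th and 95th percentiles (2 and 60 hours per event) and then applies the 19-hour mean time to restore to the Table 3.10.5-1 frequencies; that the variance column of Table 3.10.5-3 is the frequency variance scaled by 19^2 is an assumption inferred from the tabulated values.

```python
from math import exp, log
from statistics import NormalDist

# Added example; not code from the Westinghouse APWR study.

def lognormal_from_percentiles(p05, p95):
    """Parameters (mu, sigma) of ln X ~ Normal for a lognormal X whose
    5th and 95th percentiles are p05 and p95 (hours per event here)."""
    z95 = NormalDist().inv_cdf(0.95)           # about 1.645
    mu = (log(p05) + log(p95)) / 2             # median sits midway in log space
    sigma = (log(p95) - log(p05)) / (2 * z95)  # spread fixed by the 90% band
    return mu, sigma

def lognormal_moments(mu, sigma):
    """Mean and variance of the lognormal with the given log-space parameters."""
    mean = exp(mu + sigma ** 2 / 2)
    var = (exp(sigma ** 2) - 1) * exp(2 * mu + sigma ** 2)
    return mean, var

def restore_time_prior(p05=2.0, p95=60.0):
    """Table 3.10.5-2 inputs: 5th percentile 2 h, 95th percentile 60 h.
    Returns (mean, variance); the table states 18.7 h and 668."""
    return lognormal_moments(*lognormal_from_percentiles(p05, p95))

def train_unavailability(freq_mean, freq_var, mttr=19.0):
    """Table 3.10.5-3 rule: unavailability = maintenance frequency (1/h)
    x mean time to restore (19 h).  Treating the 19 h as a fixed number,
    the variance of the product is the frequency variance scaled by
    mttr**2 (an assumption inferred from the tabulated values)."""
    return freq_mean * mttr, freq_var * mttr ** 2

# Frequency data (events/hour, variance) copied from Table 3.10.5-1
MAINTENANCE_FREQUENCY = {
    "MDP EFWS train": (1.48e-4, 1.55e-9),
    "TDP EFWS train": (2.96e-4, 7.53e-9),
    "Diesel Generator": (6.7e-4, 8.7e-9),
    "SWS strainer": (5.0e-5, 2.5e-9),
}

if __name__ == "__main__":
    mean, var = restore_time_prior()
    print(f"prior mean time to restore: {mean:.1f} h, variance {var:.0f}")
    for name, (f, v) in MAINTENANCE_FREQUENCY.items():
        q, qv = train_unavailability(f, v)
        print(f"{name:18s} unavailability {q:.1e}  variance {qv:.1e}")
```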


3.10.6 SUPPORT STATE MODEL

3.10.6.1 GENERAL GUIDELINES

Essential 4160 volt power, service water (SW) and Integrated Protection System (IPS) are the three major support systems in APWR fault tree analysis. Loss of AC power in one essential bus usually leads to the loss of one or more trains of a system. Loss of SW leads to the unavailability of subordinate cooling trains such as component cooling water and high pressure injection. Loss of IPS is treated the same as loss of SW or AC power.

Often, one fault tree can be used to analyze all of the support states. A component that lacks one of the necessary support states is assigned a failure probability of one and variance of zero at an appropriate basic fault. For example, the failure of a pump to run due to an unavailable bus can be indicated by substituting a failure probability of one and variance of zero at the basic fault labeled "fails to run due to random failures". When support states are available, the component random failure to run is based upon the fractional rates given in Table 3.10.7-1. The following subsection 3.10.6.2 gives some additional modeling guidelines which the analyst should use to verify that each support state is correctly modeled.

3.10.6.2 USE OF PROBABILITY ONE AND VARIANCE ZERO IN SUPPORT STATE MODELING

For systems made up of redundant trains, a probability of one and variance zero input will usually lead to the failure of the train. For most trees the effect of the one, zero input can be determined from inspection by applying the following rules:

1. If one or more of the inputs to an OR gate is probability one and variance zero, the output of the gate will also be probability one and variance zero.
2. If one of the inputs to an AND gate is probability one and variance zero, the output of the gate will be the same as if the one, zero input were removed from the gate.
3. If one of the inputs to an M out of N combination gate is probability one and variance zero, the output of the gate will be the same as if the one, zero input were removed from the gate and M and N were each reduced by one.

WAMCUT was tested to determine how well it conformed to the three previously mentioned rules. Rule number 1 was confirmed in several tests of OR gates. Rule number 2 was tested by comparing a fault tree with two redundant trains (one train having a one, zero input) with a similar tree having the failed train physically removed. The probability and variance determined by WAMCUT for the complete tree agreed exactly with those determined for the modified tree. For rule number 3, fault trees having two-out-of-three and three-out-of-four combination gates were tested. One of the trains in each tree was given a probability one and variance zero, and a comparison was again made with modified trees having the failed train removed. The WAMCUT-determined probability and variance of the complete two-out-of-three tree agreed exactly with those of the modified tree. However, small errors were found in the probability and variance of the three-out-of-four tree when the WAMCUT results were compared to those of the modified tree. The reason for the errors is not known but could be due to the use of unrealistically high test probabilities.

Since WAMCUT is not in complete conformance with rule number 3, modeling of support states in a system having a three-out-of-four combination gate must be checked against a modified tree. In order to be acceptable, the probability and variance of the complete support state model should differ from those of the modified model by less than 5%.


3.10.7 DATA BANK

A master data bank has been compiled to be used for the fault tree analysis. In compilation of this data bank, a comparative study of the following data sources has been carried out:

1. Westinghouse Data Bank as used in Millstone Unit 3 Probabilistic Safety Study (1982)
2. NREP Data Bank (NUREG/CR-2728)
3. NREP Data Bank (NUREG/CR-2815)
4. Atwood Common Cause Studies (NUREG/CR-2098, 2099, 2770)
5. IEEE Std. 500 Reliability Data (1984)

The data bank compiled for the WAPWR study is given by Table 3.10.7-1.


Table 3.10.7-1 Master Data Bank (a,c)

[Table contents not reproduced in this copy; pages 3.10-44 through 3.10-49 carry only the table title "MASTER DATA BANK (Continued)" and the (a,c) marking.]

3.10.8 UNCERTAINTY GUIDELINES

The treatment of uncertainty in the plant systems analysis is accomplished in several stages. First, basic statistical techniques are applied to the component data base to expand the failure rates of key components from point estimates to probability distributions of failure frequency. The method of moments is used to propagate uncertainties through the system fault trees and to obtain estimates of the mean and variance of the event distribution. This is done by running the WAMCUT computer code. A log-normal distribution is used in this procedure, and in situations where the variance does not exist it is approximated by using the square of the mean.

Dominant accident sequences are then taken from the event trees, where the mean and variance is calculated from each failed system. This is then applied to the method of moments, and the results will be used to determine core melt frequency and risk quantification.
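As an added example that is not part of the original study or of the WAMCUT code, the following Python propagates mean and variance through OR, AND and M-out-of-N gates by the method of moments described here (exact second moments of independent inputs) and applies the three support state rules of section 3.10.6.2, comparing the complete tree with a one, zero input against the modified tree with that train removed under the 5% criterion of section 3.10.6.2. The sample inputs are train unavailabilities from Table 3.10.5-3; the gate arrangements are constructed for illustration only.

```python
from itertools import combinations
from math import comb, prod

# Added example; not the WAMCUT code or any code from the Westinghouse study.

def gate_coefficients(n, m):
    """Multilinear expansion of an M-out-of-N gate whose output fails when at
    least m of the n independent inputs fail.  Returns {S: c_S} such that
    output = sum over S of c_S * prod_{i in S} p_i; by inclusion-exclusion
    c_S depends only on |S|.  m = 1 is an OR gate, m = n an AND gate, and
    m = 0 the constant 1 (gate already failed)."""
    coeffs = {}
    for size in range(n + 1):
        c = sum(comb(size, j) * (-1) ** (size - j) for j in range(m, size + 1))
        if c:
            for S in combinations(range(n), size):
                coeffs[S] = c
    return coeffs

def gate_moments(inputs, m):
    """Method of moments: mean and variance of the gate output from the
    (mean, variance) of each independent input, using the exact second
    moment E[p_i^2] = var_i + mean_i^2; no rare-event approximation."""
    m1 = [mu for mu, _ in inputs]
    m2 = [var + mu * mu for mu, var in inputs]
    coeffs = gate_coefficients(len(inputs), m)
    mean = sum((c * prod(m1[i] for i in S) for S, c in coeffs.items()), 0.0)
    second = 0.0                      # E[output^2] from the squared expansion
    for S, cs in coeffs.items():
        for T, ct in coeffs.items():
            shared, single = set(S) & set(T), set(S) ^ set(T)
            second += cs * ct * prod(m2[i] for i in shared) * prod(m1[i] for i in single)
    return mean, second - mean * mean

def support_state_check(inputs, m, failed):
    """Rules 1-3 of section 3.10.6.2.  Input `failed` lacks its support state,
    so it becomes probability one, variance zero in the complete tree.  The
    modified tree drops that input and lowers both M and N by one (an OR gate
    leaves the constant 1, 0; an AND gate the smaller AND).
    Returns ((mean, var) of the complete tree, (mean, var) of the modified tree)."""
    complete = [(1.0, 0.0) if i == failed else x for i, x in enumerate(inputs)]
    rest = [x for i, x in enumerate(inputs) if i != failed]
    return gate_moments(complete, m), gate_moments(rest, m - 1)

def acceptable(complete, modified, limit=0.05):
    """Acceptance criterion of section 3.10.6.2: mean and variance of the
    complete support state model within 5% of the modified model."""
    return all(abs(a - b) <= limit * abs(b) + 1e-12 for a, b in zip(complete, modified))

if __name__ == "__main__":
    # Train unavailabilities from Table 3.10.5-3 (MDP EFWS, TDP EFWS, CCWS, RHR);
    # which trains feed which gate is constructed for illustration only.
    trains = [(2.8e-3, 5.6e-7), (5.6e-3, 2.7e-6), (2.8e-3, 6.6e-7), (1.3e-3, 1.9e-7)]
    for m, n, label in [(1, 2, "OR"), (2, 2, "AND"), (2, 3, "2-of-3"), (3, 4, "3-of-4")]:
        full, mod = support_state_check(trains[:n], m, 0)
        print(f"{label:7s} complete {full}  modified {mod}  ok={acceptable(full, mod)}")
```

Because the expansion is exact, the complete and modified three-out-of-four trees agree to rounding, so a discrepancy in a tool's output isolates a tool-specific effect such as the one the study observed with WAMCUT.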


3.10.9 REFERENCES

1. Zion Probabilistic Safety Study, 1981.
2. Indian Point Probabilistic Safety Study, 1982.


3.11 SCREENING MODEL FOR OPERATOR ACTIONS IN EVENT TREES

In this section a set of human error probabilities are assigned to the operator actions that are in the event trees. The following operator actions are defined in the event tree nodes:

OFB  Open pressurizer PORVs to initiate "feed and bleed" core cooling
OST  Termination of RCS leak following SGTR
ORT  Manual Reactor Trip following ATWS
OLT  ATWS Long-Term Shutdown, boration via CVCS
ORH  Operator depressurizes and switches to RHR pumps after failure of all 4 SI pumps.
ORL  Open pressurizer PORVs to depressurize RCS and terminate RCS leak following SGTR with failure of operator (OST) and failure of SG overfill protection system.

These operator actions appear in the following initiating events:

OFB  Transients, Loss of Offsite Power, SGTR, Secondary Side Break, Small LOCA, ATWS
OST  SGTR
ORT  ATWS
OLT  ATWS
ORH  All events where SI cooling appears.
ORL  SGTR

The operator action failure probabilities assigned are summarized in Table 3.11-1.

The operator actions in support state 3 assume either recovery of power or consider actions that are not dependent on support systems.

The operator action failures are estimated to be driven by cognitive errors rather than omission errors or failure of components. The probabilities used are consistent with diagnostic HEP from NUREG-1278.


TABLE 3.11-1 OPERATOR ACTION FAILURE PROBABILITIES

Operator Action | Failure Probability by Support State: SS1 | SS2 | SS3
OFB | 0.005 | 0.01 | -
OST | 0.01 | 0.01 | 0.1
ORT | 0.01 | 0.01 | 0.1
OLT | 0.01 | 0.01 | -
ORH | 0.01 | 0.01 | -
ORL | 0.01 | 0.01 | -


3.12 LONG TERM COOLING

The failure of long-term cooling is calculated in this section for various cases.

3.12.1 FOR TRANSIENTS WITHOUT LOCA

If no LOCA is in progress, the EFWS cooling is modeled to take care of long-term cooling. For this purpose, EFWS failure is already quantified for a 24 hour mission time. Thus, q = 0.0 for this case.

3.12.2 SMALL LOCA - CONTAINMENT FAN COOLERS AVAILABLE

In this case, RHR heat exchanger cooling is not needed. From Table 3.4-1, the difference between 24 hour and 3 hour mission time failures is used for failure of long-term cooling:

q_system = (a,c)
q_1 division = (a,c)

3.12.3 SMALL LOCA - CONTAINMENT FAN COOLERS UNAVAILABLE

In this case, RHR heat exchanger cooling is needed. From Table 3.4-1, the difference between 24 hour and 3 hour mission time failures is used for failure of long-term cooling:

q_system = (a,c)
q_1 division = (a,c)

3.12.4 LARGE LOCA - CONTAINMENT FAN COOLERS AVAILABLE

In this case, RHR heat exchanger cooling is not needed. From Table 3.4-2, the difference between 24 hour and 1 hour mission time failures is used for failure of long-term cooling:

q_system = (a,c)
q_1 division = (a,c)

3.12.5 LARGE LOCA - CONTAINMENT FAN COOLERS UNAVAILABLE

In this case, RHR heat exchanger cooling is needed. From Table 3.4-2, the difference between 24 hour and 1 hour mission time is used for failure of long-term cooling:

q_system = (a,c)
q_1 division = (a,c)

The above calculations are summarized in Table 3.12-1.


TABLE 3.12-1 LONG-TERM COOLING FAILURE PROBABILITIES

Case | System Failure | 1 Division Failure
Small LOCA, CFC available | (a,c) | (a,c)
Small LOCA, CFC fail | (a,c) | (a,c)
Large LOCA, CFC available | (a,c) | (a,c)
Large LOCA, CFC fail | (a,c) | (a,c)
