Text

Seismic Margin Review of the Maine Yankee Atomic Power Station.Volume 2.Systems Analysis
	ML20206B318
Person / Time
Site:	Maine Yankee
Issue date:	03/31/1987
From:	David Jones, Moore D, Quilici M, Young J; ENERGY, INC., LAWRENCE LIVERMORE NATIONAL LABORATORY
To:	; NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
	CON-FIN-A-0461, CON-FIN-A-461 NUREG-CR-4826, NUREG-CR-4826-V02, NUREG-CR-4826-V2, UCID-20948, NUDOCS 8704090075
	Download: ML20206B318 (201)
	v • d • e

'

NUREG/CR-4826 UCID-20948 Vol. 2 Seismic Margin Review of the Maine Yankee Atomic Power Station Systems Analysis Prepared by D. L. Moore, D. M. Jones, M. D. Quilici, J. Young Energy incorporated Lawrence Livermore National Laboratory Prepared for U.S. Nuclear Regulatory Commission 8704090075 870331 AW ogoco3o$

P Pb R.

l

f~ .. , . .

NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of re-sponsibility for any third party's use, or the results of such use, of any information, apparatus, product of process disclosed in this report, or represents that its use by such third party would l

not infringe privately owned rights.

1 NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room,1717 H Street, N.W.

Washington, DC 20555

2. The Superintendent of Documents, U.S. Government Printing Of tice. Post Office Box 37082, Washingtor,, DC 20013 7082

3. The National Technical Information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC publications.

it is not intended to be exhaustive.

l Referenced documents available for inspection and copying for a fee from the NRC Public Docu-ment Room include NRC correspondence and internal NRC memoranda; NRC Office of. inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices:

Licensee Event Reports: vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

I The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Aisc, available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations,and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited. g Single copies of NRC draf t reports are available free, to the extent of supply, upon written request '

to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Com-mission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards institute,1430 Broadway, New York, NY 10018.

NUREG/CR-4826 )

UCID-20948 Vol. 2 Seismic Margin Review of the Maine Yankee Atomic Power Station Systems Analysis Manuscript Completed: February 1987 I Date Published: March 1987 l

Prepared by D. L. Moore, D. M. Jones, M. D. Quilici, J. Young Energy incorporated Kent, WA 98031 Under Contract to:

Lawrence Livermore National Laboratory 7000 East Avenue Livermore, CA 94550 Prepared for Division of Engineering Safety Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN A0461 i

ABSTRACT This Systems Analysis is the second of three volumes for the Seismic Margin Review of the Maine Yankee Atomic Power Station. Volume 1 is the -

Summary Report of tne first trial seismic margin review. Volume 3, Fragility Analysis, documents the results of the fragility screening for the review.

The three volumes are part of the Seismic Margins Program initiated in 1984 by the Nuclear Regulatory Commission (NRC) to quantify seismic margins at nuclear power plants.

The overall objectives of the trial review are to assess the seismic margins of a particular pressurized water reactor, and to test the adequacy of this review approach, quantification techniques, and guidelines for performing the review. Results from the trial reviews will be used to revise the seismic margin methodology and guidelines so that the NRC and industry can readily apply them to assess the inherent quantitative seismic capacity of nuclear power plants.

iii

_.o

T/v,LE OF CONTENTS Section Page ABSTRACT................................................ iii L IS T O F T A B L ES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii L IS T O F F I G U R E S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

1. I N T R O D U CTIO N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

2. METHODCLOGY............................................ 2-1 2.1 G e ne ral A p p roa ch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.2 S tep 2 - Initial Systems Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.2.1 Gather System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.2.2 Classify Front-Line Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.2.3 Identify Group A Front-Line Components . . . . . . . . . . . . . . . . . 2-2 2.2.4 Classif y Support S ystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 2.2.5 Identify Group A Support System Components . . . . . . . . . . . . . 2-2 2.2.6 Identify Plant-Unique Features . . . . . . . . . . . . . . . . . . . . . . . . 2-3 2.2.7 Prepare for First Plant Walkdowr. . . . . . . . . . . . . . . . . . . . . . . 2-3 2.3 S tep 4 - First Plant Walkdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 2.3.1 Peer Review G roup M ee ting . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 2.3.2 Plant Walkdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 2.3.3 Plant S taf f Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 2.4 S tep 5 - S ys te m s M o deling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 2.4.1 R evie w Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 2.4.2 D ev elop Fault Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 2.4.3 D e v elo p D a ta B a se . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 2.4.4 Determine System Cut Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 2.5 S tep 6 - S econd Plant Walkdo wn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-S 2.6 Step 7 - Determine Minimal Cut Sets . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8 2.6.1 Finalize Ev e n t Tre es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8 2.6.2 Fin alize Fa ul t Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 2.6.3 L in k F a ul t Tr e es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 2.6.4 Determine Preliminary Boolean Equation . . . . . . . . . . . . . . . . . 2-9 2.6.5 Determine Final Boolean Equation . . . . . . . . . . . . . . . . . . . . . . 2-9 v

TABLE OF CONTENTS (Cont'd)

Section Page

3. S YSTE M S A N A L YSIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . '3-1 3.1 S ystem Iden tifica tion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .- 3-l' 3.1.l_ G roup A S ys te ms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .' 3-1 3.1.2 Systems Removed from Group A . . . . . . . . . . . . . . . . . . . . . . .' 3 3.2 Systems Analysis of Front-Line Systems. . . . . . . . . . . . . . . . . . . . . . . . 3-3 3.2.1 s Auxiliary Feedwater System . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 3.2.2 High Pressure Safety Injection System . . . . . . . . . . . . . . . . . . . '3-5

.3.2.3 Power-Operated Relief Valves (Feed and B leed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 3.3 Systems Analysis of Support Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 3.3.1 Component Cooling Water Systems . ._. . . . . . . . . . . . . . . . . . . 3-9 3.3.2 Service Water System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11 3.3.3 Electric Po wer System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13 3.3.4 A ctuation Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.4 Probability Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . f 3-16 4.

ACCIDENT SEQUENCE ASSESSMENT AND RESULTS . . . . . . . . . . . . . . . . . 4-1 4.1 Ev e n t T r ees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 4.1.1 N o L OC A C a se . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 4.1.2 S mall LO CA C ase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 4.2 Core D amage Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 4.2.1 T gLP g.......................................... 4-3 4.2.2 T g LD........................................... 4 4.2.3 S 2 0............................................ 4-4 4.2.4 S2 'P "-"

2******************************************

4.2.5 SLD...........................................

2 4-4 4.3 Boolean Equations for No LOCA and LOCA Cases. . . . . . . . . . . . . . . . . 4-4 4.3.1 N o L O C A C as e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 4.3.2 S m all LO CA Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 4.4 Plant-Level Boolean Equation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 vi

TABLE OF CONTENTS (Cont'd)

5. ENGINEERING AND METHODOLOGY INSIGHTS . . . . . . . . . . . . . . . . . . . . . 5-1 5.1 Engineering and Operational Insights . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 5.2 Insights on the Methodology and Execution . . . . . . . . . . . . . . . . . . . . . . 5-2 5.2.1 System Classification and Screening G uidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 5.2.2 Preparation for Walkdowns and Documentation. . . . . . . . . . . . . 5-4 5.2.3 Systems Analysis and Pruning Process . . . . . . . . . . . . . . . . . . . 5-4 5.2.4 Minimal Cut Set Evaluation Process. . . . . . . . . . . . . . . . . . . . . 5-5 5.2.5 Schedule and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 REFERENCES ............................................... R-1 APPENDIX A Identifiers and S y mbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1 B Auxiliary Feedwater, System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1 C High Pressure Safety injection System . . . . . . . . . . . . . . . . . . . . . . . . . C-1 D Primary Pressure Relief System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-1 E Primary Component Cooling Water System. . . . . . . . . . . . . . . . . . . . . . E-1.

F Secondary Component Cooling Water System . . . . . . . . . . . . . . . . . . . . . F-1 G Service Water S yste m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-1 H Electric Power Syste m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-1 1 A ctua tio n S ys te m s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 vii

LIST OF TABLES 2-1 Definition of plant safety functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 3-1 Front-line system vs support system dependency matrix.................................................. 3-19 3-2 Support system vs support system dependency matrix . . . . . . . . . . . . . . . . 3-20 3-3 AFW screening overview table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21 3-4 Standard footnotes for screening overview tables . . . . . . . . . . . . . . . . . . . 3-22 3-5 A F W syste m cut se ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23 3-6 HPSI/CSPPCL screening overview table . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24 3-7 H PSI syst e m cut se ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

l 3-26 l

3-8 PORVs screening overview table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27 3-9 P ORY (no LOCA) cut sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28 3-10 PORV (s mall L OCA) cut se ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29 3-11 PCC screening overview table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30 3-12 SCC screening overview table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-32 l

1 3-13 SWS screening overview table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33 3-14 Electric power screening overview table . . . . . . . . . . . . . . . . . . . . . . . . .

3-34 3-15 Nonseismic event failure probability calculations . . . . . . . . . . . . . . . . . . .

3-37 4-1 Basic event descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 4-2 Sequence Tg LP g cutsets..................................... 4-3 4-3 Sequence T g LD cu t sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 4-4 S equence 2S D cu t se t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 4-5 Sequence S2 LP cutsets.....................................

2 4-11 4-6 Sequence 2S L D cut se ts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12 4-7 Boolean equations for no LOCA and small LOCA accident sequences .....-......................................... 4-13 5-1 Systems analysis resource expenditure . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7 A-1 Fault tre e sy m bols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1 A-2 Fault tree event identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2 viii

LIST OF TABLES (Cont'd)

B-1 A uxiliary feedwater (A F W) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - B-1 B-2' A F W v alv e tab l e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -B-2 B-3 . AFW cooling require ments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-3 C-1 High pressure safety injection (HPSI) and containment spray pump area cooling (CSPPCL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-1 C-2 H PSI /CS P PCL valve table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . : C-3 C-3 HPSI cooling requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

.C-5 D-1 Prim ~ary pressure relief system (PPS) . . . . . . . . . . . . . .;. . . . . . . . . . . . . . D-1 E-1 Primary component cooling (PCC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . : . E-1 E-2 P C C v alv e tab 1 e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E-2 E-3 PC C cooling require ments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E-3 E-4 P C C coolin g loads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E-4 F-1 Secondary component cooling (SCC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-1 l 1

F-2 S C C v alv e tab l e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-2 i F-3 SCC cooling requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F-3 F-4 S CC cooling loads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -F-4 G-1 Se rvice water syste m (SWS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-1 G-2 S WS cooling requir e ments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-2 H- 1. ACpower............................................... .

H H-2 DCpower............................................... H-2 H-3 Diesel generator s (D G) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H H-4 DG cooling requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H-4 1-1 A ctua tio n syste ms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 ix

LIST OF FIGURES 2-1 Graphic representation of the screening operations (Figure 2-6 from NUREG/C R-4482) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 3-1 Auxiliary feedwater . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39 3-2 High pressure safety injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-40 3-3 Primary pressure relief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41 3-4 Primary component cooling water . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42 3-5 Secondary component cooling water. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-44 3-6 Service water sys tem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-46 3-7 A C po wer syste m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-47 3-8 D C po w e r s ys t e m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-48 3-9 Die sel generator s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-49 4-1 Seismic event, LOOP event tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14 4-2 Seismic event, LOOP concurrent with small LOCA e v e n t tr e e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15 B-1 Auxiliary feedwater system fault tree . . . . . . . . . . . . . . . . . . . . . . . . . . . B-4 B-2 Auxiliary feedwater system fault tree, pruned and merged................................................. B-9 C-1 High pressure safety injection system fault tree . . . . . . . . . . . . . . . . . . . . C-6 C-2 High pressure safety injection system fault tree, prune d a n d m erg e d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-16 D-1 Power-operated relief valve fault tree . . . . . . . . . . . . . . . . . . . . . . . . . . . D-2 D-2 Power-operated relief valve fault tree (no LOCA) prun e d a n d m erged . . . . . . . . . . . . . . . . . . . . . . ,. . . . . . . . . . . . . . . . . . . D-4 D-3 Power-operated relief valve fault tree (small LOCA),

prun e d an d m erged . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D-7 E-1 Primary component cooling system fault tree . . . . . . . . . . . . . . . . . . . . . . E-6 x

LIST OF FIGURES (Cont'd)

Secondary component cooling system fault tree . . . . . . . . . . . . . . . . . . . . F-6' F - G-1 Service water system fault tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-3 .

H-5 H- 1. AC power (MCC 7A) f ault tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

H-6 H-2 AC power (MCC S A) f ault tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

H-3 Diesel generator I A fault tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ., H-7 I-1 Safety injection actuation system (Train A) fault I-2 ' )

tree....................................................

xi

l. INTRODUCTION This report documents the approach, results, and insights of the systems analysis tasks for the Seismic Margin Review of the Maine Yankee Atomic Power Station. This project is part of the Seismic Design Margins Program performed by Lawrence Livermore National Laboratory for the Nuclear Regulatory Commission. The purpose of a seismic margin review is to determine the capability of a plant to resist with high confidence an earthquake level greater than the design basis Safe Shutdown Earthquake (SSE). This seismic capacity is expressed as the earthquake acceleration level for which there is a high confidence of a low probability of failure (HCLPF value).

The objectives of this seismic margin review of the Maine Yankee Atomic Power Station are to:

e Provide an assessment of an actual plant's capability to withstand a specific earthquake level greater than the SSE.

e Demonstrate the use of the Expert Panel's approach (NUREG/CR-4334) and guidelines (NUREG/CR-4482) for seismic margin review, e Provide a basis for upgrading the Expert Panel's approach and guidelines, if improvements are needed.

e Provide a benchmark for possible future seismic margin reviews, including cost and time resources.

The overall approach for this seismic margin review, as detailed in NUREG/CR-4482 (Prassinos et al.,1986), was to:

e Select a review level earthquake.

e Determine the systems, components, and structures that are important to plant seismic capacity by applying a successive set of screening filters based on system function, nonseismic unavailability, and seismic fragility.

e Use plant walkdowns to gather information for the screening process, and for the determination of fragilities and plant seismic capacity, o Model the system and plant response to the review !cvel earthquake through fault trees and event trees, and develop a Boolean equation for the endpoint of core damage.

e Calculate the plant seismic capacity (HCLPF) using the Boolean equation and fragility information.

This report is Volume 2 of a three-volume report documenting the project results.

Volume I provides the overall project results, and Volume 3 provides the fragility and HCLPF analyses. Volume 2 provides the systems screening analysis, the logic models of the plant and systems, and the plant-level Boolean equation for core damage. Chapter 2 describes the methodology used in these systems analysis tasks. Chapter 3 provides the 1-1

results of the screening assessment and discusses each of the systems, including the detailed system fault tree models. Chapter 4 presents the plant event trees, and the Boolean equations. The resulting minimal cut sets are also discussed. Comments and conclusions on the methodology and seismic margin review process are presented in Chapter 5. References are given at the end of the report. The appendices contain definitions of abbreviations and symbols for the fault trees and basic events, and the actual system fault trees.

1-2

2. METHODOLOGY 2.1 General Approach The approach for the Maine Yankee seismic margins review followed the same eight steps outlined in Chapter 2 of NUREG/CR-4482 (Prassinos et al.,1986), which are graphically represented in Figure 2-1 (Figure 2-6 of NUREC/CR-4482). The systems analysis tasks involved Steps 2, 4, 5, 6, and 7. The extensive guidance on these steps in NUREG/CR-4482 will not be repeated here. Rather, this discussion will focus on the plant specific steps and considerations for the Maine Yankee review and any departure from the methodology described in NUREG/CR-4482.

2.2 Step 2 -Initial Systems Review The initial systems review consisted of seven tasks:

e Gather system information, o Classify front-line systems (Group A or Group NOT-A),

e Identify Group A front-line system components, o Classify support systems (Group A or Group NOT-A),

e Identify Group A support system components, e Identify any Group A plant unique features, e Prepare for first plant walkdown.

2.2.1 Gather System Information An initial information request was made to Yankee Atomic personnel. The information sources received included the Maine Yankee FSAR, systems training manuals, piping and instrumentation diagrams, electrical / actuation system schematics, Technical Specifications, emergency and abnormal operating procedures, surveillance, tagging and temporary modifications control procedures, and various structural specifications and calculations. From these sources, and from answers to specific questions asked throughout the review, the systems review was conducted.

2.2.2 Classif y Front-Line Systems For each initiating event to be considered, the Maine Yankee front-line systems were classified as Group A or Group NOT-A according to the safety functions listed in Table 2-l (Table 2-2 of NUREG/CR-4482). For a PWR, the Group A safety functions are reactor subcriticality, normal cooldown, and emergency core cooling (early). Based on guidance in NUREC/CR-4482, a seismic induced loss of offsite power (LOOP)is assumed for a margins review. With a LOOP, the normal cooldown systems would not be available, and are therefore not considered further. In addition, an initiating event which includes a small LOCA due to the seismic event, or a nonseismic event such as a reactor coolant pump seal LOCA, or a safety / relief valve stuck open was considered. Based on guidance from NUREC/CR-4482 medium and large LOCAs were not considered.

The impact of a containment isolation failure during no LOCA and small LOCA events was considered. It was deemed to be not important to core damage frequency for a LOOP transient, although it could af fect the accident source term and offsite dose. For 2-1

a small LOCA, failure of containment isolation could affect recirculation by an eventual loss of inventory in the containment sump, but this would only occur in the very long-term.

Given an emergency source of ac power, recovery actions such as refilling the RWST or manually isolating containment are likely. Therefore, potential impacts of containment isolation failure were not considered further.

From an understanding of Group A ' systems and chosen initiating events, preliminary event trees were developed to show the potential accident sequences leading from an initiating seismic event to core damage. Guidance in NUREG/CR-4482 suggested that event trees and schematics from the NRC sponsored Accident Sequence Evaluation j Program (ASEP) could be used. However, the ASEP event trees and system schematics 4 were not available for Maine Yankee, and the ASEP generic trees were too nonspecific for use in this analysis. Therefore, methods for event tree development from the IREP piocedures guide (Carlson,1983) and the PRA procedures guide _ (NRC,1983) were used. t 2.2.3 Identify Group A Front-Line Components Once the Group A front-line systems were determined, the components within these systems were identified. For each component, its function, necessary support systems such as power or cooling, normal status (operating, standby, open, closed), and failure -

mode (if applicable) were noted. Components of Group A systems that were not required to support the safety function were generally screened out. However, components which did not support the Group A function of the system but whose failure could cause the failure of a necessary component were identified. A primary example is a heat exchanger that is not required to remove heat during an accident, but is required to maintain its pressure boundary Integrity in order to assure system success. Components located on potential flow diversion paths from the main piping were also noted. Flow diversion paths less than one-third the size of the main piping or with flow restriction orifices were screened out only for open systems. For closed systems, all diversion paths were considered. Simplified schematics for the systems and components were -then developed for use in the first plant walkdown. More components were shown on the simplified system schematics than would be evaluated, such as manual valves,_ check valves and recirculation lines.- These components were included because they were needed to understand the system operation. All questions which arose and assumptions made were recorded for discussion during the walkdown.

2.2.4 Classify Support Systems Those systems which provide a required support function for the operation of a Group A front-line system were classified as Group A. In turn, some of the Group A support systems required the functions of other support systems, and these other support systems were also classified as Group A. From the components identified in the prior step, a front-line system versus support system dependency matrix was developed.

2.2.5 Identify Group A Support System Components In a manner similar to that described for Group A front-line systems, the Group A support system components were identified. Those support system components which do not support the Group A function of the system were screened out, unless their failure could cause the failure of a necessary component. The resulting !!st of support system components was used in developing a support system versus support-system dependency matrix. Simplified schematics were also developed for each Group A support system.

2 2.2.6 Identify Plant-Unique Features Any features (systems or components) unique to the Maine Yankee plant that could potentially affect the seismic margin of the plant were identified to be considered along with the Group A front-line and support systems. An example of a plant-unique feature is the dam and fire water pond at Maine Yankee.

2.2.7 Prepare for First Plant Walkdown In preparation for the first walkdown, several items were submitted to the fragilities analysis team as the system documentation became available. These items included the Group A component lists, the simplified system schematics, the preliminary event trees and the lists of the questions and assumptions to be discussed. The lists of components designated each component as required for Group A system operation, or as required for pressure boundary integrity only. Some of the system assumptions and bases listed were based on knowledge of other PRAs and required verification for Maine Yankee. At this point some alternate systems (such as the alternate shutdown decay heat removal Appendix R system) were still being evaluated and were included on the preliminary event trees prior to being screened out.

2.3 Step 4 - First Plant Walkdown The first plant walkdown provided an opportunity to accomplish three tasks:

e Hold a Peer Review Group meeting e Conduct the plant walkdown e Hold discussions with plant staff Each of these tasks contributed to the systems analysis. Documentation of the first walkdown included marked up schematics, revisions to system component lists, answers to questions, verification of assumptions, and new system information.

2.3.1 Peer Review Group Meeting During the Peer Review Group meeting, clarification on the treatment of several open items was sought. These items included whether or not to evaluate the boric acid transfer system for the reactor subcriticality function, long-term room cooling for pumps, and the initial switchover to recirculation from high pressure safety injection.

2.3.2 Plant Walkdown Several systems analysis tasks were to be accomplished in the first walkdown. Most important of these were:

e Verification of screening completed thus f ar using a checkoff list.

e Identification of the relationships between component layout and the timing for local recovery actions.

e Location of some components, such as the dicsci generator start circuits and load shed/sequencers.

2-3

e Identification of the impact of potential failures of the system components.

e Identification of possible physical interactions between Group A system components and other items (block walls, fire water).

e Walkdown of secondary component cooling water piping to check integrity and potential interactions.

In performing the walkdown it was useful to have the plant arrangement drawings in addition to the simplified system schematics. As the walkdown was conducted with the analysis team members divided into two groups, it became important for the groups to consult at the end of each day to compare notes and prepare for the next day.

2.3.3 Plant Staff Discussions Discussions held with members of the plant staff were to gain additional system information and answers to the questions existing at that point. Information on valve failure positions, normal positions of manual valves, unidentified instrument air and power supplies, and operating procedures would be used in completing the systems documentation. Also, simplified system schematics were verified and plant-unique features discussed.

2.4 Step 5 - Systems Modeling To complete the systems modeling task it was necessary tot e Review, update, and document the event trees and their success criteria.

e Develop and document fault trees for the front-line systems which are included in the event tree sequences, and for their required support systems.

e Develop a data base consisting of probability cutoffs for screening, and data for calculating component unavailabilities and human error probabilities, e

Determine the minimal cut sets for the front-line systems (including support system faults) to verify the fault tree logic and identify criticalitems to review during the second plant walkdown.

2.4.1 Review Event Trees During the first plant walkdown, severalinsights were gained which were used in revising the preliminary event trees. The types of revisions are illustrated by the fo!!owing:

e The recirculation function of the containment spray pumps (which provide water from the containment sump through the residual heat removal (RHR) heat exchangers to the high pressure safety injection (HPSI) pumps for long-term core cooling) were included. Specifically, the f ans, ducting and dampers which provide room cooling for the containment spray pump area were added to the HPSI system fault tree. Thus, f ailure of room cooling would eventually fail HPSI in the recirculation mode.

2-4

e The alternate shutdown decay heat removal (ASDHR) system was screened out of the analysis. The main control room panels were judged to be seismically sound, precluding the need for use of the alternate shutdown panel (ASP). Also, operation of the turbine-driven auxiliary feedwater (AFW) pump is required for ASDHR, and is already considered in the AFW system. Finally, the auxiliary charging pump is judged too small to replace the HPSI pumps for feed and bleed or core inventory makeup.

e The evaluation of the boric acid transfer (BAT) system was delayed and eventually screened out, because the reactor internals and control rod drive system were found to have high seismic capacity, thus eliminating the need for BAT.

e An anticipated transient without a SCRAM (ATWS) was not evaluated because the reactor internals and control rod drive system were found to have high seismic capacity.

Two separate event trees were developed, with different initiating events. One tree evaluates mitigating system success following a seismic event causing loss of offsite power (Tg). The second tree addresses system success following a seismic event which causes loss of offsite power, concurrent with a small LOCA (52)*

The final event trees are discussed in greater detail in Secti)n 4.1.

2.4.2 Develop Fault Trees Once the functions, success criteria, and support system interfaces for the Group A systems were identified, system fault trees were developed using standard techniques.

For each system, potential flow diversion paths were analyzed. A path was excluded if it met at least one of the following criteria, which are based on probabilistic arguments.

e There is a normally closed automatic valve isolating the line.

Exception: Include the path if interlocks exist which may prevent the valve from closing, and these interlocks are connected to a component or system which is modeled, or the interlock and valve are powered by opposite buses.

e There are two normally open valves on the line which will automatically close.

Exception: Include the path if the line up to the second valve has a potentially low seismic capacity (i.e., contains a heat exchanger or is not seismic class !). j e The line or flow restriction orifice is less than one-third the diameter of the main pipe.

Exception: Include the path if it is a closed system. However, the ability of the operator to isolate small leaks will also be taken into consideration.

During this process, additional questions and issues were raised. A list of these questions was complied for referral to the plant staff. It was necessary to include some diversion paths untilinformation was received which would allow screening of the path.

2-5 l

The components and paths identified by the above steps were used in developing the system fault tree logic. The fault tree symbols and event identifiers used are found in Appendix A. The first set of front-line and support system fault trees developed include every system component identified (unless it was screened out as a diversion path '

component). These fault trees would later be pruned using failure probability cutoffs.-

As seismic and nonseismic failure modes were not differentiated at this point, a specific component failure mode was not identified. Rather, an "XX" was used as a generic failure mode identifier. Support system faults are added to the tree as developed events. The support system fault trees would later be merged into the front-line system fault trees at these points. Failures of support systems were included at each component -

level rather than being combined at the top of the fault tree. Check valves were not

~

included in the fault tree logic based on their low unavailability. Manual valves normally in the correct position were also not included in the fault tree logic because of their low probability of being in an incorrect position. However, if a manual valve could be in an incorrect position and also fail all trains of a redundant safety system, then its probability of incorrect positioning was evaluated further to determine if it was below the screening probability cutoff.

Once the initial system fault trees were completed, preliminary front-line and support system cut sets (first, second, and third order) were obtained using Micro-PRANK. These cut sets were analyzed to verify the logic of the fault tree.

Following verification of the fault tree logic, probability cutoffs described in the following section were used to prune the fault trees. Seismic, random, common cause, test and maintenance, and human error failures were considered for each component.

Along with seismic failures of specific components, seismic failures of adjacent components, walls or buildings which may fall a component of interest were also considered. For seismic events screened in, the failure mode identifier "EQ" was used.

The same event names were used for several component failures if the seismic failure of the components was highly correlated. For example, CCW-HTX-EQ-4B5A represents the seismic failure of the PCC and the SCC coolers since they are identical and located adjacent to each other. All components with seismic HCLPFs greater than 0.3g, or nonseismic failure probabilities below the probability cutoffs were pruned from the fault tree. The support system inputs for these components remained on the tree. It took several passes to prune the fault trees as fragility calculations were finalized and system spatial dependencies were identified in the second walkdown.

Also pruned from the fault trees were any components which are isolated by valves removed from the tree in the step described above. This eliminated flow diversion paths which would be successfully isolated following the initiating event. Support system interfaces for these pruned diversion path components were also removed from the tree. The separation of instrumentation, racks, and impulse lines which make up the actuation systems included in the fault trees was also checked to determine if a single -

physical seismic interaction could fall multiple actuation channels. If there was sufficient separation (no more than one channel is failed by a physical seismic failure),

and the transmitters and racks were of high seismic capacity, then actuation system faults were pruned from the fault trees.

Upon completion of the pruning process, the fault tree "OR" gates- with zero or one remaining inputs were collapsed into their output gates. The "AND" gates which had one or more inputs removed were deleted from the tree. The pruned support system fault trees were then merged with the pruned front-line system fault trees. Developed events on the trees became the top gate of the support system tree to be merged at that point.

2-6

s The final result of the fault tree development process was a fault tree for each front-line system included in the event tree sequences. Each fault tree includes basic and undeveloped events representing the seismic and nonseismic failures of the front-line and support system components which were not screened out.

2.4.3 Develop Data Base A data base containing probability cutoffs and nonseismic failure data was developed to aid in pruning the fault trees. Seismic failure data from the fragilities team which was required in the component screening was included in the data base.

Generic component unavailability and failure rate data from ASEP was used to calculate random nonseismic failures. Beta factors from EPRI NP-3967 (Fleming,1985), with supplements from ASEP and other PRAs were used to develop nonseismic common cause unavailabilities for components. A list of components for which information on testing and maintenance is required was compiled for verification on the second walkdown. All of the components were adequately represented by generic ASEP test and maintenance unavailabilities. To determine probabilities for human errors and recovery, time based data from the IREP NUREG/CR-2787 (Kolb,1982) with some guidance from ASEP, was used.

In screening system components, seismic failures for those components with a HCLPF capacity calculated to be greater than 0.3g were screened out. Random, common cause, test and maintenance, and human error failures with probabilities less than the following guidelines were also screened out, e 0.01 if the failure leads to the loss of only one train in one system.

e 0.001 if the failure leads to the loss of all trains in one system.

e 0.001 if the failure leads to the loss of one train in multiple systems.

e Exception: If the failure probability is greater than the cutoff, but has a high probability of recovery, making the combined probability less than the cutoff, the component failure may be screened out.

Component unavailabilities, human error probabilities, and nonseismic common cause failure probabilities are presented for the components of interest in Chapter 3.

2.4.4 Determine System Cut Sets t

The final front-line system fault trees obtained from the steps described in Section 2.4.2 (pruned and merged with the support system fault trees) were analyzed to determine the first, second, and third order cut sets for the system. This minimal cut set evaluation before the second walkdown was not included in the NUREG/CR-4482 steps, but proved to be very useful. Micro-PRANK, a minimal cut set routine included in the personal computer based Fault Tree Workstation, was used for this analysis. The resulting cut sets aided in recognizing some criticalitems (especially unexpected single faults). These items were identified as warranting a speciallook in the second walkdown, and discussion with the plant staff. Among the items listed for further evaluation during the second walkdown were the new procedure for isolating portions of the PCC, the station transformers, and the containment spray pump area fans.

2-7

l l

2.5 Steo 6 - Second Plant Walkdown A second plant walkdown was performed to look at those items that had been added to l

the component list since the first plant walkdown. This included items such as block walls which may impact the major system components. Also, any questions which arose during the fault tree development task were discussed with plant personnel and, if necessary, a second examination given to the subject items. Plant-specific test and maintenance (planned and unpianned) data for important components (pumps and diesel generators primarily) was also gathered.

The second plant walkdown also provided an opportunity to discuss the seismic review methods and any issues which had arisen with the Peer Review Group. It was also a chance to support the fragility analysis team in their efforts to calculate component capacities, and to obtain a preliminary estimate of which components may be screened out due to sufficient seismic capacity.

2.6 Steo 7 - Determine Minimal Cut Sets In order to obtain the minimal cut sets and Boolean equations for the two event trees (no LOCA and small LOCA) the following steps were completed:

e Review and finalize the event trees.

e Review and finalize the fault trees.

e Link the fault trees according to the event tree sequences.

o Obtain a preliminary Boolean equation for each event tree.

e Repeat these steps to incorporate the complete fragility analysis results to obtain the final Boolean equations.

2.6.1 Finalize Event Trees The event trees produced in Step 5 were reviewed to determine consistency with the additionalinformation gathered during the second plant walkdown.

2.6.2 Finalize Fault Trees The pruned and merged front-line system fault trees developed in Step 5 were also reviewed to incorporate the answers to the questions discussed during the second walkdown, the test and maintenance data, and the preliminary fragility analysis results.

Screening overview tables were developed to trace the status of each system component. For each item, the tables list the component name, its screening status (in or out, for seismic and nonseismic failures), the reason for its screening status, the applicable event name, and the component unavailability or seismic capacity value used for comparison with the probability and HCLPF cutoffs.

These finalized pruned fault trees were used in determining the Boolean equations. As discussed in NUREG/CR-4432, it is possible to determine preliminary Booleans prior to pruning the system fault trees, but this would result in roughly an order of magnitude more cut sets. The method of using pruned fault trees was chosen because it is more efficient.

2.6.3 Link Fault Trees The f ault trees were first linked to form sequence level f ault trees, and then to form event tree level f ault trees. The pruned front-line system fault trees which had been 2-3

)

i L

l l

merged with the required pruned support system fault trees were linked in combinations which represent the various event tree sequences. For example, if failure of auxiliary feedwater along with failure of the high pressure safety injection system would result in core damage, these two system f ault trees were linked by an "AND" gate to create a larger fault tree which represents this core damage sequence.

l Once fault trees were developed for each sequence, the sequence level trees were linked to create a fault tree which represents an entire event tree. For example, given an initiating event, if there are three sequences, of which any one will lead to core damage, the fault trees for these three sequences were linked by an "OR" gate. These linked fault trees were then analyzed to determine the Boolean equation for each event tree.

2.6.4 Determine Preliminary Boolean Equation Analysis of the linked fault trees was performed in two stages to determine the Boolean equations. A first analysis was performed with the analysis routine Micro-PRANK. The linked sequence level f ault trees were analyzed separately for each sequence.

Once cut sets for each sequence were obtained, they were combined and reduced by hand to develop the cut sets for an entire event tree. In doing this,it was important to ensure that only minimal cut sets were included for the event tree level result. Since it was possible that an event that occurs as a single fault for one sequence appeared in a double fault for another sequence, when these sequence cut sets were combined the double faults containing that event were deleted.

After event tree level cut sets were determined in this manner, they were transferred to the fragility analysis team for preliminary plant HCLPF determination. Later, the large event treee level fe. ult trees were analyzed using VAX SETS to obtain more detailed Boolean equations. These equations were used to verify the results obtained from Micro-PRANK. Because this is a seismic review, only the cut sets which include at least one seismic event are of interest. Therefore, those cust sets that contained only nonseismic events (e.g., random, human error) were deleted from the Boolean equations.

2.6.5 Determine Final Boolean Equation When the component fragility analysis calculations had been finalized, those results were

. incorporated in the plant level Boolean equations. To do so, the steps described in Sections 2.6.1 through 2.6.4 were repeated. This resulted in a change in screening status for several components, which in turn altered the final Boolean. The final Boolean equations were used by the fragility analysis team in determining the final plant capacity.

2-9 l

Table 2-1. Definition of plant safety functions.

(Table 2-2 from NUREG/CR-4482)

IDE'ITIFICATICN OF SAFE"'Y FUNCTICNS

1. Reactor Subcriticality - shutting down the nuclear reaction such that the only heat being generated is decay heat. .

2, Normal Cooldown - providing cooling to the reactor core through the use of the normal power conversion sys tem, normally defined as the main steam, turbine bypass, condenser, condensate, and main feedwater subsystems.

3. Emercency Core Coolina (Earlv) - providing cooling to the reactor core in the early (transient) phase of an event sequence by the use of one or more emergency systems designed for this purpose. The exact timing of "early" is somewhat plant specific and sequence dependent. However, I for our purposes it can be deemed to be the time period during which these systems are initially called upon to operate.

4. Emeroency Core Coolina (Late) - providing cooling to the reactor core in the late (stabilired) phase of an event sequence by the use of one or more emergency systems designed for this purpose. In context with the above definition of "early", for our purposes " late" can be deemed to begin with the switchover to recirculation (for LOCAs) or with the achievement of residual heat removal conditions (for transients) .

5. Containment Heat Removal - removing heat from the containment to the ultimate heat sink during the late (stabilised) phase of an event sequence by the use of one or more safety systems designed for this purpose.

6. Containment Overoressure Protection (Early) - controlling the buildup of pressure in the containment caused by the evolution of steam by condensing this steam during the early phase of an event sequence by using one or more safety systems designed for this purpose. "Early" in the context of containment functions is not the same as "early" for core cooling. In this case "early" is deemed to be the time period commencing when this function is required, after the beginning of core melt when these systems are operating in the injection mode.

7. Containment OverDressure Protection (Late) - controlling the buildup of pressure in the containment caused by the evolution of steam by condensing this steam during the late phase of an event sequence using one or more safety systems designed for this purpose. In the context of the previous definition, " late" in this case is deemed to start when these systems are operating in the recirculation mode.

IDENTIFICATION OF THE FUNCTIONAL GROUPS FOR PWRS AND EWRS.

PWR Group A: Functions 1,2,3 Group NOT-A: Functions 4,5,6,7 + All plant functions not related to Safety l

BWR i Group A: Functions 1,2,3,4,5,6, 7 Group NOT-A: All plant functions not related to Safety l

2-10

Start Time axis 1 Select an earthquake review level Gather information ' . . * .* : ,. .

.. Gather information on on systems and sort , [. . /.,*l,*. ' the plant. Determine which Group A functions. [

Use information f.!'2

.. . . . 'Interaction [ broad classes or groups of

.. . . f . . /. _----. 3 components have HCLPF on Table 2.3 and ****:*. . .

values greater than the review R ef.1. , ;"*, /

11 /' level. Possibly identify plant-unique features.

.*. First plant walkdown:

I f f .[* ;*

Concentrate on identification of problems.

Emphasize systems interaction. Confirm

- h.4., . .

applicability of screening tools. Complete

. identification of plant-unique features.

e KEY: Task is performed by: .. ff . ,.;;;

Revision of systems

' * * *

relationships established

", ; . - Systems Analyst

. .? *

./.,.,,,,-

.*. : *;5 *

.2..Develop in Step f. fault 2.* trees and event trees.

l .*f.l Fragility Analyst

h Both Second plant walkdown:

Primarily fragility analyst for checks.

6 Collect specific data (size and other physical characteristics) of componenu requiring detailed analysis.

t

* ~ *

Determine minimal

,. ,. }* ; *.,*. , :* . l . *.

/' Finalize HCLPF value for cut sets for end- /, . . ; *. 7 ., /*l,*,*1 g components in final cut sets point core melt. *

.t*

(components not screened out).

1

. /.

v Margin assessment complete Figure 2-1. Graphic Representation of the Screening Operations (Figure 2-6 from NUREG/CR-4482).

2-11

i

3. SYSTEMS ANALYSIS This chapter presents the results of the systems modeling and quantification steps.

Section 3.1 discusses the identification of Group A systems, both front-line and support.

It also presents the basis for screening out potential Group A systems from further evaluation. Each Group A front-line system is then described in Section 3.2, and the fault trees and screening evaluations are presented. Section 3.3 provides similar information for the Group A support systems. The failure probability and unavailability bases for the components that could not be screened out immediately is presented in Section 3.4.

3.1 Svstem Identification The purpose of the system identification and classification was to determine which plant systems are potentially available to bring the plant to a safe shutdown following a seismic event. As discussed in Chapter 2, those front-line systems (with the necessary support systems) whose failure will result in failure of reactor subcriticality or loss of emergency core cooling (early) are designated as " Group A" systems. Unless there are plant unique features or other reasons for inclusion, all other systems are designated as

" Group Not-A" systems. Failures or successes of the Group Not-A systems are not evaluated.

9 3.1.1 Group A Systems Those systems identified as Group A which perform the reactor subcriticality and early core cooling functions are the reactor protection system (control rods and reactor internals), the auxiliary feedwater system, the primary pressure relief system (power-operated relief valves for feed and bleed), and the high pressure safety injection system.

Based on the fragility analysis of the reactor internals and the generic HCLPF for the control rod mechani:ms, the seismic capacity of this reactor subcriticality system was found to be adequate at the review earthquake level. Nonseismic failures of the system are below the probability screening cutoffs. Due to these findings, fault trees of the reactor internals and control rod mechanisms were not developed, and reactor suberiticality systems would not impact the plant HCLPF calculation.

Upon loss of the main feedwater system (due to loss of offsite power) and a corresponding drop in steam generator level, the auxiliary feedwater (AFW) system supplies water from the demineralized water storage tank or the primary water storage tank to the steam generators for decay heat removal. A minimum level must be maintained in at least one of the three steam generators for successful heat removal.

The power-operated relief valves (PORV), which with the safety relief valves comprise the primary pressure relief system, are used for bleeding the pressurizer in the reactor coolant system (RCS) during feed and bleed core heat removal. The PORVs are actuated by the operator for this function. If the scismic event is accompanied by a small LOCA, opening of only one PORV would provide sufficient feed and bleed capability. Otherwise, both PORVs must be opened.

The high pressure safety injection (HPSI) system is also required for feed and bleed capability, and for core cooling during a LOCA. The HPSI system provides borated vater 3-1

from the refueling water storage tank to the reactor coolant system loops for makeup during feed and bleed, and core cooling. Also included in the HPSI analysis are the fans which provide cooling for the containment spray pump area, and the valves which are required to operate to achieve recirculation. Although recirculation is not a Group A function, it is necessary to ensure the long-term operating ability of the containment spray pumps for emergency core cooling during recirculation. This departure from the NUREG/CR-4334 and 4482 guidelines is discussed in Chapter 5.

The necessary support systems identified for the Group A front-line systems are electric power (ac, de, and the emergency diesel generators), component cooling water (primary and secondary), service water, and actuation (primarily the safety injection actuation system, SIAS). Some air accumulators are also' required, but are included with the front-line systems they support. The front-line to support system relationships are shown in i the dependency matrix in Table 3-1. The support system - support system dependencies are shown in Table 3-2.

3.1.2 Systems Removed from Group A' Some systems which might be called upon to perform a required Group A function are the boric acid transfer system, the low pressure safety injection system, the safety injection tanks, the secondary pressure control system, and the alternate shutdown decay heat removal system. This section discusses the basis for not evaluating these systems in detail.

The boric acid transfer (BAT) system provides emergency boration from the boric acid storage tank to the RCS in the event of an ATWS or loss of shutdown margin. As the probability of failure of the reactor internals due to the review level earthquake or nonseismic event is insignificant, emergency operation of the BAT system is not likely to be required for prevention of core damage, and was excluded from further consideration.

The low pressure safety injection (LPSI) system and the safety injection tanks (SIT) provide sufficient borated water to flood and cool the core following a medium or large LOCA. As discussed in Chapter 2, only a small LOCA is postulated as concurrent with the seismic event. Therefore, the LPSI and SIT systems would not be required for core cooling. The feed and bleed actions by the PORVs and the HPSI system provide sufficient core cooling for transients or a small LOCA. Also, the LPSI pumps are not used in the recirculation mode at Maine Yankee.

The secondary pressure control system provides overpressure protection for the steam generators and main steam system piping by means of safety relief valves and an atmospheric steam dump valve. The safety relief valves are expected to open for pressure relief, and it is not of major concern if they should stick open, although the RCS would rapidly depressurize. If the HPSI system should fail, the atmospheric dump valve may be used to depressurize and cool the secondary system which in turn would cool the primary side, enabling the use of the LPSI system for depressurization. However, with the reactor coolant pumps made inoperable by loss of offsite power, there is no assurance that sufficient depressurization would occur (Fletcher,1931). The atmospheric dump valve may also be used for depressurization to enable the use of a low pressure water supply (such as fire water) to feed the steam generators in the event of AFW failure.

However, the procedure for this operation depends on use of the AFW system at the start of the procedure for initial cooldown. Due to these usage limitations and dependencies, the secondary pressure control system was not evaluated further.

3-2

The alternate shutdown decay heat removal (ASDHR) system provides an alternate means of controlling and monitoring a plant shutdown, and was designed to meet the Appendix R requirements for fire mitigation. The alternate shutdown panel (ASP) provides a remote monitor and control location, but as the main control room (MCR) panels were found to be of sufficient seismic capacity, use of the ASP is not necessary. The ASDHR system utilizes the turbine-driven AFW pump 'and the auxiliary charging pump to achieve shutdown. The turbine-driven pump is analyzed with the Group A AFW system, and the auxiliary charging pump is of too small a capacity to replace the HPSI pumps for feed and bleed or coolant makeup operations following a small LOCA. . Due to these limitations of the ASDHR system,it is not analyzed further as a Group A system.

3.2 Svstems Analysis of Front-Line Systems Information on the Group A front-line and support systems includes the Final Safety Analysis Report (FSAR), system piping and instrument diagrams (P&lDs), standard and .,

abnormal operating procedures (SOPS and AOPs), system training manuals, and system i analyses and calculations. Maine Yankee and Yankee Atomic personnel are a major source of information for questions and clarification.

Major items covered in the following system analysis discussion include the function of the system, success criteria, system components, boundaries of the system, support system interfaces, operator and recovery actions, necessary assumptions, bases for fault tree development, f ault tree logic, failure probabilities of events, fault tree pruning and merging logic, and system cut sets.

3.2.1 Auxiliary Feedwater System The auxiliary feedwater system is used to maintain a minimum level in the steam generators for decay heat removal, following loss of the main feedwater system. For system success, operation of at least one of the three AFW pumps is required to maintain a minimum water level in at least one of the three steam generators. The AFW system consists of the demineralized water storage tank (DWST), three pumps (two motor-driven and one turbine-driven), and associated flow control and isolation valves. Although the motor-driven pump trains at Maine Yankee are termed emergency feedwater, they will

! be classified as part of the auxiliary feedwater system in this report. A complete list of AFW components, valves and cooling requirements is included in Appendix B.

The two motor-driven pumps (located in the auxiliary feed pump house, el. 21 ft) start automatically on a steam generator low level signal. Upon loss of offsite power, the .

l diesel generator load sequencers restart the motor-driven pumps after a 20-second time delay. If necessary, the turbine-driven pump (located in the steam and feed pump valve area, el. 21 ft) is placed in service by the operator by aligning the steam inlet valves to the turbine drive. Flow to each steam generator is regulated by an air-operated flow control valve (located in the auxiliary feed pump area, el. 23 ft) which is paired with an ,

air-operated isolation valve. A schematic of the AFW system is shown in Figure 3-1.

Support systems required for AFW operation are 4160-V ac emergency power,125-V de 1

power, mstrument air (from various accumulators), and main steam to drive the turbine. I l

[ The following items were used as the basis for development of the fault tree logic:

e An alternate water supply for the AFW system is the primary water i storage tank (PWST). However, there is no check valve on the line between where the PWST feed joins the suction for the turbine-driven 3-3 l

pump and the DWST, making it possible for the PWST to be drained through a ruptured DWST. Therefore, the PWST is considered an alternate supply only for the motor-driven pumps, e A potential source of makeup to the DWST is from condensate makeup. As this makeup is supplied by gravity feed to the DWST, it could also be drained by a DWST rupture. Therefore, this source of makeup is not included in the analysis, e Sufficient separation of the steam generator instrumentation exists, such that a single physical seismic failure would not fail the complete AFW instrumentation and actuation systems. Based on the high .i seismic capacity of the racks and transmitters, the instrumentation is i not analyzed further in the analysis, l l

I e The turbine-driven AFW pump may be placed in service from the main control room or locally. Since the diagnostic portion of these two actions are related, this dependency is explicitly modeled in the fault tree. If the operator falls to place the pump in service from the control room, it is not likely that he will do so locally, o Check valve failures, random valve and MDP failures, and valve failure due to _ plugging, testing or maintenance are of low probability. Therefore, these failures are screened out of the analysis, e Because the AFW flow control and isolation valves fail open upon loss of instrument air or solenoid power, the related air accumulators and power supplies are not included in the fault tree.

o Because the AFW pump oil coolers are considered an integral part of the pumps, they are not shown as separate components in the fault tree.

e Several recovery actions are not included in the fault tree. These actions include opening the manual flow control bypass valves to allow flow, the use of fire water to maintain water level in the steam generators, and the potential. recovery of the main feedwater system. Inclusion of these recovery actions is judged not to impact the plant HCLPF significantly.

e The recirculation lines from the AFW pumps to the DWST are not included as potential flow diversion paths. Each recirculation line contains a flow restriction orifice and is less than the screening value of one-third the size of the discharge line.

e The lines off the AFW pump discharge to the main feedwater header are not included as potential flow diversion paths. Each line contains a normally closed manual valve.

e The line containing the chemical feed tank (TK-89) and pump (P-II5) is not included as a potential flow diversion path. The line is less than one-third the size of the AFW pump discharge line and contains a normally closed manual valve.

3-4

i e Of the valves which supply steam to the turbine-driven pump, two (MS-P-168 and MS-T-163) are air-operated and receive air from the same accumulator (TK-25). The third (MS-A-173) is mechanically operated and is locked open.

The basic fault tree for the AFW system is shown in Appendix B. This fault tree includes the AFW components, which have not been screened out at this point, and their required support system inputs. The faults for each component are nonspecific as to the type of failure. Specific failures (e.g., seismic, random, common cause) were added as each component was analyzed. Linear sections of the system are represented by pipe sngments (PS-1, PS-2, etc.). The top event is failure of the AFW system, this failure occurs through common cause failure of the AFW, failure of the main control room panels, or failure within the system to maintain a minimum level within any one of the steam generators. This latter event is caused by lack of flow through all three pairs of control and isolation valves, which in turn may be caused by lack of flow from all three AFW pumps.

From this basic fault tree, screening criteria described in the methodology chapter were applied to each component in order to prune the fault tree. These screening results are summarized in Table 3-3. The footnotes for Table 3-3, and for all the other screening tables, are listed on Table 3-4. Once the AFW fault tree was pruned. it was merged with the necessary support system fault trees. (Construction and pruning of the support system trees is discussed in Section 3.3.) The completed AFW system fault tree is presented in Appendix B. ,

Analysis of the pruned, merged fault tree is performed to determine the AFW system cut sets. A validity check of these cut sets ensures that the fault tree logic is correct. The minimal cut sets (first and second order) for the AFW system are listed in Table 3-5. For ranking purposes, this analysis assumes that the f ailure probability for each seismic event is 1.0. The HCLPF for these events will be developed by the fragility analysis team. The calculations for the failure probabilities of the nonseismic events are shown in Section 3.4.

The only singlet for the AFW system is AFW-CCF-FC-AFW, nonseismic common cause failure of the pumps or air-operated valves. Of the 23 double faults, the first 19 contain one or more seismic events. Seismic failure of the DWST will fail the turbine-driven AFW pump and the primary water supply for the motor-driven pumps. Failure of the PWST fails the motor-driven pump backup water supply. Seismic failure of the transformers, PCC/ SCC coolers, air conditioner chillers, circulation water pump house, DG day tanks, or f ailure to refill the DG fuel tanks will result in loss of power to the motor-driven pumps, as will common cause f ailure of the DGs.

3.2.2 High Pressure Safety injection System The high pressure safety injection system is used to supply makeup to the reactor coolant system for post-accident core cooling and during feed and bleed. For system success injection of borated water from the refueling water storage tank (RWST) to at least one RCS loop by operation of at least one HPSI pump is required. The HPSI system consists of the RWST, three motor-driven pumps (one is an installed spare), two pairs of RWST isolation valves, two pairs of pump discharge valves, and three pairs of injection isolation valves (one pair per RCS loop). Complete lists of the HPSI components, valves and cooling requirements are included in Appendix C.

3-5

Also included with the HPSI system are the two fans that provide cooling for the containment spray pump area. Although the containment spray pumps are used for recirculation, which is not a Group A function, it is necessary to ensure the long-term availability of these pumps. In part, this is accomplished by maintaining a cool operating environment. This departure from the NUREG/CR-4482 screening guidelines is discussed in Chapter 5.

A schematic of the HPSI system is shown in Figure 3-2. One HPSI pump (P-14A or B, located in the primary auxiliary building (PAB), el. 21 ft), is normally operating as a charging pump, the other (standby) pump is cutomatically started by a safety injection actuation signal (SIAS). The third pump (P-14S, also in the PAB) is a spare that uust be placed in service manually. Upon loss of offsite power, the diesel generator load sequencers restart the two in-service pumps. The pump suction valves on the RWST discharge open on a SIAS. One motor-operated valve of each pump discharge valve pair (HSI-M-41 and 42, located in the PAB, el. 23 ft) is opened upon a SIAS.

Support systems required for HPSI and containment spray pump area fan operation are 4160- and 480-V ac emergency power,125-V de power, primary and secondary component cooling, and safety injection actuation trains A and B.

The following items provided the basis for the fault tree logic:

e Failure of the spray chemical addition tank (SCAT), which is connected to and located adjacent to the RWST, may lead to failure of the interconnecting line and thus drain the RWST.

e Sufficient separation of the SIAS instrumentation exists, such that seismic failure of a rack or instrument would not fail the entire actuation system. Also, the operator is capable of initiating the actuation system. Therefore, SIAS instrumentation is not included further in the analysis.

e Control power for the motor-operated valves is assumed to be transformed off the bus which provides the valve motive power.

e Check valve failures, random valve failures, and valve failure due to plugging, testing or maintenance are of low probability. Therefore,-

these failures were not included in the analysis.

e Pipe ruptures were included only if screened in during the walkdowns.

e Because the recirculation mode is not a Group A function, flow from the residual heat removal heat exchangers to the HPSI pump suction header is not included in the fault tree.

e Several recovery actions are not included in the fault tree. These actions include opening the pump discharge valves which do not open on a SIAS, and placing the spare pump in service by opening manual valves and racking in the breaker. Their inclusion would not significantly impact the plant HCLPF.

i e Block wall VE 21-1,2 may fail the containment spray pump area fans l should it collapse.

l 3-6

I e The recirculation lines from the HPSI pumps to the seal water heat exchanger and volume control tank are not included as potential flow diversion paths. Each line contains a restriction orifice and is less than the screening c'teria of one-third the size of the discharge line.

e The lines from the boric acid transfer pump discharge, volume control tank and RHR heat exchangers to the HPSI pump suction header are not included as potential flow diversion paths. Each line contains a check valve to prevent backflow, ard either a normally closed motor-operated valve, or a MOV which closes upon a SIAS.

e The line from the P-14A suction to the suction of the auxiliary I charging pump (P-7), and the line from the RWST to P-7 are not included as potential flow diversion paths. Each line contains a motor-cperated valve, and the P-7 discharge line contains a normally closed manual valve.

e The lines from the HPSI pump discharge to the charging header are not included as potential flow diversion paths. Each line contait.s an air-operated valve (CH-A-32 and 33) which closes on a SIAS. The two lines combine and then split into three lines which go to the charging header, loop fill header, and seal water heater. The line to the charging header contains an MOV (CH-F-33) which closes on a SIAS.

The line to the loop fill header contains a normally closed flow control valve (CH-F-70). Downstream of the seal water heater is an isolation valve (SL-P-3) which also closes on a SIAS. As CH-A-32 and CH-A-33 are seismically sound, they will successfully isolate these lines and the regenerative heat exchanger and seal water filter.

The basic fault tree for the HPSI system is shown in Appendix C. This fault tree includes the HPSI components which were not yet screened out and their required support system inputs. The type of failure for the components is not specified. Specific failures (seismic, random, etc.) were added as each component was analyzed. The top event of the tree is loss of HPSI (short-term cooling) or recirculation (long-term cooling). This event may occur through failure of the main control room panels, failure of both spray pump area fans, or failure of the HPSI system. The latter failure is caused by a system common cause f ailure, or by a failure within the system which prevents injection to the RCS system. Loss of injection is characterized by lack of flow to any of the three RCS loops, which may be caused by loss of both HPSI pumps. There are several basic events involved in each pump and valve failure.

From the basic fault tree, the screening methods outlined in Chapter 2 were applied to each component in order to prune the tree. The results of this screening process are detailed in Table 3-6. Once the front-line system tree was pruned, it was merged with the pertinent support system f ault trees (described in Section 3.3). The final HPSI fault tree is shown in Appendix C. ,

Once pruned and merged with its support systems, the HPSI fault tree was analyzed to determine the system cut sets. These cut sets were used to verify the logic of the fault tree. The minimal cut sets and event cescriptions for the HPSI system are listed in Table 3-7. For ranking purposes, seismic failures were assumed at this point to have a probability of 1.0. HCLPFs were later assigned by the fragility analysis team. Failure probabilities for the nonseismic events have been calculated in Section 3.4.

3-7 l

Of the nine single faults for the HPSI system, six are seismic events. Seismic failure of the 4160- to 480-V transformers, the PCC/ SCC coolers, the air conditioner chillers, the circulation water pump house, or the DG day tanks; or failure to refill the DG fuel tanks or common cause DG failure leads to loss of power to both HPSI pumps and both spray pump area fans. HPSIis also lost upon the seismic failure of the RWST or common cause failure. There are two doublets, both of which consist of only nonseismic events.

3.2.3 Power-Operated Relief Valves (Feed and Bleed)

The power-operated relief valves (PORVs) are opened by the operator for feed and bleed. This action must take place within approximately 30 minutes of the initiating seismic event and loss of AFW. There are two sets of criteria for PORV system

, success. The first requires that both PORVs must be opened if a LOCA does not accompany the seismic event. The second requires that at least one PORY must be opened if a small LOCA occurs with the seismic event. In addition to the two PORVs, there is a motor-operated block valve for each PORV that must be open. A list of the system components is given in Appendix D.

The primary pressure relief system that includes the PORVs is represented in Figure 3-3.. The PORVs (located at el. 65 ft in the reactor containment) are opened remotely from the main control room for feed and bleed. The motor-operated isolation valves are normally open, but allow isolation of a PORV for maintenance or if it fails to reseat. At least one isolation valve must be open at all times. The only support system required for PORV operation is 480-V ac emergency power.

The following items provided the basis for the development of the fault tree logic:

o Control power for the PORVs and block valves is transformed off the bus which provides the valve motive power.

e The automatic pressure relief function of the PORVs and the safety relief valves is not of interest in this application of the PORVs (feed and bleed).

e Random, testing or maintenance probabilities of failure for the PORVs and block valves are low. These eve.nts were not included in the analysis.

e The pressurizer, pressurizer quench tank, quench tank cooler and quench tank pumps were not included in the fault tree analysis. A seismic f ailure (rupture) of any of these items will not hinder the feed and bleed function. The safety relief valves were also excluded from the fault tree.

e If the control switch for an isolation valve is in the "OFF" or "CLOSE" position,it must also be opened by the operator for feed and bleed.

The unpruned fault tree for the PORVs is shown in Appendix D. Included are failures for each of the system components and the required support systems. The events in this tree do not specify the types of f ailures, these will be added as the tree is pruned. The top event shows failure to support feed and bleed. This is caused by a common cause failure of the PORVs and block valves, by failure of the main control room panels, or by a system failure that prevents flow through both PORVs (for the case wich a small LOCA). For the case in which no LOCA has occurred, lack of flow :hrough only one 3-8

PORV will cause system failure. There are several events shown which may lead to loss of flow through a PORV.

From the fault tree described above, the screening methods from Chapter 2 were used to prune the tree. The results of applying these screening criteria to the system components are found in Table 3-3. The pruned PORV fault tree was merged with the necessary support system fault trees (developed in Section 3.3). The complete PORV fault trees are found in Appendix D.

The final PORY fault trees were analyzed to determine the system cut sets. The cut sets were then used to check the tree logic. Table 3-9 lists the minimal cut sets for the system when no LOCA has occurred. Table 3-10 lists the cut sets for the case when a small LOCA has occurred. For minimal cut set evaluation and ranking, the failure probabilities of the seismic events were assumed to be 1.0 for this analysis. HCLPFs will be assigned later by the fragility analysis team. The nonseismic probabilities were calculated as previously described.

For the case with no LOCA, any event which causes failure of one PORV is a single fault. This turns out to be all twelve events included in the fault tree, which includes five seismic failures. In addition to the faults described below, random failures of the DCs and failure to isolate portions of the PCC are included. There are no double or triple faults for this case.

For the small LOCA case, only those events which lead to failure of both PORVs make up the single-order cut sets. There are nine of these faults, five of which are seismic.

Seismic failure of the station transformers, PCC/ SCC coolers,' air conditioner chillers, circulation water pump house, DG day tanks, failure to refill the DG fuel tanks or DG common cause failure causes loss of power to both PORVs. Commen cause failure of the PORVs, or operator failure to actuate feed and bleed, will also fail the system. There are two system double faults, both of which include only nonseismic events. Both faults lead to PORV failure as a result of support system failures. There are no system triplets.

3.3 Svstems Analysis of Succort Systems The support systems which are required for operation of the Group A front-line systems described in Section 3.2 are primary and secondary component cooling water, service water, electric power and actuation. The analysis of these systems is similar to that for the front-line systems.

3.3.1 Component Cooling Water Systems Component cooling water consists of the primary component cooling water (PCC) system and the secondary component cooling water (SCC) system. PCC and SCC provide the cooling required by plant equipment for normal operation, and decay heat removal during cooldown or accidents. The PCC and SCC are redundant systems, in that PCC will provide cool:ng for one train of a front-lire system and SCC will provide cooling for the other train. Within the PCC and SCC systems, operation of at least one pump and one cooler are required for system success. Each system consists of a surge tank, two motor-driven pumps, two coolers (heat exchangers) and valves for isolating nonessential portions of the system. Complete lists of the components, valves, cooling requirements and cooling !aads are in Appendix E for the PCC, and Appendix F for the SCC.

Schematics of the PCC and SCC systems are shown in Figures 3-4 and 3-5 respectively.

One pump in each system (located in the turbine building at el. 21 ft) is normally 3-9

operating. The standby pump will start automatically on a supply header low pressure signal. Upon loss of offsite power, the diesel generator load-sequencer will start the pump which had been operating in each system, after a 10-second delay. If all four pumps were operating, only the preferred pumps (P-9A and P-10A) will be restarted. If a preferred pump fails to start, the alternate must be started manually. In each system, one cooler (also located in the turbine building at el. 21 ft) is normally in service. The cooler in standby has its cooling water outlet valve closed. As there must be flow through a cooler for system success, the cooler bypass valves (PCC-T-20 and SCC-T-23) must be closed. The cooler bypass and isolation valves are linked by a single operator and fail.to the full cooling position. The cooling water flows from the coolers to the non-isolated loads and is returned to the pump suction headers.

Support systems required for component cooling _ water availability are 4160-V ac

~

emergency power,125-V de power, and service water.

The following items provided the basis for the development of the fault tree logic:

e A new procedure change will instruct the operator to isolate portions of the PCC system following an earthquake if the PCC surge tank low level alarm is annunciated. This is accomplished by closing valves PCC-M-90, PCC-M-ISO, PCC-M-219, and PCC-A-268. It is assumed that failure or inability to close these valves will result in loss of PCC, due to a potential breach of the system pressure boundary.

Only those loads which are not isolated were included in the PCC fault tree.

e The nonseismic loads in the SCC system are isolated by. valves SCC-A-460 and SCC-A-461, which close automatically on a suction header low pressure signal, indicating a breach in the system pressure boundary. It is assumed that failure of these valves to close will result in loss of SCC. (Although it is on a return line, SCC-A-461 must close as there is no check valve to prevent backflow through the line.) Only those loads which are not isolated .were included in the SCC system fault tree.

e All four pump motors are equipped with drip-proof shields. It is judged that these shields will provide protection from potential spray from the fire water lines located over _the pumps if the lines break.

e it is assumed that control power for.the motor-operated valves is transformed off the same bus which provides the valve motive power.

e Check valve failures, random valve failures, and failure due to plugging, testing or maintenance are of low probability and are excluded from the analysis.

l e The instrument air supply for the SCC isolation valves is not modeled beyond the accumulator (TK-110) which is seismically designed. The accumulator inlet line contains two check valves to prevent depressurization, and TK-110 contains enough air to reposition the valves once and hold them closed for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

! e The chemical additive tank and supply line are not included as a potential flow diversion path in either system. The supply and return 3-10

l 1

Lines each contain a normally closed manual valve. (The PCC P&lD incorrectly shows these valves as normally open.)

e The gland leak-off tank (TK-93, 94), pump (P-II2,113), and filter (FL-69, 70) are not included as a potential flow diversion path in either system. Only a small amount of leak-off flow is present in comparison to cooling water flow.

e The surge tank vent, overflow and waste lines are not included as a potential flow diversion path in either system. The vent and overflow lines contain an automatic valve, and the waste line contains a normally closed manual valve.

e The recovery action of placing the standby cooler in service by opening the manual outlet valve is not included in the system fault trees. This action would not significantly change the plant HCLPF.

e The failure of the SCC line to the penetration coolers by the collapse of block wall VE 21-3,4 is included in the SCC system fault tree.

The basic fault trees for the PCC and SCC systems are shown in Appendices E and F, respectively. These trees include all system components and nonisolated cooling loads, along with the required support system inputs. As in the front-line system fault trees, the types of failures were not specified. The top event of each tree represents loss of cooling to the required safety system components. This event may occur by common cause failure of the cooling water pumps, f ailure of a nonisolated cooling load (breach in system pressure boundary), failure of the required system isolation to occur, or failure within the system to provide flow. The last event may be caused by lack of flow through the in-service cooler, or by loss of both system pumps. There are several events on the tree which may lead to these f aults.

The screening criteria described in Chapter 2 were applied to the cooling water system components in order to prune the PCC and SCC fault trees. The results of this screening are summarized in Tables 3-11 and 3-12 for PCC and SCC, respectively. The f ailure probability calculations and results are detailed in Section 3.4. Although the PCC and SCC coolers and the air conditioner chillers are located in separate systems, there is only one event for cooler seismic failure (CCW-HTX-EQ-4BSA) and one for chiller seismic failure (CCW-ACX-EQ-CHILL). This is because the coolers are located in the same area, and are identical components. The pruned cooling water fault trees were then merged into the front-line system trees. Therefore, the analysis of the merged front-line fault trees includes f ailures due to loss of PCC and SCC.

3.3.2 Service Water System The service water (SW) system is not directly a support system for the Group A front-line systems, but is a support system for the support systems required by Group A systems. It provides cooling for the PCC and SCC systems. Operation of at least one SW pump is required for system success. For PCC success there must be SW flow to the PCC cooler in service, and for SCC success there must be SW flow to the SCC cooler in service. The service water system consists of four traveling screens, four motor-driven pumps, and manual valves to align service water flow to the PCC and SCC coolers. Lists of the SW components and cooling requirements are in Appendix G.

3-11

A drawing of the SW system is shown in Figure 3-6. Two of the pumps (located in the circulating water pump house, el. 7 ft) are normally operating, the two standby pumps must be placed in service manually when necessary. Upon loss of offsite power all four pumps receive a start signal from the diesel generator load sequencer, the pumps are interlocked so only one in each pair will run to prevent overloading (i.e., if P-29A starts, P-29C will trip off). One PCC and one SCC cooler are normally in service. The PCC and SCC coolers in standby have their SW outlet valves closed. Service water flows from the PCC and SCC coolers to the seal pit. Support systems required for SW availability are 480-V ac emergency power and 125-V de power.

The following items provided the basis for the development of the fault tree logic:

e The capacity of the traveling screens is large enough that it is assumed to be unlikely for all four to be blocked badly enough to choke all four SW pumps. The screens are designed for the circulating water system, with much larger flows than the SW system. Also, the screens are heavily used only a few times a year, therefore they have been excluded from the analysis.

e The loss of all four SW pumps due to high water level in the pump house is judged to be improbable. An alarm is sounded at a 3-inch water level, and the circulating water pumps trip off at a 10-inch water level. As the SW pump motors are mounted above the pumps, a 10-inch water level is not threatening.

e All valves on the main SW lines, except for the standby cooler outlets and pump discharge header cross-tie, are assumed to be normally open.

e Check valve failures and plugging of manual valves are of low probability and excluded from the fault tree.

e The lines for the screen wash systems are not included as potential flow diversion paths, as they are less than one-third the size of the pump discharge header. Also the screen wash system and traveling screen motors are interlocked, with neither powered from an emergency bus. Thus upon loss of offsite power the screen wash system is inoperable.

e The mussel control pump and discharge line are not included as a potential flow diversion path, as it is normally isolated and only used in special operations, e All sample lines, pumps and collection tanks are excluded as potential flow diversion paths. These lines are considerably less than one-third the size of the main SW lines.

e Recovery actions, such as placing a standby cooler in service, are not included in the f ault tree. This does not significantly impact the HCLPF analysis.

e Collapse of the circulating water pump house will fail all four service water pumps.

3-12

1 l

l The service water system fault tree is shown in Appendix G. This tree includes nonspecific faults for each of the SW components, along with the required support system interfaces. The top event, loss of service water flow through the PCC/ SCC coolers, is caused by common cause failure of the SW pumps, or by a system failure which prevents flow to the coolers. The latter would be caused by isolation of all four coolers, or failure of all four ser/ ice water pumps.

Screening techniques from Chapter 2 were used to prune the SW system fault tree. The results of this screening process are listed in Table 3-13. Of all the front-line and support systems analyzed, the service water system is unique in that all system component f ailures (seismic and nonseismic) were screened out, leaving only the power inputs and circulating water pump house failure. When support system fault trees were merged with the front-line system trees, the power inputs were pruned to eliminate circular logic (SW fails PCC f ailing DG-1A f ailing Bus 7 failing SW pump A). Therefore the only f ault from the ser< ice water system in the front-line system cut sets is collapse of the pump house.

3.3.3 Electric Power System The electric power system consists of the emergency ac power (ACP) system, the dc power (DCP) system, and the onsite electric power (OEP) system (i.e., the diesel generators). The OEP system provides power to the emergency buses of the ACP system upon loss of offsite power. The ACP system provides operating power to the plant equipment, feeds the DCP system battery chargers, and provides 120-V ac power to plant instrumentation. The DCP system provides 125-V dc power to the switchgear, vital bus inverters, instrumentation and controls. The OEP system consists of two diesel generators (DGs), each with a fuel oil supply system, air starting system, and distribution and control panels. The ACP system consists of two 4160-V ac emergency buses, two 4160 to 480-V station transformers, two 480-V ac emergency buses, six 480-V ac emergency motor control centers (MCCs), and four 120-V ac inverters. The DCP system consists of four 125-V dc buses, each with a station battery and battery charger, and four distribution panels. Complete lists of the ACP and DCP system components are included in Appendix H. The OEP system components and cooling requirements are also in Appendix H.

Simplified schematics of the ACP, DCP, and OEP systems are shown in Figures 3-7,3-8, and 3-9. Both DGs (located in the turbine building auxiliary bay, el. 22 ft) are normally in standby. A DG is automatically started by a one-second loss of voltage on its associated emergency bus (Bus 5 for DG-1 A, Bus 6 for DG-1B). A DG will also start on a 10-second low voltage condition in its associated bus, concurrent with a SIAS (this case was not included in the analysis). A separate fault tree is constructed for each DG and each MCC (MCC 7B and 7B1, and MCC SB and SBl are treated as the same MCC as they are connected by a tie without a breaker). The 4160-V ac buses,480-V ac buses, and 125-V dc buses are included within the MCC fault tree logic. The 120-V ac buses and inverters were excluded as they supply instrumentation and actuation systems which were screened out. Also, for solenoid-operated valves requiring 120-V ac power, the batteries which feed the inverters have been shown as the inputs to the front-line systems. Support systems for the electric power system are PCC and SCC for the DG coolers.

The following items provided the basis for developing she fault tree logic:

e Cooling for the switchgear, cable tray, and battery rooms is provided by f ans FN-31 and FN-32. Upon loss of offsite power, ac power loads 3-13

are shed and only some reloaded by the load sequencer. It is assumed that there is sufficient load reduction to not require switchgear cooling for a long period of time, so the fans were removed from the fault tree.

e The diesel generator room exhaust fans must be operating, and the air intake and exhaust dampers open. It is assumed the dampers are powered off the same bus as the DG room fan.

o Because the operator must make a periodic check of the DG day tank fuel level, it is judged that the tank will not be allowed to drain :

through a broken vent line without some preventive action taken.

e It is judged that flooding of the diesel rooms is of low probability.

The curbs at the room entrances protect against external flooding from the Turbine Building and the threaded fire water piping in the rooms is normally dry. Heat and smoke are required to actuate the spray of aqueous foam.

e Replacement of the current lead-antimony station batteries with lead-calcium batteries will sufficiently raise their seismic capacity, e Relay chatter is not included in the analysis based on the guidance in NUREG/CR-4334 and 4482.

e Nonseismic circuit breaker failure is of low probability and excluded from the analysis.

e The bus cross-tie breakers are physically constructed to prevent closing unless one of the bus normal feed breakers are open.

Therefore no failures were postulated for spurious closure of the cross-tie breaker resulting in the failure of both buses, e

The tie from the 480-V ac buses to the inverters is a synchronizing tie, which ensures that the 120-V ac vital system is at the same frequency as the rest of the ACP system. The only power supply to the inverters is the batteries.

e Although there is a procedure for feeding a 125-V dc bus with an alternate battery (e.g., battery 3 to feed DC-1), this is a recovery action and is not included in the fault tree. Because the new batteries have high HCLPFs, this action is not significant to the plant HCLPF.

e Although the 480-V ac MCCs provide power to the battery chargers, this relationship is not shown on the fault tree as it would create circular logic (MCC 7A fails BC-1 failing DC-1 failing Bus 7 SWGR failing MCC 7A). For the purpose of starting the DGs, the required de power is only available from the station batteries.

e The logic of the diesel generator load shed/sequencers is not developed in the fault trees. As long as the relays of the sequencer i

are not physically damaged, the sequencer may be reset from the main control board (MCB) or from local panels near the DGs. Once 3-14

reset, loads on the sequencer may. be started from the MCB. The relays are located in the main electrical panelin the control room, e The diesel engine, generator, blower which cools the generator, air starting units, integral fuel tank and pumps, integral cooling water pumps, and lubricating oil system are treated as a single component in the f ault trees (DGIA and DGlB).

e The external DG fuel oil systems are represented separately in the fault trees. Each system consists of a day tank, an auxiliary fuel oil transfer pump and an underground fuel oil storage tank.

e The external DG air starting tanks are represented separately in the f ault trees. For each DG there are two air receiver banks, consisting of three compressed air tanks each. One bank is sufficient to start a DG.

e The auxiliary boiler fuel oil supply lines from the auxiliary fuel oil transfer pumps are not included as potential flow diversion paths.

Each line contains a normally closed air-operated isolation valve which fails closed.

e Refilling the integral fuel tanks by opening the manual valves is included in the f ault trees as this is an operating procedure performed approximately every 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . Refilling the day tanks by placing the oil pumps in service is also included in the trees.

e Some recovery actior.s are not included in the fault trees. This includes opening the manual valves between air receiver banks, and opening the manual valves which allow fire water to supply the DG coolers.

e The DG-1B cooler SCC outlet valve, SCC-T-305, is physically held open to provide continual flow through the cooler.

The f ault trees for MCC 7A, Bus 7, Bus 5, and dc Bus 1, for MCC 8A, Bus 3, Bus 6 and dc Bus 3, and for DG-1A are shown in Appendix H. The trees for MCC 7B, MCC 8B, and DC-1B are analogous to these. The top events of the MCC trees are failure of the MCC, due to faults within the MCC or failure of the 480-V bus. Loss of the 480-V bus is due to f aults within the bus, failure of the station transformer or failure of the 4160-V bus.

Loss of the 4160-V bus is due to f aults within the bus, f ailure of the DG, f ailure of the l

load sequencer, insufficient switchgear cooling or loss of the de bus. Failure of the dc bus is caused by f aults within the bus, failure of the battery or failure of the battery charger.

The top event of the DG f ault trees is loss of power output from the diesel generator, due to f ailure of the output or bus cross-tie breakers, failure of the DG control and distribution panels, loss of dc power required to start the DG, or failure of the DG.

Failure of the DG is caused by f aults within the diesel generator, failure of the fuel oil supply, f ailure of the DG start signal (caused by loss of bus voltage), failure of the air starting banks, failure of the room f an or dampers, or insufficient cooling of the engine.

The screening criteria were applied to the electric power system components to prune the fault trees. The results of this process are summarized in Table 3-14. The f ailure 3-15

probability calculations and results used are detailed in Section 3.4. The pruned electric power system f ault trees were then merged with the front-line system trees in order to determine the front-line system minimal cut sets. Faults from the electric power systems which will lead to front-line system failure are included in the front-line system cut set tables in Section 3.2.

3.3.4 Actuation Systems Various actuation systems are required to initiate engineered safeguards systems, these include the safety injection actuation system (SIAS), the containment isolation system (CIS), the containment spray actuation system (CSAS), the recirculation actuation system (RAS), and the reactor protection system (RPS). The AFW actuation system was included with the AFW system. Of these, SIAS is the only system required by the evaluated Group A systems. The SIAS consists of two trains both of which are actuated by the same four instrument channels (2/4 logic). These channels consist of instruments which measure pressurizer pressure and containment pressure. SIAS is actuated on low-low pressurizer pressure or high containment pressure. A list of instrumentation for the actuation systems is shown in Appendix 1.

Loss of power within a logic channel results in a channel trip. Loss of power in the actuation logic leads to an actuation signal. Loss of power also results in the disenabling of the SIAS block. For these reasons power inputs were not included in the SIAS fault trees. As sufficient separation of the instrument channels exists, the system was not modeled down to the sensor and relay level (undeveloped events).

The fault tree for SIAS Train A is shown in Appendix I. The fault tree for Train B is analogous to this. Operator actions to unblock and initiate SIAS are included in the trees. Since there is sufficient separation of the required instrumentation and there is operator ability to actuate the system, automatic actuation of SIAS is not judged to be an issue. Therefore, the SIAS inputs were pruned from the front-line and support system f ault trees and the SIAS f ault trees were not further developed.

3.4 Pro 5 ability Calculations The data for the probability calculations of the nonseismic common cause, random, test and maintenance, and operator failures are shown in Table 3-15. Unless otherwise stated, mean beta factors from EPRI NP-3967 (Fleming, et al., 1985) and mean unavailabilities and failure rates from ASEP were used in the calculations. The results were later converted to median values based on the following:

Error Mean to Median Factor Conversion 3 1.26 5 1.6 10 2.66 Median = Mean Conversion l The following items were used as the basis for the calculations:

e The automatic valves in the AFW system are air-operated, for which a beta factor was not found. These valves fail open on loss of air or 3-16

t I I f

1

{' power so the probability of common cause failure was judged to be below the screening cutoff value.

t ' !

e Steam binding'of the three AFW pumps was the major. common cause failure mode considered.

! e The HPSI common cause failure calculation does not include the spare pump, P-145. Common cause failure of the three pairs of injection l valves is below the cutoff value. . Common cause failure of the five -

remaining valve pairs (RWST. outlet, RHR heat exchanger isolation, ,

chargi g line isolation,' pump dis' charge, and recirculation _ sump valves was included in the calculation.-

e The time used in determining HPSI pump fail to run (FTR).(12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months )

~

is based on the expectation that after this time the LPSI pumps would be placed in sevice, or the auxiliary charging pump could be used.

1 l

e A beta factor of 0.08 was used for the PORVs. The beta factor for a PWR safety relief valve is 0.07, and for an MOV it is 0.08.

e The DG auxiliary fuel oil pumps are small (Iow head), but are located ,

in a relatively harsh environment. Therefore a beta factor of 0.11 was used. The probability _ of failure to run 'for 'these pumps is insignificant.

e The failure to start figure for random failure of the DGs is taken from ORNL data (Battle, .1985). The testing and maintenance

calculation reflects the estimate by _ Maine Yankee personnel of six days of T&M time per year.

e To place the turbine-driven AFW pump in service the' operator must open the steam supply valves and monitor the flow. The time allowed to do this is roughly 45 minutes. It is assumed that after 20 to-30 minutes of attempting to start the pump from the main control room (MCR) he would attempt _ to do so locally. The human error probability (HEP) for starting the pump from the control room is 0.05.

i

! e The operator may attempt to start the turbine-driven AFW pump _

locally after a hardware or actuation / power failure. It is assumed to take about 10 minutes to diagnose failure of the motor-driven pump, 10 minutes to_ attempt starting the TDP from ~ the MCR, and 10 minutes to get to the TDP to start it locally. The _ operator then has roughly 10 minutes lef t to start the pump. ~The HEP for 5 to 10 '

minutes is 0.25, and for 10 to 20 minutes is 0.10; the average is 0.18.

e To align the PWST to the motor-driven AF.W pumps, the pumps must be tripped to prevent cavitation-(5 to 10 minutes), and the manual valves from the PWST opened and the pumps restared before the SGs empty (30 to 40 minutes). Isolation of the DWST is not required due to the placement of check valves. The HEP for tripping the pumps is

0.25, and for opening the valves and restarting the pumps it is 0.03, for a total of 0.28.

q l

3-17 q 1

i

.j I

e The operator actions for feed and bleed are guided by the ERGS and FRGs. Various studies show the response time to be 15 to 45 ' minutes.

Because no plant specific study was available, the 20 to 30 minute HEP was used (0.05). This valve is higher than most other feed and bleed estimates (ASEP gives approximately 0.01), but the operators will first attempt to start the AFW pumps, and it is an earthquake situation.

e The new procedure for PCC isolation calls for the operator to close four valves from the MCR in the event of an earthquake with low level alarm on the PCC surge tank. If there are PCC ruptures inside !

containment, the operator may not have much time to perform this action, and indications other than the surge tank level alarm may not be checked or available. A 10- to 20-minute time period, with a 0.1 HEP, is used. Recovery is not considered likely.

o Appoximately every 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months the operator must refill the DG integral fuel tanks, and occasionally refill the day tanks from the underground storage tanks. The steps for this are included in the loss of offsite power procedures and are simple, but must be performed local to the DGs. Failure to do so would cause the DG to stop, making it necessary to reprime and restart. Because the procedure is not difficult to perform, and the failure is recoverable, a probability of 0.01 is used.

3-13

i Table 3-1. Front-line system vs support system dependency matrix.

SUPPORT SYSTEMS AC Power DC Power CCW SIAS IA FRONT-LINE Bus 5 -Bus 6 DC-1 DC-3 Train Train 4"

Bus 7 Bus 8 DC-2 DC-4 PCC ' SCC A B TK-25 SYSTEMS j

~

HPSI/

RECIRC P-14A X X to RCS X X P-14B.

X X to RCS X X FN-44A: X X

, FN-44B X 'X i

AFW P-25A X X X

P-25B

' i P-25C X X PORVs

,' PR-S-14 X PR-S-15 X Note: To determine the front-line system dependencies on the support systems, )

locate the front-line component in the first column and read across the row to find the support system dependencies.

3-19

5 Table 3-2. Support system vs support system dependeaCy matria.

. . . . _ . AC fyr._ ___ acfmr 4160V Bus 4tt0V Bus 120V Vjtal Rus

" DG 125v Bus CrW - SW SIAS HVAC IA=

SuPP0AI SYSTEM 5 6 FN- FN. (N. FN. ~1K7.

7 8 I 2 3 4 IA 2A l' 2 3 4 pCC SCC A B . 20A 24 8 33 32 . 310 AC 4160V 5 X X Power Bus 6 X X X X X X 480V F X Bus X 8 X X. I X

X .X 120V I Vital 2 X t

Bus 3 X 4 X . '

I W Diesel IA k

O Generator IB X

'X-X X

X X

DC 125V I X Power Bus 2 X X X 3 X X X 4 X X X.

X X CCW PCC X SCC X X X X X

X

$WS X X SIAS Channel A B X

'C X.

O 'I I

Act. SIS-A X

t 515-8 X

HVAC FN.20A I fN.200 X TN-31 ~X fH-32 X L

- Hote:

Toother

,the determine the support support systems. system dependencies on other support systems, locate the support system la the first Column,a and read across

~ ependenCles on the r

Table 3-3. AFW screening overview table.

Event l Value 2 Screening Logic Component

>0.39'.

AFW-A0V-XX-101 Out-High HCLPF >0.3g AFW-A-101 AFW-A0V-XX-201_

Out-High HCLPF >0.3g AFW-A-201 AFW-A0V-XX-301 l Out-High HCLPF r AFW-A-301 .

>0.3g AFW-A0V-XX-338 i Out-High HCLPF 'AFW-A0V-XX-339 AFW-A-338'

~

Out-High HCLPF AFW-A0V-XX-340 AFW-A-339 Out-High HCLPF AFW-A-340 ~~

Out-Integral to P-25A E-86A E-868 Out-Integral to P-25B i

E-86C Out Integral to P-25C i

Out-Group Not-A ( Atm. Steam Dump)- .

>0.3g MS-A-162 AFW-A0V-XX-A173 Out-High HCLPF --

MS-A-173 Out-Group Not-A (Atm. Steam Dump)

MS-N-161 Out-Group _Not-A (Aux. Steam)

MS-M-255 AFW-PCV-XX-P168 >0.39

' Out-High HCLPF >0.39 3 w MS-P-168- AFW-PCV-XX-T163 Out-High NCLPF

-h MS-T-163: ..

>0.5g AFW-MDP-XX-PTRNA :

Out-High HCLPF . .

P-25A AFW-TDP-LF-P258 . 8.0E-2' i In-Random (High HCLPF) >0.5g P-258 AFW-MDP-XX-PTRNC

P-25C Out-High HCLPF. Y T-1~ Out-Considered with TDP P-25B AFW-TNK-EQ-PWST' 'O.27-TK-16 .In-Low HCLPF AFW-TNK-EO-DWST. .

0.17 TK-21 .In-Low HCLPF AFW-TNK-E0-TK25 : NA (>0.39)'-

TK-25-(Accum.) In-Unknown HCLPF .

Out-A0Vs fail open on. loss of air TK-111 (Accum.) ---- . - . ,

TK-123 (Accum.) ;0ut-A0Vs' fail open on-loss _of Lair c

AFW-CCF-FC-AFW 2.0E-4 In-Comon Cause failure for-pumps and. A0Vs System d the component remained in,the analysis. The l .NA indicates that..a HCLPF was not available at the time of. screening, an i' value-in parenthesis is the HCLPF that was available.later.-

- 1, 2 -- See Table 3-4 ~ for standard _ footnotes on the screening overview tables. _

___a_-.t 4 E E -- - , . , - - -

=,- - r

Table 3-4. Standard footnotes for screening overview tables.

Footnote Number 1 i Events using the XX cause code are shown in the basic system fault trees. Events using.other cause codes (EQ, FC, etc.) are shown in the pruned system fault trees.

Components with no event listed were screened out without being added to a fault tree. Appendix A contains the definitions of symbols and abbreviations.

2 Values shown are the preliminary HCLPF capacity for seismic failures, or the calculated probability of failure for nonseismic failures.

3 Components which make up the various actuation systems, which were screened out based on separation and operator ability to actuate manually. These systems included:

SIAS-A, B (SIS-ACT-FA-TRMA, B)

Steam Generator Level (RPS-ACT-FA-SGLEV)

PCC Pump Discharge Pressure (PCC-PST-FA-ACTPP)

SCC Pump Discharge Pressure (SCC-PST-FA-ACTPP)

SCC Header Isolation Pressure (SCC-PST-FA-1750A, B)

DG Load Shed/ Sequencer (OEP-DGN-VF-A, BLDSQ)

DG Initiation - Bus Voltage (OEP-ACT-FA-BUS 5,6)

NA Indicates that a HCLPF was not available at the time of screening, and the component remained in the analysis. The value in parentheses is the HCLPF that was available later.

l 3-22

-l 1

Table 3-5. AFW system cut sets.

4.

1 Nonseismic Ranked Single Faults Probability AFW-CCF-FC-AFW 2.0E-04 1

i Nonseismic ..

Probability L i

Ranked Double Faults AFW-TNK-EQ-DWST SF-i AFW-TNK-EQ-PWST AFW-TNK-EQ-DWST . SF i ACP-TFM-EQ-57X68 SF CCW-HTX-EQ-4BSA AFW-TNK-EQ-DWST AFW-TNK-EQ-DWST SF 4 CCW-ACX-EQ-CHILL SF SWS-BKW-EQ-CIRC AFW-TNK-EQ-DWST AFW-TNK-EQ-DWST 'SF

OEP-TNK-EQ-TK62X

! AFW-XHE-FO-EFWXX AFW-TNK-EQ-DWST 2.8E-01 :

5.0E-02 AFW-XHE-FO-TRBMC ACP-TFM-EQ-57X68 AFW-TDP-LF-P25B 5.0E-02

} ACP-TFM-EQ-57X 68 CCW-HTX-EQ-4BSA AFW-TDP-LF-P25B 5.0E-02.

j AFW-TDP-LF-P25B 5.0E-02 4; CCW-ACX-EQ-CHILL SWS-BKW-EQ-CIRC AFW-TDP-LF-P25B 5.0E-02

[ 5.0E : OEP-TNK-EQ-TK62X AFW-TDP-LF-P25B AFW-XHE-FO-TRBMC . - 5.0E CCW-HTX-EQ-4BSA AFW-XHE-FO-TRBMC ' 5.0E-02 CCW-ACX-EQ-CHILL AFW-XHE-FO-TRBMC 5.0E-02

SWS-BKW-EQ-CIRC .

AFW-XHE-FO-TRBMC 5.0E-02 L

) OEP-TNK-EQ-TK62X OEP-XHE-FO-FUEL AFW-TNK-EQ-DWST - 1.0E-02 OEP-CCF-FC-DGN AFW-TNK-EQ-DWST - 2.6E-03 l OEP-XHE-FO-FUEL AFW-TDP-LF-P25B 5.0E-04 AFW-XHE-FO-TRBMC OEP-XHE-FO-FUEL ., 5.0E-04 OEP-CCF-FC-DGN AFW-TDP-LF-P23B ' 1.3E l- 1.3E-04 i

OEP-CCF-FC-DGN AFW-XHE-FO-TRBMC SF indicates that the cut set events are seismic failures, and their HCLPFs will be .

provided by the fragility analysis team.

I 3-23

Table 3-6. HPSI/CSPPCL screening overview table, r

Component Screening logic Eventl Value2 CH-A-32 Out-High HCLPF CH-A-33 HPI-A0V-XX-CHA32 >0.3g Out-High HCLPF HPI-A0V-XX-CHA33 >0.3g CH-F-38 Out-Is01ated by CH-A-32, 33 HPI-MOV-XX-CHF38 --

! CH-M-1 i CH-M-87 Out-Path ruled out as flow diversion ---

Out-Path ruled out as flow diversion ---

C S-M-1 Out-Group Not-A (Recirculation) ---

C S-M-2 Out-Group Not-A (Recirculation)'

C S-M-91 Out-Group Not-A (Recirculation) ---

C S-N-92 Out-Group Not-A (Recirculation)

E-34 t

E-67 Out-Path ruled out as flow diversion ---

Out-Isolated by CH-A-32, 33 HPI-HTX-XX-REGEN Y E-96 Out-Isolated by CH-A-32, 33 .--

% HPI-HTX-XX-SLWTR --

FL-34B Out-Isolated by CH-A-32, 33 HPI-FLT-XX-SLWTR --

FN-44A Out-High HCLPF FN-44B Out-High HCLPF C SS-FAN-XX-FN44A >0.3g CSS-FAN-XX-FH44B >0.3g H SI-M-11 Out-High HCLPF HSI-M-12 Out-High HCLPF HPI-MOV-XX-MV11 >0.3g -

H SI-M-21 Out-High HCLPF HPI-MOV-XX-HV12 >0.39 HSI-M-22 HPI-MOV-XX-MV21 '>0.3g Out-High_HCLPF H SI-M-31 Out-High HCLPF- HPI-MOV-XX-HV22 > 0.3g HSI-M-32 . Out-High HCLPF HPI-MOV-XX-HV31 >0.3g H SI-M-41 Out-High HCLPF HPI-MOV-XX-MV32 >0.3g HSI-M-42 Out-High HCLPF HPI-MOV-XX-MV41 >0.3g H SI-M-40 Out-Recovery only HPI-MOV-XX-MV42 >0.3g

' ~

ilSI-M-43 - Out-Recovery only H SI-M-50 Out-High HCLPF -

H SI-M-51 Out-High HCLPF

.HPI-MOV-XX-MV50 >0.39

. H SI-M-54 HPI-MOV-XX-HVS1 >0.3g Out-Group Not-A (Recirculation)

HSI-M-55 Out-Group Not-A (Recirculation).-

..n r

Table 3-6 (Cont'd)

Event l Value 2 Component Screening logic LSI-M-40 Out-Group Not-A (LPSI) ---

LSI-M-41 Out-Group Not-A (LPSI)

HPI-MDP-XX-PTRNA >0.59 P-14A Dut-High HCLPF >0.59 HPI-MOP-XX-PTRNB P-14B Out-High HCLPF ---

P-14S Out-Spare, recovery only P-61A Dut-Group Not-A (Recirculation) ---

P-618 Out-Group Not-A (Recirculation) ---

P-61S Out-Group Not-A (Recirculation)

Out-Isolated by CH-A-32, 33 HPI-MOV-XX-SLP3 SL-P-3 Y HPI-TNK-EO-RWST 0.21g g TK-4 In-Low HCLPF 0.599 Out-High HCLPF HPI-TNK-XX-SCAT ,

TK-54

>0.5g VE 21-1,'2 ' Out-Although failure impacts FN-44A, B, upgraded wall is of sufficient capacity In-Common cause failure for pumps & MOVs. HPI-CCF-FC-HPSI 2.lE-3 System 1, 2 - See Table 3-4 for standard' footnotes on the screening overview tables.

, Table 3-7. HPSI system cut sets.

j. <

, t: .

j .

' Nonseismic Ranked Single Faults s Probability ACP TFM-EQ-57X68 SF

i. HPI-TNK-EQ-RWST - SF CCW-HTX-EQ-4BSA 51 s CCW-ACX-EQ-CHILL ,

SP7 I SWS-BKW-EQ-CIRC SF' OEP-TNK-EQ-TK62X SF OEP-XHE-FO-FUEL 1.0E-02 OEP-CCF-FC-DGN 2.6E-03 OEP-CCF-FC-HPSI 2.lE-03 1

L P

' Nonseismic Ranked Double F$ilts - Probability i

PCC-XHE-FO-ISOL OEP-PSF-FC-DGIB 6.7E-03

OEP-PSF-FC-DG IB OEP-PSF-FC-DG I A - 4.5E-03 ,

. e

' [:,

SF indicates that the cut set events are seismic failures, and their HCLPFs will be provided by the fragility analysis team.

a.

4 34 gi '/ --

s, y 9

g s-

" 3-26'

, _ , , , , , . -nr-- <m--e -

2 s 's- -* "a * *N "" ' ' * 'Y

. -. . ._ . - _ _ , . . = - - ,

Table 3-8. PORVs screening overview table.

Screening logic ' Event l Value 2 Component E-2 Out- Not required for Group A (Feed.& Bleed) ---

Out-High HCLPF PPS-MOV-XX-PRM16 >0.39 PR-M-16 Out-High HCLPF PP S-MOV-XX-PRM17 >0.39 -

PR-H-17 PR- S-11 Out-Not required for feed and bleed --- --

P R- S-12 Out-Not required for feed and bleed --- --

PR-S-13 Out-Not required for feed and bleed --- --

PR- S-14 Out-High HCLPF PP S-50V-XX-PRS 14 >0.39 PR- S-15 Out-High HCLPF PP S-50V-XX-PRS 15 >0.39 In-Common cause failure for PORVs and PPS-CCF-FC-PORVs 8.0E-4 System Y block valves 0

1, 2 - See-Table 3-4 for standard footnotes for the screening overview tables.

-_ . -. 1

l Table 3-9. PORY (no LOCA) cut sets.

l Ranked Single Faults Probability CCW-HTX-EQ-4BSA SF CCW-ACX-EQ-CHILL SF SWS-BKW-EQ-CIRC SF OEP-TNK-EQ-TK62X SF ACP-TFM-EQ-57X68 -SF PCC-XHE-FO-ISOL 1.0E-01 OEP-PSF-FC-DG IA 6.7E-02 OEP-PSF-FC-DG1B 6.7E-02 PPS-XHE-FO-FDBLD 5.0E-02 OEP-XHE-FO-FUEL 1.0E-02 OEP-CCF-FC-DGN 2.6E-03 PPS-CCF-FC-PORYS 8.0E-04 No Double Faults SF indicates that the cut set events are seismic failures, and their HCLPFs will be provided by the fragility analysis team.

3-28

Table 3-10. PORV (small LOCA) cut sets.

Nonseismic Ranked Single Faults Probability CCW-HTX-EQ-4BSA SF CCW-ACX-EQ-CHILL SF SWS-BKW-EQ-CIRC SF.

OEP-TNK-EQ-TK62X SF ACP-TFM-EQ-57X68 SF PPS-XHE-FO-FDBLD 5.0E-02 OEP-XHE-FO-FUEL 1.0E-02 OEP-CCF-FC-DGN 2.6E-03 PPS-CCF-FC-PORVS 8.0E-04 Nonseismic Ranked Double Faults Probability PCC-XHE-FO-ISOL OEP-PSF-FC-DG IB 6.7E-03 OEP-PSF-FC-DG I A OEP-PSF-FC-DG IB 4.5E-03 SF indicates that the cut set events are seismic f ailures, and their HCLPFs will be- j provided by the fragility analysis team.

1 3-29

A Table 3-11. PCC screening overview table.

1 Component Screening Logic Event I- Value2 AC-1B In-Unknown HCLPF of chiller CCW-ACX-EQ-CHILL NA (0.389)

E-3A Out-High HCLPF E-4A PCC-HTX-XX-E3A >0.39 Out-Standby, recovery only E-4B In-Unknown HCLPF E-25 Out-High HCLPF CCW-HTX-EQ-4BSA NA (0.319)

E-54-1 thru 6 Out-High HCLPF PCC-HTX-XX-E25 '>0.39 E-82A Out-High HCLPF PCC-HTX-XX-E54X. >0.3g E-91B Out-High HCLPF PCC-HTX-XX-E82A

' >0.39 E-92B Out-High HCLPF PCC-HTX-XX-E918

>0.59 PCC-HTX-XX-E928

>0.39 P-9A Dut-High HCLPF P-9B Out-High HCLPF PCC-MDP-XX-PTRNA >0.5g PCC-MDP-XX-PTRNB

>0.59 P-7 Cooler' Out-High HCLPF i' P-12A Cooler Out-High HCLPF PCC-HTX-XX-P7

>0.59 hl P-14A Cooler Out-High HCLPF 'PCC-HTX-XX-P12A

>0.59 P-14S Cooler -Out-High HCLPF 'PCC-HTX-XX-P14A

->0.59 P-61A Cooler. ;0ut-Integral to pump. -PCC-HTX-XX-P14S

>0.59 -

P-615 Cooler Out-Integral to pump Penetration Coolers Out-High HCLPF -

PCC-HTX-XX-PEN PCC-A-53

>0.59 Out-Return line isolation only P

.PCC-A-216 ,0ut-High HCLPF --. .

L PCC-A-238 Out-Return .line isolation only - PCC-A0V-XX-AV216.

PCC-A-268 . ---

>0.39

' Out-High HCLPF. .

. --- 1 PCC-A-270 . PCC-A0V-XX-AV268 Out-Replaced in procedure.by PCC-A-268' ---

>0.3g ,

PCC-M-43 PCC-M Out-Return line ' isolation only ---

- Out-High HCLPF PCC-M-150 Out-High HCLPF PCC-MOV-XX-MV90

'PCC-M-219 >0.39 Out-High HCLPF PCC-MOV-XX-MV150 >0.3g-

.PCC-MOV-XX-HV219 >0.39-6

,,.- - , , , . . -- *--A--i w.~-- -._.__.____.__ _ _ _ . _ . _ . _ _ _

Table 3-11 (Cont'd) i Component Screening Logic Event I Value 2 Out-High HCLPF PCC-TCV-XX-TCV19 >0.3g PCC-T-19 >0.3g PCC-T-20 Out High HCLPF PCC-TCV-XX-TCV20

.Out-High HCLPF PCC-TNK-XX-SRGTK .>0.5g TK-5 System Out-Common cause failure of pumps PCC-CCF-FC-PCCW 1.4E-4 below cutoff (0.001)

NA indicates .that a HCLPF was not available at the time of screening, and the component remained in' the analysis. The y value in parentheses is the HCLPF that was available later.

1, 2 - See Table 3-4 for standard footnotes on the screening overview tables.

Table 3-12. SCC screening overview table.

Component Screening Looic EventI Value 2 AC-1A In-Unknown HCLPF of chiller CCW-ACX-EQ-CHILL NA (0.389)

AC-2 In-Unknown HCLPF of chiller CCW-ACX-EQ-CHILL NA (0.389)

E-3B Out-High HCLPF SCC-HTX-XX-E3B E-5A >0.39 In-Unknown HCLPF CCW-HTX-EQ-4BSA E-5B Out-Standby, recovery only ---

NA (0.319)

E-82B Out-High HCLPF SCC-HTX-XX-E82B E-91A Out-High HCLPF >0.39 SCC-HTX-XX-E91A >0.5g E-92A Out-High HCLPF SCC-HTX-XX-E92A >0.39 P-10A Out-High HCLPF P-10B SCC-HTX-XX-PTRNA >0.59.

Out-High HCLPF SCC-HTX-XX-PTRNB P-128 Cooier Out-High HCLPF >0.59 SCC-HTX-XX-P128 >0.59 P-14B Cooler Out-High HCLPF SCC-HTX-XX-P148 >0.5g P-61B Cooler Out-Integral to pump ---

Penetration Coolers Out-High HCLPF SCC-HTX-XX-PEN >0.5g SCC-A-460 .Out-High HCLPF SCC-A0V-XX-AV460 >0.39 SCC-A-461 Out-High HCLPF .

SCC-A0V-XX-AV461 >0.3g SCC-T-23 Out-High HCLPF SCC-TCV-XX-TCV23 >0.3g SCC-T-24 Out-High HCLPF SCC-TCV-XX-TCV24 >0.39 TK-59 Out-High HCLPF SCC-THK-XX-SRGTK >0.59-VE 21-3, 4 Out-Although failure impacts SCC line to ---

+

penetration coolers, wall has high HCLPF >0.59 t

System Out-Common cause failure of pumps below SCC-CCF-FC-SCCW l.4E-4 cutoff (0.001)

NA indicates that a HCLPF was not available at the time of screening, and the component remained in the analysis. The.

value in parentheses is the HCLPF that was available later.

1, 2 -

See Table 3-4 for standard footnotes on the screening overview tables.

Table 3-13. SWS screening overview table.

i I

Component Screening Logic Event l Value 2 Circ. Water Pump House In-Low HCLPF SWS-BKW-EQ-CIRC 0.309 E-4A Out-standby, recovery only --- --

Out-Seismic failure considered for CCW SW S-HTX-XX-E4B --

E-4B out-Seismic failure considered for CCW SWS-HTX-XX-ESA --

E-SA E-5B Out-Standby, recovery only --- --

P-29A Out-High HCLPF SWS-MDP-XX-PTRNA >0.59 P-29B Out-High HCLPF SWS-MDP-XX-PTRNB >0.59 P-29C Out-High HCLPF SWS-MDP-XX-PTRNC >0.59 Out-High HCLPF SW S-MDP-XX-PTRND >0.5g P-29D w

Out-Common cause failure of pumps below ' SWS-CCF-FC-PUMPS 1.4E-4 h System cutoff (0.001) 1, 2 - See Table 3-4 for standard footnotes on screening overview tables, i

.. . ., .- - - . .. .-,- . . . . - - . . . ~ - . . - . - --- -. .- -

4 Table 3-14. Electric power screening overview table.

Component Screening Logic Event I Value 2 120 VAC Bus 1 thru 4 Out-Included with MCB --- --

120 VAC Bus lA thru 4A Dut-High HCLPF ---

>0.39 125 VDC Bus 1 thru 4 Out-High HCLPF DCP-BDC-XX-BUS 1 (etc.) >0.3g 125 VDC Cab. DC/CE-1 Out-High HCLPF ---

>0.5g .

125 VDC Cab. DC/CE-2 'Out-High HCLPF ---

>0.5g

' Out-High HCLPF 125 VDC Panel DP/P ---

'>0.5g 125 VDC Panel-DP/BU Out-High HCLPF ---

>0.59 ,

480 VAC MCC 7A,7B,781 Out-High HCLPF .ACP-PSF-LP-MCC7A(B) >0.59 480 VAC MCC 8A,88,8B1 Out-High HCLPF ACP-PSF-LP-MCC8A(B). >0.5g .

480 VAC Bus 7,3 Out-High HCLPF ACP-PSF-LP-BHS7(8) >0.5g 4160 VAC Bus 5,6 Out-High HCLPF ACi-PSF-LP-BUS 5(6) >0.59 BATT-1 thru 4 Out-Assumed to be upgraded DCP-BAT-XX-BATI(etc.) >0.3g low connon cause failure DCP-CCF-LP-BATT 1.0E-4 U BC-1 thru 4 Out-High HCLPF DCP-BAT-XX-BCHl(etc.) >0.3g 3 j INVR-1 thru 4 Out-High HCLPF ---

0.34g Transformer X-507 In-Low HCLPF ACP-TFM-EQ-57X68 0.3g Transformer X-608 In-Low HCLPF- 'ACP-TFM-EQ-57X68 ~0.3g -

Bus Cross-Tie Breakers .0ut-High'HCLPF ACP-BKR-CC-3T5 >0.3g d

Out-High HCLPF 'ACP-BKR-CC-4T6 .>0.39 Main Control Board. Out-High HCLPF' MCR-ACT-XX-CHTRL >0.39 Electrical Control Board Out-High HCLPF .--- >0.5g

., Aux. Logic Cabinets .0ut-High HCLPF ~

>0.59

ESF. Aux. Panels. Out-High HCLPF '

>0.5g Air Cond.' Control Panel Out-High HCLPF

.- > 0. 5 g

.-- -- - . _ _ - _ _ - - ..- . . . . . _ . - _ . . . . = . . __ _ _ - . - - - - - _ _ _ _ _ _ _ . - _ _ _ - _ _ - - _ - _ _ _ _ _

i Table 3-14 (Cont'd)

Screening Logic Event i Value 2 Component l,

--- > 0.5g !

SPDS Cabinets Out-High HCLPF 3 Out-High HCLPF --- >0.59 I Instrument Racks Cable Trays 3 Out-High HCLPF --- >0.59

{.

Impulse Lines 3 Out-Based on train and channel separation --- --

In-Random and common cause failures, OEP-PSF-FC-DGIA 6.7E-2 DG-1A High HCLPF OEP-CCF-FC-DGN 2.6E-3 In-Random and common cause failures, OEP-P SF-FC-DG1B 6.7E-2 DG-1B High HCLPF OEP-CCF-FC-DGN 2.6E-3 l

DG Output Breakers In-Combined with DG failure OEP-BKR-00-ACBIA(B) w DG-1A,8 Engine Out-High HCLPF OEP-ACT-XX-1A(B)CTL. >0.39 Control Panels DG-1A,B Distribution- Out-High HCLPF OEP-ACT-XX-1A(B)CTL >0.5g Panels-DG-1A,8 Control Panels Out-High HCLPF OEP-ACT-XX-1A(B) CTL >0.5g DG-1A,B Air H et and Out-High HCLPF OEP-SOD-XX-AIRA(B) ->0.59 Exhaust Dampers OEP-MOD-XX-EXHA(B) >0.5g l FN-20A .Out-High HCLPF OEP-FAN-XX-FN20A >0.5g FN-208 Out-High HCLPF- OEP-FAN-XX-FN208 >0.5g l

FN-31 Out-Switchgear load. sufficiently decreased, ACP-FAN-XX-FN31.. --

fan cooling no longer required FN-32 Out-Switchgear load sufficiently decreased, ACP-FAN-XX-FN32 --

fan cooling no longer required s

! ~

Table 3-14 (Cont'd)

Component Screening Logic Eventi Value 2 P-33A Dut-High HCLPF OEP-MDP-XX-P33A >0.5g P-338 Out-High HCLPF OEP-MDP-XX-P33B >0.59 PCC-A-493 Out-High HCLPF OEP-A0V-XX-AV493 >0.39 SCC-T-305 Out-Chained open OEP-A0V-XX-AV305 --

SB 39-1 Out-Seismic failure impacts Group Not-A --- 0.35g components (FN-7A,B)

SB 39-2 Out-Seismic failure impacts components which --- --

were screened out (FN-32 exhaust duct)

SB El .39 floor Out-High HCLPF ---

0.35g

$ TK-28A Out-High HCLPF OEP-TNK-XX-TK28A >0.5g TK-28B Out-High HCLPF OEP-TNK-XX-TK28B >0.59 TK-62A In-Unknown HCLPF OEP-TNK-EQ-TK62X NA (0.43g)

TK-62B In-Unknown HCLPF OEP-TNK-EQ-TK62X NA (0.439)

TK-76A-1 thru 6 Out-High HCLPF OEP-TNK YX-76A-1(etc.) >0.5g TK-768-1 thru 6 Out-High HCLPF OEP-TNK-XX-76B-1(etc.) .>0.5g NA indicates that a HCLPF was not available at the time of screening, and the component remained'in the analysis. The value in parentheses is the HCLPF that'was available later.

1,2,3 - See Table 4 for standard footnotes on screening overview tables.

~

! Table 3-15. Nonseismic event failura probability calculaticns.

l i

Mean Unavailability j Event Beta or Failure Rate Time (hr) : Probability-i AFW-CCF-FC-AFW -- 1.0E-4 (steam binding) -- 1.0E HPI-CCF-FC-HPSI 0.08 (MOV) 3.8E-3 (MOV FTO) --

0.17 (MDP) 3.2E-3 (MDP FTS) --

5.3E-5/hr (MDP FTR) 12 2.lE-3 4

l PPS-CCF-FC-PORVs 0.08 (MOV) 3.8E-3 (MOV FTO) --

0.08 (SOV) 6.3E-3 (S0V FTO) -- 8.0E-4

}

i PCC-CCF-FC-PCCW 0.03 (MDP) 3.2E-3 (MDP FTS) --

5.3E-5/hr (MDP FTR) 24 1.4E-4

?> SCC-CCF-FC-SCCW 0.03 (MDP) 3.2E-3 (MDP FTS) --

t; 5.3E-5/hr.(MDP.FTR) 24' 1.4E-4 SWS-CCF-FC-PilMPS 0.03 (MDP) 3.2E-3 (MDP FTS) --

5.3E-5/hr (MDP FTR) 24 1.4E-4 4

OEP-CCF-FC-DGN 0.05 (DG) 2.lE-2 (DG FTS) --

1.26E-3/hr (DG FTR) 24 '2.6E-3 OEP-CCF-FC-P33X 0.11 (RHR pumps) 3.2E-3 (MDP FTS) --

3.5E-4 AFW-TDP-LF-P258 --

1.6E-2 (TDP T&M). --

3.2E-2 (TDP FTS) --

5.0E-2

.1,3E-4/hr (TDP FTR) 12

- DEP-PSF-FC-DGIA,B --

2.1E-2 (DG FTS) --

1.26E-3/hr (DG FTR) 24 1.6E-2 (DG TAM)~ --

6.7E-2

.0.05 AFW-XHE-FO-TRBPC, -- -- --

- _ _ _ ____ ._..-m -__ _ _ _ _ _ . _ . _ - - . _. . - . . _ _ _ . . _ - -. . . .

Table 3-15 (Cont'd)

Mean Unavailability Event Beta or Failure Rate Time (hr) Probability AFW-XHE-F0-TRBLO -- -- -,

0.18 AFW-XHE-F0-EFWXX 0.28 PP S-XHE-FO-FDBLD - --

0.05 PCC-XHE-F0-I SOL -- --

0.1 OEP-XHE-FO-FUEL -- -- --

0.01-Y M

l i ._ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

DEulNERAUZED l INSIDE WATER 3 CONTAINMENT 8

STORAGE TANK (DWST) i TK-21 : : CONDENSATE MAKEUP

1 , g oenero stelm ors

- 7 8

3 J L

^'*-^-3*" ^'*-^-3"'

T W .

E-1-3 8

DH><. : , I P-25A

)[ E : i I

! M from PWST (TK-16) i a

< ><l y 3 > J i r i 1

ta b

if i f f DH><I-Di AFW-A-339 AFW-A-201 D<. % E-1-2

%o ss

~

W 1 E 7"

Y ; I

> l><l [

i

^ P-258 # #

I k . ,. .. _ AIR ACC.

TK-25 ,

. sa

'f ',' WAIN a l, ; r i g I

US 173 MS-P-168 USE2 T 163' STEAM I

< ><H><. i 1 g j I f I 3~

i J h i f AFW-A-338 f AFW-A-101 I s t T '

-cH><l

" l

[ , r s

P-25C ; ,

R - h-- AIR ACC. AR ACC. -#-- R TK-123 TK-111 Figure 3-1 Auxiliary ~ Feedwater

m Seal Water t3 Woln Cootont Pumps O INSIDE St.-P-3 CONTAINMENT S REFUELING

] E 67 8 WATE 3 h +[.oTer'#'

T CH-F-38 ,

STORAGE I

TK- -tx: : TANK l l 54 e m j

1 (RWST)

Tg_4 ( E-96 J q ;{,

CH-F-70 8 g g {ogop Fi!!

HS-M-12 8

'HS-M-51 g HSI-M-50 -O ) -O : i to

_: = ( :: =-

8 HS-M-54 From HS!-M-11 3[ ][ Residual Heat Exchangers :

10 4 l HS-M-55 CH-A-33 I w I i l HS-M-40 1 W yg 8

[

T T HS-M-22 3 I

P-148 as_u_43 To 1 P g i BOP 2 m

n

c-HS-M-21 :

T HSI-M-42 g S 1 g P-14S !

HS-M-32 '

[ wcx: :: O l

[

T HS-M-43 ,l, 3

To N I : Loop 3 CH-A-32 P-14A HS-M-31 8

8 I

-l 3

Figure 3-2 High Pressure Safety injection 8

I TO PRESSURIZER

? QUENCH TANK l TK-8 PR-S-13 PR-S-12 PR-S-11 kJ PR-S-14 PR-S-15 PR-M-16 X-O O] PR-M-17

y u

~ -

RCS -

PuuP (SPRAY UNE)

PRESSURIZER E-2 REACTOR 4 >

(SURE UNE)

Figure 3-3 Primary Pressure Relief

1 i

COOUNG WATER RETURN PRIMARY

' COMPONENT COOLING SURGE TANK TK-5 COOUNG

-b4-b4-- 04 ; WATER (s) SUPPLY

, E-4A A

x P-98 i f 3 PCC-T-20 s :- -*

., .a DH)4-- -C 4 >4->4-- --b4--

PCC-T-19

+

E-4B P-9A 1

Figure 3-4 Primary Component Cooling Water

' i '

,liI!j g

, li lg l

3 l J( 4

._ 3 2

^ _ A L "s

_ c 9 " _

C P

9 yo A . .

(

J.

T u_H '

A

?c _ 1'

_ c c

_ : ' e i"

i ^ '

( l I'

^

'6 n

i s , : 2 0

i _ l ,

3 m ,

- _ ^ A e- - - _

e e

A

- "" _ C P

C u

r , . _ A

_ c

_ *e c

y {_ 1 : : :

2!'

l!!

lll _.

X

_ 8l Ig i' gli jil 3

X 21 c

) .

8 t 1

n 5 o 4 s a (

c 2 -

$ r

o. _' ' -

' ,a t

7 u- { ::: E

- 0 4 e -

e r

2 0

3 " 3 e ' c

'd

~

as r

E 2

7 E

- 3 ]

e r

u g

y ^

i F

c.

s. s.

AA a

7a f 2:

i rE 4 u

3k -

E c

s 4 o N

- Y s R L

P U

T P ' E U '

R S .g A

R R

E ,,u

_ E T

T 7 A

A vt i P W

W G C -- N qs

_ t [

N f -

- s J U

U '

4 O O r ' A

- O O l'~' j - C C 4 c u

- c P

^ -

- cc

^

' "I k e l'ip gJ si .'

u e ,

c.

5 lf jlj l lil iji- 4 :!

Il j

.llll{

G N RL Y UEP OTP OAU CWS o

s d 4 e - :

t las d 9N'Ac -

o a ^

c s . s io^

nc l '

d oc ns -

o .

4 T 32 )

W 5 t

r e

a A

)

s

( 8 W 5 5 g

- - n E E i l

A

- - o I .

3 3

- o

< C D- f% <

b- ( t 4

2 n 3 4 r- e n

M ^ -

(

) h

> c-c s

o p

^

. 3 m 2 3 o

- < < C U 01 T

c

- > A 0

> B 0 y C

1

e 1 1 r C-A TK S

X - M - a P P d n

o

c e

~ , _ _ S

(( 1 ( 5 3

d ' e

r t

e a ds loa s o W i F

g u

,i -

mc :.

l o n roc Fns f

i YT K N

RN AE G A U DNINT 95 ' 1 NOLE OP OG -

6 4

CM O R K A T " -

EO C U c c

SC S s G

N RR N U EU OTT OAE CWR wj,a l

r 2

- ) N X

TiL J OC A N X 1

)

nA X r L 3 J C A

Y

^

> 1t

- X e 1 a 5

6 1

C-C a SM f L 3

X -

c k 'bs

_ )

X -

,,L

,J N rA 1 t

n o

8 (

c

_ 2

) 1 0 -

(

1 P 5

'k 3 A1 ) e r

_. n u oS g nRE i L

O F

O )

C 5

(

[ - X A

2 P L 9 1 lJ E- X r

1;'J

- x 8

4 1

P 8

m.

Y 2

8 " N L - R P E U P 5 T u 0 3 :E R

s -

c: T C e C

- C s -

C S

- S ya I!l!li l4 l' i l ij! ' !!)lt. t tIii :l

T j RASH RACK w v, n -

SR-1D P-29D FLOW E-58 i

5 M SCC (S) Q M COOLERS P-29C if X

3r ( E-5A SR-1C LC

$ NO E-48 0

P-298 p h 3r COOLERS E-4A l 5 (S) l jTRASH RACK

-t>4-c+-

SR-1A P-29A TRAVELUNG FLOW SCREENS -+-

TO SEAL PIT Figure 3-6 Service Water System 3-46

l) l ,: iii j' ;';!I ,l! .,f } jj

l

,{i l

_ <g mCto*

+%O< AU

.C# u

(

/

_ u $ #%

ny wSo # # # #

z z y #%%r dE > w n 5 .

S 3

3 A C A B A 8 5 0 1 o 41 g x*E 1 5 4

4 4 A B 5 1

2 -

1 5o" 1 9 9 2 - P P

P P P P 8L. > $

i P P p P

_ Eb zn

_. za*83 f

._. $ < yM 4 E(g $k @*

j

_ # y J g g 8 D 9 9 A C 2 2 9 9 -

2 2 p -

p P P gy

_. E En q %O g EO ,>

t Q y#

L

_. J#T.7,7/##r/#r./.#7 ## 7y %%%%w~w

%%%%w%%www%% % %% %

r#d####/7/N 7 5

. 4 61 1 1 1

- - 1 1 S

0 SW

- - WS 2 8 5

0 04 42 2 3 1

1 0 91 1 5 -

A A 3 2 2 223 4 3 - - - - 3 3 - - - -

0 3 9 1 1 R R 2

- W W

-W- W-W 4 1- - 1

- 3

_ 2 3

- - N - R R P P N - - -

- W W P P N I I I C- uW - -W-W- M -W N P P r - F P F S I I S S S S -

F I I I

-I C H H H H H I

C C S S S S S C D- $ **

P CP H H H H H P b C-CEb CB gt . C C8L C C / # T. 7 A A

1 L

.E

- TN w#7 %% %%% Y BLC 1P .

PT

. cSAI GUIS oDP DSD

_ 4 0 5 1 5 5 5 5

- A B -

4 -

4 W 4 W M- 4 W-

- - - I - I I

S N S I

S N S

_ H F H H F H g,m ug > %'

11(l ,

i j 4 l

'ji!$..l! , '

V V I1 1 V1 V T2 A0 IT2 I T2 I 1 A0 A0 l T2 L

L A 0 4 L BAV 2

_ 3 L UC BAV BAV BAV l

S S UC UC S U S C

,4 4

,2 2

,3 ,1 .

A A 3 1 A A 4

- 2_ 3

- a A

n f

_ W -

s C C s 'c c u M .

_ l 4c s c l c

l 2c l c g c .

ll 8 A

7 Il a l

?' fc A l 7 -

A i

F g

u r

b .

e

_- 3 3

4 8

8

- 1 2

5 1

2 sg k 1 2

Ja E* b 1

_ 5 5 2

_. D V V 5 C O D V V -

C C sg D D

_. 2t -

C -

_ P D D d a( 3> b C -

o I S I D D w T S IS I e T T S r C C T A A C B B J. A 8$ C S 8 07 A

_ snk 4 gSf 2

!, b B

$.g 3

h. , 1 -

2_

8 s$

af b i

!s- s!wS. . b ae sS

!- ugn b -

. 4e s5 8g s5g b lll

[ TK-76A1 }--

[ TK-76A2 }-

Al BS

[ TK-76A3 }-.

a L UNITS To Auxilicry [ TK-76A4 b Boiler A [ TK-76A5 J--

] JT5 pAL(FC)

FFL-F-13 [ TK-76A6 }--

FUEL OIL -^ ;

. DAY TANK -2 TK-62A ACB DG1A

- A v BUS P-33A ( E-82A )

PCC RETURN UNDERGROUND p d L P

Pcc-A-453 Pcc-A-493 FUEL STORAGE j

PCC-492 T ~28A FIRE PROTECTION ?C ;

SYSTEM Fs-37 1 P 3ee_3o4 UNDERGROUND 4 L FUEL STORAGE Th 288 G- sec-T-303 g r SCC RETURN m

SCC SUPPLY : scc-T-305 3 E-828 3

> BUS P-33B 6

a

~

FUEL OIL DAY TANK ,

n

TK-629

ACB DG1B DG-18 n gAL(FC) PFL-F-27

( TK-7686 J- v

( TK-7685 J- 4T6

( TK-7684 3- Of Auxiliary J L STARTING Boiler { TK-7683 J- UNITS

( TK-7682 J-O f

( TK-7681 }-

t Figure 3-9 Diesel Generators 3-49

4. ACCIDENT SEQUENCE ASSESSMENT AND RESULTS In order to obtain the plant level Boolean equation which represents the cut sets for the accident sequences, two event trees were developed. These event trees, one which includes a small LOCA and one which does not, are described in Section 4.1. The core damage sequences that are derived from the event trees are discussed in Section 4.2.

The Boolean equations obtained from the analysis of each event tree are described in Section 4.3. Section 4.4 presents the plant-level Boolean equation.

4.1 Event Trees Because it was not feasible to enter the reactor containment, the review team could not inspect and verify the seismic capacity of the LOCA sensitive piping. Therefore, the a seismic event and loss of offsite power plant analysis was segregated into two cases:

with no LOCA, and a seismic event and loss of offsite power with a small LOCA. For this project a small LOCA is defined as one which requires the use of HPSI for core makeup. Based on data from other PRAs this would be a break in the range of roughly three-eighths inch to two-inch diameter. However, no plant-specific thermodynamic analyses were performed under this review to determine the actual size range. The first event tree considers a seismic event without a concurrent LOCA, the second tree considers a seismic event with a small LOCA. The minimal cut sets from the resulting accident sequences are then combined to determine the plant Boolean equation.

4.1.1 No LOCA Case The event tree for the first case is presented in Figure 4-1. This event tree depicts the success or failure of the various front-line mitigating systems in response to a seismic event with accompanying loss of ofisite power. The systems are displayed across the top of the figure. At each node in the event tree, success of the system is represented by the upward branch, and failure by the downward branch. Each path through the event i

tree represents a sequence. Those sequences that end with a status of "OK" have successfully mitigated the seismic event, and do not result in core damage. Those sequences that end with a status of "CD" have failed to provide all necessary safety functions, and result in core damage. They are identified by the abbreviation for the initiating event (in this case, event T 3) and the abbreviations for any front-line system failures (e.g., event L or P ).

g These core damage accident sequences are then evaluated using the system fault trees to determine the minimal cut sets and Boolean equations.

The initiating event for the first event tree is a seismic event which causes a loss of of fsite power, designated as T . Following this event the reactor must be made subcritical (event C). Potential accident sequences due to failure of the reactor subcriticality system were not evaluated further because the fragility analysis of the reactor internals and control rods found the seismic capacity to be greater than the review level earthquake. Nonseismic failures of the subcriticality system are also insignificant (approximately 3.0E-5 per demand).

Upon successful reactor subcriticality, the AFW system is used for core decay heat removal (event L). Successful operation of this system (at least one of three pumps feeding one of three steam generators) will provide core cooling (early) and prevent core damage. Core inventory makeup is not required because the reactor coolant system (RCS) is intact for this event tree. Failures of the RCS integrity (such as a safety relief valve LOCA or RCP seal LOCA) are analyzed in the next section.

f 4-1 l

Should failure of the AFW system occur, the operator should begin feed and bleed (event Pg). In this case with no concurrent LOCA, both PORVs (and the associated block valves) must be opened within approximately 30 minutes for system success. Failure to open both PORV lines (i.e., one or both remain closed) will result in inadequate core cooling and eventual core damage (sequence Tg LP1 ).

' Following the successful initiation of feed and bleed, the HPSI system (event D) must be used to provide makeup to the RCS. This requires at least one of two HPSI pumps (the l third pump is evaluated for recovery actions only) to provide injection to one of three RCS loops. Also included in HPSI success criteria is the long-term availability of the recirculation system. As discussed in Chapter 3, this included the availability of the containment spray pump area fans. Failure of the HPSI system is part of core damage sequence T1 LD.

4.1.2 Small LOCA Case i

The event tree for the second analysis is shown in Figure 4-2. For this case the initiating event is an earthquake that causes loss of offsite power, concurrent with a small LOCA (even: S 4 evaluateh . Larger LOCAs (beyond the makeup capacity of the HPSI system) were not based on the guidance in NUREG/CR-4334 and -4482 (Budnitz et al.,1985, and Prassinos et al.,1986). Ths small LOCA could be caused by nonseismic or seismic failures. The nonseismic failures considered were a stuck-open PORY or safety valve, a significant reactor coolant pump (RCP) seal LOCA (greater than about 20 gallons per minute per RCP), and a coincident small LOCA. Based on generic ASEP data, the probability of a stuck open PORV that is not isolated by the block valve, or the probability of a stuck-open safety valve is equal to or less than the screening value of 1.0E-3. The probability of a significant RCP seal LOCA wid the RCP seal design at Maine Yankee is' judged to be similarly low, based on discussions with Yankee Atomic.

Also, the probability of a nonseismic small LOCA coincident with the earthquake event and recovery time is very small (less than 1.0E-3). Therefore, nonseismic small LOCAs were screened out of the analysis.

The small LOCAs induced by seismic failures that were considered were a stuck-open PORV or safety valve, and small breaks in LOCA sensitive piping. Based on the fragility analysis team review, stuck-open PORVs or safety valves were judged to have HCLPFs greater than 0.3g, and were therefore screened out. However, because the review team was not able to inspect and verify the seismic capacity of small piping and impulse lines inside containment, the HCLPF of these lines is not known. Therefore, small LOCAs could not be screened out. The event tree for the small LOCA case is based on a seismic j

event that causes loss of offsite power and a small LOCA, and requires core inventory makeup for mitigation.

l Again the reactor must first be made subcritical (event C) and as described in Section

] 4.1.1, the subcriticality system has high seismic capacity. Therefore, failure of the i subcriticality function were not considered further.

Following successful reactor subcriticality, the AFW system is used for core decay heat removal (event L), with the same success criteria as described above. With the small LOCA, the HPSI system must be used to provide makeup to the RCS (event D). Failure of HPSI at this point (no pumps feeding any RC loop) will lead to core damage sequence S2 0.

4-2 m g ;--- + - - - -y+-+ 9 m - - y r w , - --,

I Failure of the AFW system to provide decay heat removal will require the use of feed and bleed. Due to the small LOCA the operator need only open one FORY (with its associated block valve) within 30 minutes to successfully initiate feed and bleed (event P2). Failure to open at least one PORY (i.e., both remain closed) within this time will result in sequence S2 LP2 . With successful PORV operation, HPSI is again required to provide RCS makeup (event D), with the same success criteria described previously.

Failure of AFW and HPSI result in core damage sequence 52 LD.

4.2 Core Damage Secuences 4.2.1 T yLP i To determine the cut sets for sequence TI LPi (seismic event with loss of offsite power followed by AFW f ailure, followed by PORY f ailure for feed and bleed) the pruned anu merged fault trees for the AFW system and the PORVs (no LOCA case) developed in Section 3.2 were combined. By combining these two trees with an "AND" logic gate, failure of both systems is required to result in the sequence (Tt LP 1 ). A description of the basic events that make up the accident sequences is found in Table 4-1.

The minimal cut sets for this sequence are listed in Table 4-2. As with the system cut sets, the seismic failures were arbitrarily assigned a probability of 1.0 for ranking purposes. There are no single faults which lead to this accident sequence. Of the double faults, some contain at least one seismic event, and others contain only nonseismic events (e.g., random, common cause, human error). The event ACP-TFM-EQ-57X68 (seismic failure of the station transformers) results in loss of power to both PORVs and both motor-driven AFW pumps. Seismic failure of the DWST (AFW-TNK-EQ-DWST) leads to failure of :he turbine-driven AFW pump, as does random failure of the TDP (AFW-TDP-LF-P25Bi and failure to place the pump in service from the MCR (AFW-XHE-FO-TRBMC). Seismic failure of the SCC and PCC coolers, the air conditioner chillers or the circulating water pump house (CCW-HTX-EQ-4B5A, CCW-ACX-EQ-CHILL, SWS-BKW-EQ-CIRC) leads to f ailure of both the PCC and SCC, which in turn fails both diesels. Seismic f ailure of the diesel day tanks (OEP-TNK-EQ-TK62X) also results in loss of both DGs. The loss of both diesels has the same effect as seismic failure of the transformers. Gerers11y, two separate faults are required to fail both the AFW motor-driven and turbine-driven pumps. An exception is the common ceuse failure of AFW.

4.2.2 T gLD The pruned and merged fault trees for the AFW system and the HPSI system were merged with an "AND" gate to determine the cut sets for this sequence (seismic event with loss of offsite power followed by loss of AFW, success of PORVs, and loss of HPSI).

The minimal cut sets for sequence Ti LD are found in Table 4-3. Again there are no single f aults. Most of the double faults contain at least one seismic event, the rest consist only of random, common cause or human failures. In this sequence, seismic f ailure of the transformers, SCC /PCC coolers, air conditioner chillers, circulating water pump house or DG day tanks leads to loss of power to both HPSI pumps, all HPSI motor-operated valves, and both motor-driven AFW pumps. The AFW f aults are the same as those described for sequence T3 LP or common cause f ailure (HPI-CCFg. Seismic FC-HPSI) results in HPSI ff ailure.

ailure of the RWST (HPI-TNK It is interesting to note that PCC-XHE-FO-ISOL, which leads to PCC f ailure, does not appear here with the double faults, as it does with sequence Ti LPg. This is because both r PCC and SCC must f ail to f ail HPSI, while f ailure of only one was necessary to f ail one of the two required PORVs.

4-3

l 4.2.3 SD 2 The faultfault tree.treeGiven for this sequence consists only of the HPSI pruned and merged system the initiating event (seismic event with loss of offsite power and a small LOCA) followed by initiation of AFW, failure of HPSI will result in core damage.

Thus the minimal cut sets listed in Table 4-4 for sequence S 2D are the same as those described for the HPSI system in Section 4.2.2.

4.2.4 S 2LP 2 Sequence- S y LP 2 is similar to sequence T LPi , but the PORV success criteria is different. For 5 2LE 2 nly one PORV must be gopened (i.e., both PORVs remain closed for failure). The, system fault trees combined to determine the sequence cut sets were those for AFW and PORVs (small LOCA), developed in Section 3.2. The minimal cut sets for this sequence are listed in Table 4-5. There are no single faults that lead to core damage.

The major difference between the second order cut sets for sequence S7LP nd for sequence T g LP i 2 is as expected,g s that the former do not contain any events which fail PCC only. This since both PORVs must fail (and thus both DGs) in addition to AFW failure to give sequence S2 LP2 . As PCC fails DG-1A, another event is needed to fail DG-1B.

4.2.5 S2LD

' The final sequence consists of the same events (and thus the same system fault trees) as sequence Tt LD, only the initiating events differ. Therefore, the cut sets for sequence S2LD listed in Table 4-6 are identical to those in Table 4-3.

4.3 Boolean Equations for No LOCA and LOCA Cases The Boolean equations for the core damage sequences with no LOCA and core' damage sequences with a small LOCA are given in Table 4-7. The numbers correspond to the basic events listed in Table 4-1. Only the first and second order faults which contain at least one seismic failure event are included in the Boolean equations. Although it is possible for core damage to occur through nonseismic failures only, these were not evaluated further for this seismic margins project. Also, the final HCLPF calculations determined that some of the seismic failure events had final HCLPFs greater than 0.3g, so they were pruned out.

The events included in the Boolean equations affect the systems as follows:

Event 4:

Seismic failure of the station transformers (ACP-TFM-EQ-57X63) also results in loss of power to all HPSI components, l both PORVs, and both AFW motor-driven pumps.

Event 7:

Seismic failure of the RWST (HPI-TNK-EQ-RWST) results in loss of HPSI.

! Event 3:

Seismic failure of the DWST (AFW-TNK-EQ-DWST) results in loss of the turbine-driven AFW pump (the motor driven pumps have the PWST as a backup).

l 4-4

Event 14: Nonseismic common cause failure of the DGs (OEP-CCF-FC-DGN) results in loss of power to all HPSI components, both .

l PORVs and both AFW motor-driven pumps.

I Event 15: Nonseismic common cause failure of the AFW system (AFW-CCF-FC-AFW) results in total loss of AFW.

Event 16: Operator failure to refill the DG day and/or integral tanks (OEP-XHE-FO-FUEL) leads to failure of both DCs, resulting in loss of power to all HPSI components, both PORVs and both AFW motor-driven pumps.

Event 17: Operator failure to place the AFW turbine-driven pump in service from the MCR (AFW-XHE-FO-TRBMC) results in loss of the TDP.

Event 20: Collapse of the circulating water pump house (SWS-BKW-EQ-CIRC) will fail all SW pumps, which in turn fails PCC and SCC due to lac!< of SW flow through the coolers. The effects of PCC and SCC failure are loss of both DGs due to lack of cooling, whicn results in a loss of power for all HPSI components, both PORVs, and both AFW mutor-driven pumps.

Event 22: Random failure of the AFW turbine-driven pump (AFW-TDP-LF-P25B) results in loss of the TDP.

Those numbered events in Table 4-1 that are not in this final list were either pruned because their final HCLPF was greater than 0.3g, subsumed into the above events because they were not in minimal cut sets, or were only in nonseismic cut sets.

4.3.1 No LOCA Case To determine the reduced Boolean equation for this event tree, sequences T3 LPi and T J D we-e combined with an "OR" gate, because occurtence of either of these sequences will w ' to core damage.

The combinations of events described above that make up the reduced Boolean cut sets lead to core damage as follows:

e Those cut sets that combine events 4 or 20 with events 8,15,17, or 22 result in both sequence gT LPt and iT LD. A fault from the first group (4 or 20) results in loss of all HPSI components, both PORVs and both AFW motor-driven pumps. A fault from the second group (8, 15, 17, 22) results in loss of the turbine-driven AFW pump, e Events 14 or 16 also lead to loss of HPSI, both PORVs, and both AFW motor-driven pumps. However, only the cut sets where one of these events is combined with event 8 are included in the Boolean. These lead to both T gLD and T ILP t. Coupling of 14 or 16 with 15,17, er 22 result in cut sets of two nonseismic events, which were screened out.

e Finally event 7 is combinea with 15 to give sequence Ti LD. Event 7 leads to HPSI failure, and 15 to AFW failure.

l l

4-5

4.3.2 Small LOCA Case To determine the Boolean equation for the second event tree sequences 5 D, S LP and S2 LD were combined with an "OR" gate because . occurre,nce of any 2one of 2 2 these

.sequences will cause core melt. The reduced Boolean for this event tree consists only of single faults. This is because each of these faults will cause failure of HPSI, because-this corresponds to sequence 25 D. No other system failures are required for core damage to occur. Essentially, the cut sets that would lead to the failures of AFW and one PORY,

' or AFW and HPSI, all fall out as nonminimal cut sets or consist only of nonseismic events and are screened out. The events which make up the small LOCA Boolean are 4, 7, and 20.

4.4 Plant-Level Boolean Equation Because the small LOCA sensitive piping could not be inspected and its seismic capacity verified, the Boolean equations for small LOCA and no LOCA cases were combined in two different ways. Sensitivity analysis could then be used_ to estimate the plant - ;

HCLPF. The sensitivity studies were performed by the fragility analysis team.

~

{ The first method used split fractions to express the conditional probability of a seismic induced small LOCA given the seismic event. The two Boolean equations in Table 4-7 j

were combined using these split fractions, and sensitivity studies can be performed by

] varying the split fractions.

1

6. The second method used an additional term for the small LOCA Boolean equation that represented the HCLPF of the seismic induced small LOCA. Sensitivity studies can then

. be performed by varying the small LOCA HCLPF valve.

t i

i l

I k

i i

j 4

f l

I 4-6

-. __ _ - , ,,-._.;-__.,,. -~ . __ . . _ . _ . - _ . . ., _ . _ . . . ,

Table 4-1. Basic event descriptions.

Nonseismic Description Probability Number Event Seismic failure of PCC/ SCC coolers SF 1 CCW-HTX-EQ-4B5A SF 2 AFW-TNK-EQ-TK25 Seismic failure of air tank for AFW AOVs Failure to align PWST to AFW MDPs 2.3E-01 3 AFW-XHE-FO-EFW XX Seismic failure of station transformers SF 4 ACP-TFM-EQ-57X68 Nonseismic common cause HPSI failure 2.lE-03 5 HPI-CCF-FC-HPSI Failure to open PORVs for feed and 5.0E-02 6 PPS-XHE-FO-FDBLD bleed Seismic failure of the RWST SF 7 HPI-TNK-EQ-RWST Seismic failure of the DWST SF 8 AFW-TNK-EQ-DWST Nonseismic common cause PORY failure 3.0E-04 9 PPS-CCF-FC-PORVS Failure to close PCC isolation valves 1.0E-01 10 PCC-XHE-FO-ISOL Random failure of diesel generator IB 6.7E-02 11 OEP-PSF-FC-DG IB Random failure of diesel generator IA 6.7E-02 12 OEP-PSF-FC-DG I A Failure to start AFW TDP locally 1.8E-01 13 AFW-XHE-FO-TRBLO Nonseismic common cause DG failure 2.6E-03 14 OEP-CCF-FC-DGN Nonseismic common cause AFW failure 2.0E-04 15 AFW-CCF-FC-AFW Failure to refill DG fuel tanks 1.0E-2 16 OEP-XHE-FO-FUEL AFW-XHE-FO-TRBMC Failure to start AFW TDP from MCR 5.0E-02 17 Seismic failure of DG day tanks SF IS OEP-TNK-EQ-TK62X Seismic failure of air cond. chillers SF 19 CCW-ACX-EQ-CHILL Seismic failure of cire. water pump SF 20 SWS-BKW-EQ-CIRC house Seismic failure of the PWST SF 21 AFW-TNK-EQ-PWST Random failure of the AFW TDP 5.0E-02 22 AFW-TDP-LF-P25B SF indicates that the event is a seismic related failure, and a HCLPF will be determined by the fragility analysis team.

4-7

Table 4-2. Sequence Tg LPg cut sets.

No Single Faults Nonseismic 1 Ranked Double Faults Probability !

ACP-TFM-EQ-57X 68 AFW-TNK-EQ-DWST SF

.' CCW-HTX-EQ-4B SA AFW-TNK-EQ-DWST SF CCW-ACX-EQ-CHILL AFW-TNK-EQ-DWST SF SWS-BKW-EQ-CIRC AFW-TNK-EQ-DWST SF OEP-TNK-EQ-TK 62X AFW-TNK-EQ-DWST SF ACP-TFM-EQ-57X68 AFW-TDP-LF-P25B 5.0E-02 AFW-XHE-FO-TRBMC ACP-TFM-EQ-57X68 5.0E-02 CCW-HTX-EQ-4B5A AFW-TDP-LF-P25B 5.0E-02 CCW-ACX-EQ-CHILL AFW-TDP-LF-P25B 5.0E-02 SWS-BKW-EQ-CIRC AFW-TDP-LF-P25B 5.0E-02 OEP-TNK-EQ-TK 62X AFW-TDP-LF-P25B 5.0E-02 CCW-HTX-EQ-4B5A AFW-XHE-FO-TRBMC 5.0E-02 CCW-ACX-EQ-CHILL AFW-XHE-FO-TRBMC 5.0E-02 SWS-BKW-EQ-CIRC AFW-XHE-FO-TRBMC 5.0E-02 OEP-TNK-EQ-TK 62X AFW-XHE-FO-TRBMC 5.0E-02 OEP-XHE-FO-FUEL AFW-TNK-EQ-DWST 1.0E-02 OEP-CCF-FC-DGN AFW-TNK-EQ-DWST 2.6E-03 OEP-XHE-FO-FUEL AFW-TDP-LF-P25B 5.0E-04 AFW-XHE-FO-TRBMC OEP-XHE-FO-FUEL 5.0E-04 CCW-HTX-EQ-4B5A AFW-CCF-FC-AFW 2.0E-04 CCW-ACX-EQ-CHILL AFW-CCF-FC-AFW 2.0E-04 SWS-BKW-EQ-CIRC AFW-CCF-FC-AFW - 2.0E-04 OEP-TNK-EQ-TK 62X AFW-CCF-FC-AFW 2.0E-04 ACP-TFM-EQ-57X68 AFW-CCF-FC-AFW 2.0E-04 OEP-CCF-FC-DGN AFW-TDP-LF-P23B 1.3E-04 AFW-XHE-FO-TRBMC OEP-CCF-FC-DGN 1.3E-04 PCC-XHE-FO-ISOL AFW-CCF-FC-AFW 2.0E-05 OEP-PSF-FC-DG 1B AFW-CCF-FC-AFW 1.3E-05 OEP-PSF-FC-DG I A ' AFW-CCF-FC-AFW l.3E-05 PPS-XHE-FO-FDBLD AFW-CCF-FC-AFW l.0E-05 OEP-XHE-FO-FUEL AFW-CCF-FC-AFW 2.0E-06 OEP-CCF-FC-DGN AFW-CCF-FC-AFW . 5.2E-07 PPS-CCF-FC-PORVS AFW-CCF-FC-AFW l.6E-07 SF indicates that the cut set consists entirely of seismic related failures for which HCLPFs will be determined.

l 4-8

Table 4-3. Sequence T1 LD cut sets.

L No Single Faults Nonseismic Ranked Double Faults Probability AFW-TNK-EQ-DWST SF ACP-TFM-eQ-57X68 AFW-TNK-EQ-DWST SF CCW-HTX-EQ-4B5A CCW-ACX-EQ-CHILL AFW-TNK-EQ-DWST SF-AFW-TNK-EQ-DWST SF SWS-BKW-EQ-CIRC OEP-TNK-EQ-TK 62X AFW-TNK-EQ-DWST SF ACP-TFM-EQ-57X68 AFW-TDP-LF-P25B 5.0E-02 AFW-XHE-FO-TRBMC ACP-TFM-EQ-57X68 5.0E-02 CCW-HTX-EQ-4BSA AFW-TDP-LF-P25B 5.0E-02 CCW-ACX-EQ-CHILL AFW-TDP-LF-P25B 5.0E-02 SWS-BKW-EQ-CIRC AFW-TDP-LF-P253 5.0E-02 OEP-TNK-EQ-TK 62X AFW-TDP-LF-P25B 5.0E-02 CCW-HTX-EQ-4BSA AFW-XHE-FO-TRBMC 5.0E-02 CCW-ACX-EQ-CHILL AFW-XHE-FO-TRBMC 5.0E-02 SWS-BKW-EQ-CIRC AFW-XHE-FO-TRBMC 5.0E-02 OEP-TNK-EQ-TK62X AFW-XHE-FO-TRBMC 5.0E-02

^

OEP-XHE-FO-FUEL AFW-TNK-EQ-DWST 1.0E OEP-CCF-FC-DGN AFW-TNK-EQ-DWST 2.6E-03 OEP-XHE-FO-FUEL AFW-TDP-LF-P25B 5.0E-04 AFW-XHE-FO-TRBMC OEP-XHE-FO-FUEL 5.0E-04 ACP-TFM-EQ-57X68 AFW-CCF-FC-AFW - 2.0E-04 CCW-HTX-EQ-4BSA AFW-CCF-FC-AFW 2.0E-04 CCW-ACX-EQ-CHILL AFW-CCF-FC-AFW 2.0E-04 CCW-BKW-EQ-CIRC AFW-CCF-FC-AFW 2.0E-04 OEP-TNK-EQ-TK 62X AFW-CCF-FC-AFW 2.0E-04 HPI-TNK-EQ-RWST AFW-CCF-FC-AFW 2.0E-04 OEP-CCF-FC-DGN AFW-TDP-LF-P25B 1.3E 4 OEP-CCF-FC-DGN AFW-XHE-FO-TRBMC 1.3E-04 AFW-CCF-FC-AFW OEP-XHE-FO-FUEL 2.0E-06

, AFW-CCF-FC-AFW OEP-CCF-FC-DGN 5.2E-07 i HPI-CCF-FC-HPSI AFW-CCF-FC-AFW 4.2E-07 SF indicates that the cut set consists entirely of scismic related failures for which.

HCLPFs will be determined.

r 4-9

l I

i Table 4-4. Sequence S2 D cut sets.

Nonseismic j Ranked Single Faults Probability j ACP-TFM-EQ-57X68 SF HPI-TNK-EQ-RWST 'SF CCW-HTX-EQ-4B5A SF CCW-ACX-EQ-CHILL SF SWS-BKW-EQ-CIRC SF OEP-TNK-EQ-TK 62X SF ,

OEP-XHE-FO-FUEL 1.0E-02 OEP-CCF-FC-DGN 2.6E-03 HPI-CCF-FC-HPSI 2.lE 1 1

Nonseismic

, Ranked Double Faults Probability 4

PCC-XHE-FO-ISOL OEP-PSF-FC-DG IB 6.7E-03 OEP-PSF-FC-DG IB OEP-PSF-FC-DGI A 4.5E-03 SF indicates that the cut set consists entirely of seismic related failures for which HCLPFs will be determined.

4-10

d

' Table 4-5. Sequence S 2 LP2 cut sets.

No Single Faults Nonseismic Ranked Double Faults Probability ACP-TFM-EQ-57X68 AFW-TNK-EQ-DWST SF AFW-TNK-EQ-DWST SF CCW-HTX-EQ-4B5A AFW-TNK-EQ-DWST SF

CCW-ACX-EQ-CHILL AFW-TNK-EQ-DWST SF

SWS-BKW-EQ-CIRC AFW-TNK-EQ-DWST SF OEP-TNK-EQ-TK 62X .

ACP-TFM-EQ-57X68 AFW-TDP-LF-P25B 5.0E-02 !

AFW-XHE-FO-TRBMC ACP-TFM-EQ-57X68 5.0E-02 CCW-HTX-EQ-4B5A AFW-TDP-LF-P25B 5.0E-02 CCW-ACX-EQ-CHILL AFW-TDP-LF-P25B 5.0E-02 SWS-BKW-EQ-CIRC AFW-TDP-LF-P25B 5.0E-02 OEP-TNK-EQ-TK62X AFW-TDP-LF-P25B 5.0E-02 CCW-HTX-EQ-4BSA AFW-XHE-FO-TRBMC 5.0E-02 CCW-ACX-EQ-CHILL AFW-XHE-FO-TRBMC 5.0E-02

! SWS-BKW-EQ-CIRC AFW-XHE-FO-TRBMC 5.0E-02 OEP-TNK-EQ-TK62X AFW-XHE-FO-TRBMC 5.0E-02 OEP-XHE-FO-FUEL AFW-TNK-EQ-DWST 1.0E-02 OEP-CCF-FC-DGN AFW-TNK-EQ-DWST 2.6E-03 OEP-XPE-FO-FUEL AFW-TDP-LF-P25B 5.0E-04 i AFW-XHE-FO-TRBMC OEP-XHE-FO-FUEL 5.0E-04 CCW-HTX-EQ-4BSA AFW-CCF-FC-AFW 2.0E-04 .

CCW-ACX-EQ-CHILL AFW-CCF-FC-AFW 2.0E-04 CCW-BKW-EQ-CIRC AFW-CCF-FC-AFW 2.0E-04 ,

OEP-TNK-EQ-TK62X AFW-CCF-FC-AFW 2.0E-04 ACP-TFM-EQ-57X68 AFW-CCF-FC-AFW . 2.0E-04 OEP-CCF-FC-DGN AFW-TDP-LF-P25B ' l.3E-04 AFW-XHE-FO-TRBMC OEP-CCF-FC-DGN 1.3E-04

PPS-XHE-FO-FDBLD AFW-CCF-FC-AFW l.0E-05 OEP-XHE-FO-FUEL AFW-CCF-FC-AFW 2.0E-06 OEP-CCF-FC-DGN AFW-CCF-FC-AFW - 3.2E-07 PPS-CCF-FC-PORVS AFW-CCF-FC-AFW l.6E-07 SF indicates that the cut set consists entirely of seismic related failures for which HCLPFs will be determined.

(

1 L 4-11

~. . . .-

Table 4-6. Sequence 5 LD cut sets.

2 l

No Single Faults .

Nonseismic Ranked Double Faults Probability ACP-TFM-EQ-57X68 AFW-TNK-EQ-DWST SF CCW-HTX-EQ-4BSA AFW-TNK-EQ-DWST SF l CCW-ACX-EQ-CHILL AFW-TNK-EQ-DWST SF SWS-BK W-EQ-CIRC AFW-TNK-EQ-DWST . SF OEP-TNK-EQ-TK 62X AFW-TNK-EQ-D WST SF ACP-TFM-EQ-57X68 AFW-TDP-LF-P23B 5.0E-02 AFW-XHE-FO-TRBMC ACP-TFM-EQ-57X68 5.0E-02 CCW-HTX-EQ-4B5A AFW-TDP-LF-P23B 5.0E-02 CCW-ACX-EQ-CHILL AFW-TDP-LF-P25B 5.0E-02 #

SWS-BKW-EQ-CIRC AFW-TDP-LF-P23B 5.0E-02 OEP-TNK-EQ-TK 62X AFW-TDP-LF-P253 5.0E-02 .

CCW-HTX-EQ-4P SA AFW-XHE-FO-TRBMC 5.0E-02 CCW-ACX-EQ-CHILL AFW-XHE-FO-TRBMC 5.0E-02 SWS-BKW-EQ-CIRC AFW-XHE-FO-TRBMC 5.0E-02 OEP-TNK-EQ-TK 62X AFW-XHE-FO-TRBMC 5.0E-02 OEP-XHE-FO-FUEL AFW-TNK-EQ-DWST 1.0E-02 OEP-CCF-FC-DGN AFW-TNK-EQ-DWST ' 2.6E-03 OEP-XHE-FO-FUEL AFW-TDP-LF-P25B 5.0E-04 AFW-XHE-FO-TRBMC OEP-XHE-FO-FUEL 5.0E-04 ACP-TFM-EQ-57X68 AFW-CCF-FC-AFW 2.0E-04 CCW-HTX-EQ-4BSA AFW-CCF-FC-AFW 2.0E-04 CCW-ACX-EQ-CHILL AFW-CCF-FC-AFW 2.0E-04 i

CCW-BKW-EQ-CIRC AFW-CCF-FC-AFW _ 2.0E-04 i

OEP-TNK-EQ-TK62X AFW-CCF-FC-AFW 2.0E-04 HPI-TNK-EQ-RWST AFW-CCF-FC-AFW 2.0E-04 OEP-CCF-FC-DGN AFW-TDP-LF-P23B 1.3E-04 OEP-CCF-FC-DGN AFW-XHE-FO-TRBMC 1.3E-04 AFW-CCF-FC-AFW OEP-XHE-FO-FUEL 2.0E-06 AFW-CCF-FC-AFW OEP-CCF-FO-DGN 5.2E-07 HPI-CCF-FC-HPSI AFW-CCF-FC-AFW 4.2E-07

SF indicates that the cut set consists entirely of seismic related failures for which HCLPFs will be determined.

i T

l 4-12

l l

Table 4-7. Boolean equations for no LOCA and small LOCA i accident sequences.

t No LOCA Case Core Damage = (4+20) * (8+15 + 17+22) + 8 * (14+16) + 7

15 Small LOCA Case Core Damage = 4 + 7 + 20 i

i 4-13

1 Seismic Reactor gjg Feed & Bleed LOOP Subcritical Actions HPSl/R Status Sequence T1 C L Pj D i

l 1 OK

, 2 OK i

E a Success 3 CD - Tj lD y Failure 4 CD TgLPg 5 Not Evoluoted Further Figure 4-1 Seismic Event, LOOP Event Tree

Seismic, LOOP Reactor Fecd & Blesd Subcritical AFW/W Actions HPSI/R Status Sequence LOCA P D 4

h C L 2 1 OK 2 CD Sp 3 OK i

G ^ Success 4 CD Sp V Failure 5 CD Sp2 6 Not Evoluoted Further Figure 4-2 Seismic Event, LOOP Concurrent with Small LOCA Event Tree

l

5. ENGINEERING AND METHODOLOGY INSIGHTS Based on the trial plant review, several insights into seismic margin studies have been gained. Section 5.1. discusses engineering and operational insights, and Section 5.2 discusses insights on the methodology and execution.

5.1 Engineering and Ooerational Insights One of the most valuable results of a seismic margins review is finding and streng'thening components and structures that may contribute to lower seismic capacity. Most of the items discussed below were noted during the two walkdowns or during..the systems analysis, although a few, like the installation of new station batteries,. were already planned. These changes have either already been performed or will be accomplished during the next refueling outage in March 1987.

1. The station service transformers, X-507 and X-608,' transform power from the 4160-V emergency buses to the 480-V emergency buses.- As

, discussed in Chapter 4,' failure of these transformers could lead to core damage in the case of a small LOCA, and contribute to core damage in the non-LOCA case. Because of their low seismic -

capacity, they are being upgraded during the outage.

2. Station batteries I and 3 are being replaced with new lead calcium-batteries that have high seismic capacity. If the older lead-antimony

batteries had failed due to a seismic event, core damage could have -

]

resulted.

, 3. Anchorages on the containment spray pump area. fans FN-44A and B ' !

l' will be strengthened. Failure of these fans could.have led to long term heat-up and failure of the containment spray pumps, with j subsequent failure of high pressure' safety recirculation if recovery

actions were not effective.

i

4. Stock wall VE 21-1 will be strengthened to prevent its . potential

collapse from failing the containment spray area fans FN-44A and B l discussed above.

' 5. Block wall YE 21-3 will be strengthened to prevent its potential '

collapse from rupturing a SCC pipe, and thereby failing SCC. This failure by itself would not have caused core damage.

6. The anchorages of the chillers for_the computer room air conditioners AC-1A and B and the lab air conditioner AC-2 will be strengthened.

Failure of the heat exchangers on these chillers could have failed.the pressure boundary integrity of the SCC and PCC, and resulted in core l damage upon loss of component cooling water.

7. A procedure was developed to isolate nonessential PCC lines and heat -

exchangers inside containment following a large. earthquake if the PCC surge tank low level alarm annunciates. - Although the PCC was designed to seismic standards, the project team could not enter 5-1

i containment to verify the capacity of the components. Isolating the-

, PCC lines provides assurance that any potential failure of the PCC pressure boundary integrity inside containment will not fail the entire.

PCC system. After examining the effect'of the isolation procedure on the system fault trees and Boolean equation, the minimal. cut sets showed that . a single failure still existed due to ~ selection of. an isolation valve powered by the opposite redundant train.' Failure of-that one power train would have failed both the SCC and the isolation of ' PCC. The isolation procedure was revised accordingly to remove this potential single failure. This is one example of the ability of the fault tree logic modeling process to find small details that ,could affect seismic capacity,. and to assist in formulating emergency.

procedures.

3. An 'unanchored monitor _ in ; the main ; control room pane' was -

anchored. Its impact on other components and the seismic capacity of the plant therefore did not have to be evaluated.

9.- The emergency lights were strapped and anchored.

10. A missing-bolt on the anchorage of some level transmitters for the RWST was replaced.

j 11. Loose pressurized gas cylinders, a welding machine, and some heavy parts near the containment spray pump area fans were moved or tied i

securely.

i

12. Anchorages for the DG day tanks were strengthened As can be seen, some of these changes had a major impact on the~ plant seismic capacity, while others probably did not. However, the changes brought :about by the formal exercise of performing walkdowns and developing and solving the system fault trees demonstrates the power of the techniques, and the usefulness of a seismic margins-review.

5.2 Insights on the Methodology and Execution

j. 5.2.1 System Classification and Screening Guidelines-1 i Overall, the guidance given in NUREG/CR-4334 and -4432 was very helpful in classifying the systems according to " Group A and "Not-A." However, there are three areas where the trial plant review has provided more insight.

p The f r st is with respect to the safety function of reactor subcriticality. This function can be performed by either the insertion of the control rods, or by boron injection using-l the boric acid transfer (BAT) system. Although the control' rod drive mechanisms are screened out in Table 5-1 of NUREG/CR-4334 for-review earthquake levels of 0.3 g,' the-reactor internals are not screened out based on insufficient information. This meant that both the reactor internals and the- BAT system components were. included in the information gathering process before and during the first walkdown. The BAT system is fairly complex, with '_ numerous components that are : not initially - screened ' out.

Appreciable resources were expended _ in gathering information concerning the BAT system. This was unnecessary after the. seismic capacity review -of the reactor internals. It would probably be more of ficient in future seismic margin reviews if initial 5-2

-_ - -_ _ . _ ~ . . . - _ __

effort is placed in verifying that the reactor internals have high :apacity, and_only look sit alternate means of subcriticality, such as the BAT system, if this is not the case. ' If ntcessary, this examination of alternate systems could be accomplished during the second waikdown.

The other two insights concern the safety function of emergency core cooling (early).

~

Guidance in NUREG/CR-4334 and -4482, based on evaluation of previous PRAs for PWR; plants, states that the emergency core cooling (early) function is included in Group A,

.while the emergency core cooling (late) function is in Group Not-A, and therefore is screened out of the analysis. There is the caveat that this screening is conditional on not '

finding any extremely gross plant-specific differences.-

l The systems analysis team therefore. included _ the initial switchover phase from emergency core cooling injection (early) to emergency core cooling recirculation (late) as a screening verification step in the first plant .walkdown.' While the guidelines are ambiguous, ; this screening verification included long-term area cooling for the racirculation systems. It was determined that the containment spray pump area cooling i fans FN-44A and B, and a block wall near the fans, VE-21, could not be screened out btsed on the first walkdown. Based on the plant Boolean equation for small LOCA, both.

of these items were single failures resulting in core damage in _ the long term if not recovered. HCLPFs for these item's had to be calculated in order to determine plant -

seismic capacity. As noted above, the utility will make changes . to these items to

~

increase their capacity so that they do not impact over'all plant capacity. Based on these findings, guidance in NUREG/CR-4334 and -4482 should be revised to insure . that potential failures such as these are explicitly evaluated during a seismic margins review. ,

f

For the transient case (no LOCA), the emergency core cooling (early) function is defined -

in NUREG/CR-4334 and 4482 as achievement of residual heat removal. The AFW or

i. EFW system at Maine Yankee or other PWR plants will achieve this balance within the i 4

first hour. For most PWR plants, irrecoverable failure of the emergency ac power [

, system (station blackout) will not prevent the turbine-driven AFW train from performing j early residual heat removal, and therefore satisfy the emergency core cooling (early)'

function. However, in the longer term without ac power, the station batteries would ~

deplete, resulting in loss of instrumentation and AFW control power. Core damage could 4 occur if de power is not restored, and manual control of the turbine-driven AFW train'or i

other feedwater source fails. Based on the guidelines, this long-term failure of AFW was

, screened out of the analysis. If it were assumed that battery depletion and loss of-instrumentation and control power results in loss of AFW and other feedwater sources, then the Boolean expression for the no LOCA case would be dominated by the seismic failure singletons that result in station blackout:

e Failure of the SCC and PCC heat exchangers E-5A and 4B i

e Failure of the station service transformers X-507 and 608 e Failure of the DG day tanks TK-62A and B e Rupture of SCC and PCC because of chiller heat exchanger failure i for the air conditioners AC-1A, IB, and 2 l e Structural f ailure of the circulating water pump house failing the SWS i

i Explicit guidance on the treatment of these long-term battery depletion sequences would be helpful.

5-3 i

5.2.2 - Preparation for Walkdowns and Documentation Based on the trial review, there are two areas where the project team experience could be helpful to future efforts. The first involves the-identification of components to be evt.luated during the first walkdown. . The identification .of the front-line system components was relatively . straightforward because of the detailed nature .of .the available information, and the small number of components. However, identification of -

supprt . system components was more difficult. This is because these systems are generally more complex, have many more components and branches, and _ are not generally documented as well. In addition, the references concerning interfaces between the front-line systems and support systems are often ambiguous. . Finally, the actual '

physical nature and location of some items, such as distribution cabinets and_ panels, is not shown on plant drawings or dccumentation. Based on this experience, there are two recommendations. First, when reviewing the plant information, emphasize the interfaces i with support systems such as ac and de power, cooling water systems, HVAC systems,

and instrument air systems. Document-the ambiguities for .later clarification. Second, t

plan to spend considerable effort tracing down these support system components during j l the first walkdown, and be prepared to make substantial revisions to the component list.

i The -second' insight concerns documentation and information transfer between the-systems analysis team and the fragilities team. Many of the components identified by the systems analysis team for HCLPF screening or evaluation were selected because 'of l the potential for component rupture to cause flow diversion ~ and consequent system <

failure. The component itself was not needed to fulfill a safety- function, but the 4

integrity of the component pressure boundary had 'to be assured -for overall system success. The common example was heat exchangers for nonesse_ntial equipment.whose

seismic rupture would fail a necessary cooling water system. Since it can ' make. a -

difference to the HCLPF assessment, the systems team must make a clear differentiation between components that are required to function for system success, and components that are required only to maintain pressure boundary integrity /

j 5.2.3 Systems Analysis and Pruning Process There are a number of insights concerning the systems analysis (fault tree) and pruning process which may be helpful to future seismic margin reviews. i

1. The procedure developed ; isolate the PCC lines and components

! inside containment, and the automatic rupture isolation system on the i SCC greatly reduced the number of components that had to be i considered for HCLPF evaluation. Both the systems' analysis and I fragilities analysis efforts would have been ' larger, and eventually a _

containment walkdown might have been necessary.

1 1 2. As discussed above, verifying the seismic capacity of the reactor internals to allow subcriticality decreased the effort which would -

have been required for the BAT system evaluation. '

I j 3. Early evaluation and screening out of potential recovery actions and'

alternate systems, such as the small positive displacement pump for j core cooling injection, reduced the number of components that required systems and fragility evaluations.

4. Being able to define all the components on one - skid as one supercomponent, such as the DGs, reduces the systems analysis effort, but the evaluation for the fragility team may not be reduced.

5-4

- =y

5. As the fault trees' are developed, it is useful to keep 'a list of the failure modes which should be considered-for each component. For example, the pump failure modes include fail to start, fail to run, and test or maintenance outage, as well as seismic failure, but the pump -

appears only once on the initial fault tree. This information is needed later for the quantification process.

6. In the initial trees it is necessary to include all the components that require support systems, including those components such as' m'otor- ,

operated or air-operated valves that will likely.be screened out later because of their. high HCLPF and low nonseismic unavailability.

Otherwise, if they are pruned from the initial trees, their dependency on support systems may be overlooked in the rest of the analysis.

Also, since - physical interactions - between the component and structures, such as block walls or restraints, must be checked, it is better to include the component in the initial fault trees.

7. Although a few seismic interactions, such as the possible impacts of potential seismically induced fires,' were not evaluated, the potential for firewater piping ruptures to damage equipment was reviewed.

The DG centrol panels and distribution panels were ' located ,under 1

firewater piping that .had considerable lateral sway. Upon i

investigation, however,it was determined that the piping was dry, and.

J two signals would be required to fill the piping. The probability of inadvertent actuation was therefore negligible. The PCC and SCC j pumps were also located under sprinkler nozzles, but the motor

housings for these pumps were designed to prevent water from entering. Therefore, ruptures of firewater piping were not evaluated to impact saismic capacity. <

4 l 5.2.4 Minimal Cut Set Evaluation Process Minimal cut sets were developed at four stages in this project.

1. Front-line system level cut sets using partially pruned fault trees,-

j including their support systems, ~ were developed just before the second walkdown to provide some guidance to the fragility team.

These pointed out some potentially important system minimal cut j sets. Although plant or sequence level cut sets could have been of -

additional assistance, because the fault trees were still fairly large the number of minimal. cut sets would have been large as well. The additional effort to develop plant level cut sets before the second walkdown is not judged to be an effective allocation of resources, but the effort to develop system cut sets is effective.

2. Immediately following the second walkdown, the fault trees were pruned based on the information gathered. Sequence and plant level minimal cut sets were then developed and transferred to the fragility team for use-in calculating the preliminary plant HCLPF. Because-some component HCLPFs were not yet calculated, these cut sets were still considered preliminary.

)

-1 l

5-5

3. The plant Boolean equations containing the minimal cut sets were revised by hand just prior to the draft report to the Peer Review Group to include additional fragility information.

4. Some final plant Boolean equations were developed by computer for this report.

Although this is more effort than originally planned, it is probably similar to that -

required in future seismic margin reviews.

5.2.5 Schedule and Resources The schedule for the systems analysis tasks was judged to be adequate. The resources

expended for each task are presented in Table 3-1. -these resources were adequate for an experienced systems analysis team. About 10 percent of these manhours are support and clerical resources.

)

d 4

i J

5-6

Table 5-1. Systems analysis resource expenditure.

i TASK MANHOURS 1 COLLECT INFORMATION First Round Information 20 1.1 1.2 Additional Specific Information 34 8

1.3 Visit AE 2 REVIEW PLANT INFORMATION 0

2.1 Review EQ Level 2.2 Initial Systems Review 60 2.3 Indentify Components for Group A 36 2.4 Initial Screening of Components 50 2.5 Design Analysis / Seismic Reports 0 3 PLANT WALKDOWNS 3.1 Target Areas for First Walkdown 50 3.2 Perform First Walkdown 84 3.3 Simplified Analysis 36 3.4 Document First Walkdown 34 3.5 Perform Second Walkdown 26 4 SYSTEMS MODELING 4.1 Develop Event Trees and Fault Trees 539 4.2 Derive Accident Sequences 70 4.3 Boolean Equation / Minimal Cut Sets 50 5 SEISMIC MARGIN EVALUATION 5.1 HCLPF - Components 5.1.1 HCLPF - CDFM 0 5.1.2 HCLPF - FAM 0 5.2 HCLPF - Plant Capacity 10 i 6 REPORTING 6.1 Internal Review of Report 22 6.2 Letter and Draft Final Report 253 7 MEETINGS 7.1 Project Team Meetings 104 7.2 Peer Review Group Meetings 22 7.3 NRC/ACRS/ Expert Panel Meetings 24 TOTAL 1532 l 5-7

REFERENCES

. Battle, R.E., Emergency - Diesel Generator Operating Excerience. 1931-1933, NUREG/CR-4347, Oak Ridge National Laboratory, Oak Ridge, Tennessee, July,1985.

Budnitz, R.J., Amico, P.3, Cornell, C.A., Hall, W.J., Kennedy, R.P., Reed,- 3.W., and Shinozuka, M., An Aporoach to the Quantification of Seismic Margins in Nuclear Power Plants, NUREG/CR-4334, UCID-20444, Lawrence ' Livermore National Laboratory, Livermore, California, July,1985.

4 Carlson, D.D., Interim Reliability Evaluation Program Procedures Guide, NUREC/CR-2728, SANDS 2-1100, Sandia National Laboratories, Albuquerque, New Mexico, January, 1933.

Fleming, K.N. et al., Classification and Analysis of Reactor Operating Experience Involving Decenden Events, EPRI-NP-3967, Electric Power Research Institute, Palo Alto, California, June,1935.

Fletcher, D.C., Accident Mitigation Following a Small Break with Coincident Failure of Charging and High Pressure Iniection for the Westinghouse Zion PWR, EGG-CAAD-5428, EG&G Idaho Inc., Idaho Falls, Idaho, April 1981.

i Kolb, G.3., Interim Reliability Evaluation Program: Analysis of the Arkansas Nuclear One - Unit 1 Nuclear Power Plant, NUREG/CR-2787, Sandia National Laboratories, Albuquerque, New Mexico, June,1982.

4 Nuclear Regulatory Commission, PRA Procedures Guide. NUREG/CR-2300, Washington, D.C., January,1983.

l

{

Prassinos, P.G., Ravindra, M.K., and Savy, 3.B., Recommendations to the Nuclear Regulatory Commission on Trial Guidelines for Seismic Margin Reviews of Nuclear Power Plants, NUREG/CR-44S2, UCID-20579, Lawrence Livermore National Laboratory, j Livermore, California, March,1986.

l R-1 l

I 1

APPENDIX A IDENTIFIERS AND SYMBOLS I

Table A-1. Fault tree symbols.

O AND GATE (AG) - Output fault occurs if all of the input faults occur. s I

OR GATE (OG) - Output fault occurs if at least one of m the input faults occur.

BASIC EVENT (BE) - An initiating fault requiring no further development.

I 1

I UNDEVELOPED EVENT (UE) - An event which is not developed further, because it is of insufficient consequence or information is unavailable.

DEVELOPED EVENT (DE) - An event that could be further developed or is developed elsewhere but is treated here as a primary event.

DESCRIPTION - Contains the description of an event.

TRANSFER IN - Indicates that the tree is developed further at the occurrence of the corresponding TRANSFER OUT.

i TRANSFER OUT - Indicates that this portion of the tree must be attached at the corresponding TRANSFER IN. i i

A-1

Table A-2. Fault tree event identifiers.

All basic, developed, undeveloped events and tab-or gates are to be coded with the following format.

XXX-YYY-ZZ-AAAAA where

]

XXX = System Identifier I YYY = Event & Component Type Identifier l ZZ = Failure Mode Code AAAAA = Selected by analyst, try to indicate what the failure involves (e.g., rather than PSiO, use PTRNA)

Gates should be labeled with an alphanumeric ID, e.g., AFWi, HPIS, etc.

A-2 l _ __ - - - - -

Table A-2 (Cont'd)

System Identifiers ACP AC Power System AFW Auxiliary Feedwater System

! CIS Containment Isolation System CSS Containment Spray System DCP DC Power System HPI High Pressure Safety Injection System MCR Main Control Room OEP Onsite Electric Power System PCC Primary Component Cooling Water System PPS Primary Pressure Relief System RAS Recirculation Actuation System RPS Reactor Protection System SCC Secondary Component Cooling Water System SIS Safety Injection Actuation System SWS Service Water System l

\

4 l

A-3

Table A-2 (Cont'd)

Event and Component Type Identifiers Air Cooling Heat Exchanger ACX Sensor / Transmitter Units:

Flow . FST Level LST Physical Position -ZST Pressure PST Radiation RST Temperature TST Flux NST.

Circuit Breaker BKR Calculational Unit CAL Electrical Cable CBL.

Signal Conditioner 'CND Control Rods:

Hydraulically-Driven CRH-Motor-Driven CRM Ducting DCT Motor-Driven Compressor MDC Motor-Driven Fan FAN-Fuse FUS Diesel Generator DGN Hydrogen Recombiner Unit HRU Heat Exchanger .HTX Inverter INV ElectricalIsolation Device ISO Air Cleaning Unit ACU Load / Relay Unit RLY Logic Unit LOG i Local Power Supply LPS l

l A-4 l

Table A-2 (Cont'd)

Event and Component Type identifiers MGN Motor-Generator Unit MOD Motor-Operated Damper SOD Solenoid-Operator Damper Pumps:

EDP Engine-Driven MDP Motor-Driven .TDP Turbine-Driven XSW Manual Control Switch REC Rectifier TSW Transfer Switch TFM Transformer TNK Tank Bistable Trip Unit TXX AHU Air Heating Unit BDC l Electrical Bus - DC BAC 4 Electrical Bus - AC Manual Damper XDM Pneumatic / Hydraulic Damper PND Battery BAT Valves:

Check Valve CKV Hydraulic Valve HDV SRV Safety / Relief Valve Solenoid-Operated Valve SOV Motor-Operated Valve MOV Manual Valve -

XVM Air-Operated Valve AOV TCV i Testable Check Valve EPV Explosive Valve A-5 i

Table A-2 (Cont'd) l Event and Component Type Identifiers Filter FLT Instrumentation and Control Circuit ICC Strainer STR Heater Element HTR Pipe Segment PSF Pipe Train PTF Actuation Segment ACS Actuation Train ACT AC Electrical Train TAC DC Electrical Train TDC Block Wall BKW Operator Action XHE Common Cause Event CCF Miscellaneous Aggregation of Events VFC Phenomenological Events PHN A-6

Table A-2 (Cont'd)

Failure Mode Codes

Valves, Contacts, Dampers Fail to Transfer FT Normally Open, Fail Open 00 Normally Open, Fail Closed (Position) OC Normally Closed, Fail Closed CC Normally Closed, Fail Open CO Valves, Filters, Orifices, Nozzles Plugged PG Pumps, Motors, Diesels, Turbines, Fans, Compressors Fall to Start FS Fail to Continue Running FR Sensors, Signal Conditioners, Bistable HI Fall High Fall Low LO

(

No Output NO Segments, Trains, and Miscellaneous Agglomerations Loss of Flow, No Flow LF Loss of Function FC Actuation Fails FA No Power, Loss of Power LP Failure (for miscellaneous fault agglomerations VF not based on segments or trains)

Hardware HW

Grouping of f ailure modes by events or components are only suggestions. The failure modes listed may be used for any applicable event or component type.

A-7 l

l..

3 Table A-2 (Cont'd)

Failure Mode Codes

Battery, Bus, Transformer No Power, Loss of Power Short LP Open ST OP Tank, Pipes, Seals,' Tubes, Walls Leak Rupture LK Seismic Failure RP EQ Human Errors Fall to. Operate Miscalibrate FO MC Fall to Restore from Test or Maintenance RE Normal Operations (unavailable due to planned activity)

Maintenance Test MA Test and Maintenance TE TM Non-Specified Failure XX

Grouping of failure modes by events or components are only suggestions. The failure modes listed may be used for any applicable event or component type.

A-8

f l

1 l

l APPENDIX B AUXILIARY FEEDWATER SYSTEM l

1 1

Tabl( B-1. Auxiliary feedwater (AFW).

Safety Function: Supply water to the steam generators to remove reactor decay heat when main feedwater is not available.

Systen Components:

TK-21 Demineralized Water Storage Tank Tanks:

TK-16 Primary Water Storage Tank Pumps: P-25A Emergency Feed Pump P-25B Auxiliary Feed Pump P-25C Emergency Feed Pump Turbines: T-1 Turbine for P-25B (Powered from Main Steam)

Valves: Refer to Valve Table Support Systems:

AC Power: P-25A 4160V Dnergency Bus 6 P-25C 4160V Emergency Bus 5 DC Power: P-25A 125V DC Distribution Cabinet 3 P-25C 125V DC Distribution Cabinet 1 Air: TK-111 Control A0Vs (AFW-A-101,201,301)

TK-123 Isolation A0Vs (AFW-A-338,339,340)

Turbine Steam TK-25 Control Valves (MS-P-168,MS-T-163)

HVAC: Pump Room Pump Cooling: E-86A P-25A Discharge Recirculation E-86B P-25B Discharge Recirculation E-86C P-25C Discharge Recirculation Actuation: Steam Generator low Level Instrumentation: Feedwater Control System (SG Level, Pressure)

B-1

Table B-2. AFW valve table.

Operating Valve Power Normal Position Fail Description (S0V) Position _ (Actuation) Position AFW-A-101 Flow control to SG E-1-1 120VAC 1A 0 0 0 (1201A1)

AFW-A-201 Flow control to SG E-1-2 120VAC 1A 0 0 0 (120181)

AFW-A-301 Flow control to SG E-1-3 120VAC 1A 0 0 0 (1201C1)

AFW-A-338 Flow control isolation valve (AFW-A-101) 120VAC 3A 0 0 0 (1205A)

? AFW-A-339

- Flow control isolation valve (AFW-A-201) 120VAC 3A 0 0 0 (12058)

AFW-A-340 Flow control isolation valve (AFW-A-301) 120VAC 3A_ 0 0 0 (1205C)

MS- A-173 AFW pump B turbine trip and throttle valve mechanical 0 latched open C MS-P-168 Turbina steam supply pressure control 120 VAC Bus ,4 0 0 0 (1106)

MS-T-163 Turbine steam supply control 125 VDC Batt 3 0 C(SIAS/CIS) C*-

(1102)

Fails open on loss- of solenoid power. .

Table B-3. AFW cooling requirements.

, P-25A e Oil cooler E-86A 4

e Recirculation to DWST P-25B e Oil cooler E-86B e Recirculation to D ,.

e Designed to operace under elevated temperature conditions P-25C e Oil cooler E-86C e Recirculation to DWST T-1 o Does not have a high temperature interlock Pump Room o Open door, portable fan j

i i

i B-3 1

h

Fall'RE J OF AFW AFht 8 a s

~ q FAILURE 70 ?

FAILURE OF COMMCN CAUSE KEEP MIN LEV PA!!! CONTROL FAILURE 5" AFW IN ANY 35 ROOM PANEL 3 W/ANY PUMP AF M CF 80-AFW AFW1A 8 MCR-ACT-4.1-CNTFL 0 0 0 f

NO FLOW FROM NO FLOW FROM NO FLOW FROM PS-1 PS-2 FS-3 AFW2 8 8 AFW3 AFW4 8 FA6E 2 I e , ,

FAILURE OF NO FLOW FROM FAILURE OF FAILURE OF NO FLOW FROM FAILUR$OF AFW-A-201 TO FS-7 AFW-A-!3? TO AFW-A-30! TO FS-7 AFW-A-340 TO ALLOW FLOW ALLOW FLOW ALLCW FLOW ALLCWFLOW-AFW-A0V-kI-201 AFh5 I i AFW-A0V-tI-339 AFW-ADV-EI-301 AFW5 AFW-A0V-tI-!40 0 / aa 2 0 0 &"' O 4

i s

Figure B-1 Auxiliary Feedwater System Fault Tree, f

B-4

ha FLOW FROM PS-1 8

AFW2 l

Ti .

FAILURE OF NO FLOW FRCM FAILURE GF AFW-A-101 TO FS-7 AFW-A ~33 10 ALLOW FLOW ALLOW Fi.0W AFM-A0V-XI-101 AFh5 8 AFW-A0'MI-339 0 0 0 i , i NO FLOW FROM NO FLOW FROM NO FLCW FROM

' FS-9 FS-9 FS-10

-l AFW6 8 AFWi i AFW12 8 hPAGE4 hPAGE5 i

. i FAILLRE TO FAILURE OF FAILURE OF AFW' IFAILUEE OF AFW FU.CE 9-253 IN OW3T (TK-21) TURSINE E IVE

)FUMPF-IES SERVICE T-1 AFW-iP-II-PTENB AFW6A I AFW-ThK-K1-55T AFW7A i 0 ^ "* 3

- 0 .

4, i

i FAILURE OF FAILCRE OF F m a.t ur nra i FAILUEE OF I"REI!.E i-! MS-A-173 Tu MS-?-162 TO MS-i-163 TO ALLOW FLCW ALLGW FiGW ALLOW Fi.0W AFW-iU?-61-il AFW-.VM W.t-A17; AFW-PCV-VI-P165- AFW-i"V-El-i!6; l,! g) a

\ ;. \,l o -

1 Figure B-1 (cont.)

B-5

FAILURE 70 PLACE P-259 IN SERVICE Ar#A i f

FAILURE TD FAILURE TO PLACE P-258 IN PLACE P-258 IN SERVICE SERVICE RENGTELY LOCALLY AF42 I . AFW6C 8 CPERATOR Fall NO POWER FROM I FAILURE OF OPERATOR FAIL OPERATCR TO START P-253 125 VDC BUS 4 MS-T-!63 A!H TO START P-2'.il FAILURE TO FROM CONTROL ACCUMULATOR, FRSM C MTROL START P-259 RDOM TK-25 ROOM LOCALLY AFW-IHE40-IRBMC DCP-SEC-LP-5US4 AFW-TNK-a.1-TK25 AFW-IIE-FO-TR6MC AFW-IHEJ0-TR6LD 0 0 0 0 0 f

Figure B-1 (cont.)

8-6

NO FLOW FRC3 PS-3 WW9 8 A

! \

t-T <

FAILURE 3F V I iNO 70WER FROM NO POWER FROM h0 STEA1 GEN NO FLGW 70 PUMP P- !C I'130VACSUS5 12! VDC 505 1 LW LEVEL ACT. F5-3

' :;6NAL I i AFM ".DP-t1-?TRisc 4?-iAC-8.P-iUS5 DCP-6DC-LP-iU51 RF5-4;i-F4-SGLEV AFW10 8 0 0 0 0 0i f

FAILURE OF NO FLOW FRCM IWST (TK-21) PS-15 AFW-TNK-(14WST AFWil 8 0 9

' iFAILERELF 0FEFATOR FW5T (TK-16) FAILERE TO LlHE UP PW5i AFW-INK-VI-?>5T AFW-XHE-FO-E?WII

( b Figure B-1 (cont.)

B-7

INGFLOWFROM l FS-10 AFW12 i Wi 4 , , .

N0 POWER FROM NO F0WER FROM NO STEAM SEN NO FLOW in FAILURECFAFWl FU.".P P-25A 4150 VAC SUS i 125 VDC SUS 3 LD'J LEVEL ACT. FS-10 S!6HAL AFW.iLP-MI-FIRNA ACP-BAC-LP-BUS 5 DC?-5DC-LP-iUS3 RFS-ACI-FA-5ELEV AFWl; 8 0 0 0 0 Q FAILURE OF NO FLOW FROM DWST (TK-21) PS-16 AFW-INK-41-DWSi AFW14 6 0 a f

FAILURE OF 0FERATOR FWST (TK-16) FAILURE TO LINE UP FWST AFW-TNK-31-FMST AFW-lhE-FO-FfWII

\

i Figure B-1 (cont.)

B-8

FAILURE TO KEEP MIN LEVEL IN ANY SG BY ANY PP AFW1 1-i

NO FLOW FROM NON-SEISMIC PS-7 COMMCN CAUSE FAILURE OF AFW AFW5 AFM-CCF -AFW f 6 i NO FLOW FROM NO FLOW FROM NO FLOW FROM

' PS-9 PS-B PS-II i

I- .AFW6 I AFW9 8 AFW12 i PAGE 2 PAGE 3 SEISMIC FAILURE TO 1%NDOM FAILURE OF THE PLACE P-25B IN .

FAILURE OF CWST (TK-21) SERVICE P-258 j

AFW-TNX -DWST AFW6A AFW TCP -Pla9 FAILURE TO FAILURE TO PLACE P-259 IN PLACE P-259 IN SERVICE FROM SERVICE MCR LOCALLY AFWB I AFWGC 8 i i SEISMIC FAILURE TO FAILURE TO FAILURE TO FAILURE OF FLACE P-2!9 IN PLACE P-25B IN PLACE P-259 IN MS-T-163 AIR SERV!CE FROM SERVICE FRCH SERVICE ACCUMULATOR MCR MCR LOCALLY AFW-TNK -TK25 AFW-XEE -IRBMC AFW-1HE -TRBMC AF'd-IHE -TRBLO l

l r

Figure B-2 Auxiliary Feedwater System Fault Tree, Pruned and Merged.

B-9

NO FLOW FRGM PS-S AFh9 8 1

POWER NOT SEISMIC NO FLCW TO AVAILABLE FROM FAILUREOF PS-S 4168 VAC BUS 5 TRANSFORMER (I-587,1-608)

ACP-BAC-8 -9U55 ACP-IFM -57168 AFW13 i f f POWER NOT- SEISMIC SEISMIC NO FLOW FROM AVAILABLE FROM FAILURE OF. FAILURE OF THE PS-15 DIESEL TRANSFORMER DWST (TK-21) 6ENERATOR 1A (I-507,I-6d8)

OEP-06N-LP-061A AFWit i 0 0 ACP-TFM-EE-57168'AFW-TK6 0 i f i SEISMIC NON-SEISMIC NO POWER FROM SEISMIC OPERATCR FAILURE 08 COMMON CAUSE DIESEL FA!LtRE OF THE FAILURE TO TRANSFORMER DG FAILURE GENERATOR 1A PWST (TK-16) CPEN PWST ISOL (I-587,I-6881 VALVES-ACP-TFM-tQ-57I68 OEP-CCF-FC-06N 061A1 i AFW-TR-E9-FWST AFW-IHE40-EFWII O O g 0 0:

SEISMIC FAULTS IN FAILUREREFILL NO PCC CCOLING FAILURE OF THE DIESEL FUEL TANKS TOllECESSARY DIEEELDAY SENEEATCR 1A (P!3,'.i.V) SAFETY SYSTEM TA E TK62A/B C2a UEP-iK-EG-iKa21 CSF-PSF-:C-!GIA DEP-IHE 50-FUEL PCC1 5 0 nm 0 Q,;

SEISMIC SEISMIC ' FAILURE TO SEISMIC FAILURE OF AC FAILURE OF CLOSE PCC FAILUREOF CHILLERS PCCl!CC COOLER ISCLATICN VLVSt CIRC WATER AC-!A/18/2 E-48/E '% PUMP HOUSE ISWSi.

CCW-ACI -CHILL CCW :1TI -465A PCC-GE -i!OL SWS-iKW -CIRC Figure B-2 (cont.)

B-10

NO FLOW FRCM PS-18 A'FW12 8'

,i t i POWER NOT SE:SMIC NO FLCW TO.

AVAILABLE FROM FAILURE THE FS-!B 4168 VAC SUS 6 TRANSFCRMER (I-587,-I-638)

ACF-SAC-LP-EUS6 ACP-IFM-EE-57I63 AFWII '

i a 0 r

Qi

' SEISMIC SEISMIC NO FLOW FROM F0WER NOT AVAILABLEFROM FAILCRE THE. FAILURE OF THE FS-16 DIESEL TRANSFORMER DMST (TK-21)

SENERATCR 19 (I-587,I-638)

DE?-0SN- -CSIS ACP-iFF -57168 AFW-INK -EWSi AFWI4 .8 SEISMIC NON-SEISMIC NO PCWER FROM SEISMIC- CFERATCR FAILURE THE CCMMCN CAUSE DIESEL FAILURE OF THE FAILURE TO TRA.%FORMER DS FAILURE GE:iERATOR 15 FWST (TK-16) CPEN FWST ISOL II-587. I-602) VALVES ACP-IFM-EE-57163 CES-CCF -DSN 0S191 AFM-INK -PWST .AF M HE -EFWII i . i .

SEISMIC FAULTS IN FAILURE REFILL NO SCC COOLING FAILURE OF TEE DIESEL FL'EL TANKS TO NECESSARY DIESELDAY SENERATOR 1B (F33.VLV) SAFETY SYSTEM I TANK TK6:A/B CCMP 8

GEP-iM-Es-iK621 QE?-?SF-FC-051B CEP-JHE-50-FUEL SCC 1 l

0 0 0 i 1

SEISMIC SEIEMIC SEIEMIC FAILURE OF AC FAILURE OF FAILURE OF CHILLERS FCC/ SCC COOLER CIRC WATER AC-IA/19/2 E-49/E-!A PURP HOUSE (SWE)

I CC H CI -ChlLL CC H i! -465A SWS-iKW -CIRC Figure-B-2 (cont.)

B-11 ;

\

i

I APPENDIX C HIGH PRESSURE SAFETY INJECTION SYSTEM i

I

Table C-1. High pressure safety injection (HPSI) and containment spray pump area cooling (CSPPCL).

Safety Function: Inject borated water into the reactor vessel immediately after a LOCA. Also for feed and bleed, post-accident core cooling and additional shutdown capability during rapid cooldown of RCS. Spray pump area cooling to ensure long-tenn availability of containment spray pumps.

System Components:

Tanks: TK-4 Refueling Cavity Water Storage Tank Puzps: P-14A(N.0.) Charging (HPSI) Pump P-14B (S) Charging (HPSI) Pump P-14S (Spare) tharging (HPSI) Pump Fans: FN-44A Spray Pump Area Fan FN-44B Spray Pump Area Fan i

Valves: Refer to Valve Table Support Systems:

AC Power: P-14A 4160V Emergency Bus 5 P-14B 4160V Emergency Bus 6 P-14S 4160V Emergency Bus 5/6 FN-44A 480V Emergency MCC 7B FN-44B 480V Emergency MCC 8B DC Power: P-14A 125V DC Distribution Cabinet 1 P-14B 125V DC Distribution Cabinet 3

, P-14S 125VDCDistributionCabinet{1;'3.-

Pump Cooling: P-14A PCC P-14B SCC P-14S PCC Motors Air Cooled Actuation: P-14A SIAS A P-14B SIAS B P-14S SIAS A/B <

FN-44A SIAS A l FN-44B SIAS B C-1 i

. _ . . _ . _ .~_ .m. _ , , _ . _ _

Table C-1 (Cont'd)

Additional Components Whose Failure May Lead to HPSI Failure E-34 Seal Water Heat Exchanger _ Isolated by E-67 Reactor Coolant Regenerative Heat Exchanger CH-A-32 and E-96 Seal Water Heater CH-A-33.

FL-34B Seal Water Supply Filter TK-54 Spray Chemical Addition Te.nk Catastrophic failure may cause failure of RWST and/or interconnecting line.

(

4 C-2

Table C-2. HPSI/CSPPCL valve table.

Operating Power Normal Position fail (SOV) Position (Actuation Position Valve Description 125VDC DC/CE-1 0 C(SI AS-A) C CH-A-32 HPSI pump B discharge to charging header 125VDC DC/CE-1 0 C( SI AS-A) C CH-A-33 HPSI pump A discharge to charging header Inlet to charging header 125VDC DC/CE-2 0 C(SI AS-B) C CH-F-38 MCC 8A C 0(SI AS-B) Al HSI-M-11 HPSI. train B to Loop 1 injection HPSI train A to Loop 1 injection MCC 7A C 0(SI AS-A) Al H SI-M-12 HPSI train B to Loop 2 injection MCC 8A C 0( SI AS-B) Al H SI-M-21

" HPSI train A to Loop 2 injection MCC 7A C 0(SI AS-A) Al H SI-M-22 HPSI train B to Loop 3 injection MCC 8A C 0(SI AS-8) Al HSI-M-31 HPSI train A to Loop 3 injection MCC 7A C 0(SI AS-A) AI HSI-M-32 HPSI train B discharge cross-connect to train A MCC 8A C C* AI HSI-M-40 HPSI train A discharge MCC 7A C 0(SI AS-A) Al H SI-M-41 HPSI train 8 discharge MCC 8A C 0(SI AS-8) Al H SI-M-42 HPSI train A discharge cross-connect to train B MCC 7A C C* Al H SI-M-43 RWST supply to HPSI pump A MCC 7B1 C 0( SI AS- A) Al HSI-M-50 C(RAS-A)

Open for recovery action.

__. - -- ~ . _ . _ -. - . . . _ _ _ - . - - - _ _ _ _ .. .. . .s . .

Table C-2 (Cont'd)

Operating Valve Description Power Normal Position Fall (SOV) Position (Actuation) -Position itSI -!Mi RWST supply to HPSI pump B MCC 8B1 C 0(SI AS-B) Al C(RAS)

H SI-M-54 Recirculation supply to HPSI pump B MCC 7B1 C AI 0(RAS-A)

HSI-M-55 Recirculation supply to HPSI pump B MCC 881 C 0(RAS-B) AI SL-P-3 RCP seal water inlet 125VDC DC/CE-2' O O' C(SIAS-B)

(211)

?#

f

Table C-3. HPSI cooling requirements.

.'F P-14A e Air-cooled motor o PCC cooled stuffing box (seals) e Shaft-mounted tube oil pump for bearings and gear (P-14A-2) e Electrical tube oil pump for standby cooling (P-14A-3).

P-14B e Air-cooled motor e SCC cooled seals e Shaft-mounted lube oil pump (P-14B-2) e Electrical lube oil pump (P-14B-3)

P-14S e Air-cooled motor e PCC or SCC cooled seals (PCC preferred) e Shaft-mounted tube oil pump (P-14C-2) e Electrical lube oil pump (P-14C-3)

Pump e Open area, natural circulatien Cubicles e Doors to fuel building, turbine building and the garage doors may be opened to increase flow.

l C-5

LCSS OF HPS!(SHCAT l

TEli) OR RECIRC (LC?iG TERM) hPI-CSI1

~

t e

LOSS :F H?Si FAILURE OF !?iSCFFIC:EST

^

MA!!!CONTRCLC3fAlhMT ! >

ROOM PANELS SF:Af FL'IP AREA C; CLING l

HP!1 3 MCR-ACI-II-CliRL CSSi

&~2 0 0 i +

FAILURE ;F FAILURE OF EIHAUST FAN EIHAUST FAN FN-44A FN-44B

8 CSS 2 C'53 8 I f g FAILURE OF CS NO PCWER FFUM FAILURE OF FA!UJRE OF CS NO PCNER FROM FAl'.L:RE :f PUMP AREA 460 VAC .1CC 78 FN-444 FUI'F AREA 480 VAC MCC 3B FN-449 EIHAUST FAN, L 731 ACTUATION EIHAUSI FAN, & 381 AC jai!C'i FN-44A FN-446 i

CSS-FAh-81-FN44A ACP-iAC-LF-E C7B CSS 4 i CSS-FAN-t1-FN445. ACP-:"AC-LP-dCCBS CSS 5 8 l ')

i . i NO ACTUAi!0N GPERATOR lNGACTUAfi3N CPERATOR FFCM SIAS FAILURE 70 ' FRO.1 SIAS FAIL'.'RE TO TFAIN A START CS PUMP TRA!!) B START "S FLTP FAN FN-44A,9 FAN FN-44,3 SI3-4CI-FA-IRNA CSS AHE-FO-FN441' !!S-4CT-FA-iRNB CSS-AhS-ES-FN441

( h }

N i

Figure C-1 High Pressure Safety Injection System Fault Tree.

C-6

l LOSS OF HPSI I

l HPil i I f

WO FLOW TO ANY OF 3 LOOPS CCMMO:1 CAUSE FROM ANY CF 2 FalLUitE OF PUMPS HPSI HPI-PSF-FC-PUMPS HPI-CCF-FC-HPSI 3 0 1 I f NO FLC3 TO NO FLON TO NO FLCW TO INJECi!GN LO3P INJECT 10N LOOP INJECi10N LOOP 1 2 3 HP12 8 HP!3 8 HP!4 . 8 PAGE 3 PAGE 5 i i NO FLOW FP.0M NO FLOW FROM PS-1 PS-4 HP132 6 HP!5 8 PAGE 7 i . , ,

TAILUP.E OF NG ?CdE5 FECM NO ACTUATION NO FLOW F~.0M iSI-M-Il TO 450 lAC MCC SA FROM SIAS PS-9

LLCW FLOW TRAIN B 8

s!-rt0V-81-Wil ACP-SAC-LP-4CC3A. SIS-ACI-FA-iRNB HPl:1 d PAGE 9

} <

Figure C-1 (cont.)

C-7 s

NO R0W TO l

INJECTION LOOP l 2 8

HP!3 0 l NO FLOW FROM NO FLOW FROM P!4 PS-5 HP!33 i HP134 i PAGE 4 E 1 f FAILURE OF NO POWER FROM NO ACTUAT!DN NO FLOW FROM HSI-M-21 TO 400 VAC MCC 9A FROM SIAS PS-9 ALLOW RCW TRAIN B HPI-MOV-tI-MV21 ACP-SAC-LP-MCCSA 315-ACT-FA-TRNB HPl;l 8 0 0 0 &='

Figure C-1 (cont.)

C-3

Al FL3W FROM PS-5 HP!;4 i A

i NO ACTUATION NO FLOW Fn0M FAILUAEOF N3 FCER FROM 480 VAC MCC 7A FROM SIAS PS-12 HSI-M-22TO TRAIN A ALLOW FLOW 8

HPI-ft0'HI-MV22 ACP-HC-1.P-MCC7A SIS-ACT-FA-TRNA HPl7

0 0 0 A'= '

i J

1 ,

j l l

l l

I Finure C-1 (cont.)

C-9

INOFL0d70 i!WE0iiO!! LOOP HFil 4 0:

~

NO R0W fnGM 'NO FLOW Fn .1 PS-3 PS-6 HP!19 8 iip 135 i PA6E 6 I i I FAILURE OF NO F M R FROM NO ACTUATION NO R0W FROM HSI-N-31TO 480 VAC E C BA FADM SIAS PS-9 ALLOW FLOW TRAIN 8 HPI-MOV-tI-MY31 ACP-8AC-LP-E C8A SIS-ACT-FA-TRN8 HPI:t i

. 0 0 0 />= '

4 1

l 1

1 Figure C-1 (cont.)

C-10

!ic FLI,i FRC3 FS-6 HFI5 '

e

$v NO ACTUATION NO FLOW FRGM FAILUAE 3F NO ?0WER FROM 480 VAC MCC 7A FRCM SIAS PS-12 HSI-4-!2 TO ALLull FLOW TRAlti A i

HPI-M0V-41-W32 ACP-5AC-LF- K C7A 515-ACI-FA-iRNA H?I7 PAGE 7

[ ,

i I

i Figure C-1 (cont.)

C-11

i' NO FLCW FROM FS-4

.HPl: 8 1 )

g i

i FARURE OF NO PCsE3 FRGM NO ACTUATICN NO FLOW FROM HSI-M-12TO' 400 VAC MCC 7A FROM S!A3 PS-12 ALLCW FLOW TRAIN A i

HPI-MOV-VI-MV!2 ACP-5AC-LP-SCC 7A SIS-ACI-FA-iRNA hP!7 8

, i .

FAILUREOF NO PChD FROM NO ACTUATION NO FLOW FROM FLOW DIVERSION HSi-M-41 TO 460 VAC MCC 7A FROM $1AS PS-20

TFF00SW PS-14 ALLCW FLOW TRAIN A 1

HPI-MOV-41-MV41 ACP-iAC-LP .iC;7A SIS-ACT-FA-iRNA HPl!6 '8 HFli 8 0 e o 7 b='

i i . i FAILURE OF NG FChE3 FRCM l NO FCWER FROM NO ACIi!ATION

^ NO FLOW FROM NO FCC C00L!bG -

FPSIFUMP 4160 GC 51!S ! 125 VDC SUS 1 FRCM SIAS FS-2: TO NECESSARY P-14A TRAIN 4 SAFETY SYSTEM C0t'P 8 HP!-iD?-VI-FIENA ACP-iAC-LP-iU5! DCP-EDC-LF-:-US! SlS-ACI-FA-IFN4 HFl!4 i n FCCi 8 lA A 4 1

, yl l

-- E1 w $,)

w e\,

t

+

i .

FAILUEE OF NO PChE3 FRCH ha ACTUATICN 4

hii % 10 460 VAC MCC 75 FROM SIA3 FAILUEE OF I

ALLCW FLCW L 731 TRAIN 4 F5Si i

1 HPI-s-tHvn ACP-iAC-LF .iCC:3 lii-4CT4A-irs RWsit e i, f) d, h (1 ./\. FA3E 9 .

l l

i i

1 i

Figure C-1 (cont.)

C-12 3-i s

FLOS DIVEF51 h THR005M PS-!A HP!? i n

U!

I FLOW TEROUGH FLCW THR005H FS-14 FS-25 OR F5-27 i

hP110 8 HP111 i

! - PAGE 10 I

lFAILUREOF NO ACTdATION

'tH-A-32 TO FROM SIAS STOP FLOW TRAIN A l

HPI-A0V-t!-CHA32 SINC!94-ifriA O O a

T 1

Figure C-1 (cont.)

C-12

.10 FLCW FROM iS-9 HP!21 3 e

b I i . , ,

1 FAILURE OF NO ACTUATION FLOW DIVERSICN NO FLOW FROM HSI-M-42 TO NOPOWERFCMl 400 VAC .1C; 2A FROM SIAS THROUGH PS-15 FS-1B f4. LOW FLON TEAINB PI.10V-VI-MV42 ACP-iAC-LP *CCSA SIS-ACT-FA-TRN5 -HP! 2 3 HP123 8 0 0 0 A="a L i , , i i FAILURE OF NO POWER FROM NO POWER FROM NO ACTUATION h0 FLOW FROM NO SCC C0 CLING HPSI PUMP 4160 VAC BUS 6 125 VDC BUS 3 FROM SIAS FS-24 TO NECESSARY P-14B TRAIN S SAFETY SYSTEM CCMP HPI-MEP-(I-PTRNB ACP-BAC-LP-5US6 DCP-50C-LP-SUS 3 SIS-ACi-FA-iRNB HF127 i SCCI i t

0 0 0 0 4 0 I i FAILURE OF NO POWER FROM fic ACTUATION HSI-M-S1 TO 450 VAC MCC SS FROM SIAS FAILURE CF ALLOW FLCW & 251 TRAIN 3 RWST '

HPI-MOV-VI-MV51 ACP-PAC-LP-MCCSB SIS-ACI-FA-TRNB RWST! I V -

FAILURE CF THS FAILURE OF THE FWST (TK-4) SCAT (TK-!4)

FAILS RWST HPI-INK-VI-RW5i HPI-MK-SI-iCAT

) ff Figure C-1 (cont.)

c.t a

RGW DIVERSION THROU6H PS-t!

l HP!22 1 0

I R0W THROUGH R0W THROUSH PS-26 CR PS-27 ,

FS-15 i

MP124 i HPilt e i

i i i

R0W DIVERSION FAILURE OF NO ACTUATION R0W 3IVERSION THROUGH PS-27 CH-A-33 TO FROM SIAS THROUGH PS-26 STOP FLOW . TRAIN A HPl!Q 8 HPI-ADV-II-CHA33 SIS-ACT-FA-TRNA HP123 i

O 0 Q . .

Q ,

FAILURE OF FAILURE OF RCS R0W THROUGH l FLOW THROUSH FS-26 REGENERAT!VE FS-27 FS-26 HI (E-67)

HPl2SA ' HP1239 I HPI-HTI-MI-REEEN e HP131 i

\ U

\

t g Q g 2

l FAILURE OF FAILG E OF NG ACTUATION IL-?-3 FAILS NO FCWER FRCM NO ACTUAT10N FAILSECF ,

SEAL MATER EEAL AATER CM-F-IS TO FROM SIAS

!; STCP RCW 125 VDC SUS : FROM SIAS HEATER iE-?6) FILTER STUP RCW TRAIN B iSS L WATER TRAll B (FL-348) 50L)

CCP-iDC-U-SUS 3 S!S-ACT-FA-inha HPI-Hil-ni-iLWTR HPI-FLT-kI-ELWTR HPI-dOV-61-C3F35 A SIS-ACT 21-40'i-11-iLF3

^

A p I}

!j V i '} b- i.- L i

I t

Figure C-1 (cont.) ,

l C-15

r i LCES OF HPSi(SHORT TERM) OR l

RECIRC (LONG

! TERM) hPI-CSI:

i LOSS OF ii?SI INSUFFICIENT CONTAINMT SPRAY PUMP AREA COOLING HPil i CSSI s PAGE 4 f .

PCNER NOT NO POWER FROM AVAILABLE FROM 480 VAC MCC 88 488 VAC NCC 78 L 881 CR 781 ACP-3AC-LP-MCC7B ACP-BAC-LP-dCC38 PAos 3 f

PCWER NOT SEISMIC AVAILABLE FROM FAILURE OF DIESEL TRANSFORMER GDERATCR 1A (I-397,I-688)

DEP-CSN-LP-CSIA ACP-IFM-cE-57iE8 f

0 0 NO POWER FRCM NON-SEISMIC DIEEEL CONMON CAUSE 6DERATOR lA DS FAILURE D61A1 i OEP-CCF-3CiEN I

Q 0 I f FAULTS IN DPERAIDR NO PCC CCOLING SE!!!!C OIESEL PAILu G TO TO NECE!!ARY FAILURE OF TFE SENERATOR IA RE9lu. Fun SAFETY SYSTEM DIE!!L DAY Ann CCMP TANK TX6"A/B OEP-P!F -061A CEP-INE FUEL PCC1 CU-ink -iK621 l

l l

Figure C-2 High Pressure Safety Injection System System Fault Tree, Pruned and Merged.

C-16

NO PCC CCOLING TO NECE!SARY SAFETY SYSTEM

CCltP L

PCCI SE!!MIC FAILURE TO SEIEMIC SE!DIC FAILUREOF CLOSE PCC FAILUREOF FAILURE OF AC PCC/ SCC CCOLE !!OLATION VLYS C!RC MATE CHILLES E-4BIE-S PU!!P HCUSE AC-1A118/2

(!WS!

CCW-feCI -GiiLL CCW :tTI -45 3 PCC-IHE -ISCL SWS-5KW -CIRC l

1, 1

l 1

l Figure C-2 (cont.)

C-17

P0llER NOT AVAILABLE FRON 488 VAC EC 88 8 831 ACP-3AC-LP-ECS3 f

POWER NOT SEISHIC AVAILA8LE FROM FAILUREOF O!ESEL TRANSFORMER SENERATOR 18 (I-587,I-6881 OEP-06N4.P-0618 ACP-TFM 9-57I48 U

i NO P0llER FRON NON-SE!SMIC i

DIESEL COMMON CAUSE SENERATOR 18 DE FAILURE i

I D6181 8 OEP-CCF-FC-06N Q 0 i

FALLTS IN OMATOR NO SCC COOLING SEISHIC OIEEEL FMuRC10 TONECESSARY FAILUREOFTHE l GENERATOR II REFlu. PUEL SAFETY SYSTEM OIESEL DAY f4Hns CCMP TANK TK&:A/8 i

GEP-PSF-FC-0618 OEP-INE 80-FUEL SCC 1 i ljEF-INK i-iK621 1

0 ~0 0 0 f

~

SE!!MIC SE!!MIC SEIE!C FAILURE OF AC FAILURE OF FAILUREOF

' CHILLERS PCC/ SCC COOLE CIRC llATE AC-!A/18/2 E-43/E-!A PUMP HOUSE (SiiS1

LCW-AC -CHILL I;CN-dTI -48!A liiiS-iK " -;IAC l

1 l

l l

l Figure C-2 (cont.)

C-18

- - _ _ _ _ _ _.__ ___. _---.. _ .-._ .-~_-____ _ -______.-. _ _.---_._ _ _._ -._..-____._- -

LOSS OF HPSl HPI! l t

i NO ROW TO ANY tm 3GMic, OF 3 LOOPS CCMRCN CAUSE FRCH ANY OF 1 FAILLIE OF PL'MPS HPSI HPI-PSF-FC-FUMPS HPI-CCF-FC-EPSI O O i , e i NO FLOW TO NO RGH TO NG FLCW TO INJECTION LOOP INJECi10N LSDP INJECil0N LOOP 1 2 3 i

i HP!3 i HP!4 i HPI2 PAGE F PAGE 7 i

I t NO R03 FECM NO R0W FROM -

t FS-1 FS-4 HEI!2 i HPI5 i PAGE i NO Ruii Fr.0M NO P0JER FECM

450 VAC MCC 2A PS-?

At?-BAC 8 ?MC;SA HF[21 8

) PAGE 10 F0WER NOT SE!!MIC AVAILABLE FROM FAILLTE 7 OIEEEL TRANSFCEMER GE.NERATCR 18 (I-537,1-i281 CEF-CGN 0618 ACP-iFM - 7163 Figure C-2 (cont.)

C-19

50 R 0W TO INJECTION LOOP 2

HPl! 8 I 4 NO R0W FROM ha FLOW FROM PS-2 PS-5 HPl!3 8 HPl!4 8 PAGE G NO PC'.iEn FROM NO P.0W FROM 460 VAC MCC GA PS-9 4

ACP-SAC-LP-dCCSA HP!21 8 tuc 4 PAGE tb i

1 i

1 1

i j

i i

I

Figure C-2 (cont.)

j C-20

NO FLOW FROM FS-5 HP!;4 I

~

l h3 FChis FRGM NG FLOW FRC.1 480 VAC MCC 7A FS-12 ACP-iAC-LP .1CC7A HP17 i FA6E T

POWER NOT SEISMIC AVAILABLE FROM FAILURECr DIESEL TRANSFORRER SENEPATOR 1A (I-387,I-638)

OEP-DENd -061A ACP-TFM ~ -57168 pu.e 1 4

4 1

1 1

i 1

l

~

1 Figure C-2 (cont.)

l C-21

.._..._7-.-...._ , . . . ,. -, ._,-, - _ . . . . , . . . . . . . . . _ _ , . . -_

!ic Fi.0W TO I!iJECTIG!i LC;P 3

HP!4 8

, i 0

l NO FLOW FROM M R0W FROM PS-3 PS-6 l

HP!19 i HPI35 i PAGE 8 NO POER FROM NO RJW FROM 480 VAC MCC 8A PS-9 ACP-94C-LP-MCC8A HP!;l I nos4 PAJE 10 I

J

FigureC-2(cont.)

C-22

i I

W FLOW FRGil PS-4 itP!35 8 W PONG FRS NO FLOW FRGH 4N V K EC 7A PS-12 i

EP-IAC -Ec7A HPI7 I t I, t

[PAeE 9 1

1 l

l l

t 4

i i

i l

l I

I FigureC-2(cont.)

C-23 1

1

NO FLOW FACN PS-4 HPI5 '

NO PC E R FROM M FLOW FROM 400 VAC KC 7A Pt-12 ACP-5AC-LP-E C7A HPIT I h Paa 4

! NO POWER FROM NO FLOW FROM

{ 440 VAC NCC D PS-20 j ACP-iAC-LP-EC7A HPll6 8 92&b PCER NOT NO FLOW FROM NO PCC COOLING AVAILA8LE FROM PS-23 TO MCESSARY DIESEL SAFETYSVITEM IEM RATOR 1A COMP i

i OEP-OSN-LP-081A HPll4 i PCC1 Pasi NE l

i NO PO R R FROM FAILURE OF TM 400 VAC KC TI RW87 (TK-4)

E731

}

! l ACP-!AC-LP-MCCIA HPI-TE 41-Rhii

6-: 0 4

i

Figure C-2 (cont.)

C-24

]

i h6 FLC3 FROM

PS-?

i .

HP!21 8 NG 7CWEP FROM NO FL53 FROM 440 VAC NCC 3A PS-18 ACP-SAC-l.P-f!CCSA W123 i PA6e 4 i i

! P0utt s i NO FL0u FROM NO SCC COOLING j AVAILA8LE FROM PS-24 TO NECESSARY

O!E!EL SAFETY SYSTEM BDERATOR 18 CCW i llEP-DIN -0018 W127 I IICC1

} tA6C .1 Pa6s 3

,I NO P0utR FROM FAILURE OF THE 440 VAC nCC se Rusi (TK-4) 6 III i

ACP-6AC-LP-McC88 Wl-ThK u-Rust l

he.osa i

i J

4 FigureC2(cont.)

C 25

I I

i APPENDIX D PRIMARY PRESSURE RELIEF SYSTEM l

I

1 Table D-1. Primary pressure relief system (PPS).

4 Safety Function: To provide feed and bleed capability. Also provides reactor coolant system overpressure protection.

i

! System Components:

i Valves: P R- S-14 Power-Operated Relief Valve P R- S-15 Power-0perated Relief Valve

~

PR-M-16 PORY Isolation Valve PR-M-17 PORV Isolation Valve l

I Support Systems:

AC Power: PR-S-14 480V Emergency MCC 7B PR-M-16 480V Emergency MCC 78 P R-S-15 480V Emergency MCC 8B PR-M-17 480V Emergency MCC 8B i

Actuation: Actuated by operator for feed and bleed

)

i t

I i

i 1

i i

1 l 0-1 L _ - .- . _ _ . _ .-- .. - - . - . . . _ . . - _ - . . . - - -

' FAILURE TO ELFPORT FEED 'a ELEED FLNCTIO!!

8 PP51 FORVs FAIL T3 . FAILURE OF' ~

CONMCN CAUIE CFE'i GMALL NAIN C NTP.C;.

FAILUEE OF LOCAHAS ROCMPA?6ELS PORV/ ROCK CCCURREO)

FPt-CC?- C-?Om1 Pf 32 i MER-4CT-11-CNTAL L 0 0 LDSS OF LD53 0F FUNCTI0ti0F FUNCT10M OF PS-1 PS-2 PFS4 i FFS 1 FAGE 2 I I I FAIL'JRE CF NO F0WER FROM GPERATGR FAILURE OF FR-i-l! TO 460 VAC MCC 68 FAILURE TO FR-N 17 TO ALLCWFLCW L 391 0 FEN FORY5 TO ALLCW FLOW REED PPS iGV-n! ;551', ACP-BAC-LP-MCC3B FFS tHE FO-FDRD FFS-P.0V tI-FPr!!7 0 0 0 0 Figure 0-1 Power-0perated Relief Valve Fault free.

0-2

4 1

L0530F

l. FijNCi! 3 EF l

i' FS-2 P

I PF55 1 L t FAILLAE OF NO ?CaER FROM ICPERATOR FAILLRE OF FR-i-14 TO 430 VAC MCC 75 FAILCRE TO PP M-16 TO ALLCW FLOW & 781 OPEN PORVS TO ALLCWFLOW 4 REED PFS-50M1-FR514 ACP-iAC-LP-MCC78 PPS-AHE FO-FDRD PPS a0MI P8M16

0 0 b 0 j

{

i j '

i i

4 l

)

i i

1 l

1 1

3 i

1 i

h

.)

Fiqure D-1 (cnnt.)

! D-3 ,

1 l - _. - - -- - --.-.-.-_- -

t

FA! LURE TO SUPPCRT FEED &

BLI D (NO

, LOCA) 8

PPSI 4

FAILURE OF AT NC.1-!!!SMIC LEASTONEPCRV COMMON CAUSE (UNA KE TO FAILURE OF

. OPEN! PORV/ N "X PPS2 i PPS 'lCF FC-POPYS 0 b

. i LOSS OF LOSS OF FUNCTION OF FUNCTION OF .

! 51 PS2 4

i' PPS4 i PPS$ I j hPAGE2 PAGE 3 1

i i

i l

I i

l f

i i

Figure 0-2 Power-Operated Relief Valve Fault Tree (No LOCA), Pruned and Merged.

0-4

i a

LOSIOF FUNCTION OF PS 1 PPS4 I i

PoutR MT FAIL M TO

! AYAILAOLE FROR OPERAftPNVI [

j 480 YK EC N F N FIEI 6 1 j 8 861 EIES

! ACP-8K-LP-RCCW 198-M 8 ,

! U i

P0utR MT It!IR!C !

j AVAILAILE FROM FAILUREOF i DIEltL TMNIFOMR f

00 G et0R II (I 507. I-6001 i

MP-08 -N!I ACP-tFR O-57141 I !

i i

j W P0utR FROR EN-StilRIC ;

IltSIL ComWICAust l IDSATR 18 N FAILURE l

l Mill i utP-CCF C 00R V i i , , .

I FAULi$ IN W"E NO SCC C00 LIM SE!!Ric - l

! O![!!L FAtWRC 2 TO MCtllARY FAILURt 0F M l EMPATOR II grr.L mgt $4FttY IVlttR O!!!ELSAY ',

j n%S CClf telet TX4*A/B ,

t

! i i OtP f!F-8C4418 utP-M40-FLtL ICCI I

! 0 0 -

Q i I T- - ,

{ SEllatt ItllRIC IE!!RIC l FAILURE OF M FAILURE OF FAILUREOF

WILLERS PCC/ECC00LG CIX BATH '

l' K 14/10/2 t40/t34 PURPN00st 18 4 )

1%Hg G ILL I,T N TI -453A 1rd 5K GIRC Flouren-2(cont.)

0-5

LCSS OF FWCTICN OF 62 PPS3 I i .

POWER NOT FAILURE TO AVAILABLEFRCM OPERATEPORVS 488 VAC MCC 78 FOR FEED %

OR 781 BLEED ACP-SAC -MCC78 PPS-IHE -FDBLO i

PCWER NOT SEISMIC AVAILABLE FROM FA! LURE F O!ESEL TRANSFCRMER GENERATCR 1A I M 87, M aBI DEP 0GN-LP-CGIA ACP-IFM -37168 ho PCWER CRCM NON !E!SMIC O!!!EL CCMMONCAUSE SENER%fCR!A CSFAILURE DGIAL CEF-CCF DGN i i i FAULTSIN Q?kRA1CM NO FCC CCOLING SE!!M!C O!ESEL , TAIL 2 4 7 TONECE$$ARY FAILURE CF TH[

GENEFATCR 14 n citt rust SAFETYSYSTEM O!E!!!, CAY taw d CCMP TANK TX6lA/]

CEP FSF FC 0GIA CEP tHE t0 *UEL PCC1 6 y p -Th F i-i4 :1 b U Q 6 i i 4 ?E!!MIC IEI!MIC FAILURE 10 SE!!MIC FAILUREOFAC FAILLRECF CLOSEFCC FAILUREOF CHILLERS PCC/!CCCCCLER !!?LAi!DNVLYS CIRCWATER ACIAllll! E 41/E !A PUMPHOUSE

(!WS)

I;cd 4C1- HMILL I;Cd sil 141 A PC; DEiG-!E uds-in H!AC U u U v Figure 0-2 (cont.)

06

F4!LullE TO SUPPORT FEE! n BLEED (SMALL LOCA)

PPSI i 0

f FAILURE OF 110ll-SEISMIC BOTH PORVS COIUSICAUSE-l (UNAILE TO FAILURE OF OPEN) PORV/ISOL PPS2 i PPS-CCF C-PORYS l 1 LOSS OF LOSS OF FUNCil0N OF FUNCTIONOF

! PORVI PORV2

! PPS4 8 PPS3 I hPAGE2 hPAGE3 I

f 4

l I

a i

l l

3

i l

I i

Figuro 0-3 Power-0perated Relief Valve Fault Tree (Small LOCA), Pruned and Merged.

07

LOSS OF FUNCTION 0F PCRV!

6 PFS4 I I POWER NOT FAILURE TO AVAILABLEFROM OPERATE PCRVS 488 VAC MCC 3B FOR FEED 6 PLEED ACP-BAC4.P-MCC2B FPS-fHE 50-FDBLD 0 d I

POWER NOT SE!SMIC AVAILABLEFRCM FAILURE THE O!ESEL TRANSFORMER 6ENERATOR 18 (I-!B7,I-6 bbl CEP-CGN-l.P-D618 ACP-TFM- Q 57148 U

f NO PCNER FROM NON-SEISMIC DIE!EL CCMMONiAUSE GENERATOR 18 06 FAILURE C6181 8 CEP-CCF4C 0GN 0 0 I I I FAULTS IN FAILUREREFILL NOSCCC00 LING SE!!MIC CIEEEL FUEL TANKS TONECESSARY FAILURE OF TE!

GENERATOR IB (P3 .VLVI SAFETYSYSTEM OIESELDAY COMP TANK TX4lA/S OEP PEF #C 0619 CEP IHE-iO-fuel SCCI i UEF-iM s IK621

!E!!3!C til!MIC !!!!MIC FAILL'RE CF AC FAILURECF FAILUREOF CHILLERS PCC/SCCCCCf.ER CIRCWATER ACIAllB/2 E 48/E !A PCMPHOUSE

!!WS) i;Cd ACX 2 OllLL I;Cd rtli 8 H 61A Udsitd62CIAC Figure 0-3 (cont.)

08 l

1 l

l LOSS OF FUNCTION OF PCRVC FPSC 4 i

POWER NOT FAILURE TO AVAILABLE FRCM GPERATE PORVS 488 VAC MCC 78 FOR FEED %

OR 781 BLEED ACP-3AC -MCC73 PFS-IHE -FESLD i

F0WER NOT SEISMIC AVAILABLE FROM FAILURETHE DICSEL TRANSFCRMER GENERATOR 1A (I '87, 1-6281 DEP-06N-LP-061A ACP-IFM rQ-57169 0 0 i

NO PCWER FFCM NON-SEISMIC C!ESEL CCMMON CAUSE GENEFATCR lA CG FAILURE DSIAl i CEP-CCF-FC-0GN FAULTS IN FAILUREFEFILL NOPCCCCOLINS SE!!M[C CIESEL FUEL TARS TO'4ECE55ARY FAILUREOFTE!

GENERATCR1A (P31.VLVI SAFETY SYSTEM OIE!!LCAY CCMP TAhK TK6*A/8 OEP PSF-8C ;GIA OEP fHE-50 FLEL FCC1 i UE?-ihAgi ful!

0 ,

0 >

0 4 0

SE!!MIC !E!!MIC FAILUPE 10 !E!!MIC FAILURE CF AC FA!LtRECF CLCSEPCC FAILUREOF CHILLEE9 FCC/SCCCCCLER !!0LATICN VLYS CIRCWATER AClAll8/2 E 49/E !A FUNP HCUSE I (DS)

CCd 0 1-G ILL CCd nit N i:A atC res-60 IScl ~G 6 0 as iu8-c!AC 1

Figure 0-3 (cont.) l 0-9

- - - ~ ~ - - - - _ _ _ _ _

APPENDIX E PRIMARY COMPONENT COOLING WATER SYSTEM i

Table E-1. Primary component cooling (PCC).

Safety Function: Provide cooling water required by plant equipment for normal operation and decay heat removal during cooldown or accidents.

l System Components:

i Tanks: TK-5 PCC Surge Tank Pumps: P-9A(N.O.) PCC Pump P-98 (S) PCC Pump Heat Exchangers: E-4A (S.) PCC Cooler E-4B (N.O.) PCC Cooler Valves: Refer to Valve Table Support Systems:

AC Power: P-9A 4160'l Emergency Bus 5 P-98 4160V Emergency Bus 5 DC Power: P-9A 125V DC Distribution Cabinet 1 P-98 125V DC Distribution Cabinet 1 HVAC: Turbine Building Cooling: P-9A 011 Cooled P-9B Oil Cooled Motors Air Cooled E-4A SWS E-4B SWS Actuation: P-9B Low PCC Header Pressure j l

l E-1

! Table E-2. PCC valve table.

Operating l Valve Description Power Normal Positfcn Fai1 (SOV) Position (Actuation) Position I

PCC-A-216 Return from penetration coolers 125 VDC DP/P O C(SI AS-A/CI S-A) C**

(3413)

PCC-A-238 Return from air recirc. coolers 125 VDC DP/BU 0 C(CSAS-B) C**

(3412)

, PCC-A-268 Return from CEA air coolers 125 VDC BATT 2 0 C(SI AS-B/CIS-B) C**

l 1

(3416)

PCC-A-493 DG-1A cooling water outlet O 125VDC (1730A)

PCC-M-43 PCCW outlet from RHR heat exchanger MCC 781 C O(RAS-A) AI m PCC-N-90 PCCW isolation to auxiliary building MCC 7A 0 C(RAS-A) Al l PCC-M-150 PCCW isolation to letdown heat exchangers MCC 7A 0 Al

' C(RAS-A)

PCC-M-219 PCCW isolation to containment MCC 7A 0 C(CIS-A) , Al PCC-T-19 Cooler supply temperature control pneumatic 0 0 0 PCC-T-20 Cooler bypass temperature control pneumatic C 0 C l **

Fail open on loss of solenolo power

I s

Table E-3. PCC cooling requirements.

P-9A e Air-cooled motor e Oil-lubed bearings i

i i

P-9B e Air-cooled motor 1

e Oll-lubed bearings i Turbine 1

Building e Natural circulation l

k i

1 1

a i

i l E-3

Table E-4. PCC cooling loads.

Loads location

AC-1B Control Room Air Conditioner Vent .& AC Equip. Rn, El . 39' 0" C-3A Waste Gas Compressor (E-88A)

C-3B Waste Gas Compressor (E-888)

E-3A Residual Heat Removal Exchanger Cont. Spray Pump Area , El . 14' 6"

E-25 Fuel Pool Heat Exchanger Fuel Bldg. , El . 25'0" E-29 Recovery Evaporator Distillate Condenser E-30 Recovery Evaporator Distillate Cooler E-31 Recovery Evaporator Bottoms Cooler E-34 Reactor Coolant Pump Seal Water Heat Exchanger i

E-35 High Pressure Drain Cooler

)

E-39A Neutron Shield Tank Cooler

! E-39B Neutron Shield Tank Cooler l E-44 Letdown Heat Exchanger

! E-45 Waste Evaporator Bottoms Cooler i E-46 Waste Evaporator Distillate Cooler i

E-53-1 CEA Drive Mechanism Air Cooler i

' E-53-2 CEA Drive Mechanism Air Cooler E-53-3 CEA Drive Mechanism Air Cooler i

E-54-1 Reactor Containment Air Recirculation Cooler Reactor Containment

E-54-2 Reactor Containment Air Recirculation Cooler Reactor Containment

! *E-54-3 Reactor Containment Air Recirculation Cooler Reactor Containment

" *E-54-4 Reactor Containment Air Recirculation Cooler Reactor Containment

E-54-5 Reactor Containment Air Recirculation Cooler Reactor Containment

E-54-6 E-70 Reactor Containment Air Recirculation Cooler Reactor Containment Pressurizer Quench Tank Cooler E-71A Degasifier Vent Condenser E-71B Degasifier Vent Condenser E-72A Degasifier Effluent Cooler E-728 Degasifier Effluent Cooler E-75 Waste Evaporator Distillate Condenser E-77A Reactor Coolant Sample Heat Exchanger l E-77B Reactor Coolant Sample Heat Exchanger E-81A Secondary Sample Heat Exchanger E-81B Secondary Sample Heat Exchanger E-81C i Secondary Sample Heat Exchanger l

E-82A DG-1A Cooler 1 *E-918 Safeguard (LPSI) Pumps Seal Leakage Cooler

E-92B Charging Pump Seal Leakage Cooler PAB, El. 13'6" E-93A Degasifier Vent Cooler i E-938 Degasifier Vent Cooler E-94 Waste Gas Compressors Af tercooler E-100 Blowdown Tank Cooler I

E-4 i

I i

Table E-4 (Cont'd) ,

I i

I Loads Location P-1-1 Reactor Coolant Pump ,

P-1-2 Reactor Coolant Pump P-1-3 Reactor Coolant Pump

P-7 Auxiliary Charging Pump PAB, El. 11'0" P-11 Recovery Evaporator Reboiler Pump

P-12A LPSI Pump Cont. Spray Pump Area, El .

14'6"

P-14A Charging Pump PAB, El. 21'0"

P-14S Charging Pump PAB, El. 21'0" P-19 Recovery Evaporator Distillate Pump P-20 Recovery Evaporator Bottoms Pump P-21 Waste Evaporator Reboiler Pump P-22 Waste Evaporator Distillate Pump P-65 Waste Evaporator Bottoms Pump P-66A Degasifier Pump P-66B Degasifier Pump

Containment Penetration Coolers (Penetrations 9, 29, 30, 31, 32, 45, 46, 53,54,55,62,64,65,66)

= PCC Loads not isolated by PCC-M-90, -150 or -219, whose failure may lead to failure of the PCC.

i E-5

NO FCC COGLIh6i TO.NECE527.RY EAFETY SYSTEM CO.M?

8 PCC1 FAILURE OF ' FAIL"FE OF PCC FAILUP. EOF??b.NOFLGW70 l 'Fi.0W DIVEK5I:N l LOA 3 IN PE-1 LCAD E-32A LOAD 'F-144) PS-1 FEC.1F5-1 C2tCM:T,USEf IDS-!AC00LER) PUMP COOLER FAILEFEOFPCCl SYSTEM PCC16 8 FCC riTI-II-ES2A PCC-HTI-t!-?t44 PC:2 i PCC3 i FCC-CCF-FC-?CCW PAGE 2 h.

PAGE 8-PAGE 4

{}

F l

l l

Figure E-1 Primary Component Cooling System Fault Tree.

E-6

l l

FAIL"RE 2F f LCAD IN PS-1 PC:;e i FAILL7.E GF PCC FAILURE CF PCC FAILURECF FAILURE OF PCC FAILURE GF PCC FAILURE CF PCC l LOAD P-145 LOAD - LGAD IN FS-1 LCAD AC-19 LDAD (P-7) LOAD P-1 A (PUMP COOLER) (PUMP COOLER) PENETEAil5N (CCNTROL R30M PUK COULER CCOLERS ACI PCCiss 8

?CC-ACI-41-AC;3 FRC dil-11 '? PCC-Hil-X1-PICA PCC-dT1-RI-?t45 PCC-HTI-8.1-FEN O r o fye s O

cicure E-1 (cont.)

E-7

FAILLRE OF L A0 IN PS-1 PCC15A I

\4 P FA LUR OF PCC UAE OF PCC FA L OF FA LURE OF PCC i A (R L (FUEL P0GL E-fit,EAFEB PP R LEM E-H~! 6 EXCHANGER) COOLER) Puy S SEAL CLR CLR (AIRREbiRC CLR)

PCC-dTI-t!-UA FCC-liTI-?I-E25 PCC-HTI-kI-E919 PCC-iiTI-tI-E928 PCC-HTI-tI-E 41 0 0 0 0 0 l

l

\

Figure E-1 Iccr:t,)

E-8

FLCW JIVERSIO:4 FRCM PS-1 8

PCCC

/

lqi FLOW DIVERSION FL2W DIVER 5ICN Fi.0W DIVERSIDM FLOW 31VER510N FLCW 31VER51CM THROUGli PS-5 THRGUSH ?i-6 THRCt:3n PS-2 TriRCl;GH F5-; THRCUGH PS-4 FCC13 8 PCC14 i FCC15 - a PCC11 i PCC12 8 PAGE 8 PAGE 5 hPAGE 6 hPAEE7 f {

i h3 POWER FRCM OPERATOR FAIL"RE OF PCC-5-150 TO 480 VAC MCC 7A FAILURETO SICP FLOW CLOSE PCC ISOL VALVES PCC-MOV-V.1-MV1"0 ACP-EAC-LP-MCC7A PCC-1HE-50-15CL 0 0 f Figure E-1 (cont.) l E-9

FLOW DIVERSION THROU3H FS-3 PCC12 i e

I I i FAILURE OF NO POWER FRC.1 GPERATOR-FCC-M-90 TO 480 VAC MCC 7A FAILURE TO

!iCP FLCW CLCSE PCC 150L VALVES PCC-10V-t!-dV90 ACP-2AC-LF .1CC7A FCC-1HE-80-ISOL 1 0 0 1

1 i

i i.

4 4

l Figure E-1 (cont.)

E-10

FLTA DIVERSICN l THROU3H PS-4 J lCCl; a NO PCWER FROM DPERATOR

.. FAILURE OF 450 VAC MCC 7A FAILORE TO PCC-M-119 TO CLOSE PCC ISCL SIGP FL3W VALVES' PCC-MGMI-MV219 ACP-SAC-LP-MCC7A PCC-lHE-FO-ISCL 0 0 0

?

l

)

l b

I l

l Figure E-1-(cont.)

E-11

, . , - _ . .-r. -- , , -

'FLCW JIVERSION lThR005!i FE-s FCC15 8 T- , ,

FAILURE OF. NO FCWER FROM NO ACTUATiGN FCC-4-Il6 TO 1:5 VOC SUS 1 FROM !!AS STOP FLOW TRAIN A-PCC-A0VgX-AV:16 DCP-iDC-Lo-EUSl SIS-ACT-FA-IRNA

-} if _ [f Figure E-1-(cont.)'

E-12

4 Fi.CW EEESICN '

IHREG H Fi-5 s

-l

?CC;4 '

,s 1

1 5

l 'FAILUREOF NO FChER FRGM ' lNGACT. SIGNAL' I FCC-4-253 70 125 VOC SUS 2 'iG CLOSE SiCF FLOW FCC-A-MB FCC 40V-VI-AV263 DCF-SEC-LF-5USL PCCC1 8 m .A .:

t() 4

) I !

GPERATCR NO ACTUATICN j

FAILURE TG FRCM SIAS CLOSE ?CC 15CL TRAIN A

) VALVEE 4

FCC-AHE 0-ISDL SIS-sti-FA-iENA F e i

4 f

1

)

i i

4 1

4 4

' i i

l l

Figure E-1 (cont.)

l

(-

E-13 I

l

NO R0W TO PS-1 PCC:

a i i i NO PCC R0W NO FLOW FROM NO Sii R0W TO FAILURE JF THRCUGH COULER PS-!! HI HEADER FROM FCC-T-20TO E-48 ANY OF 4 SW STCP FLCW

, PUMPS l

PCC-nTI-(I-E4B PCC: i- SW31 i PCC-TCV-41-ICV:0 0 0 0 0 I

FAILUREOF NO R0W FROM PCC-T-19 TO PS-12 ALLOW R0W PCC-TCV-(I-TCVi? PCC7 8 0 0 i I NO R0W FROM k0 R0W FROM FS-13 PS-14 PCC8 i PCC? i PAGE 10 FAILURE OF PCC lha PChER FROM NO POWER FECM FAILURE OF PCC PUMP P-?A 4150 VAC SUS 5 125 VDC SUS I SURGE TANK (TK-5)

PCC-MDP-41-? TRNA AC.5-EAC-LP-SU55 0CP-3DC-LP-5USL PCC-ThK-tI-5RGTK 0 0 0 0 l

Finnre E-1 (cont.)

E-14

NO FLOW ?nCM PS-14 PCC? I t'\

M i

i .

I POWE FROM FAILURE 7 PCC NO Ati. $13NAL FAILURE OF PCC NO POWER FROM 125 VOC SUS 1 SURSE TANK TO P-!B PUMP P-il 4160 VAC BUS 5 (TK-5)

PCC .90P-41-?iRNB ACP-SAC-LF-BUS 5 CCP-BOC-LP-iUSi FCC-INK-tl-iRSTK PCC10 1 0 0 0 ~0 0 t

FAILL9E OF PCC OPERATOR SIMDBY PUMP FAILURE TO Ati. SIGNAL PLACE P-98 IN SERVltE PCC-?ST -AC*PP PCC-IHE -F99 1

l Figure E-1 (cont.)

E-15 i

l APPENDIX F SECONDARY COMPONENT COOLING WATER SYSTEM

Table F-1. Secondary component cooling (SCC).

Safety Function: Provide cooling water required by plant equipment for normal operation and decay heat removal during cooldown or accidents.

System Components:

Tanks: TK-59 SCC Surge Tank Pumps: P-10A(N.0.) SCC Pump P-108 (S) SCC Pump Heat Exchangers: E-5A (N.0.) SCC Cooler E-5B (S) SCC Cooler Valves: Refer to Valve Table Support Systems:

AC Power: P-10A 4160V &nergency Bus 6 P-10B 4160V Emergency Bus 6 DC Power: P-10A 125V DC Distribution Cabinet 3 P-10B 125V DC Distribution Cabinet 3 Air: TK-110 Isolation valves

( SCC-A-460, 461)

HVAC: Turbine Building Cooling: P-10A 011 Cooled P-10B Oil Cooled Motors Air-Cooled E-5A SWS E-5B SWS Actuation: P-10B Low SCC Header Pressure l SCC-A-460, 461 Low Suction Pressure F-1

Table F-2. SCC valve table.

Operating Power Normal Position Fall Valve Description (50V) Position (Actuation) Position SCC-A-460 Non-seismic supply header stop 125 VDC 3 DP/BU 0 C 0 (1725A1 & A2)

SCC-A-461 Non-seismic supply header stop 125 VDC 3 DP/BU 0 C 0 (1725B1 & B2) t SCC-T-23 Cooler bypass tempe,rature control pneumatic C 0 C SCC-T-24 Cooler supply temperature control pneumatic.. 0 0 0 l

SCC-T-305 DG-1B cooler inlet temperature control 125 VDC 0.

, (17308)

L -

1 4

Table F-3. SCC cooling requirements.

J- l l

P-10A e Air-cooled motor e Oil-lubed t',tarings

! P-10B e ' Air-cooled motor i

e Oil-lubed bearings Turbine Building e Natural circulation l

1 f

'l .

4 4

1 i

I 9

l F-3 l

Table F-4. SCC cooling loads.

Loaos Location

AC-1A Computer Room Air Conditioner Vent & AC Equip. Am, El .39'0"-

AC-2 Lab Air Conditioner Vent & AC Equip. Rm, El.39'0" Office Area Air Conditioner AC-3 C-1A Control Air Compressor C-1B Control Air Compressor

C-1C Control Air Compressor

E-38 Residual Heat Exchanger Cont. Spray Pump Area, El .,14'6"

. E-6A Generator Hydrogen Cooler E-6B Generator Hydrogen Cooler

E-6C Generator Hydrogen Cooler

E-60 Generator Hydrogen Cooler E-7A Turbine Oil Cooler E-7B Turbine Oil Cooler i

E-8 Exciter Air Cooler i E-19A Generator Seal Oil Unit (Air Side)

E-198 Generator Seal Oil Unit (Hydrogen Side)

. E-20 Generator Leads Cooler Control Air Compressor Aftercooler E-21A

E-21B Control Air Compressor Aftercooler

E-21C Control Air Compressor Aftercooler Sample Cooler E-78A a E-788 Sample Cooler E-78C Sample Cooler

! E-78D Sample Cooler E-78E Sample Cooler E-78F Sample Cooler

E-79A Steam Generator Feed Pump Lube Oil Cooler l E-79B Steam Generator Feed Pump Lube Oil Cooler

. E-80A Electro Hydraulic Governor Oil Cooler j E-808 Electro Hydraulic Governor Oil Cooler

E-82B DG-1B Cooler l *E-91A Safeguards (LPSI) Pumps Seal Leakage Cooler

E-92A Charging Pump Seal Leakage Cooler PAB, El. 16'0" l E-101A Turbine Drive Main Feed Pump E-101B Lube Oil Cooler l *P-12B LPSI Pump - Cont. Spray Pump Area, El .14'6"

! *P-14B Charging Pump PAB, El. 21'0"

! +P-14S Charging Pump P-27A Condensate Pump i

l i

I F-4

Table F-4 (Cont'd)

Loacs Locations P-27B Condensate Pump P-27C Condensate Pump P-62A Heater Drain Pump P-62B Heater Drain Pump

Containment Penetrations Cooler Penetrations 9,29,30,31 Containment Spray Pump Area Penetrations 32,45,46,47,62 Primary Aux. Tunnel Area Penetrations 53,54,55,64,65,66 Main Steam Valve Area

Loads not isolated by non-seismic stop valves, whose failure may fail the SC C system.

+ P C C cooling perferred.

F-5

\

1 N3 3CC ::CLMG !

T3 NE:E55ARY I

. SAFE!Y 3Y3 TEM Lv. ...

Lu.

I \

m t

iFAIL'.FEJF FAIL'JAE :F iCCi iFAILLEE CF 3CC La Fi.:4 FRCM i FLCW JIt!E33ICN '

L:AC :.'s FS-11 LOAD E-5:3 'iLCA3(F-l'B) FS-10 ! TiiRCU3!i F3-1 C M CN CAUSE I

iCG-1B C:0LER) FLMP CCULER FAILLFE SF SCC SYSTEM SC::;, i SC:-Hil-(I-E5:3 SCC--TI-Kl-?!43 SCC: ' 8 SC:0 SCC-CCF-1C-SCCW

\

a/ net : o

) v

) /\nsE 3 i )

,d e

i I FAILURE OF NO FCWER FROM FAILURE OF N0 ISOLATICN_

SCC-A-460 & 125 VDC SUS 3 SCC-A-460 TO Sl5NAL 461 STCP FLOW (FS-17504,LD ACCuautATCR, liDR FRE55)

IK-110 l

SC:-in-41-AC110

-s, DCF-SCC-L?-EUS3 SCC-ADV-KI-A'l460 - SCC-PSI-FA-1750A a A

}

1 \1 1

Figure F-1 Secondary Component Cooling System Fault Tree.

F-6

FAILURE OF LOAD IN PE-!1 i

SCC 1A '

3 I e i FAILURE GF 3CC FAILURE OF iCC ! FAILURE OF SCC FAILCRE OF SCC FAILURE OF LOAD AC-!A LOAD AC-2 iLAB LOAD - LCAD P-12B LCAD IN F5-ll (C OM PUTER AC) FENE!RATICN (LPSI PUMP

, Roo'n AC) COOLERS CCCLER) l 3CC-Att-(I-ACIA ECC-ACl-41-AC: SCC-HTI-1X-FEN SCC-HTX,-11-?!3 SCCIS U U .

i FAILURE OF SCC FAILCRE CF SCC FAILLRE GF SCC LDAD E-33 (RHR LOAD LGAD E-9:A,CHE HEAT E otA,SAFEG FP 3EAL LEAK EICHANGER) FUMPS SEAL CLR CLR ECC-nil-41-E:s SCC-HTI-tI-E?tA SCC-HTI-k1-E92A 0 1 0 Figure F-1 (cont.)

F-7

NO FLOW FROM {

FS-10 8

SCC 2

, i i

NO SW FLCW TO NO SCC FLOW WO FLOW FRCM FAILLAE CF W1 HEACEE FKCM THFOUSH C00LER PS-4 SCC-i-2! TO ANY OF 4 SW E-!A STCP FLOW PUMPS SkS1 i SCC-riTI-t!-E:A SCC 6 i SCC-ICV-(I-ICV 23 0 0 0 0 i

FAILURE OF N0 pl0W FROM SCC-i-24 TO PS-6 ALLtW FLCW SCC-ICV-(t-TC'.'24 SCC 7 6 0 i 0,

i NO FLOW FROM NO FLOW FRCM PS-7 PS-9 SCCS ' SCC 9 6 FASE 4 )

, i FAILuntv.:w! NO ACWER FROM NO FCWER FFUM NO FLCW FRC;1 NO ACT, SIGNAL FU:t? P-105 4160 VAC BUS 6 125 VCC BUS 3 FS-9 TO P-10B SCC-SP-*I-FTENB AC?-3AC-LF-EUS5 LCF-tEC-LP-EU53 SCC 10 ' SCCl! 8

['} #

8 /\Fi.3E4 i $

L' h> y L d, IFmc.n e EC 0?EEATCR i' STANEifFUMF FAILUEE TO ACT,StinAL FLACE P-1(B !!!I I i t !lSErnCI '

ECC-:ii ;-*CTF:

St.-.rt,-;-E5 i1 b

Fiaure F-1 (cont.)

F-8

NO FLOW FROM PS-7 8

SCC 8 i i , i FAILURE OF SCC NO PC'a'ER FROM NO F0WER FROM NO FLOW FFDM PUMP P-10A 4160 VAC BUS 6 1C5 VDC BUS 3 FS-9 SCC-MDF-t!-?iENA AC?-EAC-LF-iUS6 LCF-BDC-LF-5US3 SCC 10 8 0 0 0 Q' FAILU n DF SCC FLOW DIVERSION SURSE TANK THROUSH PS-14 (TK-59)

SCC-TNK-11-SRSIK SCCl2 8 i

0 i 9 . i I

FAILURE OF NO ISOLAT10N NO F0WER FROM FAILURE OF SCC-A-460 L SISNAL 125 VDC EUS 3 SCC-A-461 TO 461 (PS-17:09,LO STOP FLOW ACCUMULATCR, HDP.FRESS)

TK-ito SCC-in -AC110 SCC-PST -17508 DC?-BDC -SUS 3 SCC-A0V -AV461 Figure F-1 (cont.)

F-9

' .- =-

APPENDIX G SERVICE WATER SYSTEM

Table G-1. Service water system (SWS).

Safety Function: Provide cooling for the PCC and SCC systems.

System Components:

Pumps: P-29A(N.0.) South SWS Pump (for SCC)

P-29B (S) South SWS Pump (for SCC)

P-29C (S) North SWS Pump (for PCC)

P-29D (N.O.) North SWS Pump (for PCC)

Heat Exchangers: E-4A( S) PCC Cooler E-4B(N.0.) PCC Cooler E-5A(N.0.) SCC Cooler I:-5B( S) SCC Cooler Support Systems:

AC Power: P-29A 480V Emergency Bus 7 P-29B 480V Emergency Bus 8 P-29C 480V Emergency Bus 7 P-290 480V Emergency Bus 8 DC Power: P-29A 125V DC Distribution Cabinet 1, P-29B 125V DC Distribution Cabinet 3, P-29C 125V DC Distribution Cabinet 1 P-29D 125V DC Distribution Cabinet 3 HVAC: Pump House Pump Cooling: Dump Discharge -

G-1

Table G-2. SWS cooling requirements.

P-29A e Pump discharge recirculation (safety class) e Raw water (preferred)

P-298 e Pump discharge recirculation (safety class) e Raw water (preferred)

P-29C e Pump discharge recirculation (safety class) e Raw water (preferred)

P-29D e Pump discharge recirculation (safety class) e Raw water (preferred)

Circ. Water Pump House e Natural circulation G-2

NO SB FLOW 70 HI HEADER FROM ANY OF 4 SW PUMPS 1

SWS1 I

k-i FAILURE OF SW CCMMON CAUSE SYSTEM FAILURE OF SW FUMPS SWS-CCF-FC-FUMPS SWS1A i i

) 0 t NO FLOW THRU NO FLCW THRU FS-2 PS-3 SWSI I SWS; I s

I\

H I I NO SW FLOW NO FLOW FROM NO SW FLOW NO FLOW FRCM THROUSH SCC FS-9 IFRCU3H FCC FS-9 COOLER E-SA C0CLER E-48 SWS-hil-tl-E A sis 4 i SWS-hTI tI-E4B SWS4 1 0 0 i 0 i A

i !

NO FLOW FACM h0 FLOW FROM ti0 FLOW FFCM NO FLOW FROM PS-5 FS-6 FS-7 FS-9 SWS5 i SWS5 8 ShS7 i 5355 '

PAGE 2 FAGE 4 7 _/\? AGE 3 FAILURE OF SW NO F0WER FRCM lid POWER FRUM FUMP ?-3D 460 VAC SUS 3 1:: '.'DC SUS :

iki-?Ef 81 3iEND ACP-SAC-3.F-iUES DC?-ESC-LP-ibi;

^

,. .A A

+: '

td V V Figure G-1 Service Water System Fault Tree.

G-3

NO :LN Fi.CM FS-i Shi: 8

/%

N6i FAILUEE ;F is NO F0WER FROM N0 ?0nER FROM 0FERATER FUPP ?-;5C 430 VAC SUS 7 125 VOC SUS 1 FAILURE 70 ETART STAN05Y SW FLP.FS SsS-30F-*I-?iRNC ACP-iAC -5U57 DCP-3DC -EUS1 SWS-OiE .:-FU.V5 Figure G-1 (cont.)

G-4

NO FLGW FEOM PS-7 8

SWS7 i

FAILURE OF SW NO POWER FROM l NO POWER FROM CPEPATOR PUMP P-295 490 VAC BUS 3 125 VDC SUS 3 FAILURE TO START STANLiY SW PUMPS SWS-MDP-U -PTRNB AC?-SAC-LP-iUSS DCP-30C-LP-3053 SWS-lhE-f0-PUMPS 0 0 0 0

(

Figure G-1 (cont.)

G-5 1

1

l

!NO FLOW FRC.1 FS-3 l

1 l iwis a ss

)

i I' i FAILUEE OF SW N0 ruat:t .~.t.1 NO ?CWER FROM FUMP P- 94 450 VAC BUS 7 125 VDC 2U5 1 SW5 :1DP-KI-PTENs

ACP-5AC-Lf-5U57 DCP-5DC-LP-iU51 A A

$ .h 'k ??

y y Figure G-1 (cont.)

G-6

.t*

.s 4

W APPENDIX H x

7 ELECTRIC POWER SYSTEM

~ .

4 4

~.

s f

E I

4 h

I w g . 4 > -

a p

1

Table H-1. AC power.

Safety Function: To provide operating power to plant equipment and 120V AC l power to plant instrumentation.

System Components:

Buses: Buses 5, 6 4160V &nergency Buses Buses 7, 8 480V &ne. gency Buses Buses 1-4, IA-4A 120V Vital Buses Transformers: X-507 4160V Bus 5 to 480V Bus 7 X-608 4160V Bus 6 to 480V Bus 8

$- Motor Control Centers: MCC 7A, 78 and 781 480V Emergency MCCs MCC 8A, 88 and 881 480V Emergency MCCs Inverters: INVR-1 120VAC Inverter INVR-2 120VAC Inverter INVR-3 120VAC Inverter INVR-4 120VAC Inverter

O Tupport Systems:

. AC Power: DG-1A Diesel Generator DG-1B Diesel Generator s

DC Power: DC-1 125 VDC Bus DC-2 125 VDC Bus DC-3 125 VDC Bus DC-4 125 VDC Bus HVAC: FN-31 Switchgear Room Supply Fan FN-32 Switchgear Room Exhaust Fan I

l

/

H-1 ,

Table H-2. DC power.

Safety Function: Provide DC power and control for switchgear, vital bus inverters, vital SOVs and instrumentation.

System Camponents:

Buses: DC-1 125 VDC Bus DC-2 125 VDC Bus DC-3 125 VDC Bus DC-4 125 VDC Bus Batteries : BATT-1 60 Cell Station Battery BATT-2 60 Cell Station Battery BATT-3 60 Cell Station Battery BATT-4 60 Cell Station Battery Battery Chargers:

BC-1 129V - 250A Charger BC-2 129V - 250A Charger BC-3 120V - 250A Charger BC-4 120V - 250A Charger Distribution:

DC/CE-1 Distribution Cabinet DC/CE-2 Distribution Cabinet DP/P Distribution Panel DP/BU Distribution Panel Support Systems:

AC Power: BC-1, 2 480V Emergency MCC 7 BC-3, 4 480V Emergency MCC 8 FN-31 480V Emergency MCC 7A FN-32 480V Emergency MCC 8A~ 4 HVAC: FN-31 Protected Switchgear Room Supply Fan FN-32 Protected Switchgear Room Exhaust Fan l

H-2

I Table H-3. Diesel generators (DG).

1 i

Safety Function: Provide electric power to the plant emergency buses when normal power is not available.

System Components:

Generators: DG-1 A( S) Diesel Generator DG-1B( S) Diesel Ge.1erator Pumps: P-33A Auxiliary Fuel Oil Transfer Pump P-33B Auxiliary Fuel Oil Transfer Pump Heat Exchangers: E-82A DG-1A Cooler E-82B DG-1B Cooler Tanks: TK-28A Auxiliary Fuel Oil Supply Tank TK-28B Auxiliary Fuel Oil Supply Tank TK-62A Diesel Generator Day Tank TK-62B Diesel Generator Day Tank Support Systems:

AC Power: DG-1A Distribution 480 VAC MCC 7A Panel DG-1A Engine 480 VAC MCC 7A Control Panel

DG-1B Distribution 480 VAC MCC 8A l Panel DG-1B Engine 480 VAC MCC 8A Control Panel P-33A 480 VAC MCC 7A P-33B 480 VAC MCC 8A DC Power: DG-1A Start 1 & 2 125 VDC Battery 1 Circuits and Control Power DG-1B Start 1 & 2 125 VDC Battery 3 Circuits and Control Power Air: TK-76-A1,A2,A3 DG-1A Air Receiver Bank TK-76-A4,A5,A6 DG-1A Air Receiver Bank TK-76-B1,B2,B3 DG-1B Air Receiver Bank TK-76-B4,B5,86 DG-1B Air Receiver Bank HVAC: FN-20A DG-1A Room Exhaust Fan FN-20B DG-1B Room Exhaust Fan Air Intake and Exhaust Dampers DG Cooling: E-82A PCC E-82B SCC Actuation: DG Start and Load Shed/ Sequencer H-3

Table H-4. DG cooling requirements.

DG-1A e The engine and turbocharger aftercoolers are water cooled by the PCC (or .

Fire Protection System), via E-82A and two cooling water pumps.

e The generator is air cooled by a blower driven by a gear off the engine camshaft.

DG-1B e The engine and turbocharger aftercoolers are water cooled by the SCC (or Fire Protection System), via E-828 and two cooling water pumps.

e The generator is air cooled by a blower driven by a gear off the engine camshaft.

Diesel e Combustion air via normally closed intake and exhaust dampers.

Rooms e Exhaust FN-20A and FN-20B.

I h

H-4

\

IFC"ER:10 i !

'A'iAILA*LE FROD :

' 460 7AC MCC 7A i AC?-SAC-LF-dCC7A i

t FCWER NCI FAULTS IN MCC 1 AVAILAILE FRCM 7A 460 VAC 505 7 ACP-EAC-LP-iU:, .sr--:r-3.F-dCC7A i

FAULTS IN 420 FAILERE OF F0WER NOT VAC SUS 7 4160-460V IFMR AVAILABLE FRCM 4160 VAC SUS 5 I-!07 l

ACP-SAC-LP-iUS5 ACP-FSF-3.P-EU57 n.

ACP-iFM-(1-1507

) v i .

i i i FAULTS IN 4160 INSUFFICIENT F0WER NOT FQWER NOT lFAULTSIN VAC BUS 5 SWITC:i6 EAR

DC-tA LCAD AVAIL FROM AVAILABLE FROM 125 VDC BUS 1 R00M C00 LING

'EEGUENCER DIEEEL 3E'l 1A 4

i :EP-EGN-4F-AL;SO CE?-55N-LP-EGIA DCP-iDC-LP-EUS1 ACP ?SF-LP-bus 5 ACP-PEF-50-55RCL l

! f l 1 i FAILURE CF DP. FAIL TO FAILURE OF STATION FAUli5 IN 1*5 C3.?0N CAUEE FAILURE ~5 SWITCliGEAR FLACE FAN IN E'liCHsEAR w

iATTERY ; VOC 215~. CAP. FAILURE *F PATTERY CliAREER 1 ROCM SUFFLY SERVICE FOR F.00M FETURN FAULTS : STAilCN FAN,FN-31 RECOVERY FAN,FN-32 PAfiERIES

, I CF-iAT-81-iAT1 EC?-iSC-41-EU5i DCF-CCF-LF-iAli DCP-isi.il-iClil ACP-FAN-11-FN31

- ACP-IHE-FC-FRTFN ACP

()

m (Im 0 ()

. ( bv }

1 t

l Figure H-1 AC Power (MCC 7A) Fault Tree.

H-5

l lFIcERtiCT t s/A*LA?LE FRC9 l 430#C.1CC3Aj i

r b r t AC?-iAC-L?-f.CCiA i r.

)

m I

l

'FGERti0i n.a72 :ta AVAIL;iLE FRCM M00 SA 490 /;C St5 3 AC?-iAC-LF-iU: nce . :.--LF-MCCiA

^

j)

L] ,

v s

PC'ER NOT FAULIS IN 450 FAILERE OF AVAILABLE FRCM VAC BUS 9 4150-4E0V IFMR 4160 VAC SUS 6 1-MS ACP-BAC-LP-iUS6 AC?-?5F-LP-iU55 AC?-IF,M-TI-1609 n

\mI m (L,l I g 1 l I FAULTS IN DG-lBLOAD F0iiER NOT AVAIL FROM

[IRNui FAULTS IR 4160 INSUFFICIENT

~./A!LABLEFROM .

AC BUS 6 E11TCHEEAR EECUENCER DIEEEL GEN 15 12 VLC SUS 3 503M CCOLI!;6

^EP-9GN-4F-iLD5E GEP-0$N-LP-EG1B LCP-3DC-LP-iUS3 bV h#

ACP-P5F-LF-iU36 ACF-FEF 5C-55FCL

)

i i , i

! i i EINICN FAuti5 IN 1 5 COMM5N Ch5E FAILU5t w nILURE OF C?, Fall 70 5ATTERY I FAILUPEOF VDC 015i. CAE. FAIUCRE CF EATTERY EWITCHGEM FLACEFANIN EWiiCHGEAR FAuli5 3 STAiltti CHAREEit3 f.CCM SUFFLY SERVICE FOR RCCM RETURN EATIERIE5 FAN,FN-Il RECCVERY FAN,FN-!:

CP-iAT-*I-iAT3 LEP-BLC-VI-iU53 EC?-CCF-LF-iAii DCP-3AT-VI-iCH3 ACF-FAN-XI-FN!! ACP-1HE-b- ) bv .

) b v bv b m

Figure H-2 AC Power (MCC 8A) Fault Tree.

H-6

F0WER NOT AVAILAELE FROR EIE3EL SENERATCR IA CEF-053-LP-061A v -

I

,iNO FCWER FFCM FAILURE 3F l h0 PLER FFCN l 03-iA OUTPUT EUS 3 70 5 IIE i 05-14CCNTRCL CCMMCN AUSE 1:5 VEC SUS ;

EREAXER FAILS EREAFEi FAIL 5 DIEEEL 5E:iERATOR in & DIsiRI20TICN FA!LUEE OF DGs TO CLCEE TO ~FE1 FANEL CEP-ACT-KI-1ACTL GE?-CCF ~C-06.s GC?-s0C-L?-itii DE?-5kR-00-ACB1A ACP-skR-':-;i: 051A1 4g g

! {n [-

7" 3.)

{m . i)

, , i N0 303 5 L;55 FAIL 3E OF D3 NO COMBUSTICM INSUFFICIENT FAULT 5 IN NO FUEL OIL AIR STARTING AIR S'JFPLY TO CCOLI!!S OF DIESCL SUFFLY TO OF VCLTAGE StSTEM AIR ENGINE DIEEEL ENSINE 3EhERATOR 1A DIESEL ENGINE SIGNAL FE:'!RS CEP-ACT-FA-FU51 DEiAs i CBIA11 i D51Al2 '

EP-?SF-bl-LS!A DSIA2 8 FAGE 3 () FAGE 4

( /FAGE2 i

Fall'JRE CF FAILURE OF Fall'JRE OF 031A AIR INLET 06-1A R05M DS-tA E1HAUST lAMFER TO ElHAUSi FAN, EAMPER TO ALLCW FLCW FN-20A ALLOW FLOW CEF-50D-(1-41RA GEF-FAN-VI-FN20A ~

GEP-MOD,,(1-EIHA

} )

i i

l l

i l

l Figur? H-3 Diesel Generator 1A Fault Tree.

H-7

i l INSUFFICIENT C00LI.'IG CF DIEEEL EN6I!E i-031A!2

f 2 I

NO PCC C00L!h6 FAILEREGF l 70 NECESSARY FCC-A-49;T3 SAFETY SYSTE.1 ALLOW FLCu

i,0ftP 1

FCCI _ GE?-K1 -AV4H i

t i

l I

i.

1 1

4 a

i i

t i

i n

i i

1 1

1 i

]

i 1

1 1

FigureH-3(cont.)

4 i

H-8 4

_ . _ . . . ~ . . . , . . - - - _ - _ - . _ . _ - _ . . . - _ - _ _ - - . - , _ . _ _ . _ , , _ . , , . , _ - . . - _ .

M FUEL Dil SUPPLY TO DIESR EMIE l

301A: 8 FAILURE CF OPERATOR NO FUEL 70 H -1A DAY FUEL FAILURE TO EN TY DAY TA E TAE,TK-i:A REFILL FUEL (TK-62A)

TAES HIA7 8 DEP-in6I-iK62A 0 I DEP-1HE-FO-FUR Q I f I FAILURE OF FAILURE OF OPERATOR M-1A H-1A AUI FUEL FAILURE TO COMCN CAUSE Ull0EREROUlle ::L PUMP, REFILL FUEi. FAILCRE OF AUI

! FUEL TANK, P-33A TANKS FUEL PU.MP TK-:tA 0EP-i m I-iK23A DEP- OP- U -P33A r OEP-C;F-SC-P33I O GEP-!.HE6. 0 r FUEL i

l l

r FigureH-3(cont.)

H-9

FAILliRE OF 3G AIR STARTING SYSTEliAIR RECVRS DGIAS '

O '

FAILURE 3F FAILURE OF I

16-lh DS-1A STARilh6 STARii!NG AIR AIR SAE 2 BAE 1 061AEA 8 DE!MB 8 i i i FAILURE OF FAILURE OF FAILURE OF FAILURE OF FAILURE 3F FAILURE OF D6-14 STARTIE DS-IA AIR D6-1A AIR D6-1A STARTING D6-1A AIR DG-1A AIR AIR TANK 1 STARTING TANK STARf!M TANK AIR TAE 4 STARTING TAE STARTING TAE 2 3 5 6 OEP-iE-WI-76A-1 OEP-iE -t!-76A-2 DEP-im 76A-3 OEP-TE -tI-76A-4 DEP-INK-XI-76A-5 OEP-TNK-t!-76A-0 0 0 0 0 0 Figure H-3 (cont.)

H-10 I

l l

APPENDIX I ACTUATION SYSTEMS i

Table I-1. Actuation systems.

Safety Function: To initiate the engineered safeguard systems.

System Camponents:

CIS Containment Isolation System CSAS Containment Spray Actuation System RAS Recirculation Actuation System i SIAS* Safety Injection Actuation System RPS Reactor Protection System

- High Pressurizer Pressure (PSR)

- Low Steam Generator Level (SG LEV)

Instruments: LIC-303 RWST Level (RAS-A)

AK,8K,CK LIC-304 RWST Level (RAS-B)

AK,BK,CK LT-1213 Steam Generator 1 Level (SG LEV)

A,B.C.D LT-1223 Steam Generator 2 Level (SG LEV) i A.B.C,0 LT-1223 Steam Generator 3 Level (SG LEV)

A,B C.D PIA-102 Pressurizer Pressure (SIAS, PSR)

A,B,C.D PS-2003 Containment Pressure (CIS)

A B.C,0,E,F PS-2009 Contai,1 ment Pressure (CSAS) i A,B.C,0,E,F PS-2J10 Containment Pressure (SIAS)

A,3,C,0 Support Systems:

AC Power: Channel A 120 VAC Vital Bus 1 1 Channel B 120 VAC Vital Bus 2 Channel C 120 VAC Vital Bus 3 Channel D 120 VAC Vital Bus 4 DC Power: CIS-A 125 VDC Batt 1 CIS-B 125 VOC Batt 3 CSAS-A 125 VOC Batt 1 CSAS-B 125 VOC Batt 3 RAS-A 125 VOC Batt 1 RAS-B 125 VDC Batt 3 SIAS-A 125 VDC Batt 1 SIAS-B 125 VOC Batt 3 l

l

SIAS is the only actuation signal included in the system FT.

l I-1

I NG ACTUATICN FRC:t!!A3 TEAIN A SIS-ACT-FA-iaNA 0i t

NO SIA5-A CPERATCit AUTCMATIC FAILUFF TO

. ACTUATION UNBLOCK /

ACTUATE 31AS

$15Al i Sli-fHE-FO-SIA3 r-0 ,

0 ELOCK NOT h0 SIAS REMOVED FFCM AUTCMATIC

!!AS-A INITIATION SIEA2 8 Si3-ACT-FA-!Nii i i CPERATOR !!AS BLCCK FAILURETO FAILO TO UNELOCX / O!!ENA:LE ACTUATE ilAS Si!-IHE-8C-51AS S15-ACT-FA-BLOCK 0 -

a d

Figure I-1 Safety Injection Actuation System (Train A) Fault Tree.

I-2

2 W S. kuCL41et.ULA,ORY COMMeles04 i At.b r %vwetd Ass eaes p. T,0C /s, 4e , is eaF#

8e#C Pones 33s

, NUREG/CR-4826 mi m: BIBLIOGRAPHIC DATA SHEET UCID-20948 us .si.uctio~io ,taevian Vo1. 2 3 fit Lt .No SUS,tT LS 3Lt.vtSL.NE S21smic Marg eview of the Maine Yankee Atomic Power Station Volume 2. Sys Analysis oo~,f'#""""'""....

l

. tur-o 4, Februpy 1987 f . o.. . .uoa , . w o D.L. Moore, D.M. s, M.D. Quilici and J. Young r-l n .a ch 1987 p Ptmsomue40 oma.%et., BON %.WE .NQ 1%. .QQ A E $$ f,4ce g. /g C.s., 3P [ ,CT,.nnWomEuNe,NvWgtA Energy Incorporated Kent, WA 98031 f

f .~ o u .~,~ - ..-

Under Contract to: Law ce Livermore National Laborat y Live , re, CA 94550 -

A0461

, . -o~soa , .. ,, ,,,,, ,, C , . . . . .. o, . ro ,

o.a.~ ,, . , ,u, . ... .~o . 4,~o .5 Division of Engineering Safe Office of Nuclear Regulatory' 'scarch Technical U.S. Nuclear Regulatory Commis on * "JuI['l"9SE~ ~~"

l!ashington, DC 20555 ( thru March, 1987 i,iv.,u ....... .o ..

g o .....<,a.. ,

% j This Systems Analysis is the secgnd4f three volumes for the Seismic Maroin Review of the Maine Yankee Atomic Powet$tation. Volume 1 is the Summary Report of the first trial seismic maroin rev . Volume 3 Fragility Analysis, documents the results of the fragili reening for the review. The three volumes demonstrate how the seismic carg the NRC Seismic Design Margins Prbegfam applied. ca,s review guidance (NUREG/CR-44 The overall ob,jectives of t e trial re iew are to assess the seismic marains of a particular pressurized wa r reactor, ah! to test the adequacy of this '

review approach, quantificati/ techniques, afk! guidelines for performing the review. Results from the trjal review will be% sed to revise the seismic maroin methodology and guidelines 70 that the NRC and' dustry can readily apply them to assess the inherent qua titative seimsic capa ty of nuclear power plants.

A

}.

..om-.,,...... .....< ,,o,<,..,c.,

%g

. it.tiv.~r Seismic Margin '* Unlimited

$31smic Analy. s g

't SGCynif v CLassisic Afeog

. ,e i s e .. . . .. o,. . ....... ', Endassified o a .4 , .,,,

Unclassified

o ...o...c..

% ..o.,a i\

\\

W. l. Covt #48t hi P.14 f l4G Cf f lCE e 1941 t t t -69 3 6'131

7 , 7_

7

./:

9 UNITED STATES

NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20066 NTkNEn wasee.

- naua .sen.o.c.

OFFICIAL BUSINESS PENALTY FOR PRIVATE USE,6300 c

f g- g 4 4

{f 'E$//

4 ;' *e . , I I .d. Y y n ,, ,

F g 0144 r' o l I ,f f t'w '* , ; x , .

n .1 *, j ,s .; r ag

'l U - p m ,, , f, A, c a g g C ,g c ,_

l 1

s 9

- - + 4 w , .- .- - .-wr_ r .

ML20206B318

Text

Navigation menu

Search