REGULATORY INFORMATION DISTRIBUTION SYSTEM (RIDS)
ACCESSION NBR: 8010140353    DOC. DATE: 80/09/30    NOTARIZED: NO
FACIL: 50-275 Diablo Canyon Nuclear Power Plant, Unit 1, Pacific Ga    05000275
       50-323 Diablo Canyon Nuclear Power Plant, Unit 2, Pacific Ga    05000323
AUTH. NAME      AUTHOR AFFILIATION
BLEY,D.C.       Pickard, Lowe & Garrick, Inc.
WHEELER,D.M.    Pickard, Lowe & Garrick, Inc.
CATE,C.L.       Pickard, Lowe & Garrick, Inc.
RECIP. NAME     RECIPIENT AFFILIATION
SUBJECT: "Reliability Analysis of Diablo Canyon Auxiliary Feedwater Sys," Revision 3.
DISTRIBUTION CODE: B001S    TITLE: PSAR/FSAR AMDTS and Related Correspondence
NOTES: J Hanchett w/1 copy all material.
ATTACHMENT 1
Response to NRC Question Regarding Design Basis of Auxiliary Feedwater System Flow Requirements
Part (d) of the Nuclear Regulatory Commission letter dated March 10, 1980, requests that Pacific Gas and Electric Company supply information necessary to determine the design basis of PG&E's Diablo Canyon AFW system flow requirements and to verify that the AFW system will meet those requirements.
The requirements for the Auxiliary Feedwater System were set forth in Section V-7 of the Westinghouse Steam Systems Design Manual for PG&E Diablo Canyon Units 1 and 2 (WCAP-7451). Design flows for the Diablo Canyon Auxiliary Feed Pumps were specified by Westinghouse early in the plant design (see attached telegram dated 6-21-69). PG&E, therefore, requested that Westinghouse provide a submittal addressing the items stated in the NRC document. Their response, provided as an attachment to Westinghouse letter PGE-4245, is attached.
The Westinghouse evaluation did not address design margin, as requested in Enclosure 2, Question 3 of the NRC letter. Pump sizing and design margin, however, are discussed in Section 10.4.8 of PG&E's Final Safety Analysis Report for the Diablo Canyon Site, Units 1 and 2 (see attached Page 10.4-17 of FSAR). That discussion indicates that pump sizing included sufficient design margin to allow for pump recirculation flow, pump wear and level control.
[Attached Western Union telegram; text not legible in this copy]
Attachment to letter PGE-4245
Question 1
a. Identify the plant transient and accident conditions considered in establishing AFWS flow requirements, including the following events:
    1) Loss of Main Feed (LMFW)
    2) LMFW w/loss of offsite AC power
    3) LMFW w/loss of onsite and offsite AC power
    4) Plant cooldown
    5) Turbine trip with and without bypass
    6) Main steam isolation valve closure
    7) Main feed line break
    8) Main steam line break
    9) Small break LOCA
    10) Other transient or accident conditions not listed above.
b. Describe the plant protection acceptance criteria and corresponding technical bases used for each initiating event identified above. The acceptance criteria should address plant limits such as:
    1) Maximum RCS pressure (PORV or safety valve actuation)
    2) Fuel temperature or damage limits (DNB, PCT, maximum fuel central temperature)
    3) RCS cooling rate limit to avoid excessive coolant shrinkage
    4) Minimum steam generator level to assure sufficient steam generator heat transfer surface to remove decay heat and/or cool down the primary system.
Response to 1.a
The Auxiliary Feedwater System serves as a backup system for supplying feedwater to the secondary side of the steam generators at times when the feedwater system is not available, thereby maintaining the heat sink capabilities of the steam generator. As an Engineered Safeguards System, the Auxiliary Feedwater System is directly relied upon to prevent core damage and system overpressurization in the event of transients such as a loss of normal feedwater or a secondary system pipe rupture, and to provide a means for plant cooldown following any plant transient.
Following a reactor trip, decay heat is dissipated by evaporating water in the steam generators and venting the generated steam either to the condensers through the steam dump or to the atmosphere through the steam generator safety valves or the power-operated relief valves. Steam generator water inventory must be maintained at a level sufficient to ensure adequate heat transfer and continuation of the decay heat removal process. The water level is maintained under these circumstances by the Auxiliary Feedwater System which delivers an emergency water supply to the steam generators. The Auxiliary Feedwater System must be capable of functioning for extended periods, allowing time either to restore normal feedwater flow or to proceed with an orderly cooldown of the plant to the reactor coolant temperature where the Residual Heat Removal System can assume the burden of decay heat removal. The Auxiliary Feedwater System flow and the emergency water supply capacity must be sufficient to remove core decay heat, reactor coolant pump heat, and sensible heat during the plant cooldown. The Auxiliary Feedwater System can also be used to maintain the steam generator water levels above the tubes following a LOCA. In the latter function, the water head in the steam generators serves as a barrier to prevent leakage of fission products from the Reactor Coolant System into the secondary plant.
DESIGN CONDITIONS
The reactor plant conditions which impose safety-related performance requirements on the design of the Auxiliary Feedwater System are as follows for the Diablo Canyon Units 1 and 2.
- Loss of Main Feedwater Transient
    - Loss of main feedwater with offsite power available
    - Station blackout (i.e., loss of main feedwater without offsite power available)
- Secondary System Pipe Ruptures
    - Feedline rupture
    - Steamline rupture
- Loss of all AC Power
- Loss of Coolant Accident (LOCA)
- Cooldown
Loss of Main Feedwater Transients
The design loss of main feedwater transients are those caused by:
- Interruptions of the Main Feedwater System flow due to a malfunction in the feedwater or condensate system
- Loss of offsite power or blackout with the consequential shutdown of the system pumps, auxiliaries, and controls
Loss of main feedwater transients are characterized by a reduction in steam generator water levels which results in a reactor trip, a turbine trip, and auxiliary feedwater actuation by the protection system logic. Following reactor trip from a high initial power level, the power quickly falls to decay heat levels. The water levels continue to decrease, progressively uncovering the steam generator tubes as decay heat is transferred and discharged in the form of steam either through the steam dump valves to the condenser or through the steam generator safety or power-operated relief valves to the atmosphere. The reactor coolant temperature increases as the residual heat in excess of that dissipated through the steam generators is absorbed. With increased temperature, the volume of reactor coolant expands and begins filling the pressurizer. Without the addition of sufficient auxiliary feedwater, further expansion will result in water being discharged through the pressurizer safety and/or relief valves. If the temperature rise and the resulting volumetric expansion of the primary coolant are permitted to continue, then (1) pressurizer safety valve capacities may be exceeded causing overpressurization of the Reactor Coolant System and/or (2) the continuing loss of fluid from the primary coolant system may result in bulk boiling in the Reactor Coolant System and eventually in core uncovering, loss of natural circulation, and core damage. If such a situation were ever to occur, the Emergency Core Cooling System would be ineffectual because the primary coolant system pressure exceeds the shutoff head of the safety injection pumps, the nitrogen overpressure in the accumulator tanks, and the design pressure of the Residual Heat Removal Loop. Hence, the timely introduction of sufficient auxiliary feedwater is necessary to arrest the decrease in the steam generator water levels, to reverse the rise in reactor coolant temperature, to prevent the pressurizer from filling to a water solid condition, and eventually to establish stable hot standby conditions. Subsequently, a decision may be made to proceed with plant cooldown if the problem cannot be satisfactorily corrected.
The blackout transient differs from a simple loss of main feedwater in that emergency power sources must be relied upon to operate vital equipment. The loss of power to the electric driven condenser circulating water pumps results in a loss of condenser vacuum and condenser dump valves. Hence, steam formed by decay heat is relieved through the steam generator safety valves or the power-operated relief valves. The calculated transient is similar for both the loss of main feedwater and the blackout, except that reactor coolant pump heat input is not a consideration in the blackout transient following loss of power to the reactor coolant pump bus.
The station blackout transient serves as the basis for the minimum flow required for the smallest capacity single auxiliary feedwater pump for the Diablo Canyon Units. The pump is sized so that any single pump will provide sufficient flow against the steam generator safety valve set pressure (with 3% accumulation) to prevent water relief from the pressurizer. The same criterion is met for the loss of feedwater transient by the operation of any two pumps, where A/C power is available.
Secondary System Pipe Ruptures
The feedwater line rupture accident not only results in the loss of feedwater flow to the steam generators but also results in the complete blowdown of one steam generator within a short time if the rupture should occur downstream of the last nonreturn valve in the main or auxiliary feedwater piping to an individual steam generator. Another significant result of a feedline rupture may be the spilling of auxiliary feedwater out the break as a consequence of the fact that the auxiliary feedwater branch line may be connected to the main feedwater line in the region of the postulated break. Such situations can result in the injection of a disproportionately large fraction of the total auxiliary feedwater flow (the system preferentially pumps water to the lowest pressure region) to the faulted loop rather than to the effective steam generators which are at relatively high pressure. The system design must allow for terminating, limiting, or minimizing that fraction of auxiliary feedwater flow which is delivered to a faulted loop or spilled through a break in order to ensure that sufficient flow will be delivered to the remaining effective steam generator(s). The concerns are similar for the main feedwater line rupture as those explained for the loss of main feedwater transients.
Main steamline rupture accident conditions are characterized initially by plant cooldown and, for breaks inside containment, by increasing containment pressure and temperature. Auxiliary feedwater is not needed during the early phase of the transient but flow to the faulted loop will contribute to an excessive release of mass and energy to containment. Thus, steamline rupture conditions establish the upper limit on auxiliary feedwater flow delivered to a faulted loop. Eventually, however, the Reactor Coolant System will heat up again and auxiliary feedwater flow will be required to be delivered to the non-faulted loops, but at somewhat lower rates than for the loss of feedwater transients described previously. Provisions must be made in the design of the Auxiliary Feedwater System to limit, control, or terminate the auxiliary feedwater flow to the faulted loop as necessary in order to prevent containment overpressurization following a steamline break inside containment, and to ensure the minimum flow to the remaining unfaulted loops.
Loss of All AC Power
The loss of all AC power is postulated as resulting from accident conditions wherein not only onsite and offsite AC power is lost but also AC emergency power is lost as an assumed common mode failure. Battery power for operation of protection circuits is assumed available. The impact on the Auxiliary Feedwater System is the necessity for providing both an auxiliary feedwater pump power and control source which are not dependent on AC power and which are capable of maintaining the plant at hot shutdown until AC power is restored.
Loss-of-Coolant Accident (LOCA)
The loss of coolant accidents do not impose on the auxiliary feedwater system any flow requirements in addition to those required by the other accidents addressed in this response. The following description of the small LOCA is provided here for the sake of completeness to explain the role of the auxiliary feedwater system in this transient.
Small LOCAs are characterized by relatively slow rates of decrease in reactor coolant system pressure and liquid volume. The principal contribution from the Auxiliary Feedwater System following such small LOCAs is basically the same as the system's function during hot shutdown or following spurious safety injection signal which trips the reactor. Maintaining a water level inventory in the secondary side of the steam generators provides a heat sink for removing decay heat and establishes the capability for providing a buoyancy head for natural circulation. The auxiliary feedwater system may be utilized to assist in a system cooldown and depressurization following a small LOCA while bringing the reactor to a cold shutdown condition.
Cooldown
The cooldown function performed by the Auxiliary Feedwater System is a partial one since the reactor coolant system is reduced from normal zero load temperatures to a hot leg temperature of approximately 350°F. The latter is the maximum temperature recommended for placing the Residual Heat Removal System (RHRS) into service. The RHR system completes the cooldown to cold shutdown conditions.
Cooldown may be required following expected transients, following an accident such as a main feedline break, or during a normal cooldown prior to refueling or performing reactor plant maintenance. If the reactor is tripped following extended operation at rated power level, the AFWS is capable of delivering sufficient AFW to remove decay heat and reactor coolant pump (RCP) heat following reactor trip while maintaining the steam generator (SG) water level. Following transients or accidents, the recommended cooldown rate is consistent with expected needs and at the same time does not impose additional requirements on the capacities of the auxiliary feedwater pumps, considering a single failure. In any event, the process consists of being able to dissipate plant sensible heat in addition to the decay heat produced by the reactor core.
Response to 1.b
Table 1B-1 summarizes the criteria which are the general design bases for each event, discussed in the response to Question 1.a, above. Specific assumptions used in the analyses to verify that the design bases are met are discussed in response to Question 2.
The primary function of the Auxiliary Feedwater System is to provide sufficient heat removal capability for heatup following reactor trip and to remove the decay heat generated by the core and prevent system overpressurization. Other plant protection systems are designed to meet short term or pre-trip fuel failure criteria. The effects of excessive coolant shrinkage are evaluated by the analysis of the rupture of a main steam pipe transient. The maximum flow requirements determined by other bases are incorporated into this analysis, resulting in no additional flow requirements.
TABLE 1B-1
Criteria for Auxiliary Feedwater System Design Basis Conditions
Condition or Transient: Loss of Main Feedwater
    Classification*: Condition II
    Criteria*: Peak RCS pressure not to exceed design pressure. No consequential fuel failures
Condition or Transient: Station Blackout
    Classification*: Condition II
    Criteria*: (same as LMFW)
    Additional Design Criteria: Pressurizer does not fill with 1 single motor driven aux. feed pump feeding 2 SGs
Condition or Transient: Steamline Rupture
    Classification*: Condition IV
    Criteria*: 10 CFR 100 dose limits; containment design pressure not exceeded
    Additional Design Criteria: None
Condition or Transient: Feedline Rupture
    Classification*: Condition IV
    Criteria*: 10 CFR 100 dose limits. RCS design pressure not exceeded
    Additional Design Criteria: Core does not uncover
Condition or Transient: Loss of all A/C Power
    Classification*: N/A
    Additional Design Criteria: Same as blackout assuming turbine driven pump
Condition or Transient: Loss of Coolant
    Classification*: Condition III
    Criteria*: 10 CFR 100 dose limits; 10 CFR 50 PCT limits
    Classification*: Condition IV
    Criteria*: 10 CFR 100 dose limits; 10 CFR 50 PCT limits
Condition or Transient: Cooldown
    Classification*: N/A
    Additional Design Criteria: 100°F/hr, 557°F to 350°F
*Ref: ANSI N18.2 (This information provided for those transients performed in the FSAR).
Question 2
Describe the analyses and assumptions and corresponding technical justification used with plant condition considered in 1.a above including:
a. Maximum reactor power (including instrument error allowance) at the time of the initiating transient or accident.
b. Time delay from initiating event to reactor trip.
c. Plant parameter(s) which initiates AFWS flow and time delay between initiating event and introduction of AFWS flow into steam generator(s).
d. Minimum steam generator water level when initiating event occurs.
e. Initial steam generator water inventory and depletion rate before and after AFWS flow commences - identify reactor decay heat rate used.
f. Maximum pressure at which steam is released from steam generator(s) and against which the AFW pump must develop sufficient head.
g. Minimum number of steam generators that must receive AFW flow; e.g., 1 out of 2? 2 out of 4?
h. RC flow condition - continued operation of RC pumps or natural circulation.
i. Maximum AFW inlet temperature.
j. Following a postulated steam or feed line break, time delay assumed to isolate break and direct AFW flow to intact steam generator(s). AFW pump flow capacity allowance to accommodate the time delay and maintain minimum steam generator water level. Also identify credit taken for primary system heat removal due to blowdown.
k. Volume and maximum temperature of water in main feed lines between steam generator(s) and AFWS connection to main feed line.
l. Operating condition of steam generator normal blowdown following initiating event.
m. Primary and secondary system water and metal sensible heat used for cooldown and AFW flow sizing.
n. Time at hot standby and time to cooldown RCS to RHR system cut in temperature to size AFW water source inventory.
Response to 2
Analyses have been performed for the limiting transients which define the AFWS performance requirements. These analyses have been provided for review and have been approved in the Applicant's FSAR. Specifically, they include:
- Loss of Main Feedwater (Station Blackout)
- Rupture of a Main Feedwater Pipe
- Rupture of a Main Steam Pipe Inside Containment
In addition to the above analyses, calculations have been performed specifically for Diablo Canyon Units No. 1 and 2 to determine the plant cooldown flow (storage capacity) requirements. The Loss of All AC Power is evaluated via a comparison to the transient results of a Blackout, assuming an available auxiliary pump having a diverse (non-AC) power supply. The LOCA analysis, as discussed in response 1.b, incorporates the system flow requirements as defined by other transients, and therefore is not performed for the purpose of specifying AFWS flow requirements. Each of the analyses listed above is explained in further detail in the following sections of this response.
Loss of Main Feedwater (Blackout)
A loss of feedwater analysis, assuming a loss of power to the reactor coolant pumps, was performed in FSAR Section 15.2.8 for the purpose of showing that for a station blackout transient, a single motor driven auxiliary feedwater pump delivering flow to two steam generators does not result in filling the pressurizer. Furthermore, the peak RCS pressure remains below the criterion for Condition II transients and no fuel failures occur (refer to Table 1B-1). Table 2-1 summarizes the assumptions used in this analysis. The transient analysis begins at the time of reactor trip. This can be done because the trip occurs on a steam generator level signal, hence the core power, temperatures and steam generator level at time of reactor trip do not depend on the event sequence prior to trip. Although the time from the loss of feedwater until the reactor trip occurs cannot be determined from this analysis, this delay is expected to be 20-30 seconds. The analysis assumes that the plant is initially operating at 102% (calorimetric error) of the Engineered Safeguards design (ESD) rating shown on the table, a very conservative assumption in defining decay heat and stored energy in the RCS. The reactor is assumed to be tripped on steam/feed mismatch coincident with low steam generator level, allowing for level uncertainty. The FSAR shows that there is a considerable margin with respect to filling the pressurizer. A loss of normal feedwater transient with the assumption that the two smallest auxiliary feedwater pumps and reactor coolant pumps are running results in even more margin.
This analysis establishes the capacity of the smallest single pump and also establishes train association of equipment so that this analysis remains valid assuming the most limiting single failure.
Rupture of Main Feedwater Pipe
The double ended rupture of a main feedwater pipe downstream of the main feedwater line check valve is analyzed for the Applicant's 17 x 17 Fuel FSAR Amendment. Table 2-1 summarizes the assumptions used in this analysis. Reactor trip is assumed to occur when the unaffected steam generators are at the low level setpoint (adjusted for errors) and the faulted loop is assumed to be empty. This conservative assumption maximizes the stored heat prior to reactor trip and minimizes the ability of the steam generator to remove heat from the RCS following reactor trip due to a conservatively small total steam generator inventory. As in the loss of normal feedwater analysis, the initial power rating was assumed to be 102% of the ESD rating. Although the AFWS at Diablo Canyon Units No. 1 and 2 would allow delivery of auxiliary feedwater to two intact loops automatically in 1 minute, the FSAR analysis shows the case where no auxiliary feedwater flow is assumed until 10 minutes after the break. At this time it is assumed that the operator has isolated the AFWS from the break and the minimum flow requirement of 440 gpm (total) commences. The criteria listed in Table 1B-1 are met.
This analysis may establish the capacity of single pumps, establishes requirements for layout to preclude indefinite loss of auxiliary feedwater to the postulated break, and establishes train association requirements for equipment so that the AFWS can deliver the minimum flow required in 10 minutes assuming the worst single failure.
Rupture of a Main Steam Pipe Inside Containment
Because the steamline break transient is a cooldown, the AFWS is not needed to remove heat in the short term. Furthermore, addition of excessive auxiliary feedwater to the faulted steam generator will affect the peak containment pressure following a steamline break inside containment. This transient is performed at three power levels for several break sizes. Auxiliary feedwater is assumed to be initiated at the time of the break, independent of system actuation signals. The maximum flow is used for this analysis, considering a case where runout protection for the largest pump fails. Table 2-1 summarizes the assumptions used in this analysis. At 10 minutes after the break, it is assumed that the operator has isolated the AFWS from the faulted steam generator which subsequently blows down to ambient pressure. The criteria stated in Table 1B-1 are met.
This transient establishes the maximum allowable auxiliary feedwater flow rate to a single faulted steam generator assuming all pumps operating, establishes the basis for runout protection, if needed, and establishes layout requirements so that the flow requirements may be met considering the worst single failure.
Plant Cooldown
Maximum and minimum flow requirements from the previously discussed transients meet the flow requirements of plant cooldown. This operation, however, defines the basis for tankage size, based on the required cooldown duration, maximum decay heat input and maximum stored heat in the system. As previously discussed in response 1.a, the auxiliary feedwater system partially cools the system to the point where the RHRS may complete the cooldown, i.e., 350°F in the RCS. Table 2-1 shows the assumptions used to determine the cooldown heat capacity of the auxiliary feedwater system.
The cooldown is assumed to commence at the maximum rated power, and maximum trip delays and decay heat source terms are assumed when the reactor is tripped. Primary metal, primary water, secondary system metal and secondary system water are all included in the stored heat to be removed by the AFWS. See Table 2-2 for the items constituting the sensible heat stored in the NSSS.
This operation is analyzed to establish minimum tank size requirements for auxiliary feedwater fluid source which are normally aligned.
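TABLE 2-1
Summary of Assumptions Used in AFWS Design Verification Analyses
Transients: Loss of Feedwater (station blackout); Cooldown; Main Feedline Break; Main Steamline Break
a. Max reactor power
    Loss of Feedwater (station blackout): 102% of ESD rating (102% of 3579 MWt)
    Cooldown: 3470 (Unit #1), 3496 (Unit #2)
    Main Feedline Break: 102% of ESD rating (102% of 3579 MWt)
    Main Steamline Break: 0, 30, 102% of rated (percent of 3425 MWt)
b. Time delay from event to Rx trip
    Loss of Feedwater (station blackout): 2 sec
    Cooldown: 2 sec
    Main Feedline Break: 2 sec
    Main Steamline Break: variable
c. AFWS actuation signal/time delay for AFWS flow
    Loss of Feedwater (station blackout): lo-lo SG level, 1 minute
    Main Feedline Break: low-low SG level, 1 minute
    Main Steamline Break: Assumed immediately, 0 sec (no delay)
d. SG water level at time of reactor trip
    Loss of Feedwater (station blackout): (low-low SG level feed mismatch) 0% NR span
    Main Feedline Break: (low-low SG level + steam feed mismatch) 3 at 20% NR span, 1 at tube sheet
    Main Steamline Break: N/A
e. Initial SG inventory
    Loss of Feedwater (station blackout): 79,300 lbm/SG (at trip)
    Cooldown: 106,000 lbm/SG at 519°F
    Main Feedline Break: 95000 lbm/ruptured SG
    Main Steamline Break: consistent with power
   Rate of change before & after AFWS actuation
    Loss of Feedwater (station blackout): See FSAR Figure 15.2-29
    Cooldown: N/A
    Main Feedline Break: turnaround 1910 sec.
    Main Steamline Break: N/A
   Decay heat
    Loss of Feedwater (station blackout): FSAR Figure 15.1-5
    Cooldown: FSAR Fig. 15.1-5
    Main Feedline Break: FSAR Figure 15.1-5
    Main Steamline Break: FSAR Fig. 15.1-5
f. AFW pump design pressure
    Loss of Feedwater (station blackout): 1112 psia
    Cooldown: 1112 psia
    Main Feedline Break: 1112 psia
    Main Steamline Break: N/A
g. Minimum # of SGs which must receive AFW flow
    Loss of Feedwater (station blackout): 2 of 4
    Cooldown: N/A
    Main Feedline Break: 2 of 4
    Main Steamline Break: N/A
h. RC pump status
    Loss of Feedwater (station blackout): Tripped at reactor trip
    Cooldown: Tripped
    Main Feedline Break: Tripped at reactor trip
    Main Steamline Break: All operating
i. Maximum AFW temperature
    Loss of Feedwater (station blackout): 120°F
    Cooldown: 100°F
    Main Feedline Break: 120°F
    Main Steamline Break: equal to main feed temperature
j. Operator action
    Loss of Feedwater (station blackout): none
    Cooldown: N/A
    Main Feedline Break: 10 minutes
    Main Steamline Break: 10 minutes
k. MFW purge volume/temperature
    Loss of Feedwater (station blackout): 100 ft3/435°F
    Cooldown: 450 ft3/430°F
    Main Feedline Break: 385 ft3/435°F
    Main Steamline Break: 800 ft3/loop (for dryout time)
l. Normal blowdown
    Loss of Feedwater (station blackout): none assumed
    Cooldown: none assumed
    Main Feedline Break: none assumed
    Main Steamline Break: none assumed
m. Sensible heat
    Loss of Feedwater (station blackout): see cooldown
    Cooldown: Table 2-2
    Main Feedline Break: see cooldown
    Main Steamline Break: N/A
n. Time at standby/time to cooldown to RHR
    Loss of Feedwater (station blackout): 2 hr/4 hr
    Cooldown: 2 hr/4 hr
    Main Feedline Break: 2 hr/4 hr
    Main Steamline Break: N/A
o. AFW flow rate
    Loss of Feedwater (station blackout): 440 GPM - constant (min. requirement)
    Cooldown: variable
    Main Feedline Break: 440 gpm - constant (after 10 min.) (min. requirement)
    Main Steamline Break: 1890 GPM (constant) to broken SG. 2080 GPM for runout protection failure (max. requirement)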
TABLE 2-2
Summary of Sensible Heat Sources
Primary Water Sources (initially at ESD power temperature and inventory)
- RCS fluid
- Pressurizer fluid (liquid and vapor)
Primary Metal Sources (initially at ESD power temperature)
- Reactor coolant piping, pumps and reactor vessel
- Pressurizer
- Steam generator tube metal and tube sheet
- Steam generator metal below tube sheet
- Reactor vessel internals
Secondary Water Sources (initially at ESD power temperature and inventory)
- Steam generator fluid (liquid and vapor)
- Main feedwater purge fluid between steam generator and AFWS piping.
Secondary Metal Sources (initially at ESD power temperature)
- All steam generator metal above tube sheet, excluding tubes.
Figure 2-1 Auxiliary Feedwater Actuation Logic [logic diagram; not legible in this copy]
Question 3
Verify that the AFW pumps in your plant will supply the necessary flowto the steam generator(s) as determined by items 1 and 2 above consider-ing a single failure. Identify the margin in sizing the pump flow toallow for pump recirculation flow, seal leakage and pump wear.
Response to 3
Figure 3-1 schematically shows the major features and components of the Auxiliary Feedwater System for Diablo Canyon Unit 1 and 2. Flow rates for all of the design transients described in Response 2 have been met by the system for the worst single failure. The flows for those single failures considered are tabulated for the various transients in Table 3-1, including the following:
A. A/C Train Failure
B. Turbine Driven Pump Failure
C. Motor Driven Pump Failure
D. LCV Failure (Turbine Driven Pump System)
E. LCV Failure (Motor Driven Pump System)
F. AFWS check valve failure (failure to close on reverse flow)
Operator intervention within 10 minutes is required in order to meet the minimum flow requirements on the Feedline Rupture and the maximum flow requirements for the Main Steamline Break Inside Containment.
TABLE 3-1
Auxiliary Feedwater Flow(1) to Steam Generators Following an Accident/Transient with Selected Single Failure - GPM

                                                    Single Failure
Accident/Transient          Elec. Train   TD Pump   MD Pump   LCV Failure   LCV Failure   CV(2)
                            Failure       Failure   Failure   TDAFP Sys.    MDAFP Sys.    Failure
1. Loss of Main FW          1320          880       1320      1540          1540          1760
2. Feedline Rupture         (3)           440       (3)       440           440           440
3. Blackout                 1320          880       1320      1540          1540          1760
4. Cooldown                 1320          880       1320      1540          1540          1760
5. Main Steamline Rupture   (3)           440       (3)       440           440           440
6. Main Steamline           <1000         <1000     <1000     <1800         <1000         <1000

Notes:
(1) Items 1 thru 5 are minimum expected flows to intact loops; item 6 is maximum possible flow to the faulted loop.
(2) Including only those CVs in the AFWS. "Failure" is interpreted as failure to close on reverse flow; failure of the CV to open to permit flow in the normal direction is not considered.
(3) Ten minute operator action is required to isolate AFW flow to faulted loop. Prior to operator action, flow is 0 gpm to unfaulted loops; after operator action, flow is >440 gpm to unfaulted loops.
[Figure 3-1. Auxiliary Feedwater System. The schematic and its valve legend are not recoverable from the scan.]
The turbine-driven auxiliary feed pump is the preferred source of auxiliary feedwater. The turbine-driven auxiliary feed pump design point is 930 gpm at 3,000 feet discharge head. This rating includes a recirculation flow of 50 gpm, with a net flow of 880 gpm available to supply the steam generators. Driving steam for the turbine-driven auxiliary feed pump is taken from two of the four main steam lines upstream of the main steam isolation valves and is exhausted to the atmosphere. Only one steam supply is required for turbine operation.
As shown in Figure 10.3-1, each of the two steam supply lines to the turbine-driven auxiliary feed pump is provided with a separate, normally open, motor-operated isolation valve. A normally closed, motor-operated stop valve is located in the steam supply line to the turbine inlet. During normal operation, the steam supply line is pressurized up to this stop valve, with steam available to operate the turbine-driven auxiliary feed pump when a control signal is received to open the stop valve.
The motor-driven auxiliary feed pumps are powered from the vital buses. They are available for standby service in the event of loss of normal power sources, when there is insufficient steam to operate the turbine-driven auxiliary feed pump, or when the turbine-driven auxiliary feed pump is unavailable. Each motor-driven auxiliary feed pump design point is 490 gpm at 3,000 feet discharge head. This rating includes a recirculation flow of 50 gpm, with a net flow of 440 gpm from each pump available to supply the steam generators.
The design head of 3,000 ft exceeds the required head of 2,533 ft to allow sufficient margin for pump wear and level control.
Controls for the Auxiliary Feedwater System are described in detail in Chapter 7. In addition to the manual actuation of the auxiliary feed pumps, the following signals provide for automatic actuation.
(July 1978) 10.4-17 Amendment 65
PLG-O~4O
REVISION 3
RELIABILITY ANALYSIS OF DIABLO CANYON AUXILIARY FEEDWATER SYSTEM
by
Dennis C. Bley
David M. Wheeler
Carroll L. Cate
Daniel W. Stillwell
B. John Garrick
Prepared for PACIFIC GAS AND ELECTRIC COMPANY
San Francisco, California
September 1980
PICKARD, LOWE AND GARRICK, INC.
CONSULTANTS - NUCLEAR POWER
IRVINE, CALIFORNIA    WASHINGTON, D.C.
ACKNOWLEDGEMENTS
The Reliability Analysis of Diablo Canyon Auxiliary Feedwater System (AFWS) benefited from the expertise of the Pacific Gas and Electric Company (PG&E) engineering staff and the Diablo Canyon operations and maintenance staffs. They reviewed the AFWS model and provided detailed information on the plant hardware and practices.
The authors are especially grateful to Roy Fray, Senior Reliability Engineer of PG&E, who provided strong overall direction to the project as well as detailed engineering review. Gary Jeung, Reliability Engineer of PG&E, provided technical assistance throughout the study and acted as liaison between the PLG and PG&E staffs. At Diablo Canyon, Tim Martin, Senior Operator, and Don Backens, Supervisor of Maintenance, provided frequent and essential help to the study team.
TABLE OF CONTENTS
Section
1. STATEMENT OF PURPOSE
2. SUMMARY
3. INTRODUCTION AND SCOPE
   3.1 Background
   3.2 Auxiliary Feedwater System Description
       3.2.1 Mechanical System
       3.2.2 Instrumentation and Controls
       3.2.3 Procedures
   3.3 Scope
4. METHODOLOGY
5. SYSTEM ANALYSIS
   5.1 System Models
       5.1.1 System Fault Tree
       5.1.2 Computer Programs
       5.1.3 Data
   5.2 Random Failures
   5.3 Test and Maintenance
       5.3.1 Testing
       5.3.2 Maintenance
   5.4 Human Interaction
       5.4.1 Human Inaction
       5.4.2 Human Error/Common Cause
   5.5 Common Cause Analysis
       5.5.1 Common Cause Analysis
       5.5.2 Results of Common Cause Analysis
6. RESULTS
7. REFERENCES
APPENDIX A: FAULT TREE
APPENDIX B: COMPONENT DATA SHEETS
LIST OF TABLES AND FIGURES
Table
1   Summary of Results - Conditional Unavailabilities of the Diablo Canyon AFWS
2   Auxiliary Feedwater Systems At Westinghouse-Designed Operating Plants and Combustion Engineering-Designed Operating Plants
3   AFWS Instrumentation At Diablo Canyon
4   Dominant Random Failure Cutsets for Diablo Canyon AFWS
5   Table of Manufacturers
6   Table of Equipment Locations At Diablo Canyon
7   Component List - NRC Data
8   Component List - Plant Specific Data
9   Pump Train Maintenance Unavailability
10  Common Cause - Mechanical or Thermal Generic Causes
11  Electrical Generic Causes
12  Chemical or Miscellaneous Generic Causes
13  Susceptibility Library
14  Common Cause Candidates for Susceptibility
15  Common Cause Candidates, Common Manufacturer
16  Common Cause Candidates for Similar Parts
17  Summary of Results Conditional Unavailabilities of the Diablo Canyon AFWS
18  Loss of Main Feedwater - NRC Data
19  Loss of Main Feedwater - Plant Specific Data
20  Loss of Offsite Power - NRC Data
21  Loss of Offsite Power - Plant Specific Data
22  Loss of All AC Power - NRC Data
23  Loss of All AC Power - Plant Specific Data
Figure
Conceptual Block Diagram of the Auxiliary Feedwater System
Reliability Characterizations for AFWS Designs in Plants Using the Westinghouse NSSS
Simplified Block Diagram of the Auxiliary Feedwater System
Simplified Core Cooling Event Tree
Diablo Canyon Auxiliary Feedwater System
Boundary of Analysis
Simplified Fault Tree
Cause Tree for the Diablo Canyon Auxiliary Feedwater System
A-1 Diablo Canyon Auxiliary Feedwater System Fault Tree
1. STATEMENT OF PURPOSE
A study was made of the reliability of the Diablo Canyon Auxiliary Feedwater System for Pacific Gas and Electric Company of San Francisco, California. The purpose of the study was to provide a thorough and comprehendible assessment of the overall reliability of the system, to identify important contributors to unreliability, and to evaluate the impact of possible improvements. A principal aim of the study was to use the most applicable data in the analysis with due regard for the true range of uncertainty in this information. In addition, to make comparisons with NRC analyses more directly visible, calculations using the standard NRC data base have been included.
2. SUMMARY
This report shows that in the emergency mode the Diablo Canyon Auxiliary Feedwater System [1-6] is very reliable. Redundancy, separation, availability during testing, and recoverability make the system remarkably sound. Key contributors to the system unavailability are detailed below. Given the already low unavailability in comparison with similar systems at other plants and probably with other systems at Diablo Canyon, substantial efforts to improve Auxiliary Feedwater System reliability cannot be justified. Before implementation, even minor changes should be examined carefully to determine any detrimental effects as well as to evaluate costs.
The emergency function of the Auxiliary Feedwater System (AFWS) is to provide heat removal for the primary system when the main feedwater system is not available. A conceptual block diagram of the AFWS is shown in Figure 1. Water is supplied through three pumps to each of four steam generators. The AFWS must provide this function during small Loss of Coolant Accidents (LOCA) as well as during transients that lead to a loss of main feedwater. The AFWS provides initial cooling to prevent overpressurization of the primary system and has sufficient preferred water supply to maintain hot standby conditions for 2 hours followed by a cooldown to 350°F. The system is also used during normal plant startup, shutdown, and hot standby conditions. Requirements for success under emergency conditions are that flow from at least one pump (400 gpm) be delivered to at least one steam generator within 30 minutes of the initial demand. [7,8,9]
The unavailability characteristics of the AFWS were calculated based on system design and plant procedures as of July 1980. Two differences have been noted between the current design and the actual equipment installed in the field. First, new electro-hydraulic valve actuators and associated circuitry have been specified to replace a design with an especially poor performance record. Second, the AFWS turbine steam isolation valve, FCV-95, will be powered by DC rather than the existing AC arrangement. Furthermore, all plant procedures are currently under revision.
The AFWS analysis determines the system minimal cutsets, i.e., the smallest groups of combined component failure modes that lead to system failure. It further catalogs the causes for specific component failure modes and evaluates their likelihood of occurrence. The causes considered include:
• Random independent failures
• Test and maintenance
• Human error
• Common cause failures
REVISION 2
[FIGURE 1. CONCEPTUAL BLOCK DIAGRAM OF THE AUXILIARY FEEDWATER SYSTEM. Blocks shown: water source, turbine pump, two motor driven pumps, steam generator.]
Environmental common cause effects (such as vibration) are examined within isolated areas (rooms) of the plant. Plant-wide common environmental problems such as seismic excitation were not evaluated. PG&E has already performed a detailed seismic evaluation of the Diablo Canyon Nuclear Power Station that included an analysis of the effects of the AFWS [10]. That analysis was reviewed extensively by the NRC.
Two sets of data are used in separate quantifications. The NRC point estimate data from NUREG-0611 [11] is identified here as NUREG-0611 Data. Data most applicable to the Diablo Canyon AFWS that includes uncertainty has been identified as Plant-Specific Data. The three specific cases described in NUREG-0611 are analyzed:
1. LMFW - transient initiated by interruption of the main feedwater system (reactor trip occurs) and offsite AC power remains available.
2. LMFW/LOOP - transient initiated by loss of offsite AC power and reactor trip occurs (main feedwater system is interrupted by the loss of offsite power). Onsite emergency AC power sources are treated probabilistically.
3. LMFW/only DC power available - transient is initiated as in item 2 above, but onsite emergency AC power sources are unavailable.
Note that these cases lead to conditional unavailability calculations that are coupled with distinct states of electric power. Results are displayed in Table 1 for each of the three cases and each data set. The results based on NRC data are compared with the corresponding NRC results from NUREG-0611 for other Westinghouse PWRs in Figure 2.
The comparison with other Westinghouse plants shows that Diablo Canyon is grouped with the higher reliability units. This is not surprising. The only single point vulnerability of the hardware system at Diablo Canyon is failure of the single suction valve 1-671 from the condensate storage tank (CST) and this failure is recoverable from the control room. The operator can trip AFWS pumps or open the suction valve from the alternative supply header (raw water). He is warned of the suction valve failure by a low suction pressure alarm (large white annunciator), low pump discharge pressure indication, and erratic pump current indication in the control room. He may be warned verbally by in-plant operators who hear the pumps cavitating.
Test and maintenance contributions are limited by Technical Specifications on allowed AFW train outage time. The system starts with all level and flow control valves (LCVs and FCVs) in the wide open position. Thus, on failure of the electro-hydraulic actuator system to operate, the LCVs will not block flow. Flow is not cut back until rising steam generator levels are established. Because of the redundancy of onsite AC power (diesel generator) to key AFWS components, loss of off-site AC power does not seriously degrade AFWS reliability. Finally, the
TABLE 1. SUMMARY OF RESULTS
CONDITIONAL* UNAVAILABILITIES** OF THE DIABLO CANYON AFWS

                                     Loss of Main Feedwater           Loss of Main Feedwater Due       Loss of Main Feedwater and
                                                                      to Loss of Offsite Power         Loss of All AC Power
Contributors to Unavailability       NRC Data      Plant-Specific     NRC Data      Plant-Specific     NRC Data      Plant-Specific
                                                   Data                             Data                             Data

Nonrecoverable random failures       1.4 x 10^-7   4.4 x 10^-7        6.7 x 10^-6   1.5 x 10^-5        3.7 x 10^-3   7.5 x 10^-3
                                                   (3.4 x 10^-13)                   (3.0 x 10^-9)                    (5.6 x 10^-5)
Nonrecoverable test and              3.0 x 10^-6   2.7 x 10^-6        2.1 x 10^-5   2.4 x 10^-5        8.0 x 10^-3   8.0 x 10^-3
maintenance                                        (6.5 x 10^-13)                   (3.0 x 10^-9)                    (2.2 x 10^-5)
Human error                          3.3 x 10^-5   1.7 x 10^-5        3.3 x 10^-5   1.7 x 10^-5        3.0 x 10^-4   2.9 x 10^[exponent illegible]
                                                   (4.6 x 10^-6)                    (4.6 x 10^-6)                    (3.6 x 10^-5)
Common cause (all LCVs               6.5 x 10^-7   6.5 x 10^-7        6.5 x 10^-7   6.5 x 10^-7        6.5 x 10^-7   6.5 x 10^-7
incorrect position after test)                     (4.0 x 10^-8)                    (4.0 x 10^-8)                    (4.0 x 10^-8)
Other                                [entries not legible in the scan]
Total                                3.7 x 10^-5   2.1 x 10^[exponent illegible]   6.1 x 10^-5   5.7 x 10^-5   1.2 x 10^-2   1.6 x 10^-2
                                                   (4.6 x 10^-6)                    (4.6 x 10^-6)                    (1.1 x 10^-4)

*The total unavailabilities as well as the individual contributions given in this table are not actual system unavailabilities but are system characteristics conditional on specific states of electric power as follows:
LMFW: Offsite AC power is continuously available.
LMFW/LOOP: Offsite AC power is unavailable--diesel generators may or may not accept load.
LMFW/Loss of All AC: All AC power is unavailable; DC power is available.
**Unavailability is the fraction of times the system will not perform its function when required.
+Epsilon "ε" is used to indicate a negligible contribution to unavailability.
( ) Variance or average squared deviation from the mean.
[FIGURE 2. RELIABILITY CHARACTERIZATIONS FOR AFWS DESIGNS IN PLANTS USING THE WESTINGHOUSE NSSS*. The chart is not recoverable from the scan. Columns: transient events LMFW, LMFW/LOOP and LMFW/loss of all AC, each with LOW, MED and HIGH reliability bands on a logarithmic unavailability axis. Plants shown: Haddam Neck, San Onofre, Prairie Island, Salem, Zion, Yankee Rowe, Trojan, Indian Point, Diablo Canyon, Kewaunee, H. B. Robinson, Beaver Valley, Ginna, Pt. Beach, Cook, Turkey Pt., Farley, Surry, No. Anna.]
*Table and all values except Diablo Canyon are taken from NUREG-0611 [8]. Diablo Canyon value is based upon calculations using the NRC data.
system does not depend upon AC power for successful operation. The turbine pump bearings are air cooled. In the event of a high ambient air temperature, a backup water drip is supplied to assist in cooling these bearings. The valves which control the flow to these bearings are self-actuated temperature control valves which do not require air or electric power for operation.
The dominant contributors to the unavailability of the Diablo Canyon AFWS are human error and test and maintenance. Highest on the list is the random failure of CST outlet valve 1-671 combined with no human action to save the AFWS pumps within 5 minutes. Next on the list of dominant contributors is random failure of CST outlet valve 1-671 combined with successful human action to save the pumps but no human action restoring the water supply. Third is turbine pump maintenance combined with random failures in other components. These three dominant contributors are responsible for about SOS of the unavailability.
It is possible to imagine modifications in hardware and procedures that have potential to reduce the impact of the dominant contributors. Some examples are given in Chapter 6. However, the system is already very reliable, i.e., no serious deficiencies have been identified. No changes should be made without a careful evaluation of all costs and benefits including the chance that a change aimed at improving reliability could actually degrade it.
3. INTRODUCTION AND SCOPE
3.1 BACKGROUND
The purpose of this study is to analyze the reliability of the Auxiliary Feedwater System (AFWS) of the Diablo Canyon Nuclear Station illustrated in Figure 3. The auxiliary feedwater system supplies feedwater to the steam generators during normal plant startup, shutdown, and hot standby conditions. It also serves an important emergency function by providing cooling water to remove decay heat from the core. To place the AFWS emergency function in perspective, we consider what options for cooling are available to a core following extended high power operations. The simplified core cooling event tree of Figure 4 provides a framework for discussion. Following an initiating event that leads to loss of main feedwater (turbine trip, reactor trip, LOCA, etc.), core heat can be removed via the primary coolant system in two ways: through the steam generators (steam production in the secondary side) or directly by reactor coolant blowing down through a valve or rupture. If a LOCA is large enough to remove the decay heat, sufficient makeup flow must be delivered to the reactor to avoid core uncovery. The design mode of heat removal is by steam generator cooling (steam reliefs or dumps). For continued success of this mode, feedwater must be supplied by the AFWS or by restoring main feedwater. Even if all feedwater supplies fail, successful core cooling can be provided by primary bleed and feed. Recent analyses by Westinghouse [8 and 9] show that one high pressure injection pump combined with the opening of both power operated relief valves can supply sufficient bleed and feed cooling to prevent core damage. In this report we address only the reliability of the AFWS. For cases that involve loss of AC power, only the feed systems can provide cooling since the makeup pumps cannot run.
The analysis determines the system minimal cutsets, i.e., the smallest groups of combined component failure modes that lead to system failure. It further catalogs the causes for specific component failure modes and evaluates their likelihood of occurrence. The causes considered include:
• Random independent failures
• Test and Maintenance
• Human error
• Common cause failures
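The minimal cutset determination described above, and the way it exposes the single point vulnerability the summary attributes to suction valve 1-671, can be reproduced on a small tree. This is an added example, not the report's fault tree or computer programs: the gate and event names, the reduction to three trains sharing one suction valve, and all probabilities are constructed assumptions.

```python
"""Minimal cutsets of a simplified AFWS fault tree (added example).

Gate names, event names and probabilities are constructed for
illustration; this is not the fault tree of the report's Appendix A.
"""
from itertools import product
from math import prod

# Top event: no auxiliary feedwater flow from any of the three pumps.
# Every pump train draws from the CST through the single suction valve
# 1-671, so that basic event is repeated under each train.
FAULT_TREE = {
    "AFWS_NO_FLOW": ("AND", ["TD_TRAIN", "MD_TRAIN_A", "MD_TRAIN_B"]),
    "TD_TRAIN": ("OR", ["V671_CLOSED", "TD_PUMP_FAILS", "FCV95_FAILS_TO_OPEN"]),
    "MD_TRAIN_A": ("OR", ["V671_CLOSED", "MD_PUMP_A_FAILS", "VITAL_BUS_A_LOST"]),
    "MD_TRAIN_B": ("OR", ["V671_CLOSED", "MD_PUMP_B_FAILS", "VITAL_BUS_B_LOST"]),
}

# Constructed per-demand failure probabilities (not NUREG-0611 or plant data).
PROBABILITY = {
    "V671_CLOSED": 1e-4,
    "TD_PUMP_FAILS": 1e-2,
    "FCV95_FAILS_TO_OPEN": 1e-3,
    "MD_PUMP_A_FAILS": 5e-3,
    "VITAL_BUS_A_LOST": 1e-3,
    "MD_PUMP_B_FAILS": 5e-3,
    "VITAL_BUS_B_LOST": 1e-3,
}


def expand(tree, node, path=()):
    """Top-down expansion of a gate into cutsets (not yet minimal)."""
    if node in path:
        raise ValueError(f"fault tree contains a loop through {node}")
    if node not in tree:                      # basic event
        return [frozenset([node])]
    kind, inputs = tree[node]
    children = [expand(tree, child, path + (node,)) for child in inputs]
    if kind == "OR":                          # any input alone causes the output
        return [cs for sets in children for cs in sets]
    if kind == "AND":                         # one cutset from every input, merged
        return [frozenset().union(*combo) for combo in product(*children)]
    raise ValueError(f"unknown gate type {kind!r} at {node}")


def minimal_cutsets(tree, top):
    """Drop duplicates and every cutset that contains a smaller cutset."""
    candidates = sorted(set(expand(tree, top)),
                        key=lambda cs: (len(cs), sorted(cs)))
    minimal = []
    for cs in candidates:
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return minimal


def cutset_probability(cutset, p):
    """Probability of one cutset, assuming independent basic events."""
    return prod(p[event] for event in cutset)


def unavailability(cutsets, p):
    """Rare-event approximation: sum of the minimal cutset probabilities."""
    return sum(cutset_probability(cs, p) for cs in cutsets)


def ranked_contributions(cutsets, p):
    """(fraction of total, sorted event names) per cutset, largest first."""
    total = unavailability(cutsets, p)
    rows = [(cutset_probability(cs, p) / total, sorted(cs)) for cs in cutsets]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    mcs = minimal_cutsets(FAULT_TREE, "AFWS_NO_FLOW")
    print(f"{len(mcs)} minimal cutsets, "
          f"unavailability {unavailability(mcs, PROBABILITY):.3e}")
    for share, events in ranked_contributions(mcs, PROBABILITY)[:3]:
        print(f"{share:8.4%}  {' AND '.join(events)}")
```

The 27 product terms of the AND gate reduce to nine minimal cutsets: the shared suction valve on its own, plus eight three-event combinations that fail all three trains independently.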
Results are quantified twice: once using NRC generic point value data taken from NUREG-0611 [11] and a second time using data we assess to be more applicable to the system actually installed at Diablo Canyon. The results are similar for both data sets as shown below.
[FIGURE 3. SIMPLIFIED BLOCK DIAGRAM OF THE AUXILIARY FEEDWATER SYSTEM. Blocks shown: condensate storage tank, firewater tank, raw water reservoir, turbine pump, two motor driven pumps, steam generators 1 to 4.]
[FIGURE 4. SIMPLIFIED CORE COOLING EVENT TREE. The tree diagram is not recoverable from the scan. Event headings: initiating event (leading to loss of main feedwater); no rapid sustained loss of primary coolant level; steam generator cooling with AFWS or main feedwater; sufficient primary makeup flow*. Branches are labelled YES and NO.]
No.  Result
1    Successful core cooling
2    Successful core cooling but must regain makeup flow to permit controlled cooldown
3    Successful core cooling
4    Potential core damage
5    Successful core cooling
6    Potential core damage
*Includes successful opening of PORVs if required for feed and bleed cooling.
• System frequency of failure* using NRC data is: 1.6 x 10^-4/year.
• System frequency of failure* using plant specific data is: 9.5 x 10^-5/year.
In the report, conditional unavailability is evaluated for the three specific electric power conditions considered by the NRC in NUREG-0611:
• Offsite AC available
• No offsite AC available
• No AC available.
Note that these cases lead to conditional unavailability calculations that are coupled with distinct states of electric power.
3.2 AUXILIARY FEEDWATER SYSTEM DESCRIPTION
3.2.1 Mechanical System
The AFWS consists of two motor driven pumps and one turbine driven pump as shown in Figure 5. Each motor driven pump (490 gpm at 3,000 feet) normally supplies two steam generators through electro-hydraulic level control valves. The turbine driven pump (930 gpm at 3,000 feet) is normally lined up to supply all four steam generators through individual normally open motor-operated valves. The system can succeed in removing the decay heat from the core if sufficient flow from any one pump (400 gpm) is delivered to any one steam generator. Natural circulation cooling for the core has been shown to be satisfactory to prevent core damage if there is sufficient water level on the secondary side of at least one steam generator and if the primary system retains sufficient water to keep the core covered even if the primary side contains water and steam mixture. [8]
The primary source of water for the AFWS is the Condensate Storage Tank (CST). This tank is Seismic Category I and is located adjacent to the Unit Auxiliary Building. The CST is maintained at approximately 178,000 gallons which provides sufficient inventory to maintain the plant at hot standby for 8 hours after a reactor trip. The backup water source for the AFWS is the Fire Water Storage Tank (FWST). Operator action is required to manually align the FWST to the AFW pump backup suction header. An alternate, lower quality, backup supply of water is provided
*System frequency of failure is calculated based on an average frequency of demand with offsite AC power available of 4/year (3 losses of main feed and one ECCS actuation per year) and without offsite AC of .2/year (NRC data and plant specific data, one loss of offsite AC in 5 years, are the same).
[FIGURE 5. DIABLO CANYON AUXILIARY FEEDWATER SYSTEM. The piping diagram, valve numbers and legend are not recoverable from the scan.]
by the Raw Water Storage Reservoir. This source is always aligned to the AFW pump backup suction header and is isolated in accordance with plant emergency operating procedure requirements before pump suction is shifted from the CST to the FWST.
The motor driven pumps are powered from separate 4,160 VAC vital buses. These vital buses are powered by separate emergency diesel generators. The turbine driven pump receives steam from two of the four steam generators. The steam from each of the two steam generators passes through a normally open motor-operated valve to a common turbine supply header. The turbine steam supply isolation valve, FCV-95, is normally closed and opens automatically in response to an actuation signal. This valve is presently AC powered but will be shifted to a DC supply before the plant is operated. The system is analyzed in this report with the DC power modification installed.
The Diablo Canyon Auxiliary Feedwater System is similar in many respects to other operating plants. Table 2, Auxiliary Feedwater Systems At Westinghouse-Designed Operating Plants And Combustion Engineering-Designed Operating Plants, compares some of these aspects.
3.2.2 Instrumentation and Controls
The control of steam generator water level is dependent upon the pumps in service. The motor-operated flow control valves in the turbine driven pump discharge lines are controlled by separate 3-position switches in the main control room. The switches allow for opening, closing, or stopping the valves. To fully open or close these valves, the switch for an individual valve must be held in the open or close position. The individual switches are spring return to stop. These valves are normally in the full open position. The electro-hydraulic level control valves (LCVs) in the motor driven pump discharge lines are normally in the full open position with their controllers set to AUTO. Automatic control of each LCV responds to the associated steam generator level. There is an overriding valve closure signal on low pump discharge pressure to protect the motor driven pumps from runout. The LCVs fail open on loss of power and will not respond to the steam generator level unless the associated auxiliary feedwater pumps are running.* A toggle switch is provided on the AFWS panel in the control room to bypass the pump-running interlock. The override switch permits valve closure for surveillance testing. None of the valves in the auxiliary feedwater lines to the steam generators receive an automatic open signal in response to AFWS actuation.
The AFWS pumps and motor-operated valves may be operated from the Main Control Board or the Hot Shutdown Panel. Instrumentation available to the operator is presented in Table 3. This instrumentation allows for operator control of the system and aids in diagnosing problems in the system.
*The LCVs on the turbine-driven AFW pump and all motor-operated valves in this system fail as-is on a loss of electric power.
TABLE 2. AUXILIARY FEEDWATER SYSTEMS AT WESTINGHOUSE-DESIGNED OPERATING PLANTS AND COMBUSTION ENGINEERING-DESIGNED OPERATING PLANTS [11]*

Westinghouse-Designed Plants

Plant                  No. of Pumps/Type of Drive      Capacity                              AFWS Mode of    Comments
                                                                                             Initiation
Beaver Valley 1        1-Steam Driven                  Steam: 700 gpm @ 2696 ft              Automatic
                       2-Motor Driven                  Motor (each): 350 gpm @ 2696 ft
Diablo Canyon 1 & 2    1-Steam Driven                  Steam: 930 gpm @ 1312 psid            Automatic
                       2-Motor Driven                  Motor: 490 gpm @ 1370 psid            Automatic
D. C. Cook 1 & 2       1-Steam Driven**                Steam: 900 gpm @ 2714 ft.             Automatic       Per unit motor pumps supply both units
                       1-Motor Driven**                Motor: 450 gpm @ 2714 ft.
Farley 1               1-Steam Driven                  Steam: 700 gpm @ 1268 psig            Automatic
                       2-Motor Driven                  Motor (each): 350 gpm @ 1268 psig
Ginna                  1-Steam Driven                  Steam: 400 gpm @ 1131 psig            Automatic
                       2-Motor Driven (normal AFWS)    Motor (each): 200 gpm @ 1114 psig
                       2-Motor Driven (standby AFWS)   Motor: 200 gpm                        Manual
Haddam Neck            2-Steam Driven                  Steam: 450 gpm @ 1000 psia            Manual
H. B. Robinson         1-Steam Driven                  Steam: 600 gpm @ 1300 psi             Automatic
                       2-Motor Driven                  Motor (each): 300 gpm @ 1300 psi
Indian Point 2 & 3     1-Steam Driven*                 Steam: 800 gpm @ 1350 psig            Automatic       Per unit
                       2-Motor Driven*                 Motor (each): 400 gpm @ 1350 psig
Kewaunee               1-Steam Driven                  Steam: 240 gpm @ 2850                 Automatic
                       2-Motor Driven                  Motor (each): 240 gpm @ 2850
North Anna 1           1-Steam Driven                  Steam: 700 gpm @ 2800                 Automatic
                       2-Motor Driven                  Motor (each): 350 gpm @ 2800
Prairie Island 1 & 2   1-Steam Driven*                 Steam: 220 gpm @ 1200 psig            Automatic       Per unit motor pump normally feeds opposite unit steam generator
                       1-Motor Driven*                 Motor: 220 gpm @ 1200 psig
Point Beach 1 & 2      1-Steam Driven*                 Steam: 400 gpm @ 1192 psig            Automatic       Per unit motor pump supplies both units
                       1-Motor Driven*                 Motor (each): 200 gpm @ 1192 psig
Salem 1                1-Steam Driven                  Steam: 880 gpm @ 1550 psi             Automatic
                       2-Motor Driven                  Motor (each): 440 gpm @ 1300 psi
San Onofre 1           1-Steam Driven                  Steam: 300 gpm @ 1110 psi             Manual
                       1-Motor Driven                  Motor: 235 gpm @ 1035 psi
Surry 1 & 2            1-Steam Driven*                 Steam: 700 gpm @ 2730 ft.             Automatic       One pump each AFW system can feed opposite unit
                       2-Motor Driven*                 Motor (each): 350 gpm @ 2730
Trojan                 1-Steam Driven                  Steam: 960 gpm @ 3400                 Automatic
                       1-Diesel Driven                 Diesel: 960 gpm @ 3400
Turkey Point 3 & 4     3-Steam Driven* for both units  Steam (each): 600 gpm @ 2775 ft.      Automatic       One pump normally supplies each unit - 3rd pump is backup for either unit
Yankee Rowe            1-Steam Driven*                 Steam: 90 gpm @ 1200 psi              Manual          *Charging and safety injection systems serve as backup
Zion 1 & 2             1-Steam Driven*                 Steam: 900 gpm @ 3099 ft.             Automatic       Per unit
                       2-Motor Driven*                 Motor (each): 450 gpm @ 3099

*Table (except for Diablo Canyon) taken from NUREG-0611 [1]
**Note (marked * on the continuation pages of the table): See Comments column.
TABLE 3. AFWS INSTRUMENTATION AT DIABLO CANYON

Indication                                  Comments
Auxiliary feedwater flow                    One flow indicator per steam generator.
Steam generator water level                 Wide range and narrow range for each steam generator, high and low level, also alarmed.
AFW pump discharge pressure                 One per pump.
AFW pump suction pressure                   Low pressure alarm only.
CST water level                             Low level also alarmed.
FWST water level
Raw water storage tank level
Steam generator pressure
Turbine driven pump rpm
Motor driven pumps amps
Valve position indications                  All motor-operated valves.
Direct valve position indication (% open)   Electro-Hydraulic LCVs
The motor driven AFW pumps start automatically on steam generator low-low level in any one steam generator, on a Safety Injection (SI) signal, on auto trip of the main feed pumps, or on an associated vital bus transfer to diesel power. FCV-95 opens automatically to start the turbine driven AFW pump on steam generator low-low level in any two steam generators or loss of power to the Reactor Coolant Pump buses (sensed by bus undervoltage devices).
3.2.3 Procedures
Diablo Canyon Maintenance Procedures E-87 for AFWS pump motors and M-27 and M-28 for AFWS pumps and turbine require completion of performance tests (using surveillance test procedures). The tests verify pump operability following maintenance. The following Diablo Canyon surveillance test procedures affect the AFWS:
1. V-2B Auxiliary Feedwater and Containment Spray Valves - Exercises about half of the active AFWS valves during refueling outages. Not important to this analysis.
2. V-2U Steam Generator Related Valves - Exercises the remaining active AFWS valves during refueling outages. Not important to this analysis.
3. V-3P4 Exercising RWSR Supply to Auxiliary Feedwater Pumps, FCV-436, FCV-437. This test is performed when steam pressure exceeds 100 psig to verify proper operability of these motor operated valves and their indicating lights. Improper completion of the test could leave the AFWS pumps' recirculation valves 32, 168, and 169 in the closed position.
4. P-5A(6A) Performance Test of Motor-Driven (Steam-Driven) Auxiliary Feed Pumps - These extensive tests verify proper pump performance over a wide range of operating conditions. It is performed following major maintenance and at five year intervals (Test P-6A is not yet written).
5. P-5B(6B) Routine Surveillance Test of Motor-Driven (Steam-Driven) Auxiliary Feedwater Pumps - These tests are run monthly to verify operability of the AFWS pumps. The remotely operated level control (flow control) valve is closed; the pump is test operated on recirculation; the LCVs (FCVs) are bumped open to verify flow to the steam generators; the pump is stopped; the LCVs are opened fully with their controllers left in manual (FCVs are opened fully). Procedure P-5B and its checklist are being revised to require operating and restoring the pump-running interlock override toggle switch in the control room and to specify that the controllers be returned to automatic. This report analyzes the plant with those changes in place. The three pumps are tested sequentially so the common human failure of leaving all LCVs and FCVs shut must be analyzed.
6. P-6C Overspeed Trip of Steam-Driven Auxiliary Feed Pump - This test is conducted following refueling outages and verifies the turbine protection feature.
The test procedures are important to this study in several respects. They verify the continued operability of standby equipment that must start on demand. They ensure no common cause problems are developing in an unmonitored fashion. They can uncover degradation or aging before complete failure occurs. They are also the primary source of random failure-on-demand data. The tests also may have negative impacts--especially due to improper restoration to normal service.
The following two Diablo Canyon Operating Procedures apply to the AFWS:
1. A-5 Steam Generators - Describes the use of the AFWS during startup (to about 5% power) and shutdown, and the transfer to and from main feed pumps. It also discusses hydrostatic testing and steam generator level recovery using the AFWS.
2. D-1 Auxiliary Feedwater System - Provides detailed (valve-by-valve) instructions for startup, operation, shutdown and clearance, and abnormal operation of the AFWS.
These operating procedures have little impact on the reliability study. However, neither procedure mentions the pump-running-interlock override-toggle-switch on the AFWS panel in the control room and neither procedure tells the operator how to set up the electro-hydraulic LCVs for the standby (normal) condition.
Every emergency operating procedure (EOP) that applies to transients leading to reactor trip calls upon (or should call upon) the AFWS. The existing Diablo Canyon EOPs are inconsistent in their discussions of the AFWS. Some ignore it; some say to check that the pumps have started; some say only to throttle AFWS flow; etc. None warn the operator that all pumps could be lost quickly (in less than about 5 minutes) on loss of suction. None explain how to shift suction supply. Improvements could increase the likelihood of effective operator response to recoverable failures. The existing EOPs are discussed below.
1. OP-1 Loss of Coolant Accident - Does not mention the AFWS or refer to other EOPs. For small breaks, initiation of steam dump to assist cooldown is specified. Neither AFWS nor primary bleed and feed are discussed.
Steam Line Break - Directs the operator to isolate AFW to a faulty steam generator in a subsequent action, but does not mention startup or verification of AFWS flow.
Feedwater Line Break - Lists actuation of AFWS as an automatic action. An immediate operator action is to verify that the pumps have started and a subsequent operator action is to isolate a faulty steam generator.
Loss of Electric Power - Lists two AFWS automatic actions. First, turbine pump start, and second, following diesel generator loading, motor pump start. The immediate operator actions for AFWS are good--check all pumps started, valves open, and flow to the steam generators. The subsequent actions include shutdown of the turbine pump at >20% level and continued motor pump operation in AUTO.
Reactor Trip without Safety Injection - Immediate operator actions include checking for an adequate heat sink by verifying steam dump valves open and, if main feedwater is lost, checking the AFWS pumps started. The subsequent actions bring the AFWS on line if not already running and verify correct operation by status lights, AFWS pressures and flows, and LCVs in AUTO above 33% level.
Loss of Condenser Vacuum - Lists the start of both motor driven AFWS pumps as automatic actions. Immediate operator actions include verifying that all automatic actions have occurred. A subsequent action is to control AFWS flow to each steam generator to prevent excessive cooldown and/or water hammer.
Control Room Inaccessibility - AFWS pumps are checked running and are used to control steam generator levels at 33% as subsequent actions after the operator has moved to the hot shutdown panel.
Loss of a Reactor Coolant Pump - The immediate and subsequent operator actions fall into two cases, with and without reactor trip. Only the reactor trip case is of interest. The first immediate action is to follow the trip procedure, but this action is followed by a series of additional immediate and subsequent actions much less detailed than in the reactor trip procedure. The only reference to the AFWS is a subsequent action to regulate steam generator levels by use of the auxiliary feedwater pumps.
Loss of Feedwater Flow - Lists the start of the motor driven AFWS pumps as an automatic action along with the possible start of the turbine pump. The immediate operator actions include checking that the reactor has tripped (the reactor trip procedure is not mentioned), checking that the motor driven pumps have started, checking the valves open and flow into the steam generators. Also, under ATWS, the turbine pump is started, valves are checked open, and flow into the steam generators is verified. The subsequent actions call for maintenance of steam generator levels using AFWS pumps and checking the turbine pump started should low-low level occur in any two steam generators.
The emergency procedures are undergoing revision at this time. Most have been altered and most correct the concerns cited above. The new procedures are expected to be approved within the next few months. A new Emergency Operating Procedure, OP-0 Reactor Trip with Safety Injection, has been written. This procedure is a general diagnostic which directs the operator to other procedures for subsequent actions. It mentions a check on the AFW pump flows and other general procedures that are to be followed. It consolidates the others into a more cohesive package and avoids many of the previous inconsistencies.
3.3 SCOPE
The Diablo Canyon auxiliary feedwater system is analyzed as presently designed and as maintained and operated under the procedures presently expected to be in effect when operations begin, with two exceptions. First, the AFWS turbine steam isolation valve, FCV-95, will be powered by DC rather than the existing AC arrangement. The DC power modification is included in this analysis. Second, direct valve position (% open) for motor pump train LCVs will be installed.
Two sets of data are used in separate quantifications. The NRC point estimate data from NUREG-0611 is identified here as NRC DATA. Data most applicable to the Diablo Canyon AFWS and including uncertainty has been identified as Plant-Specific Data. The three specific cases described in NUREG-0611 are analyzed:
1. LMFW - transient initiated by interruption of the main feedwater system (reactor trip occurs) and offsite AC power remains available.
2. LMFW/LOOP - transient initiated by loss of offsite AC power and reactor trip occurs (main feedwater system is interrupted by the loss of offsite power). Onsite emergency AC power sources are treated probabilistically.
3. LMFW/only DC power available - transient is initiated as in item 2 above, but onsite emergency AC power sources are unavailable.
The boundary of the analysis is pictured in Figure 6. The turbine steam supply from the steam generators and all of the auxiliary feedwater system components are included directly in the analysis. The water supplies themselves are not analyzed in detail. However, the piping systems and valves that deliver water to the auxiliary feedwater system are included. Electrical power supplies are outside the boundary of the analysis and are considered as discussed in Cases 1, 2, and 3 above. The AFWS actuation signal is outside the boundary of the analysis. The analysis is conducted conditional on the presence of an AFWS actuation signal. Finally, some human interactions are included within the analysis and some are outside the boundary. Within the boundaries the human interaction through test and maintenance as well as operator response to system failure on demand are considered.
[FIGURE 6. BOUNDARY OF ANALYSIS. Diagram labels: WATER SUPPLY; POWER SUPPLY; SG; AUXILIARY FEEDWATER SYSTEM; HUMAN INTERACTION; AFWS ACTUATION SIGNAL.]
4. METHODOLOGY
The approach taken in this study is to separate the reliability problem into two logically distinct modules--determination of minimal cutsets of equipment failure modes and determination of cause sets, i.e., causes that can bring about failures of the equipment cutsets.
The first step is to develop a detailed fault tree of the system. That tree is developed down to the level of basic component failure modes, such as "valve FCV-95 fails to open." Thus when the minimal cutsets of this fault tree are determined, they represent groups of equipment functional failure modes that must occur together if the system is to fail. Those cutsets are characteristic of the system hardware alone.
A simplified fault tree for the Diablo Canyon AFWS is shown in Figure 7. The TOP event "NOIF (No Or Insufficient Flow To At Least One Steam Generator)" can only occur as a result of NOIF to all four steam generators. NOIF to each steam generator can only occur if there is NOIF from the motor pump section AND from the turbine pump section. NOIF from a pump section can only occur on NOIF from all water sources or failures within the pump section. The detailed fault tree is shown in Appendix A.
The second step is to tabulate the possible causes for each failure mode. A single equipment functional failure mode may be caused by random independent faults, test and maintenance, common or independent human interactions, common environmental conditions such as high temperature or flooding, aging, etc. Entire cutsets may fail due to any single cause or coincident combinations of causes.
The cause tree for the Diablo Canyon AFWS, Figure 8, lays out the overall solution approach of this report. NOIF to at least one steam generator can only occur if one or more failure mode cutsets are failed. Such failures must be caused by
Nonrecoverable Random Failures
OR
Independent Human Errors
OR
Test and Maintenance in Conjunction With Other Causes
OR
Common Cause Failures
OR
Other Failure Causes.
[FIGURE 7. SIMPLIFIED FAULT TREE. Node labels: NOIF to at least one steam generator; NOIF to SG 1, SG 2, SG 3, SG 4; NOIF to SG; NOIF from motor driven pump section; NOIF from turbine driven pump section; NOIF from pump section; NOIF to pump section; NOIF through pump section; NOIF from condensate storage tank; NOIF from firewater tank system; NOIF from raw water system. NOIF = No Or Insufficient Flow.]
[FIGURE 8. CAUSE TREE FOR THE DIABLO CANYON AUXILIARY FEEDWATER SYSTEM. Node labels: NOIF to at least one steam generator; common cause; nonrecoverable random failures; test and maintenance; other; independent human errors; environmental failures; aging failures; test and maintenance on turbine driven pump train; test and maintenance on either motor driven pump train; human action; human inaction; human failures; other system failure (excluding turbine train test and maintenance); turbine pump train test and maintenance; system failure (excluding motor train test and maintenance); motor pump train test and maintenance; human failure to recover; recoverable failures.]
Note that a recoverable random failure does not cause system failure unless the operator fails to take successful action to recover from the failure. Recoverable failures are those that can be corrected before some time criterion is exceeded. For example, the AFWS is successful if operation occurs within 30 minutes of demand. However, on failure of suction supply, all the pumps will fail due to cavitation damage if they are not stopped within 5 minutes. Other combinations of failure causes were examined for the AFWS, but only those listed in Figure 8 made substantial contributions to system unavailability.
The most important cutsets (with respect to random independent failures) are listed in Table 4. Random failures of some of the basic events are recoverable and must be combined with human error probabilities before final quantification. Table 4 is basic to the analysis that follows. For example, when the test and maintenance cause is introduced into, say, the turbine pump train, the turbine pump train failure modes are activated. Then the remaining cutset elements identify the other failures that must occur to cause system failure. Details of the analysis and results are given in the following sections.
TABLE 4. DOMINANT RANDOM FAILURE CUTSETS FOR DIABLO CANYON AFWS (Recoverable and Nonrecoverable Failures)
TABLE 4.A.1. Loss of Main Feedwater - NRC Data - Failure to Start on Demand
Rank  Cutsets   Unavailability  Cutset Importance  Cutset Cumulative Importance
1     PBV1671C  1.0 x 10^-4     99.66              99.66
Basic Events
Rank  Basic Event  Description                                          Unavailability  Importance
1     PBV1671C     Butterfly valve 1671 CST plugs or transfers closed.  1.0 x 10^-4     99.66
TABLE 4 (continued). DOMINANT RANDOM FAILURE CUTSETS FOR DIABLO CANYON AFWS
TABLE 4.A.2. Loss of Main Feedwater - Plant-Specific Data - Failure to Start on Demand
Rank  Cutsets                       Unavailability  Cutset Importance  Cutset Cumulative Importance
1     PBV1671C                      5.20 x 10^-5    98.48              98.48
2     PPM01-2N, PPMTURBN, PPM01-3N  2.16 x 10^-7    0.41               98.89
3     PPM01-2N, PTBCTRLS, PPM01-3N  1.80 x 10^-7    0.34               99.23
Basic Events
Rank  Basic Event  Description                                          Unavailability  Importance
1     PBV1671C     Butterfly valve 1671 CST plugs or transfers closed.  5.2 x 10^-5     98.48
2     PPM01-3N     Motor driven pump 1-3 fails to operate.              6.0 x 10^-3     1.19
3     PPM01-2N     Motor driven pump 1-2 fails to operate.              6.0 x 10^-3     1.19
4     PPMTURBN     Turbine driven pump fails to operate.                6.0 x 10^-3     0.67
5     PTBCTRLS     Turbine controls or turbine fail.                    5.0 x 10^-3     0.56
TABLE 4 (continued). DOMINANT RANDOM FAILURE CUTSETS FOR DIABLO CANYON AFWS
TABLE 4.B.1. Loss of Offsite Power - NRC Data - Failure to Start on Demand
Rank  Cutsets                       Unavailability  Cutset Importance  Cutset Cumulative Importance
1     PBV1671C                      1 x 10^-4       85.08              85.08
2     PETAC4HS, PTBCTRLS, PETAC4FS  5.5 x 10^-6     4.66               89.74
3     PETAC4HS, PM00095S, PETAC4FS  2.7 x 10^-6     2.33               92.07
Basic Events
Rank  Basic Event  Description                                          Unavailability  Importance
1     PBV1671C     Butterfly valve 1671 CST plugs or transfers closed.  1 x 10^-4       85.08
2     PETAC4FS     Electric train (with Bus 4160F) has no output.       3.7 x 10^-2     12.98
3     PETAC4HS     Electric train (with Bus 4160H) has no output.       3.7 x 10^-2     12.98
4     PTBCTRLS     Turbine controls or turbine fail.                    4.0 x 10^-3     6.15
5     PM00095S     Motor operator FCV-95 fails to operate.              2.0 x 10^-3     3.07
TABLE 4 (continued). DOMINANT RANDOM FAILURE CUTSETS FOR DIABLO CANYON AFWS
TABLE 4.B.2. Loss of Offsite Power - Plant-Specific Data - Failure to Start on Demand
Rank  Cutsets                       Unavailability  Cutset Importance  Cutset Cumulative Importance
1     PBV1671C                      5.2 x 10^-5     65.87              65.87
2     PETAC4HS, PPMTURBN, PETAC4FS  8.2 x 10^-6     10.40              76.27
3     PETAC4HS, PTBCTRLS, PETAC4FS  6.8 x 10^-6     8.67               84.94
4     PETAC4HS, PM00095S, PETAC4FS  1.6 x 10^-6     2.03               86.97
5     PETAC4HS, PPMTURBN, PPM01-3N  1.3 x 10^-6     1.69               88.66
6     PPM01-2N, PPMTURBN, PETAC4FS  1.3 x 10^-6     1.69               90.35
7     PETAC4HS, PTBCTRLS, PPM01-3N  1.1 x 10^-6     1.41               91.76
8     PPM01-2N, PTBCTRLS, PETAC4FS  1.1 x 10^-6     1.41               93.17
Basic Events
Rank  Basic Event  Description                                          Unavailability  Importance
1     PBV1671C     Butterfly valve 1671 CST plugs or transfers closed.  5.2 x 10^-5     65.87
2     PETAC4FS     Electric train (with Bus 4160F) has no output.       3.7 x 10^-2     28.41
3     PETAC4HS     Electric train (with Bus 4160H) has no output.       3.7 x 10^-2     28.41
4     PPMTURBN     Turbine pump fails to operate.                       6.0 x 10^-3     15.01
5     PTBCTRLS     Turbine controls or turbine fail.                    5.0 x 10^-3     12.51
6     PPM01-3N     Motor driven pump 1-3 fails to operate.              6.0 x 10^-3     4.61
7     PPM01-2N     Motor driven pump 1-2 fails to operate.              6.0 x 10^-3     4.61
8     PM00095S     Motor operator FCV-95 fails to operate.              1.17 x 10^-3    2.43
TABLE 4 (continued). DOMINANT RANDOM FAILURE CUTSETS FOR DIABLO CANYON AFWS
TABLE 4.C.1. Loss of All AC - NRC Data - Failure to Start on Demand
Rank  Cutsets   Unavailability  Cutset Importance  Cutset Cumulative Importance
1     PTBCTRLS  4.0 x 10^-3     40.81              40.81
2     PM00095S  2.0 x 10^-3     20.40              61.21
3     PMV0095Q  1.1 x 10^-3     11.22              72.43
4     PPV0039Q  1.1 x 10^-3     11.22              83.65
5     PPMTURBN  1.0 x 10^-3     10.20              93.85
Basic Events
Rank  Basic Event  Description                              Unavailability  Importance
1     PTBCTRLS     Turbine controls or turbine fail.        4.0 x 10^-3     40.81
2     PM00095S     Motor operator FCV-95 fails to operate.  2.0 x 10^-3     20.40
3     PMV0095Q     Motor valve FCV-95 fails closed.         1.1 x 10^-3     11.22
4     PPV0039Q     Motor valve PCV-39 fails closed.         1.1 x 10^-3     11.22
5     PPMTURBN     Turbine pump fails to operate.           1.0 x 10^-3     10.20
TABLE 4 (continued). DOMINANT RANDOM FAILURE CUTSETS FOR DIABLO CANYON AFWS
TABLE 4.C.2. Loss of All AC - Plant-Specific Data - Failure to Start on Demand
Rank  Cutsets   Unavailability  Cutset Importance  Cutset Cumulative Importance
1     PPMTURBN  6.0 x 10^-3     43.81              43.81
2     PTBCTRLS  5.0 x 10^-3     36.51              80.32
3     PM00095S  1.17 x 10^-3    8.54               88.86
4     PPV0039Q  7.58 x 10^-4    5.53               94.39
Basic Events
Rank  Basic Event  Description                              Unavailability  Importance
1     PPMTURBN     Turbine pump fails to operate.           6.0 x 10^-3     43.81
2     PTBCTRLS     Turbine controls or turbine fail.        5.0 x 10^-3     36.51
3     PM00095S     Motor operator FCV-95 fails to operate.  1.17 x 10^-3    8.54
4     PPV0039Q     Pressure valve PCV-39 fails closed.      7.58 x 10^-3    5.53
5. SYSTEM ANALYSIS
5.1 SYSTEM MODELS
5.1.1 System Fault Tree
A fault tree was constructed to model the failures that must occur to prevent successful system operation. The top event is defined as no or insufficient flow to at least one steam generator. Sufficient flow is defined as the flow from at least one pump train delivered to at least one steam generator. The simplified fault tree of Figure 7 (Chapter 4) shows that for the system to fail we must fail to deliver sufficient flow to each of the four steam generators. In each case this requires that there is no or insufficient flow through the steam generator inlet valve section or that there is no or insufficient flow delivered to that section. Secondly, we must have no or insufficient flow from either motor driven pump (i.e., both must fail) and no or insufficient flow from the turbine driven pump. Finally, there is no water from any of the three potential water sources. This complete fault tree model is presented in Appendix A where the system is modeled down to the level of major components. Included were the pumps, valves, electrical supply, motor operators, and turbine and control mechanisms. Not modeled were drain lines, drain valves, piping, and connected lines which are small in size, i.e., system components whose failure rates are very low compared to the ones included in the model. The AFWS is modeled from the water sources to the steam generators. Electrically, it is modeled from the bus to the system. The crossties between the motor driven pumps have minimal effect on system performance in the emergency mode. Because their failure would not be a significant contributor to unavailability and because their elimination greatly simplifies the fault tree logic, the crossties are not modeled in the fault tree.
The priority of water supplies is: a) the Condensate Storage Tank; b) the Firewater Storage Tank; c) the Raw Water Storage Tanks.
NUREG-0611 cases 1 and 2--the loss of main feedwater and the loss of offsite power--are identical as far as the number of cutsets. This occurs because the AFWS has not changed. The only difference between these cases is that the electricity is now supplied by diesel generators instead of offsite power sources. Loss of all AC is a much different state, however. All AC powered components are failed and the system becomes much more vulnerable to lower order cutsets, as is borne out by the following table.
ScenarioCutset Order
2 3
Loss of Main Feedwater
Loss of Offsite Power
Loss of All AC 13
2 784
2 784
All of the cutsets that contributed a significant unavailability were calculated. No higher order cutset could have individually contributed any significant unavailability because any contribution of a 4-event cutset would be less than 0.6% of a maximum 3-event cutset.
5.1.2 Computer Programs
The computer programs that are used by Pickard, Lowe and Garrick, Inc., to process information in system reliability analyses are in the public domain and are available through the Argonne Code Center. The codes are the most current versions of computer packages that have been in use for many years. Most of the computer programs were used in support of the Reactor Safety Study, WASH-1400, and have been modified as developments are made to reduce computer cost or improve output presentations. The computer programs used on this project are RAS,[12] COMCANII-A,[13] and MOCARS.[14]
Reliability analysis system, RAS, is a combination of codes that do qualitative and quantitative fault tree analysis. FATRAM (method of obtaining cutsets), KITT (kinetic tree theory), and COMCAN (common cause failure analysis) are the core elements for RAS. FATRAM is known as a "top down" method for determining cutsets or pathsets for a fault tree. The tree top is developed for its inputs until it is resolved to the basic events in the model. The super sets are then eliminated leaving the minimal cutsets. Kinetic tree theory is the methodology used next to predict the system reliability characteristics (quantitatively) from the cutsets developed by FATRAM. These codes use the rare event approximation in quantifying reliability.
RAS also includes the COMCAN routines necessary to perform a common cause failure analysis on fault trees. This common cause analysis uses the minimal cutsets as input to the algorithm. Searches are then carried out through other libraries of information supplied to the routines by the user to identify those cutsets that have a single cause of failure for each component.
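The top-down cutset resolution, superset elimination, and rare event quantification described above can be followed on a small tree. The code below is an added example, not the RAS, FATRAM, or KITT code and not the Appendix A fault tree: the gate names and the reduced tree are assumptions made for illustration, while the basic-event codes and unavailabilities are the plant-specific values of Table 4.A.2.

```python
from math import prod

# Reduced AFWS fault tree constructed for this example (NOT the Appendix A tree).
# Gate names are hypothetical. The CST butterfly valve PBV1671C is treated as the
# only suction path, so it appears under both pump sections and produces
# non-minimal rows for the superset-elimination step to remove.
GATES = {
    "TOP": ("AND", ["MOTOR_SECTION", "TURBINE_SECTION"]),
    "MOTOR_SECTION": ("OR", ["PBV1671C", "BOTH_MOTOR_PUMPS"]),
    "BOTH_MOTOR_PUMPS": ("AND", ["PPM01-2N", "PPM01-3N"]),
    "TURBINE_SECTION": ("OR", ["PBV1671C", "PPMTURBN", "PTBCTRLS"]),
}

# Basic-event unavailabilities from Table 4.A.2 (plant-specific data).
UNAVAILABILITY = {
    "PBV1671C": 5.2e-5,
    "PPM01-2N": 6.0e-3,
    "PPM01-3N": 6.0e-3,
    "PPMTURBN": 6.0e-3,
    "PTBCTRLS": 5.0e-3,
}


def top_down_cutsets(top="TOP"):
    """Resolve the top gate downward until every row holds only basic events."""
    pending = [frozenset([top])]
    resolved = []
    while pending:
        row = pending.pop()
        gate = next((e for e in sorted(row) if e in GATES), None)
        if gate is None:                 # only basic events left in this row
            resolved.append(row)
            continue
        kind, inputs = GATES[gate]
        rest = row - {gate}
        if kind == "AND":                # AND gate: all inputs join the same row
            pending.append(rest | frozenset(inputs))
        else:                            # OR gate: one new row per input
            pending.extend(rest | frozenset([i]) for i in inputs)
    return resolved


def minimize(cutsets):
    """Drop every row that is a superset of a smaller (or equal) cutset."""
    minimal = []
    for candidate in sorted(set(cutsets), key=len):
        if not any(kept <= candidate for kept in minimal):
            minimal.append(candidate)
    return minimal


def quantify(minimal):
    """Rare event approximation: system unavailability ~ sum of cutset products."""
    q = {c: prod(UNAVAILABILITY[e] for e in c) for c in minimal}
    total = sum(q.values())
    ranked = sorted(q.items(), key=lambda kv: kv[1], reverse=True)
    # Importance here is relative to this reduced tree only; Table 4.A.2 is
    # computed from the full model, which has additional low-ranked cutsets.
    return total, [(sorted(c), p, 100.0 * p / total) for c, p in ranked]


if __name__ == "__main__":
    rows = top_down_cutsets()
    total, ranked = quantify(minimize(rows))
    print(f"{len(rows)} rows before superset elimination")
    for events, p, importance in ranked:
        print(f"{', '.join(events):32s} {p:.2e} {importance:6.2f}%")
    print(f"system unavailability (rare event approx.) = {total:.3e}")
```

The three minimal cutsets and their unavailabilities reproduce the first three rows of Table 4.A.2.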
COMCANII-A
The II-A version of COMCAN presently stands separately from RAS. Incorporation is forthcoming. A principal advantage of COMCANII-A is that it allows the common cause analysis to be completed on a much larger tree without the need for "pruning" and analysis of each pruned branch.
MOCARS
The Monte Carlo sampling program, MOCARS, is a marked improvement over SAMPLE which was used in the Reactor Safety Study. MOCARS readily accepts the cutsets as they are prepared in RAS. A Monte Carlo routine is then used to determine the distribution for the reliability characteristic in question. Improvements in MOCARS make it readily usable for applications other than fault tree analysis.
5.1.3 Data
Tables 5 and 6 index equipment manufacturers and plant locations. This information is used later in component tabulations.
NRC Data
The data used for the point estimate quantification as requested by the NRC is taken from Appendix 3 of NUREG-0611.[11] The source for that data was primarily WASH-1400.[15] In some cases such generic data misrepresents equipment actually installed in a specific plant. Using point estimates masks the plant-to-plant variability as the primary source of uncertainty in the data as used in WASH-1400. A complete listing of this data source is provided in Appendix B. Additional information including fault tree coding, location, and manufacturer is in Table 7.
Generic and Plant-Specific Data
A plant specific data book for Diablo Canyon is provided in Appendix B. Here the best available data to describe the specific equipment in place at Diablo Canyon is presented. It is based upon generic data that includes a wide uncertainty band to account for plant-to-plant variability and where sufficient Diablo Canyon specific data is available those generic distributions have been updated to account for the specific equipment and practices in place at Diablo Canyon. The data was summarized along with fault tree coding, location, and manufacturer information in Table 8.
5.2 RANDOM FAILURES
Random system failures reflect the system malfunctions that occur as a result of random component failures. The coincidental failure of each component in an AFWS cutset results in a system random failure. These random failures can be divided into two types, nonrecoverable and recoverable. This situation does not include, and should be differentiated from, test and maintenance, common cause, and independent human errors.
TABLE 5. TABLE OF MANUFACTURERS
Company Code
A & M
Allis Chalmers AC
Armco
Byron Jackson
Continental
Control Components, Inc.
Federal Pacific
Fisher (combined for analysis with Woodward)
General Electric
Honeywell
ITT General Controls
James B. Clow
Limitorque
Louis Allis
BJ
CC
GE
JBC
LQ
LA
Lunkenheimer
Mission
Pacific Gas and Electric Company
Pittsburgh - Des Moines
Velan
Westinghouse
Woodward (combined for analysis with Fisher)
PGE
PD
Unknown (Blank)
TABLE 6. TABLE OF EQUIPMENT LOCATIONS AT DIABLO CANYON
Location Code
Electrical Location
Large Room Near Pumps
Motor Driven Pump Room
Outside
Condensate Storage Tank Room
Secondary Water Valve Room
Turbine Driven Pump Room
LORF
STRF
SWVF
TPRF
TABLE 7. COMPONENT LIST - NRC DATA*
No.  Components                       Code      Location  Manufacturer  Failure Rate x 10^-6 (per hour)  Repair Time (Hrs)
1.   AC Electric Train F (480 VAC)    PETAC1FS  ELEF      W             14
2.   AC Electric Train G (480 VAC)    PETAC1GS  ELEF      W             14
3.   AC Electric Train H (480 VAC)    PETAC1HS  ELEF      W             14
4.   AC Electric Train F (4160 VAC)   PETAC4FS  ELEF      GE            30
5.   AC Electric Train H (4160 VAC)   PETAC4HS  ELEF      GE            30
6.   DC Electric Train F (125 VDC)    PETDC1FS  ELEF      FP            1.2
7.   DC Electric Train H (125 VDC)    PETDC1HS  ELEF      FP            1.2
8.   DC Electric Train G (125 VDC)    PETDC1GS  ELEF      FP            1.2
No.  Components                       Code      Location  Manufacturer  Failure On Demand
9.   Butterfly Valve 121 (10")        PBV0121C  TPRF      C             1 x 10^-4
10.  Butterfly Valve 124 (10")        PBV0124C  TPRF      C             1 x 10^-4
11.  Butterfly Valve 159 (6")         PBV0159C  MPRF      C             1 x 10^-4
12.  Butterfly Valve 162 (6")         PBV0162C  MPRF      C             1 x 10^-4
13.  Butterfly Valve 180 (6")         PBV0180C  MPRF      C             1 x 10^-4
14.  Butterfly Valve 183 (6")         PBV0183C  MPRF      C             1 x 10^-4
15.  Butterfly Valve 280 (8")         PBV0280C  SWVF      AC            1 x 10^-4
16.  Butterfly Valve 1-297 (8")       PBV1297C  TPRF      AC            1 x 10^-4
17.  Butterfly Valve 1-671 (10")      PBV1671C  STRF      C             1 x 10^-4
18.  Check Valve Near FCV-438 (16")   6CV0438X  LORF      A             1 x 10^-4
19.  Check Valve Near FCV-439 (16")   6CV0439X  LORF      A             1 x 10^-4
20.  Check Valve Near FCV-440 (16")   6CV0440X  LORF      A             1 x 10^-4
21.  Check Valve Near FCV-441 (16")   6CV0441X  LORF      A             1 x 10^-4
22.  Check Valve Near Valve 121 (10") PCV0121Q  TPRF      M             1 x 10^-4
23.  Check Valve Near Valve 135 (4")  PCV0135Q  TPRF      V             1 x 10^-4
24.  Check Valve Near Valve 137 (3")  PCV0137Q  OUTF      V             1 x 10^-4
*Additional details are provided in Appendix B.
TABLE 7. COMPONENT LIST - NRC DATA* (continued)
No.  Components                                               Code      Location  Manufacturer  Failure On Demand
25.  Check Valve Near Valve 140 (3")                          PCV0140Q  OUTF      V             1 x 10^-4
26.  Check Valve Near Valve 142 (3")                          PCV0142Q  OUTF      V             1 x 10^-4
27.  Check Valve Near Valve 147 (3")                          PCV0147Q  OUTF      V             1 x 10^-4
28.  Check Valve Near Valve 151 (3")                          PCV0151Q  LORF      V             1 x 10^-4
29.  Check Valve Near Valve 153 (3")                          PCV0153Q  LORF      V             1 x 10^-4
30.  Check Valve Near Valve 155 (3")                          PCV0155Q  LORF      V             1 x 10^-4
31.  Check Valve Near Valve 157 (3")                          PCV0157Q  LORF      V             1 x 10^-4
32.  Check Valve Near Valve 159 (6")                          PCV0159Q  MPRF      M             1 x 10^-4
33.  Check Valve Near Valve 169 (4")                          PCV0169Q  MPRF      V             1 x 10^-4
34.  Check Valve Near Valve 171 (3")                          PCV0171Q  OUTF      V             1 x 10^-4
35.  Check Valve Near Valve 176 (3")                          PCV0176Q  OUTF      V             1 x 10^-4
36.  Check Valve Near Valve 180 (6")                          PCV0180Q  MPRF      M             1 x 10^-4
37.  Check Valve Near Valve 190 (4")                          PCV0190Q  MPRF      V             1 x 10^-4
38.  Check Valve Near Valve 196 (3")                          PCV0196Q  LORF      V             1 x 10^-4
39.  Check Valve Near Valve 198 (3")                          PCV0198Q  LORF      V             1 x 10^-4
40.  Check Valve Near FCV-436 (8")                            PCV0436Q  TPRF      M             1 x 10^-4
41.  Check Valve Near FCV-437 (8")                            PCV0437Q  MPRF      M             1 x 10^-4
42.  Check Valve Between Steam Generator 2 and Turbine Pump   PCVOSG2Q  OUTF                    1 x 10^-4
43.  Check Valve Between Steam Generator 3 and Turbine Pump   PCVOSG3Q  LORF                    1 x 10^-4
44.  Strainer 97                                              PFL0097H  SWVF                    1 x 10^-8
45.  Intake Gate 263                                          PIG0263C  OUTF                    1 x 10^-4
46.  Intake Gate 264                                          PIG0264Q  OUTF                    1 x 10^-4
47.  Motor Operator for FCV-95                                PM00095S  LORF                    2 x 10^-3
TABLE 7. COMPONENT LIST - NRC DATA* (continued)
Components Code Location Manufacturer Failure On Demand
48.49 ~
5051.5253.54.55.56.57.58.59.60.61.62.63.64.65.66.6768.69.70.71.7273.
Motor Operator for LCV-110Motor Operator for LCV-illMotor Operator for LCV-113Motor Operator for LCV-115Motor Operator for FCV-436Motor Operator for FCV-437Motor Operator for Pump 1-2Motor Operator for Pump 1-3Motor Operated Valve FCV-37Motor Operated Valve FCV-38Motor Operated Valve FCV-95Motor Operated Valve MOV-106Motor Operated Valve MOV-107Motor Operated Valve MOV-108Motor Operated Valve MOV-109Motor Operated Valve LCV-110Motor Operated Valve LCV-illMotor Operated Valve LCV-113Motor Operated Valve LCV-115Motor Operated Valve FCV-436Motor Operated Valve FCV-437Motor Driven Pump 1-2Motor Driven Pump 1-3Turbine PumpPressure Valve 39Turbine Pump Controls & Turbine
PM00110SPM00111SPM00113SPM00115SPM00436SPM00437SPM001-2SPM001-3SPMV0037CPMV0038CPMV0095QPMV0106CPMV0107CPMV0108CPMV0109CPLV0110SPLV0111SPLV0113SPLV0115SPMV0436QPMV0437QPPM01-2NPPM01-3NPPMTURBN
PPV0039QPTBCTRLS
OUTFOUTFLORFLORFTPRPHPRPMPRFMPRF
OUTFLORFLORFOUTFOUTFLORFLORFOUTPOUTFLORPLORFTPRFMPRP
MPRFMPRP
TPRFLORFTPRF
ITTITTITTITTC
C
LALAVVVCC
CC
CC
CC
CC
CC
CC
CC
C
C
BJBJBJH
WWP
1.1 xlx1 x11
1.11.11.11.1
1 x1 x
1.14
10 3
1010 3
101010 3
10 3
1010 4
10 4
10 3
10 4
10 4
10 4
10 4
1010 3
10 3
10 3
10 3
10 3
101010 3
10 3
10 3
TABLE 7. COMPONENT LIST - NRC DATA* (continued)
Components Code Location Manufacturer Failure On Demand
74.75.76.
77.78.79.80.81.82.83.84.85.86.87.88.89.90
'1.
92.93.94.95.96.97.98.99.
100
'ondensateFire WaterRaw Water RTanksGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate ValveGate Valve
135137140142147151153155157169171176190196198268269272273283284FlF2F3
Storage TankTankseservoir Storage
5TKOOOOLPTKFIREL
PTKRAWNLPXV0135CPXV0137CPXV0140CPXV0142CPXV0147CPXV0151CPXV0153CPXV0155CPXV0157CPXV0169CPXV0171CPXV0176CPXV0190CPXV0196CPXV0198CPXV0268CPXV0269CPXV0272QPXV0273CPXV0283CPXV0284CPXVOOFlcPXVOOF2QPXVOOF3Q
STRFOUTF
OUTFTPRFOUTFOUTFOUTFOUTFLORFLORFLORFLORFMPRFOUTFOUTFMPRF
LORFLORFOUTFOUTFOUTFOUTFSWVF
SWVFOUTFOUTFOUTF
PDPD
PGE
VVVVVVVVVVVVVVVJBCJBC
LLLCC
1 x1 x1 x1 x1 x1 x1 'x
1 x1 x1 x1 x1 x1 x1 x1 x1 x1 x1 x1 x1 x1 x1 x1 x1 x1 x
10-810-8
10-810 4
10 4
10 4
10 4
10 4
10 4
10 4
10-410 4
10 4
10 4
10 4
10 4
10 4
10 4
10 4
10 4
10 4
10 4
10 4
10 3
10 4
10 3
10
TABLE 8. COMPONENT LIST - PLANT SPECIFIC DATA*
Components Code Location Manufacturer Failure Rate x 10^-6 (per hour) Repair Time** (Hrs)
l.2 ~
3 ~
4 ~
5.6.7 ~
8.9-
10.11.12.13.14.15.16.17.18.19.20.21.22.23.24
'5.
AC Electric Train F (480 VAC)AC Electric Train G (480 VAC)AC Electric Train H (480 VAC)AC Electric Train F (4160 VAC)AC Electric Train H (4160 VAC)DC Electric Train F (125 VDC)DC Electric Train G (125 VDC)DC Electric Train H (125 VDC)Butterfly Valve 121 (10")Butterfly Valve 124 (10")Butterfly Valve 159 (6")Butterfly Valve 162 (6")Butterfly Valve 180 (6")Butterfly Valve 183 (6")Butterfly Valve 280 (8")Butterfly Valve 1-297 (8")Butterfly Valve 1-671 (10")Strainer 97Intake Gate 263Intake Gate 264Motor Operator for LCV-110Motor Operator for LCV-illMotor Operator for LCV-113Motor Operator for LCV-115Motor Operated Valve FCV-37
PETAC1FSPETAC1GSPETAC1HSPETAC4FSPETAC4HSPETDClFSPETDClGSPETDClHSPBV0121CPBV0124CPBV0159CPBV0162CPBV0180CPBV0183CPBV0280CPBV1297CPBV1671CPFL0097HPIG0263CPIG0264QPM00110SPMO0111SPM00113SPM00115SPMV0037C
ELEFELEFELEFELEFELEFEI EFELEFELEFTPRFTPRFMPRFMPRFMPRFMPRFSWVF
TPRFSTRFSWVF
OUTFOUTFOUTFOUTFLORFLORFOUTF
W
W
W
GE
GE
FPFPFPC
C
C
C
C
C
ACACC
ARM
ARM
ITTITTITTITTV
14 '14 '14.43030ll.2ll.211.2
~ 43~ 43~ 43~ 43.43.43
43.43.43
5.4237
.3720202020
~ 37
8
8
8
8
8
2
2
2168168168168168168372
1095121
28121121273273273273273
*Additional details are provided in Appendix B.**Repair Time is generally dominated by the test interval identified in the technical specifications.
TABLE 8. COMPONENT LIST - PLANT SPECIFIC DATA* (continued)
Components Code Location Manufacturer Failure Rate x 10^-6 (per hour) Repair Time** (Hrs)
26.27.28.29.30.31.32.33
'4.
3536.37.38.39.40.41.42.43.44
'5
'6.
47.48.49.50.
FCV-38LCV-106LCV-107LCV-108LCV-109LCV-110LCV-111LCV-113LCV-115
ank
Motor Operated ValveMotor Operated ValveMotor Operated ValveMotor Operated ValveMotor Operated ValveMotor Operated ValveMotor Operated ValveMotor Operated ValveMotor Operated ValvePressure Valve 39Condensate Storage TFire Water TanksRaw Water ReservoirGate Valve 135Gate Valve 137Gate Valve 140Gate Valve 142Gate Valve 147Gate Valve 151Gate Valve 153Gate Valve 155Gate Valve 157Gate Valve 169Gate Valve 171Gate Valve 176
PMV0038CPMV0106CPMV0107CPMV0108CPMV0109CPLV0110SPLV0111SPLV0113SPLV0115SPPV0039Q5TKOOOOLPTKFIRELPTKRAWNLPXV0135CPXV0137CPXV0140CPXV0142CPXV0147CPXV0151CPXV0153CPXV0155CPXV0157CPXV0169CPXV0171CPXV0176C
LORFOUTFOUTFLORFLORFOUTFOUTFLORFLORFLORFSTRFOUTFOUTFTPRFOUTFOUTFOUTFOUTFLORF
LORF'ORF
LORFMPRFOUTFOUTF
VCCCC
CCCC
CC
CC
CCCC
H
PDPD
PGE
VVVVVVVVVVVV
~ 37~ 37-373737
.37
.37
.3737
2. 775.0001F 00010001
~ 37~ 37~ 37~ 37~ 37.37~ 37-37.37.37.37.37
730730730730730273273273273273
4
4
4
730730273730273730273730273273'273273
TABLE 8. COMPONENT LIST — PLANT SPECIFIC DATA* (continued)
Components | Code | Location | Manufacturer | Failure Rate x 10^-6 (per hour) | Repair Time** (Hrs)
51. Gate Valve 19052. Gate Valve 19653. Gate Valve 19854. Gate Valve 26855. Gate Valve 26956. Gate Valve 27257. Gate Valve 27358. Gate Valve 28359. Gate Valve 28460. Gate Valve Fl61. Gate Valve F262. Gate Valve F3
PXV0190CPXV0196CPXV0198CPXV0268CPXV0269CPXV0272QPXV0273CPXV0283CPXV0284CPXVOOFlcPXVOOF2Q
PXVOOF3Q
MPRFLORFLORFOUTFOUTFOUTFOUTFSWVF
SWVF
OUTFOUTFOUTF
VVVJBCJBC
37~ 37~ 37~ 37.3737
~ 37.37~ 37-37.37.37
273273273
109510951095109510951095109510951095
Failure on Demand
63. Check Valve64. Check Valve65. Check Valve66. Check Valve67. Check Valve68. Check Valve69. Check Valve70. Check Valve
NearNearNearNearNearNearNearNear
FCV-438 (16")FCV-439 (16")FCV-440 (16")FCV-441 (16")Valve 121 (10")Valve 135 (4")Valve 137 (3")Valve 140 (3")
6CV0438X6CV0439X6CV0440X6CV0441XPCV0121QPCV0135QPCV0137QPCV0140Q
LORFLORFLORFLORFTPRFTPRFOUTFOUTF
AAAAM
VVV
.0001
.0001
.0001-0001.0001-0001.0001.0001
TABLE 8. COMPONENT LIST — PLANT SPECIFIC DATA* (continued)
Components Code Location Manufacturer Failure on Demand
71.72.73 ~
74.75.76.7778.79.80.81.82.83.84
'5.
86.87.
88.
89.90.91.92.93.94
'5.
Check Valve Near Valve 142 (3")Check Valve Near Valve 147 (3")Check Valve Near Valve 151 (3")Check Valve Near Valve 153 (3")Check Valve Near Valve 155 (3")Check Valve Near Valve 157 (3")Check Valve Near Valve 159 (6")Check Valve Near Valve 169 (4")Check Valve Near Valve 171 (3")Check Valve Near Valve 176 (3")Check Valve Near Valve 180 (6")Check Valve Near Valve 190 (4")Check Valve Near Valve 196 (3")Check Valve Near Valve 198 (3")Check Valve Near FCV-436 (8")Check Valve Near FCV-437 (8")Check Valve Between Steam
Generator 2 and Turbine PumpCheck Valve Between Steam
Generator 3 and Turbine PumpMotor Operator for FCV-95Motor Operator for FCV-436Motor Operator for FCV-437Motor Operator for Pump 1-2Motor Operator for Pump 1-3Motor Operated Valve FCV-95Motor Operated Valve FCV-436
PCV0142QPCV0147QPCV0151QPCV0153QPCV0155QPCV0157QPCV0159QPCV0169QPCV0171QPCV0176QPCV0180QPCV0190QPCV0196QPCV0198QPCV0436QPCV0437Q
PCVOSG2Q
PCVOSG3QPM00095SPM00436SPM00437SPM001-2SPM001-3SPMV0095QPMV0436Q
OUTFOUTFLORFLORFLORFLORFMPRFMPRFOUTFOUTFMPRFMPRFLORFLORFTPRFTPRF
OUTF
LORFLORFTPRFTPRFMPRF
MPRFLORFTPRF
VVVVVVM
VVVM
VVVM
M
VLQC
C
VC
-0001.0001-0001.0001.0001.0001.00010001
.0001
.0001
.0001
.0001
.0001
.0001+0001.0001
.0001
.0001
.00117
.00470047
.001F 0010001
.0004
TABLE 8. COMPONENT LIST — PLANT SPECIFIC DATA* (continued)
Components Code Location Manufacturer Failure on Demand
96. Motor Operated Valve FCV-43797. Motor Driven Pump 1-298. Motor Driven Pump 1-399. Turbine Pump
100. Turbine Pump Control a Turbine
PMV0437QPPM01-2NPPM01-3NPPMTURBNPTBCTRLS
MPRFMPRF
MPRFTPRFTPRF
C
BJBJBJHHF
0004~ 006.006.006.005
Nonrecoverable random failures for the AFWS are those which cannot be repaired within a specific time frame. The duration of the time frame depends on system demands and component capabilities.
Recoverable failures require action for success when a failure occurs. Section 5.4 on human interaction will elaborate on the subject of recovery by repair of the system.
As a comparison of random failure rate contribution to unavailability, with no recovery, Table 4 lists the dominant cutsets and basic events (component failure modes) for the three study scenarios.
5.3 TEST AND MAINTENANCE
5.3.1 Testing
Testing of the AFWS consists primarily of surveillance testing to satisfy the plant technical specifications and ASME Section XI requirements.
Monthly testing is performed on each AFW pump. For each pump test the level control valves in the pump discharge lines are closed and the pump is started manually (from the Control Room or the Hot Shutdown Panel). Each pump is then run for at least five minutes to allow for stabilization of the system. Required pump data is then taken and recorded. After pump data has been taken, each level control valve in the pump discharge is sequentially cracked open to verify the associated flowpath operability. The AFW pump under test is then stopped and the level control valves are opened fully. Successful completion of the pump monthly test requires that the AFW pump develop minimum differential pressure on recirculation flow, and that the associated level control valves and flowpath to the steam generator are operable. The pump tests are performed sequentially. During the test, if the AFWS is required to operate, the operator must restore the level control valves to automatic.
Every eighteen months the automatic starting circuits of the AFW pumps are tested. Satisfactory completion of this test requires that the AFW pump start upon receipt of a simulated automatic start signal.
All valves in the flowpath that are not locked, sealed, or otherwise secured in position are verified to be in the correct position monthly. This test does not require valve cycling.
The condensate storage tank (CST) is checked operable every 12 hours by verifying the volume of water contained in the CST. When the firewater tank is the source of water to the AFWS, the volume of water contained in the firewater tank is verified every twelve hours.
5.3.2 Maintenance
The plant technical specifications limit the amount of time an auxiliary feedwater pump or auxiliary feedwater pump train may be out of service to 72 hours and limit the out of service time for the condensate storage tank to 4 hours without the firewater tank and 7 days with the firewater tank.
All system components were reviewed for possible contribution to maintenance unavailability. Generic data was reviewed in conjunction with this component review to identify prevalent failure modes and the effect of the associated maintenance on system operation. The following is a brief discussion of the results of this review.
Hardware Failures (Mechanical Components)
Packing replacement and adjustment is the dominant cause of maintenance on valves. In most cases, this maintenance can be performed with the valve in the correct position for system operation (fully open or fully closed). Valve repairs requiring disassembly of the valve, although not frequently occurring, may have a major impact on system availability due to system isolation requirements necessary to safely perform this maintenance. Those valves which require full AFWS shutdown in order for repair also require a plant shutdown (per technical specifications) and, therefore, do not contribute to the maintenance unavailability of the AFWS. Those valves requiring maintenance which only need a single AFW pump train to be shut down do contribute to maintenance unavailability of the AFWS. Valves which are periodically cycled, which have a throttling action, or which are in a high energy system are the dominant contributors to this unavailability. The steam supply valve to the turbine driven AFW pump, FCV-95, is the only valve in the system which is periodically cycled, performs a throttling action, and is in a high energy system. FCV-95 maintenance is included in the maintenance unavailability of the turbine driven pump train.
Pump maintenance consists of a range of actions from major disassembly to packing adjustment. For the AFW pumps, most maintenance performed requires isolation of the pump from the system and, therefore, contributes to the maintenance unavailability of the pump train.
The maintenance on large motors ranges from inspection and cleaning to major disassembly. The prevalent failure mode is bearing failure, which requires partial disassembly of the motor. All maintenance of the AFW pump motors contributes to maintenance unavailability and is included in the pump train maintenance unavailability.
Turbine maintenance can range from simple adjustments to major disassembly. A review of Licensee Event Reports from January 1972 to April 1978 revealed only one reported failure of a turbine in an AFWS. This failure was due to a casing steam leak discovered during startup after routine maintenance had been performed. Turbine failure is included in the maintenance contribution to unavailability of the turbine driven pump train.
Electrical Failures (Controls, etc.)
Motor operated valve (MOV) control circuit failures occur with moderate frequency. Repair generally consists of troubleshooting and defective component replacement or adjustment. Only one valve in the AFWS receives an automatic open signal upon system demand, FCV-95. All other MOVs are in the correct position for system operation and failure of the control circuit does not affect system operation. During repair of a MOV control circuit, manual operation of the valve is always available. For these reasons, control circuit failures for MOVs are not included in the maintenance unavailability contribution.
AFW pump motor breakers and control circuits require periodic maintenance and repair. Because the 4160V breakers are interchangeable between 4160V cubicles, and spare breakers are available, major breaker repair is not included in the maintenance unavailability of the motor driven pump trains. All other control and breaker maintenance is included in the unavailability of the motor driven AFW pump trains.
Data
Plant historical records for maintenance actions were available for this analysis; however, because the plant is not yet operating, this data was not used in determining the maintenance unavailability of the different pump trains. Instead, generic values from WASH-1400, the Reactor Safety Study, were used.
From WASH-1400, the expected frequency of pump maintenance is one act every 4.5 months. This maintenance is assumed to include the pump, the driver (turbine or motor), and associated control circuits. The maintenance duration ranged from a few minutes to several days. The plant technical specifications limit this maintenance duration to 72 hours. The lognormal mean maintenance act duration is 19 hours. For FCV-95 the expected frequency of maintenance is also one act every 4.5 months with a duration of several minutes to one day. One day is selected as the limit for maintenance of this valve because of its size, location, and availability of replacement parts. The lognormal mean maintenance act duration for FCV-95 is 7 hours. FCV-95 maintenance contribution is included with the turbine driven AFW pump maintenance unavailability contribution.
Based upon the preceding discussion, Table 9 presents the maintenance unavailability contributions for AFW pump trains.
5.4 HUMAN INTERACTION
5.4.1 Human Inaction
The likelihood of human inaction has been quantified using a delayed exponential model combined with judgmentally assigned histograms on each parameter. The relative frequency that the operator fails to act is modeled by the following equation:
t(5
TABLE 9. PUMP TRAIN MAINTENANCE UNAVAILABILITY (Includes FCV-95)
Pump | Unavailability Calculation
1-3 (motor driven) | 1 act / 4.5 months; 720 hours/month; = 5.86 x 10^-3
1-2 (motor driven) | 1 act / 4.5 months; 720 hours/month; = 5.86 x 10^-3
1-1 (turbine driven) | 1 act / 4.5 months; 720 hours/month; = 5.86 x 10^-3
FCV-95 | 1 act / 4.5 months; 720 hours/month
Turbine Pump Total = 5.86 x 10^-3 + 2.16 x 10^-3 = 8.02 x 10^-3
where
δ = recognition time, i.e., the delay time required for the operator to realize he should take action,
T = mean time for the operator to take action following recognition,
and
t = time since the initiating event.
Thus, the relative frequency that the operator fails to act before time δ is 1. With increasing time after δ, it becomes more likely that the operator takes the correct action. This is represented by the failure frequency decaying exponentially with a mean time of T. Because this model would generate failure frequencies asymptotically approaching zero, modifications would be required to use it for extended time periods. In the present analysis, the times of interest are less than 30 minutes. Distributions have been assigned to both δ and T. They were developed following talks with operators, supervisory personnel, and engineers, and after reviewing operating histories at other plants. The judgments take into account the high stress conditions in the control room during emergencies along with the competing demands for the operators' time. Delay time (δ) has been assigned the following discrete distribution:
Probability | 0.1 | 0.8 | 0.1
δ (minutes) | 0.33 | | 10
For operations that can be carried out within the control room, T_CR has been assigned the following distribution:
Probability | 0.1 | 0.8 | 0.1
T_CR (minutes) | 0.33 | 1.5 | 10
For actions that require sending an operator to a remote location, hasbeen assigned the following distribution:
Probability | 0.1 | 0.8 | 0.1
20
Based on the delayed exponential model for operator action and the above distributions, failure frequency at 5 and 30 minutes following the initiating event have been obtained as follows:
 | Mean | Variance
Actions in Control Room | |
f (5 minutes) | .28 | (.29)^2
f (30 minutes) | .007 | (.02)^2
Actions Outside Control Room | |
f (5 minutes) | .67 | (.17)^2
f (30 minutes) | .044 | (.07)^2
These failure frequency distributions are used in the following analyses to evaluate the probability that an operator takes correct action following a recoverable system failure.
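The delayed exponential model described above (failure frequency 1 until the recognition time, then exponential decay with the mean action time), propagated through the discrete distributions, as an added example that is not part of the original report. The control-room action-time values and the end points of the recognition-time distribution are the ones printed in the text; the middle recognition-time value is illegible in the source and is a labelled placeholder, and independence of the two parameters is assumed.

```python
import math
from itertools import product

# Placeholder (assumption): the middle recognition-time value is illegible
# in the source table, so the results below are not the report's figures.
ASSUMED_MIDDLE_DELTA_MIN = 2.0

# (probability, minutes) pairs for the two model parameters.
DELTA = [(0.1, 0.33), (0.8, ASSUMED_MIDDLE_DELTA_MIN), (0.1, 10.0)]
TAU_CONTROL_ROOM = [(0.1, 0.33), (0.8, 1.5), (0.1, 10.0)]


def failure_frequency(t, delta, tau):
    """Relative frequency that the operator has not acted by time t (minutes)."""
    if t < delta:
        return 1.0  # still inside the recognition delay: no action possible yet
    return math.exp(-(t - delta) / tau)


def moments(t, delta_dist, tau_dist):
    """Mean and variance of failure_frequency(t) over both discrete distributions.

    Assumes the two parameters are independent, so every (delta, tau) pair is
    weighted by the product of its probabilities.
    """
    for dist in (delta_dist, tau_dist):
        if abs(sum(p for p, _ in dist) - 1.0) > 1e-9:
            raise ValueError("probabilities must sum to 1")
    mean = second = 0.0
    for (p_d, delta), (p_t, tau) in product(delta_dist, tau_dist):
        f = failure_frequency(t, delta, tau)
        mean += p_d * p_t * f
        second += p_d * p_t * f * f
    return mean, second - mean * mean


if __name__ == "__main__":
    for minutes in (5, 30):
        mean, var = moments(minutes, DELTA, TAU_CONTROL_ROOM)
        print(f"f({minutes} min): mean={mean:.4f}  std dev={math.sqrt(var):.3f}")
```

The long tail of the distributions dominates both results: at 5 minutes most of the mean comes from the 10-minute recognition time, and at 30 minutes almost all of it comes from the 10-minute mean action time.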
The operator has the capability to recover from a loss of the following components:
1. Turbine Driven Auxiliary Feedwater Pump Trip.
The dominant contributor to turbine driven auxiliary feedwater pump failure to start on demand is a failure of the turbine controls, primarily due to turbine trip on overspeed during startup. The operator may manually reset the overspeed trip, or take control of the turbine driven AFW pump if during a demand this pump did not operate. The frequency of failure for the operator failing to take action within 30 minutes is f = 0.044 mean with 0.005 variance.
2. Failure of Condensate Storage Tank Outlet Valve.
The CST outlet valve, event PBV1671C, is one of the dominant contributors to failure for the cases analyzed. This failure was analyzed in detail to discover possible mitigating plant features. There are two readily available sources of water for the AFWS. In order of preference they are the Firewater Storage Tank and the Raw Water Reservoirs. The Raw Water Reservoirs are normally lined up to the plant service header that supplies the AFWS. This source must be manually isolated and the Fire Water Storage Tank lined up to this header. The control room operators have a low suction pressure alarm for all three AFW pumps in the control room. This alarm provides the operator with indication of the failure of the CST outlet valve or the CST. The operator's action is then to stop the running AFW pumps and order the lineup shifted to the Firewater Storage Tanks. The frequency of failure of the operators to secure the AFWS pumps is 0.282 mean with a variance of 0.084. This must occur within 5 minutes to prevent pump damage. The frequency of failure of the auxiliary plant operator for correctly shifting the AFWS water supply lineup is 0.044 mean with a variance of 0.005. This action must occur within 30 minutes.
3. FCV-95 Failure to Open
FCV-95 is the only motor operated valve in the AFWS which receives an automatic open signal. Failure of this valve to open due to control system failures is recoverable by the auxiliary plant operator within 30 minutes of demand. The frequency of failure of the auxiliary plant operator to open FCV-95 manually within 30 minutes is 0.044 mean with a variance of 0.005.
5.4.2 Human Error/Common Cause
A review of existing plant procedures revealed a possible human error potential for periodic pump testing which occurs monthly. During these tests, the level control valves, LCV-106 through 109 for the turbine driven pump, and LCV 110, 111, 113, and 115 for the motor driven pumps, are closed and the pumps are run in the recirculation mode for a minimum of 15 minutes. At the completion of these tests, the pumps are secured and the level control valves are opened. The human error is the error of failing to open the level control valves after the flow test.
From WASH-1400, the failure per test for the case in which the operator inadvertently leaves a valve in the wrong position is 5 x 10^-4. For more than one valve (coupled errors), the value is 1 x 10^-4. The total failure probability for all level control valves being left in the incorrect position after test is 1 x 10^-4. Given this condition and a demand on the auxiliary feedwater system, the probability of no flow to any steam generator due to LCVs being closed is the probability of the original error, 1 x 10^-4 (RF=10), times the operator error of failure to take action to open any valve from the control room within thirty minutes. This probability is 6.5 x 10^-3 with a variance of 4 x 10^-4. The total contribution for this common cause operator error is therefore 6.5 x 10^-7.
5.5 COMMON CAUSE ANALYSIS
5.5.1 Common Cause Analysis
The method used to perform the common cause failure analysis is based on the system logic model. Qualitative failure characteristics are identified for each basic event. A search is then performed to identify those combinations of basic events that result in system failure and share qualitative failure characteristics. Barriers between components, both physical and administrative, are considered in the analysis. The results of the common cause search are groups of cutsets identified by common failure characteristics and absence of barriers.
There is an extremely large array of failure causes that must be considered in a comprehensive common cause failure analysis. These failure causes have been grouped into two major categories and these two categories have been further subdivided. For each subdivision a generic cause of failure has been identified. The first division is made on the basis of barriers that can be erected to the cause of failure in order to prevent it from failing the entire system. The barriers that exist are either procedural or physical. The failure causes, also called qualitative failure characteristics of the basic event or "susceptibilities", are categorized by criterion based on barriers to the failure cause.
The First Criterion
A qualitative failure characteristic, or a susceptibility, is a common link when physical barriers cannot be erected to prevent the propagation of the failures, and procedural barriers must then be erected. Typical common links used in a common cause analysis are:
Manufacturer
Test/Maintenance
Operator
Motive Power
Instrument Power
Installation
Calibration
Similar Parts
The common links of manufacturer and similar parts were used in this analysis.
The Second Criterion
Causes of failure that can be stopped by physical barriers are identified as susceptibilities. Listings of susceptibilities used in this study are shown in Tables 10, 11, and 12.
The coding of failure sensitivity to causes of failure is given for each generic component type in Table 13. The final information that needs to be coded for the auxiliary feedwater system common cause analysis is the physical location of the basic events. Table 6 defined plant locations and the physical location of each component in the analysis was listed in Tables 7 and 8 earlier in this chapter.
5.5.2 Results of Common Cause Analysis
Cutsets with common susceptibilities were found in only one location. Even though there were hundreds of cutsets generated by the AFWS model, only 9 in the electric trains had a common susceptibility and location; all 9 were three-event cutsets. The others contained basic events that were in different, well separated parts of the system. The 9 common cause candidates for susceptibility were in the instrument room where parts of all of the electric trains come together.
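The common cause search of Section 5.5.1, sketched as an added example that is not the report's own tool. The cutsets, locations, manufacturers and susceptibility library are constructed sample data in the style of the Table 8 event codes, and reading the component type from characters 2 and 3 of an event code is an assumption.

```python
# Generic causes each component type is sensitive to, keyed by a two-letter
# type code. Constructed sample values, not the report's Table 13.
LIBRARY = {
    "ET": {"impact", "temperature", "grit", "vibration", "conducting medium"},
    "CV": {"impact", "vibration"},
    "XV": {"impact", "vibration"},
    "BV": {"impact", "vibration"},
    "PM": {"impact", "temperature", "vibration"},
}

# Basic event -> physical location and manufacturer (constructed sample data).
EVENTS = {
    "PETAC1FS": {"location": "ELEF", "maker": "W"},
    "PETAC1GS": {"location": "ELEF", "maker": "W"},
    "PETAC1HS": {"location": "ELEF", "maker": "W"},
    "PCV0142Q": {"location": "OUTF", "maker": "V"},
    "PCV0147Q": {"location": "LORF", "maker": "V"},
    "PXV0135C": {"location": "TPRF", "maker": "V"},
    "PBV1671C": {"location": "STRF", "maker": "X"},
    "PPM01-2N": {"location": "MPRF", "maker": "BJ"},
}

# Minimal cutsets from a system logic model (constructed sample data).
CUTSETS = [
    {"PETAC1FS", "PETAC1GS", "PETAC1HS"},
    {"PCV0142Q", "PCV0147Q"},
    {"PCV0142Q", "PXV0135C"},
    {"PPM01-2N", "PETAC1FS"},
    {"PBV1671C"},
]


def component_type(event_code):
    """Two-letter type code, assumed to sit at characters 2-3 of the event code."""
    return event_code[1:3]


def common_cause_candidates(cutsets, events, library):
    """Group cutsets by the kind of dependence that could fail every event at once."""
    found = {"susceptibility": [], "manufacturer": [], "similar_parts": []}
    for cutset in cutsets:
        members = tuple(sorted(cutset))
        if len(members) < 2:
            continue  # a single event has nothing to share a cause with
        types = {component_type(e) for e in members}
        locations = {events[e]["location"] for e in members}
        makers = {events[e]["maker"] for e in members}
        shared = set.intersection(
            *(set(library.get(component_type(e), ())) for e in members)
        )
        # Second criterion: a cause that a physical barrier would stop only
        # threatens the whole cutset when no barrier separates the events,
        # i.e. every event sits in the same location.
        if shared and len(locations) == 1:
            found["susceptibility"].append(
                (members, next(iter(locations)), sorted(shared))
            )
        # First criterion: common links act regardless of location.
        if len(makers) == 1:
            found["manufacturer"].append((members, next(iter(makers))))
        if len(types) == 1:
            found["similar_parts"].append((members, next(iter(types))))
    return found


if __name__ == "__main__":
    for kind, hits in common_cause_candidates(CUTSETS, EVENTS, LIBRARY).items():
        print(kind, len(hits))
        for hit in hits:
            print("   ", hit)
```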
TABLE 10. COMMON CAUSE — MECHANICAL OR THERMAL GENERIC CAUSES
Symbol | Generic Cause | Sources
 | Impact | Pipe whip, water hammer, missiles, earthquakes, structural failure
 | Vibration | Rotating machinery
 | Grit | Airborne grit
 | Stress | Thermal stresses and bending moments
 | Temperature | Fire, lightning, welding equipment, cooling system faults, electrical short circuits
 | Freezing | Water freezing
TABLE 11. ELECTRICAL GENERIC CAUSES
Symbol | Generic Cause | Source
 | Conducting medium | Moisture, pipe rupture
 | Out-of-tolerance voltage | Supply malfunction, lightning
 | Out-of-tolerance current | Short circuit, power surge
TABLE 12. CHEMICAL OR MISCELLANEOUS GENERIC CAUSES
Symbol | Generic Cause | Sources
0 | Corrosion | Galvanic or other corrosion
 | Explosion | Explosions, missiles
TABLE 13. SUSCEPTIBILITY LIBRARY
(Based on Tables 10, 11 and 12)
Component Code
Table 10Mechanical or
ThermalCauses
Table llElectrical
Causes
Table 12Chemicalor Other
Causes
Butterfly Valve
Check Valve
Electric Train
Level Control Valve
Motor Operator
Motor Valve
Pump
Pressure ControlValve
BV
CV
LV
MO
PV
I, V
Ii V
I, T, Gg V
I, T, V
I, Tg Gg V
I, T, V
Ii Tg V
I, T, V
Mq Vi I
Mi Vi I
0, B
0, B
Turbine
Tank or Reservoir
Gate Valve
TB
TK
XV
Ii Tg,V
Ig Vg P
Ig V
Table 14 shows the specific susceptibilities the 9 electric train cutsets were vulnerable to. They include: conducting medium, impact, temperature, corrosion, grit, vibration, and explosion.
In the case of common manufacturer or similar parts there were 5,798 and 773, respectively. The former category was dominated by Velan, a valve manufacturer, and check and gate valves made up most of the cutsets in the latter category.
Table 15 shows a list of all the manufacturers represented in the AFWS, and Table 16 lists the different part categories.
TABLE 14. COMMON CAUSE CANDIDATES FOR SUSCEPTIBILITY*
Cutset Order
Susceptibility Location
Conducting Medium
Impact
Temperature
Corrosion
ELEF
Grit
Vibration
Explosion ELEF
*These cutsets are susceptible to the same generic causes and are located in the same rooms. Their contributions to unavailability depend upon the likelihood of a generic cause of sufficient magnitude occurring in the given res.
TABLE 15. COMMON CAUSE CANDIDATES, COMMON MANUFACTURER
Cutset Order
Manufacturer
Allis-Chalmers
Armco
A & M
Byron Jackson
Control Components, Inc.
Continental
Federal Pacific
Fisher/Woodward
General ElectricHoneywell
ITT General ControlsJames B. Clow
Louis AllisLimitorqueLukenheimer
Mission
Pittsburgh - Des Moines
Pacific Gas & Electric
Velan
Westinghouse
12
10
224
16
1296 2688 1280 256
TABLE 16. COMMON CAUSE CANDIDATES FOR SIMILAR PARTS
Minimum Cutset Order
Part
Butterfly Valves
Check Valves
Electric Train
Level Control Valves
Motor Operator
Motor Control Valves
39 197 295 133 ll
Pump
Pressure Control Valves
Turbine or TurbineControls
Tank or Reservoir
Gate Valves 25 27 10
6 RESULTS
The results presented in this chapter show that in the emergency mode the Diablo Canyon Auxiliary Feedwater System is very reliable. Redundancy, separation, availability during testing, and recoverability make the system remarkably sound. These results follow from the detailed fault tree given in Appendix A, the data from Appendix B, and the analysis described in Chapter 5. They are based on the failure of the auxiliary feedwater system to deliver sufficient flow to at least one steam generator. Approximately 30 minutes are available from the time of reactor trip until auxiliary feedwater is required based on normal steam generator water inventories. Other considerations reduce the time for operator intervention significantly. A dominant system failure mode occurs due to a blockage in the butterfly valve that connects the condensate storage tank water supply to the three auxiliary feedwater pumps. Under this condition, with no automatic transfer to other water sources, the operators have less than approximately 5 minutes to respond to prevent permanent damage to all three pumps.
The results for all three initiating event cases from NUREG-0611 are given in Table 17. Point values based on NUREG-0611 data are tabulated along with means and variances based on plant specific data. In all cases the dominant contributors to conditional unavailability are human error (inaction) or test and maintenance. Nonrecoverable random failures make a small contribution because of extensive redundancy in the AFWS. For the "Loss of All AC Power" case the nonrecoverable random failure contribution is much higher, because only a single nonredundant turbine pump and train exists (the redundant AC sources being failed by definition).
The common cause contribution is primarily due to a common human failure following testing: leaving all LCVs in the closed position following testing. This is a recoverable failure and the unavailability contribution includes the 30 minute response time for operator intervention. Other common cause contributions (except seismic, which was not evaluated) were found to be negligible when compared to the tabulated values. Referring to common cause results, Tables 14, 15, and 16 in Chapter 5, only nine third-order cutsets were found with common susceptibilities in common locations. They are electrical train cutsets that are well protected from the following identified susceptibilities:
Conducting Medium - None present. Even if brought into the area, the equipment is protected.
Impact - No sources present; well protected from portable sources.
Temperature - Fire is a possibility, but would need to be widespread and severe to cause damage. Such fires have very low probability of occurrence and fire protection equipment must fail.
Corrosion - No source of sufficient moisture; regular maintenance.
TABLE 17. SUMMARY OF RESULTS
CONDITIONAL* UNAVAILABILITIES** OF THE DIABLO CANYON AFWS

Loss of Main Feedwater
Contributors to Unavailability | NRC Data | Plant-Specific Data
Nonrecoverable random failures | 1.4 x 10^-7 | 4.4 x 10^-7 (3.4 x 10^-13)
Nonrecoverable test and maintenance | 3.0 x 10^-6 | 2.7 x 10 (6.5 x 10^-13)
Human error | 3.3 x 10^-5 | 1.7 x 10^-5 (4.6 x 10^-6)
Common cause (all LCVs incorrect position after test) | 6.5 x 10^-7 | 6.5 x 10^-7 (4.0 x 10^-8)
Other | |
Total | 3.7 x 10^-5 | 2.1 x 10^-5 (4.6 x 10^-6)

Loss of Main Feedwater Due to Loss of Offsite Power
Contributors to Unavailability | NRC Data | Plant-Specific Data
Nonrecoverable random failures | 6.7 x 10^-6 | 1.5 x 10^-5 (3.0 x 10^-9)
Nonrecoverable test and maintenance | 2.1 x 10 | 2.4 x 10^-5 (3.0 x 10^-9)
Human error | 3.3 x 10^-5 | 1.7 x 10^-5 (4.6 x 10^-6)
Common cause (all LCVs incorrect position after test) | 6.5 x 10^-7 | 6.5 x 10^-7 (4.0 x 10^-8)
Other | |
Total | 6.1 x 10^-5 | 5.7 x 10^-5 (4.6 x 10^-6)

Loss of Main Feedwater and Loss of All AC Power
Contributors to Unavailability | NRC Data | Plant-Specific Data
Nonrecoverable random failures | 3.7 x 10^-3 | 7.5 x 10^-3 (5.6 x 10^-5)
Nonrecoverable test and maintenance | 8.0 x 10^-3 | 8.0 x 10^-3 (2.2 x 10^-5)
Human error | 3.0 x 10^-4 | 2.9 x 10^-4 (3.6 x 10^-5)
Common cause (all LCVs incorrect position after test) | 6.5 x 10^-7 | 6.5 x 10^-7 (4.0 x 10^-8)
Other | |
Total | 1.2 x 10^-2 | 1.6 x 10^-2 (1.1 x 10^-4)
*The total unavailabilities as well as the individual contributions given in this table are not actual system unavailabilities but are system characteristics conditional on specific states of electric power as follows:
LMFW: Offsite AC power is continuously available.
LMFW/LOOP: Offsite AC power is unavailable--diesel generators may or may not accept load.
LMFW/Loss of All AC: All AC power is unavailable; DC power is available.
**Unavailability is the fraction of times the system will not perform its function when required.
+Epsilon "E" is used to indicate a negligible contribution to unavailability.
( ) Variance or Average - squared deviation from the mean.
Grit - Portable sources could be a problem but equipment is well protected and heavy dirt not generated during power operations.
Vibration - No significant sources.
Explosion - Very unlikely; only portable sources, and they are carefully controlled. Sufficient separation exists to offer some protection.
The PG&E systems interaction program is systematically lowering the likelihood of even single component failures due to environmental factors. The most significant impediment to common environmental causes at Diablo Canyon is the separation factor. Only the nine third order cutsets discussed above have all basic events in the same location.
Common manufacturer (thousands of candidates), similar parts (several hundred candidates), and similar parts built by the same manufacturer (fewer candidates) have some potential for mischief. However, nearly all of the basic events are Velan valves — many check valves along with a few gate valves. Since these components are tested regularly during surveillance tests and normal operations and are maintained regularly, they should have shaken out most manufacturer related problems. Furthermore, they are in different rooms as shown above and are therefore subjected to different environments. Common mode failures are quite unlikely now that the test program is established.
For a more detailed examination of the dominant contributors to unavailability, the results summary of Table 17 is broken down by the NUREG-0611 electric power cases into Tables 18 through 23. These tables are essentially self-explanatory. They display the dominant contributors, causes, and component failure modes for each case. For the "Loss of Main Feedwater" case (LMFW, Tables 18 and 19), the dominant contributors for both data sets are three human error cases. Two of the cases include the CST outlet valve 1-671 failed closed combined with an operator failure. One operator error is failure to trip the pumps within 5 minutes and the other is tripping the pumps in 5 minutes but failing to restore suction supply in the next 30 minutes. The human common cause of leaving all LCVs shut and failing to recover also ranks high. The next three contributors are all due to test and maintenance.
The "Loss of Main Feedwater Due to Loss of Offsite Power" case (Tables 20 and 21) has the same dominant contributors as for LMFW except that turbine pump train test and maintenance (T&M) has moved up in importance. With NRC data, turbine train T&M ranks second, nearly tied for first with the failure of 1-671 and no operator action to save the pumps within 5 minutes. With plant specific data the same top two contributors are again nearly tied but here turbine train T&M is ahead. Electric train failures to the motor pumps, while the turbine train is down for maintenance, are primarily responsible for the increased importance of test and maintenance.
DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY
TABLE 18. LOSS OF MAIN FEEDWATER
NRC Data
Rank | Event Description | Unavailability
 | Human Error: CST outlet valve 1-671 closed and no operator action to trip the AFWPs (5 minutes). | 2.82 x 10^-5
2 | Human Error: CST outlet valve 1-671 closed and AFWPs tripped and no operator action to restore a water supply (30 minutes). | 4.40 x 10^-6
 | Test and Maintenance: Turbine driven AFWP down for maintenance and random system failures. | 1.08 x 10^-6
 | Test and Maintenance: Motor driven AFWP 1-3 down for maintenance and random system failures. | 9.19 x 10
 | Test and Maintenance: Motor driven AFWP 1-2 down for maintenance and random system failures. | 9.19 x 10
 | Common Cause--Human Error: All LCVs in incorrect position after test and no operator action to open LCVs (30 minutes). | 6.50 x 10^-7
 | Human Error: Turbine controls failure or FCV-95 controls failure and no operator action to restart turbine driven pump (30 minutes). | 1.31 x 10^-7
 | Nonrecoverable Random Failure: Motors for AFWP 01-2 and 01-3 fail and FCV-95 does not open (mechanical failure). | 1.76 x 10^-8
DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY
TABLE 19. LOSS OF MAIN FEEDWATER
Plant Specific Data
Rank | Event Description | Unavailability
 | Human Error: CST outlet valve 1-671 closed and no operator action to trip the AFWPs (5 minutes). | 1.47 x 10^-5
 | Human Error: CST outlet valve 1-671 closed and AFWPs tripped, and no operator action to restore water supply (30 minutes). | 2.24 x 10^-6
 | Test and Maintenance: Turbine driven AFWP down for maintenance and random system failures. | 8.94 x 10^-7
 | Test and Maintenance: Motor driven AFWP 1-3 down for maintenance and random system failures. | 9.21 x 10
 | Test and Maintenance: Motor driven AFWP 1-2 down for maintenance and random system failures. | 9.21 x 10^-7
 | Common Cause--Human Error: All LCVs in incorrect position after test and no operator action to open LCVs (30 minutes). | 6.50 x 10^-7
 | Human Error: Turbine controls failure or FCV-95 controls failure and no operator action to restart turbine driven pump (30 minutes). | 2.82 x 10
 | Nonrecoverable Random Failure: Motor driven AFWPs 1-2 and 1-3, and turbine driven AFWP fail mechanically. | 2.15 x 10^-7
67REVISION I
DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY
TABLE 20. LOSS OF OFFSITE POWER
NRC Data

| Rank | Event Description | Unavailability |
|---|---|---|
| 1 | Human Error: CST outlet valve 1-671 closed and no operator action to trip the AFWPs (5 minutes). | 2.82 x 10 |
| 2 | Test and Maintenance: Turbine driven AFWP down for maintenance and random system failures. | 1.53 x 10 |
| 3 | Human Error: CST outlet valve 1-671 closed and AFWPs tripped and no operator action to restore a water supply (30 minutes). | 4.4 x 10^-6 |
| 4 | Test and Maintenance: Motor driven AFWP 1-3 down for maintenance and random system failures. | 3.00 x 10^-6 |
| 5 | Test and Maintenance: Motor driven AFWP 1-2 down for maintenance and random system failures. | 3.00 x 10^-6 |
| 6 | Nonrecoverable Random Failure: Failure of electric buses F and H and FCV-95 does not open (mechanical failure). | 1.50 x 10^-6 |
| 7 | Nonrecoverable Random Failure: Failure of electric buses F and H and PV-39 fails closed. | 1.50 x 10^-6 |
| 8 | Nonrecoverable Random Failure: Failure of electric buses F and H and turbine driven pump fails mechanically. | 1.37 x 10^-6 |
| 9 | Common Cause--Human Error: All LCVs in incorrect position after test and no operator action to open LCVs (30 minutes). | 6.50 x 10^-7 |
| 10 | Human Error: Turbine controls failure or FCV-95 controls failure and no operator action to restart turbine driven pump (30 minutes). | 3.18 x 10 |
DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY
TABLE 22. LOSS OF ALL AC POWER
NRC Data

| Rank | Event Description | Unavailability |
|---|---|---|
| 1 | Test and Maintenance: Turbine pump train down for maintenance. | 8.02 x 10^-3 |
| 2 | Nonrecoverable Random Failure: FCV-95 does not open (mechanical failure). | 1.10 x 10^-3 |
| 3 | Nonrecoverable Random Failure: PV-39 does not open (mechanical failure). | 1.10 x 10^-3 |
| 4 | Nonrecoverable Random Failure: Turbine pump fails (mechanical failure). | 1.0 x 10 |
| 5 | Human Error: Turbine controls failure or FCV-95 controls failure and no operator action to restart pump (30 minutes). | 2.64 x 10^-4 |
| 6 | Nonrecoverable Random Failure: turbine train valve, check valve 135. | 1.00 x 10^-4 |
| 7 | Nonrecoverable Random Failure: turbine train valve, gate valve 135. | 1.00 x 10^-4 |
| 8 | Nonrecoverable Random Failure: turbine train valve, butterfly valve 124. | 1.00 x 10^-4 |
| 9 | Nonrecoverable Random Failure: turbine train valve, butterfly valve 121. | 1.00 x 10^-4 |
| 10 | Nonrecoverable Random Failure: turbine train valve, check valve 121. | 1.00 x 10^-4 |
| 11 | Human Error: CST outlet valve 1-671 closed and no operator action to trip the AFWPs (5 minutes). | 2.82 x 10 |
| 12 | Human Error: CST outlet valve 1-671 closed and AFWP tripped and no operator action to restore a water supply (30 minutes). | 4.40 x 10^-6 |
| 13 | Common Cause--Human Error: All LCVs in incorrect position after test and no operator action to open LCVs (30 minutes). | 6.50 x 10 |
DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY
TABLE 23. LOSS OF ALL AC POWER
Plant Specific Data

| Rank | Event Description | Unavailability |
|---|---|---|
| 1 | Test and Maintenance: Turbine pump train down for maintenance. | 8.02 x 10^-3 |
| 2 | Nonrecoverable Random Failure: Turbine pump fails (mechanical failure). | 6.0 x 10^-3 |
| 3 | Nonrecoverable Random Failure: PV-39 does not open (mechanical failure). | 7.54 x 10^-4 |
| 4 | Human Error: Turbine controls failure or FCV-95 controls failure and no operator action to restart pump (30 minutes). | 2.71 x 10^-4 |
| 5 | Nonrecoverable Random Failure: Manual valve 135 transfers closed. | 2.70 x 10^-4 |
| 6 | Nonrecoverable Random Failure: Check valve 135 fails closed. | 9.99 x 10^-5 |
| 7 | Nonrecoverable Random Failure: FCV-95 fails closed (mechanical failure). | 9.99 x 10^-5 |
| 8 | Nonrecoverable Random Failure: Check valve 121 fails closed. | 9.99 x 10^-5 |
| 9 | Human Error: CST outlet valve 1-671 closed and no operator action to trip the AFWP (5 minutes). | 1.47 x 10 |
| 10 | Human Error: CST outlet valve 1-671 closed and AFWP tripped and no operator action to restore a water supply (30 minutes). | 2.29 x 10^-6 |
| 11 | Common Cause--Human Error: All LCVs in incorrect position after test and no operator action to open LCVs (30 minutes). | 6.50 x 10^-7 |
The "Loss of Main Feedwater and Loss of All AC" case (Tables 22 and 23) is quite different. Now only the turbine train can be available, so single element cutsets in the turbine train move to the fore. Topping the list is turbine pump train test and maintenance, followed by a long list of single failures. This case shows that even with multiple failures leading to a complete loss of all AC power, the AFWS should operate successfully (only a 1% chance of failure).

Although the system unavailability is already very low, it is instructive to list possible system modifications that have potential to further reduce the unavailability. To improve unavailability the modifications must attack the dominant contributors of Tables 18 through 21. For example, consider the following possible modifications and the dominant contributors they address.

• Low Pump Suction Pressure Trip - Failure of 1-671 and no action to protect the pumps within 5 minutes.
• Improved Emergency Procedures - All human recovery actions.
• Redundant CST Outlet Valves - Failure of 1-671 and human failures to recover.
• Automatic Shift to Alternative Supply - Failure of 1-671 and human failure to recover (raw water is low grade, but a piping rearrangement could put firewater on the header).
• Reduce Frequency of Pump Maintenance - Test and maintenance (eliminate any nonessential maintenance, consolidate maintenance, etc.).
• Reduce Duration of Pump Maintenance Outage - Test and maintenance (additional preplanning, training, etc.).

Of these, PG&E is presently revising all emergency operating procedures.

A word of warning is appropriate. Some of these changes could create more problems than they solve: for example, automatically shifting to a low grade water supply could seriously damage the steam generators. Furthermore, since many of these options are aimed at a single cause of failure, accomplishment of any one enormously decreases the value of those remaining. Finally, because the system is already very reliable, no serious deficiencies have been identified. No changes should be made without a careful evaluation of all costs and benefits including the chance that a change aimed at improving reliability could actually degrade it.
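The warning that options aimed at a single cause devalue one another can be checked numerically. The following is an added example, not part of the original report: it takes the Table 18 (NRC data) rows whose values are fully legible, treats system unavailability as the sum of its contributors, and applies cause tags and reduction factors that are hypothetical assumptions made here.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Contributor:
    name: str
    unavailability: float  # value as listed in Table 18 (NRC data)
    causes: frozenset      # cause tags assigned here for illustration


@dataclass(frozen=True)
class Modification:
    name: str
    targets: frozenset     # cause tags the modification addresses
    factor: float          # HYPOTHETICAL multiplier, not from the report

    def applies_to(self, contributor):
        return bool(self.targets & contributor.causes)


# Table 18 rows with fully legible values. The two motor driven pump
# test-and-maintenance rows are left out because their exponents are missing.
TABLE_18_NRC = (
    Contributor("1-671 closed, no pump trip (5 min)", 2.82e-5,
                frozenset({"valve_1_671", "no_trip_5min", "human_recovery"})),
    Contributor("1-671 closed, no water restored (30 min)", 4.40e-6,
                frozenset({"valve_1_671", "human_recovery"})),
    Contributor("Turbine driven AFWP down for maintenance", 1.08e-6,
                frozenset({"maintenance"})),
    Contributor("All LCVs mispositioned, not reopened (30 min)", 6.50e-7,
                frozenset({"human_recovery"})),
    Contributor("Turbine/FCV-95 controls, no restart (30 min)", 1.31e-7,
                frozenset({"human_recovery"})),
    Contributor("Motors fail and FCV-95 does not open", 1.76e-8, frozenset()),
)

# Modifications named in the text; the factors are assumptions for illustration.
SUCTION_TRIP = Modification("Low pump suction pressure trip",
                            frozenset({"no_trip_5min"}), 0.1)
REDUNDANT_VALVES = Modification("Redundant CST outlet valves",
                                frozenset({"valve_1_671"}), 0.1)
PROCEDURES = Modification("Improved emergency procedures",
                          frozenset({"human_recovery"}), 0.5)


def scaled(contributor, mods):
    """Contributor value after every applicable modification (assumed independent)."""
    return contributor.unavailability * prod(
        m.factor for m in mods if m.applies_to(contributor))


def system_unavailability(contributors, mods=()):
    """Rare-event approximation: system unavailability is the sum of contributors."""
    return sum(scaled(c, mods) for c in contributors)


def marginal_benefit(contributors, mod, already=()):
    """Reduction in unavailability from adding `mod` on top of `already`."""
    before = system_unavailability(contributors, tuple(already))
    after = system_unavailability(contributors, tuple(already) + (mod,))
    return before - after


def ranked(contributors, mods=()):
    """(name, value) pairs after modifications, largest contributor first."""
    rows = [(c.name, scaled(c, mods)) for c in contributors]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    all_mods = (SUCTION_TRIP, REDUNDANT_VALVES, PROCEDURES)
    print(f"baseline (legible rows only): {system_unavailability(TABLE_18_NRC):.3e}")
    for mod in all_mods:
        others = tuple(m for m in all_mods if m is not mod)
        alone = marginal_benefit(TABLE_18_NRC, mod)
        last = marginal_benefit(TABLE_18_NRC, mod, others)
        print(f"{mod.name:32s} alone {alone:.2e}   applied last {last:.2e}")
    top = ranked(TABLE_18_NRC, (SUCTION_TRIP, REDUNDANT_VALVES))[0]
    print("dominant contributor after both 1-671 fixes:", top[0])
```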
7. REFERENCES

1. Diablo Canyon FSAR, Chapters 8 and 9.
2. Diablo Canyon P&IDs for Auxiliary Feedwater, Main Steam, Firewater, and Raw Water Makeup.
3. Diablo Canyon Schematics for AFW pumps and motor-operated valves.
4. Diablo Canyon Technical Specifications for Auxiliary Feedwater, Condensate Storage Tank, Electric Power, and Instrumentation Systems.
5. AFW System Operating, Emergency and Surveillance Procedures.
6. Discussions with members of the Diablo Plant Staff in the Operations, Maintenance, Startup, and Technical Groups.
7. Letter No. PGE-4255, from W. C. Gangloff, Westinghouse Electric Corporation, to D. V. Kelly, Pacific Gas and Electric Company, entitled "Pacific Gas and Electric Company Nuclear Plant, Diablo Canyon Site, AFWS Reliability Study Success Criteria."
8. Anderson, T. M., et al, "Report on Small Break Accidents for Westinghouse NSSS System," WCAP-9601, June 1979.
9. Tauche W., "Loss of Feedwater Induced Loss of Coolant Accident Analysis Report," WCAP-9744, May 1980.
10. Pacific Gas and Electric Company, Department of Engineering, "Analysis of the Risk to the Public from Possible Damage to the Diablo Canyon Nuclear Power Station from Seismic Events," Dockets No. 50-275-OL and 50-323-OL, August 1977.
11. USNRC, "Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse Designed Operating Plants," NUREG-0611, January 1980.
12. Users Guide for the Reliability Analysis System (RAS) Computer Code, TREE-1168, developed by EG&G Idaho, Inc., at the Idaho National Engineering Laboratory (INEL), September, 1977.
13. COMCAN II-A, A Computer Program for Automated Common Cause Failure Analysis, TREE-1361, developed by EG&G Idaho, Inc., at the Idaho National Engineering Laboratory (INEL), May, 1979.
14. MOCARS: A Monte Carlo Code for Determining the Distribution and Simulation Limits, Scott D. Mathews, developed by EG&G Idaho, Inc., July, 1977.
15. U.S. Nuclear Regulatory Commission, "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," WASH-1400, 1975.
APPENDIX A

DIABLO CANYON AUXILIARY FEEDWATER SYSTEM FAULT TREE

A fault tree model was constructed to represent the AFWS of the Diablo Canyon plant. It defines the modes necessary to fail the system. The following pages show the basic fault tree. From this basic fault tree, the system scenarios were calculated.
[FIGURE A-1. DIABLO CANYON AUXILIARY FEEDWATER SYSTEM FAULT TREE (Sheets 1 through 23). Top event: NOIF to at least one steam generator (NOIF = no or insufficient flow). The sheets develop NOIF to each steam generator through its valve section, the motor driven pump section (MDPS), the turbine driven pump section (TDPS), the electrical trains, and the water sources: condensate storage tank, firewater tank system, and raw water system.]
APPENDIX B

DIABLO CANYON AUXILIARY FEEDWATER SYSTEM
COMPONENT DATA SHEETS

• NRC DATA
• PLANT SPECIFIC DATA
• MTTR CALCULATION BASES
• DATA REFERENCES
NRC DATA

The point estimate data is used to permit comparisons with other NRC analyses. It may not be applicable to Diablo Canyon since the plant-to-plant variability (uncertainty) of the source data is lost when point estimates are used. The data sources for this section are NUREG-0611 and WASH-1400.

[Note: The data identified in NUREG-0611 is the same data used in WASH-1400.]
AVAILABILITY DATA SHEET
Pickard, Lowe and Garrick, Inc.
CONSULTANTS - NUCLEAR POWER
17840 Skypark Boulevard, Irvine, California 92714
CHECKED    DATE    APPROVED    DATE    BY    DATE
JOB NO.
SHEET    OF 17

ITEM: AC Electrical (4160 VAC)
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400, Appendix II, Volume 2, the failure rate is 30 x 10^-6 F/hr, and a repair time of 8 hours.
2. WASH-1400, Appendices III and IV for failure of diesel to start or load given loss of offsite power is 3.7 x 10^-2/demand.

SPECIFIC COMPONENTS
PETAC4FS  No power from AC Electric Train F (4160 VAC)
PETAC4HS  No power from AC Electric Train H (4160 VAC)
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E

ITEM: AC Electric Train (480 VAC)
OVERALL FAILURE RATE: -6 FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400, Appendix II, Volume 2, the failure rate is 14 x 10^-6 F/hr, and a repair time of 8 hours.

SPECIFIC COMPONENTS
PETAC1FS  No power from AC Electric Train F (480 VAC)
PETAC1GS  No power from AC Electric Train G (480 VAC)
PETAC1HS  No power from AC Electric Train H (480 VAC)
AVAILABILITY DATA SHEET

ITEM: DC Electric Train (125 VDC)
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400, Appendix II, Volume 2, the failure rate is 1.2 x 10^-6 F/hr, and a repair time of 2 hours.

SPECIFIC COMPONENTS
PETDC1FS  No power from DC Electric Train F (125 VDC)
PETDC1GS  No power from DC Electric Train G (125 VDC)
PETDC1HS  No power from DC Electric Train H (125 VDC)
AVAILABILITY DATA SHEET
SHEET 4 OF 17

ITEM: Butterfly
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400 and NUREG-0611, the point value estimate of probability of failure on demand for manual valves (plugged) is 1 x 10^-4.

SPECIFIC COMPONENTS
PBV0121C  Valve transfers closed or plugged
PBV0124C  Valve transfers closed or plugged
PBV0159C  Valve transfers closed or plugged
PBV0162C  Valve transfers closed or plugged
PBV0180C  Valve transfers closed or plugged
PBV0183C  Valve transfers closed or plugged
PBV0280C  Valve transfers closed or plugged
PBV1297C  Valve transfers closed or plugged
PBV1671C  Valve transfers closed or plugged
AVAILABILITY DATA SHEET
SHEET 5 OF 17

ITEM: Valve, Check
OVERALL FAILURE RATE: 10 FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400 and NUREG-0611, the point value estimate of probability of failure on demand for check valves is 1 x 10^-4.

SPECIFIC COMPONENTS
6CV0438X  Valve opens and does not close
6CV0439X  Valve opens and does not close
6CV0440X  Valve opens and does not close
6CV0441X  Valve opens and does not close
PCV0121Q  Valve fails closed
PCV0135Q  Valve fails closed
PCV0137Q  Valve fails closed
PCV0140Q  Valve fails closed
PCV0142Q  Valve fails closed
PCV0147Q  Valve fails closed
PCV0151Q  Valve fails closed
PCV0153Q  Valve fails closed
PCV0155Q  Valve fails closed
PCV0157Q  Valve fails closed
PCV0159Q  Valve fails closed
PCV0169Q  Valve fails closed
PCV0171Q  Valve fails closed
PCV0176Q  Valve fails closed
PCV0180Q  Valve fails closed
PCV0190Q  Valve fails closed
PCV0196Q  Valve fails closed
PCV0198Q  Valve fails closed
PCV0436Q  Valve fails closed
PCV0437Q  Valve fails closed
PCVOSG2Q  Valve fails closed
PCVOSG3Q  Valve fails closed
AVAILABILITY DATA SHEET

ITEM: Strainer or Filter
OVERALL FAILURE RATE: 10^-8 FAIL/DEMAND. REPAIR TIME:    HR.

NRC DATA

Reference
1. WASH-1400, the point value estimate of probability of failure on demand for strainers or filters is 1 x 10^-8.

SPECIFIC COMPONENTS
PFL0097H  Filter plugs or leaks
AVAILABILITY DATA SHEET
SHEET 7 OF 17

ITEM: Motor Operator, AC Reversible (480 V)
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400 and NUREG-0611, the point value estimate of probability of failure on demand for motor operators is 2 x 10^-3 F/demand.

SPECIFIC COMPONENTS
PMO0095S  Motor operator fails to perform function
PMO0110S  Motor operator fails to perform function
PMO0111S  Motor operator fails to perform function
PMO0113S  Motor operator fails to perform function
PMO0115S  Motor operator fails to perform function
PMO0436S  Motor operator fails to perform function
PMO0437S  Motor operator fails to perform function
AVAILABILITY DATA SHEET
SHEET 8 OF 17

ITEM: Motor Operated Valve
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400 and NUREG-0611, the point value estimate of probability of failure to open on demand for motor valves is 1.1 x 10^-3.
2. WASH-1400 and NUREG-0611, the point value estimate of probability of failure on demand (plug) for motor valves is 1.0 x 10^-4.

SPECIFIC COMPONENTS
PMV0037C  Motor valve fails mechanically or plugs (Ref. 2)
PMV0038C  Motor valve fails mechanically or plugs (Ref. 2)
PMV0095Q  Motor valve fails to open (Ref. 1)
PMV0106C  Motor valve fails mechanically or plugs (Ref. 2)
PMV0107C  Motor valve fails mechanically or plugs (Ref. 2)
PMV0108C  Motor valve fails mechanically or plugs (Ref. 2)
PMV0109C  Motor valve fails mechanically or plugs (Ref. 2)
PLV0110S  Motor valve fails mechanically or plugs (Ref. 2)
PLV0111S  Motor valve fails mechanically or plugs (Ref. 2)
PLV0113S  Motor valve fails mechanically or plugs (Ref. 2)
PLV0115S  Motor valve fails mechanically or plugs (Ref. 2)
PMV0436Q  Motor valve fails to open (Ref. 1)
PMV0437Q  Motor valve fails to open (Ref. 1)
AVAILABILITY DATA SHEET

ITEM: Pump, Centrifugal 500 to 2499 gpm
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400 and NUREG-0611, the point value estimate of the probability of failure on demand is 1 x 10^-3.

SPECIFIC COMPONENTS
PPM01-2N  Pump fails to perform function
PPM01-3N  Pump fails to perform function
AVAILABILITY DATA SHEET
SHEET 10 OF 17

ITEM: Motor Operator, Induction Squirrel Cage 3500 - 4999 VAC
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:

NRC DATA

Reference
1. WASH-1400 and NUREG-0611, failures per demand = 4 x 10

SPECIFIC COMPONENTS
PMO01-2S  Motor operator fails to perform function
PMO01-3S  Motor operator fails to perform function
AVAILABILITY DATA SHEET
SHEET    OF 17

ITEM: Pressure Valve
OVERALL FAILURE RATE: .0011 FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400 and NUREG-0611, the point value estimate of the probability of failure on demand is 1.1 x 10^-3.

SPECIFIC COMPONENTS
PPV0039Q  Valve is closed and will not open
AVAILABILITY DATA SHEET
SHEET    OF 17

ITEM: Condensate Storage Tank
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400, Appendices III and IV, this failure was treated as similar to a rupture of loss of fluid case so the value 1 x 10"" F/demand was assigned.

SPECIFIC COMPONENTS
5TKOOOL  Insufficient water level
AVAILABILITY DATA SHEET

ITEM: Turbine Pump
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400 and NUREG-0611, the point value estimate of the probability of failure on demand is 1 x 10

SPECIFIC COMPONENTS
PPMTURBN  Pump fails to perform function
AVAILABILITY DATA SHEET

ITEM: Turbine Pump Controls
OVERALL FAILURE RATE: -3 FAIL/DEMAND. REPAIR TIME:    HR.

NRC DATA

Reference
1. WASH-1400, Appendices III and IV, failures per demand = 4 x 10

SPECIFIC COMPONENTS
PTBCTRLS  Controls fail to perform function or turbine fails to start
AVAILABILITY DATA SHEET
SHEET 15 OF 17

ITEM: Fire Water Tank
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:

NRC DATA

Reference
1. WASH-1400, Appendices III and IV, this failure was treated as similar to a rupture of loss of fluid case so the value 1 x 10 " F/demand was assigned.

SPECIFIC COMPONENTS
PTKFIREL  Insufficient water level
AVAILABILITY DATA SHEET
SHEET 16 OF 17

ITEM: Raw Water Reservoir
OVERALL FAILURE RATE: 10 FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400, Appendices III and IV, this failure was treated as similar to a rupture of loss of fluid case so the value 1 x 10^-8 F/demand was assigned.

SPECIFIC COMPONENTS
PTKRAWNL  Insufficient water level
AVAILABILITY DATA SHEET
SHEET    OF 17

ITEM: Valve, Manual Gate or Intake Gate
OVERALL FAILURE RATE:    FAIL/HR. REPAIR TIME:    HR

NRC DATA

Reference
1. WASH-1400 and NUREG-0611, manual valve 1 x 10^-4 failures/demand for plugging or transferring closed, and 1 x 10^-3 failures/demand for failing to open or plugs.

SPECIFIC COMPONENTS
PXV0135C  Valves transfer closed or plug
PXV0137C  Valves transfer closed or plug
PXV0140C  Valves transfer closed or plug
PXV0142C  Valves transfer closed or plug
PXV0147C  Valves transfer closed or plug
PXV0151C  Valves transfer closed or plug
PXV0153C  Valves transfer closed or plug
PXV0155C  Valves transfer closed or plug
PXV0157C  Valves transfer closed or plug
PXV0169C  Valves transfer closed or plug
PXV0171C  Valves transfer closed or plug
PXV0176C  Valves transfer closed or plug
PXV0190C  Valves transfer closed or plug
PXV0196C  Valves transfer closed or plug
PXV0198C  Valves transfer closed or plug
PIG0263C  Valves transfer closed or plug
PIG0264Q  Valves will not open
PXV0268C  Valves transfer closed or plug
PXV0269C  Valves transfer closed or plug
PXV0272Q  Valves will not open
PXV0273C  Valves transfer closed or plug
PXV0283C  Valves transfer closed or plug
PXV0284C  Valves transfer closed or plug
PXVOOF1C  Valves transfer closed or plug
PXVOOF2Q  Valves will not open
PXVOOF3Q  Valves will not open
PLANT SPECIFIC DATA

The plant-specific data includes uncertainty and is judged to be applicable to Diablo Canyon. The sources are listed in the table and the values include data from the plant when it was available.
AVAILABILITY DATA SHEET
SHEET 1 OF 16

ITEM: AC Electric Train (480 VAC) 4160 VAC
OVERALL FAILURE RATE: 4 x 10 FAIL/HR. REPAIR TIME:

PLANT SPECIFIC DATA

Reference
1. WASH-1400, Appendix II, Volume 2, range factors from 3 to 10 for electrical components, and a failure rate of 14 x 10^-6 F/hr, and a repair time of 8 hrs.
2. WASH-1400, Appendices III and IV, range factors from 3 to 10 for electrical components, with a loss of offsite power, individual diesels fail to start 3.7 x 10^-2/demand/diesel.

SPECIFIC COMPONENTS
PETAC1FS  No power from AC Electric Train F (480 VAC)
PETAC1GS  No power from AC Electric Train G (480 VAC)
PETAC1HS  No power from AC Electric Train H (480 VAC)
PETAC4FS  No power from AC Electric Train F (4160 VAC)
PETAC4HS  No power from AC Electric Train H (4160 VAC)
AVAILABILITY DATA SHEET
SHEET 2 OF 16

ITEM: DC Electrical Train (125 VDC)
OVERALL FAILURE RATE: 6 FAIL/HR. REPAIR TIME:    HR

PLANT SPECIFIC DATA

Reference
1. WASH-1400, Appendix II, Volume 2, range factors from 3 to 10 for electrical components, and a failure rate of 1.2 x 10^-6 F/hr, and a repair time of 2 hrs.
2. The repair time is based on technical specifications.

SPECIFIC COMPONENTS
PETDC1FS  No power from DC Electrical Train F (125 VDC)
PETDC1GS  No power from DC Electrical Train G (125 VDC)
PETDC1HS  No power from DC Electrical Train H (125 VDC)
AVAILABILITY DATA SHEET
SHEET 3 OF 16

ITEM: Valve, Manual Butterfly
OVERALL FAILURE RATE: 0.43 x 10^-6 FAIL/HR. REPAIR TIME: varies HR.

PLANT SPECIFIC DATA

Reference
1. NPRDS, pg. 343 (4-11.99 inch Butterfly valves) 2 failures in 4.631 x 10^6 hours = 0.43 x 10^-6 failures/hour.
2. WASH-1400, Appendices III and IV, range factor = 3.
3. The repair times are based on technical specifications surveillance times, system actuations, and system demands (i.e., startup and shutdown). (168 hrs.)
4. The repair times are based on technical specifications. (1,095 hrs.)
5. The repair times are based on technical specifications. (121 hrs.)

SPECIFIC COMPONENTS
PBV0121C  Normally open valve transfers closed (Refs. 1, 2, 3)
PBV0124C  Normally open valve transfers closed (Refs. 1, 2, 3)
PBV0159C  Normally open valve transfers closed (Refs. 1, 2, 3)
PBV0162C  Normally open valve transfers closed (Refs. 1, 2, 3)
PBV0180C  Normally open valve transfers closed (Refs. 1, 2, 3)
PBV0183C  Normally open valve transfers closed (Refs. 1, 2, 3)
PBV0280C  Normally open valve transfers closed (Refs. 1, 2, 3)
PBV1297C  Normally open valve transfers closed (Refs. 1, 2, 4)
PBV1671C  Normally open valve transfers closed (Refs. 1, 2, 5)
AVAILABILITY DATA SHEET
SHEET 4 OF 16

ITEM: Valve, Check
OVERALL FAILURE RATE: 1 x 10" FAIL/HR. REPAIR TIME:    HR

PLANT SPECIFIC DATA

Reference
1. WASH-1400
   Fail to open 1 x 10^-4/Demand, Range Factor (RF) = 3
   Reverse leak 1 x 10^-7/hour, RF = 3

SPECIFIC COMPONENTS
6CV0438X  Valve opens and does not close
6CV0439X  Valve opens and does not close
6CV0440X  Valve opens and does not close
6CV0441X  Valve opens and does not close
PCV0121Q  Valve fails closed
PCV0137Q  Valve fails closed
PCV0135Q  Valve fails closed
PCV0140Q  Valve fails closed
PCV0142Q  Valve fails closed
PCV0147Q  Valve fails closed
PCV0151Q  Valve fails closed
PCV0153Q  Valve fails closed
PCV0155Q  Valve fails closed
PCV0157Q  Valve fails closed
PCV0159Q  Valve fails closed
PCV0169Q  Valve fails closed
PCV0171Q  Valve fails closed
PCV0176Q  Valve fails closed
PCV0180Q  Valve fails closed
PCV0190Q  Valve fails closed
PCV0196Q  Valve fails closed
PCV0198Q  Valve fails closed
PCV0436Q  Valve fails closed
PCV0437Q  Valve fails closed
PCVOSG2Q  Valve fails closed
PCVOSG3Q  Valve fails closed
Picl<ard, Lowe and Garricl<, Inc.CHECKEO ~ IlATE~i+ CONSULTANTS . NUCLEAR POWER
~i 0 17840 Skypark BoulevardAPPROVEO OATE Irvine, California 92714
AVAILABILITYOATASHEET
OF 16
-.E ~ruaBY
D'OR IIO 381 PGSE
SHEET
Strainer or FilterOVERALL FAILURE RATE'. 42 x 10 FAIL/HR. REPAIR TIME. 28
PLANT SPECIFIC DATA
Reference
1. WASH-1400, Appendices III and IV, range factor = 10
2. NPRDS, pg. 124: 14 failures (all types) in 2.582 million hours = 5.422 x 10^-6 F/hr.
The repair time for a strainer or filter is 28 hours.
SPECIFIC COMPONENTS
PFL0097H Filter plugs or leaks
B-25
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E
SHEET OF 16
ITEM: Motor Operator, AC Reversible (480 V)
OVERALL FAILURE RATE: FAIL/HR. REPAIR TIME: see below HR.
PLANT SPECIFIC DATA
Reference
1. NPRDS, pg. 243 (motor polyphase 480 VAC): 53 failures in 12.405 x 10^6 hours or 4.3 x 10^-6 F/hr.
2. WASH-1400, Appendices III and IV: range factor for operators, valves and controls is 3.
3. The repair time is based on monthly test and 6 actuations per year (273 hours).
4. The failure on demand is calculated by multiplying References 1 and 3 for 1.17 x 10^-3 F/demand.
5. The repair time is based on quarterly cycling (1095 hours).
6. The failure on demand is calculated by multiplying References 1 and 5 for 4.7 x 10^-3 F/demand.
7. The failure rate is based on engineering judgment, as no representative data is known; the failure rate is 20 x 10^-6 F/hr.
SPECIFIC COMPONENTS
PM00095S Motor operator loss of function (Ref. 4)
PM00110S Motor operator loss of function (Refs. 3, 7)
PM00111S Motor operator loss of function (Refs. 3, 7)
PM00113S Motor operator loss of function (Refs. 3, 7)
PM00115S Motor operator loss of function (Refs. 3, 7)
PM00436S Motor operator loss of function (Ref. 6)
PM00437S Motor operator loss of function (Ref. 6)
B-26
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E
SHEET 7 OF 16
ITEM: Motor Operator, Induction Squirrel Cage 3500 - 4999 VAC
OVERALL FAILURE RATE: 1 x 10^-3 FAIL/DEMAND REPAIR TIME: HR.
PLANT SPECIFIC DATA
Reference
1. EG&G Pump Report supplied values that yielded a 1 x 10^-3 F/demand.
SPECIFIC COMPONENTS
PM001-2S Motor operator fails to perform function
PM001-3S Motor operator fails to perform function
B-27
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E
SHEET 8 OF 16
ITEM: Motor Operated Valve
OVERALL FAILURE RATE: 0.37 x 10^-6 FAIL/HR.
REPAIR TIME: varies HR.
PLANT SPECIFIC DATA
Reference
1. NPRDS, pg. 377: 10 failures in 27.162 x 10^6 hours = 0.37 x 10^-6 F/hr.
2. WASH-1400, Appendices III and IV: range factor is 3, and a failure per demand of 1 x 10^-4 for valve plugging.
3. The repair time is based on monthly test and 6 actuations/year (273).
4. The repair time is based on system actuations (6/year) (730).
5. A failure per demand was calculated by multiplying References 1 and 3 for 1 x 10^-4 F/demand.
SPECIFIC COMPONENTS
PMV0037C Motor valve fails mechanically or plugs (Refs. 1, 4)
PNV0038C Motor valve fails mechanically or plugs (Refs. 1, 4)
PMV0095Q Motor valve fails to open (Ref. 5)
PMV0106C Motor valve fails mechanically or plugs (Refs. 1, 4)
PMV0107C Motor valve fails mechanically or plugs (Refs. 1, 4)
PMV0108C Motor valve fails mechanically or plugs (Refs. 1, 3)
PNV0109C Motor valve fails mechanically or plugs (Refs. 1, 3)
PLV0110S Motor valve fails mechanically or plugs (Refs. 1, 3)
PLV0111S Motor valve fails mechanically or plugs (Refs. 1, 3)
PLV0113S Motor valve fails mechanically or plugs (Refs. 1, 3)
PLV0115S Motor valve fails mechanically or plugs (Refs. 1, 3)
PMV0436Q Motor valve fails to open (Ref. 5)
PNV0437Q Motor valve fails to open (Ref. 5)
B-28
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E
SHEET OF
ITEM: Pump, Centrifugal 500 to 2499
OVERALL FAILURE RATE: 6 x 10^-3 FAIL/DEMAND REPAIR TIME: HR.
PLANT SPECIFIC DATA
Reference
1. WASH-1400, Appendices III and IV, range factor = 3.
2. EG&G Pump Report supplied values that yielded a 6 x 10^-3 F/demand.
SPECIFIC COMPONENTS
PPM01-2N Pump fails to perform function
PPM01-3N Pump fails to perform function
B-29
AVAILABILITY DATA SHEET
JOB NO.
ITEM: Turbine Pump
OVERALL FAILURE RATE: FAIL/DEMAND REPAIR TIME: HR.
PLANT SPECIFIC DATA
Reference
1. WASH-1400, Appendices III and IV, range factor = 3.
2. EG&G Pump Report supplied values that yielded a 6 x 10^-3 F/demand.
SPECIFIC COMPONENTS
PPNTURBN Pump fails to perform function
B-30
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E
SHEET 11 OF 16
ITEM: Pressure Valve
OVERALL FAILURE RATE: FAIL/HR. REPAIR TIME: HR.
PLANT SPECIFIC DATA
Reference
1. NPRDS, pg. 383: 3 failures in 1.081 x 10^6 hours = 2.775 x 10
2. WASH-1400, Appendices III and IV, the range factor is 3.
3. The repair time is based on monthly testing and 6 actuations per year. (273 hrs.)
SPECIFIC COMPONENTS
PPV0039Q Valve is closed and will not open
B-31
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E
SHEET 12 OF 16
ITEM: Condensate Storage Tank
OVERALL FAILURE RATE: FAIL/HR. REPAIR TIME: 4
PLANT SPECIFIC DATA
Reference
1. WASH-1400, Appendices III and IV, the failure rate is 1 x 10^-10 F/hr. and the range factor is 30.
2. The repair time is based on the tank being monitored once a shift.
SPECIFIC COMPONENTS
5TKOOOOL Insufficient water level
B-32
REVISION 2
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E
SHEET 13 OF 16
ITEM: Turbine Pump Controls and Turbine
OVERALL FAILURE RATE: x 10 FAIL/DEMAND REPAIR TIME: HR.
PLANT SPECIFIC DATA
Reference
1. EG&G Pump Report supplied values that yielded a 5 x 10^-3 F/demand.
SPECIFIC COMPONENTS
PTBCTRLS Controls fail to perform function, turbine fails to start
B-33
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E
SHEET 14 OF 16
ITEM:
OVERALL FAILURE RATE: nk -10 FAIL/HR. REPAIR TIME: HR
PLANT SPECIFIC DATA
Reference
1. WASH-1400, Appendices III and IV, the failure rate is 1 x 10^-10 F/hr. and the range factor is 30.
2. The repair time is based on the tanks being monitored once a shift.
SPECIFIC COMPONENTS
PTKFIREL Insufficient water level
B-34
REVISION 2
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E
SHEET 15 OF 16
ITEM: Raw Water Reservoir
OVERALL FAILURE RATE: FAIL/HR. REPAIR TIME:
PLANT SPECIFIC DATA
Reference
1. WASH-1400, Appendices III and IV, the failure rate is 1 x 10^-10 F/hr. and the range factor is 30.
2. The repair time is based on the reservoir being monitored once per shift.
SPECIFIC COMPONENTS
PTKRAWNL Insufficient water level
B-35
REVISION 2
AVAILABILITY DATA SHEET
JOB NO. 381 PG&E
SHEET 16 OF
ITEM: Valve Manual Gate or Intake Gate
OVERALL FAILURE RATE: FAIL/HR. REPAIR TIME: varies
PLANT SPECIFIC DATA
Reference
1. NPRDS, pg. 377 (4-11.99 inch gate valve): 10 failures in 27.162 x 10^6 hrs. or 0.37 x 10^-6 F/hr.
2. WASH-1400, Appendices III and IV, range factor 3.
3. Repair time based on quarterly cycling (1095 hours).
4. Repair time based on monthly testing and 6 actuations/year (273 hours).
5. Repair time based on 6 actuations per year (730 hours).
6. Repair time based on monthly testing, 6 actuations/year, and 10 startups/shutdowns per year (121 hours).
SPECIFIC COMPONENTS
PXV0135C Valve transfers closed or will not open (Refs. 1, 2, 5)
PXV0137C Valve transfers closed or will not open (Refs. 1, 2, 5)
PXV0140C Valve transfers closed or will not open (Refs. 1, 2, 4)
PXV0142C Valve transfers closed or will not open (Refs. 1, 2, 5)
PXV0147C Valve transfers closed or will not open (Refs. 1, 2, 4)
PXV0151C Valve transfers closed or will not open (Refs. 1, 2, 5)
PXV0153C Valve transfers closed or will not open (Refs. 1, 2, 4)
PXV0155C Valve transfers closed or will not open (Refs. 1, 2, 5)
PXV0157C Valve transfers closed or will not open (Refs. 1, 2, 4)
PXV0169C Valve transfers closed or will not open (Refs. 1, 2, 4)
PXV0171C Valve transfers closed or will not open (Refs. 1, 2, 4)
PXV0176C Valve transfers closed or will not open (Refs. 1, 2, 4)
PXV0190C Valve transfers closed or will not open (Refs. 1, 2, 4)
PXV0196C Valve transfers closed or will not open (Refs. 1, 2, 4)
PXV0198C Valve transfers closed or will not open (Refs. 1, 2, 4)
PIG0263C Valve transfers closed or will not open (Refs. 1, 2, 6)
PIG0264Q Valve will not open (Refs. 1, 2, 6)
PXV0268C Valve transfers closed or will not open (Refs. 1, 2, 3)
PXV0269C Valve transfers closed or will not open (Refs. 1, 2, 3)
PXV0272Q Valve transfers closed or will not open (Refs. 1, 2, 3)
PXV0273C Valve transfers closed or will not open (Refs. 1, 2, 3)
PXV0283C Valve transfers closed or will not open (Refs. 1, 2, 3)
PXV0284C Valve transfers closed or will not open (Refs. 1, 2, 3)
PXVOOF1C Valve transfers closed or will not open (Refs. 1, 2, 3)
PXVOOF2Q Valve will not open (Refs. 1, 2, 3)
PXVOOF3Q Valve will not open (Refs. 1, 2, 3)
B-36
REVISION 2
MTTR CALCULATION BASES
1. For butterfly valves on the pump suction side, calculations were based on 10 tests per year, 6 actuations per year, and 10 startups or shutdowns,

$$\text{MTTR} = \frac{8{,}760}{(10+10+6)(2)} \approx 168 \text{ hrs.}$$

2. For components tested quarterly, calculations were based on 4 tests per year,

$$\text{MTTR} = \frac{8{,}760}{(4)(2)} = 1{,}095 \text{ hrs.}$$

3. For components tested according to technical specifications, 1 test every 31 days,

$$\text{MTTR} = \frac{(31)(24)}{(2)} = 372 \text{ hrs.}$$

4. For intake gates, the calculations were based on 20 tests per year, 6 actuations per year, and 10 startups or shutdowns,

$$\text{MTTR} = \frac{8{,}760}{(20+10+6)(2)} \approx 121 \text{ hrs.}$$

5. For components in the motor-driven pump train on the pump discharge side, calculations were based on 10 startups or shutdowns and 6 actuations per year,

8,760
B-37
DATA REFERENCE SOURCES
Reference / Source / Date
1. NPRD, Nuclear Plant Reliability Data System, 1978 Annual Reports of Cumulative System and Component Reliability, NUREG/CR0942. National Technical Information Services, Springfield, VA 22161. 1979.
2. WASH-1400, Reactor Safety Study WASH-1400 (NUREG-06ll) Appendix III. U.S. Nuclear Regulatory Commission. 1975.
3. EG&G Data Summaries of Licensee Event Reports of PUMPS at U.S. Commercial Nuclear Power Plants, NUREG/CR-1205. National Technical Information Service, Springfield, VA 22161. 1980.
B-38