NUREG/CR-2248SAND 81-1625
co- w r_
Comanche Peak Steam Electric: Station, Units 1 and 2,' Auxiliary Feedwater System
Reliability Study Evaluation
_
Prepared by B. J. Roscoe
Sandia Phtional Laboratories
Prepared for % [j \U.S. Nuclear Regulatory 6- , ''
Commission q, g _y
p ,[3g
g?). $ n- c
E
"arr+.ff'
Cho!$h0$k5PDR
_ - - - - - _ _ _ _ - _ _ _ _ _ _ - _ _
. . . . - - - . ,
NOTICE
Thn report was prepand as an account of work sponsored by an agency of the,
United States Government Neither the United States Government nor any agencythereof, or any of their employees, makes any warranty, expressed or implied, orassumes any Icgalliability or respopubility for any third party's use, or the resultsof such uv. of any infortnation, apparatus product or process disclosed in thisreport, or represents that its use by such third party would not infnnge pnvatelyowned rights.
Available from>
| GPO sales ProgramDivision of Technical Information and Dxument ControlU.S. Nuclear Regulatory CommissionWashington, D C. 20553and
National Technical Information ServiceSpnngfield, Virginia 22161
$3.25,
GPO Printed copy price:
|
.
Availability of Reference Materials Cited in NRC Pub!ications
Most documents cited in NRC publications will be available from one of the following sources:
1. The NRC Public Document Room,1717 H Street., N.W.Washington, DC 20555
2. The NRC/GPO Sa'es Program. U.S. Nuclear Regulatory Commission,Washington, DC 20555
3. The Nationai Technical Information Service, Springfield, VA 22161'
Although the listing that follows represents the majority of documents cited in NRC publications, it is notintended to be exhaustive.'
Referenced documents available for inspection and copying for a fee from the NRC Public Documentt
Room include NRC correspondence and internat NRC memoranda; NRC Office of Inspection and Enforce-ment bulletins, circulars, information notic.es, inspection dnd investigation notices; Licensee Event.
Reports; vendor reports and coccspondence; Commission papers; and applicant and licensee documentsand correspondence.
]. The following documents in the NUREG series are available for purchase from the NRC/GPO Sales Pro-' gram: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC
booklets and brochures. Also available are Regulatery Guides, NRC regulations in the Code of FederalRegulations, and Nuclear Regulatory Commission Issuances.
Documents available from the National Technical Information Service include NUREG series reports andtechnical reports prepared by other federaf agencies and repcrts prepared by the Atomic Energy Commis-siore, forerunner agency to the Nuclear Regulatory Commission.'
Documents available from public and special technical libraries include all open literature items, such asi
books, journal and periodical articles, transactions, and codes and standards. FederaIRegister notices,,
j federal and date legislation, and congressional reports can usually be obtained from these hbraries.
Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference pro-cced;ngs are available for purchase from the organization sponsoring the publication cited.
Sing!e copies of NRC drafI reports are available free upcn written request to the Division of TechnicalInfor-mation and Droment Control, U S. Nuclear Regulatory Commission, Washington, DC 20555.
t_
*-wcW7 * 7pvr '-y- gt vg ey --t e hv m-- + 'y ypy--,,t.-c-=r-yea 1t v+c-p--+-i ger-i- v 1p- y m vyrq WW-yww eeve gy- y w- g -- y e-^**p.-gy--p--er'M-rg*wmyy- ggr yy 9tcw,- w--+v-*-7cwy y v- * w7% e e v%-+w ag-
NUREG/CR-2248SAND 81-1625
. _ - - _ _ _ - - _ _ _ _ _ _ _ _ - _ - _ _ _ _ _ - - - _ - - - _ -____ __ -__
Comanche Peak Steam ElectricStation, Units 1 and 2,Auxiliary Feedwater System
,
Reliability Study Evaluation
~;_-_.-.____---_-__.. _ _ _ _ _ - - _ - - - _ _ _ _ _ _ . _
Manuscript Completed: June 1981Date Published: September 1981
Prepared byB. J. Roscoe
Sandia National LaboratoriesAlbuquerque, NM 87185
Prepared forDivision of Safety TechnologyOffice of Nuclear Reactor RegulationU.S. Nuclear Regulatory CommissionWashington, D.C. 20555
i NRC FIN A1303,
|
l
i
|
|
, - - - _ - . . . , - . . . . . . . , . . . . . . _ _ . . _ , _ . . _ _ , _ . _ . _ _ - _ _ . , . - . _ _ . _ - . - _ _ . _ . - . _ _ - . . . . , _ _ . . . . _ _ _ _ . . _ . , . _ _ . . . , _ . . . _ . . . _ _ _ - , _ . . . - , _ _ _ _ .
-i-
ABSTRACT
The purpose of this report is to present the results of the
review of the Auxiliary Fe 3dwater System Reliability Analysis for
Comanche Peak Steam Electric Station, Unit Numbers 1 and 2.
,
__ . _ _ . _ _ _ _ . _ _ _ _ _ _ . _ _ _ _ _ _ - _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _
-ii-
ACKNOWLEDGEMENT
The author appreciates the review and comments on the draft
provided by Jack W. Hicknan of Sandia National Laboratories.
This report has extracted f reely f rom the referenced documents.
_ ~ , __ . . - _ . _- . _ _ _ . . . - _ - - - . _ _ - - - - ,
. . ~-. . - -. . .. . . - . -
t
1114
!
TABLE OF CONTENTS>
lPage
i i
.List of Figures v
4
Summary and Conclusions l''
l. Introduction 3
1.1 Scope and Level of Effort 4
1.2 Specific Review 4
2. AFWS System Configuration 5>
2.1 System Description 7;
i
2.2 AFWS System Support 13
2.3 Inspection and Testing Requirements 16
2.4 Instrumentation Requirements 17
2.4.1 General 17
2.4.2 Auxiliary Feedwater Flow Control 17
I 2.4.3 Feedwater Supply Control 19
2.4.4 Emergency Feedwater Supply Control 20
2.4.5 Display Information, Alarms, and Controls 20
3. Discussion 21
{ 3.1 Mode of AFWS Initiation 21
i! 3.2 System Control Following Initiation 22
;
3.3 Test and Maintenance Procedures andUnavailability 22
,
3.4 Adequacy of Emergency Procedures 23,
3.5 Adequacy of Power Sources and Separation of 231
Power Sources
3.6 Availability of Alternate Water Sources 24
3.7 Potential Common Mode Failure 24
3.8 Application of Data Presented in NUREG-0611 24
. _. _ . . - _ _ - __
;
1
|
t ivi
$ '
s
TABLE OF CONTENTS (Cont'd)Page~ s
# 3.9 Search for Single Failure Points 25iI 3.10 Human Factors / Errors 25i .
; 3.11 NUREG-0611 Recommendations Long- and Short-Term 25
3.11.1 Short-Term Generic Recommendations 25! 3.11.2 Additional Short-Term Recommendations 30f
3.11.3 Long-Term Generic Recommendations 341
; 4. Major Contributors to Unreliability 36
5. Conclusions 40,
! 6. Glossary of Terms 41
i 7. References 43|
1
1
l
i
;i
e
|
|
|
i
|1i
i
ir
h
i
|.
;
hi.
a
4
11
!4
,.
>
j= y. e w- -e - e e-~r 2 e.,.w--c e-, ,m w --e ew =, -- e a w *- a-e == c ,ew-+--we-v-m=w.-.-e w - + e+ ,,e - c w y-- y v -w ,-, p w y pw-yw.----w-eryw-yv--r-,=, y~4- , , - ,--v ,,-e .-=-,,yye-
V
LIST OF FIGURESPage
1. Auxiliary Feedwater System Simplified Flow 8Diagram
2. Comparison of CPSES AFWS Reliability to 39Other AFWS Designs in Plants Using theWestinghouse NSSS
.-. . .- . . . . . - - - , .-.
!
Summary and Conclusions
The accident at Three Mile Island resulted in many studies which
outlined the events leading to the accident as well as those follow-
ing. One of the important safety systems involved in the mitigation
of such accidents was determined to be the Auxiliary Feedwater System -
(AFWS). Each operating plant's Auxiliary Feedwater System was
studied and analyzed. The results were reported in NUREG-0611.(1)
The licensee of each nor. operating plant was inatructed(2) to
perform a reliability analysis of his Auxiliary Feedwater System
for three transient conditions involving loss of main feedwater in
a manner similar to the study made by NUREG-0611. Texas Utilities
Generating Company (TUGC), the licensee for Comanche Peak Steam
Electric Station, submitted a reliability report (3) to the U. S.
Nuclear Regulatory Commission in January 1981. This report was
reviewed by Sandia National Laboratories. The following conclusions
resulted from the review:
1. Texas Utilities Generating Company has satisfactorily complied
with the requirement to make a reliability study of their AFWS.
2. The AFWS of the CPSES, Units 1 and 2, has high reliability
relative to the reliability of AFWSs of operating plants for
the first case event, Loss of Main Feedwater. Quantitatively,
the unavailability of the system for this event is approximately
2 x 10-5 per demand. Qualitatively, the system is automatically
_ _ _ _ _ _ _ _ _ - _
-- - - -. -
!i-2-
a
$ '
t
e
initiated, highly redundant, has no. observed single point
vulnerabilities, and is tested periodically and following
realignment to ' demonstrate availability of flow path to thee
steam generators. Failure on demand is dominated by closure
of both valves in the suction lines. The unavailability for
!the second case event, Loss of Main Feedwater and Loss of
Offsite Power, is approximately 2.7 x 10-5 per demand, which
places reliability of 'the AFWS in the high range in comparison
with operating plants, if the reliability of the diesels is as
:
I high as .03. Failure on demand is dominated.by closure of
! both valves in the suction lines. The unavailability for the!
I third case event, Loss of Main Feedwater and Loss of All AC
', Power, is 1 x 10-2 which places the reliability in the medium.
range in comparison with operating plants. The turbine-driven
pump train has no identifiable ac power dependencies and is
automatically actuated. Failure on demand is dominated by
i
test and maintenance outage.
,
t
e
i
4
.4
J
l
ii
(
4,--w_. . . . , , , . _ , - - , , , - . . . , ,_r, , . _ , , , , , , . . . ..,,,,.._,,,g,.,,.,.,,..,,, ,,...,,.-,,a.~e., ,_,,r- . y-_ .. - .. :,., ..,.m.,7.,,,.w, , - . -
-5-
Also the methods used in NUREG-0611 were compared to those used in
the analysis. The specific findings are presented below in Sections
3, 4 and 5.
2. AFWS System Configuration|
The Auxiliary Feedwater System (5) is designed to provide a supply )
-of high pressure feedwater to the secondary side of the steam
generators for reactor coolant heat removal following a loss of
normal feedwater. It provides an alternate to.the main feedwater
during hot shutdown, cooldown, and startup operations. It also
provides a cooling source in the event of a loss-of-coolant accident
(LOCA) for small breaks. Furthermore, the system is used in the
event of a main steam line break, feedwater line break, Control
Room evacuation, and steam generator tube rupture.
The system functions over the full operating pressure range of the
steam generators, 125 psia to 1107 psia (maximum), and is capable
of supplying the minimum required flow of 470 gpm total to at least
two of the effective steam generators against a back pressure
equivalent to the accumulation pressure of the lowest set safety
valve plus the system frictional and static losses. The Auxiliary
Feedwater System is designed to preclude the effects of hydraulic
instability due to water hammer by supplying water to the secondary
side of the steam generator through a separate upper auxiliary
feedwater nozzle. This permits the cold auxiliary feedwater to
be heated as it comes down the side of the steam generator prior
to reaching the feedwater preheater.
_ _ _ _ _ _ _ - _ _ _
-6-
1
The water level in the steam generators is maintained at the proper
level to prevent a temperature rise in the RCS, which coald result! -
in the release of primary coolant through the pressurizer relief'
valves.
Suf ficient auxiliary feedwater flow is provided to permit operation
at hot standby for four hours, followed by a cooldown period, at a
cooldown rate of 50*F/hr, to reduce the T to 350*F, at which -avg
time the RHRS can be operated.
Two motor-driven pumps (MDP) and one turbine-driven pump (TDP) are
provided with sufficient capacity to ensure an adequate flow of1'
auxiliary feedwater following a feedwater line break accident
coincident with a single active failure.
All redundant components are physically separated from each other
by an arrangement of concrete barriers designed to preclude coinci-
dent damage to equipment in the event of a postulated pipe rupture,f
; equipment failure, or missile generation..
!
The system is classified as nuclear-safety-related and consists of
ANS Safety Class 2 and 3 piping and equipment, except for the non-
nuclear-safety condensate transfer pump and associated piping and
valves used to provide makeup and drainage for the Condensate4
Storage rank. Seismic Category 1 design criteria are considered
for all ANS Safety Class 2 or 3 components. The piping.is
designed to meet the requirements of Branch Technical Positions
e
s
4
-- . - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ . _ _ _ _ . _ _ _ _ _ _ _ _ . _ - . . _ _ _ _ _ _ . _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ . _ _ _ . _ _ _ . _ _ _ _ . _ _ _ _ . _ _ _ __ . _ _ _ _ _ _ _ _ _ _ . _ . . _ __
f U1
-7-
APCSB 3-1 and MEB 3-1. The system is designed in accordance with
10 CFR Part 50, GDC 2, 4, 5, 19, 44, 45, 46, and 57.
2.1 System Description
The Auxiliary Feedwater System is comprised of two electric motor-
driven auxiliary feedwater pumps and associated valves, piping, and
controls and a third turbine-driven auxiliary feedwater pump with
associated valves, piping, and controls, which-is independent of
the electrical power supply to the motor-driven pumps. A simpli-
fled flow diagram is shown in Figure 1. Three pumps are considered
adequate to prov- de redundancy to ensure an adequate supply of^
auxiliary feedwater following an accident, coincident with the,
single failure of a pump.
All three pumps normally draw sucticn from the Nuclear Safety Class
3 Condensate Storage Tank (CST). A single line supplies water
through locked-open valves to the suction of the motor-driven
auxiliary feedwater pumps, and a second line supplies water through
locked-open valves to the suction for the turbine-driven auxiliary
feedwater pump. Of the 500,000-gal capacity, 276,000 gal are
reserved for use as auxiliary feedwater. The rest of the tank
(224,000 gal) is used as condensate storage for the Demineralized
and Reactor Makeup Water System and Condensate System. The reserved
auxiliary feedwater cannot be drained by the non-nuclear-safety
systems because of the elevation of the outlet nozzles.
.
- - - - - - - - - - - - _ _ _ _ _ _ _ _ _ _ _ _ _ _ . . . _ _ _ _
|7,g
Condensa te N ", -
StorageTank
/ ~*"L.O. F.O. L.O.
F.O. L.D.-. L.0. * mL
_ g
L.O. L.0 p
-Phd ri d ,,--6. [Or,ain , _,I' Mc- -
N I
Main /TAT r. w.1 V
L.O. F.O. L.O..
.0. L.O.L.O. mL _1P" A
p i_
f'*Train 8
O 9"D- 'At
,v
g L.D. F.0. L.0.,
L.O. L.O.w-,
O-
V. --- @-E? V. -dC
_ -_
M- --
s.0.L.D. Turbine L.D. F.O. L.D. FAI i4. i
L4.FAI j
er. i.trK V15- / .0. . . L.O.
Key:
L.O. - Locked Open -t>lq Motor Operated COMANCHE PEAK S C.SFNAL SAFETY ANALYSG FtEPOrtTF.O. - Fails Open Pneumatic Operated Figure 1. Auxiliary Feedwater System UNITS I and 2
FAI - Fails As Is 4 Manual Operated
_ - _ _ . - _ _
_ _ _ _ _ - .- - - .-- _ -
;
-9
While the Conjensate Storage Tank is the preferred water supply,
another ANS Safet/ Class 3 alternate supply is provided. The
Auxiliary Feedwater System has the capability to draw suction from
the service water system (SWS) in the event of loss of the Conden-;
sate Storage Tank. Two normally closed, key-switch activated,
motor-operated butterfly valves in the SWS prevent polution of
the auxiliary feedwater by station service water.
,
Each motor-driven auxiliary feedwater pump is capable of delivering|j- 470 gpm, and the turbine-driven auxiliary feedwater pump is capablei
of dslivering 940 gpm to the steam generators. All three pumps
automatically deliver the flow within one minute following an
asixiliary feedwater actuation signal.
Each motor-driven pump normally feeds two steam generators. A nor-
mally closed interconnection between the motor-driven pump itischarge
lines permits either pump to feed all four steam generators. This
interconnection provides the operator with the means to maintain
the water level in all steam generators on a long-term basis follow-
ing a LOCA by operating either motor-driven puep. The pumps can be
manually started or stopped from the Control Room or the hot shutdown
panel.
The turbine-driven pump discharge line branches into four separate
lines each feeding one steam generator. Each of these lines is,
provided with a normally open, pneumatically operated feed regulator
-
__ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ . _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ . _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ . _ _ _ _ _ _
- . _ . . -
!,
-10-
,
control valve. The turbine-driven pump can be manually operated
i from the Control Room or the hot sh:.tdown panel.
j Each of the lines that connects the auxiliary feedwater pumps to
! the steam generators is provided with: a normally open, pneumati-!
cally operated feed regulator control valve; a flow-limiting orifice;
a check valve; and three isolation valves. Remote manual controli
t of the feed regulator control valve is provided from the Control
Room with provisions for local manual operation on the hot shutdowni
i panel. Air accumulators are provided for the pneumatically operated|
j valves with suf ficient capacity to permit remote valve closure in
i
the event of a secondary system break where local valve opaa lon
cannot be accomplished within the required time period following
.ithe incident. The valves are located near the auxiliary feedwater
pumps to allow local manual operation in the event of a Control Room1
evacuation.
The flow limiting orifices are provided to limit flow to a maximum
|of 1380 gpm, in the event of either a main feed line break or a main
steam line break inside containment.
1
i Downstream of the last isolation valve, each line from the motor--
driven pumps joins with a corresponding line from the turbine-driven
pump to form a common line that connects with an auxiliary feedwater
i nozzle on the steam generator.i
1
An orifice-type flow measuring device is located in each of thei
i.auxiliary feedwater lines to indicate grossly uneven flow to the
>
i
4
- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ ____ ___ _ .
-11-
steam generators. Readout for these flow measuring devices is
located in the Control Room and on the hot shutdown panel. To
avoid the possibi1.ity of a single active failure stopping all
auxiliary feedwater flow to a steam generator, there are no
valves located in the common main feedwater lines.
The Auxiliary Feedwater System operates over an extended period of
time folloaing a LOCA. The two motor-driven pumps start automati-
cally and they provide an additional means for removing core residual
heat in the event for a LOCA for small breaks. During all LOCA
conditions, the system is used to maintain an adequate water level
above the tubes in the steam generators to prevent primary to second-
ary leakage. Either pump is capable of providing sufficient flow.
The operator shuts down the pumps at his discretion and manually
adjusts feed flow to individual steam generators.
All three auxiliary feedwater pumps start automatically af ter either
a main steam line break. At an early stage in the accident, the
operator isolates ti.e feedwater to the affected steam generator
which subsequently blows down to ambient temperature. AFWS flow is
not needed in the early phases; however, the system provides for the
cooldown of the unaffected steam generators to prevent the RCS from
being repressurized. Any pump is capable of providing sufficient
flow. The operator shuts down the pumps at his discretion.
All three auxiliary feedwater pumps start automatically af ter
the loss of the main feedwater system. Any of the three pumps iri
_ _ _ _ _ _ _ _ . _ _ _ _ _ _ . _ . _ _ . . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ . _ _ _ _ . . _ . . _ _ _. _ _ _ _ __ __ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ . _ _ _
-12-
( capable of providing sufficient flow to the steam generators to
allow the plant to be taken to a safe shutdown condition. The
operator shuts down the pumps at his discretion.
The operation of the Auxiliary Feedwater System following a steam
generator tube rupture is manually initiated. The two motor-driven
pumps are started manually and may be used to maintain the required
water level in the steam generators as the plant is shut down. The
operator identifies the affected steam generator and isolates it
and the operator shuts down the pumps at his discretion..
The operation of the Auxiliary Feedwater System following a Control~ Room evacuation is manually initiated and is controlled from the
hot shutdown panel. The operator maintains water level in the
steam generators with either the two motor-driven pumps or the
turbine-driven pump. If the Control Room remains inaccessible for,
an extended period of time, then the suction to the pumps is shif ted
from the Condensate Storage Tank to the SWS. The pumps are used to
maintain the required water level in the steam generators as the4
1
1
plant is shut down. Again the operator shuts down the pumps at his
discretion.
Each power supply train for the notor-driven pumps, control valves,
and instrumentation is supplied from a separate and independent
Class IE bus that is capable of supplying the minimum required power
for the safety-related loads required following a LOCA or loss of
,
-g
[
-13-
offsite power (blackout), or both. Each bus can be powered from
two independent 6Tfsite power sources or by the diesel generator
assigned to the bus.
2.2 AFWS System Support
In the event of loss of offsite power, the backup turbine-driven
auxiliary feedwater pump operates. The TDP train does not have
any auxiliaries requiring offsite or diesel-generated power.
For redundancy, steam for the turbine driver is supplied from *
two steam generators. Either supply can meet the turbine driver
requirements. The turbine steam supply valves are fail-open air-
operated types each with a pilot solenoid valve supplied from a
redundant Class 1E power supply.
The turbine speed control governor is of the mechanical / hydraulic
type, which is capable of maintaining the turbine at the high speed
setting without any outside sources of power.
During normal plant operation the turbine speed is controlled by
the speed setting signal which is converted to a pneumatic signal
for the turbine governor controls. Loss of this remote speed set-
ting signal and/or the air supply will result in the turbine running
at the high speed setting.
The ac power supply for the turbine speed setting signal is from the.
station inverters which are supplied from the 125 volts de batteries.
The air supply is from the station instrument air system.
. . . . .
___ _ ___ __ __ ____ __.
-14-
Safe shutdown of the unit relies upon the availability of the
Auxiliary Feedwater System. Loads which are required for the safe
shutdown of the unit are connected to the Class 1E power supply.
In the event of a LOCA or loss of all of f site power (LOSP), or
both, the motor-driven auxiliary feedwater pumps and their associated.
motor-operated valves are automatically sequenced onto their respec-
tive emergency buses as follows:
Start Time AfterComponent LOSP (sec.)
Motor-operated valves 10
Motor-driven auxiliary feedwater pumps'
40
Motor-operated valves stop automatically when valve action is
completed while the motor-driven auxiliary feedwater pumps must be
manually stopped.
f
In the event of a feedwater line break inside the containment, the
larger than normal flow is detected by the flow-measuring device
in the line.
Redundancy is provided throughout the Auxiliary Feedwater System'
and supporting systems to ensure safe plant shutdown with only one
motor-driven auxiliary pump by supplying the required flow to a
minimum of two steam generators while subject to a single active
*
<
-15-
failure in the .hort-term or a single active or passive failure in
the long-term. This flow is sufficient to maintain the unit in a
safe condition.
I
The Auxiliary Feedwater System is capable of withstanding adverse
environmental conditions. It is designed to seismic Category I
requirements, is located within tornado resisting structures, and
is protected from tornado-generated missiles. The Condensate Storage
Tank is designed against tornados and missile penetration. The
supply lines from the tank to the Safeguards Building are buried
underground and the auxiliary feedwater pumps are located in an
enclosed bay of the Safeguards Building at a floor elevation of
790 ft 6 in.
All redundant components (including pumps, controls, Class 1E power |
sources, and electric cable) are separated from each other by a
proper arrangement of barriers or suitable physical separation.
This barrier separation is provided to preclude coincident damage
to redundant equipment in the event of a postulated pipe rupture,
equipment failure, or missile generation. Each pump is situated in
a separate compartment and is protected by walls constructed to
seismic Category I requirements.
Two sources of flooding are considered. One source of flooding is
a pipe break in the auxiliary feedwater pump discharge. Separate
- - _ _ -__--_ _ - .-_
_ _ _ _ _ _ _ _ _ _ _ _ _ - - - _ - - . . -
-16-
compartment design, as well as access and drainage, prevents flood-\ing of adjacent equipment. 'Ihe second source of flooding considered
is a crack in a 24-in diameter 0.375-in wall, component cooling
water pipe that runs adjacent to the bay occupied by the auxiliary
feedwater pumps. This piping is considered a piping system contain-
ing moderate-energy fluids during reactor operation. Floor drains
are provided to accommodate any water leakage as a result of a
postulated crack.
Redundancy of cooling water source is ensured by a connection with |
the SWS, which is of Safety Class 3 design.
This backup source of water, which has lower quality standards than
those specified for steam generator feed, would be used only in case
of extreme emergency, when safety overrides water quality '
consideration.
Design of the Auxiliary Feedwater System is such that the effects
of water hammer are precluded by the use of a separate upper
auxiliary feedwater nozzle on the steam generator.
2.3 Inspection and Testing Requirements
All system comp % ents are tested and inspected in accordance with
the applicable codes. The system is capable of being tested while -
the plant is in operation. A test line to the Condensate Storage|
Tank is provided on each pump discharge. This provision allows
b,
_,_,_ _ _ _ _ _ _ _ - - - - _ - - - - - - - - - - - - - -
. ._
-17-
k each pump discharge valve to be closed. Test procedures provide
for manual check to assure reopening of this valve following
tests. Each pump can be started manually and recirculated back
to the tank. Only one pump at a time is tested and pressure and
flow indications at the pump discharge are used for checking the
pump performance.
2.4 Instrumentation Requirements,
2.4.1 General.
The instrumentation and controls for the Auxiliary Feedwater
System provide for automatic or manual and remote or local
operation of the system. Controls for ac mel operation of
the system at local stations and at the Hot Shutdown Panel
are provided in addition to auto / manual controls in the
Control Room. Controls from the Hot Shutdown Panel override
all other signals and activate an override alarm in the control
Room.
The signal that starts any of the three auxiliary feedwater pumps
closes the blowdown and sample line isolation valves for all the
steam generators.
2.4.2 Auxiliary Feedwater Flow Control
iDuring cooldown, the operator maintains the required steam
i generator water level by varying the auxiliary feedwater flow.
Motor-driven auxiliary feedwater pump flow to each steam
_ _ _ _ _ _ _ _
.- . . . - . .-. -
Y
1
'
_1g_
5
a
I
!
generator is remote manually controlled by feed regulator con-
trol valvedT" The valves are located near the pumps to allow,
,
manual operation. Cerdrol stations on the Main Control Board
and Hot Shutdown Panel enable the operator to control the flow
manually from the Control Room or f rom 'the Hot Shutdown Panel
in conjunction with a nearby patch panel for valve control.
A low pump discharge pressure automatically trips the control'
from manual flow cont.ut to automatic pressure control to
provide protection against pump cavitation and excessive load
on pump motor or diesel generator. Each auxiliary feedwater
regulator control valve is air-operated and is provided with
a nuclear safety-related air accumulator to permit valves to'
close in the event or a secondary system break with an instru-
ment air system failure. The valves fail-open on loss of air
,
or electric failure.i
;
,
| All controls for motor-driven pump A are electrical Train A.
f oriented; all controls for motor-driven pump B are electrical
Train B oriented; all controls for the turbine-driven pump arei
fed from the 125VDC System.
The turbine-driven pump starts and accelerates to design
conditions within 60 seconds. On loss of electrical power or i
air supply, the pump accelerates to maximum speed demand. p
Since the turbine-driven pump i, supplied with a fail-closed.,
trip and throttle valve, this valve is latched in the op .
t
..
, - - . . . - . , . , ,._,,m, , ,,, , . , _ , , , , - . . . , , , _ . , . , . _ , ,.
-19-
position. Two redundant steam supply lines, each with an air
operated supply valve, provide steam to start and accelerate
the turbine-driven pump. These air-operated valves fail-open,
ensuring that the pump accelerates to design speed on loss of
air supply or electrical power. Speed control is accomplished
with a 6 dward Electronic Speed Governor. A mechanical over-
speed trip device is provided to trip the turbine at 125 percent
rated speed. Manual speed control is from the Control Room,
the local control station, or the Hot Shutdown Panel. The
manual control from the Hot Shutdown Panel overrides all other
signals. There is speed indication on the Control Room Panel
and Hot Shutdown Panel --A at the local panel. The turbine-
driven pump is tripped by low suction pressure or by low oil
pressure with manual override of trips provided. The low oil
pressure trip is bypassed on a safety injection signal. Flow
from the turbine-driven pump to each steam generator is regulated
by control valves under manual control f rom either the Control
Room or the Hot Shutdown Panel. Each valve has an air accumu-
lator t o permit remote manual valve operation in the event of
an instrument air system failure.
2. . 3 Feedwater Supply Control
j Condensate Storage Tank makeup is automatically supplied when-
ever the tank level is below set point level. Makeup water can
be supplied manually from a main control board switch. Tank
4
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _
__ .. .. . . . _ _ _ .
-20-
level is indicated locally and remotely and high-high, high,
and low tank level alarms are provided. Redundant level
transmitters are used.
The Condensate Storage Tank supplies water to the auxiliary
feedwater pumps. The automatic starting of any auxiliary feed-
water pump initiates the automatic isolation of the Condensate
Storage Tank from all its other users. This ensures an adequate
water supply to the auxiliary feedwater pumps whenever they are
started.
The condensate transfer pump is manually started and stopped
from a main control board switch. The pump is automatically |
stopped in the event of an "S" signal or on low pump suction
pressure.
2.4.4 Emergency Feedwater Supply Control
Inlet motorized control valves are manually controlled by a
key lock switch to. admit service water to the suction of the
auxiliary feedwater pumps.
2.4.5 Display Information, Alarms, and Controls
Control switches and position indication lights are provided |
for all remotely operated valves.
d
The following display information and alarms, in addition to
thcae already mentioned, are provided in the Control Room: q
1
- - - - _ _ _ _ - _ _ _ - _ _ _ . - _ _ _ _ . _ _ _ _ _ _ _ _ . .
- - -
-21-
3 1. Suction pressure indication and low alarm for each
auxiliary feedwater puc.
2. Temperature indication for each steam generator auxiliary
feedwater line
3. Low pressure alarm for alternate feed supply from service
water system
4. Discharge pressure indication for each auxiliary feedwater
pump discharge; low pressure alarm for each of these
pressures; pressure indication on hot shutdown panel for
these pressures
5. Flow in the discharge line to each steam generator; indica-./
tion is also on the hot shutdown panel
6. Flow in the discharge line from each pumps
7. Alarms for local override control from the hot shutdown
panel; local indicators for temperature, pressure, flow,
and level are provided as shown on the flow diagram.
3. Discussion
3.1 Mode of AFWS Initiation\
The AFWS is initiated automatically. The MDPs will start on' (1) two out of four low-low water level signals in any steam
generator, (2) loss of both main feedwater pumps, (3) initiatior.
_ _ _ _ _ _ - _ _ - _ _ _ _ _ _ _
- -__ _____
|-22-
of a cafety injection signal, and (4) loss of of fsite power. The|
TDP starts on the generation of two out of four low-low water level
signals in any two of four steam generators or upon loss of offsite||
power. The automatic starting of any AFW pump initiates automatic |
1
isolation of CST from all its other users. In the event of low CST~
level, mak2 up water is automatically supplied.
3.2 P, stem Control Following Initiation
A'ter initiation proper flow is established by adjusting the MDP
discharge control valves and/or adjusting the TDP speed or discharge
control valves. When the reactor coolant average temperature is
reduced to 350*F the RHRS is placed into serv 2ce and the AFWS taken
out of service.
3. 3 Test and Maintenance Procedures and Unavailability
The technical specifications require that all valves be given in
service tests and inspections in accordance with the ASME Boiler
and Pressure Vessel Code (Section XI and applicable Addendc) for,
Safety class 1, 2, and 3 components. Also every 31 days there are
(1) pump discharge pressure and flow tests (2) non-automatic valve ,
I
position verification test and (3) automatic valve position
verification when the AFWS system is in automatic control. The
pumps and system are available on demand during all tests. During
<
shutdown the automatic starting of each pump and the functioning
of the automatic valves from closed to full open in the suction
line of each AFW pump f rom the NSWS are checked. There are no
_ _ _ _
-23-
coincident tests or mainter.snce of componenta within the AFWS.
There was no evidence that the actual Test and Maintenance Proceduresi
were reviewed in detail to assure that the above guidelines had been
observed.
3.4 Adequacy of Emergency Procedures
The Emergency Procedures were not, reviewed or included in the
analysis by TUGC. Emergency operation was discussed as part of the
SNL review and it was assumed that the emergency procedures would
be written to implement the emergency operations. TUGC stated that
it was committed to write procedures to cover when and how the pump
suction is aligned to the service water.
i!3.5 Adequacy of Power Sources and Separation of Power Sources
The motor-driven pumps, associated motor-operated valves and other
electrical equipment receive power from two identical but separate
4160V emergency buses. One bus "A" supplies one pump and "B" the
other. In the event of loss of of fsite power the two diesel
generators each supply one bus in a like manner. The TDP is supplied
with steam from two steam generators. The TDP is raot dependent upon
ac power. Redundant power sources enhance system reliability as
does the separation of these power sources which eliminates many
co-mon cause failure events.
_ _ _ . . _ _ _ _ - _ - - _ _ _ _ _ _ - - _ _ _ _ _ _ _ - -
-24-
3.6 Availability of Alternate Water Sources
For water of steam generator quality the preferred source is the
Nuclear Safety Class 3 Condenaate Storage Tank. The primary
alternate water source is the Service Water E stem which is safetyf
grade but not , steam generat >r quali ty. This source is available
by way of remote manual controlled valves. Switchover to the1
SWS is fast enough to prevent pump failure because of no water
supply at the pump intake.
3.7 Potential Common Mode Failure
A common mode, or more generally common cause, failure is a group
of component failures, with or without the same failure mode, that
are the direct result of the same event, cause or condition and
that leads directly to a specific system failure. TUCC reports
that no common cause failures were discovered through the analysis
that would result in both the TDP and the two MDP's not meeting the
AFW flow requirements. Based upon the site visit, where physical
barriers between major components were observed, and upon reviews)
of the P& ids and system descriptions, no significant potential
common cause fallares were identified.
3.8 Application of Data Presented in NUREG-0611
The report (3) contains a table which includes the fault tree events.
The fault tree was checked and all applicable components as shown
in Figure 1 were properly included. Although the report includes
the data in NUREG-0611 in the table of basic events, there was no
. .. ._ __ _ . . _ , . - - _ -_ _ _ . . __ _ _ - - _ . - ._- .-
-25-
quantified results presented. At the meeting at Comanche Peak
evidence was made available which showed that the analysis was made
in detail and that NUREG-0611 data were used.
3.9 Search for Single Failure Points
There were no single failure points (SF?) associated with case 1,
LMF, or Case 2, LMF/LOSP. For Case 3, LMF/ LAC, there were many
SFPs since Casa 3 describes a single channel system. Any SFP has
a major effect on the reliability of a redundant system and if any
are found, they should be thoroughly reviewed.
3.10 Human Factors / Errors
Human Factors / Errors were considered by TUGC where appropriate in
the fault tree. Failure of manual start and test and maintenance'
,
outages were found to be important contributors to system unavail-
ability, but they are not dominant contributors. Automation is a
major factor in decreasing the effect on reliability of these
types of events.
3.11 NUREG-0611 Recomm'ndations, Long- and Short-Term
3.11.1 Short-Term Generic Recommendations
I. Technical Specification Time Limit on AFW System TrainOutage
Recommendation GS-1
The licensee should propose modifications to the Technical
Specifications to limit the time that one AFW system pump
and its associated flow train and essential instrumentation
_ _______-_6_______m _ .-:--____ a
-. _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _
-26-
11
|,
Ican be inoperable. The outage time limit and subsequent)
action time should be as required in current Standard,
Technical Specifications; i.e., 72 hours and 12 hours,
respectively.
Response1
Comanche Peak has Westinghouse Standard Technical Specifi-
cations and :: such already has these requirements included
in the Technical Specifications.
II. Technica. Specification Administrative Contro); on Manual.
Valves - Lock and Verify Position.
Recommendation GS-2
The licensee should lock open single valves or multiple(valves in series in the AFW system pump suction piping
and lock open other single valves or multiple valves in
series that could interrupt all AFW flow. Monthly inspec-
tions should be performed to verify that these valves are
locked and in the open position. These inspections should
be proposed for incorporation into the surveillance require-
ments of the plant Technical Specifications. See Recommen-
dation GL-2 for the longer-term resolution of this concern. -
Response(
All manual valves in the auxiliary feedwater flowpath are
checked monthly to verify that they are locked open. This
requirement is included in the Comanche Peak Technical
Specifications. {
!
_ _ _ _ _
-27-
III. AFW System Flow Throttling - Water Hammer
Recommendation GS-3
The licensee should reexamine the practice of throttling
AFW system flow to avoid water hammer.
The licensee should verify that_the AFW system will supply
on demand sufficient initial flow to the necessary steam
generators to assure adequate decay heat removal following
loss of main feedwater flow and a reactor trip from '90%
power. In cases where this reevaluation results in an
increase in initial AFW system flow, the licensee -5culd
provide sufficient information to demonstrate ti..
required initial AFW system flow will not result . plant
damage due to water hammer.
Responsa
g Auxiliary feedwater flow is not throttled initially to
prevent water hammer. The required flow rate is available
within 60 seconds following the initiating event.
i IV. Emergency Procedures for Initiating Backup Water Supplies~
Recommendation GS-4
Leergency procedures for transferrin; to alternate sources
of AFW supply should be available to the plant operators.
These procedures shn91d include criteria to inform the
%
. .
. . . . . . _ _ _ _ _ . - - _ . - - _ . - - _ - - - . _ - . - - - _ - -
. _ . -
-28-
1
operators when, and in what order, the transfer to alternate
water sources should take place.
i
Response
CPSES will provide emergency procedures to inform the i
|
operator when, and in what order, the alignment to alternate
water sources should take place. The instrumentation and
controls utilized in the switchover logic will be safety
grade.
V. Emergency Procedures for Initiating AFW Flow Following aComplete Loss of Alternating Current Power
Recommendation GS-5
The as-built plant should be capable of providing the(required AFW flow for at least two hours from one AFW
pump train, independent of any ac power source.
Response
The auxiliary feedwater system at Comanche Peak is capable
of automatic initiation and of providing the required flow
for two hours independent of any ac power source. This is<
accomplished by means of the turbine-driven auxiliary feed-)Iwater pump and de motor-operated / solenoid valves at
appropriate locations in the system. The TDP will be run
for two hours without forced ventilation as part of the forty-
eight hour endurance test.
t
_ _ - _ _ _ _ - _ _ _ _ .
.. . . . _ . . .. .. .
-29-
VI. AFWS Flow Path Verification1
Recommendation GS-6
The licensee should confirm flow path availability of an
ATW system flow train that has been out of service to
perform periodic testing or maintenance as follows:
(1) Procedures should be implemented to require an
operator to determine that the AFW system valves are
properly aligned and a second operator to independently "
verify that the valves are properly aligned. ,
(2) The licensee should propose Technical Specifications
to assure that, prior to plant startup following an
extended cold shutdown, a flow test would be performed
to verify the normal flow path from the primary AFW '
s
system water source to the steam generators. The flow4
test should be conducted with AFW system valves in
their normal alignment.
eResponse
(1) Procedures will be developed to provide for double
vetrification of the auxiliary feedwater system align-
ment following maintenance activities. For normal
periodic testing of the system, no realignment of
manual valves is required so no verification of system
status is necessary.
>
__ _ _ _ . _
-30-
l1
(2) CPSES has the latest version of the Standard Technical
Specifications which provide adequate assurance of the
operability of the auxiliary feedwater system.
VII. Non-Safety Grade, Non-Redundant AFW System AutomaticInitiation Signals
Recommendation GS-7
The licensee should verify that the automatic start AFW j
system signals and associated circuitry are safety grade.1
1
Response
The CPSES auxiliary feedwater system employs safety-grade
automatic initiation signals and circuits.
VIII. Automatic Initiation of AFWS,d
Recommendation GS-8
The licensee should install a system to automaticallyI
initiate AFW system flow.,
Response
See response to Recommendation GS-7.
3.11.2 Additional Short-Term Recommendations
I. Primary AFW Water Source Low Level Alarm
Recommendation
The licensee should provide redundant level indication and
low level alarms in the control room for the AFW system
.. . . . .
. . .
.. - - - _ _ _ _ _ _ -
-_
-31-
primary water supply, to allow che operator to anticipate
the need to make up water or transfer to an alternative
water supply and prevent a low pump suction pressure condi-'
tion from occurring. The low level alarm serpoint should
allow at least 20 minutes for operator action, assuming
that the largest capacity AFW pump is operating.
Response
At the time of review the applicant had not provfded for
the appropriate 20 minute alarm. This has been recently
corrected in that the CST has a lt . -low level alarm when
the water level f alls to 28,700 gallons. If the largest
capacity pump draws down this capacity, the alarm will
give the operator 20 minutes warning time to turn on the
make-up to the CST or switch to an alternate source of
water.
II. AFW Pump Endurance Test
Recommendation
The licensee should perform a 72 hou. endurance test on
all AFW system pumps, if such a test or continuous period
of operation has net been accomplished to date. Following
the 72 hour pump run, the pumps should be shut down and
cooled down and then restarted and run for one hour.
Test acceptance criteria should include demonstrating
that the pumps remain within design limits with respect
- _ _ _ _
_-_ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ - . _ _ _ _ __
-32-
to bearing / bearing oil temperatures and vibration and
that pump room ambient conditions (temperature, humidity)
do not er.ceed environmental qualification limits for
safety-related equipment in the room.
Response
it is our understanding that the Staff has modified this
recommendation to perform a 48 hour endurance test on all
auxiliary feedwater pumps in lieu of the 72 hour test.
The motor-driven auxiliary feedwater pumps will be run,
for several days during the hot functional test period.
The exact time period and system configuration will be
documented. A 48-hour test of the TDP will be performed
as well as a two hour full flow test without ac dependent
forced ventilation.
III. Indicttion of AFW Flow to the Steam Generators
Recommendation
The licensee should implement the following requirements
as specified by Item 2.1.7.b on page A-32 of NUREG-0578:
(1) Safety-grade indication of AFW flow to each steam
generator should be provided in the control room.
(2) The AFW flow instrument channels should be powered
from the emergency buses consistent wit'n satisfying
-
-33-
,
the emergen.y power diversity requirements for the
AFW system set forth in Auxiliary Systems Branch
Technical Position 10-1 of the Standard Review Plan,
Section 10.4.9.
Response
AFW flow to each steam generator is indicated in the control
room. The components and instrument channels are safety.
grade and powered by independent emergency buses.
IV. AFWS Availability During Periodic Surveillance Teeting.
Recommendation
Licensees with plants which require local manual realign-
ment of valves to conduct periodic tests on one AFW
system train and which have only one remaining AFW train
available for operation should propose Technical Specifica-.
"
tions to provide that a dedicated individual cho is in
communication with the control room be stationed at the
manual valves. Upon instruction from the control room,
'this operator would realign the valves in the AFW system
from the test mode to its operational alignment.
Response
The auxiliary feedwater system design is such that no '
manually operated valves need to be repositioned during
periodic testing of the system. Those valves which must
.
at
|
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
1
-34-
|
be repositioned can be operated from the control room..
In the event the system is automatically actuated, thesce
valves will be actuated to their " safety" position.
3.11.3 Long-Term Generic Recommendations
I. Automatic Initiation of AFWS -
Recommendation GL-1
For plants with a manual starting AFW system, the licensee
should install a system to automatically initiate the AFW -
system flow. This system and associated automatic initi-
ation signals should be designed and installed to meet
safety grade requirements. Manual AFW system start and
control capability should be retained with manual start,
serving as backup to automatic AFW system initiation.
Rerponse
See response to Recommendation GS-7.
|
II. Single Valves in the AFWS Flow Path
Recommendation GL-2
Licensees with plant designs in which all (primary and.
alternate) water supplies to the AFW systems pass through
valves in a sing 1- flow path should install redundant
parallel flow patas (piping and valves).
O
_ - _ _ _ _ _ - _ _ _ _ _ .
||
-35-
'
Response
The Comanche Peak auxiliary feedwater system design has
redundant flow paths via redundant pumps, valves and
piping.
III. Elimination of AFWS Dependency on Alternating CurrentPower Following a Complete Loss of Alternating CurrentPower
Recommendation GL-3
At least one AFW system pump and its associated flow path
and essential instrumentation should automatically initiate
AFW system flow and be capable of being operated indepen-
dently of any ac power source for at least two hours.
Conversion of de power to ac power is acceptable.
Response
See response to Recommendation GS-5.
IV. Prevention of Multiple Pump Damage Due to Loss of SuctionResulting from Natural Phenomena
Recomm_endation GL-4
Licensees having plants with unprotected normal AFW system
water supplies should evaluate the design of their AFW
systems to determine if automatic protection of the pumps
is necessary following a seismic event or a tornado. The
time available before pump damage, the alarms and indica-
tions available to the control room operator, and the time -
necessary for assessing the problem and tcking action should
- - _ _ _ _ _ - _ - - .
I
-
-36-
|)
be considered in determinias whether operator action can
be relied on to prevent pump damage. Consideration should
be given to providing pump protection by means such as
automatic switchover of the pump suctions to the alternative
safety-grade source of water, automatic pump trips on low.
suction pressure, or upgrading the normal source of water
to meet seismic Category 1 and tornado protection require-
ments.
Responsei
The primary source and alternate cource are Nuclear Safety f
Class 3. The pumps automatically trip off on low suction
pressure. This trip can be over-ridden by manual control.
V. Non-Safety Grade, Non-Redundant AFWS Automatic Initiation ||Signals
(Recommendation G1-5
The licensee should upgrade the AFW system automatic
initiation signals and circuits to meet safety-grade require-i
ments.'
f
Response
See response to Recommendation GS-7.
4. Major Contr.ibutors to Unreliability
TUGC lists the following major contributo'rs to unreliability for
, each case.
- _ - - __ __-__- _
!-
-3-
1. Introduction
i The results of many studies pertaining to the Three Mile Island
CIMI) Nuclear Power Plant accident conclude that a proper func-.
tioning Auxiliary Feedwater System is of prime importance in
the mitigation of such accidents. Therefore, a letter dated
March 10, 1980,(2) stating U. S. Nuclear Regulatory Commission (
(NRC) requirements regarding the AFWS was sent to all operating,
license applicants with a Nuclear Steam Supply System (NSSS),
- designed by Westinghouse or Combustian Engineering.
Texas Utilities Generating Company i TUGC), the applicant for an,,
,.
operating license for the Comanche Peak Steam Electric Station,
(SES) which has a Westinghouse-designed NSSS, provided a response
in January 1981, in the form of a reliability analysis (3) which ||
was prepared for them by Texas Utility Services (TUS), Dallas,
Texas. The analysis was submitted as Part II.E.1.1 of the FSAR fo-
Comanche Peak SES and was received by SNL on March 9, 1981.
. The analysis makes a study of the failure of the AFWS to supply
sufficient flow to three of four steam generators.(5) The methodi
utilizes a simplified fault tree approach. It takes into account
* comoonent failure, outage due to test and maintetance, and human
errars.
s
-
Comments and questicns were recorded durino the review and submitted7,
to NRC on April 17, 1981. These questions were forwarded to TUGC
_
_..
-4-
by NRC. TUGC and its engineering firm, TUS, met with representatives
f rom NRC and SNL on May 6, 1981 at the Comanche Peak SES. At this
meeting a review of the Comanche Peak AFWS and the AFWS reliability
analysis was given by TUS and a tour of the AFWS was conducted by
TUGC. During the tour, observations were made to facilitate the
discussion period which followed. In the discussion period each of
the questions submitted on Aprit 17 were answered and discussed in
detail.
1.1 Scope and Level of Effort
This project undertakes a review of those portions of the reliability
analysis which (1) satisfy requirement (b) of the let'.or which.
states, " perform a reliability evaluation similar in method to that
described in Enclosure 1 (NUREG-0611) that was performed for operat-
ing plants and submit it for staff review," and (2) provide answers
to the short- and long-term recommendations of NUREG-0611 in response ,
to requirement (c) in the letter. The review was conducted according
to Schedule 189(4) which was submitted by SNL to NRC.
1.2 Specific Review
SNL reviewed the rellsbility analysis (3) submitted by Texas Utilities
Generating Company. Particular attention was directed toward
determining that the analysis addressed in depth the reliability of
the AFWS when subjected to three transient cases: (1) UHF, Lors of
Main Feedwater, (2) LMF/LOSP, Loss of Main Feedwater/ Loss of Of fsite i
Power, and (3) LMF/ LAC, Loss of Main Feedwater/ Loss of cll ac Power.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . - . _ _
_ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ - - --
1
! -37-
Case No. 1 - LMFW
The dominant (controlling) contributor to system unavailability was
found to be closure or blockage of both valves in the two suctiong
lines from the condensare storage tank.
Other important contributors to AFWS system unavailability were found |
|to be unscheduled maintenance of pumps and the testing of valves in j
the feedlines to each steam generator from the motor-driven pumps
and the turbine-driven pump.
The redundancy employed in the design of the CPSES AFWS was found
to be of the type whereby no obvious single faults (active components,
manual valves or human errors) were identified that dominate the
unavailability of the AFWS for a loss of main feedwater transient.
Case No. 2 - LMFW/ LOOP_
The dominant failure modes discussed above are not dependent on the
source of ac power (onsite or offsite) and thus are also the domi-
nant failure modes for this transient and the unavailability of the
AFWS. If the diesel generator failure probability were lower than
the used value, .03, Case 2 would show different failure modes thanm
Case 1. The slight reduction in AFWS system availability for this
transient is caused by a loss of redundancy in ac power sources
that results from a loss of of fsite power.
Case No. 3 - LMFW/LOAC
In this transient, loss of both offsite and onsite ac power is
postulated to occur with the coincident loss of main feedwater flow,
_ - _ _ _ _ - _ _ - _ _ .
(. - _.
g -38-
|
so that the available operating pump subsystems of the AFWS ara!
reduced to only the steam turbine-driven pump train. Thus, any#
single failures in this pump train alone would be sufficient to
fail the AFWS for this transient. The dominant contributors to
system unavailability for thie ;ase were found to include: (1) the
?.urbine-driven pump is offline for maintenance or testing..(2) the
valve in the pump suction line fails closed due to hardware fallute )1
or human error causing a loss of NPSH at the pump's suction.
SNL agrees with the above findings. No quantification of results,
!
was made by TUGC nor were results quantified in NUREG-0611. The
quantitative estimates were obtained subsequently from TUS andlchecked by SNL. For Case 1 the unavailability.of AFWS is 2.0 x 10-5'per demand while for Cases 2 and 3 the unavailability is 2.7 x 10-5
'
per demand and 1 x 10-2 per demand, respectively. These valves are
'plotted in Figure 2 along with the operating plant ratings which
were derived from NUREG-0611. The CPSES AFWS has high reliability
for Case No. 1, LMFW; high reliability for Case No. 2, LMFW/ LOOP;
and medium reliability for Case No. 3, LMFW/LOAC. Sandia agrees
with these ratings. "
There are two points which need to be resolved prior to operation.
These are:
(1) Test and Maintenance Procedures were not evaluated during the
review because they have not yet been accepted by the appli-
cant's manrgement. However, planned procedures have been
.. . .
- _ _ _ _ _ _ _ .
_ _ _ - _ _ _ . _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ - _ -
|
-39-
TOAN5 TENT EVENTS LMPw LM F W/ LOOP LMFW/LDS5 OF ALL AC
PLANTS LOW MED HsGH LOW MED MfGH LOW MED HICH
WE ETINGHOUSE
H ADD AM NECK 9 1> (>
|EAN ONOF ME S 9 q>-Hi
PA AIRif ISL AND 4> d > 4)
SALEM iH4 4HD d i
ZION G D 1>
YANKitROvyt S S d)
TCOJAN 4P G ()
INDIAN POINT d> G (E
arnANet e 8 t>
H B R O91NSON II G d>
StAvtmVALLtv d S q.'
ciNNA * e <>
PT.StACH S O 4 >
cooc e e oI TU3N E Y POINT 4 S <p
FAntry e e o,
suany a ehor.TM ANN A 4 3 r3:
| COMANCHE PEAK # * d'
' NOTE: THE SCALE FOR THIS CASE IS NOT THE SAMEAS THAT FOR THE LMFW AND LMFW/ LOOP.
(
Figure 2. Cociparison of CPSES AFWS Reliability to other AFWSDesigns in Plants Using the Westinghouse NSSS.
.
_ _ _ _ _ _ _ _ _ _ _ _ _ . _ _
.
..
. . _
|
-40-,
|
devised, and the planned procedures were used for the relia-
bility analysis. The planned procedures are adequate, but the
final procedures should be reviewed when they are accepted by
the applicant. In particular, the flow path test procedures
following maintenance or realignment should be made explicit.
(2) Emergency Procedures were not evaluated because they have notI
yet been accepted by the applicant's management. The AFWS
is automatically initiated, and emergency procedures for manual
|backup and changing the suction to the alternate source of
emergency feedwater are planned. When the procedures are
completed, they should be reviewed for adequacy. In particular,
the procedure for utilization of Service Water as an alternate
source should be made unequivocal.
5. Conclusions
It is concluded on the basis of this review that the applicant
Iwill have completed requirement (b) of the March 10, 1980 letter j
upon satisfactory resolution of the points discussed in Section 2
of this report.
The-AFWS of the Comanche Peak SES, Units 1 and 2, has high reli-
ability relative to the reliability of AFWSs of operating plants
for the first case event. Quantitatively, the unavailability of>
the system is approximately 2 x 10-5 per demt.nd for the first case
event. Qualitatively, the system is automatically initiated, highly
.
_m___ _ _ _ . _ _ _ . . _ _ _ _ _ _ . _ _ _ _ _ . . . _ _ _
-
-41-
redundant, has no observed single point vulnerabitities, and
is tested periodically and following realignment to demonstrate
availability of flow path to the steam generators. Failure on
demand is dominated by closure of both valves in the suction
lines. The unavailability for the second case event is approxi-
mately 2.7 x 10-5 per demand, which places reliability in the
high range; this result obtains in Case 2 for a diesel generator
f ailure probability of .03 which is an acceptable value. Failure
on demand is dominated by closure of both valves in the suction
lines. The unavailability for the third case event is'1 x 10-2,
which places the reliability in the medium-to-high range. The TDP
train has no identifiable ac power dependencies and is automatically
actuated. Failure on demand is dominated by test and maintenance
outage.
6. Glossary of Terms
AC Alternating Current
ac alternating current
AFW Auxiliary Feedwater
AFWS Auxiliary Feedwater System
ANS American Nuclear Society
ASME American Society of Mechanical Engineers4
CPSES Comanche Peak Steam Electric Station
CST Condensate Storage Tank
DC Direct Current
_ ___ ._
- - - . . . . . .. . - _ _ _ _ _ - - _ _ _ .
-42-
1
Glossary of Terms (Cont'd)
de direct current
FSAR Final Safety Analysis Report
ft feet
gpm gallons per minute
hr hour3
in inch
IEEE Institute of Electrical and Electronic Engineers
LAC Loss of all AC power
LMF Loss of Main Feedwater
LOCA Loss of Coolant Accident
LOSP Loss of Offsite Power
MDP Motor Driven Pump
NPSH Net Positive Suction Head
NRC Nuclear Regulatory Commission II
NSSS Nuclear Steam Supply System
psia pounds per square inch absolute
psig pounds per square inche gage
PWR Pressurized Water Reactor
RCS Reactor Cooling System
RHRS Residual Heat Removal System
S Siesmic )
SES Steam Electric Station
SFP Single Failure Point
_ _ _ _ _ _ _ - _ _ _ _ _ _ - _ _ _ _ _ _ _ _
_ _ _
-43-
Glossary of Terms (Cont'd)
SG Steam Generator
SNL Sandia National Laboratories
SSF Standby Shutdown Facilities
SWS Service Water System
T Temperature
TDP Turbine Driven Pump
Tavg Average Temperature
!TMI Three Mile Island 1
TUGC Texas Utilities Generating Company
TUS Texas Utilities Services
V Volt
F Degrees Fahrenheit
7. References
1. NUREG-0611 " Generic Evaluation of Feedwater Transients andSmall Break Loss-of-Coolant Accidents in Westinghouse-DesignedOperating Plants" dated January 1980.
2. Letter to all Pending Operating License Applicants of NuclearSteam Supply Systems Designed by Westinghouse and CombustienEngineering from D. F. Ross. Jr., Acting Director Division ofProject Management Office of Nuclear Reactor Regulation, Subject,Actions Required from Operating License Applicants of NuclearSupply Systems Designed by Westinghouse and Combustion Engineer-ing Resulting from the NRC Bulletins and Orders Task ForceReview Regarding the Three Mile Island Unit 2 Accident, dated
( March 10, 1980.
3. " Auxiliary Feedwater System Evaluation," Part II, E.1.1 of theFSAR for Comanche Peak Steam Electric Station, Unit Numbers1 and 2, dated January 30, 1981.
_ _ _ _ _ _ _ _ _ _ _ - _ _ - - _ _ _ _ .
.- __- - . .
-44-
i
4. Schedule _189 No. 1303-1 Title, " Review of Auxiliary FeedwaterSystem Reliability Evaluation Studies for Comanche Peak 182,Waterford 3, Watts Bar 1 and 2, and Midlevel' I and 2," dated
May 7, 1981.
5. " Auxiliary Feedwater System" Part 10.4.9 Comanche Peak SES/FSAR,January 31, 1979. ]
1
I
,
)
1-
. . . . . . . .. - _ _ _ _ _ - .-
~ --
-4 5-
Distribution:
U.S. Nuclear Regulatory Commission (130 Copies for AN)Distribution Contractor (CDSI)7300 Pearl StreetBethesda, Maryland 20014
Armand Lakner -
Office of Nuclear Reactor RegulationU.S. Nuclear Regulatory CommissionWashington, D.C. 20555
3141 L. J. Erickson (5)3151 W. L. Garner '.3)
(For DOE / TIC)3154-3 C. H. Dalin (2 5)
(For NRC Distribution to NTIS)4400 A. W. Snyder4412 J. W. Hickman (5)4412 B. J. Roscoe (2)8214 M. A. Pound
I
_ _
|1
||
1
'U"U.S. NUCLE AR REGULATORY COM dlSSION" " > NUREG/CR-2248
BIBLIOGRAPHIC DATA SHEET SAND 81-1625O TITLE AND SUBTsTLE IAdd Volume No.. s!noornarierel 2. floave blank)Comanche Peak Steam Electric Station, Unit Nos. 1 and 2Auxiliary Feedwater System Reliability Study Evaluation 3. RECIPIENT'S ACCESSION NO.
7 AUTHOR (Si 5. DATE REPCRT COMPLETED
| YEARM ON THB. J. Roscoe June 1981
9 PE RFORMING ORGANIZATION N AME AND MAILING ADDRESS //nclum I,p Codel DATE REPORT ISSUEDMONTH | YEAR i
Sandia Laboratories |September 1981Albuquerque, NM 87115s ,t ,,,, y,,, , , |
8 (Leave Nenki
12 SPONSORING ORG ANIZ ATION N AVE AND M AILING ADDRE SS (inclum lep Co<8el0. PROJE C1/T ASK/ WORK UNIT NO
Division of Safety TechnologyOffice of Nuclear Reactor Regulation ii CONTRACT NOU.S. Nuclear Regulatory CommissionWashington, D.C. 205b5 NRC FIN A1303
13 TYPE OF REPOH T PE RIOD COV E RE D I/nclus,ve deres!
Technical15 SUPPLE MENTARY NO TE S 14. (Leave o/uk/
16 ABSTR ACT (200 words or less!
The purpose of this report is to present the results of thereview of the Auxiliary Feedwater System Reliability Analisis forComanche Peak Steam Electric Station, Unit Numbers 1 and 2.
>
>
17 KE Y WQP PS AND DOCUME NT AN ALYSIS 1 ta DE SC RIP TORS
I
I1h IDF N Tif 'E HS OPE N E N DE D TE RVS
h
18 AV AIL ABILITY ST ATE YE N T 19 SE CURITY C L ASS (Th,s reporrl 21 NO OF PAGE SUnc l a s s i f i ori
Unlimited 20 sE CURI T Y CL ASS (TAs papf D PRICES
% RC W OHM 335 s 1 171
. _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _
UNITED ST ATES bf ]NUCLE AR REGULATORY COMMISSION $W ASHINGTON, D. C. 20%55
POST AGE AND FEES PAID bOFFICI AL BUSINESS U.S. N UCLE A R RE GU L ATOR Y
comuasSioMPE N ALTY FOR PRIV ATE USE, $300
LJ s
R
f|
C
C30$rI;
@<
r
120559104215 2 Ah [rUS NRC
ADM DXJAENT CONT E C L DE5 Asi tm=
POR r- :016 5iWA5141'JGT(". CC 205';S
96C5H<<=to$asCO<<
<hM
>t.
C {'>dio<Z{
|
,
(<
.
,
i
!
-