Ltr Rept-08, 'Review of Sys Analysis in DCPRA:Electrical ...

EtJCLOSURE 3

REVIEW OF THE DCPRA: LETIER REPORT-08

A REVIEW OF SYSTEM ANALYSIS IN THE DCPRA:ELECTRIC POWER SYSTEMS

(Except Diesel Generator and Diesel Fuel Transfer Systems)

G. BozokiR. Fitzpatrick

M. Sabek

December 1989

Risk Evaluation GroupDepartment of Nuclear Energy

Brookhaven National LaboratoryUpton, NY 11973

Prepared forU.S. Nuclear Regulatory Commission

Washington, DC 20555Contract No. DE-AC02-76CH00016

FIN A-3958

9ppg2y03gc} 900ii9PDR ADOCK 05000275P pDG

r' f

I

1. INTRODUCTION

~~1.1 ~Ob'ective

The objective of the present letter report is to summarize the results todate of reviewing the unavailability analyses of the following electric powersystems of the DCPRA:1

~ Nonvital Electric Power System~ Vital 125V DC System

~ Vital AC System

~ Unit 2 Vital AC and DC Systems~ Instrument AC System

The observations obtained by reviewing the unavailability analyses of theDiesel Generators and the Diesel Fuel Transfer System of the DCPRA weredescribed in two previous letter reports.

'his

report reflects BNL's current understanding of the subjectsystems~'8 and as such must be considered interim results. Final results willbe provided in the NUREG/CR to be issued at the end of the project. That willreflect, at that time, any additional supporting input submitted by PG&E aswell as any direct feedback on these preliminary findings.

1.2 Or anization of the Re ort

Section 2 provides condensed descriptions about the configurations andfunctions of the above electric power systems. It also describes thedependency of these systems on support equipment, the surveillance andmaintenance conditions, the unavailability modelling in the DCPRA, and theoriginal PRA results. The purpose of this approach is to present the readerstand alone documentation to which the review's findings can be directlycompared. Section 3 contains the results of the BNL review and presents thecurrent preliminary findings.

DCPRA-08 December 5, 1989

L

V

I

2. UNAVAILABILITYMODELLING OF ELECTRIC POWER SYSTEMS

'

2.1 General

The electric power systems are analyzed in the DCPRA as a series of topevents in the support system event trees.

The electric systems and the associated top events are as follows:

Electric System Top Event Designator

Nonvital Electric Power SystemVital 125V DC SystemVital AC Power System, Unit 1Vital AC and DC Power, Unit 2Instrument AC Power System

OG, NVDF, DG, DH

AF, AG, AH, SF, SG, SHBF, BG, BHIl, I2, I3, I4

The subsequent sections provide the condensed descriptions of theelectrical system analyses. Figure 2.1 shows an overall schematic of theelectrical distribution for Unit 1. The definitions and success criteria ofthe associated top events are detailed in Tables 2.1a through 2.1f.

2.2 Nonvital E1ectric Power S stem

2.2.1 Function Confi uration 0 eration

The functions of this "nonvital." electric power system are:

~ To provide power to the plant's vital (4.16kV) and nonvital (12kV and4.16kV) buses during normal operation.

~ To provide power to the plant's 4.16kV and 12kV buses during startup,plant trips, or situations when the plant is not able to shed loadsdown to house levels.

~ To transfer power generated at Diablo Canyon to PGSE's distributionsystem.

DCPRA-08 -2- December S, 1989

I

The first function is provided by the plant main generator. Under normal.operating conditions the main generator supplies power to the 4.16kV vitalbuses and to the nonvital 12kV and 4.16kV buses (see Figure 2.1 and in moredetail Figure 2.2). Power is generated at 25kV and auxiliary transformer 11

drops this voltage down to the 12kV level to power nonvital 12kV buses D andE. Auxiliary transformer 12 drops the 25kV down to the 4.16kV level to powerthe 4.16kV vital F, G, H, and nonvital E, D buses.

The second function is satisfied by t'e 230kV system (switchyard). Underplant conditions when the main generator cannot supply house loads (seeabove), the 230kV switchyard provides power to the 12kV and 4.16kV buses.Startup transformer 11 (SU11) delivers power to the 12kV SU (startup) bus.This bus supplies power to the nonvital 12kV E, D buses and to startuptransformer 12 (SU12). Startup transformer 12 has two secondary sides: oneside supplies 4.16kV to the vital F, G, H, and the nonvital D buses and theother side supplies also 4.16kV to the nonvital E bus. The breaker OCB 212 isnormally closed (one can identify it in Figure 2.2). It connects the 230kVswitchyard to the plant via the startup transformers. Thus, the secondaryside of SU12 is energized at all times down to the 4kV level. Breakers52HF14, 52HG14 and 52HH14 keep the vital F, G and H buses (Figure 2.2)separated from the standby power source. Given' loss of offsite power eventor a large drop in the load, the plant is designed to run back to house loads(about 50 MW) and not trip.

The third function is satisfied by the 500kV system. This system(switchyard) may also be used as a backup for the second function. To alignthe system for backup, however, requires long lasting (several hours) operatoraction, therefore it was not quantified in the event tree analysis. (It wasmentioned that it might be included among the recovery actions of offsitepower.)

DCPRA-08 3" December S, 1989

\

I1

2.2.2 Unavailabilit Modellin (Nonvital Electric Power System)

For the unavailability analysis the nonvital electric power system was

considered to be composed of two subsystems: the standby offsite power to the

4kV vital buses (F, G and H) and the nonvital 12kV buses (D and E). The

associated top events are: OG and NV. Top event OG questions the

availability of power from the offsite grid (230kV switchyard) to the 4.16kV

vital buses after an initiating event. Top event NV questions the

availability of the nonvital 12kV buses after a plant initiating event. The

success criteria of these top events are described=in Table 2.1a. Technical

Specification and FSAR4 requirements with respect to the operability of the

subsystems are also indicated. The reliability block diagrams of top events

OG and NV are shown in Figure 2.3. The diagram is constructed from blocks(supercomponents) whose boundaries are indicated in Figure 2.2 ~

The reliability block diagrams (Figure 2.3) show the dependencies on

other electrical systems: 230kV offsite power and dc power (dc train 12

supplies power to the controls of 12kV bus D and dc train 13 supplies thecontrols of bus E). Each of the plant switchyards (500kV and 230kV) has itsown battery (and battery chargers) providing motive power for its respectivecircuit breakers. It is claimed that given a loss of offsite power, the

charge on these batteries will last longer than the station batteries due tothe small loads. The 4.16kV buses E and D supply power to the 500kV and 230kV

switchyard battery chargers and air compressors, respectively. The auxiliarypower for the SU transformers is taken from the 4.16kV bus E. Both sets ofauxiliary and startup transformers require 480V power to operate cooling fansand cooling oil pumps. Buses 11D and 11E provide this power.

Upon loss of auxiliary power the 12kV buses automatically transfer to thestartup bus and all five 4.16kV buses automatically transfer from auxiliarytransformer 12 to startup transformer 12. Upon an SI signal the vital busestransfer immediately, the nonvital ones after the main unit trip.Simultaneously a signal opens the auxiliary feeder breakers and closes thestartup feeder breakers.

DCPRA-08 -4- December 5, 1989

I

~(

~ ~2,.2.3. uantification of To Event S lit Fractions (Nonvital Electric Power'

System)

The definitions of the boundary condition split fractions associated withtop events OG and NV are listed in Table 2.2a. The quantification of OG top

events involved the following assumptions:

~ Vhen the plant trips and the 500kV circuit breakers 532 and 632 do notopen, the nonvital 12kV and 4.16kV buses will not transfer over to the

startup power; i.e., feeders from the auxiliary transformers 11 and 12

need not open to keep the 500kV and the 230kV systems separated.~ Loss of offsite power initiator includes failure events to accomplish

load rejection to house loads.~ No credit for backfeed from 500kV.

~ Circuit breaker 212 may be bypassed for maintenance (by using airswitches 213 and 215).

The quantification of top event NV involved the assumption thatmaintenance of auxiliary feeder breakers does not contribute to the

unavailability since given an initiating event, the buses would be realignedto the backup startup power supply.

For both top events it was assumed that breaker maintenance is performed

in less than one hour, because usually they replace the existing breaker withan operable spare. Breaker overhauls are performed at every five or sixyears. Transformer maintenance is performed about once per year for about

eight hours. This is done while the plant is at power. Other preventativemaintenance activities are done during plant shutdown.

Table 2.3a presents the quantified values of the split fractions (entriesdenoted by PGGE). To provide complete information, besides the total value ofa split fraction (TTL) the table also indicates the main contributors, such as

unavailabilities due to hardware failures (HW), maintenance (MN), test (TS),

DCPRA 08 December', 1989

t :

and human error (HE). The table also provides the constituent parts of thehardware unavailability: the independent (HWI) and the dependent (HWD, i.e.,common cause) failures.

Notice, there is no contribution due to test and human error. TechnicalSpecifications require only system operability checks once every seven days byveri'fying correct breaker alignment and power availability.

The seismic analysis included only the 230kV offsite grid fragility. Allthe other components were assumed to have higher capacities and therefore theoffsite grid was considered to be the limiting case. It is mentioned that theswitchyard/plant isolation breakers 542 and 632, which are Westinghousesulfur-hexafluoride breakers will be replaced by seismically much betterqualified GE/Hitachi dead-tank SF6 breakers by the end of 1987.

2.3 Vital 125V DC S stem


The vital 125V dc system provides power to controls, protection circuitry(equipment) and instrumentation and annunciators throughout the plant. Thesystem is configured from three 125V dc subsystems: 125V dc train 11, 125V dctrain 12, and 125V dc train 13 (see Figure 2.1). Each subsystem consists of a60 cell 125V battery, a 125V distri4ution switchgear assembly, and a batterycharger. The battery chargers are located in the dc switchgear room (see alsoFigures 2.4.1, 2.4.2, and 2.4.3 for details). The switchgear assemblies eachinclude a completely enclosed 125V dc bus, circuit breakers, fuses, meteringequipment, and two distribution panels. One of the panels supplies the vitalloads and the other supplies the nonvital loads; they are physically separatedon the left and right sides of the switchgear. Breakers on the panels may beused to disconnect all non-Class 1E loads from the batteries.

A total of five battery chargers are supplied; three chargers serve twoof the 125V dc buses (ll and 12) and two chargers serve dc bus 13. Under


'ormal operation, each bus is powered by one battery charger and the batterycLiarger provides the dc power for the plant. Buses 11 and 12 share a singlebackup battery charger in case either primary charger should become

unavailable. A second battery charger is a backup charger for bus 13.Technical specifications require that chargers 11, 12, and 13 be the normallyaligned chargers. 480V vital buses power the battery charges (charger 11 frombus 1F, charger 12 from 1G, charger 121 from bus 1H, charger 131 from bus 1F,charger 132 from bus 1H). Each of the chargers is connected to a dc busthrough a thermal-magnetic breaker located in the dc switchgear. Manualtransfer is required to align the backup battery charger.

Distribution panels 11 and 12 are connected to their respective buses bydrawout (manually operated air) breakers. Panel 13 is hardwired to its bus.The batteries are sized to provide sufficient power to operate the dc loadsfor the time necessary to safe shutdown should a 480V ac source to one or morebattery chargers be unavailable. Batteries have a minimum two hour capacity.Should a failure occur on any 125V dc circuit on panel 11 or 12, the breakerto this circuit would trip to isolate the failure. If the circuit breakerfailed the drawout breaker would trip to isolate the whole panel from thebattery (i.e., would cause the loss of all the loads). For panel 13 there isno drawout breaker. The isolation of this panel would have to occur through a3000A fuse. Natural ventilation is sufficient for the battery rooms tomaintain safe levels of hydrogen gas generated during charging.

The most, important loads on the 125V dc system are: the inverters, the4kV feeder breaker controls, the diesel generator controls, control room mainannunciator system and the 480V motor control center relay boards. Detailedlists of loads are given in Figures 2.4.1 through 2.4.3.

2.3.2 Unavailabilit Modellin Vital 125V DC S stem

For unavailability modelling, the vital 125V dc system was considered asa three train system: after an initiating event the unavailability of one,two and three trains were determined. Three top events are associated with


I '0

'he model: DF, DG and DH, where the first letter identifies the dc power andthe second the vital ac bus to which it supplies control power. These topevents question the availability of vi.tal 125V dc power on dc buses (anddistribution panels) 11, 12 and 13, respectively. The success criteria forthese top events are described in Table 2.lb. Technical Specification andFSAR requirements with respect to the operability of the system are alsoindi'cated. A representative reliability block diagram for the top events DF,DG and DH is shown in Figure 2.5. The diagram is constructed from blocks(supercomponents) whose boundaries are indicated in Figures 2.4.1, 2.4.2, and2.4.3, respectively. Notice, top events DG and DH contain similar componentsto the blocks for top event DF; however, for top event DH, there aredifferences in blocks 1 and 3. Block DH-1 does not contain the circuitbreaker that blocks DF-1 and DG-1 have, and block DH-3 .has one more fuse thanblocks DF-3 and DG-3. The reliability block diagram shows that the model isconservative because the failure of a battery charger does not immediatelyfail the system. (In some PRAs the battery charger and battery are treated asparallel components, but it is not always true that a battery charger'scapability is sufficient to function adequately without its associatedbattery.)

The reliability block diagram (Figure 2.5) also shows the dependency onother electrical systems: the vital 480V buses. There is no common causefailure mode modelled between the three dc trains (except seismic andventilation; ventilation is needed-to supply cooling to the 125V dc switchgearrooms which also house the battery charger, but ventilation is powered by the480V buses).

2.3.3 uantification of To Event S lit Fractions Vital 125V DC S stem

Technical Specifications restrictions, that one train may be unavailabledue to maintenance at any one time, introduce certain dependencies between thetrains and this renders the split fractions conditional on the success orfailure of the preceding dc train in the event tree. A single trainunavailability will be the sum of the hardware unavailability (HW) and the


l '

maintenance (MN) unavailability. Since there are no scheduled tests performedr'esulting in an unavailable dc train, there is no test contribution to theunavailability.

The definitions of the boundary conditions and the associated conditionaltop event split fractions are listed in Table 2.2b. The quantification of thetop 'event split fractions involved the following assumptions:

~ Redundant battery chargers and associated breakers are given creditonly during charger/breaker performance test and charger/ breakermaintenances.

~ Panel feeder breaker (dc trains 11 and 12) maintenance is included inthe maintenance of the panel itself.

~ Vital 480V ac buses 1F, 1G, 1H are available.~ During switching of ac power to the battery chargers, the batteries

supply power to the loads.~ All scheduled maintenance and testing is performed in a way that does

not disable the system during power operation.

Table 2.3b presents the quantified values of the conditional splitfractions; CSF. To provide complete information the table also indicates thetotal value of a split fraction (TTL) and other contributors. The dominantcontributors to the hardware failure are battery failure on demand and batterycharger failure during operation.

In terms of seismic failures, the batteries, buses and breaker panels aremodelled. (Seismic failures of the battery charger are modelled with thevital ac syst: em.) The auxiliary building is modelled with the dc system,because failure of the dc system impacts all the important support andfrontline systems.


E 0

I

' 2.4 Vital AC S stem - Unit 1


The function of the vital ac system is to provide power to safety relatedequipment under all foreseeable conditions.

The DCPRA considered this system as composed of six subsystems: Three ofthe subsystems are the 4.16kV (F, G, H) and 480V (1F, 1G, 1H) vital ac busesand the associated hardware at Unit 1, the other three are the standby startupfeeder breakers to these buses (see Figures 2.1 and 2.7.1).

During normal operation the 4.16kV system is powered through aux'iliarytransformer 12. The standby power source is the 230kV system via the startuptransformers SU11 and SU12 and the 12kV startup (SU) bus. The 480V vitalbuses 1F, 1G, and 1H are fed from the 4.16kV vital buses F, G, H,respectively, through 4160/480V transformers. The control power to the 4.16kVbreakers is provided by the 125V dc system (manual transfer is also possible):

DC panel 11 to 4.16kV bus F

DC panel 12 to 4.16kV bus G

DC panel 13 to 4.16kV bus H

In the case of an auxiliary feeder breaker trip the 4 '6kV busesautomatically transfer to the standby sources. Transfer is also initiated byvarious plant conditions listed in Table 2.4. This table shows the transfersand the diesel states as a function of plant conditions. The transfer usuallyoccurs after a short delay (.8 sec) to allow for voltage decay. Usually onlylow voltage loads operated by magnetic controllers (such as containment fancoolers) are tripped and restarted. In the case when there is an SI signal orin other conditions the transfer is immediate, the "loads do not strip" (seethese notes also in the table) and the diesels start. If there is a LOSP,direct transfer to the diesel occurs. If in 10 sec 'after a transfer to the

" startup transformer undervoltage was detected on the vital buses, a 2/2 relay


4 '

1

'ogic (relays 27HFB3 and 24HFB4) would start the diesel and load stmiigpiiagCould occur in 20 seconds.

In order that a transfer could occur, certain permissives lava@ eu bxe

satisfied.

For transfers without and with an SI signal:Presence of the initiating signal.

2. No undervoltage on the startup transformer.3. No electrical fault on the bus.4.

5.

Startup and diesel feeder breaker tripped.Transfer to diesel not in progress.

6. Auto transfer switch cut in main control room.

For transfer to the diesel:1. Vital bus undervoltage.2. No electrical fault on the bus.3. Diesel is up to rated voltage.

Table 2.4 also lists the most important loads on the 4.16kV ~ream. XID8

. loads on the vital 480V buses are: primary makeup water pumps, lli@e3aE„battery chargers and inverters, diesel generator auxiliary loads,. vemaiilaztSanm

fans and containment fan coolers.

The 4.16kV switchgear is located indoors and requires ventQmiina';, tom

breakers are in individual cubicles cooled by fans powered from tree assaxrzmaxd:

480V bus. The 480V ac and 125V dc vital switchgear compartments (l'see: FHgpara.

2.6b) are supplied cooling air by two trains of supply and exhaust fans'., Xte.

power supplies to these trains are 480V buses 1F and 1H. Each rrnnn hm: mx

inlet and outlet duct with a fuseable link fire damper. The inaclVmraenc:

closing of the fire dampers was included in the unavailability DDldW a8: tSe:

vital ac system.

t DCPRA-08 Dccexktaa Di„ ll989!

I

l '0

'he failures of the vital ac system represent potential for emma.

initiation: loss of a 4.16kV train could result in loss of componmtr. ccmLmg:

water or auxiliary saltwater. Loss of 480V could cause a loss of ar&cRgIamr

ventilation (later a loss of inverters, instrument buses) and triggw a, plhnuc

trip.

2.4.2 Unavailabi1it Model1in (Vital AC System - Unit 1)

The Unit 1 vital ac electric system unavailability model is rcgnasinzeaB

by six top events corresponding to the six electric subsystems. mesa'. xm"AF, AG, AH, and SF, SG, SH. In the electrical support system event erne amp

events AF, AG, and AH question the availability of vital ac power m' i)8%V

buses F, G, H and 480V buses 1F, 1G, 1H, respectively. Top events SF;. SE,. BB

question the closure of circuit breakers 52HF14, 52HG14, 52HH14 su~ilyi~ng,

4.16kV buses F, G, H, respectively, from the startup transformer foli3Javfizg a

plant trip. The success criteria for these top events are describedi mini Xdii3e

2.1c. Technical Specification and FSAR requirements with respect toi tHe.

operability of the system are also indicated. The reliability bloat dUiargrmm:

of both types of top events, AF and SF are shown in Figure 2.6. Tke dKzgnains

are constructed from blocks (supercomponents) whose boundaries are iizm9zaiuxB

in Figures 2.7.1 and 2.7.2. The reliability diagrams also show the. dhgmxihmcy

on dc power. If any dc train is unavailable, the corresponding ac emiiin Kx

also assumed to be unavailable.

2.4.3 uantification of To Event S lit Fractions (Vital AC System - Uh@t 3)

The quantification of the top events associated with the vita] aa. ~eminvolved the following assumptions:

~ The 4.16kV switchgear room does not require ventilation.~ The two trains of fans for the 480V switchgear rooms would roe Bei cma

for maintenance at the same time.~ Detection of power loss on the 4.16kV/480V buses would be imeWm~e

(not by the weekly surveillance check).

DCPRA-08 -12- Iborm6ea', 29B9

'

' Maintenance of 4.16kV breakers would only take one hour (replacement ofa spare breaker).

~ Breakers, buses, transformers for ac trains require infrequentmaintenance.

Common cause failure was assumed between breakers to open (auxiliaryfeeder breakers) and to close (startup feeder breakers) on demand. These

common cause failures were assumed to be recoverable (even for three trains)for all accidents except for large and medium LOCAs, because of theinsufficient time available. Recovery would consist of operator action tomanually operate the feeder breakers in the 4.16kV switchgear rooms.

Due to the common cause failure (and recovery) as well as TechnicalSpecification dependencies, the split fractions evaluated are conditional on

the success or failure of the preceding top events in the electrical supportsystem event tree. The dependency on the dc system has also complicated thequantification of the vital ac systems split fractions. Table 2.2c lists thedefinitions of the boundary conditions and the associated conditional topevent split fractions. The quantified values of the conditional splitfractions are listed in Table 2.3c (entries denoted by PG&E).

Notice that the maintenance contribution to the unavailability is smallbecause the components modelled require infrequent maintenance. There are no

test or human error contributions because relevant tests are done duringshutdown and human errors committed would be detected before resumingoperation.

Seismic unavailability is modelled for the following plant components:~ Turbine Building Shear Wall~ 125V DC Battery Chargers~ 4.16kV/480V Transformers~ Turbine Building Strut~ 4.16kV Switchgear (in the case of when the strut failed and when not

failed)


'0

C

:~ 4.16kV Safeguard Relay Panel (for bus transfer in the case when the

strut failed and when not failed)~ 4.16kV Unit 2 Bus F Potential Transformer (in the case of when strut

failed and when not failed).

2.5 Vital AC DC S stems Unit 2

2.5.1 General

This system is modelled in the DCPRA primarily to determine theunavailability of the Unit 2 Auxiliary Saltwater System, where a crosstie toUnit 1 is beneficial. For seismic initiators the crosstie is not modelled.

2.5.2 Functions Confi uration 0 eration

The vital ac/dc system of Unit 2 is modelled in the DCPRA for the casewhen offsite power is unavailable. The systems function, during such an

event, is to provide motive and control power to the engineered safety loads(Auxiliary Saltwater System) of Unit 2. The system was analyzed to determinethe unavailability of the combined 4.16kV ac, 480V ac, and 125V dc power tothese loads.

The system, similarly to the vital ac and dc systems of Unit 1, was

considered to be composed of three -subsystems representing the three vital acand dc trains of Unit 2. Correspondingly, there are three top eventsassociated with the subsystems: BF, BG and BH. These top events describe theunavailabilities of:

Unit 2, 4.16kV bus F, 480V bus 2F, and 125V dc train 21; Top Event BF.Unit 2, 4.16kV bus G, 480V bus 2G, and 125V dc train 22; Top Event BG.

Unit 2, 4.16kV bus H, 480V bus 2H, and 125V dc train 23; Top Event BH.

The configurations and operations of the buses and trains are similar tothose of Unit 1 described in Sections 2.3 and 2.4.

DCPRA-08 December S, 1989

E '0

'.5.3 Unavailabilit Modellin Vital AC DC S stem-Unit 2

Top events BF, BG, and BH are equivalent to the combined top events AF

and DF, AG and DG, AH and DH previously discussed. The reliability blockdiagram for top event BF is shown in Figure 2.8. Block diagrams for topevents BG and BH are similar. The diagrams are constructed from blocks(supercomponents) whose boundaries are indicated in Figures 2.9.1 and 2.9.2.Block 4 (backup charger 2-21) is treated as being unavailable; thus the blockdiagram reduces to five blocks in series. The success criteria of the topevents are described in Table 2.1d. Technical Specifications and FSAR

requirements with respect to the operability of the system are the same as

those given in Table 2.1b and 2.1c for Unit 1 and are therefore not repeated.

2.5.4 uantification of To Event S lit Fractions Vital AC DC S stem-Unit 2

Unit 2 ac/dc train H is slightly different from trains F and G. Train H

has one less breaker but one additional fuse. This difference is notmodelled. It does not affect the results since the two failure frequenciesare of the same order.

The assumptions concerning the failure rates of the components, test and

maintenance conditions, common cause failures and recoveries, operationalconditions, human errors, etc. are the same described in Sections 2.3 and 2.4for the Unit 1 vital dc and ac systems.

Due to Technical Specification dependencies and common cause failures,the quantified split fractions are conditional on the success or failure ofthe preceding top events in the electrical support system event tree. The

definitions of the boundary conditions and the associated conditional topevent split fractions are shown in Table 2.2d. The quantified values of theconditional split fractions are given in Table 2.3d (entries denoted by PG&E).

One can see from the data that there are only small maintenance and no

test or human error contributions to the unavailability of top events BF, BG,

DCPRh-08!

December 5, 1989

t

L1 "

:and BH. This is a consequence of the assumptions made; the contribution tot.ge maintenance unavailability is small because the components modelledrequire infrequent unscheduled maintenance (during operation) and tests.Scheduled maintenance and tests that would make the system unavailable aredone during shutdown and it is unlikely that any human error committed wouldnot be detected before resuming operation.

Seismic unavailability was not explicitly modelled. It was assumed thatseismic failures for similar components are correlated and do not allowrecovery by crosstying buses. Thus, it was decided that seismicunavailability does not impact the model.

2.6 Instrument AC S ste


The function of the instrument ac system is to maintain a supply of 120Vac to the vital instrument loads of the plant unit. The system consists offour channels: I, II, III, and IV. Channels I, III, and Channels II, IV aresomewhat different: for Channels I and III, each involves two inverters andtwo distribution panels;, while for Channels II and IV, each represents onlyone inverter and one distribution panel. There are three power sources forthe inverters:

~ 480V vital bus,~ 480V vital bus via a battery charger, and~ 125V dc battery.

The inverters feed the 120V ac panels. In addition, there is a standbytransformer/regulator set (transformer) that may substitute for one of theinverters (when the inverter is in unscheduled maintenance). Forclarification, more details are given in the following system descriptiontable (see also Figure 2.1):

DCPRh 08 -16- December 5, 1989

'0

:Channel Panel

Instrument AC System Description

Su ort S stemsPanel For Inverters For X-r

Power Sources 480V AC 125V DC 480V AC

IV

PY-11PY-llaPY-12PY-13PY-13aPY-14

Inv.ll, X-rInv.11a+, X-rInv.12, X-rInv.13, X-rInv.13a*, X-rInv.14, X-r

1F1F1G1H1H1H

111112131312

1G1G1G1G1G1G

*Inverters 11a and 13a are not safety related (only supplemental) equipment;they are required for modelled systems in the plant model, e.g., the 10% steamdump valves.

Adequate cooling to the inverters is maintained by the 480V switchgearventilation (the non-reviewed Top Event SV questions its availability). One

has to keep in mind that the dc trains supply support power to the actrains'herefore,after a plant trip if a dc train is unavailable, the associated ac

train will also be unavailable. It is clear from the above table that forChannels I, II, and III there is such dependency. Channel IV is differentbecause its dc and ac support systems are independent.

Among the instrument ac system loads the most important are the NuclearSteam Supply System (NSSS) instrumentation and the Solid State ProtectionSystem.

For operating the inverters there is no preferred source of power; theinverter has an input diode, which gates the highest instantaneous voltagesource. The 480V ac and 125V dc feeder breakers are closed. Plant statisticsshow that 90% of the load is supplied by the dc source and 10% is supplied bythe ac source. If both sources fail the standby transformer may be used tosupply any one of the power panels. The transformer is fed from vital bus 1G

by the breaker 52-1G-43. If an inverter failed it would take 15 minutes torealign a panel to the standby transformer (close the feeder breakers).

DCPRh-08 December 5, 1989

C

:'

Given loss of ac power, the inverter switches to the battery withoutdelay. After ac is restored (diesel generator) there is a 40 second delay toswitch back to 480V ac to allow voltage to stabilize. Loss of ac power to theinverters is alarmed in the control room.

No scheduled maintenance is performed on the inverters while at power.Testing is done during refueling (18 month intervals). The availability ofthe instrument ac system is very important for plant safety. Loss of two

instrument ac channels could lead to a plant trip; if this happens while theplant is above 10% power, the plant will trip because the instruments indicatethat a RCP has failed. In addition, even a loss of one channel could resultin a plant trip, because loss of power to steam flow control instruments (onthe Hagan racks) may cause wrong steam flow control, which could then cause a

plant trip.

2.6.2 Unavailabilit Modellin Instrument AC S stem

Four top events represent the channels of the instrument ac system. Theyare: Il, I2, I3, and I4. These top events are in the mechanical and actuationsystems support event tree (not in the electrical support event tree). Theyquestion the availability of 120V instrument ac distribution Channels I, II,III, and IV, respectively. The success criteria of these top events aredescribed in Table 2.1e. Technical Specification and FSAR requirements withrespect to the operability of the system are also indicated. The reliabilityblock diagrams of the top events are shown in Figure 2.10. The diagrams areconstructed from blocks (supercomponents) whose boundaries are marked inFigures 2.11.1 through 2.11.4 . The reliability diagrams also show thedependency on the supporting power supplies (notice the difference for topevent I4).

2.6.3 uantification of To Event S lit Fractions Instrument AC S stem

The quantification of the top events associated with the instrument acsystem involved the following main assumptions:


IE :

: ~ Although the inverters have both an ac and a dc power source, thebreakers for these sources are modelled as being both required; thiswas done to reduce the number of split fractions and boundaryconditions. The procedure is conservative.

~ There is no common cause failure mode between instrument ac systemchannels.

~ Any or all of the instrument channels may be in maintenance and alignedto the backup transformer. This assumption is considered to be

conservative since the plant is required to shutdown when more then one

panel is not powered from its inverter source.~ To realign a distribution panel to the backup power supply ( 15

minutes) the channel is considered to be unavailable. No, human erroris assumed in aligning the backup.

The top event boundary conditions were determined on the availabilitiesof the support systems to the inverter and the backup transformer. They arelisted in Table 2.2d. Each top event has essentially three boundaryconditions. For Top Event I2, two additional split fractions are required forseismic events; these are I23 and I24. These conditional split fractionscalculate the conditional probability of failing instrument Channel II, givenfailure of instrument Channel I for boundary condition 1 and boundarycondition 2, respectively.

Table 2.3d presents the quantified values of the (non-conditional andconditional) split fractions (see entries denoted by PG&E), Notice, thatthere is no contribution due to common cause failures, test and human errors.(Technical Specifications require only the verification of the alignment ofthe'buses at least once every seven days.) The maintenance contributionappears because of the time period required to align the backup transformerfor unscheduled maintenance of an inverter.

For seismic initiators, only the inverters, process control and

protection racks, and pressure delta-p transmitters were modelled. The


~ . :

:remaining components have median fragilities greater than log and therefore

vere not modelled.

DCPRh-08 -20- December 5, 1989

I

I1 :0

5 ~I ~

1~5 ~

B K

~ ~

5

~' ~;

4

~I ~ I»

4('3 RlkkOPr APC) 63 &) C9 44 )

rrI ~

1~ ~ I» relIi+

HoTQ()AH)RE5

L~ ~ I: N

»IIV

I kl~ . Itr

t t'YI

((4AQI~QPJ g3 ('D (V)

44)o~r4)Kvl~

«I I rp~ ~ ~ ~ Ipe

~ 13I

,0 ~O- "g"'"4

'IIW rll~

j)NN Ctrl Mete

~ r

tr ~ «N ~

«IJk N CPCC4

ete~I ~

JKO=-CI-+

art ce

r M«I Jf,.~ V ~

~ 'Ie4» I \

V»IA.~C'"""bwJ~I «Nwr~I ~

~ 4 ICarIpr wk

00&-I "

'I

4C 4«kt~l

~ rt«N

ICW4NILL~Nl\ 4I» ~

-H~6-O4:O™

Ce I«»

Ret ~

..EIree

Ie ~~ PC

le 4PIIWP I~ I »PN

~V~«W te

~ I I~ Nle

II ~I, ~ kr 41 I »» I 111114 e»l ~

Itetlf «v ( IIIN I I NllM tlL-~43 I MtW ~ IW~Ve

4 4

fa ~ I~ IwI~ ~ 44 I

pet I«II~

pI~Ml( If lktt ltllt ( IMI

«» M ~ I LI ~

M tl ~N teI ~ IVI

I I~ ' ~ ~ I art

44 tl4 v«

e& ~ PIN 4VV\ ~

k ee

~rwav ~ a v» N

N

"H

( etr. ~ ( Nkel

rr»MCMN

\ te ~ I N

~ ace

«vv prrr

(e«N (kWk«MP

& 7—

N

ka Mt

~ Vkl M PI~ VIIr C«C ~ ~ C«ll t~ ~ PC I~ I

NN ~ (

IVIPv» te » ev» Npr» wl « ~ ~

IVII( ( arellr» 44 ~

M Pe~v I~

)Nret

N«p av 4 CN ar»v»4 Ne rvt '4I I te ~rt

~44 ( ( 11«e ~ lewd If 11 \ ~

~.I» MI re» H

Mepv pr «p»rp I r

I»rl ) )N I ~Pe I ) )II«I~ Nr I ) )IVI~1« tre) IVI

$ 4«~ ~ NM ~ Ir ~

N

~ » 4'I ~

~ w»re $4.4

~ I 14\1

err VII

N.'v')e~ I

~VWII~ '~

MW«teN lk«

kr Al'I

~ ' ~

I N ~ I~ IIIV ~ "

~I.N I~ I:k '

wa ) weaN«I I~ 4 N ~ ~ It

t(4~1egQ

~ ek ~

11 k Nek11 Pe ~ ~ ~

~ I ~ ~

LI~,I ~

L Nal IIC 4»w tr ~ NV Vawee ~N 4«pw e»ae IN 4llce«er tace

~\ v««c tp ~ I ~ I«r» N It ««IN mal» pv ~rcl wlvt NNI»1 vi vrve» rel»N It pe Ne«IIC I ~ Ck«II«k IN rr VV IN rel w 1«'r 41ll'Iet rae I ~ I Ce ~,

tr'p1 4 «I N «ere Ctr W It ~rre cere ~ el «IVI Vr«W N QI.e 4 \NN4 ll» 4IIN«r ~

~ - '4 tcptc4NI tepette. Ile~ 4141CIP,"'.( ( 411«4 C»k« I

.

t-.'igure

2.2. 500/230/25/4.16kV Electric Power Systems, Diablo Canyon. Marked areasrepresent supercomponents of nonvital electric power system top eventsOG and NV.

I

I

t

: 125V DC 13 OROFFFSIIE

POWER

12 IEV BUS 0

12+V BUS E

125V DC 12 OROFFSITEPOWER

Top Event OG

230.kVOFFSITE POWER

POVIER TO12.kv LEVEL

POWER TOi IEV LEVEL

BACKFEEDFROM 500.kV

500 kvOFFSITE POWER

I'LOCK3

NOT USED INAVANTI F I CATION

Top Event NG

Figure 2.3. Reliability block diagrams for nonvital electricpower system top events OG and NG.

DCPRA-08 23- December 5, 1989

4

t '0

~ 1 ~

4 ~

9 8 80

I IGC IIOIIOCOT'IIIIII~ I I~ I I

0

~ ~ ~ ~ ~ I ~ ~

~ ~

I

I -'0

5

'n N'k

~~ I~

PM

S(~ss ~HsN ssh ~ I ~ Ks~

~ sss ek «Klect ~ ' ~ ~ osa~\ 4 ~ ~ ~ eanl svs ~ ~ ea

leasl ~ IQ~ SW lNSI

~ ~

Its ~

~ I'stot eo ~

1vs ~

«eases ~ sht I«ac Iltt«VII

P~ I

I I~

~ ~

~eo

n stttnc so oH tt.eels «I so esKs 1

~ .soot aHII Ka Nloenr ~ ~ SH OO OSSesse N 'IKO OH Ks It

~ J~ Stets ~

«4 N ~

44'4O

~~

~ 4

t tnSiva( lLw

~ H It sls ~

~et n sist~ H

n' Isl

n NII~ H~~ n ini

~H HlN sl.inlI St enl

' n.itn~H~ n elis

CslH IHS~co I IH(as(a st

~ ksce cca s ~ c«cc~« IKN %«OCl

~ tes stc H~ Nial N

ate \ I(CO stl(H l«la ~

'KINNi~~ el %Italo ~ lsi

~, sl ee «Ca«sl ss(lse

c'Il ~ (CHHSCH «N~ IOS( OSO H(KSIKksea (Nse«N~ I«laos ~ e«ell ~

I~ stsl

114th

I~ elsl

n ni~

It nso

n'nn~t sn ~

n'nh~I'n~

n eln

n eln

t heL SNI(~ 'H

C~

~ H ~st'ji~ H ~e~H

~44

~H

IN~ I

«CS(H SKSO v«hola«sre(4 I I lass ~ I~ 4 etio«tv«tto la oo 4HI%(i cl et cosk stealer levee llt««SOK \Ovl( H«SKS 144

'IVI«VNKIH N S4 ~

co s«a tsksk 'KI sl

hse K(H~ s ~ CIS

«Csl ~ eelNess OKe nJI~t\I KCIK ~Na t«$ ~ ~ t

HH SVO«o ss( ~ ~ sc

~ I ~ \ Ika%IVIVIIH I«I%( H «osskCOSH( Nllveslso(PSH( N I ~

SpsCC

«h savse elowv le ha

Icth W IV IW «ssH(MC Kl~ I%sa sstslt %No «4 . N el%i ha S9«

st il

~soJ(OJIII tie~

~ H7O

It stet

n sist

n ~ ISI

n-ens

sH Ii InlHt~n elh~et ~

~I's ~nHeIH It elle

n nel~C~~I n ~I~ C 'S-

n sni en

~I ssh~

~I'IIH

~I KH

~I slotIH~

n ~ Ill ~

„4,-9~HO ~H

~I.slel 94~tt ~H

~l.illa~~ SHn ihl~

Han.sne ™

~ ee ae «N~el %((1 N C

~ ~ ~ I Hel«N NN~SSH SO«l SKSH

HH haa~H sill ~Il~ et ssNIK I~~ 4(K (Nsa«NcsKasss«K( NCS 4 «N IKtoetllslsl lslCNKiss Io

'l'H

le %44~KNSK II I

~ J

+sgt~li IV(lena «(NS OKI OK CIK Ones(a N Ol C(N(~ ~ I ~ IIK

Kl IK«(N Io Il(ItN(ls N lc Clwt o less N Ness ~ sc 4«ll~ahe«OIIK (VVII~ Os CIKOI~ tKH(al H«% N «v ~ (Il IOH~t,tN ev ~ Iles(HONK Chkn ~ sv Kl IHIS %HH K Vv ~ 1%% I ~N.HO ov al HH.~.c., «sshoa ~ sh as ea ev.cNieces( ~ N4slt«I tc hoa ~I ~ I~ 4

Nss(as I Kl~ H ~ Itt

~ Kc hv Net(N1. O(C OK N hcaL Kc OK Nn CNK(O ~otL loll Oe CS(CHICK 4(elCCC li«NNCCNN 4 C

L shOE lIKkll~ Ov Kla'I ~Isl II%K( St%i(a la ~

~, SN«l Ilk Kll~ W KillNel HN SsSsca oes I((~ t4

IlGBR QfOl RfillfPts~~ lanai

~lish~ Knee~ a%its ~~ ~lh«

~ %hei

1 Stl PL'Ol+OlCICHHRO OI .1 S i7 '~ OS ~

~ .I Ltt~ «l 4s c~l ~ Hs V I Vel

I

o(SL S(ecs&a~ ~

I

aa ~

la«7V Os«H I

4 47 Lf ~

~ ~ ~ e

level ~ lvKsl~ eo ~ eH ask@sol1% «4 ~ tc ~ see

~ I «4 cewh4 o ~

~KiikQl oo Islss 4 shoe«~ wwe

w sow

4450lS5 6 d 9 I(S~(( 4'Qo)I

Figure 2.4.2. Vital 125V dc power system, marked areas represent supercomponentsfor top event DG.

I

9 C

~ttt 4<o 4%SO

%1 oe SI

~e ~ ~

'N ~ )I

41K4I ou ~H ~ Io

~OO OO ~

~ 0 ~ OO ~ ~ IN ~ Oe

t~ KWN ~ I(Nt «e\ ~ ~ 40too «el ~ ~ ~Ih «0% ~ ~

~ N '4

SI se 14

M 0>l

41 ~ (te<«NN 0~e ~ N

lf ~ I~

~ IW ~ aol 00~VL

I

O—-II HI

its lo« ere

~ 'litSe«I t(~ OUI I~ ~ t(~ tel ~ III(0o)Irow JI'INt<toll KO tt(UIII

~ ~~

0 ~~ ~~ ~~ <r ~

~ ~ s

4

0I r-

~4

e~KO ~«O H ~

ol ~ )4

~tt ~H

O ~O

~4

'VK(

~ 4<)u Cle ~ ~ VLCC ~~ «4 N«K sow< Tt~ KKKO CDI It ~ LH~ 0W(a«0 e«sole ™4

TOao No< 4oaNS ~ ott<4 o«a Tt~ Nll Ke IoloC ~ I«fo(H INIO<Do«L ID<K(~ I> 00>

~elt K(IN ~ ~ IH«I «e> ~ ~ 1

KIKolft«444KDL I«e(a«t one<i«0 ~ ~ ON fM ONKtl %I%K CL(C ItC «Nt loll< g'~ KK« K ~ II~ I

~ ItCH

VKC

4 W--CO.OH

II ssl ~ 'HHt

K ~ S ~ ~

~ttK s>ot TO

Il.ont I)0

II on>~~ttTs~I'IKONt

N ~)N Ts~4

N-lue 4

It ~ IN o40

II ~ Io)

~I'lie)

11 Nol

If 1>o ~

~I ~ )It

M ' llI~I IKI

~I Il)~

~I' KI~4

ll IN (IHHKist H ~

%lasso« oooo%I ol QJ~wws ~ It of ~

~Utero I>~ Ko O<0

~I Inl

I ~ N tnlrc4 n.tnsNt

II ~ )o ~

~tt~5C II ISN

4 st.o>o ~

W N ~ )otNlW st ssn

~N tl On>

~,I ~ \ ~ S cs4% K<I 04

I NC«04~I~ 4 ~ 4 4 ~ I

«a%fat lrlooCt IKL 00KOK~ 04

ot otH KCKite H

~t C I «Nell~Ct ~

Dao(�

'l

~ I O ~ ) Le%laos V'/l ~

~ tNI'N <«t'eu ~~ Nall ~ ~oo ~

Stt ~ SNO ~ I~~ ol%atolo K~ 4 I~ l44 tHKtoea col»VN IaWtl

~04Cl

SSso<»<l(oo MQ.~ 4c eo ~

~I(us ua 0 ~ Deu ossa SN0~N LK 4 %«OCI SN S(il IN

I<' ll~

~HII' 114

ll ~ )N~tt

~I ~ ) ~ 0»

II ~ 1st~tt

~I NN OH

~tl>1 ~ )N Ott

~ 4I~ ' l)t

\ ttII ~ 1) ~

I I ~ I et llaol VKLH 4

L-'OK C«l CU~O I

Iw ea oe ooi I>t> ~

1' ~ .N ~ INO ~DO KCI.V

Ateo «4 ea 0norLk sr«Hsawvrov~N ea Kle~~el Mcl I)4

~N D<N«uoceaNOco I De oo«N

~«N ~ ar ooN ~~1 lt I(<l OOKL

I%VV%I~Inew<l le

N~)I ~

Kl tuoelts fool'll taKL> 00 4 («oooo)IN I~ van It( oui ~~ Kwvll C <vulffV CIKUf Ouo IN DK( N otl l(l% fataH,tH ov tl eao. ~.C,I o(HVIL C CVKII~ 4o aol IH(~ DN~ N tf ~ Ill >44St,Ht «t ~ I Isao.LL onsaw Iou ~ t «I av l4<l(~ sl% ~ ~ H.ton~I~ K SKO ~ H IHO~on<of c saut H litt

~vI KC DC 4<OH HS) ~ )L KC DC K aaH Hn IL a(c ow 4) ~ caUKO litt4 ~ Ilf ao ~ Lt<NKas NoK(~ IH OHtl<K«a ~ CDoeol <leuall IH ~ ~ %41 ~L ~IKll~ Dl ocul W KLH OlaC II%K( So)K ~ I I OK ~ o)NN4 SIK(l LIKKKO W Kist 0(K NH So)ol ~ 4% KCI ts ON ~ )IINI Sow< ~ IK KKO w ouol HN oHO so)K ~ oo) 'KH av tN ~ I)sol

- q~gKQ ~~ galg wirgtlii0W&MYU860UV ~ Wlo< ~ Ke 4%

O I ~ ~ ~ ~

T ~ ~ I

VO

~ I Col ~ tKK«0 w Ko ~ ~Iuaw~ n «4 ~ eo ~ essetl Ke(rm o«

OK«K I l W «HNK LODV~ 4 ~ 0 445076«

I 5 6 C 8 9 1 0/oo ««S'.fg

Figure 2.4.3. Vital 125V dc power system, marked areas represent supercomponentsfor top event DH.

l4

l '

1

125V DCDSTRIBUTIONPANEl 11

125V DCBUS 11

125V DCBATTERY 11

4125V DCBATTERYCHARGER 11

480V ACBUS 1F

Figure 2.5. Reliability block diagram for vital 125V dc powersystem top event DF (block diagrams for top eventsDG and DH are similar).

DCPRh-08 -27- Daaambar 5, 1989

'I

:125V DC 11

4%VBUSWORK

480VBUSWORK

Top Event AF

125V DC 11

... STAR%UPFEEDERBREAKER

1S

Top Event SF

Figure 2.6. Reliability block diagrams for vital ac electricpower system top events AF and SF.


l '

H ~ 11 N ~

gt) N ~

IM(H 1 wtln CCCSCJv r ~ ot (Hr(H

\C

P«t) 4 t ~

~ V

N

~ ~ 1 ~

~ oo '1«

o(HO rf Iieet cll /Hoor»f IC~ ~ Irl rl o»t ~ 1 ~

~ VH«r ~v o«Hr(» (~ (~~r ~ rh~ 1 ~ HI(~ ~ (~ » ~ 1 Hl~ ~ re~ ~ loco«~V ~ 1\ V Oo ~

Ier(C'.

t ~ 4 ev

~1 *1 1~ (C

~ retroSt

AP-IB~ ~

-l A6.IB .1

t HfP1 ~ ~ Jor I(

«H»oroA%~ oiewlrr J ~

ASS(gi(~SC) I.«Iud r~ro

~ ofo aire» «~ore <Off«:I~ ~ roo»owetrr Jl

1Hen Hoso»r rr~ »«»or (»1 (I

~ ~ O O MMtrr 1 ~I

~H Ol 1vlv Igl rv

4 1" i~tO(CireH~P

ol ~ IC

~1(lI«lCoo ~ I V

~ I'Or A')M tl»ll lkr

A'tlitretl

'--"1I"-'--I"-"'O

H

tJ I

e rro ~ lor.Pelf tl ~ 4 k oe

1 I

&3~rroW

['""I

«1»

IHOH

~M (H(r ve

I

::Pj Qr

~enN»e

reo 1 ~ N'N

el (JrJ(Jtt rwc

rlf

lr~ V Illwrr« H:C JCOHH 1

eeoc(~ r«

~H( ISO

krlrK

1{g Irlost rgwr.~ 1 ~ r ~ 1~ «rf4 «rrIro 'V 0

m~ll Vrl

11 r,o» '(1~Ot COI( roofI t«ceo»«tlr jl

~ «(«otJ( W ~

» H(NICfr e II

Vc«oc Hcvle o I(re 1 oolCClf ot ov Ho II'illc JI(v, [=-j l-'] iol C / IHJ ce»*

. L-,3

1A«(HNCi 4 «letl CVJ or ICCPJI

)t,PI

~ 1 111

Nvt JHC(rof ter»If ge«N JII((rorrnH»tscH«rreerne (oI ~ r«oo~ I~ I~ IIIC»1Ier ~

«0» go((torte IOHHWMJPC IHC H HH Ol(HN(op ~ ~ toot 1I «) VJCI»HJH 1

'c)QH Akcno) I JHlceHOV(H »1 El

1 ~ ot 1 (H(1

~ ~ ~ t Her*~ 4 ~ o (L/1 tH~ » ~ ~ ~ ( ~ rn

g Cgtov)r otr>r»wvtoo trrlMtt Htw(IC

lrr Jl ICKHI J litAN Ht(g

C~Cte4w~/Roo» Mor rroo're« Mer t

J I»le rtv«JO

rtf~ cer I Ae't

r ~ ~ rr ~t« ~ ~ ~ r«rrr(re'C ~V CSC twtJSCHvo»re«nv e(Ilrr IJH Jt

AO(lrv r(JPOI'e lof5

AHHNJ oevtteIrr1S CVi(I

; (IP-". i)tl «fNe (( re ern.

~~NeooH 1«ckt C CW

mn one

eot)HS(tAr 1(»»« IHIP«rcr wwn

~ J 1

elr~all

J HeIII It

cv frJf era I)ec 4

H ot 4 Orc A I«(wee AN)AO ee ~ I M AOVC ~

rCtron I

I Wrc(11(H(» H ~ 1 C

IIHOHrr(frMoot%.C'HCC

cev l Oner (Hc.ANJ

C»OOCS JH«rrr«cef rcrvtr>I«H~ 1 e»f AVI» rt NHAert ltr«r«» Hrl~ JH( tre l»wn NN r««t ~ rvr««rH(Alr AO 1 ~

1 ~ I opr ~

AK-H»« 'C(V ~ Air(

~telv~~(g~»v( (or

(»onI color»»t»Crr ot.S

IHC»o ro (

~v HHHe HgoC I)

I PQ~~>~RQQIzgglv lolrc lerret

Cv S."-o--'PjI)!jP

II I CHJ):

SC(PCDttfffI«'llPH%.0 i ck ~

ass) It)So«ri

I 1 ~

KYUQvuUVliQM5AfGY RQATS

'HOSHCCC CCK OKJov

CCO SCICCO1 KACC~ IOCS

OclfCO CllfO1H«e ~ ~ (HH o 1HHO ~ «ro H 1

~1

43751 IC

fl1 ~ ee gjl

SIW 4CH ot»v cv(MAe

C~/r (ecol PI (H

CerrACJ f »IIC ~50 rillre(iI ~ ''-o I4 1 5 0 «Hotlrr JJ

1

Figure 2.7.1. Vital ac power system, marked areas represent supercomponents(blocks) for top events AF, AG, AH, and SF, SG, SH.

:0

~ ~ ~ ~ 'm~ ~ ~

' ~ ~ ~ ~

~ ~ ~ ~

I

C '0

480VBUS 2F

125V DCDISTRIBUTIONPANEL 21

125V DCBATTERY21


4.16 kVBUS F

480VBUS 2F

BACKUP CHARGER 221 NOT MODELED;ASSUMED UNAVAILABLE

BLOCK DIAGRAMSFOR TOPEVENTS BG AND BH ARE SIMILAR


480VBUS 2H

pigure 2.8. Reliability block diagram for Unit 2 vital ac/dc system+

top event BF>*.

DCPRh-08 3i- December S, 1989

C :

SI!CI~ 4

cr)'al dieter flee): 4'KW' » SW V~1/et ovl» v e«i~ ~ \ QC »» ~

!

I ~ «\ ~ II 0 5

~ 4 n« ow»wodd»4 IN»e I

gamer ~ fv)slev» (Aevoer»C!!or ~ N/Jrl» wr ~ I'4

~ t»»IN I »»»» I ~ IM~«I »

~ F ~ 0~ W/I~ re

~ N ~ 4 W/1 ~ F ~~ ~ Is e«~ /AA 4t» ulrto»N

1

tr»4«e /AOVI *»u wit/ v

~Krrtoet Iw~ I ~ 4~ 4 I~ IlIIN~IAI'

Jt JAI«deed

riroeoct lov

~ N KIVNW»~»S v tvr

~I't~

Aiu '0» Tr I'I'$0«otft 0» /Celrr ~

OJO Irffrlfrwfcn~ >V frÃ~f V»/« I

~ » t1f Of Nr ~~ ~ »O /14N~ I oeo Ifrrr

~ W O»~ ~ 1 ~ ~ »

C4

9 t(e/

~(BF

Bcc I'3

BFcoc2

eF/3(o(2

I

5

I45

~1WII~ I Fr« \t

Ntf AO t

!Or""~ 1 04 N/rfr

I 44%4»tIAt J 4

1 ~

~ wf~ ~ ~44 4»44«

«V

I~ II~I/O

~j

e0 NSFKA« N V

TIllfJC

~ lie 41»Clfl

rf tu~1 K

S

~ 41B6!

I » Q leek

F R

FileKetr»flI» I1 '» wr»J 4

t,c'loc)C

8(v~Cock

3 ~111 lr~ 4

Ao

VI F

t

e/lfKAlt/ I!»CCfJ

B(tIJ C

1.

Nf1

nsv Jc JFJ N cc

tt

QH t Kee

to rer WI

Bcocsc

Nt Mt If tr/CJC«ff« NOAH ON/4)

~ pnn»K

~ 4w

~~ 4

Au

~

t) rvif)n'V>4 tf/ ««MW!

~IO r 4~fc/ J ~

~e le»weI f«CP«w

Q I.o Cir.

5 tQfi

OI CSCSC,

Sr

AlNt lr~ K I »I~Oflfft C

~Ncr/t OWCCL"'~CNwr r

440 Aetrrecn

Cer J+4

«Ot~4»rfef I«ISr'lreWJJ~rr1

«eefevnro«ewer «1 JI 4 ~ 14»KN/At J'4

~»I 141 ~ttrf'r+~ )Sfrrv vr «4«n~I»»N oK Jr «I cw»N AN)

~ IINO Jrl trf~ An teto)rrBF

+ 44)V 4

A1

~ II

~4044JF wnOr

/AA t. CI ~ IS t«NN/AA F<

r~ <I)4+ /felt 4~ 4 If

j ~ tt) 5

» 11» 44»«'W Ir

51 ~ 44 CO/A~4$

)

»»«14v K"eo

ISIS Ck

«Ntv It f~eILco

JVI~Il rfltet

~»

Q fee«~>l C!I~WV lwIfr

~t ~ I~ 1»lI«I5 N»»w

IOOVQI« Iu nle«

cwc»AP ce«FFN ANJnt tK0 lu, rwn

SJ

~ef ~»»/VI t FOteecpr wnI Kr)40 e»te/4A JK

gp~t(IKN Aw:14 ww Aw/e)

rwv renne Nllrc Ceri JIIten iov rr d td0

t~ Crf JFS't' /N«4u efftc

Itr»SANOVC

45

rJlcoftc>le» linvurf

Jrwel I /I4«tI» IS

/I N

Hw4CI «et

Nn

re/r teA»4»CAF/tncullt of tvntrtt

dntr IlkII i»le Alte

55 fervf(tltw» 11 ~ ONoet orr I »It~ IACP wI'5

~«Q) ct«flee«et K«C/ctt«V~ ~ 0«FJK I«AntrJccltvtrAuc»f/Nf

~ cell« Jtf«dl rJ/onftcfredrc rc

n e»r

~IO I~«KWJ e»I4»fc» wnc Ktc Ce ww

/AV 0 '4

4 wrtIwee«4 N ~ 4

Ie u««4»» ttf»44«FAn

~ Nl Nlw«r N reerue «l N Nwfn»NJrevcItt Ir N I»rr

rw ee IC»K

! ~C ~

w

rtw~»1 fr

~ fr V I~I»N«»I

IO

wrro

~1 IN4

4N ~

f1«rNe» N

r~I

»ew'NN N

N«l'! I ~O

/ IIO rl»I«i1»» le

rwN»F

~ 1 w

0 w»4N»l~

~1 wNNO ~~ ~

~Fw

11 411

4 31 jhow ffrfllpA/ft 49/ . 5 1 ~ 1/ »ww.,tu

I«NWISVFIN'a <C»NNsR rice'15 IIyj~

i» «Ate»NIFC ~ t

!eveli'/rePrew 45 j ~

«ver

(c>

IC

» I ~

54KlC lerC Dllcel«foc 5feles«JO/elcll»K5

04k4 ceofteNN ~ ~ ~ ~ 4»41»

(w vi ~ Sgf

~ Ae»w I44I220 o

Figure 2.9.1. Unit 2 vital ac/dc power system, marked areas represent supercomponents (blocks) for top events BF, BG, BH.

C '

85 88t

cACOIICter~AIAr«tf

TOP GvanlTS BF,8G,B1

COD ICr- ggr- )~AlarJ j OO'll- IIIIE~—

Jt tf-CJc- I ICCf I I I

J

I I

CJl.tr.ll

IIt

JI I IJO IIIIrIl»J,

IIII

I

Sc fr JSI ICV»VC

CI I» lr

FS

ICVl«l I IJCIIIIC

i CBrit ~ Ij

O

II „III,

IIIIIIIIII .II .IIt

fr,tf~ II.~ I~ ICVA

ft» D» Ct IJ J ~

l»rl»

I) AOO OAIVCVFO. A»CA tr«AIll

j:lrvycycr f4'lylcrF»K

IL ~J, Jt ID'» C I J<+J I I.c» I.t J.IDII

Ir«A ra..'r IIcryArCIIVAK Cr IVAN@ J.lr IJ I.l

~ ~

g ZM

colcrcIC Jr«VIfAIAJrtff

DCAC»l»C J»OD

cc Irr

J llr JIS

Ct IJO

COIF» FOOADtfAIC.I«rca «le

JVCIJ

BI'-I.OCIC.

B+

5

t VDJ

CVFDt

t CDI

IJIDOC I CC.DJF

I»rf J»vftllrvIcrra II

O'I'rsrro v /»

tc~ OO vrFI.

C.IDIt»ICO «II»

llr ~ II

I'Ot,»fitCllf»t J.Iao tttt«AAJC

r»L

rJO IIIIsf

I

I

ror«JFFIfc»ocrII oct ct Irr

aJFCI ll OVIFVC«$ ACC JVCCICIAVCICCFIO»yrrarKCIIFrrcrcIco.IJ ran src,tee,clif crtc«IAFJD

OV BEDS. I«rrrAl'SO Cl.,

8~ >I.o CkAllyltla«VDIDO rrfAI»NOYW

VillIS tIICtP. G. & E. CO

q P7723t»ttt ~

D1AGR Q:X.l. g.

Figure 2.9.2. Unit 2 vital ac/dc power system, marked areas represent supercomponents (blocks) for top events BF, BG, and BH.

t 0

125V DC11

125V DC12

480V AC1H

ViTAlINSTRUMENTCHANNEL I

4

VITALNSTRUMEMTCHANNEL IV

BACKUP

BACKUPTRANSFORMERREGULATOR

BACKUP

BACKUPTRANSFORMERREGULATOR

480V AC1G

480V AC1G

Figure 2.10. Reliability block diagrams for instrument ac system top events, I1* and Z4.

'

To

)S ~ ~ os

I sl f e«la a« ~ » I

M I

~I'ec IS ~

I

fOT3-

~ 'K R

II 4sl ~ I«ea e«es~ s« C e«ll»

1>S>1'I

~ II I~ >M

~I

t

~ I~ ~

I

~ sss e\ as«a~ ws

~ el I ~ e ~

s ~

14«oe Ml IL INI ~ ~ I~sae s«h ser, s«'Ks ~ S ~

MN

el »st ~I

g, )ice

4

Li ee IJ

~ eclfv IN>t l«M~ N« ~ \ e«Itw(I

Ne~ 1«N»

lliN

T.".T

i!>). f>s)

Kl

IKO

sib.sib KL

s)b.s)ss '<M

~INC 1'I

14(SC l IS< $>< LfS < t SVNI » Na~«JK4 e I pi Illa

>V L1I«4 No«

Ll

~ I ~- 'i,l~ee

! / I~ e«et«MIO> eae

I I I4 vvs«OK>K eoa

Nlt«NVNN ISV

Isel~ t

<I~

e ~ I««»kJsf I I

~ ~

eo Ilt « ~

N ~~ »es ~ 1

»« I'IN>We

~oe~ Ie «eRl It

0

KMNS

4 4 e«e Iel ev se'IV

No

~ e ~ Ivteo ev 01» N«~vt4

. I-Pent'

~

Q)s ..O~', "~ —Q+-QAQ

s

«tel» «4NNa el'N ~ V

—"Qc'4— NK(et WN~ I Ne«II ~ \e M

~I I~ 'll

%}.if'Vi~»el es«Vai» IN> ~ll CI ~ ee Maes ~ e

voo h 444

e

'

)~t tl4 VIIt CLLLN Se(ISN sf>Lie t(LLLS

Bi.,a. 0

0 Ne ee ~

I ~ ~IN~ 'll

)col>

C

sr ~s() ~ ~

~coho

feei ~~ ~

~>t

bise~ IS C ~ I Cot~ ~ 4 so« oe«o

Re<Csea e~~ sl

esc ~ «f lfcoI»V 4~ sl

~II( IN>l ICOJLS

Cee»V«he KN ~tPK CR ~ I <h'JCMN (OVPO ll

'I>seel ~ Ic ~ c«e ~~I ~ I«tl

~ 1Ms w(ce 4 )"ICV lute ~

+III~ VW

~Ksev ~ Ie RPOL ~ ~ Nw 1>eave leecse ~ I, ~ o ~>I ~ ~

p«l NC >Vat ~ st~lee« «fs~ sfsg 4 l»tl M"

~ ~I

~ ~ I

~sfI I~

H'L Cosa ~I C 4v io>M to«e~Ke pe DISll I CV ~

~>C ~ «> V COe»sr ~

c K4K ~ RRIw«t lc» ce ~

ols ~ (eelsVPK ~

SLe( ~

~ a(P ~ I l(es (4a)ee teIM INMe ~'l

s

CCP No ~ IKIOt« ~ C(t1<ewe ds«ea«L

NKRN <ILL<0

RO I» tKO

Vsh ~

~ ~ le«alia IS ~ I(»KM~~ WaK ~ I(ROIl Ns tel ~ teI Ileo (I ~ )»- )1

>Me e Mo1

~ 1>1

~ a. w» shesos ~ ~ al A >N. epIe(ltl >1 LN«e

agacR,

~ « ~ I LK>H' M«N e«~ I ~ lev LL ef4»a 4»N tc

IN~II ( NlI='---'=",,=.".===I="--!'.I-'.f;.Z

Is«t N f~e

V~ I

Vo ) wcP eveoTszl., zz,za, r+~ Ne~s ~

~ ~ sl

e ~

~ ~ ~~l~

I~ I ~1«N~I ~ 11

~ ell I It CN~ .r <Me«a soot

1 1st

e I~ v'I o«l lo cst'O'sse sole~ ~ I~ MN ~ cs e» ce ~

I ~ s ~Rt 4 Caa ~

~scl er l>4 Iaah ~~s(l er lf(4 OP«V ~CKP ~ sRVO COV

Seei( CMleis 4 I Sl ~ Oht' Wo Kelt

V SSOCLI~ > ~

VlK ~

~ Ke er tao>'R I ~ (4 ~

V\c IVII~ >CMIi>CSN.~.OJ<(

~S( ~ s« V4IVIV ~

Kv ~ Mo(ev vlN's>II

~ oolNOII~L>VI Cetess ~

~ ~ ~ s>~Kl ae le(0l(ll 'I't'4

~el ~ (o»OR 4Se ~ >VI I SC ~ Cs«

I~ ~ I»Is1401( teal\ eee

tKO (Lse

NIMMMC«4

~ Mhee Ores( ~IOCKI~ POP'N ~

. Pfh5rHBR5M~ ell~tIe> I

~se I~ ~

RSI(SI~ OLe O4 LKoKO IO K CLM(0 al PN IIK~ Ne«K R«N(C a«tee Noh(

~ e

CCr Kist 4 ~ ~ I ~

~ ~ N Se>V Was

IteK ~~ e I

Vsh ~>M

oslo» >' ~ RIWC tKIO~ PKO <LLL

) ~We Sel (Oreol w~~ St eK

~ I s( ~ R ~ ll 41le Klff. 0~ stv4 es(R ~~ I s(el«t Vl~ IS ~ KS

1 0' Iis

~ IMto

IMs

-IKllQQfii)Rlill(9

g g HKOJHHBH'llHTHBH)(8)

%5)) 'V 0 VR'VV V 0

9l,ock<~CK(o(IC SSSSC

~ o. SNN Illss eM ~ el sal to . It(«VI OI l«l ~ Qo

se IK<Ktpls,»is

11»l ~ ~ I ~Nli~ SV SO ~ ~ I ~ IN~~ IM IA> ~ K Mess

~ SWO CM»O

p»Nec 4 ~ ev ls«se' (etv~ N«W,e f

~ e(Vol 3 c.—I Z hitaa<KLL r~s- VL<«N VP ~ e « IMlt Ol

«Los( tee«ee.(I~ I NN r<JN - t'4.le«CV«e

~ ee ~ ss le ~

ggzjT=:. TT.isesY» (MKC

we ' V <'RMl

43754) 0c 0 iso« 'vs)hi

~f~ . see> Ia«le( ~ sl>wc ~ itl Nc tsc Mtlst

1, IK>s It«lf ILIR>Rll Ms>N

~, S>KIC ll 1 Ke(e ~ Keel 4I>C IKIO eC Se (,OK ~ I>setI, slahc lie( Kt(~ ~ KIM slee Iasi ~ ec sa I soKM~ . Lish< IIKKII~ ~ Kist ~ lsC IKI~ K Se ~ thiltL slsQC IIKKR~ ~ Kl~ t tisC lass ~ K le 1 eos>oo

el, 1<K>allC ~ s«o ~ I>M I»lies» I eC lti>( ~ l«sth, slw( ~ I 4 Kel~ ~ Kiss tlsc sist oc ~ sel ~ \ I, wlel~ I, IIKL<LIK KR~ ~ Kiss ~ esC otte lelh OO IIC~ N ~ IM I~ ll«s( \OK >41( ~ ~ Ksal ~ IeC et» Soles ~ tVL R( ~ le ~ Shel>L 0«see M(acvs«a( weel ~ oh MMIN

Figure 2.11.2. Instrument ac system, marked areas represent supercomponent for top events I1, I2, I3, and 14.

'0

4 ~ ~

~ N

~ ~~ I IHI~ I I~ H I'"'rP(lfIsr mft s.

I ~ I~

' ts«r

~0«

~. IN

) 0

~0 tal i(I IIt CK(I~ ~ fitlt sflise <KI(f

ckIah

~ Ill~ \

~Vr 's NE 'lL'III~ I~

~tat $ «ss Iat'h IKI I II

I~

~I'0( NI

oljQigfr

9'

g'I

1< eo tlI'

I EIIH ~ I« ~ sc~ ~ lav (IH

It%f1

)(C~

Ogv

«Cl I ~ salsaNVa II ~ II4 ~ I ~

)~ II I(

~ '

~ sos as ~~ ~ ro ofI«I AI

I

~ \ ~~ ~ Is ( II coo ~0~ ~ CD(W NH~

~ 1ave «scoot ~ ' ~Kl t CIO ~ s

~ si~Ke «I Vlt

I IlNK IKN

Ol I~ ~ Ho(ev Ha4a( Qe'N', ~(as trees( ~ vr

~r, cls 4 CKK~ I~ CC svs N gl

%look asc ~ (er ~N.It ~ Ir»

Ns %«<CD»Pt SNI ~Ws

~ Sask

~ Srak.,-. r

Sas, oo

~eis ace rc ~apl rits<i ~ IVSI

I ot

~ I~t. 01

'3r,o,~ ~II ~t

~II PH I I Cat~ NS(s svs ~

~ (~ ae vsRl ICH ~

~ Co N VCOHor ~C Ka« ~ IiII~

I~ I(H (0

I ss) g( 0

Ca ~ ksaOK ~ Iv4

%ask~ t~ ~

ltaK ~

~ce I~ sc sK0KN IHN

~ ~ t olStsK ~

«I' ~ CCe Ne ~ IKI~Iei 1 C($3I!I a««t' St I%V( HIHVHEIS«K» (KS(%~ tie~la« ak ep OKE

~ ~ Io«H(~ I~ al(VVII~tease< ~ l(«atl I~ Ort VlI IS ~ Kl ~ .w..-)(

Ie040 ore

~ lot

CSKLJI I»le~if%

~e. Llr ~ lte~«I 4 I HI IN It

~ Kl~ I al $«WI8 Lc)cg

V le ~

~ e«)«0 4 I~ IssI~

~js

Iot'Ie %1 ~

Il Hit'I ~l«EIIN WIS tr N~ ooe apl«or

I refI

~ I., f)'

~

) s<s

Ilo

~ ~sggQ':«C((H SHND«rl~ H'4 ~.\ r

Iss ~

~IS C ~ lt (oe' <o Ia« ID(~

~ Ca w NelMI ~ (0$ ~

NSC I SI ~ ~ ICINIs<%0%.~,<(SI~aCE «I SIC0

IHH ~Voce ~ 0N(u ase<Dr«(cf <0 ~

(DI«c 'i ba «hSV(l~ tr rl(~~Ilsl ciwv(aII ~ sl

~ cawvN~(ll

~ala (svw NSt ~ I0% (Ipl (re

I'O ~ (VISSNK ~sall Ne0KI

Kaka«le 1'll teal

o~tl

IoaoC

~ ~~o ~ ~NZ-~

~ II%It

I~ sl

I~II

II»~Itt. Iso~i

~oe~ ~ 'I

~ 0 I HI DH ls C ~~ S«40 NKOI''VESV Ce I

~ ~ ~o . S(f ~ Clh 0

Ncl «I 'vce tres ~

Io» IKIee IINNsrel ~cre ~ elalK ca ~

$011(a Cet I (Dl

IINSI'IK ~

~ tares( ~ IS ~ Itos«II ~, Osesv< Il(va4 II«s ~ OI NNHI ~ ~tt

~tr ~tN

L

csa(Lsf fei(IISLI($(1

~ L srrI«l I ~I VI 4 . It(«(tl al les ~

BLack

I ~ ~C(e KINN ~ ~ I ~

~ 0 It(eerii~~(tsl \I~ a(t

~I<11 lkla~ >st t I~

I ~ I~ ~~oo 1(IWC la%le

teo H

~101

~ Its ~

Vslo

KVastl sosJv 0: eve LH

Iala I Crf N.Vlfl ~

Vvt H vsN 0

LI

Iorf~ 'I

r 0

~ ~ Ihao «VLL ~

I'NI

Naeoo ~

EL o«

(Ph

i!)(

f.".f

!fNl.mlflb. $ (ff

Ks

Ks

lees

IN 1'IDIwla«W 0D

IE Iev wa«ah OD

I oeov Nsa««o OD

ale ~0 ~N ~

VI~ Hs ~ Ol

IVVI

«HI%VS

LEON Ilceo««V«

~ ~ ~ 'ws Ieo I«so\era co«

~Theet rt~ PJR&

IBI.(f)I( Kf~

~i sC.SS

K.sa SI

f',(h. iN <Ni

~IOH 0<v«KH Hv

~rests V w OVEN

~I

~aev «Eeoc«v INI Cs ~

vs< ~

~ SI ~ I~

~ss I~ I

:.J.Ss Iat» seeps ~ ~ ~

h EOL

T0P EVENTSZ f., ZZ,Z'S, X+

NIHN IKIE(t

~ OKEM Is(as< ~(K«is wvs(~

. MMLlRR5MOOI(%(

~ VLI oE 4< ~ co Io K cs(e(o al OH Isk~ aee«( ster<( OK(u fepc(

4 KVOS .IL

QQlQ 'tiffIT RBllO)

Q Q QXEUEHEtkH4I3)T~HMiIp)WM |) 0 VC)VV V74

«0 laKole K0,47Qo

~ 0 ~

~, lar Iarasl ~ oerSKC ~ IN KC DE Noftl

L ~ IK(( l(K KK~ ~ Kiss ~ loC lks~ K %0 ~ .Ik ~ lsfslI ilk(i(IK Kl(~ 1 Kist ~ (0C sell ~ K le I sol(N4 'IIW( ll E Kll~ ~ Kl~I ~ Ik %0%I ~ IC $0 ~ rollfl

'fire< (I E Kilt~ Kist ~ Ik IKN K I 1 oolsseH, Ic EHIIC ~ Iopa ~ Ite I \'IoIN I K isi»~ ~ Ihot4, IIKI(IIVKll~ ~ IC(at tlsC Itis Ic 1 Is< ~ \ ~, tNNIIt, lira( IIE Kh~ ~ KI~ I OIOC Olr loll( Ok Sl(I 01, ~ ls% ~

~Iw( IIKKl(~ ~ I<les ~ lac slr Is%I( ~ «h %les te ~ II'I~ I~ 0, I«le« eo(ac«we( Dias( ~ ek ltr)I~

-

«0«H

'I I OK I> MMEPI<FPi~rraso ~ I Bat

~ ersa~ ~ ~ I H 4 ~ Is

~ DNH SH O ~as« Da «K\%$ «DNs0 ~ 4 ««fs Iv

~o«<II (wee%

I ~

SVS't 4 CHOO

I >1 ~ Sf i(if(fifo%luis

Ice«

II�«I eke 44 Iaaf el IAsr .I~ D 4 «CDe v

Ioes

Not,

«0 IV

Slrll IIVIEII~ 0H 0II ~ tl«sp

~IN ars ~ H 4 sos ~~wl~ <Hr«

VNcvK los o toss«' totrs~ «Hr« ~ «

Ks43754) 0

io lsD'll»

Figure 2.11.2. Instrument ac system, marked areas represent superoomponent for top events I1, I2, 13, and I4,

'

l

0429'

I.H Sl

~OA

~ ) 0=

l)I r 'sr

~ ~

~ Isa Iv,la I ~ N»or ~ s sr ~~ M'sr

1 ~ ~ ~ lst ~

~

)IKI

~

~I«I~~I

4>

~ A')Kgs'le

~ ~~HO~ It INO 4

~ IE)t K/I'E\I

N»ss r I.sl. I <"I~ »~sa v v <>sos)I soI

IK»

>4t

~I H ~II I

,(N".

QAQ.

-3E-

~Alps I

)L<.oe Oo

I<II>o N I~ tr ~ slrr<»r Iw

I» ~

)K

) sct

%VCR

K-'» — cc)cart>N~lal rars ~ ~ ~ tooer wl

lAINt 0( ()(LtlI l'or ~M«a» ~ D

~ E,c(N

0)EI

:."'..I:A%

)Ml'C"I> VL

Wctt ~ IW ko>»:I .....IMel» Iw K leo>

. I --I..I:

I.I Is( Nr M»a>K 0»

4 Mwsir>»w ore

IH

))Ec.rl))) 1(N ow>wo»IAMH NH

~I H 1'I

~I II 11

He«I H 4» I»>VN ~ ~

1gloss. I)',EL cw orvw tear«r <>eo

CI ~

cs ~

(~ I>OK N»<<>Ia sa

lo as>st

NS~ I~ S ~

rer

V»D Ia<»l

~ ~ <»»>Ira or ea» H >0> ~HM~ ( OWVIvs sr Os» Il rw~ao ~ e Hr~ sir>rk '

~

0

sr lae) k ~ , t.l>~

I I~

~ ~ ~ ~~ ~ > ~

V

)«I l>r~ N~l»tolN

~rs BL.oak 1

I~ ~ I»ICMICK I ~s ~CD«a t»II t>sl~kl >Hero»ca er HN O>rr '( ll»a r Hco trow I'~Ia ~

~ So>K~ I ~

'ar ~ rasa» wa o A<D»» ccl coec»a>I I sr ors ~ ss ~

~ VsKI N

aka ar s>N ~s~aKSI ' '

~ Il~ l>>K

ce»>o Kt((lso ~ ~ I~

I) tsa K a>II()~ > 01

~ V>K~ ~ N

ll(C ~ Kr~O

~ ~ 11)IIL»C 4el»44rl~ >KAK~~ ~ IMOSI~ Il ~Ita>ka<. »t<Ws«K<ar

Is sssor ~ 40I I) Oak«

NN Ial~'e

~ ~ IIws c»e ~ cr ~Iwr >ol ~

va I se oka N cDI

~ J s ~ okl ao s<c4I~ s ~

IVW ' 'NL~"E'D'~S

~ I» ~ «W Cek'I l~I ( I CM

~ all N Ok>t AON>K

~ ItaWK ~

I>N ~

~cr ~ ~ ~ Iososc

Y>KI IN~t' ~ cce err ~ aloK»a o')tII)s~ So>K ~

~ S>>K ~ta IL

II~ II~s~ I~ I~

~ I~ S ~

~ I It~ I ~ SI

~ I>N

~ ssa

~ I4<a~s~ >>N

a )Isa

Ss ~ Sa»aa~~ ss

— ~ )—„4—-) (cN

Itta j Iaa

I I

rwae ~ sw II~ I ~

~>sls ~ .~()~ l«lS>>K

~ s ~ s)at<cot< ~ )»HN»lors ~~ II C)) H ~ I~»Ls«ce sea t"™~>r ~ ~ s

S>>0( ~ ~~ I ls

~ wrasse «Na ~™»ls)K~ oral ~ ~ 1~ > I)

l>aK~ sot)

Ds~ I~II

S>w(~ » Il

1>co r( ~ I4CICc ~ I 4 ~ c(N ~ osis~ le CO ~ N)S ~ SVL lk Sl C» ~ R>1 ~ S))~ l»4)

1>aol Ia.t>

EDIOIE NrrKI(DANI(k>» ~ le (K))~>aa(

»4 Irsl I«It~IC Ial)CCA

lose(

~NcM LKKIHL»r Krl

~ka Se ~ la So>>st~ol Is» err ssNe ~ ~ ~ I os lpssr I Ia CC)(AS>O tasal ~ NOC

~IHN~ VC»(~

~ tkaeV WH(~lac»st oor ~ (~

~ st>C» W»c ~ >>DWK ~~ ce IIK lasso( CM><MN

ToP FvEt4TZf

4I oae OK IKH(a tt N cststo ~I ow ~ IK4 oee«NWCCWar'P(t

~l(if@ IsI, ll»lc ILK teste ~ Kist ~IK le)la K Ie ~ O«sill>II>kit IIKKI(~ ~ Klw Ot k I Sla >C le ( OK ~ )s)ot), ~Ir>t ~ I 4 K>II~ KLN ~ I C I lla K Se K OK M)tl>4, Isaac lie( Ktl~ ~ KI~ I ~IK ~ LN K N 1 ~ DC oo)lloN S»A( LIK Kl(~ ~ Kiss ~ I C elle OC 1>NI» OK ~ stirD )IKL(ll 4 Ks(~ ~ Ksol ~:sC sar Ss)I( ~ O<S S(CI II OK 'It's ~

I, Nell( ~ Ial ~ Itr I Lla >C S 1>( s ~ ~ ~ ~ DO ol>o ~~ Q l.sat> Iw(os(K ~ KC OK Nlsls ~ Isalt K ~ III~ >»I a( De < ~ ~ ~ s

s trace DIKL«c I w»(~, Kc Iec ICN11I ~, liltV Nc(lol(k arl((s Ors ~ SNI~

QQM WIT EElllllE)

B

CCKLJLIKAAACJCS(AC ~ I

~t I tsoE Ita~ ow l' ' A Ioo. >0

Ckl>l ~ 'I )»a»i

~t ~ I D lsl DO Sll)O~ ~t cjc(K N( c«all)st~e)EAAA))(C

~t, SUK, ~ SNIkl ~ ~ 1 aal a ~ Iklol ol Sr»sl

~cr Dc sc(INa '(»r HvkoaeDr»I ~ s

<~j9 0 YUC9AUY Q~ s>k

e»s»»»a al saki

»~ ~ I v oeo(—W>LKLWOM—.

JIS»l V C~ 4

4 c)DK» ~ I L Ms ~ »

HI ~ LL ~ ~ 0» IS>OA l I~»

~M~ V Aekl)'e 'I

Ss»t llrKaa ~ ass ~ tsasow~ IN I Is\«w k 1 )>la

~ I at Cw»»»

~kkk 4 1 ar hlcrk IMMC 1

445290 79 N' <N'r

E Is» ruO( 0 s»a»»»t «e

Figure 2.11.1. Instrument ac system, marked area represents a supercomponent for top event I1.

IN ~4» ~ ~

'I ~

~e 'I ~)

11 CK Kl ~ »li. IOCK)tl'IC((S

[ltg(()C

gL cd;Is>S Sa

l«st I t»N ~ I~ « ICf) AS l))'IL)1I,

j ~ i .i.esite ses»s~ILKareso ~

N ~

I»la

~t'll 11 ~L

Ss W liII east» Nssa «st~ NN < rs Lr»ll)A

~ 1

la«(aa I lst»Massa ~ Ila t.i

~ ~ s ~~IS (~ ll C ~~'4 SW sert

~ra wNK ~ .Us ~~ I

Kl ECH ~ ~~ is)

~I Vlo ~

~ s'IOILC I»II st

1< I~ ~ sealer Ht ~ IW

('~( FY'~tat eesas«e rr l st(ll ~ I CA'LSsel ~ Eovsre N s»siSlaw) Llc ~ <we ~

si ~ (»isMa Vs«NNCNla I ~

~reer ~ lo sess< ~ ~ . ss/~ti lie wr N«e ~ L ~ ~ ~L»IN ~ ~

N4 je~s~OL~ MCIKH

»OllaCCL) ~ C r IS

~I~ Ca» II CN~'e)W taro

~ s ~I S ~ N(IW 41~l~ 1<vI I

'»I osn w liceI»H ~cwrws s«lc ~

~K I~ li» <4el

~ t wl ~ IrtsSti» ~

gll~ lsaaC ~

~ Ke It ll»aCE~KLS I LN

~IN t'

«v Ke ~ S»eotw ~ C(Lg>1

~ t 1(ILMC MS»<SU»~ OS<<(» CSS((4

~ I'leV ~ss No ia» OKI l~ ss

Isa» a

~ I»<~ I(~ h ~ Il»rite,llis\r< tc(reliMSO»a«~ I) t&L, l

<IN WI Iit

4

gs

' OS-Q~g~I,

IeL ~ ~) re ~

ariesI~~

ssl

'I

~ tt laIN 'sil IL Nile

~ ~ »s~ Owl ~ I ~

% ' ll~ ~

4 sacs ~«s

Nw ~ ts lii'O IWC I I

Kw 5»» Nl'N' ecl ~ SI

Ll

r~I leli ~

1»~ rvslw I»so Iw I ~~ w»»NKaw

L C~ 1 ~

Ie~ Na )Ko ~ ., )r

4 ~

) sc4

5

S

I

O-QSseel< ~ iwte

sl ~ ~ ~N I.'rw

ist

MIN I~ CM~I < ~ sir IN<0

~ra W NOIKI ~ COO ~

MIC salle IIC~ IllCI )'(!LESS»<(~aC ~ W )SCI

~VIVI ~I( ie 0 sea(»e HojW ( j'f('~<v(I~ taar<ll ~isis< (etvsl ~

I I ~ II~rl w li(0

~(ll 'O'UL'4~el (I sllil Nslasvi LK I ( ~

I~ ~ last)<till t»ll I»S

~Xa CLCS

~ ss ~HS NM S ~ CNV IMI~ tewa

~ s ~ t '4 era w (NtIs I KI ~ Cle ~

)I K ~t ~ ' I »esca w silo wvl ~

lait" IKLrl IICO eistH ~

cre ~ U4lsec COH)S)S(U <M Wle CDI

I~)II Ns OEI at

I4)I ~Ka I't(<CS

~ liaK ~~ ~

C(e Kiss N I I I ~

Sere SSIN»»,lc Kts ~ ll»aC(

~aa» i»la~ NI'st~alt

e~ Ss t I~ SCIL»C lello

W. je

el

~ ~s ~

~ ~

I~ I ~~so U»I~ N

s

I~il~stsisU(LI

~ss ~

~ 4 ~~ Via(

~sloe ss\ cer»1 t~tl

~ Vaa<

~ NKN(o IS IlC»sc I I~ s4fesva( il(isa~I sll»41 eer Il tres tt

IIN ~tla

ISI

I, K,jN,~ta )

~ Ut~N ~ 4

~ffrI~ I

Ejhf'ail

fiNf j.f jj ira

Ejb.cjf( w

LC C')C CSCVICCVISS(

«NOVINMas» Moose as J h

er( w

I

~ Ile

L.Ileal »sa II« '» Mv

MM I.

i%a

I i»lo»a»re ore

I I I

lrl~ ~

Sa

~ alar» sr~Uses. ~rss ~N

»NI'N st 4

rws~»ssosl

~lw»1

eel»wlea s»r ~ «I~

U

~ C iwrtri s» s ele r NMe»l ew

Efb. Effc (ceo

~t'IC )S

~I ~

A%. E)jj c»i

C IAIOM«vr4«IC role 0»e»w 4»

~UOH rls(UN< ~ li»a»Mt 4 e»MNW

M

»OH»(a(sar» IHi ~\I

Clt

«I

~I~ ii»s

»ass~ V sss

Kl II~

~ lsSt IN)t we as ~ I ~

N NOL

MINN0»aa(0

~ trier ia( ~ 4( ~LOCO<st wrs( ~

rtt(5(~ r<t NC OKM(0 ltK CIWO 41 OM II 1~ aaoeL NUKE

~Macr SILK<

~, Nsa I»NI(1 sas)KC IIN KC NC NON)L Wsa S»EIS( ~ MS)K< ~SN, wlljtL i»le IOWI ~ I,ILOLs~ Nile1. ela Ljw ~ lel(» lalsllel,L I»lo K Ill(~ sea< ~ ~ sl ~ I I~ w ttN0 willisI, II«( l(K Kill~ Kiss ~ I C i»lo IC Se t,tw ~)l)s'I~ l)WC II» Kl(~ ~ Kiss ~ IK tello K Sa 1 ssltNL slwc l)K Kll~ ~ Ksat ~ IK Iesl ~ ac sa ~ s»ttlL II«< IIKKl(~ ~ i(LN ~IK Iesl ~ OC 1 1 N)Aa

IL IcK»lie ~ laces ~ )N I»saswas sc Sell( ~ ~ )IIN~ I~ ll»UE l(K KK~ ~ OELas ~ ial OAI tC 1 \'sle I \, ~ s)ss)Il, IIWE IIKKilo ~ Kiss N C iwt )sill ~ 1 K(~ sl ~ ll) 1~ ll«lII l Kl(1 ~ Kiss ~ IK aws Sais( tvl KC ~ M, ~ siss)ss. I»ter tKKvaac ~ 0»asl ~ ew awa)N

~0 NW ItwIrll»rlI« le~rvl as sess ~

CIKLl(jm(4~(5(SLl(S

~ 0 lair ItNi ass 5 » aal ia . telrv( ~ 'I s»s»s

BLock)fly% Sjjf1j Rfjljo)

g U3KDH~Hs))BTHjsSji.ll)7L W .L 5 C

'5 VNV.Q V )4

»4 IN<»IKs.~Qo.

~ 0

»4 N Le«N0 ~ ~ «1 <N eta a»OS«OVL

KL»\ee»L 4 II \ ~ vl tN wlKre» Mwsaseswrewtsti rweist<~s ~«\ N <~L

I f< ~ «Lws~ ~ ~ ~ ~

~ «~»<wwl

ss

'L

*OL rvo)SC S j)ECCL) Ca)L ~ iL'C Lg

~ I» II » I wa telNswctes»oa~ «NLVO tw

~» Sl

~ I~ lti~» sa

~ 4 ~ ~

11'44 I ~ IMMtl~ w 4 ~ as tsas as

~its I»se ~ ~ K \sissNWICNWUe~ r~risk ~ I a» Isa<we iew»

~ w»sre I s «<rc

43754) 0'o f~-" l"l

Figure 2.11.2. Instrument ac system, marked areas represent supercomponent for top events Ii, I2, 13, and 14.

e

0

14(%(C (SC (1( YSLSS~ ~

/I )ot I%a~ ~ I

~t saw)«I ~ IN t«s ~ t» IlNH (»IKWts« ~

I ~ ~ f)HL«s

) s(l (swCi

~ lee LLVOP~O ~ 1

i'if I)st It telrsit

~~

I

)0(l

FAMI)c~ soo I~

i so«

~ "I~I N

~ 4A

)etreI ~

«Ciloe Wfe IW I)o~He (Oa«IIV

Ltl((

) sCI

I

I~Avr)A

"5i '

fill:("'f.IKL

'%flan.rt'h

'(ffs.csf). Kv~1'a ~ I

~1'I It)%(.cfff cvs

KISOVII«s«'1 ~ Is I

-.I -'-J.:-I -t"l.v IMws«sv e»I I,l.4 «v a««e No a»cvwsao«es«o«

~vr« IKKvrl«Nsr

wrw sl a«(wawtie

«WI OWVKVIWI

«sK ««I or «I~wo

~ r

)LK

I.'

CI ~

CS ~

~ ~ I«N «s

«HeIINt

~I Lrtst

~« ~ st

IHi««I e«o

~ II'SN

a KaslL

~ OM«slas ~ ~ I«L4 v ~

4 r«~ I.I«r«I

Lrs t«soiv v o«o~«so e»

.Yf&AFale aLe« s«l

w )~ s ~

~'N

'%VdVY ~

KV 4)«St sA

~. I

~e

~op gvFHT X 3

~ of% Oer IN (ro(~ C»r« rKS~ Oae w reitI KI ~ ao ~~ re)C I Ll~~ ~ It tie)S()~ OKS W LS»~ I tel ~~ Ifws r«( or vl~ ce«AI 'l'f« w

~ Itaa~ «I ewe~ ~ S «I ~ SW l«e IIII ) )NILet W re S ~ OSN~ as(tl, ~ I~ er' iso(1~ w KL~ CSC~ VCO '« ~ IKIC~ (NS Cl~ Kti«C I «WOWee SOS«it) SLK)t~ Oal K(NSV awiai ew «Is K«N

s)s)st~ so II

~ 1st~se w~ ! '

~ )SI

~ Nl). t~ Its

~)llKeeyy)

Iso, V

~ Is(~SSC««III C»V

eat"'f rsc ~ »cool~ II~1.w)(f 1(re ~

tls ~~sce ae vcoc«s «ac car1«sc (« Ir e«tstt N wse 14

~ St«C ~~ LfI

%toe ~~lll

~cr ) ~ s«K(~ I~r«%1 i«so

~ )VKem( erie

~ 1st WL 1%(

~ f)i O 'ti«o« ar),«tsc

Host ao IS%«~

~ l«ISIS ~ IS ~I(v (ls ~, wsee«i sic«I~ \ «)oe ~ I«

I I IS

1 se

Ccf(SAfV)Tfsf4'(S(t

so« i s 1 «i fe(KVS IS VW)

)1Ir irt tts It«

~ Ill~1 o«os evc rcr is

~ ) I ~

s« les lIC I Ifa ~ I~ M~ls S(C((S ~ (III% s«s)

VLK I) I~

~ 1 s ~

VIOC~) \'I

VOK~Ni«SOS W«fa~Ke O'ire

~I Is

~ I ~I

o« Kilo

lc '(LK)

~! I)~N~ I Iff~ I 11

Ia)INL~ 4 e

~IVWILH atilt l(~ae NN(i«o

~ «I~

~rsK~ ss I~

~ Iree~ I s ~

S«K~ «e

VsK~ I II~ 1 H ~ Irc aow cw

~ st~ I Il

~I' cf Isset Kist

~S f«NSC ~ )e CoriSN Ie«W tlatI«1 sw KL~ ~

II ll~ «s~o

s ~ IV(I~ OHNCIVI~ s) car«Le

1« Ir ~ ~ ssV

~ ~-) lfr frIes

I ~

~ tts

~ ~~4 )Ir eo ISIS KI I ~

CIICLQ) fo)ff~(%(CSe I slit st«Cs I~

assi 4o.l 4 IN. orIK(tl Ol O«

CKs

f eiaolt Sass( ~

~Hoar o«NI~LocNL~ t«rest

~ sr(C» OK«a so«K(K IIa Lw so)sic (asses 4

CPI«I ~

~ oct oc v(N(t lo K ((tel I~ Ies IIK~ saoal sore(

aces« %oK(

ALIIS')ILN

N)fit~ rifle~ r« N~ Is) ~ )~ )SI«) Ls oiQIS)lss

Ll(S~I(« ~ IN Wist~ ~ ~

NQENf QfElf Rllll[0'fI II ~~~>~) @3

F98 'PTUSAUY~ lr oe ~ L(ctsa~o ea I«cat Ke,~

Las ~ o

Qoov «ss«»« ~

~t+ I4 )IWC ~ IV Kfa ~ ICllf~Isl Wfe K e I~ SIWC Lw Ks(l 1 KLLI ~ (I4 lo)se K Irss )Iwc LIN cs(e ~ Kisf ~ I I I Lse sc 1 )O IIWC lla K«s ~ Kisf ~ ILC I Ve K I I ONt ls «C lsv Kilo ~ KLH ~ so4 ~ Is\ K I V(~ osO ~ I«i( lsoi KKI~ KLH ~se oott %i%I( «4 1(CI se ~ lrCI, %(N«IIC l(N sfto I %I ~ LC ls)fir ~ ee~ 'Q I,)sss Isa(tl(ol~. INSI~ SC 1 ~ NE

Io rl ~ sl ~ ~ .A

~ L v»rwe««« ~ Si«v cwcc

Nr s»«o ~

~Wl

s ovso«e«a '««QJ+ eo 'Sra C ~ ~

O s«ss'«We««~S S»w a

6

%s csl ~ I«« I(~ s» NI ~ O«lo~(H ws«N ~ H )o)ssa

~I« ~ L Kr~ ««(vK v\ ~ Is ~ INsc sara«

e « Iw, ~

~ 'IS44529)

9 w o«slo ~g~ g ] C 0 fac«os« «st«

Figure 2.11.3. Instrument ac system, marked area represents a supercomponent for top event I3.

l :0

81 82

Colfdt/(CrimAIIIOVCf

do IF"III:-)- St-t/~I I

1 I II II--5 II I

O- 5 I

11 15 tl I

I

IIII

AIINL

II

AIIIOS. tddltO- Igd- C

~I

St

5 /O I'I1 /IVNW

I-ISS 11 Iv vi

81.oCka

DICft

IIIII

IIIIIIIIII

II5

III

IIII

''

III

I ~

/CO 555 I t ~tiI.ti 1/

[C

Aorft OS

/d tt~ SOOtoll1'I

Oti tl

I NO tl1

Ado OAIVCVtto,AACAIAAIIlt

l*ifdlliANJt /o.to 1.5 ~.iol I

DtrttivAN.t./O IS td tid

iov(lIN"AN.~ t /P ll 1-1 tdot fi

i K'VIVIAIIAA ~I I ig INO'I I.i I/Ot

5 W . ~

~Altfii/NI id it t 1 I/Ovt

dl Ilfi1 IiitI Pit 11 tfdwtI' I '

t iid ttd

BLock

Fldoi I Ct.titi

Iltd1'VV/OIIOV

Ad/it II

~ ~

S.NO ni

/VCiIi,CtI /A'55I/td StS

~ i~

51 11 Iit1 IO

3 ~ O/AFAIV AN cL lotto

CdiCACIC SOVI%/AIASIIA/f

/IACIIIIICSVOI/

CL/Od

t NO Sto

CL ISO

COAAIPOAPCVAIC. FAAVOVC

~ FDSI /lit

Odd V It/I.Lfg.dttt

Avl.

1 /OO~ oo v AAIt./Dt dtdvtt(

/Pl ~ /DI1 il

ldd VAttOddfttttfCIIOCNIAN CC IOO

littCIIt DAN/COS AV/ SVCCIALAVCCCCtidH/POAIOKAILVOAMtttd

11 II/IS SVC Sii Ctt(COLCOIAICDDV dt/55 AVNFAViiv CS,

/Vifttt/AVDtdc /rCA II.NO'(OOToP EVE'HTST~, «. X3, Xl

VivititRCII

107723Sttttf ~

!AGRQHll2.l 9-+Figure 2.11.4. Instrument ac system, marked areas represent supercomponents for top events Il, I2, I3, and I4.

:0

:Table 2.1a

Top Event Definitions and Success CriteriaElectrical Power SystemsNonvital Electric System

Top EventDesignator Top Event Definition Top Event Success Criteria

OG Nonvital ac power from 230kVswitchyard.

Power is maintained from the230kV switchyard down to the4.16kV vital buses F, G, H for 24hours following an initiatingevent.

Nonvital ac power from 12kVbuses,

One of two 12kV buses (D, E)transfers to standby offsitepower source and remain energizedfor 24 hours following

an'nitiatingevent.

FSAR Success Criteria:Explicitly are not specified, however one can infer the following:

1. If the unit trips, the unit must switch to the 230kV system viathe'tartuptransformers to maintain power to the plant loads.

2. If the 230kV syst: em is unavailable, the vital 4.16kV buses must beisolated from both the auxiliary and startup power systems so that thediesel generators may supply the load.

, Technical S ecificat ons (LCOs):1. For continuous operation, two independent offsite circuits must be

maintained (one 500kV and one 230kV line).2. If one offsite circuit is lost it must be restored within 72 hours or

else the unit must shutdown.3. If one offsite circuit and one" diesel generator is out of service they

must be restored within 12 hours.


:0

~ g Table 2.1bTop Event Definitions and Success Criteria

Electrical Power SystemsVital 125V DC System


DF 125V DC Power Each dc power train is successfulif it remains de-energized for 24hours following an initiatingevent. If ac power is lost eachbattery is required to power eachtrain for two hours, and providepower to its respective dieselgenerator.

FSAR Success CriteriaExplicitly are not specified, however, one can infer that in the event thatany or all 480V vital buses are lost, the 125V batteries will provide dccontrol power necessary to shut, down safely the plant.

Technical S ecifications LCOsIf one battery or charger or both are inoperable, restore within two hours orbe in hot standby within the next six hours or in cold shutdown within thefollowing 30 hours.


I '

: Table 2.1cTop Event Definitions and Success

Criteria'lectrical

Power SystemsVital AC System - Unit 1


AF, AG, AH Vital AC Buses Each 4.16kV bus is successful if itisolates from the auxiliary power sourceand each 4.16kV and 480V vital trainremains energized for 24 hours,(Success of this event implies thatgiven failure of top event OG thecorresponding diesel generator muststart and load to power the equipmentsupplied from the vital train. Failureof this event means that vital ac is notavailable even if the startuptransformer and the diesel could supplyac power.)

SF, SG, SH Startup Feeder Breakers Each standby startup feeder breaker toeach 4.16kV bus is successful if itenergizes the bus and remains energizedfor 24 hours. (These top events areasked if the corresponding top eventsAF, AG, AH are successful. Success ofthese top events and of OG implies thatvital ac power is available on thecorresponding buses. If OG fails andthese top events are not asked thecorresponding diesels must start andload to power the equipment from thesebuses.)

FSAR Success Criteria:During a plant trip or loss of offsite power, the system must maintain powerto at least two of three vital 4.16kV buses. Any two of the three vital busesare adequate to serve at least the minimum required ESF loads of a unit.

Technical S ecifications LCOs~ With one 4.16kV and/or associated 480V vital buses not energized, must re-

energize within eight hours or be in hot standby within the next six hoursand cold shutdown within the following 30 hours.

~ Loss of diesel generator 13 which supplies vital bus F of both units wouldrequire both units to shutdown if not restored within 72 hours.

~ If one diesel or one offsite circuit is unavailable the other two powertrains must be verified within one hour and the unavailable source restoredwithin 72 hours.

DCPRA-08 -41- December S, 1989

I

:Table 2.1d

Top Event Definition and Success CriteriaElectrical Power Systems

Vital AC/DC System - Unit'

Top EventDesignator Top Event Definition Top Event Success CriteriaBF, BG, BH Vital AC/DC Electric Power

Subsystems of Unit 24.16kV bus (F,G,H) at Unit 2,480V bus (2F,2G,2H) and 125V dcpanel (21,22,23) respectively,must remain available for 24hours. (The success of top eventBF implies that if offsite poweris not available, swing diesel 13aligns to Unit 2, power isavailable at the associatedbuses.)


:

: Table 2.1eTop Event Definition and Success Criteria

'lectricalPower SystemsInstrument AC System


IlI2I3I4

Instrument AC Channels Each channel is successful if120V ac power to the loads on theinstrument ac distribution panels(panels PY-11, PY-lla for ChannelI, panel PY-12 for Channel II,panels PY-13, PY-13a for ChannelIII, and panel PY-14 for ChannelIV) is maintained for 24 hours.

SAR Success Criteria: Similar to that applied in the modelling.

Technical S ecifications LCOs : With one vital instrument ac bus notenergized by its associated inverter or with one inverter not connected to itsassociated dc bus, re-energize the vital instrument bus from another sourcew'ithin two hours or be in hot standby within six hours and cold shutdownwithin 30 hours; re-energize the vital instrument ac bus from its associateddc bus within 24 hours or be in hot standby within the next six hours and incold shutdown within the following 30 hours.


:0

: Table 2.2aBoundary Condition and Split Fraction Identificati.'ons for

Top Events OG and NVNonvital Electric Power System

Top Event

OG

Split Fraction ID

OG1OGF

NV1NV2

Definition

Given offside grid success.Given offside grid failure

(guaranteed failure).

Given all support available.OG succeeded, dc 12 or dc 13failed.

OG failed, dc 12 and dc 13failed (guaranteed failure).

Table 2.2bBoundary Condition and Split Fraction Identifications

for Top Events DF, DG, and DHVital 125V DC System

Top Event Split Fraction ID Definition

DF DF1 Vital 480V bus 1F available.

DG DG1DG2DGF

Vital 480V bus 1G available, DF succeeded.Vital 480V bus 1G available, DF failed.Guaranteed failure.

DH DH1

DH2

DH3

DH4

Vital 480V bus 1H available,DG succeeded.Vital 480V bus 1H available,DG failed.Vital 480V bus 1H available,succeeded.Vital 480V bus 1H available,failed.

DF succeeded,

DF succeeded,

DF failed, DG

DF failed, DG

DCPRA-08December 5, 1989

I :0

Table 2.2cBoundary Conditions and Conditional Split Fraction Identification

for Top Events AF, AG, AH, and SF, SG, SHVital AC System - Unit 1

Top Split FractionEvent Identification Definition

AF AF1

AFA

AFF

All support available, with recovery from commoncause breaker failure.All support available with no recovery from commoncause breaker failure.Guaranteed failure.

In the following the notations: DF-S, DF-F, and DG-S, DG-F, represent the success (S) and failure (F) ofdc trains 11 and 12, respectively. The notation AF-S, AF-F, AG-S, and AG-F represent the same for actrains F and G, respectively.

AG AG1AG2AG3AGAAGBAGCAGF

DF-S, AF-S, with recovery.DF-S, AF-F, with recovery.DF-F, with recovery.DF-S, AF-S, no recovery.DF-S, AF-F, no recovery.DF-F, no recovery.Guaranteed failure.

AH1AH2

AH3AH4AH5AH6AHAAHB

AHCAHDAHEAHGAHF

DF-S, DG-S, AF-S, AG-S, with recovery.DF-S, DG-S, AF-S, AG-F, or DF-S, DG-S, AF-F, AG-S,with recovery.DF-S, DG-S, AF-F, AG-F, with recovery.DF-S, DG-F, AF-S or DF-F, DG-S, AG-S, with recovery.DF-S, DG-F, AF-F or DF-F, DG-S, AG-F, with recovery.DF-F, DG-F, with recovery.DF-S, DG-S, AF-S, AG-S, no recovery,DF-S, DG-S, AF-S, AG-F or DF-S, DG-S, AF-F, AG-S, norecovery.DF-S, DG-S, AF-F, AG-F, no recovery.DF-S, DG-F, AF-S or DF-F, AG-S, AG-S, no recovery.DF-S, DG-F, AF-F or DF-F, DG-S, AG-F, no recovery.DF-F, DG-F, no recovery.Guaranteed failure.

SF SF1SPA

All support available with recovery.All support available, no recovery.


t 0

'able 2.2c (Continued)


Xn. the following the notation B stands for "bypassed"state.

SG SG1SG2SG3SGASGBSGC

SF-S,SF-F,SF-B,SF-S ISF-F,SF-B,

with recovery.with recovery.with recovery.no recovery.no recovery.no recovery.

SH SH1SH2SH3SH4SH5SH6SHASHBSHCSHDSHESHG

SF-S,SF-S,SF-F,SF-S,SF-F,SF-D,SF-S,SF-S

1

SF-F,SF-S I

SF-F,SF-D,

SG-S, with recovery.SG-P or SF-P, SG-S, with recovery.SG-F, with recovery.SG-D or SP-D, SG-S, with recovery.SG-D or SF-D, SG-F, with recovery.SG-D, with recovery.SG-S, no recovery.SG-F or SF-F, SG-S, no recovery.SG-F, no recovery.SG-D or SF-D, SG-S, no recovery.SG-B or SF-B, SG-F, no recovery.SG-B, no recovery.

DCPRA-OS -46- December 5, 1989

4 :

: Table 2.2dBoundary Conditions and Conditional Split Fraction Identification

for Top Events BF, BG, BHVital AC/DC System - Unit 2


BF

BG

BH

BF1

BG1BG

BH1BH2BH3

Offsite grid failed, OG-F.

OG-F, ac/dc train F Unit 2 successful, BF-S.OG-F, ac/dc train F Unit 2 failed, BF-F.

OG-F, BF-S) BG-S.OG Fy BF S > BG F or OG Fy BF Fy BG SOG-F, BF-F, BG-F.

Table 2.2eBoundary Conditions and Split Fraction Identification

for Top Events Il, I2, I3, and I4Instrument AC System

Top Split FractionEvent Identification

Il IllI12I1F

Definition

DC11 succeeded AC 1F succeeded or failed and AC 1Gsucceeded; DF-S, AF-S, AG-S or DF-S, AF-F, AG-S.DF-S, AF-S, AG-F or DF-S, AF-F, AG-F.DF-F, guaranteed failure.

I2 I21I22I23I24I2F

AG-S.DG-S,AG-S,DG-S,DG-Fi

AG-F.Il-F.AG-F,,I1-F.guaranteed failure.

I3

I4

I31I32I3F

I41I42I4F

DH-S, AH-S, AG-S or DH-S, AH-F, AG-S.DH-S, AH-S, AG-F or DH-S, AH-F, AG-F.DH-F, guaranteed failure.DG-S, AH-S, AG-S or DG-S, AH-F, AG-S.DG-F, AH-S or AG-F, DG-S (AH-S or AH-F).DG-F, AH-F, guaranteed failure.

DCPRh 08 47- December 5, 1989

:

'able 2.3aUnavailability Values (Split Fractions) for the

Nonvital Electric Power SystemTop Events OG and NV

TopEvent Case Cele. TTL HW HWI HWD TS

CommentMN HE ¹

OG OG1 PG&E 7.629-4 4.813-4BNL 7.592-4 4.841-4

4.813-44.841-4

0.00.0

2.816-42.751-4

OGF PG&E 1.0BNL 1.0

NV1 PG&E 1.629-4 1.621-4BNL 1.623-4 1.616-4

8.471-64.561-6

1.537-41.570-4

7.645-77.688-7

NV2 PG&E 2.455-3 2.285-3BNL 2.460-3 2.293-3

NV3 PG&E 1.0BNL. 1.0

2 ~ 131 32.136-3

1.537-41.570-4

1.705-41.677-4

DCPRA-08 48 December 5, 1989

:0

: Table 2.3bUnavailability Values (Conditional Split Fractions)

for the Vital 125V DC System

TopEvent Case Gale. CSF TTL HW HWI TS

CommentMN HE ¹

DF DF1 PG&E 7.056-4 7.050-4BNL 7.175-4 7.175-4

6.855-46.975-4

1.952-52.003-5

DG DG1 PG&E 7.051-4 7.050-4BNL 7.175.-4 7.175-4

6.855-46.975-4

1.952-52.003-5

DG2 PG&E 7.024-4 7.164-7BNL 7.170-4 5.144-7

6.892-74.865-7

2 ~ 724-82.794-8

DH

DGF PG&E 1.0 1.0BNL 1.0 1.0

DH1 PG&E 7.004-4 7.004-4BNL 7.129-4 7.129-4

6.808-46.929-4

1.952-52.003-5

DH2 PG&E 6.977-4 7.131-7BNL 7.124-4 5.112-7

6.860-74.833-7

2.715-82.785-8

DH3 PG&E 6.977-4 7.131-7 6.860-7BNL 7.124-4 5.112-7 4.833-7

DH4 PG&E 6.962-4 1.093-9 1.051-9BNL 7.119-4 3.662-10 3.371-10

2.715-82.785-8

4.181-112.911-11

DCPRh 08 $ 9 December 5, 1989

:

:Table 2.3c

Unavailability Values (Conditional Split Fractions)for the Vital AC System

TopEvent Case Gale. CSF TTL HW HWI HWD TS

CommentMN HE ¹

AF AF1 PG&E 6.922-4BNL 7.002-4

AFA PG&E 7.392-4BNL 7.453-4

6.922-4 6.569-47.002-4 6.645-4

7.392-4 7.039-47.453-4 7.096-4

6.568-46.644-4

6.568-46.644-4

1.003-71.036-7

4.713-54.524-5

3.526-53.568-5

3.526-53.568-5

AG AG1 PG&E 6.921-4BNL 7.001-4

AG2 PG&E 8.371-4BNL 7.827-4

AG3 PG&E 6.922-4BNL 7.002-4

6.922-47 002 4)as AF1

1.077-6 1.029-65.480-7 5.006-7

6.922-47 002 4)as AF1

9.720-74.414-7

5.699-85.923-8

4.805-84.742-8

AGA PG&E 7.126-4BNL 7.195-4

7.392-47 453 4)as AFA

AGB

AGC

PG&E 5.179-2BNL 3.537-2

PG&E 7.392-4BNL 7.453-4

2.770-5 2.765-52.636-5 2.631-5

7.392-47 453 4)as AFA

9.720-74.414-7

2.668-52.587-5

5.128-85.064-8

AH1 PG&E 6.921-4BNL 7.001-4

AH2 PG&E 8.005-4BNL 7.617-4

AH3 PG&E 4.724-2BNL 2.771-2

AH4 PG&E 6.921-4BNL 7.001-4

AH5 PG&E 8.371-4BNL 7,827-4

AH6 PG&E 6.922-4BNL 7.002-4

6.922-47.002-4 as AF1

1.077-65 480 7)as AG2

1.656-8 1.644-8 '.876-9 1.357-81.519-8 1.513-8 2.933-10 1.484-8

6.922-4002 4)as AF1

1.077-680 7)as AG2

6.922-47 002-4

1.153-105.359-11

DCPRA-08 -50 Dacaebar 5, 1989

'II 0

Table 2. 3c (Continued)

TopEvent Case Gale. CSF HWE TS

CommentMN HE

AHA PG&E 6. 921-4BNL 7.001-4

7.392-47 453 4)as AFA

AHB PG&E '.419-2BNL 2.765-2

AHC PG&E 3.028-1BNL 2.459-1

AHD PG&E 7.126-4BNL 7.195-4

AHE PG&E 5.179-2BNL 3.537-2

2.770-52.636-5)as AGB

6.232-6 6.229-66.483-6 6.480-6

7.392-47'453 4)as AFA

2.770-52.636-5)as AGB

2.876-9 6.226-62.933-10 6.480-6

2.882-92.816-9

AHG PG&E 7.392-4BNL 7.453-4

7.392-4 )as AFA

SF SF1 PG&EBNL

SFA PG&EBNL

1.598-31.583-3

1.708-31.696-3

1.598-3 1.533-31.583-3 1.520-3

1.708-3 1.643-31.696-3 1.634-3

1.533-31.520-3

1.533-31.520-3

2.448-72.604-7

1.100-41.137-4

6.500-56.288-5

6.500-56.288-5

SG SG1 PG&E 1.598-3 1.598-3BNL 1.583-3 1.583-3

SG2 PG&E 1.740-3 6.446-6 6 '57-6 6.115-6 1.420-7BNL 1.674-3 2.651-6 2.459-6 2.310-6 1.494-7

SG3 PG&E 1.598-3 1.598-3SF1BNL 1.583-3 1.583-3

SGA PG&E 1.645-3 1.708-3BNL 1.631-3 1.696-3

1.891-71.912-7

SH

SGB PG&E 5.312-2 6.947-5 6.926-5 6.115-6BNL 3.995-2 6.777-5 6.756-5 2.310-6

SGC PG&E 1.708-3 1.708-3BNL 1.696-3 1.696-3

SH1 PG&E 1.598-3 1.598-3)BNL 1.583-3 1.583-3

6.315-56.525-5

2.032-72.054-7

DCPRh-08 December 5, 1989

I1 :0

Table 2. 3c (Continued)

TopEvent Case Calc. CSF TTL HWI TS ~

CommentMN HE ¹

SH2 PG&E 1 ~ 699-3 6.446-6BNL 1.650-3 2.651-6

SH3 PG&E 3.033-2 1.051-7 1.041-7 6.496-8 3.912-8BNL 1.595-2 4.228-8 4 '82-8 3.511-9 3.831-8

1.053-94.639-10

SH4 PG&E 1.598-3BNL 1.583-3

1.598-31 583 3)as SF1

SH5 PG&B- 1.740-3BNL 1.674-3

6:446-62.651-6)as SG2

SH6 PG&E 1.598-3BNL 1.583-3

1.598-31 583-3

SHA PG&E 1.598-3BNL 1.583-3

1.708-3696 3 ) as SFA

SHB PG&E 4.421-2BNL 3.133-2

SHC PG&E 2.901-1BNL 2.471-1

SHD PG&E 1.645-3BNL 1.631-3

6.947-5

1.634-5 1.633-51.674-5 1.673-5

1.708-31.696-3 as SFA

6.496-8 1.626-53.511-9 1.673-5

1.315-81.274-8

SHE PG&E 5.312-2 6.947-5BNL 3.995-2 6.756-5

SHG PG&E 1.708-3 1.708-3BNL 1.696-3 1.696-3

* All of these conditional split fractions involve powers (>2) of unavailabilities whosequantifications require convolutions of unavailability distributions. Since for auditcalculations BNL used point value approximation the BNL results should be considered aslower limits of the correct (PG&E) values.


Table 2.3dUnavailability Values (Conditional Split Fractions) for

the Vital AC/DC System - Unit 2

TopEvent Case Gale. CSF TTL HW HWI HWD TS

CommentMN HE ¹

BF BF1 PG&E 1.440-3 1.440-3 1.386-3BNL 1.431-3 1.431-3 1.376-3

1.386-31.376-3

1.074-71.036-7

5.410-55.571-5

BG BG1 PG&E 1.440-3 1.440-3 BFlBNL 1.431-3 1.431-3

BH

BG2 PG&E 1.476-3 2.930-6 2.775-6BNL 1.471-3 2.105-6 1.952-6

BH1 PG&E 1.440-3 1.440-3BNL 1.431-3 1.431-3

2.713-61.892-6

6.182-85.930-8

1.546-71.533-7

BH2 PG&E 1.476-3 2.930-6BNL 1.461-3 2.105-6

BH3 PG&E 1.187-2 2.439-8 2.390-8BNL 8.486-3 1.786-8 1.754-8

7. 794-92.603-9

1.610-81.493-8

4.884-103.262-10

*These conditional split fractions involve powers (>2) of unavailabilities whose quantificationre convolutions of unavailability distributions. Since for audit calculations BNL usedvalue approximation the BNL results should be considered as lower limits of the correct

E) values.


E 0

'able 2.3eUnavailability Values (Split Fractions and Conditional Split

Fractions) for the Instrument AC SystemTop Events: Il, I2, I3, I4

TopEvent Case Cele. CSF HWI TS

CommentMN HE ¹

I2

I11 PG&EBNL

I12 PG&EBNL

I21 PG&EBNL

I22 PG&EBNL

1.152-31.144-3

1.736-31.744-3

5.757-45.179-4

8.677-48.718-4

1.133-31.125-3

1.133-31.125-3

5.666-45.627-4

5.666-45.627-4

1.133-3 0.01.125-3 0.0

1.133-3 0.01.125-3 0.0

5.666-4 0.05.627-4 0.0

5.666-4 0.05.627-4 0.0

1.817-51.847-5

6.020-46.182-4

9.088-69.236-6

3.010-43.091-4

I23 PG&E 5.757-4BNL 5.718-4

I24 PG&E 8.677-4BNL 8.718-4

I4

I31 PG&EBNL

I32 PG&EBNL

I41 PG&EBNL

I42 PG&EBNL

1.152-31.144-3

1.736-31.744-3

5.757-45.719-4

8.677-48.718-4

1.133-31.125-3

1.133-31.125-3

5.666-45.627-4

5.666-45.627-4

1.133-3 0.01.125-3 0.0

1.133-3 0.01.125-3 0.0

5.666-4 0.05.627-4 0.0

5.666-4 0,05.627-4 0.0

1.817-51.847-5

6.020-46.182-4

9.088-69.236-6

3.010-43.091-4

DCP1UL-08 -54- December 5, 1989

1 :0

: Table 2.4Vital 4.16kV Bus Loading

Plant Condition 4 '6kV Bus OperationDiesel Operation

Start Load

Lose 500kV +shed load

Lose 500kV +230kV shed load

Stay on aux. transformer.

Stay, on aux. transformer.

No No

Yes No

Lose 500kV +unit trip

Transfer to startup transformer. No No

Two 500kV Transfer to startup transformer,breakers open + loads don't strip.unit trip

No No

Unit trip + SI Transfer to startup transformer,loads don't strip.

Yes No

SI (alone) Transfer to startup transformer,loads don't strip.

Yes No

Unit trip + LOSP Transfer to diesel.(all)Unit trip + LOSP Transfer to diesel.+ SI

Yes Yes

Yes Yes

Loads:s

~ 480 MCC*~ Auxiliary Saltwater~ Centrifugal Charging~ Reciprocating Charging~ Component Cooling WaterSafety InjectionResidual Heat RemovalContainment Spray **Auxiliary FeedwaterContainment Fan Coolers* (MCC load)

Bus FF11

Bus G

G

2232

Bus HH

322224

~ System used during normal operation.* These never trip (except containment fan coolers).** Load only if "P" (Phase B) signal is present.


'

RESULTS OF THE BNL REVIEW

3.1 General

The unavailability analysis of the Electrical Power System in the DCPRA

was reviewed by BNL with an emphasis on completeness and adequacy in modellingthe electrical systems. In addition, to check for calculationalinconsistencies, all of the split fractions (w/o seismic) were recalculated(audited).

3.2 Observations on the Unavailabilit Modellin of Electric Power S stem

The review of the Electric Power Systems resulted in the followingobservations and questions.

3.2.1 Nonvital Electric Power S stem

1. The startup transformers (SU-ll and SU-12) are depicted in the nonvitalelectric power system description (Figure D.2.1-1, Sheet 4) as somewhat

complex systems; e.g., transformer SU-11 has two cooling oil pumps and 25

cooling fans (powered via breaker 52-11D-23 from bus 11D 480V) as well as

radiators. They can carry only up to 60-70% of the load without cooling.The analysis apparently neglected the unavailabilities due to failure and

maintenance of these subcomponents and the unavailability of the bus. As a

result, split fraction OG1 seems to be somewhat underestimated.

2. It is not clear if the switch yard/plant breakers (542 and 632) have

already been replaced by "seismic resistant" Hitachi breakers or not. Ifnot, their seismic contribution might be relevant.

3. Assumption 2 for quantifying Top Event OG states that failure events toaccomplish load rejection to house loads are included in the loss of power

initiator. How big is this contribution and how was it estimated2


I

4. Block 3 shown in Figures 2.2 and 2.3 was not developed at the equationlevel, It is said that it might be modelled as a recovery action if it isneeded. Please identify which power recovery action(s) includes it, if

any'.2.2

Vital 125V DC S stem

1. The DCPRA does not mention ground fault testing of the batteries.'his'E

is performed at some nuclear plants as often as once per shift. Is therea potential failure of loss of a vital dc bus due to operator errorassociated with this test (e.g., push a dc bus trip breaker switchinstead of the ground fault test switch)7 Is there any potential toloose a vital dc bus due to operator error during the operability testsof the batteries required at each seven

days'.

Figure 2.1 as well as Figures 2.4.1 and 2.4.2 indicate a bus tie between

dc buses 11 and 12 (which might be in use during maintenance) ~ The

system analysis does not consider common cause failures between dc

trains. It is known however that a bus tie has the potential tocompromise the independence of the dc trains. Please explain the reason

for the omission of the bus tie from the unavailability model of the dc

system.

3a. It is not clear which are theWalues of the split fractions for topevents DF, DG and DH for station brownout (unit blackout) and blackoutinitiators. After battery depletion (assumed in the dc power analysis tobe two hours) their values are 1, or is recovery assumed2~

3b. In modelling of the electrical recovery actions, the DCPRA states(p.3-5-18): "based on the actual plant operation data, PG&E electricaldesign personnel estimated an extended battery availability of more than12 hours with no reduction in dc loads during a station blackout." Inthe unavailability analysis of the diesel generator it was assumed thatthey are unrecoverable after depletion of the dc batteries. Depletion


0

I 0

time was taken to be 12 hours. Please clarify the consistency of the

assumptions used for battery depletion time in the DCPRA (2 hours or 12

hours) and its impact on accident sequences where battery depletion isimportant (operation of turbine driven AFW pump, etc.).

4. The unavailability model does not reflect the following potential operatorfailure that may occur when given a LOOP: the battery chargers are

automatically tripped and procedure requires that the battery chargers be

manually restored.

5. The analysis is tacit about a potential loss of air to the drawout breakerson distribution panels 11 and 12.

3,2.3 Vital AC S stem Unit 1

1. The system analysis stated that the 4.16kV switchgear room needs cooling(heavy equipment being used during normal operation) via cooling fans. The

unavailability modelling of the syst: em assumes that the 4.16kV switchgearroom does not require ventilation. The analysis seems to be contradictory.

2. The 480V switchgear room ventilation was considered so important that a topevent was dedicated to it (Top Event SV; not reviewed)„ Why was then the"failure of fire damper" in the 480V switchgear room (a fairly infrequentevent) included in the top event'nalysis of the vital ac system and not inthat of the switchgear room2

3; Manual operation of malfunctioning 4.16kV feeder breakers was considered as

an acceptable recovery action for top events AF, AG, AH as well as SF, SG,

and SH in the case of all initiators except large and medium LOCAs. Why

was it not applied for the 12kV breakers, i.e., for top event HV/

4, The failures of the hardware (relays, electronics) associated with thepermissives (allowing/disallowing power source transfer) were not modelled.Whys

DCPRA-OB -5B- December 5, 19B9

0

~

~ ~3.2.4 Vital AC DC S stem - Unit 2

The Unit 2 ac/dc system unavailability is modelled in the DCPRA as a

combination of the vital ac and dc systems of Unit 1 with the only differencethat Unit 2 components are substituted for the Unit 1 components. This

approach compels BNL:

1. to reiterate all the observations made in the previous two sections(Sections 3.2.2 and 3.2.3) also with respect to the Unit 2 vital ac/dcsystem, and

2. to disagree on the assumptions made in the analysis about maintenance,

tests and human failure contributions to the total unavailability. Thislatter item is detailed below.

The DCPRA apparently overlooked the fact, that throughout a time periodwhile Unit 1 is in operation, Unit 2 will have one refueling (and/or severalcold shutdowns). During a refueling (or cold shutdowns) the components of the

Unit 2 vital ac/dc system will be subjected to longer lasting scheduled

maintenance tests, required by Technical Specifications, etc. which can renderthe various trains of the vital ac/dc system unavailable for protractedperiods of time. The contributions due to these scheduled maintenance/test:

activities to the total unavailability of the vital ac/dc systems is believedto be not negligible. BNL assumes that each Unit 2 ac/dc train will be

unavailable at least for ten days as a minimum between consecutive refuelingsof Unit 1 (1.5 years); therefore, the lower limit of the unavailability of the

top events BF, BG, and BH would be:

101 5 365

1.862-2

This value alone is an order of magnitude higher than the majority ofconditional split fractions (BF1 through BH2) listed in Table 2.3d.

According to BNL, the conditional split fractions associated with the topevents BF, BG, BH should be requantified and their impact to the total core

damage frequency should be reevaluated before the truncation of the non-


II

: leading sequences (i.e., for the non-reduced unavailability model of theunit).

It is not clear to the reviewers why the seismic contributions wereneglected from the Unit 2 vital ac/dc systems unavailability analysis, whilethey were considered rather important for the vital ac/dc systems of Unit 1.The subject of the unavailability analysis of Unit 2 ac/dc system was not toprovide power recovery to Unit 1 by crosstying buses, but given a loss ofoutside power, to provide power to the Unit 2 vital loads, particularly to theauxiliary saltwater system. Seismic events can potentially disrupt the powersupplies to this system.

Assuming longer equipment outages and seismic contributions to BF, BG,

and BH, it seems that new sequences (due to a coupling of seismic and non-seismic failures at Unit 1 and Unit 2) will appear and contribute to the totalcore damage frequency. This expectation is based on the similar conditionsthat arise when e.g., the swing diesel is in overhaul or the train associatedwith BF is unavailable. These types of new sequences were neatly calculatedin the PG&E's diesel generator allowed outage time study.6 A similarcalculation here would also be beneficial.

3.2.5 Instrument AC S stem

1. The unavailability analysis of the Instrument AC System assumes no common

cause failures between the instrument ac system's channels. On the otherhand, the analysis calls attention to the condition that two or moresimultaneous instrument ac channel failures, in fact even one channelfailure, result in a reactor trip, i.e., instrument ac channel failuresrepresent a potential event initiator. Indeed, the DCPRA identified by theMaster Logic Diagram (MLD) method the "Loss of Instrument AC Power" as aninitiator category;category and states

MLD-20. However, the DCPRA did not analyze this event(see Table C.1-3 of DCPRA): "a failure mode and effect

analysis shows that failure of more than one- instrument channel is a lowfrequency event and is not included as a separate initiating event." Table


C.1-4 reiterates: "plant will be tripped by loss of RCP if more than one

instrument ac channel failure occurs. Random failure of more than one

passive system is extremely low frequency event and therefore is notincluded as a separate initiating event. However, multiple failure ofinstrument channels due to external causes (e.g., earthquake and 480V

switchgear ventilation) are addressed."

In order to check whether the DCPRA's claim about the negligible occurrence

frequency of multiple instrument channel failures is valid or not, thereviewers looked at the results of a recent BHL study conducted on

inverter aging. According to this study, in the nine years from 1976 to1984 (i.e., during 720 reactor years of operation) there were 42 reactortrips that resulted from (multiple) inverter failures, i,.e , 058

trips/reactor year. From 1984 to 1986 (i.e., during 308 reactor years) 57

reactor trips occurred due to (multiple) inverter failures, i.e., 185

trips/reactor year (in both cases the majority of the trips occurred duringhigh power operation).

Each reactor trip has the potential for impacting safety because of the

additional equipment response and operator actions generally needed tobring the plant to a safe and controlled condition. In the DCPRA thereactor trip initiator, RT, and the associated event tree does not account

for events of the above type, since the RT event tree is not conditionedfor simultaneous guaranteed failure of more than one instrument ac channel.

The closest event tree involving simultaneous guaranteed failures ofinstrument ac channels is the one associated with the initiator "Loss ofOne DC Bus" with an initiator frequency; L1DC 3.32-2/year.

In order to make a rough estimate about the impact of the neglection of theloss of instrument ac power initiator from the DCPRA model to the core

damage frequency, the simplest way is to increase the value of the L1DC

initiator, e. g., by the weighted average of the above reactor tripfrequencies, i.e., 0.96 trips/reactor year. Then, the new value of the


C

0

initiator would be: L1DC - 0.96 + .0332 - .129/year and the associated

sequences would be multiplied by a factor of .129/.0332 3.89. (PG&E may

wish to perform a more accurate plant-specific Bayesian updating for the

loss of instrument ac power initiator and requantify the associated

(correctly conditional) event tree.)

As concerns reactor trips due to a single instrument channel failure it isremarked on p.3.6-4: "credit was taken for modifications made to the unitsto prevent certain types of transient events, such as reactor trip caused

by loss of certain instrumentation bus and safety injection actuation afterreactor trip or turbine trip due to overly sensitive instrumentation in the

main steam lines."

It would be very useful for PG&E to describe these'odifications and

indicate which part of the DCFSAR describes these modifications more

precisely.

2. Figure 3.1 shows the distribution of causes of inverter failures for LER

events in the 1984-1986 period (figure is also taken from Reference 7).One observes that 18% of the inverter failures were caused by personnelerror (made during unscheduled maintenance, test, etc.). Therefore, itwould seem that human error contributions should be included in the splitfractions of the instrument ac system.

3.3 Results of the Audit Calculations

In order to scrutinize the quantified values of the split fractionsthemselves, BNL performed audit calculations for each of the split fractionsassociated with each of the boundary conditions. Seismic split fractions were

not checked. The reason for the detailed audit was that these electricalsystems associated split fractions determine the support system event tree:some of the fault trees because of their simplicity, were originally "hand

calculated" in the DCPRA. In the BNL calculations the SETS code and locallygenerated PC software were used. In these audit calculations the same

,I DCPRA-08 -62- December 5, 1989

4

0

assumptions, input data, human error probabilities as well as maintenance and~ ~

t!est frequency and duration values were used as in the DCPRA.

The results obtained by the audit calculations are presented in Tables 2.3a

through 2.3d. They are denoted by "BNL" to be compared with the values givenin the DCPRA (denoted by "PG&E").

By comparing the PG&E and BNL results, one can see that there is an overallagreement between the data. The agreement is even better if one takes intoaccount that BNL used point estimates while PG&E used a Monte-Carlo approach

in the split fraction quantification.

3.4 Comments on the LOOP Initiator

concerning solar magnetic storms. This subject would not normally be a

concern in a PRA, however, the article includes a map which shows all ofCalifornia within a "high-potential" zone and includes a discussion withspecific examples that demonstrates a real threat to power grid integrity.Based upon this article, BNL believes that PG&E should evaluate whether or notthis phenomenon would have an impact on the derivation of their LOOP initiatorfrequency.

3.5 Conclusions

The BNL review identified several inconsistencies and omissions in theunavailability modelling of the Diablo Canyon electrical power systems. The

inconsistencies resulted in several questions to be discussed with PG&E. The

combined results of the omissions (e.g... the neglection of scheduledmaintenance and required test contributions to the total unavailabilities ofUnit 2 ac/dc trains; the neglection of the initiator "Loss of Instrument AC

Power" ) may result in underestimation of the expected core damage frequency ofUnit 1.

-63- December 12, 1989

-4

'ith this letter report BNL concludes its review of the system analysisportion of the DCPBA.

DCPRA-06 -64- Oacembee 5, 1989

Percent of Failures

Unknown

Person ne18

Wear6

Elec. Transient15

Overheating10

Loose Connection7

Other8

Figure 3.1. Inverter failure causes (1984-1986 LERs).


C

() ~

I

< ~ ~Q

EFERENCESr Final report on the Diablo Canyon Long-Term Seismic Program, Pacific Gas

and Electric Co., Diablo Canyon Power Plant, Docket Nos. 50-275 and 50-323,July 1988.

2. G. Bozoki, R. Fitzpatrick and M. Sabek, "A Review of System Analysis in theDCPRA: Diesel Generator and Diesel Fuel Transfer Systems," Letter Report-07/Rev.l, July 1989.

3. G. Bozoki, R. Fitzpatrick and M. Sabek, "A Review of the Diablo CanyonPower Plant Diesel Generator Allowed Outage Time Study," September 1989.

4. Units 1 and 2 Diablo Canyon Power Plant, "Final-Safety Analysis ReportUpdate," Pacific Gas and Electric Co., December 1988.

6.

7.

PG&E letters to NRC signed by J.D. Shiffer, No. DCL-88-238, October 10,1988, No. DCL-88-260, October 28, 1988, No. DCL-88-285, November 29, 1988,No. DCL-88-297, December 9, 1988, No. DCL-89-010, January 16, 1989.Diesel Generator Allowed Outage Time Study, Pacific Gas 6 Electric Company,May 1989.

W.E. Gunther, R. Lewis and M. Subudhi, "Detecting and Mitigating BatteryCharger and Inverter Aging," NUREG/CR-5051, BNL-NUREG-52108, August 1988.R.B. Worrel and D.W. Stack, "A SETS User's Manual for the Fault TreeAnalyst," Sandia National Laboratories, NUREG/CR-4075, SAND77-2051,November 1978.

9. "A Storm From the Sun," EPRI Journal, July/August 1989, pp. 14-21.

( DCPRh 08 -66- December 12, 1989

~i

r n,lP

t

II

h

Date post:	16-Oct-2021
Category:	Documents
Upload:	others
View:	3 times
Download:	0 times

Ltr Rept-08, 'Review of Sys Analysis in DCPRA:Electrical ...

Documents