ML12314A391


17877-0002-100, CR-3 Inadequate Core Cooling Mitigation System Reliability Assessment 2
ML12314A391
Person / Time
Site: Crystal River
Issue date: 05/31/2012
From: Hirt M
Curtiss-Wright Flow Control Corp, SCIENTECH
To:
Office of Nuclear Reactor Regulation
References
3F1112-02, TAC ME6527 17877-0002-100


Text

Proj. No: 17877

CR-3 ICCMS RAM
Task 2 - ICCMS 100% Design FMEA
17877-0002-100, Revision 0

CR-3 Inadequate Core Cooling Mitigation System Reliability Assessment 2

Document Number: 17877-0002-100
Scientech, Project 17877-0002
Revision 0
May 2012

Prepared By: M. B. Hirt

Reviewed By:

Reviewed By:

Task 2 - Reliability Assessment for CR-3 ICCMS

Table of Contents

1.0 INTRODUCTION
2.0 INTENDED USE OF ANALYSIS RESULTS
3.0 TECHNICAL APPROACH
4.0 APPLICABLE SCIENTECH QAM/SOPS
5.0 ASSUMPTIONS
6.0 RESULTS
7.0 CONCLUSIONS
8.0 REFERENCES
Appendix A - Complete ICCMS Block Diagram for FMEA

List of Tables

Table 7 ICCMS FMEA at 100% Design


1.0 INTRODUCTION

An extended power uprate (EPU) is being implemented for Progress Energy's Crystal River Unit 3 Nuclear Station (PLANT). As a component to the EPU, Progress Energy has initiated a project to design and install a new Inadequate Core Cooling Mitigation System (ICCMS). The ICCMS shall be utilized to perform three Loss of Coolant Accident (LOCA) mitigation actuations.

Additionally, the ICCMS shall serve as Reg. Guide 1.97 Post Accident Monitoring Instrumentation.

The three LOCA mitigation actuations are: 1) automatic tripping of the RCPs within one minute of a reactor trip with a loss of sub cooling margin (LOSCM) in the Reactor Coolant System (RCS); 2) automatic raising of the SG level control to the ISCM set point within 20 minutes of a reactor trip and LOSCM in the RCS; and 3) automatic actuation of the Fast Cooldown System (FCS), which shall actuate the Atmospheric Dump Valves (ADVs) in Fast Cooldown mode.

Actuation of the ADVs will occur within 10 minutes of a reactor trip and LOSCM, coupled with an inadequate High Pressure Injection (HPI) flow as measured by the ICCMS.

The three Reg. Guide 1.97 Accident Monitoring indications are 1) subcooling margin; 2) superheat; and 3) HPI flow margin.

The overall project includes a reliability program which includes the RAM analyses consisting of Task 1: Reliability Assessment, Task 2: Failure Modes and Effects Analysis, and Task 3: Manufacturer's Data Collection. The purpose of this report is to document the analysis performed for Task 2 at the 100% design phase.

2.0 INTENDED USE OF ANALYSIS RESULTS

A FMEA is a systematic procedure for identifying the modes of failure and for evaluating their consequences. The essential function of an FMEA is to consider each major part of the system, how it may fail (the mode of failure), and what the effect of the failure would be on the system (the failure effect).

Some purposes of a FMEA are:

1. To assist in selecting design alternatives with high reliability and high safety potential during early design phases
2. To ensure that all conceivable failure modes and their effects on the operational success of the system have been considered
3. To list potential failures and identify the magnitude of their effects
4. To develop early criteria for test planning and the design of test and checkout systems
5. To provide a basis for quantitative reliability and availability analyses
6. To provide historical documentation for future references to aid in the analysis of field failures and consideration of design changes
7. To provide input data for tradeoff studies
8. To provide a basis for establishing corrective action priorities
9. To assist in the objective evaluation of design requirements related to redundancy, failure detection systems, fail-safe characteristics, and automatic and manual override

As part of the CR-3 ICCMS Risk and Reliability effort, a FMEA was performed at two stages in the design, corresponding to the 60% design and the 100% final design, and was done following the guidance provided in ANS/IEEE Std 352-1987 [1]. The goals of the analysis are to:
  • Demonstrate that the ICCMS meets the single failure requirement.
  • Demonstrate that the ICCMS has no credible common mode failures.
  • Identify any assumptions used as a basis for meeting the single failure requirement.
  • Identify any single failure or undetectable failures.

This analysis was performed according to the guidelines established in the CR-3 ICCMS RAM Project Plan [2] and Task Plan 2 [3].

3.0 TECHNICAL APPROACH

The process used to develop a FMEA is outlined below. In this approach, modules are defined as the typical part replacement / repair level in the field. Components are assembled to create the modules. The modules are combined to constitute the system.

1. Identify the functional required performance of the system
2. Identify the system boundaries and modules
3. Identify significant failures of the modules, and their consequences
4. Display the above information in a table
5. Evaluate overall system reliability relative to the information above and identify potential problems.

The comprehensive list of modules considered for the analysis was assembled into Table 7-1 at the current 100% design.

At the 100% Assessment stage the modules that have been excluded from the FMEA, with approval of the CR-3 Engineer, are as follows, with detailed reasoning in Step 3 of this section:

  • Structures such as the cabinets and supporting materials.
  • Support systems such as AC power; however, the DC power trains and supplies have been included.
  • Passive secondary systems such as the online monitor and status light panel, as well as non-safety status light signals and event point signals.

Details of the steps in the FMEA process are defined below.

Step 1: Identify the functional required performance of the system

The system functional requirements are taken from the system design specification and the functional requirements documents. These were reviewed and the functional requirements of the ICCMS are defined as:

1. Automatic tripping of the RCPs within one minute of a reactor trip with a LOSCM
2. Automatic raising of the SG level control to the ISCM set point within 20 minutes of a reactor trip and LOSCM
3. Automatic actuation of the Fast Cooldown System, which shall actuate the ADVs in Fast Cooldown mode within 10 minutes of a reactor trip and LOSCM coupled with an inadequate HPI flow as measured by the ICCMS
4. RG 1.97 safety displays: subcooling margin, superheat, and HPI flow margin

The three safety functions are accomplished by redundant Train Trip Modules (TTMs) that operate with 2/3 logic and receive channel trip signals from three individual and isolated channels. Each of the three functions has a pair of TTMs. The overall system function is illustrated in Figure 3-1 taken from the ICCMS Functional Specification [6].

[Figure 3-1]

Step 2: Identify the system boundaries and modules

The analysis was performed at the module level. Only modules that directly impact the ability of the ICCMS to perform one or more of the required functions were considered in the FMEA. A one-channel, one-trip-train block diagram [5] was provided by the design team, and from this a complete block diagram [Appendix A] was created containing all modules for all channels and trip trains that were considered in the FMEA. This complete block diagram, hereafter referred to as "the block diagram" in this report, was used to identify system boundaries and subsystems, and is presented in Appendix A. The list of modules considered in the FMEA, as well as their inputs and outputs, is defined in Table 7-1. The modules and subsystems that were excluded, and the reasoning for exclusion, are listed below:

1. Structural elements of the cabinets housing the ICCMS modules were excluded. These were not considered for the FMEA because structural failure is outside the scope of this task, and not a part of the ICCMS core system.
2. The AC power to the cabinets was excluded from the FMEA because it is outside the system boundaries of the ICCMS; see assumption 6 in section 5 for a more detailed explanation. The DC power supplies and power monitors that are within the system boundaries were included.

3. Status lights and event points, and the modules that these signal paths consist of, were excluded from the FMEA. These are Non Safety modules, and cannot directly impact any of the three safety functions of the ICCMS. Both are used as redundant methods of failure detection; however, their failure will not disable or spuriously trip any of the three safety functions of the ICCMS, or any of its subsystems. There is one exception to this: a failure of the contact output that begins one of the status light or event point signal paths could disable all of the other contact outputs that share the same input. This will occur if the failure is a short on the input side of the contact module.

To account for this, a remark was added to each module in the FMEA where the output goes directly into a bank of contact outputs, stating that an electrical short on the input side of any of the contact outputs will disable all of the signal paths that these modules lead to, and the effect will be identical to a fail low / no signal of the module (directly preceding the contact outputs), and a list of the contact outputs was provided.

4. The online safety monitor (OLM) and the modules that it consists of were excluded from the FMEA. These are Non Safety modules, and cannot directly impact any of the three safety functions of the ICCMS. The OLM is used for failure detection; however failure of the OLM cannot disable or spuriously trip any of the three ICCMS safety functions, or any of the subsystems.

Step 3: Identify significant failures and their consequences

The impact of each failure mode was determined for each module output. The effect that each failure had on the three safety functions was then individually analyzed. The FMEA was able to be performed with limited design information because it is not primarily concerned with rate of occurrence or frequency of failure. The basic questions answered by the FMEA are as follows:

1. How can each part conceivably fail?
2. What mechanisms might produce these modes of failure?
3. What could the effects be if the failures did occur?
4. Is the failure in the safe or unsafe direction?
5. How is the failure detected?
6. What inherent provisions are provided in the design to compensate for the failure?

It should be noted that this FMEA has been performed at the Module level. Each module is composed of many components that can individually fail in multiple ways, resulting in module failure. When these component failures are viewed from the module level, the modes of failure are greatly reduced since only the effect on the module output is considered. For example: "output fails high", "output fails low", and "no output" are typical module failure modes that can be caused by any number of component failure mechanisms inside the module. As a result it is not possible to document failure mechanisms at the Module Level.

Step 4: Display the above information in a table, chart, or other format

The impacts and consequences identified in Step 3 are documented in Table 7-1.

Step 5: Evaluate overall system reliability relative to the information above and identify potential problems

The overall impacts on the system reliability were considered at the 100% design stage. This involved reviewing the impacts of the failures of each individual module on the three ICCMS safety functions and RG 1.97 displays after the FMEA had been completed for the final design stage. The results of this analysis are presented in section 6 below.

4.0 APPLICABLE SCIENTECH QAM/SOPS

SCIENTECH standards for performing all consulting services are subject to the SCIENTECH Quality Assurance Manual [4]. The Scientech Quality Assurance Manual outlines the specific procedural requirements related to the control and assurance of technical quality. It is the policy of Scientech to perform all technical work in compliance with the Scientech Corporate Quality Assurance requirements, and to perform work related to nuclear power plant safety in accordance with the requirement of Title 10 of the Code of Federal Regulations, Part 50, Appendix B. Safety-related activities of the Generation Services Division personnel are subject to the reporting requirements of the Code of Federal Regulations, Title 10, Part 21. The Scientech Quality Assurance Manual documents a systematic program to assure that all activities affecting the quality of nuclear work implement that policy.

5.0 ASSUMPTIONS

The analysis presented in this report is based on the block diagram developed for this FMEA [Appendix A]. This diagram was used to provide insights into the operational impacts of system faults and following signal paths beginning to end. The following assumptions were made when analyzing the failure modes and effects of the modules.

1. Status lights, event points, the online monitor, and structural elements of the ICCMS were not included in the FMEA analysis for reasons stated in section 3.
2. For modules that output either a high (12V) or low (0V) signal, it was assumed that they can fail in only two ways: high and low/no signal. Failing high was considered to be at 12 V, failing low/no signal was considered to be at 0 V.
3. For modules that output an analog signal over a range, for example a 2-10V signal that equates to 0-800 gpm, it was assumed that the modules can fail in one of two ways: high, and low/no signal, just as the strict 0 or 12 V modules were. In reality these modules can fail over the entire range of their calibration (2-10 V) as well as outside this range (< 2 V or > 10). Wherever these signals exist in the ICCMS, they are eventually compared with another analog signal that is either calculated or measured by the system and can have any value over the same range of voltage or current. The outcome of this comparison is used to trip certain functions of the system, such as the LOSCM signal or the LOHPIFM signal. Therefore the effect of a single failure of one of these analog signals is highly dependent on not only where in its range it has failed, but also the status of the signal that it is compared with. In order to capture all possible effects of a single failure of this nature, all possible combinations of failure with respect to the comparison signal were postulated in this analysis. For example, the different effects for a signal that has failed high and is higher than the comparison signal, and the same signal that has failed high but is lower than the comparison signal were included in the FMEA.

4. Environmental conditions were not considered in the scope of this FMEA. The system was designed to work in the temperature range of 40-120 degrees Fahrenheit, with no fan cooling to the cabinets or any individual module. Non Safety modules in the Online Monitor have fan cooling, but these are not considered in this FMEA (see section 3, step 2).
5. External inputs into the ICCMS were considered outside of the scope for this FMEA. These include AC power to each cabinet and HVAC to the room containing the ICCMS. The scope of this FMEA is to consider every possible single failure that can happen to the ICCMS at the module level, and the system boundary is at the power supplies for each channel and train, therefore the AC power to these modules was not considered. Similarly, cooling to the room containing the ICCMS is outside the system boundaries and therefore excluded from the FMEA.


6. EMI/RFI filters, identified throughout the block diagram [Appendix A] as IZ-01-FILx, IZ-02-FILx, and IZ-03-FILx, were considered individually in this FMEA. It is recommended that each of these be given a unique ID tag.
7. The Fiber Optic Transmitter and Receiver components of both the channel trip modules and train trip modules were relocated from inside these modules to the backplane. These were considered as individual modules even though they are technically an internal component to the CTM and TTM modules. For the CTM Fiber Optic Transmitters (FOT), it was assumed that the laser diode cannot fail in a lighted state because it contains no inherent energy source and would require a concurrent upstream failure in order to apply voltage to light the laser diode, while this FMEA is performed on the basis that only a single failure can occur at one time. Even if such a failure were to occur, it would be enveloped by the failure-HIGH of the corresponding CTM, which is an event listed in the FMEA.

8. This FMEA assumes no failures due to operator error or mispositioning of selector or test switches. However, the impact of the selector switch or test switch contacts mechanically failing open or closed (the same as if mispositioned by operator error) is accounted for in the FMEA in the failure effects of modules that contain selector and test switches.
9. This FMEA assumes no failures due to maintenance error in calibration or setup of instrumentation since calibration data sheets are provided.
10. This FMEA assumes no failures due to maintenance error in surveillance testing, equipment component maintenance, and mispositioning of test switches during testing since surveillance procedures are being developed.

6.0 RESULTS

Table 7-1 presents the FMEA developed for the ICCMS system at the 100% design. The impact of each failure mode for each module was evaluated for all three safety functions and the RG 1.97 displays. By considering the effects of each failure in this way, cascading failures that cause loss of partial or total system functionality were encompassed and identified within the analysis.

The Fiber Optic bridge between the Channel Trip Modules and Train Trip Modules provides isolation between single failures on the Channel side and Train side. Failures on the Channel side could only affect the Train Trip logic (turning a single or multiple Train Trip Modules into 1/2 or 2/2 modules instead of 2/3). Failures on the Train side could not affect the Channel side.
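The voting behaviour described above can be checked by brute force. The following is an added example, not part of the Scientech report: it models one safety function as three channels feeding a redundant pair of 2-out-of-3 Train Trip Modules and enumerates every single fail-high / fail-low fault. It assumes that either train alone actuates the function and that healthy channels report the true plant condition; all function and variable names are illustrative, and modules other than channels and TTMs (contact outputs, relays, filters, time delay relays) are left out.

```python
"""Single-failure enumeration for one 2-out-of-3 safety function (illustrative model)."""
from itertools import product

CHANNELS = (0, 1, 2)     # three isolated channels
TRAINS = ("A", "B")      # redundant pair of Train Trip Modules (TTMs)
MODES = ("high", "low")  # module-level failure modes, as in the FMEA


def channel_signals(healthy_trips, fault=None):
    """Trip signals seen by the TTMs; a failed channel is stuck high or low."""
    signals = list(healthy_trips)
    if fault and fault[0] == "channel":
        signals[fault[1]] = fault[2] == "high"
    return signals


def ttm_output(train, signals, fault=None):
    """2-out-of-3 vote, unless this train's TTM itself has failed."""
    if fault and fault[0] == "train" and fault[1] == train:
        return fault[2] == "high"
    return sum(signals) >= 2


def system_actuates(healthy_trips, fault=None):
    """Assumption: either train alone is enough to actuate the function."""
    signals = channel_signals(healthy_trips, fault)
    return any(ttm_output(t, signals, fault) for t in TRAINS)


def effective_logic(fault=None):
    """Voting logic left on the healthy channels, as 'needed/available'."""
    failed = {fault[1]} if fault and fault[0] == "channel" else set()
    healthy = [c for c in CHANNELS if c not in failed]
    needed = len(healthy) + 1  # sentinel: more than can ever trip
    for combo in product((False, True), repeat=len(healthy)):
        trips = [False] * len(CHANNELS)
        for c, tripped in zip(healthy, combo):
            trips[c] = tripped
        if ttm_output("A", channel_signals(trips, fault)):
            needed = min(needed, sum(combo))
    return f"{needed}/{len(healthy)}"


def classify(fault):
    """Compare behaviour with and without a real demand on the function."""
    on_demand = system_actuates((True, True, True), fault)
    no_demand = system_actuates((False, False, False), fault)
    if not on_demand:
        return "disables function"
    if no_demand:
        return "spurious actuation"
    return "tolerated"


def single_failure_table():
    """Every single channel or TTM fault, mapped to its system-level effect."""
    faults = [("channel", c, m) for c in CHANNELS for m in MODES]
    faults += [("train", t, m) for t in TRAINS for m in MODES]
    return {fault: classify(fault) for fault in faults}


if __name__ == "__main__":
    print("no fault          ->", effective_logic())
    print("channel 0 high    ->", effective_logic(("channel", 0, "high")))
    print("channel 0 low     ->", effective_logic(("channel", 0, "low")))
    for fault, effect in single_failure_table().items():
        print(fault, "->", effect)
```

In this model a stuck-high channel leaves 1/2 logic and a stuck-low channel leaves 2/2 logic, no single fault disables the function, and only a TTM failing high produces a spurious actuation.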

No single failure that would disable any or all of the three safety functions was found. Eleven single failures that would spuriously trip one or all of the safety functions were identified. These failures are listed below. No common mode failures were identified.

1. RCP Train Trip Modules: if either of these Train Trip modules fails high, then all four RCPs will be spuriously tripped. These modules have the following ID tags:
a. IZ-01-03-06
b. IZ-02-03-06
2. RCP #1 Trip Contact Output and associated Power Relay: these modules occur after the Train Trip modules in the signal path, and if either the Contact Output or Power Relay to the RCP Switchgear fails high then that RCP will be spuriously tripped. These modules have the following ID tags:
a. IZ-01-03-04A
b. IZ-02-03-04A
c. IZ-01-RLY1
d. IZ-02-RLY1
3. RCP #2 Trip modules Contact Output and associated Power Relay: these modules occur after the Train Trip modules in the signal path, and if either the Contact Output or Power Relay to the RCP Switchgear fails high then that RCP will be spuriously tripped. These modules have the following ID tags:

a. IZ-01-03-04B
b. IZ-02-03-04B
c. IZ-01-RLY2
d. IZ-02-RLY2
4. RCP #3 Trip modules Contact Output and associated Power Relay: these modules occur after the Train Trip modules in the signal path, and if either the Contact Output or Power Relay to the RCP Switchgear fails high then that RCP will be spuriously tripped. These modules have the following ID tags:

a. IZ-01-03-04C
b. IZ-02-03-04C
c. IZ-01-RLY3
d. IZ-02-RLY3
5. RCP #4 Trip modules Contact Output and associated Power Relay: these modules occur after the Train Trip modules in the signal path, and if either the Contact Output or Power Relay to the RCP Switchgear fails high then that RCP will be spuriously tripped. These modules have the following ID tags:

a. IZ-01-03-04D
b. IZ-02-03-04D
c. IZ-01-RLY4
d. IZ-02-RLY4
6. EFIC ISCM Setpoint Train Trip modules: if either of these Train Trip modules fails high, then the EFIC ISCM Setpoint function is spuriously activated. These modules have the following ID tags:
a. IZ-01-03-08
b. IZ-02-03-08
7. EFIC ISCM Setpoint Contact Outputs: these modules occur after the Train Trip module in the signal path, and if either of them fails high then the EFIC ISCM Setpoint function is spuriously activated. These modules have the following ID tags:
a. IZ-01-03-05A
b. IZ-02-03-05A
8. FCS Initiation Train Trip modules: if either of these Train Trip modules fails high, then the FCS Initiation function will spuriously activate, specifically both MSV 25 and MSV 26 will spuriously open. These modules have the following ID tags:
a. IZ-01-03-10
b. IZ-02-03-10
9. FCS Initiation (MSV 25) Contact Outputs and the associated Fiber Optic XTMR modules: if either of the Contact Outputs fails high, or if either of the FO XTMRs fails light, MSV 25 will spuriously open. These modules have the following ID tags:
a. IZ-01-03-05B
b. IZ-02-03-05B
c. IZ-01-FX1
d. IZ-02-FX1

10. FCS Initiation (MSV 26) Contact Outputs and the associated Fiber Optic XTMR modules: if either of the Contact Outputs fails high, or if either of the FO XTMRs fails light, MSV 26 will spuriously open. These modules have the following ID tags:
a. IZ-01-03-05C
b. IZ-02-03-05C
c. IZ-01-FX2
d. IZ-02-FX2
11. Actuation Train Power Supply Time Delay Relays: if either of these modules fails to provide the time delay it is designed to, all three Safety Functions may spuriously actuate, as the train actuation modules could power up before the channel trip modules, and the correct channel trip signals may not be established. These modules have the following ID tags:
a. IZ-01-TDR1
b. IZ-02-TDR1
c. IZ-01-TDR2
d. IZ-02-TDR2

7.0 CONCLUSIONS

As part of the task to determine the reliability of the Inadequate Core Cooling Mitigation System (ICCMS), a FMEA was developed for the system. The result of the FMEA yielded no single failures that would disable any of the primary Safety functions of the system, and no common mode failures of system modules.

Eleven single failures were identified that could spuriously actuate one or all of the three Safety Functions of the system; however the impact of these is minimal from the risk and reliability standpoint. These failures are listed above in Section 6.0, and can be divided into four groups.

Group A consists of failures 1 through 5 above, and are failures that cause actuation of one or all of the RCPs. Group B consists of failures 6 and 7 above, and are failures that cause spurious actuation of the EFIC ISCM Setpoint. Group C consists of failures 8 through 10 above, and are failures that cause spurious actuation of FCS Initiation. Group D consists of failure 11 above, which is a failure of the TDRs in the actuation train power supply signal path and can cause spurious actuation of all three safety functions. Discussion of these single failure groups and their acceptability based on IEEE 379-2000 [7] guidelines is below.

Group A - Single failures causing one or all RCPs to trip are considered to have acceptable safety consequences because even though one spuriously tripped RCP will likely cause a reactor trip, and all four spuriously tripping will definitely lead to a reactor trip, this worst case scenario will not lead to any core damage or radiation release. The plant will enter shutdown through the normal and controlled procedure.

Group B - Single failures causing the EFIC ISCM Setpoint to change are considered to have acceptable safety consequences because they will not result in a reactor trip, and will furthermore be immediately obvious to operators, who can then take corrective actions.

Group C - Single failures causing FCS Initiation, specifically the opening of MSVs 25 and 26, are considered to have acceptable safety consequences because they will not result in a reactor trip, and will furthermore be immediately obvious to operators, who can then take corrective actions.

Group D - Single failures causing all three Safety Functions to actuate are considered to have acceptable safety consequences because of the reasons stated above for groups A, B, and C.


8.0 REFERENCES

1. ANS/IEEE Std 352-1987 "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems," November 21, 1987.
2. "CR-3 ICCMS Project Plan," Revision 1, Scientech, October, 2011.
3. "CR-3 ICCMS Task Plan 2," Revision 0, Scientech, October, 2011.
4. "Quality Assurance Manual," Scientech, Inc., Revision 8, September 31, 2011.
5. "ICCMS BLOCK DIAGRAM, GENERAL," file named: NUS-A304DB Revision 3 ICCMS Block Diagrams.pdf, 02-21-2012.
6. "ICCMS Functional Specification", file named: NUS-A304SA Rev. 1, July 11, 2011.
7. IEEE 379-2000, "IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems," IEEE-SA Standards Board, September 21, 2000.

Table 7 ICCMS FMEA at 100% Design

CR-3 ICCMS RAM Proj. No: 17877 17877-0002-100 Task 2 - ICCMS 100% Design FMEA Page 19 of 82 S( Ill' I i~( II Revision 0 Table 7 ICCMS FMEA at 100% Design Module Name and ID Description Function Failure Effect on System Method of Failure Remarks Tag No. Mode Detection RCP Trip function Change EFIC to ISCM Initiate FCS function RG 1.97 Displays

_Setpoint function I I The modules listed below are specific to the RCP trip function RCP # 1/2/3/4 Power Train A and B RCP Trip RCP Fail Closed Spurious RCP trip (only 1 NA NA No effect on either of the Online Monitor This represents a single failure, in that Relay Trip Relays for #1/2/3/4 of the 4 RCPs) RG 1.97 displays. one of the 4 RCPs will spuriously trip.

IZ RCP #s 1-4 Status Light / Event Point This is not a single failure that would RLY1/RLY2/RLY3/RLY4 Triggered Alarms disable any of the safety functions of IZ Output: the ICCMS.

RLY1/RLY2/RLY3/RLY4 Open = norm, Periodic Testing Close = trip I Fail Open Disables ability of the NA NA No effect on either of the Online Monitor The other RCP Trip Train will perform affected train to trip the RG 1.97 displays. actuation if required.

RCP (only 1 of the 4 Status Light/ Event Point RCPs). Triggered Alarms Periodic Testing EMI/RFI Filter EMI/RFI Filters Filter the Fail Low/ Disables ability of the NA NA No effect on either of the Online Monitor The other RCP Trip Train will perform IZ-01-FILx individual RCP No Output affected train to trip the RG 1.97 displays. actuation if required.

IZ-02-FILx trip signals to RCP (only 1 of the 4 Status Light / Event Point remove EMI RCPs) Triggered Alarms Periodic Testing RCP # 1/2/3/4 Contact Module Name: Trip RCP Fail Closed Spurious RCP trip (only I NA NA No effect on either of the Online Monitor This represents a single failure, in that Output COM2500 #1/2/3/4 of the 4) RG 1.97 displays. one of the 4 RCPs will spuriously trip.

IZ-O1-03-04A, 04B, 04C, Train A/ B RCP Status Light / Event Point This is not a single failure that would 04D W's 1-4 Train Trip Triggered Alarms disable any of the safety functions of IZ-02-03-04A, 04B, 04C, Signals the ICCMS.

04D Periodic Testing Output:

OV = norm, 12V = Fail Open Disables ability of the NA NA No effect on either of the Online Monitor The other RCP Trip Train will perform trip affected train to trip the RG 1.97 displays. actuation if required.

RCP (only 1 of the 4 Status Light/ Event Point RCPs) Triggered Alarms Periodic Testing

CR-3 ICCMS RAM Proj. No: 17877 17877-0002-100 Task 2 - ICCMS 100% Design FMEA Page 20 of 82

%( li-I', I IA Li Revision 0 Module Name and ID Description Function Failure Effect on System Method of Failure Remarks Tag No. Mode Detection RCP Trip function Change EFIC to ISCM Initiate FCS function RG 1.97 Displays

_setpoint function I I RCP Train A/B Trip Module Name: Trip RCPs (all 4) IFail High Spurious RCP trip (all 4) NA NA No effect on either of the Online Monitor The Fail High scenario represents a Module TTM 2500 RG 1.97 displays. single failure, in that all 4 RCPs will IZ-01-03-06 Train A/B RCP Status Light / Event Point spuriously trip. This is not a single IZ-02-03-06 Train Trip Module Triggered Alarms failure that would disable any of the

- trips when 2 out safety functions of the ICCMS.

of 3 signals Periodic Testing (channels) trip or In the Fail Low scenario, the other RCP when module trip Trip Train will perform actuation if switch closes. required.

Output: Train Trip Module accepts three fiber 0V = norm, 12V= optic inputs and trips when 2 out of 3 of trip the signals are in their trip states, or when the module trip switch is engaged.

Once tripped, it remains tripped regardless of the status of the trip inputs. When the trip condition no longer exists, a remote reset signal or the module reset switch will clear the trip condition.

Contains train bypass switch which prevents module from tripping regardless of status of inputs. Bypass switch overrides existing trip conditions.

Fail Low / Disables ability of the NA NA No effect on either of the Online Monitor No signal affected train to trip all RG 1.97 displays. Does not trip on loss of power.

four of the RCPs Status Light / Event Point Triggered Alarms These are double-width modules.

Periodic Testing This module's output is also the input to six Contact Outputs per actuation train, 2 of which are Non Safety modules (ID tags IZ-01/02-03-12A and IZ-01/02 12B), four of which are Safety modules that lead to the RCP trip power relays (ID tags IZ-01/02-03-04A, IZ-01/02 04B, IZ-01/02-03-04C, and IZ-01/02 04D). If any of these Contact Output modules shorts on the input side, it will also short the other 5 Contact Outputs for the affected actuation train. This has the same effect as a Fail Low / No Signal failure of this module.

Train A/B RCP Trip FOR No Module Name Convert the light Fail Low / Makes the RCP Train Trip NA NA No effect on either of the Online Monitor This module was moved from inside the Backplane Train A/B RCP signal from the No Signal Module 1/2 for the RG 1.97 displays. Train Trip Module to the backplane, and Trip Fiber Optic three RCP (only one of affected ICCMS actuation Status Light / Event Point does not have a unique ID tag.

Receiver (light to Channel Trip FO the three train. Triggered Alarms voltage) Backplanes into FORs) three voltage Periodic Testing Output: signals that are 0V = norm, 12V processed by the Fail High Makes the RCP Train Trip NA NA No effect on either of the Online Monitor trip Train Trip (only one of Module 2/2 for the RG 1.97 displays.

Module the three affected ICCMS actuation Status Light / Event Point FORs) train. Triggered Alarms Periodic Testing

Ch. 1/2/3 RCP Trip FOT No Module Name Convert the Fail Dark Makes the RCP Train Trip NA NA No effect on either of the Online Monitor This module was moved from inside the Backplane Ch. 1/2/3 RCP voltage signal (only one of Module 1/2 for the RG 1.97 displays. Channel Trip Module to the backplane, Trip Fiber Optic from the RCP the two affected ICCMS actuation Status Light / Event Point and does not have a unique ID tag.

Transmitter Channel Trip FOTs) train. Triggered Alarms (voltage to light) Module into a fiber optic signal Periodic Testing Output:

light = norm, dark

= trip The modules listed below are specific to the EFIC ISCM Setpoint Function EMI/RFI Filter EMI/RFI Filters Filter the EFIC Fail Low / NA Reduces the system NA No effect on either of the Online Monitor The other EFIC ISCM Setpoint Trip Train IZ-01-FILx ISCM Setpoint No Output redundancy to 1/1 trains RG 1.97 displays. will perform actuation if required.

IZ-02-FILx trip signal to for the EFIC ISCM Status Light / Event Point remove EMI. Setpoint function Triggered Alarms Periodic Testing Train A/B EFIC ISCM Module Name: Provide the EFIC Fail Closed NA Spurious EFIC ISCM NA No effect on either of the Online Monitor This represents a single failure, in that Trip Contact Output COM2500 ISCM Setpoint Setpoint trip RG 1.97 displays. either of these components will cause a IZ-01-03-05A Train A / B EFIC trip signal Status Light / Event Point spurious trip of the EFIC ISCM Setpoint IZ-02-03-05A ISCM Trip Contact Triggered Alarms function. This is not a single failure that Output would disable any of the safety Periodic Testing functions of the ICCMS.

Output:

open = norm, Fail Open NA Reduces the system NA No effect on either of the Online Monitor The other EFIC ISCM Setpoint Trip Train close = trip redundancy to 1/1 trains RG 1.97 displays. will perform actuation if required.

for the EFIC ISCM Status Light / Event Point Setpoint function Triggered Alarms Periodic Testing

Train A/B EFIC ISCM Module Name: Trip EFIC ISCM Fail High NA Spurious EFIC ISCM NA No effect on either of the Online Monitor The Fail High scenario represents a Train Trip Module TTM 2500 Setpoint level Setpoint trip RG 1.97 displays. single failure, in that it will cause a IZ-01-03-08 Train A/B EFIC Status Light / Event Point spurious trip of the EFIC ISCM Setpoint IZ-02-03-08 ISCM Train Trip Triggered Alarms function. This is not a single failure that Module - trips would disable any of the safety when 2 out of 3 Periodic Testing functions of the ICCMS.

signals (channels) trip or when In the Fail Low scenario the other EFIC module trip ISCM Setpoint Trip Train will perform switch closes. actuation if required.

Output: Train Trip Module accepts three fiber 0V = norm, 12V= optic inputs and trips when 2 out of 3 of trip the signals are in their trip states, or when the module trip switch is engaged.

Once tripped, it remains tripped regardless of the status of the trip inputs. When the trip condition no longer exists, a remote reset signal or the module reset switch will clear the trip condition.

Contains train bypass switch which prevents module from tripping regardless of status of inputs. Bypass switch overrides existing trip conditions.

Fail Low / NA Reduces the system NA No effect on either of the Online Monitor No signal redundancy to 1/1 trains RG 1.97 displays. Does not trip on loss of power.

for the EFIC ISCM Status Light / Event Point Setpoint function Triggered Alarms This is a double-width module.

Periodic Testing This module's output is also the input to three Contact Outputs per actuation train, 2 of which are Non Safety modules (ID tags IZ-01/02-03-13A and IZ-01/02-03-13B), one of which is a Safety module, the EFIC ISCM Setpoint Train Trip signal (ID tag IZ-01/02-03-05A). If any of these Contact Output modules shorts on the input side, it will also short the other 2 Contact Outputs for the affected actuation train. This has the same effect as a Fail Low / No Signal failure of this module.

Train A/B EFIC ISCM No Module Name Convert the light Fail Low/ NA Makes the EFIC ISCM NA No effect on either of the Online Monitor This module was moved from inside the Setpoint Trip FOR Train A/B EFIC signal from the No Signal TTM 1/2 for the affected RG 1.97 displays. Train Trip Module to the backplane, and Backplane ISCM Setpoint EFIC ISCM (only one of ICCMS actuation train. Status Light / Event Point does not have a unique ID tag.

Trip Fiber Optic Setpoint Channel the three Triggered Alarms Receiver (light to Trip FO FORs voltage) Backplane into a Periodic Testing voltage signal Output: that is processed Fail High NA Makes the EFIC ISCM NA No effect on either of the Online Monitor 0V = norm, 12V = by the Train Trip (only one of TTM 2/2 for the affected RG 1.97 displays.

trip Module the three ICCMS actuation train. Status Light / Event Point FORs) Triggered Alarms Periodic Testing

Ch. 1/2/3 EFIC ISCM No Module Name Convert the Fail Dark NA Makes the EFIC ISCM NA No effect on either of the Online Monitor This module was moved from inside the Setpoint Trip FOT Ch. 1/2/3 EFIC voltage signal (only one of Setpoint TTM 1/2 for the RG 1.97 displays. Channel Trip Module to the backplane, Backplane ISCM Setpoint from the EFIC the two affected ICCMS actuation Status Light / Event Point and does not have a unique ID tag.

Trip Fiber Optic ISCM Setpoint FOTs) train. Triggered Alarms Transmitter Channel Trip (voltage to light) Module into a Periodic Testing fiber optic signal Output:

light = norm, dark

= trip Ch. 1/2/3 EFIC ISCM Module Name: Trip Ch. 1/2/3 Fail Low / NA Makes the EFIC ISCM NA No effect on either of the Online Monitor Channel Trip Module accepts three 0-12 Setpoint Trip CTM2500 EFIC ISCM No Signal Setpoint TTM 1/2 for RG 1.97 displays. V inputs, two of which trip it IZ-01-04-08 Ch. 1/2/3 EFIC Setpoint both ICCMS actuation Status Light / Event Point immediately, one of these is the IZ-02-04-08 ISCM Setpoint trains. Triggered Alarms channel critical module withdrawal IZ-03-04-08 Trip Signal signal, the second is disabled and Periodic Testing grounded. The third input trips the Output: module after a variable delay, this input 0V = norm, 12V= is LOSCM. The module trip switch also trip trips it immediately.

The trip resets automatically upon return of all trip signals to untripped states.

The module trips on loss of power.

Fail High NA Makes the EFIC ISCM NA No effect on either of the Online Monitor Module has channel bypass switch Setpoint TTM 2/2 for RG 1.97 displays. which prevents tripping regardless of both ICCMS actuation Status Light / Event Point input states. Bypass overrides existing trains. Triggered Alarms trip condition.

Periodic Testing This module's output is also the input to two Non Safety Contact Outputs per channel, ID tags IZ-01/02/03-04-05C and IZ-01/02/03-04-05D. If any of these Contact Output modules shorts on the input side, it will also short the EFIC ISCM Setpoint Channel Trip signal, which will have the same effect as a Fail Low/ No Signal of this module. The modules listed below are specific to the FCS Initiation function Fiber Optic XMTR No Module Name Send trip signal Fail Light NA NA Spurious opening of MSV No effect on either of the Online Monitor This represents a single failure, in that it IZ-01-FX1/FX2 Fiber Optic XMTR the FCS Initiation 25 or MSV 26 RG 1.97 displays. will cause the spurious opening of one IZ-02-FX1/FX2 to MSV-25 / MSV- MSV's (25 and Status Light / Event Point of the MSVs. This is not a single failure 26 (FX1 / FX2) 26) Triggered Alarms that would disable any of the safety functions of the ICCMS.

Output: Periodic Testing dark = norm, light

= trip Fail Dark NA NA Reduces the system No effect on either of the Online Monitor The other FCS Initiation Trip Train will redundancy to 1/1 trains RG 1.97 displays. perform actuation if required.

for the Initiate FCS Status Light / Event Point function Triggered Alarms Periodic Testing EMI/RFI Filter EMI/RFI Filters Filter the trip Fail Low / NA NA Reduces the system No effect on either of the Online Monitor The other EFIC ISCM Setpoint Trip Train IZ-01-FILx signal to the FCS No Output redundancy to 1/1 trains RG 1.97 displays. will perform actuation if required.

IZ-02-FILx Initiation MSV's for the Initiate FCS Status Light / Event Point (25 and 26) to function Triggered Alarms remove EMI.

Periodic Testing

Train A/B FCS Contact Module Name: Send trip signal Fail Closed NA NA Spurious opening of MSV No effect on either of the Online Monitor This represents a single failure, in that it Output COM2500 the FCS Initiation 25 or MSV 26 RG 1.97 displays. will cause the spurious opening of one IZ-01-03-05B/05C Train A/B FCS MSV's (25 and Status Light / Event Point of the MSVs. This is not a single failure IZ-02-03-05B/05C Initiation Contact 26) Triggered Alarms that would disable any of the safety Outputs to MSV's functions of the ICCMS.

25/26 Periodic Testing Output: Fail Open NA NA Reduces the system No effect on either of the Online Monitor The other EFIC ISCM Setpoint Trip Train open = norm, redundancy to 1/1 trains RG 1.97 displays. will perform actuation if required.

close = trip for the Initiate FCS Status Light / Event Point function Triggered Alarms Periodic Testing Train A/B FCS Initiation Module Name: Send FCS Fail High NA NA Spurious opening of MSV No effect on either of the Online Monitor The Fail High scenario represents a Train Trip Module TTM2500 Initiation signal 25 and MSV 26 RG 1.97 displays. single failure, in that it will cause the IZ-01-03-10 Train A/B FCS to MSV's (25 and Status Light/ Event Point spurious opening of both MSV 25 and IZ-02-03-10 Initiation Train 26) Triggered Alarms 26. This is not a single failure that would Trip Module disable any of the safety functions of Periodic Testing the ICCMS.

Output:

0V = norm, 12V= In the Fail Low scenario the other EFIC trip ISCM Setpoint Trip Train will perform actuation if required.

Train Trip Module accepts three fiber optic inputs and trips when 2 out of 3 of the signals are in their trip states, or when the module trip switch is engaged.

Once tripped, it remains tripped regardless of the status of the trip inputs. When the trip condition no longer exists, a remote reset signal or the module reset switch will clear the trip condition.

Contains train bypass switch which prevents module from tripping regardless of status of inputs. Bypass

Fail Low / NA NA Reduces the system No effect on either of the Online Monitor switch overrides existing trip conditions.

No signal redundancy to 1/1 trains RG 1.97 displays.

for the Initiate FCS Status Light / Event Point Does not trip on loss of power.

function Triggered Alarms These are double-width modules.

Periodic Testing This module's output is also the input to four Contact Outputs per actuation train, two of which are Non Safety modules (ID tags IZ-01/02-03-14A and IZ-01/02-03-14B), two of which are Safety modules that provide the MSV Open signals (ID tags IZ-01/02-03-05C, IZ-01/02-03-05C). If any of these Contact Output modules shorts on the input side, it will also short the other 3 Contact Outputs for the affected actuation train. This has the same effect as a Fail Low / No Signal failure of this module.

Train A/B FCS Initiation No Module Name Convert the light Fail Low / NA NA Makes the FCS Initiation No effect on either of the Online Monitor This module was moved from inside the FOR Backplane Train A/B FCS signal from the No Signal TTM 1/2 for the affected RG 1.97 displays. Train Trip Module to the backplane, and Initiation Fiber three FCS (only one of ICCMS actuation train Status Light / Event Point does not have a unique ID tag.

Optic Receiver Initiation the three Triggered Alarms (light to voltage) Channel Trip FO FORs)

Backplanes into a Periodic Testing Output: voltage signal 0V = trip, 12V = that is processed Fail High NA NA Makes the FCS Initiation No effect on either of the Online Monitor norm by the Train Trip (only one of TTM 2/2 for the affected RG 1.97 displays.

Module the three actuation train Status Light / Event Point FORs) Triggered Alarms Periodic Testing

Ch. 1/2/3 FCS Initiation No Module Name Convert the Fail Dark NA NA Makes the FCS Initiation No effect on either of the Online Monitor This module was moved from inside the Trip FOT Backplane Ch. 1/2/3 FCS voltage signal (only one of TTM 1/2 for the affected RG 1.97 displays. Channel Trip Module to the backplane, Initiation Trip from the FCS the two ICCMS actuation train Status Light / Event Point and does not have a unique ID tag.

Fiber Optic Initiation FOTs) Triggered Alarms Transmitter Channel Trip (voltage to light) Module into a Periodic Testing fiber optic signal Output:

light = norm, dark

= trip Ch. 1/2/3 FCS Initiation Module Name: Send Ch. 1/2/3 Fail Low / NA NA Makes the FCS Initiation No effect on either of the Online Monitor Channel Trip Module accepts three 0-12 Trip CTM2500 trip signal to FCS No Signal TTM 1/2 for both ICCMS RG 1.97 displays. V inputs, two of which trip it IZ-01-04-10 Ch. 1/2/3 FCS Initiation Train actuation trains Status Light / Event Point immediately, one of these is the IZ-02-04-10 Initiation Trip Trip Module Triggered Alarms channel critical module withdrawal IZ-03-04-10 Module signal, the second is disabled and Periodic Testing grounded. The third input trips the Output: module after a variable delay, this input 0V = trip, 12V = is LOHPIFM. The module trip switch also norm trips it immediately.

The trip resets automatically upon return of all trip signals to untripped states.

The module trips on loss of power.

Fail High NA NA Makes the FCS Initiation No effect on either of the Online Monitor Module has channel bypass switch TTM 2/2 for both ICCMS RG 1.97 displays. which prevents tripping regardless of actuation trains Status Light / Event Point input states. Bypass overrides existing Triggered Alarms trip condition.

Periodic Testing This module's output is also the input to two Non Safety Contact Outputs per channel, ID tags IZ-01/02/03-04-12C and IZ-01/02/03-04-12D. If any of these Contact Output modules shorts on the input side, it will also short the FCS Initiation Channel Trip signal, which will have the same effect as a Fail Low / No Signal of this module.

Ch.1/2/3 LOHPIFM Trip Module Name: Send Ch. 1/2/3 Fail High NA NA Makes the FCS Initiation No effect on either of the Online Monitor Alarm Module accepts an input and a IZ-01-05-14 ALM2500 LOHPIFM signal TTM 1/2 for both ICCMS RG 1.97 displays. setpoint, and when the setpoint IZ-02-05-14 Ch. 1/2/3 Loss of to FCS Initiation actuation trains Status Light / Event Point exceeds the input the module trips. The IZ-03-05-14 High Pressure Ch. Trip Module Triggered Alarms input is the measured HPIF total, and Injection Flow the setpoint is the calculated HPIF REQ.

Margin Trip Periodic Testing When the input drops below the setpoint by a small fixed hysteresis the Output: LOHPIFM comparator resets. An internal voltage signal is provided for use as a setpoint.

0V = norm, 12V=

trip Fail Low / NA NA Makes the FCS Initiation No effect on either of the Online Monitor A permissive signal starts a variable No signal TTM 2/2 for both ICCMS RG 1.97 displays. delay. If the permissive clears the delay actuation trains Status Light / Event Point timer resets. A trip requires the Triggered Alarms permissive and the comparator output.

Periodic Testing The module does not trip on loss of power

The modules listed below are specific to the RG 1.97 HPIFM Display Ch. 1/2 HPIFM Display Module Name: Provide the Fail High NA NA NA Operator sees a false Online Monitor IZ-04-FI1 HPIFM -800 to operator with a (not indication of a IZ-04-FI2 +800 gpm digital display of necessarily high/positive HPIFM. The Status Light / Event Point the HPIFM at limit) other channel HPIFM Triggered Alarms Output: No displays the correct electrical output, value. Periodic Testing provides a digital display of the HPIFM from -800 to +800 gpm Fail Low NA NA NA Operator sees a false Online Monitor (not indication of a necessarily low/negative HPIFM. The Status Light / Event Point at limit) other channel HPIFM Triggered Alarms displays the correct value. Periodic Testing Fail to NA NA NA Operator cannot see the Online Monitor function HPIFM on this display.

(no number The other channel HPIFM Status Light / Event Point is displays the correct Triggered Alarms displayed) value.

Periodic Testing EMI/RFI Filter EMI/RFI Filters Fail Low / NA NA NA Operator cannot see the Online Monitor IZ-01-FILx No signal HPIFM on this display.

IZ-02-FILx The other channel HPIFM Status Light / Event Point displays the correct Triggered Alarms value.

Periodic Testing Ch. 1/2 HPIFM Analog Module Name: Converts the Fail High NA NA NA Operator sees a false Online Monitor Output Module AOM2500 analog voltage (not indication of a IZ-01-05-09B signal for HPIFM necessarily high/positive HPIFM. The Status Light / Event Point IZ-02-05-09B Output: 4 - 20 mA to an analog at limit) other channel HPIFM Triggered Alarms

= -800 to 800 current signal displays the correct gpm value. Periodic Testing

Fail Low NA NA NA Operator sees a false Online Monitor (not indication of a necessarily low/negative HPIFM. The Status Light / Event Point at limit) / other channel HPIFM Triggered Alarms No Signal displays the correct value. Periodic Testing Ch. 1/2 HPIFM Signal Module Name: Accepts the Fail High NA NA NA Operator sees a false Online Monitor IZ-01-05-10 ALM2500 HPIFM signal as (not indication of a IZ-02-05-10 Ch. 1/2 HPIF well as the necessarily high/positive HPIFM. The Status Light/ Event Point Alarm Module LOSCM signal. at limit) other channel HPIFM Triggered Alarms The LOSCM displays the correct Output: 2-10V DC signal is a value. Periodic Testing

= -800 to 800 permissive signal gpm that enables the Fail Low NA NA NA Operator sees a false Online Monitor HPIFM signal to (not indication of a be passed to the necessarily low/negative HPIFM. The Status Light / Event Point output. at limit) / other channel HPIFM Triggered Alarms No Signal displays the correct value. Periodic Testing Ch. 1/2/3 HPIFM Module Name: Subtracts the Fail High NA NA NA Will input a falsely high Online Monitor Difference Module DIF2500 Ch. HPIF REQ signal (not value for the HPIFM into IZ-01-06-02 1/2/3 HPIFM from the Total necessarily the affected channels Status Light / Event Point IZ-02-06-02 Difference HPIF Signal and at limit) HPIFM Alarm Module. If Triggered Alarms IZ-03-06-02 Calculator Outputs the it occurs during a LOSCM difference. the operator will see a Periodic Testing Output: 2-10V DC falsely high HPIFM value

= -800 to 800 on the affected channels gpm display. If it occurs during normal operation there will be no effect. The other HPIFM display will

still be correct.

Fail Low NA NA NA Will input a falsely low Online Monitor (not value for HPIFM into the necessarily affected channels HPIFM Status Light / Event Point at limit) / Alarm Module. If it Triggered Alarms No Signal occurs during a LOSCM the operator will see a Periodic Testing falsely low HPIFM value on the affected channels display. If it occurs during normal operation there will be no effect. The other HPIFM display will still be correct.

The modules listed below are specific to the RG 1.97 SCM/SH display function SCM/SH Display Module Name: Provide the Fail High NA NA NA Operator sees a false Online Monitor IZ-04-TI1 SCM/SH -800 to operator with a (not indication of a IZ-04-TI2 +800 deg F digital display of necessarily high/positive SCM/SH. Status Light / Event Point display either the at limit) The other channel Triggered Alarms degrees of SCM SCM/SH displays the Output: no or SH. correct value. Periodic Testing electrical signal output, digital Fail Low NA NA NA Operator sees a false Online Monitor display output (not indication of a between -800 and necessarily low/negative SCM/SH. Status Light / Event Point

+800 deg F at limit) The other channel Triggered Alarms SCM/SH displays the correct value. Periodic Testing Fail to NA NA NA Operator cannot see the Online Monitor function SCM/SH on this display.

(no number The other channel Status Light / Event Point is displayed SCM/SH displays the Triggered Alarms correct value.

Periodic Testing

Incore Indicator Light Module Name: Provide the Fail to NA NA NA If the SCM(-err)(t/c) Online Monitor IZ-04-TI3 Incore Indicator operator an Function signal is selected for IZ-04-TI4 Light indication that (no light display, the operator Status Light / Event Point the Incore T/C emitted) does not know what Triggered Alarms Output: White SCM signal is signal is being displayed Indicator Light being displayed on the affected SCM/SH Periodic Testing display. If one of the other two signals is selected, there is no effect.

RTD Indicator Light Module Name: Provide the Fail to NA NA NA If the SCM(-err)(RTD) Online Monitor IZ-04-TI5 RTD Indicator operator an Function signal is selected for IZ-04-TI6 Light indication that (no light display, the operator Status Light / Event Point the Resistance emitted) does not know what Triggered Alarms Output: White Temperature signal is being displayed Indicator Light Detector (RTD) on the affected SCM/SH Periodic Testing SCM signal is display. If one of the being displayed other two signals is selected, there is no effect.

Superheat Indicator Module Name: Provide the Fail to NA NA NA If the SH(nom) signal is Online Monitor Light Superheat operator an Function selected for display, the IZ-04-TI7 Indicator Light indication that (no light operator does not know Status Light / Event Point IZ-04-TI8 the Superheat emitted) what signal is being Triggered Alarms Output: White (SH(nom)) signal displayed on the affected Indicator Light is being SCM/SH display. If one of Periodic Testing displayed the other two signals is selected, there is no effect.

EMI/RFI Filter EMI/RFI Filters Filter the Fail Low / NA NA NA If one of the filters to the Online Monitor There are 4 unique EMI/RFI filters per IZ-01-FILx SCM/SH signal No Signal indicator lights fails, then SCM/SH display channel, one for each of IZ-02-FILx that is selected that indicator light will Status Light / Event Point the indicator lights and one for the for display, as fail to function on Triggered Alarms signal being displayed.

well as the three demand, possibly indicator light resulting in the operator Periodic Testing signals not knowing which signal is being displayed. If the filter to the display itself fails, then no signal will be displayed, the other display channel will still have the correct reading.

Ch. 1/2 SCM/SH Signal Module Name: Converts the Fail High NA NA NA Operator sees a false Online Monitor Converter AOM2500 analog voltage (not indication of a IZ-01-05-09A signal for necessarily high/positive SCM/SH. Status Light / Event Point IZ-02-05-09A Output: 4 - 20 mA SCM/SH to an at limit) The other channel Triggered Alarms

= -800 to +800 analog current SCM/SH displays the deg F signal correct value. Periodic Testing Fail Low NA NA NA Operator sees a false Online Monitor (not indication of a necessarily low/negative SCM/SH. Status Light / Event Point at limit) / The other channel Triggered Alarms No Signal SCM/SH displays the correct value. Periodic Testing SCM/SH Indicator Lights Module Name: Carries the Fail Open NA NA NA If the affected Indicator Online Monitor Ch. 1/2 Contact Output COM2500 indicator light Light is selected, the IZ-01-05-08A/08B/08C signal from the operator will not know Status Light / Event Point IZ-02-05-08A/08B/08C Output: open = Display Select which signal is being Triggered Alarms off, close = on Module to the displayed actual Indicator Periodic Testing Lights

Fail Closed NA NA NA If the affected Indicator Online Monitor Light is selected, then there is no effect. If the Status Light / Event Point affected Indicator Light is Triggered Alarms not selected, or gets switched from, then the Periodic Testing operator will see two Indicator Lights on and not know which is correct.

Ch. 1/2 SCM/SH Display Module Name: Accepts the Display NA NA NA The affected channel Online Monitor In Normal - toggle between the two Select Module DSM2500 SCM(-err)(t/c), Signal Fails displays an incorrectly SCM signals on demand IZ-01-05-07 SCM/SH Display SCM(-err)(RTD), High (not high SCM or SH signal, Status Light / Event Point IZ-02-05-07 Select and SH(nom) necessarily depending on which is Triggered Alarms On Reactor Trip - switch to SCM(-

signals, one of at limit) selected. The other err)(t/c) but retain toggle function Output: There are which is selected channel SCM/SH display Periodic Testing 4 outputs, 1 that for display. It is correct. When SH(+err) goes positive, switch to goes to the also accepts the Display NA NA NA The affected channel Online Monitor SH(nom)

Display Module, SH(+err) and Rx Signal Fails displays an incorrectly the other 3 go to Trip signals Low (not low SCM or SH signal, Status Light/ Event Point When SH(+err) goes negative, switch Indicator Lights. which are used necessarily depending on which is Triggered Alarms back to one of the SCM(-ERR) signals.

for display at limit) / selected. The other Display Signal selection when No Signal channel SCM/SH display Periodic Testing Output: 2-10V DC the plant is not in i is correct.

= -800 to +800 normal operatir deg F conditions. It Incore NA NA NA If the SCM(-err)(t/c) Online Monitor also accepts a Indicator signal is not selected for Indicator Signal momentary Light Signal display, the operator Status Light / Event Point Output: open = pushbutton inpuut Fails High does not know which Triggered Alarms off, close = on that toggles indicator light is correct between the for the affected display. If Periodic Testing SCM(-err)(t/c) the SCM(-err)(t/c) signal and SCM(- is selected there is no err)(RTD) signals effect

CR-3 ICCMS RAM Proj. No: 17877 17877-0002-100 Task 2 - ICCMS 100% Design FMEA Page 37 of 82 SC(uN IFctII Revision 0 Module Name and ID Description Function Failure Effect on System Method of Failure Remarks Tag No. Mode Detection RCP Trip function Change EFICto ISCM Initiate FCS function RG 1.97 Displays I_ _ _ _etoint fun t in Incore NA NA NA If the SCM(-err)(t/c) Online Monitor Indicator signal is selected for Light Signal display, the operator Status Light / Event Point Fails Low does not know what Triggered Alarms singal is being displayed on the affected SCM/SH Periodic Testing display. If one of the other two signals is selected, there is no effect.

RTD NA NA NA If the SCM(-err)(RTD) Online Monitor Indicator signal is not selected for Light Signal display, the operator Status Light / Event Point Fails High does not know which Triggered Alarms indicator light is correct for the affected display. If Periodic Testing the SCM(-err)(RTD) signal is selected there is no effect RTD NA NA NA If the SCM(-err)(RTD) Online Monitor Indicator signal is selected for Light Signal display, the operator Status Light / Event Point Fails Low does not know what Triggered Alarms singal is being displayed on the affected SCM/SH Periodic Testing display. If one of the other two signals is selected, there is no effect.

CR-3 ICCMS RAM Proj. No: 17877 17877-0002-100 Task 2 - ICCMS 100%Design FMEA Page 38 of 82 07*XCIH\ HA Revision 0 Module Name and ID Description Function Failure Effect on System Method of Failure Remarks Tag No. Mode Detection RCP Trip function Change EFIC to ISCM Initiate FCS function RG 1.97 Displays Setpoint function Superheat NA NA NA If the SH(nom) signal is Online Monitor Indicator not selected for display, Light Signal the operator does not Status Ught / Event Point Fails High know which indicator Triggered Alarms light is correct for the affected display. If the Periodic Testing SH(nom) signal is selected there is no effect Superheat NA NA NA If the SH(nom) signal is Online Monitor Indicator selected for display, the Light Signal operator does not know Status Light / Event Point Fails Low what singal is being Triggered Alarms displayed on the affected SCM/SH display. If one of PeriodicTesting the other two signals is selected, there is no effect.

Entire DSM NA NA NA The SCM/SH display for Online Monitor Fails to the affected channel fails Function to display anything, and Status Light / Event Point none of the indicator Triggered Alarms lights work.

Periodic Testing Ch. 1/2 SCM/SH Display Module Name: Sends the toggle Fail Low / NA NA NA Causes Display Select Online Monitor Select Toggle Contact CIM2500 SCM/SH switch signal into No Signal Module to continue Input Display Select the Display displaying the previously Status Light / Event Point IZ-01-0S-06A Module Toggle Select Module selected SCM signal, Triggered Alarms IZ-O2-05-O6A Contact Input regardless of operator input into the toggle Periodic Testing switch. The SCM/SH display will still automatically toggle to the SCM(-err)(t/c) display upon Rx trip.

Module Name and ID Tag No.: EMI/RFI Filter; IZ-01-FILx, IZ-02-FILx
Description: EMI/RFI Filters
Function: Filters the SCM toggle switch signal

Failure Mode: Fail Low / No Signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: Causes Display Select Module to continue displaying the previously selected SCM signal, regardless of operator input into the toggle switch
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2 SCM Toggle Pushbutton; IZ-04-TS1, IZ-04-TS2
Description: No Module Name. Ch. 1/2 Incore/RTD Selector Pushbutton
Function: Allows the operator to switch the SCM/SH display between the T/C and RTD SCM measurements

Failure Mode: Fail to function
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: Causes Display Select Module to continue displaying the previously selected SCM signal, regardless of operator input into the toggle switch
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2/3 SCM (-ERR) T/C Difference Module; IZ-01-06-04, IZ-02-06-04, IZ-03-06-04
Description: Module Name: DIF2500 Ch. 1/2/3 SCM (-ERR) T/C Difference Module. Output: 2-10V DC = -800 to +800 deg F
Function: Subtracts the incore Temp signal from the Tsat (-err) signal and outputs the difference

Failure Mode: Fail High (not necessarily at limit)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SCM(-err)(t/c) signal will falsely be high, and if it is selected for display the operator will see a falsely high reading for the affected channel. The other channel SCM/SH display will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low (not necessarily at limit) / No Signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SCM(-err)(t/c) signal will falsely be low, and if it is selected for display the operator will see a falsely low reading for the affected channel. The other channel SCM/SH display will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2/3 SH (NOM) Difference Module; IZ-01-06-07, IZ-02-06-07, IZ-03-06-07
Description: Module Name: DIF2500 Ch. 1/2/3 SH (NOM) Difference Module. Output: 2-10V DC = -800 to +800 deg F
Function: Subtracts the Tsat (nom) signal from the Incore Temp signal and outputs the difference

Failure Mode: Fail High (not necessarily at limit)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SH(nom) signal will falsely be high, and if it is selected for display the operator will see a falsely high reading for the affected channel. The other channel SCM/SH display will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low (not necessarily at limit) / No Signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SH(nom) signal will falsely be low, and if it is selected for display the operator will see a falsely low reading for the affected channel. The other channel SCM/SH display will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2/3 SH (+ERR) Difference Module; IZ-01-06-09, IZ-02-06-09, IZ-03-06-09
Description: Module Name: DIF2500 Ch. 1/2/3 SH (+ERR) Difference Module. Output: 2-10V DC = -800 to +800 deg F
Function: Subtracts the Tsat (+err) signal from the Incore Temp signal and outputs the difference

Failure Mode: Fail High (not necessarily at limit)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SH (+ERR) signal will falsely be high, and if it is falsely positive then it will make the DSM module incorrectly display the SH(nom) signal on the SCM/SH display for the affected channel. The other SCM/SH channel will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low (not necessarily at limit) / No Signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SH (+ERR) signal will falsely be low, and if it is falsely negative then it will make the DSM module incorrectly switch the display from the SH(nom) signal to one of the SCM signals for the affected channel. The other SCM/SH channel will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2/3 SH (NOM) Difference Module; IZ-01-06-05, IZ-02-06-05
Description: Module Name: DIF2500 Ch. 1/2/3 SCM (-ERR) RTD Difference Module. Output: 2-10V DC = -800 to +800 deg F
Function: Subtracts the RTD Temp signal from the Tsat (-err) signal and outputs the difference

Failure Mode: Fail High (not necessarily at limit)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SCM(-err)(RTD) signal will falsely be high, and if it is selected for display the operator will see a falsely high reading for the affected channel. The other channel SCM/SH display will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low (not necessarily at limit) / No Signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SCM(-err)(RTD) signal will falsely be low, and if it is selected for display the operator will see a falsely low reading for the affected channel. The other channel SCM/SH display will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2/3 Tsat (nom) Signal Generator; IZ-01-06-06, IZ-02-06-06, IZ-03-06-06
Description: Module Name: GEN2500-2 Ch. 1/2/3 Tsat (nom) Signal generator. Output: 2-10V = 120-920 deg F
Function: Take in the selected RCS pressure (from IZ-01/02/03-06-12) signal and generate a new signal indicating the Nominal Saturation Temperature of the RCS

Failure Mode: Fail High (not necessarily at limit)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SH(nom) signal will falsely be low, and if it is selected for display the operator will see a falsely low reading for the affected channel. The other channel SCM/SH display will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low (not necessarily at limit) / No Signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SH(nom) signal will falsely be high, and if it is selected for display the operator will see a falsely high reading for the affected channel. The other channel SCM/SH display will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2/3 Tsat (+err) Signal Generator; IZ-01-06-08, IZ-02-06-08, IZ-03-06-08
Description: Module Name: GEN2500-2 Ch. 1/2/3 Tsat (+err) Signal generator. Output: 2-10V = 120-920 deg F
Function: Take in the selected RCS pressure (from IZ-01/02/03-06-12) signal and generate a new signal indicating the Saturation Temperature (+err) of the RCS

Failure Mode: Fail High (not necessarily at limit)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SH (+ERR) signal will falsely be low, and if it is falsely negative then it will make the DSM module incorrectly switch the display from the SH(nom) signal to one of the SCM signals for the affected channel. The other SCM/SH channel will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low (not necessarily at limit) / No Signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SH (+ERR) signal will falsely be high, and if it is falsely positive then it will make the DSM module incorrectly display the SH(nom) signal on the SCM/SH display for the affected channel. The other SCM/SH channel will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2 RTD Temp Signal Converter; IZ-01-05-11, IZ-02-05-11
Description: Module Name: AIM2500 RTD Temp Signal Converter. Output: 2-10V DC = 120-920 deg F
Function: Convert the RTD Temp signal from a current to a voltage

Failure Mode: Fail High (not necessarily at limit)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SCM(-err)(RTD) signal will falsely be low, and if it is selected for display the operator will see a falsely low reading for the affected channel. The other channel SCM/SH display will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low (not necessarily at limit) / No Signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SCM(-err)(RTD) signal will falsely be high, and if it is selected for display the operator will see a falsely high reading for the affected channel. The other channel SCM/SH display will still be correct.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: EMI/RFI Filter; IZ-01-FILx, IZ-02-FILx, IZ-03-FILx
Description: EMI/RFI Filters
Function: Filter the RTD Temp signal for EMI.

Failure Mode: Fail Low / No Signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: NA
  RG 1.97 Displays: The SCM(-err)(RTD) signal will falsely be high, and if it is selected for display the operator will see a falsely high reading for the affected channel. The other channel SCM/SH display will still be correct.

The modules listed below are used for both the FCS Initiation function as well as the RG 1.97 HPIFM Display.

Module Name and ID Tag No.: Ch. 1/2/3 HPIF Req Signal Generator; IZ-01-06-01, IZ-02-06-01, IZ-03-06-01
Description: Module Name: GEN2500-2 Ch. 1/2/3 HPIF Req Signal generator. Output: HPIF Required 2-10V = 0-800 gpm
Function: Take in the selected RCS pressure (from IZ-01/02/03-06-12) signal and generate a new signal indicating the required flow rate of HPI into the RCS which is used as the setpoint for if HPI is required.

Failure Mode: Fail High
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: If this occurs during a reactor trip then it makes the FCS Initiation TTM 1/2 for both ICCMS actuation trains. If it occurs during normal operation there is no effect.
  RG 1.97 Displays: If this occurs during a LOSCM, the HPIFM Display for the affected channel reads low and negative, between -800 and 0 gpm depending on what the total HPIF is. If it occurs during normal operation there is no effect.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Constant (anywhere in signal range)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: If total HPIF is higher than the failed reading for HPIF Req, the effect on the system will be the same as a Fail Low/No Signal for this module. If total HPIF is lower than the failed reading for HPIF Req, the effect on the system will be the same as Fail High for this module.
  RG 1.97 Displays: If total HPIF is higher than the failed reading for HPIF Req, the effect on the system will be the same as a Fail Low/No Signal for this module. If total HPIF is lower than the failed reading for HPIF Req, the effect on the system will be the same as Fail High for this module.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low / No signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: Makes the FCS Initiation TTM 2/2 for both ICCMS actuation trains. Ensures the HPIFM will be positive, so the affected channel will never trip.
  RG 1.97 Displays: If this occurs during a LOSCM, the HPIFM Display for the affected channel reads high and positive between 0 and 800 gpm depending on what the total HPIF is. If it occurs during normal operation there is no effect.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2/3 Total HPI Flow; IZ-01-07-13, IZ-02-07-13, IZ-03-07-13
Description: Module Name: SUM2500 Total HPI Flow Summer. Output: HPIF 2-10V = 0-800 gpm
Function: Sum the 4 HPI Loop flow rates and provide 1 signal corresponding to the total flow rate.
Remarks: The summation module does not have a limiter so if the inputs are above/below the 2-10V range then the output of the sum module can be outside the 2-10V range. If it is below 2V it will actually send a negative flow rate measurement.

Failure Mode: Fail High
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: Makes the FCS Initiation TTM 2/2 for both ICCMS actuation trains. The LOHPIFM signal for the affected channel can never trip because the total HPIF signal will always be higher than the HPIF REQ signal.
  RG 1.97 Displays: If this occurs during a LOSCM, the HPIFM Display for the affected channel reads high and positive between 0 and 800 gpm depending on what the total HPIF is. If it occurs during normal operation there is no effect.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Constant (anywhere in signal range)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: If total HPIF is higher than the failed reading for HPIF Req, the effect on the system will be the same as a Fail High for this module. If total HPIF is lower than the failed reading for HPIF Req, the effect on the system will be the same as Fail Low/No Signal for this module.
  RG 1.97 Displays: If total HPIF is higher than the failed reading for HPIF Req, the effect on the system will be the same as a Fail High for this module. If total HPIF is lower than the failed reading for HPIF Req, the effect on the system will be the same as Fail Low/No Signal for this module.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low / No signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: If this occurs during a reactor trip, then it makes the FCS Initiation TTM 1/2 for both ICCMS actuation trains. If it occurs during normal operation there is no effect.
  RG 1.97 Displays: If this occurs during a LOSCM, the HPIFM Display for the affected channel reads low and negative, between -800 and 0 gpm depending on what the total HPIF is. If it occurs during normal operation there is no effect.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2/3 HPI 1A/1B/1C/1 SQRAT; IZ-01-07-06/07/08/09, IZ-02-07-06/07/08/09, IZ-03-07-06/07/08/09
Description: Module Name: GEN2500-1 Ch. 1/2/3 HPI measurement signal generator for loops A/B/C/D. Output: 2-10V = 0-200 gpm
Function: Generate the individual HPI loop measurement signals of the actual flow rates, these are then summed by the Total HPI Flow module
Remarks: As indicated in the effects column, the effect of the failure of this module is highly dependent on where in its range it fails as well as the state of the HPIF REQ signal.

Failure Mode: Fail High
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: This may disable the affected FCS Initiation channel, causing the FCS Initiation TTM to become 2/2 for both ICCMS actuation trains. This will happen if the total HPIF measurement reads higher than the HPIF REQ signal. If the total HPIF measurement remains below the HPIF REQ signal then this has no effect. The HPIF REQ signal ranges from 300-660 gpm.
  RG 1.97 Displays: This will cause the total HPIF to read high, which will cause the HPIFM display to read high if it occurs during a LOSCM, and may cause it to read positive or negative incorrectly, depending on what the HPIF REQ is. If the high total HPIF is > the HPIF REQ then the HPIFM display will read high and positive. If the high total HPIF is < HPIF REQ then the HPIFM display will read high and negative. If this occurs during normal operation there is no effect
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Constant (anywhere in signal range)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: If total HPIF is higher than the failed reading for HPIF Req, the effect on the system will be the same as a Fail High for this module. If total HPIF is lower than the failed reading for HPIF Req, the effect on the system will be the same as Fail Low/No Signal for this module.
  RG 1.97 Displays: If total HPIF is higher than the failed reading for HPIF Req, the effect on the system will be the same as a Fail High for this module. If total HPIF is lower than the failed reading for HPIF Req, the effect on the system will be the same as Fail Low/No Signal for this module.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low / No signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: If this occurs during a reactor trip, then it may reduce the FCS Initiation TTM logic to 1/2 for both ICCMS actuation trains. This will occur when the fail low of the single HPIF loop measurement causes the total HPIF signal to read lower than the HPIF REQ signal, which will cause a spurious trip of the comparator (actual HPIF vs. HPIF REQ) in the LOHPIFM alarm module. If the fail low does not cause the total HPIF to read lower than the HPIF REQ then there is no effect. If this failure occurs during normal operation there is no effect.
  RG 1.97 Displays: This will cause the total HPIF to read low, which will cause the HPIFM display to read low if it occurs during a LOSCM, and it may cause it to read positive or negative incorrectly, depending on what the HPIF REQ is. If the total HPIF is < the HPIF REQ then the HPIFM display will read low and negative. If the total HPIF is > the HPIF REQ then the HPIFM display will read low and positive. If this occurs during normal operation there is no effect.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. 1/2/3 HPI siP 1A/1B/1C/D; IZ-01-07-01/02/03/04, IZ-02-07-01/02/03/04, IZ-03-07-01/02/03/04
Description: Module Name: AIM2500 Ch. 1/2/3 HPI measurement for loops A/B/C/D. Output: 2-10V = 0-160 inwc
Function: Provide the individual HPI loop measurements which are then converted to flow rates by the signal generators
Remarks: As indicated in the effects column, the effect of the failure of this module is highly dependent on where in its range it fails as well as the state of the HPIF REQ signal.

Failure Mode: Fail High
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: This may disable the affected FCS Initiation channel, causing the FCS Initiation TTM to become 2/2 for both ICCMS actuation trains. This will happen if the total HPIF measurement reads higher than the HPIF REQ signal. If the total HPIF measurement remains below the HPIF REQ signal then this has no effect. The HPIF REQ signal ranges from 300-660 gpm.
  RG 1.97 Displays: This will cause the total HPIF to read high, which will cause the HPIFM display to read high if it occurs during a LOSCM, and may cause it to read positive or negative incorrectly, depending on what the HPIF REQ is. If the high total HPIF is > the HPIF REQ then the HPIFM display will read high and positive. If the high total HPIF is < HPIF REQ then the HPIFM display will read high and negative. If this occurs during normal operation there is no effect.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Constant (anywhere in signal range)
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: If total HPIF is higher than the failed reading for HPIF Req, the effect on the system will be the same as a Fail High for this module. If total HPIF is lower than the failed reading for HPIF Req, the effect on the system will be the same as Fail Low/No Signal for this module.
  RG 1.97 Displays: If total HPIF is higher than the failed reading for HPIF Req, the effect on the system will be the same as a Fail High for this module. If total HPIF is lower than the failed reading for HPIF Req, the effect on the system will be the same as Fail Low/No Signal for this module.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low / No signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: If this occurs during a reactor trip, then it may reduce the FCS Initiation TTM logic to 1/2 for both ICCMS actuation trains. This will occur when the fail low of the single HPIF loop measurement causes the total HPIF signal to read lower than the HPIF REQ signal, which will cause a spurious trip of the comparator (actual HPIF vs. HPIF REQ) in the LOHPIFM alarm module. If the fail low does not cause the total HPIF to read lower than the HPIF REQ then there is no effect. If this failure occurs during normal operation there is no effect.
  RG 1.97 Displays: This will cause the total HPIF to read low, which will cause the HPIFM display to read low if it occurs during a LOSCM, and it may cause it to read positive or negative incorrectly, depending on what the HPIF REQ is. If the total HPIF is < the HPIF REQ then the HPIFM display will read low and negative. If the total HPIF is > the HPIF REQ then the HPIFM display will read low and positive. If this occurs during normal operation there is no effect.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: EMI/RFI Filter; IZ-01-FILx, IZ-02-FILx, IZ-03-FILx
Description: EMI/RFI Filters
Function: Filter the individual HPI flow measurement signals from each of the 4 loops
Remarks: As indicated in the effects column, the effect of the failure of this module is highly dependent on where in its range it fails as well as the state of the HPIF REQ signal. This module can fail anywhere in its 2-10 V range as well as above or below the 2-10V range. If it fails below the 2V lower limit it will actually output a negative flow rate reading. For the purpose of this FMEA, failure of this module as high, and low/no signal is only considered, and all possible relative state of these failures compared to the HPIF REQ signal are taken into account.

Failure Mode: Fail Low / No Signal
Effect on System:
  RCP Trip function: NA
  Change EFIC to ISCM Setpoint function: NA
  Initiate FCS function: If this occurs during a reactor trip, then it may reduce the FCS Initiation TTM logic to 1/2 for both ICCMS actuation trains. This will occur when the fail low of the single HPIF loop measurement causes the total HPIF signal to read lower than the HPIF REQ signal, which will cause a spurious trip of the comparator (actual HPIF vs. HPIF REQ) in the LOHPIFM alarm module. If the fail low does not cause the total HPIF to read lower than the HPIF REQ then there is no effect. If this failure occurs during normal operation there is no effect.
  RG 1.97 Displays: This will cause the total HPIF to read low, which will cause the HPIFM display to read low if it occurs during a LOSCM, and it may cause it to read positive or negative incorrectly, depending on what the HPIF REQ is. If the total HPIF is < the HPIF REQ then the HPIFM display will read low and negative. If the total HPIF is > the HPIF REQ then the HPIFM display will read low and positive. If this occurs during normal operation there is no effect.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

The modules listed below are common to all three safety functions (and no RG 1.97 displays).

Ch. 1/2/3 RCP Trip Module Name: Send the RCP Fail Low / Makes the RCP Train Trip Makes the EFIC ISCM If this occurs during a No effect on either of the Online Monitor Channel Trip Module accepts three 0-12 IZ-01-04-06 CTM2500 Trip signal to all No Signal Module 1/2 for both Setpoint Train Trip reactor trip, then it RG 1.97 displays. V inputs, two of which trip it IZ-02-04-06 Ch. 1/2/3 RCP three Safety ICCMS actuation trains. Module 1/2 for both makes the FCS Initiation Status Light / Event Point immediately, one of these is the IZ-03-04-06 Trip Signals Function ICCMS actuation trains. Train Trip Module 1/2 for Triggered Alarms channel critical module withdrawl actuation trains. both ICCMS actuation signalthe second is disabled and Output: The RCP Trip trains. If it occurs during Periodic Testing grounded. The third input trips the 0 V = trip, 12 V Safety Function normal operation then module after a variable delay, this input norm uses this directly there is no effect, is LOSCM. The module trip switch also as input Into trips it immediately.

T-M 2/3 logic.

The FCS Initiation The trip resets automatically upon and EFIC ISCM return of all trip signals to untripped Setpoint Safety states.

Functions use this as input into The module trips on loss of power.

other logic in the signal path Fail High Makes the RCP Train Trip Makes the EFIC ISCM Makes the FCS Initiation No effect on either of the Online Monitor Module has channel bypass switch before the 1TMs Module 2/2 for both Setpoint Train Trip Train Trip Module 2/2 for RG 1.97 displays. which prevents tripping regardless of ICCMS actuation trains. Module 2/2 for both both ICCMS actuation Status Light / Event Point input states. Bypass overrides existing ICCMS actuation trains, trains. Triggered Alarms trip condition.

Periodic Testing This modules output is also the input to two Non Safety Contact Outputs per channel, IDtags IZ-01/02/03-04-04C and IZ-01/02/03-04-04D. If any of these Contact Output modules shorts on the input side, it will also short the RCP Channel Trip signal, which will have the same effect as a Fail Low / No Signal of this module rrain A/B TTM Reset Module Name: Reset Train Trip Fail High Spurious reset of TTM after a trip condition has cleared. No effect on either of the Online Monitor

.ontact Input CIM2500 Module RG 1.97 displays.

Z-01-03-02A Train A/B manual Status Light / Event Point Z-02-03-02A train reset signal Triggered Alarms for all three functions Train Periodic Testing Trip Modules

Module Name and ID Tag No.; Description; Function; Failure Mode; Effect on System (RCP Trip function, Change EFIC to ISCM Setpoint function, Initiate FCS function, RG 1.97 Displays); Method of Failure Detection; Remarks

Fail Low / Fail to reset TTM on demand No effect on either of the Online Monitor Output: No signal RG 1.97 displays.

0V = norm, 12V = Status Light / Event Point reset Triggered Alarms Periodic Testing EMI/RFI Filter EMI/RFI Filters Filter the TTM Fail Low / Fail to reset TTM on demand No effect on either of the Online Monitor IZ-01-FILx reset signal and No Output RG 1.97 displays.

IZ-02-FILx remove EMI Status Light / Event Point Triggered Alarms Periodic Testing Train A/B TTM Manual No Module Name Reset Train Trip Fail Closed Spurious reset of TTM after a trip condition has cleared No effect on either of the Online Monitor Reset Train A/B Train Module RG 1.97 displays.

IZ-04-SW3 Trip Module Status Light/ Event Point IZ-04-SW4 Manual Reset for Triggered Alarms all three functions TTM's Periodic Testing Output: Fail Open Fail to reset TTM on demand No effect on either of the Online Monitor open = norm, RG 1.97 displays.

closed = reset Status Light/ Event Point Triggered Alarms Periodic Testing Contact Input Module Name: Trip Ch. 1/2/3 to Fail High Trips the affected Trips the affected If this occurs during a No effect on either of the Online Monitor IZ-01-04-14B CIM2500 all functions, channel and makes the channel and makes the reactor trip, then it trips RG 1.97 displays.

IZ-02-04-14B Ch. 1/2/3 Critical when a critical RCP Train Trip Module EFIC ISCM Setpoint Train the affected channel and Status Light/ Event Point

IZ-03-04-14B Module module is 1/2 for both ICCMS Trip Module 1/2 for both makes the FCS Initiation Triggered Alarms Withdrawal withdrawn from actuation trains ICCMS actuation trains. TTM 1/2 for both ICCMS the given actuation trains. If it Periodic Testing Output: channel occurs during normal 0V = norm, 12V = operation there is no trip effect.

Fail Low / Prevents a critical Prevents a critical Prevents a critical No effect on either of the Online Monitor No signal module withdrawal from module withdrawal from module withdrawal from RG 1.97 displays.

being detected, disabling being detected, disabling being detected, disabling Status Light / Event Point an immediate trip of the an immediate trip of the an immediate trip of the Triggered Alarms affected channel upon affected channel upon affected channel upon critical module critical module critical module Periodic Testing withdrawal withdrawal withdrawal The modules listed below are common to all three safety functions and the HPIFM RG 1.97 display.

Ch. 1/2/3 LOSCM Module Name: Compares the Fail High Makes the RCP Train Trip Makes the EFIC ISCM If this occurs during a Enables the HPIFM Online Monitor Alarm Module accepts an input and a IZ-01-05-12 ALM2500 Tsat signal with Module 1/2, both ICCMS Setpoint Train Trip reactor trip, then it display for the affected setpoint, and when the input exceeds IZ-02-05-12 Ch. 1/2/3 LOSCM Incore Temp actuation trains Module 1/2, both ICCMS makes the FCS Initiation channel. Status Light / Event Point the setpoint the module trips. The input IZ-03-05-12 Alarm Module signal. If the actuation trains TTM 1/2 for both ICCMS Triggered Alarms is the Incore Temp and the setpoint is incore temp is actuation trains, If it the Saturation Temp calculated from Output: higher, then the occurs during normal Periodic Testing RCS pressure. When the input drops 0V = norm, 12V = comparator trips operation there is no below the setpoint by a small fixed trip and waits for a effect. hysteresis the comparator resets.

confirmed Rx trip signal to trip that A permissive signal starts a variable channels LOSCM delay. If the permissive clears the delay signal. When timer resets. A trip requires the both conditions permissive and the comparator output.

are satisfied, this module sends The module does not trip on loss of the LOSCM Ch. Fail Low / Makes the RCP Train Trip Makes the EFIC ISCM Makes the FCS Initiation Disables the HPIFM Online Monitor power Trip signal into No signal Module 2/2 for both Setpoint Train Trip Train Trip Module 2/2 for display for the affected all three ICCMS actuation trains. Module 2/2 for both both ICCMS actuation channel. Status Light / Event Point This module's output is also the input to functions ICCMS actuation trains, trains. Triggered Alarms two Non Safety Contact Outputs per channel, ID Tags IZ-01/02/03-05-05A Periodic Testing and IZ-01/02/03-05-058. If any of these contacts short on their input side, they will also short the LOSCM signal for the affected channel, which has the same effect as a Fail Low / No Signal for this module.

The following modules are common to all three safety functions, as well as all RG 1.97 displays.

Ch. 1/2/3 Reactor Trip Module Name: Send Ch. 1/2/3 Fail High If this occurs during a If this occurs during a If this occurs during a If this occurs during a Online Monitor This output of this module also serves Logic RXT2500 reactor trip superheat event, then it superheat event, then it superheat event, then it superheat event, then it as input into two Contact Inputs, as well IZ-01-05-04 Ch. 1/2/3 Reactor signal makes the RCP Trip TTM makes the EFIC ISCM makes the FCS Initiation enables the HPIFM Status Light / Event Point as being the Reactor Trip signal. These IZ-02-05-04 Trip Confirm 1/2. If it occurs during TTM 1/2. If it occurs TTM 1/2. If it occurs display for the affected Triggered Alarms Contact Outputs, ID tags IZ-01/02/03-05 IZ-03-05-04 Signal normal operation there is during normal operation during normal operation channel. 05A and IZ-01/02/03-05-051, are part of no effect, there is no effect. there is no effect. Periodic Testing the signal path for an event point and Output: Rx Trip This failure will also status light, which are Non-Safety 0V = norm, 12V = cause the SCM/SH modules and excluded from this FMEA.

trip display to switch to the However if any of these Contact SCM(-err)(t/c) signal. Outputs shorts, it will also short the Reactor Trip signal for the affected Fail Low / Makes the RCP Initiation Makes the EFIC ISCM Makes the FCS Initiation Disables the HPIFM Online Monitor channel, and have the same effect as if No signal Train Trip Module 2/2 for Setpoint Train Trip Train Trip Module 2/2 for display for the affected this module (Reactor Trip Logic) has both ICCMS actuation Module 2/2 for both both ICCMS actuation channel. Status Light / Event Point failed low.

trains. ICCMS actuation trains, trains. Triggered Alarms No effect on the SCM/SH display Periodic Testing Module Name: Send individual Fail High A single failed breaker (high or low) will not cause a spurious Rx trip, and No immediate impact, Online Monitor IZ-01 CIM2500 breaker trip therefore have no immediate impact on any of the three ICCMS functions. see reasoning to the left.

01A/018/02A/028/03A Zh. 1/2/3 Trip signal into Fail Low/ However, it will impact the logic that controls Rx trip. Status Light / Event Point

/038 Breaker reactor trip logic. No signal Triggered Alarms IZ-02 VB/C1/C2/D1/D The following Alow B+C1+C2 OWAOIB/02A/028/03A z combinations C1 + C2 + D1 + D2 Periodic Testing

/031B will trip the Rx IZ-03-OS- A high B

)utput: trip logic:

O1A018/02A/02B/03A 3V = open (trip),

D1+D2

/03B 12V = close A+ B (open) 8+C1+C2

ýnorm) A 1+ 0D2 C1+ C2 + D1 + D2 B+C1+C2 Blow A+DI+D2 C1 + C2 + D1 + C1 + C2 + D1 + D2 D2 B high A C1 + C2 A +D1+D2 C1 + C2 + D1 + D2

C1 low A+B AD+ D2 C1 high A+B A 1+ 0D2 B+C2 C2 + DI+ D2 C2 low A+g A + DI+D2 C2 high A+B A1+D1+ D2 B + C1 Cl + D1 + D2 D1 low A+B B+C1+C2 Di high A+B A +D2 B + C1 + C2 C1 + C2 + D2 D2 low A+8 B+C1+C2 D2 high A+B A,+D1 8+CI+C2 C1 + 2 + D1

EMI/RFI Filter EMI/RFI Filters Filter the reactor Fail Low / See the effect on the system for the trip breakers above. The Fail Low effects No immediate impact, Online Monitor A filter precedes each trip breaker, IZ-01-FILx trip breaker No Output will be the same, but there are no Fail High effects, see reasoning above, listed above.

IZ-02-FILx signals to Status Light / Event Point IZ-03-FILx remove EMI. Triggered Alarms Periodic Testing

Tsat(-err) Signal Module Name: Provide the Fail High Makes the RCP Trip TTM Makes the EFIC ISCM Makes the FCS TTM 2/2 Disables the HPIFM Online Monitor Generator GEN2500-3 saturation 2/2 for both ICCMS Setpoint TTM 2/2 for for both ICCMS actuation display for the affected IZ-01-06-03 Ch. 1/2/3 TSAT-1 temperature to actuation trains. The both ICCMS actuation trains. The failed channel channel. Status Light / Event Point IZ-02-06-03 (TIC) the LOSCM failed channel will never trains. The failed channel will never be tripped Triggered Alarms IZ-03-06-03 Alarm Module, be tripped since will never be tripped since saturation temp This failure will also Output: T-sat calculated from saturation temp will since saturation temp will always be higher cause the SCM(-err)(t/c) Periodic Testing 2-10V = 120-920 the reactor always be higher than will always be higher than incore temp. and SCM(-err)(RTD) degrees F coolant pressure. incore temp. than incore temp. signals to read positive and high for the affected channel, and depending on the operating conditions (normal or during a Rx trip) one of these is displayed on the SCM/SH display.

Fail If T-incore is lower than the failed reading for Tsat(-err) then this failure will have the same effect as a Online Monitor Constant Fail High for this module.

(anywhere Status Light / Event Point in signal If T-incore is higher than the failed reading for Tsat(-err) then this failure will have the same effect as a Triggered Alarms range) Fail Low/No Signal for this module Periodic Testing

Fail Low / If this occurs during a If this occurs during a If this occurs during a If this occurs during a Online Monitor No signal reactor trip, then it reactor trip, then it reactor trip, then it reactor trip it will enable makes the RCP Trip TTM makes the EFIC ISCM makes the FCS Initiation the HPIFM display for the Status Light / Event Point 1/2 for both ICCMS Setpoint TTM 1/2 for TTM 1/2 for both ICCMS affected channel. If it Triggered Alarms actuation trains. If it both ICCMS actuation actuation trains. If it occurs during normal occurs during normal trains. If it occurs during occurs during normal operation there is no Periodic Testing operation there is no normal operation there is operation there is no effect on the HPIFM effect, no effect, effect, display.

This failure will also cause the SCM(-err)(t/c) and SCM(-err)(RTD) signals to read negative and low for the affected channel, and when not in superheat operating conditions one of these is displayed on the SCM/SH display.

RCS Press. Selector Module Name: Select between Fail High Makes the RCP Trip TTM Makes the EFIC ISCM Makes the FCS TTM 2/2 Disables the HPIFM Online Monitor This module accepts three analog inputs IZ-01-06-12 ALM2500 two pressure 2/2 for both ICCMS Setpoint TTM 2/2 for for both ICCMS actuation display for the affected of 2-10V signals, one from the LOW IZ-02-06-12 Ch. 1/2/3 inputs, LOW actuation trains. The both ICCMS actuation trains. The failed channel channel. Status Light / Event Point Range RCS Pressure signal (0-600 psig),

IZ-03-06-12 Pressure Select Range and WIDE failed channel will never trains. The failed channel will never be tripped Triggered Alarms one from the LOW Range RCS Pressure Module Range, and be tripped since will never be tripped since saturation temp This failure will also signal (0-2500 psig), and one from the output the saturation temp will since saturation temp will always be higher cause the SCM(-err)(t/c) Periodic Testing WIDE Range RCS Pressure Signal (0-Output: Reactor Coolant always be higher than will always be higher than incore temp. and SCM(-err)(RTD) 2500 psig). The output signal voltage of 2-10 V = 0-2500 Pressure as a incore temp. than incore temp. signals to read positive this module is 2-10V corresponding to 0-psig variable voltage and high for the affected 2500 psig.

to the Ch. 1/2/3 channel, and the HPIF REQ, Tsat(- SH(nom) and SH(+err) The RCS LOW Range Pressure signal (0-err), Tsat(nom), signals to read low and 600 psig range) is compared with a 500 and Tsat(+err) negative for the affected psig setpoint, and if the LOW Range signal generator channel. SH(+err) reading signal is above the setpoint of 500 psig modules. negative causes one of (on the 0-600 psig signal range), then the SCM signals to be the WIDE Range RCS Pressure (0-2500 displayed on the SCM/SH psig) is selected as the output for this display. module. If the LOW Range signal is below the setpoint of 500 psig (on the 0-600 psig signal range) then the LOW Fail The effect of a Fail Constant will vary depending on where in the signal range this module fails, as well as Online Monitor Range pressure (scaled 0-2500 psig) is Constant the status of other signals in the system. Because of this, the effect will be the same as either the Fail selected as the output for this module.

(anywhere High or Fail Low/No Signal of this module. It is not possible to know which without knowing where in the Status Light / Event Point in signal range it is failed, as well as other signal statuses. Triggered Alarms range)

Periodic Testing

Fail Low / If this occurs during a If this occurs during a If this occurs during a If this occurs during a Online Monitor No signal reactor trip, then it reactor trip, then it reactor trip, it makes the reactor trip it will enable makes the RCP Trip TTM makes the EFIC ISCM FCS TTM 1/2 for both the HPIFM display for the Status Light / Event Point 1/2 for both ICCMS Setpoint TTM 1/2 for ICCMS actuation trains. If affected channel and Triggered Alarms actuation trains. If it both ICCMS actuation it occurs during normal cause the display to read occurs during normal trains. If it occurs during operation there is no low or negative. If it Periodic Testing operation there is no normal operation there is effect. occurs during normal effect. no effect. operation there is no effect on the HPIFM display.

This failure will also cause the SCM(-err)(t/c) and SCM(-err)(RTD) signals to read negative and low for the affected channel, as well as the SH(nom) and SH(+err) signals to read positive and high for the affected channel. SH(+err) being positive causes the SH(nom) signal to be displayed on the SCM/SH display.

LOW Range RCS Module Name: Provide the LOW Fail High If it fails high then the WIDE Range Pressure will always be used for the If this occurs when the Online Monitor Pressure AIM2500 Range RCS affected channel, which could be ok if the WIDE Range Pressure is the correct RCS pressure is within IZ-01-06-13 Ch. 1/2/3 LOW Pressure to the pressure to use, but it could also lead to a wrong pressure signal and the LOW Range, it will Status Light / Event Point IZ-02-06-13 Range RCS Pressure Select corresponding wrong saturation temperature and HPIF REQ signals. These make the HPIFM display Triggered Alarms IZ-03-06-13 Pressure (in) Module incorrect signals would be a high sat. temp and low HPIF REQ, which could unreliable for the cause a failure to recognize LOSCM, and make the TTM's for all three functions affected channel. Periodic Testing Output: of the ICCMS system 2/2.

2-10V = 0-600 If the RCS pressure is psig within the LOW Range this will also cause the SCM(-err)(t/c) and SCM(-err)(RTD) signals to read positive and high for the affected channel, and the SH(nom) and SH(+err) signals to read negative and low for the affected channel. SH(+err) being negative causes one of the SCM signals to be displayed on the SCM/SH display. If it occurs when the RCS pressure is in the WIDE Range (>500 psig) then there is no effect on either RG 1.97 displays.

Fail The effect of a Fail Constant will vary depending on where in the signal range this module fails. Because Online Monitor Constant of this, the effect will be the same as either the Fail High or Fail Low/No Signal of this module. It is not

(anywhere possible to know which without knowing where in the range it is failed. Status Light / Event Point in signal Triggered Alarms range)

Periodic Testing Fail Low / If it fails low then the LOW Range Pressure will always be used, more If this occurs during a Online Monitor No signal specifically the lower limit of the low range pressure (0 psig), and reactor trip it will enable correspondingly a lower limit of the sat. temp. (197 F). This would trip the the HPIFM display for the Status Light / Event Point LOSCM comparator, and if it occurs during a reactor trip then the LOSCM affected channel and Triggered Alarms signal will be tripped, spuriously tripping the affected channel for the RCP Trip cause the display to read and EFIC ISCM Setpoint functions, making the TTM's for those functions 1/2. low or negative. If it Periodic Testing The lower limit of the pressure signal also causes the HPIF REQ signal to go occurs during normal high, to 658 gpm, which may trip the LOHPIFM signal during a reactor trip if operation there is no HPI flow hasn't started, or hasn't increased above 658 gpm by the time the effect on the HPIFM RCPs trip and LOHPIFM time delays have expired, making the FCS Initiation display.

function TTM 1/2 for the affected channel. If it occurs during normal operation, there is no effect for all three functions.

This failure will also cause the SCM(-err)(t/c) and SCM(-err)(RTD) signals to read negative and low for the affected channel, and the SH(nom) and SH(+err) signals to read positive and high for the affected channel. The SH(+err) signal being positive causes the SH(nom) signal to be displayed on the SCM/SH display.

EMI/RFI Filter EMI/RFI Filters Filter the LOW Fail Low / If it fails low then the LOW Range Pressure will always be used, more If this occurs during a Online Monitor IZ-01-FILx Range RCS No Output specifically the lower limit of the low range pressure (0 psig), and reactor trip it will enable IZ-02-FILx pressure signal correspondingly a lower limit of the sat. temp. (197 F). This would trip the the HPIFM display for the Status Light / Event Point IZ-03-FILx to remove EMI. LOSCM comparator, and if it occurs during a reactor trip then the LOSCM affected channel and Triggered Alarms signal will be tripped, spuriously tripping the affected channel for the RCP Trip cause the display to read and EFIC ISCM Setpoint functions, making the TTM's for those functions 1/2. low or negative. If it Periodic Testing The lower limit of the pressure signal also causes the HPIF REQ signal to go occurs during normal high, to 658 gpm, which may trip the LOHPIFM signal during a reactor trip if operation there is no HPI flow hasn't started, or hasn't increased above 658 gpm by the time the effect on the HPIFM RCPs trip and LOHPIFM time delays have expired, making the FCS Initiation display.

function TTM 1/2 for the affected channel. If it occurs during normal operation, there is no effect for all three functions.

This failure will also cause the SCM(-err)(t/c) and SCM(-err)(RTD) signals to read negative and low for the affected channel, and the SH(nom) and SH(+err) signals to read positive and high for the affected channel. The SH(+err) signal being positive causes the SH(nom) signal to be displayed on the SCM/SH display.

WIDE Range RCS Module Name: Provide the Fail High Since this FMEA is assuming only a single failure, if the failure is this module If the WIDE Range Online Monitor Pressure AIM2500 WIDE Range RCS then that ensures the LOW Range Pressure signal is correct (for the scope of pressure is selected IZ-01-06-14 Ch. 1/2/3 WIDE Pressure to the this model). The LOW Range Pressure is what determines which pressure when this module fails Status Light / Event Point IZ-02-06-14 Range RCS Pressure Select signal is used (<=500 = LOW, >500 = WIDE) so the effect of a failed WIDE then the HPIFM display Triggered Alarms IZ-03-06-14 Pressure (in) Module Range signal is highly dependent on what the RCS Pressure currently is. will be unreliable for the affected channel. Periodic Testing Output: If the WIDE Range Pressure is selected when this module fails, then a Fail High 2-10V = 0-2500 will cause the maximum Tsat signal, 669 deg F at 2500 psig, to be input into If the WIDE Range psig the temperature comparison, therefore the incore temp will most likely never pressure is selected this exceed it and the affected channel cannot trip, reducing the TTM logic for all will also cause the SCM(-

three functions to 2/2. If the LOW Range Pressure is selected, then a fail high err)(t/c) and SCM(-

will have no effect on any of the three functions of the system. err)(RTD) signals to read positive and high for the affected channel, and the SH(nom) and SH(+err) signals to read negative and low for the affected channel. SH(+err) reading negative forces one of the SCM(-err) signals to be displayed on the SCM/SH display.

If it occurs when the LOW Range pressure is selected no effect on either RG 1.97 display.

Fail If the LOW Range Pressure is selected when this module fails, then it will have no effect on any of the Online Monitor Constant three safety functions.

(anywhere Status Light / Event Point in signal If the WIDE Range Pressure is selected when this module fails, then it can have the same effect as either Triggered Alarms range) the Fail High or Fail Low/No Signal of this module, or no effect at all. Which effect, if either, it has is dependent on where in the signal range that it fails, and it is impossible to determine which effect it will Periodic Testing have without knowing this.

Fail Low / Since this FMEA is assuming only a single failure, if the failure is this module If the WIDE Range Online Monitor No signal then that ensures the LOW Range Pressure signal is correct (for the scope of pressure is selected this model). The LOW Range Pressure is what determines which pressure when this module fails Status Light / Event Point signal is used (<=500 = LOW, >500 = WIDE) so the effect of a failed WIDE then the HPIFM display Triggered Alarms Range signal is highly dependent on what the RCS Pressure currently is. will be enabled for the affected channel, and Periodic Testing If the WIDE Range Pressure is selected when this module fails, then a Fail Low cause the display to read will cause the minimum Tsat signal, 212 deg F at 0 psig, to be input into the low or negative.

temperature comparison, therefore the incore temp will almost always be higher and the comparator will likely trip, and if it occurs during a reactor trip If the WIDE Range then the LOSCM signal will be tripped, spuriously tripping the affected channel pressure is selected this for the RCP Trip and EFIC ISCM Setpoint functions, making the TTM's for those will also cause the SCM(-

functions 1/2. The lower limit of the pressure signal also causes the HPIF REQ err)(t/c) and SCM(-

signal to go high, to 658 gpm, which may trip the LOHPIFM signal during a err)(RTD) signals to read reactor trip if HPI flow hasn't started, or hasn't increased above 658 gpm by negative and low for the the time the RCPs trip and LOHPIFM time delays have expired, making the FCS affected channel, and the Initiation function TTM 1/2 for the affected channel. If it occurs during normal SH(nom) and SH(+err)

operation, there is no effect for all three functions. signals to read positive and high for the affected channel. SH(+err) reading positive forces the SH(nom) signal to be displayed on the SCM/SH display.

If the LOW Range pressure is selected then there is no effect on either RG 1.97 display.

EMI/RFI Filter EMI/RFI Filters Filter the WIDE Fail Low / Since this FMEA is assuming only a single failure, if the failure is this module If the WIDE Range Online Monitor IZ-01-FILx Range RCS No Output then that ensures the LOW Range Pressure signal is correct (for the scope of pressure is selected IZ-02-FILx Pressure signal this model). The LOW Range Pressure is what determines which pressure when this module fails Status Light / Event Point IZ-03-FILx to remove EMI. signal is used (<=500 = LOW, >500 = WIDE) so the effect of a failed WIDE then the HPIFM display Triggered Alarms Range signal is highly dependent on what the RCS Pressure currently is. will be enabled for the affected channel, and Periodic Testing If the WIDE Range Pressure is selected when this module fails, then a Fail Low cause the display to read will cause the minimum Tsat signal, 212 deg F at 0 psig, to be input into the low or negative.

temperature comparison, therefore the incore temp will almost always be higher and the comparator will likely trip, and if it occurs during a reactor trip If the WIDE Range then the LOSCM signal will be tripped, spuriously tripping the affected channel pressure is selected this for the RCP Trip and EFIC ISCM Setpoint functions, making the TTM's for those will also cause the SCM(-

functions 1/2. The lower limit of the pressure signal also causes the HPIF REQ err)(t/c) and SCM(-

signal to go high, to 658 gpm, which may trip the LOHPIFM signal during a err)(RTD) signals to read reactor trip, making the FCS Initiation function TTM 1/2 for the affected negative and low for the channel. If it occurs during normal operation, there is no effect for all three affected channel, and the functions. SH(nom) and SH(+err) signals to read positive and high for the affected

channel. SH(+err) reading positive forces the SH(nom) signal to be displayed on the SCM/SH display.

If the LOW Range pressure is selected then there is no effect on either RG 1.97 display.

HI Select Module Name: Select between 8 Fail High If this occurs during a If this occurs during a If this occurs during a If this occurs during a Online Monitor IZ-01-08-14 AUC2S00 incore reactor trip, then it reactor trip, then it reactor trip, then it reactor trip, it will enable IZ-02-08-14 Ch. 1/2/3 Temp. thermocouple makes the RCP Trip TTM makes the EFIC ISCM makes the FCS Initiation the HPIFM display for the Status Light / Event Point IZ-03-08-14 Incore temperatures 1/2 for both ICCMS Setpoint TTM 1/2 for TTM 1/2 for both ICCMS affected channel. If this Triggered Alarms (which ideally actuation trains. If it both ICCMS actuation actuation trains. If it occurs during normal Output: Tincore should be occurs during normal trains. If it occurs during occurs during normal operation there will be Periodic Testing 2-10V = 120-920 identical), and operation there is no normal operation there is operation there is no no effect on the HPIFM degrees F choose the effect. no effect. effect. display.

highest one. This is then provided This failure will also to the LOSCM cause the SCM(-err)(t/c)

Ch. Alarm signal to read low and Module. negative, and the SH(+err) and SH(nom) signals to read positive and high, causing the SH(nom) signal to be displayed on the SCM/SH display.

Fail The effect of a Fail Constant will vary depending on where in the signal range this module fails, as well as Online Monitor Constant the status of other signals in the system. Because of this, the effect will be the same as either the Fail (anywhere High or Fail Low/No Signal of this module. It is not possible to know which without knowing where in the Status Light / Event Point in signal range it is failed, as well as other signal statuses. Triggered Alarms range)

Periodic Testing

Failure Mode: Fail Low / No signal
Effect on RCP Trip function: Makes the RCP Trip TTM 2/2 for both ICCMS actuation trains. The failed channel will never be tripped since saturation temp will always be higher than incore temp.
Effect on Change EFIC to ISCM Setpoint function: Makes the EFIC ISCM Setpoint TTM 2/2 for both ICCMS actuation trains. The failed channel will never be tripped since saturation temp will always be higher than incore temp.
Effect on Initiate FCS function: Makes the FCS Initiation TTM 2/2 for both ICCMS actuation trains. The failed channel will never be tripped since saturation temp will always be higher than incore temp.
Effect on RG 1.97 Displays: This will disable the HPIFM display for the affected channel. This failure will also cause the SCM(-err)(t/c) to read high and positive, and the SH(+err) and SH(nom) signals to read negative and low. One of the two SCM signals (T/C and RTD) will be displayed on the SCM/SH display.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Ch. Incore Temp; IZ-01 01/02/03/04/05/06/07/08, IZ-02 01/02/03/04/05/06/07/08, IZ-03 01/02/03/04/05/06/07/08
Description: Module Name: AIM2500, Ch. 1/2/3 Incore Temp #1/2/3/4/5/6/7/8. Output: 2-10V = 0-2500 degrees F
Function: Provide the HI Select module with the 8 incore thermocouple temperatures

Failure Mode: Fail High
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: If this occurs during a reactor trip, then it makes all three functions TTM's 1/2. If it occurs during normal operation there is no effect.
Effect on RG 1.97 Displays: If this occurs during a reactor trip, it will enable the HPIFM display for the affected channel. If this occurs during normal operation there will be no effect on the HPIFM display. This failure will also cause the SCM(-err)(t/c) signal to read low and negative, and the SH(+err) and SH(nom) signals to read positive and high, causing the SH(nom) signal to be displayed on the SCM/SH display.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing
Remarks: Failed thermocouples have a bypass available, since they cannot be replaced at power.

Failure Mode: Fail Constant (anywhere in signal range)
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: If the failed temperature sensor fails higher than the other 7 sensors, then this could have the same effect as the Fail High of this module. For this to happen, the failed signal must be higher than the Tsat(-err) signal. If the failed temperature sensor fails lower than any of the other 7 sensors, then this will have the same effect as a Fail Low/No Signal of this module.
Effect on RG 1.97 Displays: If the failed temperature sensor fails higher than the other 7 sensors, then this could have the same effect as the Fail High of this module. This effect is dependent on the status of the three Tsat signals. If the failed temperature sensor fails lower than any of the other 7 sensors, then this will have the same effect as a Fail Low/No Signal of this module.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low / No signal
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the HI Temp selector redundancy to 1/7 temperature signals, but does not impede safety functions.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: EMI/RFI Filter; IZ-01-FILx, IZ-02-FILx, IZ-03-FILx
Description: EMI/RFI Filters
Function: Filter the individual incore temperature signals to remove EMI.

Failure Mode: Fail Low / No Output
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the HI Temp selector redundancy to 1/7 temperature signals, but does not impede safety functions.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Thermocouple Transmitter; IZ-a1-TT1/TT2/TT3/TT4/TT5/TT6/TT7/TT8
Description: No Module Name. Ch. 1/2/3 Thermocouple Transmitter #1/2/3/4/5/6/7/8. Output: 4-20 mA = 0-2500 degrees F
Function: Convert thermocouple signal to a current that goes into the incore temp. modules

Failure Mode: Fail High
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: If this occurs during a reactor trip, then it makes all three functions TTM's 1/2. If it occurs during normal operation there is no effect.
Effect on RG 1.97 Displays: If this occurs during a reactor trip, it will enable the HPIFM display for the affected channel. If this occurs during normal operation there will be no effect on the HPIFM display. This failure will also cause the SCM(-err)(t/c) signal to read low and negative, and the SH(+err) and SH(nom) signals to read positive and high, causing the SH(nom) signal to be displayed on the SCM/SH display.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing
Remarks: Failed thermocouples have a bypass available, since they cannot be replaced at power.

Failure Mode: Fail Constant (anywhere in signal range)
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: If the failed temperature sensor fails higher than the other 7 sensors, then this could have the same effect as the Fail High of this module. For this to happen, the failed signal must be higher than the Tsat(-err) signal. If the failed temperature sensor fails lower than any of the other 7 sensors, then this will have the same effect as a Fail Low/No Signal of this module.
Effect on RG 1.97 Displays: If the failed temperature sensor fails higher than the other 7 sensors, then this could have the same effect as the Fail High of this module. This effect is dependent on the status of the three Tsat signals. If the failed temperature sensor fails lower than any of the other 7 sensors, then this will have the same effect as a Fail Low/No Signal of this module.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail Low / No signal
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the HI Temp selector redundancy to 1/7 temperature signals, but does not impede safety functions.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

The following modules make up the ICCMS power supply and are common to all 3 safety functions and RG 1.97 displays.

Module Name and ID Tag No.: Ch. 1/2/3 Power Supply Monitor; IZ-01-04-01, IZ-02-04-01, IZ-03-04-01
Description: Module Name: PSM2500, Ch. 1/2/3 Power Supply Monitor. Output: +24V DC
Function: Provide power to the channel modules (inside specific channels cabinet). Accepts the two individual channel power supply trains

Failure Mode: Fail Low / No Output
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: The affected channel trips on loss of power, which makes all three functions Train Trip Modules 1/2 because the affected channel is tripped on loss of power.
Effect on RG 1.97 Displays: Disables the input signals to the affected channel's RG 1.97 displays (both HPIFM and SCM/SH). The displays themselves are powered off of external MCB sources, but the failure of the inputs will effectively disable them. This failure also disables all 8 TTs for the affected channel, disabling the corresponding 8 MCB recorder channels of RG 1.97 indication.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail High - loss of voltage regulation
Effect on System: Given that this analysis only considers a single failure, and the input to the PSM is from 24 Volt power supplies, this failure mode will have no effect on any of the trip functions, or the RG 1.97 displays. Each module has onboard voltage regulation that should compensate for the loss of regulation in the PSM, and the PSM can only fail as high as the individual power supply input is allowed to vary (-24.5 volts).
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Channel 1/2/3 Power Supply #1/#2; IZ-01-PS1/PS2, IZ-02-PS1/PS2, IZ-03-PS1/PS2
Description: No Module Name. Channel 1/2/3 Power Supply #1/#2. Output: +24V DC
Function: Convert 120V AC power to +24V DC power for channel power supply.

Failure Mode: Fail Low / No Output
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the redundancy to 1/1 channel power supplies for affected channel. No effect to the system safety functions because the second channel power supply is still operational.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays because the second channel power supply is still operational.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail High - loss of voltage regulation
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the redundancy to 1/1 channel power supplies for the affected channel. No effect to the system Safety functions because the PSM protects against overvoltage
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays because the second channel power supply is still operational.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Channel 1/2/3 2 amp fuse #1/#2; IZ-01-F1/F2, IZ-02-F1/F2, IZ-03-F1/F2
Description: No Module Name. Ch. 1/2/3 AC Power Input Fuse (2 Amp). Output: 120V AC
Function: Provide overcurrent protection to the channel power supply

Failure Mode: Spurious blow
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the redundancy to 1/1 channel power supplies for affected channel. No effect to the system safety functions because the second channel power supply is still operational.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays because the second channel power supply is still operational.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail to open (blow)
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: A failure to blow may cause damage to the PSM for the affected channel, from the conditions that caused the fuse to need to blow, however the opposite side of the PSM would continue to work with the unaffected power supply, and provide power to the affected channel. Therefore there is no effect on any of the three safety functions.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays because the second channel power supply is still operational.
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Train A/B Power Supply Monitor; IZ-01-03-01, IZ-02-03-01
Description: Module Name: PSM2500, Train A/B Power Supply Monitor. Output: +24V DC
Function: Provide power to the train modules (inside specific trains cabinet). Accepts the two individual train power supply trains

Failure Mode: Fail Low / No Output
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the overall system redundancy to 1/1 trains. Does not trip the affected train because TTM's do not trip on loss of power
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays, the modules that make up the signal paths are powered from the channel power supplies
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail High - loss of voltage regulation
Effect on System: Given that this analysis only considers a single failure, and the input to the PSM is from 24 Volt power supplies, this failure mode will have no effect on any of the trip functions, or the RG 1.97 displays. Each module has onboard voltage regulation that should compensate for the loss of regulation in the PSM, and the PSM can only fail as high as the individual power supply input is allowed to vary (-24.5 volts).
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Train A/B Power Supply #1/#2; IZ-01-PS1/PS2, IZ-02-PS1/PS2, IZ-03-PS1/PS2
Description: No Module Name. Train A/B Power Supply #1/#2. Output: +24V DC
Function: Convert 120V AC power to +24V DC power for train power supply.

Failure Mode: Fail Low / No Output
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the train power redundancy to 1/1 train power supplies for affected train. No effect to the system safety functions because the second train power supply is still operational.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays, the modules that make up the signal paths are powered from the channel power supplies
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail High - loss of voltage regulation
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the redundancy to 1/1 train power supplies for the affected train. No effect to the system Safety functions because the PSM protects against overvoltage
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays, the modules that make up the signal paths are powered from the channel power supplies
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Module Name and ID Tag No.: Train A/B Time Delay Relay #1/#2; IZ-01-TDR1/TDR2, IZ-02-TDR1/TDR2
Description: No Module Name. Train A/B Power Supply #1/#2 Time Delay Relay. Output: 120V AC
Function: Provide a 5 sec. time delay before powering up the train trip modules, after the channel trip modules.

Failure Mode: Fail on loss of power (normally in energized state)
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the train power redundancy to 1/1 train power supplies for affected train. No effect to the system safety functions because the second train power supply is still operational.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays, the modules that make up the signal paths are powered from the channel power supplies
Method of Failure Detection: Periodic Testing

Failure Mode: Fail to provide delay on restoration of power
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: May cause spurious actuation of any or all of the TTM's for all three Safety functions.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays, the modules that make up the signal paths are powered from the channel power supplies
Method of Failure Detection: Periodic Testing
Remarks: This represents a single failure, in that it may cause spurious actuation of all three safety functions of the ICCMS. This is not a single failure that would disable any of the safety functions of the ICCMS.

Module Name and ID Tag No.: Train A/B 0.5 amp fuse #1/#2; IZ-01-F3/F4, IZ-02-F3/F4
Description: No Module Name. Train A/B AC Power Input Fuse (0.5 Amp). Output: 120V AC
Function: Provide overcurrent protection to the train power supply

Failure Mode: Spurious blow
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: Reduces the train power redundancy to 1/1 train power supplies for affected train. No effect to the system safety functions because the second train power supply is still operational.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays, the modules that make up the signal paths are powered from the channel power supplies
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Failure Mode: Fail to open (blow)
Effect on RCP Trip, Change EFIC to ISCM Setpoint, and Initiate FCS functions: A failure to blow may cause damage to the PSM for the affected train, from the conditions that caused the fuse to need to blow, however the opposite side of the PSM would continue to work with the unaffected power supply, and provide power to the affected train. Therefore there is no effect on any of the three safety functions.
Effect on RG 1.97 Displays: No effect on either of the RG 1.97 displays, the modules that make up the signal paths are powered from the channel power supplies
Method of Failure Detection: Online Monitor; Status Light / Event Point Triggered Alarms; Periodic Testing

Note 1 - All module ID's start with IZ, the next two numbers signify which cabinet they are in. Cabinet 01 indicates Train A and Channel 1 modules, Cabinet 02 indicates Train B and Channel 2 module, Cabinet 03 indicates channel 3 modules, cabinet

Note 2 - Row 1 is for Multiplexer modules, row 2 is blank in cabinets 1 / 2 and is for the online monitor in cabinet 3, row 3 is for Train A / B modules in cabinets 1 / 2 and blank in cabinet 3, rows 4 through 8 are for channel 1 / 2 / 3 modules in

Note 3 - NA indicates that the module(s) are not applicable to that safety function, as they are not part of any signal train for that function.

CR-3 ICCMS RAM, Task 2 - ICCMS 100% Design FMEA, 17877-0002-60, Revision 0

Appendix A - Complete ICCMS Block Diagram for FMEA

[Block diagram sheets; the diagram content is not recoverable from the extracted text. Sheet titles: Trip Channel 1, Cabinet 1*; Trip Channel 2, Cabinet 2*; Trip Channel 3, Cabinet 3; FCS Initiation Train A, Cabinet 1*; FCS Initiation Train B, Cabinet 2*; EFIC ISCM Setpoint Train A, Cabinet 1*; EFIC ISCM Setpoint Train B, Cabinet 2*. Legend: * Shaded Modules on MCB. On the EFIC ISCM Setpoint sheets, the Train A and Train B Power Supply blocks are marked "See FCS Initiation Sheet 4".]