ML16256A316
| ML16256A316 | |
| Person / Time | |
|---|---|
| Site: | Waterford  |
| Issue date: | 08/25/2016 |
| From: | Entergy Operations |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML16256A115 | List:
|
| References | |
| W3F1-2016-0053 | |
| Download: ML16256A316 (162) | |
Text
WSES-FSAR-UNIT-37.2-1Revision 10 (10/99)7.2REACTOR PROTECTIVE SYSTEM7.
2.1DESCRIPTION
7.2.1.1System DescriptionThe Reactor Protective System (RPS) consists of sensors, calculators, logic, and other equipmentnecessary to monitor selected Nuclear Steam Supply System (NSSS) and containment conditions and to effect reliable and rapid CEA insertion (reactor trip) if any or a combination of the monitored conditions approach specified safety system settings. The system's functions are to protect the core and Reactor Coolant System (RCS) pressure boundary for defined anticipated operational occurrences (AOOs) and also to provide assistance in limiting the consequences for certain postulated accidents. Four measurement channels with electrical and physical separation are provided for each parameter used in the direct generation of trip signals, with the exception of Control Element Assembly (CEA) position. Atwo-out-of-four coincidence of like trip signals is required to generate a reactor trip signal.By passing of one channel is allowed for testing, maintenance, etc., while maintaining a two-out-of-three system. Manual reactor trip is also provided.The reactor trip signal deenergizes the control element drive mechanism (CEDM) coils, allowing all CEAsto drop into the core. Once initiated, the protective action goes to completion. Return to operation requires operator action.7.2.1.1.1Trips 7.2.1.1.1.1High Linear Power LevelThe high linear power level trip is provided to trip the reactor when indicated neutron flux power reaches apreset value. The flux signal used, is the average of the three linear subchannel flux signals originating in each nuclear instrument safety channel. The trip setpoint is nominally 108 percent of full power.Pretrip alarms are initiated below the trip value to provide audible and visible indication of approach to atrip condition.7.2.1.1.1.2High Logarithmic Power LevelThe high logarithmic power level trip is provided to trip the reactor when indicated neutron flux powerreaches a preset value. The flux signal used is the logarithmic power signal originating in each nuclear instrument safety channel. The nominal setpoint is equal to or less than 0.257 percent of rated thermal power. The trip may be manually bypassed by the operator above 10
-4 percent of rated thermal powerand is automatically reinstated when thermal power is equal to or less than the reset point of the bistable.Pretrip alarms are initiated below the trip value to provide audible and visible indication of approach to atrip condition. The trip bypass also bypasses the pretrip alarms.
WSES-FSAR-UNIT-3 7.2-2 Revision 304 (06/10) 7.2.1.1.1.3 High Local Power Density (DRN 04-1097, R14)
The high local power density trip is provided to trip the reactor w hen calculated core peak local power density reaches a preset value. The preset value is that value which w ould cause fuel centerline melting.
The calculation of the peak local power density is per formed by the core protection calculators (CPCs), which compensate the calculated peak local power density to account for the thermal capacity of the fuel.
A trip results if the compensated peak local power densit y reaches the preset value. The calculated trip assures a core peak local power density below that wh ich would result in exceeding the safety limit for peak fuel centerline temperature. The nominal trip setpoint for peak local power density is 21 kw/ft. The effects of core burnup are considered in the determinati on of the local power density trip. The trip may be manually bypassed by the operator below 10
-4 percent of rated thermal power and is automatically reinstated whenever power increases is greater than or equal to 10
-4 percent. (DRN 04-1097, R14)
Pretrip alarms are initiated below the trip value to provide audible and visible indication of approach to a trip condition.
7.2.1.1.1.4 Low Departure from Nucleate Boiling Ratio
(EC-13881, R304)
The low departure from nucleate boiling ratio (DNBR) trip is provided to trip the reactor when the calculated DNBR approaches a preset value. The calculation of DNBR is performed by the CPC based on core average power, reactor coolant pressure, reacto r inlet temperature, reactor coolant flow, and the core power distribution. The calculated DNBR set point includes allowances for sensor and processing time delays and inaccuracies. A trip is generated wi thin the CPCs before violation of a minimum DNBR of 1.26 (CE-1 correlation) in the limiting coolant c hannel in the core during defined anticipated operational occurrences. (Due to hardware limitations, the CPC algorithm will retain the CE-1 Correlation, while Technical Specifications reflect t he current critical heat flux correlation and corresponding SAFDL limit.)
The trip may be manually bypassed below 10
-4 percent of rated thermal power and is automatically reinstated whenever thermal power is greater than or equal to 10
-4 percent. This trip bypass also bypasses the pretrip alarm.
(EC-13881, R304)
The DNBR and Local Power Density trip signals are also generated by any of the following conditions:
a) CPC operating space limits are exceeded for t he hot pin axial shape index integrated one pin radial peak, maximum and minimum cold leg temperatures, and the primary pressure.
b) Opposing cold leg temperature difference exceeds its setpoint (which varies with power level).
c) Reactor power exceeds the variabl e overpower trip setpoint. The tr ip setpoint is larger than the steady state reactor power by a c onstant offset but is limited in how fast it can follow changes in reactor power. There is a ceiling for the trip set point which is available as an alternate to the High Linear Power Level Trip for events with a la rge temperature decalibration. Also, a floor setpoint is provided based on excore detector signal noise at low power.
d) The maximum hot leg temperature approaches the coolant saturation temperature.
e) The CPC system is not set in the normal operating configuration.
WSES-FSAR-UNIT-3 7.2-3 Revision 14 (12/05)f) Reactor coolant pump shaft speed drops below its setpoint value. The low DNBR trip incorporates a low pressurizer pressure floor of 1860 psia (nominally). At this pressure, a low DNBR trip will automatically occur.
Pretrip alarms are initiated above the trip value to provide audible and visible indication of approach to a trip condition. 7.2.1.1.1.5 High Pressurizer Pressure The high-pressurizer pressure trip is provided to trip the reactor when measured pressurizer pressure reaches a high preset value. The trip set point is nominally 2350 psia.
Pretrip alarms are initiated below the trip setpoint to provide audible and visible indication of approach to a trip condition. 7.2.1.1.1.6 Low Pressurizer Pressure The low pressurizer pressure trip is provided to trip the reactor when the measured pressurizer pressure falls to a low preset value. The trip setpoint is nominally 1684 psia for normal operation. At pressures below 2000 psia, this setpoint can be manually decreased to 400 psi below the existing pressurizer pressure, to a minimum value of 100 psia. This insures the capability of a trip when required during plant cooldown and depressurization. The minimum trip setpoint can be manually bypassed below pressurizer Pressure of 400 psia. During plant startup, the bypass is automatically removed when pressurizer pressure is greater than or equal to 500 psia. As pressure is increased greater than or equal to 500 psia the low pressure setpoint automatically increases, maintaining a 400 psi separation between the plant
pressure and the setpoint. Pretrip alarms are initiated above the trip setpoint to provide audible and visible indication of approach to a trip condition. 7.2.1.1.1.7 Low Steam Generator Water Level The low steam generator water level trip is provided to trip the reactor when measured steam generator water level falls to a preset value. Separate trips are provided from each steam generator. The trip setpoint is nominally set at a level above the lower instrument nozzle, which corresponds to 27.4 percent
of the distance between the lower and upper instrument nozzles. Pretrip alarms are initiated above the trip setpoint to provide audible and visible indication of approach to a trip condition. 7.2.1.1.1.8 Low Steam Generator Pressure (DRN 05-130, R14) The low steam generator pressure trip is provided to trip the reactor when the measured steam generator pressure falls to a low preset value. The trip setpoint is set at 666 psia during normal operation. At steam generator pressures below 900 psia, the operator has the capability to manually decrease the setpoint to less than 200 psi below the existing system pressure. This is used during plant cooldown.
During startup this setpoint is automatically increased and remains less than 200 psi below generator
pressure.(DRN 05-130, R14)
WSES-FSAR-UNIT-37.2-4Pretrip alarms are initiated to provide audible and visible indication of approach to a trip condition.7.2.1.1.1.9High Containment Pressure The high containment pressure trip is provided to trip the reactor when measured containment pressurereaches 17.1 psia. The trip is provided as additional design conservatism (i.e. additional means of providing a reactor trip). The high containment pressure trip setpoint is selected in conjunction with the high-high containment pressure setpoint to prevent exceeding the containment design pressure during a design basis LOCA or main steam line break accident.Pretrip alarms are initiated to provide audible and visual indication of approach to a trip condition.7.2.1.1.1.10High Steam Generator Water LevelA high steam generator water level trip is provided to trip the reactor when measured steam generatorwater level rises to a high preset value.Separate trips are provided from each steam generator. This trip setpoint is nominally set at a level whichcorresponds to 87.7 percent of the distance between the lower and upper instrument nozzles. The trip is an equipment protective trip only.Since credit is not taken for equipment protective trips in the safety analysis of the plant, they do not fallwithin the scope of IEEE 279-1971. However, in order to preserve uniformity of function and design, the high steam generator level trip function meets the design bases listed in Subsection 7.2.1.2. The high steam generator level trip is incorporated in the same manner as any other trip function (four testable, redundant channels) and meets all the requirements of IEEE 279-71.The High Steam Generator Level Trip function can be manually bypassed to prevent unnecessary planttrips during low power levels when steam generator level control is difficult. The bypass is initiated and removed manually only. The trip bypass also bypasses the pretrip alarm; however, high level annunciation is still available from the Feedwater Control System.Pretrip alarms are initiated to provide audible and visible indication of approach to a trip condition.
7.2.1.1.1.11Manual Trip A manual reactor trip is provided to permit the operator to trip the reactor. Actuation of two adjacentpushbutton switches in the main control room will cause interruption of the ac power to the CEDM power supplies. Two independent sets of trip pushbuttons are provided; either one of which will cause a reactor trip. There are also manual reactor trip switches at the reactor trip switchgear.The remote manual initiation portion of the reactor trip system is designed as an input to WSES-FSAR-UNIT-3 7.2-5 Revision 14 (12/05)the reactor trip circuit breaker switchgear. This design is consistent with the recommendations of NRC Regulatory Guide 1.62 (Oct. 1973). The amount of equipment common to both automatic and manual initiation is kept to a minimum. Once initiated, the manual trip will go to completion as required in Section
4.16 of IEEE Standard 279-1971. 7.2.1.1.1.12 Low Reactor Coolant Flow Trip (DRN 03-7, R12-B)A low reactor coolant flow trip is provided to trip the reactor when the pressure differential across the primary side of either steam generator decreases below a setpoint. A separate trip is provided for each steam generator. This function is used to provide trip for a reactor coolant pump sheared shaft event.
Refer to Figure 7.2-10. A trip is initiated when the pressure differential across the primary side of either steam generator decreases below a nominal setpoint of 19.00 psid. Pretrip alarm is not required for this
function.(DRN 03-7, R12-B)7.2.1.1.1.13 Reactor Trip On Turbine Trip (DRN 04-384, R14)A reactor trip on turbine trip is provided to trip the reactor when power is greater than 65 percent and the turbine trips. This trip is provided only to prevent a challenge to the pressurizer relief valves. It is not credited in any safety analysis. The trip function can be manually enabled or defeated at reactor powers greater than 65 percent. Below 65 percent power, the trip function is automatically bypassed. (DRN 04-384, R14)The reactor trip on turbine trip system has four testable, redundant channels with a key operated bypass switch for each channel. A pretrip alarm is not provided as it is impractical in this application. 7.2.1.1.1.14 Reactor Trip On Loss of Load A reactor trip on loss of load is provided to trip the reactor in the event of a loss of load in which the main turbine runs back, but does not trip, with the reactor power cutback system unavailable. The trip is generated from the loss of load circuitry in the steam bypass control system and is used to actuate the reactor trip from turbine trip circuitry. The loss of load trip is a non-safety two-out-of-two redundant actuation system which replaces the loss of load function in the reactor power cutback system with a loss of load trip in the reactor trip on turbine trip circuitry. The loss of load trip carries the same basic function as the reactor trip on turbine trip, i.e., it is used to prevent a challenge to the primary relief valves. The system has capability to provide selection between the loss of load reactor trip and reactor power cutback on loss of load. The selection is made via a key switch located on CP-2 and is used to provide flexibility in the system when reactor power cutback system is out of service. 7.2.1.1.2 Initiating Circuits 7.2.1.1.2.1 Process Measurements Various pressures, levels, and temperatures associated with the NSSS and the containment are continuously monitored to provide signals to the CPCs and the RPS trip bistables. All WSES-FSAR-UNIT-3 7.2-6 Revision 12 (10/02)protective parameters are measured with four independent process instrument channels. A detailed listing of the parameters measured is contained in section 7.5.
A typical protective channel, as shown on Figure 7.2-1, consists of a sensor and transmitter, instrument power supply and current loop resistors, indicating meter and/or recorder, and trip bistable/calculator inputs.
The piping, wiring, and components of each channel are physically separated from that of other like protective channels to provide independence. The output of each process parameter transmitter is a current loop. Signal isolation is provided for plant monitoring computer inputs. Each channel is powered from a
separate uninterrupted ac bus.
7.2.1.1.2.2 CEA Position MeasurementsThe position of each CEA is an input to the CPC/CEA calculator portion of the RPS. These positions are measured by means of two redundant reed switch assemblies on each CEA (Figure 7.2-2).
Each reed switch assembly consists of a series of magnetically actuated reed switches spaced at intervalsalong the CEA housing and wired with precision resistors in a voltage divider network. A magnet attached to
the CEA extension actuates the adjacent reed switches, causing voltages proportional to position to be transmitted for each assembly. The two assemblies and wiring are physically and electrically separated
from each other.As is the case for the process instrument channels above, the wiring and components of each channel arephysically and electrically separated from that of other like protective channels. Each channel is powered
from a separate vital ac bus.Each CEA is instrumented by redundant CEA reed switch position transmitters. One set of the redundant signals for all CEAs is monitored by one CEA calculator and the other set of signals by the redundant CEA
calculator.TheCEAs are arranged into control groups that are controlled as subgroups of CEAS. The subgroups aresymmetric about the core center. The subgroups are required to move together as a control group and should always indicate the same CEA group position.Each CEA calculator monitors the position of all CEAs within each control subgroup. Should a CEA deviatefrom its subgroup position, the CEA calculators will monitor the event, sound an annunciator, and transmit an appropriate deviation "penalty" factor to the CPCS. This will cause trip margins to be reduced. This
assures conservative operation of the RPS, as any credible failure of a CEA reed switch assembly will result in an immediate operator alarm and conservative RPS trip margins.(DRN 01-1104; 02-1478)
The CEA calculators display the position of each regulating and shutdown CEA to the operator in a bar chartformat on a cathode ray tube (CRT). Optical isolation is utilized at each CEA calculator output to the CRT display generator. The operator has the capability to select either CEA calculator for display.(DRN 01-1104; 02-1478)
WSES-FSAR-UNIT-37.2-7Revision 10 (10/99)The CPCs utilize 22 selected "target" CEA position reed switch signals as a measure of subgroup andgroup CEA position. The CPCs utilize single CEA deviation penalty factors from the CEA calculators to modify calculational results in a conservative manner should a deviating CEA be detected by either CEA calculator. The detailed signal paths of CEA position intelligence within the RPS are shown in Figure 7.2-
- 3. Figure 7.2-4 details the overall signal paths of all CEA position information. As shown in Figure 7.2-4, a separate CEA position system, which counts the CEA motion demand pulses for each CEA, is utilized for the plant monitoring computer functions, including the Core Operating Limit Supervisory System (COLSS) function.The plant monitoring computer drives two digital indicators for operator display of the CEA position pulsecount system. One indicator displays the position of the group selected, and one displays the position of the individual CEA selected by the operator at the reactor control panel CP-2.7.2.1.1.2.3Excore Neutron Flux MeasurementsThe excore nuclear instrumentation includes neutron detectors located around the reactor core and signalconditioning equipment located within the containment and the Reactor Auxiliary Building. Neutron flux is monitored from source levels through full power operation, and signal outputs are provided for reactor control, reactor protection, and for information display. There are eight channels of instrumentation: two are startup channels, two are control channels, and four are safety channels (see Figure 7.2-5).The four safety channels provide neutron flux information from near startup neutron flux levels to 200percent of rated power covering a single range of approximately 2 x 10
-8 to 200 percent power (10decades). Each safety channel consists of three fission chambers, a preamplifier and a signal con-ditioning drawer containing power supplies, a logarithmic amplifier (including combination counting and mean square variation techniques), linear amplifiers, test circuitry, and a rate-of-change of power circuit.
These channels feed the RPS and provide information for rate-of-change of power display, DNBR, local power density, and overpower protection. The Excore Channel required for 1OCFR50 Appendix R requirements is mounted in the remote shutdown room in a cabinet beside LCP 43. In the event of a control room/cable vault fire, the Appendix R excore drawer is connected to the safety channel D preamplifier/filter assembly for logarithmic neutron flux indication.The detector assembly provided for each safety channel consists of three identical fission chambersstacked vertically along the length of the reactor core. The use of multiple subchannel detectors in this arrangement permits the measurement of axial power shape during power operation.The fission chambers are mounted in holder assemblies which in turn are located in four dry instrumentwells (thimbles) at the primary shield. The wells are spaced around the reactor vessel to provide optimum neutron flux information.Preamplifiers for safety channels A&B fission chambers are mounted outside the primary shield wall.Regulatory Guide 1.97 Safety Channels (C&D) preamplifiers are located in the Reactor Containment Building wing area.
WSES-FSAR-UNIT-3 7.2-8 Revision 14 (12/05)Physical and electrical separation of the preamplifiers and cabling between channels is provided. The excore neutron flux monitoring safety channels are designed, manufactured, tested, and installed to the identical design, quality assurance and tasting criteria as the remainder of the signal generating and
processing equipment for the signals utilized by the RPS. 7.2.1.1.2.4 Reactor Coolant Flow Measurements (DRN 00-531, R11-A)The speed of each reactor coolant pump motor is measured to provide a basis for calculation of reactor coolant flow through each pump. Two metal discs each with 44 uniformly spaced slots about its periphery are scanned by two proximity devices. The metal discs are attached to the pump motor shaft, one to the upper portion and one to the lower portion. Each scanning device produces a voltage pulse
signal, the frequency of which is proportional to pump speed. (DRN 00-531, R11-A)These signals are transmitted to the CPCs which compute the flowrate. Adequate separation between probes is provided. The reactor coolant pump speed measurements are calibrated based on the average time between successive pulses at a given value of pump speed. (DRN 03-2061, R14)
The volumetric flowrates calculated for each pump are summed to give a vessel flow. The vessel flow is corrected for core bypass and density and the result is the core mass flowrate. At design, full-power conditions the sensitivity of reactor coolant density to changes in reactor coolant inlet temperature and
RCS pressure is typically -0.06935 lb m/ft 3 - F and 0.0006689 lb/ft 3 - psi, respectively. At any given reactor coolant volumetric flowrate, the percentage change in mass flowrate is equal to the percentage change in density from a given base density. Thus, for a design full power reactor coolant density, the above sensitivities are equivalent to a decrease of 0.15 percent in mass flowrate per degree increase in inlet temperature, and an increase of 0.0015 percent in mass flowrate per psi increase in primary coolant system pressure. The above sensitivities are used with the design, full-power mass flowrate in a manner that assures conservative calculated mass flowrate relative to the actual mass flowrate. (DRN 03-2061, R14)The reactor coolant pump speed measurement system is designed, manufactured, tested, and installed to the identical design, quality assurance, and testing criteria as the remainder of the signal generation
and processing equipment for signals utilized by the RPS. 7.2.1.1.2.5 Core Protection Calculators Four independent CPCs are provided, one in each protection channel. Calculation of DNBR and local power density is performed in each CPC, utilizing the input signals described below. The DNBR and local power density so calculated are compared with trip setpoints for initiation of a low DNBR trip (Subsection 7.2.1.1.1.4) and the high local power density trip (Subsection 7.2.1.1.1.3). Two independent CEA calculators are provided as part of the CPC system to calculate individual CEA deviations from the position of the other CEAs in their subgroup. As shown in Figure 7.2-6, each CPC receives the following inputs: core inlet and outlet temperature, pressurizer pressure, reactor coolant pump speed, excore nuclear WSES-FSAR-UNIT-37.2-9 instrumentation flux power (each subchannel from the safety channel), selected CEA positions, and CEAdeviation penalty factors from the CEA calculators. Input signals are conditioned and processed. The following calculations are performed in that CPC or the CEA calculators:a)CEA deviations and corresponding penalty factors:1)Single CEA deviation in a subgroup calculated by CEA calculators 2)Subgroup deviations in a group calculated by CPCs 3)Groups out of sequence calculated by CPCsb)Correction of excore flux power for shape annealing and CEA shadowingc)Normalized reactor coolant flowrate from reactor coolant pump speedd)Core average power from reactor coolant temperature and flow informatione)Core average power from corrected excore flux power signalsf)Axial power distribution from the corrected excore flux power signals g)Fuel rod and coolant channel planar radial peaking factors, selection of predetermined coefficientsbased on CEA positionsh)DNBR i)Comparison of DNBR with a fixed trip setpoint j)Local power density compensated for thermal capacity of fuel k)Comparison of compensated local power density to fixed local power density setpointl)CEA deviation alarm (CEA calculator)Outputs of each CPC are:a)DNBR trip and pretripb)DNBR margin (to control board indication)c)Local power density trip and pretripd)Local power density margin (to control board indication)e)Calibrated neutron flux power (to control board indication)
WSES-FSAR-UNIT-37.2-10Revision 8 (5/96)f)CEA withdrawal prohibit on DNBR or local power density pretrip or CEA misoperation.g)Hot pin axial shape index (to control board indication)
Each calculator is mounted in the auxiliary protective cabinet with an operator's display and control modulelocated on the main control board. From the four modules an operator can monitor all calculators, including specific inputs or calculated functions. The operators module for channels B and C are able to access the CEA calculators in those channels.The system utilizes data links from the CEA calculators and the CPCs to the Plant Monitoring Computer.Each link is electrically isolated from the others and functions independently of the others. The Plant Monitoring Computer provides a backup monitoring capability in addition to the plant operating personnel by providing periodic comparisons of sensor channel inputs and checking of calculated results of the Core Protection Calculators.Failure of the Plant Monitoring Computer will in no way affect the operation of the-Core ProtectionCalculators. All data and control lines for each data link are optically isolated to assure that no failures at the Plant Monitoring Computer will affect the Core Protection Calculators or the CEA Calculators. These optically isolated data links are designed such that open circuits, short circuits, or the application of the highest credible potential to the isolator output will not affect performing its intended function. Further, all data transfers are initiated by the Core Protection Calculators and data lines allow only one way data transfer from the Core Protection Calculators to the Plant Montoring Computer.Data transmission is controlled by the CPC Central Processing Unit and the resident programs in memoryonly and is in no way dependent upon the status of the plant monitoring computer.The optical link allows unidirectional data transmission to the plant monitoring computer. This feature,combined with the inherent isolation of the optical link, prevents the plant monitoring computer fromaffecting calculator operation.No credit is taken for the operation of the Plant Monitoring Computer in determining the reliability of theCore Protection Calculators or in determination of the required interval for periodic testing.7.2.1.1.2.6Trip GenerationExcept for the CPCs, and reactor trip on turbine trip, signals from the trip parameter processmeasurement loops are sent to voltage comparator circuits (bistables) where the input signals are compared to setpoint trip values. Whenever a channel trip parameter reaches the trip value, the channelbistable deenergizes the bistable output. The bistable output relay deenergizes trip relays. Outputs of the trip relays are in the trip logic (refer to subsection 7.2.1.1.3).The trip bistable setpoints are adjustable from the PPS cabinet. Access is limited, however, by means ofa key-operated cover and administratively controlled by Technical Specifications. In addition, each PPSdoor (front and rear) is provided with a key lock.
WSES-FSAR-UNIT-37.2-11If any door is opened, an annunciator will indicate cabinet access. All bistable setpoints are capable ofbeing read out on a meter located on the PPS cabinet.Pretrip bistables and relays are also provided.
The reactor trip on turbine trip is generated externally of the PPS cabinets from a two-out-of-three relaylogic in the turbine trip circuitry. The two-out-of-three turbine trip generates a trip input on all four PPSchannels. The PPS cabinet retains its two-out-of-four redundancy. Being non-safety related, this trip differs from others in that the input signals from the turbine circuitry energize to actuate the trip logic in the PPS. The PPS logic, however, retains its deenergize-to-trip function as described in subsection 7.2.1.1.3.7.2.1.1.3LogicTripping of a bistable (or trip contact opening in the case of a calculated trip) results in a channel trip whichis characterized by the deenergization of three bistable trip relays.Contacts from the bistable relays of the same parameter in the four protective channels are arranged intosix logic ANDs, designated AB, AC, AD, BC, BD, and CD, which represent all possible two-out-of-four combinations. To form an AND circuit, the bistable trip relay contacts of two like protective measurement channels are connected in parallel (e.g., one from A and one from B). This process is continued until allcombinations have been formed.Since there is more than one parameter that can initiate a reactor trip, the parallel pairs of bistable triprelay contacts for each monitored Parameter are connected in series (Logic OR) to form six logic matrices. The six matrices are designated AB, AC, AD, BC, BD, and CD.Each logic matrix is connected in series with a set of four matrix output relays (matrix relays). Each logicmatrix is powered from two separate 120V vital ac distribution buses through dual dc power supplies as shown on Figure 7.2-7. The power supplies are protected from overload by means of input and/or outputfuses or circuit breakers.The contacts of the matrix relays are channelized into four trip paths.
Each reactor trip path is formed by connecting six contacts (one matrix relay contact from each of the sixlogic matrices) in series. The six series contacts are in series with the initiation output relay. The initiationoutput relays serve to deenergize the trip switchgear circuit breakers as discussed in Subsection 7.2.1.1.4.7.2.1.1.4Actuated Devices The above logic causes the deenergizing of the four trip path output relays whenever any one of the logicmatrices is deenergized as described. Each trip path output relay in turn will cause two trip circuit breakers in the trip switchgear to open. (see Figure 7.2-7)Power input to the trip switchgear comes from two full-capacity motor-generator sets, sothat the loss of either set does not cause a release of the CEAs. Each line passes through two trip circuit breakers (each actuated by a separate trip path) in series so that, although both sides of the branch lines must be deenergized to release the CEAs, there are WSES-FSAR-UNIT-3 7.2-12 Revision 14 (12/05)(DRN 01-1104, R12)two separate means of interrupting each side of the line. Upon removal of power to the CEDM power supplies, the CEAs fall into the reactor core by gravity. (DRN 01-1104, R12)Two sets of two manual trip pushbuttons are provided to open the trip circuit breakers, if desired. The manual trip completely bypasses the trip logic. As can be seen in Figure7.2-7 both manual trip pushbuttons in a set must be depressed to initiate a reactor trip. They may be depressed sequentially or
simultaneously.The trip switchgear is housed in a separate cabinet from the RPS. In addition to the trip circuit breakers, the cabinet also contains current monitoring devices for testing purposes and a bus tie circuit breaker. 7.2.1.1.5 Bypasses
The bypasses listed in Table 7.2-1 are provided to permit testing, startup, and maintenance.
The DNBR and local power density bypass, which bypasses the low DNBR and high local power density trips from the CPC, is provided to allow system tests at low power when pressurizer pressure may be low or reactor coolant pumps may be off. The bypass may be manually initiated if thermal power is below
10-4 percent and is automatically removed when the power level is equal to or greater than 10
-4 percent.
The RPS/ESFAS pressurizer pressure bypass is provided for system tests at low pressure, including CEA tests. The bypass may be manually initiated if pressurizer pressure is below 400 psia and is automatically removed if pressurizer pressure increases above 500 psia. The high logarithmic power level bypass is provided to allow the reactor to be brought to the power range during a reactor startup. The bypass may be manually initiated above 10
-4 percent of rated thermal power and is automatically removed when thermal power is equal to or less than the reset point of the
bistable.(DRN 04-384, R14)A PPS manual bypass is provided for the reactor trip on turbine trip function when reactor power is greater than 65 percent. The bypass function can be enabled when the Reactor Power Cutback System (RPCS) is available to reduce reactor power when a turbine trip occurs. When the RPCS is not available, the trip bypass is manually disabled. The trip bypass is automatically enabled when reactor power is less than 65 percent. A key operated switch is provided for each channel. (DRN 04-384, R14)An additional key operated switch located on CP-2 is available to enable or disable the turbine trip inputs to the PPS. This bypass switch is operated independent of reactor power. The combination of all bypass switches enables full functional testing of the system. The trip channel bypass is provided to remove a trip channel from service for maintenance or testing.The trip logic is thus converted to a two-out-of-three basis for the trip type bypassed; other type trips that do not have a bypass in any of their four channels remain in a two-out-of-four logic. The bypass is manually initiated and manually removed. The circuit utilized to accomplish the trip channel bypass is shown in Figure 7.2-8. This circuit, which is repeated for each type trip contains an electrical interlock
which allows only one channel for any one type trip to be bypassed at one time.
WSES-FSAR-UNIT-3 7.2-13 Revision 305 (11/11)
(EC-22790, R305)
The High Steam Generator Level Trip Bypass is pr ovided to prevent unnecessary reactor trips on High Steam Generator Level during low power operations and pl ant startup when level control is difficult. Since the trip is not safety related, the bypass is manually initiated and removed and controlled by Administrative Procedures. The bypass is operated by four keyswitches, one per channel, located on CP-7. (EC-22790, R305)
(DRN 99-2462, R11)
The Reactor Coolant Flow-Low Trip Bypass is prov ided to permit the performance of Control Element Drive Mechanism maintenance with a low flow conditi on in the Reactor Coolant System. The bypass is automatically removed at a preset reactor power level. The bypass is operated by four key switches, one per channel, located on CP-7. (DRN 99-2462, R11)
All bypasses are annunciated visibly and audibly to the operator.
7.2.1.1.6 Interlocks
The following interlocks are provided:
a) Trip Channel Bypasses
An interlock prevents the operator from bypassi ng more than one trip channel at a time for any one type of trip. Different type trips may be simu ltaneously bypassed, either in one channel or in different channels.
b) Matrix Tests
During system testing an electrical interlock w ill allow only the matrix relays in one of the six matrix test modules to be held at a time. Figure 7.
2-7 shows this interlock. The same circuit will allow only one process measurement loop signal to be perturbed at a time. The matrix test and loop perturbation switches are interlocked so that only one or the other may be done at any one time.
c) Nuclear Instrumentation Test
Placement of a nuclear instrument drawer calib ration switch to other than the "operate" position or removal of any level test switch from the "off" position will cause a power trip test interlock to trip low DNBR and high local power density bistables in the affected channels. Placement of a linear or logarithmic calibration switch to other than the "operate" position will cause a channel high power level or high logarithmic power level tr ip. The log trip test potentiometer is combined with the matrix relay hold and bypass channel test interlock so that only one of these functions may be tested at any one time.
d) Core Protection Calculation Test
The low DNBR and high local power density channel trips are interlocked such that they must be bypassed to test a CPC channel.
7.2.1.1.7 Redundancy
Redundant features of the reacto r protective system include:
a) Four independent channels, from process sensor through and including channel trip relays. The CEA position input is from two independent channels; WSES-FSAR-UNIT-37.2-14b)Six logic matrices which provide the two-out-of-four logic. Dual power supplies are provided forthe matrix relays;c)Four trip paths, including four control logic paths and four trip path output relays; d)Two sets of manual trip pushbuttons with either set being sufficient to cause a reactor trip; e)AC power for the system from four separate vital instrument buses. DC power for the tripswitchgear circuit breakers control logic is provided from two separate battery buses. Loss of one battery system will result in reactor trip.The result of the redundant features is a system that meets the single failure criterion, can be testedduring reactor operation, and can be shifted to two-out-of-three logic.The benefit of a system that includes four independent and redundant channels is that the system can beoperated, if need be, with up to two channels out of service (one bypassed and another tripped) and still meet the single failure criteria. The only operating restriction while in this condition (effectively one-out-of-two logic) is that no provision is made to bypass another channel for periodic testing or maintenance. The system logic must be restored to at least a two-out-of-three condition prior to removing another channel for maintenance.7.2.1.1.8Diversity The system is designed to eliminate credible multiple channel failures originating from a common cause.The failure modes of redundant channels and the conditions of operation that are common to them areanalyzed to assure that a predictable common failure mode does not exist. The design provides reasonable assurance that:a)The monitored variables provide adequate information during design basis events(design basis events are listed in Subsections 7.2.2.1.1 and 7.2.2.1.2).b)The equipment can perform as required.
c)The interactions of protective actions, control actions and the environmental changes that cause,or are caused by, the design basis events do not prevent the mitigation of the consequences of the event.d)The system will not be made inoperable by the inadvertent actions of operating and maintenancepersonnel.In addition, the design is not encumbered with additional components or channels without reasonableassurance that such additions are beneficial.The system incorporates functional diversity to accommodate the unlikely event of a common mode failureconcurrent with any of the accident conditions listed in Subsection 7.2.2.1.2.
WSES-FSAR-UNIT-37.2-157.2.1.1.9TestingProvisions are made to permit periodic testing of the complete reactor protective system, with the reactoroperating at power or when shut down. These tests cover the trip actions from sensor amplifier input to the bistables through the protective system and the trip switchgear. The system test does not interfere with the protective function of the system. The testing system meets the criteria of IEEE Standard 338-1971, IEEE Trail-Use Criteria for the Periodic Testing of Nuclear Power Generating Station ProtectiveSystems, and is consistent with the recommendations of NRC Regulatory Guide 1.22, Periodic Testing ofProtection System Actuator Functions (February, 1972).The individual tests are described briefly below. Overlap between individual tests exists so that the entireRPS can be tested. Frequency of accomplishing these tests is listed in the Technical Specifications. On January 30, 1985 (W3P85-0245) LP&L provided the NRC with an evaluation demonstrating that the then existing RPS functional test intervals were consistent with the maintenance of high RPS availability.7.2.1.1.9.1Sensor CheckSensors are checked by comparison with similar channels that should indicate identical information. Alsoevery sensor is checked periodically as outlined in the Technical Specifications for proper input and output. After bypassing the respective bistable, input is supplied through test connections and outputs 4-20 made and 0-10 vdc are measured for proper calibrations.7.2.1.1.9.2Trip Bistable TestsTesting of the trip bistables is accomplished by manually varying the input signal up to or down to the tripsetpoint level on one bistable at a time and observing the trip action.Varying the input signal is accomplished by means of a trip test circuit consisting of a digital voltmeter anda test circuit used to vary the magnitude of the signal supplied by the measurement channel to the trip input. The trip test circuit is interlocked electrically so that it can be used in only one channel at a time. A switch is provided to select the measurement channel, and a pushbutton is provided to apply the test signal. The digital voltmeter indicates the value of the test signal. Trip action (deenergizing) of each of the bistable trip relays is indicated by individual lights on the front of the cabinet, indicating that these relays operate as required for a bistable trip condition.When one of the bistables of a protective channel is in the tripped condition, a channel trip exists and isannunciated on the control room annunciator panel. In this condition, a reactor trip would take place uponreceipt of a trip signal in one of the other three like trip channels. The trip channel under test is therefore bypassed for this test, converting the RPS to a two-out-of-three logic for the particular trip parameter. In either case, full protection is maintained.7.2.1.1.9.3Core Protection Calculator Tests The purpose of both the automatic and periodic testing of the DNBR/LPD Calculator System isto contribute to high system reliability by means of failure detection, and to call attention to system performance not within prescribed limits. The automatic and periodictests provide a means of checking, with a high degree of confidence, the operational WSES-FSAR-UNIT-37.2-16availability of system input sensors and all devices used to derive the final system output signal.Automatic On-Line TestingThe automatic on-line testing consists of three separate checks: (1) internal self-checking of the inputdata, (2) internal self-checking of the calculator and (3) an external watchdog timer that monitors the execution of the cyclic scheduling mechanism. Although failures in the on-line system are expected infrequently, the automatic on-line testing is provided to assure high continuous system reliability beyond that provided in typical analog calculated trips.The protection algorithms will check the reasonability of input sensor data against predeterminedmaximum and minimum values. The CEA Calculator checks raw CEA position data against high and low values of +10 volts dc and +5 volts dc. Raw data which reads between 0 - 5 or 10 - 15 volts dc is deemed unreasonable. If a sensor is found to be out-of-range, the affected calculator will generate the proper annunciation signal.To provide a check on system software and to detect time frame overruns, an external "watchdog timer" isinstalled as part of the Data Input/Output Subsystem.The watchdog timer will light the CPC or CEAC failure light at the Operator's Module directly.For all other failures detected during automatic on-line testing, the affected calculator will set its outputs inthe fail-safe state, such as "trip" for a CPC. If recovery from the failure is possible, the system will maintain its outputs in the safe state and execute Auto-Restart, followed by initialization, followed by normal operation.Further on-line testing capability is provided by continuous status indication and information read out fromeach Core Protection Calculator. Continuous displays of the following information is provided to the operator:a)DNBR marginb)Local power density margin c)Calibrated neutron flux powerCross checking of the four channel displays can be made to assure the integrity of the calculator. Themajority of the calculator failures will result in anomalous indications from the failed channel that can be readily detected by the operator during cross checking.In addition, each protection channel is equipped with an Operator's Module which provides another level ofassurance of the functional integrity of the calculator channels.Periodic TestingThe DNBR/LPD Calculator System is periodically and routinely tested to verify itsoperability. A complete channel can be individually tested without initiating a reactor trip, and without violating the single failure criterion. The system can be checked from WSES-FSAR-UNIT-37.2-17the sensor signal through the bistable contacts for low DNBR and high local power density in the PlantProtection System. Overlap in the checking and testing is provided to assure that the entire channel is functional.
The minimum frequencies for checks, calibration, and testing of the Core Protection Calculator system have been included in the Technical Specifications.Periodic testing of the DNBR/LPD Calculator system is divided into two major categories, (1) on-linesystem tests and (2) off-line performance diagnostic tests. Off-line testing is further subdivided into twocategories, performance testing and diagnostic testing. Performance testing is used to check the numerical accuracy of the calculations. Diagnostic testing is used as an aid to troubleshooting whenever the performance tests or the on-line tests (interchannel comparisons) indicate the presence of a failure.
Permanent mass storage units will be used for storage of the test programs.On-line System TestThe on-line portion of the periodic testing consists of comparisons of like parameters among the fourprotective channels. Comparisons are made using the digital displays on the Operator's Module and the analog meters on the control board. Comparisons of like analog and digital inputs give assurance that theanalog and digital multiplexers and the A/D converters are functioning properly. These comparisons alsogive assurance that data are being properly entered into and retrieved from the data base. Comparisons of intermediate and final calculated parameters verify the performance of the protection algorithms and the analog display meters on the control board.Calibration of the A/D converters is checked by displaying the reference voltage supplies which areconnected to each calculator.Off-line Performance TestBefore off-line testing is initiated, the channel to be tested is bypassed at the Plant Protection System andthe trip logic is changed to two-out-of-three for the DNBR and local power density trips. Interlocks are incorporated in the Plant Protection System to prevent bypassing more than one channel at a time. Toinitiate off-line testing a key is required and only one key is provided. This ensures that only one channel can be placed in the test mode at a time.The performance test uses the calculator data base to verify numerical accuracy of the calculations. Thedata base is divided into three areas, namely, raw input data, filtered input data and calculated values.The raw data area contains the last samples of raw analog and digital data. The filtered data areacontains averaged input data, filtered input data, past samples of input data needed for dynamic compensation, and dynamically compensated data. The calculated values area contains intermediate and final calculated values and calibration constants which are updated periodically.During performance testing, the permanent mass storage unit is used to load test inputsdirectly into the data base. For each set of test inputs, the expected calculated results are also loaded and compared with the values calculated by the protection algorithms. If agreement is achieved, the test program prints the expected results and the actual results on the Teletype and proceeds to the next set of test data. If agreement is not achieved, the test program halts at that point unless restarted by the operator. Dynamic effects in WSES-FSAR-UNIT-37.2-18the calculations are tested by loading the filtered data area of the data base with test values representingpast values of time varying inputs.
From the standpoint of the calculator software structure, the performance tests are virtually identical to the on-line functions. Only two differences exist from the normal functions of the calculators. First, the calculator outputs are in a fail-safe condition for the duration of the tests, and second, the algorithms use data derived from the permanent mass storage unit instead of the Data Input/Output subsystem. The algorithms themselves, however, do not recognize the data source or that they are executing in the test mode.As a final check, the individual instructions in protected memory are compared with an image of theinstructions stored on the permanent mass storage unit to ensure the integrity and demonstrate the "reliability" of the protection algorithms during the life span of the DNBR/LPD Calculator System.Off-Line Diagnostic TestsAfter a given failure is detected by a performance test, on-line test, or on-line diagnostic, hardwarediagnostic programs are provided to aid in locating (to the module level) and correcting malfunctions.7.2.1.1.9.4Logic Matrix TestThis test is carried out to verify power operation of the six two-out-of-four logic matrices, any of which willinitiate a bonafide system trip for any possible two-out-of-four trip condition from the signal inputs fromeach measurement channel.Only the matrix relays in one of the six logic matrix test modules can be held in the energized positionduring tests. If, for example, the AB logic matrix hold pushbutton is held depressed, actuation of the other matrix hold pushbuttons will have no effect upon their respective logic matrices.Actuation of the pushbutton will apply a test voltage to the test system hold coils of the selected fourdouble coil matrix relays. This voltage will provide the power necessary to hold the relays in their energized position when deactuation of the bistable trip relay contacts in the matrix ladder being tested causes deenergization of the primary matrix relay coils.The logic matrix to be tested is selected using the system channel trip select switch. Then while holdingthe matrix hold pushbutton in its actuated position, rotation of the channel trip select switch will release only those bistable trip relays that have operating contacts in the logic matrix under test. The channel tripselect switch applies a test voltage of opposite polarity to the bistable trip relay test coils, so that themagnetic flux generated by these coils opposes that of the primary coil of the relay. The resulting flux will be zero, and the relays will release. A simplified diagram of this testing system is shown in Figure 7.2-9 using the AB matrix.Trip action can be observed by illumination of the trip relay indicators located on thefront panel and by loss of voltage to the four matrix relays, which is indicated by extinguishing indicator lights connected across each matrix relay coil. During this test, the matrix relay "hold" lights will remain on, indicating that a test WSES-FSAR-UNIT-37.2-19voltage has been applied to the holding coils of the four matrix relays of the logic matrix module undertest.The test is repeated for all six matrices and for each actuation signal. This test will verify that the bistablerelay contacts operate correctly and that the logic matrix relays will deenergize if the matrix continuity is violated. The opening of the matrix relay contacts is tested in the trip path tests (see Subsection 7.2.1.1.9.5).Each logic matrix test module provides the associated test circuitry for both the RPS and ESFAS logicmatrices. The system channel trip select switch permits the selection of the desired actuation logic matrix to be tested as can be seen in Figure 7.2-7.7.2.1.1.9.5Trip Path/Circuit Breaker TestsEach trip path is tested individually by depressing a matrix hold pushbutton (holding matrix relays),selecting any trip position on the channel trip select switch (opening the matrix), and selecting a matrixrelay on the matrix relay trip select switch (deenergizing one of the matrix relays). This will cause one,and only one, of the trip paths to deenergize, causing two trip circuit breakers to open. CEDMs remain energized via the other trip circuit breakers.The dropout lamps shown on Figures 7.2-7 and 7.2-9 are used to provide additional verification that thematrix relay has been deenergized, (e.g., the 6AB-1 matrix relay contact energizes the dropout lamp).
Since the matrix test modules are also utilized for the ESFAS logic matrix testing, this dropout lamp is also shared via contacts 1AB-1 through 5AB-1 as shown on Figure 7.2-7. Proper operation of the actual trip path matrix relay contacts is verified by the trip path lamp located on the trip status panel.Proper operation of all coils and contacts is verified by lights on a trip status panel; final proof of openingof the trip circuit breakers is the lack of indicated current through the trip breakers.The matrix relay trip select switch is turned to the next position, reenergizing the tested matrix relay andallowing the trip breakers to be manually reset.This sequence is repeated for the other three trip paths from the selected matrix. Following this the entiresequence is repeated for the remaining five matrices. Upon completion, all 24 matrix relay contacts and all four trip paths and breakers will have been tested.7.2.1.1.9.6Manual Trip Test The manual trip feature is tested by depressing one of the four manual trip pushbuttons, observing a tripof two trip breakers, and resetting the breakers prior to depressing the next manual trip pushbutton.7.2.1.1.9.7BypassesThe system bypasses, as itemized in Table 7.2-1, are tested by appropriate test circuitry. Testing includesboth initiation and removal features.
WSES-FSAR-UNIT-3 7.2-20 Revision 14 (12/05) 7.2.1.1.9.8 Response Time Tests (DRN 03-2061, R14)
Response time tests of the RPS, required at refueling intervals are described in the Technical Specifications. RPS response times are listed in the TRM. (DRN-03-2061, R14) 7.2.1.1.10 Vital Instrument Power Supply
The vital instrument power supply for the RPS is described in Chapter 8.
7.2.1.2 Design Bases The RPS is designed to assure adequate protection of the fuel, fuel cladding, and RCS pressure boundary during anticipated operational occurrences. In addition, the system is designed to assist the
Engineered Safety Feature System (ESFS) in limiting the consequences of certain postulated accident conditions. To ensure that these design bases are achieved, the reactor must be maintained within the limiting conditions of operation, as defined in Technical Specifications and the limiting safety system
settings implemented consistent with Technical Specifications.
The system is designed on the allowing bases to assure adequate performance of its protective function:
a) The system is designed in compliance with the applicable criteria of the AEC, General Design Criteria for Nuclear Power Plants, Appendix A of 1OCFR50, July 15, 1971.
b) Instrumentation, function, and operation of the system conforms to the requirements of IEEE standard 279-1971, Criteria for Protective Systems for Nuclear Power Plants.
c) System testing conforms to the requirements of IEEE Standard 338 1971, Trial Use Criteria for Periodic Testing of Nuclear Power Generating Station.
d) The design of the system is consistent with the recommendations of Regulatory Guide 1.53, Application of the Single-Failure Criterion to Nuclear Power Plant Protective Systems (June, 1973), and Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions (February, 1972).
e) The system is designed to determine the following generating station conditions in order to provide adequate protection during anticipated operational occurrences:
- 1. Core power (from logarithmic power circuits)
- 2. Reactor Coolant System pressure
- 3. DNBR in the limiting coolant channel in the core
- 4. Peak local power density in the limiting fuel pin in the core
(DRN 03-2061, R14) 5. Steam generator water level (DRN 03-2061, R14)
WSES-FSAR-UNIT-37.2-21f)The system is designed to determine the following generating station conditions in order toprovide protective action assistance to the ESFS during accidents:1.Core power 2.RCS pressure 3.Steam generator pressure 4.Containment pressure 5.Steam generator level 6.DNBR in the limiting coolant channel in the coreg)The system is designed to monitor all generating station variables that are needed to assureadequate determination of the conditions given in listings e and f above, over the entire range ofnormal operation and transient conditions. The full power nominal values and the maximum and minimum values that can be sensed for each monitored plant variable are given in Table 7.2-2.The type, number, and location of the sensors provided to monitor these variables are given inTable 7.2-3. There is no spatial dependence resulting from the location of sensors that affects the functional design requirements identified in Subsection 7.2.2.h)The system is designed to alert the operator when any monitored plant condition is approaching acondition that would initiate protective action.i)The system is designed so that protective action will not be initiated due to normal operation of thegenerating station.Nominal full power values of monitored conditions and their corresponding protective action (trip)setpoints are given in Table 7.2-4.The selection of these trip setpoints is such that adequate protection is provided when all sensorand processing time delays and inaccuracies are taken into account. Response times and sensor accuracies used in the safety analyses are provided in Chapter 15.The trip delay times and uncertainties provided in Chapter 15 are representative of the manner inwhich the reactor protective system and associated instrumentation will operate. These quantities are used in the transient analysis done in Chapter 15. Actual RPS uncertainties and delay times will be obtained from calculations and tests performed on the RPS and associated instrumentation. The verified system uncertainties are factored into all RPS settings and/or setpoints to assure that the system adequately performs its intended function when the errors and uncertainties combine in an adverse manner.
WSES-FSAR-UNIT-37.2-22j)All system components are qualified for environmental and seismic conditions in accordance withIEEE Standard 323-1971, and IEEE Standard 344-1971. Compliance is addressed in Sections 3.10 and 3.11. In addition, the system is capable of performing its intended function under the most degraded conditions of the energy supply, as addressed in Chapter 8.7.2.1.3Final System DrawingsElectrical wiring diagrams, block diagrams, final logic diagrams, and location layout drawings are listedand provided by reference in Section 1.7.The differences between the logic diagrams and schematics submitted in the PSAR and those in theFSAR are discussed in Subsection 1.3.2.7.2.2ANALYSIS7.2.2.1IntroductionThe RPS is designed to provide the following protective functions:a)Initiate automatic protective action to assure that acceptable RCS and fuel design limits are notexceeded during specified anticipated operational occurrences.b)Initiate automatic protective action during certain postulated accident conditions to aid the ESFS inlimiting the consequences of the accident.A description of the reactor trips provided in the RPS is given in subsection 7.2.1.1.1. Subsection 7.2.2.2provides the bases for all the RPS trips and Table 7.2-4 gives the applicable nominal trip setpoints.Most of the trips in the RPS are single parameter trips (i.e., a trip signal is generated by comparing asingle measured variable with a fixed setpoint). The RPS trips that do not fall into this category are asfollows:a)Low Pressurizer Pressure TripThis trip employs a setpoint that is determined as a function of the measured pressurizer pressureor that is varied by the operator.b)Low Steam Generator Pressure TripThis trip employs a setpoint that is determined as a function of the measured steam generator pressure or that is varied by the operator.c)High Local Power Density TripThis trip employs a setpoint that is calculated as a function of several measured variables.d)Low DNBR TripThis trip is calculated as a function of several measured variables.
WSES-FSAR-UNIT-3 7.2-23 Revision 14 (12/05)
The low DNBR and high local power density trips are provided in the CPCS. All RPS trips with the exception of the steam generator differential pressure trip and reactor trip on turbine trip are provided with a pretrip alarm in addition to the trip alarm. Pretrip alarms are provided to alert the operator of an approach to a trip condition and play no part in the safety evaluation of the plant.
Each RPS setpoint is chosen to be consistent with the function of the respective trip.
The adequacy of all RPS trip setpoints, with the exception of the low DNBR and high local power density trips, is verified through an analysis of the pertinent system transients reported in Chapter 15. These analyses take into account all calculational and measurement uncertainties and system delay times related to the respective trips. Limiting trip delay times and uncertainties are given in Section 15.0. The manner by which these delay times and uncertainties will be verified is discussed in subsection 7.2.1.2.
The adequacy of RPS trip functions, with the exception of the low DNBR and high local power density trips, is verified through analysis of the pertinent design basis events reported in Chapter 15. These analyses utilize an analysis setpoint (i.e., assumed trip initiation point) and system delay times related to the respective trip functions. The analysis setpoints, along with instrument uncertainties provide the basis
for the calculation of the final equipment setpoints.
7.2.2.1.1 Anticipated Operational Occurrences (DRN 04-1097, R14)
The anticipated operational occurrences that are accommodated by the system are those conditions of normal operation that are expected to occur one or more times during the life of the plant. In particular, the occurrences considered include single operator errors or single component or control system failures resulting in transients which could lead to a violation of acceptable plant and fuel design limits if protective
actions were not initiated. (DRN 04-1097, R14)
The fuel design and reactor coolant pressure boundary (RCPB) limits used to define the RPS design are:
a) The DNBR, in the limiting coolant channel in the core, shall not be less than the DNBR limit.
b) The peak local power density, in the limiting fuel pin in the core, shall not be greater than 21 kw/ft, the safety limit corresponding to the onset of centerline fuel melting.
c) The RCS pressure shall not exceed those values permitted by the applicable ASME Code,Section III.
The anticipated operational occurrences that were used to determine the system design requirements
are: (DRN 01-1104, R12; 02-1478, R12) a) Insertion or withdrawal of CEA groups, including: (DRN 01-1104, R12; 02-1478, R12)
WSES-FSAR-UNIT-37.2-24 Revision 12 (10/02)1.Uncontrolled sequential withdrawal of CEA groups2.Out-of-sequence insertion or withdrawal of CEA groups(DRN 01-1104)3.Deleted(DRN 01-1104)4.Excessive sequential insertion of CEA groups(DRN 01-1104)b)Insertion or withdrawal of a CEA subgroup including:
(DRN 01-1104)1.Uncontrolled insertion or withdrawal of a CEA subgroup2.Dropping of one CEA subgroup3.Misalignment of CEA subgroup comprising a designated CEA group(DRN 01-1104)c)Insertion or withdrawal of a single CEA including:
(DRN 01-1104)1.Uncontrolled insertion or withdrawal of a single CEA(DRN 01-1104)2.Dropped CEA(DRN 01-1104)3.A single CEA sticking, with the remainder of the CEAs in that group moving4.A statically misaligned CEAd)Uncontrolled boron dilution.
e)Excess heat removal due to secondary system malfunctions.
f)Change of forced reactor coolant flow resulting from a complete loss of power to one or more reactor coolant pumps.g)Inadvertent pressurization or depressurization of RCS resulting from anticipated single control system malfunctions.h)Change of normal heat transfer capability between steam and RCS systems resulting from improper feedwater or a loss of external load and/or turbine trip.i)Loss of preferred ac power.
j)Uncontrolled axial xenon oscillations.
k)Asymmetric Steam Generator Transient (due to instantanous closure of MSIV)7.2.2.1.2Accidents The accident conditions for which the system will take action are those unplanned events under any conditions that are expected to occur once during the life of several stations and arbitrary
combinations of un-planned events are degraded systems that are never expected to WSES-FSAR-UNIT-3 7.2-25 Revision 14 (12/05)occur. The consequences of most of these accidents will be limited by the ESFS; the RPS will provide action to assist in limiting these conditions for those accidents but does not have the major role in assuring that the plant is maintained within the applicable safety limits. The accident conditions for which
the RPS will provide protective action assistance are: a) RCS pipe rupture, including double-ended rupture of the largest pipe in the RCS.
b) Ejection of any single CEA.
c) Steam system pipe rupture, including a double-ended rupture.
d) Steam generator tube rupture.
e) Reactor coolant pump shaft seizure.
f) Reactor coolant pump sheared shaft. (DRN 04-1097, R14)7.2.2.2 Trip Bases(DRN 04-1097, R14)The RPS consists of fourteen trips in each RPS channel that will initiate the required automatic protective action utilizing two-out-of-four coincidence. A brief description of the inputs and purpose of each trip is presented in Subsections 7.2.2.2.1 through 7.2.2.2.14.7.2.2.2.1 High Linear Power Level Trip
a) Input Neutron flux power from the excore neutron flux monitoring system.
b) Purpose (DRN 03-2061, R14) To provide reactor core protection against rapid reactivity excursions. (DRN 03-2061, R14) 7.2.2.2.2 High Logarithmic Power Level Trip a) Input Neutron flux power from the excore neutron flux monitoring system.
b) Purpose To assure the integrity of the fuel cladding and RCS boundary in the event of unplanned criticality from a shutdown condition, resulting from earlier dilution of the soluble boron concentration or uncontrolled withdrawals of CEAS. In the event that CEAs are in the withdrawn position, automatic trip action will be initiated. If all CEAs are inserted, an alarm is provided to alert the operator to take appropriate action in the event of an unplanned criticality.
WSES-FSAR-UNIT-3 7.2-26 Revision 14 (12/05)7.2.2.2.3 High Local Power Density Trip a) Inputs 1. Neutron flux power and axial power distribution from the excore neutron flux monitoring system 2. Radial peaking factors from CEA position measurement system (reed switch assemblies) 3.T power from coolant temperatures and flow measurements b) Purpose (DRN 04-1097, R14) To prevent the linear heat rate (kW/ft) in the limiting fuel pin in the core from exceeding the value corresponding to the safety limit of peak fuel centerline temperature in the event of defined
anticipated operational occurrences. (DRN 04-1097, R14)7.2.2.2.4 Low DNBR Trip a) Inputs
- 1. Neutron flux power and axial power distribution from the excore neutron flux monitoring system 2. RCS pressure from pressurizer pressure measurement 3. T power from coolant temperatures and flow measurements 4. Radial peaking factors from CEA position measurements (reed switch assemblies)
- 5. Reactor coolant mass flow from reactor coolant pump speed
- 6. Core inlet temperature from reactor coolant cold leg temperature measurements
b) Purpose (DRN 03-2061, R14) To prevent the DNBR in the limiting coolant channel in the core from exceeding the fuel design limit in the event of defined anticipated operational occurrences. In addition, this trip will provide
a reactor trip to assist the ESFS in limiting the consequences of the steam generator tube rupture, steam line break and reactor coolant pump shaft seizure accidents. The Core Protection Calculators (CPCs) contain several trip functions, such as Low Departure from Nuclear Boiling Ratio (DNBR) trips, that are credited in some safety analysis. (DRN 03-2061, R14) 7.2.2.2.5 High Pressurizer Pressure Trip a) Input Reactor coolant pressure from narrow range (1500-2500 psia) pressurizer pressure measurement.
WSES-FSAR-UNIT-37.2-27b)PurposeTo help assure the integrity of the RCS boundary for any defined anticipated operationaloccurrences that could lead to an over-pressurization of the RCS.7.2.2.2.6Low Pressurizer Pressure Trip a)InputReactor coolant from wide range (0-3000 psia) pressurizer pressure measurement.b)PurposeTo provide a reactor trip in the event of reduction in system pressure, in addition to the DNBR trip,and to provide a reactor trip to assist the ESFS in the event of a LOCA.7.2.2.2.7Low Steam Generator Water Level Trips a)InputLevel of water in each steam generator downcomer region from differential pressuremeasurements.b)PurposeTo provide protective action to assure that there is sufficient time for actuating the emergencyfeedwater pumps to remove decay heat from the reactor in the event of a reduction of steam generator water inventory.7.2.2.2.8Low Steam Generator Pressure Tripsa)InputSteam pressure in each steam generator.b)PurposeTo provide a reactor trip to assist the ESFS in the event of a steam line rupture accident.7.2.2.2.9High Containment Pressure Trip a)InputPressure inside reactor containmentb)PurposeTo assist the ESFS by tripping the reactor coincident with the initiation of safety injection.
WSES-FSAR-UNIT-37.2-287.2.2.2.10High Steam Generator Levelsa)InputLevel of water in each steam generator downcomer region from differential pressuremeasurements.b)PurposeTo prevent excessive moisture carryover from the steam generators from reaching the turbine,which could result in damage to the turbine. This trip is not required to fulfill the protective functions given in Subsection 7.2.2.1.7.2.2.2.11Low Reactor Coolant Flow Tripa)InputPressure differential measured across the steam generator primary side.b)PurposeTo provide a reactor trip in the event of a reactor coolant pump sheared shaft.7.2.2.2.12Reactor Trip On Turbine Trip a)InputTurbine trip (Subsection 15.2.1.2.1 defines the probable causes of a turbine trip).b)PurposeTo prevent a challenge of the pressurizer relief valves. This trip is not required to fulfill theprotective functions given in Subsection 7.2.2.1.7.2.2.2.13Reactor Trip on Loss of Load a)InputThe loss of load trip is generated from the loss of load circuitry in the steam bypass controlsystem.b)PurposeTo provide reactor protection for loss of loads events in which the main turbine runs back but doesnot trip.
WSES-FSAR-UNIT-37.2-297.2.2.2.14Manual Tripa)InputThe manual trip is initiated by actuation of two adjacent pushbutton switches in the main controlroom which causes interruption of the ac power to the CEDM power supplies.b)PurposeTo allow the operator to trip the reactor manually.7.2.2.3Design7.2.2.3.1General Design Criteria Appendix A of 10CFR50, General Design Criteria for Nuclear Power Plants (July 7, 1971) establishesminimum requirements for the principal design criteria for water cooled nuclear power plants. This paragraph describes how the requirements that are applicable to the RPS are satisfied:a)Criterion 1: Quality Standards and RecordsThe quality assurance for the design of equipment and components is described in the QAProgram Manual. These procedures will assure that the system will be described in accordance with required codes and standards.b)Criterion 2: Design Bases for Protection Against Natural PhenomenaThe design bases for protection against natural phenomena are described in Sections 3.3, 3.4, 3.10 and 3.11.c)Criterion 3: Fire ProtectionThe design basis for fire protection is described in Subsection 9.5.1.d)Criterion 4: Environmental and Missile Design BasesEnvironmental design bases are described in Section 3.11. Missile design bases are described inSection 3.5.e)Criterion 5: Sharing of structures, Systems, and ComponentsNo RPS components are shared with future or existing reactor facilities.f)Criterion 10: Reactor DesignThe RPS, in conjunction with the plant control system and Technical Specificationrequirements, provides sufficient margin to trip setpoints so that, (1) during normal operation protective action will not be initiated, and (2) during anticipated WSES-FSAR-UNIT-37.2-30operational occurrences, fuel design limits will not be exceeded. Typical margins far each tripparameter are shown in Table 7.2-4.g)Criterion 12: Suppression of Reactor Power OscillationsThe axial power distribution is continually monitored by the RPS and factored into the low DNBRand high local power density trips. This assures that acceptable fuel design limits are notexceeded in the event of axial power oscillations. Allowances are made in the trip setpoints forazimuthal power tilts.h)Criterion 13: Instrumentation and ControlSensor ranges are sufficient to monitor all pertinent plant variables over the expected range ofplant operation for normal and transient conditions. All variables that affect plant and fuel design limits are monitored by the RPS. The safety-related information readout for plant monitoring is described in Section 7.5.i)Criterion 15: RCS DesignThe high pressurizer pressure trip and high logarithmic power level trip are provided to helpassure the integrity of the RCS boundary.j)Criterion 20: Protection System FunctionsThe RPS will monitor all plant variables that affect plant and fuel design limits. These limitsare given in Subsection 7.2.2.1.1. A reactor trip will be initiated to prevent these limits from beingexceeded for all the anticipated operational occurrences that are listed in Subsection 7.2.2.1.1.k)Criterion 21:Protection System Reliability and TestabilityFunctional reliability is ensured by compliance with the requirements of IEEE Standard 279-1971,as described in Subsection 7.2.2.3.2. Testing is in compliance with IEEE standard 338-71, and consistent with the recommendations of Regulatory Guide 1.22 (Feb, 1972) described in Subsection 7.2.2.3.3. It should be noted that GDC-21 is satisfied even with one channel bypassed.l)Criterion 22:Protection System IndependenceThe RPS independence is assured through redundancy and diversity as described in Subsections 7.2.1.1.7 and 7.2.1.1.8.m)Criterion 23:Protection System Failure ModesThe protective system is designed to fail into a safe state in the event of loss of power supply,disconnection of the system, or module removal, as noted in Subsection 7.2.2.3.2. Where protective action is required under adverse environmental conditions during postulated accidents,the components of the system are designed to function under such conditions.
WSES-FSAR-UNIT-37.2-31n)Criterion 24:Separation of Protection and Control SystemsThe protection system is separated from the control systems.o)Criterion 25:Protection System Requirements for Reactivity Control MalfunctionsThe RPS is designed to ensure that acceptable RCS and fuel design limits are not exceeded forthe reactivity control malfunctions stated in Subsection 7.2.2.1.1.p)Criterion 29:Protection Against Anticipated Operational OccurrencesThe RPS is designed to assure a very high probability of accomplishing the protective functionsgiven in Subsection 7.2.2.1.7.2.2.3.2Equipment Design CriteriaIEEE Standards 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations,establishes minimum requirements for safety-related functional performance and reliability of the RPS.This subsection describes how these requirements listed in Section 4 of IEEE Standard 279 are satisfied.4.1 "General Functional Requirement"The RPS is designed to limit reactor fuel, fuel cladding, and coolant conditions to levels within plant andfuel design limits. Instrument performance characteristics, response time, and accuracy are selected for compatibility with and adequacy for the particular function. Trip setpoints are established by analysis ofthe system parameters. Factors such as instrument inaccuracies, bistable trip times, CEA travel times, valve travel time, circuit breaker trip times, and pump starting times are considered in the design of the system.4.2 "Single Failure Criterion"The protective system is designed so that any single failure within the system shall not prevent properprotective action at the system level. No single failure will defeat more than one of the four protection channels associated with any one trip function. The wiring in the system is grouped so that no single faultor failure, including either an open or shorted circuit, will negate protective system operation. Signal conductors are protected and routed independently.a)The following is an evaluation of the effects of specific single faults in the analog portion of thesystem:1)A loss of signal in a measurement channel initiates channel trip action forthe low pressurizer pressure, low steam generator water level, and low steam generator pressure trips.
WSES-FSAR-UNIT-37.2-32Revision 7 (10/94)2)Shorting of the signal leads to each other has the same effect as a loss ofsignal. Shorting a lead to a voltage has no effect since the signal circuit is ungrounded.3)Single grounds of the signal circuit have no effect. Periodic checking of thesystem will assure that the circuit remains ungrounded.4)Open circuit of the signal leads has the same effect as a loss of signal.b)The following is an evaluation of the effects of specific single faults in the logic portion of thesystem:1)Inadvertent operation of the relay contacts in the matrices will be identifiedby indicating lights.2)Shorting of the pairs of contacts in the matrices will prevent the matrixrelay sets from being released. Such shorts are detectable in the testing process byobserving that the matrix relays cannot be dropped out. Testing is accomplished bysuccessive opening of the logic matrix contact pairs.3)Shorting of the matrices to an external voltage has no effect since the matrixis ungrounded. The testing process will indicate accidental application of potential to the matrix. Equipment is provided to detect grounds on the matrices.4)The logic matrices will each be supplied by two power sources. Loss of asingle power source has no effect on plant operation. Loss of power to a logic matrix initiates a trip condition.5)Failure of a matrix relay to deenergize will not prevent a trip since thereare six matrix relay contacts in series in the trip path and any one contact initiating trip action will cause the action to be completed.6)The failure of one trip breaker or control circuit has no effect since thereare two trip breakers with independent control circuits in series, either of which will provide the necessary action.7)Single grounds or accidental application of potential in the trip pathcircuits have no effect since the circuit is ungrounded. Testing and observation of ground detectors will indicate these problems.8)The CEDM power supply circuits operate ungrounded so that single grounds haveno effect. The CEDMs are supplied in two groups by separate pairs of power supplies to further reduce the possibility of a CEA being improperly held. The CEDM loadrequirements are such that the application of any other local available supply would not prevent CEA release.4.3 "Quality Control of Components and Modules" The quality assurance control measures applied to these systems and components are described WSES-FSAR-UNIT-37.2-33Revision 7 (10/94)in the QA Program Manual. These measures include appropriate requirements for design review,procurement, inspection, and testing to ensure that the system components shall be of a quality consistent with minimum maintenance requirements and low failure rates.4.4 "Equipment Qualification"The RPS meets the equipment requirements described in Section 3.10 and 3.114.5 "Channel Integrity"Type testing of components, separation of sensors and channels, and qualification of cabling are utilizedto ensure that the channels will maintain the functional capability required under applicable extremes of conditions relating to environment, energy supply, malfunctions, and accidents.Loss of, or damage to, any one path will not prevent the protective action. Sensors are connected so thatblockage or failure of any one connection does not prevent protective system action. The process transducers located in the containment are specified and rated for the intended service. Components that must operate during or after the LOCA are rated for the LOCA environment. Results of type tests are used to verify these ratings.In the main control room, the nuclear instrumentation and protective system trip paths are located in fourcompartments. Mechanical and thermal barriers between these compartments reduce the possibility of common event failure. Outputs from the components in this area to the control boards are isolated or arerouted in a channelized cable system. The isolators provided assure that shorting, grounding, or theapplication of the highest available local voltage does not cause channel malfunction. Where signals originating in the RPS feed the computer, signal isolation is provided; where the RPS is feeding annunciators, isolation is ensured through the use of relay contacts.4.6 "Channel Independence"The locations of the sensors and the points at which the sensing lines are connected to the process loopwere selected to provide physical separation of the channels, thereby precluding a situation in which a single event could remove or negate a protective function. The routing of cables from protective systemtransmitters as arranged so that the cables are separated from each other and from power cabling tominimize the likelihood of common event failures. This includes separation at the containment penetration areas. In the main control room, the four nuclear instrumentation and protective system trip channels are located in individual compartments.Mechanical and thermal barriers between these compartments minimize the possibility of common eventfailure. Outputs from the components in this area to the control boards are isolated or are routed in a channelized cable system. The isolator provided assure that shorting, grounding, or the application of the highest available local voltages (120V ac, 125v dc) do not cause channel malfunction.The criteria for separation and physical independence of channels are based on the need for decouplingthe effects of accident consequences and energy supply transients and for reducing the likelihood of channel interaction during testing or in the event of a channel malfunction.
WSES-FSAR-UNIT-37.2-344.7 "Control and Protection System Interaction"a)"4.7.1 Classification of Equipment"No sensors are common to the RPS and any control system. The RPS is separated from thecontrol instrumentation systems so that failure or removal from service of any control instrumentation system component or channel does not inhibit the function of the protective system.4.8 "Derivation of System Inputs"This criterion requires that insofar as is practicable, system inputs are derived from signals that are directmeasures of the desired variables. Variables that are measured directly include neutron flux, temperatures, and pressures. Level information is derived from appropriate differential pressure measurements. Flow information is derived from reactor coolant pump speed measurement.4.9 "Capability for Sensor Checks"The RPS sensors are checked by cross-checking between channels. These channels bear a knownrelationship to each other, and this method ensures the operability of each sensor during reactor operation.4.10 "Capability for Test and Calibration"Testing is described in subsection 7.2.1.1.9 and is in compliance with IEEE Standard338-1971, as discussed in Subsection 7.2.2.3.3.4.11 "Channel Bypass or Removal from Operation"Any one of the four protective system channels may be tested, calibrated, or repaired without detrimentaleffects on the system. Individual trip channels may be bypassed to effect a two-out-of-three logic on remaining channels. The single failure criterion is met during this condition. Testing of each of the two CEA position input channels can be accomplished in a very brief time period. Probability of failure of the other system is acceptably low during such testing periods.4.12 "Operating Bypasses"Operating bypasses are provided as shown in Table 7.2-1. The operating bypasses are automaticallyremoved when the permissive conditions are not met. The circuitry and devices which function to remove these inhibits are designed in accordance with IEEE Standard279-1971.4.13 "Indication of Bypasses"Indication of test or bypass conditions or removal of any channel from service is given by lights andannunciators. Operating bypasses that are automatically removed at fixed setpoints are alarmed and indicated.
WSES-FSAR-UNIT-37.2-354.14 "Access to Means for Bypassing"A key is required to gain access to the means for bypassing a protective system channel. An interlockprevents the plant operator from bypassing more than one of the four channels of any one type trip at any one time. All bypasses are visually and audibly annunciated.4.15 "Multiple Setpoints"Manual reduction of setpoints for low pressurizer pressure and low steam generator pressure trips areallowed for the controlled reduction of pressurizer pressure and steam generator pressure as discussed in Subsections 7.2.1.1.1.6 and 7.2.1.1.1.8. The setpoint reductions are initiated by a control board mounted pushbutton which, upon actuation, adjusts the setpoint to a value at a preselected increment below the operating pressure which exists at the time the pushbutton is actuated. A separate pushbutton is provided for each protection channel. This method of setpoint reduction provides positive assurance that the setpoint is never decreased below the existing pressure by more than a predetermined amount.The setpoint is automatically increased by the RPS as the measured pressure is increased.4.16 "Completion of Protective ActionOnce it is Initiated"The system is designed to ensure that protective action (reactor trip) will go to completion once initiated.Operator action is required to clear the trip and return to operation. Protective action is initiated when the reactor trip circuit breakers open. Protective action is completed when the CEAs arrive at their full-in position.4.17 "Manual Initiation"A manual trip is affected by depressing either of two sets of trip pushbuttons, therefore no single failurewill prevent a manual trip. The two pushbuttons in a set need not be depressed simultaneously.4.18 "Access to Setpoint Adjustments, Calibration and Test Points"A key is required for access to setpoint adjustments, calibration and test points. Access is also visibly andaudibly annunciated.4.19 "Identification of Protective Action"Indication lights are provided for all protective actions, including identification of channel trips.4.20 "Information Readout"Means are provided to allow the operator to monitor all trip system inputs, outputs, and calculations. Thespecific displays that are provided for continuous monitoring are described in Section 7.5.
WSES-FSAR-UNIT-3 7.2-36 Revision 14 (12/05) 4.21 "System Repair" Identification of a defective input channel will be accomplished by observation of system status lights or by testing as described in Subsection 7.2.1.1.9. Replacement or repair of components is accomplished with the affected input channel bypassed. The affected trip function then operates in a two-out of three-
trip logic.
4.22 "Identification" All equipment, including panels, modules, and cables associated with the trip system are marked in order
to facilitate identification.
(DRN 03-2061, R14) 7.2.2.3.3 Testing Criteria (DRN 03-2061, R14)
IEEE Standard 338-1971, Trial Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems, September 1971, and Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions (February, 1972) provide guidance for development of procedures, equipment, and documentation of periodic testing. The basis for and the scope and means of testing are described in this
subsection.
(DRN 03-2061, R14) Since operation of the RPS will be infrequent, the system is periodically and routinely tested to verify its operability. A complete channel can be individually tested without initiating a reactor trip, without violating the single failure criterion, and without inhibiting the operation of the system. The system can be checked from the sensor signal through the power supply circuit breakers of the control element drive mechanisms. The RPS can be tested during reactor operation. The sensors can be checked by comparison with similar channels or channels that involve related information. Minimum frequencies for checks, calibration, and testing of the RPS instrumentation are given in the Technical Specifications.
RPS response times are listed in the TRM. Overlap in the checking and testing is provided to assure that the entire channel is functional. The use of individual trip and ground detection lights, in conjunction with those provided at the supply bus, assure that possible grounds or shorts to another source of voltage will
be detected. (DRN 03-2061, R14)
The testing scheme is presented in detail in Subsection 7.2.1.1.9.
The response time from an input signal to the protection system trip bistables through the opening of the trip circuit breakers is verified by measurement during plant startup testing. Sensor responses are
measured during factory acceptance tests.
7.2.2.3.4 Environmental and Seismic Criteria
IEEE Standard 323-1971, Trial-Use Guide for Qualifying Class 1 Electrical equipment for Nuclear Power Generating Station, was used as a design basis for the RPS. Compliance with this criterion is detailed in
Section 3.11.
IEEE Standard 344-1971, Guide for Seismic qualification of Class 1 Electrical Equipment for Nuclear Power Generating Station, was used as a design basis for the RPS. Compliance with this criterion is
detailed in Section 3.10.
WSES-FSAR-UNIT-37.2-377.2.2.3.5Single Failure CriterionIEEE standard 379-1972, Guide for the Application of Single Failure Criterion to Nuclear PowerGenerating Stations, was used as a design basis for the RPS. Compliance with the single failure criterion is detailed in Subsection 7.2.2.3.2.7.2.2.3.6Regulatory Guides Discussions of regulatory guides applicable to RPS are found in Subsection 7.1.2.
7.2.2.4Failure Modes and Effects AnalysisA failure modes and effects analysis for the RPS is provided in Table 7.2-5. Figure 7.2-10 shows theinterface logic diagram of the RPS. The analysis is for the protective system portion of the figure for the sensors, bistable coincidence logic, and actuating devices.
WSES-FSAR-UNIT-3 TABLE 7.2-1 Revision 14 (12/05) REACTOR PROTECTIVE SYSTEM BYPASSESTitle Function Initiated By Removed By Notes DNBR and local power power density bypass Disable low DNBR and high local power density trips Key-operated switch (1 per channel) if power is <10
-4%Automatic if power is >10%Allows lower power testing RPS/ESFAS pressurizer pressure bypass Disables low pressurizer pressure trip and SIAS Key-operated switch (1 per channel) if pressure <400
psia Automatic if pressure is >
500 psiaAllows testing at low pressure and allows depressurization below 400 psia without
initiation of undesired safeguards action High log power level bypass Disables high logarithmic power level trip Manual switch (1 per channel) if power is >10
-4%Automatic if power is <10% Bypassed during reactor startup Trip channel bypass Disables any given trip channel Manually by controlled access switch Same switch Interlocks allow only one channel for any one type trip to be bypassed at one time (DRN 04-384, R14) Reactor trip on turbine trip Disables reactor trip on turbine tripKey-operated (1 per channel) Automatic if power is >65% Additional key operated switch is provided on CP-2. This enables/disables reactor trip on turbine trip inputs to PPS. Operation is independent of reactor power (DRN 04-384, R14) Hi S/G level trip bypass Disables HI S/G level trip Key operated switch; administratively controlled accessSame switch Non-safety operating bypass allows S/G level control during startup (DRN 99-2462, R11) Reactor Coolant Flow-Low Disable low reactor coolant flow-low trip Key operated switch; administratively controlled Automatic if power level (excore) is >8.5 x 10
-5%Allows low reactor coolant flow maintenance of RTSG (DRN 99-2462, R11)
WSES-FSAR-UNIT-3 TABLE 7.2-2 Revision 307 (07/13)
REACTOR PROTECTIVE SYSTEM MONI TORED PLANT VARIABLE RANGES
Monitored Variable Minimum Nominal (full power)
Maximum Neutron flux power, % of full
power 2x10-8 100 200 (DRN 03-2061, R14)
Cold leg temperature, F 465 543 615 Hot leg temperature, F 525 601 675 DRN 03-2061, R14)
Pressurizer Pressure (narrow
range), psia 1,500 2,250 2,500 Pressurizer pressure (wide
range), psia 0 2,250 3,000 CEA positions full in NA full out (DRN 00-524, R11-A)
Reactor coolant pump speed, rpm 0 1,183 1,200 (DRN 00-524, R11-A) (DRN 8460, R307)
Steam generator water level (narrow range) 0 64.4% 100% (DRN 03-2061, R14)
Steam generator pressure, psia 0 832 1,200 DRN 03-2061, R14; EC-8460, R307)
Containment pressure wide
range (CSAS), psia 0 14.7 30 Containment pressure wide
range (CSAS), psia 0 14.7 40 Low Reactor Coolant Flow (SG
primary side differential
pressure), psid 0 32 50 WSES-FSAR-UNIT-3 TABLE 7.2-3Revision 10 (10/99)REACTOR PROTECTIVE SYSTEM SENSORSMonitored VariableTypeNumber of SensorsLocationNeutron flux powerFission Chamber12Biological ShieldCold leg temperaturePrecision RTD8Cold leg pipingHot leg temperaturePrecision RTD8Hot leg piping Pressurizer pressure (wide range)Pressure transducer4(a)PressurizerPressurizer pressure (narrow range)Pressure transducer4PressuizerCEA positionsReed switch assemblies2/CEAControl element drive mechanismReactor coolant pump speedProximity device4/pumpReactor coolant pump Steam generator levelDifferential pressuretransducer4/steam generator(a)Steam generatorsSteam generator pressurePressure transducer4/steam generator(a)Steam generatorsContainment pressurePressure transducer4(a)Containment structureSteam Generator Differential PressureDifferential PressureTransducer4Steam Generators(a)Common with engineered safety feature actuation system.
WSES-FSAR-UNIT-3 TABLE 7.2-4 Revision 307 (07/13)
REACTOR PROTECTIVE SYSTEM DESIGN MARGINS
Nominal Value Nominal Margin Type (full power) Trip Setpoint (Nominal) (d) to Trip
High logarithmic power level NA 0.257% NA
High linear power level 100% power 108% power 8% power
Low DNBR 1.79 1.26 (a) 0.53 High local power density, kW/ft 13.4(peak) 21 (a) 7.6 High pressurizer pressure, psia 2,250 2,350 100
Low pressurizer pressure, psia 2,250 1,684 (c) 566 Low steam generator water level Normal 27.4%(b) NA (DRN 05-130, R14; EC-8460, R307) Low steam generator pressure, psia 832 666 (c) 166 (DRN 05-130, R14; EC-8460, R307)
High containment pressure, psia 0 17.1 NA
Reactor Coolant Flow-Low NA >19.1 psid NA
(a) Calculated value (to be compared to setpoint) conservatively considering all sensor time delays, and processing time delays , and inaccuracies to ensure that trip occurs sufficiently prior to core safety limits. (b) % of the distance between the level instrument nozzles above the lower nozzle.
(c) Setpoint can be manually decreased as pressure is reduced and is automatically increased as pressure is increased. (d) The nominal setpoint values correspond to the equipment setpoints given in the Technical Specifications. The setpoints used in the safety analyses are given in Chapter 15 for each event and result in more severe consequences t han the equipment setpoints.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 1 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsRPS Measurement Channel, Reactor Flux (e.g. Channel A), Figure 7.2-10Ex-Core FluxMonitor (68)LowLoss of HVpower supply.
Breakdown in insulation
resistance Loss of data, erroneous data.Possible HI PWR DENS trip.
High startup channel alarm.Not annunciating.Automatic sensor validity test. 3-channel comparison.
Periodic manual test.3-channel redundancy(4th channel bypassed)channel placed intrip modeMakes reactor triplogic for HI LINPWR, HI LOG PWR,LO DNBR and HI PWR DENS 2-out-of-2
coincidence.Reactor trip logicfor HI LOG PWR, HI LIN PWR, LO DNBR and HI PWR DENS trips must be converted to1-out-of-2 by placingappropriate bistables in affected channel in the tripped state.HighDetector shorts, con-tinuous ionization.Erroneous dataAnnunciating.Pre-trip and trip HI LIN PWR alarm.
Nuclear instrument inoperative alarm.3-channel redundancy(4th channel bypassed) channel placed in trip mode.Makes reactor triplogic for HI LIN PWR, LO DNBR, and HI PWR DENS 1-out-
of-2 coincidence.
Power reduction signal (PRS) logic 1-out-of-2 coinci-
dence.Reactor trip logic forHI LOG PWR, HI LIN PWR,LO DNBR and HI PWR DENStrips must be converted to 1-out-of-2 by placing appropriate bistables in affected channel in the tripped state.Ex-Core PowerLevel (N.I.) (69)LowLoss of ampli-fier power supply. Ampli-fier failure.Loss of data. Affects localpower density (LPD) and cali-brated nuclear power calcula-tion. Possible (LPD) channeltrip. Erroneous data.Annunciating. Auto-matic sensor valid-ity test. 3-channel comparison. Periodic manual tests.Channel trips, system changes to 1/2 for HI LPD, HI LIN PWR, HI LOG PWR, DNBR.Makes reactor triplogic for HI LIN PWR, HI LOG PWR, LO DNBR and HI PWR DENS 1-out-of-2
coincidence.Operator can trip failedEX-CORE FLUX MONITOR function at the HI LOG PWR,HI LIN PWR, LO DNBR and HIPWR DENS bistable and place system in 1-out-of-2 for
these trips.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 2 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsRPS Measurement Channel, Reactor Flux (e.g. Channel A), Figure 7.2-10 (cont.)Ex-Core PowerLevel (N.I.)
(69) (cont.)HighInput failure.Amplifier failure.Possible LPD, HI Linear PWR,and HI LOG PWR channel tripsAnnunciating pre-trip and low trip HI LIN PWR alarm.
Nuclear instrument inoperative alarm.Channel trip, sys-tem changes to 1/2 for HI LPD, HI LIN PWR, HI LOG PWR, DNBR.Makes reactor tripfor HI LIN PWR, LODNBR, and HI PWRDENS 1-out-of-2.Operator can trip failedEX-CORE FLUX MONITORfunction at the HI LOG PWR, HI LIN PWR, LO DNBR and HI PWR DENS bistable and place system in 1-out-of-2 for these trips. Measurement Channel, Core Protection Calculators, Channel A (Typical), Figure 7.2-10 Core OutletTemperature T hot (80)LowPower supplyfailure. RTDbridge networkfailure.Reduces T power.Annunciating. Auto-matic sensor validity test. 3-channelcomparison. Plan computer monitor and alarm. Periodic test.3-channel redundancy.(4th channel bypassed)
Channel in tripped mode.Reactor trip logicfor LO DNBR and HI PWR DENS is con-
verted to 1-out-of-2.Calculated values of DNBcalibrated nuclear power and local power density (LPD) will change. System
can be converted to 1-out-of-2 logic for thoseaffected trip functions by the operator.HighRTD opens ornetwork fail-
ure.Increases T power. Possiblechannel trips (DNBR, LPD).Annunciating.Reactor trip logicfor LO DNBR and HI PWR DENS is con-
verted to 1-out-of-
2.Core InletTemperature T cold (82)One spur-ious low.Power supplyfailure. RTDbridge networkfailure.Increases T power. Possiblechannel trips (DNBR, LPD).Annunciating. Auto-matic sensor validity
test. 3-channelcomparison monitorand alarm. Periodic
test.3-channel redundancy.(4th channel bypassed)
Channel in tripped mode.Reactor trip logicfor LO DNBR and HI PWR DENS is con-
verted to 1-out-of-
2.System can be converted to1-out-of-2 logic for those affected trip functions by
the operator.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 3 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects Measurement Channel, Core Protection Calculators, Channel A (Typical), Figure 7.2-10 (cont.)Core InletTemperature Tcold (82)
(cont.)One spur-ious high hRTD opens net-work failure.Decrease in T power.Annunciating.Reactor trip logicfor LO DNBR and HI PWR DENS is con-
verted to 1-out-of
2.Reactor CoolantPump Flow (84)One spuri-ous loss of
trans-missionPower supplyor pulse am-plifier failure.
Mech-anical damage
to sensor.Loss of data. LO DNBR channeltrip possible.Annunciating. Plantcomputer monitor and alarm. Trip
status indication.3-channel redundancy.(4th channel bypassed) channel in tripped mode.Reactor trip logicfor LO DNBR is con-
verted to 1-out-of-
2.Sensor transmits pulses.Pulse rate related to flow.
Operator can convert system to 1-out-of-2 trip logic for LO DNBR. Measurement Channel, CEA Position Transmitters, Figure 7.2-10Non-target CEAPosition (149)LowShorted resis-tor, power supply mal-function.Erroneous data input to oneCEA calculator.Annunciation, auto-matic sensor validity test. CEA deviation.A penalty factoris initiated in the CPC's (operat-ing temperaturemargins reduced).One CEA calculator willshow CEA deviation to all CPC calculations. Possible reactor trip will occur.HighShorted resis-tor, powersupply mal-function.Erroneous data input to oneCEA calculator.Annunciation, auto-matic sensor valid-ity test. CEA devia-tion.Other than actual positionShorted resis-tors, shorted reed switches, power supply malfunction.Erroneous data input to oneCEA calculator.Annunciation. Auto-matic sensor valid-ity test. CEA devia-tion.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 4 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects Measurement Channel, CEA Position Transmitters, Figure 7.2-10 (cont.)Non-tareget CEAPosition (149)
(cont.)Off scaleBroke wire,open resistor, electrical short, power supply mal-function.Loss of data.Annunciation, auto-matic sensor validity
test.Target CEAPosition (87)LowShorted resis-tor, power supply mal-function.Erroneous data input effectsDNBR and LPD calculation.Annunciation, auto-matic sensor validity
test. 3-channel comparison.Makes reactor triplogic for LO DNBR and HI PWR DENS
1-out-of-2.Possible trip in onesafety channel. Trip affected will show CEA deviation.HighShorted resis-tor, power supply mal-function.Erroneous data input to CPCcalculator, and (one) CEA calculator.Annunciation, auto-matic sensor validity test. CEA deviation.
Other than actualposi-tionShorted resis-tor, shortedreed switches,power supply malfunction.Erroneous data input to CPC'sand (one) CEA calculator.Annunciation, auto-matic sensor valid-ity test. CEA devia-tion.Makes reactor triplogicPossible trip in onesafety channel. Trip affected will show CEA deviation Off scaleBroke wire,open resistor, electrical short, power supply mal-function.Loss of data.Annunciation, auto-matic sensor validity test. CEA deviation.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 5 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects Measurement Channel, Core Protection Calculator, Figure 7.2-10Control ElementAssembly Calcu-lator (88)No data output Loss of acpower, input/
output failure.
Data linkfailure.
Arithmetic, logic or memory failure.Loss of CEA position display.Annunciating alarmon CPC operator's module.Loss of CEA positiondisplay from failedCEAC watchdog timer.Possible DNBR orLPD trip.Erroneous data outputCEA positionsensor fail-ure, input/
output failure
Data link failure.
Arithmetic, logic ormemory failure.Erroneous calculated values.Possible DNBR or LPD trip.Annunciating alarmon CPC operator'smodule. Comparison of CEA position displays.With other channel inbypass state, CPC applies penalty factor of largestpossible outputfrom CEAC.Possible DNBR orLPD trip.Core ProtectionCalculator (89)TrippedLoss of acpower. Input/
output failure Arithmetic,logic, or mem-ory failure.
Sensor failure.Loss of control board displays.Annunciating PPSalarm on channel trip. Three channel comparisons. Annun-ciating watchdog timer.3-channel redundancy.4th channel bypassed.Reactor trip logicfor DNBR, LPD andCWP is converted to
1-out-of-2.Computer shuts down in or-derly sequence upon loss ofac power and resumes normal operation when power is
restored.System is converted to 1-out-of-2 logic for DNBR, LPD and CWP.Stays inuntripped stateInput/outputfailure.Arithmetic,logic, or mem-ory failure.
Sensor failureErroneous calculated results.3-channel compari-sons. Annunciating watchdog timer.3-channel redundancy.Trip channel bypass.Reactor trip logicfor DNBR, LPD and CWP is on coinci-
dence of 2-out-of-2 remaining channels.Computer shuts down in or-derly sequence upon loss of ac power and resumes normal operation when power is
restored.System must be converted by operator to 1-out-of-2 logic for DNBR,LPD,and CWP.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 6 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsMeasurement Channel, Steam Generator Water Level, (e.g., Channel A), Figure 7.2-10SG No. 2Level Signal
(51)SG No. 1Level Signal
(55)Off (low signal level)Sensor fail-ure,dc power supply fail; open circuit.Low steam generator water level signal to channel bist-able. Low level bistable (B/S) changes logic state and trips channel for steam generator.
High level (B/S) will not tripwhen required.Annunciating; pre-trip and trip alarms on low steam generator water level.3-channel redundancyfor HI SG level trip and LO SG level trip (4th channel bypassed).Reactor trip andEFAS logic for
affected steam generator low water level is converted
to 1-out-of-2 and reactor trip and ESFAS logic foraffected SG LOlevel trip is con-
verted to 2-out-of-
2 coincident.
Operator can convert theHI SG level trip and ESFAS logic for the affected SG to 1-out-of-2 by placingthe affected channel inthe tripped state.
On (high signal level)Sensor fail-ure, component failure.High steam generator water level signal to channel bist-able. Low level B/S will not trip when required. High level B/S changes state and trips channel for affected SG.Annunciatingp;pre-trip and tripalarms on HI water level signal.3-channel redundancy.For high and low SG level trips (4thchannel bypassed).Reactor trip andEFAS logic for
affected steamgenerator highwater level is con-
verted to 1-out-of-
- 2. The reactor trip and ESFAS logic for the affected SG low level trip is con-
verted to 2-out-of
2 coincident.
Operator can convert thelow SG level trip logic for the affected SG to 1-out-of-2 by placing the affected channel in the tripped state.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 7 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsMeasurment Channel Pressurizer (wide range) Channel A (Typical), Figure 7.2-10Wide rangePZR pressure (press) signal
(61)One fails"on" (High
pressure signal level).Sensor fail- ure,component failure.High PZR press signal to: LOPZR PRESS B/S. LO PZR PRESS B/Sdoes not trip for a bonafidecondition.Periodic test; 4channel comparison.3-channel redundancy.(4th channel bypassed)Reactor trip logicfor LO PZR PRESS is
converted to 2-out-of-2 coincidence and CIAS, SIAS logic LO PZR PRESS 2-out-of-2 coincidence. CSAS logic is converted
to 2-out-of-2 LO PZR PRESS and 2-
out-of-3 HI-HI CONT
PRESS.Back-up for SIAS is thecontainment pressuremeasurement channel.
Operator must convert reactor trip logic for LO PZR PRESS to 1-out-of-2 by placing affected channel in the tripped
state.One fails"off". (Low
pressure signal level).Sensor fail- ure;dc power supply fail; open circuit.Low PZR press signal to LO PZR PRESS B/S. Bistable changes logic state and initiates channel trip.Annunciating; pre-trip and trip alarms in channel.3-channel redundancy.(4th channel bypassed).Reactor trip logicfor LO PZR PRESS is
converted to 1-out-
of-2 coincidence, and CIAS, SIAS logic LO PZR PRESS 1-out-of-2 coincidence.CSAS logic is con-
verted to 1-out-of-2 LO PZR PRESS and 2-out-of-3 HI-HI CONT PRESS.Measurement Channel, Pressurizer (PZR) (narrow range), Figure 7.2-10PZR NarrowRange Pressure(PRESS) Signal
(91)On (High pressure signallevel).Sensor fail-ure, componentfailure.High PZR press signal to HIPZR PRESS B/S and calculator.HI PZR PRESS B/S will changelogic state and initiate channel trip.Annunciating; pre-trip and trip alarms in HI PZR PRESS channel.3-channel redundancy.(4th channel bypassed).Reactor trip logicfor LO DNBR is con-
verted to 2-out-of-2 coincidenced, and 1-out-of-2 coinci-dence for HI PZRPRESS. CWPbecomes 1-out-of-2 coinci-dence for HI PZR
PRESS.Operator must convert LODNBR trip logic to 1-out-of-2 by placing the affected LO PZR PRESS B/S in the tripped state.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 8 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsMeasurement Channel, Pressurizer (PZR) (narrow range), Figure 7.2-10 (cont.)PZR NarrowRange Pressure (PRESS) Signal
(91) (cont.)
Off (Low pressure signallevel).Sensor fail-ure; dc power supply fail;open circuitl.LO PZR PRESS B/S will decreaseDNBR margin and initiate LO DNBR channel trip. HI PZR PRESSB/S will not trip for bonafidecondition.Annunciating; pre-trip and trip alarms in LO DNBR channel.3-channel redundancy.Trip channel bypass.
(4th channel bypassed).Reactor trip logicfor LO DNBR is con-
verted to 1-out-of-2 coincidence, and for HI PZR PRESS 2-out-of-2 coinci-dence.CWP logic becomes 2-out-of-2 coincidence for this parameter.Operator must convert HIPZR PRESS trip logic and CWP logic to 1-out-of-2 by placing affected HI PZR PRESS B/S in the tripped state.Measurement Channel Steam Generator (SG) Pressure Channel A, (Typical), Figure 7.2-10S/G PressureSignal No. 2 (27)S/G PressureSignal No. 1
(42)One spuri-ous off, (Low signal level).Sensor fail-ure; dc power supply fail;p open circuit.Low steam generator pressuresignal to SG low pressure (LO PRESS) bistable (B/S) in RPS and ESFS channels, SG Low Pres-sure, SG-1>SG-2, and SG-2>SG-1 B/S's. B/S's change their logicstate and initiates channeltrip in SG LO PRESS for reactor TRIP, MSIS actuation and EFAS.Annunciating;pre-trip and trip alarms on low steam
generator pressure.3-channel redundancy.2-steam generators.
Trip channels bypassed if less than SG press.
Pretrip setpoint.Reactor trip logicfor steam generator steam pressurelevel is converted to 1-out-of-2.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 9 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsMeasurement Channel Steam Generator (SG) Pressure Channel A, (Typical), Figure 7.2-10 (cont.)S/G PressureSignal No. 2
(27)S/G PressureSignal No. 1
(42) (cont.)One spuri-ous on, (High sig- nal level).Sensor fails;component failureHigh steam generator pressure signal to SG LO PRESS, SG-1>SG-2, and SG-2>SG-1 B/S's in RPS and ESFS. SG-2>SG-1 or SG-1>SG-2 B/S will change logic status and channel will tripwhen a bonafide low pressurecondition exists in affected steam generator.Annunciating; peri-odic test. 3-chan-nel comparison.3-channel redundancy.2-steam generators.Reactor TRIP, MSISand EFAS logic for low steam generator steam pressure is
converted to 1-out-
of-2 coincidence for considered steam generator. Systemwill operate on non-failed SG pressure.Measurement Channels, Containment Pressure Signal, Figure 7.2-10ContainmentPressure Signal (6)ON (goeshigh)Componentfailure.High CONT PRESS signal to: HICONT PRESS bistable in RPS channel, and HI CONT PRESS B/S's in ESFS channels. B/S's change their logic state, and initiate channel trip for highcontainment pressure for RPSTRIP, CIAS, SIAS, and MSIS actuations. High containment
pressure channel trip for CSAS, HI-HI CONT PRESS trip still required.Annunciating;pre-trip and trip, and alarm-on highcontainment pressureESF channel indica-tion.3-channel redundancy.(4th channel bypassed).Reactor trip logicfor high contain-ment pressure is
converted to 1-out-of-2 and CIAS, SIAS, AND MSIS logic forhigh containment pressure 1-out-of-2.
CSAS logic is con-
verted to 1-out-of-2 HI CONT PRESS
and 2-out-of-3 HI-HI CONT PRESS.
Reactor trip logic forhigh containment pressure and CIAS, SIAS, and MSISlogic for high containmentpressure must be converted to 1-out-of-2 by placing the affected B/S's in the tripped state.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 10 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsMeasurement Channels, Containment Pressure Signal, Figure 7.2-10 (cont.)ContainmentPressure Signal
(6)
(cont.)OFF (goeslow)Componentfailure.Low CONT PRESS signal to: HICONT PRESS B/S in RPS channel, and HI CONT PRESS B/S's inESFSchannels. B/S's in channel do not change their logic state and trip for bonafide high containment condition.Not annunciating;periodic test.
3-channel comparison.3-channel redundancy.(4th channel bypassed).Reactor trip logicfor high containment pressure is convert-
ed to 2-out-of-2 coincidence and CIAS, SIAS and MSISlogic for high con-tainment pressure 2-out-of-2 coinci-
dence. CSAS logic is
converted to 2-out-of-2 HI CONT PRESS and 2-out-of-3 HI-HI CONT PRESS.ContainmentPressureSignal (221)ON (goeshigh)Componentfailure.High containment pressuresignal to HI-HI CONT PRESS B/Sin ESFS channel. B/S changes state and partially trips
CSAS channel.Pre-trip alarmannunciated, HI-HI CONT PRESS.3-channel redundancy.(4th channel bypassed).CSAS actuation logicbecomes 1-out-of-2 HI-HI CONT PRESS
and 2-out-of-3 LO PZRPRESS or HI CONT PRESS>OFF (goeslow)Componentfailure.Low containment pressure signalto one HI-HI CONT PRESS B/S, B/S will not change logic state for valid HI-HI CONT PRESS condition.Not annunciating.Detectable byperiodic PPS test.3-channel redundancy.
(4th channelbypassed).CSAS actuation logicbecomes 2-out-of-2coincidence HI-HICONT PRESS and 2-out-of-3 LO PZR PRESS or HI CONT
PRESS.When failure is detected,CSAS actuation logic must
be converted to 1-out-of-2 HI-HI CONT PRESS and 2-out-of-3 LO PZR PRESS or HI CONT PRESS by manuallytripping affected HI-HICONT PRESS B/S.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 11 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsMeasurement Channel, Refueling Water Tank (RWT) Level, Figure 7.2-10RWT LevelSignal (1)
Off (goeslow)Failed sensor;dc power supply failsLow RWT level signal to REFUELTANK LO LEVEL bistable in ESFS channel. Bistable changes logicstate and initiates channeltrip for RAS acutation in ESFS.Annunciating; pre-trip and trip PPS alarms.3-channel redundancy.
(4th channel bypassed).Makes RAS logic forlow refueling water level 1-out-of-2.Operator must convert RASlogic for refueling water tank level to 1-out-of-2 by placing the B/S in the tripped state.
On (goeshigh)Sensor fails;component failure.High RWT level signal to REFUELTANK LO LEVEL bistable in ESFS channel. Bistable will not change logic state in RAS chan-nel when bonafide low RWT level condition exists.Not annunciating,periodic test,3-channel comparison.3-channel redundancy.Makes RAS logic forlow refueling watertank level 2-out-of-2 coincidence.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 12 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypass (RPS), Low Pressurizer Pressure Trip, Channel (Typical), Figure 7.2-10Manual BypassPZR PRESS (59)OFFComponentFailureUnable to bypass LO PZR PRESSB/S in channel for power levels
less than 10
-4%, B/S in channelwill change logic state for lowpressurizer pressure during
start-up.Annunciating; bypasslight not lit for channel. Channel trip during start-up, pre-trip and trip PPS alarms.3-channel redundancy.(4th channel bypassed).Reactor SIAS, CIAS and CSAS trip logic for LO PZR PRESS is
converted to 1-out-of-2 during startup For CSAS a 2-out-of-3 HI-HI CONT PRESS is also required.Operator must convertSIAS, CIAS, and CSAS triplogic for LO PZR PRESS to 1-out-of-2 by placing B/S in tripped state.ONComponentshort to power supply.LO PZR PRESS B/S in permanentbypass for all pressure levels.
B/S will not change logic state for low pressurizer pressure conditions, and channel A will not trip for bonafide pressure
signal.Bypass light is litfor channel and by-
pass is plantannunciated.3-channel redundancy.(4th channel bypassed).Reactor SIAS, CIAS, and CSAS trip logic for LO PZR PRESSduring start-up andnormal operation 2-out-of-2 coincidence For CSAS a 2-out-of-3 HI-HI CONT PRESS is also required.Bypass Low PZR Pressure Trip Channel A (Typical), Figure 7.2-11PressurizerPressure Auxiliary BistableChannel AHigh (Out-put relays energized)Amplifierwithin bistable
failsLow pressurizer pressure tripbypass will be automatically removed once pressurizer pres-sure reaches the preset value.Periodic PPS testing.3-channel redundancy.(4th channel bypassed).Once a bypass isplaced on the bistable, it will not be automatically removed.If bypass is manually removed,system will function normally.Low (Inputrelays de-energized)Amplifierwithin bistable
fails, Opto-isolator failsThe low pressurizer pressuretrip cannot be bypassed in channel
A.Periodic PPS testin orwhen attempting to initiate bypass.3-channel redundancy.(4th channel bypassed).During a conditionof low pressurizer pressur, the bi-stable will be tripped in
that channel regardless of the position of the bypass switch.The other channels are unaffected.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 13 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypass Low PZR Pressure Trip Channel A (Typical), Figure 7.2-11 (cont.)AK21Coil openSustainedovervoltage.The low pressurizer pressuretrip cannot be bypassed in channel
A.Periodic PPS testing orwhen attempting to initiate bypass.During a condition oflow pressurizer pressure, the bist-able will be tripped in that channel regardless of the position of the bypass switch.The other channels are unaffected.Coil shortDeterioration of insulationAttempting to bypass low pres-surizer pressure under condi-tion of low pressure will place a severe load on the relay driver.Under this abnormal load the relaydriver may fail.
If the driver gfails short, the results will be the same as those listed for failure of channel A auxiliary logic power supply. See dc power distribution.If the driver fails open, the resultswill be the same as those listed for an open relay coil.AK21Contact in relay
latching circuitOpenDeterioration of contact.Low pressurizer pressure cannot bebypassed in channel A.Periodic PPS testing orwhen attempting to initiate a bypass on this function.During a condition oflow pressurizer pressure, the bistable will be tripped.LP PZR PRESS trip logis is 1-out-of-2 (4th channel bypassed).
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 14 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypass Low PZR Pressure Trip Channel A (Typical), Figure 7.2-11 (cont.)AK21Contact in relay
latching circuitShortWelded contactBypass wil not lock out auto-matically.Periodic PPS testing.Bypass annunciating.B/S remains by-passed above 400 lb/in.2a unlessmanually removed.LO PZR PRESS trip logic willbe 2-out-of-2 until bypass manually removed.(4th channel bypassed).Low PZRpressure trip bypass switch contact bypass circuitContact shortsMechanicalfailure.Trip automatically - Low pressurizerpressure bypassed in the affectedchannel when PZR PRESS AUX B/S setpoint permits bypass condition.Periodic PPS testing.Bypass condition before manual action.During a condition oflow perssurizer pressure, the bistablewill be bypassed.If a bypass is required, theother two channels may be byhpassed as they areunaffected by the fault. (4thchannel bypassed).Contact openMechanicalfailure.Bypass transistor will not switch"on". Low PZR PRESS trip will not be bypassed when desired.Unable to bypass.Status light not lit.Redundant channel.TripThe low pressurizer pressurebypass circuits in the other two channels are unaffected and will respond properly. (4th channel bypassed).ContactNormalContact shortsMechanicalfailure.Bypass transistor remains "off"and bypass condition will not latch on.Status light not lit.Redundant channel.TripOperator would have to holdbypass switch in BYPASSposition to maintain bypass inthis channel.Contact openMechanicalfailure.Bypass transistor cannot switch "off"manually.Unable to manuallyremove bypass, status light statys lit.Redundant channel.,NoneFunction of circuit is notimpaired, nuisance.AK22CoilOpenSustainedovervoltage.Low pressurizer pressure trip bypassfor the affected channel will not be activated when demanded.Periodic PPS testing,status light not lit.Redundant channel.No bypass.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 15 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypass Low PZR Pressure Trip Channel A (Typical), Figure 7.2-11 (cont.)AK22Coil (cont.)ShortDeterioration ofInsulationAttempting to bypass low pres-surizer pressure under condi-tions of low pressue will place a severe load on the relay driver. Withthis abnormal load, the relay drivermay fail. If the driver fails short, the results will be the same as those listed for an open relay coil Contact in latchcircuitContact shortsMechanicalfailure.Bypass transistor will remain latched"ON" after bypass switch is turned to "NORMAL". LO PZR PRESS trip will be bypassed.Unable to unlatchtransistor manually, status light lit.Redundant channel.B/S will remain by-passed above 400 lb/in.2 a.LO PZR PRESS trip logic goes to 2-out-of-2. (4th channel bypassed).Contact openMechanicalfailure.Unable to latch bypass transis-tor "ON"; LO PZR PRESS B/S will not bypass.Status light not lit.Redundant channel.Trip Contact inannunciator circuitContact short OpenMechanicalFailure.Annunciator and status light activated.No annunciation.AlarmNo status indication.Redundant channel.NuisanceNoneManual HighPower (70) High Log Power Permissive (71)OFFComponentfailure.Unable to bypass High Log PowerB/S in channel for power levels greater than 10-4%, B/S in channel will change logic state for high log power conditions during startup and power operations.Annunciating; bypasslight not lit for channel.
Channel A trip duringstartup, pre-trip and tripPPS alarms.3-channel redundancy.(4th channel bypassed).
Reactor trip logic forHigh Log power is
converted to 1-out-of-2
coinci-dence during start-
up.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 16 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypass (RPS) High Log Power Trip Channel A (Typical), Figure 7.2-10 (cont.)Manual HighPower (70)
High Log Power Permis-sive (71)(cont.)ONComponentshort to power supply.High Log Power B/S for ChannelA in permanent bypass for all power levels, B/S will not change logic state for high log power level changes, and chan-nel A will not trip for bonafide condition.Bypass light is litfor channel and bypass is plant annunciated.Light is lit for channel andbypass is plant annunciated. 3-channel redundancy.
(4th channel bypassed).Reactor trip logicfor High Log powerduring startup and normal operastion is
converted to 2-out-
of-2 coincidence.Operator must convert reactortrip logic for High Log power to 1-out-of-2 by placing the affected B/S in the tripped state.Bypass (RPS) High Log Power Trip Channel A (Typical), Figure 7.2-10 (cont.)OperatingBypass (230)OFFComponentfailure.Unable to automatically bypassCWP feature in channel whenpower level is less than 10
-4%F.P. Affected channel (e.g., A) will change logic state during startup operation.Channel CWP alarm.3-channel redundancy.(4th channel bypassed).CWP logic is con-verted to 1-out-of-2 coincidence during startup operations or when power level is less than 10
-4% F.P.RPS trip feature is not affected.May cause nuisances. Rod withdrawal prohibit during startup if two CWP bypasses
fail.CWP Permis-sive (231)ONComponent short.Automatic CWP bypass feature (forpowsr levels less than 10-4%, F.P.) for channel(e.g., A) is in permanent bypass for all power levels. This channel will
not auto-matically respond to a CWP when condition in the channel requires it.Bypass light plantannunciation.3-channel redundancy.(4th channel bypassed).Automatic CWP logicis converted to 2-out-
of-2 coinci-dence logic during startup operation orwhen power level is less than 10
-4% F.P.RPS trip feature is not affected.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 17 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypasses, High Log Power Trip, Channel A (Typical), Figure 7.2-11Bypass RelayAK26Coil openSustainedovervoltage.The CPC constantly receives aninput which is indicative that the power level is greater than
10-4% of full power.Periodic PPS testing.DNBR trip cannot bebypassed at the CPC operator's module.Coil shortDeterioration of insulationShorted coil will cause auxil-iary logic power supply voltage to be reduced to approximately zero when the power level is below 10-4% of full power. TheCPC constantly receives an input which is indicative that the power level is greater than 10
-4% of fullpower.Contact toCPC short.Welded contactThe fact that power has exceeded 10-4% of full power isnot transmitted to the CPC in the affected channel.Periodic PPS testing.DNBR trip can bebypassed at the operator's module of the CPC even at power levels in excess
of 10-4% of full power.DNBR trip logic will go to2-out-of-2 if DNBR tripbypassed at operator's moduleof CPC (4th channel assumed to be bypassed at B/S).
Contact toCPC openDeterioration of contact.The CPC receives a signal whichconstantly indicates that the power level is greater than
10-4% of full power.Periodic PPS testing.DNBR trip cannot bebypassed at the CPC operator's module in the affected channel.Bypass RelayAK27Coil openSustainedovervoltage.High Log power trip bypass can-not be obtained in channel A.Whenever a bypass ofHigh Log power isattempted in the affected channel. Periodic PPS testing.Bistable will be trippedwhen the power level exceeds 1 to 2% full power.The other three channels are unaffected and can be bypassed. Bypassing the other 3 channels precludes a trip caused by high log power as a coincidence of at least twochannels is required to producea trip.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 18 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypasses, High Log Power Trip, Channel A (Typical), Figure 7.2-11 (cont.)Bypass RelayAK27 (cont.)Coil shortShorted coil will cause auxil-iary logic power supply voltage to be reduced to approximately zero when the power level exceeds 10
-4% fullpower.N.O. con-tactin bistable by-pass circuit
shortWelded contactHigh Log power trip is continu-ously bypassed in the affected channel regardless of power level.Periodic PPS testing.Bistable is contin-ually bypassed.System becomes 2-out-of-2 forthis parameter. (4th channel bypassed).
N.O. con-tact inbistable bypass cir-cuit openDeterioration of contactThe High Log power trip bypassOFF indicator will go off when the bypass switch is depressed and the power level is less than 10
-4% fullpower.Periodic PPS testing.NoneSafety function not impaired.
N.C. con-tact in annunciator
circuit shortWelded contactThe plant annunciator will notannunciate when power in the channel has exceeded 10
-4% fullpower and there is no bypass.Periodic PPS testing.The Operator will notbe made aware of the fact that a bypass can be placed on High Log power for this channel.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 19 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypasses, High Log Power Trip, Channel A (Typical), Figure 7.2-11 (cont.)Bypass RelayAK27 (cont.)
N.O. con-tact in the annunciator
openDeterioration of contactThe plant annunciator willannunciate High Log power level bypass permissive even when thepower level is below 10
-4% fullpower.Periodic PPS testingNoneSafety function not impaired.High Log PowerLevel Manual Bypass SwitchSolenoid openMechanicalfailure of wire, sus-tained over-voltageHigh Log power level trip bypasspushbutton will not latch in the on position.Placing a bypass on thefunction in the affected channel.High Log power leveltrip bypass can only be obtained by holding in the push-button. Release of the pushbutton will allow the bistable to betripped.Bypassing of the function in theother three channels will prevent the system from tripping due to high log power.Solenoid shortDeterioration ofinsulationAttempt to bypass High Log powerlevel trip in the affec-ted channel will cause the out-put of the auxiliary logic power supply to be reduced to approximately zero volts. Release of pushbutton will restore the output of the supply.Placing a bypass on thefunction.High Log power leveltrip bypass cannot beobtained in thechannel. While the bypass is being attempted, the auxiliary logic supply output will be reduced to zero (See DC Power Dis-tribution Failure of Auxiliary Power Supply).N.O. con-tact in trip
bist-able cir-cuit
openMechanical failure, contact deterioration.,High Log power level trip bypasscannot be obtained in affected channel.Placing a bypass on thefunction.Bistable will be trippedwhen the power level exceeds 1 to 2% full power.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 20 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypasses, High Log Power Trip, Channel A (Typical), Figure 7.2-11 (cont.)High Log PowerLevel Manual Bypass Switch (cont.)N.O. con-tactin trip bist-able cir-cuit shortedMechanicalfailure, welded
contactBypass of the function will beautomatic when the power level exceeds 10
-4% full power.Periodic PPS testing.Bistable will beautomatically by-passed when powerlevel exceeds 10
-4%full power.High Log power trip logic will go to 2-out-of-2. (4th channel bypassed).
N.O. con-tact to pre-
trip bistable openDeterioration of contact, mechanical failure.The pre-trip bistable for highlog power can be tripped even in the presence of a bypass.Pre-trip is annun-ciated on the plant annunciator.NoneSafety function of ckt is notimpaired.N.O. con-tact to pre-trip in the
closed positionWelded con-tact, mechan-ical failure.The pre-trip bistable for high logpower cannot be tripped.Periodic PPS testing.Pre-trip circuit isineffective.The operator will not be madeaware that a trip of the high log power bistable is being
approached.Bypass (RPS), LO DNBR & Hi Pwr Density, Channel A (Typical), Figure 7.2-11Manual Bypass (221)OFFComponentfailure.Unable to bypass LO DNBR or HIPWR density in channel for power
level less than 10
-4% F.P. affectedchannel (e.g.,A) will change logic state during startup operation.Channel trip duringstartup annunciating.3-channel redundancy.(4th channel bypassed).
Reactor trip logic forLO DNBR or HI PWR density is con-verted to 1-out-of-2 coincidence during startup.ONComponent shortLO DNBR or HI PWR density bist-ables for channel A in perma-nent bypass for all power levels, and bistable will not change logic statefor bonafide signal.Bypass light plantannunciator.3-channel redundancy.(4th channel bypassed).
Reactor trip logic forLO DNBR or HI PWR density is con-
verted to 2-out-of-2
coincidence logic.LO DNBR and HI PWR densitytrip logic can be converted to 1-out-of-2 by manually tripping B/S's in affected channel.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 21 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypasses, Bistable, Channel A (Typical), Figure 7.2-11Bypass RelayContact AXKB6-7 or ASKI-4Contact openDeterioration of contact.Bypass of the affected function willnot be indicated on the bistable trip annunciator or on the PPS remotecontrol module.Periodic testing or whenbypassing during operation.No operational effectupon logic matrices.Contact used for annunciationonly. System safety function not impaired.Contact shortWelded contactA bypass will be continuouslyindicted on the bistable trip annunciator panel and the PPS remote control module.Periodic testing ornoticing one of the bypass lights.No operational effectupon logic matrices.Contact used for annunciationonly. System safety functioon not impaired.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 22 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypasses, Bistable, Channel A (Typical), Figure 7.2-11 (cont.)BypassASKA6-5 AXK1-5Contact openDeterioration of contactPlant annunciator will indicate abypass condition on a bistable in channel A even if no bypass is present.Bypass will beannunciated on plant annunciator.No operational effectupon logic matrices.Contact used for annunciationonly.Contact shortWelded contactPlant annunciator will not indicate abypass when Bistable 1 is bypassed in channel A.Periodic PPS testing.No operational effectupon logic matrices.Contact used for annunciationonly.Bypass RelayCoil AXKA6(ASKB6)OpenSustainedovervoltage,Mechanical failure.Bistable 6 in channel A cannot bebypassed for the RPS (ESF)function.Periodic PPS testing.If the bistable istripped, the system is converted to 1-out-of-3 for the affected parameter to
produce a reactor (ESF) trip.The ESF (RPS) function notaffected as a different relay is used to bypass the bistable contacts used in the ESF (RPS) matrices.ShortDeterioration ofinsulationNo symptoms until an attempt ismade to bypass Bistable 6 in channel A. Inserting the bypass will force the supply voltage down and cause all bypasses in channel A tobe removed.Periodic PPS testing orwhen attempting to bypass the bistableIf the bypass isattempted, it will result in the loss of all bypass capability for that channel.If that particular bypass is notattempted, there will be noeffect upon the other bypass circuits in that channel.Bypass SwitchAXS-1Contact S1or BXS-1 Contact S2 or CXS-1 Contact S3 or DXS-1 Contact S4The nor-mally off postionWelded con-tact, mechanical failure.It will not be possible to by-pass Bistable 1 in the channel.Periodic PPS testing orwhen attempting to bypass bistable 1 in the channel.If the bistable istripped, the system is
converted to 1-out-of-3 logic for the affected function and cannot be made 2-out-of-3 by bypassing.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 23 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypasses, Bistable, Channel A (Typical), Figure 7.2-11 (cont'd.)Bypass SwitchAXS-1 Contact S1 or BXS-1Contact S2or CXS-1 Contact S3 or DXS-1 Contact S4 (cont.)The nor-mally on positionWelded con-tact, mechanical failure.Bistable 1 in the channel will bebypassed regardless of the position of the switch.Bypass is annunciatedon the plant annunciator.System will be 2-out-of-3 for that function.It is possible to bypass the 2bistable in any one of the other channels simply by engaging the appropriate bypass switch.
Engaging the switch willremove the bypass from thechannel and will place it in the desired channel.Bypass SwitchAXS-1 ContactNormally onpositionMechanicalfailure.Bistable 1 will be bypassed inchannel A. If an attempt is made tobypass bistable 1 in another channel, neither bist-able will be bypassed.Bypass annunciated onplant annunciator.Actuation is depen-dent on a 2-out-of-3 coincidence for the affected parameter.Normally offpositionMechanicalfailureIt will not be possible to bypassbistable 1 in channel A.Periodic PPS testing.During testing of thebistable or failure in the trip condition, the system becomes any
one of three for the affected parameter.Bypass SwitchBXS-1 or CXS-1 orDXS-1Contact S1Normally offpositionWelded con-tact, mechani-cal failure.A bypass on bistable 1 in theaffected channel will override a bypass placed in the system by the affected switch.Periodic PPS testing.No effect upon nor-mal system opera-tion, i.e., only one of
the four affected bistables can be bypassed at one time.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 24 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBypasses, Bistable, Channel A (Typical), Figure 7.2-11 (cont'd)AXS-1 orBXS-1 or DXS-1 Contact S2AXS-1 orBXS-1 or DXS-1 Contact S3AXS-1 orBXS-1 or CXS-1 or Contact S4Normally onpositionWelded con-tact, mechani-cal failure.It will not be possible to bypassbistable 1 in the affected channel.Periodic PPS testing orwhen attempting to bypass bistable 1 in the affected channel.If the bistable istripped, the system becomes any one of
three for the affected function and cannot be made 2-out-of-3 by bypassing.Bypass RelayCoil AXK-1OpenSustainedovervoltageBistable 1 in channel A cannot bebypassed.Periodic PPS testing orwhen attempting tobypass the bistable.If the bistable istripped, the systembecomes any 1-out-of-3 logic for the affected function, and cannot be made
2-out-of-3 by bypassing.ShortDeterioration ofinsulationNo symptoms until an attempt ismade to bypass bistable 1 in channel A. Inserting the by-pass will force the supplyvoltage down and cause allbypasses in channel A to be removed.Periodic PPS testing orwhen attempting to bypass the bistable.If the bypass isattempted, it will result in the loss of all bypass
capa-bility for that channel.If that particular bypass is notattempted, there will be noeffect upon the other bypass
circuits in that channel.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 25 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBistables, RPS Trip, EFAS, and PPS Alarm, Channel A (Typical), Figure 7.2-10HI CONTPRESS (24)
SG-2>SG-1 PRESS (39)SG-1>SG-2PRESS (48)SG-2 LO LVL (52)Off (goeslow)Open circuit,dc power supply failureBistable relays in RPS channel logicdeenergize, and a portion of the 2-out-of-4 coincidence changes logic state. Channel trip occurs in both pre-trip and trip circuits.Annunciating; pre-trip, trip PPS alarms.3-channel redundancy.(4th channel bypassed).Reactor trip logic is converted to 1-out-of-2 coinci-dence for like parameters.SG-1 LO LVL (59)HI LIN PWR (72)HI LOG PWR (75)LO DNBR (92)
HI PWR DENS (96)SG-2 HI LVL (134)SG-1 HI LVL:
(135)On (goeshigh)Componentfailure, driftsetpoint notadjusted.Bistable relays in RPS channelremain energized, and channel A isinoperative. Channel will not trip forbona fide pre-trip and trip signal.Not annunciating.Periodic test. Set-pointreadout from plantcomputer.3-chanel redundancy. (4thchannel bypassed).Reactor trip logic is converted to 2-out-of-2 coinci-dence for likeparameters.Reactor trip logic must be converted to 1-out-of-2 by manually tripping affected B/S
if possible.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 26 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBistables, RAS, Channel A (Typical), Figure 7.2-10Refueling TankLO Level (2)
Off (goeslow)Open circuit, dcpower supply failureBistable relays in ESFS channellogic deenergizes, and "A" portion of the 2-out-of-4 coincidence changes logic state. Channel trip occurs inRPS logics.Annunciation; pre-trip,trip PPS alarm.3-channel redundancy.(4th channel bypassed).Converts ESFS RASlogic to 1-out-of-2
coincidence.
On (goeshigh)Componentfailure. Set-point driftBistable relays in ESFS chan-nels remain energized for chan-els A conditions. Channel trip will not occur for RAS circuit for bona fide signals.Not annunciating.Periodic test. Set-point readout by plant computer.3-channel redundancy.(4th channel bypassed).Converts ESFS RASlogic to 2-out-of-2
coincidence..Reactor trip logic must beconverted to 1-out-of-2 when failure is detected by tripping either the bypassed channel or the affected channel.Bistables, RPS, MSIS, EFAS, and PPS Alarm, Channel A (Typical), Figure 7.2-10SG-2 LO PRESS (30)Off (goeslow)Open circuit;dc power supplyfailureBistable relays in RPS and ESFSchannel logic deenergizes, and "A"portion of the 2-out-of-4 coincidencechanges logic state. Channel trip occurs in MSIS and RPS logic.,Annunciating; Trip PPSAlarms.3-channel redundancy.(4th channel bypassed).Converts RPS andESFAS MSIS logic to 1-out-of-2 coinci-
dence.SG-1 LOPRESS (45)
Off (goeslow)Component failure, set- point not adjusted.Bistable relays in RPS and ESFSchannels remain energized for channel A conditions. Channel trip will not occur for MSIS and RPS circuit for bona fide signals.Periodic test. Set-point readout by plant computer.3-channel redundancy.(4th channel bypasses).Converts RPS andESFS MSIS logic to 2-out-of-2 coinci-
dence.Reactor trip logic must beconverted to 1-out-of-2 when failure is detected by tripping either the bypassed channel orthe affected channel.Bistables, CSAS and PPS Alarm, Channel A (Typical), Figure 7.2-10HI-HI CONTPRESS (7)Off (goeslow)Open circuit,dc power supply failureBistable relays in ESFS channellogic deenergizes, and "A" portion of the 2-out-of-4 coin- cidence changes
logic state.Annunciating redun-dancy pre-trip, trip alarm.3-channel redundancy.LO-LO PZR pressure on HI CONT PRESS channelConverts ESFS CSASlogic on: HI-HI CONT PRESS to 1-out-of-2
coincidence.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 27 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBistables, CSAS and PPS Alarm, Channel A (Typical), Figure 7.2-10 (cont.)HI-HI CONTPRESS (7)
(cont.)Channel trip occurs in HI-HI CONTPRESS portion of CSAS logics.in ESFS required for CSAS. (4th channel bypassed).
dence, and LO-LOPZR Press or HI CONT PRESS 2-out-of-3 coincidence.
On (goeshigh)Componentfailure. Set-point not adjusted.Bistable relays in ESFS channelremain energized for channel A conditions. Channel trip will not occur for HI-HI CONT PRESS
portion of CSAS circuit for bona fide
signals.Not annunciating.Periodic test. Set- pointreadout by plant computer.3-channel redundancy.(4th channel bypassed).Converts ESFS CSASlogic on: HI-HI CONTPRESS to 2-out-of-2 coincidence, and PZR PRESS or CONT PRESS 2-out-of-3
coincidence.CSAS logic for HI-HI CONTPRESS must be converted to 1-out-of-2 when failure is detected by tripping either thebypassed channel or the affected channel. CSAS still requires input from LO PZR PRESS or HI CONT PRESS BTU's which remain 2-out-of-3
logic.Bistable, RPS, SIAS, CIAS, CSAS and PPS Alarms, Channel A (Typical), Figure 7.2-10LO PZR PRESS (62)Off (goeslow)Open circuit, dcpower supplyfailureBistable relays in RPS and ESFSchannel deenergizes, and "A"portion of the 2-out-of-3 coincidence changes logic state. Channel trip occurs in LO PZR PRESS portion of RPS, CSAS, SIAS, and CIAS logics.
Annunciating, PPS pre-trip, trip alarm.3-channel redundancy.(4th channel bypassed).Converts ESFS's,CSASc SIAS and CIAS logic on: LO PZR PRESS to 1-out-of-2 coincidence, on HI-CONT PRESS to 2-out-of-3 coincidence, and CSAS on HI-HI CONT PRESS to 2-out-of-3 coincidence.
Converts RPS logic to 1-out-of-2 coincidence.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 28 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBistable, RPS, SIAS, CIAS, CSAS and PPS Alarms, Channel A (Typical), Figure 7.2-10 (cont.)LO PZR PRESS (62) (cont.)
Off (goeshigh)Componentfailure. Set-point not adjusted.Bistable relays in RPS and ESFSchannels remain energized for channel A conditions. Channel tripwill not occur for LOW PZR PRESSportion of RPS, CSAS, SIAS and CIAS circuit for bona fide signals.Not annunciating.Periodic test. Set- point readout from plant computer.3-channel redundancy.(4th channel bypassed).Converts ESFS'sCSAS, SIAS and CIAS logic on: LO-LO PZR PRESS to 2-out-of-2
coincidence, on HI CONT PRESS to 2-out-of-3 coincidence,and CSAS on HI-HI CONT PRESS to 2-out-of-3 coincidence.
Convert RPS logic to 2-out-of-2 coincidence.Reactor trip logic and ESFSactuation logic for LO PZRPRESS must be converted to 1-out-of-2 when failure is detected by tripping either the bypassed channel for the affected channel.Other parameter input (HI-HICONT PRESS, HI-CONT PRESS) still remain 2-out-of-3coincidence for their ESFS actuations.Bistable, SIAS, MSIS, CSAS, CIAS and PPS Alarm, Channel A (Typical), Figure 7.2-10HI CONTPRESS (13)
Off (goeslow)Component drift.Open circuit dc power supply.Bistable relays in ESFS channel forhigh containment pressure logic deenergizes and "A" portion 2-out-of-3 coincidence changes logic state. Channel trip occurs in HI-CONT PRESS portion of SIAS,MSIS, CSAS and CIAS logics.Annunciating; PPSpretrip, trip alarms.3-channel redundancy.(4th channel bypasses).Converts ESFS'sSIAS, MSIS, CSAS and CIAS loigc on: HI CONT PRESS to 1-out-of-2 coincidence.
LO PZR PRESS to 2-out-of-3 coincidence, and CSAS on HI-HI CONT PRESS to 2-out-of-3 coincidence, and CSAS on HI-HICONT PRESS to 2-out-of-3 coincidence.
On (goeshigh)Componentfailure, drift setpoint not adjusted.Bistable relays in ESFS channel forhigh containment pressure logic remain energized. Channel A will not trip for bona fide high containment pressure conditions.'Not annunciating;Periodic test; set-point readout from plant computer.3-channel redundancy.(4th channel bypassed).Converts ESFS'sSIAS, MSIS, CSASand CIAS logic on: HI CONT Press 2-out-of-2
coincidence.Other parameter input (LO PZRPRESS) still remain 2-out-of-3 coincidence. ESFS logic for HI CONT.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 29 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBistable, SIAS, CSAS, MSIS, CIAS and PPS Alarm, Channel A (Typical), Figure 7.2-10 (cont.)HI CONTPRESS (13)
(cont.)CSAS logic on HI-HICONT PRESS to 2-out-of-3 coincidence,and CIAS, CSAS andSIAS on LO PZR PRESS to 2-out-of-3
coincidence.PRESS must be converted to1-out-of-2 when failure is detected by tripping either the bypassed channel or the affected channel.Bistables, RPS Trip, CWP, and PPS Alarm, Channel A (Typical), Figure 7.2-10HI PZR PRESS (65)Off (goeslow)Open circuit, dcpower supply.Bistable relay in RPS channel logicdeenergizes and "A" portion of both CWP and RPS 2-out-of-3 coincidence changes state. Channeltrip occurs in both pre-trip and trip circuits.Annunciating. Pre-tripand trip PPS alarm.3-channel redundancy.(4th channel bypassed).Converts reactor tripCWP logic on HI PZR PRESS to 2-out-of 2
coincidence.When failure is detected,reactor trip and CWP logic for LO PZR PRESS must be
converted to 1-out-of-2 by tripping either the bypassed chanel or the affected channel.Bistable, EFAS Summer, Channel A (Typical), Figure 7.2-10SG-2 LO LVLand SG-2 PRESS Auctioneer Summer (85)OnShorted relay contact(s).Unable to initiate EFAS channel tripinput to EFAS logic.Not annunciating.Periodic test.3-channel redundancy.(4th channel bypassed).
Converts logic forEFAS to 2-out-of-2 coincidence.When failure is detected, EFASmust be converted to 1-out-of-2by tripping bypassed channel.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 30 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBistable, EFAS Summer, Channel A (Typical), Figure 7.2-10 (cont.)
AND SG-1 LO LVLand SG-1 PRESSAuctioneer Summer (86)OffBroken wire.Unwarranted channel trip input toEFAS 2-out-of-3 logic.Annunciating, periodic test.EFAS logic is 2-out-of-3 selection.
Converts logic forEFAS to 1-out-of-2
coincidence.Two-out-of-four Coincidence Logic, EFAS Auctioneer, Channel A (Typical), Figure 7.2-10SG-2 PRESSAuctioneer (34)ShortElectrical short.Unable to initiate EFAS channel tripinput to EFAS 2-out-of-3 logic when steam generator low level occurs.Not annunciated.Periodic testing.3-channel redundancy.Manual initiation (4th channel bypassed).
Converts logic forEFAS to 2-out-of-2
coincidence.When failure is detected, EFASlogic must be converted to 1-out-of-2 by tripping the channel that is bypassed.SG-1 PRESSAuctioneer (35)OpenBroken wire,loss of power to relay.Unwarranted channel trip input toEFAS 2-out-of-3 logic if steam generator low level occurs.Not annunciated,periodic testing.EFAS logic is 2-out-of-3selective. (4th channel bypassed).
Converts logivc forEFAS to 1-out-of-2coincidence on
occurrence of steam generator low level.Bistables, EFAS Bistable Logic, Channel A (Typical), Figure 7.2-12A7-6(A8-6)Contact shorts.Welded contactBistable relays of channel A that areused in the logic matrices of EFAS-1 (EFAS-2) will not deenergize for avalid trip condition.Periodic PPS test.Actuation logic forEFAS-1 (EFAS-2) is
converted to 2-out-of-2.
(4th channel assumedto be bypassed).When failure is detected,EFAS-1 (EFAS-2) actuation logic must be converted to 1-out-of-2 by tripping the bypassed channel. The failed channel can then be bypassed.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 31 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBistable, EFAS Bistable Logic, Channel A (Typical), Figure 7.2-12 (cont.)A7-6(A8-6) (cont.)Contact opensDeterioration of contact.Actuation conditions for EFAS-1(EFAS-2) are changed from: SG1 pressure > SG2 pressure or SG1 not low pressure, and SG1 low level(SG2 pressure > SG1 pres-sure or SG2 not low pressure and SG2 low level) to: SG1 pressure >
SG2 pressure or SG1 not low pressure (SG2 pressure > SG1 pressure or SG2 not low pressure) channel will be tripped at normal operating conditions.Bistable trip will beannunciated.Actuation logic forEFAS-1 (EFAS-2) is
converted to 1-out-of-2.
(4th channel bypassed).A11-6(A12-6)Contact shortsWelded contactActuation conditions for EFAS-1(EFAS-2) for affected channel are changed to: SG1 pressure >
SG2 pressure and SG1 low level(SG2 pressure > SG1 pressure andSG2 low level) channel will not trip for the condition: SG1 not low pressure and SG1 low level. (SG2 not low pressure and SG2 low level).Periodic PPS testing.EFAS actuation logicfor: SG low level and SG not low pressure is
converted to 2-out-of-2.
(4th channel assumed to be bypassed).When failure is detected, EFASlogic must be converted to 1-out-of-2 by tripping the channel.Contact opensDeterioration of contact.Actuation condition for affectedEFAS-1 (EFAS-2) chan-nel becomes SG1 low level (SG2 low level).Periodic PPS testing.EFAS actuation logiceffectively becomes 1-
out-of-2 because affected bistable will trip whenever a low SG
level condition occurs.4th channel assumed to bebypassed.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 32 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBistables, EFAS Bistable Logic, Channel A (Typical), Figure 7.2-12 (cont.)A19-6(A20-6)Contact shortsWelded contactActuation conditions for affectedEFAS-1 (EFAS-2) chan-nel become:
SG1 not low pres-sure and SG1 low level (SG2 not low pressure andSG2 low level) Channel will not tripfor condition: SG1 pressure > SG2 pressure and SG1 low level (SG2 pressure > SG1 pressure and SG2 low level).Periodic PPS testing.EFAS actuation logicfor condition: SG1 pressure > SG2 pressure and SG1 low level (SG2 pressure >
SG1 pressure andSG2 low level) is converted to 2-out-of-2.
(4th channel assumed to be bypassed).When failure is detected, EFASlogic must be converted to 1-out-of-2 by tripping the channel.Contact opens.Deterioration of contact.Actuation condition for affectedEFAS-1 (EFAS-2) chan-nel becomes SG1 low level (SG2 low level).Periodic PPS testing.EFAS actuation logiceffectively becomes 1-
out-of-2 because affected bistable will trip whenever a low SG
level condition occurs.4th channel assumed to bebypassed.Bistable Logic, EFAS Inverter,Channel A (Typical)Figure 7.2-10SG-2 LO PRESS Logic Inverter (28)
AND On (Low PRESS signal)Relay or con-tact shorted.See relay All-6 contacts (relay A12-6contacts). Inverter consists of normally closed contacts from SL LO PRESS bistable relays.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 33 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBistable Logic, EFAS Inverter, Channel A (Typical), Figure 7.2-10 (cont.)PRESS LOGICSG-1 LO Inverter (29)
Off (high signal)Relay failure,broken wire.See ALL-6 relay contacts (relay A12-6 contacts). Inverter con-sists of normally closed con-tacts from SG LO PRESS bistablerelays.2-out-of-4 Coincidence Logic, PPS Trip, Figure 7.2-10HI CONTPRESS (26)SG-2 LOPRESS (41)SG-1 LOPRESS (50)Logic matrixOFF (e.g., AB matrix)Componentfailure, power supply pair failure.Reactor trip occurs due to logiccoincidence corresponding to two
channel signals in the 2-out-of-3 logic matrix cir-cuits. AB logic matrix initiate RPS trip actuation.Annunciating; pre-trip, trip PPS alarms.Reactor protectivesystem trip.Requires failure of twoindependent relay contacts orredundant power supplies in AB logic matrix.SG-2 LOLVL (54)SG-1 LOLVL (58)LO PZRPRESS (64)Logic matrixON (e.g., AB matrix).Componentfailure.Logic matrix corresponding to ABchannel will not respond to a bona fide condition. Reactor will not tripwhen signal originates only in the A,B channels.Not annunciating,periodic test.Assuming either C or Dchannel bypassed.
RPS trip logic reverts to a selective 2-out-of-3 logic for a particu-lar parameter.When failure is detected, RPStrip logic can be con-verted to 1-out-of-3 by tripping the bypassed channel or trip logic can be converted to 2-out-of-3 by removing bypass from C or D and bypassing A or B.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 34 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, PPS Trip, Figure 7.2-10 (cont.)HI PZRPRESS (67)HI LINPWR (77)HI LOGPWR (77)LO DNBR (94)
HI PWRDENS (98)LOSS OFLOAD (104)SG-1 HILVL (44)SG-2 HILVL (43)2-out-of-4 Coincidence Logic, Pre-Trip, Trip Alarm Auctioneer,Channel A (Typical), Figure 7.2-10ALARMAuctioneer
(113)OnComponentFailureSends 1-out-of-4 pre-trip,trip, or 1-out-of-4 actuation trip path alarms to plant annunciation without valid trip calling for it.Annunciating PPSchannel alarm.Nuisance PPS alarmsounding.Operator must check system todetermine if bona fide signal exists or if there is a failure in the PPS alarm circuit.OffComponentfailure.Loss of alarm signal for actu-ator path. ESF and RPS protec-tive action will still occur with alarms on other channels.Not annunciating,periodic test.No pre-trip alarm foraffected parameter.Operator will be unaware ofproblem until test.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 35 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, Plant Computer Auctioneer, Channel A (Typical), Figure 7.2-10ComputerAuctioneer (116)OnComponentfailure.Sends signals from each tripbistable to plant computer. Alarm routine is activated with no signal calling for it.Computer readout.Redundant actuator path.Nuisance; plantcomputer alarm sub-routines invoked. No effect upon PPS.Operator must check system todetermine if bona fide signal exists or if there is a failure inthe PPS alarm circuit.OffComponentfailure.Loss of computer signal forparticular bistable. ESF and RPS protective action will still occur with alarms on other channels.Not annunciating;periodic test.Redundant actuator path.ESF and RPS alarms,within the scope of the plant computer, will be activated by 2 paths
instead of 3. No effect
upon PPS.Operator will be unaware ofproblem until test.RPS Auctioneer (106)OpenBroken wire.
Loss of trip pathpower supply.Unwarranted channel trip.Annunciated. Breakerindication lights andphase current monitors.
Logic for PPS trip 1-out-of-3 selective orany 2-out-of-3.ShortElectrical shortFailure to initiate RPS channel tripwhen required.Not annunciated.Periodic testing.Redundant trip paths.Logic for RPS trip2-out-of-3 selective.2-out-of-4 Coincidence Logic, Reactor Matrix, AB (Typical), Figure 7.2-13Matrix relayOpen coilSustainedvoltageTrip path with contact of that relay init will be deenergizedTrip will be annunciatedon plant annunciator.Trip path logic is selective2-out-of-4 coincidence.The system has one oftwo parallel actuation
circuits open.Remaining trip paths areunaffected; each trip path is formed by one set of contactsfrom each set of logic matrixrelays.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 36 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, Reactor Matrix, AB (Typical), Figure 7.2-13 (cont.)6AB-1 or 6AB-2 or6AB-3 or 6AB-4Shorted coilDeterioration ofinsulation.The shorted coil may cause thedriver to fail open or fail short. If the driver fails open, the symptoms will be the same as described above. If the driver fails short, the power supply will be shorted, producingsame symptoms as loss of thepower supply. (See dc power distribution sheets.)Trip Relay DriverShortTransient voltage in circuit.One of the trip paths will not be de-energized should a bona fide trip exist in the affected logic matrix.Periodic PPS testing.Remaining matrix relays are unaffected.System will stillrespond to a legitimate trip condition.The matrix relays in the other 5logic matrices are unaffected. A trip in any of these matrices will cause a trip in all four trip
paths.OpenTransientcondition in circuit.One of the four matrix relays will bede-energized causing one of the trippaths to be de-energized.The plant annunciatorwill annunciate the trip.A minimum of two trippaths must be de-ener-gized to initiate a reactortrip. The three other matrix relays in that logic matrix
are unaffected and thus will not de-energize any other trip paths unless a bona fide trip condition exists.The reactor trip circuitbreaker switchgear will be partially enabled.A bona fide trip condition oranother selective single failure is required to produce a trip.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 37 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, Reactor Matrix, AB (Typical), Figure 7.2-13 (cont.)Bypass RelayContactAXK1-1 orBXK1-1Contact short.Welded contactThe AB logic matrix is notresponsive to a concurrent trip of the A1 and B1 bistable.Periodic PPS testing.Assuming either C or Dchannel bypassed, RPS trip logic reverts to a selective 2-out-of-3 logic for a particular parameter.When failure is detected, RPStrip logic can be con-verted to 1-out-of-3 by tripping the bypassed channel or trip logic can be converted to 2-out-of-3 by removing bypass from C or D and bypassing A or B.Contact openDeterioration of contact.It is not possible to bypass thecontact of bistable A1 (B1) in thismatrix.Periodic PPS testing.A trip condition of bistable associatedwith this contact cannot be bypassed, thus placing the system in a selec-
tive 2-of-3 for the parameter being monitored bhy bist-able 1. During testing the matrix will be sensitive to a trip of theassociated bistable.The contacts of the affectedbistable will be bypassed in the other two logic matrices, rendering those matrices incapable of causing a trip for that parameter.Open coilBypass indicators will notilluminate when bypass switch isdepressed. It is not possible tobypass the bistable relay contacts in the three logic matrices affected by the particular bistable.Bypass indicator doesnot illuminate when the bypass is attempted.
Bypass not annunciated on plant annunciator.Any trip of the bistablewill make the system
sensi-tive to a trip of any of
the three other equivalent bistables.
Cannot revert system logic to 2-out-of-3 particular channel.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 38 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, Reactor Matrix, AB (Typical), Figure 7.2-13 (cont.)Bistable RelayContact N.O. con-tact fails closedWelded contactfailure of relay driver.The reactor trip AB logic matrix willnot respond to the tripping of the 1 bistables.Period PPS testing.Asssuming either C orD channel bypassed, RPS trip logic revertsto a selective 2-out-of-3 logic for a particular parameter.When failure is detected, PPStrip logic can be converted to 1-out-of-3 by tripping the bypassed channel or trip logic
can be converted to 2-out-of-3 by removing bypass from C orD and bypassing A or B.
N.C. con-tact fails closedWelded contactThe reactor trip AB logic matrix ispartially enabled. The occurrence of a trip of the complementary bistable relay will cause deactivation of matrix relays.Periodic PPS testing.For the affectedparameter the system converts to selec-tive 1-out-of-3 logic or anyh 2-or-3 to produce an actuation.
N.O. con-tact fails
open.Deterioration of contact.The reactor trip AB logic matrix ispartially enabled. The occurrence of a trip of the complementary bistable relay will cause deactivation of matrix relays,.Bench test.AB Matrix becomes halftripped.For the affectedparameter the system
converts to selective 1-out-of-3 logic or any 2-
or-3 to produce an actuation.Worst single failure inconjunction with this eventwould be the failure of the C-Ch Bistable in the untrippable state. Trip logic would then become 2-out-of-2.Both form C contacts fail
in the N.O.
position.Open relay orcoil, failure of relay driver.The reactor trip AB logic matrix ispartially enabled. The occurrence of a trip of the complementary bistable relay will cause deactivation of matrix relays.Annunciated on plantannunciator. Displayed on plant bistable annunciator.
For the affectedparameter, the system
converts to selective 1-out-of-3 logic or any 2-
or-3 to produce an actuation.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 39 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, Reactor Matrix, AB (Typical), Figure 7.2-13 (cont.)Bistable Relay Contact (cont.)2-out-of-4 Coincidence Logic, CSAS, SIAS, MSIS and CIAS, Figure 7.2-10HI-CONT PRESS (15)One logicpair fails failures. OFF (e.g., AB Matrix)Componentfailures.Spurious actuation of SIAS, MSIS,and CIAS. Condition for CSASactuation becomes 2-out-of HI-HI CONT PRESS>Annunciating. CIAS,SIAS, and MSIS alarms.Multiple independentcomponent failuresrequired.ESFS goes into SIAS,CIAS, and MSIS mode.One logic pair fails ON(e.g., ABMatrix)Componentfailures.Logic Matrix corresponding to ABchannel of HI CONT PRESS. Will not respond to a valid signalcoincidence in the A and Bchannels, and MSIS, CIAS, and SIAS will not actuate.Not annunciating.Periodic test.Assuming that eitherthe C or D channel for HI CONT PRESS is bypassed; MSIS, CIAS, and SIAS actuation logic goes toa selective 2-out-of-3 state.When failure is detected, CIAS,MSIS, and SIAS actuation logic for HI containment must be converted to 1-out-of-2 logic by tripping whichever channel of C and D is not bypassed. (Note: If Bypass can be removed from bypassed channel, logic can be
converted to 2-out-of-3 by bypassing either channel A or channel B).LO PZR PRESS (127)One logicpair fails OFF (e.g., AB Matrix)Componentfailures.Spurious actuation of SIAS andCIAS. Condition for CSAS becomes 2-out-of-4 HI-HI CONT PRESS.Annunciating. CIAS andSIAS alarms.Multiple independentcomponent failures required.ESFS goes into SIASand CIAS mode.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 40 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, SIAS, and CIAS, Figure 7.2-10LO PZR PRESS (127)One logic pair fails ON (e.g., AB matrix)Componentfailures.Logic matrix corresponding to ABchannel of PZR PRESS will not respond to a bona fide con- dition.Safety injection con-tainment coolingwill n ot occur if signal originates only in the A,B channels.Not annunciating,periodic test.Assuming that eitherchannel C or D for LO PZR PRESS is bypassed, SIAS and CIAS actuation logic
goes to 2-out-of-3 state.When failure is detected, SIASand CIAS actuation logic must
be converted to 1-out-of-2 by tripping whichever channel of C and D is not bypassed.HI-HI CONTPRESS (9)Logic OFFComponent (e.g., AB failure matrix).ComponentfailuresHI-HI CONT PRESS signal occursfor containment spray due to logiccoincidence of two channel signals in the 2-out-of-3 logic matrix circuit.
AB logic matrix gate initiates HI-HI CONT PRESS portions of CSAS actuation.Not annunciating;indicated on PPS matrix text module, peridic test.LO PZR PRESS, HICONT PRESS channel in ESFS required for CSAS.Makes ESFS andCCAS sensitive to HI CONT PRESS signals.
RAS, MSIS, SIAS,CIAS and RPS tripactuation remain status quo. Other PPS functions unaffected.Requires failure of twoindependent relay contacts sets, redundant dc power supply in AB logic matrix.
Coincidence logic still remain
2-out-of-3.
Logic ON(e.g., AB matrix).Componentfailures.Logic matrix corresponding to ABchannel will not respond to a bona fide condition. HI-HI CONT PRESS portion of CSAS actuation will not occur when signal originates only in the A, B channels.Not annunciating,periodic test.Assuming that eitherchannel C or D for HI-HI CONT PRESS is bypassed, Hi-HI CONT PRESS portion of CSAS becomes 2-out-
of-3 selective.When failure is detected, HI-HICONT portion of CSAS actuation logic must be
converted to 1-out-of-2 bytripping whichever, channel ofC and D is not bypassed.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 41 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, MSIS, Figure 7.2-10S.G. 2 LOPRESS (32)S.G. 1 LOPRESS (47)Logic OFF(e.g., AB matrix).Componentfailures.Main steam isolation occurs due tologic failure correspond8ing to two channel signals in the 2-out-of-3 logic matrix circuit. AB logic matrixgate initiated ESFS MSIS actuation.Annunciating PPS MSISalarm.Requires multipleindependent component failures.Other PPS functions unaffected.Requires failure of theindependent relay contact sets; redundant dc power supply in AB logic matrix.
Logic ON(e.g., AB matrix).Componentfailures.Logic matrix corresponding to ABchannel to affected SG will not respond to a bona fide con- dition.Main steam isolation unable to occurwhen signal originates in the affected SG AB channels.Not annunciating,periodic test.Assuming that eitherchannel C or D for low SG pressure is bypassed, MSIS logic for affected SG becomes 2-out-of-3 selective.When failure is detected, MSISlogic for affected SG must be
converted to 1-out-of-2 by tripping whichever channel of C and D that is not bypassed.2-out-of-4 Coincidence Logic RAS, Figure 7.2-10Refueling TankLow Level (4)Logic Matrix OFF (e.g.,
AB matrix).Componentfailures.Recirculation initiation signal occursdue to logic failure corresponding to two channel signals in the 2-out-of-3 logic matrix circuits. AB logic matrix gates initiate ESFS RAS actuation.
Annunciation PPS RASalarm.Requires multipleindependent component failures.Makes ESFS go intoRAS mode. Other PPS
functions are
unaffected.Requires failure of twoindependent relay contacts sets; redundant dc power supplies in AB logic matrix. If failure occurs, RAS signal closes valves from RWT and opens valve between sump and SI system.Logic MatrixON (e.g., ABmatrix).Componentfailures.Logic matrix corresponding to ABchannels will not respond to a bonafide condition. Re-circulation actuation will not occur when signal originates only in the A, B channels.Not annunciating,periodic test.Assuming that channelC or D for REFUELING TANK LO LEVEL is bypassed, RAS logic becomes 2-out-of-3
selective.When failure is detected, RASlogic must be converted to 1-out-of-2 by tripping whichever channel of C and D that is not bypassed.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 42 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence EFAS, Figure 7.2-10EFAS-2Logic (128)Logic OFF(e.g., AB matrix).Componentfailures.Emergency feedwater actuation(EFAS) occurs due to logic failure corresponding to two channelsignals in the 2-out-of-3 logic matrix circuit.Annunciating PPS EFASalarm.Main feed system willcompensate for excess feedwater. Requires multiple independent component failures.Makes ESFS go intoEFAS mode. Other PPS functions
unaffected.Requires failure of twoindependent relay contact sets, redundant dc power supply in AB logic matrix.
Logic ON(e.g., AB matrix).Componentfailures.Logic matrix corresponding to ABchannel of affected SG will notrespond to a bona fide condition.EFAS will not occur when signal originates on the affected SG A, B
channels.Not annunciating,periodic test.Assuming that channelC or D for the inputs to the affected EFAS is bypassed, actuation logic for the affectedEFAS becomes 2-out-of-3 selective.When failure is detected, EFASlogic must be converted to 1-out-of-2 by tripping whichever channel C or D is bypassed for all EFAS inputs.2-out-of-4 Coincidence Logic Engineered Features, CSAS-RAS-EFAS AB (Typical), Figure 7.2-13Logic MatrixRelay Contact CSASA17-1 or B17-1 N.O. con-tact fails closed.Welded contact.The AB logic matrix for the affectedfunction does not respoond to the tripping of the bistable.Periodic PPS testing.See Table 7.2-5, sheets 41, 42, and 43; "Failure Mode-
Logic ON."See Table 7.2-5, sheets 41, 42,and 43; "Failure Mode-Logic
ON." RASA18-1 or B18-1Failure of relaydriver.EFAS-1A19-1 or B19-1EFAS-2A20-1 or B20-1 WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 43 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic Engineered Features,CSAS-RAS-EFAS AB(Typical),Figure 7.2-13(cont.)Logic MatrixRelay Contact CSASA17-1 orB17-1 RASA18-1 or B18-1EFAS-1A19-1 or B19-1EFAS-2A20-1 or B20-1 (cont.)N.C con- tact fails closed.
N.O. con-tactfails open.Welded contact.Deterioration of contact.The AB logic matrix for the particularfunction is partial-ly activated. The occurrence of a trip of the complementary bistasble relay will cause the matrix to produce a trip.The AB logic matrix for the particularfunction is partially activated. The occurrence of a trip of the complementary bistable relay will cause the matrix to produce a tripPeriodic PPS testing.Periodic PPS testing.A bypass function is builtinto the circuit that allows byhpassing of the failedcontact, preventing thatmatrix from producing a
trip.AB matrix is halftripped.Actuation logic foraffected function becomes 1-out-of-3selective or any 2-out-of-3.AB matrix is halftripped.Actuation logic fortheaffected function becomes 1-out-of-3 selective or any 2-out-
of-3. (4th channnel bypassed).Bypass of the function alsodisables the other two logicmatrices associated with thatbistable. Logic then becomes 2-out-of-3. Without a bypass, the logic for the affected function is a selective 1-out-of-4 or any 2-out-of-4.Both form C contacts fail
into the N.O.
position.Open relay coil.Failure of relaydriver.The AB logic matrix for the particularfunction is partially activated. The occurrence of a trip of the complementary bistable relay willcause the matrix to produce a trip.Annunciated on plantannunciator.A bypass function is builtinto the circuit that allows bypassing of the failed con-tact, preventing that matrix from producing a
trip.AB matrix is halftripped.The logic for the affectedfunction is a selective 1-out-of-3 or any 2-out-of-3. (4th channel bypassed).
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 44 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic Engineered Features,CSAS-RAS-EFAS AB(Typical),Figure 7.2-13(cont.)Logic MatrixRelay Bypass Contact CSASAXK17-1 or BXK17-1 RASAXK18-1 or BXK18-1EFAS-1AXK19-1 orBXK19-1EFAS-2AXK20-1 or BXK20-1Contact shorts.Contact open.Welded.Deteriorated contact.The logic matrix for the functionassociated with this contact will not respond to a trip of the bistable.It is not possible to bypass thebistable relay contact in this matrix.Periodic PPS testing.Periodic PPS testing.See Table 7.2-5, sheets 41, 42, and 43;"Failure Mode- Logic ON."A trip condition of thebistable asso-ciated with this contact cannot be bypassed, thus the matrix will be half tripped.During testing of thebistables, the matrix will be sensitive to a
trip of the associated bistable.See Table 87.2-5, sheets 41,42, and 43; "Failure Mode
Logic ON."The contacts of the affectedbistable will be bypassed in the other two logic matrices rendering those matrices immune to any trip condition.Open coil.Bypass indicators will not illuminatewhen bypass switch is depressedIt is not possible to bypass thebistable relay contacts in the three logic matrices affected by the particular bistable.Bypass indicators OFF.Bypass not annunciated on plant annunciator.An invalid trip of theassociated bistable will half trip three logic matrices.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 45 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, Engineered Features, CIAS/SIAS AB (Typical), Figure 7.2-13Logic MatrixRelay Contact A6-9 or B6-9 N.O. con-tact fails closed.Welded contact.Failure ofbistable relaydriver.The AB matrix for CIAS/SIAS will notrespond to a trip of the bistable.Assuming that eitherchannel C or D for LO PZR PRESS is bypassed, SIAS and CIAS actuation logic
goes to 2-out-of-3 state.When failure is detected, SIASand CIAS actuation logic must
be converted to 1-out-of-2 by tripping whichever channel of C and D is not bypassed.N.C con-tact fails closed.Welded contact.The AB logic matrix for CIAS/SIASis partially tripped. A trip of the complementary bistable relay will cause deactivation of the matrix relays.Periodic PPS testing.The AB matrix forCIAS/SIAS is halftripped.The CIAS/SIAS logic will be aselective 1-out-of-3 logic, orany 2-out-of-3 logic, or any 2-out-of-3 signals.
N.O. con-tactfails open.Deterioration of contact.The AB logic matrix for CIAS/ SIASis partially tripped. A trip of the complementary bistable relay will cause the deactivation of the matrix relays.Periodic PPS testing.The AB matrix forCIAS/SIAS is half tripped.The CIAS/SIAS logic will be aselective 1-out-of-3 logic or any 2-out-of-3 signals.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 46 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, Engineered Features, CIAS/SIAS AB (Typical), Figure 7.2-13 (cont.)Logic MatrixRelay Contact A6-9 or B6-9 (cont.)Both form C contacts fail
into the N.O.position.Open relay coil,failure o9f relay driver.The AB logic matrix for CIAS/ SIASis partially tripped. A trip of the complementary bistable relay willcause deactivation of the matrixrelays.Annunciated on plantannunciator.The AB matrix forCIAS/SIAS is half tripped.The CIAS/SIAS logic will be aselective 1-out-of-3 logic or any 2-out-of-3 signals.Logic MatrixRelay Contact A16-1 or B16-1 N.O. con-tact fails
closed.Welded contact.Failure ofbistable relay driver.The AB logic matrix will not respondto a trip of the bistables.Periodic PPS testing.Assuming that eitherthe C or D channel for HI CONT PRESS is bypassed; MSIS, CIAS, and SIAS actuation logic goes to a selective 2-out-of-3
state.When failure is detected, CIAS,MSIS and SIAS actuation logicfor HI CONT must beconverted to 1-out-of-2 logic by tripping whichever channel of C and D is not bypassed. (Note: If bypass can be removed from bypassed channel, logic can be
converted to 2-out-of-3 by bypassing either channel A or channel B).
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 47 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic,Engineered Features,MSIS,CIAS/SIAS AB(Typical)Figure 7.2-13 (cont.)Logic MatrixRelay Contact A126-1 or B16-1 (cont.)
N.C. con-tact fails closed.Welded contact.The AB logic matrix for the affectedfunctions is partially tripped.
Occurrence of a trip of thecomplementary bistable relay willcause deactivation of the matrix relays for those functions.Periodic PPS testing.AB matrix is halftripped for MSIS and one parameter of CIAS/SIAS.MSIS logic will be a selective 1-out-of-3 logic or any 2-out-of-3 signal. CIAS/SIAS will be the same as MSIS for one parameter.
N.O. con-tactfails open.Deterioration of contact.The AB logic matrix for the affectedfunctions is partially tripped.
Occurrence of a trip of the complementary bistable relay will cause deactivation of the matrix relays for those functions.Periodic PPS testing.AB matrix is halftripped for MSIS andone parameter ofCIAS/SIAS.MSIS logic will be a selective 1-out-of-3 for that parameter.CIAS/SIAS will be the same asMSIS for one parameter.Both form C contacts fail into the N.O.position.Open relay coil,failure of relay driver.The AB logic matrix for the affectedfunctions is partially tripped.
Occurrence of a trip of thecomplementary bistable rlay willcause deactivation of the matrix relays for those functions.Annunciated on plantannunciator.AB matrix is halftripped for MSIS and one parameter of CIAS/SIAS.MSIS logic will be a selective 1-out-of-3 signal. CIAS/SIAS will be the same as MSIS for one parameter.Logic MatrixRelay Contact Bypass Relay AXK16-1 or BXK16-1Contact short.Welded contact.The AB logic matrix wsill notrespond to a trip of the associated bistables.Periodic PPS testing.Assuming that eitherthe C or D channel forHI CONT PRESS is bypassed; MSIS, CIAS, and SIAS actuation logic goes to a selective 2-out-of-3
state.When failure is detected, CIAS,MSIS and SIAS actuation logic for HI CONT must be converted to 1-out-of-2 logic by tripping whichever channel of Cand D that is not bypassed.(Note: If bypass can be removed from bypassed channel, logic can be
converted to 2-out-of-3 by bypassing either channel A or channel B).
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 48 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic,Engineered Features,MSIS,CIAS/SIAS AB(Typical)Figure 7.2-13 (cont.)Logic MatrixRelay Contact Bypass Relay AXK16-1 orBXK16-1 (cont.)Contact open.Deterioration of contact.It is not possible to bypass thebistable in the AB matrix.Periodic PPS testing.A trip condition of the bistable associated with this contact cannot be bypassed, thus the matrix wsill be half tripped for oneparameter of CIAS/SIAS, and MSIS.
During testing of the bistables the matrix will be sensitive to a trip of the associate bistable.The contacts of the affectedbistable will be bypassed in theother two logic matricesrendering those matrices immune to any trip condition for one parameter of CIAS/SIAS and MSIS.Open coil.Bypass indicator will not illuminatewhen bypass switch is depressed.
Bistable contacts in logic matrices cannot be bypassed.Bypass indicators ofbypass not annunciated on plant annunciator.A trip of the associatedbistable will half trip three logic matrices.Logic MatrixBypass RelayContactAXKB6-9 or BXKB6-9Contact short.Welded contact.The AB logic matrix will not respondto a trip of the associated bistables.Periodic PPS testing.Assuming that channelC or D for LO PZR PRESS is by-passed, SIAS and CIAS actuation logic
goes to 2-out-of-2 state.When failure is detected, SIASand CIAS actuation logic must
be converted to 1-out-of-2 by tripping whichever channel of C and D is not bypassed.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 49 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic,Engineered Features,MSIS,CIAS/SIAS AB(Typical)Figure 7.2-13 (cont.)Logic MatrixBypass Relay Contact AXKB6-9 orBXKB6-9 (cont.)Contact open.Deterioration of contact.It is not possible to bypass thebistable in the AB matrix.Periodic PPS testing.A trip condition of thebistable asso-ciated with this contact cannot be bypassed, thus the matrix will be half tripped for theCIAS/SIAS functions.The contacts of the affectedbistable will be bypassed in the other two logic matrices rendering those matrices immune to any trip conditions for the CIAS/SIAS functions.Open coilBypass indicator will not illuminatewhen bypass switch is depressed.Bistable contacts in logic matrices cannot be bypassed.Bypass indicators off.Bypass not annunciatedon plant annunciator.A trip of the asso-ciated bistable will halftrip three logic matrices.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 50 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, CSAS, SIAS and CIAS Auctioneer, Channel A (Typical), Figure 7.2-10LOW PZRPRESS/HI CONT PRESSAuctioneer (18)Logic OFF(e.g., AB matrix).Componentfailure, dc power supply pair failure.The LO PZR PRESS/HI CONT PRESS auctioneer consists of a
series of connections of contacts from the LO PZR PRESS and HI CONT PRESS hbistables. See Table 7.2-5, sheets 46 through 50.
Logic ON(e.g., AB matrix).Componentfailure.The LO PRESSURIZER PRESS/HICONT PRESS auctioneer consists of a series of connections of contacts from the LO PZR PRESS and HI CONT PRESS bistables.
See, sheets 46 through 50.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 51 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, Engineered Features, MSIS AB (Typical), Figure 7.2-13Logic MatrixBypass Relay Contact AXKB11-9 orBXKB11-9 orAXKB12-9 or BXKB12-9Contact short(e.g., AB matrix).Welded contact.The AB logic matrix will not respondto trip of either the A or the B bistables associated with the
contact.Periodic PPS testing.Assuming that eitherchannel C or D for low SG pressure is bypassed, MSIS logic for affected SG becomes 2-out-of-3 selective.When failure is detected, MSISlogic for affected SG must be
converted to 1-out-of-2 by tripping whichever channel of C and D that is not bypassed.Contact open(e.g., AB matrix).Deterioration of contactIt is not possible to bypass thebistable relay contact in the affected matrix.Periodic PPS testingA trip condition of thebistable asso- ciated with the faulty component cannot by bypassed in the AB matrix.Open coil.Bypass indicators will not illuminatewhen bypass switch is depressed. Itis not possible to bypass the bistable relay contact in the three logic matrices affected by the bistable.Bypass indicator off.Bypass not indicated on plant annunciator.An invalid trip of theassociated bistable will half trip three logic matrices.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 52 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, Engineered Features, MSIS AB (Typical), Figure 7.2-13 (cont.)Logic MatrixRelay A11-9 or B11-9 orA12-9 orB12-9 N.O. con-tact closed (e.g., AB matrix).Welded contact, fail-ure of bistable relay driver.The AB logic matrix will not respond to trip of the asso-ciated bistable.Periodic PPS testing.Assuming that eitherchannel C or D for low SG pressure is bypassed, MSIS logic for affected SG becomes 2-out-of-3 selective.When failure is detected, MSISlogic for affected SG must be
converted to 1-out-of-2 by tripping whichever channel of C and D that is not bypassed.N.C con-tact closed (e.g., AB matrix).Welded contact.The AB logic matrix for the functionis partially activated. The occurrence of a trip of the complementary bistable relay will cause the matrix to be tripped.Periodic PPS testing.AB matrix is halftripped for one of theparameters being monitored.Logic fo rthe function is aselective 1-out-of-3 logic or any2-out-of-3 signals for one parameter and any 2-out-of-4 for the other parameter.
N.O. con-tact open.Deterioration of contact.The AB logic matrix for the functionis partially acti-vated. The occurrence of a trip of the complementary bistable relay will cause the matrix to be tripped.Periodic PPS testing.Ab matrix is halftripped for one of the parameters being monitored.Both C contacts fail
into the N.O.position (e.g.,AB matrix).Open relay coil,failure of relay driver.The AB logic matrix for the functionis partially acti-vated. The occurrence of the complementary bistable relay will cause the matrix to be tripped.Annunciated on plantannunciator.AB matrix is halftripped for one of the parameters being monitored.Logic for the function is aselective 1-out-of-3 logic or any 2-out-of-3 signals for one parameter and any 2-out-of-3 for the other parameter.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 53 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, MSIS Auctioneer, Channel A (Typical), Figure 7.2-10SG LowPressure Auctioneer (33)See Table 7.2-5, sheets 51 and 52 for analysis of auctioneering circuit.2-out-of-4 Coincidence Logic, Engineered Features, CSAS-EFAS-MSIS-CIAS/SIAS, AB (Typical),Figure 7.2-13Logic MatrixRelay DriversShortedVoltage transient in circuit.ONe of the trip paths will not bedeenergized should a bona fide trip exist in the affected logic matrix.Periodic PPS testing.The three other matrixrelays have independent drives and will open 6 of the 8 trip breakers.Trip of logic matrix willnot be transmitted to one of the four trip
paths for the affectedfunction.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 54 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic, Engineered Features, CSAS-EFAS-MSIS-CIAS/SIAS, AB (Typical),Figure 7.2-13 (cont.)Transistor &Associated Componentsdriving "AB"Relay CoilsOpen.Voltage transient in circuit.ONe of the four matrix relays will bedeenergized causing one of the trip paths to be activated.The plant annunci-ator will annunciate the activation of a trip
path.The three other matrixrelays have independent drives.One of the four trip paths for the affected function will be tripped.A bona fide trip condition oranother selective single failure is required to complete the actuation. The path logic is 2-out-of-4 selective or any 3-out-of-4.Matrix Relays CSAS 3AB-1, 2,3,4
RAS 4AB-1,2,3,4 EFAS-1 7AB-1,2,3,4 EFAS-28AB-1,2,3,4MSIS 5AB-1,2,3,4 CIAS/SIAS 2AB-1,2,3,4Coil open.Coil shortMechanicalbreak in coil winding.Insulationbreakdown.A trip path is de-energized.Trip path with contact of that relay init will be de-energized.Periodic PPS testing.Trip annunciated on plant annunciator.Periodic PPS testing.Trip annunciated on plant annunciator.Each trip path is drivenfrom a separate relay, hence the other three trip
paths are unaffected.Each trip path is drivenfrom a separate relay, hence the other three trip
paths are unaffected.One of the four trip paths for the affected function is always tripped.One of the four trip paths for the affected function is always tripped.The shorted coil may cause thedriver to fail open for fail short. If the driver fails open, the symptoms will be the same as described above. If the driver fails short, the power supply will be shorted, producing the same symptoms as loss of the power supply. (See dc power distribution PS. F, PS. G, or PS. H.)
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 55 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other Effects2-out-of-4 Coincidence Logic CEA Withdrawal Prohibit (CWP), Figure 7.2-10Core ProtectorCalculator (121)Logic open.Open circuit.CWP occurs due to logic coinci-dence corresponding to two-channel signals in the 2-out-of-3 logic matrix circui
- t. Logic initiatesCWP actuation.Annunciating CWPalarm.CWPEffect upon CEDM's: Inability toraise CEA's.HI PZR PRESS (150)Logic short.Short circuit.The logic matrix will not respond to abona fide condi-tion. CWP will not occur when signal originates in any channel.Not annunciating,periodic test.Loss of CWP.CWP is not required for plantsafety.CWP Auctioneer (151)Auctioneer open.Open Circuit.CWP occurs due to logic corre-sponding to core protection calculation or HI PZR PRESS 2-out-of-3 logic.Annunciating CWPalarm, periodic test.CWPTrip Path, CSAS Blocking, Channel A (Typical) Figure 7.2-10Auto CSASPermissive (10)OpenRelay failure,broken wire.Unwarranted channel trip of CSAS.Plant annunciation,.Indication lights.CSAS actuation logic is 2-out-of-3 selective. (4th channel bypassed.)
Logic for CSAS 1-out-of-2 selective.One permissive per trip path.ShortRelay failure,electrical short.Failure to initiate CSAS channel tripwhen required.Not annunciating.Routine testing.
Logic for CSAS 2-out-of-2.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 56 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsOne-out-of-four Coincidenced Logic, RPS Alarm, Figure 7.2-10REFUEL TANKLO LEVEL (3)
SG-2 LO PRESS (31)SG-1 LOPRESS (46)
HI-HI CONT PRESS (8)
HI CONT PRESS (14)
HI CONT PRESS (25)
SG-2 SG-1 PRESS (40)SG-1 SG-2PRESS (49)
SG-2 LO LEVEL (53)
SG-1 LO LEVEL (57)
LO PZR PRESS (63)
HI PZR PRESS (66)
HI PWR DENSITY (97)
OFF (goeslow)ON (goeshigh)Componentfailure.Componentfailure.Pre-trip alarm circuit acti-vated.Loss of alarm signal for singlechannel. Protective action will still occur with alarms on other channel.Audible and visual PPSalarm in control room.Not annunciating,periodic test.Redundant channel.Nuisance alarm.Make alarm logic 1-out-of-2. (4th channel bypassed).Operator must check system todetermine if bona fide trip exists or if there is a failure in the alarm circuit.Operator will be unaware ofchannel failure until test.SG-2 HI LVL (136)
SG-1 HI LVL
(137)
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 57 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, RPS, Channel 1 (Typical), Figure 7.2-14Relay Contact6AB-1 or 6BC-1 or 6BD-1 or6AC-1 or6CD-1 or 6AD-1Shorted.Welded contact.A bona fide trip of the logic matrixassociated with the failed component will not cause de-energization of the trip path in the affected channel.Periodic PPS testing.The trip path is lost for that par-ticular logic matrix.
Reactor trip thus
converts to a selective 2-out-of-3 trip path.Each trip path uses a contactfrom a different relay, thereforethe remaining three trip pathswill be de-energized should a bona fide trip occur. The affected trip path will, however, respond properly to the action of the five other logic matrices.Open.Deterioration of contact.One of the RPS trip paths is de-energized.Trip is annunciated onthe plant annunciator.Reactor trip con-verts to any 1-out-of-3 selective or any 2-out-of-3 trip paths, Reactortrip converts to any 1-out-of-3 selective or any 2-out-of-3-trip
paths.To produce a trip still requireda 2-out-of-3 coincidence of the appro-priate bistables.To produce a trip still requires a2-out-of-3 coincidence of the appropriate bistables.Either CircuitBreakerOpen, either or both contacts.Deterioration of contacts.Relay whose contacts are used inthe reactor trip circuit breaker switchgear will be de-energized.
Relay that provides indication for PPS status panel, PPS remote module and plant annunciator will be de-energized.Annunciated on plantannunciator.Short both contacts.Welded contactsmechanicalfailure.The circuit breaker will not open,should a fault exist in the ac portionof one of the RPS trip circuits.Periodic PPS testing.No effect.Short one contact.Welded contact.NoneBench test.No effect.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 58 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, RPS, Channel 1 (Typical), Figure 7.2-14 (cont.)
Resistor 2Kohms R1 or R3Open.Overvoltage,environmental
effects.The PPS calibration and test panelfails to indicate the opening of one of the solid state relays in the RPS trip path.Periodic PPS testing.No effect uponfunctional opera-
tion of trip circuit.R2 or R4Decrease invalue.Overvoltage,environmental
effects.Indicator may be brighter than usual.Bench test.There are two equalresistors in the circuit. The operating range of the indicator is such that it will operate indefinitely even with one of the resistors
shorted out.No effect uponfunctional opera-tion of trip circuit.Increase invalue.Overvoltage,environmental
effects.Effect will not be detectable untilresistance increases sufficiently to cause indicator to be in off state.Periodic PPS testing.No effect uponfunctional opera-tion of trip circuit.FusesOpen.Transient overcurrent condition.The trip path is de-energized.Trip is annunciated onplant annunciator.Reactor trip con-verts to 1-out-of-3 selective or any 2-out-of-3 trip paths.To produce a trip will require a2-out-of-3 coincidence of the appropriate bistables.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 59 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, RPS, Channel 1 (Typical), Figure 7.2-14 (cont.)SSR3 or SSR4Input open.Voltagetransient.The relay whose contacts are used in the reactor trip cir-cuit breaker switchgear will be de-energized.Annunciated on plantannunciator.One of the four tripinputs to the reactor trip circuit breakerswitchgear will be de-energized.To produce a trip still requires a2-out-of-3 coincidence of the appropriate bistables.Input short.Voltage transientIf there is a trip present in the trippath, the fault will not be noticeable.If there is no trip present, the supplyvoltage will be momentarily reduced to zero. The fuses in the trip circuit will open and the circuit will de-energize the relay which provides aninput to the reactor trip circuitbreaker switchgear will be in the tripped condition (de-energized).
The momentary drop in power may also cause all of the other trip paths using the same power supply to be tripped momentarily. Since all trip paths, with the exception of EFAS-1 and EFAS-2, have lockout circuits, they will remain in the tripped condition.Tripped pathsannunciated on plant annunciator.Trip paths with theexception of EFAS-1 and EFAS-2 will be tripped in the affected channel. A reactor trip will exist in the affected channel.Actuation still requires a 2-out-of-3 logic coincidence of the appropriate bistables.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 60 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, RPS, Channel (Typical), Figure 7.2-14 (cont.)SSR3 or SSR4 (cont.)Output short.Voltage transientoverload.The PPS calibration and test paneldoes not indicate the opening of one of the SSRs in the trip path.Periodic PPS testing.There are two SSRs in thecircuit, either one can open the circuit thatprovides a trip to thereactor trip circuit breaker switchgear.No effect uponfunctional operation of
trip circuit.Output open.Voltage transientoverload.The relay whose contacts are usedin the reactor trip circuit breaker switchgear will be de-energized.Annunciated on plantannunciator.One of the four tripinputs to the reactor trip circuit breaker switchgear will be de-energized.To produce a trip still requires a2-out-of-3 coincidence of the appropriate bistables.
Resistor R5 or R6Decrease in resistance.Environmental effects.NoneBench Test.There are two equal resistors in the series circuit. The operating range of the SSR is such that it is still within limits if one of the resistors is
shorted.,No effect upon thefunctional opera-tion of the system.OpenEnvironmental effects.The PPS status panel will indi-cate that the trip path in the affected channel is de-ener-gized.Periodic PPS testing.No effect upon thefunctional opera-tion of system.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 61 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, RPS, Channel 1 (Typical), Figure 7.2-14 (cont.)
ResistorR5 or R6 (cont.)Increase in resistance.Environmental effects.There will be no symptoms until the resistor has increased in value to about 2,000 ohms. Valuesexceeding that may cause problemslike those listed for the failed open mode.Resistor R7 orR8 250 ohmDecrease in resistance.Environmental effects.No Symptoms.Bench Check.Two equal resistors in theseries circuit. The operating range of the
SSR is such that it is still being operated within limits with one of the
resistors shorted.
No effects upon thefunctional operation of system.Open.Environmental effects.The actuation reset indicator will beflashing when the PPS is in the test mode, indicatin that a trip path has been de-energized.Periodic PPS testing.The malfunctioning of thiscomponent does not affect the functional operation of the circuit.No effect upon thefunctional operation of the system.Increase in resistance.Environmental effects.There will be no symptoms until the resistor has increased in value to about 2,000 ohms. Values exceeding that may cause problems like those listed for the failed openmode.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 62 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, RPS, Channel 1 (Typical), Figure 7.2-14 (cont.)Indicator SSR1Output open.Voltage transientoverload.The affected trip path will indicate a trip on the PPS status panel.Periodic PPS testing.No effect uponoperation of trip path.Component does not effectfunctional operation of circuit.
Used for indication purposes only.Input open or short.Voltage transientThe affected trip path will indicate a trip on the PPS status panel.Periodic PPS testing.Resistors in the input ofthe SSR limit the current that the SSR may dra from the cir-cuit should the input of the SSR short.No effect uponoperation of trip path.Component does not affectfunctional operation of circuit.Used for indication purposes only.Output shortVoltage transientA bona fide RPS trip in the affectedchannel wsill not indicate on the PPS status panel.Periodic PPS testing.No effect uponoperation of trip path.Component does not affectfunctional opertion of circuit.Used for indication purposesonly.Test SSR2Output open,input open.Voltage transientoverload.The actuation reset indicator will beflashing when the PPS is in the test mode, indicating that a trip path has been de-energized.Periodic PPS testing.No effect uponoperation of trip path.Component does not affectfunctional operation of circuit.
Used for test purposes only.Input short.Voltagetransient.The acutation reset indicator will beflashing when the PPS is in the test mode, indicating that a trip path hasbeen de-energized.Period PPS testing.Resistors in the input ofthe SSR limit the current that the SSR may drawfrom the circuit should theinput of the SSR short.No effect uponoperation of trip path.Component does not affectfunctional operation of circuit.
Used for test purposes only.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 63 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, RPS, Channel 1 (Typical), Figure 7.2-14 (cont.)Test SSR2 (cont.)Output shortVoltage transientoverload.A bona fide RPS trip in the affectedchannel will not cause the PPS actuation reset indicator to flash when the test mode is selected.
No reset circuit flashing in test.No effect uponoperation of trip path.Component does not affectfunctional operation of circuit.
Used for test purposes only.Trip Path, Engineered Features, RAS-MSIS-EFAS,CIAS/SIAS,CSAS Channel A (Typical), Figure 7.2-15Relay ContactAB Contact (Typical)RAS-4AB-1MSIS-5AB-1 EFAS-1-7AB-1EFAS-2-8AB-1CSAS-3AB-1 CIAS/SIAS-2AB-1Shorted.Open.Welded contact.Deterioration of contact.A bona fide trip of the logic matrixwith the failed component will not cause de-energization of the trip path in the affected channel.The trip path will be de-energized.Periodic PPS testing.Trip is annunciated onthe plant annunciator.The trip path isinoperative for that particular logic matrix.
Actuation is dependent upon a selective 2-out-of-3 remaining trip
paths.Trip path logic convertsto 1-out-of-3 selectiveor any 2-out-of-3.Since each trip path used acontact from a different coil, the remaining three trip paths willbe de-energized if a bona fidetrip is present.Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables.FuseOpen.Tranient overcurrent condition.The trip path will be de-energized.Trip is annunciated onthe plant annunciator.Trip path logic convertsto 1-out-of-3 selective or any 2-out-of-3.Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 64 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, RAS-MSIS-EFAS,CIAS/SIAS,CSAS Channel A (Typical),Figure 7.2-15 (cont.)Test SSROutput open,input short.Overloadvoltage transient.The acutation reset indicator will beflashing when the PPS is in the test mode, indicating that a trip path hasbeen de-energized.Periodic PPS testing.Current limiting resistorsR5 and R6 prevent malfunctioning ofthiscomponent from affectingthe functional operation of
the circuit.None.Safety function of circuit notimpaired.Output short.Voltage transientoverload.The actuation reset indicator on thePPS will not flash when the trip path with the faulty component is exercised.Periodic PPS testing.None.Safety function of circuit notimpaired.Latching Circuit SSR Output open,input open, input short.Overloadvoltage transient.The trip path will be de-energized.Trip is annunciated onthe plant annunciator.Actujation converts toa selective 1-out-of-3 logic tri0p path, or any
2-out-of-3.To obtain an acutation stillrequires a 2-out-of-3 coincidence of the appropriate bistables.
Output shorted.Voltage transientoverload.The trip circuit will not lock out.Should the bistable switch from a tripped to untripped to tripped etc.,
the trip circuit will follow the
fluctuations.The trip circuit will notremain in the tripped condition but will follow the action of the series string of matrix relays
contacts.The actuation circuit should notfollow any fluctuating conditionfor under a trip condition all four trip paths should be de-energized and three will be locked in that state. Since a contact of a locked in trip path is in series with the trip path whch is not locked in, the circuit that is locked in will mask any operations of the circuit that does not lock in.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 65 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, RAS-MSIS-EFAS-CIAS/SIAS,CSAS Channel A (Typical), Figure 7.2-15 (cont.)
250 ohm Resistor R1 or
R2Open.Environmental effects.The trip path will be de-energized.Trip path de-ener-gization is annun- ciated on the plant annunciator.Actuation converts to aselective 1-out-of-3 logic trip path, or any 2-out-of-3.Actuation still requires any 2-out-of-3 coincidence of the bistables.Decrease in resistance.Environmental effects.No symptoms.Bench check.Two equal resistors in the series of circuit. Operating range of the SSR in the
latching circuit is such that it is still within limits if one
of the resistors is shorted.None.Safety function of circuit notimpaired.Increase in resistance.Environmental effects.There will be no symptoms until resistor has increase in value toabout 2K ohms. Values exceeeding that will cause problems similar to those listed for the failed open mode.250 ohm Resistor R3 or
R4Decrease in resistance.Environmental effects.No symptoms.Bench check.Two equal resistors in theseries circuit. The operating range of the
SSR is such that it is still within limits if one of the resistors is shorted.None.Safety function of circuit notimpaired.OpenMechanicalfailure.The PPS status panel and PPSremote module will indicate a trip for the affected function.Periodic PPS testing.None.Safety function of circuit notimpaired.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 66 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, RAS-MSIS-EFAS,CIAS/SIAS,CSAS Channel A (Typical), Figure 7.2-15 (cont.)
250 ohm Resistor R3 or
R4 (cont.)Increase inreistance.Environmental effects.There will be no symptoms until the resistor has increased in value to about 2K ohms. Values exceedingthat will cause problems like thoselisted for the failed open mode.
250 ohm Resistor R5 or
R6Decrease in resistance.Environmental effects.No symptoms.Bench check.Two equal resistors in theseries circuit. The operating range of the
SSR is such that it is still being operated within limits with one of the resistor shorted.None.Safety function of circuit notimpaired.Open.Mechanicalfailure.The actuation reset indicator will beflashing when the PPS is in the test mode, indicating that a trip path has been de-energized.Periodic PPS testing.None.Safety function of circuit notimpaired.Increase in resistance.Environmental effects.There will be no symptoms until the resistor has increased in value toabout 2K ohms. Values exceedingthat will cause problems like those listed for the failed open mode.Indicator SSROutput open,input open.Voltagetransient.A trip will constantly be indicated on the PPS status panel and the PPS remote module for the function and channel affected.Periodic PPS testing.None.Safety function of circuit notimpaired.Input fails short.Voltagetransient.A trip will constantly be indi-cated on the PPS status panel and the PPS remote module for the function and channel affected.Periodic PPS testing.Resistors in the input ofthe SSR limit the current that the SSR may draw from the cir-cuit should the input of the SSR short.None.Safety function of circuit notimpaired.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 67 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, RAS-MSIS-EFAS-CIAS/SIAS,CSAS Channel A (Typical), Figure 7.2-15 (cont.)Output fails.Voltagetransient.A bona fide trip for the function andchannel affected will not be
indicated on the PPS status panel and the PPS remote module.Periodic PPS testing.NoneSafety function of circuit notimpaired.Remote ManualTrip Path P/BOpen.Mechanicalfailure, deterioration of
contact.The trip path will be de-energized.Trips is annunciated onthe plant annunciator.The actuation cir-cuit converts to 1 or 2
out of the three remaining logic trip
paths.A 2-of-3 coincidence of theappropriate bistables is still required to produce an actuation. Another selective fault could also produce an actuation.Short.Mechanicalfailure.A trip cannot be introduced into thetrip path manually.Periodic PPS testing orwhen attempting tomanually introduce a
trip.That particular circuitcannot be trippedmanually.The other three trip paths arenot affected by the failure.Lockout ResetP/BOpen.Mechanicalfailure, deterioration of
contact.It will not be possible to reset theaffected trip path once it is de-energized.Periodic PPS testing orwhen attempting to reset the trip path after a trip.
Trip path de-energized annunciated on plantannunciator.Trip circuit cannot bereset once tripped.
Actuation logic will be 1-out-of-3 selective or any 2-out-of-3.Short.Mechanicalfailure.The trip circuit will not lock out.Should the series string of contactschange state, the initiation relays will follow the action of the string.Period PPS testing.None.The actuation circuit should notfollow any fluctuations, forunder a trip condition all fourtrip paths will be de-energized, the result of which being the locking in of the three trip paths without faulty components. One of the locked in cir-cuits will thus mask any operations of the circuit which is not locked in.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 68 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, SIAS-CSAS-CIAS Channel A (Typical), Figure 7.2-16SIAS or CIASLockout Reset P/BOpenMechanicalfailure, deterioration of contact.It will not be possible to reset theaffected trip path once it is de-energized.Periodic PPS testing orwhen attempting to reset the trip path after a trip.Trip path de-energization annunciated on plant annunciator.Trip circuit cannot bereset once tripped.
Actuation logic will be
1-out-of-3 selective or any 2-
out-of-3.ShortMechanicalfailureThe trip circuit will not lock out.Should the control circuit change state the initiation relays will follow the action of the control circuit.Periodic PPS testing.None.The actuation circuit should notfollow any fluctuations of the trip circuit, for under a trip condition all four trip paths will be de-energized, resulting in the locking in of the three trip paths without faulty components. One of the lockedin circuits will thus mask anyoperations of the circuit which is not locked in.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 69 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, SIAS-CSAS-CIAS Channel A (Typical), Figure 7.2-16 (cont.)SIAS or CIASor CSAS Test
SSR Output open,input open.Input short.Voltage transientoverload.Voltage.The actuation reset indicator will beflashing when the PPS is in the test mode, indicating a trip path hasbeen deenergized.The acutuation reset indicator will beflashing when the PPS is in the test mode, indicating that a trip path has been de-energized.Periodic PPS testing.Periodic PPS testing.Current limiting resistorsprevent malfunctioning of this component from affecting functional operation of the circuit.None.None.Safety function of circuit notimpaired.Safety function of circuit notimpaired.Output shortVoltage transientoverload.The actuation reset indicator on thePPS will not flash when the trip path with the faulty component is exercised.Period PPS testing.None.Safety function of circuit notimpaired.SIAS or CIASor CSASIndicator SSR Output open,input open.Voltage transientoverload.A trip will constantly be indicated on the PPS status panel and PPSremote module for the function and channel affected.Periodic PPS testing.None.Safety function of circuit notimpaired.Input short.Voltagetransient.A trip will constantly be indi-cated on the PPS status panel and PPS remote module for the function and channel affected.Periodic PPS testing.Current limiting resistorsprevent malfunctioning of this component from affecting functional operation of the circuit.None.Safety function of circuit notimpaired.Output short.Voltage transientoverload.A bonafide trip for the function andchannel affected will not be
indicated on the PPS status panel and the RPS remote module.Periodic PPS testing.None.Safety function of circuit notimpaired.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 70 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, SIAS-CIAS-CSAS Channel A (Typical), Figure 7.2-16 (cont.)Relay Contact2AB-1 or 2BC-1 or 2BD-1 or2AC-1 or2CD-1 or 2AD-1Shorted.Welded contact.The trip path will not be de-energized when a valid trip signal is received from the affected 2-of-4 coincidence matrix.Periodic PPS testing.The trip path isinoperative for that particular logic matrix.
Actuation is dependent upon selective 2-out-
of-3 trip path for theaffected functions(SIAS, CIAS, CSAS).A trip condition sensed by alogic matrix will de-energize all
four trip paths, thus the loss of one trip path should not prevent actuation of the function(s).Open.Deterioration of contact.One of the trip paths for SIAS andCIAS will be de-energized, and the trip path for CSAS will be partially tripped. (Two con-
ditions are required for CSAS, one of them will appear to be satisfied.)Trip is annunciated onthe plant annunciator.Trip actuation be-comes 1-out-of-3 selective or any 2-out-
of-3.Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables.SIAS AuxiliaryOpen coilSustainedovervoltage.One of the paths to the initia-tion relays of the affected CSAS tripchannel will be open (two conditions
are required for CSAS, one of those conditions will be satisfied).Periodic PPS testing.No effect unless theother trip condition is also present. If the other condition ispresent, a trip will bepresent in one CSAS
trip circuit.Actuation still requires a 2-out-of-3 coincidence one of the bistables for both of the parameters that are monitored for CSAS.Shorted coilDeterioration ofinsulation.A shorted coil will cause the fuse(s)supplying the SIAS and CCAS trip paths in the affected channel to open. This will result in a trip in the SIAS and CCAS trip paths. The CSAS trip path will also be partially tripped.Trips are annunciatedon the plant annunciator.Trip actuation convertsto 1-out-of-3 selectiveor any 2-out-of-3.Actuation still requires a 2-out-of-3 coincidence of theappropriate bistables for each
of the functions.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 71 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, SIAS-CIAS-CSAS Channel A (Typical), Figure 7.2-16 (cont.)SIAS AuxiliaryRelay Contact.Short.Welded contact.The CSAS trip path with the affectedcomponent will not respond to a trip condition.Periodic PPS testing.One CSAS trip path isinoperative. Actuation is dependent upon aselective 2-out-of-3remaining trip paths for
CSAS.When a trip condition issensed, all four trip paths will be de-energized, thus the loss of one trip path should not prevent actuation.Open.Deterioration of contact.One of the paths to the initi-ation relays of the affected CSAS trip channel will be open (two
conditions are required for CSAS, one of those condi-tions will be satisfied).Periodic PPS testing.No effect unless theother trip condition isalso present. If theother condition is also present, a trip will be present in one CSAS
trip circuit.Actuation still requires a 2-out-of-3 coincidence of the bistable. (Therefore, a coincidence of 2-out-of-3 of the bistables monitoring thepertinent parameter isrequired.)Relay Contact3AB-1 or 3BC-1 or 3BD-1 or 3AC-1 or 3CD-1 or 3AD-1Shorted.Welded contact.The CSAS trip path containing theaffected component will not respondto a trip from the logic matrix in which the faulty component is located.Periodic PPS testing.The trip path isinopertive for that particular logic matrix.
Actuation is dependent upon a selective 2-out-of-3 of the remainingtrip paths.A trip condition sensed by alogic matrix will de-enerize all
four trip paths, thus the loss of one trip path will not prevent acutation.Open.Deterioration of contact.One of the CSAS paths to theinitiation relays of the affec-ted trip channel will be partially enabled. (Two condi-tions are required for CSAS, one will
be satisfied.)Periodic PPS testing.No effect unless aSIAS trip is alsopresent. If SIAS is present, a trip will be present in one CSAS
trip circuit.Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables and the presence of an SIAS trip.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 72 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, SIAS-CIAS-CSAS Channel A (Typical), Figure 7.2-16 (cont.)
Resistor R3 or R4 or R9 orR10 orR15 or R16 Open.Decrease in resistance.Mechanicalfailure.Environmental effects.The PPS status panel and PPSremote module will indicate a trip for the affected function.No symptoms.Periodic PPS testing.Bench check.There are two resistors inthe series circuit. The operating range of the SSR is broad enough to tolerate a short in one of the resistors.None.None.Safety function of circuitnot impaired.Safety function of circuit notimpairedIncrease in resistance.Environmental effects.There will be no symptoms until the resistor has increased in value to approximately 2000 ohms. Values exceeding that will cause the same problems as those listed for the failed open condition.
Resistor R1 or R2 or R7 or R8 or R13 or R14Open.Mechanicalfailure.The trip path containing the affectedcomponent will be de-energized.Trips are annunciatedon the plant annunciator.Actuation converts to aselected 1-out-of-3 or any 2-out-of-3.Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 73 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, SIAS-CIAS-CSAS Channel A (Typical), Figure 7.2-16 (cont.)
Resistor R1 or R2 or R7 or R8 orR13 or R14 (cont.)Decrease in resistance.Environmental effects.No symptoms.Bench check.There are two equal resistors in the series circuit. Operating range of the SSR in the latching
circuit is such that even with one of the resistorsshorted the device will stillbe within the operating
range.None.Safety function of circuit notimpaired.Increase in resistance.Environmental effects.There will be no symptoms until the resistor has increased in value to approximately 2K ohms. Values exceeding that will cause the same problems as those listed for the failed open condition.
Resistor R5 or R6 or R11 or R12 or R17 or R18 Open.Decrease in resistance.Mechanicalfailure.Environmental effects.The actuation reset indicator will beflashing when the PPS is in the test mode, indicating that a trip path has
been de-energized.No symptoms.Periodic PPS testing.Bench check.There are two equal resistors in the series circuit. The operating range of the SSR is broad enough to tolerate a short
in one of the resistors.None.None.Safety function of circuit notimpaired.Safety function of circuit notimpaired.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 74 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsTrip Path, Engineered Features, SIAS-CIAS-CSAS Channel A (Typical), Figure 7.2-16 (cont.)
Resistor R5 or R6 or R11 orR12 orR17 or R18 (cont.)Increase in resistance.Environmental effects.There will be no symptoms until the resistor has increased in value to approximately 2K ohms. Values exceeding that will cause the same problems as those listed for the failed open condition.Fuse F1 or F2Open.Transient overcurrent condition.The SIAS and CIAS trip paths in thatchannel will be de-energized. The CSAS trip path will be partially enabled.Trip are annunciated onthe plant annunciator.Trip actuation convertsto 1-out-of-3 selective or any 2-out-of-3 trip
paths.Actuation still requires 2-out-of-3 coincidence of the appropriate bistables.SIAS or CIASor CSAS Remote Manual P/BOpen.Mechanicalfailure, deterioration of
contact.The trip path with the faultycomponent will be de-energized.Trip is annunciated onplant annunciator.The actuation circuit converts to a selected 1-out-3 trip paths for the function in questionor any 2-out-of-3.A 2-out-of-3 coincidence of theappropriate bistables is still required to produce an actuation.Short.Mechanicalfailure.A trip cannot be introduc ed into thetrip path manually.Periodic PPS testing orwhen attempting tomanually introduce a trip.One of the four trip paths for the affectedfunction cannot betripped manually.A manual trip can still begenerated for the function in question by depressing thecorrect pair of remote manualpushbuttons in the three
unaffected trip circuits.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 75 of 119) Revision 309 (06/16)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS
Name
Failure Mode
Cause
Symptoms and Local Effects
Including Dependent Failures Method
of Detection Inherent
Compensating Provision Effect
Upon
PPS Remarks
and
Other Effects Actuators, RPS-Trip, Channel A (Typical), Figure 7.2-10 CEA Drop (111) One CEA fails to drop.
Inadvertent
CEA drop.
CEA mechanical failure.
CEDM coil
failure. None - safety analytses assume most reactive CEA stuck out of core
on trip. Possible change in calculated DNBR and local power density margins.
CEA position indicator.
Annunciate, CEA deviation alarm, CEA
position indication, dropped CEA indicator.
Reduced operating margins. Inadvertent drop of four symmetric
CEA's. CEDMCS logic element failure.
Possible change in calculated DNBR and local power density margins. CEA position indica-tion, dropped CEA
indicator. Reduced operating margins. (LBDCR 14-021, R309)
Open CEDM Power Supply
(108) No single failure modes. One CEDM MG set, trip circuit
breaker, or trip
path actuates or
fails to actuate.
A single failure of MG set or TCB will not initiate or prevent a reactor
trip during routine operation.
Plant annunciation and status indicator lights for vcircuit breakers and
phase current.
Redundant MG set, and trip paths. None. May initiate reactor trip, turbine trips or block steam bypass (if Tave is low). If single failure
occurs during testing. [*] (LBDCR 14-021, R309)CEDM Bus Under Voltage
(107) Off Shorted or opened UV relay
coil. Reduces turbine trip to 1/3 logic and steam bypass block to 1/3 logic.
Annunciated indicator lights. Logic converts to 1-out-of-3 coincidence.
On Mechanically jammed relay. Turbine trip and steam bypass block becomes 2/3 logic.
Not annunciated.
Periodic testing. Logic converts to 2-out-of-3 coinci-
dence. Off Shorted or opened UV relay coil while testing
another UV relay. Initiates turbine trip and steam bypass block.
Plant reactor trip annunciator and UV
indicator lights. Steam bypass blocked only if Tave is low.
(LBDCR 14-021, R309)
[*] CLARIFYING REMARK: Related entry (i.e. #108) governing context is single failure directly related to CEDM power opening (or low output) based on supporting the safety function of removing-power/dropping-CEAs/tripping. Beyond said governing context, it is acknowledged that OE has evidenced single failure vulnerability (but with trip result noted as already bounded in FMEA Table) for initiating trip from MG high output scenarios which can unload unaffected MG with it tripping on low output along with affected MG subsequently failing on high output resulting in si multaneous loss of both MGs and inadvertent/initiated trip (noting no single failure vulnerability relative to supporting the safety function). (LBDCR 14-021, R309)
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 76 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, RPS-Trip, Channel A (Typical), Figure 7.2-10 (cont.)Manual Trip (105)No trip output.Mechanicallyjammed switch.Failure to open associated reactortrip circuit breakers (TCBs) when
actuated.Not annunciated.Periodic testing.None.Redundant pair of manual tripPB's available.Trip output.Wiring open or shorted.Opening of associated TCBs,changes selective 2-out-of-4 to selective 1-out-of-3 logic.Annunciated. Breakerindication lights and phase current monitors.
Logic converts to 1-out-of-3 selective.Actuators, RPS-Trip, (Path No. 1-Typical), Figure 7.2-7ActuationRelay (K1-K4)Coil open.Broken wire,sustained overvoltage.Unwarranted channel trip.Annunciated. Breakerindication lights and phase current monitors.Trip path no. 2.Logic for RPS trip converts to 1-out-of-3 selective or any 2-out-
of-3.Trip path no. 3 and 4 unaffected, and redundant.Coil short.Deterioration ofinsulation.Unwarranted channel trip.Annunciated. Breakerindication lights and phase current monitor.Trip path no. 2.Logic for RPS trip converts to 1-out-of-3 selective or any 2-out-
of-3.Trip path no. 3 and 4 unaffected, and redundant.
Output contact to
under-voltage trip coil open.Broken wire, contact failure.Unwarranted channel trip.Annunciated. Breakerindication lights and phase current monitors.Trip path no. 2.Logic for RPS trip converts to 1-out-of-3 selected or any 2-out-of-3.Trip path no. 3 and 4 unaffected, and redundant.
Output contacts to shunt trip
coils closed.Contact failure, shorted contact.Unwarranted channel trip.Annunciated. Breakerindication lights and phase current monitors.Trip path no. 2.Logic for RPS trip converts to 1-out-of-3 selective or any 2-out-
of-3.Trip path no. 3 and 4 unaffected, and redundant.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 77 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, RPS-Trip (Path Nol. 1-Typical), Figure 7.2-7 (cont.)ActuationRelay (K1-K4)
(cont.)Output contacts to
under-voltage trip coil closed.Shorted contact, contact failure.Failure to initiate RPS channel tripwhen required.Periodic testing.Redundant channel trippath to shunt trip coil.Logic for RPS Trip converts to 2-out-of-3
selective.Any valid trip condition will de-energize all three remaining trip
paths.Output contacts to shunt trip coils open.Contact failure,broken wire.Failure to initiate RPS channel tripwhen required.Periodic testing.Redundant channel trippath to undervoltage trip coil.LOgic for RPS Trip converts to 2-out-of-3
selective.Manual Trip (1.2)Contact toundervolt-age trip coil opens.Contact failure,broken wire.Unwarranted channel trip.Annunciated. Breakerindication lights andphase current monitors.Logic for RPS Trip converts to 1-out-of-3 selective or any 2-out-of-3.Contacts toshunt trip
coils closed.Contact failure, shorted contact.Unwarranted channel trip.Annunciated. Breakerindication lights and phase current monitors.Logic for RPS Tripconverts to 1-out-olf-3
selective.
Contacts to under-voltage trip
coil closed.Contact failure, shorted contact.Failure to initiate manual channeltrip when required.Periodic testing.Automatic RPS trip,manual trip for shunt trip coil.None.Contacts toshunt trip coils open.Contact failure,broken wire.Failure to initiate manual RPSchannel trip when required.Periodic testing.Automatic RPS trip,manual trip for undervoltage trip coil.None.Undervoltagetrip coil.Coil open.Broken wire,sustainedovervoltage.Unwarranted channel trip.Annunciated. Breakerindication lights andphase current monitors.None.Logic for RPS con-verts to 1-out-of-3selective or any 2-out-of-3.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 78 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, RPS-Trip (Path Nol. 1-Typical), Figure 7.2-7 (cont.)Undervoltagetrip coil (cont.)Coil short.Deterioration ofinsulation.Unwarranted channel trip.Annunciated. Breakerindication lights and phase current monitors.None.Shunt Trip CoilCoil open.Broken wire,sustained overvoltage.Local shunt coil trips.Periodic testing.Undervoltage trip coil.Logic for RPS con-verts to 1-out-of-3 selective or any 2-out-
of-3.Coil shorts.Deterioration ofinsulation.Shorted coil will cause breakerssupplying 125V-dc to trip, in turncausing under-voltage trip coil to lose voltage.Annunciated. Breakerindication lights andphase current monitors.Logic for RPS con-verts to 1-out-of-3selective or any 2-out-of-3.125 VDC Bus (1-4)LowOpen, short,blow fuse.Unwarranted channel trip.Annunciated. Breakerindication lights and phase current monitors.None.Logic for RPS trip converts to 1-out-of-3 selective or any 2-out-
of-3.480V. 3-PhaseBus (1,2)LowOpen, short,open input breaker.MG from unaffected bus has anincrease in load.Annunciated. Breakerindication lights, MG set voltage and current.None.None.There are two MG sets for plantavailability and they will havea no effect on the RPS tripsystem.MG (1,2)MCB (1,2)
M (1,2)Output LowMotor orgenerator failure, breaker failure.Increased load on the unaffectedMG.Annunciated. Breakerindication lights, MG set voltage and current.None.Shorted output lines.Increased load on the unaffectedMG.Annunciated. Breakerindication lights, MG set voltage and current.None.Possible reactor shutdown if the short results in a loss 9of both MG sets.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 79 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, RPS-Trip (Path Nol. 1-Typical), Figure 7.2-7 (cont.)TCB (1-8)Main Breaker
contactsClosed.Mechanical short.Failure to initiate RPS channel tripwhen required.Periodic testing.Redundant trip paths.Logic for RPS trip converts to 2-out-of-3
selective.Open.Mechanicalshort, broken wire.Unwarranted channel trip.Annunciated. Breakerindication lights and phase current monitors.Logic for RPS trip converts to 1-out-of-3 selective or any 2-out-
of-3.Bus Tie TCB-9Closed.Mechanical short.None.Annunciated. Breakerindication lights.None.Open.Mechanicalshort, brokenwire.None.Periodic testing.None.CEDM PowerSupply Undervoltage RelaysOpen.Shorted under-voltage relay or (open coil or
contact).Unwarranted channel trip for turbinetrip and steam bypass block.Annunciated. Indicating lights.Logic for turbine tripand steam bypass block is 1-out-of-3
selective.Closed.Mechanicallyfailed.Failure to initiate channel trip forturbine trip and steam bypass blockwhen required.Periodic testing.Redundant channel trip.Logic for turbine tripand steam bypassblock is 2-out-of-3
coinci-dence.CurrentMonitoringLowOpen or shorted sensor.None.Indicating light.None.None.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 80 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, RPS-Trip Channel A (Typical), Figure 7.2-10TurbineControls (109)Not part of the plant protectionsystem.RPS SteamBypass System (110)
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 81 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, Core Protection Calculator, Channel A (Typical), Figure 7.2-10CEA DeviationAlarm (112)OffShorted input.Failure to annunciate when required.Not annunciating.Periodic test.Redundant channel.Operator will be unaware ofCEA deviation alarm failure
until test.OnOpen input.Unwarranted annunciation.Audible and visual PPSalarm in control room.Nuisance alarm.Operator must check system todetermine if bona fide trip exists or if there is a failure in the alarm circuit.Actuators, Plant Computer, Figure 7.2-10PlantComputer (117)OffLoss of CPU.
Loss of ac power.No effect to PPS. All input;/ outputdata transsmision is isolated. No credible failure can prevent the PPS from performing its intendedfunction.Annunciating. Plantannunciator.None.Actuators, Alarm, Channel A (Typical), Figure 7.2-10Trip Alarm (114)OnComponentfailure.Annunciating horn is activated andalarm lights are lit.Annunciating. Audible, visual.Nuisance alarm.Operator must check system todetermine if alarm is valid.Pre-Trip Alarm (115)OffComponentfailure.Alarm does not occur for bona fidecondition.Not annunciating.Periodic test.Redundant lights. Processinstrumenta-tion alarm.No alarm for ESF orRPS actuation.Operator will become aware ofproblem if it should exist by other plant conditions andmeter indications.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 82 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, RAS, Channel A (Typical), Figure 7.2-10RAS (5)Initiation RelayShort(Fail ON)Relay failure,electrical short.Unable to initiate RAS channel tripwhen required.Not annunciating.Indication lights.
Periodic testing.Two relays must fail toprevent a RAS channel
trip.Logic for RAS con-verted to 2-out-of-3
selective.Two solid state relays per trippath. A single relay failing short does not prevent requiredactuation.
Open(Fail OFFRelay failure,loss of relay driver.Unwarranted RAS channel trip.Plant annunciation.Indication lights.
Periodic testing.RAS actuation logis is 2-out-of-3 selective.Logic for RAS con-verted to 1-out-of-3
selective.Single relay failing open doesnot trip either A or B train. It only trips one of the 4-channels to a train.Actuators, MSIS, Channel A (Typical), Figure 7.2-10MSIS (37)Initiation RelayShort(Fail ON)Relay failure,electrical short.Unable to initiate MSIS channel trip,when required.Not annunciating.Indication lights.Periodic testing.Two relays must fail toprevent a MSIS channel trip.Logic for MSIS con-verted to 2-out-of-3 selective.Two solid state relays per trippath. A single relay failure shortdoes not prevent requiredactuation.
Open(Fail OFF)Relay failure,loss of relay driver.Unwarranted MSIS channel trip.Plant annunciation.Indication lights.
Periodic testing.MSIS actuation logic is 2-out-of-4 selective.Logic for MSIS con-verted to 1-out-of-3
selective.A single relay failing open doesnot trip either A or B train. It only trips one of the 4-channels to a train.Actuators, MSIS Manual, Channel A (Typical), Figure 7.2-10RemoteManual ESF (56)OpenDirty switchcontacts, brokenwire.Unwarranted channel trip of MSIS.Annunciated. Indication lights.Logic for MSIS con-verted to 1-out-of-3 selective.One manual switch per trip path.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 83 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, MSIS Manual, Channel A (Typical), Figure 7.2-10 (cont.)RemoteManual ESF (56)
(cont.)ShortSwitch failure.Failure to manually initiate MSISchannel trip when required.Not annunciated.Periodic testing.Select other manual tripswitch pair. Automatic MSIS when required.Logic for MSIS con-verted to 2-out-of-3 selective manual.Selective 2-out-of-4 to actuate.Actuators, CSAS, Channel A (Typical), Figure 7.2-10CSAS InitiationRelay (12)Short (one fail ON)Relay failure(s),electrical short.Failure to initiate CSAS channel trip,when required.Not annuncated.Indication lights.
Periodic testing.Two relays must fail to prevent a CSAS channel
trip.Logic for CSAS con-verted to 2-out-of-3
selective.Two solid state relays per trippath. A single relay failing short does not prevent requiredactuation.
Open (onefail OFF)Relay failure(s),loss of relay driver.Unwarranted CSAS channel trip.Plant annunciation.Indication lights. Period testing.CSAS actuation logic is 2-out-of-4 selective.
Logic for CSAS con-verted to 1-out-of-3
selective.A single relay failing open doesnot trip either A or B train. It only trips one of the 4-channels to a train.Actuators, CSAS-Manual, Channel A (Typical), Figure 7.2-10RemoteManualESF (38)OpenDirty switchcontacts, broken wire.Unwarranted channel trip of CSAS.Annunciated. Indication lights.Logic for CSAS con-verted to 1-out-of-3
selective.One manual switch per trip path.ShortSwitch failureFailure to manually initiate CSASchannel trip when required.Not annunciated. Periodtesting.Select other manual tripswsitch pair. Automatic initiation when required.Logyic for CSAS con-verted to 2-out-of-3 selective for manual.Selective 2-out-of-3 to actuate.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 84 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, SIAS, Channel A (Typical), Figure 7.2-10SIASInitiation Relay
(22)Short (one fails ON)Relay failure,electrical short.Failure to initiate SIAS channel trip.Not annunciated.Indication lights.
Periodic testing.Two relays must fail toprevent a SIAS channel
trip.Logic for SIAS con-verted to 2-out-of-3
selective.Two solid state relays per trippath. A single relay failing short does not prevent requiredactuation.
Open (onefails OFF)Relay failure,loss of relay driver.Unwarranted SIAS channel trip.Plant annunciation.Indication lights. Period testing.SIAS actuation logic is 2-out-of-4 selective.Logic for SIAS con-verted to 1-out-of-3
selective.A single relay failing does nottrip either A or B train. It only trips one of the 4-channels to a train.Actuators, SIAS Manual, Channel A (Typical), Figure 7.2-10RemoteManual ESF (23Open.Dirty switchcontacts brokenwire.Unwarranted channel trip of SIAS.Annunciated. Indication lights.Logic for SIAS con-verted to 1-out-of- 3 selective.One manual switch per trip path.Short.Switch failure.Failure to manually initiate SIASchannel trip when required.Not annunciated.Periodic testing.Select other manual tripswitch pair. Automatic initiation when required.Logic for SIAS con-verted to 2-out-of-3
selective.Selective 2-out-of-4 to actuate.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 85 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsINTENTIONALLY DELETEDActuators, CIAS, Channel A (Typical), Figure 7.2-10CIAS InitiationRelay (17)Short.Relay failure(s).Failure to initiate CIAS channel trip,when required.Annunciated. Indicationlights. Periodic testing.Two relays must fail toprevent a CIAS channel trip. CIAS actuation logic is 2-out-of-4 selective.Logic for CIAS con-verted to 2-out-of-3
selective.Two solid state relays per trippath. A single relay failing short does not prevent required actuation.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 86 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, CIAS, Channel A (Typical), Figure 7.2-10 (cont.)CIAS InitiationRelay (17)
(cont.)Open.Relay failure(s).
Loss of relay driver.Unwarranted CIAS channel trip.Plant annunciation.Indication lights.
Periodic testing.Logic for CIAS con-verted to 1-out-of-3
selective.A single relay failing open doesnot trip eithr A or B train. It onlyh trips one of the 4-channels to a train.Actuators, CIAS, Channel A (Typical), Figure 7.2-10 (cont.)EFAS-2Initiation Relay
(132)
EFAS-1 Initiation Relay
(133)Short (one fails ON)Relay failures,electrical short.Failure to initiate EFAS channel tripwhen required.Not annunciating.Periodic testing.Tewo relays must fail toprevent an EFAS channel
trip.Logic for EFASbecomes 2-out-of-3
selective.Two solid state relays per trippath. A single relay failing short does not prevent required actuation.
Open (onefails OFF)Relay failures,loss relay driver.Unwarranted EFAS channel trip.Plant annunciation.Indication lights.
Periodic testing.Actuation logic is 2-out-of-4 selective.Logic for EFAS is converted to 1-out-of-3
selective.A single solid state relay failingopen does not trip either A or B train. It only trips one of 4 inputs to the 2-out-of-4selective logic for each train.RemoteManual ESF
(79)Open.Dirty swsitchcontacts, broken wire.Unwarranted channel trip of EFAS.Annunciated. Indication lights.4-channel redundancy.Logic for EFAS is converted to 1-out-of-3
selective.One manual switch per trip path.RemoteManual EFS
(81)Short.Switch failure.Failure to manually initiate EFASchannel trip when required.Not annunciated,periodic testing.Select other manual tripswitch pair.Logic for EFAS is converted to 2-out-of-3 selective for remote manual.Selective 2-out-of-4 to actuate.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 87 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, CIAS-Manual, Channel A (Typical), Figure 7.2-10RemoteManual ESF (78)Open.Dirty switchcontacts broken wire.Unwarranted channel trip of CIAS.Annunciated. Indication lights.Logic for CIAS con-verted to 1-out-of-3
selective.One manual switch per trip path.Short.Switch failure.Failure to manually initiate CIASchannel trip when required.Not annunciated.Periodic testing.Automatic CIAS actuationavailable.Logic for CIAS con-verted to 2-out-of-3
selective.Selective 2-out-of-4 to actuate.Actuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17SSR-1 (SSR-2) for SIAS and CIASOutput open.Overload,broken wires,voltage transient.Unwarranted channel trip.Channel trip isannunciated.Actuation circuit converts to 1-out-of-3 selective.A 2-out-of-3 coincidence of theappropriate bistables is stillrequired to obtain an actuation.Output short.Voltage transientoverload.Failure to initiate a channel trip whenrequired.Period testing.Redundant channels.Actuation circuit converts to 2-out-of-3
selective.The redundant actuation circuitis unaffected by the fault and will respond properly.Input openVoltagetransient, broken wire.Unwarranted channel trip.Channel trip isannunciated.Actuation circuit converts to 1-out-of-3
selective.A 2-out-of-3 coincidence of theappropriate bistables is still required to obtain an actuation.Input shorted.Voltagetransient.Results in a blown fuse in the trippath and an unwarranted channel
trip in both actuator l ogic circuits forSIAS and CCAS.Channel trip isannunciated.Actuation circuit converts to 1-out-of-3
selective.A 2-out-of-3 coincidence of theappropriate bistables is still required to obtain an actuation.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 88 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 (cont.)SSR-1A(SSR-2A) for CIAS, RAS, MSIS,EFAS-1,EFAS-2, CSASOutput open.Overload brokenwire, voltage transient.Unwarranted channel trip.Channel trip isannunciated.Actuation circuit converts to 1-out-of-3
selective.A 2-out-of-3 coincidence of theappropriate bistables is still required to obtain an actuation.
Output shorted.Voltage transientoverload.Failure to initiate a channel trip.Periodic testing.Redundant channels.Actuation circuit converts to 2-out-of-3
selective.The redundant actuation circujitis unaffected byh the fault and will respond properly.Input open.Voltagetransient, brokenwire.Unwarranted channel trip.Channel trip isannunciated.Actuation circuit converts to 1-out-of-3 selective.A 2-out-of-3 coincidence of theappropriate bistables is still required to obtain an actuation.Input shorted.Voltagetransient.Results in a blown fuse in the trippath and an unwarranted channel trip in both trains of actuator logic
circuits.Channel trip isannunciated.Actuation circuit converts to 1-out-of-3
selective.A 2-out-of-3 coincidence of theappropriate bistables is still required to obtain an actuation.120V-acVital BusLowBreaker open.Loss of power supply output.Annunciation.Redundant power supplyOne channel of powersupply is left for either the valve or pump actuation relays.Power SupplyLowPower supplyfailure. Shorted annunciator relay.Loss of power supply output.Annunciation.Redundant power supply.One channel of powersupply is left for either the valve or pump actuation relays.P/AAnnunciation RelaysOpen coil.Sustainedovervoltage, broken wire.Erroneous annunciation of powersupply failure.Annunciation.Redundant power supply.None.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 89 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 and 7.2-18P/SAnnunciation relays (cont)Shorted coilDeterioration ofinsulationLoss of power supply output.Annunciation.Redundant power supply.One channel of powersupply is left for either the valve or pumpactuation relays.Output openDeterioration ofcontact, broken wireErroneous annunciaton of powersupply failure.Annunciation.Redundant power supply.None Output shortedWelded contactFailure to annunciate power supplyfailure when required.Periodic testing.NonePower SupplyAuctioneering diodeOpenVoltage transientoverloadLoss of power supply output.Periodic testing.Redundant power supply.One channel of powersupply is left for either the valve or pump actuation relays.ShortedVoltage transientoverloadLoss of isolation between redundantpower supplies.Periodic testing.NoneReset switchOpenBroken wire,mechanicalfailure,deterioration of
contactFailrue to reset actuation relayswhen required.Periodic testing.Redundant reset switchNoneManual tripOpenDeterioration ofcontact, broken wireUnwarranted channel trip.Annunciation. Indicatinglight.Actuation circuit conv erts to 1-out-of-3
selective.ClosedWelded contact,mechanical failureFailure to initiate a channel trip whenrequired.Periodic testing.Redundant trip path.Actuation circuit cannotbe tripped manually.Automatic actuation remains 2-out-of-3 selective.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 90 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 and 7.2-18 (cont.)Lockout relayOpen coilBroken wire,sustained overvoltageUnwarranted channel trip.Annunciation. Indicatinglight.Actuation circuit converts to 1-out-of-3
selective.If failure is result of a shortacross coil, the excess current will result in dc path circuitbreaker open.Contact openDeterioration ofcontact broken wireUnwarranted channel trip.Annunciation. Indicatinglight.Actuation circuit converts to 1-out-of-3
selectiv e.Contact shortWelded contactFailure to lockout a channel tripwhen required.Periodic testing.NoneThe actuation relays wouldbecome energized without being reset when the SSR's are energized.AnnunciationdiodesOpenVoltage transientoverloadUnwarranted channel trip.Annunciation.Actuation circuit converts to 1-out-of-3
selective.ShortVoltage transientoverloadUnwarranted annunciation ofchannel trip.Annunciation.None.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 91 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 and 7.2-18 (cont)Circuit Breakerin dc PathShortWelded con-tact, mechan-ical failureNo dc overload protectionBench test.NoneOpenDeterioration of
- contact, mechanical failure.Unwarranted channel trip ofactuation relays for all valves or for all pumps.Annunciation, indicating lights.Complete Train not actuated.Actuation circuit converts to 1-out-of-3 selective. Also, the
affected valves or pumps will actuate.Only the valves or the pumps,but not both, in oned Train of a Safety System will be actuated.
In the case of valve actuation, Safety System protected by check valves. In case of pump actuation Safety System protected by valves, and pumps protected by Recirc.Lines.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 92 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 and 7.2-18 (cont)Test relaysCoil, open shortCoil failurebroken wire, short across Failure to test the affected actuationrelay when required.Periodic testing.NoneContact openContact failure,broken wireUnwarranted trip of the affectiveactuation relay.Indicating lights.Complete train will not actuateContact shortedContact failure short Failure to test the affected actuationrelay when required.Periodic testing.NoneActuation relayCoil openBroken wire,sustainedovervoltageUnwarranted trip of a group ofactuation devices.Indicating lights.All pumps or valves forthe affected train will not actuateIf failure was result of ashort, the excesscurrent will result in anoccurrence similar to the circuit breaker in dc
path openShorted coilContact openDeterioration ofinsulationContact failure,broken wireWill cause circuit breaker supplyingpower to the actuation relays associated with either the valves of pumps to be tripped.Unwarranted trip of a group ofactuation devices.Annunciation. Indicating lights.Indicating lights.All of the valves orpumps for the function will be actuated. Circuit for the pumps or
valves converts to selective 1-out-of-3.Actuation devices assigned of affected group will actuate.Only the v alves or the pumps,but not both, in one Train of a Safety System will be actuated.
In the case of valve actuation Safety System protected by check valves. In the case of pump actuation Safety System protected by valves, and pumps protected by Recirc.
Lines.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 93 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 and 7.2-18 (cont)Actuationrelays (cont)Contact shortContact failure shortFailure of group of actuation devicesfrom actuating when required.Indicating lights.One group of valves orpumps in one train will
not actuate.There are two trains for eachfunction. The equivalent train will perform normallyDiode AcrossActuation relay or lockout relay OpenShortBroken wire,diode failureDiode failure shortExcess arching of contacts in series path.Results in opening of circuit breakerin dc path and the valve or pump actuating relays becoming de-energized.Exces wear of contactsAnnunciation. Indicatinglights.Full Train not activatedNoneFull actuation convertsto 1-out-of-3 selective.Valve or pump group is actuated.Only the valves or the pumps,but not both, in one Train of aSafety System will be actuated.In the case of valve actuation Safety System protected by check valves. In the case of pump actuation Safety System protected by Recirc. Lines.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 94 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsActuators, CEA Withdrawal Prohibit (CWP) Channel A (Typical), Figure 7.2-10CWP (119)OffShorted con-trol leads to CEA control systemFailure to prohibit CEA motion whenrequired.Periodic tests.NoneRPS trip is back-up.OnOpen controlleads to CEA control systemUnwarranted CWP.CWP annunciationwithout having input parameters
annunciasting, inability to move CEAs out.NoneRPS trip is back-up.Actuators, Power Recorder, Channel A (Typical), Figure 7.2-10PowerRecorder (118)HighComponentfailureHIgh recorder trace, EX-CORE VScalibrated power deviation alarmDeviation alarm.4-redundant channelsNoneAll output data from PPS buffered.LowComponentfailureLow recorder trace, EX-CORE VScalibrated power deviation alarm.Deviation alarm.4-redundant channelsNoneDC Power Distribution, PPS Cabinet, Bistable Annunciator Power Supply, Figure 7.2-19ChannelBistable Annunciator Power supply (PS-N)No outputOpen fuse topower supplyPre-trip, trip and bypass in-dicator on PPS bistable trip panel and remote status panel will fail to indicate condition of bistable for thatchannel.Periodic PPS testing.None WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 95 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, PPS Cabinet, Bistable Annunciator Power Supply, Figure 7.2-19 (cont)ChannelBistable Annunciator Power Supply(PS-N) (cont)Low outputvoltageFailure internalto supplySymptoms will depend upon theseverity of the undervoltage. The system may operate normally or may exhibit the same symptoms as for no
output.If the undervoltage is severe enough to generate the same symptoms as when no output is available, the failure will be detected during Periodic PPS testing.NoneHigh outputvoltageFailure internalto supplySymptoms will depend upon theseverity of the overvoltage. The system may operate normally or component failures may be induced that result in an erroneous display.If errors are induced inthe display, the problem will be uncovered by thePeriodic PPS tests.DC Power Distribution, PPS Cabinet Bistable Bypass Circuit Power Supplies, Figure 7.2-19P. S. L. orP. S. M.No outputOpen fuse toPower supply, failure internal to supplyNo operational symptoms.Periodic PPS testsTwo power supplies onein the channel and one in an adjacent channel are auctioneered, either one of them is capable of supplying the entire load.
Thus loss of a singlesupply does not affect thesystem.NoneBypass circuit in the affectedchannel is dependent upon the continued operation of the remaining supply.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 96 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, PPS Cabinet Bistable Bypass Circuit Power Supplies, Figure 7.2-19 (cont)P. S. L. orP. S. M. (cont)Low outputvoltageFailure internalto supplyNo operational symptoms.Depending ujpon theseverity of the undervoltage, the problem may or may notbe detected duringPeriodic PPS testing.High outputvoltageFailure internalto supplySymptoms will depend upon theability of the components to tolerate the overvoltage. Two possibilities exist:a. Overvoltage causes individualcomponents to open, making itimpossible to bypass the function.b. Overvoltage causes individualcomponent to fail short. The result of a shorted component is to reduce the supply voltage to essentially zero. The symptims of no supply voltage is inability to bypass the bistables in the affected channel.Periodic PPS testing orwhen attempting to bypass the affected function.Periodic PPS testing.Unable to bypass the affected functions in the particular channel.Bistables in affectedchannel cannot be bypassed.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 97 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, PPS Cabinet Bistable bypass circuit power supplies, Figure 7.2-19P. S. J.No outputOpen fuse topower supplyFailure internalto supplyThe CEA withdrawal prohibit matrixis partially enabled.It will not be possible to generateany of the following bypasses in the affected channel.a. Low pressurizer pressure tripbypassb. Loss of load trip bypass
- c. HI LOG POWER logic trip bypass.The DNBR and high tripped.Power supply failureannunciated on plantannunciator. The CWPindicator on the PPS calibration and test panel will be off.Power supply failureannunciated on plant annunciator. The CWP indicator on the PPScalibration and testpanel will be off.The CEA withdrawalprohibit signal converts
to a 1-out-of-2.If a condition existssuch that a bypass is required for any of the
functions listed, the bypass cannot be obtained.The bypass circuits in the otherthree channels are unaffected.
It will be possible to bypass the function (s) in the other three channels, thus inhibiting any trip action forthe function (s) in question.Low outputvoltageFailure internalto supplySYmptoms will depend upon theseverity of the undervoltage. The system may exhibit no symptom ormay show one or more of thesymptoms listed for no output.Power supply failureannunciated on plant annunciator. The CWP indicator on the PPS calibration and test panel will be off.If a condition existssuch that a bypass is required for any of the
functions listed, the bypass cannot be obtained.If a system exhibits anysymptom s, the problems should be uncovered duringPPS testing.High outputvoltageFailure internalto supplySymptoms will depend upon howwell the components can tolerate the overvoltage. Should the overvoltagecause components t9o fail, thefailures will be such that it will be difficult to generate a bypass in th
affected circuit.Periodic PPS testing.All funcitons may notbe affected however
those that are affected will have the effects listed above.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 98 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, PPS Cabinet, Trip Path Power Supplies, Figure 7.2-19P. S. K.No outputOpen fuse topower supply, failure internal to supplyThe trip paths for all ESF func tionsand the RPS trip path will all be de-energized in the affected channel.This will open one side of all theselective 2-out-of-4 actuation circuits, and one side of the RPS
actuation circuit.De-energized trip pathsare annunci-ated on the plant annunciator.The actuation circuitsfor all ESF will have one of their two paths
de-energized, and the RPS will have one ofits two paths de-energized.A 2-out-of-3 coincidence is stillrequired to produce an actuation.Low outputvoltageFailure internalto supplySymptoms will depend upon theseverity of the undervoltage. The system may exhibit no symptoms or may show symptoms exactly the same as those for no output. The undervoltage could also be such that some trip paths are de-energizedwhile others remain energized.If any trip paths are de-energized the trips will be annunciated on the plant annunciator.If the system is operatingproperly with low voltage in the untripped con-dition, a trip condition will cause a trip. This is so because the trip circuits are designed such that a trip condition causes removal of voltage from the relay coils.One side of some ofthe actuation circuits may be open.If any actuation circuits haveone half of their actuation
circuits open, a coincidence of any two of the three channels is still required to generate anactuation.High outputvoltageFailure internalto supplySymptoms will depend on theseverity of the overvoltage and theability of the affected circuits to tolerate the overvoltage.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 99 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, PPS Cabinet, Trip Path Power Supplies, Figure 7.2-19 (cont)P. S. K.(cont)The effect of an overvoltage might be:a. No symptomsb. Cause some of the solid staterelays in the trip circuits to fail to
open.Not detectable untilabnormal operation isobtained. (See ESFTrip Circuts)NoneOnly one of the four tripchannels can be affectedFailure of the input side of thesolid state relay can only result in the opening of the output
side.
An open on the output is a trip condition.DC Power Distribution, PPS Cabinet, ESF 2-out-of-4 Coincidenced Logic Power Suplies, Fig. 7.2-19P. S. F. or P. S. G.
or P. S. H.No outputOpen fuse topower supplyFailure in-ternal to supplyOne half of the matrix relays for allESF functions in the affected 2-out-of-4 channels (i.e. AB, BC, etc) willbe de-energized.Power supply failureannunciated on plant annunciator. Power supply indicator will beoff. Trip paths that arede-energized are annunciated on plant
annunciator, PPS status panel and PPS remote modules.The four matrix relays ofeach function are divided into two relays. Each group of two is powered from a separate power supply. Failure of one supply causes only one half of the trip paths to bede-energized.Two trip paths for allESF functions will betripped. The actuation logic for each function will be half tripped as the trip paths affected are both in the same leg of the selective 2-out-of-4 actuation
logic.Actuation of any of the functions still requires a coin cidence of any two channels.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 100 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, PPS Cabinet, ESF 2-out-of-4 Coincidence Logic Power Supplies, Fig.7.2-19P. S. F. or P. S. G.
orP. S. H.(cont)Diode con-nected to the
output of the supply is openOne half of the matrix relays for allESF functions in the affected 2-out-of-4 channels (i.e. AB, BV, etc) will
be de-energized.Trip paths that are de-energized are annunciated on plant annunciated on plant
annunciator, PPS status panel and PPS remote modules.The four matrix relays ofeach function are dividedinto two groups of two relays. Each group of two is powered from a separate power supply.
Failure of one supply causes only one half of the trip paths to be de-energized.Two trip paths for allESF functions will be tripped. The actuation logic for each functionwill half tripped as thetrip paths affected are both in the same leg of the selective 2-out-of-4 actuation logic.Actuation of any of the functions still requires a coincidenced of any two
channels.Low outputvoltageFailure internalto supplySymptoms will depend upon theseverity of the undervoltage. The symptoms may range from normaloperaton to the same symptoms as for no output.If any trip paths are de-energized, the trips will be annunciated on the plant annunciator.If the system is operatingproperly with low voltage in the untripped condition, a trip condition will definitely cause a trip as the circuits are designed such that a trip conditioncauses removal of voltagefrom the relay coils.Some trip paths maybe tripped as a consequence. Some of actuation circuits may be half tripped.If any actuation circuits are halftripped, a coincidence of any two of any two of the three channels is still required togenerate an actuation.High outputvoltageFailure internalto supplySymptoms will depend on theseverity of the overvoltage and theability of the affected circuits to
tolerate theNot detectable untilabnormal operation isobtainedOnly 2 of the 4 matrixrelays in each logic matrix can be affected.None WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 101 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, PPS Cabinet, ESF 2-out-of-4 Coincidence Logic Power Supplies, Fig. 7.2-19 (cont)P. S. F.
or P. S. G. orP. S. H.
(cont)overvoltage. Symptoms may be:a. Normal operation.
- b. Causes some of the drivers to failshorted, resulting in inability to de-energize the affected matrix relay.Periodic PPS testing.Assuming that allparameters in one ofthe two unaffectedchannels are bypassed (i.e. channel D), the actuation logic for all ESF functions becomes 2-out-of-3
selective.When failure is detectedactuation logic for ESF functionsmust be converted to 1-out-of-2 by tripping all parameters in the unaffectedchannel that is not in bypass.c. Causes some of the matrix relaydrivers ormatrix relays to fail open.This will cause a trip in some of thetrip paths.Plant annunciation of trip paths.A maximum of two trippaths for each function can be activated becauseof the separation of thematrix relays into two groups, each powered by a separate supply.Trip of affected tripcircuits and half trip of
associated actuation
circuits.A coincidence of any 2-out-of-3 channels is still required for actuation of any ESF function.DC Power Distribution, RPS 2-out-of-4 Coincidence Logic Power Supply, Figure 7.2-19P. S. C. or P. S. D.
orP. S. E.No outputOpen fuse topower supplyFailure internalto supplyOne half of the matrix relays for theRP fun ction in the affected 2-out-of-4 channels (i.e., AB, BC, etc.) will be de-energized. This will cause one of the parallel paths of the actujation circuit to be de-energized.Power supply failureannunciated on plant annunciator.Trip paths that are de-energized are annunciated on the plant
annunciator, PPS statusThe four matrix relays ofeach logic matrix are divided into two groups of two relays. Each group of two relays is powered from a separateTwo trip paths for RPSwill be tripped. The RPS actuation logic will be half tripped as the trip paths affected ar4e both in the sameTo obtain reactor trip acoincidence of any two
channels is still required.Another selective single failurecan also cause a reactor trip.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 102 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, RPS 2-out-of-4 Coincidenced Logic Power Supply, Figure 7.2-19 (cont)P. S. C. or P. S. D.
orP. S. E.(cont)panel, PPS remotemodules.power supply. Failure ofone supply causes only one half of the actuation circuit to be opened.leg of the selective 2-out-of-4 actuation
logic.Diode con-nected to the supply is openOne half of the matrix relays for theRP function in the affected 2-out-of-4 channels (i.e., AB, BC, etc.) will be de-energized. This will cause one of the parallel paths of the actuation circuit to be de-energized.Trip paths that are de-energized are annunciated on the plant
annunciator, PPS status panel, PPS remote modules.The four matrix relays ofeach logic matrix aredivided into two groups oftwo relays is powered from a separate power supply. Failure of one supply causes only one half of the actuation circuit
to be opened.Two trip paths for RPSwill be tripped. The RPS actuation logic will be half tripped as the trip paths affectedare both in the sameleg of the selective 2-out-of-4 actuation
logic.To obtain a reactor trip acoincidence of any two
channels is still required.Low outputvoltageFailure internalto supplySymptoms will depend upon theseverity of the undervoltage. The system may operate normally or may exhibit the same symptom described
above.If any trip paths are de-energized, it will be annunciated on the plant
annunciator, PPS status panel, and PPS remote modules.If the system is operatingproperly with low voltage, a trip condition willdefinitely cause a trip asthe circuits are designed such that a trip condition causes removal of voltage from the relay coils.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 103 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, PPS 2-out-of-4 Coincidence, Logic Power Supplies, Figure 7.2-19 (cont)P. S. C. or P. S. D.
orP. S. E.(cont)High outputvoltagedFailure internalto supplySymptom will depend upon theseverity of the overvoltage and the ability of the affected circuits to tolersate the condition. The effects of an overvoltage might be:a. No symptomsb. Causes one or more of soolidstate relays to fail openNot detectable untilabnormal operation is obtained. (See RPS Trip Circuit)NoneOnly 2-out-of-4 matrix relaysare affected by the overvoltaged. Failure of the
input side of the solid state relay can only result in opening the output side of the relay. An open on the output side is a trip condition.DC Power Distribution, PPS Cabinet, Bistable Power Supplies, Figure 7.2-19P. S. A. or P. S. B.No outputOpen fuse topower supplyFailure internalto supplyNo operational symptomsAnnunciation on plantannunciator. Power supply indicator will be
off.Two power supplies, onein the channel and one in an adjacent channel are auctioneered, either one of them is capable of supplying the entire load.
Loss of one of the
supplies does not affect the system.NoneBistables in affected channel are dependent upon the continued operation of the remaining supply WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 104 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, PPS Cabinet, Bistable Power Supplies, Figure 7.2-19 (cont)P. S. A. or P. S. B.
(cont)Low outputvoltage.Failure internalto supply.No operational symptoms.Depending upon theseverity of the undervoltage, theproblem mahy or maynot be annunciated.Two power supplies, onein the channel and one in an adjacent c hannel are auctioneered, either one of them is capable of supplying the entire load.
Loss of one of the supplies does not affect the system.NoneBistables in affected channel are dependent upon the continued operation of the remaining supply.High outputvoltageFailure internalto supplySymptoms will depend upon how thebistables respond to the overvoltage if the bistables fail to operate.PPS testing.If bistables fail tooperate, logic becomes
2-out-of-2 (4th channel by-passed).When failure is detected, triplogic must be converted to 1-out-of-2 by tripping the bistables in one of the unaffected channels.If the bistables tripBistable tripsannunciated on planttrouble annunciator.Logic becomes anyone of two for thoseparameters being monitored by the tripped bistables (4th channel by-passed).DC Power Distribution, 2-out-of-4 Coincidence Logic, Figure 7.2-19P. S. A -P. S. B AuctioneeringDiodeOpen.Transient in circuit.No operational symptom s.PPS periodic test.Two power sources areavailable for the bistables.None.Bistables are dependent uponcontinued operation of the remaining power supply.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 105 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsDC Power Distribution, 2-out-of-4 Coincidence Logic, Figure 7.2-19 (cont)P. S. A. -P. S. B.
Auctioneering Diode (Cont)ShortTransient incircuitNo operational symptomsPPS periodic testPower supplies arecurrent limiting hence there should be noproblem if both suppliesare operating normally.NoneRAS Train A or B, Actuation Logic, Figure 7.2-19RAS Actuation Logic Circuit
(200)Train A actuation logic output fails "On" (or train B)Componentfailure (s); short
circuitsRas train A not actuated whenrequired. (One sump line valve remains closed, one low pressure injection safety pump remains running during RAS)Periodic tests (RWT lowlevel alarm, LPSI pump status light in control room)RAS train B is fully redundantLoss of RAS train A(Recirculation done by oneHPSI pump. Other pumprunning but no recirculating water from sump due to closed sump valve)Train A actuation logic output fails "Off" (or train B)Multiplecomponent failures; multiple open circuitsUnwarranted train A ActuationIndividual RAS actuatedcomponent indication; meters; alarms; periodic
tests.Multiple independentcomponent failures required.1/2 RAS activatedRequires failure in the samemode of two logic components, one valve from RWT closed, one valve between sump and SI system open.RAS Train A or B, Actuation Relays, Figure 7.2-10RAS ActuationRelay (201)One fails"On", train A(or train B)ComponentfailureAssociated RAS actuated device willnot respond when requiredPeriodic testingRedundant RAS trainavailable (i.e., train B)Partial loss of RAStrain A WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 106 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsRAS Train A or B, Actuation Relays, Figure 7.2-10 (cont)RAS ActuationRelay (201)
(cont)One fails"off", train A (or train B)ComponentfailurePartial actuation of RAS train A. SeeSheets 90, 91, 92, and 93 for
failures and effects.Individual actuated RAScomponent indication; meters; alarms; periodic tests.Does not inhibit fullactuation of RAS when required; Redundant trainavailable (i.e., train B).RAS train A partiallyinitiated.Actuation system is designedsuch that single component failure will not actuate entiretrain.MSIS Train A or B, Actuation Logic, Figure 7.2-10MSISActuation Logic Circuit
(202)Train A actuation logic output fails "on" (or train B)Componentfailure(s); short
circuit.MSIS train A not actuated whenrequired.Periodic testsMSIS train B is fully redundantLoss of 1/2 MSIS train AIf called upon, MSIV will closeby action of the solenoid activated by train BTrain A actuation logic output fails "Off" (or train B)Multiplecomponent failures; multipleopen circuitsUnwarranted MSIS Train Aactuation. Solenoid activated by train A will call for valve close.Individual MSISactuated component indication; meters; alarms; periodic tests.Reactor TripReactor tripRequires failure in the samemode of two logic components.
MSIV will close resulting in a Reactor Trip.MSIS Train A or B, Actuation Relays, Figure 7.2-10MSISActuation Relay (203)One fails"On" Train A (or train B)ComponentfailureAssociated MSIS actuated solenoidwill not respond when required.Periodic testingRedundant (MSIS)available (i.e., train B)Partial los of MSIStrain AWhen called for, one MSIVvalve will r4eceive a B signal, other will receive A and B
signals.One fails"Off" train A (or train B)ComponentfailureUnwarranted partial actuation ofMSIS train A. Solenoid A of one MSIV is called to close valve.Individual actuatedMSIS component indication; meters; alarms; periodic tests;
reactor tripPartial MSIS actuation.One MSIV closes causing reactor trip.One MSIV closed.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 107 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsCSAS Train A or B, Actuation Logic, Figure 7.2-10 CSASactuation logic circuit (209)Train A actuation logic outputfails "on" (ortrain B)Componentfailure(s); short circuitCSAS train A not actuated whenrequired.Periodic testsCSAS train B is fully redundantLoss of CSAS train AIf called upon, redundantcontainment spray will be provided by one pump and
header.Train A actuation logic output fails "Off" (or train B)Multiple com-ponent failures; multiple open circuitsUnwarranted CSAS train A actuation(One spray pump, and one spray
valve activated)Individual CSASactuated componentindication meters,alarms; periodic tests.Independent failures ofredundant components1/2 CSAS activatedActuation system is designedsuch that single componentfailure will not actuate entiretrain. Requires failure in the same mode of two logic components.CSAS Train A or B, Actuation Relays, Figure 7.2-10 CSASActuation Relay (205)One fails"On" train failure A (or train B)ComponentfailureAssociated CSAS actuated deviceswill not respond when requiredPeriodic testingRedundant CSAS trainavailable (i.e. train B)Partial loss of CSAStrain APartial loss of 1/2 CSASsystem, operation can start pump or open valve from manual control.One fails"Off" train A (or train B)ComponentfailurePartial actuation of CSAS train A.Affected component in CSAS controlled by actuator is called to
service.Individual actuationCSAS component indication; meters; alarms; periodic testDoes not inhibit fullactuation of VCSAS when required; redundant train available (i.e., train B)Partial initiation of 1/2 CSASActuation system is designedsuch that single component failure will not actuate entire train.See Sheets 90, 91, 92, and 93 for failures and effects.Either train A spray pumpoperation with valve closed, or spray valve open and pump off
- not both.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 108 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsSIAS Train A or B, Actuation Logic, Figure 7.2-10SIAS actuation logic circuit
(206)Train A actuation logic outputfails "on" (ortrain B)Componentfailure(s), short circuitSIAS train A not actuated whenrequired.Periodic testsSIAS train B is fully redundantLoss of SIAS train AIf call upon, redundant safetyinjecton will be provided by LPSI, HPSI pumps and MOVs in train BTrain A actuation logic output fails "Off" (or train B)Multiplecomponent failures; multipleopen circuitsUnwarranted SIAS train A actuation.One low pressure one high pressure safety injection pump, andassociated MOVs are activated.Individual SIAS actuatedcomponents indication;meters; alarm; periodic testsIndependent failures ofredundant componentsrequired1/2 SIAS is initiatedActuation system is designedsuch that single componentfailure will not actuate entiretrain. Requires failure in the same mode of two logic components.SIAS Train A or B, Actuation Relays, Figure 7.2-10SIAS actuationrelay (207)One fails"on" train A (or train B)ComponentfailureAssociated SIAS actuated deviceswill not respond when requiredPeriodic testingRedundant SIAS trainavailab le (i.e., train B)Partial loss of SIAStrain AWhen called for, partialdegredation of LP or HP safety injec tion system in train A, train B unaffected and willoperate as designedOne fails"Off" train A (or train B)ComponentfailureUnwarranted partial actuation ofSIAS train A. Affected components in SIAS controlled by actuator is called to service.See Sheets 90, 91, 92 and 93 for failures and effects.Does not inhibit fullactuation of SIAS whenrequired; Redundant train available (i.e. train B)Partial initiation of trainA of SIASActuation system is designedsuch that single componentfailure will not actuate entiretrain.One component in LP HPsafety injection system (either pump or MOV) will be activated
- no SI occurs.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 109 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsINTENTIONALLY DELETEDCIAS Train A or B, Actuation Logic, Figure 7.2-10CIASActuation Logic circuit
(208)Train A actuation logic output fails "on" (or train B)Componentfailure(s); short circuitCIAS train A not actuated whenrequired.Periodic testsCIAS train B is fully redundantLoss of CIAS train A WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 110 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsCIAS Train A or B, Actuation Logic, Figure 7.2-10 (cont)CIAS Actu-action Logic circuit (208) (cont)Train A actuation logic outputfails "Off" (ortrain B)Multiplecomponent failures; multiple open circuitsUnwarranted CIAS train A actuationIndividual CIAS actuatedcomponent indication; meters; alarms; periodic
testsIndependent failures ofredundant components1/2 CIAS is initiatedActuation system is designedsuch that single component failure will not actuate entire train. Requires failure in the same mode of two logic components.CIAS Train A or B, Actuation Relays, Figure 7.2-10 (cont)CIAS Actu-action Relay
(209)One fails("On" train A (or train B)ComponentfailureAssociated CIAS actuated deviceswill not respond when required.Periodic testingRedundant CIAS trainavailable (i.e., train B)Partial loss of CIAStrain AOne fails"Off" train A (or train B)ComponentfailureUnwarranted partial actuation ofCIAS train A. Affected component in CIAS controlled by actuator is called to service. See Sht. 90, 91, 92 and93 for failures and effects.Individual actuated CIAScomponent indi-cation; meters, alarms; periodic testsDoes not inhibit fullactuation of CIAS when required; redundant train available (i.e., train B)Partial initiation of trainA of CIASActuation system is designedsuch that single component failure will not actuate entire trains.EFAS-1 or 2, Actuation Logic Auxiliary Relay, Figure 7.2-10ESFAS-1Actuation Logic Auxiliary Relay (211)or EFAS-2Actuation Logic Auxiliary Relay (210)One fails"On" (i.e.
channel A)Componentfailure short circuitFailure to initiate EFAS channel tripand failure to open associated SF emergency feed valve when required.Periodic testingESFAS actuation logic is2-out-of-4 selective; EFAS SG emergency feed flow
paths are 2-out-of-4 selectivceESFAS actuation logicand emergency DSG feed flow paths
converted to 2-out-of-3
selectiveEffect is identical to failure ofassociated EFAS initiation relay WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 111 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsEFAS-1 or 2, Actuation Logic Auxiliary Relays, Figure 7.2-10EFAS-1 Actu-ation Logic Auxiliary Relay
(211)orEFAS-2 Actuation Logic Auxiliary Relay (210)
(cont)One fails"off"Componentfailure; open
circuit; short circuitUnwarranted EFAS channel tripsignal is generated and associated SG emergency feed valve opensEFAS actuation logicannunciation; SF emergency feed valve indicationEFAS actuation logic andSG emergency feed flow
paths are 2-out-of-4
selectiveEFAS actuation logicand emergency SG feed flow paths
converted to 1-out-of-3
selectiveEffect is identical to failure ofassociated EFAS initiation relayEFAS-1 or 2, Actuation Logic, Figure 7.2-10EFAS-1 Actu-ation LogicCircuit (213)Train A actuationlogic out-putfails "on" (or train B)Componentfailure(s); short circuitEFAS train A not actuated whenrequiredPeriodic testsEFAS train B is fully redundantLoss of EFAS 1, or 2train A orEFAS-2 Actu-ation Logic Circuit (212)Train A actuation logic out-put fails "off" (or train B)Multiplecomponent failures; open
circuitsUnwarranted partial actuation ofEFAS train A. See Sht. 90, 91, 92,and 93 for Typical failures and
effectsIndividual actuatedcomponent indication;meters; alarms; periodic
tests.Redundant train B stillavailablePartial initiation ofEFAS 1, or 2 train A.'Actuation system is designedsuch that single componentfailure will not actuate entiretrain; redundant emergency feed valves to each SG prevent feed on unwarranted EFAS actuation due to actuation logic failure in either train.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 112 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsEFAS-1 or 2, Actuation Logic, Figure 7.2-10 (cont)EFAS-1 Actu-ation Relay
(215)One fails"on" train A (or train B)ComponentfailureAssociated EFAS actuated deviceswill not respond when required.Periodic testingRedundant train available(i.e., train B)Partial loss of EFAStrain ASG emergency feed valves arenot operated from actuation relays; therefore feed can beinitiated when required to eitherSG.EFAS-2 Actu-ation Relay
(219)One fails"off" train A (or train B)ComponentfailureUnwarranted partial actuation ofEFAS train A. See Sht. 90, 91, 92 and 93 for typical failures and
effects.Individual actuatedEFAS component indication; meters; alarms; periodic testsDoes not inhibit fullactuation of EFAS when required; redundant train available (i.e., train B)Partial initiation ofEFAS train AActuation system is designedsuch that single component failure will not actuate entire train; SG emergency feed valves are not actuated from actuation relays; therefore inadvertent feed cannot resultfrom this failure.Logic Matrix/Trip, Path Test Circuit, Figure 7.2-20Test powersupplyHigh voltage outputInternal failureDepends upon ability of componentsto sustain overvoltagePossible power supplyindicator light inoperative.Unable to test PPSeffectively. PPS trips for logic under test.No effect upon operation of PPS. Overvoltage condition may cause failure of affected bistable test coils when matrix hold pushbutton is depressed during test. Test power supply indicator light is inoperative before test sequence starts andoperator will not continue testing until trouble shooting is complete.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 113 of 119)Revision 7 (10/94)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsLogic Matrix/Trip, Path Test Circuit, Figure 7.2-20 (cont)Test powersupply (cont)Possibilities:a. Matrix test system channel tripselect, and RPS channel trip selectswitchy fail closed or open.b. Bistable test coils fail open or shortc. Bistable test coil surgesuppression diodes fail open of shortMatrix hold light willremain on after test.
Drop out light will remain on for matrix relay trip test selector switch and system channel trip selector switch position.Test power supplyindicator inoperative, bistable relay indicating light will stay on after matrix test switch is released indicating a bistable trip. Matrix relay Hold and Drop-out lights will be inoperative.Low or No outputvoltageInternal failureMechanicaldamage Input undervoltageInput CRTbreakerNo test capabilityTest power supply andmatrix relay hold indicator lights inoperative.Unable to test PPSNo affect upon operation of PPS WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 114 of 119)Revision 7 (10/94)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsLogic Matrix/Trip, Path Test Circuit, Figure 7.2-20 (cont)Matrix Test Select Switch(e.g., ABMatrix)Open matrixcircuit contactsMechanicalfailureContactdeteriorationUnable to energize matrix relay testcoils which inhibits matrix responsewhen selected pair of contacts in AB logic matrix is actuated. Matrix will
pass test signal as bona fide
actuation signal (e.g., CSAS)Matrix relay Hold lightsdo not illuminate when switch is placed in Matrix Hold position.Surveillance test would be aborted based on lack of Hold lightindication. Spurioustrip would be avoided.This failure mode is onlycredible during surveillance testing when the test circuits are energized.Closedmatrix relay circuit contactsMechanicaldamageWelded contactsMatrix relay test coils remainenergized, preventing reactor trip initiated by same matrix.Matrix relay Holdindicator lights remain
on.AB matrix isinoperable. The other five matrices are
unaffected.Proper operation of the ABmatrix can be restored by deenergizing the test circuit.Open bistable relay circuit contactsMechanicalfailureContactdeteriorationUnable to energize any systemchannel trip select switch or RPS
channel trip select switch, bistabletest relay coils.Un able to releasebistable relay. No trip indicator lights.None. Unable toconduct Matrix logic test for AB matrix.
No effect on operation of PPS.Operator cannot test bistables, pair associated with matrix logic (e.g., AB)
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 115 of 119)Revision 7 (10/94)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsLogic Matrix/Trip, Path Test Circuit, Figure 7.2-20 (cont)Matrix test select switch(e.g., ABMatrix) (cont)Closed -bistable relay circuit contactsMechanicaldamageWelded contactsBistable relay test coils connected tosystem channel trip selected switch remains energized during test.Bistable relay trip andlogic trip indicator lights
on.Surveillance test would be aborted based on logic trip light being on with matrix test switch in the OFF position.
Spurious trip would only occur if the system channel tripselect switch was notin OFF position.System channel trip selectswitch is normally left in the OFF position.System Channel Trip Select SwitchInter-mittent contact (open)MechanicaldamageContactdeteriorationUnable to energize bistable relaytest coils associated with system channel trip select switchNo bistable test lightindicationUnable to test logicmatrices for affected system channel tripRPS ChannelTrip SelectSwitchInter-mittent contact (open)MechanicadamageContactdeteriorationUnable to energize bistable relaytest coils associated with test switch position.No bistable test light attest switch position location.Unable to test logicmatrices for affected bistable pair.
No affect on operation of PPS.Reactor Protection System, Logic Matrix/Trip Path Test Circuit, Figure 7.2-20Bistable relay test coil (e.g.,
A1-1)OpenOvervoltageMechanicalkdamageUnable to energize affected bistabletest coil to initiate relay trip for the particular parameter under test.Bistable test light stays offUnable to test thatportion of logic matrices completely for the parameter under
test No affect on operaton of PPS.ShortMechanicaldamageTedst power supply will be reducedcto approximately zero.Power supply indicatorlight inoperativeUnable to test logicmatrices completely.Deterioration ofinsulationBistable relay test coil cannot beenergizedBistable test light stays off WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 116 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsLogic Matrix/Trip, Path Test Circuit, Figure 7.2-20Matrix relay tripselect switchInter-mittent contact (e.g.,
position 1)MechanicaldamageContactdeteriorationMatrix relay test coils for the affectedposition (e.g., 1) remain de-energizsed during test period.Matrix relay holdindicator light inoperative.AnnunciationReactor trip couldoccur during bistable relay trip test.Matrix relay test coil (e.g.,
1AB-1)OpenOvervoltageMechanicaldamageUnable to energize affected test coilto inhibit matrix relay tripMatrix relay holdindicator lights do not illuminateUnable to conduct test of trip path (e.g., 1) for affected matrix logic (e.g., AB)
No affect on operation of PPS.ShortDeterioration ofinsulationMechanicaldamageTest power supply will be reduced toapproximately zeroPower supply and matrixhold indicator lights do not illuminateUnable to conduct test of trip path (e.g., 1) for affected matrix logic (e.g., AB)
No affect on operation of PPS.Matrix relayhold indicatorsOpenOvervoltageMechanicalTest coil state cannot be visuallydetermined.VisualPeriodic testNoneNo affect on operation of PPS.Matrix relay drop-out indicatorsOpenOvervoltageMechanicaldamageMatrix relay state cannot bedetermined.VisualPeriodic testNoneNo affect on operation of PPS.Bistable Relay Trip Test Circuit, Figure 7.2-20PPS Cali-bration and Test Panel Trip test pushbutton (PB-) (e.g.,
Channel A)OpenMechanicaldamageContactdeteriorationUnable to energize bistable relay trip test circuit and supply test signal to selected for test.No bistable tripindicationNoneNo affect on operation of PPS.May not be able to test bistables in affected channel (e.g., channel A)
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 117 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsBistable Relay Trip Test Circuit, Figure 7.2-20 (cont)PPS Cali-bration and Test PanelTrip test pushbutton (PB-)(e.g.,
Channel A)
(cont)ClosedMechanicalWelded contactsBistable relay trip test circuitenergized when test signal power supply is turned on.Bistable in test indicatorDepressing matrix hold pushbutton and/or reducing signal level below trip level.Half logic matrix tripcould occur during
testingOperator will be aware ofproblem as soon as test power supply is turned on and before
test sequence starts.Trip TestCircuit Relay (K-1, e.g.,
Channel A)Open coilOvervoltageMechanicaldamageUnable to energize trip test circuit.The contacts which connect the bistable selected for test to the test signal will not be energized.No trip signal indicationSelected bistablerelays cannot be tested in affected channel (e.g., A)No affect on operation of PPS.Shorted coilDeterioration ofinsulationMechanicaldamageTest power supply could be reducedto approximately zero.Test power supplyindicator light will extinguish. No signal reading on DVM.Selected bistablerelays cannot be tested in affected channel (e.g, A)No affect on operation of PPS.Contact openDeterioration ofinsulationUnable to energize trip circuit.Bistable selected for test cannot beconnected to the test signal.No trip signal indication.Selected bistablerelays cannot be testedin affected channel(e.g., A)No affect on operation of PPS.Contact openDeterioration of contactMechanicaldamageUnable to energize trip circuit.Bistable selected for test cannot be connected to the test signal.NO trip signal indicationSelected bistablerelays cannot be tested in affected channel (e.g., A)No affect on operation of PPS.Contact shortWelded contactTrip test circuit remains energized.Possible signal readingonDVM.Bistable trip indicationBistable select and meterinput switch in off position.Should test signal beinputted half logic matrix trip trip can occur during test only.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 118 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsChannel Test Logic, Nuclear Instrument Drawer, Figure 7.2-20NI Drawer LogLevel Trip Test Switch(S2)(e.g.,Channel A)
Open contacts AMechanicaldamage, contact deteriorationUnable to transmit test signal to nextchannel (e.g.B) when next channel
is selected for test.No response of nextchannel during test. No bistable trip indication.Unable to testchannels B, C, D nuclear drawer No affect on operation of PPS.BUnable to test channel A whenconducting channel test. Relay, AK 60, will not energize when test is
run.No response fromchannel under test. No bistable trip indicationUnable to test channelA nuclear drawer No affect on operation of PPS.DUnable to transmit selected test signal to log level trip circuitry.No bistable tripindication.Unable to test channelA nuclear drawer No affect on operation of PPS.Closed contacts AMechanicaldamage, welded
contactsUnable to disconnect next channel,when channel A is under test.
Interchannel interlock during test is overriden.Multichannel bistable tripindicationPossible reactor tripduring test.Operator must deliberatelydepress channel A test switch coincidenced with other channel to initiate inadvertent
tripBUnable to discard channel A fromtest during test program.Multichannel bistable tripindicationPossible reactor tripduring test.NI Drawer TestRelay (AK60)
(e.g.,A)Open coilOvervoltage,mechanical damageUnable to energize relay contactswhich transmit test signal to log level trip circuitry when channel is under
test.No bistabled tripindicationUnable to test channelA nuclear drawer.
No affect on operation of PPS.Short coilDeterioration ofinsulationTest power supply may reduce toapproximately zero.No bistable trip light.Power supply test lightnot lit.Unable to test channelA nuclear drawer.
No affect on operation of PPS.
Open contactsDeterioration of contactMechanicaldamageUnable to transmit selected test signal to log level trip circuitry.No bistable tripindication.Unable to test channelA nuclear drawer.
No affect on operation of PPS.
WSES-FSAR-UNIT-3Table 7.2-5 (Sheet 119 of 119)PLANT PROTECTION SYSTEMFAILURE MODE AND EFFECTS ANALYSIS NameFailure Mode Cause Symptoms and Local Effects Including Dependent Failures Method
of
Detection Inherent Compensating Provision Effect
Upon PPS Remarks
and Other EffectsChannel Test Logic, Nuclear Instrument Drawer, Figure 7.2-20 (cont)NI Drawer TestRelay (AK60)
(e.g., A)(cont)Short contactsDeterioration ofcontact, welded
contactInterlock feature of relay AK60 isinhibited, cannot cause multi-test condition with failure in A channelBench test.Design of inhibit circuitwould not allow trip condition if failure occursin A channel.Possible to have areactor trip during test.Operator must deliberatelyactuate the channel test switches to obtain trip affect.Log Trip leveladjust (R8)
Open orinter-mittentFailed resis-tiv elementOperator will be unable to trim test signal level.DVTMUnable to test channelA nuclear drawer.
WSES-FSAR-UNIT-3 Table 7.2-6 (Sheet 1 of 2) Revision 14 (12/05) (DRN 03-2061, R14)This Page Intentionally Left Blank DRN 03-2061, R14)
WSES-FSAR-UNIT-3 Table 7.2-6 (Sheet 2 of 2) Revision 14 (12/05) (DRN 03-2061, R14)This Page Intentionally Left Blank DRN 03-2061, R14)