ML16256A316
| ML16256A316 | |
|---|---|
| Site: | Waterford |
| Issue date: | 08/25/2016 |
| From: | Entergy Operations |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package: | ML16256A115 |
| References: | W3F1-2016-0053 |
WSES-FSAR-UNIT-3 7.2-1 Revision 10 (10/99)
7.2 REACTOR PROTECTIVE SYSTEM
7.2.1 DESCRIPTION
7.2.1.1 System Description
The Reactor Protective System (RPS) consists of sensors, calculators, logic, and other equipment necessary to monitor selected Nuclear Steam Supply System (NSSS) and containment conditions and to effect reliable and rapid CEA insertion (reactor trip) if any one or a combination of the monitored conditions approaches specified safety system settings. The system's functions are to protect the core and Reactor Coolant System (RCS) pressure boundary for defined anticipated operational occurrences (AOOs) and also to provide assistance in limiting the consequences for certain postulated accidents. Four measurement channels with electrical and physical separation are provided for each parameter used in the direct generation of trip signals, with the exception of Control Element Assembly (CEA) position. A two-out-of-four coincidence of like trip signals is required to generate a reactor trip signal. Bypassing of one channel is allowed for testing, maintenance, etc., while maintaining a two-out-of-three system. Manual reactor trip is also provided.
The reactor trip signal deenergizes the control element drive mechanism (CEDM) coils, allowing all CEAs to drop into the core. Once initiated, the protective action goes to completion. Return to operation requires operator action.
7.2.1.1.1 Trips
7.2.1.1.1.1 High Linear Power Level
The high linear power level trip is provided to trip the reactor when indicated neutron flux power reaches a preset value. The flux signal used is the average of the three linear subchannel flux signals originating in each nuclear instrument safety channel. The trip setpoint is nominally 108 percent of full power.
Pretrip alarms are initiated below the trip value to provide audible and visible indication of approach to a trip condition.
7.2.1.1.1.2 High Logarithmic Power Level
The high logarithmic power level trip is provided to trip the reactor when indicated neutron flux power reaches a preset value. The flux signal used is the logarithmic power signal originating in each nuclear instrument safety channel. The nominal setpoint is equal to or less than 0.257 percent of rated thermal power. The trip may be manually bypassed by the operator above 10⁻⁴ percent of rated thermal power and is automatically reinstated when thermal power is equal to or less than the reset point of the bistable.
Pretrip alarms are initiated below the trip value to provide audible and visible indication of approach to a trip condition. The trip bypass also bypasses the pretrip alarms.
7.2.1.1.1.3 High Local Power Density
(DRN 04-1097, R14)
The high local power density trip is provided to trip the reactor when calculated core peak local power density reaches a preset value. The preset value is that value which would cause fuel centerline melting.
The calculation of the peak local power density is performed by the core protection calculators (CPCs), which compensate the calculated peak local power density to account for the thermal capacity of the fuel. A trip results if the compensated peak local power density reaches the preset value. The calculated trip assures a core peak local power density below that which would result in exceeding the safety limit for peak fuel centerline temperature. The nominal trip setpoint for peak local power density is 21 kW/ft. The effects of core burnup are considered in the determination of the local power density trip. The trip may be manually bypassed by the operator below 10⁻⁴ percent of rated thermal power and is automatically reinstated whenever power increases to greater than or equal to 10⁻⁴ percent.
(DRN 04-1097, R14)
Pretrip alarms are initiated below the trip value to provide audible and visible indication of approach to a trip condition.
7.2.1.1.1.4 Low Departure from Nucleate Boiling Ratio
(EC-13881, R304)
The low departure from nucleate boiling ratio (DNBR) trip is provided to trip the reactor when the calculated DNBR approaches a preset value. The calculation of DNBR is performed by the CPC based on core average power, reactor coolant pressure, reactor inlet temperature, reactor coolant flow, and the core power distribution. The calculated DNBR setpoint includes allowances for sensor and processing time delays and inaccuracies. A trip is generated within the CPCs before violation of a minimum DNBR of 1.26 (CE-1 correlation) in the limiting coolant channel in the core during defined anticipated operational occurrences. (Due to hardware limitations, the CPC algorithm will retain the CE-1 Correlation, while Technical Specifications reflect the current critical heat flux correlation and corresponding SAFDL limit.)
The trip may be manually bypassed below 10⁻⁴ percent of rated thermal power and is automatically reinstated whenever thermal power is greater than or equal to 10⁻⁴ percent. This trip bypass also bypasses the pretrip alarm.
(EC-13881, R304)
The DNBR and Local Power Density trip signals are also generated by any of the following conditions:
a) CPC operating space limits are exceeded for the hot pin axial shape index, integrated one pin radial peak, maximum and minimum cold leg temperatures, and the primary pressure.
b) Opposing cold leg temperature difference exceeds its setpoint (which varies with power level).
c) Reactor power exceeds the variable overpower trip setpoint. The trip setpoint is larger than the steady state reactor power by a constant offset but is limited in how fast it can follow changes in reactor power. There is a ceiling for the trip setpoint which is available as an alternate to the High Linear Power Level Trip for events with a large temperature decalibration. Also, a floor setpoint is provided based on excore detector signal noise at low power.
d) The maximum hot leg temperature approaches the coolant saturation temperature.
e) The CPC system is not set in the normal operating configuration.
f) Reactor coolant pump shaft speed drops below its setpoint value.
The low DNBR trip incorporates a low pressurizer pressure floor of 1860 psia (nominally). At this pressure, a low DNBR trip will automatically occur.
Pretrip alarms are initiated above the trip value to provide audible and visible indication of approach to a trip condition.
7.2.1.1.1.5 High Pressurizer Pressure
The high pressurizer pressure trip is provided to trip the reactor when measured pressurizer pressure reaches a high preset value. The trip setpoint is nominally 2350 psia.
Pretrip alarms are initiated below the trip setpoint to provide audible and visible indication of approach to a trip condition.
7.2.1.1.1.6 Low Pressurizer Pressure
The low pressurizer pressure trip is provided to trip the reactor when the measured pressurizer pressure falls to a low preset value. The trip setpoint is nominally 1684 psia for normal operation. At pressures below 2000 psia, this setpoint can be manually decreased to 400 psi below the existing pressurizer pressure, to a minimum value of 100 psia. This ensures the capability of a trip when required during plant cooldown and depressurization. The minimum trip setpoint can be manually bypassed below a pressurizer pressure of 400 psia. During plant startup, the bypass is automatically removed when pressurizer pressure is greater than or equal to 500 psia. As pressure is increased to greater than or equal to 500 psia, the low pressure setpoint automatically increases, maintaining a 400 psi separation between the plant pressure and the setpoint.
Pretrip alarms are initiated above the trip setpoint to provide audible and visible indication of approach to a trip condition.
7.2.1.1.1.7 Low Steam Generator Water Level
The low steam generator water level trip is provided to trip the reactor when measured steam generator water level falls to a preset value. Separate trips are provided from each steam generator. The trip setpoint is nominally set at a level above the lower instrument nozzle, which corresponds to 27.4 percent of the distance between the lower and upper instrument nozzles.
Pretrip alarms are initiated above the trip setpoint to provide audible and visible indication of approach to a trip condition.
7.2.1.1.1.8 Low Steam Generator Pressure
(DRN 05-130, R14)
The low steam generator pressure trip is provided to trip the reactor when the measured steam generator pressure falls to a low preset value. The trip setpoint is set at 666 psia during normal operation. At steam generator pressures below 900 psia, the operator has the capability to manually decrease the setpoint to less than 200 psi below the existing system pressure. This is used during plant cooldown.
During startup this setpoint is automatically increased and remains less than 200 psi below generator pressure.
(DRN 05-130, R14)
Pretrip alarms are initiated to provide audible and visible indication of approach to a trip condition.
7.2.1.1.1.9 High Containment Pressure
The high containment pressure trip is provided to trip the reactor when measured containment pressure reaches 17.1 psia. The trip is provided as additional design conservatism (i.e., an additional means of providing a reactor trip). The high containment pressure trip setpoint is selected in conjunction with the high-high containment pressure setpoint to prevent exceeding the containment design pressure during a design basis LOCA or main steam line break accident.
Pretrip alarms are initiated to provide audible and visual indication of approach to a trip condition.
7.2.1.1.1.10 High Steam Generator Water Level
A high steam generator water level trip is provided to trip the reactor when measured steam generator water level rises to a high preset value. Separate trips are provided from each steam generator. This trip setpoint is nominally set at a level which corresponds to 87.7 percent of the distance between the lower and upper instrument nozzles. The trip is an equipment protective trip only.
Since credit is not taken for equipment protective trips in the safety analysis of the plant, they do not fall within the scope of IEEE 279-1971. However, in order to preserve uniformity of function and design, the high steam generator level trip function meets the design bases listed in Subsection 7.2.1.2. The high steam generator level trip is incorporated in the same manner as any other trip function (four testable, redundant channels) and meets all the requirements of IEEE 279-71.
The High Steam Generator Level Trip function can be manually bypassed to prevent unnecessary plant trips during low power levels when steam generator level control is difficult. The bypass is initiated and removed manually only. The trip bypass also bypasses the pretrip alarm; however, high level annunciation is still available from the Feedwater Control System.
Pretrip alarms are initiated to provide audible and visible indication of approach to a trip condition.
7.2.1.1.1.11 Manual Trip
A manual reactor trip is provided to permit the operator to trip the reactor. Actuation of two adjacent pushbutton switches in the main control room will cause interruption of the ac power to the CEDM power supplies. Two independent sets of trip pushbuttons are provided, either one of which will cause a reactor trip. There are also manual reactor trip switches at the reactor trip switchgear.
The remote manual initiation portion of the reactor trip system is designed as an input to the reactor trip circuit breaker switchgear. This design is consistent with the recommendations of NRC Regulatory Guide 1.62 (Oct. 1973). The amount of equipment common to both automatic and manual initiation is kept to a minimum. Once initiated, the manual trip will go to completion as required in Section 4.16 of IEEE Standard 279-1971.
7.2.1.1.1.12 Low Reactor Coolant Flow Trip
(DRN 03-7, R12-B)
A low reactor coolant flow trip is provided to trip the reactor when the pressure differential across the primary side of either steam generator decreases below a setpoint. A separate trip is provided for each steam generator. This function is used to provide trip for a reactor coolant pump sheared shaft event.
Refer to Figure 7.2-10. A trip is initiated when the pressure differential across the primary side of either steam generator decreases below a nominal setpoint of 19.00 psid. Pretrip alarm is not required for this function.
(DRN 03-7, R12-B)
7.2.1.1.1.13 Reactor Trip On Turbine Trip
(DRN 04-384, R14)
A reactor trip on turbine trip is provided to trip the reactor when power is greater than 65 percent and the turbine trips. This trip is provided only to prevent a challenge to the pressurizer relief valves. It is not credited in any safety analysis. The trip function can be manually enabled or defeated at reactor powers greater than 65 percent. Below 65 percent power, the trip function is automatically bypassed.
(DRN 04-384, R14)
The reactor trip on turbine trip system has four testable, redundant channels with a key operated bypass switch for each channel. A pretrip alarm is not provided as it is impractical in this application.
7.2.1.1.1.14 Reactor Trip On Loss of Load
A reactor trip on loss of load is provided to trip the reactor in the event of a loss of load in which the main turbine runs back, but does not trip, with the reactor power cutback system unavailable. The trip is generated from the loss of load circuitry in the steam bypass control system and is used to actuate the reactor trip from turbine trip circuitry. The loss of load trip is a non-safety two-out-of-two redundant actuation system which replaces the loss of load function in the reactor power cutback system with a loss of load trip in the reactor trip on turbine trip circuitry. The loss of load trip carries the same basic function as the reactor trip on turbine trip, i.e., it is used to prevent a challenge to the primary relief valves.
The system has capability to provide selection between the loss of load reactor trip and reactor power cutback on loss of load. The selection is made via a key switch located on CP-2 and is used to provide flexibility in the system when reactor power cutback system is out of service.
7.2.1.1.2 Initiating Circuits
7.2.1.1.2.1 Process Measurements
Various pressures, levels, and temperatures associated with the NSSS and the containment are continuously monitored to provide signals to the CPCs and the RPS trip bistables. All protective parameters are measured with four independent process instrument channels. A detailed listing of the parameters measured is contained in section 7.5.
A typical protective channel, as shown on Figure 7.2-1, consists of a sensor and transmitter, instrument power supply and current loop resistors, indicating meter and/or recorder, and trip bistable/calculator inputs.
The piping, wiring, and components of each channel are physically separated from that of other like protective channels to provide independence. The output of each process parameter transmitter is a current loop. Signal isolation is provided for plant monitoring computer inputs. Each channel is powered from a separate uninterrupted ac bus.
7.2.1.1.2.2 CEA Position Measurements
The position of each CEA is an input to the CPC/CEA calculator portion of the RPS. These positions are measured by means of two redundant reed switch assemblies on each CEA (Figure 7.2-2).
Each reed switch assembly consists of a series of magnetically actuated reed switches spaced at intervals along the CEA housing and wired with precision resistors in a voltage divider network. A magnet attached to the CEA extension actuates the adjacent reed switches, causing voltages proportional to position to be transmitted for each assembly. The two assemblies and wiring are physically and electrically separated from each other.
As is the case for the process instrument channels above, the wiring and components of each channel are physically and electrically separated from that of other like protective channels. Each channel is powered from a separate vital ac bus.
Each CEA is instrumented by redundant CEA reed switch position transmitters. One set of the redundant signals for all CEAs is monitored by one CEA calculator and the other set of signals by the redundant CEA calculator.
The CEAs are arranged into control groups that are controlled as subgroups of CEAs. The subgroups are symmetric about the core center. The subgroups are required to move together as a control group and should always indicate the same CEA group position.
Each CEA calculator monitors the position of all CEAs within each control subgroup. Should a CEA deviate from its subgroup position, the CEA calculators will monitor the event, sound an annunciator, and transmit an appropriate deviation "penalty" factor to the CPCs. This will cause trip margins to be reduced. This assures conservative operation of the RPS, as any credible failure of a CEA reed switch assembly will result in an immediate operator alarm and conservative RPS trip margins.
(DRN 01-1104; 02-1478)
The CEA calculators display the position of each regulating and shutdown CEA to the operator in a bar chart format on a cathode ray tube (CRT). Optical isolation is utilized at each CEA calculator output to the CRT display generator. The operator has the capability to select either CEA calculator for display.
(DRN 01-1104; 02-1478)
The CPCs utilize 22 selected "target" CEA position reed switch signals as a measure of subgroup and group CEA position. The CPCs utilize single CEA deviation penalty factors from the CEA calculators to modify calculational results in a conservative manner should a deviating CEA be detected by either CEA calculator. The detailed signal paths of CEA position intelligence within the RPS are shown in Figure 7.2-3. Figure 7.2-4 details the overall signal paths of all CEA position information. As shown in Figure 7.2-4, a separate CEA position system, which counts the CEA motion demand pulses for each CEA, is utilized for the plant monitoring computer functions, including the Core Operating Limit Supervisory System (COLSS) function.
The plant monitoring computer drives two digital indicators for operator display of the CEA position pulse count system. One indicator displays the position of the group selected, and one displays the position of the individual CEA selected by the operator at the reactor control panel CP-2.
7.2.1.1.2.3 Excore Neutron Flux Measurements
The excore nuclear instrumentation includes neutron detectors located around the reactor core and signal conditioning equipment located within the containment and the Reactor Auxiliary Building. Neutron flux is monitored from source levels through full power operation, and signal outputs are provided for reactor control, reactor protection, and for information display. There are eight channels of instrumentation: two are startup channels, two are control channels, and four are safety channels (see Figure 7.2-5).
The four safety channels provide neutron flux information from near startup neutron flux levels to 200 percent of rated power covering a single range of approximately 2 x 10⁻⁸ to 200 percent power (10 decades). Each safety channel consists of three fission chambers, a preamplifier and a signal conditioning drawer containing power supplies, a logarithmic amplifier (including combination counting and mean square variation techniques), linear amplifiers, test circuitry, and a rate-of-change of power circuit.
These channels feed the RPS and provide information for rate-of-change of power display, DNBR, local power density, and overpower protection. The Excore Channel required for 10CFR50 Appendix R requirements is mounted in the remote shutdown room in a cabinet beside LCP 43. In the event of a control room/cable vault fire, the Appendix R excore drawer is connected to the safety channel D preamplifier/filter assembly for logarithmic neutron flux indication.
The detector assembly provided for each safety channel consists of three identical fission chambers stacked vertically along the length of the reactor core. The use of multiple subchannel detectors in this arrangement permits the measurement of axial power shape during power operation.
The fission chambers are mounted in holder assemblies which in turn are located in four dry instrument wells (thimbles) at the primary shield. The wells are spaced around the reactor vessel to provide optimum neutron flux information.
Preamplifiers for safety channels A&B fission chambers are mounted outside the primary shield wall.
Regulatory Guide 1.97 Safety Channels (C&D) preamplifiers are located in the Reactor Containment Building wing area.
Physical and electrical separation of the preamplifiers and cabling between channels is provided.
The excore neutron flux monitoring safety channels are designed, manufactured, tested, and installed to the identical design, quality assurance and testing criteria as the remainder of the signal generating and processing equipment for the signals utilized by the RPS.
7.2.1.1.2.4 Reactor Coolant Flow Measurements
(DRN 00-531, R11-A)
The speed of each reactor coolant pump motor is measured to provide a basis for calculation of reactor coolant flow through each pump. Two metal discs each with 44 uniformly spaced slots about its periphery are scanned by two proximity devices. The metal discs are attached to the pump motor shaft, one to the upper portion and one to the lower portion. Each scanning device produces a voltage pulse signal, the frequency of which is proportional to pump speed.
(DRN 00-531, R11-A)
These signals are transmitted to the CPCs which compute the flowrate. Adequate separation between probes is provided.
The reactor coolant pump speed measurements are calibrated based on the average time between successive pulses at a given value of pump speed.
(DRN 03-2061, R14)
The volumetric flowrates calculated for each pump are summed to give a vessel flow. The vessel flow is corrected for core bypass and density and the result is the core mass flowrate. At design, full-power conditions the sensitivity of reactor coolant density to changes in reactor coolant inlet temperature and RCS pressure is typically -0.06935 lbm/ft³-°F and 0.0006689 lb/ft³-psi, respectively. At any given reactor coolant volumetric flowrate, the percentage change in mass flowrate is equal to the percentage change in density from a given base density. Thus, for a design full power reactor coolant density, the above sensitivities are equivalent to a decrease of 0.15 percent in mass flowrate per degree increase in inlet temperature, and an increase of 0.0015 percent in mass flowrate per psi increase in primary coolant system pressure. The above sensitivities are used with the design, full-power mass flowrate in a manner that assures conservative calculated mass flowrate relative to the actual mass flowrate.
(DRN 03-2061, R14)
The reactor coolant pump speed measurement system is designed, manufactured, tested, and installed to the identical design, quality assurance, and testing criteria as the remainder of the signal generation and processing equipment for signals utilized by the RPS.
7.2.1.1.2.5 Core Protection Calculators
Four independent CPCs are provided, one in each protection channel. Calculation of DNBR and local power density is performed in each CPC, utilizing the input signals described below. The DNBR and local power density so calculated are compared with trip setpoints for initiation of a low DNBR trip (Subsection 7.2.1.1.1.4) and the high local power density trip (Subsection 7.2.1.1.1.3).
Two independent CEA calculators are provided as part of the CPC system to calculate individual CEA deviations from the position of the other CEAs in their subgroup.
As shown in Figure 7.2-6, each CPC receives the following inputs: core inlet and outlet temperature, pressurizer pressure, reactor coolant pump speed, excore nuclear instrumentation flux power (each subchannel from the safety channel), selected CEA positions, and CEA deviation penalty factors from the CEA calculators. Input signals are conditioned and processed. The following calculations are performed in that CPC or the CEA calculators:
a) CEA deviations and corresponding penalty factors:
   1) Single CEA deviation in a subgroup calculated by CEA calculators
   2) Subgroup deviations in a group calculated by CPCs
   3) Groups out of sequence calculated by CPCs
b) Correction of excore flux power for shape annealing and CEA shadowing
c) Normalized reactor coolant flowrate from reactor coolant pump speed
d) Core average power from reactor coolant temperature and flow information
e) Core average power from corrected excore flux power signals
f) Axial power distribution from the corrected excore flux power signals
g) Fuel rod and coolant channel planar radial peaking factors, selection of predetermined coefficients based on CEA positions
h) DNBR
i) Comparison of DNBR with a fixed trip setpoint
j) Local power density compensated for thermal capacity of fuel
k) Comparison of compensated local power density to fixed local power density setpoint
l) CEA deviation alarm (CEA calculator)
Outputs of each CPC are:
a) DNBR trip and pretrip
b) DNBR margin (to control board indication)
c) Local power density trip and pretrip
d) Local power density margin (to control board indication)
e) Calibrated neutron flux power (to control board indication)
f) CEA withdrawal prohibit on DNBR or local power density pretrip or CEA misoperation.
g) Hot pin axial shape index (to control board indication)
Each calculator is mounted in the auxiliary protective cabinet with an operator's display and control module located on the main control board. From the four modules an operator can monitor all calculators, including specific inputs or calculated functions. The operator's modules for channels B and C are able to access the CEA calculators in those channels.
The system utilizes data links from the CEA calculators and the CPCs to the Plant Monitoring Computer.
Each link is electrically isolated from the others and functions independently of the others. The Plant Monitoring Computer provides a backup monitoring capability in addition to the plant operating personnel by providing periodic comparisons of sensor channel inputs and checking of calculated results of the Core Protection Calculators.
Failure of the Plant Monitoring Computer will in no way affect the operation of the Core Protection Calculators. All data and control lines for each data link are optically isolated to assure that no failures at the Plant Monitoring Computer will affect the Core Protection Calculators or the CEA Calculators. These optically isolated data links are designed such that open circuits, short circuits, or the application of the highest credible potential to the isolator output will not affect the calculators performing their intended function. Further, all data transfers are initiated by the Core Protection Calculators and data lines allow only one-way data transfer from the Core Protection Calculators to the Plant Monitoring Computer.
Data transmission is controlled by the CPC Central Processing Unit and the resident programs in memory only and is in no way dependent upon the status of the plant monitoring computer.
The optical link allows unidirectional data transmission to the plant monitoring computer. This feature, combined with the inherent isolation of the optical link, prevents the plant monitoring computer from affecting calculator operation.
No credit is taken for the operation of the Plant Monitoring Computer in determining the reliability of the Core Protection Calculators or in determination of the required interval for periodic testing.
7.2.1.1.2.6 Trip Generation
Except for the CPCs, and reactor trip on turbine trip, signals from the trip parameter process measurement loops are sent to voltage comparator circuits (bistables) where the input signals are compared to setpoint trip values. Whenever a channel trip parameter reaches the trip value, the channel bistable deenergizes the bistable output. The bistable output relay deenergizes trip relays. Outputs of the trip relays are in the trip logic (refer to subsection 7.2.1.1.3).
The trip bistable setpoints are adjustable from the PPS cabinet. Access is limited, however, by means of a key-operated cover and administratively controlled by Technical Specifications. In addition, each PPS door (front and rear) is provided with a key lock.
If any door is opened, an annunciator will indicate cabinet access. All bistable setpoints are capable of being read out on a meter located on the PPS cabinet.
Pretrip bistables and relays are also provided.
The reactor trip on turbine trip is generated externally of the PPS cabinets from a two-out-of-three relay logic in the turbine trip circuitry. The two-out-of-three turbine trip generates a trip input on all four PPS channels. The PPS cabinet retains its two-out-of-four redundancy. Being non-safety related, this trip differs from others in that the input signals from the turbine circuitry energize to actuate the trip logic in the PPS. The PPS logic, however, retains its deenergize-to-trip function as described in subsection 7.2.1.1.3.
7.2.1.1.3 Logic
Tripping of a bistable (or trip contact opening in the case of a calculated trip) results in a channel trip which is characterized by the deenergization of three bistable trip relays.
Contacts from the bistable relays of the same parameter in the four protective channels are arranged into six logic ANDs, designated AB, AC, AD, BC, BD, and CD, which represent all possible two-out-of-four combinations. To form an AND circuit, the bistable trip relay contacts of two like protective measurement channels are connected in parallel (e.g., one from A and one from B). This process is continued until all combinations have been formed.
Since there is more than one parameter that can initiate a reactor trip, the parallel pairs of bistable trip relay contacts for each monitored parameter are connected in series (Logic OR) to form six logic matrices. The six matrices are designated AB, AC, AD, BC, BD, and CD.
Each logic matrix is connected in series with a set of four matrix output relays (matrix relays). Each logic matrix is powered from two separate 120V vital ac distribution buses through dual dc power supplies as shown on Figure 7.2-7. The power supplies are protected from overload by means of input and/or output fuses or circuit breakers.
The contacts of the matrix relays are channelized into four trip paths.
Each reactor trip path is formed by connecting six contacts (one matrix relay contact from each of the six logic matrices) in series. The six series contacts are in series with the initiation output relay. The initiation output relays serve to deenergize the trip switchgear circuit breakers as discussed in Subsection 7.2.1.1.4.
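The matrix and trip path arrangement described above can be checked exhaustively with a small model. This is an added example, not part of the FSAR or of any plant software; the parameter names, the `stuck_closed` fault and the way a channel bypass is modelled (the bypassed channel's contact held closed) are assumptions, and the trip circuit breakers are not modelled.

```python
from itertools import combinations, product

CHANNELS = ("A", "B", "C", "D")
# The six logic matrices: AB, AC, AD, BC, BD, CD.
MATRICES = tuple(combinations(CHANNELS, 2))
TRIP_PATHS = (1, 2, 3, 4)


def matrix_energized(pair, tripped, bypassed):
    """Return True while the series string of one logic matrix still conducts.

    tripped  : {parameter: set of channels whose bistable has tripped}
    bypassed : {parameter: set of channels placed in bypass}
    A tripped bistable relay opens its contact. The two contacts of a pair are
    in parallel, so the pair opens only when both are open (logic AND). The
    pairs of all parameters are in series, so a single open pair deenergizes
    the matrix (logic OR).
    """
    for param, channels in tripped.items():
        held_closed = bypassed.get(param, set())  # assumed bypass mechanism
        if all(ch in channels and ch not in held_closed for ch in pair):
            return False
    return True


def deenergized_trip_paths(tripped, bypassed=None, stuck_closed=frozenset()):
    """Return the set of trip paths whose six-contact series string is open.

    stuck_closed holds (pair, path) matrix relay contacts that fail to open,
    a constructed fault used to show the effect of one bad contact.
    """
    bypassed = bypassed or {}
    open_matrices = [m for m in MATRICES
                     if not matrix_energized(m, tripped, bypassed)]
    dropped = set()
    for path in TRIP_PATHS:
        # One open contact anywhere in the series string drops the path.
        if any((m, path) not in stuck_closed for m in open_matrices):
            dropped.add(path)
    return dropped


def reactor_trip_demanded(tripped, bypassed=None):
    """True when all four trip paths are deenergized (no faults injected)."""
    return deenergized_trip_paths(tripped, bypassed) == set(TRIP_PATHS)


def coincidence_holds(param="high_pressurizer_pressure", bypassed_channel=None):
    """Compare the relay model with 'two or more unbypassed channels tripped'
    over all 16 channel states of one parameter."""
    bypassed = {param: {bypassed_channel}} if bypassed_channel else {}
    for states in product((False, True), repeat=len(CHANNELS)):
        tripped_chs = {ch for ch, s in zip(CHANNELS, states) if s}
        expected = len(tripped_chs - {bypassed_channel}) >= 2
        if reactor_trip_demanded({param: tripped_chs}, bypassed) != expected:
            return False
    return True


if __name__ == "__main__":
    print("2-out-of-4 holds:", coincidence_holds())
    for ch in CHANNELS:
        print(f"channel {ch} bypassed, 2-out-of-3 holds:",
              coincidence_holds(bypassed_channel=ch))
    # Unlike signals in two channels do not form a coincidence.
    unlike = {"high_pressurizer_pressure": {"A"}, "low_sg_level": {"B"}}
    print("unlike signals trip:", reactor_trip_demanded(unlike))
    # One matrix relay contact that fails to open leaves one path energized
    # when only that matrix has deenergized.
    fault = {(("A", "B"), 3)}
    print("paths dropped with stuck AB contact in path 3:",
          sorted(deenergized_trip_paths({"low_sg_level": {"A", "B"}},
                                        stuck_closed=fault)))
```
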
7.2.1.1.4 Actuated Devices
The above logic causes the deenergizing of the four trip path output relays whenever any one of the logic matrices is deenergized as described. Each trip path output relay in turn will cause two trip circuit breakers in the trip switchgear to open. (see Figure 7.2-7)
Power input to the trip switchgear comes from two full-capacity motor-generator sets, so that the loss of either set does not cause a release of the CEAs. Each line passes through two trip circuit breakers (each actuated by a separate trip path) in series so that, although both sides of the branch lines must be deenergized to release the CEAs, there are two separate means of interrupting each side of the line.
(DRN 01-1104, R12)
Upon removal of power to the CEDM power supplies, the CEAs fall into the reactor core by gravity.
(DRN 01-1104, R12)
Two sets of two manual trip pushbuttons are provided to open the trip circuit breakers, if desired. The manual trip completely bypasses the trip logic. As can be seen in Figure 7.2-7, both manual trip pushbuttons in a set must be depressed to initiate a reactor trip. They may be depressed sequentially or simultaneously.
The trip switchgear is housed in a separate cabinet from the RPS. In addition to the trip circuit breakers, the cabinet also contains current monitoring devices for testing purposes and a bus tie circuit breaker.
7.2.1.1.5 Bypasses
The bypasses listed in Table 7.2-1 are provided to permit testing, startup, and maintenance.
The DNBR and local power density bypass, which bypasses the low DNBR and high local power density trips from the CPC, is provided to allow system tests at low power when pressurizer pressure may be low or reactor coolant pumps may be off. The bypass may be manually initiated if thermal power is below 10^-4 percent and is automatically removed when the power level is equal to or greater than 10^-4 percent.
The RPS/ESFAS pressurizer pressure bypass is provided for system tests at low pressure, including CEA tests. The bypass may be manually initiated if pressurizer pressure is below 400 psia and is automatically removed if pressurizer pressure increases above 500 psia.
The high logarithmic power level bypass is provided to allow the reactor to be brought to the power range during a reactor startup. The bypass may be manually initiated above 10^-4 percent of rated thermal power and is automatically removed when thermal power is equal to or less than the reset point of the bistable.
(DRN 04-384, R14)
A PPS manual bypass is provided for the reactor trip on turbine trip function when reactor power is greater than 65 percent. The bypass function can be enabled when the Reactor Power Cutback System (RPCS) is available to reduce reactor power when a turbine trip occurs. When the RPCS is not available, the trip bypass is manually disabled. The trip bypass is automatically enabled when reactor power is less than 65 percent. A key operated switch is provided for each channel.
(DRN 04-384, R14)
An additional key operated switch located on CP-2 is available to enable or disable the turbine trip inputs to the PPS. This bypass switch is operated independently of reactor power. The combination of all bypass switches enables full functional testing of the system.
The trip channel bypass is provided to remove a trip channel from service for maintenance or testing.
The trip logic is thus converted to a two-out-of-three basis for the trip type bypassed; other type trips that do not have a bypass in any of their four channels remain in a two-out-of-four logic. The bypass is manually initiated and manually removed. The circuit utilized to accomplish the trip channel bypass is shown in Figure 7.2-8. This circuit, which is repeated for each type trip, contains an electrical interlock which allows only one channel for any one type trip to be bypassed at one time.
(EC-22790, R305)
The High Steam Generator Level Trip Bypass is provided to prevent unnecessary reactor trips on High Steam Generator Level during low power operations and plant startup when level control is difficult. Since the trip is not safety related, the bypass is manually initiated and removed and controlled by Administrative Procedures. The bypass is operated by four keyswitches, one per channel, located on CP-7.
(EC-22790, R305)
(DRN 99-2462, R11)
The Reactor Coolant Flow-Low Trip Bypass is provided to permit the performance of Control Element Drive Mechanism maintenance with a low flow condition in the Reactor Coolant System. The bypass is automatically removed at a preset reactor power level. The bypass is operated by four key switches, one per channel, located on CP-7.
(DRN 99-2462, R11)
All bypasses are annunciated visibly and audibly to the operator.
7.2.1.1.6 Interlocks
The following interlocks are provided:
a) Trip Channel Bypasses
An interlock prevents the operator from bypassing more than one trip channel at a time for any one type of trip. Different type trips may be simultaneously bypassed, either in one channel or in different channels.
b) Matrix Tests
During system testing an electrical interlock will allow only the matrix relays in one of the six matrix test modules to be held at a time. Figure 7.2-7 shows this interlock. The same circuit will allow only one process measurement loop signal to be perturbed at a time. The matrix test and loop perturbation switches are interlocked so that only one or the other may be done at any one time.
c) Nuclear Instrumentation Test
Placement of a nuclear instrument drawer calibration switch to other than the "operate" position or removal of any level test switch from the "off" position will cause a power trip test interlock to trip low DNBR and high local power density bistables in the affected channels. Placement of a linear or logarithmic calibration switch to other than the "operate" position will cause a channel high power level or high logarithmic power level trip. The log trip test potentiometer is combined with the matrix relay hold and bypass channel test interlock so that only one of these functions may be tested at any one time.
d) Core Protection Calculation Test
The low DNBR and high local power density channel trips are interlocked such that they must be bypassed to test a CPC channel.
7.2.1.1.7 Redundancy
Redundant features of the reactor protective system include:
a) Four independent channels, from process sensor through and including channel trip relays. The CEA position input is from two independent channels;
b) Six logic matrices which provide the two-out-of-four logic. Dual power supplies are provided for the matrix relays;
c) Four trip paths, including four control logic paths and four trip path output relays;
d) Two sets of manual trip pushbuttons with either set being sufficient to cause a reactor trip;
e) AC power for the system from four separate vital instrument buses. DC power for the trip switchgear circuit breakers control logic is provided from two separate battery buses. Loss of one battery system will result in reactor trip.
The result of the redundant features is a system that meets the single failure criterion, can be tested during reactor operation, and can be shifted to two-out-of-three logic.
The benefit of a system that includes four independent and redundant channels is that the system can be operated, if need be, with up to two channels out of service (one bypassed and another tripped) and still meet the single failure criterion. The only operating restriction while in this condition (effectively one-out-of-two logic) is that no provision is made to bypass another channel for periodic testing or maintenance. The system logic must be restored to at least a two-out-of-three condition prior to removing another channel for maintenance.
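The coincidence logic, trip channel bypass interlock and matrix hold described above can be exercised in a small Python model. This is an added illustration, not part of the FSAR or of any plant software; the class and function names, the trip type labels low_dnbr and high_lpd, and the treatment of a bypassed channel as "not counted" in the matrices are assumptions of the model.

```python
import copy
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
# Six logic matrices, one per pair of channels: AB, AC, AD, BC, BD, CD.
MATRICES = tuple(a + b for a, b in combinations(CHANNELS, 2))
TRIP_PATHS = (1, 2, 3, 4)  # each matrix has one matrix relay contact in every trip path


class InterlockError(Exception):
    """A request that the bypass or matrix-test interlock refuses."""


class RpsModel:
    def __init__(self, trip_types):
        self.tripped = {t: set() for t in trip_types}   # tripped bistables, per trip type
        self.bypassed = {t: None for t in trip_types}   # bypassed channel, per trip type
        self.held = None      # matrix whose relays are held by the test hold coils
        self.dropped = None   # trip path whose relay is released in the held matrix

    def bypass(self, trip_type, channel):
        # Interlock: only one channel of any one trip type may be bypassed at a time.
        current = self.bypassed[trip_type]
        if current not in (None, channel):
            raise InterlockError(f"{trip_type}: channel {current} is already bypassed")
        self.bypassed[trip_type] = channel

    def set_bistable(self, trip_type, channel, tripped=True):
        if tripped:
            self.tripped[trip_type].add(channel)
        else:
            self.tripped[trip_type].discard(channel)

    def counted(self, trip_type):
        # Assumption: a bypassed channel's trip is simply not counted in the matrices.
        return self.tripped[trip_type] - {self.bypassed[trip_type]}

    def ladder_open(self, matrix):
        # A matrix opens when both of its channels trip on the SAME parameter.
        return any(set(matrix) <= self.counted(t) for t in self.tripped)

    def hold(self, matrix, drop_path=None):
        # Interlock: the relays of only one matrix can be held at a time.
        if self.held not in (None, matrix):
            raise InterlockError(f"matrix {self.held} is already held")
        self.held, self.dropped = matrix, drop_path

    def release_hold(self):
        self.held = self.dropped = None

    def relay_energized(self, matrix, path):
        if matrix == self.held:          # hold coil keeps the relay in unless selected
            return path != self.dropped
        return not self.ladder_open(matrix)

    def open_trip_paths(self):
        # Six contacts in series per path: one open contact deenergizes the path.
        return {p for p in TRIP_PATHS
                if not all(self.relay_energized(m, p) for m in MATRICES)}

    def automatic_trip(self):
        # A deenergized matrix drops all four of its relays, opening all four paths.
        return self.open_trip_paths() == set(TRIP_PATHS)


def further_trips_needed(model, trip_type):
    """Fewest additional channel trips of this type that give an automatic trip."""
    idle = [c for c in CHANNELS if c not in model.tripped[trip_type]]
    for n in range(len(idle) + 1):
        for extra in combinations(idle, n):
            trial = copy.deepcopy(model)
            for channel in extra:
                trial.set_bistable(trip_type, channel)
            if trial.automatic_trip():
                return n
    return None


def trip_path_test_sequence(model):
    """Hold each matrix, release one matrix relay at a time, list contacts exercised."""
    exercised = []
    for matrix in MATRICES:
        for path in TRIP_PATHS:
            model.hold(matrix, drop_path=path)
            if model.open_trip_paths() != {path}:
                raise RuntimeError(f"{matrix}-{path} opened {model.open_trip_paths()}")
            exercised.append((matrix, path))
        model.release_hold()
    return exercised


if __name__ == "__main__":
    rps = RpsModel(["low_dnbr", "high_lpd"])
    print("normal:", further_trips_needed(rps, "low_dnbr"))
    rps.bypass("low_dnbr", "A")
    print("A bypassed:", further_trips_needed(rps, "low_dnbr"))
    rps.set_bistable("low_dnbr", "B")
    print("A bypassed, B tripped:", further_trips_needed(rps, "low_dnbr"))
    print("contacts tested:", len(trip_path_test_sequence(RpsModel(["low_dnbr"]))))
```

The model stops at the trip paths; the trip circuit breaker arrangement and the manual trip, which bypasses this logic entirely, are not represented.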
7.2.1.1.8 Diversity
The system is designed to eliminate credible multiple channel failures originating from a common cause.
The failure modes of redundant channels and the conditions of operation that are common to them are analyzed to assure that a predictable common failure mode does not exist. The design provides reasonable assurance that:
a) The monitored variables provide adequate information during design basis events (design basis events are listed in Subsections 7.2.2.1.1 and 7.2.2.1.2).
b) The equipment can perform as required.
c) The interactions of protective actions, control actions and the environmental changes that cause, or are caused by, the design basis events do not prevent the mitigation of the consequences of the event.
d) The system will not be made inoperable by the inadvertent actions of operating and maintenance personnel.
In addition, the design is not encumbered with additional components or channels without reasonable assurance that such additions are beneficial.
The system incorporates functional diversity to accommodate the unlikely event of a common mode failure concurrent with any of the accident conditions listed in Subsection 7.2.2.1.2.
7.2.1.1.9 Testing
Provisions are made to permit periodic testing of the complete reactor protective system, with the reactor operating at power or when shut down. These tests cover the trip actions from sensor amplifier input to the bistables through the protective system and the trip switchgear. The system test does not interfere with the protective function of the system. The testing system meets the criteria of IEEE Standard 338-1971, IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protective Systems, and is consistent with the recommendations of NRC Regulatory Guide 1.22, Periodic Testing of Protection System Actuator Functions (February, 1972).
The individual tests are described briefly below. Overlap between individual tests exists so that the entire RPS can be tested. Frequency of accomplishing these tests is listed in the Technical Specifications. On January 30, 1985 (W3P85-0245) LP&L provided the NRC with an evaluation demonstrating that the then existing RPS functional test intervals were consistent with the maintenance of high RPS availability.
7.2.1.1.9.1 Sensor Check
Sensors are checked by comparison with similar channels that should indicate identical information. Also, every sensor is checked periodically as outlined in the Technical Specifications for proper input and output. After bypassing the respective bistable, input is supplied through test connections and outputs of 4-20 madc and 0-10 vdc are measured for proper calibration.
7.2.1.1.9.2 Trip Bistable Tests
Testing of the trip bistables is accomplished by manually varying the input signal up to or down to the trip setpoint level on one bistable at a time and observing the trip action.
Varying the input signal is accomplished by means of a trip test circuit consisting of a digital voltmeter and a test circuit used to vary the magnitude of the signal supplied by the measurement channel to the trip input. The trip test circuit is interlocked electrically so that it can be used in only one channel at a time. A switch is provided to select the measurement channel, and a pushbutton is provided to apply the test signal. The digital voltmeter indicates the value of the test signal. Trip action (deenergizing) of each of the bistable trip relays is indicated by individual lights on the front of the cabinet, indicating that these relays operate as required for a bistable trip condition.
When one of the bistables of a protective channel is in the tripped condition, a channel trip exists and is annunciated on the control room annunciator panel. In this condition, a reactor trip would take place upon receipt of a trip signal in one of the other three like trip channels. The trip channel under test is therefore bypassed for this test, converting the RPS to a two-out-of-three logic for the particular trip parameter. In either case, full protection is maintained.
7.2.1.1.9.3 Core Protection Calculator Tests
The purpose of both the automatic and periodic testing of the DNBR/LPD Calculator System is to contribute to high system reliability by means of failure detection, and to call attention to system performance not within prescribed limits. The automatic and periodic tests provide a means of checking, with a high degree of confidence, the operational availability of system input sensors and all devices used to derive the final system output signal.
Automatic On-Line Testing
The automatic on-line testing consists of three separate checks: (1) internal self-checking of the input data, (2) internal self-checking of the calculator, and (3) an external watchdog timer that monitors the execution of the cyclic scheduling mechanism. Although failures in the on-line system are expected infrequently, the automatic on-line testing is provided to assure high continuous system reliability beyond that provided in typical analog calculated trips.
The protection algorithms will check the reasonability of input sensor data against predetermined maximum and minimum values. The CEA Calculator checks raw CEA position data against high and low values of +10 volts dc and +5 volts dc. Raw data which reads between 0 - 5 or 10 - 15 volts dc is deemed unreasonable. If a sensor is found to be out-of-range, the affected calculator will generate the proper annunciation signal.
To provide a check on system software and to detect time frame overruns, an external "watchdog timer" is installed as part of the Data Input/Output Subsystem.
The watchdog timer will light the CPC or CEAC failure light at the Operators Module directly.
For all other failures detected during automatic on-line testing, the affected calculator will set its outputs in the fail-safe state, such as "trip" for a CPC. If recovery from the failure is possible, the system will maintain its outputs in the safe state and execute Auto-Restart, followed by initialization, followed by normal operation.
Further on-line testing capability is provided by continuous status indication and information read out from each Core Protection Calculator. Continuous display of the following information is provided to the operator:
a) DNBR margin
b) Local power density margin
c) Calibrated neutron flux power
Cross checking of the four channel displays can be made to assure the integrity of the calculator. The majority of the calculator failures will result in anomalous indications from the failed channel that can be readily detected by the operator during cross checking.
In addition, each protection channel is equipped with an Operators Module which provides another level of assurance of the functional integrity of the calculator channels.
Periodic Testing
The DNBR/LPD Calculator System is periodically and routinely tested to verify its operability. A complete channel can be individually tested without initiating a reactor trip, and without violating the single failure criterion. The system can be checked from the sensor signal through the bistable contacts for low DNBR and high local power density in the Plant Protection System. Overlap in the checking and testing is provided to assure that the entire channel is functional.
The minimum frequencies for checks, calibration, and testing of the Core Protection Calculator system have been included in the Technical Specifications.
Periodic testing of the DNBR/LPD Calculator system is divided into two major categories, (1) on-line system tests and (2) off-line performance diagnostic tests. Off-line testing is further subdivided into two categories, performance testing and diagnostic testing. Performance testing is used to check the numerical accuracy of the calculations. Diagnostic testing is used as an aid to troubleshooting whenever the performance tests or the on-line tests (interchannel comparisons) indicate the presence of a failure.
Permanent mass storage units will be used for storage of the test programs.
On-line System Test
The on-line portion of the periodic testing consists of comparisons of like parameters among the four protective channels. Comparisons are made using the digital displays on the Operators Module and the analog meters on the control board. Comparisons of like analog and digital inputs give assurance that the analog and digital multiplexers and the A/D converters are functioning properly. These comparisons also give assurance that data are being properly entered into and retrieved from the data base. Comparisons of intermediate and final calculated parameters verify the performance of the protection algorithms and the analog display meters on the control board.
Calibration of the A/D converters is checked by displaying the reference voltage supplies which are connected to each calculator.
Off-line Performance Test
Before off-line testing is initiated, the channel to be tested is bypassed at the Plant Protection System and the trip logic is changed to two-out-of-three for the DNBR and local power density trips. Interlocks are incorporated in the Plant Protection System to prevent bypassing more than one channel at a time. To initiate off-line testing a key is required and only one key is provided. This ensures that only one channel can be placed in the test mode at a time.
The performance test uses the calculator data base to verify numerical accuracy of the calculations. The data base is divided into three areas, namely, raw input data, filtered input data and calculated values.
The raw data area contains the last samples of raw analog and digital data. The filtered data area contains averaged input data, filtered input data, past samples of input data needed for dynamic compensation, and dynamically compensated data. The calculated values area contains intermediate and final calculated values and calibration constants which are updated periodically.
During performance testing, the permanent mass storage unit is used to load test inputs directly into the data base. For each set of test inputs, the expected calculated results are also loaded and compared with the values calculated by the protection algorithms. If agreement is achieved, the test program prints the expected results and the actual results on the Teletype and proceeds to the next set of test data. If agreement is not achieved, the test program halts at that point unless restarted by the operator. Dynamic effects in the calculations are tested by loading the filtered data area of the data base with test values representing past values of time varying inputs.
From the standpoint of the calculator software structure, the performance tests are virtually identical to the on-line functions. Only two differences exist from the normal functions of the calculators. First, the calculator outputs are in a fail-safe condition for the duration of the tests, and second, the algorithms use data derived from the permanent mass storage unit instead of the Data Input/Output subsystem. The algorithms themselves, however, do not recognize the data source or that they are executing in the test mode.
As a final check, the individual instructions in protected memory are compared with an image of the instructions stored on the permanent mass storage unit to ensure the integrity and demonstrate the "reliability" of the protection algorithms during the life span of the DNBR/LPD Calculator System.
Off-Line Diagnostic Tests
After a given failure is detected by a performance test, on-line test, or on-line diagnostic, hardware diagnostic programs are provided to aid in locating (to the module level) and correcting malfunctions.
7.2.1.1.9.4 Logic Matrix Test
This test is carried out to verify proper operation of the six two-out-of-four logic matrices, any of which will initiate a bona fide system trip for any possible two-out-of-four trip condition from the signal inputs from each measurement channel.
Only the matrix relays in one of the six logic matrix test modules can be held in the energized position during tests. If, for example, the AB logic matrix hold pushbutton is held depressed, actuation of the other matrix hold pushbuttons will have no effect upon their respective logic matrices.
Actuation of the pushbutton will apply a test voltage to the test system hold coils of the selected four double coil matrix relays. This voltage will provide the power necessary to hold the relays in their energized position when deactuation of the bistable trip relay contacts in the matrix ladder being tested causes deenergization of the primary matrix relay coils.
The logic matrix to be tested is selected using the system channel trip select switch. Then while holding the matrix hold pushbutton in its actuated position, rotation of the channel trip select switch will release only those bistable trip relays that have operating contacts in the logic matrix under test. The channel trip select switch applies a test voltage of opposite polarity to the bistable trip relay test coils, so that the magnetic flux generated by these coils opposes that of the primary coil of the relay. The resulting flux will be zero, and the relays will release. A simplified diagram of this testing system is shown in Figure 7.2-9 using the AB matrix.
Trip action can be observed by illumination of the trip relay indicators located on the front panel and by loss of voltage to the four matrix relays, which is indicated by extinguishing indicator lights connected across each matrix relay coil. During this test, the matrix relay hold lights will remain on, indicating that a test voltage has been applied to the holding coils of the four matrix relays of the logic matrix module under test.
The test is repeated for all six matrices and for each actuation signal. This test will verify that the bistable relay contacts operate correctly and that the logic matrix relays will deenergize if the matrix continuity is violated. The opening of the matrix relay contacts is tested in the trip path tests (see Subsection 7.2.1.1.9.5).
Each logic matrix test module provides the associated test circuitry for both the RPS and ESFAS logic matrices. The system channel trip select switch permits the selection of the desired actuation logic matrix to be tested as can be seen in Figure 7.2-7.
7.2.1.1.9.5 Trip Path/Circuit Breaker Tests
Each trip path is tested individually by depressing a matrix hold pushbutton (holding matrix relays), selecting any trip position on the channel trip select switch (opening the matrix), and selecting a matrix relay on the matrix relay trip select switch (deenergizing one of the matrix relays). This will cause one, and only one, of the trip paths to deenergize, causing two trip circuit breakers to open. CEDMs remain energized via the other trip circuit breakers.
The dropout lamps shown on Figures 7.2-7 and 7.2-9 are used to provide additional verification that the matrix relay has been deenergized (e.g., the 6AB-1 matrix relay contact energizes the dropout lamp).
Since the matrix test modules are also utilized for the ESFAS logic matrix testing, this dropout lamp is also shared via contacts 1AB-1 through 5AB-1 as shown on Figure 7.2-7. Proper operation of the actual trip path matrix relay contacts is verified by the trip path lamp located on the trip status panel.
Proper operation of all coils and contacts is verified by lights on a trip status panel; final proof of opening of the trip circuit breakers is the lack of indicated current through the trip breakers.
The matrix relay trip select switch is turned to the next position, reenergizing the tested matrix relay and allowing the trip breakers to be manually reset.
This sequence is repeated for the other three trip paths from the selected matrix. Following this the entire sequence is repeated for the remaining five matrices. Upon completion, all 24 matrix relay contacts and all four trip paths and breakers will have been tested.
7.2.1.1.9.6 Manual Trip Test
The manual trip feature is tested by depressing one of the four manual trip pushbuttons, observing a trip of two trip breakers, and resetting the breakers prior to depressing the next manual trip pushbutton.
7.2.1.1.9.7 Bypasses
The system bypasses, as itemized in Table 7.2-1, are tested by appropriate test circuitry. Testing includes both initiation and removal features.
7.2.1.1.9.8 Response Time Tests
(DRN 03-2061, R14)
Response time tests of the RPS, required at refueling intervals, are described in the Technical Specifications. RPS response times are listed in the TRM.
(DRN 03-2061, R14)
7.2.1.1.10 Vital Instrument Power Supply
The vital instrument power supply for the RPS is described in Chapter 8.
7.2.1.2 Design Bases
The RPS is designed to assure adequate protection of the fuel, fuel cladding, and RCS pressure boundary during anticipated operational occurrences. In addition, the system is designed to assist the Engineered Safety Feature System (ESFS) in limiting the consequences of certain postulated accident conditions. To ensure that these design bases are achieved, the reactor must be maintained within the limiting conditions of operation, as defined in Technical Specifications and the limiting safety system settings implemented consistent with Technical Specifications.
The system is designed on the following bases to assure adequate performance of its protective function:
a) The system is designed in compliance with the applicable criteria of the AEC, General Design Criteria for Nuclear Power Plants, Appendix A of 10CFR50, July 15, 1971.
b) Instrumentation, function, and operation of the system conforms to the requirements of IEEE Standard 279-1971, Criteria for Protective Systems for Nuclear Power Plants.
c) System testing conforms to the requirements of IEEE Standard 338-1971, Trial Use Criteria for Periodic Testing of Nuclear Power Generating Station.
d) The design of the system is consistent with the recommendations of Regulatory Guide 1.53, Application of the Single-Failure Criterion to Nuclear Power Plant Protective Systems (June, 1973), and Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions (February, 1972).
e) The system is designed to determine the following generating station conditions in order to provide adequate protection during anticipated operational occurrences:
1. Core power (from logarithmic power circuits)
2. Reactor Coolant System pressure
3. DNBR in the limiting coolant channel in the core
4. Peak local power density in the limiting fuel pin in the core
(DRN 03-2061, R14)
5. Steam generator water level
(DRN 03-2061, R14)
f) The system is designed to determine the following generating station conditions in order to provide protective action assistance to the ESFS during accidents:
1. Core power
2. RCS pressure
3. Steam generator pressure
4. Containment pressure
5. Steam generator level
6. DNBR in the limiting coolant channel in the core
g) The system is designed to monitor all generating station variables that are needed to assure adequate determination of the conditions given in listings e and f above, over the entire range of normal operation and transient conditions. The full power nominal values and the maximum and minimum values that can be sensed for each monitored plant variable are given in Table 7.2-2.
The type, number, and location of the sensors provided to monitor these variables are given in Table 7.2-3. There is no spatial dependence resulting from the location of sensors that affects the functional design requirements identified in Subsection 7.2.2.
h) The system is designed to alert the operator when any monitored plant condition is approaching a condition that would initiate protective action.
i) The system is designed so that protective action will not be initiated due to normal operation of the generating station.
Nominal full power values of monitored conditions and their corresponding protective action (trip) setpoints are given in Table 7.2-4.
The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays and inaccuracies are taken into account. Response times and sensor accuracies used in the safety analyses are provided in Chapter 15.
The trip delay times and uncertainties provided in Chapter 15 are representative of the manner in which the reactor protective system and associated instrumentation will operate. These quantities are used in the transient analysis done in Chapter 15. Actual RPS uncertainties and delay times will be obtained from calculations and tests performed on the RPS and associated instrumentation. The verified system uncertainties are factored into all RPS settings and/or setpoints to assure that the system adequately performs its intended function when the errors and uncertainties combine in an adverse manner.
j) All system components are qualified for environmental and seismic conditions in accordance with IEEE Standard 323-1971, and IEEE Standard 344-1971. Compliance is addressed in Sections 3.10 and 3.11. In addition, the system is capable of performing its intended function under the most degraded conditions of the energy supply, as addressed in Chapter 8.
7.2.1.3 Final System Drawings
Electrical wiring diagrams, block diagrams, final logic diagrams, and location layout drawings are listed and provided by reference in Section 1.7.
The differences between the logic diagrams and schematics submitted in the PSAR and those in the FSAR are discussed in Subsection 1.3.2.
7.2.2 ANALYSIS
7.2.2.1 Introduction
The RPS is designed to provide the following protective functions:
a) Initiate automatic protective action to assure that acceptable RCS and fuel design limits are not exceeded during specified anticipated operational occurrences.
b) Initiate automatic protective action during certain postulated accident conditions to aid the ESFS in limiting the consequences of the accident.
A description of the reactor trips provided in the RPS is given in Subsection 7.2.1.1.1. Subsection 7.2.2.2 provides the bases for all the RPS trips and Table 7.2-4 gives the applicable nominal trip setpoints.
Most of the trips in the RPS are single parameter trips (i.e., a trip signal is generated by comparing a single measured variable with a fixed setpoint). The RPS trips that do not fall into this category are as follows:
a) Low Pressurizer Pressure Trip
This trip employs a setpoint that is determined as a function of the measured pressurizer pressure or that is varied by the operator.
b) Low Steam Generator Pressure Trip
This trip employs a setpoint that is determined as a function of the measured steam generator pressure or that is varied by the operator.
c) High Local Power Density Trip
This trip employs a setpoint that is calculated as a function of several measured variables.
d) Low DNBR Trip
This trip is calculated as a function of several measured variables.
The low DNBR and high local power density trips are provided in the CPCS. All RPS trips with the exception of the steam generator differential pressure trip and reactor trip on turbine trip are provided with a pretrip alarm in addition to the trip alarm. Pretrip alarms are provided to alert the operator of an approach to a trip condition and play no part in the safety evaluation of the plant.
Each RPS setpoint is chosen to be consistent with the function of the respective trip.
The adequacy of all RPS trip setpoints, with the exception of the low DNBR and high local power density trips, is verified through an analysis of the pertinent system transients reported in Chapter 15. These analyses take into account all calculational and measurement uncertainties and system delay times related to the respective trips. Limiting trip delay times and uncertainties are given in Section 15.0. The manner by which these delay times and uncertainties will be verified is discussed in Subsection 7.2.1.2.
The adequacy of RPS trip functions, with the exception of the low DNBR and high local power density trips, is verified through analysis of the pertinent design basis events reported in Chapter 15. These analyses utilize an analysis setpoint (i.e., assumed trip initiation point) and system delay times related to the respective trip functions. The analysis setpoints, along with instrument uncertainties, provide the basis for the calculation of the final equipment setpoints.
7.2.2.1.1 Anticipated Operational Occurrences
(DRN 04-1097, R14)
The anticipated operational occurrences that are accommodated by the system are those conditions of normal operation that are expected to occur one or more times during the life of the plant. In particular, the occurrences considered include single operator errors or single component or control system failures resulting in transients which could lead to a violation of acceptable plant and fuel design limits if protective actions were not initiated.
(DRN 04-1097, R14)
The fuel design and reactor coolant pressure boundary (RCPB) limits used to define the RPS design are:
a) The DNBR, in the limiting coolant channel in the core, shall not be less than the DNBR limit.
b) The peak local power density, in the limiting fuel pin in the core, shall not be greater than 21 kW/ft, the safety limit corresponding to the onset of centerline fuel melting.
c) The RCS pressure shall not exceed those values permitted by the applicable ASME Code, Section III.
The anticipated operational occurrences that were used to determine the system design requirements are:
(DRN 01-1104, R12; 02-1478, R12)
a) Insertion or withdrawal of CEA groups, including:
(DRN 01-1104, R12; 02-1478, R12)
1. Uncontrolled sequential withdrawal of CEA groups
2. Out-of-sequence insertion or withdrawal of CEA groups
(DRN 01-1104)
3. Deleted
(DRN 01-1104)
4. Excessive sequential insertion of CEA groups
(DRN 01-1104)
b) Insertion or withdrawal of a CEA subgroup including:
(DRN 01-1104)
1. Uncontrolled insertion or withdrawal of a CEA subgroup
2. Dropping of one CEA subgroup
3. Misalignment of CEA subgroup comprising a designated CEA group
(DRN 01-1104)
c) Insertion or withdrawal of a single CEA including:
(DRN 01-1104)
1. Uncontrolled insertion or withdrawal of a single CEA
(DRN 01-1104)
2. Dropped CEA
(DRN 01-1104)
3. A single CEA sticking, with the remainder of the CEAs in that group moving
4. A statically misaligned CEA
d) Uncontrolled boron dilution.
e) Excess heat removal due to secondary system malfunctions.
f) Change of forced reactor coolant flow resulting from a complete loss of power to one or more reactor coolant pumps.
g) Inadvertent pressurization or depressurization of RCS resulting from anticipated single control system malfunctions.
h) Change of normal heat transfer capability between steam and RCS systems resulting from improper feedwater or a loss of external load and/or turbine trip.
i) Loss of preferred ac power.
j) Uncontrolled axial xenon oscillations.
k) Asymmetric Steam Generator Transient (due to instantaneous closure of MSIV)
7.2.2.1.2 Accidents
The accident conditions for which the system will take action are those unplanned events under any conditions that are expected to occur once during the life of several stations and arbitrary combinations of unplanned events and degraded systems that are never expected to occur. The consequences of most of these accidents will be limited by the ESFS; the RPS will provide action to assist in limiting these conditions for those accidents but does not have the major role in assuring that the plant is maintained within the applicable safety limits. The accident conditions for which the RPS will provide protective action assistance are:
a) RCS pipe rupture, including double-ended rupture of the largest pipe in the RCS.
b) Ejection of any single CEA.
c) Steam system pipe rupture, including a double-ended rupture.
d) Steam generator tube rupture.
e) Reactor coolant pump shaft seizure.
f) Reactor coolant pump sheared shaft.
(DRN 04-1097, R14)
7.2.2.2 Trip Bases
(DRN 04-1097, R14)
The RPS consists of fourteen trips in each RPS channel that will initiate the required automatic protective action utilizing two-out-of-four coincidence.
A brief description of the inputs and purpose of each trip is presented in Subsections 7.2.2.2.1 through 7.2.2.2.14.
7.2.2.2.1 High Linear Power Level Trip
a) Input: Neutron flux power from the excore neutron flux monitoring system.
b) Purpose:
(DRN 03-2061, R14)
To provide reactor core protection against rapid reactivity excursions.
(DRN 03-2061, R14)
7.2.2.2.2 High Logarithmic Power Level Trip
a) Input: Neutron flux power from the excore neutron flux monitoring system.
b) Purpose: To assure the integrity of the fuel cladding and RCS boundary in the event of unplanned criticality from a shutdown condition, resulting from earlier dilution of the soluble boron concentration or uncontrolled withdrawals of CEAs. In the event that CEAs are in the withdrawn position, automatic trip action will be initiated. If all CEAs are inserted, an alarm is provided to alert the operator to take appropriate action in the event of an unplanned criticality.
7.2.2.2.3 High Local Power Density Trip
a) Inputs:
1. Neutron flux power and axial power distribution from the excore neutron flux monitoring system
2. Radial peaking factors from CEA position measurement system (reed switch assemblies)
3. T power from coolant temperatures and flow measurements
b) Purpose:
(DRN 04-1097, R14)
To prevent the linear heat rate (kW/ft) in the limiting fuel pin in the core from exceeding the value corresponding to the safety limit of peak fuel centerline temperature in the event of defined anticipated operational occurrences.
(DRN 04-1097, R14)
7.2.2.2.4 Low DNBR Trip
a) Inputs:
1. Neutron flux power and axial power distribution from the excore neutron flux monitoring system
2. RCS pressure from pressurizer pressure measurement
3. T power from coolant temperatures and flow measurements
4. Radial peaking factors from CEA position measurements (reed switch assemblies)
5. Reactor coolant mass flow from reactor coolant pump speed
6. Core inlet temperature from reactor coolant cold leg temperature measurements
b) Purpose:
(DRN 03-2061, R14)
To prevent the DNBR in the limiting coolant channel in the core from exceeding the fuel design limit in the event of defined anticipated operational occurrences. In addition, this trip will provide a reactor trip to assist the ESFS in limiting the consequences of the steam generator tube rupture, steam line break and reactor coolant pump shaft seizure accidents. The Core Protection Calculators (CPCs) contain several trip functions, such as Low Departure from Nucleate Boiling Ratio (DNBR) trips, that are credited in some safety analyses.
(DRN 03-2061, R14)
7.2.2.2.5 High Pressurizer Pressure Trip
a) Input: Reactor coolant pressure from narrow range (1500-2500 psia) pressurizer pressure measurement.
b) Purpose: To help assure the integrity of the RCS boundary for any defined anticipated operational occurrences that could lead to an over-pressurization of the RCS.
7.2.2.2.6 Low Pressurizer Pressure Trip
a) Input: Reactor coolant from wide range (0-3000 psia) pressurizer pressure measurement.
b) Purpose: To provide a reactor trip in the event of reduction in system pressure, in addition to the DNBR trip, and to provide a reactor trip to assist the ESFS in the event of a LOCA.
7.2.2.2.7 Low Steam Generator Water Level Trips
a) Input: Level of water in each steam generator downcomer region from differential pressure measurements.
b) Purpose: To provide protective action to assure that there is sufficient time for actuating the emergency feedwater pumps to remove decay heat from the reactor in the event of a reduction of steam generator water inventory.
7.2.2.2.8 Low Steam Generator Pressure Trips
a) Input: Steam pressure in each steam generator.
b) Purpose: To provide a reactor trip to assist the ESFS in the event of a steam line rupture accident.
7.2.2.2.9 High Containment Pressure Trip
a) Input: Pressure inside reactor containment
b) Purpose: To assist the ESFS by tripping the reactor coincident with the initiation of safety injection.
7.2.2.2.10 High Steam Generator Levels
a) Input: Level of water in each steam generator downcomer region from differential pressure measurements.
b) Purpose: To prevent excessive moisture carryover from the steam generators from reaching the turbine, which could result in damage to the turbine. This trip is not required to fulfill the protective functions given in Subsection 7.2.2.1.
7.2.2.2.11 Low Reactor Coolant Flow Trip
a) Input: Pressure differential measured across the steam generator primary side.
b) Purpose: To provide a reactor trip in the event of a reactor coolant pump sheared shaft.
7.2.2.2.12 Reactor Trip On Turbine Trip
a) Input: Turbine trip (Subsection 15.2.1.2.1 defines the probable causes of a turbine trip).
b) Purpose: To prevent a challenge of the pressurizer relief valves. This trip is not required to fulfill the protective functions given in Subsection 7.2.2.1.
7.2.2.2.13 Reactor Trip on Loss of Load
a) Input: The loss of load trip is generated from the loss of load circuitry in the steam bypass control system.
b) Purpose: To provide reactor protection for loss of loads events in which the main turbine runs back but does not trip.
7.2.2.2.14 Manual Trip
a) Input: The manual trip is initiated by actuation of two adjacent pushbutton switches in the main control room which causes interruption of the ac power to the CEDM power supplies.
b) Purpose: To allow the operator to trip the reactor manually.
7.2.2.3 Design
7.2.2.3.1 General Design Criteria
Appendix A of 10CFR50, General Design Criteria for Nuclear Power Plants (July 7, 1971) establishes minimum requirements for the principal design criteria for water cooled nuclear power plants. This paragraph describes how the requirements that are applicable to the RPS are satisfied:
a) Criterion 1: Quality Standards and Records
The quality assurance for the design of equipment and components is described in the QA Program Manual. These procedures will assure that the system will be described in accordance with required codes and standards.
b) Criterion 2: Design Bases for Protection Against Natural Phenomena
The design bases for protection against natural phenomena are described in Sections 3.3, 3.4, 3.10 and 3.11.
c) Criterion 3: Fire Protection
The design basis for fire protection is described in Subsection 9.5.1.
d) Criterion 4: Environmental and Missile Design Bases
Environmental design bases are described in Section 3.11. Missile design bases are described in Section 3.5.
e) Criterion 5: Sharing of Structures, Systems, and Components
No RPS components are shared with future or existing reactor facilities.
f) Criterion 10: Reactor Design
The RPS, in conjunction with the plant control system and Technical Specification requirements, provides sufficient margin to trip setpoints so that, (1) during normal operation protective action will not be initiated, and (2) during anticipated operational occurrences, fuel design limits will not be exceeded. Typical margins for each trip parameter are shown in Table 7.2-4.
g) Criterion 12: Suppression of Reactor Power Oscillations
The axial power distribution is continually monitored by the RPS and factored into the low DNBR and high local power density trips. This assures that acceptable fuel design limits are not exceeded in the event of axial power oscillations. Allowances are made in the trip setpoints for azimuthal power tilts.
h) Criterion 13: Instrumentation and Control
Sensor ranges are sufficient to monitor all pertinent plant variables over the expected range of plant operation for normal and transient conditions. All variables that affect plant and fuel design limits are monitored by the RPS. The safety-related information readout for plant monitoring is described in Section 7.5.
i) Criterion 15: RCS Design
The high pressurizer pressure trip and high logarithmic power level trip are provided to help assure the integrity of the RCS boundary.
j) Criterion 20: Protection System Functions
The RPS will monitor all plant variables that affect plant and fuel design limits. These limits are given in Subsection 7.2.2.1.1. A reactor trip will be initiated to prevent these limits from being exceeded for all the anticipated operational occurrences that are listed in Subsection 7.2.2.1.1.
k) Criterion 21: Protection System Reliability and Testability
Functional reliability is ensured by compliance with the requirements of IEEE Standard 279-1971, as described in Subsection 7.2.2.3.2. Testing is in compliance with IEEE Standard 338-71, and consistent with the recommendations of Regulatory Guide 1.22 (Feb, 1972) described in Subsection 7.2.2.3.3. It should be noted that GDC-21 is satisfied even with one channel bypassed.
l) Criterion 22: Protection System Independence
The RPS independence is assured through redundancy and diversity as described in Subsections 7.2.1.1.7 and 7.2.1.1.8.
m) Criterion 23: Protection System Failure Modes
The protective system is designed to fail into a safe state in the event of loss of power supply, disconnection of the system, or module removal, as noted in Subsection 7.2.2.3.2. Where protective action is required under adverse environmental conditions during postulated accidents, the components of the system are designed to function under such conditions.
n) Criterion 24: Separation of Protection and Control Systems
The protection system is separated from the control systems.
o) Criterion 25: Protection System Requirements for Reactivity Control Malfunctions
The RPS is designed to ensure that acceptable RCS and fuel design limits are not exceeded for the reactivity control malfunctions stated in Subsection 7.2.2.1.1.
p) Criterion 29: Protection Against Anticipated Operational Occurrences
The RPS is designed to assure a very high probability of accomplishing the protective functions given in Subsection 7.2.2.1.
7.2.2.3.2 Equipment Design Criteria
IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, establishes minimum requirements for safety-related functional performance and reliability of the RPS.
This subsection describes how the requirements listed in Section 4 of IEEE Standard 279 are satisfied.
4.1 "General Functional Requirement"
The RPS is designed to limit reactor fuel, fuel cladding, and coolant conditions to levels within plant and fuel design limits. Instrument performance characteristics, response time, and accuracy are selected for compatibility with and adequacy for the particular function. Trip setpoints are established by analysis of the system parameters. Factors such as instrument inaccuracies, bistable trip times, CEA travel times, valve travel time, circuit breaker trip times, and pump starting times are considered in the design of the system.
4.2 "Single Failure Criterion"
The protective system is designed so that any single failure within the system shall not prevent proper protective action at the system level. No single failure will defeat more than one of the four protection channels associated with any one trip function. The wiring in the system is grouped so that no single fault or failure, including either an open or shorted circuit, will negate protective system operation. Signal conductors are protected and routed independently.
a) The following is an evaluation of the effects of specific single faults in the analog portion of the system:
1) A loss of signal in a measurement channel initiates channel trip action for the low pressurizer pressure, low steam generator water level, and low steam generator pressure trips.
2) Shorting of the signal leads to each other has the same effect as a loss of signal. Shorting a lead to a voltage has no effect since the signal circuit is ungrounded.
3) Single grounds of the signal circuit have no effect. Periodic checking of the system will assure that the circuit remains ungrounded.
4) Open circuit of the signal leads has the same effect as a loss of signal.
b) The following is an evaluation of the effects of specific single faults in the logic portion of the system:
1) Inadvertent operation of the relay contacts in the matrices will be identified by indicating lights.
2) Shorting of the pairs of contacts in the matrices will prevent the matrix relay sets from being released. Such shorts are detectable in the testing process by observing that the matrix relays cannot be dropped out. Testing is accomplished by successive opening of the logic matrix contact pairs.
3) Shorting of the matrices to an external voltage has no effect since the matrix is ungrounded. The testing process will indicate accidental application of potential to the matrix. Equipment is provided to detect grounds on the matrices.
4) The logic matrices will each be supplied by two power sources. Loss of a single power source has no effect on plant operation. Loss of power to a logic matrix initiates a trip condition.
5) Failure of a matrix relay to deenergize will not prevent a trip since there are six matrix relay contacts in series in the trip path and any one contact initiating trip action will cause the action to be completed.
6) The failure of one trip breaker or control circuit has no effect since there are two trip breakers with independent control circuits in series, either of which will provide the necessary action.
7) Single grounds or accidental application of potential in the trip path circuits have no effect since the circuit is ungrounded. Testing and observation of ground detectors will indicate these problems.
8) The CEDM power supply circuits operate ungrounded so that single grounds have no effect. The CEDMs are supplied in two groups by separate pairs of power supplies to further reduce the possibility of a CEA being improperly held. The CEDM load requirements are such that the application of any other local available supply would not prevent CEA release.
4.3 "Quality Control of Components and Modules"
The quality assurance control measures applied to these systems and components are described in the QA Program Manual. These measures include appropriate requirements for design review, procurement, inspection, and testing to ensure that the system components shall be of a quality consistent with minimum maintenance requirements and low failure rates.
4.4 "Equipment Qualification"
The RPS meets the equipment requirements described in Sections 3.10 and 3.11.
4.5 "Channel Integrity"
Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels will maintain the functional capability required under applicable extremes of conditions relating to environment, energy supply, malfunctions, and accidents.
Loss of, or damage to, any one path will not prevent the protective action. Sensors are connected so that blockage or failure of any one connection does not prevent protective system action. The process transducers located in the containment are specified and rated for the intended service. Components that must operate during or after the LOCA are rated for the LOCA environment. Results of type tests are used to verify these ratings.
In the main control room, the nuclear instrumentation and protective system trip paths are located in four compartments. Mechanical and thermal barriers between these compartments reduce the possibility of common event failure. Outputs from the components in this area to the control boards are isolated or are routed in a channelized cable system. The isolators provided assure that shorting, grounding, or the application of the highest available local voltage does not cause channel malfunction. Where signals originating in the RPS feed the computer, signal isolation is provided; where the RPS is feeding annunciators, isolation is ensured through the use of relay contacts.
4.6 "Channel Independence"
The locations of the sensors and the points at which the sensing lines are connected to the process loop were selected to provide physical separation of the channels, thereby precluding a situation in which a single event could remove or negate a protective function. The routing of cables from protective system transmitters is arranged so that the cables are separated from each other and from power cabling to minimize the likelihood of common event failures. This includes separation at the containment penetration areas. In the main control room, the four nuclear instrumentation and protective system trip channels are located in individual compartments.
Mechanical and thermal barriers between these compartments minimize the possibility of common event failure. Outputs from the components in this area to the control boards are isolated or are routed in a channelized cable system. The isolators provided assure that shorting, grounding, or the application of the highest available local voltages (120V ac, 125V dc) do not cause channel malfunction.
The criteria for separation and physical independence of channels are based on the need for decoupling the effects of accident consequences and energy supply transients and for reducing the likelihood of channel interaction during testing or in the event of a channel malfunction.
4.7 "Control and Protection System Interaction"
a) "4.7.1 Classification of Equipment"
No sensors are common to the RPS and any control system. The RPS is separated from the control instrumentation systems so that failure or removal from service of any control instrumentation system component or channel does not inhibit the function of the protective system.
4.8 "Derivation of System Inputs"
This criterion requires that insofar as is practicable, system inputs are derived from signals that are direct measures of the desired variables. Variables that are measured directly include neutron flux, temperatures, and pressures. Level information is derived from appropriate differential pressure measurements. Flow information is derived from reactor coolant pump speed measurement.
4.9 "Capability for Sensor Checks"
The RPS sensors are checked by cross-checking between channels. These channels bear a known relationship to each other, and this method ensures the operability of each sensor during reactor operation.
4.10 "Capability for Test and Calibration"
Testing is described in Subsection 7.2.1.1.9 and is in compliance with IEEE Standard 338-1971, as discussed in Subsection 7.2.2.3.3.
4.11 "Channel Bypass or Removal from Operation"
Any one of the four protective system channels may be tested, calibrated, or repaired without detrimental effects on the system. Individual trip channels may be bypassed to effect a two-out-of-three logic on remaining channels. The single failure criterion is met during this condition. Testing of each of the two CEA position input channels can be accomplished in a very brief time period. Probability of failure of the other system is acceptably low during such testing periods.
4.12 "Operating Bypasses"
Operating bypasses are provided as shown in Table 7.2-1. The operating bypasses are automatically removed when the permissive conditions are not met. The circuitry and devices which function to remove these inhibits are designed in accordance with IEEE Standard 279-1971.
4.13 "Indication of Bypasses"
Indication of test or bypass conditions or removal of any channel from service is given by lights and annunciators. Operating bypasses that are automatically removed at fixed setpoints are alarmed and indicated.
4.14 "Access to Means for Bypassing"
A key is required to gain access to the means for bypassing a protective system channel. An interlock prevents the plant operator from bypassing more than one of the four channels of any one type trip at any one time. All bypasses are visually and audibly annunciated.
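The coincidence, bypass and interlock behaviour described in 4.2, 4.11 and 4.14 can be checked exhaustively. The Python sketch below is an added example, not part of the FSAR or of any plant software; the channel names A-D, the modeling of the vote as six two-out-of-two matrices (one per channel pair), and all class and function names are assumptions made for illustration.

```python
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")   # assumed names for the four channels
# Assumption: the two-out-of-four vote is built from one two-out-of-two
# matrix per channel pair, which gives six matrices.
MATRICES = tuple(combinations(CHANNELS, 2))


def coincidence(tripped, bypassed=frozenset()):
    """True if some matrix sees both of its channels tripped.

    A bypassed channel cannot contribute a trip, so one bypass leaves
    two-out-of-three logic on the remaining channels.
    """
    active = set(tripped) - set(bypassed)
    return any(a in active and b in active for a, b in MATRICES)


def single_failure_analysis(bypassed=frozenset()):
    """Apply every single channel failure to a given bypass configuration."""
    in_service = [ch for ch in CHANNELS if ch not in bypassed]
    # Demand present: all channels sense it except one that fails to trip.
    trips_on_demand = all(
        coincidence(set(CHANNELS) - {failed}, bypassed) for failed in in_service
    )
    # No demand: one channel fails in the tripped state.
    spurious_trip = any(coincidence({failed}, bypassed) for failed in in_service)
    return {"trips_on_demand": trips_on_demand, "spurious_trip": spurious_trip}


class InterlockError(Exception):
    """A bypass request would put a second channel of one trip type in bypass."""


class TripFunction:
    """One trip type across four channels, with keyed bypass and trip latch."""

    def __init__(self, name):
        self.name = name
        self.bypassed = None     # at most one channel at a time
        self.latched = False     # protective action goes to completion
        self.annunciator = []    # stand-in for lights and audible alarms

    def bypass(self, channel, key_present):
        if not key_present:
            raise PermissionError("bypass switch requires the key")
        if self.bypassed not in (None, channel):
            raise InterlockError(
                f"{self.name}: channel {self.bypassed} is already bypassed")
        self.bypassed = channel
        self.annunciator.append(f"{self.name}: channel {channel} bypassed")

    def restore(self):
        if self.bypassed is not None:
            self.annunciator.append(
                f"{self.name}: channel {self.bypassed} restored")
        self.bypassed = None

    def evaluate(self, tripped):
        """Vote on the set of tripped channels; a trip stays latched."""
        bypassed = frozenset() if self.bypassed is None else {self.bypassed}
        if coincidence(tripped, bypassed):
            self.latched = True
        return self.latched

    def operator_reset(self):
        """Only explicit operator action clears a completed trip."""
        self.latched = False


if __name__ == "__main__":
    # No bypass, one bypass (permitted), two bypasses (blocked by interlock).
    for config in (set(), {"A"}, {"A", "B"}):
        print(sorted(config), single_failure_analysis(config))
```

With two channels in bypass the analysis reports that one further failure defeats the trip, which is the configuration the one-channel interlock rules out.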
4.15 "Multiple Setpoints"
Manual reduction of setpoints for low pressurizer pressure and low steam generator pressure trips is allowed for the controlled reduction of pressurizer pressure and steam generator pressure as discussed in Subsections 7.2.1.1.1.6 and 7.2.1.1.1.8. The setpoint reductions are initiated by a control board mounted pushbutton which, upon actuation, adjusts the setpoint to a value at a preselected increment below the operating pressure which exists at the time the pushbutton is actuated. A separate pushbutton is provided for each protection channel. This method of setpoint reduction provides positive assurance that the setpoint is never decreased below the existing pressure by more than a predetermined amount.
The setpoint is automatically increased by the RPS as the measured pressure is increased.
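The pushbutton reduction and automatic increase of 4.15 behave as a small state machine for one protection channel. The Python sketch below is an added example, not plant logic: the 1,684 psia normal setpoint is the low pressurizer pressure value from Table 7.2-4, while the 400 psi increment, both pressure traces, the rule that the automatic increase stops at the normal setpoint, and all names are assumptions.

```python
NORMAL_SETPOINT = 1684   # psia, low pressurizer pressure setpoint (Table 7.2-4)
STEP = 400               # psi, constructed value for the preselected increment


class VariableSetpoint:
    """Low-pressure trip setpoint the operator can lower only in bounded steps."""

    def __init__(self, normal=NORMAL_SETPOINT, step=STEP):
        self.normal = normal
        self.step = step
        self.setpoint = normal

    def pushbutton(self, pressure):
        """Operator action: place the setpoint one step below present pressure."""
        self.setpoint = min(self.normal, pressure - self.step)
        return self.setpoint

    def sample(self, pressure):
        """Process one measurement and return True if the channel trips."""
        # Assumption: the automatic increase keeps the setpoint within one
        # step of measured pressure and never raises it above the normal value.
        self.setpoint = min(self.normal, max(self.setpoint, pressure - self.step))
        return pressure <= self.setpoint


def run_trace(events, normal=NORMAL_SETPOINT, step=STEP):
    """events: (measured pressure, pushbutton pressed) pairs in time order.

    Returns one (pressure, setpoint after the sample, tripped) row per event.
    """
    sp = VariableSetpoint(normal, step)
    rows = []
    for pressure, pressed in events:
        tripped = sp.sample(pressure)
        if pressed and not tripped:
            sp.pushbutton(pressure)
        rows.append((pressure, sp.setpoint, tripped))
    return rows


def margin_bounded(rows, normal=NORMAL_SETPOINT, step=STEP):
    """Check that the setpoint is never more than one step below pressure."""
    return all(sp >= min(normal, p - step) for p, sp, _ in rows)


# Constructed trace: controlled depressurization with the operator pressing
# the pushbutton as pressure falls, followed by a pressure recovery.
CONTROLLED = [(2250, False), (1900, False), (1750, True),
              (1450, True), (1100, True), (1300, False)]

# Constructed trace: pressure falls by more than one step after the last
# pushbutton press, so the channel trips despite the lowered setpoint.
UNCONTROLLED = [(2250, False), (1750, True), (1300, False)]

if __name__ == "__main__":
    for name, trace in (("controlled", CONTROLLED), ("uncontrolled", UNCONTROLLED)):
        print(name)
        for row in run_trace(trace):
            print("  pressure=%d setpoint=%d tripped=%s" % row)
```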
4.16 "Completion of Protective Action Once it is Initiated"
The system is designed to ensure that protective action (reactor trip) will go to completion once initiated.
Operator action is required to clear the trip and return to operation. Protective action is initiated when the reactor trip circuit breakers open. Protective action is completed when the CEAs arrive at their full-in position.
4.17 "Manual Initiation"
A manual trip is effected by depressing either of two sets of trip pushbuttons, therefore no single failure will prevent a manual trip. The two pushbuttons in a set need not be depressed simultaneously.
4.18 "Access to Setpoint Adjustments, Calibration and Test Points"
A key is required for access to setpoint adjustments, calibration and test points. Access is also visibly and audibly annunciated.
4.19 "Identification of Protective Action"
Indication lights are provided for all protective actions, including identification of channel trips.
4.20 "Information Readout"
Means are provided to allow the operator to monitor all trip system inputs, outputs, and calculations. The specific displays that are provided for continuous monitoring are described in Section 7.5.
4.21 "System Repair"
Identification of a defective input channel will be accomplished by observation of system status lights or by testing as described in Subsection 7.2.1.1.9. Replacement or repair of components is accomplished with the affected input channel bypassed. The affected trip function then operates in a two-out-of-three trip logic.
4.22 "Identification"
All equipment, including panels, modules, and cables associated with the trip system are marked in order to facilitate identification.
(DRN 03-2061, R14)
7.2.2.3.3 Testing Criteria
(DRN 03-2061, R14)
IEEE Standard 338-1971, Trial Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems, September 1971, and Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions (February, 1972) provide guidance for development of procedures, equipment, and documentation of periodic testing. The basis for and the scope and means of testing are described in this subsection.
(DRN 03-2061, R14)
Since operation of the RPS will be infrequent, the system is periodically and routinely tested to verify its operability. A complete channel can be individually tested without initiating a reactor trip, without violating the single failure criterion, and without inhibiting the operation of the system. The system can be checked from the sensor signal through the power supply circuit breakers of the control element drive mechanisms. The RPS can be tested during reactor operation. The sensors can be checked by comparison with similar channels or channels that involve related information. Minimum frequencies for checks, calibration, and testing of the RPS instrumentation are given in the Technical Specifications.
RPS response times are listed in the TRM. Overlap in the checking and testing is provided to assure that the entire channel is functional. The use of individual trip and ground detection lights, in conjunction with those provided at the supply bus, assure that possible grounds or shorts to another source of voltage will be detected.
(DRN 03-2061, R14)
The testing scheme is presented in detail in Subsection 7.2.1.1.9.
The response time from an input signal to the protection system trip bistables through the opening of the trip circuit breakers is verified by measurement during plant startup testing. Sensor responses are measured during factory acceptance tests.
7.2.2.3.4 Environmental and Seismic Criteria
IEEE Standard 323-1971, Trial-Use Guide for Qualifying Class 1 Electrical equipment for Nuclear Power Generating Station, was used as a design basis for the RPS. Compliance with this criterion is detailed in Section 3.11.
IEEE Standard 344-1971, Guide for Seismic qualification of Class 1 Electrical Equipment for Nuclear Power Generating Station, was used as a design basis for the RPS. Compliance with this criterion is detailed in Section 3.10.
7.2.2.3.5 Single Failure Criterion
IEEE Standard 379-1972, Guide for the Application of Single Failure Criterion to Nuclear Power Generating Stations, was used as a design basis for the RPS. Compliance with the single failure criterion is detailed in Subsection 7.2.2.3.2.
7.2.2.3.6 Regulatory Guides
Discussions of regulatory guides applicable to RPS are found in Subsection 7.1.2.
7.2.2.4 Failure Modes and Effects Analysis
A failure modes and effects analysis for the RPS is provided in Table 7.2-5. Figure 7.2-10 shows the interface logic diagram of the RPS. The analysis is for the protective system portion of the figure for the sensors, bistable coincidence logic, and actuating devices.
WSES-FSAR-UNIT-3 TABLE 7.2-1 Revision 14 (12/05)
REACTOR PROTECTIVE SYSTEM BYPASSES
| Title | Function | Initiated By | Removed By | Notes | Revision marker |
|---|---|---|---|---|---|
| DNBR and local power density bypass | Disable low DNBR and high local power density trips | Key-operated switch (1 per channel) if power is <10^-4% | Automatic if power is >10% | Allows lower power testing | |
| RPS/ESFAS pressurizer pressure bypass | Disables low pressurizer pressure trip and SIAS | Key-operated switch (1 per channel) if pressure <400 psia | Automatic if pressure is >500 psia | Allows testing at low pressure and allows depressurization below 400 psia without initiation of undesired safeguards action | |
| High log power level bypass | Disables high logarithmic power level trip | Manual switch (1 per channel) if power is >10^-4% | Automatic if power is <10% | Bypassed during reactor startup | |
| Trip channel bypass | Disables any given trip channel | Manually by controlled access switch | Same switch | Interlocks allow only one channel for any one type trip to be bypassed at one time | |
| Reactor trip on turbine trip | Disables reactor trip on turbine trip | Key-operated (1 per channel) | Automatic if power is >65% | Additional key operated switch is provided on CP-2. This enables/disables reactor trip on turbine trip inputs to PPS. Operation is independent of reactor power | (DRN 04-384, R14) |
| Hi S/G level trip bypass | Disables HI S/G level trip | Key operated switch; administratively controlled access | Same switch | Non-safety operating bypass allows S/G level control during startup | |
| Reactor Coolant Flow-Low | Disable low reactor coolant flow-low trip | Key operated switch; administratively controlled | Automatic if power level (excore) is >8.5 x 10^-5% | Allows low reactor coolant flow maintenance of RTSG | (DRN 99-2462, R11) |
WSES-FSAR-UNIT-3 TABLE 7.2-2 Revision 307 (07/13)
REACTOR PROTECTIVE SYSTEM MONITORED PLANT VARIABLE RANGES
| Monitored Variable | Minimum | Nominal (full power) | Maximum | Revision marker |
|---|---|---|---|---|
| Neutron flux power, % of full power | 2x10^-8 | 100 | 200 | |
| Cold leg temperature, °F | 465 | 543 | 615 | (DRN 03-2061, R14) |
| Hot leg temperature, °F | 525 | 601 | 675 | (DRN 03-2061, R14) |
| Pressurizer Pressure (narrow range), psia | 1,500 | 2,250 | 2,500 | |
| Pressurizer pressure (wide range), psia | 0 | 2,250 | 3,000 | |
| CEA positions | full in | NA | full out | |
| Reactor coolant pump speed, rpm | 0 | 1,183 | 1,200 | (DRN 00-524, R11-A) |
| Steam generator water level (narrow range) | 0 | 64.4% | 100% | (DRN 8460, R307) |
| Steam generator pressure, psia | 0 | 832 | 1,200 | (DRN 03-2061, R14; EC-8460, R307) |
| Containment pressure wide range (CSAS), psia | 0 | 14.7 | 30 | |
| Containment pressure wide range (CSAS), psia | 0 | 14.7 | 40 | |
| Low Reactor Coolant Flow (SG primary side differential pressure), psid | 0 | 32 | 50 | |
WSES-FSAR-UNIT-3 TABLE 7.2-3 Revision 10 (10/99)
REACTOR PROTECTIVE SYSTEM SENSORS

| Monitored Variable | Type | Number of Sensors | Location |
|---|---|---|---|
| Neutron flux power | Fission Chamber | 12 | Biological Shield |
| Cold leg temperature | Precision RTD | 8 | Cold leg piping |
| Hot leg temperature | Precision RTD | 8 | Hot leg piping |
| Pressurizer pressure (wide range) | Pressure transducer | 4(a) | Pressurizer |
| Pressurizer pressure (narrow range) | Pressure transducer | 4 | Pressurizer |
| CEA positions | Reed switch assemblies | 2/CEA | Control element drive mechanism |
| Reactor coolant pump speed | Proximity device | 4/pump | Reactor coolant pump |
| Steam generator level | Differential pressure transducer | 4/steam generator(a) | Steam generators |
| Steam generator pressure | Pressure transducer | 4/steam generator(a) | |
| Containment pressure | Pressure transducer | 4(a) | Containment structure |
| Steam Generator Differential Pressure | Differential Pressure Transducer | 4 | Steam Generators |

(a) Common with engineered safety feature actuation system.
WSES-FSAR-UNIT-3 TABLE 7.2-4 Revision 307 (07/13)
REACTOR PROTECTIVE SYSTEM DESIGN MARGINS

| Type | Nominal Value (full power) | Trip Setpoint (Nominal) (d) | Nominal Margin to Trip |
|---|---|---|---|
| High logarithmic power level | NA | 0.257% | NA |
| High linear power level | 100% power | 108% power | 8% power |
| Low DNBR | 1.79 | 1.26(a) | 0.53 |
| High local power density, kW/ft | 13.4(peak) | 21(a) | 7.6 |
| High pressurizer pressure, psia | 2,250 | 2,350 | 100 |
| Low pressurizer pressure, psia | 2,250 | 1,684(c) | 566 |
| Low steam generator water level | Normal | 27.4%(b) | NA |
| (DRN 05-130, R14; EC-8460, R307) | | | |
| Low steam generator pressure, psia | 832 | 666(c) | 166 |
| (DRN 05-130, R14; EC-8460, R307) | | | |
| High containment pressure, psia | 0 | 17.1 | NA |
| Reactor Coolant Flow-Low | NA | >19.1 psid | NA |

(a) Calculated value (to be compared to setpoint) conservatively considering all sensor time delays, and processing time delays, and inaccuracies to ensure that trip occurs sufficiently prior to core safety limits.
(b) % of the distance between the level instrument nozzles above the lower nozzle.
(c) Setpoint can be manually decreased as pressure is reduced and is automatically increased as pressure is increased.
(d) The nominal setpoint values correspond to the equipment setpoints given in the Technical Specifications. The setpoints used in the safety analyses are given in Chapter 15 for each event and result in more severe consequences than the equipment setpoints.
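The failure mode and effects entries in Table 7.2-5 keep returning to the same outcomes: with the fourth channel bypassed, a channel that fails untripped leaves 2-out-of-2 coincidence, and a channel that fails tripped (or is placed in the tripped state by the operator) leaves 1-out-of-2. The following Python model is an added illustration, not part of the FSAR or of the plant logic; the state names, function names and scenarios are assumptions chosen to reproduce those statements and the one-bypass-at-a-time interlock.

```python
from enum import Enum
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
VOTES_REQUIRED = 2  # two like trip signals generate the actuation


class State(Enum):
    HEALTHY = "healthy"
    BYPASSED = "trip channel bypass"             # removed from the vote
    STUCK_UNTRIPPED = "failed, cannot trip"      # e.g. sensor fails high on a low-pressure trip
    TRIPPED = "failed tripped or placed in trip"  # contributes a standing vote


def with_states(**overrides):
    """Build a channel-state map; unspecified channels are healthy."""
    states = {ch: State.HEALTHY for ch in CHANNELS}
    states.update(overrides)
    return states


def check_bypass_interlock(states):
    """Only one channel of a given trip type may be bypassed at one time."""
    bypassed = [ch for ch in CHANNELS if states[ch] is State.BYPASSED]
    if len(bypassed) > 1:
        raise ValueError(f"interlock violation: channels {bypassed} bypassed together")


def actuates(states, demanding):
    """True if the coincidence logic actuates when the channels in
    `demanding` see a real process condition beyond the setpoint."""
    check_bypass_interlock(states)
    votes = 0
    for ch in CHANNELS:
        state = states[ch]
        if state is State.TRIPPED:
            votes += 1                      # standing vote, independent of the process
        elif state is State.HEALTHY and ch in demanding:
            votes += 1                      # healthy channel responding to the process
        # BYPASSED and STUCK_UNTRIPPED channels never contribute a vote
    return votes >= VOTES_REQUIRED


def effective_coincidence(states):
    """Return (k, n): the fewest healthy channels k, out of n healthy,
    that must respond for actuation. None means the function is lost."""
    healthy = [ch for ch in CHANNELS if states[ch] is State.HEALTHY]
    for k in range(len(healthy) + 1):
        if any(actuates(states, set(c)) for c in combinations(healthy, k)):
            return (k, len(healthy))
    return None


def describe(states):
    result = effective_coincidence(states)
    if result is None:
        return "function lost"
    k, n = result
    return "actuated without demand" if k == 0 else f"{k}-out-of-{n}"


# Constructed scenarios mirroring the wording used in the FMEA entries.
SCENARIOS = [
    ("all four channels healthy", with_states()),
    ("channel D bypassed", with_states(D=State.BYPASSED)),
    ("D bypassed, A fails untripped",
     with_states(D=State.BYPASSED, A=State.STUCK_UNTRIPPED)),
    ("D bypassed, A fails tripped or is placed in trip",
     with_states(D=State.BYPASSED, A=State.TRIPPED)),
    ("D bypassed, A and B both fail untripped",
     with_states(D=State.BYPASSED, A=State.STUCK_UNTRIPPED, B=State.STUCK_UNTRIPPED)),
]

if __name__ == "__main__":
    for label, states in SCENARIOS:
        print(f"{label:50s} -> {describe(states)}")
```

The last scenario shows why undetected untripped failures are the ones that require operator conversion to 1-out-of-2: a second such failure leaves no combination of healthy channels that can actuate.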
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 1 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS
Name | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon PPS | Remarks and Other Effects
RPS Measurement Channel, Reactor Flux (e.g. Channel A), Figure 7.2-10
Ex-Core Flux Monitor (68)
Low Loss of HV power supply.
Breakdown in insulation resistance Loss of data, erroneous data.
Possible HI PWR DENS trip.
High startup channel alarm.
Not annunciating.
Automatic sensor validity test. 3-channel comparison.
Periodic manual test.
3-channel redundancy (4th channel bypassed) channel placed in trip mode Makes reactor trip logic for HI LIN PWR, HI LOG PWR, LO DNBR and HI PWR DENS 2-out-of-2 coincidence.
Reactor trip logic for HI LOG PWR, HI LIN PWR, LO DNBR and HI PWR DENS trips must be converted to 1-out-of-2 by placing appropriate bistables in affected channel in the tripped state.
High Detector shorts, continuous ionization.
Erroneous data Annunciating.
Pre-trip and trip HI LIN PWR alarm.
Nuclear instrument inoperative alarm.
3-channel redundancy (4th channel bypassed) channel placed in trip mode.
Makes reactor trip logic for HI LIN PWR, LO DNBR, and HI PWR DENS 1-out-of-2 coincidence.
Power reduction signal (PRS) logic 1-out-of-2 coincidence.
Reactor trip logic for HI LOG PWR, HI LIN PWR, LO DNBR and HI PWR DENS trips must be converted to 1-out-of-2 by placing appropriate bistables in affected channel in the tripped state.
Ex-Core Power Level (N.I.) (69)
Low Loss of amplifier power supply. Amplifier failure.
Loss of data. Affects local power density (LPD) and calibrated nuclear power calculation. Possible (LPD) channel trip. Erroneous data.
Annunciating. Automatic sensor validity test. 3-channel comparison. Periodic manual tests.
Channel trips, system changes to 1/2 for HI LPD, HI LIN PWR, HI LOG PWR, DNBR.
Makes reactor trip logic for HI LIN PWR, HI LOG PWR, LO DNBR and HI PWR DENS 1-out-of-2 coincidence.
Operator can trip failed EX-CORE FLUX MONITOR function at the HI LOG PWR, HI LIN PWR, LO DNBR and HI PWR DENS bistable and place system in 1-out-of-2 for these trips.
RPS Measurement Channel, Reactor Flux (e.g. Channel A), Figure 7.2-10 (cont.)
Ex-Core Power Level (N.I.)
(69) (cont.)
High Input failure.
Amplifier failure.
Possible LPD, HI Linear PWR, and HI LOG PWR channel trips Annunciating pre-trip and low trip HI LIN PWR alarm.
Nuclear instrument inoperative alarm.
Channel trip, system changes to 1/2 for HI LPD, HI LIN PWR, HI LOG PWR, DNBR.
Makes reactor trip for HI LIN PWR, LO DNBR, and HI PWR DENS 1-out-of-2.
Operator can trip failed EX-CORE FLUX MONITOR function at the HI LOG PWR, HI LIN PWR, LO DNBR and HI PWR DENS bistable and place system in 1-out-of-2 for these trips.
Measurement Channel, Core Protection Calculators, Channel A (Typical), Figure 7.2-10 Core Outlet Temperature Thot (80)
Low Power supply failure. RTD bridge network failure.
Reduces T power.
Annunciating. Automatic sensor validity test. 3-channel comparison. Plant computer monitor and alarm. Periodic test.
3-channel redundancy.
(4th channel bypassed)
Channel in tripped mode.
Reactor trip logic for LO DNBR and HI PWR DENS is converted to 1-out-of-2.
Calculated values of DNB calibrated nuclear power and local power density (LPD) will change. System can be converted to 1-out-of-2 logic for those affected trip functions by the operator.
High RTD opens or network failure.
Increases T power. Possible channel trips (DNBR, LPD).
Annunciating.
Reactor trip logic for LO DNBR and HI PWR DENS is converted to 1-out-of-2.
Core Inlet Temperature Tcold (82)
One spurious low.
Power supply failure. RTD bridge network failure.
Increases T power. Possible channel trips (DNBR, LPD).
Annunciating. Automatic sensor validity test. 3-channel comparison monitor and alarm. Periodic test.
3-channel redundancy.
(4th channel bypassed)
Channel in tripped mode.
Reactor trip logic for LO DNBR and HI PWR DENS is converted to 1-out-of-2.
System can be converted to 1-out-of-2 logic for those affected trip functions by the operator.
Measurement Channel, Core Protection Calculators, Channel A (Typical), Figure 7.2-10 (cont.)
Core Inlet Temperature Tcold (82)
(cont.)
One spurious high
RTD opens network failure.
Decrease in T power.
Annunciating.
Reactor trip logic for LO DNBR and HI PWR DENS is converted to 1-out-of-2.
Reactor Coolant Pump Flow (84)
One spurious loss of transmission Power supply or pulse amplifier failure.
Mechanical damage to sensor.
Loss of data. LO DNBR channel trip possible.
Annunciating. Plant computer monitor and alarm. Trip status indication.
3-channel redundancy.
(4th channel bypassed) channel in tripped mode.
Reactor trip logic for LO DNBR is converted to 1-out-of-2.
Sensor transmits pulses.
Pulse rate related to flow.
Operator can convert system to 1-out-of-2 trip logic for LO DNBR.
Measurement Channel, CEA Position Transmitters, Figure 7.2-10 Non-target CEA Position (149)
Low Shorted resistor, power supply malfunction.
Erroneous data input to one CEA calculator.
Annunciation, automatic sensor validity test. CEA deviation.
A penalty factor is initiated in the CPCs (operating temperature margins reduced).
One CEA calculator will show CEA deviation to all CPC calculations. Possible reactor trip will occur.
High Shorted resistor, power supply malfunction.
Erroneous data input to one CEA calculator.
Annunciation, automatic sensor validity test. CEA deviation.
Other than actual position Shorted resistors, shorted reed switches, power supply malfunction.
Erroneous data input to one CEA calculator.
Annunciation. Automatic sensor validity test. CEA deviation.
Measurement Channel, CEA Position Transmitters, Figure 7.2-10 (cont.)
Non-target CEA Position (149)
(cont.)
Off scale Broken wire, open resistor, electrical short, power supply malfunction.
Loss of data.
Annunciation, automatic sensor validity test.
Target CEA Position (87)
Low Shorted resistor, power supply malfunction.
Erroneous data input affects DNBR and LPD calculation.
Annunciation, automatic sensor validity test. 3-channel comparison.
Makes reactor trip logic for LO DNBR and HI PWR DENS 1-out-of-2.
Possible trip in one safety channel. Trip affected will show CEA deviation.
High Shorted resistor, power supply malfunction.
Erroneous data input to CPC calculator, and (one) CEA calculator.
Annunciation, automatic sensor validity test. CEA deviation.
Other than actual position Shorted resistor, shorted reed switches, power supply malfunction.
Erroneous data input to CPCs and (one) CEA calculator.
Annunciation, automatic sensor validity test. CEA deviation.
Makes reactor trip logic Possible trip in one safety channel. Trip affected will show CEA deviation Off scale Broken wire, open resistor, electrical short, power supply malfunction.
Loss of data.
Annunciation, automatic sensor validity test. CEA deviation.
Measurement Channel, Core Protection Calculator, Figure 7.2-10 Control Element Assembly Calculator (88)
No data output Loss of ac power, input/output failure.
Data link failure.
Arithmetic, logic or memory failure.
Loss of CEA position display.
Annunciating alarm on CPC operators module.
Loss of CEA position display from failed CEAC watchdog timer.
Possible DNBR or LPD trip.
Erroneous data output CEA position sensor failure, input/output failure Data link failure.
Arithmetic, logic or memory failure.
Erroneous calculated values.
Possible DNBR or LPD trip.
Annunciating alarm on CPC operators module. Comparison of CEA position displays.
With other channel in bypass state, CPC applies penalty factor of largest possible output from CEAC.
Possible DNBR or LPD trip.
Core Protection Calculator (89)
Tripped Loss of ac power. Input/output failure Arithmetic, logic, or memory failure.
Sensor failure.
Loss of control board displays.
Annunciating PPS alarm on channel trip. Three channel comparisons. Annunciating watchdog timer.
3-channel redundancy.
4th channel bypassed.
Reactor trip logic for DNBR, LPD and CWP is converted to 1-out-of-2.
Computer shuts down in orderly sequence upon loss of ac power and resumes normal operation when power is restored.
System is converted to 1-out-of-2 logic for DNBR, LPD and CWP.
Stays in untripped state Input/output failure.
Arithmetic, logic, or memory failure.
Sensor failure Erroneous calculated results.
3-channel comparisons. Annunciating watchdog timer.
3-channel redundancy.
Trip channel bypass.
Reactor trip logic for DNBR, LPD and CWP is on coincidence of 2-out-of-2 remaining channels.
Computer shuts down in orderly sequence upon loss of ac power and resumes normal operation when power is restored.
System must be converted by operator to 1-out-of-2 logic for DNBR, LPD, and CWP.
Measurement Channel, Steam Generator Water Level, (e.g., Channel A), Figure 7.2-10 SG No. 2 Level Signal (51)
SG No. 1 Level Signal (55)
Off (low signal level)
Sensor failure, dc power supply fail; open circuit.
Low steam generator water level signal to channel bistable. Low level bistable (B/S) changes logic state and trips channel for steam generator.
High level (B/S) will not trip when required.
Annunciating; pre-trip and trip alarms on low steam generator water level.
3-channel redundancy for HI SG level trip and LO SG level trip (4th channel bypassed).
Reactor trip and EFAS logic for affected steam generator low water level is converted to 1-out-of-2 and reactor trip and ESFAS logic for affected SG LO level trip is converted to 2-out-of-2 coincident.
Operator can convert the HI SG level trip and ESFAS logic for the affected SG to 1-out-of-2 by placing the affected channel in the tripped state.
On (high signal level)
Sensor failure, component failure.
High steam generator water level signal to channel bistable. Low level B/S will not trip when required. High level B/S changes state and trips channel for affected SG.
Annunciating; pre-trip and trip alarms on HI water level signal.
3-channel redundancy.
For high and low SG level trips (4th channel bypassed).
Reactor trip and EFAS logic for affected steam generator high water level is converted to 1-out-of-2. The reactor trip and ESFAS logic for the affected SG low level trip is converted to 2-out-of-2 coincident.
Operator can convert the low SG level trip logic for the affected SG to 1-out-of-2 by placing the affected channel in the tripped state.
Measurement Channel Pressurizer (wide range) Channel A (Typical), Figure 7.2-10 Wide range PZR pressure (press) signal (61)
One fails "on" (High pressure signal level).
Sensor failure, component failure.
High PZR press signal to: LO PZR PRESS B/S. LO PZR PRESS B/S does not trip for a bonafide condition.
Periodic test; 4 channel comparison.
3-channel redundancy.
(4th channel bypassed)
Reactor trip logic for LO PZR PRESS is converted to 2-out-of-2 coincidence and CIAS, SIAS logic LO PZR PRESS 2-out-of-2 coincidence. CSAS logic is converted to 2-out-of-2 LO PZR PRESS and 2-out-of-3 HI-HI CONT PRESS.
Back-up for SIAS is the containment pressure measurement channel.
Operator must convert reactor trip logic for LO PZR PRESS to 1-out-of-2 by placing affected channel in the tripped state.
One fails "off". (Low pressure signal level).
Sensor failure; dc power supply fail; open circuit.
Low PZR press signal to LO PZR PRESS B/S. Bistable changes logic state and initiates channel trip.
Annunciating; pre-trip and trip alarms in channel.
3-channel redundancy.
(4th channel bypassed).
Reactor trip logic for LO PZR PRESS is converted to 1-out-of-2 coincidence, and CIAS, SIAS logic LO PZR PRESS 1-out-of-2 coincidence.
CSAS logic is converted to 1-out-of-2 LO PZR PRESS and 2-out-of-3 HI-HI CONT PRESS.
Measurement Channel, Pressurizer (PZR) (narrow range), Figure 7.2-10 PZR Narrow Range Pressure (PRESS) Signal (91)
On (High pressure signal level).
Sensor failure, component failure.
High PZR press signal to HI PZR PRESS B/S and calculator.
HI PZR PRESS B/S will change logic state and initiate channel trip.
Annunciating; pre-trip and trip alarms in HI PZR PRESS channel.
3-channel redundancy.
(4th channel bypassed).
Reactor trip logic for LO DNBR is converted to 2-out-of-2 coincidence, and 1-out-of-2 coincidence for HI PZR PRESS. CWP becomes 1-out-of-2 coincidence for HI PZR PRESS.
Operator must convert LO DNBR trip logic to 1-out-of-2 by placing the affected LO PZR PRESS B/S in the tripped state.
Measurement Channel, Pressurizer (PZR) (narrow range), Figure 7.2-10 (cont.)
PZR Narrow Range Pressure (PRESS) Signal (91) (cont.)
Off (Low pressure signal level).
Sensor failure; dc power supply fail; open circuit.
LO PZR PRESS B/S will decrease DNBR margin and initiate LO DNBR channel trip. HI PZR PRESS B/S will not trip for bonafide condition.
Annunciating; pre-trip and trip alarms in LO DNBR channel.
3-channel redundancy.
Trip channel bypass.
(4th channel bypassed).
Reactor trip logic for LO DNBR is converted to 1-out-of-2 coincidence, and for HI PZR PRESS 2-out-of-2 coincidence.
CWP logic becomes 2-out-of-2 coincidence for this parameter.
Operator must convert HI PZR PRESS trip logic and CWP logic to 1-out-of-2 by placing affected HI PZR PRESS B/S in the tripped state.
Measurement Channel Steam Generator (SG) Pressure Channel A, (Typical), Figure 7.2-10 S/G Pressure Signal No. 2 (27)
S/G Pressure Signal No. 1 (42)
One spurious off, (Low signal level).
Sensor failure; dc power supply fail; open circuit.
Low steam generator pressure signal to SG low pressure (LO PRESS) bistable (B/S) in RPS and ESFS channels, SG Low Pressure, SG-1>SG-2, and SG-2>SG-1 B/Ss. B/Ss change their logic state and initiates channel trip in SG LO PRESS for reactor TRIP, MSIS actuation and EFAS.
Annunciating; pre-trip and trip alarms on low steam generator pressure.
3-channel redundancy.
2-steam generators.
Trip channels bypassed if less than SG press.
Pretrip setpoint.
Reactor trip logic for steam generator steam pressure level is converted to 1-out-of-2.
Measurement Channel Steam Generator (SG) Pressure Channel A, (Typical), Figure 7.2-10 (cont.)
S/G Pressure Signal No. 2 (27)
S/G Pressure Signal No. 1 (42) (cont.)
One spurious on, (High signal level).
Sensor fails; component failure High steam generator pressure signal to SG LO PRESS, SG-1>SG-2, and SG-2>SG-1 B/Ss in RPS and ESFS. SG-2>SG-1 or SG-1>SG-2 B/S will change logic status and channel will trip when a bonafide low pressure condition exists in affected steam generator.
Annunciating; periodic test. 3-channel comparison.
3-channel redundancy.
2-steam generators.
Reactor TRIP, MSIS and EFAS logic for low steam generator steam pressure is converted to 1-out-of-2 coincidence for considered steam generator. System will operate on non-failed SG pressure.
Measurement Channels, Containment Pressure Signal, Figure 7.2-10 Containment Pressure Signal (6)
ON (goes high)
Component failure.
High CONT PRESS signal to: HI CONT PRESS bistable in RPS channel, and HI CONT PRESS B/Ss in ESFS channels. B/Ss change their logic state, and initiate channel trip for high containment pressure for RPS TRIP, CIAS, SIAS, and MSIS actuations. High containment pressure channel trip for CSAS, HI-HI CONT PRESS trip still required.
Annunciating; pre-trip and trip, and alarm-on high containment pressure ESF channel indication.
3-channel redundancy.
(4th channel bypassed).
Reactor trip logic for high containment pressure is converted to 1-out-of-2 and CIAS, SIAS, AND MSIS logic for high containment pressure 1-out-of-2.
CSAS logic is converted to 1-out-of-2 HI CONT PRESS and 2-out-of-3 HI-HI CONT PRESS.
Reactor trip logic for high containment pressure and CIAS, SIAS, and MSIS logic for high containment pressure must be converted to 1-out-of-2 by placing the affected B/Ss in the tripped state.
Measurement Channels, Containment Pressure Signal, Figure 7.2-10 (cont.)
Containment Pressure Signal (6)
(cont.)
OFF (goes low)
Component failure.
Low CONT PRESS signal to: HI CONT PRESS B/S in RPS channel, and HI CONT PRESS B/Ss in ESFS channels. B/Ss in channel do not change their logic state and trip for bonafide high containment condition.
Not annunciating; periodic test.
3-channel comparison.
3-channel redundancy.
(4th channel bypassed).
Reactor trip logic for high containment pressure is converted to 2-out-of-2 coincidence and CIAS, SIAS and MSIS logic for high containment pressure 2-out-of-2 coincidence. CSAS logic is converted to 2-out-of-2 HI CONT PRESS and 2-out-of-3 HI-HI CONT PRESS.
Containment Pressure Signal (221)
ON (goes high)
Component failure.
High containment pressure signal to HI-HI CONT PRESS B/S in ESFS channel. B/S changes state and partially trips CSAS channel.
Pre-trip alarm annunciated, HI-HI CONT PRESS.
3-channel redundancy.
(4th channel bypassed).
CSAS actuation logic becomes 1-out-of-2 HI-HI CONT PRESS and 2-out-of-3 LO PZR PRESS or HI CONT PRESS.
OFF (goes low)
Component failure.
Low containment pressure signal to one HI-HI CONT PRESS B/S, B/S will not change logic state for valid HI-HI CONT PRESS condition.
Not annunciating.
Detectable by periodic PPS test.
3-channel redundancy.
(4th channel bypassed).
CSAS actuation logic becomes 2-out-of-2 coincidence HI-HI CONT PRESS and 2-out-of-3 LO PZR PRESS or HI CONT PRESS.
When failure is detected, CSAS actuation logic must be converted to 1-out-of-2 HI-HI CONT PRESS and 2-out-of-3 LO PZR PRESS or HI CONT PRESS by manually tripping affected HI-HI CONT PRESS B/S.
Measurement Channel, Refueling Water Tank (RWT) Level, Figure 7.2-10 RWT Level Signal (1)
Off (goes low)
Failed sensor; dc power supply fails Low RWT level signal to REFUEL TANK LO LEVEL bistable in ESFS channel. Bistable changes logic state and initiates channel trip for RAS actuation in ESFS.
Annunciating; pre-trip and trip PPS alarms.
3-channel redundancy.
(4th channel bypassed).
Makes RAS logic for low refueling water level 1-out-of-2.
Operator must convert RAS logic for refueling water tank level to 1-out-of-2 by placing the B/S in the tripped state.
On (goes high)
Sensor fails; component failure.
High RWT level signal to REFUEL TANK LO LEVEL bistable in ESFS channel. Bistable will not change logic state in RAS channel when bonafide low RWT level condition exists.
Not annunciating, periodic test, 3-channel comparison.
3-channel redundancy.
Makes RAS logic for low refueling water tank level 2-out-of-2 coincidence.
Bypass (RPS), Low Pressurizer Pressure Trip, Channel (Typical), Figure 7.2-10 Manual Bypass PZR PRESS (59)
OFF Component Failure Unable to bypass LO PZR PRESS B/S in channel for power levels less than 10⁻⁴%, B/S in channel will change logic state for low pressurizer pressure during start-up.
Annunciating; bypass light not lit for channel. Channel trip during start-up, pre-trip and trip PPS alarms.
3-channel redundancy.
(4th channel bypassed).
Reactor SIAS, CIAS and CSAS trip logic for LO PZR PRESS is converted to 1-out-of-2 during startup For CSAS a 2-out-of-3 HI-HI CONT PRESS is also required.
Operator must convert SIAS, CIAS, and CSAS trip logic for LO PZR PRESS to 1-out-of-2 by placing B/S in tripped state.
ON Component short to power supply.
LO PZR PRESS B/S in permanent bypass for all pressure levels.
B/S will not change logic state for low pressurizer pressure conditions, and channel A will not trip for bonafide pressure signal.
Bypass light is lit for channel and bypass is plant annunciated.
3-channel redundancy.
(4th channel bypassed).
Reactor SIAS, CIAS, and CSAS trip logic for LO PZR PRESS during start-up and normal operation 2-out-of-2 coincidence For CSAS a 2-out-of-3 HI-HI CONT PRESS is also required.
Bypass Low PZR Pressure Trip Channel A (Typical), Figure 7.2-11 Pressurizer Pressure Auxiliary Bistable Channel A High (Out-put relays energized)
Amplifier within bistable fails Low pressurizer pressure trip bypass will be automatically removed once pressurizer pressure reaches the preset value.
Periodic PPS testing.
3-channel redundancy.
(4th channel bypassed).
Once a bypass is placed on the bistable, it will not be automatically removed.
If bypass is manually removed, system will function normally.
Low (Input relays de-energized)
Amplifier within bistable fails, Opto-isolator fails The low pressurizer pressure trip cannot be bypassed in channel A.
Periodic PPS testing or when attempting to initiate bypass.
3-channel redundancy.
(4th channel bypassed).
During a condition of low pressurizer pressure, the bistable will be tripped in that channel regardless of the position of the bypass switch.
The other channels are unaffected.
Bypass Low PZR Pressure Trip Channel A (Typical), Figure 7.2-11 (cont.)
AK21 Coil open Sustained overvoltage.
The low pressurizer pressure trip cannot be bypassed in channel A.
Periodic PPS testing or when attempting to initiate bypass.
During a condition of low pressurizer pressure, the bistable will be tripped in that channel regardless of the position of the bypass switch.
The other channels are unaffected.
Coil short Deterioration of insulation Attempting to bypass low pressurizer pressure under condition of low pressure will place a severe load on the relay driver.
Under this abnormal load the relay driver may fail.
If the driver fails short, the results will be the same as those listed for failure of channel A auxiliary logic power supply. See dc power distribution.
If the driver fails open, the results will be the same as those listed for an open relay coil.
AK21 Contact in relay latching circuit Open Deterioration of contact.
Low pressurizer pressure cannot be bypassed in channel A.
Periodic PPS testing or when attempting to initiate a bypass on this function.
During a condition of low pressurizer pressure, the bistable will be tripped.
LO PZR PRESS trip logic is 1-out-of-2 (4th channel bypassed).
Bypass Low PZR Pressure Trip Channel A (Typical), Figure 7.2-11 (cont.)
AK21 Contact in relay latching circuit Short Welded contact Bypass will not lock out automatically.
Periodic PPS testing.
Bypass annunciating.
B/S remains bypassed above 400 lb/in.²a unless manually removed.
LO PZR PRESS trip logic will be 2-out-of-2 until bypass manually removed.
(4th channel bypassed).
Low PZR pressure trip bypass switch contact bypass circuit Contact shorts Mechanical failure.
Trip automatically - Low pressurizer pressure bypassed in the affected channel when PZR PRESS AUX B/S setpoint permits bypass condition.
Periodic PPS testing.
Bypass condition before manual action.
During a condition of low pressurizer pressure, the bistable will be bypassed.
If a bypass is required, the other two channels may be bypassed as they are unaffected by the fault. (4th channel bypassed).
Contact open Mechanical failure.
Bypass transistor will not switch "on". Low PZR PRESS trip will not be bypassed when desired.
Unable to bypass.
Status light not lit.
Redundant channel.
Trip The low pressurizer pressure bypass circuits in the other two channels are unaffected and will respond properly. (4th channel bypassed).
Contact Normal Contact shorts Mechanical failure.
Bypass transistor remains "off" and bypass condition will not latch on.
Status light not lit.
Redundant channel.
Trip Operator would have to hold bypass switch in BYPASS position to maintain bypass in this channel.
Contact open Mechanical failure.
Bypass transistor cannot switch "off" manually.
Unable to manually remove bypass, status light stays lit.
Redundant channel.
None Function of circuit is not impaired, nuisance.
AK22 Coil Open Sustained overvoltage.
Low pressurizer pressure trip bypass for the affected channel will not be activated when demanded.
Periodic PPS testing, status light not lit.
Redundant channel.
No bypass.
Bypass Low PZR Pressure Trip Channel A (Typical), Figure 7.2-11 (cont.)
AK22 Coil (cont.)
Short Deterioration of Insulation Attempting to bypass low pressurizer pressure under conditions of low pressure will place a severe load on the relay driver. With this abnormal load, the relay driver may fail. If the driver fails short, the results will be the same as those listed for an open relay coil Contact in latch circuit Contact shorts Mechanical failure.
Bypass transistor will remain latched "ON" after bypass switch is turned to "NORMAL". LO PZR PRESS trip will be bypassed.
Unable to unlatch transistor manually, status light lit.
Redundant channel.
B/S will remain bypassed above 400 lb/in.²a.
LO PZR PRESS trip logic goes to 2-out-of-2. (4th channel bypassed).
Contact open Mechanical failure.
Unable to latch bypass transistor "ON"; LO PZR PRESS B/S will not bypass.
Status light not lit.
Redundant channel.
Trip Contact in annunciator circuit Contact short Open Mechanical Failure.
Annunciator and status light activated.
No annunciation.
Alarm No status indication.
Redundant channel.
Nuisance None Manual High Power (70) High Log Power Permissive (71)
OFF Component failure.
Unable to bypass High Log Power B/S in channel for power levels greater than 10⁻⁴%, B/S in channel will change logic state for high log power conditions during startup and power operations.
Annunciating; bypass light not lit for channel.
Channel A trip during startup, pre-trip and trip PPS alarms.
3-channel redundancy.
(4th channel bypassed).
Reactor trip logic for High Log power is converted to 1-out-of-2 coinci-dence during start-up.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 16 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Bypass (RPS) High Log Power Trip Channel A (Typical), Figure 7.2-10 (cont.)
Manual High Power (70)
High Log Power Permissive (71)
(cont.)
ON Component short to power supply.
High Log Power B/S for Channel A in permanent bypass for all power levels, B/S will not change logic state for high log power level changes, and channel A will not trip for bona fide condition.
Bypass light is lit for channel and bypass is plant annunciated.
Light is lit for channel and bypass is plant annunciated. 3-channel redundancy.
(4th channel bypassed).
Reactor trip logic for High Log power during startup and normal operation is converted to 2-out-of-2 coincidence.
Operator must convert reactor trip logic for High Log power to 1-out-of-2 by placing the affected B/S in the tripped state.
Bypass (RPS) High Log Power Trip Channel A (Typical), Figure 7.2-10 (cont.)
Operating Bypass (230)
OFF Component failure.
Unable to automatically bypass CWP feature in channel when power level is less than 10⁻⁴% F.P. Affected channel (e.g., A) will change logic state during startup operation.
Channel CWP alarm.
3-channel redundancy.
(4th channel bypassed).
CWP logic is converted to 1-out-of-2 coincidence during startup operations or when power level is less than 10⁻⁴% F.P.
RPS trip feature is not affected.
May cause nuisances. Rod withdrawal prohibit during startup if two CWP bypasses fail.
CWP Permissive (231)
ON Component short.
Automatic CWP bypass feature (for power levels less than 10⁻⁴% F.P.) for channel (e.g., A) is in permanent bypass for all power levels. This channel will not automatically respond to a CWP when condition in the channel requires it.
Bypass light plant annunciation.
3-channel redundancy.
(4th channel bypassed).
Automatic CWP logic is converted to 2-out-of-2 coincidence logic during startup operation or when power level is less than 10⁻⁴% F.P.
RPS trip feature is not affected.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 17 of 119)
Bypasses, High Log Power Trip, Channel A (Typical), Figure 7.2-11 Bypass Relay AK26 Coil open Sustained overvoltage.
The CPC constantly receives an input which is indicative that the power level is greater than 10⁻⁴% of full power.
Periodic PPS testing.
DNBR trip cannot be bypassed at the CPC operators module.
Coil short Deterioration of insulation Shorted coil will cause auxiliary logic power supply voltage to be reduced to approximately zero when the power level is below 10⁻⁴% of full power. The CPC constantly receives an input which is indicative that the power level is greater than 10⁻⁴% of full power.
Contact to CPC short.
Welded contact The fact that power has exceeded 10⁻⁴% of full power is not transmitted to the CPC in the affected channel.
Periodic PPS testing.
DNBR trip can be bypassed at the operators module of the CPC even at power levels in excess of 10⁻⁴% of full power.
DNBR trip logic will go to 2-out-of-2 if DNBR trip bypassed at operators module of CPC (4th channel assumed to be bypassed at B/S).
Contact to CPC open Deterioration of contact.
The CPC receives a signal which constantly indicates that the power level is greater than 10⁻⁴% of full power.
Periodic PPS testing.
DNBR trip cannot be bypassed at the CPC operators module in the affected channel.
Bypass Relay AK27 Coil open Sustained overvoltage.
High Log power trip bypass cannot be obtained in channel A.
Whenever a bypass of High Log power is attempted in the affected channel. Periodic PPS testing.
Bistable will be tripped when the power level exceeds 1 to 2% full power.
The other three channels are unaffected and can be bypassed. Bypassing the other 3 channels precludes a trip caused by high log power as a coincidence of at least two channels is required to produce a trip.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 18 of 119)
Bypasses, High Log Power Trip, Channel A (Typical), Figure 7.2-11 (cont.)
Bypass Relay AK27 (cont.)
Coil short Shorted coil will cause auxiliary logic power supply voltage to be reduced to approximately zero when the power level exceeds 10⁻⁴% full power.
N.O. contact in bistable bypass circuit short Welded contact High Log power trip is continuously bypassed in the affected channel regardless of power level.
Periodic PPS testing.
Bistable is continually bypassed.
System becomes 2-out-of-2 for this parameter. (4th channel bypassed).
N.O. contact in bistable bypass circuit open Deterioration of contact The High Log power trip bypass OFF indicator will go off when the bypass switch is depressed and the power level is less than 10⁻⁴% full power.
Periodic PPS testing.
None Safety function not impaired.
N.C. contact in annunciator circuit short Welded contact The plant annunciator will not annunciate when power in the channel has exceeded 10⁻⁴% full power and there is no bypass.
Periodic PPS testing.
The Operator will not be made aware of the fact that a bypass can be placed on High Log power for this channel.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 19 of 119)
Bypasses, High Log Power Trip, Channel A (Typical), Figure 7.2-11 (cont.)
Bypass Relay AK27 (cont.)
N.O. contact in the annunciator open Deterioration of contact The plant annunciator will annunciate High Log power level bypass permissive even when the power level is below 10⁻⁴% full power.
Periodic PPS testing None Safety function not impaired.
High Log Power Level Manual Bypass Switch Solenoid open Mechanical failure of wire, sustained overvoltage High Log power level trip bypass pushbutton will not latch in the on position.
Placing a bypass on the function in the affected channel.
High Log power level trip bypass can only be obtained by holding in the pushbutton. Release of the pushbutton will allow the bistable to be tripped.
Bypassing of the function in the other three channels will prevent the system from tripping due to high log power.
Solenoid short Deterioration of insulation Attempt to bypass High Log power level trip in the affected channel will cause the output of the auxiliary logic power supply to be reduced to approximately zero volts. Release of pushbutton will restore the output of the supply.
Placing a bypass on the function.
High Log power level trip bypass cannot be obtained in the channel. While the bypass is being attempted, the auxiliary logic supply output will be reduced to zero (See DC Power Distribution Failure of Auxiliary Power Supply).
N.O. contact in trip bistable circuit open Mechanical failure, contact deterioration.
High Log power level trip bypass cannot be obtained in affected channel.
Placing a bypass on the function.
Bistable will be tripped when the power level exceeds 1 to 2% full power.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 20 of 119)
Bypasses, High Log Power Trip, Channel A (Typical), Figure 7.2-11 (cont.)
High Log Power Level Manual Bypass Switch (cont.)
N.O. contact in trip bistable circuit shorted Mechanical failure, welded contact Bypass of the function will be automatic when the power level exceeds 10⁻⁴% full power.
Periodic PPS testing.
Bistable will be automatically bypassed when power level exceeds 10⁻⁴% full power.
High Log power trip logic will go to 2-out-of-2. (4th channel bypassed).
N.O. contact to pre-trip bistable open Deterioration of contact, mechanical failure.
The pre-trip bistable for high log power can be tripped even in the presence of a bypass.
Pre-trip is annunciated on the plant annunciator.
None Safety function of ckt is not impaired.
N.O. contact to pre-trip in the closed position Welded contact, mechanical failure.
The pre-trip bistable for high log power cannot be tripped.
Periodic PPS testing.
Pre-trip circuit is ineffective.
The operator will not be made aware that a trip of the high log power bistable is being approached.
Bypass (RPS), LO DNBR & Hi Pwr Density, Channel A (Typical), Figure 7.2-11 Manual Bypass (221)
OFF Component failure.
Unable to bypass LO DNBR or HI PWR density in channel for power level less than 10⁻⁴% F.P. Affected channel (e.g., A) will change logic state during startup operation.
Channel trip during startup annunciating.
3-channel redundancy.
(4th channel bypassed).
Reactor trip logic for LO DNBR or HI PWR density is converted to 1-out-of-2 coincidence during startup.
ON Component short LO DNBR or HI PWR density bistables for channel A in permanent bypass for all power levels, and bistable will not change logic state for bona fide signal.
Bypass light plant annunciator.
3-channel redundancy.
(4th channel bypassed).
Reactor trip logic for LO DNBR or HI PWR density is converted to 2-out-of-2 coincidence logic.
LO DNBR and HI PWR density trip logic can be converted to 1-out-of-2 by manually tripping B/Ss in affected channel.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 21 of 119)
Bypasses, Bistable, Channel A (Typical), Figure 7.2-11 Bypass Relay Contact AXKB6-7 or ASKI-4 Contact open Deterioration of contact.
Bypass of the affected function will not be indicated on the bistable trip annunciator or on the PPS remote control module.
Periodic testing or when bypassing during operation.
No operational effect upon logic matrices.
Contact used for annunciation only. System safety function not impaired.
Contact short Welded contact A bypass will be continuously indicated on the bistable trip annunciator panel and the PPS remote control module.
Periodic testing or noticing one of the bypass lights.
No operational effect upon logic matrices.
Contact used for annunciation only. System safety function not impaired.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 22 of 119)
Bypasses, Bistable, Channel A (Typical), Figure 7.2-11 (cont.)
Bypass ASKA6-5 AXK1-5 Contact open Deterioration of contact Plant annunciator will indicate a bypass condition on a bistable in channel A even if no bypass is present.
Bypass will be annunciated on plant annunciator.
No operational effect upon logic matrices.
Contact used for annunciation only.
Contact short Welded contact Plant annunciator will not indicate a bypass when Bistable 1 is bypassed in channel A.
Periodic PPS testing.
No operational effect upon logic matrices.
Contact used for annunciation only.
Bypass Relay Coil AXKA6 (ASKB6)
Open Sustained overvoltage, Mechanical failure.
Bistable 6 in channel A cannot be bypassed for the RPS (ESF) function.
Periodic PPS testing.
If the bistable is tripped, the system is converted to 1-out-of-3 for the affected parameter to produce a reactor (ESF) trip.
The ESF (RPS) function not affected as a different relay is used to bypass the bistable contacts used in the ESF (RPS) matrices.
Short Deterioration of insulation No symptoms until an attempt is made to bypass Bistable 6 in channel A. Inserting the bypass will force the supply voltage down and cause all bypasses in channel A to be removed.
Periodic PPS testing or when attempting to bypass the bistable If the bypass is attempted, it will result in the loss of all bypass capability for that channel.
If that particular bypass is not attempted, there will be no effect upon the other bypass circuits in that channel.
Bypass Switch AXS-1 Contact S1 or BXS-1 Contact S2 or CXS-1 Contact S3 or DXS-1 Contact S4 The normally off position Welded contact, mechanical failure.
It will not be possible to bypass Bistable 1 in the channel.
Periodic PPS testing or when attempting to bypass bistable 1 in the channel.
If the bistable is tripped, the system is converted to 1-out-of-3 logic for the affected function and cannot be made 2-out-of-3 by bypassing.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 23 of 119)
Bypasses, Bistable, Channel A (Typical), Figure 7.2-11 (contd.)
Bypass Switch AXS-1 Contact S1 or BXS-1 Contact S2 or CXS-1 Contact S3 or DXS-1 Contact S4 (cont.)
The normally on position Welded contact, mechanical failure.
Bistable 1 in the channel will be bypassed regardless of the position of the switch.
Bypass is annunciated on the plant annunciator.
System will be 2-out-of-3 for that function.
It is possible to bypass the 2 bistable in any one of the other channels simply by engaging the appropriate bypass switch.
Engaging the switch will remove the bypass from the channel and will place it in the desired channel.
Bypass Switch AXS-1 Contact Normally on position Mechanical failure.
Bistable 1 will be bypassed in channel A. If an attempt is made to bypass bistable 1 in another channel, neither bistable will be bypassed.
Bypass annunciated on plant annunciator.
Actuation is dependent on a 2-out-of-3 coincidence for the affected parameter.
Normally off position Mechanical failure It will not be possible to bypass bistable 1 in channel A.
Periodic PPS testing.
During testing of the bistable or failure in the trip condition, the system becomes any one of three for the affected parameter.
Bypass Switch BXS-1 or CXS-1 or DXS-1 Contact S1 Normally off position Welded contact, mechanical failure.
A bypass on bistable 1 in the affected channel will override a bypass placed in the system by the affected switch.
Periodic PPS testing.
No effect upon normal system operation, i.e., only one of the four affected bistables can be bypassed at one time.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 24 of 119)
Bypasses, Bistable, Channel A (Typical), Figure 7.2-11 (contd)
AXS-1 or BXS-1 or DXS-1 Contact S2 AXS-1 or BXS-1 or DXS-1 Contact S3 AXS-1 or BXS-1 or CXS-1 or Contact S4 Normally on position Welded contact, mechanical failure.
It will not be possible to bypass bistable 1 in the affected channel.
Periodic PPS testing or when attempting to bypass bistable 1 in the affected channel.
If the bistable is tripped, the system becomes any one of three for the affected function and cannot be made 2-out-of-3 by bypassing.
Bypass Relay Coil AXK-1 Open Sustained overvoltage Bistable 1 in channel A cannot be bypassed.
Periodic PPS testing or when attempting to bypass the bistable.
If the bistable is tripped, the system becomes any 1-out-of-3 logic for the affected function, and cannot be made 2-out-of-3 by bypassing.
Short Deterioration of insulation No symptoms until an attempt is made to bypass bistable 1 in channel A. Inserting the bypass will force the supply voltage down and cause all bypasses in channel A to be removed.
Periodic PPS testing or when attempting to bypass the bistable.
If the bypass is attempted, it will result in the loss of all bypass capability for that channel.
If that particular bypass is not attempted, there will be no effect upon the other bypass circuits in that channel.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 25 of 119)
Bistables, RPS Trip, EFAS, and PPS Alarm, Channel A (Typical), Figure 7.2-10 HI CONT PRESS (24)
SG-2>SG-1 PRESS (39)
SG-1>SG-2 PRESS (48)
SG-2 LO LVL (52)
Off (goes low)
Open circuit, dc power supply failure Bistable relays in RPS channel logic deenergize, and a portion of the 2-out-of-4 coincidence changes logic state. Channel trip occurs in both pre-trip and trip circuits.
Annunciating; pre-trip, trip PPS alarms.
3-channel redundancy.
(4th channel bypassed).
Reactor trip logic is converted to 1-out-of-2 coincidence for like parameters.
SG-1 LO LVL (59)
HI LIN PWR (72)
HI LOG PWR (75)
HI PWR DENS (96)
SG-2 HI LVL (134)
SG-1 HI LVL (135)
On (goes high)
Component failure, drift setpoint not adjusted.
Bistable relays in RPS channel remain energized, and channel A is inoperative. Channel will not trip for bona fide pre-trip and trip signal.
Not annunciating.
Periodic test. Set-point readout from plant computer.
3-channel redundancy. (4th channel bypassed).
Reactor trip logic is converted to 2-out-of-2 coincidence for like parameters.
Reactor trip logic must be converted to 1-out-of-2 by manually tripping affected B/S if possible.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 26 of 119)
Bistables, RAS, Channel A (Typical), Figure 7.2-10 Refueling Tank LO Level (2)
Off (goes low)
Open circuit, dc power supply failure Bistable relays in ESFS channel logic deenergize, and "A" portion of the 2-out-of-4 coincidence changes logic state. Channel trip occurs in RPS logics.
Annunciation; pre-trip, trip PPS alarm.
3-channel redundancy.
(4th channel bypassed).
Converts ESFS RAS logic to 1-out-of-2 coincidence.
On (goes high)
Component failure. Set-point drift Bistable relays in ESFS channels remain energized for channel A conditions. Channel trip will not occur for RAS circuit for bona fide signals.
Not annunciating.
Periodic test. Set-point readout by plant computer.
3-channel redundancy.
(4th channel bypassed).
Converts ESFS RAS logic to 2-out-of-2 coincidence.
Reactor trip logic must be converted to 1-out-of-2 when failure is detected by tripping either the bypassed channel or the affected channel.
Bistables, RPS, MSIS, EFAS, and PPS Alarm, Channel A (Typical), Figure 7.2-10 SG-2 LO PRESS (30)
Off (goes low)
Open circuit; dc power supply failure Bistable relays in RPS and ESFS channel logic deenergize, and "A" portion of the 2-out-of-4 coincidence changes logic state. Channel trip occurs in MSIS and RPS logic.
Annunciating; Trip PPS Alarms.
3-channel redundancy.
(4th channel bypassed).
Converts RPS and ESFAS MSIS logic to 1-out-of-2 coincidence.
SG-1 LO PRESS (45)
Off (goes low)
Component failure, set-point not adjusted.
Bistable relays in RPS and ESFS channels remain energized for channel A conditions. Channel trip will not occur for MSIS and RPS circuit for bona fide signals.
Periodic test. Set-point readout by plant computer.
3-channel redundancy.
(4th channel bypassed).
Converts RPS and ESFS MSIS logic to 2-out-of-2 coincidence.
Reactor trip logic must be converted to 1-out-of-2 when failure is detected by tripping either the bypassed channel or the affected channel.
Bistables, CSAS and PPS Alarm, Channel A (Typical), Figure 7.2-10 HI-HI CONT PRESS (7)
Off (goes low)
Open circuit, dc power supply failure Bistable relays in ESFS channel logic deenergize, and "A" portion of the 2-out-of-4 coincidence changes logic state.
Annunciating redundancy pre-trip, trip alarm.
3-channel redundancy.
LO-LO PZR pressure on HI CONT PRESS channel Converts ESFS CSAS logic on: HI-HI CONT PRESS to 1-out-of-2 coincidence.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 27 of 119)
Bistables, CSAS and PPS Alarm, Channel A (Typical), Figure 7.2-10 (cont.)
HI-HI CONT PRESS (7)
(cont.)
Channel trip occurs in HI-HI CONT PRESS portion of CSAS logics.
in ESFS required for CSAS. (4th channel bypassed).
and LO-LO PZR Press or HI CONT PRESS 2-out-of-3 coincidence.
On (goes high)
Component failure. Set-point not adjusted.
Bistable relays in ESFS channel remain energized for channel A conditions. Channel trip will not occur for HI-HI CONT PRESS portion of CSAS circuit for bona fide signals.
Not annunciating.
Periodic test. Set-point readout by plant computer.
3-channel redundancy.
(4th channel bypassed).
Converts ESFS CSAS logic on: HI-HI CONT PRESS to 2-out-of-2 coincidence, and PZR PRESS or CONT PRESS 2-out-of-3 coincidence.
CSAS logic for HI-HI CONT PRESS must be converted to 1-out-of-2 when failure is detected by tripping either the bypassed channel or the affected channel. CSAS still requires input from LO PZR PRESS or HI CONT PRESS BTUs which remain 2-out-of-3 logic.
Bistable, RPS, SIAS, CIAS, CSAS and PPS Alarms, Channel A (Typical), Figure 7.2-10 LO PZR PRESS (62)
Off (goes low)
Open circuit, dc power supply failure Bistable relays in RPS and ESFS channel deenergize, and "A" portion of the 2-out-of-3 coincidence changes logic state. Channel trip occurs in LO PZR PRESS portion of RPS, CSAS, SIAS, and CIAS logics.
Annunciating, PPS pre-trip, trip alarm.
3-channel redundancy.
(4th channel bypassed).
Converts ESFSs CSAS, SIAS and CIAS logic on: LO PZR PRESS to 1-out-of-2 coincidence, on HI-CONT PRESS to 2-out-of-3 coincidence, and CSAS on HI-HI CONT PRESS to 2-out-of-3 coincidence.
Converts RPS logic to 1-out-of-2 coincidence.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 28 of 119)
Bistable, RPS, SIAS, CIAS, CSAS and PPS Alarms, Channel A (Typical), Figure 7.2-10 (cont.)
LO PZR PRESS (62) (cont.)
Off (goes high)
Component failure. Set-point not adjusted.
Bistable relays in RPS and ESFS channels remain energized for channel A conditions. Channel trip will not occur for LOW PZR PRESS portion of RPS, CSAS, SIAS and CIAS circuit for bona fide signals.
Not annunciating.
Periodic test. Set-point readout from plant computer.
3-channel redundancy.
(4th channel bypassed).
Converts ESFSs CSAS, SIAS and CIAS logic on: LO-LO PZR PRESS to 2-out-of-2 coincidence, on HI CONT PRESS to 2-out-of-3 coincidence, and CSAS on HI-HI CONT PRESS to 2-out-of-3 coincidence.
Convert RPS logic to 2-out-of-2 coincidence.
Reactor trip logic and ESFS actuation logic for LO PZR PRESS must be converted to 1-out-of-2 when failure is detected by tripping either the bypassed channel or the affected channel.
Other parameter input (HI-HI CONT PRESS, HI-CONT PRESS) still remain 2-out-of-3 coincidence for their ESFS actuations.
Bistable, SIAS, MSIS, CSAS, CIAS and PPS Alarm, Channel A (Typical), Figure 7.2-10 HI CONT PRESS (13)
Off (goes low)
Component drift.
Open circuit dc power supply.
Bistable relays in ESFS channel for high containment pressure logic deenergize and "A" portion 2-out-of-3 coincidence changes logic state. Channel trip occurs in HI-CONT PRESS portion of SIAS, MSIS, CSAS and CIAS logics.
Annunciating; PPS pretrip, trip alarms.
3-channel redundancy.
(4th channel bypassed).
Converts ESFSs SIAS, MSIS, CSAS and CIAS logic on: HI CONT PRESS to 1-out-of-2 coincidence.
LO PZR PRESS to 2-out-of-3 coincidence, and CSAS on HI-HI CONT PRESS to 2-out-of-3 coincidence.
On (goes high)
Component failure, drift setpoint not adjusted.
Bistable relays in ESFS channel for high containment pressure logic remain energized. Channel A will not trip for bona fide high containment pressure conditions.
Not annunciating; Periodic test; set-point readout from plant computer.
3-channel redundancy.
(4th channel bypassed).
Converts ESFSs SIAS, MSIS, CSAS and CIAS logic on: HI CONT Press 2-out-of-2 coincidence.
Other parameter input (LO PZR PRESS) still remain 2-out-of-3 coincidence. ESFS logic for HI CONT.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 29 of 119)
Bistable, SIAS, CSAS, MSIS, CIAS and PPS Alarm, Channel A (Typical), Figure 7.2-10 (cont.)
HI CONT PRESS (13)
(cont.)
CSAS logic on HI-HI CONT PRESS to 2-out-of-3 coincidence, and CIAS, CSAS and SIAS on LO PZR PRESS to 2-out-of-3 coincidence.
PRESS must be converted to 1-out-of-2 when failure is detected by tripping either the bypassed channel or the affected channel.
Bistables, RPS Trip, CWP, and PPS Alarm, Channel A (Typical), Figure 7.2-10 HI PZR PRESS (65)
Off (goes low)
Open circuit, dc power supply.
Bistable relay in RPS channel logic deenergizes and "A" portion of both CWP and RPS 2-out-of-3 coincidence changes state. Channel trip occurs in both pre-trip and trip circuits.
Annunciating. Pre-trip and trip PPS alarm.
3-channel redundancy.
(4th channel bypassed).
Converts reactor trip CWP logic on HI PZR PRESS to 2-out-of-2 coincidence.
When failure is detected, reactor trip and CWP logic for LO PZR PRESS must be converted to 1-out-of-2 by tripping either the bypassed channel or the affected channel.
Bistable, EFAS Summer, Channel A (Typical), Figure 7.2-10 SG-2 LO LVL and SG-2 PRESS Auctioneer Summer (85)
On Shorted relay contact(s).
Unable to initiate EFAS channel trip input to EFAS logic.
Not annunciating.
Periodic test.
3-channel redundancy.
(4th channel bypassed).
Converts logic for EFAS to 2-out-of-2 coincidence.
When failure is detected, EFAS must be converted to 1-out-of-2 by tripping bypassed channel.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 30 of 119)
Bistable, EFAS Summer, Channel A (Typical), Figure 7.2-10 (cont.)
AND SG-1 LO LVL and SG-1 PRESS Auctioneer Summer (86)
Off Broken wire.
Unwarranted channel trip input to EFAS 2-out-of-3 logic.
Annunciating, periodic test.
EFAS logic is 2-out-of-3 selection.
Converts logic for EFAS to 1-out-of-2 coincidence.
Two-out-of-four Coincidence Logic, EFAS Auctioneer, Channel A (Typical), Figure 7.2-10 SG-2 PRESS Auctioneer (34)
Short Electrical short.
Unable to initiate EFAS channel trip input to EFAS 2-out-of-3 logic when steam generator low level occurs.
Not annunciated.
Periodic testing.
3-channel redundancy.
Manual initiation (4th channel bypassed).
Converts logic for EFAS to 2-out-of-2 coincidence.
When failure is detected, EFAS logic must be converted to 1-out-of-2 by tripping the channel that is bypassed.
SG-1 PRESS Auctioneer (35)
Open Broken wire, loss of power to relay.
Unwarranted channel trip input to EFAS 2-out-of-3 logic if steam generator low level occurs.
Not annunciated, periodic testing.
EFAS logic is 2-out-of-3 selective. (4th channel bypassed).
Converts logic for EFAS to 1-out-of-2 coincidence on occurrence of steam generator low level.
Bistables, EFAS Bistable Logic, Channel A (Typical), Figure 7.2-12 A7-6 (A8-6)
Contact shorts.
Welded contact Bistable relays of channel A that are used in the logic matrices of EFAS-1 (EFAS-2) will not deenergize for a valid trip condition.
Periodic PPS test.
Actuation logic for EFAS-1 (EFAS-2) is converted to 2-out-of-2.
(4th channel assumed to be bypassed).
When failure is detected, EFAS-1 (EFAS-2) actuation logic must be converted to 1-out-of-2 by tripping the bypassed channel. The failed channel can then be bypassed.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 31 of 119)
Bistable, EFAS Bistable Logic, Channel A (Typical), Figure 7.2-12 (cont.)
A7-6 (A8-6) (cont.)
Contact opens Deterioration of contact.
Actuation conditions for EFAS-1 (EFAS-2) are changed from: SG1 pressure > SG2 pressure or SG1 not low pressure, and SG1 low level (SG2 pressure > SG1 pressure or SG2 not low pressure and SG2 low level) to: SG1 pressure > SG2 pressure or SG1 not low pressure (SG2 pressure > SG1 pressure or SG2 not low pressure). Channel will be tripped at normal operating conditions.
Bistable trip will be annunciated.
Actuation logic for EFAS-1 (EFAS-2) is converted to 1-out-of-2.
(4th channel bypassed).
A11-6 (A12-6)
Contact shorts Welded contact Actuation conditions for EFAS-1 (EFAS-2) for affected channel are changed to: SG1 pressure > SG2 pressure and SG1 low level (SG2 pressure > SG1 pressure and SG2 low level). Channel will not trip for the condition: SG1 not low pressure and SG1 low level (SG2 not low pressure and SG2 low level).
Periodic PPS testing.
EFAS actuation logic for: SG low level and SG not low pressure is converted to 2-out-of-2.
(4th channel assumed to be bypassed).
When failure is detected, EFAS logic must be converted to 1-out-of-2 by tripping the channel.
Contact opens Deterioration of contact.
Actuation condition for affected EFAS-1 (EFAS-2) channel becomes SG1 low level (SG2 low level).
Periodic PPS testing.
EFAS actuation logic effectively becomes 1-out-of-2 because affected bistable will trip whenever a low SG level condition occurs.
4th channel assumed to be bypassed.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 32 of 119)
Bistables, EFAS Bistable Logic, Channel A (Typical), Figure 7.2-12 (cont.)
A19-6 (A20-6)
Contact shorts Welded contact Actuation conditions for affected EFAS-1 (EFAS-2) channel become: SG1 not low pressure and SG1 low level (SG2 not low pressure and SG2 low level). Channel will not trip for condition: SG1 pressure > SG2 pressure and SG1 low level (SG2 pressure > SG1 pressure and SG2 low level).
Periodic PPS testing.
EFAS actuation logic for condition: SG1 pressure > SG2 pressure and SG1 low level (SG2 pressure > SG1 pressure and SG2 low level) is converted to 2-out-of-2.
(4th channel assumed to be bypassed).
When failure is detected, EFAS logic must be converted to 1-out-of-2 by tripping the channel.
Contact opens.
Deterioration of contact.
Actuation condition for affected EFAS-1 (EFAS-2) channel becomes SG1 low level (SG2 low level).
Periodic PPS testing.
EFAS actuation logic effectively becomes 1-out-of-2 because affected bistable will trip whenever a low SG level condition occurs.
4th channel assumed to be bypassed.
Bistable Logic, EFAS Inverter, Channel A (Typical)
Figure 7.2-10 SG-2 LO PRESS Logic Inverter (28)
AND On (Low PRESS signal)
Relay or contact shorted.
See relay A11-6 contacts (relay A12-6 contacts). Inverter consists of normally closed contacts from SG LO PRESS bistable relays.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 33 of 119)
Bistable Logic, EFAS Inverter, Channel A (Typical), Figure 7.2-10 (cont.)
PRESS LOGIC SG-1 LO Inverter (29)
Off (high signal)
Relay failure, broken wire.
See A11-6 relay contacts (relay A12-6 contacts). Inverter consists of normally closed contacts from SG LO PRESS bistable relays.
2-out-of-4 Coincidence Logic, PPS Trip, Figure 7.2-10 HI CONT PRESS (26)
SG-2 LO PRESS (41)
SG-1 LO PRESS (50)
Logic matrix OFF (e.g., AB matrix)
Component failure, power supply pair failure.
Reactor trip occurs due to logic coincidence corresponding to two channel signals in the 2-out-of-3 logic matrix circuits. AB logic matrix initiates RPS trip actuation.
Annunciating; pre-trip, trip PPS alarms.
Reactor protective system trip.
Requires failure of two independent relay contacts or redundant power supplies in AB logic matrix.
SG-2 LO LVL (54)
SG-1 LO LVL (58)
LO PZR PRESS (64)
Logic matrix ON (e.g., AB matrix).
Component failure.
Logic matrix corresponding to AB channel will not respond to a bona fide condition. Reactor will not trip when signal originates only in the A, B channels.
Not annunciating, periodic test.
Assuming either C or D channel bypassed.
RPS trip logic reverts to a selective 2-out-of-3 logic for a particular parameter.
When failure is detected, RPS trip logic can be converted to 1-out-of-3 by tripping the bypassed channel or trip logic can be converted to 2-out-of-3 by removing bypass from C or D and bypassing A or B.
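The voting behaviour described in the "Logic matrix ON/OFF" rows above, and in the half-tripped contact rows of this table, can be checked with a small Boolean model. This is an added example, not part of the FSAR: it assumes six pairwise logic matrices (AB through CD), treats a matrix as tripped when both of its unbypassed bistable contacts are tripped, and ignores the four trip paths; the function and parameter names are hypothetical.

```python
from itertools import combinations

CHANNELS = "ABCD"
# Six pairwise logic matrices: AB, AC, AD, BC, BD, CD.
MATRICES = ["".join(p) for p in combinations(CHANNELS, 2)]


def actuates(tripped, bypassed=(), stuck_on=(), stuck_off=(), half_tripped=()):
    """Return True if any logic matrix produces an actuation.

    tripped      -- channels whose bistable has tripped
    bypassed     -- channels in bypass (their contact is shunted in every
                    matrix that contains them)
    stuck_on     -- matrices failed ON: they never respond
    stuck_off    -- matrices failed OFF: they actuate spuriously
    half_tripped -- (matrix, channel) pairs whose contact has failed into
                    the tripped state inside that one matrix only
    """
    tripped, bypassed = set(tripped), set(bypassed)
    for m in MATRICES:
        if m in stuck_off:
            return True
        if m in stuck_on:
            continue
        legs = [
            (ch in tripped or (m, ch) in half_tripped) and ch not in bypassed
            for ch in m
        ]
        if all(legs):
            return True
    return False


def minimal_trip_sets(forced=(), **faults):
    """List the smallest sets of channel trips that cause actuation.

    'forced' channels are held tripped by the operator and are not listed.
    The result is the effective voting logic, e.g. ['AC', 'BC'] means a
    selective 2-out-of-3 in which A+B alone does nothing.
    """
    free = [c for c in CHANNELS
            if c not in forced and c not in faults.get("bypassed", ())]
    found = []
    for size in range(len(free) + 1):
        for combo in combinations(free, size):
            if any(set(f) <= set(combo) for f in found):
                continue  # a smaller set already actuates
            if actuates(set(combo) | set(forced), **faults):
                found.append("".join(combo))
    return found


if __name__ == "__main__":
    cases = {
        "healthy 2-out-of-4": {},
        "D bypassed (2-out-of-3)": {"bypassed": {"D"}},
        "D bypassed, AB matrix ON": {"bypassed": {"D"}, "stuck_on": {"AB"}},
        "compensate: trip D": {"forced": {"D"}, "stuck_on": {"AB"}},
        "compensate: bypass A instead": {"bypassed": {"A"}, "stuck_on": {"AB"}},
        "D bypassed, A contact half-trips AB": {
            "bypassed": {"D"}, "half_tripped": {("AB", "A")}},
    }
    for name, kw in cases.items():
        print(f"{name:38s} -> {minimal_trip_sets(**kw)}")
    print("AB matrix OFF, no trips:", actuates(set(), stuck_off={"AB"}))
```

The undetected "matrix ON" case is the one to watch: with D bypassed, a coincidence of A and B alone no longer actuates, and nothing annunciates until the periodic test.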
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 34 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, PPS Trip, Figure 7.2-10 (cont.)
HI PZR PRESS (67)
HI LIN PWR (77)
HI LOG PWR (77)
HI PWR DENS (98)
LOSS OF LOAD (104)
SG-1 HI LVL (44)
SG-2 HI LVL (43)
2-out-of-4 Coincidence Logic, Pre-Trip, Trip Alarm Auctioneer, Channel A (Typical), Figure 7.2-10 ALARM Auctioneer (113)
On Component Failure Sends 1-out-of-4 pre-trip, trip, or 1-out-of-4 actuation trip path alarms to plant annunciation without valid trip calling for it.
Annunciating PPS channel alarm.
Nuisance PPS alarm sounding.
Operator must check system to determine if bona fide signal exists or if there is a failure in the PPS alarm circuit.
Off Component failure.
Loss of alarm signal for actuator path. ESF and RPS protective action will still occur with alarms on other channels.
Not annunciating, periodic test.
No pre-trip alarm for affected parameter.
Operator will be unaware of problem until test.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 35 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Plant Computer Auctioneer, Channel A (Typical), Figure 7.2-10 Computer Auctioneer (116)
On Component failure.
Sends signals from each trip bistable to plant computer. Alarm routine is activated with no signal calling for it.
Computer readout.
Redundant actuator path.
Nuisance; plant computer alarm sub-routines invoked. No effect upon PPS.
Operator must check system to determine if bona fide signal exists or if there is a failure in the PPS alarm circuit.
Off Component failure.
Loss of computer signal for particular bistable. ESF and RPS protective action will still occur with alarms on other channels.
Not annunciating; periodic test.
Redundant actuator path.
ESF and RPS alarms, within the scope of the plant computer, will be activated by 2 paths instead of 3. No effect upon PPS.
Operator will be unaware of problem until test.
RPS Auctioneer (106)
Open Broken wire.
Loss of trip path power supply.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitors.
Logic for PPS trip 1-out-of-3 selective or any 2-out-of-3.
Short Electrical short Failure to initiate RPS channel trip when required.
Not annunciated.
Periodic testing.
Redundant trip paths.
Logic for RPS trip 2-out-of-3 selective.
2-out-of-4 Coincidence Logic, Reactor Matrix, AB (Typical), Figure 7.2-13 Matrix relay Open coil Sustained voltage Trip path with contact of that relay in it will be deenergized Trip will be annunciated on plant annunciator.
Trip path logic is selective 2-out-of-4 coincidence.
The system has one of two parallel actuation circuits open.
Remaining trip paths are unaffected; each trip path is formed by one set of contacts from each set of logic matrix relays.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 36 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Reactor Matrix, AB (Typical), Figure 7.2-13 (cont.)
6AB-1 or 6AB-2 or 6AB-3 or 6AB-4 Shorted coil Deterioration of insulation.
The shorted coil may cause the driver to fail open or fail short. If the driver fails open, the symptoms will be the same as described above. If the driver fails short, the power supply will be shorted, producing same symptoms as loss of the power supply. (See dc power distribution sheets.)
Trip Relay Driver Short Transient voltage in circuit.
One of the trip paths will not be de-energized should a bona fide trip exist in the affected logic matrix.
Periodic PPS testing.
Remaining matrix relays are unaffected.
System will still respond to a legitimate trip condition.
The matrix relays in the other 5 logic matrices are unaffected. A trip in any of these matrices will cause a trip in all four trip paths.
Open Transient condition in circuit.
One of the four matrix relays will be de-energized causing one of the trip paths to be de-energized.
The plant annunciator will annunciate the trip.
A minimum of two trip paths must be de-energized to initiate a reactor trip. The three other matrix relays in that logic matrix are unaffected and thus will not de-energize any other trip paths unless a bona fide trip condition exists.
The reactor trip circuit breaker switchgear will be partially enabled.
A bona fide trip condition or another selective single failure is required to produce a trip.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 37 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Reactor Matrix, AB (Typical), Figure 7.2-13 (cont.)
Bypass Relay Contact AXK1-1 or BXK1-1 Contact short.
Welded contact The AB logic matrix is not responsive to a concurrent trip of the A1 and B1 bistable.
Periodic PPS testing.
Assuming either C or D channel bypassed, RPS trip logic reverts to a selective 2-out-of-3 logic for a particular parameter.
When failure is detected, RPS trip logic can be converted to 1-out-of-3 by tripping the bypassed channel or trip logic can be converted to 2-out-of-3 by removing bypass from C or D and bypassing A or B.
Contact open Deterioration of contact.
It is not possible to bypass the contact of bistable A1 (B1) in this matrix.
Periodic PPS testing.
A trip condition of bistable associated with this contact cannot be bypassed, thus placing the system in a selective 2-of-3 for the parameter being monitored by bistable 1. During testing the matrix will be sensitive to a trip of the associated bistable.
The contacts of the affected bistable will be bypassed in the other two logic matrices, rendering those matrices incapable of causing a trip for that parameter.
Open coil Bypass indicators will not illuminate when bypass switch is depressed. It is not possible to bypass the bistable relay contacts in the three logic matrices affected by the particular bistable.
Bypass indicator does not illuminate when the bypass is attempted.
Bypass not annunciated on plant annunciator.
Any trip of the bistable will make the system sensitive to a trip of any of the three other equivalent bistables.
Cannot revert system logic to 2-out-of-3 particular channel.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 38 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Reactor Matrix, AB (Typical), Figure 7.2-13 (cont.)
Bistable Relay Contact N.O. contact fails closed Welded contact failure of relay driver.
The reactor trip AB logic matrix will not respond to the tripping of the 1 bistables.
Periodic PPS testing.
Assuming either C or D channel bypassed, RPS trip logic reverts to a selective 2-out-of-3 logic for a particular parameter.
When failure is detected, PPS trip logic can be converted to 1-out-of-3 by tripping the bypassed channel or trip logic can be converted to 2-out-of-3 by removing bypass from C or D and bypassing A or B.
N.C. contact fails closed Welded contact The reactor trip AB logic matrix is partially enabled. The occurrence of a trip of the complementary bistable relay will cause deactivation of matrix relays.
Periodic PPS testing.
For the affected parameter the system converts to selective 1-out-of-3 logic or any 2-of-3 to produce an actuation.
N.O. contact fails open.
Deterioration of contact.
The reactor trip AB logic matrix is partially enabled. The occurrence of a trip of the complementary bistable relay will cause deactivation of matrix relays.
AB Matrix becomes half tripped.
For the affected parameter the system converts to selective 1-out-of-3 logic or any 2-of-3 to produce an actuation.
Worst single failure in conjunction with this event would be the failure of the C-Ch Bistable in the untrippable state. Trip logic would then become 2-out-of-2.
Both form C contacts fail in the N.O. position.
Open relay or coil, failure of relay driver.
The reactor trip AB logic matrix is partially enabled. The occurrence of a trip of the complementary bistable relay will cause deactivation of matrix relays.
Annunciated on plant annunciator. Displayed on plant bistable annunciator.
For the affected parameter, the system converts to selective 1-out-of-3 logic or any 2-of-3 to produce an actuation.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 39 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Reactor Matrix, AB (Typical), Figure 7.2-13 (cont.)
Bistable Relay Contact (cont.)
2-out-of-4 Coincidence Logic, CSAS, SIAS, MSIS and CIAS, Figure 7.2-10 HI-CONT PRESS (15)
One logic pair fails OFF (e.g., AB Matrix)
Component failures.
Spurious actuation of SIAS, MSIS, and CIAS. Condition for CSAS actuation becomes 2-out-of HI-HI CONT PRESS>
Annunciating. CIAS, SIAS, and MSIS alarms.
Multiple independent component failures required.
ESFS goes into SIAS, CIAS, and MSIS mode.
One logic pair fails ON (e.g., AB Matrix)
Component failures.
Logic Matrix corresponding to AB channel of HI CONT PRESS will not respond to a valid signal coincidence in the A and B channels, and MSIS, CIAS, and SIAS will not actuate.
Not annunciating.
Periodic test.
Assuming that either the C or D channel for HI CONT PRESS is bypassed; MSIS, CIAS, and SIAS actuation logic goes to a selective 2-out-of-3 state.
When failure is detected, CIAS, MSIS, and SIAS actuation logic for HI containment must be converted to 1-out-of-2 logic by tripping whichever channel of C and D is not bypassed. (Note: If Bypass can be removed from bypassed channel, logic can be converted to 2-out-of-3 by bypassing either channel A or channel B).
LO PZR PRESS (127)
One logic pair fails OFF (e.g., AB Matrix)
Component failures.
Spurious actuation of SIAS and CIAS. Condition for CSAS becomes 2-out-of-4 HI-HI CONT PRESS.
Annunciating. CIAS and SIAS alarms.
Multiple independent component failures required.
ESFS goes into SIAS and CIAS mode.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 40 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, SIAS, and CIAS, Figure 7.2-10 LO PZR PRESS (127)
One logic pair fails ON (e.g., AB matrix)
Component failures.
Logic matrix corresponding to AB channel of PZR PRESS will not respond to a bona fide condition.
Safety injection containment cooling will not occur if signal originates only in the A,B channels.
Not annunciating, periodic test.
Assuming that either channel C or D for LO PZR PRESS is bypassed, SIAS and CIAS actuation logic goes to 2-out-of-3 state.
When failure is detected, SIAS and CIAS actuation logic must be converted to 1-out-of-2 by tripping whichever channel of C and D is not bypassed.
HI-HI CONT PRESS (9)
Logic OFF (e.g., AB matrix).
Component failures. HI-HI CONT PRESS signal occurs for containment spray due to logic coincidence of two channel signals in the 2-out-of-3 logic matrix circuit.
AB logic matrix gate initiates HI-HI CONT PRESS portions of CSAS actuation.
Not annunciating; indicated on PPS matrix test module, periodic test.
LO PZR PRESS, HI CONT PRESS channel in ESFS required for CSAS.
Makes ESFS and CCAS sensitive to HI CONT PRESS signals.
RAS, MSIS, SIAS, CIAS and RPS trip actuation remain status quo. Other PPS functions unaffected.
Requires failure of two independent relay contacts sets, redundant dc power supply in AB logic matrix.
Coincidence logic still remains 2-out-of-3.
Logic ON (e.g., AB matrix).
Component failures.
Logic matrix corresponding to AB channel will not respond to a bona fide condition. HI-HI CONT PRESS portion of CSAS actuation will not occur when signal originates only in the A, B channels.
Not annunciating, periodic test.
Assuming that either channel C or D for HI-HI CONT PRESS is bypassed, HI-HI CONT PRESS portion of CSAS becomes 2-out-of-3 selective.
When failure is detected, HI-HI CONT portion of CSAS actuation logic must be converted to 1-out-of-2 by tripping whichever channel of C and D is not bypassed.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 41 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, MSIS, Figure 7.2-10 S.G. 2 LO PRESS (32)
S.G. 1 LO PRESS (47)
Logic OFF (e.g., AB matrix).
Component failures.
Main steam isolation occurs due to logic failure corresponding to two channel signals in the 2-out-of-3 logic matrix circuit. AB logic matrix gate initiated ESFS MSIS actuation.
Requires multiple independent component failures.
Other PPS functions unaffected.
Requires failure of the independent relay contact sets; redundant dc power supply in AB logic matrix.
Logic ON (e.g., AB matrix).
Component failures.
Logic matrix corresponding to AB channel to affected SG will not respond to a bona fide condition.
Main steam isolation unable to occur when signal originates in the affected SG AB channels.
Not annunciating, periodic test.
Assuming that either channel C or D for low SG pressure is bypassed, MSIS logic for affected SG becomes 2-out-of-3 selective.
When failure is detected, MSIS logic for affected SG must be converted to 1-out-of-2 by tripping whichever channel of C and D that is not bypassed.
2-out-of-4 Coincidence Logic RAS, Figure 7.2-10 Refueling Tank Low Level (4)
Logic Matrix OFF (e.g., AB matrix).
Component failures.
Recirculation initiation signal occurs due to logic failure corresponding to two channel signals in the 2-out-of-3 logic matrix circuits. AB logic matrix gates initiate ESFS RAS actuation.
Requires multiple independent component failures.
Makes ESFS go into RAS mode. Other PPS functions are unaffected.
Requires failure of two independent relay contacts sets; redundant dc power supplies in AB logic matrix. If failure occurs, RAS signal closes valves from RWT and opens valve between sump and SI system.
Logic Matrix ON (e.g., AB matrix).
Component failures.
Logic matrix corresponding to AB channels will not respond to a bona fide condition. Recirculation actuation will not occur when signal originates only in the A, B channels.
Not annunciating, periodic test.
Assuming that channel C or D for REFUELING TANK LO LEVEL is bypassed, RAS logic becomes 2-out-of-3 selective.
When failure is detected, RAS logic must be converted to 1-out-of-2 by tripping whichever channel of C and D that is not bypassed.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 42 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence EFAS, Figure 7.2-10 EFAS-2 Logic (128)
Logic OFF (e.g., AB matrix).
Component failures.
Emergency feedwater actuation (EFAS) occurs due to logic failure corresponding to two channel signals in the 2-out-of-3 logic matrix circuit.
Main feed system will compensate for excess feedwater. Requires multiple independent component failures.
Makes ESFS go into EFAS mode. Other PPS functions unaffected.
Requires failure of two independent relay contact sets, redundant dc power supply in AB logic matrix.
Logic ON (e.g., AB matrix).
Component failures.
Logic matrix corresponding to AB channel of affected SG will not respond to a bona fide condition.
EFAS will not occur when signal originates on the affected SG A, B channels.
Not annunciating, periodic test.
Assuming that channel C or D for the inputs to the affected EFAS is bypassed, actuation logic for the affected EFAS becomes 2-out-of-3 selective.
When failure is detected, EFAS logic must be converted to 1-out-of-2 by tripping whichever channel C or D is bypassed for all EFAS inputs.
2-out-of-4 Coincidence Logic Engineered Features, CSAS-RAS-EFAS AB (Typical), Figure 7.2-13 Logic Matrix Relay Contact CSAS A17-1 or B17-1 N.O. contact fails closed.
Welded contact.
The AB logic matrix for the affected function does not respond to the tripping of the bistable.
Periodic PPS testing.
See Table 7.2-5, sheets 41, 42, and 43; "Failure Mode-Logic ON."
See Table 7.2-5, sheets 41, 42, and 43; "Failure Mode-Logic ON."
RAS A18-1 or B18-1 Failure of relay driver.
EFAS-1 A19-1 or B19-1 EFAS-2 A20-1 or B20-1
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 43 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic Engineered Features, CSAS-RAS-EFAS AB (Typical), Figure 7.2-13 (cont.)
Logic Matrix Relay Contact CSAS A17-1 or B17-1 RAS A18-1 or B18-1 EFAS-1 A19-1 or B19-1 EFAS-2 A20-1 or B20-1 (cont.)
N.C. contact fails closed.
N.O. contact fails open.
Welded contact.
Deterioration of contact.
The AB logic matrix for the particular function is partially activated. The occurrence of a trip of the complementary bistable relay will cause the matrix to produce a trip.
The AB logic matrix for the particular function is partially activated. The occurrence of a trip of the complementary bistable relay will cause the matrix to produce a trip.
Periodic PPS testing.
Periodic PPS testing.
A bypass function is built into the circuit that allows bypassing of the failed contact, preventing that matrix from producing a trip.
AB matrix is half tripped.
Actuation logic for affected function becomes 1-out-of-3 selective or any 2-out-of-3.
AB matrix is half tripped.
Actuation logic for the affected function becomes 1-out-of-3 selective or any 2-out-of-3. (4th channel bypassed).
Bypass of the function also disables the other two logic matrices associated with that bistable. Logic then becomes 2-out-of-3. Without a bypass, the logic for the affected function is a selective 1-out-of-4 or any 2-out-of-4.
Both form C contacts fail into the N.O. position.
Open relay coil.
Failure of relay driver.
The AB logic matrix for the particular function is partially activated. The occurrence of a trip of the complementary bistable relay will cause the matrix to produce a trip.
Annunciated on plant annunciator.
A bypass function is built into the circuit that allows bypassing of the failed contact, preventing that matrix from producing a trip.
AB matrix is half tripped.
The logic for the affected function is a selective 1-out-of-3 or any 2-out-of-3. (4th channel bypassed).
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 44 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic Engineered Features, CSAS-RAS-EFAS AB (Typical), Figure 7.2-13 (cont.)
Logic Matrix Relay Bypass Contact CSAS AXK17-1 or BXK17-1 RAS AXK18-1 or BXK18-1 EFAS-1 AXK19-1 or BXK19-1 EFAS-2 AXK20-1 or BXK20-1 Contact shorts.
Contact open.
Welded.
Deteriorated contact.
The logic matrix for the function associated with this contact will not respond to a trip of the bistable.
It is not possible to bypass the bistable relay contact in this matrix.
Periodic PPS testing.
Periodic PPS testing.
See Table 7.2-5, sheets 41, 42, and 43; "Failure Mode-Logic ON."
A trip condition of the bistable associated with this contact cannot be bypassed, thus the matrix will be half tripped.
During testing of the bistables, the matrix will be sensitive to a trip of the associated bistable.
See Table 7.2-5, sheets 41, 42, and 43; "Failure Mode-Logic ON."
The contacts of the affected bistable will be bypassed in the other two logic matrices rendering those matrices immune to any trip condition.
Open coil.
Bypass indicators will not illuminate when bypass switch is depressed. It is not possible to bypass the bistable relay contacts in the three logic matrices affected by the particular bistable.
Bypass indicators OFF.
Bypass not annunciated on plant annunciator.
An invalid trip of the associated bistable will half trip three logic matrices.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 45 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Engineered Features, CIAS/SIAS AB (Typical), Figure 7.2-13 Logic Matrix Relay Contact A6-9 or B6-9 N.O. contact fails closed.
Welded contact.
Failure of bistable relay driver.
The AB matrix for CIAS/SIAS will not respond to a trip of the bistable.
Assuming that either channel C or D for LO PZR PRESS is bypassed, SIAS and CIAS actuation logic goes to 2-out-of-3 state.
When failure is detected, SIAS and CIAS actuation logic must be converted to 1-out-of-2 by tripping whichever channel of C and D is not bypassed.
N.C. contact fails closed.
Welded contact.
The AB logic matrix for CIAS/SIAS is partially tripped. A trip of the complementary bistable relay will cause deactivation of the matrix relays.
Periodic PPS testing.
The AB matrix for CIAS/SIAS is half tripped.
The CIAS/SIAS logic will be a selective 1-out-of-3 logic or any 2-out-of-3 signals.
N.O. contact fails open.
Deterioration of contact.
The AB logic matrix for CIAS/SIAS is partially tripped. A trip of the complementary bistable relay will cause the deactivation of the matrix relays.
Periodic PPS testing.
The AB matrix for CIAS/SIAS is half tripped.
The CIAS/SIAS logic will be a selective 1-out-of-3 logic or any 2-out-of-3 signals.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 46 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Engineered Features, CIAS/SIAS AB (Typical), Figure 7.2-13 (cont.)
Logic Matrix Relay Contact A6-9 or B6-9 (cont.)
Both form C contacts fail into the N.O. position.
Open relay coil, failure of relay driver.
The AB logic matrix for CIAS/SIAS is partially tripped. A trip of the complementary bistable relay will cause deactivation of the matrix relays.
Annunciated on plant annunciator.
The AB matrix for CIAS/SIAS is half tripped.
The CIAS/SIAS logic will be a selective 1-out-of-3 logic or any 2-out-of-3 signals.
Logic Matrix Relay Contact A16-1 or B16-1 N.O. contact fails closed.
Welded contact.
Failure of bistable relay driver.
The AB logic matrix will not respond to a trip of the bistables.
Periodic PPS testing.
Assuming that either the C or D channel for HI CONT PRESS is bypassed; MSIS, CIAS, and SIAS actuation logic goes to a selective 2-out-of-3 state.
When failure is detected, CIAS, MSIS and SIAS actuation logic for HI CONT must be converted to 1-out-of-2 logic by tripping whichever channel of C and D is not bypassed. (Note: If bypass can be removed from bypassed channel, logic can be converted to 2-out-of-3 by bypassing either channel A or channel B).
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 47 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Engineered Features, MSIS, CIAS/SIAS AB (Typical), Figure 7.2-13 (cont.)
Logic Matrix Relay Contact A16-1 or B16-1 (cont.)
N.C. contact fails closed.
Welded contact.
The AB logic matrix for the affected functions is partially tripped.
Occurrence of a trip of the complementary bistable relay will cause deactivation of the matrix relays for those functions.
Periodic PPS testing.
AB matrix is half tripped for MSIS and one parameter of CIAS/SIAS.
MSIS logic will be a selective 1-out-of-3 logic or any 2-out-of-3 signal. CIAS/SIAS will be the same as MSIS for one parameter.
N.O. contact fails open.
Deterioration of contact.
The AB logic matrix for the affected functions is partially tripped.
Occurrence of a trip of the complementary bistable relay will cause deactivation of the matrix relays for those functions.
Periodic PPS testing.
AB matrix is half tripped for MSIS and one parameter of CIAS/SIAS.
MSIS logic will be a selective 1-out-of-3 for that parameter.
CIAS/SIAS will be the same as MSIS for one parameter.
Both form C contacts fail into the N.O.
position.
Open relay coil, failure of relay driver.
The AB logic matrix for the affected functions is partially tripped.
Occurrence of a trip of the complementary bistable relay will cause deactivation of the matrix relays for those functions.
Annunciated on plant annunciator.
AB matrix is half tripped for MSIS and one parameter of CIAS/SIAS.
MSIS logic will be a selective 1-out-of-3 signal. CIAS/SIAS will be the same as MSIS for one parameter.
Logic Matrix Relay Contact Bypass Relay AXK16-1 or BXK16-1 Contact short.
Welded contact.
The AB logic matrix will not respond to a trip of the associated bistables.
Periodic PPS testing.
Assuming that either the C or D channel for HI CONT PRESS is bypassed; MSIS, CIAS, and SIAS actuation logic goes to a selective 2-out-of-3 state.
When failure is detected, CIAS, MSIS and SIAS actuation logic for HI CONT must be converted to 1-out-of-2 logic by tripping whichever channel of C and D that is not bypassed.
(Note: If bypass can be removed from bypassed channel, logic can be converted to 2-out-of-3 by bypassing either channel A or channel B).
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 48 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Engineered Features, MSIS, CIAS/SIAS AB (Typical), Figure 7.2-13 (cont.)
Logic Matrix Relay Contact Bypass Relay AXK16-1 or BXK16-1 (cont.)
Contact open.
Deterioration of contact.
It is not possible to bypass the bistable in the AB matrix.
Periodic PPS testing.
A trip condition of the bistable associated with this contact cannot be bypassed, thus the matrix will be half tripped for one parameter of CIAS/
During testing of the bistables the matrix will be sensitive to a trip of the associated bistable.
The contacts of the affected bistable will be bypassed in the other two logic matrices rendering those matrices immune to any trip condition for one parameter of CIAS/SIAS and MSIS.
Open coil.
Bypass indicator will not illuminate when bypass switch is depressed.
Bistable contacts in logic matrices cannot be bypassed.
Bypass indicators off. Bypass not annunciated on plant annunciator.
A trip of the associated bistable will half trip three logic matrices.
Logic Matrix Bypass Relay Contact AXKB6-9 or BXKB6-9 Contact short.
Welded contact.
The AB logic matrix will not respond to a trip of the associated bistables.
Periodic PPS testing.
Assuming that channel C or D for LO PZR PRESS is bypassed, SIAS and CIAS actuation logic goes to 2-out-of-2 state.
When failure is detected, SIAS and CIAS actuation logic must be converted to 1-out-of-2 by tripping whichever channel of C and D is not bypassed.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 49 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Engineered Features, MSIS, CIAS/SIAS AB (Typical), Figure 7.2-13 (cont.)
Logic Matrix Bypass Relay Contact AXKB6-9 or BXKB6-9 (cont.)
Contact open.
Deterioration of contact.
It is not possible to bypass the bistable in the AB matrix.
Periodic PPS testing.
A trip condition of the bistable associated with this contact cannot be bypassed, thus the matrix will be half tripped for the CIAS/SIAS functions.
The contacts of the affected bistable will be bypassed in the other two logic matrices rendering those matrices immune to any trip conditions for the CIAS/SIAS functions.
Open coil Bypass indicator will not illuminate when bypass switch is depressed.
Bistable contacts in logic matrices cannot be bypassed.
Bypass indicators off.
Bypass not annunciated on plant annunciator.
A trip of the associated bistable will half trip three logic matrices.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 50 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, CSAS, SIAS and CIAS Auctioneer, Channel A (Typical), Figure 7.2-10 LOW PZR PRESS/HI CONT PRESS Auctioneer (18)
Logic OFF (e.g., AB matrix).
Component failure, dc power supply pair failure.
The LO PZR PRESS/HI CONT PRESS auctioneer consists of a series of connections of contacts from the LO PZR PRESS and HI CONT PRESS bistables. See Table 7.2-5, sheets 46 through 50.
Logic ON (e.g., AB matrix).
Component failure.
The LO PRESSURIZER PRESS/HI CONT PRESS auctioneer consists of a series of connections of contacts from the LO PZR PRESS and HI CONT PRESS bistables.
See Table 7.2-5, sheets 46 through 50.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 51 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Engineered Features, MSIS AB (Typical), Figure 7.2-13 Logic Matrix Bypass Relay Contact AXKB11-9 or BXKB11-9 or AXKB12-9 or BXKB12-9 Contact short (e.g., AB matrix).
Welded contact.
The AB logic matrix will not respond to trip of either the A or the B bistables associated with the contact.
Periodic PPS testing.
Assuming that either channel C or D for low SG pressure is bypassed, MSIS logic for affected SG becomes 2-out-of-3 selective.
When failure is detected, MSIS logic for affected SG must be converted to 1-out-of-2 by tripping whichever channel of C and D that is not bypassed.
Contact open (e.g., AB matrix).
Deterioration of contact. It is not possible to bypass the bistable relay contact in the affected matrix.
Periodic PPS testing. A trip condition of the bistable associated with the faulty component cannot be bypassed in the AB matrix.
Open coil.
Bypass indicators will not illuminate when bypass switch is depressed. It is not possible to bypass the bistable relay contact in the three logic matrices affected by the bistable.
Bypass indicator off.
Bypass not indicated on plant annunciator.
An invalid trip of the associated bistable will half trip three logic matrices.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 52 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Engineered Features, MSIS AB (Typical), Figure 7.2-13 (cont.)
Logic Matrix Relay A11-9 or B11-9 or A12-9 or B12-9 N.O. contact closed (e.g., AB matrix).
Welded contact, failure of bistable relay driver.
The AB logic matrix will not respond to trip of the associated bistable.
Periodic PPS testing.
Assuming that either channel C or D for low SG pressure is bypassed, MSIS logic for affected SG becomes 2-out-of-3 selective.
When failure is detected, MSIS logic for affected SG must be converted to 1-out-of-2 by tripping whichever channel of C and D that is not bypassed.
N.C. contact closed (e.g., AB matrix).
Welded contact.
The AB logic matrix for the function is partially activated. The occurrence of a trip of the complementary bistable relay will cause the matrix to be tripped.
Periodic PPS testing.
AB matrix is half tripped for one of the parameters being monitored.
Logic for the function is a selective 1-out-of-3 logic or any 2-out-of-3 signals for one parameter and any 2-out-of-4 for the other parameter.
N.O. contact open.
Deterioration of contact.
The AB logic matrix for the function is partially activated. The occurrence of a trip of the complementary bistable relay will cause the matrix to be tripped.
Periodic PPS testing.
AB matrix is half tripped for one of the parameters being monitored.
Both C contacts fail into the N.O. position (e.g., AB matrix).
Open relay coil, failure of relay driver.
The AB logic matrix for the function is partially activated. The occurrence of the complementary bistable relay will cause the matrix to be tripped.
Annunciated on plant annunciator.
AB matrix is half tripped for one of the parameters being monitored.
Logic for the function is a selective 1-out-of-3 logic or any 2-out-of-3 signals for one parameter and any 2-out-of-3 for the other parameter.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 53 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, MSIS Auctioneer, Channel A (Typical), Figure 7.2-10 SG Low Pressure Auctioneer (33)
See Table 7.2-5, sheets 51 and 52 for analysis of auctioneering circuit.
2-out-of-4 Coincidence Logic, Engineered Features, CSAS-EFAS-MSIS-CIAS/SIAS, AB (Typical),
Figure 7.2-13 Logic Matrix Relay Drivers Shorted Voltage transient in circuit.
One of the trip paths will not be deenergized should a bona fide trip exist in the affected logic matrix.
Periodic PPS testing.
The three other matrix relays have independent drives and will open 6 of the 8 trip breakers.
Trip of logic matrix will not be transmitted to one of the four trip paths for the affected function.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 54 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic, Engineered Features, CSAS-EFAS-MSIS-CIAS/SIAS, AB (Typical),
Figure 7.2-13 (cont.)
Transistor & Associated Components driving "AB" Relay Coils Open.
Voltage transient in circuit.
One of the four matrix relays will be deenergized causing one of the trip paths to be activated.
The plant annunciator will annunciate the activation of a trip path.
The three other matrix relays have independent drives.
One of the four trip paths for the affected function will be tripped.
A bona fide trip condition or another selective single failure is required to complete the actuation. The path logic is 2-out-of-4 selective or any 3-out-of-4.
Matrix Relays CSAS 3AB-1, 2,3,4 RAS 4AB-1,2,3,4 EFAS-1 7AB-1,2,3,4 EFAS-2 8AB-1,2,3,4 MSIS 5AB-1,2,3,4 CIAS/SIAS 2AB-1,2,3,4 Coil open.
Coil short Mechanical break in coil winding.
Insulation breakdown.
A trip path is de-energized.
Trip path with contact of that relay in it will be de-energized.
Periodic PPS testing.
Trip annunciated on plant annunciator.
Periodic PPS testing.
Trip annunciated on plant annunciator.
Each trip path is driven from a separate relay, hence the other three trip paths are unaffected.
Each trip path is driven from a separate relay, hence the other three trip paths are unaffected.
One of the four trip paths for the affected function is always tripped.
One of the four trip paths for the affected function is always tripped.
The shorted coil may cause the driver to fail open or fail short. If the driver fails open, the symptoms will be the same as described above. If the driver fails short, the power supply will be shorted, producing the same symptoms as loss of the power supply. (See dc power distribution PS. F, PS. G, or PS. H.)
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 55 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects 2-out-of-4 Coincidence Logic CEA Withdrawal Prohibit (CWP), Figure 7.2-10 Core Protector Calculator (121)
Logic open.
Open circuit.
CWP occurs due to logic coincidence corresponding to two-channel signals in the 2-out-of-3 logic matrix circuit. Logic initiates CWP actuation.
Annunciating CWP alarm.
CWP Effect upon CEDMs: Inability to raise CEAs.
HI PZR PRESS (150)
Logic short.
Short circuit.
The logic matrix will not respond to a bona fide condition. CWP will not occur when signal originates in any channel.
Not annunciating, periodic test.
Loss of CWP.
CWP is not required for plant safety.
CWP Auctioneer (151)
Auctioneer open.
Open Circuit.
CWP occurs due to logic corresponding to core protection calculation or HI PZR PRESS 2-out-of-3 logic.
Annunciating CWP alarm, periodic test.
CWP Trip Path, CSAS Blocking, Channel A (Typical) Figure 7.2-10 Auto CSAS Permissive (10)
Open. Relay failure, broken wire.
Unwarranted channel trip of CSAS.
Plant annunciation.
Indication lights.
CSAS actuation logic is 2-out-of-3 selective. (4th channel bypassed.)
Logic for CSAS 1-out-of-2 selective.
One permissive per trip path.
Short. Relay failure, electrical short.
Failure to initiate CSAS channel trip when required.
Not annunciating.
Routine testing.
Logic for CSAS 2-out-of-2.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 56 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects One-out-of-four Coincidenced Logic, RPS Alarm, Figure 7.2-10 REFUEL TANK LO LEVEL (3)
SG-2 LO PRESS (31)
SG-1 LO PRESS (46)
HI-HI CONT PRESS (8)
HI CONT PRESS (14)
HI CONT PRESS (25)
SG-2 SG-1 PRESS (40)
SG-1 SG-2 PRESS (49)
SG-2 LO LEVEL (53)
SG-1 LO LEVEL (57)
LO PZR PRESS (63)
HI PZR PRESS (66)
HI LIN PWR (73)
HI PWR DENSITY (97)
OFF (goes low)
ON (goes high)
Component failure.
Component failure.
Pre-trip alarm circuit activated.
Loss of alarm signal for single channel. Protective action will still occur with alarms on other channel.
Audible and visual PPS alarm in control room.
Not annunciating, periodic test.
Redundant channel.
Nuisance alarm.
Make alarm logic 1-out-of-2. (4th channel bypassed).
Operator must check system to determine if bona fide trip exists or if there is a failure in the alarm circuit.
Operator will be unaware of channel failure until test.
SG-2 HI LVL (136)
SG-1 HI LVL (137)
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 57 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, RPS, Channel 1 (Typical), Figure 7.2-14 Relay Contact 6AB-1 or 6BC-1 or 6BD-1 or 6AC-1 or 6CD-1 or 6AD-1 Shorted.
Welded contact.
A bona fide trip of the logic matrix associated with the failed component will not cause de-energization of the trip path in the affected channel.
Periodic PPS testing.
The trip path is lost for that particular logic matrix.
Reactor trip thus converts to a selective 2-out-of-3 trip path.
Each trip path uses a contact from a different relay, therefore the remaining three trip paths will be de-energized should a bona fide trip occur. The affected trip path will, however, respond properly to the action of the five other logic matrices.
Open.
Deterioration of contact.
One of the RPS trip paths is de-energized.
Trip is annunciated on the plant annunciator.
Reactor trip converts to any 1-out-of-3 selective or any 2-out-of-3 trip paths. Reactor trip converts to any 1-out-of-3 selective or any 2-out-of-3 trip paths.
To produce a trip still requires a 2-out-of-3 coincidence of the appropriate bistables.
To produce a trip still requires a 2-out-of-3 coincidence of the appropriate bistables.
Either Circuit Breaker Open, either or both contacts.
Deterioration of contacts.
Relay whose contacts are used in the reactor trip circuit breaker switchgear will be de-energized.
Relay that provides indication for PPS status panel, PPS remote module and plant annunciator will be de-energized.
Annunciated on plant annunciator.
Short both contacts.
Welded contacts, mechanical failure.
The circuit breaker will not open, should a fault exist in the ac portion of one of the RPS trip circuits.
Periodic PPS testing.
No effect.
Short one contact.
Welded contact.
None. Bench test.
No effect.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 58 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, RPS, Channel 1 (Typical), Figure 7.2-14 (cont.)
Resistor 2K ohms R1 or R3 Open.
Overvoltage, environmental effects.
The PPS calibration and test panel fails to indicate the opening of one of the solid state relays in the RPS trip path.
Periodic PPS testing.
No effect upon functional operation of trip circuit.
R2 or R4 Decrease in value.
Overvoltage, environmental effects.
Indicator may be brighter than usual.
There are two equal resistors in the circuit. The operating range of the indicator is such that it will operate indefinitely even with one of the resistors shorted out.
No effect upon functional operation of trip circuit.
Increase in value.
Overvoltage, environmental effects.
Effect will not be detectable until resistance increases sufficiently to cause indicator to be in off state.
Periodic PPS testing.
No effect upon functional operation of trip circuit.
Fuses Open.
Transient overcurrent condition.
The trip path is de-energized.
Trip is annunciated on plant annunciator.
Reactor trip converts to 1-out-of-3 selective or any 2-out-of-3 trip paths.
To produce a trip will require a 2-out-of-3 coincidence of the appropriate bistables.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 59 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, RPS, Channel 1 (Typical), Figure 7.2-14 (cont.)
SSR3 or SSR4 Input open.
Voltage transient.
The relay whose contacts are used in the reactor trip circuit breaker switchgear will be de-energized.
Annunciated on plant annunciator.
One of the four trip inputs to the reactor trip circuit breaker switchgear will be de-energized.
To produce a trip still requires a 2-out-of-3 coincidence of the appropriate bistables.
Input short.
Voltage transient. If there is a trip present in the trip path, the fault will not be noticeable.
If there is no trip present, the supply voltage will be momentarily reduced to zero. The fuses in the trip circuit will open and the circuit will de-energize the relay which provides an input to the reactor trip circuit breaker switchgear; that relay will be in the tripped condition (de-energized).
The momentary drop in power may also cause all of the other trip paths using the same power supply to be tripped momentarily. Since all trip paths, with the exception of EFAS-1 and EFAS-2, have lockout circuits, they will remain in the tripped condition.
Tripped paths annunciated on plant annunciator.
Trip paths with the exception of EFAS-1 and EFAS-2 will be tripped in the affected channel. A reactor trip will exist in the affected channel.
Actuation still requires a 2-out-of-3 logic coincidence of the appropriate bistables.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 60 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, RPS, Channel (Typical), Figure 7.2-14 (cont.)
SSR3 or SSR4 (cont.)
Output short.
Voltage transient overload.
The PPS calibration and test panel does not indicate the opening of one of the SSRs in the trip path.
Periodic PPS testing.
There are two SSRs in the circuit, either one can open the circuit that provides a trip to the reactor trip circuit breaker switchgear.
No effect upon functional operation of trip circuit.
Output open.
Voltage transient overload.
The relay whose contacts are used in the reactor trip circuit breaker switchgear will be de-energized.
Annunciated on plant annunciator.
One of the four trip inputs to the reactor trip circuit breaker switchgear will be de-energized.
To produce a trip still requires a 2-out-of-3 coincidence of the appropriate bistables.
Resistor R5 or R6 Decrease in resistance.
Environmental effects.
None. Bench test.
There are two equal resistors in the series circuit. The operating range of the SSR is such that it is still within limits if one of the resistors is shorted.
No effect upon the functional operation of the system.
Open. Environmental effects.
The PPS status panel will indicate that the trip path in the affected channel is de-energized.
Periodic PPS testing.
No effect upon the functional operation of system.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 61 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, RPS, Channel 1 (Typical), Figure 7.2-14 (cont.)
Resistor R5 or R6 (cont.)
Increase in resistance.
Environmental effects.
There will be no symptoms until the resistor has increased in value to about 2,000 ohms. Values exceeding that may cause problems like those listed for the failed open mode.
Resistor R7 or R8 250 ohm Decrease in resistance.
Environmental effects.
No Symptoms.
Bench Check.
Two equal resistors in the series circuit. The operating range of the SSR is such that it is still being operated within limits with one of the resistors shorted.
No effects upon the functional operation of system.
Open.
Environmental effects.
The actuation reset indicator will be flashing when the PPS is in the test mode, indicating that a trip path has been de-energized.
Periodic PPS testing.
The malfunctioning of this component does not affect the functional operation of the circuit.
No effect upon the functional operation of the system.
Increase in resistance.
Environmental effects.
There will be no symptoms until the resistor has increased in value to about 2,000 ohms. Values exceeding that may cause problems like those listed for the failed open mode.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 62 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, RPS, Channel 1 (Typical), Figure 7.2-14 (cont.)
Indicator SSR1 Output open.
Voltage transient overload.
The affected trip path will indicate a trip on the PPS status panel.
Periodic PPS testing.
No effect upon operation of trip path.
Component does not affect functional operation of circuit.
Used for indication purposes only.
Input open or short.
Voltage transient. The affected trip path will indicate a trip on the PPS status panel.
Periodic PPS testing.
Resistors in the input of the SSR limit the current that the SSR may draw from the circuit should the input of the SSR short.
No effect upon operation of trip path.
Component does not affect functional operation of circuit.
Used for indication purposes only.
Output short. Voltage transient. A bona fide RPS trip in the affected channel will not indicate on the PPS status panel.
Periodic PPS testing.
No effect upon operation of trip path.
Component does not affect functional operation of circuit.
Used for indication purposes only.
Test SSR2 Output open, input open.
Voltage transient overload.
The actuation reset indicator will be flashing when the PPS is in the test mode, indicating that a trip path has been de-energized.
Periodic PPS testing.
No effect upon operation of trip path.
Component does not affect functional operation of circuit.
Used for test purposes only.
Input short.
Voltage transient.
The actuation reset indicator will be flashing when the PPS is in the test mode, indicating that a trip path has been de-energized.
Periodic PPS testing.
Resistors in the input of the SSR limit the current that the SSR may draw from the circuit should the input of the SSR short.
No effect upon operation of trip path.
Component does not affect functional operation of circuit.
Used for test purposes only.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 63 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, RPS, Channel 1 (Typical), Figure 7.2-14 (cont.)
Test SSR2 (cont.)
Output short. Voltage transient overload.
A bona fide RPS trip in the affected channel will not cause the PPS actuation reset indicator to flash when the test mode is selected.
No reset circuit flashing in test.
No effect upon operation of trip path.
Component does not affect functional operation of circuit.
Used for test purposes only.
Trip Path, Engineered Features, RAS-MSIS-EFAS,CIAS/SIAS,CSAS Channel A (Typical), Figure 7.2-15 Relay Contact AB Contact (Typical)
RAS-4AB-1 MSIS-5AB-1 EFAS-1-7AB-1 EFAS-2-8AB-1 CSAS-3AB-1 CIAS/SIAS-2AB-1 Shorted.
Open.
Welded contact.
Deterioration of contact.
A bona fide trip of the logic matrix with the failed component will not cause de-energization of the trip path in the affected channel.
The trip path will be de-energized.
Periodic PPS testing.
Trip is annunciated on the plant annunciator.
The trip path is inoperative for that particular logic matrix.
Actuation is dependent upon a selective 2-out-of-3 remaining trip paths.
Trip path logic converts to 1-out-of-3 selective or any 2-out-of-3.
Since each trip path used a contact from a different coil, the remaining three trip paths will be de-energized if a bona fide trip is present.
Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables.
Fuse Open.
Transient overcurrent condition.
The trip path will be de-energized.
Trip is annunciated on the plant annunciator.
Trip path logic converts to 1-out-of-3 selective or any 2-out-of-3.
Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 64 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, Engineered Features, RAS-MSIS-EFAS,CIAS/SIAS,CSAS Channel A (Typical),Figure 7.2-15 (cont.)
Test SSR Output open, input short.
Overload voltage transient.
The actuation reset indicator will be flashing when the PPS is in the test mode, indicating that a trip path has been de-energized.
Periodic PPS testing.
Current limiting resistors R5 and R6 prevent malfunctioning of this component from affecting the functional operation of the circuit.
None.
Safety function of circuit not impaired.
Output short.
Voltage transient overload.
The actuation reset indicator on the PPS will not flash when the trip path with the faulty component is exercised.
Periodic PPS testing.
None.
Safety function of circuit not impaired.
Latching Circuit SSR Output open, input open, input short.
Overload voltage transient.
The trip path will be de-energized.
Trip is annunciated on the plant annunciator.
Actuation converts to a selective 1-out-of-3 logic trip path, or any 2-out-of-3.
To obtain an actuation still requires a 2-out-of-3 coincidence of the appropriate bistables.
Output shorted.
Voltage transient overload.
The trip circuit will not lock out.
Should the bistable switch from a tripped to untripped to tripped etc., the trip circuit will follow the fluctuations.
The trip circuit will not remain in the tripped condition but will follow the action of the series string of matrix relays contacts.
The actuation circuit should not follow any fluctuating condition, for under a trip condition all four trip paths should be de-energized and three will be locked in that state. Since a contact of a locked in trip path is in series with the trip path which is not locked in, the circuit that is locked in will mask any operations of the circuit that does not lock in.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 65 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, Engineered Features, RAS-MSIS-EFAS-CIAS/SIAS,CSAS Channel A (Typical), Figure 7.2-15 (cont.)
250 ohm Resistor R1 or R2 Open.
Environmental effects.
The trip path will be de-energized.
Trip path de-energization is annunciated on the plant annunciator.
Actuation converts to a selective 1-out-of-3 logic trip path, or any 2-out-of-3.
Actuation still requires any 2-out-of-3 coincidence of the bistables.
Decrease in resistance.
Environmental effects.
No symptoms.
Bench check.
Two equal resistors in the series circuit. Operating range of the SSR in the latching circuit is such that it is still within limits if one of the resistors is shorted.
None.
Safety function of circuit not impaired.
Increase in resistance.
Environmental effects.
There will be no symptoms until resistor has increased in value to about 2K ohms. Values exceeding that will cause problems similar to those listed for the failed open mode.
250 ohm Resistor R3 or R4 Decrease in resistance.
Environmental effects.
No symptoms.
Bench check.
Two equal resistors in the series circuit. The operating range of the SSR is such that it is still within limits if one of the resistors is shorted.
None.
Safety function of circuit not impaired.
Open. Mechanical failure.
The PPS status panel and PPS remote module will indicate a trip for the affected function.
Periodic PPS testing.
None.
Safety function of circuit not impaired.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 66 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, Engineered Features, RAS-MSIS-EFAS,CIAS/SIAS,CSAS Channel A (Typical), Figure 7.2-15 (cont.)
250 ohm Resistor R3 or R4 (cont.)
Increase in resistance.
Environmental effects.
There will be no symptoms until the resistor has increased in value to about 2K ohms. Values exceeding that will cause problems like those listed for the failed open mode.
250 ohm Resistor R5 or R6 Decrease in resistance.
Environmental effects.
No symptoms.
Bench check.
Two equal resistors in the series circuit. The operating range of the SSR is such that it is still being operated within limits with one of the resistors shorted.
None.
Safety function of circuit not impaired.
Open.
Mechanical failure.
The actuation reset indicator will be flashing when the PPS is in the test mode, indicating that a trip path has been de-energized.
Periodic PPS testing.
None.
Safety function of circuit not impaired.
Increase in resistance.
Environmental effects.
There will be no symptoms until the resistor has increased in value to about 2K ohms. Values exceeding that will cause problems like those listed for the failed open mode.
Indicator SSR Output open, input open.
Voltage transient.
A trip will constantly be indicated on the PPS status panel and the PPS remote module for the function and channel affected.
Periodic PPS testing.
None.
Safety function of circuit not impaired.
Input fails short.
Voltage transient.
A trip will constantly be indicated on the PPS status panel and the PPS remote module for the function and channel affected.
Periodic PPS testing.
Resistors in the input of the SSR limit the current that the SSR may draw from the circuit should the input of the SSR short.
None.
Safety function of circuit not impaired.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 67 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, Engineered Features, RAS-MSIS-EFAS-CIAS/SIAS,CSAS Channel A (Typical), Figure 7.2-15 (cont.)
Output fails.
Voltage transient.
A bona fide trip for the function and channel affected will not be indicated on the PPS status panel and the PPS remote module.
Periodic PPS testing.
None. Safety function of circuit not impaired.
Remote Manual Trip Path P/B Open.
Mechanical failure, deterioration of contact.
The trip path will be de-energized.
Trip is annunciated on the plant annunciator.
The actuation circuit converts to 1 or 2 out of the three remaining logic trip paths.
A 2-of-3 coincidence of the appropriate bistables is still required to produce an actuation. Another selective fault could also produce an actuation.
Short.
Mechanical failure.
A trip cannot be introduced into the trip path manually.
Periodic PPS testing or when attempting to manually introduce a trip.
That particular circuit cannot be tripped manually.
The other three trip paths are not affected by the failure.
Lockout Reset P/B Open.
Mechanical failure, deterioration of contact.
It will not be possible to reset the affected trip path once it is de-energized.
Periodic PPS testing or when attempting to reset the trip path after a trip.
Trip path de-energized annunciated on plant annunciator.
Trip circuit cannot be reset once tripped.
Actuation logic will be 1-out-of-3 selective or any 2-out-of-3.
Short.
Mechanical failure.
The trip circuit will not lock out.
Should the series string of contacts change state, the initiation relays will follow the action of the string.
Periodic PPS testing.
None.
The actuation circuit should not follow any fluctuations, for under a trip condition all four trip paths will be de-energized, the result of which being the locking in of the three trip paths without faulty components. One of the locked in circuits will thus mask any operations of the circuit which is not locked in.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 68 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, Engineered Features, SIAS-CSAS-CIAS Channel A (Typical), Figure 7.2-16 SIAS or CIAS Lockout Reset P/B Open. Mechanical failure, deterioration of contact.
It will not be possible to reset the affected trip path once it is de-energized.
Periodic PPS testing or when attempting to reset the trip path after a trip.
Trip path de-energization annunciated on plant annunciator.
Trip circuit cannot be reset once tripped.
Actuation logic will be 1-out-of-3 selective or any 2-out-of-3.
Short. Mechanical failure. The trip circuit will not lock out.
Should the control circuit change state the initiation relays will follow the action of the control circuit.
Periodic PPS testing.
None.
The actuation circuit should not follow any fluctuations of the trip circuit, for under a trip condition all four trip paths will be de-energized, resulting in the locking in of the three trip paths without faulty components. One of the locked in circuits will thus mask any operations of the circuit which is not locked in.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 69 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Trip Path, Engineered Features, SIAS-CSAS-CIAS Channel A (Typical), Figure 7.2-16 (cont.)
SIAS or CIAS or CSAS Test SSR Output open, input open.
Input short.
Voltage transient overload.
Voltage.
The actuation reset indicator will be flashing when the PPS is in the test mode, indicating a trip path has been deenergized.
The actuation reset indicator will be flashing when the PPS is in the test mode, indicating that a trip path has been de-energized.
Periodic PPS testing.
Periodic PPS testing.
Current limiting resistors prevent malfunctioning of this component from affecting functional operation of the circuit.
None.
None.
Safety function of circuit not impaired.
Safety function of circuit not impaired.
Output short. Voltage transient overload.
The actuation reset indicator on the PPS will not flash when the trip path with the faulty component is exercised.
Periodic PPS testing.
None.
Safety function of circuit not impaired.
SIAS or CIAS or CSAS Indicator SSR Output open, input open.
Voltage transient overload.
A trip will constantly be indicated on the PPS status panel and PPS remote module for the function and channel affected.
Periodic PPS testing.
None.
Safety function of circuit not impaired.
Input short.
Voltage transient.
A trip will constantly be indicated on the PPS status panel and PPS remote module for the function and channel affected.
Periodic PPS testing.
Current limiting resistors prevent malfunctioning of this component from affecting functional operation of the circuit.
None.
Safety function of circuit not impaired.
Output short.
Voltage transient overload.
A bona fide trip for the function and channel affected will not be indicated on the PPS status panel and the RPS remote module.
Periodic PPS testing.
None.
Safety function of circuit not impaired.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 70 of 119)
Trip Path, Engineered Features, SIAS-CIAS-CSAS Channel A (Typical), Figure 7.2-16 (cont.)
Relay Contact 2AB-1 or 2BC-1 or 2BD-1 or 2AC-1 or 2CD-1 or 2AD-1 Shorted.
Welded contact.
The trip path will not be de-energized when a valid trip signal is received from the affected 2-of-4 coincidence matrix.
Periodic PPS testing.
The trip path is inoperative for that particular logic matrix.
Actuation is dependent upon selective 2-out-of-3 trip path for the affected functions (SIAS, CIAS, CSAS).
A trip condition sensed by a logic matrix will de-energize all four trip paths, thus the loss of one trip path should not prevent actuation of the function(s).
Open.
Deterioration of contact.
One of the trip paths for SIAS and CIAS will be de-energized, and the trip path for CSAS will be partially tripped. (Two conditions are required for CSAS, one of them will appear to be satisfied.)
Trip is annunciated on the plant annunciator.
Trip actuation becomes 1-out-of-3 selective or any 2-out-of-3.
Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables.
SIAS Auxiliary Open coil Sustained overvoltage.
One of the paths to the initiation relays of the affected CSAS trip channel will be open (two conditions are required for CSAS, one of those conditions will be satisfied).
Periodic PPS testing.
No effect unless the other trip condition is also present. If the other condition is present, a trip will be present in one CSAS trip circuit.
Actuation still requires a 2-out-of-3 coincidence one of the bistables for both of the parameters that are monitored for CSAS.
Shorted coil Deterioration of insulation.
A shorted coil will cause the fuse(s) supplying the SIAS and CCAS trip paths in the affected channel to open. This will result in a trip in the SIAS and CCAS trip paths. The CSAS trip path will also be partially tripped.
Trips are annunciated on the plant annunciator.
Trip actuation converts to 1-out-of-3 selective or any 2-out-of-3.
Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables for each of the functions.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 71 of 119)
Trip Path, Engineered Features, SIAS-CIAS-CSAS Channel A (Typical), Figure 7.2-16 (cont.)
SIAS Auxiliary Relay Contact.
Short.
Welded contact.
The CSAS trip path with the affected component will not respond to a trip condition.
Periodic PPS testing.
One CSAS trip path is inoperative. Actuation is dependent upon a selective 2-out-of-3 remaining trip paths for CSAS.
When a trip condition is sensed, all four trip paths will be de-energized, thus the loss of one trip path should not prevent actuation.
Open.
Deterioration of contact.
One of the paths to the initiation relays of the affected CSAS trip channel will be open (two conditions are required for CSAS, one of those conditions will be satisfied).
Periodic PPS testing.
No effect unless the other trip condition is also present. If the other condition is also present, a trip will be present in one CSAS trip circuit.
Actuation still requires a 2-out-of-3 coincidence of the bistable. (Therefore, a coincidence of 2-out-of-3 of the bistables monitoring the pertinent parameter is required.)
Relay Contact 3AB-1 or 3BC-1 or 3BD-1 or 3AC-1 or 3CD-1 or 3AD-1 Shorted.
Welded contact.
The CSAS trip path containing the affected component will not respond to a trip from the logic matrix in which the faulty component is located.
Periodic PPS testing.
The trip path is inoperative for that particular logic matrix.
Actuation is dependent upon a selective 2-out-of-3 of the remaining trip paths.
A trip condition sensed by a logic matrix will de-energize all four trip paths, thus the loss of one trip path will not prevent actuation.
Open.
Deterioration of contact.
One of the CSAS paths to the initiation relays of the affected trip channel will be partially enabled. (Two conditions are required for CSAS, one will be satisfied.)
Periodic PPS testing.
No effect unless a SIAS trip is also present. If SIAS is present, a trip will be present in one CSAS trip circuit.
Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables and the presence of an SIAS trip.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 72 of 119)
Trip Path, Engineered Features, SIAS-CIAS-CSAS Channel A (Typical), Figure 7.2-16 (cont.)
Resistor R3 or R4 or R9 or R10 or R15 or R16 Open.
Decrease in resistance.
Mechanical failure.
Environmental effects.
The PPS status panel and PPS remote module will indicate a trip for the affected function.
No symptoms.
Periodic PPS testing.
Bench check.
There are two resistors in the series circuit. The operating range of the SSR is broad enough to tolerate a short in one of the resistors.
None.
None.
Safety function of circuit not impaired.
Safety function of circuit not impaired.
Increase in resistance.
Environmental effects.
There will be no symptoms until the resistor has increased in value to approximately 2000 ohms. Values exceeding that will cause the same problems as those listed for the failed open condition.
Resistor R1 or R2 or R7 or R8 or R13 or R14 Open.
Mechanical failure.
The trip path containing the affected component will be de-energized.
Trips are annunciated on the plant annunciator.
Actuation converts to a selected 1-out-of-3 or any 2-out-of-3.
Actuation still requires a 2-out-of-3 coincidence of the appropriate bistables.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 73 of 119)
Trip Path, Engineered Features, SIAS-CIAS-CSAS Channel A (Typical), Figure 7.2-16 (cont.)
Resistor R1 or R2 or R7 or R8 or R13 or R14 (cont.)
Decrease in resistance.
Environmental effects.
No symptoms.
Bench check.
There are two equal resistors in the series circuit. Operating range of the SSR in the latching circuit is such that even with one of the resistors shorted the device will still be within the operating range.
None.
Safety function of circuit not impaired.
Increase in resistance.
Environmental effects.
There will be no symptoms until the resistor has increased in value to approximately 2K ohms. Values exceeding that will cause the same problems as those listed for the failed open condition.
Resistor R5 or R6 or R11 or R12 or R17 or R18 Open.
Decrease in resistance.
Mechanical failure.
Environmental effects.
The actuation reset indicator will be flashing when the PPS is in the test mode, indicating that a trip path has been de-energized.
No symptoms.
Periodic PPS testing.
Bench check.
There are two equal resistors in the series circuit. The operating range of the SSR is broad enough to tolerate a short in one of the resistors.
None.
None.
Safety function of circuit not impaired.
Safety function of circuit not impaired.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 74 of 119)
Trip Path, Engineered Features, SIAS-CIAS-CSAS Channel A (Typical), Figure 7.2-16 (cont.)
Resistor R5 or R6 or R11 or R12 or R17 or R18 (cont.)
Increase in resistance.
Environmental effects.
There will be no symptoms until the resistor has increased in value to approximately 2K ohms. Values exceeding that will cause the same problems as those listed for the failed open condition.
Fuse F1 or F2 Open.
Transient overcurrent condition.
The SIAS and CIAS trip paths in that channel will be de-energized. The CSAS trip path will be partially enabled.
Trips are annunciated on the plant annunciator.
Trip actuation converts to 1-out-of-3 selective or any 2-out-of-3 trip paths.
Actuation still requires 2-out-of-3 coincidence of the appropriate bistables.
SIAS or CIAS or CSAS Remote Manual P/B Open.
Mechanical failure, deterioration of contact.
The trip path with the faulty component will be de-energized.
Trip is annunciated on plant annunciator.
The actuation circuit converts to a selected 1-out-of-3 trip paths for the function in question or any 2-out-of-3.
A 2-out-of-3 coincidence of the appropriate bistables is still required to produce an actuation.
Short.
Mechanical failure.
A trip cannot be introduced into the trip path manually.
Periodic PPS testing or when attempting to manually introduce a trip.
One of the four trip paths for the affected function cannot be tripped manually.
A manual trip can still be generated for the function in question by depressing the correct pair of remote manual pushbuttons in the three unaffected trip circuits.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 75 of 119)
Revision 309 (06/16)
Actuators, RPS-Trip, Channel A (Typical), Figure 7.2-10
CEA Drop (111)
One CEA fails to drop.
Inadvertent CEA drop.
CEA mechanical failure.
CEDM coil failure.
None - safety analyses assume most reactive CEA stuck out of core on trip. Possible change in calculated DNBR and local power density margins.
CEA position indicator.
Annunciate, CEA deviation alarm, CEA position indication, dropped CEA indicator.
Reduced operating margins.
Inadvertent drop of four symmetric CEA's.
CEDMCS logic element failure.
Possible change in calculated DNBR and local power density margins.
CEA position indication, dropped CEA indicator.
Reduced operating margins.
(LBDCR 14-021, R309)
Open CEDM Power Supply (108)
No single failure modes.
One CEDM MG set, trip circuit breaker, or trip path actuates or fails to actuate.
A single failure of MG set or TCB will not initiate or prevent a reactor trip during routine operation.
Plant annunciation and status indicator lights for circuit breakers and phase current.
Redundant MG set, and trip paths.
None.
May initiate reactor trip, turbine trips or block steam bypass (if Tave is low). If single failure occurs during testing. [*]
(LBDCR 14-021, R309)
CEDM Bus Under Voltage (107)
Off Shorted or opened UV relay coil.
Reduces turbine trip to 1/3 logic and steam bypass block to 1/3 logic.
Annunciated indicator lights.
Logic converts to 1-out-of-3 coincidence.
On Mechanically jammed relay.
Turbine trip and steam bypass block becomes 2/3 logic.
Not annunciated.
Periodic testing.
Logic converts to 2-out-of-3 coincidence.
Off Shorted or opened UV relay coil while testing another UV relay.
Initiates turbine trip and steam bypass block.
Plant reactor trip annunciator and UV indicator lights.
Steam bypass blocked only if Tave is low.
(LBDCR 14-021, R309)
[*] CLARIFYING REMARK: Related entry (i.e. #108) governing context is single failure directly related to CEDM power opening (or low output) based on supporting the safety function of removing-power/dropping-CEAs/tripping. Beyond said governing context, it is acknowledged that OE has evidenced single failure vulnerability (but with trip result noted as already bounded in FMEA Table) for initiating trip from MG high output scenarios which can unload unaffected MG with it tripping on low output along with affected MG subsequently failing on high output resulting in simultaneous loss of both MGs and inadvertent/initiated trip (noting no single failure vulnerability relative to supporting the safety function).
(LBDCR 14-021, R309)
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 76 of 119)
Actuators, RPS-Trip, Channel A (Typical), Figure 7.2-10 (cont.)
Manual Trip (105)
No trip output.
Mechanically jammed switch.
Failure to open associated reactor trip circuit breakers (TCBs) when actuated.
Not annunciated.
Periodic testing.
None.
Redundant pair of manual trip PBs available.
Trip output.
Wiring open or shorted.
Opening of associated TCBs, changes selective 2-out-of-4 to selective 1-out-of-3 logic.
Annunciated. Breaker indication lights and phase current monitors.
Logic converts to 1-out-of-3 selective.
Actuators, RPS-Trip, (Path No. 1-Typical), Figure 7.2-7 Actuation Relay (K1-K4)
Coil open.
Broken wire, sustained overvoltage.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitors.
Trip path no. 2.
Logic for RPS trip converts to 1-out-of-3 selective or any 2-out-of-3.
Trip path no. 3 and 4 unaffected, and redundant.
Coil short.
Deterioration of insulation.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitor.
Trip path no. 2.
Logic for RPS trip converts to 1-out-of-3 selective or any 2-out-of-3.
Trip path no. 3 and 4 unaffected, and redundant.
Output contact to under-voltage trip coil open.
Broken wire, contact failure.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitors.
Trip path no. 2.
Logic for RPS trip converts to 1-out-of-3 selected or any 2-out-of-3.
Trip path no. 3 and 4 unaffected, and redundant.
Output contacts to shunt trip coils closed.
Contact failure, shorted contact.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitors.
Trip path no. 2.
Logic for RPS trip converts to 1-out-of-3 selective or any 2-out-of-3.
Trip path no. 3 and 4 unaffected, and redundant.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 77 of 119)
Actuators, RPS-Trip (Path No. 1-Typical), Figure 7.2-7 (cont.)
Actuation Relay (K1-K4) (cont.)
Output contacts to under-voltage trip coil closed.
Shorted contact, contact failure.
Failure to initiate RPS channel trip when required.
Periodic testing.
Redundant channel trip path to shunt trip coil.
Logic for RPS Trip converts to 2-out-of-3 selective.
Any valid trip condition will de-energize all three remaining trip paths.
Output contacts to shunt trip coils open.
Contact failure, broken wire.
Failure to initiate RPS channel trip when required.
Periodic testing.
Redundant channel trip path to undervoltage trip coil.
Logic for RPS Trip converts to 2-out-of-3 selective.
Manual Trip (1.2)
Contact to undervoltage trip coil opens.
Contact failure, broken wire.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitors.
Logic for RPS Trip converts to 1-out-of-3 selective or any 2-out-of-3.
Contacts to shunt trip coils closed.
Contact failure, shorted contact.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitors.
Logic for RPS Trip converts to 1-out-of-3 selective.
Contacts to under-voltage trip coil closed.
Contact failure, shorted contact.
Failure to initiate manual channel trip when required.
Periodic testing.
Automatic RPS trip, manual trip for shunt trip coil.
None.
Contacts to shunt trip coils open.
Contact failure, broken wire.
Failure to initiate manual RPS channel trip when required.
Periodic testing.
Automatic RPS trip, manual trip for undervoltage trip coil.
None.
Undervoltage trip coil.
Coil open.
Broken wire, sustained overvoltage.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitors.
None.
Logic for RPS converts to 1-out-of-3 selective or any 2-out-of-3.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 78 of 119)
Actuators, RPS-Trip (Path No. 1-Typical), Figure 7.2-7 (cont.)
Undervoltage trip coil (cont.)
Coil short.
Deterioration of insulation.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitors.
None.
Shunt Trip Coil Coil open.
Broken wire, sustained overvoltage.
Local shunt coil trips.
Periodic testing.
Undervoltage trip coil.
Logic for RPS converts to 1-out-of-3 selective or any 2-out-of-3.
Coil shorts.
Deterioration of insulation.
Shorted coil will cause breakers supplying 125V-dc to trip, in turn causing under-voltage trip coil to lose voltage.
Annunciated. Breaker indication lights and phase current monitors.
Logic for RPS converts to 1-out-of-3 selective or any 2-out-of-3.
125 VDC Bus (1-4)
Low Open, short, blow fuse.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitors.
None.
Logic for RPS trip converts to 1-out-of-3 selective or any 2-out-of-3.
480V. 3-Phase Bus (1,2)
Low Open, short, open input breaker.
MG from unaffected bus has an increase in load.
Annunciated. Breaker indication lights, MG set voltage and current.
None.
None.
There are two MG sets for plant availability and they will have no effect on the RPS trip system.
MG (1,2)
MCB (1,2)
M (1,2)
Output Low Motor or generator failure, breaker failure.
Increased load on the unaffected MG.
Annunciated. Breaker indication lights, MG set voltage and current.
None.
Shorted output lines.
Increased load on the unaffected MG.
Annunciated. Breaker indication lights, MG set voltage and current.
None.
Possible reactor shutdown if the short results in a loss of both MG sets.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 79 of 119)
Actuators, RPS-Trip (Path No. 1-Typical), Figure 7.2-7 (cont.)
TCB (1-8)
Main Breaker contacts Closed.
Mechanical short.
Failure to initiate RPS channel trip when required.
Periodic testing.
Redundant trip paths.
Logic for RPS trip converts to 2-out-of-3 selective.
Open.
Mechanical short, broken wire.
Unwarranted channel trip.
Annunciated. Breaker indication lights and phase current monitors.
Logic for RPS trip converts to 1-out-of-3 selective or any 2-out-of-3.
Bus Tie TCB-9 Closed.
Mechanical short.
None.
Annunciated. Breaker indication lights.
None.
Open.
Mechanical short, broken wire.
None.
Periodic testing.
None.
CEDM Power Supply Undervoltage Relays Open.
Shorted under-voltage relay or (open coil or contact).
Unwarranted channel trip for turbine trip and steam bypass block.
Annunciated. Indicating lights.
Logic for turbine trip and steam bypass block is 1-out-of-3 selective.
Closed.
Mechanically failed.
Failure to initiate channel trip for turbine trip and steam bypass block when required.
Periodic testing.
Redundant channel trip.
Logic for turbine trip and steam bypass block is 2-out-of-3 coincidence.
Current Monitoring Low Open or shorted sensor.
None.
Indicating light.
None.
None.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 80 of 119)
Actuators, RPS-Trip Channel A (Typical), Figure 7.2-10
Turbine Controls (109)
Not part of the plant protection system.
RPS Steam Bypass System (110)
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 81 of 119)
Actuators, Core Protection Calculator, Channel A (Typical), Figure 7.2-10
CEA Deviation Alarm (112)
Off Shorted input.
Failure to annunciate when required.
Not annunciating.
Periodic test.
Redundant channel.
Operator will be unaware of CEA deviation alarm failure until test.
On Open input.
Unwarranted annunciation.
Audible and visual PPS alarm in control room.
Nuisance alarm.
Operator must check system to determine if bona fide trip exists or if there is a failure in the alarm circuit.
Actuators, Plant Computer, Figure 7.2-10 Plant Computer (117)
Off Loss of CPU.
Loss of ac power.
No effect to PPS. All input/output data transmission is isolated. No credible failure can prevent the PPS from performing its intended function.
Annunciating. Plant annunciator.
None.
Actuators, Alarm, Channel A (Typical), Figure 7.2-10 Trip Alarm (114)
On Component failure.
Annunciating horn is activated and alarm lights are lit.
Annunciating. Audible, visual.
Nuisance alarm.
Operator must check system to determine if alarm is valid.
Pre-Trip Alarm (115)
Off Component failure.
Alarm does not occur for bona fide condition.
Not annunciating.
Periodic test.
Redundant lights. Process instrumentation alarm.
No alarm for ESF or RPS actuation.
Operator will become aware of problem if it should exist by other plant conditions and meter indications.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 82 of 119)
Actuators, RAS, Channel A (Typical), Figure 7.2-10
RAS (5)
Initiation Relay Short (Fail ON)
Relay failure, electrical short.
Unable to initiate RAS channel trip when required.
Not annunciating.
Indication lights.
Periodic testing.
Two relays must fail to prevent a RAS channel trip.
Logic for RAS converted to 2-out-of-3 selective.
Two solid state relays per trip path. A single relay failing short does not prevent required actuation.
Open (Fail OFF)
Relay failure, loss of relay driver.
Unwarranted RAS channel trip.
Plant annunciation.
Indication lights.
Periodic testing.
RAS actuation logic is 2-out-of-3 selective.
Logic for RAS converted to 1-out-of-3 selective.
Single relay failing open does not trip either A or B train. It only trips one of the 4-channels to a train.
Actuators, MSIS, Channel A (Typical), Figure 7.2-10 MSIS (37)
Initiation Relay Short (Fail ON)
Relay failure, electrical short.
Unable to initiate MSIS channel trip, when required.
Not annunciating.
Indication lights.
Periodic testing.
Two relays must fail to prevent a MSIS channel trip.
Logic for MSIS converted to 2-out-of-3 selective.
Two solid state relays per trip path. A single relay failure short does not prevent required actuation.
Open (Fail OFF)
Relay failure, loss of relay driver.
Unwarranted MSIS channel trip.
Plant annunciation.
Indication lights.
Periodic testing.
MSIS actuation logic is 2-out-of-4 selective.
Logic for MSIS converted to 1-out-of-3 selective.
A single relay failing open does not trip either A or B train. It only trips one of the 4-channels to a train.
Actuators, MSIS Manual, Channel A (Typical), Figure 7.2-10 Remote Manual ESF (56)
Open Dirty switch contacts, broken wire.
Unwarranted channel trip of MSIS.
Annunciated. Indication lights.
Logic for MSIS converted to 1-out-of-3 selective.
One manual switch per trip path.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 83 of 119)
Actuators, MSIS Manual, Channel A (Typical), Figure 7.2-10 (cont.)
Remote Manual ESF (56) (cont.)
Short Switch failure.
Failure to manually initiate MSIS channel trip when required.
Not annunciated.
Periodic testing.
Select other manual trip switch pair. Automatic MSIS when required.
Logic for MSIS converted to 2-out-of-3 selective manual.
Selective 2-out-of-4 to actuate.
Actuators, CSAS, Channel A (Typical), Figure 7.2-10 CSAS Initiation Relay (12)
Short (one fail ON)
Relay failure(s), electrical short.
Failure to initiate CSAS channel trip, when required.
Not annunciated.
Indication lights.
Periodic testing.
Two relays must fail to prevent a CSAS channel trip.
Logic for CSAS converted to 2-out-of-3 selective.
Two solid state relays per trip path. A single relay failing short does not prevent required actuation.
Open (one fail OFF)
Relay failure(s), loss of relay driver.
Unwarranted CSAS channel trip.
Plant annunciation.
Indication lights. Periodic testing.
CSAS actuation logic is 2-out-of-4 selective.
Logic for CSAS converted to 1-out-of-3 selective.
A single relay failing open does not trip either A or B train. It only trips one of the 4-channels to a train.
Actuators, CSAS-Manual, Channel A (Typical), Figure 7.2-10 Remote Manual ESF (38)
Open Dirty switch contacts, broken wire.
Unwarranted channel trip of CSAS.
Annunciated. Indication lights.
Logic for CSAS converted to 1-out-of-3 selective.
One manual switch per trip path.
Short Switch failure.
Failure to manually initiate CSAS channel trip when required.
Not annunciated. Periodic testing.
Select other manual trip switch pair. Automatic initiation when required.
Logic for CSAS converted to 2-out-of-3 selective for manual.
Selective 2-out-of-3 to actuate.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 84 of 119)
Actuators, SIAS, Channel A (Typical), Figure 7.2-10
SIAS Initiation Relay (22)
Short (one fails ON)
Relay failure, electrical short.
Failure to initiate SIAS channel trip.
Not annunciated.
Indication lights.
Periodic testing.
Two relays must fail to prevent a SIAS channel trip.
Logic for SIAS converted to 2-out-of-3 selective.
Two solid state relays per trip path. A single relay failing short does not prevent required actuation.
Open (one fails OFF)
Relay failure, loss of relay driver.
Unwarranted SIAS channel trip.
Plant annunciation.
Indication lights. Periodic testing.
SIAS actuation logic is 2-out-of-4 selective.
Logic for SIAS converted to 1-out-of-3 selective.
A single relay failing does not trip either A or B train. It only trips one of the 4-channels to a train.
Actuators, SIAS Manual, Channel A (Typical), Figure 7.2-10
Remote Manual ESF (23)
Open.
Dirty switch contacts, broken wire.
Unwarranted channel trip of SIAS.
Annunciated. Indication lights.
Logic for SIAS converted to 1-out-of-3 selective.
One manual switch per trip path.
Short.
Switch failure.
Failure to manually initiate SIAS channel trip when required.
Not annunciated.
Periodic testing.
Select other manual trip switch pair. Automatic initiation when required.
Logic for SIAS converted to 2-out-of-3 selective.
Selective 2-out-of-4 to actuate.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 85 of 119)
INTENTIONALLY DELETED
Actuators, CIAS, Channel A (Typical), Figure 7.2-10
CIAS Initiation Relay (17)
Short.
Relay failure(s).
Failure to initiate CIAS channel trip, when required.
Annunciated. Indication lights. Periodic testing.
Two relays must fail to prevent a CIAS channel trip. CIAS actuation logic is 2-out-of-4 selective.
Logic for CIAS converted to 2-out-of-3 selective.
Two solid state relays per trip path. A single relay failing short does not prevent required actuation.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 86 of 119)
Actuators, CIAS, Channel A (Typical), Figure 7.2-10 (cont.)
CIAS Initiation Relay (17) (cont.)
Open.
Relay failure(s).
Loss of relay driver.
Unwarranted CIAS channel trip.
Plant annunciation.
Indication lights.
Periodic testing.
Logic for CIAS converted to 1-out-of-3 selective.
A single relay failing open does not trip either A or B train. It only trips one of the 4-channels to a train.
Actuators, CIAS, Channel A (Typical), Figure 7.2-10 (cont.)
EFAS-2 Initiation Relay (132)
EFAS-1 Initiation Relay (133)
Short (one fails ON)
Relay failures, electrical short.
Failure to initiate EFAS channel trip when required.
Not annunciating.
Periodic testing.
Two relays must fail to prevent an EFAS channel trip.
Logic for EFAS becomes 2-out-of-3 selective.
Two solid state relays per trip path. A single relay failing short does not prevent required actuation.
Open (one fails OFF)
Relay failures, loss of relay driver.
Unwarranted EFAS channel trip.
Plant annunciation.
Indication lights.
Periodic testing.
Actuation logic is 2-out-of-4 selective.
Logic for EFAS is converted to 1-out-of-3 selective.
A single solid state relay failing open does not trip either A or B train. It only trips one of 4 inputs to the 2-out-of-4 selective logic for each train.
Remote Manual ESF (79)
Open.
Dirty switch contacts, broken wire.
Unwarranted channel trip of EFAS.
Annunciated. Indication lights.
4-channel redundancy.
Logic for EFAS is converted to 1-out-of-3 selective.
One manual switch per trip path.
Remote Manual EFS (81)
Short.
Switch failure.
Failure to manually initiate EFAS channel trip when required.
Not annunciated, periodic testing.
Select other manual trip switch pair.
Logic for EFAS is converted to 2-out-of-3 selective for remote manual.
Selective 2-out-of-4 to actuate.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 87 of 119)
Actuators, CIAS-Manual, Channel A (Typical), Figure 7.2-10
Remote Manual ESF (78)
Open.
Dirty switch contacts, broken wire.
Unwarranted channel trip of CIAS.
Annunciated. Indication lights.
Logic for CIAS converted to 1-out-of-3 selective.
One manual switch per trip path.
Short.
Switch failure.
Failure to manually initiate CIAS channel trip when required.
Not annunciated.
Periodic testing.
Automatic CIAS actuation available.
Logic for CIAS converted to 2-out-of-3 selective.
Selective 2-out-of-4 to actuate.
Actuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17
SSR-1 (SSR-2) for SIAS and CIAS
Output open.
Overload, broken wires, voltage transient.
Unwarranted channel trip.
Channel trip is annunciated.
Actuation circuit converts to 1-out-of-3 selective.
A 2-out-of-3 coincidence of the appropriate bistables is still required to obtain an actuation.
Output short.
Voltage transient overload.
Failure to initiate a channel trip when required.
Periodic testing.
Redundant channels.
Actuation circuit converts to 2-out-of-3 selective.
The redundant actuation circuit is unaffected by the fault and will respond properly.
Input open.
Voltage transient, broken wire.
Unwarranted channel trip.
Channel trip is annunciated.
Actuation circuit converts to 1-out-of-3 selective.
A 2-out-of-3 coincidence of the appropriate bistables is still required to obtain an actuation.
Input shorted.
Voltage transient.
Results in a blown fuse in the trip path and an unwarranted channel trip in both actuator logic circuits for SIAS and CCAS.
Channel trip is annunciated.
Actuation circuit converts to 1-out-of-3 selective.
A 2-out-of-3 coincidence of the appropriate bistables is still required to obtain an actuation.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 88 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Actuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 (cont.)
SSR-1A (SSR-2A) for CIAS, RAS,
Overload, broken wire, voltage transient.
Unwarranted channel trip.
Channel trip is annunciated.
Actuation circuit converts to 1-out-of-3 selective.
A 2-out-of-3 coincidence of the appropriate bistables is still required to obtain an actuation.
Output shorted.
Voltage transient overload.
Failure to initiate a channel trip.
Periodic testing.
Redundant channels.
Actuation circuit converts to 2-out-of-3 selective.
The redundant actuation circuit is unaffected by the fault and will respond properly.
Input open.
Voltage transient, broken wire.
Unwarranted channel trip.
Channel trip is annunciated.
Actuation circuit converts to 1-out-of-3 selective.
A 2-out-of-3 coincidence of the appropriate bistables is still required to obtain an actuation.
Input shorted.
Voltage transient.
Results in a blown fuse in the trip path and an unwarranted channel trip in both trains of actuator logic circuits.
Channel trip is annunciated.
Actuation circuit converts to 1-out-of-3 selective.
A 2-out-of-3 coincidence of the appropriate bistables is still required to obtain an actuation.
120V-ac Vital Bus Low Breaker open.
Loss of power supply output.
Annunciation.
Redundant power supply.
One channel of power supply is left for either the valve or pump actuation relays.
Power Supply Low Power supply failure. Shorted annunciator relay.
Loss of power supply output.
Annunciation.
Redundant power supply.
One channel of power supply is left for either the valve or pump actuation relays.
P/A Annunciation Relays Open coil.
Sustained overvoltage, broken wire.
Erroneous annunciation of power supply failure.
Annunciation.
Redundant power supply.
None.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 89 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Actuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 and 7.2-18 P/S Annunciation relays (cont)
Shorted coil Deterioration of insulation Loss of power supply output.
Annunciation.
Redundant power supply.
One channel of power supply is left for either the valve or pump actuation relays.
Output open Deterioration of contact, broken wire Erroneous annunciation of power supply failure.
Annunciation.
Redundant power supply.
None Output shorted Welded contact Failure to annunciate power supply failure when required.
Periodic testing.
None Power Supply Auctioneering diode Open Voltage transient overload Loss of power supply output.
Periodic testing.
Redundant power supply.
One channel of power supply is left for either the valve or pump actuation relays.
Shorted Voltage transient overload Loss of isolation between redundant power supplies.
Periodic testing.
None Reset switch Open Broken wire, mechanical failure, deterioration of contact Failure to reset actuation relays when required.
Periodic testing.
Redundant reset switch None Manual trip Open Deterioration of contact, broken wire Unwarranted channel trip.
Annunciation. Indicating light.
Actuation circuit converts to 1-out-of-3 selective.
Closed Welded contact, mechanical failure Failure to initiate a channel trip when required.
Periodic testing.
Redundant trip path.
Actuation circuit cannot be tripped manually.
Automatic actuation remains 2-out-of-3 selective.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 90 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Actuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 and 7.2-18 (cont.)
Lockout relay Open coil Broken wire, sustained overvoltage Unwarranted channel trip.
Annunciation. Indicating light.
Actuation circuit converts to 1-out-of-3 selective.
If failure is result of a short across coil, the excess current will result in dc path circuit breaker open.
Contact open Deterioration of contact broken wire Unwarranted channel trip.
Annunciation. Indicating light.
Actuation circuit converts to 1-out-of-3 selective.
Contact short Welded contact Failure to lockout a channel trip when required.
Periodic testing.
None The actuation relays would become energized without being reset when the SSRs are energized.
Annunciation diodes Open Voltage transient overload Unwarranted channel trip.
Annunciation.
Actuation circuit converts to 1-out-of-3 selective.
Short Voltage transient overload Unwarranted annunciation of channel trip.
Annunciation.
None.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 91 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Actuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 and 7.2-18 (cont)
Circuit Breaker in dc Path Short Welded contact, mechanical failure No dc overload protection Bench test.
None Open Deterioration of contact, mechanical failure.
Unwarranted channel trip of actuation relays for all valves or for all pumps.
Annunciation, indicating lights.
Complete Train not actuated.
Actuation circuit converts to 1-out-of-3 selective. Also, the affected valves or pumps will actuate.
Only the valves or the pumps, but not both, in one Train of a Safety System will be actuated.
In the case of valve actuation, Safety System protected by check valves. In case of pump actuation Safety System protected by valves, and pumps protected by Recirc. Lines.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 92 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Actuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 and 7.2-18 (cont)
Test relays Coil, open short Coil failure broken wire, short across Failure to test the affected actuation relay when required.
Periodic testing.
None Contact open Contact failure, broken wire Unwarranted trip of the affected actuation relay.
Indicating lights.
Complete train will not actuate Contact shorted Contact failure short Failure to test the affected actuation relay when required.
Periodic testing.
None Actuation relay Coil open Broken wire, sustained overvoltage Unwarranted trip of a group of actuation devices.
Indicating lights.
All pumps or valves for the affected train will not actuate If failure was result of a short, the excess current will result in an occurrence similar to the circuit breaker in dc path open Shorted coil Contact open Deterioration of insulation Contact failure, broken wire Will cause circuit breaker supplying power to the actuation relays associated with either the valves or pumps to be tripped.
Unwarranted trip of a group of actuation devices.
Annunciation. Indicating lights.
Indicating lights.
All of the valves or pumps for the function will be actuated. Circuit for the pumps or valves converts to selective 1-out-of-3.
Actuation devices assigned of affected group will actuate.
Only the valves or the pumps, but not both, in one Train of a Safety System will be actuated.
In the case of valve actuation Safety System protected by check valves. In the case of pump actuation Safety System protected by valves, and pumps protected by Recirc. Lines.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 93 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Actuators, ESF Selective 2-out-of-4 (Typical), Figure 7.2-17 and 7.2-18 (cont)
Actuation relays (cont)
Contact short Contact failure short Failure of group of actuation devices from actuating when required.
Indicating lights.
One group of valves or pumps in one train will not actuate.
There are two trains for each function. The equivalent train will perform normally Diode Across Actuation relay or lockout relay Open Short Broken wire, diode failure Diode failure short Excess arcing of contacts in series path.
Results in opening of circuit breaker in dc path and the valve or pump actuating relays becoming de-energized.
Excess wear of contacts Annunciation. Indicating lights.
Full Train not activated None Full actuation converts to 1-out-of-3 selective.
Valve or pump group is actuated.
Only the valves or the pumps, but not both, in one Train of a Safety System will be actuated.
In the case of valve actuation Safety System protected by check valves. In the case of pump actuation Safety System protected by Recirc. Lines.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 94 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Actuators, CEA Withdrawal Prohibit (CWP) Channel A (Typical), Figure 7.2-10 CWP (119)
Off Shorted control leads to CEA control system Failure to prohibit CEA motion when required.
Periodic tests.
None RPS trip is back-up.
On Open control leads to CEA control system Unwarranted CWP.
CWP annunciation without having input parameters annunciating, inability to move CEAs out.
None RPS trip is back-up.
Actuators, Power Recorder, Channel A (Typical), Figure 7.2-10 Power Recorder (118)
High Component failure High recorder trace, EX-CORE VS calibrated power deviation alarm Deviation alarm.
4-redundant channels None All output data from PPS buffered.
Low Component failure Low recorder trace, EX-CORE VS calibrated power deviation alarm.
Deviation alarm.
4-redundant channels None DC Power Distribution, PPS Cabinet, Bistable Annunciator Power Supply, Figure 7.2-19 Channel Bistable Annunciator Power supply (PS-N)
No output Open fuse to power supply Pre-trip, trip and bypass indicator on PPS bistable trip panel and remote status panel will fail to indicate condition of bistable for that channel.
Periodic PPS testing.
None
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 95 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, PPS Cabinet, Bistable Annunciator Power Supply, Figure 7.2-19 (cont)
Channel Bistable Annunciator Power Supply (PS-N) (cont)
Low output voltage Failure internal to supply Symptoms will depend upon the severity of the undervoltage. The system may operate normally or may exhibit the same symptoms as for no output.
If the undervoltage is severe enough to generate the same symptoms as when no output is available, the failure will be detected during Periodic PPS testing.
None High output voltage Failure internal to supply Symptoms will depend upon the severity of the overvoltage. The system may operate normally or component failures may be induced that result in an erroneous display.
If errors are induced in the display, the problem will be uncovered by the Periodic PPS tests.
DC Power Distribution, PPS Cabinet Bistable Bypass Circuit Power Supplies, Figure 7.2-19 P. S. L. or P. S. M.
No output Open fuse to Power supply, failure internal to supply No operational symptoms.
Periodic PPS tests Two power supplies one in the channel and one in an adjacent channel are auctioneered, either one of them is capable of supplying the entire load.
Thus loss of a single supply does not affect the system.
None Bypass circuit in the affected channel is dependent upon the continued operation of the remaining supply.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 96 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, PPS Cabinet Bistable Bypass Circuit Power Supplies, Figure 7.2-19 (cont)
P. S. L. or P. S. M. (cont)
Low output voltage Failure internal to supply No operational symptoms.
Depending upon the severity of the undervoltage, the problem may or may not be detected during Periodic PPS testing.
High output voltage Failure internal to supply Symptoms will depend upon the ability of the components to tolerate the overvoltage. Two possibilities exist:
- a. Overvoltage causes individual components to open, making it impossible to bypass the function.
- b. Overvoltage causes individual component to fail short. The result of a shorted component is to reduce the supply voltage to essentially zero. The symptom of no supply voltage is inability to bypass the bistables in the affected channel.
Periodic PPS testing or when attempting to bypass the affected function.
Periodic PPS testing.
Unable to bypass the affected functions in the particular channel.
Bistables in affected channel cannot be bypassed.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 97 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, PPS Cabinet Bistable bypass circuit power supplies, Figure 7.2-19 P. S. J.
No output Open fuse to power supply Failure internal to supply The CEA withdrawal prohibit matrix is partially enabled.
It will not be possible to generate any of the following bypasses in the affected channel.
- a. Low pressurizer pressure trip bypass
- b. Loss of load trip bypass
- c. HI LOG POWER logic trip bypass.
The DNBR and high tripped.
Power supply failure annunciated on plant annunciator. The CWP indicator on the PPS calibration and test panel will be off.
Power supply failure annunciated on plant annunciator. The CWP indicator on the PPS calibration and test panel will be off.
The CEA withdrawal prohibit signal converts to a 1-out-of-2.
If a condition exists such that a bypass is required for any of the functions listed, the bypass cannot be obtained.
The bypass circuits in the other three channels are unaffected.
It will be possible to bypass the function(s) in the other three channels, thus inhibiting any trip action for the function(s) in question.
Low output voltage Failure internal to supply Symptoms will depend upon the severity of the undervoltage. The system may exhibit no symptom or may show one or more of the symptoms listed for no output.
Power supply failure annunciated on plant annunciator. The CWP indicator on the PPS calibration and test panel will be off.
If a condition exists such that a bypass is required for any of the functions listed, the bypass cannot be obtained.
If a system exhibits any symptoms, the problems should be uncovered during PPS testing.
High output voltage Failure internal to supply Symptoms will depend upon how well the components can tolerate the overvoltage. Should the overvoltage cause components to fail, the failures will be such that it will be difficult to generate a bypass in the affected circuit.
Periodic PPS testing.
All functions may not be affected; however, those that are affected will have the effects listed above.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 98 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, PPS Cabinet, Trip Path Power Supplies, Figure 7.2-19 P. S. K.
No output Open fuse to power supply, failure internal to supply The trip paths for all ESF functions and the RPS trip path will all be de-energized in the affected channel.
This will open one side of all the selective 2-out-of-4 actuation circuits, and one side of the RPS actuation circuit.
De-energized trip paths are annunciated on the plant annunciator.
The actuation circuits for all ESF will have one of their two paths de-energized, and the RPS will have one of its two paths de-energized.
A 2-out-of-3 coincidence is still required to produce an actuation.
Low output voltage Failure internal to supply Symptoms will depend upon the severity of the undervoltage. The system may exhibit no symptoms or may show symptoms exactly the same as those for no output. The undervoltage could also be such that some trip paths are de-energized while others remain energized.
If any trip paths are de-energized the trips will be annunciated on the plant annunciator.
If the system is operating properly with low voltage in the untripped condition, a trip condition will cause a trip. This is so because the trip circuits are designed such that a trip condition causes removal of voltage from the relay coils.
One side of some of the actuation circuits may be open.
If any actuation circuits have one half of their actuation circuits open, a coincidence of any two of the three channels is still required to generate an actuation.
High output voltage Failure internal to supply Symptoms will depend on the severity of the overvoltage and the ability of the affected circuits to tolerate the overvoltage.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 99 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, PPS Cabinet, Trip Path Power Supplies, Figure 7.2-19 (cont)
P. S. K.
(cont)
The effect of an overvoltage might be:
- a. No symptoms
- b. Cause some of the solid state relays in the trip circuits to fail to open.
Not detectable until abnormal operation is obtained.
(See ESF Trip Circuits)
None Only one of the four trip channels can be affected Failure of the input side of the solid state relay can only result in the opening of the output side.
An open on the output is a trip condition.
DC Power Distribution, PPS Cabinet, ESF 2-out-of-4 Coincidence Logic Power Supplies, Fig. 7.2-19 P. S. F.
or P. S. G.
or P. S. H.
No output Open fuse to power supply Failure internal to supply One half of the matrix relays for all ESF functions in the affected 2-out-of-4 channels (i.e. AB, BC, etc) will be de-energized.
Power supply failure annunciated on plant annunciator. Power supply indicator will be off. Trip paths that are de-energized are annunciated on plant annunciator, PPS status panel and PPS remote modules.
The four matrix relays of each function are divided into two groups of two relays. Each group of two is powered from a separate power supply. Failure of one supply causes only one half of the trip paths to be de-energized.
Two trip paths for all ESF functions will be tripped. The actuation logic for each function will be half tripped as the trip paths affected are both in the same leg of the selective 2-out-of-4 actuation logic.
Actuation of any of the functions still requires a coincidence of any two channels.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 100 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, PPS Cabinet, ESF 2-out-of-4 Coincidence Logic Power Supplies, Fig. 7.2-19 P. S. F.
or P. S. G.
or P. S. H.
(cont)
Diode connected to the output of the supply is open One half of the matrix relays for all ESF functions in the affected 2-out-of-4 channels (i.e. AB, BC, etc) will be de-energized.
Trip paths that are de-energized are annunciated on plant annunciator, PPS status panel and PPS remote modules.
The four matrix relays of each function are divided into two groups of two relays. Each group of two is powered from a separate power supply.
Failure of one supply causes only one half of the trip paths to be de-energized.
Two trip paths for all ESF functions will be tripped. The actuation logic for each function will be half tripped as the trip paths affected are both in the same leg of the selective 2-out-of-4 actuation logic.
Actuation of any of the functions still requires a coincidence of any two channels.
Low output voltage Failure internal to supply Symptoms will depend upon the severity of the undervoltage. The symptoms may range from normal operation to the same symptoms as for no output.
If any trip paths are de-energized, the trips will be annunciated on the plant annunciator.
If the system is operating properly with low voltage in the untripped condition, a trip condition will definitely cause a trip as the circuits are designed such that a trip condition causes removal of voltage from the relay coils.
Some trip paths may be tripped as a consequence. Some of actuation circuits may be half tripped.
If any actuation circuits are half tripped, a coincidence of any two of the three channels is still required to generate an actuation.
High output voltage Failure internal to supply Symptoms will depend on the severity of the overvoltage and the ability of the affected circuits to tolerate the Not detectable until abnormal operation is obtained Only 2 of the 4 matrix relays in each logic matrix can be affected.
None
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 101 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, PPS Cabinet, ESF 2-out-of-4 Coincidence Logic Power Supplies, Fig. 7.2-19 (cont)
P. S. F.
or P. S. G.
or P. S. H.
(cont) overvoltage. Symptoms may be:
- a. Normal operation.
- b. Causes some of the drivers to fail shorted, resulting in inability to de-energize the affected matrix relay.
Periodic PPS testing.
Assuming that all parameters in one of the two unaffected channels are bypassed (i.e. channel D), the actuation logic for all ESF functions becomes 2-out-of-3 selective.
When failure is detected actuation logic for ESF functions must be converted to 1-out-of-2 by tripping all parameters in the unaffected channel that is not in bypass.
- c. Causes some of the matrix relay drivers or matrix relays to fail open.
This will cause a trip in some of the trip paths.
Plant annunciation of trip paths.
A maximum of two trip paths for each function can be activated because of the separation of the matrix relays into two groups, each powered by a separate supply.
Trip of affected trip circuits and half trip of associated actuation circuits.
A coincidence of any 2-out-of-3 channels is still required for actuation of any ESF function.
DC Power Distribution, RPS 2-out-of-4 Coincidence Logic Power Supply, Figure 7.2-19 P. S. C.
or P. S. D.
or P. S. E.
No output Open fuse to power supply Failure internal to supply One half of the matrix relays for the RP function in the affected 2-out-of-4 channels (i.e., AB, BC, etc.) will be de-energized. This will cause one of the parallel paths of the actuation circuit to be de-energized.
Power supply failure annunciated on plant annunciator.
Trip paths that are de-energized are annunciated on the plant annunciator, PPS status The four matrix relays of each logic matrix are divided into two groups of two relays. Each group of two relays is powered from a separate Two trip paths for RPS will be tripped. The RPS actuation logic will be half tripped as the trip paths affected are both in the same To obtain reactor trip a coincidence of any two channels is still required.
Another selective single failure can also cause a reactor trip.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 102 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, RPS 2-out-of-4 Coincidence Logic Power Supply, Figure 7.2-19 (cont)
P. S. C.
or P. S. D.
or P. S. E.
(cont) panel, PPS remote modules.
power supply. Failure of one supply causes only one half of the actuation circuit to be opened.
leg of the selective 2-out-of-4 actuation logic.
Diode connected to the supply is open One half of the matrix relays for the RP function in the affected 2-out-of-4 channels (i.e., AB, BC, etc.) will be de-energized. This will cause one of the parallel paths of the actuation circuit to be de-energized.
Trip paths that are de-energized are annunciated on the plant annunciator, PPS status panel, PPS remote modules.
The four matrix relays of each logic matrix are divided into two groups of two relays. Each group of two relays is powered from a separate power supply. Failure of one supply causes only one half of the actuation circuit to be opened.
Two trip paths for RPS will be tripped. The RPS actuation logic will be half tripped as the trip paths affected are both in the same leg of the selective 2-out-of-4 actuation logic.
To obtain a reactor trip a coincidence of any two channels is still required.
Low output voltage Failure internal to supply Symptoms will depend upon the severity of the undervoltage. The system may operate normally or may exhibit the same symptom described above.
If any trip paths are de-energized, it will be annunciated on the plant annunciator, PPS status panel, and PPS remote modules.
If the system is operating properly with low voltage, a trip condition will definitely cause a trip as the circuits are designed such that a trip condition causes removal of voltage from the relay coils.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 103 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, PPS 2-out-of-4 Coincidence, Logic Power Supplies, Figure 7.2-19 (cont)
P. S. C.
or P. S. D.
or P. S. E.
(cont)
High output voltage Failure internal to supply Symptom will depend upon the severity of the overvoltage and the ability of the affected circuits to tolerate the condition. The effects of an overvoltage might be:
- a. No symptoms
- b. Causes one or more of solid state relays to fail open Not detectable until abnormal operation is obtained. (See RPS Trip Circuit)
None Only 2-out-of-4 matrix relays are affected by the overvoltage. Failure of the input side of the solid state relay can only result in opening the output side of the relay. An open on the output side is a trip condition.
DC Power Distribution, PPS Cabinet, Bistable Power Supplies, Figure 7.2-19 P. S. A.
or P. S. B.
No output Open fuse to power supply Failure internal to supply No operational symptoms Annunciation on plant annunciator. Power supply indicator will be off.
Two power supplies, one in the channel and one in an adjacent channel are auctioneered, either one of them is capable of supplying the entire load.
Loss of one of the supplies does not affect the system.
None Bistables in affected channel are dependent upon the continued operation of the remaining supply
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 104 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, PPS Cabinet, Bistable Power Supplies, Figure 7.2-19 (cont)
P. S. A.
or P. S. B.
(cont)
Low output voltage.
Failure internal to supply.
No operational symptoms.
Depending upon the severity of the undervoltage, the problem may or may not be annunciated.
Two power supplies, one in the channel and one in an adjacent channel are auctioneered, either one of them is capable of supplying the entire load.
Loss of one of the supplies does not affect the system.
None Bistables in affected channel are dependent upon the continued operation of the remaining supply.
High output voltage Failure internal to supply Symptoms will depend upon how the bistables respond to the overvoltage if the bistables fail to operate.
PPS testing.
If bistables fail to operate, logic becomes 2-out-of-2 (4th channel by-passed).
When failure is detected, trip logic must be converted to 1-out-of-2 by tripping the bistables in one of the unaffected channels.
If the bistables trip Bistable trips annunciated on plant trouble annunciator.
Logic becomes any one of two for those parameters being monitored by the tripped bistables (4th channel by-passed).
DC Power Distribution, 2-out-of-4 Coincidence Logic, Figure 7.2-19 P. S. A -
P. S. B Auctioneering Diode Open.
Transient in circuit.
No operational symptoms.
PPS periodic test.
Two power sources are available for the bistables.
None.
Bistables are dependent upon continued operation of the remaining power supply.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 105 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects DC Power Distribution, 2-out-of-4 Coincidence Logic, Figure 7.2-19 (cont)
P. S. A. -
P. S. B.
Auctioneering Diode (Cont)
Short Transient in circuit No operational symptoms PPS periodic test Power supplies are current limiting hence there should be no problem if both supplies are operating normally.
None RAS Train A or B, Actuation Logic, Figure 7.2-19 RAS Actuation Logic Circuit (200)
Train A actuation logic output fails "On" (or train B)
Component failure (s); short circuits RAS train A not actuated when required. (One sump line valve remains closed, one low pressure injection safety pump remains running during RAS)
Periodic tests (RWT low level alarm, LPSI pump status light in control room)
RAS train B is fully redundant Loss of RAS train A (Recirculation done by one HPSI pump. Other pump running but no recirculating water from sump due to closed sump valve)
Train A actuation logic output fails "Off" (or train B)
Multiple component failures; multiple open circuits Unwarranted train A Actuation Individual RAS actuated component indication; meters; alarms; periodic tests.
Multiple independent component failures required.
1/2 RAS activated Requires failure in the same mode of two logic components, one valve from RWT closed, one valve between sump and SI system open.
RAS Train A or B, Actuation Relays, Figure 7.2-10 RAS Actuation Relay (201)
One fails "On", train A (or train B)
Component failure Associated RAS actuated device will not respond when required Periodic testing Redundant RAS train available (i.e., train B)
Partial loss of RAS train A
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 106 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects RAS Train A or B, Actuation Relays, Figure 7.2-10 (cont)
RAS Actuation Relay (201)
(cont)
One fails "off", train A (or train B)
Component failure Partial actuation of RAS train A. See Sheets 90, 91, 92, and 93 for failures and effects.
Individual actuated RAS component indication; meters; alarms; periodic tests.
Does not inhibit full actuation of RAS when required; Redundant train available (i.e., train B).
RAS train A partially initiated.
Actuation system is designed such that single component failure will not actuate entire train.
MSIS Train A or B, Actuation Logic, Figure 7.2-10 MSIS Actuation Logic Circuit (202)
Train A actuation logic output fails "on" (or train B)
Component failure(s); short circuit.
MSIS train A not actuated when required.
Periodic tests MSIS train B is fully redundant Loss of 1/2 MSIS train A
If called upon, MSIV will close by action of the solenoid activated by train B Train A actuation logic output fails "Off" (or train B)
Multiple component failures; multiple open circuits Unwarranted MSIS Train A actuation. Solenoid activated by train A will call for valve close.
Individual MSIS actuated component indication; meters; alarms; periodic tests.
Reactor Trip Reactor trip Requires failure in the same mode of two logic components.
MSIV will close resulting in a Reactor Trip.
MSIS Train A or B, Actuation Relays, Figure 7.2-10 MSIS Actuation Relay (203)
One fails "On" Train A (or train B)
Component failure Associated MSIS actuated solenoid will not respond when required.
Periodic testing Redundant (MSIS) available (i.e., train B)
Partial loss of MSIS train A When called for, one MSIV valve will receive a B signal, other will receive A and B signals.
One fails "Off" train A (or train B)
Component failure Unwarranted partial actuation of MSIS train A. Solenoid A of one MSIV is called to close valve.
Individual actuated MSIS component indication; meters; alarms; periodic tests; reactor trip Partial MSIS actuation.
One MSIV closes causing reactor trip.
One MSIV closed.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 107 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects CSAS Train A or B, Actuation Logic, Figure 7.2-10 CSAS actuation logic circuit (209)
Train A actuation logic output fails "on" (or train B)
Component failure(s); short circuit CSAS train A not actuated when required.
Periodic tests CSAS train B is fully redundant Loss of CSAS train A If called upon, redundant containment spray will be provided by one pump and header.
Train A actuation logic output fails "Off" (or train B)
Multiple component failures; multiple open circuits Unwarranted CSAS train A actuation (One spray pump, and one spray valve activated)
Individual CSAS actuated component indication; meters; alarms; periodic tests.
Independent failures of redundant components 1/2 CSAS activated Actuation system is designed such that single component failure will not actuate entire train. Requires failure in the same mode of two logic components.
CSAS Train A or B, Actuation Relays, Figure 7.2-10 CSAS Actuation Relay (205)
One fails "On" train failure A (or train B)
Component failure Associated CSAS actuated devices will not respond when required Periodic testing Redundant CSAS train available (i.e. train B)
Partial loss of CSAS train A Partial loss of 1/2 CSAS system, operation can start pump or open valve from manual control.
One fails "Off" train A (or train B)
Component failure Partial actuation of CSAS train A.
Affected component in CSAS controlled by actuator is called to service.
Individual actuation CSAS component indication; meters; alarms; periodic test Does not inhibit full actuation of CSAS when required; redundant train available (i.e., train B)
Partial initiation of 1/2 CSAS Actuation system is designed such that single component failure will not actuate entire train.
See Sheets 90, 91, 92, and 93 for failures and effects.
Either train A spray pump operation with valve closed, or spray valve open and pump off - not both.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 108 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects SIAS Train A or B, Actuation Logic, Figure 7.2-10 SIAS actuation logic circuit (206)
Train A actuation logic output fails "on" (or train B)
Component failure(s), short circuit SIAS train A not actuated when required.
Periodic tests SIAS train B is fully redundant Loss of SIAS train A If called upon, redundant safety injection will be provided by LPSI, HPSI pumps and MOVs in train B Train A actuation logic output fails "Off" (or train B)
Multiple component failures; multiple open circuits Unwarranted SIAS train A actuation.
One low pressure one high pressure safety injection pump, and associated MOVs are activated.
Individual SIAS actuated components indication; meters; alarm; periodic tests Independent failures of redundant components required 1/2 SIAS is initiated Actuation system is designed such that single component failure will not actuate entire train. Requires failure in the same mode of two logic components.
SIAS Train A or B, Actuation Relays, Figure 7.2-10 SIAS actuation relay (207)
One fails "on" train A (or train B)
Component failure Associated SIAS actuated devices will not respond when required Periodic testing Redundant SIAS train available (i.e., train B)
Partial loss of SIAS train A When called for, partial degradation of LP or HP safety injection system in train A, train B unaffected and will operate as designed One fails "Off" train A (or train B)
Component failure Unwarranted partial actuation of SIAS train A. Affected components in SIAS controlled by actuator is called to service.
See Sheets 90, 91, 92 and 93 for failures and effects.
Does not inhibit full actuation of SIAS when required; Redundant train available (i.e. train B)
Partial initiation of train A of SIAS Actuation system is designed such that single component failure will not actuate entire train.
One component in LP HP safety injection system (either pump or MOV) will be activated - no SI occurs.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 109 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects INTENTIONALLY DELETED CIAS Train A or B, Actuation Logic, Figure 7.2-10 CIAS Actuation Logic circuit (208)
Train A actuation logic output fails "on" (or train B)
Component failure(s); short circuit CIAS train A not actuated when required.
Periodic tests CIAS train B is fully redundant Loss of CIAS train A
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 110 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects CIAS Train A or B, Actuation Logic, Figure 7.2-10 (cont)
CIAS Actuation Logic circuit (208) (cont)
Train A actuation logic output fails "Off" (or train B)
Multiple component failures; multiple open circuits Unwarranted CIAS train A actuation Individual CIAS actuated component indication; meters; alarms; periodic tests Independent failures of redundant components 1/2 CIAS is initiated Actuation system is designed such that single component failure will not actuate entire train. Requires failure in the same mode of two logic components.
CIAS Train A or B, Actuation Relays, Figure 7.2-10 (cont)
CIAS Actuation Relay (209)
One fails "On" train A (or train B)
Component failure Associated CIAS actuated devices will not respond when required.
Periodic testing Redundant CIAS train available (i.e., train B)
Partial loss of CIAS train A One fails "Off" train A (or train B)
Component failure Unwarranted partial actuation of CIAS train A. Affected component in CIAS controlled by actuator is called to service. See Sht. 90, 91, 92 and 93 for failures and effects.
Individual actuated CIAS component indication; meters, alarms; periodic tests Does not inhibit full actuation of CIAS when required; redundant train available (i.e., train B)
Partial initiation of train A of CIAS Actuation system is designed such that single component failure will not actuate entire trains.
EFAS-1 or 2, Actuation Logic Auxiliary Relay, Figure 7.2-10 ESFAS-1 Actuation Logic Auxiliary Relay (211) or EFAS-2 Actuation Logic Auxiliary Relay (210)
One fails "On" (i.e., channel A)
Component failure short circuit Failure to initiate EFAS channel trip and failure to open associated SG emergency feed valve when required.
Periodic testing ESFAS actuation logic is 2-out-of-4 selective; EFAS SG emergency feed flow paths are 2-out-of-4 selective ESFAS actuation logic and emergency SG feed flow paths converted to 2-out-of-3 selective Effect is identical to failure of associated EFAS initiation relay
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 111 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects EFAS-1 or 2, Actuation Logic Auxiliary Relays, Figure 7.2-10 EFAS-1 Actuation Logic Auxiliary Relay (211) or EFAS-2 Actuation Logic Auxiliary Relay (210)
(cont)
One fails "off" Component failure; open circuit; short circuit Unwarranted EFAS channel trip signal is generated and associated SG emergency feed valve opens EFAS actuation logic annunciation; SG emergency feed valve indication EFAS actuation logic and SG emergency feed flow paths are 2-out-of-4 selective EFAS actuation logic and emergency SG feed flow paths converted to 1-out-of-3 selective Effect is identical to failure of associated EFAS initiation relay EFAS-1 or 2, Actuation Logic, Figure 7.2-10 EFAS-1 Actuation Logic Circuit (213)
Train A actuation logic output fails "on" (or train B)
Component failure(s); short circuit EFAS train A not actuated when required Periodic tests EFAS train B is fully redundant Loss of EFAS 1, or 2 train A or EFAS-2 Actuation Logic Circuit (212)
Train A actuation logic output fails "off" (or train B)
Multiple component failures; open circuits Unwarranted partial actuation of EFAS train A. See Sht. 90, 91, 92, and 93 for Typical failures and effects Individual actuated component indication; meters; alarms; periodic tests.
Redundant train B still available Partial initiation of EFAS 1, or 2 train A.
Actuation system is designed such that single component failure will not actuate entire train; redundant emergency feed valves to each SG prevent feed on unwarranted EFAS actuation due to actuation logic failure in either train.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 112 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects EFAS-1 or 2, Actuation Logic, Figure 7.2-10 (cont)
EFAS-1 Actuation Relay (215)
One fails "on" train A (or train B)
Component failure Associated EFAS actuated devices will not respond when required.
Periodic testing Redundant train available (i.e., train B)
Partial loss of EFAS train A SG emergency feed valves are not operated from actuation relays; therefore feed can be initiated when required to either SG.
EFAS-2 Actuation Relay (219)
One fails "off" train A (or train B)
Component failure Unwarranted partial actuation of EFAS train A. See Sht. 90, 91, 92 and 93 for typical failures and effects.
Individual actuated EFAS component indication; meters; alarms; periodic tests Does not inhibit full actuation of EFAS when required; redundant train available (i.e., train B)
Partial initiation of EFAS train A Actuation system is designed such that single component failure will not actuate entire train; SG emergency feed valves are not actuated from actuation relays; therefore inadvertent feed cannot result from this failure.
Logic Matrix/Trip, Path Test Circuit, Figure 7.2-20 Test power supply High voltage output Internal failure Depends upon ability of components to sustain overvoltage Possible power supply indicator light inoperative.
Unable to test PPS effectively. PPS trips for logic under test.
No effect upon operation of PPS. Overvoltage condition may cause failure of affected bistable test coils when matrix hold pushbutton is depressed during test. Test power supply indicator light is inoperative before test sequence starts and operator will not continue testing until trouble shooting is complete.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 113 of 119)
Revision 7 (10/94)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Logic Matrix/Trip, Path Test Circuit, Figure 7.2-20 (cont)
Test power supply (cont)
Possibilities:
- a. Matrix test system channel trip select, and RPS channel trip select switch fail closed or open.
- b. Bistable test coils fail open or short
- c. Bistable test coil surge suppression diodes fail open or short Matrix hold light will remain on after test.
Drop out light will remain on for matrix relay trip test selector switch and system channel trip selector switch position.
Test power supply indicator inoperative, bistable relay indicating light will stay on after matrix test switch is released indicating a bistable trip. Matrix relay Hold and Drop-out lights will be inoperative.
Low or No output voltage Internal failure Mechanical damage Input undervoltage Input CRT breaker No test capability Test power supply and matrix relay hold indicator lights inoperative.
Unable to test PPS No effect upon operation of PPS
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 114 of 119)
Revision 7 (10/94)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Logic Matrix/Trip, Path Test Circuit, Figure 7.2-20 (cont)
Matrix Test Select Switch (e.g., AB Matrix)
Open matrix circuit contacts Mechanical failure Contact deterioration Unable to energize matrix relay test coils which inhibits matrix response when selected pair of contacts in AB logic matrix is actuated. Matrix will pass test signal as bona fide actuation signal (e.g., CSAS)
Matrix relay Hold lights do not illuminate when switch is placed in Matrix Hold position.
Surveillance test would be aborted based on lack of Hold light indication. Spurious trip would be avoided.
This failure mode is only credible during surveillance testing when the test circuits are energized.
Closed matrix relay circuit contacts Mechanical damage Welded contacts Matrix relay test coils remain energized, preventing reactor trip initiated by same matrix.
Matrix relay Hold indicator lights remain on.
AB matrix is inoperable. The other five matrices are unaffected.
Proper operation of the AB matrix can be restored by deenergizing the test circuit.
Open bistable relay circuit contacts Mechanical failure Contact deterioration Unable to energize any system channel trip select switch or RPS channel trip select switch, bistable test relay coils.
Unable to release bistable relay. No trip indicator lights.
None. Unable to conduct Matrix logic test for AB matrix.
No effect on operation of PPS.
Operator cannot test bistables, pair associated with matrix logic (e.g., AB)
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 115 of 119)
Revision 7 (10/94)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Logic Matrix/Trip, Path Test Circuit, Figure 7.2-20 (cont)
Matrix test select switch (e.g., AB Matrix) (cont)
Closed bistable relay circuit contacts Mechanical damage Welded contacts Bistable relay test coils connected to system channel trip select switch remains energized during test.
Bistable relay trip and logic trip indicator lights on.
Surveillance test would be aborted based on logic trip light being on with matrix test switch in the OFF position.
Spurious trip would only occur if the system channel trip select switch was not in OFF position.
System channel trip select switch is normally left in the OFF position.
System Channel Trip Select Switch Intermittent contact (open)
Mechanical damage Contact deterioration Unable to energize bistable relay test coils associated with system channel trip select switch No bistable test light indication Unable to test logic matrices for affected system channel trip RPS Channel Trip Select Switch Intermittent contact (open)
Mechanical damage Contact deterioration Unable to energize bistable relay test coils associated with test switch position.
No bistable test light at test switch position location.
Unable to test logic matrices for affected bistable pair.
No effect on operation of PPS.
Reactor Protection System, Logic Matrix/Trip Path Test Circuit, Figure 7.2-20 Bistable relay test coil (e.g., A1-1)
Open Overvoltage Mechanical damage Unable to energize affected bistable test coil to initiate relay trip for the particular parameter under test.
Bistable test light stays off Unable to test that portion of logic matrices completely for the parameter under test No effect on operation of PPS.
Short Mechanical damage Test power supply will be reduced to approximately zero.
Power supply indicator light inoperative Unable to test logic matrices completely.
Deterioration of insulation Bistable relay test coil cannot be energized Bistable test light stays off
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 116 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Logic Matrix/Trip, Path Test Circuit, Figure 7.2-20 Matrix relay trip select switch Intermittent contact (e.g., position 1)
Mechanical damage Contact deterioration Matrix relay test coils for the affected position (e.g., 1) remain de-energized during test period.
Matrix relay hold indicator light inoperative.
Annunciation Reactor trip could occur during bistable relay trip test.
Matrix relay test coil (e.g.,
Open Overvoltage Mechanical damage Unable to energize affected test coil to inhibit matrix relay trip Matrix relay hold indicator lights do not illuminate Unable to conduct test of trip path (e.g., 1) for affected matrix logic (e.g., AB)
No effect on operation of PPS.
Short Deterioration of insulation Mechanical damage Test power supply will be reduced to approximately zero Power supply and matrix hold indicator lights do not illuminate Unable to conduct test of trip path (e.g., 1) for affected matrix logic (e.g., AB)
No effect on operation of PPS.
Matrix relay hold indicators Open Overvoltage Mechanical Test coil state cannot be visually determined.
Visual Periodic test None No effect on operation of PPS.
Matrix relay drop-out indicators Open Overvoltage Mechanical damage Matrix relay state cannot be determined.
Visual Periodic test None No effect on operation of PPS.
Bistable Relay Trip Test Circuit, Figure 7.2-20 PPS Calibration and Test Panel Trip test pushbutton (PB-) (e.g., Channel A)
Open Mechanical damage Contact deterioration Unable to energize bistable relay trip test circuit and supply test signal to selected for test.
No bistable trip indication None No effect on operation of PPS.
May not be able to test bistables in affected channel (e.g., channel A)
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 117 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Bistable Relay Trip Test Circuit, Figure 7.2-20 (cont)
PPS Calibration and Test Panel Trip test pushbutton (PB-) (e.g., Channel A) (cont)
Closed Mechanical Welded contacts Bistable relay trip test circuit energized when test signal power supply is turned on.
Bistable in test indicator Depressing matrix hold pushbutton and/or reducing signal level below trip level.
Half logic matrix trip could occur during testing Operator will be aware of problem as soon as test power supply is turned on and before test sequence starts.
Trip Test Circuit Relay (K-1, e.g., Channel A)
Open coil Overvoltage Mechanical damage Unable to energize trip test circuit.
The contacts which connect the bistable selected for test to the test signal will not be energized.
No trip signal indication Selected bistable relays cannot be tested in affected channel (e.g., A)
No effect on operation of PPS.
Shorted coil Deterioration of insulation Mechanical damage Test power supply could be reduced to approximately zero.
Test power supply indicator light will extinguish. No signal reading on DVM.
Selected bistable relays cannot be tested in affected channel (e.g., A)
No effect on operation of PPS.
Contact open Deterioration of insulation Unable to energize trip circuit.
Bistable selected for test cannot be connected to the test signal.
No trip signal indication.
Selected bistable relays cannot be tested in affected channel (e.g., A)
No effect on operation of PPS.
Contact open Deterioration of contact Mechanical damage Unable to energize trip circuit.
Bistable selected for test cannot be connected to the test signal.
No trip signal indication Selected bistable relays cannot be tested in affected channel (e.g., A)
No effect on operation of PPS.
Contact short Welded contact Trip test circuit remains energized.
Possible signal reading on DVM.
Bistable trip indication Bistable select and meter input switch in off position.
Should test signal be inputted half logic matrix trip can occur during test only.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 118 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Channel Test Logic, Nuclear Instrument Drawer, Figure 7.2-20 NI Drawer Log Level Trip Test Switch (S2) (e.g., Channel A)
Open contacts A Mechanical damage, contact deterioration Unable to transmit test signal to next channel (e.g., B) when next channel is selected for test.
No response of next channel during test. No bistable trip indication.
Unable to test channels B, C, D nuclear drawer No effect on operation of PPS.
B Unable to test channel A when conducting channel test. Relay, AK 60, will not energize when test is run.
No response from channel under test. No bistable trip indication Unable to test channel A nuclear drawer No effect on operation of PPS.
D Unable to transmit selected test signal to log level trip circuitry.
No bistable trip indication.
Unable to test channel A nuclear drawer No effect on operation of PPS.
Closed contacts A Mechanical damage, welded contacts Unable to disconnect next channel, when channel A is under test.
Interchannel interlock during test is overridden.
Multichannel bistable trip indication Possible reactor trip during test.
Operator must deliberately depress channel A test switch coincident with other channel to initiate inadvertent trip B
Unable to discard channel A from test during test program.
Multichannel bistable trip indication Possible reactor trip during test.
NI Drawer Test Relay (AK60) (e.g., A)
Open coil Overvoltage, mechanical damage Unable to energize relay contacts which transmit test signal to log level trip circuitry when channel is under test.
No bistable trip indication Unable to test channel A nuclear drawer.
No effect on operation of PPS.
Short coil Deterioration of insulation Test power supply may reduce to approximately zero.
No bistable trip light.
Power supply test light not lit.
Unable to test channel A nuclear drawer.
No effect on operation of PPS.
Open contacts Deterioration of contact Mechanical damage Unable to transmit selected test signal to log level trip circuitry.
No bistable trip indication.
Unable to test channel A nuclear drawer.
No effect on operation of PPS.
WSES-FSAR-UNIT-3 Table 7.2-5 (Sheet 119 of 119)
PLANT PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon PPS Remarks and Other Effects Channel Test Logic, Nuclear Instrument Drawer, Figure 7.2-20 (cont)
NI Drawer Test Relay (AK60) (e.g., A) (cont)
Short contacts Deterioration of contact, welded contact Interlock feature of relay AK60 is inhibited, cannot cause multi-test condition with failure in A channel Bench test.
Design of inhibit circuit would not allow trip condition if failure occurs in A channel.
Possible to have a reactor trip during test.
Operator must deliberately actuate the channel test switches to obtain trip effect.
Log Trip level adjust (R8)
Open or intermittent Failed resistive element Operator will be unable to trim test signal level.
DVM Unable to test channel A nuclear drawer.
WSES-FSAR-UNIT-3 Table 7.2-6 (Sheet 1 of 2)
Revision 14 (12/05)
(DRN 03-2061, R14)
This Page Intentionally Left Blank
(DRN 03-2061, R14)
WSES-FSAR-UNIT-3 Table 7.2-6 (Sheet 2 of 2)
Revision 14 (12/05)
(DRN 03-2061, R14)
This Page Intentionally Left Blank
(DRN 03-2061, R14)