ML18347A885

Report Entitled Palisades Plant Reactor Protection System, Common Mode Failure Analysis
ML18347A885
Person / Time
Site: Palisades 
Issue date: 03/31/1975
From:
Consumers Power Co
To:
Office of Nuclear Reactor Regulation
References
Download: ML18347A885 (173)


Text

PALISADES PLANT REACTOR PROTECTION SYSTEM

COMMON MODE FAILURE ANALYSIS

Consumers Power Company

Docket 50-255

License DPR-20

March 1975

TABLE OF CONTENTS

1.0 INTRODUCTION

2.0 SUMMARY AND CONCLUSIONS

3.0 REACTOR PROTECTION SYSTEM DEFINITION

  3.1 Reactor Protection System - Overview
  3.2 Definition of System Boundary
  3.3 Definition of Reactor Protection System Trip Modes
    3.3.1 High Power Level - Reactor Trip
    3.3.2 High Power Rate-of-Change - Reactor Trip
    3.3.3 Low Flow, Reactor Coolant - Reactor Trip
    3.3.4 Low Water Level, Steam Generator - Reactor Trip
    3.3.5 Low Pressure, Steam Generator - Reactor Trip
    3.3.6 High Pressurizer Pressure - Reactor Trip
    3.3.7 Thermal Margin/Low Pressure - Reactor Trip
    3.3.8 Loss of Load, Turbine Trip - Reactor Trip
    3.3.9 High Containment Pressure - Reactor Trip
    3.3.10 Manual - Reactor Trip

4.0 REACTOR PROTECTION SYSTEM FAILURE ANALYSIS

  4.1 Single Failure Analysis
  4.2 Common Mode Failure Analysis
    4.2.1 Combinations of Failures
      4.2.1.1 High Power Level (RT#1)
      4.2.1.2 High Power Rate-of-Change (RT#2)
      4.2.1.3 Low Flow, Reactor Coolant (RT#3)
      4.2.1.4 Low Water Level, Steam Generator 1 (RT#4)
      4.2.1.5 Low Water Level, Steam Generator 2 (RT#5)
      4.2.1.6 Low Pressure, Steam Generator 1 (RT#6)
      4.2.1.7 Low Pressure, Steam Generator 2 (RT#7)
      4.2.1.8 High Pressurizer Pressure (RT#8)
      4.2.1.9 Thermal Margin/Low Pressure (RT#9)
      4.2.1.10 Loss of Load, Turbine Trip (RT#10)
      4.2.1.11 High Containment Pressure (RT#11)
      4.2.1.12 Manual (RT#12)
    4.2.2 CMFA During Transient
      4.2.2.1 Loss of Electrical Load
      4.2.2.2 Load Increase
      4.2.2.3 Loss of Feedwater
      4.2.2.4 Loss of Primary Load
      4.2.2.5 Loss of Normal Electrical Power
      4.2.2.6 Inactive Primary Loop Startup
      4.2.2.7 Rod Withdrawal
      4.2.2.8 Primary System Depressurization
      4.2.2.9 Boron Dilution
      4.2.2.10 Small Line Break

APPENDIX A PALISADES PLANT REACTOR PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS

APPENDIX B REFERENCES

LIST OF TABLES

4.1 Common Mode Failure Preventive Measures
4.2 FMEA Summary for RT#1
4.3 Trip Logic Matrix Input Relay Schedule
4.4 FMEA Summary for RT#2
4.5 FMEA Summary for RT#3
4.6 FMEA Summary for RT#4
4.7 FMEA Summary for RT#6
4.8 FMEA Summary for RT#8
4.9 FMEA Summary for RT#9
4.10 FMEA Summary for RT#10
4.11 FMEA Summary for RT#11
4.12 Effect of External Phenomena on the RPS

LIST OF FIGURES

2.1 Summary of ATWS Consequences and Scram Functions Available to Interrupt the Transient
3.1 Reactor Trip Logic Diagram
3.2 Reactor Protection System Functional Diagram
3.3 High Power Level Reactor Trip Logic Diagram
3.4 High Rate of Change of Power Reactor Trip Logic Diagram
3.5 Primary Coolant Low Flow Reactor Trip Logic Diagram
3.6 Steam Generator 1 Low Water Level Reactor Trip Logic Diagram
3.7 Steam Generator 2 Low Water Level Reactor Trip Logic Diagram
3.8 Steam Generator 1 Low Steam Pressure Reactor Trip Logic Diagram
3.9 Steam Generator 2 Low Steam Pressure Reactor Trip Logic Diagram
3.10 High Pressurizer Pressure Reactor Trip and Thermal Margin/Low Pressure Reactor Trip Logic Diagram
3.11 Thermal Margin/Low Pressure Reactor Trip Logic Diagram
3.12 Loss of Turbine Load Reactor Trip Logic Diagram
3.13 Containment High Pressure Reactor Trip Logic Diagram
3.14 Reactor Protection System Cabinets
3.15 Power Rate of Change Trip and Pre-Trip Interface with RPS
3.16 Zero Power Mode Bypass Logic Diagram
4.1 Automatic RPS Response for Anticipated Transients at the Palisades Plant
4.2 Typical Array of Failures Required to Inhibit RPS RT
4.3 Failure Combinations Required to Inhibit RT#2
4.4 Failure Combinations Required to Inhibit RT#10

1.0 INTRODUCTION

In September 1973, the Regulatory Staff of the United States Atomic Energy Commission issued WASH-1270, Technical Report on Anticipated Transients Without Scram for Water-Cooled Power Reactors (Reference 1). Appendix A of WASH-1270 set forth the licensing position on anticipated transients without scram (ATWS) for licensees and for construction or operating permit applicants. Three licensing positions were delineated, with the applicable position for a given plant identified in Appendix B of WASH-1270.

The Palisades Plant is in Class I.C. of the above referenced licensing position statement. Specifically, for the Palisades Plant, the applicable licensing position is:

"The need for backfitting of plant changes to mitigate the consequences of ATWS in plants for which neither the AEC construction permit-stage Safety Evaluation Report nor the Advisory Committee on Reactor Safeguards Report identify ATWS as a continuing area of review should be considered on an individual case basis."

The corresponding implementation statement presented in Section II.C of WASH-1270 is:

"1. Analysis of ATWS Consequences.

An analysis should be made of the consequences of anticipated plant transients in the event of a postulated failure to scram. The analysis should show whether

a. calculated reactor coolant system transient pressure exceeds a value such that the maximum primary stress in the system boundary is equal to that of the "emergency conditions" as defined in the ASME Nuclear Power Plant Components Code, Section III, or

b. effects of the ATWS event result in significant fuel cladding degradation or significant fuel melting, or

c. calculated containment pressure exceeds the design pressure of the containment structure.

2. Review of Reactor Shutdown System Design.

A review of the reactor shutdown system design should be made with the aim of identifying areas that it might be particularly vulnerable to common mode failures."

This report presents the results of the reactor shutdown system review for the Palisades Plant as required by Section II.C.2 of the above implementation program.

2.0 SUMMARY AND CONCLUSIONS

The Reactor Protection System (RPS) provides for automatic reactor shutdown whenever plant conditions exceed allowable operating limits. In response to Section II.C.2 of WASH-1270 (Reference 1), the Palisades Plant RPS design has been reviewed in detail to determine the system vulnerability to both single and common mode failures. Analyses were performed to determine if hypothesized single and common mode failures could inhibit any of the automatic or the manual reactor trip functions. An integrated RPS Failure Mode and Effects Analysis (FMEA) was generated to establish a baseline for evaluating the system vulnerability to both single and common mode failure. The FMEA was generated at the system level on a functional basis (i.e., signal flow level). This approach evaluates the effects of failures observable at the interfaces between RPS modules (inputs/outputs) and the effect propagated on the total system operation.

The FMEA demonstrated that no single RPS equipment failure could inhibit the actuation of any required protective reactor trip (RT) function. The two RPS anticipatory RT functions, high power rate-of-change, and loss of load-turbine trip, are both vulnerable to single failures which would inhibit the automatic RT actuation.

The high power rate-of-change RT is a precursor to the protective high power level RT function. When only one of the high power rate-of-change RPS channels is in the bypass mode, at least four individual RPS equipment failures would be required to inhibit both the anticipatory and the primary trip functions. If none of the associated RPS channels are in bypass, at least five individual failures would be required to inhibit both trips.

The loss of load, turbine trip RT is a precursor to the protective high pressurizer pressure RT function. At least four individual RPS equipment failures would be required to inhibit both the anticipatory and the primary trip functions.

The Common Mode Failure Analysis (CMFA) was developed for both individual RT modes and for the integrated RPS which incorporated all the RT modes available at the Palisades Plant. Each transient was evaluated separately, considering the trip functions which would initiate reactor trip and the trip system defenses against common mode failures of those trip functions.

Figure 2.1 presents a summary of the ATWS transients considered, their consequences, and the reactor trips which would be expected to interrupt each transient. The consequence analysis for each transient is documented in Reference 2. Because of the conservatisms incorporated into the design of the Palisades Plant, only three of the transients considered would result in a design limit being exceeded if no reactor trip occurred. These are the loss of electrical load, the loss of feed water, and the loss of normal electrical power.

The consequences of these three are such that there would be no release of fission products from the fuel, the primary system pressure would remain less than the hydrostatic test pressure limit, and the containment pressure would remain within its design limit even without reactor trip. Figure 2.1 also shows that a minimum of two trips would be actuated to terminate each transient. The single failure analysis and common mode failure analyses for these transients show that the reactor trip system incorporates recognized defenses against failures which would inhibit a trip. These defenses include functional diversity, equipment diversity, safe failure modes, and periodic inservice testing. It is concluded that there is a high degree of assurance that the system will fulfill its function and interrupt these transients, should they occur.

Of the remaining seven transients which were analyzed, none resulted in a design limit being exceeded. Nevertheless, the ATWS analysis shows that three of these - load increase, complete loss of primary flow, and rod withdrawal at full power - would be interrupted by two or more trip functions. The same defenses against common mode failures in the reactor trip system exist, providing a high degree of assurance that these transients will be interrupted by a reactor trip.

[Figure 2.1: Summary of ATWS Consequences and Scram Functions Available to Interrupt the Transient. For each anticipated transient event the figure gives the transient severity without scram and the automatic reactor trip modes available at the Palisades Plant.]

Anticipated transient events:

1. Loss of electrical load
2. Load increase
3. Complete loss of feedwater
4. Complete loss of primary flow
5. Loss of normal electrical power
6. Inactive primary loop start-up
7. Rod withdrawal at full power
8. Primary system depressurization
9. Boron dilution
10. Small line break

NOTES:

1. D designates parameter within design limits during transient.
2. N designates DNBR less than 1.3 during transient. No clad perforation.
3. T designates pressure did not exceed hydrostatic test pressure during transient.
4. E designates trip signal generated early in the transient (within first minute).
5. designates trip signal generated after 1 minute but before 10 minutes into the transient.
6. L designates trip signal generated late in the transient (after 10 minutes).
7. Low steam generator pressure closes main steam isolation valves and causes turbine trip.

Four transients - inactive primary loop startup, primary system depressurization, boron dilution, and small line break - would result in actuation of only one trip function during the transient and prior to operator action assumed in the ATWS analyses. No reactor design limits are exceeded during any of the transients noted above. Since the effects propagated by each of these transients are so mild, only a single plant operating parameter traverses outside the normal operating envelope and initiates a scram signal. Since only one trip mode is responsive to each of these mild transients, no functional diversity or equipment diversity can exist to provide protection against common mode failures.

Functional and equipment diversity is the primary defense against CMF's caused by design and manufacturing errors. No credit can be taken for equipment diversity in the RPS trip trains. The trip train is defined as all equipment between the output relays in either auxiliary trip units or bistable trip units and the reactor trip relays which remove the AC input power to the rod clutch power supplies. All components that perform an identical function in the trip train (e.g., trip unit output relays, logic matrix trip relays, M coils, ...) have similar design and/or performance specifications. Protection against CMF's due to design or manufacturing deficiencies of the above components is achieved by periodic testing which ensures that all the equipment is operational and would be responsive to valid scram signals.

In consideration of each ATWS transient and its consequences, and the existing defenses against common mode failures, it is concluded that the Palisades Plant RPS incorporates adequate defenses against common mode failures.

3.0 REACTOR PROTECTION SYSTEM DEFINITION

The reactor protection system of the Palisades Plant consists of all the sensor instrumentation, amplifiers, trip units, logic circuits, actuation circuits and other equipment as required to monitor selected nuclear steam supply system conditions, and is designed to reliably effect a rapid reactor shutdown in the event of an off-normal state of operation. The system functions to protect the reactor core. This rapid shutdown is called a reactor scram.

The reactor is protected against the following conditions which automatically effect a rapid reactor shutdown (see Figure 3.1):

1. High Reactor Power Level
2. High Rate-of-Change of Reactor Power
3. Low Reactor Coolant Flow
4. Low Steam Generator Water Level
5. Low Steam Generator Steam Pressure
6. High Reactor Coolant Pressure
7. Reactor Thermal Margin/Low Reactor Coolant Pressure
8. Loss of Turbine Load
9. High Containment Pressure

In addition, a manual actuation system is provided to allow the operator to scram the reactor.

The high power rate-of-change and the loss of turbine load scram functions are not required as primary reactor protective functions, as defined in the Palisades Plant Technical Specification (Reference 3). The high power rate-of-change RT is provided to protect the reactor against an uncontrolled control rod withdrawal while the core is at very low power levels. This is an anticipatory trip which is not required to protect the reactor since the principal reactor protection function is provided by the high power level trip (Reference 4). The loss of turbine load reactor trip is also an anticipatory trip which is not required to protect the reactor since the primary trip is high primary system pressure (Reference 5).

In general, the reactor protection system consists of four independent protective channels. Each primary safety parameter is monitored by four independent measurement channels. Each of these measurement channels provides a trip signal to a protective channel when the primary safety parameter exceeds allowable limits. A trip signal from any two-out-of-four protective channels causes a reactor scram, except for high rate-of-change of reactor power which requires a one-out-of-two measurement channel trip signal to scram the reactor, and loss of turbine load which requires a one-out-of-one measurement channel trip signal to actuate two relays, each providing a two-out-of-four protective channel trip signal to scram the reactor.

3.1 Reactor Protection System - Overview

Reactor scram in the Palisades Plant functions generally in a two-out-of-four mode. Four independent measurement channels (A, B, C, D) each monitor high reactor power level, low coolant flow, high coolant pressure, thermal margin/low coolant pressure, low steam generator water level, low steam generator pressure and high containment pressure (see Figures 3.3, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11 and 3.13). Individual channel trips occur when the measurement reaches a preselected or an automatically calculated trip setpoint.

The individual channel trips are combined in multiple two-out-of-four logic, meaning all combinations of two-out-of-four channel trips due to the same safety parameter, such as high reactor power level, can initiate a reactor scram. Each two-out-of-four coincidence logic combination provides trip signals to one-out-of-six coincidence logic matrix units (AB, AC, AD, BC, BD, CD), each of which trips and opens the contactors in the AC supply to the control rod drive clutch power supplies (see Figure 3.2). This de-energizes the magnetic clutch holding coils and releases the control rods to drop into the core causing a reactor scram.

3.2 Definition of System Boundary

The Reactor Protection System is housed in four cabinets in the control room.

The cabinets consist of the following parts (see Figure 3.14):

  • Bistable trip units
  • Auxiliary trip units
  • Coincidence logic matrices
  • Clutch power trip circuits
  • Clutch power supplies
  • Sensor power supplies
  • Reactor protection testing system

There are four measurement channels with remote sensors which are completely independent and isolated from each other. Each of these protective channels monitors the following nuclear steam supply parameters (see Figures 3.3 through 3.13):

1. Reactor Power Level
2. Rate-of-Change of Reactor Power
3. Reactor Primary Coolant Flow
4. Water Level Steam Generator No. 1
5. Water Level Steam Generator No. 2
6. Steam Pressure Steam Generator No. 1
7. Steam Pressure Steam Generator No. 2
8. Pressurizer Pressure
9. Reactor Thermal Margin/Low Pressure
10. Loss of Turbine Load
11. Containment Pressure

The signal output from each measurement channel is fed to the input of either a bistable trip unit or an auxiliary trip unit in the corresponding channel cabinet of the Reactor Protection System (see Figure 3.2).

The sensors for high rate-of-change of power and loss of turbine load are respectively arranged in a one-out-of-two and a one-out-of-one configuration.

The bistable trip units, fed from any one nuclear steam supply system parameter, have their output contacts arranged in six coincidence logic matrices, identified as AB, AC, AD, BC, BD and CD to represent all possible two-out-of-four combinations of trip signals (see Figure 3.2). Each coincidence logic matrix, when tripped, trips four matrix relays, which in turn provide trip signals to each of two trip circuits that interrupt the AC power to the clutch power supplies, thereby de-energizing the magnetic clutches that hold the control rods and causing a reactor scram.

The control rod mechanism clutches are separated into two groups (see Figure 3.2). The clutches in each group are supplied in parallel with low voltage DC power by an ungrounded feed line. Two AC to DC converters supply each feed line to prevent release of the clutches and control rods in the event one converter fails. The converters on each side are each supplied by a preferred (vital) AC bus to assure a continued source of power. Each feed line has two interrupters in series which are each actuated by a trip signal from any one-out-of-six coincidence logic matrix output relays. Although both vital feeds must be de-energized to release the clutches, there are two separate means of interrupting each feed. This arrangement allows the testing of the protective system.

Provisions are made to bypass any one of the four protective channels, associated with a RT mode, with a key-operated switch and change the logic for that particular RT mode to a two-out-of-three logic while maintaining the other protective RT modes in a two-out-of-four logic. If the bypass is not effected, an out-of-service channel assumes a tripped condition, which results in a one-out-of-three RT mode logic.
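The two-out-of-four coincidence logic and the bypass behaviour described above can be modelled directly. The following is an added illustrative sketch in Python, not code from the report; the function names are hypothetical, treating a bypassed channel as a contact held in the non-tripped state is an assumption, and the failure count covers only channel fail-to-trip faults in this simplified model, not the report's FMEA figures.

```python
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
# The six coincidence logic matrices named in the report: AB, AC, AD, BC, BD, CD.
MATRICES = tuple("".join(pair) for pair in combinations(CHANNELS, 2))


def contact_states(tripped, bypassed=None, out_of_service=None):
    """Trip-contact state each channel presents to the logic matrices."""
    states = {}
    for ch in CHANNELS:
        if ch == bypassed:
            # Assumption of this sketch: the key-switch bypass holds the
            # channel's contact in the non-tripped state.
            states[ch] = False
        elif ch == out_of_service:
            # Per the report: without a bypass, an out-of-service channel
            # assumes a tripped condition.
            states[ch] = True
        else:
            states[ch] = ch in tripped
    return states


def tripped_matrices(tripped, bypassed=None, out_of_service=None):
    """Matrices whose two channels both present a tripped contact."""
    s = contact_states(tripped, bypassed, out_of_service)
    return [m for m in MATRICES if s[m[0]] and s[m[1]]]


def scram(tripped, bypassed=None, out_of_service=None):
    """One-out-of-six: any single tripped matrix is enough to scram."""
    return bool(tripped_matrices(tripped, bypassed, out_of_service))


def in_service(bypassed=None, out_of_service=None):
    """Channels that are neither bypassed nor out of service."""
    return [ch for ch in CHANNELS if ch not in (bypassed, out_of_service)]


def effective_logic(bypassed=None, out_of_service=None):
    """Return (k, n): any k of the n in-service channels tripping scrams."""
    live = in_service(bypassed, out_of_service)
    for k in range(len(live) + 1):
        if all(scram(set(c), bypassed, out_of_service)
               for c in combinations(live, k)):
            return k, len(live)
    return None


def min_failures_to_inhibit(bypassed=None, out_of_service=None):
    """Fewest in-service channels that must fail to trip to block a scram
    when every in-service channel should have tripped (model result only)."""
    live = in_service(bypassed, out_of_service)
    for f in range(len(live) + 1):
        for failed in combinations(live, f):
            still_tripping = set(live) - set(failed)
            if not scram(still_tripping, bypassed, out_of_service):
                return f
    return None


if __name__ == "__main__":
    cases = [
        ("all four channels in service", {}),
        ("channel A bypassed", {"bypassed": "A"}),
        ("channel A out of service, no bypass", {"out_of_service": "A"}),
    ]
    for label, kw in cases:
        k, n = effective_logic(**kw)
        f = min_failures_to_inhibit(**kw)
        print(f"{label}: {k}-out-of-{n}, "
              f"{f} channel fail-to-trip faults needed to inhibit")
```

In this model no single channel fault inhibits the trip in any of the three configurations, and the bypassed configuration has the smallest margin.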

Provisions are also made to permit periodic testing of the complete reactor protection system, while the reactor is at operating power levels or when shut down. These tests cover the trip actions from sensor input to the protective system to the output to the clutch power supplies. The system test does not inhibit the protective function of the system.

The testing system is completely isolated from the protective system circuitry itself (see Figure 3.2). Failure of any part of the testing system does not prevent proper operation of the reactor protection system.

Isolation of the testing circuitry is accomplished by utilizing an isolated test power supply and double coil relays. One coil is normally used in the protective system circuitry and the other coil is used in the testing system circuit. The double coil relays permit system testing without bypassing or inhibiting protective functions. Depending on the relay action required, the coil in the testing circuit, which is used to provide a magnetic flux in the relay core, aids or bucks the magnetic flux produced by the coil in the circuit of the protection system. This feature allows all trip test switches to be located in the circuitry of the test system, thus providing complete isolation of the two systems.

During reactor operation, the measuring channels are checked by comparing the outputs of similar channels and cross-checking with related measurements.

The trip units are tested by inserting a voltmeter in the circuit, noting the signal level, and initiating a test input which is also indicated on the voltmeter.

This provides the necessary overlap in the testing process and also enables the test to establish that the trip can be effected within the required tolerances.

The test signal is provided by an external test signal generator which is connected to the trip unit at the signal input terminals. With the test signal generator connected, the desired signal is selected and then inserted into the trip unit by depressing the manual test switch. The test circuit permits various rates-of-change of signal input to be used. Trip action (opening) of each of the trip unit relays is indicated by individual lights on the front of the trip unit. The pretrip alarm action is indicated by a separate light.

The sets of trip relays at the output of each coincidence logic matrix are tested one at a time. The test circuits in the logic permit only one pair of coincidence matrix logic relays to be tripped while one set of matrix output relays can be held at the same time. The application of hold power to one set of matrix output relays denies the power source to the other sets. In testing a logic trip set, e.g., AB, a holding current is initiated in the test coils of the logic trip relays by turning the matrix relay trip test switch to "off" and depressing the matrix logic AB test pushbutton switch. Operation of the matrix trip test switch de-energizes a parallel pair of module trip relays. With the ladder-logic relay contacts open, the logic trip relays may be de-energized one at a time (by rotating the matrix relay trip test switch) to initiate a half-trip. Indicator lights on the trip relay coils and on the DC power supply AC feed lines provide verification that coil operation and half-trip conditions have occurred.

The capability to test relays K1 through K4 associated with the reactor protection system "trip/reset" function, has been provided. The zero power mode bypass relays and their contacts can be tested with the reactor at power (see Figure 3.15). These relays can be tested as part of the normal reactor protection system tests by varying the intermediate range channel output above and below 10^-4% power.

A manual reactor trip is provided to permit the operators to scram the reactor (see Figure 3.2). Manual actuation of either of two independent reactor scram pushbutton switches in the main control room causes direct interruption of the AC power to the power converter units supplying DC power to the electromagnetic clutches of the drive mechanisms. One manual trip pushbutton interrupts the control power to the holding coils of four M coil relays, whose contacts break AC power to the clutch power supplies. The second pushbutton interrupts power to the undervoltage coils of two circuit breakers which disconnect all AC power to the clutch power supplies.

The boundary of the Reactor Protection System being analyzed includes the sensors, the bistable and auxiliary trip units, the coincidence logic matrices, the clutch power trip circuits, the clutch power supplies, the reactor protection testing system, and all interconnecting wires, cables, piping and their associated conduits, trays and channels.

3.3 Definition of Reactor Protection System Trip Modes

Rapid reactor trip or scram is effected on the following conditions:

3.3.1 High Power Level - Reactor Trip

See Figures 3.1, 3.2, 3.3 and 3.14. A reactor trip at high power level (neutron flux) is provided to shut down the reactor when the indicated reactor power exceeds a preselected value. The high power trip signals are initiated by two-out-of-four coincidence logic from the four power range safety channels. During normal plant operation with all coolant pumps operating, reactor trips are initiated when the reactor power level exceeds a nominal value of 106.5% of indicated full power. This trip level represents a reactor power of no greater than 112% of full power when instrument and calorimetric errors are taken into account. Provisions are provided to select different trip points for various combinations of primary coolant pump operation.

The power range channels are equipped with a range change switch to increase the indicated power by a factor of 10. By use of the range change switch, indicated power is increased to provide full-scale indication at 12.5% power. This action also decreases the overpower trip from 106.5% to 10.65% to provide overpower trip protection during low power operation.

3.3.2 High Power Rate-of-Change - Reactor Trip

See Figures 3.1, 3.2, 3.4, 3.14, 3.15 and 3.16. A reactor trip for high rate-of-change of reactor power is provided to protect the reactor against an uncontrolled control rod withdrawal while the core is at very low power levels.

Two wide-range channels take signals from fission chambers and cover a range greater than ten decades. The wide range signals are effected by using a combination of counting and mean square variation techniques which also provide good rejection of background gamma signals to provide an operating range from startup to full power.

A reactor trip is initiated if the rate-of-change of reactor power exceeds 2.6 decades per minute, over a range of about 10^-4% to 15% power, by either of the two wide-range channels. The trip signal is automatically bypassed below 10^-4% and above 15% power. High rate-of-change of power alarms are initiated at 1.5 dpm over the operating range of 10^-4% to 15% power by the two wide-range channels.

This is an anticipatory trip which is not required to protect the reactor since the primary trip is high power level trip (Reference 4).

3.3.3 Low Flow, Reactor Coolant - Reactor Trip

See Figures 3.1, 3.2, 3.5, 3.14 and 3.16. A reactor trip is provided to protect the core from a power to flow mismatch. There are four reactor coolant pumps with flow in each measured by sensing differential pressure between the coolant pump suction line and the primary coolant input line to the associated steam generator. The flow measurement signals are provided by summing the output of the differential pressure transmitters to provide an indication of total coolant flow through the reactor. A reactor trip is initiated by two-out-of-four coincidence logic from either of the four independent measuring channels when the flow function falls below a preselected value.

Provisions are made in the reactor protective system to permit operation at reduced power if one or more coolant pumps are taken out of service. For this mode of operation, the low flow trip points and the overpower trip points are simultaneously changed, thus providing a positive means of assuring that the more restrictive settings are used. The flow trip selector switch is equipped with RPS channel physical separation and electrical isolation.

Pretrip alarms are initiated if the coolant flow function approaches the minimum required for reactor operation at the corresponding power level. The zero power mode bypass switch, a key-operated switch, allows the low reactor coolant flow trip to be bypassed for subcritical testing of control rod drive mechanisms. The zero power mode bypass switch also bypasses both the steam generator low steam pressure trips and the thermal margin/low pressure trip.

The zero power mode bypass is automatically reset above 10^-4% power by signals from Nuclear Instrumentation (NI) wide range logarithmic Channels 3 and 4. NI Channel 3 resets the zero power mode bypass on RPS Channels A and C. NI Channel 4 resets the bypass on RPS Channels B and D.

3.3.4 Low Water Level, Steam Generator - Reactor Trip

See Figures 3.1, 3.2, 3.6, 3.7, and 3.14. Low steam generator downcomer water levels will cause a loss-of-heat-removal capability from the primary coolant system.

A reactor trip signal is initiated by two-out-of-four logic from four independent downcomer level differential pressure transmitters on each steam generator. Pretrip alarms are actuated to provide for annunciation of approach to reactor trip conditions.

3.3.5 Low Pressure, Steam Generator - Reactor Trip See Figures 3. 1, 3. 2, 3. 8, 3. 9, 3. 14 and 3. 16. A reactor trip on low steam generator secondary pressure is provided to protect against excessively high steam flow caused by a steam line break. An abnormally high main steam flow from either steam generator will cause the secondary pressure to drop rapidly.

Four pressure transmitters on each steam generator actuate trip units which are connected in a two-out-of-four coincidence logic to initiate the reactor protective action if the steam generator pressure drops below a preselected value. Signals from any two of the four indicating meter relays from either steam generator will close the main steam isolation valves on both steam generators. Pretrip alarms are also provided.

The zero power mode bypass switch, a key-operated switch, allows the steam generator low steam pressure trips to be bypassed for subcritical testing of control rod drive mechanisms. The zero power mode bypass switch also bypasses the low reactor coolant flow trip and the thermal margin/low pressure trip. The zero power mode bypass is automatically reset above 10^-4% power by signals from NI Channels 3 and 4.

3.3.6 High Pressurizer Pressure - Reactor Trip

See Figures 3.1, 3.2, 3.10 and 3.14. A reactor trip for high pressurizer pressure is provided to prevent excessive blowdown of the primary coolant system by relief action through the pressurizer power-operated relief or safety valves.

The trip signals are provided by four narrow range independent pressure transmitters measuring the pressurizer pressure.

A reactor trip is initiated by two-out-of-four coincidence logic from the four independent measuring channels if the pressurizer pressure exceeds a preset pressure (1950 psia). This signal also opens the power-operated relief valves.

Pretrip alarms are initiated if the pressurizer pressure exceeds a preset pressure (1900 psia).

3.3.7 Thermal Margin/Low Pressure - Reactor Trip

See Figures 3.1, 3.2, 3.10, 3.11, 3.14 and 3.16. A reactor trip is initiated by a continuously computed function of primary coolant pressure and thermal power to prevent reactor conditions from violating a minimum departure from nucleate boiling ratio (DNBR). At constant coolant flow, the temperature rise in the reactor is a function of power so that the variable trip can be effected by the adjustment of a pressure trip setpoint with reactor inlet and outlet coolant temperatures. At partial flow conditions, the changes in coolant temperature are such that the low thermal margin protection is continued with no change required in the pressure setpoint function. The variable pressure trip setpoint is computed by the function $P_{trip} = A\,T_{hot} - B\,T_{cold} - C$. The reactor trip signal is initiated by a two-out-of-four coincidence logic from four independent safety channels, and audible and visual pretrip alarms are actuated to provide for annunciation on approach to reactor trip conditions.

The output from temperature transmitters on the hot and cold legs of each steam generator is combined by the summer units. The summer unit subtracts the cold leg temperature from the hot leg temperature. These signals are sent to the auctioneering unit. The auctioneering unit compares the signals from Loop 1 and Loop 2 and passes the one which represents the higher power. The output of the auctioneering unit is limited to a lower value which represents a minimum pressure of 1750 psia at nominal operating pressures of greater than 1800 psia; for nominal operating pressure of 1800 psia, this minimum is set at 1650 psia. This pressure is the minimum pressure, or "floor", below which pressure a reactor trip will always occur.

The output of the auctioneering unit is sent to the trip unit and is used as a variable setpoint for the trip unit. The trip unit compares the primary system pressure with the variable setpoint from the auctioneering unit and trips if the system pressure is less than the setpoint. The zero power mode bypass switch, a key-operated switch, allows the thermal margin/low pressure trips and three additional trips to be bypassed at low power level. The zero power mode bypass is automatically reset above 10^-4% power by signals from NI Channels 3 and 4.
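The following added example (not part of the original report) models the zero power mode bypass described in Sections 3.3.3 through 3.3.7 and shows how the shared NI reset channels affect the two-out-of-four trip. The function names, the per-channel key switch state and the scenarios are assumptions constructed for illustration.

```python
# Added illustration: zero power mode bypass feeding a two-out-of-four trip.
# All names and scenarios are constructed for this example.

RPS_CHANNELS = ("A", "B", "C", "D")

# From the text: NI Channel 3 resets the bypass on RPS Channels A and C,
# NI Channel 4 resets it on RPS Channels B and D.
NI_FOR_RPS = {"A": 3, "C": 3, "B": 4, "D": 4}

RESET_POWER_PCT = 1e-4  # bypass is automatically reset above 10^-4 % power


def ni_contact_closed(indicated_power_pct, stuck_closed=False):
    """Reset contact: opens above 10^-4 % power unless it has failed closed."""
    return stuck_closed or indicated_power_pct <= RESET_POWER_PCT


def channel_bypassed(channel, key_switch_closed, ni_contacts):
    """A channel is bypassed only if its key switch AND its NI contact are closed."""
    return key_switch_closed[channel] and ni_contacts[NI_FOR_RPS[channel]]


def reactor_trip(demand, key_switch_closed, ni_contacts):
    """Two-out-of-four coincidence over the channels that are not bypassed.

    demand[ch] is True when that channel's bistable sees its input past setpoint.
    Returns (trip_actuated, list_of_tripped_channels).
    """
    tripped = [
        ch for ch in RPS_CHANNELS
        if demand[ch] and not channel_bypassed(ch, key_switch_closed, ni_contacts)
    ]
    return len(tripped) >= 2, tripped


def scenario(power_pct, keys_closed, ni3_stuck=False, ni4_stuck=False,
             failed_untripped=()):
    """Evaluate a trip demand on all four channels under the given failures."""
    key_switch_closed = {ch: keys_closed for ch in RPS_CHANNELS}
    ni_contacts = {
        3: ni_contact_closed(power_pct, ni3_stuck),
        4: ni_contact_closed(power_pct, ni4_stuck),
    }
    demand = {ch: ch not in failed_untripped for ch in RPS_CHANNELS}
    return reactor_trip(demand, key_switch_closed, ni_contacts)


if __name__ == "__main__":
    cases = {
        "50% power, key switches left closed": scenario(50.0, True),
        "same, NI 3 contact stuck closed": scenario(50.0, True, ni3_stuck=True),
        "same, plus channel B failed untripped":
            scenario(50.0, True, ni3_stuck=True, failed_untripped=("B",)),
        "same, NI 3 and NI 4 contacts stuck closed":
            scenario(50.0, True, ni3_stuck=True, ni4_stuck=True),
        "below 10^-4 % power, bypass in use": scenario(5e-5, True),
    }
    for name, (trip, channels) in cases.items():
        print(f"{name}: trip={trip}, tripped channels={channels}")
```

With one NI reset contact stuck closed, two RPS channels stay bypassed and the trip then depends on both remaining channels working.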

3.3.8 Loss of Load, Turbine Trip - Reactor Trip

See Figures 3.1, 3.2, 3.3, 3.12, 3.14 and 3.15. A reactor trip will automatically be initiated after a turbine trip occurs. A turbine low auto stop oil condition occurs with all turbine trips. The reactor trip will be initiated when the turbine auto stop oil pressure decreases, causing the auto stop oil pressure switch contacts to close and energize two turbine trip auxiliary relays. Each auxiliary relay will provide a reactor trip signal to two of four protective system channels. The loss of load reactor trip is an anticipatory trip which is not required to protect the reactor since the primary trip is high primary system pressure, and is automatically bypassed when any three of the four power range safety channels indicate less than 15% full power.

3.3.9 High Containment Pressure - Reactor Trip

See Figures 3.1, 3.2, 3.13 and 3.14. A reactor trip is initiated on high containment pressure.

Four independent pressure switches actuate trip units which are connected in a two-out-of-four coincidence logic to initiate the reactor protective action when the containment pressure reaches 5 psig.

This reactor trip is in addition to the thermal margin/low pressure trip to ensure that the reactor is tripped before the safety injection sequence (SIS) and containment spray are initiated.

A pretrip alarm occurs when the containment pressure reaches 3 psig. This alarm is not generated by RPS equipment.

3.3.10 Manual - Reactor Trip

See Figures 3.1 and 3.2. A manual reactor trip is provided to permit the operators to trip the reactor. Manual actuation of either of two reactor trip push-button switches in the main control room causes direct interruption of the AC power to the DC power supplies feeding the electromagnetic clutches of the control rod drive mechanisms.

FIGURE 3.1 REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.2 REACTOR PROTECTION SYSTEM FUNCTIONAL DIAGRAM (figure not reproduced)

FIGURE 3.3 HIGH POWER LEVEL REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.4 HIGH RATE OF CHANGE OF POWER REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.5 PRIMARY COOLANT LOW FLOW REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.6 STEAM GENERATOR 1 LOW WATER LEVEL REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.7 STEAM GENERATOR 2 LOW WATER LEVEL REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.8 STEAM GENERATOR 1 LOW STEAM PRESSURE REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.9 STEAM GENERATOR 2 LOW STEAM PRESSURE REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.10 HIGH PRESSURIZER PRESSURE REACTOR TRIP AND THERMAL MARGIN/LOW PRESSURE REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.11 THERMAL MARGIN/LOW PRESSURE REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.12 LOSS OF TURBINE LOAD REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)
Note on the figure: the auto inhibit condition exists when 3-out-of-4 power range safety channels indicate < 15% full power (see Figure 3.3).

FIGURE 3.13 CONTAINMENT HIGH PRESSURE REACTOR TRIP LOGIC DIAGRAM (figure not reproduced)

FIGURE 3.14 REACTOR PROTECTION SYSTEM CABINETS (figure not reproduced)

FIGURE 3.15 POWER RATE OF CHANGE TRIP AND PRE-TRIP INTERFACE WITH RPS (figure not reproduced)
Notes on the figure: All auxiliary relays are located in the Reactor Protective System cabinet assembly. The marked contacts are contacts in bistable units in drawers of the Nuclear Instrumentation; the arrows indicate in what circuits these contacts are utilized.

FIGURE 3.16 ZERO POWER MODE BYPASS LOGIC DIAGRAM (figure not reproduced)
Notes on the figure: Relay contacts for automatic removal of the zero power mode trip bypass open above 10^-4% full power and are operated by the power level trip unit in the logarithmic channel. The manual switch is labeled "Zero Power Mode Trip Bypass"; its closure is required for bypass. The bistable trip units shown are Low Reactor Coolant Flow, Low Steam Pressure SG 1, Low Steam Pressure SG 2 and TM/Low Pressure (X = analog input signal). With +15V applied to a bistable trip unit: no trip regardless of level of input analog signal. Without +15V applied to a bistable trip unit: trip according to level of input analog signal. Same arrangement for other 3 channels.

4.0 REACTOR PROTECTION SYSTEM FAILURE ANALYSIS

4.1 Single Failure Analysis

A Failure Mode and Effects Analysis (FMEA) was generated for the RPS to determine the system vulnerability to single failures and to establish a system performance baseline for the Common Mode Failure Analysis (CMFA). The FMEA investigated each available RPS trip mode to determine if any single equipment failure could inhibit the actuation of a required protective trip. The hypothesized failures were also analyzed to determine the effect on the integrated RPS Reactor Trip (RT) function. The FMEA is attached as Appendix A.

The analysis demonstrated that no single RPS equipment failure could inhibit the actuation of any required protective RT's. The two RPS anticipatory RT's, high power rate-of-change and loss of load-turbine trip, are both vulnerable to single failures which would inhibit the trip actuation.

The high power rate-of-change RT (RT#2) is provided to protect the reactor against an uncontrolled control rod withdrawal while the core is at very low power levels. This is an anticipatory trip which is not required to protect the reactor since the primary trip is the high power level trip (RT#1) (Reference 4). Review of Appendix A, Table A-2 indicates that RT#2 is vulnerable to single failures which would disable the automatic scram function only if one of the RPS RT#2 channels was in the bypass mode. If no RPS RT#2 channels are in bypass, a single equipment failure cannot inhibit the RT#2 function.

The loss of load, turbine trip RT (RT#10), is an anticipatory trip which is not required to protect the reactor since the primary trip is high primary system pressure (RT#8) (Reference 5). Table A-10, Appendix A, indicates that the following single failures will disable the anticipatory RT#10 function:

o Turbine auto stop pressure switch (63/AST-2) contacts fail open.
o Time delay relay (462/TDO) fails to the tripped state.
o Loss of power to the two turbine trip relays 305-L and 305-R. The relay power source is 125 VDC from panel D21, breaker 72-212.

4.2 Common Mode Failure Analysis

Common mode failures (CMF's) have been generally defined as multiple unit failures due to a single cause. The cause of failure may be separated into five broad and generic categories:

o Functional deficiency
o Equipment design deficiency
o Operation and maintenance errors
o External phenomena
o External normal environment

Table 4.1 presents a summary of preventive measures which are available to prevent CMF's. Each of the generic failure causes was addressed in the CMFA.

The CMFA was developed for both the individual RT modes and for the integrated RPS which incorporated all the RT modes available at the Palisades Plant. The responsiveness of all available reactor trip modes to each anticipated transient was evaluated. The trip mode sequence evaluation assumed that the preceding trip mode(s) did not actuate. Figure 4.1 presents a summary of the RT's available at the Palisades Plant during each of the transients.

TABLE 4.1 COMMON MODE FAILURE PREVENTIVE MEASURES

FAILURE CATEGORY: External normal environment; Design deficiency; Operational or maintenance errors; External phenomena; Functional deficiency

POSSIBLE PREVENTIVE MEASURES: Functional diversity; Design administrative controls; Operational administrative controls; Safe failure modes; Proven design; Standardization; Equipment diversity; Functional diversity; Physical separation; Design administrative controls; Safe failure modes; Equipment diversity; Functional diversity; Operational administrative controls; Equipment diversity; Functional diversity; Physical separation; Design administrative controls; Safe failure modes; Equipment diversity; Functional diversity; Design administrative controls; Equipment diversity

FIGURE 4.1 AUTOMATIC RPS RESPONSE FOR ANTICIPATED TRANSIENTS AT THE PALISADES PLANT

Columns (automatic reactor trip modes available at the Palisades Plant): RT#1 High Power Level; RT#2 High Power Rate of Change; RT#3 Low Flow, Reactor Coolant; RT#4 Low Level SG#1; RT#5 Low Level SG#2; RT#6 Low Press SG#1; RT#7 Low Press SG#2; RT#8 High Pressurizer Press; RT#9 Thermal Margin/Low Press; RT#10 Turbine Trip; RT#11 High Containment Press.

Rows (anticipated transient events): 1 Loss of electrical load; 2 Load increase; 3 Complete loss of feedwater; 4 Complete loss of primary flow; 5 Loss of normal electrical power; 6 Inactive primary loop start-up; 7 Rod withdrawal at full power; 8 Primary system depressurization; 9 Boron dilution; 10 Small line break.

[Matrix entries (E, I, L) are not legible in this copy.]

NOTES:
1. E designates trip signal generated early in the transient (within first minute).
2. I designates trip signal generated after 1 minute but before 10 minutes into the transient.
3. L designates trip signal generated late in the transient (after 10 minutes).
4. Low steam generator pressure closes main steam isolation valves and causes turbine trip.

The detailed results of the CMFA are most significant when evaluated from the viewpoint of the integrated RPS responsiveness to an anticipated reactor transient. Figure 4.1 presents the integrated RPS design baseline for determining the overall impact of potential CMF's on the RPS responsiveness to the anticipated reactor transients.

4.2.1 Combinations of Failures

The first step in the CMFA involves identification of the combinations of failures or events required for system failure. The FMEA generated the baseline data for the analysis of events and failure combinations which must exist to cause the loss of a RT function. Each RT function which is part of the Palisades Plant RPS design was investigated to determine the combination of failures required to inhibit the function. The following sections denote the possible failure combinations which would inhibit each RPS trip function.

4.2.1.1 High Power Level (RT#1)

The RT#1 function was previously described in Section 3.3.1. For the purpose of this analysis, the system components were grouped into the following three major functional elements which could fail to a non-tripped condition and inhibit this required protective RT.

o Sensor/RPS channels
o Coincidence logic matrix input relays
o Clutch power supply trains.

The first functional element, sensor/RPS channels, includes all components from the sensor to the RPS auxiliary trip unit. The second functional element is the three output relays (K1, K2, and K3) of each RPS auxiliary trip unit. The third group, clutch power supply train, includes all components from the four output trip relays associated with each of the six trip matrices to the four M coils (M1, M2, M3, and M4).

Table 4.2 presents a summary of the RT#1 FMEA (Appendix A, Tables A-1 and A-13) and lists the possible component failures which would propagate a non-tripped state in a major functional element. Figure 4.2 shows the failure combinations of major functional elements which would have to occur to inhibit a RT on high power level (RT#1).
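The search below is an added example, not part of the original report: it enumerates the minimal combinations of sensor/RPS channel failures and logic matrix input relay failures that inhibit a two-out-of-four trip, using the relay schedule of Table 4.3. The clutch power supply trains are left out because this section does not describe their arrangement, and the function names are assumptions made for the example.

```python
# Added illustration: minimal failure combinations that inhibit a 2-out-of-4 trip.
# Function names are constructed for this example; clutch power trains are excluded.
from collections import Counter
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")
MATRICES = ("AB", "AC", "AD", "BC", "BD", "CD")
ELEMENTS = CHANNELS + MATRICES

# Table 4.3: each channel's output relays K1-K3 feed three of the six matrices.
RELAY_SCHEDULE = {
    "A": {"K1": "AB", "K2": "AC", "K3": "AD"},
    "B": {"K1": "AB", "K2": "BC", "K3": "BD"},
    "C": {"K1": "AC", "K2": "BC", "K3": "CD"},
    "D": {"K1": "AD", "K2": "BD", "K3": "CD"},
}


def matrices_disabled_by(hung_relays):
    """Map hung (stuck energized) relays, given as (channel, relay), to matrices.

    Per Table 4.2, a hung output relay leaves its matrix input circuit untripped.
    """
    return {RELAY_SCHEDULE[channel][relay] for channel, relay in hung_relays}


def trip_inhibited(failed):
    """True if no matrix can trip even though the plant condition calls for a trip.

    Matrix XY trips only if channels X and Y both trip and the matrix input
    relay circuit is healthy; one healthy matrix is enough to trip.
    """
    failed = set(failed)
    for matrix in MATRICES:
        first, second = matrix
        if matrix not in failed and first not in failed and second not in failed:
            return False
    return True


def inhibited_by(failed_channels, hung_relays):
    """Relay-level view: untripped channels plus hung relays from Table 4.3."""
    return trip_inhibited(set(failed_channels) | matrices_disabled_by(hung_relays))


def minimal_failure_arrays():
    """All failure sets that inhibit the trip and have no inhibiting proper subset."""
    found = []
    for size in range(1, len(ELEMENTS) + 1):
        for combo in combinations(ELEMENTS, size):
            candidate = frozenset(combo)
            if trip_inhibited(candidate) and not any(p < candidate for p in found):
                found.append(candidate)
    return found


def arrays_by_size():
    """Number of minimal failure arrays for each number of failed elements."""
    return Counter(len(array) for array in minimal_failure_arrays())


if __name__ == "__main__":
    for array in minimal_failure_arrays():
        print(" + ".join(sorted(array, key=ELEMENTS.index)))
    print(dict(arrays_by_size()))
```

No combination of fewer than three functional element failures inhibits the trip in this model, which is the property a common cause has to defeat.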

4.2.1.2 High Power Rate-of-Change (RT#2)

The RT#2 function was previously described in Section 3.3.2. For the purpose of this analysis, the system components were grouped into the following four major functional elements which could fail to a non-tripped condition and inhibit this anticipatory RT.

o Sensors
o RPS channels
o Coincidence logic matrix input relays
o Clutch power supply trains.

The first functional element, sensors, includes all components from the sensor to the input of the nuclear instrumentation channel bistable units. The second functional element includes all components from the nuclear instrumentation bistable units to the RPS auxiliary trip unit output relays. The coincidence logic matrix input relay and clutch power supply train functional elements include the same equipment complement that was previously defined for RT#1.

TABLE 4.2 FMEA SUMMARY FOR RT#1

| Failed Component | Failure Mode | Failure Effect |
|---|---|---|
| Uncompensated ion chamber A or B | Fail low | Sensor/RPS channel functional element fails to untripped state. |
| " | Output signal constant | " |
| " | Short across signal line | " |
| Linear amp, ion chamber A or B | Fail low | " |
| " | Output signal constant | " |
| " | Short across signal line | " |
| High voltage power supply | Loss of output | " |
| Bistable Unit 7 | Fail untripped (4 pump operation) | " |
| Bistable Unit 6 | Fail untripped (3 pump operation) | " |
| Bistable Unit 2 | Fail untripped (2 pump operation) | " |
| Auxiliary trip unit | Fail untripped | " |
| RT#1 channel bypass switch | Fail closed | " |

TABLE 4.2 (cont'd)

| Failed Component | Failure Mode | Failure Effect |
|---|---|---|
| Auxiliary trip unit output relay K1, K2, or K3 | Fails to energized state (hung up) | Coincidence logic matrix input relay circuit fails to untripped state. See Table 4.3 for specific relay/logic matrix schedule. |
| Logic matrix output relay (e.g., AB1, AB2, AB3, or AB4) | Fails to energized state (hung up) | Clutch power supply train fails to untripped state. |
| M coil M1, M2, M3, or M4 | Fails to energized state (hung up) | " |

FIGURE 4.2 TYPICAL ARRAY OF FAILURES REQUIRED TO INHIBIT RPS RT (figure not reproduced)
Columns: RPS Failure Array ID No. (1 to 17); Sensor/RPS Channels A, B, C, D; Logic Matrix Input Relays AB, AC, AD, BC, BD, CD; Clutch Power Supply Trip Train 1, 2, 3, 4. X = Trip Inhibiting Failure.

TABLE 4.3 TRIP LOGIC MATRIX INPUT RELAY SCHEDULE

| RPS Channel | Output Relay K1 | Output Relay K2 | Output Relay K3 |
|---|---|---|---|
| A | AB | AC | AD |
| B | AB | BC | BD |
| C | AC | BC | CD |
| D | AD | BD | CD |

Table 4.4 presents a summary of the RT#2 FMEA (Appendix A, Tables A-2 and A-13) and lists the possible component failures which would propagate a non-tripped state in a major functional element. Figure 4.3 shows the combinations of major functional element failures which would have to occur to inhibit a RT on high power rate-of-change (RT#2).

4.2.1.3 Low Flow, Reactor Coolant (RT#3)

The RT#3 function was previously described in Section 3.3.3. For the purpose of this analysis, the system components were grouped into the following three major functional elements which could fail to a non-tripped condition and inhibit this required protective RT.

o Sensor/RPS channels
o Coincidence logic matrix input relays
o Clutch power supply trains.

The first functional element, sensor/RPS channels, includes all components from the sensor to the bistable trip unit output relays. The second functional element is the three output relays (K1, K2, and K3) of each bistable trip unit. The clutch power supply train functional element includes the same equipment that was previously defined for RT#1 (Section 4.2.1.1).

Table 4.5 presents a summary of the RT#3 FMEA (Appendix A, Tables A-3 and A-13) and lists the possible component failures which would propagate a non-tripped state in a major functional element. Figure 4.2 shows the combinations of major functional element failures which would have to occur to inhibit a

TABLE 4.4 FMEA SUMMARY FOR RT#2

| Failed Component | Failure Mode | Failure Effect |
|---|---|---|
| Fission counter | Fail low | Sensor functional element fails to untripped state. |
| " | Output signal constant | " |
| " | Short across signal line | " |
| Preamp | Fail low | " |
| " | Output signal constant | " |
| " | Short across signal line | " |
| High voltage power supply | Loss of output | " |
| Pulse amp and count rate circuits | Loss of output | " |
| " | Fail low | " |
| " | Loss of supply voltage from preferred AC bus | " |
| Summing amp | Low signal level output | " |
| " | Constant signal level output | " |
| " | Loss of supply voltage from preferred AC bus | " |

TABLE 4.4 (cont'd)

| Failed Component | Failure Mode | Failure Effect |
|---|---|---|
| Power rate-of-change amp | Low signal level output | Sensor functional element fails to untripped state. (continued) |
| " | Constant signal level output | " |
| " | Loss of supply voltage from preferred AC bus | " |
| Nuclear inst. sys. bistable unit (#2 or #4) | Fail untripped | RPS channel functional element fails to untripped state. |
| Auxiliary trip unit | Fail untripped | " |
| RT#3 channel bypass switch | Fail closed | " |
| Auxiliary trip unit output relay K1, K2, or K3 | Fails to energized state (hung up) | Coincidence logic matrix input relay circuit fails to untripped state. See Table 4.3 for specific relay/logic matrix schedule. |
| Logic matrix output relay (e.g., AB1, AB2, AB3, or AB4) | Fails to energized state (hung up) | Clutch power supply train fails to untripped state. |
| M coil M1, M2, M3 or M4 | Fails to energized state (hung up) | " |

FIGURE 4.3 FAILURE COMBINATIONS REQUIRED TO INHIBIT RT#2 (figure not reproduced)
Columns: RPS Failure Array ID No. (1 to 22); Sensor Channel 3, 4; RPS Channels A, B, C, D; Logic Matrix Input Relays AB, AC, AD, BC, BD, CD; Clutch Power Supply Trip Train 1, 2, 3, 4. X = Trip Inhibiting Failure.

TABLE 4.5 (cont'd)

Failed Component | Failure Mode | Failure Effect
Bistable trip unit output relay K1, K2, or K3 | Fails to energized state (hung up) | Coincidence logic matrix input relay circuit fails to untripped state. See Table 4.3 for specific relay/logic matrix schedule.
Logic matrix output relay (e.g., AB1, AB2, AB3, or AB4) | Fails to energized state (hung up) | Clutch power supply train fails to untripped state.
M coil M1, M2, M3, or M4 | Fails to energized state (hung up) | "

4.2.1.4 Low Water Level, Steam Generator 1 (RT#4)

The RT#4 function was previously described in Section 3.3.4. The grouping of the major functional elements, which could fail to a non-tripped condition and inhibit this required protective RT, is similar to that presented in Section 4.2.1.3 for RT#3. Table 4.6 presents a summary of the RT#4 FMEA (Appendix A, Tables A-4 and A-13) and lists the appropriate functional element component failure. Figure 4.2 shows the combinations of major functional element failures which would have to occur to inhibit a RT on low water level, steam generator 1 (RT#4).

4.2.1.5 Low Water Level, Steam Generator 2 (RT#5)

The RT#5 function was previously described in Section 3.3.4. The complement of equipment associated with the RT#5 function is identical to that presented for the RT#4 function in Section 4.2.1.4. The analysis summarized in Section 4.2.1.4 is directly applicable to the RT#5 function. The RT#5 FMEA is presented in Appendix A, Table A-5.

4.2.1.6 Low Pressure, Steam Generator 1 (RT#6)

The RT#6 function was previously described in Section 3.3.5. The grouping of the major functional elements, which could fail to a non-tripped condition and inhibit this required protective RT, is similar to that presented in Section 4.2.1.3 for RT#3. Table 4.7 presents a summary of the RT#6 FMEA (Appendix A, Tables A-6 and A-13) and lists the appropriate functional element component failures. Figure 4.2 shows the combinations of major functional element failures which would have to occur to inhibit a RT on low pressure, steam generator 1 (RT#6).

4.2.1.7 Low Pressure, Steam Generator 2 (RT#7)

The RT#7 function was previously described in Section 3.3.5. The complement of equipment associated with the RT#7 function is identical to that presented for

TABLE 4.6 FMEA SUMMARY FOR RT#4

Failed Component | Failure Mode | Failure Effect
Channel SG level transmitter | Fail high | Sensor/RPS channel functional element fails to the untripped state.
" | Output signal constant | "
" | Loss of low pressure tap input | "
Bistable trip unit | Fails untripped | "
RT#4 channel bypass switch | Fail closed | "
Bistable trip unit output relay K1, K2, or K3 | Fails to energized state (hung up) | Coincidence logic matrix input relay circuit fails to untripped state. See Table 4.3 for specific relay/logic matrix schedule.
Logic matrix output relay (e.g., AB1, AB2, AB3, or AB4) | Fails to energized state (hung up) | Clutch power supply train fails to untripped state.
M coil M1, M2, M3, or M4 | Fails to energized state (hung up) | "

TABLE 4.7 FMEA SUMMARY FOR RT#6

Failed Component | Failure Mode | Failure Effect
Channel SG pressure transmitter | Fail high | Sensor/RPS channel functional element fails to untripped state.
" | Output signal constant | "
Bistable trip unit | Fail untripped | "
RT#6 channel bypass switch | Fail closed | "
Bistable trip unit output relay K1, K2, or K3 | Fails to energized state (hung up) | Coincidence logic matrix input relay circuit fails to untripped state. See Table 4.3 for specific relay/logic matrix schedule.
Logic matrix output relay (e.g., AB1, AB2, AB3, or AB4) | Fails to energized state (hung up) | Clutch power supply train fails to untripped state.
M coil M1, M2, M3, or M4 | Fails to energized state (hung up) | "

the RT#6 function in Section 4.2.1.6. The analysis summarized in Section 4.2.1.6 is directly applicable to the RT#6 function. The RT#7 FMEA is presented in Appendix A, Table A-7.

4.2.1.8 High Pressurizer Pressure (RT#8)

The RT#8 function was previously described in Section 3.3.6. The grouping of the major functional elements, which could fail to a non-tripped condition and inhibit this required protective RT, is similar to that presented in Section 4.2.1.3 for RT#3. Table 4.8 presents a summary of the RT#8 FMEA (Appendix A, Tables A-8 and A-13) and lists the appropriate functional element component failures. Figure 4.2 shows the combinations of major functional element failures which would have to occur to inhibit a RT on high pressurizer pressure (RT#8).

4.2.1.9 Thermal Margin/Low Pressure (RT#9)

The RT#9 function was previously described in Section 3.3.7. The grouping of the major functional elements, which could fail to a non-tripped condition and inhibit this required protective RT, is similar to that presented in Section 4.2.1.3 for RT#3. Table 4.9 presents a summary of the RT#9 FMEA (Appendix A, Tables A-9 and A-13) and lists the appropriate functional element component failures. Figure 4.2 shows the combinations of major functional element failures which would have to occur to inhibit a RT on thermal margin/low pressure (RT#9).

4.2.1.10 Loss of Load, Turbine Trip (RT#10)

The RT#10 function was previously described in Section 3.3.8. For the purpose of this analysis, the system components were grouped into the following major functional elements which could fail to a non-tripped condition and inhibit the anticipatory RT.

TABLE 4.8 FMEA SUMMARY FOR RT#8

Failed Component | Failure Mode | Failure Effect
Channel pressurizer pressure transmitter | Fail low (1) | Sensor/RPS channel functional element fails to the untripped state.
" | Output signal constant | "
" | Loss of high pressure tap (2) | "
" | Open signal line (1) | "
Transmitter power supply | Loss of output (1) | "
" | Loss of supply voltage (1) from preferred AC bus | "
Bistable trip unit | Fail untripped | "
RT#8 channel bypass switch | Fail closed | "
Bistable trip unit output relay K1, K2, or K3 | Fails to energized state (hung up) | Coincidence logic matrix input relay circuit fails to untripped state. See Table 4.3 for specific relay/logic matrix schedule.

Notes:

1. The failure will inhibit an RT#8 channel trip but will propagate a RT#9 channel trip (low pressure).
2. In addition to generating an RT#9 channel trip, the failure (e.g., ruptured sensing line) will cause a sudden drop in the primary coolant system pressure and thus generate a scram on low primary coolant pressure (RT#9).

TABLE 4.8 (cont'd)

Failed Component | Failure Mode | Failure Effect
Logic matrix output relay (e.g., AB1, AB2, AB3, or AB4) | Fails to energized state (hung up) | Clutch power supply train fails to untripped state.
M coil M1, M2, M3, or M4 | Fails to energized state (hung up) | "

TABLE 4.9 FMEA SUMMARY FOR RT#9

Failed Component | Failure Mode | Failure Effect
Channel pressurizer pressure transmitter | Fail high (1) | Sensor/RPS channel functional element fails to the untripped state.
" | Output signal constant | "
TM/low pressure bistable trip unit | Fail untripped | "
" | Variable setpoint signal fails low | "
" | Constant setpoint signal | "
Setpoint auctioneer | Open output signal line | "
RT#9 channel bypass switch | Fail closed | "
Bistable trip unit output relay K1, K2, or K3 | Fails to energized state (hung up) | Coincidence logic matrix input relay circuit fails to untripped state. See Table 4.3 for specific relay/logic matrix schedule.
Logic matrix output relay (e.g., AB1, AB2, AB3, or AB4) | Fails to energized state (hung up) | Clutch power supply train fails to untripped state.
M coil M1, M2, M3, or M4 | Fails to energized state (hung up) | "

Note: 1. The failure will inhibit an RT#9 channel trip but will propagate a RT#8 channel trip (high pressure).

o Sensor train
o Auxiliary relays
o RPS channels
o Logic matrix input relays
o Clutch power supply trains.

The first functional element, sensor train, includes all components from the sensor to the turbine trip auxiliary relays. The second functional element is the turbine trip auxiliary relays. The third element includes all components from the auxiliary relay contact pairs to the auxiliary trip unit output relays.

The logic matrix input relay and clutch power supply train functional elements include the same equipment complement that was previously defined for RT#1 through RT#9.

Table 4.10 presents a summary of the RT#10 FMEA (Appendix A, Tables A-10 and A-13) and lists the possible component failures which would propagate a non-tripped state in a major functional element. Figure 4.4 shows the combinations of major functional element failures which would have to occur to inhibit a RT on loss of load, turbine trip (RT#10).

4.2.1.11 High Containment Pressure (RT#11)

The RT#11 function was previously described in Section 3.3.9. The grouping of the major functional elements, which could fail to the non-tripped condition and inhibit this required protective RT, is similar to that presented in Section 4.2.1.1 for RT#1. Table 4.11 presents a summary of the RT#11 FMEA (Appendix A, Tables A-11 and A-13) and lists the appropriate functional element component failures. Figure 4.2 shows the combinations of major functional element failures which would have to occur to inhibit a RT on containment high pressure (RT#11).

TABLE 4.10 FMEA SUMMARY FOR RT#10

Failed Component | Failure Mode | Failure Effect
Pressure switch, turbine auto stop | Contacts fail open | Sensor train functional equipment fails to untripped state.
Time delay relay | Contacts fail open | "
Turbine trip relay power source (125 VDC pnl D21, bkr 72-212) | Loss of output |
" | Short across source |
" | Open output line |
Turbine trip relay 30SR or 30SL | Fails to de-energized state | Auxiliary relays fail to untripped state.
Auxiliary trip unit | Fails untripped | RPS channel functional element fails to untripped state.
RT#10 channel bypass switch | Fails closed | "
Auxiliary trip unit output relay K1, K2, or K3 | Fails to energized state (hung up) | Coincidence logic matrix input relay circuit fails to untripped state. See Table 4.3 for specific relay/logic matrix schedule.


TABLE 4.10 (cont'd)

Failed Component | Failure Mode | Failure Effect
Logic matrix output relay (e.g., AB1, AB2, AB3, or AB4) | Fails to energized state (hung up) | Clutch power supply train fails to untripped state.
M coil M1, M2, M3, or M4 | Fails to energized state (hung up) | "

FIGURE 4.4 FAILURE COMBINATIONS REQUIRED TO INHIBIT RT#10

[Figure: matrix of failure array ID numbers 1 through 23 against Sensor Train, RPS Aux Relay (L, R), RPS Channels (A, B, C, D), Logic Matrix Input Relays (AB, AC, AD, BC, BD, CD) and Clutch Power Supply Trip Train (1, 2, 3, 4). X = Trip Inhibiting Failure.]

TABLE 4.11 FMEA SUMMARY FOR RT#11

Failed Component | Failure Mode | Failure Effect
Channel pressure switch | Fails low | Sensor/RPS channel functional element fails to untripped state.
" | Open sense line | "
Auxiliary trip unit | Fails untripped | "
RT#11 channel bypass switch | Fails closed | "
Auxiliary trip unit output relay K1, K2, or K3 | Fails to energized state (hung up) | Coincidence logic matrix input relay circuit fails to untripped state. See Table 4.3 for specific relay/logic matrix schedule.
Logic matrix output relay (e.g., AB1, AB2, AB3, or AB4) | Fails to energized state (hung up) | Clutch power supply train fails to untripped state.
M coil M1, M2, M3, or M4 | Fails to energized state (hung up) | "

4.2.1.12 Manual (RT#12)

The manual reactor trip function (RT#12) was analyzed to determine if the failure of any equipment associated with this function could inhibit an automatic scram actuated by RT functions #1 through #12. The analysis, which is documented in Appendix A, Table A-12, disclosed that the failure of any single device associated with the RT#12 function would not degrade the capability of the RPS to initiate an automatic scram.

4.2.2 CMFA During Transient

The second step in the CMFA evaluates the overall effect of potential CMF's on the integrated RPS responsiveness to the following anticipated reactor transients.

1. Loss of electrical load
2. Load increase
3. Loss of feedwater
4. Loss of primary flow
5. Loss of normal electrical power
6. Inactive primary loop startup
7. Rod withdrawal
8. Primary system depressurization
9. Boron dilution
10. Small line break.

The Combustion Engineering (CE) Topical Report (Reference 2) was evaluated for each of the postulated ATWS events to determine the severity of the consequences and the potential scrams available at the Palisades Plant that would interrupt the transient. The ATWS consequences calculated for the generic plant in the CE Topical Report are more severe than the consequences propagated by a similar event at the Palisades Plant. The parameters that differ between the Palisades Plant and the CE generic plant which are significant in reducing the severity of the hypothesized transients at the Palisades Plant are:

o Rated thermal power
o Operating pressure
o Pressurizer relief area
o Pressurizer water volume.

Rated thermal power for the Palisades Plant is 2200 Mwt (2560 Mwt for the CE generic plant). Operating RCS pressure for the Palisades Plant is 1800 psia (2250 psia for the CE generic plant). Total relief area for the Palisades Plant is 0.076 ft² (0.0541 ft² for the CE generic plant). Both the Palisades Plant and the CE generic plant have a total primary pressurized volume of 1500 ft³. However, the pressurizer water volume is 540 ft³ for the Palisades Plant as compared to 769 ft³ for the CE generic plant. The peak primary coolant system pressures calculated for the generic plant during an ATWS are significantly higher than that expected for the Palisades Plant. Figure 4.1, which presents a summary of the RT modes available during each of the ATWS events, provided the integrated RPS design baseline for the CMFA. The generic causes of potential RPS CMF's and the preventive measures existing at Palisades were analyzed and evaluated for each of the postulated transients. The results of the integrated CMFA's are summarized in the following sections.

4.2.2.1 Loss of Electrical Load

The postulated loss of electrical load transient could be caused by generator trip, loss of condenser vacuum, or turbine trip. Loss of condenser vacuum or generator trip will propagate a turbine trip. The most probable cause of the loss of load transient is a turbine trip. After turbine trip, low auto stop oil pressure immediately generates a RT#10 signal. On turbine trip, the turbine isolation valves will close, rapidly increasing secondary pressure and causing the safety valves to open. Due to the decrease in heat transfer capability to the secondary system and the accompanying increase in coolant temperature, the primary pressure will rapidly increase. During the first few seconds of the transient, high pressurizer pressure trip signals will be generated (RT#8) and the pressurizer relief valves will open.

Initially, primary system pressure will increase and it will continue to increase until it peaks at approximately 180 seconds into the transient and then subsequently decreases.

At 600 seconds the operator manually actuates the Safety Injection Actuation Signal (SIAS). The concentrated boron solution will reach the reactor core in approximately 150 seconds and initiate reactor shutdown. At 600 seconds the operator manually actuates the auxiliary feedwater system, which has the capacity of 6% of full power feedwater flow. This will remove the decay heat from the reactor core.

During the initial phase of the transient, steam dump to atmosphere and steam bypass to the condenser (if there is no loss of vacuum) are available to remove energy from the primary coolant system. If no credit is taken for the steam dump and condenser bypass, the pressurizer relief and safety valves in conjunction with the steam generator safety valves and the feedwater system provide an adequate means to remove heat and make the transient consequences acceptable.

The peak reactor coolant system (RCS) pressure generated during this transient will not exceed 2534 psia at the Palisades Plant (Reference 6). The peak RCS pressure does not exceed either the RCS safety limit (2750 psia) or the RCS hydrostatic test limit (3125 psia) for the Palisades Plant (Reference 3). The peak pressure developed during this transient may rupture the pressurizer quench tank rupture disk and pressurize the containment. If the high containment pressure reaches the setpoint for RT#11 and SIAS (5 psig) before 600 seconds into the transient, an automatic SIAS and RT#11 would be independently actuated.

During the course of this transient no unacceptable consequences are reached. The primary coolant system pressure does not exceed the safety limits. The minimum transient DNBR in the hot channel remains greater than 1.3 and no fuel damage occurs. Containment pressure is controlled by an automatic and independent SIAS if the high pressure setpoint of 5 psig is achieved during the transient. Two reactor trip signals, turbine trip and high pressurizer pressure, would be generated by the RPS early in the transient. High containment pressure RT and SIAS signals may be generated prior to 600 seconds.

Table 4.1 presents a summary of preventive measures which have been successfully utilized to prevent CMF's. Specific preventive measures provided by the existing RPS against the various generic causes of CMF's are discussed in the following paragraphs.

Functional Deficiencies: Both functional diversity and equipment diversity exist in the RPS design. Two independent RT modes (high pressurizer pressure and turbine trip) which monitor dissimilar plant operating parameters can initiate a scram early in the transient. Both RT's are initiated by a change in pressure (turbine auto stop oil pressure and pressurizer pressure), however, the means of generating each RT signal is different. The high pressurizer pressure scram signal is developed by a bistable trip unit which monitors an analog pressure signal generated by a force balance pressure transmitter. The turbine trip scram signal is generated when the turbine auto stop pressure switch contacts close on low pressure and energize the turbine trip relays. The actual scram signal to the RT coincidence logic matrix is generated by an auxiliary trip unit which monitors the turbine trip relay contacts. No credit was taken for the enhanced RPS functional and equipment diversity available from the high containment pressure RT because containment overpressurization may not exceed 5 psig.

Design or Manufacturing Deficiencies: The functional and equipment diversity discussed in the preceding paragraph is the primary defense against design or manufacturing deficiencies. However, no credit can be taken for equipment diversity between the output relays in either the auxiliary trip units (ATU's) or the bistable trip units (BTU's) through the M coils, because all components that have an identical function in the RPS RT train (e.g., trip unit output relays, logic matrix trip relays, M coils, ...) have similar design and/or performance specifications. Protection against CMF's due to design or manufacturing deficiencies of the above components is achieved by periodic testing which ensures that all the equipment is operational and would be responsive to valid scram signals.

Operating or Maintenance Errors: The functional and equipment diversity between RT#8 and RT#10 is reflected in the differences in calibration and maintenance procedures. No single common mode error was hypothesized that could inhibit both of the RT modes responsive to the loss of electrical load transient.

External Phenomena: External phenomena such as fire, flood, missile, and earthquake could propagate the following effects on the RPS.

o Loss of sensor channel signal
o Severance of sense line
o Open circuiting of sensor channel cables
o Loss of RPS channel signal
o Loss of power.

The effect of these hypothesized functional system level failures was evaluated for each RT mode. The results are summarized in Table 4.12.

The RPS is not vulnerable to CMF's caused by external phenomena during the loss of electrical load transient due to the available safe failure modes, physical separation, functional diversity, and equipment diversity. Even if no credit is taken for the actual separation and isolation that exists in the RPS design, Table 4.12 shows that no single hypothesized generic failure could inhibit both RT#8 and RT#10 due to the complementary safe failure modes.

External Normal Environment: Proven hardware and design concepts have been incorporated as part of the RPS design philosophy. Standard, reliable equipment or components have been included throughout the RPS design. The operating envelope design specifications for all RPS equipment are compatible with both the plant environment during normal operation and the environment propagated by the anticipated reactor transients. In addition to the standardization of components with proven designs, the following measures, which are recognized preventive measures against CMF's propagated by external normal environment, are normally part of the Palisades Plant RPS design and/or part of the day-to-day plant operation routine.

o Functional diversity
o Design administrative controls
o Operational administrative controls
o Safe failure modes
o Equipment diversity.

TABLE 4.12 EFFECT OF EXTERNAL PHENOMENA ON THE RPS

Possible Failures

Reactor Trip Mode | Loss of Sensor Channel Signal | Severance of Sense Line | Open Circuiting of Sensor Channel Cables | Loss of RPS Channel Signal | Loss of Power
1. High Power Level | NT | NA | NT | CT | CT
2. High Power Rate of Change | NT | NA | NT | CT | CT
3. Low Flow, Reactor Coolant | CT | RTA | CT | CT | CT
4. Low Water Level, SG1 | CT | CTB | CT | CT | CT
5. Low Water Level, SG2 | CT | CTB | CT | CT | CT
6. Low Pressure, SG1 | CT | CT | CT | CT | CT
7. Low Pressure, SG2 | CT | CT | CT | CT | CT
8. High Pressurizer Pressure | CTA | RTA | CTA | CT | CT
9. Thermal Margin/Low Pressure | CT | RTA | CT | CT | CT
10. Loss of Load, Turbine Trip | NT | RT | NT | CT | CT
11. High Containment Pressure | NT | NT | CT | CT | CT

CT = Failure causes RPS channel trip
RT = Failure causes reactor trip
NT = Failure inhibits RPS channel trip
NA = Not applicable
RTA = Failure causes RT#9 due to low primary pressure
CTA = Failure causes RT#9 channel trip
CTB = Failure causes channel trip if both lines are severed

No CMF, caused by external normal environment, was hypothesized which would inhibit any automatic reactor trip mode (RT#1 through RT#11).

4.2.2.2 Load Increase

The load increase transient, which was analyzed in the CE Topical Report (Reference 2), was initiated by the accidental opening of the steam dump and bypass valves which will relieve 45% of full power steam flow. The transient consequences are less severe for the Palisades Plant because the accidental opening of the steam dump and bypass valves will not relieve more than 40% of full power steam flow. The load increase transient will immediately propagate a high power level trip signal (RT#1). The thermal margin/low pressure trip (RT#9) signals will be generated during the intermediate period of the transient.

Similar to the loss of electrical load transient, the operator will manually initiate safety injection at 600 seconds. After safety injection, reactor power will sharply decrease, and primary coolant pressure will decrease to a level which will generate the low pressurizer pressure trip signals. Simultaneously with the

The consequences of the load increase transient are mild. The power excursion is limited by the negative power coefficient and the minimum transient DNBR in the hot channel will remain well above 1.3. Since the effect propagated by the transient is mild, only one RT mode, high power level (RT#1), will be initiated early in the transient. During the intermediate period of the transient, the thermal margin/low pressure trip (RT#9) is initiated. Late in the transient, after the manual actuation of safety injection, five RT modes will be initiated; low level-steam generator 1 and 2, low pressure-steam generator 1 and 2 and turbine trip. The CMFA will only take credit for RT#1 and RT#9 because the remaining RT's occur so late in the transient. Specific preventive measures provided by the existing RPS against the various causes of CMF's are discussed in the following paragraphs.

Functional Deficiencies: Two independent RT modes, high power level and thermal margin/low pressure, which monitor dissimilar plant operating parameters, can initiate a scram prior to operator intervention 600 seconds into the transient. These trip modes provide both functional and equipment diversity in the RPS equipment during this transient. The high power level scram signals are developed by bistable trips in the RPS nuclear instrumentation system (NIS) drawers. RPS ATU's which monitor the bistable outputs will trip and propagate the RT#1 scram signal to the RPS trip logic matrix. The thermal margin/low pressure scram signal is developed by a BTU which monitors an analog pressure signal generated by a force balance pressure transmitter. The BTU has a variable trip setpoint which is automatically determined by the hot and cold leg temperatures of the primary coolant loops.

Design or Manufacturing Deficiencies: The functional and equipment diversity discussed in the preceding paragraph is the primary defense against design or manufacturing deficiencies. For the reasons discussed for the loss of electrical load transient, the RPS design between the trip unit output relays and the M coils is vulnerable to design and manufacturing deficiencies. As before, protection against CMF's, caused by these deficiencies, is achieved by periodic testing which ensures that all the equipment is operational and would be responsive to valid scram signals.

Operating and Maintenance Errors: The functional and equipment diversity between RT#1 and RT#9 is reflected in differences in calibration and maintenance procedures. No single common mode error was hypothesized that could inhibit the RT modes responsive to the load increase transient before operator intervention. It should be noted that an operator error could delay the actuation of RT#1 if the operating plant configuration changed from four coolant pump operation to three and the flow trip select switch was left in the four pump position. While RT#1 could be delayed if the transient occurred simultaneously with change in pump configuration, the low coolant flow trip (RT#3) would be immediately initiated due to the operator error.

External Phenomena: The RPS is not vulnerable to CMF's caused by external phenomena during the load increase transient due to the available safe failure modes, physical separation and equipment diversity. Even if no credit is taken for the actual separation and isolation that exists in the RPS design, Table 4.12 shows that no single hypothesized generic failure could inhibit both RT#1 and RT#9 due to the complementary safe failure modes.
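The single-failure argument drawn from Table 4.12 for RT#8/RT#10 and for RT#1/RT#9 can be checked mechanically. The following Python is an added example, not part of the Consumers Power report; the table entries are transcribed from this copy of the report on the assumption that the scanned table reads row by row, and the function names are hypothetical.

```python
"""Added example: single-failure coverage check over Table 4.12.

Entries are transcribed from this copy of the report, assuming the scanned
table reads row by row. Function names are hypothetical.
"""
from itertools import combinations

# Columns: the five external-phenomena effects listed in the text.
FAILURES = (
    "loss of sensor channel signal",
    "severance of sense line",
    "open circuiting of sensor channel cables",
    "loss of RPS channel signal",
    "loss of power",
)

# Rows: reactor trip mode number -> effect code for each column above.
TABLE_4_12 = {
    1:  ("NT",  "NA",  "NT",  "CT", "CT"),   # high power level
    2:  ("NT",  "NA",  "NT",  "CT", "CT"),   # high power rate of change
    3:  ("CT",  "RTA", "CT",  "CT", "CT"),   # low flow, reactor coolant
    4:  ("CT",  "CTB", "CT",  "CT", "CT"),   # low water level, SG1
    5:  ("CT",  "CTB", "CT",  "CT", "CT"),   # low water level, SG2
    6:  ("CT",  "CT",  "CT",  "CT", "CT"),   # low pressure, SG1
    7:  ("CT",  "CT",  "CT",  "CT", "CT"),   # low pressure, SG2
    8:  ("CTA", "RTA", "CTA", "CT", "CT"),   # high pressurizer pressure
    9:  ("CT",  "RTA", "CT",  "CT", "CT"),   # thermal margin/low pressure
    10: ("NT",  "RT",  "NT",  "CT", "CT"),   # loss of load, turbine trip
    11: ("NT",  "NT",  "CT",  "CT", "CT"),   # high containment pressure
}

# Trip modes named in the text for each transient (Sections 4.2.2.1 to 4.2.2.3).
CREDITED = {
    "loss of electrical load": (8, 10),
    "load increase": (1, 9),
    "total loss of feedwater": (4, 5, 6, 7, 8, 9, 10, 11),
}


def inhibited(mode, column):
    """True when the table marks the failure as inhibiting this mode (NT).

    NA means the failure does not apply to the mode. CTB is a conditional
    trip and is counted as non-inhibiting here (assumption: the legend only
    defines NT as inhibiting).
    """
    return TABLE_4_12[mode][column] == "NT"


def surviving_modes(modes, column):
    """Trip modes from `modes` that the given single failure does not inhibit."""
    return [m for m in modes if not inhibited(m, column)]


def single_failure_gaps(transient):
    """Failures that would inhibit every trip mode credited for the transient."""
    modes = CREDITED[transient]
    return [
        FAILURES[col]
        for col in range(len(FAILURES))
        if not surviving_modes(modes, col)
    ]


def non_diverse_pairs():
    """Pairs of trip modes that at least one single failure inhibits together.

    Returns {(mode_a, mode_b): [failure, ...]}. A pair listed here would not
    support the complementary-failure-mode argument on its own.
    """
    pairs = {}
    for a, b in combinations(sorted(TABLE_4_12), 2):
        shared = [
            FAILURES[col]
            for col in range(len(FAILURES))
            if inhibited(a, col) and inhibited(b, col)
        ]
        if shared:
            pairs[(a, b)] = shared
    return pairs


if __name__ == "__main__":
    for name in CREDITED:
        print(name, "->", single_failure_gaps(name) or "no single-failure gap")
    for pair, causes in non_diverse_pairs().items():
        print("RT#%d and RT#%d share:" % pair, ", ".join(causes))
```

The pair listing shows that the argument depends on which modes are credited: a pairing drawn only from RT#1, RT#2, RT#10 and RT#11 would share an inhibiting failure under this reading of the table.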

External Normal Environment: The discussion presented for the loss of electrical load transient (Section 4.2.2.1) is applicable for all the ATWS events.

4.2.2.3 Loss of Feedwater

The loss of feedwater transient was analyzed for two conditions. The first analysis considered partial loss (50%) of feedwater. The second analysis considered the more severe reactor transient, total loss of feedwater.

At the beginning of the partial loss of feedwater transient, steam generator water level will drop in the affected steam generator and initiate the low level trip (either RT#4 or #5). Due to the increase in primary coolant temperature and pressure, the reactor power level will decrease slightly. Once the affected steam generator inventory decreases to the point that the heat transfer coefficient from the primary to secondary decreases, reactor power will decrease at a higher rate until a new equilibrium level of approximately 70% is achieved. A high pressurizer pressure RT signal will be initiated prior to 600 seconds into the transient. The consequences of the partial loss of feedwater transient are not severe. The reactor power level will achieve equilibrium at a new, lower level once the initial transient effects have diminished.

The total loss of feedwater is a severe reactor transient. The CMFA will evaluate the RPS vulnerability to CMF's during the total loss of feedwater transient.

The initial reactor response to this transient is similar to that discussed for the partial loss of feedwater transient. At the beginning of the transient a low steam generator water level RT signal will be generated by both steam generators.

Similar to the partial loss of feedwater transient, the heat transfer from primary to secondary starts decreasing as a result of the decrease in steam generator inventory. The primary coolant temperature will increase and reactor power will decrease until a new equilibrium level is achieved at decay heat levels. Concurrent with the increase of reactor primary coolant temperature, the RCS pressure will increase and generate a high pressurizer pressure trip signal (RT#8).

RCS pressure will continue increasing rapidly for approximately 200 seconds until a peak pressure is reached. Steam generator pressure will decrease, resulting in low steam generator pressure trip signals (RT#6 and #7) and the closing of the main steam isolation valves. The closing of the valves will generate a turbine trip and the associated scram (RT#10). The thermal margin/low pressure trip signals will also be generated prior to 600 seconds into this severe reactor transient.

The RCS pressure calculated for the CE generic plant during the loss of feedwater transient achieved a maximum value of 3406 psia. Due to the differences between the CE generic and the Palisades Plant which were discussed in Section 4.2.2, the consequence of the loss of feedwater transient for the Palisades Plant is less severe. It is concluded that the peak RCS pressure should not exceed the Palisades Plant RCS hydrostatic test limit of 3125 psia.

The total loss of feedwater transient also propagates the maximum energy release to the primary containment. Discharge through the pressurizer valves will cause the quench tank rupture disk to open and vent into containment. The resultant containment overpressurization will not exceed design limits. No fuel melting or fuel clad damage will occur during this severe transient.


Specific preventive measures provided by the existing RPS against the various causes of CMF's are discussed in the following paragraphs.

Functional Deficiencies: Two RT modes (RT#4 and #5), initiated by low steam generator level, are available to scram the reactor early in the transient. Functional diversity and equipment diversity are achieved by the numerous trip modes listed below, which monitor dissimilar plant operating parameters and can initiate a scram prior to possible operator intervention 600 seconds into the transient.

o High pressurizer pressure (RT#8)
o Low steam generator pressure (RT#6 and #7)
o Turbine trip (RT#10)
o Thermal margin/low pressure (RT#9)
o High containment pressure (RT#11).

Design or Manufacturing Deficiencies: The functional and equipment diversity denoted in the preceding paragraph is the primary defense against design or manufacturing deficiencies. The RPS design between the trip unit output relays and the M coils is vulnerable to design and manufacturing deficiencies. As discussed in Section 4.2.2.1, protection against CMF's caused by these deficiencies is achieved by periodic testing which ensures that all equipment is operational and would be responsive to valid scram signals.

Operating and Maintenance Errors: The functional and equipment diversity derived from all the trip modes responsive to the complete loss of feedwater transient is reflected in differences in calibration and maintenance procedures.

No single common mode operating or maintenance error was hypothesized that could inhibit all trip modes responsive to this transient.


External Phenomena: The RPS is not vulnerable to CMF's caused by external phenomena during the complete loss of feedwater transient due to the available safe failure modes, physical separation and equipment diversity. Even if no credit is taken for the actual separation and isolation that exists in the RPS design, Table 4.12 shows that due to the complementary failure modes existing in the RPS design, no single hypothesized generic failure could inhibit all the trip modes responsive to the transient (RT#4, #5, #6, #7, #8, #9, #10, and #11).

External Normal Environment: The discussion presented for the loss of electrical load transient (Section 4.2.2.1) is applicable for all the ATWS events.

4.2.2.4 Loss of Primary Flow

The loss of all coolant pumps was the hypothesized cause for the loss of primary flow transient. During the period of pump coastdown, a low coolant flow trip signal (RT#3) is generated. Primary coolant pressure and temperature will increase and reactor power will decrease during the period of decreasing flow and generate the high pressurizer pressure trip signals (RT#8). The minimum transient hot channel DNBR is also achieved during this period.

The minimum DNBR drops below 1.4 but does not achieve the 1.3 threshold.

The reactor power level becomes stable at approximately 80% of full power once the natural coolant flow is established.

600 seconds into the transient the operator manually actuates the SIS. The concentrated boron solution will reach the reactor core in approximately 150 seconds and initiates a reactor shutdown. After SI, reactor power decreases rapidly and stabilizes at decay heat levels. Later in the transient, thermal margin/low pressure, low steam generator level, low steam generator pressure and turbine trip signals are generated. The turbine trip is caused by the closure of the main steam isolation valves.


The consequences of this transient are mild. The peak RCS pressure is well below the design limits and the minimum hot channel DNBR is in excess of the 1.3 threshold. The CMFA will only take credit for RT#3 and RT#8 because the remaining RT's occur so late in the transient. Specific preventive measures provided by the existing RPS against the various causes of CMF's are discussed in the following paragraphs.

Functional Deficiencies: Two independent RT modes, high pressurizer pressure and low coolant flow, which monitor dissimilar plant operating parameters are available to scram the reactor early in the transient. These trip modes provide both functional diversity and equipment diversity during this transient. The sensors associated with each trip mode are of the generic force balance transmitter classification. The transmitters and power supplies associated with each trip mode are not only different models, but they are manufactured by different companies. No CMF, caused by functional deficiencies, was hypothesized which would inhibit the actuation of RT#3 and RT#8 during the loss of primary flow transient.

Design or Manufacturing Deficiencies: The functional and equipment diversity discussed in the preceding paragraph is the primary defense against CMF's caused by design or manufacturing deficiencies. Some portions of the RPS design are vulnerable to CMF's caused by design or manufacturing deficiencies. This subject was discussed in detail during the analysis of the loss of electrical load transient (Section 4.2.2.1).

Operating and Maintenance Errors: The functional and equipment diversity between RT#3 and RT#8 is reflected in differences in calibration and maintenance procedures. No single common mode error was hypothesized that could inhibit the RT modes responsive to the loss of primary flow transient before operator intervention. It should be noted that an operator error could delay the actuation of RT#3 if the operating plant configuration changed from three coolant pump operation to four and the flow trip select switch was left in the three pump position. While RT#3 could be delayed if the transient occurred simultaneously with change in pump configuration, the high power level trip (RT#1) would be immediately initiated due to the operator error.

External Phenomena: The RPS is not vulnerable to CMF's caused by external phenomena during the loss of primary flow transient due to the available safe failure modes, physical separation and equipment diversity. Even if no credit is taken for the actual separation and isolation that exists in the RPS design, Table 4.12 shows that no single hypothesized generic failure could inhibit both RT#3 and RT#8 due to the complementary safe failure modes.

External Normal Environment: The discussion presented for the loss of electrical load transient (Section 4.2.2.1) is applicable for all the ATWS events.

4.2.2.5 Loss of Normal Electrical Power

Upon loss of normal electrical power a turbine trip will occur and initiate the reactor trip signals (RT#10). Shortly thereafter, the low coolant flow trip signals (RT#3) will also occur. In the following seconds both low steam generator level trip signals (RT#4 and #5) and high pressurizer pressure signals (RT#8) occur. The emergency diesel generators start automatically and within 30 seconds will be capable of carrying full load.

The reactor power level will start decreasing and primary coolant pressure will increase. As a result of the increase in primary coolant pressure, the pressurized quench tank rupture disk will open and the containment will begin to pressurize. This will eventually result in the high containment pressure reactor trip signal (RT#11) and an automatic SIAS at approximately 300 seconds.

Once the boron reaches the mid-core the transient is essentially terminated.

The increase in reactor coolant temperatures and pressures is terminated prior to the automatic SIAS due to a combination of reduced heat generation-steam flow mismatch and reactor coolant flow stabilization at natural circulation levels. Late in the transient, thermal margin/low pressure trip signals (RT#9) will occur.

During the initial portion of this transient the hot channel DNBR undergoes a rapid decrease as a result of the increased reactor coolant temperature combined with the decreased reactor coolant flow. The resultant minimum DNBR will be slightly less than 1.3.

The RCS pressure calculated for the CE generic plant during the loss of normal electrical power transient reached a maximum value of 2985 psia which is less than the Palisades Plant RCS hydrostatic test limit of 3125 psia. The consequence of the loss of normal electrical power transient for the Palisades Plant is less severe due to the differences between the CE generic plant and the Palisades Plant. These differences are presented in Section 4.2.2.

Analysis of this transient assumed that manual action is taken, based on emergency procedures, to 1) actuate the steam generator atmosphere dump valves 20 minutes subsequent to initiation of the transient, and 2) cool the plant by means of the atmosphere dump valves, to a hot standby temperature of 525F in less than 45 minutes subsequent to initiation of the transient. The maximum possible radioactivity release was determined to be less than the limits given in 10CFR 100. During this analysis, it was also assumed that 1) AC offsite power is not restored and action is initiated to put the plant in a cold shutdown condition; 2) Atmosphere release is required until the reactor coolant temperature is reduced to the point where shutdown cooling can be initiated at 300F; 3) The shutdown cooling system is employed to remove decay heat, thus terminating release of steam.

Specific preventive measures provided by the existing RPS against the various causes of CMF's are discussed in the following paragraphs.

Functional Deficiencies: Functional diversity and equipment diversity are achieved by the numerous trip modes listed below, which monitor dissimilar plant operating parameters and can initiate a scram early in the transient.


o High pressurizer pressure (RT#8)
o Low coolant flow (RT#3)
o Low steam generator level (RT#4 and #5)
o Turbine trip (RT#10)

Design or Manufacturing Deficiencies: The functional and equipment diversity denoted in the preceding paragraph is the primary defense against CMF's caused by design or manufacturing deficiencies. Some portions of the RPS design are vulnerable to CMF's caused by design or manufacturing deficiencies. This subject was discussed in detail during the analysis of the loss of electrical load transient (Section 4.2.2.1).

Operating and Maintenance Errors: The functional and equipment diversity between RT#3, #4, #5, #8 and #10 is reflected in differences in calibration and maintenance procedures. No single common mode error was hypothesized that could inhibit all of the RT modes responsive to the loss of normal electrical power transient. It should be noted that an operator error could delay the actuation of RT#3 if the operating plant configuration changed from three coolant pump operation to four and the flow trip select switch was left in the three pump position. While RT#3 could be delayed if the transient occurred simultaneously with change in pump configuration, the high power level trip (RT#1) would be immediately initiated due to the operator error.

External Phenomena: The RPS is not vulnerable to CMF's caused by external phenomena during loss of normal electrical power transient due to the available safe failure modes, physical separation and equipment diversity. Even if no credit is taken for the actual separation and isolation that exists in the RPS design, Table 4.12 shows that no single hypothesized generic failure could inhibit all of the available trip modes due to the complementary safe failure modes.


External Normal Environment: The discussion presented for the loss of electrical load transient (Section 4.2.2.1) is applicable for all the ATWS events.

4.2.2.6 Inactive Primary Loop Startup

The analysis of this transient postulated that the reactor had one loop idle and two pumps in operation. Reactor power was 50% of rated power. The analysis disclosed (Reference 2) that the reactor power level would increase and achieve equilibrium at a new higher level after an inactive loop startup. The only trip mode responsive to this transient is the high power level trip (RT#1).

The inactive primary loop transient is very mild. No fuel limits are exceeded.

Since the transient is so mild the resultant perturbation to primary reactor operating parameters is not excessive. Only one parameter (reactor power) traverses outside of the normal operating envelope and initiates scram signals.

Since only one trip mode is responsive to this mild transient, no functional diversity or equipment diversity can exist. Table 4.2 presents a listing of equipment failures which would inhibit a RT#1 RPS channel trip. Based on the data presented in Table 4.2, numerous CMF's could be hypothesized which would inhibit the actuation of RT#1. No attempt was made to even evaluate the credibility of any hypothesized CMF because their consequence is not significant.

4.2.2.7 Rod Withdrawal

The rod withdrawal from full power is another mild transient. The rod withdrawal takes place at a relatively slow speed. The high power trip signal (RT#1) does not occur until approximately 90 seconds after the start of the transient. Subsequently, the high pressurizer pressure trip signal (RT#8) is initiated. Once rod withdrawal ceases, the reactor power achieves a new equilibrium at a higher power.


600 seconds into the transient the operator initiates the SIAS. When the boron reaches the mid-core, approximately 150 seconds later, reactor power starts decreasing and eventually achieves a new equilibrium at decay heat levels.

The RCS pressure decreases and a thermal margin/low pressure trip signal (RT#9) will also occur. The low steam generator pressure trips (RT#6 and #7) will also occur and the main steam isolation valve will close, tripping the turbine and causing a reactor trip (RT#10) signal. Finally, a low steam generator water level trip signal will occur.

The consequences of this transient are mild. RCS pressure will not exceed design limits and the minimum hot channel DNBR during the transient will remain well above the 1.3 threshold.

The CMFA will only take credit for RT#1 and RT#8 because the remaining RT's occur so late in the transient. Specific preventive measures provided by the existing RPS against the various causes of CMF's are discussed in the following paragraphs.

Functional Deficiencies: Two independent RT modes, high power level and high pressurizer pressure, which monitor dissimilar plant operating parameters can initiate a scram prior to operator intervention 600 seconds into the transient.

These trip modes provide both functional and equipment diversity in the RPS equipment during this transient.

Design or Manufacturing Deficiencies: The functional and equipment diversity discussed in the preceding paragraph is the primary defense against CMF's caused by design or manufacturing deficiencies. Some portions of the RPS are vulnerable to CMF's caused by design or manufacturing deficiencies. This subject was discussed in detail during the loss of load transient (Section 4.2.2.1).

Operating and Maintenance Errors: The functional and equipment diversity between RT#1 and RT#8 is reflected in differences in calibration and maintenance procedures. No single common mode error was hypothesized that could inhibit the RT modes responsive to the rod withdrawal transient before operator intervention. It should be noted that an operator error could delay the actuation of RT#1 if the operating plant configuration changed from four coolant pump operation to three and the flow trip select switch was left in the four pump position. While RT#1 could be delayed if the transient occurred simultaneously with change in pump configuration, the low coolant flow trip (RT#3) would be immediately initiated due to the operator error.

External Phenomena: The RPS is not vulnerable to CMF's caused by external phenomena during the rod withdrawal transient due to the available safe failure modes, physical separation and equipment diversity. Even if no credit is taken for the actual separation and isolation that exists in the RPS design, Table 4.12 shows that no single hypothesized generic failure could inhibit both RT#1 and RT#8 due to the complementary safe failure modes.

External Normal Environment: The discussion presented for the loss of electrical load transient (Section 4.2.2.1) is applicable for all the ATWS events.

4.2.2.8 Primary System Depressurization

This transient is initiated by the unexpected opening of a safety valve. During the initial period of the transient, reactor power will remain constant. RCS pressure decreases and ultimately generates a thermal margin/low pressure trip signal (RT#9). Once the pressure is reduced to the saturation point of the reactor vessel outlet plenum and hot legs, the RCS pressure and temperature will continue to decrease, but at a lower rate.

600 seconds into the transient the operator will initiate SIAS. When the boron solution reaches mid-core, approximately 150 seconds later, reactor power will rapidly decrease until a new equilibrium is established at decay heat


No unacceptable consequences are generated by this mild transient. The minimum hot channel DNBR is in excess of 2.0. The CMFA will only take credit for RT#9 because the remaining RT signals are generated late in the transient after the operator initiates SIAS. Since only one trip mode is responsive to this mild transient prior to operator intervention, no functional diversity or equipment diversity exists. Table 4.9 presents a listing of equipment failures which would inhibit a RT#9 RPS channel trip. Based on the data presented in Table 4.9, numerous CMF's could be hypothesized which would inhibit the actuation of RT#9. No attempt was made to even evaluate the credibility of any hypothesized CMF because their consequence is not significant.

4.2.2.9 Boron Dilution

As the boron dilution evolves, reactor power will increase slowly causing an increase in the RCS pressure and temperature. The resultant pressure may not be large enough to initiate the high pressurizer pressure trip signal (RT#8). The CMFA takes no credit for RT#8. The postulated boron dilution transient will propagate a high power level trip (RT#1) approximately 600 seconds into the transient.

600 seconds into the transient the operator will initiate SIAS. When the boron solution reaches mid-core, approximately 150 seconds later, reactor power will rapidly decrease until a new equilibrium is established at decay heat levels.

The RCS pressure will also decrease rapidly, resulting in a thermal margin/low pressure trip (RT#9). Concurrently with the decrease in power level, the steam generator pressure and water levels decrease and initiate trip signals RT#4, #5, #6, and #7. The low steam generator pressure signal will close the main steam isolation valves which will cause turbine trip and the associated scram signal RT#10.

No unacceptable consequences are generated by this mild transient. The minimum hot channel DNBR is slightly less than 3.0. The CMFA will only take credit for RT#1 because the remaining RT signals are generated late in the transient after the operator initiates SIAS. Since only one trip mode is responsive to this mild transient prior to operator intervention, no functional diversity or equipment diversity exists. Table 4.2 presents a listing of equipment failures which would inhibit a RT#1 RPS channel trip. Based on the data presented in Table 4.2, numerous CMF's could be hypothesized which would inhibit the actuation of RT#1. No attempt was made to even evaluate the credibility of any hypothesized CMF because their consequence is not significant.

4.2.2.10 Small Line Break

The postulated small line break transient was caused by the rupture of the largest primary instrument or sample line. The available charging flow at the Palisades Plant is not sufficient to balance the reactor coolant lost through the ruptured line. Consequently, RCS pressure and pressurizer level will decrease and generate a thermal margin/low pressure trip (RT#9) signal. The reactor power level remains constant during the transient until after SIAS.

600 seconds into the transient the operator will initiate SIAS. When the boron solution reaches mid-core, approximately 150 seconds later, reactor power will rapidly decrease until a new equilibrium is established at decay heat levels.

Concurrently with the decrease in power level, the steam generator pressure and water levels decrease and initiate trip signals RT#4, #5, #6, and #7. The low steam generator pressure signal will close the main steam isolation valves which will cause turbine trip and the associated scram signal (RT#10).

No unacceptable consequences are generated by this mild transient. The minimum hot channel DNBR is in excess of 3.0. The CMFA will only take credit for RT#9 because the remaining RT signals are generated late in the transient, after the operator initiates SIAS. Since only one trip mode is responsive to this mild transient prior to operator intervention, no functional diversity or equipment diversity exists. Table 4.9 presents a listing of equipment failures which would inhibit a RT#9 RPS channel trip. Based on the data presented in Table 4.9, numerous CMF's could be hypothesized which would inhibit the actuation of RT#9. No attempt was made to even evaluate the credibility of any hypothesized CMF because their consequence is not significant.
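The single-generic-failure argument made for each transient in Sections 4.2.2.3 through 4.2.2.10 (credited trip modes, complementary safe failure modes) can be checked mechanically. The Python sketch below is an added example and is not part of the original report: the credited trip modes per transient are taken from the text, while the sensor classes, the treatment of RT#10 as a low-going discrete input, and the stuck-high/stuck-low failure hypotheses are constructed assumptions that do not reproduce Table 4.12.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TripMode:
    number: int
    name: str
    sensor_class: str  # constructed, except RT#3/RT#8 (text: force balance transmitters)
    trips_on: str      # "high" or "low": side of the setpoint that produces a trip


FBT = "force-balance transmitter"
TRIP_MODES = {t.number: t for t in (
    TripMode(1, "High power level", "nuclear instrument", "high"),
    TripMode(3, "Low reactor coolant flow", FBT, "low"),
    TripMode(4, "Low water level, SG 1", FBT, "low"),
    TripMode(5, "Low water level, SG 2", FBT, "low"),
    TripMode(6, "Low pressure, SG 1", FBT, "low"),
    TripMode(7, "Low pressure, SG 2", FBT, "low"),
    TripMode(8, "High pressurizer pressure", FBT, "high"),
    TripMode(9, "Thermal margin/low pressure", FBT, "low"),
    # Assumption: the turbine-trip input is modelled as a low-going discrete signal.
    TripMode(10, "Loss of load, turbine trip", "turbine trip relay", "low"),
    TripMode(11, "High containment pressure", "containment pressure switch", "high"),
)}

# Trip modes credited before operator intervention, as listed in the text.
CREDITED = {
    "total loss of feedwater": {4, 5, 6, 7, 8, 9, 10, 11},
    "loss of primary flow": {3, 8},
    "loss of normal electrical power": {3, 4, 5, 8, 10},
    "inactive primary loop startup": {1},
    "rod withdrawal": {1, 8},
    "primary system depressurization": {9},
    "boron dilution": {1},
    "small line break": {9},
}


def generic_failures():
    """One common-mode hypothesis per (sensor class, stuck direction) pair."""
    classes = sorted({t.sensor_class for t in TRIP_MODES.values()})
    return [(c, d) for c in classes for d in ("high", "low")]


def inhibited_by(failure, credited):
    """Credited trips blinded by the failure: same sensor class, stuck on the
    side away from the trip setpoint. A signal stuck toward the setpoint
    produces a trip instead, which is the complementary safe failure mode."""
    sensor_class, stuck = failure
    return {n for n in credited
            if TRIP_MODES[n].sensor_class == sensor_class
            and TRIP_MODES[n].trips_on != stuck}


def assess(transient):
    """Report whether any single generic failure blinds every credited trip."""
    credited = CREDITED[transient]
    defeating = [f for f in generic_failures()
                 if inhibited_by(f, credited) == credited]
    return {"credited": sorted(credited),
            "diverse": len(credited) > 1,
            "defeated_by": defeating}


def vulnerable_transients():
    """Transients for which one generic failure inhibits all credited trips."""
    return sorted(t for t in CREDITED if assess(t)["defeated_by"])


if __name__ == "__main__":
    for name in CREDITED:
        result = assess(name)
        trips = ", ".join(f"RT#{n}" for n in result["credited"])
        verdict = result["defeated_by"] or "no single generic failure"
        print(f"{name}: credited {trips}; defeated by: {verdict}")
```

Under these assumptions only the four transients with a single credited trip mode are defeated by one generic failure, which matches the report's finding that diversity is absent exactly where only one trip mode responds before operator intervention.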


APPENDIX A

PALISADES PLANT REACTOR PROTECTION SYSTEM FAILURE MODE AND EFFECTS ANALYSIS

APPENDIX A

TABLE OF CONTENTS

1.0 INTRODUCTION
2.0 ANALYSIS BASELINE
3.0 ANALYSIS WORKSHEETS

LIST OF TABLES

A-1 REACTOR TRIP #1, HIGH POWER LEVEL
A-2 REACTOR TRIP #2, HIGH RATE-OF-CHANGE
A-3 REACTOR TRIP #3, LOW FLOW, REACTOR COOLANT
A-4 REACTOR TRIP #4, LOW WATER LEVEL, SG#1
A-5 REACTOR TRIP #5, LOW WATER LEVEL, SG#2
A-6 REACTOR TRIP #6, LOW PRESSURE, SG#1
A-7 REACTOR TRIP #7, LOW PRESSURE, SG#2
A-8 REACTOR TRIP #8, HIGH PRESSURIZER PRESSURE
A-9 REACTOR TRIP #9, THERMAL MARGIN/LOW PRESSURE
A-10 REACTOR TRIP #10, LOSS OF LOAD, TURBINE TRIP
A-11 REACTOR TRIP #11, HIGH CONTAINMENT PRESSURE
A-12 REACTOR TRIP #12, MANUAL
A-13 REACTOR TRIP MATRIX AND TRIP TRAIN

1.0 INTRODUCTION

This Appendix presents the Failure Mode and Effects Analysis (FMEA) for the Palisades Plant Reactor Protection System (RPS). The analysis was generated to establish a baseline for evaluating the RPS vulnerability to both single and common mode failures which would inhibit a required reactor trip from going to completion.


2.0 ANALYSIS BASELINE

The RPS reactor trip modes, which are available at the Palisades Plant, are defined in Section 3.0 of the Palisades Plant Reactor Protection System Failure Analysis. The principal source of data utilized for defining the existing RPS configuration was the Palisades Plant Final Safety Analysis Report through Amendment 28 (Docket 50-255), and the Palisades Plant Technical Specifications (Revision date November 27, 1974). Detailed system drawings were utilized to supplement the documentation noted above.


3.0 ANALYSIS WORKSHEETS

To establish a basis for performing a comprehensive reactor protection system failure analysis, a complete and integrated FMEA was conducted on the RPS design. The FMEA was generated at the system level on a functional basis (i.e., signal flow level). This approach evaluates the effects of failures observable at the interfaces between RPS modules (inputs/outputs) and the effect propagated on the total system operation. The significance of each failure on system operation was considered from two aspects:

o Failure of the RPS to function when required
o Inadvertent operation of the RPS when not required.

The analysis worksheets present the following data for each hypothesized failure in a tabular format:

o Failure identification or reference number
o Description of failed component
o Failure mode at the component/system level
o Failure symptoms and local effects (dependent failures included)
o Failure detection
o Inherent compensating provisions
o Effect on RPS.

Individual RPS components, and in some instances a group of components, are assigned a reference number in the analysis worksheets (e.g., 1.0, 2.0, 3.0, ...). When more than one failure mode is applicable to a specific component a secondary level of reference is applied (e.g., 1.1, 1.2, and 1.3 reference the discussions for three failure modes associated with component 1.0). When the discussion and format of the analysis worksheets (e.g., failure symptoms and local effects, failure detection, inherent compensating provisions, and effect on the RPS) are similar or applicable for more than one component failure, the initial discussion is normally referenced in lieu of repeating an identical or similar discussion. If the total FMEA for a component (all failure modes included) is directly applicable for another component, the initial analyses are jointly referenced by the primary component reference number (e.g., 1.0).

The analysis worksheets have been grouped into 13 tables. Tables A-1 through A-12 evaluate those portions of the integrated RPS design that are unique to the 12 reactor trip modes available at the Palisades Plant. Table A-13 evaluates the RPS trip train components that are common to all modes of reactor trip.
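The Table A-1 worksheets describe how one failed or bypassed channel reshapes the 2/4 coincidence logic for RT#1 (half tripped and 1/3, or 2/3). The Python model below is an added example and is not part of the original report; the channel-state and function names are hypothetical, and it assumes a bypass simply removes that channel's vote.

```python
from enum import Enum


class Ch(Enum):
    OK = "operational"
    FAILED_TRIPPED = "failed tripped"      # e.g. ion chamber fails high
    FAILED_UNTRIPPED = "failed untripped"  # e.g. ion chamber fails low
    BYPASSED = "bypassed"                  # vote removed by the operator


REQUIRED = 2  # channel trips needed in the normal 2-out-of-4 arrangement


def effective_logic(states, required=REQUIRED):
    """Return (m, n): m further channel trips are needed from the n channels
    that can still respond to the monitored parameter."""
    stuck_votes = sum(s is Ch.FAILED_TRIPPED for s in states)
    live = sum(s is Ch.OK for s in states)
    return max(required - stuck_votes, 0), live


def can_trip(states, required=REQUIRED):
    """True when the live channels can still complete the coincidence."""
    needed, live = effective_logic(states, required)
    return needed <= live


def trips(states, demand, required=REQUIRED):
    """Coincidence logic output. demand[i] is True when the parameter seen by
    channel i has really crossed its setpoint."""
    votes = 0
    for state, demanded in zip(states, demand):
        if state is Ch.FAILED_TRIPPED or (state is Ch.OK and demanded):
            votes += 1
    return votes >= required


def describe(states):
    """Render the effective logic in the worksheet's m/n notation."""
    needed, live = effective_logic(states)
    return f"{needed}/{live}"


if __name__ == "__main__":
    healthy = [Ch.OK] * 4
    cases = {
        "all channels healthy": healthy,
        "one channel failed tripped (item 1.1)": [Ch.FAILED_TRIPPED] + healthy[1:],
        "one channel failed untripped (item 1.2)": [Ch.FAILED_UNTRIPPED] + healthy[1:],
        "one channel bypassed": [Ch.BYPASSED] + healthy[1:],
        "common mode: all four fail untripped": [Ch.FAILED_UNTRIPPED] * 4,
    }
    for label, states in cases.items():
        print(f"{label}: logic {describe(states)}, "
              f"trip still possible: {can_trip(states)}, "
              f"spurious trip: {trips(states, [False] * 4)}")
```

The last case is the one the common mode failure analysis is concerned with: redundancy within a single trip mode gives no protection when the same failure reaches every channel.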


TABLE A-1
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP #1, HIGH POWER LEVEL

No. 1.1
Name: Uncompensated Ion Chamber A (Channel 5 Nuclear Inst. System, RPS-Channel A)
Failure Mode: Fail High
Failure Symptoms and Local Effects Including Dependent Failures: The summed output of Chamber A and B will trip the pre-trip and trip bistable units associated with 4, 3, and 2 pump system operation. This will propagate a channel trip signal from the aux. channel trip unit. One of the three pre-trip bistable units will generate a trip signal in the rod withdrawal prohibit logic.
Method of Detection: Channel Trip and Pre-Trip Alarms for RT#1
Inherent Compensating Provision: RPS 2/4 logic inhibits spurious RT and rod withdrawal prohibit function. When the failure is diagnosed and isolated by plant personnel, the channel function may be restored by switching the failed ion chamber out of the summing circuit and doubling the signal generated by the operational ion chamber.
Effects on RPS: RT#1 logic is half tripped and changed to a 1/3 configuration.
Remarks and Other Effects: One invalid channel trip may be bypassed for RT#1. When one channel is bypassed, RT#1 logic changes to a 2/3 configuration.

No. 1.2
Failure Mode: Fail Low
Failure Symptoms and Local Effects Including Dependent Failures: The sudden decrease of signal level will generate a dropped rod signal which will initiate turbine runback.
Method of Detection: Dropped Rod Alarm
Inherent Compensating Provision: Only 2/4 channels are required to trip to actuate RT#1.
Effects on RPS: RT#1 logic is changed to a 2/3 configuration.

No. 1.3
Failure Mode: Output Signal Constant
Failure Symptoms and Local Effects Including Dependent Failures: The constant signal level generated by the ion chamber will bias the summed channel output.
Method of Detection: Flux Tilt Deviation Alarm
Inherent Compensating Provision: See 1.2. While the failure does not inhibit a channel trip, it will delay the trip until the signal level from the associated ion chamber is sufficient to compensate for the low level bias from the failed chamber.
Effects on RPS: See 1.2

No. 1.4
Failure Mode: Short Across Signal Lines or Open Signal Line
Failure Symptoms and Local Effects Including Dependent Failures: The effect of the failure is the same as fail low (1.2).
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2

No. 2.0
Name: Uncompensated Ion Chamber B (Channel 5)
Failure Mode: All Modes
Failure Symptoms and Local Effects Including Dependent Failures: Ion Chambers A and B are identical in configuration. The FMEA for Chamber A is applicable for Chamber B.

No. 3.0
Name: Linear Amplifier Chamber A
Failure Mode: All Modes
Failure Symptoms and Local Effects Including Dependent Failures: The FMEA for Chamber A (item 1.0) is applicable for all modes of the linear amplifier.

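TABLE A-1 (cont'd)
RPS FMEA, REACTOR TRIP #1

No. 4.0
Name: Linear Amplifier Chamber B
Failure Mode: All Modes
Failure Symptoms and Local Effects Including Dependent Failures: See 3.0

No. 5.1
Name: High Voltage Power Supply
Failure Mode: Loss of Output
Failure Symptoms and Local Effects Including Dependent Failures: The power supply is common to both ion Chambers A and B. The effect of the failure is the same as 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

No. 5.2
Failure Mode: Off Nominal Output
Failure Symptoms and Local Effects Including Dependent Failures: Both ion chambers will generate erroneous outputs. No significant operational impact unless the summed output signal is driven to an extreme condition. See 1.1 and 1.2 for details.
Method of Detection: See 1.1 and 1.2
Inherent Compensating Provision: See 1.1 and 1.2
Effects on RPS: See 1.1 and 1.2

No. 5.3
Failure Mode: Loss of Input Power Supply (Pnl Y10, Bkr #13)
Failure Symptoms and Local Effects Including Dependent Failures: All bistable units will go to the tripped state.
Method of Detection: See 1.1
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1
Remarks and Other Effects: See 1.1

No. 6.0
Name: Power Summer
Failure Mode: All Modes
Failure Symptoms and Local Effects Including Dependent Failures: The FMEA for ion Chamber A is applicable for all modes of the summer.

No. 7.0
Name: Subchannel Comparator (Chamber A)
Failure Mode: All Modes
Failure Symptoms and Local Effects Including Dependent Failures: The subchannel comparator is buffered from both ion Chamber A and B signals in the RPS circuits. No failure of the comparator can propagate a fault in the RPS circuits.
Inherent Compensating Provision: None required.
Effects on RPS: None

No. 8.0
Name: Subchannel Comparator (Chamber B)
Failure Mode: All Modes
Failure Symptoms and Local Effects Including Dependent Failures: See 7.0
Inherent Compensating Provision: None required.
Effects on RPS: None

No. 9.0
Name: Subchannel Deviation Comparator
Failure Mode: All Modes
Failure Symptoms and Local Effects Including Dependent Failures: See 7.0
Inherent Compensating Provision: None required.
Effects on RPS: None

No. 10.0
Name: Power Indicator
Failure Mode: Invalid Indication
Failure Symptoms and Local Effects Including Dependent Failures: The failure does not induce secondary failures.
Method of Detection: Status Check of Power Indicators
Inherent Compensating Provision: The indicator is buffered from the active RPS circuits. No indicator failure can propagate a RPS failure.
Effects on RPS: None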

TABLE A-1 (cont'd)

RPS FMEA REACTOR TRIP #1 Failure Symptoms and Local Effects Method of Inherent Compensating No.

Name Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects 10.1 Bistable Unit Fails Tripped The bistable output relay is de-When 2 or 3 Pumps None required if 2 or 3 None when 2 or 3 See 1.1 7

(Setpoipt energized and drops out. The Channel are On Line, Peri-pumps are on line. When pumps are on line.

Exceeded)

A aux. trip unit relays (Kl, K2, and K3) odic Test or Panel 4 pumps are on line, RPS When 4 pumps are on are de-energized (via the flow trip set-Status Check.

2/ 4 logic inhibits spurious line the RT#l logic is point select switch) when the plant is When 4 Pumps On RT due to a single channel half tripped.

operating with 4 coolant pumps.

Line, Channel Trip trip.

Alarm for RT# 1.

10.2 Fails Un-Channel A trip for RT#l is disabled Periodic Test Only 2/4 channels are re-When 4 pumps are on tripped when 4 pumps are on line.

quired to trip to actuate line, RT#l logic is RT#l.

changed to a 2/3 con-figuration.

10.3 Loss of Input The bistable will go to the tripped state See 10.1 See 10.l See 10.1 Power Supply See 10.1.

(Pnl Y10, Bkr #13) 11.1 Bistable Unit Fails Tripped The bistable output relay is de-When 4 Pumps are When 4 pumps are on line, When 4 pumps are on 3

(Setpoint energized and drops out. The channel On Line, Channel RPS 2/4 logic inhibits a line, RPS rod with-Exceeded) aux. trip unit pre-trip relay is de-A Pre-Trip Alarm spurious rod withdrawal drawal prohibit func-energized when the plant is operating prohibit command.

tion is half tripped.

with 4 pumps.

The associated logic is changed to a 1/3 configuration.

11.2 Fails Un-The Channel A aux. trip unit pre-trip Periodic Test Only 2/4 channels are re-When 4 pumps are on tripped function is disabled when 4 pumps are quired to trip to actuate the line, the rod with-on line.

rod withdrawal prohibit drawal prohibit logic function.

is changed to a 2/3 configuration.

11.3

Loss of Input The bistable will go to the tripped state See 11.1 See 11.1 See 11.1 Power Supply See 11.1.

(Pnl Y10, Bkr #13) 12.1 Bistable Unit Fails Tripped The bistable output relay is de-When 2 or 4 Pumps None required if 2 or 4 None when 2 or 4 See 1.1 6

(Setpoint energized and drops out. The Channel are On Line, Peri-pumps are on line. When 3 pumps are on line.

Exceeded)

A aux. trip unit relays (K1, K2, and K3) odic Test or Panel pumps are on line, RPS 2/4 When 3 pumps are on are de-energized (via the flow trip set-Status Check.

logic inhibits spurious RT line, the RT#1 logic is point select switch) when the plant is When 3 Pumps are due to a single channel half tripped.

operating with 3 coolant pumps.

On Line, Channel trip.

Trip Alarm for RT#1

TABLE A-1 (cont'd)

RPS FMEA REACTOR TRIP #1 Failure Symptoms and Local Effects Method of

Inherent Compensating No.

Name Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects 12.2 Bistable Unit Fails Un-Channel A trip for RT#1 is disabled Periodic Test Only 2/4 channels are re-When 3 pumps are on 6

tripped

when 3 pumps are on line.

quired to trip to actuate line, RT#1 logic is RT#1.

changed to a 2/3 configuration.

12.3 Loss of Input The bistable will go to the tripped See 12.1 See 12.1 See 12.1 Power Supply state. See 12.1.

(Pnl Y10, Bkr #13) 13.1 Bistable Unit Fails Tripped The bistable output relay is de-When 3 Pumps are When 3 pumps are on line, When 3 pumps are on 4

(Setpoint energized and drops out. The Channel On Line, Channel RPS 2/4 logic inhibits a line, RPS rod with-Exceeded)

A aux. trip unit pre-trip relay is de-A Pre-Trip Alarm spurious rod withdrawal drawal prohibit func-energized when the plant is operating prohibit command.

tion is half tripped.

with 3 pumps.

The associated logic is changed to a 1/3 configuration.

13.2 Fails Un-The Channel A aux. trip unit pre-trip Periodic Test Only 2/4 channels are re-When 3 pumps are on tripped function is disabled when 3 pumps are quired to trip to actuate line, the rod with-on line.

the rod withdrawal pro-drawal prohibit logic hibit function.

is changed to a 2/3 configuration.

13.3 Loss of Input The bistable will go to the tripped See 13.1 See 13.1 See 13.1 Power Supply state. See 13.1.

(Pnl Y10, Bkr #13) 14.1 Bistable Unit Fails Tripped The bistable output relay is de-When 3 or 4 Pumps None required if 3 or 4 None when 3 or 4 See 1.1 2

(Setpoint energized and drops out. The Channel are On Line, Peri-pumps are on line. When pumps are on line.

Exceeded)

A aux. trip unit relays (K1, K2, and K3) odic Test or Panel 2 pumps are on line, RPS When 2 pumps are on are de-energized (via the flow trip set-Status Check.

2/4 logic inhibits spurious line, the RT#1 logic point select switch) when the plant is When 2 Pumps are RT due to a single channel is half tripped.

operating with 2 coolant pumps.

On Line, Channel trip.

Trip Alarm for RT#1 14.2 Fails Un-Channel A trip for RT#1 is disabled Periodic Test Only 2/4 channels are re-When 2 pumps are on tripped when 2 pumps are on line.

quired to trip to actuate line, RT#1 logic is RT#1.

changed to a 2/3 configuration.

RPS FMEA No. Name 14.3 Bistable Unit 2

15.1 Bistable Unit 5

15.2 15.3 16.1 Aux. Trip Unit 16.2 16.3 TABLE A-1 (cont'd)

REACTOR TRIP #1 Failure Symptoms and Local Effects Method of Inherent Compensating Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects Loss of Input The bistable will go to the tripped See 14.1 See 14.1 See 14.1 Power Supply state. See 14.1.

(Pnl Y10, Bkr #13)

Fails Tripped The bistable output relay is de-When 2 Pumps are When 2 pumps are on line, When 2 pumps are on (Setpoint energized and drops out. The Channel On Line, Channel RPS 2/4 logic inhibits a line, RPS rod with-Exceeded)

A aux. trip unit pre-trip relay is de-A Pre-Trip Alarm spurious rod withdrawal drawal prohibit func-energized when the plant is operating prohibit command.

tion is half tripped.

with 2 pumps.

The associated logic is changed to a 1/3 configuration.

Fails Un-The Channel A aux. trip unit pre-trip Periodic Test Only 2/4 channels are re-When 2 pumps are on tripped function is disabled when 2 pumps are quired to trip to actuate line, the rod with-on line.

the rod withdrawal prohibit drawal prohibit logic

function, is changed to a 2/3 configuration.

Loss of Input The bistable will go to the tripped See 15.1 See 15.1 See 15.1 Power Supply state. See 15.1.

(Pnl Y10, Bkr #13)

Fails Tripped The trip relays (K1, K2, and K3) to the Channel A Trip RPS 2/4 logic inhibits a RT#1 logic is half One invalid channel trip may RPS 2/4 logic matrix are de-energized Alarm for RT#1 spurious RT due to a single tripped and is changed be bypassed for RT#1. When and drop out.

channel trip.

to a 1/3 configuration. one channel is bypassed, RT#1 changes to a 2/3 con-figuration.

Fails Un-Channel A trip for RT#1 is disabled.

Periodic Test Only 2/4 channels are re-RT#1 logic is changed tripped quired to trip to actuate to a 2/3 configuration.

RT#1.

Pre-Trip Fails The pre-trip relay, KS, is de-energized Pre-Trip Alarm The rod withdrawal prohibit No effect on the RPS Tripped and drops out and generates a rod with-logic required 2/4 power RT#1 function.

drawal prohibit signal.

range pre-trip signal to actuate. This logic inhibits

spurious actuation.

TABLE A-1 (cont'd)

RPS FMEA REACTOR TRIP #1 No.

16.4 16.5 16.6 16.7 17.1 17.2 Name Aux. Trip Unit Failure Mode Symptoms and Local Effects Including Dependent Failures Method of Detection Pre-Trip Fails The pre-trip relay (KS) cannot drop out Periodic Test Untripped and generate a rod withdrawal prohibit signal.

Relay K1 or K2 or K3 Fails to Energized State The Channel A trip function is degraded. Periodic Test Only 2/3 trip relays will drop out when the bistable trips. 1 of 6 RPS trip modules cannot actuate RT#1.

Inherent Compensating Provision Effects on RPS Remarks and Other Effects Only 2/4 power range See 16.3 channel pre-trip signals are required to actuate the rod withdrawal prohibit function.

See 16.2 RT#1 logic is degraded. Only 1 of 6 trip modules Channel A trip is only are required to actuate an 2/3 effective.

RT.

Relay K1 or Partial Channel A trip. 1 of the 6 RPS Status Check of See 16.1 1 of the 6 RPS trip modules is half tripped for RT#1.

K2 or K3 Fails trip modules is half tripped.

Bistable Trip Relay to De-ener-gized State Loss of Input Power Supply (Pnl Y10, Bkr #13)

Manual Switch Jams or Binds (Flow Trip Setpoint Select)

Contact Set Fails Open The aux. trip unit will go to the tripped state. All channel trip and pre-trip relays are de-energized. See 16.1 and 16.3.

Lights Channel A Trip and Pre-Trip Alarm for RT#1 Switch position cannot be changed. No Cannot Change effect until required to change the num-Switch Position ber of coolant pumps on line. The When Required position of this switch determines the fixed setpoints for RT#1 and RT#3.

The voltage input signal to the aux.

trip unit through the bistable output re-lay is open circuited and trips the channel trip or pre-trip sections of the aux. trip unit. Either channel aux.

trip unit trip relays or the pre-trip re-lays are de-energized and drop out.

(The contact set is assumed to be as-sociated with the bistable for channel trip or pre-trip.)

Either Channel Trip Alarm for RT#1 or Channel Pre-Trip Alarm for RT#1 See 16.1 and 16.4 If number of pumps on line is constant, none are re-quired. If the number of pumps on line changes,

either RT#1 or RT#3 will be immediately actuated on all channels. No channel trip is completely inhibited by an invalid setpoint. The channel trip is delayed un-til a more severe transient condition (e.g., lower flow rate or higher power level) is achieved.

RPS 2/4 logic inhibits either spurious RT or rod withdrawal prohibit func-

tion.

See 16.1 and 16.4 If the number of pumps on line is constant, no effect. If the number of pumps is decreased, RT#3 2/4 logic is actuated and scrams the reactor. If the number of pumps is increased, RT#1 2/4 logic is actuated and scrams the reactor.

Either RT#1 or the rod withdrawal prohibit function is half tripped. The logic changes to a 1/3 configuration.

3 position switch. Position #1 - 4 pump operation.

Position #2 - 3 pump opera-tion. Position #3 - 2 pump operation.

One invalid channel trip may be bypassed for RT#1. When one channel is bypassed, both the RT and pre-trip logic changes to a 2/3 con-figuration.

TABLE A-1 (cont'd)

RPS FMEA No.

17.3 18.1 18.2 18.3 18.4 19.0 20.1 Name Failure

Mode Manual Switch Control Set (Flow Trip Fails Closed Setpoint Select)

Manual Switch Fail Open (Trip #1 By-pass Channel A)

Fail Closed Single Con-tact Set -

Fails Open Single Con-tact Set -

Fails Closed Bistable Unit All Modes 8

Bistable Unit Fails Tripped 1

(Setpoint Exceeded)

Symptoms and Local Effects Including Dependent Failures No effect. This is the normal contact position. If the switch position cannot be changed due to a contact failing closed, see 17.1.

The key lock switch is N.O. and is only used to remove an invalid trip and change the RT configuration to 2/3.

Three separate switch contacts in parallel with the three normally open contacts of the trip unit close and in-hibit a valid channel trip.

See 18.1 1 of the 3 bistable trip relays is dis-abled.

The bistable is not associated with and is buffered from the RPS circuits. No fault in the bistable can propagate the RPS circuits.

The bistable unit de-energizes an auxiliary relay when tripped. The relay N.C. contacts provide a signal to rate trip (RT#2) inhibit logic to bypass the trip. The relay N.O. contacts provide a signal to RT#10 to remove the auto-matic bypass. The bistable normally trips when the reactor power level is greater than 15%. When the power level is less than 15%, the channel A trip for RT#2 is bypassed and the trip Method of Detection Periodic Test Status Check.

Light above Switch is Illuminated Periodic Test Periodic Test Panel Status Check

and Bypass Alarm Inherent Compensating Provision The switch is N.O. during normal plant operation.

See 16.2 See 18.1 See 16.1 None required.

During normal plant op-eration (reactor power greater than 15%), none are required because the bistable is normally trip-ped. If reactor power level is less than 15%, the RPS 2/4 logic inhibits spurious RT due to a single RT#10 channel trip. Only 2/4 channels are required REACTOR TRIP #1 Effects on RPS Remarks and Other Effects An invalid Channel A 1 key is available for use trip cannot be by-with the 4 bypass switches passed to remove the (Channel A, B, C, and D).

half trip condition.

Only 1 channel trip may be RT#1 logic cannot be bypassed.

changed to a 2/3 con-figuration.

See 16.2 1 of the 3 bistable unit trip relays cannot be bypassed after an in-valid channel trip. 1 of the 6 trip logic (2/4) modules will be half tripped.

1 of the 6 RPS trip logic modules cannot actuate RT#1.

None During normal plant operation (power above 15%), no effect on RT#2 or RT#10.

RPS FMEA No.

20.1 (cont'd) 20.2 20.3 21.1 21.2 21.3 22.1 Name Bistable Unit 1

Low Voltage Power Supply Range Switch Failure Mode Fails Un-tripped

Loss of Input Power Supply (Pnl Y10, Bkr #13)

Loss of Out-put Off Nominal Output Loss of Input Power (Pnl Y10, Bkr #13)

Fails in Low Range Posi-tion (X10)

TABLE A-1 (cont'd)

Symptoms and Local Effects Including Dependent Failures for RT#10 is not bypassed.

RT#10 Channel A trip is bypassed.

RT#2 Channel A trip is enabled when reactor power is above 10-4%.

The bistable will go to the untripped state. See 20.1

All Channel A power range bistables will go to the tripped state. All by-passes generated by this channel will go to the unbypassed state.

The ion chamber signal conditioning equipment will generate erroneous out-puts. No significant operational im-pact unless the chamber outputs are driven to an extreme condition. See

1.1, 1.2 and 1.3 for details.

The effect of the failure is the same as 21.1.

The channel high power level trip is actuated when reactor power is greater than 10.65%.

During normal plant operation, a channel trip (RT#1) is generated.

Method of Detection Panel Status Check and Bypass Alarm Status Panel Check Channel Trip and Pre-Trip Alarms See 1.1 and 1.2 See 21.1 See 16.1 Inherent Compensating Provision to trip to actuate RT#2 when reactor power is greater than 10-4% and less than 15%.

When reactor power level is greater than 15%, only 2/4 RPS channels are re-quired to trip to actuate RT#10. RPS 2/4 logic in-hibits spurious RT due to a single RT#2 channel trip.

See 20.1 RPS 2/4 logic inhibits spurious RT due to a single channel trip.

See 1.1 and 1.2 See 21.1 See 16.1 Effects on RPS The RT#10 logic is changed to a 2/3 configuration. RT#2 logic is half tripped if Channel A RT#2 bistable trips above 10-4% reactor power.

If RT#2 Channel A trips, the logic is changed to a 1/3 configuration.

See 20.1 RT#1 logic is half tripped and changes to a 1/3 configura-tion.

See 1.1 and 1.2 See 21.1 See 16.1 REACTOR TRIP #1 Remarks and Other Effects


RPS FMEA No.

22.2 23.0 24.0 25.0

Name Range Switch Channel B Components Channel C Components Channel D

Components TABLE A-1 (cont'd)

Failure Symptoms and Local Effects Method of Inherent Compensating Mode Including Dependent Failures Detection Provision Fails in Nor-In low power operation (less than Status Check of None required during mal Range 10.65% reactor power), the channel Power Level normal operation.

Position (X1) high power level trip is delayed until Meters the power level exceeds 10.65%.

All Modes All high power level instrumentation and trip channels (A, B, C, D) are identical in configuration. The FMEA for Channel A components (items 1-22) is applicable for all channels.

All Modes See 23.0 All Modes See 23.0 REACTOR TRIP #1 Effects on RPS Remarks and Other Effects During low reactor power operation, the RT#1 logic is changed to a 2/3 configura-tion.

The Channel B power source is Pnl Y20, Bkr #13.

The Channel C power source is Pnl Y30, Bkr #13.

The Channel D power source is Pnl Y40, Bkr #13.

No.

1.1 1.2 1.3 1.4 2.1 2.2 2.3 2.4 2.5 3.1 TABLE A-2 FAILURE MODE AND EFFECTS ANALYSIS PALISADES PLANT REACTOR PROTECTION SYSTEM REACTOR TRIP #2, HIGH RATE-OF-CHANGE Failure Symptoms and Local Effects Method of Inherent Compensating Name Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects Channel 3 Fail High High signal level to Channel 3 nuclear RT#2 Channel Pre-None RT#2 when not in auto RT#2 is automatically by-Fission instrumentation and trip logic circuits.

Trip and Trip Alarms matic bypass.

passed below 10-4% and Counter If reactor power is less than 10-4%, above 15% of full reactor the zero power mode switch will be dis-power.

abled on two RPS channels. Two pre-trip and two channel trip signals will be generated and propagate channel trips on two RPS aux trip units.

Fail Low The zero power mode switch will not Status Check of Only 1/2 Rate of Change RT#2 sensor inputs are be automatically disabled on 2 RPS Channel 3 and 4 Channels (3 or 4) are re-degraded to a 1/1 con channels. The RT#2 function is dis-Indicators quired to actuate RT#2.

figuration and the trip abled on two RPS channels.

logic changes to a 2/2 configuration.

Output Sig-The constant signal disables the chan-See 1.2 See 1.2 See 1.2 nal Constant nel RT#2 function.

Short Across The effect of the failure is the same See 1.2 See 1.2 See 1.2 Signal Lines as fail low.

or Open Signal Line Pre Amp Output Sig-The effect of the failure is the same See 1.1 See 1.1 See 1.1 (Channel 3) nal High as 1.1.

Output Sig-The effect of the failure is the same See 1.2 See 1.2 See 1.2 nal Low as 1.2.

Output Sig-The effect of the failure is the same See 1.2 See 1.2 See 1.2 nal Constant as 1.3.

Short Across The effect of the failure is the same See 1.2 See 1.2 See 1.2 Signal Lines as 1.4.

or Open Signal Line Loss of Any See 1.2 See 1.2 See 1.2

See 1.2 Input Power Supply (Pnl Y30, Bkr #13)

High Voltage Loss of Out-The effect of the failure is the same Detector Operating See 1.2 See 1.2 Power Supply put as 1.2.

Voltage Alarm

TABLE A-2 (cont'd)

RPS FMEA REACTOR TRIP #2 Failure Symptoms and Local Effects Method of Inherent Compensating No.

Name Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects 3.2 High Voltage Off Nominal The fission counter may generate er-See 1.1 and 1.2.

See 1.1 and 1.2 See 1.1 and 1.2 Power Supply Output roneous outputs. If voltage drops 15%

Possible Detector below the normal operating level, the Operating Voltage voltage supply alarm is actuated. No Alarm significant operational impact is propa-gated by the high voltage failure unless the detector output signal is driven to an extreme condition. See 1.1 and 1.2 for details.

3.3 Loss of Input All bistables will go to the tripped See 1.1 See 1.1 See 1.1 Power Supply state.

(Pnl Y30, Bkr #13) 4.1 Low Voltage Loss of Out-See 3.1 See 1.2 See 1.2 See 1.2 Power Supply put 4.2 Off Nominal See 3.2 See 1.1 and 1.2 See 1.1 and 1.2 See 1.1 and 1.2

Output 4.3 Loss of Input All bistables will go to the tripped See 1.1 See 1.1 See 1.1 Power Supply state.

(Pnl Y30, Bkr #13) 5.1 Pulse Amp Loss of Out-Low level input to summing amplifier See 1.2 See 1.2 See 1.2 and Count put (Fail Low) would propagate the same effect as the Rate Circuits the channel fission counter failing low.

See 1.2. 5.2 High Output

The effect of the failure is the same See 1.1 None RT when not in auto-Signals as 1.1.

matic bypass.

5.3 Loss of Power See 5.1 See 1.2 See 1.2 See 1.2 Supply (Pnl Y30, Bkr #13) 6.1 Summing Amp High Signal The effect of the failure is the same See 1.1 None RT#2 when not in Level Output as 1.1.

automatic bypass. 6.2 Low Signal The effect of the failure is the same See 1.2 See 1.2 See 1.2 Level Output as 1.2.

TABLE A-2 (cont'd)

RPS FMEA Failure Symptoms and Local Effects Method of Inherent Compensating No. Name Mode Including Dependent Failures Detection Provision 6.3 Summing Amp Constant Sig-The effect of the failure is the same See 1.3 See 1.3 nal Level as 1.3.

Output 6.4 Loss of Power See 6.2 See 1.2 See 1.2 Supply (Pnl Y30, Bkr #13)

7.1 Power Rate of High Signal Rate bistable units 1, 2, 3, and 4 trip. RT#2 Channel Trip None

Change Ampli Level Output Two pre-trip and two channel trip sig-and Pre-Trip Alarms fier nals (A and C) are generated and propa-gate channel trips on two RPS aux trip units. The failure does not propagate

any effect on the zero power mode by-pass switch operation.

7.2

Low Signal The RT#2 function is disabled on two Status Check of See 1.2 Level Output RPS channels.

Channel 3 and 4

Rate of Change

Indicators

7.3 Output Sig-See 7.2 See 7.2 See 1.2 nal Constant 7.4 Loss of Power See 7.2 See 7.2 See 1.2 Supply (Pnl Y30, Bkr #13) 8.0 HV Bistable All Modes The bistable is not associated with and None required.

unit is buffered from the RPS circuits. The bistable provides an alarm if the detec-tor operating voltage falls below 15%

of the normal value. No fault in the bistable can propagate a fault in the RPS circuits.

9.1 Flux Bistable Fails Tripped The bistable is tripped during normal Periodic Test RPS 2/4 logic inhibits Unit 2 (Setpoint plant operation. When tripped, the spurious RT during zero Exceeded) unit provides a signal to disable the power mode testing.

zero power mode bypass on one of the four RPS channels. REACTOR TRIP #2 Effects on RPS Remarks and Other Effects See 1.3 See 1.2 RT#2 when not in auto-matic bypass.

See 1.2 See 1.2 See 1.2 None None during normal Bistable trips when reactor plant operation.

power level exceeds 10-4%

of full power.

TABLE A-2 (cont'd)

RPS FMEA REACTOR TRIP #2 Failure Symptoms and Local Effects Method of Inherent Compensating No. Name Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects

9.2 Flux Bistable Fails Un-The zero power mode bypass is not Periodic Test Only 2/4 RPS channels are RT#3, 6, 7 and 9 logic

Unit 2 tripped automatically disabled when reactor required to trip to actuate is changed to a 2/3 power exceeds 10-4%. RT#3, 6, 7, and RT#3, 6, 7, and 9. The configuration.

9 trips are inhibited on one RPS chan-zero power mode bypass

nel.

switch is the primary

means to enable or disable the function. The bistable unit provides an automatic backup for operator action during controlled testing.

9.3 Loss of Input The bistable will go to the tripped Periodic Test See 9.1 See 9.1 Power Supply state. See 9.1.

(Pnl Y30, Bkr #13)


10.0 Flux Bistable All Modes Flux bistable unit 3 is identical to unit Unit 3

2. Unit 3 provides signals to a differ-ent RPS channel. See 9.0 above for details.

11.0 Flux Bistable All Modes The bistable is a spare unit with no None required. None

Unit 1 RPS circuit interface.

12.0 Rate Bistable All Modes See 11.0 None required. None Unit 1 13.1 Rate Bistable Fails Tripped Unit 3 provides a pre-trip signal and RT#2 Pre-Trip Bistable unit 5 doesn't No effect which can Bistable trips when power Unit 3 (Setpoint rod withdrawal prohibit signal to two Alarms on 2 interface with the RPS degrade the RPS capa-rate of change exceeds 1.5 Exceeded)

RPS channels. The rod withdrawal pro-Channels scram function.

bility to scram.

decades per minute. hibit function is actuated. 13.2 Fails Un-Loss of RT#2 pre-trip alarm on 2 RPS Periodic Test See 13.1 See 13.1 tripped channels (A and C). The rod with-drawal prohibit (high rate of power change) function is degraded to a 1/1

configuration. The prohibit trip logic configuration is changed to 1/2.

13.3 Loss of Input The bistable will go to the tripped See 13.1 See 13.1 See 13.1 Power Supply state. See 13.1.

(Pnl Y30, Bkr #13)

TABLE A-2 (cont'd)

RPS FMEA No.

Name 14.1 Rate Bistable Unit 2

14.2

14.3 15.0 Rate Bistable Unit 4 16.0 Channel 3 Rate of Change Indicator 17.0 Channel 3 Power Indi-

cator 18.0 All Nuclear Channel 4 Components 19.1 Channel A Aux Trip Unit Failure Mode Fail Tripped (Setpoint Exceeded)

Fails Un-tripped Loss of Input Power Supply (Pnl Y30, Bkr #13)

All Modes Incorrect

Indication Incorrect

Indication All Modes Fails Tripped Symptoms and Local Effects Including Dependent Failures The bistable output relay is de-energized and drops out. The RT#2 aux trip unit input is de-energized and propagates a RPS channel trip.

The associated RPS RT#2 channel is functionally disabled and cannot trip.

The bistable will go to the tripped state. See 14.1.

Rate bistable unit 4 is identical to unit 2. Unit 4 provides trip signals to a different RPS channel. See 14.0.

This failure does not induce secondary failures or propagate any effect on the RPS function.

See 16.0 Both wide range logarithmic channels (Channels 3 and 4) are identical in con-figuration. The FMEA for Channel 3 components (items 1.0-17.0) is appli-cable for both channels.

The trip relays (K1, K2, and K3) to the RPS 2/4 logic matrix are de-energized and drop out. The effect of the failure is the same as 14.1.

Method of Detection RT#2 Channel Trip Alarm Periodic Test See 14.1 Status Check of Channel 3 and 4 Indicators See 16.0 See 14.1 Inherent Compensating Provision RPS 2/4 logic inhibits spurious RT due to a single channel trip.

Only 2/4 channels are re-quired to trip to actuate RT#2.

See 14.1 The indicator is buffered from active RPS circuits.

See 16.0 See 14.1 Effects on RPS RT#2 logic is half tripped and is chang-ed to a 1/3 configura-tion.

RT#2 logic is changed to a 2/3 configura-tion.

See 14.1 None None See 14.1 REACTOR TRIP #2 Remarks and Other Effects One invalid channel trip may be bypassed for RT#2.

When one channel is by-passed, RT#2 logic changes to a 2/3 configuration.

The nuclear Channel 4 power source is Pnl Y40, Bkr #13.

The RT#2 trip and pre-trip signals are automatically bypassed when reactor power level is less than 10-4% and greater than 15%.

One invalid channel trip may be bypassed at any time for RT#2. When 1 channel is bypassed, the RT#2 trip logic changes to a 2/3 configuration.

TABLE A-2 (cont'd)

RPS FMEA REACTOR TRIP #2 Failure Symptoms and Local Effects Method of Inherent Compensating No. Name Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects 19.2 Channel A Fails Un-Channel A trip for RT#2 is disabled. Periodic Test See 14.2 See 14.2 Aux Trip tripped The effect of the failure is the same Unit as 14.2.

19.3 Pre-Trip The pre-trip relay KS is de-energized Rod Withdrawal None No effect on the RPS Fails Tripped and drops out and generates a rod with-Prohibit Alarm RT#2 function.

drawal prohibit signal. The rod with-drawal prohibit trip function is actuat-ed on any 1/4 rate of change pre-trip signal.

19.4 Pre-Trip The pre-trip relay (KS) cannot drop out Periodic Test Only 1/4 rate of change See 19.3 Fails Un-and generate a rod withdrawal prohibit pre-trip signals are re-tripped signal.

quired to actuate the rod withdrawal prohibit func-

tion. 19.5 Relay K1 or The Channel A trip function is degrad-Periodic Test See 19.2 RT#2 logic degraded.

Only 1 of 6 trip modules are K2 or K3 ed. Only 2/3 trip relays will drop out Channel A trip is only required to actuate a RT.

Fails to En-when the trip unit trips. 1 of the 6 RPS 2/3 effective.

ergized State trip modules cannot actuate RT#2.

19.6 Relay K1 or Partial Channel A trip. 1 of the 6 RPS Status Check of See 14.1 1 of the 6 RPS trip K2 or K3 trip modules is half tripped.

Aux Trip Unit Trip modules is half trip-Fails to De-Relay Lights ped for RT#2.

energized State 19.7 Loss of Input The aux trip unit will go to the tripped Channel A Trip and See 19.1 and 19.3 See 19.1 and 19.3 See 19.1 Power Supply state. All channel trip and pre-trip Pre-Trip Alarm for (Pnl Y10, relays are de-energized. See 19.1 and RT#2. Rod With-Bkr #13) 19.3.

drawal Prohibit Alarm 20.1 Channel A Fails to De-When power range bistable unit 8 trips Periodic Test None No effect on the RPS Aux Relay energized at > 15% reactor power, the aux relay (K 22)

State will not pull in and bypass the RT#2 aux trip unit (ATU-2) pre-trip function.

When the power rate of change exceeds

1.5 decades/min., the rod withdrawal prohibit function is actuated. See 19.3.

20.2 Fails to The aux trip unit pre-trip function is Periodic Test None No effect on the RPS Energized bypassed. The rod withdrawal prohibit RT#2 function.

State function power rate of change actuation

TABLE A-2 (cont'd)

RPS FMEA REACTOR TRIP #2 Failure Symptoms and Local Effects Method of Inherent Compensating No. Name Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects

20.2 Channel A Fails to logic changes to a 1/3 configuration.

(cont'd)

Aux Relay Energized (K 22)

State 21.1 Channel A Fails to De-When power range bistable unit 8 trips Periodic Test or See 14.1 See 14.1 See 14.1 Aux Relay energized at > 15% reactor power, the aux relay Channel A RT#2 (K 25)

State will not pull in or bypass the trip sig-Trip Alarm nal to the aux trip unit. When the power rate of change exceeds 2.6 decades/min., the aux trip unit will trip and generate an RPS channel trip.

See 14.1.

21.2 Fails to The aux trip unit channel trip function Periodic Test See 14.2 See 14.2 Energized is bypassed.

State

22.1 Channel A Fails to When rate of change bistable unit (#2)

See 20.2 and 21.2 See 20.2 and 21.2 See 20.2 and 21.2 Aux Relay Energized trips at > 10-4% reactor power, the aux (K 26)

State relay will not drop out and remove the bypass on both the channel trip and pre-trip signal to the aux trip units.

The effect of the failure is the same as 20.2 and 21.2.

22.2 Fails to De-The aux trip unit channel trip and pre-See 20.1 and 21.1 See 20.1 and 21.1 See 20.1 and 21.1 energized trip is not automatically bypassed State when reactor power is less than 10-4%. 23.1

Manual Fail Open The key lock switch is N.O. and is Periodic Test The switch is N.O. during An invalid Channel A 1 key is available for use Switch (Trip only used to remove an invalid trip and normal plant operation.

trip cannot be bypass-with the 4 bypass switches

#2 Bypass -

to change the RT configuration to 2/3.

ed to remove the half (Channels A, B, C and D).

Channel A) trip condition. RT#2 Only 1 channel trip may be logic cannot be chang-bypassed.

ed to a 2/3 configura-tion.

23.2 Fail Closed Three separate switch contacts in par-Status Check.

See 14.2 See 14.2 allel with the three normally open con-Light above Switch tacts of the aux trip unit relays close is Illuminated and inhibit a valid channel trip.

23.3 Single Con-See 20.1 Periodic Test See 23.1 1 of the 3 bistable tact Set -

unit trip relays cannot Fails Open be bypassed after an invalid channel trip.

TABLE A-2 (cont'd)

RPS FMEA REACTOR TRIP #2 Failure Symptoms and Local Effects Method of Inherent Compensating No.

Name Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects 23.3 -

Manual Single Con-1 of the 6 trip logic (cont'd)

Switch (Trip tact Set -

(2/4) modules will be #2 Bypass -

Fails Open half tripped.

Channel A) 23.4 Single Con-1 of the 3 aux trip unit trip relays is Periodic Test See 14.2 1 of the 6 RPS trip tact Set -

disabled.

logic modules cannot Fails Closed actuate RT#2.

24.0 Channel B All Modes All high rate of change (RT#2) RPS trip The Channel B power source Components channels (A, B, C, D) are identical is Pnl Y20, Bkr #13.

in configuration. The FMEA for Chan-nel A (items 19 - 23) is applicable for all channels.

25.0 Channel C All Modes See 24.0 The Channel C power source Components is Pnl Y30, Bkr #13.

zs.o Channel D All Modes

See 24.0 The Channel D power source Components is Pnl Y40, Bkr #13.

No.

1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 TABLE A-3 FAILURE MODE AND EFFECTS ANALYSIS PALISADES PLANT REACTOR PROTECTION SYSTEM REACTOR TRIP #3, LOW FLOW, REACTOR COOLANT Failure Symptoms and Local Effects Method of Inherent Compensating Name Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects Channel A Fail High High analog flow signal (high voltage)

Status Check of Only 2/4 channels are re-RT#3 logic is changed Flow (dp) to Channel A flow instrumentation and Coolant Flow Indi-quired to trip to actuate to a 2/3 configuration.

Transmitter trip logic. The output from 4 Channel cators (1 Indicator RT#3.

(PDT 0112AA)

A flow transmitters (1 unit for each for each channel) coolant pump) is summed prior to the flow instrumentation and trip logic.

Fail Low Low analog flow signal to channel in-strumentation and trip logic.

When the flow transmitter is monitor-Channel Trip and RPS 2/4 logic inhibits RT#3 logic is half One invalid channel trip ing a coolant loop that has an operat-Pre-Trip Alarms for spurious RT due to a single tripped and is changed may be bypassed for RT#3.

ing pump, the channel low flow trip RT#3 channel trip.

to a 1/3 configuration. When one channel is by-will be actuated.

passed, RT#3 logic changes to a 2/3 configuration.

When the flow transmitter is monitor-Status Check of See 1.1 None while the cool-ing a coolant loop with the pump not Coolant Flow Indi-ant pump remains off.

operating, the differential of the sum-cators med signal level will not be sufficient to generate a channel low flow trip.

Output Signal Constant analog signal level to chan-Periodic Test/

See 1.1 See 1.1 Constant nel flow instrumentation and trip logic. Calibration Channel A trip is disabled.

Open Signal The effect of the failure is the same See 1.2 See 1.2 See 1.2 Line as fail low.

Signal Line None None The current loop is un-

None Shorts to grounded.

Ground Loss of High The loss of the input will generate a See 1.2 See 1.2 See 1.2 Pressure Tap low flow signal. See 1.2.

Input Loss of Low The loss of the input will generate a See 1.1 See 1.1 See 1.1 Pressure Tap high flow signal. See 1.1.

Input Loss of Both The loss of both inputs will generate a See 1.2 See 1.2 See 1.2 Pressure Tap low flow signal. See 1.2.

Inputs I

i::-

1

.N

TABLE A-3 (cont'd)
RPS FMEA, REACTOR TRIP #3

2.0
Name: Channel A Flow (dp) Transmitter (PDT 0112BA)
Failure Mode: All Modes
Symptoms and Local Effects: All 4 Channel A flow transmitters are identical. The FMEA for transmitter PDT 0112AA is applicable for all units.

3.0
Name: Channel A Flow (dp) Transmitter (PDT 0122CA)
Failure Mode: All Modes
Symptoms and Local Effects: See 2.0

4.0
Name: Channel A Flow (dp) Transmitter (PDT 0122DA)
Failure Mode: All Modes
Symptoms and Local Effects: See 2.0

5.1
Name: Power Supply Unit 45 VDC (F 0102A)
Failure Mode: Loss of Output
Symptoms and Local Effects: All channel transmitters have this common power supply. The channel low flow trip will be actuated.
Method of Detection: Channel Trip and Pre-Trip Alarms for RT#3
Inherent Compensating Provision: RPS 2/4 logic inhibits spurious RT due to a single channel trip.
Effects on RPS: RT#3 logic is half tripped and is changed to a 1/3 configuration.

5.2
Failure Mode: Off Nominal Output
Symptoms and Local Effects: The 4 transmitters will generate erroneous outputs. No significant operational impact unless the summed transmitter output is driven to an extreme condition. See 1.1, 1.2 and 1.3 for details.
Method of Detection: See 1.1 and 1.2
Inherent Compensating Provision: See 1.1 and 1.2
Effects on RPS: See 1.1 and 1.2
Remarks and Other Effects: See 1.2

5.3
Failure Mode: Loss of Input Power Supply (Pnl Y10, Bkr #5)
Symptoms and Local Effects: The effect of the failure is the same as 5.1.
Method of Detection: See 5.1
Inherent Compensating Provision: See 5.1
Effects on RPS: See 5.1

6.0
Name: Coolant Flow Indicator (PDI 0112AA)
Failure Mode: Invalid Indication
Symptoms and Local Effects: The indicator monitors flow (dp) transmitter PDT 0112AA. The failure does not induce secondary failures.
Method of Detection: Status Check of All Channel Coolant Flow Indicators
Inherent Compensating Provision: The indicator is isolated from the active RPS circuits so that an indicator failure will not propagate an RPS failure. If the meter is shorted out of the instrumentation loop circuit, the transmitter will compensate and maintain valid signal levels for normal RPS operation.
Effects on RPS: None

TABLE A-3 (cont'd)
RPS FMEA, REACTOR TRIP #3

7.0
Name: Coolant Flow Indicator (PDI 0112BA)
Failure Mode: All Modes
Symptoms and Local Effects: All Channel A flow (dp) indicators are identical. The FMEA for PDI 0112AA is applicable for all units.

8.0
Name: Coolant Flow Indicator (PDI 0122CA)
Failure Mode: All Modes
Symptoms and Local Effects: See 7.0

9.0
Name: Coolant Flow Indicator (PDI 0122DA)
Failure Mode: All Modes
Symptoms and Local Effects: See 7.0

10.0
Name: Channel A Coolant Flow Indicator
Failure Mode: Invalid Indication
Symptoms and Local Effects: The meter indicates the summed Channel A coolant flow. The failure does not induce secondary failures.
Method of Detection: See 6.1
Inherent Compensating Provision: See 6.1
Effects on RPS: None

11.1
Name: Manual Switch (Zero Power Mode Trip Bypass - Channel A)
Failure Mode: Fail Open
Symptoms and Local Effects: The keylock switch is N.O. and is only closed for system tests when the reactor is subcritical (less than 10^-4% power). Channel A trips #3, 6, 7 and 9 are not bypassed during zero power reactor tests.
Method of Detection: During Zero Power Reactor Tests, Channel Trip and Pre-Trip Alarm for RT#3, 6, 7, and 9
Inherent Compensating Provision: RPS 2/4 logic inhibits spurious RT due to the numerous trips generated in Channel A. During zero power testing, Channels B, C, and D are bypassed and thus eliminate the possibility of a spurious RT.
Effects on RPS: None
Remarks and Other Effects: During zero power testing Channel A trips #3, 6, 7, 9 may each be bypassed by the channel bypass switch for each trip mode.

11.2
Failure Mode: Fail Closed
Symptoms and Local Effects: When the reactor is subcritical, Channel A trips #3, 6, 7, and 9 are inhibited by the application of +15 V to the bistable trip units.
Method of Detection: Switch Bypass Position is Annunciated
Inherent Compensating Provision: When reactor power is greater than 10^-4%, signals from the power level trip units automatically disable the bypass by removing the +15 Volts at the bistable trip units.
Effects on RPS: None during normal plant operation. During zero power tests, the switch is N.C.

TABLE A-3 (cont'd)
RPS FMEA, REACTOR TRIP #3

11.3
Name: Manual Switch (Zero Power Mode Trip Bypass - Channel A)
Failure Mode: Contact Set Fail Open
Symptoms and Local Effects: Contact set 2 only interacts with trip #3. Channel A trip #3 is not bypassed during zero power tests.
Method of Detection: During Zero Power Tests, Channel Trip and Pre-Trip Alarms for RT#3
Inherent Compensating Provision: During zero power tests, the RPS 2/4 logic inhibits a spurious RT#3 due to a single channel trip. The 3 other channels are bypassed to eliminate the possibility of a spurious trip.
Effects on RPS: None

11.4
Failure Mode: Contact Set Fail Closed
Symptoms and Local Effects: When the reactor is subcritical, Channel A trip #3 is inhibited by the application of +15 V to the bistable trip unit.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 11.2
Effects on RPS: See 11.2

12.1
Name: Manual Switch (Flow Trip Setpoint Select)
Failure Mode: Jams or Binds
Symptoms and Local Effects: Switch position cannot be changed. No effect until required to change the number of coolant pumps on line. The position of this switch determines the fixed setpoints for RT#1 and RT#3.
Method of Detection: Cannot Change Switch Position When Required
Inherent Compensating Provision: If number of pumps on line is constant, none are required. If the number of pumps on line changes, either RT#1 or RT#3 will be immediately actuated on all 4 channels. No channel trip is completely inhibited by an invalid setpoint. The channel trip is delayed until a more severe transient condition (e.g., lower flow rate or higher power level) is achieved.
Effects on RPS: If number of pumps on line is constant, no effect. If the number of pumps is decreased, RT#3 2/4 logic is actuated and scrams the reactor. If the number of pumps is increased, RT#1 2/4 logic is actuated and scrams the reactor.
Remarks and Other Effects: 3 position switch. Pos #1 - 4 pump operation. Pos #2 - 3 pump operation. Pos #3 - 2 pump operation.

12.2
Failure Mode: Contact Set Fail Open
Symptoms and Local Effects: The bistable trip module setpoint reference voltage is lost (zero). The input signal voltage can never be less than the setpoint. The bistable unit trip is disabled.
Method of Detection: Periodic Test
Inherent Compensating Provision: Only 2/4 channels are required to trip to actuate RT#3.
Effects on RPS: RT#3 logic is changed to a 2/3 configuration.
Remarks and Other Effects: The contact set is assumed to be associated with the RT#3 channel trip setpoint rather than the pre-trip alarm setpoint.

12.3
Failure Mode: Contact Set Fail Closed
Symptoms and Local Effects: No effect. This is the normal contact position. If the switch position cannot be changed due to a contact failing closed, see 12.1.
Method of Detection: Periodic Test
Inherent Compensating Provision: None required.
Effects on RPS: None

13.1
Name: Bistable (PA 0102A)
Failure Mode: Fails Tripped (Input Below Setpoint)
Symptoms and Local Effects: The bistable trip relays (K1, K2, and K3) to the RPS 2/4 logic matrix are de-energized and drop out. The effect of the failure is the same as 5.1.
Method of Detection: See 5.1
Inherent Compensating Provision: See 5.1
Effects on RPS: See 5.1

TABLE A-3 (cont'd)
RPS FMEA, REACTOR TRIP #3

13.2
Name: Bistable (PA 0102A)
Failure Mode: Fails Untripped
Symptoms and Local Effects: Channel A trip for RT#3 is disabled. The effect of the failure is the same as 12.2.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 12.2
Effects on RPS: See 12.2

13.3
Failure Mode: Loss of Input Power Supply (Pnl Y10, Bkr #5)
Symptoms and Local Effects: The bistable will go to the tripped state. See 13.1.
Method of Detection: See 5.1
Inherent Compensating Provision: See 5.1
Effects on RPS: See 5.1

13.4
Failure Mode: Relay K1 or K2 or K3 Fails to Energized State
Symptoms and Local Effects: The Channel A trip function is degraded. Only 2/3 trip relays will drop out when the bistable trips. 1 of the 6 RPS trip modules cannot actuate RT#3.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 12.2
Effects on RPS: RT#3 logic is degraded. Channel A trip is only 2/3 effective.
Remarks and Other Effects: Only 1 of 6 trip modules are required to actuate a RT.

13.5
Failure Mode: Relay K1 or K2 or K3 Fails to De-energized State
Symptoms and Local Effects: Partial Channel A trip. 1 of the 6 RPS trip modules is half tripped.
Method of Detection: Status Checks of Bistable Trip Relay Lights
Inherent Compensating Provision: See 5.1
Effects on RPS: 1 of the 6 RPS trip modules is half tripped for RT#3.

14.1
Name: Manual Switch (Trip #3 Bypass - Channel A)
Failure Mode: Fail Open
Symptoms and Local Effects: The keylock switch is N.O. and is only used to remove an invalid trip and to change the RT configuration to 2/3.
Method of Detection: Periodic Test
Inherent Compensating Provision: The switch is N.O. during normal plant operation.
Effects on RPS: An invalid Channel A trip cannot be bypassed to remove the half trip condition. RT#3 logic cannot be changed to a 2/3 configuration.
Remarks and Other Effects: 1 key is available for use with the 4 bypass switches (Channels A, B, C, and D). Only 1 channel trip may be bypassed.

14.2
Failure Mode: Fail Closed
Symptoms and Local Effects: Three separate switch contacts in parallel with the three normally open contacts of the trip unit close and inhibit a valid channel trip.
Method of Detection: Status Check. Light above Switch is Illuminated
Inherent Compensating Provision: See 12.2
Effects on RPS: See 12.2

14.3
Failure Mode: Single Contact Set Fail Open
Symptoms and Local Effects: See 14.1
Method of Detection: Periodic Test
Inherent Compensating Provision: See 14.1
Effects on RPS: 1 of the 3 bistable unit trip relays cannot be bypassed after an invalid channel trip. 1 of the 6 trip logic (2/4) modules will be half tripped.

14.4
Failure Mode: Single Contact Set Fail Closed
Symptoms and Local Effects: 1 of the 3 bistable trip relays is disabled.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 12.2
Effects on RPS: 1 of the 6 RPS trip logic modules cannot actuate RT#3.

TABLE A-3 (cont'd)
RPS FMEA, REACTOR TRIP #3

15.0
Name: Channel B Components
Failure Mode: All Modes
Symptoms and Local Effects: All primary coolant flow instrumentation and trip channels (A, B, C, D) are identical in configuration. The FMEA for Channel A components is applicable for all channels.
Remarks and Other Effects: The Channel B power source is Pnl Y20, Bkr #5.

16.0
Name: Channel C Components
Failure Mode: All Modes
Symptoms and Local Effects: See 15.0
Remarks and Other Effects: The Channel C power source is Pnl Y30, Bkr #5.

17.0
Name: Channel D Components
Failure Mode: All Modes
Symptoms and Local Effects: See 15.0
Remarks and Other Effects: The Channel D power source is Pnl Y40, Bkr #5.

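TABLE A-4
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP #4, LOW WATER LEVEL, SG#1

Columns: No.; Name; Failure Mode; Symptoms and Local Effects Including Dependent Failures; Method of Detection; Inherent Compensating Provision; Effects on RPS; Remarks and Other Effects

1.1
Name: Channel A Level Transmitter (LT 0751A)
Failure Mode: Fail High
Symptoms and Local Effects: Analog high water level signal (high voltage) to channel water level instrumentation and trip logic. Channel A trip is disabled.
Method of Detection: Status Check of SG#1 Water Level Indicators or Periodic Test
Inherent Compensating Provision: Only 2/4 channels are required to trip to actuate RT#4.
Effects on RPS: RT#4 logic is changed to a 2/3 configuration.

1.2
Failure Mode: Fail Low
Symptoms and Local Effects: Analog low water level signal to channel trip logic. Channel A low water level trip actuated.
Method of Detection: Channel Trip and Pre-Trip Alarms for RT#4
Inherent Compensating Provision: RPS 2/4 logic inhibits spurious RT due to a single channel trip.
Effects on RPS: RT#4 logic is half tripped and is changed to a 1/3 configuration.
Remarks and Other Effects: One invalid channel trip may be bypassed for RT#4. When one channel is bypassed, RT#4 logic changes to a 2/3 configuration.

1.3
Failure Mode: Output Signal Constant
Symptoms and Local Effects: Constant analog water level signal to channel water level instrumentation and trip logic. Channel A trip is disabled.
Method of Detection: Periodic Test/Calibration
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1

1.4
Failure Mode: Open Signal Line
Symptoms and Local Effects: The effect of the failure is the same as fail low.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

1.5
Failure Mode: Signal Line Shorts to Ground
Symptoms and Local Effects: None
Method of Detection: None
Inherent Compensating Provision: The current loop is ungrounded.
Effects on RPS: None

1.6
Failure Mode: Loss of High Pressure Tap Input
Symptoms and Local Effects: The loss of the input will generate a low level signal. See 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

1.7
Failure Mode: Loss of Low Pressure Tap Input
Symptoms and Local Effects: The loss of the input will generate a high level signal. See 1.1.
Method of Detection: See 1.1
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1

1.8
Failure Mode: Loss of Both Pressure Tap Inputs
Symptoms and Local Effects: The loss of both inputs will generate a low level signal. See 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2

2.1
Name: Power Supply (L 0751A)
Failure Mode: Loss of Output
Symptoms and Local Effects: The effect of the failure is the same as 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

2.2
Failure Mode: Off Nominal Output
Symptoms and Local Effects: The level transmitter will generate erroneous outputs. No significant operational impact unless the transmitter output is driven to an extreme condition. See 1.1, 1.2 and 1.3 for details.
Method of Detection: See 1.1 and 1.2
Inherent Compensating Provision: See 1.1 and 1.2
Effects on RPS: See 1.1 and 1.2
Remarks and Other Effects: See 1.2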

TABLE A-4 (cont'd)
RPS FMEA, REACTOR TRIP #4

2.3
Name: Power Supply (L 0751A)
Failure Mode: Loss of Input Power Supply (Pnl Y10, Bkr #5)
Symptoms and Local Effects: The effect of the failure is the same as 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

3.1
Name: Bistable (LA 0751A)
Failure Mode: Fails Tripped (Input Below Setpoint)
Symptoms and Local Effects: The bistable trip relays (K1, K2, and K3) to the RPS 2/4 logic matrix are de-energized and drop out. The effect of the failure is the same as 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

3.2
Failure Mode: Fails Untripped
Symptoms and Local Effects: Channel A trip for RT#4 is disabled. The effect of the failure is the same as 1.1.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1

3.3
Failure Mode: Loss of Input Power Supply (Pnl Y10, Bkr #5)
Symptoms and Local Effects: The bistable will go to the tripped state. See 3.1.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

3.4
Failure Mode: Relay K1 or K2 or K3 Fails to Energized State
Symptoms and Local Effects: The Channel A trip function is degraded. Only 2/3 trip relays will drop out when the bistable trips. 1 of the 6 RPS trip modules cannot actuate RT#4.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 1.1
Effects on RPS: RT#6 logic is degraded. Channel A trip is only 2/3 effective.
Remarks and Other Effects: Only 1 of 6 trip modules are required to actuate a RT.

3.5
Failure Mode: Relay K1 or K2 or K3 Fails to De-energized State
Symptoms and Local Effects: Partial Channel A trip. 1 of the 6 RPS trip modules is half tripped.
Method of Detection: Status Check of Bistable Trip Relay Lights
Inherent Compensating Provision: See 1.2
Effects on RPS: 1 of the 6 RPS trip modules is half tripped for RT#4.

3.6
Failure Mode: Short Across Input
Symptoms and Local Effects: The effect of the failure is the same as the bistable failing tripped (see 3.1). The instrumentation loop transmitter will compensate for the load loss and maintain valid signal levels for the additional instrumentation components in the loop.
Method of Detection: See 3.1
Inherent Compensating Provision: See 3.1
Effects on RPS: See 3.1

4.0
Name: Indicator (LI 0751A)
Failure Mode: Invalid Indication
Symptoms and Local Effects: The failure does not cause local effects or induce secondary failures.
Method of Detection: Status Check of SG#1 Water Level Indicators
Inherent Compensating Provision: The indicator is isolated from the active RPS circuits so that an indicator failure will not propagate an RPS failure. If the meter is shorted out of the instrumentation loop circuit, the transmitter will compensate and maintain valid signal levels for normal RPS operation.
Effects on RPS: None

5.1
Name: Manual Switch (Trip #4 Bypass - Channel A)
Failure Mode: Fail Open
Symptoms and Local Effects: The keylock switch is N.O. and is only used to remove an invalid trip and to change the RT configuration to 2/3.
Method of Detection: Periodic Test
Inherent Compensating Provision: The switch is N.O. during normal plant operation.
Effects on RPS: An invalid Channel A trip cannot be bypassed to remove the half trip condition. RT#4 logic cannot be changed to a 2/3 configuration.
Remarks and Other Effects: 1 key is available for use with the 4 bypass switches (Channels A, B, C, and D). Only 1 channel trip may be bypassed.

5.2
Failure Mode: Fail Closed
Symptoms and Local Effects: Three separate switch contacts in parallel with the three normally open contacts of the trip unit close and inhibit a valid channel trip.
Method of Detection: Status Check. Light above Switch is Illuminated
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1

5.3
Failure Mode: Single Contact Set - Fails Open
Symptoms and Local Effects: See 5.1
Method of Detection: Periodic Test
Inherent Compensating Provision: See 5.1
Effects on RPS: 1 of the 3 bistable unit trip relays cannot be bypassed after an invalid channel trip. 1 of the 6 trip logic (2/4) modules will be half tripped.

5.4
Failure Mode: Single Contact Set - Fails Closed
Symptoms and Local Effects: 1 of the 3 bistable trip relays is disabled.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 1.1
Effects on RPS: 1 of the 6 RPS trip logic modules cannot actuate RT#4.

6.0
Name: Channel B Components
Failure Mode: All Modes
Symptoms and Local Effects: All SG#1 water level instrumentation and trip channels (A, B, C, D) are identical in configuration. The FMEA for Channel A components is applicable for all channels.
Remarks and Other Effects: The Channel B power source is Pnl Y20, Bkr #5.

7.0
Name: Channel C Components
Failure Mode: All Modes
Symptoms and Local Effects: See 6.0
Remarks and Other Effects: The Channel C power source is Pnl Y30, Bkr #5.

8.0
Name: Channel D Components
Failure Mode: All Modes
Symptoms and Local Effects: See 6.0
Remarks and Other Effects: The Channel D power source is Pnl Y40,

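TABLE A-5
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP #5, LOW WATER LEVEL, SG#2

Columns: No.; Name; Failure Mode; Symptoms and Local Effects Including Dependent Failures; Method of Detection; Inherent Compensating Provision; Effects on RPS; Remarks and Other Effects

1.1
Name: Channel A Level Transmitter (LT 0752A)
Failure Mode: Fail High
Symptoms and Local Effects: Analog high water level signal (high voltage) to channel water level instrumentation and trip logic. Channel A trip is disabled.
Method of Detection: Status Check of SG#2 Water Level Indicators or Periodic Test
Inherent Compensating Provision: Only 2/4 channels are required to trip to actuate RT#5.
Effects on RPS: RT#5 logic is changed to a 2/3 configuration.

1.2
Failure Mode: Fail Low
Symptoms and Local Effects: Analog low water level signal to channel trip logic. Channel A low water level trip is actuated.
Method of Detection: Channel Trip and Pre-Trip Alarms for RT#5
Inherent Compensating Provision: RPS 2/4 logic inhibits spurious RT due to a single channel trip.
Effects on RPS: RT#5 logic is half tripped and is changed to a 1/3 configuration.
Remarks and Other Effects: One invalid channel trip may be bypassed for RT#5. When one channel is bypassed, RT#5 logic changes to a 2/3 configuration.

1.3
Failure Mode: Output Signal Constant
Symptoms and Local Effects: Constant analog water level signal level to channel water level instrumentation and trip logic. Channel A trip is disabled.
Method of Detection: Periodic Test/Calibration
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1

1.4
Failure Mode: Open Signal Line
Symptoms and Local Effects: The effect of the failure is the same as fail low.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

1.5
Failure Mode: Signal Line Shorts to Ground
Symptoms and Local Effects: None
Method of Detection: None
Inherent Compensating Provision: The current loop is ungrounded.
Effects on RPS: None

1.6
Failure Mode: Loss of High Pressure Tap Input
Symptoms and Local Effects: The loss of the input will generate a low level signal. See 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

1.7
Failure Mode: Loss of Low Pressure Tap Input
Symptoms and Local Effects: The loss of the input will generate a high level signal. See 1.1.
Method of Detection: See 1.1
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1

1.8
Failure Mode: Loss of Both Pressure Tap Inputs
Symptoms and Local Effects: The loss of both inputs will generate a low level signal. See 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2

2.1
Name: Power Supply (L 0752A)
Failure Mode: Loss of Output
Symptoms and Local Effects: The effect of the failure is the same as 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

2.2
Failure Mode: Off Nominal Output
Symptoms and Local Effects: The level transmitter will generate erroneous outputs. No significant operational impact unless the transmitter output is driven to an extreme condition. See 1.1, 1.2 and 1.3 for details.
Method of Detection: See 1.1 and 1.2
Inherent Compensating Provision: See 1.1 and 1.2
Effects on RPS: See 1.1 and 1.2
Remarks and Other Effects: See 1.2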

TABLE A-5 (cont'd)
RPS FMEA, REACTOR TRIP #5

2.3
Name: Power Supply (L 0752A)
Failure Mode: Loss of Input Power Supply (Pnl Y10, Bkr #5)
Symptoms and Local Effects: The effect of the failure is the same as 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

3.1
Name: Bistable (LA 0752A)
Failure Mode: Fails Tripped (Input Below Setpoint)
Symptoms and Local Effects: The bistable trip relays (K1, K2, and K3) to the RPS 2/4 logic matrix are de-energized and drop out. The effect of the failure is the same as 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

3.2
Failure Mode: Fails Untripped
Symptoms and Local Effects: Channel A trip for RT#5 is disabled. The effect of the failure is the same as 1.1.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1

3.3
Failure Mode: Loss of Input Power Supply (Pnl Y10, Bkr #5)
Symptoms and Local Effects: The bistable will go to the tripped state. See 3.1.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

3.4
Failure Mode: Relay K1 or K2 or K3 Fails to Energized State
Symptoms and Local Effects: The Channel A trip function is degraded. Only 2/3 trip relays will drop out when the bistable trips. 1 of the 6 RPS trip modules cannot actuate RT#5.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 1.1
Effects on RPS: RT#6 logic is degraded. Channel A trip is only 2/3 effective.
Remarks and Other Effects: Only 1 of 6 trip modules are required to actuate a RT.

3.5
Failure Mode: Relay K1 or K2 or K3 Fails to De-energized State
Symptoms and Local Effects: Partial Channel A trip. 1 of the 6 RPS trip modules is half tripped.
Method of Detection: Status Checks of Bistable Trip Relay Lights
Inherent Compensating Provision: See 1.2
Effects on RPS: 1 of the 6 RPS trip modules is half tripped for RT#5.

3.6
Failure Mode: Short Across Input
Symptoms and Local Effects: The effect of the failure is the same as the bistable failing tripped (see 3.1). The instrumentation loop transmitter will compensate for the load loss and maintain valid signal levels for the additional instrumentation components in the loop.
Method of Detection: See 3.1
Inherent Compensating Provision: See 3.1
Effects on RPS: See 3.1

TABLE A-5 (cont'd)
RPS FMEA, REACTOR TRIP #5

4.0
Name: Indicator (LI 0752A)
Failure Mode: Invalid Indication
Symptoms and Local Effects: The failure does not cause local effects or induce secondary failures.
Method of Detection: Status Check of SG#2 Water Level Indicators
Inherent Compensating Provision: The indicator is isolated from the active RPS circuits so that an indicator failure will not propagate an RPS failure. If the meter is shorted out of the instrumentation loop circuit, the transmitter will compensate and maintain valid signal levels for normal RPS operation.
Effects on RPS: None

5.1
Name: Manual Switch (Trip #5 Bypass Channel A)
Failure Mode: Fail Open
Symptoms and Local Effects: The keylock switch is N.O. and is only used to remove an invalid trip and to change the RT configuration to 2/3.
Method of Detection: Periodic Test
Inherent Compensating Provision: The switch is N.O. during normal plant operation.
Effects on RPS: An invalid Channel A trip cannot be bypassed to remove the half trip condition. RT#5 logic cannot be changed to a 2/3 configuration.
Remarks and Other Effects: 1 key is available for use with the 4 bypass switches (Channels A, B, C, and D). Only 1 channel trip may be bypassed.

5.2
Failure Mode: Fail Closed
Symptoms and Local Effects: Three separate switch contacts in parallel with the three normally open contacts of the trip unit close and inhibit a valid channel trip.
Method of Detection: Status Check. Light Above Switch is Illuminated
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1

5.3
Failure Mode: Single Contact Set - Fails Open
Symptoms and Local Effects: See 5.1
Method of Detection: Periodic Test
Inherent Compensating Provision: See 5.1
Effects on RPS: 1 of the 3 bistable unit trip relays cannot be bypassed after an invalid channel trip. 1 of the 6 trip logic (2/4) modules will be half tripped.

5.4
Failure Mode: Single Contact Set - Fails Closed
Symptoms and Local Effects: 1 of the 3 bistable trip relays is disabled.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 1.1
Effects on RPS: 1 of the 6 RPS trip logic modules cannot actuate RT#5.

TABLE A-5 (cont'd)
RPS FMEA, REACTOR TRIP #5

6.0
Name: Channel B Components
Failure Mode: All Modes
Symptoms and Local Effects: All SG#2 water level instrumentation and trip channels (A, B, C, D) are identical in configuration. The FMEA for Channel A components is applicable for all channels.
Remarks and Other Effects: The Channel B power source is Pnl Y20, Bkr #5.

7.0
Name: Channel C Components
Failure Mode: All Modes
Symptoms and Local Effects: See 6.0
Remarks and Other Effects: The Channel C power source is Pnl Y30, Bkr #5.

8.0
Name: Channel D Components
Failure Mode: All Modes
Symptoms and Local Effects: See 6.0
Remarks and Other Effects: The Channel D power source is Pnl Y40, Bkr #5.

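TABLE A-6
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP #6, LOW PRESSURE, SG#1

Columns: No.; Name; Failure Mode; Symptoms and Local Effects Including Dependent Failures; Method of Detection; Inherent Compensating Provision; Effects on RPS; Remarks and Other Effects

1.1
Name: Channel A Pressure Transmitter (PT 0751A)
Failure Mode: Fail High
Symptoms and Local Effects: Analog high pressure signal (high voltage) to channel pressure instrumentation and trip logic. Channel A trip is disabled.
Method of Detection: Status Check of SG#1 Pressure Indicators or Periodic Test
Inherent Compensating Provision: Only 2/4 channels are required to trip to actuate RT#6.
Effects on RPS: RT#6 logic is changed to a 2/3 configuration.

1.2
Failure Mode: Fail Low
Symptoms and Local Effects: Analog low pressure signal to channel trip logic. Channel A low pressure trip actuated.
Method of Detection: Channel Trip and Pre-Trip Alarms for RT#6
Inherent Compensating Provision: RPS 2/4 logic inhibits spurious RT due to a single channel trip.
Effects on RPS: RT#6 logic is half tripped and is changed to a 1/3 configuration.
Remarks and Other Effects: One invalid channel trip may be bypassed for RT#6. When one channel is bypassed, RT#6 logic changes to a 2/3 configuration.

1.3
Failure Mode: Output Signal Constant
Symptoms and Local Effects: Constant analog pressure signal level to channel pressure instrumentation and trip logic. Channel A trip is disabled.
Method of Detection: Periodic Test/Calibration
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1

1.4
Failure Mode: Open Signal Line
Symptoms and Local Effects: The effect of the failure is the same as fail low.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

1.5
Failure Mode: Signal Line Shorts to Ground
Symptoms and Local Effects: None
Method of Detection: None
Inherent Compensating Provision: The current loop is ungrounded.
Effects on RPS: None

1.6
Failure Mode: Loss of Pressure Tap Input
Symptoms and Local Effects: See 1.4
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

2.1
Name: Power Supply (P 0751A)
Failure Mode: Loss of Output
Symptoms and Local Effects: The effect of the failure is the same as 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

2.2
Failure Mode: Off Nominal Output
Symptoms and Local Effects: The pressure transmitter will generate erroneous outputs. No significant operational impact unless the transmitter output is driven to an extreme condition. See 1.1, 1.2 and 1.3 for details.
Method of Detection: See 1.1 and 1.2
Inherent Compensating Provision: See 1.1 and 1.2
Effects on RPS: See 1.1 and 1.2
Remarks and Other Effects: See 1.2

2.3
Failure Mode: Loss of Input Power Supply (Pnl Y10 Bkr #5)
Symptoms and Local Effects: The effect of the failure is the same as 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

3.1
Name: Bistable (PA 0751A)
Failure Mode: Fails Tripped (Input Below Setpoint)
Symptoms and Local Effects: The bistable trip relays (K1, K2 and K3) to the RPS 2/4 logic matrix are de-energized and drop out. The effect of the failure is the same as 1.2.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2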

TABLE A-6 (cont'd)
RPS FMEA, REACTOR TRIP #6

3.2
Name: Bistable (PA 0751A)
Failure Mode: Fails Untripped
Symptoms and Local Effects: Channel A trip for RT#6 is disabled. The effect of the failure is the same as 1.1.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 1.1
Effects on RPS: See 1.1

3.3
Failure Mode: Loss of Input Power Supply (Pnl Y10, Bkr #5)
Symptoms and Local Effects: The bistable will go to the tripped state. See 3.1.
Method of Detection: See 1.2
Inherent Compensating Provision: See 1.2
Effects on RPS: See 1.2
Remarks and Other Effects: See 1.2

3.4
Failure Mode: Relay K1 or K2 or K3 Fails to Energized State
Symptoms and Local Effects: The Channel A trip function is degraded. Only 2/3 trip relays will drop out when the bistable trips. 1 of the 6 RPS trip modules cannot actuate RT#6.
Method of Detection: Periodic Test
Inherent Compensating Provision: See 1.1
Effects on RPS: RT#6 logic is degraded. Channel A trip is only 2/3 effective.
Remarks and Other Effects: Only 1 of 6 trip modules are required to actuate a RT.

3.5
Failure Mode: Relay K1 or K2 or K3 Fails to De-energized State
Symptoms and Local Effects: Partial Channel A trip. 1 of the 6 RPS trip modules is half tripped.
Method of Detection: Status Check of Bistable Trip Relay Lights
Inherent Compensating Provision: See 1.2
Effects on RPS: 1 of the 6 RPS trip modules is half tripped for RT#6.

3.6
Failure Mode: Short Across Input
Symptoms and Local Effects: The effect of the failure is the same as the bistable failing tripped (see 3.1). The instrumentation loop transmitter will compensate for the load loss and maintain valid signal levels for the additional instrumentation components in the loop.
Method of Detection: See 3.1
Inherent Compensating Provision: See 3.1
Effects on RPS: See 3.1

4.1
Name: Indicator (PIC 0751A)
Failure Mode: Invalid Indication
Symptoms and Local Effects: The failure does not induce secondary failures. 2/4 pressure meter relays are required to trip on low pressure to automatically shut both SG1 and SG2 isolation valves. Depending on the direction of the meter error, this function is changed to either a 1/3 or 2/3 logic configuration.
Method of Detection: Status Check of SG#1 Pressure Indicators
Inherent Compensating Provision: The indicator is isolated from the active RPS circuits so that an indicator failure will not propagate an RPS failure. If the meter is shorted out of the instrumentation loop circuit, the transmitter will compensate and maintain valid signal levels for normal RPS operation.
Effects on RPS: None

4.2
Failure Mode: Loss of Power Source (Pnl Y10 Bkr #5)
Symptoms and Local Effects: The meter reading remains valid. The meter relay is de-energized and changes the isolation valve close logic to a 1/3 configuration.
Method of Detection: None
Inherent Compensating Provision: None required for RPS operation.
Effects on RPS: None

TABLE A-6 (cont'd)

RPS FMEA REACTOR TRIP #6 Failure Symptoms and Local Effects Method of Inherent Compensating No.

Name Mode Including Dependent Failures Detection Provision Effects on RPS Remarks and Other Effects

5.1 Manual Switch (Trip #6 Bypass - Channel A). Failure mode: Fail Open.
Symptoms and local effects: The keylock switch is N.O. and is only used to remove an invalid trip and to change the RT configuration to 2/3.
Method of detection: Periodic Test.
Inherent compensating provision: The switch is N.O. during normal plant operation.
Effects on RPS: An invalid Channel A trip cannot be bypassed to remove the half trip condition. RT#6 logic cannot be changed to a 2/3 configuration.
Remarks and other effects: 1 key is available for use with the 4 bypass switches (Channels A, B, C, and D). Only 1 channel trip may be bypassed.

5.2 Manual Switch (Trip #6 Bypass - Channel A). Failure mode: Fail Closed.
Symptoms and local effects: Three separate switch contacts in parallel with the three normally open contacts of the trip unit close and inhibit a valid channel trip.
Method of detection: Status Check. Light above Switch is Illuminated.
Inherent compensating provision: See 1.1.
Effects on RPS: See 1.1.

5.3 Manual Switch (Trip #6 Bypass - Channel A). Failure mode: Single Contact Set - Fails Open.
Symptoms and local effects: See 5.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 5.1.
Effects on RPS: 1 of the 3 bistable unit trip relays cannot be bypassed after an invalid channel trip. 1 of the 6 trip logic (2/4) modules will be half tripped.

5.4 Manual Switch (Trip #6 Bypass - Channel A). Failure mode: Single Contact Set - Fails Closed.
Symptoms and local effects: 1 of the 3 bistable trip relays is disabled.
Method of detection: Periodic Test.
Inherent compensating provision: See 1.1.
Effects on RPS: 1 of the 6 RPS trip logic modules cannot actuate RT#6.

6.1 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Fail Open.
Symptoms and local effects: The keylock switch is N.O. and is only closed for system tests when the reactor is subcritical (less than 10^-4 % power). Channel A trips #3, 6, 7, and 9 are not bypassed during zero power reactor tests.
Method of detection: During Zero Power Reactor Tests, Channel Trip and Pre-Trip Alarm for RT#3, 6, 7, and 9.
Inherent compensating provision: RPS 2/4 logic inhibits spurious RT due to the numerous trips generated in Channel A. During zero power testing, Channels B, C, and D are bypassed and thus eliminate the possibility of a spurious RT.
Effects on RPS: None.
Remarks and other effects: During zero power testing Channel A trips #3, 6, 7, 9 may each be bypassed by the channel bypass switch for each trip mode.

6.2 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Fail Closed.
Symptoms and local effects: When the reactor is subcritical, Channel A trips #3, 6, 7, and 9 are inhibited by the application of +15 V to the bistable trip units.
Method of detection: Switch Bypass Position is Annunciated.
Inherent compensating provision: When reactor power is greater than 10^-4 %, signals from the power level trip units automatically disable the bypass by removing the +15 Volts at the bistable trip units.
Effects on RPS: None during normal plant operation. During zero power tests, the switch is N.C.


6.3 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Contact Set 2 Fail Open.
Symptoms and local effects: Contact set 2 only interacts with trip #6. Channel A trip #6 is not bypassed during zero power tests.
Method of detection: During Zero Power Tests, Channel Trip and Pre-Trip Alarms for RT#6.
Inherent compensating provision: During zero power tests, the RPS 2/4 logic inhibits a spurious RT#6 due to a single channel trip. The 3 other channels are bypassed to eliminate the possibility of a spurious trip.
Effects on RPS: None.

6.4 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Contact Set 2 Fail Closed.
Symptoms and local effects: When the reactor is subcritical, Channel A trip #6 is inhibited by the application of +15 V to the bistable trip unit.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.2.
Effects on RPS: See 6.2.

7.0 Channel B Components. Failure mode: All Modes.
Symptoms and local effects: All SG#1 pressure instrumentation and trip channels (A, B, C, D) are identical in configuration. The FMEA for Channel A components is applicable for all channels.
Remarks and other effects: The Channel B power source is Pnl Y20, Bkr #5.

8.0 Channel C Components. Failure mode: All Modes.
Symptoms and local effects: See 7.0.
Remarks and other effects: The Channel C power source is Pnl Y30, Bkr #5.

9.0 Channel D Components. Failure mode: All Modes.
Symptoms and local effects: See 7.0.
Remarks and other effects: The Channel D power source is Pnl Y40, Bkr #5.


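TABLE A-7
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP #7, LOW PRESSURE, SG#2

Columns: No.; Name; Failure Mode; Symptoms and Local Effects Including Dependent Failures; Method of Detection; Inherent Compensating Provision; Effects on RPS; Remarks and Other Effects

1.1 Channel A Pressure Transmitter (P 0752A). Failure mode: Fail High.
Symptoms and local effects: Analog high pressure signal (high voltage) to channel pressure instrumentation and trip logic. Channel A trip is disabled.
Method of detection: Status Check of SG#2 Pressure Indicators or Periodic Test.
Inherent compensating provision: Only 2/4 channels are required to trip to actuate RT#7.
Effects on RPS: RT#7 logic is changed to a 2/3 configuration.

1.2 Channel A Pressure Transmitter (P 0752A). Failure mode: Fail Low.
Symptoms and local effects: Analog low pressure signal to channel trip logic. Channel A low pressure trip actuated.
Method of detection: Channel Trip and Pre-Trip Alarms for RT#7.
Inherent compensating provision: RPS 2/4 logic inhibits spurious RT due to a single channel trip.
Effects on RPS: RT#7 logic is half tripped and is changed to a 1/3 configuration.
Remarks and other effects: One invalid channel trip may be bypassed for RT#7. When one channel is bypassed, RT#7 logic changes to a 2/3 configuration.

1.3 Channel A Pressure Transmitter (P 0752A). Failure mode: Output Signal Constant.
Symptoms and local effects: Constant analog pressure signal level to channel pressure instrumentation and trip logic. Channel A trip is disabled.
Method of detection: Periodic Test/Calibration.
Inherent compensating provision: See 1.1.
Effects on RPS: See 1.1.

1.4 Channel A Pressure Transmitter (P 0752A). Failure mode: Open Signal Line.
Symptoms and local effects: The effect of the failure is the same as fail low.
Method of detection: See 1.2.
Inherent compensating provision: See 1.2.
Effects on RPS: See 1.2.
Remarks and other effects: See 1.2.

1.5 Channel A Pressure Transmitter (P 0752A). Failure mode: Signal Line Shorts to Ground.
Symptoms and local effects: None.
Method of detection: None.
Inherent compensating provision: The current loop is ungrounded.
Effects on RPS: None.

1.6 Channel A Pressure Transmitter (P 0752A). Failure mode: Loss of Pressure Tap Input.
Symptoms and local effects: See 1.4.
Method of detection: See 1.2.
Inherent compensating provision: See 1.2.
Effects on RPS: See 1.2.
Remarks and other effects: See 1.2.

2.1 Power Supply (P 0752A). Failure mode: Loss of Output.
Symptoms and local effects: The effect of the failure is the same as 1.2.
Method of detection: See 1.2.
Inherent compensating provision: See 1.2.
Effects on RPS: See 1.2.
Remarks and other effects: See 1.2.

2.2 Power Supply (P 0752A). Failure mode: Off Nominal Output.
Symptoms and local effects: The pressure transmitter will generate erroneous outputs. No significant operational impact unless the transmitter output is driven to an extreme. See 1.1, 1.2 and 1.3 for details.
Method of detection: See 1.1 and 1.2.
Inherent compensating provision: See 1.1 and 1.2.
Effects on RPS: See 1.1 and 1.2.
Remarks and other effects: See 1.2.

2.3 Power Supply (P 0752A). Failure mode: Loss of Input Power Supply (Pnl Y10, Bkr #5).
Symptoms and local effects: The effect of the failure is the same as 1.2.
Method of detection: See 1.2.
Inherent compensating provision: See 1.2.
Effects on RPS: See 1.2.
Remarks and other effects: See 1.2.

3.1 Bistable (PA 0752A). Failure mode: Fails Tripped (Input Below Setpoint).
Symptoms and local effects: The bistable trip relays (K1, K2 and K3) to the RPS 2/4 logic matrix are de-energized and drop out. The effect of the failure is the same as 1.2.
Method of detection: See 1.2.
Inherent compensating provision: See 1.2.
Effects on RPS: See 1.2.
Remarks and other effects: See 1.2.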


3.2 Bistable (PA 0752A). Failure mode: Fails Untripped.
Symptoms and local effects: Channel A trip for RT#7 is disabled. The effect of the failure is the same as 1.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 1.1.
Effects on RPS: See 1.1.

3.3 Bistable (PA 0752A). Failure mode: Loss of Input Power Supply (Pnl Y10, Bkr #5).
Symptoms and local effects: The bistable will go to the tripped state. See 3.1.
Method of detection: See 1.2.
Inherent compensating provision: See 1.2.
Effects on RPS: See 1.2.
Remarks and other effects: See 1.2.

3.4 Bistable (PA 0752A). Failure mode: Relay K1 or K2 or K3 Fails to Energized State.
Symptoms and local effects: The Channel A trip function is degraded. Only 2/3 trip relays will drop out when the bistable trips. 1 of the 6 RPS trip modules cannot actuate RT#7.
Method of detection: Periodic Test.
Inherent compensating provision: See 1.1.
Effects on RPS: RT#7 logic is degraded. Channel A trip is only 2/3 effective.
Remarks and other effects: Only 1 of 6 trip modules are required to actuate a RT.

3.5 Bistable (PA 0752A). Failure mode: Relay K1 or K2 or K3 Fails to De-energized State.
Symptoms and local effects: Partial Channel A trip. 1 of the 6 RPS trip modules is half tripped.
Method of detection: Status Check of Bistable Trip Relay Lights.
Inherent compensating provision: See 1.2.
Effects on RPS: 1 of the 6 RPS trip modules is half tripped for RT#7.

3.6 Bistable (PA 0752A). Failure mode: Short Across Input.
Symptoms and local effects: The effect of the failure is the same as the bistable failing tripped (see 3.1). The instrumentation loop transmitter will compensate for the load loss and maintain valid signal levels for the additional components in the loop.
Method of detection: See 3.1.
Inherent compensating provision: See 3.1.
Effects on RPS: See 3.1.

4.1 Indicator (PIG 0752A). Failure mode: Invalid Indication.
Symptoms and local effects: The failure does not induce secondary failures. 2/4 pressure meter relays are required to trip on low pressure to automatically shut both SG1 and SG2 isolation valves. Depending on the direction of the meter error, this function is changed to either a 1/3 or 2/3 logic configuration.
Method of detection: Status Check of SG#2 Pressure Indicators.
Inherent compensating provision: The indicator is isolated from the active RPS circuits so that an indicator failure will not propagate an RPS failure. If the meter is shorted out of the instrumentation loop circuit, the transmitter will compensate and maintain valid signal levels for normal RPS operation.
Effects on RPS: None.

4.2 Indicator (PIG 0752A). Failure mode: Loss of Power Source (Pnl Y10, Bkr #5).
Symptoms and local effects: The meter reading remains valid. The meter relay is de-energized and changes the isolation valve close logic to a 1/3 configuration.
Method of detection: None.
Inherent compensating provision: None required for RPS operation.
Effects on RPS: None.


5.1 Manual Switch (Trip #7 Bypass - Channel A). Failure mode: Fail Open.
Symptoms and local effects: The keylock switch is N.O. and is only used to remove an invalid trip and to change the RT configuration to 2/3.
Method of detection: Periodic Test.
Inherent compensating provision: The switch is N.O. during normal plant operation.
Effects on RPS: An invalid Channel A trip cannot be bypassed to remove the half trip condition. RT#7 logic cannot be changed to a 2/3 configuration.
Remarks and other effects: 1 key is available for use with the 4 bypass switches (Channels A, B, C, and D). Only 1 channel trip may be bypassed.

5.2 Manual Switch (Trip #7 Bypass - Channel A). Failure mode: Fail Closed.
Symptoms and local effects: Three separate switch contacts in parallel with the three normally open contacts of the trip unit close and inhibit a valid channel trip.
Method of detection: Status Check. Light above Switch is Illuminated.
Inherent compensating provision: See 1.1.
Effects on RPS: See 1.1.

5.3 Manual Switch (Trip #7 Bypass - Channel A). Failure mode: Single Contact Set - Fails Open.
Symptoms and local effects: See 5.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 5.1.
Effects on RPS: 1 of the 3 bistable unit trip relays cannot be bypassed after an invalid channel trip. 1 of the 6 trip logic (2/4) modules will be half tripped.

5.4 Manual Switch (Trip #7 Bypass - Channel A). Failure mode: Single Contact Set - Fails Closed.
Symptoms and local effects: 1 of the 3 bistable trip relays is disabled.
Method of detection: Periodic Test.
Inherent compensating provision: See 1.1.
Effects on RPS: 1 of the 6 RPS trip logic modules cannot actuate RT#7.

6.1 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Fail Open.
Symptoms and local effects: The keylock switch is N.O. and is only closed for system tests when the reactor is subcritical (less than 10^-4 % power). Channel A trips #3, 6, 7, and 9 are not bypassed during zero power reactor tests.
Method of detection: During Zero Power Reactor Tests, Channel Trip and Pre-Trip Alarm for RT 3, 6, 7, and 9.
Inherent compensating provision: RPS 2/4 logic inhibits spurious RT due to the numerous trips generated in Channel A. During zero power testing, Channels B, C, and D are bypassed and thus eliminate the possibility of a spurious RT.
Effects on RPS: None.
Remarks and other effects: During zero power testing Channel A trips #3, 6, 7, 9 may each be bypassed by the channel bypass switch for each trip mode.

6.2 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Fail Closed.
Symptoms and local effects: When the reactor is subcritical, Channel A trips #3, 6, 7, and 9 are inhibited by the application of +15 V to the bistable trip units.
Method of detection: Switch Bypass Position is Annunciated.
Inherent compensating provision: When reactor power is greater than 10^-4 %, signals from the power level trip units automatically disable the bypass by removing the +15 Volts at the bistable trip units.
Effects on RPS: None during normal plant operation. During zero power tests, the switch is N.C.

6.3 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Contact Set 3 Fail Open.
Symptoms and local effects: Contact set 3 only interacts with trip #7. Channel A trip #7 is not bypassed during zero power tests.
Method of detection: During Zero Power Tests, Channel Trip and Pre-Trip Alarms for RT#7.
Inherent compensating provision: During zero power tests, the RPS 2/4 logic inhibits a spurious RT#7 due to a single channel trip. The 3 other channels are bypassed to eliminate the possibility of a spurious trip.
Effects on RPS: None.

6.4 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Contact Set 3 Fail Closed.
Symptoms and local effects: When the reactor is subcritical, Channel A trip #7 is inhibited by the application of +15 V to the bistable trip unit.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.2.
Effects on RPS: See 6.2.

7.0 Channel B Components. Failure mode: All Modes.
Symptoms and local effects: All SG#2 pressure instrumentation and trip channels (A, B, C, D) are identical in configuration. The FMEA for Channel A components is applicable for all channels.
Remarks and other effects: The Channel B power source is Pnl Y20, Bkr #5.

8.0 Channel C Components. Failure mode: All Modes.
Symptoms and local effects: See 7.0.
Remarks and other effects: The Channel C power source is Pnl Y30, Bkr #5.

9.0 Channel D Components. Failure mode: All Modes.
Symptoms and local effects: See 7.0.
Remarks and other effects: The Channel D power source is Pnl Y40, Bkr #5.


TABLE A-8
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP #8, HIGH PRESSURIZER PRESSURE

Columns: No.; Name; Failure Mode; Symptoms and Local Effects Including Dependent Failures; Method of Detection; Inherent Compensating Provision; Effects on RPS; Remarks and Other Effects

1.1 Channel A Pressure Transmitter (PT 0102A). Failure mode: Fail High.
Symptoms and local effects: High analog pressure signal (high voltage) to channel pressure instrumentation and trip logic. Safety Injection System low pressure coincidence logic changes from 2/4 to 2/3. The logic to open the pressurizer power operated relief valves is half tripped and changes from 2/4 to 1/3.
Method of detection: Channel Trip and Pre-Trip Alarms for RT#8.
Inherent compensating provision: RPS 2/4 logic inhibits spurious RT#8 trip due to a single channel trip. Only 2/4 channels are required to actuate RT#9.
Effects on RPS: RT#8 logic is half tripped and is changed to a 1/3 configuration. RT#9 logic is changed to a 2/3 configuration.
Remarks and other effects: One invalid channel trip may be bypassed for RT#8. When one channel is bypassed, RT#8 logic changes to a 2/3 configuration.

1.2 Channel A Pressure Transmitter (PT 0102A). Failure mode: Fail Low.
Symptoms and local effects: Low analog pressure signal (low voltage) to channel pressure instrumentation and trip logic. Safety Injection System low pressure coincidence logic is half tripped and changes from 2/4 to 1/3.
Method of detection: Channel Trip and Pre-Trip Alarms for RT#9.
Inherent compensating provision: RPS 2/4 logic inhibits spurious RT#9 trip due to a single channel trip. Only 2/4 channels are required to actuate RT#8.
Effects on RPS: RT#9 logic is half tripped and is changed to a 1/3 configuration. RT#9 logic is changed to a 2/3 configuration.
Remarks and other effects: One invalid channel trip may be bypassed for RT#9. When one channel is bypassed, RT#9 logic changes to a 2/3 configuration.

1.3 Channel A Pressure Transmitter (PT 0102A). Failure mode: Output Signal Constant.
Symptoms and local effects: Constant analog pressure signal to channel pressure instrumentation and trip logic. All Channel A trip logic is disabled. Safety Injection System low pressure coincidence logic changes from 2/4 to 2/3. The power operated relief valve logic also changes from 2/4 to 2/3.
Method of detection: Periodic Test/Calibration.
Inherent compensating provision: Only 2/4 channels are required to trip and actuate either RT#8 or RT#9.
Effects on RPS: RT#8 logic is changed to a 2/3 configuration. RT#9 logic is changed to a 2/3 configuration.

1.4 Channel A Pressure Transmitter (PT 0102A). Failure mode: Open Signal Line.
Symptoms and local effects: The effect of the failure is the same as fail low.
Method of detection: See 1.2.
Inherent compensating provision: See 1.2.
Effects on RPS: See 1.2.
Remarks and other effects: See 1.2.

1.5 Channel A Pressure Transmitter (PT 0102A). Failure mode: Signal Line Shorts to Ground.
Symptoms and local effects: None.
Method of detection: None.
Inherent compensating provision: The current loop is ungrounded.
Effects on RPS: None.

1.6 Channel A Pressure Transmitter (PT 0102A). Failure mode: Loss of High Pressure Tap Input.
Symptoms and local effects: See 1.4.
Method of detection: See 1.2.
Inherent compensating provision: See 1.2.
Effects on RPS: See 1.2.

2.1 Power Supply (P 0102A). Failure mode: Loss of Output.
Symptoms and local effects: The effect of the failure is the same as 1.2.
Method of detection: See 1.2.
Inherent compensating provision: See 1.2.
Effects on RPS: See 1.2.
Remarks and other effects: See 1.2.

2.2 Power Supply (P 0102A). Failure mode: Off Nominal Output.
Symptoms and local effects: The pressure transmitter will generate erroneous outputs. No significant operational impact unless the transmitter output is driven to an extreme condition. See 1.1, 1.2 and 1.3 for details.
Method of detection: See 1.1 and 1.2.
Inherent compensating provision: See 1.1 and 1.2.
Effects on RPS: See 1.1 and 1.2.
Remarks and other effects: See 1.2.


2.3 Power Supply (P 0102A). Failure mode: Loss of Input Power Supply (Pnl Y10, Bkr #5).
Symptoms and local effects: The effect of the failure is the same as 1.2.
Method of detection: See 1.2.
Inherent compensating provision: See 1.2.
Effects on RPS: See 1.2.
Remarks and other effects: See 1.2.

3.1 Bistable (PA 0102AH). Failure mode: Fails Tripped (Setpoint Exceeded).
Symptoms and local effects: The bistable trip relays (K1, K2, and K3) to the RPS 2/4 logic matrix are de-energized and drop out. The logic to open pressurizer relief valves changes from 2/4 to 1/3.
Method of detection: Channel Trip and Pre-Trip Alarms for RT#8.
Inherent compensating provision: RPS 2/4 logic inhibits spurious RT due to a single channel trip.
Effects on RPS: RT#8 logic is half tripped and is changed to a 1/3 configuration.
Remarks and other effects: One invalid channel trip may be bypassed for RT#8. When one channel is bypassed, RT#8 logic changes to a 2/3 configuration.

3.2 Bistable (PA 0102AH). Failure mode: Fails Untripped.
Symptoms and local effects: Channel A trip for RT#8 is disabled. The logic to open pressurizer relief valves changes from 2/4 to 2/3.
Method of detection: Periodic Test.
Inherent compensating provision: Only 2/4 channels are required to trip to actuate RT#8.
Effects on RPS: RT#8 logic is changed to a 2/3 configuration.

3.3 Bistable (PA 0102AH). Failure mode: Loss of Input Power Supply (Pnl Y10, Bkr #5).
Symptoms and local effects: The bistable will go to the tripped state. See 3.1.
Method of detection: See 3.1.
Inherent compensating provision: See 3.1.
Effects on RPS: See 3.1.
Remarks and other effects: See 3.1.

3.4 Bistable (PA 0102AH). Failure mode: Relay K1 or K2 or K3 Fails to Energized State.
Symptoms and local effects: The Channel A trip function is degraded. Only 2/3 trip relays will drop out when the bistable trips. 1 of the 6 RPS trip modules cannot actuate RT#8.
Method of detection: Periodic Test.
Inherent compensating provision: See 3.2.
Effects on RPS: RT#8 logic is degraded. Channel A trip is only 2/3 effective.
Remarks and other effects: Only 1 of 6 trip modules are required to actuate a RT.

3.5 Bistable (PA 0102AH). Failure mode: Relay K1 or K2 or K3 Fails to De-energized State.
Symptoms and local effects: Partial Channel A trip. 1 of the 6 RPS trip modules is half tripped.
Method of detection: Status Check of Bistable Trip Relay Lights.
Inherent compensating provision: See 3.1.
Effects on RPS: 1 of the 6 RPS trip modules is half tripped for RT#8.

3.6 Bistable (PA 0102AH). Failure mode: Short Across Input.
Symptoms and local effects: The effect of the failure is the same as the bistable failing untripped (see 3.2). The instrumentation loop transmitter will compensate and maintain valid signal levels for all additional instrumentation and trip components in the loop.
Method of detection: See 3.2.
Inherent compensating provision: See 3.2.
Effects on RPS: See 3.2.

4.1 Pressure Indicator (PIA 0102ALL). Failure mode: Invalid Indication.
Symptoms and local effects: The failure does not cause local effects or induce secondary RPS failures.
Method of detection: Status Check of Pressurizer Pressure Indicators.
Inherent compensating provision: The indicator is isolated from the active RPS circuits so that an indicator failure will not propagate an RPS failure.
Effects on RPS: None.

4.2 Pressure Indicator (PIA 0102ALL). Failure mode: Short Across Input.
Symptoms and local effects: The meter will indicate low. The Safety Injection System (SIS) low pressure coincidence logic is half tripped and changes from 2/4 to 1/3.
Method of detection: Lo-Lo Pressure Alarm and Status Check of Pressure Indicators.
Inherent compensating provision: The instrumentation loop transmitter will compensate for the loss of load and maintain valid signal levels for normal RPS operation.
Effects on RPS: No effect on the RPS.

4.3 Pressure Indicator (PIA 0102ALL). Failure mode: Loss of Power Source (Pnl Y10, Bkr #5).
Symptoms and local effects: The meter reading remains valid. All meter relays are de-energized. The SIS low pressure coincidence logic changes from 2/4 to 1/3.
Method of detection: Lo-Lo Pressure Alarm.
Inherent compensating provision: None required for RPS
Effects on RPS: None.

5.1 Manual Switch (Trip #8 Bypass - Channel A). Failure mode: Fail Open.
Symptoms and local effects: The keylock switch is N.O. and is only used to remove an invalid trip and to change the RT configuration to 2/3.
Method of detection: Periodic Test.
Inherent compensating provision: The switch is N.O. during normal plant operation.
Effects on RPS: An invalid Channel A trip cannot be bypassed to remove the half trip condition. RT#8 logic cannot be changed to a 2/3 configuration.
Remarks and other effects: 1 key is available for use with the 4 bypass switches (Channels A, B, C, and D). Only 1 channel trip may be bypassed.

5.2 Manual Switch (Trip #8 Bypass - Channel A). Failure mode: Fail Closed.
Symptoms and local effects: Three separate switch contacts in parallel with the three normally open contacts of the trip unit close and inhibit a valid channel trip.
Method of detection: Status Check. Light above Switch is Illuminated.
Inherent compensating provision: See 3.1.
Effects on RPS: See 3.1.

5.3 Manual Switch (Trip #8 Bypass - Channel A). Failure mode: Single Contact Set - Fails Open.
Symptoms and local effects: See 5.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 5.1.
Effects on RPS: 1 of the 3 bistable unit trip relays cannot be bypassed after an invalid channel trip. 1 of the 6 trip logic (2/4) modules will be half tripped.

5.4 Manual Switch (Trip #8 Bypass - Channel A). Failure mode: Single Contact Set - Fails Closed.
Symptoms and local effects: 1 of the 3 bistable trip relays is disabled.
Method of detection: Periodic Test.
Inherent compensating provision: See 3.1.
Effects on RPS: 1 of the 6 RPS trip logic modules cannot actuate RT#8.

6.0 Channel B Components. Failure mode: All Modes.
Symptoms and local effects: All pressurizer pressure instrumentation and trip channels (A, B, C, D) are identical in configuration. The FMEA for Channel A components is applicable for all channels.
Remarks and other effects: The Channel B power source is Pnl Y20, Bkr #5.

7.0 Channel C Components. Failure mode: All Modes.
Symptoms and local effects: See 6.0.
Remarks and other effects: The Channel C power source is Pnl Y30, Bkr #5.

8.0 Channel D Components. Failure mode: All Modes.
Symptoms and local effects: See 6.0.
Remarks and other effects: The Channel D power source is Pnl Y40, Bkr #5.
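The coincidence-logic entries in Table A-8 (a failed-tripped channel leaves 1/3, a failed-untripped or bypassed channel leaves 2/3, a stuck relay affects 1 of the 6 trip modules) can be checked with a small model. This is an added example, not part of the original report: it assumes one 2/4 logic module per channel pair (AB, AC, AD, BC, BD, CD), each fed by one of a channel's three trip relays, which the tables imply but do not spell out, and every class and function name is hypothetical.

```python
from itertools import combinations

CHANNELS = "ABCD"
# Assumed wiring: one 2/4 logic module per channel pair, each fed by one of the
# three trip relays (K1-K3) of both channels in the pair.
MODULES = [frozenset(pair) for pair in combinations(CHANNELS, 2)]


def _pairs(faults):
    """Normalise [("A", "AB"), ...] relay/contact faults to (channel, module) keys."""
    return {(ch, frozenset(mod)) for ch, mod in faults}


class TripFunction:
    """One reactor trip function (for example RT#8) with injected FMEA faults."""

    def __init__(self, failed_tripped=(), failed_untripped=(), bypassed=(),
                 relay_stuck_energized=(), relay_stuck_deenergized=(),
                 bypass_contact_open=()):
        self.failed_tripped = set(failed_tripped)
        self.failed_untripped = set(failed_untripped)
        self.bypassed = set(bypassed)
        self.relay_stuck_energized = _pairs(relay_stuck_energized)
        self.relay_stuck_deenergized = _pairs(relay_stuck_deenergized)
        self.bypass_contact_open = _pairs(bypass_contact_open)

    def votes(self, channel, module, demanded):
        """True when this channel's relay contact in `module` has dropped out."""
        key = (channel, module)
        if channel in self.bypassed and key not in self.bypass_contact_open:
            return False  # closed bypass contact in parallel masks the relay
        if key in self.relay_stuck_energized:
            return False
        if key in self.relay_stuck_deenergized:
            return True
        if channel in self.failed_untripped:
            return False
        return channel in self.failed_tripped or channel in demanded

    def actuated_modules(self, demanded=()):
        demanded = set(demanded)
        return [m for m in MODULES if all(self.votes(c, m, demanded) for c in m)]

    def reactor_trip(self, demanded=()):
        return bool(self.actuated_modules(demanded))  # 1 of 6 modules suffices

    def half_tripped_modules(self):
        """Modules holding exactly one trip vote while no channel demands a trip."""
        return [m for m in MODULES if sum(self.votes(c, m, set()) for c in m) == 1]

    def dead_modules(self):
        """Modules that cannot actuate even when every channel demands a trip."""
        live = self.actuated_modules(CHANNELS)
        return [m for m in MODULES if m not in live]

    def coincidence(self):
        """Return (best, guaranteed, n) over the n channels still in service.

        best: fewest valid channel trips that can actuate a reactor trip.
        guaranteed: fewest valid channel trips that always actuate one.
        """
        out = self.failed_tripped | self.failed_untripped | self.bypassed
        healthy = [c for c in CHANNELS if c not in out]
        best = guaranteed = None
        for k in range(len(healthy) + 1):
            results = [self.reactor_trip(c) for c in combinations(healthy, k)]
            if best is None and any(results):
                best = k
            if all(results):
                guaranteed = k
                break
        return best, guaranteed, len(healthy)


# Constructed fault cases named after the Table A-8 rows they mirror.
CASES = {
    "no fault": TripFunction(),
    "3.1 bistable fails tripped": TripFunction(failed_tripped="A"),
    "3.1 then bypassed": TripFunction(failed_tripped="A", bypassed="A"),
    "3.2 bistable fails untripped": TripFunction(failed_untripped="A"),
    "3.4 relay stuck energized": TripFunction(relay_stuck_energized=[("A", "AB")]),
    "3.5 relay stuck de-energized": TripFunction(relay_stuck_deenergized=[("A", "AB")]),
    "5.3 bypass contact set fails open": TripFunction(
        failed_tripped="A", bypassed="A", bypass_contact_open=[("A", "AB")]),
}

if __name__ == "__main__":
    for name, tf in CASES.items():
        best, guaranteed, n = tf.coincidence()
        print(f"{name:36s} best {best}/{n}  guaranteed {guaranteed}/{n}  "
              f"half-tripped {len(tf.half_tripped_modules())}  dead {len(tf.dead_modules())}")
```

Under the assumed wiring, a relay stuck energized leaves channels A and B unable to trip the reactor as a pair, so two coincident trips are no longer always sufficient; this is the sense in which the table calls the Channel A trip "only 2/3 effective".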

TABLE A-9
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP #9, THERMAL MARGIN/LOW PRESSURE

Columns: No.; Name; Failure Mode; Symptoms and Local Effects Including Dependent Failures; Method of Detection; Inherent Compensating Provision; Effects on RPS; Remarks and Other Effects

1.0 Channel A Pressure Transmitter (PT 0102A). Failure mode: All Modes.
Symptoms and local effects: Common pressurizer pressure instrumentation loops are associated with RPS RT#8 and RT#9 trip circuits. See the FMEA presented on Table A-8 (item 1.0) for the detailed analysis.

2.0 Pressure Transmitter Power Supply. Failure mode: All Modes.
Symptoms and local effects: See 1.0 above and Table A-8, item 2.0.

3.0 Pressure Indicator (PIA 0102ALL). Failure mode: All Modes.
Symptoms and local effects: See 1.0 above and Table A-8, item 4.0.

4.1 TM/Low Pressure Bistable (PA 0102A). Failure mode: Fails Tripped (Input Signal Below Setpoint).
Symptoms and local effects: The bistable trip relays (K1, K2, and K3) to the RPS 2/4 logic matrix are de-energized and drop out. RT#9 channel trip signals are generated.
Method of detection: Channel Trip and Pre-Trip Alarms for RT#9.
Inherent compensating provision: RPS 2/4 logic inhibits spurious RT due to a single channel trip.
Effects on RPS: RT#9 logic is half tripped and is changed to a 1/3 configuration.
Remarks and other effects: One invalid channel trip may be bypassed for RT#9. When one channel is bypassed, RT#9 logic changes to a 2/3 configuration.

4.2 TM/Low Pressure Bistable (PA 0102A). Failure mode: Fails Untripped.
Symptoms and local effects: Channel A TM/low pressure trip for RT#9 is disabled.
Method of detection: Periodic Test.
Inherent compensating provision: Only 2/4 channels are required to trip to actuate RT#9.
Effects on RPS: RT#9 logic is changed to a 2/3 configuration.

4.3 TM/Low Pressure Bistable (PA 0102A). Failure mode: Variable Setpoint Signal Fails High.
Symptoms and local effects: The high setpoint will cause the bistable to trip when the input pressure signal falls below the setpoint. See 4.1.
Method of detection: High Setpoint Signal Alarm and Channel Trip and Pre-Trip Alarms.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

4.4 TM/Low Pressure Bistable (PA 0102A). Failure mode: Variable Setpoint Signal Fails Low.
Symptoms and local effects: The low setpoint signal inhibits a valid channel trip. The effect of the failure is the same as 4.2.
Method of detection: Low Setpoint Signal Alarm.
Inherent compensating provision: See 4.2.
Effects on RPS: See 4.2.

4.5 TM/Low Pressure Bistable (PA 0102A). Failure mode: Constant Setpoint Signal.
Symptoms and local effects: The constant level setpoint signal will not impact RPS RT#9 operation significantly unless the signal level goes to an extreme (high or low). See 4.1 and 4.2 for details.
Method of detection: Periodic Test/Calibration.
Inherent compensating provision: See 4.1 and 4.2.
Effects on RPS: See 4.1 and 4.2.

4.6 TM/Low Pressure Bistable (PA 0102A). Failure mode: Relay K1 or K2 or K3 Fails to Energized State.
Symptoms and local effects: The Channel A trip function is degraded. Only 2/3 trip relays will drop out when the bistable trips. 1 of the 6 RPS trip modules cannot actuate RT#9.
Method of detection: Periodic Test.
Inherent compensating provision: See 4.2.
Effects on RPS: RT#9 logic is degraded. Channel A trip is only 2/3 effective.
Remarks and other effects: Only 1 of 6 trip modules are required to actuate a RT.

4.7 TM/Low Pressure Bistable (PA 0102A). Failure mode: Relay K1 or K2 or K3 Fails to De-energized State.
Symptoms and local effects: Partial Channel A trip. 1 of the 6 RPS trip modules is half tripped.
Method of detection: Status Check of Bistable Trip Relay Lights.
Inherent compensating provision: See 4.1.
Effects on RPS: 1 of the 6 RPS trip modules is half tripped for RT#9.

4.8 TM/Low Pressure Bistable (PA 0102A). Failure mode: Loss of Input Power Supply (Pnl Y10, Bkr #5).
Symptoms and local effects: The bistable will go to the tripped state. See 4.1.
Method of detection: See 4.1.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

4.9 TM/Low Pressure Bistable (PA 0102A). Failure mode: Short Across Input.
Symptoms and local effects: The effect of the failure is the same as the bistable failing tripped (see 4.1). The instrumentation loop transmitter will compensate for the load loss and maintain valid signal levels for all additional instrumentation and trip components in the loop.
Method of detection: See 3.2.
Inherent compensating provision: See 3.2.
Effects on RPS: See 3.2.

5.1 Variable Setpoint Indicator (PIA 0102A). Failure mode: Invalid Indication.
Symptoms and local effects: The failure does not cause local effects or induce secondary RPS failures.
Method of detection: Status Check of All Setpoint Indicators.
Inherent compensating provision: The indicator is isolated from the active RPS circuits so that an indicator failure will not propagate an RPS failure.
Effects on RPS: None.

5.2 Variable Setpoint Indicator (PIA 0102A). Failure mode: Short Across Input.
Symptoms and local effects: The meter will indicate low and initiate low pressure annunciator.
Method of detection: Lo Pressure Alarm and Status Check of Indicator.
Inherent compensating provision: The instrumentation loop transmitter will compensate for the loss of load and maintain valid signal levels for normal RPS operation.
Effects on RPS: No effect on the RPS.

5.3 Variable Setpoint Indicator (PIA 0102A). Failure mode: Loss of Power Source (Pnl Y10, Bkr #5).
Symptoms and local effects: The meter reading remains valid. All meter relays are de-energized. Both the hi and lo pressure alarms are actuated.
Method of detection: Hi and Lo Pressure Alarms.
Inherent compensating provision: None required for RPS operation.
Effects on RPS: None.

6.1 Setpoint Auctioneer Unit (PY 0102A). Failure mode: Output Fails High.
Symptoms and local effects: The effect of the failure is the same as 4.3.
Method of detection: See 4.3.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

6.2 Setpoint Auctioneer Unit (PY 0102A). Failure mode: Output Fails Low.
Symptoms and local effects: The low output disables the channel thermal margin trip function. The output of the unit is limited to a lower value which represents a minimum pressure of 1750 psia at nominal operating pressures of > 1800 psia; for nominal operating pressure of 1800 psia, this minimum is set at 1650 psia.
Method of detection: Low Setpoint Signal Alarm.
Inherent compensating provision: See 4.2.
Effects on RPS: See 4.2.

6.3 Setpoint Auctioneer Unit (PY 0102A). Failure mode: Constant Output Signal.
Symptoms and local effects: The effect of the failure is the same as 4.5.
Method of detection: See 4.5.
Inherent compensating provision: See 4.5.
Effects on RPS: See 4.5.

6.4 Setpoint Auctioneer Unit (PY 0102A). Failure mode: Open Output Signal Line.
Symptoms and local effects: The effect of the failure is the same as 4.4.
Method of detection: See 4.4.
Inherent compensating provision: See 4.2.
Effects on RPS: See 4.2.

6.5 Setpoint Auctioneer Unit (PY 0102A). Failure mode: Loss of Pvar 1 Input.
Symptoms and local effects: The auctioneer will pass the largest signal (either Pvar 1 or Pvar 2) if the level is greater than the preset floor limit.
Method of detection: Periodic Test or Status Check of Setpoint Indicators.
Inherent compensating provision: The failure will not inhibit a channel trip. The channel trip will be delayed if the failure propagates a setpoint lower than the nominal value.
Effects on RPS: Possible delay of the channel trip. Only 2/4 channel trips are required to actuate RT#9.

6.6 Setpoint Auctioneer Unit (PY 0102A). Failure mode: Loss of Pvar 2 Input.
Symptoms and local effects: See 6.5.
Method of detection: See 6.5.
Inherent compensating provision: See 6.5.
Effects on RPS: See 6.5.

6.7 Setpoint Auctioneer Unit (PY 0102A). Failure mode: Loss of Power Supply (Pnl Y10, Bkr #5).
Symptoms and local effects: The effect of the failure is the same as 4.4.
Method of detection: See 4.4.
Inherent compensating provision: See 4.4.
Effects on RPS: See 4.4.

7.1 Pvar 1 Setpoint Computer (PY 0112A). Failure mode: Low Output Signal.
Symptoms and local effects: The effect of the failure is the same as 6.5.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

7.2 Pvar 1 Setpoint Computer (PY 0112A). Failure mode: High Output Signal.
Symptoms and local effects: The auctioneer will select the largest of the two setpoint computer outputs to generate the TM trip setpoint. The effect of the failure is the same as 4.3.
Method of detection: See 4.3.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

7.3 Pvar 1 Setpoint Computer (PY 0112A). Failure mode: Loss of Constant Current Input (P 0112A).
Symptoms and local effects: See 7.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

7.4 Pvar 1 Setpoint Computer (PY 0112A). Failure mode: Loss of Loop 1 or 2 Hot Leg Input.
Symptoms and local effects: The computer will generate a signal equivalent to a low pressure value. The effect of the failure is the same as 7.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

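7.5 Pvar 1 Setpoint Computer (PY 0112A). Failure mode: Loss of Loop 1 or 2 Cold Leg Input.
Symptoms and local effects: The computer will generate a signal equivalent to a high pressure value. The effect of the failure is the same as 7.2.
Method of detection: See 4.3.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

7.6 Pvar 1 Setpoint Computer (PY 0112A). Failure mode: Loss of Power Supply (Pnl Y10, Bkr #5).
Symptoms and local effects: The effect of the failure is the same as 6.5.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

8.0 Pvar 2 Setpoint Computer (PY 0122A). Failure mode: All Modes.
Symptoms and local effects: The FMEA for PY 0112A (item 7.0 above) is applicable for PY 0122A.

9.1 Constant Current Source (P 0112A). Failure mode: Loss of Output to Loop 1.
Symptoms and local effects: The effect of the failure is the same as 7.3.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

9.2 Constant Current Source (P 0112A). Failure mode: Loss of Output to Loop 2.
Symptoms and local effects: See 9.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

9.3 Constant Current Source (P 0112A). Failure mode: Loss of Output to Both Loops.
Symptoms and local effects: The output of the auctioneer unit goes to the low limit signal level. This limit generates the channel low pressure trip setpoint at 1750 psia at nominal operating pressure > 1800 psia; or 1650 psia for a nominal operating pressure at 1800 psia.
Method of detection: Low Setpoint Signal Alarm.
Inherent compensating provision: See 4.2.
Effects on RPS: See 4.2.

9.4 Constant Current Source (P 0112A). Failure mode: Loss of Input Power Supply (Pnl Y10, Bkr #5).
Symptoms and local effects: The effect of the failure is the same as 9.3.
Method of detection: Low Setpoint Signal Alarm.
Inherent compensating provision: See 4.2.
Effects on RPS: See 4.2.

9.5 Constant Current Source (P 0112A). Failure mode: High Output to Loop 1.
Symptoms and local effects: The effect of the failure is the same as 7.2.
Method of detection: See 4.3.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

9.6 Constant Current Source (P 0112A). Failure mode: High Output to Loop 2.
Symptoms and local effects: See 9.5.
Method of detection: See 4.3.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

9.7 Constant Current Source (P 0112A). Failure mode: High Output to Both Loops.
Symptoms and local effects: See 9.5.
Method of detection: See 4.3.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.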


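10.1 Temp Transmitter Loop 1 Hot Leg (TT-0112HA). Failure mode: Fail High.
Symptoms and local effects: High signal level to the loop setpoint computer. The computer will generate a high signal level output. See 7.2.
Method of detection: See 4.3.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

10.2 Temp Transmitter Loop 1 Hot Leg (TT-0112HA). Failure mode: Fail Low.
Symptoms and local effects: Low signal level to the loop setpoint computer. The computer will generate a low signal level output. See 7.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

10.3 Temp Transmitter Loop 1 Hot Leg (TT-0112HA). Failure mode: Constant Output Signal.
Symptoms and local effects: The constant output signal will not impact RPS RT#9 operation significantly unless the signal level goes to an extreme (high or low). See 10.1 and 10.2.
Method of detection: See 10.1 and 10.2.
Inherent compensating provision: See 10.1 and 10.2.
Effects on RPS: See 10.1 and 10.2.

10.4 Temp Transmitter Loop 1 Hot Leg (TT-0112HA). Failure mode: Loss of Input Power Supply (Pnl Y10, Bkr #4).
Symptoms and local effects: The effect of the failure is the same as fail low. See 10.2.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

11.1 Temp Element Loop 1 Hot Leg (TE 0112HA). Failure mode: Fail High.
Symptoms and local effects: The effect of the failure is the same as 10.1.
Method of detection: See 4.3.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

11.2 Temp Element Loop 1 Hot Leg (TE 0112HA). Failure mode: Fail Low.
Symptoms and local effects: The effect of the failure is the same as 10.2.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

11.3 Temp Element Loop 1 Hot Leg (TE 0112HA). Failure mode: Constant Output Signal.
Symptoms and local effects: The effect of the failure is the same as 10.3.
Method of detection: See 10.1 and 10.2.
Inherent compensating provision: See 10.1 and 10.2.
Effects on RPS: See 10.1 and 10.2.

12.1 Temp Transmitter Loop 1 Cold Leg (TT-0112CA). Failure mode: Fail Low.
Symptoms and local effects: High signal level to the loop setpoint computer. The computer will generate a high signal level output. See 7.2.
Method of detection: See 4.3.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

12.2 Temp Transmitter Loop 1 Cold Leg (TT-0112CA). Failure mode: Fail High.
Symptoms and local effects: Low signal level to the loop setpoint computer. The computer will generate a low signal level output. See 7.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

12.3 Temp Transmitter Loop 1 Cold Leg (TT-0112CA). Failure mode: Constant Output Signal.
Symptoms and local effects: The constant output signal will not impact RPS RT#9 operation significantly unless the signal level goes to an extreme (high or low). See 12.1 and 12.2.
Method of detection: See 12.1 and 12.2.
Inherent compensating provision: See 12.1 and 12.2.
Effects on RPS: See 12.1 and 12.2.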

12.4 Temp Transmitter Loop 1 Cold Leg (TT-0112CA). Failure mode: Loss of Input Power Supply (Pnl Y10, Bkr #4).
Symptoms and local effects: The effect of the failure is the same as fail low. See 12.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

13.1 Temp Element Loop 1 Cold Leg (TE 0112CA). Failure mode: Fail Low.
Symptoms and local effects: The effect of the failure is the same as 12.1.
Method of detection: See 4.3.
Inherent compensating provision: See 4.1.
Effects on RPS: See 4.1.

13.2 Temp Element Loop 1 Cold Leg (TE 0112CA). Failure mode: Fail High.
Symptoms and local effects: The effect of the failure is the same as 12.2.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.5.
Effects on RPS: None.

13.3 Temp Element Loop 1 Cold Leg (TE 0112CA). Failure mode: Constant Output Signal.
Symptoms and local effects: The effect of the failure is the same as 12.3.
Method of detection: See 12.1 and 12.2.
Inherent compensating provision: See 12.1 and 12.2.
Effects on RPS: See 12.1 and 12.2.

14.0 Loop 1 Cold Leg Temp Indicator (TI 0112CA). Failure mode: Invalid Indication.
Symptoms and local effects: The failure does not cause local effects or induce secondary RPS failures.
Method of detection: Status Check of Temp Indicators.
Inherent compensating provision: The indicator is isolated from the RPS circuits so that an indicator failure will not propagate an RPS failure.
Effects on RPS: None.

15.0 Loop 1 Hot Leg Temp Indicator (TI 0112HA). Failure mode: Invalid Indication.
Symptoms and local effects: See 14.0.
Method of detection: See 14.0.
Inherent compensating provision: See 14.0.
Effects on RPS: None.

16.0 Loop 2 Components. Failure mode: All Modes.
Symptoms and local effects: Both loop 1 and loop 2 temperature instrumentation and signal processing channels are identical in configuration. The FMEA for loop 1 components (items 10 - 15) is applicable for loop 2 components.

17.1 Manual Switch (Trip #9 Bypass - Channel A). Failure mode: Fail Open.
Symptoms and local effects: The keylock switch is N.O. and is only used to remove an invalid trip and to change the RT configuration to 2/3.
Method of detection: Periodic Test.
Inherent compensating provision: The switch is N.O. during normal plant operation.
Effects on RPS: An invalid Channel A trip cannot be bypassed to remove the half trip condition. RT#9 logic cannot be changed to a 2/3 configuration.
Remarks and other effects: 1 key is available for use with the 4 bypass switches (Channels A, B, C, and D). Only 1 channel trip may be bypassed.

17.2 Manual Switch (Trip #9 Bypass - Channel A). Failure mode: Fail Closed.
Symptoms and local effects: Three separate switch contacts in parallel with the three normally open contacts of the trip unit close and inhibit a valid channel trip.
Method of detection: Status Check. Light above Switch is Illuminated.
Inherent compensating provision: See 4.2.
Effects on RPS: See 4.2.


17.3 Manual Switch (Trip #9 Bypass - Channel A). Failure mode: Single Contact Set - Fails Open.
Symptoms and local effects: See 17.1.
Method of detection: Periodic Test.
Inherent compensating provision: See 17.1.
Effects on RPS: 1 of the 3 bistable unit trip relays cannot be bypassed after the invalid channel trip. 1 of the 6 trip logic (2/4) modules will be half tripped.

17.4 Manual Switch (Trip #9 Bypass - Channel A). Failure mode: Single Contact Set - Fails Closed.
Symptoms and local effects: 1 of the 3 bistable trip relays is disabled.
Method of detection: Periodic Test.
Inherent compensating provision: See 4.2.
Effects on RPS: 1 of the 6 RPS trip logic modules cannot actuate RT#9.

18.1 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Fail Open.
Symptoms and local effects: The keylock switch is N.O. and is only closed for system tests when the reactor is subcritical (less than 10^-4 % power). Channel A trips #3, 6, 7, and 9 are not bypassed during zero power reactor tests.
Method of detection: During Zero Power Reactor Tests, Channel Trip and Pre-Trip Alarm for RT#3, 6, 7, and 9.
Inherent compensating provision: RPS 2/4 logic inhibits spurious RT due to the numerous trips generated in Channel A. During zero power testing, Channels B, C, and D are bypassed and thus eliminate the possibility of a spurious RT.
Effects on RPS: None.
Remarks and other effects: During zero power testing, Channel A trips #3, 6, 7, 9 may each be bypassed by the channel bypass switch for each trip mode.

18.2 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Fail Closed.
Symptoms and local effects: When the reactor is subcritical, Channel A trips #3, 6, 7, and 9 are inhibited by the application of +15 V to the bistable trip units.
Method of detection: Switch Bypass Position is Annunciated.
Inherent compensating provision: When reactor power is greater than 10^-4 %, signals from the power level trip units automatically disable the bypass by removing the +15 Volts at the bistable trip units.
Effects on RPS: None during normal plant operation. During zero power tests, the switch is N.C.

18.3 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Contact Set 4 Fail Open.
Symptoms and local effects: Contact set 4 only interacts with trip #9. Channel A trip #9 is not bypassed during zero power tests.
Method of detection: During Zero Power Tests, Channel Trip and Pre-Trip Alarms for RT#9.
Inherent compensating provision: During zero power tests, the RPS 2/4 logic inhibits a spurious RT#9 due to a single channel trip. The 3 other channels are bypassed to eliminate the possibility of a spurious trip.

18.4 Manual Switch (Zero Power Mode Trip Bypass - Channel A). Failure mode: Contact Set 4 Fail Closed.
Symptoms and local effects: When the reactor is subcritical, Channel A trip #9 is inhibited by the application of +15 V to the bistable trip unit.
Method of detection: Periodic Test.
Inherent compensating provision: See 6.2.
Effects on RPS: See 6.2.

I J ____

I

TABLE A-9 (cont'd)

RPS FMEA REACTOR TRIP #9

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 19.0 | Channel B Components | All Modes | All thermal margin and low pressure instrumentation and trip channels (A, B, C, D) are identical in configuration. The FMEA for Channel A components (items 1 - 18) is applicable for all channels. | | | | The Channel B power source is Pnl Y20, Bkr #4 and 5. |
| 20.0 | Channel C Components | All Modes | See 19.0 | | | | The Channel C power source is Pnl Y30, Bkr #4 and 5. |
| 21.0 | Channel D Components | All Modes | See 19.0 | | | | The Channel D power source is Pnl Y40, Bkr #4 and 5. |

TABLE A-10
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP #10, LOSS OF LOAD, TURBINE TRIP

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 1.1 | Pressure Switch, Turbine Auto Stop (63/AST-2) | Contacts Fail Open | The pressure switch is N.O. when the turbine is operating. | Periodic Test | None | RT#10 is inhibited. | Single fault inhibits RT#10. The loss of load reactor trip is an anticipatory trip which is not required to protect the reactor since the primary trip is high system pressure (FSAR 7.2.3.6). |
| 1.2 | | Fail Closed | The switch is normally closed when there is a loss of pressure in the auto stop oil. RT#10 is actuated if reactor power is greater than 15%. | RT#10 Is Actuated | None | RT#10 is actuated when reactor power is greater than 15%. | |
| 2.1 | Time Delay Relay (462/TDO) | Fails to Energized and Tripped State | The relay normally cuts out (de-energizes) turbine trip relays (305L and 305R) 3 seconds after the auto stop pressure switch closes. When the relay (TDO) fails to the tripped state, RT#10 cannot be actuated. | Periodic Test | None | RT#10 is inhibited. | See 1.1 |
| 2.2 | | Fails to Untripped State | The turbine trip relays 305L and 305R are constantly energized when the auto stop pressure switch is closed. | Periodic Test | None required for the RPS function. | None | |
| 3.1 | Turbine Trip Relay Power Source (125 VDC Pnl 021, Bkr 72-212) | Loss of Output | The effect of the failure is the same as 1.1. | Control Circuit U.V. Relay 374 UI Alarm | None | RT#10 is inhibited. | See 1.1 |
| 3.2 | | Off Nominal Output | No effect if turbine trip relays L and R can be pulled in when required. If the relays cannot be pulled in, the effect of the failure is the same as 1.1. | See 3.1 | None | RT#10 is inhibited. | See 1.1 |
| 3.3 | | Short Across Output Lines or Open Output Line | The effect of the failure is the same as 1.1. | Periodic Test | None | RT#10 is inhibited. | See 1.1 |

TABLE A-10 (cont'd)

RPS FMEA REACTOR TRIP #10

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 4.1 | Turbine Trip Relay 305L | Fails to Energized State | N.C. contacts open and remove voltage from the Channel A and C aux trip unit relays (K1, K2, and K3). | Channel A and C Trip Alarms for RT#10 | None | Spurious reactor trip results when reactor power level is above 15%. | |
| 4.2 | | Fails to De-energized State | Channel A and C aux trip units cannot be tripped. | Periodic Test | 1/2 turbine trip relays are required to actuate RT#10. | RT#10 trip logic is changed to a 2/2 configuration. | |
| 5.1 | Turbine Trip Relay 305R | Fails to Energized State | N.C. contacts open and remove voltage from Channel B and D aux trip unit relays (K1, K2, and K3). | Channel A and B Trip and Pre-Trip Alarms for RT#10 | None | See 4.1 | |
| 5.2 | | Fails to De-energized State | Channel B and D aux trip units cannot be tripped. | Periodic Test | See 4.2 | See 4.2 | |
| 6.1 | Channel A Aux Trip Unit | Fails Tripped | The trip relays (K1, K2, and K3) to the RPS 2/4 logic matrix are de-energized and drop out. | Channel Trip and Pre-Trip Alarms for RT#10 | RPS 2/4 logic inhibits spurious RT#10 due to a single channel trip. | RT#10 logic is half tripped and is changed to a 1/3 configuration. | One invalid channel trip may be bypassed for RT#10. When a channel is bypassed, RT#10 logic changes to a 2/3 configuration. |
| 6.2 | | Fails Untripped | Channel A trip for RT#10 is disabled. | Periodic Test | Only 2/4 channels are required to trip to actuate RT#10. | RT#10 logic is changed to a 2/3 configuration. | |
| 6.3 | | Loss of Input Signal Power Supply (Pnl Y20, Bkr #13) | The aux trip unit will go to the tripped state. See 6.1. | See 6.1 | See 6.1 | See 6.1 | |
| 6.4 | | Relay K1 or K2 or K3 Fails to Energized State | The Channel A trip function is degraded. Only 2/3 trip relays will drop out when the aux trip unit trips. 1 of the 6 RPS trip modules cannot actuate RT#10. | Periodic Test | See 6.1 | RT#10 logic is degraded. Channel A trip is only 2/3 effective. | Only 1 of 6 trip modules are required to actuate a RT. |
| 6.5 | | Relay K1 or K2 or K3 Fails to De-energized State | Partial Channel A trip. 1 of the 6 RPS trip modules is half tripped. | Status Check of Aux Trip Unit Trip Relay Lights | See 6.2 | 1 of the 6 RPS trip modules is half tripped for RT#10. | |

TABLE A-10 (cont'd)

RPS FMEA REACTOR TRIP #10

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 7.1 | Manual Switch (Trip #10 Bypass - Channel A) | Fail Open | The key lock switch is N.O. and is only used to remove an invalid trip and to change the RT configuration to 2/3. | Periodic Test | The switch is N.O. during normal plant operation. | An invalid Channel A trip cannot be bypassed to remove the half trip condition. RT#10 logic cannot be changed to a 2/3 configuration. | 1 key is available for use with the 4 bypass switches (Channels A, B, C, and D). Only 1 channel trip may be bypassed. |
| 7.2 | | Fail Closed | Three separate switch contacts in parallel with the three normally open contacts of the aux trip unit relays close and inhibit a valid channel trip. | Status Check. Light above Switch Is Illuminated | See 6.1 | See 6.1 | |
| 7.3 | | Single Contact Set - Fails Open | See 7.1 | Periodic Test | See 7.1 | 1 of the 3 bistable unit trip relays cannot be bypassed after an invalid channel trip. 1 of the 6 trip logic (2/4) modules will be half tripped. | |
| 7.4 | | Single Contact Set - Fails Closed | 1 of the 3 aux trip unit trip relays is disabled. | Periodic Test | See 6.1 | 1 of the 6 RPS trip logic modules cannot actuate RT#10. | |
| 8.0 | Channel B Components | All Modes | All loss of load (turbine trip) instrumentation and trip channels (A, B, C, D) are identical in configuration. The FMEA for Channel A components (items 6.0 and 7.0) is applicable for all channels. | | | | The Channel B power source is Pnl Y20, Bkr #13. |
| 9.0 | Channel C Components | All Modes | See 8.0 | | | | The Channel C power source is Pnl Y30, Bkr #13. |
| 10.0 | Channel D Components | All Modes | See 8.0 | | | | The Channel D power source is Pnl Y40, Bkr #13. |

TABLE A-11
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP #11, HIGH CONTAINMENT PRESSURE

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 1.1 | Pressure Switch - Channel A (PS 1801) | Fail High | The N.C. pressure switch contacts open and remove voltage from the aux trip unit trip relays (K1, K2, and K3). | Channel Trip Alarms for RT#11 | RPS 2/4 logic inhibits spurious RT#11 due to a single channel trip. | RT#11 logic is half tripped and is changed to a 1/3 configuration. | One invalid channel trip may be bypassed for RT#11. When one channel is bypassed, RT#11 logic changes to a 2/3 configuration. |
| 1.2 | | Fail Low | The N.C. pressure switch contacts remain closed. Channel A high containment trips are disabled for RT#11. | Periodic Test | Only 2/4 channels are required to trip to actuate RT#11. | RT#11 logic is changed to a 2/3 configuration. | |
| 1.3 | | Open Signal Line | The effect of the failure is the same as fail high. See 1.1. | See 1.1 | See 1.1 | See 1.1 | See 1.1 |
| 1.4 | | Open Sense Line | The effect of the failure is the same as fail low. See 1.2. | Containment High Pressure Test | See 1.2 | See 1.2 | See 1.2 |
| 2.1 | Aux Trip Unit Channel A | Fails Tripped | The trip relays (K1, K2, and K3) to the RPS 2/4 logic matrix are de-energized and drop out. | See 1.1 | See 1.1 | See 1.1 | See 1.1 |
| 2.2 | | Fails Untripped | Channel A trip for RT#11 is disabled. | Periodic Test | See 1.2 | See 1.2 | |
| 2.3 | | Loss of Input Signal Power Supply (Pnl Y10, Bkr #13) | The aux trip unit will go to the tripped state. See 2.1. | See 1.1 | See 1.1 | See 1.1 | See 1.1 |
| 2.4 | | Relay K1 or K2 or K3 Fails to Energized State | The Channel A trip function is degraded. Only 2/3 trip relays will drop out when the trip unit trips. 1 of the 6 RPS trip modules cannot actuate RT#11. | Periodic Test | See 1.2 | RT#11 logic is degraded. Channel A trip is only 2/3 effective. | Only 1 of 6 trip modules are required to actuate an RT. |
| 2.5 | | Relay K1 or K2 or K3 Fails to De-energized State | Partial Channel A trip. 1 of the 6 RPS trip modules is half tripped. | Status Check of Aux Trip Unit Trip Relay Lights | See 1.1 | 1 of the 6 RPS trip modules is half tripped for RT#11. | |
| 3.1 | Manual Switch (Trip #11 Bypass - Channel A) | Fail Open | The keylock switch is N.O. and is only used to remove an invalid trip and to change the RT configuration to 2/3. | Periodic Test | The switch is N.O. during normal plant operation. | An invalid Channel A trip cannot be bypassed to remove the half trip condition. RT#11 logic cannot be changed to a 2/3 configuration. | 1 key is available for use with the 4 bypass switches (Channels A, B, C, and D). Only 1 channel trip may be bypassed. |

TABLE A-11 (cont'd)

RPS FMEA

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 3.2 | Manual Switch (Trip #11 Bypass - Channel A) | Fail Closed | Three separate switch contacts in parallel with the three normally open contacts of the aux trip unit relays close and inhibit a valid channel trip. | Status Check. Light above Switch Is Illuminated | See 1.1 | See 1.1 | |
| 3.3 | | Single Contact Set - Fails Open | See 3.1 | Periodic Test | See 3.1 | 1 of the 3 bistable unit trip relays cannot be bypassed after the invalid channel trip. 1 of the 6 trip logic (2/4) modules will be half tripped. | |
| 3.4 | | Single Contact Set - Fails Closed | 1 of the 3 aux trip unit trip relays is disabled. | Periodic Test | See 1.1 | 1 of the 6 RPS trip logic modules cannot actuate RT#11. | |
| 4.0 | Channel B Components | All Modes | All high containment pressure trip channels (A, B, C, D) are identical in configuration. The FMEA for Channel A components is applicable for all channels. | | | | The Channel B power source is Pnl Y20, Bkr #13. |
| 5.0 | Channel C Components | All Modes | See 4.0 | | | | The Channel C power source is Pnl Y30, Bkr #13. |
| 6.0 | Channel D Components | All Modes | See 4.0 | | | | The Channel D power source is Pnl Y40, Bkr #13. |

TABLE A-12
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP #12, MANUAL

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 1.1 | Reactor Trip Pushbutton #1 | Contact Set 1-1 Fail Closed | Cannot de-energize the undervoltage coil of breaker CB-1 which powers clutch power supplies PS1 and PS3. | Periodic Test | Manual trip switch 2 provides a backup capability to remove power from clutch supplies PS1 and PS3. | The RT#12 actuation function is reduced to a 1/1 configuration. | |
| 1.2 | | Contact Set 1-1 Fail Open | Clutch power supplies PS1 and PS3 are de-energized. | Clutch Power Supply Alarm | Redundant power supplies PS-2 and PS-4 can support the clutch power requirements and inhibit a spurious RT. | One of the two pairs of redundant clutch power supplies remains operative. | |
| 1.3 | | Contact Set 1-2 Fail Closed | Cannot de-energize the undervoltage coil of breaker CB-2 which powers clutch power supplies PS2 and PS4. | Periodic Test | Manual trip switch 2 provides a backup capability to remove power from clutch supplies PS2 and PS4. | The RT#12 actuation function is reduced to a 1/1 configuration. | |
| 1.4 | | Contact Set 1-2 Fail Open | Clutch power supplies PS2 and PS4 are de-energized. | Clutch Power Supply Alarm | Redundant power supplies PS1 and PS3 can support the clutch power requirements and inhibit a spurious RT. | One of the two pairs of redundant clutch power supplies remains operative. | |
| 1.5 | | Switch Fails Open | Spurious RT. | RT Alarms | None | Spurious RT. | |
| 1.6 | | Switch Fails Closed | The switch is closed during plant operation and would not be detected. | Periodic Test | Only 1/2 trip switches are required to actuate a manual scram (RT#12). | RT#12 actuation is reduced to a 1/1 configuration. | |
| 2.1 | Reactor Trip Pushbutton #2 | Contact Set 2-1 Fail Closed | Cannot de-energize relay M1 and thus remove the AC input power to clutch power supplies PS1 and PS3. | Periodic Test | Contact set 2-2 can de-energize relay M2 which is redundant to relay M1. | None. Either manual trip switches can actuate a scram. | |
| 2.2 | | Contact Set 2-1 Fail Open | Relay M1 is de-energized and drops out. The AC input power to clutch power supplies PS1 and PS3 is removed. | Clutch Power Supply Alarm | Redundant power supplies PS2 and PS4 can support the clutch power requirements and inhibit a spurious RT. | One of the two pairs of redundant clutch power supplies remains operative. | |
| 2.3 | | Contact Set 2-2 Fail Closed | Cannot de-energize relay M2 and thus remove the AC input power to clutch power supplies PS1 and PS3. | Periodic Test | Contact set 2-1 can de-energize relay M1 which is redundant to relay M2. | None. Either manual trip switches can actuate a scram. | |

TABLE A-12 (cont'd)

RPS FMEA REACTOR TRIP #12

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 2.4 | Reactor Trip Pushbutton #2 | Contact Set 2-2 Fail Open | Relay M2 is de-energized and drops out. The AC input power to clutch power supplies PS1 and PS3 is removed. | Clutch Power Supply Alarm | Redundant power supplies PS2 and PS4 can support the clutch power requirements and inhibit a spurious RT. | One of the two pairs of redundant clutch power supplies remains operative. | |
| 2.5 | | Contact Set 2-3 Fail Closed | Cannot de-energize relay M3 and thus remove the AC input power to clutch power supplies PS2 and PS4. | Periodic Test | Contact set 2-4 can de-energize relay M4 which is redundant to relay M3. | None. Either manual trip switches can actuate a scram. | |
| 2.6 | | Contact Set 2-3 Fail Open | Relay M3 is de-energized and drops out. The AC input power to clutch power supplies PS2 and PS4 is removed. | Clutch Power Supply Alarm | Redundant power supplies PS1 and PS3 can support the clutch power requirements and inhibit a spurious RT. | One of the two pairs of redundant clutch power supplies remains operative. | |
| 2.7 | | Contact Set 2-4 Fail Closed | Cannot de-energize relay M4 and thus remove the AC input power to clutch power supplies PS2 and PS4. | Periodic Test | Contact set 2-3 can de-energize relay M3 which is redundant to relay M4. | None. Either manual trip switches can | |
| 2.8 | | Contact Set 2-4 Fail Open | Relay M4 is de-energized and drops out. The AC input power to clutch power supplies PS2 and PS4 is removed. | Clutch Power Supply Alarm | Redundant power supplies PS1 and PS3 can support the clutch power requirements and inhibit a spurious RT. | One of the two pairs of redundant clutch power supplies remains operative. | |
| 2.9 | | Switch Fails Open | Spurious RT. | RT Alarms | None | Spurious RT. | |
| 2.10 | | Switch Fails Closed | The switch is closed during plant operation and would not be detected. | Periodic Test | Only 1/2 trip switches are required to actuate a manual scram (RT#12). | RT#12 actuation is reduced to a 1/1 configuration. | |

TABLE A-13
FAILURE MODE AND EFFECTS ANALYSIS
PALISADES PLANT REACTOR PROTECTION SYSTEM
REACTOR TRIP MATRIX AND TRIP TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 1.0 | Clutch Power Supply PS1 | Loss of Output | Relay K1 is de-energized and drops out. This causes relays M1 and M2 to be de-energized. AC power from panel Y30 is removed from PS1 and PS3. | Clutch Power Supply Alarm | Redundant clutch power supplies PS2 and PS4 inhibit spurious RT. | One of the two pairs of redundant clutch power supplies remain operative. | |
| 2.0 | Clutch Power Supply PS2 | Loss of Output | Relay K3 is de-energized and drops out. This causes relays M1 and M2 to be de-energized. See 1.0. | See 1.0 | See 1.0 | See 1.0 | |
| 3.1 | Relay K1 | Fails to Energized State | Relay is normally energized when PS1 and PS3 are operational. When PS1 and PS3 are de-energized via a scram, the relay is de-energized. When de-energized, contacts from the relay inhibit automatic reset of the scram (energize power supplies PS1 and PS2) after the conditions that initiated the scram are removed. The automatic time delay associated with manual scram reset (relay BW11-KTD-1) is disabled. | Periodic Test | Relays K1 and K3 both provide the inhibit to automatic reset. | Loss of automatic time delay of scram manual reset function. The logic to inhibit automatic reset of scram is changed to a 1/1 configuration. | |
| 3.2 | | Fails to De-energized State | The effect of the failure is the same as 1.0. | See 1.0 | See 1.0 | See 1.0 | |
| 4.1 | Relay K3 | Fails to Energized State | Relay is normally energized when PS1 and PS3 are operational. When PS1 and PS3 are de-energized via a scram, the relay is de-energized. When de-energized, contacts from the relay inhibit automatic reset of the scram (energize power supplies PS1 and PS2) after the conditions that initiated the scram are removed. | Periodic Test | Relays K1 and K3 both provide the inhibit to automatic reset. | The logic to inhibit automatic reset of scram is changed to a 1/1 configuration. | |
| 4.2 | | Fails to De-energized State | The effect of the failure is the same as 2.0. | See 1.0 | See 1.0 | See 1.0 | |
| 5.1 | Time Delay Relay (BW11-KTD-1) | Fails to Energized State | The trip reset switch cannot enable PS1 and PS3 to be energized after a scram. | Periodic Test | Redundant power supplies PS2 and PS4 can be energized after a scram by the reset switches. | One of the two pairs of redundant clutch power supplies remain operative after scram reset. | |

TABLE A-13 (cont'd)

RPS FMEA REACTOR TRIP MATRIX AND TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 5.2 | Time Delay Relay (BW11-KTD-1) | Fails to De-energized State | The automatic time delay associated with manual scram reset is disabled. | Periodic Test | None | Loss of automatic time delay on scram reset function. | |
| 5.3 | | Loss of Power Supply (Pnl Y20) | The effect of the failure is the same as 5.2. | Periodic Test | None | See 5.2 | |
| 6.1 | M Coil, Relay M1 | Fails to Energized State | RT signals from AB1, AC1, AD1, BC1, BD1, CD1, and manual trip switch 1-1 are disabled. | Periodic Test | Redundant signals to redundant relay M2 remove AC input power to clutch power supplies PS1 and PS3. | RT logic to PS1 and PS3 changes from a 1/2 configuration to 1/1. | |
| 6.2 | | Fails to De-energized State | The clutch power supplies PS1 and PS3 are disabled. | Clutch Power Supply Alarm | Redundant clutch power supplies PS2 and PS4 inhibit spurious RT. | One of the two pairs of redundant clutch power supplies remain operative. | |
| 7.1 | Trip Relay AB1 | Fails to Energized State | Relay M1 cannot be de-energized when the associated logic matrix (e.g., AB) is tripped. | Periodic Test | The tripped logic matrix relay #2 (e.g., AB2) will de-energize relay M2 and remove power from power supplies PS1 and PS3. | See 6.1 | |
| 7.2 | | Fails to De-energized State | Relay M1 is de-energized and drops out. See 6.2. | See 6.2 | See 6.2 | See 6.2 | |
| 8.1 | Trip Relay AC1 | Fails to Energized State | See 7.1 | See 7.1 | See 7.1 | See 6.1 | |
| 8.2 | | Fails to De-energized State | See 7.2 | See 6.2 | See 6.2 | See 6.2 | |
| 9.1 | Trip Relay AD1 | Fails to Energized State | See 7.1 | See 7.1 | See 7.1 | See 6.1 | |
| 9.2 | | Fails to De-energized State | See 7.2 | See 6.2 | See 6.2 | See 6.2 | |


TABLE A-13 (cont'd)

RPS FMEA REACTOR TRIP MATRIX AND TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 10.1 | Trip Relay BC1 | Fails to Energized State | See 7.1 | See 7.1 | See 7.1 | See 6.1 | |
| 10.2 | | Fails to De-energized State | See 7.2 | See 6.2 | See 6.2 | See 6.2 | |
| 11.1 | Trip Relay BD1 | Fails to Energized State | See 7.1 | See 7.1 | See 7.1 | See 6.1 | |
| 11.2 | | Fails to De-energized State | See 7.2 | See 6.2 | See 6.2 | See 6.2 | |
| 12.1 | Trip Relay CD1 | Fails to Energized State | See 7.1 | See 7.1 | See 7.1 | See 6.1 | |
| 12.2 | | Fails to De-energized State | See 7.2 | See 6.2 | See 6.2 | See 6.2 | |
| 13.1 | Isolation Transformer | Loss of Output | Relay M1 is de-energized. See 6.2. | See 6.2 | See 6.2 | See 6.2 | |
| 13.2 | | Loss of Input Power Supply (Pnl Y30) | The effect of the failure is the same as 13.1. | See 6.2 | See 6.2 | See 6.2 | |
| 13.3 | | Open Output Line or Short Across Output | See 13.2 | See 6.2 | See 6.2 | See 6.2 | |
| 13.4 | | Single Short to Ground on Output Line | None | Ground Fault Light | The system has a floating ground. | None | |
| 14.0 | Isolation Transformer Fuse | Fail Open | Relay M1 is de-energized. See 6.2 | See 6.2 | See 6.2 | See 6.2 | |

TABLE A-13 (cont'd)

RPS FMEA REACTOR TRIP MATRIX AND TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 15.1 | M Coil, Relay M2 | Fails to Energized State | RT signals from AB2, AC2, AD2, BC2, BD2, CD2 and manual trip switch 1-2 are disabled. | Periodic Test | Redundant signals to redundant relay M2 remove AC input power to clutch power supplies PS1 and PS3. | RT logic to PS1 and PS3 changes from a 1/2 configuration to 1/1. | |
| 15.2 | | Fails to De-energized State | The clutch power supplies PS1 and PS3 are disabled. | Clutch Power Supply Alarm | Redundant clutch power supplies PS2 and PS4 inhibit spurious RT. | One of the two pairs of redundant clutch power supplies remain operative. | |
| 16.1 | Trip Relay AB2 | Fails to Energized State | Relay M2 cannot be de-energized when the associated logic matrix is tripped. | Periodic Test | The tripped logic matrix relay #1 (e.g., AB1) will de-energize relay M2 and remove power from power supplies PS1 and PS3. | See 15.1 | |
| 16.2 | | Fails to De-energized State | Relay M2 is de-energized and drops out. See 15.2. | See 15.2 | See 15.2 | See 15.2 | |
| 17.1 | Trip Relay AC2 | Fails to Energized State | See 16.1 | See 16.1 | See 16.1 | See 16.1 | |
| 17.2 | | Fails to De-energized State | See 16.2 | See 15.2 | See 15.2 | See 15.2 | |
| 18.1 | Trip Relay AD2 | Fails to Energized State | See 16.1 | See 16.1 | See 16.1 | See 16.1 | |
| 18.2 | | Fails to De-energized State | See 16.2 | See 15.2 | See 15.2 | See 15.2 | |
| 19.1 | Trip Relay BC2 | Fails to Energized State | See 16.1 | See 16.1 | See 16.1 | See 15.1 | |

TABLE A-13 (cont'd)

RPS FMEA REACTOR TRIP MATRIX AND TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 19.2 | Trip Relay BC2 | Fails to De-energized State | See 16.2 | See 15.2 | See 15.2 | See 15.2 | |
| 20.1 | Trip Relay BD2 | Fails to Energized State | See 16.1 | See 16.1 | See 16.1 | See 15.1 | |
| 20.2 | | Fails to De-energized State | See 16.2 | See 15.2 | See 15.2 | See 15.2 | |
| 21.1 | Trip Relay CD2 | Fails to Energized State | See 16.1 | See 16.1 | See 16.1 | See 15.1 | |
| 21.2 | | Fails to De-energized State | See 16.2 | See 15.2 | See 15.2 | See 15.2 | |
| 22.1 | Isolation Transformer | Loss of Output | Relay M2 is de-energized. See 15.2. | See 15.2 | See 15.2 | See 15.2 | |
| 22.2 | | Loss of Input Power Supply (Pnl Y30) | The effect of the failure is the same as 22.1. | See 15.2 | See 15.2 | See 15.2 | |
| 22.3 | | Open Output Line or Short Across Output | See 22.2 | See 15.2 | See 15.2 | See 15.2 | |
| 22.4 | | Single Short to Ground on Output Line | None | Ground Fault Light | The system has a floating ground. | None | |
| 23.0 | Isolation Transformer Fuse | Fail Open | Relay M2 is de-energized. See 15.2. | See 15.2 | See 15.2 | See 15.2 | |

TABLE A-13 (cont'd)

RPS FMEA REACTOR TRIP MATRIX AND TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 24.1 | Transformer T1 | Loss of Output | CB1 undervoltage coil will drop out, open CB1 and de-energize the input to PS1 and PS3. | Clutch Power Supply Alarm | See 15.2 | See 15.2 | |
| 24.2 | | Loss of Input (Pnl Y30) | See 24.1 | See 24.1 | See 15.2 | See 15.2 | |
| 24.3 | | Open Output Line or Short Across Output | See 24.1 | See 24.1 | See 15.2 | See 15.2 | |
| 24.4 | | Single Short to Ground on Output Line | None | Ground Fault Light | The system has a floating ground. | None | |
| 25.1 | Circuit Breaker CB1 | Fail Open | Clutch power supplies PS1 and PS2 are de-energized. | Clutch Power Supply Alarm | See 15.2 | See 15.2 | |
| 25.2 | | Fail Closed | Manual trip switch #1 is disabled. CB will not drop out due to undervoltage or overcurrent. | Periodic Test | Redundant reactor trip switch can actuate scram. | Manual reactor trip switch configuration reduced to 1/1. | |
| 26.0 | Reactor Trip Train #2 Components | All Modes | Both reactor trip trains #1 and #2 are identical in configuration. The only difference is in preferred bus interfaces. Panel Y40 supplies power to the clutch power supplies and panel Y30 supplies power to the automatic reset inhibit time delay relay. The FMEA for the train #1 components (items 1 - 25) is applicable for train #2. | | | | |
| 27.1 | AB Matrix Power Supply PS5 | Loss of Output | None | Rack Status Light Check | Redundant power supply PS6 will hold in the 4 matrix trip relays. | The power supplies available to hold in the 4 trip relays are reduced to a 1/1 configuration. The reactor will scram if the remaining power supply output fails. | |
| 27.2 | | Loss of Input Power Supply (Pnl Y10) | None | See 27.1 | See 27.1 | See 27.1 | |

TABLE A-13 (cont'd)

RPS FMEA REACTOR TRIP MATRIX AND TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 27.3 | AB Matrix Power Supply PS5 | Short Across Output | All 4 matrix trip relays are de-energized and cause relays M1, M2, M3, and M4 to be de-energized and drop out. Power is then removed from the input to all clutch power supplies. | RT Alarm | None | Spurious RT. | |
| 27.4 | | Single Short to Ground on Output Line | None | None | The system has a floating ground. | None | |
| 28.1 | PS5 Isolation Transformer | Loss of Output | None | See 27.1 | See 27.1 | See 27.1 | |
| 28.2 | | Loss of Input Power Supply (Pnl Y10) | None | See 27.1 | See 27.1 | See 27.1 | |
| 28.3 | | Open Output Line or Short Across Output | None | See 27.1 | See 27.1 | See 27.1 | |
| 28.4 | | Single Short to Ground on Output Line | None | Periodic Test | The system has a floating ground. | None | |
| 29.0 | PS5 Fuse | Fail Open | None | See 27.1 | See 27.1 | See 27.1 | |
| 30.1 | AB Matrix Power Supply PS6 | Loss of Output | None | See 27.1 | Redundant power supply PS5 will hold in the 4 matrix trip relays. | See 27.1 | |
| 30.2 | | Loss of Input Power Supply (Pnl Y20) | None | See 27.1 | See 30.1 | See 27.1 | |
| 30.3 | | Short Across Output | See 27.3 | RT Alarm | None | Spurious RT. | |

TABLE A-13 (cont'd)

RPS FMEA REACTOR TRIP MATRIX AND TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 30.4 | AB Matrix Power Supply PS6 | Single Short to Ground on Output Line | None | None | See 27.4 | None | |
| 31.1 | PS6 Isolation Transformer | Loss of Output | None | See 27.1 | See 30.1 | See 27.1 | |
| 31.2 | | Loss of Input Power Supply (Pnl Y20) | None | See 27.1 | See 30.1 | See 27.1 | |
| 31.3 | | Open Output Line or Short Across Output | None | See 27.1 | See 30.1 | See 27.1 | |
| 31.4 | | Single Short to Ground on Output Line | None | None | See 27.4 | None | |
| 32.0 | PS6 Fuse | Fail Open | None | See 27.1 | See 27.1 | See 27.1 | |
| 33.1 | Matrix Logic AB Test Switch | Fail Open | The switch is N.O. and only closed during test of AB logic. During test, the test power supply (PS17) cannot hold in the matrix trip relays. | At the Start of Logic Test, the Trip Relay "Hold" Lights Would Not Illuminate | None | Unable to test trip logic without generating a spurious RT. | |
| 33.2 | | Fail Closed | The AB trip matrix relays are held in when the test power supply is energized. No hold in power can be applied to the trip relays of any other matrix. | When PS17 Is Energized, the Matrix AB Trip Relay "Hold" Lights Are Illuminated | None | See 33.1 | |
| 34.1 | AB2 Matrix Relay Trip Test Switch | Jams or Binds | Cannot continue test of AB matrix. If the switch binds in the off position, power will remain on all holding coils for the trip relays. The AB matrix logic relay may still be tested. If the switch binds in position 1, 2, 3 or 4, the associated trip relay will drop out when the matrix logic relays are tested. See 7.2 for details. | Periodic Test | See 6.2 | See 6.2 | |

TABLE A-13 (cont'd)

RPS FMEA REACTOR TRIP MATRIX AND TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 34.2 | AB2 Matrix Relay Trip Test Switch | Contact Set Fails Open (Position 1, 2, 3, or 4) | The selected trip relay will not drop out when the matrix logic relays are cycled. | Periodic Test | The failure has no effect on the operational RPS equipment. | RPS tests erroneously indicate a trip relay is hung up. | |
| 34.3 | | Contact Set Fails Open (Off Position) | None | Switch Checkout | None required. | None | |
| 35.1 | AB Logic Matrix Trip Test Switch | Jams or Binds in Off Position | Cannot test AB matrix logic relay. | Periodic Test | None | Unable to test AB matrix trip logic relays. | |
| 35.2 | | Jams or Binds in Position 1, 2, ... or N | When in test mode, the relay pair (e.g. A1-1 and B1-1) associated with the switch positions will drop out. | Periodic Test | The tripped relays will be restored to the untripped state when the AB matrix logic test switch is opened. However, when the switch is opened, a race condition will exist which may generate a spurious scram. | See 35.1. Possible spurious scram when the system is taken out of test. | |
| 35.3 | | Fails Open (Position 1, 2, ... or N) | The selected pair of matrix logic relays will not drop out during test. | Periodic Test | The failure has no effect on the operational RPS equipment. | RPS tests erroneously indicate a trip relay is hung up. | |
| 35.4 | | Contact Set Fails Open in Off Position | None | Switch Checkout | None required. | None | |
| 36.0 | AC Trip Matrix Components | All Modes | All six reactor trip matrices (AB, AC, AD, BC, BD, CD) are identical in configuration except for the AC preferred bus interfaces. The FMEA for the AB trip matrix components (items 27 - 35) is applicable for all matrices. | | | | AC trip matrix power supply interfaces are: PS7 - Pnl Y10; PS8 - Pnl Y30 |
| 37.0 | AD Trip Matrix Components | All Modes | See 36.0 | | | | AD trip matrix power supply interfaces are: PS9 - Pnl Y10; PS10 - Pnl Y40 |
| 38.0 | BC Trip Matrix Components | All Modes | See 36.0 | | | | BC trip matrix power supply interfaces are: PS11 - Pnl Y20; PS12 - Pnl Y30 |

TABLE A-13 (cont'd)

RPS FMEA REACTOR TRIP MATRIX AND TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 39.0 | BD Trip Matrix Components | All Modes | See 36.0 | | | | BD trip matrix power supply interfaces are: PS13 - Pnl Y20; PS14 - Pnl Y40 |
| 40.0 | CD Trip Matrix Components | All Modes | See 36.0 | | | | CD trip matrix power supply interfaces are: PS15 - Pnl Y30; PS16 - Pnl Y40 |
| 41.1 | Test Power Supply PS17 | Loss of Output | The power supply is normally de-energized except during test. During test, the matrix trip relays cannot be held in. | During Test, the Trip Relay "Hold" Lights Would Not Illuminate | The power supply is only required for trip logic testing when the plant is in operation. | Unable to test trip logic without generating a spurious RT. | |
| 41.2 | | Loss of Input Power Supply (Pnl Y10) | The effect of the failure is the same as loss of output. See 41.1. | See 41.1 | See 41.1 | See 41.1 | |
| 41.3 | | Open Output Line or Short Across Output | See 41.2 | See 41.1 | See 41.1 | See 41.1 | |
| 41.4 | | Single Short to Ground on Output Line | None | Periodic Test | The system has a floating ground. | None | |
| 42.1 | PS17 Isolation Transformer | Loss of Output | See 41.2 | See 41.1 | See 41.1 | See 41.1 | |
| 42.2 | | Loss of Input Power Supply (Pnl Y10) | See 41.2 | See 41.1 | See 41.1 | See 41.1 | |
| 42.3 | | Open Output Line or Short Across Output | See 41.2 | See 41.1 | See 41.1 | See 41.1 | |
| 42.4 | | Single Short to Ground on Output Line | None | None | The system has a floating ground. | None | |

TABLE A-13 (cont'd)

RPS FMEA REACTOR TRIP MATRIX AND TRAIN

| No. | Name | Failure Mode | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effects on RPS | Remarks and Other Effects |
|---|---|---|---|---|---|---|---|
| 43.0 | PS17 Fuse | Fail Open | The effect of the failure is the same as 41.2. | See 41.1 | See 41.1 | See 41.1 | |


APPENDIX B

REFERENCES


1. WASH-1270, Technical Report on Anticipated Transients Without Scram, Regulatory Staff, U. S. Atomic Energy Commission, September 1973.

2. Topical Report, Anticipated Transients Without Scram, Combustion Engineering, Inc., CENPD-158.

3. Palisades Plant Technical Specifications, Revised February 11, 1975, Section 2.3.

4. Palisades Plant, Final Safety Analysis Report, Consumers Power Company, Section 7.2.3.1.

5. Ibid, Section 7.2.3.6.

6. Personal communication from R. B. Sewell, Nuclear Licensing Administrator, Consumers Power Company, to A. Giambusso, Deputy Director for Reactor Projects, Directorate of Licensing, USAEC, Docket 50-255, November 1, 1974.

7. Palisades Plant Technical Specifications, Revised February 11, 1975, Section 2.2.
