ML19296C294
| Field | Value |
|---|---|
| Site | Farley |
| Issue date | 02/05/1980 |
| From | ALABAMA POWER CO. |
| To | |
| Shared Package | ML19296C289 |
| References | NUDOCS 8002250540 |
| Download | ML19296C294 (18) |
UNDETECTABLE FAILURES IN ENGINEERED SAFETY FEATURES ACTUATION SYSTEM
Initial Report to the NRC: Westinghouse letter (NS-TMA-2150) to Mr. Victor Stello, Jr., dated November 7, 1979 (Report of 10CFR21)
Description of Occurrence:
As a result of their continuing reviews of systems important to safety, Westinghouse identified an undetectable failure which could possibly exist in a circuit associated with Engineered Safeguards and which is required for reactor protection.
Background:
The design function of the circuit is a permissive to provide the operator, depending on plant conditions, the capability to manually reset and block safety injection. A failure analysis, which assumed a failure of the affected circuit in both of the redundant protection trains, was performed by Westinghouse and indicated that the system's ability to automatically initiate the protective function could be lost under certain conditions.
Design:
The P-4 permissive is used as an input to the Engineered Safety Features Actuation System (ESFAS) to indicate the status (open or closed) of the Reactor Trip breakers. The P-4 permissive provides an interlock in the ESFAS to enable or defeat the capability to manually reset and block Safety Injection (SI).
In operation, the initiation of SI instantly trips the reactor and simultaneously starts an electric timer. After a preset time interval, determined by plant specific system analyses, the timer effectively returns system control to the operators for manual reset and block of SI in order to either begin ECCS switchover from the injection phase to the recirculation phase or terminate SI.
The system permits manual reset and block of SI only if the P-4 permissive indicates that the trip breakers are open (i.e., the reactor is tripped).
During normal plant power operation, the P-4 permissive prevents manual actions which could electrically block SI.
Implementation:
The P-4 permissive is derived from a switch contact operated via a mechanical linkage from the reactor trip breaker. When the breakers move (open or closed), the contacts change position. The contacts are hardwired to the ESFAS input logic, which registers the trip breaker position to allow or prevent operator action as described above.
Testing:
During normal plant operation ESFAS logic is required to be periodically tested. On the Farley Nuclear Plant which has a Solid State Protection System, this testing is performed via automatic self test circuits which verify system operability.
In addition, the reactor trip breakers are also periodically tested.
Potential Concern:
Currently, the tests described above do not provide for checking the operation of the P-4 contacts. Therefore, a potential failure of the P-4 contacts would be undetectable.
IEEE 379 requires that, in the case of undetectable failures, either (1) revised test schemes be provided to identify the failures, or the design be revised to eliminate them, or (2) the system failure analysis demonstrate that the safety function can be assured assuming both that the undetectable failures have occurred and that a random single failure has also occurred.
The failure modes of the P-4 contacts are (1) contacts fail to close when the reactor trip breakers open, or (2) contacts fail to open when the breakers are closed. Failure mode (1) could prevent the normal mode of resetting and blocking SI and alter the sequence of switchover operations from injection to recirculation phase.
The consequence of failure mode (2) is that, following a previous initiation of SI and a manual reset and block, the block of SI would remain after the reactor trip breakers were reset and the plant returned to power.
No credit can be taken for illuminated Control Board windows (lamp bulbs) which would alert the operators to the hazard. The regulations, as well as the accident analysis, require automatic protective action. The bulbs and their source (Demultiplexer) are not safety grade.
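A constructed model of the interlock and failure modes described above, showing why failure mode (2) defeats automatic SI at power and why a self-test of the logic alone cannot reveal a stuck contact. This is an added example, not Westinghouse's or Alabama Power's logic; the class names, the collapsed timer, and the assumption that P-4 dropping out is what clears the SI block are assumptions of the example.

```python
# Constructed model of the P-4 permissive interlock and its two contact failure modes (an added
# example, not Westinghouse or Alabama Power logic; the names and collapsed timer are assumed).
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class P4Contact:
    # None = healthy; "open" = mode (1), fails to close when breakers open; "closed" = mode (2)
    stuck: Optional[str] = None
    def indicates_tripped(self, breakers_open: bool) -> bool:
        return self.stuck == "closed" if self.stuck else breakers_open

def reset_permitted(timer_expired: bool, p4: bool) -> bool:
    return timer_expired and p4   # ESFAS logic: reset/block SI only after the timer, with P-4

@dataclass
class Esfas:
    contact: P4Contact = field(default_factory=P4Contact)
    breakers_open: bool = False
    timer_expired: bool = False
    si_blocked: bool = False
    def si_demand(self) -> bool:
        if self.si_blocked:          # a standing block defeats automatic actuation
            return False
        self.breakers_open = True    # SI trips the reactor and starts the timer;
        self.timer_expired = True    # the preset interval is collapsed to one step
        return True
    def manual_reset_and_block(self) -> bool:
        p4 = self.contact.indicates_tripped(self.breakers_open)
        if reset_permitted(self.timer_expired, p4):
            self.si_blocked = True
        return self.si_blocked
    def close_breakers(self) -> None:
        """Return to power; P-4 dropping out is what clears the SI block (assumed)."""
        self.breakers_open = self.timer_expired = False
        if not self.contact.indicates_tripped(self.breakers_open):
            self.si_blocked = False

def scenario(stuck: Optional[str] = None) -> dict:
    """SI event, operator reset/block, return to power, then a second SI demand."""
    e = Esfas(P4Contact(stuck))
    first, blocked = e.si_demand(), e.manual_reset_and_block()
    e.close_breakers()
    return {"first_si": first, "block_accepted": blocked, "si_at_power": e.si_demand()}

def logic_self_test() -> bool:
    """Self-test of the logic alone, as the current tests do: the contact is never exercised."""
    return reset_permitted(True, True) and not (reset_permitted(True, False) or reset_permitted(False, True))

def p4_surveillance(contact: P4Contact) -> bool:
    """Cycle breaker position and confirm the contact follows it, which the current tests lack."""
    return all(contact.indicates_tripped(pos) == pos for pos in (True, False))
```

Running `scenario("closed")` reproduces failure mode (2): the block survives the return to power and the second SI demand is not actuated, while `logic_self_test()` still passes for every contact state and only `p4_surveillance` distinguishes a stuck contact.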
Corrective Action:
Alabama Power Company has incorporated a test sequence that incorporates provisions of the recommended Westinghouse test sequence.
(See Pages 10 and 11 of the Westinghouse letter.) Alabama Power Company's test sequence is listed in Preoperational Procedure 048-5-002, Reactor Protection and Safeguards Logic Preoperational Test. This procedure ensures proper monitoring during preoperational testing.
For a long-term solution, a design change is being processed to provide a P-4 monitoring light (designed, engineered, and placed in the By-pass and Permissive Status Panel). This will permit monitoring of the breaker position.
Conclusion:
If the P-4 permissive had remained uncorrected, it could have adversely affected the safety of operations of the Farley Nuclear Plant-Unit 2 at some time throughout the expected lifetime of the plant.
(a) This deficiency does not represent a breakdown in any portion of the Quality Assurance Program.
(b) This deficiency does constitute a deficiency in final design as approved and released for construction such that the design does not conform to the criteria and bases stated in the Safety Analysis Report or Construction Permit.
(c) This deficiency does not represent a significant deficiency in construction of, or significant damage to, a structure, system, or component.
(d) This does not represent a significant deviation from performance specifications.
Westinghouse Electric Corporation
Water Reactor Divisions
Pittsburgh, Pennsylvania

November 8, 1979
S.O. APR 4705

Mr. O. Batum, Manager
Nuclear Safety & Licensing
Southern Company Services, Inc.
P. O. Box 2525
Birmingham, AL 35202
Dear Mr. Batum:
JOSEPH M. FARLEY NUCLEAR PLANT
Reportable Item - Undetectable Failure in the ESFAS

Attached for your information and use is the Westinghouse letter to the NRC on the reportable item concerning an undetectable failure in the engineered safety features actuation system.
If you have any questions on this subject, please contact us.
Sincerely,

N. L. Vota
Manager
Southern Company Projects
LEE/nab
cc: O. Batum, 1L, 1A
    A. A. Vizzi, 1L, 1A
    F. E. Ehrensperger, 1L, 1A
    F. L. Clayton, 1L, 1A
    F. S. Moore, Jr., 1L, 1A
    W. G. Hairston, 1L, 1A
    B. E. Hunt, 1L, 1A
    H. O. Thrash, 1L, 1A
Westinghouse Electric Corporation
Water Reactor Divisions
Pittsburgh, Pennsylvania

November 7, 1979
NS-TMA-2150

Mr. Victor Stello, Jr.
Director
Office of Inspection and Enforcement
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555
Dear Mr. Stello:

Subject: Undetectable Failure in Engineered Safety Features Actuation System
As a result of our continuing reviews of systems important to safety, Westinghouse has identified an undetectable failure which potentially could exist in a circuit associated with Engineered Safeguards and which is required for reactor protection.
The specific circuit is described in the attachment. The design function of the circuit is a permissive to provide the operator, depending on plant conditions, the capability to manually reset and block Safety Injection.
A failure analysis, which assumed a failure of the affected circuit in both of the redundant protection trains (per IEEE-279), showed that the system's ability to automatically initiate the protective function could be lost under certain conditions.
Despite the low probability of the events necessary to set up the conditions, the WRD Safety Review Committee concluded on November 6, 1979, that the potential loss of the protective function is reportable to the NRC under Title 10CFR Part 21 for operating plants and Title 10CFR50.55(e) for plants under construction.
Detailed information, affected plants and recommended corrective action is contained in the attachment. This information has already been communicated to the utility owners of the affected plants.
Please refer any questions to Mr. D. H. Rawlins, the Manager of Safety Standards in the Westinghouse Nuclear Technology Division.
Very truly yours,

DUPLICATE DOCUMENT
Entire document previously entered into system under:
Attachment No. of pages: