ML19322E311
| Person / Time | |
|---|---|
| Site | Rancho Seco |
| Issue date | 03/12/1980 |
| From | Thatcher D, Office of Nuclear Reactor Regulation |
| To | |
| Shared Package | ML19322E291 |
| References | NUDOCS 8003270157 |
| Download | ML19322E311 (50) |
Text
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
BEFORE THE ATOMIC SAFETY AND LICENSING BOARD

In the Matter of SACRAMENTO MUNICIPAL UTILITY DISTRICT (Rancho Seco Nuclear Generating Station), Docket No. 50-312 (SP)

NRC STAFF TESTIMONY OF DALE F. THATCHER RELATIVE TO THE INTEGRATED CONTROL SYSTEM (Board Question 16)

Q 1. Please state your name and your position with the NRC.

A. My name is Dale F. Thatcher. I am an employee of the U. S. Nuclear Regulatory Commission. I was responsible for the review and evaluation of instrumentation and control systems for Babcock & Wilcox (B&W) operating reactors following the Three Mile Island Unit 2 (TMI-2) incident.

Q 2. Have you prepared a statement of professional qualifications?

A. Yes. A copy of my statement of professional qualifications is attached to the "NRC Staff Testimony of Dale F. Thatcher Relative to Direct Initiation Of Off-Normal Conditions In The Feedwater System" filed in this proceeding. There I also explain the nature of my responsibilities with respect to the Rancho Seco Nuclear Generating Station.

Q 3. What is the purpose of your testimony?

A. The purpose of my testimony is to respond to Board Question 16 which states:

Board Question 16: SMUD, the licensee, has done insufficient analysis of the failure mode and effects analysis of the integrated control system, and therefore, Rancho Seco is unsafe and endangers the health and safety of Petitioners, constituents of Petitioners and the public.
Q 4. Describe the Rancho Seco Integrated Control System (ICS).

A. The ICS includes four subsystems. The four subsystems are the unit load demand control, the integrated master control, the steam generator control, and the reactor control. The system philosophy is that control of the plant is achieved through feed-forward control from the unit load demand control. The unit load demand control produces demands for parallel control of the turbine, reactor, and steam generator feedwater system through respective subsystems. The integrated master control (IMC) is capable of automatic turbine valve control from minimum turbine load to full output. The steam generator control is capable of automatic or manual feedwater control from startup to full output. The reactor control is designed for automatic or manual operation above 15% output and for manual operation below 15%. The basic function of the ICS is matching megawatt generation to unit load demand. The ICS does this by coordinating the steam flow to the turbine with the rate of steam generation. To accomplish this efficiently, the following basic reactor/steam-generator requirements are satisfied:

1. The ratios of feedwater flow and Btu input to the steam generator are balanced as required to obtain the desired steam conditions.
2. Btu input and feedwater flow are controlled:
   a. To compensate for changes in fluid and energy inventory requirements at each load.
   b. To compensate for temporary deviations in feedwater temperature resulting from load change, feedwater heating system upsets, or final steam pressure changes.

Q 5. What function is the Rancho Seco ICS intended to perform?

A. The ICS provides the proper coordination of the reactor, steam generator, feedwater control, and turbine under all operating conditions. Proper coordination consists of producing the best load response to the unit load demand while recognizing the capabilities and limitations of the reactor, steam generator, feedwater system, and turbine. When any single portion of the plant is at an operating limit or a control station is on manual, the ICS design uses the limit or manual station as a load reference. The ICS maintains constant average reactor coolant (RC) temperature between 15 and 100% rated power and constant steam pressure at all loads. Optimum unit performance is maintained by limiting steam pressure variations; by limiting the imbalance between the steam generator, turbine, and the reactor; and by limiting the total unit load demand upon loss of capability of the steam generator feed system, the reactor, or the turbine generator. The ICS provides limiting actions to ensure proper relationships between the generated load, turbine valves, feedwater flow, and reactor power. In performing its functions, the ICS interacts with, i.e., it receives inputs from and provides outputs to, a number of other related plant control systems. For example, in controlling the reactor there is interaction with the control rod drive system, in controlling feedwater there is interaction with the feedwater pump control and the feedwater valve control, and in controlling the turbine there is interaction with the turbine electro-hydraulic control (EHC) system and the main steam valves such as atmospheric dump valves and turbine bypass valves.
In some operating B&W plants, including TMI-2 and Rancho Seco, the ICS also controls auxiliary (emergency) feedwater flow during loss of main feedwater or loss of all reactor coolant pumps via control valves responding to steam generator level signals.

Q 6. With specific reference to the TMI-2 incident, does the ICS pose a safety concern in the view of the NRC Staff with regard to its function to automatically regulate auxiliary feedwater flow?

A. At the time of the TMI-2 event, a specific safety concern was expressed with regard to the reliance on the ICS to regulate auxiliary feedwater flow for loss of main feedwater.

Q 7. What was the nature of that concern?

A. There was concern that the ICS could fail or malfunction in some manner to prevent the supply of emergency feedwater when required. Subsequent investigation suggests that the ICS at TMI-2 did perform its intended function.

Q 8. Have any steps been taken at the Rancho Seco facility to deal with the ICS concerns relative to auxiliary feedwater flow raised by the TMI-2 incident? If so, indicate what steps have been taken.

A. As a result of the Commission Order of May 7, 1979, the Rancho Seco plant was to develop and implement operating procedures for initiating and controlling auxiliary feedwater independent of ICS control. In the NRC Staff "Evaluation of Licensee's Compliance with the NRC Order dated May 7, 1979," Docket No. 50-312, dated June 27, 1979, page 13, we concluded that the Rancho Seco plant could initiate and control auxiliary feedwater independent of ICS including starting the pumps and controlling the AFW bypass valves. Based on the measures taken at Rancho Seco to initiate and control auxiliary feedwater independent of the ICS, the Staff concluded that continued operation of Rancho Seco was acceptable.

Q 9. Will any future steps be taken at Rancho Seco facility relative to the ICS and its function to control auxiliary feedwater flow? If so, please identify what those actions will be and the time frame within which they will be completed.

A. Yes. In a letter dated October 18, 1979, J. J. Mattimoe to D. Eisenhut, the licensee committed to install a safety grade auxiliary feedwater control system independent of the ICS. The licensee has committed to implement these requirements during the 1981 refueling outage. This would completely remove the initiation and control of the auxiliary feedwater system from ICS. In addition, the system would meet requirements equivalent to those outlined in response to Question 10 of "NRC Staff Testimony of Dale F. Thatcher Relative to Direct Initiation of Reactor Trip Upon The Occurrence of Off-Normal Conditions In The Feedwater System".

Q 10. For each step identified in response to Question 9 above, indicate why the Rancho Seco facility may continue to operate in the interim prior to complete implementation of the action to be taken.

A. The implementation of the safety grade requirements will help ensure a highly reliable automatic initiation and control of auxiliary feedwater in the long term. However, in the interim, the procedures in place at Rancho Seco provide a fully independent method to initiate and control AFW should the ICS fail. See: "Evaluation of Licensee's Compliance with the NRC Order dated May 7, 1979," pp. 12-13 (June 27, 1979). This coupled with the improvements in overall reliability of the Rancho Seco auxiliary feedwater system (See: Testimony of Phil Matthews in Response to Board Question CEC 1-6) provides assurance that the Rancho Seco auxiliary feedwater system will perform its function as required.

Q 11. With specific reference to the TMI-2 incident, does the ICS pose a safety concern in addition to that related to auxiliary feedwater flow?

A. A general safety concern was expressed with regard to the complex role of the ICS in overall plant control, and whether or not it performs this function satisfactorily. In order to determine the potential contribution of the ICS in plant upsets, the staff concluded that further investigation was needed.

Q 12. What further investigations are presently in progress?

A. The NRC Staff believed that a failure mode and effects analysis of the ICS would provide a more comprehensive understanding of this control system and provide necessary guidance for determining the need for further requirements with respect to the ICS. The licensee committed to submit a failure mode and effects analysis (FMEA) of the Integrated Control System to the NRC Staff as soon as practicable. The Commission Order of May 7, 1979 confirmed that this would be carried out in the long term. A failure mode and effects analysis is a systematic procedure for identifying the modes of failure of a system and for evaluating their consequences. A FMEA is considered (as stated in IEEE 352-1975, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protective Systems") to be the first general step of a reliability analysis. It can potentially provide some early useful information and provide a basis for later studies and/or analyses. Typically a FMEA has been utilized as a tool to help systematically evaluate plant safety systems (such as the reactor protection and engineered safety features actuation system) to determine if a single failure can prevent the system safety function. It is a requirement that for plant safety systems no single failure shall prevent the system safety function. Plant control systems such as the integrated control system (ICS) have typically not been required to meet this single failure criterion. However, for any system, including a control system, a FMEA can be used to identify failure modes which could lead to undesirable consequences.

B&W has performed an FMEA on the integrated control system (ICS) as part of its reliability analysis of the ICS. The other part of the reliability analysis is a review of the ICS "Operating Experience". The FMEA and Operating Experience are documented in B&W Report BAW-1564, "Integrated Control System Reliability Analysis". Based on the overall reliability analysis, the report makes recommendations to be evaluated on a plant-specific basis. The recommendations highlight areas in which B&W believes improvements could potentially contribute to improved overall operation of the facility. The majority of the recommendations involved areas outside the ICS itself, and were not specific in nature because of the design differences which exist in these areas at the different plants. Therefore, based on the recommendations, the NRC Staff requested (by letter dated November 7, 1979) that all B&W licensees evaluate the report's recommendations and include followup action plans. We are presently evaluating the responses. In addition, Oak Ridge National Laboratory (ORNL) has reviewed the B&W report for the NRC Staff and reported its results in a Report Review, "Integrated Control System Reliability Analysis," transmitted to the Staff on January 21, 1980. A copy of the ORNL report is attached to this testimony.
In addition, the NRC has one study underway entitled "Integrated Reliability Evaluation Program (IREP)." Although this program is still being developed, it does have as one of its objectives to identify the risk significance of the close-coupling of primary and secondary coolant systems and of the system interactions originating in the Integrated Control System at B&W reactor plants. The results of this program may give some indication of the relative significance of the Integrated Control System in the overall risk from operation of B&W plants and, as a result, help determine the need for further study.

Q 13. What are the Staff conclusions in this area?

A. The Staff concluded that each plant needed to evaluate (as requested) its specific design with respect to the potential for improvement as summarized in the report by B&W. From the ORNL Review, it appears that although the ICS and related control systems contain areas which can potentially be improved, the ICS itself has proven to have a low failure rate and it does not appear to precipitate a significant number of plant upsets. Specifically, the examination of the failure statistics revealed that only a small number of ICS malfunctions resulted in reactor trip (approximately 6 of 162). From this data, ORNL concludes that the system is failure tolerant to a significant degree. In addition, ORNL has suggested areas for further study. We are in the process of reviewing the ORNL final report and will determine any further action to be required by the licensee.

Q 14. Based on the Staff's review, are any further steps contemplated for the Rancho Seco facility relative to the ICS?

A. The Staff's preliminary evaluation of the licensee's response (dated January 21, 1980, J. J. Mattimoe to R. Reid) to our November 7, 1979 request indicates that the licensee is implementing modifications or is in the process of evaluating modifications related to the recommendations of the B&W report (BAW-1564). The licensee is implementing a power supply modification related to the recommendation of the B&W report. This modification is intended to increase power supply reliability and is to be completed during the January 1980 outage. Other recommendations are being evaluated by the licensee, but at this time, no specific actions have been defined. The Staff is continuing to study and review this area as I indicated in my response to Question 13 above. However, the Staff has made no further specific recommendations in this area at this time.

Q 15. Explain why continued operation of the Rancho Seco facility is permissible prior to completion of the studies which the Staff has underway.

A. The bases for continued operation prior to the completion of all studies and/or analyses are that, although there are areas which could potentially be improved, the present ICS has proven to have a low failure rate and does not initiate a significant number of plant upsets. In addition, ORNL has concluded that the analysis (BAW-1564) shows that anticipated failures of and within the ICS are adequately mitigated by the plant safety systems, and that many potential failures would be mitigated by cross checking features of the control system without challenging the plant safety systems.
DALE F. THATCHER
PROFESSIONAL QUALIFICATIONS
INSTRUMENTATION & CONTROL SYSTEMS BRANCH
DIVISION OF SYSTEMS SAFETY

I am a Senior Reactor Engineer in the Instrumentation and Control Systems Branch, Division of Systems Safety, Nuclear Regulatory Commission. From May to December 1979, I was assigned to the Bulletins and Orders Task Force as a technical reviewer in the area of instrumentation and control. Just prior to this assignment I was a member of the NRR team which aided in the Three Mile Island Recovery Operation. In the ICSB, my primary responsibility is to perform technical reviews of the design, fabrication, and operation of instrumentation and control systems for nuclear power plants. This review encompasses evaluation of applicant's safety analysis reports, generic reports and other related information on the instrumentation and control designs.

I graduated from Lehigh University with a Bachelor of Science Degree in Electrical Engineering in June 1971. From my graduation in June 1971 until my employment at the Commission, I was an Instrumentation Engineer with Gilbert Associates, Inc., an Architect-Engineering company located in Reading, Pennsylvania. My responsibilities included the design and evaluation of various instrumentation and control systems including primarily the areas of reactor protection systems and other safety systems for various domestic nuclear power plants.

I joined the Regulatory staff of the Atomic Energy Commission in March 1974 as a Reactor Engineer. Since then, I have participated in the review of instrumentation, control and electrical systems of numerous nuclear power stations and standard plant designs. In addition, I have participated in the formulation of related standards and regulatory guides.

I am a member of the Institute of Electrical and Electronics Engineers (IEEE) and have participated in the development of IEEE Standard 379-1977, "IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems" and other proposed standards.
INSTRUMENTATION AND CONTROLS DIVISION

Report Review: Integrated Control System Reliability Analysis*

Review by J. L. Anderson, S. J. Ditto, R. S. Stone, Oak Ridge National Laboratory, Oak Ridge, Tennessee 37830, and R. A. Hedrick, A. F. McBride, J. R. Penland, Science Applications, Inc.**

Research sponsored by the Division of Systems Safety, U. S. Nuclear Regulatory Commission under Interagency Agreement No. 40-544-75 with the U. S. Department of Energy under contract W-7405-eng-26 with the Union Carbide Corporation.

*By R. L. Dungan, L. L. Joyner, G. P. Bennett, and C. W. Tally, Babcock & Wilcox, BAW-1564 (August 1979).

**Under Subcontract No. 62B13819C with the Union Carbide Corporation.
1. INTRODUCTION

The Instrumentation and Controls Division of the Oak Ridge National Laboratory (ORNL) was requested by the U. S. Nuclear Regulatory Commission (NRC) to review a report entitled Integrated Control System Reliability Analysis, by the Babcock and Wilcox Company (B&W).[1] In this document (hereinafter referred to as the "B&W analysis") B&W states their analysis of the effects of postulated failures in the B&W integrated control system (ICS) on the operation of the nuclear steam system (NSS). The object of the review by ORNL was to determine the adequacy of the B&W analysis. The B&W analysis had been submitted in response to shutdown orders from the NRC to all B&W-designed plants (hereinafter referred to as the "NRC orders").[2] The "Executive Summary" of the NRC orders directed the B&W control system analysis to address the following NRC concerns: "Plant design features unique to the B&W plants (e.g., OTSG and ICS) should be evaluated with regard to interactions in coping with transients. The mitigating systems (e.g., HPI) should also be included in the study." The NRC also directed analysis of other specific concerns in Sect. 8.2.3 of the NRC orders, which are rephrased as follows:

(a) The role of control systems (in this case the ICS) and their significance to safety.
(b) The rate at which transients initiated by control failures challenge the plant safety systems.
(c) The rate at which transients initiated outside the control system are not successfully mitigated by the control system.
(d) Identification of realistic plant interactions resulting from failure in nonsafety systems, safety systems, and operator actions. (Failure modes and effects analysis is indicated.)

[1] R. L. Dungan, L. L. Joyner, G. P. Bennett, and C. W. Tally, Integrated Control System Reliability Analysis, Babcock & Wilcox, BAW-1564 (August 1979).
[2] Staff Report on the Generic Assessment of Feedwater Transients in Pressurized Water Reactors Designed by the Babcock & Wilcox Company, U. S. Nuclear Regulatory Commission, NUREG-0560 (May 1979).
Finally, additional concerns were expressed in Appendix Y of the NRC orders, and pertinent excerpts are paraphrased as follows: The NRC staff has ascertained that B&W-designed reactors appear to be unusually sensitive to certain off-normal transient conditions originating in the secondary system. The features of the B&W design that contribute to this sensitivity are: (1) the design of the steam generators to operate with relatively small liquid volumes in the secondary side; (2) the lack of direct initiation of reactor trip upon the occurrence of off-normal conditions in the feedwater system; (3) the reliance on an integrated control system (ICS) to automatically regulate feedwater flow; (4) the actuation before a reactor trip of a pilot-operated relief valve on the primary system pressurizer (which, if the valve were to stick open, could aggravate the event); and (5) the low steam generator elevation relative to the reactor vessel, which provides a smaller driving head for natural circulation. Because of these features, B&W-designed reactors depend greatly on the reliability and performance characteristics of the auxiliary feedwater system, the ICS, and the emergency core cooling system (ECCS) to recover from frequent, anticipated transients, such as loss of offsite power and loss of normal feedwater. This, in turn, places a large burden on the plant operators to cope with off-normal system behavior during such anticipated transients. The administrative action required of B&W by the NRC was that "the licensee will submit a failure mode and effects analysis of the ICS to the NRC staff as soon as practicable."

2. GENERAL FINDINGS OF ORNL REVIEW

The B&W analysis[1] submitted in response to the NRC orders deals only narrowly with the ICS itself and not at all with the plant systems it controls and with which it interacts.
With note of the concerns expressed and the guidance given in the NRC orders, the B&W analysis is more notable for what it does not include than for what it does include. With reference to the "Executive Summary" of the NRC orders, the B&W analysis does not deal with interactions or with transients, except those that might be initiated by limited signal or component failures (one at a time) within the ICS. Neither does the report deal with mitigating systems such as HPI, as suggested. In fact, consideration of all events is concluded with reactor trip; interactions with ECCS are not mentioned, even though to some extent the ICS (auxiliary feedwater) is a part of the ECCS.

The significance of the ICS to safety (item a) is not addressed. The rate at which transients initiated by control failure challenge the plant safety systems (item b) is dealt with only to a limited extent. Only control failures within the ICS cabinets are considered, and then only to reactor trip. No significant control, instrument, or power failures external to the ICS cabinets are considered, even though several such failures have occurred in operating plants. Transients initiated outside the control system (item c), whether or not successfully mitigated by the ICS, are not addressed, except in tabulations of operating experience. Identification of interactions (item d) resulting from failures in safety or nonsafety systems or operator actions is notably absent. Also notably absent is any consideration of the sensitivity of the B&W plant design to feedwater transients, to performance, either normal or abnormal, of the ICS, or to reliance on the pilot-operated relief valve for successful maneuvering.

In summary, the report deals only with a very limited scope of failures, essentially within the ICS cabinets; the only significant measure of response is whether a reactor trip would occur. Because of this limited scope, the results are necessarily of limited value. The following ORNL review takes into account this limited scope and attempts to evaluate the analysis presented and, also, to suggest additional work which might be needed.

3. THE ORNL REVIEW PLAN

The ORNL review plan was that first we would identify the concerns and need for a B&W analysis of the ICS. Then, from that statement of need, we would establish specific objectives for the B&W analysis report. From the statement of objectives, the B&W analysis would be evaluated relative to their methodology by which the objectives were to be achieved and to the adequacy of their implementation of the methodology. This basic plan resulted in two classes of comments concerning the B&W analysis: "Methodology" and "Implementation." Based on these two sets of comments, major concerns were identified and evaluated, from which the adequacy of the B&W reliability analysis of the ICS was assessed.
Finally, from NRC areas of concern and from the ORNL evaluation of the B&W analysis, we derived a set of recommended actions that would lead to an achievement of the original study objectives desired by the NRC. Several questions were submitted to B&W to obtain clarification and expansion of some concerns expressed in our preliminary review of the analysis. These questions and the B&W responses are included as Appendix A.

Because of the once-through steam generator, the B&W NSS responds rapidly to secondary system perturbations. (This sensitivity was a key consideration in the analysis of the Three Mile Island accident.) In any evaluation of potential or real abnormal events, evaluation of the ICS is a principal requirement because of its influence on the course of the events. The task of evaluation of the ICS is made complicated by the following engineering considerations:

1. The complexity of the ICS due to its feed-forward approach as augmented by feedback fine tuning.
2. The complexity of the plant response to control actions.
3. The sensitivity of the plant and a definition of what constitutes failure of the ICS (e.g., instrument drift not normally associated with failure might be sufficient to initiate an ICS-induced transient).

An understanding of the sensitivity of the B&W NSS response to ICS actions enables identification of the following objectives for analysis of the B&W control system:

1. Estimate the probability that an ICS failure can initiate an accident. This estimation must be based on an objective evaluation of the system.
2. Identify design deficiencies.
3. Identify design features that influence the probability of accident initiation.
4. Evaluate the capability of the ICS to respond properly to probable events, and estimate the impact of adverse actions of the ICS.

In the following sections, we discuss the methodology selected to meet the preceding objectives (Sect. 4), discuss and evaluate the implementation of the selected methodology to evaluate the B&W ICS (Sect. 5), and recommend further work to address the role of control systems in the safety of nuclear power plants (Sect. 6).

4. METHODOLOGY SELECTION

The methodology selected for the reliability evaluation of the ICS consisted of three parts: failure modes and effects analysis (FMEA), systems simulation, and operating data collection and analysis. In concept, the FMEA is used as a predictive tool to estimate which failures within and without the ICS can lead to plant transients. A simulation model is used to study in more detail the effect of postulated failures identified by the FMEA. Finally, from collection and analysis of operating data, information is obtained for comparison of what has occurred with what has been predicted. From such comparisons, the validity of overall conclusions may be determined.
The following paragraphs identify and discuss the bases for concerns with the methodology selected.

4.1 Scope of Analysis

As part of the ongoing evaluation by the NRC staff, the initial concerns with the ICS were broadened into a more general concern about control systems and the interaction of safety and nonsafety systems as mentioned in the introduction of this review. The broader concerns were not considered explicitly in the ICS study. Our review attempts to answer several questions. First, does the B&W analysis present a fair and complete representation of the ICS? Second, do the failures selected for analysis and the results stated provide the insight to allow valid conclusions to be drawn? Third, can this type of study, based on failures within or at the boundaries of the ICS, adequately evaluate the potential impact of the ICS on the safety of the plant? Fourth, if the answer to the previous question is "no," what other information is necessary?

We believe that the usefulness of the B&W analysis is limited because the ICS is bounded so narrowly. A control system, particularly one claimed as "integrated," should include sensing, signal conditioning, and actuating equipment and perhaps power supplies, if not primary power sources. The system being controlled includes a number of process loops that are highly interactive and which must often operate within rather narrow individual constraints. The B&W analysis does not address these interactions. The failures selected by B&W for analysis are based on failures of functional blocks. Although it is recognized that functions can fail because of equipment failures, it is not clear that there are no undisclosed couplings or interactions of blocks. An example of common elements that may involve multiple blocks is the arrangement of power supplies and their protective features (fuses, breakers, etc.). Additionally, the B&W analysis is seldom carried beyond reactor trip, if that occurs.

While it is of interest to know that a failure causes a trip, it is also of interest to know whether a trip is actually needed and whether the trip lays all problems to rest. To some extent, the B&W analysis discusses the effect of operator posttrip action, but many of the scenarios end with the trip. Although the ICS controls the operation of equipment that is important during posttrip situations, the B&W analysis does not pursue this necessary consideration. For example, it is suspected that some possible failure modes of the ICS could inhibit initiation of auxiliary feedwater (AFW). Also some failures in the ICS possibly could initiate a loss of feedwater and also could inhibit auxiliary feedwater via the flow control valves. These possibilities are not addressed, presumably because they are plant specific.
7 Hessures are underway to make initiatica and control of AW independent and safety grade. l Inasmuch as the ICS participates so directly in the coordination of the generation, transport, and removal of heat, it influences the behavior of the whole plant, even to the extent that it could magnify anomalous behavior that originates outside itself. Malfunctioning valves have required manual intervention for operation during startup, probably because the automatic systems (ICS) could not cope. It would not be impossible for peculiar equipment interactions or operating conditions to place the ICS at such a disadvantage that it would respond, although as designed, in an undesirable way. A basic question, from a safety viewpoint, is the following: Can the ICS cause the plant to misbehave in a credible way so that the protec-tion system (and ESF's) cannot adequately handle it? Hopefully the answer is no, but a corollary question might also be asked: Does the ICS increase or decrease the rate at which the protective features are being called upon to cope with real hazards? These questions are not unique to the ICS. They are concerns to be ddressed in an analysis of any control system; however, they cannot be anwered meaningfully by consideration of only a relatively small portion or the entire control structure, such as the ICS as limited in the BW analysis report. It is clear that the BW andlysis.vas an attempt to respond to loosely defined concerns on a short time schedule. It describes some problems that can arise,' but falls short as an in-depth evaluation. The supple-mentary operating statistics indicate that the control system is of reason-able reliability, but they also give a somewhat hazy image of a system that has some performance deficiencies. It does not appear to be an unworkable system, but it falls short of being.a strong influence for safety. The"broade. concerns are summarized as f'ollows: 1. Other control systems. 
These include other automatic control systems such as the nonnuclear instrumentation (NNI) makeup flow and PORV controls and turbine-generator controls. Failures within these control systems can affect the performance of the ICS and other key systems simultaneously. Of particular concern, for instance, is the postulated failure of power supplies in the NNI. In addition to automatic controls, the plant operator is himself part of a control loop between the NNI indications and the controlled components.

2. Controlled components. As identified by the historical data, plant trips are caused more by failures of controlled components than by failures of automatic control systems. As previously identified, interactions among control systems (including human operators) and controlled components may result in a transient, even though no specific equipment has failed.
3. Control system inputs. The ICS analysis considered single "high" or "low" ICS inputs. Failure of sensor signals to other control systems, including human operators, should be studied in detail. Such failures are of particular concern, since they may have a simultaneous adverse effect on ICS performance and/or the performance of other critical systems. The study should include multiple failures due to common causes (e.g., power supplies) or undetected failures. Failures of input signals at midscale should be studied because they may remain undetected and thus contribute to multiple component failures.

4.2 Multiple Failures

The FMEA is a qualitative reliability engineering technique for evaluation of the effects on system operation of single, postulated failures within the system or within subsystems interconnected to the principal system. The FMEA starts with contributing events and traces them upward through the system hierarchy to determine the overall effects. The FMEA is suited to the performance of single-failure analyses; it is not a convenient technique for addressing multiple-failure situations. This inability to address multiple failures in the B&W ICS may be significant since, as acknowledged by B&W, failures may occur in the ICS without being annunciated, such as those of signal limiters and auctioneers. A failed auctioneer, for instance, might have no effect on ICS performance until called upon to implement a cross limit initiated by another ICS failure. Since sufficient evidence to the contrary does not exist, multiple-failure-induced transients may have a significant probability. An alternative or augmenting technique is fault tree analysis, since fault trees are suited to handling multiple failure situations. The ICS reliability study identified major events in which the ICS could participate:
loss of main feedwater, steam generator overfill, secondary depressurization through turbine bypass or atmospheric dump valves, and, possibly, combinations of these events due to instrument power failure. It may be advisable to analyze fault trees on these major events, tracing through the system "top down" to identify the faults that could induce the specific event. This analysis would identify sets of multiple failures and estimates of their probability. Specifically, an interesting fault tree might be developed for a "top" event of loss of feedwater, using the equipment block diagram rather than the functional block diagram used in the B&W analysis. (Section 5.1.1 states the reasons for using an equipment diagram.) From the results of this analysis, one might judge whether it would be worthwhile to develop fault trees for other major events.
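As an added illustration of the top-down technique recommended above (example code written for this page; it is not part of the ORNL review or of the B&W analysis), the following Python sketch evaluates a small constructed fault tree for a "loss of main feedwater" top event. The component names, the tree structure, and the per-demand failure probabilities are hypothetical placeholders chosen to show the mechanics and are not taken from any plant or from the report. The block derives the minimal cut sets, which are the sets of multiple failures the text says a fault tree would identify, computes the top-event probability exactly and by the rare-event approximation, and contrasts both with a naive bottom-up, gate-by-gate evaluation that treats each appearance of a shared NNI power supply as an independent event, which is the common-cause situation the review singles out.

```python
from itertools import product
from math import prod

# Constructed, hypothetical fault tree for a "loss of main feedwater" top event.
# A node is either a basic-event name (str) or a gate tuple ("AND"|"OR", [children]).
# The NNI power supply feeds both steam-generator startup-valve actuators, so the
# same basic event appears under both branches of the AND gate (a common cause).
# All names and numbers below are placeholders for illustration only.
LOSS_OF_FEEDWATER = ("OR", [
    "fw_pump_turbine_fault",
    ("AND", [
        ("OR", ["sg_a_actuator_fault", "nni_power_supply_loss"]),
        ("OR", ["sg_b_actuator_fault", "nni_power_supply_loss"]),
    ]),
])

# Hypothetical per-demand failure probabilities for the basic events.
FAILURE_PROBS = {
    "fw_pump_turbine_fault": 0.002,
    "sg_a_actuator_fault": 0.01,
    "sg_b_actuator_fault": 0.01,
    "nni_power_supply_loss": 0.005,
}


def basic_events(node):
    """Return the set of basic-event names appearing anywhere in the tree."""
    if isinstance(node, str):
        return {node}
    _, children = node
    return set().union(*(basic_events(c) for c in children))


def minimal_cut_sets(node):
    """Top-down expansion of the tree into minimal cut sets.

    A cut set is a set of basic events whose joint occurrence causes the top
    event; a minimal one has no proper subset that is also a cut set.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        # Any child's cut set is a cut set of the OR gate.
        candidates = set().union(*child_sets)
    elif gate == "AND":
        # Every combination of one cut set per child is a cut set of the AND gate.
        candidates = {frozenset()}
        for cs in child_sets:
            candidates = {a | b for a in candidates for b in cs}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Drop any candidate that strictly contains another candidate.
    return {s for s in candidates if not any(t < s for t in candidates)}


def evaluate(node, state):
    """True if the top event occurs for a given dict of basic-event outcomes."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    results = [evaluate(c, state) for c in children]
    return any(results) if gate == "OR" else all(results)


def exact_top_probability(node, probs):
    """Exact P(top event) by enumerating every outcome of the basic events.

    A shared event is counted once, so common-cause dependence is handled
    correctly; enumeration is only feasible for small trees like this one.
    """
    events = sorted(basic_events(node))
    total = 0.0
    for outcome in product([False, True], repeat=len(events)):
        state = dict(zip(events, outcome))
        if evaluate(node, state):
            total += prod(probs[e] if failed else 1.0 - probs[e]
                          for e, failed in state.items())
    return total


def rare_event_probability(cut_sets, probs):
    """Rare-event approximation: sum over minimal cut sets of the product of
    their basic-event probabilities (a slight overestimate when probabilities
    are small)."""
    return sum(prod(probs[e] for e in cs) for cs in cut_sets)


def naive_bottom_up_probability(node, probs):
    """Bottom-up gate-by-gate evaluation that assumes every child is independent.

    Because the shared power supply is treated as two separate events, the
    common-cause single failure is missed and the top event is understated.
    """
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    p = [naive_bottom_up_probability(c, probs) for c in children]
    return prod(p) if gate == "AND" else 1.0 - prod(1.0 - x for x in p)


if __name__ == "__main__":
    cuts = minimal_cut_sets(LOSS_OF_FEEDWATER)
    for cs in sorted(cuts, key=lambda s: (len(s), sorted(s))):
        print("minimal cut set:", sorted(cs))
    print("exact      :", exact_top_probability(LOSS_OF_FEEDWATER, FAILURE_PROBS))
    print("rare-event :", rare_event_probability(cuts, FAILURE_PROBS))
    print("naive      :", naive_bottom_up_probability(LOSS_OF_FEEDWATER, FAILURE_PROBS))
```

Run stand-alone, the block lists three minimal cut sets; the one-element set containing the shared power supply is the single failure that defeats the two-train AND gate and that a per-block, single-failure view does not surface. The naive bottom-up figure comes out roughly a third of the exact value for these constructed numbers, which is the kind of gap the review has in mind when it asks for an equipment-based fault tree rather than a functional-block FMEA.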
4.3 Participation in Feedwater Oscillations

The methodology that was selected cannot evaluate the possible involvement of the ICS with FW oscillation. At least two regimes of oscillation have been identified: one in the power range from 15 to 20%, with a period of 3 to 90 s, and a second at ~0.3 Hz, which occurs during operation up to 70% of full power in some plants. The ICS does participate in these two regimes, and it is possible that its effect could cause the plant to trip. Further, the ability of the plant systems, including the ICS, to withstand such perturbations has not been determined. It is not clear that the effect of such oscillations has been included in the plant duty cycle. Because much is unknown concerning the dynamic response and stability of the plant control system (a broader definition of the ICS), we believe that a dynamic performance analysis should be made to better understand the dynamic characteristics, including system oscillation. Some topics suggested for study are as follows:

1. The dynamic response of FW pump control is generally slower than that of FW valves. Will transition from valve to pump control of FW cause stability problems?
2. Do the pressurizer controls attempt to mitigate or to amplify pressure oscillations? How are the pressurizer and the ICS interdependent with regard to stability?
3. Are oscillations caused or mitigated by the ICS?
4. What conditions could lead to plant instability?

4.4 System Simulation

The objective of system simulation is to evaluate the effect of postulated failures upon the NSS. This is, in concept, an excellent technique, inasmuch as evaluation using an operating plant would be prohibitively expensive and possibly dangerous. Likewise, an intuitive estimation of the effect of postulated failures on the system would be inadequate because the system response to inputs from the ICS is too complex for such a simplified technique.
Thus, system simulation is an appropriate technique, with a caveat that any simulation is limited in its ability to predict system response. The strengths and weaknesses of the simulation technique chosen, POWER TRAIN IV (PT-IV), are addressed in Sect. 5.2.
5. EVALUATION OF IMPLEMENTATION OF METHODOLOGY

In this section we presume that the B&W method described in BAW-1564 is adequate for evaluation of the ICS. The results reported below evaluate the manner in which the methodology is applied to the ICS. The results of this evaluation are described in the three sections corresponding to the FMEA, POWER TRAIN simulation, and operating data.

5.1 Failure Modes and Effects Analysis

5.1.1 Functional versus hardware basis

An FMEA can be performed on either a functional flow block diagram of the ICS or an equipment block diagram. The two are not necessarily the same, and results based on the functional flow block diagram may be misleading relative to the actual configuration of hardware. For maximum utilization of an FMEA for a real system, the FMEA should be performed on an equipment block diagram. The functional flow FMEA provides little, if any, basis for even a judgmental estimation of failure probability. This is exemplified in Table 4-5 of the B&W analysis,[1] where almost all functional failures of the ICS result in a trip. However, as implemented in ICS hardware, the functions have cross limits that can prevent trip conditions. Thus, the analysis, as presented, does not reflect beneficial features of the ICS. Specifically, fault tolerance of the system cannot be evaluated, although plant data suggest that the ICS has a considerable degree of fault tolerance. The B&W Table 4-5 shows only one of the 39 functional blocks whose failure does not produce a trip. However, operating data show that only 6 of the 47 actual ICS equipment failures resulted in a trip. Unless portions of an FMEA on the equipment block diagram can be performed, the impact of using the functional rather than the equipment diagram cannot be evaluated completely. As noted in Sect. 4.2, a fault tree using the equipment block diagram would have been a better method of analysis.
5.1.2 Off-normal conditions

The serious safety problems experienced in operating reactors have, in general, involved multiple failures, or sometimes a single failure compounded by operator error. Without deserting the probability-justified single-failure criterion, it would be instructive to examine the consequences of single hardware failures occurring during operation with less than a full complement of coolant pumps or with certain control functions
in the manual mode. These are allowed conditions of operation; their occurrence is not uncommon. Under the same probability guidelines that mandate investigation of ATWS situations, it is not unreasonable to examine the consequences of single ICS failures during off-normal conditions of plant operation.

Where control failures are postulated under conditions of degraded heat removal capabilities, a scram may not always be the final action to be considered. If reactor cooling must be followed from full power down to the shutdown mode, PT-IV does not appear to have a dynamic range to follow the decreasing power nor the command of nonlinear effects to deal with the interim transient. Additional investigation of ICS component failures under off-normal conditions would be desirable, particularly where operation is on two pumps and such ICS failures occur as a "close valve" malfunction in one steam generator's startup control valve actuator. In addition, it would be desirable to follow postscram heat removal with a blowdown-competent code, at least for a few extreme cases, in order to demonstrate the medium-term consequences of the event and the adequacy of the PT-IV predictions.

The B&W analysis asserts that ICS actions have averted more trips than they have caused. Although this assertion is not pertinent and is probably true, the data presented do not substantiate the assertion.

5.1.3 Power supplies

The evaluation of power supply failures was limited. Although a loss of input power was listed as a failure, the effects of the failure were not evaluated. Failures of power conditioning equipment internal to the ICS were not considered except for their potential contribution to "high" or "low" failures or to single internal ICS functions and to single ICS output signals.
The B&W report[1] states that power supply failures could not be considered in greater detail because plant-to-plant design variations were too great, the failure modes and effects were too complex, and the time allocated for the study was too brief to permit such an analysis. In the B&W analysis, power supplies are listed as a subject for additional study.

5.1.4 Effect of postulated failures

From the limited B&W evaluation of postulated failures, it is difficult to assess the need for further evaluation or for potential design modifications. As an example, the FMEA describes the effect of steam generator overfill as "... overcooling of the primary, and possible loss of pressurizer inventory and/or level indication."* However, in the summary of an NRC-B&W Operating Plant Licensees Meeting, the effects of the same transient were described as follows: "The resultant carry-over of liquid into the main steam lines could lead to equipment damage to both the main turbine and any auxiliary turbines (i.e., AFW pump turbines) being supplied steam from the main steam system. In addition, the carry-over could lead to excessive waterhammer. It is also possible that the weight of the water in the steam lines could cause excessive stresses on the piping system and pipe supports."[3] Regardless of how appropriate either description is, the latter description would place a greater emphasis on the potential need for remedial action.

*Ref. 1, p. 4-33.

5.2 System Simulation

A more accurate assessment of the response of a plant to ICS failures, we believe, could be achieved by simulating a failure with sufficient equipment that would be capable of following the transient resulting from the simulated failure. The equipment needed would be modules capable of responding to simulated failures of the NSS, ICS, and BOP over a wide range of parameters. Although no such global simulation capability exists, simulators that can encompass some combination of the three systems over a limited range of the parameters of interest are available. POWER TRAIN IV (PT-IV) was chosen as the simulator and was adapted to the lower loop, once-through steam generator configuration. It has all three systems, NSS, ICS, and BOP, modeled, but its thermodynamic, fluid mechanic, heat transfer, and core power applicability ranges are restricted. Since evaluation of the ICS deals with failures that result in large changes in process parameters, e.g., steam generator dryout or flooding, the ability of PT-IV to adequately follow the resulting transients is suspect. For example, many of the undercooling transients are stated to cause a probable overpressure reactor trip; however, due to the changing core inlet temperature, DNBR trips may be more likely.
Since the parameter that guides the system directly relates to ICS action, pressure and temperature, individually, will result in different plant transients and effects on the NSS even though both may cause trip. The impact of the limitations of the PT-IV simulation on the overall results is not fully understood; however, the need for using engineering judgment relating to the PT-IV results has been indicated.

Although we would prefer a simulation tool with complete capability, in the context of state of the art, PT-IV is adequate. Its deficiencies do not greatly affect the overall results, since a reactor trip is the terminating point for the analysis. However, if a more detailed evaluation of system effects is desired, it will be necessary to develop a more sophisticated system simulation tool.

3. R. A. Capra, "NRC Summary of Meeting Held on August 23, 1979, with the Babcock & Wilcox Operating Plant Licensees to Discuss Recent (Post TMI-2) Feedwater Transients," (September 13, 1979), p. 2.

FMEA Table 4-3 is an extensive study of the impact of single ICS input failures on system behavior. Under the guidelines assumed, this was a good study, but it is questionable whether much would be gained by further pursuit of this particular approach. To begin with, a great deal of the information in Table 4-3 could be determined by a knowledgeable, a priori examination of an ICS flow sheet, without resort to simulation. Where simulation has been and should be used, it is not apparent that conditions are so far from design point that a linearized model would not be acceptable. The reason is that a reactor trip from any out-of-range variable would appear to call a halt to a study of further consequences. From a case by case examination, this response also seems justifiable; no single ICS input failure appears to cause safety problems that a scram would not cure.

5.3 Operating Data

The historical failure frequency of ICS components, the frequency of ICS-initiated transients, and the actual response of operating plants to component failures were evaluated, using the records of transients at B&W operating plants. This section complies adequately with the B&W commitment. Since the scope was not limited to ICS failures, even the more general control system concerns recently raised by the NRC are addressed in the section entitled "Operating Experience." As shown in Fig. 5.1 of "Operating Experience," only 2% of commercial, operating plant trips were caused by internal ICS failures (excluding power supplies). Of the remaining trips, one-third were caused by operator/technician errors and two-thirds by ICS interactions with controlled equipment, failures of controlled equipment, ICS inputs (including power supplies), and failures of other control systems.
Therefore, internal ICS failures are not a major causative factor of transients that produce trips. The MTBFs (mean time between failures) for the ICS equipment are consistent with expected values for equipment of that generation (for both the 721 and the 820 series). The 820 series equipment appears to be much more reliable than the 721, but there are insufficient data to state that the apparent large differences are statistically significant. Although the operating data indicate a relatively low probability of ICS failure, the data should not be regarded as a source of insight into the sensitivity of the plant to the ICS.
6. EVALUATION AND RECOMMENDATIONS

6.1 Operating Experience

Reliance on the ICS or on automatic control in general to regulate feedwater and other plant parameters is not a shortcoming as might be inferred from current suspicion of the ICS; instead it is a significant asset to plant safety and availability. That the system does not perform perfectly in all situations or that it may induce plant upsets when it fails is only to be expected. Thus, one should criticize only the deficiencies and not automation in general. Customer satisfaction and acceptance of the ICS is high and at least as favorable as competitive designs.

It is clear that the ICS, either through its own failure or through its response to real or unreal plant conditions, can alter plant operation in undesirable ways. However, other effective control systems, including good and bad operators, can also do this. For example, feedwater pumps and valves, bypass valves, and atmospheric dump valves can be misoperated; control modes can be improperly altered; loop balances can be upset; and many other anomalies can be caused or exacerbated by the ICS. Neither is this surprising, nor is this necessarily a cause for alarm. The ICS has features that are effective in mitigating the effects of some of its own failures and those of its auxiliaries. These include load, rate, and cross limits, which are useful but not infallible. We find no evidence that the ICS provides more frequent or more severe challenges to the PPS (plant protection system) than other control systems of similar scope, nor do these challenges exceed the PPS capability. The coordination of nuclear power generation with load requirements under system constraints of pressure, temperature, and the like is a complicated task. The development of a system such as the ICS required consideration of many problems too complex for an operator to handle during a minor (or major) plant disturbance.
The response of the ICS is far better and more predictable than that of an operator, given the same information. While we agree that the ICS should not be classed as a protective system, we believe that there should be more concern for avoiding, as well as detecting, degradation of failures within the system. Failures in control systems do affect safety through their impacts upon the rate of challenge of the protection system. The economic costs are obvious. Better control equals better safety, but the quantification of the gain is difficult. Examination of the failure statistics in the B&W analysis (notably Table 5-8) reveals that only a small number of ICS malfunctions resulted in reactor trips (approximately 6 of 162). These data, supported by conversations with plant operators, demonstrate that the system is failure tolerant to a significant degree. This feature is also evidenced by noting the large number of postulated failures in the FMEA that could result in a reactor trip, compared with the experienced low trip rate in practice. The positive results of the FMEA and operating experience of the ICS show that the control system itself has a low failure rate and that it does not instigate a significant number of plant upsets. The analysis further shows that anticipated
failures of and within the ICS are adequately mitigated by the PPS and that many potential failures would be mitigated by cross-checking features of the control system without challenging the PPS.

The manufacturer contends, and we agree, that (1) the system prevents or mitigates many more upsets than it creates, and (2) the system is generally superior to manual or fragmented control schemes. The performance deficiencies that have been suggested relate mostly to the ability or inability of the system to deal with major operational upsets, with maneuvering through different plant modes as from hot standby to low power, and with component problems such as valve leakage or pump response. Since these performance characteristics are not the subject of the B&W analysis, they are not emphasized in this review. Instead, in this review a broader scope of system performance was investigated, but to a limited extent. The following suggestions for further study are offered:

1. An analysis of overall plant stability, including the participation of the ICS in system oscillations and other specific ICS actions, such as control of feedwater after a turbine trip and other anticipated transients.
2. Development of an appropriate full-plant simulator to evaluate the interaction of the primary, secondary, and control systems.

This latter suggestion is a generic problem beyond the scope of the B&W analysis, implying a need for NRC sponsorship. The simulator would have to be an advancement over current tools, one that would combine all systems and still have an acceptable parameter and transient range. Analog systems alone are not likely to be adequate for the purpose. A hybrid system would be the most applicable computer system based on our current views of the operational upsets to be covered.
6.2 Failure Modes and Effects Analysis

Our evaluation of the FMEA as performed and reported in the B&W analysis suggests several concerns and recommendations for future investigation.

1. As discussed in Sect. 4 of this review, the functional block FMEA approach may have been selected as an economic expedient and may not have been the optimum technique for deriving the information desired. If further pursuit of the failure consequences of the ICS is desired, we recommend that a fault tree for loss of feedwater be developed, based on equipment diagrams rather than functional blocks. This would allow assessment of the significance of multiple failures and some verification of the adequacy of the use of functional block diagrams. We are satisfied that failures within the ICS itself do not constitute a significant threat to plant safety and that further analysis of this type may not be economically justifiable.
2. The FMEA would have been of greater significance if it had been expanded to include other systems with which the ICS interacts, such as the nonnuclear instrumentation (NNI) and its power and signal sources. In particular, the analysis should have considered midscale failures and off-normal initial conditions. It is not evident that redoing the analysis at this point to include this information would be worthwhile.
3. Power supply failures have caused and are continuing to cause significant plant upsets. They should be evaluated in detail, and specific recommendations for their upgrading should be reported.
4. The simulation tools used in these studies are deficient in their dynamic range and component details. Nonetheless, they served a useful purpose. It is our opinion that more detailed analyses would not provide significantly more enlightening information for purposes of the FMEA.

6.3 Comments on B&W Recommendations

6.3.1 ICS related

Our comments on the B&W recommendations are as follows:

1. NNI/ICS power supply reliability: We concur that this is an area needing attention, going somewhat beyond supply reliability per se. Although our review of this subject has not been comprehensive, problems of system arrangement and channeling and selection of input signals appear to need improvement. In at least two plants, a single power supply failure can result in a loss of virtually all signals to the ICS. Since power supply arrangements are specific for each plant, individual attention by plants is indicated.
2. Reliability of input signals from the NI/RPS system to the ICS, specifically the RC flow signal: The background for this recommendation was not described by B&W. We concur that this subject deserves attention for the same considerations as discussed in the preceding recommendation.
3. ICS/BOP system tuning, particularly feedwater condensate systems and the ICS controls: The concern behind this recommendation may be broader than tuning.
We believe that the dynamic performance of these systems should be studied in relation to the entire plant response, including the effects of control limitations, such as valve and pump-speed responses, on plant stability. Since there is a tight coupling between the secondary system which is controlled by the ICS and the primary system with its important considerations of pressure and pressurizer level, including the primary system within the ICS may be worthy of investigation as a potential control improvement.
6.3.2 Balance of plant

For the balance of the plant B&W recommends the following:

1. Equip the turbine drive in the main feedwater pump with a minimum speed control to prevent a loss of main feedwater or a loss of indication of main feedwater.
2. Install means to prevent or mitigate the consequences of a stuck-open startup valve in the main feedwater line.
3. Install means to prevent or mitigate the consequences of a stuck-open valve in the turbine bypass line.

We concur with these recommendations.
APPENDIX A: QUESTIONS AND RESPONSES
After a preliminary review of the B&W analysis, we submitted several questions to B&W to obtain an expansion or clarification of information presented in their report or to obtain other information not contained in the report which may be germane to the review. B&W invited the reviewers, NRC staff members, and representatives of the Toledo Edison and Duke Power Companies to their facilities in Lynchburg, Virginia, to hear their responses to the questions. This meeting was October 23, 1979. The questions and the reviewers' interpretation of the responses follow. The reviewers have added some additional interpretations and observations summarized from the group discussion.

Q1.* There may be a significant difference between failure modes or conditions with an FMEA that are based on functional block diagrams rather than on equipment block diagrams. Were the functional failure assumptions compared with actual equipment failure modes to assure that they are realistic and meaningful?

R. Functional block diagrams were used to reduce the scope of the effort and allow the analysis to be accomplished in the requested time frame. As stated in their report and in discussions, B&W believes that the functional approach is adequate and that very few observations would be in error as a result of this choice.

C. An example of a possible incorrect or incomplete conclusion arising from this approach is that failure considerations of the turbine bypass valve control do not include details of whether condenser cooling is available and whether the control will be transferred to the condenser dump or to the atmospheric dump. Also not considered is operator response or interference/interaction. This example was selected because the recommendations of the B&W analysis include additional analysis of bypass valve failure.

Q2. All assumptions of ICS signal input failure appear to be either high or low, with some attempt to identify a "worst case." Some of the operable plants under review potentially could experience midscale failures. There is some evidence that some midscale failures could be worse than high or low failures, as experienced by the plant selected as typical, Rancho Seco. Are there plans for including midscale failures in the analysis and how is the validity of the analysis compromised by not including midscale failures?

R. B&W considers (1) midscale and multiple-input signal failures to be either outside the boundaries of the ICS or outside the scope of the review as determined by B&W, and (2) the high or low signal assumptions to be the worst case for single failures.

*Q, question; R, response by B&W; and C, comment by ORNL reviewers.
C. We find no specific evidence to confirm this assumption. With regard to multiple-input signal failures, operating experience confirms that this is a highly credible event which can result from the single failure of a power supply in the NNI in the input signal selection circuitry. An example of such a failure is the Rancho Seco event of March 20, 1978. We believe that the B&W decision not to include consideration of failures beyond the actual ICS cabinet terminals is a serious shortcoming of the analysis, especially since considerable operating experience indicates that power supplies are not reliable. B&W recommends further analysis of the ICS and NNI power supplies based on this operating experience.

Q3. Virtually all of the events/failures considered in the analysis appear to be based on "normal" conditions, that is, when all plant equipment is functioning at nominal design points. Our limited information regarding the same operating experience suggests that many of the abnormal occurrences were the direct result of some plant equipment not functioning; for example, three primary pumps instead of four were running, one instead of two feedwater pumps was running, one or more hand/automatic stations was in manual, to name three instances. Since these seem to be the more significant initial conditions for unsatisfactory ICS performance, how is their omission justified? Were any of these "interesting" events analyzed but not reported?

R. B&W did not miss any significant transients or protective system challenges by not including off-normal initial conditions. No unreported analyses were performed from off-normal conditions.

C. Since B&W did not confirm this contention, we find it difficult to support. Our evaluation of plant events involving the ICS is that the majority of these events occurred from off-normal initial conditions and/or with some function(s) of the ICS in manual or tracking modes. This experience would tend to deny their assertion.

Q4.
What process was used to determine the "effect on the NSS"? Neither the technique nor the justification is included in the analysis. What verification techniques were employed for the "effects" analysis?

R. The effects were evaluated by knowledgeable people with plant experience.

Q5. The POWER TRAIN IV (PT-IV) code obviously has a limited ability to simulate the NSS and BOP responses. How significant is this limitation on the analysis? In particular: (a) Describe the extent to which the simulation was used to predict results. (b) Describe errors and uncertainties which might have resulted from the limited dynamic range and functional detail of the simulation. (c) Describe to what extent the simulation results were verified with plant data.
(d) Describe the extent to which the simulation was valid or invalid for each of the individual plants and their differences, especially feedwater systems. (e) Was the simulation capable of dealing with off-normal operation, such as three primary pumps or partial manual operation?

R. PT-IV was used in about 75% of the cases to evaluate the effects on the NSS, along with supplemental "engineering judgment." This code has the following features: two steam generators modeled in continuous space and discrete time; steam lines; feedwater pumps; feedwater heaters; condenser; pressurizer; turbine dynamics; and valves. The primary system includes pump characteristics programmed from other codes as a table and appropriate transport lags (~10 s). The pressurizer modeling includes the effects of surge flows, spray flows, internal flows with condensation and flashing, heaters, and safety and power-operated relief valves. The ICS model uses a dedicated digital computer (EAI-640) and is a digital model of an analog system utilizing functional blocks. One feedwater valve model is used to represent all FW valves. The limiting ranges of PT-IV are reported to be: primary pressure of 1500-3000 psi, secondary pressure of 500-1500 psi, temperature (primary and secondary) of 400-700°F, and feedwater temperature of 350-700°F.

The hybrid model uses two EAI-680 analog computers and one CDC-1700 digital computer. Due to computer limitations, there is not much detail of the feedwater system. A more complete model (not PT-IV) would include pump drains, flash tank levels, and condensate pumps, as well as main feed pumps. The condensate pumps have suction pressure trips that sometimes actuate when the interceptor valves close. This is not modeled. Turbine trip is the transient used to check the code with plant data. The validity of the comparison is judgmental. The model is not valid at low powers.

C.
Within the limitations of the effects considered and the comparisons of the effects with plant data, we expect the results of PT-IV to be reasonably valid. Q6. The ability of the ICS to nspond pnperty to its design basis and other pwbable conditions is nor addnesad. That is, design probleme associated with nomxt opention or axnsuvering are not included, untase a failun is assumed. This nuxy be outside the scope of the NRC nquest, but the intenations of the ICS feedvater systems observed in opemting plants indicate that this nxy be a valid concern. Were the design pwbtams and component limitations associated with expected normat opem-tion analyzed and documented? Are these analyset available? l l R. BW has no strong motivation to improve the performance of the ICS. Its utility customers have no significant unresolved complaints about the ICS.
l 23 C. Subsequent discussions with three plant owners confirm this acceptance. Q7. Is then any connection, physical or phenomenological, betueen nactor protection system (RPS) sensors and IW inputs? Which canon signals, if any, initiate trip, and what is the possibility that comon-signal or signal-conditioning failures could initiate a plant t u nsient through the IW, requiring a naponse of the RPS to such signals. R. RPS signals are used by the ICS with suitable buffering. The redundancy provided in the RPS satisfies the requirements of IEEE-279. Q8. FNE'A categories for "causes," detection," and 4ropagation potential" vould yield helphi infonnation. Has this type of infomation been gener-ated and is it availahte? R. Identification of component causes is not considered necessary. Detection of component failures is not warranted, considering the low failure rate. The propagation potential for failures in analog systems is difficult to predict. 4 Q9. The impact of power supply failures appears to be inadequately addressed, especially considering that events of much mre significance than those analysed have occurred at openting vian+s. Ecu is the i omission of these considentions justified, and h mre comprehensive power supply failure analysis available? R. Power supply reliability is a probles for the customers to resolve. It is a recognized problem that must be resolved plant by plant. This is one of the principal reconnendations of the report. Q10. A s'ignificant number of trips appear to have occurred when portions of the system vere in a mnual mode of operation. What fraction of time is it estimated that cont.ol stations are in a mnual mode, and what are the problems associated with this wde of operation of the ICS? l R. No data are available for the ' manual operating mode. Manual modes are judged to be used most of ten for startup and testing. The ICS is not designed to deal with many abnormal situations (e.g., odd alignment of equipment). Q11. 
Hou veti does historical failure data on Im 721 and 820 compare with predictions based on nominal behavior? Is there evidence of accelerated t failure? R. A higher " burn-in" failure rate was experienced, but it has leveled i l off. The long-term failure rate remains level. TMI-1 and Oconee 1, 2, and 3 are 721 models. All others are 820 models. Q12. hitiple failures are not annunciated. Therefore, uncorrected failures my exist untit other failures occur, resulting in effective multiple failures. It appears that multiple failure situations my have
0 24 a significant probability of occurrence. Hou is the emission of multiple failure considentions justified in the analysis? Might fault tn e analysis have been a better technique for addressing the concerns sxpressed and producing the naults requested? R. The effort required to conduct a fault tree analysis is considered excessive. The FMEA report addresses failures considered to be "important." C. The limited scope of the FMEA casts some doubt on this position. Q13. The analysis does not include infomation to substantiate the B&W noomendation that impwvement is needed in pouer supplies, signat selec-tion, and signat niiability. Please supply the analysis or the infomation which led to this neommendation. In particular, does BG have specific ncomendations to impwve the failure totemnce of the IW7 R. No additional data are available. Q14. Openting a:pariance nports and ont infomation not incl *ded in l the analysis suggest that the IW and the BCP system, including the OTSG, are sensitive to " tuning" and component pwbiems, such as feeduater valve t speed and leakage. Describe the extent to which these pwbtems are sicnificant, how they have led to nisopention and RPS chattenges, and hou they night be avoided. Are " tuning" pwbtems inherent to this type of plant, or do they nynsent design deficiencies uhich can be corrected? R. The adequacy of tuning is based on customer acceptance. According to Licensee Event Report statistics, BW plants have fewer total reactor trips and fewer feedwater trips than either of the other PWR types. Q15. Many Licensee Event Reports, as veil as this analysis, indicate that the opentor is imoticated in a large number of occurrences of poor ICS opention. M:ny of these events also involve slightly off-normat conditions such as nonstandard pump and valve alignment. Do these events nynsent design deficiency, opentor twining deficiency, or a combina-tion of these? 
Does B&W have neomendations to correct these deficiencies and on what schedute can they be implemented? R. Most Problems occur due to maintenance, testing, or equipment problems that require manual intervention. Also, the system is not designed for fully automath startup. l e D
APPENDIX B: TRANSMITTAL LETTERS
UNITED STATES NUCLEAR REGULATORY COMMISSION, Washington, D.C. 20555

August 22, 1979

MEMORANDUM FOR: Distribution

FROM: R. A. Capra, B&W Project Manager, Project Management Group, Bulletins & Orders Task Force

SUBJECT: INTEGRATED CONTROL SYSTEM RELIABILITY ANALYSIS

1. As part of the long-term portion of the Commission Orders of May 1979, each of the B&W operating plants was directed to perform a failure modes and effects analysis of the integrated control system (ICS). B&W performed this analysis for each licensee.

2. B&W has completed the analysis and forwarded ten copies of their report, "Integrated Control System Reliability Analysis - BAW-1564 - August 1979," via a letter from J. H. Taylor (B&W) to D. F. Ross (NRC) dated August 17, 1979.

3. The organization who will perform the review of this document has not been determined yet; however, I am making distribution of the ten copies we have received as indicated below. I have requested that 50 additional copies be reproduced for further distribution.

R. A. Capra, B&W Project Manager, Project Management Group, Bulletins & Orders Task Force

Distribution (copies): Novak (1), Heltemes (1), Israel (1), Rosztoczy (1), Satterfield (1), Capra (1), Docket files (1), PDR (1), Reproduction (1).

Letter only: G. Mazetis, C. Nelson, P. Matthews, R. Ingram, D. Thatcher, W. Gammill, F. Ashe, D. Eisenhut, P. Norian, S. Lewis, R. Reid, L. Brenner, G. Vissing, M. Mulkey, D. Garner, D. Davis, M. Fairtile.
Babcock & Wilcox, Power Generation Group, P.O. Box 1260, Lynchburg, Va. 24505, Telephone: (804) 384-5111

August 17, 1979

Dr. D. F. Ross, Jr., Deputy Director, Division of Project Management, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

Subject: Integrated Control System Reliability Analysis

Gentlemen:

Transmitted herewith are ten copies of the Integrated Control System (ICS) Reliability Analysis, BAW-1564. B&W performed this analysis at the request of the NRC, based on concerns stemming from the TMI-2 incident. Although the ICS performed exactly as designed during the TMI-2 incident, it was brought under scrutiny since it was both the control system for Auxiliary Feedwater and one of the major differences between B&W and other PWR designs. This analysis supports B&W's previous position - the ICS is a reliable control system that promotes NSS availability by maintaining the plant on line during normal and upset conditions, providing runbacks, and minimizing reactor trips.

If you have any questions, please call (Ext. 2317).

Very truly yours,

James H. Taylor, Manager, Licensing

JHT:dsf
Encl.
cc: R. B. Borsum (B&W); R. A. Capra (NRC); B&W Owners Group Subcommittee (list attached)

B&W Owners Group TMI Subcommittee

FPC - Florida Power Corporation, P. O. Box 14042, St. Petersburg, FL 33733, Attn: E. C. Simpson (Bert)

CPC - Consumers Power Company, 1945 West Parnall Road, Jackson, MI 49203, Attn: T. J. Sullivan (Terry)

DPCO - Duke Power Company, P. O. Box 33189, Charlotte, NC 28242, Attn: D. C. Holt (Dave)

GPU - GPU Service Corporation, 260 Cherry Hill Road, Parsippany, NJ 07054, Attn: R. F. Wilson (Dick)

SMUD - Sacramento Municipal Utility District, 6201 S Street, Sacramento, CA 95813, Attn: S. Andersch (Stan)

AP&L - Arkansas Power & Light Company, P. O. Box 551, Little Rock, AR 72203, Attn: D. G. Mardis (Dave)

TECO - Toledo Edison Company, Edison Plaza, 300 Madison Avenue, Toledo, OH 43652, Attn: C. R. Domeck (Chuck)

MET ED - Metropolitan Edison Company, P. O. Box 542, Reading, PA 19603, Attn: J. F. Fritzen (Jeff)
Babcock & Wilcox, Power Generation Group, P.O. Box 1260, Lynchburg, Va. 24505, Telephone: (804) 384-5111

April 28, 1979

Mr. Harold R. Denton, Director, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, 7920 Norfolk Avenue, Bethesda, Maryland 20555

Mr. Denton:

Subject: Integrated Control System

As committed by Babcock & Wilcox in J. H. MacMillan's letter to you on April 26, 1979, please find attached both the schedule and scope for a Reliability Analysis of the Integrated Control System and the schedule for developing an Auxiliary Feedwater Control independent of the Integrated Control System.

It is our understanding that the commitment to complete these items is not a prerequisite to plant restart.

If you have any questions, please call me (Ext. 2817).

Very truly yours,

J. H. Taylor, Manager, Licensing

JHT/wl
cc: R. B. Borsum (B&W, Bethesda)
bcc: E. R. Kane, [illegible], R. E. Ham, D. D. Fairbrother, C. J. Brazill, R. E. Vascher, J. H. MacMillan
Scope and Schedule for a Reliability Analysis of the Integrated Control System (ICS)

Purpose: To prepare an ICS Reliability Analysis including a Failure Modes and Effects Analysis (FMEA) as committed by Babcock & Wilcox. This analysis will identify sources of transients, if any, initiated by the ICS and develop recommended design improvements which may be necessary to reduce the frequency of those transients. This analysis will concentrate on ICS failure modes that could affect the feedwater system, emergency feedwater system, pressurizer level, and reactor coolant system pressure.

Scope:

(1) Two teams of engineers have been dispatched to the presently operating plants to collect data and determine the ICS's role in each transient, with particular emphasis on transients involving feedwater (FW), emergency feedwater (AFWC), pressurizer level and reactor coolant system (RCS) pressure. Data will be returned to NPGD for input into the ICS reliability analysis. Data from other plants will also be obtained with the assistance of site personnel.

(2) A FMEA will be performed by NPGD to the ICS module level. The FMEA will include identification of the failure modes for hardware external to the ICS. This will consist of input signals for temperature, pressure, RCS & FW flow, pump status, and power.

(3) After identification of possible failure modes, the effects of these failures on the plant will be determined by plant simulation. The emphasis will be on failures that affect or challenge the FW, AFWC, pressurizer level and pressure, PORVs, ESFAS, and safety valves.

(4) ICS failure modes which cause undesirable responses in the ICS will be listed.

(5) Performance of the ICS during normal plant transients will be considered in the ICS analysis.

(6) IEEE 352 will be used as a guide for FMEA format and content.

Schedule:

(1) On-site transient data collection: 4/26/79 through 5/9/79.

(2) Definition of boundary of system to be analyzed: 4/25/79 through 5/2/79.

(3) Identification of failure modes: 5/2/79 through 5/11/79.

(4) Simulate failure modes and determine plant effects: 5/2/79 through 5/25/79.

(5) Generation of FMEA tables: 5/9/79 through 6/1/79.

(6) Reliability report narrative: 5/2/79 through 6/11/79.

(7) Listing of potential hardware modifications: 5/16/79 through 6/20/79.

(8) Review and prepare letter report for submittal to NRC: 6/15/79 through 6/27/79.
Description: The Auxiliary Feedwater Control System (AFWCS) will be completely separated from the Integrated Control System (ICS). The general performance criteria for the AFWCS are:

(1) The AFWCS will control the auxiliary feedwater flow and deliver water to the steam generators with control features to minimize reactor coolant system fluctuations.

(2) The AFWCS will control auxiliary feedwater flow to the auxiliary feedwater nozzles of the steam generators and will be able to achieve and maintain safe shutdown from the following plant configurations: (a) loss of main feedwater; (b) loss of forced reactor coolant flow.

(3) The AFWCS will include provisions for control of steam pressure during operation in the plant configuration modes identified in (2) above.

Criteria: The hardware in the AFWCS will conform to the following general criteria:

(1) The AFWCS will be independent of the ICS.

(2) No single random failure in the AFWCS will prevent the system from controlling the auxiliary feedwater flow to both steam generators.

(3) Standard non-1E commercial nuclear equipment will be used.

(4) The AFWCS will have provisions for manual and automatic actuation.

Schedule:

(1) Complete design: 06/01/79

(2) Issue system description to NRC and Customers: 06/08/79

(3) Manufacture (based on Customer and NRC concurrence by 06/15/79): 08/10/79

(4) Minimum shipment and installation time is 30 days. Exact installation to be scheduled by mutual agreement of the licensee and the NRC.
APPENDIX C: UTILITY SUBMITTALS RELATING TO THE B&W RELIABILITY ANALYSIS
DUKE POWER COMPANY, Power Building, 422 South Church Street, Charlotte, N. C. 28242

August 31, 1979

Mr. Harold R. Denton, Director, Office of Nuclear Reactor Regulation, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555
Attention: Mr. D. F. Ross, Jr., Director, Bulletins and Orders Task Force

Re: Oconee Nuclear Station, Docket Numbers 50-269, -270, -287

Dear Mr. Denton:

With regard to your letter dated August 21, 1979 concerning identification and resolution of long-term generic issues related to the Commission orders of May 1979, the following information is provided:

1. Failure mode and effects analysis of the Integrated Control System. The Integrated Control System Reliability Analysis, submitted by Babcock and Wilcox in a letter dated August 17, 1979, has been reviewed by Duke Power Company. This document is considered to be applicable to the system at Oconee Nuclear Station.

2. Continued operator training and drilling. The response to this item will be submitted by September 21, 1979.

3. Upgrade of the anticipatory reactor trip to safety grade. No additional information requested.

4. Auxiliary/emergency feedwater system reliability analyses. Duke Power Company will participate in the auxiliary feedwater system reliability analyses program proposed by B&W in a letter dated August 16, 1979 from J. H. Taylor to D. F. Ross, NRC. A final report of the results of the analysis for Oconee will be provided by December 3, 1979.
ARKANSAS POWER & LIGHT COMPANY, Post Office Box 551, Little Rock, Arkansas 72203

August 31, 1979
1-089-19

Director of Nuclear Reactor Regulation, ATTN: Mr. R. W. Reid, Chief, Operating Reactor Branch #4, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555

Subject: Arkansas Nuclear One - Unit 1, Docket No. 50-313, License No. DPR-51, Long-Term Generic Issues Related to May 17, 1979 Order (File: 1510.1)

Gentlemen:

In accordance with the request of Dr. D. F. Ross' letter of August 21, 1979, we have reviewed Enclosure 1 of that letter and provide the following responses to Items 1, 4, 5, 7 and 8.

Item 1

The failure modes and effects analysis of the Integrated Control System (ICS) was provided in a letter from James H. Taylor to Dr. D. F. Ross, Jr., dated August 17, 1979. The report, entitled "Integrated Control System Reliability Analysis", also includes a reliability assessment of the ICS plant operating experience. We have reviewed this report and basically endorse it as applicable to our system. Specific areas of difference are limited and will be addressed in our response to necessary system or procedure changes, if your review should come to that conclusion. Our operating experience has led us to believe the ICS is a reliable control system.
SACRAMENTO MUNICIPAL UTILITY DISTRICT, 6201 S Street, Box 15830, Sacramento, California 95813

August 31, 1979

Mr. D. F. Ross, Jr., Director, Bulletins and Orders Task Force, Office of Nuclear Reactor Regulation, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555

Docket No. 50-312, Rancho Seco Nuclear Generating Station, Unit No. 1

Dear Mr. Ross:

The Sacramento Municipal Utility District has reviewed your letter of August 21, 1979 requesting information on several items. The following provides that information which is due today and is listed by item number of enclosure 1 to your letter.

1. On August 17, 1979 Mr. James H. Taylor of B&W transmitted the Integrated Control System Reliability Analysis, BAW-1564, to you. We have reviewed this report and find it generally applicable to Rancho Seco Unit 1 and endorse the conclusions and recommendations of the report.

4. On August 16, 1979 Mr. J. H. Taylor of B&W provided you with a scope and schedule for the auxiliary feedwater system reliability analysis. Rancho Seco is the lead plant for this analysis, which will be available by the dates provided in Mr. Taylor's letter.

5. In response to your concerns over the thermal-mechanical conditions in the reactor vessel during recovery from small breaks with extended loss of all feedwater, the District commits to have the Babcock and Wilcox Company perform an analysis on this subject. The results of this analysis should be available by December 21, 1979.

7. The District commits to provide the information listed in Attachment A to the enclosure to your letter by the following dates. These dates supersede our commitment to Harold Denton on July 26, 1979 to provide additional small break analysis information by September 15, 1979. The required analyses will be performed by the Babcock and Wilcox Company.
TOLEDO EDISON, Edison Plaza, 300 Madison Avenue, Toledo, Ohio 43652
Lowell E. Roe

Docket No. 50-346, License No. NPF-3, Serial No. 538

August 31, 1979

Director of Nuclear Reactor Regulation, Attention: Mr. Robert W. Reid, Chief, Operating Reactors Branch No. 4, Division of Operating Reactors, United States Nuclear Regulatory Commission, Washington, D.C. 20555

Dear Mr. Reid:

This letter is in response to Mr. D. F. Ross's letter of August 21, 1979 (Log No. 423) to all Babcock & Wilcox Operating Plants. Attachment A addresses items 1 and 4 relating to requirements of the Davis-Besse Nuclear Power Station, Unit 1 Order of May 16, 1979. Additionally, items 5, 7 and 8 of the subject letter are addressed.

Very truly yours,

Lowell E. Roe

cc: R. A. Capra, Project Management Group, Bulletins and Orders Task Force, U. S. Nuclear Regulatory Commission, Washington, D. C. 20555

Docket No. 50-346, License No. NPF-3, Serial No. 538
August 31, 1979

Attachment A

Items of NRC Letter of August 21, 1979 (TECo Log No. 423)

The item numbers below are consistent with those of Enclosure 1 of the subject letter.

Item 1 - Failure Mode and Effects Analysis of the Integrated Control System (ICS)

The ICS Reliability Analysis (BAW-1564) was published August 17, 1979, with the following deviations for Davis-Besse Unit 1:

1. Page 4-1, Section 4.1.1: Davis-Besse Unit 1 PORV setpoint is 2400 psig. RPS setpoints: 2300 psig/1985 psig.

2. Page 4-6, Section 4.2.3: Davis-Besse rate of change is limited to 3% per minute above 90% full power and below 20% full power.

3. Page 4-9, Section 4.2.3.5: During a reactor trip, loss of condenser vacuum, or loss of Circulating Water pumps, the atmospheric vent valves are modulated when the turbine header pressure exceeds its setpoint by 155 psi.

4. Page 4-9, Section 4.2.3.6: The throttle pressure error signal is modified in the same manner as for the atmospheric vent valves but with a 50/125 psi bias versus a 75/155 psi bias.

5. Page 4-11, Section 4.2.3.10: Error must be greater than +0.95% or less than -0.95% for rod movement.

6. Page 4-11, Section 4.2.3.11: Feedwater demand is modified when the error is greater than +10% or less than -5%. This change was to reduce feedwater input on a load rejection.

7. Page 4-47, Table 4-4, Item 5-22, Failure Mode - Open: At Davis-Besse Unit 1, the feedwater valves are about 45 to 55% open, and a signal to open these valves would overcool the RCS and result in a low pressure trip.

The above deviations are noted, but are not significant enough to affect the results and conclusions of this report.
FLORIDA POWER CORPORATION

August 31, 1979
File: 3-0-3-a-3

Mr. D. F. Ross, Jr., Director, Bulletins and Orders Task Force, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Subject: Crystal River Unit 3, Docket No. 50-302, Operating License No. DPR-72, Identification and Resolution of Long-Term Generic Issues Related to the Commission Orders of May 1979

Dear Mr. Ross:

On August 23, 1979, Florida Power Corporation received your letter of August 21, 1979, identifying eight long-term issues related to the Order which must be resolved for Crystal River Unit 3 and the other B&W Operating Plants. These eight (8) items were identified and briefly discussed in Enclosure 1 of your letter. In your discussion of Items 1, 4, 5, 7, and 8, you requested Florida Power Corporation to provide additional information and our schedule for resolution of these five (5) items by August 31, 1979.

In that regard, Florida Power Corporation hereby submits, as Attachment 1 to this letter, our response to your August 21, 1979 request for additional information. If you require further discussion concerning our response, please contact us.

Very truly yours,

FLORIDA POWER CORPORATION
G. C. Moore, Assistant Vice President, Power Production

GCM:kcF06(D5)
Attachment

ATTACHMENT 1
Response to Ross Letter of August 21, 1979

Item 1 - Failure Mode and Effects Analysis of the Integrated Control System

On August 17, 1979, B&W submitted to you for your review copies of the report entitled "BAW-1564 Integrated Control System (ICS) Reliability Analysis". This letter is to advise you that this report is applicable to Crystal River Unit 3. Although this was a generic report developed by B&W, and there are differences in the secondary system designs at the various B&W plants, we feel that the conclusions reached in this report can be applied to Crystal River Unit 3. Florida Power Corporation is presently reviewing the recommendations listed in Section 3 of this report to determine what possible changes are necessary at Crystal River Unit 3 to enhance reliability and safety.

Item 4 - Auxiliary/Emergency Feedwater System Reliability Upgrade

This letter is to inform you of Florida Power Corporation's commitment to the AFW/EFW System Reliability Study proposed by B&W and discussed with you and your staff on July 19, 1979, and August 9, 1979. The draft report for Crystal River Unit 3 will be submitted by October 22, 1979, and the final report will be submitted by December 3, 1979.

Item 5 - Detailed Analysis of the Thermal-Mechanical Conditions in the Reactor Vessel During Recovery from Small Breaks With Extended Loss of All Feedwater

The above analysis will be submitted by December 21, 1979.

Item 7 - Small Break LOCA Analysis

The following is our schedule of response to the six items contained in Attachment A of your letter:

1) A. Report will be submitted on December [illegible], 1979. B. Report will be submitted on September [illegible], 1979.

2) A. Report will be submitted on September [illegible], 1979. B. In response to this request, we are pursuing three (3) options in order of preference: 1) Provide a statement by September [illegible], 1979, that a small break with auxiliary feedwater will pressurize the system to the PORV setpoint. 2) Provide by December 30, 1979, a qualitative assessment of the transient. 3) Provide core analysis by February 1, 1980, using a 0.01 ft² break with no AFW available. We are presently proceeding with option #1, unless otherwise notified by the NRC by September 7, 1979.

GCM:kcF06(D5)
Table 4-5 (fragment). Failure modes of the modified turbine header pressure error and turbine control functional blocks.

| No. | Item Name | Mode | Effect on NSS | Reactor Trip | Remarks |
|---|---|---|---|---|---|
| Functional: 2; ICS: 4-2-13 | Modified Turbine Header Pressure Error | High | The ICS pulse unit will send a continuous increase demand to the turbine EHC, causing a throttle pressure decrease. The large pressure error detector transfers the turbine EHC to manual in ~5 seconds. The ICS assumes the tracking mode and the feedwater and reactor increase to meet the ~4% load increase. The erroneous modified throttle pressure error causes a mismatch between the NSS steam production and the turbine consumption. The pressure decrease is limited at ~100 psi by the turbine initial pressure regulator. Reactor trip on high RC pressure is possible. | High RC Pressure | No problem after reactor trip. |
| | | Low | Essentially the same response as Failure Mode "High" except pressure rises and is terminated, if power is ≤40%, by turbine bypass valve action. | High RC Pressure | No problem after reactor trip. |
| Functional: 3; ICS: 3-6-1 | Turbine Control | | Failure is very similar to failure of functional block 2 above. | | |
}}