ML20044F125

Nonproprietary Advanced Passive Plant Protection Sys Fmea
ML20044F125
Person / Time
Site: 05200003
Issue date: 04/30/1993
From: Birsa J, Morandini S, Wiesemann J
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
Shared Package
ML19311B054 List:
References
WCAP-13662, WCAP-13662-R, WCAP-13662-R00, NUDOCS 9305260475
Download: ML20044F125 (65)


Text

9305260475 930520 PDR ADOCK 05200003 A PDR


WESTINGHOUSE CLASS 3
WCAP-13662

Advanced Passive Plant Protection System FMEA

(C) WESTINGHOUSE ELECTRIC CORPORATION 1993
A license is reserved to the U.S. Government under contract DE-AC03-90SF18495.

WESTINGHOUSE PROPRIETARY CLASS 2
This document contains information proprietary to Westinghouse Electric Corporation; it is submitted in confidence and is to be used solely for the purpose for which it is furnished and returned upon request. This document and such information is not to be reproduced, transmitted, disclosed or used otherwise in whole or in part without authorization of Westinghouse Electric Corporation, Energy Systems Business Unit, subject to the legends contained hereof.

GOVERNMENT LIMITED RIGHTS:
(A) These data are submitted with limited rights under Government Contract No. DE-AC03-90SF18495. These data may be reproduced and used by the Government with the express limitation that they will not, without written permission of the Contractor, be used for purposes of manufacturer nor disclosed outside the Government; except that the Government may disclose these data outside the Government for the following purposes, if any, provided that the Government makes such disclosure subject to prohibition against further use and disclosure:
(I) This "proprietary data" may be disclosed for evaluation purposes under the restrictions above.
(II) The "proprietary data" may be disclosed to the Electric Power Research Institute (EPRI), electric utility representatives and their direct consultants, excluding direct commercial competitors, and the DOE National Laboratories under the prohibitions and restrictions above.
(B) This notice shall be marked on any reproduction of these data, in whole or in part.

WESTINGHOUSE CLASS 3 (NON PROPRIETARY)

EPRI CONFIDENTIALITY/OBLIGATION NOTICES:
NOTICE: 1 2 3 4 5   CATEGORY: A B C D E F

DOE CONTRACT DELIVERABLES (DELIVERED DATA)
Subject to specified exceptions, disclosure of this data is restricted until September 30, 1995 or Design Certification under DOE contract DE-AC03-90SF18495, whichever is later.

Westinghouse Electric Corporation
Energy Systems Business Unit
Nuclear And Advanced Technology Division
P.O. Box 355
Pittsburgh, Pennsylvania 15230

© 1992 Westinghouse Electric Corporation
All Rights Reserved

AP600 DOCUMENT COVER SHEET

AP600 DOCUMENT NO.: GW-JJ-002
REVISION NO.: 0
DATED: April, 1993
CONTROLLED COPY NUMBER:
ASSIGNED TO:
ALTERNATE DOCUMENT NUMBER: WCAP-13662 (NP)
ATTACHMENTS:
DESIGN AGENT ORGANIZATION: Westinghouse
PROJECT: AP600
TITLE: Advanced Passive Plant Protection System FMEA
WORK BREAKDOWN #: 2.2.8.2
This section incorporates the following design changes DCP #/Rev.:

(C) WESTINGHOUSE ELECTRIC CORPORATION 1993
A LICENSE IS RESERVED TO THE U.S. GOVERNMENT UNDER CONTRACT DE-AC03-90SF18495.

WESTINGHOUSE PROPRIETARY CLASS 2
THIS DOCUMENT CONTAINS INFORMATION PROPRIETARY TO WESTINGHOUSE ELECTRIC CORPORATION; IT IS SUBMITTED IN CONFIDENCE AND IS TO BE USED SOLELY FOR THE PURPOSE FOR WHICH IT IS FURNISHED AND RETURNED UPON REQUEST. THIS DOCUMENT AND SUCH INFORMATION IS NOT TO BE REPRODUCED, TRANSMITTED, DISCLOSED OR USED OTHERWISE IN WHOLE OR IN PART WITHOUT PRIOR WRITTEN AUTHORIZATION OF WESTINGHOUSE ELECTRIC CORPORATION, ENERGY SYSTEMS BUSINESS UNIT, SUBJECT TO THE LEGENDS CONTAINED HEREOF.

GOVERNMENT LIMITED RIGHTS:
(A) THESE DATA ARE SUBMITTED WITH LIMITED RIGHTS UNDER GOVERNMENT CONTRACT NO. DE-AC03-90SF18495. THESE DATA MAY BE REPRODUCED AND USED BY THE GOVERNMENT WITH THE EXPRESS LIMITATION THAT THEY WILL NOT, WITHOUT WRITTEN PERMISSION OF THE CONTRACTOR, BE USED FOR PURPOSES OF MANUFACTURER NOR DISCLOSED OUTSIDE THE GOVERNMENT; EXCEPT THAT THE GOVERNMENT MAY DISCLOSE THESE DATA OUTSIDE THE GOVERNMENT FOR THE FOLLOWING PURPOSES, IF ANY, PROVIDED THAT THE GOVERNMENT MAKES SUCH DISCLOSURE SUBJECT TO PROHIBITION AGAINST FURTHER USE AND DISCLOSURE:
(I) THIS "PROPRIETARY DATA" MAY BE DISCLOSED FOR EVALUATION PURPOSES UNDER THE RESTRICTIONS ABOVE.
(II) THE "PROPRIETARY DATA" MAY BE DISCLOSED TO THE ELECTRIC POWER RESEARCH INSTITUTE (EPRI), ELECTRIC UTILITY REPRESENTATIVES AND THEIR DIRECT CONSULTANTS, EXCLUDING DIRECT COMMERCIAL COMPETITORS, AND THE DOE NATIONAL LABORATORIES UNDER THE PROHIBITIONS AND RESTRICTIONS ABOVE.
(B) THIS NOTICE SHALL BE MARKED ON ANY REPRODUCTION OF THESE DATA, IN WHOLE OR IN PART.

WESTINGHOUSE CLASS 3 (NON PROPRIETARY)

EPRI CONFIDENTIALITY/OBLIGATION NOTICES:
NOTICE: 1 2 3 4 5   CATEGORY: A B C D E F

DOE CONTRACT DELIVERABLES (DELIVERED DATA)
SUBJECT TO SPECIFIED EXCEPTIONS, DISCLOSURE OF THIS DATA IS RESTRICTED UNTIL SEPTEMBER 30, 1995 OR DESIGN CERTIFICATION UNDER DOE CONTRACT DE-AC03-90SF18495, WHICHEVER IS LATER.

ORIGINATOR SIGNATURE/DATE: S. Morandini
AP600 RESPONSIBLE MANAGER: B. Reid

AP600 STANDARD INTERNAL REVIEW SHEET
Form 58203A (3-91)

AP600 DOCUMENT NO.: GW-JJ-002
REVISION: 0
ALTERNATE DOC. NO.: WCAP-13662
DESIGN AGENT ORGANIZATION: Westinghouse
TITLE: Advanced Passive Plant Protection System FMEA
WORK BREAKDOWN STRUCTURE NUMBER: 2.2.8.2
W PROPRIETARY CLASS: Class I   Class II   Class III X
EPRI CONFIDENTIALITY/OBLIGATION NOTICES:
NOTICE: 1 2 3 4 5   CATEGORY: A B C D E F

REVIEWS (SIGNATURE, DATE, COMMENTS)
1. ORIGINATOR: S. Morandini
2. AP600 RESPONSIBLE MANAGER (1) (2): B. Reid

OTHER REVIEWS
3. B. McIntyre
4. N. Liparulo
5. D. Sharp
6. R. Bruce
7. T. Anderson
8.
9.
10.

(1) Approval indicates that all materials, manufacturing and interface concerns have been addressed.
(2) Approval of the responsible manager signifies that all internal reviews have been obtained and all comments resolved.

Mandatory Review and Approval
THIS SHEET SHOULD BE MAINTAINED INTERNAL TO THE AP600 PROGRAM

Form 58202C (3/92)

EPRI CONFIDENTIALITY / OBLIGATION NOTICES

NOTICE 1:
The data in this document is subject to no confidentiality obligations.

NOTICE 2:
The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for limited purposes only. Any use, disclosure to unauthorized persons or copying of this document or parts thereof is prohibited except as agreed to in advance by the Electric Power Research Institute (EPRI) and Westinghouse Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted.

NOTICE 3:
The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for use only in evaluation tasks specifically authorized by the Electric Power Research Institute (EPRI). Any use, disclosure to unauthorized persons, or copying this document or parts thereof is prohibited except as agreed to in advance by EPRI and Westinghouse Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted. This document and any copies or excerpts thereof that may have been generated are to be returned to Westinghouse, directly or through EPRI, when requested to do so.

NOTICE 4:
The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is being revealed in confidence and trust only to Employees of EPRI and to certain contractors of EPRI for limited evaluation tasks authorized by EPRI. Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. This Document and any copies or excerpts thereof that may have been generated are to be returned to Westinghouse, directly or through EPRI, when requested to do so.

NOTICE 5:
The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. Access to this data is given in Confidence and Trust only at Westinghouse facilities for limited evaluation tasks assigned by EPRI. Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. Neither this document nor any excerpts therefrom are to be removed from Westinghouse facilities.

EPRI CONFIDENTIALITY / OBLIGATION CATEGORIES

CATEGORY "A" (See Delivered Data)
Consists of CONTRACTOR Foreground Data that is contained in an issued report.

CATEGORY "B" (See Delivered Data)
Consists of CONTRACTOR Foreground Data that is not contained in an issued report, except for computer programs.

CATEGORY "C"
Consists of CONTRACTOR Background Data except for computer programs.

CATEGORY "D"
Consists of computer programs developed in the course of performing the Work.

CATEGORY "E"
Consists of computer programs developed prior to the Effective Date or after the Effective Date but outside the scope of the Work.

CATEGORY "F"
Consists of administrative plans and administrative reports.

DEFINITIONS

DELIVERED DATA
Consists of documents (e.g. specifications, drawings, reports) which are generated under the DOE contract DE-AC03-90SF18495.

WCAP-13662 Rev 0

Westinghouse Proprietary Class 2 Version exists as WCAP-13594

FMEA of Advanced Passive Plant Protection System

Prepared by:
S.J. Morandini
J.J. Birsa
J.S. Wiesemann
S. Kilim

April 1993

Westinghouse Proprietary Class 3

TABLE OF CONTENTS

1. Introduction
2. Methods
3. Description of System to be Analyzed and its Mission
4. Analysis Boundaries and Failure Modes
   4.1 Microprocessor chassis
       4.1.1 Functional processor (M12)
       4.1.2 Logic processor (M03)
       4.1.3 Data highway controller (M51)
       4.1.4 Parallel input/output (I/O) board (M19)
       4.1.5 Isolated parallel I/O board (M56)
       4.1.6 Analog input processor (M40)
       4.1.7 Universal memory expansion board (M28)
       4.1.8 Serial Communications Controller (M48)
   4.2 Termination frame assembly
       4.2.1 Analog input board (EAI)
       4.2.2 RTD Input Board (ERI)
       4.2.3 Digital (Contact) Input Board (ECI)
       4.2.4 Digital (Contact) Output Board (ECO)
       4.2.5 Reactor Coolant Pump Speed Sensor Input Board (ESI)
       4.2.6 Power Interface (2/3 Voted) Output Board (EPO)
       4.2.7 Power Interface Relay Driver Board (EPR)
       4.2.8 Power Interface (Contact) Input Board (EPI)
       4.2.9 Optical Datalink Transmitter Board (ETX)
       4.2.10 Optical Datalink Receiver Board (ERX)
       4.2.11 Data Highway Transceiver Board (EHX)
       4.2.12 I/O Bus Extender Board (EBE)
       4.2.13 I/O Bus Selector Board (XTS)
   4.3 Dynamic trip bus
       4.3.1 Dynamic Trip Bus Clock Unit Board (DCU)
       4.3.2 Dynamic Trip Bus Logic Unit (DLU)
       4.3.3 Power Converter Board (EPC)
   4.4 Nuclear instrumentation input modules (NIMOD)
       4.4.1 Source Range Configuration
       4.4.2 Intermediate Range Configuration
       4.4.3 Power Range Configuration
       4.4.4 High Voltage Power Supply (DNH)
       4.4.5 Low Voltage Power Supply (DNL)
       4.4.6 Nuclear Instrumentation Amplifier Modules (DNI)
             4.4.6.1 Source Range Input Board
             4.4.6.2 Source Range Interface Board
             4.4.6.3 Intermediate Range Input Board
             4.4.6.4 Intermediate Range Interface Board
             4.4.6.5 Power Range Input Board
             4.4.6.6 Power Range Interface Board
       4.4.7 Source Range Preamplifier (AAS)
   4.5 Other cabinet modules
       4.5.1 DC power supply chassis (ACP)
       4.5.2 Cabinet cooling assembly (AUB)
       4.5.3 Power Distribution Assembly (APP)
   4.6 Nuisance Failures and Cascading Failures
5. Identification of failure categories
6. Description of environmental conditions
7. Conclusions
8. References

TABLES

1. Boards Used in Protection System
2. FMEA of Advanced Passive Plant Protection System

FIGURES

1. Protection and Safety Monitoring System (PMS) Architecture
2. Protection and Safety Monitoring System
3. Engineered Safety Features (ESF) Subsystem
4. Reactor Trip Subsystem
5. Global Trip Subsystem
6. Trip Enable Subsystem
7. Nuclear Instrumentation Signal Processing and Control (NISPAC)
8. Dynamic Trip Bus

Acronyms and Definitions

ADS: Automatic Depressurization System
A/D, D/A: Analog to Digital, Digital to Analog
CMOS: Complementary Metal Oxide Semiconductors
CRC: Cyclic Redundancy Check
E²PROM: Electrically Erasable Programmable Read Only Memory
EPROM: Erasable Programmable Read Only Memory
EMI: Electromagnetic Interference
ESFAC: Engineered Safety Features Actuation Cabinet
FMEA: Failure Modes and Effects Analysis
I&C: Instrumentation and Control
I/O: Input/Output
IPC: Integrated Protection Cabinet
MDM: Multibus Diagnostic Monitor
NISPAC: Nuclear Instrumentation Signal Processing and Control
PAL: Programmable Array Logic
PLC: Protection Logic Cabinet
PLS: Protection Logic System
PMS: Protection and Safety Monitoring System
PRA: Probabilistic Risk Assessment
RAM: Random Access Memory
RFI: Radio Frequency Interference
ROM: Read Only Memory
RTD: Resistance Temperature Detector

AOK Loop: A series loop through the input/output cards mounted in a cabinet that verifies that the input/output cards are energized.

Board Failure: Failure of the board under consideration, due to out of range readings, open circuit when normally closed, closed circuit when normally open, Random Access Memory (RAM) error, Read Only Memory (ROM) error, multiplexer error, bus interface error, central processing unit (CPU) error, timer error, power supply or interface fault, or input/output error.

Channel Bypass Mode: Disables the individual channel bistable trip function which forces the associated logic to remain in the non-tripped state until the bypass is removed. Used during test operations.

Channel Trip Mode: Interrupts the individual channel bistable outputs to the logic to force the function into a tripped or actuated state.

Fault Tolerance: The ability of an instrumentation and control system to continue design basis operation after the occurrence of a failure within the system.

Partial Actuation: Actuation demand on one channel, 2/4 channels required for actuation. Partial actuation has no effect on plant operation.

Partial Trip: Trip demand on one channel, 2/4 channels required for trip. Partial trip has no effect on plant operation.

Self-testing: Diagnostics which include RAM tests, EPROM/E²PROM tests, numeric data processing tests, crystal time base checks, calibration checks, CRC checks, and deadman timer checks.

I Westinghouse Proprietary Class 3 i i f 1. Introduction i The purposes of this FMEA are as follows: - To evaluate the effects of various failure modes on the operational success of the f system - To list potential failures and identify the importance of their effects - To assist in the objective evaluation of design requirements related to redundancy, failure detection systems, fail-safe characteristics, and automatic and manual override. This FMEA is consistent with the guidance presented in ANSI /IEEE Std 352 and associated documents, as shown in section 8 of this document. ( r 2. Methods i The guidance given in References 2 and 3 is followed. The single failure criterion is applied to this analysis. j Results show that single failures of the PMS have no effect on plant operation. Certain unlikely failures in the logic cabinets can initiate end device actuation (nuisance failures). l These actuations constitute the single component failure criterion included in the fluid i systems design basis. See section 4.6 of this document for a discussion of nuisance failures. i 3. Description of System to be Analyzed and its Mission l The Protection and Monitoring System (PMS) performs the following functions: i - determines if plant safety limits have been exceeded - automatically trips the reactor - actuates engineered safeguards equipment l - provides safety grade plant monitoring, prior to, during, and after an accident or l plant transient l The protection and safety monitoring system architecture is shown in Figure 1. In this architecture, related functions are grouped into cabinets. Cabinets are then connected into systems by means of hard wired conductors, datalinks, and data highways. The cabinets also { communicate between systems through a plant wide highway termed the Monitor Bus. l t The I&C architecture is arranged in a hierarchical manner. 
Below the Monitor Bus are the j systems and functions that perform the protective, control, and data monitoring functions. ] t 1

7 Westinghouse Proprietary Class 3 This analysis examines the Protection and Safety Monitoring System (PMS). Included in the PMS are the Integrated Protection Cabinets, the Engineered Safety Features Actuation Cabinets, and the Protection Logic Cabinets. The Protection and Safety Monitoring System l provides actuating signals to the reactor trip breakers and to the Engineered Safety Features l equipment in the event of an accident. The Integrated Protection Cabinets contain the reactor trip subsystem, the trip enable subsystem, the global trip subsystem, the dynamic trip bus, the engineered safety features subsystem and communications subsystem. These cabinets, their related sensors and reactor trip switchgear, are four-way redundant. The Engineered Safety Features Actuation Cabinets (ESFACs) perform system-level logic j calculations such as initiation of Safety Injection. They receive inputs from the Integrated Protection Cabinets and the control room. T The Protection Logic Cabinets provide the capability for on-off control ofindividual plant loads for Class IE applications. They receive inputs from the ESFACs and the control room via the Main Control Room Multiplexers. The Protection and Safety Monitoring System provides four instrumentation channels and I outputs to four actuation or trip logic trains for each protective function. An exception to this are the start-up feedwater functions which have two instrumentation channels, and employ 1/2 logic. Reactor trip functions and Engineered Safety Features _ Actuation functions, with the exception of the startup feedwater functions, have four independent channels (sensors). Where four channels are provided, a 2/4 logic with bypass is provided so that a channel may be taken out of service (or fail) without any loss of protective function. Redundant channels and trains are electrically isolated and physically separated. 
Electrical power for the Protection and Safety Monitoring System instrumentation is obtained from four separate uninterruptable instrument buses. The use and availability of the four buses is related to the Protection and Safety Monitoring System instrumentation in the following ways: Each of the four instrument buses is assigned to one of the safety divisions. i The design of the I&C will prevent the loss of a single bus from putting the ] plant in an unprotected condition. l Upon loss of power, the solid state switches in the Instrumentation and Control Cabinets transfer to a nonconducting or open circuit state. In other words, all Instrumentation and Control Cabinet outputs will deenergize. J 2

- Instrument channels are arranged so that loss of any one bus will not force a reactor trip (e.g., the 2/4 reactor trip logic will revert immediately to a 1/3 trip logic). Coincident loss of any two buses will trip the reactor immediately.

Table 1 lists the boards of the protection system which are considered in this FMEA, and the location of each board. The protection system is described in detail in Reference 1.

4. Analysis Boundaries and Failure Modes

This FMEA examines the components required to perform the functions listed above. The lowest level of line replaceable units, circuit boards, is analyzed. Not included are the final actuated devices. The FMEA is documented in Table 2. The circuit boards which are discussed below are analyzed. Common mode failures are not addressed here, but are evaluated in Reference 4.

Due to the failure detection provided by self-testing and redundancy, most single circuit board failures are detectable. A small portion of failures for selected boards could be undetectable, but only if they were to occur in the brief time between self tests. This failure mode was examined and concluded to be an inconsequential failure contributor due to the small portion of failures of this type with respect to the total possible board failures, and due to the limited time window between self tests. Because of the small chance of undetectable failures, this analysis examines only the detectable failures, such as those which overtly cause loss of function.

4.1 Microprocessor chassis:

4.1.1 Functional processor (M12)

The functional processor performs the major computations required to achieve the specific function of the microprocessor chassis subsystem in which it has been installed. Tasks performed by the functional processor include: movement of data between subsystem memories or I/O registers for input or output, on-line compensation of analog inputs, conversion of input data to engineering units, computations, and diagnostic testing. Parity-checking of RAM is used to detect corruption of data. An onboard numeric data co-processor is used in subsystems that perform floating point arithmetic. The functional processor also has a serial port to accommodate a maintenance terminal that is used for off-line diagnostics. A functional processor is included in all subsystems as the subsystem host processor, except where a logic processor is provided.
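The 2/4 logic with bypass and the bus-loss behaviour from the system description above can be checked exhaustively with a small model. This is an added example, not part of the Westinghouse report: the state names, the rule that a bypassed channel drops out of the vote (leaving 2/3), and the treatment of a de-energized channel as a partial trip are modelling assumptions.

```python
from enum import Enum
from itertools import combinations, product


class State(Enum):
    NORMAL = "normal"      # channel healthy, no partial trip asserted
    TRIPPED = "tripped"    # partial trip asserted (also the de-energized state)
    BYPASSED = "bypassed"  # channel taken out of service, removed from the vote


N_CHANNELS = 4       # four redundant instrumentation channels
VOTES_REQUIRED = 2   # 2/4 coincidence


def reactor_trip(channels):
    """Return True when the coincidence vote calls for a reactor trip.

    Assumption: at most one channel is bypassed at a time, and a bypassed
    channel simply drops out of the vote (2/4 becomes 2/3).
    """
    if len(channels) != N_CHANNELS:
        raise ValueError("expected one state per channel")
    if sum(s is State.BYPASSED for s in channels) > 1:
        raise ValueError("model allows a single bypassed channel")
    return sum(s is State.TRIPPED for s in channels) >= VOTES_REQUIRED


def lose_buses(channels, lost):
    """Loss of an instrument bus de-energizes that division's outputs,
    which the model counts as a partial trip from that channel."""
    return [State.TRIPPED if i in lost else s for i, s in enumerate(channels)]


def trips_still_needed(channels):
    """Number of further channel trips required before the reactor trips."""
    tripped = sum(s is State.TRIPPED for s in channels)
    return max(0, VOTES_REQUIRED - tripped)


def failure_effects(n_failures, bypassed=None):
    """Sweep every set of n failed channels and every failure mode.

    A failed channel is stuck TRIPPED (inadvertent partial trip) or stuck
    NORMAL (partial trip failure). Healthy channels follow the plant demand.
    Returns the cases where the vote disagrees with the demand as tuples
    (failed_channels, modes, demand, vote_output).
    """
    votable = [i for i in range(N_CHANNELS) if i != bypassed]
    wrong = []
    for failed in combinations(votable, n_failures):
        for modes in product((State.TRIPPED, State.NORMAL), repeat=n_failures):
            for demand in (False, True):
                healthy = State.TRIPPED if demand else State.NORMAL
                channels = [healthy] * N_CHANNELS
                if bypassed is not None:
                    channels[bypassed] = State.BYPASSED
                for idx, mode in zip(failed, modes):
                    channels[idx] = mode
                output = reactor_trip(channels)
                if output != demand:
                    wrong.append((failed, modes, demand, output))
    return wrong


def summarize(wrong):
    """Split the disagreeing cases into spurious trips and missed trips."""
    spurious = sum(1 for *_, demand, out in wrong if out and not demand)
    missed = sum(1 for *_, demand, out in wrong if demand and not out)
    return {"spurious_trip": spurious, "missed_trip": missed}


if __name__ == "__main__":
    idle = [State.NORMAL] * N_CHANNELS
    one_bus = lose_buses(idle, {0})
    print("one bus lost  -> trip:", reactor_trip(one_bus),
          "| further trips needed:", trips_still_needed(one_bus))
    print("two buses lost -> trip:", reactor_trip(lose_buses(idle, {0, 1})))
    print("single failure, no bypass :", summarize(failure_effects(1)))
    print("single failure, one bypass:", summarize(failure_effects(1, bypassed=3)))
    print("double failure, no bypass :", summarize(failure_effects(2)))
    print("double failure, one bypass:", summarize(failure_effects(2, bypassed=3)))
```

In this model no single failure changes the vote, with or without a bypassed channel; double failures with all four channels in service can only produce a spurious trip, while double failures on top of a bypass can also mask a demanded trip.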

[ ](a,c)

Colored LEDs (Light Emitting Diodes) are available on the functional processor to provide indication of the processor's operational status.

The M12 board is present in many different applications:

- Integrated protection cabinets (IPCs)
- Engineered safety features subsystem
- Reactor trip subsystems
- Global trip subsystem
- Trip enable subsystem
- Nuclear instrumentation signal processing and control (NISPAC) subsystem
- Engineered safety features actuation cabinets (ESFAC) subsystems
- Protection logic cabinets

Figures 2 - 8 show the subsystems present in the protection system.

Failure modes for the M12 include the following:

- Failure to compute
- Failure to read
- Failure to write
- Failure to store
- Failure to address
- Failure of interrupts

These can be summarized as:

- Functional failures: Failures which corrupt normal sequential processing of main code.
- Data failures: Failures which do not inhibit the main processing, but alter the input and output data which is needed and produced by the main code.
- CMOS and PAL logic failures: Those failures involving Complementary Metal-Oxide Semiconductors (CMOS) and other MOS family devices, as well as Programmable Array Logic (PAL) devices, which can potentially fail logically, giving unexpected input/output characteristics, rather than at a classical stuck-at high or low failure state.

Possible effects of these failures for IPC usage are inadvertent partial trip, inadvertent partial actuation, partial trip failure, or partial actuation failure. These will have no effect on plant operations due to the 2/4 logic and the presence of the three remaining redundant channels.

For ESFAC applications, a single detectable failure would have no effect due to fault tolerance in the logic cabinet design, accomplished by means of failure detection and corrective actions such as bypass of the channel. Redundant design allows the three remaining channels to continue operation. A small portion of ESFAC failures could be undetectable during the brief time window between self-test cycles. During this time, a failure of the false good health status type or erroneous signal generation could result.

4.1.2 Logic processor (M03)

The logic processor is provided in Protection Logic Cabinets to perform logic calculations on the input signals acquired by the Logic Bus data highway controller or a local I/O board and to generate logic outputs to be sent to the power interface I/O boards. There are four logic processors in each Protection Logic Cabinet. Two logic processors reside in each of two functional logic subsystems. Logic processors serve as the subsystem host processors in each functional logic subsystems.

The logic processor performs the computations required to achieve the specific function of the microprocessor chassis subsystem in which it has been installed. Tasks performed by the logic processor include: movement of data between subsystem memories or I/O registers for input or output, computations, and diagnostic testing. Parity-checked RAM is used to detect corruption of data.

[ ](a,c)

The M03 is similar to the functional processor, but is used where no floating point or math coprocessor is required, such as in the logic cabinets.

A single M03 failure would have no effect on plant operation, due to fault tolerance in the logic cabinet design. This is accomplished by means of failure detection and corrective actions such as bypass of the failed channel. Redundant design allows the three remaining channels to continue operation.

4.1.3 Data highway controller (M51)

The data highway controller is a microprocessor based board that provides the interface between a subsystem host processor and a data highway transceiver (I/O) board. The data highway controller receives outgoing data from the processor board in on-board shared memory via the IEEE STD 796 bus, performs the necessary formatting and conversions on this data, and transfers this data to a local (on-board) communications controller which transmits the data to the transceiver board. Incoming data is received from the transceiver board by the local communications controller, interpreted and converted, and placed in the on-board shared memory, where it is accessed by the subsystem host processor board via the IEEE STD 796 bus.

[ ](a,c)

Failure modes for the data highway controller include data transmission errors, and bus errors. Single failures have no effect due to fault tolerance in logic cabinet design. This is accomplished by means of failure detection and corrective actions such as bypass of the failed channel. Redundant design allows the three remaining channels to continue operation.

4.1.4 Parallel input/output (I/O) board (M19)

The handling of individual logic signals, such as contact inputs and light outputs, in a microprocessor chassis subsystem is accomplished by means of a parallel input/output board. Output data is transferred from the subsystem host processor to I/O registers on this board, then from these registers to output ports. Inputs are sampled at input ports and stored in I/O registers on the board to be accessed by the subsystem host processor.

[ ](a,c)

[ ](a,c)

Failure of this board can result in a bus failure, and can result in a partial trip or partial actuation, depending on the microprocessor subsystem in which the board is used. For instance, failure of a board used in a subsystem whose function is to generate a reactor trip can cause a partial trip, but not a partial ESF actuation. Conversely, failure of a board used in an ESF actuation subsystem but not a reactor trip subsystem will generate partial ESF actuation. Table 1 shows board application details.

4.1.5 Isolated parallel I/O board (M56)

In the few instances where subsystem to subsystem I/O is required, optical coupled I/O is utilized on the isolated parallel I/O board. Other than this board having fewer I/O lines and the input lines being provided with optical isolation, this board functions identically to the parallel I/O board (M19). Output data is transferred from the subsystem host processor to I/O registers on this board, then from these registers to output ports. Optically isolated inputs are sampled at input ports and stored in I/O registers on the board to be accessed by the subsystem host processor.

[ ](a,c)

Failure of this board can cause a bus failure, and can result in a partial trip or partial actuation, depending on the microprocessor subsystem in which the board is used. For instance, failure of a board used in a subsystem whose function is to generate a reactor trip can cause a partial trip, but not a partial ESF actuation. Conversely, failure of a board used in an ESF actuation subsystem but not a reactor trip subsystem will generate partial ESF actuation. Table 1 shows board application details.

4.1.6 Analog input processor (M40)

The Analog Input Processor is a microprocessor based I/O board that converts analog input signals to digital data and performs digital signal conditioning (i.e. averaging, filtering algorithms, etc.) on this digital data. The filtered digital data is then placed in shared memory for access by the subsystem host processor via the IEEE Std. 796 bus. Each analog input processor supports up to eight differential analog input channels. The analog input processor performs analog to digital conversion, signal status checks, input calibration readings and onboard diagnostics. Filtered input data is provided to the subsystem host processor for calibration calculations.

[ ](a,c)

[ ](a,c)

Failure of this board can cause a partial trip or partial actuation, depending on the microprocessor subsystem in which the board is used. For instance, failure of a board used in a subsystem whose function is to generate a reactor trip can cause a partial trip, but not a partial ESF actuation. Conversely, failure of a board used in an ESF actuation subsystem but not a reactor trip subsystem will generate partial ESF actuation. Table 1 shows board application details.

4.1.7 Universal memory expansion board (M28)

A general purpose memory board is used in instances where the subsystem host processor does not possess sufficient memory to perform its required functions. Access to the memory is via the IEEE STD-796 bus and is functionally identical to the subsystem host processor onboard memory.

[ ](a,c)

Possible effects of M28 failures for IPC usage are inadvertent partial trip, inadvertent partial actuation, partial trip failure, or partial actuation failure. These have no effect on plant operations due to the 2/4 logic and the presence of the three remaining redundant channels.

For ESFAC applications, a single detectable failure would have no effect due to fault tolerance in the logic cabinet design, accomplished by means of failure detection and corrective actions such as bypass of the failed channel. Redundant design allows the three remaining channels to continue operation. A small portion of ESFAC failures could be undetectable during the brief time window between self-test cycles. During this time, a failure of the false good health status type or erroneous signal generation could result.

4.1.8 Serial Communications Controller (M48)

This board provides multiple serial data link communication functions for subsystem host processors. It is used to provide communications within cabinet sets between the various subsystems and also with the portable test/maintenance station.

[ ](a,c)

For IPC applications, the effect of M48 board failures can be a partial trip or partial actuation, depending on board usage. For ESFAC applications, single failures have no effect due to fault tolerance in logic cabinet design, accomplished by means of failure detection and corrective actions such as bypass of the failed channel. Redundant design allows the three remaining channels to continue operation.

4.2 Termination frame assembly

4.2.1 Analog input board (EAI)

The analog input board provides an interface between field sensors and an associated analog input processor (M40 analog to digital conversion board). Each analog input board provides [ ](a,c) analog input buffer/translator channels and [ ](a,c) isolated loop power supplies. [ ](a,c) sensor inputs.

[ ](a,c)

The analog input board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The analog input board provides IEEE STD-472-1974 Surge Withstand Capability and overvoltage protection for all field conductors. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Failure of this board can cause a partial trip or partial actuation, depending on the subsystem in which the board is used. For instance, failure of a board used in a subsystem whose function is to generate a reactor trip can cause a partial trip, but not a partial ESF actuation. Conversely, failure of a board used in an ESF actuation subsystem but not a reactor trip subsystem will generate partial ESF actuation. Table 1 shows board application details.

4.2.2 RTD Input Board (ERI)

The RTD input board provides an interface between 4-wire RTD's (Resistance Temperature Detectors) and an associated analog input processor (M40 analog to digital conversion board). Each RTD input board provides [ ](a,c) analog input buffer/translator channels and [ ](a,c) isolated RTD power supplies. [ ](a,c)

[ ](a,c)

The RTD input board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The RTD input board provides IEEE STD-472-1974 Surge Withstand Capability and overvoltage protection for all field conductors. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Failure of this board can cause a partial trip or partial actuation, depending on the subsystem in which the board is used. For instance, failure of a board used in a subsystem whose function is to generate a reactor trip can cause a partial trip, but not a partial ESF actuation. Conversely, failure of a board used in an ESF actuation subsystem but not a reactor trip subsystem will generate partial ESF actuation. Table 1 shows board application details.

4.2.3 Digital (Contact) Input Board (ECI)

The digital input board provides an interface between field contacts and an associated parallel I/O board (M19 digital input/output board). Each digital input board provides [ ](a,c) digital input channels, capable of handling a combination of up to [ ](a,c) Each digital input channel provides an independent contact wetting power supply at 48 VDC, contact debounce and filtering, signal conversion, signal injection for autotest, and electrical isolation functions for the field inputs.

[ ](a,c)

The digital input board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The digital input board provides IEEE STD-472-1974 Surge Withstand Capability and overvoltage protection for all field conductors. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Failure of this board can cause a partial trip or partial actuation, depending on the subsystem in which the board is used. For instance, failure of a board used in a subsystem whose function is to generate a reactor trip can cause a partial trip, but not a partial ESF actuation. Conversely, failure of a board used in an ESF actuation subsystem but not a reactor trip subsystem will generate partial ESF actuation. Table 1 shows board application details.

4.2.4 Digital (Contact) Output Board (ECO)

The digital output board provides the necessary signal translation for a parallel I/O board (M19 digital input/output board) in a microprocessor chassis subsystem to drive loads external to the instrumentation cabinet. Each digital output board provides [ ](a,c) relay contact output. The digital output board also contains a deadman timer to disable output transition upon failure of the associated parallel I/O board.

The digital output board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The digital output board provides IEEE STD-472-1974 Surge Withstand Capability and overvoltage protection for all field conductors. The digital output board provides Class 1E isolation for its [ ](a,c) output channels. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Failure of this board can cause a partial trip.

4.2.5 Reactor Coolant Pump Speed Sensor Input Board (ESI)

The reactor coolant pump speed sensor input board provides the interface for the magnetic speed sensor mounted on a reactor coolant pump.

[ ](a,c)

[ ](a,c)

The reactor coolant pump speed sensor input board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The reactor coolant pump speed sensor input board provides IEEE STD-472-1974 Surge Withstand Capability and overvoltage protection for all field conductors. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Failure of this board can cause a partial trip.

4.2.6 Power Interface (2/3 Voted) Output Board (EPO)

The power interface output board provides an interface between field loads, field contacts, and [ ](a,c) logic processors (M03) via each logic processor's I/O bus controller daughterboard. Each power interface output board provides [ ](a,c) contact outputs to drive plant loads. Each power interface output board also provides a group of [ ](a,c) digital input channels, each channel capable of handling a [ ](a,c) contact input. [ ](a,c) There are [ ](a,c) independent microprocessors on the power interface output board that drive the output contacts through a 2/3 voting circuit. The microprocessors also sense the input contact positions and each transmits the data on its respective I/O bus. [ ](a,c)

The power interface output board provides a fast shutoff option that interrupts power to the load when certain input contacts close. This is intended to directly stop movement of a motor operated valve when the torque switch actuates without a command being required from the logic processors.

The power interface output board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The digital input board provides IEEE STD-472-1974 Surge Withstand Capability for all field conductors. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Failure of this board can cause inadvertent actuation or actuation failure of end device.

4.2.7 Power Interface Relay Driver Board (EPR)

The power interface relay driver board provides an interface between field loads and [ ](a,c) logic processors (M03) via each logic processor's I/O bus controller daughterboard. Each power interface relay driver board provides [ ](a,c) contact outputs to drive plant loads. There are [ ](a,c) independent microprocessors on the power interface relay driver board that drive the output contacts through a 2/3 voting circuit.

[ ](a,c)

The power interface relay driver board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The digital input board provides IEEE STD-472-1974 Surge Withstand Capability for all field conductors. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Failure of this board can cause inadvertent actuation or actuation failure of end device.

4.2.8 Power Interface (Contact) Input Board (EPI)

The power interface input board provides an interface between field contacts and [ ](a,c) logic processors (M03) via each logic processor's I/O bus controller daughterboard. Each power interface input board provides [ ](a,c) digital input channels, each channel capable of handling a [ ](a,c) contact input. Each group of channels is provided with an independent contact wetting power supply at 48 VDC. [ ](a,c). There are [ ](a,c) independent microprocessors on the power interface input board that sense the contact positions and each transmits the data on its respective I/O bus.

The power interface input board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The digital input board provides IEEE STD-472-1974 Surge Withstand Capability for all field conductors. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Failure of this board can cause inadvertent actuation or actuation failure of end device.

4.2.9 Optical Datalink Transmitter Board (ETX)

The optical datalink transmitter board provides interface capability between serial communications controllers (M48) in a microprocessor chassis subsystem and external instrumentation cabinets or systems over optical datalink media. The optical datalink transceiver board provides [ ](a,c) optical datalink output channels for communications to external instrumentation cabinets. The optical datalink transmitter board has [ ](a,c) internal datalink channels for communications inside the instrumentation cabinet. The optical datalink transmitter board performs the required signal translation between the internal and external communications channels.

[ ](a,c)

The optical datalink transmitter board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Failure of this board or interconnecting fiber optic lines can cause a partial trip or partial actuation, depending on the subsystem in which the board is used. For instance, failure of a board used in a subsystem whose function is to generate a reactor trip can cause a partial trip, but not a partial ESF actuation. Conversely, failure of a board used in an ESF actuation subsystem but not a reactor trip subsystem will generate partial ESF actuation. Table 1 shows board application details.

4.2.10 Optical Datalink Receiver Board (ERA)

The optical datalink receiver board provides interface capability between serial communications controllers (M48) in a microprocessor chassis subsystem and external instrumentation cabinets or systems over optical datalink media. The optical datalink transceiver board provides [ ](a,c) optical datalink input channels for communications to external instrumentation cabinets. The optical datalink receiver board has [ ](a,c) internal datalink channels for communications inside the instrumentation cabinet. [ ](a,c). The optical datalink receiver board performs the required signal translation between the internal and external communications channels.

[ ](a,c)

The optical datalink receiver board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Single failures of this board, or interconnecting fiber optic lines, can cause a partial trip for IPC usage. Single failures of this board, or interconnecting fiber optic lines, for ESFAC usage will have no effect due to failure detection and 2/4 logic in the ESFAC.

4.2.11 Data Highway Transceiver Board (EHX)

The data highway transceiver board provides an interface between up to [ ](a,c) data highway controllers (M51) residing in a microprocessor chassis subsystem and an external data highway. The external data highway can be either a fiber optic data highway, an electrical data highway, or both. The data highway transceiver board performs the required signal translation between the internal and external communications channels. The data highway transceiver board acts as a repeater between the active internal and external communications channels; an incoming message on any channel is retransmitted on all the remaining configured channels.

The data highway transceiver board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Single failures of this board have no effect due to fault tolerance in the logic cabinet design. This is accomplished by means of failure detection and corrective actions such as bypass of the failed channel. Redundant design allows the three remaining channels to continue operation.

4.2.12 I/O Bus Extender Board (EBE)

[ ](a,c)

[ ](a,c)

Failure of this board can cause inadvertent actuation or actuation failure of end devices.

4.2.13 I/O Bus Selector Board (XTS)

[ ](a,c)

Single failures of this board have no effect due to fault tolerance in logic cabinet design. This is accomplished by means of failure detection and corrective actions such as bypass of the failed channel. Redundant design allows the three remaining channels to continue operation.

4.3 Dynamic trip bus

The dynamic trip bus is a specialized assembly used in the Integrated Protection Cabinets that performs the final combinational logic that implements the reactor trip function. This assembly is composed of a backplane on which are mounted two specialized circuit boards, and a special output board. [ ](a,c) The dynamic trip bus assembly contains control switches and indicators to support operator interaction functions, therefore, it is located at the level of operator interaction panels in the cabinet.

[ ](a,c)

4.3.1 Dynamic Trip Bus Clock Unit Board (DCU)

[ ](a,c)

Failure of this board can cause a partial trip.

4.3.2 Dynamic Trip Bus Logic Unit (DLU)

The dynamic trip bus logic unit (DLU) circuit board contains the building blocks, dynamic logic unit circuits, that implement the combinational logic used for the dynamic trip bus function.

[ ](a,c)

[ ](a,c)

Failure of this board can cause a partial trip.

4.3.3 Power Converter Board (EPC)

The power converter board is the last stage of the dynamic trip bus.

[ ](a,c)

The power converter board is mounted in a slot in the termination frame at the rear of an instrument cabinet. The board is keyed to prevent the insertion of an incorrect board in a termination frame.

Failure of this board can cause a partial trip.

4.4 Nuclear instrumentation input modules (NIMOD)

The Nuclear Instrumentation signal conditioning circuitry is provided in the form of power supply and amplifier modules that are located in a chassis in the Integrated Protection Cabinets, and preamplifiers located external to the cabinets, close to the detectors. Because three types of detectors are required for the entire range of nuclear flux to be monitored, there are also three configurations for the nuclear instrumentation signal conditioning. Keying is used for all modules and circuit boards to prevent insertion of the wrong module or circuit board into a slot.

4.4.1 Source Range Configuration

The lowest of the three ranges of nuclear instrumentation channels is the source range, which measures thermal neutron flux in the range of [ ](a,c) and is used during plant shutdowns, refueling, and startups.

[ ](a,c)

Failure modes for one channel of the source range instrumentation could cause incorrect signals to be generated, and a partial trip could be initiated.

4.4.2 Intermediate Range Configuration

The next of the three ranges of nuclear instrumentation channels is the intermediate range, which measures thermal neutron flux in the range of [ ](a,c) and is used during plant shutdowns, and startups to overlap the source and power ranges.

[ ](a,c)

Failure modes for one channel of the intermediate range instrumentation could cause incorrect signals to be generated, and a partial trip could be initiated.

4.4.3 Power Range Configuration

The highest of the three ranges of nuclear instrumentation channels is the power range, which measures thermal neutron flux in the range of [ ](a,c) and is used during plant power operation.

[ ](a,c)

Failure modes for one channel of the power range instrumentation could cause incorrect signals to be generated, and a partial trip could be initiated.

4.4.4 High Voltage Power Supply (DhT)

The high voltage power supply is one of three modules that comprise a Nuclear Instrumentation Module (NIMOD). The high voltage power supply provides the necessary voltage and current to operate the nuclear detectors in a channel.

The high voltage power supply is provided with three different output voltage configurations in order to power the three types of nuclear detectors used for the source range, intermediate range, and power range channels. The high voltage power supply's AC power connector is electrically keyed to prevent installation of an incorrect high voltage power supply in a NIMOD. Short circuit protection and current limiting is provided for all types.

Failure modes for the high voltage power supply could cause signal failure or a wrong output to be generated, resulting in a partial trip.

4.4.5 Low Voltage Power Supply (DNL)

The low voltage power supply (DNL) is one of three modules used to comprise a Nuclear Instrumentation Module (NIMOD). The low voltage power supply provides the necessary voltage to operate the electronic assemblies in a NIMOD.

[ ](a,c)

Failure modes for the low voltage power supply could cause signal failure or a wrong output to be generated, resulting in a partial trip.

4.4.6 Nuclear Instrumentation Amplifier Modules (DNI)

Each amplifier module consists of an input board and an interface board mounted in a DNI module, together these form an amplifier module appropriate to the type of detector used for the channel. The input boards in the DNI modules provide the necessary low level signal conditioning circuits required by the [ ](a,c) detectors in the Nuclear Instrumentation Channels. The interface boards provide the necessary interfaces between the input cards and the standard microprocessor system cards (NISPAC) used for signal conversion and processing.

Failure modes for the nuclear instrumentation amplifier module could cause signal failure or a wrong output to be generated, resulting in a partial trip.

4.4.6.1 Source Range Input Board

The source range input board amplifies, conditions, and isolates the signal from the source range detector as part of its function of inputting this signal into the Integrated Protection Cabinets. The source range input board provides input attenuation and amplification, pulse discrimination, buffering, and shaping, test circuitry interfaces, and output isolation to the audio count rate amplifier.

[ ](a,c)

Westinghouse Pmprietary Class 3 J(a.el Failure of the source range input board could cause a panial trip. 4.4.6.2 Source Range Interface Board The source range interface board contains the interface and isolation circuits required by the source range NIMOD to communicate with the NISPAC computer. The source range interface board provides muldplexing and buffering of analog signals and optical isolation of digital signals for the NISPAC computers, and buffering and conditioning of analog test signals and optical isolation of digital control lines for the automatic tester interface. [ i J(a.e) i Failure of the source range interface board could cause a partial trip. 4.4.6.3 Intermediate Range Input Board f The intermediate range input board amplifies, conditions, and isolates the signal from the intermediate range detector as pan of its function ofinputting this signal into the Integrated Protection Cabinets. The intermediate range input board provides variable gain input i amplification and test circuitry interfaces. i J 25 l = W m

I Westinghouse Pmprietary Class 3 }(u) Failure of the intermediate range input board could cause a partial trip. 4.4.6.4 Intermediate Range Interface Board l The intermediate range interface board contains the interface and isolation circuits required by the intermediate range NIMOD to communicate with the NISPAC computen. The inter-mediate range interface board provides multiplexing and buffering of analog signals and i optical isolation of digital signals for the NISPAC computers, and buffering and conditioning of analog test signals and optical isolation of digital control lines for the automatic tester l interface. [ 1 j(u> Failure of the intermediate range interface board could cause a partial trip. i 4.4.6.5 Power Range Input Board i The power range input board amplifies, conditions, and isolates the signals from the power range detectors as part ofits function ofinputting these signals into the Integrated Protection Cabinets. The power range input boards. provide [ ]" channels each of current to voltage ~ amplifiers for four separate input channels. [ ? L

) Westinghouse Proprietary Class 3 i t ]'"' Failure of the power range input board could cause a partial trip. 4.4.6.6 Power Range Interface Board 1 The powa range interface board contains the interface and isolation circuits required by the [ power range NIMOD to communicate with the NISPAC computer. The power range interface board provides multiplexing and buffering of analog signals and optical isolation of digital signals for the NISPAC computers, and buffering and conditioning of analog test signals and optical isolation of digital control lines for the automatic tester interface.- I f ]("'. i Failure of the power range interface board could cause a partial trip. { 4.4.7 Source Range Preamplifier (AAS) The source range preamplifier (AAS) amplifies the [ ]'"' pulses produced by the source range detector and transmits these to the source range amplifier in the Integrated Protection Cabinets. This enables the signal conditioning electronics for the source range detector to be located in the Integrated Protection Cabinets. [ (M) 27 1 + e

Westinghouse Proprietary Class 3 I y..o Failure of the source range preamplifier could cause a partial trip. 4.5 Other cabinet modules 4.5.1 DC power supply chassis (ACP) The DC power supply chassis is a standard dual power supply module that is used to provide combinations of voltages to drive IEEE STD 796 boards, I/O boards, or both. Each DC power supply chassis contains [ ]() switching power supply units, and [ T switches and potentiometers, mounted on the front panel, for separate on/off control and output voltage adjustment. Up to three DC power supply chassis can be mour.ced in an instmment cabinet. [ y..a Power and signal connections are made by means of modular connectors at the rear of the DC power supply chassis. These connectors are assembled and keyed in such a fashion that only an identical unit, with the same input and output conGguration, can be connected in place of a removed unit. Each of the two power supplies mounted in the DC power supply chassis is provided with an on/off switch on the front panel. Each of the voltage outputs of a power supply is provided with an adjustment potentiometer on the front panel. In addition, the 15 VDC power supply units have an indicator light and test jacks on the front panel. (The voltages supplied by the triple voltage power supplies used for IEEE STD 796 circuit cards, have test jacks mounted on the associated M Card chassis.) Loss of the DC power supply chassis can cause dependent board failure. Effects of this are a partial trip / actuation for IPC applications. For ESFAC and logic cabinet applications, single failures have no effect due to redundancy in the logic cabinet design. Detected faults are bypassed, and the remaining channels continue operation. 28

4.5.2 Cabinet cooling assembly (AUB)

The Cabinet Cooling Assembly is a modular assembly, mounted at the top front of an instrument cabinet to provide movement of cooling air throughout the cabinet. Each cabinet cooling assembly contains [ ](a,c) centrifugal blowers or [ ](a,c) cooling fans, each operating from a separate AC power source.

Power connections are made by means of modular connectors at the rear of the Cabinet Cooling Assembly. These connectors are assembled and keyed in such a fashion that only an identical unit, with the same input can be connected in place of a removed unit.

Failure of the cooling assembly can cause elevated temperatures in the respective cabinet. Note that the cabinets can still operate without active cooling (not for prolonged periods of time), but that the lifespan of the electronics is improved with cooling.

4.5.3 Power Distribution Assembly (APP)

The Power Distribution Assembly filters, distributes, and sequences incoming AC power for an individual instrument cabinet. The assembly consists of a chassis, into which [ ](a,c) power distribution modules are fitted. Each module contains all the electrical components required for filtering, power-on sequencing, and branch circuit overcurrent protection for [ ](a,c) separate branch circuits.

[ ](a,c)

Failure of the power distribution assembly can cause dependent board failure. Effects of this are a partial trip / actuation for IPC applications. For ESFAC and logic cabinet applications, single failures have no effect due to redundancy in the logic cabinet design.

4.6 Nuisance Failures and Cascading Failures

The IPC has a single power feed. A partial trip could occur if power were lost to one division. Trip logic would be as follows:

- 2/3 logic in ESF
- 1/3 in reactor trip subsystem

2/4 reactor trip breakers would remain; the other sets would be in bypass. A concurrent failure could initiate a plant trip.

End devices could possibly be actuated by certain failures (nuisance failures).

The possibility of cascading failures arising from a single failure in the protection system was considered. Due to the isolation and the fail-safe design of the protection system, no possible cascading failures were identified. No failures were identified which could disable multiple channels.
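The reduced coincidence figures quoted in 4.6 can be reproduced with a small model of 2-out-of-4 voting; this is an added example, not code from the report. It assumes, which the report does not state, that the division that lost power is bypassed in ESF and left as a fail-safe partial trip in the reactor trip subsystem; the names `Ch`, `effective_logic`, `spurious_trip_actuates` and `stuck_channels_tolerated` are hypothetical.

```python
from enum import Enum
from itertools import combinations


class Ch(Enum):
    NORMAL = "normal"      # healthy channel, not demanding a trip
    TRIPPED = "tripped"    # demanding a trip (real demand or fail-safe partial trip)
    BYPASSED = "bypassed"  # detected fault, channel removed from the vote


REQUIRED = 2  # 2-out-of-4 coincidence, the figure the report gives

# Constructed channel states for loss of power to one division (channel 0).
HEALTHY = (Ch.NORMAL,) * 4
ESF_BYPASSED = (Ch.BYPASSED, Ch.NORMAL, Ch.NORMAL, Ch.NORMAL)    # assumption
RT_PARTIAL_TRIP = (Ch.TRIPPED, Ch.NORMAL, Ch.NORMAL, Ch.NORMAL)  # assumption


def actuates(channels, required=REQUIRED):
    """Coincidence vote: actuate when enough channels demand a trip."""
    return sum(c is Ch.TRIPPED for c in channels) >= required


def effective_logic(channels, required=REQUIRED):
    """Return (m, n): m more votes are needed from the n healthy channels."""
    healthy = sum(c is Ch.NORMAL for c in channels)
    tripped = sum(c is Ch.TRIPPED for c in channels)
    return max(required - tripped, 0), healthy


def spurious_trip_actuates(channels):
    """True if one concurrent spurious trip in a healthy channel actuates."""
    for i, c in enumerate(channels):
        if c is Ch.NORMAL:
            trial = list(channels)
            trial[i] = Ch.TRIPPED
            if actuates(trial):
                return True
    return False


def stuck_channels_tolerated(channels):
    """Largest k such that a real demand still actuates with ANY k healthy
    channels failing to trip; -1 if even k = 0 does not actuate."""
    healthy = [i for i, c in enumerate(channels) if c is Ch.NORMAL]
    for k in range(len(healthy) + 1):
        for stuck in combinations(healthy, k):
            trial = [Ch.TRIPPED if c is Ch.NORMAL and i not in stuck else c
                     for i, c in enumerate(channels)]
            if not actuates(trial):
                return k - 1
    return len(healthy)


if __name__ == "__main__":
    cases = [("all divisions healthy", HEALTHY),
             ("ESF, failed division bypassed", ESF_BYPASSED),
             ("reactor trip, failed division tripped", RT_PARTIAL_TRIP)]
    for name, state in cases:
        m, n = effective_logic(state)
        print(f"{name}: {m}/{n} logic, "
              f"single spurious trip actuates: {spurious_trip_actuates(state)}, "
              f"stuck channels tolerated on demand: {stuck_channels_tolerated(state)}")
```

The output shows the trade the section describes: the bypassed case keeps immunity to one spurious trip but tolerates fewer failures to trip, while the partial-trip case keeps its margin on demand at the cost that one concurrent failure completes the coincidence.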

5. Identification of failure categories

Possible failure modes include:

- Failed high
- Failed low
- Failed open
- Failed closed
- Random Access Memory (RAM) error
- Read Only Memory (ROM) error
- Programmable Array Logic (PAL) error
- Multiplexer error
- Bus interface error
- Central Processing Unit (CPU) error
- Timer error
- Power supply or interface fault
- Input / output error

All these may be summarized by "board fault". Consequences arising from each failure mode are discussed if they are unique.


6. Description of environmental conditions

All the I&C systems are located in ground benign conditions (per Mil Hdbk 217). Fires, floods, seismic events, etc. are analyzed separately in the PRA, and were found to be negligible contributors to risk, due to the design of the passive systems which respond in the event of an accident, and the spatial separation of these systems in the design. However, the passive plant design employs features to minimize risk, such as separation of protection channels, so that the effects from a single event are minimized. Effects from a site-wide event are analyzed in the seismic margins assessment, found in the AP600 Standard Safety Analysis Report.

7. Conclusions

A failure modes and effects analysis was performed on the protection system, and is shown in Table 2. The multiple protection channels, diversity, and fail-safe design of the protection system preclude single-point failures. Through the process of examining all feasible failure modes, it is concluded that the advanced passive plant protection system maintains all safety functions during single point failures.

Table 1: Boards Used in Protection System

Columns: CARD DESCRIPTION; STYLE; IPC-RT; IPC-ESF; ESFAC; LOGIC CAB

[ ](a,c)

Notes

1. For Manual System level Actuation

Table 2: FMEA of Advanced Passive Plant Protection System

4/93 Rev. 0

Columns: NAME; FAILURE MODE; METHOD OF DETECTION; EFFECT ON PROTECTION SYSTEM

1. Functional Processor (M12)

1a.
Failure mode: Functional failures - failures which corrupt normal sequential processing of main loop code
Method of detection: [ ](a,c)
Effect on protection system: Failed channel bypassed, inadvertent partial trip or partial actuation, partial trip failure or partial actuation failure for IPC applications. These will have no effect on plant operation due to the 2/4 logic and the presence of three remaining channels. For ESFAC applications, failures would have no effect due to fault tolerance in logic cabinet design, accomplished by means of failure detection and corrective actions. Redundant design allows the three remaining channels to continue operation.

1b.
Failure mode: Data failures - failures which do not inhibit the main loop processing, but alter the input and output data which is needed and produced by the main loop code
Method of detection: [ ](a,c)
Effect on protection system: Failed channel bypassed, inadvertent partial trip or partial actuation, partial trip failure or partial actuation failure for IPC applications. These failures will have no effect on plant operation due to the 2/4 logic and the presence of three remaining channels. For ESFAC applications, detectable failure would have no effect due to fault tolerance in logic cabinet design, accomplished by means of failure detection and corrective actions. Redundant design allows the three remaining channels to continue operation.

1c.
Failure mode: CMOS and PAL logic failures
Method of detection: [ ](a,c)
Effect on protection system: Failed channel bypassed, inadvertent partial trip or partial actuation, partial trip failure or partial actuation failure for IPC applications. These failures will have no effect on plant operation due to the 2/4 logic and the presence of three remaining channels. For ESFAC applications, detectable failure would have no effect due to fault tolerance in logic cabinet design, accomplished by means of failure detection and corrective actions. Redundant design allows the three remaining channels to continue operation.

2. Logic Processor (M03)
Failure mode: Same as for functional processor.
Method of detection: [ ](a,c)
Effect on protection system: Single M03 failures would have no effect on plant operation, due to fault tolerance in logic cabinet design, accomplished by means of failure detection and corrective actions. Redundant design allows the three remaining channels to continue operation.

3. Data Highway Controller (M51)
Failure mode: Failure of message transfer, message altered in shared memory, failure of message transfer from shared memory to output port, message corrupted, or message altered in shared memory.
Method of detection: [ ](a,c)
Effect on protection system: Single failures have no effect due to fault tolerance in logic cabinet design, accomplished by means of failure detection and corrective actions. Redundant design allows the three remaining channels to continue operation.

4. Parallel I/O board (M19)
Failure mode: Bus failure, board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can result in bus failure, and can result in a partial trip or partial actuation, depending on the microprocessor subsystem in which the board is used.

5. Isolated Parallel I/O board (M56)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a bus failure, and can result in a partial trip or partial actuation, depending on the microprocessor subsystem in which the board is used.

6. Analog Input Processor (M40)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a partial trip or partial actuation, depending on the microprocessor subsystem in which the board is used.

7. Universal Memory Expansion board (M28)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failed channel bypassed, inadvertent partial trip or partial actuation, partial trip failure or partial actuation failure for IPC applications. These will have no effect on plant operation due to the 2/4 logic and the presence of three remaining channels. For ESFAC applications, detectable failure would have no effect due to logic cabinet design, accomplished by means of failure detection and corrective actions. Redundant design allows the three remaining channels to continue operation.

8. Serial Communications Controller (M48)
Failure mode: Board failure - data failure
Method of detection: [ ](a,c)
Effect on protection system: Possible effects of M48 failures for IPC usage are inadvertent trip or inadvertent partial actuation, partial trip failure, or partial actuation failure. For ESFAC applications, single failures have no effect due to fault tolerance in logic cabinet design, accomplished by means of failure detection and corrective actions. Redundant design allows the three remaining channels to continue operation.

9. Analog input board (EAI)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a partial trip or partial actuation, depending on the subsystem in which the board is used. See Table 1 for board application details.

10. RTD Input Board (ERI)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a partial trip or partial actuation, depending on the subsystem in which the board is used. See Table 1 for board application details.

11. Digital (contact) Input board (ECI)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a partial trip or partial actuation, depending on the subsystem in which the board is used. See Table 1 for board application details.

12. Digital (contact) output board (ECO)
Failure mode: Board failure, transmission failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a partial trip.

13. Reactor Coolant Pump (RCP) Speed Sensor Input Board (ESI)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a partial trip.

14. Power Interface (2/3 voted) Output board (EPO)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause inadvertent actuation or actuation failure of end device.

15. Power Interface Relay Driver board (EPR)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause inadvertent actuation or actuation failure of end device.

16. Power Interface (Contact) Input Board (EPI)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause inadvertent actuation or actuation failure of end device.

17. Optical Datalink Transmitter board (ETX)
Failure mode: Board failure, transmission failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a partial trip or partial actuation, depending on the subsystem in which the board is used. See Table 1 for board application details.

18. Optical Datalink Receiver board (ERX)
Failure mode: Board failure, receiver failure
Method of detection: [ ](a,c)
Effect on protection system: Single failures of this board can cause a partial trip for IPC usage. For ESFAC usage, single failures of this board have no effect due to 2/4 logic in the ESFAC.

19. Data Highway Transceiver board (EHX)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Single failures of this board have no effect due to fault tolerance in logic cabinet design, accomplished by means of failure detection and corrective actions. Redundant design allows the three remaining channels to continue operation.

20. I/O Bus Extender Board (EBE)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause inadvertent actuation or actuation failure of end devices.

21. I/O Bus Selector board (XTS)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Single failures of this board have no effect due to fault tolerance in logic cabinet design, accomplished by means of failure detection and corrective actions. Redundant design allows the three remaining channels to continue operation.

22. Dynamic Trip Bus Clock Unit (DCU)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a partial trip.

23. Dynamic Trip Bus Logic Unit (DLU)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a partial trip.

24. Power Converter Board (EPC)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Failure of this board can cause a partial trip.

25. Source Range Instrumentation
Failure mode: Instrumentation or board failure
Method of detection: [ ](a,c)
Effect on protection system: A partial trip could be initiated.

26. Intermediate Range Instrumentation
Failure mode: Instrumentation or board failure
Method of detection: [ ](a,c)
Effect on protection system: A partial trip could be initiated.

27. Power Range Instrumentation
Failure mode: Instrumentation or board failure
Method of detection: [ ](a,c)
Effect on protection system: A partial trip could be initiated.

28. High Voltage Power Supply (DNH)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Signal failure or a wrong output could be generated, resulting in a partial trip.

29. Low Voltage Power Supply (DNL)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: Signal failure or a wrong output could be generated, resulting in a partial trip.

30. Nuclear Instrumentation Amplifier Modules (DNI)
Failure mode: Board failure
Method of detection: [ ](a,c)
Effect on protection system: A signal failure or wrong output could be generated, resulting in a partial trip.

31. Source Range Preamplifier (AAS)
Failure mode: Pre-amp failure (board failure)
Method of detection: [ ](a,c)
Effect on protection system: Failure of the source range preamplifier could cause a partial trip.

32. DC Power Supply Chassis (ACP)
Failure mode: Power supply failure
Method of detection: [ ](a,c)
Effect on protection system: Failure can cause dependent board failure. An inadvertent partial trip or inadvertent partial actuation failure can result for IPC applications. For ESFAC and logic cabinet applications, single failures have no effect due to redundancy in the logic cabinet design. Failures are detected, and corrective actions taken. Redundant design allows the three remaining channels to continue operation.

33. Cabinet Cooling Assembly (AUB)
Failure mode: Power supply failure, filter plugs.
Method of detection: [ ](a,c)
Effect on protection system: Dependent cabinet could operate for a period of time with elevated temperature (not prolonged).

34. Power Distribution Assembly (APP)
Failure mode: Power supply failure
Method of detection: [ ](a,c)
Effect on protection system: Failure can cause dependent board failure. Possible effects of these failures for IPC usage are inadvertent partial trip or inadvertent partial actuation. For ESFAC and logic cabinet applications, single failures have no effect due to fault tolerance in logic cabinet design, accomplished by means of failure detection and corrective actions. Redundant design allows the three remaining channels to continue operation.

35. Sensors
Failure mode: Fail high, fail low, fail as-is, drift high or drift low.
Method of detection: [ ](a,c)
Effect on protection system: A single sensor can be used for multiple functions, such as reactor trip, ESF, DAS, QDPS, or validation. Failed channel would be alarmed and bypassed.

FIGURE 1: PROTECTION AND SAFETY MONITORING SYSTEM (PMS) ARCHITECTURE

THIS FIGURE IS FOR ILLUSTRATIVE PURPOSES ONLY

[ ](a,c)
Figure 2: Protection and Safety Monitoring System

[ ](a,c)
Figure 3: Engineered Safety Features (ESF) Subsystem

[ ](a,c)
Figure 4: Reactor Trip Subsystem.

[ ](a,c)
Figure 5: Global Trip Subsystem.


[ ](a,c)
Figure 7: Nuclear Instrumentation Signals Processing and Control (NISPAC)

[ ](a,c)
Figure 8: Dynamic Trip Bus - Intermediate Level Functional Block Diagram ]}}