ML20049H257
| Person / Time | |
|---|---|
| Issue date: | 01/31/1982 |
| From: | Chiramal M, NRC Office for Analysis & Evaluation of Operational Data (AEOD) |
| To: | |
| Shared Package | ML20049H258 |
| References | FOIA-82-104, TASK-AE, TASK-C201 AEOD-C201, NUDOCS 8202180432 |
SAFETY CONCERN ASSOCIATED WITH REACTOR VESSEL LEVEL INSTRUMENTATION IN BOILING WATER REACTORS
by the OFFICE FOR ANALYSIS AND EVALUATION OF OPERATIONAL DATA
January 1982
Prepared by: Matthew Chiramal, Frank Ashe
Note:
This report documents results of studies prepared by the Office for Analysis and Evaluation of Operational Data with regard to several operating events. The findings contained in this report are provided in support of other ongoing NRC activities concerning these events. Since the studies are ongoing, the report is not necessarily final, and the findings do not represent the position or requirements of the program office of the Nuclear Regulatory Commission.
TABLE OF CONTENTS
EXECUTIVE SUMMARY
1. BACKGROUND
2. DISCUSSION OF SAFETY CONCERN
2.1 Description of Reactor Vessel Level Instrumentation Monitoring Normal or Narrow Range
2.2 Effect of Instrument Line Failure on Plant Protection and Control Systems
2.3 The Safety Concern and Related Regulations
2.4 Possible Unanalyzed Sequence of Occurrences
3. FINDINGS
4. CONCLUSION
5. RECOMMENDATIONS
LIST OF FIGURES
Figure 1 REACTOR VESSEL LEVEL INSTRUMENTATION
Figure 2 VESSEL WATER LEVEL BLOCK DIAGRAM
APPENDIX A EVENTS INVOLVING BWR LEVEL INSTRUMENTATION
EXECUTIVE SUMMARY
Our review of operating reactor events involving boiling water reactor (BWR) vessel level instrumentation has shown several cases where interaction between plant control systems and protection systems is evident. This interaction is basically due to fluid coupling and sharing of instrument sensing lines by the attached sensors that monitor vessel level and provide input to the protection and control systems.
Our review of these cases has raised the safety concern of a single failure causing a control system action that (1) results in a station condition requiring protective action and, at the same time, (2) prevents proper actuation of protection system channels designed to protect against such a condition. We believe the physical installation of certain BWR level instrumentation may not fully meet the intent of the regulations for the separation of protection and control systems and the single failure criteria, as delineated in General Design Criterion 24. Based upon operating experience, we believe that a single random failure in the instrument sensing lines should now be considered in implementing IEEE 279-1971.
In this study we have not conducted a detailed plant specific review of level instrumentation installation, but have confined ourselves to a general evaluation. This study addresses the interaction between feedwater control, reactor protection, primary containment isolation, and emergency core cooling systems. The effect of the interaction may vary from that detailed in this study depending on the details of the installation of the instrumentation. We plan to expand the scope of the study later to consider the effects of interactions due to level instrumentation permissive interlocks provided to the recirculation pump control and residual heat removal systems.
This report is intended to introduce the safety concern related to BWR vessel level instrumentation. We note that similar fluid coupling problems could exist between control and protection system instrumentation that monitor other parameters such as steam flow, water flow and liquid levels at both BWRs and PWRs. However, our initial review of operating reactor events has identified the BWR vessel level instrumentation system specifically as one that involves such problems. We plan to continue our reviews of operating experiences at both BWRs and PWRs for events involving similar problems that could affect safe operation of nuclear plant units.
1. BACKGROUND
In the design of the instrumentation used in control and protection systems, conscious effort has been made to physically separate the different sensors used. In reviewing BWR vessel level instrumentation drawings of operating plants provided in FSARs and in other associated documentation (e.g., NEDO-10139, "Compliance of Protection System to Industry Criteria: GE BWR NSSS," June 1970), we note that the sensors used for control systems were shown mounted on instrument lines that are separate from other instrument lines associated with sensors used in protection systems. However, review of operating experience and a few of the "as built" instrumentation drawings show that sensors for protection and control systems may be mounted on common instrument lines.
This study is based on Licensee Event Reports (LERs) and Nuclear Power Experiences (NPEs) involving BWR level instrumentation. The events are listed in Appendix A. The events cited are examples of how occurrences involving instrument lines and/or related items can lead to erroneous reactor vessel level indications.
The problem of control and protection system interaction studied here is applicable to operating BWRs and those with construction permits.
2. DISCUSSION OF SAFETY CONCERN
There have been a number of documented events involving potentially erroneous indications by reactor vessel water level instrumentation at operating BWRs (Appendix A). The events in general show that a single failure involving one of the instrument legs connected to the level measuring differential pressure cells could affect all instruments connected to either or both legs. A review of each event shows that the effect on the plant varies, depending on the instruments affected and on the function of those instruments. Thus, the initiating failure either led to a plant trip or was detected and corrected by the plant operators without significantly affecting plant operation. Our review ranged further afield to consider the control and protective functions of the instruments involved.
BWR vessel water level is measured by means of differential pressure sensed across two instrument lines. In general, operating BWRs use four constant reference legs and seven variable legs (see Figure 1 for a typical installation). The constant reference is obtained by means of constant head condensing chambers. Two of the condensing chambers have a temperature compensated column and an auxiliary head chamber. The other chambers have no temperature compensation.
The level instruments connected to temperature compensated reference legs are used to monitor vessel water level in the accident or wide range (typically -155 to +60 inches with instrument zero 528 inches above vessel zero). The two without temperature compensated reference legs are used for normal or narrow range level instrumentation (zero to 60 inches with instrument zero 528 inches above vessel zero). These reference legs are also used for instruments that monitor water level inside the core shroud (-100 inches to +200 inches with instrument zero 360 inches above vessel zero). A fifth reference chamber is for the water level instrumentation in the refuel range (zero to +400 inches with instrument zero 528 inches above vessel zero).
Review of the LERs raised a concern regarding the level instrumentation that monitors the normal or narrow range of the vessel water level. This is discussed below.
2.1 Description of Reactor Vessel Level Instrumentation Monitoring Normal or Narrow Range
The level instruments that monitor normal or narrow range of the vessel water level are connected across two pairs of instrument lines (see Figure 1). One pair of instrument lines has the following level instruments:
LIS 3-208A and 3-208B
LIS 3-203A and 3-203B
LIS 3-184
LT 3-206 and LT 3-53
The constant reference leg associated with these instruments is also used as the reference for the shroud level monitor LITS 3-52.
The other pair of instrument lines has:
LIS 3-208C and 3-208D
LIS 3-203C and 3-203D
LIS 3-185
LT 3-60
The constant reference leg is also used by shroud level monitors LITS 3-62 and LT 3-62.
[Figure 1: Reactor Vessel Level Instrumentation]
The functions performed by these instruments are as follows:
LIS 3-208 A, B, C, D: HPCI and RCIC turbine trip on high vessel level.
LIS 3-203 A, B, C, D: Scram and primary containment isolation on low level. HPCI and RCIC turbine trip on high level.
LIS 3-184 and LIS 3-185: Auto blowdown permissive on low level.
LT 3-53, LT 3-60 and 3-206: Feedwater control system inputs. (A high water level trip of the main and reactor feedwater turbine is also provided by the feedwater control system.)
LITS 3-52 and LIS 3-62: Containment spray interlock on low-low-low level.
The physical arrangement of these level instruments on two separate sets of instrument lines is such that the A and B sensors are connected to one set of instrument lines and the C and D sensors to another set. These sensors provide input to protection channels in the plant protection and emergency core cooling systems. The protection system and emergency core cooling system logic arrangements for these BWR instrument channels are the usual one-out-of-two-twice configuration using channel (A OR C) AND (B OR D) arrangement. The two sets of instrument lines are separated and isolated in their physical connection to the reactor pressure vessel. Thus, the arrangement of these level instruments associated with the plant protection system meets the Single Failure Criterion of IEEE 279-1971, paragraph 4.2.
The same instrument lines, however, also have reactor vessel level control transmitters (LT 3-53 and LT 3-206 on one set; LT 3-60 on the other) mounted on them. These transmitters provide input to the plant's feedwater control system (see Figure 2). Each transmitter provides an output signal ranging from 10-50 ma, which represents the normal water level ranging from zero to +60 inches at normal operating pressure. Corrections for water density changes are made by reactor pressure measurements. Signals from pressure transmitters (shown on Figure 2) are applied to level correction amplifiers to accomplish this. Each of the three corrected level signals is applied to an alarm unit. The three alarm unit outputs are connected in a two-out-of-three coincidence logic to provide high water level trip (+54 inches) to the main and reactor feedwater turbines.
The three corrected signals are also displayed in the control room, as are the three pressure monitors. The corrected level signal from either transmitter LT 3-53 or LT 3-60 is selected by the control room operator for use in the feedwater control system. The selected level signal is recorded in the control room. It is also supplied to two alarm units, the feedwater bypass valve controller, a level flow error summing device, and the feedwater control mode selector switch (one or three element control).
[Figure 2: Vessel Water Level Block Diagram. Labelled blocks include pressure compensation (PRESS A, B, C), high level turbine trip (2 of 3 coincidence), level selector switch, FW pump trip interlock, high/low alarm unit, level/flow error network (summer), and mode selector switch (1 or 3 element control).]
For BWRs in general, eight reactor vessel level indicators and two recorders are provided in the main control room to aid the operator. High and low level digital inputs to the control room annunciator system and the plant computer system also inform the operator of vessel level status. The control room indicators and recorders are:
(1) two level indicators (LI 3-52 and LI 3-62) and one level recorder (LR 3-62) monitor the shroud level. These instruments are normally pegged high at +200 inches during power operation;
(2) one level indicator (LI 3-55) monitors the refueling range (zero to +400 inches);
(3) two level indicators (LI 3-46A and LI 3-46B) monitor the accident range (-155 inches to +60 inches);
(4) three level indicators (LI 3-53, LI 3-60 and LI 3-206) monitor normal range (zero to +60 inches). A reactor level/feed flow two pen recorder in the control room also continuously monitors the level signal selected for the feedwater control system (either LI 3-53 or LI 3-60 signal).
During normal power operation, five indicators and one recorder (numbers 3 and 4 above) would be used by the operator to monitor level. Control room alarms would alert the operator to abnormal conditions. The refueling range level indicator (number 2 above) is not calibrated for operating conditions and is not used during normal operation.
2.2 Effect of Instrument Line Failure on Plant Protection and Control Systems
A failure in the instrument line connected to the constant head condensing chamber (e.g., equalizing valve leak, excess flow check valve leak, drain valve leak, etc.) could cause the reference leg level to decrease. This decrease in reference leg level would cause all the differential pressure instruments connected to that line to indicate false high reactor vessel water level.
Referring to Figure 1, if such a failure was to occur in the reference leg of the normal range level sensors A and B, then LIS 3-208A&B, LIS 3-203 A&B, LIS 3-184, LT 3-53 and LT 3-206 would all sense an increasing level. If LT 3-53 was selected by the control room operator for the level input to the feedwater control system (with the feedwater control mode switch in either the one or three element control), then the feedwater system would reduce feedwater flow into the reactor vessel. This would tend to decrease the actual reactor vessel water level. If prompt operator action is not taken to manually control the feedwater system, then eventually the vessel level would reach the low level scram setpoint. However, scram level sensors LIS 3-203A&B would sense a high level and would not actuate. Therefore, LIS 3-203C&D on the redundant instrument lines would be required to provide the necessary protective action.
In such an event the control room level indicators, recorders and alarms would be providing ambiguous level information to the operator. The two accident range indicators (LI 3-46 A&B) would still show true level, but only one of the normal range level indicators (in this instance LI 3-60) would indicate true level. The other two normal range level indicators (LI 3-53 and LI 3-206), as well as the level recorder pen, would show an erroneous high level.
If, on the other hand, the failure was to occur in the reference leg associated with normal level sensors C and D (i.e., LIS 3-203 C&D, LIS 3-208 C&D, LIS 3-185 and LT 3-60) and if LT 3-60 was selected for level input to the feedwater control system, the effects would be similar, with the following exceptions: (1) only one normal range level indicator (LI 3-60) and the level recorder would show the erroneous increasing level; and (2) the high level turbine/reactor trip would not occur, since only one of the three level transmitters associated with the feedwater control system would be affected.
In either case, during the ensuing plant transient, both high and low level alarms could be actuated in the control room. Depending on the type of instrument failure, the plant would soon experience a low level scram from the redundant unaffected instrument channels and perhaps a high level turbine trip/reactor trip. All of these conflicting indications and automatic actions could hamper timely and correct operator response to such an event. Automatic plant response must be relied upon to terminate and control the transient. This is confirmed by operating experience (see Appendix A) which shows several cases where operators did not respond to such events and automatic protective action was needed to terminate the transient.
If the failure in the instrumentation causes a very gradual decrease in the reference leg level, then actual reactor level could fall to the low level scram setpoint (because of the feedwater control system action) before the false level appearing to level sensors in the failed instrument legs rises to the high level turbine trip setpoint. Low level reactor scram would occur due to actuation of redundant level sensors (LIS 3-203 C&D) on the other instrument lines. Eventually, the spurious high level sensed could cause main and reactor feedwater turbine trips on two-out-of-three coincidence high level from the alarm units in the feedwater control system.
If, on the other hand, the rate of increase of spurious level is faster, a high level trip (two-out-of-three high level) of the main and reactor feedwater turbines (and consequent reactor trip due to main turbine trip) could occur before the vessel level reaches the low level scram setpoint.
In either case, the failure would cause a spurious high level to be sensed. The control system would then cause a reduction in the true vessel level, which could require the protective action of low level scram of the reactor. This interaction between the feedwater control system and the reactor protection system is the safety concern in that the initiating instrument line failure could cause adverse feedwater control system action requiring low vessel level protective actions and, at the same time, would also prevent proper action of certain low level protection system channels.
2.3 The Safety Concern and Related Regulations
General Design Criterion 24 on separation of protection and control systems states, "The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired."
In the BWR level instrumentation system, a single failure in the sensing line that causes control system action does not leave intact a system satisfying all reliability, redundancy and independence requirements for the low vessel level protective function.
IEEE 279-1971 paragraph 4.7.3 on control and protection system interaction states, "Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protective system channel designed to protect against the condition, the remaining redundant protection channels shall be capable of providing the protective action even when degraded by a second random failure." This requirement of IEEE 279 augments the requirement of General Design Criterion 24 on leaving intact a protection system satisfying all reliability, redundancy, and independence requirements of the protection system on failure of any single control system component or channel.
IEEE 279-1971 is, however, limited in scope to the protection system devices and circuitry from sensor to actuation device input terminals. NRC has interpreted this to exclude the fluid sensing lines. Based upon operating experience, we believe that a single random failure in the sensing line should now be considered in implementing IEEE 279-1971. (It is noted that the 1977 and 1980 editions of IEEE Standard 603, which are later versions of IEEE 279-1971, do address the subject of sensing lines and include them as part of the protection system.)
Applying the requirement of paragraph 4.7.3 to the instrumentation system under discussion, the single random failure is the decreasing reference leg level and the resulting control system action is lowering of the actual vessel level, which would require a low level protective action. Two protection channels (LIS 3-203A&B) are prevented from performing their protective actions, leaving redundant channels (LIS 3-203C&D) to provide the required protective function. If a single active failure is now postulated in one of the two remaining channels, then the required automatic protective actions will not occur at the low water level scram setpoint. Further, if one of these four channels is inoperable due to maintenance or required surveillance, and is not placed in a trip condition, then this would tend to exacerbate the safety concern since the single failure of a decreasing reference leg could defeat the associated automatic protective actions at the low water level scram setpoint. Under these conditions the information provided in Section 2.2 of this report continues to be valid and appears to make the concern more significant. However, since the technical specifications allow the level instrument system to remain in this degraded mode (that is, three operable channels and one inoperable non-tripped channel) for a period of up to only two hours, this aspect may not be significant in the broader context of the concern.
The above concern can be extended to all designs where the protection system uses a one-out-of-two-twice logic (i.e., A or C and B or D) to initiate protective action. Even if only one protection system channel is coupled to a control system channel (say A), and if the single random failure causes a control system action requiring protective action and also prevents proper action of the protection system channel, a further single active failure of one particular remaining redundant protection system channel (C) will prevent the required protective actions associated with these protection channels.
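The single-failure argument above and the slow-versus-fast leak ordering of section 2.2, worked through as an added example that is not part of the original report. The sensor groupings, the +54 inch trip and the (A OR C) AND (B OR D) logic come from the report; the low level scram setpoint, controller gain and target, leak rates and the ONLY_A_COUPLED arrangement are assumed values for illustration.

```python
"""Constructed model of the shared sensing-line arrangement (sections 2.1-2.3)."""

HIGH_TRIP_IN = 54.0  # high level turbine trip setpoint, from the report
LOW_SCRAM_IN = 10.0  # ASSUMED low level scram setpoint; the report gives no value

# Sensors on each pair of instrument lines, as listed in section 2.1.
AS_BUILT = {
    1: {"A", "B", "LT 3-53", "LT 3-206"},
    2: {"C", "D", "LT 3-60"},
}
# Hypothetical variant for the last paragraph of 2.3: only channel A shares
# a line with a control transmitter; B, C and D each have their own line.
ONLY_A_COUPLED = {1: {"A", "LT 3-53"}, 2: {"B"}, 3: {"C"}, 4: {"D"}}


def indicated(arrangement, actual_in, failed_line=None, bias_in=0.0):
    """Indicated level per sensor; a drained reference leg reads falsely high."""
    return {
        sensor: actual_in + (bias_in if line == failed_line else 0.0)
        for line, sensors in arrangement.items()
        for sensor in sensors
    }


def low_level_scram(levels, failed_channels=()):
    """One-out-of-two-twice logic: (A OR C) AND (B OR D)."""
    trip = {ch: ch not in failed_channels and levels[ch] <= LOW_SCRAM_IN
            for ch in "ABCD"}
    return (trip["A"] or trip["C"]) and (trip["B"] or trip["D"])


def high_level_trip(levels):
    """Two-out-of-three coincidence on the feedwater control transmitters."""
    transmitters = ("LT 3-53", "LT 3-206", "LT 3-60")
    return sum(levels.get(t, 0.0) >= HIGH_TRIP_IN for t in transmitters) >= 2


def defeating_second_failures(arrangement, failed_line, bias_in=50.0):
    """Channels whose additional failure-to-trip blocks the automatic low
    level scram once actual level is just below the setpoint."""
    levels = indicated(arrangement, LOW_SCRAM_IN - 1.0, failed_line, bias_in)
    return [ch for ch in "ABCD" if not low_level_scram(levels, {ch})]


def first_automatic_action(leak_in_per_s, failed_line=1, selected="LT 3-53",
                           target_in=30.0, gain_per_s=0.05, t_max_s=3600):
    """Step the feedwater loop at 1 s intervals and report which automatic
    action comes first. Controller gain and target level are assumed values."""
    actual, bias = target_in, 0.0
    for t in range(t_max_s):
        levels = indicated(AS_BUILT, actual, failed_line, bias)
        if high_level_trip(levels):
            return ("high level turbine trip", t)
        if low_level_scram(levels):
            return ("low level scram", t)
        # Proportional control acting on the selected (possibly false) signal.
        actual -= gain_per_s * (levels[selected] - target_in)
        bias += leak_in_per_s
    return ("none", t_max_s)


if __name__ == "__main__":
    for name, arr in (("as built", AS_BUILT), ("only A coupled", ONLY_A_COUPLED)):
        for line in (None, 1, 2):
            print(name, "| failed line:", line,
                  "| second failures that defeat scram:",
                  defeating_second_failures(arr, line))
    for rate in (0.1, 2.0):  # constructed leak rates, inches of bias per second
        print("leak", rate, "in/s ->", first_automatic_action(rate))
```

With no sensing-line failure no single channel failure defeats the scram, which is the sense in which the protection channels alone meet paragraph 4.2; the defeat appears only once the shared line is counted as the first failure.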
2.4 Possible Unanalyzed Sequence of Occurrences
Level instrumentation sensors LIS 3-203A through D provide the following protective actions:
(1) Scram
(2) Primary containment isolation
(3) HPCI and RCIC turbine trip
(4) Start standby gas treatment system (SBGTS)
When two channels (LIS 3-203A&B) sense a spurious high level and a random failure is postulated in one of the remaining redundant channels (LIS 3-203C or D) the protective actions are affected as follows:
(1) Scram - Low level scram will not occur.
(2) Primary containment isolation due to low level will not occur. (Typically Group 2, 3, and 6 valves are affected.) The following pipelines will not isolate:
RHR reactor shutdown cooling supply
RHR reactor head spray
Reactor water cleanup system
Drywell equipment drain discharge
Drywell flow drain discharge
Drywell purge inlet
Drywell main exhaust
Suppression chamber exhaust valve bypass
Suppression chamber purge inlet
Suppression chamber main exhaust
Drywell exhaust valve bypass
Suppression chamber drain
RHR flush and drain vent to suppression chamber
Drywell purge and vent outlet
Drywell makeup
Suppression chamber makeup
Exhaust to SBGTS
However, if isolation of the above pipelines were truly needed, excluding the lines associated with the reactor water cleanup system, it would still be obtained by other diverse means which initiate on high reactor building ventilation exhaust radiation and/or high drywell pressure.
(3) HPCI and RCIC turbines will receive a high level trip signal (when LIS 3-203 A&B, connected to one set of instrument lines, reaches spurious high level of +54 inches, and if either LIS 3-203C or D, connected to the other set of instrument lines, is postulated to fail high).
(4) SBGT system will not receive an automatic start signal.
The event initiated by the instrument line failure will continue and the reactor vessel level will decrease due to reduced or even terminated feedwater flow. If the operator does not take corrective actions, the vessel level will reach the low-low level and the level instrumentation monitoring the accident or wide range, specifically sensors LIS 3-56A thru D, will initiate closure of MSIVs which in turn will cause a reactor scram. Sensors LIS 3-58A through D will sense conditions necessary to initiate HPCI, RCIC, ADS and core spray systems. Scram under these conditions would occur at an actual vessel level which is considerably below the normal low level scram. (Current safety analyses normally assume that a scram occurs directly from the low level instrumentation, which is defeated under these conditions, and not indirectly by the way of MSIVs from the low-low level instrumentation.) Further, when the MSIVs close, this action will tend to collapse the voids contained in the vessel fluid and will further decrease the fluid level in the reactor vessel.
In addition, due to the presence of high level trip interlock signals (item 3 above), automatic operation of HPCI and RCIC would not occur in some designs since the high level trip signal takes precedence over the low-low level start initiation signal. This situation of a decreasing water level in the vessel, coupled with (1) scram which is initiated at a vessel level lower than the normal low level scram, and (2) the unavailability of automatic operation of safety grade high pressure injection systems, appears to be an unanalyzed sequence of occurrences.
A typical scenario initiated by a level instrumentation reference leg failure would be as follows:
The loss of the reference leg in the normal range level instrumentation causes a spurious increasing level to be sensed by the feedwater control system, leading to a decrease in actual vessel level. By the same failure, two low level protection system channels are disabled. When the vessel level reaches the low level setpoint, reactor scram and primary containment isolation would normally occur due to actuation of redundant low level protection channels on the unaffected instrument lines.
A postulated signal failure in the redundant low level protection channels, however, could disable the low level reactor scram. The spurious high level sensed by the instrumentation of the affected instrument line could cause a turbine trip which would, in turn, scram the reactor or, based on the various indications available in the control room and time permitting, an alert operator could initiate manual scram and containment isolation. HPCI and RCIC could be manually started if not locked out by the failed instrumentation. Otherwise, low pressure emergency core cooling would have to be initiated to provide water to the vessel.
If no manual action is taken, when low-low vessel level is reached MSIV closure and associated scram will occur. Automatic ECCS actuation will also be initiated.
Based on the availability of these various means of automatically and manually accomplishing the required protective actions, we do not consider the postulated control system-protection system interaction precipitated by hydraulic effects an immediate safety concern; however, we do consider that the safety concern needs to be addressed.
3. FINDINGS
(1) The physical arrangement of reactor vessel water level instrumentation in operating BWRs is such that hydraulic coupling exists between sensors that provide input to the feedwater control system and to the plant protection systems. The level instrumentation that monitors the operating range is physically arranged so that sensors which separately provide input to the feedwater control system and to two channels of the reactor protection system and ECCS are connected across common instrument lines.
(2) Certain single failures in the instrument lines can cause a decrease in the reference leg level or affect the variable leg level of the vessel level instrumentation. The ensuing spurious level is sensed by the feedwater control system and two channels of the protection system. The spurious level sensed by the control system could cause the system to respond adversely, resulting in a plant condition requiring protective action.
(3) Moreover, such a failure causing incorrect control system response would also prevent proper action by two of the protection channels. If a random failure is now postulated in one of the remaining redundant two channels, then the protective function will not occur automatically from the normal low level protective instrumentation. This could lead to a plant condition which appears to be unanalyzed.
(4) The operator is presented with conflicting information which may prevent him from taking correct and timely actions.
(5) The situation outlined above suggests that selected BWR level instrumentation systems may not meet the intent of the regulations for operation of protection and control systems single failure criterion as delineated in General Design Criterion 24.
4. CONCLUSION
BWR operating experience has shown that a single failure in an instrument sensing line could affect all level sensors that share the same sensing line. There also have been events where interaction has occurred between control systems and protection systems. Our review of these operating experiences has raised the safety concern of a single failure in the BWR vessel level instrumentation, causing a feedwater control system action that could 1) result in a condition requiring protective actions and, at the same time, 2) prevent proper action of the reactor protection system channels designed to protect against such a condition. We also consider that certain level instrumentation configuration in operating BWRs may not fully meet the intent of General Design Criterion 24. Based upon operating experience we believe that a single random failure in the instrument sensing lines should now be considered in implementing IEEE 279-1971.
Although we do not consider the postulated control system-protection system interaction an immediate concern, we do consider that the safety concern and associated problem need to be addressed.
5. RECOMMENDATIONS
(1) Action should be implemented to assure that automatic and manual safety-related low-low level start and high pressure injection functions of HPCI and RCIC turbines are not prevented or delayed by the non-safety-related high level trip. For example, the control system of HPCI and RCIC turbines could be modified to provide a low-low level start signal which overrides the high level trip signal.
(2) Action should be implemented to assure that protective functions are provided in spite of any adverse control system-protection system interaction in the narrow range level instrumentation. For example, the protective functions provided by the narrow range level sensors could also be provided by the wide range level sensors. (In employing the wide-range level instrumentation, the desired output signal quality in terms of sensitivity, resolution, accuracy and repeatability must be considered to assure that the initiating signals achieve the required protective function.) This approach would be consistent with the concept of "alternate channels" as defined in paragraph 4.7.4.i of IEEE Standard 279-1971.
(3) Control room operators should be trained to recognize spurious vessel level indications, and procedures should be provided for corrective actions to mitigate the consequences of potential transients that may be caused by level instrumentation malfunctions. We believe that the BWR emergency procedure guidelines provide the best vehicle for the definition of appropriate corrective actions in the event of level instrumentation malfunctions.
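Recommendation (1) can be checked with a small single-failure model. The Python below is an added example, not part of the AEOD report; its setpoints, reference-leg bias, sensor names and one-out-of-two arrangement are constructed assumptions, not any plant's design.

```python
from dataclasses import dataclass

# Constructed values in inches; not from any plant's Technical Specifications.
HIGH_LEVEL_TRIP = 55.0    # non-safety-related high level turbine trip
LOW_LOW_START = -40.0     # safety-related low-low level start
REF_LEG_BIAS = 120.0      # upscale error when a reference leg drains


@dataclass(frozen=True)
class Sensor:
    name: str
    line: str       # sensing line (reference leg) the sensor shares
    function: str   # "high_trip" or "low_low_start"


# Hypothetical arrangement: each function has one sensor on each of two lines.
SENSORS = [
    Sensor("HT-A", "A", "high_trip"),
    Sensor("HT-B", "B", "high_trip"),
    Sensor("LL-A", "A", "low_low_start"),
    Sensor("LL-B", "B", "low_low_start"),
]


def indicated(sensor, actual, failed_line):
    """Level the sensor reports; a drained reference leg reads upscale."""
    if sensor.line == failed_line:
        return actual + REF_LEG_BIAS
    return actual


def signals(actual, failed_line):
    """Return (high_trip, low_low_start), each taken one-out-of-two."""
    high = any(indicated(s, actual, failed_line) >= HIGH_LEVEL_TRIP
               for s in SENSORS if s.function == "high_trip")
    low = any(indicated(s, actual, failed_line) <= LOW_LOW_START
              for s in SENSORS if s.function == "low_low_start")
    return high, low


def turbine_runs(actual, failed_line, start_overrides_trip):
    """True if the injection turbine is allowed to run at this actual level."""
    high, low = signals(actual, failed_line)
    if start_overrides_trip:
        return low            # recommendation (1): the start signal wins
    return low and not high   # the high level trip blocks the start


def single_failure_report(actual, start_overrides_trip):
    """Turbine state for each single sensing-line failure (None = no failure)."""
    return {line: turbine_runs(actual, line, start_overrides_trip)
            for line in (None, "A", "B")}


if __name__ == "__main__":
    for override in (False, True):
        print("override" if override else "no override",
              single_failure_report(-45.0, override))
```

With the actual level below the low-low setpoint, either single reference-leg failure blocks the start in the first logic and neither does in the second.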
APPENDIX A
EVENTS INVOLVING BWR LEVEL INSTRUMENTATION

The events cited are examples of how occurrences involving instrument lines and related items can lead to erroneous vessel level indications. The event descriptions are quoted directly from the Licensee Event Reports and Nuclear Power Experiences.
Plant Name, Date of Event, Event Description

Oyster Creek 1, March 1970
During a surveillance test on the reactor high pressure scram pressure switches, it was observed that the sensing line to the high pressure scram pressure switch had developed a leak at a "Swage-Lok" fitting which caused a level indicator to fail upscale.
An attempt was made to tighten the fitting and the leak increased, causing the excess flow check valve in the primary pressure sensing line to close. The result was a zero pressure signal to the pressure sensors mounted on this rack. (High Pressure Scram, High Pressure Isolation Condenser Actuation, Condenser Low Vacuum Scram By-pass, Core Spray Valve Permissive, Triple Low Level Auto Depressurization, Level Transmitter to Feedwater Control System, Reactor Pressure Indicator Transmitter and Auto Relief Valve Pressure).
Since the Protective Instrumentation Limiting Conditions for Operation could not be met, the operators were notified to prepare for a plant shutdown.
Subsequently, it was determined that the single failure of this sensing line prevented the operation of both isolation condensers upon receipt of a reactor high pressure signal.
Emergency condenser isolation on pipe-break was still operable as was emergency condenser actuation by low-low level and manual operation from the control room.
Plans were to determine the wiring modifications necessary to establish the ability of the emergency condensers to operate on a high pressure signal in the event of a loss of a single pressure sensing line.
In the meantime, operating personnel were made aware of the situation and reminded that plant emergency procedures call for verification of automatic action and manual initiation of such actions required.

Peach Bottom 2, Sept. 8, 1976
During routine surveillance testing, containment spray permissive switch LIS-2-2-3-73A was found to be inoperative. Because the redundant B loop was operable and a manual override is provided for this switch, there was no safety hazard. Cracked bellows on a Yarway Model 4418CE level switch.

Millstone 1, Sept. 1973
During a plant startup, a discrepancy of 15 inches was noted between the two independent reactor level sensing columns. The mismatch was such that half of the RPS, ECCS and primary containment isolation system level switches were seeing an indicated level that was higher than the actual level in the reactor. The mismatch could result in late initiation signals for the systems in a situation where a failure occurred in the level switches that were reading properly.
An investigation revealed a valve that is normally used for filling the system was leaking.
The water was being drained from the reference column at a rate greater than the make up rate by condensation in the level column condensing pot. A loss of water from the reference column in a device such as this causes the indicated level to rise.
The valve was replaced and the indicated levels converged such that they were within the requirements of the Technical Specifications.

Monticello 1, July 13, 1975 (75-01T)
During normal operation a small leak developed in a reactor pressure gauge. The leak lowered the reference leg level for the Scram and ECCS initiating Yarway level instruments connected to the same process tap causing incorrect level indication.
Redundant Yarways were operable. No previous similar occurrences. Pressure Gauge isolated (AD-50-263/75-12).
A leak developed in the Bourdon tube of Heise Model C MM 7646 0-1500 psig pressure gauge.

Brunswick 2, May 1976
During start up a level indicating switch (Yarway) malfunctioned due to an internal leak.
The associated instrument channel was manually tripped.
The cause of the occurrence was the threaded pipe inside the instrument housing leaked because of a crossed thread.

Browns Ferry 2, Aug. 14, 1977 (LER 77-03L)
During start up from Cold Shutdown, reactor water column "B" reference leg was low, producing a +20 inch error in two reactor water low-level scram switches.
Redundant switches were operable and in service. The reference leg was refilled and water level agreement confirmed. This was not a repetitive problem.
The integrity of all sensing lines and valves external to the drywell was confirmed.
The apparent cause was either evaporation of water from the reference leg during cold shutdown, or inadvertent operation of equalizer or drain valves.

Cooper, Jan. 1976
Cold shutdown. While maintenance was being performed in the drywell, a rusty spot was noticed on some insulation close to the reactor. Upon further investigation, it was determined that a crack in the two inch instrument sensing line on vessel penetration N-11A had developed outside the safe end weld, in the heat affected zone (HAZ) 1/2 inch from the weld center.
History of this weld showed the original weld failed the RT and was cut out and rewelded. The second weld failed the RT and was repaired. The third weld passed the RT.
The failure was the result of material failure in the HAZ of the two inch schedule 80 ASTM-A-312 GRTP-304 Stainless steel pipe. This instrument tap fed the low leg of the scram and primary containment isolation level switches, auto blowdown permissive level switches, reactor feedwater control and wide range level indications.

Cooper, Dec. 1977
While at 75% power, during a plant tour, it was noted that three reactor level instruments were reading high upscale. Further investigation revealed that the instrument line excess flow check valve was leaking around the body nut. The leak at the valve caused the condensing chamber and reference leg level to decrease, thus causing instruments associated with that sensing line to read upscale.

Brunswick 2, March 1978
Technicians were performing a test while at 97% power (reactor water level inside shroud) on a Yarway instrument when the main turbine and feedwater pump turbines tripped, causing a reactor scram.
The scram occurred as a result of a pressure change in the common level instrument reference leg which apparently actuated the N004 instruments. The pressure change apparently occurred due to the bellows movement in the instrument being calibrated. No personnel error was detected.
They were shutdown for 25 hours.
An investigation was to be performed to determine the most suitable instrument arrangement and test procedures necessary to prevent reference leg pressure changes.
The investigation was to consist of an industrial survey and a design review.

Dresden 2, May 1979
During start up the main turbine tripped on high water level.
It was discovered that a packing leak existed on the isolation valve for the local pressure indication, PS-263-60B.
The "B" reference leg drained to an abnormally low level through the packing leak. This resulted in an upscale reading on all the Yarways on instrument rack 2206.
The "B" reference leg root valve was shut to isolate the leak which isolated the following components: PS-263-55C, 55D, LIS-263-58A, 58B, 72B, 72D, and LITS-263-59B.
A control systems technician locally isolated PI-263-60B (local pressure indication) and PS-263-55D (reactor high pressure scram) via their common sensing line root valve. The "B" reference leg root valve was then opened and the reference leg filled.
Since the Technical Specifications require two instrument channels per trip system, an orderly reactor shutdown was begun immediately.
The packing was tightened and subjected to a hydro of 1000 psi.
No leaks were discovered.
The isolation valves for PS-263-55D and PI-263-60B were opened and the common sensing line root valve was opened, returning the system to normal.

Monticello 1, Sept. 23, 1979 (LER 79-019/03L-0)
During normal operation a leak developed in a reactor pressure gauge. The leak lowered the reference leg of the scram and ECCS Yarway level switches connected to the same process tap. As a result, the Yarways indicated a false high level and would not have tripped within the settings specified in sections 3.1.1 and 3.2.B of Technical Specifications.
Redundant level instruments were operable.
One previous similar occurrence reported in A0 50-263/75-12.
Pressure gauge is Heise Model C, 8 1/2 inch dial, 0-1500 psig, H03 Stainless Steel Bourdon Tube. Small crack discovered in Bourdon Tube, most probable cause is fatigue.
Gauge isolated and removed.
New gauge with wide range and improved Bourdon tube material to be installed on different process tap.

Brunswick 1, May 8, 1980 (LER 80-048/03L-0)
During normal surveillance, the cap covering the calibration adjustment screw on reactor level instrument, 1-B21-LIS-N031B, was leaking water. The leak was repaired and Pressure Test 3.1.7PC, Reactor low level #2 and #3 calibration and functional test was performed on the instrument. Switch #2 of the instrument would not actuate. The reportable limit is >194.63 inches applied water. This event did not affect the health and safety of the public. The calibration adjustment screw cap gasket was replaced, the contacts of switch #2 were cleaned. Pressure Test 3.1.7 PC was performed satisfactorily and the instrument was returned to service.

Fitzpatrick 1, Nov. 3, 1980 (LER 80-084/03L-0)
During normal operation while conducting surveillance to satisfy Technical Specifications Table 4.1-1, reactor water level switch 02-3-LIS-101B or 101D was found less conservative than allowed by Technical Specification Table 3.1-1 on three occasions between 11/3/80 and 11/25/80.
Redundant level switches were within Technical Specification limits and in each case the level switches were immediately recalibrated to within its limits.
No significant hazard existed. See attachment for additional details.
Probable cause was personnel error which resulted in the introduction of air in level sensing line. Back flushing of sensing lines to remove air eliminated problem.
Review of procedure does not indicate need for change.

Brunswick 1, Jan. 20, 1981 (LER 81-016/03L)
During normal plant operation reactor instrument penetration (RIP) valve, X-53C, shut with a Control Air Supply Failure Alarm, and isolated the variable leg to reactor level instruments B 21-LIS-N017A and B 21-LI-3331, which resulted in a reactor scram on low level. This event did not affect the health or safety of the public.
An exhaustive investigation failed to reveal a definite cause for the RIP valve closure.
This investigation included a leak check on the valve control air supply, a timed leak check of the valve bellows and a visual inspection of the valve and the valve high flow isolation switch. This is considered an isolated event, as system air pressure was normal and no other valves isolated.

Browns Ferry 2, March 31, 1981 (R0 50-260/81014)
During normal operations while decreasing load for M/G set maintenance, the Reactor Water Level Instrumentation indicated full upscale resulting in a turbine trip. There was no hazard to the health or safety of the public.
Instruments affected were: 2-LITS-3-52; 2-LIS-3-203A, B; 2-LIS-3-184. The technical specifications were fully complied with at all times. Equalizing valve on 2-LITS-3-52 was partially open. Closed equalizing valve, verified reactor water instruments operable.

Browns Ferry 3, May 25, 1981 (LER 81-027/03L-0)
During startup, following a maintenance outage, reactor water level instrumentation 3-LIS-3-203A and B indicated full upscale and were declared inoperable. There was no danger to the health and safety of the public. Redundant systems were available and operable.
Reference leg was lost on the water column for undetermined reasons, causing the Barton model 288 A, bellows type indicating switch, to indicate full upscale. The water leg was backfilled and the instruments returned to operable status.

Oyster Creek, Sept. 5, 1981 (LER 81-36/03L)
On September 5, 1981 at approximately 0100 hours while performing a flush of Core Spray System I piping, one reactor water level indicator showed a high level while all other level indicators remained stable and in agreement. The flush in progress was immediately terminated and an investigation was initiated to determine the cause of the high level indication.
It was found that the instrument reference leg was not filled with water which caused an erroneous high level reading on the instrument in question. The failure of this instrument resulted in the loss of one of two level instrument channels in each of two level instrument systems.
It should be noted that there are no piping connections between the Core Spray System and the affected water level instrumentation reference leg. This was confirmed by a hand over hand walkdown of the reference leg piping.
The cause of the decrease in reference level head could not be determined. There is no connection which can be inferred between the loss of reference leg and the flush evolution.
The reactor water level instrument in question provides various Reactor Protection Safeguard System functions associated with Reactor Scram, Core Spray initiation, Isolation Condenser initiation and ATWS Recirc Pump Trip.
Since redundant instrumentation, which was operable, also provides these functions and since the Reactor was shutdown, vented, and less than 212°F, the safety significance of this event is considered minimal. Additionally, it should be noted that no change in actual reactor water level occurred as a result of this event.
The reference leg for the affected level instrument was backfilled with condensate which restored it to an operable condition.
A hand over hand walkdown of the Reference Leg System for proper configuration together with a check of the instrument connected to the reference leg for leakage was performed with no abnormalities noted.

(The following event description is taken from the INPO-NSAC Analysis and Evaluation Report of April 1981 on "High Pressure Core Cooling System Malfunction at Hatch 1.")

Hatch 1, June 26, 1980
At 6:49 am, on June 26, 1980, Hatch-1 was operating at 99.4% of rated power. Operating conditions appeared normal.
Reactor pressure indicated 990 psig.
Both reactor feedwater pumps, and both reactor recirculation pumps were running. The reactor water level was normal at about +37 inches.
At 6:49:09 am, the GEMAC A and C reactor water level channels signaled that the level had quickly risen to +58 inches.
With 2 of the 3 GEMAC channels indicating a high level, a number of automatic actions occurred.
The reactor feedwater pumps and the turbine/generator were tripped. Subsequently, the reactor scrammed.
There are three GEMAC transmitters of reactor water level connected to 2 separate hydraulic systems that sense reactor water level. The GEMAC A and C channel transmitters are connected to one of the hydraulic systems.
Two Barton transmitters are also connected to this same hydraulic system. The GEMAC B channel transmitter, and two other Barton transmitters, are connected to the other hydraulic system that senses reactor level.
Only the GEMAC A and C channels signaled high reactor water level. The GEMAC B channel did not signal a high level. Moreover, one second after the GEMAC A and C channels picked-up on high water level, 2 Barton transmitters signaled low reactor water level at +12.5 inches. Within 4 seconds, all four Barton channels signaled that the reactor water was at +12.5 inches.
Summarizing, GEMAC channels A and C said the water level in the reactor was high, and 4 other channels said it was low.
Within 2 seconds after the start of the event, four channels indicated that the reactor pressure had risen to 1045 psig.
Within 4 seconds, four Barton transmitters signalled a low reactor water level and triggered the isolation of some of the reactor support systems.
Increased system pressure and a decreased reactor water level are anticipated responses to a total loss of feedwater and turbine/generator trip.
Within 16 seconds, safety/relief valve operation, combined with the operation of the turbine steam bypass systems, had brought the pressure down to 1030 psig. With the decreased pressure, increased void formation caused the reactor water level to rise several inches and by 28 seconds, the reactor low water level had cleared, indicating that the reactor water level had recovered to at least +15 inches.
Thirty nine seconds after the event began, all four Barton channels alarmed a second time, indicating that the reactor water level had again dropped below +12.5 inches. The GEMAC channels showed similar levels. The reactor pressure was now steady at about 890 psig.
At 47 seconds, a signal was received that closed the main steam line isolation valves.
All but one of the closure signals are alarmed on the computer. The low reactor water level (-38") closure signal is not alarmed.
None of the computer alarms associated with the closure signals were activated.
This indicated that the low reactor water level closure signal was the most likely source of the MSIV closure and that reactor water level had dropped to -38".
At 95 seconds a feedwater pump was started, but because the main steam line isolation valves had been closed, the pump ran for only about 10 seconds. The HPCI turbine received a signal to start automatically.
However, the initial high flow of steam to the turbine caused an instrument that monitors for high steam line flow (symptom of a steam pipe break), to activate erroneously and close the two containment isolation valves in the steam line to the HPCI turbine. The HPCI turbine ran momentarily and stopped.
During this period, operators also were attempting to start the RCIC system.
However, the RCIC system would not start and continue to run.
It remained inoperable throughout the event.
Operators reset the HPCI system isolation signal that had been triggered by the high steam flow surge on the initial startup attempt. They then opened the inboard isolation valve in the HPCI turbine steam supply line, while leaving the outboard valve closed.
But again, for reasons unknown, an additional isolation signal activated, calling for closure of the closed outboard valve. Operators then closed the inboard valve.
At three minutes into the event the following conditions existed: The main steam line isolation valves were closed. There was no feedwater supply to the reactor. Heat had been generated in the reactor faster than it was removed. The reactor pressure had risen to approximately 1100 psig and was being controlled by the safety/relief valves. The steam was now removing the decay heat to the suppression pool.
About 5 minutes after the event began, the operators tried a different HPCI turbine start-up strategy. They closed the HPCI turbine steam supply valve. This valve is located downstream of the two isolation valves and upstream of the HPCI turbine stop and control valve. They then reset the isolation signal that had occurred during the previous start attempt, and opened the inboard and outboard isolation valves.
The isolation signal was cleared, and with a low reactor water level signal still present, the HPCI steam supply valve opened automatically.
The HPCI turbine started, and supplied water to the reactor vessel.
Seven and one-half minutes after the event began, the water level in the reactor was again close to normal.

Washington Public Power Supply System
P.O. Box 968
3000 George Washington Way
Richland, Washington 99352
(509) 372-5000

February 1, 1982
GO-1-82-0041
Docket Nos: 50-509, 50-513

Mr. William J. Dircks
Executive Director for Operations
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Dear Mr. Dircks:

Subject: TERMINATION OF SUPPLY SYSTEM NUCLEAR PROJECTS 4 AND 5 (WNP-4 and WNP-5)

On January 22, 1982, the Washington Public Power Supply System Board of Directors adopted a resolution terminating the Supply System's Nuclear Projects Nos. 4 and 5.
Construction work on these two (2) projects essentially was halted by the Supply System in July 1981, with the intent that an extended construction delay would continue until June 30, 1983.
We advised the staff of this construction deferral by letter to Mr. H. R. Denton dated October 26, 1981.
Those projects were under construction pursuant to Construction Permits CPPR-174 and CPPR-155, respectively.
At the time that work was halted, WNP-4 was 24% complete and WNP-5 was 16% complete.
The Supply System has developed a plan for termination of these projects which contemplates two phases.
Phase One involves efforts to sell the plants intact to a new owner.
The Supply System will maintain the plant structures and equipment in a licensable condition at least through Phase One and possibly thereafter, and will comply with the conditions of the Construction Permits and the requirements of NRC regulations.
We intend by and during these efforts to retain the Construction Permits.
We are willing to meet with your staff to brief it on details of the efforts contemplated.
Phase Two of the termination plan will commence only after the Supply System determines, subject to the rights of the Participants and Pacific Power and Light (10% owner of WNP-5), that it is no longer prudent to expect that the projects can be sold in their entirety within a reasonable time and without unreasonable expense.
No definite time period has been set for completion of the first phase and initiation of the second.

W. J. Dircks
Page 2
February 1, 1982
WNP-4/5 Termination

In Phase Two, plant equipment and materials will be sold or otherwise disposed of in a prudent manner, in accordance with applicable contractual and legal procedures.
With regard to WNP-4, the application for an Operating License for WNP-1 and WNP-4, including the FSAR, FER and General Information Document, was submitted to the NRC on November 25, 1981. Because we intended at that time to resume construction of WNP-4 following the extended delay, the application addressed both WNP-1 and WNP-4.
Recent events dictate that the application address only WNP-1 now and until further notice.

Very truly yours,
R. L. Ferguson
Managing Director

GbS/sm

cc: HR Denton NRC
V Stello NRC
EG Adensam NRC
Schwencer NRC
RH Engelken NRC Region V
NS Reynolds D&L