ML20065F209
| ML20065F209 | |
| Person / Time | |
|---|---|
| Site: | Midland |
| Issue date: | 07/31/1982 |
| From: | Enzinna R, Swartzell S, Winks R BABCOCK & WILCOX CO. |
| To: | |
| Shared Package | |
| ML20065F199 | List: |
| References | |
| BAW-1743, NUDOCS 8210010284 | |
| Download: ML20065F209 (61) | |
Text
s,_,- o . - .m
-M M%p.9#s 4.C? , . .. _ , w, 9-@_y
- _. _.,'
p'CM m.m.g mG<W: -M 1 #.Q wW- r._M -
p*%E y,b.JWM MVEMnfMMg C.,,m,L;*?.}u: n m_M4M u n i"db*p DAUg@m n .mn k.g w ,
p*. ~'Q; A; n } n.% a v. m Mf. od:'d y'W sv ,, $ 4 m
. e
\.~. g & p Agw m . 9 q a,s:-4.; n..q$
s A w rs a : @w e d .g .Q., . m._ _
r%:n . ,9.% , .w. b Q5 .4)'. .
.n
>q$g. %;WhM&hQiyj&w&b:y4 %Wjifyy . lQ'-;R.u%g,Mw. h.,,m%
r v%a.q
- e. dq ~ p mwco A Cm & e&pm %%ay%Wpms,1.3 W4 y.,&=r:A W hi
.w-
.JX</p-wm, .wme BAW1743 W ..w 2.
n,, m g.n.m
.m. _s
,e,- . p M
spm ;w.
-m MMtm.m we-~.
mw_4,. .
.n. ,.z. p.?n W 3 _,
4wm.m*O>
s e-. ng w% - s mae..wr wewse su@M.,sg ,
.. %Jul..yg,
%1982 wmwq . _
- s. 'w. W,QWM xpm &., %, w=***.N fA m -lT'lJi-4,.M 'C&Ry r~mmmuW.w*mm
.MF.} % g % . o wwng a, m e .%._i.'s.; y'Q Rf.&w; rg. , m. # ."e. r*WW q,. g
- r. -
- Q y.*.Q i
- r.,% * . ^ _
- ww .nm%NkNTo'%Q,. w w.g r.
4 %lwp. M.f %g?.n%m wp~m'e]m,w& m<wTQQ p ..m.s&m@m 3y ihwN.L24 y' + sqA,y v, ._ ,wrQ :.fM _w< w Kj I;-
&&.-w M b WNy bpy0.p$ww&%.Qc. ,Q-
.%W'T.**g' y .,-C ;
i * .%, . 6, ;f i, :3 ,.
tw,y:p- c
. - . mym., L7 , '. . w)K.4. ,c s.,.n. . ,.. p, .wy- t,. g ,,,o .w . s.~,., _ , p, ..;
p 4. w,., w-. +w. ;. _ s 7 s ..,%.
.,.,u %y p.c y.g s _q x,J i y L ~*n
< --. . .n. e .L..,L: , ,e
. n;.
- s.g,y w; *'ps.d s... ,p,*,.%. u +p._ ,.Q A e ans
.e - y %.o2 .M + ., <.. Qm : / ,1 z v y ..; .. .>m-. ,m 5awr 413* m/~y ,1.a wry -3v pa <~r e t :, %g.n. ..; psp
+cw ,. ,. -
-& ;J esy M..s%:. > W _o s f? ,y;y t,A ;A s e%w.ybd gj e%
, t - .r a .:p % -
qar N3> .:49g. 5 ',;: g f A.
9 Q < Mag'qg . " 4 w h m.Q g. ys's,Q. N.\'A &ne r
,n
- if c..-..
.a. W Amd bW%yA,p u
~g. -. w. n,ce ~ .m
% +: p cmee. -...r=q a a . xoy--M>:n moag M'"Qy ma;v .wMpe ggg;c;mg a% J M-?smA,.m w .,. s,w-y'4,a ; , y- ., e .
m wn.,, p. r.w.. , w%w.m,, . . a, . , + . . wn,n.w,,m, v. m,
. +y p~.+,mr.n
, ~,. w_. .,._s .m. . m.x.. ww. .. . - .
ge m.#g. w w w. .q- ~ -.= . n+
,a . .
n.w ,
- t. wn%e . w .m. %,n - e.wam z,_ pw t W .Qx%%.:g y w,:g; w -.tr ~,.<.gs i Mm;m. m* m, m m em w 3. e%.a,p W- a. y ; %_
m+
L..m,.4.~ n,Wamy.fw t,3.,w@u --
- s. % . . _ ' %. %.%m.~w m A w. _ g-
- m'r p) m . 4. ,s ,9* . .,.e &m. s,,. e d'%,y. %
m., np.g=. e m..,.,ypm, m' ,. .m .
x.s.%,wa. % ,s.
~
,e r. . ,( i.,.c ,e a m u.< .n 7.:..,. _. ' . . ~
- f. r' is,4w+% .y ' sm 1,d* t . .. h.. c5 c 6 ;- r%.s
,.;* - 3.- z
.b ,. ,
Q. % p' $ Q'.. . c.4,,,l;A N
y,.if. , u. .c.), y. ..c u ',4' .'ys,w.sf .%,
% f 3 j ng > . . 'r f .p yt -
f.t .f* % s' vw. sv,,.---t > . o,t , y A %.s.*.
y,ht 4** . ' . ... ..J g .9,5 n.g . .
L.& ,- 'g,' - .A . ,t l
). Ag .,: : -4 .. n r.; p m .e - .
- s. n,1 y 4. .m c. aJ, r %
L ? t%. . ". A, y p .f, f. ,'*f,.afm, 4 e W , ,
- W ; ,r wg -
pww% n u. g. . . :g h 4- .
+=.~vcv. ;
~ K A;
_y J vv. 4 pr. n ' g Up }c.:9. 4:.4 w.pe. gyy ayp Aky m g&eyf).9...., :ya sy.pz-T z ~* u<&- 7. e . , . g;.k+en% . ;'ly6. , ,a..Q:p 9 ,.n,u: s.r u
^ ~ y' ~ y w . mv, 0, ,
A~. @g.,. ,3 , , ~.
% a. . :p:n.p n y,n as - s g p:nyn:s ynnw u :
o N
-- c' v s,
. m.M, sap w w T+ n e .
't?r e'
- o u .
._g ;- cp4 ,.;w3 QS8 pyy-a -a, p.-e g tr A%n ,rg c,t A
_- ._g.
&, .- w w, m~a./=lvk. v.%@9 .3s;*. .
sN
- m. w
,n..,c+.3
~ ,. , u..
4 a m1ya. m# .x . .e .- R ,7,.%w , . j p_,m . ; * .1.~-a 4
. e..7- .,s.w n. .
. .c g p f,4 *_g*. g-At- ,w - r p 4 ~y u s m, c m(, w .p_
p L k P7t@~m.,;% .t W<%m, . M.V W C d ',:_y.~. ' . g
'4
. ... ,%' ~:%, ,,, 3 -
.G S,qI *4-@a w W
- i
- w
.m . 7 <O.% 4 - w
_. 4 + ?. f. .% _ %. c g y "* g2. ?ue +: *%. A sna4'!. ;2 ^ -.
VF,O w- k" ,.y 6
w %m .., .%'Q Rwdv& ,, es,,Q gy:,jm,y. Vr.pg. . . <, 2n .-bsng.vys p ;. &a . w9.e. . :~s. ; .w .x@.n q> 4.e, .sw ;Q,:+:- m / .W. ;Wwa n, wt .x, y e
W. .'..M" e. -Q.q
~ ra - - . >
W E. -in-s.yEM.oM.MC, e m n x .w FA AY
,- m, n.
R % ,-
e s L enmany#v
, u . . , % .w w . w+w m- w w r.c wILURE -MODE . . . ~ ~ +. - - ~AND m - - EFF.ECT,S. .h.~m....,.
m -
aAN L SIS 4
m m
Wc.%.s.y %s .m.4 Q).r< sC,:y ., y '.', ,~. 0F.QMMLMIDLAND.NNI . %gg , 3l;. AND ICS ' .a m.,,
. . . . . , ,-@w.h.~% >
- < ' 4
- s y .w. u s. r. y. . m~ oor -.y. %.,. y,,,7 m. n, ,, .
~. .;;.m. . . . p.u. . ,.n .
.m.~
,n,.,
- ry p..m ..m~,y- ,,.. .~,./gp c. g j
'.'g_.w.f,.:,yj wo d - .4 p.w .44 e.n%e,., ,_f.,.+y,un. , , ,ep> w ,,q. y., ' - e,,-i
.gpmv n A+ f - y s p. s .
y u. a.A.4.x x.~, . m, c
.m m.gy.,n;,. wy ,,7 wg.- .
n r s s . . .
a a., o<n. 4. -.<:x..e.
a ..
~. .n.w - . .
,- . t,s w ..
- m-,
s .
m n as ... s.3n ' am;r w,m- ,
p., , nw w ~~ e a my 3; y ,w .~ pp wg,g au
, v .m , . . . , .~ ,, +
?
m~ x, - - ~ > ,
L ne no .;m~ . m, a'. ys -
Ii ?.)sy L4p. ,.y.( 3 '. .c q'; %- : a a
- r. m.,a&o.
o *-y . n ,. ~ ., .
w' ;g n- w .,:s
,m .t s
- 1 ' > < ,n.
",. y -L f.
R, -
...e .
~~4.,
5
'*%_*f,,,.. ~91 - ' k s G:'{ . . ) , ; e, > .*
r -
m',.R. s!.y~,+ . e.,'.. s,.. ..ss' m m.~ ..o. .A a - u. .
4 ..
..- 4
-. n .
~..
, _ am1 yw ~ m~y . -
<l9 2
_ % ., . <.A c.g os., ; Q. .. ?.,.. ,
W s h3,
, ~o s,.
- - n# a ; n <
U. y..Q. i . 4. , 'ia 1 pl. . T M.,d' ', .9 ,, , gi y'.& ' 5 n.: w. %.4.;. % . y7*<+ au cka s
m;w r . g. . y
- g. . n. m.+ w
- : , ~ -
D 'tf j b "'
Jm l. p M._ -" , ' , ~ , i <->
>p y. .;
s ,g..Q< Y~ : a crg>v %A . ,
. ,,- . w.a ..,-
.s.n q ,_
, - < % g, a<. -
... 4}p , % 1,,,a .y, W7e o J. m <- h,.
.L c>_
<.w.
p.~.% o 5 ,5 .
wp
,,...e - a s.
c f . 4 - >
g o .wm.~., w. . =,. s -.- .
e r m . . s m ~ w.u.gu .. , ; .:~p ,~. ,g . w . , . .,. .
- y. , .v. 4 y : ~y .w
,.. s. .v.g
,w ,
t -
/. i .
m -i -
+
a'Q. ,w.d). h ,-vy V
!h m . ..
., '.d *l* , u
- a. 4.- p g., <
r :-. . , ,.
s .
nb<.- >s 4 g- .. .
y .e".,.te' , ?,( . ,
- z. ..; q,.
, ,.? ,
- v. << Aq .
O 2.,
= w +_ -s s - ,
..o .. ,
,W. W y .g
- y c 4 ,1 f . *s . A *. e a
- 4. pm wy o g,.
,.,3 s %. . s , , , m% v-(m.g.h._@.. .,m n. m<- w$0-_; ,u ,-. c. ,
, ~ ~- a. ;.
. ,w< ,n..,wl. s s t.
e
...J+xQ: ptw3 3 . .d.s, _. A -
r-- ,v y g ;%,m<p; w <waa . . , p H.#. f 3: .b.y e
.W .'f% , we em .% ibw. . p 4 :_ . N m,. .*n . ;.
. h. 4, _' k' .'tw
( aswa r.
,'# . "ee _, a .% h
' . ' Wu wy
' w p' '.J? m f' ' M.,w 2 m
. T . "; *, A *<" 3u 4
- 1
. ,mn,J IJ ' A ' . ,
m
^
--3 y ', y * . . .. wc:c ..w.
l t. ri ' " i ,. sxp- < . g r. . .0 ;
. e , n< ' -
i, .
.^
- ,# m. ', . .s.o . w .x. - *y ,.
e
~,m . 4-.u
.j 1<
,, p*G, . ~y . w< e (w3. ,%s.pa j ,.
w .
3 , w59
,a, w
v..-s s .. , m.
,j . .m , - ,
- t. - -a ..,- t,.n. ,s - U a, . , m. m
. e. A g,v $ - w :s
./~> c .
,w s x
. c..sc. m. . , . . w.-
,.y.
r ...r.- ; u. ,,, .w, h-., ..r 3 .. ..<m i ..
e zM . . .;L %.,* . & nv,h,v s. m m, Q:y g %,2<,,
{ p Q.',, m..q
- =v.'
r s-.':Ty"4^,
n e j" A
. - g..',- .Q' .u g
m+a .m .o.,
ege ..o,
+ o m. p
. s < m-tw, . .y , a.=s . ,.uy; <xi ...
n a h- 4~cy e, %.g.,c m. .- x. 4 m : m; n s .J,
- ~
, , e - . < % .. . m ,
m +
m.a ." & n ;: -; ,
%.V a."
a %nMyd%m. ,:, 3,w,AniV: - . W : n ;s M. .Ms ui . 4.,Wf%s%c.. % w ~;, , < -Ai
,,e . m .sa m
? y%
4 . : D , :,.. s~ ac,
(,Ma.er W &w M .% 9?M $s ad, a@ <.#. $.NN m i %
M 44 l ' %%=
w_N. P .t .:'Nu s' y J .o f b .,w
( -
V*.
~ m_
- s
. h i T..
e&~%
, 'w I~ .
-.'[.< _ -
- vn-v .
~., n 4'
\'.-
C a e y.t,qy. ML M m- .m v. a'., p;;m' t;m, N.'$+' %';' .. 4.m.w 4.-
"v
[ ' il.'fJ n & mn . > > , c Q, e s,,, , g a g., 9 .y;.' g .-g w'f 4pg. E ! .#:m e'" p e-
? ;g a 4 ' ,, y .5 - Q m'
.. .-p <- i^
. y. J ~w TQ u C " . .:,o , C o '. - C ;r m' 2 "'
{.
t J.:4.w w"f pNa' % sW.tk vu '., 'f s '*Qv > ;y%'p;&% y}g ry,.g "; p :Q = l'b ~i' W p'UR*& g n'cm:n.: os v u 4 o mw. w .ws , w - +
g3% wommw%v+;,#m'4.' .m- M e w m .d. W w. e .%.u '- ~ %w.m# a c -
r a i 7.(.
@c 1;%jD
'. . -.a/A;f A d5
. ag, hcww M. AU&n a-ah. .D:. DMMMA T.'M,j,Ee;<*Q.N%pM@$4Y SN J46. :4K' M'* / mm
, A '.Z 8 / + Wp w
y . * . % ) . * . 4.m 4.TUR U " 6 +
+ /M
. ."', b,-
i 4 N
,_,.-[-* QV. N
- y T'
b w .s~ w nu.xy,w.:"
. wm e.<-e s.- w : m-v,.,n % gjt w+.m,w, m.rwyvua,w.ma ,
w m.&, % ., v v v -
wo-. "is ' . .m o- nL . a^ @4 %
p~ ;p~
- y.f ny ~ n w .m,n . wr ...~: s,.w..
- e, .ww w s. x,..w w o > w.gm,,,ww .n.,y,snm> m .. . ,, n.. & . ~ w , .e,,.,.v .c t, 4 ,,m v
%;f 7:.G.h4.Ap.j-s.. ~#.w , q Q w 4,'.ywg-im!.
h y ,%f pf,g p n,msp
' ~
c, {g.4 w* %, 4, -w L - -J ;
r,w :, ny yn.w'as W f.g ,t.4, J,g.
..,- p.;.uW+9w m
n:r. sw ws x- n.ngn.w w+q%.c .ww,-.y2,9gwwwgs~n. e.~ e.m ,w ~ . ~ .
nn.
. n: . s wm eu + .,. -
n, .
~ ~
R ..y g n a G4gm u.. g g ,g q;g yc,L.^t.9. Q cNj y g , g g 7 74 - t .
w
.c e - .A , . aa nav
~
m#m. qm _.m. ,:a 7 n~;* s,sm.s.~.~. > : ky. a .,v.s4.m/ m m ut:sw, a.ct:.:q m,
h- UQ h~],*xM. w. . u w :"w w W i*. A % "ir,,su A W A;.G,w n W.w x aw . wm tC' , &iMa w- m.m. y;~, wm.. . W %w b, v.1:. w, ;
4 <c n
> s- +
e scow e cm my QUA
% q' n.;c%11"%g92 w R - m 4 3.- w w& s, .
, ZA . , . WG A .
rb N $5 PDR ADOCK 05000329 v
o 8210010284 820923 WC Tc 3 N "My4 %
m e w w m C#W y.m mB @,. $ n
<~
"" Or v 4~ ^
5 n%. %-m. g
, w.w, E
PDm _R wm we .w, ;
wo,yyy. ~- sw2 .- m..~.^'*
,,w.. . &. -
s .
v . m. .,i
-. , .c .
c Q,:s' ~y L h<R E6. 'eq_g. eg,g,k*! L ,sz+gr. .u,R E;f,QMfs.Q,,gh.J,' 4 , .
z s a n?.st,eA + t i. m % Lo :w.: g y g..
BAW-1743 7
{
July 1982 f
6 I
i I
FAILURE MODE AND EFFECTS ANALYSIS OF THE MIDLAND NNI AND ICS I
l by R. S. Enzinna R. W. Winks "
S. D. Swartzell R. F. Broadwater M. 5. Kai
, W. E. Wilson Reviewed b : *i 1MfA) 'Dite' h/f&
/fj' /
l Approved by: ~ W [ 'Da t~e fV l
l i
BABC0CK & WILCOX Nuclear Power Group lJ-i Nuclear Power Generation Division P. O. Box 1260 Lynchburg, Virginia 24505 7,
i,
, Babcock & Wilcox b-
lI~ EXECUTIVE
SUMMARY
l' An analysis was undertaken to provide responses to NRC Questions 30.56 i
through 30.59 of the Midland Final Safety Analyses Report (FSAR). The NRC re-quest was to (1) identify power sources, sensors, or sensor impulse lines that serve two or more non-safety grade control functions, (2) demonstrate that failures would not result in consequences outside the bounds of the ex-isting FSAR safety analyses, and (3) ensure they were within the capability of operators and safety systems.
Potential transients, which could occur at the Midland plant for f ailures within the non-nuclear instrumentation (NNI) and integrated control system (ICS) were evaluated. It was shown that all f ailures evaluated resulted in plant responses that were bcunded by analyses included in the Midland FSAR and were within operator and safety systen capabilities.
Analysis of NNI and ICS f ailure nodes and effects included the following events:
- 1. Single instrument f ailures.
- 2. Power supply failures.
- 3. Common sensor impulse line f ailures.
The analysis of single instruments consisted of postulating f ailures of con-trol system inputs and outputs one at a time and evaluating their effects on the plant. All single instrument failures resulted in either plant responses l.
that are bounded by the FSAR analyses or operating anomalies not severe enough to be analyzed in the FSAR and well within operator capabilities.
NNI and ICS power supplies were investigated to detennine if a f ailure could l cause more than one control f unction to fail and to determine if the result-ing plant responses are bounded. The NNI and ICS designs incorporate redun-(, dant power supplied to each system with normal and backup a-c and d-c power auctioneered within the ICS, NNI-X, and NNI-Y cabinets. There are no s
j
- iii - Babcock s.Wilcox l.
credible single failures of external or internal power supplies that will result in loss of any NNI or ICS functions. However, for the purpose of analyzing plant response, losses of a-c and d-c power were postulated for the NNI-X, NNI-Y, and ICS. This evaluation shows that complete losses of a-c and d-c power for the NNI-X, NNI-Y, or ICS are bounded by the FSAR analyses.
The evaluation of common impulse line failures consisted of identifying sen-sor impulse lines, which provide signals to more than one control function, and evaluating the failure effects. The only common impulse lines identified where failures could simultaneously affect more than one non-safety grade con-trol function were pressurizer level and pressure taps. In addition, a com-mon line is shared with the NNI and the safety-grade reactor protection sys- ;
tem for the reactor coolant flow taps. The resultant plant responses to '
failures of these lines were evaluated and determined to be bounded by FSAR safety analyses.
1 I
I l\
, - iy - Babcock s Wilcox i
-, , - , . . -m-.= -- ,r-- ,-- , - - , ,-,,n , ,,, , , - - - - , , ., - - - - , . , , , - , . - , , , - - - - , - - - ,
en, - - -,
- - - - + -
f*
CONTENTS Page
(
1 t
- 1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . .
1 1.1. NRC Juestions ....................... 2 1.2. Objet'.ive .........................
3
, 2. CONCLUSIONS ...........................
5
- 3. SCOPE ..............................
5 3.1. Control Systems Included . . . . . . . . . . . . . . . . . .
6 3.2. Events Included ......................
3.2.1. Less of a Single Instrument ............ 6 3.2.2. Power Supply Failures ............... 6 3.2.3. Loss of Common Sensor Impulse Lines ........ 7 !
3.3. Failure Modes and Effects Analysis . . . . . . . . . . . . . 8 (
8 3.3.1. Component and Failure Mode Identification .....
3.3.2. Evaluation of Plant Response . . . . . . . . . . . . 8 9
3.3.3. Assumptions for Plant Response Analysis ......
3.3.4. Identification of Bounding Events ......... 9 10 3.3.5. Basis for Selecting Bounding Events ........
- 4. RESULTS .
Plant Response to Loss of Single Instruments . . . . . . . . 11 4.1.
Plant Response to Power Supply Failures 11
- 4.2. ..........
Plant Response to Loss of Common Sensor Impulse Lines 13 4.3. ...
13 4.4. Break in RC Flow Tap . . . . . . . . . . . . . . . . . . . .
e 1
-v- Babcock s,Wilcox 6.
)
List of Tables Table Page r
15 I
, 1. Midland NNI and ICS Signals . . . . . . . . . . . . . . . . . . .
I 2. Plant Response to Failures of Single ICS and Pressurizer Control inputs ................... 19
- 3. Plant Response to Failures of Single ICS Outputs ........ 27
- 4. Assumed Hand Switch Positions . . . . . . . . . . . . . . . . . . 31 Sa. ICS Input Signal Failures Due to NNI-X - 24 V de Power Supply Failure at Full Power ............... 34 Sb. ICS Input Signal Failures Due to NNI-X - 118 V cc Power Supply Failure at Full Power ............... 35 Sc. ICS Input Signal Failures Due to NNI-X - 24 V de Power Supply Failure at 30% Power . . . . . . . . . . . . . . . . 36 l
ICS Input Signal Failures Due to NNI-X - 118 V ac Sd.
Power Supply Failure at 30% Power . . . . . . . . . . . . . . . . 37 Se. ICS Input Signal Failures Due to NNI-Y - 24 V de Power Supply Failure at Full Power ............... 38 Sf. ICS Input Signal Failures Due to NNI-Y - 118 V ac Power Supply Failure at Full Power ............... 39 Sg. ICS Input Signal Failures Due to NNI-Y - 24 V de Power Sugply Failure at 30% Power . . . . . . . . . . . . . . . . 40 Sh. ICS Input Signal Failures Due to NNI-Y - 118 V ac !
Power Supply Failure at 30% Power . . . . . . . . . . . . . . . . 41 Si. Output Signals of the ICS Due to 118 V ac Power Failure at 100% Power Level (and 30% Power Level) . . . . . . . . 42 ,
Sj. Output Signals of the ICS Due to 24 V de Power I Failure at 100% Power Level (and 30% Power Level) . . . . . . . . 43
- 6. Plant Response to NNI/ICS Power Supply Failures . . . . . . . . . 44 i
- 7. Common Instrument Line Failures . . . . . . . . . . . . . . . . . 46 l
l l
List of Figures Figure
- 1. Sources of Sensor Input for the NNI and ICS . . . . . . . . . . . 48
- 2. NNI-X Power Distribution System, Schematic Diagram ....... 49
- 3. Response to Mid-Scale ESDD Failure at 30% Power . . . . . . . . . 50
- 4. Response to NNI-X 24 V de Power Supply Failure at 100% Power . . . . . . . . . . . . . . . . . . . . . . . . . . 51 ,
- 5. Predicted Response to Loss of Loop A RC Flow Input {
Signal to ICS . . . . . . . . . . . . . . . . . . . . . . . . . . 52 [
i
- vi - Babcock & Wilcox ,
.{
t.
l I' 1. INTRODUCTION f
, 1.1. NRC Questions
[ This report documents the evaluation perfonned in reply to an NRC request for
, additional information regarding answers to FSAR questions 30.56 through 30.59, which concern the Midland instrumentation and control system.1 The request is as follows:
Your responses to Questions 30.56 through 30.59 on control sys-tem failure concerns are incomplete. We requested that you iden-tify any power sources, sensors, or sensor impulse lines which provide power or signals to two or more control (functions) and demonstrate that failures of the power sources, sensors, or sen-sor impulse lines will not result in consequences outside the bounds of the Chapter 15 analyses or beyond the capability of operators or safety systems.
The evaluation required to answer the above concerns should consist of postulating failures which affect the major control systems (both in NSSS scope and B0P scope) and demonstrating that for each failure the resulting event is within the bounds of the accident analyses. The events considered should include but not necessarily f be limited to the following:
- a. Loss of any single instrument
- b. Break of any common instrument line
- c. Loss of power to any systems or equipment such as to any inverter, to any control group, or to any process rack.
l The initial conditions for the analysis should be within the full operating power range of the plant (i.e., 0-100%).
L I
- i.
ICSB, Question 3 attached to NRC Meeting Notice, October 23, 1981.
Sabcock & Wilcox l..
The response to Questions 30.56 through 30.59 should be revised to specifically identify non-safety grade control systems and the impact of the failure with reference to Chapter 15 analyses that insure that these events are bounded by the plant safety analyris.
Questions 30.56 through 30.59 of the Midland FSAR are:
Question 30.56 Identify those control systems whose failure or malfunction could seriously impact plant safety.
Question 30.57 Indicate which, if any, of the control systems identified in the response to request 30.56 receive power from common power sources. The power sources considered should include all power sources whose failure or malfunction could lead to failure or malfunction of more than one control system and '
should extend to the effects of cascading power losses due to failure of higher level distribution panels and load centers.
Question 30.58 Indicate which, if any, of the control systcms identified in the response to ,
request 30.56 receive input signals from common sensors. The sensors con-sidered should include, but should not necessarily be limited to, common hy-draulic headers or impulse lines feeding pressure, temperature, level, or other signals to two or more control systems.
Question 30.59 Provide justification that any simultaneous malfunctions of the control sys-tems identified in the responses to requests 30.57 and 30.58 resulting from failures or malfunctions of the applicable common power source or sensor are bounded by the analyses in Chapter 15 and would not require action or re-sponse beyond the capability of operators or safety systems.
1.2. Objective The objective of this study is to respond to the NRC request identified in section 1.1. The remainder of this report documents the evaluation required to answer those questions.
Babcock & Wilcox
r*
- il.
- 2. CONCLUSIONS The failure modes ar.. effects analysis (FMEA) performed for the Midland non-nuclear instrumentation (NNI) and integrated control system (ICS) and their related power suppplies demonstrates that the potential failures identified f
that result in a reactor trip lead to events which are bounded by the safety analyses contained in Chapter 15 of the Midland FSAR. The postulated fail-ures of the ICS and pressurizer controls are itemized and each is shown not to seriously impact plant safety, and none require action beyond the capabil-ity of safety systems or operators.
Not all failures will cause a reactor trip, and therefore, in the strictest sense, these failures result in plant conditions that are not bounded by the Chapter 15 Safety Analyses. Clearly these failures are much less severe than events presented by the SAR and are of a nature that do not require such anal-
, yses. These operational anomalies could be described or categorized by the resultant plant effects Benign: No plant change results l
i Stable: A new and different steady-state operating point is reached Quasi-equilibrium: A slow, gradual change results.
Single instrument failures were evaluated on a sensor-by-sensor basis. All single instrument failures evaluated resulted in either plant responses that are bounded by existing FSAR analyses or very mild and short duration transi-ents, which are not severe enough to be addressed in the FSAR.
The NNI and ICS have normal and backup a-c and d-c power supplies that are auctioneered within the NNI-X, NNI-Y, and ICS cabinets. Because of this de-sign, complete loss of a-c or d-c power to a rabirat is considered an unlike-ly event. However, for the purpose of this evaluation, the effects of hypo-
[ thetical power supply failures were analyzed. The evaluation showed that the plant can withstand a complete loss of a-c or d-c power to the NNI-X, NNI-Y, or ICS with consequences within the bounds of the FSAR analyses.
i.
Babcock s.Wilcox r l
The evaluation of common impulse lines identified common taps for pressurizer pressure and level. No other common line was identified whose failure could simultaneously affect more than ene non-safety grade control function. It was also found that reactor coolant (RC) flow taps in the NNI are shared with the safety-grade reactor protection system (RPS), this is a protection rather than a control system. The evaluation shows that plant responses to failures of these common impulse lines are bounded by FSAR safety analyses.
l I
Babcock &Wilcox
l r
.. l I'
I.
L' 3. SCOPE A FMEA was performed on selected control systems. Failure modes were postu-lated for power sources, sensors, and sensor impulse lines whose failure may lead to simultaneous failure of control systems. Plant response was evaluat-ed and a bounding FSAR safety analysis was identified for each applicable postulated failure.
3.1. Control Systems Included The evaluation required to answer the NRC request consists of postulating f ailures that affect the major non-safety grade control systems and demon-strating that the resulting event for each f ailure is within the bounds of the Midland FSAR Chapter 15 accident analyses. This evaluation specifically addresses failure or malfunction of the major non-safety grade nuclear steam system (NSS) and balance-of-plant (BOP) control systems. The following con-trol systems were included:
- 1. The ICS which includes the usual subsystems for reactor, turbine, and j' main feedwater (MFW) controls, in addition to the evaporator steam demand
' development system (ESDD).
I 2. Pressurizer controls, which include pressurizer heater, spray, and level (normal makeup) controls. These controls are supported by signals of the NNI.
- 3. Other miscellaneous plant controls (not given above) that have common l power supplies, share common sensor inputs, or thare common impulse lines are:
I
- a. Shared power supplies:
(1) The RC pump seal injection control function of the makeup and purification system.
, (2) Boric acid addition tank interlocks of the chemical addition system.
ll Note: Failures of power supplies for these functions produce no
. change of plant operation.
l' Babcock & Wilcox
!l.
- b. Shared sensor inputs:
(1) None.
- c. Shared sensor impulse lines (taps):
(1) A common tap for RC flow instrumentation supplies input to the ICS and RPS.
No other control systems were identified that shared sensor inputs, sen-sor impulse lines, or power supplies.
3.2. Events Included The failure events that have been postulated are:
- 1. Loss of any single instrument.
- 2. Power supply failures affecting more than one control function.
- 3. Loss of common sensor impulse lines.
Each of these failure events is described in detail in the following subsections.
3.2.1. Loss of a Single Instrument Failures of sensor inputs and control signal outputs of the control systems were postulated one at a time and the effects on plant response were evaluat-ed. Each input signal was postulated to fail instantaneously high.(+10 volts), midscale (zero volts), and low (-10 volts) for analog signals, and high and low for contact inputs. l i
Figure 1 is a simplified schematic illustrating the ICS, NNI, and sources of sensor input. Table 1 lists the input signals to the NNI-X, NNI-Y, and ICS cabinets and outputs. The bulk of all the input signals originate in the NNI system located throughout the plant. In addition, there are two other sources of input signals to the ICS - the turbine-generator and other B0P equipment.
3.2.2. Power Supply Failures
]
Control functions that receive power from common power supplies were identi-fied. Control system internal power supplies, in addition to inverters, high-er level distribution panels, and load centers, were investigated to deter-mine if failure or malfunction could cause failure or malfunction of multiple control functions.
l Babcock & Wilcox
The design of the external power supplies for the NNI and ICS incorporates redundant main and backup power sources from separate busses. The NNI-X, NNI-Y, and ICS each receive two redundant a-c power sources that are selected by an auto buss transfer logic and have two redundant d-c power supplies that are auctioneered within the NNI and ICS cabinets.
This configuration is very reliable and assures that there are no credible single failures of internal power supplies, inverters, higher level distribu-tion panels, or load centers that will result in failure of the NNI or ICS.
Because of the redundant nature of the NNI and ICS power supplies, single f ailure causes could not be postulated. However, for the purpose of analyz-ing plant response, complete losses of a-c and d-c power for the NNI-X,
, NNI-Y, and ICS were assumed. The specific towr supply failures analyzed consist of the following
- 1. NNI-X 24 V de failed to zero volts.
- 2. NNI-X 118 V ac failed to zero volts.
- 3. NNI-Y 24 V de failed to zero volts.
- 4. NNI-Y 118 V ac failed to zero volts.
- 6. ICS 118 Y ac failed to zero volts.
Figure 2 shows a simplified, single-line schematic of the power distribution system for the NNI-X. The power distributions for the NNI-Y and ICS are identical.
f The effects of failures of individual fuses, although not explicitly included 9 '
in the FMEA tables, are implicitly included in this evaluation. Sensors in the ICS and NNI are fused individually. The effects of single sensor fuse failures, therefore, are bounded by the evaluation of single instrument fail-ures. In addition, the worst credible impact of a fuse failure (although the f ailure mechanism has not been postulated) is an individual power supply fail-ure, which is bounded by the evaluation of the NNI-y, NNI-Y, or ICS power sup-ply failures.
3.2.3. Loss of Common Sensor Impulse Lines Failure of common sensor impulse lines, which could lead to failure or mal-( function of multiple control system inputs, were identified. This investiga-tion included the identification of common hydraulic headers, sensor taps, Babcock & Wilcox
'l
. I' and instrument lines feeding two or more control systen inputs. The failure modes analyzed consisted of breaks for common level, pressure, or flow mea-surements, and open and short circuits for tenperature measurenents. In addi- !
'J tion to common impulse lines in the major non-safety grade control systems, a ,
unique condition for RC flow taps exists. RC flow is input to the ICS and the safety-grade RPS.
Plant response was evaluated for each f ailure mode; this evaluation is de-scribed below.
3.3. Failure Modes and Effects Analysis 3.3.1. Component and Failure Mode Identification I
The postulated failure events for the evaluated control systems were compiled J into tables. Separate tables were prepared for loss of any single instru-ment, power supply failures, and loss of common sensor impulse lines. The f ailed components, failure modes, and control system input signals affected were itemized.
The FMEA tables also contain columns for description of the transient effects and the FSAR bounding event identification. The following sections describe how the effects and bounding events were detennined and itemized for each failure mode.
1 3.3.2. Evaluation of Plant Response The failure modes identified for loss of single instruments, power supply )
failures, and common sensor impulse line failures were the input for the ef-fccts analysis portion of the FEA.
Plant response to each of the identified failure modes was evaluated and itemized. In some cases plant response to the failure could be determined by {
engineering judgment or from previous analysis 2; in other cases the transient was run on a simulator for the Midland plant to predict or verify plant re- l sponse. In each case the predicted plant response was reviewed and verified by an experienced engineer with a good working knowledge of the plant, con- t I
trol systems, and operational experience at other B&W plants.
5I ntegrated Control Systen Reliability Analysis, BAW-1564, Babcock & Wilcox, August 1979. q Babcock & Wilcox
The simulator used to evaluate plant response was the digital nuclear steam supply simulator at Babcock & Wilcox's Advanced Controls Research Facility, which was modified to represent the Midland Unit 2 plant.
3.3.3. Assumptions for Plant Response Analysis The following assumptions were made in the evaluation of plant response:
- 1. The ICS is operating in a full automatic mode.
- 2. The operators do not manually switch any sensor or take manual control of any parameter / device during the transient.
- 3. The transient was evaluated for a period from the time the signals fail until a sufficient time past reactor trip to ensure adequate post-trip response, or if the reactor did not trip, the evaluation was run until a b new quasi-steady-state operating condition was achieved. (The evalua-tions usually were nJn for about 10 minutes if reactor trip did not occur.)
- 4. Midland Unit 2, which is designed to generate either 855 megawatts elec-tric or 40% process steam load combined with a power generation of 510 megawatts electric, was modeled.
- 5. Two power levels were established as initial conditions for the response to selected failures - 100 and 30% power. The lower value was selected to represent a typical low power operating condition. Low power evalua-tions were made when it was clear that the plant response would be signif-icantly different from the high power condition.
3.3.4. Identification of Bounding Events I The FMEA identifies, where appropriate, an FSAR transient that bounds the effect of each failure mode.
The failures can be divided into two categories: (1) those that cause a re-actor trip and (2) those that do not cause a reactor trip. The failures that do not cause a reactor trip result in very mild transients of short duration.
A slightly different final steady-state is reached from the pre-failure steady state. These transients are not severe enough to be addressed in a
. FSAR. Thus, no identification of bounding FSAR transients for these f ailures is made. For transients where a reactor trip is predicted, a bounding tran-sient is identified.
e Babcock s Wilcox l
P i
3.3.5. Basis for Selecting Bounding Events f Because the FSAR Chapter 15 analyses are prescribed for the Standard Review Plants for very definite sets of events each with specific initial conditions ,
and equipment failure assumptions, the SAR analyses will not always bear a "one-to-one" relationship with the failures evaluated by this study. There-fore, the following criteria were selected to permit the most appropriate alignment. For each condition the criteria for detennining whether the event is bounded by 1.he SAR analysis are given.
- 1. For events that did not result in trip, no bounding SAR analyses are ap-plicable. (Note, however, that the analyses that were performed showed acceptable results.)
- 2. For secondary plant events that did result in a reactor trip, the most dominant characteristic of the event was used to detennine the appropri-ate SAR analysis.
- a. For events characterized by total or partial loss of feedwater, the SAR total loss of feedwater event was selected. The event was con- >
sidered to be bounding if the SAR peak RCS pressure was greater than the event evaluated for this report.
- b. For events characterized by excessive feedwater, the SAR analysis was considered to be bounding if the feed flow increase was greater (the .
reference SAR analysis is 15.1.2.).
- c. For events characterized by loss of steam pressure through the tur-bine bypass, the SAR turbine bypass failure case was co.nsidered to be bounding if the steam flow increase was greater.
. 3. For events that affected rod control or improper signals to the control rods, no bounding SAR analysis was selected. A reactor trip will occur,
- and the rod control system action is terminated by the insertion.
l Babcock & Wilcox j l
.f L.
I i
- 4. RESULTS f 4.1. Plant Response to Loss of Single Instruments Failures of the ICS and pressurizer control inputs were evaluated on a sensor-by-sensor basis. The effects of high, midscale, and lov f ailures for each 1.utrument are presented in Table 2. A brief description of each antic-
- ipated transient, whether or not the reactor tripped, and the bounding safety analysis is presented. The effects of failures of single ICS outputs are presented in Table 3.
Figure 3 gives an example of plant response to a single sensor f ailure. The plant response was evaluated using the B&W Advanced Controls Research Facili-ty simulator. This example illustrates the expected response of the plant when the evaporator steam demand signal fails from 0% (off) to midscale or 50% of total steam demand. This transient does not lead to a reactor trip but achieves a new steady-state operating condition for the reactor and the turbi ne. This plant response is typical of many single input signal failures when no reactor trip is expected.
In general, failure of instruments in the high or low position (+10 or -10 V dc) is much less likely than a midscale failure (zero voics dc).
4.2. Plant Response to Power Supply Failures This section presents the evaluation results of the transient response ci the 4
Midland plant to specific NNI and ICS power supply f ailures that would result in loss of power to groups of ICS and pressurizer instruments.
The specific instruments affected by each power supply failure are dependent on the position of hand selector switches in the NNI that allow the operator l*
to select between redundant X or Y powered measurements of the same param-eter. For the purpose of evaluating power failure effects, specific hand se-lector switch positions were assigned. For conservatism, it was assumed that upon an NNI power failure, the operator would not switch hand selectors to k
. Babcock s Wilcox L
the " good" sensors. Table 4 shows the specific position assumed for each ,
selector switch in the NNI. In general, NNI-X powered sensors were selected for loop A measurements, NNI-Y powered sensors were selected for loop B mea-
_f surements, and average measurements were selected where available.
Each postulated power supply failure affects the plant controls by causing groups of ICS or pressurizer instruments to suddenly change from normal to false indications. Phnt response was evaluated by applying the false con-trol signals to the Midland plant simulator while operating at full and 30%
power levels.
Tables 5a through Sj pr' ant a list of the corresponding control system in-struments affected by each power supply failure. For both the full and 30% l plant power levels, the tables indicate the normal operating value of each instrument and the failed value, which was applied to the simulator.
The effects of the power supply failures on plant response are itemized in Table 6. The transient effects of each power supply failure are described and the FSAR analyses that bound the events are identified.
An example of plant response is illustrated in Figure 4. This figure represents the simulator nudel prediction of the transient effects of NNI-X '
24 V de power loss at 100% power.
Loss of NNI-X 24 V de from full power results in a rapid overheating tran-sient caused by loss of main feedwater to both steam generators. This tran- 1 sient is bounded by FSAR analysis 15.2.7," Loss of Main Feedwater." This d transient is described in more detail, along with the other power failures, in Table 6.
k.
1 Babcock & Wilcox
(-
a.
,. 4.3. Plant Response to Loss of Common Sensor Impulse Lines l-Table 7 identifies the control system inputs that share common taps, hydrau-lic headers, or instrument lines. Most of the common impulse lines identi-fied are taps that supply two measurements of the same parameter. The opera-tor selects one of the two measurements so that only one at a time is used for control. Thus, the failure has the same effect as loss of a single in-strument, which is described in Table 2.
l The only common impulse lines identified whose failure could affect more than one ICS or pressurizer control function were the pressurizer level and pres-sure taps. The transient resulting from break of these taps is described in Table 7 and is bounded by FSAR analysis 15.6.2, " Break in Instrument Lines or Lines From Primary System That Penetrate Containment."
One other commonality identified was the RC flow measurements shared between the ICS and the RPS. This is a special case because the RPS is a safety-grade protection system and not a control system. This failure is covered in section 4.4.
4.4. Break in RC Flow Tap The RC flow rate taps on loops A and B of the Midland primary system are shared between the ICS and the safety-grade RPS. The transmitters are ar-
- ranged on each loop so that two of four RPS channels and one of two ICS trans-mitters are on each tap.
- The transient that results from a failure of the loop A (or B) RC flow rate signal to the ICS when the plant is operating at full power has been run on the Power Train V (177-fuel assembly plant) simulator. Figure 5 shows sever-al parameters that were selected to indicate the nature of the transient.
The initial effect of the loss of a valid RC flow rate signal is to cause the loop A Btu limits circuit to suddenly generate a 0 lb/second feedwater (FW) flow rate to match the demand. Since the total FW flow rate is now less than the total FW demand, the FW flow rate to the loop B steam generator increas-es. The loop B FW control valve will open fully, while the loop A control valve is being stroked fully closed.
The cross limits circuit in the ICS senses that the actual total FW flow rate lr is less than the total FW demand signal and will attempt to reduce reactor l
k.
.- ~
l Babcock a Wilcox l
I power to match the total available FW flow. The rate of core power reduction I is approximately 25% per minute for beginning-of-life (BOL) conditions and slightly higher for end-of-life (E0L) conditions. f The reduction of FW flow rate caused by the loop A Btu limits circuit is f aster than the reduction in reactor power (which is limited by control rod insertion speed) and overheating of the RC system occurs. This will cause a reactor trip on the high RC pressure channel of the RPS less than 1 minute af-ter the failure of the loop A RC flowrate signal. This transient is bounded by FSAR analysis 15.2.7, " Loss of Main Feedwater."
l k
I f
Babcock s.Wilcox
,, L e.
l Table 1. Midland NNI and ICS Signals ICS ICS f Signal (transmitter) NNI-X NNI-Y in out
,. NR pressurizer pressure (2-1) -
(2-3) -
Pressurizer level (14-1) -
(14-2) -
(14-3) . -
Pressurizer temperature (15-1) -
(15-2) -
Reactor coolant flow ~
Loop A (IAS) - X or Y (IA6)
Loop B (1B5) - X or Y (186)
Total temperature comp. RC flow X or Y Thot Loop A (3A1) -
(3A2) i LoopB(3B1) -
(3B2)
Tcold Loop A (4A1) -
(4A3) l Loop B (4B1) -
(4B3)
Startup feedwater flow Loop A (3A) -
Loop B (3B) -
Feedwater temperature
- LoopA(IA1) - X or Y (IA2) -
Loop B (IB1) - X or Y (IB2)
Main feedwater flow t Loop A (2A1 - X or Y (2A2 Loop B (2B1 - X or Y (282) f Babcock & Wilcox
~ )
ll Table 1. (Cont'd) ll ICS ICS Signal (transmitter) NNI-X NNI-Y in out i Steam pressure Loop A (12A1) - X or Y (12A2) -
LoopB(12B2) - X or Y (12B1) -
Turbine throttle pressure '
"A"(16A) - X or Y "B"(168) -
Feedwater control valve AP LoopA(SA1) -
(SA2) -
Loop B (5B1) -
(5B2) -
Startup level LoopA(9A3) - X or Y (9A4) - ,
Loop B - X or Y Operate level Loop A (9A1) - X or Y '
(9A2) -
Loop B - X or Y Downcomer temperature Loop A A -
Loop B (8B1 -
(8B2 -
T/C main feedwater flow Loop A X Loop B Y T/C startup feedwater flow
Loop A X Loop B Y T/C reactor coolant flow Loop A X Loop B Y Main feedwater pump tripped Loop A -
Loop B -
l
~
I Loops A and B Tcold difference . X or Y ,
i i
Babcock a,Wilcox
- Table 1. (Cont'd)
ICS ICS Signal (transmitter) NNI-X NNI-Y in out f
Selected T hot X or Y Tave X, Y, or both Reactor coolant pump running Al .
A2 B1 B2 I
Reactor not tripped .
Both generator breakers tripped .
Turbine on high load limit .
Turbine on valve position limit .
Power / load unbalance .
Low condenser vacuum .
Condenser water not available .
Closed position of turbine valve 13-1 -
13-2 .
i 13-3 .
13-4 .
Turbine is tripped .
Turbine control on auto .
r j Generated megawatts .
Neutron power .
Asymmetric rod pattern exists .
Is turbine runback initiated .
ESDD
- i. Frequency deviation -
Startup feedwater valve >80% open Loop A .
Loop B -
Startup feedwater valve <50% open 7
Loop A .
Loop B -
Main feedwater block valve open Loop A .
Loop B .
t Babcock & Wilcox
)
Table 1. (Cont'd)
Signal (transmitter) ICS ICS NNI-X NNI-Y in out ,f AD valves position demand "A" -
"B" -
Open turbine valves -
Close turbine valves -
Open turbine valves 13-1, 2, 3, 4 -
Withdraw control rods -
Insert control rods -
Main feedwater valve demand Loop A -
Loop B -
Startup feedwater valve demand Loop A -
Loop B -
Open main feedwater block valve Loop A -
Loop B -
Close main feedwater block valve Loop A -
Loop B -
Request to trip turbine -
Main feedwater pump speed demand Loop A - 1 Loop B -
J 1
\
Babcock & Wilcox i l
_ -.~. - _ ._
Table 2. Plant Response to Failures of Single ICS and Pressurizer Control Inputs l Transtent M by E f fect Deactor trip Strals falls leo ef fect. Auctioneer takes lowe Ap signal. leo lea Loop A FW control 100 psi (high) valve ap inA 0 pst (low) FW pumps go to high speed stop in attempt to maintain 50 pst across FW tinittely valves. FW flow to both %s goes up, but FW control valves alli close to bring IW flow back to setpoint; thus, overteeding is ce*y temporary, les change to post-trip control in the event that a reactor trip occurs, encept that high pump speed causes higher pressure drop aCross IW valves (hence.
control util not be as smooth as normal).
feo effect 18 ap setpoint is less than 50 pstd; same general effect as low No mA 50 pst (midscale) .
fatture above if ap setpoint is a50 psid.
Loop B fu control IIA valve ap Same Information as for loop A.
NA Total temperature com- 160 apph (htgh) leo espected lepact to power level. No pensated K llow 0apph(Iou) Loss of K flow signal causes reactor runbeck to 151 at 205 per minute. tinittely RA 80 apph (ste- toss of K flow signal causes reactor runback to approstaately 501 at 205 tinithely due to sufficient HA scale) per miewte. K flow rate during runbeck.
Condenser dump and atmosphertC dump valves go full open. Turt tne throttle Tes f 5AA 15.l.3. *5 team pressure Regulator Turbine header pressure 1200 psta (high) stenfunction or f ailure Resulting in valves open for 5 seconds and then turbine transfers to manual and the IC5 util go late tracting mode. Steam pressure decreases, pese drops, and a re- lacreasing Steam flow" actor trip on low K pressure normally results.
600 psia (*om) Turbine throttle valve closes for 5 seconds to try to maintata setpoint Tes f5AA 15.2.2.
- toss of Esternal Elec-trical Lead and/or Turbine irlp*
y steam pressure. Af ter 5 seconds, turbine transfers to manual and this causes actual steam pressure to increase, uhtch causes trty of the reactor g
due to high K pressere. 5atisfactory secondary steam pressure control af ter reactor trip via the steam Ilne safety valves.
This is a minor upset and no significant plant response mill occur. Turbine he nA 900 psla (mid.
scale) util rasp open to reduce pressure to 885.
1200 psig (high) M.A Stu limits cause partial less of feed flow to SG.A. Simultaneously. tes f 5AR 85.2.7.
- toss of piste feedseter*
M outlet pressure.
loop A loop A bypass valves open. lef electric tracts down. Decrease in ini flow ulli cause reactor trip on high K pressure. Loop A bypass remains open af ter reactor trip.
Ito IIA O psig (lau) leo effect on 1955.
No lea 600 psig (old- leo effect on NSS.
scale) l
% outlet pressure. Results are the same as for loop A.
loop B fu temperature, loop A 500F (hlgh) If this failure occurs from 1005 load, the espected result is an increase of Hot probable from nigh load.
FW flow to 1801 times design flow. A momentary tracking condition util oc- l 37 cur but normal Tave and lose control util bring unit back to steady state. . l While possible, a reactor trop is not espected. Final load may be tilghtly l
{ higher than initially. It failure occurs at low load. a greater percentage increase in ItW util occur causing a higher probability of trip. The ef.
h g fect of a high f;; temperature on Stu limits at low power is to raise the eastnum TW flow allowed and adversely affect the 35T superheat protection to E the turbine.
k
=
0
$- 6 M
Table 2. (Cont'd)
Stenals falls Effect Reactor trip f rams tent bounded t,r Of (tam) Total IW demand would decrease approminately 40% due to Stu limits and each Probable f5AA 15.2.7 OTM will be underfed leading to a reactor trip on high RC pressure.
250f (stdscale) for high power operatloa, reduction in WW flow due to f ailed FW temperature Probable f 5AA 15.2.7 on Stu lletts will reduce ffW flow more than 101 and could cause a reactor trty on high RC pressure.
FW temperature, loop B Same as for loop A.
Itate fu flow. loop A 6.0 apph (l005 toop A FW control valve closes to try to maintain coastant Indicated fW flong, Tes f5AA 15.2.7 high) which reduces actual flee. The partial loss of FW causes overheating of primary system and trips reactor en high E pressure. Control after reactor trip ts not changed. Startup level control preveats total loss of FW in af-fected loop.
O apph (01, law) toop A fu valve will open fully. toop A TW valve ap will decrease teuerd Ves f 5AR 15.I.2. *feeenster System seal.
aers. Both IWW pimps will speed up. toop 8 valve closes to reduce loop a functions That Result la en lacrease flow, toop A M util be overfed and will cause a reactor trip on tem RC la feeesater fles*
pressure.
3.0 apph (505 Depends on tattial poner level; a high power level resembles a
- low
- fall. Probable, dependlag on re- f 5AR 55.l.2 or 15.2.7 eldscale) ure, only less severe. A low poner sevel would resemble a *high* failure actor poner level.
and amuld be less severe.
stata fu flow, loop 8 Same as for loop A.
' Startup FW flow. 201(high) Above appronlastely 151 FW flow, startup measurement is not used for con- unilhely h4 fu loop A test; therefore, its failure has no effect. (femin FW block valve is opee O when flow is $151.) Delen apprealmstely 151 flem hl fattere causes itms control valves to close until M level drops to lou evel llett dare fles 8
will be restored by level controller.
OS(low) he effect if Mitsv is open due to power 3151. If 8Wlav ts closed. loop A Probable for poner less f5AA 15.2.7 startup (5u) valve goes SOE open, causing the suttch from 50 to main for FW thna 155 flow Indicatloa. Subsequently, the 50 valve on loop A will cycle between 50 and 80s opea, causing block valve to open and close. A reactor trip on high AC pressure less than 155 pomer.
101 (oldscale) Either the 50 valve will open or close dependlag on tattial atW flow rate unlikely h4 (or power). Severity of these events is msch smaller than high and low fallures.
Startup FW flow. Same as for loop A.
loop B Tamperature copersated 80 apph (loos. This failure could cause an undesired re-rattof ag of FW flow, decreasing Yes 75AA 15.2.7
- RC flow, loop A high) loop S FW flow, and at high power levels very Itkely a reactor trip on high RC pressure. Control af ter reactor trip is not changed.
40 apph 501 This all1 cause loop A Stu lletts to reduce FW flow and louer loop A E Ves f5Aa 15.2.7 W midscale level. Overheettag util lead to a reactor trty on htsh SC pressure.
O apph (05. Iow) FW flow ullt re-ratie with WA gotag on low level llett and W8 feed flow Yes f 5AA 15.2.7 .
[
O lletted only by Stu lletts. For initial load of 1001, there is a met re-duction la FW flow. and reactor mill trip on high pressure. Control after O reactor trip is not changed.
en I
=:
O y
M .
i 1
.I
~~" "M
- p - ep W W W 6 W Wup.mase ewa
Table 2. (Cont'd)
Stenals Fatts Effect peactor trip Transtent bounded by Tamperature compensated Same as for loop A.
iiC flow. loop B SG-A operate level 1001 (high) toop A feed flow will be reesced until WA level decreases below high level les F5AA 15.2.7 Itatt. targe reduction of FW flow causes overheating of primary and reactor trty on high pressure. Control after reactor trip is not changed.
OS(low) No effect, encept that WA loses protection of having a high level limit. Ih RA 501 (midscale) Same as et since nomal setpoint is approstaately 87.51. In4 WB operate level 5ame as for WA.
SU level. WA 250 In. (htgh) He effect og operation above 201 power level. Below 201. FW flow is on low No (at power levels above F5AA 15.2.F level control. Prevents proper level control, and WA could toll dry. 201) 0 in. (Iow) FW control valves go full open and remain open af ter reactor trip. This Probable T5AA 15.l.2 mould cause an overf t11 of WA, overcoollag of the primary, and possible loss of pressurtser inventory and/or level indication.
125 in. (midscale) Same as the high fatture.
SU level. W 8 Same as for WA.
Selected reactor outlet 620F(high) This failure causes Teve to ter.rease 15-20F. Creating a large neutma error. Tes FSAA 15.1.2 temperature, loop A. Th The neutron error will cause rod Insertion and will generate a cross Ilmtt I to the FW controller that utl1 lacrease tetal FW flow in an attempt to cool AC5. The combinetten of rod lasertion a.id increased FW flow ut11 overcool U RCS and util likely cause a reacter trip probably at low RC pressure.
Control af ter reactor trip is unaffected. .
8 520F (Iow) Stu Itatts reduce feed flow to 2ere in loops A and S. Reactor trips on high Tes f 5AA 15.2.7 RC pressure very quickly because of reduction of feed flow to both 015Gs.
Control af ter reactor trip as not changed.
510F (midscale) This will cause a low Tave error. but ICS will probably adjust without caus- Unit hely mA Ing a reactor trip.
Selected reacter talet 620F (htsh) This failure ulli cause T ,e to suddenly escoed the setpotat and ICS will Probable 75AA 15.2.7 temperature loop A. T g insert rods and increase total Fu demand to restore Tave. Also. difference in cold leg temperatures util cause ICS to overfeed one 5G and underfeed the other. underfeeding will happen before rods are Inserted and RC5 will overheat. This will probably cause a reactor trip on high pressure.
520F A low to lower T N1 FW demand.peranwhile.
signal will develop from thisFW Tc will re-ratio failure flows.and pull rodsProbable ICS willWA Starving and ISAR 15.2.7 and overfeeding W 8. Again, reactor mould trip on high RC pressure due to overheettag RCS.
570F (midscale) This failure will cause Tave to esceed its setpoint. rods w111 Insert, and Probable f5AA 15.2.7 ATc utI1 re-adjust flows to both 015Gs. ICS and plant may adjust without a g reactor trip or eventually the reactor will trip on high RC pressure.
Op 8
x 9*
k -
o n- s M
s
Table 2. (Cont'd)
Stenals falls I f f ect Reactor try Transtent teunded by Reactor inlet tempera- et0F (* high. Feed flow to one % voes up untle flow goes down la other loop. If lattial probable f5AA 15.2.7 ture, loop A/B dif fer. - law) load is high enough, there utll be a net reductica of total feed flow due to ence, al g a Stu Italt holetag flou down in one M. and a resultant reactor trip on high pressure. Control af ter reactor trip is not changed.
Of(aldscale) leorsal operstloa. therefore, no ef fect. Ito liA Reactor average ten- 620f Continuous control rod lasertion. Cross llants util increese fu flow. Stu probable f54A 15.l.2 erature. T.,o Ilmits bring fu flow doom as llc outlet temperature goes down, but overcool-tag t$ sufficient to cause reacter trip on lou pressure. Control after re-actor trip is not changed.
. 520f (las) Reactor dammad goes to 1031 causing red pull. FW flow cumes dona due to probable I5AR 15.2.7 cross Itatts. Reactor trips on high pressure due to overtiesting. Control af ter reactor trip is not changed.
570F (eldscale) Ease as lou Th at or leu Tcoyg fattures above. Probable f 5AA 15.2.7 or ISAR 15.l.2 BC po p runntag signal falsely indicates initiates rumback from 100 to 751 or from 75 to 451 power level.at a rumback les h4 (any of four) pep not running rate = 501/stnute. Control af ter reactor trip is not changed.
. Does not indicate f alls to inttlate reduction in puuer level at 501/ minute, but change la total probable f 5AA 15.3.1. *5tagle and sheltiple Re-pump not runnlag RC flow util fattiste a 201/etaute reductica. Reactor trip expected, flum- acter Caetant pWay Trips
- to-flow trip on four peps 1001 power.
Reactor not tripped not tripped Ito effect until reactor trips. When reactor does trip. ICS cross lletts As inA i util reduce stM flow. Asses turbine is tripped by valle reactor signals otherutse. throttle valves will close slowly to maletale steam pressure.
Steam pressure controlled to 900 pst rather than 1015 pst after reactor trip.
Tripped (Spuri- ICS actica on MfW flew utth reactor actually at power ut11 not cause a real he h4 8 ously) reactor trip. Tuttine valves go to manual. IC5 util track, and plant util run back to 151.
Both generator breakers Irtpped ICS goes inte track and allt not respond to changes la load danand. 84f 11 0 h4 tripped calibration integral is blocted so that generated Inf may drif t high or low.
Poor control of sese should act lead to a reacter trip. Control after reac-tor trip is not changed, hot tripped 800 lapact until breakers actually trip. In the event a breaker trip occurs. Iba 11 4 the IC5 util still perfors adequately since high steam pressure allt trans-for turbine to manual, inducing a tracting condition.
Generated led 1000 led (high) po.er level goes done by about 151. Control after mactor trip is not 11e 8tA changed.
O lei (Iow) Steam flow rate ulli try to increase reactor power and TW flow allt be lle- Yes f 5AA 15.l.2 lied at about 1031. continued decrease is steam high flux setpotet. Beac-ter trty on high flua, s50 ftf (stdscale) Dependsag on tattial powr level, either high failure response, low failure Ves f 5AA 15.l.2 W respaase, or essentially no response (at midrange power levels).
99 teu condenser vacuum or falsely indicates Elther of these can cause tuttine bypass valves not to open. However, at- he Id
{ no condenser cooling loss of water and mospheric enhaust and safety valves are still available for pressure con-h w
mater vacuun trol af ter reactor trip, Sn
=
O V4 M
__ - --__. - . - _~ -
Qu Table 2. (Cont'd) s Sianals fatIs If fec t Aeactor tr1p Transteat bounded be raisely indicates furtine bypass valves would pass steam to non-ee ting condenser af ter tur- tio h4 vacuum and mater blne trip or a reactor trip and could cause dar. age to condenser.
when really not available furtilne is tripped f alsely indicates Turbine will be transferred to manual. ICS goes late track mode and util 10 0 RA trip when turbine follow actual generated MW. Turbine valves util control steam pressure to is running normal steam pressure setpoint. h1d seot lead to a reactor trip. If a reactor trip occurred, turbine would be tripped.
Falsely indicates Without turbine usually going to manual and tattiating tracting mode loss Yes F5AA 15.2.2 no turbine trtpped of turbine could cause overheating of 8C5 and high RC pressure trip of re-when there is actor.
Ilestron poser 1251(high) Contteuous control rod lasertion and ICS cross Ilmits cau< tag an increase Yes F5AA 15.1.2 la fW flow (to the Stu limit) combine to create an overcooling and a reac-ter trip on low RC pressure. Control after reactor trip is not changed.
01 (les) Continuous control rod withdrawal coupled with decreased FW flow will cause Tes FSAA 15.2.7 an overheating transient and a reactor trip on high RC pressure. Control
- af ter reactor trip 11 not changed.
62.51(midscale) Depend og on lattial power level, util cause either overcooling or over- Probable F5AA 15.2.7 or FSAA 15.l.2 heating and probably reactor trips.
, Asymmetric rod pattern Fault signal en- Aunidck to <601. 44.0 at 301/ minute rate. Control af ter reactor trip not No IIA esists ists tnet pattern changed.
to is okay Asmtric rod les change in plant operating conditions untti operator discovers it. He Unlikely 11 4 e pattern esists would initiate pmeer runback to 601.
but no signal is generated .
Loop A SU FW cortrol Falsely Indicates During low power startup this failure would prematurely open WW block No 11 4 valve *001 open >8)$ open valve, nrW control valve will be closed; however, some leakage through main valve is espected. Leatage steeld be small and can be compensated for by s11ght closure of 50 valves. Excessive leakage may cause 50 valve to close to 50%. At 50% a main block close signal util be generated and cycling of main block could occur.
Loop A SU FW control Falsely indicates For any power level .351 with su main block and main control valves all op- Fru eble F5AA 15.2.7 valve <50% open <50% open ereting, this signal would close WW block valve. This 15 a loss of MFW to
, OT5G-A at high power levels. Reactor will trip on high itC pressure.
Does not indicate During power decrease when $U valve is .50% open this fatture will not cause Unittely IIA
<50% open NW block valve to fully close automatically.
loop B SU FW control Same as for loop A.
g valve <50% open D
O' Main FW block valve Closed h14 t,ansfer ICS FW flow Input to Su flow. If at high load, the effect FSAA 15.2.7 or F5AA 15.l.2 O open loop A would be very slallar to low failure of ICS FW flow signal. One SG is over-g fed and the other is underfed. Reactor trips on either high or low itC pres-sure depending on Initial power level. Control af ter reactor trip is not g
changed.
P
=
O te M
l l
l I
l Table 2. (Cont'd) 5t gaals Falls E f fect Reactor trop transtent bounded by _
Open Would prevent transfer of fW flow Indication from main to 50 flow output. Isot empetted hA Would interfere unth accurate fW control during orderly shutduwn. Probably mould not cause a reactor trip. Control af ter reactor trip not changed.
flain FW block valve same as for loop A, open. loop A Loop A sWW y tripped falsely indicates Would initiate a power runback to 551 power at 501/ minute. With both IW Unlikely NA FW pump trip pumps actually runnlag it should not lead to a reactor trip.
Falsely indicates for a real FW pump trip at high power. FW flow to both OTSGs util suddenly Probable ISAR 55.2.7 IW pump is not decrease then increase as FW pimp speed increases to high speed stop. ICS tripped util attempt to reduce power by cross lletts but reactor alli probably trip on high RC pressure due to everheating.
Loop R 85W pump tripped Same as for loop A.
Pressurlier pressure 2500 psig (htgh) 5 pray valve is opened. Primary system will depressertae very slauly and Tes This is a mild transient, which does (narrousange) eventually a reactor trip on low RC pressure is espected. Control after re- not have a specific evaluation la the actor trip should be changed by operator action. le tereinste this tran- f5AR. This event is steller to a stent. operator should manually close spray block valve. This is a slem very, very small LOCA and, therefore.
transtant and operator has ample backup indication for diagnosts. Is bounded by f 5AR 15.6.2. *Rreak in Instruent Lines er Lines from Primary Systam that Penetrates Contalament"
' 1700psis(low) '
The spray valve util stay closed but all pressurlier heaters util come on. As hA ro As pressurtser pressure lacreases safety-grade PORV mill open to control
.h pressure. Control af ter reactor trip would not be changed. Reactor trip not espected. This is a slas transient and operator has ample backup ladt-8 cation for diagnosts.
2100 is (mid. Same as ime failure.
scale Pressurlaer level (se- 400 in. (high) leakeup valve allt close and K5 pressure and pressurtser level alli s1culy Possible (Iow RC pressure) This is a mild transient. which does lected) decrease due to letduun flow greater than makeup flow. This is a slow not have a specific evaluation in the transtant and operator has ample backup indication for diagnosis. f5AR. This event is steller to but less severe than a letdous line breas, and therefore is bounded by ISAR 15.6.2 200 in. (mid- hkeup valve util open to try to ratte level. Pressurtzer level util in. Possible (htph or los RC F5AR 15.5.1 " Inadvertent Opration of scale) crease and spray and PORV may operate to Ilmit RC pressure. This is a cy- pressure) (CC5 During Pomer Operetten clic pressure transtent. This is a slow transtant and operator has ample backup indication for diagnoils.
Oin.(ion) peakeup valves al11 open. RC pressure will increase. Pressurizer interlock Possible (high or low RC f5AR 15.5.1 alli be active but no heaters are required. Spray and PORV mill open to pressure) control RC pressure. This may also be a cyc1tc pressure transient. This is a slow transtent and operator has ample backup indication far degnosis.
CD -
8p Pressuriser temperature 750F (hlgh) This causes temperature compensated level to be high and makeup turned off. Tes (Iow RC pressure) This is a mild transient. which does real pressertier level decreases. This not being detected could cause not have a specific evaluation la the
{ (selec ted) heaters to go en with no water covering them and heaters may burn out. This F5AR. This event is'statlar to but is a slow transient and operator has ample Packup indication for diagnosis. less severe than a letdown line break, h
y and therefore is bounded by f5AR 15.6.2 ge 400F (midscale) This causes temperature compensated level to be leu. hkeup comes on to re- Yes(htghRCpressure) T5AR 15.5.8
. fill pressurtzer. Spray controls pressure. Reactor will trip on high RC pressure af ter spray nozzle is sutmerged. This is a slow transtert and op-g' erator has ample backup indicatio9 'or diagnosis.
O M
- ~ ~ ' . ' N h'
~ - . , , , - . * .gs.amusum W W _
%usummus* M e.u'* % emr#
_ 3 s e Table 2. (Cont'd)
E f f ect Reactor trip Transient bound'ed by I 5tpls falls Same as eldscale f ailure. Ves (htsh RC pressure) f5AR 15.5.1 of (low)
Any further increase in turbine demand shall be ignored. it is the equiva- ho M is turbine lead lle. Turbine is not ltedi load Itatted but lent to turbine valves being in manual and at a setpoint. Control after re-stgral says it is actor trip unchanged.
NA Turbine is really Additional increases in load demand util be folla ed. Potential damage to No load Itetted but turbine could occur if another protection signal does not take it off Inne.
signal says it is Control af ter reactor trip unchanged.
not .
Ito M Is turbine runback Loss of stator in a short flee it uould be harmful to turbine. Vibration levels could rise tattistedt coolant but no with a turbine trip to follow. Control af ter reactor trip unchanged. .i rumback initiated 1 on power
! h4 l No loss of stater ihts causes no problem but would be a nutsance and would need to be dis- No coolant but a covered and repatred before reloading turbine. Control after reactor trip l
i power rweack unchanged.
initiated l he itA Is turbine back-end Turbine is not This should prevent turbine from increasing load even though turbine is l flow Italtedt (Jnit 1) back-end flow- really not back-end flow 11mited and could accept more load. Control after [
lletted but sig- reactor trip unchanged.
mal says it is tio NA e Turbine is back- The purpose of the siphal is to prevent turbine from receiving any more load.
end flow-Itatted Without this signal and being really back-end flow-Iletted, any increase in but signal says load could potentially damage turbine. Control after reactor trip unchanged.
It is not I This is a poner reduction or step demi to ICS rening back FW and reactor. Not espected NA frequency deviation a3 Ha (high) l The FW res back faster than reactor pomert however, with a Itatter on fre-quency dettation, reactor should not trip.
no effect. ICS has no frequency deviation even ideen grte frequency is not he hA OHa(etdscale) 60 Ma and util adjust to adiatever new operating condition turbine has changed to. Control af ter reactor trip unchanged.
-3 Ma (los) This causes a step to in poner Itetted by 1051 reactor power. FW could re tiot expected NA j
up festar than reactor powert houever, with a limiter on frequency deviation, reactor should nec trip. Control af ter reactor trip ochanged.
i j
Turbine on valve post- Valve positten is Additional load will go to turbine. but since valves will not open further. Ito inA tion Ilmited lletted but sig- steam pressure may lacrease as much as 30 pst in both 5Gs. Control after mal falls to in- reactor trip is unchanged.
dicate limited Any addtttonal load request on turbine is ignored. Control after reactor too NA .
Valve position is not itelted but trip is unchanged.
pra signal indicates
{ tt is .
[
O power / load unbalanced signal Stenal says poner/ power / load unbalance signal is sent to ICS to switch into tracking mode, load unbalance but stranwhile, power / load unbalance signal in turbine controls is also trying leo NA O is not power / lead to lower turbine power to clear unbalance. It could run turbine back to 3t" unbalance 01 load. Control af ter reactor trip is unchanged.
P O
se M
E
Table 2. (Cont'd)
Signals falls E f f ec t Reactor trip _
f ranstent buended by Signal says no Power / load unbalance signal does not mort when turbine is really unbalanced. 800 NA power / lead unbal. Turb6ne may run unbalanced until another shutduun signal is created or tur.
ance but there is btne is runback on power / lead unbalance; 6.e.. only the signal to ICS f ailed.
IC5 would try to make demanded sepatts and muuld not switch to track until af ter turbine tripped. Control after reactor trip is unchanged.
Turbine bypass valve Closed Normally at power all turbine bypass valves are closed, so if closed indl. Ho NA closed cation failed close it upuld have no effect. Control af ter reactor trip
. util be pressure regulated by main steam safety valves and atmospheric dump l valves.
Open It could also fall to indicate open and may not be detected lamediately. Unitkely h4 Control after reactor trip is unchanged.
1500 (evaporator steam 40% of full power At I001 power. pouer plant is put late oscillations betueen high power and unlikely hA danand development sig. demand (high) runback of electric load. Valves to evaporatpas do not open. The same at nel) 301 power. but $10 usiks up to 1001 before escth 3tions start, les reactor trip is espected, but if oscillations continue, a lom NC pressure trly is possible. Control af ter reactor trip is unchanged. (A bigh failure of (500 is emnlikely.)
201 of full power demand (midscale) At 1001 power, the effect is same as a high f ailure; but at los power. ICS Unlikely NA levels out to 301 plus 201 or about 50% pouer level, no reactor trip es.
cept as before a possible leu NC pressure trip. Control after reacter trip 8 is unchanged.
fu 01 of full r ato effect because lattially at 01 demand for E500. No h4 m demand (lem a
I o
3" 98 I
=
(
M
- - **** , , . . e, ap SM .eum M W h W W w-
~ -- - _ _ _
Table 3. Plant Response to Failures of Single ICS Outputs I
Reactor trty Transient boun'ded by falls E f fect St enals Isos espected 24 Man increase Causes turbine valve to open at approstmately 101/ minute, decreasing steam lacrease turbine post-(hlgh) pressure and increasing Itse. When a 50 psi pressure error entsts for 5 sec-tion onds, turbine ut11 transfer to manuel and valve opening allt stop. 105 util go lato track and stabilise af ter a 51 load increase. A trip is unlikely.
Control af ter a reactor trip is not changed by tais failure.
- i IIA l
Itas decrease performance steller to an lacrease failure encept pressure increases and load Itot espected l Decrease turbine ps t- decreases approstaately 55 (decrease rate is faster than increase rate) be- l tion (high) fore the N55 stabilizes.
- NA Will hold turtine valves to their last position. Plant cannot be maneuvered. Ito Turbine posttlen As is (etdscale) l Ito turbine trip espected.
i Possible at high load FSAR 15.1.4.
- Inadvertent Opening of If any one of these valves is driven open, it is not a significant problem I
Turbine A and 8 bypass 3005 (high) Steam Generator Atmospheric Diamp or valves,ata *A* and '8* unless reactor trips. If this happens, secondary steam pressure cannot be Safety Valve
- or f 5mt 15.1.3. " Steam controlled to a1000 psig primary overcools, and pressuriser level may be pressure Segulator Italfunction or f all-exhaust valves lost. Bypass or exhaust block valve can be closed to maintain pressure. ure Resulting in increasing Steam flow" list espected h4 05 (low) If any one (or more) of these valves falls to open on demand, it is no prob-tem because the steam Ifne safety valves are available for secondary steen pressure control af ter reactor trip.
possible at high load but FSAR 15.1.4 or F5AR 15.l.3 505 (eldscale) If any one of these valves fall open, a stellar result to the 1005 fall open not as probable as 1005 could result, case.
8 Not espected IIA Allem start of any Yes/no Fallure can either prevent pumps from being started when they should or it AC penp can allow than to be started when they should not.
Itat espected MA I No tapact unless a pouer condition runback is present in CAO' If this oc-To CAD to peref t rod Inhibit curs, rods cannot be ulthdraun. The result is Tave may dre lou causing fic ulthdrawal (runback pressure to decrease.
Ilmit) 8tet espected IIA Not inhtbit ihls would allow rods to be ulthdrawn when en inhibit should esist.
Itot espected IIA Transfer re- 10e effect encept turbine goes to manual. ICS tracks generated fel. untch is Transfer turbine con - constant af ter transfer. 11e change to control after reactor trip.
trol to manual quested IIA Turbine util not transfer autenatically to manual when demanded. If a sub- llot espected Ito transfer sequent upset did require turbine to transfer to manual, such as an increase or decrease turbine position failure, event would be teretnoted by a reactor trip. A double f ault is required to cause a reactor trip. Control after trip is not affected.
WB on Stu Ifsit too effect on N55. These outputs for operator information only. .
WA on Stu llett X
R w
Sn Y
=
O 44 M
Table 3. (Cont'd)
Signals falls E f fect Reactor trip Translent bounded by M.s on ion ie.ei
%-A on low level fd limited by reactor No effect on N55. These outputs for operator information only.
Reactor Itatted by FW Ves/no lieutron error Withdraw control rods Withdraw when not No effect. The contacts for withdrawal are in series, therefore, tuo sets IInt espected M (tuo outputs) desired of contacts would have to fall before utthdrawal would occur.
Does not utthdraw Gods fall to respond ta a ulthdrawal signal. Results in Tave droop and Ilot espected M when utthdrawal possible AC pressure upsets.
desired lasert control rods lasert when not The tuo sets of contacts are la parallel, therefore, a failure ulll cause het espected M (tuo outputs) destred rod insertion. Ta.a alli decrease causteg RC pressure upsets.
Does not lasert No impact since both contacts must f all to prevent rod lasertion. Not espected M uhen desired Loop 8 open main FW Open when opening Slock valve is anly closed at low loads when %s are on level control. het espected M block valve not desired Will not interfere utth effective M level control unless leakage across a
main W control valve is large. Could impact accuracy of FW flew measure-ment. but this is not needed f6r control, M
h not open seen de-stred Will prevent automatic opening of the male FW block valve during startup.
Control after reactor trip not changed.
Not espected i
Loop A open main fu Sane as loop 8 open main fW block valve.
block valve loop 8 close main FW Close when clostag partial loss of FW to one M. ulth reactor trip following soon af ter (high Yes (htsh RC pressure) f5AA 15.2.7 block valve act desired DC pressure). Control after reactor trip not changed.
Det closed uten Block valve will not close automatically then it should. however, this not espectsd M clostag desired would not laterfere ulth effective % level control unless leaksgo across main fu control valve mere large.
Loop A close main fW Same as loop 8 esta fW block valve.
block valve peser to ICS entsts no Transfers Diamond CSD to manual or does not let operator go to automatic. Ilot espected M I*"I' II Tes Aute inhibit not active. Not espected M Large neutron error Large error Does not let operator go to automatic with Diamond CRO. Not espected M t entst (auto not large error Operator can transfer Otamond CR0 to automatic neen a large arrer eauss. Not espected M FW pimp S speed Nigh putting one feed pump on high speed stop ismid increase TW flow to both %s. Not espected th changer demand The effect would be partially or totally offset by an automatic speed de-crease of unaffected pimp. Reactor does not trty because W valves auto-g= ma*.?cally close to maintain FW flow at setpolat. No change to control af ter reactor trip.
p s
g M
- - - ~ _
__ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ ~ __ _ _ _ . _ _ _
Table 3. (Cont'd) '
Sienals Falls Effect Reactor tr:p _
Transtent boended by Low Causes decrease of feed flow to both SGs. Unaffected pump speeds up and FW Yes, if total FW flow is f5AR 15.2.7 control valves open to partially or *.otally offset loss in flow. Reactor less than can be accommo-
- trip on high pressure Itkely due to safercooling. No change to control dated by one NW pump, af ter reactor trip.
Midscale With one pump on midscale speed at high power, other pump will pick up to probable (at very high F5AR 15.2.7 maintain fW to %s and FW valves will open to maintain flow to % also. Ioads)
Once FW flow to SG and pressure drop across pumps is stabillzed, a reactor trip is not probable unless at high power initially and FW flow demand to
% has not bee satisfied. Therefore, an undercooling event of SGs would occur and a high RC pressure trip is probable. No change af ter reactor trip. At low power levels only one FW pump is operating. One IW pump at midscale speed would require adjustment by both MFW control valven and re-actor would not trip on low RC pressure.
TW pump A speed changer Same as pump 8 FW speed changer desund.
demand Loop B main FW valve Closed (low) At high power level, partial loss of TW flow to one % with reactor trip on probable (high RC pressure) F5AR 15.2.7 high pressure following shortly af ter valve closes. At low power. SU valve may be sufflctent, leo change to control af ter reactor trip.
Open (high) Effect at full load is not great because feed valve is nearly open. If failure llot espected 18A inttlates at lower load, flow to one % goes to above 105. IC5 reduces feed g flow to other % and partially compensates for entre feed flow in other SG.
As entra feed flow cools the primary, control rods pull to try to bring Tave to back to setpoint. Systam may reach steady state at a higher load condition sD without reactor trip. Yhts f ailure may cause reactor trip on low RC pressure
, if inttlated from a very low gnwer. 150 change to control af ter reactor trip.
Half open (mid- Partial loss of TW to one % *
- valve positten is closing with respect to probable (htgh RC pressure) F5AR 15.2.7 scale) Its last position bef)re falle z; otherwise. It will be an overfeed condt-tion for the converse case. For an overfeed condition. pumps util speed up to maintata pressure drop across value; rods will pull to maintain fave
, as long as cross limits are not laittated or Stu and high level limits are not exceeded causing a reactor trip. 100 change to control af ter reactor trip. For a partial loss of IW an undercooling of primary side is initiated with a high RC pressure reactor trip. No change to control af ter reactor trip, toop A main FW valve Same as for loop 8 main FW valve.
Loop 8 startup FW Open (htgh) No ef fect if operating at power (i.e. 50 valve is already open). If a SU Not espected NA vales valve remained open af ter reactor trip (or came open at very low power) one
- SG would be overf tlied, resulting in excessive cooldown cf the primary and possible loss of pressurtzer level. Startup block valve can be closed and flow controlled using main valve.
Closed (low) When su valve closes to 501. main FW block valve is shut causing total loss Yes (high RC pressure) f5AR 15.2.7 of TW flow to one %. Reactor trip on high pressure follows. Main block valve can be opened and affected W fed with mata f W valve.
Half open (mid. The same as a closed SU valve failure since midscale is 50% closed on 50 Yes (htgh RC pressure) F5AR 15.2.7 Q scale) valve, but a total loss of FW will not occer since valve reestas half open, y Reactor will still trip on high RC pressure. Main block valve can be opened and affected % fed with main FW valve.
Se
=
toop A startup FW valve same as for loop a startup FW valve.
n
- 4 X
1 I
i i
Table 3. (Cont'd) l S6gnal falls E f f ect Reactor trip Transtent bounded by Total FW flem. loop A total FW flee, loop 5 .
, Unit load control panel tedicattag ilghts unit lead demand set K flom runhack in .
effect 4'
Migh load llett in effect i
Lau .lmit la > No effect en NSS. These outputs for operater leforsetten only.
Less of fW pump
! rumheck to effect i Asymetric rod i runeck to effect i
Less of K pump run- t W hack in effect O
g unit master la ,
trockleg .
k So I
=
d' O sa j M
-. p -mus _.
ess - m w %_.
r-Table 4. Assumed Hand Switch Positions E Signals input Position s
Parameter to switch Hand switch selected RC fl w, loop A FT-1A5 FC-HSIA X (y) FT-1A6 RC w, loop B FT-1B5 RC-HSIB (y) FT-186 X T,h op A TT-3Al RC-HS3A X (y) TT-3A2 T h, lcop B y TT-3B1 RC-HS3B (y) TT-3B2 X T , lcop A c y
-4A1 RC-HS4A1 (y TT-4A3 Average RC-TY4A X T,[lopB c( TT-4B1 RC-H24B1 (y) TT-4B3 Average RC-TY4B X T , loop A RC-HS3A RC-HS3 h
loo B RC-HS3B Average Th RC-TY3 X T"V*, loop A RC-TY7A RC-HIS7 loop B RC-TY7B Tave, both loops RC-T(7 X Pre urizer level LT-14-1 RC-HS14 X (X LT-14-2 (y) LT-14-3 Pre surizer temperature 1 RC-HS15 X (y TT-15-2 Tc p A wide range
-4A2 RC-HS4A2 X (y) TT-4A4 l.
Babcock & Wilcox
. I Table 4. (Cont'd)
Signals input Position Parameter to switch Hand switch selected .1 T I 1 c (X)p B wide range TT-4B2 RC-HS4B2 (Y) TT-4B4 X Pressurizer pressure nar-row range (X) PT-2-1 RC-HS2-1 X (Y) PT-2-3 Pressurizer pressure wide range (X) PT-2-2 RC-HS2-2 (Y) PT-2-4 X Main FW temp., loop A (X) TT-1A1 SP-HSIA X (Y) TT-1A2 Temp. comp. MFW flow, i loop A (X) SP-FY2A1 SP-HS2A X MFW flow, loop A (X) FT-2A1 (Y) FT-2A2 Temp. comp. MFW flow, loop A (Y) SP-FY2A2 Main FW temp., loop B (X) TT-181 SP-HSIB 1 (Y) TT-182 X l Temp. comp. MFW flow, loop B (X) SP-FY2B1 SP-HS2B MFW flow, loop B (X) FT-281 ,
(Y) FT-2B2 Temp. comp. MFW flow, {
loop B (Y) SP-FY2B2 X Main steam press., loop A Il (X) PT-12A1 SP-HS12B ,
X (Y) PT-12A2 h
Main steam press., loop B (y) PT-1281 X (X) PT-12B2 i
Babcock & Wilcox !
5,1
L Table 4. (Cont'd)
Signals input Position Parameter to switch Hand switch selected Turbine header (throttle) pre re PT-16A SP-HS16 X (y) PT-16B MFW control valve AP, 0fX PDT-5A1 SP-HSSA X (y PDT-5A2 MFW control valve AP, fX PDT-5B1 SP-HS5B (y) PDT-5B2 X SG s rtup level, loop A
_ p, g y y) LT-9A4 SG startup level, loop B LT-9B3 SP-HS982 X (x LT-984 SG ncomer temp. , loop A TT-8A1 SP-HS8A X (Y) TT-8A2 SG ncomer temp. , loop B TT-8B1 SP-HS8B (y) TT-8B2 X Temp, comp. SG operate level, loop A SP-LY9Al SP-HS9Al X SP-LY9A2 i
Temp. comp. SG operate level loop B SP-LY981 SP-HS981 (y) SP-LY982 X Mak tank level LT-25-1 MU-HS25 X (y) LT-25-2 4
Babcock & Wilcox
i jl Table Sa. ICS Input Signal Failures Due to NNI-X - 24 V de Power Supply Failure at Full Power Original value Midscale value Item Parameter (normal) (0 volt) 1 Loop A RC flow, mpph 70.0 40.0 2 Total RC flow, mpph 140.0 80.0 3 Loop A and B Thot, F 600.0 570.0 4 ATc (nonnal state), F 0.0 0.0 (Tca=Tcb=556F) (Tea=Tcb=570F) 5 Tave, F 579.0 570.0
- 6. "A" S/U FW flow (no effect at high 1.0 0.50 power), mpph 7 "A" FW temperature, F 455 250 8 "A" FW flow, mpph 5.3 3.0 9 "A" steam pressure, psig 910 600 10 Turbine header pressure, psig 885 900 11 "A" FW valve AP, psid 35 50 12 "A" S/U level, in. 160 125 13 "A" operate level, % 60 50 14 Non-safety-grade pressurizer Off On(a) heaters 15 Pressurizer spray valve Off Off(a)
If Letdown flow control valve Partially open Closed (a) 17 Makeup flow control valve Partially open Open(a)
(a)For an overheating-type transient, the controls for these functions were assumed to fail to the position that would aggravate the trend of the transient regardless of the actual operational mode of these control sys-tems. {
l l
Babcock & Wilcox
b.
o Table 5b. ICS Input Signal Failures Due to NNI-X - 118 V ac Power Supply Failure at Full Power r
Original value Midscale value Item Parameter (normal) (0 volt) 1 Loop A RC flow, mpph 70.0 40.0 2 Loop A and B Th ot, F 600.0 570.0 3 "A" FW temperature, F 455 250 4 "A" FW flow, mpph 5.3 3.0 5 "A" steam pressure, psig 910 600 6 Turbine header pressure, psig 885 900
( 7 "A" FW valve AP, psid 35 50 I 8 A" S/U level, in. 160 125
, 9 "A" operate level, % 60 50 10 Non-safety-grade pressurizer Off On(a) heaters 11 Pressurizer spray valve Off Off(a) 12 Letdown flow control valve Partially open Closed (a) 13 Makeup flow control valve Partially open Open(a)
(a)For an overheating-type transient, the controls for these functions were assumed to fail to the position that would aggravate the trend of the transient regardless of the actual operational mode of these control sys-tems.
I i
l
- Babcock & Wilcox .
,i I\
Table Sc. ICS Input Signal Failures Due to NN1-X - 24 V de Power Supply Failure at 30% Power Original value Midscale value Item Parameter (normal) (0 volt) 1 Loop A RC flow, mpph 70.0 40.0 2 Total RC flow, mpph 140.0 80.0 3 Loop A and B Th ot, F 586.0 570.0 4 ATc (nonnal state), F 0.0 0.0 (Tca=Tcb=581F) (Tca=Tcb=570F) 5 Tave, F 579.0 570.0 6 "A" S/U FW flow (no effect at this 1.0 0.50 low power), mpph l I
7 "A" FW temperature, F 330 250 8 "A" FW flow, mpph 1.5 3.0 9 "A" steam pressure, psig 890 600 10 Turbine header pressure, psig 885 900 11 "A" FW valve AP, psid 35 50 12 "A" S/U level, in. 40 125 13 "A" operate level, % 10 50 14 Non-safety-grade pressurizer Off On(a) heaters 15 Pressurizer spray valve Off Off(a) 16 Letdown flow control valve Partially open Closed (a) 17 Makeup flow control valve Partially open Open(a) .f (a)For an overheating-type transient, the controls for these functions were assumed to fail to the position that would aggravate the trend of the transient regardless of the actual operational mode of these control sys-l tems. ,
i.
Babcock &Wilcox
I P b
Table 5d, ICS Input Signal Failures Due to NNI-X -- 118 V ac Power Supply Failure at 30% Power Original value Midscale value Item Parameter (normal) (0 volt) 1 Loop A RC flow, mpph 70.0 40.0 2 Loop A and B Thot, F 586.0 570.0 3 "A" FW temperature, F 330 250 4 "A" MFW flow, mpph 1.5 3.0 5 "A" steam pressure, psig 890 600 6 Turbine header pressure, psig 885 900 7 "A" FW value AP, psid 35 50 8 "A" S/U level, in. 40 125 9 "A" operate level, % 10 50 10 Non-safety-grade pressurizer heaters Off Off(*)
11 Pressurizer spray valve Off On(a) 12 Letdown flow control valve Partially open Open(")
13 Makeup flow control valve Partially open Closed (a)
(a)For an averheating-type transient, the controls for these functions were assumed to fail to the position that would aggravate the trend of the transient regardless of the actual operational mode of these control sys-tems.
t i
l1 i'
Babcock & Wilcox
l Table 5e. ICS Input Signal Failures Due to NNI-Y - 24 V de Power Supply Failure at Full Power Original value Midscale value Item Parameter (nonnal) (0 volt) 1 Loop B RC flow, mpph 70.0 40.0 2 ATc (normal state), F 0.0 14 (Tea=Tcb=556F) (Tcb=570F) 3 "B" S/U FW flow (no effect at high 1.0 0.50 power),mpph 4 "B" FW temperature, F 455 250 5 "B" MFW flow, mpph 5.3 3.0 6 "B" steam pressure, Psig 910 600 7 "B" FW valve AP, psid 35 50 8 "B" S/U level, in. 160 125 9 "B" operate level, % 60 50 10 Non-safaty-grade pressurizer heaters Off On(a) 11 Pressurizer spray valve Off Off(a) 12 Letdown flow control valve Partially open Closed (a) 13 Makeup flow control valve Partially open Open(a)
(a)For an overheating-type transient, the controls for these functions were assumed to fail to the position that would aggravate the trend of the transient regardless of the actual operational mode of these control sys-tems.
l i
Babcock &Wilcox
Table 5f. ICS Input Signal Failures Due to NNI-Y - 118 V ac Power Supply Failure at Full Power i
inal value Midscale value Item Parameter Orig (normal) (0 volt) 1 Loop B RC flow, mpph 70.0 . . . . ,
2 ATc (n rmal state), F 0.0 14 (Tea
=Tcb=556F) (Tcb=570F) 3 "B" FW temperature, F 455 250 4 "B" MFW flow, mpph 5.3 3.0 5 "B" steam pressure, psig 910 600 6 "B" FW valve AP, psid 35 50 7 "B" S/U level, in. 160 125 8 "B" operate level, % 60 50 9 Non-safety-grade pressurizer heaters Off On(a) 10 Pressurizer spray valve Off OffI ")
11 Letdown flow control valve Partially open Closed (a) 12 Makeup flow control valve Partially open Open(a)
(a)For an overheating-type transient, the controls for these functions were assumed to fail to the position that would aggravate the trend of the transient regardless of the actual operational mode of these control sys-tems.
t I
i 1
Babcock & Wilcox
I I
Table 5g. ICS Input Signal Failures Due to NNI-Y - 24 V de Power Supply Failure at 30% Power Original value Midscale value Item Parameter (normal) (0 volt) 1 Loop B RC flow, mpph 70.0 40.0 2 ATc (nonnal state), F 0.0 5 (Tca=Tcb=571F) (Tcb=566F) 3 "B" S/U FW flow (no effect at high 1.0 0.50 power),mpph 4 "B" FW temperature, F 330 250 5 "B" FW flow, mpph 1.5 3.0 6 "B" steam pressure, psig 890 600 7 "B" FW valve AP, psid 35 50 8 "B" S/U level, in. 40 125 9 "B" operate level, % 10 50 10 Non-safety-grade pressurizer Off Off(a) heaters 11 Pressurizer spray valve Off On(a) 12 Letdown flow control valve Partially open Open(a) 13 Makeup flow control valve Partially open Closed (a)
(a)For an overcooling-type transient, the controls for these functions were ac:Lmed to f ail to the position that would aggravate the trend of the transient regardless of the actual operational mode of these control sys-tems.
l
.I l
i l
l Babcock s.Wilcox ,l
Table Sh. ICS Input Signal Failures Due to NNI-Y - 118 V ac Power Supply Failure at 30% Power Original value Midscale value Item Parameter (nonnal) (0 volt) 1 Loop B RC flow, mpph 70.0 40.0 2 Tc (normal state), F 0.0 5 (Tca=Tcb=571F) (Tcb=566F) 3 "B" FW temperature, F 330 250 4 "B" FW flow, mpph 1.5 3.0 5 "B" steam pressure, psig 890 600 6 "B" FW valve P, psid 35 50 7 "B" S/U level, in. 40 125 8 "B" operate level, % 10 50 9 Non-safety-grade pressurizer Off Off(a) heaters 10 Pressurizer spray valve Off On(a) 11 Letdown flow control valve Partially open Open(a) 12 Makeup flow control valve Partially open Closed (a)
(a)For an overcooling-type transient, the controls for these functions were assumed to fail to the position that would aggravate the trend of the transient regardless of the actual operational mode of these control sys-tems, i
Babcock s.Wilcox i _ _ _ _ _
1 l
i
.J 1
i Table 51. Output Signals of the ICS Due to 118 V ac Power !
Failure at 100% Power Level (and 30% Power Level)
Original value Final value Item ICS output signal (normal) (abnormal) 1 Insert or withdraw rods In auto In manual 2 "A" and "B" MFW block valve Open Fails as is (open) 3 " Power to ICS exists" signal Yes No effect 4 "Large neutron error exists" signal No Noeffect(a) 5 "A" and "B" FW pump speed demand In auto (Inauto) 6 "A" and "B" MFW control valve position In auto s50%
7 "A" and "B" S/U FW control valve position In auto s50%
8 Turbine throttle valve position In auto In manual 9 "A" and "B" turbine bypass valve position Closed 50%
(a)With control rods and FW control valves in manual, a large neutron error will have no effect on the plant.
Note: For these transients pressurizer spray, makeup, and heater control actions were in automatic and normal.
t l
Babcock a.Wilcox
l l .
Table Sj. Output Signals of the ICS Due to 24 V de Power Failure at 100% Power Level (and 30% Power Level)
Original value Final value Item ICS Output Signal (normal) (abnormal) 1 Insert or withdraw rods In auto In manual 2 "A" and "B" MFW block valve Open Closed 3 " Power to ICS exists" signal Yes No effect 4 "Large neutron error exists" signal No Noeffect(a) 5 "A" and "B" FW pump speed demand In auto s60%(con-stant) 6 "A" and "B" MFW control valve position In auto s50%
7 "A" and "B" S/U FW control valve position In auto s50%
8 Turbine throttle valve position In auto In manual 9 "A" and "B" turbine bypass valve position Closed 50%
(a)With control rods and FW control valves in nanual, a large neutron error will have no effect on the plant.
Note: For these transients pressurizer spray, makeup, and heater control actions were in automatic and normal.
l Babcock & Wilcox
Table 6. Plant Response to NNI/ICS Power Supply Failures failure Reactor Transient bounded by FSAR No. Type of failure Description of transient tripped? analysis 1 Fall NNI-X 24 V dc This rapid overheating transient is caused by both loop A and B Btu Yes FSAR 15.2.7. " Loss of Main at 100% power limits reducing MFW flow to both OTSGs. The failure of Icop A Thot Feedwater" signal caused loops A and B Btu limits to generate a 0 lb/s FW de-mand signal. RC temperatures increased very rapidly, and the reactor tripped on high RC pressure. Emergency FW flow to both OTSGs main-tained the 2-foot low water level, and the high RC temperatures de-creased toward rormal post-trip values.
2 Fall NNI-X 118 y ac This is also a rapid overheating transient. Both loop A and B Btu Yes FSAR 15.2.7 at 100% power limits reduced MFW flow to the OTSGs. The rapid reduction in MFW flow was due to loop A Thot signal failing to 570F and causing a 0 lb/s FW demand signal in both loops. This transient is very simi- .
lar to failure No. 1. .
3 Fall NNI-X 24 V dc This is a moderate overheating transient with loop A and B Btu limits Yes FSAR 15.2.7 at 301 power reducing W W flows to both OTSGs. The initial power level was only 301, and the reactor tripped due to overheating of the RCS. EFW flow started automatically and maintained low water levels in both OTSGs.
' This is an upset transient with alid overheating followed by over- FSAR 15.1.2, "Feedwater Sys-4 Fall NNI-X 118 V ac Yes A at 305 power cooling. The reactor trip does not occur ouring overheating of the tem Malfunctions That Result
- RCS. Overheating was caused by loop A and B Btu limits reducing FW in an increase in Feedwater e flows to zero when loop A Thot signal failed to 570F. The turbine Flow" bypass valves opening to 50% depressurized both OTSGs and caused the overtooling of the RCS. EFW flow was started by low SG 1evel, and the decreasing OTSG pressure caused an increase in EFW flow rate to the OTSGs. Reactor tripped on low RC pressure.
5 Fall NNI-Y 24 V dc This is an overheating transient the trips the reactor on high RC Yes FSAR 15.2.7 at 100% power pressure. Each Stu limit is partially reduced, but not to the same value. Initially. loop B FW flow decreased to 0 lb/s, whereas loop A FW flow only decreased momentarily. However, a short time later.
loop A and B MFW flows had been reduced to 0 lb/s. During the same time, reactor power decreased before the reactor was tripped.
m 6 Fall NNI-Y 118 V ac Same transient as above. Yes FSAR 15.2.7 E at 100% power
$o 7 Fall NNI-Y 24 V dc This is a slid overheating and sustained overcooling transient that Yes FSAR 15.1.2 o at 30% power would trip the reactor on low RC pressure. Tave increased several de-
- grees F befcre overcooling was initiated. Loop B Btu limits decreased P , about 25%, and while the loop B FW flow was dropping rapidly, loop A
$ FW flow increased before dropping to zero. EFW flow restored water g levels in both SGs and permitted both SGs to hold nonnal steam pres-sure.
o M .
-- e-#
Table Sj. Output Signals of the ICS Due to 24 V de Power Failure at 100% Power Level (and 30% Power Level)
Original value Final value Item ICS Output Signal (normal) (abnormal) 1 Insert or withdraw rods In auto In manual 2 "A" and "B" MFW block valve Open Closed 3 " Power to ICS exists" signal Yes No effect 4 "Large neutron error exists" signal No Noeffect(a) 5 "A" and "B" FW pump speed demand In auto s60%(con-stant) 6 "A" and "B" MFW control valve position In auto s50%
7 "A" and "B" S/U FW control valve position In auto s50%
l 8 Turbine throttle valve position In auto In manual 9 "A" and "B" turbine bypass valve position Closed 50%
(a)With control rods and FW control valves in manual, a large neutron error will have no effect on the plant.
Note: For these transients pressurizer spray, makeup, and heater control actions were in automatic and normal.
l l
Babcock s Wilcox
Table 6. Plant Response to NNI/ICS dower Supply Failures l
? Failure Reactor Transient bounded by FSAR j No. Type of failure Description of traasient tripped? analysit 1 Fall NNI-X 24 V dc This rapid overheating transient is caused by both loop A and B Btu Yes FSAR 15.2.1,
- Loss of Main at 100% power limits reducing MFW flow to both OTSGs. The failure of loop A That Feedwater" signal caused loops A and B Btu limits to generate a 0 lb/s FW de-mand signal. RC temperatures increased very rapidly, and the reactor tripped un high RC pressure. Emergency FW flow to both OTSGs main-tained the 2-foot low water level, and the high RC temperatures de-creased toward normal post-trip values.
2 Fall NNI-X 118 V ac This is also a rapid overheating transient. Both loop A and B Btu Yes FSAR 15.2.7 at 100% power limits reduced MFW flow to the OTSGs. The rapid reduction in WW flow was due to loop A That signal failing to 570F and causing a 0 lb/s FW demand signal in both loops. This transient is very simi-lar to failure No. 1. ,
3 Fall NNI-X 24 V dc This is a moderate overheating transient with loop A and B Stu limits Yes FSAR 15.2.7 >
at 30% power reducing MFW flows to both OTSGs. The initial power level was only 30%, and the reactor tripped due to overheating of the RCS. EFW flow started automatically and maintained low water levels in both OTSGs.
' This is an upset transient with mild overheating followed by over- FSAR 15.1.2, "Feedwater Sys-4 Fall NNI-X 118 V ac Yes
- at 30% power cooling. The reactor trip does not occur during overheating of the ten Malfunctions That Result
- RCS. Overheating was caused by loop A and B Btu limits reducing FW in an increase in Feedwater a flows to zero wher loop A Thot s19 nal failed to 570F. The turbine Flow" bypass valves opening to 50% depressurized both OTSGs and caused the overcooling of the RCS. EFW flow was started by low SG 1evel, and the decreasing OTSG pressure caused an increase in EFW flow rate to the OTSGs. Reactor tripped on low RC pressure.
5 Fall NNI-Y 24 V dc This is an overheating transient the trips the reactor on high RC Yes FSAR 15.2.7 at 100% power pressure. Each Btu limit is partially reduced, but not to the same value. Initially, loop B FW flow decreased to 0 lb/s whereas loop A FW flow only decreased momentarily. However, a short time later,
' loop A and B MFW flows had been reduced to 0 lb/s. During the same time, reactor power decreased before the reactor was tripped.
g 6 Fall NN!-Y llB V ac Same transient as above. Yes FSAR 15.2.7 as at 100% power 7 Fall NNI-Y 24 V dc This is a slid overheating and sustained overcooling transient that Yes FSAR 15.1.2 O at 30% power would trip the reactor on low RC pressure. Tave increased several de-
- , grees F before overcooling was initiated. Loop B Btu limits decreased P , about 25%, and while the loop B FW flow was dropping rapidly, loop A I FW flow increased PAfore dropping to zero. EFW flow restored water y
e, levels in both SG5 and pennitted both SGs to hold normal steam pres-sure.
M
Table 6. (Cont'd)
Failure Reactor Transient bounded by FSAR f No. Type of failure Description of transient tripped? analysis .
8 Fall NNI-Y 118 V ac Same transient as failure No. 7. Yes FSAR 15.1.2 at 30% power 9 Fall ICS 118 V ac An overheating transient caused by MFW system closing to 50% capacity Yes FSAR 15.2.7 at 100% power leads to a reactor trip on high RC pressure. Tave increased signif t- ,
cantly, and RC pressure reached a peak of 241u psia before post-trip l cooling was initiated by the 50% open failure of the turbine bypass i valves, which caused steam pressure to vent down to 600 psig. '
l 10 Fall ICS 24 V dc This is an overheating transient with the MFW valves closing to 50% Yes FSAR 15.2.7 i and MFW block valves closing completely. The reactor tripped on high l at 100% power I RC pressure. The turbine bypass valves also failed to 50% open, and t
I both SGs vented down to 600 psi.
l 11 Fall ICS 118 V ac This is a long sustained overcooling transient that will lead to a Yes FSAR 15.1.3, " Steam Pressure at 30% power reactor trip on low RC pressure. The turbine bypass valves failed 50% Regulation Malfunction or open and depressurized both OTSGs. The MFW valves opened to 50%, but Failure Resulting in increas-SG 1evels dropped to the low level setpoint because the FW pumps were ing Steam Flow" approximately on the low speed stop.
' 12 Fall ICS 24 V dc This transient is siellar to No.11. Turbine bypass valves failed to
- at 301 power 50% open and MFW block valves closed. The reactor will trip on low RC um pressure.
I CD e
R,e P
sE EP o
M
Table 7. Comon Instrument Line Failures iallure
, No. Signals failure Effects Reactor tripped? Transient bounded by 1 PT-2-1. narrow-range Break in low This failure will try to energize all heaters. Assuming that Possible (Iow RC FSAR 15.6.2. " Break in pressurizar pressure tap falls this level was selected, the Pzr level indication fails low pressuee) Instrument Lines orLines (X) outputs low so heaters are turned off by low level interlock. Mabeup flow from Primary System That will increase and try to " refill" the Pzr. It will actually de- Penetrate Containment
- PT-2-2. wide-range crease in pressure and level will fall due to the LOCA effect ssurizer pressure of the tap break. Reactor could trip on low RC pressure. Con-trol af ter reactor trip needs operator attention due to tap LT-14-3. pressurizer break.
level (V) 2 PT-2-3. narrow-range Break in low Same as above. Possible f % RC FSAR 15.6.2 pressurizer pressure tap falls pressure)
(V) outputs low PT-2-4. wide-range pressurizer pressure (V)
LT-14-2. pressurizer level (X) 3 TE-15-1. pressurizer Open or short Only one Pzr temperature is used for temperature-cospensating See Table 2 See Table 2 e temperature (X) circuit fails the Pzr level aP signal. The other thermocouple is not used outputs low at all when not selected. Thus, this failure is equivalent to g fE, p,{2 e zer or high a single input signal failure.
' 4 LT-943. % startup Break in high Same as failure of single input signal. Operate level will See Table 2 See Table 2 level. loop A (X) tap falls fail high, and stattup level will fall high. but only the op.
LT-9Al* SG operate outputs high erste level high setpoint will take a controlled action and level. loop A (X) close FW control valves as previously described under operate level measurement failure.
5 LT-9A4 SG startup Same as above Same as above. See Table 2 See Table 2 level. loop A (V)
LT-k 2. SG operate level. loop A (V) 6 Loop 8 operate and Same a* above Same as far loop A level measurements.
startup level mea- .
surements 7 TE-8Al. SG downconer Open or short Same as a single input signal failure since downcomer temper- See Table 2 See Table 2 g temp. loop A (X) circuit atures have no control system action. Control after reactor trip unchanged.
g* TE-8A2. SG downcomer O temp, 1000 A (V) w 98
- E -
O O
M h w-w _
Table 7. (Cont'd)
Failure No, Signals failure Effects Reactor tripple Transtent bounded by 8 TE-881 & TE-882. SG Open or short Same as above. See Table 2 See Table 2 downconer temp. circuit loop 8 9 TE-IAl. FW temp. Open or short Since only one loop A FW temperature is selected this fall- See Table 2 See Table 2 loop A (I) circuit ure is equivalent to a single input fatture. High and low TE-1A2. FW temp. ur of loop A (or 8) FW temperatures are (.escribed in loop A (Y) ha 10 TE-181 & TE-182. FW Open or short Same as above. See Table 2 See Table 2 temp. loop 8 circuit 11 TE-4Al. Tc loop A (I) Open or short This failure is equivalent to a single input signal failure See Table 2 See Table 2 TE-4A2 Tc loop A circuit since the utde-range Tcold is not used for a control system wide range (X) input. Refer to Table 2 for high and low failures of the Tcold signal.
12 TE-481 & TE-482 Open or short Same as above. See Table 2 See Table 2 Tcajg loop 8 circuit 13 TE-443 & TE-4A4 Open er short Same as above.
Tcold loop A circuit
" 14 TE-4P3 & TE-484 Open or short Same as above.
e ,Tcold loop 8 circuit 15 TE-3A1. TH loop A Open or short Only one Thot in a loop is used for control. The other tsused See Table 2 See Table 2 (X) circutt for display. Thus, this failure is equivalent to a single in-TE-3A2. TH Ioop A Put signal failure. See Table 2 for both high and low failures gy) of Thot 16 TE-381 & TE-382 Open ce short same as above. See Table 2 See Table 2 TH loop 8 circuit X
R w
to I
O 6+
M o _ _ _ _ _ _ _ _ _ _
\
Figure 1. Sources of Sensor Input for the NNI and ICS RC SYSTEM TURBINE (PZR) h il (MU & LTOWN)
(PRI) (SEC)
BALANCE OF BAL ANCE OF PLANT 5 PLANT >
b n ,u I
(
If UU If if1f If
- NNI-X NNI-Y
=
BOP U U
ICS
d NI t
- 1 I
l 1
- i Babcock s.Wilcox
< ~
Figure 2. NNI-X Power Distribution System, Schematic Diagram AC-A POWER SUPPLY AC-8 POWER SLPPLY
+24 +24 l ,
WC C E N WC "
g o ll8VAC; ABT :
8VAC
' ~
-24 1 e -
w w _ -24 ~
. VOC VDC o
e i
i i !
I l
t i
. . , , Babcock s Wilcox
1 I I I i' i f f i i :- i : 1 - I : i . , ,
8 l
o l f n R Rj Rj 85 EE
= u 55 45 1 t I E s s I
E I I I
I I a a a
(a) .malud-A sM Pl*3 (P81*M l' %) AOU aa V
,, .g n 3 5 I I l o
3 I 33 R}
8 85 Ik=
u 85 EE t I n t s s 3 a .. 3 g g g g -.g g (E) 521M3 an (J) asageaaduseA Sq ioH g ii g l l l l g
1 '
g R4 8
R 2u EE E_
3I .g u J' .g:p 4* p ,
3 l -
3-* .
- g E t 1-g3 s s
-m
$ $ I I
- l m
[
=
(-4) >=nssana 3. ===2==
M, il g <i .g ,
'k
==
g E t b
1 .s
, 3 } s.
3.R I g- i-I is 8
c a.
.a i. li. .gf .gf E .g N .g N e a n s '
s
[
s s [
.g .g
- i i E E
- E i i
- 5 I I (z) 81Mf1 (MS V (Pe1*M 30 E) to1J AJ V og I a t g E i, .g g tj- 0 850 n
.nl 95 w
m 23 sg o s s
<F
) .* s a =
. \.
3 g a a
a R E R E E E R E E (zi naoa asoa (=q=0sem ="==M I 'I t s 1 t 8 8
'k '!
. u, .s;g s s s s s =
. . . .. . . . . e . . . . . o I!!IIIIIE I a I 5 I
<-w unm a w 4 2 I I i 1 ( l I i . I 1 1
.-.m. . . . _ _ . , . . _ , _ _ _ _ _ _ , ,
t I ( l . 1 I I I I I I I I I l 1
,s e
.s
.4 p
a ^
8 s ,
a l
% ' s ., 1 0
3" w "3 .s C =
3-S I. .a -
p i s 2
m{ ,
1" .s 03 3c . . . . . . .
AM I I. ..I I E I I I I
- (a) ** *1 2
'a C 1 1
s s o.s s
, .s .a 7 7 s3o sg 0
sl sl u w s s!. s s=.
a .a
.a ,
s
.a n e ; ......... e E63gaeasan - gaaea asaas -
(P.ge/J go g) nogJ gJ g (pejeg jo g) motj 3J y o.g .]
.: .a I
3 3 m
7 so T se 8 8
.s l-
.sl-
' I =p 'I =G
.R R s .s
.g
.a i s a=sasa==- ggggigiig u) - u -> > .= c., .3) ... y .
.-. -_ - . . _ . _ .