ML20076J857

Review of B&W Rept,Integrated Control Sys Reliability Analysis,BAW-1564 Aug 1979, Final Rept

Person / Time
Site: Three Mile Island
Issue date: 01/21/1980
From: James Anderson, Oak Ridge National Laboratory
To: Satterfield R, Office of Nuclear Reactor Regulation
References
CON-FIN-B-0731, CON-FIN-B-731, TASK-*, TASK-GB, GPU-0608, GPU-608, NUDOCS 8307060499

Text

OAK RIDGE NATIONAL LABORATORY
UNION CARBIDE CORPORATION, NUCLEAR DIVISION
Post Office Box X, Oak Ridge, Tennessee 37830

January 21, 1980

R. E. Satterfield, Chief
Instrumentation and Control Systems Branch
Division of Systems Safety
Office of Nuclear Reactor Regulation
U. S. Nuclear Regulatory Commission
Washington, D.C. 20555

Dear Sir:

Review of Babcock & Wilcox Report Integrated Control System Reliability Analysis, BAW-1564, August 1979
FIN # B-0731
NRC Technical Monitor: D. Thatcher

Our final review of the subject report is submitted for your use. This issue incorporates revisions and recommendations made by your staff based on an earlier draft submitted December 4, 1979.

This report represents completion of all identified milestones of FIN # B-0731.

John L. Anderson
Reactor Systems Group
Instrumentation and Controls Division

JLA/gss
Attachment

Distribution: [name illegible], Director, Division of Systems Safety, NRC; L. Grenier; A. F. McBride, SAI; L. Beltracchi, NRC; L. C. Oakes; A. Oxforth, NRC; R. S. Booth; J. R. Penland, SAI; L. Brodsky, DOE; A. Capra, NRC; D. F. Boss, NRC; L. Chiramal, NRC; R. S. Stone; S. J. Ditto; D. Thatcher, NRC; S. L. Hanauer, NRC; D. Tondi, NRC; R. A. Hedrick; D. B. Trauger

8307060499 800121 PDR ADOCK 05000289 P

INSTRUMENTATION AND CONTROLS DIVISION

Report Review:

Integrated Control System Reliability Analysis*

Review by
R. S. Stone, J. L. Anderson, S. J. Ditto
Oak Ridge National Laboratory
Oak Ridge, Tennessee 37830

R. A. Hedrick, A. F. McBride, J. R. Penland
Science Applications, Inc.†

Research sponsored by the Division of Systems Safety, U. S. Nuclear Regulatory Commission under Interagency Agreement No. 40-544-75 with the U. S. Department of Energy under contract W-7405-eng-26 with the Union Carbide Corporation.

*By R. L. Dungan, L. L. Joyner, C. P. Bennett, and C. W. Tally, Babcock & Wilcox, BAW-1564 (August 1979).
†Under Subcontract No. 62313819C with the Union Carbide Corporation.

1. INTRODUCTION

The Instrumentation and Controls Division of the Oak Ridge National Laboratory (ORNL) was requested by the U. S. Nuclear Regulatory Commission (NRC) to review a report entitled Integrated Control System Reliability Analysis, by the Babcock and Wilcox Company (B&W).1 In this document (hereinafter referred to as the "B&W analysis") B&W states their analysis of the effects of postulated failures in the B&W integrated control system (ICS) on the operation of the nuclear steam system (NSS). The object of the review by ORNL was to determine the adequacy of the B&W analysis.

The B&W analysis had been submitted in response to shutdown orders from the NRC to all B&W-designed plants (hereinafter referred to as the "NRC orders").2 The "Executive Summary" of the NRC orders directed "the B&W Plant design control system analysis to address the following NRC concerns: features unique [illegible] with regard to interactions in coping with transients. The mitigating systems (e.g., HPI) should also be included in the study." The NRC also directed analysis of other specific concerns in Sect. 8.2.3 of the NRC orders, which are rephrased as follows:

(a) The role of control systems (in this case the ICS) and their significance to safety.

(b) The rate at which transients initiated by control failures challenge the plant safety systems.

(c) The rate at which transients initiated outside the control system are not successfully mitigated by the control system.

(d) Identification of realistic plant interactions resulting from failure in nonsafety systems, safety systems, and operator actions. (Failure modes and effects analysis is indicated.)

1. R. L. Dungan, L. L. Joyner, C. P. Bennett, and C. W. Tally, Integrated Control System Reliability Analysis, Babcock & Wilcox, BAW-1564 (August 1979).

2. Staff Report on the Generic Assessment of Feedwater Transients in Pressurized Water Reactors Designed by the Babcock & Wilcox Company, U. S. Nuclear Regulatory Commission, NUREG-0560 (May 1979).

Finally, additional concerns were expressed in Appendix Y of the NRC orders, and pertinent excerpts are paraphrased as follows: The NRC staff has ascertained that B&W-designed reactors appear to be unusually sensitive to certain off-normal transient conditions originating in the secondary system. The features of the B&W design that contribute to this sensitivity are: (1) the design of the steam generators to operate with relatively small liquid volumes in the secondary side; (2) the lack of direct initiation of reactor trip upon the occurrence of off-normal conditions in the feedwater system; (3) the reliance on an integrated control system (ICS) to automatically regulate feedwater flow; (4) the actuation before a reactor trip of a pilot-operated relief valve on the primary system pressurizer (which, if the valve were to stick open, could aggravate the event); and (5) the low steam generator elevation [text missing] circulation.

Because of these features, B&W-designed reactors depend greatly on the reliability and performance characteristics of the auxiliary feedwater system, the ICS, and the emergency core cooling system (ECCS) [text missing] loss of normal feedwater; this, in turn, places a large burden on the plant operators to cope with off-normal system behavior during such anticipated transients.

The administrative action required of B&W by the NRC was that "the licensees will submit a failure mode and effects analysis of the ICS to the NRC staff as soon as practicable."

2. GENERAL FINDINGS OF ORNL REVIEW

The B&W analysis submitted in response to the NRC orders deals only narrowly with the ICS itself and not at all with the plant systems it controls and with which it interacts. With note of the concerns expressed and the guidance given in the NRC orders, the B&W analysis is more notable for what it does not include than for what it does include.

With reference to the "Executive Summary" of the NRC orders, the B&W analysis does not deal with interactions or with transients, except those that might be initiated by limited signal or component failures (one at a time) within the ICS. Neither does the report deal with mitigating systems such as HPI, as suggested. In fact, consideration of all events is concluded with reactor trip, even though to some extent the ICS (auxiliary feedwater) is a part of the ECCS.

The significance of the ICS to safety (item a) is not addressed.

The rate at which transients initiated by control failure challenge the plant safety systems (item b) is dealt with only to a limited extent. Only control failures within the ICS cabinets are considered, and then only to reactor trip. No significant control, instrument, or power failures external to the ICS cabinets are considered, even though several such failures have occurred in operating plants.

Transients initiated outside the control system (item c), whether or not successfully mitigated by the ICS, are not addressed, except in tabulations of operating experience.

Identification of interactions (item d) resulting from failures in safety or nonsafety systems or operator actions is notably absent. Also notably absent is any consideration of the sensitivity of the B&W plant design to feedwater transients, to performance, either normal or abnormal, of the ICS, or to reliance on the pilot-operated relief valve for successful maneuvering.

In summary, the report deals only with a very limited scope of failures, essentially within the ICS cabinets; the only significant measure of response is whether a reactor trip would occur. Because of this limited scope, the results are necessarily of limited value. The following ORNL review takes into account this limited scope and attempts to evaluate the analysis presented and, also, to suggest additional work which might be needed.

3. THE ORNL REVIEW PLAN

The ORNL review plan was that first we would identify the concerns and need for a B&W analysis of the ICS. Then, from that statement of need, we would establish specific objectives for the B&W analysis report. From the statement of objectives, the B&W analysis would be evaluated relative to their methodology by which the objectives were to be achieved and to the adequacy of their implementation of the methodology.

This basic plan resulted in two classes of comments concerning the B&W analysis: "Methodology" and "Implementation." Based on these two sets of comments, major concerns were identified and evaluated, from which the adequacy of the B&W reliability analysis of the ICS was assessed. Finally, from NRC areas of concern and from the ORNL evaluation of the B&W analysis, we derived a set of recommended actions that would lead to an achievement of the original study objectives desired by the NRC.

Several questions were submitted to B&W to obtain clarification and expansion of some concerns expressed in our preliminary review of the analysis. These questions and the B&W responses are included as Appendix A.

Because of the once-through steam generator, the B&W NSS responds rapidly to secondary system perturbations. (This sensitivity was a key consideration in the analysis of the Three Mile Island accident.) In any evaluation of potential or real abnormal events, evaluation of the ICS is a principal requirement because of its influence on the course of the event. The task of evaluation of the ICS is made complicated by the following engineering considerations:

1. The complexity of the ICS due to its feed-forward approach as augmented by feedback fine tuning.

2. The complexity of the plant response to control actions.

3. The sensitivity of the plant and a definition of what constitutes failure of the ICS (e.g., instrument drift not normally associated with failure might be sufficient to initiate an ICS-induced transient).

An understanding of the sensitivity of the B&W NSS response to ICS actions enables identification of the following objectives for analysis of the B&W control system:

1. Estimate the probability that an ICS failure can initiate an accident. This estimation must be based on an objective evaluation of the system.

2. Identify design deficiencies.

3. Identify design features that influence the probability of accident initiation.

4. Evaluate the capability of the ICS to respond properly to probable events, and estimate the impact of adverse actions of the ICS.

In the following sections, we discuss the methodology selected to meet the preceding objectives (Sect. 4), discuss and evaluate the implementation of the selected methodology to evaluate the B&W ICS (Sect. 5), and recommend further work to address the role of control systems in the safety of nuclear power plants (Sect. 6).

4. METHODOLOGY SELECTION

The methodology selected for the reliability evaluation of the ICS consisted of three parts: failure modes and effects analysis (FMEA), system simulation, and operating data collection and analysis. In concept, the FMEA is used as a predictive tool to estimate which failures within and without the ICS can lead to plant transients. A simulation model is used to study in more detail the effect of postulated failures identified by the FMEA. Finally, from collection and analysis of operating data, information is obtained for comparison of what has occurred with what has been predicted. From such comparisons, the validity of

The following paragraphs identify and discuss the bases for concerns with the methodology selected.

4.1 Scope of Analysis

As part of the ongoing evaluation by the NRC staff, the initial concerns with the ICS were broadened into a more general concern about control systems and the interaction of safety and nonsafety systems as mentioned in the introduction of this review. The broader concerns were not considered explicitly in the ICS study.

Our review attempts to answer several questions. First, does the B&W analysis present a fair and complete representation of the ICS? Second, do the failures selected for analysis and the results stated provide the insight to allow valid conclusions to be drawn? Third, can this type of study, based on failures within or at the boundaries of the ICS, adequately evaluate the potential impact of the ICS on the safety of the plant? Fourth, if the answer to the previous question is "no," what other information is necessary?

We believe that the usefulness of the B&W analysis is limited because the ICS is bounded so narrowly. A control system, particularly one claimed as "integrated," should include sensing, signal conditioning, and actuating equipment and perhaps power supplies, if not primary power sources. The system being controlled includes a number of process loops that are highly interactive and which must often operate within rather narrow individual constraints. The B&W analysis does not address these interactions.

The failures selected by B&W for analysis are based on failures of functional blocks. Although it is recognized that functions can fail because of equipment failures, it is not clear that there are no undisclosed couplings or interactions of blocks. An example of common elements that may involve multiple blocks is the arrangement of power supplies and their protective features (fuses, breakers, etc.). Additionally, the B&W analysis is seldom carried beyond reactor trip, if that occurs. While it is of interest to know that a failure causes a trip, it is also of interest to know whether a trip is actually needed and whether the trip lays all problems to rest.

To some extent, the B&W analysis discusses the effect of operator posttrip action, but many of the scenarios end with the trip. Although the ICS controls the operation of equipment that is important during posttrip situations, the B&W analysis does not pursue this necessary consideration. For example, it is suspected that some possible failure modes of the ICS could inhibit initiation of auxiliary feedwater (AFW). Also some failures in the ICS possibly could initiate a loss of feedwater and also could inhibit auxiliary feedwater via the flow control valves. These possibilities are not addressed, presumably because they are plant specific. Measures are underway to make initiation and control of AFW independent and safety grade.

Inasmuch as the ICS participates so directly in the coordination of the generation, transport, and removal of heat, it influences the behavior of the whole plant, even to the extent that it could magnify anomalous behavior that originates outside itself. Malfunctioning valves have required manual intervention for operation during startup, probably because the automatic systems (ICS) could not cope. It would not be impossible for peculiar equipment interactions or operating conditions to place the ICS at such a disadvantage that it would respond, although as designed, in an undesirable way.

A basic question, from a safety viewpoint, is the following: Can the ICS cause the plant to misbehave in a credible way so that the protection system (and ESF's) cannot adequately handle it? Hopefully the answer is no, but a corollary question might also be asked: Does the ICS increase or decrease the rate at which the protective features are being called upon to cope with real hazards? These questions are not unique to the ICS. They are concerns to be addressed in an analysis of any control system; however, they cannot be answered meaningfully by consideration of only a relatively small portion of the entire control structure, such as the ICS as limited in the B&W analysis report.

It is clear that the B&W analysis was an attempt to respond to loosely defined concerns on a short time schedule. It describes some problems that can arise, but falls short as an in-depth evaluation. The supplementary operating statistics indicate that the control system is of reasonable reliability, but they also give a somewhat hazy image of a system that has some performance deficiencies. It does not appear to be an unworkable system, but it falls short of being a strong influence for safety.

The broader concerns are summarized as follows:

1. Other control systems. These include other automatic control systems such as the nonnuclear instrumentation (NNI) makeup flow and PORV controls and turbine-generator controls. Failures within these control systems can affect the performance of the ICS and other key systems simultaneously. Of particular concern, for instance, is the postulated failure of power supplies in the NNI. In addition to automatic controls, the plant operator is himself part of a control loop between the NNI indications and the controlled components.

2. Controlled components. As identified by the historical data, plant trips are caused more by failures of controlled components than by failures of automatic control systems. As previously identified, interactions among control systems (including human operators) and controlled components may result in a transient, even though no specific equipment has failed.

3. Control system inputs. The ICS analysis considered single "high" or "low" ICS inputs. Failure of sensor signals to other control systems, including human operators, should be studied in detail. Such failures are of particular concern, since they may have a simultaneous adverse effect on ICS performance and/or the performance of other critical systems. The study should include multiple failures due to common causes (e.g., power supplies) or undetected failures. Failures of input signals at midscale should be studied because they may remain undetected and thus contribute to multiple component failures.

4.2 Multiple Failures

The FMEA is a qualitative reliability engineering technique for evaluation of the effects on system operation of single, postulated failures within the system or within subsystems interconnected to the principal system. The FMEA starts with contributing events and traces them upward through the system hierarchy to determine the overall effects. The FMEA is suited to the performance of single-failure analyses; it is not a convenient technique for addressing multiple-failure situations.

This inability to address multiple failures in the B&W ICS may be significant since, as acknowledged by B&W, failures may occur in the ICS without being annunciated, such as those of signal limiters and auctioneers. A failed auctioneer, for instance, might have no effect on ICS performance until called upon to implement a cross limit initiated by another ICS failure. Since sufficient evidence to the contrary does not exist, multiple-failure-induced transients may have a significant probability.

An alternative or augmenting technique is fault tree analysis, since fault trees are suited to handling multiple failure situations. The ICS reliability study identified major events in which the ICS could participate: loss of main feedwater, steam generator overfill, secondary depressurization through turbine bypass or atmospheric dump valves, and, possibly, combinations of these events due to instrument power failure. It may be advisable to analyze fault trees on these major events, tracing through the system "top down" to identify the faults that could induce the specific event. This analysis would identify sets of multiple failures and estimates of their probability. Specifically, an interesting fault tree might be developed for a "top" event of loss of feedwater, using the equipment block diagram rather than the functional block diagram used in the B&W analysis. (Section 5.1.1 states the reasons for using an equipment diagram.) From the results of this analysis, one might judge whether it would be worthwhile to develop fault trees for other major events.
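As an added illustration of the fault-tree approach recommended in this section (this code is not part of the ORNL review or of BAW-1564), the following Python builds a small, entirely hypothetical equipment-level fault tree for the top event "loss of main feedwater," extracts its minimal cut sets top down, bounds the top-event probability with the rare-event approximation, and compares the result with what a single-failure FMEA over the same model would report. The gate structure, the basic-event names (an ICS output card, a shared instrument power supply, a latent auctioneer failure, a cross-limit demand, two pump trains) and every probability are assumptions made for the example, not data from either report.

```python
"""Equipment-level fault tree for a 'loss of main feedwater' top event.

Added example, not from BAW-1564 or the ORNL review. The tree structure,
event names and probabilities are hypothetical and exist only to show the
technique: top-down cut-set extraction finds the multiple-failure
combinations that a one-at-a-time FMEA cannot, including a latent
(unannunciated) auctioneer failure paired with the second failure that
exercises it, and Boolean absorption exposes a shared power supply as a
single-point cut set even though it sits under AND gates.
"""
from itertools import product

# Gate nodes are (gate_type, [children]); leaves are basic-event names.
OR, AND = "or", "and"

# Hypothetical equipment block structure (an assumption, not B&W's design).
LOSS_OF_MAIN_FEEDWATER = (OR, [
    (OR, [                                   # ICS demand to the pumps fails
        "ICS_OUTPUT_CARD",
        "INST_PWR",                          # instrument power, shared below
        (AND, ["AUCTIONEER_LATENT",          # undetected until called upon
               "CROSS_LIMIT_DEMAND"]),       # second failure exercises it
    ]),
    (AND, [                                  # both feedwater pump trains lost
        (OR, ["PUMP_A", "INST_PWR"]),
        (OR, ["PUMP_B", "INST_PWR"]),
    ]),
])

# Hypothetical per-demand failure probabilities for the basic events.
BASIC_EVENT_PROB = {
    "ICS_OUTPUT_CARD": 1e-3,
    "INST_PWR": 2e-3,
    "AUCTIONEER_LATENT": 5e-2,   # latent failures accumulate, so larger
    "CROSS_LIMIT_DEMAND": 1e-2,
    "PUMP_A": 1e-2,
    "PUMP_B": 1e-2,
}


def cut_sets(node):
    """Return all cut sets (frozensets of basic events) that fail `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == OR:
        return set().union(*child_sets)
    # AND: one cut set from every child, merged into a single set.
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(node):
    """Drop every cut set that contains another (Boolean absorption)."""
    sets = cut_sets(node)
    return {s for s in sets if not any(t < s for t in sets)}


def cut_set_probability(cut_set, probs):
    """Basic events are treated as independent within a cut set."""
    p = 1.0
    for event in cut_set:
        p *= probs[event]
    return p


def top_event_bound(mcs, probs):
    """Rare-event approximation: the sum of minimal cut set probabilities
    is an upper bound on the top-event probability."""
    return sum(cut_set_probability(s, probs) for s in mcs)


def single_failure_fmea(node, probs):
    """One-at-a-time FMEA: postulate each basic event alone and ask
    whether the top event occurs. Returns the single-event cut sets."""
    def occurs(n, failed):
        if isinstance(n, str):
            return n == failed
        gate, children = n
        results = [occurs(c, failed) for c in children]
        return any(results) if gate == OR else all(results)
    return {frozenset([e]) for e in probs if occurs(node, e)}


if __name__ == "__main__":
    mcs = minimal_cut_sets(LOSS_OF_MAIN_FEEDWATER)
    fmea = single_failure_fmea(LOSS_OF_MAIN_FEEDWATER, BASIC_EVENT_PROB)
    for s in sorted(mcs, key=lambda s: (len(s), sorted(s))):
        print(sorted(s), cut_set_probability(s, BASIC_EVENT_PROB))
    print("top-event bound:", top_event_bound(mcs, BASIC_EVENT_PROB))
    print("missed by single-failure FMEA:", [sorted(s) for s in mcs - fmea])
```

Instrument power appears under both pump trains as well as in the ICS branch, so absorption collapses every combination containing it to the single cut set {INST_PWR}; the one-at-a-time FMEA finds that and the output card, but reports the latent auctioneer failure and the pump-train pair as harmless, which is exactly the multiple-failure contribution the text says the B&W method cannot see.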


4.3 Participation in Feedwater Oscillations

The methodology that was selected cannot evaluate the possible involvement of the ICS with FW oscillation. At least two regimes of oscillation have been identified: one in the power range from 15 to 20%, with a period of 3 to 90 s, and a second at ~0.3 Hz, which occurs during operation up to 70% of full power in some plants. The ICS does participate in these two regimes, and it is possible that its effect could cause the plant to trip. Further, the ability of the plant systems, including the ICS, to withstand such perturbations has not been determined. It is not clear that the effect of such oscillations has been included in the plant duty cycle.

Because much is unknown concerning the dynamic response and stability of the plant control system (a broader definition of the ICS), we believe that a dynamic performance analysis should be made to better understand the dynamic characteristics, including system oscillation. Some topics suggested for study are as follows:

1. The dynamic response of FW pump control is generally slower than that of FW valves. Will transition from valve to pump control of FW cause stability problems?

2. Do the pressurizer controls attempt to mitigate or to amplify pressure oscillations? How are the pressurizer and the ICS interdependent with regard to stability?

3. Are oscillations caused or mitigated by the ICS?

4. What conditions could lead to plant instability?

4.4 System Simulation

The objective of system simulation is to evaluate the effect of postulated failures upon the NSS. This is, in concept, an excellent technique, inasmuch as evaluation using an operating plant would be prohibitively expensive and possibly dangerous. Likewise, an intuitive estimation of the effect of postulated failures on the system would be inadequate because the system response to inputs from the ICS is too complex for such a simplified technique. Thus, system simulation is an appropriate technique, with a caveat that any simulation is limited in its ability to predict system response. The strengths and weaknesses of the simulation technique chosen, POWER TRAIN IV (PT-IV), are addressed in Sect. 5.2.

j 5. EVALUATION OF IMPLD'.INTATION OF METHODOLOGY }

g -

l J In this section va presu=e that the B G method described in BAW-1564

-> is adequate for evaluation of the ICS. The results reported below evaluate

$ the manner in which the methodology is applied to the ICS. The results of L f this evaluation are described in the three sections corresponding to the .

3 IMEA, PC'4E1 T.uIN si=ulation, and operating data, f h  ;

. 5.1 Failure Modes and Effects Analysis .

F 5.1.1 yunctional versus hardware basis -

An IMEA can be performed on either a functional flow block diagram of the ICS or an equi;=ent block diagram. Ihe two are not necessarily . .

the same, and results based on the functional flow block diagram may be I misleading relative to the actual configuration of hardware. ,

2 yor maximum utilisation of an FMEA for a rea.1 systen, the IMEA ,5 j j should be, performed on an equipment block diagram. I P The functional flow m provides little, if any, basis for even [

a judgmental eatization of failure probability. This is exemplified in Table 4-5 of the FE analysisi vhere almost all functional failures T

. of the ICS result in a trip. Ecvever implemented in ICS hardware, j

  • he functions have cress li=its that

. prevent trip conditions. Thus, ..

[

the analysis, as presented, does not flect. beneficial features of the p

ICS. Specifically, fault tolerance of the sys' ten cannot be evaluated, L although plant data suggest that the ICS has a considerable degree of i fault tolerance. The BE Table .*.- S shcws only one of the 39 functional blocks whose failure dees not produce a trip. However, operating data i shows that only 6 of the 47 actual ICS ,eguipment failures resulted la

~

. , a trip,, *- b(,;.

Unless portions of an IMEA on the equipmen't block diagras can be -

performed, the impact of using the functional rather than the equipsant diagram cannot.be evaluated completely. As noted in Sect. 4.2, a fault

, tree using the equipment block diagraa would have been a better method i of analysis. .

5.1.2 off-no nal conditions .

d. The serious safety problems experienced in operating reactors have,

$' - ta* general, involved =ultiple failures, o'r sometimes a single failure i

, compounded by operator error. Jithout deserting the probability-justified -

)

single-failure criterion, it would be instructive to examine the conse-

, quences of single hardware failures occurring during operation with less ,

than a full complement of coolant pumps or with certain control functions

-~..=c 'e x .

. . . ;.;. ;. n .*.,e ,.g,....-:-

s . .

c.

he . . ha *

~

l f i

l t,

. . k .-. --- . - . ~ . . . -

7 .

' . _w. r - - --gg---~~ ,

-~

~

n i

B in the manual mde.

These are allowed conditions of operation; their Under the same probability guidelines that occurrence is not uncocoon.

.l sandate investigation of AW S situations, it is not unreasonable to examica the consequences of single ICS failures during off-normal con-l , ditions of plant operation.

Where control failures are postulated under conditions of degraded '

l heat removal espebilities, a scram may not always be the final action tb be considered. If reactor cooling must be followed fron full power into

.the shutdown mode, PT-IV does not. appear to have a dycasic range to ]

follow the decreasing power nor the coccand of nonlinear effects to deal -

l

?, i Additional investigation of ICS component with the interim transient. )

fcilures under off-nor=al conditions would be desirable, particularly i where operation is on two pumps and such ICS failures occur as a "close )

/.

valve" malfunction in one steam generator's startup control valve actua-

'e toe. Ta additten, it would be desirable to follow postscraa heat removal . ,

with a blevdown-competent code, at least for a few extreme cases, in order ..

to demonstrate the medium-term consequences of the event and the adeguacy  ;

of the FT-IV predictions.

4

! The BW analysis asserts that ICS actionc have averted more trips i

than they have caused. Although this assertion is not pertinent and

! is probably true, the data presented do not substantiate the essertico.

3 ~

5.1.3 power sunolies_ .,

9

' The evaluatics of power supply failures was limited. Although a loss .

"; of input power was listed as a failure, the effects of the failure were d not evaluated. yailures of power conditioning equipment internal to the ' -

ICS vere not considered except for their potential . contribution to "high" .

~

or " low" failures or to single internal ICS functions and to single ICS output signals. The BW report 1 states that power supply failures could not be considered in greater detail because plant-to-plant design variations were too great, the failure modes and effects were too

  • complex, and the time allocated for the study was too brief to permit QEs such an analysis. In the SW analysis, power suppifes are listed as a .

subject for add.itional study.

5.1.4 Effect of postulated failures

From the limited B&W evaluation of postulated failures, it is difficult to assess the need for further evaluation or for potential design modifications. As an example, the FMEA describes the effect of steam generator overfill as "... overcooling of the primary, and possible loss of pressurizer inventory and/or level indication."(2) However, from the summary of an NRC-B&W Operating Plant Licensees Meeting, the effects of the same transient were described as follows: "The resultant carry-over of liquid into the main steam lines could lead to equipment damage to both the main turbine and any auxiliary turbines (i.e., AFW pump turbines) being supplied steam from the main steam system. In addition, the carry-over could lead to excessive waterhammer. It is also possible that the weight of the water in the steam lines could cause excessive stresses on the piping system and pipe supports."(3) Regardless of how appropriate either description is, the latter description would place a greater emphasis on the potential need for remedial action.

2. Ref. 1, p. 4-33.

3. A. Capra, "NRC Summary of Meeting Held on August 23, 1979, with the Babcock & Wilcox Operating Plant Licensees to Discuss Recent (Post-TMI-2) Feedwater Transients," (September 13, 1979), p. 8.

5.2 System simulation

A more accurate assessment of the response of a plant to ICS failures, we believe, could be achieved by simulating a failure with sufficient equipment that would be capable of following the transient resulting from the simulated failure. The equipment needed would be modules capable of responding to simulated failures of the NSS, ICS, and BOP over a wide range of parameters. Although no such global simulation capability exists, simulators that can encompass some combination of the three systems over a limited range of the parameters of interest are available.

POWER TRAIN IV (PT-IV) was chosen as the simulator and was adapted to the lower loop, once-through steam generator configuration. It has all three systems, NSS, ICS, and BOP, modeled, but its thermodynamic, fluid mechanic, heat transfer, and core power applicability ranges are restricted.

Since evaluation of the ICS deals with failures that result in large changes in process parameters, e.g., steam generator dryout or flooding, the ability of PT-IV to adequately follow the resulting transients is suspect. For example, many of the undercooling transients are stated to cause a probable overpressure reactor trip; however, due to the changing core inlet temperature, DNBR trips may be more likely. Since the parameter that guides the system directly relates to ICS action, pressure and temperature, individually, will result in different plant transients and effects on the NSS even though both may cause trip. The impact of the limitations of the PT-IV simulation on the overall results is not fully understood; however, the need for using engineering judgment relating to the PT-IV results has been indicated.

Although we would prefer a simulation tool with complete capability, in the context of state of the art, PT-IV is adequate. Its deficiencies do not greatly affect the overall results, since a reactor trip is the terminating point for the analysis. However, if a more detailed evaluation of system effects is desired, it will be necessary to develop a more sophisticated system simulation tool.

FMEA Table 4-3 is an extensive study of the impact of single ICS input failures on system behavior. Under the guidelines assumed, this was a good study, but it is questionable whether much would be gained by further pursuit of this particular approach. To begin with, a great deal of the information in Table 4-3 could be determined by a knowledgeable, a priori examination of an ICS flow sheet, without resort to simulation. Where simulation has been and should be used, it is not apparent that conditions are so far from design point that a linearized model would not be acceptable. The reason is that a reactor trip from any out-of-range variable would appear to call a halt to a study of further consequences. From a case by case examination, this response also seems justifiable; no single ICS input failure appears to cause safety problems that a scram would not cure.

5.3 Operating data

The historical failure frequency of ICS components, the frequency of ICS initiated transients, and the actual response of operating plants to component failures were evaluated, using the records of transients at B&W operating plants. This section complies adequately with the B&W commitment. Since the scope was not limited to ICS failures, even the more general control system concerns recently raised by the NRC are addressed in the section entitled "Operating Experience."

As shown in Fig. 5.1 of "Operating Experience," only 2% of commercial operating plant trips were caused by internal ICS failures (excluding power supplies). Of the remaining trips, one-third were caused by operator/technician errors and two-thirds by ICS interactions with controlled equipment, failures of controlled equipment, ICS inputs (including power supplies), and failures of other control systems. Therefore, internal ICS failures are not a major causative factor of transients that produce trips.

The MTBF's (mean time between failures) for the ICS equipment are consistent with expected values for equipment of that generation (for both the 721 and the 820 series). The 820 series equipment appears to be much more reliable than the 721, but there are insufficient data to state that the apparent large differences are statistically significant. Although the operating data indicate a relatively low probability of ICS failure, the data should not be regarded as a source of insight into the sensitivity of the plant to the ICS.
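The point made about the 721 and 820 series, that a large apparent MTBF difference need not be statistically significant when the failure counts are small, can be checked with an exact two-sample rate test. The following is an added example and is not part of the ORNL review or the B&W report; the failure counts and exposure hours in it are constructed, not plant data, and the function names are the example's own.

```python
"""Exact two-sample comparison of equipment failure rates.

Added example (not from the ORNL review or the B&W report).  Failure
counts and exposure hours below are constructed, not plant data.

Model: each equipment series accumulates failures as a Poisson process
with an unknown constant rate.  Under the null hypothesis that the two
rates are equal, the count from series A, conditional on the combined
count n, is Binomial(n, t_a / (t_a + t_b)).  The two-sided exact p-value
of that binomial is the conditional test for two Poisson rates, which
suits the small counts typical of early fielded equipment.
"""
from math import comb


def mtbf_hours(failures, exposure_hours):
    """Point estimate of MTBF; infinite when no failure has been seen."""
    return float("inf") if failures == 0 else exposure_hours / failures


def _binom_pmf(n, k, p):
    return comb(n, k) * p ** k * (1.0 - p) ** (n - k)


def rate_difference_pvalue(k_a, t_a, k_b, t_b):
    """Two-sided exact p-value for H0: rate_a == rate_b.

    k_a, k_b are failure counts; t_a, t_b are cumulative operating hours.
    Sums the probabilities of every split of the combined count that is
    no more likely than the observed split (the usual two-sided rule).
    """
    n = k_a + k_b
    if n == 0:
        return 1.0                      # nothing observed, nothing to test
    p = t_a / (t_a + t_b)
    observed = _binom_pmf(n, k_a, p)
    tol = observed * 1e-9               # guard against floating-point ties
    return min(1.0, sum(_binom_pmf(n, k, p) for k in range(n + 1)
                        if _binom_pmf(n, k, p) <= observed + tol))


def compare_series(k_a, t_a, k_b, t_b, alpha=0.05):
    """Summarise the comparison the way a reviewer would read it."""
    p = rate_difference_pvalue(k_a, t_a, k_b, t_b)
    rate_ratio = (k_a / t_a) / (k_b / t_b) if k_b else float("inf")
    return {
        "mtbf_a": mtbf_hours(k_a, t_a),
        "mtbf_b": mtbf_hours(k_b, t_b),
        "rate_ratio_a_to_b": rate_ratio,
        "p_value": p,
        "significant": p < alpha,
    }


# Constructed illustration: a "721-like" series with 4 failures in
# 20,000 h and an "820-like" series with 2 failures in 40,000 h.  The
# apparent failure-rate ratio is 4:1, yet the exact test cannot reject
# equal rates at the 5% level; ten times the exposure with the same
# ratio can.
SMALL_SAMPLE = compare_series(4, 20_000, 2, 40_000)
LARGE_SAMPLE = compare_series(40, 200_000, 20, 400_000)

if __name__ == "__main__":
    for label, result in (("small", SMALL_SAMPLE), ("large", LARGE_SAMPLE)):
        print(f"{label}: rate ratio {result['rate_ratio_a_to_b']:.1f}, "
              f"p = {result['p_value']:.4f}, "
              f"significant = {result['significant']}")
```

With the constructed small sample the p-value is 73/729, about 0.10, so the fourfold difference is consistent with chance; the same ratio at ten times the exposure gives a p-value well below 0.001. The test is conditional on the combined count, so it needs no estimate of the common rate and no normal approximation, which is what makes it appropriate when only a handful of failures have been logged.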


6. EVALUATION AND RECOMMENDATIONS

6.1 Operating Experience

Reliance on the ICS or on automatic control in general to regulate feedwater and other plant parameters is not a shortcoming as might be inferred from current suspicion of the ICS; instead it is a significant asset to plant safety and availability. That the system does not perform perfectly in all situations or that it may induce plant upsets when it fails is only to be expected. Thus, one should criticize only the deficiencies and not automation in general. Customer satisfaction and acceptance of the ICS is high and at least as favorable as competitive designs.

It is clear that the ICS, either through its own failure or through its response to real or unreal plant conditions, can alter plant operation in undesirable ways. However, other effective control systems, including good and bad operators, can also do this. For example, feedwater pumps and valves, bypass valves, and atmospheric dump valves can be misoperated; control modes can be improperly altered; loop balances can be upset; and many other anomalies can be caused or exacerbated by the ICS. Neither is this surprising, nor is this necessarily a cause for alarm. The ICS has features that are effective in mitigating the effects of some of its own failures and those of its auxiliaries. These include load, rate, and cross limits, which are useful but not infallible. We find no evidence that the ICS provides more frequent or more severe challenges to the PPS (plant protection system) than other control systems of similar scope, nor do these challenges exceed the PPS capability. The coordination of nuclear power generation with load requirements under system constraints of pressure, temperature, and the like is a complicated task. The development of a system such as the ICS required consideration of many problems too complex for an operator to handle during a minor (or major) plant disturbance. The response of the ICS is far better and more predictable than that of an operator, given the same information.

While we agree that the ICS should not be classed as a protection system, we believe that there should be more concern for avoiding, as well as detecting, degradation or failures within the system. Failures in control systems do affect safety through their impacts upon the rate of challenge of the protection system. The economic costs are obvious. Better control equals better safety, but the quantification of the gain is difficult.

Examination of the failure statistics in the B&W analysis (notably Table 5-4) reveals that only a small number of ICS malfunctions resulted in reactor trips (approximately 6 of 162). These data, supported by conversations with plant operators, demonstrate that the system is failure tolerant to a significant degree. This feature is also evidenced by noting the large number of postulated failures in the FMEA that could result in a reactor trip, compared with the experienced low trip rate in practice. The positive results of the FMEA and operating experience of the ICS show that the control system itself has a low failure rate and that it does not instigate a significant number of plant upsets. The analysis further shows that anticipated failures of and within the ICS are adequately mitigated by the PPS and that many potential failures would be mitigated by cross-checking features of the control system without challenging the PPS.

The manufacturer contends, and we agree, that (1) the system prevents or mitigates ... and (2) ... superior to manual or fragmented control schemes. The performance deficiencies that have been suggested relate mostly to maneuvering through different plant modes, as from hot standby to low power, and with component problems such as valve leakage or pump response. Since these performance characteristics ..., they are not emphasized in this review. Instead, in this review a broader scope of system performance was investigated, but to a limited extent. The following suggestions for further study are offered:

1. An analysis of overall plant stability, including the participation of the ICS in system oscillations and other specific ICS actions, such as control of feedwater after a turbine trip and other anticipated transients.

2. Development of an appropriate full-plant simulator to evaluate the interaction of the primary, secondary, and control systems. This latter suggestion ... a problem beyond the ... of the B&W analysis, implying a need for NRC sponsorship. The simulator would have to ... and still have an acceptable parameter ... and transient ... Analog systems alone are not likely to be adequate for the purpose. A hybrid system would be the most applicable computer system, based on our current views of the operational upsets to be covered.

6.2 Failure Modes and Effects Analysis

Our evaluation of the FMEA as performed and reported in the B&W analysis suggests several concerns and recommendations for future investigation.

1. As discussed in Sect. 4 of this review, the functional block FMEA approach may have been selected as an economic expedient and may not have been the optimum technique for deriving the information desired. If further ..., we recommend that a failure ... analysis of the ICS, based on equipment diagrams rather than ..., be developed, to allow assessment of the significance of multiple failures and ... functional blocks, and verification of the adequacy of the use of functional block diagrams. We are satisfied that failures within the ICS itself do not constitute a significant threat to plant safety and that further analysis of this type may not be economically justifiable.

2. The FMEA would have been of greater significance if it had been expanded to include other systems with which the ICS interacts, such as the nonnuclear instrumentation (NNI) and its power and signal sources. In particular, the analysis should have considered midscale failures and off-normal initial conditions. It is not evident that redoing the analysis at this point to include this information would be worthwhile.

3. Power supply failures have caused and are continuing to cause significant plant upsets. They should be evaluated in detail, and specific recommendations for their upgrading should be reported.

4. The simulation tools used in these studies are deficient in their dynamic range and component details. Nonetheless, they served a useful purpose. It is our opinion that more detailed analyses would not provide significantly more enlightening information for purposes of the FMEA.

6.3 Comments on B&W Recommendations

6.3.1 ICS related

Our comments on the B&W recommendations are as follows:

1. NNI/ICS power supply reliability: We concur that this is an area needing attention, going somewhat beyond supply reliability per se. Although our review of this subject has not been comprehensive, problems of system arrangement and channeling and selection of input signals appear to need improvement. In at least two plants, a single power supply failure can result in a loss of virtually all signals to the ICS. Since power supply arrangements are specific for each plant, individual attention by plants is indicated.

2. Reliability of input signals from the NI/RPS system to the ICS, specifically the RC flow signals: The background for this recommendation was not described by B&W. We concur that this subject deserves attention for the same considerations as discussed in the preceding recommendation.

3. ICS/BOP system tuning, particularly feedwater condensate systems and the ICS controls: The concern behind this recommendation may be broader than tuning. We believe that the dynamic performance of these systems should be studied in relation to the entire plant response, including the effects of control limitations, such as valve and pump-speed responses, on plant stability. Since there is a tight coupling between the secondary system which is controlled by the ICS and the primary system with its important considerations of pressure and pressurizer level, including the primary system within the ICS may be worthy of investigation as a potential control improvement.
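The power supply concern in recommendation 1 above, and the Sect. 6.2 recommendation that any further analysis be based on equipment diagrams rather than functional blocks, can be illustrated with a small dependency-graph check: a functional-block FMEA examines each input signal's high or low failure in isolation, whereas walking the equipment-level dependencies shows which single components remove several signals at once. This is an added example, not code from the ORNL review or from B&W; the plant topology, the component names (xmtr_fa, selector_1, ps_1, and so on) and the two supply arrangements are constructed and hypothetical.

```python
"""Single-failure impact on ICS input signals, equipment-level view.

Added example; the plant model is constructed and hypothetical, not a
B&W design.  Each signal lists the equipment it depends on, and each
piece of equipment may in turn depend on others (a signal selector on a
power supply).  Propagating one component failure through that graph
shows how many ICS inputs a single failure removes, which is the
common-cause effect a per-signal functional-block FMEA does not see.
"""

# Constructed topology: four ICS inputs, two selector modules, supplies.
# In SHARED_SUPPLY both selector modules hang on one power supply.
SHARED_SUPPLY = {
    "rc_flow_a":  ["xmtr_fa", "selector_1"],
    "rc_flow_b":  ["xmtr_fb", "selector_1"],
    "sg_level_a": ["xmtr_la", "selector_2"],
    "sg_level_b": ["xmtr_lb", "selector_2"],
    "selector_1": ["ps_1"],
    "selector_2": ["ps_1"],
}
# Same plant with the second selector moved to an independent supply.
SPLIT_SUPPLY = dict(SHARED_SUPPLY, selector_2=["ps_2"])


def components(deps):
    """Every node named anywhere in the dependency table."""
    return set(deps) | {d for ds in deps.values() for d in ds}


def signals(deps):
    """ICS input signals: nodes that nothing else depends on."""
    depended_on = {d for ds in deps.values() for d in ds}
    return {node for node in deps if node not in depended_on}


def is_lost(node, failed, deps):
    """A node is lost if it is the failed component or depends on a lost one.

    The dependency table is expected to be acyclic, as a wiring diagram is.
    """
    if node == failed:
        return True
    return any(is_lost(d, failed, deps) for d in deps.get(node, []))


def single_failure_impact(deps):
    """Map each component to the set of ICS signals its failure removes."""
    sigs = signals(deps)
    return {c: {s for s in sigs if is_lost(s, c, deps)} for c in components(deps)}


def single_points_of_failure(deps, min_fraction=0.5):
    """Components whose single failure removes at least min_fraction of inputs."""
    n = len(signals(deps))
    return sorted(c for c, lost in single_failure_impact(deps).items()
                  if len(lost) >= min_fraction * n)


if __name__ == "__main__":
    for name, model in (("shared supply", SHARED_SUPPLY), ("split supply", SPLIT_SUPPLY)):
        worst = max(single_failure_impact(model).items(), key=lambda kv: len(kv[1]))
        print(f"{name}: worst single failure {worst[0]} removes {sorted(worst[1])}")
        print(f"  components removing >= 3/4 of inputs: "
              f"{single_points_of_failure(model, 0.75)}")
```

In the shared-supply arrangement the failure of ps_1 removes all four inputs, the situation described for the two plants in recommendation 1; moving one selector to ps_2 caps any single failure at two inputs. The check is only as good as the dependency table, so its value lies in being built from equipment diagrams, which is the Sect. 6.2 recommendation.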


6.3.2 Balance of plant

For the balance of the plant, B&W recommends the following:

1. Equip the turbine drive in the main feedwater pump with a minimum speed control to prevent a loss of main feedwater or a loss of indication of main feedwater.

2. Install means to prevent or mitigate the consequences of a stuck-open startup valve in the main feedwater line.

3. Install means to prevent or mitigate the consequences of a stuck-open valve in the turbine bypass line.

We concur with these recommendations.


APPENDIX A. QUESTIONS AND RESPONSES


After a preliminary review of the B&W analysis, we submitted several questions to B&W to obtain an expansion or clarification of information presented in their report (Ref. 1) or to obtain other information not contained in the report which may be germane to the review. B&W invited the reviewers, NRC staff members, and representatives of the Toledo Edison and Duke Power Companies to their facilities in Lynchburg, Virginia, to hear their responses to the questions. This meeting was October 23, 1979.

The questions and the reviewers' interpretation of the responses follow. The reviewers have added some additional interpretations and observations summarized from the group discussion.

Q1.* There may be a significant difference between failure modes or conditions with an FMEA that are based on functional block diagrams rather than on equipment block diagrams. Were the functional failure assumptions compared with actual equipment failure modes to assure that they are realistic and meaningful?

R. Functional block diagrams were used to reduce the scope of the effort and allow the analysis to be accomplished in the requested time frame. As stated in their report and in discussions, B&W believes that the functional approach is adequate and that very few observations would be in error as a result of this choice.

C. An example of a possible incorrect or incomplete conclusion arising from this approach is that failure considerations of the turbine bypass valve control do not include details of whether condenser cooling is available and whether the control will be transferred to the condenser dump or to the atmospheric dump. Also not considered is operator response or interference/interaction. This example was selected because the recommendations of the B&W analysis include additional analysis of bypass valve failure.

Q2. All assumptions of ICS signal input failure appear to be either high or low, with some attempts to identify a "worst case." Some of the operable plants ... potentially can experience midscale failures. There is some evidence that some midscale failures could be worse than high or low failures, as experienced by the plant selected as typical, Rancho Seco. Are there plans for including midscale failures in the analysis and how is the validity of the analysis compromised by not including midscale failures?

R. B&W considers (1) midscale and multiple-input signal failures to be either outside the boundaries of the ICS or outside the scope of the review as determined by B&W, and (2) the high or low signal assumptions to be the worst case for single failures.

* Q, questions; R, response by B&W; and C, comment by ORNL reviewers.


C. We find no specific evidence to confirm this assumption. With regard to multiple-input signal failures, operating experience confirms that this is a highly credible event which can result from the single failure of a power supply in the NNI in the input signal selection circuitry. An example of such a failure is the Rancho Seco event of March 20, 1978. We believe that the B&W decision not to include consideration of failures beyond the actual ICS cabinet terminals is a serious shortcoming of the analysis, especially since considerable operating experience indicates that power supplies are not reliable. B&W re... NNI power supplies based on this operating experience.

Q3. Virtually all of the events/failures considered in the analysis appear to be based on nominal conditions, that is, when all plant equipment is functioning at nominal design points. Our ... information regarding the same operating experience suggests that many of the abnormal occurrences were the direct result of some plant equipment not functioning ...; for example, three primary pumps instead of four were running, one of two feedwater ... in manual, to name ... instances. Since these seem to be the more significant initial conditions for unsatisfactory ICS performance, how is their omission justified? Were any of these "interesting" events analyzed but not reported?

R. B&W did not miss any significant transients or protective system challenges by not including off-normal initial conditions. No unreported analyses were performed from off-normal conditions.

C. Since B&W did not confirm this contention, we find it difficult to support. Our evaluation of plant events involving the ICS is that the majority of these events occurred from off-normal initial conditions and/or with some function(s) of the ICS in manual or tracking modes. This experience would tend to deny their assertion.

Q4. What process was used to determine the "effect on the NSS"? Neither the technique nor the justification is included in the analysis. What verification techniques were employed for the "effects" analysis?

R. The effects were evaluated by knowledgeable people with plant ...

Q5. The POWER TRAIN IV (PT-IV) code obviously has a limited ability to simulate the NSS and BOP responses. How significant is this limitation on the analysis? In particular:

(a) Describe the extent to which the simulation was used to predict results.

(b) Describe errors and uncertainties which might have resulted from the limited dynamic range and functional detail of the simulation.

(c) Describe to what extent the simulation results were verified with plant data.


(d) Describe the extent to which the simulation was valid or invalid for each of the individual plants and their differences, especially feedwater systems.

(e) Was the simulation capable of dealing with off-normal operation, such as three primary pumps or partial manual operation?

R. PT-IV was used in about 75% of the cases to evaluate the effects on the NSS, along with supplemental "engineering judgment." This code has the following features: two steam generators modeled in continuous space and discrete time; steam lines; feedwater pumps; feedwater heaters; condenser; pressurizer; turbine dynamics; and valves. The primary system includes pump characteristics programmed from other codes as a table and appropriate transport lags (~10 s). The pressurizer modeling includes the effects of surge flows, spray flows, internal flows with condensation and flashing, heaters, and safety and power-operated relief valves. The ICS model uses a dedicated digital computer (EAI-410) and is a digital model of an analog system utilizing functional blocks. One feedwater valve model is used to represent all FW valves.

The limiting ranges of PT-IV are reported to be: primary pressure of 1500-3000 psi, secondary pressure of 500-1500 psi, temperature (primary and secondary) of 400-700°F, and feedwater temperature of 350-700°F.

The hybrid model uses two EAI-480 analog computers and one CDC-1700 digital computer. Due to computer limitations, there is not much detail of the feedwater system. A more complete model (not PT-IV) would include pump drains, flash tank levels, and condensate pumps, as well as main feed pumps. The condensate pumps have suction pressure trips that sometimes actuate when the interceptor valves close. This is not modeled. Turbine trips are the transients used to check the code with plant data. The validity of a comparison is judgmental. The model is not valid at low powers.

C. Within the limitations of the effects considered and the comparisons of the effects with plant data, we expect the results of PT-IV to be reasonably valid.

Q6. The ability of the ICS to respond to its design basis and other probable conditions is not ... design problems associated with normal operation or maneuvering. This may be outside the scope of the NRC request, and not included, unless a ... failure is assumed, but the interactions of the ICS and feedwater systems observed in operating plants indicate that this may be a valid concern. Were the design problems and component limitations associated with expected normal operation analyzed and documented? Are these analyses available?

R. B&W has no strong motivation to improve the performance of the ICS. Its utility customers have no significant unresolved complaints about the ICS.


C. Subsequent discussions with three plant owners confirm this acceptance.

Q7. Is there any connection, physical or phenomenological, between reactor protection system (RPS) sensors and ICS inputs? Which common signals, if any, initiate trip, and what is the possibility that common-signal or signal-conditioning failures could initiate a plant transient through the ICS, requiring a response of the RPS to such signals?

R. RPS signals are used by the ICS with suitable buffering. The redundancy provided in the RPS satisfies the requirements of IEEE-279.

Q8. FMEA categories for "causes," "detection," and "propagation potential" ... would yield helpful information. Has this type of information been generated and is it available?

R. Identification of component causes is not considered necessary. Detection of component failures is not warranted, considering the low failure rate. The propagation potential for failures in analog systems is difficult to predict.

Q9. The impact of power supply failures appears to be inadequately addressed, especially considering that events of much more significance than those analyzed have occurred at operating plants. How is the omission of these considerations justified, and is a more comprehensive power supply failure analysis available?

R. Power supply reliability is a problem for the customers to resolve. It is a recognized problem that must be resolved plant by plant. This is one of the principal recommendations of the report.

Q10. A significant number of trips appear to have occurred when portions of the system were in a manual mode of operation. What fraction of time is it estimated that control stations are in a manual ..., and what are the problems associated with this mode of operation of the ICS?

R. No data are available for the manual operating mode. Manual modes are judged to be used most often for startup and testing. The ICS is not designed to deal with many abnormal situations (e.g., odd alignment of equipment).

Q11. How well does historical failure data on ICS 721 and 820 compare with predictions based on nominal behavior? Is there evidence of accelerated failure?

R. A higher "burn-in" failure rate was experienced, but it has leveled off. The long-term failure rate remains level. TMI-1 and Oconee 1, 2, and 3 are 721 models. All others are 820 models.

Q12. Multiple failures are not annunciated. Therefore, uncorrected failures may exist until other failures occur, resulting in effective multiple failures. It appears that multiple failure situations may have a significant probability of occurrence. How is the omission of multiple failure considerations justified in the analysis? Might fault tree analysis have been a better technique for addressing the concerns expressed and producing the results requested?

R. The effort required to conduct a fault tree analysis is considered excessive. The FMEA report addresses failures considered to be "important."

C. The limited scope of the FMEA casts some doubt on this position.

Q13. The analysis does not include information to substantiate the B&W recommendation that improvement is needed in power supplies, signal selection, and signal reliability. Please supply the analysis or the information which led to this recommendation. In particular, does B&W have specific recommendations to improve the failure tolerance of the ICS?

R. No additional data are available.

Q14. Operating experience reports and other information not included in the analysis suggest that the ICS and the BOP system, including the OTSG, are sensitive to "tuning" and component problems, such as feedwater valve speed and leakage. Describe the extent to which these problems are significant, how they have led to ... and RPS challenges, and how they might be avoided. Are "tuning" problems inherent to this type of plant, or do they represent design deficiencies which can be corrected?

R. The adequacy of tuning is based on customer acceptance. According to Licensee Event Report statistics B&W plants have fewer total reactor trips and fewer feedwater trips than either of the other PWR types.

Q15. Many Licensee Event Reports, as well as this analysis, indicate that the operator is implicated in a large number of occurrences of poor ICS operation. Many of these events also involve slightly off-normal conditions such as nonstandard pump and valve alignment. Do these events represent design deficiency, operator or training deficiency, or a combination of these? Does B&W have recommendations to correct these deficiencies and on what schedule can they be implemented?

R. Most problems occur due to maintenance, testing, or equipment problems that require manual intervention. Also, the system is not designed for fully automatic startup.
