Other Transients Failure Modes & Effects Analysis & Rejected Sys Justification Rept, Preliminary Rept

ML20080E021
Person / Time
Site:	Browns Ferry
Issue date:	05/31/1983
From:	Baxter D, Beahm D, Bruske S EG&G, INC.
To:	NRC
References
CON-FIN-A-6477, REF-GTECI-A-47, REF-GTECI-SY, TASK-A-47, TASK-OR EGG-EA-6296-DRF, EGG-EA-6296-DRFT, NUDOCS 8402090310
Download: ML20080E021 (68)
v • d • e

Text

__ . _ _.. _ _ . . _ _ _

U f/

l EGG-EA-6296 l

MAY 1983 l

BROWNS FERRY OTHER TRANSIENTS FAILURE MODES AND t

l EFFECTS ANALYSIS AND REJECTED SYSTEMS JUSTIFICATION l

i REPORT s

D. E. Baxter D. M. Beahm S. J. Bruske Idaho National Engineering Laboratory PRELIMINARY 0::erated by the U.S. Cecartment of Energy

. , ,,e -

.3 ' . ;f5

+.

M

.; $ *".5;*

1

.h rS'., g-kb

'2 '

'3 J.N' .pr* '

.kn

• j' ~. ^,? .I ?.

1. "! $[. '

y M*Th ' " N '*I'm mer

'I J

'(y ' .%

^

, P,W 9. -, . .

. :-p- - w,g *<

pd

.my IL .-

sg m.y marmy names. um mme,

" -t- -

m _ . . . , . ' .a -- - II__ IS EP8!P='"" ME.'""" Tg. O E' ~

y- ?. ~.~**"__ $. _

• 4.~. . . .

w

"$h _, ,, ~ m- ' ' ~.7s, ~: - -

- * }it

.,4 -~sts:3lE M __._ .

.- g-~ ~==," ~~ _

M M,

',p rm4M-Z C. Th_Me._ .- .'D ..

4 ' *M Q Q- 2:" - "____

x.,,7' {'"*[, -

• M _m d, $cm. I.757.,;;

1,r(w .d 's 'h':- W YE t

Efga_e-e TT: ww Jan.WF4%s .q;N.IW.

=

0ci s N.2 .-

~

, ,.O l .

~

l l This is an informal report intended for use as a preliminary er working occument Prepared for the U.S. NUCLEAR REGULATORY COMMISSION Under DOE Contract No. DE-AC07-76ID01570 []

FIN No. A6477 EGcGio.no 8402090310 830531 PDR ADOCK 05000259 P PDR

t 9 l

l EGG-EA- 6296 9

4 l

4 1

j BROWN'S FERRY "0THER TRANSIENTS" FAILURE MODE AND EFFECTS ANALYSIS AND REJECTED SYSTEMS JUSTIFICATION REPORT

0. E. Baxter

0. M. Beahm l S. J. Bruske 4

i l

Published May 1983 i

EG&G Idaho, Inc.

i Idaho Falls, Idaho 83415

.i I

J l

Prepared for the U.S. Nuclear Regulatory Commission Under DOE Contract No. DE-AC07-76ID01570 FIN No.-A6477 I

I

g t  ?,

ABSTRACT Recently concerns dealing with the possibility that certain accidents or transients could be made more severe by control system failures or. '

malfunctions have been raised. These concerns have been document?d under Unresolved Safety Issue (USI) A-47, Safety Implications of Control Systems. This EG&G Idaho, Inc., report represents the first phase of a detailed study being performed to evaluate the effects of control system failures on anticipated transients and accidents. This first phase consists of the Failure Mode and Effects Analysis (FMEA) for the Brown's Ferry Other Transients. The FMEA has been performeo on all the major control grade systems identified in tne Brown's Ferry Final Safety Analysis Report (FSAR). This report also contains the postulated transient scenarios for the systems that have been selected for further in-depth reviews and the justification report for those systems selected as not ceing capable of creating or contributing to tne transient.

O 11

r 1 .

SUMMARY

The purpose of this study is to determine which system or systems at commercial Boiling Water Reactor (BWR) units could cause or contribute to any other transients. The other transients of concern are those transients tnat have been analyzed in the Final Safety Analysts Report (FSAR) with the 4

exception of the overfill and overcooling transients.

A study of the Nuclear Power Experiences and Licensee Event Reports for the years of 1980 to 1982 was performed in an attempt to identify all other transients of concern that have actually occurred. An independent nonmechanistic Failure Mode and Effects Analysis (FMEA) was performed on tne major centrol systems utilized at BWRs to determine which system failures or normal operations could result in any of the other transients.

The results of these reviews have indicated a need to perform in-depth detailed reviews of the major control systems to determine the total extent to which they can cause or contribute to any of the other tran.sients. The postulated basic scenarios of system failure or operation are included in this report to better define why a system has been selected for the in-depth reviews. The in-depth reviews will determine which systems will require modeling and the specific transient scenarios of concern and will be documented in a later report. .

iii

_ . . - _ _ . _ _ . . = _ _ - . _ _ _ _ _ - -_.

e, l

i i

1 .

4 FOREWORD i

1 i

i This report is supplied as part of the " Safety Implications of Control System Failures A-47" study being conducted for the U.S. Nuclear Regulatory j Commission, Office of Nuclear Reactor Regulation, Olvision of Safety j Technology by EG&G Idaho, Inc., NRC Licensing Support Section. ,

The U.S. Nuclear Regulatory Commission funded the work under the authort;:atton B&R 20-19-50-51-5, FIN No. A6477.

4 a

1 i

r iv

[

. m ,. -- . - _ - . . - . _,. -- . ,_, -

. .e.

LONTENTS ABSTRACT.............................................................. 11

SUMMARY

............................................................... iii FUREWORD .............................................................. iv

1. INTRODUCTION ..................................................... I

2. NETH00 0F ANALYSIS ............................................... 1

3. A S S U MP T I ON S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 4 SY STtM UE SC R I P T I ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

5. LONCLU510NS ...................................................... 4 APPENblX A--CRITERIA FOR SELECTANG SYSTEMS AND/uR COMPONENTS fur FURTHER REVIEW ............. ..................................... 5 APPENDIX B--0Tr.td TnANSIENTS FAILUkE MODE AND EFFtCT5 ANALYSIS ........ 11 APPENDIX C--0THER TRANSIENTS SCENARIOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 SECTION A--INCREASE PRESSURE TKANSIENTS .......................... 29 SECTION 8--INCREASE REACTIVITY TRANSIENTS ........................ 33 SECTION C--DECREASE IN REACTOR VESSEL INVENTORY . . . . . . . . . . . . . . . . . . 38 SECTION 0--DECREASE IN VESSEL FLOW RATE . . . . . . . . . . . . . . . . . . . . . . . . . . 42 SECTICN C+-IhCREASE IN VESSEL FLOW RATE . . . . . . . . . . . . . . . . . . . . . . . . . . 44 SECTION F--FREQUENCY, GPERATOR ACTION AND ENGINEERED SAFETY FtATURES TRANSIENTS ........................................ 45 APPENDIX D--BROWNS FERRY OTHER TRANSIENTS STUDY REJECTdD SYSTEMS JUSTIFICATION .................................................... 55 l

I V

I

[

.e i

j .

! OTHER TRANSIENTS FAILURE MODES AND EFFECTS ANALYSIS

1. INTRODUCTION EG&G Idaho, Inc. is technically supporting the Nuclear Regulatory Commission in their efforts to resolve the generic issue on the Safety l

i Implications of Control System Failures A-47. The concern of the A-47 study is to determine if any accidents or transients can be initiated or

! made more severe than previously analyzed as a result of control system I

failures or malfunctions. This report addresses the analysis performed to i

determine if nonmechanistic system failures have the potential to cause or contribute to the severity of any other transients. Other transients l encompasses all of the transients analyzed in the Final Safety Analysis i Report with the exception of reactor overfill and overcooling transients l which nave been addressed individually in separate reports. It also j includes acditional items of concern which include, frequency of l transients, actuation of Engineered Safety Features Systems, actuation of Reactor Protection Systems and violations of the Technical Specification 4

safety limits.

4 By use of a Failure Mode and Effects- Analysis (FMEA) and postulated scenarios, the systems are processed and placed in a further review status or rejected from further review. Systems identified as requiring 'further review will be subjected to a detailed study to determine if any mechanistic failure potential exists to cause the undesired failure. These j systems will be evaluated and if necessary will be computer modeled.

Transients of significant concern will be analyzed and the results evaluated to provide recommendations for the resolution of Unresolved l Safety Issue (USI) A-47, Safety Implications of Control System Failures.

2. METHOD OF ANALYSIS i

A Failure Modes and Effects Analysis was performed to-determine which i

systems would require more detailed analysis.

i

. 1 i

-- , - -,,.. . , ,. - - o ...

The FMEA is a qualitative analysis which identifies possible

nonmechanistic system failure modes and evaluates the effect bf the failures on plant performance relating to other transients; the FMEA tables are contained in Appendix B.

3. ASSUMPTIONS The following assumptions were utilized in this FMEA. A complete listing of the A-47 selection criteria is included as Appendix A.

Any failures which could be postulated to meet the following criteria were recommended for further review.

1. Any control grade system or component failure, either initiating or aggravating, which results in an undesired nuclear system pressure increase beyond the bounds of the present Final Safety Analysis Report (FSAR) analysis results will be recommended for further review.

2. Any control grade system or component failure, eitner initiating or aggravating, which results in an undesired positive reactivity increase beyond the bounds of the present FSAR analysis results will be recommended for further review.

3. Any control grade system or component failure, either initiating

~

or aggravating, which results in an undesired reactor vessel fnventory decrease beyond the bounds of the present FSAR analysis results will be recommended for further reoiew.

4. Any control grade system or component failure, either initiating or aggravating, which results in an undesired reactor core coolant flow decrease beyond the bounds of the present FSAR l analysis results will be recommended for further review.

l i

2

e

5. Any control grade system or component failure, either initiating or aggravating, which results in an undesired reactor core cooiant flow increase beyond the bcunds of the present FSAR analysis results will be recommended for further review.

6. Any control grade system or component failures which are projected to cause transients identified as incidents of moderate frecuency to occur at a rate significantly more frequent than once per year, or failures which are projected to cause transients identified as infrequent incidents to occur more than once during the lifetire of a plant, or failures which are projected to cause limiting faults will be recommended for further review.

7. Any control grade system or component failures which would aaversely affect any assumed or anticipated cperator action duri.ng the course of a particular transient will be recommended for further review.

8. Any control grace system or component failures whicn result in manua! or automatic actuation of engineered safety features, including the reactor protection system, will be recommended for possible further in-depth review.

I

9. Any control grade system or component failures which result in.

exceeding any technical specification safety limit will be

- recommended for further review.

Operator error was not considered as a failure mode with respect to system operation. However, system failures which could affect correct or timely operator action were identified and recommended for further review.

. s L

w

's 4 . . , .

s m L

s 3

t r.

1 i ~<

t ' t

• O.

4 SYSTEM DESCRIPTION The systems which were evaluated in the FMEA tables were extracted from the systems as identified in the Browns Ferry Final Safety Analysis Report (FSAR). The systems which were evaluated represent the major nonsafety grade systems which are used for reactor plant control. Many systems have several subsystems or support systems associated with them which were not specifically listed in the FMEA. However, failures of these systems were factored into the analysis by considering a support or subsystem failure to result in a nonmechanistic failure of the major system.

5. CONCLUSIONS Utilizing the nonmechanistic, qualitative FMEA format, 25 of the 56 major control systems indicated a need for further, more detailed review.

These systems, with a brief discussion indicating failure mode of concern, plant conditions at which the failures would be most limiting and the postulated effects of the failures are listed in Appendix C.

The remaining systems and the justification for rejection are contained in Appendix 0.

1 5

4

. _ _ _ - _- .. .. u

a .

e l

l

/

APPENDIX A CRITERIA FOR SELECTING SYSTEMS AND/0R COMPONENTS FOR FURTHER REVIEW O

f I

t h

APPENDIX A CRITERIA FOR SELECTING SYSTEMS AND/0R COMPONENTS FOR FURTH R REVIEW

1. Any control grade system or component failure (initiator) which results in an undesired increase in reactor coolant inventory beyond the bounds of the present FSAR analysis will be recommended for further review. (The Browns Ferry bounding analysis presented in the FSAR for increase in reactor coolant inventory is a feedwater controller failure-maximum demand, 115P. feedflow. The addition of feedwater is terminated 5 s after transient initiation by the reactor vessel hign water level trip.)

2. Any control grade system or component failures (aggravating failures) which are projected to produce less conservative results for reactor coolant inventory increase analysis than those presented in the licensee's Final Safety Analysis Report (FSAR) will be recommended for further review.

3. Any control grade system or component failure (initiator) which results in an undesired reactor vessel water temperature decrease beyond the bounds of the present FSAR analysis will be recommended for further review. (The limiting event for this transient in the Browns Ferry FSAR analysis is tae " Loss of Feedwater Heater (s) equivalent to a 100*F decrease in temperature." This represents the maximum .

temperature decrease obtainable through tripping or bypasc2c.g ef heaters caused by a single event.)

4. Any control grade system or component failures (aggravating failures) wnich are projected to produce less conservative reactor vessel water temperature decrease analysis results than those presented in the Itcensee's Final Safety Analysis Report (FSAR) will be recommended for further review.

5. Any control grade system or component failure (initiator) which results in an undesired nuclear system pressure increase beyond the 7

' e bounds of the present Final Safety Analysis Reoort (FSAR) analysis results will be recommended for further review. (The limiting event for this transient in the Browns Ferry FSAR analysis is the " Loss of Condenser Vacuum." This represents the instantaneous loss of vacuum anc closure of the turbine stop valves and bypass valves, therefore, all stored energy must be dissipated through the relief valves.)

6.

Any control grade system or component failures (aggravating failures) which are projected to produce less conservat,1ve pressure increase analysis results than those presented in the licensee's FSAR will be s

recommended for further review.

7. Any control grade system or component failure (initiator) which results in an undesired positive reactivity increase beyond the bounds of the present FSAR analysis results will be recommended for further review. (The limiting event for this transient in the Browns Ferry FSAR analysis is a " Continuous Rod Withdrawal During Reactor Startup." This represents the most severe case which is with the reactor just critical at room temperature and a high worth out of sequence rod is continuously withdrawn.)

8. Any control grade system or component failures (aggravating failures) which are projected to produce less conservative positive reactivity increase analysis results than those presented in the licensee's FSAR will be recommended for further review.

9. Any control grade system or component failure (initiator) which results in an undesired reactor vessel inventory decrease beyond the bounds of the present FSAR analysis results will be recommanded for further review. (The limiting event for this transient presented in the Browns Ferry FSAR is " Loss of Feedwater Flow from High Power."

This represents the maximum rate of inventory decrease due to the high steam flow rate.)

8 g -me.

6

10. Any control grade system or component failures (aggravating failures) which are projected to produce less conservative reactor vessel inventory decrease analysis results than those presented in the licensee's FSAR will be recommended for further review.

11. Any control grade system or component failure (initiator) which

~

results in an undesired reactor core coolant flow decrease beyond the counds of the present FSAR analysis results will be recommended for further review. (The limiting event for this transient in the Browns .

Ferry FSAR analysis is a " Recirculation Pump Seizure." This represents the fastest flow decrease possible through any single failure or operator action.)

12. Any control grade system or component failures (aggravating failures) wnich are projected to produce less conservative core coolant flow decrease analysis results than those presented in tiie licensee's FSAR will be recommended for further review.

13. Any control grade system or component failure (initiator) which results in an undesired reactor core coolant flow i crease beyond the bounds of the present FSAR analysis results will to recommended for further review. (The limiting event for this transient in the Browns Ferry FSAR analysis is " Recirculation Flow Controller Failure--Increasing Flow." This represents the fastest rate at which flow can be increased with the reactor power level at the most optimum level to maximize the severity of the transient.)

14. Any control grade system or component failures (aggravating failures) which are projected to produce less conservative core coolant flow increase analysis results than those presented in the licensee's-FSAR will be recommended for further review. ,

15. Any control grade system or component failures which are projected to cause transients identified as incidents of moderate frequency to occur at a rate sig'ificantly more frecuent than once per year, or failures which are projected to, cause transients identified as 9

infrequent incidents to occur more than once during the lifetime of a plant, or failures which are projected to cause limiting faults will be recommended for further review.

16. Any control grade system or component failures which would adversely affect any assumed or anticipated operator action during i un course of a particular transient will be recommended for further review, h

17. Any control grade system or component failures which result in manual or automatic actuation of engineered safety features, including the reactor protection system, will be recommended for possible further in-depth review.

18. Any control grade system or component failures which result in exceeding any technical specification safety limit will be recommended for further review.

r 10 _,

APPENDIX B OTHER TRANSIENTS FAILURE MODE AND EFFECTS ANALYSIS a

11 l

i

I

'e APPENDIX B. OTHER TRANSIENTS FAILURE MODE AND EFFECTS ANALYSIS Applicable A-4 7 Selection System System function Systee Failure Mude Criteria Effect c,f Failure JApp. A)

1. Reactor Decirculation System Controls flow through the A. Hsgh flow rate. A. Failures of this type have the poten. 5, 6, 7 reactor vessel and thereby controls reactor power. 1848 to meet or esceed one er more of the 8, 13, 14 ,

Selection criteria established for other 17 transients or undesired situations.

8. L N flow rate. 8. Fallures of this type have the poten. 9, 10, ll, tial to meet or esceed one or more of the 17, 15. 17 selection criterla estabitsbed for other transients or undesired situations.

?. Ituclear System Pressure Beller provides the required overpres-System A. Inadvertent opening of a A. Failures of this type have the poten- 9, 10, 13, sure protection for the nuclear rellar or safety valve. tial to meet or enceed one or more of the 14, 15, 17

, supply system.

selection criteria established f or other truslents or undesired situations.

B. Failure to open when 8. Fallurfs of this type have the poten- hone g required to relieve excess w pressure. llal to meet or esteed one or more of the selection criteria estabitshed for other transients or undesired situations but should not as the systee is stfety grade and redundant.

3. Itain Steam Line Isolation Provides isolation of the A. Inadvertent ladividual A. Failures of this type have the poten- 5, 6, 7 Valves reactor vessel from the valve closure. Llal to meet or esceed one or more of the 8 II, 12, reealader of the steam system.

selection criteria established for other 17 transients or undesired situations.

8 Iradvertent ladividual 8. Failures of this type should not have ,Ilone .

valve opening or failure to the potential to meet or esceed any of close upon demand.

the selection criteria estabilshed for other translents or us. desired situations.

8 Reactor Core Isolation and Provides makeup water to the A. Failure to provide the Standby Cooling Systems A. Failures of this type have the poten. 9, 10, 15, reactor vessel from various required makeup water when sources whenever the vessel is necessary. tial to meet or exceed one or more of the 17 isolated. selection criteria established for other transients or undesired situations.

8. Inadvertent initiation of B. Failures of this type have the poten- 5, 6, 7 makeup water uhen not necessary. tial to meet or esceed one or more of the 8, 17 telection criteria estabilshed for other

. transients or undesired situations.

O

__- _ ____u _ ___________'

- ~,

g g 1.PPENDIX 8. (cofitinued)

Applicable A-4F 5 election Crlteria System Systee Funct8on System f ailure stade fifect of Fallure (App. A)

!.. Residual steet Removal System Provides for heat renovel free A. Failure to supply the A. Faltures of this type should not have bee the primary system during required heat removal. the potential to meet or enceed any of morawl, shutdown and accident the telection crite. la established for condit ions. ether transients or undesired situations as the systee is safety grade and redundant.

8. Provide eacessive heat 5. Tallures of this type should not have lione removal or heat removal idhen the potential to meet or exceed any of not required. the selection criterla estabilshed for other transients or undesired situations as the system is safety grade and redundant.

(. . Reactor Idater Cleanup System Frovides feltration and son A. f ailure to provide water A. Failures of this type should not have lione enchange to calatain the reactor cleanup or letdown flow the potential to meet or enceed any of ea mater purity. Also serves as a when required. the selection criteria established for

• 1eidoun path for encess coolant other transients or undesired situations.

during reactor startup.

8. Provide mater ci.anup or 3. Failures of this type have the poten- 9. 10 letdown flow when not required. Llal to meet or esceed one or more of the selection criteria established for other transients or undesired situations.

i. Pr6 mary Containment System and Provides automatic isolation of A. Fallare to af fect isolation A. Fallures of this type should not have kne Reactor Vessel Isolation the primary system and reactor when required. the potential to meet or enceed any of I

• Control System vessel to prevent a release to the selection criterla established for the environs. other transients or undesired situations as the system is safety grade and redundant.

8. Inadvertent isolation when 8. Failures of this type should not have leone ,

not required. the potential to set or eaceed any of the selection criteria established for other transients or undesired situations as the system is safety grade and redundant.

I

i 4

/.PPENDIX 8. (continued)

Applicable A-47 Selection j stem System Function System Fallure n>de Criteria Ef fect of Failure JApp. Al l' . Secondary Containment System Provides backup isolation to the A. Fallure to affect isolation primary containment to prevent A. Failures of this type should not have None when required. the potential to meet or exceed any of releases to the environs. the selection criterla established for other transients or undesired situations as the system is safety grade and redundant.

8. Inadvertent isolation when 8. Failures of this type should not have None not required, the potential to meet or exceed any of the selection criteria estabilshed for other transients or undesired situ.tlens as the system is safety grade and redundant.

9 Reactor Protection Systen Provides protection to the A. Failure to provide the reactor system and fuel from A. Failures of this type should not have None required trips, the potential to meet or enceed any of g damage due to cut of tolerance un conditions, the selection criteria established for other transients or undesired situations as the system is safety grade and redundant.

8. Inadvertent trips when not 8. Fallures of this type have the poten- None required.

e tial to meet or exceed one or more of the selection criteria established for other transients or undesired situations .s the system is safety grade and redundant.

10. Core Standby toollag Control Provides protection from excess A. Failure to inttlate coollag and Instrumentation System fuel clad temperatures la the A. Failures of this type have the poten- 15, 17 of the core when regulred. tial to meet or esteed one or more of the event of a breach in the nuclear process barrier that results in selection criteria established for other a loss of reactor coolant. transients or undesired situations.

8. Failure to terminate cool- 8. Failures of this type have the poten- 7. 8, IS, Ing of the core when required tlal to meet or escoed one or more of the li or inadvertent initiation of selection criteria established for other cooling systems when not transients or undesired situations.

required.

/.PPENDIX B. (continued) ,

Apolic ole A-4 7 5elec tion Criteria System System Function System Failure nide f f tect of f ailure A . A) ll,lieutron leunitoring Systee Munitors the neutron flus level A. InJlcate higher than actual A. Fallures of this type shneld not have None of the rea(tor core over the le vel, the potential to eret or esceed one or range of shutdown to full power, more of the selection criteria estab-lished for other transients or undesired situations as the systee is safety grade and redundant.

8. ladicate lower than actual 8. Failures of this type should not have mane level. the potential to meet or esteed one or more of the selection criteria estab-Ilshed for other transients or undesired situations as the systee is safety grade and redundant.

17. Befueling laterlocks Systen Restricts the movements of A. Iallure to restrict move- A. Fallures of this type have the poten. 7, 8, 15 refueling egulpment and control cent a W n requ ked. tial to meet or esceed one or wre of the rods during refuellnq to prevent selection criteria established for other

$ a criticality. transients and undesired situatinas. *

B. Fallure to allow movements 8. Failures of this type should not have hone l uhen required. the potential to meet or exceed any of the selection criteria established for other transients or undesired situations.

II. Reactor Manual Control and Provides the means to manipulate A. Inadvertent rod withdrawal A. Fillures of this type have the poten- 5, 6. F.

i. Control Rod Drive Systems the control rods for gross or ejeCilon. Lial to meet or eaceed one or sure of the 8. 15, reactivity control. selection criterla establist.ed for other I?

transients or u,1 desired sitgations.

. 5. ImaJvertent rod drop. B. Failures af this type have the poten- 15, 11 1 tial to meet or esceed one or nose of the I

• selection criterla established for other transients or undesired situations.

14. Reactor vessel Instrumentation Punitors and transmits informa. A. Iransmits or indicates A. Failures of this type have the poten- 16 System tion concerning the conditions higher than actual Conditions. tial to meet or enceed one or more of the ulthin and of the reactor selection criteria established for other vessel. transients or undesired situations.

B. Transmits or udicates lower 8. Failures of this type have the poten- 16 i

than actual condle tons. tial to meet or enceed one or more of the I telection criteria establisheJ for other transients or umlestred situations.

y .

IPPENDIX 8. (continued)

Applic able A.47 Selection System Sy. tem function Criteria

. ___ System Fallure pode Effect of failure _LA.22 AI ,

15. Feeduater Centrol System Provides the necessary signals A.

to maintain the required feed.

liigh flow rate. A. Failures of this type have the poten. 1, 8, 17 flow to maintain proper reactor tial to ineet or esteed one or more of the vessel level, selection criteria established for other transients or undesired situations.

8. Low flow rate. 8. Failures of this type have the poten. 9, IO, 17 tial to meet or enceed one or move of the selection criteria established for other translents or undesired situations.

16. Pressure Regulator and Provides the necessary control A. Inadvertent opening of furbine Generator Control A. Fallures of this type have the poten. 9, 10, 17 System to maintain the turbine load and tw bine governor or bypass Llan to meet or enceed one or more of the reactor pressure at prescrit.ed valves when not required. selection criteria established for other levels, transients or undesired situations.

8. Inadvertent closing of S. Failures of this type have the poten. 5, 6, 7, N turbine governor or bypass tlat to meet or esteed one or more of the 8, 17 i valves when not regulred. selection criteria established for other transients or undesired situations.

17. Process Radiation Ihnitoring Ilonttors various lines for A. Indicates higher than actJat A. Failures of this type should not have stone

.5ystem

' radioactive materials released levels of radiation. the potential to scet or esceed any of to the environs la process the selection criteria established for liquids and gases, other transients or undesired situations.

8. Indicates lower than actual 8. Failures of this type should not have lione levels of radiation, the potential to meet or esceed any of the selection criteria establisi.ed for other transients or undesired situations.

18. Area lladiation Monitoring Mnnitors for radiation at A. Indicates higher than actual A. Failures of this type should not have lione System various locations within the levels of radiation. the potential to meet or enceed any of reactor building. turbine building and radwaste building the selection criteria estabitshed for Other translents or undesired situations.

8. Indicates Power than actual 8. Failures of this type should not have lione levels.af radiation, the potential to meet or esceed any of

• the selection criterla established for other transients or undesired situations.

1.PPENDIX 8. (continued)

Applicable A.47

' Selection Sysy System function Criteria System f ailure 86>de __ fifect of failure D. A)

19. Site (avironsental Radiation Munitors for natural and other A. Indicates higher than actual A. f ailures of this type should not have flone Monitoring System radiation badground levels levels of radiation, outsida the plant.

the potential to meet or estead any of the selection criteria estabilshed for other transients or undesired situations.

8. Indicates lower than actual 8. f ailures of this type should not have hone levels of radiation, the pntential to meet or eaceed any of the selection Criteria established for other transients or undesired situations.

70. Health Physics tab Radiation Monitors for abnormal radiation A. Indicates higher than ar.tual A. f ailures of this type should not have Mode

.I N itoring System levels within the health physlCs radiation levels, the potential to meet or esteed any of lab. the selection criterla established for other transients or undesired situations.

8. Indicates lower than actual 8. Failures cf this type should not have Ilone g

03 radiation levels. the potential to meet or esteed any of the seier.tlon criteria established for other transients or undesired situations.

71. Process Computer System Monitors and records process A. Provides higher than actual verlebles and provides certain A. failures of this type have the poten- 16 outputs, analyt ic al comput at ions. llal to meet or esteed one or more of the t seter. tion criteria established for other transients or undesired situations.

8. Provides lower than actual 6 Failures of this type have the poten- 16 outputs, tial to meet or enre*d one or more of the select 6nn criteria established f or other transients or umfesired situations.

, 72. Sadeo Contral System Provides the capability to A. Inability to shut down flee A. f ailures of this type should not have Ilone

shut down the reactnr and reactor or start up the the pntential t.) aret or eeceed any of operate emergency systems emergency systems from res te the selection criters. established for from outside the control room locations, other tr ansients or ur6Jt

s tred situation *.

In the event the control rnos amist be evacuated. 8. Inadvertent shutdown of the 8. f allores of this type have the poten- 5. 6, 7 reactor or startup of emer- tlal to meet or esceed one or more of the 8. 15, genry systems from rem te incations, selectism critarla established for other 17 transients or undesired situations.

s e

/.PPENDIX 8. (continued) '

Applicaole A-47 Selec t ion Systese Sys tem f unc t ion Criteria '

System Failure Nde Ef fect of f ailure JApp.Al M. Diest 4 Cenarator Systems Provides the accessary services A. Fallures that prevent the A. failures of this type should not have bne to ensure the diesel generators diesels from starting. the potential to meet or exceed any of are capat$le of coming on line and supplying electrical power. the selectlen criteria established for other transients or undesired situations as the system is safety grade and redundant.

s. Failures that cause inad- 8. Failures of this type should not have Isone vertent startup of the the potential to meet or esceed any of diesels. the selection criteria established for other transients or undesired situations as the systee is safety grade and redundant.

F4.~ llonel Ausillary Power System Provides the power sources for A. Failure to provide the the unit austilarics through A. Failures of this type have the poten- Isone y- list e: Failures are evaluated varices transformers, required power to the unit emaillaries. ital to meet or enceed one or more of the within Individual systems. selection criteria established for other transients or undesired situations.

15. Standby AC Power Supply System Provides an emergency supply of A. Failure to provide the A. Failures of this type should not have leone electrlcal power to emergency regelred power to the the potential to meet or esceed any of Ilote: Failures are evaluated and safety equipment. . designated equipment.

within ladividual systems. the selection criteria established for other transients or undesired situations.

76. 250 v 90 Power Supply Systee' Provides the power source for A. . Failure to provide the the engineered safety features A. Failures of this type should not have finne required power to the the potential to meet or esceed any of Ihte: Failures are evaluated within ladividual systems. of une unit and the safe shut- . desipated equipment. the selection criterla estabIlshed for

' down Icads of the other two ,

un it s. other transients or undesired situations.

77. 120 V AC Power Supply System Provides power to egulpeent . A. Failure to provide the A. Failures of this type should not have leone through, (a) 170 V lastrument required power to the

.. Ilote: Failures are evaluated and control power, (b) plant the potential to meet or esceed any of

within ladividual systems. designated equipment. the selection criteria established for

. preferred and nonpreferred 120 V system and (c) unit other transients or undesired situations.

preferred 120 V system.

20. Ausillary DC Power Supply Provides 48 y power to the plant' A. Failure to provide the System communications and annunciator required power to the A. Fallures of this type have the poten- 16 systems during all omdes of des 6gnated equipment.

tial to meet or esceed one or more of the operation. ..

Selection criteria established for other translents or undesired situations.

IPPENDIX 8. (continued) i AppIlcable A.41 Selec t ion Criterla

. ty tes System function Systee failure ble Ef fect of f ailure _(App. A)

79. tleald ses aste Systee ProwlJes for the collection and A. Failure to provide the A. Failure of this type should not have None storage of the liquid radmaste required collection disposal the potentist to meet or esteed any of generated at the unit. Storage of liquid raJmaste. the selection criteria established for other transients or undesired situations.

30. Solid madmaste System Provides for the collection. A. Failure to provide the ' A. Failures of this type should not have None storage and disposal of the required collection, storage or the potential to meet or esteed any of solid redwaste generated at the disposal of solid redwaste. the selection criteria established for unit.

other transients or undesired situattws.

31. Gaseous Radwaste System Provides for the collection, A. Fallure to provide the A. Fallure of this type should not have None storage and disposal of the required collection, storage or the potential to meet or esceed any of gaseous radweste generated at disposal of the gaseous the selection criterla established for the unit. radmaste generated at the other translents or undesired situations.

un it .

ro 32. New fuel Storage System Provides for the dry storage of A. Fallure to store the fuel A. Failures of this type shculd not have None O

new fuel until ready for safely and effectively. the plential to meet or esteed any of loadlag. the selection criterla established for other transients or undesired situations.

33. Spent fuel Storage Systee Provides for the storage of A. Failure to store the spent A. Failures of this type should not have None spent fuel until ready for fuel safely and effectively. the potential to meet or esteed any of shipment.

the selection criteria established for

. other transients or undesired situations.

34. Fuel Pool Coollag and Cleanup Provides for water cleanup and A. Failure to maintain water A. Failures of this type should not have None System cooling of the spent fuel pool, leaperature or purity the potential to meet or esteed any of requireernts, the selection criteria established for other transients or undesired situations.

M. Reactor Building Closed Provides cooling water to 4. toss of cooling water to A. Failures of this type should not have None .

, Cooling llater System designated availlary plant designated equipment. the potential to meet or esceed one or 8

equipment during both normal and sure of the selection criteria estab.

emergency conditions, lished for other translents or undesired situations as the system is safety grade and redundant.

8. Estessive cooling water to 8. Failures of this type should not have None designated equepsent. the potential to mest or esteed any of the selection criterla established for other transients or undesired situations as the system is safety grade and redundant.

l.PPENDIX 8. (continued)

Appil:able A-47 l Selection Criteria .

J stem System function System Failure m>de Effect of failure JApp.A)

.4. Raw Cooling Water System Provides cooling water to the Loss of cooling water A. A. Fallures of this type have the poten- 9. 10 RSCCW system and the turbine flows, tial to meet one or more of the selection l

I associated equipment. criteria established for other transients '

or undesired situations.

8. f acessive cooling water 8. Fallures of this type should not have None flows, the potential to meet or esteed any of the selection criterla established for other transients or undesired situations.

31. Raw Service Water System . Provides coollag water to A. loss of cooling water A. Failures of this type should not have None miscellaneous plant equipment flows. the potential to meet or esteed any of and yard watering supply. the selection criteria established for other transients or undesired situations.

8. Excessive cooling water 8. Fallures of this (FPe should not have None ro flows. the potential to meet or exceed any of M

the selection criteria established for other transients or undesired situations.

34. RNt Service Water System Provides cooling water to the A. toss of cooling water A. f ailures of this type should not have None Rift system and the emergency flows. the potential to meet or esceed any of equipment coollag water system. the selection criterla established for other transients or undesired situations as the system is safety grade and redundant.

8. Escessive cooling water 8. Tellures of this type should not have None flows. the potential to meet or enceed any of the selection crit *erla estabitshed for other transients or undesired situations as the system is safety grade and redurulant .

L___ -

1.PPENDIX 8. (continued)

Applicable A-47 Selection y

S stem System fu jnc le,n System f ailure Made Criteria Effect of failure _(App. A)

39. (mergency Equipment Coollag Provides cooling water flows to 4. Loss of cooling water Water System essential equipment during A. Failures of this type should not have None flows. the putential to meet or esteed any of accident situations.

the selectlen criteria established for other transients or undesired situations as the system is safety grade and redundant.

8. Escessive coollag 8. failures of this type should not have hone flows, the potential to meet or esteed any of the selection criteria established for other transients or undesired situations as the system is safety grade and redundant.

80. Fire Protection System Provides the plant with the A. failure to provide the required fire protection and A. Failures of this type should not have None necessary fire protection, the potential to meet or enceed any of go fire combatants, to the selection criteria established for other transients or undesired situations.

B. Inadvertent actuation. 8. Falluees of this type should not have leone the potential to meet or enceed any of the selection criteria established for other transients or undesired situations.

f l. lleating, Ventilation and Provides the plant with the A. f ailure to provide Air Conditioning Systems nec ssary heating, ventilating A. Fallu es of this type shnelJ not have None

. sufficient H&V or air condl- the pnterellal to seet or escred any of and air conditioning. Llaning, the selection (rlteria established for other tr ansients or undesired sit sat 6uns.

B. Providing escessive it4V or B. f ailum of this type should not have None air conditioning. the potential to meet or esceed any of the selectinn criteria established f or .

Other transients or undesired situations.

i?. De.sinerallied Water System Provides the necessary deelnera. A. Failure to provide the lized water for plant makeup A. f ailures of this type shnold not have None necessary quantitles of the potential to meet or esteed any of and other uses, deminerallied water.

• the selection criteria established for other transients or undesired situations.

5. Failures resulting in an B. Failures of thIs type should not have None entessive annunt of deelnera- the potential to meet or enceed any of Ilred water being supplied. the selection criteria estabitshed for other transtents or undesired situations.

l s.

I.PPENDIX 8. (continued)

Applicable A.4 i Selettion Criterla Sgtem System function System failure stule Effect of failure _{ App.A) 8 3. Control and Service Air SuppIles air to all pneumatic- A. Control air pressure falls A. Failures of this type have the poten- None Systems (NOIE: A ir ally operated instruments, low, j tlal to meet or esceed one or more of the pressure f ailures are controls, and control valves. selection criteria established for other evaluated within ladividual translents or undesired sltuations but systems in Jepth studies.) are analyzed within the ladividual systems.

8. Control alr pressure falls 8. Failures of this type should not have None high. the potential to meet or exceed any of the selectlan criteria estabilshed f or other transients or undesired situations.

1. 4. Potable Water and Sanitary supplies drinking water and A. toss of flow. A. Failures of this type should not have None System water to bathrooms. the potential to meet or enceed any of the selection criteria established for to other transients or undesired situations.

W t l 8. High flow. 8. Falleres of this type should not have None  !

the potential to meet or esceed any of the selection criteria estabilshed for other transients or undesired situations.

85. (quipment and floor tralmage Collect and remove all noncon. A. Failure to provide the A. Fallures of this type should not have None System taelnated liquid wastes from required collection, and the potential to meet or exceed any of the plant, removal of Ilquid wastes free the selection criteria established for the plant, other transtents or undesired situations. ,

86. Process Sampling System Sample process Ilquids and gases A. Sample system valve (s) f all A. Failures of this type should not have None

• j to determine plant performance. open. the potential to meet or esceed any of '

the selection criteria established for other transients or undesired situations.

8. Sample system valve (s) fall 8. Failures of this type should not have None closed, l

the potential to meet or enceed any of j the selection criterla established for other transients or undesired situations. j

87. Plant Connianicatlans System Provide laterplant and intra. A. Systee failure. A. Fallures of this type should not have None plant commanications.

the potential to meet er esceed any of j the selection criteria estabitshed for

, other translents or undesired situations.

I k

l o _

I.PPENDIX B. (continued)

Applicable A.47 Selection Systee System Function System Failure m de Criteria fifect of Fallure 1 App.A)

88. t.lghting Systees provide lighting for plant A. System failure. A. f ailures of this type should not have none operation, the potential to meet or esteed any of the selection criteria estabilshed for other transients or undesired situations.

49. Aunillary daller System Supplies building heat and A. tow steam pressure. A. Failures of this type should not have None steam for systees testing prior the potential to meet or esteed any of to or during startup.

the selection criteria established for other transients or undesired situations.

(System used only during los temperature or low power operations to supply air ejectors and seal steam.)

8. High steam pressure. 5. Failures of this type should not have Nane g

the potential to meet or exceed any of

> the selection criteria established for other transients or undesired situations.

(System used only during low temperature or low power operations to supply air ejectors and seal steae.)

!4. Turbine Generator System Utillaes steam produced in the A. Transient power increase. A. f ailures of this type have the poten- 9. 10. II (See System 16 for Iurbine reactor to produce electric

! . Generator Control System) power, tlat to meet or esceed one or sure of the selection criteria established for other transients or undesired situations.

i B. Transient power decrease. S. Failures of this type have the poten- 5. 6. F.

l I tlal to meet or enceed one or more of 8. 17 l the selection criterla established for

- other transients e

• undesired situations. .

l ,

b b

f.PPENDIX B. (continued)

Applicable A.47 Selec t ion System System Function Criteria System Failure M>de fifact of Failure

51. Mala 5tese Systee JApg.1 Dellver steam from the acactor A. Steam flow falls high.

System to the Main, RIP, HPCI, A. failures of this type have the poten. None and RCIC tuvbtnes as well as llal to meet or esceed one or more of the aualliary steam loads, selection criteria established fur other transients or undesired situations but are caused by some other component con-netted to the main steam system and are evaluated within those systems.

8. Steam flow f alls low. 8. Failures of this type have the poten- skme lla) to meet or exceed one or an>re of the selection criteria established for other transients or undesired situations but are caused by some other component con-nected to the main steme system and are ,

evaluated within those systems.

g  !.2. Main Condenser System Provides a heat sink for the 4. loss of condenser vacuum. A. failures of this type have the poten- 6, 6, cri steam leaving the turbine 7, generator during power tlat to meet or enceed one or nuire of the 8, 17 operations. selection criterla established for other tramstents or undesired situations.

8. Increased condenser 8. failures of this type should not have None vacuum.

the potential to meet or enceed any of the selection criteria established for other transients or undesired situations.

• !d. Turbine Sypass System Provides a bypass around the A. Bypass valve (s) fall open.

turbine directly to the con- A. failures of this type have the poten- 9, 10, 17 denser for steam flow. tial to meet or exceed one or more of -

the selection criterla established for other transients or undesired situations.

8. Oypass valve (s) fall 8. Failures of this type have the poten- 7, 8. 17 closed.

tlal to meet or enceed one or more of the selection criteria established for other transients or undesired situations.

!.4. Condenser Circulating leater Provides a heat sink for con-Systes A. Circulating water flow A. Tallures of this type have the poten- 5, 6, densing asiused steam free falls low. 7, power generation. tlat to meet or exceed one or more of the 8, 17 selection criteria established for other transients or undesired situations, a

8. Circulating water flow 8. Failures of this type should not have hone falls high. the potentlal to meet or exceed any of the selection criterla established for other transients or undesired situations.

1.PPENDIX 8. (continued)

Applicable A.41 Selection

__ 5ystee System Function Criteria System f ailure M>de _(App. A)

Fifect of Fathe t5. Condensate and Reactor Provides feedvater to the A. Feedvater/ condensate flow feedwater System (See A. Failures of this type have the poten- 7, 8, 17 reactor; condensate storage falls high. tial to meet or esteed one or more of the System 15 for feedwater emd transfer.

Control Systeel selection criterla established for other transients or undesired situations.

S. Feehater/ condensate flow S. Failures of this type have the poten- 9, 10, 17 falls low. tlal to meet or esteed one or more of the selection criteria established for other transients or undeslred situations.

f 6. StanJby tiquid Control System Provides a backup method to A. Falls to actuate when A. Fallures of this type should not have leane ede the reactor subcritical. required. the potential to meet or esteed any of the selection criteria established for other transients or undesired $ltuations as the system is safety graJe and redunJant.

$ B. Inadvertent actuation. B. Failures of this type have the poten- Blone ,

tial to meet or escced one or more of the selection criteria established for other transients or undesired situations but the contribution would be insignifi-cant.

e e

8 I

l l

l l

l l

[

O APPENDIX C OTHER TRANSIENT SCENARIOS O

9 27

APPENDIX C OTHER TRANSIENT SCENARIOS SECTION A--INCREASE PRESSURE TRANSIENTS

1. Reactor Recirculation System Failure Mode: High flow rate Plant Condition: Any power level Discussion: The increased flow rate will cause reactor power to increase, thus causing heat input to exceed heat removal and pressure will increase.

2. Main Steam Line Isolation Valves Failure Mode: Inadvertent individual valve closure Plant Condition: High power level Discussion: The inadvertent closure of a main steam isolation valve will cause pressure to increase due to reduced heat removal with the same or higher power level.

3. Reactor Core Isolation and Stancby Cooling Systems Failure Mode: Inadvertent initiation of makeup system Plant Condition: Any power level 29

I io Discussion: Inaavertent startup of HPCI or RCIC would cause a

. power increase due to cool water infection with a resultant pressure increase which could exceed a pressure limit.

4 Reactor Manual Control and Control Rod Drive System Failure Mode: Inadvertent rod withdrawal or ejection Plant Condition: Any power level Discussion: Inadvertent rod withdrawal or ejection could cause a power increase and resultant pressure increase transient due .s increased heat input.

5. Pressure Regulator and Turbine Generator Control System Failure Mode: Inadvertent closing of turbine governor or bypass valve Plant Condition: High power level Discussion: Inadvertent closure of a turbine governor or bypass valve could cause a pressure increase due to the reduced steam flow from the reactor and the void depression may cause a power increase which could also increase pressure.

6. Backup Control System Failure Mode: Inadvertent startup of an emergency system Plant Condition: Hign power level 4

! 30 i

1 l

1 l

Discussion: Inadvertent startup of HPIC or RCIC from a remote location could cause a power increase with a resultant pressure increase.

7. Turbine Generator System Failure Mode: Transient power decrease Plant Condition: High power level Discussion: Failures of systems or components which can result in a trip of the turbine generator (i.e.) closure of the turbine control valve, could cause a rapid increase in reactor pressure because of the decrease in steam flow from the reactor.

B. Main Condenser System Failure Mode: Loss of condenser vacuum Plant Condition: High power level Discussion: The loss of main condenser vacuum may result in an overpressure transient since the loss of vacuum causes a trip of the turbine generator system by closing the turbine and bypass system valves which reduces the steam flow from the reactor.

9. Condenser Circulating Water System Failure Mode: Circulating water flow fails low Plant Condition: High power level r

l 31 l

i I

~

L

i r

i i

4

{

l Discussion: Failure of the condenser circulating water flow may cause or contribute to an overpr' essure transient as this failure would cause a loss of 4

condenser vacuum which in turn causes a trip of

'_ the turbine generator system as described above l i

under Main Condenser System.

i 4

i

+

i i

I I

i

+

t i

j t

t I

I i

32

l l

I o p . - -y ee-- -

,w e -+.,-g-,~,.~.g , s-g ,wv.,--,v., , , = - , -,n.m,+r,-# # . , - < ,[% - r.---

SECTION B--INCREASE REACTIVITY TRANSIENTS

1. Reactor Recirculation System Failure Mode: High flow rate Plant Condition: Any power level Discussion: The increased flow rate could cause a positive reactivity insertion with a subsequent power increase. The reactivity insertion could exceed the present FSAR analysis.

2. Main Steam Line Isolation Valves Failure Mode: Inadvertent individual valve closure

, Plant Condition: Any power level Discussion: Closure of an indivicual vah a may cause a pressura increase, voids to callaps,e and positive reactivity could increase thereby causing power to

• increase.

3. Reactor Core Isolation and Standby Cooling Systems .

Failure Mode: Inadvertent initiation of makeup when not required Plant Condition: Any power level Discussion: Initiation of one or more makeup systems may.cause the core water temperature to be recoced which could cause voids to collapse and positive reactivity to increase thereby causing oower to increase.

33

N y =

s 4 Core Stancby Cooling Cont ql and I'nstrumentation System Failure Mode: Icadvertent initiation wnen not required 3

Plant Condition: Any power level Discussion: Initiation of on or more makeup systems when not required could cause a collapsing of voids and a positive reactivity increase. This in turn could cause a power incr' ease.

5. Refueling Interlocks System Failure Mode: Failure to restrict movements when required Plant Condition: Shutdown--Refueling h Discussion: Failure of the system to restrict fuel mavements could cause the positive reactivity addition to exceed allowable limits. N N

6. Reactor Manual Control and Control Rod Drive System Failure Mode: Inacvertent rod withdrawal or efection Plant Condition. Any power level "

Discussion: Inadvertent withdrawal and rod ejections could add positive reactivity to the reactor and may exceed the allowable insertion rate limi*.s.

7. Reactor Vessel Instrumentation System Failure Mode: Transmitsorfindicatesiowerthanactuallevel

'*t x 4

34

\

() -

g' \ .

f Q y ,.e <*

__r_.__ _ - - - - - - - - - - - - - -

Plant Condition: Any power level Discussion: If the inst umentation system were indicating lower than actual level tne feed system would attempt to bring level to normal. The increase feed flow would collapse voids causing a positive reactivity insertion and a power increase.

8. Feedwater Control System Failure Mode: High flow rate Plant Condition: Any power level Discussion: Higher than required feed flow could cause a cooling of the reactor vessel water, collapsing of voids and a positive reactivity insertion. This could exceed reactivity insertion rate limits.

9. Pressure Regulator and Turbine Generator Centrol System Failure Mode: Inadvertent closing of turbine governor or bypass valve Plant Condition: Any power level .

Discussion: The inadvertent closing of a turbine governor valve could cause the pressure to increase, the voids to collapse and power to increase due to the positive reactivity increase. This could exceed a reactivity insertion rate limit.

10. Backup Control System Failure Mode: Inadvertent startup of emergency systems 35

____J

v Plant Condition: Any power level Discussion: The inadvertent startup of an emergency makeup system could cause void collapse and positive reactivity insertion due to the introduction of .

cooler water. Power would increase and the reactivity insertion rate limit could be exceeded.

11. Turbine Generator System Failure Mode: Transient power decrease Plant Condit;on: Any power level Discussion: A transient power decrease has the potential to cause a reactivity increase by decreasing the flow of steam from the reactor which causes coolant voids to decrease and this causes a reactivity increase.

12. Main Condenser System Failure Mode: Loss of condenser vacuum Plant Condition: High power level b

Discussion: A loss of condenser vacuum would cause steam flow from the reactor to decrease. This will cause voids to collapse and positive resctivity to increase. The reactivity insertion rate could exceed allowable limits.

13. Turbine Bypass System Failure Mode: Bypass valve (s) fail closed-Plant Condition: Any power level 36 m _

_ ________________.____u____._._____._ _

Discussion: While discharging steam to the main condenser through the bypass valve (s), if the valve (s) fail closed, this causes steam flow to decrease, and steam pressure to increase which causes voids to collapse in the reactor and a positive reactivity increase which could exceed allowable limits.

14 Condenser Circulating Water System Failure Mode: Circulating water flow fails low Plant Condition: High power level Discussion: A failure of the circulating water system flow while at high power could result in a positive reactivity increase since the loss of flow would cause a loss of condenser vacuum, steam flow would decrease, pressure would increase and voids would collapse and power would increase.

15. Condensate and Reactor Feedwater System Failure Mode: Feedwater flow fails high Plant Condition: Any power level .

Discussion: A failure in the feedwatee system that causes an inadvertent increase of feedwater flow has the potential to cause an overcool transient which could cause a positive reactivity increase.

4 37

l' -

____m_ _ ____ _.-__m____ __ ____._-.m.___m - _ __ .m_ - _ ____

SECTION C--DECREASE IN REACTOR VESSEL INVENTORY

1. Reactor Recirculation System Failure Mode: Recirculation Pump Seal Failure Plant Conditions: Any power level

]

Discussion: The failure of the recirculation pump seals will cause a loss of vessel inventory and if the failure occurs in conjunction with another failure could result in a transient that exceeds the loss t of coolant accident analysis.

2. Nuclear System Pressure Relief System Failure Mode: Inadvertent opening of a safety or relief valve Plant Condition: Ar.y power level Ofscussion: The inadvertent opening of a safety or relief

, valve will cause reactor vessel inventory to be exhausted to the torus or containment and the vessel inventory could deplete ceyond allowable low level limits. .

3. Reactor Core Isolation and Standby Cooling Systems Failure Mode: Failure to provide makeup when required Plant Condition: Any power level Discussion: Failuru of the system to' provide the required makeup water could allow the inventory to decrease below the allowable limits with possible subsequent cura damage.

38 9

. -- - --- -. _ = _ ._ -.

4 Reactor Vessel Instrumentation System Failure Mode: Transmits or indicates higner than actual level

, Plant Condition: Any power level Otscussion: Transmittal or indication of higher than actual level conditions could cause the feed system to decrease flow and inventory to deplete to less than allowable inventory limits.

5. Feedwater Control System Failure Mode: Loss of or low feedwater flow rate i

Plant Condition: Any power level Discussion: Loss of feedwater flow at high power level could cause a rapid loss of vessel inventory. If the vessel level is low at the onset of He transient allowable level limits could be exceeded.

6. Pressure Regulator and Turbine Generator Cor. trol System

Failure Mode: Inadvertent opening of a turbine governor or ,

bypass valve Plant Condition: Any power level Discussion: Inadvertent opening of a turbine governor or bypass valve could cause reactor vessel invertory to deplete at a rate faster than the feec system is replenishing it while in MANUAL and the allowable inventory low limit could be exceeded.

39 I l

l

o .

7. Reactor Water Cleanup System (RWCS)

Failure Mode: Inadvertent letdown when not required Plant Condition: Any power level Discussion: Inadvertent initiation of letdown flow through the ,

4 in. RWCS letdown line could result in an inventory decrease beyond allowable low level limits.

8. Raw Cooling Water System (RCWS)

Failure Mode: Loss of cooling water flow Plant Condition: Any power level Discussion: A loss of raw cooling water flow may cause or contribute to an inventory decrease'since the RCWS supplies cooling water to the reactor feedpump turbine oil coolers. A loss of cooling water would necessitate the shutdown of the feedwater pumps.

9. Turbine Generator System Failure Mode: Transient power increase Plant Condition: Any power level

(

, Discussion: An increased power transient may cause or contribute to an inventory decrease as the-increase in the rate of steam flow leaving the reactor vessel may exceed the flow of water entering the vessel if the feedwater system is in MANUAL.

l 40 i

1

• 'l

, =- -

10. Turbine Bypass System Failure Mode: Bypass valve (s) fail open Plant Condition: Any power level Discussion: The increased steam flow that would result from the bypass valve (s) failing open could cause an inventory decrease since the steam flow from the reactor may exceed the flow of feedwater to the reactor vessel if in MANUAL control.

11. Condensate and Reactor Feedwater System Failure Mode: Feedwater flow fails low Plant Conditios: Any power level Discussion: Feedwater flow failing low may cause or contribute to a decrease in coolant inventory since the steam flow from the reactor vessel may exceed the flow of feedw'ater entering the vessel, s

O e

I p

}

41 l' ' .

i .

i SECTION 0--DECREASE IN VESSEL FLOW RATE

1. Reactor Recirculation System Failure Mode: Low flow or loss of flow .

Plant Condition: Any power level Oiscussion: Loss of both recirculation pumos by seizure will cause a total loss of flow and the bounding analysis only covers seizure of one. It appears as though loss of both could be more severe.

2. Reactor Building Closed Cooling Water System (RBCCWS)

Failure Mode: Loss of cooling water to designated equipment Plant Condition: Any power level Discussion: A loss of cooling water to equipment supplied by the kBCCWS may cause or contribute to a reactor coolant flow decrease as the RBCCWS supplies cooling water to the recirculation pump and motor coolers. A loss of the cooling water would necessitate a shutdown or runback of the ,

recirculation pumps which results in a flow decrease through the reactor vessel.

3. Raw Cooling Water System (RCWS)

Failure Mode: Loss of cooling water flows Plant Condition: Any power level 42

j . .

1

Ofscussion

A loss of cooling water flow from the RCWS may j cause or contribute to a reac' tor coolant flow decrease as the RCWS supplies coolant water to the

recirculation pump M-G set coolers and the reactor building closed cooling water heat echangers. A l 4 loss of the cooling water would necessitate a shutdown or runback of the recirculation pumps.

I 1 ,

I I .

~

1 1

h I

k 5

f 4

f

~

a il i

l l

l l

I l 43^

I . -

.. . - , ,- . . . - , , - - ,, , , , . ~ - , :+ i. ,i

, i 1

j SECTION E--INCREASE IN VESSEL FLOW RATE 1

l. Reactor Recirculation System i Failure Mode: High flow rate Plant Condition: Optimum power level to maximize the consequences ,

Discussion: Failure of the M-G scoop tube drive circuit may

cause the speed of the recirculation pumps to be i

increased at a rate in excess of allowable limits.

i i

i 4

.1 7 i

O f

j 44 m - MOO f G

-.: y ,m, m e- o u m.- . . . - ~ e .- ,,.n._ - . e, . . . , s t.+v. .-

SECTION F--FREQUENCY, OPERATOR ACTION AND ENGINEERED SAFETY FEATURES TRANS!ENTS

1. Reactor Recirculation System Failure Mode: High or low flow Plant Condition: Any power level Discussion: Excessive flow changes in either the high or low direction have the potential to cause Engineered Safety Features actuations and/or Reactor Protection System trips.

2. Nuclear System Pressure Relief System Failure Mode: Inadvertent opening Plant Condition: Any power level Discussion: Inadvertent opening of a safety or relief valve may cause a pressure drop and could result in an ESF actuation. The number of inadvertent openings in a defined time period could be significantly greater than allowed.

3. Main Steam Line Isolation Valves Failure Mode: Inadvertent closure l

l Plant Condition: Any power level I

Discussion: Inadvertent closure of an individual isolation j valve could cause an ESF actuation.

45

4. Reactor Core Isolation and Standby Cooling System Failure Mode: Inadvertent initiation of cooling Plant Condition: Any power level Discussion: Inadvertent initiation of emergency cooling systems could create an additional Engineered Safety Features actuation and a violation of a Technical Specification safety limit.

5. Reactor Protection System Failure V:de: Inadvertent trips Plant Condition: Any power level Discussien: Inadvertent trips of the RPS and ESF systems produce challenges that could exceed the design limits for frequency of protective system actuations and therefore compromise the ability of the system to function when actually required.

6. Core Standby Ceoling Control and Instrumentation System Failure Mode: Inadvertent initiation of cooling systems Plant Condition: Any power level Discussion: Inadvertent initiation of one or more standby cooling system could result in a positive reactivity addition in excess of the allowable limits established for positive reactivity additions.

46

O

7. Neutron Monitoring System Failure Mode: Indicate higher or lower than actual levels Plant Condition: Any power level Discussion: The neutron monitoring system could cause undue operator errors by indicating more or less than actual levels and cause the operatcr to perform erroneous actions.

8. Refueling Interlocks System Failure Mode: FDlure to restrict movements Plant Condition: Shutdown--Refueling

)

Discussion: Failure of the interlocks system to restrict movements could result in a violation of reactivity limits and contribute to erroneous operator actions.

9. Reactor Manual Control and Contral Rod Drive Systems Failure Mode: Inadvertent rod withdrawal or rod ejection ,

Plant Condition: Any power level Discussion: Inadvertent rod withdrawal or ejection could cause reactivity to increase and power excursions.

Either of these could be in excess of allowable limits and both could contribute to pressure-excursions and ESF actuations.

Rod drops could cause power excursions which could result in an Engineered Safety Features actuation.

47 ,

W se - --

y

0 0

10. Reactor Vessel Instrumentation System Failure Mode:

• Transmits or indicates higher or lower than actual conditions Plant Condition: Any power level Discussion: Transmitting higher than actual conditions within the vessel creates a potential to cause or contribute to an inventory decrease situaticn.

Transmitting lower than actual conditions creates a potential for a positive reactivity addition that could be in excess of allowable limits.

Either of these conditions could cause an Engineered Safety Feature actuation if it isn't i

recognized soon enough and the feedwater control system is controlling from these signals.

11. Feedwater Control System Failure Mode: High flow or low flow rate Plant Condition: Any power level Discussion: High flow rate of the feedwater system may add ,

cool water to the vessel at a rate in excess of the heat addition rate. This could cause the voids to collapse and a positive reactivity addition which could exceed allowable limits and/or cause an Engineered Safety Features actuation. Low feedwater flow rates could cause a loss of vessel inventory beyond allowable low limits and could cause an Engineered Safety Features actuation.

48

4 .

12. Pressure Regulator and Turbine Generator Control System Failure Mode: Inadvertent opening or closing of turbine governor or bypass valvas Plant Condition: Any powar level Discussion: Inadvertent opening of turbine governor or bypass valves could cause steam flow to ince, ease, vessel pressure to decrease, and recirculation flow to increase. This could lead to a vessel inventory depletion if the feedwater control is in MANUAL and an Engineered Safety Features actuation.

Inadvertent closing of turbine governor or bypass vaTves could cause pressure increases, reactivity additions and coulo cause an Engineered Safety Features actuation.

13. Process Computer System Failure Mode: Indicates higher or lower than actual conditions Plant Condition: Any pcoer level Discussion: If the operator is using the outputs of the ,

process computer to control plant variables the possibility exists for the operator to perform an incorrect action due to erroneous information.

14. Backup Control System Failure Mode: Inadvertent startup of emergency systems Plant Condition: Any power level

. 49

Discussion: Inadvertent startup of safety systems could result in actuation of Engineered Safety Fe'atures and could be in excess of any allowable frequency for inadvertent starts.

15. Auxiliary DC Power Supply System Failure Mode: Failure to provide power Plant Condition: Any power level Discussion: Failure to provide the required power to the plant communication and annunciation system could result in the operator performing incorrect actions due to a lack of, or incorrect, communications or annunciations.

16. Turbine Generator System Failure Mode: Transient power increase or transient power decrease Plant Condition: Any power level Discussion: Transient power increases or decreases have the potential to cause or contribute to moderate frequency incidents that could cause automatic actuation of the Engineered Safety Features including the Reactor protection System. A transient power increase could cause a pressure decrease, main steam isolation valve closure, if pressure decreases to less than 825 psia, and a reactor scram due to MSIV closure. A transient power decrease such as a turbine trip could cause 50

s

• actuation of the reactor scram, as well as recirculation pump trip and bypass valve opening to limit reactor vessel pressure.

17. Main Condenser System Failure Mode: Loss of condenser vacuum Plant Condition: Any power level .

Discussion: Failures of the main condenser system which result in a loss of condenser vacuum have the potential to cause or contribute to moderate frequency incidents resulting in actuation of Engineered Safety Features. including the Reactor Protection System. The loss of vacuum transient could cause closure of the turbine stop valve (s) bypass valve (s) and a reactor scram.

18. Turbine Bypass Systen.

Failure Mode: Bypass valve (s) fail open or fail closed Plant Condition: Any power level Discussion: Failures of the turbine bypass system which result in the bypass valve (s) failing open could result in an automatic actuation of the Reactor Protection System since the steam pressure would decrease and the isolation valves may shut.

Failures which result in the bypass valve (s) failing closed may result in an automatic actuation of the protection system since the system pressure could increase and cause reactor power to increase.

51 L-

19. Condenser Circulating Water System Failure Mode- Circulating water flow fails low Plant Condition: Any power level Discussion: Failure of the circulating water flow may cause or contribute to an actuation of t eh Reactor Protection System as the loss of flow could cause a loss of condenser vacuum which initiates a turbine trip and reactor scram. This could be in violation of a moderate frequency incident if it occurs more than once per year.

20. Condensate and Reactor Feedwater System Failure Mode: Feedwater flow fails high or fails low Plant Condition: Any power level Discussion: Failures which cause feedwater flow to fail high may cause an actuation of the Reactor Protection System due to the reactivity addition to the reactor. The added cold water due to feedwater flow failing high could cause a cooldown rate that exceeds the Title 10 Code of Federal Regulations Part 50, Appendix G curve limits. Feedwater flow failing low could cause actuation of the Reactor Protection System due to a low reactor water level.

l 52

. .~.

t APPENDIX 0 BROWNS FERRY OTHER TRANSIENTS STUDY REJECTED SYSTEMS JUSTIFICATION 4

53 B

, e 1

APPENDIX 0 BROWNS FERRY OTHER TRANSIENTS STUDY REJECTED SYSTEMS JUSTIFICATION

1. INTRODUCTION During this phase of the study the Licensee Event Reports (LER) and the Nucle.ar Power Experiences (NPE) for the years 1980-1982 were reviewed and a Failure Mode and Effects Analysis (FMEA; Appendix B) was completed.

These were performed independently to ensure all possible system failures leading to transient situations were identified. The LERs and NPEs I reviewed produced several cases of transients of concern. The FMEA also identified the same systems as well as other systems as potential problems. The remaining systems were subsequently rejected from this study and the reason or reasons are documented within this section of this report.

2. ASSUMPTIONS The following assumptions were used to justify system rejection from further review.

2.1 Noncapable System Any system which through normal operation or failure has no apparent capability to create or contribute to any of the other transients was rejected, e.g. , Process Radiation Monitoring System.

2.2 Safety Grade System Any safety grade system which would require multiple failures to create or contribute to any of the other transients was rejected, e.g.,

Reactor Protection System.

I SS 1

l

2.3 Insionificant Contribution System Any system, which through normal operation or failure, would have an insignificant effect on any of the other transients was rejected, e.g.,

Standby Liquid Control System.

3. SYSTEM DISCUSSIONS 3.1 Residual Heat Removal System This system was rejected because it is safety grade, redundant and would require multiple failures to create or contribute to any of the other transients.

3.2 primary Containment System and Reactor Vessel Isolation Control System This system was rejected because it is safety grade, redundant and would require multiple failures to create or contribute to any of the other transients.

3.3 Secondary Containment System This system v'as rejected beccuse it is safety grade, redundant and would require multiple failures to create or contribute to any of the other .

transients.

3.4 Reactor Protection System This system was rejected because it is safety grade, redundant and would require multiple failures to cause or contribute to any of the other transients.

, 56

s

~

3.5 Neutron Monitoring System This system was rejected because it is safety grade, redundant and l would reouire multiple failures to cause or contribute to any of the other l transients.

l l

3.6 Process Radiation Monitoring System i

l This system was rejected because normal operation or failure of tne l system has no capability to create or contribute to any of the other transients.

3.7 Area Radiation Monitoring System This system was rejected because normal operation or failure of the system has no capability to create or contribute to any of the other tran s f er.ts.

3.8 Site Environmental Radiation Monitteing System This system was rejected because normal operation or failure of the system has no capability to create or contribute to any of the other transients.

3.9 Health Physics Lab Radiation Monitoring System This systta was rejected because normal operation or failure of the systam has no capability to create or contribute to ..ny of the other transients.

3.10 Diesel Generator Systems This system was rejected because it is safety grade, redundant and would require multiple failures to create or contribute to any of the other transients.

57 '

=

a j

3.11 Normal Auxiliary Power System This system was rejected because normal operation or failure of the system to supply components is covered during the individual component system reviews.

3.12 Standby AC 9ower Supoly System i

This sytem was rejected because failure of components suppifed by this safety grade system are evaluated during the individual system reviews.

3.13 250 V DC Power Supply System This system was rejected because failure of components supplied by t

this safety grade system are evaluated during the individual system reviews, 3.14 120 V AC Power Supply System This system was rejected because normal operation or failure of the system to supply components is covered during the individual component system reviews.

3.15 Liouid Radwaste System This system was rejected because normal operation or failure of the ,

system has no capability to create or contribute to any of the other transients.

3.16 Solid Radwaste System 4

This system was rejected because normal operation or failure of the system has no capability to create or contributeoto any of the other transients.

58 -

1-

~

, ~

m

. s 3.17 Gaseous Radwaste System This system was rejected because normal operation or failure of the system has no capability to create or contribute to any of the other transients, 3.18 New Fuel Storage System This system was rejected because normai operation or failure of the system has no capability to create or contribute to any of the other transients.

3.19 Spent Fuel Storage System This system was rejected because normal operation or failure of the system has no capability to create or contribute to any of the other transients.

3.20 Fuel Pool Cooling and Cleanup System This system was rejected because normal operation or failure of the system has no capability to create or contribute to any of the other transients.

3.21 Reactor Building Closed Cooling Water System ,

This system was rejected because it is safety grade, redundant and would recuire multiple failures to cause or contribute to any of the other transients.

3.22 Raw Service Wacer System This system was rejected because normal operation or failure of the system has no capability to create or contribute to any of the other transients.

59

3.23 Residual Heat Removal Service Water System This system was rejected because it is safety grade, redundant and would require multiple failures to create or contribute to any of the other transients.

3.24 Emergency Eouipment Cooling Water System This system was rejected because it is safety grade, redundant and would require multiple failures to create or contribute to any of the other transients.

3.25 Fire Protection System This system was rejected b'ecause normal operation or failure of the system has no capability to create or contribute to any of the other transients.

3.26 Heating, Ventilation and Air Conditioning Sys'tems These systems were rejected even though normal operation or failure of the systems has the capability to create or contribute to several of the other transients, the contribution is insignificant and is covered during the individual system reviews.

3.27 Domineralized Water System This system was rejected even though operation er failure of the system has the capability to contribute to several of the othe- transients, the contribution is insignificant and therefo.?9 nat of prime concern for this study.

l 60

- +

3.28 Control and Service Air Systems These systems were rejected because failure of the systems to supply components are covered in the individual component system reviews.

3.29 Potable Water and Sanitary Systems These systems were rejected because normal operation or failure of the

~

systems have no capability to create or contribute to any of the other transients.

3.30 Equioment and Floor Orainage System This system was rejected because normal operation or failure of the system has no capability to create or contribute to any of the other transients.

3.31 Process Samplina System This system was rejected because normal operation or failure of the system has no capability to create or contribute to any of the other transients.

• 3.32 Plant Communications System .

This system was rejected because normal operation or failure of the system has no capability to create or contribute to any of the other transients.

3.33 Lightino Systems These systems were rejected because normal operation or failure of the systems have no capability to create or contribute to any of the other transients.

61 i

a

3.34 Auxiliary Boiler System This sytem was rejected because normal operation or failure of the system has no capability to create or contribute to any of the other transients. ,

4 3.35 Main Steam System This system was rejected because it has no capability to cause or l contribute to any of the other transients and components connected to the

! main steam system are covered during the individual system reviews.

l 3.36 Standby Liould Control System This system was rejected even though operation or failure of the system has tne capability to contribute to several of the other transients, the contribution is insignificant and therefore not a prime concern for this study.

4

SUMMARY

In utilizing the nonmechanistic, qualitative FMEA format, 36 systems

) were rejected from further review. Any additions or deletions of systems will be justified and documented in future amendments to th.. report.

4 62.

. ~ ,

_- - -- . _- = _ - . - - . .

.. m

),",g P Ru 335 u s. nucle An s sGutAroav commiss10N BIBLIOGRAPHIC DATA SHEET EGG-EA-6296 4 TITLE ANO SugfiTLE 2 itene es ,ies Browns Ferry Other Transients Failure Modes and Effects '

Analysis and Rejected Systems Justification Report a Recipient s AcetssieN No 7 AufwoRiSI 5 OATE REPORT COMPLE TED

• " I"'" 1983 D. E. Baxter. D. M. Beahm, S. J. Bruske May 9 PERFORMING ORGANIZAflON NAME AND MAisiteG AoOREs3 /Inetwar /,a Codel DATE REPORi ISSUED MONTw lviam May 1983 EGaG Idaho, Inc. . g , ,, ,,,,,,

i Idaho Falls, ID 83415 8 ftene aneal 12 SPONSORING ORGAN 62 ATION NAME AND VAILING AoORE$$ t/scs w ar /.a Cedr#

10 PROJEcf TAsa,WORs UNet NO Division of Safety Technology Office of Nuciear Heactor Aegulation , , ,,y o U.S. Nuclear Regulatory Commission A6477 Washington, DC 20555 o Tv PE o, RE PORT ,. R. oo c o v e e o ,,,,,.. ...ri, l'J $yPPLEvt N T ARY NOTE S t o stem, or,*as til A85TH AC T (JLNJ eorver tw iessA This is an interim report which contains the failure modes and effects analysis for the Browns Ferry other transients, the general transient scenarios and '

the rejected systems justification report.

ir *E v woRos Amo occuuENT AN ALysis ira cEscRiptoms I

l l

l 17n eOE NilkiE RS OPEN ENCE O TERUS is Av 4iL Aaitif v st Artuf NT iv sa cewi f v et Ass i r i ,,,,,,, 2i so osPAc,cs I.imited distribution because report is subject Unclassi fied to change with final report issue.

Unbs's$[N[""

% =c soau m .....

l l

% *