ML20080F298

Rept Concerning Effects of Control Sys Failures on Overfill & Overcooling Events at Browns Ferry, Interim Rept
ML20080F298
Person / Time
Site: Browns Ferry, Tennessee Valley Authority
Issue date: 10/31/1983
From: Baxter D, Bruske S, Morken D
EG&G, INC.
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-A-6477 EGG-EA-6353, NUDOCS 8402100421


Text


EGG-EA-6353
OCTOBER 1983

REPORT CONCERNING THE EFFECTS OF CONTROL SYSTEM FAILURES ON OVERFILL/OVERCOOLING EVENTS AT BROWNS FERRY

D. E. Baxter
S. J. Bruske
D. J. Morken

Idaho National Engineering Laboratory
Operated by the U.S. Department of Energy


This is an informal report intended for use as a preliminary or working document

Prepared for the U.S. NUCLEAR REGULATORY COMMISSION
Under DOE Contract No. DE-AC07-76ID01570
FIN No. A6477

EGG-EA-6353

REPORT CONCERNING THE EFFECTS OF CONTROL SYSTEM FAILURES ON OVERFILL AND OVERCOOLING EVENTS AT BROWNS FERRY

D. E. Baxter
S. J. Bruske
D. J. Morken

Published October 1983

EG&G Idaho, Inc.
Idaho Falls, ID 83415

Prepared for the U.S. Nuclear Regulatory Commission
Under DOE Contract No. DE-AC07-76ID01570
FIN No. A6477


ABSTRACT

Recently, concerns dealing with the possibility that certain accidents or transients could be made more severe by control system failures or malfunctions have been raised. These concerns have been documented under Unresolved Safety Issue (USI) A-47, Safety Implications of Control Systems. Specific concerns dealing with overfill and overcooling events are included in USI A-47.

This EG&G Idaho, Inc., report presents the study performed to evaluate the effects of postulated control system failures on overfill and overcooling events at the Browns Ferry Nuclear Power Plant.


FOREWORD

This report is supplied as part of the "Safety Implications of Control System Failures A-47" study being conducted for the U.S. Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation, Division of Safety Technology by EG&G Idaho, Inc., NRC Licensing Support Section.

The U.S. Nuclear Regulatory Commission funded the work under the authorization E&R 20-19-50-51-5, FIN No. A6477.


CONTENTS

ABSTRACT
FOREWORD
SUMMARY
1. INTRODUCTION
2. METHOD OF ANALYSIS
3. ASSUMPTIONS
4. SYSTEM DESCRIPTION
5. CONCLUSIONS
6. REFERENCES
APPENDIX A--SAFETY IMPLICATIONS OF CONTROL SYSTEMS (A-47) SIGNIFICANT SYSTEMS SELECTION CRITERIA
APPENDIX B--OVERFILL/OVERCOOLING FAILURE MODE AND EFFECTS ANALYSIS (FMEA) TABLES
APPENDIX C--OVERFILL AND/OR OVERCOOLING POTENTIALLY SIGNIFICANT SYSTEMS LIST AND DISCUSSIONS
APPENDIX D--DETAILED REVIEW TABLES FOR OVERFILL AND OVERCOOLING TRANSIENTS
APPENDIX E--STATISTICAL ANALYSIS TABLES
APPENDIX F--OVERFILL AND OVERCOOLING POSTULATED TRANSIENT SCENARIOS
APPENDIX G--DOCUMENTED OVERFILL AND OVERCOOLING TRANSIENTS

SUMMARY

The purpose of this study is to determine which system or systems, if any, at commercial Boiling Water Reactor (BWR) units could initiate, contribute to, or aggravate any overfill or overcooling events. These events have been identified as significant concerns for plant safety by the Nuclear Regulatory Commission.

A study of the Nuclear Power Experiences¹ and Licensee Event Reports for the years of 1980 through 1982 for all BWR units was performed to identify all events of these types which have occurred. Independent of this study, a non-mechanistic Failure Mode and Effects Analysis was performed for each of these events. The results of these two studies produced a list of significant systems of concern. These systems were then processed through a detailed study to determine what mechanism was available to create the failure or operation of concern. These failures were then ranked and a probability of occurrence assigned to each. These rankings were then combined with engineering judgment and postulated transient scenarios were developed.

These postulated transients are considered to be potentially more severe than those presented in the Final Safety Analysis Report.

Conclusive documentation that verifies these assumptions requires completion of computer modeling and analysis of these transients.


REPORT CONCERNING THE EFFECTS OF CONTROL SYSTEM FAILURES ON OVERFILL AND OVERCOOLING EVENTS AT BROWNS FERRY

1. INTRODUCTION

EG&G Idaho, Inc., is technically supporting the Nuclear Regulatory Commission in their efforts to resolve the generic issue A-47, Safety Implications of Control Systems. The concern of the A-47 study is to determine if any accidents or transients can be initiated or made more severe than previously analyzed as a result of control system failures or malfunctions. Specific concerns dealing with reactor vessel overfill and overcooling events are included in the A-47 study. This report addresses only the overfill and overcooling events. Later reports will cover other events of concern.

This report addresses the analysis performed to evaluate the effects of control system (non safety grade) failure or malfunction and their potential for causing or contributing to an overfill or overcooling event.


2. METHOD OF ANALYSIS

The evaluation of control system failures or malfunctions on reactor vessel overfill and/or overcooling events at boiling water reactors (BWR) was performed in two separate phases. Each of these phases utilized a slightly different methodology.

The first phase of this study was to identify all the control grade systems used for plant control at the boiling water reactor sites, and then identify those systems which could be postulated to cause or contribute to an overfill or overcooling event. A review of the Browns Ferry Final Safety Analysis Report (FSAR) provided a list of 56 systems, both safety grade and control grade, which are capable of affecting reactor plant performance, safety and control. Safety grade systems were included to ensure that all plant operations and evolutions were completely analyzed.

However, failures of safety grade systems, other than single failures, were not taken into consideration for this report as it was not the intent of this report to identify multiple safety grade system failures, although there have been documented cases, but rather control grade system failures. The complete list of systems identified and analyzed is contained in Appendix B.

The second phase of this study was to develop a set of criteria which could be used to establish which system failures or operations would have a significant impact on the various events of concern. The listing of the criteria developed for the entire A-47 study is contained in Appendix A.

For this report on overfill and overcooling, only Criteria 1 and 2 of Appendix A are applicable.

In order to determine which systems have a potential for affecting or causing an overfill or overcooling event, two separate approaches were utilized. These two methodologies were performed separately from each other to preclude as much commonality as practicable. The first approach entailed a detailed review of the Licensee Event Reports and the Nuclear Power Experiences¹ for a specific group of BWRs for the years 1980 through 1982. The review was focused around any and all events that were or could be classified as overfill or overcooling events. This detailed review produced several instances which caused or contributed to an overfill and/or overcooling event. In several cases water level was actually raised high enough to cause flooding of the main steam lines, and several instances of cooldown rates exceeding 100°F/hr were documented. A composite listing of several of these events as documented in the Nuclear Power Experiences¹ is contained in Appendix G.

The second approach utilized was to perform a Failure Mode and Effects Analysis (FMEA) for each of the events. The FMEA tables are contained in Appendix B. During the course of producing the FMEA, all of the systems were subjected to a very broad and liberal interpretation of Criteria 1 and 2 of Appendix A. In utilizing these interpretations, systems which were postulated to be capable of causing or contributing to either of these events were designated as potentially significant systems and placed in a further detailed review status. The listing of those systems designated as potentially significant, along with a brief discussion explaining the plant conditions and system failure mode of concern, is contained in Appendix C.

Systems which were not selected as being potentially significant for these events were rejected from further review. These systems have been identified in Appendix B along with the reason or reasons for rejection.

The potentially significant systems were then subjected to a detailed review to determine if mechanistic failures could be postulated to cause the system failure of concern. These mechanistic failures were identified and ranked according to the effect of the failure and the relative likelihood of its occurrence. The detailed review tables are contained in Appendix D and the statistical calculations are contained in Appendix E.

Transient scenarios were then developed utilizing these tables and engineering evaluations. The postulated scenarios are contained in Appendix F and are considered to be more severe than those presented in the Browns Ferry Final Safety Analysis Report. Included in Appendix F is a listing of additional systems that have the potential to cause or aggravate the transient and may be used in additional transient studies based on the results of the computer simulation and analysis of what appears to be a worse case at this time.

The next phase of this task requires computer modeling and analysis of these worse case transients. These studies could produce additional transient scenarios of concern as previously mentioned. These additional transients will be documented in a future amendment to this report or will be presented in an additional report and, if required, will be computer modeled and analyzed.


3. ASSUMPTIONS

The assumptions utilized in each phase of this study are contained in their respective appendices.


4. SYSTEM DESCRIPTION

The systems which were evaluated in the FMEA tables were extracted from the systems as identified in the Browns Ferry Final Safety Analysis Report (FSAR). The systems which were evaluated represent the major nonsafety grade control systems which are used for reactor plant control.

Many systems have several subsystems or support systems associated with them which were not specifically listed in the FMEA. However, failures of these systems were factored into the analysis by considering a support or subsystem failure to result in a non-mechanistic failure of the major system.


5. CONCLUSIONS

Although defining the actual consequences of an overfill or overcooling event is considered beyond the scope of this task, it could be postulated that an overfill to the point of water entering the main steam lines could cause main turbine damage, and the possibility exists of main steam line damage due to the static loading of water. Additionally, thermal stresses and the possibility that safety systems which are connected to the main steam system could be disabled or damaged by water loading are concerns. For example, the high pressure coolant injection (HPCI) turbine might be disabled, and main steam isolation valves and safety relief valve(s) could be damaged due to thermal stresses or water loadings. Similarly, overcooling concerns dealing with thermal shock and structural damage have been postulated.

The scenarios postulated in Appendix F identify concerns with control system failures as they relate to overfill and overcooling transients. It must be recognized, however, that due to the dynamic nature of nuclear power plants and their associated control systems, definitive conclusions concerning the effects of system failures cannot be made without verifying these postulated effects through computer simulation.

Recognizing these limitations, the postulated scenarios indicate potential problems with regard to overfill and overcooling transients resulting from the design and operation of the reactor feedwater and control system.

These postulated scenarios are consistent with the guidance provided in Standard Review Plan Section 7.1, Appendix B, Item 3.

Specifically, the reactor feedwater system is considered a control system and is not subjected to the requirements established for safety related systems. The scenarios in Appendix F postulate single active failures which can cause or significantly contribute to overfill and overcooling transients.


Based on the concerns associated with overfill and overcooling events, the reactor feedwater and control system apparently does not meet the intent of Standard Review Plan Section 7.7, III, 5.

Recommendations at this time include:

1. A thorough evaluation of the consequences of overfill and overcooling transients and defining of the safety significance of each.

If it is determined that these transients have safety implications, a cost versus benefit study should be performed to evaluate the following possible solutions.

1. Reevaluation of the overcooling and overfill transients by the licensees and proposed modifications to existing safety systems to preclude the effects of these transients.

2. Provide additional systems designated as "Interlock Systems Important to Safety" to preclude the postulated effects of these transients.
3. Reclassification of the reactor feedwater system as a "System Important to Safety" as defined in Standard Review Plan Section 7.1 Appendix A and upgrading the system to meet the applicable criteria.


6. REFERENCES
1. Nuclear Power Experiences BWR-2; Nuclear Power Experiences a division of S. M. Stoller Corporation, 1919 14th Street Suite 550, Boulder Co. 80302-5386. Phone (303)449-7220.


APPENDIX A

SAFETY IMPLICATIONS OF CONTROL SYSTEMS (A-47) SIGNIFICANT SYSTEMS SELECTION CRITERIA


1. Any control grade system or component failure, either initiating or aggravating, which results in an undesired increase in reactor coolant inventory to the point where water enters the main steam line will be recommended for further review.

The Browns Ferry bounding transient analysis presented in the FSAR for increase in reactor coolant inventory is a "Feedwater Controller Failure-Maximum Demand, 115% Feedflow". The addition of feedwater is terminated 5 seconds after transient initiation by the reactor vessel high water level trip.

The design basis accident for this event is a main steam line break outside of containment. This accident is terminated by closure of the main steam isolation valves.

2. Any control grade system or component failure, either initiating or aggravating, which results in an undesired reactor vessel water temperature decrease beyond the bounds of the present FSAR analysis will be recommended for further review.

The limiting transient for this event in the Browns Ferry FSAR analysis is the "Loss of Feedwater Heater(s) equivalent to a 100°F Decrease in Temperature." This represents the maximum temperature decrease obtainable through tripping or bypassing of heaters caused by a single event.

There is no design basis accident identified for the decrease in reactor coolant temperature event.

3. Any control grade system or component failure, either initiating or aggravating, which results in an undesired nuclear system pressure increase, positive reactivity increase or a reactor core coolant flow increase beyond the bounds of the present Final Safety Analysis Report (FSAR) analysis results will be recommended for further review.

The limiting transient for a nuclear pressure increase event in the Browns Ferry FSAR analysis is the "Loss of Condenser Vacuum". This represents the instantaneous loss of vacuum and closure of the turbine stop valves and bypass valves; therefore, all stored energy must be dissipated through the relief valves.

There is no design basis accident identified for the pressure increase event.

The limiting transient for a positive reactivity increase event in the Browns Ferry FSAR analysis is a "Continuous Rod Withdrawal During Reactor Startup." This represents the most severe transient. The reactor is just critical at room temperature and a high worth, out of sequence, rod is continuously withdrawn.

The design basis accident for a positive reactivity increase event is a rod drop (ejection) and is terminated with a reactor trip.

The limiting transient for a reactor core coolant flow increase event in the Browns Ferry FSAR analysis is "Recirculation Flow Controller Failure--Increasing Flow." This represents the fastest rate at which flow can be increased with the reactor power level at the most optimum level to maximize the severity of the transient.

There is no design basis accident identified for the increase reactor core coolant flow event.

4. Any control grade system or component failure, either initiating or aggravating, which results in an undesired reactor vessel inventory decrease or a reactor core coolant flow decrease beyond the bounds of the present FSAR analysis results will be recommended for further review.

The limiting transient for a reactor vessel inventory decrease event presented in the Browns Ferry FSAR is "Loss of Feedwater Flow from High Power." This represents the maximum anticipated rate of inventory decrease due to the high steam flow rate.

The design basis accident for the decrease in inventory event is a loss of coolant accident caused by a circumferential break of the recirculation system crosstie with the crosstie valve(s) open.

The limiting transient for a reactor core coolant flow decrease event in the Browns Ferry FSAR analysis is a "Recirculation Pump Seizure." This represents the fastest flow decrease possible through any single failure or operator action.

There is no design basis accident identified for a decrease reactor core coolant flow event.

5. Any control grade system or component failures which are projected to cause transients identified as incidents of moderate frequency (Anticipated Operational Occurrences) to occur at a rate significantly more frequent than once per year, or failures which are projected to cause transients identified as infrequent incidents to occur more than once during the lifetime of a plant, or failures which are projected to cause limiting faults (Design Basis Accidents) will be recommended for further review.
6. Any control grade system or component failures which would adversely affect any assumed or anticipated operator action during the course of a particular event or result in manual or automatic actuation of Engineered Safety Features, including the Reactor Protection System or result in exceeding any Technical Specification safety limit will be recommended for further review.


APPENDIX B

OVERFILL/OVERCOOLING TRANSIENTS FAILURE MODE AND EFFECTS ANALYSIS

[First page of the Appendix B FMEA table; its contents did not survive text extraction.]

s APPENDIX fl. (continued) i, Ilcable A-47 Selection Criterla System System Function Appendia A Systen Failure Made if fect of f allure (Scenario Olscussion) 1:eactor Core Provides makeup water to the f ailure to stop makeup flow on Isolation and Standby reactor vessel from various These failures appear to have the poten- I and/or 2 I'coling Systems high level or inadvertent start- tlat to cause or contribute to an over. (Appendia C, item 3) sources whenever the vessel is up een not required. fill or overcooling transient.

Isolated.

Fallure to provide the required These failures should not have the poten- None makeup flow to the vessel. tial to cause or contribute to an over-fill or overcooling transient as the lack of makeup flow would cause no level

  • lacrease and no cooling.

I:esidual Heat Removal Provides for heat removal from failure to supply the required these failures shousa not have the poten. Ilone System the primary system during normal heat removal.

shutdown and accident tial to cause or contribute to an over-fill or overcooling transient as failure

. condit ions. to rem ve heat does not result in a coollag transient and the heat addition rate is not suf ficient to cause a significant vold formation and subsequent to .

O level rise.

Fallure to control the heat These failures should not have the poten- 2 removal rate. tial to cause or contribute to an over- (Appendia C, item 4) fill transient as the increased coollag would cause vold collase and level shrink. The encess coollag could cause or contribute to an overcooling

. transient.

I:eactor Water Cleanup Provides filtration and lon Failure to provide letdown flow These failures appear to have the poten-Lystem enchange to malatain the reactor when necessary.

I water purity. Also serves as a tial to cause or contribute to an over- (Appendia C, ites 5) letdown path during startup. fill transient but should not cause or contribute to an overcooling transient as the volume of the system in comparison to 9 the primary system is insignificant.

Failure to stop letdown flow These failures should not have the poten- Ilone s when required. Llal to cause or contribute ta en over-fill or overcooling translent as the flow out would tend to lower level and the lower level would tend to aid a heatup vice cooldown situation.

L l . . . ,

/#PENDIX B. (continued)

Appilcable A-41

. Selection Criteria Appendia A Systes System Function System Fallure Mode Effect of Failure genarloOlscussion)

Primary Containment Provides automatic isolation of Failure to affect isolation when These failures shou 1J not have the poten- leone System and Reactor the primary system and reactor required. 1941 to cause or contribute to an over-Vessel Isolation vessel to prevent a release to fill or overcooling translent as the Control System the environs. system is designed to contain the primary ccolant af ter a design basis accident but does not directly provide coolant or cooling to the core.

Inadvertent isolation when not These f ailures should not have the poten- Ilone reautred. Llal to cause or contribute to an over-fill or overcooling transient as the systec is designed to contain the primary coolant af ter a design basis accident but does not direct 6y provide coolant or cooling the the core.

Secondary Containment Provides backup isolation to the Failure to affect isolation when Thes' f ailures samid not have the poten- Ilone to System primary containment to prevent regelred, tial to cause or contribute to an over-releases to the environs. fill or overcoollag transient as the systens is designed to contain any .

releases from the primary containment but does not directly provide coolant cr cooling to the core.

Inadvertent isolation when not These failures should not have the poten- Ilune

. required. tial to cause or contributt to an over-fill or overcoollag transient as the system is designed to contain any release from the primary containment but does not directly provide coolant or cooling to the core.

P.eactor Protection Provides protection to the Failure to provide the required These failures should not have the poten- Ilone System reactor system and fuel from trips and isolations.

damage due to out of tolerance Llal to cause or contribute to an over-fill or overcoollag transient as the conditions. system is safety grade, redundant and would rep lre multiple failures to fall to provise any required trips or tscletion that may have an affect on

  • these transients and multiple safety grade failures is beyond the scope of this task.

W lsPPENDIX B. (continued)

Applicable A.47 Selection Criteria System System Function Appendia A System Failure hie ifrect of failure [5cenarioDiscussion)

Inadvertent trips and these failures appear to have the poten.

1solations. 2 tial to cause or contribute to an over. (Appendix C. Item 8) coollag translent even though system is safety orade because the system is falling in the safest mode.

Fore Standby Coollag Provides protection free excess Failure to initiate cooling of rentrol and fuel clad temperatures in the these failures should not have the poten- lione the core when required. (f al to cause or contribute to an over-Instrumentation System event of a breach la the nuclear process barrier that results in fill or overcooling transient as f ailure a less of reactor coolant, to initiate would result in a loss of level and heatup situation.

Failure to terminate cooling of These failures appear to have the poten- I and/or 2 the core upon reaching high tlal to cause or contribute to an over-vessel water levels or (AppendiaC, item 6) fill or overcooling transient.

laadvertent initiation of cooling systems wlen not required.

N N fleutron Monitoring Systee Monitors the neutron flum level Indicates higher than actual These failures should not have the poten.

of the core over the range of levels. leone shutdown to full power. tlal to cause or contribute to an over-fill overcFw. ling transient as the system has no direct capabilities to provide coolant or cooling to the reactur vessel.

Indicates lower than actual These failures should not have the poten. Ilone levels. tlal to cause or contribute to an over-

  • fill or overcoollag transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel.

8:efueling Interlocks Restricts the movements of System I' allure to restrict movements These failures should not have the poten- flone refueling equipment and control uhen necessary.

rods during refueling to prevent tlal to cause or contribute to an over- .

a criticality. fill or overcooling translent as the system has no direct or ladirect capabilities to arovide coolant or coollag to the reactor vessel.

Failure to allow movements when These failures should not have the poten- Ilone necessary, tial to cause or contribute to an over-fill or overcooling transient as the system has no direct or Smitrect capabilities to provide coolant or coollag to the reactor vessel.

e

, e e

! ( .

t ifPENDIX B. (continued) t Applicable A-41 Selection Criteria Systee System Function Appendia A System Failure Mode If rect of f ailure (5cenario Olscusslon)

Reactor Manual provides the means to manipulate laadvertent rod withdrawal. or These failures appear to have the poten- I, Control and Control the control rods for gross ejection.

Rod Drive Systems reactivity control.

tial to cause or contritete to en over- (Appendia C. Item 7) fill transient but not an overcoollag transient as the power increase would add heat to the vessel vice cause coollag.

Inadvertent rod (s) Insertion These f ailures appear to have the poten- 2 while at power. tial to cause or contribute to an over- (Appendia C. flee 1) coollag transient but not an overtill as the power decrease would tend to cause veld collapse and level shrink vice swell.

System: Reactor Vessel Instrumentation
System Function: Monitors and transmits information concerning the conditions within and of the reactor vessel.

System Failure Mode: Transmits or indicates higher than actual conditions.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient but will be covered in a later phase of this study because it affects operator actions.
Applicable A-47 Selection Criteria: None

System Failure Mode: Transmits or indicates lower than actual conditions.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient but will be covered in a later phase of this study because it affects operator actions.
Applicable A-47 Selection Criteria: None

System: Feedwater Control System
System Function: Provides the necessary signals to maintain the required feed flow to maintain proper reactor vessel level.

System Failure Mode: High flow rate.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient.
Applicable A-47 Selection Criteria: 1 and/or 2 (Appendix C, Item 9)

System Failure Mode: Low flow rate.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as low feed flow will cause a loss of level and a heatup problem vice cooldown.
Applicable A-47 Selection Criteria: None

System: Pressure Regulator and Turbine Generator Control System
System Function: Provides the necessary control to maintain the turbine load and reactor pressure at prescribed levels.

System Failure Mode: Inadvertent opening of turbine governor or bypass valves.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient.
Applicable A-47 Selection Criteria: 1 and/or 2 (Appendix C, Item 10)

System Failure Mode: Inadvertent closing of turbine governor or bypass valves.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the sudden pressure increase results in void collapse, level shrink, power increase and a heatup vice cooldown transient.
Applicable A-47 Selection Criteria: None

System: Process Radiation Monitoring System
System Function: Monitors various lines for radioactive materials released to the environs by process liquids and gases or through process system failures.

System Failure Mode: Indicates higher than actual levels of radiation.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Indicates lower than actual levels of radiation.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Area Radiation Monitoring System
System Function: Monitors for radiation at various locations within the reactor building, turbine building and radwaste building.

System Failure Mode: Indicates higher than actual levels.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Indicates lower than actual levels.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Site Environmental Radiation Monitoring System
System Function: Monitors for natural and other radiation levels outside the plant.

System Failure Mode: Indicates higher than actual levels.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Indicates lower than actual levels.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None


System: Health Physics Lab Radiation Monitoring System
System Function: Monitors for abnormal radiation levels within the health physics lab.

System Failure Mode: Indicates higher than actual level.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Indicates lower than actual level.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Process Computer System
System Function: Monitors and logs process variables and provides certain analytical computations.

System Failure Mode: Provides higher than actual outputs.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Provides lower than actual outputs.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Backup Control System
System Function: Provides the capability to shut down the reactor and operate required emergency systems from locations outside the control room in the event the control room must be evacuated.

System Failure Mode: Inability to shut down the reactor or stop makeup flows from remote locations.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient.
Applicable A-47 Selection Criteria: 1 and/or 2 (Appendix C, Item 11)

System Failure Mode: Inadvertent shutdown of the reactor or startup of emergency makeup systems from remote locations.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient.
Applicable A-47 Selection Criteria: 1 and/or 2 (Appendix C, Item 11)

System: Diesel Generator Systems
System Function: Provides the necessary services to ensure the diesel generators are capable of coming on line and supplying electrical power.

System Failure Mode: Failures that result in a loss of service which prevents the diesel from coming on line and supplying electrical power.
Effect of Failure: Failures of this type should not have the potential to cause or contribute to an overfill or overcooling transient as the systems are safety grade, redundant and would require multiple failures to prevent all of the diesels from coming on line and supplying the required power.
Applicable A-47 Selection Criteria: None

System: Normal Auxiliary Power System*
System Function: Provides the power source for the unit auxiliaries through various transformers.

System Failure Mode: Failure to provide the required power to the unit auxiliaries.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient but are evaluated within the individual systems supplied by this power source.
Applicable A-47 Selection Criteria: None

System: Standby AC Power Supply System
System Function: Provides an emergency supply of electrical power to emergency and safety equipment.

System Failure Mode: Failure to provide the necessary power to the designated equipment.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system is safety grade, redundant and would require multiple failures to prevent the supplying of power to the equipment. Failures of the equipment supplied by this system are evaluated within those systems.
Applicable A-47 Selection Criteria: None

System: 250 V DC Power Supply System*
System Function: Provides the power source for the engineered safety features of one unit and the safe shutdown loads of the other two units.

System Failure Mode: Failure to provide the necessary power to the designated equipment.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system is safety grade, redundant and would require multiple failures to prevent the supplying of power to the equipment. Failures of the equipment supplied by this system are evaluated within those systems.
Applicable A-47 Selection Criteria: None

System: 120 V AC Power Supply System*
System Function: Provides power to equipment through: a) 120 V instrument and control power, b) plant preferred and nonpreferred 120 V system and c) unit preferred 120 V AC system.

System Failure Mode: Failure to provide the necessary power to the designated equipment.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient but are evaluated within the individual systems supplied by this power source.
Applicable A-47 Selection Criteria: None

System: Auxiliary DC Power Supply System*
System Function: Provides 48 V power to the plant communications and annunciators systems during all modes of operations.

System Failure Mode: Failure to provide the required power to the designated equipment.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient but are evaluated within the individual systems supplied by this power source.
Applicable A-47 Selection Criteria: None

System: Liquid Radwaste System
System Function: Provides for the collection, storage and disposal of the liquid radwaste generated at the unit.

System Failure Mode: Failure to provide the required collection, storage or disposal of liquid radwaste.
Effect of Failure: These failures appear to have the potential to contribute to an overfill transient but are insignificant for this study and these failures should not have the potential to cause or contribute to an overcooling transient as the system has no direct capabilities to supply cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None


System: Solid Radwaste System
System Function: Provides for the collection, storage and disposal of the solid radwaste generated at the unit.

System Failure Mode: Failure to provide the required collection, storage or disposal of solid radwaste.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Gaseous Radwaste System
System Function: Provides for the collection, storage and disposal of the gaseous radwaste generated at the unit.

System Failure Mode: Failure to provide the required collection, storage or disposal of the gaseous radwaste.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: New Fuel Storage System
System Function: Provides for the dry storage of new fuel until ready for core loading.

System Failure Mode: Failure to store the fuel safely and effectively.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Spent Fuel Storage System
System Function: Provides for the storage of spent fuel until ready for shipment.

System Failure Mode: Failure to store the spent fuel safely and effectively.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Fuel Pool Cooling and Cleanup System
System Function: Provides for water cleanup and cooling of the spent fuel pool.

System Failure Mode: Failure to maintain water temperature or purity requirements.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Reactor Building Closed Cooling Water System
System Function: Provides cooling water to designated auxiliary plant equipment during both normal and emergency conditions.

System Failure Mode: Loss of cooling water to designated equipment.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel and loss of equipment cooling will not be transmitted to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Excessive cooling water to designated equipment.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel and excessive cooling of the equipment will not be transmitted to the reactor vessel in enough magnitude to be significant.
Applicable A-47 Selection Criteria: None

System: Raw Cooling Water System
System Function: Provides cooling water to the Eh system and the turbine associated equipment.

System Failure Mode: Loss of cooling water flows.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Excessive cooling water flows.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Raw Service Water System
System Function: Provides cooling water to miscellaneous plant equipment and yard watering supply.

System Failure Mode: Loss of cooling water flows.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Excessive cooling water flows.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Residual Heat Removal (RHR) Service Water System
System Function: Provides cooling water to the RHR system and the emergency equipment cooling water system.

System Failure Mode: Loss of cooling water flows.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the loss of flow would cause a heatup transient vice cooldown and unless there is a failure of the heat exchanger this system cannot provide coolant to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Excessive cooling water flows.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overcooling transient but should not cause or contribute to an overfill transient unless there has been an additional failure of a heat exchanger tube which is determined to be insignificant for this transient as the volume of flow would require excessive time to be of a problem for overfill.
Applicable A-47 Selection Criteria: 2 (Appendix C, Item 12)

System: Emergency Equipment Cooling Water System
System Function: Provides cooling water flows to essential equipment during accident situations.

System Failure Mode: Loss of cooling water flows.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the loss of flow would create a heatup transient and unless there was failure of a heat exchanger this system does not have a capability to provide coolant to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Excessive cooling water flows.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overcooling transient but should not cause or contribute to an overfill transient unless there has been an additional failure of a heat exchanger and multiple failures of safety grade systems is beyond the scope of this task.
Applicable A-47 Selection Criteria: 2 (Appendix C, Item 13)

System: Fire Protection Systems
System Function: Provides the plant with the required fire protection and fire conatants.

System Failure Mode: Failure to provide the necessary fire protection.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel and any failures within other systems caused by these failures are evaluated within the individual systems.
Applicable A-47 Selection Criteria: None

System Failure Mode: Inadvertent actuation.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel and any failures within other systems caused by these failures are evaluated within the individual system.
Applicable A-47 Selection Criteria: None


System: Heating, Ventilation and Air Conditioning Systems
System Function: Provides the plant with the necessary heating, ventilating and air conditioning.

System Failure Mode: Failure to provide sufficient H&V or air conditioning.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel and any failures within other systems caused by these failures are evaluated within the individual system.
Applicable A-47 Selection Criteria: None

System Failure Mode: Provides excessive H&V or air conditioning.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel and any failures within other systems caused by these failures are evaluated within the individual system.
Applicable A-47 Selection Criteria: None

System: Demineralized Water System
System Function: Provides the necessary demineralized water for plant makeup and other uses.

System Failure Mode: Failure to provide the necessary quantities of demineralized water.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as this would cause a coolant shortage and subsequent heatup vice cooldown.
Applicable A-47 Selection Criteria: None

System Failure Mode: Failures resulting in an excessive amount of demineralized water being supplied.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient but are considered insignificant as it would require failures of several systems to cause the excess coolant to get to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Control and Service Air Systems
System Function: Supplies air to all pneumatically operated instruments, controls and final operators such as control valves.

System Failure Mode: Control or service air pressure fails low.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient but evaluation of system failures caused by these failures is covered in the individual systems affected by these failures.
Applicable A-47 Selection Criteria: None

System Failure Mode: Control or service air pressure fails high.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient.
Applicable A-47 Selection Criteria: None


System: Potable Water and Sanitary Systems
System Function: Supplies drinking water and water to the restrooms.

System Failure Mode: Loss of flow.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: High flow.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Equipment and Floor Drainage System
System Function: Collects and removes noncontaminated liquid wastes from the plant.

System Failure Mode: Drain piping clogged or valve(s) fail closed.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Drain piping break or valve(s) fail open.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Process Sampling Systems
System Function: Samples process liquids and gases to determine plant performance.

System Failure Mode: Sample system valve(s) fail open.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System Failure Mode: Sample system valve(s) fail closed.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Plant Communications
System Function: Provides interplant and intraplant communications.

System Failure Mode: System failure.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Lighting System
System Function: Provides lighting for plant operation.

System Failure Mode: Power supply or component failure.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Auxiliary Boiler System
System Function: Supplies building heat and steam for systems testing prior to or during startup.

System Failure Mode: High steam pressure.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct capabilities to provide coolant or cooling to the reactor vessel without an inadvertent erroneous valve manipulation by the operator. Operator error as an initiating event is beyond the scope of this task and will not be addressed.
Applicable A-47 Selection Criteria: None

System Failure Mode: Low steam pressure.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the system has no direct or indirect capabilities to provide coolant or cooling to the reactor vessel.
Applicable A-47 Selection Criteria: None

System: Turbine Generator System
System Function: Utilizes steam produced in the reactor to produce electric power.

System Failure Mode: Transient power increase.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient.
Applicable A-47 Selection Criteria: 1 and/or 2 (Appendix C, Item 14)

System Failure Mode: Transient power decrease.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the sudden drop in steam flow will collapse voids and cause a power increase which results in a heatup situation.
Applicable A-47 Selection Criteria: None

System: Main Steam System
System Function: Delivers steam from the reactor system to the main, RFP, HPCI, and RCIC turbines as well as auxiliary steam loads.

System Failure Mode: Steam flow failures high.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient.
Applicable A-47 Selection Criteria: 1 and/or 2 (Appendix C, Item 15)

System Failure Mode: Steam flow failures low.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the sudden drop in steam flow will result in a void collapse, power increase and a heatup situation.
Applicable A-47 Selection Criteria: None


System: Main Condenser System
System Function: Provides a heat sink for the steam leaving the turbine generator during power operations.

System Failure Mode: Loss of condenser vacuum.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the loss of vacuum will result in a turbine trip and void collapse which would cause level shrink and a heatup transient.
Applicable A-47 Selection Criteria: None

System Failure Mode: Increase of condenser vacuum.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as any increase in vacuum above normal would be minimal and any steam flow changes would be insignificant for this study.
Applicable A-47 Selection Criteria: None

System: Turbine Bypass System
System Function: Provides a bypass around the turbine directly to the condenser for excess steam flow.

System Failure Mode: Bypass valve(s) fail open.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient.
Applicable A-47 Selection Criteria: 1 and/or 2 (Appendix C, Item 16)

System Failure Mode: Bypass valve(s) fail closed.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the sudden drop in steam flow will result in void collapse and a power increase which shrinks level and heats up the system.
Applicable A-47 Selection Criteria: None

System: Condenser Circulating Water System
System Function: Provides a heat sink for condensing exhaust steam from power generation operations.

System Failure Mode: Circulating water flow fails low.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as loss of flow would cause a loss of vacuum and resultant trips.
Applicable A-47 Selection Criteria: None

System Failure Mode: Circulating water flow fails high.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the increased flow could only increase vacuum a minimal amount which results in an insignificant change for this study.
Applicable A-47 Selection Criteria: None

System: Condensate and Reactor Feedwater System
System Function: Provides feedwater to the reactors, condensate storage and transfer.

System Failure Mode: Feedwater/condensate flow fails high.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill or overcooling transient.
Applicable A-47 Selection Criteria: 1 and/or 2 (Appendix C, Item 17)

System Failure Mode: Feedwater/condensate flow fails low.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill or overcooling transient as the loss of flow would result in a loss of level and a heatup vice cooldown situation.
Applicable A-47 Selection Criteria: None


System: Standby Liquid Control System
System Function: Provides a backup method to make the reactor subcritical.

System Failure Mode: Fails to actuate when required.
Effect of Failure: These failures should not have the potential to cause or contribute to an overfill transient.
Applicable A-47 Selection Criteria: None

System Failure Mode: Inadvertent actuation.
Effect of Failure: These failures appear to have the potential to cause or contribute to an overfill transient, however, the capacity of the system is insufficient to be of significant concern for this study.
Applicable A-47 Selection Criteria: None

* Failures are evaluated within individual systems.

APPENDIX C

OVERFILL AND/OR OVERCOOLING POTENTIALLY SIGNIFICANT SYSTEMS LIST AND DISCUSSIONS

1. Reactor Recirculation System - Overfill, Overcooling

Overfill

Failure Mode: Low flow rate; loss of flow.

Plant Conditions: High power level; high reactor vessel level.

Discussion: A loss of one or both recirculation pumps or rapid speed reduction of operating recirculation pump(s) would create a level swell due to decreased heat removal capability which causes voids to increase. Since the level was high at the beginning of the transient it is possible to exceed the high level limits.

Overcooling

Failure Mode: Inadvertent startup of a cold recirculation loop or recirculation control failure--increasing flow.

Plant Conditions: Any power level.

Discussion: Inadvertent startup of a cold recirculation loop or a control failure that increases flow reduces the void content of the coolant flowing through the core leading to an overcooling transient of short duration.

2. Nuclear System Pressure Relief System - Overfill, Overcooling

Overfill

Failure Mode: Inadvertent opening of a safety or relief valve.

Plant Conditions: Any power level; high reactor vessel level (due to manual control of the feedwater control system).

Discussion: One or more of the relief or safety valves failing open causes a rapid loss of pressure, voids will be increased and with the high initial reactor vessel level an overfill transient may occur.

Overcooling

Failure Mode: Inadvertent valve opening or failure to close upon demand.

Plant Conditions: Any power level.

Discussion: An inadvertent opening or failure to close causes a removal of the heat content of the reactor coolant in the vessel and could lead to or contribute to an overcooling transient.

3. Reactor Core Isolation and Standby Cooling Systems - Overfill, Overcooling

Failure Mode: Inadvertent actuation; failure to stop makeup on high level.

Plant Conditions: Any power level, any reactor vessel level.

Overfill Discussion: Inadvertent actuation of HPCI or RCIC pumps could cause an overfill transient to occur. Failure to stop HPCI or RCIC pumps at the high level switch setpoint could cause reactor vessel level to exceed the high level limits.

Overcooling Discussion: Inadvertent actuation of HPCI or RCIC pumps or a failure to stop makeup when required, causes cool water to be sent through the core which could lead to or aggravate an overcooling transient.

4. Residual Heat Removal System (RHRS) - Overcooling

Failure Mode: Failure to control the rate of heat removal.

Plant Conditions: Shutdown.

Discussion: Failure of the RHRS to control the rate of heat removal may result in exceeding the allowable reactor coolant system cooldown rate or limit.

5. Reactor Water Cleanup System - Overfill

Failure Mode: Failure to provide letdown flow when required.

Plant Conditions: Low power level; high reactor vessel level.

Discussion: This transient typically should only be a problem when the reactor is being started up from shutdown conditions. Failure to allow letdown flow during startup could create a high level situation as the reactor comes to power. An excess coolant problem, that could be handled by the letdown system, during power operation could better be compensated for by decreasing feedwater flow and steaming off the excess coolant.

6. Core Standby Cooling Control and Instrumentation System - Overfill, Overcooling

Overfill

Failure Mode: Failure to terminate core cooling upon reaching the high level switches; inadvertent initiation of cooling systems when not required.

Plant Conditions: Any power level; any reactor vessel level.

Discussion: Failure to shut down core cooling systems upon reaching high level limits or inadvertent startup of core cooling systems when not required will cause or contribute to the reactor vessel level exceeding the high level limit.

Overcooling

Failure Mode: Inadvertent initiation of the cooling systems when not required or failure to terminate core cooling when required.

Plant Conditions: Any power level.

Discussion: Either of the above failures could cause or contribute to an overcooling transient by decreasing the temperature of the coolant that flows through the core.

7. Reactor Manual Control and Control Rod Drive Systems - Overfill, Overcooling

Overfill

Failure Mode: Inadvertent rod withdrawal; control rod ejection.

Plant Conditions: Any power level; high reactor vessel level.

Discussion: The sudden power spike will cause increased void formation and the resultant level swell could exceed the high level limits.

Overcooling

Failure Mode: One or more rods insert while at power.

Plant Conditions: High power level.

Discussion: One or more rods inserting while at power causes heat to be removed at a rate faster than it is being added to the coolant and could lead to an overcooling transient.

8. Reactor Protection System - Overcooling

Failure Mode: Inadvertent reactor trip.

Plant Conditions: Any power level.

Discussion: Inadvertent reactor trip with subsequent failure of the turbine to trip would result in cooldown of the system to the point of main steam isolation valve closure on low pressure. This cooldown may be in excess of allowable limits.

9. Feedwater Control System

Overfill, Overcooling

Overfill

Failure Mode(s): High automatic feed flow rate failure without subsequent high level trip; high feed flow in manual control without a high level trip.

Plant Conditions: Any power level; any reactor vessel level.

Discussion: This system has a known failure mode that causes it to fail at 115% of normal 100% feed flow rate. This failure, if incurred coincident with failure of the high vessel level switches, will cause the vessel level to exceed the high level limits. An operator running the feed system in manual control could cause the vessel level to exceed the high level limits.

Overcooling

Failure Mode: Feedwater flow rate fails high.

Plant Conditions: Any power level.

Discussion: The addition of excessive feedwater has the potential to cause or contribute to an overcooling transient as cold feedwater is added at a faster rate than the core heat addition rate.

10. Pressure Regulator and Turbine Generator Control System

Overfill, Overcooling

Failure Mode(s): Inadvertent opening of turbine governor or bypass valves.

Plant Conditions: Any power level; high reactor vessel level.

Overfill

Discussion: When the turbine governor valve or bypass valve opens, steam flow increases, reactor pressure drops, the voids increase in size and the reactor vessel level increases due to swell. This could be sufficient to cause the vessel level to exceed the high level limits.

Overcooling

Discussion: This failure could cause or contribute to an overcooling transient since the failure causes the removal of heat from the coolant in the reactor vessel at a rate faster than the heat addition rate.

11. Backup Control System

Overfill, Overcooling

Failure Mode: Inadvertent startup of HPCI, RCIC from a remote location or failure to shut down on a high level.

Plant Conditions: Any power level; any reactor vessel level.

Overfill

Discussion: Any problem that could cause an inadvertent startup of a RCIC or HPCI pump has the potential to cause or contribute to an overfill transient due to the ability to raise the vessel level when not required.

Overcooling

Discussion: Any problem that could cause an inadvertent startup of a RCIC or HPCI pump has the potential to cause or contribute to an overcooling transient due to the ability to cool the water in the reactor vessel at a faster rate than the core heat addition rate.

12. Residual Heat Removal Service Water System (RHRSW)

Overcooling

Failure Mode: Excessive cooling water flow.

Plant Conditions: Shutdown.

Discussion: Failure of the RHRSW, which could cause an excessive cooling water flow, could contribute to an overcooling transient by decreasing the RHR temperature, resulting in an excessive cooldown rate to the reactor coolant system.

13. Emergency Equipment Cooling Water System (EECWS)

Overcooling

Failure Mode: Excessive cooling water flow.

Plant Conditions: Shutdown.

Discussion: Failure of the EECWS, which could cause an excessive cooling water flow, could contribute to an overcooling transient by decreasing the RHR temperature, resulting in an excessive cooldown rate to the reactor coolant system.

14. Turbine Generator System

Overfill, Overcooling

Failure Mode: Transient power increase.

Plant Conditions: Any power level; high reactor vessel level.

Overfill

Discussion: A sudden power demand will cause increased void formation and reactor vessel level swell which could exceed high level limits.

Overcooling

Discussion: A sudden demand will cause additional heat removal from the reactor coolant and could contribute to or cause an overcooling transient since heat removal could be at a higher rate than the core heat being added to the coolant.

15. Main Steam System

Overfill, Overcooling

Failure Mode: Steam flow fails high or steam flow to auxiliary loads fails low.

Plant Conditions: Any power level; high reactor vessel level.

Overfill

Discussion: An increased steam flow will cause increased void formation and level swell which could exceed high level limits.

Overcooling

Discussion: An increased steam flow will cause increased heat removal from the reactor coolant and could contribute to or cause an overcooling transient. A decreased auxiliary steam flow to the feedwater heaters could cause or contribute to an overcooling transient.

16. Turbine Bypass System

Overfill, Overcooling

Failure Mode: Bypass valve(s) fail open.

Plant Conditions: Any power level; high reactor vessel level.

Overfill

Discussion: An increased power demand on the reactor will cause increased void formation and level swell which could exceed high level limits.

Overcooling

Discussion: An increased power demand on the reactor will cause increased heat removal from the reactor coolant and could cause or contribute to an overcooling transient.

17. Reactor Condensate and Feedwater Systems

Overfill, Overcooling

Failure Mode: High condensate/feedwater flow.

Plant Conditions: Any power level; any reactor vessel level.

Overfill

Discussion: A failure in the condensate or feedwater system that causes an inadvertent feed flow increase has the potential to increase the reactor vessel level beyond the high level limits.

Overcooling

Discussion: A failure in the condensate or feedwater systems which causes an inadvertent increase of feedwater flow has the ability to cause or contribute to an overcooling transient as cold feedwater may be added at a higher rate than the core heat addition rate.

If shutdown, an inadvertent increase of feedwater flow may cause an excessive cooldown rate, and result in an overcooling transient.

APPENDIX D

DETAILED REVIEW TABLES FOR OVERFILL AND OVERCOOLING TRANSIENTS

1. INTRODUCTION

This report section addresses the mechanistic analysis of the transients identified in the Failure Mode and Effects Analysis (FMEA) for overfill and overcooling transients from Appendix B. It determines the mechanistic means by which failures of the identified systems occur.

Control logic, instrumentation, electrical power and pneumatic and hydraulic interfaces for each system identified by the FMEA as requiring further review have been analyzed.

The results of these analyses were tabulated and assigned system impact and probability of occurrence values based on the criteria for ranking control system failures. Fault effect designations are A, B or C depending on whether the failure results in adverse effects in two or more systems of concern, one system of concern, or a negligible effect on any of the systems of concern, respectively. The values assigned to the failure probability category (i.e., 1, 2, or 3) were assigned dependent upon the failure rate calculations performed in Appendix E. Failures considered "likely" with a calculated unavailability between 1 and 1 x 10^-[exponent illegible] were assigned a 1, failures considered "unlikely" with a calculated unavailability between 10^-6 and 10^-[exponent illegible] were assigned a 2, and failures which are considered "extremely unlikely" with a calculated unavailability of less than 1 x 10^-[exponent illegible] were assigned a 3. A transient category of 1 is an overfill transient and 2 is an overcooling transient.

2. ASSUMPTIONS

The following assumptions were utilized in performing the mechanistic failure mode analysis:

1. Current drawings, Final Safety Analysis Report (FSAR), Technical Specifications, and other pertinent Browns Ferry documents were used to the extent of their availability. Where these documents were not available, best engineering assumptions based on experience, knowledge of other BWR plants and engineering judgments were used as a generic substitute in making the evaluation.

2. Only the systems identified in the general postulated scenarios developed from the FMEA and the mode of failure for each system as described in those scenarios were evaluated for mechanistic failure modes.

3. There would be no corrective action taken by the operator during the first ten minutes following the postulated failure.

4. The potential for human error as an initiating event was not considered in these analyses.

5. Unacceptable transient frequency, adverse effects on operator actions, challenges to the ESF, and Technical Specifications safety limit violations will be evaluated against LERs, NPEs, NTOLs and other studies on those systems identified by the computer transient analyses to be significant and which were not included in this mechanistic analysis.


APPENDIX D BROWNS FERRY A-47 IE&C ANALYSES

System: Reactor Recirculation System
Failure Mode: Low Flow Rate or Loss of Flow

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| Recirculation pump fails to continue to run due to mechanical/electrical pump/motor failure. | 1 x 10^-5/hr | None | None | [illegible] | [illegible] | 1 |
| Recirculation pumps fail to continue to run due to mechanical/electrical pump/motor failures (two or more pumps). | 1 x 10^-5/hr for each pump | None | None | B | 3 | 1 |
| Generator field breaker fails open or trips inadvertently on recirculation motor-generator set. | 1 x 10^-5/hr | None | None | B | 1 | 1 |
| Loss of unit auxiliary and startup transformers causing a trip of both recirculation motor-generator sets. | 1 x 10^-5/hr for each circuit breaker | Turbine generator; Feedwater; Control and service air; Condenser circulating water; Raw cooling water; Reactor building closed cooling water | Turbine trip; loss of condensate and booster pumps; loss of compressors; loss of heat sink; loss of heat sink; loss of heat sink | A | 3 | 1 |
| Loss of cooling water to MG sets from [illegible] cooling water. | 1 x 10^-5/hr pump fails to run in cooling water system; 1 x 10^-[illegible]/hr MOV inadvertently closes | None | None | B | 3 | 1 |
| Failure of master controller to minimum speed demand due to electronic failure(s). | 1 x 10^-6/hr | None | None | B | 1 | 1 |
| Failure of suction or discharge valve to remain open due to either electrical or mechanical failures. | 1 x 10^-[illegible]/hr | None | None | B | 2 | 2 |
| Failure of one or more jet pumps in one or both loops. | 6 x 10^-6/hr for flanges on each jet pump pair | None | None | B | 2 | 1 |
| Recirculation pump motor-generator scoop tube fails causing the recirculation pumps to decrease speed. | 3 x 10^-[illegible]/hr | None | None | B | 2 | 2 |
| Recirculation pump motor-generator failure due to electrical/mechanical failure of motor or generator. | 1 x 10^-6/hr | None | None | B | 2 | 2 |
| *There appears to be a possible common mode failure between this system and other systems through failures within the Heating, Ventilation and Air Conditioning Systems, Fire Protection System and Electrical Power System. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (c) | TBD | TBD | 1,2 |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. TBD = To Be Determined.

System: Reactor Recirculation System
Failure Mode: High Flow Rate

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| Electronic failure within master controller that causes recirculation pumps to accelerate to maximum speed. | 1 x 10^-[illegible]/hr | None | None | B | [illegible] | 2 |
| Recirculation pump motor-generator scoop tube failure that causes recirculation pumps to increase speed. | 3 x 10^-[illegible]/hr | None | None | B | 2 | 2 |
| *There appears to be a possible common mode failure between this system and other systems through failures within the Heating and Air Conditioning Systems, Fire Protection Systems and Electrical Power Systems. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (c) | TBD | TBD | 2 |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. TBD = To Be Determined.

[One APPENDIX D table page is not recoverable from the source scan.]

System: Reactor Core Isolation Cooling System
Failure Mode: Inadvertent Startup

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| RCIC starts from 1 out of 2 taken twice low water level switches (c) failing low. | 3 x 10^-5/hr for each | HPCI; RHR; CSS; Diesel generators; ADS | Starts HPCI; Starts RHR; Starts core spray; Starts diesels; ADS permissive | B | 3 | 1,2 |
| RCIC starts from [illegible] wiring to relays 134-K2 and E3 shorting to power, initiating turbine steam supply valve FCV 75-8 opening. | 1 x 10^-8/hr | None | None | B | 2 | 1,2 |
| RCIC starts from contacts 2-21 on manual control switch [identifier illegible] failing closed. | 1 x 10^-8/hr | None | None | B | 2 | 1,2 |
| *There appears to be a possible common mode failure between this system and other systems through failures within the Control Air, Fire Protection and Electrical Systems. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (d) | TBD | TBD | 1,2 |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. Safety grade switches.
d. TBD = To Be Determined.

System: Reactor Core Isolation Cooling System
Failure Mode: System Fails to Shut Down

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| Circuit breaker to the 250 V dc MOV [illegible] fails open causing loss of control power used to close valve. | 1 x 10^-5/hr | Loss of power to: a. 3 ADS valves; b. 2 relief valves (valves close) | Relief valve system has eight other valves on a separate power supply. | A | 1 | 1,2 |
| Breaker 882 on [illegible] fails open causing loss of control power used to close valve. | 1 x 10^-5/hr | None | None | B | 1 | 1,2 |
| 1 out of 2 twice reactor vessel high water level sensors LIS [identifiers illegible] (c) fail open. | 3 x 10^-5/hr (calibration shift) | None | None | B | 3 | 1,2 |
| Loss of control logic due to fuse 13A-F9 or F-10 failing open. | 2 x 10^-6/hr | None | None | B | 3 | 1,2 |
| Loss of control air to turbine trip valve ICV 78-9. Valve fails open. | 1 x 10^-9/hr (per 12 ft section) | None | None | B | 2 | 1,2 |
| *There appears to be a possible common mode failure between this system and other systems through failures within Control Air, Fire Protection, Heating, Ventilation and Air Conditioning and Electrical Power System. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (d) | TBD | TBD | 1,2 |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. Safety grade switchboard, power supply and switches.
d. TBD = To Be Determined.

System: Reactor Water Cleanup System
Failure Mode: Failure to Provide Letdown Flow When Required

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| Blowdown valve PCV 69-15 closes due to pressure sensor PS 69-15A or B failure. | 3 x 10^-5/hr | None | None | B | 1 | [illegible] |
| Hand controller HC 69-15 fails in "valve closed" mode. | 3 x 10^-5/hr | None | None | B | 2 | 1 |
| Loss of control air will cause PCV 69-15 to close. | 1 x 10^-9/hr/12 ft | None | None | B | 2 | 1 |
| Solenoid valve controlling air to blowdown valve fails causing blowdown valve to close. | 1 x 10^-3/d | None | None | [illegible] | [illegible] | 1 |
| *There appears to be a possible common failure between this system and other systems through failures within Control Air and Electrical Power Systems. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (c) | TBD | TBD | 1 |

a. From Appendix E, Table 1.
b. 1--overfill transient; 2--overcooling transient.
c. TBD = To Be Determined.

System: Core Standby Cooling Control and Instrument System
Failure Mode: HPCI System Fails to Shut Down Automatically

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| Mechanical or hydraulic failure of the turbine trip valve [identifier illegible] to close. | 1 x 10^-3/demand | None | None | B | 1 | 1,2 |
| 1 out of 2 taken twice reactor high water level switches [identifiers illegible] (c) fail open. | 3 x 10^-5/hr for each | None | None | [illegible] | 3 | 1,2 |
| Wiring from the reactor high water level switches to the control relay logic fails open or shorts to ground. | 1 x 10^-[illegible]/hr | None | None | [illegible] | 1 | 1,2 |
| 1 out of 2 taken twice reactor water level sensors LIS [identifiers illegible] (c) fail low after reactor water level has increased above low level HPCI initiation. | 3 x 10^-5/hr for each | None | None | B | 3 | [illegible] |
| Manual control switch for HPCI pump fails in the start condition preventing the pump from shutting down. | 1 x 10^-8/hr | None | None | B | 2 | 1,2 |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. Safety grade switches.

System: Core Standby Cooling Control and Instrument System
Failure Mode: HPCI Inadvertent Startup

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| 1 out of 2 taken twice reactor low water level sensors LIS 3-58A, B, C, D (c) fail low. | Calibration shift, 3 x 10^-5/hr for each | RCIC; RHR; CSS; Diesel generators; ADS | Starts RCIC; Starts RHR; Starts core spray; Starts diesel generators; ADS permissive | A | 3 | 1,2 |
| 1 out of 2 taken twice containment high pressure sensors PS [illegible]-58A, B, C, D (c) fail closed. | Calibration shift, 3 x 10^-5/hr for each | RHR | Starts RHR | A | 3 | 1,2 |
| Wiring from reactor low water level sensors or containment high pressure sensors fails shorted to hot bus. | 1 x 10^-8/hr for each | None | None | B | 2 | 1,2 |
| Switch contacts on manual switches [identifiers illegible] fail N.O. to N.C. | 1 x 10^-8/hr for each | None | None | B | 2 | 1,2 |
| Mechanical or pneumatic failure open of turbine control valve causing inadvertent start of HPCI turbine. | 1 x 10^-8/d | None | None | B | 2 | 1,2 |
| *There appears to be a possible common mode failure between this system and other systems through failures within the Control Air, Fire Protection and Electrical Power systems. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (d) | TBD | TBD | 1, [illegible] |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. Safety grade switches.
d. TBD = To Be Determined.

System: Reactor Manual Control and Control Rod Drive System
Failure Mode: Inadvertent Rod Withdrawal or Ejection

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| Inadvertent rod withdrawal caused by: a. Switch S1-51-IX (typ. of 183) contacts failing shorted; control timer contacts fail closed; relay K1, K2, K14, K15, K16 or K32 contacts fail shorted, and switch S3 contacts fail shorted. | 1 x 10^-8/hr for switches; 1 x 10^-8/hr for relays; 1 x 10^-[illegible] for timer | None | None | B | 3 | 1 |
| Inadvertent rod withdrawal caused by: b. Hydraulic control valves [identifiers illegible] rupture or inadvertently open. | 1 x 10^-8/hr per valve | None | None | B | 3 | 1 |
| Inadvertent rod withdrawal caused by: c. Relay KIA18-03, KIA22-03 contacts fail open; [illegible] lamp dimmer fails [illegible], rod out indication lamp fails to indicate, rod worth minimizer fails, and rod sequence control systems fail. | 1 x 10^-8/hr for relays; 1 x 10^-[illegible]/hr for lamps; 1 x 10^-[illegible]/hr for systems | None | None | B | 3 | 1 |
| Single rod ejection caused by: a. Rod uncoupled, rod drive unit is driven to full withdrawn position and the stuck rod releases, ejecting to full out position. | 1 x 10^-[illegible]/hr for [illegible] failure; 1 x 10^-[illegible]/hr for stuck rod | None | None | B | 3 | 1 |
| Single rod ejection caused by: b. Rod coupling (spud) failure; rod uncouples, both hydraulic control valves [identifiers illegible] rupture or fail [illegible] to open position and hydraulic pressure increases due to failure of valve 3-20 and stabilizer valves. | 1 x 10^-6/hr for spud; 1 x 10^-[illegible]/hr for valves | None | None | B | 3 | 1 |
| Single rod ejection caused by: c. Uncoupled rod or mechanical failure of rod drive, reactor manual control system output logic fails, and hydraulic pressure increases due to failure in hydraulic supply. | 1 x 10^-6/hr for logic and coupling; 1 x 10^-[illegible]/hr for valves | None | None | B | 3 | 1 |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.

NOTE: All BWR reactor plants have an installed rod ejection restraining structure to help protect against possible rod ejection.

System: Condensate and Feedwater Control
Failure Mode: High Feedwater Flow Rate

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| Startup bypass feedwater flow too high when bypass line level controller input signal LC3-53, 253-53, LM3-60 or PI3-61 fails high during startup or shutdown | 1 x 10^-6/hr | None | None | B | 1 | 1,2 |
| or level detector 113-60 signal to bypass control fails low during startup or shutdown. | 1 x 10^-6/hr | None | None | B | 1 | 1,2 |
| Feedwater pump running too fast and reactor at low pressure: a. Malfunction of the feedwater turbine governor. | 1 x 10^-6/hr | None | None | B | 1 | 1,2 |
| Feedwater pump running too fast and reactor at low pressure: b. Malfunction of the throttle valve or feedwater controller. | 1 x 10^-6/hr | None | None | B | 1 | 1,2 |
| Feedwater pump running too fast and reactor at low pressure: c. Reactor level controller fails in high demand setting. | 1 x 10^-6/hr | None | None | [illegible] | [illegible] | 1,2 |
| *There appears to be a possible common mode failure between this system and other systems through failures within the Control Air and Electrical Distribution systems. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (c) | TBD | TBD | 1, [illegible] |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. TBD = To Be Determined.

System: Turbine Generator Control System
Failure Mode: Inadvertent Opening of Turbine Governor or Bypass Valve

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| EHC control valve output logic fails high causing control valves to open. | 1 x 10^-6/hr | None | None | B | 1 | 1,2 |
| Control valves fail in the open position due to electro or pneumatic failure. | 1 x 10^-8/hr | None | None | B | 2 | 1,2 |
| Handswitch [identifier illegible] fails to the "Open Valves" condition. | 1 x 10^-8/hr | None | None | B | 2 | 1,2 |
| EHC bypass valve output logic fails high causing valves to open. | 1 x 10^-6/hr | None | None | B | 1 | 1,2 |
| Bypass valve(s) fails to the open position due to electro or pneumatic failure. | 1 x 10^-8/hr | None | None | B | 2 | 1,2 |
| *There appears to be a possible common mode failure between this system and other systems through failures within Control Air and Electrical Distribution systems. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (c) | TBD | TBD | 1,2 |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. TBD = To Be Determined.

[One APPENDIX D table page is not recoverable from the source scan.]

System: Main Steam
Failure Mode: Low Steam Flow to Auxiliary Loads

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| Loss of steam supply to feedwater heater when one or more motor operated extraction steam supply valves closes (wiring shorted to power). | 1 x 10^-8/hr per valve | None | None | B | 2 | 2 |
| One or more feedwater heater level controller output fails high causing extraction steam supply valves to close. | 3 x 10^-5/hr per controller | None | None | B | 1 | 2 |
| *There appears to be a possible common mode failure between this system and other systems through failures within the Electrical Distribution system. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (c) | TBD | TBD | 1,2 |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. TBD = To Be Determined.

System: Emergency Equipment Cooling Water System
Failure Mode: EECW Provides Excessive Cooling Water Flow to RHR System

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| Manual switch on EECWS pump C3 or D3 shorts causing pump(s) to start and [valve identifiers illegible] to open causing a flow path to the RHR service water system. | 1 x 10^-8/hr per [illegible]; remaining rates illegible | RHR service water system | [illegible] or inadvertent water flow from EECWS to RHRSWS | B | 3 | [illegible] |
| *There appears to be a possible common mode failure between this system and other systems through failures within the Control Air and Electrical Distribution systems. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (c) | TBD | TBD | 2 |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. TBD = To Be Determined.

System: Residual Heat Removal System
Failure Mode: Failure to Control Rate of Heat Removal

| Event Initiator Producing Failure Mode | Failure Rate (a) | Failures in Other Systems Caused by Event Initiator | Effect of Failure in Other System(s) | Fault Effect Designation | Probability Category | Transient Category (b) |
| --- | --- | --- | --- | --- | --- | --- |
| RHR system inadvertently actuated in Low Pressure Coolant Injection (LPCI) mode: a. Loss of offsite power and reactor pressure appears to be [illegible] psig causing LPCI injection valves to open. | [illegible] for loss of power; [illegible] for switch | None | None | B | 3 | 2 |
| RHR system inadvertently actuated in LPCI mode: b. LPCI one-out-of-two taken twice logic fails. | 1 x 10^-6/hr | None | None | B | 3 | [illegible] |
| RHR system inadvertently actuated in LPCI mode: c. High drywell pressure and reactor low pressure permissives fail. | 1 x 10^-8/hr per switch | None | None | B | 3 | 2 |
| RHR system inadvertently actuated in LPCI mode: d. Reactor vessel low level switches LIS 3-58A, LIS 3-58B, LIS 3-58C, LIS 3-58D (one-out-of-two taken twice) fail. | 3 x 10^-5/hr per switch (calibration shift) | HPCI, RHR, CSC, Diesel generators | Systems are actuated by level switches; arms the ADS | A | 3 | 2 |
| *There appears to be a possible common mode failure between this system and other systems through failures within the Control Air and Electrical Distribution system. | None assigned for this report | Not determined for this report, will be evaluated following computer model simulations | TBD (c) | TBD | TBD | [illegible] |

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. TBD = To Be Determined.

APPENDIX D BROWNS FERRY A-47 IE&C ANALYSES

System: Residual Heat Removal Service Water System (RHRSW)

Failure Mode: Excessive Cooling Water Flow

Failures in Other Systems

(.used by Ef f ect of G.as Failure in f ault Ef fect Probability Transieng Event initiator Producinq failure stode Fallure Rate

  • Inttsator Other Systems (s) Category Destenations Category f:llR5W Pump Al or A2 or 81 or 92 or Cl or C2 or DI or 02 eanual I a 10*8/hr per None lione B 2 2 sulich shorts causlmg one or more pumps to start in addition to pump starter I35t5tf pumps that have been previously initiated. failure f low contrci valve FCV 23-40, FCV 24-52, FCV 23-34 or TCV23-46 I a 10*i/hr per none leone t 2 2 from RitR heat exchangers fall open due to valve f ailure, sultch control valve f ailure or controller f ailure. I a 10*8/hr per per sultch failure m I a 10*i/hr per so controller failure
  • Ibre appears to be a possible common made failure between hone assigned slot ISOC this system and other systems through f ailures ulthin the 180 180 2 for this report determined Control Air and Electrical Olstribution systems. for this report, will be evaluated following computer model simulations
a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. TBD = To Be Determined.

APPErtDIX D BROWNS FERRY A-47 IE&C ANALYSES System: Reactor Control and Drive system fallure Mudes One or kre Rods laserMile at power Iallures in Other Systees Caused by Ef fect of Events f ailure en Fault Effect Probability transieng Event Initiator Producing Failure Mode Fallure Rate

  • OtherSystees(s) Deslunations Initiator Categor n C g te n lasertion of rod (s) uhlte 41 power:

Insert drive valve 50-404 and insert enhaust valve 50-400 f all I a 10-8/hr per hone hone 8 )

open. (Typical of 185 units) value t

Rod selection relay K32 contacts f all closed and K16 relay I a 10-8/hr per hone hone a 3 contacts f all closed. 2 relay contact

-a o

Relay K32 and Switch 5? and rod worth staleirer persistre f alls I a 10-8/hr per hone Nune # 3 2 closed. (lypical of 185 units) relay contact

'lhere anpears to be a possible commne mode f ailure between this home assigned hot 18DC ISD lit 0 2 system and other systees through f ailures within the Electrica] for this report . determ6aed Distribution system. for this report, will be evaluated following computer model simulations

a. From Appendix E, Table 1.
b. 1--overfill transient, 2--overcooling transient.
c. TBD = To Be Determined.


APPENDIX E STATISTICAL ANALYSIS TABLES

The following presents the calculations performed to support the probability category assignment on the IE&C Analysis Tables. The concept analyzed was: given some transient has already occurred, what is the probability that an additional fault would occur to potentially make the transient more severe? This concept requires the calculation of the unavailability, and the following equations were used to calculate the basic event unavailability as appropriate.

Nonrepairable Events

$$a = 1 - e^{-\lambda t}$$

$$a < \lambda t \quad (\text{for } \lambda t < 0.1)$$

Repairable Events

$$a = \frac{\lambda\tau}{1 + \lambda\tau}\left[1 - e^{-(\lambda + 1/\tau)t}\right]$$

$$a < \frac{\lambda\tau}{1 + \lambda\tau} \quad (\text{for } t > 2\tau)$$

$$a < \lambda\tau \quad (\text{for } \lambda\tau < 0.1 \text{ and } t > 2\tau)$$

The symbols are as follows: $a$ is unavailability, $A$ is the total cutsets or combinations of unavailabilities, $\lambda$ is the failure rate, $t$ is the mission time (usually taken as the time to mitigate the transient), and $\tau$ is the fault duration. The fault duration is defined as one-half the time to detect the fault plus the repair time.

A component may be in operation or in standby. For example, a single valve (no bypass around the valve) may be normally open in an operational system. If this valve should remain open given a transient has already occurred, then the component is nonrepairable over the transient mission time and the unavailability is given by the equation for nonrepairable events. Associated with this valve may be some control logic. For the valve to close, two contacts must open. The logic is tested once per month per the Technical Specification, at which time a faulty contact would be discovered. One contact could open but the valve will not close until the second contact opens, and since the contacts are redundant, the failed contact can be repaired once it has been detected. The contact unavailability is then given by the equation for a repairable event.

The repairable unavailability equation is also used for a standby system to determine the probability of failure at demand. Once a standby system is demanded and becomes operational, the nonrepairable unavailability equation is generally used (except where there is redundancy) to determine the probability of failure to operate over the mission time.

The following calculations also identify any assumptions that had to be made regarding the mission time or the test interval if there was not a Technical Specification to cover component testing.

The following probability categories were assigned to the calculated unavailabilities:

From: 1 to $1 \times 10^{-6}$ = Category 1

$1 \times 10^{-6}$ to $1 \times 10^{-8}$ = Category 2

less than $1 \times 10^{-8}$ = Category 3

It should be noted that these unavailabilities appear extremely low; however, they are calculations indicating the probability that a failure occurs during a given 1 hour period. The categories assigned to the different unavailabilities were arbitrarily assigned so that single active failures would be a Category 1 and multiple failures would be a Category 3.
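The calculation this appendix applies throughout, written out as an added Python example (not code from the report): it evaluates the unavailability equations, combines independent events, and assigns the probability category for several of the appendix's worked cases. Function names are hypothetical; the category bounds are taken as inclusive at 1e-6 and 1e-8 because the worked cases place those values in Categories 1 and 2, and the 720-hour test interval with an 8-hour repair is a constructed input.

```python
import math


def nonrepairable(lam, t, exact=False):
    """Unavailability of a nonrepairable event over mission time t (hours).

    exact=True evaluates 1 - e^(-lam*t); otherwise the linear form lam*t,
    which the appendix applies when lam*t < 0.1.
    """
    x = lam * t
    if exact:
        return -math.expm1(-x)  # numerically stable 1 - e^(-x)
    if x >= 0.1:
        raise ValueError("lam*t >= 0.1: linear form is outside its stated range")
    return x


def fault_duration(time_to_detect, repair_time):
    """tau: one-half the time to detect the fault plus the repair time."""
    return time_to_detect / 2.0 + repair_time


def repairable(lam, t, tau):
    """Unavailability of a repairable event with fault duration tau (hours)."""
    lt = lam * tau
    return lt / (1.0 + lt) * -math.expm1(-(lam + 1.0 / tau) * t)


def combine(*events):
    """Unavailability of a cutset: every listed independent event occurs."""
    return math.prod(events)


def category(a):
    """Probability category. Bounds inclusive at 1e-6 and 1e-8 (assumption
    inferred from the worked cases, where 1e-6 -> PC 1 and 1e-8 -> PC 2)."""
    if a >= 1e-6:
        return 1
    if a >= 1e-8:
        return 2
    return 3


def worked_cases(mission_hr=1.0):
    """Recompute worked cases from this appendix; returns {name: (a, PC)}."""
    pump = nonrepairable(1e-5, mission_hr)        # pump fails to run, 1E-5/hr
    wiring = nonrepairable(1e-8, mission_hr)      # actuator wiring short
    controller = nonrepairable(1e-6, mission_hr)  # master controller
    sensor = nonrepairable(3e-5, mission_hr)      # level sensor calibration shift
    pair = combine(sensor, sensor)                # one pair of sensors
    # 1-out-of-2 taken twice: 58A+58C, 58A+58D, 58B+58C, 58B+58D
    all_pairs = 4 * pair                          # 3.6e-9; reported as 3 x 10^-9
    values = {
        "one recirculation pump": pump,
        "two recirculation pumps": combine(pump, pump),
        "valve actuator wiring": wiring,
        "master controller": controller,
        "one level-sensor pair": pair,
        "all four level-sensor pairs": all_pairs,
    }
    return {name: (a, category(a)) for name, a in values.items()}


def monthly_tested_contact():
    """Repairable case with constructed inputs: NC contact opening at
    1E-7/hr (Table E-1), found at a monthly (720 hr) test, 8 hr repair.
    Evaluated at t = 10*tau, where the result approaches lam*tau."""
    lam = 1e-7
    tau = fault_duration(720.0, 8.0)              # 368 hr
    return repairable(lam, 10.0 * tau, tau), lam * tau


if __name__ == "__main__":
    for name, (a, pc) in worked_cases().items():
        print(f"{name:30s} a = {a:.2e}  PC = {pc}")
    print("monthly-tested contact:", monthly_tested_contact())
```

With the exact exponential, the master-controller case evaluates to just under 1e-6 and would fall into Category 2, so the category assignment depends on using the linear form, as the worked cases do.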


RECIRCULATION PUMP FAILURE

1. Failure of Pumps to Continue to Run--given start. Case considered is failure of pump/motor unit, excluding control circuits (two conditions considered: failure of 1 pump, failure of 2 pumps).

Detection of failure is considered to be immediate but pump is not repairable.

$a = \lambda t$; $t$ = mission time = 1 hour

$a = (1 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-5}$ for 1 pump

PC = 1

$A = (1 \times 10^{-5})(1 \times 10^{-5}) = 1 \times 10^{-10}$ for 2 pumps

PC = 3

2. Trip of One Recirculation Pump.

Generator field breaker fails open or inadvertently trips. Mode of failure is breaker-premature transfer (from Table G-1). Assumptions: nonrepairable event; mission time is 1 hour.

$a = (1 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-5}$

PC = 1

3. Trip of both recirculation MG sets (loss of auxiliary and startup transformers).

Failure in transformers could be attributed to failure within the transformer (internal) or failure of the automatic breakers associated with the transformer.

The mode considered was failure of the automatic transfer breakers (from Table G-1, premature transfer = $1 \times 10^{-5}$/hr). It is assumed that the trip would be detected immediately but that only one transformer is required for operation.

Mission time = 1 hour

$a = 1 \times 10^{-5}$ per transformer

$A = (1 \times 10^{-5})(1 \times 10^{-5}) = 1 \times 10^{-10}$ for both transformers

PC = 3

4. Same occurrence as 3 above.

Loss of boosted cooling water and isolation valve MOV 24-738. Boosted raw water cooling system is supplied by raw water system. Combination of failure in boosted system plus closure of MOV 24-738 is required to fail both MG sets. Assumed same conditions as 2 and 3 above. System is operational, and required for cooling MG sets.

MOV--failure to remain open = $1 \times 10^{-7}$/hr

System--failure of pump to continue to run = $1 \times 10^{-5}$/hr

$a_1 = \lambda t = (1 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-5}$ pump

$a_2 = \lambda t = (1 \times 10^{-7}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-7}$ valve

$A = (1 \times 10^{-5})(1 \times 10^{-7}) = 1 \times 10^{-12}$

PC = 3

5. Failure of master controller, to minimum speed demand.

Master controller causes run-back of both recirculation pumps to minimum speed. Failures in other auxiliary portions that affect controller operation could also fail, but failure considered is failure of the master controller. This failure ultimately would cause run-back of the recirculation pumps. It is assumed that run-back of recirculation pumps is immediately detected.

$a = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$

PC = 1

6. Failure of suction or discharge valve to remain open.

$a = (4 \times 10^{-7}/\text{hr})(1\ \text{hr}) = 4 \times 10^{-7}$

PC = 2

7. Failure of one or more jet pumps.

Failure is assumed to be a flange failure of a jet pump pair.

$a = (20)(6 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1.2 \times 10^{-4}$

PC = 1

8. Recirculation pump motor/generator scoop tube failure, resulting in decreased speed of the recirculation pumps.

$a = (3 \times 10^{-7}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-7}$

PC = 2

9. Recirculation pump motor/generator failure, due to failure of either the motor or the generator.

$a = (2)(1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 2 \times 10^{-6}$

PC = 1

NUCLEAR SYSTEM PRESSURE RELIEF SYSTEM

One or More Pressure Relief Valves Open

1. Wiring to Valve Actuator--shorted to power (control circuit).

Considered failure of a single valve sufficient in severity to result in transient.

Nonrepairable; mission time = 1 hour

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$ for one valve

PC = 2

2. Premature Opening of Valve--due to setpoint drift, detected immediately, 1 hour mission time.

$a = (1 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-5}$

PC = 1

3. Inadvertent opening--due to solenoid valve failure, detected immediately, 1 hour mission time.

$a = (1 \times 10^{-3}/\text{d})(1\ \text{demand}) = 1 \times 10^{-3}$

PC = 1

4. Inadvertent opening--due to mechanical failure of relief valve, detected immediately, 1 hour mission time.

a = (1 x 10' /hr)(1 hr) = 1 x 10 -

PC = 2

REACTOR CORE ISOLATION COOLING SYSTEM

RCIC Inadvertent Start

1. 1 out of 2 taken twice reactor water low level sensors fail low--Technical Specifications require that this instrumentation receive an instrument check once/day; however, a low level is alarmed.

Combinations of faults are 58A and 58C, 58A and 58D, 58B and 58C, 58B and 58D. The failure mode is calibration shift and failure rate per sensor of $3 \times 10^{-5}$/hr. Given that a transient has already occurred and that RCIC initiation would make the transient worse, then the $A$ is:

$a = \lambda t = (3 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-5}$ for one sensor

$A = (3 \times 10^{-5})(3 \times 10^{-5}) = 9 \times 10^{-10}$ for both sensors

$A = 3 \times 10^{-9}$ for all fault combinations

PC = 3

2. Logic Wiring to Relays--fault would be detected immediately. Given that a transient has already occurred and that RCIC initiation would make the transient worse, then the $A$ is:

a = (1 x 10" /hr)(1 hr) = 1 x 10

PC = 2

3. Contacts Fail Closed--same as 2 above.

RCIC Fails to Shutdown Automatically

Basic assumption is that RCIC has successfully started and is now required to shutdown. Under this condition, RCIC is an operating system.
1. Loss of power bus--power bus could fail during time when RCIC is required and not be detected until RCIC shutdown is required. Assumed that RCIC is required to operate for 1 hour and no repair.

$a = \lambda t = (1 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-5}$

PC = 1

2. Loss of Breaker--same as 1 above.

3. Loss of High Level Switches--1 of 2 twice must fail.

Switches:

$a = (3 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-5}$ per switch

$A = (3 \times 10^{-5})(3 \times 10^{-5}) = 9 \times 10^{-10}$ for loss of both switches

$A = 3 \times 10^{-9}$ for all combinations

PC = 3

Calibration shift used as most likely failure mode for high water level sensors. Instrument check once/day; however, there is a high level alarm.

4. Fuses Fail Open--there are 2 fuses. Conditions the same as 1 above.

$a = (1 \times 10^{-6}/\text{hr})(2\ \text{fuses})(1\ \text{hr}) = 2 \times 10^{-6}$

PC = 1

5. Loss of control air, failure rate is for pipe rupture. Assumed 1200 feet of piping, no repair, and that control air could fail during the time that RCIC is required to operate.

$A = (1 \times 10^{-9}/\text{hr-12 ft section})(100\ \text{12 ft sections})(1\ \text{hr}) = 1 \times 10^{-7}$

PC = 2

However, there may be a solenoid valve in control air that could inadvertently close which would have an ranging from $10^{-6}$ to $10^{-8}$ depending on type of wire fault.

REACTOR WATER CLEANUP SYSTEM

Failure to Provide Letdown Flow When Required

1. Blowdown Valve Closes Due to pS-ISA Indicating Low--it appears that the letdown valve is only used during startup, not during a high reactor water level transient. If the valve fails to open, startup procedures will be discontinued. Thus, the valve must have closed and remained closed for some period of time. Given that some transient has already occurred and the letdown valve should remain closed:

$a = \lambda t = (3 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-5}$

PC = 1

2. Hand Controller HC 69-15 fails in valve closed mode.

Same as 1 above, PC = 1.

3. Loss of Control Air--assuming 1200 ft of piping, no repair, and a mission time of 1 hour.

$a = (1 \times 10^{-9}/\text{hr-12 ft section})(100\ \text{12 ft sections})(1\ \text{hr}) = 1 \times 10^{-7}$

PC = 2

There may be a valve that could inadvertently close which would have an of $2 \times 10^{-5}$ to $2 \times 10^{-7}$ depending on type of wire fault. For all cases it appears PC = 2.

4. Loss of Control Air, from solenoid valve failure causing closure of PCV 69-15.

Using the same assumptions as under 1 above:

$a = (3 \times 10^{-7}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-7}$

PC = 2

REACTOR RECIRCULATION SYSTEM HIGH FLOW

1. Failure of Master Controller to maximum pump speed.

Master controller causes spontaneous acceleration of both recirculation pumps to maximum speed. Failures in other auxiliary portions that affect controller operation could also fail, but the failure considered is a failure of the master controller. It is assumed that acceleration of the recirculation pump is immediately detected.

$a = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$

PC = 1

2. Recirculation Pump Motor-Generator Scoop Tube Failure, resulting in increased pump speed.

$a = (3 \times 10^{-7}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-7}$

PC = 2

CORE STANDBY COOLING CONTROL AND INSTRUMENTATION SYSTEM

HPCI Inadvertent Start

1. Reactor Low Water Level Sensors Fail--1 out of 2 taken twice reactor water low level sensors fail low--Technical Specifications require that this instrumentation receive an instrument check once/day; however, a low level is alarmed. Combinations of faults are 58A and 58C, 58A and 58D, 58B and 58C, 58B and 58D. The failure mode is calibration shift and failure rate per sensor of $3 \times 10^{-5}$/hr. Given that a transient has already occurred and that HPCI initiation would make the transient worse, then the $A$ is:

$a = \lambda t = (3 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-5}$ for one sensor

$A = (3 \times 10^{-5})(3 \times 10^{-5}) = 9 \times 10^{-10}$ for both sensors

$A = 3 \times 10^{-9}$ for all fault combinations

PC = 3

2. Containment High Pressure Switches Fail--per the Technical Specifications, a functional test is performed once/month, calibration once/3 months, and no instrument check. Calibration shift would be detected during the functional test; however, there is a high pressure alarm.

$a = \lambda t = (3 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-5}$ for 1 sensor

$A = (3 \times 10^{-5})(3 \times 10^{-5}) = 9 \times 10^{-10}$ for loss of 2 sensors

$A = 3 \times 10^{-9}$ for all combinations

PC = 3

3. Reactor Low Level or Containment Pressure Wiring--wire faults for either level or pressure would be detected immediately. Given that a transient has already occurred and that inadvertent HPCI initiation would make the transient worse.

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$

PC = 2

4. Either of Two Switch Contacts Fail--detected immediately. Given that a transient has already occurred and that inadvertent HPCI initiation would make the transient worse, then:

$a = \lambda t = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$ (for one switch)

$A = 2 \times 10^{-8}$ (for 2 switches)

PC = 2

5. Turbine Control Valve Fails Open--causing spontaneous startup of HPCI turbine.

$a = (1 \times 10^{-8}/\text{d})(1\ \text{demand}) = 1 \times 10^{-8}$

PC = 2

HPCI Fails to Shutdown Automatically

1. Turbine Trip Valve Fails to Close--

$a = (1 \times 10^{-3}/\text{d})(1\ \text{demand}) = 1 \times 10^{-3}$

PC = 1

2. Reactor Water High Level Switches--1 of 2 twice must fail.

Switches:

$a = (3 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-5}$ per switch

$A = (3 \times 10^{-5})(3 \times 10^{-5}) = 9 \times 10^{-10}$ for loss of both switches

$A = 3 \times 10^{-9}$ for all combinations

PC = 3

Calibration shift used as most likely failure mode for high water level sensors. Instrument check once/day; however, there is a high level alarm.

3. Reactor Water High Level Wiring Fault--

$a = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$

PC = 1

4. Reactor Low Water Level Sensors Fail--There is a low water level alarm. Calibration shift is assumed.

$a = (3 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-5}$ per sensor

$A = (3 \times 10^{-5})(3 \times 10^{-5}) = 9 \times 10^{-10}$ for 1 combination

$A = 3 \times 10^{-9}$ for all combinations

PC = 3

5. Manual Control Switch Fails in start mode, thereby preventing the pump from shutting down.

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$

PC = 2

REACTOR MANUAL CONTROL AND CONTROL ROD DRIVE SYSTEMS

Inadvertent Rod Withdrawal

1. Switch SI contacts short and timer contacts short and relay (K1 + K2 + K4 + K15 + K16 + K32) contacts short and switch S3 contacts short.

The relay contacts have the longest fault duration; these could short prior to startup. However, due to the number of faults that must occur, the fault duration would have to be on the order of 10 50 hours before the probability category would equal 10-4

2. Hydraulic Control Valves Rupture, (S-40A and S-408) Open, or Fail Open.

Wire/logic faults that would cause these valves to open would probably be more likely at $1 \times 10^{-6}$/hr per valve during low power operations than rupture at $1 \times 10^{-8}$/hr per valve. At normal power operations, inadvertent rod withdrawal should not be a concern due to Technical Specification requirements on reactivity limits. Premature transfer of a circuit breaker probably does not apply. Safe direction would be fully inserted on loss of power, so it would appear that these valves do not fail open. Control valve faults would only be a problem during startup or shutdown, and this is still questionable since the Rod Worth Minimizer and Rod Sequence Control Systems must be operational.

Assuming that a transient has already occurred, then the $A$ is:

$a = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$ per valve

$A = 1 \times 10^{-12}$ for both valves

PC = 3

3. Below 20% power, the RSCS is required per Technical Specifications to be operable. Below 20% power the RWM should be operable or a second operator must verify that the console operator is following the control rod program. If the above Technical Specification requirements cannot be met, shutdown is required immediately.

Single Rod Ejection

1. For each control rod during startup check:

$a = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$ for one failure

$A = (1 \times 10^{-6})(1 \times 10^{-6}) = 1 \times 10^{-12}$ for both failures

The above assumes 1 hour for check of each control rod, which is overly conservative but easier to work with. There are 185 control rods.

$A = (1 \times 10^{-12})(185) = 2 \times 10^{-10}$

PC = 3

2,3. The rod ejection restraining structure should limit the rod travel to 3/4-1". Given that a transient has already occurred and that the single rod ejection is an additional fault, that $1 \times 10^{-8}$/hr applies to all valves (valves can only rupture or have a wiring short to power) and that there are two stabilizer valves.

$a = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$ for speed failure

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$ for valves 540A, 540B, 3-20 and stabilizer valves

$A = \underbrace{(1 \times 10^{-6})}_{\text{speed}}\underbrace{(1 \times 10^{-8})}_{\text{540A}}\underbrace{(1 \times 10^{-8})}_{\text{540B}}\underbrace{(1 \times 10^{-8})}_{\text{3-20}}\underbrace{(1 \times 10^{-8})}_{\text{STAB-1}}\underbrace{(1 \times 10^{-8})}_{\text{STAB-2}}$ = negligible

PC = 3

In the second case, the logic would be common to all control rods.

$A = \underbrace{(1 \times 10^{-6})}_{\text{logic}}\underbrace{(1 \times 10^{-6})}_{\text{coupling}}\underbrace{(185)}_{\text{CR}}\underbrace{(1 \times 10^{-8})}_{\text{540A}}\underbrace{(185)}_{\text{CR}}\underbrace{(1 \times 10^{-8})}_{\text{540B}}\underbrace{(185)}_{\text{CR}}$ = negligible

PC = 3

CONDENSATE AND FEEDWATER CONTROL SYSTEM

High Feedwater Flow Rate

1. Startup Bypass Feedwater Flow--too high

a. Line level controller input signal fails high for consideration of fault only during startup and shutdown, assuming that the transient has occurred.

Then:

$a = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$

PC = 1

c. Detector signal fails low, same as a.

2. One Feedwater Pump--running too fast, detection is assumed to be immediate:

a. $a = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$

PC = 1

b. Same as a.

3. All Feedwater Pumps Running Fast--

Reactor level controller fails in high demand setting. Assuming that analysis sheet is correct as stated, one common reactor level controller failing in high demand can cause inadvertent speed-up of all feedwater pumps.

$a = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$

PC = 1

$a = (3 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-5}$ 1 sensor

$A = (3 \times 10^{-5})(3 \times 10^{-5}) = 9 \times 10^{-10}$ for 2 sensors

$A = 3 \times 10^{-9}$ for all combinations

PC = 3

TURBINE GENERATOR CONTROL SYSTEM

Turbine Generator Control Valves (TGCVs) Inadvertently Open

Basic assumption is that TGCVs inadvertently opened when turbine is not available, such as during startup or after a turbine trip given that the TGCVs successfully closed. A mission time of 24 hours was used for startup. For the TGCVs this is somewhat conservative. A 1 hour mission time was used for the case where the TGCVs open after a successful turbine trip.

1. EHC Logic Fails High--Given that a transient has already occurred, that the TGCVs inadvertently opening would make the transient worse, no repair, and a mission time of 1 hour, the $A$ is:

$a = \lambda t = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$

PC = 1

2. TGCVs Fail in Open Position--the failure mode would be a wire fault that would cause one or more valves to inadvertently open. The wire fault failure rate would be $1 \times 10^{-8}$/hr. Thus, 2 should reflect the correct wire fault with PC = 2.

3. Handswitch Fails--Same as 2 above. This should reflect the correct wire/contact fault with PC = 2.

Turbine Bypass Valves (TBVs) Inadvertently Open

Basic assumption is that turbine is available, but that the TBVs inadvertently open.

1. EHC Logic Fails High--Given that a transient has already occurred, that inadvertent opening of a TBV would make the transient worse, no repair, and a mission time of 1 hour; then the $A$ is:

$a = \lambda t = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$

PC = 1

2. Bypass Valves Fail to Open Position--The failure mode would be a wire fault that would cause one or more TBVs to open. A wire fault failure rate is $1 \times 10^{-8}$/hr. This present failure mode should reflect the correct wire fault with PC = 2.

Turbine Bypass Valves (TBVs) Fail Open (Fail to Close)

Basic assumption is that TBVs are required to close. This may occur after a turbine trip given that the TBVs have successfully opened and are now required to close, or during a startup. A mission time of 24 hours was used for startup, which is conservative with respect to the TBVs.

1. EHC Output Logic Fails High--given that a transient has occurred, that a turbine trip was either the transient initiator or occurred as a result of the transient, that failure of the TBVs will make the transient worse, no repair and a 1 hour mission time, then the $A$ is:

$a = \lambda t = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$

PC = 1

2. Bypass Valves Fail in Open Position--Assumption is that failure of any one TBV to close is failure to stop TBV operation.

$a = 1 \times 10^{-3}$/d per valve

$A = 9 \times 10^{-3}$ for failure of any 1 of 9 TBVs to close

PC = 1

MAIN STEAM SYSTEM

High Steam Flow

1. One or More Pressure Relief Valves Open from setpoint drift--Browns Ferry plant utilizes 13 Target Rock, 2 stage, pilot operated, combination safety-relief valves. Failure rate for inadvertent opening (premature opening) of a code safety or relief valve is $1 \times 10^{-5}$/hr. The valves themselves have no associated control system (for safety code application). In a BWR plant application, there is no access during operation for repair. Assumed nonrepairable and 1 hour mission. Opening of a single valve can initiate the transient.

$a = \lambda t = (1 \times 10^{-5}/\text{hr})(1\ \text{hr})(13\ \text{valves}) = 1 \times 10^{-4}$

PC = 1

2. Automatic Depressurization System (ADS) Valves fail open due to control logic failure.

$a = (1 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-5}$

PC = 1

3. Controllable Pressure Relief Valve Fails Open due to switch failure.

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$

PC = 2

4. Pressure Relief Valve Fails Open due to pilot operator failure.

$a = (1 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-5}$

PC = 1

Low Steam Flow to Auxiliary Loads

1. One or more Motor Operated Extractor Steam Supply Valves Close--

Conditions assumed as stated on analysis sheet: Loss of steam supply to one feedwater heater is limiting condition, sufficient to initiate transient.

Wiring shorted to power. Nonrepairable. Mission time = 1 hour.

For control circuit $1 \times 10^{-8}$/hr

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$

PC = 2

2. One feedwater heater level controller output fails high.

Same as 1 except assumed calibration shift as fault condition.

$a = (3 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-5}$

PC = 1

EECWS PROVIDES EXCESSIVE COOLING WATER FLOW TO RHR

1. Manual switch shorts on EECWS pump(s) and a motor operated valve (MOV) inadvertently opens are the most likely faults if it is assumed that RHR Service Water has already been required (i.e., is already in service). Assuming a one hour mission time and no repair:

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$ for manual switch short or MOV

$A = (1 \times 10^{-8})(1 \times 10^{-8}) = 1 \times 10^{-16}$ for both switch and MOV

PC = 3

RHR FAILURE TO CONTROL RATE OF HEAT REMOVAL

1. Given that a transient has already occurred, that inadvertent RHR initiation will make the transient worse, a one hour mission time, and no repair, then the unavailability is:

$a = (8 \times 10^{-6}/\text{hr})(1\ \text{hr})$

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$ for pressure switch

$A = (8 \times 10^{-6})(1 \times 10^{-8}) = 8 \times 10^{-14}$

No calibration shift because pressure instrument is 1 out of 2 twice. Switch fault is more likely.

PC = 3

In reality, the probability may be even less likely due to the fact that the valves cannot physically open even if an open signal is present because the pressure is too high.

2. Low Pressure Coolant Injection (LPCI) Logic--given the same assumptions as above:

$a = (1 \times 10^{-6}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-6}$ for one logic unit

$A = (1 \times 10^{-6})(1 \times 10^{-6}) = 1 \times 10^{-12}$ for failures of 2 units

$A = (1 \times 10^{-12})(4\ \text{combinations}) = 4 \times 10^{-12}$

PC = 3

3. High Drywell and Reactor Pressure--given the same assumptions as above:

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$ for drywell switch

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$ for reactor pressure switch

$A = (1 \times 10^{-8})(1 \times 10^{-8}) = 1 \times 10^{-16}$ for failure of both

PC = 3

4. Reactor Vessel Low Level Switches--given the same assumptions as above:

$a = (3 \times 10^{-5}/\text{hr})(1\ \text{hr}) = 3 \times 10^{-5}$ for one level instrument

$A = (3 \times 10^{-5})(3 \times 10^{-5}) = 9 \times 10^{-10}$ for failure of 2 instruments

$A = (9 \times 10^{-10})(4\ \text{combinations}) = 4 \times 10^{-9}$

PC = 3

RHRSW PROVIDES EXCESSIVE COOLING WATER FLOW

1. Manual Switch Shorts--given that a transient has already occurred and that excessive cooling will make the transient worse, a one hour mission time and no repair.

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$

PC = 2

2. Flow Control Valve Fails Open--given same conditions as above.

$a = (1 \times 10^{-7}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-7}$

PC = 2

INSERTION OF RODS WHILE AT POWER

1. Drive and Exhaust Valves Fail--given that a transient has already occurred, that scram would make the transient worse, a one hour mission time, and no repair:

$a = (1 \times 10^{-8}/\text{hr})(1\ \text{hr}) = 1 \times 10^{-8}$ for each valve

$A = (1 \times 10^{-8})(1 \times 10^{-8}) = 1 \times 10^{-16}$ for both valves

$A = (1 \times 10^{-16})(185\ \text{valve sets}) = 2 \times 10^{-14}$ for 185 sets of valves

PC = 3

2. Given that the same conditions as 1 above apply, then the unavailability value is the same. PC = 3.

3. Since three items must fail versus the two items discussed above, and given that the same conditions as 1 above apply, then the set of faults will be even less likely than 1 above. PC = 3.

TABLE E-1. STATISTICAL ANALYSIS TABLE Failure Error Component and Failure Mode Rate Factor Remarks

1. Pumps: From proposed NREP data base--Reference 1.
a. Motor: Pump and motor; excludes control circuits.

Failure to start on demand IE-3/d 10 -

Failure to run, given start IE-5/hr ' 10

b. Turbine: Pump, turbine, steam and throttle valves, and governor.

Failure to start on demand 1E-2/d 10 gj Failure to run, given start 1E-5/hr 3

c. Diesel: Pump, diesel, lube oil system, fuel oli, suction and exhaust air, and starting Failure to start 1E-3/d 3 system.

Failure to operate IE-4/hr 30

2. Valves: Catastrophic leakaye valves assigned by engineering judgement; catastrophic -
a. Motor operated: leakaqe assumes the valve to be in a closed state, then the valve fails.

Failure to remain open IE-7/hr 3 from Reference 1 except as noted.

e s

  • e

TABLE E-1. (continued)

Failure Error Component and Failure Mode Rate Factor Remark s

2. Valves (continued)

Failure to open/close 1E-3/d 10 Rupture 1E-8/hr 10 from WASH-1400--Reference 2. -

b. solenoid operated:

Failure to operate (open or IE-3/d 3 close)

Rupture 1E-8/hr 10 .;ased on WASH-1400--Reference 2.

E

c. Air / fluid operated valves:

Failure to operate (open or 1E-3/d 10 close)

Failure to remain open 3E-7/hr 100 from IEEE-500--Reference 3.

Rupture IE-8/hr 10 from WASH-1400--Reference 2.

d. Check valves:

Failure to open 1E-4/d 3 1E-7/hr 10 Failure to close IE-3/d 3 1E-6/hr 10 Internal leakage ,

(catastro'p hic) 1E-8/hr 100

r TABLE E-1. (continued)

Failure Error Component and f ailure Mode Rate Factor Remarks

2. Valves (continued)
d. Check valves (continued):

Rupture 1E-8/hr 10 From WASH-1400--Reference 2.

e. Manual valves:

Failure to operate (open or IE-4/d 3 Failure to operate is dominated by human close) error; rate is based on one actuation per IE-7/hr 10 month.

Rupture 1E-8/hr 10 Based on WASH-1400--Reference 2.

f. Code safety valves:

Fall to open IE-5/d 3 Premature open IE-5/hr 3 From WASH-1400--Reference 2.

Fall to reclose (qiven valve IE22/d 10 open)

g. Relief valves:

Failure to open IE-4/d 10 Premature open IE-5/hr 3 From WASH-1400--Reference 2.

Failure in close, given open 2E-2/d 3

h. Test valves, flow meters, orifices:
Fail to remain open (plug) | 3E-4/d | 3 |
Rupture | 1E-8/hr | 10 |

i. Stop check valves:
Failure to open | 1E-4/d | 3 |

3. Switches | | | Where torque/limit switches are used as parts of pumps/valves, switch failure rate included in pump/valve failure rate. From Reference 1.

a. Limit:
Failure to operate | 1E-4/d | 3 |

b. Torque:
Failure to operate | 1E-4/d | 3 |

c. Pressure:
Failure to operate | 1E-5/d | 3 |

d. Manual:
Fail to transfer | 1E-4/d | 10 |

4. Switch Contacts | | | From WASH-1400--Reference 2.
Failure of NO contacts to close, given switch operation | 3E-7/hr | 3 |
Failure of NC contacts by opening, given no switch operation | 1E-7/hr | 3 |
Short across NO/NC contact | 1E-8/hr | 10 |

5. Circuit Breakers | | | Includes all components of the circuit breaker mounted on drawout frame. From Reference 1.
Failure to transfer (open or close) | 1E-3/d | 10 |
Premature transfer | 1E-5/hr | 10 | For sizes 4kV and smaller.

6. Fuse:
Failure to open | 1E-5/d | 3 | From WASH-1400
Premature open | 1E-6/hr | 10 | From proposed NREP data base--Reference 1.

7. Bus | | | From proposed NREP data base--Reference 1.
Failure | 1E-8/hr | 3 | All modes

8. Transformer | | | From proposed NREP data base--Reference 1.
Failure (open ckt or short) | 1E-6/hr | 3 | All modes

9. Emergency Diesel (complete plant) | | | Engine frame and associated moving parts, generator coupling, governor, static exciter, output breaker, lube oil system, fuel oil, suction and exhaust air, starting system; excludes starting air compressor and accumulator, fuel storage, load sequencers, and synchronizers. From Reference 1.
Failure to start | 3E-2/d | 3 |
Failure to run (emergency conditions, given start) | 1E-3/hr | 10 |

10. Relays:
Fail to energize | 1E-4/d | 3 | From WASH-1400--Reference 2.
Failure to transfer (open or close) | 1E-4/d | 10 | From Reference 1.
Short across NO/NC contact | 1E-8/hr | 10 | From WASH-1400--Reference 2.
Coil (open or short) | 1E-6/hr | 10 | From Reference 1.

11. Battery Power System (wet cell) | | | Assumes out-of-spec cell replacement. From Reference 1.
Fails to provide proper output | 1E-6/hr | 3 |

12. Battery Charger | | | From proposed NREP data base--Reference 1.
Failure to operate | 1E-6/hr | 3 |

13. DC-Motor-Generator | | | From proposed NREP data base--Reference 1.
Failure to operate | 1E-6/hr | 10 |

14. Wires | | | Consistent with IEEE-500 data for 1000 circuit feet. From Reference 1 except as noted.
Open circuit | 1E-6/hr | 10 |
Short to ground | 1E-7/hr | 10 |
Short to power (control circuit) | 1E-8/hr | 10 |
Short to power (power circuit--line to line) | 1E-6/hr | 3 | From IEEE-500--Reference 3.

15. Solid State Devices High Power Applications | | | For more detailed information, see MIL-HDBK-217C. From Reference 1.
Fails to function | 1E-6/hr | 10 |

16. Solid State Devices Low Power Application | | | See MIL-HDBK-217C. From Reference 1.
Fails to function | 1E-6/hr | 10 |

17. Terminal Boards | | | Values given are per terminal. From Reference 1.
Open connection | 1E-1/hr | 10 |
Short to adjacent circuit | 1E-7/hr | 10 |

18. Damper | | | From Reference 1.
Failure to operate | 1E-3/d | 10 |

19. Motor | | | From WASH-1400--Reference 2. Electric motor.
Failure to start | 3E-4/d | 3 |
Failure to run | 1E-5/hr | 3 |

20. Motor Starter:
All modes | 2E-7/hr | 10 | Spurious operation, fails to open/close, fails to interrupt on opening. From IEEE-500--Reference 3.

21. Pipe (per section) | | | Per 12-ft section. From WASH-1400--Reference 2.
Rupture:
<3-in. rupture | 1E-9/hr | 30 |
>3-in. rupture | 1E-10/hr | 30 |

22. Heat Exchanger | | | From proposed NREP data base--Reference 1.
Tube leak | 1E-9/hr | 10 | Per tube.
Shell leak | 1E-6/hr | 10 |
Plugged | 1E-6/hr | 10 | From IREP/Browns Ferry--Reference 4.

23. Strainer/Filter (liquid) | | | For clear fluids; contaminated fluids or fluids with a heavy chemical burden should be considered on a plant-specific basis. Reference 1.
Plugged | 1E-5/hr | 10 |

24. Clutch | | | From WASH-1400--Reference 2.
Mechanical failure to operate | 3E-4/d | 10 |
Electrical failure to operate | 3E-4/d | 3 |
Premature disengagement | 1E-6/hr | 10 |

25. Instrumentation General (includes: transmitters, amplifiers, and output devices) | | | From proposed NREP data base--Reference 1.
Failure to operate | 1E-6/hr | 10 |
Shift in calibration | 3E-5/hr | 10 |

26. Compressors:
All modes | 4.17E-6/hr | 30 | From IEEE-500--Reference 3.

27. Chiller:
Fails to operate | 8E-6/hr | 10 | From Reference 5.

28. Fans (Cooling Tower):
All modes | 1.24E-6/hr | 10 | From Reference 3.

29. Fans (HVAC):
All modes | 2.22E-6/hr | 3 | From Reference 3.

30. CIS Valves | | | Values derived from Reference 6. A PWR plant was chosen with the largest number of CIS valve leakage failures. Failure rates are based on number of failures, calendar hours from date of initial criticality for the time period of January 1, 1976 to December 31, 1978, and valve population which was obtained from the specific plant's inservice testing program.

a. Air operated:
Leakage | 4.2E-6/hr | 10 |

b. Check valve:
Leakage | 3.8E-5/hr | 10 |

31. Filters (air):
Failure | 8.0E-7/hr | 30 | From Reference 8.

32. Power:
Loss of offsite power (LOSP) | 1.0E-5/hr | | From Reference 7.
Loss of Unit Auxiliary Transformer (UAT) | 3.0E-3/hr | | Failure rate is the square root of the LOSP failure rate.
Loss of Reserve Auxiliary Transformer (RAT) | 3.0E-3/hr | | Failure rate is the square root of the LOSP failure rate.

33. Flanges:
Rupture/Leak | 3.0E-7/hr | 30 | From Reference 2.

TABLE REFERENCES

1. A. J. Oswald et al., Generic Data Base for Data Models Chapter of the National Reliability Evaluation Program (NREP) Guide, EGG-EA-5887, June 1962.
2. Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG 75/014), October 1975.
3. IEEE Guide to the Collection and Presentation of Electrical, Electronic, and Sensing Component Reliability Data for Nuclear-Power Generating Stations, IEEE Std 500-1977, June 1977.
4. S. E. Mays et al., Interim Reliability Evaluation Program: Analysis of the Browns Ferry, Unit 1 Nuclear Plant, Appendix C--Sequence Quantification, NUREG/CR-26023 EGG-2199, July 1982.
5. R. H. Nicholls and O. Gokcek, Reliability Data for the CRBRP Shutdown Heat Removal System, CRBRP-GEFR-00554, August 1981.
6. R. J. Nicholls and O. Gokcek, A Reliability Assessment of the Clinch River Breeder Reactor Plant Shutdown Heat Removal System, CRBRP-GEFR-00552, January 1982.
7. McClymont, A. S., and Poehlman, B. W., ATWS: A Reappraisal; Part 3: Frequency of Anticipated Transients, EPRI NP-2230, 1982.
8. R. P. Dawkins and J. A. Derdiger, Component Failure and Repair Data: Gasification--Combined-Cycle Power-Generation Units, EPRI-AP-2205 DE82 902081, February 1982.


APPENDIX F

OVERFILL AND OVERCOOLING POSTULATED TRANSIENT SCENARIOS

SCENARIOS SECTION

1. INTRODUCTION

This phase of the overfill and overcooling report was performed to identify transient and accident scenarios which have the potential to produce results which would be more limiting than those presented in the Browns Ferry Final Safety Analysis Report.

2. ASSUMPTIONS

1. A single safety grade component failure may be assumed.
2. Multiple control grade failures may be assumed.
3. A single occurrence which results in multiple failures is considered to be a single failure.

3. SEQUENCE OF EVENTS FOR OVERFILL ACCIDENT

3.1 Browns Ferry Licensing (FSAR) Accident Analysis

Main Steam Line Break Accident: The reactor is assumed to be at design power with vessel level and pressure normal for the initial conditions. The steam pipe is assumed to be instantly severed by a circumferential break. The break is physically arranged so that coolant discharge through the break is unobstructed. These assumptions result in the fastest depressurization rate of the nuclear system.

The steam flow through both ends of the break increases to the value limited by critical flow considerations. The flow from the upstream side of the break is limited initially by the main steam line flow restrictor. The flow from the downstream side of the break is limited initially by the downstream break area. The decrease in steam pressure at the turbine inlet initiates closure of the main steam line isolation valves within about 200 milliseconds after the break occurs. Also, main steam line isolation valve closure signals are generated as the differential pressures across the main steam line flow restrictors increase above isolation setpoints. The instruments sensing flow restrictor differential pressures generate isolation signals within about 500 milliseconds after the break occurs.

A reactor scram is initiated as the main steam line isolation valves begin to close. In addition to the scram initiated from main steam line isolation valve closure, voids generated in the moderator during depressurization contribute significant negative reactivity to the core even before the scram is complete. Because the main steam line flow restrictors are sized for the main steam line break accident, reactor vessel water level remains above the top of the fuel throughout the transient.

The steam flow rate through the upstream side of the break increases from the initial value of 1000 lb/sec in the line to 2000 lb/sec (about 200% of rated flow for one steam line) with critical flow initially occurring at the flow restrictor. The steam flow rate was calculated using an ideal nozzle model. Tests conducted on a scale model over a variety of pressure, temperature, and moisture conditions have been used to substantiate the flow model's capability to predict the steam flow behavior in the presence of a flow restrictor.

The steam flow rate through the downstream side of the break consists of equal flow components from each of the unbroken lines. The pipe resistance and local restrictions in the unbroken lines result in critical flow initially occurring at the downstream side break location. The steam flow rate in each of the unbroken lines increases from an initial value of 1000 lb/sec to ISM lb/sec.

The total steam flow rate leaving the vessel is approximately 6600 lb/sec, which is in excess of the steam generation rate of 4000 lb/sec. The steam flow-steam generation mismatch causes an initial depressurization of the reactor vessel at a rate of 35 psi/sec. The formation of bubbles in the reactor vessel water causes a rapid rise in the water level. The analytical mode causes a rapid rise in the water level. Thus, the water level reaches the vessel steam nozzles at 2 to 3 seconds after the break. From that time on a two phase mixture is discharged from the break. The two phase flow rates are determined by vessel pressure and mixture enthalpy. The vessel depressurization is calculated using a digital computer code in which the reactor vessel is modeled as five major nodes. The model includes the flow resistance between nodes, as well as heat addition from the core.

Two phase flow is discharged through the break at an almost constant rate until late in the transient. This is the result of not taking credit for the effect of valve closure on flow rate until isolation valves are far enough closed to establish critical flow at the valve locations. The slight decrease in discharge flow rate is caused by depressurization inside the reactor vessel. The linear decrease in discharge flow rate at the end of the transient is the result of the assumption regarding the effect of valve closure on flow rate after critical flow is established at the valve location.

The following total masses of steam and liquid are discharged through the break prior to isolation valve closure:

Steam 25,000 pounds
Liquid 160,000 pounds

Analysis of fuel conditions reveals that no fuel rod perforations due to high temperature occur during the depressurization, even with the conservative assumptions regarding the operation of the recirculation and feedwater systems. MCHFR remains above 1.0 at all times during the transient. No fuel rod failures due to mechanical loading during the depressurization occur because the differential pressures resulting from the transient do not exceed the designed mechanical strength of the core assembly.

After the main steam line isolation valves close (10.5 sec), depressurization stops and natural convection is established through the reactor core. No fuel cladding perforation occurs even if the stored thermal energy in the fuel were simply redistributed while natural convection is being established; cladding temperature would be about 1000°F, well below the temperatures at which cladding can fail. Thus, it is concluded that even for a 10.5 second main steam line isolation valve closure, fuel rod perforations due to high temperature do not occur. For shorter valve closure times, the accident is less severe. After the main steam line isolation valves are closed, the reactor can be cooled by operation of any of the normal or standby cooling systems. Since the MCHFR never drops below 1.0, the core is always cooled by very effective nucleate boiling.

3.2 Sequence of Events

Initial conditions: 100% design power with reactor vessel level and pressure normal for the initial conditions.

Event | Time (seconds)
100% operation steady-state. | 0
Steam line ruptures, auxiliary a-c power is lost, recirculation pumps and feedwater pumps are tripped. | 10
Reactor trip is initiated due to the loss of steam pressure at the turbine. | 10.2
Main steam isolation valves start to close from signal generated across the flow restrictor nozzle. | 10.5
Water enters the main steam lines as a steam-water mixture due to excessive swell due to void formations. | 11.5
Feedwater flow is terminated as turbine-driven feedwater pumps stop. | 14
Main steam isolation valves close and the overfill accident is terminated. | 20.5


4. POSTULATED MORE SEVERE ACCIDENT

Through the course of this study there have been no failures of control grade systems or components identified that could create a more severe accident or aggravate the documented accident. It is terminated by safety grade components and systems which would have to sustain multiple failures to preclude termination of the accident.

Multiple failures of safety grade components and systems are beyond the scope of this task.

5. SEQUENCE OF EVENTS FOR OVERFILL TRANSIENT

5.1 Browns Ferry Licensing (FSAR) Transient Analysis

Failure of the feedwater flow controller in the maximum demand (115% flow) mode.

The transient was initiated from the low end of the analytical automatic flow control range (68% rated power) producing a more severe steam/feed flow mismatch and level transient than would be produced at higher power. The feedwater pumps were assumed to accelerate to their maximum capability of 115% of rated flow.

Sensed and actual water level increase during the initial part of the transient at about 4.0 inches/second. The high water level main turbine trip and feedwater turbine trip was initiated at 5 seconds when sensed level had increased about 19-21 inches, preventing excessive carry-over from damaging the turbines. Scram occurs simultaneously with the turbine trip, limiting the neutron flux peak and fuel thermal transient so that no fuel damage occurs.

The turbine bypass system opens to limit the pressure rise. The lower set relief valves open only momentarily and no excessive overpressure of the nuclear system process barrier occurs. The bypass valves close at about 24 seconds, bringing the pressure in the vessel under control during reactor shutdown.

Although lower initial power conditions would result in more rapid increases in level, this case represents the maximum threat to fuel clad and nuclear system process barriers. Obviously, no power transient will occur if the reactor is shut down.

5.2 Sequence of Events

Initial conditions: 58% rated power; reactor feedwater system in automatic.

Event | Time (seconds)
68% rated power | 0
Feed pump accelerates to 115% of rated flow | 10
High level trip setpoint | 15
Main turbine trips |
Feedwater turbine trips |
Reactor scram |
Main turbine bypass valve(s) open |

6. POSTULATED MORE SEVERE TRANSIENT

The same initial conditions will be assumed: 68% rated power, feedwater system in automatic. As indicated in Appendix D and Appendix E, there is a relatively high probability of failure for the selected level instrument and it is assumed to be the initiating event.

This failure is assumed to result in an indicated low level and corresponding increase in feed flow rate to 100% or greater.

The result of this initiating event is assumed to be a reactor water level increase of approximately 3.0 inches/sec or greater. If an aggravating failure of a second reactor level circuit is assumed, the main turbine and feed pump turbine high level trips will be disabled (2 out of 3 high levels required for trips).

Based on these assumptions it can be postulated that in approximately 32 seconds water will reach the main steam line nozzles and begin to enter the steam lines. (Assumed initial level of 561 inches and main steam line nozzles at 658 inches).

6.1 Sequence of Events

Initial conditions: 68% rated power; reactor feedwater system in automatic; normal reactor vessel water level 561 inches.

Event | Time (seconds)
68% operation | 0
Selected level circuit fails low; feed pump accelerates to 100% or greater | 10
High level trip setpoint reached; 2 out of 3 level trip fails low | 15
Water reaches main steam line nozzles at 658" level | 42

6.2 Discussion

In applying the normal assumptions used for licensing reviews this is considered to be a valid scenario of concern. An initiating event was assumed and an additional active failure was assumed.

Since these reactor water level circuits are not considered safety related or designed to safety grade standards it could further be assumed that on a generic basis a single event such as a loss of power bus or a seismic event could cause failure of two or more level circuits.

Additional failures which were identified as potential initiators or aggravators were considered to be bounded by the postulated more severe transient scenario. For example, inadvertent HPCI and/or RCIC initiation could be assumed, but redundant safety grade high level switches are installed to terminate flow from these sources. See Table F-1 for a complete listing of additional failures.
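The following sketch is an added example, not part of the EG&G report: it models the 2-out-of-3 high level trip of Section 6 with the report's 561-inch initial level, 658-inch nozzle elevation and 3.0 inches/sec rise rate, and enumerates which combinations of failed-low level channels defeat the trip. The channel names, the failed-low reading, the 576-inch setpoint (placed to match the 15-second entry in Section 6.1) and the simplification that a trip stops the level rise at once are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, List, Optional, Tuple

# Values stated in Sections 6 and 6.1 of the report.
INITIAL_LEVEL_IN = 561.0
NOZZLE_LEVEL_IN = 658.0
RISE_RATE_IN_PER_S = 3.0
INITIATING_EVENT_S = 10.0
VOTES_REQUIRED = 2               # 2-out-of-3 high level trip logic

# Assumptions made for this example (not given in the report).
HIGH_LEVEL_SETPOINT_IN = 576.0   # chosen so the setpoint is reached at 15 s
FAILED_LOW_READING_IN = 500.0    # constructed reading of a failed-low channel
CHANNELS = ("A", "B", "C")       # hypothetical channel names
SELECTED = "A"                   # channel assumed to drive the feedwater controller
TICKS_PER_S = 10                 # simulation resolution of 0.1 s


@dataclass(frozen=True)
class Outcome:
    tripped_at_s: Optional[float]         # time the 2-out-of-3 trip fires
    nozzle_reached_at_s: Optional[float]  # time water reaches the steam nozzles


def actual_level(t: float, overfeeding: bool) -> float:
    """Vessel level in inches; rises linearly once the overfeed starts."""
    if not overfeeding or t <= INITIATING_EVENT_S:
        return INITIAL_LEVEL_IN
    return INITIAL_LEVEL_IN + RISE_RATE_IN_PER_S * (t - INITIATING_EVENT_S)


def simulate(failed_low: Iterable[str], horizon_s: int = 120) -> Outcome:
    """Run the transient with the given channels failed low."""
    failed = frozenset(failed_low)
    # The overfeed only starts if the controlling channel indicates low level.
    overfeeding = SELECTED in failed
    for tick in range(horizon_s * TICKS_PER_S + 1):
        t = tick / TICKS_PER_S
        level = actual_level(t, overfeeding)
        readings = [FAILED_LOW_READING_IN if ch in failed else level
                    for ch in CHANNELS]
        votes = sum(r >= HIGH_LEVEL_SETPOINT_IN for r in readings)
        if votes >= VOTES_REQUIRED:
            return Outcome(t, None)      # trip terminates the overfeed
        if level >= NOZZLE_LEVEL_IN:
            return Outcome(None, t)      # water enters the steam lines
    return Outcome(None, None)


def minimal_defeating_sets() -> List[Tuple[str, ...]]:
    """Smallest sets of failed-low channels that let water reach the nozzles."""
    found: List[Tuple[str, ...]] = []
    for size in range(1, len(CHANNELS) + 1):
        for combo in combinations(CHANNELS, size):
            if any(set(prev) <= set(combo) for prev in found):
                continue                 # a smaller set already defeats the trip
            if simulate(combo).nozzle_reached_at_s is not None:
                found.append(combo)
    return found


if __name__ == "__main__":
    for case in [("A",), ("A", "B"), ("B", "C")]:
        print(case, simulate(case))
    print("minimal defeating sets:", minimal_defeating_sets())
```

With only the selected channel failed, the two healthy channels vote the trip at 15 seconds; once a second channel is failed low the vote can never reach two, and the level reaches the nozzles roughly 32 seconds after the initiating event, which is why a common cause such as the loss of a power bus matters for this logic.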

6.3 Conclusions

Although defining the actual consequences of an overfill transient is considered beyond the scope of this task, it could be postulated that main turbine damage could be caused by this scenario, and main steam line damage due to the static loading of water is also possible.

Additionally, thermal stresses and the possibility that safety systems which are connected to the main steam system could be disabled or damaged by water loading are concerns. For example, the high pressure coolant injection (HPCI) turbine might be disabled, and main steam isolation valves and safety relief valve(s) could be damaged due to thermal stresses or water loadings.

Operator action might be postulated to terminate the transient or limit the consequences by manually tripping the feed pump and/or reactor and/or the main turbine. However, based on the time frame involved (less than 1 minute) operator action is not considered.

6.4 Additional Analysis Required

The consequences of this postulated scenario cannot be predicted at this time. In a later phase of this study computer simulations will be performed to determine the control system response and to calculate nuclear and thermal hydraulic responses to this scenario. Additional aggravating failures can be postulated at that time to verify suspected minimal effects. Systems which are suspected of being susceptible to common mode failures will be modeled and the effects of the failures will be analyzed.

Insight gained from the computer simulation will be used to postulate other potentially significant scenarios and to determine which systems have a negligible effect. System failures which produce scenarios more severe than previously analyzed will then be evaluated to determine if the specific scenarios are applicable on a generic basis.

TABLE F-1. OVERFILL POSTULATED AGGRAVATING FAILURES

System | Ranking | Postulated Effects
Recirculation pumps (low flow) *(C.M.F. 1) | B1 | Could cause level swell and slightly faster level rise
Reactor water cleanup system (letdown failure) *(C.M.F. 1,2) | B1 | Disables letdown path (not normally used)
Control rod drive system (rod withdrawal) *(C.M.F. 1,2,4) | B3 | Rod withdrawal--increase in reactor power
Main steam system (relief or safety open) *(C.M.F. 1,2) | B1 | Could cause level swell and slightly faster level rise
Turbine generator system (power increase) *(C.M.F. 1,2,4) | B1 | Could cause level swell and slightly faster level rise
Turbine bypass system (inadvertent open) *(C.M.F. 1,2,4) | B1 | Could cause level swell and slightly faster level rise
HPCI RCIC RHR CSS system (inadvertent start) *(C.M.F. 1,2,3,4) | A3 | Could cause faster level rise

* Common Mode Failure (C.M.F.): 1--Electrical, 2--Control and Service Air, 3--Heating, Ventilation and Air Conditioning, 4--Fire Protection.

7. SEQUENCE OF EVENTS FOR OVERCOOLING ACCIDENT

7.1 Browns Ferry Licensing (FSAR) Accident Analysis

There is no identified design basis accident for the overcooling event in the Browns Ferry FSAR.

8. POSTULATED MORE SEVERE ACCIDENT

During the course of this study there has been no control grade component or system identified whose operation or failure, either singularly or in combination with or without safety grade components or systems, could result in a design basis accident for an overcooling event.

9. SEQUENCE OF EVENTS FOR OVERCOOLING TRANSIENT

9.1 Browns Ferry Licensing (FSAR) Transient Analysis

Events that result directly in a reactor vessel water temperature decrease are those that either increase the flow of cold water to the vessel or reduce the temperature of water being delivered to the vessel. The event that results in the most severe transient in this category is the loss of feedwater heater.

A feedwater heater can be lost if the steam extraction line to the heater is shut; the heat supply to the heater is removed, producing a gradual cooling of the feedwater. The reactor vessel receives cooler feedwater which produces an increase in core inlet subcooling. Due to the negative void reactivity coefficient, an increase in core power results.

The loss of 100°F of the feedwater heating capability represents the maximum heat loss expected by a single heater (or group of heaters) which can be tripped or bypassed by a single event. The reactor is assumed to be at design power conditions on automatic recirculation flow control when the heater is lost. For this analyzed case, the feedwater flow delay time of approximately 25 seconds between the heaters and the feedwater sparger is neglected. The plant would continue at steady-state conditions during this delay period. The recirculation flow control system responds to the power increase by reducing core flow so that steam flow from the reactor vessel to the turbine remains essentially constant through the transient. Neutron flux increases above the initial value to produce turbine design steam flow with the higher inlet subcooling. Normally the reactor would be on the manual flow control, and this neutron flux increase would have reached within 1% of the scram setting. In the case with automatic control, reactor power settles out slightly below the scram setting, but with core flow reduced to about 90%. The average power range monitors provide an alarm to the operator at about 20 seconds after the cooler feedwater reaches the reactor vessel. Because nuclear system pressure remains essentially constant during this transient, the nuclear system process barrier is not threatened by high internal pressure. All fuel parameters remain below the limiting values at which fuel damage could occur.

This transient is less severe from lower power levels for two main reasons: (a) lower initial power levels will have initial fuel parameter values less limiting than the values assumed here; and (b) the magnitude of the power rise decreases with the initial power condition. Therefore, transients from other reactor operating states or lower power levels within operating state F will be less severe.

9.2 Sequence of Events

Initial conditions: 100% design power; reactor recirculation system in automatic.

Event | Time (seconds)
100% operation | 0
Feedwater heater(s) is lost and feedwater temperature decreases 100°F. | 10
Recirculation flow decreases to compensate for the power increase and thus maintain steam pressure to the turbine generator constant. |
Average power range monitors alarm to inform the operator of the transient. | 30

10. POSTULATED MORE SEVERE TRANSIENT

The same initial conditions will be assumed.

• 100% design power; reactor recirculation system in automatic control.

The initiating event for this transient will be an inadvertent startup of the High Pressure Coolant Injection (HPCI) pump. This is further aggravated by the loss of one feedwater heater string. The subsequent heat loss to the reactor vessel appears to be capable of exceeding the previously analyzed transient. As the colder water enters the reactor vessel the power should commence increasing and recirculation flow should decrease to maintain steam pressure constant at the turbine generator.

10.1 Sequence of Events

Initial conditions: 100% design power; recirculation flow in automatic.

Event | Time (seconds)
100% operation | 0
Inadvertent HPCI startup with simultaneous loss of feedwater heater string causing an overall cooling of the reactor vessel water in excess of 100°F. | 10
Recirculation flow decreases to maintain steam pressure constant at the inlet to the turbine-generator. |
Average power range monitors alarm to inform the operator of the power increase | a

a. Time to be supplied by computer model.

10.2 Discussion

In utilizing normal licensing review assumptions this scenario is considered valid and appears to be of concern. An initiating event was assumed and then was aggravated by failure of a nonsafety related system.

During the course of this study there have been several system failures identified that have the potential to contribute to an overcooling event. These failures, when considered singularly, appear to be of no consequence to this type of transient. However, when they are considered in conjunction with other failures, a serious overcooling transient could result. The actual consequences attributable to this transient in forms of excessive thermal shock to primary components or possible damage due to core thermal limits being exceeded are beyond the scope of this task.

Additional system or component failures which have a potential to aggravate or contribute to an overcooling transient but were considered to be bounded by the postulated scenario are summarized in Table F-2.

10.3 Conclusions

The ability to factually state that any of these failures either singularly or in combinations will actually cause an overcooling transient more severe than previously analyzed or create a thermal shock possibility is beyond our capabilities for this portion of this task and will require significant efforts to run computer models and affect final determinations.

10.4 Additional Analysis Required

The consequences of this postulated scenario cannot be predicted at this time. In a later phase of this study computer simulations will be performed to determine the control system response and to calculate nuclear and thermal hydraulic responses to this scenario. Additional aggravating failures can be postulated at that time to verify suspected minimal effects. Systems which are suspected of being susceptible to common mode failures will be modeled and the effects of the failures will be analyzed.

Insight gained from the computer simulation will be used to postulate other potentially significant scenarios and to determine which systems have a negligible effect. System failures which produce scenarios more severe than previously analyzed will then be evaluated to determine if the specific scenarios are applicable on a generic basis.

TABLE F-2. OVERCOOLING POSTULATED AGGRAVATING FAILURES

System/Component | Failure Mode | Failure Ranking | Postulated Effect
Reactor Core Isolation Cooling System *(C.M.F. 1,2,3,4) | Failure to shutdown automatically | A-2 | Continued flow of relatively cold water to the reactor vessel causing excessive cooldown rate.
 | Inadvertent startup when not required | B-2 | Produces a supply of cold water to be pumped into the reactor vessel.
Primary Overpressure Protection System *(C.M.F. 1,2) | Inadvertent opening of a relief or safety valve | B-1 | Causes an increased steam flow from the reactor vessel and additional cooldown of the primary water.
Reactor Recirculation Flow System *(C.M.F. 1) | Flow controller fails in the high flow mode | B-1 | Causes increased recirculation flow and higher heat transfer rate and therefore a cooling transient to the bulk of the coolant.
Core Standby Cooling Control and Instrumentation System *(C.M.F. 1,2,3,4) | Failure of High Pressure Coolant Injection (HPCI) system to shutdown automatically | B-1 | Continued high flow rate of relatively cold water to the reactor vessel may result in an excessive cooldown rate.
 | Inadvertent startup of HPCI system when not required | B-2 | Provides a high volume source of relatively cold water to the reactor vessel.
Feedwater Control System *(C.M.F. 1,3,4) | High feedwater flow rate and failure to shutdown on high level | B-1 | High feedwater flows at low power will cause a cooling transient.
Electro-Hydraulic Control System (EHC) *(C.M.F. 1,2,4) | Inadvertent opening of turbine governor or bypass valve(s) | B-1 | This would cause increased steam flow and subsequent cool-down as heat is being extracted at a rate faster than it is being added.
Residual Heat Removal System (RHR) *(C.M.F. 1,2,3,4) | Excessive heat removal rate due to high flow rate | B-3 | During shutdown the potential exists to create an over-cooling transient if RHR flow fails high.
Residual Heat Removal Service Water System *(C.M.F. 1,2,3,4) | Excessive heat removal rate due to increased flow rates | B-3 | Inadvertent startup of idle pumps or flow control valve failures could cause the RHR system to be cooled beyond allowable limits and therefore the primary system could be overcooled.

* Common Mode Failure (C.M.F.): 1--Electrical, 2--Control and Service Air, 3--Heating, Ventilation and Air Conditioning, 4--Fire Protection.

APPENDIX G

DOCUMENTED OVERFILL AND OVERCOOLING TRANSIENTS

The following transients have been quoted from the referenced volumes of the Nuclear Power Experiences.1 These excerpts are copyrighted and permission to use them has been received from NPE for this report.

1. OVERFILL TRANSIENTS Nuclear Power Experiences Vol. BWR-2 IX. Instr. & Cont.

F. process Syst.

p. 1, 2 and 3
3. LEVEL RECORDER PEN STICKS - PARTIAL ELOWDOWN CABLE DAMAGE Oresden 2 - June 70 (power escalation testing)

The reactor was at 75% power when a spurious signal from the electrohydraulic control of the turbine caused the turbine-control valve to open from 75% to the load-reference setting of 80% and all the turbine-bypass valves to open (115% of rated flow). The turbine then tripped and caused a reactor scram. At time 3 sec the pressure-vessel water-level monitors tripped because of steam-bubble collapse. The resulting increase in feedwater (FW) flow caused the 2 operating FW pumps to trip off due to low suction pressure. At time 7 sec one feedwater pump restarted automatically but delivered water at a varying rate, apparently due to suction pressure variations.

At 22 sec the turbine-bypass valves closed, apparently due to disappearance of the spurious signal. At 33 sec the main steam-line valves closed automatically due to low pressure (<850 psig) in the pressure vessel. At this time the water level in the pressure vessel was varying over a wide range owing to the pressure changes and FW cooling influencing both the void volume and water volume. At about 50 sec, the water level was rising again, but the level-indicator chart pen being observed by the operator stuck. Not knowing that the level was still increasing, the operator switched the FW control to manual and further increased the flow rate. Before it was discovered that the pen was stuck, the water level had risen enough to flood the main steam lines and the isolation-condenser steam line. At 1 min and 30 sec, the stuck pen was discovered (by tapping the case) and the FW flow was reduced to minimum but could not be reduced to zero owing to leakage past the valves.

The continued input of water coupled with after-heat from the reactor core and closure of the main steam line valves caused the pressure to begin increasing rapidly. The isolation-condenser system was actuated manually, but it was shut off immediately due to a too-low trip setting of the condensate-return-line flow required by an erroneous Tech Spec. (This error had already been discovered, and steps were being taken to correct the trip-setting requirements.) The fact that the condenser was not operating was not discovered until several mins later. An attempt to reopen the main-steam-line valves to dump steam through the turbine-bypass valves failed because the valves had not been reset from the earlier trip that had closed them. When the reactor pressure reached 1050 psig at 3 min and 45 sec, the operator manually opened an electromatic pressure relief valve to dump steam to the pressure-suppression pool until the pressure fell to 960 psig at 5 min and 38 sec. This action had to be repeated at 6 min. At 6 min and 3 sec, a 2 psig dry-well pressure initiated an ECCS start, isolated the reactor-building ventilation, and actuated the standby gas-treatment system. This was followed by automatic tripping of the recirculation pumps and automatic startup of the standby diesel generators. The low pressure spray and LPCI systems started but did not inject because the reactor pressure exceeded the pump head of both systems. The HPCI system started but did not inject, because it had been valved out earlier for repairs after proof-testing its backup systems as provided for in the Tech Specs. Actual injection by this system would have been automatically inhibited by the high-water signal from the pressure vessel water level monitors.


Intermittent manual opening of relief valves controlled the reactor-vessel pressure between 840 and 1097 psig until the isolation condenser was reset and manually actuated at about 9 min and 45 sec and was operated for 5 to 15 min before being intentionally isolated by the operator. An area survey showed no radioactivity outside the containment system.

At 13 min and 8 sec, erratic signals started from the reactor power instrumentation and indicated steam or water damage to cables or connections in the drywell. By 30 min the operating FW pump had been tripped manually, and the water level was being held by the ~60 gpm provided by the CRD pumps. The reactor-vessel pressure was decreasing without intentional venting owing to leakage through safety valves, which apparently had opened at about the time the first pressure-relief valve was operated. The temperatures within the drywell were checked at this time on the local recorder. The highest temperature at the moment was 205°F, but the recorder had run out of paper, so that the temperature history during the incident was lost. The pressure in the drywell was still above 5 psig, but the actual value was not known because the high-range pressure monitor was out of service. To reduce the dry well pressure, the operator opened a 2 in. line to the standby gas-treatment system. The stack off gas radioactivity increased from 10,000 to 25,000 Ci/sec over a period of about 1/2 hr and then subsided.

At time 1 hr and 15 min, the reactor-vessel pressure was down to 200 psig, and the water level was under control. The main-steam-line valves had been opened, and the vessel was being vented through the turbine-bypass valves to the main condenser. The pressure in the drywell was still above 5 psig, so 5 of the 7 dry well cooling units were put into service. By time 2 hr the dry well pressure was down to 2.2 psig and could be monitored by the low pressure monitor that was in service.

Radiation surveys showed that no significant release to the environment had occurred. Samples taken in the dry well indicated about 100 times the MPC of I-131 (82 times the next day). Operations and radiation protection personnel equipped with air packs entered the drywell the next day to make a radiation survey and to obtain Staplex air samples. The radiation level was about 1 R/hr. They observed water cascading from the upper part of the dry well from the vicinity of one of the main steam lines on which were mounted an electromatic relief valve and 2 safety valves.

Since the radioiodine level in the dry well was not falling rapidly enough, flow to the standby gas-treatment system was increased and allowed to draw air from the building as a sweep through the dry well. By 2 days after the incident, personnel were able to enter the dry well for a preliminary damage inspection. Two safety valves on one main steam line were being held slightly open by the positions of their operating handles, which had apparently been struck by the jet from a 3rd safety valve mounted on an adjacent main steam line.

Damage was confined to equipment within the drywell and was caused by the steam and water discharged through the safety valves. A total of about 30 ft of thermal insulation needed replacement on one main steam line, a feedwater riser, and a recirculation riser. Low resistance was found in 5 valve motors, a floor drain pump motor, and a dry-well-cooling blower motor. Seven dry-well electrical penetrations had small leaks through the inboard sides of their double seals. Two of 4 SRM cables were shorted or open. Four of 8 IRM cables had low insulation resistances. Ninety-three local PRM cables were shorted, 10 were open, and 61 were operable. Control cables to the TIP indexer were shorted. Two safety valves were jammed partly open owing to their lifting levers having been rotated by the steam and water jet from a 3rd safety valve.

Damage to plastic connector caps and cable insulation indicated that temperatures in excess of 250°F had occurred. Calculations based on steam conditions in the dry well indicated that the max temperature could have been no higher than 320°F and that the wall temperature was much less. Tempilstick marks on the walls indicated that 200°F was not exceeded. The containment-structure design temperature is 281°F at 0 psig.

The max pressure experienced by the pressure vessel and the main steam lines during the incident was determined to be less than the design pressure.

Tests with new samples of local PRM cables revealed that failures of center conductors occurred by buckling at as low as 220°F and that drifting of the center conductor caused shorts at as low as 300°F. This type of failure was enhanced by handling abuse, twisting, and crowding in ducts. Not all tests produced failure, even up to 500°F for 1 hr. Since these cables are vendor specified for continuous operation at 275°F, the same kind of cable was reinstalled but with great care and with less crowding in ducts. SRM and IRM cables were not tested, since it was known that their temperature ratings were less than that of the local PRM cables. They were replaced with a new type of cable having a temperature rating of 350°F. New ducts were provided to separate the SRM and IRM cables from the local PRM cables to avoid crowding. The TIP indexer control cables were replaced with new cables rated for 300°F.

The main-steam-line safety valves that lifted were inspected and tested in accordance with the manufacturer's recommended criteria and the ASME and Illinois Boiler Code requirements. Their associated rupture disks were replaced, and the valves were oriented so that damage to other equipment by their discharge would be minimized. Since lifting levers on the valves were not required by the ASME Code, approval to remove them was requested from the Illinois Boiler Board.

Motors on all valves were dried and passed inspection. One of 7 dry-well-cooling blower motors had to be replaced. All leaks in the inboard electrical penetration seals were repaired. The FW control system was improved to minimize control-valve leakage, insensitivity of flow control, and low suction trip caused by pump-runout conditions.

The sequence and starting times of the ECCS components were not according to design during the incident, although their actual use was not required. The system controls were revamped to conform to the design requirements.

The condensate-return-isolation trip point on the isolation condenser was raised from 120 to 300% of normal flow to agree with the design intent and the operating conditions. The Tech Specs were revised to reflect this.


The electrohydraulic-control system, in which the spurious signal that triggered the incident originated, was revised to minimize noise pickup. Specifically, the malfunctioning device, a potentiometer located at some distance from the pressure-amplifier card, was replaced with a ceramic potentiometer located near the pressure-amplifier card, and some associated terminals were eliminated. Cables from the electrohydraulic-control adjustment panel were rerouted so that the signal cables were separated from power cables. A control circuit relating the automatic load-following circuits, the recirculation-flow-control system, and the electrohydraulic-control load-frequency-control circuit was rearranged to eliminate the possibility of introducing erroneous voltages to the electrohydraulic-control panel.

Although the actions of the operators resulted in a safe and more or less orderly shutdown despite equipment malfunctions, a review of events indicated that the existing procedures were not altogether adequate. Much emphasis had been placed on the dangers of allowing the pressure-vessel water level to fall below the top of the fuel, but not enough emphasis was given to the dangers of high water-level situations. Both the normal and emergency operating procedures were reviewed and revised to place more emphasis on the seriousness of high-water problems. The standby gas-treatment system was used as a venting path to reduce the pressure in the dry well when the only knowledge of the pressure there was that it was greater than 5 psig. This was done under closely controlled conditions and through a 2 in. bypass line rather than the 18 in. line provided. The gas-treatment system, however, was designed to operate at near atmospheric pressures and was tested at only 1.5 psig. Therefore, it was felt that a safer procedure would have been to reduce the dry-well pressure to below 2 psig by condensing steam with the torus sprays or, if necessary, the dry-well sprays before venting to the gas-treatment system. New procedures and revisions of existing procedures were issued to establish this.

The abnormal part of this incident began with the loss of water-level control, which was caused by the operator observing a water-level indicator that had a stuck pen.

It was known that the isolation condenser needed a greater condensate-return-line capability, however, it appears that no special procedures regarding its use and limitations were observed. After initial actuation of the condenser, several minutes elapsed before the operator was aware that it had almost immediately quit functioning.

The duration of the outage was ~1 1/2 mos. (gb,od)

Nuclear Power Experiences
Vol. BWR-2
XVI. Operational Probs.
C. Misc.
p. 2 and 3

7. OPERATOR PLACES FW SYSTEM IN MANUAL, THEN COULD NOT CONTROL TRANSIENT
Nine Mile Pt. 1 - Dec 71

Routine testing of the reactor protection high/low level water level sensors was being conducted while the plant was at 601 MWe. The sensor support was accidentally bumped causing each high level trip sensor to operate resulting in a turbine trip. A reactor scram resulted from the turbine anticipatory trip signal because the load was greater than 45%.

Following the scram, the reactor water level decreased rapidly due to void collapse. The FW control system responded by overfeeding, as it should, when in the automatic mode. The FW system was left in the automatic mode for ~20 sec after the scram, and then switched to the manual mode, because the FW flow to the reactor was high in the operator's opinion.

Manual action was too slow and excessive FW flow continued to the reactor. FW flow was reduced to zero at ~2 min after water overflowed into the main steam lines. Several operations of the electromagnetic relief valves occurred for ~17 min after which reactor level was brought under control. The emergency condenser was then placed in service to control reactor pressure.

Investigation of the FW system has shown that the control response is adequate to handle the transient after a scram. The decision by an operator to place the system in manual is a judgment decision based on the interpretation of the instrumentation he is observing. Once he has made the decision and goes to the manual mode; he must be extremely dexterous as level varies so rapidly for the first few minutes following the scram that it becomes almost impossible to differentiate the variables and perform the correct manipulations in the required interval. At this time, level was near the +3 ft level, and flow was greater than 6 x 10^6 lbs/hr. Flow was reduced to 2 x 10^6 lbs/hr at 2 min after the scram. Data indicated that overflow of water into the steam lines occurred about 2 min after the scram. Some FW flow continued for the next 2 min before being reduced to zero.

They concluded that placing the FW system in manual when fast response is required may cause a level problem if the operator does not pay close attention to the system during the transient. A review of expected system response was given to the operators. (kr oc)

Nuclear Power Experiences
Vol. BWR-2
IX. Inst. & Cont.
D. Turbine Cycle
p. 6 and 7

19. FEEDWATER TRANSIENT - DRYWELL PRESSURIZED
Dresden 3 - Dec 71

The plant was at 792 MWe when a condensate booster pump tripped. Personnel heard noises coming from the pump just prior to the trip, however, complete teardown and inspection of both the condensate pump and booster pump revealed no damage. Recorder charts revealed no anomalous behavior. The pump is tripped automatically on undervoltage or overcurrent. The pump motor breaker showed no trip target.

Loss of the pump resulted in a low FW pump suction pressure condition, since 2 condensate booster pumps are inadequate to supply the required water at that power level. The 2 operating FW pumps tripped on low suction pressure. The standby reactor FW pump started automatically when the operating FW pumps tripped. The standby pump reaches full flow in ~6 sec. Following the decrease in FW input, the reactor water low level trip scrammed the reactor at 14 sec.

Reactor water level continued to decrease and reached a low point of -20 in. (~123 in. above top of fuel). Level then began to increase and the operator took manual action in anticipation of a rapid level increase. When reactor water level reached -12 in., it appeared to hesitate and the operator attempted to increase level. Level began to increase rapidly, and as soon as the operator verified that level was increasing, he again reduced the manual output control potentiometer to zero. As reactor water level came through zero, the operator started closing the FW regulating valve motor operated isolation valve, again in anticipation of a rapid level increase. As the valve closed, FW flow was reduced from 5.7 x 10^6 to 2.3 x 10^6 lb/hr. At some time during the closure of this valve, it stalled due to high dp across the gate.

When the standby reactor FW pump started, flow increased to the point where the FW regulating valve went into a "runout" condition (flow control mode). This was substantiated by various instrumentation.

The FW regulating valve locked out in an open position. Subsequent testing indicated that the lockout condition was probably caused by low air pressure which resulted from rapid movement of the valve.

Reactor pressure decreased following the pump trip due to shrinkage from the cold FW, and initially, loss of steam to the turbine. At 1 min 5 sec, main steam line low pressure of 850 psig initiated a Group I isolation signal and the MSIV's closed.

Reactor pressure reached a low point of 795 psig. At that point FW input and decay heat caused reactor pressure to increase. Reactor water level continued to increase and the low reactor water level trip automatically reset at 1 min 21 sec. Reactor water level continued to increase from a FW input of ~5.7 x 10^6 lb/hr and reached the high water level trip point of +48 in., at which point the turbine stop valves tripped. The control valves had already closed while attempting to maintain pressure.

Reactor pressure continued to increase from FW input and the operator manually cut in the isolation condenser. But reactor water level was above the isolation condenser supply nozzle and since the condenser was essentially operating as a water to water heat exchanger, it had little effect on pressure. The level reached the level of the main steam lines at ~2 min 45 sec, and began to fill them. A safety valve lifted. Pressure had reached 1020 psig and decreased rapidly when the valve opened. At this point water had probably filled most of the steam lines. It is believed that the safety valve did not lift from pressure actuation. Primary system water released to the drywell through the safety valve flashed to steam, and pressurized the drywell. Drywell pressure reached 2 psig at 5 min 11 sec, and the reactor containment high pressure trip was actuated. This started both diesel generators, the core spray pumps, and LPCI pumps automatically. The HPCI received an initiation signal, but tripped on high reactor water level. The reactor recirculation pumps tripped and a containment isolation (Group II) was initiated. All ECCS subsystems functioned as designed.

Drywell pressure continued to increase, due to input from the safety valve, and peaked at 20 psig at ~6 min 30 sec. The safety valve remained open for ~1 1/2 min ± 30 sec.

At 7 min, suppression cooling was initiated via recirculation of the torus water through the containment cooling heat exchangers. The torus sprays were not placed in service.

At 8 min, the first indications of LPRM failure were observed. At this point the shutdown condition of the reactor had already been observed. At 13 min the operator tripped the operating reactor feed pump. At this time reactor water level was ~130 in. Reactor pressure peaked at 1025 and dropped to 980 psig when the reactor feed pump was tripped. Reactor pressure then began to increase again due to decay heat input.

At ~23 min a reactor high pressure sensor tripped and reactor pressure peaked at 1044 psig. Reactor pressure then decreased due to loss of water inventory when an unsuccessful attempt was made to place the cleanup demineralizer system in service. Pressure dropped to 950 psig and again began to increase from decay heat input. A check of the trip indicated that it was set lower than the other 3 sensors. At ~3 hr 47 min containment pressure had decreased to 4.5 psig.

At ~4 hrs, a jumper was installed to permit opening the reactor water sample isolation valves so that a sample could be collected. Reactor blowdown to reduce water level could not be established without first collecting a water sample and high level isolates the sample line.

Analysis indicated normal activity and reactor water blowdown via the cleanup system was established at 5 hrs. Vessel water level had increased to +45 in. at this time due to continued input of water from the CRD system.

At ~12 hrs, drywell pressure had decreased to 1.75 psig and the containment high pressure trips automatically reset. ECCS systems no longer had an initiation signal and these systems were returned to standby condition, and the drywell coolers were restarted manually.

At ~13 hrs, reduction of reactor water level to below the main steam lines was initiated and at ~17 hrs, level had been decreased to +76 in.

Analysis of the first sample of containment atmosphere indicated radioactivity slightly above normal.

Controlled cooldown of the primary system continued using the cleanup system. At ~33 hrs reactor pressure had been reduced to 180 psig and the shutdown cooling system was placed in service.

Additional drywell atmosphere sample analysis indicated reduced radioactivity level at ~40 hrs, drywell deinerting was instituted. At 44 hrs an initial entry was made for atmospheric sampling. Radioactivity levels were low and the first entry for drywell inspection was made ~46 hrs after the incident.

The following equipment was damaged:

- The rupture discs on 4 of the 8 safety valves were ruptured. This may not be related to the incident since this condition had been encountered previously. Additionally one safety valve rupture disc was completely blown out.

- An electromatic valve solenoid operator was damaged by the steam jet from a safety valve. One steam discharge "rams horn" on the safety valve was directed towards the electromatic valve. The cover on the solenoid assembly of this valve was blown off. The holding coil circuit of the solenoid assembly was found open. Wiring to a position indicating limit switch was also damaged, rendering the position indication inoperative.

- Miscellaneous insulation and paint was damaged.

- Sections of ventilating duct in the vicinity of the steam jet were dislodged.

- Essentially all of the LPRM cables were found damaged.

- One containment cooling fan motor was found to have a ground caused by moisture in the containment. The other 6 cooling fan motors were found to be in good condition.

2. OVERCOOLING TRANSIENTS

Nuclear Power Experiences
Vol. BWR-2
IX. Instr. & Cont.
D. Turbine Cycle
p. 20 and 21

71. FAILED COUNTER CARD IN EHC SYSTEM, MODE SWITCH NOT IN RUN - SCRAM, BLOWDOWN, FAST COOLDOWN
Cooper - Nov 80 - 93% power

A reactor scram occurred during an APRM functional test. Following the scram the reactor coolant temperature change exceeded the normal cooldown rate of 100°F/hr. The apparent cause of the occurrence was attributed to a failed counter card (W-Hogan 398522) in the Digital Electrohydraulic Control System for the main turbine. The failed card caused the main steam bypass valves to remain open following the scram. The 825 psig reactor pressure closure of the MSIV did not occur because the "mode" switch was manually taken out of "Run" shortly after the scram.

The main steam bypass valves control reactor pressure during startup and after a reactor scram when the MSIV's are open.

During this event, the reactor depressurized from ~1000 to ~210 psig in 9 min. This caused the reactor vessel metal temperature to decrease ~150°F during the next hour. This temperature transient was similar to the "stuck open relief valve" transient and was not limiting in the reactor vessel thermal cycles analysis at that time.

The failed component was replaced and tested. A review of the operator actions during tests of that type and actions following scrams were being reviewed. (icq)

Nuclear Power Experiences
Vol. BWR-2
V. Recirc, Steam, Relief
C. Relief & Safety Valves
p. 72

238. RELIEF LIFTED - EXCESSIVE COOLDOWN RATE
Peach Bottom 3 - June 79 - 95% power

A main steam relief valve lifted spontaneously causing torus water volume to reach 130,675 ft³, 2.6% above the Tech Spec limit of 127,300 ft³. After the relief valve opened and attempts to reclose it were unsuccessful, the reactor was manually scrammed. The reactor cool-down rate reached a max of 114°F in 1 hr, 14°F above the Tech Spec limit of 100°F/hr. The relief valve was open for about 95 min, being reseated when reactor pressure was reduced to 135 psig.

The relief valve (Target Rock) was replaced with another qualified valve. The valve that lifted was sent to Wiley Lab for inspection to determine the reason for failure. A VT of the drywell and torus interior and exterior was performed prior to return to power, and all areas were found to be in satisfactory condition. The duration of the outage was 44 hr. (gbc)

Nuclear Power Experiences
Vol. BWR-2
XVI. Operational Probs.
C. Misc.
p. 113 and 114

446. SCRAM, LOW REACTOR PRESSURE - CONDENSATE INJECTED INTO VESSEL, EXCESSIVE COOLDOWN RATE
Hatch 2 - Nov 78 (power ascension testing) - shutdown

Due to an injection of condensate water into the reactor vessel following a reactor scram from rated pressure, reactor pressure decreased due to main turbine seals supplied by nuclear steam to below condensate booster pump pressure and allowed condensate water to be injected into the reactor vessel through the FW lines, resulting in a cooldown rate of 119°F/hr exceeding the max cooldown rate of 100°F/hr. The MSIV's were closed and injection of condensate water to the vessel stopped. Reactor coolant temperatures were back within limits in 15 min.

The cause of the event was personnel error. During the scram and vessel depressurization, personnel allowed condensate water to be injected into the reactor vessel when pressure decreased below the condensate booster pump discharge pressure, thus causing the rapid cooldown. Personnel were cautioned about reactor pressure decreases below a system pressure that could inject into the vessel during an emergency condition and to observe pressure decrease and level increase very closely in transient conditions to prevent exceeding reactor cooldown rates. Evaluation of the occurrence confirmed that due to evaluation of other temperature indications for overall reactor coolant systems and by observing reactor vessel metal temperatures (ΔT's), that no significant stress occurred to the reactor vessel or coolant systems. (fkb)

Nuclear Power Experiences
Vol. BWR-2
XVI. Operational Probs.
C. Misc.
p. 89

327. REACTOR PRESSURE INDICATOR MAINTENANCE AFFECTED PRESSURE RECORDER - LOW REACTOR PRESSURE ALLOWED CONDENSATE BOOSTER PUMP INJECTION - EXCESSIVE COOLDOWN
Brunswick 1 - Feb 77 - shutdown

The reactor had been scrammed due to a low condenser vacuum turbine trip and the reactor was being cooled down slowly (~40°F/hr). RCIC was being used to maintain reactor vessel water level and the Startup Level Control Valve was in manual and open 60%. During the cooldown, reactor pressure decreased to less than condensate booster pump discharge pressure (~400 psig). This allowed the condensate booster pumps to feed the RPV.

Reactor vessel level increased rapidly and reactor vessel temperature decreased due to the cold FW addition. RCIC tripped on high reactor vessel level. The outlet valves on the No. 5 FW heaters were shut and the startup level control valve was shut to terminate the reactor vessel level increase and subsequent cooldown. However, the cooldown between 1300 and 1400 was 110°F, which exceeded the Tech Spec max allowed cooldown rate.

An I&C Technician was performing maintenance on a reactor pressure indicator, which was reading ~200 psig high. This required the level selector switch to be set to the Level "A" position. However, in the Level "A" position both the reactor pressure indicator and reactor pressure recorder were supplied with the same pressure compensating signal that supplied the reactor water level control system. Although the operator who was watching the reactor pressure recorder did realize that actual reactor pressure was ~200 psig lower than indicated on the indicator, he did not realize that the pressure recorder was also affected. Therefore, as actual pressure decreased to 400 psig, the condensate booster pump began to supply FW to the RPV. This event was to be reviewed by all licensed personnel.

All Shift Foremen and Control Operators were to be cautioned to more closely review any maintenance work which might affect this instrumentation. All licensed personnel were to be instructed to use and compare all available indication and not to linger on one indication. (dlu)

6. REFERENCES

1. Nuclear Power Experiences BWR-2; Nuclear Power Experiences, a division of S. M. Stoller Corporation, 1919 14th Street, Suite 350, Boulder, CO 80302-5386, Phone (303) 449-7220.