ML20087F015

| ML20087F015 | |
|---|---|
| Site: | 05000605 |
| Issue date: | 12/17/1991 |
| From: | Palomar J, Preckshot G, Wyman R, Lawrence Livermore National Laboratory |
| To: | NRC |
| Shared Package: | ML20087E987 |
| References: | NUDOCS 9201220287 |
| Download: | ML20087F015 (123) |
A Defense-in-Depth and Diversity Assessment of the GE ABWR Protection System

J. Palomar, G. Preckshot, R. Wyman
December 17, 1991, Version 2
Lawrence Livermore National Laboratory, Nuclear Systems Safety Program
DRAFT
CMF Analysis DRAFT 12/17/91

Table of Contents
1. Introduction ... 1
1.1 Sponsor ... 1
1.2 Purpose ... 1
1.3 Executive Summary ... 1
1.4 Background ... 2
1.5 Comparison of ABWR to GESSAR II ... 3
2. The Scope of the Analysis ... 5
2.1 Those Items in the Scope of this Report ... 5
2.2 Those Items Not in the Scope of this Report ... 7
3. Methods ... 7
3.1 NUREG 0493 Guidelines ... 7
3.2 Type 1 Failure Analysis ... 10
3.3 Types 2 and 3 Failure Analysis ... 11
3.4 The Trip Tables ... 11
3.5 Summarizing Findings ... 13
3.6 General Assumptions ... 13
3.7 Evaluation Criteria ... 21
3.8 Some Disclaimers ... 21
4. Description of the Design ... 22
4.1 Design Basis ... 22
4.2 Architecture ... 24
4.3 Signal Diversity ... 28
5. Findings ... 28
5.1 Successful Operation ... 32
5.2 Areas of Concern ... 32
5.3 Digital Systems Issues ... 37
5.4 Initiation of LPFL as Backup to RCIC or HPCF ... 37
5.5 Plant Monitoring ... 37
References ... 38
Acronym Definitions ... 39
Appendix A Analysis ... 41
Appendix B Other Systems ... 103
Appendix C Trip Tables ... 105
Appendix D Shared Signal Analysis ... 113
Table of Figures
Figure 1 Analysis Chart ... 12
Figure 2 Simple Echelon Diagram ... 19
Figure 3 Shared Signals ... 20
Figure 4 System Architecture ... 20
Figure 5 Signal Flow I ... 27
Figure 6 Signal Flow II ... 29
Figure 7 Signal Flow III ... 30
Figure 8 Summary of Vulnerabilities ... 31
Figure 9 Shared Signals I ... 34
Figure 10 Shared Signals II ... 36
A Defense in Depth and Diversity Assessment of the GE ABWR Protection System

1. Introduction

1.1 Sponsor
This assessment was conducted by Lawrence Livermore National Laboratory personnel at the direction of the NRC as part of Task 8 under FIN L 1807. The work was in support of the NRC's evaluation of the ALWR technologies. The work started on October 15, 1991, and a first draft of the report was submitted to the NRC on December 4, 1991.

1.2 Purpose
General Electric Corporation has submitted design information for the Advanced Boiling Water Reactor (ABWR) to the Nuclear Regulatory Commission for certification under 10 CFR Part 52, Subpart B. The purpose of this report is to identify potential vulnerabilities with regard to defense in depth in the proposed ABWR protection system design, which is part of that submittal (SAR Chapter 7). This analysis provides a detailed assessment of diversity and defense in depth for this design.

1.3 Executive Summary
This assessment is similar to that performed in NUREG 0493. The primary concern of the assessment is the possibility of a causal failure of more than one echelon of defense. This would result from some form of interdependence among echelons. The three echelons of defense identified for the GE ABWR are control, scram, and the engineered safety features actuation system. The objective of the assessment is to determine if postulated common mode failures could result in impairment of more than one echelon, thus compromising defense in depth.
The GE protection system was broken into blocks which are compatible with the architecture of the system and which allow an analysis to be performed according to the principles of the NUREG. Charts were developed which aid the analysis of common mode failures during design basis events. A number of assumptions were made to allow the analysis to proceed where data on the design was missing or inadequate. The charts and the assumptions made are fully documented in the report. A number of vulnerabilities were identified. The design has both diversity and defense in depth in many cases, but the consequences of certain postulated common mode failures in the digital units were found to result in inadequate defense in depth with respect to NUREG 0493 guidelines.
1.4 Background
Defense in depth is a principle of long standing for the design, construction and operation of nuclear reactors. For reactor I&C systems this has taken the form of three echelons: Control System, Reactor Protection System (RPS) and Engineered Safety Features Actuation System (ESFAS). Two of these systems, RPS and ESFAS, are Class 1E safety systems and are designated as the Protection System. The control system is not Class 1E. Because the control system is a non-safety system, no credit is allowed in a safety analysis for control system action and, in fact, the control system is assumed to challenge the protection systems by spurious or incorrect actions.

Diversity comes in several forms. Signal diversity is the availability of several different signals to initiate a protective action. For example, either high pressure or high reactivity, both of which occur for some events analyzed in this report, can initiate a scram of the reactor. Equipment diversity is the provision of several different methods for providing the same safety function. For example, for cooling the core of the ABWR, there is the Reactor Core Isolation Cooling (RCIC) system, which uses a steam turbine driven pump to force water into the core in the event of a feedwater system failure, and there is the High Pressure Core Flooder (HPCF), which provides the same function with two electrically driven pumps. And finally there is diversity in defense in depth, which provides different systems in each echelon to accomplish the same function. For example ATWS, which is part of the ABWR control system, will scram the reactor under certain circumstances, providing a redundant method of scram outside the RPS.

Analog systems employing defense in depth and diversity have comparatively long histories in reactor systems. The introduction of digital systems into protection systems adds a new level of complexity to these systems and introduces a potential for new common mode failures which must be considered whenever a new protection system is proposed. In particular, the use of common software in the divisions of the safety system and in the control system provides a mechanism by which all protection divisions may fail simultaneously and cause the echelons of defense to be compromised. On the other hand, there are strong economic reasons for using common software wherever possible, and this is encouraged by the notion that it is easier to verify and validate one software system and replicate it many times than to verify and validate many different systems. Thus diversity and defense in depth may be reduced in systems using digital elements.

One of the first formal assessments by the NRC of defense in depth for innovative technology was documented in NUREG 0493, "A Defense in Depth and Diversity Assessment of the RESAR 414 Integrated Protection System," March 1979. The method established in this NUREG is the basis for the assessment presented in this report.

1.5 Comparison of ABWR to GESSAR II
A review of the GESSAR II protection system design and the ABWR SAR leads to the conclusion that the functional requirements for the ABWR protection system are substantially similar to those for GESSAR II. Further, it is also concluded that the reactor protection and engineered safety features actuation strategies are not fundamentally different for the two designs. The significant difference with respect to defense in depth considerations is in the implementation of the functional requirements. The GESSAR II protection, control, and information systems are comprised of analog instrumentation; the proposed ABWR protection, control, and information systems are comprised of digital instrumentation.
This section presents a brief summary of differences in design implementation of the proposed ABWR instrumentation as compared to GESSAR II instrumentation previously reviewed. Input sensor interfaces for the protection, control and information systems in the GESSAR II design are hardwired; in the ABWR design many of the inputs are multiplexed via fiber optic networks. Essential and non-essential multiplexer networks were identified by GE for protection, control, and information functions. Outputs from the protection and control systems in the GESSAR II design are hardwired; in the ABWR design many of these outputs are multiplexed via the same fiber optic networks as used for inputs. Protection logic is accomplished by hardwired logic in the GESSAR II design; protection logic is accomplished by software running on microprocessors in the ABWR design. Control and information functions are accomplished by analog circuits and hardwired logic in the GESSAR II design; control functions are accomplished by software running on microprocessors and digital data networks in the ABWR design.

The potential for new common mode failure vulnerabilities that might result from this design evolution arises from the following differences in the ABWR design relative to GESSAR II:
1) Substantial reduction in the number of nuclear boiler system instruments, accomplished by broad sharing of instruments for different systems and functions.
2) The use of identical software elements in the digital systems for protection functions in different divisions.
3) The use of identical software elements in the digital systems for both protection and control functions.
4) The use of hardware having more potential for vulnerability to electromagnetic interference (EMI) or surge.
5) The use of electronic hardware having increased thermal densities, therefore more sensitive to loss of HVAC (for example during a station blackout event).
Design and qualification measures must be identified to address these vulnerabilities. For example, the foregoing assumptions regarding identical software modules were made in the absence of any identifiable design requirements to the contrary, particularly in light of the applicant's standardization objectives.
2. The Scope of the Analysis

2.1 Those Items in the Scope of this Report
The protection system has two main units: the reactor protection system (RPS) and the engineered safety features actuation system (ESFAS). The function of RPS is to initiate the scram of the reactor automatically for all design basis events. This system is analyzed in detail. The ESFAS has a number of subsystems, some of which are examined in detail. Those examined in detail are the emergency core cooling system (ECCS), the automatic depressurization system (ADS) and the leak detection and isolation system (LD&IS). Those systems which are given a more cursory examination (see Appendix B) are the wetwell/drywell sprays, suppression pool cooling, standby gas treatment, emergency diesels, reactor building cooling water, high pressure gas supply, manual bypass and the essential HVAC system and its auxiliaries.

The anticipated transient without scram (ATWS) system is also considered in this analysis for events where it is needed to back up the RPS. ATWS has two parts. The first is the alternate rod insertion function (ARI) and the second is the standby liquid control system (SLCS). The initiation of ARI is analyzed whenever it is needed to scram the reactor, but the SLCS design does not have sufficient detail for an analysis.
Three types of failures defined by section 2.4.2 of NUREG 0493 are in the scope of this study. They are described as follows:

Type 1: "Some failures have the capability to induce plant transients for which scram and/or ESF function is needed. Defense in depth analysis requires that any credible failure of this type should not significantly impair the safety function." In a typical failure of this type, the sensor, channel, or block which fails (causing the transient) may also be required to mitigate the effects of the failure.

Type 2: "Alternatively, failures that do not indirectly cause plant transients requiring safety action could still impair the safety function. Such failures would persist in general until they were discovered and repaired. Such failures would have serious consequences only if an event needing safety action were to occur while the system was in the failed state, after the failure had occurred, and before the failure was discovered."

Type 3: "...For each anticipated operational occurrence in the design basis occurring in conjunction with a CMF, sufficient signal diversity should be provided in the design so that the plant can be brought to a stable hot standby condition...."

The analysis of Appendix A regards failures of types 2 and 3 for the anticipated transients and faults of General Electric SAR Chapter 15. For each event described by Chapter 15, except where a more severe event encompasses the effects of a similar but less severe event, a common mode failure analysis was performed for sensor, channel and block failure as described by NUREG 0493 Guideline 7 and partly by Guideline 8. General Electric categorizes the events of Chapter 15 into three frequency classes:

I. incidents of moderate frequency
II. infrequent events
III. limiting faults

Classes I and II fall within the NUREG 0493 section 1.2.11 definition of "Anticipated Operational Occurrences" and class III matches the section 1.2.12 definition of "Accidents".
The analysis of Appendix D regards failures of type 1 for signals shared between the three echelons of defense. For each such shared signal a common mode failure is assumed that will force the reactor into an unsafe transient, if that is possible. This analysis is mandated by NUREG 0493 Guideline 8. For the purposes of this report, the Definitions of section 1.2 of NUREG 0493 and the Block Concept of section 2.5 are used in their entirety, with modifications as noted to accommodate the differences in architecture between RESAR 414 and the GE ABWR.

2.2 Those Items Not in the Scope of this Report
There are common mode failures of identical sensors which could be postulated. These failures may not be limited to a particular model but may, because of common technology, occur in a large number of devices sold by a manufacturer for measuring parameters in different ranges and in some instances different parameters. For example, pressure transducers can be used for sensing pressure and also for sensing liquid level by sensing differential pressures. The focus of this assessment is on applications of innovative technology and therefore this class of failure is not included in this analysis.

Power supply failures (zero voltage) are not included in this analysis. The scram solenoids for the reactor cause a scram if power is removed, and this analysis does not go beyond that. Further, complex or insidious failures of the various power supplies of the system (high ripple, high voltage, intermediate voltage, surges) are not included in this analysis, since in all cases there is not enough information about the hardware to be employed to be able to predict the effects of these failures.
3. Methods

3.1 NUREG 0493 Guidelines
The Guidelines of NUREG 0493 section 3.3 are applied to this study as described below.
3.1.1 Guideline 1 - General Requirement
"The instrumentation system should provide three echelons of defense in depth: control, scram, and ESF." The General Electric design provides the required three echelons.

3.1.2 Guideline 2 - Method of Evaluation
"The instrumentation system should be subdivided into redundant channels, and each channel should be analyzed as consisting of blocks... The output signals must be assumed to fail in a manner that is credible but that produces the most detrimental consequences..." The General Electric design consists of redundant divisions of sensors and logic. The analysis in this study considers blocks as described in section 3.6.3.2, subject to architectural limitations described in sections 3.6.2.3 and 3.6.3.1. Output signals are assumed to fail with the most detrimental consequences as described in section 3.6.1, Worst Case Assumptions.

3.1.3 Guideline 3 - Postulated Common Mode Failure of Blocks
"Analysis of defense in depth should be performed by postulating concurrent failures of the same block or blocks in all redundant channels." The method of analysis of defense in depth conforming to Guideline 3 is described in section 3.3, and analyses of various events are presented in detail in Appendix A.

3.1.4 Guideline 4 - Use of Identical Hardware and Software Modules
Treatment of identical modules in this study according to Guideline 4 is described and motivated in sections 3.6.1.2, 3.6.2.2, and 3.6.5.4. Sections 3.6.5.6 and 3.6.5.7 list assumptions that certain modules in the General Electric design are not identical.
3.1.5 Guideline 5 - Effect of Other Blocks
During any postulated common mode failure, signals from failed blocks are propagated to downstream blocks, which react correctly to the possibly erroneous signals.

3.1.6 Guideline 6 - Output Signals
Output signals are assumed to function one way; that is, failures cannot propagate backwards into an output.

3.1.7 Guideline 7 - Diversity for Anticipated Operational Occurrences (Failure type 3, NUREG 0493)
General Electric, in their SAR Chapter 15, did not simulate reactor and protection system response for situations in which the preferred initiator signal failed. This study uses GE simulation curves and trip set points to determine diverse initiators, if any (see section 3.3, third paragraph, and section 3.6.2.1). Core cooling combinations described by General Electric (see section 3.6.6.4) are assumed to prevent a non-coolable geometry of the core and violation of the integrity of the primary coolant pressure boundary. Approved cooling combinations and containment isolation are assumed to prevent violation of the integrity of the containment.

3.1.8 Guideline 8 - Diversity Among Echelons of Defense
Common mode failures postulated in accordance with Guidelines 3 through 6 are considered in the studies in both Appendix A and Appendix D, with special attention being paid in Appendix D to signals shared between echelons and to failures caused by the same sensor needed to initiate mitigation.

3.1.8.1 Control/Scram
Failure type 1 (NUREG 0493), the same sensor causing a transient as is required to detect the transient, is considered for control system/scram system interactions in Appendix D. Failure types 2 and 3 are studied in Appendix A.
3.1.8.2 Control/ESF
Failure type 1 (NUREG 0493), the same sensor causing a transient as is required to detect the transient, is considered for control system/ESF system interactions in Appendix D. Failure types 2 and 3 are studied in Appendix A.

3.1.8.3 Scram/ESF
Interconnections between scram and ESF "...(for interlocks providing for scram initiation if certain ESF are initiated, or ESF initiation when a scram occurs, or operating bypass functions)..." (NUREG 0493, par. 3.3.8.3) were considered, but none appear to exist. There are, however, signals shared between the scram and ESF systems, and these are considered in Appendix A and explicitly in Appendix D.

3.1.9 Guideline 9 - Plant Monitoring
The General Electric design transmits signals from the scram and ESF actuation systems to the control system for plant monitoring purposes. Connections and software used to monitor the scram and ESF actuation systems are considered in section 5.5. The possibility that incorrect values returned by the plant monitoring system may cause operators to make adjustments that place the plant in an unsafe condition, or cause it to operate outside regulatory limiting conditions, is considered in sections 5.2.2 and 5.5.

3.2 Type 1 Failure Analysis
The analysis of Appendix D considers failures of type 1 for signals shared between echelons, as shown by Figure 3. Using Guideline 8 (section 3.1.8), each of the eleven shared signals is examined to determine credible common mode failures, and these failures are postulated to study the reactions of the involved echelons acting together. In the words of section 2.1, sixth paragraph, NUREG 0493, "...it is important that transients or control system failures needing protection system action for safety not also induce protection system failure." While the emphasis is on transients induced by the postulated failures, effects of type 2 failures are also considered in case there may be inter-echelon dependencies not discovered in the method described in section 3.3, following.
3.3 Types 2 and 3 Failure Analysis
In accordance with Guideline 7 (section 3.1.7) and the definitions of failure type 3, common mode failures were postulated and analyzed for each of the events of Chapter 15 of the SAR which required the invocation of the protection systems. By including limiting faults of Chapter 15, failures of type 2 were also analyzed for design basis accidents for the ABWR. To facilitate this analysis, a chart was developed to systematically record failed signals or blocks and to indicate the results of each failure. This chart, together with explanations and illustrations, is shown in Figure 1, Analysis Chart.

For each event of Chapter 15 which challenged the protection system, a set of assumptions was made about the way the protection system would fail and also about facts which were unclear or unknown. These assumptions were divided into general assumptions (section 3.6 of this report) and assumptions specific to the event being analyzed.

The starting place for the analysis of each event was the associated sequence table and the curves which appear in Chapter 15. (The tables were, in fact, derived from the curves, which are the output of computer simulation runs made by GE for the event.) The General Electric analysis of Chapter 15 always assumed correct functioning of the protection system. Where postulated common mode failures rendered primary protective action initiators ineffective, it was necessary to combine assumptions, results of the simulations, and knowledge of reactor physics and thermal hydraulic characteristics to determine secondary initiators, if any existed.

Sensor channels were failed one at a time across all divisions simultaneously to determine if there was enough diversity and defense in depth to mitigate the effects of the event. General Electric logic diagrams (IBDs), system architecture (see Figure 4), and various amendments to the SAR (see References) were used to determine the probable reaction of the protection system to the challenge presented. After the analysis of individual channels was complete, system blocks were failed and the effect of the block failures analyzed in the same way.
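The two enumerations described in sections 3.2 and 3.3 (fail each signal shared between echelons and ask whether detection of the transient it induces survives; fail each sensor channel and then each block across all divisions and look for a remaining diverse initiator) can be written down as a small model. The Python below is an added example, not a tool or data from this report: the events, channel names, signal routings and shared-signal flags are constructed illustrations, the block types MPX, DTM and TLU are those named in section 3.6.3.2 as the postulated block failure points, and the worst case assumption of section 3.6.1.1 is applied throughout (a failed channel or block takes no protective action).

```python
from dataclasses import dataclass

# Block types in which a common mode failure is postulated (section 3.6.3.2):
# multiplexer, digital trip module, trip logic unit. Per Guideline 3 and
# section 3.6.1.2, a failed block is failed in every division at once.
BLOCKS = ("MPX", "DTM", "TLU")


@dataclass(frozen=True)
class Channel:
    """A signal channel (section 3.6.3): the sensor and all that carries its identity."""
    name: str
    path: tuple                        # blocks the channel passes through before trip logic
    shared_with_control: bool = False  # also used by the control echelon (Figure 3 style)


@dataclass(frozen=True)
class Event:
    """A Chapter 15 style event with the trip signals that can mitigate it."""
    name: str
    initiators: tuple        # channels whose trip mitigates the event, preferred first
    induced_by: tuple = ()   # shared channels whose own failure could cause this event


# Constructed, hypothetical channels: names, routings and sharing are illustrations only.
PRESSURE = Channel("reactor_pressure_high", ("MPX", "DTM", "TLU"), shared_with_control=True)
LEVEL = Channel("reactor_water_level_low", ("MPX", "DTM", "TLU"), shared_with_control=True)
FLUX = Channel("neutron_flux_high", ("DTM", "TLU"))  # assumed to enter downstream of the MPX
TSV = Channel("turbine_stop_valve_closure", ("MPX", "DTM", "TLU"))
CHANNELS = (PRESSURE, LEVEL, FLUX, TSV)

# Constructed, hypothetical events.
EVENTS = (
    Event("turbine_trip", (TSV, FLUX, PRESSURE)),
    Event("pressure_regulator_failure", (PRESSURE, FLUX), induced_by=(PRESSURE,)),
    Event("loss_of_feedwater", (LEVEL,), induced_by=(LEVEL,)),
)


def surviving_initiators(event, failed_channel=None, failed_block=None):
    """Initiators still able to trip after a postulated CMF across all divisions.
    Worst case (section 3.6.1.1): a failed channel or block takes no protective action."""
    left = []
    for ch in event.initiators:
        if failed_channel is not None and ch.name == failed_channel:
            continue
        if failed_block is not None and failed_block in ch.path:
            continue
        left.append(ch.name)
    return left


def analysis_chart(events=EVENTS):
    """Section 3.3 procedure: for every event fail each initiator channel across all
    divisions, then each block type, and record which initiators remain (Figure 1 style)."""
    chart = {}
    for ev in events:
        rows = {}
        for ch in ev.initiators:
            rows[("channel", ch.name)] = surviving_initiators(ev, failed_channel=ch.name)
        for block in BLOCKS:
            rows[("block", block)] = surviving_initiators(ev, failed_block=block)
        chart[ev.name] = rows
    return chart


def vulnerabilities(chart):
    """Section 3.5 summary: postulated failures after which no diverse initiator remains."""
    return sorted((ev, kind, what)
                  for ev, rows in chart.items()
                  for (kind, what), left in rows.items() if not left)


def shared_signal_findings(events=EVENTS, channels=CHANNELS):
    """Section 3.2 / Guideline 8 (type 1): for each signal shared between echelons, assume
    its failure induces the transient and check that detection does not rely on it."""
    findings = []
    for ch in channels:
        if not ch.shared_with_control:
            continue
        for ev in events:
            if ch in ev.induced_by:
                findings.append((ch.name, ev.name,
                                 tuple(surviving_initiators(ev, failed_channel=ch.name))))
    return findings


if __name__ == "__main__":
    chart = analysis_chart()
    for ev, rows in chart.items():
        for (kind, what), left in rows.items():
            print(f"{ev:27} fail {kind:7} {what:27} -> {', '.join(left) or 'NO DIVERSE INITIATOR'}")
    print("vulnerabilities:", vulnerabilities(chart))
    for ch, ev, left in shared_signal_findings():
        print(f"type 1: {ch} failure inducing {ev}: remaining {list(left) or 'NONE'}")
```

Run as a script it prints one row per (event, postulated failure) in the manner of the analysis chart. In this constructed data the hardwired flux channel is what survives an MPX block failure, every DTM or TLU block failure leaves no initiator at all, and the level signal is both the only initiator for the feedwater event and the shared signal whose failure could induce it, which is the type 1 dependency Guideline 8 is looking for.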
[Figure 1: Analysis Chart]

3.4 The Trip Tables
To assist in the analysis methods described in sections 3.2 and 3.3, a set of tables was made up, one for each mitigation system of the protection system.
These tables show all of the inputs to a particular sub-function of a trip action and the effect of the trip once the necessary inputs are present, although the detailed logic is not shown. These tables are used to consolidate information which may appear on a number of pages of the SAR, so as to remind the reviewer of the signals important to each protective function. These tables appear in Appendix C.
3.5 Summarizing Findings
After the analyses of sections 3.2 and 3.3 were complete (Appendices D and A, respectively), the vulnerabilities revealed were summarized in section 5 of this study.

3.6 General Assumptions
The assumptions of this section apply to all of the analyses performed. They are categorized by their relationship to various GE documents or by their applicability.
3.6.1 Worst Case Assumptions

3.6.1.1 Failures are assumed to occur in the most limiting fashion possible consistent with hardware or software construction. For example, a module which energizes to trip is assumed to take no action, or a module which de-energizes to trip is assumed to fail so that it continues to block trip (NUREG 0493 Guideline 2).

3.6.1.2 Software which is essentially identical except for constant or address parameters is assumed to fail identically. Identical software/hardware modules in separate divisions are assumed to fail simultaneously (NUREG 0493 Guideline 4).

3.6.1.3 Failures are assumed to be latent and undetectable until stressed by event or accident, at which time the failure becomes manifest.
3.6.2 Assumptions based on GE texts

3.6.2.1 Reactor physics and thermal hydraulic analyses, as described by GE's Table 15.0-2 (Ref. 1) and the simulation curves in Chapter 15, are assumed to be correct. Initial conditions and trip points described in Table 15.0-1 are used in conjunction with Table 15.0-2 and Chapter 15 simulation curves to determine secondary and tertiary trips, if needed.

3.6.2.2 Common software modules will be used for similar functions where they occur [Ref. 4]. This means that similar modules in each protection system division are assumed to have essentially identical software.

3.6.2.3 Sensor signals are intermingled once they enter the multiplexer system and are identified only by software [Ref. 4]. Signals entering at points other than the multiplexer are assumed to be identified only by software also. See the discussion of signal channels below.

3.6.2.4 "Autodiagnostic software and hardware watchdog timers" [Ref. 4] are assumed to detect only malfunctions anticipated by software designers, but not unintended errors made by software designers.

3.6.3 Assumptions based on GE software structure
For the purposes of this study a signal channel is defined as a sensor, signal conditioning circuitry, A to D converter if required, and all of the software which is needed to maintain the identity and integrity of the sensor signal through to where the signal is used in the process.(1) Further, as long as a derived signal is derived from only one sensor signal, the software which maintains the identity of this derived signal shall be considered as part of the original signal channel. If a derived signal is dependent on more than one sensor signal, then this derived signal will have a unique identity and there will be defined a derived signal channel which has all of the characteristics of a signal channel except for the sensor and its attendant signal processor and converter.

(1) This meets the definition of a channel as it appears in IEEE 279.
3.6.3.1 A failure in a signal channel can be caused by a number of events: calibration error, an error introduced when a software change is made, an existing error in the software which causes a channel to become corrupted, etc.
Based on General Electric's statements regarding common software modules (Ref. 4), it is highly likely that software changes in all four divisions will be made as if only one change were being made. Thus it is conceivable that a common mode failure of a channel can be introduced and be undetected for some time.
Therefore, one type of common mode failure assumed in this study is a channel failure occurring over all divisions of the protection system.
3.6.3.2 Another type of common mode failure assumed in this study is the simultaneous failure of all like modules (blocks) in all divisions.
Failure is assumed undetectable by downstream modules.
NUREG 0493 "Measured Variable Blocks" (MVB) correspond to sensors, signal conditioning, analog to digital converters, remote multiplexing units (RMUs), transmission media, and control room multiplexing units (CMUs) in the General Electric design.
NUREG 0493 "Derived Variable Blocks" (DVB) correspond to digital trip modules (DTMs) in the General Electric design.
NUREG 0493 "Command Blocks" (CB) correspond to trip logic modules (TLUs) in the General Electric design.
"Actuation Blocks" (AB) correspond to output logic units (OLUs), load drivers, or CMUs, transmission media, and RMUs in the General Electric design. The correspondences stated are imprecise because of the intermingling which occurs in the General Electric multiplexing scheme and because the TLU has some of the characteristics of a DVB.
For this reason, NUREG 0493 common mode block failure is assumed to occur in the multiplexer (MPX)2, the DTMs, and the TLUs.
3.6.4 Assumptions contrary to GE assumptions
This study differs on several assumptions made in Amendment 18, Appendix 19N to the General Electric PRA for ABWR, submitted to the NRC on October 11, 1991.
3.6.4.1 Manufacturing error is considered a credible cause of common mode failure.
Errata sheets and buglists for delivered hardware are common occurrences for more complicated integrated circuits (such as microprocessors) and the possibility of undetected design or manufacturing process error cannot be ruled out.
Furthermore, corrections3 to printed circuit boards (PCBs) which use integrated circuits are common in the industry.
Both integrated circuit and printed circuit manufacturing errors may not be obvious until an appropriate set of inputs, instruction sequences, and environmental conditions challenge the equipment.
2 The MPX consists of RMU, transmission media and CMU, considered as a unit.
3.6.4.2 Loss of data communication is only one of many failures which can occur in data communications systems.
Many faults are undetectable downstream.
One such fault is the transmission of plausible but incorrect data, which is the fault assumed in this study.
3.6.4.3 Failure of a "de-energize to trip" mode is possible anywhere software is involved.
3.6.4.4 Software self test and watchdog timers can detect only those errors anticipated by system designers.
It is assumed in this study that all common mode failures which occur were not anticipated by designers, otherwise they would have been fixed.
Therefore, it is assumed that failures of upstream blocks cannot be detected by downstream blocks.
3.6.5 Assumptions based on GE's logic diagrams
It is impossible to tell from GE's logic diagrams (IBDs and P&IDs) where some logic functions are implemented.
Therefore, some of the following assumptions are made with regard to the module location of signal and trip logic shown in General Electric IBDs in Chapter 7 of the SAR.
Some of the assumptions below, in particular 3.6.5.6, 3.6.5.7 and 3.6.5.9, assert diversity which is speculative.
If this diversity does not exist in the final product, the analysis will change in the direction of more vulnerability.
3.6.5.1 Logic functions such as limit switches and torque limit switches associated with motor operated valves or actuators are assumed to be hardwired to the associated motor control center because of location and industry practice.
3 In the form of cut traces or wires soldered to the surface of the PCB.
3.6.5.2 Logic functions involving the positions of valves, switches, or interlocks other than the valve directly being controlled are assumed to require the multiplexer and the TLU because of distance, wiring economy, and lack of indication by General Electric that this logic is implemented by directly wiring to the motor control center of interest.
3.6.5.3 "Manual" control switches are assumed to require the multiplexer and the TLU to be effective because General Electric drawings indicate that this is the case (see General Electric drawing 103E1805, sheets 1-5).
3.6.5.4 The Non-Essential Multiplexer (NEMS) and the Essential Multiplexer (EMS) are identical with the exception of the sensors connected.
Both use essentially identical software [Ref. 4].
A common mode failure in multiplexer software renders the NEMS and the EMS inoperative or transmitting erroneous but plausible information.
3.6.5.5 The Alternate Rod Insertion (ARI) is initiated by signals passing through the NEMS and by one signal (low water level) passing through the EMS [Ref. 5]. In the absence of other information, it is assumed that the Standby Liquid Control System (SLCS) is initiated by the same signals as the ARI.
3.6.5.6 The DTM and the control system are sufficiently diverse that a failure in the DTM preventing scram does not imply a failure of ARI.
3.6.5.7 The MPX and the DTM have diverse software so that a failure in one does not imply a failure in the other.
3.6.5.8 The TLU is the only unit that sends information to the control system for display to the operators.
Only status and trip information is sent.
3.6.5.9 The eight wide range water level transmitters, B21-LT353A through H, are used as two presumably diverse groups, A-D and E-H. It is assumed that these two sensor groups are treated separately in software so that a common mode channel failure of one group does not affect the other group.
3.6.5.10 The ECCS initiation preference is:
1) RCIC (water level 2, channel group B21-LT353(A-D)),
2) HPCF (water level 1.5, channel group B21-LT353(E-H)),
3) LPFL (water level 1, channel groups B21-LT353(A-D),(E-H)).
3.6.6 Assumptions for echelon Defense in Depth (DID)
3.6.6.1 In all normal fuel configurations, the reactor control rods have at least the cold shutdown margin control of reactivity even with all recirculation pumps running at maximum flow.
3.6.6.2 The fuel rods will experience damage if uncovered or if significant boiling occurs at fuel rod surfaces.
Cladding damage is an unacceptable consequence.
3.6.6.3 The echelons of defense are the control system, the reactor protection system (RPS), and the engineered safety features (ESF). See Figure 2.
The only signals common to the echelons are shown in Figure 3.
Mitigating functions for ATWS events are to be implemented by GE as part of the control system.
3.6.6.4 The mitigation combinations described in Amendment 14, Table 19.3-2 "Success Criteria to Prevent Initial Core Damage for Transients and LOCA Events with RPS Scram," General Electric SAR, are assumed to be correct.
Because no data are given for events without scram, it is assumed in this study that no combination of control system (excluding scram by ARI and FMCRD) and ESF actions can compensate for failure to scram from full power and that unacceptable consequences will occur if this happens.
3.6.6.5 Manual actuation of scram or ESF mitigation features is considered to be a backup defense if the conditions of NUREG 0493 for manual actuation are met:
1) The postulated CMF does not impair manual control from the control room,
2) Sufficient information is available to the operator,
Figure 2 Echelon diagram showing possible interactions (dotted). [Diagram of the control system, RPS and ESFAS echelons; graphical content not recoverable from the scan.]
Figure 3 Echelon diagram showing possible interactions (dotted) and shared signals. [Diagram; signal labels legible in the scan: FWC NR water level, RPV dome pressure, reactor water level (control system / ATWS); RIP shared signals Pos 001(A-D) turbine stop valve 85% and Pos 004(A-D) turbine fast close solenoid; nuclear monitor system scram (scram follow); PT 306(A-D) drywell pressure; LT 351(A-D) reactor water level; PT 301(A-D) reactor vessel pressure.]
3) Sufficient time is available for operator analysis, decision, and action.
4) Sufficient information and time are available for the operator to detect, analyze, and correct reasonably probable errors of operator function.
For the purposes of this study, operator backup actions are assumed to require at least five minutes to be considered effective defense in depth backup.
3.7 Evaluation Criteria
The only criterion for success is whether or not the protection system performs adequately with the failure.
Thus, if the RPS, ARI or SLCS shuts down the reaction if required by the postulated failure, that part of the protection system is deemed to have operated successfully. If the ECCS functions adequately to prevent damage to the core with the postulated failure, that part of the system is deemed to have worked successfully.
3.8 Some Disclaimers
The reader of this report needs to understand some issues so that there are no misunderstandings of what the report contains. Further, there are some parts which take some skill in interpretation and those items need to be indicated to the reader.
3.8.1 The words "failure", "common mode failure" and "CMF" are used interchangeably.
The context should make clear when "failure" means a CMF.
3.8.2 The words "sensor", "channel" and "sensor channel" are used interchangeably and context should make clear when this interchangeability is implied.
3.8.3 The CMF analysis charts do not stand alone and they vary from chart to chart in column and line headings.
The assumptions and conclusions are a necessary part of an analysis and an understanding of the GE ABWR is required.
3.8.4 This analysis does not claim to have found all common mode failure vulnerabilities which may be in the design.
The primary purpose was to identify sensitivity to adverse interactions among the three defense echelons.
4. Description of the Design
4.1 Design Basis
4.1.1 Regulations and Standards Requirements
Design basis requirements pertinent to defense in depth and diversity that have been identified by GE in the SAR for the ABWR design include the regulations and standards summarized in this section. 10 CFR 50 Appendix A, "General Design Criteria", states in part in the Introduction that:
"The development of these General Design Criteria is not yet complete.... some of the specific design requirements for structures, systems, and components important to safety have not as yet been suitably defined. Their omission does not relieve any applicant from considering these matters in the design of a specific facility and satisfying the necessary safety requirements.
These matters include:
...(2) Consideration of redundancy and diversity requirements for fluid systems important to safety...the minimum acceptable redundancy and diversity of subsystems and components within a subsystem, and the required interconnection and independence of the subsystems have not yet been developed or defined. (See Criteria 34, 35, 38, 41, and 44).
...(4) Consideration of the possibility of systematic, nonrandom, concurrent failures of redundant elements in the design of protection systems and reactivity control systems. (See Criteria 22, 24, 26, and 29).
...There will be some water cooled nuclear power plants for which the General Design Criteria are not sufficient and for which additional criteria must be identified and satisfied in the interest of public safety.
In particular, it is expected that
additional or different criteria will be needed...for water cooled nuclear power units of advanced design."
From the General Design Criteria of 10 CFR 50 Appendix A:
21) "Protection system reliability and testability" requires in part that "...no single failure results in loss of the protection system..."
22) "Protection system independence" requires in part that "Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function."
23) "Protection system failure modes" requires that: "The protection system shall be designed to fail in a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air) or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced."
24) "Separation of protection and control systems" requires in part that: "Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired."
29) "Protection against anticipated operational occurrences" requires that: "The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences."
10 CFR 50.55a(h) requires that protection systems meet the requirements of IEEE Std 279.
IEEE Std 279 includes the following requirements:
"4.2 Single Failure Criterion. Any single failure within the protection system shall not prevent proper protective action at the system level when required.
"4.7.4 Multiple Failures Resulting From a Credible Single Event. Where a credible single event can cause a control system action that results in a condition requiring protective action and can concurrently prevent the protective action from those protection system channels designated to provide principal protection against the condition, one of the following must be met.
"4.7.4.1 Alternate channels, not subject to failure resulting from the same single event, shall be provided to limit the consequences of this event to a value specified by the design bases. In the selection of alternate channels, consideration should be given to (1) channels that sense a set of variables different from the principal channels, (2) channels that use equipment different from that of the principal channels to sense the same variable, and (3) channels that sense a set of variables different from those of the principal protection channels using equipment different from that of the principal protection channels. Both the principal and alternate protection channels shall meet all the requirements of this document.
"4.7.4.2 Equipment, not subject to failure caused by the same credible single event, shall be provided to detect the event and limit the consequences to a value specified by the design bases. Such equipment shall meet all the requirements of this document."
IEEE Std 603-1980 includes criteria substantially similar to the foregoing IEEE Std 279 requirements.
4.1.2 Other Design Basis Requirements
GE has indicated to the NRC staff recently (Ref. 4) that standardization of hardware and software modules is a design objective.
4.2 Architecture
The Instrumentation and Control System for the GE ABWR consists of three echelons (Figure 2), the Reactor Protection System (RPS), the Engineered Safety Features Actuation System (ESFAS or ESF), and the control system.
A diverse method for scramming the reactor, anticipated transient without scram (ATWS), is being implemented as part of the control system.
For the most part, these echelons are separate.
However, some signals are shared between echelons, and this is shown in Figure 3 with ATWS and RIP trip being made explicit.
The protection system for the GE ABWR is divided into four independent and redundant divisions. Voting takes place among the four divisions to decide on actions, with two out of four being enough for action.
A division bypass function is available so that one division can be maintained while the other three vote in a two-out-of-three configuration.
If one division is bypassed, no other division can be bypassed.
Each division has its own set of sensors, each of which has an A to D converter if required, which are connected through either a multiplexer or directly to the digital processing system.
Following the multiplexer are two digital subsystems, a Digital Trip Module (DTM) which compares digital representations of analog signals against set points and delivers a decision (below, above) to the Trip Logic Unit (TLU) which performs combinatorial logic on various binary signals to determine a binary output.
This binary signal then passes to a final two out of four voter.
Binary signals from DTMs are also passed across divisions to all of the TLUs to allow voting in the TLUs also.
This is to avoid spurious cross channel trips.
Thus for each signal which can cause a trip, a vote is taken among the signals to determine if there are at least two signals which assert a trip. Then the division asserts a trip. Finally, the divisions vote, with two divisions sufficient to cause a trip.
In the RPS, the four divisions are identical.
Such is not the case in the ESFAS.
Whereas two out of four voting is maintained in ESFAS, there are a number of asymmetries which are not found in the RPS.
For the purposes of this analysis, the four divisions have been collapsed into one with the elements shown in Figure 4.
The elements shown are essentially those of the system architecture.
But they also serve as the blocks of a NUREG 0493 type analysis.
Thus, in the analysis, in addition to the channel failures which make a particular sensor fail according to assumption 3.6.3.1, the blocks of the figure are failed according to assumption 3.6.3.2.
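As an added worked example (not from the report and not GE's software), the following Python model traces one low water level trip parameter through the path just described, applying the division bypass rule of this section and the channel fault of assumption 3.6.3.1 first to a single division and then to all four; all setpoints and level values are constructed.

```python
"""Added illustrative model of the section 4.2 trip path:
signal channel -> DTM setpoint comparison -> cross-division vote in the
TLUs -> final two-out-of-four division voter, with the division bypass rule
and the channel common mode failure (CMF) of assumption 3.6.3.1.
Not GE's software; all level values and setpoints are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed, scaled water-level values (illustration only, not plant data).
LEVEL_3_SCRAM_SETPOINT = 3.0   # low water level scram setpoint (Level 3)
LEVEL_8_HIGH = 8.0             # high water level (L8)


def healthy_channel(true_level: float) -> float:
    """A sound signal channel delivers the process value."""
    return true_level


def stuck_high_channel(true_level: float) -> float:
    """Channel fault of section 5.2.1: the channel sticks above L8 regardless
    of the process, so downstream logic sees plausible but wrong data."""
    return LEVEL_8_HIGH + 0.5


@dataclass
class Division:
    name: str
    channel: Callable[[float], float]   # sensor, conditioning and software (3.6.3)
    bypassed: bool = False


def dtm_low_level_decision(reading: float) -> bool:
    """Digital Trip Module: compares the digitised signal with the setpoint
    and delivers a binary decision (True = below setpoint, trip demanded)."""
    return reading < LEVEL_3_SCRAM_SETPOINT


def set_bypass(divisions: List[Division], name: Optional[str]) -> None:
    """Division bypass: one division may be taken out for maintenance;
    a second bypass is refused (section 4.2)."""
    if name is None:
        return
    if any(d.bypassed for d in divisions):
        raise ValueError("only one division may be bypassed at a time")
    next(d for d in divisions if d.name == name).bypassed = True


def tlu_vote(dtm_decisions: Dict[str, bool]) -> bool:
    """Trip Logic Unit: every TLU receives the DTM decisions of all active
    divisions and asserts a trip when at least two of them demand it
    (two-out-of-four, or two-out-of-three with one division bypassed)."""
    return sum(dtm_decisions.values()) >= 2


def rps_scram(divisions: List[Division], true_level: float) -> Dict[str, object]:
    """Trace one trip parameter through the collapsed architecture."""
    active = [d for d in divisions if not d.bypassed]
    dtm = {d.name: dtm_low_level_decision(d.channel(true_level)) for d in active}
    division_trip = {d.name: tlu_vote(dtm) for d in active}
    # Final voter: two divisions asserting a trip are sufficient.
    scram = sum(division_trip.values()) >= 2
    return {"dtm": dtm, "division_trip": division_trip, "scram": scram}


def scenarios() -> Dict[str, bool]:
    """Constructed cases with the true level below the Level 3 setpoint,
    so a scram is required in every case."""
    low_level = 1.0
    healthy = [Division(n, healthy_channel) for n in "ABCD"]
    one_fault = [Division("A", stuck_high_channel)] + [Division(n, healthy_channel) for n in "BCD"]
    one_fault_bypass = [Division("A", stuck_high_channel)] + [Division(n, healthy_channel) for n in "BCD"]
    set_bypass(one_fault_bypass, "B")
    # Assumption 3.6.3.1: the same channel fault appears in all four divisions.
    cmf = [Division(n, stuck_high_channel) for n in "ABCD"]
    return {
        "healthy": rps_scram(healthy, low_level)["scram"],                            # True
        "single_channel_fault": rps_scram(one_fault, low_level)["scram"],             # True: 3 of 4 trip
        "single_fault_with_bypass": rps_scram(one_fault_bypass, low_level)["scram"],  # True: 2 of 3 trip
        "channel_cmf_all_divisions": rps_scram(cmf, low_level)["scram"],              # False: redundancy defeated
    }


if __name__ == "__main__":
    for case, scram in scenarios().items():
        print(f"{case:28s} scram={scram}")
```

The last case is the one the report's findings turn on: four redundant channels carrying the same latent fault never raise a trip demand, so the voting logic cannot help and only a diverse signal (such as the MSLIV position trip in section 5.2.1) can.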
[Figure 4 (page 26): the four divisions collapsed into one, showing the elements used as analysis blocks. Figure 5 (page 27): the same architecture with only the signals shared between echelons. Graphical content not recoverable from the scan.]
Figure 5 shows the architecture with only the signals shared between
echelons (compare with echelon diagram Figure 3). Signal flow is demonstrated in Figure 6 (the LT-353 signal that passes through the EMS) and in Figure 7 (turbine switches that enter the RPS DTM and are passed to the control system through an optical isolator).
The documentation for how the MSLIVs are controlled is reasonably clear but exactly where control is exercised is confused. On GE drawing 103E1805 sheets 1-5, the MSLIVs are shown as connected directly to the TLUs of the RPS. But those same drawings show the LDS as part of the ESFAS. On the IBDs for the LD&IS (LDS) are shown all of the logic for the actuation of the MSLIVs. Further, in Ref. 2, page 1 of the List of Equipment Interface with the Essential Mux Signals (sic), the MSIVs are shown, from which it could be inferred that the MSIVs are actuated through the multiplexer. It has been assumed for this analysis that the control of the MSLIVs rests in the ESFAS but that the software which evaluates the various functions for operating the MSLIVs runs on the DTM and TLU which also evaluate RPS functions. Further, it is assumed that the actuation signals for the valves are hardwired from the RPS/MSIV TLUs to the valve load drivers. These assumptions blur the separation between RPS and ESFAS but do not affect the analysis.
4.3 Signal Diversity
The Trip Tables (Appendix C) show the diverse signals which are available to trip the various functions required by the protection system. Not all signals are operative for each event of Chapter 15. This does not imply that there are failures but only that certain signals do not cross necessary thresholds for every event.
5. Findings
Documentation of the analyses performed as described in sections 3.2 and 3.3 is in Appendices D and A, respectively. Figure 8 is a chart summarizing the results of the analysis of Appendix A. A short discussion of systems for which design is particularly sketchy appears in Appendix B. This section summarizes the vulnerabilities discovered during detailed analysis.
These findings are valid only so far as the assumptions made are correct. If the assumptions are ignored or overlooked, meaning may be attached to the findings which is not real.
[Figure 6 and Figure 7 (pages 29-30): the signal flow diagrams described in the text above; graphical content not recoverable from the scan.]
Figure 8 Vulnerability summary of data in Appendix A. [Chart; legend legible in the scan: blank = not involved or not affected, S = scram vulnerability, E = ESFAS vulnerability, I = isolation vulnerability. Rows are Chapter 15 events (Runout 2 FWP, Pressure Reg Fail, Inadv. Cooling, Load Rejection, Turbine Trip, Inadv. MSIV Closure, Loss Cond. Vac., Loss Aux XFMR, Loss Feedwater, Trip all RIPs, Inadv. Rod Rem., Runout RIPs, Outside LOCA, Inside LOCA, Feedwater LOCA); the column headings and cell entries are not recoverable from the scan.]
The design analyzed is primarily an architecture and does not contain all of the necessary detail for a complete design. Where detail is present, an analysis of the detail is presented. Where detail is inadequate, analysis of the architecture is presented. These findings reflect the state of the design.
5.1 Successful Operation
The analysis of Appendix A demonstrates that for many common-mode failures there is sufficient diversity and defense in depth in the protection systems to mitigate the effects of the failures. They will not be listed here because of the number. The reader is encouraged to examine the Appendix if he is interested in specific cases.
5.2 Areas of Concern
No signal in the design presented crosses all three echelons of defense. There are, however, several signals which cross two echelons. Further, one block, the TLU, links two echelons and one block, the multiplexer, links all echelons. This section presents findings regarding those signals and blocks where vulnerabilities were found. This is the separation issue of NUREG 0493, section 2.4.2. More appears in Appendix D.
5.2.1 B21-LT351 A-D
This is a set of four narrow range water level transmitters used for several functions. The functions of most interest are those of low-water-level scram and high water-level shutoff of the RCIC and HPCF. For RCIC it shuts down the whole system including the turbine. For HPCF it closes the injection valve. Thus these transmitters cross the RPS and ESFAS echelons (Figure 9). If this transmitter or its associated signal channel should stick in the high water-level state (>L8) the reactor would not scram on its normal low-water-level condition, RCIC would not initiate, and although the HPCF pumps would start, the HPCF injection valve would not open. This can all be seen from the IBDs included in Chapter 7. Once the water level gets low enough, the MSLIVs will close and a diverse reactor trip will be initiated when the MSLIVs are at 85% open.
5.2.2 APRM
The APRM produces a high flux scram for the RPS, provides information on which rod block determinations are made by the control system, provides neutron flux level used for automatic load following by the rod control system, and provides neutron flux level information for use by operators. Thus it links the control, manual control and RPS echelons (Figure 9). A failure of the APRM could prevent a rod block from occurring (this is not clear from the documentation) while simultaneously preventing a high flux scram from occurring. Under reporting neutron flux levels by the APRM has the potential for inducing high flux operation of the reactor either by automatic (Guideline 8) or manual control (Guideline 9) while preventing a high flux scram. This is a vulnerability that should be examined carefully.
5.2.3 B21-LT353A-D
In the rather sketchy ATWS documentation [Ref. 5] it is stated that the SSLC provides water level information to the control system for initiating ARI on low water level. For this study it is assumed that the above sensor is the one used. This sensor is used to initiate RCIC in the ESFAS. This sensor therefore links both ESFAS and the control system. Thus a failure of this sensor will prevent RCIC from initiating and will inhibit ARI should it be needed. However, if this sensor fails a diverse reactor low-water scram would be initiated by B21-LT351A-D and a diverse initiation of HPCF would occur through B21-LT353E-H.
5.2.4 Multiplexer
The multiplexer in this system links all three echelons. It carries low water level data and rod-separation information to the control system to initiate ARI and rod-block. It carries a large number of signals to both ESFAS and RPS. (Some RPS signals are wired directly to either the DTM or TLU of the RPS.) This linkage could cause unacceptable failures by preventing scram when needed and simultaneously preventing ARI and the initiation of ECCS. (SLCS may be affected by this linkage, but there is no information on how SLCS is initiated automatically. It is stated in section 3 3.5.2 of the SAR that SLCS can be manually initiated.)
Figure 9 Echelon diagram showing shared signals which are vulnerable to causing multiple failures either by induced transient (fault type 1) or by latent fault (fault type 2). [Diagram; vulnerable signals labelled in the scan: LT-353 reactor water level, nuclear monitor system, LT-351(A-D) reactor water level.]
5.2.5 The TLU
On GE drawing 103E1805, sheets 1-5, it is indicated that manual control of the ECCS from the control room is exercised through the TLU and the multiplexer. A failure of the TLU will not only prevent automatic initiation of the ECCS but will also prevent manual initiation of that system. Further, if the multiplexer fails in such a way that initiation signals are inhibited, manual and automatic initiation of the ECCS is similarly prevented.
5.2.6 High water level
Although this assessment does not include detailed analysis of the control system, a potential problem was observed in the control system while searching the documentation and that problem is presented here. In the control system, the same water level sensors which are used to control feedwater flow are also used to initiate high water turbine trip. Thus a failure which could induce an off-normal condition also inhibits corrective action. The RPS does not trip on high water level but does scram on turbine stop valve closure, which in this case will not occur (Figure 10). Although high water level is not an immediate danger to the reactor, the potential exists for this condition to remain for extended periods of time. It may be appropriate to review the effects of lengthy uncontrolled reactor high water level.
5.2.7 Local Control
Valves, pumps, and other effectors may be inoperable from local motor control centers if control room electronics fail or multiplexers fail. Logic diagrams for various devices are unclear about where logic functions are implemented and whether such functions are interconnected through the multiplexers. Some of these functions can block operation of motor contactors according to General Electric IBDs. For example, the HPCF injector valve (Figure 7.3-1d HPCF IBD sheet 4) may be inoperable from the local motor control center. Likewise, the HPCF pump (Figure 7.3-1c) may be inoperable. Figure 7.3-3j MO F031 shows a valve which looks like a correctly hardwired local motor control center (would work if remote electronics died), but this depends upon the assumption that
Figure 10 Echelon diagram showing shared water level signal (in control system) which may result in persistent high reactor water level. RPS will not scram because linkage is through turbine stop valve switches. [Diagram; labels legible in the scan: LT452(A-C) FWC NR water level, trip level, Pos 001(A-D) turbine stop valve 85%.]
logic functions that look like motor control centers really are motor control centers.
5.3 Digital Systems Issues
The digital systems (multiplexer, DTM, TLU) are the main vulnerabilities of the protection system. Postulated common mode failures in these modules prevent initiation of the ECCS, MSLIV closure and in some cases suppress necessary reactor scram initiation and ATWS mitigation. Further, the DTM and TLU that operate the RPS also operate the MSLIVs which are part of ESFAS. This provides a strong link between the RPS and ESFAS echelons which might prove detrimental to safe operation.
5.4 Initiation of LPFL as Backup to RCIC or HPCF
The LPFL pumps start if either low water level in the reactor is sensed or high drywell pressure is sensed. This seems to be as it should be. However, the LPFL cannot get water into the RPV unless the vessel is de-pressurized. This requires the initiation of ADS and that requires both high drywell pressure and low reactor water level. Thus LPFL is an effective backup to RCIC or HPCF only if a LOCA occurs within containment.
5.5 Plant Monitoring
The RPS and ESFAS are connected to the plant monitoring system by means for which there is no communication protocol specified or known. It therefore cannot be determined whether the plant monitor significantly impedes RPS and ESFAS or increases their complexity.
Failures of the digital units of the protection system (MPX, DTM, TLU) prevent the transmission of protection system status to the operators. The consequences of this are undetermined.
References

1) GE SAR, chapters 6, 7, 15.

2) Additional information transmitted to James Stewart (NRC) by R. W. Strong (GE) on October 22, 1991.

3) Answers to NRC concerns faxed by an unknown person (GE) to Jim Stewart and Chet Poslusny (NRC) on October 4, 1991.

4) Viewgraphs presented by M. A. Ross and B. H. Simon (GE) to the NRC on October 10, 1991.

5) ATWS supplemental information presumably authored by GE and faxed from Jim Stewart (NRC) to Robert H. Wyman (LLNL) on October 23, 1991.

6) NUREG 0493, A Defense in Depth and Diversity Assessment of the RESAR 414 Integrated Protection System.
Acronym | Definition | Reference
ABWR | Advanced BWR | GE
ADS | Automatic Depressurization System | GE
APRM | Average Power Range neutron Monitor (NMS) | GE
ARI | Alternate Rod Insertion function | NRC
ATIP | Automated Traversing In-core Probe (neutron monitor) | GE
ATWS | Anticipated Transient Without Scram | NRC
BWR | Boiling Water Reactor | NRC
CAM | Containment Atmosphere Monitor system | GE
CPR | Critical Power Ratio | GE
CRD | Control Rod Drive | GE
CS | Control Systems (non-1E) | GE
DOD | Department of Defense |
DTM | Digital Trip Module | GE
ECCS | Emergency Core Cooling System | NRC
EDG | Emergency Diesel Generator support system | GE
EMS | Essential Multiplexing System | GE
ESFAS | Engineered Safety Feature Actuation System | NRC
FMEA | Failure Modes and Effects Analysis | IEEE
FPCS | Fuel Pool Cooling and Cleanup System | GE
H/LP | High Pressure / Low Pressure interlocks | GE
HECW | HVAC Emergency Cooling Water system | GE
HPCF | High Pressure Core Flooder | GE
HPIN | High Pressure Nitrogen Gas Supply | GE
HVAC | Essential HVAC system | GE
LDS | Leak Detection and Isolation System | GE
LOCA | Loss of Coolant Accident | NRC
LPFL | Low Pressure Flooder | GE
LPRM | Local Power Range Monitor (neutron monitor) | GE
MCPR | Minimum Critical Power Ratio | GE
MDT | Mean Down Time | Fisher, art.
MRBM | Multi-channel Rod Block Monitor | GE
MSIV | Main Steam Isolation Valve | GE
MSLIV | Main Steam Line Isolation Valve | GE
MTBF | Mean Time Between Failures | Fisher, art.
MTDF | Mean Time to Diagnose Fault | Fisher, art.
MTDL | Mean Time to Determine Fault Location | Fisher, art.
MTRF | Mean Time to Replace Faulty Component | Fisher, art.
MTRv | Mean Time to Return to Operation | Fisher, art.
MTTF | Mean Time To Failure | GE
NMS | Neutron Monitoring System | GE
NBR | Nuclear (or Nucleate) Boiling Ratio |
NSSS | Nuclear Steam Supply System | NRC
OLU | Output Logic Unit | GE
PRM | Process Radiation Monitoring | GE
PWR | Pressurized Water Reactor | NRC
RCIC | Reactor Core Isolation Cooling system | GE
RCPB | Reactor Coolant Pressure Boundary | GE
RCW | Reactor Building Cooling Water system | GE
RHR | Residual Heat Removal | NRC
RHR-SC | RHR Shutdown Cooling | GE
RHR-SP | RHR Suppression Pool Cooling | GE
RHR-WD | RHR Wetwell/Drywell Spray | GE
RIP | Reactor Internal Pump | GE
RPS | Reactor Protection System | NRC
RRS | Reactor Recirculation System | GE
RSS | Remote Shutdown System | GE
SER | Safety Evaluation Report | NRC
SACF | Single Active Component Failure | GE
SAR | Safety Analysis Report | NRC
SB&PCS | Steam Bypass and Pressure Control System | GE
SGTS | Standby Gas Treatment System | GE
SLCS | Standby Liquid Control System | GE
SLU | System Logic Unit (a form of TLU) | GE
SOE | Single Operator Failure | GE
SPTM | Suppression Pool Temperature Monitor | GE
STPT | Simulated Thermal Power Trip | GE
SRD | Safety Related Display | GE
SRNM | Start-up Range Neutron Monitor (NMS) | GE
SRP | Standard Review Plan | NRC
SRV | Safety Relief Valve | GE
SSAPs | Safety System Analysis Report | NRC
SSLC | Safety System Logic and Control | GE
STS | Self Test System | GE
TLU | Trip Logic Unit | GE
UHS | Ultimate Heat Sink | GE
V&V | Validation and Verification |
Appendix A

A1. Analysis

This appendix contains the analysis of common mode failures (types 2 and 3) during Chapter 15 events, as required by Guideline 7 of NUREG 0493. The assumptions of section 3.6 above are applied to each event, and some special assumptions are also made for each event. Each analysis consists of the special assumptions, a chart like that of section 3.2, and a set of conclusions.
A2. Runout of Two Feedwater Pumps - Event 15.1.2.2.1.2

The sequence of events for this event is shown in Table 15.1-5. This is a limiting fault.

A2.1 Special Assumptions:

1) Failure of the turbine stop valve switch channel ultimately leads to either a high pressure scram or an APRM scram. The former occurs at about 18 seconds and the latter at about the same time. This is approximately the same time as the scram would have occurred had the stop valve switches operated correctly. See Figure 15.1-3.

2) The high water level (L8) which initiates the turbine and feedwater pump trips is sensed by a transmitter which is part of the control system; this sensor is assumed to operate correctly. It must be noted that if this sensor channel in the control system has a CMF which causes it to fail for this event, the reactor could fill up. A scram could possibly be initiated by high flux, but sending water to the turbine seems to be a possibility.

3) Stop valve switch status enters the RPS at the DTM. See RAI response dated 10/4/91, number 9a, page 15.

A2.2 Conclusions

Failure 1 is actually two failures in one. If the transmitter sticks indicating permanent high water level, the injection valve for HPCF will never open. If the transmitter sticks indicating permanent intermediate water level, then the injection valve, once open, will never close and the reactor may overflow. (If the transmitter sticks at a permanent low level, a permanent scram is initiated.) The behavior of RCIC for failure 1 is straightforward: if the channel sticks below the high water level setpoint (L8), the reactor may overflow; if the channel sticks at or above the high water level setpoint, RCIC will not initiate.

Mitigation for failures 3, 6 and 8 involves normal operation of the protection systems. For failure 15, the primary scram initiator is not available but either of the two secondary initiators will provide scram.
[Chart: DBE 15.1.2, Feedwater controller failure event, Table 15.1-5. CMF analysis chart of the form described in section 3.2. Legend: blank - not involved or not affected; O - not available due to postulated CMF; 1 to 11 - actual initiating parameter. Reactor parameters: 1 Low Water Level (ECCS initiator), 2 Hi Water Level, 3 RPV High Pressure (secondary scram initiator), 4 High Drywell Pressure, 5 High Reactivity (secondary scram initiator), 6 High MSL Radiation, 7 MSLIV, 8 Earthquake, 9 Turbine Valves Closing (primary scram initiator), 10 CRD Pressure Low. Mitigation rows against failure columns 1 to 17: scram, ARI, HPCF (secondary core cooler), RCIC (primary core cooler), LPFL (unavailable because ADS will not initiate), SLCS, MSLIV, ADS (ADS requires high drywell pressure), SRV, Information. Individual cell entries are not legible in the scan.]
Mitigation for failure 2 involves initiation of the HPCF. For failures 10 and 11, scram is initiated by either the primary or one of the secondary initiators. However, no ECCS is available and the core may become exposed. Manual actuation of the ECCS from the control room is also inhibited. See GE drawings 103E1805, sheets 1-5. Failure 12 requires ATWS to scram the reactor, but again no ECCS is available either manually or automatically.

The primary reactor scram initiators are the switches on the turbine stop valves, with high RPV pressure and high neutron flux providing diverse initiators. Much or all of this diversity is lost with CMFs in the digital systems (MPX, DTM, TLU). Manual scram and ARI from the control system, together with the RPS scrams described above, provide defense in depth. Much of this depth is lost, however, with CMFs in the digital systems (MPX, DTM, TLU).

RCIC provides the first level of ECCS, with HPCF providing diversity. LPFL is not available for this event (see below). CMFs of the digital systems eliminate all diversity. The only defense in depth for the ECCS is provided by the manual controls in the control room, but these are inoperative with CMFs of the MPX or TLU.

It should be noted that LPFL is never available because ADS will never initiate. ADS initiation requires high drywell pressure as well as low water level. See figure 7.3-2h. The design requirements for this (RHR starting on either low water level or high drywell pressure, but ADS requiring both low level and high pressure) are not obvious, and it is possible that there is an error in the logic.
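The reasoning in sections 5.2.5, 5.2.6, 5.3 and 5.4 and in the A2.2 conclusions above is a dependency argument: a mitigating function survives a postulated CMF only if every block on at least one of its signal paths survives. The Python model below is an added example, not part of the original report or of GE's design documentation. It encodes only the paths the report states (stop valve status entering the RPS at the DTM, reactor pressure entering through the EMS, APRM trip output entering at the TLU, manual ECCS needing both the multiplexer and the TLU, feedwater control and the high water level turbine trip sharing one control-system sensor, and LPFL injection needing ADS, which needs both low level and high drywell pressure). Component names are the report's acronyms; the one path the report does not spell out, that ARI does not pass through the digital blocks, is marked as an assumption in the code.

```python
"""Echelon dependency model for the common mode failure reasoning in this report.

Added example, not part of the original report. It encodes only the signal
paths the report states in sections 5.2.5, 5.2.6, 5.3, 5.4 and the Appendix A
conclusions, and computes which scram and core cooling functions survive a
postulated CMF of one block. Where the report is silent (that ARI does not
pass through the digital blocks) the path is an assumption, marked below.
"""
from typing import Dict, FrozenSet, Iterable, Tuple

Path = FrozenSet[str]

# A function is available if at least one of its alternative paths has no
# failed component. Component names are the report's acronyms.
PATHS: Dict[str, Tuple[Path, ...]] = {
    # RPS scram: stop valve status enters the RPS at the DTM, reactor pressure
    # enters through the EMS (multiplexer), APRM trip output enters at the TLU.
    # All three end in the TLU, which the report says a TLU CMF disables.
    "rps_scram": (
        frozenset({"stop_valve_switch", "DTM", "TLU"}),   # primary initiator
        frozenset({"rpv_pressure", "MPX", "TLU"}),        # diverse initiator
        frozenset({"APRM", "TLU"}),                       # diverse initiator
    ),
    # ARI from the control system backs up a TLU failure (A5.2, A6.2).
    # Assumption: ARI is modeled as independent of MPX, DTM and TLU.
    "ari": (frozenset({"control_system"}),),
    # Automatic RCIC/HPCF: the report finds no ECCS for an MPX, DTM or TLU CMF.
    "eccs_auto": (frozenset({"level_sensor", "MPX", "DTM", "TLU"}),),
    # Manual ECCS from the control room needs the TLU and the multiplexer
    # (GE drawing 103E1805); a DTM-only failure leaves it working.
    "eccs_manual": (frozenset({"operator", "MPX", "TLU"}),),
    # Feedwater control shares the control-system level sensor (5.2.6) and is
    # disabled by an MPX block failure (A5.2, column 10).
    "feedwater_control": (frozenset({"fw_level_sensor", "control_system", "MPX"}),),
    # The high water level turbine trip uses that same sensor (5.2.6).
    "high_level_turbine_trip": (frozenset({"fw_level_sensor", "control_system"}),),
}


def available(function: str, failed: Path) -> bool:
    """True if some path for `function` contains none of the failed components."""
    return any(not (path & failed) for path in PATHS[function])


def assess(failed: Iterable[str]) -> Dict[str, bool]:
    """Surviving functions for a postulated CMF (set of failed components),
    plus the diversity / defense-in-depth rollups the conclusions reason with."""
    failed_set = frozenset(failed)
    result = {name: available(name, failed_set) for name in PATHS}
    result["any_scram"] = result["rps_scram"] or result["ari"]
    result["any_eccs"] = result["eccs_auto"] or result["eccs_manual"]
    result["any_core_cooling"] = result["any_eccs"] or result["feedwater_control"]
    return result


def lpfl_status(low_water_level: bool, high_drywell_pressure: bool) -> Tuple[bool, bool]:
    """(pumps_start, water_reaches_rpv) for LPFL per section 5.4: the pumps start
    on low level OR high drywell pressure, but injection needs the vessel
    depressurized by ADS, which requires low level AND high drywell pressure."""
    pumps_start = low_water_level or high_drywell_pressure
    ads_initiates = low_water_level and high_drywell_pressure
    return pumps_start, pumps_start and ads_initiates


if __name__ == "__main__":
    for block in ("MPX", "DTM", "TLU", "fw_level_sensor"):
        r = assess({block})
        print(f"{block:16} rps_scram={r['rps_scram']!s:5} any_scram={r['any_scram']!s:5} "
              f"eccs_auto={r['eccs_auto']!s:5} eccs_manual={r['eccs_manual']!s:5} "
              f"core_cooling={r['any_core_cooling']!s:5}")
    # A transient without a LOCA inside containment: pumps run, nothing injects.
    print("LPFL with low level only:", lpfl_status(True, False))
```

Running the script prints one line per postulated block failure and reproduces the report's pattern: a DTM failure leaves RPS scram, manual ECCS and feedwater control; a TLU failure leaves only ARI for scram and feedwater control for cooling; an MPX failure leaves RPS scram but no echelon at all for core cooling; and a stuck feedwater level sensor removes both the feedwater control that could correct high level and the turbine trip that would lead to a scram. Adding a candidate diverse path to PATHS and re-running is the quickest way to check whether it actually restores a function or merely shares a block with the existing ones.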
A3. Failure of Turbine Bypass and Control Valves Open

This is event 15.1.3.1.2.2 and is the failure of all the turbine bypass valves and turbine control valves in the open state, Table 15.1-7. This is a limiting fault.

A3.1 Special Assumptions:

1) Failure of the turbine stop valve switch channel ultimately leads to a high pressure scram. The high pressure scram occurs at about 5 seconds after the start of the incident. This is approximately 2 seconds after the scram would have occurred had the stop valve switches operated correctly. See Figure 15.1-5.

2) The high water level (L8) which initiates the turbine and feedwater pump trips is sensed by a transmitter which is part of the control system; this sensor is assumed to operate correctly. If this sensor fails, then neither the turbine, the feedwater pumps nor the reactor will trip. If the feedwater control system does not or cannot control the reactor level, then sending water droplets to the turbine becomes a possibility.

3) Stop valve switch status enters the RPS at the DTM. See RAI response dated 10/4/91, number 9a, page 15.

A3.2 Conclusions

Failure 1 is actually two failures in one. If the transmitter sticks indicating permanent high water level, the injection valve for HPCF will never open. If the transmitter sticks indicating permanent intermediate water level, then the injection valve, once open, will never close and the reactor may overflow. (If the transmitter sticks at a permanent low level, a permanent scram is initiated.) The behavior of RCIC for failure 1 is straightforward. If the channel sticks below the high water level setpoint (L8), the reactor may overflow. If the channel sticks at or above the high water level setpoint, RCIC will not initiate.

Failures 3 and 6 do not change system operation from normal. Failure 15 causes the scram to be initiated by a secondary initiator, but otherwise system operation is normal.
[Chart: DBE 15.1.3, Failure of turbine bypass and control valves open, Table 15.1-7. CMF analysis chart of the form described in section 3.2. Legend: blank - not involved or not affected; O - not available due to postulated CMF; 1 to 11 - actual initiating parameter. Reactor parameters: 1 Low Water Level (ECCS initiator), 2 Hi Water Level, 3 RPV High Pressure (secondary scram initiator), 4 High Drywell Pressure, 5 High Reactivity, 6 High MSL Radiation, 7 MSLIV, 8 Earthquake, 9 Turbine Valves Closing (primary scram initiator), 10 CRD Pressure Low. Mitigation rows against failure columns 1 to 17: scram, ARI, HPCF (secondary core cooler), RCIC (primary core cooler), LPFL (unavailable because ADS will not initiate), SLCS, MSLIV, ADS (ADS requires high drywell pressure), SRV, Information. Individual cell entries are not legible in the scan.]
Failure 2 has a normal scram, but the HPCF is initiated when RCIC fails to start. For failure 10, the scram is normal but no ECCS is available to cool the core if needed. For failures 11 and 12, ARI is required to scram the reactor and again there is no ECCS. Further, for failures 10 and 12, manual initiation of the ECCS from the control room controls is prevented because both the MPX and the TLU are needed for initiation.

Closing of the turbine stop valve is the primary scram initiator, with reactor high pressure providing a diverse initiator. This diversity vanishes for failures of the DTM or TLU. Defense in depth for reactor scram is provided by the control system with manual controls and ARI.

RCIC and HPCF provide diverse methods for cooling the core. However, all diversity vanishes and nothing is left with failures in the digital systems. It should be noted that although LPFL will start automatically, it is never effective because ADS will never initiate. ADS initiation requires high drywell pressure. See figure 7.3-2h. Defense in depth for the ECCS is provided by manual initiation of the ECCS from the control room, provided there is time for operator action. Again, however, the depth vanishes for MPX and TLU CMFs, since not only does the ECCS not automatically initiate but manual initiation from the control room is also prevented. See GE drawing 103E1805, sheets 1-5. If only the DTM fails, manual initiation still works.
A4. Inadvertent Cooling of the Reactor

This is event 15.1.6 and is the cooling of the reactor by inadvertent operation of the RHR heat exchanger, Table 15.1-9. This event is a limiting fault.

A4.1 Special Assumptions:

1) The TLU is the only unit that sends information to the control system for display to the operators. Only status information is sent.

2) There is no backup scram for this incident since:

a. There is not enough pressure to scram on high pressure, and such a pressure cannot be reasonably expected to occur.

b. Low water level is not part of this scenario.

c. No other possible scram initiators are part of this scenario.
[Chart: CMF analysis chart for event 15.1.6, Inadvertent Cooling of the Reactor. CMF groups (rows): Narrow level, Wide level (two groups), CRD Accum. Pressure, Drywell Pressure, RPV Pressure, PRM (MSL rad.), APRM (run rad.), SRNM (start rad.), MPX, DTM, TLU, Accelerometers, MSIV Position, Turbine Stop Valve Switch, Turbine Control Valve Switch, Turbine Oil Pressure Sw. Individual cell entries are not legible in the scan.]
A4.2 Conclusions

It is not clear whether or not this is an unsafe common mode failure. Certainly if the SRNM system does not cause a scram, then the reactor will keep cooling and the neutron flux will keep increasing, making the core hotter and hotter. This is, however, either start-up or shut-down mode, and the operators should be more alert than perhaps they would be when in full power steady state operation. Thus they should catch the problem prior to a disaster.

The defense in depth and diversity here is essentially zero, with the operators providing all of the backup to the SRNM.
A5. Inadvertent Closure of One Turbine Control Valve

This is incident 15.2.1.1.2.1 and is the inadvertent closure of one main turbine control valve, Table 15.2-1. The incident is treated as a moderate frequency operational occurrence and classified as an anticipated operational transient.

A5.1 Assumptions:

1) Neutron flux increases rapidly because of void reduction caused by reactor pressure increase. From Figure 15.2-1, upper-righthand curve, failure to scram on neutron flux level should result in reactor dome pressure exceeding the scram trip point of 1105 psig (Table 15.0-1) at about 2.0 to 2.5 seconds into the incident. This causes an additional delay of 0.5 to 1.0 seconds over what would occur with neutron flux scram. The sequelae of this delay are unknown. Reactor water level would decrease, but would not reach trip level before pressure trip (Figure 15.2-1, lower-lefthand curve).

2) MSLIVs do not close, so that adequate steam is available to maintain operation of the feedwater pumps, which in turn maintain the water level in the RPV. (Low turbine inlet pressure will close the MSLIV, but the sensor for this parameter is upstream of the stop valve.)

3) Turbine fast solenoid valve switches will not actuate on inadvertent closure of a main turbine control valve.

4) Reactor pressure indication enters the RPS through the EMS. APRM trip output enters the RPS through the TLU modules.
[Chart: DBE 15.2.1, Inadvertent Closure Main Turbine Control Valve, Table 15.2-1. CMF analysis chart of the form described in section 3.2. Legend: blank - not involved or not affected; O - not available due to postulated CMF; 1 to 11 - actual initiating parameter. Reactor parameters: 1 Low Water Level (ECCS initiator), 2 Hi Water Level, 3 RPV High Pressure (secondary scram initiator), 4 High Drywell Pressure, 5 High Reactivity (primary scram initiator), 6 High MSL Radiation, 7 MSLIV, 8 Earthquake, 9 Turbine Valves Closing, 10 CRD Pressure Low. Mitigation rows against failure columns 1 to 19: scram, ARI, HPCF, RCIC, LPFL, SLCS, MSLIV, ADS, SRV, Information. Individual cell entries are not legible in the scan.]
A5.2 Conclusions

Common mode failure of the primary scram initiator channel (column 8) will result in a backup scram due to high pressure. The control system will provide adequate core cooling (feedwater pump control) in all instances except for a failure of the multiplexer block, which disables the feedwater control system (column 10). This also disables all ESF mitigation and manual operation of ESF from the control room. DTM block failure results in a backup scram due to high pressure, but cooling is provided by the feedwater control system (column 11). Likewise, TLU failure disables RPS scram, but this is backed up by ARI and the feedwater control system (column 12). ESF is ineffective in both columns 11 and 12.

In failure 10 there is no diverse signal and no echelon of defense (including operator manual action) which can actuate the Engineered Safety Features. In all other failures, diversity and DID provide both scram and core cooling when challenged.
A6. Pressure Regulator Downscale Failure

This accident, event number 15.2.1.1.2.2, is the failure of the steam pressure regulator wherein all valves close, attempting to go to zero pressure at the turbine inlet, Table 15.2-2. The accident is treated as a one time (plant lifetime) postulated occurrence and classified as a limiting fault.

A6.1 Special Assumptions:

1) Neutron flux increases rapidly because of void reduction caused by reactor pressure increase. From Figure 15.2-2, upper-righthand curve, failure to scram on neutron flux level should result in reactor dome pressure exceeding the scram trip point of 1105 psig (Table 15.0-1) at less than 2.0 seconds into the incident. This causes an additional delay of less than 0.5 seconds over what would occur with neutron flux scram. The sequelae of this delay are unknown. Reactor water level would decrease, but would not reach trip level before pressure trip (Figure 15.2-2, lower-lefthand curve).

2) MSLIVs do not close, so that adequate steam is available to maintain operation of the feedwater pumps, which in turn maintain the water level in the RPV. (Low turbine inlet pressure will close the MSLIV, but the sensor for this parameter is upstream of the stop valve.)

3) Turbine valve switches will not actuate on pressure regulation failure.

4) Reactor pressure indication enters the RPS through the EMS. APRM trip output enters the RPS through the TLU modules.
[Chart: CMF analysis chart for event 15.2.1.1.2.2, Pressure Regulator Downscale Failure, Table 15.2-2, of the form described in section 3.2. Row and column labels and cell entries are not legible in the scan.]
A6.2 Conclusions

Common mode failure of the primary scram initiator channel (column 8) will result in a backup scram due to high pressure. The control system will provide adequate core cooling (feedwater pump control) in all instances except for a failure of the multiplexer block, which disables the feedwater control system (column 10). This also disables all ESF mitigation and manual operation of the ESF from the control room. DTM block failure results in a backup scram due to high pressure, but cooling is provided by the feedwater control system (column 11). Likewise, TLU failure disables RPS scram, but this is backed up by ARI and the feedwater control system (column 12). ESF is ineffective in both columns 11 and 12.

In failure 10, there is no diverse signal and no echelon of defense (including operator manual action) which can actuate the Engineered Safety Features. In all other failures, diversity and DID provide both scram and core cooling when challenged. Because this event is an accident and because ATWS is not classified as a safety system, it may fail due to relaxed maintenance requirements or exposure to harsh accident conditions.
A7. Generator Load Rejection with Normal Bypass

This incident, number 15.2.2.2.1.2, is generator load rejection with normal bypass, Table 15.2-3. The incident is treated as a moderate frequency operational occurrence and classified as an anticipated operational transient.

A7.1 Special Assumptions

1) The primary reactor trip indication is actuation of the turbine fast closure solenoid valves. From Figure 15.2-3, upper-lefthand curve, neutron flux increases rapidly because of void reduction caused by reactor pressure increase, reaching a peak of 137.1% NBR (Table 15.0-2) at about 0.7 seconds into the incident. Failure to scram on turbine fast closure solenoid valve operation should be followed almost immediately by a neutron flux scram at 127.5% NBR (Table 15.0-1). From Figure 15.2-3, upper-righthand curve, failure to scram on neutron flux level should result in reactor dome pressure exceeding the scram trip point of 1105 psig (Table 15.0-1) no later than about 1.0 seconds into the incident.

2) MSLIVs do not close, so that adequate steam is available to maintain operation of the feedwater pumps, which in turn maintain the water level in the RPV. (Low turbine inlet pressure will close the MSLIV, but the sensor for this parameter is upstream of the stop valve.)

3) Reactor pressure indication enters the RPS through the EMS. APRM trip output enters the RPS through the TLU modules. Turbine valve status enters the RPS through the DTM modules.
[Chart: CMF analysis chart for incident 15.2.2.2.1.2, Generator Load Rejection with Normal Bypass, Table 15.2-3, of the form described in section 3.2 (printed rotated in the scan). CMF groups (rows): Narrow level, Wide level (two groups), CRD Accum. Pressure, Drywell Pressure, RPV Pressure, PRM (MSL rad.), APRM (run rad.), SRNM (start rad.), MPX, DTM, TLU, Accelerometers, MSIV Position, Turbine Stop Valve Switch, Turbine Fast Closure Solenoid Valve, Turbine Oil Pressure Sw. Individual cell entries are not legible in the scan.]
A7.2 Conclusions

Common mode failure of the primary scram initiator channel (column 16) will result in a backup scram due to high flux. The control system will provide adequate core cooling (feedwater pump control) in all instances except for a failure of the multiplexer block, which disables the feedwater control system (column 10). This also disables all ESF mitigation and manual operation of the ESF from the control room. DTM block failure results in a backup scram due to high flux, but cooling is provided by the feedwater control system (column 11). Likewise, TLU failure disables RPS scram, but this is backed up by ARI and the feedwater control system (column 12). ESF is ineffective in both columns 11 and 12.

In failure 10, there is no diverse signal and no echelon of defense (including operator manual action) which can actuate the Engineered Safety Features. In all other failures, diversity and DID provide both scram and core cooling when challenged.
A8. Generator Load Rejection with the Failure of All Bypass Valves

This accident, number 15.2.2.2.1.3, is generator load rejection with all bypass valves failing, Table 15.2-5. The accident is treated as a one time (plant lifetime) postulated occurrence and classified as a limiting fault. This event is more stressing than generator load rejection with one bypass valve failure, and the analysis for total bypass failure is considered to encompass the analysis for one bypass failure.

A8.1 Special Assumptions

1) The primary reactor trip indication is actuation of the turbine fast closure solenoid valves. From Figure 15.2-5, upper-lefthand curve, neutron flux increases rapidly because of void reduction caused by reactor pressure increase, reaching a peak of 157.6% NBR (Table 15.0-2) at about 0.6 seconds into the incident. Failure to scram on turbine fast closure solenoid valve operation should be followed almost immediately by a neutron flux scram at 127.5% NBR (Table 15.0-1). From Figure 15.2-5, upper-righthand curve, failure to scram on neutron flux level should result in reactor dome pressure exceeding the scram trip point of 1105 psig (Table 15.0-1) no later than about 0.6 seconds into the incident.

2) MSLIVs do not close, so that adequate steam is available to maintain operation of the feedwater pumps, which in turn maintain the water level in the RPV. (Low turbine inlet pressure will close the MSLIV, but the sensor for this parameter is upstream of the stop valve.)

3) Reactor pressure indication enters the RPS through the EMS. APRM trip output enters the RPS through the TLU modules. Turbine valve status enters the RPS through the DTM modules.
[Chart: CMF analysis chart for accident 15.2.2.2.1.3, Generator Load Rejection with the Failure of All Bypass Valves, Table 15.2-5, of the form described in section 3.2 (printed rotated in the scan). CMF groups (rows): Narrow level, Wide level (two groups), CRD Accum. Pressure, Drywell Pressure, RPV Pressure, PRM (MSL rad.), APRM (run rad.), SRNM (start rad.), MPX, DTM, TLU, Accelerometers, MSIV Position, Turbine Stop Valve Switch, Turbine Fast Closure Solenoid Valve, Turbine Oil Pressure Sw. Individual cell entries are not legible in the scan.]
A8.2 Conclusions

Common mode failure of the primary scram initiator channel (column 16) will result in a backup scram due to high flux. The control system will provide adequate core cooling (feedwater pump control) in all instances except for a failure of the multiplexer block, which disables the feedwater control system (column 10). This also disables all ESF mitigation and manual operation of the ESF from the control room. DTM block failure results in a backup scram due to high flux, but cooling is provided by the feedwater control system (column 11). Likewise, TLU failure disables RPS scram, but this is backed up by ARI and the feedwater control system (column 12). ESF is ineffective in both columns 11 and 12.

In failure 10, there is no diverse signal and no echelon of defense (including operator manual action) which can actuate the Engineered Safety Features. In all other failures, diversity and DID provide both scram and core cooling when challenged. Because this event is classified as a limiting fault and ATWS is not classified as a safety system, it may fail due to relaxed maintenance requirements or exposure to harsh accident conditions.
A9. Turbine Trip with Normal Bypass

This incident, number 15.2.3.2.1.1, is turbine trip with normal bypass, Table 15.2-6. The incident is treated as a moderate frequency operational occurrence and classified as an anticipated operational transient.

A9.1 Special Assumptions

1) The primary reactor trip indication is actuation of turbine stop valve 85% switches. From Figure 15.2-6, upper-lefthand curve, neutron flux begins to increase rapidly because of void reduction caused by reactor pressure increase, but the peak value reached in this simulation is 111.8% NBR (Table 15.0-2), due to simulated scram at 0.2 seconds (Figure 15.2-6, lower-righthand curve). If the turbine stop valve switches fail, this incident is most similar to accident 15.2.1, pressure regulator downscale failure. From accident 15.2.1, failure to scram on turbine stop valve 85% switches should be followed 1.2 seconds later (Figure 15.2-2, lower-righthand curve) by a neutron flux scram at 127.5% NBR (Table 15.0-1). From Figure 15.2-2, upper-righthand curve, failure to scram on neutron flux level should result in reactor dome pressure exceeding the scram trip point of 1107 psig (Table 15.0-1) after an additional delay of 0.8 seconds. The effects of these additional delays are unknown.

2) MSLIVs do not close, so that adequate steam is available to maintain operation of the feedwater pumps, which in turn maintain the water level in the RPV. (Low turbine inlet pressure will close the MSLIV, but the sensor for this parameter is upstream of the stop valve.)

3) Reactor pressure indication enters the RPS through the EMS. APRM trip output enters the RPS through the TLU modules. Turbine valve status enters the RPS through the DTM modules.
[Chart: CMF analysis chart for incident 15.2.3.2.1.1, Turbine Trip with Normal Bypass, Table 15.2-6, of the form described in section 3.2 (printed rotated in the scan). CMF groups (rows): Narrow level, Wide level (two groups), CRD Accum. Pressure, Drywell Pressure, RPV Pressure, PRM (MSL rad.), APRM (run rad.), SRNM (start rad.), MPX, DTM, TLU, Accelerometers, MSIV Position, Turbine Stop Valve Switch, Turbine Fast Closure Solenoid Valve, Turbine Oil Pressure Sw. Individual cell entries are not legible in the scan.]
A9.2 Conclusions

Common mode failure of the primary scram initiator channel (column 15) will result in a backup scram due to high flux, delayed approximately 1.2 seconds. Additional diversity is provided by reactor vessel high pressure, but with a further delay of 0.8 seconds. The control system will provide adequate core cooling (feedwater pump control) in all instances except for a failure of the multiplexer block, which disables the feedwater control system (column 10). This also disables all ESF mitigation and manual operation of the ESF from the control room. DTM block failure results in a backup scram due to high flux, but cooling is provided by the feedwater control system (column 11). Likewise, TLU failure disables RPS scram, but this is backed up by ARI and the feedwater control system (column 12). ESF is ineffective in both columns 11 and 12.

In failure 10, there is no diverse signal and no echelon of defense (including operator manual action) which can actuate the Engineered Safety Features. In all other failures, diversity and DID provide both scram and core cooling when challenged. The effects of delays on fuel condition are not known.
A10. Turbine Trip with All Bypass Valves Failing

This accident, number 15.2.3.2.1.3, is a turbine trip with all bypass valves failing (Table 15.2-8). The accident is treated as a one-time (plant lifetime) postulated occurrence and classified as a limiting fault. This event is more stressing than turbine trip with one bypass valve failure, and the analysis for total bypass failure is considered to encompass the analysis for one bypass failure.

A10.1 Special Assumptions

1) The primary reactor trip indication is actuation of the turbine stop valve 85% switches. From Figure 15.2-8, upper lefthand curve, neutron flux increases rapidly because of void reduction caused by reactor pressure increase, reaching a peak of 137.5% NBR (Table 15.0-2) at about 0.8 seconds into the accident. Failure to scram on turbine stop valve 85% switches should be followed by a neutron flux scram at 127.5% NBR (Table 15.0-1) delayed by about 0.8 seconds. From Figure 15.2-8, upper righthand curve, failure to scram on neutron flux level should result in reactor dome pressure exceeding the scram trip point of 1105 psig (Table 15.0-1) no later than about 1.0 seconds into the incident.

2) MSLIVs do not close, so that adequate steam is available to maintain operation of the feedwater pumps, which in turn maintain the water level in the RPV. (Low turbine inlet pressure will close the MSLIVs, but the sensor for this parameter is upstream of the stop valve.)

3) Reactor pressure indication enters the RPS through the EMS. APRM trip output enters the RPS through the TLU modules. Turbine valve status enters the RPS through the DTM modules.
[Trip table for DBE 15.2.3, turbine trip with all bypass valves failing, Table 15.2-8. Rows: reactor parameters 1 low water level (ECCS initiator), 2 high water level, 3 RPV high pressure (tertiary initiator), 4 high drywell pressure, 5 high reactivity, 6 high MSL radiation, 7 MSLIV, 8 earthquake, 9 turbine valves closing (primary scram initiator), 10 CRD pressure low; mitigations scram, ARI (DID scram), HPCF, RCIC, LPFL, SLCS, MSLIV, ADS, SRV. Columns: postulated CMFs 1 to 20. Legend: blank = not involved or not affected; O = not available due to postulated CMF; 1 to 11 = actuating parameter. Cell entries are not legible in the scan.]
A10.2 Conclusions

Common mode failure of the primary scram initiator channel (column 15) will result in a backup scram due to high flux with a delay of approximately 0.8 seconds. Additional diversity is provided by reactor vessel high pressure. The control system will provide adequate core cooling (feedwater pump control) in all instances except for a failure of the multiplexer block, which disables the feedwater control system (column 10). This also disables all ESF mitigation and manual operation of the ESF from the control room. DTM block failure results in a backup scram due to high flux, but cooling is provided by the feedwater control system (column 11). Likewise, TLU failure disables RPS scram, but this is backed up by ARI and the feedwater control system (column 12). ESF is ineffective in both columns 11 and 12. In failure 10, there is no diverse signal and no echelon of defense (including operator manual action) which can actuate the Engineered Safety Features. In all other failures, diversity and DID provide both scram and core cooling when challenged. The accident is classified as a limiting fault. The ATWS is not classified as a safety system and may fail due to relaxed maintenance requirements or exposure to harsh accident conditions.
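The A10.2 conclusions above are a single-point-of-failure walk over the echelons of defense. As an added example (not part of the LLNL report), the Python below encodes that walk as a dependency model and recomputes, for each postulated CMF column, which scram and core-cooling paths survive; the block-to-path dependencies, the column-to-block mapping and the delays are assumptions drawn from A10.1 and A10.2, not from the GE drawings.

```python
"""Echelons-of-defense walk for a single postulated common mode failure (CMF).

Added example; not part of the LLNL report.  The dependency map is an
assumed reading of A10.1 item 3 and A10.2 (turbine trip with all bypass
valves failing), not taken from the GE drawings.  Column numbers follow
the report's trip table: 10 = MPX, 11 = DTM, 12 = TLU, 15 = primary scram
initiator (turbine stop valve 85% switches).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    name: str
    kind: str              # "scram" or "cooling"
    needs: frozenset       # blocks/channels whose CMF defeats this path
    rps: bool = False      # True for RPS scram paths (they carry a backup delay)
    delay_s: float = 0.0   # approximate seconds after the primary trip point


# Assumed dependency model (constructed for this example).
PATHS = (
    Path("RPS scram on turbine stop valve 85% switches", "scram",
         frozenset({"TSV switches", "DTM", "TLU"}), rps=True),
    Path("RPS scram on high neutron flux (APRM via TLU)", "scram",
         frozenset({"APRM", "TLU"}), rps=True, delay_s=0.8),
    # A10.1 quotes the pressure trip as about 1.0 s into the incident.
    Path("RPS scram on RPV high pressure (via EMS/MPX)", "scram",
         frozenset({"pressure channel", "MPX", "DTM", "TLU"}), rps=True,
         delay_s=1.0),
    Path("ARI from the control system", "scram", frozenset({"ARI"})),
    Path("feedwater pump control (DID cooling)", "cooling",
         frozenset({"MPX"})),
    Path("automatic ESF actuation", "cooling",
         frozenset({"MPX", "DTM", "TLU"})),
    Path("manual ESF actuation from control room", "cooling",
         frozenset({"MPX", "TLU"})),
)

# Trip-table columns exercised in A10.2 -> the block or channel that fails.
COLUMNS = {10: "MPX", 11: "DTM", 12: "TLU", 15: "TSV switches"}


def surviving(failed: str, kind: str) -> list:
    """Paths of the given kind that do not depend on the failed block."""
    return [p for p in PATHS if p.kind == kind and failed not in p.needs]


def assess(column: int) -> dict:
    """Which scram and core-cooling echelons survive a CMF of this column."""
    failed = COLUMNS[column]
    scram = surviving(failed, "scram")
    cooling = surviving(failed, "cooling")
    rps_delays = [p.delay_s for p in scram if p.rps]
    return {
        "failed": failed,
        "scram_paths": [p.name for p in scram],
        # Delay of the earliest surviving RPS path; None means RPS scram is
        # lost and only the DID backup (ARI) remains.
        "rps_backup_delay_s": min(rps_delays) if rps_delays else None,
        "cooling_paths": [p.name for p in cooling],
        "auto_esf": any(p.name.startswith("automatic ESF") for p in cooling),
        "manual_esf": any(p.name.startswith("manual ESF") for p in cooling),
        "defended": bool(scram) and bool(cooling),
    }


def undefended_columns() -> list:
    """Columns whose single CMF leaves no scram or no cooling echelon at all."""
    return [c for c in COLUMNS if not assess(c)["defended"]]


if __name__ == "__main__":
    for col in sorted(COLUMNS):
        r = assess(col)
        print(f"column {col} ({r['failed']}): scram via {r['scram_paths'] or 'none'}; "
              f"cooling via {r['cooling_paths'] or 'none'}; defended={r['defended']}")
```

Running it reproduces the A10.2 reading: only column 10 (MPX) leaves no cooling echelon, column 12 (TLU) survives on ARI alone, and columns 11 and 15 fall back to the 0.8 second flux scram.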
A11. Inadvertent Closure of All MSLIVs

This incident, number 15.2.4.1.2.1, is inadvertent closure of all Main Steam Line Isolation Valves (Table 15.2-9). The incident is treated as a moderate frequency operational occurrence and classified as an anticipated operational transient.

A11.1 Special Assumptions

1) The primary reactor trip indication is actuation of MSLIV 85% switches. From Figure 15.2-9, peak neutron flux level in this simulation is 105.7% NBR (Table 15.0-2), due to simulated scram at 0.4 seconds (Figure 15.2-9, lower righthand curve). If the MSLIV switches fail, this incident is most similar to accident 15.2.1, pressure regulator downscale failure. From accident 15.2.1, failure to scram on MSLIV 85% switches should be followed 1.2 seconds later (Figure 15.2-2, lower righthand curve) by a neutron flux scram at 127.5% NBR (Table 15.0-1). From Figure 15.2-3, upper righthand curve, failure to scram on neutron flux level should result in reactor dome pressure exceeding the scram trip point of 1105 psig (Table 15.0-1) after an additional delay of 0.8 seconds. The effects of these additional delays are unknown.

2) RCIC is expected to be required because closure of the MSLIVs inhibits steam flow to the feedwater pump turbines. Alternative mitigation is HPCF, followed by ADS blowdown and LPFL if HPCF fails.

3) Reactor pressure indication enters the RPS through the EMS. APRM trip output enters the RPS through the TLU modules. Turbine valve status enters the RPS through the DTM modules.
[Trip table for DBE 15.2.4, inadvertent closure of all MSLIVs, Table 15.2-9. Rows: reactor parameters 1 low water level (ECCS initiator), 2 high water level, 3 RPV high pressure (tertiary initiator), 4 high drywell pressure, 5 high reactivity, 6 high MSL radiation, 7 MSLIV (primary scram initiator), 8 earthquake, 9 turbine valves closing, 10 CRD pressure low; mitigations scram, ARI (DID scram), HPCF (secondary core cooling), RCIC (primary core cooling), LPFL (unavailable because no ADS), SLCS, MSLIV, ADS, SRV. Columns: postulated CMFs 1 to 20. Legend: blank = not involved or not affected; O = not available due to postulated CMF; 1 to 11 = actuating parameter. Cell entries are not legible in the scan.]
A11.2 Conclusions

Common mode failure of the primary scram initiator channel (column 14) will result in a backup scram due to high flux with a delay of approximately 0.8 seconds. Additional diversity is provided by reactor vessel high pressure. Reactor core cooling is necessary and is provided by RCIC except as noted below (feedwater pumps are unusable because feedwater pump turbine steam supply is interrupted by MSLIV closure). Multiplexer failure (column 10) results in scram but complete failure of ECCS. DTM block failure results in a backup scram due to high flux, but again with complete failure of ECCS (column 11). TLU failure disables RPS scram, but this is backed up by ARI (column 12). However, ECCS fails to operate. Columns 1 through 3 demonstrate water level channel failures. For failure 2, diverse initiation of HPCF backs up RCIC. For failure 1 there are two possible modes of failure. If the transmitter sticks indicating permanent high water level, the injection valve for HPCF will never open and RCIC turbines will not start. If the transmitter sticks indicating permanent intermediate or low water level, then the injection valve, once open, will never close and the reactor may overflow. (If the transmitter sticks at a permanent low level, there is a permanent scram initiated.) LPFL will start but will be ineffective without blowdown by the ADS. ADS blowdown will not occur until both low water level and high drywell pressure have existed for a timeout period, and high drywell pressure will not occur in this accident.

Summarizing, reactor scram is initiated by diverse signals (failures 11 and 14) or by DID backup by ARI (failure 12). In failures 1, 10, 11, and 12, the control system is unable to provide DID core cooling and there is no diverse method for automatic operation of any of the ECCS features. Manual blowdown of ADS is possible in failure 1, allowing LPFL to substitute for ineffective HPCF and RCIC. Manual operation of RCIC or HPCF from the control room may be possible for failure 11, but is precluded in failures 10 and 12. Because this event is classified as a limiting fault and ATWS is not classified as a safety system, it may fail due to relaxed maintenance requirements or exposure to harsh accident conditions.
A12. Loss of Condenser Vacuum

This incident, number 15.2.5, is loss of condenser vacuum (Table 15.2-14). The incident is treated as a moderate frequency operational occurrence and classified as an anticipated operational transient.

A12.1 Special Assumptions

1) The primary reactor trip indication is actuation of turbine stop valve 85% switches. From Figure 15.2-10, upper lefthand curve, neutron flux begins to increase rapidly because of void reduction caused by reactor pressure increase, but the peak value reached in this simulation is 111.0% NBR (Table 15.0-2), due to simulated scram at 0.2 seconds (Figure 15.2-10, lower righthand curve). If the turbine stop valve switches fail, this incident is most similar to accident 15.2.1, pressure regulator downscale failure. From accident 15.2.1, failure to scram on turbine stop valve 85% switches should be followed 1.2 seconds later (Figure 15.2-2, lower righthand curve) by a neutron flux scram at 127.5% NBR (Table 15.0-1). From Figure 15.2-2, upper righthand curve, failure to scram on neutron flux level should result in reactor dome pressure exceeding the scram trip point of 1105 psig (Table 15.0-1) after an additional delay of 0.8 seconds. The effects of these additional delays are unknown.

2) Reactor pressure indication enters the RPS through the EMS. APRM trip output enters the RPS through the TLU modules. Turbine valve status enters the RPS through the DTM modules.
[Trip table for DBE 15.2.5, loss of condenser vacuum, Table 15.2-10. Rows: reactor parameters 1 low water level (ECCS initiator), 2 high water level (injection and turbine permissive), 3 RPV high pressure (tertiary scram initiator), 4 high drywell pressure, 5 high reactivity (secondary scram initiator), 6 high MSL radiation, 7 MSLIV, 8 earthquake, 9 turbine valves closing, 10 CRD pressure low; mitigations scram, ARI (DID scram), HPCF (secondary core cooling), RCIC (primary core cooling), LPFL (unavailable because no ADS), SLCS, MSLIV, ADS (requires high drywell pressure), SRV. Columns: postulated CMFs 1 to 20. Legend: blank = not involved or not affected; O = not available due to postulated CMF; 1 to 11 = actuating parameter. Cell entries are not legible in the scan.]
A12.2 Conclusions

Common mode failure of the primary scram initiator channel (column 15) will result in a backup scram due to high flux delayed approximately 1.2 seconds. Additional diversity is provided by reactor vessel high pressure, but with a further delay of 0.8 seconds. The control system will be ineffective in providing core cooling because the MSLIVs are expected to close at 5 seconds due to low condenser vacuum. DTM block failure results in a backup scram due to high flux. Likewise, TLU failure disables RPS scram, but this is backed up by ARI (column 12). ESF is ineffective in columns 10 through 12.

Columns 1 through 3 demonstrate water level channel failures. For failure 2, diverse initiation of HPCF backs up RCIC. For failure 1 there are two possible modes of failure. If the transmitter sticks indicating permanent high water level, the injection valve for HPCF will never open and RCIC turbines will not start. If the transmitter sticks indicating permanent intermediate or low water level, then the injection valve, once open, will never close and the reactor may overflow. (If the transmitter sticks at a permanent low level, there is a permanent scram initiated.) LPFL will start but will be ineffective without blowdown by the ADS. ADS blowdown will not occur until both low water level and high drywell pressure have existed for a timeout period, and high drywell pressure will not occur in this accident.

Summarizing, reactor scram is initiated by diverse signals (failures 11 and 15) or by DID backup by ARI (failure 12). In failures 1, 10, 11, and 12, the control system is unable to provide DID core cooling and there is no diverse method for automatic operation of any of the ECCS features. Manual blowdown of ADS is possible in failure 1, allowing LPFL to substitute for ineffective HPCF and RCIC. Manual operation of RCIC or HPCF from the control room may be possible for failure 11, but is precluded in failures 10 and 12. The effects of delays on fuel condition are not known.
A13. Loss of Auxiliary Power Transformer

This incident, number 15.2.6.1.1.1, is loss of the unit auxiliary power transformer (Table 15.2-16). The incident is treated as a moderate frequency operational occurrence and classified as an anticipated operational transient.

A13.1 Special Assumptions

1) The primary scram initiator is turbine fast closure solenoid valve operation. The event is similar to a load rejection. From Figure 15.2-11, upper righthand curve, reactor pressure exceeds the trip setpoint of 1105 psig at about 2 seconds, providing a diverse trip to the turbine fast closure solenoid valve 85% switches. The General Electric simulation differs from a load rejection, however, in that neutron flux rises during the load rejection (upper lefthand curve, Figure 15.2-3) whereas it does not for this incident (upper lefthand curve, Figure 15.2-11). Since there does not appear to be any significant difference between this incident and a load rejection during the early stages, high flux will be assumed to be another diverse trip, if needed.

2) General Electric SAR Chapter 15, paragraph 15.2.6.2.2.1, in sequence action 2, assumes immediate trip of half of all electrical pumps as a result of loss of electrical power. It is assumed that this occurs because of load shedding caused by the reactor control system rather than operation of the protection system. The pumps tripped include five RIPs, one condensate pump, and two condenser circulating water pumps.

3) Feedwater pump trips as described by sequence action 3, SAR Chapter 15, paragraph 15.2.6.2.2.1, are assumed to occur.

4) Turbine trip occurs at 8 seconds after loss of the unit auxiliary power transformer.

5) MSLIV closure occurs at about 28 seconds after loss of the unit auxiliary power transformer. The loss of feedwater pumps and the closure of MSLIVs make ECCS a necessity, since no other cooling means are available.
7) Reactor pressure indication enters the RPS through the EMS. APRM trip output enters the RPS through the TLU modules. Turbine valve status enters the RPS through the DTM modules.

A13.2 Conclusions

Common mode failure of the primary scram initiator channel (column 16) will result in a backup scram due to high flux with a delay of approximately 0.8 seconds. Additional diversity is provided by reactor vessel high pressure. Reactor core cooling is necessary and is provided by RCIC except as noted below (feedwater pumps are unusable because the feedwater pumps are tripped and turbine steam supply is interrupted by MSLIV closure). Multiplexer failure (column 10) results in scram but complete failure of ECCS. DTM block failure results in a backup scram due to high flux, but again with complete failure of ECCS (column 11). TLU failure disables RPS scram, but this is backed up by ARI (column 12). However, ECCS fails to operate. Columns 1 through 3 demonstrate water level channel failures. For failure 2, diverse initiation of HPCF backs up RCIC. For failure 1 there are two possible modes of failure. If the transmitter sticks indicating permanent high water level, the injection valve for HPCF will never open and RCIC turbines will not start. If the transmitter sticks indicating permanent intermediate or low water level, then the injection valve, once open, will never close and the reactor may overflow. (If the transmitter sticks at a permanent low level, there is a permanent scram initiated.) LPFL will start but will be ineffective without blowdown by the ADS. ADS blowdown will not occur until both low water level and high drywell pressure have existed for a timeout period, and high drywell pressure will not occur in this accident.
[Trip table for DBE 15.2.6, loss of unit auxiliary power transformer, Table 15.2-16 (rotated in the scan; cell entries not legible). The block rows MPX, DTM and TLU and the sensor-channel columns (narrow-range and wide-range water level, RPV pressure, drywell pressure, CRD accumulator pressure, turbine stop and control valve position, MSIV position) can be made out.]
Summarizing, reactor scram is initiated by diverse signals (failures 11 and 16) or by DID backup by ARI (failure 12). In failures 1, 10, 11, and 12, the control system is unable to provide DID core cooling and there is no diverse method for automatic operation of any of the ECCS features. Manual blowdown of ADS is possible in failure 1, allowing LPFL to substitute for ineffective HPCF and RCIC. Manual operation of RCIC or HPCF from the control room may be possible for failure 11, but is precluded in failures 10 and 12. Loss of the unit auxiliary transformer and one startup transformer is not dealt with separately because the main difference, besides greater dependence on diesel generators, is the additional trip of the last three reactor recirculating pumps, which tends to further reduce reactivity. The consequences of this additional failure appear to be less than those for failure of the unit auxiliary transformer alone.
A14. Loss of Feedwater Flow

This incident, 15.2.7, is loss of feedwater flow (Table 15.2-18). The incident is treated as a moderate frequency operational occurrence and classified as an anticipated operational transient.

A14.1 Special Assumptions

1) The primary reactor trip indication is water level 3 indicated by the LT351(A-D) narrow range water level transducer channel. Neutron flux and reactor vessel pressure do not react quickly during this incident. Ultimately, the MSLIVs will close because of level 1.5 water level switches or because of low turbine inlet pressure. Secondary reactor trip indication is therefore the MSLIV 85% switches. Time delay to secondary trip is unknown. ARI at level 2 may beat the MSLIV switches.

2) RCIC is expected to be required because the feedwater pump turbines are not working. Alternative mitigation is HPCF. However, since there is no leak into the drywell, ADS will not blow down the reactor and LPFL is therefore not an alternative automatic cooling means.

3) Reactor water level indication enters the RPS through the EMS. APRM trip output enters the RPS through the TLU modules. Turbine valve status enters the RPS through the DTM modules.
[Trip table for DBE 15.2.7, loss of feedwater flow, Table 15.2-18 (rotated in the scan; cell entries not legible). The block rows MPX, DTM and TLU and the sensor-channel columns (narrow-range and wide-range water level, RPV pressure, drywell pressure, CRD accumulator pressure, turbine stop and control valve position, MSIV position) can be made out.]
A14.2 Conclusions

Common mode failure of the primary scram initiator channel (column 1, low water level 3) as stuck at level 8 will result in a backup scram due to MSLIV 85% switches or by alternate rod insertion (ARI) caused by diverse water level sensing. Reactor core cooling is necessary and is provided by RCIC except as noted below (feedwater pumps are unusable because the feedwater pumps are tripped and turbine steam supply is interrupted by MSLIV closure). Multiplexer failure (column 10) results in scram but complete failure of ECCS. DTM and TLU failures disable RPS scram, but this is backed up by ARI (columns 11 and 12). However, ECCS fails to operate. Columns 1 through 3 demonstrate water level channel failures.

For failure 2, diverse initiation of HPCF backs up RCIC. For failure 1 there are two possible modes of failure. If the transmitter sticks indicating permanent high water level, the injection valve for HPCF will never open and RCIC turbines will not start. If the transmitter sticks indicating permanent intermediate or low water level, then the injection valve, once open, will never close and the reactor may overflow. (If the transmitter sticks at a permanent low level, there is a permanent scram initiated.) LPFL will start but will be ineffective without blowdown by the ADS. ADS blowdown will not occur until both low water level and high drywell pressure have existed for a timeout period, and high drywell pressure will not occur in this accident.

Summarizing, reactor scram is initiated by diverse signals (failures 10 and 1) or by DID backup by ARI (failures 11 and 12). In failures 1, 10, 11, and 12, the control system is unable to provide DID core cooling and there is no diverse method for automatic operation of any of the ECCS features. Manual blowdown of ADS is possible in failure 1, allowing LPFL to substitute for ineffective HPCF and RCIC. Manual operation of RCIC or HPCF from the control room may be possible for failure 11, but is precluded in failures 10 and 12.
A15. Trip of All RIPs

This event, number 15.3.1.1.2.2, is the trip of all of the RIPs (Table 15.3-2). This is a limiting fault event.

A15.1 Special Assumptions

1) Failure of the turbine stop valve switch channel ultimately leads to a high pressure scram. The high pressure scram occurs at about 2 seconds after the start of the incident. This is approximately the same time as the scram would have occurred had the stop valve switches operated correctly. See Figure 15.3-2.

2) The high water level (L8) which initiates the turbine and feedwater pump trips is sensed by a transmitter which is part of the control system; this sensor is presumed to operate correctly.

3) Stop valve switch status enters the RPS at the DTM. See RAI response dated 10/4/91, number 9a, page 15.

4) An APRM trip (STPT) does not occur.

A15.2 Conclusions

Failure 1 is actually two failures in one. If the transmitter sticks indicating permanent high water level, the injection valve for HPCF will never open. If the transmitter sticks indicating permanent intermediate water level, then the injection valve, once open, will never close and the reactor may overflow. (If the transmitter sticks at a permanent low level, there is a permanent scram initiated.) The behavior of RCIC for failure 1 is straightforward. If the channel sticks below the high water level setpoint (L8), then the reactor may overflow. If the channel sticks at or above the high water level setpoint, RCIC will not initiate. For failures 3 and 6 the system operates normally. For failure 15, an alternate scram initiator is used but otherwise the system behaves normally. For failure 2, the RCIC fails to start but is backed up by the HPCF.
[Trip table for DBE 15.3.1, trip of all RIPs, Table 15.3-2. Rows: reactor parameters 1 low water level (ECCS initiator), 2 high water level, 3 RPV high pressure (secondary scram initiator), 4 high drywell pressure, 5 high reactivity, 6 high MSL radiation, 7 MSLIV, 8 earthquake, 9 turbine valves closing (primary scram initiator), 10 CRD pressure low; mitigations scram, ARI, HPCF (secondary core cooling), RCIC (primary core cooling), LPFL (unavailable because ADS will not initiate), SLCS, MSLIV, ADS (requires high drywell pressure), SRV information. Columns: postulated CMFs 1 to 17. Legend: blank = not involved or not affected; O = not available due to postulated CMF; 1 to 11 = actuating parameter. Cell entries are not legible in the scan.]
For failure 10 the scram is normal but there is no system for cooling of the core, and the core may become exposed. For failures 11 and 12 ARI is invoked to scram the reactor, and again there is no core cooling if needed. In failures 10 and 12 there is no manual initiation of the core cooling machinery from the control room because these controls require the correct functioning of both the MPX and the TLU. See GE drawings 103E1805 sheets 1 - 5.

Reactor scram initiation is provided by the turbine valves with RPV pressure providing a diverse trip. Power scram will probably not provide other diversity because the trip of the RIPs reduces core reactivity. This diversity vanishes with CMFs of the digital system (MPX, DTM, TLU). Manual scram initiation and ARI from the control system provide defense in depth for scram. RCIC and HPCF provide diverse methods for cooling the core. However, all of that diversity vanishes and nothing is left with any failures in the digital systems. It should be noted that although LPFL may initiate on low water level, it is never available because ADS will never initiate. ADS initiation requires high drywell pressure. See Figure 7.3-2h. Manual control provides defense in depth for the ECCS, providing there is time for the operators to act and there are no failures in the TLU or MPX. With a failure in either one of those digital systems, manual initiation of any part of ECCS from the control room is lost. See GE drawing 103E1805 sheets 1 - 5. If the high water level sensor in the control system fails to trip the turbine, there may be undesirable consequences since there are no reactor trips available: first, there may be water droplets sent to the turbine if the feedwater control system does not or cannot keep the water level properly controlled, and second, there may be boiling at the fuel rods with consequent fuel rod damage.
A16. Inadvertent Control Rod Removal During Startup

This event, 15.4.1.2, is an inadvertent control rod removal during start up. Refer to Table 15.4-2 and Figure 15.4-1. It is categorized as an infrequent incident.

A16.1 Special Assumptions

1) Per the GE ABWR SAR, the reactor is assumed to be in the critical condition before the incident, 0.001% rated power and 28600.

2) The neutron monitor scram initiation preferences are: Short Period Trip (SRNM), 15% power (APRM). No other automatic scram initiators are available. For power percentages below 15% the fuel is not damaged.

3) It is unclear whether or not fuel damage will occur above 15%. In addition, no process evaluations were done on rod withdrawal error past 15% power. Thus, it is unclear if any process variable other than SRNM or APRM will initiate a scram.

4) The feedwater pumps maintain reactor water level above level 3. Thus, ARI and ECCS will not be challenged.

5) The SRNM signal does not go through the MPX or DTM and is directly transmitted to the TLU.

A16.2 Conclusions

Mitigations 8 and 9 involve normal operation of the protection systems. A short period reactivity increase detected by the SRNM is the primary scram initiator. If the SRNM is not available, the setdown mode of the APRM detects a high average neutron flux (15% rated power). Mitigation 8 relies on the primary scram initiator, thus loss of the APRM has no effect in this incident. Mitigation 9 scrams on the secondary initiator; otherwise operation is normal. In mitigation 12, the loss of the TLU will inhibit a scram. There are no other automatic initiating signals. ARI and RPS cannot initiate. The ECCS is not challenged.
[Trip table for DBE 15.4.1.2, rod withdrawal error, low power (start-up), Table 15.4-2 and Figure 15.4-1. Rows: reactor parameters 1 low water level, 2 high water level, 3 RPV high pressure, 4 high drywell pressure, 5 high reactivity (secondary scram initiator), 6 high MSL radiation, 7 MSLIV, 8 earthquake, 9 turbine valves closing, 10 CRD pressure low, 11 short period reactivity (primary scram initiator); mitigations scram, ARI, HPCF, RCIC, LPFL, SLCS, MSLIV, ADS, SRV info. Columns: postulated CMFs 1 to 17. Legend: blank = not involved or not affected; O = not available due to postulated CMF; 1 to 11 = actuating parameter. The only legible entries are in the scram row: 11, 5, O.]
The time the operators may have to respond to this event before fuel rod damage cannot be determined from the current information in the GE ABWR SAR (Chapter 15.4, Table 15.4-2 and Figure 15.4-1). At start up the operators should have a heightened awareness. They should be monitoring the process variables very carefully and paying particular attention to any deviations from normal start up. If a deviation from normal start up is observed, the operators should immediately scram the reactor. It is unclear whether or not this is an unsafe common mode failure scenario. The SRNM and APRM provide diversity for mitigations 8 and 9, while mitigation 12 has no diversity. Diversity does not exist for all possible CMFs for this incident. Defense in depth is provided through the control room manual scram system.
A17. Fast Runout of All RIPs

This event, number 15.4.5.1.2.2, is a fast runout of all RIPs. Refer to Table 15.4-5 and Figure 15.4-3. This event is categorized as a limiting fault.

A17.1 Special Assumptions

1) By interpretation of the first eight seconds of Figure 15.4-3 and Figure 4.4-1, the reactor variables will settle into a new steady state without a scram, although the new steady state may be above 100% of rated power. In this case no scram initiators other than APRM will be sensed.

2) The turbine may be operating at a low enough power such that the runout of the RIPs increases the reactor steam flow beyond the capability of the SB&PCS. The turbine control valve throttles to maintain constant pressure/flow and the SB&PCS diverts steam flow at full capacity. In this case, the turbine control valve would not allow an increase in steam flow and the SB&PCS could not handle any additional steam flow; therefore the reactor pressure will build and finally initiate a scram.

3) The feedwater pumps maintain reactor water level above level 3. Thus, ECCS will not be challenged.

4) The APRM signal does not go through the MPX or DTM and is directly transmitted to the TLU.
[Table: DBE 15.4.5, Fast runout of all RIPs (Table 15.4-5 and Figure 15.4-3). Parameters: 1 Low Water Level; 2 High Water Level; 3 RPV High Pressure; 4 High Drywell Pressure; 5 High Reactivity; 6 High MSL Radiation; 7 MSLIV; 8 Earthquake; 9 Turbine Valves Closing; 10 CRD Pressure Low. Mitigations 1 to 17; rows Scram, ARI, HPCF, RCIC, LPFL, SLCS, MSLIV, ADS, SRV, Information. Legend: blank - not involved or not affected; 0 - not available due to postulated CMF; 1 to 11 - actuating parameter; primary scram initiator; possible secondary scram initiator. Cell entries are not recoverable from the scan.]
A17.2 Conclusions

Mitigation 6 involves normal operation of the protection systems. The APRM initiates a scram. Mitigation 8 considers two possible initial states; one leads to a scram while the other will not. The first initial state (8-3) is where the turbine and the reactor are operating at low power. Thus when the RIPs run out, a large amount of steam must be diverted by the SB&PCS. Since the SB&PCS can only divert a limited amount of steam, the reactor vessel pressure will build, eventually initiating a scram. The second initial state (8-0) is where the turbine and the reactor are operating at high power (near 100%) and the SB&PCS is diverting very little steam. In this case the SB&PCS can handle the increased steam flow due to RIP runout and the reactor system will simply go into another steady state. With a CMF in the APRMs a scram is inhibited. This higher steady state will be detectable by the operators, at which time the operators may decide upon and implement a course of action. Mitigation 12 considers the same two initial states as mitigation 8. The first initial state (12-3) leads to an ARI scram. The second initial state (12-0) leads to a new process steady state in which mitigation depends on the operators.

The ECCS is not challenged.

Diversity exists for three of the five mitigations (6, 8-3, 12-3). The other two mitigations (8-0, 12-0) have no diversity. Diversity does not exist for all postulated CMFs. Defense-in-depth is provided through the control room manual scram system.
A18. Steam Piping Break Outside Containment

This event, number 15.6.4, is a steam system piping break outside of containment, Table 15.6-4. This is a limiting fault.

A18.1 Special Assumptions

1) The closure of the MSLIVs is initiated from the ESFAS. The documentation for how the MSLIVs are controlled is reasonably clear, but exactly where control is exercised is confused. On GE drawing 103E1805 sheets 1 [illegible] the MSLIVs are shown as connected directly to the TLU [illegible] LDS, but those same drawings show the LDS as part [illegible]. On the IBDs for the LD&IS (LDS) are shown all of [illegible] actuation of the MSLIVs. Further, in Ref. 2, [illegible] of Equipment Interface with the Essential Mux [illegible] shown the MSIVs, from which it could be inferred [illegible] MSIVs are actuated through the multiplexer. It has been assumed for this analysis that the control of the MSLIVs rests in the ESFAS but that the software which evaluates the various functions for operating the MSLIVs runs on the DTM and TLU which also evaluate RPS functions. Further, it is assumed that the actuation signals for the valves are hardwired from the RPS/MSIV TLUs to the valve load drivers. These assumptions blur the separation between RPS and ESFAS but do not affect the analysis.

2) All 16 flow sensor channels fail together.

3) Since the feedwater pump loses its steam supply with the closing of the MSLIVs (see paragraph 15.2.4.3.1), both RCIC and HPCF are needed to maintain the water level in the RPV. This may not be a necessity, but the scenario shows it.

4) The SB&PCS is oblivious to the break in the line (a really worst-case assumption), although it will not be able to do more than idle the turbine on the line. Thus no scram initiating signals will come from the turbine.

5) The low turbine inlet pressure sensor channel is through the MPX. These sensors are different from the first-stage turbine pressure sensors, which connect directly to the DTM. See the material faxed to Stewart and Poslusny (NRC) on 10/4/91 from an unknown party in GE responding to NRC concerns, item number 9.
Low pressure may not initiate the closing of the MSLIVs if the break is not too complete or is located far from the turbine inlet.

[Table: DBE 15.6.4, Steam piping break outside containment (Table 15.6-4). The scram/mitigation matrix for this event, including the rows for the MPX, DTM and TLU failures, is not recoverable from the scan.]

A18.2 Conclusions

Failure 1 is actually two failures in one. If the transmitter sticks indicating permanent high water level, the injection valve for HPCF will never open; if the transmitter sticks indicating permanent intermediate water level, then the injection valve, once open, will never close and the reactor may overflow. (If the transmitter sticks at a permanent low level, there is a permanent scram initiated.) The behavior of RCIC for failure 1 is straightforward. If the channel sticks below the high water level setpoint (L8) then the reactor may overflow; if the channel sticks at or above the high water level setpoint RCIC will not initiate.

For failure 8, scram is most likely to occur because of high pressure, because the MSLIVs have closed successfully. However, a power scram may occur because the high pressure will increase the reactivity of the core. ECCS operates normally.

For failures 2 and 3, the failure of the low water level transmitters causes either HPCF or RCIC to fail. It is not clear that both RCIC and HPCF are needed to keep the water level up in the RPV, but if both are needed and one fails, LPFL cannot provide a backup since ADS is required and cannot initiate because the drywell pressure is normal. See figure 7.3-2h.

For failure 11 everything operates normally.

For CMFs 12, 13 and 14 nothing works. All of the sensor channels which could close the MSLIVs come through the MPX, DTM and TLU. As long as the MSLIVs stay open, neither high reactor pressure nor high reactivity can cause a reactor scram. Water level will probably be maintained in the reactor by the feedwater system since there is probably enough steam pressure to run the feedwater pumps. Even if the water level falls to a low level ARI will not be invoked. ARI is initiated by low water level signals from the SSLC [Ref. 5].

Closing of the MSLIV limit switches is the primary reactor scram initiator, with high RPV pressure and high neutron flux scrams providing diversity. However, all three are linked in that the two diverse backup scrams depend on the MSLIVs closing. Therefore failures in the digital systems prevent scram from occurring. High steam line flow is the primary initiator for MSLIV closure, with tunnel temperature and turbine room temperature providing diversity. Low turbine inlet pressure is a third diverse initiator but it may not always function. Since all of these signals are processed through the digital system, the MSLIVs will not close for a CMF there. Manual controls provide defense-in-depth for both scram and closure of the MSLIVs. ARI also provides DID for scram, but for this event ARI fails when the digital systems fail because the MSLIVs do not close. If they are manually closed then ARI may get invoked, but if the operators are alert enough to close the MSLIVs manually, they will probably manually scram the reactor also.

RCIC and HPCF provide diverse means for cooling the core should that be required. The GE scenario indicates that both RCIC and HPCF are required to keep the core covered, which reduces the diversity somewhat, but this does not seem to be a critical issue. As above, failure of any of the digital systems eliminates all ECCS. LPFL is not available although it will initiate. LPFL requires the operation of the ADS, and ADS will not initiate because the drywell pressure remains normal. See figure 7.3-2h. DID for initiation of the ECCS is provided by manual initiation from the control room, assuming there is time for operator action. However, with the CMF of either the MPX or the TLU this manual initiation capability is cut off.
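The dependency chain described above (backup scrams that only act once the MSLIVs have closed, and every closure signal routed through the same digital components) can be checked mechanically. The following Python model is an added example, not part of the LLNL report or of any GE documentation: it records, for each A18 initiator, the components its signal passes through and any action it needs first, then computes which initiators survive a postulated CMF as a fixed point. The path assignments, the treatment of ARI as depending on the MPX (taken from the A19 and A20 conclusions) and the diversity rule (two automatic initiators that can be counted on) are this example's assumptions.

```python
"""CMF availability model for the event 15.6.4 protection functions.

Constructed example (not from the LLNL report or GE documentation). Each
initiator records the digital components its signal passes through and any
protective action that must already have occurred. A postulated common-mode
failure (CMF) removes every initiator whose path crosses a failed component,
and the remaining availability is computed as a fixed point so that chained
dependencies (backup scrams that need the MSLIVs closed first) are honoured.
Component names and dependencies follow the report text; the path assignments
are this example's assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Initiator:
    name: str
    action: str               # protective action this signal initiates
    path: tuple = ()          # digital components the signal passes through
    requires: tuple = ()      # actions that must already have happened
    automatic: bool = True    # False for a manual control-room action
    reliable: bool = True     # False where the report says it may not always work


DIGITAL = ("MPX", "DTM", "TLU")   # assumed path for all automatic sensor channels
ACTIONS = ("MSLIV closure", "scram")

# Assumed model of the A18 conclusions.
INITIATORS = (
    Initiator("high steam line flow", "MSLIV closure", DIGITAL),
    Initiator("MSL tunnel temperature", "MSLIV closure", DIGITAL),
    Initiator("turbine room temperature", "MSLIV closure", DIGITAL),
    Initiator("low turbine inlet pressure", "MSLIV closure", DIGITAL, reliable=False),
    Initiator("manual MSLIV closure", "MSLIV closure", automatic=False),
    # The three automatic scrams all depend on the MSLIVs having closed.
    Initiator("MSLIV limit switches", "scram", DIGITAL, requires=("MSLIV closure",)),
    Initiator("high RPV pressure", "scram", DIGITAL, requires=("MSLIV closure",)),
    Initiator("high neutron flux", "scram", DIGITAL, requires=("MSLIV closure",)),
    # ARI: assumed to need the MPX (per A19/A20) but not the DTM or TLU.
    Initiator("ARI on low water level", "scram", ("MPX",), requires=("MSLIV closure",)),
    Initiator("manual scram", "scram", automatic=False),   # hard wired pushbuttons
)


def available_initiators(failed, credit_manual=False, initiators=INITIATORS):
    """Return {action: [initiator names]} that can still act under a CMF.

    `failed` is the set of digital components lost. With credit_manual=False
    only automatic initiators count; with True, operator action is credited,
    which also satisfies prerequisites of downstream automatic initiators.
    """
    failed = set(failed)
    achieved = set()
    result = {action: [] for action in ACTIONS}
    changed = True
    while changed:                       # fixed point over the dependency graph
        changed = False
        for ini in initiators:
            if ini.name in result[ini.action]:
                continue
            if not ini.automatic and not credit_manual:
                continue
            if set(ini.path) & failed:
                continue                 # signal path crosses a failed component
            if not all(req in achieved for req in ini.requires):
                continue                 # prerequisite action has not occurred
            result[ini.action].append(ini.name)
            achieved.add(ini.action)
            changed = True
    return result


def has_diversity(names, initiators=INITIATORS):
    """Diversity as the report uses it: at least two automatic initiators that
    can be counted on remain for the action."""
    by_name = {ini.name: ini for ini in initiators}
    return sum(1 for n in names if by_name[n].automatic and by_name[n].reliable) >= 2


def assess(failed, initiators=INITIATORS):
    """Per action: automatic initiators, whether diversity survives, and what
    remains once operator action (defense-in-depth) is credited."""
    auto = available_initiators(failed, False, initiators)
    with_ops = available_initiators(failed, True, initiators)
    return {
        action: {
            "automatic": auto[action],
            "diverse": has_diversity(auto[action], initiators),
            "with_operators": with_ops[action],
        }
        for action in ACTIONS
    }


if __name__ == "__main__":
    for cmf in ((), ("MPX",), ("DTM",), ("TLU",)):
        print(f"CMF of {', '.join(cmf) or 'nothing'}:")
        for action, info in assess(cmf).items():
            print(f"  {action:14s} automatic={info['automatic']}")
            print(f"  {'':14s} diverse={info['diverse']} "
                  f"with operators={info['with_operators']}")
```

Running the script reproduces the section's finding: with no CMF both actions have diverse automatic initiators, while a CMF of any one of the MPX, DTM or TLU leaves no automatic initiator for either action and only manual closure, ARI (for a DTM or TLU failure) and manual scram once operators are credited.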
A19. LOCA Inside Containment

This event, number 15.6.5, is a loss of coolant accident (LOCA) inside containment, Table 6.3-2. This is a limiting fault.

A19.1 Special Assumptions

1) Any break in the piping which causes this event will increase the drywell pressure sufficiently to trigger mitigating action. This is justified if the break is a main steam line or a feedwater line. (Feedwater temperature is 422F and the flow is over 4000 lb/sec (Table 15.0-1).) Therefore it should flash as it enters the drywell and the volume should be adequate to increase drywell pressure to the trip point (1.7 psig, figure 7.3-4c). For other (unidentified) breaks this assumption is not so clear.

2) A number of signals may initiate the closing of the MSLIVs: excessive steam flow, low turbine inlet pressure, or low reactor water level (figure 7.3-5, sheets 4 - 7). The first two are problematical since, if a steam line breaks, the position and extent of the break may prevent them from initiating the valve closing, and a feedwater line break clearly will not increase the flow in the steam lines or reduce the turbine inlet pressure. Low water level appears to be the only MSLIV trip that can be counted on. However, after the reactor scrams on low water level, if the MSLIVs have not closed, for whatever reason, ultimately the MSLIVs will close on low turbine inlet pressure.

3) All signals that initiate MSLIV trips come through the EMS. There is some confusion on this because turbine first stage pressure, which trips the reactor, enters the system at the RPS DTM. But this signal is a bypass signal for start up rather than a trip. These items are covered in more detail in assumption 1 for event 15.6.4.
[Table: DBE 15.6.5, Loss of Coolant Accident (Table 6.3-2). Parameters: 1 Low Water Level (primary scram and ECCS initiator); 2 High Water Level; 3 RPV High Pressure; 4 High Drywell Pressure (secondary scram initiator); 5 High Reactivity; 6 High MSL Radiation; 7 MSLIV (tertiary scram initiator); 8 Turbine Valves Closing; 9 CRD Pressure Low; 10 Low Turbine Inlet Pressure (tertiary scram initiator). Mitigations 1 to 20; rows Scram, ARI, HPCF, RCIC, LPFL, SLCS, MSLIV, ADS, SRV, Information. Notes: all three of the ECCS systems, RCIC, HPCF and LPFL, must be available to mitigate the effects of this accident; ADS is required for LPFL. Legend: blank - not involved or not affected; 0 - not available due to postulated CMF; 1 to 11 - actuating parameter. Cell entries are not recoverable from the scan.]
A19.2 Conclusions

For failure 1 scram will initiate on either of the two backup signals, high drywell pressure or MSLIV closure. Failure 1 is actually two failures in one. If the transmitter sticks indicating permanent high water level, the injection valve for HPCF will never open. If the transmitter sticks indicating permanent intermediate water level, then the injection valve, once open, will never close and the reactor may overflow. (If the transmitter sticks at a permanent low level, there is a permanent scram initiated.) The behavior of RCIC for failure 1 is straightforward. If the channel sticks below the high water level setpoint (L8) then the reactor may overflow; if the channel sticks at or above the high water level setpoint RCIC will not initiate.

For failures 2, 3, 5, 19 and 20 the system reacts in a reasonably normal fashion, with scram occurring on time and all elements of the ECCS initiating as they should. It should be noted that the LPFL initiates on either the wide level A - D transmitters or the E - H transmitters. Drywell pressure is needed to initiate scram, HPCF and RCIC as the various low water level transmitters fail. The MSLIVs will close on low water level in the normal way except in 19, where low turbine inlet pressure is needed.

For failures 17 and 18 scram and initiation of the high pressure parts of ECCS occur normally (low water level), but although LPFL will initiate, it is unavailable because ADS requires both the low water level switch and the high drywell pressure to initiate. This jeopardizes the core integrity. The MSLIVs close normally on low water level.

For failure 10 none of the protection systems will initiate since all of the necessary signals are transmitted through the MPX. Manual initiation of the ECCS from the control room is prevented because these manual controls operate through the MPX. See GE drawings 103E1805 sheets 1 - 5. Manual scram of the reactor from the control room is available since these pushbuttons are hard wired to the scram solenoids. Again see GE drawings 103E1805 sheets 1 - 5. Core exposure and significant fuel damage are probable.

For failures 11 and 12 ARI will scram the reactor but, as in 10 above, none of the ECCS will initiate automatically. In failure 11 manual initiation of the ECCS can be accomplished from the control room, but a failure of the TLU (failure 12) disconnects these controls as in 10. Core exposure and fuel damage are very likely.

For all failures except 10 through 12 the MSLIVs will close as required when the water level gets low enough or the turbine pressure gets low enough. Low water level is the primary scram initiator, with high drywell pressure and closure of the MSLIVs providing diversity. ARI provides defense-in-depth for scram, but for failures in the digital systems most of this depth vanishes. Manual scram is available at all times, but there may not be enough time for the operators to act, so this may not provide more depth to the defense. RCIC, HPCF and LPFL provide diverse means for cooling the core. Failures in the digital systems, however, prevent any of these systems from initiating. Manual initiation of the ECCS from the control room provides defense-in-depth, but this is not operational for a CMF of the MPX or TLU.
A20. Feedwater Line Break Outside Containment

This event, number 15.6.6, is a break in a feedwater line outside containment, Table 15.6-15. This is a limiting fault.

A20.1 Special Assumptions

1) Both RCIC and HPCF will normally be available to mitigate this event and are adequate for the task. Table 15.6-15 states that RCIC is not available because the feedwater line is broken. This is not backed up by any other documentation, and examination of other pertinent documentation leads to the impression that the statement is in error. If one or the other of these systems fails, it is assumed that LPFL will turn on as required.

2) Low water level will normally trip the MSLIVs (figure 7.3-5, sheets 4 - 7). However, after the reactor scrams on low water level, if the MSLIVs have not closed, for whatever reason, ultimately the MSLIVs will close on low turbine inlet pressure.

3) All signals that initiate MSLIV trips come through the EMS. There is some confusion on this because turbine first stage pressure, which trips the reactor, enters the system at the RPS DTM. But this signal is a bypass signal for start up rather than a trip. Also, the MSL radiation trip enters the RPS at the DTM and is then passed to the ESFAS to initiate MSLIV trip. These items are covered in more detail in assumption 1 for event 15.6.4.
[Table: DBE 15.6.6, Feedwater line break outside containment (Table 15.6-15). Parameters: 1 Low Water Level (primary scram and ECCS initiator); 2 High Water Level; 3 RPV High Pressure; 4 High Drywell Pressure; 5 High Reactivity; 6 High MSL Radiation; 7 MSLIV (secondary scram initiator); 8 Turbine Valves Closing; 9 CRD Pressure Low; 10 Low Turbine Inlet Pressure (tertiary scram initiator). Mitigations 1 to 18; rows Scram, ARI, HPCF, RCIC, LPFL, SLCS, MSLIV, ADS, SRV, Information. Notes: both RCIC and HPCF may be required to maintain water level in the reactor; ADS is required for LPFL; ADS requires high drywell pressure. Legend: blank - not involved or not affected; 0 - not available due to postulated CMF; 1 to 11 - actuating parameter. Cell entries are not recoverable from the scan.]
A20.2 Conclusions

For failure 1 scram is initiated by the MSLIVs closing. Failure 1 is actually two failures in one. If the transmitter sticks indicating permanent high water level, the injection valve for HPCF will never open. If the transmitter sticks indicating permanent intermediate water level, then the injection valve, once open, will never close and the reactor may overflow. (If the transmitter sticks at a permanent low level, there is a permanent scram initiated.) The behavior of RCIC for failure 1 is straightforward. If the channel sticks below the high water level setpoint (L8) then the reactor may overflow. If the channel sticks at or above the high water level setpoint RCIC will not initiate.

For failures 2 and 3, the reactor scrams normally but only one of the two ECCS systems is available. If this is inadequate to maintain the water level in the reactor during cooldown, the core may become exposed, because LPFL is unavailable since ADS will not initiate because the drywell pressure is not elevated.

For failure 10 none of the protection systems will initiate since all of the necessary signals are transmitted through the MPX. Manual initiation of the ECCS from the control room is prevented because these manual controls operate through the MPX. See GE drawings 103E1805 sheets 1 - 5. Manual scram of the reactor from the control room is available since these pushbuttons are hard wired to the scram solenoids. Again see GE drawings 103E1805 sheets 1 - 5. Core exposure and significant fuel damage are guaranteed.

For failures 11 and 12 ARI will scram the reactor but, as in 10 above, none of the ECCS will initiate automatically. In failure 11 manual initiation of the ECCS can be accomplished from the control room, but a failure of the TLU (failure 12) disconnects these controls as in 10. Core exposure and fuel damage are very likely.

Failures 17 and 18 are not particularly significant since the only unusual occurrence is the belated trip of the MSLIVs from low pressure as a result of the reactor running out of steam.

Low water level is the primary scram initiator, with closure of the MSLIVs providing diversity. Not all initiators are functional for all CMFs, and with any failure in the digital systems both initiators fail. Defense-in-depth is provided by ARI and, if there is enough time for the operators to act, manual scram. Failures in the digital systems impair this depth, with a failure in the MPX eliminating ARI, leaving manual initiation as the only means of scramming the reactor. RCIC and HPCF provide diverse means for cooling the reactor core, but this diversity vanishes with any failure in the digital system. LPFL is never available for this event. LPFL requires the operation of the ADS, and ADS will not initiate because the drywell pressure remains normal. See figure 7.3-2h. Manual initiation of the ECCS from the control room provides defense-in-depth if there is enough time for the operators to act. These manual controls are cut off when either the MPX or the TLU fails.
Appendix B

B1. Various Support Systems

There are several systems contained within the protection system for which a detailed CMF analysis is impractical because of a lack of design information, or unnecessary because their failure to activate automatically poses no serious risk to the reactor system. For those systems for which we have inadequate information, the number of assumptions required would be so great that the analysis would be essentially meaningless. Further, these systems are not typically required to meet the challenges of Chapter 15. These systems are:

1) RHR/Wetwell and Drywell Spray Cooling Modes
2) RHR/Suppression Pool Cooling Mode
3) Standby Gas Treatment System
4) Emergency Generator Support Systems
5) Reactor Building Cooling Water System
6) Essential HVAC System
7) HVAC Emergency Cooling Water System
8) High Pressure Nitrogen Gas Supply System

What can be said about these systems is that they all may suffer from the same problems that the ECCS suffers from if they are controlled through the MPX, DTM, TLU systems. That is, failures in these digital systems may well prevent any or all of these systems from starting when required. Further, manual control from the control room may be prevented if the MPX or TLU fails in a common mode. See GE drawing 103E1805 sheet 1.

B2. CRD Header Pressure Scram and High Pressure Nitrogen Supply

The high pressure nitrogen supply system is required for scram but depends on the operators to make sure that the supply is adequate for the action required. We presume that low pressure is annunciated to the operators, but a large leak might get ahead of them. Further, the CRD pressure scram scrams only if there is a leak in the purge water flow system. There may be a link between these systems (high pressure nitrogen and CRD pressure scram), but it is obscure and that makes the analysis weak. It is questionable whether scramming with a detected leak in the CRD header is a good idea. If the header system is leaking at 1000 psi and it is suddenly pressurized to 2000 psi there might be a disaster.

B3. Seismic System

The accelerometers are shown entering the SSLC in Ref. 2. The signals are shown on Figure 19N.1-1. However, in Ref. 3, concern number 9, no mention is made of the place that seismic signals enter the system. If the signals enter the SSLC at the DTM, a CMF of the DTM or the TLU will prevent scram for a seismic event; if they enter a little farther along at the TLU, then only a CMF of the TLU would prevent scram. Corruption of the channels is probably not an issue with these signals since there are three sets of accelerometers and a trip will occur if any one set functions correctly.

B4. Manual Bypass System

The manual bypass system allows the bypassing of sensors and divisions of the protection system. The purpose is to allow maintenance of the various parts of the system while still maintaining the protective function. The logic of section 7.2 shows that if one division is bypassed, the other divisions cannot be bypassed. However, since all of the logic is implemented by software, a potential common mode failure is for the bypass of one division to cause the bypass of all divisions, thus eliminating any protective actions if protection is required.
Appendix C

This appendix contains the Trip Tables which were used in this analysis. The tables show the inputs for the various functions of the protection system together with the actions which are triggered by the functions.
[The trip tables below survive only as row labels; the column headings (the individual trip functions) and the X marks showing which input feeds which function are not legible in the scan. Illegible identifiers are marked.]

Reactor Protection System Trip Table
Input sensors: APRM/UP (1-4); Non-Coinc. Dis. Sw.; Reactor Mode Sw.; SRNM/UP (1-4); CRD Press Low; CRD Press Bypass Sw.; RPV/PT 301 (A-D); In. MSIV 85%/POT 012 (A-D); MSIV 85%/POT 013 (A-D); MSIV Bypass A; MSIV Bypass B; MSIV Bypass C; MSIV Bypass D; Div. I Sensor Bypass; Div. II Sensor Bypass; Div. III Sensor Bypass; Div. IV Sensor Bypass; RPV NR Water/LT-351 (A-D); MSL Radiation Hi/RT [illegible]; Bottom Horiz Accel/ACS(bh); Bottom Vert Accel/ACS(bv); Top Horiz Accel/ACS(th); Drywell/PT-306 (A-D); TSV/POS-001 (A-D); TFCV/POS 004 (A-D); HTS Low Oil/PS-00[illegible] (A-D); Turb 1st Stg/[illegible] (A-D).
Reactor action: Scram; MSIV closure.

ECCS - HPCF Trip Table
Input sensors: Water level 1.5 LT 353 (E-H); Drywell high pressure PT 306 (A-D); Water level 8 LT 351 (A-D); Suppression pool suction valve full open switch; Condensate pool suction valve full open switch; Suppression pool level; Condensate pool level; Manual control; PB Reset; Pump suction pressure switch; Containment flood level bypass.
Reactor action: HPCF pumps tripped on, require reset to stop; HPCF flow to RPV disabled; water intake from suppression pool; water intake from condensate pool.

ECCS - RCIC Trip Table
Input sensors: Drywell high pressure PT 306 (A-D); Reactor water level 2 LT 353 (A-D); Reactor water level 8 LT 351 (A-D); Suppression pool water level high LT 005 (D-H); Low pump suction pressure PT 303; Leak detect; Condensate pool water level low LT 001 (D-H); MOV F031 position.
Reactor action: RCIC trip; RCIC cooling water flowing into reactor; bypass for testing; suction valve lineup.

ECCS - ADS/SRV Trip Table
Input sensors: RPV pressure high PS M1010 (A-D); RPV pressure high PS M1011 (A-D); RPV pressure high PS M1012 (A-D); RPV pressure high PS M1013 (A-D); RPV pressure high PS M1014 (A-D); RPV pressure high PS M1015 (A-D) (the setpoint pairs printed beside these rows are not legible); Manual key operated switch H11 SRV control; Manual PBS H11 ADS oper.; Manual PBS H11 ADS reset; Reactor water level LS M1004 (A-D); Reactor water level LS M1004 (E-H); Drywell pressure PS M1019 (A-D); RHR pump discharge pressure E11 PIS302 (A-C); RHR pump discharge pressure E11 PIS303 (A-C); HPCF pump discharge pressure E22 PIS300 (B-C); HPCF pump discharge pressure E22 PIS307 (B-C).
Reactor action: Blowdown; Pressure relief.

ECCS - RHR/LPFL Trip Table
Input sensors: Drywell pressure PT 306 (A-D); Reactor water level LT 353 (A-D); Reactor water level LT 353 (E-H); Reactor vessel pressure PT 301 (A-D); RHR manual initiate PBS; RHR PBS reset; Diesel generator running, switch ?; AC power available, switch ?; RHR pump suction valve MOV F001 (A-C) open switch ?; Shutdown suction iso valve MOV F002 (A-C), switch ?; LOCA Trip.
Reactor action: RHR LPFL tripped; LPFL pumping water into core.

LD & IS MSIV Trip Table
Input sensors: MSL tunnel area ambient temp TS 2620 (A-D); MSL turbine area ambient temp TS 2621 (A-D); Reactor water level 021 LS 7603 (E-H); MSL turbine inlet pressure 021 PIS 7628 (A-D); Main condenser vacuum D21 PS 2901 (A-D); MSL (A) steam flow DPIS 2616 (A-D); MSL (B) steam flow DPIS 2616 (E-H); MSL (C) steam flow DPIS 2616 (J-M); MSL (D) steam flow DPIS 2616 (N-S); Channel A sensor bypass switch; Channel B sensor bypass switch; Channel C sensor bypass switch; Channel D sensor bypass switch; Division (1-4) TLU auto trip test switch; Reactor mode switch; Division (1-4) main condenser vacuum bypass switch; RPS IBD Ref Doc 5 MSL Radiation high; MSL (A-D) MSIV (IB/OB) Auto/Close switch; MSL (A-D) MSIV (IB/OB) Test Close switch.
Reactor action: [illegible].

LD & IS RHR, RCIC, CUW and [illegible] Miscellaneous Isolation Trip Table
Input sensors: MSL Tunnel Ambient Temp TS 2620 (A-D); Reactor water level LS Z603 (A-D); Reactor water level LS Z603 (A-D); Reactor water level LS Z601 (A-D); Reactor pressure PIS 2607 (A-D); Drywell pressure PS 625 (A-D); R/A, HVAC or F/H area radiation high (Ref Doc 6, D11); RHR area (A-C) temp high TS 2600 (A-D, E-H, J-M); PCV Div (1-3) isolation PB switch; PCV Div (1-3) reset PB switch; RCIC area temp high TS 2605 (A-D); RCIC steam line pressure low PS 2007 (A-D); Div (1-4) sensor bypass switch; RCIC steam line flow high DPS 2606 (A-D); RCIC PB isolation switch Div (1,2); RCIC PB isolation reset switch; RCIC turbine exhaust pressure high (Ref. Doc 10, E51); CUW mass diff flow high DMFS 2613 (A-D); CUW Hx Reg ambient temp high TS 2009 (A-D); CUW Hx non-Reg ambient temp high TS 2609 (E-H); CUW valve room ambient temp high TS 2009 (J-M).
Reactor action: [illegible].
CMF Analysis DRAFT 113 pRAFT 12/17/91 Accend!LD D1. Shared signal analyses l In addition to the analyses performed under section 3.3 and results presented in section 5 of this report, eleven signals which are l shared between two or more echelons (see Figure 3 or Figure 5) are singled out for special attention in this section. The question asked is *can a sensor failure cause one echelon to challenge another and also inhibit the second echelon from mitigating the effects of the failure". For each shared signal this question is examined. i D1.1 Turbine valve 65% switches These switches:cause reactor scram upon load rejection or turbine trip. An optically isolated version of switch condition is passed to the control system where it is used to trip five reactor internal pumps, thereby reducing reactivity. The turbine valve switches do not serve as_ an input variable for a control process in the control system, so that there is no credible scenario in which failure of the turbine valve 85% switches will cause the control system to challenge either RPS or ESFAS Two types of failure are considered o possible: failure to indicate turbine valve closure and false i indication of turbine valve closure. D1.1.1 Failure to indicate closure Scenarios with turbine valve closure-have been considered in the review of Chapter 15 events 15.2.2 (generator load rejection) and '1.5.2.3 (turbine trip). Failure of the turbine valve switches results in scram due -to neutron. flux or high reactor vessel pressure. Insertion of all control rods will stop the reaction (assumption 3.6.6.1): and there is - diverse' signal (reactor dor"9 pressure) in the control system to cause internal pump trip. D1.1.2 ' False indication of turbine valve closure RPS will scram ie, reactor and five-intemal pumps will trip. Steam l pressure will-decrease and eventually, if no operator action occurs, low turbine inlet pressure or low = condenser-vacuum will cause the L MSLIVs to close. 
RCIC will start on low water level to continue reactor cooldown. The net result is an unplanned shutdown.
D1.2 Nuclear monitor system

The nuclear monitor system (NMS) provides trip inputs to the RPS, and other NMS outputs are used in the control system for rod block and reactivity control. Operators may use flux level as a power indication. The nuclear monitor system clearly has the potential to induce a reactivity transient, caused by the control system, which the RPS does not see. Two types of failure are considered: the neutron monitor system indicates significantly less flux than actually exists in the reactor, and the monitor system indicates more neutron flux than actually exists in the reactor. Oscillatory failures are not considered, and failures during startup are not considered.

D1.2.1 NMS indicates low

If the reactor is running under automatic load following control or the operator adjusts reactivity to match an intended value, the reactor will operate at some percentage overpower. Making the worst possible assumption, the reactor will exceed the 127% NBR trip point without scramming. There is insufficient information available to analyze the expected consequences because no General Electric simulation encompasses this event. Some possible scenarios are:
1) The reactor may be inadvertently driven prompt critical.
2) High vessel pressure may initiate a scram.
3) Generator protective relays may cause a load rejection.
4) Turbine protective relays may cause a turbine trip.

D1.2.2 NMS indicates high

If the reactor is running under automatic load following control or the operator adjusts reactivity to match an intended value, the reactor will operate at some percentage underpower. Underpower operation will not challenge the safety of the reactor, but there is a danger that operators will compensate by running at higher values of indicated neutron flux.

D1.3 Scram

The scram signal is generated by the RPS and is used by the control system to run the fine motion control rod drive all the way in during a scram.
The scram signal is not an input variable to a control process in the control system, and there is no credible scenario by which a failure can cause the control system to initiate a challenging transient which the RPS has not already seen.

D1.4 EOC RPT

The End Of Cycle Recirculating Pump Trip signal is generated by the RPS and is used by the control system to trip four reactor recirculating pumps immediately. The EOC RPT signal is not an input variable to a control process in the control system, and there is no credible scenario by which a failure can cause the control system to initiate a challenging transient which the RPS has not already seen.

D1.5 Drywell pressure

Drywell pressure transducer signal PT 306 (A-D) is shared between the RPS and the HPCF, RCIC, and LPFL of the ESFAS. In all cases it is used as a diverse trip or initiator signal, so the only unsafe failure is failure to indicate high drywell pressure when it exists. False indication of high drywell pressure causes a spurious trip, an annoying but safe failure. Failure of PT 306 was analyzed under Chapter 15 event 15.6.5, LOCA in containment. In this analysis, diverse signals (low water level, low turbine inlet pressure) lead to reactor scram and emergency cooling actuation if high drywell pressure fails to do so.

D1.6 Reactor water level

Narrow range reactor water level transducer signal LT 351 (A-D) is shared between the RPS and the HPCF and RCIC of the ESFAS. The signal from this transducer is used to initiate scram (water level < L3), as a permissive for the HPCF injector valve (water level < L8), and as a permissive for the RCIC steam turbines (water level < L8). A failure that reports water level > L8 will disable all three mitigation actions. Backup scram is available from ATWS (Alternate Rod Insertion), but LPFL will be ineffective as a backup for RCIC and HPCF (ADS does not operate) unless there is also high drywell pressure.
Since this can occur with containment isolated, the reactor control system (feedwater control) is ineffective as a second echelon of defense. There is therefore insufficient diversity and defense in depth to initiate effective emergency core cooling in the face of common mode failure of the LT 351 (A-D) water level transducer channels.
D1.7 Reactor vessel pressure

Reactor vessel pressure transducer signal PT 301 (A-D) is shared between the RPS and the LPFL of the ESFAS. The signal from this transducer is used to initiate reactor scram (reactor pressure > 1104 psig) and as a permissive for the LPFL injector valve (reactor pressure < 457 psig). Failure of the signal channel indicating mid-range affects both RPS and LPFL. Diverse methods of initiating scram are available, depending upon the situation. ATWS provides direct high pressure scram backup since it depends upon pressure switches which are diverse to PT 301. Most instances which result in high reactor vessel pressure also result in high neutron flux, causing scram by an alternate route. Common mode failure of PT 301 (A-D) does not, however, challenge ESFAS, since RCIC and HPCF are preferentially initiated on reactor water level, and HPCF provides diverse mitigation if LPFL is ineffective. There is therefore sufficient diversity and defense-in-depth to compensate for common mode failure of the PT 301 (A-D) pressure transducer channels.

D1.8 Reactor water level

Wide range reactor water level transducer signal LT 353 (? ?)[4] is shared between the HPCF or the RCIC of the ESFAS, and ATWS in the control system. This signal is used to initiate Alternate Rod Insertion (ARI) in ATWS and one of RCIC or HPCF. The only unsafe failure of this signal channel is failure to indicate low water level when it exists. In this case, reactor scram will have already been initiated by diverse water level sensors in the RPS, and one of either RCIC or HPCF will successfully initiate. There is therefore sufficient diversity and defense in depth to compensate for common mode failure of the LT 353 (? ?) water level transducer channels.

D1.9 FWC NR water level

The Feed Water Control (FWC) system narrow range water level transducer (unknown designation) is shared between ATWS and the FWC.
This signal is used in ATWS for recirculating pump trip and is assumed to be used in FWC for water level maintenance. A failure of this channel in the FWC can result in a challenge to the reactor protection system either directly (by causing low water level) or indirectly (by causing high water level). If the challenge is low water level (see the analysis of Chapter 15 event 15.2.7, loss of feedwater flow), diverse water level sensors initiate scram and ESF operation. If the challenge is high water level, RPS and ESFAS do not react until subsequent control system actions initiate turbine trip and low water level is sensed through diverse sensors. See the analysis of Chapter 15 event 15.1.2, runout of two feedwater pumps.

D1.10 SB & PC dome pressure

The Steam Bypass and Pressure Control (SB & PC) dome pressure transducer (unknown designation) is shared between ATWS and the SB & PC. This signal is used to initiate Alternate Rod Insertion (ARI) in ATWS and is assumed to be used by SB & PC for steam pressure maintenance. A failure of this channel in the SB & PC can result in a challenge to the reactor protection system either directly (by causing high reactor vessel pressure) or indirectly (by causing loss of reactor vessel pressure). Both of these challenges have been dealt with in analyses of Chapter 15 events (event 15.2.1, pressure regulation failure high, and event 15.1.3, failure of all pressure regulation valves in the open state). In both cases, diverse signals initiate reactor scram and emergency core cooling. However, ATWS ARI is unavailable if needed unless reactor water level drops below L2.

[4] Which four of the eight LT 353 (A-H) transducers are shared is unclear from the General Electric SAR.
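The shared-signal question asked at the start of this appendix, and applied by hand in D1.5 through D1.8, can be made mechanical: list each mitigating action's initiating sensor groups (any one suffices) and its permissive sensor groups (all must read correctly), state which sensor setpoints a given event actually reaches, and check which actions survive a common-mode failure of one shared group. The Python below is an added illustration of that screen and is not part of the report or of General Electric's design documents; the action dependencies follow the D1.5 to D1.8 text, while the scenario contents, the group names (NMS, ATWS_PS, TURB_VALVE) and the omission of the L2 permissive for ARI are constructed simplifications.

```python
"""Shared-signal common-mode-failure (CMF) screen.

Each mitigating action is modelled as a set of alternative initiating
sensor groups (OR) plus a set of permissive sensor groups that must all
read correctly (AND). A scenario is the set of sensor groups whose
setpoints the event actually reaches. The screen asks, for a CMF of one
shared sensor group, which actions of each safety function survive.
Dependencies follow D1.5 to D1.8 of the report; the scenarios and the
unlabelled group names are constructed simplifications for this example.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    name: str
    initiators: frozenset   # any one of these can start the action (OR)
    permissives: frozenset  # all of these must also read correctly (AND)


# Sensor channel groups named in the text (PT 306, LT 351, PT 301, LT 353)
# plus diverse groups the text mentions without designations (constructed names).
ACTIONS = (
    # RPS scram: low level (L3), high vessel pressure, high drywell
    # pressure, high neutron flux, turbine valve closure.
    Action("scram", frozenset({"LT351", "PT301", "PT306", "NMS", "TURB_VALVE"}),
           frozenset()),
    # ATWS alternate rod insertion: wide-range level or ATWS pressure
    # switches (the L2 permissive noted in D1.10 is omitted here).
    Action("ARI", frozenset({"LT353", "ATWS_PS"}), frozenset()),
    # RCIC and HPCF: initiated on level or drywell pressure, but the
    # injection permissive (level < L8) comes from LT 351 (D1.6).
    Action("RCIC", frozenset({"LT351", "PT306", "LT353"}), frozenset({"LT351"})),
    Action("HPCF", frozenset({"LT351", "PT306", "LT353"}), frozenset({"LT351"})),
    # LPFL: needs ADS, which needs high drywell pressure (PT 306), and the
    # low-pressure injection permissive from PT 301 (D1.7).
    Action("LPFL", frozenset({"PT306"}), frozenset({"PT301"})),
)

FUNCTIONS = {
    "reactor shutdown": ("scram", "ARI"),
    "emergency core cooling": ("RCIC", "HPCF", "LPFL"),
}

# Constructed scenarios: the sensor groups whose setpoints the event reaches.
LEVEL_TRANSIENT_ISOLATED = frozenset({"LT351", "LT353"})                   # D1.6 case
PRESSURIZATION = frozenset({"PT301", "NMS", "ATWS_PS", "LT351", "LT353"})  # D1.7 case
LOCA_IN_CONTAINMENT = frozenset({"PT306", "LT351", "LT353"})               # D1.5 case


def action_available(action, failed, scenario):
    """True if the action can still be initiated with group `failed` in CMF."""
    if failed in action.permissives:
        return False
    return any(g in scenario and g != failed for g in action.initiators)


def screen(failed, scenario):
    """Map each safety function to the actions surviving CMF of `failed`."""
    by_name = {a.name: a for a in ACTIONS}
    return {
        func: [n for n in names if action_available(by_name[n], failed, scenario)]
        for func, names in FUNCTIONS.items()
    }


def diversity_adequate(failed, scenario):
    """True only if every safety function keeps at least one surviving action."""
    return all(survivors for survivors in screen(failed, scenario).values())


if __name__ == "__main__":
    for group, scen in (("LT351", LEVEL_TRANSIENT_ISOLATED),
                        ("PT301", PRESSURIZATION),
                        ("PT306", LOCA_IN_CONTAINMENT)):
        verdict = "adequate" if diversity_adequate(group, scen) else "INSUFFICIENT"
        print(group, screen(group, scen), verdict)
```

Run as written, the screen reproduces the three conclusions above: a CMF of LT 351 during a level transient with containment isolated leaves ARI as the only shutdown path and no surviving core cooling action (insufficient, as D1.6 finds), while CMFs of PT 301 and PT 306 each leave RCIC and HPCF available (sufficient, as D1.7 and D1.5 find). The value of writing it down this way is that a permissive shared with an initiator (the LT 351 L8 permissive) is caught structurally rather than by inspection.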
the water level falls to a low level ARI will not be invoked. ARI is initiated by low water level signals from the SSLC (Ref. 5).

Closure of the MSLIV limit switches is the primary reactor scram initiator, with high RPV pressure and high neutron flux scrams providing diversity. However, all three are linked in that the two diverse backup scrams depend on the MSLIVs closing. Therefore failures in the digital systems prevent scram from occurring. High steam line flow is the primary initiator for MSLIV closure, with tunnel temperature and turbine room temperature providing diversity. Low turbine inlet pressure is a third diverse initiator, but it may not always function. Since all of these signals are processed through the digital system, the MSLIVs will not close for a CMF there. Manual controls provide defense in depth for both scram and closure of the MSLIVs. ARI also provides DID for scram, but for this event ARI fails when the digital systems fail because the MSLIVs do not close. If they are manually closed then ARI may get invoked, but if the operators are alert enough to close the MSLIVs manually, they will probably manually scram the reactor also.

RCIC and HPCF provide diverse means for cooling the core should that be required. The GE scenario indicates that both RCIC and HPCF are required to keep the core covered, which reduces the diversity somewhat, but this does not seem to be a critical issue. As above, failure of any of the digital systems eliminates all ECCS. LPFL is not available although it will initiate: LPFL requires the operation of the ADS, and ADS will not initiate because the drywell pressure remains normal. See figure 7.3-2h. DID for initiation of the ECCS is provided by manual initiation from the control room, assuming there is time for operator action. However, with the CMF of either the MPX or the TLU this manual initiation capability is cut off.
A19. LOCA Inside Containment

This event, number 15.6.5, is a loss of coolant accident (LOCA) inside containment, Table 6.3-2. This is a limiting fault.

A19.1 Special Assumptions

1) Any break in the piping which causes this event will increase the drywell pressure sufficiently to trigger mitigating action. This is justified if the break is a main steam line or a feedwater line. (Feedwater temperature is 422F and the flow is over 4000 lb/sec (Table 15.0-1). Therefore it should flash as it enters the drywell, and the volume should be adequate to increase drywell pressure to the trip point (1.7 psig, figure 7.3-4c).) For other (unidentified) breaks this assumption is not so clear.

2) A number of signals may initiate the closing of the MSLIVs: excessive steam flow, low turbine inlet pressure, or low reactor water level (figure 7.3-5, sheets 4-7). The first two are problematical, since if a steam line breaks the position and extent of the break may prevent them from initiating the valve closing, and a feedwater line break clearly will not increase the flow in the steam lines or reduce the turbine inlet pressure. Low water level appears to be the only MSLIV trip that can be counted on. However, after the reactor scrams on low water level, if the MSLIVs have not closed, for whatever reason, ultimately the MSLIVs will close on low turbine inlet pressure.

3) All signals that initiate MSLIV trips come through the EMS. There is some confusion on this, because turbine first stage pressure, which trips the reactor, enters the system at the RPS DTM. But this signal is a bypass signal for start up rather than a trip. These items are covered in more detail in assumption 1 for event 15.6.4c.
[Figure/table page, rotated in the scan and not recoverable: a signal-versus-subsystem matrix whose legible labels include turbine stop valve switch, turbine control valve switch, a water level switch, MPX and DTM; the matrix entries themselves are lost.]