ML20097F333

Possible Modes of Steam Generator Overfill Resulting from Control System Malfunctions at OCONEE-1 Nuclear Plant
Person / Time
Site: Oconee (Duke Energy)
Issue date: 07/31/1984
From: Broadwater R, Clapp N, Clark F
OAK RIDGE NATIONAL LABORATORY, TENNESSEE TECH. UNIV., COOKEVILLE, TN
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
CON-FIN-B-0467, CON-FIN-B-467 NUREG-CR-3692, ORNL-TM-9061, NUDOCS 8409180488


Text

NUREG/CR-3692
ORNL/TM-9061

OAK RIDGE NATIONAL LABORATORY

Possible Modes of Steam Generator Overfill Resulting from Control System Malfunctions at the Oconee-1 Nuclear Plant

F. H. Clark
N. E. Clapp
R. Broadwater

Prepared for the Division of Engineering Technology, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, under Interagency Agreement DOE 40-550-75

OPERATED BY MARTIN MARIETTA ENERGY SYSTEMS, INC. FOR THE UNITED STATES DEPARTMENT OF ENERGY

Printed in the United States of America. Available from National Technical Information Service, U.S. Department of Commerce, 5285 Port Royal Road, Springfield, Virginia 22161.

Available from GPO Sales Program, Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555.

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.


NUREG/CR-3692
ORNL/TM-9061
NRC Dist. R1, R4, RG

Instrumentation and Controls Division

POSSIBLE MODES OF STEAM GENERATOR OVERFILL RESULTING FROM CONTROL SYSTEM MALFUNCTIONS AT THE OCONEE-1 NUCLEAR PLANT

F. H. Clark
N. E. Clapp
R. Broadwater*

Manuscript Completed: February 28, 1984
Date Issued: July 1984

*Tennessee Technological University, Cookeville.

Prepared for the Division of Engineering Technology, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, under Interagency Agreement 40-550-75
NRC FIN No. B0467

Prepared by Oak Ridge National Laboratory, Oak Ridge, Tennessee 37831, operated by MARTIN MARIETTA ENERGY SYSTEMS, INC. for the U.S. DEPARTMENT OF ENERGY under Contract No. DE-AC05-84OR21400

CONTENTS

1. Introduction
   1.1 General Considerations
      1.1.1 Work Scope
      1.1.2 Related Work Efforts
      1.1.3 Approach
      1.1.4 Outline of This Report
   1.2 Steam Generator Overfill Summary
      1.2.1 Scope of Steam Generator Overfill
      1.2.2 Principal Results of Steam Generator Overfill Study
      1.2.3 Methods Used
      1.2.4 Effects of Steam Generator Overfill
2. Description of Once-Through Steam Generator
   2.1 Functional Design of Steam Generator
   2.2 Steam Generator Controls
      2.2.1 Operating Control
      2.2.2 Steam Generator Level Limits and Sensors
      2.2.3 High Level Main Feedwater Pump Trip Circuitry
3. Systems Selected
4. Control System Failures That Contribute to Steam Generator Overfill
   4.1 Classification of Failures
   4.2 Detailed Description of Failure Sequences
   4.3 Simulation Recommendations
5. Possible Consequences of Steam Generator Overfill
   5.1 Direct Primary Side Effects
   5.2 Possible Secondary Side Damage
6. Tentative Conclusions
References
Appendix A - Information Sources
Appendix B - Steam Generator Tube Problems at Oconee 1
Appendix C - Review of Draft by Duke Power Co.

LIST OF ACRONYMS

AFW    Auxiliary feedwater
B&W    Babcock and Wilcox
BWR    Boiling water reactor
CE     Combustion Engineering
FMEA   Failure mode and effects analysis
FSAR   Final Safety Analysis Report
FW     Feedwater
HPI    High pressure injection
ICS    Integrated Control System
INEL   Idaho National Engineering Laboratory
LER    Licensee Event Report
LWR    Light water reactor
MFW    Main feedwater
NNIS   Nonnuclear Instrumentation System
NPP    Nuclear power plant
NRC    U.S. Nuclear Regulatory Commission
ORNL   Oak Ridge National Laboratory
OTSG   Once-through steam generator
P&ID   Piping & instrumentation diagrams
PWR    Pressurized water reactor
RCS    Reactor cooling system
RC     Reactor coolant
SG     Steam Generator
SUV    Startup valve

ABSTRACT

A study has been made of control system failures which might lead to overfill of the steam generator in Babcock and Wilcox nuclear plants. The steam generator and its control system are described. Only one sequence has been found in which a single failure would lead to overfill, and in that case the final stages of the overfill would proceed rather slowly. Because of high level protective features, all other failure sequences we have examined require at least two failures to produce overfill beyond the point of high level protection. Several sequences are described in which high level protection features can be placed in an undetected failed state by a control system failure; a subsequent additional failure, occurring prior to the detection and correction of the first failure, could then produce system overfill.

Mechanical damage is identified which might be consequent upon steam generator overfill and water entry into the main steam line. Several ways of reducing the probability of steam generator overfill are suggested. No assessment has been made of the probability of occurrence of any of the sequences.

1. INTRODUCTION

1.1 GENERAL CONSIDERATIONS

1.1.1 Work Scope

This work is conducted for the U.S. Nuclear Regulatory Commission (NRC) under FIN No. B0467, Safety Implications of Control Systems. It supports the resolution of Unresolved Safety Issue A-47. The purpose of this contract is to determine whether nuclear power plant control systems, either in designed interaction or in credible malfunction, may interfere with the action of safety systems or may put the plant into a failed state beyond the protection of the safety systems. The effort at Oak Ridge National Laboratory is limited to the study of Babcock and Wilcox Co. and Combustion Engineering Co. plants. Plants designed by other vendors are under study at the Idaho National Engineering Laboratory (INEL). The study is, therefore, intended to be generic by vendor. Because it is recognized that detailed and realistic plant descriptive information is essential for a study of this sort, data from two existing nuclear power plants, Oconee-1 and Calvert Cliffs-1, were used to represent the designs of Babcock and Wilcox and Combustion Engineering respectively. While some elements of the study may be unavoidably plant specific, the thrust of the study as a whole is generic. Work to date covers only the Babcock and Wilcox design as represented by Oconee-1.

1.1.2 Related Work Efforts

A number of other activities supported by NRC are related to or develop information related to this work. We have maintained close liaison with them. Included among them are:

a. Plant Electrical System Evaluation, FIN B0816
b. Evaluation of Pressurized Thermal Shock, FIN B0468
c. Precursors to Potential Severe Core Damage Accidents, FIN B1583
d. In-Plant Reliability Data Base For Nuclear Plant Components, FIN B0445.
e. System Interactions in Nuclear Power Plants, FIN B0789

1.1.3 Approach

The general approach to this problem at ORNL is twofold: (1) a study of scenarios which could lead to control system-initiated plant failures, produced in the failure mode and effects (FMEA) format, and based on plant design and procedure information, and (2) the supportive development of a hybrid computer model for simulation of the nuclear power plant. The plant simulation details much more explicitly than is customary the plant control system and its capabilities and effects. The simulation will examine in detail important cases generated in the FMEA study. The simulation will be described fully in another report.

The FMEA study, as it relates to the Babcock and Wilcox steam generator overfill problem, is the subject of this report, and the remainder of this report will deal with it.

1.1.4 Outline of This Report

Section 1, the Introduction, deals with general program objectives and with some of the results of this study. Section 2 is concerned with description of the steam generator and its controls. Section 3 relates what systems received the most emphasis and why. Section 4 presents the failure modes considered, along with some possible failure scenarios. The more casual reader might wish to skip some of the material in Sects. 2 through 4, but should in no event skip Sect. 2.2.2, 2.2.3, or 4.1. Section 5 considers some possible consequences of a steam generator overfill; Sect. 6 makes some observations about possible design or procedure changes if they are felt to be necessary.

Appendices A, B, and C deal, respectively, with information sources, past steam generator tube problems at Oconee-1, and a review by Duke Power Co. of an early draft of this report.

1.2 STEAM GENERATOR OVERFILL SUMMARY

1.2.1 Scope of Steam Generator Overfill

There are four conditions of steam generator misoperation of interest to this project.

a. Overfeed of the steam generator to the point where liquid water issues from its outlet. We shall consider this overfill.
b. Overfeed of steam generator beyond pump trip level. We shall consider this overfill.
c. Overfeed of the steam generator without exceeding pump trip level. However, primary coolant temperatures are lowered and thermodynamic conditions at the turbine inlet may be off their operational norms. We shall consider this overcool.
d. Underfeed of the steam generator. Primary coolant temperatures are increased, and thermodynamic conditions at the turbine inlet may be off their operational norms. In severe cases the steam generator may dry out.

This report will concern itself principally with (a) and (b). Succeeding reports will deal with (c) and (d).

1.2.2 Principal Results of Steam Generator Overfill Study

The following are the major results of the steam generator overfill study.

a. There are two high level protection features: a high level main feedwater pump trip and a high level main feedwater control valve closure. The system will not overfill under Main Feedwater action unless these features are defeated. They do not act on the auxiliary feedwater. (See Sects. 2.2.2 and 2.2.3).
b. Both of the above protection features receive level indication from the same instrumentation. They are, therefore, subject to common cause failure (See Sect. 2.2.2).
c. The main feedwater pump trip circuitry is separate from the Integrated Control System (ICS). Hence, a failure in this circuitry would affect the pump trip but not the high level control valve closure, which is governed by the ICS. There are several ways that the pump trip circuitry can be placed in undetected failed state. (See Sect. 2.2.3).
d. A low level indication overrides the high level control valve closure signal and creates a flow demand signal.
e. A sufficient leak in the selected low level pressure tap, or its connecting pipe, or the packing of either blocking valve to which it connects can lead to steam generator overfill by the auxiliary feedwater system (AFW). Such an overfill would be the result of a single failure. However, overfill by the AFW proceeds more slowly than overfill by the MFW, affording more time for corrective measures. The water pumped by the AFW, having less velocity, is likely to cause less mechanical damage than might water from the MFW.

All MFW overfill scenarios we have found require more than one failure. We have identified a number which are brought about by two failures, the first of which leaves part of the system in an undetected failed state. (See Sect. 4.1).

1.2.3 Methods Used

Initially over one hundred plant systems were screened to estimate their probable importance to steam generator overfill. They were classified according to:

a. potential to be the proximate cause of SG overfeed
b. potential to disable high level protection systems
c. potential to affect the function of (a) or (b) type systems
d. whether they are administratively removed from consideration (by reason of being dealt with in other contracts).

This classification is dealt with in Sect. 3.

The systems identified as important were then subject to intensive study. Among the most important systems were the Integrated Control System, the non-nuclear instrument system, the feedwater system, the main steam system, the reactor coolant system, and the instrument air system.

1.2.4 Effects of Steam Generator Overfill

The assessment of mechanical damage is not a part of the scope of this project. We have, however, indicated some areas on the secondary side that would be subject to unusual stresses and possible damage in the event of a serious overfill (See Sect. 5). Direct primary side effects stemming from steam generator overfill would initially be an overcooling and would require simulation for adequate assessment.

2. DESCRIPTION OF ONCE-THROUGH STEAM GENERATOR

This section describes the functional design and the controls of the steam generator.

2.1 FUNCTIONAL DESIGN OF STEAM GENERATOR

The once-through steam generator (OTSG) is a straight-tube, straight-shell heat exchanger. The reactor coolant is on the tube side, and the secondary fluid is on the shell side. The reactor coolant from the reactor outlet enters the 36-in. OTSG primary inlet nozzle at a temperature of about 603°F. The reactor coolant gives up heat to the secondary fluid as it flows through the tubes and leaves through the two 28-in.-ID outlet nozzles at a temperature of 555°F.

The tubes are supported by tube support plates which have broached openings to permit flow between the plate and the tube. The support plates are fixed longitudinally by a system of support rods that are welded to the lower tubesheet. Spacer tubes are installed over the support rods between each pair of adjacent support plates. This system permits positive placement of the supports within the cylindrical baffle.

The cylindrical baffle comprises two pieces: the lower section is bolted to the bottom tubesheet, and the upper section is welded to the shell just below the steam outlet nozzles. Alignment pins hold both sections radially in the shell.

Feedwater enters the OTSG through 32 spray nozzles connected to the 14-in.-OD main feedwater header. The condensing action of the cold feedwater (455°F at full load) draws steam through the circumferential space between the upper and lower cylindrical baffles. This steam heats the feedwater rapidly to the saturation temperature of about 535°F; this prevents thermal shocking of the shell. The flow of bleed steam is inherently self-regulating. Any change in feedwater flow changes the rate of condensation, thus changing the rate of bleed steam flow.

A mixture of saturated steam and water forms in the downcomer of the OTSG. The level and density of the downcomer fluid are set by the static head and pressure drop between the bottom of the tube nest and the bleed point. There is an adjustable orifice in the lower section of the downcomer to ensure the dynamic stability of the recirculated loop.

The fluid enters the tube nest through the ports in the lower portion of the cylindrical baffle (or wrapper). Since the fluid is at saturation temperature it begins to boil as soon as it comes in contact with the hot tubes. The boiling fluid flows upward in counterflow with the primary fluid.

The boiling taking place in the lower section is in the regime called nucleate boiling. The tubes are wetted and small bubbles rapidly form and break away from the surface. Nucleate boiling provides a very high heat transfer coefficient because of the turbulence resulting from bubble formation. Most of the heat is transferred in this region of the boiler. Nucleate boiling continues until enough water has vaporized to allow a blanket of superheated steam to form on the tubes; this condition is called film boiling. The steam blanket forms gradually as the steam quality reaches a high value. It is fully developed in only a very short section of the boiler.

The steam quality at the top of the film boiling region is 100%. This saturated steam is then heated to at least 35°F above saturation temperature in the superheat section of the boiler. The full-load steam temperature at the outlet nozzle will approach 590°F with a clean boiler; the steam temperature will change as the boiler fouls. At the top of the tube nest the steam flows into the annulus between the upper wrapper and the shell. The steam heats the upper part of the shell to the steam temperature; this minimizes the tube-to-shell temperature difference. The steam exits through the two 24-in.-ID steam outlet nozzles.

The steam generator is fed water from the feedwater systems, main or auxiliary, and heat from the primary loop. It is built to operate with liquid water and steam, each occupying approximately half of its secondary side volume. If the pumps and valving systems which supply water to the steam generator supply it at a rate greater than the heat from the primary side is able to vaporize it, the steam generator will begin to overfill. Hence, the proper operation and control of the steam generator depends upon a balanced flow of mass through the secondary loop and energy from the primary to the secondary loop.

Figure 1 is an outline sketch of the thermohydraulic aspects of the pressurized water reactor system of the Oconee plant. Much of it would apply to any B&W PWR system. Generally, the lower half of the diagram along with the secondary sides of the steam generators comprise the feedwater system. Feed comes from the condensate, through the FW pumps into a common header. It is then split into loop A and loop B flow. In each loop there is a startup valve and a main FW valve in parallel. There is a flowmeter in the startup leg which is sensitive to low flows, and downstream beyond where the two legs have come together is a flowmeter receiving the combined flow through both valves. This meter may be relatively inaccurate at low flows.

[Fig. 1. Outline sketch of the thermohydraulic aspects of the Oconee pressurized water reactor system; the figure is not reproduced in this text.]

2.2 STEAM GENERATOR CONTROLS

2.2.1 Operating Controls

Control of the feedwater system is provided through the MFW and start-up valves and the FW pump speed. Sensed signals which are sent to the Integrated Control System (ICS) and there processed to produce control signals for the FW system include the following:

1. Feedwater flow measures, both loops
2. Level indicators (startup and operating), both SGs
3. FW temperature, both SGs
4. Temperature difference between cold legs in the primary system
5. Turbine header pressure signal
6. Neutron error signal
7. RC hot leg temperature
8. RC flow
9. SG outlet pressure
10. Reactor coolant average temperature error
11. Pressure drops across FW valves

In maintaining total feedwater flow equal to total feedwater demand, the feedwater control subsystem manipulates two start-up valves, two main valves, and two pumps. The feedwater control includes the following considerations, each of which will be discussed below (see Fig. 2 - all references to Points and Blocks are on Fig. 2):

- normal control mode
- feedwater temperature compensation
- high and low cross limits with the reactor power level
- TAVG control to feedwater
- correct feedwater flow ratio between the two steam generators for control of inlet reactor temperatures
- total flow control on large reactor coolant flow error
- minimum steam generator degrees superheat limits
- minimum and maximum steam generator level limits

[Fig. 2, to which the Points and Blocks cited in this section refer, is not reproduced in this text.]

Normal Control Mode

In this mode, the feedwater demand from the Integrated Master (Point A) is used for feedback control of the valves and feedforward control of the pumps. Under balanced system conditions, the total feedwater demand from the Integrated Master is split evenly between feedwater loops A and B (Point B and Block 1). The measured feedwater flow to each steam generator is compared with its individual loop demand; the individual (Blocks 2 and 3) feedwater errors then pass through proportional plus integral controllers (Blocks 4 and 5) to establish the control valve positions. The individual loop demands are summed together (Block 6) and used to generate a feedforward pump speed demand signal.

The operations of the start-up valve and main valve in each loop are sequenced. Normally, as the loop demand varies from 0 to 15%, the start-up valve gain is adjusted to cause the start-up valve position demand to vary from 0 to 100% (Blocks 7, 8, 9, and 10). Then, as the loop demand varies from 15 to 100%, the gain on the main valve and the bias (Blocks 11, 12, 13, and 14) are adjusted to cause the main valve position demand to vary from 0 to 100%. When the start-up valve becomes 80% open, a block valve in series with the main valve is opened, and when the start-up valve becomes 50% closed, the blocking valve is closed.

The minimum pressure drop across the control valves is selected (Block 15) and used to form a feedback signal to the feedwater pump speed demand. The minimum pressure drop is compared with a setpoint, the resulting error passed through a proportional plus integral controller, and the feedback demand added to the feedforward pump speed demand (Blocks 16, 17, and 18). The feedback gain for the valve pressure drop error varies with the size of the error (Block 19).

The feedwater demands for each loop are passed through loop master hand/automatic stations (Blocks 20 and 21) so that the operator has the capability of establishing a manual feedwater demand for either or both loops. Valve position and pump speed demands can be manually specified for all actuators from hand/automatic stations (Blocks 22 through 27).

Feedwater Temperature Compensation

A function generator (Block 28) is used to compute the feedwater temperature based on feedwater demand and exit conditions required on the secondary side of the steam generator. An error signal that is based on the difference between the desired feedwater temperature and the measured feedwater temperature (Block 29) is used to modify the total feedwater demand (Block 30). The purpose of this modification of feedwater demand is to reduce the demand on the primary side of the OTSG while maintaining the desired exit conditions. Thus, when the feedwater temperature varies from that used in plotting the function generator, a correction to the total feedwater flow demand is applied. The correction to the total feedwater demand is applied in such a direction as to maintain the outlet steam generator temperatures at the values used in plotting the function generator.

Cross Limits With Reactor

Cross limits are used to maintain the feedwater flow in percent within a certain ratio of the reactor power in percent (Blocks 31 through 36). Whenever the measured neutron power is more than 5% different from the neutron power demand, a correction is made to increase or decrease the feedwater flow demand accordingly. For instance, if the neutron power error is -7%, then the cross limits will cause the feedwater flow demand to be decreased by 2% (Blocks 33 and 34). If the neutron power error is 6%, then the cross limits will cause the feedwater flow demand to be increased by 1% (Blocks 35 through 36).
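The start-up/main valve sequencing described under Normal Control Mode and the cross-limit correction described above can be traced with a short Python model. This is an added illustration, not code from the report or from the plant's ICS; the function and class names are hypothetical, and reading "50% closed" as a 50% start-up valve position is an assumption.

```python
"""Feedwater demand shaping per Sect. 2.2.1 (added illustration, not ICS code)."""
from dataclasses import dataclass

CROSS_LIMIT_BAND = 5.0   # % neutron power error tolerated before any correction
STARTUP_SPAN_END = 15.0  # % loop demand at which the start-up valve is fully open
BLOCK_OPEN_AT = 80.0     # % start-up valve position at which the block valve opens
BLOCK_CLOSE_AT = 50.0    # assumed reading of "50% closed": position of 50%


def cross_limit_correction(neutron_error_pct: float) -> float:
    """Return the feedwater demand correction in percent.

    Only the part of the neutron power error outside the +/-5% band is
    passed on, which reproduces the report's two cases (-7% -> -2%, 6% -> +1%).
    """
    if neutron_error_pct > CROSS_LIMIT_BAND:
        return neutron_error_pct - CROSS_LIMIT_BAND
    if neutron_error_pct < -CROSS_LIMIT_BAND:
        return neutron_error_pct + CROSS_LIMIT_BAND
    return 0.0


def clamp(value: float, low: float = 0.0, high: float = 100.0) -> float:
    return max(low, min(high, value))


@dataclass
class LoopValves:
    """One feedwater loop: start-up valve, main valve and its series block valve."""
    block_open: bool = False  # block valve state is remembered between calls

    def position_demands(self, loop_demand_pct: float):
        """Return (start-up valve %, main valve %, block valve open?)."""
        demand = clamp(loop_demand_pct)
        # Start-up valve strokes 0-100% over the first 15% of loop demand.
        startup = clamp(100.0 * demand / STARTUP_SPAN_END)
        # Main valve strokes 0-100% over the remaining 15-100% of loop demand.
        main = clamp(100.0 * (demand - STARTUP_SPAN_END) / (100.0 - STARTUP_SPAN_END))
        # Different open and close thresholds give the block valve hysteresis:
        # between 50% and 80% it keeps whatever state it already had.
        if startup >= BLOCK_OPEN_AT:
            self.block_open = True
        elif startup <= BLOCK_CLOSE_AT:
            self.block_open = False
        return startup, main, self.block_open


def ramp(loop_demands):
    """Run one loop through a sequence of demands, keeping block valve state."""
    valves = LoopValves()
    return [valves.position_demands(d) for d in loop_demands]


if __name__ == "__main__":
    for error in (-7.0, 3.0, 6.0):
        print(f"neutron error {error:+.1f}% -> correction {cross_limit_correction(error):+.1f}%")
    # Constructed demand ramp: up through the hand-over point and back down.
    for demand, row in zip((0, 7.5, 10, 12, 57.5, 10, 7.5), ramp((0, 7.5, 10, 12, 57.5, 10, 7.5))):
        print(f"loop demand {demand:5.1f}% -> start-up {row[0]:5.1f}%, main {row[1]:5.1f}%, block open={row[2]}")
```

At a loop demand of 10% the block valve is closed on the way up and open on the way down, so its state depends on the path taken and not on the demand alone.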

TAVG Control to Feedwater

Under certain conditions, the reactor control subsystem cannot control TAVG (i.e., reactor coolant average temperature). One such condition occurs when the reactor hand/automatic station is in manual. When the reactor control subsystem cannot control TAVG and the required conditions are satisfied, TAVG control is transferred to the feedwater control subsystem. When this occurs, TAVG error is operated on by a proportional plus integral controller (Point C), and the resulting feedback demand is summed with the feedforward total feedwater demand (Block 37). Plant conditions which would prevent feedwater control from accepting the control of TAVG are:

- both steam generators meeting level limits
- either steam generator on a Btu limit
- both feedwater Hand/Automatic master stations in manual.

Delta-Tc Control

To insure a uniform reactor inlet temperature distribution, the feedwater control ratios the two feedwater loop flows in such a manner as to maintain the temperature of the reactor coolant in cold leg A equal to the temperature of the reactor coolant in cold leg B. This may be expressed as TCA = TCB, or delta-Tc = TCA - TCB = 0. Ratioing the feedwater flow between the two steam generators for the control of reactor inlet temperature is referred to as delta-Tc control.

Both reactor coolant cold leg temperature measurements and reactor coolant flow measurements are used in implementing feedback control of delta-Tc.

A variable gain is modified by the delta-Tc feedback control signals and applied to loop A feedwater demand (Block 48). The loop A demand is then subtracted from the total demand (Block 1) to create the loop B demand modified by delta-Tc feedback.

The delta-Tc setpoint is normally entered as zero (Block 49). A proportional gain, a calibrating integral, and high/low limiters operate on the cold leg temperature difference delta-Tc error (Blocks 38 through 43). Both the proportional and calibrating integral actions are blocked if either feedwater loop Hand/Automatic station is in manual or if either steam generator is on level limit. The calibrating integral action only, and not the proportional action, will be blocked if the megawatt electric demand is changing faster than a specified rate or if a reactor coolant flow transient exists. A delta-Tc Hand/Automatic station (Block 44) may be used to replace the demand created by delta-Tc feedback error with manual ratioing of the feedwater flow demands.

There are four reactor coolant pumps, with two pumps operating in parallel in each loop. If an imbalance in the primary flows through the steam generators exists, as when the number of reactor coolant pumps running in each of the two primary loops are not equal, then delta-Tc will deviate from zero unless the feedwater flows are ratioed properly. To aid in maintaining delta-Tc equal to zero in this situation, derivative and proportional control actions are used to operate on the difference between the reactor coolant flows (Blocks 45 and 46, 50 and 51). The feedbacks due to delta-Tc error and primary loop flow imbalance are summed (Block 47) to create the variable gain applied to loop A feedwater demand (Block 48).

Total Flow Control

If the reactor coolant flow error becomes greater than 10% (Point D), then the total feedwater flow error passed through a proportional plus integral controller is used to modify each of the individual loop demands (Blocks 52 through 55). The effect of this controller is modified by conditions in the following manner. If both reactor coolant pumps on one loop are tripped, then the controller output is bled to 0% with a 60-s time constant. If steam generator A is on low level control and steam generator B is on manual control, then the output of the total flow controller due to integral action is held constant. The same output will occur if the roles of A and B are reversed and when both steam generators A and B are on low level control.

Btu Limits

To insure steam with a minimum specified number of degrees superheat (usually 19.4°C = 35°F), Btu limit calculations are implemented. The Btu limits are the maximum allowable feedwater flow demands for each loop. A low auctioneer is used in implementing the Btu limits in each loop (Blocks 56 through 57). Feedwater flow demands higher than the Btu limit would result in the degrees superheat at the outlet of the steam generator falling below the minimum specified degrees superheat.

The Btu limit calculations are based upon measurements of the reactor coolant flow, primary coolant temperature at the reactor outlet, the feedwater temperature, and the steam generator outlet pressure (Blocks 58 through 70). These variables are used to determine the amount of energy available from the steam generator at the desired steam temperature. If the normal feedwater demands (Points E and F) are calling for the removal of more energy from the steam generators than is available for the desired steam temperature, then the Btu limits override the normal feedwater demands.


2.2.2 Steam Generator Level Limits and Sensors

Low and high level limits are imposed on the operation of the steam generators. In the high level limit control, a low auctioneer is used to compare the feedwater flow error against an appropriately gained operate level error signal, and the minimum error signal is passed on to the valve control (Blocks 71 through 78). In the low level limit control, a high auctioneer is used to compare the feedwater flow error against an appropriately gained start-up level error signal, and the maximum error signal is passed on to the valve control (Blocks 79 through 89).

Note that this is not level control, that no attempt is made to maintain a set level; the limits simply give assurance that the level remains between pre-selected high and low points. Note further that a low level error signal, if present, will dominate.
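The selection chain described above can be traced numerically. The following is an added illustration, not code from the report or from the plant's ICS: the ordering (high level limit first, low level limit last) is inferred from the note that a low level error dominates, the 36-in. and 282-in. limits are the ones quoted in Sect. 4, and the gains, sign convention and sample cases are assumptions.

```python
# Added illustration of the Sect. 2.2.2 level limits; not plant or ICS code.
LOW_LEVEL_IN = 36.0    # low level limit quoted in Sect. 4 of the report
HIGH_LEVEL_IN = 282.0  # high level limit quoted in Sect. 4 of the report


def valve_error(flow_error, operate_level_in, startup_level_in,
                k_high=1.0, k_low=1.0):
    """Return (source, error) for the signal passed on to the valve control.

    Assumptions: positive error opens the MFW control valve; k_high and
    k_low are hypothetical stand-ins for the "appropriately gained" errors.
    """
    high_limit = k_high * (HIGH_LEVEL_IN - operate_level_in)
    low_limit = k_low * (LOW_LEVEL_IN - startup_level_in)

    # High level limit: the low auctioneer passes the minimum.
    source, error = min(("flow error", flow_error),
                        ("high level limit", high_limit),
                        key=lambda pair: pair[1])
    # Low level limit: the high auctioneer passes the maximum. It comes
    # last in the chain, so a low level error overrides what precedes it.
    return max((source, error), ("low level limit", low_limit),
               key=lambda pair: pair[1])


# Constructed cases: (label, flow error, operate level, startup level).
CASES = [
    ("level inside the band", 2.0, 150.0, 150.0),
    ("level above high limit", 5.0, 300.0, 300.0),
    ("level below low limit", -3.0, 20.0, 20.0),
    ("startup level signal failed low", -5.0, 300.0, 0.0),
]

if __name__ == "__main__":
    for label, flow_error, operate, startup in CASES:
        source, error = valve_error(flow_error, operate, startup)
        print(f"{label:32s} -> {source:16s} {error:+7.1f}")
```

In the last case the operate level is above the high limit, yet the failed start-up level signal wins the final selection and the valve is driven open.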

Figure 3 shows a schematic of the Oconee-1 steam generator, water level sensing pressure taps (labeled A, A', B, B', D, D', and E), the MFW and AFW delta-P cells associated with the A, B, D taps, and the valves and pipes that connect the taps to the cells. There is an identical set of valves, cells, and pipes associated with taps A', B', D'. Referenced from the bottom tube sheet as 0, the tap heights are A, A' - 6 in., B, B' - 102 in., D, D' - 394 in., E - 606 in.

[Figure: ORNL-DWG 83-19467]

Fig. 3. Schematic diagram of steam generator pressure taps and ΔP cells.

The operator selects which group of taps, A-B-D or A'-B'-D', will have its sensed signals sent to the ICS and the control room display. This is called the "selected" set.

The path from each pressure tap to the (normally open) blocking valves (Fig. 3) is open as shown, clear of obstructions or other valves. When the water level is above a tap it flows into the connecting pipe. When the water level is below tap D (D'), as it is normally, the pipe from that tap is filled to tap level by evaporation from the SG and condensation in the pipe. D (D') is the reference tap, and the water in it is maintained in this manner at height D-D'.

The failure possibilities are noted below for this arrangement of sensing equipment. Each of these failures, in addition to sending misinformation to the control system, would send misinformation to the control room display. This misinformation would be inconsistent with other information available in the control room display. The failure would be undetected until the operator observed the inconsistency and deduced its cause.

(a) A sufficient leak in the selected A, A' tap or the connecting pipe or the packing of the blocking valves between the tap and the corresponding AFW or MFW delta-P cell can cause an apparent drop in the sensed low level of the SG and bring on an overriding requirement to increase feedwater flow. This misinformation would go to both AFW and

(b) A sufficient leak in the selected B-B' level tap or connecting pipe or packing of the terminating blocking valves will similarly cause the operating level (or high level) sensing equipment to sense a lower level than is actually present. This failure can defeat both high level protection systems--the high level MFW pump trip and the high level control valve closure.

(c) Failure of the selected B-D (B'-D') MFW delta-P cell so that it reads low when the level is high will also defeat both high level protection systems.

(d) The blocking valve in the selected set, marked V in Fig. 3, if failed into a closed position during operation, will isolate the B-D MFW delta-P cell from sensing any further pressure changes at the B level tap. The other side of the cell "sees" the water column from the D level. This should remain essentially invariant until the water level exceeds the D level. At that point the cell should "see" a relative increase in the D over the B level, or, equivalently, a decrease in the B under the D level. This should be interpreted as a falling water level. Hence, this failure also defeats the two high level protection systems (Ref. 1).

2.2.3 High Level Main Feedwater Pump Trip Circuitry

Figure 4 is a schematic of the circuit transmitting SG high level sensed signals to the high level MFW pump trip and alarm. The following failures can place this system in an undetected failed state.

(a) For purposes of high level MFW pump trip and high level alarm the signals from both pairs B-D and B'-D' are used. The signals B-D and B'-D' from SG-A (Fig. 3) go respectively to contacts 2A and 3A (Fig. 4); similarly, B-D and B'-D' from SG-B go to 2B and 3B. Note that if either 2A or 3A is in a failed open condition SG-A cannot cause a high level MFW pump trip. Trips from SG-B are similarly blocked if either 2B or 3B is failed open.

(b) If the relay FPTX is failed open, all high level MFW pump trips from whatever source are blocked.

The circuitry of Fig. 4 is not part of the Integrated Control System. Hence, failures within this circuitry will not fail protective features, like the high level main feedwater control valve closure, which are operated from the ICS.


3. SYSTEMS SELECTED

The search for possible safety problems in the operation or malfunction of control systems requires deep and detailed examination of possibly offending systems or components. This is because nuclear power plants are designed with great care for safety; they are further subject to severe original and continuing scrutiny by the regulatory authorities for safe design and operation. It is therefore most unlikely that serious problems will be found with less than an in-depth search. The number of systems and components in the plant is so great that it would not be possible within allocated resources to make an in-depth study of all of them. Hence, a preliminary screening of systems was necessary to determine where the deeper effort should be applied.

Approximately 100 systems in the Oconee-1 nuclear plant were considered to determine whether they might have a significant effect on steam generator overfill. The systems were put into five classes as follows:

Class A - This class consists of those systems which, for administrative reasons, are excluded from consideration. It includes most safety systems and all plant electrical systems. The reason for the exclusion is that responsibility for consideration of these systems has been placed elsewhere. In the case of a few safety systems, for example the auxiliary feedwater system, we have been unable to avoid some consideration. A total of 24 electrical and 7 safety systems were placed in Class A.

Class B - This class consists of systems which contain components whose function or malfunction can directly increase the pressure difference between the main feedwater pump discharge and the Steam Generator or decrease the flow of heat from the primary coolant to the secondary side of the steam generator. Also in this class we include the control signals which motivate such components and the control circuitry associated with them.

Class B Systems

Main Steam System
Turbine Generator System
Main Feedwater System
Turbine Bypass System
Auxiliary Feedwater System
Reactor Coolant System
Integrated Control System

Class C - This class consists of systems which generate signals that are sent to the control systems (which, in turn, generate the signals which motivate the Class B components).

Class C Systems

Nuclear Instrumentation
Turbine-Generator System
Nonnuclear Instrumentation System
Feedwater System
Steam Generator
Main Steam System
Reactor Protection System

Class D - This class consists of systems having components whose operation or malfunction can directly affect the performance of Class B or Class C components.

Class D Systems

Cooling Water System
Essential Service Water System
Reactor Building Service Water System
Compressed Air System
Instrument Air System
Heating, Ventilation and Air Conditioning
Reactor Core

Class E - This class contains all other systems.

Class E Systems

Control Rod Drive System
Chemical and Volume Control System
Radioactive Waste System
Gaseous Radwaste System
Liquid Radwaste System
Solid Radwaste System
Radiation Monitoring System
Plant Area Radiation Monitors
Environmental Radiation Monitors
Process Radiation Monitors
Refueling System
Spent Fuel Storage System
Fuel Pool Cooling and Cleanup System
Service Air System
Process Sampling System
Plant Gas System
Nitrogen System
Hydrogen System
Potable and Sanitary Water System
Fire Protection System
Water System (Fire)
Carbon Dioxide System
Communication System
Control Room Habitability System
Diesel Bldg Ventilation System
Fuel Bldg Ventilation System
Non Radioactive Waste System
Gaseous Waste
Liquid Waste
Solid Waste
Turbine Gland Seal System
Turbine Lubrication System
Stator Cooling System
Hydrogen Seal Oil System
Condenser Evacuation System
Condensate Cleanup/Polishing System
Condensate Heater Drain System
Feedwater Heater Drain System
Auxiliary Steam System
Nine Containment Systems

4. CONTROL SYSTEM FAILURES THAT CONTRIBUTE TO STEAM GENERATOR OVERFILL

The Oconee-1 MFW control system has an overriding requirement to feed the steam generator as long as the water level is sensed below low level (36 in. on the selected A-D (A'-D') sensor - see Fig. 3). Between 36 in. and 282 in., control is not based on level during normal operations. A complex of demand-related signals is met by the control system. Most simple aberrations that might occur in a component are compensated by action of the Integrated Control System in this region.

When the sensed level exceeds 282 in. the ICS sends a signal to close the MFW control valve. If despite this the level rises to 394 in., a signal is sent by circuitry outside the ICS (see Fig. 4) to trip the MFW pumps. Note that this last signal will cause actuation of the trip only if signals are sent from both the B-D and the B'-D' sensor sets. (See Sects. 2.2.2 and 2.2.3.)

It is apparent, therefore, that the MFW cannot overfill a steam generator (above the 394-in. level) unless both high level protection features are defeated and an overfeed mechanism is initiated which is not controlled by cross limits or any of the other compensatory features of the ICS. We have accordingly classified possible failures as they may cause one or another of these.

[Figure: relay circuit diagram]

Fig. 4. Main feedwater pump high-level trip circuit.

The auxiliary feedwater system (AFW) is not subject to the high level protection features. Therefore, once the system is on AFW, less control system failure is required to bring on SG overfill. Two things should be borne in mind. There must have been a prior failure or unusual circumstance to bring on the AFW. And the AFW pumps water much more slowly than the MFW with full open or nearly full open control valve. Hence, in the AFW case, there is more time for intervention and less potentially damaging momentum carried by the water.

4.1 CLASSIFICATION OF FAILURES

Type A - Failures Which Place Both The High Level MFW Pump Trip and The High Level Control Valve Closure In Failed State - Since both of these systems depend on the same level detection equipment, a failure there would affect both equivalently.

a. A sufficient leak in selected pressure tap B (B') or connecting pipe from it or packing of either blocking valve on which the connecting pipe terminates - 2.2.2, b
b. Failure of valve V (Fig. 3) of the selected set in the closed position during operation - 2.2.2, c
c. Any failure of the selected B-D (B'-D') MFW delta-P cell, mechanical, hydraulic, or electrical, which causes the cell to read a low level when the level is high - 2.2.2, d

Further description of these failures appears in Sect. 2.2.2.

As observed there, since these are failures of level indications of the selected set, the indications are brought to the control room display where they are inconsistent with other level indications displayed there. The failure should be detected when the operator notices and understands the inconsistency.

Type B - Failures Which Place The High Level MFW Pump Trip In Undetected Failed State - As noted before the MFW pump trip circuitry is independent of the ICS which controls the high level control valve closure. Further, the pump trip requires a confirming signal from the nonselected B-D (B'-D') set.

a. Any failure causing relay 2A or 3A (Fig. 4) to fail with contacts open places SG-A pump trip in undetected failed state. Analogously, 2B and 3B for SG-B. 2.2.3, a
b. Any failure causing relay FPTX (Fig. 4) to fail with contacts open will put trip signals of both SGs in undetected failed state. 2.2.3, b
c. A sufficient leak in nonselected pressure tap B (B') or connecting pipe from it or packing of either blocking valve on which the connecting pipe terminates - 2.2.2, b
d. Failure of valve V (Fig. 3) of the nonselected set in the closed position during operation - 2.2.2, c
e. Any failure of the nonselected B-D (B'-D') MFW delta-P cell, mechanical, hydraulic, or electrical, which causes the cell to read a low level when the level is high - 2.2.2, d

Failures a and b are undetected by their nature. Failures c, d, and e are undetected because they are failures of the nonselected set which is not displayed in the control room.

Type C - Failures Which Block the High Level MFW Control Valve Closure and Also Initiate Steam Generator Overfeed -

a. Selected low level signal fails low. - Sect. 4.2, r; 2.2.2, a
b. Hard limiter on turbine header pressure error signal fails. Or the summer immediately downstream of the limiter produces a false signal. Either may have the effect of calling for increased flow.
c. Failure high of the low level setpoint. - Sect. 4.2, w

Type D - Failures Which May Initiate Fast Overfeed By MFW - Whether or not these failures would be controlled by the ICS and cross limits prior to challenging high levels is not clear. Simulation is required to determine this. - Sect. 4.2, q, t

a. Delta-P measurement on FW control valve fails at 0. Sect. 4.2, a.
b. FW temperature measurement in one loop fails high. Sect. 4.2, c.
c. MFW flow signal fails showing no flow. Sect. 4.2, d.
d. Hot leg temperature measurement fails high. - Sect. 4.2, g.
e. Delta-Tc signal fails either way. - Sect. 4.2, i.
f. TAVG determination fails high. - Sect. 4.2, j.
g. Neutron flux measurement fails high. - Sect. 4.2, k.
h. MFW blocking valve position indicator fails in closed position. - Sect. 4.2, a
i. Reactor coolant flow measurement fails low. - Sect. 4.2, u.
j. Main steam line safety, atmospheric, or turbine bypass valve fails open. - Sect. 4.2, v.
k. MFW control valve fails open or valve control signal fails demanding valve opening. - Sect. 4.2, o

Type E - Failures That Would Cause MFW Overfeed At Relatively Low Rate - These would afford more time for intervention. If water were ejected from the SG it would be with relatively less energy and momentum than in the foregoing cases.

a. Delta-P signal across MFW control fails between 0 and set point. - Sect. 4.2, b.
b. MFW flow measurement fails at low value greater than zero. - Sect. 4.2, e.
c. Reactor inlet temperature measurement in one loop fails low. - Sect. 4.2, h.
d. Startup FW control valve position indicator fails with valve less than 50% open. - Sect. 4.2, l.
e. MFW pump speed governor fails. - Sect. 4.2, n.
f. MFW Startup valve fails open. - Sect. 4.2, p.
g. MWe demand fails high. - Sect. 4.2, s.

Type F - Single Failure Causing Relatively Slow Overfill of Steam Generator

A sufficient leak in selected pressure tap A (A') - see Fig. 3 - or the connecting pipe from that tap or the packing of the blocking valves on which the connecting pipe terminates. Sect. 4.2, r; 2.2.2, a.

The foregoing classification is useful in the further analysis of the consequences of the failures, singly or in combination.

Type C failures, taken alone, should cause a rapid filling of the steam generator to the 394-in. level followed by MFW pump, reactor, and turbine trip and initiation of AFW.

Type D and E failures, taken alone, may be controlled by the ICS. In some cases they will lead to system trips. Type D failures are expected to lead to greater and more rapid SG overfeeds than Type E failures.

Type A and B failures do not cause SG overfeed but block some or all of the high level protection. Type A failures, which bring inconsistent information to the control room display, are expected to be detected sooner than Type B failures, which do not.

There is one Type F failure. This is a single failure which causes the rapid filling of the SG to the 394-in. point and the relatively slow continued overfilling of it thereafter.

Any Type A failure or any Type B failure followed by any Type C failure (coming before the detection and correction of the Type A/B failure) will cause rapid overfill of the SG with the MFW pumps operating at high speed.

No operator intervention (ameliorative or otherwise) has been assumed in the above discussion. We have made no estimate of the probabilities of these failures.
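The classification above can be checked by injecting each failure into a small logic model of the two high level protections. This is an added example, not code from the report: the 282-in. and 394-in. setpoints, the 2A/3A/FPTX contacts and the selected/nonselected sets come from the text, while the reading of a failed-low set, the data structure and the function names are assumptions, and only SG-A and the Type C(a) initiator are modeled.

```python
# Added fault-injection model of the SG-A high level protections
# (Sects. 2.2.2, 2.2.3 and 4.1). Not plant code.
from dataclasses import dataclass

VALVE_CLOSE_IN = 282.0   # report: ICS closes the MFW control valve
PUMP_TRIP_IN = 394.0     # report: high level MFW pump trip
FAILED_LOW_IN = 100.0    # hypothetical reading of a set that has failed low
LEGS = {"2A": "B-D", "3A": "B'-D'"}  # trip contact -> sensor set feeding it


@dataclass(frozen=True)
class Faults:
    selected: str = "B-D"                    # set sent to ICS and display
    reads_low: frozenset = frozenset()       # sets reading low at high level
    open_contacts: frozenset = frozenset()   # "2A", "3A", "FPTX" failed open
    low_level_signal_low: bool = False       # Type C(a) overfeed initiator


def sensed(f, sensor_set, actual_in):
    """Level reported by one sensor set, given the injected faults."""
    return FAILED_LOW_IN if sensor_set in f.reads_low else actual_in


def valve_closure(f, actual_in):
    """ICS high level valve closure; it sees only the selected set."""
    if f.low_level_signal_low:
        return False  # a low level error dominates the high level limit
    return sensed(f, f.selected, actual_in) > VALVE_CLOSE_IN


def pump_trip(f, actual_in):
    """Trip circuit outside the ICS: both legs and relay FPTX must work."""
    if "FPTX" in f.open_contacts:
        return False
    return all(contact not in f.open_contacts
               and sensed(f, sensor_set, actual_in) >= PUMP_TRIP_IN
               for contact, sensor_set in LEGS.items())


def protection_state(f, actual_in=400.0):
    """Return (valve closure works, pump trip works, fault on display)."""
    displayed = f.selected in f.reads_low  # nonselected set is not displayed
    return valve_closure(f, actual_in), pump_trip(f, actual_in), displayed


def outcome(f):
    """Result with no operator intervention, as the report assumes."""
    if not f.low_level_signal_low:
        return "no overfeed initiator in this model"
    if pump_trip(f, PUMP_TRIP_IN):
        return "fills to 394 in., then MFW pump trip"
    return "MFW overfill above 394 in."


# Constructed single and double failures.
SCENARIOS = {
    "no failure": Faults(),
    "Type A: selected set reads low": Faults(reads_low=frozenset({"B-D"})),
    "Type B: nonselected set reads low": Faults(reads_low=frozenset({"B'-D'"})),
    "Type B: contact 3A open": Faults(open_contacts=frozenset({"3A"})),
    "Type B: relay FPTX open": Faults(open_contacts=frozenset({"FPTX"})),
    "Type C(a) alone": Faults(low_level_signal_low=True),
    "Type B then Type C(a)": Faults(open_contacts=frozenset({"FPTX"}),
                                    low_level_signal_low=True),
}

if __name__ == "__main__":
    for name, faults in SCENARIOS.items():
        print(f"{name:36s} {protection_state(faults)} {outcome(faults)}")
```

Only the selected-set failure appears on the display, which is why the Type B rows are the latent ones that a later Type C failure converts into an overfill.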

4.2 DETAILED DESCRIPTIONS OF FAILURE SEQUENCES

The component parts of the FW system, its controls and control signals, constitute a functional group that could have failures which could initiate a SG overfeed. We have examined this group to find failures that can lead to overfill of the SG at Oconee. All but one of the overfeed sequences we have found would be terminated by successful action of the high level trip of the FW pumps. The exception is sequence r below, in which overfeed comes also from the auxiliary FW pump, which does not have a high level trip.

The following event sets have been identified as having the potential to cause steam generator overfeed. In each case the initiating event appears to lead to increase of the steam generator water level. The sequence of events suggested in each scenario beyond the initiating events is not intended to be taken as predictive. Event sequences can depend upon many things, and surprising results often ensue. These scenarios are constructed and presented as guides for the modelers and simulators to highlight features that may have special significance. Where indicated they will be analyzed on a system simulator in the next phase of this study which will be the augmented failure modes and effects analysis (FMEA).

A most helpful source, which suggested a number of these sequences, was Reference 2.

a. The delta-P signal across the FW control valves in loop A fails at its lowest value. The FW pumps go to high speed stop in an attempt to control the failed delta-P signal back to setpoint. Excessive feedwater flow results from the increased pump speed. Throttle pressure will increase, TAVG will start to fall, and the FW flow error will cause the FW valves to begin to close. Megawatts generated will begin to increase as the throttle valves move to control pressure back to setpoint. The control rods will pull, increasing reactor power, to control TAVG back up to setpoint.

However, as long as the tracking mode is not activated, the FW control valves should control the FW flow back to the original setpoint. Hence, the plant should settle out at its original condition, except that the high pump speed would result in a higher pressure drop across the FW control valves. Also, with the higher control valve pressure drop, the flow control would be more sensitive and would not be as smooth as normal. The FW valve flow control should be rapid enough to prevent a high level in the steam generators from occurring. However, failure of the FW control valves to act rapidly enough still leaves the high level pump trip protection.

b. The delta-P signal across the FW control valve fails at some point below the setpoint. Qualitatively, the effects are the same as in (a). However, (a) appears to be the bounding case; so the effects should be less severe. A failure of the delta-P signal above the setpoint value should not lead to SG overfeed.

c. The FW temperature measurement in loop A fails high at 500°F. FW temperature compensation will cause the total FW flow demand to increase, resulting in overfeeding both steam generators and overcooling the core. TAVG will start to drop, causing control rods to pull and reactor power to increase. The steam pressure will increase, causing the turbine valves to open and the megawatt electric generation to increase. Because of negative megawatt electric error, the megawatt electric calibrating integral will cause the feedforward control demands to the reactor and feedwater to decrease. If the megawatt electric calibrating integral does not reach a low limit, then the unit will settle out at its original condition. If the megawatt electric calibrating integral goes onto its low limit (generally set at -5%), then the plant will settle out at a higher power level than its original condition. If the FW temperature measurement failure occurs at a low load level, a higher probability of reactor trip due to low RC pressure exists than at a high load level. This is because at the low load level the FW temperature is lower than at the high load level. Hence, a greater percentage increase in FW flow will occur at the low load level. Further, at low load levels Btu limits are less restrictive.

d. The main FW flow signal in loop A fails showing zero flow. The loop A FW control valve will open fully trying to control the FW flow to setpoint. The delta-P across the loop A FW control valve will decrease below setpoint, and the FW pumps will speed up to control the delta-P back to setpoint. Steam generator A is overfed because control valve A goes fully open and the pumps speed up. Steam generator B is initially underfed when control valve A goes fully open, is probably overfed for a short period of time when the pumps speed up, and eventually FW control valve B should control loop B FW flow to setpoint.

TAVG will fall and the control rods will pull to increase reactor power. The FW flow imbalance between loops A and B will cause a negative delta-Tc error. The delta-Tc control will start to decrease the FW demand in loop A and increase the FW demand in loop B. This transient may result in a reactor trip caused by low RC pressure or the trip of the FW pumps caused by a high level in steam generator A.

e. Main FW flow signal fails at a level between 0 and demand. Transient proceeds as in (d) but less severe.

f. This transient is initiated by the startup level signal in loop A failing low. As a result of this, loop A FW valve opens fully and the FW pumps speed up in an attempt to restore the level in SG-A. In order to control loop B flow, loop B FW valve closes. Neither cross limits nor Btu limits are expected during this initial portion of the transient. Because of excessive FW flow, the primary system may be rapidly overcooled. A reactor trip may occur, probably due to low RC pressure. Also, a high SG level FW pump trip may occur to prevent SG overfill (expected to occur in SG-A). A turbine trip would immediately follow the reactor trip. Because of excessive FW flow, steam pressure should be running high, and operation of steam relief as well as turbine bypass is expected to occur at moderate to high power levels. If the reactor trip occurs before the high steam generator level is reached, there is the potential for continued overcooling of the primary due to the open relief valves and the failed level measurement causing the continuing supply of feedwater to SG-A. Popping of the relief valves would cause rapid loss of steam pressure and high flows to be drawn from the steam generators. A possible loss of pressurizer inventory along with initiation of HPI may occur. Following the turbine trip, the steam source for the FW pump turbines switches from the low pressure to the high pressure steam supply. Without the high trip SG-A should overfill.

g. This transient is initiated when one of the reactor hot leg temperature measurements fails high. Let

TAVG = reactor average temperature measurement
THi = hot leg temperature measurement, i = A, B
TCi = cold leg temperature measurement, i = A, B.

There are 3 methods of determining TAVG: namely,

1. $T_{AVG} = \dfrac{T_{HA} + T_{HB} + T_{CA} + T_{CB}}{4}$

2. $T_{AVG} = \dfrac{T_{HA} + T_{CA}}{2}$

3. $T_{AVG} = \dfrac{T_{HB} + T_{CB}}{2}$

For a failure of THA high, method 3 above will give the least error in the calculation of TAVG, and method 2 will give the greatest error.

Two cases will be considered. The first case will consider complete automatic operation of the ICS. In the second case, the reactor H/A (i.e., Hand/Auto) station is in manual with all other H/A stations in automatic. In both cases, a failure of THA will cause TAVG to be computed erroneously high. Hence, the TAVG error in the ICS, given by

Error (TAVG) = Setpoint - TAVG

will be negative.

With the ICS in complete automatic, the TAVG error signal modifies the reactor demand. A negative TAVG error will cause the control rods to insert. If the TAVG error is large enough it can cause the feedwater flow demand to be modified through the cross limits from neutron error to feedwater control. A sufficiently negative TAVG error will cause the feedwater demand to be increased. Hence, with the power generation of the reactor decreasing and the feedwater flow increasing, this transient is in the direction of a steam generator overfill.

With the reactor H/A station in manual and all other H/A stations in automatic, the TAVG error signal modifies the total feedwater demand through a proportional/integral controller. A step increase in the TAVG signal, such as would be caused by THA failing high, has the potential for driving this control loop unstable. The negative TAVG error signal would initially cause the feedwater demand to increase rapidly while the reactor demand remains constant. Again, this transient is in the direction of a steam generator overfill.

h. This transient is initiated by the reactor inlet temperature in loop A failing low. Proportional control action in the delta-Tc control will immediately cause the flow demand in loop A to decrease and the flow demand in loop B to increase. This proportional control action is limited to 5%. Integral action in the delta-Tc control will eventually cause the variable gain multiplier in the flow ratioing circuit to be decreased by an additional 20%. Hence, because of the delta-Tc control, the flow demand for loop A flow equals (100% - 5% - 20%) times the total flow demand. The flow demand for loop B flow then equals 200% - (100% - 5% - 20%) times the total flow demand. Therefore, the flow demand in loop A is reduced by 25% and the flow demand in loop B is increased by 25% on account of delta-Tc control. The low failure of the reactor inlet temperature in loop A will also cause an error in the calculation of TAVG. There are three methods of determining TAVG. They are

1. $T_{AVG} = \dfrac{T_{HA} + T_{HB} + T_{CA} + T_{CB}}{4}$

2. $T_{AVG} = \dfrac{T_{HA} + T_{CA}}{2}$

3. $T_{AVG} = \dfrac{T_{HB} + T_{CB}}{2}$

For a failure of TCA low, method (3) will result in no error and method (2) will result in the greatest error in the calculation of TAVG. It will be assumed that either method (1) or (2) is being used to calculate TAVG. For TCA failing low, TAVG will be calculated low. This will cause the reactor power to be increased. Also, the low TAVG will, through the reactor cross limits to the FW system, cause the total FW demand to be lowered. Hence, the reactor power increases; the TAVG control causes the FW flow to SG-B to decrease, and the delta-Tc control causes the FW flow to SG-B to increase. Whether or not SG-B will have excessive FW flow is not clear.

i. The reactor inlet temperature loop A-B difference delta-Tc fails high. A high failure of delta-Tc conveys the false information that on the primary side, the temperature of cold leg A is higher than cold leg B. The delta-Tc error is apportioned in equal magnitude but opposite sign to the loop A and loop B flow demands. However, the change in demand in each loop is limited to 25% of the total flow demand.

If the initial unit load is high enough, the Btu limits will be activated and limit the increased FW flow in loop A. This will cause a net reduction of the total FW flow, and an increase in TAVG. The control rods will insert, reducing reactor power, to try to control TAVG back to setpoint. A reactor trip on high RC pressure is possible. If the plant is not at high load so that the Btu limits are not activated, then the unit will probably settle out at a new steady state with a cold leg temperature imbalance. Hence, for a high failure of delta-Tc, steam generator A will be overfed and steam generator B will be underfed.

j. The reactor average temperature, TAVG, fails high. The high failure is assumed to be due to one of the following three failures:

1. Failure of the hot leg temperature measurement in primary side loop A (i.e., THA)
2. Failure of the cold leg temperature measurement in primary side loop A (i.e., TCA)
3. A high failure of TAVG for some reason other than (1) or (2).

Each of the three failures will be considered separately. Also, it is assumed that TAVG is calculated by (see scenario g):

$T_{AVG} = \dfrac{T_{HA} + T_{CA}}{2}$

for this results in the largest error in TAVG for the assumed failures.

If TAVG fails high because THA fails high then scenario g applies. In this case, the high THA (assuming THA is the outlet temperature selected by the operator) will increase the allowable maximum FW flow demands calculated by the Btu limits. If TAVG is determined to be too high for some other reason there should be no effect on the Btu limits.

If TAVG fails high as a result of TCA failing high, then scenario g must be modified to account for the effects of the delta-Tc control loop. With delta-Tc control coming into play, the steam generator overfeed will not be symmetric as considered in scenario g. Instead, because delta-Tc control reratios the FW flows, overfeed of steam generator A will be greater than of steam generator B. Hence, with a high failure of TCA, the overfeed of steam generator A should be worse than that considered in scenario g.

If a high failure of TAVG occurs for some reason other than a high failure of THA or TCA, then scenario g will again apply except for the above-mentioned effect on the Btu limits.

With all three failure modes resulting in high failure of TAVG, the steam generators are overfed. In every case there is the possibility that the reactor may trip on low RC pressure or the FW pumps may be tripped on high steam generator level.

k. The neutron flux density reading fails high. The control rods will begin to insert continuously in trying to reduce the failed neutron flux density reading. The lower the unit load, the larger the neutron error will be. Through the cross limits, the large neutron error calls for an increase in the FW flow. Both steam generators are overfed and the primary is overcooled. The Btu limits will probably be activated and will limit the maximum feedwater flow demands. The cross limits will cause the unit to go into the track mode, and because of the increased FW flow and steam pressure, the unit megawatt electric demand will track up. A reactor trip on low pressure is highly probable.

Following the reactor trip, the turbine will trip and the megawatt electric generation will go to zero. The unit is still in the track mode at this time, and the feedwater demand from the integrated master goes to zero. However, following the reactor trip, the cross limits from reactor control to feedwater control increase, calling for feedwater flow close to 100%. Hence, the Btu limits, and not the feedforward signal from the integrated master, must be relied upon to run the FW system back.

l. When the loop A startup FW control valve becomes less than 50% open, the loop A startup FW control valve position signal fails to indicate that the valve is less than 50% open. Hence, the main feedwater blocking valve in loop A does not receive a signal to close.

The leakage through loop A main FW control valve, if excessive, may cause steam generator A to be overfed. Also, since the main feedwater blocking valve in loop A does not close, the flow measurement used in feedwater control is not switched from the main FW flow measurement, which is highly inaccurate at such low flows, to the startup FW flow measurement. Thus, control will not be as smooth as normal. If the leakage through the main FW control valve is large enough, the startup FW valve may close completely while steam generator A continues to be overfed from the leakage. This condition would probably result in a steam generator high level trip of the FW pumps.

m. The MFW blocking valve in loop A is open, but its position indicator fails in the closed position. This causes the ICS to take flow measurements from the startup line. If the reactor is at high power, a flow demand signal is sent, causing an increase in flow in both loops. Cross limits cause rod insertion signals. The Btu limit may be actuated. The SGs are overfed. The reactor may trip on low pressure.

n. The speed governor on FW pump A fails high. This will cause FW pump A to go to its high-speed stop and the feedwater flow to the steam generators to increase. Flow control will cause the feedwater control valves to close to control the feedwater flows back to setpoint. As the control valves close, delta-P control will cause the speed of feedwater pump B to decrease. Concerning the operation of pump B during this transient, three conditions may occur. The plant may settle out with pump B at a reduced speed with both pumps supplying flow to the steam generators, or the plant may settle out with the check valve in series with pump B closed and pump B supplying no flow to the steam generators; finally, pump B may end up operating in an oscillatory mode, with the check valve cycling open and closed. In any event, pump A will be at its high-speed stop. Also, a delta-P higher than setpoint may exist across the control valves following the transient. Some overfeed of the steam generators will occur, but a reactor trip is not anticipated.

o. The MFW control valve in loop A fails open. (This transient will be more serious if it is initiated well below full power, say at 25%.) The flow in A increases with the valve full open. The low delta-P signal across control valve A leads to pump speed up. The delta-Tc error will attempt to reduce flow in A and increase flow in B. The total flow demand error will attempt to reduce flow in both A and B. Because of the valve failure, loop A is not affected by these signals.

On account of the substantial increase in total flow (resulting from the loop A failure) the total flow demand error should dominate the delta-Tc error signal in loop B, either immediately or very quickly, and continue to do so. SG-A therefore fills while SG-B empties. If SG-B level drops to low level indication before high level pump trip occurs in SG-A, the low level signals in SG-B will override and prevent the level from falling further. Hence, the low level signal in B along with the total flow demand error signal should between them keep the level in SG-B at about the low level indicator until the pumps are tripped.

The MFW pumps should trip on a high level signal in SG-A.

p. The loop A feedwater startup valve fails open. There would be no effect during operation at power, and probably the failure would not be detected. However, during plant shutdown the excessive flow in loop A would prevent the steam generators from going on low level control. Appropriate manual control actions could be used to shut the plant down safely.

Following a reactor trip, this failure would result in overfeed of steam generator A if proper manual control actions are not taken. When the reactor trips, the turbine also trips; the steam system goes on bypass control; the feedwater flow demand runs back to low value, and the steam generators are supposed to go on low level control. With the startup valve in loop A failed wide open, steam generator A will be overfed. Without manual control intervention, feedwater pump trip on high level in steam generator A is likely. Simulation of failure with reactor trip is needed.

q. The control system summer which sums the startup level and turbine header pressure signal fails, giving low indication. This failure is equivalent to the corresponding failure in any of the component signals and causes increased flow to the SG. The high level FW pump trip occurs at high level indication.
r. A sufficient leak in selected SG pressure tap A (A') or in the pipe connecting it to blocking valves, or in the packing of either blocking valve on which the pipe terminates, will cause a low level signal and an overriding demand for feedwater. The SG will fill to the high level pump trip level, 394 in., and cause trip of the MFW pumps.

The AFW will come on, and, with the low level signal still present and no high level constraints, the AFW will continue the overfeed, causing SG overfill. Consult Sect. 2.2.2.

s. Failure of the MWe demand signal high will lead to demand for more FW flow and more reactor power. The FW demand/response is much faster than the core power demand/response. However, cross limits would be activated and limit the rate of increase of feedwater flow. Hence, the feedwater system response would be approximately coordinated with that of the reactor. That is, if the system energy balance is taken into account the feedwater system should run just slightly ahead of the reactor. The cross limits should hold the feedwater system back. Some steam generator overfeed should result, but it should not be severe.
t. Under normal conditions the turbine header pressure error signal compensates the startup level measurement. It is first put through a hard limiter to limit its effect on the level indication to not more than 8 in. However, a failure of the hard limiter signal could negate the limiting effect. This error is then potentially equivalent to sequence f.

u. Both high and low failures of the RC flow measurement in loop A will be considered. Consider first a high failure. The reactor coolant flow imbalance feedwater ratioing circuit will immediately reratio the feedwater flows. The feedwater flow in loop A will be increased and the feedwater flow in loop B will be decreased. This will lead to overfeed of steam generator A and underfeed of steam generator B. After a short time lag, the delta-Tc control will decrease the feedwater flow in loop A and increase the feedwater flow in loop B, thus providing some compensation for the original failure. Whether or not a reactor trip will occur during the course of events is uncertain.

Next consider the RC flow measurement in loop A falsely indicating zero flow. The low failure has a much larger effect than the high failure because there is more room on the low side than on the high side of the RC flow measurement range. A front end runback to a lower load level will immediately be implemented in the unit load demand load limit circuitry. Again, the reactor coolant flow imbalance feedwater ratioing circuit will immediately reratio the feedwater loop flows. However, in this case the reratioing will be in the opposite direction and much larger. The feedwater flow in loop A should be decreased to the point that steam generator A goes on low level control. In loop B, the Btu limits should be activated and thus restrain the increase in feedwater flow. Hence, in this case, overfeed of steam generator B and underfeed of steam generator A occur.

When loop B goes on Btu limits, cross limits to the reactor will reduce reactor power, and the unit will also go into the track mode. During the initial phase of this transient, there is a net reduction in feedwater flow when steam generator B goes on Btu limits, and a reactor trip on high RC pressure is probable. Simulation, especially initialized at high load, is needed.

v. Failure in the open position of the atmospheric dump, turbine bypass, or any safety valve in the main steam line will cause an increase in the pressure drop across the steam generator and an initial increase in feed of the SG. This event is bounded by the small break in the main steam line.

w. The low level setpoint fails, giving a reading at its highest level. This failure is functionally equivalent to r.

4.3 SIMULATION RECOMMENDATIONS

The criteria which we follow in recommending that sequences be simulated are as follows:

a. The scenario is sufficiently complex that we cannot be sure our speculations as to its course are correct both in magnitude and in sequence of events. These uncertainties are especially pronounced in those events where compensatory ICS action is initiated.

b. Primary side effects cannot be quantitatively evaluated without simulation. If primary side effects seem significant, simulation is indicated.

c. If there are strong arguments that the event is insignificant it need not be simulated.

d. If there are strong arguments that the event is bounded by another, and if simulation shows the bounding event is not significant, the bounded event need not be simulated. This would be a special case of c. However, if the bounding event proves significant, the bounded event should then be simulated.

e. An event sufficiently similar to a simulated event need not be simulated.

With these criteria, our recommendations for simulation at present are as follows.

(1) Any one Type C (Sect. 4.1) event.

(2) Any one Type A or B (Sect. 4.1) event followed by any one Type C event while the A/B is still undetected.

(3) The single Type F (Sect. 4.1) event.

(4) We cannot eliminate from consideration at this time any of the following: Sect. 4.2 c, d, g, i, j, k, m, u. All of these are Type D (Sect. 4.1). We expect that exploratory calculations will permit us to eliminate a number of them on the basis of similarity or bounding.

(5) We recommend no Type E (Sect. 4.1) simulations at this time in anticipation that a number of them will be shown to be bounded and/or insignificant.

5. POSSIBLE CONSEQUENCES OF STEAM GENERATOR OVERFILL

Steam generator overfill can produce both primary side and secondary side effects which may have safety consequences for the plant. Secondary side effects may indirectly produce significant primary side effects.

5.1 DIRECT PRIMARY SIDE EFFECTS

Overfilling of the steam generator will produce overcooling of the primary coolant. This, in turn, can in some instances produce one or more of the following results:

a. density increase and liquid phase shrinkage with attendant increase in reactor coolant pressure
b. pressurizer dryout
c. steam in primary flow passages with possible blockage of flow
d. possible loss of natural circulation
e. possible reactivity insertion from high density moderation

5.2 POSSIBLE SECONDARY SIDE DAMAGE

Overfill of the steam generator to the point where liquid water enters the main steam line may cause damage on the secondary side. In Sect. 4.1 we have classified, in various ways, control system failures that can lead to steam generator overfill. One way was according to the rate at which the overfill occurred. Overfills brought on by Type E and F failures (Sect. 4.1) are expected to occur rather slowly: E because the MFW pumps and control valve are not wide open, and F because the final overfill mechanism is the AFW. Type C overfills would involve control valves fully open, or nearly so, and MFW pumps operating at high speed. These would be rapid overfills. Type D events are not yet sufficiently analyzed and may prove to produce overfills of either kind.

The rapid overfill appears more threatening for two reasons. First, it permits minimal time for effective recognition and countermeasures. Second, it injects water into the main steam line at maximum speed and therefore with the maximum kinetic energy/momentum that the MFW pumps are able to provide, only minimally dissipated in the open control valve.

All references we have found relating to the ability of a B&W main steam line to withstand stresses from liquid water deal only with the static load of the water, that is, motionless water, zero energy/momentum (Refs. 3-5). There appear to have been no tests made of the ability of these lines to bear the dynamic stresses associated with the influx of water of high energy/momentum such as might come from a Type C failure. (In fact, there appear to be no tests to show whether the dynamic stresses from a Type E or F failure could be borne.) Under the circumstances, it would not be prudent to assume that the probability of main steam line rupture in that dynamically stressful environment is negligible.

The possible results of such a rupture should be considered.

Main steam line rupture is one of the accidents analyzed in the Oconee-1 FSAR. We are particularly interested here in the effect such a rupture can have on the steam generator tubes. The tubes are subject to considerable wear and damage during normal operation. There are approximately 16,000 of them in an Oconee-1 steam generator. Oconee has experienced a number of observed tube leaks, and a number of tubes have been plugged as a precautionary measure during maintenance on account of observed wear. Appendix B summarizes references to a number of SG tube problems which have occurred at Oconee.

During normal operation the tubes and the massive supporting tube sheets are at elevated temperatures, and, consequently, in a thermally expanded state. If now the tubes are suddenly cooled more rapidly than the supporting tube sheets, the tubes, in attempting to contract, are placed under tensile stress. A main steam line break causes the water in the SG to flash, suddenly cooling the tubes. The water is in more contact with the tubes than with the tube sheets. Further, the tube sheets, being massive, would have longer thermal time characteristics and would cool more slowly. All the tubes in the SG are simultaneously subject to the added thermal stress. It is apparent that for large stresses in these circumstances multiple tube ruptures could occur.

The Oconee-1 FSAR examines this effect (on SG tubes) in its main steam line break analysis (Sect. 15.13.5, Oconee 1, FSAR). In that section the additional stress (maximum) on SG tubes due to the flashing of the water in the SG when the steam line break occurs is given as 39 ksi. That is compared with 42 ksi, said to be the "maximum allowable stress" but otherwise undefined. This analysis initiated the steam line break with the steam generator less than two-thirds full of water. Apparently no account was taken of the severe vibrational stresses that would be experienced during the blowdown of the secondary side through the ruptured steam line.

In the scenario proposed here a steam generator fills with high energy/momentum content water; the water enters the steam line producing dynamic stresses that lead to rupture of the line. Hence, the steam line break occurs with a full SG, 50% more water content than in the case computed in the Oconee-1 FSAR. With that much additional water flashing in the steam generator there should be substantially more steam generator tube cooling and substantially more resultant thermal stress. These additional thermal stresses and the vibrational stresses of blowdown, when considered in analysis, may show that there is sufficient additional stress present to cause multiple tube rupture in the steam generator.

Multiple tube rupture taken together with main steam line rupture provides a leakage path through and out of the secondary system for radioactive materials contained in the primary fluid (Refs. 6-10).

6. TENTATIVE CONCLUSIONS

This study has not proceeded to a point where serious system inadequacies have been demonstrated. In the course of this study, however, we have, we believe, uncovered some potential concerns, in particular, control system failure that might lead to the failure sequence discussed in Section 5. We have made no assessment of the probability of occurrence of any of these things. Therefore, it would be premature to suggest that any corrective measures are required. We have noted some places where improvements might be made if it is found they are desirable. We present them here for consideration.

a. The high level MFW pump trip originating in each steam generator is of primary importance in preventing steam generator overfill. We have already noted that contacts 2A and 3A in Figure 4 are in series as are contacts 2B and 3B. Revising these circuits to parallel configuration would afford important redundancy to this circuit.

b. Also in Figure 4, functional replication in parallel of the FPTX solenoid/contact would provide additional important redundancy.

Both a and b would, of course, increase the likelihood of spurious pump trips.

c. We have observed that pressure taps and some connecting equipment are shared in common by the MFW and the AFW. It may be useful to examine the desirability of modifying the gang selection switching so that when the operator selects A-B-D (Figure 3) for MFW, A'-B'-D' is selected for AFW.

d. The plant computer could be programmed to track both sets of signals in c for consistency and to provide appropriate alarms when an inconsistency is noted.

e. The full range steam generator level sensor, which makes use of information from tap E, Figure 3, is the only sensor providing level information once the SG water level exceeds the high level pump trip height (level D, D' in Figure 3). This information does not go to the control system, but it is available to the operator. It is apparently not explicitly referenced in the procedures governing steam generator overfills. An explicit reference might be useful.
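The trade-off stated under a and b, worked through as an added example that is not part of the report: for a close-to-trip string, n contacts in series act as n-out-of-n logic and n contacts in parallel as 1-out-of-n, and the function below generalizes to any k-out-of-n. The close-to-trip reading of Figure 4, the per-contact probabilities, the independence assumption and the common-cause fraction `beta` are assumptions made for illustration; the report gives no failure data.

```python
from math import comb


def at_least(k, n, p):
    """Probability that at least k of n independent events occur, each with probability p."""
    return sum(comb(n, j) * p**j * (1.0 - p) ** (n - j) for j in range(k, n + 1))


def trip_string(k, n, q_fail, s_spur, beta=0.0):
    """Missed-trip and spurious-trip probabilities for k-out-of-n close-to-trip logic.

    n contacts in series   -> k = n (all must close to trip)
    n contacts in parallel -> k = 1 (any one closing trips)
    q_fail: per-contact probability of failing to close on a real demand (assumed)
    s_spur: per-contact probability of closing with no demand (assumed)
    beta:   fraction of q_fail common to all contacts, e.g. a shared sensing
            line (beta-factor model; an assumption, not report data)
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    q_common = beta * q_fail           # one cause that fails every contact at once
    q_indep = (1.0 - beta) * q_fail    # failures that hit a single contact
    # The trip is missed if the common cause strikes, or if fewer than k
    # contacts close on their own.
    missed_indep = 1.0 - at_least(k, n, 1.0 - q_indep)
    missed = q_common + (1.0 - q_common) * missed_indep
    spurious = at_least(k, n, s_spur)
    return {"missed_trip": missed, "spurious_trip": spurious}


# Constructed per-contact values, for illustration only.
Q_FAIL, S_SPUR = 1e-2, 1e-3


def compare(beta=0.0):
    """Series pair (as the report describes 2A-3A) versus the proposed parallel pair."""
    return {
        "series": trip_string(2, 2, Q_FAIL, S_SPUR, beta),
        "parallel": trip_string(1, 2, Q_FAIL, S_SPUR, beta),
    }


if __name__ == "__main__":
    for beta in (0.0, 0.1):
        for name, r in compare(beta).items():
            print(f"beta={beta:.1f} {name:8s} missed={r['missed_trip']:.2e} "
                  f"spurious={r['spurious_trip']:.2e}")
```

With these constructed numbers the parallel pair misses far fewer demands than the series pair but trips spuriously far more often, and a common cause shared by both contacts sets a floor that paralleling cannot remove.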
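Recommendation d, and the tap-leak sequence r of Sect. 4.2 that motivates it, sketched as an added example that is not the plant computer's code: two level channels fed from separate tap sets, as c proposes, are compared against a tolerance with a persistence count. The channel names, the 10 in. tolerance, the 3-sample persistence and the readings are constructed; only the 394 in. pump trip level comes from the report.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

HIGH_LEVEL_TRIP_IN = 394.0  # high level MFW pump trip level quoted in the report


@dataclass
class Alarm:
    index: int   # sample index at which the alarm latched
    kind: str    # "INCONSISTENT" or "BAD_SIGNAL"
    detail: str


def cross_check(mfw_ch: Sequence[Optional[float]],
                afw_ch: Sequence[Optional[float]],
                tol_in: float = 10.0,
                persist: int = 3) -> List[Alarm]:
    """Compare two level channels (inches) sample by sample.

    mfw_ch: level from the tap set selected for MFW (hypothetical name)
    afw_ch: level from the other tap set, selected for AFW (hypothetical name)
    A mismatch or a missing reading must persist for `persist` consecutive
    samples before an alarm latches, so a single noisy sample is ignored.
    """
    alarms: List[Alarm] = []
    mismatch = missing = 0
    for i, (m, a) in enumerate(zip(mfw_ch, afw_ch)):
        if m is None or a is None:
            # A lost signal is reported on its own and does not clear a
            # mismatch count that is already building.
            missing += 1
            if missing == persist:
                lost = [n for n, v in (("MFW", m), ("AFW", a)) if v is None]
                alarms.append(Alarm(i, "BAD_SIGNAL",
                                    "no valid reading on: " + ", ".join(lost)))
            continue
        missing = 0
        if abs(m - a) > tol_in:
            mismatch += 1
            if mismatch == persist:  # latch once per excursion
                low = "MFW" if m < a else "AFW"
                alarms.append(Alarm(
                    i, "INCONSISTENT",
                    f"{low} channel reads {abs(m - a):.0f} in. below the other"))
        else:
            mismatch = 0
    return alarms


# Constructed readings, one per scan. From sample 4 the MFW-selected tap leaks:
# its indicated level falls while the level seen through the other tap set
# rises under the resulting feedwater demand. Sample 2 is a one-scan glitch.
MFW_CH = [200.0, 200.0, 201.0, 200.0, 190.0, 178.0, 165.0, 150.0, 150.0]
AFW_CH = [200.0, 200.0, 215.0, 200.0, 204.0, 210.0, 218.0, 228.0, 240.0]

if __name__ == "__main__":
    for alarm in cross_check(MFW_CH, AFW_CH):
        print(alarm, "| other channel at", AFW_CH[alarm.index], "in.")
```

In the constructed run the alarm latches at sample 6, with the healthy channel at 218 in., well below the 394 in. pump trip level. With shared taps both channels would read the same false low and no comparison could reveal it.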


REFERENCES

1. Delta-P Transmitter, For Nuclear Service, Product Instruction, E21-20, Bailey Meter Co.

2. R. W. Ensinna, R. W. Winks, S. D. Swartzell, R. P. Broadwater, M. S. Kai, and W. E. Wilson, "Failure Modes and Effects Analysis of the Midland NNI and ICS," Babcock & Wilcox Co. Report BAW 1743 (July 1982).

3. NRC Memo, Richard H. Vollmer to Thomas Novak, "Power Reactor Events - Steam Generator Overfill," May 13, 1981.

4. Letter, K. S. Canady, Duke Power Co., to A. L. Lotts, Oak Ridge National Laboratory, August 31, 1983.

5. B&W Owners Group, "Probabilistic Evaluation of Pressurized Thermal Shock, Phase 1 Report," Babcock & Wilcox Co. Report BAW 1791, pp. 6-48, June 1983.

6. "NRC Report on the January 25, 1982, Steam Generator Tube Rupture at R. E. Ginna Nuclear Power Plant," NRC Report NUREG-0909, April 1982.

7. L. B. Marsh, "Evaluation of Steam Generator Tube Rupture Events," NRC Report NUREG-0651, March 1980.

8. Preliminary Notification of Event PNO-V-82-45A, November 15, 1982, San Onofre Unit 2, Excessive Cooldown Transient and Automatic Initiation of Safety Injection.

9. C. Michelson, "Case Study of the Abnormal Transient Operating Guidelines (ATOG) as Applied to the April 1981, Overfill Event at Arkansas Nuclear One, Unit 1," NRC Memorandum, August 30, 1982.

10. C. S. Davis, J. M. Thomas, S. W. Winder, D. E. Allison, "Engineering and Probabilistic Analysis of Tube Cracking Performance in Once Through Steam Generators," Electric Power Research Institute Report EPRI-3065, Vol 1, July 1983.


Appendix A - Information Sources

This program has the major aim of identifying control system malfunctions which might significantly impact safety systems and lead to a serious transient, or which might cause a transient for which there has been inadequate provision in the safety systems. With such a mission it is clear that our major sources of information would, of necessity, be design and procedural data.

In fact, this has proved to be the case. Documentation that has been of "mainstream" use to us has included the following:

Duke Power Company Oconee Nuclear Station Final Safety Analysis Report
Oconee Nuclear Station P&IDs
Bailey Instruction Book, Duke Power Company Oconee Nuclear Plant, Unit No. 1, Manual IC/NNI System, Vol. 4
Oconee Nuclear Plant No. 1 Integrated Control System Reliability Analysis, prepared for NRC by B&W
Abnormal Transient Operating Guidelines, Duke Power, BWNP-20807, Babcock and Wilcox
Control of a Nuclear Power Plant with Once Through Steam Generator, ASME, 80-WA/DSC-24, L. L. Joyner, R. P. Broadwater
Oconee Units 1, 2, and 3 Training Manual

In addition, there have been numerous conversations with former employees of B&W and of Duke Power. Particularly in the early phases of the program there has also been much examination of "loose" copies of circuits, sometimes poorly identified as to source.

We have made a number of searches of the licensee event report (LER) literature covering the period 1973-1983. LERs have not provided one of the more useful primary sources for this report. There are several reasons for this:

1. As noted above, design and procedure are the major areas investigated for failure in this work. LERs deal very little with these two topics.

2. Steam generator overfill as such has not been a required LER reportable event. Hence, not only when they occur alone may such events go unreported, but also when they occur in conjunction with other reportable events the steam generator overfill aspect may be neglected. In those cases where we have found it reported, its extent and consequences are not detailed.

3. LERs are written with a brevity that tends to render their descriptions of events too incomplete for a study of this kind.

On account of the above considerations, item 2 in particular, retrieval of useful steam generator overfill information from the LER data base has not been especially productive. Searches on various steam generator-related conditions for the period 1973-1983 produced 70 LER references, of which 21 were found to be related to performance of once-through steam generators. The LERs did not produce any failure modes in addition to those deduced from study of design and procedure documents. They confirmed experience with certain kinds of failure. Their usefulness to this project probably will lie in their provision of counts of certain kinds of failures for aid in quantification.

Since SG overfill has not of itself constituted a requirement for submission of an LER in the past, we have no assured method of identifying all or most such events which have occurred. A number of LER searches along with resort to secondary sources disclosed 21 cases of SG overfill of some kind in once-through steam generators. We have identified only three events where water definitely entered the main steam line: San Onofre 11/9/82, Ginna 1/25/82, and Arkansas Nuclear One 4/8/81. Of these, only the last involved a once-through SG. In none of these cases was there any reported damage to steam line or to supports as a result of the influx of water. (However, operation of a safety valve was compromised in the Ginna case.) On the other hand, conversations with workers in the field suggest to us that there may have been a number of additional SG overfill events not documented in the available literature.

Various secondary sources, some of them heavily based on LERs, have been useful. These are reports of NRC and NRC contractors which clarify, and to some extent quantify, various kinds of failures or which make in-depth studies of particular failures which have occurred.

Prominent among these are:

NUREG/CR-2497, Precursors to Potential Severe Core Accidents
Summary of Event Tree Development, Branch Probability Estimation and Sequence Qualification for the Oconee Pressurized Thermal Shock Evaluation, SAI
NUREG-0651, Evaluation of Steam Generator Tube Rupture Events
Case Study of the Abnormal Transient Operating Guidelines as Applied to the April 1981 Overfill Event at Arkansas Nuclear One, USNRC, August 30, 1982.
Current Events Power Reactors, USNRC, 1 March-30 April 1978, Loss of Non-Nuclear Instruments (Rancho Seco).

Also of considerable use have been:

BAW 1743, Failure Modes and Effect Analysis of Midland NNI and ICS
Control of a Nuclear Power Plant with Once Through Steam Generator, ASME 1980.

Appendix B - SG Tube Leak Problems at Oconee-1

DATE/LER   SG   No. of Tubes   Remark

3/6/82 LER   1B   1   0.08-gpm leak
2/9/82 LER   1A   1   0.11-gpm leak
5/29/80 NSIC 00ZO158256   Deficiency in FSAR analysis of tube rupture
7/23/79 LER   1B   1   0.3-gpm leak
10/12/78 LER   Tubes misplugged
4/20/78 LER   4   Leak observed
1977 NSIC 00ZO128689   Status report on tube
5/7/77 LER   1B   2   Leak observed
3/27/77 LER   1-6   Leak observed
2/28/77   1-6   Leaks observed
12/22/76 LER   1B   1-3   Leak observed
1976 NSIC 00ZO120234   1A   2   Leak observed

Appendix C - Review of Draft by Duke Power Company

An earlier draft version of this report was sent to the licensee, Duke Power Co., for their comments. We found the licensee's response very useful. A number of misconceptions were corrected. We are grateful for the obviously substantial effort expended by the licensee and have made use of the material supplied.

This report has been substantially revised since the early draft was reviewed by the licensee. The principal thrust of the revision was to conform with an NRC request for greater emphasis on sequences arising when an additional failure occurs with the system in an undetected failed state. The revisions have been so extensive that it is not possible to make a section-by-section correspondence between the revised draft and the review letter. A number of comments in the review have been rendered moot by the revision. In keeping with current NRC policy, we reproduce here those parts of the licensee's response which have resulted in changes to the report.

Other comments made by the licensee, noted, but not incorporated in the report, included matters where different judgments were possible, situations with multiple possible outcomes dependent upon initial conditions, references to calculations or data not available to us, and comments on the proper limits of the study.

Specific comments referenced by page and paragraph follow.

Page/ Scenario Comments 7/2 The statement " total flow control on large feedwater error" is incorrect. It should read

" total feedwater flow control on a large reactor coolant flow error."

13/3 The total flow control circuit 'comes into play when reactor coolant (RC) flow error becomes greater than 10%, provided that: 1) both RC pumps on a steam generator are not tripped; 2) one steam generator is not on low level control

- and the other is; and 3) the steam generator not on low level control is under automatic control.

15/2, 3 Auxiliary feedwater control is part of the safety grade AFW system and independent of the ICS. Below is a description of the AFW control system:

l l

41 i

i,

, o -

r -

~.. -

4 42 Page/ Scenario Comments The AFW level control. system consists of two

  • Rosemount #1152DP differential pressure transmitters connected to the 0 in. and 388 in.

taps of each OTSG, a two-bay Westinghouse'7300 series control cabinet per unit, and interfaces with pneumatic control valves FDW-315 and FDW-316.

The system.is designed to provide automatic OTSG water level. control while the emergency feedwater pumps are supplying water to the OTSGs. Two setpoints are provided: (a) a setpoint corresponding to 25 in. of level in the OTSG, which is used after the reactor has tripped and reactor coolant pumps continue to operate and (b) a setpoint corresponding to 240 in. of level in.the OTSG, which is automatically engaged when the RCP power monitoring system detects that all four RCPs have tripped in order y that natural circulation can be established. ,

Each OTSG is provided with two independent control systems, each of which consists of a level transmitter, controller, control system power supply, and E/P converter to supply a signal to that OTSGs emergency level control valve.

16-20/ Sect. 4 One'of the concerns listed was steam in primary flow passages with possible partial choking of flow. Considering the large pipe areas and low pressure differentials in the RCS, there is no possibility for choked flow to occur.

17, 18 Only two of the plant events discussed were caused by control system failures.

21/(1.) The statement about the total feedwater flow controller is in error and should be deleted from this section. It does not affect the course of the event.

The action of the Btu limits and cross limits should be accounted for. Their effect is to limit allowed feedwater demand.

23/(5.) There is no feedwater flow "setpoint."

24/(6.) Neither sequence of events showed a tendency toward steam generator overfill; overfeeding is limited.

24/(7.) Delta-Tc control is blocked when either steam generator is on low level control.

27/(8.) The control loop for Tavg control to feedwater has exhibited sluggish control in that it can be slow to respond and may subsequently overcorrect. However, it is not unstable in the sense of increasingly wider swings. It has exhibited poor tuning, not "stability problems."

29/(9.) The Delta-Tc circuit may be blocked if one steam generator goes on level control.

29/(10.) The statement about the total flow control circuit is in error and should be deleted.

33/(15.) The frequency error modification to the ULD circuit is not in use at Oconee, and is physically disconnected.

34/(17.) The reference to the total flow controller is in error and should be deleted.

36/(18.) In the absence of manual action, the high level pump trip will prevent overfill.

NUREG/CR-3692
ORNL/TM-9061
NRC Dist. Category R1, R4, RG

INTERNAL DISTRIBUTION

1-5. N. E. Clapp
6-10. F. H. Clark
11. B. G. Eads
12. D. M. Eissenberg
13. A. P. Malinauskas
14. F. R. Mynatt
15. L. C. Oakes
16-25. R. S. Stone
26. J. D. White
27. M. J. Kopp (Advisory Comm.)
28. P. F. McCrea (Advisory Comm.)
29. P. W. Murrill (Advisory Comm.)
30. H. M. Paynter (Advisory Comm.)
31. H. E. Trammell (Advisory Comm.)
32. ORNL Patent Office
33-34. Central Research Library
35. Y-12 Document Reference Section
36-37. Laboratory Records Department
38. Laboratory Records (RC)
39. I&C Publications Office

EXTERNAL DISTRIBUTION

40. Assistant Manager for Energy Research and Development, DOE-ORO, Oak Ridge, TN 37831
41-90. D. L. Basdekas, NRC Project Manager
91-95. R. P. Broadwater, Tennessee Technical University, Cookeville, TN 38501
96. A. F. McBride, Science Applications, Inc., 800 Oak Ridge Turnpike, Oak Ridge, TN 37830
97-98. Technical Information Center, DOE, Oak Ridge, TN 37831
99-533. Given distribution as shown in NUREG-0550/Rev. 2, NRC Categories for Water Reactor Safety Research: R1 Basic, R4 Analysis Development, and RG Systems and Reliability Reports

NRC FORM 335, U.S. NUCLEAR REGULATORY COMMISSION

BIBLIOGRAPHIC DATA SHEET

1. REPORT NUMBER: NUREG/CR-3692, ORNL/TM-9061

4. TITLE AND SUBTITLE: Possible Modes of Steam Generator Overfill Resulting from Control System Malfunctions at the Oconee-1 Nuclear Plant

7. AUTHOR(S): F. H. Clark, N. Clapp, R. Broadwater

5. DATE REPORT COMPLETED: February 1984

9. PERFORMING ORGANIZATION NAME AND MAILING ADDRESS: Oak Ridge National Laboratory, P. O. Box X, Oak Ridge, TN 37831; Tennessee Technological University, Cookeville, Tenn.

12. SPONSORING ORGANIZATION NAME AND MAILING ADDRESS: Division of Engineering Technology, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555

FIN NO.: B0467

13. TYPE OF REPORT: NUREG

16. ABSTRACT (200 words or less)

A study has been made of control system failures which might lead to overfill of the steam generator in Babcock and Wilcox nuclear plants. The steam generator and its control system are described. Only one sequence has been found in which a single failure would lead to overfill, and in that case the final stages of the overfill would proceed rather slowly. Because of high level protective features all other failure sequences we have examined require at least two failures to produce overfill beyond the point of high level protection. Several sequences are described in which high level protection features can be placed in an undetected failed state by a control system failure; a subsequent additional failure, occurring prior to the detection and correction of the first failure, could then produce system overfill.

Mechanical damage is identified which might be consequent upon steam generator overfill and water entry into the main steam line. Several ways of reducing the probability of steam generator overfill are suggested. No assessment has been made of the probability of occurrence of any of the sequences.

21. NO. OF PAGES: 50
