ML20126C136

From kanterella
NRC Testimony Re ASLB Question 16 Concerning Integrated Control Sys. Only Small Number of Sys Malfunctions Resulted in Reactor Trip. Further Action Will Be Determined in Light of Encl ORNL Rept. Prof Qualifications Encl
Person / Time
Site: Rancho Seco
Issue date: 03/25/1980
From: Thatcher D
Office of Nuclear Reactor Regulation
To:
References
NUDOCS 8003270067


Text


UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
BEFORE THE ATOMIC SAFETY AND LICENSING BOARD

In the Matter of
SACRAMENTO MUNICIPAL UTILITY DISTRICT
(Rancho Seco Nuclear Generating Station)
Docket No. 50-312 (SP)

NRC STAFF TESTIMONY OF DALE F. THATCHER RELATIVE TO THE INTEGRATED CONTROL SYSTEM (Board Question 16)

Q 1. Please state your name and your position with the NRC.

A. My name is Dale F. Thatcher. I am an employee of the U. S. Nuclear Regulatory Commission. I was responsible for the review and evaluation of instrumentation and control systems for Babcock & Wilcox (B&W) operating reactors following the Three Mile Island Unit 2 (TMI-2) incident.

Q 2. Have you prepared a statement of professional qualifications?

A. Yes. A copy of my statement of professional qualifications is attached to the "NRC Staff Testimony of Dale F. Thatcher Relative to Direct Initiation Of Off-Normal Conditions In The Feedwater System" filed in this proceeding. There I also explain the nature of my responsibilities with respect to the Rancho Seco Nuclear Generating Station.

Q 3. What is the purpose of your testimony?

A. The purpose of my testimony is to respond to Board Question 16 which states:

Board Question 16: SMUD, the licensee, has done insufficient analysis of the failure mode and effects analysis of the integrated control system, and therefore, Rancho Seco is unsafe and endangers the health and safety of Petitioners, constituents of Petitioners and the public.


Q 4. Describe the Rancho Seco Integrated Control System (ICS).

A. The ICS includes four subsystems. The four subsystems are the unit load demand control, the integrated master control, the steam generator control, and the reactor control. The system philosophy is that control of the plant is achieved through feed-forward control from the unit load demand control. The unit load demand control produces demands for parallel control of the turbine, reactor, and steam generator feedwater system through respective subsystems.

The integrated master control (IMC) is capable of automatic turbine valve control from minimum turbine load to full output. The steam generator control is capable of automatic or manual feedwater control from startup to full output. The reactor control is designed for automatic or manual operation above 15% output and for manual operation below 15%. The basic function of the ICS is matching megawatt generation to unit load demand. The ICS does this by coordinating the steam flow to the turbine with the rate of steam generation.

To accomplish this efficiently, the following basic reactor/steam generator requirements are satisfied:

1. The ratios of feedwater flow and Btu input to the steam generator are balanced as required to obtain the desired steam conditions.

2. Btu input and feedwater flow are controlled:

a. To compensate for changes in fluid and energy inventory requirements at each load.
b. To compensate for temporary deviations in feedwater temperature resulting from load change, feedwater heating system upsets, or final steam pressure changes.

Q 5. What function is the Rancho Seco ICS intended to perform?

A. The ICS provides the proper coordination of the reactor, steam generator, feedwater control, and turbine under all operating conditions. Proper coordination consists of producing the best load response to the unit load demand while recognizing the capabilities and limitations of the reactor, steam generator, feedwater system, and turbine. When any single portion of the plant is at an operating limit or a control station is on manual, the ICS design uses the limit or manual station as a load reference.

The ICS maintains constant average reactor coolant (RC) temperature between 15 and 100% rated power and constant steam pressure at all loads. Optimum unit performance is maintained by limiting steam pressure variations; by limiting the imbalance between the steam generator, turbine, and the reactor; and by limiting the total unit load demand upon loss of capability of the steam generator feed system, the reactor, or the turbine generator. The ICS provides limiting actions to ensure proper relationships between the generated load, turbine valves, feedwater flow, and reactor power.

In performing its functions, the ICS interacts with, i.e., it receives inputs from and provides outputs to, a number of other related plant control systems. For example, in controlling the reactor there is interaction with the control rod drive system, in controlling feedwater there is interaction with the feedwater pump control and the feedwater valve control, and in controlling the turbine there is interaction with the turbine electro-hydraulic control (EHC) system and the main steam valves such as atmospheric dump valves and turbine bypass valves.


In some operating B&W plants including TMI-2 and Rancho Seco, the ICS also controls auxiliary (emergency) feedwater flow during loss of main feedwater or loss of all reactor coolant pumps via control valves responding to steam generator level signals.

Q 6. With specific reference to the TMI-2 incident, does the ICS pose a safety concern in the view of the NRC Staff with regard to its function to automatically regulate auxiliary feedwater flow?

A. At the time of the TMI-2 event, a specific safety concern was expressed with regard to the reliance on the ICS to regulate auxiliary feedwater flow for loss of main feedwater.

Q 7. What was the nature of that concern?

A. There was concern that the ICS could fail or malfunction in some manner to prevent the supply of emergency feedwater when required. Subsequent investigation suggests that the ICS at TMI-2 did perform its intended function.

Q 8. Have any steps been taken at the Rancho Seco facility to deal with the ICS concerns relative to auxiliary feedwater flow raised by the TMI-2 incident? If so, indicate what steps have been taken.

A. As a result of the Commission Order of May 7, 1979, the Rancho Seco plant was to develop and implement operating procedures for initiating and controlling auxiliary feedwater independent of ICS control. In the NRC Staff "Evaluation of Licensee's Compliance with the NRC Order dated May 7, 1979," Docket No. 50-312, dated June 27, 1979, page 13, we concluded that the Rancho Seco plant could initiate and control auxiliary feedwater independent of ICS including starting the pumps and controlling the AFW bypass valves. Based on the measures taken at Rancho Seco to initiate and control auxiliary feedwater independent of the ICS, the Staff concluded that continued operation of Rancho Seco was acceptable.

Q 9. Will any future steps be taken at the Rancho Seco facility relative to the ICS and its function to control auxiliary feedwater flow? If so, please identify what those actions will be and the time frame within which they will be completed.

A. Yes. In a letter dated October 18, 1979, J. J. Mattimoe to D. Eisenhut, the licensee committed to install a safety grade auxiliary feedwater control system independent of the ICS. The licensee has committed to implement these requirements during the 1981 refueling outage.

This would completely remove the initiation and control of the auxiliary feedwater system from ICS. In addition, the system would meet requirements equivalent to those outlined in response to Question 10 of "NRC Staff Testimony of Dale F. Thatcher Relative to Direct Initiation of Reactor Trip Upon The Occurrence of Off-Normal Conditions In The Feedwater System".

Q 10. For each step identified in response to Question 9 above, indicate why the Rancho Seco facility may continue to operate in the interim prior to complete implementation of the action to be taken.

A. The implementation of the safety grade requirements will help ensure a highly reliable automatic initiation and control of auxiliary feedwater in the long term. However, in the interim, the procedures in place at Rancho Seco provide a fully independent method to initiate and control AFW should the ICS fail. See: "Evaluation of Licensee's Compliance with the NRC Order dated May 7, 1979," pp. 12-13 (June 27, 1979). This coupled with the improvements in overall reliability of the Rancho Seco auxiliary feedwater system (See: Testimony of Phil Matthews in Response to Board Question CEC 1-6) provides assurance that the Rancho Seco auxiliary feedwater system will perform its function as required.

Q 11. With specific reference to the TMI-2 incident, does the ICS pose a safety concern in addition to that related to auxiliary feedwater flow?

A. A general safety concern was expressed with regard to the complex role of the ICS in overall plant control, and whether or not it performs this function satisfactorily. In order to determine the potential contribution of the ICS in plant upsets, the staff concluded that further investigation was needed.

Q 12. What further investigations are presently in progress?

A. The NRC Staff believed that a failure mode and effects analysis of the ICS would provide a more comprehensive understanding of this control system and provide necessary guidance for determining the need for further requirements with respect to the ICS. The licensee committed to submit a failure mode and effects analysis (FMEA) of the Integrated Control System to the NRC Staff as soon as practicable. The Commission Order of May 7, 1979 confirmed that this would be carried out in the long term.

A failure mode and effects analysis is a systematic procedure for identifying the modes of failure of a system and for evaluating their consequences. A FMEA is considered (as stated in IEEE 352-1975, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protective Systems") to be the first general step of a reliability analysis. It can potentially provide some early useful information and provide a basis for later studies and/or analyses.

Typically a FMEA has been utilized as a tool to help systematically evaluate plant safety systems (such as the reactor protection and engineered safety features actuation system) to determine if a single failure can prevent the system safety function. It is a requirement that for plant safety systems no single failure shall prevent the system safety function. Plant control systems such as the integrated control system (ICS) have typically not been required to meet this single failure criterion. However, for any system, including a control system, a FMEA can be used to identify failure modes which could lead to undesirable consequences.
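The load-reference rule described in the answer to Question 5 (a subsystem at an operating limit, or a station on manual, becomes the load reference) and the FMEA procedure described here, as an added example that is not part of this testimony or of BAW-1564: a simplified Python model of the limiting logic with a single-failure FMEA run over its limit inputs. The limiting rule, the 5..100% plausibility check, the station values and the three failure modes are assumptions constructed for illustration; only the 15% threshold for automatic reactor control comes from the testimony.

```python
"""Simplified model of the ICS load-reference rule plus a single-failure
FMEA over its limit inputs.  Illustrative only: the rule, the plausibility
check, the station values and the failure modes are assumptions made for
this example, not the B&W design and not taken from BAW-1564."""
from dataclasses import dataclass, replace

REACTOR_AUTO_MIN_PCT = 15.0  # reactor control is manual below this power (testimony)


@dataclass(frozen=True)
class Station:
    name: str             # turbine, reactor or feedwater subsystem
    capability: float     # true operating limit, % of rated load (constructed)
    limit_signal: float   # limit as the ICS sees it; equals capability when healthy
    manual: bool = False
    manual_setpoint: float = 0.0


def plausible(signal: float) -> bool:
    """Assumed cross-check: a limit signal outside 5..100 % is rejected."""
    return 5.0 <= signal <= 100.0


def load_reference(demand: float, stations: list[Station]) -> tuple[float, str]:
    """The most restrictive manual setpoint or plausible limit caps the unit
    load demand and becomes the load reference for all three subsystems."""
    ref, source = demand, "unit load demand"
    for s in stations:
        if s.manual:
            cap, kind = s.manual_setpoint, "manual"
        elif plausible(s.limit_signal):
            cap, kind = s.limit_signal, "limit"
        else:
            continue  # a rejected signal exerts no limiting action
        if cap < ref:
            ref, source = cap, f"{s.name} {kind}"
    return ref, source


def effect(demand: float, stations: list[Station]) -> str:
    """Classify the plant-level consequence of the resulting load reference."""
    ref, _ = load_reference(demand, stations)
    if any(ref > s.capability for s in stations):
        return "imbalance: reference exceeds a subsystem capability (trip expected)"
    if ref < REACTOR_AUTO_MIN_PCT:
        return "runback below 15%: reactor control must go to manual"
    if ref < min(demand, min(s.capability for s in stations)):
        return "spurious runback: generation held below achievable load"
    return "tolerated"


# Postulated single failures of one limit input (value presented to the ICS).
FAILURE_MODES = {"fails high": 100.0, "fails low": 0.0, "drifts low": 50.0}


def fmea(demand: float, stations: list[Station]) -> list[dict]:
    """Single-failure FMEA: fail each station's limit signal in turn and
    record the load reference actually produced and its effect."""
    rows = []
    for i, s in enumerate(stations):
        for mode, value in FAILURE_MODES.items():
            failed = stations[:i] + [replace(s, limit_signal=value)] + stations[i + 1:]
            ref, source = load_reference(demand, failed)
            rows.append({"component": s.name, "mode": mode, "reference": ref,
                         "source": source, "effect": effect(demand, failed)})
    return rows


def summarize(rows: list[dict]) -> dict[str, int]:
    """Count failure modes per effect class, as the 6-of-162 statistic counts trips."""
    counts: dict[str, int] = {}
    for r in rows:
        key = r["effect"].split(":")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed plant state: one feedwater pump out of service limits feedwater to 80 %.
SAMPLE_STATIONS = [
    Station("turbine", capability=100.0, limit_signal=100.0),
    Station("reactor", capability=100.0, limit_signal=100.0),
    Station("feedwater", capability=80.0, limit_signal=80.0),
]
SAMPLE_DEMAND = 95.0

if __name__ == "__main__":
    print("healthy:", load_reference(SAMPLE_DEMAND, SAMPLE_STATIONS))
    rows = fmea(SAMPLE_DEMAND, SAMPLE_STATIONS)
    for row in rows:
        print(f"{row['component']:10} {row['mode']:11} ref={row['reference']:5.1f}  {row['effect']}")
    print(summarize(rows))
```

The run shows the plant-specific point made in the review: the same failure mode is tolerated on a non-binding subsystem but produces an imbalance on the binding one, and the range check stops a failed-low signal only at the price of removing that station's limiting action.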

B&W has performed an FMEA on the integrated control system (ICS) as part of its reliability analysis of the ICS. The other part of the reliability analysis is a review of the ICS "Operating Experience". The FMEA and Operating Experience are documented in B&W Report BAW-1564, "Integrated Control System Reliability Analysis".

Based on the overall reliability analysis, the report makes recommendations to be evaluated on a plant-specific basis. The recommendations highlight areas in which B&W believes improvements could potentially contribute to improved overall operation of the facility. The majority of the recommendations involved areas outside the ICS itself, and were not specific in nature because of the design differences which exist in these areas at the different plants. Therefore, based on the recommendations, the NRC Staff requested (by letter dated November 7, 1979) that all B&W licensees evaluate the report's recommendations and include followup action plans. We are presently evaluating the responses. In addition, Oak Ridge National Laboratory (ORNL) has reviewed the B&W report for the NRC Staff and reported its results in a Report Review, "Integrated Control System Reliability Analysis," transmitted to the Staff on January 21, 1980. A copy of the ORNL report is attached to this testimony.


In addition, the NRC has one study underway entitled "Integrated Reliability Evaluation Program (IREP)." Although this program is still being developed, it does have as one of its objectives to identify the risk significance of the close-coupling of primary and secondary coolant systems and of the systems interactions originating in the Integrated Control System at B&W reactor plants. The results of this program may give some indication of the relative significance of the Integrated Control System in the overall risk from operation of B&W plants and, as a result, help determine the need for further study.

Q 13. What are the Staff conclusions in this area?

A. The Staff concluded that each plant needed to evaluate (as requested) its specific design with respect to the potential for improvement as summarized in the report by B&W.

From the ORNL Review, it appears that although the ICS and related control systems contain areas which can potentially be improved, the ICS itself has proven to have a low failure rate and it does not appear to precipitate a significant number of plant upsets. Specifically, the examination of the failure statistics revealed that only a small number of ICS malfunctions resulted in reactor trip (approximately 6 of 162). From this data, ORNL concludes that the system is failure tolerant to a significant degree.

In addition, ORNL has suggested areas for further study. We are in the process of reviewing the ORNL final report and will determine any further action to be required by the licensee.

Q 14. Based on the Staff's review, are any further steps contemplated for the Rancho Seco facility relative to the ICS?

A. The Staff's preliminary evaluation of the licensee's response (dated January 21, 1980, J. J. Mattimoe to R. Reid) to our November 7, 1979 request indicates that the licensee is implementing modifications or is in the process of evaluating modifications related to the recommendations of the B&W report (BAW-1564).

The licensee is implementing a power supply modification related to the recommendation of the B&W report. This modification is intended to increase power supply reliability and is to be completed during the January 1980 outage.


Other recommendations are being evaluated by the licensee, but at this time, no specific actions have been defined.

The Staff is continuing to study and review this area as I indicated in my response to Question 13 above. However, the Staff has made no further specific recommendations in this area at this time.

Q 15. Explain why continued operation of the Rancho Seco facility is permissible prior to completion of the studies which the Staff has underway.

A. The basis for continued operation prior to the completion of all studies and/or analyses is that, although there are areas which could potentially be improved, the present ICS has proven to have a low failure rate and does not initiate a significant number of plant upsets.

In addition, ORNL has concluded that the analysis (BAW-1564) shows that anticipated failures of and within the ICS are adequately mitigated by the plant safety systems, and that many potential failures would be mitigated by cross checking features of the control system without challenging the plant safety systems.

DALE F. THATCHER
PROFESSIONAL QUALIFICATIONS
INSTRUMENTATION & CONTROL SYSTEMS BRANCH
DIVISION OF SYSTEMS SAFETY

I am a Senior Reactor Engineer in the Instrumentation and Control Systems Branch, Division of Systems Safety, Nuclear Regulatory Commission.

From May to December 1979, I was assigned to the Bulletins and Orders Task Force as a technical reviewer in the area of instrumentation and control.

Just prior to this assignment I was a member of the NRR team which aided in the Three Mile Island Recovery Operation. In the ICSB, my primary responsibility is to perform technical reviews of the design, fabrication, and operation of instrumentation and control systems for nuclear power plants. This review encompasses evaluation of applicant's safety analysis reports, generic reports and other related information on the instrumentation and control designs.

I graduated from Lehigh University with a Bachelor of Science Degree in Electrical Engineering in June 1971.

From my graduation in June 1971 until my employment at the Commission, I was an Instrumentation Engineer with Gilbert Associates, Inc., an Architect-Engineering company located in Reading, Pennsylvania. My responsibilities included the design and evaluation of various instrumentation and control systems including primarily the areas of reactor protection systems and other safety systems for various domestic nuclear power plants.

I joined the Regulatory staff of the Atomic Energy Commission in March 1974 as a Reactor Engineer. Since then, I have participated in the review of instrumentation, control and electrical systems of numerous nuclear power stations and standard plant designs. In addition, I have participated in the formulation of related standards and regulatory guides.

I am a member of the Institute of Electrical and Electronics Engineers (IEEE) and have participated in the development of IEEE Standard 379-1977, "IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems" and other proposed standards.


INSTRUMENTATION AND CONTROLS DIVISION

Report Review: Integrated Control System Reliability Analysis*

Review by J. L. Anderson, S. J. Ditto, R. S. Stone, Oak Ridge National Laboratory, Oak Ridge, Tennessee 37830; R. A. Hedrick, A. F. McBride, J. R. Penland, Science Applications, Inc.†

Research sponsored by the Division of Systems Safety, U. S. Nuclear Regulatory Commission under Interagency Agreement No. 40-544-75 with the U. S. Department of Energy under contract W-7405-eng-26 with the Union Carbide Corporation.

*By R. L. Dungan, L. L. Joyner, C. P. Bennett, and C. W. Tally, Babcock & Wilcox, BAW-1564 (August 1979).

†Under Subcontract No. 62B13819C with the Union Carbide Corporation.


1. INTRODUCTION

The Instrumentation and Controls Division of the Oak Ridge National Laboratory (ORNL) was requested by the U. S. Nuclear Regulatory Commission (NRC) to review a report entitled Integrated Control System Reliability Analysis, by the Babcock and Wilcox Company (B&W).¹ In this document (hereinafter referred to as the "B&W analysis") B&W states their analysis of the effects of postulated failures in the B&W integrated control system (ICS) on the operation of the nuclear steam system (NSS). The object of the review by ORNL was to determine the adequacy of the B&W analysis.

The B&W analysis had been submitted in response to shutdown orders from the NRC to all B&W-designed plants (hereinafter referred to as the "NRC orders").² The "Executive Summary" of the NRC orders directed the B&W control system analysis to address the following NRC concerns: "Plant design features unique to the B&W plants (e.g., OTSG and ICS) should be evaluated with regard to interactions in coping with transients. The mitigating systems (e.g., HPI) should also be included in the study." The NRC also directed analysis of other specific concerns in Sect. 8.2.3 of the NRC orders, which are rephrased as follows:

(a) The role of control systems (in this case the ICS) and their significance to safety.

(b) The rate at which transients initiated by control failures challenge the plant safety systems.

(c) The rate at which transients initiated outside the control system are not successfully mitigated by the control system.

(d) Identification of realistic plant interactions resulting from failure in nonsafety systems, safety systems, and operator actions. (Failure modes and effects analysis is indicated.)

1. R. L. Dungan, L. L. Joyner, G. P. Bennett, and C. W. Tally, Integrated Control System Reliability Analysis, Babcock & Wilcox, BAW-1564 (August 1979).
2. Staff Report on the Generic Assessment of Feedwater Transients in Pressurized Water Reactors Designed by the Babcock & Wilcox Company, U. S. Nuclear Regulatory Commission, NUREG-0560 (May 1979).


Finally, additional concerns were expressed in Appendix Y of the NRC orders, and pertinent excerpts are paraphrased as follows: The NRC staff has ascertained that B&W-designed reactors appear to be unusually sensitive to certain off-normal transient conditions originating in the secondary system. The features of the B&W design that contribute to this sensitivity are: (1) the design of the steam generators to operate with relatively small liquid volumes in the secondary side; (2) the lack of direct initiation of reactor trip upon the occurrence of off-normal conditions in the feedwater system; (3) the reliance on an integrated control system (ICS) to automatically regulate feedwater flow; (4) the actuation before a reactor trip of a pilot-operated relief valve on the primary system pressurizer (which, if the valve were to stick open, could aggravate the event); and (5) the low steam generator elevation relative to the reactor vessel, which provides a smaller driving head for natural circulation.

Because of these features, B&W-designed reactors depend greatly on the reliability and performance characteristics of the auxiliary feedwater system, the ICS, and the emergency core cooling system (ECCS) to recover from frequent, anticipated transients, such as loss of offsite power and loss of normal feedwater. This, in turn, places a large burden on the plant operators to cope with off-normal system behavior during such anticipated transients.

The administrative action required of B&W by the NRC was that "the licensee will submit a failure mode and effects analysis of the ICS to the NRC staff as soon as practicable."

2. GENERAL FINDINGS OF ORNL REVIEW

The B&W analysis¹ submitted in response to the NRC orders deals only narrowly with the ICS itself and not at all with the plant systems it controls and with which it interacts. With note of the concerns expressed and the guidance given in the NRC orders, the B&W analysis is more notable for what it does not include than for what it does include.

With reference to the "Executive Summary" of the NRC orders, the B&W analysis does not deal with interactions or with transients, except those that might be initiated by limited signal or component failures (one at a time) within the ICS. Neither does the report deal with mitigating systems such as HPI, as suggested. In fact, consideration of all events is concluded with reactor trip; interactions with ECCS are not mentioned, even though to some extent the ICS (auxiliary feedwater) is a part of the ECCS.

The significance of the ICS to safety (item a) is not addressed.

The rate at which transients initiated by control failure challenge the plant safety systems (item b) is dealt with only to a limited extent. Only control failures within the ICS cabinets are considered, and then only to reactor trip. No significant control, instrument, or power failures external to the ICS cabinets are considered, even though several such failures have occurred in operating plants.

Transients initiated outside the control system (item c), whether or not successfully mitigated by the ICS, are not addressed, except in tabulations of operating experience.

Identification of interactions (item d) resulting from failures in safety or nonsafety systems or operator actions is notably absent.

Also notably absent is any consideration of the sensitivity of the B&W plant design to feedwater transients, to performance--either normal or abnormal--of the ICS, or to reliance on the pilot-operated relief valve for successful maneuvering.

In summary, the report deals only with a very limited scope of failures, essentially within the ICS cabinets; the only significant measure of response is whether a reactor trip would occur. Because of this limited scope, the results are necessarily of limited value. The following ORNL review takes into account this limited scope and attempts to evaluate the analysis presented and, also, to suggest additional work which might be needed.

3. THE ORNL REVIEW PLAN

The ORNL review plan was that first we would identify the concerns and need for a B&W analysis of the ICS. Then, from that statement of need, we would establish specific objectives for the B&W analysis report. From the statement of objectives, the B&W analysis would be evaluated relative to their methodology by which the objectives were to be achieved and to the adequacy of their implementation of the methodology.

This basic plan resulted in two classes of comments concerning the B&W analysis: "Methodology" and "Implementation." Based on these two sets of comments, major concerns were identified and evaluated, from which the adequacy of the B&W reliability analysis of the ICS was assessed.

Finally, from NRC areas of concern and from the ORNL evaluation of the B&W analysis, we derived a set of recommended actions that would lead to an achievement of the original study objectives desired by the NRC. Several questions were submitted to B&W to obtain clarification and expansion of some concerns expressed in our preliminary review of the analysis. These questions and the B&W responses are included as Appendix A.

Because of the once-through steam generator, the B&W NSS responds rapidly to secondary system perturbations. (This sensitivity was a key consideration in the analysis of the Three Mile Island accident.) In any evaluation of potential or real abnormal events, evaluation of the ICS is a principal requirement because of its influence on the course of the events. The task of evaluation of the ICS is made complicated by the following engineering considerations:

1. The complexity of the ICS due to its feed-forward approach as augmented by feedback fine tuning.
2. The complexity of the plant response to control actions.
3. The sensitivity of the plant and a definition of what constitutes failure of the ICS (e.g., instrument drift not normally associated with failure might be sufficient to initiate an ICS-induced transient).

An understanding of the sensitivity of the B&W NSS response to ICS actions enables identification of the following objectives for analysis of the B&W control system:

1. Estimate the probability that an ICS failure can initiate an accident. This estimation must be based on an objective evaluation of the system.
2. Identify design deficiencies.
3. Identify design features that influence the probability of accident initiation.
4. Evaluate the capability of the ICS to respond properly to probable events, and estimate the impact of adverse actions of the ICS.

In the following sections, we discuss the methodology selected to meet the preceding objectives (Sect. 4), discuss and evaluate the implementation of the selected methodology to evaluate the B&W ICS (Sect. 5), and recommend further work to address the role of control systems in the safety of nuclear power plants (Sect. 6).

4. METHODOLOGY SELECTION

The methodology selected for the reliability evaluation of the ICS consisted of three parts: failure modes and effects analysis (FMEA), systems simulation, and operating data collection and analysis. In concept, the FMEA is used as a predictive tool to estimate which failures within and without the ICS can lead to plant transients. A simulation model is used to study in more detail the effect of postulated failures identified by the FMEA. Finally, from collection and analysis of operating data, information is obtained for comparison of what has occurred with what has been predicted. From such comparisons, the validity of overall conclusions may be determined.

The following paragraphs identify and discuss the bases for concerns with the methodology selected.

4.1 Scope of Analysis

As part of the ongoing evaluation by the NRC staff, the initial concerns with the ICS were broadened into a more general concern about control systems and the interaction of safety and nonsafety systems as mentioned in the introduction of this review. The broader concerns were not considered explicitly in the ICS study.

Our review attempts to answer several questions. First, does the B&W analysis present a fair and complete representation of the ICS? Second, do the failures selected for analysis and the results stated provide the insight to allow valid conclusions to be drawn? Third, can this type of study, based on failures within or at the boundaries of the ICS, adequately evaluate the potential impact of the ICS on the safety of the plant? Fourth, if the answer to the previous question is "no," what other information is necessary?

We believe that the usefulness of the B&W analysis is limited because the ICS is bounded so narrowly. A control system, particularly one claimed as "integrated," should include sensing, signal conditioning, and actuating equipment and perhaps power supplies--if not primary power sources. The system being controlled includes a number of process loops that are highly interactive and which must often operate within rather narrow individual constraints. The B&W analysis does not address these interactions.

The failures selected by B&W for analysis are based on failures of functional blocks. Although it is recognized that functions can fail because of equipment failures, it is not clear that there are no undisclosed couplings or interactions of blocks. An example of common elements that may involve multiple blocks is the arrangement of power supplies and their protective features (fuses, breakers, etc.). Additionally, the B&W analysis is seldom carried beyond reactor trip, if that occurs. While it is of interest to know that a failure causes a trip, it is also of interest to know whether a trip is actually needed and whether the trip lays all problems to rest. To some extent, the B&W analysis discusses the effect of operator posttrip action, but many of the scenarios end with the trip. Although the ICS controls the operation of equipment that is important during posttrip situations, the B&W analysis does not pursue this necessary consideration. For example, it is suspected that some possible failure modes of the ICS could inhibit initiation of auxiliary feedwater (AFW). Also some failures in the ICS possibly could initiate a loss of feedwater and also could inhibit auxiliary feedwater via the flow control valves. These possibilities are not addressed, presumably because they are plant specific.

Measures are underway to make initiation and control of AFW independent and safety grade.

Inasmuch as the ICS participates so directly in the coordination of the generation, transport, and removal of heat, it influences the behavior of the whole plant, even to the extent that it could magnify anomalous behavior that originates outside itself. Malfunctioning valves have required manual intervention for operation during startup, probably because the automatic systems (ICS) could not cope. It would not be impossible for peculiar equipment interactions or operating conditions to place the ICS at such a disadvantage that it would respond, although as designed, in an undesirable way.

A basic question, from a safety viewpoint, is the following: Can the ICS cause the plant to misbehave in a credible way so that the protection system (and ESFs) cannot adequately handle it? Hopefully the answer is no, but a corollary question might also be asked: Does the ICS increase or decrease the rate at which the protective features are being called upon to cope with real hazards? These questions are not unique to the ICS. They are concerns to be addressed in an analysis of any control system; however, they cannot be answered meaningfully by consideration of only a relatively small portion of the entire control structure, such as the ICS as limited in the B&W analysis report.

It is clear that the B&W analysis was an attempt to respond to loosely defined concerns on a short time schedule. It describes some problems that can arise but falls short as an in-depth evaluation. The supplementary operating statistics indicate that the control system is of reasonable reliability, but they also give a somewhat hazy image of a system that has some performance deficiencies. It does not appear to be an unworkable system, but it falls short of being a strong influence for safety.


The broader concerns are summarized as follows:


1. Other control systems. These include other automatic control systems such as the nonnuclear instrumentation (NNI) makeup flow and PORV controls and turbine-generator controls. Failures within these control systems can affect the performance of the ICS and other key systems simultaneously. Of particular concern, for instance, is the postulated failure of power supplies in the NNI. In addition to automatic controls, the plant operator is himself part of a control loop between the NNI indications and the controlled components.

2. Controlled components. As identified by the historical data, plant trips are caused more by failures of controlled components than by failures of automatic control systems. As previously identified, interactions among control systems (including human operators) and controlled components may result in a transient, even though no specific equipment has failed.


3. Control system inputs. The ICS analysis considered single "high" or "low" ICS inputs. Failure of sensor signals to other control systems, including human operators, should be studied in detail. Such failures are of particular concern, since they may have a simultaneous adverse effect on ICS performance and/or the performance of other critical systems. The study should include multiple failures due to common causes (e.g., power supplies) or undetected failures. Failures of input signals at midscale should be studied because they may remain undetected and thus contribute to multiple component failures.

4.2 Multiple Failures

The FMEA is a qualitative reliability engineering technique for evaluation of the effects on system operation of single, postulated failures within the system or within subsystems interconnected to the principal system. The FMEA starts with contributing events and traces them upward through the system hierarchy to determine the overall effects. The FMEA is suited to the performance of single-failure analyses; it is not a convenient technique for addressing multiple-failure situations.

This inability to address multiple failures in the B&W ICS may be significant since, as acknowledged by B&W, failures may occur in the ICS without being annunciated, such as those of signal limiters and auctioneers. A failed auctioneer, for instance, might have no effect on ICS performance until called upon to implement a cross limit initiated by another ICS failure. Since sufficient evidence to the contrary does not exist, multiple-failure-induced transients may have a significant probability.

An alternative or augmenting technique is fault tree analysis, since fault trees are suited to handling multiple failure situations. The ICS reliability study identified major events in which the ICS could participate: loss of main feedwater, steam generator overfill, secondary depressurization through turbine bypass or atmospheric dump valves, and, possibly, combinations of these events due to instrument power failure. It may be advisable to analyze fault trees on these major events, tracing through the system "top down" to identify the faults that could induce the specific event. This analysis would identify sets of multiple failures and estimates of their probability. Specifically, an interesting fault tree might be developed for a "top" event of loss of feedwater, using the equipment block diagram rather than the functional block diagram used in the B&W analysis. (Section 5.1.1 states the reasons for using an equipment diagram.) From the results of this analysis, one might judge whether it would be worthwhile to develop fault trees for other major events.
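As an added illustration (not part of the B&W analysis and not code from this review), the following Python script builds the kind of equipment-level fault tree proposed above for a "loss of feedwater" top event and extracts its minimal cut sets. The equipment names, the tree structure and every failure probability in it are hypothetical. It shows the two things a single-failure, functional-block FMEA does not: an AND gate whose inputs share a power supply collapses to a single-failure cut set (the common element noted earlier in this section and again under power supplies in Sect. 5.1.3), and a silently failed auctioneer appears only in a second-order cut set together with the failure that calls for the cross limit.

```python
"""Minimal cut sets for a hypothetical 'loss of main feedwater' top event.

Added example for this review. It is not code from the B&W analysis
(BAW-1564) or from ORNL; the tree, the equipment names and every failure
probability below are constructed for illustration only.
"""
from itertools import product

AND, OR = "AND", "OR"

# Basic events that B&W acknowledges may fail without annunciation; a
# latent failure gets a higher standing probability because it can sit
# undetected between surveillances (hypothetical value).
LATENT = {"cross_limit_auctioneer_stuck"}

# A power supply shared by several signal paths: the common element that a
# functional-block FMEA treats as independent blocks.
COMMON_CAUSE = {"nni_power_supply_fails"}

# Hypothetical per-demand failure probabilities for the basic events.
P = {
    "sg_a_startup_valve_closes": 1e-3,
    "nni_power_supply_fails": 5e-3,
    "sg_a_level_sensor_fails": 2e-3,
    "sg_b_level_sensor_fails": 2e-3,
    "neutron_error_signal_fails": 2e-3,
    "cross_limit_auctioneer_stuck": 1e-2,
}

# Each steam generator loses its level signal if its own sensor fails OR the
# shared NNI supply fails (hypothetical wiring).
SG_A_SIGNAL_LOST = (OR, ["sg_a_level_sensor_fails", "nni_power_supply_fails"])
SG_B_SIGNAL_LOST = (OR, ["sg_b_level_sensor_fails", "nni_power_supply_fails"])

# Top event: loss of main feedwater (hypothetical equipment-level structure).
LOSS_OF_FEEDWATER = (OR, [
    # single failure: the startup control valve actuator drives closed
    "sg_a_startup_valve_closes",
    # both feedwater loops lose their level signal
    (AND, [SG_A_SIGNAL_LOST, SG_B_SIGNAL_LOST]),
    # a bad signal initiates a cross limit that a silently failed
    # auctioneer cannot implement
    (AND, ["neutron_error_signal_fails", "cross_limit_auctioneer_stuck"]),
])


def cut_sets(node):
    """All (not necessarily minimal) cut sets of a gate tree, top down."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == OR:
        return [cs for sets in child_sets for cs in sets]
    if gate == AND:
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Apply Boolean absorption: drop any cut set that contains another."""
    sets = set(cut_sets(node))
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: (len(s), sorted(s)))


def top_event_probability(mcs, probs):
    """Min-cut-set upper bound 1 - prod(1 - P(cut)), where P(cut) is the
    product of its basic-event probabilities (independence assumed)."""
    survive = 1.0
    for cut in mcs:
        p_cut = 1.0
        for event in cut:
            p_cut *= probs[event]
        survive *= 1.0 - p_cut
    return 1.0 - survive


def analyze(tree=LOSS_OF_FEEDWATER, probs=P):
    """Summarize what the fault tree shows that a single-failure FMEA does not."""
    mcs = minimal_cut_sets(tree)
    return {
        "minimal_cut_sets": [tuple(sorted(s)) for s in mcs],
        # what a single-failure FMEA would see: order-1 cut sets only
        "single_failure_cuts": sum(1 for s in mcs if len(s) == 1),
        # multiple-failure cut sets that involve an unannunciated failure
        "latent_cuts": sum(1 for s in mcs if s & LATENT),
        # cut sets that the shared power supply collapses to one event
        "common_cause_cuts": sum(1 for s in mcs if s & COMMON_CAUSE),
        "top_event_probability": top_event_probability(mcs, probs),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

With these constructed numbers the tree yields four minimal cut sets, two of them single failures. The pair "sensor A fails AND supply fails" never survives as a double failure because the supply alone already defeats both loops; that is exactly the case a block-level single-failure table would score as two independent blocks. The auctioneer cut set contributes little to the total here, but its probability is the one number the FMEA cannot estimate at all, because the latent failure is invisible until the cross limit is demanded.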


4.3 Participation in Feedwater Oscillations

The methodology that was selected cannot evaluate the possible involvement of the ICS with FW oscillation. At least two regimes of oscillation have been identified: one in the power range from 15 to 20%, with a period of 3 to 90 s, and a second at about 0.3 Hz, which occurs during operation up to 70% of full power in some plants. The ICS does participate in these two regimes, and it is possible that its effect could cause the plant to trip. Further, the ability of the plant systems, including the ICS, to withstand such perturbations has not been determined. It is not clear that the effect of such oscillations has been included in the plant duty cycle.

Because much is unknown concerning the dynamic response and stability of the plant control system (a broader definition of the ICS), we believe that a dynamic performance analysis should be made to better understand the dynamic characteristics, including system oscillation. Some topics suggested for study are as follows:

1. The dynamic response of FW pump control is generally slower than that of FW valves. Will transition from valve to pump control of FW cause stability problems?

2. Do the pressurizer controls attempt to mitigate, or to amplify, pressure oscillations? How are the pressurizer and the ICS interdependent with regard to stability?

3. Are oscillations caused or mitigated by the ICS?

4. What conditions could lead to plant instability?

4.4 System Simulation

The objective of system simulation is to evaluate the effect of postulated failures upon the NSS. This is, in concept, an excellent technique, inasmuch as evaluation using an operating plant would be prohibitively expensive and possibly dangerous. Likewise, an intuitive estimation of the effect of postulated failures on the system would be inadequate because the system response to inputs from the ICS is too complex for such a simplified technique. Thus, system simulation is an appropriate technique, with a caveat that any simulation is limited in its ability to predict system response. The strengths and weaknesses of the simulation technique chosen, POWER TRAIN IV (PT-IV), are addressed in Sect. 5.2.

5. EVALUATION OF IMPLEMENTATION OF METHODOLOGY

In this section we presume that the B&W method described in BAW-1564 is adequate for evaluation of the ICS. The results reported below evaluate the manner in which the methodology is applied to the ICS. The results of this evaluation are described in the three sections corresponding to the FMEA, POWER TRAIN simulation, and operating data.

5.1 Failure Modes and Effects Analysis

5.1.1 Functional versus hardware basis

An FMEA can be performed on either a functional flow block diagram of the ICS or an equipment block diagram. The two are not necessarily the same, and results based on the functional flow block diagram may be misleading relative to the actual configuration of hardware. For maximum utilization of an FMEA for a real system, the FMEA should be performed on an equipment block diagram.


The functional flow FMEA provides little, if any, basis for even a judgmental estimation of failure probability. This is exemplified in Table 4-5 of the B&W analysis, where almost all functional failures of the ICS result in a trip. However, as implemented in ICS hardware, the functions have cross limits that can prevent trip conditions. Thus, the analysis, as presented, does not reflect beneficial features of the ICS. Specifically, fault tolerance of the system cannot be evaluated, although plant data suggest that the ICS has a considerable degree of fault tolerance. The B&W Table 4-5 shows only one of the 39 functional blocks whose failure does not produce a trip. However, operating data show that only 6 of the 47 actual ICS equipment failures resulted in a trip.

Unless portions of an FMEA on the equipment block diagram can be performed, the impact of using the functional rather than the equipment diagram cannot be evaluated completely. As noted in Sect. 4.2, a fault tree using the equipment block diagram would have been a better method of analysis.

5.1.2 Off-normal conditions

The serious safety problems experienced in operating reactors have, in general, involved multiple failures, or sometimes a single failure compounded by operator error. Without deserting the probability-justified single-failure criterion, it would be instructive to examine the consequences of single hardware failures occurring during operation with less than a full complement of coolant pumps or with certain control functions in the manual mode. These are allowed conditions of operation; their occurrence is not uncommon. Under the same probability guidelines that mandate investigation of ATWS situations, it is not unreasonable to examine the consequences of single ICS failures during off-normal conditions of plant operation.

Where control failures are postulated under conditions of degraded heat removal capabilities, a scram may not always be the final action to be considered. If reactor cooling must be followed from full power into the shutdown mode, PT-IV does not appear to have the dynamic range to follow the decreasing power nor the command of nonlinear effects to deal with the interim transient. Additional investigation of ICS component failures under off-normal conditions would be desirable, particularly where operation is on two pumps and such ICS failures occur as a "close valve" malfunction in one steam generator's startup control valve actuator. In addition, it would be desirable to follow postscram heat removal with a blowdown-competent code, at least for a few extreme cases, in order to demonstrate the medium-term consequences of the event and the adequacy of the PT-IV predictions.

The B&W analysis asserts that ICS actions have averted more trips than they have caused. Although this assertion is not pertinent and is probably true, the data presented do not substantiate the assertion.

5.1.3 Power supplies

The evaluation of power supply failures was limited. Although a loss of input power was listed as a failure, the effects of the failure were not evaluated. Failures of power conditioning equipment internal to the ICS were not considered except for their potential contribution to "high" or "low" failures or to single internal ICS functions and to single ICS output signals. The B&W report states that power supply failures could not be considered in greater detail because plant-to-plant design variations were too great, the failure modes and effects were too complex, and the time allocated for the study was too brief to permit such an analysis. In the B&W analysis, power supplies are listed as a subject for additional study.

5.1.4 Effect of postulated failures

From the limited B&W evaluation of postulated failures, it is difficult to assess the need for further evaluation or for potential design modifications. As an example, the FMEA describes the effect of steam generator overfill as "... overcooling of the primary, and possible loss of pressurizer inventory and/or level indication."* However, in the summary of an NRC-B&W Operating Plant Licensees Meeting, the effects of the same transient were described as follows: "The resultant carry-over of liquid into the main steam lines could lead to equipment damage to both the main turbine and any auxiliary turbines (i.e., AFW pump turbines) being supplied steam from the main steam system. In addition, the carry-over could lead to excessive waterhammer. It is also possible that the weight of the water in the steam lines could cause excessive stresses on the piping system and pipe supports."3 Regardless of how appropriate either description is, the latter description would place a greater emphasis on the potential need for remedial action.

*Ref. 1, p. 4-33.

5.2 System Simulation

A more accurate assessment of the response of a plant to ICS failures, we believe, could be achieved by simulating a failure with sufficient equipment that would be capable of following the transient resulting from the simulated failure. The equipment needed would be modules capable of responding to simulated failures of the NSS, ICS, and BOP over a wide range of parameters. Although no such global simulation capability exists, simulators that can encompass some combination of the three systems over a limited range of the parameters of interest are available.

POWER TRAIN IV (PT-IV) was chosen as the simulator and was adapted to the lowered-loop, once-through steam generator configuration. It has all three systems, NSS, ICS, and BOP, modeled, but its thermodynamic, fluid mechanic, heat transfer, and core power applicability ranges are restricted.

Since evaluation of the ICS deals with failures that result in large changes in process parameters, e.g., steam generator dryout or flooding, the ability of PT-IV to adequately follow the resulting transients is suspect. For example, many of the undercooling transients are stated to cause a probable overpressure reactor trip; however, due to the changing core inlet temperature, DNBR trips may be more likely. Since the parameter that guides the system directly relates to ICS action, pressure and temperature, individually, will result in different plant transients and effects on the NSS even though both may cause trip. The impact of the limitations of the PT-IV simulation on the overall results is not fully understood; however, the need for using engineering judgment relating to the PT-IV results has been indicated.

Although we would prefer a simulation tool with complete capability, in the context of the state of the art, PT-IV is adequate. Its deficiencies do not greatly affect the overall results, since a reactor trip is the terminating point for the analysis. However, if a more detailed evaluation of system effects is desired, it will be necessary to develop a more sophisticated system simulation tool.

3. R. A. Capra, "NRC Summary of Meeting Held on August 23, 1979, with the Babcock & Wilcox Operating Plant Licensees to Discuss Recent (Post TMI-2) Feedwater Transients," (September 13, 1979), p. 8.

FMEA Table 4-3 is an extensive study of the impact of single ICS input failures on system behavior. Under the guidelines assumed, this was a good study, but it is questionable whether much would be gained by further pursuit of this particular approach. To begin with, a great deal of the information in Table 4-3 could be determined by a knowledgeable, a priori examination of an ICS flow sheet, without resort to simulation. Where simulation has been and should be used, it is not apparent that conditions are so far from design point that a linearized model would not be acceptable. The reason is that a reactor trip from any out-of-range variable would appear to call a halt to a study of further consequences. From a case by case examination, this response also seems justifiable; no single ICS input failure appears to cause safety problems that a scram would not cure.


5.3 Operating Data

The historical failure frequency of ICS components, the frequency of ICS-initiated transients, and the actual response of operating plants to component failures were evaluated, using the records of transients at B&W operating plants. This section complies adequately with the B&W commitment. Since the scope was not limited to ICS failures, even the more general control system concerns recently raised by the NRC are addressed in the section entitled "Operating Experience."

As shown in Fig. 5.1 of "Operating Experience," only 2% of commercial, operating plant trips were caused by internal ICS failures (excluding power supplies). Of the remaining trips, one-third were caused by operator/technician errors and two-thirds by ICS interactions with controlled equipment, failures of controlled equipment, ICS inputs (including power supplies), and failures of other control systems. Therefore, internal ICS failures are not a major causative factor of transients that produce trips.

The MTBFs (mean times between failures) for the ICS equipment are consistent with expected values for equipment of that generation (for both the 721 and the 820 series). The 820 series equipment appears to be much more reliable than the 721, but there are insufficient data to state that the apparent large differences are statistically significant.

Although the operating data indicate a relatively low probability of ICS failure, the data should not be regarded as a source of insight into the sensitivity of the plant to the ICS.


6. EVALUATION AND RECOMMENDATIONS

6.1 Operating Experience

Reliance on the ICS, or on automatic control in general, to regulate feedwater and other plant parameters is not a shortcoming, as might be inferred from current suspicion of the ICS; instead it is a significant asset to plant safety and availability. That the system does not perform perfectly in all situations or that it may induce plant upsets when it fails is only to be expected. Thus, one should criticize only the deficiencies and not automation in general. Customer satisfaction and acceptance of the ICS is high and at least as favorable as competitive designs.

It is clear that the ICS, either through its own failure or through its response to real or unreal plant conditions, can alter plant operation in undesirable ways. However, other effective control systems, including good and bad operators, can also do this. For example, feedwater pumps and valves, bypass valves, and atmospheric dump valves can be misoperated; control modes can be improperly altered; loop balances can be upset; and many other anomalies can be caused or exacerbated by the ICS. Neither is this surprising, nor is this necessarily a cause for alarm. The ICS has features that are effective in mitigating the effects of some of its own failures and those of its auxiliaries. These include load, rate, and cross limits, which are useful but not infallible. We find no evidence that the ICS provides more frequent or more severe challenges to the PPS (plant protection system) than other control systems of similar scope, nor do these challenges exceed the PPS capability. The coordination of nuclear power generation with load requirements under system constraints of pressure, temperature, and the like is a complicated task. The development of a system such as the ICS required consideration of many problems too complex for an operator to handle during a minor (or major) plant disturbance. The response of the ICS is far better and more predictable than that of an operator, given the same information.

While we agree that the ICS should not be classed as a protective system, we believe that there should be more concern for avoiding, as well as detecting, degradation or failures within the system. Failures in control systems do affect safety through their impacts upon the rate of challenge of the protection system. The economic costs are obvious. Better control equals better safety, but the quantification of the gain is difficult.

Examination of the failure statistics in the B&W analysis (notably Table 5-8) reveals that only a small number of ICS malfunctions resulted in reactor trips (approximately 6 of 162). These data, supported by conversations with plant operators, demonstrate that the system is failure tolerant to a significant degree. This feature is also evidenced by noting the large number of postulated failures in the FMEA that could result in a reactor trip, compared with the experienced low trip rate in practice. The positive results of the FMEA and operating experience of the ICS show that the control system itself has a low failure rate and that it does not instigate a significant number of plant upsets. The analysis further shows that anticipated failures of and within the ICS are adequately mitigated by the PPS and that many potential failures would be mitigated by cross-checking features of the control system without challenging the PPS.
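The two statistical statements in this review, the 6-of-162 trip fraction above and the remark in Sect. 5.3 that the apparent 721/820 MTBF difference cannot be called statistically significant, are the kind of small-count claims that deserve an interval and a test rather than a ratio. The following Python script is an added example, not code from the B&W analysis or from ORNL. It computes an exact Clopper-Pearson interval on the trip fraction and an exact conditional test of whether two Poisson failure rates differ. The 6 and 162 are taken from the text; the failure counts and operating hours for the two equipment series are constructed, since the review reports none.

```python
"""Small-sample checks on ICS operating statistics.

Added example for this review; not code from the B&W analysis or ORNL.
The 6-of-162 malfunction-to-trip figure is quoted from the review text.
The 721- and 820-series failure counts and operating hours are
constructed (hypothetical) because the review does not report them.
"""
from math import comb


def binom_pmf(k, n, p):
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(binom_pmf(i, n, p) for i in range(k + 1))


def _bisect_decreasing(f, target):
    """Solve f(p) = target on [0, 1] for f decreasing in p."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if f(mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def clopper_pearson(k, n, conf=0.95):
    """Exact two-sided interval on a binomial proportion (no SciPy needed)."""
    a = (1 - conf) / 2
    # upper limit: P(X <= k | p) falls as p rises
    upper = 1.0 if k == n else _bisect_decreasing(lambda p: binom_cdf(k, n, p), a)
    # lower limit: P(X >= k | p) equals P(Y <= n-k | 1-p) with Y = n - X,
    # so solve for q = 1 - p with the same decreasing solver
    lower = 0.0 if k == 0 else 1.0 - _bisect_decreasing(lambda q: binom_cdf(n - k, n, q), a)
    return lower, upper


def rate_ratio_test(n1, t1, n2, t2):
    """Exact conditional test of equal Poisson failure rates.

    Given N = n1 + n2 failures in t1 + t2 hours, n1 ~ Binomial(N, t1/(t1+t2))
    under H0. Returns a two-sided p-value (doubled smaller tail, capped at 1).
    """
    total = n1 + n2
    p0 = t1 / (t1 + t2)
    upper_tail = 1.0 - binom_cdf(n1 - 1, total, p0) if n1 > 0 else 1.0
    lower_tail = binom_cdf(n1, total, p0)
    return min(1.0, 2.0 * min(upper_tail, lower_tail))


# From the review: approximately 6 of 162 ICS malfunctions produced a trip.
TRIPS, MALFUNCTIONS = 6, 162

# Constructed data (hypothetical): failures and cumulative operating hours.
SERIES_721 = {"failures": 12, "hours": 60_000}
SERIES_820 = {"failures": 2, "hours": 30_000}


def summarize():
    """Interval on the trip fraction and a test on the 721-vs-820 rates."""
    lo, hi = clopper_pearson(TRIPS, MALFUNCTIONS)
    mtbf_721 = SERIES_721["hours"] / SERIES_721["failures"]
    mtbf_820 = SERIES_820["hours"] / SERIES_820["failures"]
    p = rate_ratio_test(SERIES_721["failures"], SERIES_721["hours"],
                        SERIES_820["failures"], SERIES_820["hours"])
    return {
        "trip_fraction": TRIPS / MALFUNCTIONS,
        "trip_fraction_95ci": (lo, hi),
        "mtbf_721_h": mtbf_721,
        "mtbf_820_h": mtbf_820,
        "apparent_mtbf_ratio": mtbf_820 / mtbf_721,
        "rate_ratio_p_value": p,
        "significant_at_5pct": p < 0.05,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

With the constructed counts the 820 series shows a threefold MTBF advantage, yet the exact test returns a p-value near 0.21: a large apparent difference that two failures cannot distinguish from chance, which is the situation Sect. 5.3 describes. The 6-of-162 fraction, by contrast, carries a 95% interval of roughly 1.4% to 8%, so the conclusion that most malfunctions do not trip the plant is well supported even with these few trips.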

The manufacturer contends, and we agree, that (1) the system prevents or mitigates many more upsets than it creates, and (2) the system is generally superior to manual or fragmented control schemes. The performance deficiencies that have been suggested relate mostly to the ability or inability of the system to deal with major operational upsets, with maneuvering through different plant modes as from hot standby to low power, and with component problems such as valve leakage or pump response. Since these performance characteristics are not the subject of the B&W analysis, they are not emphasized in this review. Instead, in this review a broader scope of system performance was investigated, but to a limited extent. The following suggestions for further study are offered:

1. An analysis of overall plant stability, including the participation of the ICS in system oscillations and other specific ICS actions, such as control of feedwater after a turbine trip and other anticipated transients.

2. Development of an appropriate full-plant simulator to evaluate the interaction of the primary, secondary, and control systems.

This latter suggestion is a generic problem beyond the scope of the B&W analysis, implying a need for NRC sponsorship. The simulator would have to be an advancement over current tools, one that would combine all systems and still have an acceptable parameter and transient range. Analog systems alone are not likely to be adequate for the purpose. A hybrid system would be the most applicable computer system based on our current views of the operational upsets to be covered.


6.2 Failure Modes and Effects Analysis

Our evaluation of the FMEA as performed and reported in the B&W analysis suggests several concerns and recommendations for future investigation.

1. As discussed in Sect. 4 of this review, the functional block FMEA approach may have been selected as an economic expedient and may not have been the optimum technique for deriving the information desired. If further pursuit of the failure consequences of the ICS is desired, we recommend that a fault tree for loss of feedwater be developed, based on equipment diagrams rather than functional blocks. This would allow assessment of the significance of multiple failures and some verification of the adequacy of the use of functional block diagrams. We are satisfied that failures within the ICS itself do not constitute a significant threat to plant safety and that further analysis of this type may not be economically justifiable.


2. The FMEA would have been of greater significance if it had been expanded to include other systems with which the ICS interacts, such as the nonnuclear instrumentation (NNI) and its power and signal sources. In particular, the analysis should have considered midscale failures and off-normal initial conditions. It is not evident that redoing the analysis at this point to include this information would be worthwhile.

3. Power supply failures have caused and are continuing to cause significant plant upsets. They should be evaluated in detail, and specific recommendations for their upgrading should be reported.

4. The simulation tools used in these studies are deficient in their dynamic range and component details. Nonetheless, they served a useful purpose. It is our opinion that more detailed analyses would not provide significantly more enlightening information for purposes of the FMEA.

6.3 Comments on B&W Recommendations

6.3.1 ICS related

Our comments on the B&W recommendations are as follows:

1. NNI/ICS power supply reliability: We concur that this is an area needing attention, going somewhat beyond supply reliability per se. Although our review of this subject has not been comprehensive, problems of system arrangement and channeling and selection of input signals appear to need improvement. In at least two plants, a single power supply failure can result in a loss of virtually all signals to the ICS. Since power supply arrangements are specific for each plant, individual attention by plants is indicated.

2. Reliability of input signals from the NI/FSS system to the ICS, specifically the RC flow signal: The background for this recommendation was not described by B&W. We concur that this subject deserves attention for the same considerations as discussed in the preceding recommendation.

3. ICS/BOP system tuning, particularly feedwater condensate systems and the ICS controls: The concern behind this recommendation may be broader than tuning. We believe that the dynamic performance of these systems should be studied in relation to the entire plant response, including the effects of control limitations, such as valve and pump-speed responses, on plant stability. Since there is a tight coupling between the secondary system, which is controlled by the ICS, and the primary system, with its important considerations of pressure and pressurizer level, including the primary system within the ICS may be worthy of investigation as a potential control improvement.

6.3.2 Balance of plant

For the balance of the plant, B&W recommends the following:

1. Equip the turbine drive in the main feedwater pump with a minimum speed control to prevent a loss of main feedwater or a loss of indication of main feedwater.

2. Install means to prevent or mitigate the consequences of a stuck-open startup valve in the main feedwater line.

3. Install means to prevent or mitigate the consequences of a stuck-open valve in the turbine bypass line.

We concur with these recommendations.

APPENDIX A: QUESTIONS AND RESPONSES

After a preliminary review of the B&W analysis, we submitted several questions to B&W to obtain an expansion or clarification of information presented in their report or to obtain other information not contained in the report which may be germane to the review. B&W invited the reviewers, NRC staff members, and representatives of the Toledo Edison and Duke Power Companies to their facilities in Lynchburg, Virginia, to hear their responses to the questions. This meeting was October 23, 1979.

The questions and the reviewers' interpretation of the responses follow. The reviewers have added some additional interpretations and observations summarized from the group discussion.

Q1.* There may be a significant difference between failure modes or conditions with an FMEA that are based on functional block diagrams rather than on equipment block diagrams. Were the functional failure assumptions compared with actual equipment failure modes to assure that they are realistic and meaningful?

R. Functional block diagrams were used to reduce the scope of the effort and allow the analysis to be accomplished in the requested time frame. As stated in their report and in discussions, B&W believes that the functional approach is adequate and that very few observations would be in error as a result of this choice.

C. An example of a possible incorrect or incomplete conclusion arising from this approach is that failure considerations of the turbine bypass valve control do not include details of whether condenser cooling is available and whether the control will be transferred to the condenser dump or to the atmospheric dump. Also not considered is operator response or interference/interaction. This example was selected because the recommendations of the B&W analysis include additional analysis of bypass valve failure.

Q2. All assumptions of ICS signal input failure appear to be either high or low, with some attempt to identify a "worst case." Some of the operable plants under review potentially could experience midscale failures. There is some evidence that some midscale failures could be worse than high or low failures, as experienced by the plant selected as typical, Rancho Seco. Are there plans for including midscale failures in the analysis and how is the validity of the analysis compromised by not including midscale failures?

R. B&W considers (1) midscale and multiple-input signal failures to be either outside the boundaries of the ICS or outside the scope of the review as determined by B&W, and (2) the high or low signal assumptions to be the worst case for single failures.

*Q, question; R, response by B&W; and C, comment by ORNL reviewers.

C. We find no specific evidence to confirm this assumption. With regard to multiple-input signal failures, operating experience confirms that this is a highly credible event which can result from the single failure of a power supply in the NNI in the input signal selection circuitry. An example of such a failure is the Rancho Seco event of March 20, 1978. We believe that the B&W decision not to include consideration of failures beyond the actual ICS cabinet terminals is a serious shortcoming of the analysis, especially since considerable operating experience indicates that power supplies are not reliable. B&W recommends further analysis of the ICS and NNI power supplies based on this operating experience.

Q3. Virtually all of the events/failures considered in the analysis appear to be based on "normal" conditions, that is, when all plant equipment is functioning at nominal design points. Our limited information regarding the same operating experience suggests that many of the abnormal occurrences were the direct result of some plant equipment not functioning; for example, three primary pumps instead of four were running, one instead of two feedwater pumps was running, one or more hand/automatic stations was in manual, to name three instances. Since these seem to be the more significant initial conditions for unsatisfactory ICS performance, how is their omission justified? Were any of these "interesting" events analyzed but not reported?

R. B&W did not miss any significant transients or protective system challenges by not including off-normal initial conditions. No unreported analyses were performed from off-normal conditions.

C. Since B&W did not confirm this contention, we find it difficult to support. Our evaluation of plant events involving the ICS is that the majority of these events occurred from off-normal initial conditions and/or with some function(s) of the ICS in manual or tracking modes. This experience would tend to deny their assertion.

Q4. What process was used to determine the "effect on the NSS"? Neither the technique nor the justification is included in the analysis. What verification techniques were employed for the "effects" analysis?

R.

The effects were evaluated by knowledgeable people with plant experience.

Q5. The POWER TRAIN IV (PT-IV) code obviously has a limited ability to simulate the NSS and BOP responses. How significant is this limitation on the analysis? In particular:

(a) Describe the extent to which the simulation was used to predict results.

(b) Describe errors and uncertainties which might have resulted from the limited dynamic range and functional detail of the simulation.

(c) Describe to what extent the simulation results were verified with plant data.

(d) Describe the extent to which the simulation was valid or invalid for each of the individual plants and their differences, especially feedwater systems.

(e) Was the simulation capable of dealing with off-normal operation, such as three primary pumps or partial manual operation?

R.

PT-IV was used in about 75% of the cases to evaluate the effects on the NSS, along with supplemental "engineering judgment." This code has the following features: two steam generators modeled in continuous space and discrete time; steam lines; feedwater pumps; feedwater heaters; condenser; pressurizer; turbine dynamics; and valves. The primary system includes pump characteristics programmed from other codes as a table and appropriate transport lags (~10 s). The pressurizer modeling includes the effects of surge flows, spray flows, internal flows with condensation and flashing, heaters, and safety and power-operated relief valves. The ICS model uses a dedicated digital computer (EAI-640) and is a digital model of an analog system utilizing functional blocks. One feedwater valve model is used to represent all FW valves. The limiting ranges of PT-IV are reported to be: primary pressure of 1500-3000 psi, secondary pressure of 500-1500 psi, temperature (primary and secondary) of 400-700°F, and feedwater temperature of 350-700°F.

The hybrid model uses two EAI-680 analog computers and one CDC-1700 digital computer. Due to computer limitations, there is not much detail of the feedwater system. A more complete model (not PT-IV) would include pump drains, flash tank levels, and condensate pumps, as well as main feed pumps. The condensate pumps have suction pressure trips that sometimes actuate when the interceptor valves close. This is not modeled. Turbine trip is the transient used to check the code with plant data. The validity of the comparison is judgmental. The model is not valid at low powers.

C.

Within the limitations of the effects considered and the comparisons of the effects with plant data, we expect the results of PT-IV to be reasonably valid.

Q6. The ability of the ICS to respond properly to its design basis and other probable conditions is not addressed. That is, design problems associated with normal operation or maneuvering are not included, unless a failure is assumed. This may be outside the scope of the NRC request, but the interactions of the ICS feedwater systems observed in operating plants indicate that this may be a valid concern. Were the design problems and component limitations associated with expected normal operation analyzed and documented? Are these analyses available?

R.

B&W has no strong motivation to improve the performance of the ICS. Its utility customers have no significant unresolved complaints about the ICS.

C.

Subsequent discussions with three plant owners confirm this acceptance.

Q7. Is there any connection, physical or phenomenological, between reactor protection system (RPS) sensors and ICS inputs? Which common signals, if any, initiate trip, and what is the possibility that common-signal or signal-conditioning failures could initiate a plant transient through the ICS, requiring a response of the RPS to such signals?

R.

RPS signals are used by the ICS with suitable buffering. The redundancy provided in the RPS satisfies the requirements of IEEE-279.

Q8. FMEA categories for "causes," "detection," and "propagation potential" would yield helpful information. Has this type of information been generated and is it available?

R.

Identification of component causes is not considered necessary. Detection of component failures is not warranted, considering the low failure rate. The propagation potential for failures in analog systems is difficult to predict.

Q9. The impact of power supply failures appears to be inadequately addressed, especially considering that events of much more significance than those analyzed have occurred at operating plants. How is the omission of these considerations justified, and is a more comprehensive power supply failure analysis available?

R.

Power supply reliability is a problem for the customers to resolve. It is a recognized problem that must be resolved plant by plant. This is one of the principal recommendations of the report.

Q10. A significant number of trips appear to have occurred when portions of the system were in a manual mode of operation. What fraction of time is it estimated that control stations are in a manual mode, and what are the problems associated with this mode of operation of the ICS?

R.

No data are available for the manual operating mode. Manual modes are judged to be used most often for startup and testing. The ICS is not designed to deal with many abnormal situations (e.g., odd alignment of equipment).

Q11. How well does historical failure data on ICS 721 and 820 compare with predictions based on normal behavior? Is there evidence of accelerated failure?

R.

A higher "burn-in" failure rate was experienced, but it has leveled off. The long-term failure rate remains level. TMI-1 and Oconee 1, 2, and 3 are 721 models. All others are 820 models.

Q12. Multiple failures are not annunciated! Therefore, uncorrected failures may exist until other failures occur, resulting in effective multiple failures. It appears that multiple failure situations may have a significant probability of occurrence. How is the omission of multiple failure considerations justified in the analysis? Might fault tree analysis have been a better technique for addressing the concerns expressed and producing the results requested?

R.

The effort required to conduct a fault tree analysis is considered excessive. The FMEA report addresses failures considered to be "important."

C.

The limited scope of the FMEA casts some doubt on this position.

Q13. The analysis does not include information to substantiate the B&W recommendation that improvement is needed in power supplies, signal selection, and signal reliability. Please supply the analysis or the information which led to this recommendation. In particular, does B&W have specific recommendations to improve the failure tolerance of the ICS?

R.

No additional data are available.

Q14. Operating experience reports and oral information not included in the analysis suggest that the ICS and the FW system, including the OTSG, are sensitive to "tuning" and component problems, such as feedwater valve speed and leakage. Describe the extent to which these problems are significant, how they have led to misoperation and RPS challenges, and how they might be avoided. Are "tuning" problems inherent to this type of plant, or do they represent design deficiencies which can be corrected?

R.

The adequacy of tuning is based on customer acceptance. According to Licensee Event Report statistics, B&W plants have fewer total reactor trips and fewer feedwater trips than either of the other PWR types.

Q15. Many Licensee Event Reports, as well as this analysis, indicate that the operator is implicated in a large number of occurrences of poor ICS operation. Many of these events also involve slightly off-normal conditions such as nonstandard pump and valve alignment. Do these events represent design deficiency, operator training deficiency, or a combination of these? Does B&W have recommendations to correct these deficiencies and on what schedule can they be implemented?

R.

Most problems occur due to maintenance, testing, or equipment problems that require manual intervention. Also, the system is not designed for fully automatic startup.

APPENDIX B: TRANSMITTAL LETTERS

UNITED STATES NUCLEAR REGULATORY COMMISSION
Washington, D.C. 20555

August 22, 1979

MEMORANDUM FOR: DISTRIBUTION

FROM: R. A. Capra, B&W Project Manager, Project Management Group, Bulletins & Orders Task Force

SUBJECT: INTEGRATED CONTROL SYSTEM RELIABILITY ANALYSIS

1. As part of the long-term portion of the Commission Orders of May 1979, each of the B&W operating plants was directed to perform a failure modes and effects analysis of the integrated control system (ICS). B&W performed this analysis for each licensee.

2. B&W has completed the analysis and forwarded ten copies of their report, "Integrated Control System Reliability Analysis - BAW-1564 - August 1979," via a letter from J. H. Taylor (B&W) to D. F. Ross (NRC) dated August 17, 1979.

3. The organization who will perform the review of this document has not been determined yet; however, I am making distribution of the ten copies we have received as indicated below. I have requested that 50 additional copies be reproduced for further distribution.

R. A. Capra, B&W Project Manager
Project Management Group
Bulletins & Orders Task Force

Distribution:
Novak (1), Heltemes (1), Israel (1), Rosztoczy (1), Satterfield (1), Capra (1), Docket files (1), PDR (1), Reproduction (1)

Letter only: G. Mazetis, C. Nelsen, P. Matthews, R. Ingram, D. Thatcher, W. Gammill, F. Ashe, D. Eisenhut, P. Norian, S. Lewis, R. Reid, L. Brenner, G. Vissing, M. Mulkey, D. Garner, D. Davis, M. Fairtile

Babcock & Wilcox
Power Generation Group
Lynchburg, Va. 24505
Telephone: (804) 354-5111

August 17, 1979

Dr. D. F. Ross, Jr.
Deputy Director
Division of Project Management
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Subject: Integrated Control System Reliability Analysis

Gentlemen:

Transmitted herewith are ten copies of the Integrated Control System (ICS) Reliability Analysis, BAW-1564. B&W performed this analysis at the request of the NRC, based on concerns stemming from the TMI-2 incident. Although the ICS performed exactly as designed during the TMI-2 incident, it was brought under scrutiny since it was both the control system for Auxiliary Feedwater and one of the major differences between B&W and other PWR designs. This analysis supports B&W's previous position - the ICS is a reliable control system that promotes NSS availability by maintaining the plant on line during normal and upset conditions, providing runbacks, and minimizing reactor trips.

If you have any questions, please call (Ext. 2317).

Very truly yours,

James H. Taylor
Manager, Licensing

JHT/dsf
Encl.

cc: R. B. Borsum (B&W)
R. A. Capra (NRC)
B&W Owners Group Subcommittee (list attached)

The Babcock & Wilcox Company / Established 1867

Babcock & Wilcox
B&W Owners Group TMI-2 Subcommittee

FPC - Florida Power Corporation, P. O. Box 14042, St. Petersburg, FL 33733. Attn: E. C. Simpson (Bert)

CPC - Consumers Power Company, 1945 West Parnall Road, Jackson, MI 49203. Attn: T. J. Sullivan (Terry)

DPCO - Duke Power Company, P. O. Box 33189, Charlotte, NC 28242. Attn: D. C. Holt (Dave)

GPU - GPU Service Corporation, 260 Cherry Hill Road, Parsippany, NJ 07054. Attn: R. F. Wilson (Dick)

SMUD - Sacramento Municipal Utility District, 6201 S Street, Sacramento, CA 95813. Attn: S. Anderson (Stan)

AP&L - Arkansas Power & Light Company, P. O. Box 551, Little Rock, AR 72203. Attn: D. G. Mardis (Dave)

TECO - Toledo Edison Company, Edison Plaza, 300 Madison Avenue, Toledo, OH 43652. Attn: C. R. Domeck (Chuck)

MET ED - Metropolitan Edison Company, P. O. Box 542, Reading, PA 19603. Attn: J. F. Fritzen (Jeff)

Babcock & Wilcox
Power Generation Group
Lynchburg, Va. 24505
Telephone: (804) 354-5111

April 28, 1979

Mr. Harold R. Denton, Director
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
7920 Norfolk Avenue
Bethesda, Maryland 20555

Mr. Denton:

Subject: Integrated Control System

As committed by Babcock & Wilcox in J. H. MacMillan's letter to you on April 26, 1979, please find attached both the schedule and scope for a Reliability Analysis of the Integrated Control System and the schedule for developing an Auxiliary Feedwater Control System independent of the Integrated Control System.

It is our understanding that the commitment to complete these items is not a prerequisite to plant restart.

If you have any questions, please call me (Ext. 2817).

Very truly yours,

J. H. Taylor
Manager, Licensing

JHT/wl

cc: R. B. Borsum (B&W, Bethesda)

bcc: E. R. Kane, R. E. Ham, O. D. Fairbrother, T. E. Yascher, J. H. MacMillan

Scope and Schedule for a Reliability Analysis of the Integrated Control System (ICS)

Purpose:

To prepare an ICS Reliability Analysis including a Failure Modes and Effects Analysis (FMEA) as committed by Babcock & Wilcox. This analysis will identify sources of transients, if any, initiated by the ICS and develop recommended design improvements which may be necessary to reduce the frequency of those transients. This analysis will concentrate on ICS failure modes that could affect the feedwater system, emergency feedwater system, pressurizer level, and reactor coolant system pressure.

Scope:

(1) Two teams of engineers have been dispatched to the presently operating plants to collect data and determine the ICS's role in each transient, with particular emphasis on transients involving feedwater (FW), emergency feedwater (AFWC), pressurizer level, and reactor coolant system (RCS) pressure. Data will be returned to NPGD for input into the ICS reliability analysis. Data from other plants will also be obtained with the assistance of site personnel.

(2) A FMEA will be performed by NPGD to the ICS module level. The FMEA will include identification of failure modes for hardware external to the ICS. This will consist of input signals for temperature, pressure, RCS & FW flow, pump status, and power.

(3) After identification of possible failure modes, the effects of these failures on the plant will be determined by plant simulation. The emphasis will be on failures that affect or challenge the FW, AFWC, pressurizer level and pressure, PORVs, ESFAS, and safety valves.

(4) ICS failure modes which cause undesirable responses in the ICS will be listed.

(5) Performance of the ICS during normal plant transients will be considered in the ICS analysis.

(6) IEEE-352 will be used as a guide for FMEA format and content.

Schedule:

(1) On-site transient data collection: 4/26/79 through 5/9/79.

(2) Definition and boundary of system to be analyzed: 4/25/79 through 5/2/79.

(3) Identification of failure modes: 5/2/79 through 5/11/79.

(4) Simulate failure modes and determine plant effect: 5/2/79 through 5/25/79.

(5) Generation of FMEA tables: 5/9/79 through 6/1/79.

(6) Reliability report narrative: 5/2/79 through 6/11/79.

(7) Listing of potential hardware modifications: 5/16/79 through 6/20/79.

(8) Review and prepare letter report for submittal to NRC: 6/15/79 through 6/27/79.

Auxiliary Feedwater Control System

Description:

The Auxiliary Feedwater Control System (AFWCS) will be completely separated from the Integrated Control System (ICS). The general performance criteria for the AFWCS are:

(1) The AFWCS will control the auxiliary feedwater flow to deliver water to the steam generators with control features to minimize reactor coolant system fluctuations.

(2) The AFWCS will control auxiliary feedwater flow to the auxiliary feedwater nozzles of the steam generators to be able to achieve and maintain safe shutdown from the following plant configurations:

(a) loss of main feedwater

(b) loss of forced reactor coolant flow

(3) The AFWCS will include provisions for control of main steam pressure during operation in the plant configuration modes identified in (2) above.

Hardware criteria:

The hardware in the AFWCS will conform to the following general criteria:

(1) The AFWCS will be independent of the ICS.

(2) No single random failure in the AFWCS will prevent the system from controlling the auxiliary feedwater flow to both steam generators.

(3) Standard non-1E commercial nuclear equipment will be used.

(4) The AFWCS will have provisions for manual and automatic actuation.

Schedule:

(1) Complete design: 06/01/79

(2) Issue system description to NRC and Customers: 06/08/79

(3) Manufacture (based on Customer and NRC concurrence by 06/15/79): 08/10/79

(4) Minimum shipment and installation time is 30 days. Exact installation to be scheduled by mutual agreement.

APPENDIX C: UTILITY SUBMITTALS RELATING TO THE B&W RELIABILITY ANALYSIS

DUKE POWER COMPANY
Power Building
422 South Church Street, Charlotte, N. C. 28242

August 31, 1979

Mr. Harold R. Denton, Director
Office of Nuclear Reactor Regulation
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Attention: Mr. D. F. Ross, Jr., Director
Bulletins and Orders Task Force

Re: Oconee Nuclear Station
Docket Numbers 50-269, -270, -287

Dear Mr. Denton:

With regard to your letter dated August 21, 1979 concerning identification and resolution of long-term generic issues related to the Commission Orders of May 1979, the following information is provided:

1. Failure mode and effects analysis of the Integrated Control System.

The Integrated Control System Reliability Analysis, submitted by Babcock and Wilcox in a letter dated August 17, 1979 has been reviewed by Duke Power Company. This document is considered to be applicable to the system at Oconee Nuclear Station.

2. Continued operator training and drilling.

The response to this item will be submitted by September 21, 1979.

3. Upgrade of the anticipatory reactor trip to safety grade.

No additional information requested.

4. Auxiliary/emergency feedwater system reliability analyses.

Duke Power Company will participate in the auxiliary feedwater system reliability analyses program proposed by B&W in a letter dated August 16, 1979 from J. H. Taylor to D. F. Ross, NRC. A final report of the results of the analysis for Oconee will be provided by December 3, 1979.

ARKANSAS POWER & LIGHT COMPANY
Post Office Box 551, Little Rock, Arkansas 72203

August 31, 1979

1-039-19

Director of Nuclear Reactor Regulation
ATTN: Mr. R. W. Reid, Chief
Operating Reactor Branch #4
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Subject: Arkansas Nuclear One - Unit 1
Docket No. 50-313
License No. DPR-51
Long-Term Generic Issues Related to May 17, 1979 Order
(File: 1510)

Gentlemen:

In accordance with the request of Dr. D. F. Ross' letter of August 21, 1979, we have reviewed Enclosure 1 of that letter and provide the following responses to Items 1, 4, 5, 7 and 8.

Item 1

The failure modes and effects analysis of the Integrated Control System (ICS) was provided in a letter from James H. Taylor to Dr. D. F. Ross, Jr., dated August 17, 1979. The report, entitled "Integrated Control System Reliability Analysis", also includes a reliability assessment of the ICS plant operating experience. We have reviewed this report and basically endorse it as applicable to our system. Specific areas of difference are limited and will be addressed in our response to necessary system or procedure changes, if your review should come to that conclusion. Our operating experience has led us to believe the ICS is a reliable control system.

SACRAMENTO MUNICIPAL UTILITY DISTRICT
6201 S Street, Sacramento, California

August 31, 1979

Mr. D. F. Ross, Jr., Director
Bulletins and Orders Task Force
Office of Nuclear Reactor Regulation
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Docket No. 50-312
Rancho Seco Nuclear Generating Station, Unit No. 1

Dear Mr. Ross:

The Sacramento Municipal Utility District has reviewed your letter of August 21, 1979 requesting information on several items. The following provides that information which is due today and is listed by item number of enclosure 1 to your letter.

1. On August 17, 1979 Mr. James H. Taylor of B&W transmitted the Integrated Control System Reliability Analysis, BAW-1564, to you. We have reviewed this report and find it generally applicable to Rancho Seco Unit 1 and endorse the conclusions and recommendations of the report.

4. On August 16, 1979 Mr. J. H. Taylor of B&W provided you with a scope and schedule for the auxiliary feedwater system reliability analysis. Rancho Seco Unit 1 is the lead plant for this analysis which will be available by the dates provided in Mr. Taylor's letter.

5. In response to your concerns over the thermal-mechanical conditions in the reactor vessel during recovery from small breaks with extended loss of all feedwater, the District commits to have the Babcock and Wilcox Company perform an analysis on this subject. The results of this analysis should be available by December 21, 1979.

7. The District commits to provide the information listed in Attachment A to the enclosure to your letter by the following dates. These dates supersede our commitment to Harold Denton on July 25, 1979 to provide additional small break analysis information by September 15, 1979. The required analyses will be performed by the Babcock and Wilcox Company.

TOLEDO EDISON

Docket No. 50-346
License No. NPF-3
Serial No. 538

Lowell E. Roe

August 31, 1979

Director of Nuclear Reactor Regulation
Attention: Mr. Robert W. Reid, Chief
Operating Reactors Branch No. 4
Division of Operating Reactors
United States Nuclear Regulatory Commission
Washington, D.C. 20555

Dear Mr. Reid:

This letter is in response to Mr. D. F. Ross's letter of August 21, 1979 (Log No. 423) to all Babcock & Wilcox Operating Plants. Attachment A addresses items 1 and 4 relating to requirements of the Davis-Besse Nuclear Power Station, Unit 1 Order of May 16, 1979. Additionally, items 5, 7 and 8 of the subject letter are addressed.

Very truly yours,

LER/TJM

cc: R. A. Capra
Project Management Group
Bulletins and Orders Task Force
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

THE TOLEDO EDISON COMPANY, EDISON PLAZA, 300 MADISON AVENUE, TOLEDO, OHIO 43652

Docket No. 50-346
License No. NPF-3
Serial No. 538
August 31, 1979

Attachment A
(Items of NRC Letter of August 21, 1979, TECO Log No. 423)

The item numbers below are consistent with those of Enclosure 1 of the subject letter.

Item 1 - Failure Mode and Effects Analysis of the Integrated Control System (ICS)

The ICS Reliability Analysis (BAW-1564) was published August 17, 1979 [text illegible] with the following deviations:

1. Page 4-1, Section 4.1.1
Davis-Besse Unit 1 PORV setpoint is 2400 psig. RPS setpoints: 2300 psig/1985 psig.

2. Page 4-6, Section 4.2.3
Davis-Besse rate of change is limited to 3% per minute above 90% full power and below 20% full power.

3. Page 4-9, Section 4.2.3.5
During a reactor trip, the atmospheric vent valves modulate when the turbine header pressure exceeds its setpoint by 155 psi [text illegible] of condenser vacuum or loss of Circulating Water pumps.

4. Page 4-9, Section 4.2.3.6
The throttle pressure error signal is modified in the same manner as for the atmospheric vent valves but with a 50/125 psi bias versus the 75/155 psi bias.

5. Page 4-11, Section 4.2.3.10
Error must be greater than +0.95% or less than -0.95% for rod movement.

6. Page 4-11, Section 4.2.3.11
Feedwater demand is modified when the error on input is greater than +5% or less than -5%. This change was to reduce feedwater load rejection.

7. Page 4-47, Table 4-4, Item 5-22, Failure Mode - open
At Davis-Besse Unit 1, the feedwater valves are about 45 to 55% open, and a signal to open these valves would overcool the RCS and result in a low pressure trip.

The above deviations are noted, but are not significant enough to affect the results and conclusions of this report.

FLORIDA POWER CORPORATION

August 31, 1979
File: 3-0-3-a-3

Mr. D. F. Ross, Jr.
Director
Bulletins and Orders Task Force
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555

Subject: Crystal River Unit 3
Docket No. 50-302
Operating License No. DPR-72
Identification and Resolution of Long-Term Generic Issues Related to the Commission Orders of May 1979

Dear Mr. Ross:

On August 23, 1979, Florida Power Corporation received your letter of August 21, 1979, identifying eight long-term issues related to the Order which must be resolved for Crystal River Unit 3 and the other B&W Operating Plants. These eight (8) items were identified and briefly discussed in Enclosure 1 of your letter. In your discussion of Items 1, 4, 5, 7, and 8, you requested Florida Power Corporation to provide additional information and our schedule for resolution of these five (5) items by August 31, 1979.

In that regard, Florida Power Corporation hereby submits, as Attachment 1 to this letter, our response to your August 21, 1979 request for additional information.

If you require further discussion concerning our response, please contact us.

Very truly yours,

FLORIDA POWER CORPORATION

C. C. Moore
Assistant Vice President
Power Production

Attachment

P. O. Box 14042, St. Petersburg, Florida 33733, 813-866-5151
_ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ .. - ~ .- __

ATTACHMENT 1
Response to Ross Letter of August 21, 1979

Item 1 - Failure Mode and Effects Analysis of the Integrated Control System

On August 17, 1979, B&W submitted to you for your review copies of the report entitled "BAW-1564, Integrated Control System (ICS) Reliability Analysis". This letter is to advise you that this report is applicable to Crystal River Unit 3. Although this was a generic report developed by B&W, and there are differences in the secondary system designs at the various B&W plants, we feel that the conclusions reached in this report can be applied to Crystal River Unit 3.

Florida Power Corporation is presently reviewing the recommendations listed in Section 3 of this report to determine what possible changes are necessary at Crystal River Unit 3 to enhance reliability and safety.

Item 4 - Auxiliary/Emergency Feedwater System Reliability Upgrade

This letter is to inform you of Florida Power Corporation's commitment to the AFW/EFW System Reliability Study proposed by B&W and discussed with you and your staff on July 19, 1979, and August 9, 1979. The draft report for Crystal River Unit 3 will be submitted by October 22, 1979, and the first report will be submitted by December 3, 1979.

Item 5 - Detailed Analysis of the Thermal-Mechanical Conditions in the Reactor Vessel During Recovery from Small Breaks With Extended Loss of All Feedwater

The above analysis will be submitted by December 21, 1979.

Item 7 - Small Break LOCA Analysis

The following is our schedule of response to the six items contained in Attachment A of your letter:

1) A. Report will be submitted on December [illegible], 1979.
   B. Report will be submitted on September [illegible], 1979.

2) A. Report will be submitted on September [illegible], 1979.
   B. In response to this request, we are pursuing three (3) options, in order of preference:

   1) Provide a statement by September 7, 1979, that two small breaks with auxiliary feedwater will pressurize the system to the PORV setpoint.

   2) Provide by December 30, 1979, a qualitative assessment of the transient.

   3) Provide core analysis by February 1, 1980, using a 0.01 ft² break with no AFW available.

We are presently proceeding with option #1, unless otherwise notified by the NRC by September 7, 1979.


Table 4-5. (cont'd)

Failure Mode No. | Failure Mode | Effect | Reactor Trip | Remarks

Functional: 2 (ICS: 4-2-1) | Modified Turbine Header Pressure Error, high | The ICS pulser will send a continuous increase demand to the turbine EHC, causing a throttle pressure decrease. The large pressure error detector transfers the turbine EHC to manual after ~5 seconds; the ICS assumes the tracking mode and the feedwater and reactor increase to meet the 4% load increase. The erroneous modified throttle pressure error causes a mismatch between the NSSS steam production and the turbine operation. The pressure decrease is limited at ~100 psi by the turbine initial pressure regulator. Reactor trip on high RC pressure is possible. | High RC Pressure | No problem after reactor trip.

3* | Essentially the same response as Failure Mode [illegible], except pressure rises and is terminated by turbine by-pass valve action. | High RC Pressure, if power > [illegible]% | No problem after reactor trip.

Functional: 3 (ICS: 3-6-4) | Turbine Control | Failure is very similar to failure of Functional Mode 2, above. | |


B&W Docket Nos.: 50-269/270, 50-287/220, 50-213/346, 50-302/312

MEMORANDUM FOR: Robert W. Reid, Chief, Operating Reactors Branch #4, DOR
FROM: G. Zwetzig, Project Manager for [illegible], DOR
SUBJECT: MEETING WITH BABCOCK & WILCOX ON PROPOSED INTEGRATED REACTOR VESSEL SURVEILLANCE PROGRAM
TIME & DATE: 1 p.m., Wednesday, November 3, 1976
LOCATION: Room [illegible], Bethesda, MD
PURPOSE: 1. Discussion of technical bases in support of the proposed integrated surveillance program.
2. Discussion of problems associated with installation of surveillance specimen holder tubes in reactors that have operated.

PARTICIPANTS:
NRC: W. Hazelton, V. Noonan, G. Zwetzig, W. Converse, V. Rooney
B&W: [illegible], [illegible] Keyworth
UTILITY: Several utilities representatives expected.

G. Zwetzig, Project Manager
Operating Reactors Branch #4
Division of Operating Reactors


GZwetzig:rm  10/ /76


MEETING NOTICE DISTRIBUTION
ORB #4 Docket File
NRC PDR
L PDR
ORB #4 Rdg
NRR Rdg
BRusche
EGCase
VStello
DEisenhut
KRGoller
ASchwencer
DZiemann
GLear
RReid
TJCarter
LShao
RBaer
WButler
BGrimes
Project Manager
Attorney, OELD
OI&E (5)
OSD (3)
BFaulkenberry, I&E
RIngram
Receptionist, Bethesda
Principal Staff Participants (W. Hazelton, V. Noonan, W. Converse, V. Rooney)
RFraley, ACRS (16)
L. Engle, D. Neighbors, J. Stolz
DThompson, E/W 359