ML20136H095

Revised Davis-Besse Reactor Protection Sys Single Failure Analysis
Site: Davis Besse Cleveland Electric
Issue date: 11/15/1985
From: BABCOCK & WILCOX CO., TOLEDO EDISON CO.
To:
Shared Package: ML20136H086
References: 51-1159218-02, 51-1159218-2, NUDOCS 8601090245

BWNP 20440 3 (8/

Babcock & Wilcox

ENGINEERING INFORMATION RECORD

Safety Related:
Document identifier: 51-1159218-02
Revised by Toledo Edison December, 1985
Title: Davis Besse Reactor Protection System Single Failure Analysis
Prepared by: [illegible] Date: [illegible]
Reviewed by: [illegible] Date: [illegible]

Remarks:

The single failure analysis is contained in pages 2 through 26 of this Engineering Information Record.

8601090245 860103 PDR ADOCK 050 36 P

TABLE OF CONTENTS

SECTION DESCRIPTION
1.0 Purpose of Analysis
2.0 Scope of Analysis
3.0 Methodology
4.0 Guidelines for Analysis
5.0 Assumptions and Limitations
6.0 Classification of System Changes
7.0 Analysis of Internal Changes
8.0 Analysis of External Changes
8.1 ARTS
8.1.1 Analysis of the Flux Signal Interface
8.1.2 Analysis of the Trip Signal Interface
8.2 Flow Transmitter Replacement
9.0 Summary and Conclusions
10.0 Deleted

FIGURE TITLE
1 ARTS Flux Signal Interface
2 ARTS Trip Signal Interface
3 RPS Interface for Flow Transmitter Replacement

TABLE TITLE
1.1 ARTS Trip to RPS Failure Modes (ARTS and RPS Normal)
1.2 ARTS Trip to RPS Failure Modes (ARTS Tripped and RPS Normal)
1.3 ARTS Trip to RPS Failure Modes (ARTS and RPS Tripped)
1.4 ARTS Trip to RPS Failure Modes (ARTS Normal and RPS Tripped)
Notes for Tables 1.1 Through 1.4

APPENDIX DESCRIPTION
A Reference Documents
B Classification of Davis-Besse FCNs

Davis-Besse Single Failure Analysis 51-1159218-02 Page 2
Revised by Toledo Edison December, 1985

SINGLE FAILURE ANALYSIS FOR TOLEDO EDISON DAVIS-BESSE UNIT 1 REACTOR PROTECTION SYSTEM FIELD CHANGES

1.0 Purpose of Analysis

The purpose of this analysis is to demonstrate that no single failure of equipment added as part of the Anticipatory Reactor Trip System (ARTS), the changeover to Rosemount RC Flow transmitters or any other changes or additions to Reactor Trip System equipment directly interfacing with the NI/RPS can prevent the Reactor Protection System (RPS) from performing its safety function.

2.0 Scope of Analysis

This Single Failure Analysis (SFA) addresses only those changes to the Reactor Trip System interfacing directly with the RPS and which are already implemented and described in the July 1985 revision to the Davis-Besse Updated Safety Analysis Report (USAR).

3.0 Methodology

This analysis uses to the extent possible the scope and format of BAW 10003 "Qualification Testing of Protection System Instrumentation". Generally, the same types of failures are analyzed. Where a change involves a significant deviation from the way the base-scope RPS was configured and interfaced with the Reactor Trip System (i.e., there is no analogous function, configuration or interface in the base-scope system) this analysis departs from the scope and format of BAW 10003 as necessary to account for the change to the system.

This Analysis follows the methodology of B&W Topical Report BAW 10003, that is, to show that the changes analyzed are effectively channelized and that no single failure will impair the performance of any RPS channel other than that channel in its own vital power division.

4.0 Guidelines for the Analysis

The following guidelines were established for the performance of this analysis:

1) Related changes will be grouped so that common analysis of several changes may be used.
2) Related information (e.g. the Davis-Besse USAR) and results of existing analyses (e.g. BAW 10003) are to be used wherever possible.
3) If meeting the Single Failure Criteria of IEEE-279 is conditional upon factors beyond the scope of this analysis, those factors will be identified. For example if meeting the criteria depends upon cables being run in certain cable trays, that fact will be noted.

5.0 Assumptions and Limitations

1) Technical data for the analysis has been obtained from the Davis-Besse USAR (through the July 1985 revision), from TED FCRs, from the drawings (supplied by TED) listed in Appendix A and from miscellaneous information provided by TED.
2) Any non-conformance to the Single Failure Criteria discovered as a result of the SFA, are identified in this report. This report does not attempt to specify or recommend corrective action.
3) Changes not yet implemented and described in the July 1985 revision to the USAR are not included in this analysis.
4) This analysis takes credit for isolation devices and capabilities as described by TED in the USAR. Verification or justification of the information in the USAR is beyond the scope of this analysis.

6.0 Classification of System Changes

For purposes of this Single Failure Analysis changes to the Reactor Trip System which interface directly with the Reactor Protection System (RPS) have been divided into two groups. The first group, "Internal Changes", comprises all changes which meet the following criteria:

1) The change affects all four RPS subsystems identically.
2) The change is wholly contained within the bounds of RPS subsystem cabinets.
3) The change does not affect the reactor trip module or inter-subsystem interfaces.

The second group, "External Changes", comprises all changes which meet the following criteria:

1) The change affects all four RPS subsystems identically.
2) The change affects, includes or interfaces with hardware external to the RPS subsystem cabinets.
3) External hardware is channelized so each RPS subsystem interfaces only with class-1E hardware within its own power division.

7.0 Analysis of Internal Changes

Those changes categorized as Internal changes are identified in Appendix B.

B&W Topical Report BAW 10003 analyzes the base-scope RPS for single failures within the Reactor Trip Module and in the inter-subsystem interface. Single failures within subsystems are shown to be confined to the affected subsystems if suitable isolation and redundancy are provided between subsystems.

Those changes which meet the criteria of Internal Changes transcend neither subsystem physical nor electrical boundaries (by definition). Although those changes are not covered explicitly by the Single Failure Analysis of BAW 10003, they do fall within the limits of that analysis because of their confinement within single channel boundaries.

Based on the above, it is concluded that no single failure of hardware associated with the Internal changes can prevent the RPS from performing its protective function. Also, no single failure of hardware associated with these Internal Changes can cause a spurious subsystem trip.

Therefore those changes categorized as internal changes do not prevent the RPS from meeting the single failure criteria.

8.0 Analysis of External Changes

8.1 ARTS

The ARTS is a four channel anticipatory reactor trip system which performs a reactor trip on loss of both main feedwater pumps or on a turbine trip above a predetermined power level. The anticipatory trip on a turbine trip is inhibited when reactor power, as determined from RPS flux signals is below a specified level. Each RPS subsystem sends a flux signal to the ARTS subsystem in its own vital power division. Each ARTS subsystem sends subsystem trip signals to, and receives trip signals from each other ARTS subsystem. Each ARTS subsystem contains a trip combination logic which sends a trip command to the RPS subsystem in its own vital power division. The ARTS trip command (open contacts to trip) is connected in series with, and downstream of, the Reactor Trip Module at the RPS cabinets.

The analysis of the interface between the ARTS and the RPS is broken down into separate analyses of the flux signal interface and the trip command interface.

8.1.1 Analysis of the Flux Signal Interface

The RPS Flux signal interface with ARTS is accomplished, at the RPS end, by wiring out an analog flux signal from a previously unused isolation/buffer amplifier within the flux summing amplifier module. The signal is terminated at terminal boards within the RPS subsystem cabinet. An interconnecting cable carries the signal to the associated ARTS subsystem cabinet.

Figure 1 is a simplified schematic of the interface (typical for all four vital power divisions) and identifies the points at which faults are postulated.

The flux signal interface between ARTS and the RPS is analyzed by considering the fault conditions that can be presented to the RPS by the ARTS (shorts, grounds and opens per BAW 10003) and analyzing their effects on the ability of the RPS to perform its safety function.

Section 7.2.2.1 (4.7) of the Davis-Besse USAR states the isolation capabilities of a buffer/isolation amplifier identical to the one used to isolate the flux signal sent to the ARTS.

Misperformance of the RPS subsystem is precluded if the connection between the RPS and ARTS subsystems is accomplished in a way that eliminates the possibility of fault voltages greater than those stated in the USAR appearing at the RPS flux output terminals.

Even in the event of a misperformance of a single RPS subsystem, redundancy will allow the RPS to perform its safety function.

It is concluded, therefore, that no single failure of the flux signal interface can prevent the RPS from performing its safety function. Also, no single failure of the flux signal interface within the isolation capability of the RPS buffer/isolation amplifier (as given in the USAR) can cause a spurious subsystem trip.

8.1.2 Analysis of the Trip Signal Interface

The RPS Trip signal interface with ARTS consists entirely of the use of RPS terminal points to connect the ARTS trip command (open relay contacts) in series with the RPS trip relay output contacts. No changes have been made to the RPS circuitry as a result of this change.

The trip signal interface between ARTS and the RPS is analyzed by considering the fault conditions that can be presented to the RPS by the ARTS (shorts, grounds and opens per BAW 10003) and analyzing their effects on the ability of the RPS to perform its safety function.

The analysis examines the postulated faults in the trip signal interface for all four possible combinations of RPS and ARTS subsystem trip states within the same vital power division (i.e., RPS and ARTS untripped, RPS and ARTS tripped; RPS tripped and ARTS untripped, RPS untripped and ARTS tripped).

Figure 2 is a simplified schematic of the interface (typical for all four vital power divisions) and identifies the points at which faults are postulated.

Tables 1.1 through 1.4 are the tabulated results of the analysis for each fault for each combination of RPS and ARTS trip state.

The tables are modeled after table 7.2 in BAW 10003 but contain an additional column for defining the ARTS trip state. The descriptions of column contents in BAW 10003 apply to similarly titled columns in Tables 1.1 through 1.4.

The tabulated results of the analysis show that no single failure within the ARTS to RPS trip signal interface can prevent the RPS from performing its safety function.

Single failures within the trip signal interface can cause trip commands to be sent to the undervoltage coil of a single trip breaker but will not cause a reactor trip.

8.2 Flow Transmitter Replacement

This change replaced Bailey type BY dP transmitters (used to measure RC Flow dP) with Rosemount type 1153 dP transmitters. As with the ARTS trip signal interface, only the terminal wiring at the RPS has been changed. No other hardware or wiring modification to the RPS cabinets is involved.

Figure 3 is a simplified schematic of the interface (typical for all four vital power divisions).

The Bailey transmitters provided a 0 to 10 volt dc signal proportional to dP to the RPS. The Rosemount dP transmitters provide a 4 to 20 milliamp output signal proportional to dP. The current signal is converted to a voltage signal using a Foxboro I/E converter. The converters, one for each flow dP signal, are located in TED's Post Accident Monitoring Equipment Racks. Each of these racks is associated with a separate vital power division and is physically and electrically separated from the Post Accident Monitoring Equipment Racks associated with the other three vital power divisions.

The Rosemount Transmitters are powered from four independent vital power sources: Essential power busses Y1A, Y2A, Y3 and Y4.

The physical and electrical separation of the flow dP signals associated with each RPS subsystem is equal to the separation which existed prior to the change in transmitters.

Because of this maintained separation, any single failure is confined within the bounds of the power division in which it occurs. Therefore, no single failure within the reactor coolant flow dP strings in the RPS can prevent the RPS from performing its safety function.

9.0 Summary and Conclusions

The preceding analysis has addressed the significant changes affecting the Reactor Protection System for Davis-Besse. The changes addressed (listed in Appendix B) have been divided into "Internal" and "External" changes. The analysis has shown that single failures of equipment involved in "Internal" changes are implicitly covered by the original analysis in Topical Report BAW 10003.

The analysis has shown that single failures of equipment involved in "External" changes cannot prevent the RPS from performing its safety function.

Also, single failures of equipment involved in the Flow Transmitter Replacement may cause a spurious trip signal to be sent to Reactor Trip Module in the affected channel providing one input to the 2/4 logics in each RPS Subsystem. This is consistent with a similar failure analyzed in BAW 10003. The RPS system trip logic becomes effectively 1/3.

Single failures of equipment involved in the ARTS Trip Signal Interface can result in a spurious trip command being sent to one (of four) trip breakers, but because the interface is downstream of the reactor trip module, only one subsystem is involved and the RPS system trip logic remains 2/4.

We conclude from the preceding analysis that the Davis-Besse Reactor Protection System, including modifications indicated by the documents identified in Appendix A, meets the single failure criteria of IEEE-279.
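The 2/4, 1/3 and 2/3 figures quoted in this summary and in the notes to Tables 1.1 through 1.4 can be checked by enumeration. The Python model below is an added example, not part of the B&W / Toledo Edison record; it assumes identical 2/4 logic in every Reactor Trip Module, one ARTS contact in series per breaker string, and (hypothetically) that a reactor trip needs at least two open trip breakers, since the record states only that one open breaker is not enough.

```python
from itertools import combinations

CHANNELS = (1, 2, 3, 4)   # four RPS subsystems, one per vital power division

# Conditions taken from the record: a channel input failed to the tripped state
# (flow dP string failure), a bypassed subsystem (Notes 1 and 2), and an ARTS
# contact stuck open in one division (spurious trip command to one breaker).
CONDITIONS = ("input_stuck_tripped", "channel_bypassed", "arts_contact_stuck_open")

# ASSUMPTION (not stated in the record): number of open trip breakers needed
# for a reactor trip. The record only says a single open breaker does not trip.
BREAKERS_NEEDED = 2


def reactor_trips(demand, fault=None):
    """True if the modelled system trips the reactor.

    demand -- set of channels whose own measurement calls for a trip
    fault  -- None or (condition, channel)
    """
    kind, where = fault if fault else (None, None)

    # Trip signals presented to the 2/4 logic of every Reactor Trip Module (RTM).
    signals = set(demand)
    if kind == "input_stuck_tripped":
        signals.add(where)
    if kind == "channel_bypassed":
        signals.discard(where)
    rtm_tripped = len(signals) >= 2   # same inputs, same 2/4 result in each RTM

    open_breakers = 0
    for ch in CHANNELS:
        rtm_contact_closed = not rtm_tripped
        # ARTS contact sits in series with, and downstream of, the RTM contact.
        arts_contact_closed = not (kind == "arts_contact_stuck_open" and ch == where)
        if not (rtm_contact_closed and arts_contact_closed):
            open_breakers += 1        # undervoltage coil de-energized
    return open_breakers >= BREAKERS_NEEDED


def effective_logic(fault=None):
    """Return (m, n): the reactor trips on any m of the n channels whose inputs
    still follow the plant. None means the safety function is lost."""
    kind, where = fault if fault else (None, None)
    free = [ch for ch in CHANNELS
            if not (kind in ("input_stuck_tripped", "channel_bypassed") and ch == where)]
    for m in range(len(free) + 1):
        if all(reactor_trips(set(c), fault) for c in combinations(free, m)):
            return m, len(free)
    return None


def single_failure_sweep():
    """Apply every condition in every division and record the outcome."""
    results = {}
    for kind in CONDITIONS:
        for ch in CHANNELS:
            fault = (kind, ch)
            results[fault] = {
                "logic": effective_logic(fault),
                "spurious_reactor_trip": reactor_trips(set(), fault),
            }
    return results


if __name__ == "__main__":
    print("no fault:", effective_logic())
    for fault, outcome in single_failure_sweep().items():
        print(fault, outcome)
```
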

This page intentionally left blank as a result of 10.0 being deleted.

FIGURE 1 ARTS FLUX SIGNAL INTERFACE
[Schematic not reproduced. Legible labels: Summing Amplifier, Isolation, RPS Subsystem Cabinet, ARTS Subsystem Cabinet.]

FIGURE 2 ARTS TRIP SIGNAL INTERFACE
[Schematic not reproduced. Legible labels: Vital AC (N), (H); Relay Energizing Voltage; AC Distribution; Trip Logic; contacts KG, KF, KH, KJ; Y, Z; M, N, K, L; ARTS Subsystem Cabinet; RPS Subsystem Cabinet; Manual Trip Switches; Trip Breaker Undervoltage Coil.]

FIGURE 3 RPS INTERFACE FOR FLOW TRANSMITTER REPLACEMENT
[Schematic not reproduced. Legible labels: Flow dP Transmitter, Foxboro I/E Converter, 4-20 ma, 0-10 volts, Amplifier, Post Accident Monitoring Equipment Cabinet, RPS Subsystem Cabinet.]

TABLE 1.1 ARTS TRIP TO RPS FAILURE MODE (ARTS AND RPS NORMAL)

ARTS Subsystem State | RPS Subsystem State | Item | Failure Mode | Detrimental Effect on System | Testable; 2/4 Trip; Remarks
Normal | Normal | Ky or Kz Coil | Fails Energized | None | Yes; Yes (Note 1); Does not impair RPS Trip Function
Normal | Normal | Ky or Kz Coil | Shorted | Spurious Breaker Trip Occurs | Yes; Yes (Note 2)
Normal | Normal | Ky or Kz Coil | Open | Spurious Breaker Trip Occurs | Yes; Yes (Note 2)
Normal | Normal | Ky or Kz Contacts | Stuck Open | Spurious Breaker Trip Occurs | Yes; Yes (Note 2)
Normal | Normal | Ky or Kz Contacts | Stuck Closed | None | Yes; Yes (Note 1); Does not impair RPS Trip Function
Normal | Normal | Ky Contact M or N | Short to Kz Contact K or L | Spurious Breaker Trip Occurs | Yes (Note 2, 4); (Note 4)
Normal | Normal | Ky Contact M or N | Short to V | Vital AC Shorted to ARTS Power Supply | (Note 5); (Note 5)
Normal | Normal | Ky Contact M or N | Short to Ground | Spurious Breaker Trip Occurs | (Note 4); (Note 4)
Normal | Normal | Kz Contact K or L | Short to V | ARTS Power Supply Shorted to Vital AC (Sta. Gnd) | (Note 6); (Note 6)
Normal | Normal | Kz Contact K or L | Short to Ground | None | Yes; Station Ground Short to Instrument Ground

TABLE 1.2 ARTS TRIP TO RPS FAILURE MODES (ARTS TRIPPED AND RPS NORMAL)

ARTS Subsystem State | RPS Subsystem State | Item | Failure Mode | Detrimental Effect on System | Testable; 2/4 Trip; Remarks
Tripped | Normal | Ky or Kz Coil | Fails Energized | None | Yes; Yes (Note 1); Redundant Relay De-Energized
Tripped | Normal | Ky or Kz Coil | Shorted | None | Yes; Yes (Note 2); ARTS Trip Cannot Be Reset When Trip Condition Clears
Tripped | Normal | Ky or Kz Coil | Open | None | Yes; Yes (Note 2); ARTS Trip Cannot Be Reset When Trip Condition Clears
Tripped | Normal | Ky or Kz Contacts | Stuck Open | None | Yes; Yes (Note 2); ARTS Trip Cannot Be Reset When Trip Condition Clears
Tripped | Normal | Ky or Kz Contacts | Stuck Closed | None | Yes; Yes (Note 1); Contacts On Redundant Relay Open
Tripped | Normal | Ky Contact M | Short to Kz Contact K | None | Yes (Notes 2, 4); (Note 4)
Tripped | Normal | Ky Contact M | Short to Kz Contact L | None | Yes; Yes (Note 7)
Tripped | Normal | Ky Contact N | Short to Kz Contact K | None | Yes; Yes (Note 7)
Tripped | Normal | Ky Contact N | Short to Kz Contact L | None | Yes; Yes (Note 7)
Tripped | Normal | Ky Contact M | Short to V | Short ARTS DC Power To Vital AC | (Note 5); (Note 5)
Tripped | Normal | Ky Contact M | Short to Ground | Short Vital AC To Ground | (Note 4); (Note 4)
Tripped | Normal | Ky Contact N | Short to V | None | Yes (Note 7)
Tripped | Normal | Ky Contact N | Short to Ground | None | Yes (Note 7)
Tripped | Normal | Kz Contact K | Short to V | Short ARTS DC Supply to AC (Station) Ground | Yes (Note 6)
Tripped | Normal | Kz Contact K | Short to Ground | None | Yes; Shorts Station Ground to ARTS P.S. Ground
Tripped | Normal | Kz Contact L | Short to V | None | Yes (Note [illegible])
Tripped | Normal | Kz Contact | Short to Ground | None | Yes (Note 7)

TABLE 1.3 ARTS TRIP TO RPS FAILURE MODES (RPS TRIPPED AND ARTS TRIPPED)

ARTS Subsystem State | RPS Subsystem State | Item | Failure Mode | Detrimental Effect on System | Testable; 2/4 Trip; Remarks
Tripped | Tripped | Ky or Kz Coil | Fails Energized | None | Yes; Yes (Note 1)
Tripped | Tripped | Ky or Kz Coil | Shorted | None | Yes; Yes (Note 2); ARTS Will Not Reset When Trip Condition Clears
Tripped | Tripped | Ky or Kz Coil | Open | None | Yes; Yes (Note 2); ARTS Will Not Reset When Trip Condition Clears
Tripped | Tripped | Ky or Kz Contacts | Stuck Open | None | Yes; Yes (Note 2); ARTS Will Not Reset When Trip Condition Clears
Tripped | Tripped | Ky or Kz Contacts | Stuck Closed | None | Yes; Yes (Note 1)
Tripped | Tripped | Ky Contact M | Short to Kz Contact K | None | Yes; Yes (Note 7)
Tripped | Tripped | Ky Contact M | Short to Kz Contact L | None | Yes; Yes (Note 7)
Tripped | Tripped | Ky Contact N | Short to Kz Contact K | None | Yes; Yes (Note 7)
Tripped | Tripped | Ky Contact N | Short to Kz Contact L | None | Yes; Yes (Note 7)
Tripped | Tripped | Ky Contact M | Short to V | None | Yes (Note 7)
Tripped | Tripped | Ky Contact M | Short to Ground | None | Yes (Note 7)
Tripped | Tripped | Ky Contact N | Short to V | None | Yes (Note 7)
Tripped | Tripped | Ky Contact N | Short to Ground | None | Yes (Note 7)
Tripped | Tripped | Kz Contact K | Short to V | None | Yes (Note 7)
Tripped | Tripped | Kz Contact K | Short to Ground | None | Yes (Note 7)
Tripped | Tripped | Kz Contact L | Short to V | None | Yes (Note 7)

TABLE 1.4 ARTS TRIP TO RPS FAILURE MODE (ARTS NORMAL AND RPS TRIPPED)

ARTS Subsystem State | RPS Subsystem State | Item | Failure Mode | Detrimental Effect on System | Testable; 2/4 Trip; Remarks
Normal | Tripped | Ky or Kz Coil | Fails Energized | None | Yes; Yes (Note 1); Does Not Block RPS Subsystem Trip
Normal | Tripped | Ky or Kz Coil | Shorted | None | Yes; Yes (Note 2)
Normal | Tripped | Ky or Kz Coil | Open | None | Yes; Yes (Note 2)
Normal | Tripped | Ky or Kz Contacts | Stuck Open | None | Yes; Yes (Note 2)
Normal | Tripped | Ky or Kz Contacts | Stuck Closed | None | Yes; Yes (Note 1); Does Not Block RPS Subsystem Trip
Normal | Tripped | Ky Contact M | Short to Kz Contact K | None | Yes; Yes (Note 7)
Normal | Tripped | Ky Contact M | Short to Kz Contact L | None | Yes; Yes (Note 7)
Normal | Tripped | Ky Contact N | Short to Kz Contact K | None | Yes; Yes (Note 7)
Normal | Tripped | Ky Contact N | Short to Kz Contact L | None | Yes; Yes (Note 7)
Normal | Tripped | Ky Contact M | Short to V | None | Yes (Note 7)
Normal | Tripped | Ky Contact M | Short to Ground | None | Yes (Note 7)
Normal | Tripped | Ky Contact N | Short to V | None | Yes (Note 7)
Normal | Tripped | Ky Contact N | Short to Ground | None | Yes (Note 7)
Normal | Tripped | Kz Contact K | Short to V | None | Yes (Note 3)
Normal | Tripped | Kz Contact K | Short to Ground | None | Yes (Note 7)
Normal | Tripped | Kz Contact L | Short to V | None | Yes (Note 7)
Normal | Tripped | Kz Contact L | Short to Ground | None | Yes (Note 7)

NOTES FOR TABLES 1.1 THROUGH 1.4

1. Because this failure is downstream of the RPS subsystem 2/4 logic, trips in any two RPS subsystems will result in a reactor trip. Therefore, the RPS system logic remains 2/4. RPS system logic reverts to 2/3 if any RPS subsystem is bypassed.

2. Although this failure has the same effect as an RPS subsystem trip, two RPS subsystems must generate actual subsystem trips for a reactor trip to occur. Therefore, the RPS system logic remains 2/4. RPS system logic reverts to 2/3 if any RPS subsystem is bypassed.

3. Deleted

4. This failure results in a short circuit of vital AC power causing loss of voltage to the Relay Undervoltage (UV) Coil. The short circuit will either open the fuse in the RPS trip circuit or cause the AC breaker in the RPS subsystem to trip. If the fuse opens, then power to the trip breaker UV coil will be interrupted and the breaker will trip (if it has not already tripped because of the short circuit across it), leaving the RPS still in a 2/4 configuration. If the RPS subsystem AC breaker opens, then a true RPS subsystem trip will occur, leaving the RPS in a 1/3 configuration.

5. Effects of this fault in the ARTS will be contained within one power division precluding failure of a second RPS or ARTS subsystem due to the original failure. (Note 4 may also apply if failure results in grounding of vital power.)

6. ARTS power supply is shorted to ground deenergizing the output relays. Voltage to the trip breaker UV coil is interrupted. Because the failure is downstream of the ARTS 2/4 logic, the ARTS system logic remains 2/4.

7. No detrimental effects occur because RPS or ARTS subsystem has already tripped. This fault may have a detrimental effect when a tripped subsystem is reset. Refer to the appropriate table to determine if a potential detrimental effect exists.

APPENDIX A
REFERENCE DOCUMENTS

RPS SUBSYSTEM DRAWINGS: Dwgs. No. 7749-M-536-...

Description | Dwg. No. Suffix for Subsystem A | B | C | D
RB Pressure String | 71-5 | 72-3 | 73-5 | 74-4
Bus-Bar Wiring | 38-8 | 48-8 | 58-8 | 67-7
Subsystem Cabinet #1 Layout | 19-7 | 21-7 | 23-6 | 25-6
Subsystem Cabinet #2 Layout | 20-6 | 22-6 | 24-6 | 26-6
Power Range String (Sh. 1 of 2) | 29-10 | 39-11 | 49-10 | 59-10
Power Range String (Sh. 2 of 2) | 30-6 | 40-4 | 50-6 | 60-6
RC Pressure String | 34-8 | 44-9 | 54-9 | 64-9
RC Temperature String | 35-6 | ---- | 55-7 | 75-7
Trip Module / Test Trip / Intlk. | 36-4 | 46-5 | 56-4 | 65-3
RC Pump Monitors | 32-7 | 42-4 | 52-6 | 62-6
RC Flow String | 33-4 | 43-4 | 53-4 | 63-4
Power Distribution | 37-4 | 47-5 | 57-4 | 66-3
Subsystem Cabinet #1 Externals | 12-11 | 14-10 | 15-8 | 17-9
Subsystem Cabinet #2 Externals | 13-8 | 27-7 | 16-10 | 18-9
Source/Intermediate Range Strings | 31-7 | 41-6 | 51-6 | 61-6

RPS SYSTEM LOGICS

Digital Logic -- Sheet 1 of 3 | 7749-M-536-8-3
Digital Logic -- Sheet 2 of 3 | 3
Digital Logic -- Sheet 3 of 3 | 3
Analog Logic | 5
Rod Hold & High Voltage Cutoff | 4
Intersubsystem Externals | 6

Davis-Besse Documents

Channel 1 Drawings

Post Accident / Radiation Monitoring Equipment Rack C5763B (Dwg. E-1013 Sh 1 Rev. 3)
Post Accident / Radiation Monitoring Equipment Rack C5763B (Dwg. E-1013 Sh 2 Rev. 2)
Post Accident / Radiation Monitoring Equipment Rack C5763B (Dwg. E-1013 Sh 3 Rev. 2)
Class 1E 24 Volt Power Distribution (Channel 1) (Dwg. J-114 Sh 1A Rev. 0A)
Class 1E 24 Volt Power Distribution (Channel 1) (Dwg. J-114 Sh 1B Rev. 0A)
RC Loop 2 HLG. Flow RPS Ch. 1 (FT-RC01A1) (Dwg. J-111 Sh 1 Rev. 0E)
RC Loop 1 HLG. Flow RPS Ch. 1 (FT-RC01B1) (Dwg. J-111 Sh 2 Rev. 0E)
Pen Term Box Ch 1 Out CV (Dwg. E-529)
DCN E-611A-10, DCN E-611A-11, DCN E-732A-3, DCN J-111-1, DCN J-111-2, DCN J-114-1

Channel 2 Drawings

Post Accident / Radiation Monitoring Equipment Rack C5755A (Dwg. E-1014 Sh 1 Rev. 3)
Post Accident / Radiation Monitoring Equipment Rack C5755A (Dwg. E-1014 Sh 2 Rev. 2)
Post Accident / Radiation Monitoring Equipment Rack C5755A (Dwg. E-1014 Sh 3 Rev. 2)
Class 1E 24 Volt Power Distribution (Channel 2) (Dwg. J-114 Sh 2A Rev. 0A)
Class 1E 24 Volt Power Distribution (Channel 2) (Dwg. J-114 Sh 2B Rev. 0A)
RC Loop 2 HLG. Flow RPS Ch. 2 (FT-RC01A2) (Dwg J-111 Sh 3 Rev 0E)
RC Loop 1 HLG. Flow RPS Ch. 2 (FT-RC01B2) (Dwg J-111 Sh 4 Rev 0E)
DCN E-612A-9, DCN E-612A-10, DCN E-731A-4, DCN J-114, DCN J-111-3, DCN J-111-4

Channel 3 Drawings

Post Accident Monitoring Equipment Rack C5760A (Dwg E-1015 Sh 1 Rev 0)
Post Accident Monitoring Equipment Rack C5760A (Dwg E-1015 Sh 2 Rev 0)
Class 1E 24 Volt Power Distribution (Channel 3) (Dwg J-114 Sh 3A Rev 0A)
RC Loop 2 HLG. Flow RPS Ch. 3 (FT-RC01A3) (Dwg J-111 Sh 5 Rev 0E)
RC Loop 1 HLG. Flow RPS Ch. 3 (FT-RC01B3) (Dwg J-111 Sh 6 Rev 0E)
Pen Term Box Ch 3/4 Out CV (Dwg. E-533)
DCN E-613A-10, DCN E-613A-11, DCN J-111-5, DCN J-111-6, DCN J-114-3, DCN E-1015-2, DCN E-1015-3

Channel 4 Drawings

Post Accident Monitoring Equipment Rack C5756G (Dwg E-1016 Sh 1 Rev 0)
Post Accident Monitoring Equipment Rack C5756G (Dwg E-1016 Sh 2 Rev 0)
Class 1E 24 Volt Power Distribution (Channel 4) (Dwg J-114 Sh 4A Rev 0A)
RC Loop 2 HLG. Flow RPS Ch. 4 (FT-RC01A4) (Dwg J-111 Sh 7 Rev 05)
RC Loop 1 HLG. Flow RPS Ch. 4 (FT-RC01B4) (Dwg J-111 Sh 8 Rev 05)
Pen Term Box Ch 3/4 Out CV (Dwg E-533)
DCN E-614A-11, DCN E-614A-12, DCN E-733A-2, DCN J-111-7, DCN J-111-8, DCN E-1016-2, DCN J-114-4

Other Documents

250/125V DC and Instrumentation AC One Line Diagram (Dwg E-7)
B&W Topical Report BAW 10003 "Qualification Testing of Protection System Instrumentation".
VDCN M-536-12-9-2, VDCN M-536-14-8-2, VDCN M-536-15-6-2, VDCN M-536-17-7-2, VDCN M-536-33-4-3, VDCN M-536-36-4-1, VDCN M-536-37-4-1, VDCN M-536-43-4-3, VDCN M-536-46-4-1, VDCN M-536-47-5-1, VDCN M-536-53-4-3, VDCN M-536-56-4-1, VDCN M-536-57-4-1, VDCN M-536-63-4-3, VDCN M-536-65-3-1, VDCN M-536-66-3-1
Davis Besse Updated Safety Analysis Report (Including Revisions through July 1985).

(Note: For a complete listing of controlled documents transmitted to B&W by the Toledo Edison Co. refer to Mark A. Thayer's (TED) letter to E.J. Donaleski (B&W) dated 13 Sept 1985. The documents listed above are those primarily used as the basis for the Single Failure Analysis.)

APPENDIX B
CLASSIFICATION OF DAVIS-BESSE FCNs

FCN | Change Description | External | Internal
82-023 | Changeover to Rosemount Flow dP Transmitters | X |
83-020 | Addition of ARTS | X |
83-130 | Remove Capacitors on Buffer Amplifier Inputs | | X
80-208 | Add Isolation Resistor to Function Generators | | X
82-16 | Modify Linear Bridge Module Adjustments | | X

c RESPONSES TO THE NRC REQUEST FOR ADDITIONAL INFORMATION (9 QUESTIONS)

DATED DECEMBER 5, 1985 LOG NO. 1879

QUESTTON NO. 1 Identify the existing improvement efforts which contribute signifi-cantly toward supporting enhanced maintenance and safe operation and hence, will be given greater emphasis and support. How will the greater emphasis and support be accomplished? (p. 34c).

RESPONSE TO QUESTION NO. 1 The existing improvement efforts referred to on page 34c of Volume 1 of th'e Course of Action (C0A) are those outstanding activities from the Performance Enhancement Program (PEP) and Systematic Assessment -

of License Performance (SALP) Improvement Program which are consid-ered high priority. These 11 high priority items are identified in Section I of Appendix B.2.1 to the COA. Five of the eleven priority items have been completed to date. Management attention continues to focus on the longer term programmatic improvement efforts. Each of the items and its current status is discussed below:

  • Prepare detailed position descriptions for all management personnel positions in the new organization. - This effort has been completed. Toledo Edison letter dated November 16, 1985 (Serial No. 1208) detailed this activity.
  • Merit Review & Salary Administration - Implement a merit review system to reflect performance and maintain a salary administration program to attract and retain key experienced quality personnel. This activity has been completed.


  • STA capability to assume interim EDO function - Provide training to allow Shift Technical Advisor to assist the Shift Supervisor in performing the Interim Emergency Duty Officer function. This training has been completed.
  • Additional staffing in Nuclear Training - The training staff has increased from 35 in August 1985 to a present level of 47 (44 on board and 3 accepted offers). This increase of 12 exceeds the PEP goal of 10 additional staff.
  • Additional staffing in Nuclear Licensing - The original PEP actions included a commitment to increase licensing staff by five positions (two contract and three TED). This action is complete.

The remaining six items continue to receive management attention.

The status of these items was presented to the NRC in Bethesda on December 9, 1985 by Joe Williams, Jr., Senior Vice President, Nuclear.

  • Management by Objectives (MBO) - An integrated approach to goals, objectives and strategic planning within the Nuclear Mission. This task will be resumed after restart. MBO is envisioned to provide the basis for management of performance by integrating the detailed position descriptions with specific responsibilities. After restart, management support and focus will be redirected to expeditious implementation of MBO.


  • Management Training - Establish a core of management training programs to present basic management skills. - A needs analysis for management training has been completed and a supervisor has been hired in the Corporate Management training organization. The addition of this new staff position will accelerate implementation of a training program responsive to the needs analysis.

  • Configuration Management - Implementation of the program to establish a data base for equipment and systems, provide system descriptions, and ensure accurate documentation of administrative systems and procedures. Includes PEP interim actions on System Auxiliary Diagrams, Alpha Drawing Logs, Drawing Control Project, and Drawing Log. - Details of the configuration management program were presented on pages 34, 34a & 34b of Volume 1 of the Course of Action and updated by J. Williams, Jr.'s presentation to the NRC on December 9, 1985. To expedite this activity a management plan has been developed, a Program Manager position and organization established, and the necessary funds programmed. The progress of this program is reported weekly to upper management at the Senior Vice President, Nuclear's staff meeting. The required funding is included in the 1986 budget.


  • Fire Protection - Provide cost-effective fire protection improvements and decreased regulatory exposure, including protection of employees and capital investment. - An interim Fire Protection Compliance Assurance Manager has been assigned and a two-phase program developed. Phase I, Regulatory Improvement, is expected to be completed by February 28, 1986. Phase II, Program Development, and its associated ongoing implementation activities will commence at the completion of Phase I. The required funding is included in the 1986 budget.
  • Nuclear Mission Procedures (NMPs) - Provide a means to generate and maintain nuclear program procedures necessary to control inter-divisional nuclear program activities. The Nuclear Mission Procedures Development Project is well underway. A project team of 20 Toledo Edison personnel and 20 contract personnel are directly supporting the NMP effort. Division level procedures are being revised or prepared to implement the NMPs. This activity is supported by 55 personnel. The status of the Nuclear Mission Procedures is reported to upper management weekly. The required 1986 effort has been included in the 1986 budget.
  • QA Awareness Program - Identify and document individual responsibilities for adherence to QA and train personnel on these roles. - The General Employee Training Module on Quality Assurance (QA) has been revised to provide a general description of Toledo Edison's Quality Assurance Program requirements and to emphasize executive management's commitment to quality. As stated above, Nuclear Mission Procedures are being developed to implement the QA Program requirements and to define responsibilities for inter-divisional nuclear program activities. Personnel affected by these procedures will receive training to establish their understanding of procedural requirements prior to implementing the procedures.


QUESTION NO. 2 Provide the station administrative procedure regarding improved engineering interface and support. (p.44)

RESPONSE TO QUESTION NO. 2 Station Administrative Procedure AD 1844.14 "Request for Engineering Assistance" is attached. This procedure has been successfully implemented. Toledo Edison is also developing a Nuclear Mission Procedure (NMP-DS-206) "Request for Assistance" that contains mission-wide requirements in this area. This procedure is scheduled for issuance in early 1986. After NMP-DS-206 is issued, Station Administrative Procedure AD 1844.14 will be revised (or superseded) as appropriate.
