ML20202G945

Control Sys Single Failure Study. W/65 Oversize Drawings
Person / Time
Site: Waterford
Issue date: 07/02/1986
From: LOUISIANA POWER & LIGHT CO.
To:
Shared Package: ML20202G941
References: 3738B, NS41100, NUDOCS 8607160153



ATTACHMENT ONE (1)

CONTROL SYSTEMS SINGLE FAILURE STUDY

8607160153 860702 PDR ADOCK 05000382 E PDR NS41100

TABLE OF CONTENTS

1.0 INTRODUCTION
2.0 METHODOLOGY
3.0 RESULTS
4.0 CONCLUSION
5.0 ENCLOSURES

a. TABLES 1 - 3
b. APPENDIX A - SYSTEM ANALYSES

o Control Element Drive Mechanism Control System
o Reactor Power Cutback
o Pressurizer Level Control System
o Pressurizer Pressure Control System
o Steam Bypass Control System
o Feedwater Control System
o Reactor Regulating System
o Turbine Control System
o Main Steam Atmospheric Dump Valve Control System
o Boron Control System (dilution mode)
o Plant Protection System
o Instrument Air System
o Electric Power Distribution System

1.0 INTRODUCTION

This report analyzes whether a single power supply, impulse line, or instrument sensor failure can cause multiple control system malfunctions that result in plant events that are not bounded by the FSAR Chapter 15 analyses. The analysis results demonstrate that all single power source, sensor, or impulse line failures result in plant conditions that are clearly bounded by the existing FSAR Chapter 15 analyses.

2.0 METHODOLOGY

The methodology was to determine if there are any single power source, sensor, or impulse line failures that cause multiple control system malfunctions that lead to transients that are not clearly bounded by FSAR Chapter 15 analyses.

This was accomplished in four discrete steps as described in the following:

2.1 Identify the control systems of interest

The control systems of interest are those that control the major process parameters that affect plant behavior, particularly during transients. These were determined by reviewing the flow diagrams of the major process systems, FSAR Section 7.7 and FSAR Chapter 15 to identify the controlled components of interest (e.g., main feedwater flow control valves, letdown flow control valves, etc.). The control circuits for these components were then traced to find the control systems of interest.

Many of the controlled components of interest require support systems in addition to control system signals for proper operation (e.g., instrument air, electric power, plant protection system, etc.). These are not control systems per se, but their malfunction can be caused by the same failures that are postulated to affect the control systems. As such, these systems are important couplings for the analysis and were considered as well.

2.2 Analyze the effects of the power source, sensor, and impulse line failures on the control systems through the controlled components

The effects of the power source, sensor, and impulse line failures on the control system and controlled components were determined by developing and analyzing logic models called fault tree diagrams. The fault tree diagrams were developed through a detailed review of the control wiring diagrams (CWDs), process analog control drawings (PACS), setpoint documents, instrumentation location drawings, and power distribution and motor data (PD&MD). The unwanted state(s) of the controlled component was postulated and traced back through the control circuit (e.g., power sources, interposing relays, interlocks, bistables and PAC cards, etc.) to determine the conditions necessary to cause the corresponding unwanted control command. The logic development assumed that the control circuit itself operated properly except as affected by the power source, sensor, or impulse line failures. These are grouped in AND or OR logic as appropriate. Power source, sensor, and impulse line successes required to achieve the component state are included in the fault tree diagrams as well so that physically unrealistic combinations of component behavior are not predicted.

Each fault tree diagram logic was reduced using standard Boolean algebra to the basic events of power source, sensor, and impulse line that caused the component state being modelled. The single (excluding complements) basic events that caused the component state were tabulated and retained for further consideration.

2.3 Collect the basic events that cause multiple control system malfunctions

The results of the individual system analyses were reviewed to collect the power source, sensor, and impulse line failures that caused malfunction of more than one control system. These basic events were re-tabulated to include the control systems and controlled components affected by the failure.

2.4 Compare the predicted component behaviors to the events analyzed in FSAR Chapter 15

The predicted component behaviors resulting from each failure were compared to the events analyzed in FSAR Chapter 15. In making this comparison, the power source, sensor, and impulse line failures were considered as initiating events during normal plant operation. Concurrent random failures or other events not directly related to or caused by the power source, sensor, or impulse line failures were not considered. If the predicted component behaviors are equal to or less severe than those analyzed in FSAR Chapter 15, the FSAR Chapter 15 transient analysis is considered to be clearly bounding.
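The screening in steps 2.2 through 2.4, shown as an added example that is not code or data from the report. The fault trees, the event names (BUS_1, LINE_1, LT_X and so on) and the BOUNDING entry are constructed for illustration, and counting a cut set as a single failure when it holds exactly one failed event besides complements is an assumed reading of "single (excluding complements)".

```python
from itertools import combinations, product

# Fault tree node: a basic-event literal (str) or a gate tuple
# ("AND", child, ...) / ("OR", child, ...). A literal prefixed with "~" is a
# complement: that power source, sensor or impulse line must be healthy.

def k_of_n(k, events):
    """Coincidence gate: true when any k of the listed events occur."""
    return ("OR", *[("AND", *combo) for combo in combinations(events, k)])

def cut_sets(node):
    """Expand a tree into sum-of-products form: a set of frozensets of literals."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    expanded = [cut_sets(child) for child in children]
    if gate == "OR":
        return set().union(*expanded)
    if gate == "AND":
        return {frozenset().union(*combo) for combo in product(*expanded)}
    raise ValueError(f"unknown gate {gate!r}")

def consistent(cs):
    """False for a product that needs one event both failed and healthy."""
    return not any("~" + lit in cs for lit in cs if not lit.startswith("~"))

def minimal_cut_sets(node):
    """Boolean reduction: drop contradictions, then absorb supersets (A + AB = A)."""
    sets = {cs for cs in cut_sets(node) if consistent(cs)}
    return {cs for cs in sets if not any(other < cs for other in sets)}

def single_failures(node):
    """Step 2.2: events that alone cause the top event, complements not counted."""
    singles = set()
    for cs in minimal_cut_sets(node):
        failed = [lit for lit in cs if not lit.startswith("~")]
        if len(failed) == 1:
            singles.add(failed[0])
    return singles

def common_cause(systems):
    """Step 2.3: single failures that cause malfunction of more than one system."""
    affected = {}
    for name, tree in systems.items():
        for event in single_failures(tree):
            affected.setdefault(event, []).append(name)
    return {e: sorted(names) for e, names in affected.items() if len(names) > 1}

def unreviewed(systems, bounding):
    """Step 2.4 bookkeeping: common-cause events with no bounding analysis recorded."""
    return sorted(e for e in common_cause(systems) if e not in bounding)

# Constructed model: two control loops share a cabinet supply and an impulse
# line; the protection logic only acts on two-out-of-four coincidence.
SYSTEMS = {
    "level_control": ("OR", "BUS_1", ("AND", "~BUS_1", ("OR", "LT_X", "LINE_1"))),
    "pressure_control": ("OR", "BUS_1", ("AND", "~BUS_1", ("OR", "PT_X", "LINE_1"))),
    "steam_bypass": ("OR", "BUS_1", "BUS_2"),
    "protection": k_of_n(2, ["LINE_1", "LINE_2", "LINE_3", "LINE_4"]),
}

# Constructed placeholder: which common-cause events already have a bounding
# analysis assigned. The reference text is not a real FSAR section.
BOUNDING = {"BUS_1": "placeholder bounding analysis"}

if __name__ == "__main__":
    for event, names in sorted(common_cause(SYSTEMS).items()):
        print(f"{event}: {', '.join(names)}")
    print("no bounding analysis recorded:", unreviewed(SYSTEMS, BOUNDING))
```

LINE_1 is a single failure for both control loops but not for the two-out-of-four protection logic, which is the same pattern the report's Table 3 records for an impulse line shared by control and protection sensors.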

3.0 RESULTS

The control systems analyzed for this study were:

o Control Element Drive Mechanism Control System
o Reactor Power Cut Back System
o Pressurizer Level Control System
o Pressurizer Pressure Control System
o Steam Bypass Control System
o Feedwater Control System
o Reactor Regulating System
o Turbine Control System
o Main Steam Atmospheric Dump Valve Control System
o Boron Control System (dilution mode)
o Plant Protection System
o Instrument Air System
o Electric Power Distribution System

PPS is considered only for its potential to initiate or aggravate a plant event caused by a power source, sensor, or impulse line failure.

The power source, sensor, and impulse line failures that can affect more than one control system are given in Tables 1 through 3, respectively, along with the FSAR Chapter 15 analysis that clearly bounds the effect of the failure.

The fault trees are presented for each system of interest in Appendix A along with the results of the effects of the power source, sensor, and impulse line failures and the FSAR Chapter 15 analysis that clearly bounds the effect of the failure on that system.

4.0 CONCLUSION

The Waterford Unit 3 control systems and associated power sources are well designed such that single failures of power sources, sensors, or impulse lines do not cause multiple control system malfunctions that lead to severe transients.

Major features of the design that protect against this are:

o redundant or independent power supplies to some of the process control cabinets
o use of multiple sensors for many of the input parameters used for process control
o utilization of semi-independent control systems for the major processes as opposed to a centralized control arrangement.

In conclusion, the results of this control system study indicate that the control system failures are clearly bounded by the FSAR Chapter 15 analyses.

CONTROL SYSTEMS SINGLE FAILURE STUDY ENCLOSURES (5.0)

Sheet 1 of 1

TABLE 1 - LOSS OF COMMON POWER SUPPLY TO MULTIPLE CONTROL SYSTEMS

Columns: POWER SOURCES / AFFECTED SYSTEM / EFFECT / BOUNDING EVENT

Power source: 120VAC PDP 384A
o Steam Bypass Control System: Steam bypass control valves fail to open or modulate on demand
o Turbine Control System: Turbine runback signal is not generated from Steam Bypass Control System if required
Bounding event: The combined effects are bounded by FSAR Section 15.2.1.3 Loss of Condenser Vacuum.

Power source: 120VAC PDP 3014AB
o Reactor Regulating System:
  A. No pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System
  B. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate the control rod withdrawal if required
o Pressurizer Level Control System: Letdown flow path isolated, letdown flow control valves CVC113A and CVC113B fail closed. However, the lead charging pump continues running which could result in higher pressurizer level and pressure, possibly to safety valve actuation
o Pressurizer Pressure Control System: Normal spray valves RC301A and RC301B fail to open on demand
o Steam Bypass Control System: Steam bypass control valves fail to open or modulate on demand
o Feedwater Control System: Main feedwater control valves FW173A, 173B and bypass feedwater control valves FW1HA and 1HB fail closed resulting in loss of normal feedwater to steam generators 1 and 2
Bounding event: The combined effects are bounded by FSAR Section 15.2.3.1 Feedwater System Pipe Breaks. The RCS is protected during this transient by the reactor trips from steam generator low level, low pressure, low DNBR and high pressurizer pressure.

Sheet 1 of 1

TABLE 2 - COMMON SENSOR FAILURE TO MULTIPLE CONTROL SYSTEMS

Columns: SENSOR / FUNCTIONS / AFFECTED SYSTEM / ASSUMED FAILURE DIRECTION / EFFECT / BOUNDING EVENT

Sensor: LT-110X
Function: Pressurizer level (when X channel is selected)
Assumed failure direction: Low
o Pressurizer Level Control System:
  A. Letdown flow path isolated, letdown flow control valves CVC113A and CVC113B fail closed
  B. Charging flow increases, one charging pump continues running and the other two pumps will start to run when the low level and low-low level setpoints are reached
o Pressurizer Pressure Control System:
  A. Pressurizer proportional heater banks fail to turn on
  B. Pressurizer backup heater banks fail to turn on
Bounding event: Charging flow increases, letdown flow path isolates and heaters fail to turn on. The combined effects are bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.

Sensor: LT-110Y
Function: Pressurizer level (when Y channel is selected)
Assumed failure direction: Low
o Pressurizer Level Control System:
  A. Letdown flow path isolated, letdown flow control valves CVC113A and CVC113B fail closed
  B. Charging flow increases, one charging pump continues running and the other two pumps will start to run when low level and low-low level setpoints are reached
o Pressurizer Pressure Control System:
  A. Pressurizer proportional heater banks fail to turn on
  B. Pressurizer backup heater banks fail to turn on
Bounding event: Charging flow increases, letdown flow path isolates, and heaters fail to turn on. The combined effects are bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.

Sheet 1 of 3

TABLE 3 - COMMON IMPULSE LINE RUPTURE TO MULTIPLE CONTROL SYSTEMS (COMMON IMPULSE LINE SERVES MULTIPLE SENSORS)

Columns: IMPULSE LINE NUMBER / ASSOCIATED SENSOR / FUNCTION / AFFECTED SYSTEM / ASSUMED FAILURE DIRECTION / EFFECT / BOUNDING EVENT

Impulse line number: RC1A-7-T-45

Associated sensor: LT-110X
Function: Pressurizer level (when X channel is selected)
Affected system: Pressurizer Level Control System
Assumed failure direction: High
Effect:
  A. Charging flow decreases to one charging pump
  B. Letdown flow path not isolated, letdown flow control valves CVC113A and CVC113B open too far
Bounding event: Decreased charging flow and letdown flow path not isolated results in decrease in RCS inventory and subsequent depressurization of the RCS. Pressurizer heaters may be damaged. The combined effects are bounded by FSAR Section 15.6.3.3 Loss of Coolant Accidents.

Associated sensor: PT-100X
Function: Pressurizer Pressure (when X channel is selected)
Affected system: Pressurizer Pressure Control System
Assumed failure direction: Low
Effect:
  A. Pressurizer proportional heater banks fail to modulate properly
  B. Pressurizer backup heater banks fail to trip
  C. Normal spray valves RC301A and RC301B close too far

Associated sensor: PT-102A
Function: Pressurizer Pressure
Affected system: Plant Protection System
Assumed failure direction: Low
Effect: ESFAS auxiliary relay SIAS/CIAS coil not energized. Two out of four input relay coils not energized will cause SIAS and CIAS present. Therefore failure of a single input relay coil not energized will not cause inadvertent actuations of SIAS/CIAS
Bounding event: The system is designed for two out of four logic. Therefore, the failure of one channel will not cause inadvertent actuation of SIAS/CIAS.

Sheet 2 of 3

TABLE 3 - COMMON IMPULSE LINE RUPTURE TO MULTIPLE CONTROL SYSTEMS (COMMON IMPULSE LINE SERVES MULTIPLE SENSORS)

Impulse line number: RC1B-3-T-46

Associated sensor: LT-110Y
Function: Pressurizer level (when Y channel is selected)
Affected system: Pressurizer Level Control System
Assumed failure direction: High
Effect:
  A. Charging flow decreases to one charging pump
  B. Letdown flow path not isolated. Letdown flow control valves CVC113A and CVC113B open too far
Bounding event: Decreased charging flow and letdown flow path not isolated results in decrease in RCS inventory and subsequent depressurization of the RCS. Pressurizer heater may be damaged. The combined effects are bounded by FSAR 15.6.3.3 Loss of Coolant Accidents.

Associated sensor: PT-100Y
Function: Pressurizer Pressure (when Y channel is selected)
Affected system: Pressurizer Pressure Control System
Assumed failure direction: Low
Effect:
  A. Pressurizer proportional heater banks fail to modulate properly
  B. Pressurizer backup heater banks fail to trip
  C. Normal spray valves RC301A and RC301B close too far

Associated sensor: PT-102B
Function: Pressurizer Pressure
Affected system: Plant Protection System
Assumed failure direction: Low
Effect: ESFAS auxiliary relays SIAS/CIAS coil not energized. Two out of four input relay coils not energized will cause SIAS and CIAS present. Therefore failure of a single input relay coil not energized will not cause inadvertent actuation of SIAS/CIAS
Bounding event: The system is designed for two out of four logic. Therefore, the failure of one channel will not cause inadvertent actuation of SIAS/CIAS.

Sheet 3 of 3

TABLE 3 - COMMON IMPULSE LINE RUPTURE TO MULTIPLE CONTROL SYSTEMS (COMMON IMPULSE LINE SERVES ONE SENSOR AND UTILIZED BY MULTIPLE CONTROL SYSTEMS)

Impulse line number: RC1A-8-T-28 (High Pressure)
Associated sensor: LT-110X
Function: Pressurizer level (when X channel is selected)
Assumed failure direction: Low
o Pressurizer Level Control System:
  A. Letdown flow path isolated, letdown flow control valves CVC113A and CVC113B fail closed
  B. Charging flow increases, one charging pump continues running and the other two pumps will start to run when the low level and low-low level setpoints are reached
o Pressurizer Pressure Control System:
  C. Pressurizer proportional heater banks fail to turn on
  D. Pressurizer backup heater banks fail to turn on
Bounding event: Charging flow increases, letdown flow path isolates, and heaters fail to turn on. The combined effects are bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.

Impulse line number: RC1B-4-T-26 (High Pressure)
Associated sensor: LT-110Y
Function: Pressurizer level (when Y channel is selected)
Assumed failure direction: Low
o Pressurizer Level Control System:
  A. Letdown flow path isolated. Letdown flow control valves CVC113A and CVC113B fail closed
  B. Charging flow increases, one charging pump continues running and the other two pumps will start to run when low level and low-low level setpoints are reached
o Pressurizer Pressure Control System:
  C. Pressurizer proportional heater banks fail to turn on
  D. Pressurizer backup heater banks fail to turn on
Bounding event: Charging flow increases, letdown flow path isolates, and heaters fail to turn on. The combined effects are bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.

APPENDIX A SYSTEM ANALYSIS

3740b

CONTROL ELEMENT DRIVE MECHANISM CONTROL SYSTEM

A. System Description

The Control Element Drive Mechanism Control System (CEDMCS) is designed to maintain reactor coolant average temperature by regulating core reactivity.

The Control Element Drive Mechanism Control System accepts automatic CEA action demand signals from the RRS or manual action signals from the CEDMCS control panel and converts these signals to direct current pulses that are transmitted to the CEDM coils to cause CEA motion.

Control is achieved by regulating control rod speed and direction. The CEDMCS is capable of automatic operation in the range between 15 and 100 percent of rated power. Rod withdrawal commands must pass through a series of permissive interlocks which prevent control bank withdrawal when setpoints are reached which indicate an approach to a DNBR limit or KW/FT limit.

CEDMCS is interlocked with the Steam Bypass Control System which generates an Automatic Motion Inhibit and an Automatic Withdraw Prohibit. It is also interlocked with the Reactor Regulating and Plant Protection systems which generate an Automatic Withdraw Prohibit and a Control Rod Withdrawal Prohibit Signal respectively.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Failure of the Control Element Drive Mechanism Control System is defined as any inadvertent rod withdrawal which results in a positive reactivity insertion such that core design limits would be exceeded.

b) The Control Element Drive Mechanism Control System is in the automatic sequential mode of operation.

c) No credit is taken for operator intervention.

d) The detailed evaluation of the effects on the Control Element Drive Mechanism Control System caused by sensor failure, impulse line rupture and power losses is presented in the fault trees.

e) The referenced documents for developing the fault trees are presented in Table 1.

C. Conclusions

There exists no single sensor, power source, or impulse line whose failure will result in an inadvertent control rod withdrawal.

Sheet 1 of 1

TABLE 1 - CONTROL ELEMENT DRIVE MECHANISM CONTROL SYSTEM FAULT TREE REFERENCED DOCUMENTS

Columns: FAULT TREE NO. / FAULT TREE TITLE / CWD (LOU-1564, B-424) SHEET NO./REV NO. / EMDRAC DRAWING NO./REV NO. / SETPOINT DOCUMENT SYSTEM NO./PAGE NO./REV NO. / INSTRUMENT LOCATION DRAWING NO./REV NO. / OTHER DOCUMENTS

Fault tree no.: 1000
Fault tree title: Control Element Drive Mechanism Control System Malfunction
CWD sheet no./rev no.: 197/11, 196/8, 198/10
EMDRAC drawing no./rev no.: 1564-3174/6, 1564-4441/2
Other documents: FSAR Sections 7.2.1 & 7.7; PD&MD LOU-1564 B-209 Sheets 1 %/Rev S, B-289 Sheet 137/Rev 7, B-289 Sheet 150/Rev 5

Fault tree no.: 1001
Fault tree title: CWP Signal Not Present
CWD sheet no./rev no.: 266/8
EMDRAC drawing no./rev no.: 1564-3174/6
Instrument location drawing no./rev no.: C-428507/7
Other documents: FSAR Section 7.2.1; PD&MD LOU-1564 B-209 Sheet 143/Rev 7, B-209 Sheet 144/Rev 6, B-209 Sheet 145/Rev 6, B-209 Sheet 146/Rev 6

REACTOR POWER CUTBACK SYSTEM

A. System Description

The Reactor Power Cutback System (RPCS) is designed to provide a rapid reduction in reactor power, to avoid a reactor trip on loss of one feedwater pump transient. The step reduction in reactor power is accomplished by the simultaneous dropping of one or more preselected groups of full length regulating CEAs into the core. The RPCS is actuated upon receiving coincident two-out-of-two sensory logic signals indicating loss of one main feedwater pump.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Reactor Power Cutback System malfunctions are defined as:

1) Reactor Power Cutback signals are not generated on demand and pre-selected CEA groups fail to drop into the core.
2) Reactor Power Cutback signals are generated spuriously and pre-selected CEA groups drop into the core inadvertently.

b) No credit is taken for operator intervention.

c) The detailed evaluation of the effects on the Reactor Power Cutback System malfunction by sensor failure, impulse line rupture and power losses is presented in the fault trees.

d) The referenced documents for developing the fault trees are presented in Table 2.

C. Conclusion

a) The effects of power supply failure on the Reactor Power Cutback System (RPCS) are presented in Table 1. Loss of the 120VAC PDP 384A will result in failing to generate the Reactor Power Cutback signals during the loss of one main feed water pump.

b) There exists no single sensor or impulse line whose failure will result in Reactor Power Cutback System malfunction.

Sheet 1 of 1

TABLE 1 - LOSS OF POWER SUPPLY REACTOR POWER CUTBACK SYSTEM

Columns: POWER SOURCES / AFFECTED SYSTEM / EFFECT / BOUNDING EVENT

Power source: 120VAC PDP 384A
Affected system: Reactor Power Cutback System
Effect: Reactor Power Cutback signals are not generated during loss of one main feed water pump
Bounding event: Insertion of other CEA groups either automatically by the Reactor Regulating System or manually by the operator occurs as necessary. Not considered significant for Chapter 15 analysis.

Sheet 1 of 1

TABLE 2 - REACTOR POWER CUTBACK SYSTEM FAULT TREE REFERENCED DOCUMENTS

Columns: FAULT TREE NO. / FAULT TREE TITLE / CWD (LOU-1564, B-424) SHEET NO./REV NO. / EMDRAC DRAWING NO./REV NO. / SETPOINT DOCUMENT SYSTEM NO./PAGE NO./REV NO. / INSTRUMENT LOCATION DRAWING NO./REV NO. / OTHER DOCUMENTS

Fault tree no.: 1100
Fault tree title: Reactor Power Cutback System Malfunction
CWD sheet no./rev no.: 1430/12, 1431/6, 1460/10, 1461/6, 1685/7, 1646/4
EMDRAC drawing no./rev no.: 5817-5911/0
Other documents: SM M 7/Rev 0

PRESSURIZER LEVEL CONTROL SYSTEM

A. System Description

The Pressurizer Level Control System (PLCS) functions to maintain the proper reactor coolant water inventory and interlocks with the pressurizer heater banks. This inventory is maintained by controlling the charging pumps and letdown flow control valves in the Chemical and Volume Control System. The pressurizer water level is programmed by the Reactor Regulating System as a function of coolant average temperature, with the average reactor coolant temperature (Tavg) being used. For pressurizer water level above the programmed reference level signal which varies as a function of Tavg, the PLCS will trip the standby charging pumps and increase the letdown flow rate. For pressurizer water level below the predetermined low level signal, the PLCS will turn off all heaters, start the standby charging pumps and minimize the letdown flow rate.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Pressurizer Level Control System malfunction is defined as:

1. An insurge of water into the pressurizer resulting in pressurizer overfill.
2. An outsurge of water from the pressurizer resulting in pressurizer underfill.

b) For an insurge of water into the pressurizer resulting in pressurizer overfill, the following cases are examined:

1. At least two out of three charging pumps fail to trip.
2. Letdown flow path is isolated.

c) For an outsurge of water from the pressurizer resulting in pressurizer underfill, the following cases are examined:

1. Lead charging pump does not function properly and the other two charging pumps do not function.
2. Letdown flow exceeds charging flow.

d) There are two independent automatic control channels with channel selection by means of a manual control switch on CP-2. Automatic control is normally used during operation but manual control may be utilized at any time.

e) No credit is taken for operator intervention.

f) The detailed evaluation of the effect on PLCS malfunction caused by sensor failure, impulse line rupture and power losses is presented in the fault trees.

g) The referenced documents for developing the fault trees are presented in Table 4.

C. Conclusions

a) Failure of a pressurizer level transmitter (low signal) or rupture of its associated high pressure impulse line will generate a spurious low pressurizer level signal. A spurious low level signal will cause an insurge of water into the pressurizer and result in pressurizer overfill.

b) Failure of a pressurizer level transmitter (high signal) or rupture of its associated low pressure impulse line will generate a spurious high pressurizer level signal. A spurious high level signal will cause an outsurge of water from the pressurizer and result in a pressurizer underfill.

c) Loss of the 120VAC PDP 3014AB will cause the loss of modulation signal to letdown flow control valves CVC113A and CVC113B; these valves will be in the fail closed position and isolate the letdown flow path. However, the lead charging pump continues running which could result in higher pressurizer level.

d) The effects of the loss of a single power source, sensor failures, and impulse line ruptures on Pressurizer Level Control System are presented in Tables 1, 2 and 3, respectively.

Sheet 1 of 2

TABLE 1 - SENSOR FAILURES PRESSURIZER LEVEL CONTROL SYSTEM (AN INSURGE OF WATER INTO THE PRESSURIZER)

Columns: SENSOR / FUNCTION / ASSUMED FAILURE DIRECTION / EFFECT / BOUNDING EVENT

Sensor: LT-110X
Function: Pressurizer level (when X channel is selected)
Assumed failure direction: Low
Effect:
  A. Letdown flow path isolated. Letdown flow control valves CVC113A and CVC113B fail closed
  B. Charging flow increases, one charging pump continues running and the other two pumps will start to run when the low level and low-low level setpoints are reached
Bounding event: Charging flow increases, letdown flow path isolates and heaters fail to turn on. The event is bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.

Sensor: LT-110Y
Function: Pressurizer level (when Y channel is selected)
Assumed failure direction: Low
Effect:
  A. Letdown flow path isolated. Letdown flow control valves CVC113A and CVC113B fail closed
  B. Charging flow increases, one charging pump continues running and the other two pumps will start to run when low level and low-low level setpoints are reached
Bounding event: Charging flow increases, letdown flow path isolates and heaters fail to turn on. The event is bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.

Sheet 2 of 2

TABLE 1 - SENSOR FAILURES PRESSURIZER LEVEL CONTROL SYSTEM (AN OUTSURGE OF WATER FROM THE PRESSURIZER)

Sensor: LT-110X
Function: Pressurizer level (when X channel is selected)
Assumed failure direction: High
Effect:
  A. Charging flow decreases to one charging pump
  B. Letdown flow path not isolated, letdown flow control valves CVC113A and CVC113B open too far
Bounding event: Decreased charging flow and letdown flow path not isolated results in decrease in RCS inventory and subsequent depressurization of the RCS. Pressurizer heaters may be damaged. Depressurization of the RCS event is bounded by FSAR Section 15.6.3.3 Loss of Coolant Accidents.

Sensor: LT-110Y
Function: Pressurizer level (when Y channel is selected)
Assumed failure direction: High
Effect:
  A. Charging flow decreases to one charging pump
  B. Letdown flow path not isolated, letdown flow control valves CVC113A and CVC113B open too far
Bounding event: Decreased charging flow and letdown flow path not isolated results in decrease in RCS inventory and subsequent depressurization of the RCS. Pressurizer heaters may be damaged. Depressurization of the RCS event is bounded by FSAR Section 15.6.3.3 Loss of Coolant Accidents.

Sheet 1 of 2

TABLE 2 - IMPULSE LINE RUPTURE PRESSURIZER LEVEL CONTROL SYSTEM (AN INSURGE OF WATER INTO THE PRESSURIZER)

Columns: IMPULSE LINE NUMBER / ASSOCIATED SENSOR / FUNCTION / ASSUMED FAILURE DIRECTION / EFFECT / BOUNDING EVENT

Impulse line number: RC1A-8-T-28 (High Pressure)
Associated sensor: LT-110X
Function: Pressurizer level (when X channel is selected)
Assumed failure direction: Low
Effect:
  A. Letdown flow path isolated, letdown flow control valves CVC113A and CVC113B fail closed
  B. Charging flow increases, one charging pump continues running and the other two pumps will start to run when the low level and low-low level setpoints are reached
Bounding event: Charging flow increases, letdown flow path isolates, and heaters fail to turn on. The event is bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.

Impulse line number: RC1B-4-T-26 (High Pressure)
Associated sensor: LT-110Y
Function: Pressurizer level (when Y channel is selected)
Assumed failure direction: Low
Effect:
  A. Letdown flow path isolated, letdown flow control valves CVC113A and CVC113B fail closed
  B. Charging flow increases, one charging pump continues running and the other two pumps will start to run when low level and low-low level setpoints are reached
Bounding event: Charging flow increases, letdown flow path isolates, and heaters fail to turn on. The event is bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunctions that Increases Reactor Coolant System Inventory.

Sheet 3 of 3

TABLE 2 - IMPULSE LINE RUPTURE PRESSURIZER LEVEL CONTROL SYSTEM (AN OUTSURGE OF WATER FROM THE PRESSURIZER)

Impulse line number: RC1A-7-T-45 (Low Pressure)
Associated sensor: LT-110X
Function: Pressurizer level (when X channel is selected)
Assumed failure direction: High
Effect:
  A. Charging flow decreases to one charging pump
  B. Letdown flow path not isolated. Letdown flow control valves CVC113A and CVC113B open too far
Bounding event: Decreased charging flow and letdown flow path not isolated results in decrease in RCS inventory and subsequent depressurization of the RCS. Pressurizer heaters may be damaged. Depressurization of the RCS event is bounded by FSAR Section 15.6.3.3 and Loss of Coolant Accidents.

Impulse line number: RC1B-3-T-46 (Low Pressure)
Associated sensor: LT-110Y
Function: Pressurizer level (when Y channel is selected)
Assumed failure direction: High
Effect:
  A. Charging flow decreases to one charging pump
  B. Letdown flow path not isolated, letdown flow control valves CVC113A and CVC113B open too far
Bounding event: Decreased charging flow and letdown flow path not isolated resulted in decrease in RCS inventory and subsequent depressurization of the RCS. Pressurizer heaters may be damaged. Depressurization of the RCS event is bounded by FSAR Section 15.6.3.3 Loss of Coolant Accidents.

Sheet 1 of 1

TABLE 3 - LOSS OF POWER SUPPLY PRESSURIZER LEVEL CONTROL SYSTEM

Columns: POWER SOURCES / POWER OPERATED COMPONENTS / EFFECT / BOUNDING EVENT

Power source: 120VAC PDP 3014AB
Power operated components: Letdown Flow Control Valves CVC113A and CVC113B
Effect: Letdown flow path isolated. Letdown flow control valves CVC113A and CVC113B fail closed
Bounding event: Letdown flow path isolates, the lead charging pump continues running which could result in higher pressurizer level and pressure, possibly to safety valve actuation. Not considered significant for Chapter 15 event.

TARIF 4 PRESSURIFFE LFVFL CONDOL SYSTFM FAULT TRFE REFF3FNCFD DOCUNFNTS CWD (14U-1564, B-424) DtDRAC SETP011rr DOCUMENT INSTRUNENT taCATION OTHER FAULT TREE NO. FAULT M EF TITIF SHFFT No./REV NO. IISAWING NO./REV NO. SYSTEN Wo./ PACE No./RFV NO. DRAWING NO./REV NO. DOCIMENTS 1200 Presourlier Level Control Systen Nelfunction FSAR Section 7.7 Flow Diagram C-168 Sheet 2/Rev 21 1201 14tdova Flow Control 199/9 1564-3875. Sheet C-428507/7 PD6MD Valve Fall Closed 273/10 15/13 IDU-1%4 274/10 1%4-4090. Sheet 277/8 3-289 Sheet 13/8 227/Rev 0 303/6 15/64-4091. Sheet 304/6 15/8 1564-60031/1 15/8 o

_ _ . -m._,

3740h 8607160153-1 2-

-- - .- _ . - - . = _ . - - , . _ - . _ . ,___._ . --_-.___._ _ _ - -_=_ . . - _ . .

l l

Steet -2 of 3 TAh!.F 4 I

PRFS$1rRI?f3 I.FVFI. Colf!ROI. SYSTEM FAUI.T TRFF RFFIEFEFD DOCUNFWTS CWD (IDU-1%4, B-424) IMilR AC SETPOINT DCCUMENT INSTRUNENT IDCATION OTHER FAUI.T TREE NO. FAULT 11tFE TITtt SMFFT No./RFV NO. IIRAWING NO./RFV NO. SYSTFM NO./ PACE NO./RFV NO. DRAWING NO./RFV NO. DOCUMENTS 1202 tatdown Flow Control 199/9 1%4-3875, Sheet C-428S07/7 PD&MD Velve Opene Too Far 273/10 15/13 IDU-1%4 2'/4/10 1564-4090, Sheet B-289 Sheet 277/8 13/8 227/Rev 0 303/6 1564-4091, Sheet 304/6 15/8

_ 1 % 4-6003/1 1203, Sheets Chersins Pumps A&B 199/9 1%4-3875, Sheet 52B/5/8 G-428507/7 PD&MD 1,263 Dome Not Function 273/10 15/13 IDU-1564 274/10 1%4-3875, Sheet B-289 Sheet 275/8 16/13 227/Rev 0 365/9 1%44091, Sheet 366/10 13/8 375/6 1 %4-4091 Sheet 376/10 15/8 2341/7 2343/4 2391/9 2393/6


Sheet 3 of 3
TABLE 4
PRESSURIZER LEVEL CONTROL SYSTEM FAULT TREE REFERENCED DOCUMENTS

FAULT TREE NO.: 1204, Sheets 1, 2, 3 & 4
FAULT TREE TITLE: Charging Pump AB Does Not Function
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 170/10, 199/9, 273/10, 274/10, 275/8, 370/8, 371/10
EMDRAC DRAWING NO./REV NO.: 1564-3875, Sheet 15/13; 1564-3875, Sheet 16/13; 1564-4090, Sheet 13/8; 1564-4091, Sheet 15/8
SETPOINT DOCUMENT SYSTEM NO./PAGE NO./REV NO.: 52B/5/8
INSTRUMENT LOCATION DRAWING NO./REV NO.: C-420S07/7
OTHER DOCUMENTS: PD&MD LOU-1564 B-289 Sheet 227/Rev 0


PRESSURIZER PRESSURE CONTROL SYSTEM

A. System Description

The Pressurizer Pressure Control System (PPCS) maintains the pressure of the Reactor Coolant System at or near a fixed setpoint during both steady state and transient conditions. The system consists of a combination of heater banks and spray valves actuated as required by a pressure controller at various fixed pressure deviation points from the controller setpoint. If system pressure decreases significantly from the setpoint, the proportional heaters will modulate and provide proper heat output and in addition, the backup heaters will be turned on. For system pressure signal above the setpoint, all heaters will be turned off and the spray valves will be actuated proportionally over a fixed pressure range. For very large pressure transients, the pressurizer safety valve will be actuated to limit the pressure surge.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Pressurizer Pressure Control System (PPCS) malfunction is defined as the inability to perform PPCS function resulting in:

1. High pressurizer pressure
2. Low pressurizer pressure

b) For high pressurizer pressure, the following cases are examined:

1. Pressurizer proportional heaters fail to turn off/modulate properly or pressurizer backup heaters fail to trip.
2. Pressurizer pressure spray valves fail to open/close too far.

c) For low pressurizer pressure, the following cases are examined:


1. Pressurizer proportional heaters fail to provide proper heat output and backup heaters fail to turn on.
2. Pressurizer spray valves open too far.

d) There are two independent automatic control channels with channel selection by means of a manual control switch on CP-2. Automatic control is normally used during operation but manual control of the heaters and spray valves may be utilized at any time.

e) No credit is taken for operator intervention.

f) The detailed evaluation of the effects on PPCS malfunction caused by sensor failure, impulse line rupture and power losses is presented in the fault trees.

g) The referenced documents for developing the fault trees are presented in Table 4.

C. Conclusions

a) Failure of a single pressurizer pressure transmitter (low signal) or rupture of its associated impulse line will generate a spurious low pressure signal. With heaters remaining on, this will result in an increase of pressurizer pressure through failure of the spray valves to open. The pressure could increase above their setpoint and possibly to safety valve actuation.

b) Rupture of the pressurizer pressure transmitter impulse line will generate a spurious low pressure signal. This will result in an increase of pressurizer pressure through failure to trip the backup heaters or improper modulation of the proportional heaters.

c) Failure of a single pressurizer pressure transmitter (high signal) will generate a spurious high pressure signal. This will result in a decrease of pressurizer pressure through the spray valves opening too far or failure to turn on the backup heaters and the proportional heaters.

d) Failure of a single pressurizer level transmitter (low signal) or rupture of its associated high pressure impulse line will generate a spurious low level signal. This will result in a decrease of pressurizer pressure through turning off all the heaters.

e) Loss of the 120VAC PDP 390-SA will cause loss of instrument air supply to spray valves. Upon loss of instrument air supply, these valves will assume their fail closed position. However, the RCS pressure will be maintained properly by the PPCS.

f) Loss of the 120VAC PDP 3014AB could result in an increase of pressurizer pressure through failure to open the spray valves on demand. The pressure could increase above their setpoint and possibly to safety valve actuation.

g) The effects of sensor failures, impulse line ruptures and loss of a single power source on the Pressurizer Pressure Control System are presented in Tables 1, 2 and 3, respectively.


Sheet 1 of 3
TABLE 1 - SENSOR FAILURES
PRESSURIZER PRESSURE CONTROL SYSTEM (INCREASE PRESSURIZER PRESSURE)

SENSOR: PT-100X (when X channel is selected)
FUNCTION: Pressurizer Pressure
ASSUMED FAILURE DIRECTION: Low
EFFECT: Normal spray valves RC301A and RC301B close too far
BOUNDING EVENT: Heaters being on cause increase in pressurizer pressure, and can possibly lead to safety valve actuation. Not considered significant for Chapter 15 event.

SENSOR: PT-100Y (when Y channel is selected)
FUNCTION: Pressurizer Pressure
ASSUMED FAILURE DIRECTION: Low
EFFECT: Normal spray valves RC301A and RC301B close too far
BOUNDING EVENT: Heaters being on cause increase in pressurizer pressure, and can possibly lead to safety valve actuation. Not considered significant for Chapter 15 event.


Sheet 2 of 3
TABLE 1 - SENSOR FAILURES
PRESSURIZER PRESSURE CONTROL SYSTEM (DECREASE PRESSURIZER PRESSURE)

SENSOR: PT-100X (when X channel is selected)
FUNCTION: Pressurizer Pressure
ASSUMED FAILURE DIRECTION: High
EFFECT:
A. Pressurizer proportional heater banks fail to turn on
B. Pressurizer backup heater banks fail to turn on
C. Normal spray valves RC301A and RC301B open too far
BOUNDING EVENT: FSAR Section 15.6.3.4 Inadvertent Opening of a Pressurizer Safety Valve

SENSOR: PT-100Y (when Y channel is selected)
FUNCTION: Pressurizer Pressure
ASSUMED FAILURE DIRECTION: High
EFFECT:
A. Pressurizer proportional heater banks fail to turn on
B. Pressurizer backup heater banks fail to turn on
C. Normal spray valves RC301A and RC301B open too far
BOUNDING EVENT: FSAR Section 15.6.3.4 Inadvertent Opening of a Pressurizer Safety Valve

SENSOR: LT-110X (when X channel is selected)
FUNCTION: Pressurizer Level
ASSUMED FAILURE DIRECTION: Low
EFFECT:
A. Pressurizer proportional heater banks fail to turn on
B. Pressurizer backup heater banks fail to turn on
BOUNDING EVENT: Combining effects of Pressurizer Level Control System malfunctions, charging flow increases, letdown flow path isolates, and heaters fail to turn on. The event is bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.


Sheet 3 of 3
TABLE 1 - SENSOR FAILURES
PRESSURIZER PRESSURE CONTROL SYSTEM (DECREASE PRESSURIZER PRESSURE)

SENSOR: LT-110Y (when Y channel is selected)
FUNCTION: Pressurizer Level
ASSUMED FAILURE DIRECTION: Low
EFFECT:
A. Pressurizer proportional heater banks fail to turn on
B. Pressurizer backup heater banks fail to turn on
BOUNDING EVENT: Combining effects of Pressurizer Level Control System malfunctions, charging flow increases, letdown flow path isolates, and heaters fail to turn on. The event is bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.


Sheet 1 of 2
TABLE 2 - IMPULSE LINE RUPTURE
PRESSURIZER PRESSURE CONTROL SYSTEM (INCREASE PRESSURIZER PRESSURE)

IMPULSE LINE NUMBER: RCIA-7-T-45
ASSOCIATED SENSOR: PT-100X (when X channel is selected)
FUNCTION: Pressurizer Pressure
ASSUMED FAILURE DIRECTION: Low
EFFECT:
A. Pressurizer proportional heater banks fail to modulate properly
B. Pressurizer backup heater banks fail to trip
C. Normal spray valves RC301A and RC301B close too far
BOUNDING EVENT: Combining effects of Pressurizer Level Control System malfunction, charging flow decreases, letdown flow path not isolated results in the depressurization of Reactor Coolant System. Pressurizer heaters may be damaged. Depressurization of RCS event is bounded by FSAR Section 15.6.3.3 Loss of Coolant Accidents.

IMPULSE LINE NUMBER: RC18-3-T-46
ASSOCIATED SENSOR: PT-100Y (when Y channel is selected)
FUNCTION: Pressurizer Pressure
ASSUMED FAILURE DIRECTION: Low
EFFECT:
A. Pressurizer proportional heater banks fail to modulate properly
B. Pressurizer backup heater banks fail to trip
C. Normal spray valves RC301A and RC301B close too far
BOUNDING EVENT: Combining effects of Pressurizer Level Control System malfunction, charging flow decreases, letdown flow path not isolated results in the depressurization of Reactor Coolant System. Pressurizer heaters may be damaged. Depressurization of RCS event is bounded by FSAR Section 15.6.3.3 Loss of Coolant Accidents.

Sheet 2 of 2
TABLE 2 - IMPULSE LINE RUPTURE
PRESSURIZER PRESSURE CONTROL SYSTEM (DECREASE PRESSURIZER PRESSURE)

IMPULSE LINE NUMBER: RCIA-8-T-28 (High Pressure)
ASSOCIATED SENSOR: LT-110X (when X channel is selected)
FUNCTION: Pressurizer Level
ASSUMED FAILURE DIRECTION: Low
EFFECT:
A. Pressurizer proportional heater banks fail to turn on
B. Pressurizer backup heater banks fail to turn on
BOUNDING EVENT: Combining effects of Pressurizer Level Control System malfunctions, charging flow increases, letdown flow path isolates, and heaters fail to turn on. The event is bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.

IMPULSE LINE NUMBER: RCIA-4-T-26 (High Pressure)
ASSOCIATED SENSOR: LT-110Y (when Y channel is selected)
FUNCTION: Pressurizer Level
ASSUMED FAILURE DIRECTION: Low
EFFECT:
A. Pressurizer proportional heater banks fail to turn on
B. Pressurizer backup heater banks fail to turn on
BOUNDING EVENT: Combining effects of Pressurizer Level Control System malfunctions, charging flow increases, letdown flow path isolates, and heaters fail to turn on. The event is bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory.


Sheet 1 of 1
TABLE 3 - LOSS OF POWER SUPPLY
PRESSURIZER PRESSURE CONTROL SYSTEM

POWER SOURCES: 120VAC PDP 390-SA
POWER OPERATED COMPONENTS: Normal Spray Valves RC301A and RC301B
EFFECT: Loss of instrument air supply to normal spray valves RC301A and RC301B. Normal spray valves RC301A and RC301B in fail closed position.
BOUNDING EVENT: Heaters being on could cause increase in pressurizer pressure. PPCS will maintain the proper RCS pressure. Not considered significant for Chapter 15 event.

POWER SOURCES: 120VAC PDP 3014AB
POWER OPERATED COMPONENTS: Normal Spray Valves RC301A and RC301B
EFFECT: Normal spray valves RC301A and RC301B fail to open on demand.
BOUNDING EVENT: Heaters being on could cause increase in pressurizer pressure, possibly to safety valve actuation. Not considered significant for Chapter 15 event.


TABLE 4
PRESSURIZER PRESSURE CONTROL SYSTEM FAULT TREE REFERENCED DOCUMENTS

FAULT TREE NO.: 1300
FAULT TREE TITLE: Pressurizer Pressure Control System Malfunction
OTHER DOCUMENTS: FSAR Section 7.7; Flow Diagram C-172/Rev 16

FAULT TREE NO.: 1301, Sheets 1 & 2
FAULT TREE TITLE: Proportional Heaters Fail to Turn On/Modulate Too Low
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 199/9, 264/9, 265/11, 273/10, 274/10, 291/10, 292/11, 2491/12, 2516/8, 2938/0
EMDRAC DRAWING NO./REV NO.: 1564-3875, Sheet 9/13; 1564-3875, Sheet 10/13; 1564-3875, Sheet 15/13; 1564-3875, Sheet 16/13; 1564-4455/2
SETPOINT DOCUMENT SYSTEM NO./PAGE NO./REV NO.: 52B/5/8, 52B/6/8
INSTRUMENT LOCATION DRAWING NO./REV NO.: C-428507/7

FAULT TREE NO.: 1302
FAULT TREE TITLE: Backup Heaters Fail to Turn On
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 199/9, 264/9, 273/10, 274/10, 285/10, 286/10, 287/10, 288/8, 289/10, 290/10, 2491/12, 2516/8
EMDRAC DRAWING NO./REV NO.: 1564-3875, Sheet 9/13; 1564-3875, Sheet 15/13; 1564-3875, Sheet 16/13
SETPOINT DOCUMENT SYSTEM NO./PAGE NO./REV NO.: 52B/5/8, 52B/6/8
INSTRUMENT LOCATION DRAWING NO./REV NO.: C-428507/7


TABLE 4
PRESSURIZER PRESSURE CONTROL SYSTEM FAULT TREE REFERENCED DOCUMENTS

FAULT TREE NO.: 1303
FAULT TREE TITLE: Normal Spray Valves
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 199/9, 264/9, 296/10
EMDRAC DRAWING NO./REV NO.: 1564-3875, Sheet 9/13; 1564-3875, Sheet 10/13; 1564-6003/1
INSTRUMENT LOCATION DRAWING NO./REV NO.: C-428507/7

FAULT TREE NO.: 1304
FAULT TREE TITLE: Backup Heaters Fail To Trip
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 199/9, 264/9, 273/10, 274/10, 285/10, 206/10, 287/10, 288/8, 289/10, 290/10, 2491/12, 2516/8
EMDRAC DRAWING NO./REV NO.: 1564-3875, Sheet 9/13; 1564-3875, Sheet 15/13; 1564-3875, Sheet 16/13
SETPOINT DOCUMENT SYSTEM NO./PAGE NO./REV NO.: 52B/5/8, 52B/6/8
INSTRUMENT LOCATION DRAWING NO./REV NO.: C-428507/7


Sheet 3 of 3
TABLE 4
PRESSURIZER PRESSURE CONTROL SYSTEM FAULT TREE REFERENCED DOCUMENTS

FAULT TREE NO.: 1305
FAULT TREE TITLE: Proportional Heaters Fail to Turn Off/Modulate Properly
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 199/9, 264/9, 261/11, 273/10, 274/10, 291/10, 292/11, 2491/12, 2516/8, 2938/0
EMDRAC DRAWING NO./REV NO.: 1564-3875, Sheet 9/13; 1564-3875, Sheet 10/13; 1564-3875, Sheet 15/13; 1564-3875, Sheet 16/13; 1564-4455/2
SETPOINT DOCUMENT SYSTEM NO./PAGE NO./REV NO.: 52B/5/8, 52B/6/8
INSTRUMENT LOCATION DRAWING NO./REV NO.: G-428507/7


STEAM BYPASS CONTROL SYSTEM

A. System Description

The purpose of the Steam Bypass Control System (SBCS) is to maximize plant availability by making full utilization of the steam bypass control valve capacity to remove NSSS thermal energy. This objective is achieved by the selective use of turbine bypass valves and/or dropping of selected CEA groups to avoid unnecessary reactor trips and prevent the opening of secondary side safety valves whenever these occurrences can be averted by the controlled release of steam or rapid reduction of power.

To reduce the effects of a transient imposed on the Reactor Coolant System during load rejection or turbine trip, the system will maintain an artificial load by bypassing steam to the condenser.

A valve quick opening demand signal is generated whenever the size of the load rejection is such that it cannot be accommodated with the normal valve modulation speed.

An automatic CEA withdrawal prohibit (AWP) signal is generated whenever an automatic bypass valve opening demand signal exists, since this implies the existence of excess energy in the NSSS. The AWP function fault tree is presented in Reactor Regulating System section.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Steam Bypass Control System malfunctions are defined as:

1) Failure of any steam bypass control valve to open or modulate on demand.
2) Spurious operation (inadvertent opening) of one or more steam bypass control valves.


b) No credit is taken for operator intervention.

c) The detailed evaluation of the effects on the Steam Bypass Control System malfunction caused by sensor failure, impulse line rupture and power losses is presented in the fault trees.

d) The referenced documents for developing the fault trees are presented in Table 4.

C. Conclusions

a) Steam bypass control valves will fail to open on demand under the following conditions:

1) Failure of any condenser vacuum pressure switch.
2) A spurious low signal from failure of either main steam header pressure transmitter or rupture of their associated impulse lines.
3) A spurious high signal from either main steam flow transmitter or rupture of their associated low pressure impulse lines.
4) Loss of 120VAC PDPs 3014AB or 384A will result in all steam bypass control valves failing to open on demand.
5) Loss of 125VDC PDP 3AB-DC-A will result in steam bypass control valves MS319A, MS319C and MS320A failing to open on demand.
6) Loss of 125VDC PDP 3AB-DC-B will result in steam bypass control valves MS319B, MS320B and MS320C failing to open on demand.

b) The effects of sensor failures, impulse line ruptures and loss of single power source on Steam Bypass Control System are presented in Tables 1, 2 and 3, respectively.

c) There exists no single power source, sensor, or impulse line whose failure will result in spurious operation (inadvertent opening) of one or more steam bypass control valves.


TABLE 2 - IMPULSE LINE RUPTURE
STEAM BYPASS CONTROL SYSTEM

IMPULSE LINE NUMBER: TCS2-1-T-56
SENSOR: PT-MS1010
FUNCTION: Main Steam Header 1 Pressure
ASSUMED FAILURE DIRECTION: Low
EFFECT: Steam bypass control valves fail to open or modulate on demand
BOUNDING EVENT: FSAR Section 15.2.1.3 Loss of Condenser Vacuum

IMPULSE LINE NUMBER: TC51-5-T-54
SENSOR: PT-MS1020
FUNCTION: Main Steam Header 2 Pressure
ASSUMED FAILURE DIRECTION: Low
EFFECT: Steam bypass control valves fail to open or modulate on demand
BOUNDING EVENT: FSAR Section 15.2.1.3 Loss of Condenser Vacuum

IMPULSE LINE NUMBER: ECI A-2-T-4 3
SENSOR: FT-MS1011
FUNCTION: SG-1 Main Steam Flow
ASSUMED FAILURE DIRECTION: High
EFFECT: Steam bypass control valves fail to open or modulate
BOUNDING EVENT: FSAR Section 15.2.1.3 Loss of Condenser Vacuum

IMPULSE LINE NUMBER: RC2B-4-T-60
SENSOR: FT-MS1021
FUNCTION: SG-2 Main Steam Flow
ASSUMED FAILURE DIRECTION: High
EFFECT: Steam bypass control valves fail to open or modulate on demand
BOUNDING EVENT: FSAR Section 15.2.1.3 Loss of Condenser Vacuum

TABLE 3 - LOSS OF POWER SUPPLY
STEAM BYPASS CONTROL SYSTEM

POWER SOURCES: 125 VDC PDP 3AB-DC-A
POWER OPERATED COMPONENTS: Steam bypass control valves MS319A, MS319C and MS320A
EFFECT: Steam bypass control valves MS319A, MS319C and MS320A fail to open or modulate on demand
BOUNDING EVENT: FSAR Section 15.2.1.3 Loss of Condenser Vacuum

POWER SOURCES: 125 VDC PDP 3AB-DC-B
POWER OPERATED COMPONENTS: Steam bypass control valves MS319B, MS320B and MS320C
EFFECT: Steam bypass control valves MS319B, MS320B and MS320C fail to open or modulate on demand
BOUNDING EVENT: FSAR Section 15.2.1.3 Loss of Condenser Vacuum

POWER SOURCES: 120 VAC PDP 3014AB
POWER OPERATED COMPONENTS: Steam bypass control valves MS319A, MS319B, MS319C, MS320A, MS320B and MS320C
EFFECT: All steam bypass control valves fail to open or modulate on demand
BOUNDING EVENT: FSAR Section 15.2.1.3 Loss of Condenser Vacuum

POWER SOURCES: 120 VAC PDP 384A
POWER OPERATED COMPONENTS: Steam bypass control valves MS319A, MS319B, MS319C, MS320A, MS320B and MS320C
EFFECT: All steam bypass control valves fail to open or modulate on demand
BOUNDING EVENT: FSAR Section 15.2.1.3 Loss of Condenser Vacuum


TABLE 4
STEAM BYPASS CONTROL SYSTEM FAULT TREE REFERENCED DOCUMENTS

FAULT TREE NO.: 1400
FAULT TREE TITLE: Steam Bypass Control System Malfunction
OTHER DOCUMENTS: FSAR Section 7.7; Flow Diagram C-151 Sheet 2/Rev 21

FAULT TREE NO.: 1401, Sheets 1 & 2
FAULT TREE TITLE: Steam Bypass Control System Valves Fail to Open on Demand
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 1689/5, 1690/7, 1691/6, 1692/6, 1693/6, 1694/6, 1695/6, 1696/7
EMDRAC DRAWING NO./REV NO.: 1564-4637/4, 1564-4641/2, 1564-6002/3, 1564-6179/1
INSTRUMENT LOCATION DRAWING NO./REV NO.: C-427504/6, C-428S07/7
OTHER DOCUMENTS: PD&MD LOU-1564 B-289 Sheet 227/Rev 0

FAULT TREE NO.: 1402, Sheets 14
FAULT TREE TITLE: Steam Bypass Control System Valves Inadvertently Open
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 1689/5, 1690/7, 1691/6, 1692/6, 1693/6, 1694/6, 1695/6, 1696/7
EMDRAC DRAWING NO./REV NO.: 1564-4637/4, 1564-4641/2, 1564-6002/3, 1564-6179/1
INSTRUMENT LOCATION DRAWING NO./REV NO.: C-427504/6, C-428507/7
OTHER DOCUMENTS: PD&MD LOU-1564 B-289 Sheet 227/Rev 0


FEEDWATER CONTROL SYSTEM

A. System Description

One Feedwater Control System (FWCS) is provided for each steam generator. The two steam generators are operated in parallel. Each steam generator's downcomer level is individually maintained by a three element controller.

Each controller provides a modulation signal to control the position of either a main or a bypass feedwater control valve and also adjust the speed of main feedwater pumps to regulate the feedwater flow to the respective steam generator. During normal operation, each FWCS provides output signal by continuously comparing steam flow, feedwater flow and steam generator downcomer level. In addition, each FWCS simultaneously provides a pump speed setpoint to the turbine driven feed pump speed control systems.

When a reactor trip occurs, each FWCS automatically reduces the feedwater flowrate to its respective steam generator by closing the associated main feedwater control valves, partially opening the bypass feedwater control valves, and limiting the feedwater pump speed.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Feedwater Control System malfunctions are defined as:

1. Main or bypass feedwater control valves open too far resulting in steam generator overfeeding.
2. Main or bypass feedwater control valves fail closed resulting in loss of feedwater flow to steam generators.

b) For the overfeeding case, it is assumed that either the plant is in low power operation (with use of bypass feedwater control valves) or power operation (with use of main feedwater control valves) at one given time. Excess opening of any one loop feedwater control valve is assumed to cause overfeeding of a steam generator.


c) For a loss of feedwater flow to the steam generators, it is assumed that both loops must have control valves that fail closed.

d) No credit is taken for operator intervention.

e) The detailed evaluation of the effect on the Feedwater Control System malfunction caused by sensor failure, impulse line rupture and power losses is presented in the fault trees.

f) The reference documents for developing the fault trees are presented in Table 4.

C. Conclusions

a) Any one of the following failures will result in a main feedwater control valve failing closed leading to loss of feedwater flow to steam generators:

1) A spurious high signal on either steam generator downcomer level transmitter or rupture of its associated low pressure impulse line.
2) A spurious high signal from either steam generator feedwater flow transmitter or its associated low pressure impulse line.
3) A spurious low signal from either main steam flow transmitter or rupture of its associated high pressure impulse line.
4) Loss of 120 VAC PDP 3014AB.

b) Any one of the following failures will result in a Bypass Feedwater Control valve failing closed leading to loss of feedwater flow to steam generators:

1) A spurious high signal on either steam generator downcomer level transmitter or rupture of its associated low pressure impulse line.
2) A spurious high signal from either steam generator feedwater flow transmitter or its associated low pressure impulse line.
3) A spurious low signal from either main steam flow transmitter or rupture of its associated high pressure impulse line.
4) Loss of 120 VAC PDP 3014AB.

c) The effects of the loss of a single power source, sensor failure and impulse line rupture on FWCS are presented in Tables 1, 2 and 3, respectively.

d) There exists no single power source, sensor, or impulse line whose failure will result in main or bypass feedwater control valves opening too far.


TABLE 1 - SENSOR FAILURES
FEEDWATER CONTROL SYSTEM

SENSOR: LT-1111
FUNCTION: SG-1 Downcomer Level
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173A fails closed resulting in loss of normal feedwater flow to steam generator 1. Bypass feedwater control valve FW166A fails closed resulting in loss of normal feedwater flow to steam generator 1.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

SENSOR: LT-1105
FUNCTION: SG-1 Downcomer Level
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173A fails closed resulting in loss of normal feedwater flow to steam generator 1. Bypass feedwater control valve FW166A fails closed resulting in loss of normal feedwater flow to steam generator 1.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

SENSOR: FT-1011
FUNCTION: Main Steam Header 1 Flow
ASSUMED FAILURE DIRECTION: Low
EFFECT: Main feedwater control valve FW173A fails closed resulting in loss of normal feedwater flow to steam generator 1. Bypass feedwater control valve FW166A fails closed resulting in loss of normal feedwater flow to steam generator 1.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

SENSOR: FT-1111
FUNCTION: Main Feedwater to SG-1 Flow
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173A fails closed resulting in loss of normal feedwater flow to steam generator 1. Bypass feedwater control valve FW166A fails closed resulting in loss of normal feedwater flow to steam generator 1.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

SENSOR: LT-1121
FUNCTION: SG-2 Downcomer Level
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173B fails closed resulting in loss of normal feedwater flow to steam generator 2. Bypass feedwater control valve FW166B fails closed resulting in loss of normal feedwater flow to steam generator 2.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.


TABLE 1 - SENSOR FAILURES
FEEDWATER CONTROL SYSTEM

SENSOR: LT-1106
FUNCTION: SG-2 Downcomer Level
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173B fails closed resulting in loss of normal feedwater flow to steam generator 2. Bypass feedwater control valve FW166B fails closed resulting in loss of normal feedwater flow to steam generator 2.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

SENSOR: FT-1021
FUNCTION: Main Steam Header 2 Flow
ASSUMED FAILURE DIRECTION: Low
EFFECT: Main feedwater control valve FW173B fails closed resulting in loss of normal feedwater flow to steam generator 2. Bypass feedwater control valve FW166B fails closed resulting in loss of normal feedwater flow to steam generator 2.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

SENSOR: FT-1121
FUNCTION: Main Feedwater to SG-2 Flow
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173B fails closed resulting in loss of normal feedwater flow to steam generator 2. Bypass feedwater control valve FW166B fails closed resulting in loss of normal feedwater flow to steam generator 2.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.


TABLE 2 - IMPULSE LINE RUPTURE
FEEDWATER CONTROL SYSTEM

IMPULSE LINE NUMBER: RCIA-6-7-39
ASSOCIATED SENSOR: LT-1111
FUNCTION: SG-1 Downcomer Level
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173A fails closed resulting in loss of normal feedwater flow to steam generator 1. Bypass feedwater control valve FW166A fails closed resulting in loss of normal feedwater flow to steam generator 1.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

IMPULSE LINE NUMBER: gCID-1-T-42
ASSOCIATED SENSOR: LT-1105
FUNCTION: SG-1 Downcomer Level
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173A fails closed resulting in loss of normal feedwater flow to steam generator 1. Bypass feedwater control valve FW166A fails closed resulting in loss of normal feedwater flow to steam generator 1.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

IMPULSE LINE NUMBER: BCI A-1-7-4 3
ASSOCIATED SENSOR: FT-1011
FUNCTION: Main Steam Header 1 Flow
ASSUMED FAILURE DIRECTION: Low
EFFECT: Main feedwater control valve FW173A fails closed resulting in loss of normal feedwater flow to steam generator 1. Bypass feedwater control valve FW166A fails closed resulting in loss of normal feedwater flow to steam generator 1.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

IMPULSE LINE NUMBER: AC24-2-T-140
ASSOCIATED SENSOR: FT-1111
FUNCTION: Main Feedwater to SG-1 Flow
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173A fails closed resulting in loss of normal feedwater flow to steam generator 1. Bypass feedwater control valve FW166A fails closed resulting in loss of normal feedwater flow to steam generator 1.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.


TABLE 2 - IMPULSE LINE RUPTURE
FEEDWATER CONTROL SYSTEM

IMPULSE LINE NUMBER: RC2A-2-T-56
ASSOCIATED SENSOR: LT-1121
FUNCTION: SG-2 Downcomer Level
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173B fails closed resulting in loss of normal feedwater flow to steam generator 2. Bypass feedwater control valve FW166B fails closed resulting in loss of normal feedwater flow to steam generator 2.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

IMPULSE LINE NUMBER: RC2D-1-T-59
ASSOCIATED SENSOR: LT-1106
FUNCTION: SG-2 Downcomer Level
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173B fails closed resulting in loss of normal feedwater flow to steam generator 2. Bypass feedwater control valve FW166B fails closed resulting in loss of normal feedwater flow to steam generator 2.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

IMPULSE LINE NUMBER: R C2 5-3-T-60
ASSOCIATED SENSOR: FT-1021
FUNCTION: Main Steam Header 2 Flow
ASSUMED FAILURE DIRECTION: Low
EFFECT: Main feedwater control valve FW173B fails closed resulting in loss of normal feedwater flow to steam generator 2. Bypass feedwater control valve FW166B fails closed resulting in loss of normal feedwater flow to steam generator 2.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

IMPULSE LINE NUMBER: AC24-6-7-142
ASSOCIATED SENSOR: FT-1121
FUNCTION: Main Feedwater to SG-2 Flow
ASSUMED FAILURE DIRECTION: High
EFFECT: Main feedwater control valve FW173B fails closed resulting in loss of normal feedwater flow to steam generator 2. Bypass feedwater control valve FW166B fails closed resulting in loss of normal feedwater flow to steam generator 2.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.


TABLE 3 - LOSS OF POWER SUPPLY
FEEDWATER CONTROL SYSTEM

POWER SOURCES: 120VAC PDP 3014AB
POWER OPERATED COMPONENTS: Main feedwater control valves FW173A and FW173B
EFFECT: Main feedwater control valves FW173A and FW173B fail closed resulting in loss of normal feedwater flow to steam generators 1 and 2 during normal operation.
BOUNDING EVENT: FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow.

POWER OPERATED COMPONENTS: Bypass feedwater control valves FW166A and FW166B
EFFECT: Bypass feedwater control valves FW166A and FW166B fail closed resulting in loss of normal feedwater flow to steam generators 1 and 2 during reactor trip or reduced power operation.
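The loss-of-power-supply tables for the pressurizer level, pressurizer pressure, steam bypass and feedwater control systems can be combined to show which single power source reaches more than one control system, which is the question this study asks. The Python below is an added example and not part of the original report; the rows are transcribed from the Table 3 entries in this section, and the Row structure and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Row(NamedTuple):
    """One row of a loss-of-power-supply table (illustrative structure)."""
    source: str
    system: str
    components: tuple
    effect: str
    bounding_event: str


NOT_SIGNIFICANT = "Not considered significant for Chapter 15 event"
LOCV = "FSAR Section 15.2.1.3 Loss of Condenser Vacuum"
LONF = "FSAR Section 15.2.2.5 Loss of Normal Feedwater Flow"
ALL_SBCS = ("MS319A", "MS319B", "MS319C", "MS320A", "MS320B", "MS320C")
SBCS_EFFECT = "fail to open or modulate on demand"

# Rows transcribed from the Table 3 entries in this section.
TABLE_3_ROWS = [
    Row("120VAC PDP 3014AB", "Pressurizer Level Control",
        ("CVC113A", "CVC113B"), "letdown flow control valves fail closed",
        NOT_SIGNIFICANT),
    Row("120VAC PDP 390-SA", "Pressurizer Pressure Control",
        ("RC301A", "RC301B"), "normal spray valves in fail closed position",
        NOT_SIGNIFICANT),
    Row("120VAC PDP 3014AB", "Pressurizer Pressure Control",
        ("RC301A", "RC301B"), "normal spray valves fail to open on demand",
        NOT_SIGNIFICANT),
    Row("125VDC PDP 3AB-DC-A", "Steam Bypass Control",
        ("MS319A", "MS319C", "MS320A"), SBCS_EFFECT, LOCV),
    Row("125VDC PDP 3AB-DC-B", "Steam Bypass Control",
        ("MS319B", "MS320B", "MS320C"), SBCS_EFFECT, LOCV),
    Row("120VAC PDP 3014AB", "Steam Bypass Control", ALL_SBCS, SBCS_EFFECT, LOCV),
    Row("120VAC PDP 384A", "Steam Bypass Control", ALL_SBCS, SBCS_EFFECT, LOCV),
    Row("120VAC PDP 3014AB", "Feedwater Control",
        ("FW173A", "FW173B"), "main feedwater control valves fail closed", LONF),
    Row("120VAC PDP 3014AB", "Feedwater Control",
        ("FW166A", "FW166B"), "bypass feedwater control valves fail closed", LONF),
]


def systems_by_source(rows):
    """Map each power source to the sorted list of control systems it feeds."""
    found = defaultdict(set)
    for row in rows:
        found[row.source].add(row.system)
    return {source: sorted(systems) for source, systems in found.items()}


def shared_sources(rows):
    """Power sources whose loss affects more than one control system."""
    return {s: v for s, v in systems_by_source(rows).items() if len(v) > 1}


def combined_failure(rows, source):
    """Everything the tables list as failing together when `source` is lost."""
    hit = [row for row in rows if row.source == source]
    return {
        "systems": sorted({row.system for row in hit}),
        "components": sorted({c for row in hit for c in row.components}),
        "bounding_events": sorted({row.bounding_event for row in hit}),
    }


if __name__ == "__main__":
    for source in shared_sources(TABLE_3_ROWS):
        summary = combined_failure(TABLE_3_ROWS, source)
        print(source)
        for key, values in summary.items():
            print(f"  {key}: {', '.join(values)}")
```

The listing only groups what the tables state per system; whether the combined transient is bounded is the judgment the report makes separately.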


TABLE 4
FEEDWATER CONTROL SYSTEM FAULT TREE REFERENCED DOCUMENTS

FAULT TREE NO.: 1500
FAULT TREE TITLE: Feedwater Control System Malfunction

FAULT TREE NO.: 1501
FAULT TREE TITLE: Main Feedwater Control Valves FW173A & FW173B Fail Closed
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 199/9, 1500/11, 1502/13, 1503/2, 1516/11, 1517/8, 1518/9, 1519/3
EMDRAC DRAWING NO./REV NO.: 1564-3876, Sheet 33/12; 1564-3876, Sheet 31/12; 1564-3876, Sheet 34/12; 1564-4732/4; 1564-4733/3; 1564-6000/1; 1564-6002/3
INSTRUMENT LOCATION DRAWING NO./REV NO.: C-432508/8, C-428507/7, C-428S04/7
OTHER DOCUMENTS: Flow Diagram G-153 Sheet 4/Rev 22; PD&MD LOU-1564 B-289 Sheet 227/Rev 0

FAULT TREE NO.: 1502
FAULT TREE TITLE: Bypass Control Valves FW166A & FW166B Open Too Far and Fail Closed
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 199/9, 1500/11, 1502/13, 1503/2, 1516/11, 1517/8, 1518/9, 1519/3
EMDRAC DRAWING NO./REV NO.: 1564-3876, Sheet 31/12; 1564-3876, Sheet 3?/12; 1564-4732/4; 1564-4733/3; 1564-6000/1; 1564-6002/3
INSTRUMENT LOCATION DRAWING NO./REV NO.: G-432508/8, G-428S07/7, C-428SO9/7
OTHER DOCUMENTS: PD&MD LOU-1564 B-289 Sheet 227/Rev 0

FAULT TREE NO.: 1503
FAULT TREE TITLE: Main Feedwater Control Valves FW173A & FW173B Open Too Far
CWD (LOU-1564, B-424) SHEET NO./REV NO.: 199/9, 1509/11, 1502/13, 1503/2, 1516/11, 1517/8, 1518/9, 1519/3
EMDRAC DRAWING NO./REV NO.: 1564-3876, Sheet 31/12; 1564-3876, Sheet 32/12; 1564-4732/4; 1564-4733/3; 1564-6000/1; 1564-6002/3
INSTRUMENT LOCATION DRAWING NO./REV NO.: C-432500/8, G-428S07/7, C-428509/7
OTHER DOCUMENTS: PD&MD LOU-1564 B-289 Sheet 227/Rev 0

REACTOR REGULATING SYSTEM

A. System Description

The Reactor Regulating System (RRS) generates a reference temperature (Tref) as a function of turbine power as measured by turbine first stage pressure.

The Tref signal is used by the RRS as a temperature setpoint for automatic CEA control. In addition, using inputs of hot leg and cold leg temperatures, the RRS calculates the average reactor coolant temperature (Tavg). The Tavg signal is used as the primary feedback signal for automatic CEA control. The RRS also uses the Tavg signal to calculate the pressurizer level setpoint signal, and control actions of the Steam Bypass Control System.

B. Fault Tree Bases

The following bases are used in developing the fault tree:

a) Five cases of operation of the Reactor Regulating System are analyzed:

CASE 1 - CEDMCS receives process signal from RRS and causes inadvertent CEA withdrawal
CASE 2 - Pressurizer level setpoint signal unavailable from the RRS
CASE 3 - Pressurizer level setpoint signal abnormally high from the RRS
CASE 4 - Pressurizer level setpoint signal abnormally low from the RRS
CASE 5 - AWP signal is not generated from the inputs of the RRS

b) The cold leg RTD selector switches, HS-111 and HS-121, are selected to the "normal" position. Transmitters TT-RC-111Y and TT-RC-121Y will receive signals from RTD's TE-RC-111Y and TE-RC-121Y, respectively. Upon maintenance or failure of the "normal" RTD's, the operator can turn the selector switches to the "alternate" position so that transmitters TT-RC-111Y and TT-RC-121Y will receive signals from RTD's TE-RC-115 and TE-RC-125, respectively. Both cold leg and hot leg temperature signals are processed and inputted to either RRS cabinet CP-12A or CP-12B. The system will process the higher signal through an analog computer circuit to generate the setpoint signal.

c) The compensated temperature error and compensated power error signals are used for automatic CEA control.

d) Either RRS cabinet CP-12A or CP-12B is selected in service at one time.

e) No credit is taken for operator intervention.

f) The detailed evaluation of the effects of a RRS signal caused by sensor failure, impulse line rupture and power loss is presented in the fault trees.

g) The referenced documents for developing the fault trees are presented in Table 3.

C. Conclusions

a) An inadvertent control rod withdrawal could result from a spurious low signal of the selected excore neutron flux detectors X or Y, or a spurious high signal of the selected first stage turbine pressure sensor. No adverse effects will be noted from the above failures since high pressurizer pressure trip action will be automatically initiated. The effects and bounding events of these failures are presented in Table 1.

b) A spurious high Tavg signal will result in a high pressurizer level setpoint signal to the Pressurizer Level Control System. This could increase the charging flow to the pressurizer with the letdown flow path not isolated. The effects and bounding events of the sensor failure are presented in Table 1.

c) A spurious low Tavg signal will result in a low pressurizer level setpoint signal to the Pressurizer Level Control System, as well as make an AWP signal unavailable from the Reactor Regulating System and a CEA withdrawal signal. The effects and bounding events of the sensor failure are presented in Table 1.

d) There exists no single impulse line whose failure will result in the malfunction of the Reactor Regulating System.

e) Loss of power sources 120 VAC PDP 3AB1 and 120 VAC PDP 3014AB will result in no pressurizer level setpoint signal from the Reactor Regulating System to the Pressurizer Level Control System, and an AWP signal unavailable from the Reactor Regulating System to terminate the control rod withdrawal if required. The effects and bounding events of the loss of a single power source are presented in Table 2.

TABLE 1 - SENSOR FAILURE
REACTOR REGULATING SYSTEM

Sensor: FT-ES1001
Function: Turbine First Stage Pressure
Assumed failure direction: High
Effect:
A. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required.
B. CEA withdrawal signal is generated from Reactor Regulating System when it is not required.
Bounding event: FSAR Section 15.4.1.2 Uncontrolled CEA Withdrawal at Power

Sensor: FT-ES1002
Function: Turbine First Stage Pressure
Assumed failure direction: High
Effect:
A. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required.
B. CEA withdrawal signal is generated from Reactor Regulating System when it is not required.
Bounding event: FSAR Section 15.4.1.2 Uncontrolled CEA Withdrawal at Power

Sensor: X
Function: Excore Neutron Flux Detector Channel X
Assumed failure direction: Low
Effect:
A. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required.
B. CEA withdrawal signal is generated from Reactor Regulating System when it is not required.
Bounding event: FSAR Section 15.4.1.2 Uncontrolled CEA Withdrawal at Power

Sensor: Y
Function: Excore Neutron Flux Detector Channel Y
Assumed failure direction: Low
Effect:
A. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required.
B. CEA withdrawal signal is generated from Reactor Regulating System when it is not required.
Bounding event: FSAR Section 15.4.1.2 Uncontrolled CEA Withdrawal at Power

Sensor: TE-RC111X
Function: Reactor Coolant Hot Leg 1 Temperature
Assumed failure direction: Low
Effect:
A. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required.
B. CEA withdrawal signal is generated from Reactor Regulating System when it is not required.
C. Low pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System.
Bounding event: FSAR Section 15.4.1.2 Uncontrolled CEA Withdrawal at Power

Sensor: TE-RC111Y
Function: Reactor Coolant Cold Leg 1 Temperature
Assumed failure direction: Low
Effect:
A. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required.
B. CEA withdrawal signal is generated from Reactor Regulating System when it is not required.
C. Low pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System.
Bounding event: FSAR Section 15.4.1.2 Uncontrolled CEA Withdrawal at Power

Sensor: TE-RC115
Function: Reactor Coolant Cold Leg 1 Temperature
Assumed failure direction: Low
Effect:
A. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required.
B. CEA withdrawal signal is generated from Reactor Regulating System when it is not required.
C. Low pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System.
Bounding event: FSAR Section 15.4.1.2 Uncontrolled CEA Withdrawal at Power

Sensor: TE-RC121X
Function: Reactor Coolant Hot Leg 2 Temperature
Assumed failure direction: Low
Effect:
A. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required.
B. CEA withdrawal signal is generated from Reactor Regulating System when it is not required.
C. Low pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System.
Bounding event: FSAR Section 15.4.1.2 Uncontrolled CEA Withdrawal at Power

Sensor: TE-RC121Y
Function: Reactor Coolant Cold Leg 2 Temperature
Assumed failure direction: Low
Effect:
A. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required.
B. CEA withdrawal signal is generated from Reactor Regulating System when it is not required.
C. Low pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System.
Bounding event: FSAR Section 15.4.1.2 Uncontrolled CEA Withdrawal at Power

Sensor: TE-RC125
Function: Reactor Coolant Cold Leg 2 Temperature
Assumed failure direction: Low
Effect:
A. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required.
B. CEA withdrawal signal is generated from Reactor Regulating System when it is not required.
C. Low pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System.
Bounding event: FSAR Section 15.4.1.2 Uncontrolled CEA Withdrawal at Power

Sensor: TE-RC111X
Function: Reactor Coolant Hot Leg 1 Temperature
Assumed failure direction: High
Effect: High pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System
Bounding event: Charging flow increases. Pressurizer heaters are on and letdown flow path not isolated. Steady state will be reached at full power pressurizer level. Not considered significant for Chapter 15 event.

Sensor: TE-RC111Y
Function: Reactor Coolant Cold Leg 1 Temperature
Assumed failure direction: High
Effect: High pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System
Bounding event: Charging flow increases. Pressurizer heaters are on and letdown flow path not isolated. Steady state will be reached at full power pressurizer level. Not considered significant for Chapter 15 event.

Sensor: TE-RC121X
Function: Reactor Coolant Hot Leg 2 Temperature
Assumed failure direction: High
Effect: High pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System
Bounding event: Charging flow increases. Pressurizer heaters are on and letdown flow path not isolated. Steady state will be reached at full power pressurizer level. Not considered significant for Chapter 15 event.

Sensor: TE-RC121Y
Function: Reactor Coolant Cold Leg 2 Temperature
Assumed failure direction: High
Effect: High pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System
Bounding event: Charging flow increases. Pressurizer heaters are on and letdown flow path not isolated. Steady state will be reached at full power pressurizer level. Not considered significant for Chapter 15 event.

Sensor: TE-RC115
Function: Reactor Coolant Cold Leg 1 Temperature
Assumed failure direction: High
Effect: High pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System
Bounding event: Charging flow increases. Pressurizer heaters are on and letdown flow path not isolated. Steady state will be reached at full power pressurizer level. Not considered significant for Chapter 15 event.

Sensor: TE-RC125
Function: Reactor Coolant Cold Leg 2 Temperature
Assumed failure direction: High
Effect: High pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System
Bounding event: Charging flow increases. Pressurizer heaters are on and letdown flow path not isolated. Steady state will be reached at full power pressurizer level. Not considered significant for Chapter 15 event.

TABLE 2 - LOSS OF POWER SUPPLY
REACTOR REGULATING SYSTEM

Power source: 120VAC PDP 3AB1
Power operated components: Power supply to CP-12A & CP-12B
Effect:
A. No pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System
B. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate the control rod withdrawal if required.
Bounding event (effect A): Letdown flow path isolates, the lead charging pump continues running which could result in higher pressurizer level and pressure, and possibly to safety valve actuation. In addition, the RCS can be protected by the reactor trips from low DNBR and high pressurizer pressure. Not considered significant for Chapter 15 event.

Power source: 120VAC PDP 3014AB
Power operated components: Power supply to CP-30 & CP-31
Effect:
A. No pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System
B. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate the control rod withdrawal if required.
Bounding event (effect A): Letdown flow path isolates, the lead charging pump continues running which could result in higher pressurizer level and pressure, and possibly to safety valve actuation. In addition, the RCS can be protected by the reactor trips from low DNBR and high pressurizer pressure. Not considered significant for Chapter 15 event.

TABLE 3
REACTOR REGULATING SYSTEM FAULT TREE REFERENCED DOCUMENTS

Columns: Fault Tree No.; Fault Tree Title; CWD (LOU-1564, B-424) Sheet No./Rev No.; EMDRAC Drawing No./Rev No.; Setpoint Document System No./Page No./Rev No.; Instrument Location Drawing No./Rev No.; Other Documents

1600 Sheet 1  CEDMCS Receives CEA Withdraw Signal from RRS
  CWD sheet/rev: 198/10
  EMDRAC drawing/rev: 1564-1487/0; 1564-3174/6
  Other documents: FSAR Sections 7.2.1 & 7.7; PD&MD LOU-1564 B-289 Sheet 141/Rev 6

1600 Sheet 2  CEA Withdraw Signal from RRS Not Present
  CWD sheet/rev: 196/8, 197/6, 200/14, 204/12, 205/9, 206/11
  EMDRAC drawing/rev: 1564-2558/4; 1564-3174/6; 1564-3712 Sheet 6/13; 1564-3712 Sheet 7/10; 1564-3712 Sheet 8/10; 1564-3712 Sheet 9/10
  Other documents: FSAR Sections 7.2.1 & 7.7; PD&MD LOU-1564 B-289 Sheet 141/Rev 6; B-289 Sheet 227/Rev 0

1601  Pressurizer Level Setpoint Signal
  CWD sheet/rev: 196/8, 197/6, 200/14, 204/12, 205/9, 206/11
  EMDRAC drawing/rev: 1564-3714/6; 1564-3712 Sheet 6/15; 1564-3712 Sheet 7/10; 1564-3712 Sheet 8/10; 1564-3712 Sheet 9/10
  Other documents: FSAR Section 7.7; PD&MD LOU-1564 B-289 Sheet 141/Rev 6; B-289 Sheet 227/Rev 0

TURBINE CONTROL SYSTEM

A. System Description

The Main Turbine is controlled by a digital electrohydraulic (DEH) control system to control turbine valve movement. The system is designed to provide automatic speed/load control and overspeed protection for the turbine.

The flow of the main inlet steam is controlled by the governing valves. Each valve is actuated by an actuator assembly mounted directly on the valve. The valves are spring loaded and close automatically whenever the unit is tripped manually or automatically by protective signals.

The DEH controller positions the throttle and governor valves by electrohydraulic servo loops. The DEH Control System receives three feedbacks from the turbine: speed, generator MW output, and first stage pressure, which is proportional to the turbine load. The feedback signals are used to develop control signals to the turbine steam valves for speed/load control of the turbine and overspeed protection.

The turbine generator is provided with two overspeed protection systems:

a) Electrical
b) Mechanical

Electrical overspeed protection consists of an electrohydraulic control system that controls turbine overspeed in the event of a partial or complete loss of load, and if the turbine reaches or exceeds 103 percent of rated speed. It trips the turbine at 111.5 percent of rated speed.

Overspeed information is supplied via three reluctance pickup speed sensors coupled magnetically to a notched wheel of the turbine rotor.

A redundant and diverse means of tripping the turbine is provided by a centrifugal clutch which will drain the hydraulic fluid at 111% of rated speed.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Turbine Control System Malfunctions are defined as:

1) Failure of any throttle valve to close on demand.
2) Failure of any governor valve to close on demand.
3) Loss of turbine trip capability.
4) Turbine runback signal is not generated on demand.

b) The detailed evaluation of the effects on the Turbine Control System caused by sensor failure, impulse line rupture and power losses is presented in the fault trees.

c) The referenced documents for developing the fault trees are presented in Table 2.

C. Conclusions

a) The effects of power supply failure on the Turbine Control System are presented in Table 1. Loss of 120VAC PDP 384A will result in a turbine runback signal not being generated from the Steam Bypass Control System if required.

b) There exists no single sensor failure or impulse line rupture whose failure will result in failure of the Turbine Control System to fulfill its intended function.

TABLE 1 - LOSS OF POWER SUPPLY
TURBINE CONTROL SYSTEM

Power source: 120 VAC PDP 384A
Power operated components: Turbine Control System
Effect: Turbine runback signal is not generated from Steam Bypass Control System if required.
Bounding event: Turbine trip will occur on turbine overspeed. This event is bounded by FSAR Section 15.2.1.2 Turbine Trip.

TABLE 2
TURBINE CONTROL SYSTEM FAULT TREE REFERENCED DOCUMENTS

Columns: Fault Tree No.; Fault Tree Title; CWD (LOU-1564, B-424) Sheet No./Rev No.; EMDRAC Drawing No./Rev No.; Setpoint Document System No./Page No./Rev No.; Instrument Location Drawing No./Rev No.; Other Documents

1700  Turbine Control System Malfunction
  Other documents: FSAR Sections 7.7 & 10.4

1701  Turbine Runback Signal Not Generated on Demand
  CWD sheet/rev: 199/9, 1752/13
  EMDRAC drawing/rev: 1564-s'41/2
  Instrument location drawing/rev: C-427504/6

1702  Throttle Valves
  EMDRAC drawing/rev: 1564-9418/0
  Other documents: PD&MD LOU-1564 B-289 Sheet 227/Rev 0

1703  Governor Valves
  CWD sheet/rev: 1858/8
  EMDRAC drawing/rev: 1564-9418/0
  Instrument location drawing/rev: C-427504/6
  Other documents: PD&MD LOU-1564 B-289 Sheet 227/Rev 0

1704  Loss of Turbine Trip Capability
  CWD sheet/rev: 199/9, 1750/8, 1751/7, 1752/13, 1753/9, 1754/12, 1755/10, 1856/10, 2140/14, 2201/8, 2205/10
  EMDRAC drawing/rev: 1564-349/8; 1564-374/11
  Instrument location drawing/rev: C-427504/6
  Other documents: PD&MD LOU-1564 B-289 Sheet 227/Rev 0; SMP-987/0

1705  Loss of Load Signal Not Generated from SBCS
  CWD sheet/rev: 1685/7, 1686/4
  EMDRAC drawing/rev: 1564-4637/4; 1564-4641/2
  Instrument location drawing/rev: C-428507/7
  Other documents: PD&MD LOU-1564 B-289 Sheet 133/Rev 7 & Sheet 227/Rev 0; SMP-947/0

MAIN STEAM ATMOSPHERIC DUMP VALVE CONTROL SYSTEM

A. System Description

Each main steam line is provided with one atmospheric dump valve in order to permit the removal of heat from the NSSS and avoid challenging the steam generator code class safety relief valves. The ADV's are required whenever the main steam lines are isolated and during mild transients, in the event the main condenser is not available or the preferred main steam bypass control valves are not in proper operation.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Main Steam Atmospheric Dump Valve Control System malfunction is defined as one or more atmospheric dump valves inadvertently open.

b) No credit is taken for operator intervention.

c) The detailed evaluation of the effects on the Main Steam Atmospheric Dump Valve Control System caused by sensor failure, impulse line rupture and power losses is presented in the fault trees.

d) The referenced documents for developing the fault trees are presented in Table 2.

C. Conclusions

a) Failure of a main steam pressure transmitter (high signal) will generate a spurious high main steam pressure signal. This signal can cause an inadvertent opening of an atmospheric dump valve and depressurization of the main steam system. The effects of a single sensor failure are presented in Table 1.

b) There exists no single power source or impulse line whose failure will result in an inadvertent opening of the atmospheric dump valves.

3744b

Sheet 1 of 1

TABLE 2
MAIN STEAM ATMOSPHERIC DUMP VALVE CONTROL SYSTEM FAULT TREE REFERENCED DOCUMENTS

Columns: Fault Tree No.; Fault Tree Title; CWD (LOU-1564, B-424) Sheet No./Rev No.; EMDRAC Drawing No./Rev No.; Setpoint Document System No./Page No./Rev No.; Instrument Location Drawing No./Rev No.; Other Documents

1800  Main Steam Atmospheric Dump Valve Control System Malfunction
  CWD sheet/rev: 1643/6, 1658/9, 2912/10
  EMDRAC drawing/rev: 5817-1098/4; 5817-1099/3; 5817-1100/3; 5817-1943/2; 5817-1944/5; 5817-1945/4

TABLE 1 - SENSOR FAILURE
MAIN STEAM ATMOSPHERIC DUMP VALVE CONTROL SYSTEM

Sensor: FT-MS0303AS
Function: Main Steam Pressure A
Assumed failure direction: High
Effect: Main Steam System depressurizes. Atmospheric Dump Valve MS116A inadvertently opens.
Bounding event: FSAR Section 15.1.1.4 Inadvertent Opening of a Steam Generator Atmospheric Dump Valve or Steam Generator Safety Valve

Sensor: FT-MS0303a5
Function: Main Steam Pressure B
Assumed failure direction: High
Effect: Main Steam System depressurizes. Atmospheric Dump Valve MS116B inadvertently opens.
Bounding event: FSAR Section 15.1.1.4 Inadvertent Opening of a Steam Generator Atmospheric Dump Valve or Steam Generator Safety Valve

BORON CONTROL SYSTEM

A. System Description

The Chemical and Volume Control System (CVCS) dilution and boration modes are utilized to achieve the control of the boron concentration in the reactor coolant system. The analyzed mode of operation is the CVCS normal dilution mode, which supplies primary grade water into the RCS via the primary makeup portion of the CVCS.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Failure of the boron control function of the Chemical and Volume Control System is defined as any subsystem malfunction which would lead to an uncontrolled dilution of the reactor coolant system and an excess reactivity insertion.

b) The boron control function of the CVCS is manually placed in the normal dilution mode.

c) The Boron Monitoring System is not used to determine the reactor coolant boron concentration.

d) The detailed evaluation of the CVCS dilution malfunctions caused by sensor failure, impulse line rupture and power losses is presented in the fault trees.

e) The referenced documents for developing the fault trees are presented in Table 1.

C. Conclusion

a) For the normal dilution path there exists no single power source, sensor, or impulse line whose failure will result in an uncontrolled reactor coolant overdilution event.

Sheet 1 of 2

TABLE 1 - SENSOR FAILURE
BORON CONTROL SYSTEM FAULT TREE REFERENCED DOCUMENTS

Columns: Fault Tree No.; Fault Tree Title; CWD (LOU-1564, B-424) Sheet No./Rev No.; EMDRAC Drawing No./Rev No.; Setpoint Document System No./Page No./Rev No.; Instrument Location Drawing No./Rev No.; Other Documents

1900  Boron Control System Malfunction
  Other documents: FSAR Section y,y; Flow Diagrams G-168, Sheet 1/19 and G-168, Sheet 2/21

1901 Sheets 1&2  Charging Pump A&B Running
  CWD sheet/rev: 199/9, 273/10, 274/10, 275/8, 365/9, 366/10, 375/6, 376/10, 2341/7, 2343/4, 2391/9, 2393/6
  EMDRAC drawing/rev: 1564-3875 Sheet 15/13; 1564-3875 Sheet 16/13; 1564-4090 Sheet 15/8
  Setpoint document system/page/rev: 52B/5/8
  Instrument location drawing/rev: G-427S07/7
  Other documents: PD&MD LOU-1564 B-289 Sheet 227/Rev 0

1902  Charging Pump AB Running
  CWD sheet/rev: 170/10, 199/9, 273/10, 274/10, 275/8, 370/8, 371/10
  EMDRAC drawing/rev: 1564-3875, Sheet 15/13; 1564-3875, Sheet 16/13; 1564-4090, Sheet 13/8; 1564-4091, Sheet 15/18
  Setpoint document system/page/rev: 52B/5/8
  Instrument location drawing/rev: G-420S07/7
  Other documents: PD&MD LOU-1564 B-289 Sheet 227/Rev 0

1903  Volume Control Tank Discharge Valve CVC 183 Open
  CWD sheet/rev: 199/9, 322/10, 327/9
  EMDRAC drawing/rev: 1564-3876, Sheet 15/12
  Setpoint document system/page/rev: 53A/4/8
  Instrument location drawing/rev: G-432505/8

1904  Reactor Makeup Stop Valve CVC 510 Open
  CWD sheet/rev: 199/9, 322/9, 355/7, 356/6, 357/8
  EMDRAC drawing/rev: 1564-3876, Sheet 14/12
  Setpoint document system/page/rev: 53A/4/8
  Instrument location drawing/rev: G-432505/8

Sheet 2 of 2

1905  tsal Flow Control Valve Peti 144 Opens Too Far
  CWD sheet/rev: 199/9, 3M/9, 3M/6, 351/8
  EMDRAC drawing/rev: 1564-3876, Sheet 16/12; 1564-6002/3
  Instrument location drawing/rev: G-432502/7

1906  Primary Water Makeup Pumps A&B Running
  CWD sheet/rev: 1357/9, 1358/6

PLANT PROTECTION SYSTEM

A. System Description

The Plant Protection System generates the Engineered Safety Feature Actuation System (ESFAS) signals. These signals serve as interlocking circuits to de-energize auxiliary relays to control the power operated components. The ESFAS signals investigated in the system fault tree analysis are: a) Safety Injection Actuation Signal (SIAS); b) Main Steam Isolation Signal (MSIS); and c) Containment Isolation Actuation Signal (CIAS). For parameters that initiate ESFAS signals on low process output signals, transmitter failure, or loss of auctioneered power supplies to its Process Protective Cabinets, will cause its associated bistable relay to de-energize.

B. Fault Tree Bases

The following assumptions are used in developing the fault tree:

a) The ESFAS auxiliary relay contacts ((a) open and (b) close) are defined as the inability to de-energize the coil when ESFAS signals are generated.

b) The ESFAS auxiliary relay contacts ((a) close and (b) open) are defined as the inability to energize the coils when ESFAS signals are not generated.

c) All relays (bistable, matrix, solid-state, ESFAS auxiliary) are not selected for their test mode.

d) The operator has not initiated the ESFAS signals manually.

e) The detailed evaluation of the effect on ESFAS signals caused by sensor failure, impulse line rupture and power losses is presented in the fault trees.

f) The referenced documents for developing the fault trees are presented in Table 1.

C. Conclusions

a) Each process parameter of ESFAS signals has four redundant measurement channels associated with it. Each type of ESFAS signal is generated by at least two out of four measurement channels reaching their predetermined setpoint. Therefore, the loss of any one channel power source, sensor or any single impulse line rupture will not affect the system function.
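The two-out-of-four coincidence argument in conclusion a) can be checked by enumeration. The sketch below is an added example, not part of the report: channel names A-D and the "failed untripped" mode are assumptions, and it goes one step beyond the report by also enumerating two and three simultaneous channel failures to show where the single-failure margin ends.

```python
"""Single-failure check of two-out-of-four ESFAS coincidence logic (added example)."""
from itertools import combinations, product

# Channel names are placeholders; the report only states that each process
# parameter has four redundant measurement channels.
CHANNELS = ("A", "B", "C", "D")

HEALTHY = "healthy"
# Transmitter failure or loss of channel power de-energizes the bistable
# relay, so the coincidence logic sees that channel as tripped.
FAILED_TRIPPED = "failed_tripped"
# Assumed second failure mode: the channel can no longer reach its setpoint.
FAILED_UNTRIPPED = "failed_untripped"


def bistable_tripped(state, process_demand):
    """Return True if this channel presents a trip to the coincidence logic."""
    if state == FAILED_TRIPPED:
        return True
    if state == FAILED_UNTRIPPED:
        return False
    return process_demand  # healthy channel follows the real process


def esfas_actuates(channel_states, process_demand, required=2):
    """Two-out-of-four vote: actuate when at least `required` channels trip."""
    tripped = sum(
        bistable_tripped(channel_states[ch], process_demand) for ch in CHANNELS
    )
    return tripped >= required


def analyze(n_failures):
    """Enumerate every set of n failed channels in every failure mode.

    Returns (spurious, missed):
      spurious - cases that actuate ESFAS with no real process demand
      missed   - cases that fail to actuate ESFAS on a real process demand
    Each case is a tuple of (channel, failure_mode) pairs.
    """
    spurious, missed = [], []
    modes = (FAILED_TRIPPED, FAILED_UNTRIPPED)
    for failed in combinations(CHANNELS, n_failures):
        for assignment in product(modes, repeat=n_failures):
            states = dict.fromkeys(CHANNELS, HEALTHY)
            states.update(zip(failed, assignment))
            case = tuple(zip(failed, assignment))
            if esfas_actuates(states, process_demand=False):
                spurious.append(case)
            if not esfas_actuates(states, process_demand=True):
                missed.append(case)
    return spurious, missed


if __name__ == "__main__":
    for n in (1, 2, 3):
        spurious, missed = analyze(n)
        print(f"{n} failed channel(s): "
              f"{len(spurious)} spurious actuation case(s), "
              f"{len(missed)} missed actuation case(s)")
```

With one failed channel neither list has any entries, which is the report's conclusion; spurious actuation first appears with two channels failed in the tripped state, and a missed actuation only with three channels unable to trip.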

Sheet 1 of 5

TABLE 1
PLANT PROTECTION SYSTEM FAULT TREE REFERENCED DOCUMENTS

Columns: Fault Tree No.; Fault Tree Title; CWD (LOU-1564, B-424) Sheet No./Rev No.; EMDRAC Drawing No./Rev No.; Setpoint Document System No./Page No./Rev No.; Instrument Location Drawing No./Rev No.; Other Documents

2000 Sheets 1&2  Safety Injection Actuation Signal Present
  CWD sheet/rev: 160/6, 165/4, 199/9
  EMDRAC drawing/rev: 1564-648/2; 1564-656/4; 1564-657/3; 1564-668/4; 1564-669/4; 1564-670/4; 1564-671/4; 1564-672/4; 1564-734/3; 1564-4090/8; 1564-4091/8; 1564-4092/9; 1564-4093/9; 1564-6410/3; 1564-6411/4; 1564-7463/1
  Instrument location drawing/rev: C-428507/7
  Other documents: FSAR Section 7.3

Sheet 2 of 5

2001 Sheets 1&2  Safety Injection Actuation Signal Not Present
  CWD sheet/rev: 160/6, 165/4, 199/9
  EMDRAC drawing/rev: 1564-648/2; 1564-656/4; 1564-657/3; 1564-667/4; 1564-668/4; 1564-669/4; 1564-670/4; 1564-671/4; 1564-672/4; 1564-734/3; 1564-4090/8; 1564-4091/8; 1564-4092/9; 1564-4093/9; 1564-6410/3; 1564-6411/4; 1564-7443/1

Sheet 3 of 5

2002  Containment Isolation Actuation Signal Present
  CWD sheet/rev: 160/6, 165/4, 199/9
  EMDRAC drawing/rev: 1564-648/2; 1564-656/4; 1564-657/3; 1564-667/4; 1564-668/4; 1564-669/4; 1564-670/4; 1564-671/4; 1564-672/4; 1564-734/3; 1564-4090/8; 1564-4091/8; 1564-4092/9; 1564-4093/9; 1564-6410/3; 1564-6411/4; 1564-7463/1
  Instrument location drawing/rev: C-428507/7
  Other documents: FSAR Section 7.3

Sheet 4 of 5

2003 Sheets 1&2  Main Steam Isolation Signal Present
  CWD sheet/rev: 160/6, 165/4, 199/9
  EMDRAC drawing/rev: 1564-648/2; 1564-656/4; 1564-657/3; 1564-667/4; 1564-668/4; 1564-669/4; 1564-670/4; 1564-671/4; 1564-672/4; 1564-734/3; 1564-4090/8; 1564-4091/8; 1564-4092/9; 1564-4093/9; 1564-6410/3; 1564-6411/4; 1564-7443/1
  Instrument location drawing/rev: C-428507/7, C-428508/7
  Other documents: FSAR Section 7.3

Sheet 5 of 5

2004 Sheets 1&2  Main Steam Isolation Signal Not Present
  CWD sheet/rev: 160/6, 165/4, 199/9
  EMDRAC drawing/rev: 1564-648/2; 1564-656/4; 1564-657/3; 1564-667/4; 1564-668/4; 1564-669/4; 1564-670/4; 1564-671/4; 1564-672/4; 1564-734/3; 1564-4090/8; 1564-4091/8; 1564-4092/9; 1564-4093/9; 1564-6410/3; 1564-6411/4; 1564-7443/1
  Instrument location drawing/rev: C-428507/7, C-428508/7
  Other documents: FSAR Section 7.3

1 Eli

)

e3 W3 M

C CD W

INSTRUMENT AIR SYSTEM

A. System Description

The instrument air system is a process auxiliary system whose function is to deliver dry, filtered, oil free compressed air to meet pneumatic instrument and control requirements. The system consists of two 100% capacity air compressors aligned in parallel which feed a common distribution header.

The instrument air system can also be fed from the station air system through a cross connecting self actuated pressure control valve.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Failure of the instrument air system is defined as the "loss of instrument air supply to components inside containment" or "loss of instrument air supply to balance of plant components," as required.

b) The detailed evaluation of the loss of instrument air supply events caused by sensor failure, impulse line rupture and power losses is presented in the fault trees.

c) The referenced documents for developing fault trees are presented in Table 2.

C. Conclusions

a) A loss of instrument air supply to components inside containment will occur upon loss of 120 VAC PDP 390-SA which will cause the single, fail closed, containment isolation valve IA940 to cycle closed. This will isolate components located inside containment from their required instrument air supply source causing them to assume their respective failed positions. The effects of loss of power supply are presented in Table 1.


b) Due to the redundant, independent power supplies to the full capacity air compressors, loss of a single power source will not result in a loss of instrument air supply to balance of plant components.

c) There exists no single sensor or impulse line whose failure will result in a loss of instrument air supply to any air operated component.
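The conclusions above amount to a search for order-one cut sets in the instrument air fault trees. The sketch below is an added illustration, not part of the study: the gate structure follows the text (two full capacity compressors on independent power supplies, one fail closed containment isolation valve powered from 120 VAC PDP 390-SA), while the compressor power source labels are hypothetical because the study's fault trees are not reproduced on this page.

```python
from itertools import combinations

def AND(*kids): return ("AND", kids)
def OR(*kids):  return ("OR", kids)

def occurs(node, failed):
    """True if the event at `node` occurs when the basic events in `failed` fail."""
    if isinstance(node, str):              # leaf: a basic event (a power source)
        return node in failed
    gate, kids = node
    hits = (occurs(k, failed) for k in kids)
    return all(hits) if gate == "AND" else any(hits)

def basic_events(node):
    """Collect every basic event named anywhere in the tree."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(k) for k in node[1]))

def minimal_cut_sets(tree, max_order=2):
    """Smallest sets of basic events (up to max_order) that cause the top event."""
    events, found = sorted(basic_events(tree)), []
    for order in range(1, max_order + 1):
        for combo in combinations(events, order):
            candidate = set(combo)
            if any(cut <= candidate for cut in found):
                continue                   # contains a smaller cut set, so not minimal
            if occurs(tree, candidate):
                found.append(candidate)
    return found

def single_failures(tree):
    """Basic events that cause the top event on their own (order-one cut sets)."""
    return [next(iter(cut)) for cut in minimal_cut_sets(tree, max_order=1)]

# Hypothetical labels for the two independent compressor power supplies.
HEADER_LOST = AND("COMPRESSOR_A_POWER", "COMPRESSOR_B_POWER")

# Top events as defined in the Fault Tree Bases.
BALANCE_OF_PLANT = HEADER_LOST
# Inside containment: header lost, or the isolation valve loses PDP 390-SA and closes.
INSIDE_CONTAINMENT = OR(HEADER_LOST, "PDP 390-SA")

if __name__ == "__main__":
    print("inside containment:", single_failures(INSIDE_CONTAINMENT))
    print("balance of plant:  ", single_failures(BALANCE_OF_PLANT))
```

A single failure of concern is a cut set of order one; redundancy shows up as the lowest-order cut set moving to order two.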


Sheet 1 of 1

TABLE 1 - LOSS OF POWER SUPPLY
INSTRUMENT AIR SYSTEM

POWER SOURCES: 120 VAC PDP 390-SA

POWER OPERATED COMPONENTS: Instrument Air containment isolation valve IA 900
EFFECT: Containment isolation valve IA 900 closed
BOUNDING EVENT: FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction Which Causes an Increase in Reactor Coolant System Inventory

POWER OPERATED COMPONENTS: The following components will be affected by loss of instrument air supply:
1) Letdown Line Isolation Valve CVC 103
2) Letdown Stop Valve CVC 101
3) Pressurizer Normal Spray Valves RC301A and RC301B
EFFECT: Letdown flow path isolated.
1) Letdown line isolation valve CVC 103 closed and,
2) Letdown flow path isolated, letdown stop valve CVC 101 closed
3) Pressurizer normal spray valves RC301A and RC301B remain closed


Sheet 1 of 1

TABLE 2
INSTRUMENT AIR SYSTEM
FAULT TREE REFERENCED DOCUMENTS

Column headings: FAULT TREE NO.; FAULT TREE TITLE; CWD (LOU-1564, B-424) SHEET NO./REV NO.; EMDRAC DRAWING NO./REV NO.; SETPOINT DOCUMENT SYSTEM NO./PAGE NO./REV NO.; INSTRUMENT LOCATION DRAWING NO./REV NO.; OTHER DOCUMENTS

2100 Instrument Air Unavailable
CWD sheets: 99n/7, 992/10, 997/8, 2331/6, 2232/11, 2340/F, 2301/8, 2382/8, 2390/9
C-427503/6
FSAR Section 9.3.1
Flow Diagrams C-152 Sheet 1/Rev 2, C-157 Sheet 1/Rev 23

2101 Air Supply from Station Air Compressors A, B & C Unavailable
CWD sheets: 945/6, 907/6, 909/0, 2416/7, 2446/2
C-427503/6
FSAR Section 9.3.1
Flow Diagrams C-152 Sheet 1/Rev 2, C-157 Sheet 1/Rev 23


ELECTRIC POWER DISTRIBUTION SYSTEM

A. System Description

The Electric Power Distribution System provides power to the power operated components, sensors and control systems. The distribution system consists of: (1) the transformers, buses and motor control centers necessary to provide the correct voltage as required, and (2) interconnecting breakers and cables between the various transformers, buses, motor control centers and power distribution panels.

B. Fault Tree Bases

The following bases are used in developing the fault trees:

a) Failure of the electric power distribution system is defined as sudden and complete loss of voltage to any transformer, bus, motor control center, power distribution panel or interconnecting breaker whose failure will in turn cause one or more control system failures.

b) No credit is taken for operator intervention in either changing tie breaker positions from their normal alignment or operating manual breakers.

c) Passive component failures are not considered in this analysis.

d) Failure of the 125VDC buses and 120VAC vital buses can result from either induced failures due to simultaneous loss of the normal supply source, alternate supply source and the associated DC battery or by an independent bus failure. Loss of voltage from the DC battery sources is not considered a credible event.

e) The detailed evaluation of the Electric Power Distribution System is presented in the fault trees.

f) The referenced documents for developing the fault trees are presented in Table 2.


C. Conclusions

a) Analysis of the control systems has identified that failure of the following low voltage (120VAC and 125VDC) buses will result in a malfunction in one or more control systems.

1) 120VAC PDP 3014AB
2) 120VAC PDP 384A
3) 120VAC PDP 390-SA
4) 125VDC PDP 3AB-DC-A
5) 125VDC PDP 3AB-DC-B
6) 120VAC PDP 3AB1

The effects and their bounding events of the above single power bus failure are presented in Table 1.


Sheet 1 of 3

TABLE 1 - LOSS OF POWER SUPPLY
ELECTRIC POWER DISTRIBUTION SYSTEM

POWER SOURCES: 120VAC PDP 390-SA

POWER OPERATED COMPONENTS: Instrument Air Containment Isolation Valve IA 908
EFFECT: Containment Isolation Valve IA 900 closed
BOUNDING EVENT: The combined effects are bounded by FSAR Section 15.5.1.1 Chemical and Volume Control System Malfunction that Increases Reactor Coolant System Inventory

POWER OPERATED COMPONENTS: The following components will be affected by loss of instrument air supply:
1) Letdown line isolation valve CVC103
2) Letdown stop valve CVC101
3) Pressurizer normal spray valves RC301A and RC301B
EFFECT: Letdown flow path isolated,
1) Letdown line isolation valve CVC103 closed and,
2) Letdown flow path isolated, letdown stop valve CVC101 closed
3) Pressurizer normal spray valves RC301A and RC301B remain closed

POWER SOURCES: 120VAC PDP 384A

POWER OPERATED COMPONENTS: Steam Bypass Control System (Power Supply to CP-5)
EFFECT: Steam bypass control valves fail to open or modulate on demand

POWER OPERATED COMPONENTS: Turbine Control System (Power Supply to CP-5)
EFFECT: Turbine runback signal is not generated from Steam Bypass Control System if required

BOUNDING EVENT: The combined effects are bounded by FSAR Section 15.2.1.3 Loss of Condenser Vacuum

POWER SOURCES: 120VAC PDP 3014AB

POWER OPERATED COMPONENTS: Reactor Regulating System (Power Supply to CP-30&CP-31)
EFFECT:
A. No pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System

Sheet 2 of 3

B. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate the control rod withdrawal if required

POWER OPERATED COMPONENTS: Pressurizer Level Control System (Power Supply to CP-30&CP-31)
EFFECT: Letdown flow path isolated. Letdown flow control valves CVC111A and CVC113B fail closed. However, the lead charging pump continues running which could result in higher pressurizer level and pressure, possibly lead to safety valve actuation.

POWER OPERATED COMPONENTS: Pressurizer Pressure Control System (Power Supply to CP-30&CP-31)
EFFECT: Normal spray valves RC301A and RC301B fail to open on demand

POWER OPERATED COMPONENTS: Steam Bypass Control System (Power Supply to CP-30)
EFFECT: Steam bypass control valves fail to open or modulate on demand

POWER OPERATED COMPONENTS: Feedwater Control System (Power Supply to CP-11A, CP-11B&CP-29)
EFFECT: Main feedwater control valves FW173A, 173B and bypass feedwater control valves FW166A and 166B fail closed resulting in loss of normal feedwater to steam generators 1 and 2

BOUNDING EVENT: The combined effects are bounded by FSAR Section 15.2.3.1 Feedwater System Pipe Breaks. The RCS is protected during this transient by the reactor trips from steam generator low level, low pressure and low DNBR and high pressurizer pressure

Sheet 3 of 3

POWER SOURCES: 120VAC PDP 3AB1

POWER OPERATED COMPONENTS: Reactor Regulating System (Power Supply to CP-12A&CP-12B)
EFFECT:
A. No pressurizer level setpoint from Reactor Regulating System to Pressurizer Level Control System
B. Automatic Withdrawal Prohibit (AWP) signal is not generated from Reactor Regulating System to terminate control rod withdrawal if required
BOUNDING EVENT: Letdown flow path isolates, the lead charging pump continues running which could result in higher pressurizer level and pressure, and possibly lead to safety valve actuation. In addition, the RCS can be protected by the reactor trips from low DNBR and high pressurizer. Not considered significant for Chapter 15 event

POWER SOURCES: 125VDC PDP 3AB-DC-A

POWER OPERATED COMPONENTS: Steam Bypass Control Valves MS319A, MS319C and MS320A
EFFECT: Steam bypass control valves MS319A, MS319C and MS320A fail to open or modulate on demand
BOUNDING EVENT: FSAR Section 15.2.1.3 Loss of Condenser Vacuum

POWER SOURCES: 125VDC PDP 3AB-DC-B

POWER OPERATED COMPONENTS: Steam Bypass Control Valves MS319B, MS320B and MS320C
EFFECT: Steam bypass control valves MS319B, MS320B and MS320C fail to open or modulate on demand
BOUNDING EVENT: FSAR Section 15.2.1.3 Loss of Condenser Vacuum

Sheet 1 of 2

TABLE 2
ELECTRIC POWER DISTRIBUTION SYSTEM
FAULT TREE REFERENCED DOCUMENTS

Column headings: FAULT TREE NO.; FAULT TREE TITLE; CWD (LOU-1564, B-424) SHEET NO./REV NO.; EMDRAC DRAWING NO./REV NO.; SETPOINT DOCUMENT SYSTEM NO./PAGE NO./REV NO.; INSTRUMENT LOCATION DRAWING NO./REV NO.; OTHER DOCUMENTS

2200 120 VAC PDP 3014AB
Diagram 140 5817 Ce.247-501/ 4

2201 120 VAC PDP 384A
ggg LOU 1564 B-289 Sheet 133/Rev 8

2202 125 VDC PDPS 3A-DC-S, 3AB-DC-5, 3AS-DC-A & 3Al-DC-5
Diagram G-287/Rev 4

2203 120 VAC PDP 3AB1
Diagram LOU 1564 G-287/Rev 4

2204 120 VAC PDP 390-SA
Diagram LOU 1564 G-287/Rev 4

Sheet 2 of 2

TABLE 2
ELECTRIC POWER DISTRIBUTION SYSTEM
FAULT TREE REFERENCED DOCUMENTS

2205 480V MCC Buses 3A311-5, 3A312-5, 3A313-5 & us311-3 Feeder Breakers Open
CWD sheets: 2340/6, 2479/5, 2400/5, 2481/5, 2531/7
Other documents: One Line Diagram LOU 1564 G-286/Rev 7

2206 480V MCC Bus 3A3312 Feeder Breaker Open
CWD sheets: 2411/6, 2532/6
Other documents: One Line Diagram LOU 1564 G-286/Rev 7

OVERSIZE DOCUMENT PAGE PULLED SEE APERTURE CARDS NUMBER OF PAGES: h 6 7) b *Q/

APERTURE CARD/HARD COPY AVAILABLE FROM RECORD SERVICES BRANCH, TIDC FTS 492-8989