ML20206G072

From kanterella
Rev 0, Nonsafety-Related Control Sys Failure Analysis, Final Rept
ML20206G072
Site: Clinton
Issue date: 05/20/1988
From: QUADREX CORP.
Shared Package: ML19295G693
References: QUAD-1-87-004, QUAD-1-87-004-R00, QUAD-1-87-4, QUAD-1-87-4-R, NUDOCS 8811220037
Download: ML20206G072 (49)


Text

QUAD-1-87-004
NONSAFETY-RELATED CONTROL SYSTEMS FAILURE ANALYSIS
FINAL REPORT

Prepared for: ILLINOIS POWER COMPANY, Clinton Power Station, Purchase Order P.O. 503142

Prepared by: QUADREX ENERGY SERVICES CORPORATION, 1700 Dell Avenue, Campbell, CA 95008

Revision No. 0, Date Released 5/20/88
8811220037 881118 PDR ADOCK 05000461 P PDC

QUAD-1-87-004 Table of Contents

1.0 INTRODUCTION 1-1
2.0 ANALYSIS METHODOLOGY 2-1
2.1 Combinatory Qualitative Event Analysis 2-1
2.2 Identification of Nonsafety Control Systems 2-2
2.3 Event Categorization 2-6
2.4 Single Active Failure Analysis 2-7
3.0 DETAILED FAILURE ANALYSIS 3-1
3.1 Loss of Feedwater Heating Combined With Nonsafety-Related Control System Failures 3-1
3.2 Feedwater Controller Failure Combined With Nonsafety-Related Control System Failures 3-9
3.3 Turbine Pressure Regulator Failure Combined With Nonsafety-Related Control System Failures 3-11
3.4 Safety/Relief Valve Opening 3-12
3.5 Inadvertent RHR Shutdown Cooling Operation 3-13
3.6 Generator Load Rejection With No Turbine Bypass Combined With Nonsafety-Related Control System Failures 3-14
3.7 Turbine Trip Combined With Nonsafety-Related Control System Failures 3-15
3.8 Closure of Main Steam Line Isolation Valves Combined With Nonsafety-Related Control System Failures 3-15
3.9 Loss of Condenser Vacuum Combined With Nonsafety-Related Control System Failures 3-16
3.10 Feedwater Line Break Combined With Nonsafety-Related Control System Failures 3-16
3.11 Loss of Instrument Air Combined With Nonsafety-Related Control System Failures 3-18
3.12 Large Steam Pipe Break Outside Containment Combined With Nonsafety-Related Control System Failures 3-19
3.13 Loss of Coolant Accident Inside Containment Combined With Nonsafety-Related Control System Failures 3-21
3.14 Main Condenser Offgas Treatment System Failure Combined With Nonsafety-Related Control System Failures 3-23
4.0 LOSS OF FEEDWATER HEATING WITH TURBINE TRIP AND NO TURBINE BYPASS 4-1
5.0 CONCLUSION 5-1
6.0 GUIDE TO NRC QUESTIONS 1 THROUGH 6 AND RESPONSES 6-1
APPENDIX A SPECIAL TRANSIENT EVENT ANALYSIS TO SUPPORT CONTROL SYSTEM FAILURE ANALYSIS FOR CLINTON POWER STATION
DRAWING ILL-0948E1, Rev. 0, Non-Class 1E Electrical Power Distribution Bus Tree

1.0 INTRODUCTION

This report describes the analysis performed by Quadrex to determine the effects of multiple nonsafety-related control system failures at Illinois Power Company's (IPC) Clinton Power Station (CPS). The object of this analysis is to determine whether the consequences of such multiple control system failures are bounded by CPS Final Safety Analysis Report (FSAR) Chapter 15 events and whether the failures would have an adverse effect on the ability to achieve plant cold shutdown conditions. The analysis was performed in accordance with IPC's Specification for Engineering Services to perform a Control Systems Failure Analysis, Spec. No. K-10,001 of December 5, 1986 and Attachment A-1, Control Systems Failure Analysis, Nuclear Regulatory Commission Questions. This report incorporates the information provided in the earlier Quadrex report, QUAD-1-82-244, "Control Systems Failure Review and Evaluation Program Final Report," dated November 12, 1982, as prepared for IPC.

Section 2 of this report details the analytical methodology. Section 3 presents a detailed discussion of the multiple Control Systems Failure Analysis for each failure combination. Section 4 is the FSAR section prepared by General Electric for the one failure event determined to be outside the bounds of the CPS FSAR Chapter 15. The conclusions of this analysis are presented in Section 5. Section 6 gives a roadmap to NRC questions and responses. This report also includes Drawing ILL-0948E1, Non-Class 1E Electrical Power Distribution Bus Tree, which shows all non-Class 1E buses, their sources and the loads supplied from the buses.

The referenced documents used for this analysis are listed in the addendum to this report (QUAD-1-87-004A).

2.0 ANALYSIS METHODOLOGY

The methodology used in the multiple Control Systems Failure Analysis (CSFA) consists of the subtasks listed below. The analysis was performed using the CPS FSAR, plant design drawings, operating procedures, technical specifications and other applicable documents.

2.1 Combinatory Qualitative Event Analysis

The CPS CSFA was performed using the "TOP-DOWN" methodology. The TOP-DOWN approach is based on the following two assumptions:

1. FSAR Chapter 15 identifies all possible initiating event mechanisms, and
2. any combination of nonsafety-related control system failures can occur to further exacerbate the effects of the original initiating event.

The TOP-DOWN methodology is all-inclusive, i.e., all combinations of nonsafety-related control system failures are considered likely to occur regardless of power source, common instrument sensor, or proximity to a high energy line.

The combinatory qualitative event analysis postulates the possible failure modes of each nonsafety control system, identifies the initiating event(s), if possible, and identifies the most limiting combinations of nonsafety control system failures. Each FSAR Chapter 15 initiating event was reviewed to determine if the event was possible considering the initiating source of failure for this analysis, i.e., common power bus failure, common instrument sensor failure, or high energy line break. Each FSAR Chapter 15 event scenario was then further reviewed to determine if the nonsafety control system failures postulated could exacerbate the event such that the effects are beyond the bounds of the existing FSAR Chapter 15 analysis. The criteria for this determination were based on a qualitative analysis of how the nonsafety control system failures affect the transient in terms of reactor parameters (i.e., minimum critical power ratio (MCPR), peak vessel pressure, suppression pool temperature, or dose release).

In this analysis, the FSAR Chapter 15 events were not modified; rather, they were considered initiating events that were examined for potential exacerbation by nonsafety control system failures. The FSAR Chapter 15 events represent the limiting condition scenarios in each transient and accident category. Adding the effects of all combinations of nonsafety control system failures to each FSAR Chapter 15 event results in the identification of the complete set of potential transient and accident events with regard to the CSFA. This ensures that the effects of all potential nonsafety control system failures are defined and included in each of the FSAR Chapter 15 events, and considered for overall impact.

2.2 Identification of Nonsafety Control Systems

The first step in the analysis sequence consisted of the preparation of a complete list of nonsafety control systems.

A control system, for purposes of this analysis, was considered to be a system that has the capability to influence plant operation either directly or indirectly, in an active manner. Systems comprised of structures alone or information systems that merely provide alarms, annunciations, or information to the control room operators were not considered. Since the TOP-DOWN approach considers the worst case failure effects of all nonsafety systems individually and in combination, power bus failure is an inherent part of this TOP-DOWN analysis. In addition, the "long-term" effects of failure of heating, ventilation, and air-conditioning (HVAC) systems were not considered, since 1) their localized effect on nonsafety control system failure is a part of this analysis, and 2) operator reaction to HVAC failure will mitigate the event in a relatively short time.

The following list was prepared using the nonsafety-related control systems identified in FSAR Section 7.7.

1. Reactor Vessel Instrumentation
2. Rod Control and Information System
3. Recirculation Flow Control System
4. Feedwater Control System
5. Pressure Regulator and Turbine-generator System
6. Neutron Monitoring System -- Traversing In-core Probe
7. Performance Monitoring System
8. Reactor Water Cleanup System
9. Area Radiation Monitoring System
10. Gaseous Radwaste System
11. Liquid Radwaste System
12. Solid Radwaste System
13. Auxiliary Building HVAC System
14. Fuel Building HVAC System
15. Drywell Cooling System
16. Drywell Purge System
17. Containment Building HVAC System
18. Radwaste Building HVAC System
19. Process Radiation Monitoring System
20. Fire Protection and Suppressant System
21. Display Control System
22. Source Range Monitoring System
23. Main Control Room Annunciator System
24. Leak Detection System
25. Anticipated Transient Without Scram System

These systems were reviewed using CPS documents to determine the effects of their failure on reactor parameters or in influencing plant operation. Those systems whose failure would not affect reactor parameters or influence plant operation were eliminated from further analysis as a result of the review. The systems whose failure could affect reactor parameters (i.e., MCPR, peak vessel pressure, suppression pool temperature, or dose release), initiate safety-related systems (reactor trip, Main Steam Line Isolation Valve (MSLIV) closure, Containment and Reactor Vessel Isolation Control System (CRVICS) or High Pressure Core Spray (HPCS) or Reactor Core Isolation Cooling (RCIC) initiation, etc.) or initiate or trip nonsafety-related equipment (e.g., main turbine and feedwater pump turbine trip) are as follows:

1. Recirculation Flow Control System
2. Feedwater Control System
3. Pressure Regulator and Turbine-generator System
4. Anticipated Transient Without Scram System

These systems were analyzed with regard to their overall effects of failure. Each subsystem of a given system was considered, including its interlocks and interfaces with other systems. Consistent with the TOP-DOWN method of analysis, the control systems including their interfaces were assumed to undergo gross failure, even though failure on a module-by-module basis, for example, might not result in such a drastic conclusion. This approach assures that maximum conservatism is included in the analysis.

Failure of the Recirculation Flow Control System could result in the following failure modes:

o One recirculation flow control valve fast opening
o Both recirculation flow control valves fast opening
o One recirculation flow control valve fast closing
o Both recirculation flow control valves fast closing
o One recirculation pump trip
o Both recirculation pumps trip
o Spurious anticavitation valve runback
o Valve runback failure under cavitation conditions

Failure of the Feedwater Control System could result in the following failure modes:

o Feedwater pump speed increase caused by feedwater controller failure - maximum demand (up to 144% Nuclear Boiler Rated (NBR) value, which is the test data value of feedwater flow)
o Feedwater pump speed decrease caused by feedwater controller failure - minimum demand (decrease in feedwater flow rate)
o One feedwater pump trip
o Two feedwater pumps trip (loss of feedwater flow)
o Feedwater pumps fail to trip on reactor vessel high water level (L8)
o Main turbine fails to trip on L8
o Feedwater pump discharge relief valve to condenser opens (energize-to-open, air-to-open valve)
o Feedwater heater bypass valves close

Failure of the Pressure Regulator and Turbine-generator System could result in the following failure modes:

o Failure of the main turbine pressure regulator or both main and backup turbine pressure regulators causing turbine control valves to (a) fully open or (b) fully close
o Turbine generator trip
o Prevention of turbine bypass to condenser
o Recirculation flow control system master controller failure, causing the recirculation flow control valves either (a) to open or (b) to close
o Extraction steam isolation valves to feedwater heaters close
o Loss of analog speed controls to the feedwater pumps

Failure of the Anticipated Transient Without Scram (ATWS) System could result in the following failure modes:

o Spurious alternate rod injection
o Alternate rod injection failure
o Spurious recirculation pump trip
o Recirculation pumps not tripped on ATWS (reactor high pressure or reactor vessel low low water level L2)

The above failure modes individually and in combination are included in the Detailed Failure Analysis of Section 3. For each failure event analyzed, all possible worst-case combinations of failure modes of the four control systems given above are considered in detail and the scenarios are evaluated with reference to the results of FSAR Chapter 15. If the impact could be more severe for a failure event when combined with fewer or no control system failures as compared with the case where all the above control systems are postulated to have failed combined with the failure event, the more severe case is identified.
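The combination step described above, written out as an added example (this is not the report's own tool; the report's review was done by hand). It takes the four control systems and the failure modes listed for them and builds, for one FSAR Chapter 15 initiating event, every combination of one or more failure modes per system, including the "no failure" choice that the report keeps because a case with fewer failures can be the more severe one. The mode names are the report's; the grouping of modes by the component they act on, used to reject combinations that would put one component in two states at once, is an assumption made here, and the `required` filter reproduces the way Section 3.1 fixes "turbine bypass prevented" for every case.

```python
"""Combinatory enumeration of nonsafety control system failure modes.

Added example, not the report's own tool. Mode names follow the report;
the component grouping is an assumption made for this illustration.
"""
from itertools import product

NO_FAILURE = None

# mode -> component it acts on (constructed grouping). Within one system,
# modes on the same component are mutually exclusive alternatives; modes on
# different components may be postulated together.
FAILURE_MODES = {
    "recirculation flow control": {
        "one recirc valve fast opening": "recirc valves",
        "both recirc valves fast opening": "recirc valves",
        "one recirc valve fast closing": "recirc valves",
        "both recirc valves fast closing": "recirc valves",
        "one recirc pump trip": "recirc pumps",
        "both recirc pumps trip": "recirc pumps",
    },
    "feedwater control": {
        "controller failure, maximum demand (144% NBR)": "feedwater demand",
        "controller failure, minimum demand": "feedwater demand",
        "two feedwater pumps trip": "feedwater pumps",
        "feedwater pumps fail to trip on L8": "L8 trip",
    },
    "pressure regulator and turbine-generator": {
        "turbine control valves fully open": "turbine control valves",
        "turbine control valves fully close": "turbine control valves",
        "turbine bypass prevented": "turbine bypass",
    },
    "ATWS": {
        "spurious recirc pump trip": "ATWS recirc pump trip",
        "recirc pumps not tripped on ATWS": "ATWS recirc pump trip",
    },
}


def system_choices(modes):
    """All failure-mode subsets for one system, at most one mode per component.

    The empty tuple is the 'no failure' choice for that system.
    """
    by_component = {}
    for mode, component in modes.items():
        by_component.setdefault(component, []).append(mode)
    per_component = [[NO_FAILURE] + ms for ms in by_component.values()]
    return [tuple(m for m in pick if m is not NO_FAILURE)
            for pick in product(*per_component)]


def enumerate_cases(initiating_event, required=(), failure_modes=FAILURE_MODES):
    """All cases for one initiating event as (event, {system: chosen modes}).

    `required` lists modes every case must contain, e.g. the turbine bypass
    failure the report postulates for all loss of feedwater heating cases.
    """
    systems = list(failure_modes)
    per_system = [system_choices(failure_modes[s]) for s in systems]
    cases = []
    for pick in product(*per_system):
        chosen = {s: modes for s, modes in zip(systems, pick)}
        flat = {m for modes in pick for m in modes}
        if all(r in flat for r in required):
            cases.append((initiating_event, chosen))
    return cases


def includes_no_failure_case(cases):
    """True if the set contains the initiating event with no control system failure."""
    return any(all(len(modes) == 0 for modes in chosen.values())
               for _event, chosen in cases)


if __name__ == "__main__":
    event = "loss of feedwater heating"
    all_cases = enumerate_cases(event)
    bypass_failed = enumerate_cases(event, required=("turbine bypass prevented",))
    print(len(all_cases), "combinations;", len(bypass_failed), "with turbine bypass prevented")
    print("initiating event alone included:", includes_no_failure_case(all_cases))
```

With the grouping used here the four systems give 15, 12, 6 and 3 choices respectively, so one initiating event yields 3240 cases before any engineering screening, and fixing the turbine bypass failure halves that. The screening the report actually performs, collapsing these to the handful of bounding cases (1a) through (1d), is the qualitative judgement the enumeration does not replace; its value is in showing that the "initiating event alone" case and the partial-failure cases are in the set to be screened.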

2.3 Event Categorization

The results of the combinatory qualitative event analysis were categorized as to whether the ensuing event would be (1) bounded by FSAR Chapter 15, (2) possibly bounded by FSAR Chapter 15, or (3) not bounded by FSAR Chapter 15. As detailed in Section 3 of this report, all events except one were bounded by FSAR Chapter 15. For this event, a plant-specific transient analysis was performed by General Electric.

2.4 Single Active Failure Analysis

The effect of a single active failure in a mitigating safety system was determined and included for all events reviewed in this analysis. FSAR Chapter 15 analyses were used to identify such single active failures for each event. The design drawings were also reviewed to determine the interconnections of the nonsafety-related and safety-related instrument and control system sensors to the common impulse lines. A review was made to assure that if a nonsafety-related sensor is connected to a safety-related instrument impulse line of one division it is not also connected to an impulse line of another division. This assures that a sufficient number of safety-related mitigating systems would be available after allowing a single active failure of a mitigating safety system.
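The impulse-line review described above, as an added example that is not part of the report. It runs the division check over a constructed sensor-to-impulse-line table and then shows why the rule exists: if one nonsafety sensor bridges two safety divisions, a single fault at that sensor can remove both, and the single active failure the analysis must also allow for can remove the third. Every identifier, the three-division layout and the connection table are constructed for illustration; the modelling assumption that a sensor fault disables every impulse line it shares is stated in the code and is not a claim from the report.

```python
"""Impulse-line division check for nonsafety sensors.

Added example, not from the report. All identifiers and the connection
table are constructed; the failure model is an assumption made here.
"""

# Constructed impulse-line inventory: id -> (safety division or None, safety-related?)
IMPULSE_LINES = {
    "IL-1": (1, True),
    "IL-2": (2, True),
    "IL-3": (3, True),
    "IL-N": (None, False),  # nonsafety process line, no division
}

# Constructed sensor table: id -> (classification, impulse lines it is connected to)
SENSORS = {
    "LT-N01": ("nonsafety", ["IL-1"]),          # acceptable: one safety division only
    "LT-N02": ("nonsafety", ["IL-1", "IL-2"]),  # violates the rule: bridges divisions 1 and 2
    "LT-N03": ("nonsafety", ["IL-N"]),          # not on any safety-related line
    "LT-E1": ("safety", ["IL-1"]),
    "LT-E2": ("safety", ["IL-2"]),
    "LT-E3": ("safety", ["IL-3"]),
}


def safety_divisions(sensor_lines, lines=IMPULSE_LINES):
    """Safety divisions whose impulse lines the given sensor is connected to."""
    return {lines[l][0] for l in sensor_lines if lines[l][1]}


def cross_division_sensors(sensors=SENSORS, lines=IMPULSE_LINES):
    """Nonsafety sensors on safety-related impulse lines of more than one division."""
    flagged = {}
    for sid, (classification, sensor_lines) in sensors.items():
        if classification != "nonsafety":
            continue
        divisions = safety_divisions(sensor_lines, lines)
        if len(divisions) > 1:
            flagged[sid] = sorted(divisions)
    return flagged


def divisions_remaining(failed_sensor, single_active_failure_div,
                        sensors=SENSORS, lines=IMPULSE_LINES):
    """Divisions still sensing the parameter after two postulated failures.

    Modelling assumption (not from the report): a failure at the nonsafety
    sensor, such as a break at its tap, takes out every impulse line it
    shares, and the single active failure removes one whole safety division.
    """
    all_divisions = {d for d, safety in lines.values() if safety}
    lost = safety_divisions(sensors[failed_sensor][1], lines)
    lost.add(single_active_failure_div)
    return all_divisions - lost


def worst_case_remaining(failed_sensor, sensors=SENSORS, lines=IMPULSE_LINES):
    """Fewest divisions left over every placement of the single active failure."""
    all_divisions = {d for d, safety in lines.values() if safety}
    return min(len(divisions_remaining(failed_sensor, d, sensors, lines))
               for d in all_divisions)


if __name__ == "__main__":
    print("sensors bridging divisions:", cross_division_sensors())
    for sid in ("LT-N01", "LT-N02"):
        print(sid, "worst-case divisions remaining:", worst_case_remaining(sid))
```

For the constructed table the check flags only LT-N02. A fault at the properly connected LT-N01 plus a single active failure elsewhere still leaves one division; the same pair of failures around the bridging LT-N02 leaves none, which is the condition the review is meant to rule out.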

3.0 DETAILED FAILURE ANALYSIS

3.1 Loss of Feedwater Heating Combined With Nonsafety-Related Control System Failures

This multiple Control System Failure combination is postulated to include loss of feedwater heating with combinations of failures in the feedwater control system, turbine pressure regulator and turbine bypass control system and recirculation flow control system. The loss of feedwater heating could occur as a result of closure of steam extraction line motor operated valves (MOVs) to the feedwater heaters or feedwater bypassed around the heaters by opening of the bypass MOVs. For the loss of feedwater heating event, the feedwater controller could be postulated to have failed resulting in a maximum demand limit of 144% NBR (test data value of feedwater flow). This failure could be initiated by multiple failures of the control system or the power supplies of the feedwater control system. Feedwater control system failure resulting in low or no demand for feedwater flow is not postulated as this is not applicable to the loss of feedwater heating failure combinatory analysis. For the loss of feedwater heating event, as discussed below, the case of the feedwater control system not having a failure could be of more severe consequence than the case with the feedwater controller failure with maximum demand for feedwater flow.

Failure of the turbine bypass control system is postulated for all combinations as this would result in maximum impact on the sequence of events. Turbine bypass control system failure could be initiated by multiple power supply failures, instrument power supply failure, failure of the control logic, or failure in the condenser pressure instrumentation. This could also be caused by failure of the steam jet air ejectors, loss of steam to gland seals, loss of condenser circulating water pumps, vacuum breaker valves opening or mechanical damage to the condenser.

Failure of the turbine pressure regulator control system and the recirculation flow control system could be initiated by failure of the instrumentation, failure of the electronic modules of the control systems, or failure of the electromechanical valve components of the recirculation flow control valves.

Assuming that the feedwater controller is postulated to fail resulting in maximum demand, or assumed not to have failed, and the turbine bypass to have failed closed, the following four cases must be considered for the loss of feedwater heating combinational failure event analysis:

a. Turbine pressure regulator failure resulting in maximum steam flow (approximately 130% NBR flow) to the turbine and either (i) one recirculation valve fast opening, or (ii) two recirculation valves fast opening,

b. Turbine pressure regulator failure resulting in maximum steam flow and recirculation flow control system failure resulting in no recirculation flow,

c. Turbine pressure regulator failure causing the control valves to close and either (i) one recirculation valve fast opening or (ii) two recirculation valves fast opening, and

d. Turbine pressure regulator failure causing the control valves to close and recirculation flow control system failure resulting in no recirculation flow.

In each case, the analysis considers the sequence of operation of mitigating safety systems as discussed in FSAR Chapter 15. The effect of a single active component failure in a mitigating safety system is considered for the above cases.

Case (1a)(i)

The effect of combinations of these failures could initiate the following:

o Increased recirculation flow causing reactor scram due to Average Power Range Monitor (APRM) high flux trip (FSAR Table 15.4.5-1). (The Reactor Protection System (RPS) meets the single failure criteria.)

o Reactor vessel high water level (L8) would initiate reactor scram (pressure regulator failure, control valves open, FSAR Table 15.1.3-1; feedwater controller failure in maximum demand mode, FSAR Table 15.1.2-1). (Reactor scram due to L8 is safety-related and meets the single failure criteria.)

o Safety/relief valves would open and close to control reactor pressure. (These valves and their control systems are safety-related and meet the single failure criteria.)

o The L8 trip would also trip the feedwater pumps and the main turbine (FSAR Tables 15.1.2-1, 15.1.3-1 and 15.4.5-1).

o If L8 sensors or feedwater pump trip circuits are postulated to fail, feedwater would eventually be lost due to feedwater turbine trouble, and the main turbine stop valves would close due to high moisture in the moisture separators or excessive turbine vibration (i.e., turbine trip). Steam/water mixture entering the safety/relief valves has been resolved by BWR Owners Group work reported in Supplement No. 5 to the Clinton Power Station Safety Evaluation Report.

o Main turbine stop valve position switches would initiate recirculation pump trip (FSAR Tables 15.1.2-1 and 15.2.3-1). (This trip is safety-related and meets the single failure criteria.)

The trip function of the feedwater pumps and the main turbine at L8 is derived from three nonsafety-related differential pressure transmitters actuating a 2-out-of-3 logic. If this control system is postulated to fail, then the feedwater pumps and main turbine would not be tripped from level L8. These channels are subjected to periodic surveillance tests: each channel is checked once at intervals not exceeding 12 hours, and each channel is functionally tested at intervals not exceeding 31 days (Tech. Spec. Table 4.3.9.1-1). However, for the combinatory control system failure analysis including loss of feedwater heating, the prime mitigating safety system action would be reactor scram due to APRM trip caused by recirculation system valve opening (earliest). If the pressure regulator is the only nonsafety-related control system postulated to fail in the high demand mode combined with loss of feedwater heating, reactor scram due to L8 trip would occur (FSAR Table 15.1.3-1). If failure of the feedwater control system alone in the high demand mode is postulated combined with loss of feedwater heating, reactor scram due to level L8 trip would also occur, but slightly later.
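The 2-out-of-3 L8 trip logic described above, modelled as an added example that is not part of the report. The report states only that the trip is taken from three nonsafety-related differential pressure transmitters through 2-out-of-3 logic and gives the surveillance intervals; the setpoint value, channel names and the two channel failure modes (stuck below the setpoint, stuck above it) are constructed for the illustration. The point it makes is the one the report's single-failure treatment relies on: the voter tolerates any one failed channel, but the two-channel failure that the TOP-DOWN method allows (for example two transmitters on one lost power supply) defeats the trip, and a channel that only fails at its trip contact may not be noticed until the 31-day functional test.

```python
"""2-out-of-3 voting for the L8 feedwater pump / main turbine trip.

Added example, not from the report. Setpoint, channel names and the
channel failure modes are constructed; the surveillance intervals are
those the report quotes from Tech. Spec. Table 4.3.9.1-1.
"""
from itertools import combinations

L8_SETPOINT_IN = 54.0  # assumed trip setpoint in inches, illustrative only
CHANNELS = ("A", "B", "C")

# Constructed single-channel states
HEALTHY = "healthy"
FAIL_LOW = "fail_low"    # output stuck below setpoint: channel never votes trip
FAIL_HIGH = "fail_high"  # output stuck above setpoint: channel always votes trip


def channel_trip(level_in, mode):
    """One channel's trip vote given the true level and its health."""
    if mode == FAIL_LOW:
        return False
    if mode == FAIL_HIGH:
        return True
    return level_in >= L8_SETPOINT_IN


def two_out_of_three(level_in, modes):
    """Trip output: True when at least two of the three channels vote trip."""
    votes = sum(channel_trip(level_in, modes[c]) for c in CHANNELS)
    return votes >= 2


def trip_defeated(modes):
    """True if the logic cannot trip even with level well above L8."""
    return not two_out_of_three(L8_SETPOINT_IN + 10.0, modes)


def spurious_trip(modes):
    """True if the logic trips with level well below L8."""
    return two_out_of_three(L8_SETPOINT_IN - 10.0, modes)


def single_failure_tolerant():
    """Every single-channel failure, either direction, leaves the function intact."""
    for c in CHANNELS:
        for bad in (FAIL_LOW, FAIL_HIGH):
            modes = {ch: HEALTHY for ch in CHANNELS}
            modes[c] = bad
            if trip_defeated(modes) or spurious_trip(modes):
                return False
    return True


def defeating_pairs():
    """Two-channel common-mode failures (e.g. a shared power supply) that block the trip."""
    pairs = []
    for a, b in combinations(CHANNELS, 2):
        modes = {ch: HEALTHY for ch in CHANNELS}
        modes[a] = modes[b] = FAIL_LOW
        if trip_defeated(modes):
            pairs.append((a, b))
    return pairs


# Surveillance intervals the report cites for these channels
CHANNEL_CHECK_HOURS = 12
FUNCTIONAL_TEST_HOURS = 31 * 24


def max_undetected_hours(visible_in_channel_check):
    """Longest a failed channel can go unnoticed, by which surveillance reveals it.

    A reading that disagrees with the other channels shows up in the
    12-hour channel check; a failure only in the trip path waits for the
    31-day functional test.
    """
    return CHANNEL_CHECK_HOURS if visible_in_channel_check else FUNCTIONAL_TEST_HOURS


if __name__ == "__main__":
    print("single channel failure tolerated:", single_failure_tolerant())
    print("channel pairs that defeat the trip when both fail low:", defeating_pairs())
    print("max hours undetected, trip-path-only failure:", max_undetected_hours(False))
```

Every pair of channels failing low defeats the trip, which is why the report does not credit this nonsafety logic as a mitigating function and instead relies on the safety-related APRM and L8 reactor scrams that initiate earlier in the combined event.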

If loss of feedwater heating with recirculation control in manual mode combined with a turbine trip with no turbine bypass is the only event occurring with no other control system failure, reactor scram due to turbine trip would take the longest time from event initiation. In this case, the turbine trip with no bypass event is superimposed on the loss of feedwater heating event with the recirculation flow controller in manual mode. The timing of the turbine trip event without bypass is such that the loss of feedwater heating event causes reactor power level to rise to just below the APRM scram setpoint, which results in a transient outside the bounds of FSAR Chapter 15.

For this event, the mitigating safety functions are thermal power monitor (TPM), APRM reactor scram, L8 reactor scram, turbine stop valves at the 90% open position causing reactor scram, recirculation pump trip and safety/relief valve operation. These systems are safety-related and meet the single failure criteria.

Case (1a)(ii)

In this case the multiple control system failures are postulated to be the same as in Case (1a)(i) except that instead of one recirculation valve opening fast, two valves are assumed to fast open.

The effect would be that reactor scram due to APRM trip would still occur as in the one valve fast opening case; however, the reactor vessel level would drop to level L2 and initiate HPCS and RCIC (FSAR Section 15.4.5.3.3 and Table 15.4.5-2). Initiation of RCIC would also initiate trip of the main turbine and the feedwater pumps.

The ECCS initiation circuits of HPCS and RCIC by L2 are safety-related and meet the active single failure criteria. The HPCS and RCIC systems together meet the single failure criteria.

Case (1b)

In this combinatory failure event analysis it is postulated that the turbine pressure regulator fails resulting in maximum steam flow and the recirculation flow control system fails resulting in no flow (two recirculation pumps trip or both recirculation flow control valves close).

Combined failures of the control systems would initiate the following safety systems:

o L8 would initiate reactor scram (pressure regulator failure, control valves open, FSAR Table 15.1.3-1; reactor recirculation flow control failure, valves closed, FSAR Table 15.3.2-2; feedwater controller failure in maximum demand mode, FSAR Table 15.1.2-1).

o L8 would trip the feedwater pumps and the main turbine (FSAR Tables 15.1.3-1, 15.3.2-2, 15.1.2-1).

o Recirculation pump trip would be initiated due to main turbine trip.

o Safety/relief valves would open and close (FSAR Table 15.3.2-2) to relieve pressure as necessary.

o If L2 is reached, HPCS and RCIC systems would be initiated (FSAR Table 15.3.2-2).

o Initiation of RCIC would also trip the main turbine and the feedwater pumps.

Case (1c)(i)

In this combinatory failure event analysis it is postulated that the turbine pressure regulator causes the control valves to close and (i) one recirculation flow control valve opens fast. Combined failures of the control systems would initiate the following:

o Neutron high flux reactor scram would be initiated by pressure regulator downscale failure causing turbine control valve closure (FSAR 15.2.1.1.1) or by recirculation flow control valve fast opening (FSAR Table 15.4.5-1).

o Safety/relief valves would open/close due to feedwater flow controller high mode failure or turbine pressure regulator low demand (FSAR Tables 15.1.2-1, 15.2.1-1).

o Reactor high pressure would trip the recirculation pumps (ATWS). The ATWS recirculation pump trip circuits are powered from 125 VDC (FSAR Table 15.2.1-1). Loss of DC control power is annunciated.

o L8 would trip the feedwater pumps and the main turbine. (Turbine pressure regulator failure closing control valves, or feedwater control system failure high flow demand, or recirculation flow control one valve fast open would cause L8 trip, FSAR Tables 15.2.1-1, 15.1.2-1, and 15.4.5-1.)

Case (1c)(ii)

Multiple control system failures with loss of feedwater heating as in Case (1c)(i) except that two recirculation valves are postulated to fast open.

o In this case, reactor scram would also occur due to APRM high flux trip (turbine pressure regulator downscale failure closing control valves or recirculation flow control system failure with two valves fast opening).

o Safety/relief valves would open and close to relieve pressure (for all three cases of control system failures considered).

o L8 would trip the feedwater pumps and the main turbine (FSAR Table 15.2.1-1).

o Main turbine stop valve closure would trip the recirculation pumps.

Case (1d)

Multiple control system failures involving feedwater flow controller (fails on maximum demand), turbine bypass failure, loss of feedwater heating, turbine pressure regulator failure resulting in control valve closure and recirculation flow control system failure resulting in low/no recirculation flow are postulated.

o Turbine pressure regulator failure would cause a reactor scram due to high flux trip (FSAR Table 15.3.2-2).

o Recirculation flow control system failure would cause a reactor scram due to L8 trip (FSAR Table 15.3.2-2).

o Feedwater controller failure would also cause a reactor scram due to L8 trip (FSAR Table 15.1.2-1).

o L8 would trip the feedwater pumps and the main turbine (FSAR Table 15.2.1-1).

o Safety/relief valves would open and close to relieve pressure (FSAR Tables 15.2.1-1 and 15.3.2-2).

Analysis

The above discussion lists the sequence of safety-related actions in the event of failure of the three main control systems: feedwater flow controller (failed in maximum demand mode), turbine pressure regulator system (both high and low demand) and recirculation flow control system (maximum flow or no flow), with turbine bypass prevented. In each case where a control system failure is combined with the loss of feedwater heating, earlier protective actions would be initiated as compared to the loss of feedwater heating event alone. However, the loss of feedwater heating combined with a turbine trip and no turbine bypass is outside the bounds of FSAR Chapter 15 for an incident of moderate frequency. This transient was analyzed by computer simulation and evaluation to determine whether the effects are outside the bounds of FSAR Chapter 15 for an infrequent incident.

In multiple control system failure cases (1a), (1b), (1c), and (1d), different modes of failure of the turbine pressure regulator and the recirculation flow control system with no turbine bypass and feedwater flow controller failure at maximum demand with loss of feedwater heating have been postulated. The cases of control system failures including turbine pressure regulator alone or recirculation flow control system alone or feedwater flow controller at maximum demand alone are bounded by multiple control system failure cases (1a), (1b), (1c), or (1d).

3.2 Feedwater Controller Failure Combined With Nonsafety-Related Control System Failures

Case (2a)

This multiple control system failure event is postulated to include feedwater controller failure resulting in maximum flow demand (144% of NBR), combined with turbine pressure regulator failure, turbine bypass closed, and recirculation flow controller failure (maximum or minimum demand).

This event would be bounded by the loss of feedwater heating event with manual recirculation flow control, combined with turbine trip and no turbine bypass.

Case (2b)

This failure event is identical to the above except with feedwater controller failure resulting in minimum demand.

In this case, reactor vessel low water level (L3) would initiate a reactor scram terminating the event.

Pressure regulator failure with maximum steam flow would initiate L8 scram. Pressure regulator failure with zero steam flow would initiate high flux scram. Recirculation flow control system failure causing increasing flow would initiate APRM reactor trip, while no flow would initiate L8 reactor scram. Reactor low level L2 would initiate the HPCS and RCIC systems.

These safety-related systems meet the single failure criteria.

Conclusion

The failures described above are terminated by the safety-related functions of reactor scram, safety/relief valve opening, HPCS/RCIC initiation and recirculation pump trip, as described in FSAR Tables 15.1.2-1, 15.2.1-1, 15.3.1-2, 15.4.5-2, and 15.2.7-1. It is concluded that the combined failure events are either bounded by FSAR Chapter 15 analyses or are less severe than the elevated power level turbine trip already discussed in Case (1a)(i).

e ,

i QUAD-1-87-004 auAomaxr  !

3.3 Turbine Pressure Reculator Failure Combined With Nonsafetv-Related Control System Failures L

Case (3a) '

Hultiple control system failurms are postulated to include turbine pressure regulator causing the control valves to close, with simultaneous failures of the reciretistion flow of the recirculation flow controller and feedwater controller. If the main pressure regulator is assumed to fail, the backup regulator would take over the control automatically and maintain the plant in operating conditions. For failure of both pressure regulators downscale with i or without feedwater controller or recirculation flow controller failures, neutron APRM high flux or reactor high pressure would cause reactor scram. Safety / relief val.es would control reactor pressure. Recirculation pumps would be tripped on reactor high pressure (ATWS). If feedwater controller is postulated to fail in high node or is in normal condition, L8 would initiate rain turbine and feedwater pump trip. Main turbine stop valve closure would also initiate recirculation pump trip. If feedwater controller is postulated to fail in the low mode, reactor low level L2 would be reached which would initiate the HPCS and RCIC systems.

In the above discussion, failure of the backup pressure regulator is an active single failure. In addition, the mitigating safety systems, reactor scram, safety/relief valves and their actuation systems, HPCS and RCIC in combination and recirculation pump trip from the turbine stop valve closure signal are safety-related, redundant and meet the single failure criteria.

Case (3b)

The event of turbine pressure regulator failure in the open position combined with other nonsafety-related control system failures has been analyzed with the more severe event of loss of feedwater heating in Case (1). For this event, L8 trip initiating reactor scram, main turbine and feedwater pump trip and recirculation pump trip by turbine stop valve position, followed by safety/relief valve actuation, will be the mitigating safety actions. Failure consequences of feedwater pump trip at L8 have been given in Section 3.1. Furthermore, for this failure event reactor low pressure would initiate closure of the MSLIVs, which is a redundant safety-related action. Closure of the MSLIVs would cause coastdown of the feedwater pump turbines and initiate reactor scram. Safety/relief valves would actuate to relieve pressure. When L2 is reached, HPCS and RCIC would be actuated. Recirculation flow controller failure high would initiate an early APRM high flux trip. A feedwater controller failure high would aid to initiate reactor level L8 scram.

Recirculation flow controller failure with no flow would reduce core flow to natural circulation, causing a greater mismatch in steam output and creating a high depressurization rate. The depressurization would be terminated by earlier L8 reactor scram or low turbine inlet pressure trip causing MSLIV closure which would, in turn, cause reactor scram. Feedwater flow decrease would also have an effect similar to the recirculation no flow condition. MCPR limits are not approached and thus there is no impact.

It is concluded that this postulated event would be bounded by the events described in FSAR Chapter 15, Sections 15.2.1, 15.1.2, 15.2.7, 15.4.5 and 15.3.2.

3.4 Safety/Relief Valve Opening

The safety/relief valves are safety-related and are actuated by redundant reactor pressure sensors divided into two separated logics that control separate solenoid-operated air pilots on each valve. Cables from the vessel pressure sensors lead to two separate safety-related logic cabinets where the redundant logics are formed. The power supplies and electric circuits for the redundant logics are safety-related and are physically separated from those belonging to nonsafety-related systems. The instrument impulse lines do not penetrate the primary containment. The electrical elements in the control systems must be energized to open the safety/relief valves in the relief mode.

Based on the above design, a failure in common sensors, common impulse lines or common power supplying nonsafety-related control systems cannot cause the safety/relief valves to open, an event which is postulated to occur simultaneously with multiple failures of nonsafety control systems.

Individual opening of the safety/relief valves is subject to single failure and has been analyzed in FSAR Section 15.1.4. This event is bounded by FSAR Section 15.1.4.

3.5 Inadvertent RHR Shutdown Cooling Operation

This event cannot be postulated to occur during power operation since the system pressure would be too high to permit operation of the shutdown cooling. During startup or cooldown operation, if the reactor were critical and RHR cooling is inadvertently initiated resulting in misoperation of cooling water controls, then a very slow increase in flux would result, initiating a reactor scram if the operator does not take action.

Failure of the nonsafety-related control systems would have no effect on this event. The only systems that could be affected by a high energy line break in this event are the RHR lines. Separation and diversity of the RHR system (A, B, C) provide adequate protection for any postulated event and meet the single failure criteria. This event is bounded by FSAR Section 15.1.6 analysis.

3.6 Generator Load Rejection with No Turbine Bypass Combined with Nonsafety-Related Control System Failures

This event is also similar in effect to loss of all grid connection with no turbine bypass combined with nonsafety system failures. As analyzed in FSAR Sections 15.2.2 and 15.2.6, these events would cause turbine control valve fast closure which would immediately initiate a reactor scram and a recirculation pump trip. These trips are redundant and safety-related. The safety/relief valves would actuate to control reactor pressure.

Therefore, failure of the turbine pressure regulator or recirculation flow controller would have no effect in this event.

In the case of loss of auxiliary power or loss of all grid connections, the recirculation pumps, condenser circulating water pumps, condensate pumps and condensate booster pumps would also be tripped, resulting in a trip of the feedwater pump turbines due to low condenser vacuum. Therefore, failure of the feedwater flow controller would have no effect for this event. For the generator load rejection with no turbine bypass event, feedwater flow controller in low mode would have no effect.

For feedwater flow controller failure in high mode, L8 would initiate reactor scram and feedwater pump trip. As vessel level decreases, HPCS and RCIC systems would be initiated at level L2 (FSAR Sec. 15.1.2).

The above safety systems meet the single failure criteria.

This event is bounded by FSAR Sections 15.2.2 and 15.1.2 analysis.


3.7 Turbine Trip Combined with Nonsafety-Related Control System Failures

This event is included in the Section 3.1 analysis.

3.8 Closure of Main Steam Line Isolation Valves Combined with Nonsafety-Related Control System Failures

This failure is postulated to include closure of all Main Steam Line Isolation Valves (MSLIVs). Multiple sensor failures in MSLIV closure circuits, for example low steam line pressure, high steam line flow, high steam line radiation, reactor low water level, or failures in the control circuits could cause MSLIV closure. Closure of MSLIVs would increase reactor pressure.

Mitigation of the reactor pressure increase would be accomplished by initiation of reactor scram by MSLIV position switches and the reactor protection system. Safety/relief valves would also operate to limit system pressure. Closure of MSLIVs would inhibit steam flow to the feedwater turbines, terminating feedwater flow. Because of loss of feedwater flow, water level within the vessel would decrease sufficiently to initiate trip of the recirculation pump and start the HPCS and RCIC systems at L2. There would be no change in thermal margins due to this event.

The above systems are safety-related and meet single failure criteria in accomplishing their task.

RCIC initiation would trip the main turbine. The closure of the main turbine stop valve would also initiate safety-related tripping of the recirculation pumps.

Control system failures of the turbine pressure regulator and turbine bypass would not alter the above sequence of events because MSLIV closure is assumed to be the first event in this sequence.

Feedwater control system failure would also not additionally influence the above sequence of events because MSLIV closure would stop steam flow to the feedwater turbines. Thus feedwater failure is included in the above analysis (FSAR Chapter 15, Section 15.2.4).

Conclusion

This event combined with the above nonsafety control system failures is bounded by FSAR Chapter 15, Section 15.2.4 analysis.

3.9 Loss of Condenser Vacuum Combined with Nonsafety-Related Control System Failures

Loss of condenser vacuum could be caused by failure of the steam jet air ejectors, loss of steam to the turbine shaft gland seals, vacuum breaker opening, loss of circulating water pumps or mechanical damage to the condenser. Failures of the nonsafety-related control systems could be caused by malfunction or loss of instrument sensors, loss of the impulse lines or loss of electrical power. All these failures could be initiated by a high energy line break in the turbine building. This event would cause turbine trip and also open the turbine bypass valves. Low condenser vacuum would also cause feedwater pump turbine trip. Main turbine trip would cause reactor scram and recirculation pump trip. The effects of this combinatory event scenario are enveloped by the Section 3.1 analysis.

3.10 Feedwater Line Break Combined with Nonsafety-Related Control System Failures

In this combinatory failure event, a feedwater line break outside the containment combined with nonsafety control system failures is postulated. Feedwater controller failure (maximum demand) would supply more water to the vessel as well as through the break until the feedwater air-operated stop/check isolation valves close.

Turbine pressure regulator control system failure resulting in high steam flow (up to 130% NBR flow) would lower the reactor level sooner than the case with no pressure regulator failure.

For this combination of multiple control system failures with a feedwater line break, L3 would scram the reactor. Level L2 would initiate closure of the feedwater stop check isolation valves, start the HPCS and RCIC, and trip the recirculation pumps. At reactor vessel low low low water level L1, MSLIV closure would be initiated.

These systems are safety-related and consist of redundant components and/or systems. The feedwater stop check valves are provided with air accumulators. The worst single failure for the feedwater line break event is the HPCS failure (FSAR Section 6.3.3.7.8.4.c and d).

The Emergency Core Cooling Systems (ECCS) remaining are the three Low Pressure Core Injection (LPCI) pumps + Low Pressure Core Spray (LPCS) + Automatic Depressurization System (ADS). Out of these, a maximum of two LPCI pumps can be fully diverted at 10 minutes to the containment spray mode. Therefore, after diversion 1 LPCI + LPCS + ADS would be available for ECCS and two LPCI pumps for containment spray. (This event is analyzed in FSAR Section 6.3.3.7.8.4 c and d and Table 6.3-9.)

Conclusion

From the above discussion, it is concluded that the nonsafety-related control system failures, either one at a time or in combination, do not affect the sequence of events for the feedwater line break outside the containment event described in FSAR Sec. 15.6.6; thus, the events are bounded by Chapter 15 analysis.

3.11 Loss of Instrument Air Combined with Nonsafety-Related Control System Failures

In this combinatory failure event, loss of instrument air combined with nonsafety control system failures is postulated. The scram inlet and outlet valves of the control rod drive system would open, resulting in reactor scram. The following control system failures in addition to loss of instrument air are considered as regards the ability to achieve cold shutdown conditions:

(a) Pressure regulator failure resulting in turbine control valve opening and maximum steam flow, turbine bypass control failure allowing bypass, feedwater flow controller failure resulting in loss of feedwater flow.

Loss of instrument air would cause reactor scram and could open the feedwater recirculation valve to the condenser. Loss of feedwater flow would lower the reactor level; L2 would initiate HPCS and RCIC and L1 would close the MSLIVs.

Failure of the recirculation flow control system with one valve or two valves fast opening would have no additional effect on this event.

(b) Pressure regulator downscale failure would result in turbine control valve closure, feedwater flow controller failure resulting in maximum feedwater flow and recirculation flow control valve fast opening.

Loss of instrument air would cause reactor scram and could open the feedwater recirculation valve to the condenser. Opening of condenser recirculation lines as well as two recirculation valve fast opening would lower reactor level and initiate HPCS and RCIC systems at L2 and close the MSLIVs at L1. RCIC initiation would trip the main turbine. If the reactor mode switch is in the "run" mode, MSLIVs would also close when reactor pressure drops below 849 psi.

If the relief valves to the condenser do not open or only one recirculation valve fails and opens fast, feedwater high failure mode combined with recirculation system failure would cause reactor water level to rise and initiate L8 trip of the feedwater pumps and the main turbine. The main turbine stop valve closure would initiate recirculation pump trip.

Safety/relief valves would be available for steam relief as redundant air accumulators are provided for this system.

If failure of the recirculation flow control system with valve closure or pump trip had been postulated, resulting in no recirculation flow combined with the above other control system failures, L8 trip would also initiate reactor scram and trip the main turbine and the feedwater pumps. The safety/relief valves would be used to relieve pressure to the suppression pool.

It is concluded that this event is bounded by FSAR Section 15.2.10.

3.12 Large Steam Pipe Break Outside Containment Combined with Nonsafety-Related Control System Failures

This multiple control system failure is postulated to include the combination involving a large steam system piping break outside containment, with failure of the turbine pressure regulator, feedwater flow controller and the recirculation flow control system. In addition, loss of off-site power is also considered.

As described in FSAR Section 15.6.4, this event would cause reactor scram and closure of the MSLIVs. The steam line break would result in an almost instantaneous loss of steam to the turbine.

Thus, turbine pressure regulator failures would not affect the sequence of events described in FSAR Section 15.6.4. The MSLIVs would close for this event, which would also cause turbine pressure regulator failure to have no effect on the sequence of events.

Steam flow to the feedwater pump turbine would also be lost and the pumps would coast down in speed. Therefore, feedwater controller failures would have no effect on the sequence of events.

Safety/relief valves would open and close to maintain vessel pressure until L2 is reached.

To include the effects of the steam line break and a single active failure, the RCIC system is considered unavailable and the HPCS system is assumed to be inoperable to allow for an active single failure.

L2 would initiate the CRVICS and close the feedwater isolation valves.

On MSLIV closure, the power/load unbalance relay would trip the turbine. The turbine stop valve closure position switches would initiate tripping of the recirculation pumps. This trip circuit is safety-related. The breaker trip circuits are powered from Class 1E DC power.

A failure in the power/load unbalance relay circuit or the turbine trip circuit could be postulated. In this case, the turbine would not be tripped and the recirculation pump trip due to turbine stop valve closure would not be initiated. However, the recirculation pumps would be tripped by the ATWS L2 signal.

ADS would be initiated on L1 and the ADS valves would be actuated. LPCS and LPCI would also be initiated at L1. Extended core cooling would be accomplished by the single failure-proof, parallel combination of LPCS, LPCI and HPCS.

The equipment and components used in the above sequence of events to mitigate the effects of the line break are safety-related and redundant. The sensors and impulse lines assigned to a particular safety-related division are physically and electrically separated from those assigned to another safety-related division. If a nonsafety-related sensor is connected to a safety-related instrument impulse line of one division, it is not connected to an impulse line belonging to another division.

The electrical equipment (e.g., buses, batteries, chargers, uninterruptible power supplies, instrument DC power supplies) used for the safety-related systems are different from those used for the nonsafety-related systems. Furthermore, each redundant division of the safety-related system is powered from a separate safety-related division of power source.

Conclusion

From the above discussion, it is concluded that the nonsafety-related control system failures, either one at a time or in combination, do not affect the sequence of events for the large steam piping break event described in FSAR Section 15.6.4; thus, the events are bounded by Chapter 15 analyses.

3.13 Loss of Coolant Accident Inside Containment Combined with Nonsafety-Related Control System Failures

A pipe break, Loss of Coolant Accident (LOCA) with coincident loss of auxiliary power is postulated to occur inside containment.

Turbine pressure regulator and turbine bypass control system are not affected by this event as this equipment is located outside the containment and their effects are not considered in this analysis.

Failure of other control systems is considered below:

a. Feedwater controller failure with no flow.

No credit is taken for feedwater flow in the analysis reported in FSAR Sections 6.3 and 15.6. Therefore, feedwater controller failure resulting in no flow is bounded by the FSAR analysis.

b. Feedwater controller failure with maximum flow.

During the initial portion of the accident, additional cooling flow would be provided. Feedwater flow would be isolated at reactor low level L2. MSLIV isolation at level L1 would also isolate steam to the feedwater pump turbines, resulting in loss of feedwater flow. Therefore, the effect of increased feedwater flow would only occur during the initial portion of the event and would serve to provide additional coolant. Thus, this failure is acceptable and is bounded by FSAR Sections 6.3 and 15.6 analyses.

c. Recirculation flow control system.

(1) Pump trip: Loss of power and pump trip is assumed in the LOCA analysis; thus, it is bounded by FSAR Sections 6.3 and 15.6.

(2) Fast closure of recirculation valves: closure of a recirculation valve in the unbroken line will reduce the recirculation flow due to pump coastdown. Closure of the valve in the broken line would have no effect on the flow. FSAR Section 6.3.3.7.9 reports that analyses have shown that inadvertent closure of a recirculation valve in combination with a recirculation line break is acceptable.

d. Fast opening of recirculation valves.

Opening of the recirculation valve in the unbroken line would slightly increase core flow during the pump coastdown period and would have no adverse effects. Opening of the valve in the broken line would be bounded by the LOCA analyses that base break flow rate on the break size.

Conclusion

A loss of coolant accident inside the containment accompanied by nonsafety-related control system failures would be bounded by FSAR Section 15.6.5 analysis.

3.14 Main Condenser Offgas Treatment System Failure Combined with Nonsafety-Related Control System Failures

The initiating events for this failure could be a seismic occurrence, or hydrogen detonation within the system, or a fire in the filter.

For this failure, increase in radioactivity levels would be alarmed by the Area Radiation Monitoring System. The operator would then initiate isolation of the offgas treatment system and main turbine and reactor shutdown. An assumed seismic event could also cause turbine trip and consequential reactor scram.

The effect of gross failure of the offgas treatment system would be release of radioactivity with the steam jet air ejector assumed to continue pumping process gas for 30 minutes. In this case, the operator would isolate the offgas treatment system. Loss of condenser vacuum would initiate main turbine trip and also close the MSLIVs. The main turbine trip would scram the reactor, which is a safety-related trip function. The closure of the MSLIVs and reactor scram are safety-related trip actions and meet the single failure criteria.

The radiological consequences for this event are presented in FSAR Section 15.7.1. Failure of nonsafety-related control systems would not affect the above sequence of events. It is therefore concluded that the above failures are bounded by FSAR Section 15.7.1 analysis.

4.0 LOSS OF FEEDWATER HEATING WITH TURBINE TRIP AND NO TURBINE BYPASS

This section presents the analysis performed by General Electric (GE) for the postulated loss of feedwater heating event combined with a turbine trip and turbine bypass failure. For this event, the flux/flow controller was assumed to be in the manual mode. In addition, the turbine trip was assumed to be initiated just prior to the power level corresponding to the APRM scram setpoint. Both of these assumptions result in the most severe conditions for this postulated event.

The GE report included as Appendix A includes a description of the analytical model, analysis conditions, results, reactor parameter plots, and a table describing the sequence of events.


5.0 CONCLUSION

The analyses presented in Section 3.0 of this report show that, except for one combinatory failure event, the consequences of any postulated combination of nonsafety-related control system failures are bounded by FSAR Chapter 15 events. The conclusions reached in the original Quadrex report, "Control System Failure Review and Evaluation Program, Clinton Power Station," QUAD-1-82-244, remain valid, except for the one event not specifically analyzed in FSAR Chapter 15. This combinational failure event, i.e., loss of feedwater heating with turbine trip and turbine bypass failure, was analyzed by the same methods used for the CPS FSAR Chapter 15 events and the results are presented in Section 4.0 of this report. The consequences of this failure event are bounded by an event already analyzed in the CPS FSAR Chapter 15, Section 15.2.4.5, closure of all MSLIVs. The analysis presented in Section 4.0 also shows that no adverse effects to the health and safety of the public would be caused by the postulated radiological releases.

A further conclusion of this analysis is that multiple failures of nonsafety-related control systems at CPS do not impact the capability of safety-related systems, as required by NRC IE Notice 79-22. Furthermore, loss of electrical power to instrumentation and control systems does not affect the ability to achieve a cold shutdown condition, as required by NRC IE Bulletin 79-27.

6.0 RESPONSE TO NUCLEAR REGULATORY COMMISSION'S QUESTIONS

Q. 1. Information related to power sources whose failure or malfunction could lead to malfunctions of multiple control systems was reviewed by the staff. The methodology information states that commonality of power supplies to control systems was determined through the load centers. However, the subject information also indicates that the analysis considered power supplies only up to the load centers. The applicant should verify that their review considered all higher level power sources such that the loss of the next higher level bus initiates an event already bounded by the FSAR Chapter 15 Analyses (e.g., loss of a 480V load center which supplies multiple 480V motor control centers). If not, the effects of failure or malfunction of these higher level power sources on multiple control systems should be analyzed. If the consequences of these failures are bounded by the Chapter 15 analysis, a positive statement to that effect should be provided with specification of the Chapter 15 analysis.

If not bounded, then information should be provided to justify the issue.

Response: The technique used in the Clinton Power Station (CPS) Control Systems Failure Review and Evaluation Program is the "TOP-DOWN" approach. This approach postulates failures of nonsafety-related control systems regardless of the cause, i.e., failure or malfunction of the power source or instrument power supplies, failure of the sensors or instrument impulse lines, or proximity of sensors, impulse lines or power sources to a high energy line. If there exists more than one mode of failure of a control system, all such modes are taken into consideration in the analysis. Furthermore, combinations of failures of all control systems that could affect reactor parameters are considered and each such combination is analyzed for the effect on the sequence of events and the effect on reactor parameters.

As failures of the nonsafety-related control systems in each failure mode are included in the analysis, the effect of the loss of electrical power on these control systems, whether it is due to the failure at the 120V AC level, 480V AC MCC level, or 480V AC load centers, at the higher voltage level of 4160V AC or 6900V AC buses, or 125V DC or instrument AC, is included in this analysis. A power distribution bus tree for the non-class 1E buses is attached. A review was made to assure that no safety-related equipment, instruments or control systems are supplied from nonsafety-related AC or DC buses.

Where DC control power is used to trip or close pump motor breakers, both modes of failure are considered, i.e., pumps are assumed to be tripped due to malfunction in their breaker control circuits, or to be prevented from tripping when they are required to be tripped. Both failure consequences have been included in this analysis.

Where credit for pump trip is included in the analysis, the reason for such an assumption is stated; for example, in the case of recirculation pump trip by ATWS signal, the sensors and trip circuits are subjected to periodic surveillance tests and the control power circuits of the ATWS trip circuits are provided with undervoltage alarms.

On the other hand, the redundant recirculation pump breaker trips (RPT) initiated by the main turbine stop valve closure or control valve fast closure are safety-related. These circuits are powered by redundant class 1E power and each of the two breaker circuits of each pump receives DC power from a different safety division; thus, the design meets the single failure criteria.

The analysis shows that failure of electrical power, leading to multiple control system failures, would not result in an event not bounded by the FSAR Chapter 15 analyses. However, Section 4.0 discusses the results of an event previously unanalyzed in the CPS FSAR, namely a loss of feedwater heating event with turbine trip and turbine bypass failure. An FSAR transient event analysis was performed for this case.

The non-class 1E electrical loads are shown in the attached diagram, ILL-0948E1, "Non-class 1E Electrical Power Distribution Bus Tree". In addition to the loads shown down to the level of the 480V AC unit substation buses, there are also 480V AC MCCs fed from the unit substation buses and 120/208V AC buses fed from the MCCs. The two non-class 1E 125V DC buses are supplied by two separate batteries. The bus loads are supplied by two separate 125V DC battery chargers which are fed from Auxiliary Building 480V AC unit substations 1D and it and the batteries.

Two nonsafety-related uninterruptible power supplies (UPS) powered from the above two DC buses supply two UPS buses (FSAR Figure 8.3-7). In addition, the UPS buses receive alternate feed from Control Building 120V AC MCCs 1C and 1D respectively. The Feedwater Control System, Recirculation Flow Control System and the Main Steam Control System (including the turbine pressure regulator and turbine bypass control systems) are supplied by these 125V DC and 120V UPS systems.

The analysis assumed that the electrical power sources at the highest level could fail. Credit was taken for availability of electrical power in the case of RPS and actuation or tripping of safety-related equipment due to the single-failure proof design of these systems and their electrical power supplies. Credit is taken in the case of recirculation pump trip due to ATWS because the ATWS initiating sensors are subjected to surveillance tests and the recirculation pump control DC circuits are provided with undervoltage alarms.

Loss of feedwater flow could result due to feedwater pump trip on malfunction of the trip circuits. Also, the feedwater pump trip function (on reactor high level) could fail due to loss of electrical power. The case for loss of feedwater is analyzed in Section 3.2 and is found to be bounded by FSAR Section 15.2.7. Failure of the feedwater pump to trip could result in carryover of water to the steam lines. However, the issue of water in the steam lines was fully addressed and resolved by BWR Owners Group work reported in Supplement No. 5 to the CPS Safety Evaluation Report and accepted by the NRC Staff.

Q. 2. The approach taken by the Clinton applicant appears not to meet the intent of the control systems failures question. The applicant considered the effects of postulated control system failures on Chapter 15 events and modified the event analysis to include the nonsafety control system failures. The intent of the control system failures issue was not to require modifications to the FSAR analyses but to determine whether combined potential multiple control system failures resulting from (1) common power source or sensor (including impulse lines) malfunctions or (2) each postulated potential high energy line break could result in consequences more severe than those previously analyzed for in FSAR Chapter 15 (could such failures result in an unanalyzed event). If it is determined that all possible combinations of simultaneous malfunctions of control systems are bounded by the previous FSAR Chapter 15 analyses, then a positive statement to that effect should be provided including specification of the bounding FSAR analyses. If the Chapter 15 event analyses were modified to compensate for the multiple control system failure consequences or if conservatisms were not included in HELB, common power source, sensor or sensor impulse line evaluations consistent with those assumed for FSAR Chapter 15 analyses, details should be provided for Staff review.

If no modifications to the FSAR analyses were made or reduction in conservatisms accounted for, then it should be so stated.

Response: The CPS FSAR Chapter 15 event analyses were not modified in this analysis. If an FSAR Chapter 15 event could be caused by sensor (including impulse line) failures, power supply failures, or high energy line breaks, the FSAR Chapter 15 event scenario was exacerbated by simultaneous failures of nonsafety-related control systems in order to determine the overall impact and to determine whether the ensuing event would be bounded by existing Chapter 15 analyses. No modifications were made to Chapter 15 event analyses to compensate for the multiple control system failure consequences.

A re-review of the nonsafety-related control system failure analysis presented in QUAD-1-82-244 has been performed. It was determined that the original analysis did not specifically identify the loss of feedwater heating event with turbine trip and turbine bypass failure as an event not analyzed in FSAR Chapter 15. This failure combination was subsequently analyzed by GE using FSAR methods; the results are discussed in Section 4.0 of this report. In the current re-review, all combinations of nonsafety-related control systems were evaluated; all are bounded by either the event in Section 4.0 of this report or the other sections of FSAR Chapter 15 as given in Section 3.0 of this report.

Q. 3. The response states that the limiting HELB is a line break in the turbine building. This break was examined for its effects on the loss of feedwater heating (LOFH) event. It is not clear whether this is the limiting break in terms of the most severe consequences resulting from the turbine building HELB (i.e., worst-case line break at Clinton which creates most severe combined effects that could occur from multiple control system failures) or the most limiting in terms of making the LOFH event itself more severe. Thus, the Staff is not assured that the effects of each postulated HELB event were considered. The applicant should provide information to clarify the issue.

The information should include a description of the procedure by which the location of nonsafety-related control system components that could be affected by high energy line breaks was determined (i.e., zone analysis and plant walkdown, etc.).

Response: An HELB in the turbine building would be the limiting break at CPS in terms of most severe consequences that could result from multiple nonsafety-related control system failures. An HELB could be postulated that causes multiple electrical faults/shorts and mechanical failures which could either close the steam extraction line to the feedwater heaters or bypass feedwater around the heaters, resulting in a decrease in feedwater temperature. In addition, the turbine bypass system could fail, and under the worst case, failures in the feedwater control system, turbine pressure regulator system, and recirculation flow control system could occur. However, failure of these latter three systems would initiate RPS and other mitigating safety systems earlier than if these three control systems had not been postulated to have failed.

The Steam System Piping Break and Feedwater Line Break outside the containment event analyses are presented in FSAR Sections 15.6.4 and 15.6.6; the Loss of Coolant Accident (LOCA) inside the containment event analysis is presented in FSAR Section 15.6.5. The RPS and other mitigating safety actions would be initiated much earlier than in the case presented in Section 4.0 of this report, i.e., LOFH with turbine trip and turbine bypass failure.

Regardless, these hypothetical HELB events combined with nonsafety-related control system failures are bounded by the results of FSAR Sections 15.6.4, 15.6.6, and 15.6.5, and are discussed in Section 3.0 of this report.

A zone analysis and plant walkdown does not apply to the TOP-DOWN approach used in the CPS HELB analysis. Rather, this concern relates to the BOTTOMS-UP approach, which specifically locates each nonsafety-related control component in a pressure-tight zone and identifies each high energy line located in this zone. A plant walkdown verifies the location of the components, the zones, and the high energy lines. Then the effects of each line break, i.e., pipe whip, jet impingement, and/or environmental effects, are determined within each zone and the consequences compared with the FSAR Chapter 15 analysis.

The CPS Control System Failure Analysis, which uses the TOP-DOWN approach, does not rely on a zone analysis nor a plant walkdown.

Q. 4. The applicant should verify that a single active failure in the safety systems used to mitigate the consequences of high energy line breaks was assumed in the analysis performed.

Response: The TOP-DOWN approach used in this analysis begins with the FSAR Chapter 15 initiating events and assesses the impact of all nonsafety-related control system failures to determine whether an unanalyzed condition would exist.

For all events discussed in this report except for the LOFH with turbine trip event, the FSAR Chapter 15 analyses are bounding and identify all single active failures in the mitigating safety systems. The design drawings were also reviewed to determine the interconnections of the nonsafety-related and safety-related instrument and control system sensors to the common impulse lines. A review was made to assure that if a nonsafety-related sensor is connected to a safety-related instrument impulse line of one division, it is not connected to an impulse line of another safety-related division. This assures that a sufficient number of safety-related mitigating systems would be available after allowing for a single active failure of a mitigating safety system. Since the FSAR Chapter 15 analyses detail the effects of single active failures in all safety systems, a failure in the safety systems used to mitigate the consequences of high energy line breaks is part of the analysis and, thus, is accounted for.

The Loss of feedwater heating event with turbine trip and turbine bypass failure was determined to be unanalyzed by CPS FSAR Chapter 15. In this event, as discussed in Section 4.0, the thermal power monitor (TPM) (the primary protection system trip), the reactor protection system, and the control rod drive system are the mitigating safety systems for reactor scram. All of these systems are single-failure proof. The L8 trip is also safety-related and single-failure proof. The reactor scram and the recirculating pump trip on turbine stop valve position are single-failure proof. The safety/relief valves actuation is also single-failure proof.
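The impulse-line review described in the response to Q. 4 is a rule that can be checked mechanically against a connection table. The following is an added illustration, not code from the Quadrex report or from Illinois Power; the sensor tags, impulse line names and four division labels are constructed placeholders, and the model assumes (as a simplification labelled in the comments) that a fault on a nonsafety sensor disables every safety impulse line it shares, after which one further single active failure is taken in the worst remaining division.

```python
"""Added illustration (not part of the Quadrex report): a mechanical check
for the impulse-line review described in the response to Q. 4.

Rule from the text: if a nonsafety-related sensor is connected to a
safety-related impulse line of one division, it must not also be connected
to an impulse line of another safety-related division.  The sensor, line and
division names below are constructed placeholders, not plant tags."""

from collections import defaultdict

# Constructed connection table: (sensor tag, impulse line, owning division).
# Division "NS" marks an impulse line that serves nonsafety instruments only.
CONNECTIONS = [
    ("NS-LT-01", "IL-A-1", "A"),
    ("NS-LT-02", "IL-B-1", "B"),
    ("NS-PT-03", "IL-A-2", "A"),
    ("NS-PT-03", "IL-C-1", "C"),   # constructed defect: one sensor spans A and C
    ("NS-FT-04", "IL-NS-1", "NS"),
    ("S-LT-A", "IL-A-1", "A"),
    ("S-LT-B", "IL-B-1", "B"),
    ("S-LT-C", "IL-C-1", "C"),
    ("S-LT-D", "IL-D-1", "D"),
]
ALL_DIVISIONS = {"A", "B", "C", "D"}   # constructed; not a statement about CPS


def sensor_divisions(connections):
    """Map each sensor to the set of safety divisions whose impulse lines it shares."""
    divs = defaultdict(set)
    for sensor, _line, division in connections:
        if division != "NS":
            divs[sensor].add(division)
    return divs


def cross_division_sensors(connections, nonsafety_prefix="NS-"):
    """Nonsafety sensors that violate the rule: tied to two or more safety divisions."""
    return sorted(
        sensor
        for sensor, divisions in sensor_divisions(connections).items()
        if sensor.startswith(nonsafety_prefix) and len(divisions) > 1
    )


def divisions_credited(connections, failed_sensor, all_divisions):
    """Divisions still credited after a fault on `failed_sensor`.

    Modelling assumption (ours, not the report's): the fault disables every
    safety impulse line the sensor shares, and a worst-case single active
    failure then removes one more of the divisions that remain."""
    lost = sensor_divisions(connections).get(failed_sensor, set())
    remaining = set(all_divisions) - lost
    return max(len(remaining) - 1, 0)


def review(connections, all_divisions, required, nonsafety_prefix="NS-"):
    """Findings for the review: rule violations, plus any nonsafety sensor whose
    fault would leave fewer than `required` divisions credited."""
    findings = []
    for sensor in cross_division_sensors(connections, nonsafety_prefix):
        findings.append(f"{sensor}: connected to more than one safety division")
    nonsafety = sorted({s for s, _l, _d in connections if s.startswith(nonsafety_prefix)})
    for sensor in nonsafety:
        left = divisions_credited(connections, sensor, all_divisions)
        if left < required:
            findings.append(
                f"{sensor}: only {left} division(s) credited after its fault "
                f"plus one single active failure"
            )
    return findings


if __name__ == "__main__":
    # `required=2` is a constructed threshold for the sample, not plant logic.
    for finding in review(CONNECTIONS, ALL_DIVISIONS, required=2):
        print(finding)
```

On the constructed table the only finding is the sensor deliberately wired across divisions A and C; every sensor confined to one division, or to a nonsafety-only line, passes. The `required` threshold is a parameter precisely because the number of divisions a given trip logic needs is a plant-specific input that the report does not state.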

Q. 5. Assuming a failure of the reactor vessel water level (L8) trip (safety-related) of the feedwater pumps and no operator action, reactor power and vessel water level would continue to rise until a turbine trip (and subsequent reactor trip) will occur due to high vibration caused by moisture in the steam lines. For the worst case, this could occur before the reactor power level reaches the APRM high power level reactor trip setpoint.

The Staff is concerned that this could lead to a turbine trip without bypass event initiated from a higher power level than previously analyzed in the FSAR. If it is concluded that such a condition could develop, the applicant should verify that the consequences are bounded by the Chapter 15 analyses.

Response: The analysis of this event is presented in Section 4.0 of this report. The analysis confirms that the consequences are bounded by the FSAR Chapter 15 analyses.

Q. 6. It should be verified that the consequences of the worst-case event combination considered in the HELB analysis are bounded by a small fraction (<10%) of 10CFR Part 100 guidelines.

Response: The event of a large steam line pipe break outside containment for CPS has been analyzed and the analysis is presented in the FSAR Section 15.6.4. The calculated radiological exposures for the design basis analysis for this event are shown to be a small fraction of the guidelines of 10CFR Part 100 (FSAR Section 15.6.4.5.1.3).

The Loss-of-Coolant Accident (resulting from the spectrum of postulated piping breaks within the reactor coolant pressure boundary) inside containment analysis is presented in the CPS FSAR Section 15.6.5. The calculated radiological exposures for this event are shown to be a small fraction of the guidelines of 10CFR Part 100 (FSAR Section 15.6.5.5.2.3).

The Feedwater Line Break outside containment analysis is presented in the CPS FSAR Section 15.6.6. The calculated exposures for the realistic analysis for this event are shown to be a small fraction of 10CFR Part 100 guidelines (FSAR Section 15.6.6.5.2.3).

These hypothetical HELB events combined with nonsafety-related control system failures are bounded by FSAR Sections 15.6.4, 15.6.5 and 15.6.6 and are discussed in Section 3.0 of this report.

The loss of feedwater heating event with turbine trip and turbine bypass failure has been analyzed by General Electric. The analysis presented in Section 4.0 indicates that no fuel rod perforations would be expected due to this event and that the radiological consequences are limited to the activity released to the suppression pool as a result of safety/relief valve actuation. These radiological consequences are bounded by the analysis presented in Section 15.2.4.5 (closure of MSLIVs).

APPENDIX A

SPECIAL TRANSIENT EVENT ANALYSIS TO SUPPORT CONTROL SYSTEM FAILURE ANALYSIS FOR CLINTON POWER STATION