an Assessment of the Safety Implications of Control at the Calvert CLIFFS-1 Nuclear Plant.Volume 2:Appendices

ML20210M450
Person / Time
Site:	Calvert Cliffs
Issue date:	07/31/1986
From:	Ball S OAK RIDGE NATIONAL LABORATORY
To:	NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
CON-FIN-B-0467, CON-FIN-B-0816, CON-FIN-B-467, CON-FIN-B-816 NUREG-CR-4265, NUREG-CR-4265-V02, NUREG-CR-4265-V2, ORNL-TM-9640-V2, NUDOCS 8610030411
Download: ML20210M450 (371)
v • d • e

Text

. - _ _ - _ _ _ _ _ _ _ _ _ _ _

o 1

NUREG/CR-4265 Volume 2 ORNL/TM-9640/V2 OAK RIDGE NATIONAL LABORATORY An Assessment of the Safety implications of Control at the

" " " " "'" Calvert Cliffs-1 Nuclear Plant Volume 2: Appendices S. J. Ball R. E. Battle  ;

E. W. Hagen 1 L. L. Joyner l A. F. McBride J-P. A. Renier O. L. Smith l R. S. Stone j Prepared for the U.S. Nuclear Regulatory Commission l Office of Nuclear Regulatory Research Under Interagency Agreement DOE 40-550-75 l

8610030411 860731 PDR P

ADOCK 05000317 PDR OPERATEDBY MARTIN MARIETTA ENERGY SYSTEMS, INC.

FOR THE UNITED STATES DEPARTMENT OF ENERCY

1

)

i 4

a l

NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus

' product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned

- nghh.

I i

Available from Superintendent of Documents U.S. Government Printing Omce Post Office Box 37082 Washington, D.C. 20013-7982 1

and National Techmcal information Sennce Springfield, VA 22161 i

I L

NUREG/CR-4265 Volume 2 ORNL/TM-9640/V2 NRC Distribution R1, RG, R4, 13 Instrumentation and Controls Division AN ASSESSMENT OF THE SAFETY IMPLICATIONS OF CONTROL AT THE CALVERT CLIFFS-1 NUCLEAR PLANT Volume 2: APPENDICES S. J. Ball, Program Manager Authors and Contributors:

P. N. Austin' S. J. Hurrell S. J. Ball L. L. Joyner' R. E. Battle C. G. Lawson S. J. Caruthers

• C. W. Mayo 1 N. E. Clapp, Jr. T. C. Morelock F. H. Clark A. F. McBride l R. D. Dabbs* J-P. A. Renier J. D. Freels 2 0. L. Smith E. W. Hagen R. S. Stone K. M. Henry W. A. Waddell Manuscript Completed: June 1986 Date of Issue: July 1986

' Science Applications, Inc., Oak Ridge, Tenn.

Technology for Energy, Knoxville, Tenn.

8 Joyner Engineers and Trainers, PC., Forest, Va.

Prepared for the Division of Engineering Technology U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Washington, DC 20555 Under Interagency Agreement DOE 40-550-75 NRC FIN. Nos. B0467 and B0816 Prepared by OAK RIDGE NATIONAL LABORATORY Oak Ridge, Tennessee 37831 operated by MARTIN MARIETTA ENERGY SYSTEMS, INC.

for the U.S. DEPARTMENT OF ENERGY under Contract No. DE-AC05-840R21400

-. - . - - - _ . . _ _ _ - .- _ _ _ .. - _ - -- - . . ~ . - --

f.

i

'i j

1 .

j CONTENTS i

PAGE j LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . .. . vii 1

LIST OF TABLES . . . . . . . . .. . . . . . . . . . . . . . ... ix

=

i LIST OF ACRONYMS . . . . . . . . . . . . . . . . . . . . . . . . . xii r APPENDIX:

1 A. SELECTION OF SYSTEMS FOR ANALYSIS . . . . . .. . . . . . . . 1 i

j A.1 CALVERT CLIFFS SYSTEMS LIST . . . . . . . . . . . . .. 1 1 A.2 RCS INTERFACING SYSTEMS . . . . . . . . . . . . . . . . 19 i

A.3 SAFETY SYSTEM INTERFACING SYSTEMS . . . . . . .. . . . 23 B. SYSTEM DESCRIPTIONS . . . . . . . . . . . . .. . . . . . . 29 l B.1 REACTOR COOLANT SYSTEM . . . . . . . . . . . . . . . . . 29 l

t l B.2 CHEMICAL AND VOLUME CONTROL SYSTEM . . . . . . . . . . . 34 4

1 i B.3 PRESSURIZER LEVEL REGULATING SYSTEM . . .. . . . . . . 41 l

B.4 REACTOR COOLANT PRESSURE REGULATING SYSTEM . . . . . . . 42 i

B.5 REACTOR REGULATING SYSTEM . . . . . . . . . . . . . .. 45 i '

i B.6 CONDENSATE, MAIN FEEDWATER, AND STEAM j GENERATOR SYSTEM . . .. . . . . . . . . . . . . . . . . 52 j

l B.7 FEEDWATER REGULATING SYSTEM . . . .. . . . . . . . . . 65 4

! B.8 MAIN STEAM, ATMOSPHERE STEAM DUMP, AND TURBINE BYPASS CONTROL SYSTEM . . . . . . . . . . .. . 67 i

B.9 COMPONENT COOLING SYSTEM . . . . . . . . . . . . . . .. 72 4

B.10 SERVICE WATER SYSTEM . .. . . . . . . . . . . . . .. . 80

B.11 SALT WATER COOLING SYSTEM . . . . . . . . . . . .. .. 89 B.12 CALVERT CLIFFS AC ELECTRICAL DISTRIBUTION SYSTEM . . . . .. .. . . . . . . . . .. . . . . . . .. 92 1,

l B.13 INSTRUMENT AIR SYSTEM . . . . . . . .. .. . . . .. . 100 t

I iii i

i I - _ _ _ .. ..

'l CONTENTS (Continued)

C. DETAILED FMEAs . . . . . .. . . . . . . . . . . . . . . . . 113 C.1 REACTOR COOLANT SYSTEM . . . . . . . . . . . . . . . . . 115 C.2 CHEMICAL AND VOLUME CONTROL SYSTEM . . . . . . . . . . . 128 C.3 PRESSURIZER LEVEL REGULATING SYSTEM . . . . . . . . . . 159 C.4 REACTOR COOLANT PRESSURE REGULATING SYSTEM . . . . . . . 168 C.5 REACTOR REGULATING SYSTEM . . . . . . . . . . . . . . . 174 C.6 MAIN FEEDWATER AND CONDENSATE SYSTEM . . . . . . . . . . 177 C.7 FEEDWATER REGULATING SYSTEM . . . . . . . . . . . . . . 193 C.8 MAIN STEAM SYSTEM AND THE ATMOSPHERIC STEAM DUMP AND TURBINE BYPASS CONTROL SYSTEM . . . . . . . . . 198 C.9 COMPONENT COOLING SYSTEM , . . . . . . . . . . . . . . . 204 C.10 SERVICE WATER SYSTEM . . . . . . . . . . . . . . . . . . 21 6 C.11 SALT WATER COOLING SYSTEM . . . . . . . . . . . . . . . 234 C.12 INSTRUMENT AIR SYSTEM . . . . . . . . . . . . . . . . . 237 D. FMEA 0F THE REGULATING SYSTEMS ELECTRIC POWER DISTRIBUTION CIRCUITRY . . . . . . . . . . . . . . . . . . . 251 ABSTRACT . . . . . . . . .. . . . . . . . . . . . . . . . . 253 D.1 INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . 255 D.2

SUMMARY

OF RESULTS . . . . . . . . . . . . . . . . . . . 258 D.3 REGULATING SYSTEMS FUNCTIONAL DESCRIPTION . . . . . . . 261 D.4 POWER SUPPLY DISTRIBUTION AND ANALYSIS . . . . . . . . . 285 D.5 EFFECTS OF VITAL INSTRUMENT BUSES 1Y01 AND 1YO2 CIRCUIT FAILURES ON REGULATING SYSTEMS RESPONSE . . . . 293 D.6 EFFECTS OF INSTRUMENT BUSES 1YO9 AND 1Y10 CIRCUIT FAILURES ON REGULATING SYSTEMS RESPONSE , . . . 298

[

iv

l CONTENTS (Continued) i D.7 EFFECTS OF DOUBLE INSTRUMENT BUS FAILURES ON REGULATING SYSTEMS RESPONSE . . . . . . . . . . ... . 302 D.8 EFFECTS OF 125-V de BUSES 11 AND 21 FAILURES ON REGULATING SYSTEMS RESPONSE . . . . . . . . .. . ... 307 D.9 EFFECTS OF MOTOR CONTROL CENTER (MCC) 109PH, 110PH, 110PH,111PH, AND 112PH FAILURES ON REGULATING SYSTEMS RESPONSE . . . .. . . . . . . . . . . .. .. . 309 i

D.10 EFFECTS OF MOTOR CONTROL CENTER (MCC) 104R AND 114R FAILURES ON REGULATING SYSTEMS RESPONSE . . . ... 31 0 D.11 EFFECTS OF 480-V UNIT BUSES 11 A AND 11B (4-kV UNIT BUS 11) FAILURES ON REGULATING SYSTEMS RESPONSE . . . . . . . . . . . . . .. . . .. . 31 2 D.12 EFFECTS OF 480-V UNIT BUSES 12A AND 12B (4-kV UNIT BUS 12) FAILURES ON REGULATING SYSTEMS RESPONSE . .. . . . . . . .. . . . .. . .. . 31 4 D.13 EFFECTS OF 480-V UNIT BUSES 13A AND 13B (4-kV UNIT BUS 13) FAILURES ON REGULATING SYSTEMS RESPONSE . . . .. . . . . . .. . . . . . . . . 31 5 D.14 EFFECTS OF 480-V UNIT BUSES 14A AND 14B (4-kV UNIT BUS 14) FAILURES ON REGULATING SYSTEMS RESPONSE . .. . . . . . .. .. . . .. . .. . 31 6 E. RESPONSE TO BG&E COMMENTS ON MAY 31, 1985 DRAFT FINAL REPORT . . . . . . . .. . . . . . . . . . . .. .. . 31 9 l

l l

1 V

LIST OF FIGURES Figure Title Page B1 RCS piping and instrumentation diagram . . . . . . . . . . 30 B2 Quench tank piping and instrumentation diagram . . . . . . 31 B3 Piping diagram of charging and letdown system . . . . . . 35 B4 Piping diagram of makeup system . . . . . . . . . . . . . 36 Bd Pressurizer level regulating system functional block diagram . . . . . . . . . . . . . . . . . . . . . . 43 B6 Charging pump motor control functional block diagram . . . . . . . . . . . . . . . . . . . . . . . . . 44 B7 Reactor coolant pressure regulating system functional block diagram . . . . . . . . . . . . . . . . . 46 B8 Back-up heater control functional block diagram . . . . . 47 B9 Reactor regulating system block diagram . . . . . . . . . 49 B10 Unit-1 condensate system simplified diagram (sheet 1) . . 53 B11 Unit-1 condensate system simplified diagram (sheet 2) . . 54 B12 Main feedwater system simplified block diagram . . . . . . 55 B13 Feedwater regulating system . . . . . . . . . . . . . . . 66 B14 Main steam system flow diagram . . . . . . . . . . . . . . 68 B15 Turbine bypass and atmospheric steam dump functional block diagram . . . . . . . . . . . . . . . . . . . . . . 69 B16 Component cooling system (sheet 1) . . . . . . . . . . . . 73 B17 Component cooling system (sheet 2) . . . . . . . . . . . . 74 B18 Service water system block diagram . . . . . . . . . . . . 81 B19 Salt water cooling system . . . . . . . . . . . . . . . . 90 B20 500 kV and 13.8 kV distribution . . . . . . . . . . . . . 93 B21 4.16 kV distribution . . . . . . . . . . . . . . . . . . . 95 vii

I

'l i

4 LIST OF FIGURES (Continued) 1 1 Figure Title Page i

i B22 Emergency power (ESF) 4.16 kV bus . . . . . . . . . . . . 97 1

B23 480 y distribution . . . . . . . . . . . . . . . . . . . . 99  !

4 B24 125-V de and 120-V ac systems . . . . . . . . . . . . . . 101 1

i B25 Compressed air system simplified diagram . . . . . . . . . 103 j

! B26 Instrument air system power distribution . . . . . . . . . 105 i i

j B27 Unit 1 instrument air distribution system . . . . . . . . 107 4

B28 Unit 2 instrument air distribution system . . . . . . . . 108 3

l B29 Instrument air system diagram . . . . . . . . . . . . . . 109 l D1 Reactor regulating system functional block diagram . . . . 262 l D2 Reactor coolant pressure regulating system functional block diagram .. ... . . . . . . . . . . . . . . . . . 269

! D3 Back-up heater control functional block diagram . . . . . 270 l D4 Pressurizer relief valve control functional j block diagram . . . .. . . . . . . . . . . . . . . . . . 271 -

l D5 Pressurizer level regulating system functional

block diagram . . .... . . . . . . . . . . . . . . . . 275 D6 Charging pump motor control functional block diagram . . . 276 D7 Feedwater regulating system functional block diagram . . . 278 D8 Feedwater pump speed control functional block diagram . . 281 D9 Turbine bypass and atmospheric steam dump functional block diagram .. .. . ... . . . . . . . . . . . . . . 284 D10 Simplified schematic of Calvert Cliffs Unit I ac power distribution . . . . . . . . . . . . . . . . . . . . . . . 286 l

viii

i l

LIST OF TABLES j Table Title Page Al Identification and first-stage selection of I l Calvert Cliffs nuclear systems . . . . . . . . . . . . . . 3 3

! A2 Identification and first-stage selection of Calvert Cliffs engineered safety features actuation systems . . . . . . . . . . . . . . . . . . . . 6 A3 Identification and first-stage selection of i Calvert Cliffs containment systems . . . . . . . . . . . . 7 i

i A4 Identification and first-stage selection of a Calvert Cliffs electrical systems . . . . . . . . . . . . 9 i

j AS Identification and first-stage selection of Calvert Cliffs power conversion systems . . . . . . . . . 10 <

i A6 Identification and first-stage selection of Calvert Cliffs process auxiliary systems . . . . . . . . . 12 i

! A7 Identification and first-stage selection of Calvert Cliffs auxiliary systems . . . . . . . . . . . . . 15

A8 RCS interfac's with applicable nuclear, safety t

features, electrical, and containment systems . . . . . . 20 i

j , A9 RCS interfaces with power conversion systems . . . . . . . 21 A10 RCS interfaces with process auxiliary systems . . . . . . 22 l

l All RCS interfaces with auxiliary systems . . . . . . . . . . 24 4

A12 Secondary interface systems . . . . . . . . . . . . . . . 25 i

! A13 Sarety systems identified in Tables Al through A7 . . . . 27 1

B1 Steam generator design characteristics . . . . . . . . . . 58 j B2 Summary of significant steam generator levels . . . .. . 63 B3 125-v de breaker control panel . . . . . . . . . . . . . . 102 1

$ ix

[

l i

LIST OF TABLES (Continued)

Table Title Page C1 Reactor coolant system FMEA . . . . . . . . . . . . . . . 115 C2 Chemical and volume control system FMEA . . . . . . . . . 128 C3 Pressurizer level regulating system FMEA . . . . . . . . . 159 C4 Reactor coolant pressure regulating system FMEA . . . - . . 168 C5 Reactor regulating system FMEA . . . . . . . . . . . . . . 174 C6 Main feedwater and condensate FMEA . . . . . . . . . . . . 177 C7 Feedwater regulating system FMEA . . . . . . . . . . . . . 193 C8 Main steam and atmospheric steam dump turbine bypass control system FMEA . . . .. . . . . . . . . . . . . . . 196 C9 Component cooling system FMEA . . . . . . . . . . . . . . 204 C10 Service water system FMEA . .. . . . . . . . . . . . . . 21 6 C11 Salt water system FMEA . . . . . . . . . . . . . . . . . . 234 C12 Instrument air system FMEA . .. . . . . . . . . . . . . . 237 D1 Calvert Cliffs Unit I regulating systems . . . . . . . . . 256 D2 Reactor regulating system inputs and outputs . . . . . . . 263 D3 Reactor coolant pressure regulating system inputs and outputs . . . . . . . . . .... . . . . . . . . . . . . 268 D4 Pressurizer level regulating system inputs and outputs . . 274 D5 Feedwater regulating system inputs and outputs . . . . . . 277 D6 Main feedwater pump speed control inputs and outputs'. . . 280 l D7 Atmospheric steam dump and turbine bypass system inputs j and outputs . . . . . . . ................ 283

! D8 Calvert Cliffs Unit 1 regulating systems power supply failure modes . . . . . . ................ 289 l

x

LIST OF TABLES (Continued)

Table Title Page D9 Calvert Cliffs Unit I regulating systems multiple power supply f ailure modes . . . . . . . . . . . . . . . . 292 DIO Initial control response of individual regulating systems to failures of vital instrument buses 1Y01 and 1YO2 . . . 294 D11 Initial control response of affected regulating systems to f ailures of instrument bus 1YO9 . . . . . . . . . . . . 299 D12 Initial control response of affected regulating systems to failures of instrument bus 1Y10 . . . . . . . . . . . . 300 D13 Initial control response of affected regulating systems to failures of 125-V de buses 11 and 21 . . . . . . . . . 308 D14 Initial control response of affected regulating systems to failures of motor control centers (MCCs) 109PH, 110PH, 111 PH, and 112PH . . . . . . . . . . . . . . . . . 309 D15 Initial control response of affected regulating systems to failures of motor control center (MCC) 104R . . . . . . 311 D16 Initial control response of affected regulating systems to f ailures of motor control center (MCC) 114R . . . . . . 311 D17 Initial control response of affected regulating systems to failures of 480-V unit buses 11 A and 11B (4-kV unit bus 11) . . . . . . . . . . . . . . . . . . . . . . . . . 31 3 D18 Initial control response of affected regulating systems to failures of 480-V unit buses 12A and 128 (4-kV unit bus 12) . . . . . . . . . . . . . . . . . . . . . . . . . 31 4 D19 Initial control response of affected regulating systems to failures of 480-V unit buses 13A and 13B (4-kV unit bus 13) . . . . . . . . . . . . . . . . . . . . . . . . . 31 5 D20 Initial control response of affected regulating systems to failures of 480-V unit buses 14A and 14B (4-kV unit bus 14) . . . . . . . . . . . . . . . . . . . . . . . . . 317 xi

)

l ACRONYMS ac alternating current ADV atmospheric steam dump valve AFAS auxiliary feedwater actuation system AFW auxiliary feedwater BG&E Baltimore Gas and Electric B&W Babcock and Wilcox

! CE Combustion Engineering

! CEA control element assembly l CEDM control element drive mechanism I CEDS control element drive system

' containment isolation signal CIS CSAS containment spray actuation signal CVC chemical and volume control I CVCS chemical and volume control system 4 dc direct current j dP differential pressure i

j ECCS emergency core cooling system

E/I voltage-to-current i E/P Electric-to-pneumatic l EPRI Electric Power Research Institute j E0P Emergency Operating Procedure j ESF engineered safety features

! ESFAS engineered safety features actuation system 1

FMEA Failure Mode and Effects Analysis j FSAR final safety analysis report i FW feedwater j gpm gallons per minute i

j HP high pressure i hp horsepower j- HPI high-pressure injection HPSI high pressure safety injection l

4 I/I current-to-current l IA instrument air i kV kilovolts j kW kilowatts LER Licensee Event Report LOCA loss-of-coolant accident LOCI loss-of-coolant incident LP low pressure l xii

ACRONYMS (Continued)

LPI low-pressure injection LPSI low-pressure safety injection MCC motor control center MFW main feedwater MMS modular modeling system MSIV main steam isolation valve NIS nuclear instrumentation system NNI nonnuclear instrumentation j NRC U.S. Nuclear Regulatory Commission NSSS nuclear steam supply system ORNL Oak Ridge National Laboratory PA plant air PORV power-operated relief valve PPS plant protection system psia pounds per square inch (absolute) paid pounds per square inch (differential) psig pounds per square inch (gage)

PTS pressurized thermal shock PWR pressurized water reactor RAS recirculation actuation signal RCP reactor coolant pump RCS reactor coolant system RPS reactor protection system RRS reactor regulating system RWT refueling water tank ry reactor year

) SAIC Science Applications International Corporation j

SDS shutdown sequence i SG steam generator SGIS SG isolation signal

SGTR SG tube rupture SI safety injection l SIAS safety injection actuation signal SICS safety implications of control systems SLB steam line break SRW service water Tavg temperature (average) )

Trer desired reactor coolant average temperature '

TBV turbine bypass valve V volts VCT volume control tank xiii i

APPENDIX A 1

SELECTION OF SYSTEMS FOR .LNALYSIS The objective of this work, as discussed in Vol.1, Sect. 2, is to

conduct detailed FMEAs on control systems having a major impact on RCS

{ overcooling, undercooling, or safety system performance. The method of achieving this objective consists of three steps:

1. Identify the Calvert Cliffs systems and functional interfaces.

1 2. Based on the methodology discussed in Section 3.1 identify those

systems which have a potential impact on RCS overcooling, j undercooling or safety system performance.

i 3 Conduct FMEAs of the systems identified in (2) above.

! The impact of failures in many plant systems on plant transients is i expected to be minor. Thus, the purpose of a plant-specific system list l with identified interfaces is to aid in the selection of only those systems having a potential significant impact on plant response.

i Because of the large number of systems and components in a nuclear power

{ plant, this preliminary screening is necessary to determine which j systems require detailed analysis since it is not feasible to perform an

in-depth study of all of them.

A.1 CALVERT CLIFFS SYSTEMS LIST j Based on a previously developed generic list of pressurized water

! reactor (PWR) systems' and the Calvert Cliffs Units 1 and 2 Final Safety Analysis Report (FSAR),8 a list of Calvert Cliffs systems was developed.

i The generic systems and their associated subsystems have been grouped j according to seven major functions:

l

{' 1. Nuclear systems include the reactor core and those systems and subsystems which monitor and control core reactivity, remove heat

! from the core, and otherwise directly support the safe operation of the reactor.

l 2. Engineered safeguards systems include those systems, other than j containment systems, used to mitigate the effects of reactor

{ accidents such as those specified in the FSAR.

1 1 3 Containment systems include the reactor building and those systems

! needed to prevent reactor building overpressure, to prevent

} exccasive leakage from the reactor building to the environment, and to provide a habitable atmosphere inside the reactor building.

4

! 1

- _ _ _ - . _ _ - .__-__ - - -. - - . - _ _ - - . = _ - _ - - - . - - . . - -- ..

1 l

! 2 1

[ 4 Electrical systems including plant ac and de electric power j distribution circuitry.

1

5. Power conversion systems include the systems and components that i transform or support the transformation of heat energy produced by I the reactor core into electrical energy.

i

! 6. Process auxiliary systems include those systems and subsystems that support the plant systems directly involved in the operation of the reactor coolant systems.

t l 7. Plant auxiliary systems provide support to other plant activities

and personnel.

I

! The generic DWR systems and functionally corresponding Calvert Cliffs systems are listed in Tables A1 through A7. These tables correspond to

} the seven major system functions discussed above. In addition to j listing the generic and corresponding Calvert Cliffs systems. Tables A1 l through A7 list the criteria for selection or elimination based on the i control systems analysis scope considerations discussed in Sect. 3.1 of i Vol. 1.

l The nuclear systems, listed in Table A1, consist of the reactor core, the RCS and associated control systems, and the interfacing systems that

!j recirculate reactor coolant. Of the nuclear systems, only the chemical l and volume control system (CVCS), the RCS, and associated control instrumentation subsystems were retained for failure modes analysis. It l should be noted that systems not selected for FMEA are eliminated only i to the extent that failures of these systems are not postulated independently of other initiating control system failures.

i The engineered safety features actuation systems (ESFAS) have been l identified principally as safety systems as shown in Table A2. The only I

possible exceptions are the auxiliary control panels. Although these

! panels perform standby safety-related functions, it is not known whether i they are safety qualified based on available information. They are

eliminated based on their safety functions.

l The containment systems are listed in Table A3 Most containment l

. systems are safety systems. However, the containment air recirculation and cooling system, although safety qualified, performs the containment cooling functions during normal operation. In addition, the containment purge system and the pressurizer compartment cooling equipment have also been retained.

The power conversion systems are included in total as shown in Table AS.

The operating status of these control systems is expected to have a l

l

i Table A1. Identification and first-stage selection of Calvert Cliffs nuclear systems Non-Esclusion Exclusion Generic FWR Corresponding Calvert Cliffs Nuclear Systems Criteria Criteria Nuclear Systems N01 The reactor N01 Reactor Core Not Reactor Core core is a safety syntes Control Elesant Drive N02 CEDM do not NO2 Control Rod Drive NO2 influence System Mechanises (CEDM) transients following reactor trip _

Reactor Control System Control Element Drive NO3 CEDS does not NO3 NO3 System (CEDS) influence w transients following reactor trip N04 Reactor Coolant System N04 Reactor Coolant System N04 Bosponse of RCS (including reactor (RCS) provides the basis for vessel and internals) evaluating control N04.A Reactor Regulating Systes system failures N04 B Reactor Coolant Pressure Regulating System Emergency Boration NOS Cheetcal and Volume N05 Emergency NOS System Control System (CVCS) Boration is a (see N09) safety fun 9 tion (see N09, CVCS)

________m- _

Table A1. (continued) 1 Generic PWR Corresponding Calvert Non-Exclusion Exclusion Nuclear Systems Cliffs Nuclear Systems Criteria Criteria i

i 1 N06 Reactor Protection N06 Reactor Protective N06 The RPS is a 1 System System (RPS) safety syntes which has no 1

l function following reactor trip N07 Nuclear Monitoring / NOT Nuclear NO7 The NI has no Nuclear Instrumentation Instrumentation System function System (MI) following

reactor trip N08 Residual Heat Removal / N08 Shutdown Cooling

• N08 The Shutdown Low Pressure Safety System cooling systes

! Injection System is used only following plant shutdown and depres-surization 1

=

j

)

Table A1. (continued)

Generic PWR Corresponding Calvert Non-Exclusion Exclusion Nuclear Systems Cliffs Nuclear Systems Criteria Criteria N09 Chemical and Volume N09 Chemical and Volume N09 The CVCS directly Control System Control System (CVCS) interfaces with the (see NOS) RCS N09.A Pressurizer Level N09.A The Pressurizer Level Regulating System Regulating system controls flow to and from the PCS N09.B Reactor Regulating N09.B The Reactor Regulating System (see N04.1) System establishes the pressurizer level setpoint N09.C Electrio Heat Tracing N09.C No basis for elimination

1 Table A2. Identification and first-stage selection of Calvert Cliffs engineered safety features actuation systems Generic PWR Engineered Corresponding Calvert Cliffs Non-Exclusion Exclusion Safety Features Systems criteria Criteria Safety Features Systems Engineered Safety SO2 Engineered Safety SO2 The ESFAS is a S02 safety system Features Actuation Features Actuation System System (ESFAS)

Safety Injection S03 The Safety S03 Sarety Injection S03 System Injection System Systems are Safety Systems S03.A High Pressure Safety S03.A High Pressure Safety Injection Subsystem Injection Subsystem (HPSI) .

S03.B Safety Injection 303.B Safety Injection Tank / Core Flood Tanks Subsystem S03.C Low Pressure Safety S03.C Low Pressure Safety Injection Subsystem Injection Subsystem (LPSI)

Remote Shutdown System SO4 Auxiliary Control SO4 Assumed to be SO4 Panels a safety system Auxiliary Feedwater SOS The AFS is a SOS Auxiliary Feedwater SOS l

System (AFS) safety system System

\

l

Table A3 Identification and first-stage selection of Calvert Clifra containment systems Generic PWR Corresponding Calvert Cliffs Non-Exclusion Exclusion Containment Systems Criteria Criteria Containment Systems CO2 Containment Structure CO2 The contain-CO2 Reactor Building /

ment structure Containment and -

and penetra-Penetrations tions are safety systema Containment Cooling C03 Containment Air C03 Although a safety C03 System Rectroulation and system, the Containment Cooling System Air Recirculation and (see C08) Cooling System providea cooling during normal operation y C04 containment Isolation C04 Isolation System C04 The Contain-is a function of the ment Isolation Engineered Safety System is a safety system Features Actuation System and the various piping systems which penetrate containment C05 Containment Purge C05 Containment Purge C05 No basta for System System elimination Combustible Gas C07.A Electric Hydrogen C07 Hydrogen C07 Control System Recombiner Control Systems are C07.B Hydrogen Purge System, safety systems

Table A3 (continued)

Generic PWR Corresponding Calvert Cliffs Non-Exclusion Exclusion Containment Systems Containment Systems Criteria Criteria C08 Containment C08 Containment Air Ventilation System Recirculation and Cooling System (see C03)

C08.A CEDM Cooling System C08.1 The CEDM and their cooling system do not influence transients following remotor trip C08.B Pressurizer C08.B No basis for Compartment Cooling elimination C10 Containment Spray C10.A Containment Spray C10 The Contain-System System ment Spray and Iodine Removal C10.B Containment Iodico Systems are Removal Systes safety systems C11 Penetration Room C11 Containment C11 The Contain-Ventilation System Penetration Room ment Penetra-Ventilation System tion Room Ventilation System is a i safety system i

l

)

Table A4. Identificatien and first-stage selection of Calvert Cliffs electrical systems Generic PWR Corresponding Calvert Cliffs Non-Exclusion Exclusion Electrical Systems Electrical Systems Criteria Criteria E01 Main Power System E01 500 KV Switchyard and E01 Electrical Unit Transformer System (see E07)

E02 Plant AC Distribution E02 13.000, 4160 and 480 E02 Electrical System Volt Station System Distribution Systems E03 Instrumentation and E03 125 Volt DC and E03 Electrical Control Power Systems Instrument AC Systems System E04 Emergency Power E04 Emergency Diesel E04 Safety System Generators System EOS Plant Lighting System EOS Specific Systen EOS Not necessary Unidentified in responding to plant transients E06 Plant Computer E06 Plant Computer E06 No basis for elimination

l i

i i

Table AS. Identification and first-stage selection or Calvert C11rra power conversion systems Corresponding Generic PWR Power Calvert Cliffs Power Non-Exclusion Exclusion Conversion Systems Conversion Systems Criteria. Criteria P01 Main Steam System P01 Main Steam System P01 Direct Interface (see P03) with Steam Generators P02 Turbine-Generator P02 Turbine Generator and P02 Direct Interface System Condenser System with Hain Steam and (see PO4.A) Condensate and Feodwater Systems P02.A Turbine Generator Control System P03 Turbine Bypass System P03 Hein Steam System P03 Direct Interface .

(see POI) with Steam Generators P03.A Steam Dump and Turbine Bypass Control System P03.B Reactor Regulating System (see N04.A)

PO4 Condenser and PO4.A Turbine Generator and PO4.A See P02, Turbine Condensate System Condenser System Generator and (see P02) Condenser System PO4.B Condensate and PO4.B Direct Interface Feedvater System with Steam Cenerators (see POS)

i I

i Table AS. (continued)

Corresponding Generic PWR Power Calvert Cliffs Power Non-Exclusion Exclusion Conversion Systems Criteria Criteria Conversion Systems Feedwater System POS Condensate and POS See PO4.B. Condensate i POS Feedvater System and Feedwater System  !

(see PO4.B)

P05.A Feedwater Regulating System P06 Circulating Water P06 Circulating Salt P06 Direct Interface System Water Cooling System with Turbine Generator and Condenser System

=

P07 Steam Generator P07 Steam Generator P07 Direct Interface Blowdown System Blowdown System with Steam Generators P08 Auxiliary Steam System P08 Auxiliary Boiler P08 No Baats for Elimination i Steam System

Table A6. Identification and first-stage selection of Calvert Cliffs process auxiliary systems Corresponding Generio PWR Process Calvert Cliffs Process Non-Exclusion Exclusion Auxiliary Systems Auxiliary Systems Criteria Criteria WOI Radioactive Waste WO1 Waste Processing WOI Wo basis for System Systems elimination W01.A Gaseous Radwaste WO1.A Waste Gas Processing System System WO1.B Liquid Radwaste WOI.B1 Reactor Coolant Waste System Processing System (see WO4.A)

WO1.B2 Hiscellaneous Waste .

Processing System WO1.C Solid Radwaste System WOI.C Solid Waste Processing System WO2 Radiation Monitoring WO2 Radiation Monitoring WO2 No baats for System System elimination WO3 Cooling Water Systems WO3 Cooling Water Systems Wo3 Cooling water systems are required for the WO3.A Reactor Building WO3.A Component Cooling operation of other Cooling Water System Water System key systems WO3.B Turbine Building WO3.B Service Water System Cooling Water System

Table A6. (continued)

Corresponding Generic PWR Process Calvert Cliffs Process Non-Exclusion Exclusion Auxiliary Systems Auxiliary Systems Criteria Criteria WO4 Service Water Systems WO4 Cooling Water Systems WO4 Service and Cooling Water Systems are WO4.A Demineralized Hakeup WO4.A Reactor Coolant Waste required for the Water System Processing System operation of other (see WO1.B) key systems WO4.B Station Service Water WO4.B Salt Water System System WO4.C Chilled Water System WO4.C Function provided as parts of the Plant .

Ventilating System where applicable WOS Refueling System WO5 Reactor Component WOS Reactor Handling Equipment Component Handling Equipment la in operation only during reactor cold shutdoun WO6 Spent Fuel Storage WO6 Spent Fuel Storage WO6 No baats for System System elimination WO6.A Fuel Pool Cooling WO6.A Spent Fuel Pool and Cleanup System Cooling System

Table A6. (continued)

Corresponding Generic PWR Process Calvert Cliffs Process Non-Exclusion Exclusion Auxiliary Systems Auxiliary Syntena Criteria Criteria WO7 Compressed Air System WO7 Compressed Air System WO7 Compressed Air Systems are required for the WO7.A Service Air System WO7.A Plant Air System operation of other key ayatena WO7.B Instrument Air System WO7.B Instrument Air System WO8 Process Sampling WO8 Sampling System WO8 No basta for System elimination WO9 Plant Gas System WO9.A Hydrogen Gas System WO9 No basis for elimination ,

WO9.B Nitrogen Gas System

• t

M Table A7. Identification and first-stage selection of Ca} vert Cliffs auxiliary systems Generic Plant Corresponding Calvert Cliffs Non-Exclusion Exclusion Auxiliary Systems Aur111ary Systems Criteria Criteria 101 Potable and Sanitary 101 Specific system not 101 No basis for Water System identified from elimination

. available information 102 Fire Protection System 102 Fire Protection System 102 No basis for elimination 103 Communications System 103 Plant Communications 103 No basis for System elimination 104 Security System 104 Spectrio systems not IO4 No basis for identified from elimination -

available information 105 lleating, Ventilating, 105 Plant Ventilating and Air Conditioning Systems Systems 105.A Control Room 105.A Control and Cable 105.1 Although a safety Itabitability System Spreading Rooms system, the Control Ventilating System and Cable Spreading (see 105.D1) Roon Ventilation System provides cooling during normal operation

Table A7. (continued)

Generio Plant Corresponding Calvert C11rra Non-Exclusion Exclusion Auxiliary Systems Auxiliary Systems Criteria Criteria 105.B Turbine Building 105.B1 Turbine Building 105.B1 No beats for Ventilation System Ventilating System elimination IOS.B2 Auxiliary Feedvater 105.B2 Safety System Pump Room Emergency Cooling System 105.C Diesel Building 105.C Diesel Generator Rooms IOS.C Safety System Ventilation System Ventilating System (see 105.D4) 5 t

Table A7. (continued)

Generic Plant Corresponding Calvert Cliffs Non-Exclusion Exclusion Aur111ary Systems Criteria Criteria Auxiliary Systems 105.D Auxiliary Building 105.D Aur111ary Building Ventilation System Ventilating Systems 105.D1 Control and Cable IOS.D1 See 105.1 Spreading Room Ventilating System 4

(see 105.A) 105.D2 Access Controlled Area 105.D2 No basis for Ventilating Systems elimination IOS.D3 Switchgear Rooms 105.D3 Sarety System  ;

Ventilating System used to cool electrical equipment 105.D4 Diesel Generator Rooms IOS.D4 Saraty System Ventilating System (see 105.C) 105.D5 Spent Fuel Pool 105.D5 No basia for Ventilating System elimination (see 105.E) 105.D6 Radwaste Area 105.D6 No basis for Ventilating System elimination 105.D7 ECCS Pump Room 105.D7 Safety System Ventilating System

Table A7. (continued)

Generic Plant Correspending Calvert Cliffs Non-Exclusion Exclusion Auxiliary Systems Au4111ary Systems Criteria Criteria 105.E Fuel Building 105.E Spent Fuel Pool 105.E No basis for Ventilation Systen Ventilating Systen elimination (see 105.D5) 106 Non-Radioactive 106 Included in WO1, Waste 106 No basis for Waste System Processing Systems elimination iii

, ._= _ ._. - _ . ~ . - _ _ _ _ _ _

19 significant effect on the post reactor-trip RCS overcooling and insufficient core cooling failure modes.

With the exception of the reactor component handling system, which operates only during cold shutdown states, the process auxiliary systems

! have been retained. The process auxiliary systems are listed in Table A6.

The auxiliary systems are listed in Table A7. With the exception of qualified ventilation systems, used exclusively to cool safety systems, the auxiliary systems have been retained.

A.2 RCS INTERFACING SYSTEMS The Calvert Cliffs systems not excluded based on scope considerations l are examined further to assess their functional relationship to RCS l transient response. This functional relationship is assessed in two steps:

1. Control systems having a direct interface with the RCS are selected for FMEA.

2. Control systems having a direct interface with any of the systems directly interfacing with the RCS are selected for FMEA.

These assessments are discussed below.

A.2.1 Systems Directly Interfacing With the RCS The Calvert Cliffs systems selected for analysis as shown in Tables Al through A7 were examined individually to evaluate whether they interfaced directly with the RCS. If an RCS interface could be identified, the system was selected for FMEA.

Table A8 lists all nuclear, safety features, electrical, and containment systems found to be within the scope of this control systems analysis.

The RCS interface of eacn is characterized. As shown in Table A8, all applicable systems were found to have an RCS interface with the exception of the Containment Purge system.

Table A9 lists the selected power conversion systems and the RCS interface characteristics. As shown, the main steam, condensate and feedwater, feedwater regulating, and steam generator blowdown systems had direct RCS interfaces.

The process auxiliary systems and their RCS interface characteristics.

are listed in Table A10. As shown, only the component cooling water and I the sampling system had direct RCS interface. j i

20 Table A8. RCS interfaces with applicable nuclear, safety features, electrical, and containment systems Cn1 sert Cliffs RCS Interface System Number System Name Characterization N04 Reactor Coolant System --

N04.A Reactor Regulating System Direct Interface, Part of RCS N04.B Reactor Coolant Pressure Direct Interface, Part of RCS Regulating Systes l N09 and N09.A, Chemical and Volume Control Interactive Interface N09 B, and System N09.C) 304 Auxiliary Control Panel and Potential Interfaces with Other Local Control Panels Pressurizer and CEDM E06 Plant Computer Interfaces with RCS Instrumentation C03 Containment Air Recirculation Provide cooling for pressurizer and cooling Systes components, CEDM and in-containment RCS instrumentation components l C05 Containment Purge System No Interface with RCS C08.B Pressurizer Compartment The Pressurizer Compartment Cooling Cooling equipment consists of passive ductuork used to cool the pressurizer compartment l

21 Table A9. RCS interfeces with power conversion systems Calvert Cliffs RCS Interface System Number System Name Characterization P01 Main Steam System Interactive Interface (Including Steam Dump and i Turbine Bypass Valves) l P03 1 Steam Dump and Turbine No interface with RCS Bypass Control System P02 Turbine Generator and No interface with RCS Condenser System P02.A Turbine Generator Control No interface with RCS System P05 Condensate and Feedwater Interactive Interface System P05.1 Feedwater Regulating System Interactive Interface P06 Circulating Salt Water No interface with RCS Cooling System P07 Steam Generator Blowdown Interfaces with Steam Systen Generators P08 Auxiliary Boiler Steam No interface with RCS System

22 Table A10. RCS interfaces with process auxiliary systems Calvert Cliffs RCS Interface Systen Number Systen Name Characterization WO1.1 Wasta Gas Processing System No Interface with RCS WO1.51 Reactor Coolant Waste No Interface with RCS Processing Systen WO1.52 Miscellaneous Waste No Interface with RCS Processing System WD1.C Solid Waste Processing No Interface with RCS System WO2 Radiation Monitoring System No Interface with RCS WQ3 1 Component Cooling Water RCS Interface Systen WO3.B Service Water Systen No Interface with RCS WO4.B Salt Water Systen No Interface with RCS WO6 Spent Fuel Storage System No Interface with RCS during reactor operation

WO6. A Spent Fuel Pool Cooling No Interface with RCS System WO7.A Plant Air System No Interface with RCS WO7.B Instrument Air System No Interface with RCS WO8 Sampling System RCS Interface WO9.A Hydrogen Oas System No Interface with RCS ,

WO9.B Nitrogen Oas Systen No Interface with RCS

i 23 Of the auxiliary systems listed in Table All, none had a direct RCS interface.

A.2.2 Systems Indirectly Interfacing With the RCS Of the Calvert Cliffs systems identified, systems have been selected for FMEA based on a direct interface with the RCS. These systems are listed in Tables A8 through All . However, systems not interfacing with the RCS, but required for the operation of one that does, can have a significant influence on RCS response. For this reason, secondary interface systems also are selected for FMEA.

In Table A12, each of the primary RCS interface systems is listed. The systems that interface with these systems and the interface characterizations are listed for each primary RCS interface system.

These primary and secondary interface systems represent systems selected for FMEA. For convenience, systems selected for FMEA are listed only i once even though they may have interf aces with several systems.

For four primary interface systems, feedwater regulation, pressurizer compartment cooling, sampling, and the plant computer, no additional interface systems other than those previously listed were found. Due to the extensive number of possible interfaces, especially with the plant computer and the sampling system, a more detailed analysis than the current screening analysis may be required ~. For this reason, the FMEA i

to be performed on these systems also will serve to identify additional interfacing systems of importance if they exist.

A.3 SAFETY SYSTEM INTERFACING SYSTEMS Since the identification of control system failures which degrade safety functions is a major objective of this program, safety system interfacing systems were evaluated for possible selection. For those safety systems already selected in Table A12, the FMEA will identify and i examine the interf acing systems and the extent of their interaction.

In order to identify safety system interfacing systems, a review of the interfaces with those safety systems previously identified was

! undertaken. Those safety systems identified on the basis of their safety function in Tables Al through A7 are listed in Table A13 Each safety system was reviewed to determine its interfaces. The interfacing systems identified were selected for FMEA only if they were (1) not a safety system, and (2) not previously selected for FMEA.

This review resulted in three additions to the list of systems selected for FMEA: the nitrogen gas, auxiliary boiler steam, and auxiliary building ventilating. All other safety system interfacing systems had either previously been selected for FMEA or were outside the scope of the current analysis program.

r- - -.

24 Table All. RCS interfaces with auxiliary systems Calvert Cliffs RCS Interface Systen Number Systen Name Characterization 101 Potable and Sanitary Water No Interface with RCS 102 Fire Protection System No Interface with RCS Io3 Cosaunications System No Interface with RCS IO4 Security Systen No Interface with RCS 105.A control and Cable Spreading No Interface with RCS Rooms Ventilation System IOS.B1 Turbine Building No Interface with RCS Yentilating System IO5.D2 Access Controlled Area No Interface with RCS Yentilating System IOS.D5 Spent ruel Pool No Interface with RCS Yentilating System IOS.D6 Radwaste Area Ventilating No Interface with RCS Systes

l l

l 25 l

Table A12. Secondary interface systems Primary RCS Secondary Interface Interfacing System Interfacing System Characterization N04.A Reactor No Additional Systems' N/A Regulating Systen N04.B Reactor Coolant No Additional Systems' N/A Pressure Regulating Systen N09 C7CS WO1.A Waste Gas Intermittent Venting of (and Processing Systes Volume Control Tank N09.A, N09.B. WO1.B1 Reactor Coolant Reactor Coolant Diverted and Waste Processing for Processing N09.C) Systen WO1.C Solid Waste Intermittent Disposal of Processing Spent Resins WOT.B Instrument Air Required for the Systes Operation of C7CS Valves WO9.A Rydrogen Gas System Provides H 2 for Addition to Reactor Coolant Makeup 105.D2 Access Controlled Cooling for C7CS Area Ventilating Electrical Components Systes P01 Main Steam P03.A Steam Dump and Control of Turbine Bypass System Turbine Bypass and Atmospheric Dump Control System Valves P02 Turbine Generator Isolation of Steam Flcw and Condenser from Main Steam Lines System POS Condensate and P08 Auxiliary Boiler Auxiliary Boiler Steam Feedwater Steam System System is Used Only System Following Plant Shutdewn WO3.B Service Water cooling Water for System Feedwater and Condensate Pumps

(

26 Table A12. (continued)

Primary RCS Secondary Interface Interfacing System Interfacing System Characterization 105.B1 Turbine Building Cooling for Turbine Yentilating System Building Electrical Components P05.A Feedwater No Additional Systems N/A Regulatir4 System P07 Steam Generator WO1.B2 Miscellaneous Waste Processes Blowdown from Blowdown System Processing System Steam Generators WO2 Radiation Monitoring Monitors Blowdown System Radiation and Isolates Blowdown Line C03 Containment Air C05 Containment Purge Cooling for Purge System Recirculation System Electrical Components and Cooling System C08.B Pressurizer No Additional Systems N/A Compartment Cooling WO3.A Component WO4.B Salt Water System Heat Sink for Component Cooling Water Cooling Water Heat Loads System V08 Sampling No Additional Systems' N/A System E06 Plant Computer No Additional Systems' N/A 8Although additional interfacing systems could not be identified from available information, the possibility of additional interfacing systems and their characteristics will be reinvestigated in performing the FMEA's.

27 1

Table A13 Safety systems identified in Tables Al through A7 System Number Calvert Cliffs System Name N01 Reactor Core N06 Reactor Protective System 30 2 Engineered Safety Features Actuation System 303 Safety Injection System SO4 Auxiliary Control Panels 30 5 Auxiliary Feedwater System CO2 Containment Structure C04 Containment Isolation System C07.A Electric Hydrogen Recombiner C07.B Hydrogen Purge System C10.A Containment Spray System C10.B Containment Iodine Removal System C11 Containment Penetration Roca Ventilation System 105.B2 Auxiliary Feedwater Pump Room Emergency Cooling System 105.C Diesel Generator Rooms Ventilating System 105.D3 Switchgear Rooms Ventilating System 105.D7 ECCS Pump Room Ventilating System

28 REFERENCES FOR APPENDIX A

1. "A Ranking of Nuclear Plant Systems for Failure Modes and Effects Analysis," ORNL #62B-13819C/62X-30, SAI #1-245-08-492-02, December 1982.

2. " Final Safety Analysis Report, Baltimore Gas and Electric Calvert Cliffs Nuclear Plant," December 1980.

t l

l l

l

APPENDIX B SYSTEMS DESCRIPTIONS l

System descriptions are summarized in this section for those systems upon which a component level FMEA was performed (see Vol. 1, Sect. 4.2).

However, the system descriptions do not reflect al1 components included in a system. System components and capabilities built into the plant system but not used in actual operations have been omitted from consideration in this section. System components and capabilities not directly utilized in response to a transient have also been excluded.

B.1 REACTOR COOLANT SYSTEM The reactor coolant system (RCS)

• removes heat from the reactor core region and transfers it to the secondary system. The reactor coolant circulated in the system is borated water maintained above saturation pressure. The reactor coolant system is composed of the reactor vessel, two heat transfer loops, a pressurizer, and a quench tank. Each loop contains one steam generator, two reactor coolant pumps, connecting piping, and flow and temperature instrumentation. The pressurizer is connected to one of the two hot legs by a surge line for maintenance of RCS pressure.

The RCS is shown in Figs. B1 and B2. Four reactor coolant pumps force reactor coolant through the reactor vessel for heat removal and moderation of the core. Two hot legs carry the heated water from the reactor vessel to the steam generators, where heat is transferred to the secondary system water. Reactor coolant flow is returned to the reactor coolant pumps via four cold leg pipes (two leaving each steam generator).

The RCS is designed for 2500 psia and 650aF, but normally operates at 2250 psia. Cold leg temperature is typically 548aF and hot leg temperature varies with power level up to 600aF.

The steam generators are inverted U-tube heat exchangers with the reactor coolant inlet and outlet at the bottom. A vertical divider plate separates the inlet and outlet plenums. Reactor coolant flows on the tubo side while secondary-side water on the shell side absorbs the heat. Secondary-side water vaporizes to steam for use in the turbine generator. The steam generator tubes are designed to withstand a pressure differential of 1600 psi between the tube and shell sides.

On the primary side, a 1500 f t pressurizer provides a surge volume for 8

the control of reactor coolant volume and pressure. Volume and pressure variations caused by contraction or expansion of the reactor coolant occur with changes in power level, as well as with other factors 29

30

88. .

4 [ ,

4 y- ....c..

~~

l .c>4 a <... ... .

s - . . c.

-]

i, q i

. 4 .

-i

.c

, #u.... I- . . . .

mm c.c.,

. . .r. 3 .. . u .. r m 6

/--H (*~-'

c. . ==

.c-..-.

sw.

- ~ -.

.w

.s wat..

g

.. ~ .. y =

.- ===3 ..

.c ,,, = cv oc.

.. . - o

~ 1 .,

.a .

.a.

. . .u. c. .A .

] d

=

, ,,, JL vw ,

9P

.cio.

com ..

[a.a oc m ss

,g,,,,,

'a'="".,um.,

. ... , u.

N v e

{

,n. v ,

.. n

.au

...n ~-~

..c... m ..

a=,. H;4g

"* " ' " '=

i. , ==;;'=

u ... 3, 3,

s6 . s6

,r a co. - - 1r m2 mm. c.,m.

s6

- ' - '- sL

. .. o o a,,"'" s

, ..c. co

. . . ,,,,,,,, } ,,,,,,,,

cm.

/ 1

,,.,._ .u

' ' ' u.

n ... n

. .cu..

g .

=

.AC o. n.

g 2 s r ,2  %.,.,.,.

.C

. c.o.L. .- _mr ,2 u r ,2

l. . e. s.

. cu. -

Fig. B1. RCS piping and instrumentation diagram.

FROM g a f AOM NITROGEN (Ngi PRE S$URilf R l C g gyppgy Rittif VALVES N2 247 N2 246 FROM RE CIRCUL A f TON f .

8 RittEF VALVE ISAFETV INJECTION SYSTEMS FROM

- s DEMeesERAtt2ED FROM RE ACTOR COOL ANT ORAIN DW 6460 CV WATER IDWI SYSTEM OW 250 DW 251 TANK R(LIEF VALVE ;  ;

FROM REACTOR VESSEL N VENT VAlvis

/

r TO WASTE

1. M

• GA5 5YSTEM f ROM PRESSURilfR l TO CONTA188 MENT RUPTURg AC400 CV SV ACm2 SV et LIA- LEVEL INO0CATOR ALARM LT. LEVEL TRANSMITTER RC 260 km Jf pr 2C CA777 T PtA- PRES $UAE INDeCATOR ALARM g

'a is h,,.

PT.

Av.

PAESSUAE TRANSMITTER AtueF VALVE I OUENCH TANK T E- TEMPERATUAE ELEMENT I TIA- TEMPERATURE INosCATOR ALAAM g RC 261 SV. SOLENOt0 OPERATED VALVE CV- CONTROL VALVE ten TO

'h'

^

Rf ACTOR COOLANT RC ICV DRAIN TANK Fig. B2. Quench tank piping and instrumentation diagram.

32 including system heat loss and minor inventory losses. The pressurizer is equipped with electric heaters and automatic spray for either producing steam or condensing steam to maintain set-point pressure.

Volume is maintained based on level indication in the pressurizer through variable makeup and letdown flow, provided to and from the RCS by the CVCS. In automatic mode, letdown and makeup are controlled by the pressurizer level regulating system.

The pressurizer is located at a higher elevation than the reactor coolant piping, so that during contraction of reactor coolant, the pressurizer will drain before voiding in the rest of the RCS can occur.

Two power-operated relief valves (PORVs) and two spring-loaded safety valves connected to the top of the pressurizer are used to provide protection from overpressure. The PORVs are set to open at 2385 psig and sized to be able to release sufficient pressurizer steam during abnormal operating occurrences to prevent opening of the reactor coolant system safety valves, which open at 2485 and 2550 psig respectively.

The PORVs are solenoid-operated, requiring both instrument air and de power to open. A motor-actuated isolation valve is provided upstream of each of the PORVs to permit isolating the valve for maintenance or in case of f ailure of the valve to close on demand. The spring-loaded safety valves are totally enclosed and are back pressure compensated.

The safety valves are sized to pass sufficient pressurizer steam to limit the primary system pressure to 110% of design (2750 psia) following a complete loss of turbine load without simultaneous reactor trip while operating at 2700 MW(t) even without PORV operation. Since these valves are safety relief valves, there are no isolation valves downstream. Thus in the case of a mechanically failed open safety valve, the break in the system could not be isolated.

Steam discharged from the PORVs and safety valves is cooled and condensed by water in the quench tank. The quench tank is located at a level lower than the pressurizer to er.sure that leakage by the valves always flows out of rather than into the pressurizer. The quench tank is maintained with demineralized water. The tank is equipped with temperature, pressure, and level alarms, a rupture disk, and manual fill and drain valves. At 35 psig the quench tank relieves to the waste gas system. At 100 psig, the rupture disk will relieve the tank contents to contai nment . The tank may also be vented to containment by opening RC-402-SV.

Continuous RCS makeup and letdown flow are provided by the CVCS to maintain reactor coolant chemistry within design limits. Letdown is bled off upstream of a reactor coolant pump on one loop, and makeup is provided by the CVCS charging pumps downstream of a reactor coolant pump on the other loop.

33 The reactor coolant pumps (RCPs) are vertical, single-suction, centrifugal-type pumps (one pump on each cold leg). Their design flow is 81,200 gpm each. At 95% of full flow, a low reactor coolant flow reactor trip is initiated. The status of the RCPs is very important during overcooling transients. The RCPs add some heat to the system when operating, but also assure adequate mixing and circulation through the warmer core region. Present Calvert Cliffs procedures, however, require that the RCPs be tripped following safety injection actuation signal due to low pressure.

Component cooling water cools the RCP thermal barrier and integral heat exchanger, which cools the shaft seal assembly. The motors are air cooled. A controlled bleedoff flow through the seals is maintained to cool the seals and equalize the pressure drop across each seal. The bleedoff, amounting to about 1 gpm per pump, is collected and processed.

On a containment isolation signal, component cooling water to the RCPs is isolated.

The pressurizer, the primary means by which reactor coolant system pressure and coolant volume are maintained, operates at RCS pressure (2250 psia) and saturation temperature (653'F). At full-load nominal conditions, slightly more than one-half of the pressurizer volume is occupied by saturated water. The remaining volume is filled with saturated steam. The steam and water sections are in thermal-equilibrium at the saturation temperature corresponding to RCS pressure.

Thermal equilibrium is maintained as long as both phases exist. The pressurizer sprays and heaters maintain set-point pressure by either condensing part of the steam (for pressure reduction) or vaporizing part of the water (for pressure increase).

Pressurizer spray water is supplied from both cold legs on the loop containing the pressurizer during normal operation. The water is taken out of the cold legs downstream of the reactor coolant pumps, just prior to entering the reactor vessel (the coolest point) and delivered to the pressurizer spray lines. The automatic spray-control valves in parallel regulate the amount of spray as a function of pressurizer pressure. A small continuous flow of 1.5 gpm is maintained through the spray lines at all time to keep the spray lines and the surge line warm, reducing thermal shock during plant transients. If the reactor coolant pumps are shut down (as will be the case following several transients), the auxiliary spray lines must be used. Water is supplied through the auxiliary spray line by realigning the charging pump discharge from the CVCS.

The pressurizer heaters are single-unit, direct-immersion heaters, 7 ft long, which protrude vertically into the pressurizer through sleeves welded in the lower head. Approximately 20% of the heaters are connected to proportional controllers, which adjust the heat input as required to account for steady state heat losses in the pressurizer.

I

34 The remaining heaters, or backup heaters, normally are turned off but are turned on by a low pressurizer pressure signal or high pressurizer level. A low-low pressurizer level signal deenergizes all heaters to prevent heater burnout. The amount of water required to cover the heaters is 266 ft". .

The 96 backup heaters can provide 1200 kW collectively on demand for increased pressure. The maximum spray capacity is 375 gpm, which at a cold leg temperature of 548'F can offset the heat input from the pressurizer backup heaters by almost 4600 kW. Auxiliary spray flow is even colder (395'F) but is limited to 132 gpm, the maximum output of all j three charging pumps. The heaters can be operated in manual or in l

automatic mode. In automatic mode, the heaters are controlled by the l

pressure regulating system and the pressurizer level regulating system.

Pressurizer spray is controlled by the reactor coolant pressure regulating system.

! The RCS is also provided with four solenoid-operated vent valves for removal of accumulated non-condensible gas. The reactor vessel and the pressurizer each have two of these valves in series that can be opened manually from the control room and fail shut. The two vent lines join and empty to the quench tank, where gases can be vented to containment i via the quench tank solenoid valve RC-402-SV.

B.2 CHEMICAL AND VOLUME CONTROL SYSTEM l

The CVCS is designed to adjust the volume of water in the RCS and to control the chemistry of the water in the RCS by means of chemical addition, removal, and monitoring. The system also injects high head

concentrated boric aid into the RCS on a safety injection actuation signal (SIAS). The RCS volume control function compensates for coolant ,

i contraction and expansion resulting from changes in reactor coolant temperature and power changes, and for other coolant losses or additions.

During normal operation, the chemistry control function maintains

! reactor coolant activity by removing corrosion and fission products, injects chemicals to minimize corrosion, controls the reactor coolant boric acid concentration, and provides continuous on-line measurement of

! reactor coolant boron concentration and fission product activity. The description provided here is based on refs. 2 and 3 l The CVCS is shown in Figs. B3 and B4. Reactor coolant normally flows

! through the CVCS from one reactor coolant cold leg. The coolant la j monitored, purified, chemically adjusted, and then returned to the RCS via the charging pumps. The CVCS can be divided into the following subsystems: reactor coolant letdown, purification, volume control, makeup, chemical addition, and charging. The amount of reactor coolant let down from the RCS and returned by the charging pumps to achieve RCS l volume control is based on a signal from the pressurizer level' l

35 m

- m,

.;_g, o r' \"Y

[

@@\r m.. . i m

--m

@i r..

m.

g W

m . = = u ~. . . .

, 2, mT,2, &, 2, u

-.m

.= = .

5,;

E9- - . . .. .w

.-~-a. F-,

M.

',, - .= f-O<

) =~ ~ a.

~~:.' t_

.c.><~H

= H.>o. -

_,  : .--.,- a .

l__

_]

m..

V- A.. .

v JL rh r% .9, W . ,.,

1. <: w O.._1_ L J ..o. .. _

O.. m.

W '."

r- @

-~~.. .

m e ,.,r-

.. . m ..

1 I -

m

,_ _ F_ _ _, [ L_-  %

.. N -} }

S AWtll -:>o.. - @.--O I .- '

9 - }-.,

' ~ ~

m....... ,r..=,3,,3,- ,

. .. O I T

o l ,.y -g

---e ~ ~ ~ .y.

1. - - - f v =::', i a

.,.,,, _1 ..- m F)(->d l M.,,.., c.@...

m. ,;n .

Q,,, s l

'" h 7

.w a t. .w s "'C O- - -.

6 ~ " - ,

i i

9 :_. .,

o

_ g

~ ~ . ,

i

.. . ---n

...'m.,>< -

-C  ::

?4 l L_lH><Fe..Q--O-m _ _

m ..

I ~~

1. ... . ~

,,,,.T m .. ,

6 ...& -

~ ~ ~ '

a

_ L_& m..

l i  %

m

-C>4.

><: - g i m m.-PQ- . _ _

.C j . . . . . . . .

..; .... l 2. v v m n v-n.

__l_g- .<.

I N.

= == ma -O-_

Sv M

/

.;,'; :- "O.

h... ... h 5 ...... l l .

Fig. B3 Piping diagram

86

=.

n Y

O aw ..1r .

JL ~

Y ..

6 L ..

'~

.. ..1r sw ..1r JL JL d d l

<w . 1r c.e . 1r <w m 1 n JL

<=... cw ... ,.c...

-- - T I

c.c m cw II .cc IIm IIcw Yew .,,

JL JL" JL' " JL'" JL' " &

Th [h [N

/ t / i f i Qg1

..<, a. . ..c a.

.. ..m.. ..

) '

Ch

_ ..Ir

_I _ . .

1rm ,. 1r.. .

^

9 F.w .. WV1 1rc w ..

v cw..

A erture Card JL n ..

1 . . . . <

._ .. i t.

e E x .. r x E

r= .c sw ..

T T s, s, .ci.c ., e.u .4 l

m r oc ... c w .. . cw ..9f , , , . . . . . .

' .es.ste. 9 .g.u...T.

p .s.

' A

.~. i >4O '

• 4 9.

a,....

9.e . 9,s.. .t.e.t.t I'* .T u .. ett..

• .. .L...9 L .t.I. .eC.

.,, - J, O . . . . . . . . . . -

3 ..

y; y4 w w....

l - ..w..t-

.. D ..T. .eu.C98 T.,

.p., .. Se e.d.C te.In .C 9gs.te .e e

- .. e rr y es, ..C. e. . .*. C '.'s . ' ' L . t .s a

s. s. ... . .c r..

.s t. . es... . . . a C t g .v.s..

.c.. .. .c to. C ... ...e

c. a......

ew .w.......

.c . ..w...........

. .w....

1

. u ..

REF: OM 73. Rev.13 and DCNs (BG&E Dwg. No. 60-730-El if charging and letdown system.

.e{c {3 s

"66 ag

-r

% { *g iij i

i i il i liiiiil i a u

@e s I di i.lliini;ll1i!jiI111111;ll

' illllliti i

• liil.lil s, ., _

i

=

~ s

' c It g:o >

ti:i........iiiii.. x

9

! 1 oXj i  !

au sq e'

• m i

--6;'

ex 'g it T il s"  %

g l

ii []i . , i i ,i x x

! < iTr n,, ;p'sli, 1_.' ij q

il I Me/  % H

. ,, >4<1M

• l h:

i Qo

% lII'!g M l

ii d E->- / i i

X -

I , , N il l 5----

I'(p-11eb[iliff k I

rT-s.I i i.

f,i ii x

x x

l l I! 1!! x " h,  : i-  : i

, - x x  %, x 1" l

it - +Xl " +i - 7 '

J' si I

=

I 8 >4= -- -6 >

!  !\ I8 [ _

1 ,,

g l -

.l. I I

, -cbO d<: x x x x 5 l,l ,- @il - - e  :- -- _d=- i E

e

=

i _

- t li _ i ,

t L , 11; 5

6llXi l i ,

II gr*- - -

XiIt X

8 Iigl 3 8 laAt l

y, E

e

,Y ,l I . , , ng g2 '

lg. 'I ll ,

I' if. ii' ~ =

y -r+

i

. b, 4.s'fi 4 v.

, irq = "' : : 4 x e a 2 y .  :

M' x; y .

I x -cA:

jjl.l 7. T i. ilv 1 -

1 Mi -x i

n if v vir

11' Tn.ji g Q l =@

i 1

Il

37 regulating system. The pressurizer level set point is programmed to vary linearly with the average reactor coolant temperature. The progranmed level set point is maintained in the pressurizer by operation of the CVCS charging pumps and letdown control valves.

RCS letdown from the RCS cold leg passes first through two letdown stop valves in series, the tube side of a regenerative heat exchanger where temperature is reduced from 548'F to approximately 260*F, an excess flow check valve, and then through one of two letdown control valves. The position of the operating letdown control valve (one is in standby) is controlled by the pressurizer level regulating system. The maximum letdown flow rate through each valve is 128 gpm and the minimum is 29 gpm. Next the letdown passes through the letdown heat exchanger, where the temperature is reduced to 120 F, and then through the letdown backpressure regulating valves, which prevent flashing of the hot coolant to steam downstream of the letdown control valves. Backpressure is maintained at 460 psig at the heat exchanger outlet, which maintains liquid instead of steam in the heat exchanger.

The excess flow check valve is installed to minimize the consequences of a CVCS letdown line rupture. The valve is designed to shut at 210 20 gpm, thus limiting the loss of coolant from a downstream pipe rupture (190 to 210 gpm). Letdown is cooled by the cooler charging flow in tne regenerative heat exchanger and by component cooling water in the letdown heat exchanger.

The letdown flow next passes through either of two purification filters before it enters the ion exchanger section (purification) of the system.

A small amount of the flow bypasses the filters and passes through the boronometer and radiation monitor to measure RCS boron concentration and fission product activity. A temperature control valve upstream of the monitors will isolate to protect the monitors on high letdown heat exchanger outlet temperature (above 145'F). The same temperature indicating controller (TIC-224) will automatically divert high temperature letdown flow from the purification section to the volume control tank (VCT) to protect the ion exchangers from heat damage. Flow is diverted at a 3-way valve, which normally passes letdown flow to the ion exchangers for purification. This valve fails closed to the ion exchangers on loss of instrument air.

l The purification subsystem consists of three ion exchangers that can be l aligned for series or parallel operation, a downstream strainer, and l other support equipment for periodic loading and flushing of resins.

Normally, one ion exchanger is in service for purification and the other ion exchangers are placed in service as required for additional purification, coolant deboration, or RCS pH control. High pressure drop across the strainer is measured and alarmed at 20 paid (by PDIS-203).

l J'

38 The letdown flow frvm the ion exchangers and strainer normally passes through a 3-way, air-operated inlet valve (CVC-500-CV) to the VCT. In automatic mode, the valve directs letdown to the liquid waste processing system if a high level exists in the VCT. This valve fails open to the VCT on loss of air.

Letdown flow entering the VCT enters through a spray nozzle inlet to promote mixture of the reactor coolant with hydrogen in the VCT. A hydrogen blanket of <50 psig is normally maintained in the tank to scavenge oxygen from the coolant and makeup water. The VCT also collects the small offstream from RCP seal leakage. The two valves in series on the RCP seal return fail closed on loss of air.

Degasification of combustible and radioactive gases from the reactor coolant is accomplished during maintenance by venting the VCT and purging it with nitrogen. The tank is alarmed for high pressure, which alerts the operator to open the tank vent valve; but the tank relieves automatically only via a relief valve off the normal tank outlet (CVC-115-RV).

Level in the VCT is instrumented to ensure flow supply to the charging pumps. Makeup is normally supplied automatically to the VCT as required to maintain the VCT level within a predefined control band. On low-low level in the tank, the tank outlet valve automatically closes and the makeup valve from the refueling water storage tank (RWT) automatically opens to supply suction flow to the charging pumps. Three level controllers act off the same level transmitter in the VCT (LT-226). One provides normal makeup to the VCT as required (LIC-226), another closes the VCT outlet valve and opens the RWT makeup valve on low-low level (LC-227B), and the third diverts letdown to the waste processing system on high level in the VCT (LC-227 A) . The valves associated with these controllers also can be operated manually rather than in automatic modes.

The VCT is sized to contain enough makeup to maintain pressurizer level (compensate for reactor coolant shrinkage) during a power decrease from full power to zero power).

The charging pumps take suction from the VCT and deliver reactor coolant makeup to the RCS. There are three charging pumps in parallel, with at least one operating and the other two started on demand from the pressurizer level regulating system (on low level in the pressurizer).

The pumps are positive-displacement plunger pumps designed to provide a nominal 44 gpm at 2735 psig discharge pressure. The maximum charging flow rate with all three pumps in operation is 132 spm.

Charging flow passes through the shell side of the regenerative heat exchanger, which transfers heat from the letdown flow to preheat the charging flow from 120*F to approximately 395'F. Charging flow enters the RCS through two reactor coolant loops (11 A and 12B) and is also supplied to the pressurizer auxiliary spray during long-term core cooling.

l 1

39 Reactor coolant makeup is normally supplied to the VCT .from the concentrated boric acid storage tanks and the demineralized water storage tank. If normal makeup is not available on demand, borated makeup from the RWT is automatically available to the suction of the charging pumps as discussed above. Normally, the boric acid and water supply are mixed upstream of the makeup stop valve (CVC-512-CV) before l

entering the VCT. The CVCS makeup system also provides the borated water for the RWT on a periodic basis. On a SIAS, concentrated boric acid is supplied directly from the boric acid storage tanks to the charging pump suction header.

The makeup equipment includes two concentrated boric acid storage tanks which feed two boric acid pumps (one in standby), the boric acid batching tank, two reactor coolant makeup pumps for demineralized water j supply (one in standby), and associated valves and control. Makeup to the VCT can be operated in any one of four modes: (1) automatic, (2) dilute, (3) borate, and (4) manual. The boric acid concentration in the makeup is set from the makeup flow control unit, which positions control valves on the water and boric acid supply lines. A mode selector switch on the makeup flow control unit determines the makeup operating mode.

The automatic mode is the normal operating mode, with boric acid concentration preset on the flow control unit. When makeup is initiated by a low level in the VCT, one boric acid pump and one reactor coolant ]

4 makeup pump start, the makeup stop valve (CVC-512-CV) opens, and a blend of makeup is delivered to the VCT. When VCT level is restored to normal, the pumps stop and CVC-512-CV closes.

i The borate mode is used to increase the boric acid concentration in the

. VCT, RWT, or RCS. In this mode, the makeup consists of boric acid and the water supply is shut off. To operate in the borate mode, the desired amount of boric acid addition is set on the control unit, the makeup stop valve (CVC-512-CV) is opened, and the boric acid flow control is set in auto. The amount added is determined by a timer and the flow rate set for the boric acid flow control valve. Switching the mode selector to " borate" starts the boric acid pump and opens the boric acid control valve for the preset time period.

Similarly, the dilute mode is used to decrease the boric acid concentration of makeup to the RCS. In this mode makeup consists of j water only and the boric acid supply is shut off. Again, the addition rate and quantity is set, the makeup stop valve (CVC-512-CV) is opened, and the water flow controller is set in " auto." Then, switching the mode selector switch to " dilute" starts one RC makeup pump and opens the water control valve for the preset time period.

The manual mode is similar to the auto mode, supplying a preset blend of water and boric acid to the VCT. In the manual mode, the operator opens 1

, _ _ , _ - _ . , , - , , _ .--s. .- ,-+ e "+m* - P-"- T- ' -- ' --

40 the makeup stop valve (CVC-512-CV), starts the boric acid and RC makeup pumps, and runs the pumps for whatever period of time is required--

usually based on the level in the VCT. The two control valves (water and boric acid) and the makeup stop valve fail closed on loss of air.

Concentrated boric acid (7.25 wt%) is made up periodically in the boric acid batching tank and added into the boric acid storage tanks. The batching tank capacity is 500 gal, and the storage tank capacities are 9500 gal each. Boric acid also can be supplied to the storage tanks from the reactor coolant waste evaporator. The tanks and all piping that pass boric acid are heated or heat traced to maintain the contents at about 150 to 160*F.

One of two centrifugal boric acid pumps normally supplies the concentrated boric acid to the VCT makeup stream with a recirculating line back to the storage tank. The 143-gpm maximum discharge flow is limited to 30 gpm maximum at the boric acid makeup flow control valve.

The discharge from each boric acid pump is also piped to a common header that can supply boric acid directly to the charging pump suction on a SIAS or during emergency boration. A redundant path for boric acid supply to the charging pump suction header on SIAS that bypasses the pumps is also provided directly from each boric acid storage tank via normally closed gravity feed valves. On a SIAS both bcric acid pumps are automatically started, the gravity valves open, the boric acid pump discharge is switched from the VCT makeup to the charging pump suction, the boric acid storage tank recirculating valves and the VCT outlet are j

closed, and all three charging pumps are started. Seal return to the VCT is also isolated. The emergency boration procedure utilizes this same alignment but requires control room operator action to set it up.

The two RC makeup pumps, which supply the demineralized water to the makeup stream, are also centrifugal pumps with one in standby. These have a maximum capacity of 160 gpm. When a RC makeup pump is energized for " auto" and " manual" makeup, typically the chemical addition metering pump is also started if it is in its normal auto setting.

Normally, chemical addition is a slow, controlled addition at 0.5 to 20 gph from a 100-gal chemical supply tank to the charging pump suction header via the chemical addition metering pump. An alternate path from the metering pump to the RC makeup pump discharge is also provided. For f aster chemical addition to the RCS, a small 5 gal chemical addition tank is loaded and flushed to the RCS. This procedure involves aligning the RC makeup pump discharge to the tank and flushing the chemicals through a straincr to the charging pump suction.

In summary the CVCS provides RCS purification and chemical adjustment capability, in the form of monitoring, chemical addition, removal, and hydrogen addition; RCS volume control (letdown, charging, and borated

41 water makeup); boric acid concentration control (boration, dilution, and monitoring); concentrated, high pressure boric acid injection on SIAS;

! and other miscellaneous functions not described in detail here, but I

including RCS degasification, RCP seal bleedoff, auxiliary pressurizer spray; transfer of fluids to the radioactive waste processing system;

! and a means for leak testing the RCS and selected SI components.

t B.3 PRESSURIZER LEVEL REGULATING SYSTEM The pressurizer level regulating system provides automatic control of the pressurizer level through analog control of the letdown control valve position, start /stop control of the backup charging pumps, and partial on/off control of the pressurizer heaters. There are two letdown control valves in parallel on the letdown line, each of which can pass a maximum of 128 gpm and a minimum of 29 gpm of letdown flow.

) Under normal operating conditions, one valve is in operation while the other is in closed standby. One of three charging pumps normally operates, delivering 44 gpm of makeup to the RCS. On/off control of the backup charging pumps actuates an additional 44 gpm per pump for a maximum flow of 132 gpm. Charging flow is not throttled but is run back i on high pressurizer level by tripping the backup charging pumps. One charging pump continues to operate even on high level unless manually tripped. With all three pumps operating, charging flow supplied to the primary system can develop a high enough pressure to lif t the pressurizer PORVs (2385 psig). The pressurizer level regulating system also has dominant control over the pressurizer heaters to turn all 1 heaters full on high pressurizer level and to turn all heaters off on low-low pressurizer level.

Pressurizer level control signals are generated in two separate and

, fully redundant regulating systems powered separately by vital instrument buses 1YO1 and 1YO2. These systems have separate pressurizer level analog input signals and share the pressurizer level set-point

( signal developed in the reactor regulating system. The output signals to the operating letdown control valve and to the relays used to control

, the charging pumps and pressurizer heaters operate from non-vital instrument power (ac Bus 1Y10) and are not redundant.

Failure of vital instrument power to the selected pressurizer level regulating system will produce a zero current demand signal to the letdown control valve and to the backup charging pump control bistables.

The letdown valve will close and bistable outputs will de-energize all

, pressurizer heaters and start the backup charging pumps. These failures can be corrected by manually selecting the alternate pressurizer level regulating afstem.

Loss of non-vital instrument bus 1Y10 will also provide a zero current demand to close the letdown control valve and de-energize the control relays to de-energize all pressurizer heaters and start the backup 1

~ - - - - - - - ---

r 42 charging pumps. The charging pumps, letdown valve, and heaters can be operated in the manual mode through hand ' stations. A functional block diagram of the pressurizer level regulating system is shown in Fig. B5.

Supplemental details of charging pump motor control are shown in Fig. B6.

B.4 REACTOR COOLANT REGULATING SYSTEM The reactor coolant pressure regulating system controls reactor coolant pressure through automatic control inputs to the pressurizer heaters (1500 kW total capacity) and the pressurizer spray flow control valve (375 gpm maximum flow). A small continuous flow (1.5 gpm) is maintained through the spray lines at all times to keep the spray lines and the purge line warm, reducing thermal shock during plant transients.

Reactor coolant pressure is compared to a set-point value (2250 psia),

and the error signal provides proportional control of the spray valve position, proportional heater element power, and on/off control of the backup pressurizer heaters. Approximately 20% of the heaters are connected to the proportional controllers, which provide heat input to replace steady state heat losses based on the desired reactor coolant pressure . The remaining backup heaters normally are off but are turned on by a low reactor coolant pressure signal at 2200 psia or high pressurizer level error signal through a bistable controller output.

A high pressurizer pressure signal opens the pressurizer spray valves on a proportional basis, thereby reducing pressure. A low pressurizer pressure signal functions to energize heaters on a proportional or group basis to increase pressure. A high pressurizer level energizes the backup heaters in anticipation of a low-pressure . transient; a low pressurizer water level de-energizes all heaters for heater protection.

Two separate and redundant reactor coolant pressure regulating systems are used to develop the pressure control signals. These systems are powered from separate vital instrument buses (1Y01 or 1Y02), and either system can be selected for reactor coolant pressure control through a manual selector switch. Manual control of the heaters and spray may be selected at any time. The pressurizer spray valve control signal and the pressurizer heater demand signal are further processed by modules and relays powered from instrument power on bus 1YO9. Pressurizer heater ac power is obtained through 480-V motor control centers (MCCs 109 PH, 110 PH, 111 PH, and 112 PH). Control modules for the proportional heaters are powered by 480-V Bus 14A.

Each redundant reactor coolant pressure regulating system includes a pressure transmitter, bistable modules to provide independent high and low pressure alarms (2350 and 2100 psia, respectively), a module for control of the proportional heaters, and a control module for on/off control of the backup heaters. Nonredundant components process the

l.

g Y

A LS EP R M EU 2P l

GT RR EA NT ES-EO DT X

3E 6 C 3

NL hX 3H 1

WOERV 6 C T L L MNA EOV 2 S S E

E V

LC Xt R R L 3H OE E m 6 C T T TEI a A ANH r E SEON Y

g t

AH L A

LLU HTO i a

Xt LL ELB P d 3H AE RA M 6 C V LU k

~ E E Z EELP Z2A c p

l L l 1 GGP G o 0 t t o

S P

I GR O L RRO NI l b

3 ri smw uu t n E EETG YM ora e e neP mMU f O

NO E L NNS R l L l tno og EEDA a i

inse r

s rag nN d S EN EONH n ro a i peG H DO DTAC o o c tea n e to a R i snu oC e H t s C

• c s

u;g n

; 7 sg f" ,, u

' f m

e H aE u . " g 3

, . t s

1 sE *g y 0"'A 1'

s C g L n i

t R a

,E l 0

1 fL 1LE W0 u g

1 A I 1 LE 2 L O Y1 e CH t

0B 0B P1 r H 1 A 1 A , C 1

T 1 T

, A l

_' CS CS e L tB LI B v e

l l 8 r

e 0 z i

f',,,,1 ', e e tI g 'i kl8 ' i 1

1. p e ile r t

I~

' ' g*

D s y ilS -

u H s J ,M o

t o

J' s e

r P

__ ~

oun 1 - [I ~ t

o. [yL H p t ea I t n.

u. H f

o ts R

E Y

0 nta L V {TE L Y

0 f I_ a. V 0

{[

E f 2 OO YY 5

8 X L 1 H 0 {.

1 X 1, L L 11 l

f HL S 1 C X B E 0L L

- X B RR Yl 1 O A 1 C

X C 0 TA g I

0 A L

L 1 R t 01 1 + A T L oLO B ( 1 EE WW i CT L, S t A# 1S I N L A l AB I

1OT CLS CB I

OO PP F

i L" O gg  ! I'

[ C I_ _

LO L

L I

B

LI H XY EO VPM TS LINRR

-)

OE V 0

R Z

I R

U SL E

L TO t I SE ER X EV Sf T 0 1

RE L 1 PL T

L

u

!c ,_ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _;

f, f, I i I 1 3 "n m Ie 1a$ I

$5 1d 2 "f" l

'd

~1 g

l!

II 5 s i

l i -

i1i l-ig. s 8

a ),

i I

5 -

._ J % -

t g - [

5 i >1 Jg - en ,, o 2 t.

is

• ~

,'r

,# l'~ a- 38 I

i 3

s ab -i' =g  !

I 5 I

.---i; :e 1 sz I i

=

t o

1. 2

i. l I s;

j 86 l_ _"_ _ _ _ _ _ _ _ _._ _ _ _ _1

! 8 i-%- 1 5 ci .

3 S 8i i s  %

f -! $c 1 e g

a 8 na M & # g r I:*

8 G

I

"" == a e

" A wh $

I.I. E L gC8 LL ATCOINVd *0A ggt ,, 2 m: = 33 2C 3 44 O f  ::- 55

o n

2 a is s 8: 13

% cc i _ --

     -                                            v 4        f i
           -II (N;

• 3ld h

                                                                                                            !n!-

a-.ss.-> : s .

e.

                                                                                         .**:                a3
                                                                                                             -~

l l l - 0 t ,,lo {a - 3  :: O fI

                                                        <q -

f

 \                                                                                                     ________ -

45 heater and spray control signals through relays for on/off control of backup and proportional heaters, and through control modules for proportional control of spray valve position and proportional heater elements. A functional block diagram of the system is shown in Fig. B7. The pressurizer heater controls include relays in the pressurizer level regulating system and in the pressure regulating system. The pressurizer level relays act to turn all heaters full on at high pressurizer level and to de-energize all heaters on low-low pressurizer level (101 in.). These relays have dominant control over the pressurizer heaters and are powered by pressurizer level regulating system power suppif es. Backup heater control details are shown in Fig. B8. While not formally a part of the reactor coolant pressure regulating system, the pressurizer relief valve contributes to reactor coolant pressure control under certain conditions. A two-out-of-four logic indicating high reactor coolant pressure from the reactor protection system will open the two pressurizer relief valves when the reactor coolant pressure exceeds 2385 psig. Loss of vital instrument power to the selected reactor coolant pressure regulating system will produce a zero current demand signal to the pressurizer spray valves (the valves will close) and to the heaters (the heaters will energize, unless control is intercepted by the pressurizer level regulating system relays). The pressurizer spray valve and backup heaters can be controlled manually through non-vital instrument power. Loss of non-vital instrument bus 1YO9 will produce a zero current demand signal to the spray valve I/P (the valves will close) and fail the backup heater control relay in the "off" position. B.5 REACTOR REGULATING SYSTEM The purpose of the reactor regulating system (RRS) is to sense the operating condition of the reactor and prcvide the following information and/or control signals: ' pressurizer level regulating system programmed level set point, analog output signal for atmospheric steam dump and turbine bypass valve control, total error (power error plus temperature error) signal to provide an l l

l ,l g L IS A R NN E E O l M l a E i E RV R L UL OE SA P R SV O E E Y R I R A P A P H OE OP T$ TH l l l m a r g a i d A L L 4 R 4 AR AR 4 3 k E $ NE NE s c ot s u Ott Ot t t u o l l o iO s om0VI B t 0 f RR RR b gI c OT OT { ce pN V e i PN PN v l O 0 OO OO 0 a C 8 RC RC e n 4 P P 4 o i t c L n A Lc1 s 1 a L ts1 u X 3 0u 1 S xi ow S2 f 4 15U 1

                                                                                                    $ t 5u                 m C2B 1                                                                      C52e                e L                                                                          L                  t s

y s g N n i H O t Ao $L a RE l Xt E V u T EA 31 8CL A L'Y g EI e HH5 8 r l N R A e U r T s u e s

                                                                                                  , ci                     s e                     e r

p

               ~                                                                                               ~

0 ~ t 4 0 ~ n t H OM 0 1 l l y#T 18II ~ l a R S 8 AA o l l H o HtA c jI- - r

                             ~                     Y                                                                      t o

Y 0 Y rrL - C c 0 0 0 01 4 01 R A t 2 oO a A

                         =E   L                    C     g C

E V E YY R e P 0B 0 S P g P

                                                                                      = L 0L l B 1    A                           ,

0O RH T 1 EE AS R PI S g l C,T N WW OO T rl

: PP B m' O C xV .

g O i F

T N A Y 0 0 C 1 A r X E P 0 D 01 T P Il l I llIl i

il! l! i lll s i A ol X I I - S C 9) L 0 Y I ( E 0 R 0) 0 U Y 1 3 N S I O S ( 4 E L . 0 S R E a L R P V s a t 00 E E Rll E0 l Ce 5 8 T A O W 8 1 OE TI r g f_ I 1 3 E ll L 8 8 AA Rk a A N N Et l i P O O P P d U I X M S R S R Ou k 2 Cl o E E Rk c 4 A l T T OC o BY A A FA l S (l E L E H E H 4 lB CF b 2 E l S S TO l C GV E E I WL a W RE 2 2 S O n IM E L G 1 l G H o I I NO M R DI i I EL E E NN t EO N N AO c DL E E l tC n u f 3 L 0 l 0 0 0 o A 0 1 ll X 1 r 8 X 3C 3C Cl S H t 0 8L 4P I n 9 o 01 c 2 4 r e 1 t a e h p u k c a B 3 . 0 8 0 05 B 2 . 4 g

                   *~

IP S) uR K S i F d M E I N CA A Ell A 8le 4 6

          ' A8gg l) l l(li i            p PPp Ot y S i g Il g

48 automatic control capability for the regulating groups of control element assemblies (CEAs)," and automatic withdrawal prohibit signal and total error high and low alarms .

• The RRS is lef t with only two functions, and in that capacity it serves only to provide signal interfaces between other systems. As now utilized, the general system description is as follows:

The RRS, shown in FSAR Fig. 7-11 (Fig. B9) provides control signals which are used to generate a steam dump program and a pressurizer level set point program. The RRS is used to provide a signal for pressurizer level set point, steam dump demand, and steam dump quick opening. The operator has the ability to select between redundant systems x or y with a selector switch. Each system is separate and independent of the other. The system f unctions to give controlling signals as input parameters change. With a change in power level (e.g. , an increase), first-stage turbine pressure will follow (i.e., increase) linearly with load. In each channel a temperature programmer establishes the desired reactor coolant average temperature (Trer) based on a power signal from first-stage turbine pressure. This Trer signal is summed with the Tavg signal to provide a signal which represents the error between the actual temperature and the programmed temperature (Et ). If the deviation between Tavg and Trer should become too high, an alarm will be annunciated. The Tavg signal is used to provide a programmed level set point for the pressurizer. Tpe operating level of the pressurizer is programmed to increase with an increase in Tavg. This is done to accommodate plant load changes by minimizing changes in reactor coolant system volume during transients. This Tavg signal is also used to provide an analog output for steam dump demand and quick-opening at the time of turbine trip. As Tavg increases, the signal to the steam dump control valve increases. This signal is proportional to the quantity (Tavg minus 532*F). Should reactor power as determined by Tavg be in excess of a predetermined power level prior to a turbine trip, the steam dump quick-opening override bistable will cause quick opening of the steam dump and bypass valves at the time of the trip.

        "The automatic CEA control feature has been disabled at Calvert Cliffs to alleviate regulatory concerns about inadvertent CEA motion and to minimize local power changes in the fuel. The abandonment of the designed function of the RRS as a nominal means of control of the reactor under load through automatic positioning of the CEAs has reduced its safety implications substantially.

MD M L AN A E EA E V TM T N E S E SEP L CD I CO R RA I E M M EE R KE Z R HR ECV I T

                                                               . A                R HI USI             RN                                 A PA                    P                  UI
                                                                . L A                 L S

OP S OS SO A OPMI S P T_H MM MMR ET , G W T U TUE RE I O AD ADP PS H L H LC

                                                    -                                                  ET
                                                    -                                                  NI N W I

rv;g lI l ll l

                                            #e4 igg li
                                                             <C  f lt

( jD g 1II HT AS p p p P CCE SL RE RS

        ;                                  cJ              g>                  pJ O

Y m - 1 ( H a -

            )                                                     GLA                                        r 1

O Y I HN h WL a g 1 T NI G A i dOLNIGN ( I M OS d R ER E P F SO OS k M OR ER c OU LR M SO o TD CE R OR l EK e A LR b s L CE SOIC Te A LU mW m CQ T O e L t

                                                                                   /

l s y H Tl s g Y _ M n i E T X ,- t S Y M a E l S T l u G S g t* t s N I Y S u e T A G o0 r L U N I

                                         ~                                                                   r o

V T G A E L

                           '                                                                                t R          U                                                                                              c R          G                                                                                              a O          E          $               l                                     g*                            e T          R       $E                  e                                                                 R C          R A         O             -                                                    _

E R T . C 9 A B E R g i F 8 7 - 2 S

         %MT:              1 1

1 S 4Y1 O 2 1 S I H - l H -

                        ;1                                     = 1
                        ;                                      =

h T Op I E 1 E GE P p2) N A R O O t TU O Y 1 BSS S L ( RT E US TR I PR . F _

50 The steam dump program (from RRS) generates a suppressed range signal proportional to the quantity Tavg minus 532aF. Upon receipt of a turbine trip signal via the steam dump permissive relay, this signal is supplied to open the atmospheric steam dump valves and is an input to the turbine bypass auctioneering unit to simultaneously open the bypass valves. The position of the atmospheric steam dump and bypass valves is proportional to the signals supplied to them, thus providing a controlled relieving of thermal energy directly relative to the reactor power level. l The atmospheric steam dump valves will close proportionally as Tavg decreases and will close completely by 535'F. They will remain closed unless Tavg increases again to more than 539'F. B.5.1 Reactor Regulating System Major Components This section presents a general description of the RRS major components, signal paths and interrelationships, and interfaces. The purpose of this section is to provide the reader with a general understanding of the system's operation for FMEA purposes. Units 1 and 2 have nearly identical RRS. The following description is based on the Unit I system. Each reactor plant is provided with two independent RRSs. For Unit 1, one RRS provides channel X signals while the other RRS provides channel Y signals. Each RRS is housed in a separate cabinet. The four RRS cabinets are located in panels 1C31 and 1C32 in the control room. Each cabinet contains the four components of the RRS and a power range control channel. The four components of the RRS located within the cabinet are

  - reactor regulating system test panel,
  - reactor program unit calculator,
  + reactor control unit calculator, and
  . input / output interface panel.

The power range control channel is physically located within the RRS cabinet. It is however, functionally part of the nuclear instrumentation system (NIS). Two selector switches are provided for control of input and output RRS signals. Input signals, used by the RRS for output control function signal generation, pass through a function selector switch. An RRS channel selector switch selects which RRS channel (X or Y) provides system output control functions. B.S.2 Basic Signal Flow Paths and System Interfaces The basic signal flow paths and system interfaces for the RRS are described in the following paragraphs. I i i

51 The following signal inputs are utilized by each RRS:

                +

two hot leg and two cold leg temperature signals (from RCS instrumentation), turbine first stage pressure,

                +    pressurizer pressure, and
                +    power range neutron flux.

I Each RRS is supplied with two cold leg and two hot leg temperature signals from RCS instrumentation. The signals are in the form of 4- to 20 'A current signals representing 515 to 615'F. These signals are used t the RRS to compute coolant , i average temperature (Tavg). The generated Tavg signal is used within the RRS for various output signal calculations. Turbine power level is transmitted to the RRS in the form of a first-stage turbine pressure signal. This is a 4- to 20-mA current signal, which represents O to 125% power. The signal is used to compute a reference temperature (Trer) and a power error signal (reactor power minus turbine power)

originally designed for use in (no longer connected) CEA automatic

,               control.                 Pressurizer pressure level is transmitted to the RRS in the form of a 2- to 10-V signal representing a pressure of 1500 to 2500 psia.

This signal was designed for use as a stability compensation signal for CEA control. Reactor neutron flux level is transmitted to the RRS by the NIS power range control channel. The control channel transmits a 0 to 10-V signal representing 0 to 200% power. The signal was designed to be used by the RRS as a stability compensation signal for automatic j CEA control. The signal is also fed through the RRS input / output interface panel to a two-pen recorder. I The generated Tavg signal and the input first-stage turbine pressure, I reactor neutron flux, and pressurizer pressure signals pass though the

   ,             function selector switch. The three-position function selector switch i             allows testing of the RRS circuits with an internally generated adjustable calibration signal or an externally generated signal. The function selector switch is part of the RRS test panel, which interfaces I             with each subcomponent and subsystem in the RRS.                                          It is primarily used to test and calibrate the instrumentation in the RRS cabinet. However, it also performs various other functions including calculation of Tavg by the RRS test panel summing resistor network.

l The following is given as an "as-designed" description for understanding

    ;             the auto CEA function, which has been disabled.                                         RRS input signals are directed by the function selector switch to the reactor program unit calculator and the reactor control unit calculator. The program
   ]              calculator functions to produce the following signals:                                                                                  1
                   +                                                                                                                                      i i                   pressurizer level set point,

__--_- -- ~_-- _ - _ 4 52 l - steam dump valve positioning signal, t - Trer,and temperature error (Tavg minus Trer). The pressurizer level set point signal is transmitted to the pressurizer ! level controllers in the RCS instrumentation. The steam dump valve positioning signal is sent to the atmospheric steam dump valves and turbine bypass valves to dump steam to the atmosphere and the main condensers on turbine trip, thus removing heat from the primary system. A temperature signal which is proportional to steam demand (Tr er program) provides inputs to a Tavg and Trer dual-pen recorder and ! establishes a temperature set point for manual or automatic CEA control. l ! A Tavg - Trer error signal is calculated and provided to the control calculator to compute CEA motion signals. The error signal is also used to provide a Tavg - Trer high/ low alarm, an automatic CEA withdrawal prohibit alarm at control room panel 1C05, and an automatic l CEA withdrawal prohibit signal to the control element drive system

(CEDS). The control calculator computes CEA speed and direction i

signals. l The RRS-generated output signals pass through a two-position channel selector switch located on control room panel IC05 that selects which RRS will provide control functions. The switch also interlocks various RRS control functions if the selected RRS is inadvertently placed in j test and lights an RRS SELECTED lamp on the selected RRS panel. i j An input / output interface panel contains the terminal boards for j interconnections of internal and external RRS signals. Additionally, i the panel houses the current-to-current (I/I) converters and voltage-to-current (E/I) converters that provide current isolation and j output signal interface from the RRS to other systems. l B.6 CONDENSATE, MAIN FEEDWATER, AND STEAM GENERATOR SYSTEM The condensate and main feedwater system purifies, heats, and pumps the l condensate from the condenser hotwells to the two steam generators, completing the steam-feedwater cycle. The condensate and feedwater j system is shown on Calvert Cliffs FSAR Fig.10-4. Simplified schematics

of the Condensate and Feedwater System are shown in Figs. B10 through l B12.

f One condensate pump (8250 gpm) and one condensate booster pump (8540 gpm) are sufficient to provide adequate capacity and discharge l head during plant operation at 50% power or less. Above 50% power, two i condensate and two condensate booster pumps are necessary to meet condensate requirements. Although a third condensate and condensate booster pump are installed as spares, above 80% all three condensates _ , . - + , - --v s..e,-,,ew,,e,--y- n-e e -- v y-en--w - - -.-e,-- - -- -~ -,- -,-s n ,, ,,- .,--,,.c,- ---.,m ,-,r,v--,-,,-,,--,,--,,--,,,--e - --o,-----v---- - -- ~-- ,-

53 l r 3

                                          ?

I 3 o a.s8N , ! 5* a a E

              =

3a e 2-no10E

• I "* ,

m

                                                     *au         ::f 3: !

Sha e'4 es 1 s rs "

              %                  I"                  1                             :!                sie                                     J 0i Ir E            E      '1:31 E
                                                       *,! 'Tsa    35 h'g: b'=$                      biI ogu               . aE oai si                          se ou
              .- <                                                                 u                 o                              ,

e e: 8

                                              ,, e
                                              *I 8        m il      Il it     ((        ik                    [

w a [' l EI in r 3 Y *! k ji l:lI t n E l i ' {: c r r , # illv/ g I T  !!! e: A L o ,

• o m kk!'

:t f.

I.. -

g. ase <

h a w

                                                                                                                  3

• a b  :

1 r 11 N s . g 3 Re

                                                  #e t

4k\+ rT

                                                                                                                                       \

E "o Eo* 33 E. l( Sig ' 45 s 0 (( g. 0-Q: 88

                     "        ils                 Ig M*

6kWQu 5 5 8 m 8,I* +'+M l! ? g.

                                                                                                                       -n   ~

3 a y W .- s = 5 1-a O m

                                                            ** "                                                                             m EE ]          ,

e -e+ - 1, goeaj, si j3 C

                                                                 -                                             7%      a,e                  %c so 1    = =        2,
                                                                                                               -

• o ir

                                                                 .                                             el a, : e: 3                  o se                                             5 s =

8 =s' s:

8 r < T a

                        -t 3 jo g7         g         <+                           #es                             Ji   hL ,

il

• C a

                                                            -d           e                                                ,

D 8 .

                                \                                                (Il                         0!
                                                                               . _, L N5
                                                            --4>,-                                             tu                           -

4 A

                                            ._ a t e].

h nM $t e =

     .g4                                    .

g!.

                                                                                                < 5                                              i a%                                       '

h I, g Y v:n

      =                                   }~5:      8                                      - aga

e LSGENO

                                                                                                                    >4 WaLV8 NCAMaLLY SHVT CH3 Valvt NOAMaLLY Catm DadComimCLvaLv4 N CMECs waLys
                                                                                                                                         - amou     Steau cs%sanTC=

StowcDag mECQvtav P MGai$1CMamCIA LP pet 0waite m ainas g x , g h CONotNS.TE 1 80037E4 7 tas l l 12C [ 12 4 l l gg PU M ,

                                                                                                                                  }            33 I na l l       %

l na i l I vic l I

? :f  ::

TO  :: T 4i ComotmSSR TO SG7P N0.12 stab CONotab78eCOSTen. X 1 70 SCFP N0.11 Stat PUM8 mmPLow l y a peou scar ggalwaTgm _ Confect VaLvg 8003754 PUMPS Y l tia l *' vis l 'SC l LP 9ttawatER

                           /                                                    I ne l                   neaftas                     I     isa            1
                      <                   /

OmaWe coolies 00 37 tam Gtmanatos g g, g 'l g 9, g g g SLOW 00wn sotaf EEChamGt4 1

pecu No.12 setait4 , pecu go itpgarts 2 Pn0M CMewcaL a00sfiose SYSTEM m

FacM CQseotusaft

                                   "*'"##E "                                                                   f 4TSTEM                                                                TO $47F SUCTIO8e Fig. B11. Unit-1 condensate system simplified diagram (sheet 2).

*N m 55 ar4<       .- .. ~

i

                               ......s T
                                                 @@          .+ -C><}-        "* 7'f.T.'"*

p<: ( c

                                                                                   -             a
                                           /                                H          M   '+
                           ,             /                                         -
                             .            .W D<:
     . ..... ......, Q i ., ,.                                        -.

l 4 .... vm ,2 I I\ i99 *

                                                                                   ~

1 j uv so...es vaeve g

                                                                                              =

r Fig. B12. Main feedwater 1

                                                                                                                                  /
                               . .. . . g ,.
.-                          -#/

wh - , . . - - w........... 73.;;,,,, y ja *~a 1 x........... l

                         ,. W -~y   N                    j .
                                                                       ^
                                                                      .cTo.. . . ..
                                                                                                                                         \
        '"       .. ' -"4            .d..                  :::* . y...
 \                             G                         v            N        u. .

y '".".1L"l*" s...

         -t><:              =v}
                             .............                                                                                  .i.
                                                                                                               .g ,y stem simplified block diagram, fyl%RT CARD
                                                                                                         ,y.o Ayahble Os et itr.o.fCed l

l l l l f 84/o0304//- 03  ; L

56 and all three condensate booster pumps are operated. The condensate pumps draw condensate from the condenser hotwell and pump it through the steam seal exhaust condenser, precoat filters, demineralizers, drain coolers, and low pressure feedwater heaters to the condensate booster pumps. Part of the condensate pump discharge flow is diverted for seal water to the condensate pumps and SG feed pumps and for cooling water to the steam generator blowdown heat exchangers. Makeup water may also be supplied from the pump header to the component cooling water system and the service water system. Chemicals including ammonia and hydrazine are added by the chemical addition system to the pump header upstream of the drain coolers to control pH and reduce oxygen concentration. Condensate is used as a cooling medium in the drain coolers to prevent flashing of the drain water to steam. Three drain coolers are configured in parallel, providing a single stage of drain cooling. Six low-pressure feedwater heaters, upstream of the condensate booster pumps, are configured with three heaters in parallel, providing two stages of feedwater heating. Extraction steam from the low pressure (LP) turbines is used as a heat source. The heaters are provided to improve thermal efficiency and preclude thermal shocking of the steam i generator. The condensate booster pumps pump the condensate through six more t feedwater heaters configured in three stages of two heaters each. i Again, extraction steam from the LP turbines is used as the heat source. The condensate enters the steam generator feed pumps after leaving the last stage of feedwater heating. The condensed steam leaving the feedwater heaters flows to the heater drain tank. The heater drain pumps (4260 gpm) take suction from the drain tanks and pump this water to the condensate system. This water then enters the condensate system upstream of the last low-pressure heating stage (heater stage 15). i Two minimum flow control valves are installed in the condensate subsystem to prevent pump trip during low-flow conditions. The valves are designed to open upon low flow conditions recirculating water back to the condenser hotwell. One control valve is provided on the condensate pump header (8-in.-diam. valve) and the condensate booster pump header (6-in.-diam. valve). , Condensate is also used to cool the main turbine exhaust hood (at low load) and to deaerate the auxiliary boiler. Upon low level indication in the hotwell, the condensate storage tank makeup valve (CD 4406) is opened, permitting gravity feed of condensate l

        . . - .       _                       _. - --       .~.                  - - . . _ _ - _ - .

l 57 l Trom the storage tank. High hotwell level results in opening of the condensate storage tank dump valve (CD 4405), which permits the pumping ! of condensate from the hotwell to the storage tank. The condensate enters the steam generator feed pumps and is pumped

through high pressure heaters, feedwater regulating valves, and isolation valves to the steam generators. After the condensate enters the feed pumps it is more appropriately termed feedwater.

l The SG feed pumps (15,000 gpm each) are turbine-driven pumps with motive l steam supplied by the low pressure reheat steam system during normal j' operation. The pump turbines use high pressure steam from the main steam system during startup operations. ! Feedwater flows through two parallel high pressure heaters (heater l stage 16) located between the SG feed pump discharge valves and the i feedwater regulating valves. Extraction steam from the high-pressure turbine is used to heat the feedwater prior to entry into the steam generators. l The flow of feedwater to the steam generators is controlled by the j reedwater regulating valve controller. This controller is controlled during normal operation by a three-element controller, which uses feedwater flow (1FE 1111,1121), steam flow (IFE 1011, 10,21), and j downcomer level (1LT 1111, 1121) for level control. Following turbine trip, the regulating valve is closed and the regulating valve bypass l valve is opened and controlled by a single element controller that uses

 !              downcomer level (1LT 1105,1106) for control.       The regulating valve

{ bypass valve is also used to control steam generator level below j 15% power. The speed of the main feed pump turbines is controlled to { maintain a fixed differential pressure across the feedwater regulating valves. j A motor-operated isolation valve is provided downstream of the feed 1 regulating valve. This valve permits isolation of the feedwater system )i in the event of a steam line rupture. Actuation is provided by low steam generator pressure. l 1 A minimum flow control valve (6 in. diam.) is also provided on each SG L reed pump to preclude pump trip under low-flow conditions. The control valve recirculates part of the feedwater back to the condenser hotwell. For information regarding specific details of the condensate and feedwater systems, see refs. 4 and 5.

;                Steam Generator Description

Each Calvert Cliffs unit contains two identical steam generators.

Design information for the steam generator is listed in Table B1.

l l

58 Table B1. Steam generator design characteristics Physical Description Number 2 per unit Type Yortical inverted U-tube Dimensions Overall height (including support 749 in. skirt) Upper shell 239 75 in. Lower shell 165 in. Reactor coolant inlet nozzle 42 in. ID (one each) Reactor coolant outlet nozzle 30 in. ID (two each) Main steam nossle 34 in. ID (one each) Main feedwater nozzle 18 in. ID (one each) Auxiliary feedwater nossle 4 in. ID (one each) l Botton blowdown nozzle 2 in. ID (one each) Materials l Steam generator vessel Carbon steel Flenues 304 stainless steel clad l Tubmaheet-priary side Inoonel clad U-tubes Inconel Number of tubes 8.519 each generator Tube size 0.75 in. CD, 0.654 in. ID Weights Dry weight 1.004E6 lbe Flooded weight at 680F 1.5267E6 lbs l Volume of secondary fluid Secondary side flooded 8006 cubic feet At normal water level 4592 cubic feet l l l l I i

       ~.                                                           __.

59 r Table B1. (continued) Physical Description Weight of secondary fluid At 05 power 6818 lba steam 216,284 lbs liquid At 1005 power 9,820 lbs steaa 132,975 lbs liquid Reactor coolant conditions at full load Flow rates 61E6 lba/hr Pressure 2250 psia Inlet temperature 599.40F Cutlet temperature 5480F deat transfer rate 4 386E9 Btu /hr Steam conditions at full load Flow rate' 5.635E6 lba/hr Outlet pressure, temp. 850 psia, 525.20F Steas quality 0 998 (minimus) Steam temperature 525 20F Feedwater conditions at full load Flow rate 5.576E6 lba/hr

 ;                Pressure                                   1100 psig Temperature                                431.50F (Unit 1) 435.60F (Unit 2)
             'These flowrates are as reported in the Calvert Cliffs Steam Generator Design Description Number 17, published by Advanced Technology Inc. for Baltimore cas and Electric Company.

1 i

   - -    ,=                   . -     .      .-,     --                   - _ . - . _ . . - - _   - -

i 60 i i The steam generator is a vertical shell vessel with an inverted U-tube heat exchanger. Primary fluid flows inside the tubes, and secondary fluid flows outside the tubes. The U-tube exchanger contains j 5,819 Iconel tebes. Primary co<1 ant flows from the reactor vessel into the bottom head of the steam generator vessel through the inlet nozzle. A divider plate in

the bottom head guides the fluid into the tube bundle and separates the inlet from the outlet primary fluid. The primary fluid leaves the 1 vessel bottom head through two nozzles. When the reactor is at full

!, power, the primary coolant in Unit 1 enters the steam generator at 599.4*F and leaves at 548'F (Unit 2 has slightly different temperatures). The average primary coolant temperature varies linearly from 532*F at zero power to 572.5'F at full power. i l The secondary fluid comes from the main feedwater pumps (or the l cuxiliary feedwater pumps). The feedwater flow enters the steam 1 generator through the feedwater nozzle and is distributed through a

circular header ring located 47 in. below the reference operating level of the fluid in the downcomer. The auxiliary feedwater rc 7zle and distributor ring are located just below the main nozzle and ring. The reference operating level is located near the level of the recirculating fluid sump, which is just below the separators of the steam-water mixture.

Feedwater enters the downcomer through inverted "J" tubes that project upward from the top of the feed ring. The "J" tube prevents the i feedwater ring from emptying and causing a waterhammer when refilling l with colder water should the liquid level drop below the distributor i ring. Feedwater temperature varies with reactor power output and is 4 212*F at 5% power and 423*F at 100% power. I Feedwater is preheated in the downcomer as it mixes with the

recirculated water. The recirculated water is runoff from the j steam-water separators located at the bottom cf the steam drum and is at

! the saturation temperature of the steam drum. The ratio of recirculated water to feedwater decreases as the power increases, but the mixed fluid temperature is always subcooled so that boiling and void formation are l prevented in the downcomer. I The preheated water leaves the bottom of the downcomer and is directed i over the top of the tube sheet and up through the tube bundle, where j heat is added to produce saturated water and steam. The quality of the mixture leaving the tube bundle is 0.25 at full power. The steam and water mixture flows upward from tho evaporator section through the riser section to the steam-water separators. The saturated water in the riser acts as a sur ge capacity during transients. The separators are located on a metal support plate at the bottom of the steam drum. The support plate forms a separation between the drum and the riser. The separators have helical vanes that impart a rotational motion to the upward-flowing water mixture, and the centrifugal force effects a separation. The l L_ - - _ - . - - - - - . -_...-- - - _ - , - , - - -. - --

                                                          = _ - .      _. -     _-_-       .     - -

61

     ~

separated water flows outward and downward through holcs in the separator outer wall and returns to the downcomer, where it mixes with the cooler incoming feedwater. The separated steam flows into the steam drum and through corrugated sheet dryers that improve the steam quality to values greater than 0.998. The steam leaves the steam generator through a nozzle located at the top of the vessel and above a deflector plate. The saturated steam l temperature leaving the steam drum ranges from 532'F at 0% power to 525'F at 100% power. The steam generator is designed to maintain a difference between the reactor average temperature and the temperature of the steam produced , that varies almost linearly from 10'F to 47 3*F as the reactor power increases from 155 to 100% of full power. Steam Generator Operating Principles The Calvert Cliffs steam generators are designed with sufficient surge capacity for the secondary-side steam and water to respond to the power transients that are expected in the startup and shutdown of a base load operating plant. The internal flow is maintained by natural circulation. The liquid level is normally maintained by an automatic control system that adjusts the feedwater flow. The plan is also protected through high and low level trips. The natural circulation path in the steam generator includes the downcomer, the shell side of the heat exchanger, the riser section above the tube bundle, and the separators. The free surface of the flow path includes that of the downcomer and the recirculated water return path to the downcomer. The water at this surface is at the bottom of the steam crum and is in thermal equilibrium with the steam in the drum. The reference zero level for the liquid level and feedwater flow control system is located near the bottom of the recirculating water collection sump that supplies water to the downcomer. The driving force for the flow around the natural circulation loop is supplied by the net density difference between the fluid in the downcomer and the fluid in the remainder of the loop. The driving force required to maintain steady state increases as the reactor power and the steam generation rate increase. The increased driving force is obtained from a decrease in the density on the upflow side of the circulation loop as steam bubbles are produced in the boiling water. The resistance to the flow is the sum of the friction and acceleration forces generated as the water,and steam flow through the entire circuit, including the downcomer, tube bundle, riser and separators. Flow resistance varies roughly as the sum of the terms involving squares of the velocity of the fluid in the downcomer and the riser, and of a term which involves differences of the squares of the velocities of accelerated fluid. As the void fraction increases on the riser side, the recirculating water flow around the loop starts to decrease. The

62 mass velocity in the natural circulation' loop increases to a maximum value at about 70% of full power and decreases about 55 between 70 and 100% of full power. The riser circulation rate is constant within 13% when the power ranges between 50% and 100%. Steam Generator Control The feedwater control system is designed to maintain a fixed level in the downcomer. Feedwater flow is controlled primarily by modulating the main feedwater control valve and secondarily by controlling the speed of the feedwater pump. The main feedwater control valve has two modes of control, which depend upon the power level. The modes are switched at 155 power. Below 15%, power the flow control signal is based on a proportional band (i.e., a fixed gain) determined from the level error, which is determined by the difference between the measured level and a set point. Above 15% power, feedwater flow control is based on both the level error and the difference between the feedwater and steam flows. The controlling signal consists of the proportional band and the time integral of the level error, plus a proportional band signal using the difference between the steam flow and the feedwater flow. Secondary control of feedwater flow is obtained by varying the speed of the feedwater pump. This control system uses the pressure drop across both feedwater valves as inputs. The smaller pressure drop signal is compared to a set point of 105 paid, and the difference is sent to a controller . The controller generates a speed control signal based upon the derivative, proportional band, and time integral of the pressure difference error. The direction of control is such that the speed of the pump will be increased when the smaller pressure drop is below the 105 psid set point. The steam pressure and flow rate at the header of the first turbine stage are controlled manually from the turbine-generator control system. (The Calvert Cliffs plant is a baseloaded plant.) To establish the steam generator operating conditions when the desired operating power level is determined, the turbine-generator operator controls the setting of the turbine steam inlet valve to achieve a programmed pressure and steam flow rate for the desired electric power level. The reactor operator adjusts the positions of the reactor control rods and the boron concentration in the primary coolant (with the chemical addition system) until the average coolant temperature (Tavg) is increased to generate the required steam flow rate and steam pressure at the turbine steam inlet valve. Steam Generator Safety and Protection System In addition to the control system, the stem generator has safety limits that will either cause a turbine trip on high downcomer water level or a reactor trip on low level (see Table B2). The level measurement used in the safety system consists of four AP instruments that generate a signal that can be used to infer a liquid level in the downcomer. These four

63 Table B2. Summary of significant steam generator levels Distance Above Normal l Operating Level (in.) High high-level turbine trip +50 , High level alarm +30 Normal operating level 0 (550 in, above baseplate) Low level alarm -24 Low low-level reactor trip -46.8 Main feed ring -47 Top of tube bundle -55 Auxiliary feed ring -59 Low-level auxiliary feed actuation signal -170

!                                    Bottom of tubesheet                                             -412.2 1

i signals are sent to a two-out-of-four logic device, which can generate a trip when the safety limits are exceeded. The high-level turbine trip

 ,                         is part of the engineered safety features actuation system (ESFAS).

Two-out-of-four logic is used to prevent false trips, ensure valid trips, and allow for on-line testing. This logic system, however, reduces to one element that generates the trip signal (i.e., a single OR gate actuates a single relay which causes the turbine trip). If either i of these devices, the OR gate or the relay, is in an undetected failed state, the turbine trip signal will not be generated from this circuit. The same condition exists for the reactor trip on low water level, which uses a two-out-of-four logic and has a single OR gate and a single relay to generate the trip signal. If either the OR gate or the relay is in the undetected failed state, reactor trip will not be generated. The steam generators are protected from overpressure by a set of eight safety valves, all of which can exhaust steam to tha atmosphere. In addition there is a flow-restricted venturi that limits the blowdown rate of the generator in case of a steam line rupture inside the reactor containment and upstream of the main steam isolation valves. Flow is limited to prevent an excessive buildup of pressure in the containment vessel in case of an accident. These protection devices do not require any action by the control system, and there is no action that the

;                           control system can take to stop the safety action of the valves if the set points are exceeded. The safety valves can relieve 103.79% of the full power steam capacity at a steam header pressure of 1035 psig.

1 In addition to these safety systems, an atmospheric blowdown line and turbine bypass valves to the main concensers are used to reduce

           - - , - - - -~+                       > - - .    ,, - , - n,  ,c-    -

64 challenges to the safety valves and to limit the pressure in the steam generator in case of a reactor trip. Turbine bypass valves allow steam to flow directly from the steam generator to the main turbine condenser without going through the turbine. The capacity of each turbine bypass valve is 10% of the steam produced at 100% power. This valve is installed to allow the steam generator to dump its steam inventory (to the main condenser) without opening the safety valves when a turbine trip occurs. It is also sufficient to allow condensation of the steam generated from decay heat without exceeding normal operating pressure. , The atmospheric dump valve allows the steam generator to dump steam to l the atmosphere when the turbine and main condensers are not operating. The atmospheric dump valve line entrance is located upstream of the mai.n steam isolation valse (MSIV), so pressure in the steam generator is isolated from the rest of the reactor plant. Each steam generator has separate isolation valves on both the main feedwater and auxiliary feedwater lines. This enables a single steam generator to be isolated from either or both feedwater flow headers. The auxiliary feedwater ( AFW) system has two steam turbine-driven pumps (one of which is isolated from the loop by a hand valve) and an electric motor-driven pump. The steam-driven pump has de-powered controls. If there is a power failure, the plant protection system will start one steam-driven AFW pump af ter the reactor and turbine are tripped. If there is a turbine and reactor trip'with offsite power available, the motor-driven pump will be activated. These control systems are safety grade. The loaest level (-170 in.) steam generator alarm will activate the auxiliary feedwater actuation system (AFAS). The AFAS will start the AFW pumps and, after an appropriate time delay, run back the main feedwater (MFW) pumps and close the motor-operated valves that isolate both of the steam generators from the MFW system. This procedure assures continued availability of the MFW flow while avoiding the possibility of emptying the pressurizer by overcooling the primary system. Af ter an additional preset time delay, the equipment will remain in its actuated condition regardless of the steam generator level until the operator resets the AFAS at the AFAS cabinets or from the control room. There are AFAS " block" signals provided for each steam generator. If a low steam generator level is detected and, in addition, there is a high differential pressure between the steam generators' secondary sides, two blocking signals will'be generated. Each blocking signal will shut one of the two blocking valves in each of the steam-driven and l

66 motor-driven pumps' discharge lines to the indicated leaking steam generator. This block makes the AFW unavailable to that steam generator as long as the initiating conditions for the block exist. When this block is present, the AFAS will not run back the main feedwater pumps. B.7 FEEDWATER REGULATING SYSTEM Calvert Cliffs has two fully separate feedwater regulating systems. (A block diagram of the feedwater regulating system is shown in Fig. B13). Each system controls the main and bypass feedwater valve for one steam generator. Each steam generator level is compared to a set point and modified by the ratio of steam flow to feedwater flow to adjust the regulating valve. The main feedwater valves are automatically closed and the bypass valves set to 5% flow following reactor trip. This position can be overridden manually by the operator. The feedwater regulating system receives primary ac power from separate vital buses 1YO1 and 1Y02. Upon loss of an associated vital bus, the feedwater regulating systems automatically transfers to separate non-vital instrument buses 1YO9 and 1Y10. One vital bus and the associated non-vital bus must be lost before one feedwater regulating system is compromised, and both vital buses and both non-vital buses , must be lost before both feedwater regulating systems are compromised. The main feedwater valve electric-to-pneumat' (E/P) position controllers have solenoid valves on the air lines that use non-vital instrument power. Each of the two main feedwater valves has a different ' source of instrument power. Loss of non-vital instrument power will fail the affected main feedwater valve position "as is." The three= element main fcedwater valve con' troller (FC1111, 1121) receives inputs of steam flow (FT1011, 1021), feedwater flow (FT1111, 1121), and steam generator downcomer level (LT1111,1121 or LT1105, 1106). Steam and feedwater flows are provided to a comparator (FY1112, 1122) prior to processing by the feedwater controller. The steam and feedwater flow signals are summed in the comparator to produce an error signal. The downcomer level is provided to a lead / lag unit prior to processing by the controller. The lead / lag unit reflects transients in the steam generator level. The level signal is summed with the steam / feed flow error signal to produce a final signal to control the feedwater valve. A steam generator level set point, which is consistent with plant power level, is generated in controller FIC1111, 1121 and fed into controller FC1111, 1121. The final signal fed to the steam generator feedwater regulating valve controller adjusts the regulating valve to attain the correct level in the steam generator. Differential pressure transmitters sense the pressure drop across the feedwater regulating valves and send signals to the feedwater regulating valve differential pressure controllers (PDIC 4516, 4517). These

OSTEAM FLOW I k ' STEAM FLOW FW FLOW m

                                                                    ;                         LEAD / LAG
                                                                          }                               -

FEEDWATER FLOW l al

                                                               ;   'S       e  LEAD / LAG
                                                                   --e DOWNCOMER LEVEL                 l I

I l TURB!NE TRIP l ATMOSPHERIC STEAM S DUMP PERMISSIVE

                                                             \   '

O e CONTROLLER h K3

                                                                   -el DOWNCOMER                  l LEVEL

K3 St TRIP BIAS GENERATOR Fig. B13 Fecdwater a .. .. . . . . .

l / l 66 FEEDWATER > HlA > CONTROLLER VALVE ElP 4

 /

LEVEL SET POlt4T POWER SUPPLIES PRIMARY ALTERNATE (AUTOMATIC TRANSFERS) SG11 1Y01 1YO9 SG12 1Y02 1Y10 BYPASS FW ) {. VALVE E/P CARD Also Xvailable On Aperture Card regulating system. g6 i003o4//- 04'

67 controllers are set to maintain a 105-psig differential pressure across the feedwater regulating valves. The controllers send error correction signals to control feedwater pump turbine speed when the feed pump turbine is in the automatic control mode. As power level and valve position change, the correct feedwater differential pressure will be maintained to ensure flow into the steam generators. The three-element feedwater control system is used to control steam generator level at power. levels above 15%. At power levels below 15% or upon turbine or reactor. trip, the single-element feedwater control system is used to control the level. The single-element control system regulates the feedwater regulating bypass valve to control the level in the steam generator. Below 15% power, steam generator shrink and swell effects are not present to give false indication of steam generator level. A steam generator level signal is generated by LT1105,1106 or LT1111, 1121. This signal is sent to the feedwater bypass valve controller (LIC1105, 1106) where the actual steam generator downcomer level is compared with a level set point to produce an output signal that is converted into a pneumatic signal, which operates the feedwater bypass valve. For additional details regarding operation of the feedwater regulating system, see ref. 4. B.8 MAIN STEAM AND ATMOSPHERIC STEAM DUMP-TURBINE BYPASS CONTROL SYST The main steam system transfers steam from the steam generators to the following equipment:

        -    main high pressure (HP) turbines,
        -    moisture separator reheaters,
        -    main steam generator f eedwater pump turbines,
        -    auxiliary feedwater pump turbines, and
        -    steam seal regulator.

A simplified schematic of the main steam system is shown in Fig. B14. The atmospheric steam dump and turbine bypass control system functional block diagram is shown in Fig. B15. The main steam system also provides overpressure protection for the steam generators by relieving excess pressure to the atmosphere or the condenser. Automatic removal of nuclear steam supply system stored energy and sensible heat is provided by the main steam system following a turbine and reactor trip. B.8.1 Main Steam Flow Path During normal plant operation, steam generated in the steam generators , flows through a main steam header to the main high-pressure turbine stop valves. Each main steam header has a flow restrictor and a main steam isolation valve (MSIV). The two main steam headers from the steam

                                    ~                                                                                          MS d                                               atmos O3
                                                                                                                                ~

2. f

                                           ,                                   Sveicas tw
                                     ,   6                                        . - ,

TTTTTTT s

                               !)                                                                              _
                                                                                                                       ~~~

no,s ecostcos as at

                         ,, o.

l es s encros e e, 1fao ri p 1I 222 g g e avsniae, i I asero,evue tos "f ^ U

                                                                                                                               ,y U u is, ,

sftau casematoe " 8' #'** 12 231 ,,,,,g, a

                                                                                                                                              $          L w .

Q- us= -vomavac I asas i  % So? actuaron anno cousinoi -*--M

                                                       -i                                                     s, stem                          8 atepDsetete*C sflaw Y

useoancv wf_ V m 3M' 2 ' l puu* amo vues* eveass coseveois

                                                       -                                                         8
                                                                                                                              -+ us sees cv too       us asse cv =e,      l            b_w us ,, cv                   \    /
                                                      /_ on                                  uso,ev +          A----p_

STlau O I. -- + us

                                                                                                                                            ,,.,c,

c. U Os e:E maTOs n'2 'i 0

                                                       }P      }f,o2                     g      j
                                                                                                                 " usamet  a fito evase                      _ ci
                                              .L p^

L 2

                                      -5,                                                                                      vvewa     n a'.                    ' '"

V

                                                          .3,o
                                                                 '                                                                                       r,,,7 eE sta=C10e SCG4 2C34 LJ
                                    .,es a

icenc.>, mIm - et r m " SM sN i av os s ___ ,, l 3, .o.s n 3s3? seas a g i3336 Tveic44 08 nos ic,-i i l T TTTTTTT j

                               $                                                                          us aan
                                                                                                                   ..--- -              <=>
                                                                                                                                                                    ?l c%

l 1 M$

                                                                                                                         .oo                   **

l Fig. B134 Mainstej l l l {

                                                                                                                                                            /

68 a, i, u=>> i . 40 GI 4D

                       . ; usa 13:29 & 2P
              .U.        '.'.U.~.?.' .
         ..         . sen . -

a= cavaaero cion . n ah Co...u Uv a. ..

                                                     '                                     am OseaargD Cats watwg
                                          /

Lb tj n. 4 . ..a .. .a.. wa w. we NVDaaWLCata? OptaaggO

• TynesW CLOSEwatwE 11e21s enam k [s

 .O.mos
 . u mn, a    lta                 g j -                 :

3 . . 5f0au t= L1 U g a .. - . wa.w. essomma&&T Opq w a.amuaLLT Openatt0 wasvt l0mO845t3 MaesMP senommatt9 Ortese retti 92 22a r tumseg Tunesad Efgaw Sfo# wanwg 548# j js g _

                        .m.

yaJuremog STLa# CO8tf AOL waawl u mo.x... CDefem watwg asassuat Opvaston ht 13 21 Af uOff MaNuat OPim4708 04 WALwt M2$t2 \ m >>2ie j ,,a,,,,,,,,C., U noru 9 8*888= ALL unfT Sq)) CDeeP08stest5 metM 1 MS 2 MS a UtttBS OfessuriSE j..-==== % 2 mssw sevenawuc aCTuafos asso C04'eOL ST5itu Saecum m FIGWRES a e J ...

                 *=

MS .029 f

                             ', u . o .                                               ' aowaa a a
                     -'...,,n.a.,                                          '"'  '

, 2 2 STEau Etu REGulaton f$1 APER M l % system flow diagram. CARD Also Available Un Aperture Card gico304//-05 l l l -

  %s i

69 125 Vdc ". BUS 11 MANUAL SET STEAM POINT GENERATOR (900 psla) OUTLET PRESSURE STEAM GENERATOR PIC4056 ERROR 3 y , OUTLET PRESSURE CONTROLLER 1PT4056 j, t>- 4>- Tavo-Tntr FROM REACTOR y I@ p HEGULATING I SYSTEM itT -

                                       +               HIC             
                                                                           >   HIC
          @ CONTACT IN REACTOR REGULATING SYSTEM CLOSES ON HIGH Tavo Tntr TO PERMIT OUICK OPEN
          @ CONTACT CLOSE3 ON TURBINE TRIP                               -+    HIC OUICK OPEN WITH @
          @ CONTACT OPENS ON LOW CONDENSER VACUUM FOR QUICK CLOSE                                     NOTE: Relays shown in st to turbine not tripp g INSTRUMENT AIR 80-100 psi                                           vacuum Fig. B15.                Turbine bypass and atmospher

K7 ~ ~h ITT Ih @ ITVT _ _ _ _ _ _ - , 7 I l l A l ATM isv j ' ICV 3944 I l l/P A0 1 l TURBINE 6 ,l ATM  ! > I/P I ' 2 O g ATM l > llP 81

               'Q4j r
                                                            'cv 3940 l

l Al , ATM ________ ] APERTGN CARD I ---- 1 I I isv

                           $                                      icv I Aleo Xvailable On

> l/P 3938

                                                                                              ' Aperture Card
                                                                  ,   l

[ lg l ATMOSPHERIC l l STEAM l DUMP

                   ,s ,     j                                     icv l

I VALVES

• IIP 3939 l AO l l

b

                                                        ---- J

,e;,, pos,,g,egr;esgno,no

• 1c steam dump functional block diagram.

86/o030W/- O(o

70 generators are cross-connected downstream of the MSIVs. Steam from each main steam header flows through air-operated control valves to the auxiliary feedwater pump turbines. A smaller diameter branch header provides a steam flow path to the moisture separator reheaters and to the steam seal regulator. Another branch header, connected to the main steam header, supplies steam flow to the main steam generator feedwater pumps. . Each main steam header is provided with one atmospheric steam dump and eight ASME-code safety relief valves, which are connected between the containment penetration and the MSIV. These valves, normally shut, are opened to exhaust main steam to the atmosphere. Four turbine bypass valves are connected to the same branch header that supplies the main steam generator feedwater pump turbines. These valves, which are normally shut, are opened to exhaust steam to the main condenser. B.8.2 Main Steam Components Immediately downstream of each steam generator outlet nozzle is a venturi flow restrictor. The flow restrictor serves to limit the main steam flow rate in the event of main steam header rupture. Each flow restrictor is designed to limit steam flow to approximately 170% of normal flow. These components are designed to withstand a maximum pressure and temperature of 1000 psia and 580aF. Overpressure protection for the secondary side of the steam generators and main steam header up to the inlet of the turbine stop valves is provided'by 16 spring-loaded ASME-code safety valves. The safety valves are set to open sequentially, two at a time, when header pressure exceeds and continues to rise above 985 psig. When all eight safety valves on one main steam header are open simultaneously, these valves are capable of relieving approximately 104% of the steam flow from one steam generator. A hydraulically operated MSIV is installed in each main steam header between the code safety valves and the turbine stop valves. These Y-pattern globe valves are capable of withstanding steam pressure and temperature of 1085 psia and 580*F. The MSIVs are capable of shutting against 1000 psig of steam pressure applied to the valve seat. The MSIVs are installed to protect the steam generator and the reactor from damage due to a rupture in the main steam header. The valves are designed to close within 6 s of a SGIS. Quick plosure prevents rapid flashing and blowdown of steam generator water due to steam flow through the rupture. Rapid removal of steam from the steam generator could , cause rapid cooldown of the reactor coolant. The SGIS is generated when the steam pressure in the steam generator drops below 653 psia. A blocking signal is necessary to block the SGIS actuation during normal shutdown from power operation.

71 The atmospheric steam dump and turbine bypass system is used to remove stored energy and sensible heat following a turbine and reactor trip. This system is used to control secondary steam flow so that the safety valves are not frequently challenged. It can handle 45% of total ! secondary steam flow. The atmospheric dump and turbine bypass system i comprises two atmospheric steam dump valves and four turbine bypass valves. The atmospheric steam dump valves are connected to the main steam header between the containment penetration and the code safety valves. When opened, both dump valves exhaust up to 5% of the total steam flow from the steam generators. The dump valves are designed to withstand a maximum steam pressure and temperature of 1000 psig and 580*F. These valves fail shut and are equipped with a chain operator, which permits manual override. These valves are designed to quick open at reactor power levels above 63% to remove steam flow from the steam generators. Four normally shut turbine bypass valves are connected to the steam generator feedwater pump supply header downstream of MSIV 11. The turbine bypass valves are air-operated,10-in globe valves fabricated of carbon steel. When opened, the four valves are capable of passing 40% of the total secondary steam flow to the condenser. These valves are designed to withstand a maximum steam pressure and temperature of 1000 psig and 580*F. The valve operators are equipped with handwheels to permit manual operation should their controls fail to operate. When the main turbine trips w'hile the reactor is operating above 63% power, the turbine bypass valves receive a quick-opening signal from the main turbine control system. If the main steam pressure exceeds 895 psia without turbine trip, the bypass valves are opened automatically. The atmospheric steam dump and turbine bypass controls provide automatic or manual control of the atmospheric steam dump and turbine bypass valves during normal and emergency plant operation. During normal operation, the atmospheric steam dump and turbine bypass valves are designed to remain shut until the main turbine trips. For a turbine trip, the Tavg error from the RRS is used to control the atmospheric steam dump valve opening area. The larger of the secondary steam generator outlet pressure or Tavg error is selected to modulate thc 'urbine bypass valve position following a turbine trip. If the Tavg error is greater than a set point value (Tavg greater than 535*F usually at about 63% reactor power), both the atmospheric steam dump and turbine bypass valves receive a quick-open signal following turbine trip. Loss of condenser vacuum or MSIV closure will result in a quick-close signal to the turbine bypass valves. This signal will also prevent the turbine bypass valves from opening to prevent damage to the condenser.

72 i Loss of dc bus 11 control power to the atmospheric steam dump and turbine bypass controls will close or hold closed the turbine bypass valves due to the quick-close action of the isolation solenoid valves. An automatic close demand will also be signalled for the atmospheric steam dump valves; however, manual control is also available for these valves. Loss of instrument power to the valves will serve to close both the atmospheric and turbine bypass valves. The main steam system supplies steam to the auxiliary feedwater ( AFW) pump turbines when the auxiliary feedwater system is actuated. The supply piping for the AFW pump turbines connects to each main steam header between the containment penetration and the main steam safety valves. Each supply line contains a steam supply isolation valve. These valves are air-operated globe valves which are held shut by air pressure from normally de-energized solenoid valves. The isolation valves f ail open upon loss of instrument air pressure. The main steam system supplies steam to the moisture separator reheaters of the reheat steam system. Main steam flows to the reheaters warming the HP turbine exhaust steam before it enters the LP turbines. Normally open isolation valves are provided on each line. These valves are motor operated and each is equipped with a handwheel to allow manual operation of the valve. The main steam system has a dedicated drain system to provide removal of condensation from the main steam piping. This system assists in preventing turbine blade erosion and corrosion of the main steam piping. It also serves to improve plapt operating efficiency by returning moisture from low points to the main condenser. Additional details regarding operation of the main steam system can be found in ref. 6. B.9 COMPONENT COOLING SYSTEM The purpose of the component cooling system is to maintain certain plant components at their required operating temperatures by transferring heat to the salt water system. The system also acts as an intermediate barrier between the radioactive fluids in the components cooled and the l ultimate heat sink--the salt water system. The component cooling system consists of three circulating pumps, two heat exchangers, one chemical addition tank, and one head tank. Most of the components including piping, valves, and instrumentation are located in the auxiliary building. Cooling lines for containment components are located inside the containment. A simplified schematic of the component cooling system is shown in Figs. B16 and B17. For more information regarding the component cooling system, see ref. 7.

l 73 e' O~..t"'

                                                     @rg,.e t.=, ,,=
                                            ..:s                             ,         ,

c-o. .c,.

                                                                          //        // /                                                        WCl.

n .. . ** " gg 5 1 1

                                            -                                  /.
                                                                               ..           "                                                                            .\_cc ,

lA- 1ry ,, k.u u .. cc II. J.L ese ..-. we , = vu .._,2_, , . ,  %- m.. ........

                                                                                                                                              . . .         . e.. eene.
                                                                                                                                                                               & 2 u 2 _                                             oc=

F F , .***L.

                    .C0068  ..               e.1
                                           -c.

4' t**

                                                                                         .c.e..
                                                                                          .      0s e.,.c.O.
                                                                                                 .c           ct.im
                                                                                                            ...                                                                 - .M. ~
                          = =.                                                                                                              ee 37             ec =

gg g O ,,

                                                          . = , . . . . .

m 2 m 2 Mk kr J, # \ c, 9 0 C ec.4 ec 9 9

                          .. .                 J L                                                                                                 JL     <            JL                                                lpp 9

a

                  -=u                                                                       c.

Q...m

                                                                                                                                          *cq       .m.       ec =

o .pp u'

                                                     ,cv.

3 an. sc.h cC 1,. 8 O " .Q) ec = $ cc = .c

                                                                                                       **                            "           cc '**
                                             -4 l

1 l .

                                                                                                                    ~
                                                                                                                             '}- -C            !/F-                                                 .                             ,,=,p.

9

o. ,. a A

   -.....c_...
                                                                                / cc.       -
                                                                                                                                 .           w                                                                            -.,       -4u. x 9 ,, ,,,^-

2 YY - -

                                                                                                                                             . ~ . n.

Wec.w

                                                                          ..f                         , . ,

4.. aOl ca .,

                                                                                                 ....c.o. ., c.oo.iw.                                             .                                          ec,,
                                                          ...;:.....      ' L, ,                                             X"                     =                                                                    n                  ,
                                                             ......                                                       ., ,                                                 ....                                        --              2 cc =                                  cc .                                                           .
                                                                                                                                              .c. ,

us,. I

                                                                                                                                                                           -.- cc m j 1      P cc'"

cci. cc c3 g I,

                                                                                                                                                                        , , _c
                                                                                                                                                                                                                      ,..                  m
                                                                                                                                                                      ..af.      oC S*.T    .uase                                    g c

Fig. B16. Component cooling system (sheet 1) . l I w~n

O., - m T___ v vdr.. a

      -,                  an s                                                                             .,

d.

                                                                                        *,                             M...                  .........

c .::. .. _ _. ,- - - - 3 . n. ..........

                          ~.           s                   ,

TI i :4

                                                                                                                                             ^                                    APERTURE l             =.. m                                                       ....

9 F

                                                                                                                                              . - . .                                       CARD s 6 i                                         =

3r -~ 9r#~ 1, ,1., l i , 3 3 ^ I ..

                                                                                                                . - . ,                                                       'Also Xvailable On Y                               I Q.           -   -

ar,:. Aperture Card y i

                                                                                               ,                    ~-                                    m_
                                                                                                                                                       ,s - - .-.
                      . .,                                     ,,          ,.                            y                                                **"*

a ** a u s. a u

                         . ..                                 ==,
                          ....                                                                                                 v,
   .  ..... .                                                                                                __ __ n
        ..                 I.                                               .                                j(_. /_._

o m, .... .,

                            .                                                     .                           m        m
      ~./                               ,f..
                                        'u '          (      
                                     -v.C ,4:                                           #
                                                                                                                                      .:. ,,,                  -c> q.           .. - .. .

G n

:,. +4- . - . .

            \9 y;o ,,,

y - o m.. .. c.c.

                                                                                                                                                               +.4-~~.-
                                                             ,.u-                                                                       ,,,

4, _

                                                                                                                                                               -vF        a.,"=i"--                  = , - . .

- 4 ..... . u.' , '*f.*.' ~.

                                                                                                                                                             .I + F ~ ~...~ - , ~
  ,            :,                   .. ,.j.\~                                                                                  ;",2, Cn_i.V                                                                         6, m i . ... -

u . .. n.. g ,,, , ,,, ,, l

        .. r,,

A 1, ,] u 6. sm ,ee g { we,,c, ,,, o l o. T v.,,'.

      ~...                                                                                                          -            - . . . . .            , _.                      . . . .

af. -- . .

                                                                                                                                                                 <    -           o.          -    .

o

                                                                                                                    "            a-
                                                                                                                                                         .3              -

6., . . . . . . . . . . .... .

                                                                       ~. . . ... . . . .. . .
                                                                                                   ~ . . .                                        .
                                                                                                                    ~
                                                                                                                                 =...g,,_,,.

y .

                                                                       ~ .. .. .. .. .. .. . . . .                               . . . . . . .

I 2,.

                                                                       ........       .            ~...._.                                                       m,        . . , _

q . . . . 86/oo3oW/-07

I III Ii li i i  ! ld I  % ll'lIII11Ili!i ii l l 1.; , i:: i ii I g e b

     """"' $ t$$0 - />--ae((                                                                                  4> pgg     jj me q i                                   I,                                           9      Si j<

J. 2  ; i' l,1 Ji.O st

                          " E l ' "1                            dJ, " jii                                      $

f,!"i -- lli:- elk . qj..,...

                                                                   '-s Og,)        IW                  i

_" la ') *

                   + lle:                            -

l  : 2*

II e 0 -CE3-

:,.i sg

                                                                                       'L g .                   -
                   ~~ t                                      .=                                                  i Ii l i        'll             1,                                                               i!"

O: -  : i l w.-- ll l  ! li

                            =        ::-                                                                         8 le !!Iii:                 .

e ,

                                                                                  $ Y sis :                 -
                                                                  'I* i 9 ,, ,                      2:           -

ill l' 11 6

            - i i.il g

gq 3' 4t hb

  's        J.-2:                                       i ll'j. ,                                 i 4                   !                                     [
                                                                                ~
                                                                                                    > l,'.
  <                                     8                                                            !! i   11
 <        I(AW' %
                                                                                   ->-               iii i

lili ii

I-

                                                   -cA3-e                ll db' *3 d)ts!                               _                                       g,>-   .
        'I 5 E lf , E.i,-     .i          .

o e! jel 1i , Us

                                           -                                      f      .
                                              *E!! Ei.
                                               .                ,i
                                                                            .I e!g:e > g m
                                            -! i, ek' '.        ,i

i l 75 l t The nonradioactive, chemically treated water circulated by the component cooling pumps supplies the following loads: I - shutdown cooling heat exchangers; l - letdown heat exchanger;

                -    mechanical seal cooler, lube oil cooler, and thermal barrier for each reactor coolant pump;
                -    control element drive mechanism coolers; l

cooling jacket and af tercooler for each waste gas compressor; i mechanical seal sooler, stuffing box jackets, and bearing housings for each high-pressure safety injection (HPSI) pump; mechanical seal cooler, bearing house, and stuffing box jacket for each low-pressure safety injection (LPSI) pump;

                 -   main steam, feedwater, reactor coolant letdown, reactor coolant sampling, and steam generator blowdown containment penetration coolers; reactor vessel support coolers;
                 -    steam generator lateral support coolers;
                 -   reactor coolant drain tank heat exchanger; reactor coolant sample cooler; post-LOCI (loss-of-coolant incident) sample vessel heat exchanger;
   )

steam generator blowdown sample coolers and chiller; miscellaneous waste sample coolers;

                 -    gas analyzer sample coolers; 1

concentrator condenser, distillate cooler, vacuum pump seal water cooler and vacuum pump discharge gas cooler for each waste evaporator; steam generator blowdown radiation monitor unit sample cooler; degasifier vacuum pump accumulator; and

   )              -

miscellaneous waste heat exchanger. j B.9.1 Flow Path During normal operation, one component cooling pump takes suction from j the two return headers and discharges to the normal and standby

;                discharge headers. This water flows through the in-service component j                 cooling heat exchanger, where heat is transferred to the salt water system. The temperature of heat exchanger outlet water is controlled to 95aF by automatic positioning of the heat exchanger bypass valve and operator throttling of the salt water outlet valve. Water leaving the                              I i               heat exchanger flows in parallel paths to various plant components.                               {
 ;                The head tank functions to maintain the net positive auction head to the 1                 canponent cooling pumps. It also serves to provide a surge volume for expansion and contraction of the system inventory.

The additive tank is used to change the chemical content of component cooling system water. Chemicals in the tank are dissolved in the water as the pump discharge is circulated to the tank. j l'

76 B.9.2 Components Three component cooling pumps are piped in parallel to the normal and standby supply headers. Each pump is designed to supply 5000 gpm at a discharge head of 100 f t. Each pump is driven by a 150-hp motor, which receives power from a 480-V bus. Component cooling pump 11 is powered by unit bus 11A, and pump 12 is powered by bus 14A. Component cooling pump 13 can be powered by either unit bus 11B or 148. A key interlock prevents the potentially damaging arrangement of starting pumo 13 from two different power sources. During normal operation, only one pump is required for component cooling water circulation. Upon initiation of the SIAS, pumps 11 and 12 start automatically if not already operating. Failure of pump 11 or 12 to start within one second will result in the start of pump 13, provided its disconnects are selected to the appropriate bus. Loss of power to the 480-V unit buses will cause the cooling pumps to trip. After the diesel starts and picks up the bus, the pumps can be restarted manually. If a SIAS has been initiated, the cooling pumps will automatically be sequenced back on. The system contains pressure transmitters and alarms that detect and annunciate inadequate operation of the pumps. Operator action to restore component cooling flow is imperative 'for continued plant operati on. The component cooling system contains two 35 in. by 30 f t piped in parallel heat exchangers. Component cooling water flows through the shell while salt water flows through the tubes to provide cooling. Normal heat exchanger operation is such that the salt water heats 11 to 96*F, and the component cooling water cools 36 to 95*F. During normal operation, one heat exchanger is sufficient to provide the necessary heat removal. The heat exchanger outlet temperature is maintained at 95*F for proper reactor coolant pump cooling by control of the temperature control bypass valve. The other component cooling heat exchanger is normally placed in standby to increase system availability and reliability. In this mode, the heat exchanger is lined up for normal operation with the exception of the salt water outlet and heat exchanger outlet valves, which are closed. In order to maintain proper component cooling outlet temperature, these valves are opened as necessary. Plant cooldown and post-LOCI cooldown are normally accomplished using both exchangers. Both heat exchangers may also be necessary during hot weather when the salt water temperature is warmer. A component cooling head tank is used to provide static head to the component cooling system through two normally open butterfly valves.

77 The head from this tank provides more than the minimum net positive suction head for the component cooling pumps. This 2550-gal tank also serves as a surge volume for contraction and expansion due to temperature changes in the closed system. Makeup is provided to the system via the head tank by the demineralized water system and the condensate system. The head tank is provided with transmitters to annunciate high and low level conditions. A 75 gal additive tank is provided for addition of a corrosion inhibitor to the component cooling system. On a weekly basis the component cooling water is sampled for corrosion inhibitance. Hydrazine must be added occasionally to increase the corrosion inhibitance level. After chemical addition to the additive tank is completed, the operator establishes a flow path from the discharge of the pumps, through the tank, and back to the pumps' suction. Af ter adequate mixing into the system, the flow is secured and the tank is placed in a wet layup condition. B.9.3 component cooling system Interfaces The component cooling system interf aces with numerous systems throughout the plant. Most of these interfaces are the loads which the component cooling system supplies cooling water. The major interf aces are discussed in this section. The component cooling system interfaces with the radiation monitoring system, but does not provide cooling water. Component cooling water is circulated through the radiation monitoring system radiation detectors to determine if there is any activity in the water. An indication of high radioactivity in the water is indicative of a reactor coolant leak. Upon receipt of a high activity alarm, the operator determines the validity of the alarm by reading the activity level indication on the radiation monitor, sampling the component cooling system, and monitoring the head tank level. If high activity exists, it is imperative that the operator " feed and bleed" the system to reduce the activity. To feed and bleed the system, pure water is added to the head tank from the demineralized water system, and activated water is diverted to the miscellaneous waste processing system. Component cooling is provided to each of the four reactor coolant pumps. The flow path to each pump is subdivided into two streams; one for pump seal cooling and the other for motor bearing lube oil cooling.

78 1 i Pump seal cooling is divided into two side strearas:

                 -      thermal barrier cooling, which receives 17 gpm, and
                 -      seal water cooling, which receives 28 gpm.

Component cooling to the reactor coolant pumps must be controlled such that the bleedoff temperature from the thermal barrier does not fall below 125'F and the seal cavity temperature does not exceed 250*F. Component cooling water must be maintained to RCPs whenever the coolant temperature is greater than 175'F. The cooling water to the motor bearing lube oil coolers is also divided into two streams; 150 gpm supplies the upper bearing lube oil cooler and 5 gpm supplies the lower bearing lube oil cooler. Proper cooling of the I lube oil is necessary to prevent damage of these bearings and subsequent motor damage. The heat load generated to the motor bearings is so great that cooling water must be maintained for thirty minutes after the RCP is tripped. Loss of component cooling has a significant impact on continued plant operations due to cooling loss to the RCPs. Component cooling must be restored to operating RCPs within 10 min to prevent damage. The i operator is instructed to immediately stop the affected RCP if one of the following conditions exists:

                 -      flow is not restored within 10 min,
!                 -     seal cavity temperature reaches 200*F, or
                  -     thrust bearing temperature reaches 195'F.

The letdown heat exchanger uses component cooling water to cool the letdown from the outlet of the chemical and volume control system regenerative heat exchanger. The purpose of this heat exchanger is to provide sufficient cooling to the RCS letdown for ion exchanger operation. Temperatures exceeding 145'F can damage the ion exchanger resin. Component cooling water flow must be adjusted to provide a constant letdown temperature to the ion exchangers. A reduction in ion exchanger inlet temperature increases the resin's ability for boron capture because the ion exchanger affinity for boron is temperature dependent. Greater boron capture results in increased reactor power, while decreasing boron capture (higher inlet temperature) results in a power decrease. Due to this temperature dependence,' the operator must be especially alert to changing heat loads on the component cooling system. The power increases described above are not significant in magnitude but may result in an excursion above 100% power since normal operations are usually held at full power. The operator may anticipate major

temperature changes and bypass the ion exchangers accordingly.

79 f Cooling water is also supplied to two control element drive mechanism l (CEDM) water-to-air coolers. This cooling permits long-term operation and minimizes CEDM maintenance. Cooling water flows through the CEDM coils removing heat from the CEDM shroud exhaust. When the CEDMs are energized, the component cooling system should be in , operation to assist the CEDM ventilation system in maintaining the power coils below 350*F. Each mechanism is provided a constant 800-cfm air

flow with an inlet temperature of 120*F. Loss of component cooling does not have a critical impact unless air flow is also lost. Loss of water cooling to CEDM shortens coil life. As the temperature increases, the i coil resistance for each CEDM increases, causing a current decrease, j Eventually, the control rods drop due to insufficient current.

i

 ,                             Component cooling water is provided to three reactor vessel support
!                              coolers and four steam generator lateral support coolers. This cooling l                             water flow protects the support bearing surf aces and structural concrete from exceeding allowable temperatures in order to achieve a 40-y life expectancy. Short-term loss of component cooling to the support coolers is not expected to result in significant f ailures.
 ,                             Component cooling water is supplied to the two shutdown cooling heat exchangers during plant cooldown, cold shutdown, and post-LOCI cooldown.

j During normal operation, the shutdown heat exchangers are lined up to

cool the containment spray in the event of a CSAS. During shutdown cooling, two component cooling pumps and two component cooling heat '

 !                              exchangers are placed in service. For long-term cooling following a I                             LOCI, one pump and two heat exchangers are necessary to cool both j                              shutdown cooling heat exchangers.

1

 !                               In the event of a SIAS, the shutdown heat exchanger outlet control j                                 valves open automatically by a control signal to the solenoid valve.
 ;                              The shutdown cooling heat exchangers are then able to support l                              containment spray cooling and long-term cooling following a LOCI.

l The high-pressure safety injection (HPSI) pumps are supplied cooling water via the component cooling system. The HPSI pumps inject borated water into the RCS during a loss-of-reactor-coolant accident. Due to

 ;                               their safety f unction, these pumps have been designed to operate 2 h i                             without cooling. These centrifugal pumps require seal, bearing, and

{ stuffing box cooling for proper custained operation. l The low pressure safety injection 'LPSI) pumps also receive cooling t water via the component cooling water system. These pumps are also 1 designed to operate 2 h without cooling water. During normal operation. ) flow through the pumps is not required, but is maintained in preparation l for their sudden start. The LPSI pumps serve two purposes: 1 I l j 1

      . ~ _ _ _ _       . _ , _ _ - _ - _ . _ _ _ _ _ _ - - , - _ -     . . - , _ ~ _ _ _ . _          _~ _ , _ _      . __. _ _ . , -. __,         . _ . _         _

l 80

 -    inject large quantities of borated water into RCS during a LOCI.
 -    provide flow through the reactor core and shutdown cooling heat exchangers d'aring shutdown cooling.

Component cooling water also flows through the containment penetration coolers for the following penetrations:

 -    main steam,
 -     f eedwater ,
 -    steam generator blowdown.
  -   reactor coolant letdown, and
  -    reactor coolant sampling.

The purpose of these coolers is to reduce thermal stress on the contai nment . Complete loss of cooling will not result in any significant f ailure, but the concrete in the areas of the penetrations will be weakened. The reactor coolant waste evaporators and the miscellaneous waste evaporator require cooling wat er and represent a major load on the component cooling system when placed in operation. The primary cooling load for the waste evaporators is the concentrator condenser, which requires 1100 gpm of cooling water. During a LOCI, the CIS closes the waste evaporator supply isolation control valves, eliminating these major nonsafety loads. In the event of loss of component cooling, the operator should secure the evaporator to prevert damage and possible personnel inj ury. Component cooling water is supplied to the waste gas compressor when it cycles on. The purpose of these compressors is to compress gases collected in the surge tank for discharge to the gas decay tanks. Component cooling water is continuously supplied to the reactor coolant drain tank heat exchanger. Heat exchanger cooling is necessary to protect the reactor coolant drain tank from overheating and over press urization. B.10 SERVICE WATER SYSTEM The service water (SRW) system is designed to remove heat from turbine plant components, containment cooling units, the spent fuel pool, and emergency diesel generator heat exchangers. Heat is transferred from the SRW system to the salt water system via the SRW system heat exchangers. This section provides a description of the SRW system (for more information, see ref. 8). Figure B18 provides a functional block diagram of the SRW system. The SRW system functions as one system in the turbine building and as two subsystems in the auxiliary building. The two subsystems are required to function i' dependently to the degree necessary to assure safe shutdown of the plant in the event of a component f ailure. Each

81 f . .

                             .                                      I.

e.oi l 2 5 *5 y IS!a l

• b

                          *!'*                                      I                              b r- i a

V r--- ,,___f+_,  ! = g i f. f g - l f f 4 4 D ll;"l l.- *fI l;*5 \ - 5 si lisit

                                                                                  *\               R

f. 82 f.

lis2.ec 3a a-as a3 3a r= k\ 1 h lige -o

                                       .ewo -o 3o as                                      %\          ,

gw sa la t\ > I ;! :c

             == w                      :=    w                                            5 lI>=.                           >s.                                                 t\g    ;

o o I F.i J I

                                        '       +
                                                                                               \  $
              '                                                                                 I   .

I I

                                                                                                  =

a 1 - 1

               ,i    :       l             =                                  z                   =
                  ;.                                                                            i l--

5- r sj ' , I; ai I i n. is l

l s- i t i i 1 l

              ;              ;   I i                                                           i       i
                             ! l    !

l l L_______, m

                                                                                   ,         ,g i
                                                  ! .!:          ! !a       !!:

I I

                  ~

T A o

                                                                           -                    I 1                       I l

3

                                                                         '                      I f          .

h  !, I L > L________1_____J

82 subsystem includes a head tank, an electric-driven pump, and a heat exchanger. A third SRW pump is provided as backup and may be cross connected to supply either subsystem. The SRW system provides heat removal for the following components in the auxiliary building:

   -   two spent fuel pool cooling heat exchangers
   -   four containment air coolers
   -   three emergency diesel generators
   +   two SG blowdown recovery heat exchangers.

! Turbine building components receive cooling water through four air-operated isolation valves. These valves shut on a SIAS to reduce i the heat load and isolate nonsafety related equipment. The SRW system supplies cooling water to the following components in the turbine ' building: 1

   -   three circulating water system priming pumps
   -   four condenser vacuum pump seal water coolers
   +   three condensate booster pump seal water and lube oil coolers
   -   three air compressors and three af ter coolers
   . electrohydraulic power plant oil coolers j
   -   auxiliary feed pump room air conditioner condenser
    - main feed puoip lube oil coolers
   -   two turbine lube oil coolers
    -  four hydrogen coolers a   generator exciter air coolers
    -  two generator isolated phase bus duct coolers
    -  sampling system mechanical chillers
    -  nitrogen compressor.

l During normal plant operation, two of the three SRW system pumps are operating with the third pump in standby. The third pump is normally .I aligned to subsystem 12 and electrically powered from 4-kV bus 11. Both l SRW heat exchangers are used during normal plant operation. i During a LOCI, a SIAS will automatically start the primary SRW pumps if they are not already operating. If either fails to start, the standby pump will be started. A SIAS will also isolate service water flow to turbine building components, reducing nonessential system heat load. A CSAS will cause valves in the containment coolers to open, increasing SRW flow through the coolers. B.10.1 Components Service Water Head Tanks Two 2300-gal head tanks provide positive suction head for the SRW system. The head tank level is automatically maintained by a level control valve. l l l l

83 A level switch for each tank signals a solenoid valve to close, which permits the level control valve to open. Makeup water to the head tanks is supplied from the demineralized water system or the condensate system. Service Wcter Pumps and Motors Each of the three SRW pumps is driven by a 400-hp electric motor that rotates at 1185 rpm. Each pump is able to supply 7050 gpm at a 180-ft head. The pump seals are lubricated by controlled water leakage past the seals. Instrumentation is provided on each pump to detect bearing temperatures and excessive vibration. The normally operating pumps (11 and 12) take suction from the subsystem return header via a butterfly isolation valve. The pumps discharge service water through a check valve and isolation valve to the subsystem discharge header. The discharge headers contain temperature and pressure sensors that energize an alarm on low (<85 psig) pressure. The discharge headers supply water to service water heat exchangers and are connected to the chemical additive tank and the miscellaneous waste processing system. SRW pump 11 receives power from 4-kV bus 11, while pump 12 receives power from 4-kV bus 14 SRW pump 13 may receive power from bus 11 or 14, depending upon how its disconnect links are aligned. Kirk-key type interlocks prevent pump 13 from being energized from two buses simultaneously. SRW pumps 11 and 12 contain start and stop logic circuitry. Start cycle limitations are imposed on the pumps because of excessive heat generation in the windings caused by the starting circuit. Service Water Heat Exchangers Two service water heat exchangers transfer heat from the service water on the shell side to salt water on the tube side. Design temperature and pressure of the tube side of the heat exchanger are 200*F and 50 psi, v hile shell side parameters are 200 F and 175 psi. Actual operating conditions are substantially . lower. SRW temperature entering the shell side of the heat exchanger is 110*F and exit temperature is 95*F. Salt water temperature entering the tubes is 85'F and exit temperature is 95'F. Normal inlet temperature on the tube side will vary with seasonal temperatures. The design heat load on each heat exchanger is 105 x 10' Btu /h, and 120 x 10' Btu /h during a LOCI. The salt water outlet of each heat exchanger has a temperature indicator which annunciates in the Control Room if the temperature reaches 95'F. The heat exchangers were designed based on maximum salt water flow, and the salt water flow should be at maximum prior to admission of service

84 water to the shell. During shutdown operation, salt water flow -"a"' d be continued until the SRW pumps have been stopped. Care should be exercised during startup of a heat exchanger to assure that it is properly vented; an air-free system must be maintained to ensure proper , system operation. Periodic monitoring of heat exchanger temperature and pressure is necessary to assure proper operation. Chemical Additive Tank The SRW system is designed to permit addition of chemicals and discharge of service water should it become contaminated. In order to minimize I corrosion in tne system, hydrazine may be added to the system. A 75-gal chemical addition tank is included in the system to provide dissolution of chemicals into the system. Differential pressure across the SRW pump provides the driving head for chemical injection. Should the service water system become contaminated with radioactivity, provisions are incorporated in the design to permit discharge of contaminated water to the miscellaneous waste processing system. Contamination is reduced by dilution of the system with water from the demineralized water system. Valve SRW-305 may be opened to permit discharge of service water to the miscellaneous waste processing system. B.10.2 Auxiliary Building Loads The SRW system is divided into two subsystems in the auxiliary building in order to meet the single-failure design criteria. Auxiliary building heat loads are safety-related with the exception of the blowdown j recovery heat exchanger, i Spent Fuel Pool Cooling Heat Exchangers Two spent fuel pool cooling heat exchangers maintain the pool temperature below the design limit. These heat exchangers are horizontal, counterflow type with a SRW inlet temperature of 95'F and an outlet temperature of 106.5'F. Heat exchanger 11 is supplied service water from Unit 1 subsystem 12 header, while exchanger 12 is supplied by a Unit 2 subsystem header. Service water is supplied to the shell side of the heat exchanger and pool water is supplied to the tubes. Upon receipt of a CSAS, the inlet and outlet control valves automatically close in order to provide maximum flow to the containment coolers. These valves are designed to fail shut upon loss of control power or loss of pneumatic supply. The return line from the heat exchanger is monitored for radioactivity, and readings in excess of 1000 counts / min are alarmed in the Control Room. An alarm would be indicative of a heat exchanger tube f ailure with f ailed fuel in the pool. l I I l

l l l 85 Containment Coolers l Four containment coolers are provided in each unit to remove heat from i the containment during normal operation and also in the event of a LOCI. ! Containment coolers 11 and 12 are normally supplied by SRW subsystem 11, l with coolers 13 and 14 supplied by subsystem 12. However, manual valves are in place to permit the supply of any cooler by either header. The supply line to each cooler has an air-operateo, normally open stop valve. These valves are designed to fail in the open position. The return line from each cooler contains two air-operated stop valves piped in parallel. One valve located on a 4-in. line is used for normal operation cooling requirements. The parallel line is 8 in, diam, and its valve is automatically opened upon receipt of a CSAS. A third parallel, manually operated valve is also provided to permit flow should the 8-in, valve f ail following a CS AS. During normal operation, less than four coolers are operatin8 to remove containment heat. The fourth cooler usually serves as a spare with its inlet valve open and outlet valve shut. Depending on weather conditions, the fourth cooler may be valved into operation. Each containment cooler has a normal flow of 550 gpm with a heat removal capability of 2.2 x 10' Btu /h. During a LOCI the water flow is increased to 2000 gpm by the opening of the parallel 8-in. valve, which boosts the heat removal capability to 95 x 10' Btu /h. Emergency Diesel Generator Three emergency diesel generators are supplied service water for cooling of the heat exchangers for lube oil, diesel Jacket water, and ciesel air subsystems. Service water flows through the tubes of all three exchangers. Diesel generator 11 receives service water from Unit 1 subsystem 11, while Unit 2 SRW subsystem 22 supplies diesel 21. Diesel 12 may receive service water from either Unit 1 subsystem 12 or Unit 2 subsystem 21. Pressure-sensing valves, located in the supply and return line of each subsystem, sense subsystem pressure and the position of the alternate supply and return sensing valves. If any deviation in normal operation of the primary subsystem is detected, the pressure-sensing valves shut and the alternate set of pressure-sensing valves open automatically. These valves fail open upon less of instrument air. l I Additional redundancy is provided by cross-connects in the service water l system design. Diesel generator 12 can also receive service water from ) Unit 1 subsystem 11 by opening two manual valves. Unit 2 subsystem 22 may also supply diesel 12 by opening two other manual valves. The same sets of cross-connects may be used to supply diesel 21 from Unit 1 subsystem 12, and diesel 11 from Unit 2 subsystem 21. l l

c__ 86 Service water is supplied to each diesel generator through an air-operated cooling water supply valve. These valves automatically open upon receipt of a signal from the diesel jacket coolant pump speed switch. These valves, once opened, are modulated by a differential pressure controller that maintains 5 to 7 paid across the three diesel generator heat exchangers. Blowdown Recovery Heat Exchanger The SRW system supplies cooling to two blowdown recovery heat exchangers, one located in each plant. There are two blowdown recovery heat exchangers in series; one is cooled by condensate and the other by service water. The service water flows through the tube side with a design pressure and temperature of 350 psig and 200"F. Service water enters the heat exchanger through manually operated valves. Service water temperature and pressure are indicated locally on the discharge side of the heat exchanger. Overpressure protection is provided by relief valves on both the shell and tube sides of the heat exchanger. B.10. 3 Turbine Building Loads The turbine building components receive service water through air-operated valves SRW 1600-CV, 1637,1638, and 1639. These valves are automatically shut on a SIAS to permit additional flow to the containment coolers. Circulating Water System Primary Pumps Service water is supplied to the priming pump seal water coolers through manually operated inlet and outlet valves. Two of the three priming pumps are normally in automatic operation with service water flowing to the seal water coolers. Standby pump cooler inlet and outlet valves are closed, and outlet valves on the operating coolers are throttled to maintain optimum outlet temperature. Condenser Vacuum Pump Seal Water Coolers Service water is supplied to four condenser vacuum pump seal water coolers through a pressure regulating valve, CV-1627. This va?ve is maintaired at 80 psig by a pressure-indicating controller. During normal operation service water is supplied to three pump coolers, although only two of the pumps are operating. The standby pump is ready for automatic starting if needed. The fourth pump is isolated with its SRW inlet and outlet valves closed. The outlet valves for the pump seal water coolerr. are throttled to maintain the optimum temperature for pump operation.

    .~   . _ _ - .             .--     -     -  . .-                  . . .   .-                  .              .

87 Condensate Booster Pump Lube Oil and Seal Water Coolers Service water is supplied to condensate booster pumps for both lube oil and seal water cooling. Service water is supplied to the lube oil coolers via manually operated inlet and outlet valves. Temperature co.. trol valves on the service water outlet of the lube oil coolers t maintain the temperature between 110 and 120'F. Two seal water coolers are provided for each condensate booster pump, one for each end seal. Compressed Air System

Each Calvert Cliffs unit has a compressed air system that includes two i

instrument air compressors, one plant air compressor, and three af ter coolers . Service water pressure to these components is regulated 1 at 55 psig by pressure control valve SRW-1628-PCV. Flow to each component is directed through a solenoid-operated supply valve. These valves open automatically on a signal from the compressor motor controller. Service water flow through the compressor cooling jacket is automatically adj usted by a temperature control valve to maintain the outlet water temperature at 110*F. The af tercooler valve is manually throttled to maintain the outlet temperature within 15'F of the inlet temperat ure. Eight pressure relief valves provide overpressure protection for the compressors and aftercoolers. Teraperatura indication is also provided 1 for the three components including the inlet of each compressor and the outlet of each compressor and aftercooler. Auto vent valves are installed to prevent an air-to-water leak, which would air bind the 3 SRW system.

 ;                       Electrohydraulic Control System 011 Coolers 4

{ The SRW system supplies cooling water to two electrohydraulic oil j coolers. Each cooler has temperature indication as well as

 !                       overpressurization protection. Service water flow through the coolers is modulated by control valve SRW-1628-CV on the supply header. This control valve is   positioned by a temperature-indicating controller to i                        maintain the oil   temperature between 110 and 115'F. During normal plant operations, only   one cooler is necessary to cool the heat load from the
 ,                       electrohydraulic   control system.

Auxiliary Feed Pump Room Air Conditioner Condenser j' Service water is supplied to the auxiliary feedwater pump room air conditioner condenser to remove heat. Flow to the condenser is

 !                        regulated by a pressure control valve, and two manually operated valves are provided for isolation of the condenser.

__m ._ J 88 c Main Feed Pump Lube Oil Coolers

! Service water is supplied to the main feed pump lube oil coolers, which are located next to the feed pump lube oil reservoir. A temperature-indicating controller maintains the lube oil temperature between.120 and 130*F. Each cooler has temperature indication and pressure relief protection.                                                  .

l Turbine Lube Oil Coolers Each unit contains one turbine lube oil cooler, which is supplied flow l from the SRW system at 2000 gpm. A control valve automatically adjusts the flow of service water to maintain the lube oil reservoir temperature

between 120 and 130*F. A temperature-indicating controller positions the service water control valve.

Generator Hydrogen Coolers Service water is supplied to four generator hydrogen coolers located on top of and inside the unit generator casings. The service water manually operated inlet and outlet valves are normally open. The hydrogen temperature is regulated by a temperature-indicating controller, which modulates the control valve (CV-1608) on the service water outlet of the cooler. The temperature-indicating controller maintains the hydrogen cooler outlet temperature between 80 and 114*F. Generator -Stator Liquid Cooler Service water is also used to remove heat from the generator stator.

. Two stator liquid coolers are provided on Unit 1, and during normal operation service water is supplied to both. Constant service water flow is maintained and temperature control is determined to be unnecess ary. Pressure and temperature indication is provided on the cooler outlet side; overpressure protection is provided by a relief valve set at 150 psi.

! Generator Exciter Air Coolers i Service water is used for heat removal from the generator exciter air cooler located inside the generator housing. The temperature is regulated by modulating a control valve on the outlet side of the cooler. A temperature-indicating controller maintains the temperature between 120 and 130*F. Generator Isolated Phase Bus Duct Coolers Two generator isolated phase bus duct coolers are cooled by service water. The coolers are located inside a housing on each end of the turbine building. Circulating fans move air over the coolers to transfer heat from the generator buses. The inlet and outlet isolation

89 valves are normally in the open position. Two control valves open to admit service water flow through the coolers when the circulating fans are energized. The valves are not throttled because temperature control is unnecessary. Turbine Plant Sampling System Coolers Service water is supplied to the mechanical chillers used to cool the isothermal bath heat exchangers. The chiller inlet valve is normally open, and the manually operated outlet valve is used to throttle the service water flow. No temperature limits have been established for the service water flow. Nitrogen Compressor Cooler Service water is used for heat removal from the nitrogen compressor interstage and aftercooler. Service water inlet pressure is maintained at 55 psig by a pressure control valve. No specific temperature limits have been established, but the outlet valve is throttled to maintain the temperature of the compressor warm to the touch. B.11 SALT WATER COOLING SYSTEM The purpose of the salt water system is to transfer heat from various turbine and reactor plant components to Chesapeake Bay. It also supplies cooling water to the circulating water pump seals, the condenser tube bulleting system, and the water jet exhauster. This section is a brief description of the salt water system abstracted from ref. 9. Figure B19 is a schematic diagram of the salt water system. B.11.1 System Components The salt water system consists of three pumps and the necessary piping for distribution of the bay water to the proper components and its return to the discharge conduit. There are two supply headers,11 and

12. Supply header 11 may be used as an emergency discharge header in the event of a rupture downstream of the emergency core cooling system pump room air coolers, component cooling, or service water heat exchangers. Header 11 can be supplied by salt water pumps 11 or 13; header 12 can be supplied by salt water pumps 12 or 13 Power to the salt water pump motors comes from the plant 4160-V bus.

Salt water pump motor 11 receives power from 4-kV bus 11 and salt water pump motor 12 receives power from 4-kV bus 14 Pump 13 can receive its power from either bus 11 or 14 using key-operated disconnect links located in the switchgear rooms. Pumps 11 and 12 will automatically start on a SIAS or SDS signal if their control switches are in the " auto" position. Pump 13 starts only I 1

90 l: ()4-I .1 0 -1

                                                       }i                                             Q"             . - - -                        . - ,

it . J. .

         !                               .-  - - - - g - --g p                                             .
      @__                           O p.s     ..

h ,- p' S i p 5 _r .v. .g * < e . - eva. -

                    . . . . . . . . . . . .~.~.=.
                                                                        . . .      .              f.* :                             , ,   .

Wp4..q. .' e- 3@

.J i

                                                                                                                                                      '3
                                                                #:                             -p             -[.                   -'

y)g-{.,h G p ' 0 ., t 9

                .                                                                                         e o :                                                       ,                           +, - '                                                  ,..                          _

g .

                                                                        . -/

pld.. ' gL I &e Ls. e*t.-an . . ___ e - ..

• we' <:"'" '

f r:

                                                                                         ,..,                                                 N                                                          5                            g F I ':

6 ,.

                                                                                                                                                         ,,                 q)p ' {. ..  . . :.: .. .                                 o 3h. .                                 o ih
           '                                                             i     : btM .                                                                                                        '
                                                                                                                                                                                              .      j.                               W 11rijf i i

b! (' ) b! I __ b - G- * - e A y

           '. j ly                          -
           .                                                               i            .

a

                                                                                                                 . d , ,, (' 7 l-!u 8

1..1 i . .: o

                                                                            ,                                                                    .                b;"-         '-

y- c I ---- - - - < ' dg4 i  : , ~@. j

                                                                                                                                                 .. . . . .' Q )

i........._... .. m.,

                                           $ 1---                                                                        ..................p;j....

r-- [)) I. i o

. . . . . .. . . . , . . . . . . . . . , O .-O - ,t -

4.,5g

                                                                                     .                                  .- .                                                                                                           to
                                                                                ?

5N ^ L h d A  ; _ E .;_

                                                                                                               ' OLh,                '

is ]- - - - -@

                                  ,   }                  CI                  '!"                               ,,
                                                                                                               ' . ,. [ g q

II ,,I] 7 . - 3 n%

                                                                                                                                       )f1.3(                                                                                 ;.       m
                                                                                                               -;1 )

8 I

                                                                                                             .      .,                                   .e                                                                             m l.

{ .A.m . 04.m! l t, [ , g .A. .- fm> - - O; a i I . I- . f( [ T J ll

1 l 'i ] I, il e* i J T_3]  ! _

I ll1 iG u.......... .......a, .;

                             .                                                                                                                                 I (e

s)I - Ll l) i ci 5u. il ; ii  ! _.a l _ k

                                                                                                                                                                        , ,                                           t.
                                                                                                                                                                                                                              .~._  }

91 if the other pump motor, which is connected to the same bus, fails ! to start within 1 s of receiving the start signal. The motor on pump 13 is interlocked so that it can not be energized from two different buses at the same time. Each unit at Calvert Cliffs has three pumps, each able to supply 15,500 gpm at 68 ft head. Each pump is a single-stage centrifugal unit driven by a 450-hp electric motor. Salt water demand during power operation is 31,000 gpm, requiring operation of both pumps. Following a LOCI, one salt water pump is sufficient to supply the cooling water requirements of a unit. B.11.2 System Loads Circulating Water Pump Seals The circulating water pump seals are supplied filtered salt water from either pump header 11 or 12. This seal water is maintained at 12 to 15 psig with a flow rate of 3 to 6 gpm by a pressure control valve. A low-pressure alarm annunciates on a control room panel when the pressure drops to 11 psig. Condenser Tube Bulleting System The tube bulleting system is supplied by salt water supply header 12 via the salt water booster pump. The salt water booster pump is used to raise the header pressure from 40 to 200 psig to facilitate tube bulleting. This is the only place at which th'e two Calvert Cliffs units can be cross-connected. The tube bulleting system normally is shut down and its salt water supply valve from No.12 salt water supply header is shut. Circulating Water Pump Room Air Coolers Six air coolers are used to remove the heat produced by operation of the circulating water pump motors. These coolers are supplied by salt water supply header 12 only. These coolers are isolated by closing two motor operated valves upon receipt of a SIAS. Flow at the outlet of the coolers is mechanically adjusted and set at startup. Water Jet Exhauster The jet exhauster is supplied salt water to provide startup of the j screen wash system. Once a screen wash pump is running and the screen wash header is pressurized, it alone can facilitate priming of the other screen wash pumps. Upon a SIAS, the water jet exhauster salt water supply will be shut off.

92 Component Cooling Heat Exchangers No.11 component cooling heat exchanger is supplied salt water from salt water supply header 11, while heat exchanger 12 is supplied from header 12. The salt water supply inlet and outlet control valves are opened and shut by the same hand switch. A SIAS closes both valves so that maximum cooling can be supplied to the containment coolers. Both control valves are reopened upon a RAS to provide cooling of the containment spray. ECCS Pump Room Air Cooler Pump room air coolers 11 and 12 are supplied by salt water headers 11 and 12 respectively. Two remotely operated control valves are associated with ECCS pump room air cooler No.11. Both valves can be opened by the same hand switch, or both valves are opened when the cooler f ans receive a start signal from a local temperature switch. Service Water Heat Exchangers Service water heat exchangers 11 and 12 are supplied by salt water headers 11 and 12 respectively. Each heat exchanger has two remotely operated control valves, one each for the inlet and the outlet. A hand indicating controller enables throttling of the outlet control valve for control of SRW system temperature. B.12 CALVERT CLIFFS AC ELECTRICAL DISTRIBUTION SYSTEM B.12.1 500-kV System The following description applies to Calvert Cliffs-1, but because Units 1 and 2 are electrically interconnected, much of the description includes Unit 2 equipment. The system description begins with the 500-kV switchyard and includes each voltage level down to the 120-V ac instrument buses. The 500-kV switchyard is designed to be the interconnection point between the plant electrical distribution system and the bulk power transmission system. (Refer to Fig. B20 for the following description.) Electric power is supplied from the power grid system to the switchyard by two physically independent transmission lines (5051 and 5052) . Two physically independent circuits supply electric power from the switchyard to the on'aite electrical distribution system through the two 500-kV/13.8-kV plant service transformers (P-13000-1 and P-13000-2) . The main generators feed electrical power generated at 25 kV and 22 kV for Units 1 and 2, respectively, through the unit transformers (U-25000 and U-22000) to the 500-kV switchyard.

a - a 93

                                                                = ,x g                                                                 -

4 I U- k a s N

                                                                                                                                     -n g V

e

                                                                                            't ~u r                        y un
                                                                                              @w p                    en me 08                   -3                  O         A

\ 4

= ---e e- g p &

                                     ~ ~

{g;m - "

                                                                                                                                     +

4 o 1 n 2 . e-- J n tL

                                                                                                                              .--s           v g

4 S h g W _- , D D y- A $ !- , " , t d _R *z g % og

                          =

M z

                                            =                g w      ]*            wi' 5%              *tt            P-e-s e n       ' t. Y M     -                '~

M w == OB ^ yG A*[: , > t. g 9 - O a g e x 8 .: -

                   >                        m                 -

p T 4 E 5< -

             = gA 4 7 '4 T g ~8
             =                              3                                      $                                                                  5 3

T, ^ a wd n o $ I -O d

                                                                                                        ~                                               ,

R T i< <. ^ 3 o 3 1 2 $ P. e 2 g h y"s h *F '*A '

                                                                                   '                   m
                                                              }Y w-                                                                                                                                        u 2m O

w a - .}$ E

             .i g                                                                                       e                              ^        s.

p .- *- m

                  /                                                                                                                              **

a O D

                                                                                                                                       ^

o ,

                                                                                                                                   -  m*         A
                                   %                                                          n                                                  g w:s
                                                                                             " * ~
                                                                                                = <-                 .;
                                                                                                                         ~

h , a e 5 e -4~%. C e :s 4 e 's

                                                                                                                                   -   , e         ..

e A .

                                                                                                 %)                                                                 I M

l 1 1

94 The 500-kV switchyard normally operates with all breakers closed. Opening and closing the breakers can be accomplished locally in the switchyard control house or remotely from the plant main control room. The circuit breakers have dual trip coils on septrate isolated de control circuits and breaker f ailure relays to t[1p adjacent breakers. The 125-V de control power is supplied from two 59-cell batteries located in the switchyard. Each can supply the switchyard de power requirements for 8 h without recharging. Two battery chargers (powered from 4-kV ESF buses 11 and 21) keep the batteries fully charged and supply the 125-V de power requirements under normal conditions. B.12.2 13.8-kV System The plant (Units 1 and 2) 13.8-kV distribution system (Fig. B20) consists of two 500-kV/13.8-kV plant service transformers (P-13000-1 and P-13000-2); five service buses (11, 12, 21 , 22, and 23); eight reactor coolant pump buses (11 P,12P, 13P,14P, 21 P, 22P, 23P, and 24P); and one 13.8-kV line from Southern Maryland Electric Cooperative (SMECO). Service buses 12 and 22 supply power to the reactor coolant pump buses, and service buses 11 and 21 supply power to the 4160-V distribution system through the six 13.8-kV/4.16-kV service transformers (U-4000-11,

 -12, -13, -21. -22, and -23). Service bus 23 receives power from the SMECO 13.8-kV line and can be used to supply either bus 11 or 21 to supply the power necessary to maintain both units in a safe shutdown condition in the event normal off-site power fails.

The 13.8-kV unit switchgear for the service buses is metal clad with removable air circuit breakers designed for outdoor installation. Relay protection, ground connections, and structural safeguards are provided to assure adequate personnel protection and to prevent or mitigate equipment damage during system fault conditions. Dc control power is required for remote control and for operation of the protective relays of the 13 8-kV circuit breakers. Operation of all 13.8-kV equipment is effected and monitored in the control room. During normal operation both plant service transformers are energized and share the total plant load. The capacities of the two plant service transformers and associated switchgear and cable are such that either one of the transformers can supply tne total auxiliary load of both units but not the normal operating load of both units. All ! reactor coolant pump motors (RCPs) for Unit 1 are fed from service transformer P-13000-1 and tSe RCPs for Unit 2 from service transformer ! P-13000-2. I B.12.3 4160-V System The 4160-V distribution system (Fig. B21) is designed to supply power during normal and accident conditions. The system will supply power '; l the 4160-V auxiliary loads from the 13.8-kV system through the six unit service transformers to twelve 4160-V buses (11,12, 13, 14, 15, 16, 21,

g 2 u --

                                                                                                                       )

i I 96 4 S M  ? m n y ,

                                         -      e- A d G-e QN u                                                   &--    u
   %                                               V          %

D < , Q w -4~%

                                                   =n                              %

n nN n a m e

                                             ^     $*"

w l

e 4 .

                                                   ^                               M    8 w-&                                    n     a 0 "

03 n $ e - ,, - u a v) a, m) * .

                                             ;,,~                                     -

n A IW-, a. e e-e - 2 V W . 4 te m h6 m-M o A IA

                                                                                   ~

e ca

                                                   =-                        n
                                                                                    =
                                                                                    =

D ^ m E

      ..        k M
                <                         s         8:& -

s V y I m

      'a d       5

n. ,--,,-,--nn,- - -- - - ,- ,,. - - - - - - -- - ,,

96 22, 23, 24, 25, and 26)--six per unit. Two of the 4160-V buses for each unit (11 and 14 for Unit 1, 21 and 24 for Unit 2) supply power to the engineered safety features (ESF). The two ESF buses in each unit feed identical and redundant ESF equipment, and can be supplied from separate emergency diesel generators (DG-11, 12 or 21 ) . The 4160-V buses are metal-clad switchgear assemblies with draw-out air circuit breakers. Relay protection, ground connections, and structural safeguards are provided to assure adequate personnel protection and to prevent or mitigate equipment damage during system fault conditions. l l Dc control power is required for remote control and operation of the protective relays for the 4160-V circuit breakers. With loss of de control power, the breaker cannot be operated remotely and all relay protective f unctions are inoperable, but the breaker can be tripped by manually pushing the trip lever located on the breaker. The breaker can be closed manually by pushbutton on the breaker when the closing spring is fully charged, but because the treaker trip relays would not be operable an operator would be very cautious about closing the breaker without de power. With the exception of the non-Class 1E feeder to the south service building, all 4160-V feeder breakers can be operated from the control room. Normally the feeders to-buses 11, 12, and 13 are from unit service transformer U-4000-11; bus 14 from U-4000-21; bus 21 from U-4000-12; buses 22, 23, and 24 from U-4000-22; buses 15 and 16 from U-4000-13; and buses 25 and 26 from U-4000-23 However, each bus has an alternate source for use when the normal source is not available. All bus transfers from normal feeders to alternate feeders and return transf ers are manual. The only automatic transfer is from off-site power to diesel generators af ter off-site power has failed. The plant power system includes diesel generators (Fig. B22) that supply power to essentia l ESF equipment and to selected non-class 1E loads if the normal power upply is not available. The emergency power sources consist of threr 4160-V, 3-phase, 60-Hz diesel generators rated at 2500-kW each. 1 one of the three diesel generators should fail to start or carry che load, the remaining two diesels have the capacity to power the required loads. The diesel generators are started automatically by either a bus under-voltage or a SI AS; however, in the latter case, actual transfer to the bus is not made until the preferred source of power is lost. There are three control circuits, one for each of the diesel generators. During normal conditions with all three diesel generator units available, DG-11 is preselected to power bus 11, DG-21 is preselected to power bus 24, and DG-12 is set up to power bus 14 or 21. Preselection of a diesel generator to power a given 4160-V bus is accomplished by closing the disconnect to the selected bus. The disconnects are key interlocked to prevent simultaneously connecting two i i

97 LG//

                                                          % 21 il ll      \0c)     LL21                      g;            yaz           \        t12
                                                         %J l
                '5 C 545 3" 'y              8Qs f           ac:     Bus yi - t Bits
                                                                                                     ) .,
                             )ad, #(                 )*b       d6 (           ' } gy *'( '            ' }fg R21 3

tell ,g niz azz 3 DC,12 Fig. B22. Emergency power (ESF) 4.16 kV bus. l l l l l l

c-- . 98 diesels to a single bus or simultaneously closing more than one disconnect of a single diesel generator, except DC-12 where closure of the disconnects for bus 14 and 21 is permitted. The 480-V ac system (Fig. B23) consists of single-ended and double-ended unit load centers each supplied from a separate 4160/480-V unit service transf ormer . Four of the 480-V unit load centers for each unit (11A, 11B,14 A, and 14B for Unit 1; 21 A, 21B, 24A and 24B for Unit 2) supply power to ESFs. B.12.4 480-V System The 480-V unit load centers consist of metal-clad switchgear with draw-out air circuit breakers. The motor control centers (MCCs) fed by the 480-V unit buses are metal enclosed with removable breaker and starter combination modules. Relay protection, ground connections, and structural safeguards are provided to assure adequate personnel protection and to prevent or mitigate equipment damage during system fault conditions. The 480-V loads are protected by the amptector solid state trip device that receives its actuating energy from the sensors and supplies a pulse of tripping current to a direct trip device. These devices do not require de power to trip the breaker on a fault condition. However, the 480-V breakers that can be operated remotely require de for remote operation. The 480-V buses of particular interest to this program are reactor MCC 104R and reactor MCC 114R. These two MCCs power the 120-V ac instrument buses and also power the pressurizer PORVs and the pressurizer PORV isolation valves. MCC 104R is in Class 1E division ZB, and PCC 114R is in Class 1E division ZA. MCC 104R supplies instrument bus 1Y10 and MCC 114R supplies instrument bus 1YO9. B .12. 5 250-V de Emergency Pump System The 250-V de emergency pump system is designed to supply power to the backup lube oil and seal oil pumps in case of loss of auxiliary ac power or f ailure of the normal ac pumps. The 250-V de emergency pump system consists of one 250-V bus , one battery, and two battery chargers. One battery charger is powered from 480-V unit bus 11 A and the other from 480-V unit bus 21 A. The 250-V de emergency pump system is incapable of continually supplying all connected loads. It can power the largest connected load when operating in the designed state. It does have the capacity for orderly shut down of the main and f eedwater turbines without ac power. Failure of the system to provide emergency lubricating and seal oil could result in turbine damage, which affects the regulating system response only if the main feedwater pumps are required for shutdown heat removal.

                                                                            - .                                   na--__                    wa s                    P                     $          %

3 W R .N

                +x=5                                                   g P.                               %

R =

                                                ,                      <        n    3 i'                     S                                                              v1 va                                               s c<                              s
                                                                                   .N e
                                                                        <            =

• P  % &

k ^ 31 5 J v= , < n s

                                                                         ?;         .D                                                                                                                                   :
;                               g                                        <
                                                                                                                         $$                  e
                                                                                                                                                         !

• i

[ All -{ ~ j u h i, m

                                                                                                                                                            --* e-                                               8 m                     <       n a
                                                                                      ~                                                                                                   w s                      m h%                                                                                              d 4                                                                                     E XS                                                                                               al .5               m           $           !"L 44                        c                     <      n      $                                 W%                              &

g  % 3 c

                                                   <S &                          ~     8 gw                                                          vi v5 ,<                                               n      .

2 4

                                                    #                     4      n     &
                                                                                      ,4 "

kN v4 <. <4 s s-l c $ n R 2

                                                                                        ~

h; ' va e + g { 1

1 100 B.12.6 125-V de I&C System The 125-V de and 120-V vital ac systems (Fig. B24) for the plant are divided into four independent, isolated channels. Each channel consists of one battery, two fully rated battery chargers, one de bus, multiple de unit control panels, and two inverters. Each inverter has an associated vital ac distribution panelboard. Power to the de bus, de unit control panels, and inverters is supplied by the station batteries or one or both fully rated battery chargers. One battery charger for each bus is supplied from an MCC in Unit 1 and the second charger from MCC in Unit 2. The sources of 125-V de control power for the various distribution buses are listed in Table B3 A reserve 125-V de system for the plant is completely independent and isolated from all four channels, yet is capable of replacing any of the 125-V batteries. This system consists of one battery, one battery charger, and associated de switching equipment. The 120-V vital ac system provided for each unit has four separate distribution panelboards that provide power to the four reactor protection system channels and the four ESFAS channels. Each panelboard is supplied by an inverter with its own dc feeder from a separate battery and can be manually switched from the inverter to a 120-V ac back-up bus (one for Unit 1 and one for Unit 2) fed from an ESE MCC through a regulating transf ormer. Interlocks are provided on each inverter manual transfer switch to ensure that each back-up bus will have no more than one vital bus connected to it. Vital buses 1Y01 and 1Y02 provide power to some of the reactor regulating systens in Unit 1. These control systems and their power sources are identified in Appendix D.8' B.12.7 120-V ac Instrument Power The 208-120-V ac instrument system is designed to furnish power to all plant instruments other than those supplied from the de and vital ac systems. The ac instrument system for each unit is divided into two panelboard sections, 1YO9 and 1Y10, each supplied by a single three-phase transf ormer connected to an ESF MCC. The two instrument panelboards are connected through two normally open disconnects. The control systems powered by these instrument buses are identified in Appendix D. B.13 INSTRUMENT AIR SYSTEM The purpose of the instrument air (IA) system is to provide dry, oil-free air as needed throughout the plant for pneumatic valves, instruments , and controls.

L'1 --k

• a -. --m,m- a _ _

l 101

                                                                                                                                                                                     .-_             t
                                                                                                                                                                                                     ~

l g

                                                        ~

N4 3 +1 v k i ag } '

                                                             ~

s-C - , F !!Ls% - t t s LMg k

                     }, *                 (                      s-c                                 ,
                                                                                                                                                                                                     =
                                                                 % -C                                                                        M *"                                                    1 m

l s -O- m c I g $ F -_ _ kW -

                                                                                                                        $                          ~

g S ' N - ns T ,_$. s-c s-o- g -w

                                                                                                                                                                                     -- S UN                    1 k

E A Y - e t >~ -

                                                                                                                        -                       x-Lu        >w e                                                                     l 8         D y
                                                                                                                                               -a s-s-D 4           e

p. g .>

                                          <             ta       w EN                   l                      %                                                                                                                  ~"~

g S f X

                                            -                                                        r                                                                               _g                   a h                                                                        hD                                          '%     %                             N         ~N 6               %   >

g

                                                                                                                                                              >g                                     9   o
                                                                                                                                                                                                         ~

_ y

• T ha

                                                                                                                                                                                                     =   a.
                                '                                                                  3 ud4                                          T           % --O - %                                4    o

[ , n 2g "

                                                           .                                                                                                                                             n E.

l 1

                     @y Q M
                                            }        -O-g-O--                    (    -     (e    ga   -

n= y $

                                                                                                                                                                                                     ~

J g " is  % i

                                                                                                                                               -aw-           N-o-                       h           >c  2
                                                                                                                                                          ~

i s.

                                                                                                     ~~

A l m-u - y >- - s-  :,. A g <  %  %-O- N --; kN N - g ( m f BWEEND a e E.  :! h s-c > _

                                                                                                   .m l
                                                                                                            's   _       :             l         w-          -                                       '

4W  ;; g _c J ' D - h:3 l l a 3 4 mu N-O C e=g J r

4 i 102 )' Table B3 125-v de breaker control panel.

,                                 13.8-kV Distribution System l

i Bus 11 0C11-14 DCl2-3 Bus 21 DC25-14 DC26-3 12 DCl2-4 DC13-14 22 DC 26-4 DC27-4 f 11P DCll-13 DCl2-1 23 DC 26-12 } 12P DCl2-2 DC13-13 21P DC21-3 DC22-1 13P DC15-3 DC16-1 22P DC 22-2 DC23-24 { 14P DC16-2 DC17-20 23P DC25-13 DC26-1 i 24P DC26-2 DC27-13 I ! 4.16-kV Distribution System B m 11 0C11-15 DC12-5 Bus 21 DC12-13 DC22-13 ALT DC21-15 12 0C11-16 DCl2-6 22 DC21-16 DC22-4 13 DC15-15 DC16-3 23 DC 25-15 DC 26-5 j 14 DC15-16 DC26-14 ALT DC16-4 24 DC25-16 DC26-6 15 DCl2-7 DCl3-15 25 DC25-23 DC26-13 16 DC12-14 DCl3-16 26 DC25-24 DC26-7 j 480-V Distribution System i ! Bus 11 A DCll-17 DC12-9 Bus 21A DC21-17 DC22-7 l 11B 0C12-10 DCl3-17 21B DC 22-8 DC23-17 12A DCll-18 DC12-11 22A DC21-18 DC22-9 12 8 DC12-12 DC13-18 22B DC22-10 DC23-19 13A DC15-17 DC16-6 23A DC25-17 DC26-8 13B DC16-8 DC17-17 238 DC 26-9 DC27-17 i 14A DC15-18 DC16-7 24A DC25-18 DC26-10 4 14B DC16-9 DC17-18 248 DC26-11 DC27-18 l 15 DCll-19 DCl2-8 25 DC21-19 DC22-6 i 4 l l i j Each nuclear unit at Calvert Cliffs has a compressed air system that i supplies both instrument and plant air for that unit. The compressed air system for each unit can be divided into four components: IA supply, plant air supply (which also serves as the backup supply for IA). IA distribution network, and plant air distribution network. The plant air portion of the compressed air system is of no interest to this study and will not be considered further except as it serves to oack up the IA system. Instrument Air Supply Figure B25 shows the major components of the IA supply for Calvert Cliffs Unit 1. (The discussion in this report is for Unit 1; however, the Unit 2 IA system is almost identical to Unit 1.) On Fig. B25, l

     'N.

103 SRW SUPPLY SRW SUPPLY F U 1r l' AFTERCOOLEF_ AND Al O gO 21

                                       --->        MOISTURE SEPARATOR                                NO 1 4                     f NO 111211 l                   U SRW RETURN u

SRW RETURN X SRW SUPPLY SRW SUPPLY l d k y Y AFTERCOOLER AND ' AIR COMPRESSOR W

                                       --->        MOISTURE SEPARATOR O1     i                                                      N N O.12t22) l'                               l' INSTRUMENT AIR SYSTEM SRW RETURN                        SRW RETURN                                                                          3 I PA 2061 A N q

q; I PLANT AIR SYSTEM i I I L_ ___ SRW SUPPLY SRW SUPPLY -__-_ I u u

         !        ^'" C    "
                       ,o,","',   SS "
                                       -->        MOER!$UPARATOR NO 11(21)

W ^'"N O.11 )

                                                                                                                "                             <Q_,,                 PR n

i'

                                                              +

SRW RETURN SRW RETURN LJ _ PRI Vm" No I l Fig. B25. Compressed air

 -~,

l M  ! l'I'il$ -C>G+ 'O Oli " m I

                                    -c<:          ><                                                                                                                         1 y       hI                                                                                            ?

TO lA LOADS OUTSIDE

                                                                                                                                                                             ]

l 1r 3r CONTAINMENT AFTE R FILTER AFT ERFILTE R NO.11121) NO.12t221 l

                                    -t><:         ><                                                                                                                         l f                TO CONTAINMENT INSTRUMENT AIR                            1A 2080            IA-2085 service HEADER

_ _ _._____ _ _ _ _ _ _ _ _ q I

';M  ,    -c>o-                                    PmN, A,R SERVICE HEADER g                                                                           TO CONTAINMENT
                                                           ?

A OADS PA 2059 PA 2026 FILTEa gj 1024) 77 TO:FROM TO PA LOAD'

                                                                                                               ?      OUTSIDE UNIT 2111 PLANT 1 PA-126    2 PA-124          AIR $YSTEM                                              CONTAINMENT                                               f
--             -                -_                        - - _ _ _                         _ . _ _ _ _     _ _ ___ _ _ _ _ a system simplified diagram, g s,t o o s o 4 / / - 0 9 TI APERTURE CARD Also Xvallable On Apertur, o,.a
                                                                                                                                                                                        .F

104 numbers appropriate to Unit 1 are shown; Unit 2 numbers are shown in parenthesis where they differ. Referring to Fig. B25. two Joy electric motor-driven compressors (compressors No.11 and 12 for Unit 1 and 21 and 22 for Unit 2) provide the normal source of IA through two air intakes and silencers. Each compressor is rated at 470 scfm at 100 psig, and each is powered from a different 480-V ao electrical bus. Compressor No.11 receives electric power from Unit Bus 11B(ZA), and compressor No.12 receives power from Unit Bus 11B(ZB). Compressor No.11 receives power for its controls from 208/120-V ac Distribution Panel No.114, and compressor No.12 receives control power from 208/120-V ac Distribution Panel No.14 Figure B26 shows the power distribution wiring for the IA system. Each of the two IA compressors can be placed in either the SPEED, \UTO, or 0FF operating mode. In the SPEED mode, the compressor acts to maintain IA pressure between 93 and 100 psig. In the SPEED mode, the IA compressor runs continually at a constant speed; however, the normal, demand by the IA system does not require continuous operation of an IA compressor. Consequently, the IA compressor f unctions in two different cycles during SPEED mode of operation. In the loading cycle the compressor increases IA pressure from 93 to 100 psig. When IA pressure reaches 100 psig, the compressor goes into the unloading cycle, during which the compressor first-stage inlet is isolated and the second stage is vented. Internal air is pumped out and a vacuum is drawn inside the compressor. IA system pressure is allowed to decrease from 100 to 93 psig due to IA system demand. When IA pressure drops to 93 psig, the compressor shifts once again to the loading cycle and IA pressure is increased from 93 to 100 psig. In the AUTO (or standby) operating mode, an IA compressor normally does not run; however, if IA pressure drops to 90 psig, the compressor will automatically start, and af ter an 18-s delay it will be automatically loaded and an attempt made to restore IA pressure. During normal plant operation only one IA compressor is required; therefore, one of the IA compressors will be in the SPEED mode and the other will be in the AUTO mode, ready to start and provide air if a problem develops. Both compressors are cross-connected at their discharges by 6-in. lines to aftercoolers and moisture separators. The aftercoolers cool the compressed air leaving the compressors by means of a heat exchanger, which is cooled by flow from the service water (SRW) system. The cooling effect of the aftercooler causes moisture to condense in the aftercooler air. This moisture is removed by the moisture separators. Cooling water flow is provided to the compressed air system through SRW valve 1628. Af ter the cooling flow passes through valve 1628 (which controls SRW pressure to 55 psig), it splits into six parallel flow paths that provide cooling flow to the two IA compressors and their two af tercoolers . The other two branches provide cooling flow to the PA compressor and its af tercooler.

105

                                                                                                                     .00 . . .- . . u .

[ l m 1,., lp, u t-n i F- [ 13 e .. se nve(E sut l l NO 19sA8 l M21902 M21' I

                                                                                                               /\

152 1115 1U 1101 152 1401 152 to l 1 1 I 4 ,. .. UN , .u. i i .....UN. .u. i I NO TH2Ai l l NO 14120s l 112 1114 1U 1102 152 1402 112 1 82 1912 L21913 52 1412 62 14 I aso VAC UNsf aus NO 11 A42Al I ano VAC UN#7 aus NO 11882Al { l 480 V AC UNsf Bus NO 14A128# 480 VAC UNtf BU$ NO 148i207

                                                %2 1111         U 11(W       W 1919         52 lit e            U 1407         52 1409            52 to
                                           +

IM WDC

                                                                                        +                  +

IM WOC

                                                                                                                                             +

INSTRUMENT Al GNSTRUMENT AIR GATTf AT COMPRi& son BATTERY COMPatESOA CHARGan NO 11 CM A AGE R NO 12 NO 11 12 19101 W 11401 NO 13 g,,,,, I I I tuaesNg atACTOm O O REACTOR MCC101Af MCC 114n M 114M 12104M MCC 10am U 10114 52 11427 52 11463 62 10427 U 10416 i M IO *"O DISThe8u T80N i 1 PA 2000

                                                                                                                                    +

RE GULA TING 7, PANfL y, qq NO 11 208120 V AC 20s 1JO v AC Di$fAIBUTION DeSimiSUTION i, , PANEL PANEL y , NO 114 NO 14 sNSimuutNT Asa l' .> '> onTEn NO 11 e s 1 SV 2051 h INSTRUMINT AIR INSTRUMENT AsR CCMPef 8 Son NO 11 COMPRESSOR NO 12 CONYmots CONTROLS Fig. B26. Instrument

500 Re RED SUS 212 219% l tu 210s - 7 I 12 e av EERveCf Bus l I NO 218) ] a)2 252 21U 2u 2103 i L O to 2414 152 2401 fu 2101 tu 2115 I I l l l ' ~ n: '"' l l ' ~:=;& '"' l j2

            'hiu un h ut.u                                                h,unu                       h,u nt.

8 212 y.21. 'g . .,,2

                                                                                                      %l 2                                                                                                          . 2,,2 I                          I                                 !

eso v&C UNIT Sus eeDWACUNifSul aan VAC U4ef Bus ea0 V AC UNef sus NO 249:28i NO 24Ai2BP NO 2192A> NO 31 A 2Aa

)                52 2elt             u 2400         $2 2407             u 2118        &2 2119     62 210s       u lit t
            +                                  +                   +                                        +

tNSTRUMENT AeR 125 VDC BATTERT INSTRUMENT AIR 125 VDC SAFTEnv COMPRE SSOR CMARGER NO F1 COMPRIESOR CHARGER NO 22 NO D NO 21 u 20e01 u 2140 12 20101 I I I REACTOR O O Reactor TunsiNE MCC 20em uma u2ino MCC 2i4R MCC siAt T{ un u n.11 '[ u x,,. APERTU N t[um.1ffume,, } l CARD

               ,:==R                                              2-
                                                                                                       "9f'N R
                    'R 2'
                                   .A ix , AC                         m in . AC                          No "

oisvRisoro= DistRieuviON Al80 STallable On

                                                                                                  L              "
                                      '^01                              .'.O2,i                        ,               ,

Aperture Card b > INSTRUMEhf AIR , 9 9 DRVER NO 21 4 2 $v 2061 INSTRUMENT AIR INSTRUMENT Aan COMPRESSOR NO 22 COMPPt$80R NO 21 CONTROLS CONTROLS air system power distribution. l' g6/o0304//- /b

106 From the af tercoolers/ moisture separators, air flows to two 96-f t' air receivers that serve as air storage tanks to dampen system pressure vari ati ons . Each receiver is equipped with a safety relief valve that opens to relieve pressure greater than 115 psig. The two receivers are normally cross-connected but can be isolated at both their inlets and outlets by manual valves. Four-inch lines connect the receivers to a common' header. After leaving the air receivers, air enters two prefilters that remove oil, moisture, and particulate matter to prevent overloading the desiccant in the IA dryers. The two pref 11ters are in parallel and normally one is isolated and the other in operation. Both prefilters can be isolated by manual valves in their inlet and outlet lines. From the prefilters, air passes to the IA dryer. The dryer is an automatic, self-regulating unit that dehydrates the IA with a desiccant material, thus helping prevent corrosion in downstream piping and system loads. A bypass line around the dryer allows continued operation of the I A system if the dryer is out of service. The last components in the IA supply network are two afterfilters. These units remove very small particles from the IA that might still be present af ter air passes through the dryer. During normal system operation, only one afterfilter is in operation and the other is in standby. Each af tercooler can be isolated by manual valves in its input and output piping. Instrument Air Distribution Network Once air leaves the af tercoolers, it enters the 4-in. IA distribution header. From this header, a number of branch lines supply instrument air to leads located throughout the plant. Figures B27-B29 show these branch lines and the major locations by blocks that they serve. A diverse collection of valves, instruments, and controls is served by the IA system in each block. Plant Air Supply Figure B25 also shows the major components of the plant air (PA) supply at Calvert Cliffs Unit 1. An identical, redundant plant air system exists for Unit 2. Referring to Fig. B25, note that the plant air supply has one air compressor. The compressor is rated at 616 scfm at 100 psig and is produced by the Joy Manufacturing Company. The compressor is powered by 480 V ac from electrical bus No.14A(ZB). Compressor controls are powered from 208/120-V ac distribution panel No. 14. The PA compreosor provides compressed air at 100 psig and discharges it to the af tercooler/ moisture separator. There the compressed air is cooled and entrained moisture is removed. The af tercooler and compressor are cooled by parallel flow paths from the service water. From the af tercoolers/ moisture separators, air flows to a 96-ft'

h, 107 l CAusitC STOmact TANn MAK!US I A 20) I DE MsNim atett a$ TURSINE OECM

                                                                                               ,A,,,
                                                                                                                             -            A.. .L. A. . ._ t R$

IA 369 e A 215 L DialmATOR IA JJe 14 717 I sa se l l C ONDE N S A14 m CONDENSE R ARE & r PO L 4S Me N G We $7 SIDE Sit AM GthinatOn

                                                                       'AI'*                                              "m Aux 8 W PUMPS                                I
                                                                                             '       II                         FttDW Af t A ME Afl A
                                                                                                                          ' NOS 16A ANO 968                                    f
                                                                                                                                ,E t oW A,8. .E A.E.
                                                             ,c,,                                                         "_     NOS tlA ANO 158 IC13
                          #I                                    v                                                               FitDWAf tR M1 Af tR NOS 14A AND 143 l              .

m MOaStunt SEPARATOR l REME Aftn NO 12 PT PT 20rg PS PS 2071 - MOIStunt SEPARATOh RE Mt Af tR 40 11 I A 144 5AOM

                  "                                                                                                                                               gg g39 l A 944                                                            lA 333      lA 334 MVAC 6 8 5 m    SERviCf WATER PUMP ROOM la 456                            gg ggg
                                                                                       -                                            (AST 8tPWG CONT A#NME %T                                                                                                              4A 928 PENETRATION ROOM I A III iA 659                           -
                               '                                                 IA 657                                          Pt Nf f RAflON OOM CO #4G
                          -                                                   . A S,. A                       ,.,,,

SERVtCE WATE4 itCSPUMP a HEAD f ANK Ant A ROOM NO tt VCfANOeAST m ROOMS ga ggy m M AIM PLAN t AREA ECCS PUMP

                                                                                                                                               'I I       M CMARGING P                                                                                               > COMPONINT COOLING ROOM                                                                                                   HEAD TANS 14 795 MISC Watit                                             -

RECitvimTANu 14 914 ROOM gg pgy Ca v0GE NICS m

                                                                                         ~

mOOM .. .

                                                                               .A.,,

M0OM < -  %,$'47,e

                                                                               ,A.

la 950 L ACCISS CONimOL MvAC Fig. B27. Unit 1 instrument air dist 1 SW %me* \ ' - - - - -

la 372 MOUS 4A 1GO SA 374 acid WELL WATER STORAGE T ANs MOUSE 01 C LER$ N 12 la 641

                             -    CONDE NSAY E                                      DIE SEL GE NERATOR PRECOAT FILTER $                                          No f f 4 501                                                                la 880 EA & DE                               enc      GER ROOM
                                                                  ~

TRE ATMENT PIN x A377

                  +'=:

m CONDtNSER ARE A ReNG 4 A 945 PCW 20a2 ga ggy m LIYOOWN ME AT PLANT COMPUTER - ERCHANGER ROOM la sst

                                                                        > SFP COOLING ROOM

+ stowoOwN rAma A es2

                                                                            .A. E Aut,                            TI APERTURE A f            - CvCssoN CARD IN               EECMANGERS m    AURILIART SUILDING              I A e64
                     ~
                             "v^ c '  "

Also Available On Aperti re Card m RC WASTE

                                            " EVAPORATOR m     MISC WASTE
                                            " EVAPORATOR

~ :L g&lD03D41)-Il ribution system.

                                                                                                                             . --=

N

                                                                          $         E?

et l 'l SE "50 h$ 9 la 11 iij lliI!j 13 4! 7 iI il 11  !! 34 s o a db .h d,

                            't'Xtt                                                            la

x i

3, i b ( EI l IV I  ! I N 8 il ji j fy IV i

                  *?         '9                             *I
                                                            .I l                                   ?

2

                                                              /I
     =
                                                      ? v. -!!.                                   ,!

lil m, ,, v, ,1, ~ ja iA s-

l

             =            _                           x                                           i i !{ !2 i! +                                           "

8

                                     !                            !g
                                                                             'X                 I
                                                        !!il !I !l I j! !!  in    r,        !!                --
                                                                                         "m
       'l !!  11    11I!                                                   <g!!gi,,gi    ;
                                                                                            ,IlI 8

o if 11 l[1 If

       ![    !K i+q e 4                          y c:

lii

                         ~                                                     . . . . -               -.

7 -

109 CIS SHUTS 1C10 A , _ _I _ (2C101 V ' l MOV 637 2080 FROM gg733 AnR SERV CE HEADER 2080

68) (310) 643 ACCUMULATOR (195) TO PS-

                                                               ~

647 646 TO FROM (197) (194) ' PIPINj

                                                                 -                64                TRATi(

SALT WATER ,

       \lR COMPRESSOR ;

12 (22) 720 721 TO A (742) 1743)

                                                                                                      -451 <

FROM l 'fi h4 645 5 TO N 393' SPOOL 727' AIR COM RESSOR 3 11 (21) 723 722 (740) (741) pj 726' Fig. B29. Instrument a l l l l

 =%,

                                                                                                  /l l

SV 2085 HS

                                                        ~~T-       2085 I
                                               ,,  \       PS                                         i 2085
                                                   /

a p TO CONTAINMENT

    /
    \      l i

h2085 U lA LOADS 337 339 (175) (177) 341 5464 (193) LEGEND TO CVC-517. PREFIX ALL VALVE WEST 3 518. 519 NUMBERS BY 1A-3 PENE. W ROOM UNIT-2 VALVE NUM8ERS GIVEN IN PARENTHESIS TO CVC-5465,

• UNIT 1 ONLY W-4511 & - 5466. 5467

! (UNIT-1)                                                  % NORMALLY OPEN VALVE NORMALLY SHUT VALVE UN U-2 O

h( AIR-OPERATED VALVE SV-SOLENOID VALVE MOV-MOTOR OPERATED VALVE HS-HANDSWITCH g PS-PRESSURE SWITCH APERTUIlE CIS-CONTAINMENT CANb ISOLATION SIGNAL r system diagram. VMle On Perture Card ! g6/ooso#//- /3 e

110 receiver that serves as an air storage tank to dampen system pressure variations . The receiver is also equipped with a safety relief valve that opens when PA pressure exceeds 115 psig. After leaving the receiver, air enters two prefilters that remove oil, moisture, and particulate matter to prevent contamination of PA system piping and loads. The two prefilters are arranged in parallel in the PA system flow path. During normal operation, only one prefilter is in operation and the other is isolated in a standby condition. At the outlet of the PA prefilters, air enters the PA service header. From the service header, PA is provided throughout the plant to various outlets f or breathing air stations inside containment, to service outlets for compressed air for tools and cleaning, and for other miscellaneous uses throughout the plant. During normal operation Unit 1 and Unit 2 PA Systems are cross-connected by opening manual valves PA-126 and PA-124 as shown in Fig. B25. Either Unit 1 or Unit 2's PA compressor will be running (in the SPEED mode) and the other unit's compressor will be in the AUTO (or standby) mode. The two PA compressors will then operate in a manner identical to operation of the two IA compressors discussed earlier. That is, the compressor in the SPEED mode will load and unload to maintain PA pressure between 93 and 100 psig. If PA pressure drops to 90 psig, the PA compressor in the AUTO (or standby) mode will start and attempt to restore PA pressure to normal . Instrument Air Backup The PA compressors serve the additional duty of backing up the IA supply system in the event IA pressure drops abnormally low. This occurs in the following manner. The IA and PA systems can be automatically cross-connected by opening valve PA-2061 (see Fig. B25). This valve is set to open automatically if IA pressure drops to 85 psig; also, at 85 psig valve PA-2059 closes automatically, thus isolating the PA compressors from their normal loads and making all of the air they compress available to the IA system. A brief example of the sequence of events that occurs on falling IA pressure will illustrate operation of the PA compressors to back up the IA compressors. Suppose the following condition exists in Unit 1: IA compressor No.11 is in SPEED mode, loading a'nd unloading to maintain IA pressure between 93 and 100 psig; IA compressor No.12 is in the AUTO mode PA compressor No.11 is in the SPEED mode, loading and unloading to maintain PA pressure between 93 and 100 psig; PA compressor No. 21 (in Unit 2 PA system) is in the AUTO mode; valves PA-126 and PA-124 in Fig. B25 are open to cross-connect the Unit 1 and Unit 2 PA systems; PA-2061 is closed so that the PA and IA systems are isolated. l 1 u

111 l l Given the above conditions, suppose that a supply line in the IA header I develops a leak and IA pressure begins to drop. When IA pressure drops below 93 psig, IA compressor No.11 will be continually in the load mode.  ; When IA pressure drops to 90 psig, IA compressor No.12 will auto start ' and 18 s later load itself to help restore correct pressure. If IA pressure continues to fall, at 85 psig valve PS 2061 will automatically open to cross-connect the IA and PA systems. Opening PA 2061 should result in at least a temporary increase in IA pressure since the PA distribution header pressure will be at 93 pais or greater. At this

point both IA compressors are operating and PA compressor No. 11 is l operating to maintain pressure in the cross-connected IA/PA system.

i Suppose, however, that air pressure continues to decrease. At 90 psig ' PA compressor No.12 in Unit 2 will auto start and load itself. If 1, PA/IA pressure drops to 85 psig, valve PA-2059 will automatically close i to isolate the PA header. When valve PA-2059 closes, note that a total j of four air compressors (two IA and two PA compressors) are running and. j supplying compressed air to the IA distribution header. i 1 l l 1  ! l i i 6 I i i i i

            ,_ .___     . _ _._. _ _ _ _ . _ _ _ =..         . _      ._ _ _ _ . . _ _ _ _ _ _ _ _ . _ _

f i 112 l REFERENCES FOR APPENDIX B

1. " Reactor Coolant System, System Description No. 5," BG&E Calvert Cliffs Nuclear Power Plant, July 1983

2. " Final Safety Analysis Report, Baltimore Gas and Electric Calvert Cliffs Nuclear Plant," December 1980.

3 " Chemical and Volume Control System, System Description No. 6 " l BG&E Calvert Cliffs Nuclear Power Plant, September 1982.

4. " Main Feedwater System, System Description No. 32," BG&E Calvert I Cliffs Nuclear Power Plant, November 1982.

! 5. " Condensate System, System Description No. 29," BG&E Calvert , Cliffs Nuclear Power Plant, August 1982. t , 6. " Main Steam and MSIV System, System Description No. 19," BG&E 4 Calvert Cliffs Nuclear Power Plant, June 1983 '

7. " Component Cooling System, System Description No. 40," BG&E

{ Calvert Cliffs Nuclear Power Plant, October 1983

8. " Service Water System, System Description No. 39," BG&E Calvert Cliffs Nuclear Power Plant, November 1982.

l

9. " Salt Water System, System Description No. 38," Calvert Cliffs

Nuclear Station, revised May 14, 1976.

10. C. W. Mayo et al., " Failure Modes and Effects Analysis (FMEA) of the Regulating Systems Electric Power Distribution Circuitry at the Calvert Cliffs Unit 1 Nuclear Plant," Science Applications International Corporation, December 1984 I

i

APPENDIX C DETAILED FMEAs Peeliminary failure mode and effects analyses (FMEAs) were performed on all systems selected for analysis as a result of the work described in Appendix A. For completeness of documentation, the entire record of these FMEAs is provided in the following pages. The majority of this effort led to low consequence outcomes; the few cases not bounded by previous analyses are treated in detail in Chapters 4 through 6 in Vol. I of this report. l 113

Table C1. Reactor coolant system FMEA Failure / Component Possible Causes Effects Remedial Actions Reactor Vessel

1. Undetected 1. Fuel Damage Reduced heat transfer free Detect poor heet trasafer with Noncondensibles RCS to steam generator. axial flux monitora (?).

2. Corrosion Products Potential undercooling. Detoot fuel damage with process Collect in the Reactor Vessel activity monitor in CVC3.

1. Small LOCA. Reactor coolant Ensure reactor is tripped and

2. Vent Valves {RC- Operator Error discharges to quench tank. follow LOCA emergency 103-SV and RC-10ll-SII) Fall Open 2. Inadvertent Signal System pressure drops and procedures, from Control Board pressurizer level drops.

Low pressure reactor trip occurs at 1875 psig and on high containment pressure it (then) quench tank blows , down. Safety injection g actuates at 1600 psig. Steam Generator (SC)

3. SG Tubes Rupture 1. Adverse RCS or SG Reactor coolant (RC) leaka Follow 33 tube rupture Water Cheelstry to secondary side of the 30 emergency procedures.

and to the environment wie

2. Loose Parts atmospberto steam dump or SG earety valves. Depressuri-o zation of the RCS would be similar to a LOCA of equive-lent size.

Table C1. (continued) Failure / Component Possible Causes Effects Remedial Aetione

4. Primary Head Divider 1. Stress Corrosion RC flow through U-tubes in Trip reactor if not already Plate Between Inlet Cracking 30 is partially bypassed re- tripped. gnsure operability and Outlet Plenum sulting in decreased heat of all three charging pumps in Falls 2. High Temperature or transfer from primary to CWCS for needed makeup, Pressure Differential secondary side. Partial RCS cooling, and emergency Induced Failure undercooling will result. boration.

Other 30 still providea heat removal. FORya and safeties may open if temperatures rise drives pressure high enough. SG 1evel may ini-tially rise but then return to its setpoint. RCS pres-sure vill be too high for normal SI, except for 132 spo provided by the CWCS. g Reactor Coolant Punos

5. Reactor Coolant 1. Loss of AC Power Reduction of coolant flow Trip reactor if not already Pump (s) Fall rate through the core and tripped. Perform actions to

2. Trip of One or More SG's. Increased possibility assist natural circulation 13 kV RCP Bus Feeder of core boiling. Pump cooldown, which include:

Dreakern seizure will result in boration from the CVCS, RCS faster flow rate reduction inventory control with the CWCS

3. Loss of Component whereas failure due to power or HPSIS, maintenance of RCS Cooling Water loss will be slower due to pressure with pressuriser coastdown flow. Reactor heaters and avulliary spray or

4. Fault in Pump or Motor will trip on low reactor charging pumps, and hCS heat coolant flow (955 of full removal by manual control of fl ow) . turbine bypass and atmospherto dump valves.

Table C1. (continued) Failure / Component Possibla causes Effects Remedial Actiona The operator la required to Attempt to manually trip pump

6. Reactor Coolant 1. Loss of Control Power Pumpfs) Fall to trip the RCP's in the event breakers.

2. Operator Error of a LOCA. If the operator Trip on Demand falls to trip them, more RCS 3 Faulty Trip Relays inventory will be released through a hot leg break.

The increased rate of cool-ent loss may be important to recovery from LOCA's depen-ding on break aise. Also, containment isolation iso-lates CCW to the RCPs and an RCP from seal failure may result if the pumps continue to operate. Containment ., isolation is initiated on O high containment pressure (2/4 transmittera) or could be initiated inadvertently. The effect of this addition-al loss of coolant la expec-ted to depend on break aise.

7. RCP Seal Failure 1. Loss of CCW Seal failure LOCA. Trip reactor and RCPa. Follow emergency procedures for LOCA.

2. Seal Component Damage from Debris in System or from Wear

_ _ _ _ _ _ _ _ - _ _ _ _ _ - _ _ _ _ _ _ _ - - -.._ = ___ _ __ _ - _ _. Table C1. (continued) Failure / Component Posalble Causes Effects Benedial Actione 3 Integral Impeller Damage (auxiliary impeller for seal water intake or seal water recirculating impeller)

4. Seal Area Recircula-ting Pump Fails (to deliver water to the integral heat exchanger)

Pressuriz er

8. Pressurizer Backup 1. Loss of Supply Power If demanded due to dooreas- Maintain level in pressuriser j Heaters Fall to ing pressure in the pres- with charging pump and letdown Energize on Demand 2. Control Signal auriser, doorease cont 1mies control valve control. For Failure (level without abatement and reac- pressure maintenance, obeck transmitter fails tor eventually tripa, that pressuriser spray la not low) Development of possible actuating inadvertently and voids in the core. If de- that proportional heaters

3. Mechanical Failure manded due to high level in are operating. Trip reactor pressurizer (i.e., loss of if pressure approaches low

4. Control Handswitches letdown flow or loss of pressure reactor trip met-in "OFF" Position. power to pressuriser con- point.

(operator error) trol components), level may continue to rise. Too much water volume in the pressu-rizer may damage the reller valves or the spray nozzles and degrade pressure de-w

Table C1. (continued) Failure / Component Possible causes Effects Remedial Actions crease control capability (less steam volume to condense with spray).

9. Pressurizer Backup 1. Control Signal liigh pressure results in the Attoept to switch heaters to lleaters Fall to Failure (level pressurizer. If spray is "0FF" position with handswitch Trip on Demand or transmitter fails actuated, net effect will be or restore to " AUTO' if pre-Inadvertently high, pressure negligible. If pressure viously 'ON". Hunually operate Energize transmitter fails transmitter has fafled low, pressuriser spray as required.

low, etc.) spray will not operate. Hunually open breakers if (Heaters can still trip if required.

2. Control llandswitches 10-10 level develops in i Left in 'ON" pressurizer.) Resulting Position high pressure would poreal-ly open POW and trip reactor. If reactor trips O 3 Loss of Control Power

• and pressurizar esplies, possible damage to the pres-surizer could occur. If level transeitter fails high, pressurizar will empty with heaters failed on, which may initiate a failure of the pressure boundary (small nonisolable LOCA),

10. Pressurizer' Spray 1. Corrosion Product High pressure surges in the Turn off any backup Line (or Nezzles) Buildup pressurizer cann'o t be con- pressuriser heaters that are B1ccked trolled. On power increase, energized. Trip reactor if

2. Loose Parts or Debris a high pressure reactor not already tripped and repair trip and PORV opening may component. Utilize suulliary occur. spray from Cf CS as required.

Table C1. (continued) Failure / Component Possible causes Effects Remedial Actions

11. Pressurizer Spray 1. Mechanical Failure Pressurizer spray la Some as above.

Valves Fall to failed if both valves fail Open on Demand 2. Control Signal Failure and is degraded if only one (Pressure control falls. On a power increase fails low) or pressure surge, a high pressure reactor trip and

3. Loss of Instrument Air PORV opening may occur.

and Accumulator Holding Check Valves Fall

12. Pressurizer Spray 1. Valve Stuck Open Spray flow into pressuriser Trip reactor and RCPs if not Valves (RC-100E-CV continues. Maximum spray already tripped. Repair and RC-100F-CV) 2. Control Signal rate is 375 spa. Spray doea component. Switch to alternate Fall to close Failure not add to pressuriser level pressure regulating systen g on Demand due to surge volume outflow. (I or Y) if pressure O (Valves Fall Cooling from spray causes transmitter or control has Open) level increase and pressure failed.

decrease in pressuriser from condensation. Backup heaters energize in response to pressure drop, but cannot offset decreased enthalpy from spray addition. Low enough pressure in the pres-surizer will initiate a reactor trip and an SIAS. The operator is required to trip the RCPs on SIAS, which will stop the spray flow and terminate the transient. If transient is caused by pres-

Table C1. (continued) Failure / Component Possible causes Effects Remedial Actions aurizer pressure transmitter failed on the high side, low pressure RT and SI AS chan-nels will be degraded.

13. Spray Line Con- 1. Valves Plugged Potential for thermal shock Failure may be hard to detoot Linuous Flow Bypass from Corrosion to pressurizer spray line unless beat loss from stagnant Valves (RC-219 and or Debris in and nozzles when spray is line is detected at TE-103 and i

RC-220) Fall closed Systes demanded. Potential non- 104. Align auxiliary spray isolable LOCA. to provide bypass flow if

2. Operator Error CUC-517-CV can be set to in Setting low flow rate (1-2 spa).

3 Valve Fault

14. Spray Line Con- 1. Valve Fault No significant effect. In- Repair component at shutdown.

tinuous Flow Bypass creased flow through bypass Valves (RC-219 and 2. Operator Error line to pressuriser but RC-220) Fall Open in Setting line is only 3/4 in, dia.

15. Auxiliary Spray 1. Valve Fault Spray flow at 3950 F is Attempt to close valve.

valve (CVC-517) delivered to the' pressurizer Monitor pressuriser pressure Falls Open (this 2. Operator Error inadvertently. Maximum and trip reactor if pressure valve falla closed possible flow la 132 spe, drop is too great. Repair on loss of instru- more probable flow is less valve at shutdown, ment air) than 4% gpm. No not gain in RCS inventory beyond that demanded by pressuriser level program. Some pres-sure decrease in the pressu-rizer and potential level drop from contraction. CVCS

Table C1. (continued) Failure / Component Possible Causes Effects Remedial Actions ' response to decreased level of adding charging flow will add more spray flow. Maxi-eue probable lit spo at 3950F to pressurizer representing

                                                                                            -94,500 Btu / min vs the heater capaalty of +68,300 Btu / min.

16. Vent Valves from 1. Operator Error small LOCA. Steam free the Close vent valves. Trip Pressurizer p-essuriser is discharged reactor if not already tripped.

(RC-105-St and 2. Inadvertent Signal to the quench tenir. Pres- gneure heaters are de-energized RC-106-St) from Control Board surizer pressure drops. to prevent pressuriser damage. Inadvertently Level and temperature alac Open drop in pressuriser due to g increased vaporization of ** the reactor coolant. RCS pressure drope consistent with pressuriser pressure and slight contraction in RCS occurs (approximately 1 vol.1 for 600 paid). Low pressure reactor trip should occur at 1875 psig. SIAS at 1600 pais and charging flas on low pressurizer level. Pres-surizer may empty from reactor trip.

Table C1. (continued) Effects Remedial AoLions Failure / Component Possible causes Power Operated Relief Valves (PORVs1 Same as above (small LOCA). Attempt to close motor

17. PORV(s) Fall Open 1. Valves Fall to Close After Demanded to PORVs normally open with operated PORV block valves (NC-402-ERV and/or high pressure reactor trip, (RC-403->0V and/or RC-405-M0W).

RC-404-ENV) Open so reacter trip will have Follow appropriate emergency

2. Operator Error probably occurred. proederes for a maall LOCA.

3. Control Signal Failure

4. Valve (s) Leak

19. PORV(s) Fail to 1. Control Circuit Code safety valves will Shutdown and repair Failure open on high pressure if component (s).

Open on Demand the PORVs fatl. However, during a LOCA, the RCS can- G

2. Hechanical Failure "

not be depressurized to pre-3 Loss of Electric Power vent PTS conditions as re-Supply quired by procedure. In addition, the PORV's would

4. Block Valves closed be unavailable to enhance Due to Leaking PORVs post-LOCA RCS depressuriza-tion and not HPSI flowrate.

1. Operator Error Code safety valves will Open valves.

19. PORV Isolation Valves Inadvertantly open on high pressure Closed on Demand 2. Valves Closed Due to demand if the PORVs are Leaking PORVs. blocked.

Table C1. (continued) Failure / Component Possible Causes Effects Remedial Actions

20. POW Isolation 1. Operator Error These are demanded to close Ensure reactor la tripped Valves Fall to when POWS fall open, and pressuriser heatera are Close on Demand 2. Valve Fault Remote potential for small de-energised. Follow emergency LOCA as described for procedures for small break 3 Losa of Electrio Power POWS falling open. LOCA event.

Supply Houever, potential la remote since multiple failures are required and each isolation valve has a vital power supply separate from the power supply for its associated POW. Code Safety Valves

21. Code Safety Valves 1. Valve Fault If POW path falla to open Attempt to open POW path. $

Fall to Open on (calibration, damage) on demand (high pressure Trip reactor if not already Demand conditions), these valves tripped. are demanded. RCS under-cooling and potential for large break LOCA from vessel rupture.

22. Code Safety 1. Valve Fault (cali- Small LOCA. Pressuriser Follow emergenoy procedures Valve (s) Fall bration, damage) stone discharges to the for small LOCA. Ensure Open quench tank. Low pressure reactor has tripped, reactor trip occura and pressurizer may empty.

SIAS will be initiated at 1600 psig.

Table C1. (continued) Effects Remedial Actions Failure / Component Possible Causes Ouench Tank

1. Mechanical Failure of Quench tank may empty. LIA- Attempt to close the valve and

23. Drain Valve to Valve Resulting in 116 may also be on the same add dominere11 sed water to RCDT (RC-401-CV) quench tank via DW-5460-CV.

Valls Open or Valve Opening or power supply as the failed Failure to Close valve and may fail to detect Leaks once Open low tank level. When a pressurizer relief valve

2. Power to Solenoid opens, the quench tank will Falls 44 from relieve to the waste gaa Control Board system through RV-242 (at 35 Handswitch Failure psig) or to containment

( HS-1401 ) through the rupture disk (at 100 psig), rather than ab-

3. Operator Error or sorbing the discharge from the pressurizer. Quench C Action Based on

• Failed Level tank rupture may occur de-Indicator pending on the transient, if the (16 in.) rupture disk fails.

Utilise relier valve bypass

24. Relief Valve 1. Mechanical Failure of On demand (significant Valve pressurizer discharge to (RC-400-CV) at high tank (RV-242) Fails quench tank). The quench pressures below rupture disk to Open on setpoint (100 paig) and Dema nd 2. Error in talve tank relieves to the Setting Isring containment through the verify operability of vent Hatstenawce rupture disk rather than valve RC-402-St.

partially to the waste gas system. SI will be initia-ted from high containment pressure. SI may lead to pressurizer overfill from

Table C1. (continued) Failure / Component Possible Causes Effecta Benedial Actions charging pump initiation and letdown isolation.

25. Roller valve 1. Hechanical Failure Quench tank steam from Repair component at next (RV-242) on of Valve pressurizer and entrained shutdown.

Relief Bypass liquid may discharge to Valve (RC-400-CV) 2. Error in Valve waste gas ayates below Falls Open Setting During valve setpoint (i.e.. Maintenance unnecessary discharge). Not a signifloant effect.

26. Vent Valve 1. Operator Error Quench tank steam from pres. Attempt to close valve.

( RC-402-St ) urizer and entrained 11guld Shutdown and repair component Falls Open 2. Inadvertent Signal can discharge to contain- if faulted, from Control Board sent. SI will be initiated g; Falla Solenoid Power from high containment pres-

• On sure. TIA-102 will alarm at 3000F indicating steam dia-charge through vent valve.

SI may lead to pressuriser overfill from charging pump initiation and letdown iso-lation.

27. Quench Tank 1. Improper Installation Quench tank steam from Check pressuriser conditions Rupture Disk pressuriser and entrained and block pressurizer flow if Falls Open 2. Faulty Rupture Disk liquid can discharge to appropriate. Depair component containment. SI will be after shutdown and tranatent inittsted from high contain- in terminated.

ment pressure. SI may lead to pressurizer overfill from

Table C1. (continued) Failure /Compons t Possible Causes Effects Remedial Actions charging pump initiation and letdown isolation.

1. Improper Installation Rupture disk is demanded to Open relief valve bypass

28. Quench Tank Rupture Disk open at 100 psig (design (RC-400-CV) to ensure partial Falls to Open 2. Faulty Rupture Disk pressure of quench tank). relief to waste gas system, During transients, possible Check pressuriser conditions, at Design Pressure quench tank rupture. Close PORV block valves if Reactor coolant release to Popus have failed open.

containment. SI will be initiated. SI may lead to pressurizer overfill from charging pump initiation and letdown isolation.

1. Hechanical Failure Quench tank overfills. Attempt to close valve at E!

29. Fill Valve LI4-116 may also be on pa nel. Open drain valve as from Demineralized of Valve Resulting Water Storage Tank in Valve Opening same panel as failed required. Repair component (DW-5460-CV) Falls or Failure to Close valve and may fail to after shutdown and transient Open or Leaks Once dben detect high tank level. is terminated if component A pressurizer discharge is faulted.

2. Operator Error or transient may cause rupture Action Based on disk to open prematurely, Failed Level causir.g discharge to the Transmitter containment and initiation of SI. SI may lead to pres-3 Power to Solenoid surizer overfill from char-Falls on from ging pump initiation and Control Board letdown isolation.

Handswitch Failure (HS-5460)

Table C2. Chemical and volume control system FMEA Failure Possible Causes Effects Remedial Actions Letdown

1. Letdown Stop Valve 1. Inadvertent or Letdown flow is stopped, in- After detecting failure, moni-(CVC-515-CV) or erroneous signal cluding flow through the re- tor pressuriser level and Letdown Containment to close, generative heat exchanger charging flow temperature valve (CVC-516-CV) including (HI), which usually heats (TE-229). Trip charging pump Fall Closed a. ESFAS (SIAS or charging flow, Unheated if level in pressurizer is too CfCS isolation flow is delivered to the high.

signal) RCS. Pressuriser level will

b. High regenerative rise, which trips all but HI outlet tempera- one charging punp and at-ture TIC-221 tempts to increase letdown

2. Loss of instrument flow via the letdown control air valve (but letdown flow is

3. Loss of control power isolated by the failure).

to solenoid With charging flow from the g

4. Mechanical failure remaining pump at 44 gpe, including plugging RCS may overpressurize, free loose parts causing the PORV to open.

2. Excess Flow Check 1. Hechanical failure Same as above (loss of Same as above.

Valve Falls Closed 2. Plugging letdown flow).

3. Excess Flow Check 1. Mechanical failure No effect if letdown oon- This failure will not be Valve Fails Open trol valves operate detected unless by inspection properly and if no rupture at shutdown or demanded by an occurs between escess flow abnormal event, check valvo and letdown control valves.

Table C2. (cont inued) Possible causes Effects Remedial Actions Failure Loss of letdown flow which For both valves failing,

4. Operating Letdown 1. Loss of instrument Control Valve (CVC- air also stops RCS flow through isolating charging flow fa

2. Loss of solenoid regenerative HI. Unheated required. If only one of the 110P-CV or CVC-1100-

                                                             -CV) Falls Closed                                control power             charging flow at 44 spe         two valves falla, place the

3. Mechanical failure einimue is delivered to standby valve in servloe (re-

4. Control signal failure the RCS. Potential for quires manual alignment of RCS to overpressuriza valves).

and the PORV to open if charging flow continues.

5. 'Both Letdown 1. Operator error Potential thermal shock to Isolate one control valve.

Control Valves 2. Halfunction of CVCS with potential for (CV C-110P-CV valve selector pipe rupture downstrees of and CVC-1100-CV) switch (HS-110-1) control valves. Release in Service with j limited by excess flow RCS Pressure Above check valve to 210 +/- 20 Q 1$00 psig spa. Excess letdown flow ,' will lower pressurizer level and cause backup charging pumps to start. Not RCS loss of 98 spe.

6. Letdown Control 1. Hochantoal failure Excess letdown flow even Close letdown stop valves.

Valves (CVC-110P 2. Failure of the bias though both backup charging

                                                             -CV and CVC-1100                                 control regulator         pumps start on low pressuri-
                                                             -CV) Fall Open                                   on each valve             ser level. Net decrease in

3. Erroneous control RCS inventory and pressuri-signal from zer level (santeum letdown pressurizer level 230 spe - maximum charging regulating system 132 spe = 98 spe) and high level alare in volume con-trol tank (VC"J. Eventual

Table C2. (continued) Possible Causes Effects Remedial Actior.s Failure shif t of VCT inlet from tank to waste processing system,

1. Loss of component TE-224, on letdown outlet Assess boron concentration 7 Letdown HI Falls and activity in RCS based cooling water flow, will alarm, isolate to Cool on data from before the

2. HI damage the boronometer and radiation monitor and shift event. Shutdown plant, letdown flow to bypass if necessary, and repair the son exchangers. If HI or isolate letdown.

TE-224 fails, damage to monitors and ion exchangers could occur. Flashing of hot RCS fluid to steam is possible downstream of the letdown backpressure , regulating valves, whloh g would introduce steam into the VCT (via the l normal spray inlet). VCT may become pressurized and relieve to the waste gas surge tank. Operating Letdown 1. Pressure controller RCS fluid downstream of let- Isolate letdown, Check system

8. down control valve may flash flows and filter pressure drop Backpressure Regula- or transmitter to steam due to drop in line to detoot filter darage. If ti.as Valve (CV-201P (PT-201) falls high or CV-2010) Falls 2. Hechanical failure pressure. If fluid tempera- filter is not damaged attempt ture is above 145 0F, TE-224 throttling of manual valves Open (normally fall 3 Operator error associated with one of the closed on loss of should switch flow to VCT and bypass boronometer and failed regulating valves. If air) failure is not caused by trans-radiation monitor. If 0ten-perature is below 145 F, mitter failure, place the

Table C2. (continue 1) Effects Remedial Aotions Failure Possible Causes steam pockets may exist and standby regulating valve in damage monitors. High velo- servloe. city flow may damage the purification filter and carry debris through the system, either blocking let-down flow or eventually failing the charging pumpe. ,

1. Loss of instrument Letdown flow is stopped, in- Monitor pressuriser level and 9 Letdown Back- cluding flow throudh the re- RCS pretsure. Trip charging pressure Regu- air Ling Valves 2. Preneure controller generative HI. Pressuriser pump, if necessary.

or transmitter level will rise, backup (CV-201P and charging pump will trip, but CV-2010) Fall (PT-201) fails high Hochanical failure the main operating charging , closed 3 u pump will continue to dis-charge to the RCS. RCS could overpressurise and cause the PORV to open, if charging flow continues. RCS charging flow will be colder than normal. VCT level will decrease and makeup flow will be dell-wered to the VCT (if makeup controller is in AUTC).

Table C2. (continued) Failure Possible Causes Effects Remedial Actions

10. Differential 1. For PDIS-202, Reduced letdown flow, Deteet PDIS failure prior to Pressure Indicator mechantoal failure pressurizer level may rise relief valve lift by low flow PDIS-202 falls to or control power and open letdown control at Fg-202, and after relief indicate and alarm failure valve more. Beckpressure valve lift by high flow alare plugged inservice 2. For filter, accum- regulating valve will also (135 spe). Put alternate filter, and In- muistion of material open more, but flow will filter in service or put 2" service Purification not detected due to still be restricted. If bypese line in servloe via Filter is Plugged failed indicator upstream pressure reaches CVC-124, and isolate plugged (Normally Alarms 205 pais, an upstreme filter. Monitor flow closely at 30 paid) relier valve (354-RV) with Fg-202 to operate without relieves line pressure to PDIS-202.

the reactor coolant waste receiving tank. Makeup water will eventually be required in VCT for charging , pump suction. Failure n results in a small loss of

;                                                                                   coolant out relier valve and
!                                                                                   cooler charging flow to RCS.

11. Process Radiation 1. Nbohantoal failure If monitor reading is low, Unless red monitor has self Honitor Indicates 2. High temperature high activity level could checking function, failure will Erroneous Fission damage from failure 30 undetected. No signifi- be hard to detoot, especially Product Activity of alsnal from TE-224 cant effect on undercooling. low reading failure, and letdown cooling or failure of CVC-521, to close with failure of letdown cooling

3. Other support system If monitor reading la high, i failures purification and/or shut-

, down may be initiated l unnecessarily. i i l

Table C2. (continued) Failure Possible causes Effects Resedial Actions

12. 11oronometer 1. Hechanical failure Potential for operator to Dilution operation would Erroneously 2. High temperature initiate dilution. Dilution probably be stopped when no Indicates High damage from failure would result in slight reao- decrease in boron concentration RCS Boron of signal from tivity increase, but control registered at boronometer. ,

Concentration TE-224 and letdown rods would control under- Boron concentration could te l cooling or failure cooling. readjusted by calculated boron of CVC-521 with addition based on grab aanple, failure of letdown cooling

13. Doronometer 1. Hochanical failure Potential for operator to Detect failure by noting no Erroneously 2. High temperature initiate boration, and over- change in boron reading with Indicates 1,ow damage from failure of borate the RCS. Reactivity boron addition. Correct RCS Baron signal from TE-224 and decrease, no noticethle boron concentration based on Concentration letdown cooling or overcooling effect e.pected, grab sample and calculations. ,

failure of CVC-521 g with failure of letdown cooling

14. Tube Rupture in 1. External event Charging flow will preferen- Trip operating charging pump.

Regenerative Heat 2. Corrosion tially flow to lower pres- Isolate letdown. Shutdown Exchanger 3. Other internal sure outlet, i.e. , letdown plant and repair comp >nent, mechanical damage path instead of to the RCS. Amount of flow recycled through CVCS will depend on break size and location. Probably no net change in RCS inventery.

Table C2. ( continued) Possible Causes Effects Remedial Actions Failure

15. Tube Rupture in 1. External event RCS leak or loss into compo- Alert to failure by low flow at nent cooling water (CCW). FE-202 and decreasing level in Letdown lleat 2. Corrosion Exchanger 3. Otter internal Reduced letdown flow to VCT V CT. Isolate letdown flow from mechanical damage and consequent drop in VCT RCS. This will lower charging (loose parts) level. Makeup required from flow Lamperature more since desineraltzed water tark if flow will be stopped through in AUTO mode, may be cool the regenerative heat (ambient). Borto Acid Sto- exchanger, but the leak must rage Tank input (maximum 30 be isolated. Honitor TE-229 gpa in AUTO mode) will be and isolate charging flow 1500F, If makeup is in man- if temperature is too low.

ual mode and VCT level drops, makeup wt!; come from the refteling water storage tank (RWT) (450F or ambient). Net result la po- g tantial for slightly cool makeup to RCS as well as loss of letdown cooling. (See Failure 7) Purification No effect unless letdown Alert to failure by PDIS-203,

16. Ion Exchanger 1. Hechanical damage Signal from TE-224 cooling has failed. If ( P acrosa ion exchangers),

Dypass Valve 2. low flow at FE-202, and high fails with failure cooling has failed, resin (CVC-520) Falls of letdown cooling damage may occur in ton temperature at TE-223 Iso-Open to Ion late letdown and charging flow. Exchangers exchanger (s), with eventual plugging and loss of let- Shut plant down as required. i down flow. Potential for low temperature charging flow as discussed above due

Table C2. (continued) Failure Possible Causes Effects Remedial Actions to makeup requirements from domineralized water storage tank (NST) and losa of flow through regenerative HI.

17. Ion Exchanger 1. Mechantoal damage Loss of normal letdown Shutdown plant and repair Bypass Valve 2. Loss of instrument path through ion exchangers. when RCS chemistry becomes (CVC-520) Falls air No major short-term effect unacceptable. Monitor RCS ,

Closed to Ion on RCS. chemistry closely. l Exchangers

18. Ion Exchanger (s) 1. Ilest damage Initial loss or reduction Letdown flow can be switched Plug (s) or Strainer 2. Loose parts of letdown flow. PDIS-204 at CVC-520-CV to bypass ton Plugs 3. Bad resin supply alarms at 20 paid. VCT exchangers. Monitor RC level will decrease and chemistry and shutdown

' initiate makeup water from plant as required. N RWT or DWST, which could result in cooler charging flow to RCS. Net gain in RCS inventm? sf 44 gpa from j the operating charging pump. ,

19. Ion Exchanger 1. Operator error Possible long-term chem- Honitor RCS chemistry and Setup Error. 2. Resin supplier effects. Potential for activity to detect failure.

Wrong Resin error too much deboration, if Bypass ion exchangers with Loaded Wrong 3 Laboratory error not detected by borono- CVC-520-CV and correct Exchanger Placed on new resin meter, leads to increased ion exchange setup. In Operation, sampling RCS activity and potential or No Resin Loaded narrower shutdown margins.

I f Table C2. (conti nued) Failure Possible Causes Effects Remedial Actions

20. Resin Ded Support 1. Corrosion (RCS 1. Strainer downstream of Letdown flow can be switched Structure in Ion chemistry) exchangers plugs, PDIS- at CVC-520-CV to bypass lon Eachar.ger Fails 2. Maintenance error 20% and PDIS-203 alarm exchangers and resume letdown or Leaks causing mechantoal at 20 paid. Loss of flow to VCT.

failure letdown flow, VCT level will decrease and initi-ate automatic makeup from DWST or RWT, which could result in cooler charging flow to RCS. Net gain in RCS inventory from oper-ating charging pump. ! 2. Resin beads leak through Alert to failure by no (or low) strainer if strainer charging flow on FE-212, high , basket is faulty or has level alarm in VCT cand RC in- g not been replaced af ter ventory accumulating in Waste maintenance. Resin ao- Processing System. Isolate cumulates slowly in var- letdown. Shutdown plant and l lous locations down- remove resin. l stream of the VCT out l 1et, resulting in plug-ging of valves and/or charging pumps. Pot e n-l tial loss of charging l fl ow. Decrease in pres-surizer level vill run l back letdown to minimum I setting (29 gpa). Net I decrease in RCS invento-ry at 29 gpa with RC sent to Waste Processing i

Table C2. (continued) Failure Possible causes Effects Remedial AoLions Syster on high level (LC-227 A) in the VCT. Volume Control Tank (VCT)

21. VCT Inlet Valve 1. Control system Volume control will typi- Attempt manual switching of the (CVC-500-CV) Fails failure (VCT LC-227A cally be out of balance valve. Also, letdown can be to Divert Flow fails) (i.e., some other failure isolated and the VCT can be from VCT on Demand 2. Los s of instrument causing high VCT level) manually drained to the waste air (valve fails in order for this to be processing system.

open to VCT) demanded. Failure on

3. Hechanical failure demar.d results in overfill of VCT, which may alert the operator to open CVC-513-CV to relieve tank pressure.

l The VCT inlet spray nozzle  !! say flood, which will stop mixture of RC with hydrogen. Net result is failure to provide hydrogen to the RCS.

22. VCT Valve to 1. Operator error VCT depressurizers causing VCT lou pressure alarma Waste Gas System 2. Hechanical wear more hydrogen t.ddition, ven- (PI A-225) at 4 paig. Manually (CVC-513-CV) Falls (valve normally ting of hydrogen to the isolate hydrogen supply and Open fails closed) waste gas system and poten- CV C-513-CV . Checlc chemistry, tial depletion of the hydro- Shutdown plant if required.

gen supply; after which full Assess explosion potential in VCT depressurization could Waste Gas System. occur. flydrogen addition to the RCS would be degraded. Potential for hydrogen ex-

Table C2. (continued) Failure Possible causes Effects Remedial Actions plosion accident in Waste Cas System.

23. flydrogen Relief 1. Operator error ifydrogen supply depletes. Isolate hydrogen suppa, .t-Valve CVC-105-RW 2. Mechanical wear venting to plant vent. Hy- down and repair component.

Falls Open (valve normally drogen explosion potential fails closed) in plant vent. Loss of hy-drogen addition capability in V CT.

24. VCT Dutlet Valve 1. Inadvertant alsnal VCT level will rise, resul- Isolate letdown and manually (CVC-501-H0r) from makeup controller ting in letdown flow getting operate makeup valve CVC-504-Fails closed or SIAS diverted to the vaste pro- HOW as required.

2. Obstruction (plugged cessing system. If CVC-504-valve) HOV from NWT opens, as it ,

normally does with closure of g CVC-501-HOV, the only effect is potentially coole= makeup to RCS. But ainoe this valve does not open automa-tically on high VCT level, charging flow to the RCS may be lost, causing pressuriser level to drop. Letdown will run back to its minimum set-point of 29 spa, but will not isolate automatically. Net RCS loss of 29 spa.

Table C2. (continued) Failure Possible Causes Effects Remedial Aoticas

25. VCT Outlet valve 1. Control signal failure As a single failure, no sig- Manually open makeup flow

( CV C-501-HOV ) 2. Mechanical failure nifloant effect on charging valve or isolate letdown. Falls Open When (valve stuck open) pumps and flous as long as Demanded to Close 3 Power supply failure charging flow la supplied by (Low Level in VCT) CVC-504-CV from the NWT. (See Item 55 for SIAS effect.) .

26. Seal Return Beller 1. Internal or mechani- Loss of reactor coolant to Isolate RC loss with valve Valve (CVC-RV-199) cal failure the reactor coolant drain CVC-507-CV.

Falls Open 2. Maintenance error in tank threugh the 1" relief valve setting valve line instead of re-turning to the VCT. Charrine Punt j , M

27. Charging Pumps Fall 1. Common cause mechant- Loss of charging flow to Isolate letdown. Shutdown cal failure (broken RCS. If only one pump has plant if pressurizar level has diaphram, inlet check failed, pressurizer level dropped too low.

valve failed, etc.) will drop and initiate the

2. Loss of seal and plun- second and/or third pump to ger flush water from resume charging flow. If overhead supply tank charging pumps are unavail-

3. Blockage due to loose able, pressurizer level will parts, debris or resin drop and initiate runback of beads in system letdoun (minimum setpoint of

4. Loss of power on buses 29 gpa). Net RCS loss of 480 V II A,118,14 A, 29 spa, and 14B

Table C2. (continued) Failure Possible causes Effects Remedial Actions

28. Charging Pump 1. Internal or mechanical Part of flow relieves to Isolate faulty relief valves Suction or Discharge failure was*e processing system with manual pump suction Beller Valve (s) 2. Maintenance error in (abow.t 201). Failure of 1 solation valves (CVC-164, Fall Open (RV-315, valve setting discharge relief v111 CVC-170, and/or CVC-176).

RV-318, RV-321, likely open auction relief. Isolate letdown flow if no RV-324, RV-325, Degraded charging pump dia- charging pump la operable. and/or NV-326) charge flow. Probably will not algnificantly impact CVCS system operability, although a loss of reactor coolant to the vaste pro-cessing syates through the failed relief valve, will occur.

1. Loose parts, boron Loss or reduction of char- Isolate letdown. Shutdown j

29. Charging Line to Regenerative fleat buildup, or debris ging flow to RCS. Blockage plant if pressuriser level has Exchanger and RCS in line may cause high pressure at dropped too low to operate.

Plugs (HI Inlet 2. Operator error related charging pump discharge, Valve, HI Tubes, to valve closure subsequent opening of the or FE-212 Plugs) charging pump discharge re-lief valves. Pressuriser level vill drop and initiate runback of letdown (minimum i set point of 29 spm). Net RCS loss of 29 spm.

30. Charging Pumps 1. Loss or control power Excess charging flow deli- Charging flow to the RCS can be Fall to Trip on on 125 VDC panels 11 vered to the RCS. Pressuri- 1solated by the operator with Demand and 21 rer level and press-ee may valves CVC-518-CV and CVC-519-

2. Control signal failure rise. Maximum net increase CV or the breaker can be manu-

Table C2. (continued) Possible Causes Effects Remedial Actions Failure in RCS inventory of 104 gpa ally tripped at the breaker and minimum of 4 spa. front. Demineralized Vater HakeuD

1. Hochanical failure Loss of dominera11 sed water Provide makeup from the EWT and

31. Reactor Coolant teolate normal VCT automatto Hakeup-(RCHU) Pumps 2. Maintenance failure to the RCS on demand. This Fall cn Demand 3. Makeup control algnal would fall operations in the makeup.

fails ( AUTO mode only) DILUTE mode. In the AUTO

4. Loss of power (HCC- mode, if failure was unde-105R and MCC-115R) tected, excess boron addi-tion to the RCS could occur (makeup from the borio acid pumps would be undiluted).

Failure would probably be detected in the MANUAL mode. y Also any metered chemical addition would cease, causing RCS pH to gradually doorease.

32. Filter Downstream 1. Hochanical failure Same as above (loss of de- Isolate filter and repair, and of RCHil Pumps of instrument mineralized water flow). open filter bypese CVC-317 Plugs, and 2. Debris in line PDIS-2530 Falls 3 Maintenance failure

33. Water Hakeup Flow 1. Filter maintenance dame as above (loss of de- Provide makeup from NWT and Element Plugs error eineralized water flow). 1solate normal VCT makeup for FE-210X 2. Hechanical failure repair.

of instrument

Table C2. (continued) Failure Posajble Causes Effects Remedial Actions

34. Water Hakeup 1. Loss of instrument air Same as above (loss of de- Same as above.

Control Valve 2. Control signal failure mineralized water flow). (CV C-210I-CV ) 3 Hechanical failure or Fails Closed plugging

35. Water Hakeup control 1. Control signal or con- Dilution occura in makeup Supply makeup from NWT and re-Valve (CVC-210I-CV) troller failure system if makeup is in AUTO pair component. Failure may be Fails Open 2. Hechanical failure mode. Failure would proba- hard to detect when in AUTO bly be detected in MANUAL mode or if transmitter falla,

3. Flow transmitter failure mode.

Boric Acid Batchine Tank

1. Power supply failure Tank discharge valves could Repair heaters. Utilize borio

36. Immersion Heaters Fall 2. Hechanical failure plug from boron precipita- acid from RC waste evaporator ,

3 Controller fails tion and failure to dissolve if rg uired. A boric acid, which could pre-vent boric acid addition to storage tanks. Could jeopar-d1ze boric acid supply and ultimately result in RCS dilution or failure of boron l addition on SIA3 (although l unlikely).

1. Power suoply failure Same as above. Same as above.

, 37. H1xer Falls ! 2. Mechanical failure

1. Opecator error Low borto acid concentration If failure is detected,

38. Low Doron Con- concentration in BAST can be centration Hakeup 2. Doric acid supplier in boric acid storage tanks error (BASTS). Net result is po- adjusted via calculated tential boron dilution in addition of concentrated borto

   -- .        ..    .                  .              .-     . _.            _   _                     .         _     ~    -.      __.        . _ _ . .-        --
!                                                                                                                                                                    i j

Table C2. (continued) er.-- Failure Possible causes Effects Benedial Actions the RCS in the AUTO makeup acid through the batching mode, and underboration when tank. required in the BORATE mode.

39. High Boron 1. Operator error Excess RCS boration in AUTO, If failure la detected, Concentration 2. Boric acid supplier HANUAL, and BORATE makeup concentration in BAST can be Makeup error modes, adjusted via water addition through the batching tank.

ESTi e Acid Storane Tanks (BASTS) and Punos

40. Heat Tracing on 1. Power supply failure Possibly no effect ainoe Monitor B4ST levels and flow into tank is heated.

2. Hochanical failure locally heat inlet lines to BAST Inlet Falls restore addition capability.

However, borio acid sitting inline could precipitate and , eventually plug line. Boric $ 1 acid addition to BASTa would be prevented. However, j BASTS have large capacity (approximately 9500 gal ea.).

41. BAST Heaters Fall 1. Controller failure Boric acid precipitates and NWT can provide makeup to RCS.

on Both Tanks 2. Power sup?ly failure plugs tank outlet valves if Isolate normal AUTO makeup. (HCC-104R and MCC- solution is not continuously 114R) recirculated (providing mis-

3. Mechanical failure ing). Loss of borio acid ad-dition capability from BAST.

In AUTO makeup mode, RCS bo- ' ron gets diluted. On SIAS no B AST flow is delivered to

• RCS. In MANUAL mode, failure will probably be detected.

Table C2. (continued) Failure Possible Causes Effects Remedial Actiona

42. Heat Tracing to 1. Power supply failure Same sa above. (Losa of Same as above.

Pumps and Gravity 2. Hochanical failure boric acid addition capa-Valves Falls bility from BAST.)

43. Boric Acid Pumps 1. Haneup controller Loss of nomal boric acid Isolate normal AUTO makeup.

Fall failure supply for makeup (AUTO and Initiate emergency boration

2. Power supply failure BORATE modes). Boron dilu- if required with gravity feed

3. Hochanical failure tion occurs in RCS j f makeup valves.

4. Losa of cooling water la in AUTO mode. Failure of to seals or bearings only one operating boric acid pump could also produce this effect if the failure ta not detected and the second pump la not aligned

                                                                         ,for service.

44. Boric Acid Pump t

1. Power supply failure Strainer or other line coe. Same as above. Also the Discharge Line 2. Hocharical failure ponents plug and design flow rectroulation path to the Heat Tracing Falls is lost. Boron dilution BASTa could be realigned to occurs in RCS if makeup is provide flow around the in AUTO mode. atrainer to the VCT, if this i

line la not blocked free heat tracing failure.

45. Boric Acid Hakeup 1. Losa of instrument air Loss of boric acid flow to Failure may be hard to detect control Valve 2. Control afsnel or con- makeup streas. Boron dilu- when in AUTO mode or if trana-(CV C-210Y-CV ) troller failure t(on occurs in RCS if makeup sitter fails. Assesa boron re-Falls closed 3. Mechanical failure is in AUTO mode. quirementa. Open and close or plugging CWC-238 as required to deliver boric acid to RCS via charging pump suction.

Table C2. L:ontinued) Failure Possible Causes Effects Remedial Actiona

46. Boric Acid Hakeup 1. Control signal failure Excess boric acid delivered Assoaa RCS boron non-Control Valve 2. Mechanical failure to the RCS on AUTO or HANUAL oentration. Operate in (CVC-210Y-CV) makeup demand. Failure will dilute mode if necessary.

Falls Open probably be detected in Isolate normal makeup HANUAL model, and utilize makeup from RWT during repair. Volume Control Tank (VCT) Makeup

47. Makeup control 1. Loss of instrument air Normal makeup ( AUTO mode) Verify RWT flow path or ut11tze Valve (CVC-512-CV) 2. Control alsnal failure to VCT is stopped. Relief path from normal makeup aupply Falla closed 3. Mechanical failure or valve (CVC-376) around con- to CVC-504-CV via manual valve plugging (i.e., heat trol valve may open allowing CVC-254.

tracing falla) some askeup to VCT (opens at 70 psig). If VCT reachea , low-low level, makeup will g; automatically be supplied to the charging pump suction > header from the RWT (via CV C-504-H0t ) .

48. Makeup Control 1. Control alsnel failure Potentially no effect in all Secure RCHU pumps and borio Valve (CVC-512-CV) 2. Mechanical failure operating modes, ainee pumpa said pumps if operating.

Fails Open 3. Solenoid failure are off when makeup la not Isolate failed valve, demanded. However, if oon-trol signal failure la the cause, the pumps will also be on, and overfilling of the VCY ca'n occur. Any let-down will be directed to the waste processing system on high level in the VCT.

Table C2. (continued) i

!                  Failure             Possible Causes                   Effects                                                 Remedial Actions Overfilling may prevent mix-ture of required hydrogen with makeup with eventual result of low hydrogen con-centration in the RCS. VCT may overpressurize.

49. Reller Valve 1. naintenance error Minimal effect since pumpa Same as above.

(RV-194) Around 2. Hochanical failure will be off when control

               . Makeup Control                               valve la closed. Relier Valve Falls Open                              valve dumps back into make-up line and into VCT. Any overfill will occur more

alowly since relier line la only 3/4" vs. the 3" diameter ,

makeup line. g

50. RWT Pukeup Valve 1. Power supply failure Loss of charging flow to RCS Isolate letdown if required.

(CVC-504-HOV) 2. Mechanical failure due to loss of flow to char- Operate makeup in manual mode Falls to Open on 3 Control signal failure ging pump suction. Preasu- with makeup stop valve (CVC-Demand (Low Level rizer level may drop and 512-CV) open to restore VCT in VCT) initiate runback of letdown level. Water makeup can fl ow. Potential not RCS also be provided to charging loss of 29 spa (minimum let- pump suction from RCHU pumpa down setting). through the chemical addition tank (1-1/2" line to tank and 1/2" line out of tank to charging pump auction).

   ~ __ -   .     - - -    -     - ~ - _ - _ .            -                    _         ,~,  . _           .             - _ _ - - _-. _- .

l Table C2. (continued) i Possible causes Effects Benedial Actions Failure

1. Maintenance or Same' as above, given that Same as above.

-         51'. Manual valve from W T to CVC-504-                    operator error           makeup from the N T is HOV (component                                              demanded, above) is Closed on Demand SI AS Components

52. BAST Recirculation 1. Loss of instrument air No significant effect, al- Repair component (s). Failure Control Valves 2. Mechanical failure though mixing in BASTS le will be hard to detect.

l (CVC-518-CV and 3. Inadvertert SIAS reduced. Beller valves CVC-511-CV) Fall signal around these rectroulating Closed valves to BASTS outst, but will typtoally not be re-quired since pumps do not , operate unless makeup is *;, demanded, upon which main pump discharge line also opens to VCT. , 53. BAST Recirculating 1. Maintenance failure Potential not reduction in Provide emergenor boration Control Valves 2. Mechanical failure SI boric acid flow but not with gravity feed valves, (CVC-518-CV or a significant amount (<255). as required, bened on BCS baron CVC-511-CV) Fall requirementa, to Close on SI AS Demand

54. Boric Acid Gravity 1. Pouer supply failure One path for boric acid Verify operability of other Feed valves (CVC- 2. Mechanical failure addition to charging pump boric acid path to charging i 508-HOW and CVC- 3 Control sisnel failure auction is lost. Other path pump suction.

509-MOV) Fall to from boric acid pumps via Open on SIAS Demand CVC-514-MOV remains. i

Table C1. (continued) Failure Possible causes Effects Remedial Actions

55. VCT outlet Valve 1. Power supply failure SIAS boric acid flow direct- Attempt to manually close (CvC-501-HOV) Falls 2. Hochanical failure ly from BAST is diluted with valve.

to Close on SIAS 3 Control alsnal failure VCT flow. Extent of dilu-Des N tion depends on system hy-draulica (discharge heada, etc.). VCT volume la 3680 gal. Less shutdown margin than desired due to dilution.

56. Spare Charging Pumps 1. Power supply failure Potentially only 1/3 capa- Manually start charging pumpe Fall to Start on (4 KY Bus 11 or k KV city SIAS boric acid flow on detection of failure, if SIAS Demand Eua 14) delivered to the RCS on pumps are not failed

2. Mechanical failure demand. Reduced shutdown mechantoally.

3. Control signal failure margins achieved.

57. Seal Return Valves 1. Hochanical failure No algnificant effects on Attempt to manually close the j to VCT Fall to 2. Contrcl alsnal SI capability. VCT may fill valves. Open the VCT outlet close on SIAS Demand failure from seal return since SIAS valve if the VCT bas filled to will close the VCT outlet too high a level.

valve, but the fill rate will be slow.

58. SIAS Falls to 1. Control alsnal failure Autcastic delivery of con- Initiate emergency beration all CVCS Components 2. Control power failure centrated boric acid from alignment on detootton of

, (although control CVCS (132 spo design flow) reilure. Flow from CVCS is power default may is failed. probably not required on Produce an SIAS) SIAS, but providea a safety I margin. l

i Table C2. (continued) Possible causes Effects Remedial Actions Failure Chemical Hakeup

59. Hetering Pump Falls 1. Power supply failure Loss of normal continuous Pump can be operated locally

2. Hochanical failure chemical addition. Failure if AUTO control has failed.

AUTO control will be hard to detect. RCS cheelstry can be corrected

3. by flushing cheoloals into signal failure Gradual decrease in RCS pH.

4 Loss of pump cooling the charging pump suction water via the cheetcal addition tank and RCMI pump (a).

60. Hetering Pump Falls 1. Control alsnal failure Excess hydroxide delivered Adjust RCS chemistry with to Stop in AUTO 2. Loss of control power to RCS. Gradual increase addition of water and borio Hode in RCS pH. Failure say be acid and letdown reactor hard to detect. ooolant to waste processing system. ,

A

61. Chemical Addition 1. Operator or hro paths are available, Same as for metering ptop Discharge Block maintenance error with one normally open. failure (correct chemistry with Valve (s) (CVC-264, 2. Yalves stuck closed Metering pump suction valve flushing through the chemical CVC-296, CVC-338, can fail both patha. One addition tank) if valve to CVC-348, CVC-471, valve on each path can fail charging pump suction (CVC-338)

CVC-478) are Closed cheetcal addition. Failure la not stuck closed. l will be hard to detect. Hetering pump discharge may overpressurize, contributing to pipe break. Loss of normal chemical addition can lead to gradual decrease in

!                                                      RCS pit.

Table C2. (continued) Possible Causes Effecta Remedial Actions Failure

62. Makeup Error in 1. Operator error Wrong chemical concentration Failure may be hard to detect in HCS (pH too high or too unless RCS grab sample is Chemical Addition 2. Chemical supplier normal procedure. RCS coe-Hetering Tank error low). Long term effect, position can be adjusted (Hydroxide Concen- quickly with flush from tration Too High chemical addition tank.

or Too Low)

1. Operator error Loss of normal (slow) chemi- Restore tank integrity.

63. No Chemicals in Chemical Addition 2. Tank drain valve cal addition. Failure vill Utilize flush tank as required.

Hetering Tank open be hard to detect. Gradual decrease in RCS pH.

1. Potential debris in system Isolate strainer and/or

64. Chemical Addition Internal failure may fail charging pumps and chemical addition. Isolate (Flush) Tank 2. Maintenance failure letdown flow if charging flow Discharge (strainer reversed charging flow. See other -

or not replaced) " loss of charging flow" has failed. E Strainer Failed effects. Pressurizer Level Reaulatins System Interfaces

1. Loss of power to bus Letdown control valve clo- Assume manual control of let-

65. Loss of Non-Vital ses, backup charging pump down valve and charging pump Power to Regulating 2. Fault on bus start and all pressurizer operation. If power on 1YO1 or System Relays (AC 1Y02 failed ut11tze the un-l heaters de-energtze. Pre s-l bus 1Y10) or Loss of surizer high level transient failed power supply to resume l

Vital Power to with potential for high pressurizer level control. Regulating System pressure transient from Pressurizer heaters can also be B1 stables (bus 1Y10 turned on manually. or 1YO2) operating charging pumps on Iow pressure transient if loss of heaters is control-ling. I

1 Table C2. (continued) Possible Causes Effects Remedial Actione Failure

1. Power surge fails Letdasn control valve opens, Assume manual control of CFCS

66. Pressurizer Level components. Failure may be Transmitter Falla pouer supply regulator while any operating backup High (LT110Y or 2. Capacitance bridge charging pumps trip. V CT hard to detoot, low pressure LTI107) circuit fails or other fills. Level in pressurizer transient may be only indica-internal components drops. Pressurizer backup tion. Switch to alternate fall heaters energize on initial regulating system (i.e. , system high level signal and on I tr Y transmitter as failed).

subsequent low pressurizer pressure accompanied by the inventory loss. Heaters would not de-energize on ac-tual low level in preasuri-zer as designed due to the transmitter failure. Net loss in RCS inventory of 84 spa. With incorrect opera- @ tor response (opening other letdown control valve and tripping laat charging pump) net letdown flow (RCS losa) could be as high as 230 spa.

1. Loss of power to High level transient in Switch to alternate regulating

67. Pressurizer Level system (i.e., system I if Y Transmitter Falls transmitter (Bus 1Y01 pressurtzer. Letdown con-Low (LT110I or or 1YO2) trol valve runs back, backup transmitter is failed). Assume

2. Internal transmitter charging pumps start, and manual control of CWCS compo-LT110Y) components fail pressurizer heaters de-ener- nents (trip pump and isolate siz e. Potential high pres- letdown as required).

sure transient in pressuri-zer with potential to open PORV 's. a

d I r lT Table C2. (continued)

!                                                 Failure       Possible Causes                    Effects                    Remedial Actions

68. Pressurtzer Level 1. Signal fault Pressurizer overf111. Cor- Switch to alternate regulating Setpoint (from 2. Setpoint device fault rect pressuriser level will ayatos (I or Y) on detection Reactor Regulating appear low and extra char- of failure. Adjust RCS inven-l System) Fails High ging pumps and runbeck of tory with CVCS.

letdown flow will be initta-ted, resulting in overfill of the pressurizer. High pressurizer level will ap-pear normal and correct con-trol response (energize hea-ters, stop backup charging pumps and increase letdown) will not occur.

69. Pressurizer Level 1. Signal fault Correct pressurizer level Switch to alternate regulating Setpoint (from RRS) 2. Setpoint device fault will appear too high, ayates (I or Y) on detection Fails Low causing any extra charging of failure. Adjust RCS inven-6 pumpa to trip and the let- Lory with CFCS.

down control valve to run open; actual level in pres-surizer will then be too low, but heaters will still be operating based on de-j creasing pressure tranatent and erroneous high level indication in pressurizer.

Table C2. (continued) Failure Possible Causes Effects Remedial Actions Letdown TeeDerature Control If high letdown temperature TI-223 provides a bookup for

70. Temperature 1. Loss of power supply exists (letdown HI failure, correct temperature indication.

Transeitter (TT-224) to transmitter etc.) automatio bypass of Assume manual control of valves on Letdown Heat 2. Internal transmitter Exchanger Discharge components fail radiation monitor, borono- to bypees required equipment. Fails Low meter, and ion exchangers will not be initiated. Po-tential damage may occur to this equipment. Failure of the boronometer may be a significant effect from this transient.

71. Temperature 1. Loss of power to Same as above. Same as above.

Controller (TIC-224) to controller @ Output Falls Low 2. Output wire is failed (assume signal out- (corroaton or broken put is proportional during maintenance) to power supply)

72. Temperature 1. Power surge falls Radiation monitor, borono- Assume manual oomtrol of Transeitter (TT-224) power supply regulator meter, and ion exchangers in bypass valves based on TI-223.

or controller 2. Internal components letdown system are bypassed. (TIC-224) Falls High fall Loss of continuous puriffoa-tion and monitoring of RC activity and boron concen-tration.

Table C2. (continued) Failure Possible causes Effects Remedial Actions Volume control Tar.k Laval control 4

73. VCT Level 1. Loss of power to Failure causes controller Assume manual control of Transmitter (LT-226) transmitter LC-227A and B to initiate appropriate valves to stop Fails Low (LT-226 2. Internal components makeup from the RWT (via overfill. Failure may be hard provides input to fail CVC-504-MOV) and to close to detect since all VCT level LC-227 A, LC-227B the VCT outlet valve. Fall- indication la based on this and LC-226) ure also causes controller transmitter.

LC-226 to initiate makeup to the VCT and fail to shut off makeup when required. The VCT would overfill. Diver-slon of letdown to the waste processing system on high VCT level (from LC-227) would also be failed, con- g tributing to the overf111.

74. TCT Level 1. Power surge fails Failure causes controller Manually initiate enkeup from Transmitter (LT-226) power supply regulator LC-227 to divert letdown the RWT and then realign VCT Fails High 2. Internal components flow from VCT to the waste letdown inlet valve to the VCT.

fail processing syntes and causes Failure may be hard to detect LC-226 to fall to provide since low level indicatiton and needed automatic makeup to alare will be failed. the VCT as the VCT level drops. The failure also causes controller LC-227 to fail to initiate makeup from i the RWT, when VCT level is actually low, resulting in loss of flow to the charging pumps and loss of charging l l l

-i Table C2. (continued) Failure Fossible causes Effects Benedial Actions flow to the RCS. The VCT could espty on the order of a half hour from the trans-mitter failure.

75. Level Controller 1. Loas of power to Automatio diversion of let- Assume manual control of the LC-227 A) Output controller down from VCT to waste pro- valve CV-500 as required to Falls Low (assume 2. Output wire is failed cessing system on high level avoid overfill, signal output is (corrosion or broken in VCT would be failed. .

Proportional to during maintenance) Potential for VCT overf111. Power supply) 3. Other internal failure Charging flow would not be affected.

76. Inadvertent Output 1. Power surge Inadvertent diversion of Assume manual control of thia From Level 2. Other internal failure letdown to the waste proces- valve based on VCT level. ,

l sing system. Other makeup, gl Controller (LC-227 A) either from VCT makeup or RWT, will be provided for charging flow. Flow deli-wered to the RCS may be cooler than design tempera-ture.

77. Level controller 1. Loss of power to On low-low level in VCT, Assume manual control of this (LC-227B) Output controller makeup from the RWT is valve bened on VCT level.

Falls Low (assume 2. Output wire is failed failed resulting in loss of signal output is (corrosion or broken charging flow to the RC3. proportional to during maintenance) power supply) 3. Other internal failure

Table C2. (continued) Failure Possible Causes Effects Remedial Actions

78. Inadvertent Output 1. Power surge No alanificant effect. Repair component.

From Level 2. Other internal failure Opena WT makeup valve. Controller (LC-227B) hore flow available to charging pump section. VCT Makeuo control

79. Makeup Level 1. Loss of power to No effect unless makeup Operate VCT makeup in manual Controller (LIC-226) controller controller la in AUTO, which mode and verify operability Output Fails 1ow 2. Output wire is failed it normally la. If in AUTO, of backup makeup from W T.

(corrorion or broken VCT makeup fails on demand. during maintenance) Backup makeup from WT 1s

3. 6ther internal failure still operable.

80. Makeup Level 1. Power surge If makeup control is in Amaume manual control of ,

Controller (LIC-226) 2. Other internal failure AUTO, makeup to VCT is makeup and repair component. 3 Output Fails High initiated and not stopped when required. VCT may overf111. VCT level alarm will not be affected by failure and u111 annunciate on high level in tank.

81. Loss of Power to 1. Loss of power to panel Assuming panel requires Restore power to panel.

Makeup Flow Control 2. Fault at panel power tc actuate equipment, Utilise makeup from the WT Unit makeup valves fall closed and emergency boration path as and pumps stop. No makeup required. is delivered to the VCT. Automatic makeup from the WT will still be available on low level in the VCT.

Table C2. (ccenti nued) Failure Possitle causes Effects Remedial Actions

1. Runs water supply con- When makeup mode is in AUTO,

82. Water Hakeup Flow 1. Maintenance error or flow tranaeltter hae failed,

2. Flow transmitter trol valve open when it '

controller (FT-210I) failure should be running it failure will be hard to detoot. (FRC-210I) Falls back. Overfeed of water Repair component. 3 Other internal failure In makeup. Potential long term boron dilution in RCS.

2. Runs water supply con- Same as above.

trol valve back when it should be running it open. Unt. feed of water in makeup and potential for long ters overboration of RCS. , S

83. Boric Acid Hakeup 1. Maintenance error 1. Runs boric acid supply When makeup mode is in AUTO, Flow transmitter valve open when it or flow transmitter has failed, Flow Controller 2. ,

(FRC-210Y) Falls (FT-210I) failure should be running it failure will be hard to detect. 3 Other internal failure back. Overfeed of borto Repair ocoponent, acid in mak3up and po-tential for overboration of the RCS.

2. Runs toric acid supply Same as above.

vaM: back when it should be running it open. Underfeed of boric acid in makeup and potential for underboration of the RCS.

Table C2. (continued) Failure Possible causea Effects Remedial Actions

84. Makeup Hode 1. Printed circuit 1. Dilution instead of Isolate VCT makeup. Assoaa Selector Failure board failure boration may occur and problem and BCS boration.

vice versa (unless Liner Correct as required, then must be set to get flow, repair failed componenta. i.e., if boric acid line timer uas not set, no flow could be dia-charged).

2. Manual mode instead of Operate with W T makeup and AUTO vould result in repair component.

loss of automatie makeup to the VCT. Makeup from the WT would still be , available. E 3 Dilute or borate modes Isolate VCT makeup. Assena instead of manual (i.e., problem and BCS boration. makeup pumps and borio Correct as required, then acid pumps would not repair failed components, operate at the same time). Results in po-tential RCS over- or under-bora tion.

l Table C3 Pressurizer level regulating system FMEA Possible causes Effects Remedial Actions Failure Loss of Non-Vital 1. Loss cf power to bus Letdown control valve Assume manual control of let-

1. down valve and charging pump Power to Regulating 2. Fault on bus clases, backup charging System Peleys (AC pumps start and P11 operation. If power on 1Y01 or

! bus 1Y1() pressurizer heaters de- 1Y02 failed utilize the un-l energize. Pressurizer high failed power supply to resume level transient with poten- pressuriser levet control. tial for high pressure tran- Backup for 1Y01 and 1Y02 is stent from operating alea available on bus till. charging pumps or low pres- Trip charging pumps as re-l sure transient if less of quired. Turn on pressurizer j heaters is controlling. heaters manually as required. l Manual control of letdown valve is lost. If bus is not ( faulted manually align backup bus 1Y09. , E

2. Loss of Vital Power 1. Loss of tower to bus Same as above. Assume manual control of let-to Regulating System 2. Fault on bus down valve and charging pump l rporation. If power on 1Y01 or

! B1 stables (bus 1Y01 or 1YO2) If02 failed utilize the un-l ' failed power supply to resume l l pressurizer level control. Backup for 1Y01 and 1Y02 is l also available on bus 1Y11. Trip charging pumps as re-l quired. Turn on prassurizer l heaters manually as required. l Hanual control of letdown l valve is lost. If bus is not faulted manually align backup bus 1YO9. j l l l

Table C3 (continued) Fail ure Possible causes Effect s Remedial Actions

3. Pressuctzer Level 1. Power surge fails Letdown control valve opens, Amaume manual control of CFCS Transmitter Falla power supply regulator while any operating backup components. Failure may be High (LT110I or 2. Capacitance bridge charging pumps trip. Level hard to detect, volume control LT110Y) circuit fails or other in pressurizer drops. Pres- tank high level may be only internal components surizer backup heatera ener- indication. Switch to alter-fall size on initial high level nate regulating system (i.e. , '

alsnal. Heaters would not system I if f transe1Lter is de-energize on actual low failed). level in pressurizer as de-signed due to the transmit-ter failure. Potential heat damage to pressurizer. Net loss in RCS inventory of 84 spe. With incorrect opera-tor response (opening other , letdown control valve and 8 tripping last charging pump) net letdown flow (RCS losa) could be as high as 256 spa.

4. Pressurizer Level 1. Loss of power to High level transient in Switch to alternate regulating Transeitter Fails tranaatttar pressurizer. Letdown con- syntes (i.e., ayaten I af Y I

Low (LT110I or 2. Internal transmitter trol valve closes, backup transmitter la failed). Assume LT110Y) components fall charging pumps start, and manual control of CUCS compo-heaters de-energize. Poten- nents (trip pump and isolate tial high pressure transient letdown as required). from operating charging Pumps or low pressure tran-sient if loss of heaters is controlling. l l l I e

Table C3 (continued) ~ Possible causes Effects Remedial Actions , Failure i Pressurizer overfill. Suttoh to alternate regulating

5. Pressurizar Level 1. Signal fault Setpoint (from 2. Setpoint device fault Correct pressuriser level system (1 or Y) on detection will appear low and extra of failure. Adjust RCS inven-d reactor regulating system) Falls High charging pumps and runback Lory with CVCS.

of letdown flow will be ini-tlated, resulting in over-fill of the pressuriser. High pressurizer level will appear normal and correct control response (energize heaters, stop charging pumps and increase letdown) will not occur. 4

1. correct pressurizer level Switch to alternate regulating

6. Pressurizer Level Signal fault Setpoint (from RRS) 2. Setpoint device fault will appear too high, system (I or Y) on detection $

Falls Low causing any estra charging ;of failure. Adjust RCS inven-pumps to trip and the let- ' tory with CUCS. down control valve to run open; actual level in pres-surizer will then be too low. Heaters will be ener-gized based on er.aoneous high level indication in pressurizer, but will still de-energize if 10-10 level setpoint is reached, since 10-10 setpoint is indepen-dent of operating level set-Point. On a reactor trip, pressurizer could empty.

Table C3 (continued) Failure Possible Causes Effecta Benedial Actions Potential pressurizer damage l if heaters fail on.

7. Pressurizer Level 1. Loss of power to Heaters are inadvertently Switch to alternate (I or Y)

H1 B1 stable (LC- module resulting in energized and all but one regulating system to utilize 110XH or LC-110YH) failure to de-ener- charging pump is stopped, redundant operable b1 stable. Contacts Fall Open sized position On low level LA-110XL or YL (assumed normally 2. Burnout or waarout of would start pumps again. energized closed) power related compo. High pressure transient nents (contacts, etc.) would be initiated but ter-minated by pressuriser spray (by pressure regulating system).

8. Pressurizer Level 1. Contact short or Hesters would fail to ener- Switch to alternate (I or Y)

Hi B1 stable (LC- arcing caused by cor- gize on high level and if regulating system to utilize h 110XH er LC-110YH) tosion, aging, pois- backup charging pumps were redundant operable b1 stable. Contacts Fall closed ture, swell, etc. operating they would fail to (assumed normally trip automatically. Letdown energized closed) control valve would still open on demand. Net RCS gain of only 4 spe. Pre s-sure regulating system would not turn on heaters (no low pressure developing). Slow pressurizer overfill tran-sient. High level alarm would still be operable.

i i Table C3 (continued) Possible Causes Effects Remedial Actions Failure

1. Loss of power re- Even if level was not low, &#1toh to alternate (I or Y)

9. Lo-Lo B1 stable (LC- regulating system to utilise sulting in failure to or if pressure was low, 110XL or LC-110YL) redundant operable b1 stable.

Contacts Fall Open de-energized position pressurizer heaters would (assumed normally 2. Burnout or wearout of de-energize, resulting in i energized closed) power related compo- slow pressure decrease in ponts the pressurizer.

10. Lo-Lo B1 stable (LC- 1. Contact short or On low low level, heaters Switch to alternate (I or Y) 110XL or LC-110YL) arcing caused by cor- will not de-energise. Char- regulating system to utilise Contacts Fall closed rosion, aging, mois- ging pumps will still ener- - redundant operable blatable.

' (assumed normally ture, swell, etc. gise and letdeun control Asitch manual heater control energized closed) valve will close on demand. from "AUT0" to "0FF". Potential pressuriser damage t from dry heater operation if low low level estats. Lo-lo level alare may also be j failed, but low level alarm will be operable. k i

11. Lo B1 stable (LA- 1. Loss of power re. All charging pumps energise &#1toh to alternate (I or Y) 110XL or LA-110YL) sulting in failure to and, on low level, low level regulating system to utilise

!                                                   Contacts Fall Open      de-energized position     alarm fails. Lo-lo level       redundant operable b1 stable.

i (assumed normally 2. Burnout or wearout of alarm will still function on energized closed) power related compo- demand. Automatio response j of letdown control valve is nents 4 not affected. Net RCS gain 1 I of 4 spa. 4 1 i l i I i l l

Table C3 (continued) Failure Possible Causes Effects Remedial Actions

12. Lo B1 stable (LA- 1. Contact short or Low pressurizer level alara Switch to alternate (I or Y) 110XL or LA-110YL) arcing caused by cor- will actuate inadvertently, regulating system to. utilize Contacts Fall closed rosion, aging, mois- May induce operator to ratae redundant operable b1 stable.

(assumed normally ture, swelling, etc. level, initiating an in-energized closed) creasing level transient. High level alarm la not affected by failure and should actuate if level gets high enough.

13. 1.1 B1 stable (LA- 1. Contact short or On high pressuriser level, Switch to alternate (I or Y) 110IH or LA-110YH) arcing caused by cor- high level alars falla. Hay regulating syntes to utilize Contacts Fall Open rosion, aging, nois- degrade operator response in redundant operable b1 stable.

(assumed normally ture, swelling, etc. the event of high level. l energized open) Automatic response of let- , down control valves and g charging pumps is not affected.

14. Hi 51 stable (LA- 1. Loss of power to High pressurizer level alara Switch to alta-nota (I or Y) module resulting in will actuate inadvertently. regulating syntaa to utilize 110XH or LA-110YH)

Contacts Fall Closed failure to nonpower May induce operator to lower redundant operable blatable. (assumed normally position level, initiating a de-energized open) 2. Burnout or wearout of creasing level transient. power related compo- Low 1cvel alara is not af-nents (contacts, etc.) rected by failure and should annunciate if level gota low e nough. I l

                   ~ . ,                                                                                                                    --- .     - - _ _ - - . - _ - _ _ - ,

1, I I Table C3 (continued) 1 Possible Causes Effects Remedial Actions Failure

1. Loss of power to Backup charging pumps start Switch to alternate (I or Y)

15. LIC-1101 (or LIC-110Y) Controller controller and letdown control valve regulating system to utilize Output wire is failed closes. Increasing level redundant operable controller.

Falls Low 2. Trip laat charging pump if (Iow output) (corrosion or broken transient initiated. At during maintenance) high level alarm setpoint, level rise la not controlled.

3. Other internal failure alarm will still annunciate and LC-110H will de-energize

! backup charging pumps. Net RCS gain of 15 spe (44-29) after backup charging pumps trip.

16. LIC-1101 (or LIC- 1. Power surge Backup charging pumps trip Switch to alternate (I or Y)

110Y) Controller 2. Other internal failure and letdown control valve regulating nyates to utilize Fails liigh ope ns. Decreasing level operable controller. ,

(high output) transient initiated. But, g l 4 at low level alare setpoint, low level alars will annun-clate and backup charging l pumps will start automat 1-cally. Level will maintain around low level setpoint with pumps starting and stopping. I 17. Charging Pump 1. Contact short or Backup pumps will fail to Manually operate backup pumps B1 stables LC-110-1 arcing caused by cor- energtze from controller on as required.

and 110-2 Fall On rosion, aging, etc. dema nd. Low level alarm bi-l (contacts closed) stable will not be affected by failure and will start l and stop both pumps around low level setpoint.

d i

Table C3. (continued) Failure Possible Causes Effects Benedial Actions

18. Charging Pump 1. Loss of power Backup pumps will start in- Manually trip pumpa as required B1 stables LC-110-1 2. Burnout or waarout of advertently. High level to maintain level.

and 110-2 Fall Off power related compo- alarm will not be affected (contacts open) nents by failure. When level reaches setpoint of LC-110EH or TH bistable, pumps will deenergize.

19. Relays (LC-110H) 1. Burnout or waarout of On high level, heaters are Manually trip pa pa as required Fail to Close on power related compo- not energized and charging to maintain level.

Demand (when de- nents pumps are not stopped, but energized and when letdown control valve will h1 level exists) atill open. Net minimum RCS gain of Il spa.

20. Belays (LC-110H) 1. Loss of power No significant overall Manually control charging k Fail closed 2. Contact short or effect. Pressurized heatera pumps.

(normally energized arcing caused by cor- are inadvertently energized open) rosion, moisture, and backup charging pumps aging, etc. will stop. Heaters will de-energize if lo lo level exista. Also spray can off-set any pressure effect. Backup charging pumps will not be started automatically on demand, but letdown con-trol valve can still respond to any low level transient.

Table C3 (continued) Possible causes Effects Remedial Actions Failure

21. Relays (LC-110L) 1. Contact short or Heaters will not automat 1- Manually switch heaters off on Fall to Open On arcing caused by cor- cally de-energize on lo lo lo lo level alare.

rosion, moisture, level. Potential pressuri-Demand (when de-energized and when aging, etc. zer damage, lo lo level exists) Heaters would fail to ener- Monitor RCS pressure. Manually

22. Relays (LC-110L) 1. Loss of power Fall open (normally 2. Burnout or wearout of gize on demand. Could lead control heaters as required, energized closed) power related compo- to low pressure transient in pants RCS, with potential core boiling. Also degraded level control on high level in pressurizer.

23. Chargir.g Pump Relays 1. Burnout or wearout of On demand, backup charging Manually control pumps as re- _

Fall to close (when power related compo- pumps will fail to start. quired. Monitor level and let- $ de-energized and on ponts Letdown control is not down control valve performance, lo level) affected and can maintain Utilize apare relay from pump level. selection. 231. Charging Pump Relays 1. Loss of power All charging pumps are ener- Charging pumps can be manually Fall Closed 2. Contact short or gized. Letdown control tripped and started. Manually arcing caused by cor- valve will run open in re- operate pumps as required. rosion, moisture, sponse to resulting high aging, etc. level. Net RCS gain of 4 gpm (132-128). I

Table C4 Reactor coolant pressure regulating system FMEA Failure Possible Causes Effects Remedial Actions

1. Pressure Trans- 1. Loss of power on A sero current demand signal Switch to alternate regu-mitter (PT-100Y or operating vital bus will be produced indicating lating system (I or Y) to PT-100I) Falls Low (1Y01 or IT02) a low pressure condition, utilize operable alternate

2. Loss of power to Pressurizer spray valves transmi t ter. Also utilize transmitter (faulted will close, all pressuriser manual control of heaters and/

wires, etc.) heaters will energize and a or spray, as required.

3. Internal transmitter low pressure alarm will an-cosponents fail nunciate. Actual pressure will increase due to heater operation, which will cause the PORVs to lift. If fault is loss of vital pouer and pressurizer level regulating system is on same bus, all heaters will de-energize on ,

a false to-lo level signal. 3 The spray valves will still be closed and a low pressure alars will still annunciate, but no transient will deve-lop. If a high pressure transient did develop, manu-al response would be re-quired to open spray valves. If low pressure existed, the heaters could not be ener-gized as required, even san-ually. A decrease in pres-sure would occur with an eventual thermal margin / low pressure reactor trip.

                                                                                                          - - - - - - - _ _ __   _ _A

Table C4. (continued) Possible causes Effects Remedial Actions Failure Suttoh to alternate regulating

2. Pressure Trans- 1. Power supply regu- Spray valves will open fully, all heaters will system (I or Y) to utilise mitter (PT-100Y or lator fails due to de-energize, and high pres- operable alternate transmitter.

PT-1001) Fa!!s High power surge

2. Internal transmitter sure alarm will annunciate. Isolate spray with manual components fall Actual pressure will de- controller and manually ener-crease due to 375 spa spray size heatera as required.

flow at 548"F. Reactor trip will have occurred by 1750 psia from thermal margin / low pressure trip (assume BT pressure trans-sitters are separate from regulating system trans-mitter). Backup ifeater 1. Power surge Backup heaters would ener- Suttoh to alternate regulating $ 3

2. Failure of b1 stable gize. Pressure would system (I or Y) to utilize Controller (PC-1001 alternate operable controller.

or PC-100Y) Falls relays in closed start to increase, but Low position (contact would be controlled by short or arcing) pressurizer spray via controller F1C-100I (or Y).

1. Loss of power Backup heaters fall to Utilise alternate regulating

4. Backup Heater Controller (PC-100I resulting in failure energize on low pressure system (I or Y), or manually or PC-100Y) Fails to de-energized post- demand. If pressure dropa energise heaters with 1HS100-4 Iltah tion (wire failure) low enough, thermal margin / to maintain pressure.

2. Burnout or waarout low pressure reactor trip of power related will occur.

components (contacts, etc.)

Table C4 (continued) Failure Possible causes Effects Benedial Actions

5. Proportional 1. 1.oss of pouer to Pressurizer spray valves Utilise alternate regulating Controller controller close and proportional system (I or Y). Manually (PIC-100Y or 2. Internal failure heaters energize. Pressure turn on spray if required to P1C-100I) Fails would slowly increase in reduce pressure and avoid Low pressurizer, with eventual reactor trip.

high pressure alarm. POW s may lift with high pres-sure reactor trip. High pressure alars operability is not affected by failure.

6. Proportional 1. Pouer surge Pressurizer spray valves Isolate spray with manual controller 2. Component short or are opened and proportional control. Utilize alternate (P1C-100Y or arcird or other heaters are de-energized. regulating system for FIC-100I) Falls internal component Pressure decrease in pres- continued operation.

High failure surizer, which cannot be g offset by backup heaters. Low pressure alars will annunciate. Eventual thermal margin / low pres-sure reactor trip. Pressure may continue to drop. At 1600 pala safety injection signal will actuate.

7. High Pressure 1. Contact short or High pressure alem in- Terify alarm condition with Alarm B1 stables arcing caused by advertently annunciates. operable b1 stables on alternate (PA-100I or corrosion, aging. This may indu2e the oper- regulating syntes (I or Y)

PA-100Y) Fall moisture, swelling, ator to reduce pressure before taking manual action. Closed etc. manually by opening spray

2. Power surge valves and de-energizing heaters. If pressure dropa D-

l Table C4 (continued) Failure Possible Causes Effects Benedial Actiona low enough, thermal margin / low pressure reactor trip will occur. Operator would probably stop pressure f reduction at this point. I Also, low pressure alare may not be affected by the failure and say annunciate. j

1. 1.ow pressure alare in- Verify alaru condition with l 8. 1.ow Pressure Contact short or operable b1 stables on alternate i Alarm B1 stables arcing caused by advertently annunciates.

(PA-100I or corrosion, aging, This may induce the regulating syntes (I or Y) noisture, swelling, operator to increase before taking annual action. PA-100Y) Fall Closed etc. pressure manually by

2. Loss of peer stopping any pressuriser ,

resulting in spray and turning on 3 failure to de-ener- heaters. High pressure sized position alarm may not be affected by the failure and may annunciate. Pressure Alara 1. Wearout or burnout High or low alare condi- Failure may be herd to detoot. 9. B1 stables of power related tions are not annunciated On detection, utilise alternate (PA-1001 or components 30 that operator backup systes. PA-100Y) Fall to automatic response to to Initiate alare conditions is not Alaras available.

10. Spray Valve 1. Loss of power on Pressurizer spray fails to iltilise hand controller as Controller bus 1Y09 or to actuate on demand. No required to actuate spray (1Y09) Falls component other effect unless system flaw and reduce pressure.

1.ow 2. Internal failure pressure is out of balance

    - - . - - . _- -_ _ - - _ - . - . - - . _ _ -                     . _  - .        . _ . . . - . . _ . . - .         -     .   . _ - ~ . .    .-. . _ . .   ..- . _ _ - . . - _.   ._

Table C4. (continued) Failure Possible Causes Effects Semedial Aetiens 1 i (high). Then Four may lift and high pressure reactor trip may occur.

11. Spray Talve 1. Power surge Pressuriser spray fails on Isolate spray with manuel controller 2. Component short (375 som mas). Pressure control.

l (1Y09) Fatts or arcing or decrease in pressuriser High other internal which cannot be offset by component fault heaters. Law pressure

;                                                                                                   alarm will samunciate.

j Eventual thermal margin / low pressure reactor trip will occur. Pressure may continue to drop. At 1600 psia safety injectica signal , a will actuate. g , 12. Loss of T1tal 1. Loss of power to Loss of vital power will Ot111se operable power supply l Pouer on bua fail the pressure trama- en alternate regulating Operating Bus 2. Fault on bus mitter low. If the pres- system (I or T). (1Y01 or 1702) surizer Level Begulating System is still powered l (i.e., on the alternate bus) all heeters will be i energized and the pressur-iner spray valves will l close; 1.e., a high pressure transient will occur; but a low pressure alarm will annunciate. The operating i Pressurizer Level Regula- ! ting System was on the i

Table C4 (continued) I Possible causes Effects Remedial Aettene Failure failed bus, the heaters will de-energise on a falso lo-lo level signal. The  !

• spray valves will still be failed closed and a low pressure alare vill still annuseiste. No particular transient will develop from this failure, but estattag high pressure transients would require manual response and a low pressure transient could not be coa-trolled since the heaters could not be energized, ,

even manually, d

1. Loss of power to bus Pres *drizer spray valves Energise backup bestera

13. Loss of Non-Vital will close and boekup sommelly (with headawiteh) as Power on Bus 1Y09 2. Fault on bus beaters will de-energise. required to restore pressure.

Proportional heaters will also fall off. Lou pressure transient will develop. May get low pressure alors. ,

i Table C5. Reactor regulating system FMEA Failure Possible causes Effects Benedial Aetione

1. Loss of Instrument 1. Loss of normal pouer Loss of guick-open to atson- 1. hiteh to alternate supply Power via 125 Y supply to bus pherto disaps and turbine by- of hueos.

AC Bus Failure 2. Fault on bus pass valves. Laos of signal to pressuriser level con- 2. Suiteh to other abammel of troller. 383.

2. I/I Signal Error 1. Sensor failure 1. Proportional steam dump 1. No effeet from valve pro-free RC3I System 2. I/I failure valve errors la directica partional errers, unless Fails Te or Th of signal error. turhine trips.

  -Righ cr Lew

2. Pressuriser pre- 2. pressuriser level system programmed setpotat mill cheese pressuriser for level, errors in level-operator aetica direction of signal needed to eerrect.

error.

3. h iteh to useffected BBS 3 ehemsel.

3. Chamael selector Mechealcal failure 1. Proportional steen duay 1. Be effect free valve pro-Switch Falls Signal valve errors la direction partional errors, maless High or Low of signal error. turbias trips.

2. Pressuriser pre- 2. Pressuriser level systes programmed setpotat mill eheage preneuriser for level, errore la level-operater action directica of signel needed to correct.

error.

3. Suitek to unaffected BBS ehennel.

4

                                                                                                                       = . _
                                                                                                                             =

I Table C5. (continued) Failure Possible Causes Effects Bemedial Actior.e

1. Electromechanical 1. Proportional stone dump 1. No effect free valve pro-

4. Network Suoming Resisters Fall failure valve errors in direction portional errore, unless of signal error, turbine tripe.

Signal High or Low

2. Pressurizar pre- 2. Pressuriser level systes prograssed setpoint will change pressuriser for level, errors in level-operator action direction of signal needed to correct.

error. l

3. Suttoh to unaffected RRS ohannel.

5. Turbine First Stage 1. Power loss 1. Proportional staan d ep 1. No effect from valve pro-Pressure Signal 2. Transmitter failure valve errors in direction portional errore, unless Falls High or Low 3. I/I failure of signal error. turbine tripe.

4. Basistor failure O

2. Pressurizer pre- 2. Prosauriser level system prograssed setpoint will abange pressuriser for level, errors in level-operator action direction of signal needed to correct.

error.

3. a,1tok to unerfected nas channel.

6. Steae 1 Amp Analog 1. Failure of electrical 1. Steam dump proportional 1. No effect on system in output component components control error. normel operation.

31gnal Falls High or Lou (excluding quick opening bi-stable failure high)

Table C5. (continued) Failure Possible Causes Effects Benedial Aetions

7. Level Setpoint 1. Failure of electrical 1. Preprogrammed pressuri- 1. Operator adjust er abut Pressuriser Module components zer level setpoint wait down and repair Firuuare Fails changes. module.

High or Low

8. Quick Opening 1. 81 stable Falla High Places the turbine hypesa -

B1 stable Falls High valves and the atacophoric or Tav Error (',,- atese dump valves in a T,,g) Falla High failed state auch that, folloutng turbine trip, the valves would open and DCS overcooling would occur. O e

i Table C6. Main feedwater and conder. sate FMEA Failure Fossible Causes Effects Remedial Actions Steam Cenerator Overfill

1. Mechanical Failure SG 1evel increases initis- Operator should attempt to

1. Feedwater Regulating of Valve or Operator ting turbine and reactor throttle the valve manually if Valve (fV 1111 or possible and, if required, trip 1121) Fails Open trip. Prior to turbine

2. Controller (FC 1111) trip, overfall of the SG may the main feedwater pumps aan-Opens Valve result in carryover of ually to prevent SG overf111.

i Confirm subsequent automatio moisture into the main tur-l initiation of auxiliary feed-3 Erroneous controller b1ne, causing turbine blade Inputs erosion and/or failure, water. Operator should Following turbine trip, the manually override the con-regulating valve may be sig- troller if it is the problem. paled to close and the ty- Operator also may attempt to pass opened. SG overfall Saolate or control flow using ' potential estats if the the actor operated taolation , valve remains open. Exter, valve. O sive injection of water into steam lines could jeopardize l

steaa line integrity.

2. Feedwater segulating 1. Mechanical Failure Following reactor trip, 30 Operator should attempt to Valve (fv till or of Talve or Operator level will increase. Onless throttle the valve manually 1121) Fa!!s to Close controlled, the SG overfeed and, if required, trip the main Following Turbine 2. Loss of Pneumatie will result in injection of feedwater pumps prior to over-Trip Supply While Yalve is water into the staan lines. filling SG. Confirm the sub-Open Estensive injection could sequent automatic-initiation of jeopardize stone line aus111ery feedwater,

s. Loss of Instrument integrity.

Air Supply l

Table C6. (continued) Failure Possible Causes Effects Beendial Actions

b. Isolstica of Pneumatto Supply Due to Solenoid Talve Failure or Failure of 120 TAC Buses 109 or T10

3. Controller (FC 1111, 1121) Falls to Close Valve

3. Feeduater Begulattag 1. Control Room Operator Fo11oulag reactor trip, the Operator abould throttle hypesa Dypass Talve (FU Fails to Throttle mala feedwater regulattag valve asemally if posalble. If 1105. 1106) neestas Either typeas valve volves close and the hypese required, Saolate flaw path or Open Folloutng Manually Folloutag open to amintata 55 fleu. trip main feeduster pumpe prior Beactor/ Turbine Trip Seactor Trip As the realduel heet gemers- to m everf111. j ted la the core deereassa,

2. Mechanical Failure of the SG 1evel v111 begin to Valve or Operator increase sleuly. The eaa-trol room operator la re-

3. Controller (LIC 1105, required to throttle the 1106) Falla bypesa valves enanally to malatain SG 1evel. If the valves are act throttled. E cuerfill and possibly danese to the steam lines or their supports could occur.

_ _ _ . . . _ . _-__..._.___.m . _ _ _ _ _ . _ , . . _ _ . . _ . _ _ _ _ _ . _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ ____ ___ , m_._ _ _ _ _ . _ . _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ . _ _ _ . _ _ _ i Table C6. (continued) Fossible Causes Effects Somedial Acticas Failure

1. Loss of Electric Poteattal for contalement Beatore power, if possible.

4. Nia Feedwater Power from 4 EV Bus overpressurization if Isolation valves failure accompanies SGIS.

(FW-4516-Mut. 11 (ZA) and 14 (IB) m 4517-M0W) Falls to close 2. Mechanical Failure Failure of 125 VDC Bus 11 Poteattal for Steam Restore power, ir possible.

5. Feedwater Pump Generator Overf111 following 11, 12 Falls to and 21, Bespectively Trip E IS or CSAS conditions.

Also lopects DCS l overcool tag. I f asuffielent Flow of F--tar to Sf3 mechaateal Failure Steam Generator level Operator abould esaually

6. Feedwater segulattag 1.

eoatrol valve if possible. O Valve Fails closed Causes Valve to decreases resulting la * ( m 1111-Cr, Close reactor trip. Aus111ery Operator abould start aus111ery feedwater is destgaed to feedwater system if it is not N 1121-CV)

2. Controller (FC 1111) actuate opos low 5 j level. Failure to supply Falls Causing Valve i

l to Close feedwater to the steam j l generator may result la

3. Pneumatic Supply RCS undercooling.

l Isolated While Valve l 1a Closed l l l l I , 1 l l l

_ - - . _ _ .- = . . - - - _ . - - _ ~ _ _ - _ _ - - - - - - _ _ _ _ _ _ _ - _ _ _ _ - _ _ _ _ - - _ . - - . - - . . .. . - - . - - I i ( Table C6. (continued) l Failure Possible Causes Effects Beendial Aettens

4. Erreaeous Inputs to Spurious signals taeluding Controller cause Valve high feedwater flow rete and i

to Close. Ingets hiah dowmaa=** 1evel might Imelades cause the controller to incorrectly adjust the

a. Steam Flow Bate feedwater regulattag valve (FT1011. 1021) to the closed position.

b. Feedwater Flow Bate

('T1111, 1121) t

e. Dowmooner Level (LT1111. 1121) 7 Beader or Talve 1. Metal Defects; Stress Loss of main feedwater ,

Suptures Corrostoe Cracking flow to steen generator. 3

 !                  8. Motor C m tad        1.           Mechanteal Failure                       Falla flow to stees                       Despen valve if possible.

Talve Falls closed causes Talve to memorator. eentret steen flew frem

 }

(Outside Costalaneet Close affected steen generator. IV-4516-Mit) j 2. Spurious Signal causes Talve to Close j 9. Maal-Flow Control 1. Nachaalcal Fa11ere Minimum flow control valve Operator esaually shuts valve. Talves Fall Open causes Talve to Open falls open resulting in a (fW-44E4-CV, reductica of feedwater flow IV-44844-CV) 2. Talve Controller to the steas generater.

Falls. Opeatag Talve 4

i i

Table C6. (continued) Failure Possible causes Effects Benedial Aetions

                                                                                   **schanical failure                       Steam Generator level                                     Operator abould verify

10. Mata Feeduater 1. aus111ery feedwater flow is causes Pump to Trip decreases resulting ta Pump Trip reactor trip. Auxilian started. If aus111ery l feeduater should be manually feeduater is not auteentically

2. Turbine Control and Lubricatica High started if not autoontically started, operator abould l

Pressure 011 System actuated. enouelly start systee. Fails 3 Loss of Steam free Admit NP steam free Mata Steam Beheat Steam System System to pump turbine if LP ( Above 405 Pump steam flow fails. Capacity)

4. Loss of Mata Steam (Selow 405 Pump ,

e Capoeity)

5. LP Steam Control Valves Fall Closed

6. Turbine Enhaust Valves Fall Closed

7. Turbine Speed Controller Falls S. Turbine Overspeed i

' Causes Pump Trip

9. Lew Suetica Pressure Trips Pump l

l

W Table C6. (continued) i 1 j Fattire Possible Causes Effects Benedial Aettoes

10. Nigh Discharge Pressure Trips Pump j 11. Low facuum Causes Pump Trip

12. Turbine Castag Righ Water Level Causes Pump Trip

13. High Thrust Beartag Wear Trips Pump RCS UMerecalina I

11. Degraded Feedwater 1. toss er 13 W Service Trips Condenaste and Condon- Bostore bus. 2

!                                       Flow to Steam                             Sua 11 Coupled With                      aete Soester pump resulttag j                                       Generator                                 Loss of Diesel                           in the loss of main feed-
;                                                                                 Generator Power                         water flow. It also trips I                                                                                                                          motor driven aus111ery feedwater pump. Steam driven muu111ery feedwater pump 13 mot impacted.

12. Degraded Feedwater 1. Loss of 4 W Bus 11 Tripa condeasete and Condon- Bostore bus.

Flew to Steam Beaulting in Isolation ante 3 coster pimp resulting Cenerator of the 13 W Service in the Rosa of main feed- , Bus 11 From the 500 W water flow. It also fails Dus to power motor driven aus111ery feedwater peop. Steam driven muu111ery feed-water pump la mot impacted. l l

_ _ _ _ _ _ .._ _ _ ___ __._._ _...___...._ ____ ._ _ . m _. _ . .. _ _ _ _ . _ _ _ .._ Table C6. (continued) Fossible causes Effects Benedial Actions Failure Other Falleres Failure to supply eteen ifpea failure of one of the

13. SGFP Seal Water 1. Seal Water Booster seal water booster pump trains, Pimp Trips cooling water to the SGFP Failure seals. The time it would operator should verify the Filters Clogged take a loss of seal water standby peep train is started,

2. If it has not started, operator failure to fail 3GFP is 1

should manually actuate pump 3 Loss of Electric Power unknown. traim. (MCC-101) Bus 11 A (ZA) 4 Control Valve Failure i (N4702-CV, FW-4705-CV) 1

5. Controller FDC-4702 Spuriously Closes g Talve Talve closes Falling Flow Besults in lower Si feed- h aue11y open steam supply

14. R.P. Feedwater water temperature and valve, if possible.

l Heaters Fall to to Feedwater Beater I Heat FeeJuater escessive BCS heat removal. Pressurizer control will mitigate slow pressure and j level perturbetions. l l l l i I . l l

Table C6. (continued) Failure Possible Causes Effects Benedial Actions Fafts to Snoely cond=a==ta to SCFP

1. Condensate Booster 1. Mechanical Failure One pump is required below If pump trips, operator abould Pump 11, 12, 13 Trips Pump 50$ power; two pumps are verify a sufficient number of Trips required above 501 power; pumpe are operating to provide

2. Low Lube 011 Pressure three pumps are operated the necessary flow.

Trips Pump above 801 power. Failure to supply sufflotant met

3. Low Suction Pressure positive auction head for Trips Pump the SCFP will result in cavitation and failure of

4. Loss of Electrio Power main te edwater flow.

from 4 ET Bus 12,12, 13

7. Condensate Soester 1. Mechanical Failure Opening the mini-flow Operator abould verify position j Pump Mint-Flow control valve will divert of mini-flow control valve Valve (1-CD-44M-CT) 2. Isolation of Pneumatto part of the booster pump during abanging conditions.

Falls open Supply flow back to the hotwell. Operator abould manually The mini-flow valve re- control valve if necessary. 3 Controller (1-FIC- circulates 1700 spa to 44M) Spuriously Opens the hotwell with one pump Talve running; and 3400 gym with two pumps running. Failure

4. Spurious Flow Element of the mini-flow valves in (1-FS-4444) Signal the open position will not Causes Controller to affect ability to supply Open Talve sufficient feedwater for post-reactor trip heat removal.

Table C6. (continued) Possible causes Effects Remedial Actions Failure l Stress Corrosion Failure of components which Isolate ruptured component.

3. Ilupture of lieader, 1.

LP Heaters 11,12, Cracking; Faulty could result in a loss of 13, 14, 15, Valves, Manufacturing condensate which would fail or Drain Coolers main feedwater supply.

4. Condensate Pump 1. Mechanical Failure One pump is required below Operator should verify 11,12,13 Trips Trips Pump 501 power; two pumps are suffiolent pump capacity to e

required between 505 power; seet operating power level.

2. Loss of Electrio and three pumps are operated Power from Bus 12, above 805 power. The time Operator should open condensate 13, 13 it takes for failure of the storage tank makeup valve to oil cooling system to fall provide NPSH.

3. Low Suetion Pressure the pump is unknown. Loss of oil cooling for short periods is unlikely to cause ,

4. 011 Cooling System pump trip. 3 Failure

5. Condensate Booster 1. Mechanical Failure Degraded flow to SGFP Operator should attempt manual Pump Fails to Start may result in pump trip. initiation.

2. Pressure Switch (PS-4454) Falls to Actuate Standby Pump

6. Condensate Pump 1. Mechanical Failure Degraded flow to condensate Operator abould attempt manual Fails to Start booster pump may result in pump initiation.

2. Automatic Initiation trip of condensate booster Fails from PS-4414 or feedwater pump.

Table C6. (continued) Failure Possible Causes Effects Benedial Aetions 7 Ceedensate Mint-Flow 1. Mechanical Failure Opening the mini-flow operator abould verify position Centrol Valve (CD- control valve will divert of mini-flow eentrol valve 4434-CV) Falls Open 2. Isolation Pneumatic part of the condensate pump during ebanglag eseditions. Supply flow back to the hotwell. Manually sontrol valve if Mint-flow valve rectroulates necessary.

3. Controller (FIC-4438) 4650 gym to the hotwell with Spuriously Opens one pump running and 8800 Valve spe with two pumpa running.

Failure of the mini-flow

4. Spurious Flow Element valves in the open position Signal (FE-4438) will not affect ability to causes Controller to provide post-reactor trip Open Valve heat removal.

8. Beater Brain Pumps 1. Mechanical Failure Falls to supply a ,

Trip algnificant flow of LP steam 3

2. Loss of Electric Power condensate from LP heaters from 4 EV Bus 12 or to the condensate header 4 EV Bus 13 and say result in SOFP trip.

9. Less of Condensate 1. Tank or Header Supture Unlikely event in which Operater asaually olones from condensate condenser is flooded by valve, if possible.

Storage Tank 2. Dump Valve (CD-4405- atuck open dump valve. CV) Falls Open

3. Controller (LIC-4405)

Spuriously Opens Valve

Table C6. (continued) Possible causes Effects Remedial Actions Failure Other System Failures

10. Falls to Provide Seal Water to:

a. SGFP Seal Booster 1. Pipe or Valve Rupture Degraded operation of stone Pump generator feed pump due to

2. Yalve Closes loss of seal water.

b. Condensate Pump 1. Pipe or Valve Rupture Degraded condensate pump Operator could bypees the operation due to loss of pneumatic valve by opening Valve Closes seal water, the bypass valve.

2. 3 Pneumatic Supply Isolated and Valve Closed {

11. Falls to Provide Makeup Supply to:

a. Component Cooling 1. Pipe or Valve Rupture Failure to provide makeup to Align alternate saoup supply Water System the Component Cooling System if possible.

could impact critical components, if a leak in the system reemined undetected for an extended portod.

b. Service Water 1. Pipe or Valve Rupture Failure to supply makeup to Align alternate makeup supply System Service Water System could if poselble.

1.apact critical components, if a leak in the system u

1 1 l Table C6. (continued) Failure Possible causes Effects Benedial Actions remained undetected for an extended period.

12. Falls to Provide 1. CST Makeup Talve Upon low hotwell level this Operator may be able to Hotwell Level (CD-4406) Fails failure could cause trip manually open or aloes these Contron Closed of the condensate pumpe due valves. Could also open to low anotloa head. bypass valve.

2. CST Makeup Valve The almultaneous failure of (CD-4406) Falla these two valves could eense Open filling of the =aad== ,

and a loss of condoneer

3. CST Dump Talve as heat slak.

(CD-4405) Fails closed , E

4. CST Dump Talve This failure could result la (CD-4405) Falla reduction la the Ceedeemate Open Systes inventary due to filling of the Coedeemste i Storare Tank.

13. Fails to Provida 1. Pipe, Coadenser, or This failure will enuse the i Cooling Water to Valve Rupture turbine to leak a anell Steam Seal Exhaust quantity of steam and tend Condenser 2. Talve Closes to lower condesaate tempera-ture.

14. Falla to Supply 1. Valve, Pipe Cooler Failure to provide cooling Operator abould toelate the 5

Cooling Water to Rupture water to drain coolers would affected component. Drain Coolers result in the water flaahing 1

Table C6. (continued) Possible causes Effects Benedial Actiona Failure

2. Valve Closes as it passes through level control valves and piping bends. This leads to increased pipe erosion.

15. Falls to Supply 1. Pipe, Valve Rupture Minimal impact on plant Coo 11og Water to operation.

Turbine Exhaust 2. Valve Closes Hood Sprays

3. Pneumatic Supply Failure Causes Valve to Close

16. Falls to Supply 1. Valve, Pipe, Heat Failure to cool blowdown Bypees valve or component if Exchanger Rupture sufficiently may damage possible. .

Water to SG Blowdown 3 Recovery Heat ion exchangers and secondary Exchanger 2. Valve Closes purification system. Also results in a reduction in

3. Pneumatic Supply thermal efficiency due to Isolated Closing Valve decreased heating of condensate.

17. Falls to Supply 1. Pipe, Valve, Deaerator Failure could lead to Hakeup Water to Rupture failure to remove air from Auxiliary Boller the auxiliary steam system.

Deaerator This results in increased erosion of the system.

18. Fails to Remove 1. Bypass Valve (CD- Result in reduced thermal Operator may be able to bypass Suspended Impurities 5818-CV) Falls Open efficiency when impurities elogged filter, from Condensate plate out on steam generator

Table C6. (continued) Failure Possible Causes Effects Remedial Actions

2. Pipe, Valve Rupture and condenser tutes. May also cause increased erosion 3 Filter Clogs of confinement surfaces.

4. Controller (PDIC-5818) Fails

19. Falla to Remove 1. Bypass Valve (CD-4439- Failure of dominera11ser Ionio Contamination Mor) Falla Open system will result in from Condensate increased corroaton damage

2. Pipe, Yalve Rupture to components.

20. Fails to Provide 1. Pipe, Valve Rupture Failure to add ammonia and Chemical Addition hydrazine will result in from Cheatcal increased corroaton of steel Addition System surfaces in contact with $

water. Other Failures

21. Condensate Booster 1. Mechanical Failure of This failure could cause Operator should manual 1F open Pump Mint-Flow Valve Valve Stes pump trip upon loss of valve, if possible. Operator (CD-4486-CV) Fails condensate flow through should trip pump to proelude Closed 2. Controller (FIC-4486) pump. Valve is intended to damage, if volve manipulation Spuriously Closes circulate some flow through la not possible.

Valve pump during low flow conditions.

3. Spurious Flow Element (FE-4484) Signal causes Controller to Close Valve

Table C6. (continued) Possible Causes Effects Remedial Actions Failure

22. Condensate Pump 1. Mechanical Failure This failure could cause Operator should manually open Hint-Flow Valve pump trip upon loss of valve, if possible. Operator

2. Controller (FIC- condensate flow through should trip pump to preclude

( 1-CD-4438-CV ) Falls closed 4438) Spuriously pump. Valve is intended to damage, if valve sentpulation Closes Valve otrculate some flow through is not possible. pump during low flow

3. Spurious Flow Element conditions.

(FE-4438) Signal Causes Controller to Close Valve

1. Valve Closes Could fall the flow of Operator should manually open

23. Falls to Receive Flow from Heater feedwater to the steam valve, if possible.

Drain Pump 2. Pipe Plug generator.

1. Valve closes Failure to discharge to the Operator should manually open $

24. Falls to Receive valve, if possible. Operator Flow from Coolant condensate system may oause Waste Evaporator failure of the coolant waste should re-align valves such Drains processing system. that flow is diverted to auxiliary boiler deserstor.

25. Loss or condensate 1. Pipe, Valve Rupture Unlikely event in which low Operator manually opens valve, in System hotwell level is not if possible.

2. Hakeup Valve (CD- replenished by condensate 4406-CV) Falls Closed storage tank. Turbine trip will result.

3. Condenser Failure

4. Controller (LIC-4405) Spuriously Closes Valve a

Table C6. (continued) Failure Possible causes Effects Remedial Actions

26. Bypass Valves Fall Open Bypassing:

a. Drain Coolers 1. Mechanical Failure Drain liquida could flash Attempt to close valve, to steam enhancing erosion.

Loss of thermal effloiency.

b. LP lleaters 11,12 1. Hochanical Failure Loss of thereal efficiency. Attempt to close valve, Potential for thermal shock of steam generator,

c. LP Heaters 13, 1. Mechanical Failure Loss of thermal officiency. Attempt to close valve.

14, 15 Potential for thermal shock of steam generator. E N e

l Table C7. Feedwater regulating system FMEA Failure Possible Causea Effects Remedial Actions

1. Steam Flow 1. Capacitance Bridge Erroneous transmitter Operator should manually Transmitter (FT1011 Circuit Failure signal will cause oon- control the valve when level l troller to open valve wider rissa. Repair transmitter.

1021) Fails High

2. Capacitor Plates Fall to increase the rate of feedwater flow. This may result in steam generator overfill.

2. Steam Flow See Above Erroneous transmitter algnal Operator should manually Transmitter (FT1011, will cause controller to control the valve when level 1021) Falls Low modulate valve closed to falla. Repair transmitter.

decrease the feedwater flow Initiate auvillary feed if rate. This may result in necessary. insufficient flow to the steam generator and RCS , undercooling without 3 auxiliary feed initiation. 3 Feedwater Flow See Above Erroneous tranaeltter algnal Operator should manually Transmitter (FT1111, will cause controller to control the valve when level 1121) Fails High modulate valve closed to falla. Repair transmitter. decrease the feedwater flow Initiate auxiliary feed if rate. This may result in necessary. insufficient flow to the steam generator and RCS undercooling without auxiliary feedwater initiation. 4 Feedwater Flow See Above Erroneous transmitter afanal Operator should manually Transmitter (FT1111, will cause controller to control the valve when level 1121) Falls Low open valve to increase rises. Repair transettler, i J

Table C7 (continued) Failure Possible Causes Effects Remedial Actions feedwater flow rate. This any result in steam generator overfill.

5. SG Level Transmitter See Above Erroneous transmitter afsnal Operator should manually (LT1111,1121 or will cause controller to control the valve when level LT1105,1106) Fails modulate valve closed to falla. Repeir transmitter.

i High reduce feedvater flow rate. Initiate auxiliary feed if This may result in necessary. insufficient (Icw to the steam generator and RCS

                                                                    'undercooling without auxiliary feedvater initiation.

6. SG Level Transmitter See Above Erroneous transmitter afanal Operator should manually j (LT1111, 1121 or will cause controller to control the valve when level LT1105,1106) Fails modulate valve open to rises. Repair transmitter.

Low increase feedvater flow rate. This may result in steam generator overf111.

7. Feedwater Controller 1. Loss of Control Power Valve supplica excesalve Operator should attempt manual (FC1111, 1121 or (Y01 and Y09, YO2 and feedwater flow to steam control or trip the main feed-(FC105, 1106) Y10) Valve Open generator causing over- water pumps to prevent 30 over-Failure Opens Valve fill and RCS overcooling. fill.

2. Electronic Failure Potential for carryover to turbine causing turbine erosion exists prior to turbine trip.

_ _ < _ .. _. ~ _ _ _ . _ a Table C7. (continued) Failure , Possible Causes Effects Remedial Actiona

                                         ,.   - .-- . , .   % % 3 J,                                                                                                           Initiate aus111ery feedwater

8. Feedwater Controller 1. Loss of Control Power Vilve falls to supply (FC1111, 1121 or (Y01 and YO9, YO2 and sufficient feedwater flow if manual control can not LIC1105,1106) Fails Y10) Valve closed to steam generator result- modulate flow.

Valve Closed ing in RCS undercooling

2. Electronic Failure without auxiliary feed-water initiation.

I 3 4 I

Table C8. Main steam system and atmospheric steam dump turbine bypass control system FMEA Failure Possible causes Effects Benedial Actiona l

1. Atmospheric Steam 1. Mechanical failure Significant failure if it Manually open valve, if Dump Valves 2. Reactor regulating becomes necessary for these possible.

(MS-3938, 3939) system Tav error valves to open in response Fall to Open When signal not received to a small LOCA. RCS could Conditions Warrant 3. I/P converter failure not be depressurized.

4. Loss of do bus 11

2. Atmospheric Steam 1. Mechanical failure Minimal depressurisation of Manually close valve, if Dump Valves 2. Solenoid valves steam generator because each possible.

(HS-3938, 3939) (3938-St. 3939) rail valve is only capable of , Fall to close to close preventing relieving 2.55 of full power 1 4 1 solation of hp steam flow. instrument air

3. Tay error signal failure .

4. I/P converter failure I

3. Atmospheric Steam 1. Mechanical failure Minimal impact provided Manually cpen valve, if Dump Valves 2. Loss of do bus 11 turbine bypass and code possible.

j (MS-3938, MS-3939) 3 I/P converter failure safety valves are available close Inadvertently to relieve pressure.

4. Atmospheric Steam 1. Mechanical failure Minimal depressurization of Manually close valve, if Dump Valves 2. Spurious Tav error steam generator because each possible.

(HS-3938, 3939) signal valve is only capable of Open Inadvertently 3. E/P converter failure relieving 2.55 of full pouer steam flow. l l I l I

                                                                                    ?

\ c

Table C8. (continued)

                '            Possible causes                  Effects                      Remedial Actione Failure Atmospheric Steam    1. Mechanical failure       Hinimal impact. Turbine        Verify turbine bypass or oode                                                  >

5. Duap Valves 2. Loss of 125 VDC unit bypass and code safety aarety relieve 3.0. pressure. (MS-3938, 3939) control panels valves may be challenged. Fails to Quick Open 3. Solenoid valves (3938-SV, 3939) fail to open to permit higher instrument air pressure 4 Main Turbine control System fails to send quick open signal

6. Auxiliary Feed Pump 1. Neohanical failure Important failure mode Manually open valve, if Steam Supply Valve 2. Falla to receive AFAS regarding RCS undercooling. possible. Manually open bypass (HS-4070) afsnal Motor-driven auxiliary feed valve. ,

Falls to Open 3. Fails to receive pumps are assumed to be $ 125 VDC control pouer available to supply feedwater to SG.

7. Auxiliary Feed Pump 1. Hechanical failure Same as above. Manually open valve, if Steam Supply Valve possible.

( HS-407 0) Inadvertently Closes

8. Auxiliary Feed Pump 1. Hochanical failure Minimal impact on RCS and Manually close valves, if Steam Supply Valve 2. Loss of air pressure secondary system. Analysis possible.

(HS-4070) 3 Spurious AFAS signal assumes main feedwater Inadvertently Opens isolation valves are closed and main SGFP is runback. Otherwise, potential exists for SG overcooling and safety injection. +

i Table C8. (continued) Failure Possible causes Effects Remedial Actions

9. Main SCFP Steam 1. Mechanical failure Minimal impact SGFP trips.

Stop Valve Closes SG 1evel drops until SG 1evel initiates AFAS. Auxiliary feedwater pumps provide SG heat removal. Reactor tripa on low 30 level.

10. Main SCFP Turbine 1. Mechanical failure Same as above.

Steam Control Valve Closes

11. Valve MS-260 Closes 1. Mechanical failure Main Steam fails to supply steam to steam seal regulator. Hintoal impact.

Loss of steam seal will 3 cause trip of both the main turbine and the SOFF turbines.

12. Main Steam to MSR 1. Mechanloal failure Main Steam fails to supply Manually open valves, if Steam Supply 2. Inadvertent signal stene to moisture separator possible.

Isolation Valves reheaters. Minimal impact. (MS-4025. 4026) Reduced power from low Fall closed pressure turbines.

13. Turbine Bypass 1. Mechanical failure Significant failure if it Manually open valve, if Valves (MS-3940, 2. rails to receive becomes necessary for the possible.

3942. 3944, 3946) alsnal free SG outlet Turbine Bypasa Valves to Fall to Open pressure and reactor open in response to a small regulating system LOCA. RCS could not be de-

3. I/P converter failure pressurized.

1

Table C8. (continued) Failure Possible causes Effects Remedial Actions

4. Loss of de bus 11

5. Pressure transmitter fails

6. Signal auctioneering circuit (PY-4056) fails

14. Turbine Bypass 1. Mechanical failure Substantial depressurization Manually close valve, if Valves (HS-3940, 2. Solenoid valves (HS- of steam generator which possible. Close isolation 3942, 3944, 3946) 3941, 3943, 3945, could result in initial RCS valves or manually initiate HSIV closure, Fall to Close 3947) fail to close overcooling. F.ach turbine preventing isolation bypass valve is able to pass of instrument air 101 of full power steam

3. Tav error or pressure flow. If depressurization signal failure continues, HSIVs will auto- ,

4. I/P converter failure natically close isolating 3

5. Control circuit the bypass valves.

failure

15. Turbine Bypass 1. Mechanical failure Minimal 1spect provided Manually open valve, if Valves (HS-3940, 2. Loss of de bus atmospheric dump and oode possible.

3942, 3944, 3946) 3. I/P converter failure safety valves are available Close Inadvertently to relieve pressure.

16. Turbine Bypass 1. Mechanical failure Substantial depressurization Manually close valve, if Valves (HS-3940, 2. Spurious Tay error or of steam generator which possible. Take necessary pro-3942, 3944, 3946) pressure signal could result in initial RCS cedures to control and reduce Open Inadvertently 3. I/P converter failure overcooling. Each turbine depressurisation including

4. Control circuit bypass valve is able to pass manually closing isolation failure 101 of full power steam valves.

flow. If depressurization continues, HSIVs will auto-

{ Table C8. (continued) Failure Possible Causes Errects Remedial Actions matica11y close isolating the bypass valves.

17. Turbine Bypass 1. Mechanical railure Minimal impact atmospherto Verify atmospherto dump and Valves (MS-3940, 2. Loss or 125 VDC unit dump and code sarety valves code safety valves relieve I

3942, 3944, 3946) control panels may be challenged. 30 pressure. Falls to Quick Open 3. Solenoid valves 4 (3941-cv, 3943, 3945, 3947) rail to open to permit higher

 !                                                                            instrument air pressure

4. Main Turbine control System rails to send quick open signal u

18. Solenoid Valves 8

1. Mechanical ra11ure May damage condenaer.

(MS 3940-st, 3942, 2. Falls to receive low Minimal impact on RCS due 3944, 3946) Fail to condent.ec vacuum to availability or code Prevent Turbine signal safety valves. Bypass Valves from Opening When Condenser Vacuum is Lou or cause Quick close I

19. Code sarety Valves 1. Mechanical ra11ure Important event but unlikely Manually open valve, if (MS-3092 thru 4007) to happen. Sixteen valves necessary.

Fall to Open are available to open two-at-a-time to relieve SG

pressure. The sluteen i

l

l Table C8. (continued) Failure Possible Causes Effects Remedial Actiona l ) valves have sequentially q

'                                                                                             higher setpoints. Turbine trypass and steam dump valves must also fall for this to be                                                              i a significant event. If lower

) setpoint valves fall, higher setpoint valves will relieve i pressure.

Manually olone valve, if

20. Code Safety Valves 1. Mechanical failure Significant event due to rapid depressurization of necessary.

I (MS-3092 thru 4007) Opens Inadvertently main steam header which may or Falls to close result in RCS overcooling.

21. Hein Steam Line 1. Valves fail closed Insignificant failure. Most o

Drainage System due to mechanical valves can be opened Falls to Drain failure manually. Complete loss of

2. Loss of co1 trol power all drainage la unlikely, to motor operated All drain flow is a gravity valves flow to condenser or 1, lowdown tank.

22. Auxiliary Blowdown 1. Mechanical failure Instanificant failure. ,

Pumps (11,12) Fall 2. Loss of electric power Auxiliary Blowdown Tank to pump from motor would overfill and control center condensate would flow to plant drain. i. I

Table C8. (continued) Failure Possible causes Effects Remedial Actions

23. Main Steam Isolation 1. Mechanical failure Insignificant event because '

Valve (MS-4043, of valve atmospheric dump and code 4048) Closes 2. Spurious SGIS signal safety valves are available Inadvertently 3. Low pressure pumping to relieve main steam unit is unable to hold pressure. Main stone valve open pressure should normally be sufficient to hold valve open, low pressure pumping unit is normally only necessary to cause the valve to open from the closed position. Turbine trip would result.

24. Main Steam Isolation 1. Mechantoal failure Significant event if a steam .

Valve (MS-4043, of valve generator isolation alsnal 8 4048), Falls to 2. High pressure pumping actuates the valves to Close unit failure causes close. The inventory &n the accanulator pressure SG would rapidly blowdown to decrease below the through a rupture in the pressure necessary to main steam header, close valve Significant impact on RCS

3. Failure in the undercooling.

accumulator module

4. Failure in the cylinder module

5. Failure in the valve module

6. 125 VDC power failure

7. SGIS signal not received due to circuitry failure  !

i Table C8. (continued) Failure Possible causes Effects Remedial Actions

25. Main Steam Isolation 1. Mechanical failure Insignificant event because Valve (HS-4043, of valve plant is at low power level 4048) Fails to Open 2. 1.aw pressure pumping when valves are normally unit failure closed. Atmospherto dump

3. High pressure pumping and code safety valves are unit is signaled to available to relieve main I close the valve steam pressure. Once opened main steam pressure will hold valve open.

J u f

Table C9. Component cooling system FMEA Failure Possible Causes Effects Benedial Actions Falls to Suoolv Coolins Water to Loads

1. Loss of Component Upon detection of high RC Be-open component cooling Cooling Water to pump seal controlled bleedorf system valves to response flow Reactor Coolant temperature, which would possible. If component cooling t Pump Seals occur after a loss of com- water flow cannot be restored, ponent cooling water to trip RC pump prior to exceeding

a. All four pumps 1. CC-283 closes the pump seals, the operater temperature limits of pump

2. CC-284 closes tor is instructed te trip seals. If the seal fails,

3. CV-3832 closes the pumps. Failure to trip follow procedure for a small 4 CV-3833 closes the pumps under these non- LOCA.

5. Loss of control ditions is assumed to re-power to SJ-3832 sult in failure of the pump or 3833 seals. Rupture of the pump

6. Loss of pneumatic seals constitutes a small ,

supply to SV-3832 loss of coolant ao:1 dent g or 3833 (LOCA) safety systems

7. SV-3832 closes including HPSI and LPSI

8. SV-3833 closes will be challenged. RCS undercooling may result due

b. On one pump: Operator falls to trip to the LOCA.

pump after one of the following: Pump II A CC-170 or 171 closes , Pump 11B CC-173 or 174 closes Pump 12A CC-176 or 177 closes Pump 12B CC-179 or 180 closes

Table C9. (continued) Failure Possible Causes Effects Remedial Actione

2. Falls to Supply 1. CV 3832 or 3833 Closes rails to cool labyrinth Adjust throttle setting on passageway in body of RCP. component cooling beat Water to NCP Thermal Barrier 2. CC 284 or 289 Closes May require pump trip to eschenger. Valve-in bookup prevent damage. Normal flow heat exchanger. Start redun-SF 3832 or 3833 Closes is 28 gpe. dont component cooling pump.

3. Cooling must be restored in 10

4. Component Cooling minutes to prevent pump damage.

System Failure

5. Loss of Instrument Air

6. Loss of Control Power 7 Supply Return Valves close y 8

Falls to Supply 1. CV 3832 or 3833 Closes rails to cool RCP motor Adjust throttle setting on 3 Cooling Water to RCP bearing lube oil coolere. component cooling heat Upper /Louer Bearing 2. CC 384 or 389 closes May require pump trip to eschenger. Valve-in backup 011 Coolers prevent damage. Normal flow heat eschan6er. Start redun-

3. SV 3832 or 3833 Closes 150 spa to upper bearing dant component cooling pump.

cooler and 5 spa to lower Cooling must be restored in to

4. Component Cooling bearing cooler, minutes to prevent pump damage.

System Failure

5. Loss of Instrument Air

6. Loss of Control Power 7 Supply Return Valves Close

Table C9. (continued) Failure Possible Causes Effects Benedial Actions 4 Falls to Supply Component Cooling System Falls to cool heat exchanger Manually control letJown heat Cooling Water to Failure to a temperature suitable exchanger component cooling Letdown Heat (below 1450F) for long term outlet control valve to Exchanger operation of the purifica- maintain temperature at 1200F. Lion system. Above 145 0F, the ion exchanger bypass valve shif ts to bypass operation to protect the ion exchanger resins.

5. Falls to Supply 1. CV 3832 or 3833 Closes Loss of component cooling Beatore component cooling water Cooling Water to does not have a drastic flow to CEDM coolers.

Control Element 2. CC 284 or 289 Closes effect on CEDM unless air Drive Hechanism flow is also lost. Loss of

3. SV 3832 or 3833 Closes component cooling for sus- o tained periods can shorten S

4. Component Cooling CEDM coil life. Eventually System Failure due to degradation of the coil, the CEAs would drop

5. Loss of Instrument Air due to lack of sufficient current and the reactor

6. Loss of Control Power would shutdown.

7. Supply Beturn valves Close

6. Falls to Supply 1. CV 3832 or 3833 Closes Bearing surfaces and struc- Restore component cooling water Cooling Water to tural concrete exceed allow- flow to reactor vessel support Reactor Vessel 2. CC 284 or 289 Closes able working temperatures. ooolers.

Support Coolers 40-year life expectancy is

3. SW 3832 or 3833 Closes reduced due to extended overheating.

Table C9. (continued) Failure Possible Causes Effects Remedial Actions

4. Component Cooling System Failure

5. Loss of Instrument Air

6. Loss of Control Power 7 Supply Return valves Close

7. Fa11s to Supply 1. CV 3832 or 3833 Closes Bearing surfaces and strue- Restore component cooling water Cooling Water to tural concrete escoed allow- flow to steen generator vessel Steam Generator 2. CC 284 or 289 Closes able working temperatures, supports.

Support Coolers 40-year life espectancy u

3. Sr 3832 or 3833 Closes would be reduced due to S extended overheating.

4. Component Cooling Systen Failure

5. Loss or Instrument Air

6. Loss of Control Power 7 Supply Return Yalves Close

8. Falls to Supply 1. CC 264 or CC 261 Inability to reach shutdown Restore component cooling to Cooling Water to Closes temperature using heat ex- ahutdown cooling heat Shutdown Cooling changera. Alternate method exchangers.

Ileating Exchangers 2. CC 261 or CC 266 of cooldown should be used During: Closes until component cooling again becomes available.

i i Table C9. (continued) Failure Possible Causes Effects Benedial Actions

 )

1. Plant Cooldown 3. Component Cooling - Requires two pumps and two Systen Failure heat exchangers for plant cooldown (300 to 1200 F).

4. Outlet control Valve '

2. Post LOCI (CV 3830 or CW 3828) - Requires one pump and two j Cooldown Falls to Open heat exchangers for post j LOCI cooldown

3. Cold Shutdown - Requires one pep and one heat exchanger for cold shutdown

9. Loss of Component Pumps are designed to oper- Re-open valves if possible. If Cooling Water to ate for two houre witbeat safety lajeotion is required HPSI and LPSI conopnent cooling water. and cooling water flow cannot ,

Pumps Loss of component water for be restored, attempt to rotate g periods greater than two the pumps la operation.

a. All HPSI and Mechanical failure hours is assumed to fail LPSI pumps CC-258 closes HPSI and LPSI. HPSI and affected LPSI are safety systema de-signed to provide core heat

b. HPSI 11 and 12 Hochanical failure removal during emergency and LPSI 11 CC-270 closes operation.

affected

c. HPSI 13 and Mechanical failure LPSI 12 affected CC-242 closes

           . . _ _ _ . _ _ _ _ . . ___m._m_           _ __ _m . _ . _ _ _             _ _ _ _ _ _ _ _ _ _ _ . . . . . _ _ _ _ _ _ _ . _ _ _ . _ _ _ - . . _ . _ . . . . _ .

_~ - _ _ _ _ _ _ _ _ _ . _ _ _ _ i I i l Table C9. (continued) Failure Possible causes Effects Benedial Actions , t 4

10. Falls to Supply 1. CC 163, CC 270, or Failure of the ocoponent Bostore component cooling water cooling system to supply flaw to contalment penetration i Cooling Water to CC 111 Closes Containment Penetra- cooling water to the coolers coolers.

r l tions Coolers for 2. Component Cooling will not result in abrupt l Main Steae Lines, System Failure failure of containment Feedwater Lines, penetration. Steam Generator 3. Supply or Return i Bloudaun Lines, Valves to Individual Reactor Coolant Coolers Fall i Letdoun Lines, l Reactor Coolant Sampling

11. Falls to Supply 1. CC 457 or CC 458 Inability to condense vapor Operator restores component Cooling Water to Closes in the evaporator eoseentra- ocoltag water to BC waste u Beactor Coolant tor condenser. Evaporator evaporater. S Waste Evaporator 2. Component System requires entensive cooling, Failure so during a transient the cooling water supply to eva-

3. Individual Supply and porator is isolated, pro-Beturn Valves Closes viding more cooling water j for safety needs. IIo sigal-i ficant impact on plant safety.

12. Falls to Supply 1. Individual Supply or Inability to condense vapor Operater resteres aa=ramant Cooling Water to Beturn Valve Closes in concentrator h = = . eoeling water to the eis-Miscellaneous Waste Evaporator requires exten- cellemeems waste evaporator.

Evaporator 2. Ceeponent Cooling sive cooling, so during a l System Failure transient cooling water is 1solated, providtag addi-I I

Table C9. (continued) Failure Possible Causes Effects Remedial Actions 3 CC 457 or CC 458 tional cooling water for Closes safety needs. No signifi-cant impact on plant aafety,

13. Fails to Supply 1. Supply or Return Fails to cool distillate Operator restores cooling water Cooling Water to: Valve Closes prior to discharge to weste to the coolers. if possible, monitor tank. Fails to cool

1. Distillate Cooler 2. Component Cooling seal water prior to its dis-Systen Failure charge into the vacuus pump

2. Vacuus Pump Seal suctioa. Fails to cool Water Cooler vapors prior to their dio-charge to the Weste Gas

3. Vacuum Pump Dis- System. Isolated on CIS.

charge Cas Cooler Represents major non-safety load or component cooling. , o

14. Falls to Supply 1. Supply or Return Cooling water is absolutely Seeure weste Jas compressor Cooling Water to Valve Closes necessary to prevent over- and repairs component cooling Waste Gas heating of compressors. If system.

Compressors 2. Component Cooling cooling is lost, operator Systee Failurs should secure waste gas compressor. 3 Solenoid Valve SV 2203 (St 2205) Falls to Open

4. High Pressure Signal 3terts Compreasor but Doesn't Open Valve (SW 2203)

l Table C9. (continued) Possible Causes Effects Remedial Actions Failure Restore cooling water to

15. Falls to Supply 1. Supply or Return Valve Reactor coolant drain tank Closes overheats and overpressu- componenta as quickly as Cooling Water to:

rises. Drain water flashes possible.

1. Reactor Coolant 2. Component Cooling to steam. Failure to cool Drain Tank Heat Systen Failure incoming gases results in Exchanger loss of seal to the vacuus pump. Vacuus pump will then overheat if not secured by

2. Degasifier Vacuus Pump Accumulator the operator.

16. Falls to Supply 1. Supply or Return No cooling of samples L.a Provide an alternative method Cooling Water to Valves closes acceptable temperaturse for for cooling sample.

Sample Coolers for cheetcal analysis. Operator Component Cooling will need to wait for sample Hiscellaneous Waste 2. Steam Generator System Failure to cool before chanteel " analysis can be performed. l Reactor Coolant "* Personnel injury possible due to handling of hot samples.

17. Falls to Supply 1. Supply or Return Falls to cool hot oxygen and Provide component cooling water Cooling Water to Valves Closes hydrogen samples to accepta- free Unit 2 component cooling Gas Analyzing Unit ble temperatures for acou- water system.

2. Component Cooling rate analysis by the gas Systen Failure analyzers.

18. Fa11s to Supply 1. Supply or Return Fails to reduos temperature Restore cooling, if possible.

Cooling Water to Valves Closes of blowdown sample below Steam Generator Ili00F necessary for proper Blowdown Radiation 2. Component Cooling operation of radiation Monitoring Unit Systen Failure monitor unit. Sample Cooler

i Table C9. (continued) Failure Possible Causes Effects Remedial Actions Cenent Coolina System Failures Which Fall h=alv of Coolina Water to Iwa

19. Component Cooling 1. Loss of Electric Peuer Norwal operation requirea Upon failure of operating pump, i Pumps 11,12,13 from Unit Buses IIA, one component cooling water operator abould start standby Fall 14 A,11B or 148 pump to run as designed. pump. If third pump (13) does Although plant cooldaun is not start, alternate power

2. Mechanical Failure normally acocuplished using breaker abould be elooed in, two pumps, one pump could Failure to supply cooling water j

3. Pump Falls to Receive cooldoun but it would take a to some loads may require

• Start Actuation Due to longer time. Pump 13 has renator trip. l Circuitry Failure tuo sources of electrio increasing system reliabili-ty. Failure of all three pumps will adversely impact numerous eenponents through-out the plant. heo pumps upon SIAS.

3

20. Pump Suction Valves Mechanical Failure Component cooling water Manually open valve if (CC III, 112), system includes a normal and posatble.

(CC 116, 117), standby header for both the (CC 121, 122) Closes supply and return lines. If one of the headers becomes inoperable (valve failure), system operation een conti-nue on a single header with no significant degradation of performance, i.e., both supply or both return valves must fall. 1 1 I I e H l I

Table C9. (continued) Possible Causes Effects Remedial Actiona Failure

21. Pump Discharge Mechanical Failure Component cooling water Valves system includes a normal and (CC 113, 114), standby header for both the (CC 118, 119), supply and return lines. If (CC 123. 124) one or the headers becomes Closes inoperable (valve failure),

system operation can conti-pue on a single header with no significant degradation of performance, i.e. , both pump valves must fail.

22. Component Cooling 1. Level Switch Fails to Unlikely event in which head Manually open bypass valve llead Tank Falls to Provide Tank Makeup tank fails to supply head to permitting makeup from the Provide Net Positive component cooling return dominere11 sed water ayates or Suction llead and 2. CC 101 and 102 Fall headers causing pump cavita- the condenaste ayates. $

Surge Volume Closed tion.

23. Component Cooling 1. Outlet Valve CC 149, Loss of cooling water flow operator should valve in System lleat 156 Fall Closed will cause failure of stra- standby heat exchanger. May Exchangers 11, 12 tegio components in 2 hours, also be necessary to isolate

2. Salt Water System If only one heat eschenger the larger loads such as the Fall Fails to Cool Heat is required, the failed heat waste evaporators.

Exchanger exchanger should be isolated and the standby heat ex-change should be valved into operation. Loss of salt water cooling will degrade the ability of the component cooling system to cool stra-tegic components.

l l Table C9. (continued) Failure Possible Causes Effects llemedial Actions

24. Header Valve Mechanical Failure causes Operator manually reopena Failures: Valve to Close valve.

CC 147 and 148 Falla supply of component cooling water to heat exchanger 12. CC 154 and 155 Fails supply of component cooling water to heat exchanger 11. All four supply valves must fail closed to fail component cooling water supply to heat exchangers. CV 3824 Falls flow from heat $ exchanger 11 to cooling loads. CV 3826 Falls flow from heat exchanger 12 to cooling loads. For failure to be significant, valve must fail on the associated operating heat exchanger.

25. Bypass valve Mechanical Failure causes Bypass valve falla open Operator annually closea valve.

Failures: Valve to Open causing component cooling water to bypass the heat CV 3823 exchanger. This causes degraded operation of CV 3825 component cooling system.

      . _ - .~         _                                                   .

Table C9. (continued) Failure Possible Causes Effects Remedial Actions For failure to be signifi-cant, valve must fall on the associated operating heat exchanger and flow bypassed must be significant. Mechanical Failure causes Both valves must fall closed Operator manually reopens

26. Ileader Valve Failure: Valve to Close to cause a loss of component valve, cooling water to the loads.

CC 163, 162 , Other Failures

27. Component Cooling 1. CC 141 and 142 Fall Failure to add chemicals to If valves are source of Additive Tank Falls to Open component cooling system via probles, attempt to manually u the additive tank will re- open. 3;

2. CC 143 Fails to Open suit in increased corrosion of the components and piping in the component cooling system. Heat transfer across fouled surfaces will be reduced.

Table C10. Service water system FMEA Failure Possible Causes Effects Remedial Actions Service Water Header Failures

1. Service Water Pumps 1. Mechanical Failure Significant failure because Tarify automatio start of 11, 12, 13 Trip it degrades heat removal standby pump. If pump 13 does

2. Loss of Electric Power from important plant not start, align contacts to from 4 kV Bus 11 for components including the other bus.

Pump 11, 4 kV Bus 14 diesel generatora and the for Pump 12, and both instrument air compressors. 4 kV Duses 11 and 14 Two pumps are required to for Pump 13 operate so one pump is placed in standby. The re-

3. Supply or Return dundancy incorporated into Valves Fall closed the design permits operation of pump 13 from either bus.

Unlikely that two pumps ,, would fail simultaneously. g

2. Service Water lleat 1. Mechanical Failure Significant failure because Re-open valves or repair heat Exchanger 11,12 it degrades heat removal exchanger if possible.

Falls 2. Salt Wate.- System from important plant compo-Header Failure nents. Plant may be tempo-rarily operated with just

3. Inlet or outlet Valves one heat exchanger during Fall Closed normal operation. Durir.g an emergency some loads would be isolated, permitting longer operation with only one heat exchanger.

             . .    .~.            .=                                                                 .   -

Table C10. (continued) Failure Possible Causes Effects Remedial Actions 3 Service Water I!ead 1. SRW-1579 Fails to Open Failure to provide makeup to Operator should manually open Tank 11, 12 Fails to and Bypass Valve Falls head tanks may result in the valve to control water level Provide Suction Head to Open loss of not positive auction in head tank. head to the service water

2. LS-1529 Falle to Open pumps. Loss of suction head SHW-1579 and Bypass will fait pumps.

Valve Fails to Open < 3. Solenoid Valve SV-1579 Fails to Close

4. Service Water Valves Fall to Open Insignificant failure with Additive Tank Falla respect to plant response to Chemical Addition a transient.

Loss or Coolina Water to Svaten Loads $

5. Loss of Service Loss of service water to an If one supply header to a Water to Emergency emergency diesel generator partloular diesel la unavail-Diesel Generators will result in diesel able, operator should open generator failure. The buo valves to supply dieaal with No. 11 Diesel 1. 1-CV-1587 Falls to Calvert Cliffa units share 3 an alternate source of cooling Open diesels. Supply header 11 water.

a. Mechanical Failure can supply service water to

b. Diesel Start Signal either diesel 11 or 12.

Not Received Due to Supply header 12 can supply Circuitry Failure diesel 12 or 21. Supply

o. Controller PDIC- header 21 can supply diesel 1587 Closes Valve 11 or '12. Supply header 22 can supply diesel 21 and 12.

Table C10. (continued) Failure Possible causes Effects Remedial Actions

2. One of Two Manual servf ne water failures.

I Valves Fail closed This redundancy reduces the probability of loss of

3. Service Water Header diesel power due to servloe Failures water failures.

No. 21 Diesel 1. 2-CV-1587 Falla to Open

a. Nachanical Failure

b. Diesel Start Signal Not Beceived Due to Circuitry Failure

o. Controller PDIC-1587 Closes Valve

2. One of Tuo Manual h Valves Fall closed

3. Service Water Header Failures No.12 Diesel 1. 1 and 2-CV-1645 Fall to Open

a. Mechanical Failure

b. Pressure Sensors 1/2 PS-1645 Fall

2. 1 and 2-CV-1645 Fall to Open

a. Mechanical Failure l

Table C10. (continued) Failure Possible causea Effects Remedial Actions

b. Pressure Sensors Prevent Valve from Opening 3 1-CV-1588 Fails to Open

a. Hechanical Failure

b. Diesel Start Signal Not Received Due to Circuitry Failure

o. Controller PDIC-1588 Closes Valve j 4. Both Manual Supply or Both Return Valves u Fail closed Simulta- E peously

5. Service Water Header Failures

6. Loss of Service Loss of servloe water cool- Roopen servloe water supply

Water to compressed ing to the compressors or or return valves if possible.

Air System aftercoolers will result in Components: eventual compressor or after-cooler failure. This la a All Instrument 1. SRW-181 Falla closed significant failure because Air and Compressed pneumatic components aunt be Air Compressors 2. SRW-183 Falls Closed continuously supplied with instrument air to maintain

3. PCV-1628 Falls closed safe and reliable operation of the plant. Some redun-

f Table C10. (continued) Failure Possible causes Effects Benedial Actions 4

4. CV-1637 Fa11s closed dancy la provided in the compressed air ayates in the

5. CV-1639 Falls Closed event of component failures.

Two instrument air compres-

6. Service Water Pump 11 aors are available, although Trips one is usually all that is required. The Unit 1 plant

7. Loss of Electric Power air compressor is backed up From 125 VDC Bus 11 by the Unit 2 plant air closes CV-1637 compressor. Plant air la also important because it

8. Loss of Electric Power provides breathing air for From 125 VDC Bus 21 respirator operation inalde Closes CV-1639 containment. Plant air la backed up by breathing air y

Plant Compressor 1. SRW-197 Fails closed tanks inside containment. Verify that backup compressors 8 11 are started when line pressure

2. SV-1636 Falla closed drope below low limit.

3. TCV-1636 Falla closed Plant Compressor 1. SRW-199 Falls closed 11 Aftercooler

2. SV-1635 Fails Closed

3. SRW-200 Falls closed Instrument Air 1. SRW-189 Falls closed Compressor 11

2. TCV-1630 Falls closed

3. SV-1630 Falls closed i

Table C10. (continued) Failure Possible causes Effects Benedial Actions Instrument Air 1. SRW-191 Fails closed

!                   Compressor 11 Aftercooler        2. St-1629 Fails Closed 3     SRW-192 Falla closed Instrument Air     1. SRW-193 Fails closed i

Compressor 12 ]

2. St-1634 Fails closed 3 TCV-1634 Fails Closed Instrument Air 1. SRW-195 Fails closed Compressor 12 Aftercooler 2. St-1633 Falla Closed S

, 3. SRW-196 Fails closed

7. Loss of Service 1. SRW-502 Fails closed Extended loss of servine Re-open valve if possible.

Water to Aux. Feed unter to auxiliary feed pump Pump Room A/C Cooler 2. PCV-1600 Fails closed room coolers is assumed to fail the auxiliary feeduator 3 SRW-503 Falls Closed pumps if they are running. The time to failure cannot

4. Service Ultter Header be deterwined using FMtA Failures techniques.

(

Table C10. (continued) Failure Possible Causes Effects Remedial Actions

8. Loss of Service 1. SRW-286 Falls closed Loss of service water for Re-open valve if possible.

Water to Generator extended period is assumed Verify turbine trip on high Exciter Air Coolers 2. SRW-289 Falls Closed to result in the loss of exciter temperature. and SRW 291 Falls to heat removal from generator Open exciter and eventual turbine trip. This failure is not 3 SRW-1603-CV Fails expected to have a signifi-Closed and SRW-291 cant 1spect on plant Falls to Open response to a transient.

4. SRW-290 Fails Closed and SRW-291 Falls to Open

5. TIC-1603 Closes CV-1603 and SRW-291 Falle U to Open

6. Service Water Header Failures 9 Loss of Service Water to Generator Bus Duct Coolers cooler 12 1. SRW-296 Falla Closed Loss of service water for an Re-open valve if possible.

extended period is assumed

2. SRW-297 Falls closed to result in a turbine generator trip. This

3. CV-9901 Falls Closed failure is not expected to have a significant impact on i

i

Table C10. (continued) Failure Possible causes Effects Remedial Aotions

4. Service Water Header plant response to a Failures transient.

Cooler 11 1. SRW-252 Fails closed

2. SW-293 Falls closed

3. CV-9900 Fails closed

4. Service Water Header Failures

1. SW-270 Fails Closed Insignificant impact on Re-open valve if possible.

10. Loss of Service Water to Turbine plant response to a Plant Sampling 2. SW-271 Fails Closed transient.

0 Coolers " 3 Service Water Header Failures

11. Loss of Service 1. Manual or Pressure Failure for an extended Re-open valve if possible.

Water to Nitrogen control Valve Fall period la assumed to fail Compressor and Closed the nitrogen compressor. It Aftercooler does not represent a signi-

2. SW-226 Fails closed ficant impact on plant operation because Boron

3. Manual Valve Fails Injection Tanks are charged Closed at startup.

4. Service Water Header Failures

I Table C10. (continued) Failure Possible Causes Effects Benedial Actions

12. Loss of Service 1. SRW-392 Falls closed Inalgnificant failure which Re-open valve if possible.

' will have minimal impact on Vater to Degasifier Vacuum Pump 2. SRW-393 Falla Closed plant operation. 3 Service Water Header Failures SRW-252 Falla closed Loss of service water to Re-open valves if possible.

13. Loss of Service 1.

Water to Turbine coolers is assumed to fail Verify turbine trips if lube Lube Oil Coolers 2. SRW-256 Fails Closed coolers and trip turbine. oil temperature exceeds design and SRW-258 Fails to This failure is not consi- limit. Open dered to have a significant impact on plant operation. 3 SRW-1626-CV Fails closed and SRW-258 , Fails to Open y

4. SRW-257 Falla closed and SRW-258 Fails to Open

! 5. SRW-253 Fails closed l

6. TIC-1626 Closes CV-1626 and SRW-258 Falls to Open 7 Service Water lleader Failures l

l

l 2 Table C10. (conti nued) Failure Fossible causes Effects Remedial Actions I

'          14. Loss of Service    1. SRW-283 Fails closed     Loss of service water is        Re-open valves if possible.

and SRW-285 Falls to assumed to fait coolera ar. Trip or verify turbine trip

)

Water to Generator Ilydrogen Coolers: Open cause a turbine trip. upon high temperature indioa-1 1 Failure is not considered to tion.

2. SRW-1608-Cf Fails have a significant impact on Closed and SRW-285 plant response to a Fails to Open transient.

3 SRW-284 Fails Closed and SRW-285 Falla to 1 Open i

4. TIC-1608 Closes CV-1608 and SRW-285 Fails to Open ,

5. Service Water lleader Failures cooler 11 SRW-272 or 273 Fails Closed Cooler 12 SRW-274 or 275 Falls Closed Cooler 13 SRW-277 or 278 Fails closed Cooler 14 SRW-280 or 281 Fails closed

l Table C10. (continued) Failure Possible causes Errects Remedial Actions

15. Loss of Service Service Water Header Loss of service water is Re-open valve if possible.

Water to Generator Failures assumed to rail heat removal Trip or verify turbine trip on Stator Liquid from generator stator resul- high temperature indication on Coolers: ting in a turbine trip. generator stator. , Failure is not considered to cooler 11 SRW-240 or 241 Falla have a algnificant impact on Closed plant response to a tran-4 sient. Cooler 12 SRW-244 or 245 Fails Closed l

16. Loss of Service 1. SRW-429 Falla closed Loma of service water to oil Be-open valve if possible.

Water to caolors for an extended Open valve on standby cooler. ! Electrohydrau11e 2. SRW-442 Fails closed period is assumed to rail i Control System 011 and SRW-443 Falls to the EHC syntes. This Coolers Open railure la espected to have g minimal impact on plant i 3. CV-1628 Fails closed operation because one cooler and SRW-443 Fails to is surrictent to supply Open cooling requirements and one cooler la available if the

!                                           4. TIC-1628 Closes CV-      operating cooler abould

1628 and SRW-443 Falla rail, j to Open 4'

5. Service Water Header Failures l Cooler 11 SRW-260 Falls closed I

i Cooler 12 SRW-264 Falls closed

   - . _  -     - - . .        . . _ -    . ~              _.     -.  .     ._.    .           ._    . - - .           _    . _ . . _ _   . - _   . _ _ _   __

l Table C10. (continued) Failure Possible causes Effects Benedial Actions

17. Loss or Service Loss of service water Operator should feed trip of cooling to tube oil coolers turbine and reactor and verify Water to Hain Feed Lbe initiation of aus111ery Pump Lube Oil for an extended period is Coolers assumed to trip the main feedveter.

feedvator pump. Trip of Pump 11 Cooler 1. SW-202 Falls Closed pump will result in turbine and reactor trip.

2. S W-203 and S M-446 Fall closed

3. SW-1622-CV and SW-446 Fall closed

4. S W-445 and S W-446 Fall closed ,

0

5. TIC-1622 Closes CV-1622 and SW-446 Fails closed

6. Service Water lleader Failures Pump 12 Cooler 1. S W-206 Falls closed

2. SW-207 and SW-448 Fall closed

3. SW-1623-CV and SW-I 448 Fall closed 1

i l l l l i Table C10. (continued) Failure Possible Causes Effects Benedial Aetions

4. SW-447 and SW-448 Fall closed

5. TIC-1623 Closes CV-1623 and S W-448 .

Fails closed l

6. Service Water Header Failures

18. Loss of Service Service Water Header Loss of seal water cooling Be-open failed valves or open Water to circulating Failures la assumed to fall pu ps. Roelation valves to standby Water Priming Pumps Minimal impact on plant seal water cooler and start Seal Water Coolers: Operation. hso pumps are standby pump.

normally operating with one Cooler 11 S W-23% Falls Closed pump isolated. Loss of one g pump will require the , Cooler 12 S W-236 Falls closed starting of the standby Pump. Cooler 13 S W-238 Falla closed

19. Loss of Service 1. CV-1627 Fails closed Loss of service water is as- Be-open valve if possible.

Water to Condenser sused to fall p apa. Mini- Open valves and start the Vacuus Pump Seal 2. Service Water Header mal impact on plant opera- standby pump, if running pump Water Coolers: Failures tion because only two of fails, four pumps are operating. Cooler 11 S W-210 Falls closed others are in standby. Third pump (1st standby) is cooler 12 S W-214 Falls closed constantly receiving cooling water. Cooler 13 S W-218 Fails closed

 .- -- - - - - - - - _ . _ ~ - .    . _      . __. ..       _ - .       . _ _ - _ _ _ _ . . .        ._ _ - _ _ . . . _ _ _ _ _ . . - -         .- . . - - - . - -  ..   . - . ~

i i Table C10. (continued) Failure Fossible Causes Effects Benedial Aetions cooler 14 SRW-222 Fails closed I

20. Iess of Service Service Water Header Loss of service water is Be-open valve if possible.

Water to Condensate Failures assumed to fall the condon- Verify standby pump starts, I Booster Pump Lube sete booster pump. This if not already running. 011 and Seal Water failure will have minimal Coolers impact on plant operation since only 2 of 3 booster Lube 011 Cooler 11 1. h aual Valve Falls pumps are required for Closed acroal operation.

2. TCV-1619 Falls closed Lube 011 Cooler 12 1. Manual Valve Falla l

Closed , ' U

2. TCV-1620 Fails l Closed Lube 011 Cooler 13 1. Manual Valve Falls closed

2. TCV-1621 Fails Closed Seal Water Cooler 1. E nual Supply Valves II A and IIB Fall closed

2. h nual Beturn Valves Fall Closed Seal Water Cooler 1. E nual Supply Valves 12A and 12B Fall closed l

 - - - _ -_ - ._ -          -       -_      -                            --.                 =     . . _ - - _ - _ _ -    . - . _ -         - - -         - - - -- - -     - - - - - - -                 --

I Table C10. (continued) Failure Possible Causes Effects Remedial Actions

2. Manual Return Valves Fall closed Seal Water Cooler 1. knual Supply Valves 13A and 13B Fall Closed

2. Manual Return Valves Fall Closed

21. Loss of Service 1. CV-1597 Falls closed Extended failure of the ser- Manually re-open valves to Water to Spent Fuel a. Mechanical Failure vice water to the spent fuel restore servloe water flow to Pool Heat Exchangers b. 1.oss of Instrument pool heat exchangers will best exchanger, j Air cause the pool temperature

c. Inadvertent CSAS to rise above the design temperature. The impact of

2. CV-15% Falla closed this failure on the opera. y

a. Mechanical Failure ting reactor and power

b. Loss of Instrument systems will be minimal.

Air Substantial boiling would

o. Inadvertent CSAS have to occur before criti-cality would take place.

3 Manual Valves close hkeup water sources are as-Due ta Mechanical sumed to mitigate a signifi-Failures cant event.

4. Service Water lleader Failures

22. 1.oss of Service 1. Service Water Header Significant failure if more Re-open valves if possible or Water to Containment Failures than one cooler was to fall open other header supply valve Coolers; at one time, geovever, this to the effected cooler, represents an unlikely

                                                                                   +'7                                                   --       - - - -              -__               _ _ _ _ _ _ _

_____._ ___~ _ ___.__ _.m__ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ . _ . _ _ _ _ _ . _ . . _ . . _ . _ _ _ _ _ _ _ . _ _ _ . _ . - _ _ _ . _ _ _ _ __ . _ _ . _ _ _ . _ _ _ - _ _ . .___m t Table C1O. (cor.t i nued) Failure Possible causes Effects Benedial Actions CV-1581. 1583 Falls event. These coolers pro-11, 12 1. j Closed vide post accident heat re-ooval from the contalsment.

2. CV-1584. 1586 Falla Significant redundancy is l

closed available in this system be-cause either header can be

3. Supply Needer 11 used to supply any cooler.

Failure only 3 coolers are necessary for heat removal following a

4. Manual Valves Fall LOCI.

Closed 13, 14 1. CV-1589. 1592 Falls closed l

2. CV-1591. 1594 Fails $

Closed

3. Supply Needer 12 Failure Manual Talves Fall 4

closed

23. Loss of Service 1. Smi-640 Falla closed Insignifteent failure Be-opes supply and return Water to Bloudoun Due to Mechanical because another heet asehen- valves if possible.

Recovery Heat Failure ser, piped in earles, is Enchanger 12 cooled by h asete.

2. SAW-522 Fails closed Failure to adequately ecol Due to Mechanical bloudoun eight impact ton Failure exchange rs.

5 1

Table C10. (continued) Failure Possible causes Effects Remedial Actions

3. Service water Header Failures

24. Loss of Service 1. SRW-1600-CV Fails These valves can close due Re-open aupply and returu Water to Turbine Closed to mechanical failure or valvea if possible.

Building Components inadvertent SI AS. This (compressors, vacuus 2. SRW-1637-CV Falls action

• ralates tae turbine pump seal water Closed building loads, compressed coolers) air system would be in-3 52W-1638-CV Falls pacted.

Closed 4 SDW-1639-CY Falls closed

5. Service Water Header $

Failures Other Failurga

25. CV-1$82 Falls to 1. Mechanical Failure Falls to provide additional, Open SRW-140.

Open necessary service water flow l l 2. CS13 Circuitry Failure to contaicaent coolers fol-lowing a CSAS.

3. SV-1582 Fails to close

26. CV-1585 Falls to 1. Hechanical Failure Falls to provide additional. Open SRW-147.

Open necessary service water flow

2. CSAS Circuitry Failure to containment coolers fol-lowing a CSAS.

3. SV-1585 Falls to close

1 Table C10. (continued) Failure Possible causes Effects Benedial Actions

27. CV-1590 Falls to 1. Mechanical Failure Fails to provide additional. Open Smi-154.

Open necessary servloe water flow

2. CSAS Circuitry Failure to containment coolers fol-lowing a CSAS.

3. SV-1590 Falls to Close

28. CV-1593 Falls to 1. Mechanical Failure Falls to provide additional. Open Saf-161.

Open necessary service teater flow j

2. CSAS Circuitry Failure to containment coolers fol-loving a CSAS.

3. SV-1593 Falls to close

29. CV-1600 Falls closed 1. Mechanical Failure Loss of service water to Be-open valve.

Tuibine Building components.

2. Inadverter.t SIAS ,

U

30. CV-1638 Fails Closed 1. Mechanical Failure Loss of service water to Be-open valve.

Turbine Building components.

2. Inadvertent SIAS

                                                                     . _ = _ _ _ .   . _     . _ _

Table C11. Salt water system FMEA Failure Possible causes Effects Remedial Actions 1 Salt Water llender Failure

1. Salt Water Pump 1. Mechanical Failure During normal operation, two Assure standby pump starts (11, 12) Trips pumps are required to supply after primary pump trips.

2. Loss of Electric Power cooling loads. Following a Operator may need to change to W Bus 11,14 LOCI, one pump la able to Las to which pump 13 is supply cooling water re- aligned.

quirements, however two pumps start on SIAS. Mini-mal impact is expected from this failure, due to the presence of pump 13 which , can receive power from either bus 11 or 14 1

2. Salt Water Pump 13 1. Mechanical Failure Minimal probles. During Assure that pump 13 la aligned 5 Falls to Start On normal operation, shutdown to a powered bus.

Demand 2. Pump 13 Contacts are would be required if pump

Aligned to a Bus 11, 12 had failed and pump Without Electric Power 13 failed to start. Fol-lowing a LOCI, only one salt water is required.

l Failure to Sunolv Loads

3. Loss of Salt Water 1. SW 5160, 5162 CV Substantial impact on Ceepo- If salt water cooling is lost Cooling to Component Closes nent Cooling System due to to only one ocoponent cooling d

Cooling Water III loss of cooling to the com- HI, the operator should verify , 11, 12 2. SW 5206, 5208, or ponent cooling heat eschen- that the operating oceponent .! 5163 Closes ger. Time-to-failure for cooling HI has adequate cooling components serviced by the water. If cooling RCP pump 3 Salt Water Pump Trip component cooling system can seals is lost, trip pumps.

_ = - _ - _. _ _ _ _ _ . Tcble C11. (continued) Failure Possible Causes Effects Remedial Actions not be deterutned using REA techniques. Loss of compo-ment cooling to RCP seals will cause small LOCA. i Valve Failure circulating water syntes Operator abould trip turbine l 4. Loss of Salt Water 1. pump trip which will ulti- following otroulating water Cooling to Circula-Salt Water System mately result in a turbine pump trip. ting Water Pump 2. Seals Header Failure trip on high condenser temperature.

5. Loss of Salt Water- 1. Valve Failure Temporary inability to clean Repair valve or oceponent as condenser tubes will have no necessary.

to Condenser Tube Bulleting Systen 2. Salt Water Systes significant effect on plant Peader Failure operation. , N

1. Valve Failure Substantial 1spect on Ser- If salt water cooling is lost

6. Loss of Salt Water Cooling to Service vice Water System due to the to only one service water Water Heat Exchanger 2. Salt Water Systes loss of cooling to the aer- system beat eschengar, the 11, 12 Header Failure vice water heat exchanger. operator abould verify that Time-to-failure for compo- the operating servloe water nents serviced by the Ser- system has adequate cooling vice Water Systes can not be water.

determined using FM A tech-nique s. Loss of service i I water will fall diesel generators. I i

Table C11. (continued) Failure Possible causes Effects Benedial Aotiona l 7 Loss or Salt Water 1. Inlet Valve Closes HPSI and LPSI pumps are able Repair valve or oemponent as Cooling to ECCS to run 2 hours without necessary. Pump Roca Air 2. Salt Water Systes cooling water. Failure of Coolers Header Failure the room coolers under emer-gency conditions would cause

3. Inlet Valve Falls gradual room heating until to Open electrical components in the room began. Ylee-to-failure

4. Outlet Valve Falls for these components can not to Open be determined using FIEA techniques.

5. Outlet valve closes

8. Loss of Salt Water 1. Valve Failure Loss or room cooling for an Espoir valve or header.

Cooling to Circula- extended period will result , ting Water Pump 2. Salt Water System in electrical ocoponent g Roon Air Coolers Header Failure failure which will cause trip of circulating water pumps and eventually the turbine will trip.

9. Loss of Salt Water 1. Valve Failure Loss of salt water to jet Bepair valve or header.

to Water Jet exhauster will prevent Salt Water Systes Exhauster 2. startup of the screen wash Header Failure system, i

I

l l Table C12. Instrument air system FMEA EFFECTS M E DIAL ACTIONS F At ttR POSSIBLE CAUSES AC #12 will start when pressure decays No launediate operator actims

s. Air compressor I. Melntenancs error required provided ACil2 to 90 pslo.

fil stops when starts or the PA system in the SPEED 2. Loss of electric If AC#12 is not avellable then IA pressure will continue to decay to provides backup I A as desired. mode pcaser(Bus llBfZB)) Melntenance corrects problem 85 psig when crossconnect valve

3. Controller or PA 2068 auto opens and provides PA with AC#ll.

Instrumentation to the I A header as a backg. fallure 4 High afforcooler discharge temper-atue s

5. Other u

D

2. Air compressor AS A80VE

                                         #12 stops when in                                                     SAME SPEED mede Associated air compressor trips                No lammediate operator actions

3. Af tercooler 18 1. Lcar Sitt flow due required provided ACl2(ll)

(12) f unctions to meintenance causing the ef fects noted In 1. abow , is available to provide I A ig roperly error or the PA system prowldes causing high backup I A as designed. air discharge 2. Blocked heat Maintenance corrects problem. j tegerature exchange tubes 1 I i \ l

Table C12. (continued) I Al ttFE POS$18tE CAUSES EFFECTS IDEDI AL ACTIONS 4 Af tercooler Rust, scale, debris or ' A pressure will decrease at a rate The af tercooler with the relief valve other contamination in proportional to the rollef valve f ailed open valve can be sticks open the I A causes valve opening. At 90 psig the staney isolated with the manuel Rv206312065) failure I A compressor will start and if Isolation valws, pressure continues to decrease the PA crossconnect valve will open at 85 psig. For large f allures, reasonably rapid decreases in I A pressure are expected and could result in a total loss of instrument air transient with no action to isolate the failed valvo.

                                        * > . Isolation valve      Rust, scale, debris or      Af tercooler cannot be Isolated; hasever,           No lunedlate operator on af tercooler other contamination in      no adverse ef fect miess f ailure is                action rwquired. Malaten-outlet is open  the l A causes velve        comhined with a second f ailure.                     ance corrects the probles.

and cannot be falBure $ closed f f alls oP*nl (, . Isolation valve 8. Operator / maintenance Etf act is to cause loss of I A com- No lunediate operator on af tercooler error pressors ll(or 12) which was actions required provided outlet falls described in I and 2 above. ACl2 (or 113 starts or the closed 2. Gradual builde of When IA pressure drops to 90 psig PA systee provides backg rust, scale, debris the staney air compressor will IA as desi ped. and other contamin- start. Maintenance corrects problem ation closes valve with the valve.

h Table C12. (continued) EFFECTS IElEDI AL ACTlONS F A3 LtflE POSSIBLE CAUSES Rust, scale, dobrls Air recolwer cannot be Isolated; hasever, Mo immediate operator 7 Isolation velve actions required. on air recolwer or other contamination no adverse ef fect unless this f ailure in the I A causes waive is contined ulth another f ailure such Maintenance corrects Bill 2) Inlet is as air receiver relief valve f allure, problem. open and cannot fallure be closed (f alls opeal 8 Isolation valvo I. Operator / maintenance No of fact unless air recolwr [2(18) No famediate operator is out of service and Isolated, if actions required. on air recolwer error Malatenance corrects that is the case, the PA compressors 81(12) inlet

2. Gradual builde of must be used to provide I A. problean, f alls closed rust, scale, dobrls or other contamin-l ation closes valve 0

e 9 Air recolwer Rust, scale, debris or Same of feet as failed open roIIef Operator can Isolate the rollet valve other contamination valve on an af tercooler which was relief wolve by manually causes wale failure escribed above. closing the air recolwr RY2066(2067) sticks open inlet and outlet isolation j velwes. l { Air recolwer cannot be Isolated; No lausdlate operator action

10. Isolation valve Rust, scale, dobrls or requi red.

on air reonier other contamination however, no adverw ef fect unless 15(I2) outlet is causes walve failure this f ailure is combined with a Melntenance corrects probles, open and cannot second faI1urs soch as elr be closed recolwer rollet weite f ailure,

11. Isolation walve 8. Operator /molatenance No ef fect unless air recolwer 12(II) No Immediate operator actions cwn air recolwr error is out of service and isolated, requi red.

B ill2) outlet in that case the PA compressor Maintenance corrects problem. falls cloced 2. Gradual bulld q of must be used to provide I A. rust, scale, dobrls or other contamination

Table Cl2. (continued) FaluA4E POSSIBl.E CAUSES EFFECTS IElfDI AL ACTIONS

12. Cross connect 3. volw controller No of fact on I A system unless this No lamediate operator action valwe PA206I falIure f aliure Is combined wIth so I A requi red.

falls closed f ailure that requires the PA systear Maintenance corrects problen.

2. Failure of the to serve as a backg for the 1 A system, pressure transmitter that controls valve opening

3. Gradual bulide of rust, scale, embris or other contam-Instion 13 Cross connect 1 velve controller I A and PA systems ullt he cross No laumsdlate operator actlen welvo PA2068 failure connected; however, this should requi red. ,

f alls open cause no problem. Melntenance corrects problem. g

2. Fallure of the Manual valves eulst on both sides pressure transmitter of PA2061 and can be closed If that controls valve necessary, opening

14. Isolation valve 8. Operator / maintenance Thls valve is normally open and the Operator must take one of the on Inlet to pro- orror Isolation vatwo la profilter 12 is following actions:

filter 18 f alls normally closed, if this failure 1. Open the inlet and outlet closed 2. Gradual build, of occurs, I A pressure elli begin to isolation valves on pre-scale, rust, debris decrease since the I A service header filter 12 or or other contam- Is now Isolated from all air compressors. Instion without prompt operator response, a loss 2. Manage to open the felled of I A transient can result, closed valw or

3. .CR-88-007 modified the system so that the PA system could supply the I A system downstream of the l A dryer.

Table Cl2. (continued) l EFFECTS E E DIAL ACTIONS FAILuE POSSIBLE CAUSES This modification is not shown on the drawings available to Oltit but is assumed to exist. Profilter il cannot be Isolated; No lausdiate operator

15. Isolation valve Rust, scale, debris or action requi red.

on Inlet to pro- other contamination causes however, no adverse ef fect unless valve failure this f ailure is coseined with a Maintenance corrects filter Il f alls f ailure that requires the valve to problem. open and cannot be closed. l be closed

16. Isolation valve SAME A5 I4 A80VE on outlet of profilter il 5 l falls closed 8 7. Isolation valve 5AME AS I5 A80VE on outlet of profilter il f alls open and cannot be closed

18. Air dryer il inlet 1. Rust, scale, dobrls When this valve f alls closed, I A Operator must take one of the isolation valve or other contamin- pressure will begin to decrease since following actions:

i ation causes valve the I A service header is now Isolated I. Open the normally closed I f alls closed failure from all air compressors. air dryer bypass vatwo or without prompt operefor response, a

2. Operator / maintenance loss of IA transient can result. 2. Manage to open the failed error valve or

3. FCR-81-007 modifled the 1 A system so that the PA system could supply the l

l l l 1

Table C12. (continued) FAILURE POSSIBLE CAUSES EFFECTS MEDI AL ACTIONS 1 A system downstream of the l A dryer. This modification is not shown on the drawings available to OfNL but is assumed to exist. 19 Air dryer il Rust, scale, dobrls or No ef fect on the l A system unless No lamediate operator action intet Isolation other contamination this f ailure is combined with a requi red. valve falls open causes valve f ailure second f ailure that requires the Maintenance corrects problem, and cannot be Isolation of the air dryer. closed

20. Isolation valve SAME AS Ie AB0VE cm outlet of air ,

dryer il f alls g closed 28 Isolation valve SANE AS I9 AB0VE on outlet of air dryer Ii falis open and cannot be closed

22. Af terfilter 11 8. Operator / Af terfilter ll' isolation valves are Operator must open the inlet Inlet Isolation meintenance error normally open and the isolation valves and outlet isolation valves valve f alls for the redundant af terfilter (#12) are on af ter filter 12 or manage closed 2. Rust, scale, debris normally closed, i f the aftercooler to open the failed closed or other contamin- Isolation valve f alls closed, I A pressure valve, ation causes valve will begin to decrease sinos the I A failure service header is now Isolated from all air compressors. Without prompt oper-ator response, a loss of l A translent can result.

Table C12. (continued) EFFECTS KEDI AL ACTIONS FAILURE POSSIBLE CAUSES No ef fect on the 1 A system unless the No luenediate operator action 2 5. Af terfilter il Rust, scale, dobrls or is required. Maintenance inlet isolation other contamination f ailure is contined with a seccmd failure that requires the Isolation corrects the problem. valve falls causes valve failure of the af terfilter, open and cannot be closed l 24. Af terti t ter 18 SAME A5 22 ABOVE outlet isolation valw f alls closed l 2$. Af terfilter 11 SAME A5 23 AB0VE l outlet isolation valve falls open and cannot be g closed Operator / This f ailure results in loss of I A 1 Operations and meintenance

26. Manual valm 1 A-845 1.

falls closed maintenance error to the pneumatic valves and Instru- personnel attempt to l monts in the following systems and discover and correct the l areas of the plant: source of the problem. I l l

1. Diesel generators 11 and 12 2 Operator responds as directed by E0P-14, the l

2. INT heat exchanger roon " Loss of instrument Alr" l procedure

3. West penetration room 4 Letdown heat exchanger

5. SFP cooling room

6. Valwe campartwent 7 CVCS lon exchangers

Table C12. (continued) FAI LUE POSSIBLE CAUSES E FfECTS E E DIAL ACTIONS

27. Failure of I A Mechanical damege to the This failure results In a total loss of Close valve I A-845 to Iso-header downst +'.m 2 inch distribution IA transient. Ones the plant staf f late f ailure to the systems of valve IA-6 2 header by meintenance twcognizes and disposes the f ailure, and areas of the plant so that IA pres- personnel or by equip- the loss of alr can be confined to listed under 26 abow, sure decreases sont failure those systems and areas of the plant Melntenance repairs the below 80psig listed in 26 above, f ailed header.

28. Manual valve I A- Gradual bulldup of scale, No ef fect unless this f allure is combined No Ismediate operator action falls open and rust, debris or other with a second f ailure such as the l A required.

cannot be closed contamination prevents header f ailure discussed in 27 above. Melntenanu corrects problem, valve from closing

29. Man ual va l ve I A- 1. Operator /maintenanos This f ailure results in loss of I A to the 1 Operations and maintenance 657 f alls closed error pneumatic valves and Instruments In the personnel attempt to o following systems and armes of the plant: discover and correct the 2

2. Gradual bulldup of source of the probles, rust, scale, dobrls 1. Component cooling room or other contamination 2. Operator responds as

-l d closes valve 2. ECCS pump room nuster ll and 12 directed by EOP-14, the

                                                                                                                       " Loss of instrument Air"

3. VCT and BAST rooms procedure

4. Charging pump roon

5. Miscellaneous weste receiver tank room

6. Cryogenics room

7. rod pupp room I

Table C12. (continued) POSSIBLE CAUSES [FFECTS K E DIAL ACTIONS FAILURE

30. Fallure of l A Mechanical damage to the This failure can result in a total loss Close valve I A657 to Isolate header downstream 2 inch header by main- of I A translent. Once the plant staf f f ailure to those systems of valve IA657 so tenance personnel or diagnoses the problem, the air loss and plant areas listed under that I A pressure by equipment f ailure can be confined to those systems and 29 above, areas of the plant listed in 29 above. Maintenance repairs the decreases below 80 psig f ailed header.

31. Manual valve IA Gradual bulldup of scale, No of fact unless this f ailure is combined No laundlate operator action 657 f alls open and rust, dobrls or other with a second f ailure such as the I A requi red.

cannot be closed contamination prevents header failure discussed in 28 above. Maintenance corrects problem, valve from closing

32. Manual valve I A 1. Operator / maintenance This failure results in loss of l A to the 1. Operations and maintenance 823 f alls closed error pneunatic valves and instruments in the personnel attempt to u following systems and areas of the plant: discover and correct the $

2. Gradual bulldup of source of the probles, rust, scale, debris I. Aux, building HVAC area (elevation or other contamination 5' & 69') 2. Operator responds as closes valve directed by LOP-14, the

2. Service water pump room " Loss of instrument Air"

3. East piping penetration room

4. East electrical penetration room

5. Service water head tank area

6. Main plant area

7. Dattery vent area

8. Component cooling head tank

9. Access control HVAC

_ __ _ ________I

Table C12. (continued) FAILURE POSSIBLE CruSES EFFECTS E K OIAL ACTIONS

10. 1&C shop i t . Plant conputer

12. Blowdown tank area

13. ACW waste evaporator

14. Miscellaneous waste evaporator

15. Fuel upender

33. Failure of I A Mechanical damage to This f ailure can r=sult in a total Close valw 1 A823 to isolete header down- the 2" header by loss of I A transient if not quickly the failure to those systems stream of valve maintenance personnel diagnosed. Once the plant staff and plant areas listed under ,

I A823 so that or by equipment reco@lzes and disposes the problem, R above. Malntenance repairs & I A pressure failure the loss of air can be confined to the f ailed header decreases below those systems and areas of the plant 80psig listed in 32 above.

34. Manual valve l A Gradual bulldup of No ef fect unless combined with a No immediate operator action 823 falls open scale, rust, dobrls second f ailure such as the l A header required, and cannot be or other contamination f ailure discussed in 33 above. Maintenance corrects the closed preven ts valve f rom problem, closing

35. Manual vale l A 1. Operator / maintenance This failure results in loss of IA 1. Operations and maintenance 214 falls closed error to the pneumatic valws and Instru- personnel attempt to sents in the following systems and discover and correct the

2. Gradual buildup of areas of the plant: source of the problem.

rust, scrile, dobrls or other contamination 1. Caustic storage tank 2 Operator responds as closes valw directed by E0P-14, the

2. Make up dominerallzers " Loss of inst rument Alr"

3. Condensate polishers 1

i

Table C12. (continued) POSSIBLE CAUSES EFFECTS E K DIAL ACTIONS FAILURE

36. Failure of I A Mechanical damage to the This f ailure can result in a total loss Close valve f.*214 to Isolate header downstream 2" header by maintenance of I A transient i f not quickly diagnosed, the f ailure to those systems personnel or by equipment Once the plant staf f recognizes and and plant areas listed eder of manual valve 35 above, I A214 so that I A failure diagnoses this problem, the loss of lA can be confined to those systems and Halntenance repairs the pressure decreases below 80psig areas of the plant listed in 35 above. f ailed header.

37. Manual valve I A214 Gradual buildup of scale, No ef fect unless the fallure is conblned No Inunediate operator action falls open and rust, debris or other with a somnd f ailure such as the l A requi red.

cannot be closed contamination prevents header f ailure discussed in 36 above. Maintenance corrects the valve f rom closing p roblem.

38. Manual valve I A2131. Operator / maintenance This failure results in loss of IA to the 1 Operations and maintenance f alls closed error pneumatic valves and Instruments in the personnel attempt to u following systems and areas of the plant: discover and correct the D

2. Bulldup of rust, source of the problem.

scale, debris or 1. Turbine deck, eas? and west other contamination 2. Operator responds as

2. Auxillary boilers directed by E0P-14, the

                                                                                                   " Loss of instrument Al r"

3. Dearuator procedure

4. Condenser area ring

5. Sewage treatment

6. Intake core, water pumps

7. Condensate precoat filters

8. Turbine lube oil coolers

9. FW heaters 14A,14R,15A,158,16A,16B

Table C12. (continued) F AI LUE POSSIBLE CAUSES EFFECTS REMEDIAL ACTIONS

10. Auxillary FW pumps

11. Condenser area west

12. Molsture seperator reheaters 11 & 12

39. Failure of IA Mechanical damage to the This failure can result in a total loss Close valve I A213 to isolete header downstream 2" header by maintenance of I A transient I f not quickly diarposed, the failure to those systems of manual valve personnel or by equip- Once the plant staf f recopires and and plant areas listed under IA213 so that IA ment failure diacposes this problem, the loss of l A 38 aoove. Maintenance pressure decreases can be confined to those systems and repairs the f ailure header, below 80psig areas of the plant listed in 38 above.

40. Manual valve I A213 Gradual bulldup of scale, No ef fect unless the f ailure is conbined No immediate operator action y falls open and rust, debris or other with a second f ailure such as the l A requi red, g cannot be closed contamination prevents header f ailure discussed in 39 above. Maintenance corrects the valve from closing problem.

41. Manual valve I A656 1. Operator / maintenance This failure results in loss of IA to the Operator can start salt water falls closed error pneumatic valves and Instruments in the air compressors 11 and/or 12 following systems and areas of the plant: and open manual valve I A727 and/or 726

1. Systems inside the containment struc- These actions will allow the ture that includes the CVCS, the salt water conpressors to containment purge system, the RCS, prowlde alr to the l A loeds and the safety injection system downstream of I A656,

2. Auxillary FW control valves and 2. Operations / maintenance atmospheric dump valws attempts to correct problem

3. West piping penetration room 3. I f necessary laplement E0P-14, the " Loss of Instrument Al r" procedure.

Table C12. (continued) EFFECTS REMEDIAL ACTIONS FAILURE POSSIBLE CAUSES Mechanical damage to the This failure can result in a total loss Close valve I A656 to Isolete

42. Failure of I A of I A transient if not quickly diagnosed, the f ailure to those systems header downstream header by maintenance personnel or by equipment Once the plant staf f recoplzes and and plant areas listed above.

of manual valve Maintenance repairs the failed I A656 so that l A failure diagnoses this problem, the loss of ) I A can be confined to those systems header. ! pressure decreases 0 . below 80psig and areas of the plant listed in 41 above. Gradual bulldup of scale, No effect unless this failure is No immediate operator action

43. Manual valve requi red.

lA656 falls open rust, debris or other combined with a second failure such and cannot be contamination prevents as the l A header f allure discussed Maintenance corrects the closed valve from closing above. p rob lem.

44. Trip of both IA 1. Fallure of all three Both I A cogressors will overheat and The operator can take the compressors and service water pugs trip of f fir e. Also, the PA cogressor follwing actions: T the PA cogressor (Iow probability) will owrtient and trip of f line. This event is assumed to occur in imit i 1. Attempt to restore service

2. Failure closed of and the Unit 2 PA compressor normally water fim SRW pressure control would be cross cornected to the Unit 1 valve 1628 PA systee and could serve as a backup 2. Use Unit 2 cog ressors to source of cogressed alr. If this is provide backup compressing

3. Loss of both 500 KV the case, l A pressure should not drop capability for Unit 1.

electrical buses below 85 psig and no adverse plant ef fects should be experienced. 3. Implement EOP-14 " Loss of Instrument Alr" If I or 2 above is not successful.

4 -a n . e - ar . nu-a- s s - =..a < u-- s,au x ,- n a- .a -- a .ss a, -u - - u. r.- . -. - s ~~ ear---- - . - - - -..--ama-. - - + . - e , + _ - - - - _ , - - - - . . t W 1 1 e i l 1 i J t I J l l (r 5 4 I s , l1 i 1 I i i i t s e l i 1 4 [ , 2 f I e i, l b I 2 r I r f f e E I l i ,._,--- ,_--.. _ .___._ _.. _ -_ _ _.-_,-.._ ,_ , _ _ _ . ,-. ________ _ __.~.._. ._. ._ . . - . _, . . . _ - _ . _ _ _ . _ . _ _ _ ___ ._ . .._ _ - - - _ __ . - - _ ,

NUREG/CR-4265 VOLUME 2 ORNL/TM-9640-V2 APPENDIX D i APPENDIX D i 2 FAILURE MODES AND EFFECTS ANALYSIS (FMEA) 0F THE REGULATING SYSTEMS ELECTRIC POWER DISTRIBUTION CIRCUITRY

,                                AT THE CALVERT CLIFFS UNIT 1 NUCLEAR POWER PLANT 4

C. W. Mayo C. L. Mason  ; A.~ F. McBride D. P. Bozarth S. J. Caruthers j S. L. Turner I t Prepared for the OAK RIDGE NATIONAL LABORATORY Oak Ridge, Tennessee 37831 1

 ).
;                                                     April 2, 1985 Prepared by 4

SCIENCE APPLICATIONS INTERNATIONAL CORPORATION 1 Jackson Plaza Tower j 800 Oak Ridge Turnpike j Oak Ridge, Tennessee 37830

ABSTRACT The effects of regulating system electric power supply failures have been analyzed for the Calvert Cliffs Unit 1 power plant. Instrument and control system power distribution circuits were analyzed to define a comprehensive set of 24 single point failure modes. Selected multiple' power distribution failures were analyzed for circuits found to significantly affect regulating system response. For each power supply failure, the regulating system outputs were propagated through the energized and deenergized output control devices to determine the initial plant response. In addition, the effects of power supply failures on subsequent plant control were evaluated. Plant response to regulating system electrical power supply failure was not found to be severe. The regulating systems are substantially decoupled due to operation of the reactor and turbine generator in the manual mode only and the use of separate feedwater regulating systems , for each steam generator. Redundant reactor, reactor coolant pressure, l and pressurizer level regulating systems are available, but reactor coolant pressure and pressurizer level regulating functions are coupled through non-vital instrument power to control components. Some of the associated transients may initially appear similar to a small-break LOCA 1 or voiding in the reactor coolant system. Steam line safety valves may be challenged by loss of turbine bypass and atmospheric steam dump valve operations. Pressurizer relief valve operation and isolation can be affected. There is a possibility for overfilling one steam generator. These control failures can be managed through operator response and are not felt to have new cr significant safety implications. 253

I Dl. INTRODUCTION 1.1 3 COPE OF WORK This report presents the results of a failure modes and effects analysis (FMEA) of the electrical power supplies to the Calvert Cliffs Unit 1 regulating systeam. The objectives of this voric were as follows:

1. Perform a FMIA of the regulating systems power supplies to identify regulating system failures resulting from single point and selected multiple power supply failuren.

2. Evaluate the initial or near-ters response of the plant to the failed outputs resulting from each postulated power f ailure.

3. Note any failures that could lead to substantial imbalance between heat generation and removal or feedwater control problems.

4. Suggest design modifications that might eliminate or reduce the frequency or effects of the postulated power failures.

This study was performed for the U.S. Nuclear Regulatory Commission (NRC) and carried out by Science Applications International Corporation (SAIC) under the direction of Oak Ridge National Laboratory (ORNL). The seven regulaticg systems addressed in this study are identified in Table Dl. 1.2 TECHNICAL APPROACE The analysis of the regulating systems responses to power supply failures was performed using a modified yNEA. The regulating systems power supplies were identified and f ailure modes were defined. Regulating systes control failures and actions were determined for each power supply single f ailure mode. Mul tiple f ailures were identified that involved additional losses of regulating function. These failures, the initial transient, and subsequent plant control were reviewed for each response. 255 l

256 Table D1. Calvert Cliffs Unit I reguisting systems Systen Principal Functions Reactor Regulating System (RRS) Provide control signals which are used to regulate steen dump on high reactor Tavs after turbine trip, adjust pressuriser level setpoint as a function of power, and indicate high and low reactor Tavg error. Control Element Drive Transmit signal frca CEDS control console System (CEDS) to the coil power progreemers which develop the pulses for magnetic jack operation. Reactor Coolant Pressure Maintain system pressure within specified Regulating System limits by the use of pressuriser heaters and spray valves. Pressurizer Level Regulating Regulate pressurizer level as a function of System power by comparing seasured pressurizer l level to a programmed pressurizer level set point from the RR3 to control letdown control valve position and start or stop charging pumps. Feedwater Regulating System Maintain steam generator devacceer level within acceptable limits by positioning feedwater regulating valves which control the feedwater to each steam generator. Atmospheric Steam Dump and Dissipate excess N333 stored energy and Turbine Bypass System sensible heat following a turbine trip without lifting the safety valves. Turbine Generator Control steam flow to the turbine. Control Systes i l l

257 13 REPORT CONT!ITS This report describes the results of the Calvert Cliffs Unit 1 Regulating % stems FIEA The conclusions obtained from these resulta are suasarized in Section 2. Brief descriptions of the regulating systems and their electric power distribution circuitry are given in Sections 3 and 4 The results of the power supply FMIA for each power supply failure case are presented and discussed in Sections 5 through 14. l

                                                                           )

i 1 l l

258 D2. SNAIT OF IESULTS 1 detailed analysis of the effects of regulating systes electrical power supply failures has been performed for the Calvert Cliffs Unit 1 nuclear power plaat. This analysis consisted of determining the response of the regulating systems output signals to single and selected multiple point failures in the power supply circuitry. From these conditions, the automatic response of the plaat and subsequent control were evaluated. The regulating systems functions were found to be substantially deocupied due to manual control of reactor power, manual control of the turbine generator system, and setpcint control of steam generator level. Electrical power supply failures affect reactor coolant pressure, pressurizer level, main feedwater regulating valve and pump speed control, and atmospherio steam dump and turbine bypass control. These responses are primarily associated with failures of the non-vital instrument buses 1T09 and 1Y10 and 125-Y de bus 11. Failures of vital instrument buses 1T01 and IT02 can also affect these functions through the reactor, reactor coolant pressure, and pressuriser level regulating systems. Vital instrument bus single f ailure response can be corrected promptly by selecting the alternate regulating systems f or these functions. 1 The reactor coolant pressure and pressurizer level response to electrical power supply f ailures can lead to reactor trip in some cases. Pressuriz e r spray, pressurizer heater control, feedwater regulating valve 11, and feedvater pump speed control will remain failed until instrument bus 1709 is restored. Letdown flow control will remain f ailed until instrument bus 1710 is restored. Turbine bypass valves will fail closed until 125-Y de bus 11 is restored. Failure of 125-7 de bus 11 will result in Unit 1 turbine trip and may cause Unit 2 turbine trip. Manual controls are generally available for other regulating system functions following a single power failure. . The dominant reactor coolant pressure and pressurizer level regulating system response is to initiate a transient of decreasing reactor coolant pressure and/or increasing pressurizer level due to the loss of the pressuriz ar heaters, closure of the letdown control valve, and starting of the tackup i

259 charging pumps. If unterminated, this could lead to filling the pressuriser and liquid discharge through the pressuriser relief or code safety valves. Changes in reactor coolant pressure and pressuriser level could initially be interpreted as a small break LOCA or voiding in the reactor coolant system. Operator identification of the power supply failure vill contribute to the interpretation of this response. The failure of instrument bus 1T09 will freese the steam generator 11 main feedwater regulating valve and the main feedwater pump speed as-is. This will lead to constant feedwater flow to this steam generator. The main feedwater pump speed will also not run back on auxiliary feedvater actuation for this I bus failure. The feedwater pumps can be manually tripped at the pump turbine to terminate this flow. Failure of do bus 11 will inhibit automatic operation of the pressurizer relief valves. This failure will lead to turbine trip and reactor trip with the result that the pressuriser code safety valves will be challenged. Failure of MCC 104R or MCC 114R any lead to a reactor trip through effects on non-vital instrument bus 1Y10 or 1T09, respectively, and will fail one pressurizer relief isolation valve as-is. If the pressurizer relief valve sticks open during the transient, it cannot be isolated until the associated I block valve actor control center is restored. A double vital bus failure for 1Y01 and 1T02 would initiate a reactor trip, open the pressurizer relief valves, doenergize the pressurizer heaters, and j inhibit automatic control of pressurizer level. The pressuriser spray, charging pumps, and letdown throttle valve could be controlled manually. Double failures of instrument buses 1T09 and 1T10 and combinations of 1T01 and 1T02 with 1Y09 and 1710 failures generally produce the same regulating system response as single failures of IT09 or 1Y10 with some additional loss of steam generator instrumentation. Much of the single failure response could be eliminated by providing automatic bus transfers betwen 1Y09 and 1Y10 for non-vital powered components in the reactor coolant pressure regulating system, the pressurizer level regulating 1 l l l l 1

200 l l l l systes, the main feedwater regulating valve solenoids, and the main feedwater pump speed control. In suasary, failures of the regulating system power supplies can lead to reactor trips and increased dependence on code safety valves for secondary pressure control. They say also lead to constant feedwater supply to one I steam generator. The major effects could be reduced by developing alternate l power supplies for the pressuriser heater and charging pump regulating interface relays and the pressuriser spray and letdown control valve regulating interface modules. The design philosophy for failing the main feedvater valves as-is on loss of instrument power should be reviewed. The control failures and regulating systems responses to these failures can be managed by operator actions and should not significantly affect core cooling or the ability to achieve cold shutdown. 1 I

261 D3. IfDULATING SISTEMS FUNCTIONAL DESCRIPTICNS 3even regulating systems provide the signal processing and control functions required for operation of the Calvert Cliffs Unit 1 nuclear stema supply system. These systems provide information and controls for reactor regulation, control element drive position, reactor coolant pressure, pressurizer level, main feedwater flow to the steam generators, atmospheric i steam dump and turbine bypass valves, and steam flow to the high pressure turbine. Summary descriptions and functional block diagrams for these systems are provided below. More detailed descriptions of the functions performed by the regulating systems may be found in Reference 1. The regulating systems are primarily implemented with current loops for noise and signal isolation. The block diagrass are shown as functional equivalents in a voltage mode format for simplified illustration and are based on drawings provided by Baltimore Gas and Electric Company (Reference 2). 31 REACTCR REGULATING SYSTEM i The reacter regulating systes, illustrated in the functional block diagram in Figure D1, is used to provide signals for: o Atmospheric steam dump area demand, o Atmospheric steam dump quick-open permissive, o Pressurizer level setpoint, and o Eigh and low alars indication of the differences between reacter Tavg and the computed Tref. { The operator can select one of two reactor regulating systems designed as I or I with a manual selector switch. Each system is separate and independent of the other and receives ac power from separate vital 120-7 ao instrument buses. Reactor regulating system inputs and outputs are listed in Table D2. The controlling reactor Tavg signal is developed by passive summation of current signals frca selected temperature sensors. This signal is operated on by a function generator to provide an analog output for atmospheric steam dump and turbine bypass valve area demand and quick open. As Tavg increases, the

l y* RE ACTOR MGULATWO SYSTEhe V (17823 l e i e% se J d REACTOR MGULAT8NG SYSTEM N (1YOq ATM00PHERIC STEAM

                                                                                                                                                                                                 -~~

' ca.: Gh7...c- ... . !j I /~= c J y" [ TI CLOSE TO PEmami quick DUMP pl l ATMOGPHERIC STEAM M Duke QuCK OPEN PERMIS8 eve [ E)'*[ - e 3 1 I T" $2 )

                                                            .                                                                                                                          l *e-     PRES $UnilER LEVEL pl              SET POINT LOOP 2 (svg                      Te         %                                                                                                                        1
                                                      <+J                                                                                                )                             ' e(

T=T. g sus nas ctosEou m

                                                   ,*                                                                                 ERROR seOneAt HIGH M               N
                                                                                                          ,                                                                       ,g g[                  _

T== T= p OP, mesme J i2 Tw TURSaNE d  % I LDWf M P, ctOst O.n Low I NIM' O,., E- ~.. 1 I I i AftB CHApeleEL SELECT SWstiCH Fig. DI. Reactor regulating system functional block diagram.

260 Table D2. Reactor regulating system inputs and outputs Pea Description Comments Inruta 1 1-TIA-111I Loop 1 T hot Temperature sensors are manually selected to compute analog Tavs signal for both reactor regulating systems 2 1-TIC-111T Loop 1 T cold Temperature sensors are manually selected to compute anales Tavs signal for both reactor regulating systems 3 1-TIC-115 Loop 1 7 cold Temperature sensors are manually selected to compute analog Tavs signal for both reactor , regulating systems 4 1-TIA-121I Loop 2 T hot Temperature sensors are manually selected to compute analog Tavg signal for both reactor regulating systems 5 1-TIC-121T Loop 2 T cold Temperature sensors are manually selected to compute analog Tavg signal for both reactor regulating systems 6 1-TIC-125 Loop 2 T cold Temperature sensors are manually selected to ccepute analcg Tavg signal for both reactor regulating systems 7 PI-3957 Turbine 1st stage To RRS I for Tret calculatica Pressure 8 PI-4040 Turbine 1st Stage To RR3 T for Tref calculation Pressure Cut =uts 1 Atmospheric Steam Dump Area Analog signal to modulate atmos-Demand pheric steam dump and turbine bypass valves as a function of reactor Tavg

264 Table D2. (continued) Item Description Comments 2 Atmospheric Steam Dump Quick Contact closure vill permit tur-Open Pomissive bias bypass and atmospherio steam dump quick open af ter turbine trip 3 Pressurizer Level Setpoint Analog signal to pressuriser level regulating system adjusts level control setpoint as function of reactor Tavs 4 Tavg - Tref High Alam Contact closure indicates high Tavg compared to Tref 5 Tavs - Tref Low Alam Contact closure indicates low Tavg compared to Tref 6

265 l sigrAl to the atmospheric steam dump control valve increases. If the reactor power (as determined by Targ) exceeds a predetermined power level, the atmospheric steam dump quick open override bistable results in a quick opening of the atmospheric steam duap and turbine bypass valves following a turbine trip. The Tavs signal is also used to provide a programmed pressurizer level set-point that increases the pressurizer level as Tavs increases. This programmed setpoint minimizes changes in reactor coolant system water inventory during plant load changes and transients. 1 Tavs error signal is developed by comparison of Tavg to the desired reactor coolant average temperature (Tret) that represents a generated power referenc3 signal derived from the first stage turbine pressure. If the difference between Tavg and Tref should become either too high or too low, alaras will annunciate. These alaras indicate an imbalance between reactor power and turbine load. Loss of power to the selected reactor regulating system will result in a zero atnospheric steam dump area demand, loss of the atmospheric steam dump quick open permissive, regulation of pressurizer level at 270 inches, and loss of the Tavg high and icw error alara. The reactor regulating systes does not actively control the reactor power. The reactor is operated with all control rods fully withdrawn and nuclear power is controlled manually by the operator through reactor coolant boron concentration. The reactor regulating systes provides operator guidance in matching the reactor power to generator power through the Tavg high and low alarm. If the Tavs error exceeds the control band, the operator may reduce - the errce by adjusting boron concentration or adjusting the turbine throttle valve position. 32 CCNTSCL ELEMENT DRI7E SYSTEM (CEDS) The control element drive system is used to position the reactivity control rods in the reactor core. This system is operated in the manual mode only. l

266 The control rods are fully withdrawn from the core during operation and the reactor power is adjusted thmush the amount of dissolved boron in the reactor coolant. As a result, the 3DS cannot initiate positive reactivity changes. Faults with the 2DS can result in control red insertions and reactor trip. l Due to operation of the CEDS in the annual mode with all control rods fully j withdrawn and reactor trip functions provided by the reactor protection system, the CEDS is not considered to have a significant involvement in regulating systems interactions. 33 EEACTOR COOLANT PRESSURE REGULATING ST3 TEN The reactor coolant pressure regulating systes controla reactor coolant pressure through automatic control inputs to the pressurizer heaters to pr9 duce steam (1500 W total capacity) and the pressurizer spray flow control l valve to condense steam (375 gpa maximum flow). A small continuous ficw (1.5 gpa) is maintained through the spray lines at all times to keep the spray lines and the purge line wara, reducing thermal shock during plant transients. The reacter coolant pressure is compared to a setpoint value (2250 psia) and

 'the error signal provides proportional control of the spray valve position and proportional heater element power. Approximately 205 of the heaters are connected to proportional controllers which adjust the heat input as required to account for steady losses and to maintain the desired reactor coolant pressure. The remaining backup heaters are normally off but are turned on by a low reactor coolant pressure signal or high pressurizer level error signal through bistable controller outputs.

Two separate and redundant reactor coolant pressure regulating systems are used to develop the pressure control signals. These systems are powered from separate vital instrument buses and the operator can select either system for j l reactor coolant pressure -ontrol through a manual selector switch. The pressurizer spray valve contrc3 signal is further processed through modules l involving instrument power. The presswizer heater demand is also processed 1 through relays powered from instrument power. The pressurizer heater ac power is obtained through 480-7 actor control centers (MCCs).

267 The pressurizer heater controls include relays in the pressurizer level regulating system. These relays act to turn all hesters full on at high pressuriser level and to de-energize all heaters on lo-lo pressurizer level (101 inches). These functions involve the pressurizer level regulating system power supplies is pressuriser heater control. The reactor coolant pressure regulating system inputs and outputs are summarized in Table D3. A functional block diagram of the reactor coolant pressure regulating system is shown in Figure 02. Backup heater control details are shown in Figure 03. Loss of vital instrument power to the selected reactor coolant pressure  ;

;    regulating system will produce a zero current demand signal to the pressurizer                     l spray valve and to the proportional heatere. The pressur. .ir spray valve and                     !

backup heaters can be controlled manually through non-vital instrument power. Loss of non-vital instrument bus 1YO9 will produce a zero current demand signal to the spray valve I/P and fail the backup heater control relay in the "of f a position. While not formally a part of the reactor coolant pressure regulating systes, the pressurizer relief valves contribute tc reactor coolant pressure control under certain conditions. A two out of four logic indicating high reactor 1 coolant pressure from the reactor protection system will open the two pressurizer relief valves when the reactor coolant pressure exceeds 2365 pais. These valves are sized to be able to release sufficient pressurizer steaa , during abnormal operating occurrences to prevent opening of the reactor i coolant system safety valves. A actor-actuated isolation valve is provided i upstresa of each of the PR7s to permit isolating the valve. A functional block diagram for pressurizer relief valve control and isolation is shown in Figure 04. Failure of either the 480-7 ao or the 125-7 de buses will result in the PR7's closing or remaining closed. Due to the 2 of 4 logic, failure of any one of J the four 120-7 ao vital buses supplying the RPS will ceither open the PRV nor 1 prevent them from being opened due to high pressurizer pressure. Failure of _ _ _ _ _ _ _ ,_ _ _ _ _ - . . , _ . , - ~- _. ._

268 Table D3 Reactor coolant pressure regulating system inputs and outputs Item Description Comments lARILla 1 PT 100I Reactor Coolant Control signal to pressure Pressure regulating system I 2 PT 100! Reactor Coolant Control signal to pressure Pressure regulating system f cutnuta 1 Proportional Heater Demand Analog signal - Function inter-l copted by high and low level relays in pressurizer level system 2 63I/PC-100 Backup Heater Relay contacts switch heaters Demand on/off - intercepted by high and lo-lo level relays in pressurizer level system 3 Pressurizer Spray Talve Position Analog signal to selected spray valve I/P converter l l

                                  !                                   l                            !

yI LS AT A eN s E Z OEd 8 _ I g my aE f mL ut OE sa ey P g ny ORE eg R T P a PA Op 0E 1H . Tg i n a I , 1 i r g y = a

                                                               -                                            i d

k c o l 4 4 b R 4 L AA 4 E 4 8 peE l e

     #LO L u

s OL s L iO s u a a n M o

     #tO                                                                   mA l

c c _ e p u n i Ot e Pp { ya i t C o OO g c s RC a n e P g u

                              ,*                                                                           f L

Lc1 A ge 1 M iW S . ae Q L si t m e ew s s

                                                                                 - C12s 3 g6u 4

c2e t 3 i 6u t y s L - g n - i t a _ l M u g 4 e 3 3 l t" N r I 6 A y e E r H u i e s R s U e T p r _ , t

                                                                                              ..v           n
               ~                                                                            -

a O ~ i l L u o H OM E'j liI r e- Ogy j _ o c t A Iel I uA A HLA r o

                                                                  '       "                                t JT                                     c

_ V _ i

                                                                          =

a e V g y L e e (( cE R e R s ae sa s E g E e R ee A E t c NL t E vAs vv P 0e 0 A i p OL GO C KL eL EP ia 2 4 P nn T 3 a eO ee D AS Cd t R l PI D l g e ps O

                                                                   '      CT PN ww OO

r  :  : g C O PP i g

C xy F T - N A L _ O O C 7 R 9 0 8 ON C I I M A P o t e M t T P

heCC 100PHIA) O t 90PH4Al y1ClIE litPHIBl 926 was k tegated

• 5 t 82PHIB) gyes

                                               ;; : "   42 90001 1 A ='

43gesel

                                                                                                               .(             4" V

SACAUP HEATERS 83xA DE EsetAGeBS mema'* HEATEAS 000 U O LCineL LOLO LEWEL(IVt4 EpeEAGGES teEATEM Oss LOW m (1M A gygggggg ggggg g ggg g gggggggygg 1HG 3004 04AND SeeTCH FON O**dsTOR CONTROL OF GACgw teEATEM Fig. D3 Back-up heater control functional block diagram. i

L s e I

                    -]           c             I A

- 3} e s

                    -]

t r o M [j- E

                   ;                -                  V
                                    -                  L
                                    -                  A g                                  W N

0e [-l s o N s T 0 8 A L e 4 n t g- 4 w F E a i

                               -                   oe  e L

r g

                              -                        t s

n a

                               -                          i
 -                                                     n  d
                             ;                        z e  k j                         u r   c a

u ol { s b

                               -                      e
                               -                      n p   l
                               .                           a T                         n
                               .                           o C

l s i G t O g

                               .-                          c L                                                  n N

g

                                -                          u tle 9p       c"             .                         f 0 0                                               l 40 4   6w-                                         o r

F2 OT 2A 2-s t n o

 .-                                                        c e

v l a v r 2 e l

                        ,ol                               l
                        . i F                               e r

3 E r 4 V e 4 L z 3 A i 3, W r

                     ~

3 4 F u

 .                          g            4    t s             s 7,inp              3 g

g t t s e

 .                   -                   4    a             r g

P n t 2 m . m 4

                        , s a

s D . l N 4 e e s w g or i _ F no o L I 8 4 4 0 4 4 s 1 c 1 0s N c 2 2 E a 4 sP m . 4 oO e ne . 2O

                                            +

i . 0I s . 4 E c _ v2 t aGH c , u t et N i

                  .   - - - _ - . _ - - - - . .                         -.         -- - _          ~ _ -

i 1 i l 272 any two vital buses, however, will result in both PRT's opening and remaining open until manually closed from the control roca or one or both vital buses 4 are reenergised. 34 PSg330AIZEA LEYgL REULATING 3YSTDI The pressuriser level regulating system provides automatic control of the pressuriser level through analog control of the letdown control valve position ( and start /stop control of the backup charging pumps. There are two letdown control valves in parallel lines, each of which can supply a nazimum of 128 l spa of letdown flow. Under normal operating conditions, one valve is operating while the other is kept in a standby (closed) condition. Under j normal conditions one charging pump is operating at a design flow rate of 44 sp a. On/off control of the backup charging pumps provides an additional 44 i l spa per pump for a nazimum of 132 spa. There is no mechanism for throttling the flow on a charging line, i.e., the pump is either on and supplying 44 spa or off and supplying no flow. When all three pumps are on, flow will be supplied to the primary system up to a pressure which is high enough to lift i the pressurizer PAYS (2385 psig). The pressurizer level regulating system I also has dominant control over the pressurizer heaters to turn all heaters full on on high pressurizer level and to turn all heaters off on lo-lo j pressurizer level. 1 ne pressurizer level control signals are developed in two separate and fully redundant regulating systeam. Rose systems have separate pressurizer level

input signals and share the pressuriser level setpoint signal developed in the reactor regulating system. The analog output signal to the letdown control valve and relays used to control the charging pumps and pressurizer heaters operate from non-vital instrument power and are not redundant.

j Failure of vital instrument power to the selected pressurizer level regulating I system will produce a zero current demand signal to the letdown control valve and to the backup charging pump control histables. Pressurizer level regulating system bistable outputs will de-energize all pressuriser heaters and stop all but one charging pump. These failures can be corrected by manually selecting the altercate pressurizer level regulating system. I

273 l l l Loss of non-vital instrument bus !!10 vill provide a zero current demand to the letdown control valve and will de-energize contr. relays to de-energize all pressurizer heaters and stop all but one charging pump. Pressuriser heater controla vill fail off and the letdown control valve will fail closed. The charging pumps can be controlled manually through hand stations. The inputs and outputs of the pressuriser level regulating system are listed in Table D4. A functional block diagram of the pressurizer level regulating system is shown in Figure DS. Supplemental details of the charging pump actor control are shown in Figure D6. 35 FEECWATER REGULATING SISTEMS There are two fully separate feedwater regulating systems. Each system controls the main feedvater regulating valve and bypass valve position for one steam generator. Each steam generator level signal is compared to a setpoint and corrected by the ratio of steam flow to feedvater flow to provids the i correspecding feedvater regulating valve position control. The main feedvater regulating valves are autcaatically closed and the typass valves set to 55 of full power feedwater flew following reactor trip. This valve position can te manually overridden by the operator. i The two feedvater regulating systems rective pri ary ac power from separate vital buses. On the failure of a vital bus, the feedwater regulating system without pcwor automatically transfers to a separate non-vital instrument bus to restore power for continued plant operatioA It therefore requires one vital and o ne non-vital instrument bus f ailure to lose one feedwater regulating system, and two vital and two non-vital instrument bus failures to lose both feedwater regulating systeam. Inputs and outputs of the feedvater regulating systems are summarized in Table DS. A functional block diagram of the feedwater regulating systems is shown in Figure D7. The main feedwater regulating valve electro-to-pneumatic (E/P) position controllers have solenoid valves on the air lines that use non-vital I i b n

274 Table D4 Pressurizer level regulating system inputs and outputs Item Description Comments

                                                                                     ~

lABLt3 1 LC110Z Pressurizer Level 2 LC110I Pressurizer Level 3 Pressurizer Level Setpoint Fra reactor regulating systen Outnuta 1 63I Chit Relay Start /stop charging pump 111 2 63I CH12 Relay Start /stop charging pump 12 I 3 63I CH13 and T.elays Start /stop charging pump 131 63I CH14 4 63IA/LC110L Relay De-energizes to turn off all backup heaters on lo-lo level. Loss of control power to this relay overrides all control of backup heaters and de-energizes Group A proportional heaters. 5 63IB/LC110L Relay De-energizes to turn off Group B proportional heaters on lo-lo level 6 63IA/LC110H Relay De-energizes to turn heaters on at high level 7 63IB/LC110H Relay De-energizes to stop all but one charging pump on high level 1 0ne caarging pump iJ normally operatina. Control relays de-energize to start one selected out of the remaining two charging pumps. 1 r

l 276 l I l u u l.i as 5@ 8 11; 5$ a b 35# 2, El=a o! El 25!,5 5 5 5. a 2 I T

                                                 .i:

sig afg WW. rug , es lla l(

                                                                                         *ltl 8

P

  . i                i.i         tl g 8_i     .-

1 n.s. as 5 n.=s

                                                                                         .l se s.

j l s s5)

                                   $, '                                                    d..                    E
                                                                    $!.                                          y
                                                                                                                  -              l a

3 < 3e:! ga! y

t-e  :.

      '                                   I                                      :                                a S,                us          '
                                     -s                                                                   , =I s U NE                  ~g            gg                                                                     2    -
    -                  :              :3                                                                  :s sg            sg                                                                           .

t + '

 .w.__...                 ......_.___w.. w..._..w                      _.       _____     >c       4__.*

8 A w .I IA s w vl '

E jl

                             =            =  ,1 +
                                              .          1                          _ .l
                                  .l i-
              .              ;                5 g    -W          W     s o--       . E    +
                                                                                                   =

sa j a

            ==                               q     . ,  = ==        s-                    e-           :

w- eI

                             =, !s
                             -  8<+5 2 go g.

[- s zs sa

                                                                                                       --          4 9::         b            b 05                      r .r5 s:f     9F535                     r   Ef a ,,

g, , ,, ,, ,, 1L 1~ n Oi iP

                ==1                                  50L a
                                                     .:  a p-
                                                         =

i l l

                                                                                           .so k amor aus em
                                                                                                -t                                         'mg 1 Cs n
                                                                                                                                             -.a s         cs
                                                                                                                                                                      ,T '~'* *' ""' -  " . : : um2                                              ,=

i rc  ::

2 ::  : C4OSE f **

                                                                                                                                                                      - $4AS ] 4. 43X g

• h na m 224M I _j C" M

                                                                               . g /" /'       ' /" s        62                      g
                                                                              ,-              - -                                    3                        donascuan                        k I             sao was assas tesE FOR Ch13                             l 1

I g SEE peOIE 2 I l u 480 h 440 h I $ uNeTaus14A UNei euS 94A l j I cewuana esmee uoion g:miin stE NOTES 642 I I l b) - 4) l l l 1 owume cu,

                                                                                                                                                                                                                                                          ,1 MOOOn Cn 33 I                                                                     I I

J Note i owumas ruur uosoH ech are RED #seou aso k aus sea, sk: Pant a noAHo 2 Nolt 2 OtAfMAeG PuuP WOTOH lCh 333 FED ifeOM 480 unc bus 54 A OH 4e6 h bus tlA WlA MANUAL SWWIIQt, oc PANE & BOARD ll On 23 Fig. D6. Charging pump motor control functional block diagram.

277 t Table DS. Feedwater regulating system inputs and outputs Item Description Comments lAluLfJ 1 1-FT-1011/ Steen Flow Analog signal to regulating 1-FT-1012 system 11/12 2 1-FT-1111/ Feedwater Flow Analog signal to regulating 1-FT-1112 system 11/12 3 1-LT-1111/ Downconer Level Normally for main FW regulating 1-LT-1112 Tran =itter valve control in regulating system 11/12 4 1-LT-1105/ Normally for bypass FW valve 1-LT-11C6 control in regulating system

• 11/12 cut =uts 1 1-FL7-1111/ Main Feedwater Analog valve position signal for 1-FL7-1112 Regulating 7alve steam gecerator 11/12 E/P 2 1-HC7-1105/ Bypass valve E/P Analog valve position signal for 1-HC7-1106 steam generator 11/12 NOTE: Each steam generator has a separate feedwater regulating system.

                        *he input and output tag numbers shown correspond to SG11 followed by 3G12.

l

sIE Au f TOW FEEDwATE M N I"

                                                 ---+       yggg m                                  m m            #

Q -* coNinottEn vatvf E# siE au Ft OW tEvEt set roeNT y  % (EActAG - POWER SUPPLIES FEEowa:En PRIMARY ALTERNATE (AUTOMATIC stow TRANSFERS) i SG11 1Y01 1Y00 l SGl2 1Y02 1Y10

                       .P:'*--             LEArnAo
                          -e                                                                                                                                     ti*

oowNcousa g LEVEL g 1 I I tuRmME ifuP l Atuosenspec sTEAu a puuP PEnuessavt CoMinottER . _ Svenas Fw 0

• 41 '

VMWE EP K3 NR ll

sta LEVEL st IfeP GsAS GENERATOR l Fig. D7. Feedwater regulating system functional block diagram.

I i 1 i 4 3 i

i i 279 instrument power. Each of the two main feedwater regulating valves has a different source of instrument power. Loss of non-vital instrument bus 1T09 or 1710 will fail the affected main feedwater regulating valve position as-is. While not a part of the feedwater regulating system, the main feedwater pump speed control particisstes in feedvater flow control, mis function controls the main feedwater puni %oine speed to maintain a constant pressure drop across the main feedwater regulating valves. The main feedwater pump speed control uses non-vital instrument bus IIQ9. Loss of this power results in the failure of main feedwater pump speed control at the operating value. The main feedwater pumps can be tripped manually at the pump following this loss of power. The main feedwater pump speed control inputs and outputs are summarized in Table D6. A functional block diagram of the main feedwater pump speed control is shown in Figure ca. 3.6 ATMCSPEERIC STEAM DUMP AND TURBINE BIPASS SISTZM The atmospheric steam dump and turbine bypass system provides for steam pressure control through the two atmospheric steam dump valves which exhaust to the atmosphere and the four turbine bypass valves which exhaust downstream of the M3I7s to the main condenser. The steam flow capacity of each turbine bypass valve is 105, making the total capacity of the turbine bypass system 405 of full power steam flow. Each atmospheric steam dump valve can relieve 2.55 of full power steam flow. Prior to turbine roll, or under conditions where steam pressure exceeds a set value, steam generator outlet pressure is used to regulate turbine bypass valve position. Following a turbine trip, the larger of the secondary steam generator outlet pressure error or Tavg error from the reactor regulating system is selected to sedulate turbine bypass valve position. The Tavs error is also used to control atmospheric steam dump valve area following a reactor trip. If the Tavs error is greater than a setpoint value, then both the turbine bypass valves and stacaphoric steam dump valves receive a quick open signal follewing turbine trip. The valve position control will return to area demand based on steam pressure and/or Tavg error when the Tavg error is below the quick open setpoint. Loss of condenser vacuum will result in a quick

i 280 Table D6. Main feedwater pump speed control inputs and outputs Item Description Comments 1 Incuta 1 1-PDT-4516 DP Transmitter Hain W regulating valve 1-C71111-DP 2 1-PDT-4517 DP Tranmaitter Main W regulating valve 1-C71121-DP cutcuta 1 W Turbine Speed Demand Analog signal to motor control 11 unit 2 W Turbine Speed Demand Anales signal to acter control 12 unit 1ATAS actuation without steam gecerator tube rupture logic actuation will run pump speed back to ainlaus recirculation.

   . - ..         _ - - -            ..          .        _ _ . .          . . _ . _ - .          _ .. ._                 -         ._.               - - = . - .-   - --

i ) I i a t e i senc neoton cosetnot anotOsI GEAn P.W.Tunesses se spoec 4514 4514 uNii uself

          ,,,,3,.

4s 4696AA BHIC heOTOft COedist0L 6801084 OEAft 4M As stupessAca

                           ]            l       10 asise                                  iPY                                           F.W.TuneNE 12 ftECanCULAllosel er                     -am                   uusi              us.T                              g
          ,,,,,,,         iy NOTE. Att suretEp af avois LXCEPT IPT4547 WHICH 18 SUPPLIED eV SYle Fig. D8. Feedwater pump speed control functional block diagram.

i I d

282 close signal to the turbine bypass valves. The quick close signal dominates all other control inputs to the turbine bypass valves, i Lcas of de bus 11 will close or hold closed the turbine bypass valves due to the quick close action of isolation solenoid valves. The atmospheric steam dump valves will not quick open without power from de bus 113 however, ===m1 oontrol is trailable for these valves. Instrument power for turbine bypass valve pressure control or the atmospherio steam dump valve Tavg error regulating or hand ocatrol stations was t identified free the available documentation. Loss of this power will act to close the affected valves, l l The turbine bypass and staospherio dump system inputs and outputs are summarized in Table D7. The system functional block diagram is shown in Figure D9. 37 TURBINE GENER1 TOR CCNTIG. The turbine generator system is controlled manually. During load changes, operators adjust the position of the four turbine main steam control valves in l coordination with reactor power changes to maintain the reactor Tavg error within programmed limits. These limits are indicated by the reactor i regulating system through the comparison of the reactor Tavg to a cos;uted Tref derived from the turbine first stage pressure. Since the turbine first stage pressure varies as a function of turbine load, these actions provide a match between reactor thermal power and generated electric output. While some station power supply failures can cause a turbine trip, closure of the turbine control valves does not affect the ability of other regulating systems to operate as designed. As a result, the turbine generator control system is not considered to have a significant interaction with other regulating systems, t l I

283 Table D7. Atmospheric steam dump and turbine bypass system inputs and outputs l Item Description Co m ata IMM3 1 1-PT-4056 Steam Generator Anales signal for atmospheric Outlet Pressure steen dump and turbine bypass valve area control 2 Tavs from Reactor Regulating Analog signal for atmospheric System steam dump and turbine bypass valve area control 3 Turbine Trip Status Closed contact indicates turbine trip 4 condenser Yacuum Open contact indicates loss of vacuum 5 Relay contact E7 from reactor closed contact indicates quick regulating system open permissive cut =uts 1 Turbine Bypass Yalves (4) Analog position signal 2 Atmospherio Steam Dump inalog position signal Yalves (2)

us wm aus si

                                                                                                   ,I- -O uANuAt SET
                                          ,o           .seem b

pos**l ounae

                                                                                                  .n       @                                 pavi ___       __I

l 8 entssuNe I""U"

e. j -

acv siEAu..Gt.NERATORO ou,t . .u - IPI4GS4 ce PtC 4064 I - L.- )  ; w 3948 l l Au l g g

e. -4 3 acv 3

                                                                             %      w                                                                 asse        I
                                                                                                   '                                                    A0 Ol                    Aiu g J

l TUR80NE gBYPAS8

e. ecy l VALVES

                                                                             <%     w              L ,                                                 sees       i I                                               g         1 l

I Im enou asAcion mout aisNQ l.@._ _ dl i 4 l i sysitu 'TT scv g

• WP sees g

O8 Alu I ________J I l _____3 I I 4 ,cv i

                                     .        ,,,c              =      c            .                    ,                                                    i
                                                                  -                                      g                                              2     1 l ATMOSPHERIC h CONIACIIN M AcioA RtGut ATING                                                                 l                                                           STEAM sisieu ctosss o NIGH Ia.e im                                                              j                                                    l DUMP la PEnuar ousca oPEN
         @ cONiACI ctosEs oN TunesNE ineP
                                                                                                ,,      j                                                     g l VALVES
                                                              +     inC         ;   W                                                                  3930   l (mmen oPiN WBIH @                                                                   k                                                    Ao    l
         @ s(ON, ACI OPENS oN tow CONDENSER acuuu ron ouica etose                          ois%                   u                                                             ---- J
                                                                         . .u .- .u w . . - -

g hs1Ru.ACNT AaH 80 000 paa - Fig. D9. Turbine bypass and atmospheric steam dump functional block diagram.

2ss D4. PCWEB SUPPLI DEFINITION AND ANALI3IS The Calvert Cliffs Unit 1 ao electric power distribution is shown in a simplified schematic diagram in Figure Dlo. The plant power requirements normally are supplied from the switchyard through 13-kT service buses 11, 12, and 21. Bus 12 supplies the four reactor coolant pump buses, and bus 11 supplies the 4-kV unit buses 11,12,13,15, and 16. Bus 21 supplies 4-kV unit bus 4 The safety related Channel ZA and ZB power requirements are supplied by 4-kT unit buses 11 and 14, respectively. These buses are energized by two of the three emergency diesel generators shared by the two Calvert Cliffs units. The 4-kV unit buses supply the 480-7 unit buses through transformers. In particular, 4-kT unit bus 11 supplies 480-7 buses 11 A and 11B; 480-7 unit bus 115 supplies 480-7 reactor MCC 114R. The 4-k7 unit bus la supplies 480-7 unit buses 14A ad 148, and 480-7 unit bus 14 A supplies 480-7 reactor MCC 104R. Plant de leads are supplied by 125-7 de buses 11, 12, 21 and 22, and 250-7 de bus 13 which are shared between the two units. Each de bus normally is fed by its associated battery charger (Le., bus 11 fed by battery 11 and battery < charger 11). The four 125-7 de battery chargers 11, 12, 21, and 22 are fed by 480-7 unit buses 11A, 148, 218, and 24 A respectively. The 120-7 ac instrument buses are fed frca the do buses through inverters er from the 480-7 ac MCC's through transformers. The 120-7 ac vital buses 11, 12, 13, and 14 are supported through their associated inverters from de buses 11, 21,12, and 22 respectively. The vital buses may also be fed, by manual transfer, from 120-7 ac bus 1!11. The 120-7 ao buses 1Y10 and 1!11 are fed through their transformers from 480-7 ao MCC 104R. Bus 1!09 is fed from MCC 114 R. Electric bus failures can occur for a variety of reasons including isolation or failure of feeder buses cr shorts that could occur during maintenance. For purposes of this analysis, single unspecified failures have been postulated at various points in the power distribution circuitry. The failure has been

286 500 KV SUS Soo MV sus 13 KV SERV sus 21 13 KV SERY sus t' 13 KV SERV Bus 12 i m ERKVsuSES REACTOR COCLANT PUMP BUSES 4 KV UNIT SUS 12 CCMOEMSATE PUMP 11

                                                       . CONDENSATE 500 STER PUMPS 11 AND 12 4 MV UNIT SUS 13 CCNCENSATE PUMPS 12 ANO 13
                                                  <CNCENSATE SCCSTER PUMP 13 OtESEL4ENERATOR 4 KV UNIT SUS 11(ZA)               T

• SALT W4TER PUMPS 11 ANO 13 SERVICE WATER PUMP 11 ANO 13

                                       .MPSI PUMPS 11 ANO 13 40cv UNIT SUS 11 A            440V UNif SUS tes

• CMG PUMP 13*
• CMG PUMP 11
• CC PUMP 11
• INST AIR CCMP 11 CIESEL CENERATCR
• REACTCR MCC 114R

                                         ,  4 KV UNIT SUS 14(23)

• SALT WATER PUMP 12
• SERVICE WATER PUMP 12

                                      . HPS! PUMP 12 480 UNIT SUS 14A               440V UNIT GUS 14e
                                                            . CC PUMP 12

• INST AIR COMP 12

                                                            . PLT A R COMP 11            . CMG PUMP 12

• REACTOR MCC 104R
• CHG PUMP 13*

e CHANGING PUMP 13 FED SY 440 V UNIT BUSES 11A OR 14A VIA M ANUAL SWITCM Fig. DIO* Simplified schematic of Calvert C11rrs Unit 1 ac power distribution. .I l l I

287 assumed to de-energize the directly affected bus, buses fed only from this bus, and possibly the feeder buses to the affected bus. In cases where a maintenance tie exists, failures affecting both normally inlated buses were considered. 7 The 4-kT unit buses shown on yigure D10 have multiple sources of power (13-kT service bus 11 and the emergency diesel-generators). Thus, 4-kT unit bus failures were assumed due to postulated faults on the 4-kT unit buses. This fault results in de-energising the lower voltage bus fed from the affected bus. Similar faults were postulated on lower voltage buses. Maintenance ties between MCCs 104R and 114R and between non-vital instrument buses 1Y09 and 1Y10 were considered possible neohanisas for propagating a single f ault to both of these MCCs or the non, vital instrument buses. The 125-7 de buses 11,12, 21 and 22 each have multiple independent power supplies and have no maintenance ties. Therefore, only faults affecting , single buses were considered. Each of the 120-7 ac vital buses (1Y01,1Y02,1703, and IT04) is normally fed from a separate 40 bus through an inverter. One or more vital buses may be fed from 120-7 ao bus 1Y11. Therefore, single and multiple vital bus failures vem considered. Where either of two instrument buses supply a single instrument panel by automatic selection, two f ailure modes were considered. A fault in the panel l could result in both feeder buses being isolated from the panel. The feeder buses would continue to supply other loads in this case. The analysis also ! considered the possibility of a panel fault propagating to the primary supply bus and subsequently propagating to the backup supply bus on automatic transfer. In this case, the two buses feeding the panel would be doenergized. The Calvert Cliffs Unit I regulating systes power supplies were identified and

located on the station one-line power distribution. Single f ailures were j postulated at each node in the power distribution system and the affected  !

regulating systems and functions were identified. Multiple f ailures were i postulated for buses icrolving maintenance ties and regulating systen loads. l

288 Power supply failures which did not affect regulating systems functions were removed fece consideration. Twenty-four distinct single point bus f ailures were identified that affect the regulating systems. These f ailure points, associated lower level buses, and the affected regulating systes functions are summarized in Table D8. The multiple instrument bus f ailures that were analyzed are summarized in Table D9.

l 289 i Table D8. Calvert Cliffs Unit I regulating systems power supply failure modes Bus Failure Lower Level Ites P;, Ant Bus Failures iffected Control Fuaotions 1 1YO1 None Reactor, reactor coolant pressure, and pressuriser level systems (if selected to this bus) 2 1f02 None Reactor, reactor coolant pressure, and pressuriser level systems (if selected to this bus) 3 1!09 None Pressuriser spray, pressu:*iser backup heaters, one main feedwater regulating valve, main feedvater pump speed 4 tilo Mone Charging pumps, pressuriser heatere, letdown control valve, one sain feedwater regulating valve 5 125-7 de Bus 11 None Pressuriser relief valves, turbine bypass valves, atmospheric stesa dump valves, charging pump 11, half of the proportional heaters, main turbine EBC 6 125 7 do Bus 21 None Balf of the propertional heaters, charging pump 12 7 MCC 109PH None 1/4 of backup heaters 8 MCC 110P8 None 1/4 of backup heaters 9 MCC 111PH None 1/4 of backup heaters 10 MCC 112PH None 1/4 of backup heaters 11 MCC 104R 1!10 Cne PAY, charging pumps, pressuri. ser heaters, letdown control valve, one main feedwater regulating valve. 12 MCC 114A 1f39 Cne PRY, pressuriser spray, pressuriser backup heaters, one sain feedvater regulating valve, main feedwater pump speed

290 4 i Table D8. (continued) Bus Failure Lower Level Item Point Bus Failures Affected Control Functions ) i 13 480-T Unit Bone Balf of the proportional heaters, sus 11A charging pump 13 (also fed by 480-7 unit bus 14A via annual switch) 14 480-Y Unit Reactor MCC 114R Charging pump 11, one FAT, Bus 118 Instrument Eus 1709 pressuriser spray, pressurizer heaters, one main feedwater regulating valve, main feedwater pump speed 15 4-kT Usat Bus 11 480-Y Unit Combined functions of 480 Y Unit Buses 111 and 115 Buses 111 and 118 Reactor MC 114R Instrument Sus if09 16 480-7 Unit MCC 109FH8 1/4 of backup heaters Bus 12A 17 460-Y Unit MCC 110FH 1/4 of backup heaters l Bus 125 18 4-kT Unit Bus 12 480-7 Unit Combined function of 480 7 Unit Buses 12A and 125 Buses 12A and 125 MCC 109FE MCC 110FH 19 480-Y Unit MCC 111P5 1/4 of backup heaters Bus 131 20 400-7 Unit MCC 112FE8 1/4 of backup heaters Bus 138 21 4-kT Unit Bus 13 480-7 Unit Combined functions of 480 V Unit Buses 131 and 138 Buses 13A and 135 HCC 111P5 MCC 112FH i i p l

291 Table D8. (continued) Bus Failure Lower Level Itan Point Bus Failures Affected Control Functions 22 480-Y Unit Beactor MCC 1041 Cae FRT, half of the proportional Bus 14A Instrument Bus IIt0 heaters, letdown control valve, one main feedwater regulating valve, charging pump 13 (also fed by 480-Y unit bua Ita via manual suitoh). 23 480-Y Unit None Charging pump 12 Bus 14B 24 4-kT Unit 480-7 Unit Buses Combined functions of 480-Y Unit Bus 14 14A and 145 Buses 141 and 145 Reactor MCC 104R Instrument Bus 1!10 ' References 4 and 5 indicate MCC 109PH is fed fros 480-7 unit bus 115 and MCC 111PB is fed from 480-7 unit bus 148.

292 Table D9. Calvert Cliffs Unit I regulating systems multiple power supply failure modes Bus Failure Ites Point Affected Control Functions 1 1701 and 1702 Reactor coolant pressure and pressuriser level, steam dump quick open, and automatic atmospheric steam dump control 2 17C1 and 1Y09 Fressuriser spray, pressuriser bacicup heaters, one feedwater regulating system and main feedwater regulating valve, main feedwater pump speed 3 1Y02 and 1710 Charging pumps, pressurizer heaters, letdown control valve, one feedwater regulating system and main feedwater regulating valve 4 1Y09 and 1Y10 Charging pumps, pressuriser spray, pressurizer heaters, letdown control valve, main feedvater pump speed, both main feedwater regulating valves l r l

                                            ,_~          ,        _      _         ___                , _ _

293 l

05. gTTECTS OF TITAL INSTRUMENT BUSES IIO1 AND 1!02 CIECUIT FAILURES ON REGULATING SYSTEMS RESPONSE i

The failure of bus 1701 or 1702 can affect the reactor regulating systes, the pressurizer level regulating system, and the reactor coolant pressure regulating systes, but, because separate and redundant regulating systems are available for each of these functions, the plant response depends on the systems that were selected for operation at the time of the bus failure. The alternate systems can be selected by the operator through manual switches 30 that prompt recovery of operating regulating systess is possible for these bus failures. The individual and combined regulating systes responses are summarized in Table D10. These effects and the different combinations of regulating system failures are discussed in the following sections. 5.1 IIITIAL CCNTROL RESPONSE i The initial regulating system response to failure of the 1!01 or 1Y02 bus consists of the following cases:

1. Reactor regulating system failure

2. Reactor coolant pressure regulating systes failure

3. Pressurizer level regulating system failure 4 Reactor and reactor coolant pressure regulating system failure

5. Reactor and pressurizer level regulating system failure

6. Reactor coolant pressure and pressurizer level regulating system failure l T. Reactor, reactor coolant pressure, and pressurizer level regulating system failure, sameter ennutmein, syntam ratture. Failure of the selected reactor regulating system will result in loss of the atmospheria steam dump area demand function, the atmospheric steam dump quick open permissive Tavs error alarms, and a lowering of the pressurizer level setpoint. If the plant is operating normally, automatic control response will be to stop all but or:e chargteg pump and open the letdown control valve as steps to regulate pressurizer level at the lower indicated setpoint. If a plant trip occurs while the reactor 1

I l 1 i l

294 Table D10. Initial control response of individual regulating system to f ailures of vital instrument buses 1Y01 and 1YO2 Regulating Systen Failure Control Response l Reactor Power to selected Atmospheric stees dump area system fails demand goes to zero. Atmospherio steam dump quick open pomissive not allowed. Pressurizer level setpoint fails to lower level. Tavs - Tret high/ low alam fails. Power to non- Zero current from half of the selected system sensors. Atmospheric steam dump fails area demand fails closed. Atmos-pheric steam dump quick open per-missive not allowed. Pressurizer level setpoint Icwered. Tavs - Tref high/ lev alam indicates Tavs too low. Reactor Power to selected Pressurizar spray valve closes. Coolant system fails Prcportional heaters fail on. Pressure Backup heaters turn on. Pressurizer Power to selected Letdown control valve closes. Level system fails Pressuri=er level indicates 1cw which starts backup charging pump (s). All heaters de-energized due to apparent lo-lo level indication. Feedwater Power to selected No response. TIO1 alternate system fails (.1G11) is 1Y09; tr02 altercate (SG12) is 1!10. Transfer to alternate bus is autcoatic.

 ' Control response is for loss of power to single regulating system. Multiple regulating system failure response is described in the discussion.

4

296 regulating system power supply is failed, there will not be a turbine bypass valve or atmospheric steam dump valve quick open and secondary steam pressure control will be provided by the code safety valves. If the reactor regulating systes power supply fails while the turbine bypass or atmospheric steam dump valves are in operation, the quick open function will be lost and the atmospheric steam dump valves will close. The turbine bypass valves will regulate on steam pressure and manual control of the atmospherio steam dump valves will be available. Additional pressure control will be provided by the code safety valves if required. The regulating system failure can be corrected by manually selecting the alternate reactor coolant pressure regulating systes. Loss of power 1!01 or IIO2 is alarmed in the ecatrol room. SEM19E C991Md.122229E2 32M1 Mins Evstem. Loss of power to the operatLas reactor coolant pressure regulating system will close the pressurizer spray valve and turn on the proportional and backup pressurizer heaters. yh e pressurizer level regulating system will participate by closing the letdown control valve and turning on the backup charging pump (s) to maintain pressurizer level. This will introduce a positive pressure transient that could result in a high pressure reactor trip. The pressurizer heaters and spray valves any be controlled manually from non-vital instrument power. The regulating system failure can be corrected by sacually selecting the alternate reactor coolant pressure regulating system. Loss of power if01 or If02 is alarmed in the control room. 222J29E118E LB121 II* *"1MlBL12B12B. Loaa of power 1101 or 1102 %o tbe selected pressurizer level regulating system will close the letdown control valve, start the selected backup charging pump (s), and de-energize the pressuriser heaters. This will produce a transient of decreasics pressure and increasing pressurizer level. Unless terminated, this could lead to filling the pressuriser. There any be a low or high pressure reactor trip. The letdowr. control valve can still be controlled manually through non-vital

l 1

29e instruseat power. These effects can be corrested by manually selecting the 4 alterante pressuriser level regulating system.

Renatar and Ramatar canlaat Pressure Ranulatina Swatana Failure. If both the i reactor regulating systes and the reactor ocelaat pressure regulating systes f are selected from the failed bus, the net effect will be the esebination of the individual reactor regulating system and reactor eeelaat pressure regulating systes failures as previously deserited. A hig pressure resetor l trip is possible followed by dependesee en the code safety valves for d secondary steam pressure control. These automatie regulating fuantions can be ) restored by manually seleotias the alternate reactor and pressuriser level regulating systees. 4 Renator and Pressurizar t.aval Requintina Swatana Failure. If both the reactor regulating systes and the pressuriser level regulating systes are selected ! from the failed bus, the pressuriser level regulating systes failure dominates ! the failed pressuriser level setpoint signal free the reactor regulating

,      system. The pressuriser response will be the same as described for the i

failure of the pressuriser level regulating syntes by itself. The additional i failure of the reactor regulating system will affect atmospherto steam dump i 4 and turbine bypass control as described for failure of this systes alone. The not result will be an increasing pressuriser level transient combined with decreasing reactor coolant pressure and loss of the atmospherio steam dump

;      quick open or reactor Tavg atmospherto steam dump and turbine bypass ares

) demand if there is a reactor / turbine trip. These automatic regulating functions can be restored by manually selecting the alternate reactor and , pressuriser level regulating systees. l j tamatar esetant Premanae and Pramanat eme 1.sval Ammistattan swatans *r-e-F ai lur_e. Loss of power to the operating reactor coolant pressure and j pressuriser level regulating systees will result in loss of the pressuriser heaters, starting of the backup charging pump (s), and closure of the letdown control valve caused by failure of the pressuriser level regulating sysces ar.d , closure of the pressuriser spray valve caused by failure of the reacter coolant pressure regulating systes. The resulting reactor coolast pressure and pressuriser level transient will be the not effect of the loss of heaters I 1 I i j i

297 l combined with reduced spray and an increase in reactor coolaat inventory from the charging pumps. Manual control of the letdown control valve and the pressuriser spray valve are available through neo-vital instrument power. The autcastic regulating functions can be restored by manually selecting the alternate reactor ocolant pressure and pressuriser level regulating systems. i laantar. Raantar conlant ereasure. and Pressurinar Laval Raaulatina Statama l Pavar sunniv Failure. Loss of power to the reactor, reestor coolaat pressure, and pressuriser level regulating systems will result in the effects of the combined loss of power to the pressuriser level and reactor coolaat pressure regulating systems with the loss of atmospherie steam dump quick open and Tavs area demand functions assootsted with the reactor regulating system. An increasing pressuriser level and dooressing reactor coolaat pressure transient will be initiated with dependence on the code safety valves for secondary pressure control in the event of a reactor trip. These automatic regulating functions can be restored by selecting the alternate reactor, pressuriser level, and reactor coolant pressure regulating systees. 52 SUB3EQUENT CONTACL It is ex;ected that the operators will select the alternate regulatirg systems

 !  as required following a failure of vital instrument bus 1TC) or i!02 and that normal reguisting system functions will be available for subsequent plant control.

1 i l

298 c6. ETTECTS OF INSTRUMENT BUSE31709 AND 1Y10 CIRCUIT FAILURES Of RIDULATIN3 SYSTEMS RESPCNSE The failure of non-vital instrument bus 1T09 affects reactor coolant pressure regulation through f ailed output control modules and relays, and affects feedwater flow regulation through loss of power to one feedwater regulating valve and the feedwater pump speed controller. These effects are summarized in Table D11. The failure of non-vital instrument bus 1T10 will affect pressuriser level control through f ailed output relays and will affect the steam generator 12 feedwater regulating valve through loss of power to air control solenoids. These effects are summarized in Table 012, 6 .1 INIIIAL CCNT23. RESPCNSE Failure of instrument bus 1Y09 will result in the pressuriser spray valve closure due to loss of power to the spray valve control station. The pressuriser backup heaters will fail off due to loss of power to the backup beater control relays. The main feedwater regulating valve for steam generator 11 will fail as-is due to loss of power to air control solenoid valve s. The main feedwater pump speed will fail as-is due to loss of pcwer to the pump speed controller. The reactor coolant system any ez;erience decreasing pressure due to the backup heater f ailurea. Failure of instrument bus 1Y10 will deenergize all pressuriser heaters due to loss of power to the 1o.1o level heater protection relays. The backup charging pump (s) will be started due to loss of power to their control relays. This will lead to a transient of increasing pressuriser level and decreasing reactor molant pressure. The steam generator 12 feedwater flow regulating valve will f ail as-is. 6.2 35.'KOINT CCNTRQ. Correct diagnosis of the IT09 power supply failure will contribute to sperator interpretation of the changes in reactor coolant pressure. If there is a

299 Table D11. Initial control response of affected regulating system to failures of instrument bus 1YO9 Regulating System Failure Control Response Resotor Coolaat Bus fails Pressuriser spray valve fails Pressure elooed. Backup heetore deemergised. Feedvetor sus fails 3011 main feedwater regulating valve fails as.is. Feedvetor Pump Bus fails Feedwater pump speed fails as.is.1 Speed 1R eference 3 indicates that pump speed ruas back to idle speed. i !, ) j I _l

t 300 Table D12. Initial control response of affecte, regulating systems to f ailures of instrument bus 1Y10 tegulating System rallure Control Response Pressurizer Bus fails De-energize all pressurizer Level heaters due to apparent lo-lo level. Start backup charging ptmp(s). Letdown control valve fails closed. Feedvater Bus fails 3G12 feedvater regulating valve fails as-is. Pneumatic leakage may allow valve to slowly open or close.

301 reactor trip, the steam generator 11 level will increase due to the constant feedwater flow. This flow will not be terminated by an automatic control function but can be stopped by manually tripping the feedwater pump turbine. The pressuriser heaters will remain unavailable due to the dominance of the lo lo levd protection relay over other control pointa. The steam generator 11 mala feedwater regulating valve will remain open. The feedwater pump speed control will regulate the differential pressure across the steam generator 12 feedwater regulating valve when this valve has a larger differential pressure drop. Feedvater pump speed will run back to minimum roeirculation as designed if there is an auxiliary feedwater actuation. The charsiss pumps can be started or stopped annually. Operator identification of IIt0 power supply failure will contribute to the correct interpretation of the initially increasing pressurizer level combined with decreasing reactor coolant pressure. l l l

302 D7. EFFECTS OF DOUBLE INSTRUMNT BUS FAILURES CN REULATLT, SYSTEMS RESPCNSE The effects of selected double bus f ailures were evaluated with respect to regulating system response. The double failures considered were selected on the basis of introducing a total loss of power to regulating systes electronic modules, introducing regulating systes control failures that affect primary system water inventory and heat removal capacity, and the availability of maintenance ties as a potential common cause. 1 7.1 EFFECf3 CF TITAL INSTRUMENT BU*J.31Y01 AND 1702 FAILURES ON RB2tT.ATIMI SYSTEMS RESPONSE ra11ure of vital instrument buses ITC1 and IT02 will result in a loss of power to the electronic modules in the reactor regulating systems, the reactor coolant pressure regulating system, and the pressurizer level regulating system. These f ailures will affect control response for reactor coolant pressure and pressurizer level control. 7.1.1 Initial control Response i reactor trip will be initiated due to the loss of power to two protection enannels. The pressurizer relief valves will automatically open due to the trip. The atmospheric steam dump and turbine bypass valves vul not quick open due to the loss of both reactor regulating systems. The turbine bypass valves will open under the control of the steam generator outlet pressure controller. This delayed opening may lead to operation of the steam line code safety v alv e s. If the 1701 bus f ailure were due to a failure of de bus 11, the turbine typass valves will receive a quick close signal due to loss of de power through the low condenser vacuus switch. The pressurizer beaters will turn off due to apparent to-lo prossuriser level and the backup charging pumps will start due to apparent icw pressurizer level associated with loss of power to the pressurizer level regulating systen

303 modules. The letdown throttle valve and the pressuriser spray valve will close due to loss of signal from regulating systes modules. The not effect will be a reactor trip followed by reduced heat removal capability through the atmospherio steam dump and turbian bypass valves. 7.1.2 subsequent control The proportional and backup pressuriser heateep will remain unavailable due to the lo-lo level interlock in the pressuriser level regulating system. The pressurizer relier valves, the pressuriser spray valve, and the letdown throttle valve can be controlled manually. The atmospheric steam dump valves can be controlled annually and the turbine bypass valves will regulate on steam pressure or can be controlled manually unless the 1701 failure was associated with a de bus 11 failure, resulting in a quick close signal to the turbine bypass valves. With pecaptly instituted remedial action by the operator to manually close the PRYs or their isolation valves, the impact of the small LOCA is negligible. Recovery of either vital bus also results in automatic closure of the PR7s. Without remedial actions, a coupled small LOCA and f ailure to automatically start HPSI will occur (Reference 3). However, the automatic start of the backup charging pumps will moderate the effect of the HPSI initiation f ailure. 7.2 EFFECTS OF INSTRUMENT BUSE31701 AND 1709 FAILURES ON REGULATD0 ST3TIMS

RESPONSE

yailure of buses 1701 and IT09 will result in a loss of power to the steam generator 11 regulating system. The reactor coolant pressure regulating systes and the feedwater pump speed control system will also be affected if selected from bus 1701 at the time of f ailure. ) l

304 7.2.1 Initisi Control Besponse The pressuriser spray valve will close and the pressurizer heaters will turn on due to the loss of bus IT09 to reactor coolant pressure regulating system components. Steam generator 11 will receive a constant feedwater supply due to loss of power to the main feedwater regulating valve positioner and loss of sain feedwater pump speed control. Normal level indication for steam generator 11 will fail low due to loss of power to the regulating system. The backup charging pumps will start and the letdown throttle valve will close if the pressurizer level regulating system is selected from bus 1T01 at the time of failure. 7 2.2 Subsequent Control Operable reactor, reactor coolant pressure, and pressurizer level regulating systems can be selected from bus 1YO2 if originally selected from bus 1Y01. The pressurizer spray valve will remain closed due co loss of 1I09 power to the control station. Steam generator 11 feedwater ficw will remain constant unless the feedvater pump is manually tripped or the MFI7 is closed on indicated high steam generator level. 73 EFFICf3 CF INSTRUMENT BUSE31702 AND 1I10 FALURES CN RBICLATING ST3TEMS RESPCNSE Failure of buses 1702 and 1Y10 vill result in a loss of power to the steam generater 12 regulating system. The reactor coolant pressure and pressurizer level regulating systems will be affected by loss of 1710 power to regulating system components. The reactor regulating system will be affected if the operating system is selected from bus 1Y02 at the time of failure. 7 3.1 Initial control Response The pressurizer heaters will turn off and the backup charging pumps will start due to loss of bus 1I10 to pressurizer level regulating system components.

l The feedwater regulating system for steam generator 12 will fail and the main feedwater regulating valve for this generator will freese as-is. The I pressuriser spray valve will close if the reactor coolant pressure regulating system is selected to bus 1T02 at the time of failure. 732 mibeequent control l The reaetor, reactor coolant pressure, and pressuriser level regulating 1 systems can be switched to bus 1T01 if selected from bus 1702 at the time of failure. The proportional and backup pressuriser heaters will remain off and the letdown throttle valve vill remain closed due to the loss of bus 1T10. Normal feedvater flow and steam generator level indication will remain failed for steam generator 12 combined with the associated main feedvater regulating valve remaining fixed in p:,sition. The main feedwater pump speed control will remain operational and run back to minimum recirculation following auxiliary feedvater actuation. 7.4 EFyECTS CF INSTRUMENT BUSE31TC9 AND 1710 FAILURES CN RIGULATING SYSTEMS RESPCNSE Failure of buses 1!09 and 1Y10 vill affect the reactor coolant pressure regulating systes, the pressurizer level regulating system, the main feedwater regulating valve position control, and feedvater pump speed control. 7.4.1 Initial Response The pressuriser proportional and backup heaters will fail off due to loss of power to the 10-10 level interlock relays. The pressurizer spray valve will close and the letdown throttle valve will close due to loss of power to control ocuponents. The backup charging pumps will start due to loss of power to control relays. The main feedwater regulating valves will fail as-is and the main feedwater pump speed control will fail as-is. The not effect will be a transient of increasing pressurizer level combined with a loss of main feedwater control. l l

300 7.4.2 Subsequent Control Mone of the failed control function can be recovered without restoring the asacciated instrument power bus, Main feedwater flow can be terminated by maanally tripping the feedvater pump at the pump location, 1 1

307 D8. EFFECT3 0F 125-Y do BUSE3 11 AND 21 FAILURES ON REGULATIEG SYSTEMS RESPONSE DC buses 11 and 21 affect reactor coolant pressure control, pressurizer relief l valve control, charging pump control, and main turbine IRC through loss of de power to circuit breakers and relays used to energize and de-energize the controlled equipment. Atmospheric steam dump and turbine bypass valve control will be affected through loss of the quick open function and a quick close demand for the turbine bypass valves. These effects are summarized in Table D13. 8.1 IMITIAL CONTROL RESPON3E Charging pump 11 or 12 will fail as-is depending on which bus fails due to loss of power to operate the 480-7 actor control circuit breaker. The pressuriser relief valves will fail closed or remain closed due to loss of power to the control relay. The turbine bypass valves will receive a quick close signal due to loss of power to the quick close solenoid valves and the quick open function will be lost for both the turbine bypass and atmospheric steam dump valves. For loss of power to de bus 11, the main turbine will trip because of loss of power to the turbine protection system. Reactor coolant pressure relief will be provided through the pressurizer ecde safety valves and steam pressure control will be provided through the steam code safety valves. 8.2 SUBSEQUENT CONTRCL Charging pump start /stop control can be obtained by selecting the two charging pumps not affected by the failed do bus. The pressurizer relief valve can be operated manually. Steam pressure control will remain a code safety valve function. Manual control of the atmospheric steam dump valves is possible. 8.3 EFTECTS CF MULTIPLE DC BUS FAILUhES The de bus system was reviewed for potential common cause failure. No significant cause for multiple failure was identified. If multiple failure

300 Table D13 Initial control response of affected regulating systems to failures of 125-V de buses 11 and 21 Esgulating % sten Failure Control Eesponse 1 Beactor Coolant Bus 11 or 21 fails Proportional heater bus breaker Pressure (1/2 proportional heaters per bus) aust be closed annually if it trips. Pressuriser Bus 11 fails Loss of edief valve control indi-Relief Yalve nation and automatio open Control function. Talve fails closed or remains closed. Talves any be controlled manually. Pressuriser Level Charging Pump 11 Bus 11 fails Affected charging pap actor con-i Charging Pump 12 Bus 21 fails trol breaker f ails as-is with charging Pump 13 Bus 11 or 21 fails manual control at the breaker. Loss of control indication. Turbine Bypass Bus 11 fails Turbine bypass valves quick close. and Atmospheric Atmosphere steam dump valves will Steam Dump not quick open. Valve position indication lost. Turbine Generator Bus 11 f ails A turbine trip will occur which a Control will cause a reactor trip. A vital bus to each unit will also fa11. did occur, the effects on regulating system response would be similar to those reported for multiple failures of the vital instrument buses. Additional i effects could result from other safety equipment powered from de buses. l

309

09. EFFECTS CF MOTOR CCNT13. CENTER (MCC) 109FB,110PH, 111PB AND 112PR CN REGULATING SY3TEMS RESPCNSE Each of these actor control centers provides ao power to one fourth of the pressurizer backup heaters. These effects are suasarized in Table D14.

91 INITIAL CCNTR3. RESPONSE The pressurizer backup heater capacity will be reduced by one fourth for each actor control center failure. This will affect the backup heater heating rate, but should not introduce a substantial change in system control. 9.2 SUB3EQUENT CCNTROL Pressurizier heater control functions will remain operational at a reduced heat rate. Table D14 Initial control response of affected regulatine systems to f ailures of motor control centers (MCCs) 109PH, 110PH,111PH, and 112PH Regulating System Fellure Centrcl 3 spenas Reactor Coolant single MCC fails Backup besters powered by failed Pressure MCC fail 255 of capacity lost for each MCC Failure.

310 D10. EFFECTS OF MOTOR CONTROL CINTER (MCC) 104R AND 114R ON REGULATING ST3TEMS RESPONSE These actor control centers combine the loss of power to one pressurizer relief valve solenoid and the associated relief isolation valve with the failures of non-vital instrument bus 1709 or 1710. These effects are suasarized in Tables D15 and D16. 10.1 INITIAL CONTROL RESPONSE The failure of MCC 104R will combine the loss of power to one pressuriser relief valve, which normally fails closed, and loss of power to the isolation valve for the second pressurizer relief valve with the regulating system response for the loss of non-vital instrument bus 1710 as discussed in Section

6. The other pressurizer relief valve will remain operational.

The failure of MCC 114R will combine the loss of power to one pressurizer relief valve which normally fails closed and loss of power to the isolation valve for the second pressurizer relief valve with the regulating system response for the loss of non-vital instrument bus 1709 as discussed in Section

6. The other pressurizer relief valve will remain operational.

10.2 SUB3E UENT CONTRCL Subsequent control will be the same as that described for the failures of instrument bus 1Y10 and/or 1I09 as discussed in Sections 6 and 7. If pressurizer relief valve oper ation is demanded and the operable valve sticks in the open position, it cannot be isolated until the associated MCC power is restored. l l

i 311 Table D15. Initial control response of affected regulating s- ems to failures of motor control center (MCC) 104R Regulating % sten Failure Control Aesponse Reactor Coolant MCC 104R One pressurizer r4ist valve f ails Pressure closed or remains closed. The isolation valve for the second pressurizar relief valve fails ase-is. Pressurizer Level 1T10 Backup charging ptmp(s) turned on. De-ooergize all pressurizer i heaters due to apparent lo-lo level. Letdown control valve fails closed. Feedwater 1Y10 3012 feedwater regulating valve fails as-is. Pneumatic leaks in the valve any cause it to close or open gradually. Table D16. Initial control response of affected regulating systems to failures of motor control center (MCC) 114R Regulating % sten Failure Control Response Reactor Coolant MCC 114R One pressurisar relist valve fails Pressure closed or remains closed the iso-lation valve for the second pressurizer relief valve fails as-is. Pressurizer 1T09 Pressuriser spray valve f ails Level closed. Backup heaters de-energized. Feedwater IIO9 3311 feedvater regulating valve fails as-is. Feedwater Ptap 1Y09 Feedwater pump speed f ails as-is.I Speed 1Reference 3 indicates that pump speed runs back to idle speed.

312 Dil. EFFECTS OF 480-7 UNIT BUSES 111 AND 115 (4-kT UNIT BUS 11) FAILURES CN REGULATING SISTEMS RESPONSE Failure of 480-7 unit bus IT A will de-energize one half of the pressuriser proportional heaters. Failure of 480-7 unit bus 118 will fail reactor MCC 1142 and instrument bus IIO9 as discussed in Section 10. Failure of 480-7 unit bus 115 will fail one charging pump. Failure of 4-kT unit bus 11 will fail both 480-7 unit buses 11 A and 115. These effects are summarized in Table D17 11.1 INITIAL CONTROL RESPONSE Failure of the 480-7 unit bus 111 will reduce the proportional heater capacity by one half and fail charging pump 13 if running from this bus. This should not substantially affect reactor coolant pressure or pressurizer level control response. Failure of 480-7 unit bus 11B will have the same effect as the failure of actor control center 114R as described in Section 10, involving pressurizer spray valve closure, loss of all pressurizer heaters, failure of steam generator 11 feedwater regulating valve as-is, and failure of the main feed-water pump speed as-is. Failure of 480-7 unit bus 11B will fail charging ;usp 11 it rura:ing. Failure of 4-k? unit bus 11 will have the same effect as the failure of the 480-7 bus 11B due to the loss of all heaters through instrument bus IIO9 and the loss of one of three available charging pumps. 11.2 SUB3EQUENT CCNTROL I subsequent regulating system operation should not be substantially affected by failure of 480-7 unit bus 11L Charging pump 13 can be fed by 480-7 unit bus 14 A via manual switch. l 1

313 Table D17. Initial control response of affected regulating systems to f ailures of 480-V buses 11 A and 11B (4-kV unit bus 11) - 1 Regulating Systes Failure Control Response Reactor Coolant 480-Y Unit Bus 111 501 of the proportional heaters Pressure fail. Pressurizer Level 480-7 Unit Bus 111 Charging pump 13 fails if running but can be manually switched to alternate 480-7 unit bus 141. Reactor Coolant 480-7 Unit Bus 11B Cne pressuriser relief valve fails Pressure (HCC 114R/1T09) closed or remains closed. The isolation valve for the second pressuriser relief valve fails as-is. Pressurizer Level 480-7 Unit Bus 11B Pressuriser spray valve fails (NCC 114R/1T09) closed. Backup heaters de-energiz ed. Charging pump fails if running. Feedvater 480-7 Unit Bus 11B SG11 feedvater regulating valve (HCC 114R/1Y09) fails as-is. Feedvater Pump 480-7 Unit Bus 11B Feedvater pump speed fails as-is.1 Speed (HCC 114R/1Y09) All of above 4-kT Unit Bus 11 Combined response above. 1 Reference 3 indicates that pump speed runs back to idle speed. Subsequent regulating systes controls following failure of 480-7 unit bus 115 or 4-kT unit bus 11 will be the same as described for the failure of reactor MCC 1142 in Section 10. This vill involve loss of pressurizer heaters, pressuriser spray, and the requirement to manually trip the main feedvater turbine to reduce steam generator 11 main feedvater flow.

314 D12. EFFECTS OF 480-7 UNIT BUSE312A AND 125 (4-kV UNIT BUS 12) FAILURES ON REGULATING SYSTEMS RESPCNSE Failure of 480-7 unit bus 12A or 125 will each de-energize one quarter of the pressurizier backup heaters. Failure of 4-kT unit bus 12 will de-energize one half of the pressurizer backup heatera. These effects are summarized in Table D18. 12.1 INITIAL CONTEG. RESPONSE Failure of 480-7 unit bus 12 A vill de-energize one quarter of the backup heaters due to loss of power to MCC 1097& F illure of 480-7 unit bus 123 will de-energize another one fourth of the backup heaters due to loss of power to MCC 110PH. Failure of 4-kT unit bus 12 will de-energize one half of the pressurizer backup heaters due to the loss of power to both MCC 109PH and 110PH. 12.2 SUBSEQUENT CONTBCL The heat rate of the backup heaters will te reduced by one quarter or one half as noted above. The proportional heaters will remain operational. This is not expected to substantially affect the reactor coolant pressure regulating functions. Table D18. Initial control response of affected regulating systems to failures of 480-V unit buses 12A and 128 (4-kV unit bus 12) Failure Control Response Regulating Systen l ! Reactor Coolant 480-7 Unit Bus Same as failing MCC 109PR or 12A or 123 110PR. (1/4 of backup heaters l Pressure I each). 4-kT Unit Bus 12 Fails 1/2 of backup heaters. Reactor Coolant Pressure

315 013. EFFECT3 CF 480-7 UNIT BUSE3131 AND 138 (4-kT UNIT BUS 13) FAILUBES CN REGULATING SYSTEMS RESPONSE Failure of 480-T unit bus 131 or 13B will each de-energize one quarter of the pressurizier backup heaters. Failure of 4-kT unit bus 13 will combine these failures with the loss of one half of the pressurizer backup heaters. These effects are summarized in Table D19. 13.1 INITIAL CCNTEG. RESPCNSE Failure of 480-7 unit bus 13A vill de-energize one quarter of the backup heaters due to loss of power to MCC 111PH. Fai.ture of 480-Y unit bus 13B will de-energize another one fourth of the backup heaters due to loss of power to MCC 112PE. Failure of 4-kT unit bus 13 will de-energize one half of the pressurizer backup heaters due to the loss of power to both MCC 111PH and j 112Pil. I 13 2 SUB3EQUENT CCNTRCL The heat rate of the backup heaters will be reduced by one quarter or one half as noted above. The proportional heaters will remain operational. Table D19. Initial control response of affected regulating systems to f ailures of 480-V unit buses 13A and 13B (4-kV unit bus 13) Regulating systen Failure Control Response Beactor Coolant 480-Y Unit Bus Sese as failing MCC 111PR or Pressure 13A or 133 MCC 112PH. Reactor Coolant 4-kT Unit Bus 13 1/2 backup heaters. Pressure

316 D14. gFTECT3 CF %20-Y UNIT SUSES 14A AND 145 (4-kT UNIT SUS 14) FAILUBES CN EECULATING SYSTEMS AgSFCN3g Failure of 480-Y unit tus 14 A will de-energize one pressurizer relief valve, start the selected charging pump (s), turn off the pressuriser heaters, close the letdown control valve, and fail one main feedwater regulating valve as-is. Failure of 480-7 unit bus 143 will fail one charging pump. Failure of 4-kT unit bus 14 will fail both 480-T unit buses 14 A and 148. These effects are summarized in Table D20. 14.1 IIITIAL CCNTIG. RESPONSE I 1 Ta11ure of the 480-Y unit bus 14 A vill have the same effects as the failure of actor control center 104E and instrument bus 1710 as described in Section 10. These failures will de-energize one pressurizer relief valve, de-energize the pressurizer heaters, fail charging pump 13 if running, close the letdown control valve, and freeze the steam generator 12 main feedwater regulating valve as-is. Failure of 480-7 unit bus 14B will fail charging pump 12. Failure of 4-kT unit bus 14 will have the same effects as the failure of 480-7 unit bus 14A combined with the loss of one of three available charging pumps. 14.2 SCBSECUENT CCNTICL Subsequent control following the failure of 480-7 unit bus 14 A or 4-k7 unit bus 14 will be the same as the failure of MCC 104R as described in Section 10. l Charging pump 13 can be manually switched to 480-7 unit bus 11 A if required. ! Subsequent control following the failure of 480-7 unit bus 14B will not be affected due the ability to select two operating charging pumps.

317 i Table D20. Initial control response of affected regulating systems to f ailures of 480-V unit buses 14A and 14B (4-kV unit bus 14) Begulating % sten Failure Control Response Beactor Coolant 480-Y Unit Bus 14 A 505 of the proportional heaters Pressure (NCC 104E/1Y10) fail. One pressuriser relief valve f ails closed or remains closed. The isolation valve for the second pressuriser relief valve fails as-is. Pressurizer 480-Y Unit Bus 14A Charging ptmps turned on. De-Level (Mcc 104R/1Y10) energize all pressurizer heaters due to apparent lo-lo level. Lo t-down control valve fails closed. Feedwater 480-7 Unit Bus 14 A 3G12 feedwater regulating valve (MCC 104R/1It0) fails as-is. Pressurizer Level 480-7 Ocit Bus 14B Charging pump 12 tails off. All of above 4-k7 Unit Bus 14 Combined response above. I

318 APPENDIX D REFERENCES i

1. "Calvert Cliffs Final Safety Analysis Report," Baltimore Gas and Electric Co., July 1982.

2. Miscellaneous Calvert Cliffs Unit 1 Drawings received from Baltimore Gas and Electric Company.

3 " Pressurized Thermal Shock Evaluation of the Calvert Cliffs Unit 1 Nuclear Power Plant," Oak Ridge National Laboratory PTS Study Group, October 9, 1984, NUREG/CR-4022 (Draft). 4 Calvert Cliffs Unit 1, OI-27D, Rev. 10, January 25, 1984.

5. Calvert Cliffs Unit 1, A0P-16, Rev. 5, February 1983 i

i

                                  . . . ~       _ . ..         . .-.- .. __ .                          --                   .- ..- -. _ _-   - - _ _____ .                          _ _ _ _ _ _ _

a i 1 1 APPENDIX E Reply to BG&E Comments on the May 31, 1985 Draft Final Report NOTE: The authors appreciate BG&E's thorough and helpful review of the draft report. It should be noted that BG&E was not allowed (by NRC ruling) to comment on the final version, so it should not be assumed j that the final form of the report includes their last word on all issues. Further, we chose not to make any changes at all in response to many of BG&E's comments, so an additional caveat must be made that this report does not necessarily represent the utility's positions or opinions. In general, only those licensee comments that resulted in, or coincided with, a change to the draft report are commented on in this appendix, j The reader should also note that BG&E references to specific page numbers in the report refer to pages in the May 31, 1985, draft version, j and generally do not correspond to those in the final version. 1'

                             .The BG&E letter and our responses follow, j

I i j t t I i i l t l [ 319

   - _ _ , _ _ _ , , . . _ .           _%,--_-.          .,_yy                e_,m._ _ _ , _ _ , _ _       .,_._,,.-__-,_m_                ,               ,.mmy_,___.._,mm.. __ ,.

l l 320

                                            /  SALTIMOME oas ANO
                                                                                                \

l I ELECTRIC CHARLES CENTER e P.O. BOX 1473 BALTIMORE MARYLAND 21203 caev. e c-o.=en.... August 26,1955 osPa.7=tu Mr. A. P. Malinauskas, Director NRC Programs Oak Ridge National Laboratory P. O. Box X Oak Ridge, TN 37331

Dear Mr. Malinauskas:

l

Subject:

Technical Review Comments of Draft NUREG/CR 4265, "An Assessment of the Safety Implications of Control at the Calvert Cliffs Nuclear Power Plant" The Baltimore Gas and Electric Company staff has technically reviewed draft NUREG/CR 4265. Our comments are contained in Attachment 1. Some of these comments were discussed verba!!y in a telephone conversation with Messrs. Ball and Stone of ORNL on August 2, 1985. I hope that these comments are helpful and can be used to improve the technical accuracy and completeness of this report. Te would like the opportunity to review the next draft of the report and provide comments, as appropriate, prior to publication. If you have any questions, please do not hesitate to contact me at (301) 234-6116. Very t uly yours, , { l / .

5. M. Mirsky A-47 Project Coordinator SMM/vd Attachment l cc: Messrs. S. 3. Ball (ORNL) i R. S. Stone (ORNL)

D. L. Basdekas, RES/NRC l l

321 l

GENERAL COMMENT

5 l Several major comments and findings are repeatedly discussed throughout this report. The following comments are provided regarding these items.

1. Calvert Cliffs is depicted as a nuclear power plant with " major parameters . . .

' almost entirely under manual (operator) control." This statement is wrong. Pressurizer pressure and level and steam generator level, which constitute important major parameters, are automatica!!y controlled at Calvert Cliffs. The comparison of Calvert Cliffs to Oconee, which is characterized as using a " completely integrated and extensive control system," is misleading and reflects a basic lack of i knowledge about differences between the Babcock and Wilcox (B&W) and Combustion Engineering (CE) NSSS designs. The large U-tube steam generator and the corresponding secondary side inventory in CE plants result in an inherently long response time to secondary side malfunctions when compared to the once-through steam generator B&W design. This major design difference dictates the need for a

             " completely integrated and extensive control system" in S&W plants and obviates such a system for CE plants. This design difference is not discussed in the Calvert Cn!!s report. Finally, specific mention of differences in the shutoff head for HPS!

pumps at Calvert Cliffs and Oconee U273 psia for Calvert Cliffs vs 2800 psia for Oconee) is an irrelevant comparison of one design difference. The author incorrectly impues that the Oconee pump is a safer feature by the inclusion of this single comparison. One example of the incorrectness of the generalization is that the lower shutoff head HPSI pumo is actually safer for potential pressurized thermal shock transients. d

2. One of the two major findings of this study involves the steam generator overfl!!

scenario. BC&E agrees that there are postulated events in which the steam generator can be overfed. However, the emphasis on the importance of such an event is out of proportion to a realistic appraisal. SG overfeeding during full or significant power levels while steaming to the turbine results in an extremely slow rise in SC level. SG overfeeding at low or hot zero power will fill the SG more rapidly, but BG&E operators have demonstrated their proficiency in mitigating this event well before overfilling occurs in both operating experience and training. This i report consistently downplays or underrates operator action. Feedwater runback from the high steam generator level trip and SG15 initiated by overfeed induced low SG pressure are not accounted for in this report. SGIS causes MS;V closure even in liquid filled piping. Also, the probability of an overfeed at low power should be weighed within the framework of the small fraction of time in which Calvert Cliffs is at such power levels and the plant feedwater system configurations at such power levels. Finally, the questionable technica1 conclusions regarding the consequences of SG overfill (i.e., steam line rupture and SCTR) must be discussed in terms of the current understanding of this complex phenomenon. These are not probable consequences of a steam generator overfill. The report gives no credit for MSIV closure or steam line pipe seismic supports in this event. Steam line mechanical restraints and supports are designed to sustain concurrent!v-acting thermal, seismic and seismic anchor movement loads on the piping system. The suoports are designed to carry dead weight and insulation loads and the weight of the contents in the piping system. Supports permit free movement in longitudinal and lateral direct;on caused by thermal expansion or contraction and earthquakes. Restraints and supports at the isolation valves and stop valves are designed to carry, in addit?m to the above mentioned loads, the dynamic loads due to sudden closure of stop alves. i

322

3. The second major finding of this study was the apparent lack of a procedure for operator action in the case of a small break l yOCA greater than charging pump capability (132 gpm) but less than the (0.1 f t ) smMiest LOCA analyzed in the FSAR. Based on Emergency Procedure Guidelines funded by the CE Owners Group and documented in CEN-132, BC&E has develooed new Emergency Operating Procedures (EOPs) including EOP-300 (enciosed) for LOCAs. Although these new EOPs will not be officially effective until December 31, 1983, we are currently training operators on these EOPs CE p analyzed small break LOCAs as small as 0.0003 ft' (the PORY area is 0.00734 f t in CEN-!!4-P. These analyses showed that the primary coolant system deprssurizes below the HPSI pump shutoff head and that ,

10 CFR 30 Appendix K PCT limits are not reached fot these LOCAs. l l Two of the failures identified in this study as small break LOCA initiators are invalid. First, operating pressurizer heaters without water above them is an extremely low probability event requiring multiple independent failures. Furthermore, CE analyses have shown that steam covered operating heaters would not breach the pressurizer pressure boundary. The second failure discussed as a small break LOCA initiator was a loss of RCP seal integrity. A loss of comoonent cooling water to the RCP seal assembly will not result in a small break LOCA. The Byron-Jackson pump seal assemblies used at Calvert Cliffs have been demonstrated under a CE rest program to be capable of operation in the absence of cooling water flow for extended oeriods of time (at least 30 minutes) without exceeding seal leakage limits. Seal cooling is not required for an idle pump. As a precautionary measure to protect the non-metallic seal components from overheating (which could result in the need to replace the seal assembly), the vendor recommends that pump operation be ceased within 10 minutes of the loss of component cooc3 water. The RCP seals are well instrumented, and alarms are provided in the control room to alert the operators of a loss of component cooling water or increased seal face temperature. Operator guidance for responding to a loss of RCP seal cooling is provtoed in Aonormas Operating Procedure 7C, " Loss of Component Cooling." The importance of contro!!ed restoration of CCW during event recovery is stressed. In addition, our new emergency operating procedures developed pursuant to NUREG-0737, item 1.C.1 contain ooerating limits consistent with pump operating guidelines provided by Combustion Engineering and Byron Jackson. These new procedures are: EOP-200 Loss of Off-Site Power EOP-300 Total Loss of All Feedwater EOP-400 Excess Steam Demand EOP-300 Loss of Coolant Accident EOP-7005tation Slackout EOP-800 Functional Recovery Guideline The subject guidance is currently included in the operator requalification training program at Calvert Cliffs. The NRC was informed of the above during a meeting with BG&E, Arkansas Power and Light and Combustion Engineering on March 13, 1985 to discuss RCP seal integrity following a loss of offsite power (NUREG-0737, item II.K.3.25). As a result of that meeting, BG&E conducted operator interviews and confirmed the effectiveness of the training program with regards to RCP operation in the absence of component cooling water.

323 Based on experience gained from several operational occurrences at CE plants (i.e., San Onofre, St.1.ucie) and the results of the CE test program, the maximum expected (RCS) leakage due to a loss of CCW would be well under 10 gpm per pump, even if the pumps were left running for significant periods of time (e.g.,30 minutes).

n summary, the potential consequences of a loss of RCP seal cooling are that the technical specification limits for RCS leakage (10 gpm) may be exceeded if the pumps are not stopoed within ttn minutes in accordance with operator guidelines.

However, adequate procedures and training exist at Calvert Cliffs to preclude this event. In any case, the maximum expected RCS leakage from all four pumps combined would be less than the makeup capacity of one charging pump (f6a gpm). l ' This small amount of leakage is not classified as a 1.OCA unless no charging pumps are available. 4 Throughout this report, nebulous words are used without quantification and substantiation by analysis. Many descriptions and statements are subjective or are irrelevant to Calvert Cliffs. Negative connotations are utilized indiscriminately and, in some cases, without basis. Some underlined examples: Page 1-2 "Excessivelv frecuent challenges. . ." Page 1-3 " Time avaliable . . 13 short" Page 1-5 " Time available . . . relatively small . . ." Page 1-8 " Bothersome challenges to the plant protection system" Fage 2-6 " Safety tnreatening scenarios . . ." Page 3-11 * . . . natural allotment of operator errors . . ." Page 3 37 " Human error will be forever around . . ." Page 9-2 "The answer . . . ts tentativeiv affirmative." Page 9-3 " . . . sof t area of plant design" Page 9-4 "The conditions found in Calvert Cliffs-1 are not i frightful . . ."

5. There is a general reluctance to credit operator actions throughout the report. In those cases where operator actions were credited, unreasonable failure probabilities were assumed and applied. The tyoical value for recovery failure was 0.1/ event, regardless of how much time was available or the existence of specific procedure guidance.

324 ATTACHMENT I SPECIFIC COMMENTS

1. Page 1-1. The word "old" is improper - the prooer term would be a plant of "early vintage" or "1970's vintage" or " representative of an earlier generation of nuclear power plants."

l 2. Page 1-2. The term " .sianificantly impede, delay ..a plant protection system I action" needs to be further defined and quantsfied. This is certainly not adequate to describe the threshold for further investigation of FMEA sequences, without further guidance. Conservative interpretation could lead to all sequences being r identified, and liberal interpretation could eliminate all sequences.

3. Page 1-2. The term '. cause excessively frecuent challenges to the safety system ." is subjective and should be replaced by a simple quantification of the observed condition. Challenges to safety systems are possible because of the

' nature of nuclear power plant design, i.e., to fail safe under all conditions, and not to have any safety system fail to perform its design function when needed. Most safety systems can withstand frequent cha!!enges without adverse effects. No threshold is identified to clarify the meaning of " excessively frequent". 4 Page 1-3. The term " operator misaction" reeds to be further defined. Does this 'i imply the performance of a task that occurs at the worst possible time and is contrary to procedures, or does it imply failure to perform an action directed by procedures? The threshold for these types of "misactions" and the consequences of the "misaction" are vastly different. 1 5. Page 1-3. The terms " the time available to accomplish the task is go_r_t,. " needs to be quantified. In some cases, the report refers to actions on the order of minutes, where in other cases up to two hours (e.g., pressurizer overfill due to failure of the pressurizer level control system) as being a "short time".

6. Page 1-3. The emergency operating procedures (EOPs) now address the leak size between 132 gpm and .1 square foot in greater detail. The Emergency Procedure Guidelines (CEN-152) developed by Combmtion Enginming, Inc., for the CE j Owners Group addressed this area as well as others referenced in draft NUREG/

CR-4263. The CCNPP EOPs are being revised in accordance with CEN !J2 (many 3 are already revised).

7. Page 1-6. See comment above regarding procedures for very small break LOCA.

The report notes that in the case of very small SBLOCA the operator does not have we!! defined procedural steps for guidance. However,it fails to note that for the very small SBLOCA the operator has significant time in which to take action and to obtain assistance from other on-shif t licensed operators. RCP operation j procedures and training direct the operator to stop RCPs within 10 minutes of loss

of cooling water.

Also, page 6, item 1, the actual logic for steam generator high level signal is not a single OR gate, but rather multiple contacts on multiple relays. This logic also , applies to the low steam generator level trip logic. I l

325

8. Page t-8. There is no basis for concluding that challenges to the auxiliary feedwater system are a precursors to potential dryout or overheating sequences.

In actuality, automatically starting auxiliary feedwater enhances the plant's ability to remove decay heat, and reduces the potential for dryout or overheating sequences. There is no basis for the conclusion that ' events related to maintenance and testing resultec in the most frequent and bothersome challenges to the plant protection systems .". There has been no evidence of a review by the report writers of maintenance and testing procedures or human engineering (man-machine interface) practices at Calvert Cliffs to substantiate the judgement that , improvements are warranted. The discussion of " commode failure," while clever, is in poor taste. (This is also on page 8-7) i The loss of service water system was due to an air compressor after cooler leak, not instrument air dryer leak.

9. Page 2-4. See items 2 and 3 above.

10. Page 2-5. See item 3.

11. Page 2-7 The term " safety-threatening scenarios" is improper when referring to S/G overfill, RCS overcooling or undercooling. These events are not " safety-threatening", since there are safety systems and operator procedures designed to  !

mitigate the events before any bona fide threat to public safety occurs. j

12. Page 2-7. " Chapter 15 Analysis" should be " Chapter 14 Analysis".

13. Page 2-9. " Corrective Actions" is an improper title for this section of the report. An investigation of this narrow scope is inadequate to identify the need for " Corrective Actions", since further review of system design criteria is necessary before we would implement any facility changes. The proper title might be " engineering insights" instead of "correcthe actions".

14 0 Page 3-1. 0 935 gsig and $50 F are incorrect. The steam side is typically operated at 525 F to $32 F steam temperature (332*F to 548 F cold leg temperature in the RCS) and 850 psia to 900 psia steam pressure.

  )  15. Page 3-18 Sectisn 3.2.2.       The term " natural allotment of operator errors" is patronizing and subjective and gives no credit for operator training and professionalism.

16. Page 3-20. The tables listing so-called " relevant" operating experiences contain a number of irrelevant items. The arbitrary cutset of " forced outages in excess of three hours" appears to include many irrelevant items and exclude some relevant items.

17 Page 3-37, Section 3.2.6 contains an unnecessary and meaningless comparision of Calvert Cliffs operating experience to that of other nuclear plants. After observing that no significant events occurred at Calvert Cliffs, the author proceeds to list serious events that occurred at other plants (e.g., Browns Ferry fire). 4 l

326

13. Page 4-10. Item ! under Component Cooling Water System should read "5BLOCA Initiator" versus "St.B Initiator".

Item 2 under Component Cooling Water System should also include loss of cooling to Shutdown Cooling Heat Exchanger.

19. Page 4-9, Item 3 under Main Feedwater and Condensate System should be deleted. Loss of these is an insignificant contributer and AFT should not be included in here.

20. Page 4-10, Item 1. Under component cooling system should read "5BLOCA initiator.* There is little difference between item 3 in the table under Reactor Coolant System and this item.

21. Table 4.2.21, Page 4-15, Chemical Volume Control System (CVCS). It is not clear how a failure to control Reactor Coolant System (RCS) chemistry contributes to RCS undercooling and overcooling.

22. Page 4-16. Item 4 should have "No" under the RCS Overcooling column.

23. Page 4 16. Why does item PO7 list RCS Overcoolics as "Possible" Is this because of potential for Steam Generator Tube Rupture?

24 Items P05 and POS A (Excessive Flow) should list RCS Overcooling as "Possible".

25. Page 4-19. Item 704B should include ECCS room coolers as a lost component.

Steam Generator Overfillis not a result of this transient.

26. Page 4-24 Component Cooling Water also supplies Shutdown Cooling Heat Exchangers.

27. Page 4 25, paragraph three. The report states that charging flow is continuous!v supplied using a single charging pump. This is not accurate. It should state

     "..with at least a single charging oump .".

23. Page 4-26. The inlet control valve for the CVC system automatically shuts on a high temperature condition on the outlet of the Regenerative Heat Exchanger.

29. Page 4-29. "... Main feedwater control valves. " should be ". Main feedwater regulating valves .".

30. Page 4 29. Feedwater Regulating System, second paragraoh, indicates failure of the feedwater regulating system to provide sufficient feedwater can contribute to RCS undercooling. For this to be, the auxiliary feed system must also fail. This should be stated.

?l. Page 4-30. Steam Dump and Turbine Bypass Control System, last paragraph. states that failure of the control systems to control the valves once open could result in a steam generator blowdown and subsequent RCS overcooling event. This paragraph should also note that steam generator isolation would occur on low steam generator pressure which would reduce the blowdown rate when the MSIVs shut to only about 3% power, a level comparable to the post-trip decay heat level. MSIV closure would occur before cooldown proceeded below about 5000 F. E-8

327

32. Page 4 30. Turbine Generator Control system, second paragraph, indicates that failure of the turbine generator control system to pass sufficient steam to the turbine results in less than optimum turbine speed and an eventual trio on low speed. This is incorrect so long as the is paralleled to the grid. If anything, the turbine-generator would trip on reverse power.

33. Page 4 31. Pressure Regulating System, the first full paragraph, indicates that failure of the heaters in the "on" state would cause a high pressure of approximately 2000 psi resulting in a reactor trip. This is incorrect unless one assumes that the pressurizer spray control also fails. Past experience shows that spray flow with four reactor coolant pumps running reduces RCS pressure even with all pressurizer heaters energized.

Also, on this page, valve damage due to liquid discharge through the PORVs and/or SRVs is discussed. The EPRI safety and relief valve test program showed that these valves can pass liquid flow without any valve dama6e* 34 Page 4-32. Turbine Generator and Condenser System, the second main paragraoh, Indicates failure of the main turbine to trip following reactor trip would result in RCS o<ercooling. This paragraph fails to recognize that the MSIVs would close on Steam Generator Isolation Signal (Low Steam Generator pressure) and arrest the cooldown before it proceded below 5000F. Page 4.35, Table 4.2.1. The " safety significance" column of this table tends to be alarmist - ther t is quite a bit of imagmation coupling the "significant failure" to

       " safety significance." Examplet It is not clear why the failure of SIAS signal to CVCS leads to inadequate core cooling. Particularly when Table 4.2.2 2, Item 17       l (page 4-52) explains that flow from CVCS is probably not required.

(This type of loose and imaginative coupling between failures and effects is widespread. The precision of the wordin6 associated with each analysis is inadequate.)

35. Page 4-35, Table 4.2.2-1, Item 2, Reactor Coolant Pumps Failed to Trip on Demand. Remedial actions fail to recognize that the reactor coolant pump bus

! feeder breaker can also be opened from the control room. Delay in stopping the reactor coolant pumps would therefore be insignificant.

36. Page 4-36, Table 4.2.2-1, Item 4, (Pressurizer Backup Heaters Fail to Trio or Inadvertently Energize). Remedial actions indicate that manual operation of pressurizer spray is required. This is incorrect. Spray flow automatically increases to control pressure. As before, spray flow can remove more energy than the total capacity of the backuo and proportional pressurizer heaters. Therefore, '

the Effects section is also incorrect. '

37. Page 4-38. The scenario presented for pressurizer damage due to local overheating of the heater penetrations is flawed. !! the pressurizer pressure transmitter (PT-100X) failed low (y)) and perhaps led to che chain of events described, then LT-Il0X) would shut off the heaters on low pressurizer level and terminate the event before any damage could occur to either the heaters or the pressurizer. Therefore, the scenario is not credible.

! PT-100X and LT-ILOX are different instruments, and the low water level cutoff is independent of the condition of the pressure controller; therefore, it will protect l l l

328 the heaters. (See 1-LD-25, Sheet 24.) Also, heater burnout does not result in pressure boundary failure.

38. Page 4-38. Plant design does not include any " seal area recirculating pumps".

39. Page 4-23, last paragraph. Indicates non-isolable LOCAs may also occur following transients involving pressurizer overfill and discharge of saturated water through the PORVs (Power Operated Rellef Valves). This is incredible since the normal volume control tank capacity is less than that required to fill the pressurizer from the ncemal level to a solid condition. Therefore, the operator would have to ignore high pressurizer level and low VCT level alarms, not understand why the Volume Control Tank (VCT) level went low, and manually make-up a significant volume to the volume control tank. This paragraph also states that if a rising level transient occurs and the heaters fail to energize, a pressurizer overf!!! would result. A more likely event is for a reactor trip on low pressurizer pressure and a consequent reduction in pressurizer level. The subsequent sentence indicates that a pressurizer level transmitter failing low will cause both the rising level transient and no demand for the heaters. This is also incorrect since the introduction of colder water into the pressurizer will reduce pressure which will reduce spray and energize pressurizer heaters.

40. Page 4-39, paragraph three. As before, this fails to recognize that reactor I coolant pumps can be tripped individually or by opening the reactor coolant pump feeder breaker.

41. Page 4 a0, Item 4 Under Sienificant Results should say " Degradation of charging flow" vice " Degradation of saf ety injection flow". Safety injection flow is j independent of CVCS operation.

l

42. Page 4 41, Middle of the page. In discussing failures of the CVCS system, the report again fails to recognize that the capacity of the VCT is inadequate to charge the pressurizer solid and the various alarms the operator would receive on high pressurizer level and low VCT level and pressure. A more likely scenario for the case of excess charging is that, assuming the operator ignores all the alarms i and indications, charging pump suction shifts to the refueling water tank on low VCT level, injects significant amounts of borated water which results in a l reduction in the RCS temperature and an eventual trip on low steam generator i pressure, low pressurizer pressure or Thermal Margin / Low Pressure (TM/LP). The trip would result in a reduction in pressurizer level and the operator would then have to ignore the procedural steps addressing restoration of pressurizer level for the pressurizer overfill scenario to take place.

43. Page 4-41. Letdown control valve (CVC-515) closes on high temoerature on the Regenerative Heat Exchanger outlet in addition to SIAS and CVCIS (not CIAS).

The terms "any length of time" are used improperly here. The actual time to drain the pressurizer below the heaters would be greater than one hour. (There is approximately 1"/ minute drain rate.) The conclusion that this could lead to an non-isolable LOCA assumes multiple independent failures which is out of scope for the US! A 47 project. 44 PaSe 4-41, Eight lines from the bottom. Indicates that normal makeup to the VCT is initiated by the second VCT level controller. Apparently the authors have l i

329 assumed that the VCT make-up is normally run in automatic. It is not. During power operations makeup to the VCT is by manual operator action. The subsequent sentences discuss failure of the VCT outlet valve in the closed position. This faiis to recognize that the result would be gradual reduction in pressurizer level due or.ly to system leakage and Reactor Coolant Pump bleed off. *he operator would have to ignore low pressurizer level and high VCT level and pressure alarms. A reactor trip would eventually occur on low pressurizer pressure (TM/LP)

45. Pale 442, Middle of the page. Indicates that pressurizer damage is possible with a low pressurizer level if pressurizer backup heaters remain energized. This is inaccurate and should be clarified to state that pressurizer heater damage is possible.

46. Page 4-42, Bottom of the page. Same comment as before regarding pressurizer overfill.

47 Page 4-42. Numerous other temperature alarms on the CVCS system would be received other than the high letdown flow alarm.

43. Page 443. FSAR curves imply no overcooling will occur on a LOCA through the PORVs. In fact, procedures use this fact to help distinquish between a LOCA and a steam line break (SLB).

49. Page 443. Time to fill the pressurizer is approximately two hours. This should be more than enough time to take manual action.

50. Page 443, last paragraph. Same comment as before regarding VCT capacity being inadequate to overfill the pressurizer.

31. Page 444, middle of the page indicates failure of the VCT outlet valve to close on Safety Injection Actuation Signal (SIAS) will result in dilution of the safety injection concentrated boric acid flow to the RCS. This is incorrect since the boric acid pumps start and the direct boric acid valves go open on SIAS. The head of the boric acid pumps exceeds the normal VCT pressure. Therefore, no dilution of the boric acid would result.

52. Page 444, bottom. The last line indicates that hydrogen supplied to VCT is normally maintained on continuously. Make-up of hydrogen to the VCT is a manual function. Therefore, only a !!mited amount of hydrogen is available, yd the operator would have to ignore the low VCT pressure alarm and other alarms.

Oxygen would have to be present in the waste gas decay system. This paragraph contends that the hydrogen supply can pass directly into the plant vent from the VCT, apparently assuming that the waste gas processing system and the plant vent system have limited capacity relative to the normally maintained hydrogen storage capacity. This may not be totally accurate.

53. Table 4.2.2-2, Items 5 k 7. See comment 22, also "CVSC" in Item 21 should be "CV CS".

54 Table 4.2.2-2, item 13. Genera 1 comment - throughout the report, the 4 gpm lost to RCP controlled bleedoff is ignored. RCS gain in this case is 99 gpm, not 103 gpm.

330

55. Page 4 46, Table 4.2.2-2. This table needs to be updated to reflect many of the previous comments.

56. Page 4-52. Degradation of Safety Injection Capacity, should state that no credit is taken in the Safety Analysis for boration due to charging pumps. Under Item 17, remedial actions states flow from CVCS is probably not required on SIAS, etc. It should say ". is not credited in the safety analyses".

37 Page 4-54. See comment 54.

58. Page 4-54 Bottom and page 4-55 top. States that pressurizer heaters being e.tergized with a low pressurizer level is a potential cause of damage to the pressurizer pressure boundary. This fails to recognize that the pressurizer heaters when uncovered are likely to overheat and burnout and, therefore, no damage would result to the RCS pressure boundary.

59. P28e 4-56. TM/LP reactor trip setpoint and SIAS trip setpoints are now higher than the numbers given. Also, operators now use a trip 2RCP, leave 2RCP running strategy until positive LOCA conditions are identified (per CEOG procedure guidelines).

( 60. Page 4-58, Table 4.2.2-3, Item 5. Pressurizer Level transmitter fails high (LT-110X on LT-110Y). Note: two independent channels provide pressurizer leve! [ signals for two specific functions: a) a high level signal from the controlling ( channel energizes the back-up heaters; b) a low level signal from either channel de-energizes all heaters. This means that the postulated effects which result from this specific failure are invalid - no failure of the pressurizer would occur. Items 6 and 7. Effects are only seen when a low level transient is in progress - this is initiated independently of the failure.

61. Page 4-65, under Significant Results, second paragraph. As before, an overcooling due to turbine bypass valve and atmospheric dump valves being opened would be terminated or drastically slowed by MSIV closure on low steam generator pressure.

62. Page 4-66. Same comment, remedial actions are not provided and should be.

l

63. Under Significant Results. change " small steam line break, would occur ." to

       ". small steam tine break, could occur ".

64 Page 4-67, Steam Generator overfill. For the scenario where the feedwater regulating valve fails open, the analysis fails to recognize that the excess feed will result in a cooldown of the associated steam generator and the RCS. Depending on the time in cycle (and the associated MTC), the resultant temperature reduction may be sufficient to cause a low steam generator pressure trip and isolation of feed on Steam Generator Isolation Signal (SGIS).

65. Item 2, under Steam Generator Overfill indicates under the Effects section that excessive feed caused by the feed regulating valve failing to close following a l

i reactor trip could jeopardize steam line integrity. The previous comments l regarding low steam flow rates (or lack of any steam flow rate) following reactor trip with excess feed apoly here. l

331

66. Item 3, Feed Regulating Bypass Yahe Remains Open Following a Reactor Trip.

67 Page 449, RCS Undercooling. The two scenarios listed (Items 4 and 3) are inconsequential since the steam driven auxillary feed pumps are still operable. Therefore, these items should be deleted from Table 4.2.2-6, since according to the last paragraph on page 4-63 this table only includes major failures leading to steam generator overfill and RCS undercooling. 1.ikewise, on page 4 70 under significant results the report identifies these as two of the five important failure modes.

68. Page 4-70, Significant Results. Based on the previrus discussions, there are no significant results. None of the SG overfill scenarios result in cencurrent high steam flows at the time of high steam generator level.

69. Page 4-72, first paragraoh. The impact of moisture carry over on turbine life or blade erosion is a purely economic concern, not a safety consideration and, as such, is outside the scope of the A-47 project.

Page 4-72, last paragraoh. The raoort indicates that turbine trip on high steam generator level and reactor trip on low steam generator level are dependent on a single or-gate and relay, respectively, and that, if these devices are in an undetected failed state at the time of a steam generator overfeed, turbine trip and/or reactor trip will not occur.

70. Page 4-73, middle of the page. The report states that, if the operator fails to take appropriate action in either case (overfeed or undercooling) protective measures are incorporated into the design to protect the reactor and turbine. It goes on to state, however, that overff!! and undercooling may not be ruled out.

Justification should be provided for this conclesion.

71. Page 4-73. Add ". or cross-connect auxillary feedwater from the opposite unit. "

af ter " . restore the failed buses ".

72. Page 4-79 and 4-80. The discussion of failure of the turbine bypass valves and atmospheric dump valves does not recognize that the Main Steam Safety Valves can be manually gagged open to accomplish a cooldown and depressurization of the RCS.

73. Page 4-82, second paragraph. Again, this fails to recognize that secondary safety valves can be manually opened.

74 Page 4-98, Sensitivity Studies. Since results of the stMies are not available, We assume BC&E will have an opportunity to comment

• Dem at a later date, prior to issue of the final version of the report.

73. Section 4.7. EOP-14 is now AOP-70.

76. Page 4-101. Item 4 in Section 4.4.1 is over taken by mmts. The new Emergency Operating Procedures referenced in Comment 6 above soecifically address small break situations where atmosopheric dump valves, turbir'e bypass valves, or Power Operated Relief Valves must be used to remove decay heat. It also instructs the use of the auxiliary feedwater system.

                             - .                                          - . -               _ .=

332 l l l

77. Page 4-102. Accident Sequence initiators, first paragraph, last sentence, impiles that all reactor-related accident initiating events described in the Final Safety Analysis Report (F5AR) are Ilsted in Table 4.4-1. This is incorrect since the table fails to list several additional reactor-related events such as excess charging.

78. Page 4-103. This page is a duplicate of 4-104

79. Page 4-106. This figure improperly and without explanation, equates a steam line break event with a reactor trip coincident with a failure of turbine trip. These are different events which have different results.

80. Page 4-107, third to the last line of the first full paragraph. " Equivalent to a steam line break (SLB)* should be deleted.

81. Page 4-108, second paragraph. The report falls to recognize that the excess charging event has been analyzed and is included in the FSAR.

82. Page 4-110, Electric Generator 1.oad Malfunctions. The report implies that raold increases or decreases in electrical load can result in a change in the turbine speed. Turbine speed is constant so long as the turbine is parallel to the grid and only an interruption in the load to the generator can result in a change to the

 .         generator speed.

33. Pages 4-114 through 4-!!6, Section 4.4.23. THs entire section is longer valid due to the specificity of the new Emergency Operating Procedures. Also, there is a reference to a PTS event which is not substantiated. Only one of three criteria would be met for PTS (high pressure condition). New EOPs address PTS concerns in detail.

I 84 Page 4-113, third line. The reoort, again, fails to recognize that the secondary safety valves can be manually opened. Pa6e 4-!!6, Section 4.4.2.6, IF safety qualified buses are IE.

35. Page 4-!!7, last paragraph. Again, the report fails to recognize that post reactor trip, with excess feed there will be little if any steam flow and therefore minimal dynamic loads on the steam line and supp9rt system.

l

86. Page 4119, first full paragraph. A high power trip might occur prior to the high steam generator level trip.

87. Page 4-119, last paragraph. The report fails to recognize that a rapid overfill sequence will result in an excess cooldown of t% primary and secondary systems with resultant SCIS on low steam generator pressure.

88. Page 4-121, Steam Line Break. This title is inappropriate and should be replaced with " Excess Steam Demand" or something comparable. As before, the postulated ,

j transients in this report are not equivalent to steam line break as analyzed in the FSAR.

39. Page 4-123. The first paragraph discusses " Sufficient Times Available for l Operator Response". The report should state the basis for what constitutes l " sufficient time." Also, no analyses are provided to substantiate the selection of j probability numbers and their applicability to Calvert Cliffs.

i

333

90. Page 4-134 The first paragraph, the main purpose of the feedwater control loop is not to maintain efficient pump operation, but rather to control the FRV in the middle of its control range.

Page 4-134 The last paragraph indicates there is no redundancy in the feedwater turbine control Although this is strictly correct, it fails to recognize that there are a number of ways to stop feed flow, such as tripping the turbine manually or tripping the condensate or condensate booster pumpa

91. Page 4-136, end of the first paragraph. The report indicates the probability of operator failure to transfer power from !Y01 to !YO2 to be .1. This may be the probability of a single operator falling to recognize t! need to transfer power.

The reoort, however, should reflect that in addition to the reactor operator there are three to four additional licensed operators in the control room and a shift supervisor, all of whom are in the control room at the time of or sho% ofter the occurrence of a SBLOCA. Therefore, this number is probably several orde:s of magnitude too large.

92. Page 4-138. The listing of plant areas utilizing instrument air is somewhat meaningless. It would bemore useful to list plant equipment and functions utilizing instrument air.

93. Page 4'-139. The report fails to recognize that air accumulators are included to provide limited operation following loss of instrument air.

94 Page 5-2. It is not clear why shif ting the ADV control to the auxiliary shutdown panel is of any benefit. These valves receive the same instrument air suoply regardless of where they are selected. The Auxiliary Control (Shutdown) Panel was designed to operate ADVs when there is an electrical fault on the Control Room controller. Atmospheric Dump Valves receive air from any one of the following sources:

       - Containment Air Receiver
       - Salt Water Air Compressors
       - Salt Water Air Accumulators
       - Plant Air cross-connected from unaffected unit They can also be manually operated (remotely).

95. Page 5-3. For the rapid steam generator overfill sequence, the report fails to recognize that SGIS on low steam generator pressure is likely to occur and result in isolation of feed to the steam generator.

96. Figures 5.2-1 and 5.2-1, Small Break LOCA Sequences Involving Insufficient Core Cooling: U2 plant air should back-up the IAS and PAS systems for U1 via valves I.

PA-126 and 2-PA-12t,. Since, contrary to comments of page 5-7, no loss of offsite power is coincident with this 1 OCA, the DGs are not involved in the scenario and U2 PAS is available. This means that the estimate for loss of IAS of 0.1 is far too high. 1

334 If, indeed, IA is not lost, the sequence is much simpler. The estimate of 9E-5/ year will be reduced significantly.

97. Page 5-7. See above comment 92.

Third paragraph - SGIS should be SIAS. The priority implied for instrument air pressure restoration is improper as shown by the new emergency procedures. The effects of loss of instrument air during a I.OCA indicate that there is no immediate need for it in terms of plant safety. I I

93. Page 3-7, next to the last paragraph. The report appears to assume loss of off- (

site power coincident with I.OCA. It is not clear what bases or probabilities are I used to reflect this coincidence.

99. Pages 5-7, 3-8. New Functional Recovery Procedures address multiple failures and/or undiagnosed events. These are part of the new emergency procedures. The entire paragraph 5.2.1 is in error.

100. Page 5-8, second full paragraph. The stated probability of failing to initiate or continue RCS cooldown fails to recognize the possibility of manually opening the secondary safety valves. 10l. Page 5-8, third full paragraph. The probabi!!ty of the operator failitig to depressurize given failure of RCS cooldown of .5 seems several orders of magnitude high in view of the number of licensed operators that would be in the control room at the time of or shortly af ter a I.OCA. 102. Page 5-8, last paragraph. The report notes that the core damage event frequency incorporates multiple operator failure probabilities which are difficult at best to estimate and that the uncertainty in the estimated frequency is expected to be targe. The report should also indicate that the estimates used here are at the conservative end of the frequency spectrum. 103. Page 5-11, Figure 5.3.1. " Fault tree of 5/G overfill given regulating valve receives turbine trip signal." The quantification of this fault tree is in error. It must be quantified as frequency of demand, P (failure to close/ demand), for FW valve closure. This means that other than the initiating frequency, which is in demands / year, all other probabilities should be conditional demand failure probabilities. The demand failure probability for an ooeratine system is very low since it can be viewed as having a vanishingly small rest interval (i.e., the system is known to be operating at the onset of the event so the probability of failure during the ensuing few seconds is negligible (assuming independence from the initiating event.) This means that in the case of the FW reg valve, the only components for which demand failure probability is relevant are those which udergo a complete state change - from "0" to "1" or "1" to "0", wherein a failure could currently exist and be undetected.

335 104. Paragraoh 5.2.2. See above comments. Using the PORV as a backup to using the Steam Generators. That is why the atmospheric dumo valves can be operated manually, in addition to all the air suppIles described above. 105. Page 5-12, third full paragraph. The failure rate of .1 per demand appears unreasonably high. The statement that 2 minutes is " clearly . . . a short time for

      . . . operatur . . . action" is subjective in view of the fact that establishing feedwater control is one of the highest priority actions that operators take on a reactor trip. Furthermore, the 2 minutes estimate is clearly not supported by the results of the RETRAN runs, where SG fill occurs in 4.5 minutes (see page 6-23 first paragraph.

106. Page 5-14, Figure 5.3-2 Quantification appears to be correct from a methods point of view, but the numbers are incorrect.

      " Reg Valve fails to close" is only an event of interest if it is required to close -

this implies that a demand is required and that the valve failed on demand - this would imply a quantified value akin to the one calculated in figure 5.3-1. 107. Page 6-1. The non-equilibrium models are allowed in any volume, the two usual choices are the pressurizer and the reactor vessel upper head. Point kinetics is not the only option, RETRAN allows the use of 1-D kinetics as well. 103. Page 6 7 Feedwater bypass valves are actually 15% capacity, but are set to regulate at about Sa6. 109. Page 6-7, First full paragraph. Why refer to " previous boundary conditions"' Simply state the present configuration of the model and explain its importance. 110. Page 6-7. CCNPP is base loaded at full power, not programmed function. 111. Page 6-20. The various sets of figures for steam generator overfill should also depict hotwell inventory as a function of time. !!2. Page 6-71, last line. The report states that in the Modular Modeling System (MMS), reactor power is controlled manually by changing the boron concentration. Does this mean there are not temperature reactivity feedbacks in the MMS model? !! so, it cannot be expected to provide realistic results for overfeed and underfeed scenarios. 113. Page 7-1, Corrective Actions. As noted earlier (Comment 13), this section is mistitled. A more proper title would be " Engineering Insights." Since this section (is not provided but) will outline corrective measures that may be appropriate to eliminate or mitigate potential accidents, it states that BC&E will have an opportunity to comment on its contents prior to publication. This is absolutely necessary in view of the dated information which forms the basis for much of this study. 114 Page 3-1, first paragraph. The second sentence states that this draft report "is to be used by NRC Staff in draf ting resolutions to USI A-47." Hooefully, the word "not" is missing by mistake. The numerous errors in this draft make it unsuitable for decision-making support.

336 115. Page 3-4, middle of the page. Fails to recognize that an initial mis-diagnosis or erroneous operator action is likely to be corrected since an hour or more is available to take corrective action, as is indicated here. 116. Page 3 5. Reclassification of SBLOCA as an " anticipated transient" as opposed to a " postulated accident" is a serious escalation. While the event is bounded by the SBLOCAs in the FSAR, the licensing criteria imposed on " postulated accidents" is significantly different from that imposed on " anticipated transients." 117. Page 3-6, middle of the page. Again, the report fails to recognize that certain key components have instrument air accumulators to provide limited operation subsequent to loss of instrument air. !!3. Page 3-7, middle of the page. The report cites !! cases of steam generator low level trips mostly during startup and states that these should be considered as precursors to dryout or overheating events. It should also note that for the low power cases the decay heat levelis significantly reduced and the time to dryout or overheating significantly extended. 119. Page 3-7, seventh line from the bottom. The reference to " commode failure"is in poor taste. 120. Page 9-1, second paragraph. The first sentence is completely wrong. It states that " Non-safety grade control systems are presently covered by a general statement in NRC's General Desi 5 n Criteria,10 CFR 50, Appendix B, Criterion II: 'The quality assurance program . . .'." 10 CFR 50 Appendix S applies only to safetv-related equipment, and the General Design Criteria are contained in 10 CFR 50 Appendix A. This error underscores the inappropriateness of a research study makmg regulatory judgments. 121. Page 9 3, last sentence. The report fails to recognize that automatic actions to permit HPSI to insert water may, in fact, cause more safety concerns for other accidents and transients than it mitigates for one low probability event (e.g., overcooling, etc.) 122. Page 9 4, third sentence. The suggestion of an automatic MFW pump trip on high SG 1evel would decrease plant safety. Such a trip, if spuriously actuated or initiated by a level spike, would become an initiator for a total loss of feedwater event, increasing the frequency of such an event. Currently, high SG !evel ramps back MFW flow while allowing continued operation of the pump. Restart of MFW pumps requires several hours. 123. Page 9-4, next to last paragraph. use of the word " frightful" is clever, but in poor taste. Also, the statement that Calvert Cliffs " simply seems to depend too much on operators for what are essentially safety functions" is subjective and, at the very least, contrary to the recent and long overdue recognition of the overwhelming importance of operators. The statement implies that plants should be backfit with even more hardware and equipment complexity than currently exists - a condition that, presumably, led to the establishment of U5! A-47 in the first place.

337 Comments on Appendix S

1. Page 84. There are % backup heaters, not 100.

2. Pags B-12. Hydrogen blanket is less than 30 psig.

3. Page B-70. Control room alarm is set for 1000 counts per minute not 100 counts per minute.

4. Page B-77. Saltwater system pump design head is 63 ft. not 82 ft.

i l I i i i

___ m ._ ___ ._ . ___ _ _ .- . _ l 338

ORNL Replies to BG&E General Comments

1. The descriptions of the Calvert Cliffe plant which compared its control philosophies and control requirements to the more, automated l Oconee plant were made more specific, in hopes of removing whatever j chances there were for misinterpretation. The references to differences in HPSI shutoff heads were changed to explain the importance of this parameter to the SB-LOCA sequence. We agree i

that a lower or even a zero psi shutoff head would be " safer" in j PTS sequences. l l 2. We agree, and note in the report, that SG overfeed events at full

or nearly full power result in slow overfills and are not of j concern. We also note that only for the case of MFW valve or actuator failure can overfeeds after a scram lead to water in the steam lines in as little as 3 min if prompt operator action is not i taken. Credit is given for FW runbacks that would occur if the valve functioned properly, and for SGIS responses. Our estimates of the probability of proper operator action are in line with

' published test data and NRC-accepted norms. We acknowledge the lack of data supporting estimated SLB and SGTR follow-ons to the

overfill, but note that the steam lines are not designed or tested for sudden closure of MSIVs with steam water mixture flows.

I 3 As noted in the final version of our report, subsequent follow-on

RETRAN studies and the referenced CE report both reduced the

! concern about the critically-sized SB-LOCA scenarios. As noted in Sect. 5, the probability for core damage was reduced to 10-5/ry, j and could readily be removed from the realm of interest if the E0Ps were modified as recommended. The low probability of heater power { control failure was accounted for. Our concern for a leak due to

overheated heater rods was for the case where the hot rods are 4

suddenly quenched. With respect to RC pump seal failure-initiated SB-LOCAs, ORNL is

not suggesting that a loss of cooling water will invariably result in a catastrophic seal failure within some fixed period of time.

! However, based on the information available, we cannot dismiss RC l pump seal failures or assume a 10-gpm maximum leak rate. ] RC pump seals can and do fail, typically due to thermal cycling and/or wear. Leak rates are typically small (e.g., up to 30 gpm) to begin with but can and have increased significantly (e.g., 350 spm) later in the transient. Such an event occurred at Arkansas Nuclear One-Unit 1 (Byron-Jackson'RC pumps) on

July'17, 1980 (LER 80-015). It is interesting to note that the

! seal leak rate increased significantly after the RC pump was tripped. i 1

339 Based on such incidents, RC pump seal failures could not be dismissed, nor could 10-gpm maximum leak rates be assumed. There were two other RC pump seal leaks at ANO-1, for example, where the leak rates exceeded 10 gpm: LER 76-022 (25 gpm), and LER 82-021 (28 gpm). It is recognized that seal failure incidents terminated prior to significant leak rates occurring would be relatively more frequent than catastrophic seal failures.

4. We agree that numerous nebulous words were used in the draft and have taken particular care to correct the problems. We do note the fact that in the estimates of equipment failures and operator response, precise quantification is difficult, and that

         " engineering judgment" in pointing out " potential problem areas" necessarily leaves some fuzziness.      BG&E and other readers are cautioned not to assume that because we list something as a potential problem area we are implying that it will necessarily lead to fuel damage.

5. Our report did not and does not arbitrarily assign a 10%

probability to operator failure to accomplish a required task. In each case we took into account the difficulty of diagnosis, the time available, and the state of the in place procedures, at a minimum. ORNL Replies to BG&E Specific Comments 1-5. Noted and corrected.

6. Noted. However, even in the new E0P for LOCAs (Draft 0), the use of PORVs is not specified for the case where SG cooling is not available to depressurize the primary.

7. The draft and final versions do, in fact, note the long times available for operator action in the SB-LOCA sequence. We agree that the SG high level signal is an " equivalent OR" with multiple units. It does, however, feed a single relay in the turbine trip circuit. Our reference to the SG low-level trip logic in the PPS was in error and was deleted.

8. We disagree. AFW systems have failed to operate on numerous occasions in many reactors, and the more frequently these systems are challenged, the more likely the chance of SG dryout.

The comment about maintenance and testing problems leading to numerous PPS challenges was actually based on overall CE plant-and industry experience, not BG&E experience, and was corrected l

+

f 340 to note this. We agree that the " commode failure" comment was in poor taste. It was flushed from the final version. I The cause of the loss of service water was noted and corrected.

                                  '9-10. Noted and corrected.

11. Text revised as suggested.

i

12. Noted and corrected.

13 The corrective actions section was deleted. l 14. Noted and corrected. i

15. Text reworded as suggested.

4

16. Tables were revised to correspond more closely to points being made in text.

l 17 BG&E misunderstood intent of comment. Text reworded. 1 i

18. Correction made.

19. -The failure was considered to be "significant" in that a single j failure resulted in a complete loss of main feedwater.and l degraded the auxiliary feedwater system. However, this event was not selected as a significant SICS Program result since an i additional failure of a safety system would be required to i result in safety consequences.

20. See response to Item 1.

1 21 . Extremes in RCS water quality, which is regulated by the CVCS, could contribute to initiating a LOCA. As noted, this failure mode was not selected as significant since specific, available

failures that result in these extremes could not be identified.

22. Comment not understood. "No" is listed under "RCS Overcooling."

ll l 23 No, although the chemistry problem is a possibility. -The system could fail and result in a small reduction in SG pressure. As indicated, the system was not selected.

24. Correction made.

! 25. At this level of analysis, a consequential loss of compressed i air would freeze the MFW regulating valves in place. Failure of l [ l

n, . 341 systems due to degraded environmental conditions is considered beyond the scope of this analysis. 26-27. Noted.

28. Noted. However, this condition would be more applicable to a loss of charging flow rate.

29. Noted, correction made.

30. " Contributes to," in the sense used, implies that failures, in conjunction with other failures, could result in the unsafe condition. As a minimum, loss of SG cooling could not occur without a loss of main feedwater (assuming an intact RCS).

31 . Noted. " Result in" changed to " contributes to"

32. Noted.

33 Noted. Consideration has been limited to failures terminating spray and energizing heaters. Concerning liquid discharge, we don't believe the possibility of valve damage can be excluded--if the discharge is hot and may flash in the valve as contrasted to loop seal flow, for instance. 34 Noted. However, the purpose of this phase of the analysis is to exclude systems which do not affect plant safety, not to evaluate the specific effects of failure. The very conservative (or " alarmist") approach used in this phase merely increases the number of systems to be analyzed in greater detail. Final safety implications should not ue inferred.

35. Please review " Remedial Actions."

36. Please review second sentence of " Effects" section.

37. Paragraph deleted.

38. Noted. We interpret this statement to imply that no pumps other than the component cooling water pumps are required to maintain cooling of the reactor coolant which passes through the RC pump seals.

39. Failure should be " Isolable LOCA." With respect to VCT volume, i see response to Item 44.

40. The circuitry design has been recognized. However, all modes of tripping the pumps are manual.

1

                                              ~

i 342 l 41 . For clarity, function referred to as "SI-initiated charging capability."

42. Noted.

43 Noted. The isolation on high regenerative heat exchanger outlet temperature would require an independent loss of charging flow or circuit failure.

44. The observation is correct. In fact, we found the automatic VCT makeup a positive design feature. If this controller is left in manual, the probability of overfilling the pressurizer is reduced at the expense of introducing common cause failures, which could affect the three charging pumps.

45. The concern is that localized overheating and subsequent refilling could lead to high local thermal stresses. Wording i modified to reflect this.

46-48. Noted.

i

49. Agreed.

! 50. Noted. i ! 51 . Agreed.

52. Noted. Paragraph on H2 handling deleted.

53-63 Noted.

64. Typically, SG overfill was not assumed to produce a response this severe. RETRAN and the BG&E training simulator both showed l very little cooldcwn due to SG overfill. We would be willing to review additional analytic results or data if provided.

? l 65. Noted. i ! 66. Comment not understood. l 67. Noted. I ' 68. Low steam flows with water entrained in steam lines can be as bad as or worse than the high flow cases when the concern is for f weight (as opposed to water hammer) damage. This is because at ! the lower flows, water tends to collect in the low points rather l than being entrained and carried on out the steam line. 69-71. Noted. I l

343

72. Noted. Do operator training or written procedures suggest such actions?

73 Noted.

74. The sensitivity studies section was deleted.

75. Corrected.

i

76. Our review was, by ground rules, based on the status of the plant at a given time. However, similar comments are applicable to the new draft procedure, EDP-500.

77. Excess charging is addressed to the extent it could contribute to initiating a pressurizer valve failure or boron dilution.

Neither case was found to have significant safety consequences with respect to the CVCS.

78. Page 105 was included for emphasis. Since the point was made, it was deleted from the final version.

79. A SLB is assumed to bound the turbine trip failure. Are we to infer that BG&E disagrees?

80. Noted.

81. Noted. (See response to #77).

82. Noted.

83 Noted. Draft procedure E0P-500 was addressed in final report. With respect to PTS, the potential for PTS was identified and found not to be of safety significance, as discussed in Sect. 5.

84. Noted.

85. See reply to comment 68.

86. Noted.

87. Our RETRAN analyses and BG&E training simulator runs witnessed by ORNL participants showed very little effect of SG overfill on RCS temperature. Automatic isolation has not been corroborated by any analyses known to us.

88. There appears little point in categorizing SG depressurization transients when none lead to significant safety consequences.

l

1 344

89. The bases of operator failure rates (and associated " sufficient time" considerations) are addressed in Sect. 5. Discussion was redone, hopefully avoiding the problems noted.

90. This is a comment of minor significance which we believe should be covered by a motherhood clause.

91. Transfer from instrument power bus 1YO9 to vital power buses 1Y01 and 1YO2 for the atmospheric steam dump valves ( ADVs) is accomplished by selecting alternate controllers by manually positioning three-way pneumatic valves. The alternate controllers, which are located in the auxiliary shutdown panel, are not normally selected for control, but the three-way pneumatic valves are normally positioned to select the ADV controllers powered by 1YO9. The two three-way pneumatic valves are located in tamper proof, alarmed enclosures (see BG&E Drawing 60-911C). The 0.1 probability that the reactor operators would not reposition these valves was based on there being no mention of the three-way valves in E0P-5, " Loss of-Reactor Coolant," approved September 14, 1984

92. Listing was relabeled.

93 We disagree. Credit was given for an accumulator backup in six different places in the writeup.

94. Unless the design information available to us is completely outdated, the fact that this question is raised emphasizes our conclusion. According to our information (BG&E Dwg. 60-911C, Rev. OF), if instrument air / plant air pressure is lost, or YO9 deenergized, the operator can manually transfer the source of compressed air from the normal'aupply to the salt water air compressors. This action activates the IE manual ADV controllers at the auxiliary shutdown panel. We do not question whether the ADVs can be opened, but with what probability.

Without the procedural step in the LOCA E0P, we credited the operators with performing this function successfully nine times out of ten SB-LOCA demands. Clearly defined procedural instructions could increase this probability.

95. Our analyses showed that SGIS actuation would not occur. We would like to see the results of studies showing otherwise.

96. See response to 94. The use of Unit 2 equipment provides another physical alternative to the operator; however, the probability that the ' valves could be opened was assumed to be 1.0.

345 97 Noted. The question of whether the ADV and TBV are required remains.

98. No actual loss of offsite power was assumed. The instructions for bus transfer were taken from the LOCA procedure. We note that EDP-500 (draft) does not address bus transfer.

99. The new procedure will be reviewed.

100. Noted. 101. Not to mention additional instructions from many of the top elected and appointed leaders of our country! The 0.5 probability was selected because the specific procedural step instructs the operator to depressurize--but specifies RCS conditions which would not exist for this sequence. This also applies to EDP-500, 102. We are not convinced that they are at the conservative extreme. We do believe operator failure probabilities could be reduced significantly by modified procedures and/or training. 103 The fault tree depicts the frequencies of failures that would freeze or open one of the two regulating valves. In either case, it is assumed that the reactor will trip prior to restoring the valve to operability--thus creating the " demand" for valve closure. This assumption is considered reasonable since the principal plant response to these failures will be a perturbation in SG 1evel, which could initiate reactor and turbine trip (or possibly induce the operator to manually trip the reactor and/or turbine). Thus, the " initiating failure" is the valve failure. The conditional probabilities of the events

     " reactor trip given valve failure" and "SG overfeed given valve failure and reactor trip" are each assumed to be 1.0.

104. Comment not understood. 105. It should be noted that the operator is assumed to successfully diagnose ten unusual events (SG overfeed), determine a correct response, and prevent the SG overfill nine of ten times. The failure to accomplish this within as little as 3 min considers other possible actions the operator might attempt (e.g., manually throttling the regulating valve) prior to tripping the feedwater pumps or closing the isolation valve. 106. As in Fig. 5.3-1, the valve failure creates its own demand for closure (see response to item 103). l 107. Noted.

346 108. Noted. 109. Noted. 110. Noted. 111. Noted. l 112. The MMS model includes temperature reactivity feedback. 113 Corrective actions section deleted. 114. This comment is in poor taste and should be flushed from this otherwise civil and generally helpful review. 115. The long time for corrective action was accounted for. 116. Noted and corrected. 117. Accumulator backup was considered. 118. Noted. 119. Flushed. 120. BG&E indicates that the following sentence is completely wrong:

       "Non-safety grade control systems are presently covered by a general statement in NRC's General Criteria, 10 CFR 50 Appendix B, Criterion II:      'The quality assurance program'   . . ,, " and states  that 10 CFR 50 Appendix B applies only to safety-related equipment and that the General Design Criteria are contained in 10 CFR 50 Appendix A. In response, we changed the identification of Appendix B from " General Design Criteria" to " Quality Assurance Criteria." BG&E correctly flagged this error. We also narrowed the application of the sentence in question to those nonsafety-grade control systems "which have the potential for impacting plant safety"; such systems are clearly covered by the wording of Appendix B. With regard to their comment that "This error underscores the inappropriateness of a research study making regulatory judgments," we continued our policy of not making regulatory j udgments .

i 121 The comment makes a valid point. We have relaxed the suggestion for automatic depressurization. 122. We agree that spurious automatic pump trips could represent a greater hazard than the one the pump trips were designed to i L

347 prevent. We have modified the recommendations concerning this concept. 123 Our original statement characterized conditions at Calvert Cliffs as "not frightful." The phrase was not meant to be particularly clever; calling it "in poor taste" seems a bit strong. It is perhaps too folksy for a sensitive subject, and we have changed the wording to "not unusual or a cause for alarm . " We did nothing in response to the other two comments, but do feel that some feedback is in order. Operators are indeed vitally important, but should not, we believe, be essential to situations requiring only knee-jerk response. BG&E's last comment implies that there would be no safety implications of control systems if there were no control systems. There would also be no failures of protection systems if there were no protection systems. Human interaction was not a major part of this study, but operator f allibility versus controls fallibility must be addressed in any evaluation of means for optimizing responses to threats to plant safety. Comments on Appendix B Corrections made as noted.

r i 349 NUREG/CR-4265 l Volume 2 ORNL/TM-9640/v2 NRC Distribution Categories R1, RG, R4, R13 INTERNAL DISTRIBUTION ! 1. S. J. Ball 27. W. A. Waddell

2. R. E. Battle 28. J. D. White 3 N. E. Clapp, Jr. 29. R. S. Wiltshire

4. F. H. Clark 30. M. J. Kopp (Advisor)

5. B. G. Eads 31 . P. F. McCrea ( Advisor)

6. D. M. Eissenberg 32. H. M. Paynter (Advisor)

7. E. W. Hagen 33 H. E. Trammell (Advisor)

8. R. M. Harrington 34. Central Research Library

9. A. P. Malinauskas 35. Y-12 Document Reference Section

10. T. C. Morelock 36. I&C Publications Office

11. F. R. Mynatt 37. I&C IPC

12. L. C. Oakes 38. Laboratory Records Department 13 J-P. A. Renier 39. Laboratory Records

14. D. L. Selby Department, RC

15. O. L. Smith 40. ORNL Patent Section 16-26. R. S. Stone EXTERNAL DISTRIBUTION

41. P. N. Austin, Science Applications, Inc., 800 Oak Ridge Turnpike, Oak Ridge, TN 37830 42-46. D. L. Basdekas, Nuclear Regulatory Commission, 5650 Nicholson Lane, MS1130SS, Division of Engineering Technology, USNRC, Washington, DC 20555 47-48. W. E. Bickford, Pacific Northwest Laboratories, Richland, WA 99352 49-54. S. J. Bruske, INEL, P.O. Box 1625, Idaho Falls, ID 83415

55. S. J. Caruthers, Science Applications, Inc., 800 Oak Ridge Turnpike, Oak Ridge, TN 37830

56. Ivan Catton, Room 25670 Boelter Hall, UCLA, Los Angeles, CA 90024

57. R. D. Dabbs, Technology for Energy, P.O. Box 15202, Knoxville, TN 37901

58. J. D. Freels Technology for Energy, P.O. Box 15202, Knoxville, TN 37901

59. S. J. Hurrell, Science Applications, Inc., 800 Oak Ridge Turnpike, Oak Ridge, TN 37830

60. L. L. Joyner, Joyner Engineers and Trainers, PC., Route #2, Box 1072. Forest, VA 24551

350

61. J. F. Kapinos, C-E Power Systems, 9487-2403, 1000 Prospect Hill, Windsor, CT 06095

62. W. E. Kastenberg, University of California at Los Angeles, 5532 Boelter Hall, School of Engineering and Applied Science, Los Angeles, CA 90024 63 R. Kubik, EPRI Nuclear Power Division, P.O. Box 10412, Palo Alto, CA 94303

64. C. G. Lawson,115 Orkney Road, Oak Ridge, TN 37830

65. C. W. Mayo, Science Applications, Inc., 800 Oak Ridge Turnpike, Oak Ridge, TN 37830

66. A. F. McBride, Science Applications, Inc., 800 Oak Ridge Turnpike, Oak Ridge, TN 37830 67-77. S. M. Mirsky, Baltimore Gas & Electric Company, P.O. Box 1475, Baltimore, MD 21203

78. W. S. Farmer, Electrical Engineering Branch, Division of Engineering Technology, Office of RES, USNRC, Washington, DC 20555

79. F. J. Mustoe, PWR Systems and Safety Department, National Nuclear Corporation Limited, Booths Hall, Chelford Road, Knutsford, Cheshire, WA16 8QZ, England

80. Office of Scientific and Technical Information, Oak Ridge, TN 37831

81. Office of Assistant Manager for Energy Research and Development, U.S. Department of Energy, Oak Ridge Operations, Oak Ridge, TN 37831

82. P. Pan, Los Alamos National Laboratory, MS K557, Los Alamos, NM 87544 83 B. K. M. Sun, EPRI Nuclear Power Division, P.O. Box 10412, Palo Alto, CA 94303 84-109. A. J. Szukiewicz, U.S. Nuclear Regulatory Commission, 7915 Eastern Avenue, MS-1130SS, Silver Springs, MD 20910 110-544. Given NRC Category distribution R1, RG, R4, and 13 1

r- , 1 1ANIR11R41RG 12055S078877 US NRC ADM-0IV 0F TIOC POLICY W-501

                    & PUB MGT      BR-POR NUREG OC 20555 WASHINGTON b
  ~_        ~'~wr  _                    ._}}