ML17139B885: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
(9 intermediate revisions by the same user not shown) | |||
Line 15: | Line 15: | ||
| page count = 29 | | page count = 29 | ||
}} | }} | ||
=Text= | |||
{{#Wiki_filter:CONTROL SYSTEM POKER SUPPLY AND SENSOR MALFUNCTION STUDY Prepared for: | |||
Pennsylvania Power and Light Company Susquehanna Steam Electric Station Prepared by: | |||
EDS Nuclear Ines March, 1982 Report No. 02-0160-1102 Revision 1 831018048i 831014 PDR ADOCK 05000387 P , PDR | |||
I l | |||
Report No. 02-0160-1102 Revisionh 1 | |||
CONTROL SYSTEM POWER SUPPLY AND SENSOR MALFUNCTION STUDY TABLE OF CONTENTS Sact1on Pacae 1.0 Introduction 2'0 Executive Summary 3.0 Methodology 4.0 Summary of Results 5 0 References 15 Appendices Appendix A Technical Procedure for the Performance of the Analysis Appendix B Control Systems/Safety Functions Appendix C Control System Identification Diagrams Appendix D Commonality Diagrams Appendix E Failure Modes and Effects Analysis Appendix F Malfunction Analysis Tables | |||
Report No. 02 0160 1102 Revision 0 CONTROL SYSTEM POWER SUPPLY AND SENSOR MALFUNCTION STUDY 1~0 INTRODUCTION On June 15, 1981, Pennsylvania Power and Light Company (PPEL) requested that EDS Nuclear Inc (EDS) assist them in responding | |||
~ | |||
to the Safety Evaluation Report (SER) item concerning the failure of non-safety grade control systems due to failure/malfunction of power supplies or sensord that are common to these control sytems for the Susquehanna Steam Electric Station (SSES) ~ Verification was requested to ensure that the subject control system failures would not impact on plant safety. | |||
The objective of the analysis contained herein is twofold- | |||
: 1. To identify power supplies and sensors to two or more non-safety grade control systems. | |||
: 2. To analyze the effects of the failure or malfunction of these power supplies and sensors on control systems to determine if the resulting plant conditions are contained within the boundary of Chapter 15 analysis and are within the capabilities of operators and safety systems. | |||
In order to achieve these objectives, EDS employed a two-phase approach consisting of the Identification Phase and the Analysis Phase. In the Identification Phase, diagrams were generated to identify the non-safety grade control systems and their power supplies and sensors. These diagrams were furtner analyzed in order to determine those common power supplies and sensors. In the Analysis Phase, Failure"Modes and Effect Analyses (FMEA) was utilized to determine the effects of these power supply and sensor failures on their respective control systems and, ultimately, on plant performances The FMEAs were then analyzed to determine the safety implications (if any) for the failure of these control systems. | |||
This report documents the result of this analysis. The methodology employed is described generally in Section 3 ' and in greater detail in Appendix A. A summary of results is presented in general terms in Section 4.0 and in detail in Appendices 3 through F. References are provided in Section 5.0. An Executive Summary is provided in Section 2.0 which highlights the salient results of this project. | |||
C | |||
Report No. 02-0160-1102 Revision 0 c 2. 0 EXECUTIVE | |||
==SUMMARY== | |||
The purpose of this report is to determine if the failure of common power supplies and sensors foz non-safety grade control systems will impact on plant safety. This was accomplished by first identifying those common power supplies and sensors, then analyzing the effects those control system failures on plant safety. In addition, for those control system failures that impacted on plant safety but were not addressed by Chapter 15 analysis and were not within operator and safety recommendations for plant modification or Chaptersystem'apabilities, 15 reanalysis were made. | |||
The project was divided into two phases the Identification Phase and the Analysis Phase ~ In the identification Phase, key plant safety functions were identified using Chapter | |||
: 15. The control systems that could affect these safety functions were then identified from those listed in Chapter 7'7, "Control Systems Not Required for Safety." The power supplies and sensors that provide power or signals to these control systems were identified'or these key items safety functions, control systems, power supplies, and sensors Control System Identification Diagrams (CSID) were generated to document this information and to assist in further analysis'ower supply and sensor commonality was determined using the CSIDs. A second diagram--Commonali ty Diagram ( CD) --was generated to show the control systems and their associated components that were affected by each common power supply or sensor. | |||
In the Analysis Phase, Failure Modes and Effects Analysis (FMEA) was performed on each common power supply and sensor to determine the effect of the failure on the control sytem and on plant performances Analysis was then performed using the FMEA results to determine the following: | |||
: l. Impact on plant safety including plant response as per Chapter 15. | |||
: 2. If the plant conditions were within operator and safety system capabilities as per Chapter 15 ~ | |||
For those conditions that did not meet the criteria of items {l) and {2), recommendations for plant modifications or Chapter 15 reanalysis were provided. | |||
Report No ~ 02-0160-1102 Revision 1 2.2 Results A total of ten power supply and sensor commonalities were identified and analyzed. Of these ten commonalities< n-'ne (9)'were of the power supply type and one (1) was of tne sensor type. | |||
: 1. The failure of power supply 1D635 125 VDC that is common to the Reactor Feedwater Control System and | |||
.Pxessure Regulator and T/G Control System resulted in plant conditions that may not be bounded by Chapter 15 analysis. The condition is generated by a maximum demand signal from the Feedwater System due to a zero flow signal from the B train flow sensor instrumentation being processed by the Feedwater System on loss of the power supply. This power supply also powers the Reactor Feed Pump Turbine C trip cixcuit. | |||
If the reactor vessel high level trip set point is reached in this maximum feed demand situation, RFPTs A and B will trip; RFPT C will continue to operate due to the trip circuit failure. | |||
It should be noted that data is not currently available to verify that the Level 8 txip point will be reached. | |||
EDS, therefore, recommends that the appropriate instrument perfoxmance be reviewed and transient analysis be performed to verify the condition exists. | |||
If the Level 8 trip is not reached< the conditions generated by the failure of 1D635 are bounded by Chapter 15 analysis. | |||
If it is detexmined that the Level 8 trip point is reached, EDS recommends that a plant modification be made to provide different power supplies for the B train feed flow instrumentation and the Reactor Feed Pump Turbine C trip circuit. As an alternate solution, EDS recommends that the maximum feed demand condition in Chapter 15 be reanalyzed to vexify that the failure of the feed pump to trip is, in fact, bounded by current Chapter 15 analysis. | |||
2~ All other common powex supply and sensor failures were detexmined to be either bounded by Chapter 15 analysis and within operator and safety system capabilities or to not impact plant safety. Detailed analysis documenting the results is contained in Section 4.0 and Appendices B through F. | |||
El Report No. 02-0160-1102 Revision 0 3~0 METHODOLOGY As indicated in the introduction, the methodology that was utilized by EDS for this project was designed to meet the following objectives: | |||
: 1. To identify power supplies and sensors to two or more non-safety grade control systems. | |||
: 2. To analyze the effects of the failure or malfunction of these power supplies and sensors on control systems to determine if the resulting plant conditions are contained within the boundary of Chapter 15 analysis and are within the capabilities of oper'ators and safety systems'he methodology employed to achieve these objectives is summarized in this section. A detailed description of this methodology is contained in Appendix "A, "Technical Procedures for the Performance of the Analysis. | |||
A two-phase approach was used as part of this methodology. | |||
Phase 1, the "Identification Phase," consisted of identifying the following items: | |||
Plant safety functions Control systems Power supplies and sensors to the control systems Power supplies and sensors common to control systems Phase 2, the "Analysis Phase," consisted of the analysis of the failure of these common power supplies and sensors with respect to their associated control systems. The control system failures were analyzed with respect to the following criteria: | |||
Plant response as per Chapter 15 Plant conditions within operator and safety system capabilities Reanalysis or modifications required to correct any problems not covered by the first two criteria 3.1 Identification Phase The first part of the identification phase consisted of identifying the non-safety grade control systems that could impact plant safety. In order to accomplish this, it was first necessary to identify those plant safety functions that are required to be met during the various modes of plant operation. The safety functions were generated using Chapter 15, Appendix 15A of the CESAR. The plant operating modes and safety functions were added to the Control System | |||
Report No. 02-0160-1102 Revision 0 Identification Diagrams (CSIDs). These diagrams contain all the identification information required to determine commonality with respect to power supplies and sensors-Subsequent to safety function identification, the control systems which could affect. these safety functions were identified. These control systems were selected from the list of non-safety grade control systems provided in Chapter 7 ' of the FSAR. The control systems were then added to the CSIDs. | |||
The power supplies and sensors required to support these control systems were identified and added to the CSIDs-The power supply identification also included the Cascading Power Supply Effect, that is, the potential for failure of higher level power supplies due to failure of a corresponding lower level power supply'he boundary of the cascading effect was limited to the 120 VAC and 125 VDC instrument and control buses. This boundary was based on information provided by the PPSL Electrical Group concerning credible higher level power supply bus failures. CSIDs are shown in Appendix C. | |||
The final. part of the identification phase was to determine which power supplies and sensors were common to more than one control system. This commonality was accomplished using the CSIDs. Each common power supply and sensor noted was then used as the focal point of a second diagram Commonality Diagram (CD) ~ This diagram presented the common power supply or sensor, the control systems affected, and the key components and circuits that are part of these control systems ~ CDs are shown in Appendix D.'.2 Anal sis Phase The methodology employed in the analysis phase consisted of two parts: Failure Modes and Effects Analysis (FMEA) and Malfunction Analysis. The FMEA technique was used to generate failure effects information on each control system as it pertains to its common mode. power supply or sensor failure. Using the information from the CDs, the overall effect of the power supply or sensor failure was determined with respect to control system and plant performance. The results of this part of the analysis were documented on FMEA forms as contained in Appe'ndix E. | |||
Malfunction analysis was then performed using the FNEAs to determine if the plant conditions generated impacted on plant safety and were within the capabilities of operators and safety systems. The conditions generated as per the | |||
Report No. 02-0160-1102 Revision 0 PMEAs were compared with Chapter 15 analysis for verif ication of plant response, operator response, and safety system response For those plant conditions in which plant safety was impacted without appropriate Chapter 15 analysis and operator and safety system capability 15 analysis verifications, system modifications or Chapter Appendix recommendations were provided. The tables in F were used as a tool to document the malfunction analysis. | |||
This information was then summarized in the results section of this report. | |||
Report No. 02-0160-1102 Revision 0. | |||
: 4. 0 | |||
==SUMMARY== | |||
OF RESULTS The purpose of this effort was to determine if the failure of control common power supplies and sensors for non-safety grade systems could impact on SSES plant safety. The results of this effort are divided into two major areas: | |||
Identification of key elements Control systems that could impact plant safety Power supplies and sensors to these control systems Common power supplies and sensors for these control systems | |||
: 2. Analysis of control system failure Referenced to the FSAR Chapter 15 Within capabilities of operator and safety systems Recommendations for reanalysis or modification if required This section provides a summary of the results determined by EDS with respect to each of the two major areas' more detailed item-by-item listing of the results is contained in Appendices B through F. | |||
4.1 Identification Prior to performing the analysis on the subject control system failure, it was necessary to first determine which of those SSES non-safety grade control system could impact plant safety. Based on the plant safety functions for each control systems described in Chapter 7 ', | |||
plant operating mode as described in Chapter"Control 15 and the Not Required for Safety," the control systems that could System impact plant safety were determined and documented as follows: | |||
1 ~ Reactor Manual Control System | |||
: 2. Recirculation Flow Control System | |||
: 3. Reactor Feedwater Control System 4, ~ Pressure Regulator and Turbine Generator Control System | |||
: 5. Traversing In-Core Probe Control System | |||
: 6. Reactor Water Cleanup Control System | |||
~ | |||
7 ~ Refueling Interlock Control System | |||
: 8. Rod Block Monitor System 9 ~ Nuclear Pressure Relief Control System that this list includes those It should be emphasizedcould control systems that impact plant safety. Actual determination of those control systems that, in fact, do impact plant safety would be accomplished during the | |||
Report No. 02-0160-1102 Revision 1 analysis phase of the project- Documentation of the safety functions and control systems is contained in the Control System Identification Diagrams (CSIDs) in Appendix C. | |||
Based on the control system scope as defined in Chapter 7.7, the power supplies and sensors that support each of these control systems were identified. The power supplies identified were those specific 120 VAC and 125 VDC instrument and control power supplies. The sensors identified were those sensors that provide inputs into the control system. Detailed documentation of these power supplies and sensors is also contained in the CSIDs. | |||
In the process of identifying control system power supplies, the Cascading Power Supply Effect was also add"essed. Based on a study performed by the PPGL Electrical Group, it was determined that the only credible cascading power supply failure possible at SSES was that combination of 1Y218 and 1Y219 120 VAC buses. These are the only two instrument and control power supplies that would be subject to the cascading effect based on the design of the SSES electrical distribution system. All other power supplies at a higher level are backed up by either an alternate AC source or a battery. | |||
Upon completion of the power supply and sensor identification, power supply and sensor commonality was determined. Commonality Diagrams (CDs) were generated to show commonality between those control systems identified. | |||
A total of ten (10) commonalities were determined. These commonalities form the basis for the analysis phase of the project. The CDs are contained in Appendix D. | |||
4.2 Analysis The analysis of the control systems that contained common power supplies and sensors was accomplished using Failure Modes and Effects Analysis (BREA), then analyzing the overall impact of each system FMEA on the plant. The FMEAs were generated for each control system as it pertains to the common power supply. or sensor. The detailed results of each FMEA are contained in Appendix E. | |||
Based on the BKAs, the detailed analysis of these control systems was performed. The results are presented here in two categories: (1) Failures that could impact plant | |||
'afety requiring further analysis, and (2) failures that could impact plant safety addressed by Chapter 15/failures that do not impact plant safety. | |||
Report No. 02-0160-1102 Revision 1 | |||
: 1. Failures That Could Im act Plant Safet Re irin Further Analysis EDS analysis determined that failure of the power supply 1D635 125 VDC could impact plant safety and therefore requires further analysis. The control systems affected by this power supply failure are the Reactor Feedwater and the Pressure Regulator and T/G Control Systems. The conditions that may not be bounded by Chapter 15 analysis are, however, isolated to the Feedwater System only - specifically the Feedwater Flow Control and Reactor Feedwater Pump Turbine (RFPT) Trip Contxol sub-systems. The loss of this power supply does not generate conditions outside of the boundary of Chapter 15 analysis for the Pressure Regulator and T/G Control System. | |||
Based on data currently available, the sequence of events that result from the loss of this power supply for the Feedwater System is as follows: | |||
: a. HM.le operating at 100% reactor power, the plant experiences a loss of 1D635. The feedwater flow signal from the B train instrumentation powered by 1D635 (Flow Transmitter FTlN002B and SRU 6) changes to zero due to the loss of 1D635- Since the feedwater flow signals from trains A, B and C aze summed, the total feed flow signal changes from 100% feed flow to 67% feed flow subsequent to receiving the erroneous zero signal from the B, train. This introduces a mismatch between steam flow, which is still at 100%, and feed flow which is at 67%. | |||
: b. In response to this steam flow, feed flow mismatch, the Feedwater Flow Contxol System sends a signal to the three RFPT's to inczease feed flow to make up for the erroneous 33% decxease in flow. Actual feed flow at this point would be approximately 135%. | |||
cd Since actual feed flow is significantly greater than that required, the increase in reactor vessel level ~ma rea'ch the Level 8 (high level) 'trip set point ~ | |||
d- If the Level 8 trip set point is reached, a trip signal will be sent to RFPTs A, B, and C and the T/G. RFPTs A and B and the T/G trip. RFPT C fails to trip because its trip circuit was disabled upon loss of 1D635. | |||
Report No 02-0160-1102 | |||
~ | |||
Revision 1 Based on the assumption that the Level 8 set point is reached due to excessive feedwater demand, the resulting conditions are not explicitly addressed by Chapter 15- Chapter 15 states that the plant response to a Level 8 condition, initiated by excess feed flow, should include the trip of all RPPTs and the T/G. | |||
Since the conditions generated subsequent to the failure of RPPT C to trip are not known< it cannot be detexmined if the plant system capabilities are adequate using present Chapter 15 analysis. | |||
The operator does retain the ability to take manual control of the RPPT C to mitigate the effects of its continued operation. The operator would be alerted to the rising reactor vessel level by the Level 7 alarm. | |||
This condition, therefore, appears to be within the capabilities of the operator. | |||
Xn order to resolve this problem, EDS recommends that, first, an analysis (thermal hydraulic and instrument) be conducted to verify that the Level 8 set point will be reached, based on the sequence of events previously postulated. Zf the results of this analysis verify that the Level 8 set point is not reached, then the conditions generated by the loss of power supply 1D635 125 VDC are in fact bounded by Chapter 15 analysis'f the Level 8 set point is reached, then the resulting conditions require further analysis. | |||
Por those conditions not explicitly addressed by Chapter 15 analysis, EDS recommends resolution of this problem be accomplished in one of two ways. A plant modification could be made to remove the commonality between the feedwater flow B process instrumentation (Plow Transmitter and SRU) and the RPPT C trip circuit. Based on EDS failure modes and effects analysis, changing these instruments to an alternate power supply would resolve this problem. 1D615 and XD625 should be eliminated as alternatives since they provide power to the RPPT A and B trip circuits, respectively. EDS recommends that the B train instruments be moved to the AC power supply that is currently providing power to the Peedwater Plow Control Syst: em - 1Y218 Breaker 13. The appropriate conversion devices would also have to be added in order to account for the changeover of these instruments from DC to AC. | |||
Moving these instruments to lY218 would not change the overall effect on the Feedwater Plow Control System subsequent to the loss of lY218- The system effects and plant response as noted in the 1Y218 PMEA would remain the same ~ | |||
- 10 | |||
Report No- 02-0160-1102 Revision 1 Zt should be noted that if any power supply other than 1Y218 is selected, the appropriate Failure Modes and Effects Analysis should be performed to ensure that a new problem is not created. | |||
The second method of problem resolution would be to analyze the conditions generated by the continued operation of RFPT C to verify that the plant systems will< in fact, mitigate the problem in spite of this new condition. | |||
: 2. Failures That Zm ct Plant Safety Addressed by Cha ter 15/Failures That Do Not Impact Plant Safety The remaining nine (9) control system commonalities have been detexmined by EDS to be eith'er addressed by Chapter 15 or to not impact plant safety. No recommendations fox modification or analysis are required. Each one is summarized as follows: | |||
: a. 1D615 125 VDC The control systems involved with this power supply failure are the Reactor Feedwater Control, Pressure Regulator T/G Control, and Recirculation Flow Contxol. The only plant safety-related condition generated by this failure is a loss of recirculation flow in Loop A and a recirculation runback in Loop B. | |||
This condition and the plant response is covered by Chapter 15 analysis. This condition is also within the capabilities of the operator. Zn addition< | |||
safety system response is not requixed. | |||
b 1D625 125 VDC The control systems involved with this power supply failure are the Reactor Feedwater Control, Pressure Regulator - T/G Control, Recirculation Flow Control, and the Traversing Zn-Coxe Probe. The only plant safety-related condition generated by this failure is a loss of recirculation flow Loop B. | |||
This condition and the plant response for single loop flow are covered by Chaptez 15 analysis. This condition is also within the capabilities of the operator. In addition, safety system response is not required-Report No. 02-0160-1102 Revision 0 C ~ 1D645 125 VDC The control systems involved with this power supply failure are the Reactor Feedwater Control Regulator T/6 Control. The only plant and'ressure safety-related condition generated by this failure is a potential high reactor vessel level due to the failure of the Feedwater B level sensor. .This failure combined with maximum feedwater flow demand (worst case) is addressed in Chapter 15. This vessel high level condition is within operator capabilities since manual control of the Reactor Feedwater Control System is still available. The safety systems that respond per Chapter 15 for this condition possess the necessary capabilities to mitigate the problem. | |||
'd ~ lY218 120 VAC The control systems involved with this power supply failure are the Reactor Feedwater Contol, Reactor Manual Control Recirculation Flow Control, Pressure Regulation T/6 Control, Reactor Water Cleanup, Nuclear Pressure Relief, and Traversing'n-Core Probe The plant safety condition generated by this failure is a potential high or low reactor vessel level resulting from the Feedwater Control System f ailing at maximum or minimum demand. The failure of this power supply involves a "speed freeze" of the reactor feedwater pump turbines (RFPT) ~ A "speed freeze" means that the RFPT speed is locked in at the rate that was present prior to the loss of power. This speed freeze at maximum or minimum demand directly leads to a high or low water level, respectively. | |||
The plant response to the maximum or minimum feed flow demand is addressed in Chapter 15. In the maximum demand condition, a Level 8 trip will result, eventually leading to RFPT trip, T/6 trip, reactor scram, recirculation pump trip, and HPC1'/RCIC actuation. The minimum demand condition condition, as per Chapter 15, will result in a plant response of a Level 3 trip followed by a Level 2 trip This results in a reactor scram, | |||
~ | |||
recirculation pump trip, MSIV closure, T/6 trip, and HPCI/RCIC actuation. | |||
12 | |||
Report No. 02-0160-1102 Revision 0 The maximum and minimum demand conditions are within operator capabiliti'es. The safety systems conditions that respond per Chapter 15 for these possess the necessary capabilities to mitigate this problem. | |||
It should be noted that although the condition generated in between maximum and minimum feed flow demand is not safety related, it prevents changes from being made on the Reactor Manual Control, Reactor Feedwater Control, and the Recirculation Plow Control systems'pon loss of power, each of these systems remains in the configuration it was in prior to the loss of power. Specifically, rods cannot be moved and feedwater and recirculation flow cannot be altered. | |||
This condition is not beyond operator capabilities, but should be considered when PPSL is generating plant training or operating procedures. | |||
: e. 1Y219. 120 VAC The control systems involved with this power supply failure are the Reactor Manual Control System and the Reactor Water Cleanup System. There are no plant safety-related conditions associated with the loss of this power supply; therefore, no Chapter 15 analysis is required'perator or safety system response is not required. | |||
1Y226 120 VAC The control systems involved with this power supply failure are the Nuclear Pressure Relief System and the Reactor Water Cleanup System. There are no plant safety-related conditions associated with the loss of this power supply; therefore, no Chapter 15 analysis is required. Operator or safety system response is not required. | |||
go 1Y629 120 VAC1 The control systems involved with this power supply failure are the Pressure Regulator T/6 Control, The analysis for lY629 failure is based on T/6 solenoid valves failing "as is." This assumption has to be made due to a lack of specific reference information. | |||
13 | |||
Report No. 02-0160-1102 Revision 0 the Reactor Manual Control System, 'and the ~ | |||
Recirculation Flow Control System. The conditions associated with this power supply failure are a T/6 trip at less than 30% power or a T/6 trip and reactor scram at greater than 30% power.. The plant response for either condition is covered by Chapter 15 analysis'oth the T/6 trip and the reactor scram are within operator capabilities. These | |||
. conditions are also within the capabilities of the safety systems, including Scram,,HPCI, 'and RCIC, as per Chapter 15. | |||
Feedwater Flow Elements FElNOOl A, B, C The control systems involved with this sensor failure are the Reactor Feedwater Control and the Recirculation Control The plant safety condition | |||
~ | |||
generated by this failure is a potential high or low reactor vessel level resulting from the Feedwater Control System failing at maximum or minimum demand. This failure is caused by one feedwater flow element failing such that either a high flow or low flow signal is generated. | |||
The plant response to the maximum or minimum feed flow demand is addressed in Chapter 15. In the maximum demand condition, a Level 8 trip will result, eventually leading to RFPT trip, T/6 trip, reactor scram, recirculation pump trip, and HPCI/RCIC actuation. The minimum demand condition condition, as per Chapter 15, will result in a plant response of a Level 3 trip followed by a Level 2 trip This result in a reactor scram, | |||
~ | |||
recirculation pump trip, MSIV closure, T/6 trip, and HPCI/RCIC actuation. | |||
The maximum and minimum demand conditions are within operator capabilities ~ The safety systems | |||
-that respond per Chapter 15 for these conditions possess the necessary capabilities to mitigate this problem. | |||
It should be noted that a flow element failure caused by a mechanical problem (i.e., clogging at the sensing inlet or outlet) would take place over a relatively long period of time Flow degradation should be noted through routine flow indication monitoring'4 | |||
Report No. 02-0160-1102 Revision 0 | |||
: i. Cascadin Power Su 1 Effect lY218 and 1Y219 120 VAC In analyzing the SSES electrical distribution system, it is possible that a failure in power supply 1X219 could cause power supply 1Y218 to it fail, as well, since supplies power to lY219. | |||
The failure of a higher level power supply due to a failure of a corresponding lower level power supply is defined as the Cascading Power Supply Effect. | |||
The combined failure of lY218 and 1Y219 does not invoke conditions not already covered in the analysis of each of these power supplies in sub-paragraphs (d) and (e) respectively. This combined failure is, therefore, bounded by Chapter 15 analysis and within the capabilities of the operator and safety systems. No other analysis is required. | |||
15 | |||
Report No. 02-0160-1102 Revision 0 | |||
==5.0 REFERENCES== | |||
The following is the list of references used during this project: | |||
5.1 General Information Susquehanna Steam Electric Station, Units 1 and 2, Final Safety Analysis Report, Pennsylvania Power and Light Company, Volumes 1-17, Revision 23, 6/81. | |||
5 ' S stem Descri tive References Reactor Feedwater Control S stem Instruction Manuals 4110 and 4125, Alphaline Pressure Transmitters Absolute and Gage, Models 1151AP and 1151GP, Rosemount. | |||
2~ Indicating Switches, Liquid Level-Differential Pressure-Plow Rate, Product/Bullet, in 288A/289A, ITT Barton. | |||
: 3. Bailey Service Manual, Type 771 Narrow Roll Strip-Chart Recorder (4577Kll-300A) | |||
Bailey Parts Manual, Type 771, 772, and 773 Strip-Chart Recorders, (4577Kll-350) ~ | |||
: 5. Operating and Instruction Manual, Static Inverter Model N250-MRS-125-60-115, Topaz Electronics, October 1974. | |||
: 6. Information about the (Orifice Plate) Bore Calculation, Vikery-Simms, Inc., VSI Job No ~ - N-1053 and N-1175. | |||
llew 7 ~ Orifice Bore Calculation Liquid Flow, Vike~-Simms, Inc., 2/23/76. | |||
: 8. Pressure Switches Parts Price List, Code 1 Bourdon Tube, Barksdale (Bulletin No. 671221-B), January 1, 1973. | |||
: 9. Bailey Service Manual, Type 745 Single and Dual Alarm,. | |||
( 4574K15-300F ) . | |||
~ | |||
10 ~ Bailey Service Manual, Type 754 Function Generator, (4575K14-300A). | |||
Bailey Installation Manual, Type 754 Function Generator, (4575K14-001). | |||
Report No'. 02-0160-1102 Revision 0 12 ~ Bailey Instructions, Type 760001 Voltage Signal Sources, (4576K10-001). | |||
13 'ailey Service Manual, (4575K15-300B). | |||
755 Dynamic Compensator, 14..Bailey Difference Data, Type 755 Dynamic Compensator Cat ~ No ~ 50-755010AAAA1NAB (4575K15-003). | |||
15 ~ Bailey Installation Manual, Type 701 Basic Controller, | |||
(.4570K11-001A). | |||
: 16. Susquehanna 1, Operations and Maintenance Instructions, Feedwater Control System, General Electric (GEK-73592A), April, 1981. | |||
Recirculation Flow Control S stem Susquehanna 1, Operations and Maintenance Instructions, | |||
.Recirculation Flow Control System, General Electric (GEK-73590), February, 1979. | |||
: 2. Bailey Service Manual, Type 724 Logic Unit, (4572K14-300B). | |||
: 3. Bailey Installation Manual, Type 745 Single and Dual Alarm, (4574K15-001A). | |||
4~ Bailey Service Manual, Type 745 Single and Dual Alarm, (4574K15-300F). | |||
: 5. Bailey Installation Manual, Type 752 Two Input and Four Input Summers, (4575K12-001B) . | |||
Installation and Operating Instructions, Regulated DC Power Supplies, General Electric (GEI-54440). | |||
7 ~ Bailey Installation Manual, Type 744 Difference Alarm, (4574K14-001). | |||
: 8. Bailey Installation Manual, Type 720 Utility Stations, (4572K10-001)- | |||
9~ Bailey Service Manual, Type 720 Utility Stations, (4574K10-300). | |||
: 10. Bailey Instructions, Type 766 Signal Resistor Units Cat No. 766--*, (4576K16-007A). | |||
~ | |||
17 | |||
Report No. 02-0160-1102 Revision 0 Bailey Installation Manual, Type 724 Logic Unit, (4572K14-001). | |||
: 12. Bailey Installation Manual, Type 740 Millivolt Converters, (4574K10-001A). | |||
13 Bailey Service Manual, Type 723 Proportional and Delay Unit, (4572K13-300). | |||
'4. | |||
Bailey Installation Manual, Type 723, Proportional and Delay Unit, (4572K13-001) . | |||
15 ~ Bailey Installation Manual,, Type 746 Signal Limiter, (4574K16-001A)- | |||
16 'Bailey Installation Manual, Type 722 Manual Unit, (4572K12-001). | |||
17 Bailey Service Manual, Type 722 Manual Unit, (4572K12-300A). | |||
'8. | |||
Bailey Installation Manual, Type 721 Control Unit, (4572K11-001). | |||
19 ~ Bailey Service Manual, Type 721 Control Unit, (4572K11-300). | |||
: 20. ACR Panels 120/125V and 24V Feeder Tabulation, Susquehanna Project, Bechtel Power Corporation, Electrical Scheme Group, June 22, 1981. | |||
: 21. Instructions for Operation, Installation, Maintenance, and Calibration, Electronic Flow Transmitter 73G-0049M, Ametek/Schutte s Koerting ( 74S-0269M-001), July, 1974. | |||
: 22. I'nstruction Manual, (4104/4126) Model 1151DP Alphaline, Differential and High Differential Pressure Transmitters, Rosemount (8856-J03-A-25-1). | |||
: 23. Bailey Service Manual, Type 751 Sealer, (4575K11-300F). | |||
: 24. IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems, IEEE Standard 352-1975. | |||
Reactor Water Cleanu S stem Susquehanna 1, Operation and Maintenance Instructions, Reactor Water Cleanup System, General Electric (GEK-73608), February 1979. | |||
18 | |||
Repox't No. 02.-0160-1102 Revision 0 Pressure Re ulator and T/G Control S stem Generator Protection, General Electxic (GEK-75512A), | |||
November, 1980. | |||
2~ Basic Functions of Electrohydraulic Control (EHC) | |||
System, Nuclear (Boiling Water Reactor) Units, General Electric (GEK-17911) ~ | |||
3~ Protection System Electrohydraulic Control, Basic Functions, General Electric, (GEK-11366). | |||
4~ Speed Control Unit, (Fossil-Baseload, BWR, PWR), | |||
General Electric (GEK-11381E). | |||
t | |||
: 5. Instructions, EHC Line Speed Matcher, General Electric (GEK-17910A) ~ | |||
Instructions, Description of Load Control Unit (BWR), | |||
General Electric, (GEK-37946). | |||
7~ Load Control Unit, Load Reference Circuits, Nuclear Units, General Electric (GEK-17864A). | |||
: 8. Instructions, Load Limit Circuits and Logic, (BWR), | |||
General Electric,'(GEK-17863B) ~ | |||
9- Instructions, Chest/Shell Warming Circuits and Logic, 3 or 5 Light Conf iguration, Nuclear-BWR, General Electric, (GEK-46351B) . | |||
: 10. Rosemount Pressure Transducer Model 1104A, (GEK-37803). | |||
Current to Voltage Converter, General Electric, (GEK-25580). | |||
12- Instructions, Rate Sensitive Power Load Unbalance Ci rcuit and Relays, ( Nuclear), . General Electric, (GEK-37959A). | |||
13 ~ Flow Control Unit, General Electric, (GEK-25588). | |||
14- Valve Test Logic, (BWR), General Electric, (GEK-37941) . | |||
15 Pressux'e Control Unit, (BWR), General Electric, | |||
~ | |||
(GEK-17885A) ~ | |||
: 16. Turbine Initial Pressure Regulator and Control System, Bypass Control Unit, General Electric,; (GEK-17880). | |||
19 | |||
Report No. 02-,0160-1102 Revision 0 | |||
: 17. Initial Pressure Regulator and Control System, Automatic Load Following Signal, General Electric, | |||
'urbine (GEK 17881 ) ~ | |||
: 18. Automatic Pressure Set-Point Adjust, General Electric, (GEK-17882A). | |||
: 19. Instructions, Electric Alarm and Trip System, General Electric, (GEK-11367C) . | |||
: 20. First Hi t Circuitry, General Electric, (GEK-25557) . | |||
21 Protecti ve System Electrohydraulic Control, Basic Functions, General Electric, M-392, 1971. | |||
: 22. Electric Alarm and Trip System, General Electric, M-393 1971. | |||
: 23. Electrical Power Supplies, General Electric, M-399, 1971. | |||
: 24. Instructions, Testing oZ the Overspeed Trip System, General Electric, (GEK-11383C). | |||
: 25. Backup Overspeed Trip, Electrohydraulic Control System, General Electric, (GEK-17978A). | |||
: 26. Instructions, Electrical Power Supplies, EHC System, General Electric, (GEK-25540A). | |||
: 27. Instruction Manual and Parts List Model 730 and 751 Series Liquid Level Controls, Bulletin: 46-612, Magnetrol International, April 1976. | |||
Traversin In-Core Probe S stem Preliminary, Susquehanna 1 and 2, Operation and Maintenance Instructions, Traversing In-Core Probe Ca'libration System, General Electric (GEK-73601A), | |||
February 1981. | |||
: 2. Operation and Maintenance Instructions, Indexing Mechanism 791E241G4 (GEK-73601A), February 1981. | |||
: 3. Operation and Maintenance Instructions, Drive Mechanism 706E263G13, G14, G15, and G16, General Electric (GEK-39600D), March 1980. | |||
20 | |||
Report No. 02-0160-1102 Revision 0 | |||
: 4. .Operation and Maintenance Instructions, Valve Control Monitor 112C3706G8, G10, and G12, General Electric (GEK-34668D), February 1980. | |||
: 5. Operation and Maintenance Instructions, Valve Control Monitor 112C3706G7, G9, and Gll, General Electric (GEK-34573E), October 1979. | |||
Reactor Manual 'Control S stem | |||
: 1. Susquehanna 1 and 2, Operation and Maintenance Instructions, Reactor Manual Control System, General Electric (GEK-73596A), April 1981. | |||
: 2. Susquehanna 1, Operation and Maintenance Instructions, Control Rod Drive Hydraulics, General Electric (GEK-73595A), March 1981. | |||
Nuclear Pressure Relief S stem | |||
: 1. Susquehanna 1, Operation and Maintenance Instructions, Automatic Depressurization System, General Electric (GEK-73602), February 1979. | |||
5.3 S stem Drawings General References General Electric 8856-Ml-H12-877 SH 1-10 Bechtel E-10 SH 1-3 E-42 SH 14-19, SH 21-22 E-64 SH 1 7g SH ll 28 Reactor Feedwater Control S stem General Electric 8856-Ml-C32-17 SH 1-6 Bechtel 8856-M6-3 SH 11 E-126 SH 1-2 J-127 SH 7, 9 j-427 SH 3 M-106 M-127 SH 1-2 E-114 SH 1-2 E-127 SH 6 Recirculation Flow Control S stem General Electric FF116510 SH 1101-1103 | |||
* 8856-Ml-B31-178 SH 1-21 8856-Ml-B31-189 SH 1-5 8856-Ml-B31-275 SH 1-21 21 | |||
Report No. 02-0160-1102 Revision 0 0 | |||
Recirculation Plow Control S stem (cont'd) | |||
Bechtel M-103 M-105 M-106 M-115 M-140 M-143 E-129 SH 17 J-105 SH 1-10 J-106 SH 1-11 J-115 SH 1-11 J-406 "SH 2 J-410 SH 4 Reactor Water Cleanu S stem General Electric 8856-Mj-G33-140 SH 1-5 Bechtel M-144 Pressure Re ulator and T/G Control General Electric 8856-M2J-6 SH 1-39 8856-M2J-10 SH 1 8856-M2J-34 SH 1-3 8856-M2J-39 SH 1-7 8856-M2J-40 SH 1-10 8856-M2J-112 SH 1-7 Bechtel E>>101 SH 4 E-ill SH 1-4 E-120 SH 1-8 E-121 SH 1-4 E-122 SH 1-4 M-101 Traversin In-Core Probe General Electric 791E413 SH 1-5 | |||
* Bechtel E-177 SH 4, 8 Reactor Manual Control S stem General Electric 8856-Ml-C12-108 SH 1, 2 8856-Ml-C12-110 SH 1-9, SH 11-12, SH 14-32'H 35-36 Bechtel E-158 SH 1-3 E-169 SH 2-4 M-146 M-147 | |||
Report No. 02-0160-1102 Revision 0 Nuclear Pressure Relief System General Electric 8856-B21-'129 SH 1-8 Bechtel E-180 SH 1-8 M-141 M-142 Refuelin Interlock P | |||
General Electric 8856 Ml C12 110 14-32, SH 35-36 SH 1 9g SH ll 12'H 8856-Ml-F21-52 SH 1-19 Rod Block Monitoring Bechtel E-157 SH 1-6 E 177 SH 1I 3 I SH 4 8 | |||
'Note: Bechtel drawing numbers were used except where noted by an asterisk. An asterisk will indicate a General Electric number. | |||
23}} |
Latest revision as of 16:54, 4 February 2020
ML17139B885 | |
Person / Time | |
---|---|
Site: | Susquehanna |
Issue date: | 03/31/1982 |
From: | EDS NUCLEAR, INC. |
To: | |
Shared Package | |
ML17139B884 | List: |
References | |
02-0160-1102, 02-0160-1102-R01, 2-160-1102, 2-160-1102-R1, NUDOCS 8310180481 | |
Download: ML17139B885 (29) | |
Text
CONTROL SYSTEM POKER SUPPLY AND SENSOR MALFUNCTION STUDY Prepared for:
Pennsylvania Power and Light Company Susquehanna Steam Electric Station Prepared by:
EDS Nuclear Ines March, 1982 Report No. 02-0160-1102 Revision 1 831018048i 831014 PDR ADOCK 05000387 P , PDR
I l
Report No. 02-0160-1102 Revisionh 1
CONTROL SYSTEM POWER SUPPLY AND SENSOR MALFUNCTION STUDY TABLE OF CONTENTS Sact1on Pacae 1.0 Introduction 2'0 Executive Summary 3.0 Methodology 4.0 Summary of Results 5 0 References 15 Appendices Appendix A Technical Procedure for the Performance of the Analysis Appendix B Control Systems/Safety Functions Appendix C Control System Identification Diagrams Appendix D Commonality Diagrams Appendix E Failure Modes and Effects Analysis Appendix F Malfunction Analysis Tables
Report No. 02 0160 1102 Revision 0 CONTROL SYSTEM POWER SUPPLY AND SENSOR MALFUNCTION STUDY 1~0 INTRODUCTION On June 15, 1981, Pennsylvania Power and Light Company (PPEL) requested that EDS Nuclear Inc (EDS) assist them in responding
~
to the Safety Evaluation Report (SER) item concerning the failure of non-safety grade control systems due to failure/malfunction of power supplies or sensord that are common to these control sytems for the Susquehanna Steam Electric Station (SSES) ~ Verification was requested to ensure that the subject control system failures would not impact on plant safety.
The objective of the analysis contained herein is twofold-
- 1. To identify power supplies and sensors to two or more non-safety grade control systems.
- 2. To analyze the effects of the failure or malfunction of these power supplies and sensors on control systems to determine if the resulting plant conditions are contained within the boundary of Chapter 15 analysis and are within the capabilities of operators and safety systems.
In order to achieve these objectives, EDS employed a two-phase approach consisting of the Identification Phase and the Analysis Phase. In the Identification Phase, diagrams were generated to identify the non-safety grade control systems and their power supplies and sensors. These diagrams were furtner analyzed in order to determine those common power supplies and sensors. In the Analysis Phase, Failure"Modes and Effect Analyses (FMEA) was utilized to determine the effects of these power supply and sensor failures on their respective control systems and, ultimately, on plant performances The FMEAs were then analyzed to determine the safety implications (if any) for the failure of these control systems.
This report documents the result of this analysis. The methodology employed is described generally in Section 3 ' and in greater detail in Appendix A. A summary of results is presented in general terms in Section 4.0 and in detail in Appendices 3 through F. References are provided in Section 5.0. An Executive Summary is provided in Section 2.0 which highlights the salient results of this project.
C
Report No. 02-0160-1102 Revision 0 c 2. 0 EXECUTIVE
SUMMARY
The purpose of this report is to determine if the failure of common power supplies and sensors foz non-safety grade control systems will impact on plant safety. This was accomplished by first identifying those common power supplies and sensors, then analyzing the effects those control system failures on plant safety. In addition, for those control system failures that impacted on plant safety but were not addressed by Chapter 15 analysis and were not within operator and safety recommendations for plant modification or Chaptersystem'apabilities, 15 reanalysis were made.
The project was divided into two phases the Identification Phase and the Analysis Phase ~ In the identification Phase, key plant safety functions were identified using Chapter
- 15. The control systems that could affect these safety functions were then identified from those listed in Chapter 7'7, "Control Systems Not Required for Safety." The power supplies and sensors that provide power or signals to these control systems were identified'or these key items safety functions, control systems, power supplies, and sensors Control System Identification Diagrams (CSID) were generated to document this information and to assist in further analysis'ower supply and sensor commonality was determined using the CSIDs. A second diagram--Commonali ty Diagram ( CD) --was generated to show the control systems and their associated components that were affected by each common power supply or sensor.
In the Analysis Phase, Failure Modes and Effects Analysis (FMEA) was performed on each common power supply and sensor to determine the effect of the failure on the control sytem and on plant performances Analysis was then performed using the FMEA results to determine the following:
- l. Impact on plant safety including plant response as per Chapter 15.
- 2. If the plant conditions were within operator and safety system capabilities as per Chapter 15 ~
For those conditions that did not meet the criteria of items {l) and {2), recommendations for plant modifications or Chapter 15 reanalysis were provided.
Report No ~ 02-0160-1102 Revision 1 2.2 Results A total of ten power supply and sensor commonalities were identified and analyzed. Of these ten commonalities< n-'ne (9)'were of the power supply type and one (1) was of tne sensor type.
- 1. The failure of power supply 1D635 125 VDC that is common to the Reactor Feedwater Control System and
.Pxessure Regulator and T/G Control System resulted in plant conditions that may not be bounded by Chapter 15 analysis. The condition is generated by a maximum demand signal from the Feedwater System due to a zero flow signal from the B train flow sensor instrumentation being processed by the Feedwater System on loss of the power supply. This power supply also powers the Reactor Feed Pump Turbine C trip cixcuit.
If the reactor vessel high level trip set point is reached in this maximum feed demand situation, RFPTs A and B will trip; RFPT C will continue to operate due to the trip circuit failure.
It should be noted that data is not currently available to verify that the Level 8 txip point will be reached.
EDS, therefore, recommends that the appropriate instrument perfoxmance be reviewed and transient analysis be performed to verify the condition exists.
If the Level 8 trip is not reached< the conditions generated by the failure of 1D635 are bounded by Chapter 15 analysis.
If it is detexmined that the Level 8 trip point is reached, EDS recommends that a plant modification be made to provide different power supplies for the B train feed flow instrumentation and the Reactor Feed Pump Turbine C trip circuit. As an alternate solution, EDS recommends that the maximum feed demand condition in Chapter 15 be reanalyzed to vexify that the failure of the feed pump to trip is, in fact, bounded by current Chapter 15 analysis.
2~ All other common powex supply and sensor failures were detexmined to be either bounded by Chapter 15 analysis and within operator and safety system capabilities or to not impact plant safety. Detailed analysis documenting the results is contained in Section 4.0 and Appendices B through F.
El Report No. 02-0160-1102 Revision 0 3~0 METHODOLOGY As indicated in the introduction, the methodology that was utilized by EDS for this project was designed to meet the following objectives:
- 1. To identify power supplies and sensors to two or more non-safety grade control systems.
- 2. To analyze the effects of the failure or malfunction of these power supplies and sensors on control systems to determine if the resulting plant conditions are contained within the boundary of Chapter 15 analysis and are within the capabilities of oper'ators and safety systems'he methodology employed to achieve these objectives is summarized in this section. A detailed description of this methodology is contained in Appendix "A, "Technical Procedures for the Performance of the Analysis.
A two-phase approach was used as part of this methodology.
Phase 1, the "Identification Phase," consisted of identifying the following items:
Plant safety functions Control systems Power supplies and sensors to the control systems Power supplies and sensors common to control systems Phase 2, the "Analysis Phase," consisted of the analysis of the failure of these common power supplies and sensors with respect to their associated control systems. The control system failures were analyzed with respect to the following criteria:
Plant response as per Chapter 15 Plant conditions within operator and safety system capabilities Reanalysis or modifications required to correct any problems not covered by the first two criteria 3.1 Identification Phase The first part of the identification phase consisted of identifying the non-safety grade control systems that could impact plant safety. In order to accomplish this, it was first necessary to identify those plant safety functions that are required to be met during the various modes of plant operation. The safety functions were generated using Chapter 15, Appendix 15A of the CESAR. The plant operating modes and safety functions were added to the Control System
Report No. 02-0160-1102 Revision 0 Identification Diagrams (CSIDs). These diagrams contain all the identification information required to determine commonality with respect to power supplies and sensors-Subsequent to safety function identification, the control systems which could affect. these safety functions were identified. These control systems were selected from the list of non-safety grade control systems provided in Chapter 7 ' of the FSAR. The control systems were then added to the CSIDs.
The power supplies and sensors required to support these control systems were identified and added to the CSIDs-The power supply identification also included the Cascading Power Supply Effect, that is, the potential for failure of higher level power supplies due to failure of a corresponding lower level power supply'he boundary of the cascading effect was limited to the 120 VAC and 125 VDC instrument and control buses. This boundary was based on information provided by the PPSL Electrical Group concerning credible higher level power supply bus failures. CSIDs are shown in Appendix C.
The final. part of the identification phase was to determine which power supplies and sensors were common to more than one control system. This commonality was accomplished using the CSIDs. Each common power supply and sensor noted was then used as the focal point of a second diagram Commonality Diagram (CD) ~ This diagram presented the common power supply or sensor, the control systems affected, and the key components and circuits that are part of these control systems ~ CDs are shown in Appendix D.'.2 Anal sis Phase The methodology employed in the analysis phase consisted of two parts: Failure Modes and Effects Analysis (FMEA) and Malfunction Analysis. The FMEA technique was used to generate failure effects information on each control system as it pertains to its common mode. power supply or sensor failure. Using the information from the CDs, the overall effect of the power supply or sensor failure was determined with respect to control system and plant performance. The results of this part of the analysis were documented on FMEA forms as contained in Appe'ndix E.
Malfunction analysis was then performed using the FNEAs to determine if the plant conditions generated impacted on plant safety and were within the capabilities of operators and safety systems. The conditions generated as per the
Report No. 02-0160-1102 Revision 0 PMEAs were compared with Chapter 15 analysis for verif ication of plant response, operator response, and safety system response For those plant conditions in which plant safety was impacted without appropriate Chapter 15 analysis and operator and safety system capability 15 analysis verifications, system modifications or Chapter Appendix recommendations were provided. The tables in F were used as a tool to document the malfunction analysis.
This information was then summarized in the results section of this report.
Report No. 02-0160-1102 Revision 0.
- 4. 0
SUMMARY
OF RESULTS The purpose of this effort was to determine if the failure of control common power supplies and sensors for non-safety grade systems could impact on SSES plant safety. The results of this effort are divided into two major areas:
Identification of key elements Control systems that could impact plant safety Power supplies and sensors to these control systems Common power supplies and sensors for these control systems
- 2. Analysis of control system failure Referenced to the FSAR Chapter 15 Within capabilities of operator and safety systems Recommendations for reanalysis or modification if required This section provides a summary of the results determined by EDS with respect to each of the two major areas' more detailed item-by-item listing of the results is contained in Appendices B through F.
4.1 Identification Prior to performing the analysis on the subject control system failure, it was necessary to first determine which of those SSES non-safety grade control system could impact plant safety. Based on the plant safety functions for each control systems described in Chapter 7 ',
plant operating mode as described in Chapter"Control 15 and the Not Required for Safety," the control systems that could System impact plant safety were determined and documented as follows:
1 ~ Reactor Manual Control System
- 2. Recirculation Flow Control System
- 3. Reactor Feedwater Control System 4, ~ Pressure Regulator and Turbine Generator Control System
- 5. Traversing In-Core Probe Control System
- 6. Reactor Water Cleanup Control System
~
7 ~ Refueling Interlock Control System
- 8. Rod Block Monitor System 9 ~ Nuclear Pressure Relief Control System that this list includes those It should be emphasizedcould control systems that impact plant safety. Actual determination of those control systems that, in fact, do impact plant safety would be accomplished during the
Report No. 02-0160-1102 Revision 1 analysis phase of the project- Documentation of the safety functions and control systems is contained in the Control System Identification Diagrams (CSIDs) in Appendix C.
Based on the control system scope as defined in Chapter 7.7, the power supplies and sensors that support each of these control systems were identified. The power supplies identified were those specific 120 VAC and 125 VDC instrument and control power supplies. The sensors identified were those sensors that provide inputs into the control system. Detailed documentation of these power supplies and sensors is also contained in the CSIDs.
In the process of identifying control system power supplies, the Cascading Power Supply Effect was also add"essed. Based on a study performed by the PPGL Electrical Group, it was determined that the only credible cascading power supply failure possible at SSES was that combination of 1Y218 and 1Y219 120 VAC buses. These are the only two instrument and control power supplies that would be subject to the cascading effect based on the design of the SSES electrical distribution system. All other power supplies at a higher level are backed up by either an alternate AC source or a battery.
Upon completion of the power supply and sensor identification, power supply and sensor commonality was determined. Commonality Diagrams (CDs) were generated to show commonality between those control systems identified.
A total of ten (10) commonalities were determined. These commonalities form the basis for the analysis phase of the project. The CDs are contained in Appendix D.
4.2 Analysis The analysis of the control systems that contained common power supplies and sensors was accomplished using Failure Modes and Effects Analysis (BREA), then analyzing the overall impact of each system FMEA on the plant. The FMEAs were generated for each control system as it pertains to the common power supply. or sensor. The detailed results of each FMEA are contained in Appendix E.
Based on the BKAs, the detailed analysis of these control systems was performed. The results are presented here in two categories: (1) Failures that could impact plant
'afety requiring further analysis, and (2) failures that could impact plant safety addressed by Chapter 15/failures that do not impact plant safety.
Report No. 02-0160-1102 Revision 1
- 1. Failures That Could Im act Plant Safet Re irin Further Analysis EDS analysis determined that failure of the power supply 1D635 125 VDC could impact plant safety and therefore requires further analysis. The control systems affected by this power supply failure are the Reactor Feedwater and the Pressure Regulator and T/G Control Systems. The conditions that may not be bounded by Chapter 15 analysis are, however, isolated to the Feedwater System only - specifically the Feedwater Flow Control and Reactor Feedwater Pump Turbine (RFPT) Trip Contxol sub-systems. The loss of this power supply does not generate conditions outside of the boundary of Chapter 15 analysis for the Pressure Regulator and T/G Control System.
Based on data currently available, the sequence of events that result from the loss of this power supply for the Feedwater System is as follows:
- a. HM.le operating at 100% reactor power, the plant experiences a loss of 1D635. The feedwater flow signal from the B train instrumentation powered by 1D635 (Flow Transmitter FTlN002B and SRU 6) changes to zero due to the loss of 1D635- Since the feedwater flow signals from trains A, B and C aze summed, the total feed flow signal changes from 100% feed flow to 67% feed flow subsequent to receiving the erroneous zero signal from the B, train. This introduces a mismatch between steam flow, which is still at 100%, and feed flow which is at 67%.
- b. In response to this steam flow, feed flow mismatch, the Feedwater Flow Contxol System sends a signal to the three RFPT's to inczease feed flow to make up for the erroneous 33% decxease in flow. Actual feed flow at this point would be approximately 135%.
cd Since actual feed flow is significantly greater than that required, the increase in reactor vessel level ~ma rea'ch the Level 8 (high level) 'trip set point ~
d- If the Level 8 trip set point is reached, a trip signal will be sent to RFPTs A, B, and C and the T/G. RFPTs A and B and the T/G trip. RFPT C fails to trip because its trip circuit was disabled upon loss of 1D635.
Report No 02-0160-1102
~
Revision 1 Based on the assumption that the Level 8 set point is reached due to excessive feedwater demand, the resulting conditions are not explicitly addressed by Chapter 15- Chapter 15 states that the plant response to a Level 8 condition, initiated by excess feed flow, should include the trip of all RPPTs and the T/G.
Since the conditions generated subsequent to the failure of RPPT C to trip are not known< it cannot be detexmined if the plant system capabilities are adequate using present Chapter 15 analysis.
The operator does retain the ability to take manual control of the RPPT C to mitigate the effects of its continued operation. The operator would be alerted to the rising reactor vessel level by the Level 7 alarm.
This condition, therefore, appears to be within the capabilities of the operator.
Xn order to resolve this problem, EDS recommends that, first, an analysis (thermal hydraulic and instrument) be conducted to verify that the Level 8 set point will be reached, based on the sequence of events previously postulated. Zf the results of this analysis verify that the Level 8 set point is not reached, then the conditions generated by the loss of power supply 1D635 125 VDC are in fact bounded by Chapter 15 analysis'f the Level 8 set point is reached, then the resulting conditions require further analysis.
Por those conditions not explicitly addressed by Chapter 15 analysis, EDS recommends resolution of this problem be accomplished in one of two ways. A plant modification could be made to remove the commonality between the feedwater flow B process instrumentation (Plow Transmitter and SRU) and the RPPT C trip circuit. Based on EDS failure modes and effects analysis, changing these instruments to an alternate power supply would resolve this problem. 1D615 and XD625 should be eliminated as alternatives since they provide power to the RPPT A and B trip circuits, respectively. EDS recommends that the B train instruments be moved to the AC power supply that is currently providing power to the Peedwater Plow Control Syst: em - 1Y218 Breaker 13. The appropriate conversion devices would also have to be added in order to account for the changeover of these instruments from DC to AC.
Moving these instruments to lY218 would not change the overall effect on the Feedwater Plow Control System subsequent to the loss of lY218- The system effects and plant response as noted in the 1Y218 PMEA would remain the same ~
- 10
Report No- 02-0160-1102 Revision 1 Zt should be noted that if any power supply other than 1Y218 is selected, the appropriate Failure Modes and Effects Analysis should be performed to ensure that a new problem is not created.
The second method of problem resolution would be to analyze the conditions generated by the continued operation of RFPT C to verify that the plant systems will< in fact, mitigate the problem in spite of this new condition.
- 2. Failures That Zm ct Plant Safety Addressed by Cha ter 15/Failures That Do Not Impact Plant Safety The remaining nine (9) control system commonalities have been detexmined by EDS to be eith'er addressed by Chapter 15 or to not impact plant safety. No recommendations fox modification or analysis are required. Each one is summarized as follows:
- a. 1D615 125 VDC The control systems involved with this power supply failure are the Reactor Feedwater Control, Pressure Regulator T/G Control, and Recirculation Flow Contxol. The only plant safety-related condition generated by this failure is a loss of recirculation flow in Loop A and a recirculation runback in Loop B.
This condition and the plant response is covered by Chapter 15 analysis. This condition is also within the capabilities of the operator. Zn addition<
safety system response is not requixed.
b 1D625 125 VDC The control systems involved with this power supply failure are the Reactor Feedwater Control, Pressure Regulator - T/G Control, Recirculation Flow Control, and the Traversing Zn-Coxe Probe. The only plant safety-related condition generated by this failure is a loss of recirculation flow Loop B.
This condition and the plant response for single loop flow are covered by Chaptez 15 analysis. This condition is also within the capabilities of the operator. In addition, safety system response is not required-Report No. 02-0160-1102 Revision 0 C ~ 1D645 125 VDC The control systems involved with this power supply failure are the Reactor Feedwater Control Regulator T/6 Control. The only plant and'ressure safety-related condition generated by this failure is a potential high reactor vessel level due to the failure of the Feedwater B level sensor. .This failure combined with maximum feedwater flow demand (worst case) is addressed in Chapter 15. This vessel high level condition is within operator capabilities since manual control of the Reactor Feedwater Control System is still available. The safety systems that respond per Chapter 15 for this condition possess the necessary capabilities to mitigate the problem.
'd ~ lY218 120 VAC The control systems involved with this power supply failure are the Reactor Feedwater Contol, Reactor Manual Control Recirculation Flow Control, Pressure Regulation T/6 Control, Reactor Water Cleanup, Nuclear Pressure Relief, and Traversing'n-Core Probe The plant safety condition generated by this failure is a potential high or low reactor vessel level resulting from the Feedwater Control System f ailing at maximum or minimum demand. The failure of this power supply involves a "speed freeze" of the reactor feedwater pump turbines (RFPT) ~ A "speed freeze" means that the RFPT speed is locked in at the rate that was present prior to the loss of power. This speed freeze at maximum or minimum demand directly leads to a high or low water level, respectively.
The plant response to the maximum or minimum feed flow demand is addressed in Chapter 15. In the maximum demand condition, a Level 8 trip will result, eventually leading to RFPT trip, T/6 trip, reactor scram, recirculation pump trip, and HPC1'/RCIC actuation. The minimum demand condition condition, as per Chapter 15, will result in a plant response of a Level 3 trip followed by a Level 2 trip This results in a reactor scram,
~
recirculation pump trip, MSIV closure, T/6 trip, and HPCI/RCIC actuation.
12
Report No. 02-0160-1102 Revision 0 The maximum and minimum demand conditions are within operator capabiliti'es. The safety systems conditions that respond per Chapter 15 for these possess the necessary capabilities to mitigate this problem.
It should be noted that although the condition generated in between maximum and minimum feed flow demand is not safety related, it prevents changes from being made on the Reactor Manual Control, Reactor Feedwater Control, and the Recirculation Plow Control systems'pon loss of power, each of these systems remains in the configuration it was in prior to the loss of power. Specifically, rods cannot be moved and feedwater and recirculation flow cannot be altered.
This condition is not beyond operator capabilities, but should be considered when PPSL is generating plant training or operating procedures.
- e. 1Y219. 120 VAC The control systems involved with this power supply failure are the Reactor Manual Control System and the Reactor Water Cleanup System. There are no plant safety-related conditions associated with the loss of this power supply; therefore, no Chapter 15 analysis is required'perator or safety system response is not required.
1Y226 120 VAC The control systems involved with this power supply failure are the Nuclear Pressure Relief System and the Reactor Water Cleanup System. There are no plant safety-related conditions associated with the loss of this power supply; therefore, no Chapter 15 analysis is required. Operator or safety system response is not required.
go 1Y629 120 VAC1 The control systems involved with this power supply failure are the Pressure Regulator T/6 Control, The analysis for lY629 failure is based on T/6 solenoid valves failing "as is." This assumption has to be made due to a lack of specific reference information.
13
Report No. 02-0160-1102 Revision 0 the Reactor Manual Control System, 'and the ~
Recirculation Flow Control System. The conditions associated with this power supply failure are a T/6 trip at less than 30% power or a T/6 trip and reactor scram at greater than 30% power.. The plant response for either condition is covered by Chapter 15 analysis'oth the T/6 trip and the reactor scram are within operator capabilities. These
. conditions are also within the capabilities of the safety systems, including Scram,,HPCI, 'and RCIC, as per Chapter 15.
Feedwater Flow Elements FElNOOl A, B, C The control systems involved with this sensor failure are the Reactor Feedwater Control and the Recirculation Control The plant safety condition
~
generated by this failure is a potential high or low reactor vessel level resulting from the Feedwater Control System failing at maximum or minimum demand. This failure is caused by one feedwater flow element failing such that either a high flow or low flow signal is generated.
The plant response to the maximum or minimum feed flow demand is addressed in Chapter 15. In the maximum demand condition, a Level 8 trip will result, eventually leading to RFPT trip, T/6 trip, reactor scram, recirculation pump trip, and HPCI/RCIC actuation. The minimum demand condition condition, as per Chapter 15, will result in a plant response of a Level 3 trip followed by a Level 2 trip This result in a reactor scram,
~
recirculation pump trip, MSIV closure, T/6 trip, and HPCI/RCIC actuation.
The maximum and minimum demand conditions are within operator capabilities ~ The safety systems
-that respond per Chapter 15 for these conditions possess the necessary capabilities to mitigate this problem.
It should be noted that a flow element failure caused by a mechanical problem (i.e., clogging at the sensing inlet or outlet) would take place over a relatively long period of time Flow degradation should be noted through routine flow indication monitoring'4
Report No. 02-0160-1102 Revision 0
- i. Cascadin Power Su 1 Effect lY218 and 1Y219 120 VAC In analyzing the SSES electrical distribution system, it is possible that a failure in power supply 1X219 could cause power supply 1Y218 to it fail, as well, since supplies power to lY219.
The failure of a higher level power supply due to a failure of a corresponding lower level power supply is defined as the Cascading Power Supply Effect.
The combined failure of lY218 and 1Y219 does not invoke conditions not already covered in the analysis of each of these power supplies in sub-paragraphs (d) and (e) respectively. This combined failure is, therefore, bounded by Chapter 15 analysis and within the capabilities of the operator and safety systems. No other analysis is required.
15
Report No. 02-0160-1102 Revision 0
5.0 REFERENCES
The following is the list of references used during this project:
5.1 General Information Susquehanna Steam Electric Station, Units 1 and 2, Final Safety Analysis Report, Pennsylvania Power and Light Company, Volumes 1-17, Revision 23, 6/81.
5 ' S stem Descri tive References Reactor Feedwater Control S stem Instruction Manuals 4110 and 4125, Alphaline Pressure Transmitters Absolute and Gage, Models 1151AP and 1151GP, Rosemount.
2~ Indicating Switches, Liquid Level-Differential Pressure-Plow Rate, Product/Bullet, in 288A/289A, ITT Barton.
- 3. Bailey Service Manual, Type 771 Narrow Roll Strip-Chart Recorder (4577Kll-300A)
Bailey Parts Manual, Type 771, 772, and 773 Strip-Chart Recorders, (4577Kll-350) ~
- 5. Operating and Instruction Manual, Static Inverter Model N250-MRS-125-60-115, Topaz Electronics, October 1974.
- 6. Information about the (Orifice Plate) Bore Calculation, Vikery-Simms, Inc., VSI Job No ~ - N-1053 and N-1175.
llew 7 ~ Orifice Bore Calculation Liquid Flow, Vike~-Simms, Inc., 2/23/76.
- 8. Pressure Switches Parts Price List, Code 1 Bourdon Tube, Barksdale (Bulletin No. 671221-B), January 1, 1973.
- 9. Bailey Service Manual, Type 745 Single and Dual Alarm,.
( 4574K15-300F ) .
~
10 ~ Bailey Service Manual, Type 754 Function Generator, (4575K14-300A).
Bailey Installation Manual, Type 754 Function Generator, (4575K14-001).
Report No'. 02-0160-1102 Revision 0 12 ~ Bailey Instructions, Type 760001 Voltage Signal Sources, (4576K10-001).
13 'ailey Service Manual, (4575K15-300B).
755 Dynamic Compensator, 14..Bailey Difference Data, Type 755 Dynamic Compensator Cat ~ No ~ 50-755010AAAA1NAB (4575K15-003).
15 ~ Bailey Installation Manual, Type 701 Basic Controller,
(.4570K11-001A).
- 16. Susquehanna 1, Operations and Maintenance Instructions, Feedwater Control System, General Electric (GEK-73592A), April, 1981.
Recirculation Flow Control S stem Susquehanna 1, Operations and Maintenance Instructions,
.Recirculation Flow Control System, General Electric (GEK-73590), February, 1979.
- 2. Bailey Service Manual, Type 724 Logic Unit, (4572K14-300B).
- 3. Bailey Installation Manual, Type 745 Single and Dual Alarm, (4574K15-001A).
4~ Bailey Service Manual, Type 745 Single and Dual Alarm, (4574K15-300F).
- 5. Bailey Installation Manual, Type 752 Two Input and Four Input Summers, (4575K12-001B) .
Installation and Operating Instructions, Regulated DC Power Supplies, General Electric (GEI-54440).
7 ~ Bailey Installation Manual, Type 744 Difference Alarm, (4574K14-001).
- 8. Bailey Installation Manual, Type 720 Utility Stations, (4572K10-001)-
9~ Bailey Service Manual, Type 720 Utility Stations, (4574K10-300).
- 10. Bailey Instructions, Type 766 Signal Resistor Units Cat No. 766--*, (4576K16-007A).
~
17
Report No. 02-0160-1102 Revision 0 Bailey Installation Manual, Type 724 Logic Unit, (4572K14-001).
- 12. Bailey Installation Manual, Type 740 Millivolt Converters, (4574K10-001A).
13 Bailey Service Manual, Type 723 Proportional and Delay Unit, (4572K13-300).
'4.
Bailey Installation Manual, Type 723, Proportional and Delay Unit, (4572K13-001) .
15 ~ Bailey Installation Manual,, Type 746 Signal Limiter, (4574K16-001A)-
16 'Bailey Installation Manual, Type 722 Manual Unit, (4572K12-001).
17 Bailey Service Manual, Type 722 Manual Unit, (4572K12-300A).
'8.
Bailey Installation Manual, Type 721 Control Unit, (4572K11-001).
19 ~ Bailey Service Manual, Type 721 Control Unit, (4572K11-300).
- 20. ACR Panels 120/125V and 24V Feeder Tabulation, Susquehanna Project, Bechtel Power Corporation, Electrical Scheme Group, June 22, 1981.
- 21. Instructions for Operation, Installation, Maintenance, and Calibration, Electronic Flow Transmitter 73G-0049M, Ametek/Schutte s Koerting ( 74S-0269M-001), July, 1974.
- 22. I'nstruction Manual, (4104/4126) Model 1151DP Alphaline, Differential and High Differential Pressure Transmitters, Rosemount (8856-J03-A-25-1).
- 23. Bailey Service Manual, Type 751 Sealer, (4575K11-300F).
- 24. IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems, IEEE Standard 352-1975.
Reactor Water Cleanu S stem Susquehanna 1, Operation and Maintenance Instructions, Reactor Water Cleanup System, General Electric (GEK-73608), February 1979.
18
Repox't No. 02.-0160-1102 Revision 0 Pressure Re ulator and T/G Control S stem Generator Protection, General Electxic (GEK-75512A),
November, 1980.
2~ Basic Functions of Electrohydraulic Control (EHC)
System, Nuclear (Boiling Water Reactor) Units, General Electric (GEK-17911) ~
3~ Protection System Electrohydraulic Control, Basic Functions, General Electric, (GEK-11366).
4~ Speed Control Unit, (Fossil-Baseload, BWR, PWR),
General Electric (GEK-11381E).
t
- 5. Instructions, EHC Line Speed Matcher, General Electric (GEK-17910A) ~
Instructions, Description of Load Control Unit (BWR),
General Electric, (GEK-37946).
7~ Load Control Unit, Load Reference Circuits, Nuclear Units, General Electric (GEK-17864A).
- 8. Instructions, Load Limit Circuits and Logic, (BWR),
General Electric,'(GEK-17863B) ~
9- Instructions, Chest/Shell Warming Circuits and Logic, 3 or 5 Light Conf iguration, Nuclear-BWR, General Electric, (GEK-46351B) .
- 10. Rosemount Pressure Transducer Model 1104A, (GEK-37803).
Current to Voltage Converter, General Electric, (GEK-25580).
12- Instructions, Rate Sensitive Power Load Unbalance Ci rcuit and Relays, ( Nuclear), . General Electric, (GEK-37959A).
13 ~ Flow Control Unit, General Electric, (GEK-25588).
14- Valve Test Logic, (BWR), General Electric, (GEK-37941) .
15 Pressux'e Control Unit, (BWR), General Electric,
~
(GEK-17885A) ~
- 16. Turbine Initial Pressure Regulator and Control System, Bypass Control Unit, General Electric,; (GEK-17880).
19
Report No. 02-,0160-1102 Revision 0
- 17. Initial Pressure Regulator and Control System, Automatic Load Following Signal, General Electric,
'urbine (GEK 17881 ) ~
- 18. Automatic Pressure Set-Point Adjust, General Electric, (GEK-17882A).
- 19. Instructions, Electric Alarm and Trip System, General Electric, (GEK-11367C) .
- 20. First Hi t Circuitry, General Electric, (GEK-25557) .
21 Protecti ve System Electrohydraulic Control, Basic Functions, General Electric, M-392, 1971.
- 22. Electric Alarm and Trip System, General Electric, M-393 1971.
- 23. Electrical Power Supplies, General Electric, M-399, 1971.
- 24. Instructions, Testing oZ the Overspeed Trip System, General Electric, (GEK-11383C).
- 25. Backup Overspeed Trip, Electrohydraulic Control System, General Electric, (GEK-17978A).
- 26. Instructions, Electrical Power Supplies, EHC System, General Electric, (GEK-25540A).
- 27. Instruction Manual and Parts List Model 730 and 751 Series Liquid Level Controls, Bulletin: 46-612, Magnetrol International, April 1976.
Traversin In-Core Probe S stem Preliminary, Susquehanna 1 and 2, Operation and Maintenance Instructions, Traversing In-Core Probe Ca'libration System, General Electric (GEK-73601A),
February 1981.
- 2. Operation and Maintenance Instructions, Indexing Mechanism 791E241G4 (GEK-73601A), February 1981.
- 3. Operation and Maintenance Instructions, Drive Mechanism 706E263G13, G14, G15, and G16, General Electric (GEK-39600D), March 1980.
20
Report No. 02-0160-1102 Revision 0
- 4. .Operation and Maintenance Instructions, Valve Control Monitor 112C3706G8, G10, and G12, General Electric (GEK-34668D), February 1980.
- 5. Operation and Maintenance Instructions, Valve Control Monitor 112C3706G7, G9, and Gll, General Electric (GEK-34573E), October 1979.
Reactor Manual 'Control S stem
- 1. Susquehanna 1 and 2, Operation and Maintenance Instructions, Reactor Manual Control System, General Electric (GEK-73596A), April 1981.
- 2. Susquehanna 1, Operation and Maintenance Instructions, Control Rod Drive Hydraulics, General Electric (GEK-73595A), March 1981.
Nuclear Pressure Relief S stem
- 1. Susquehanna 1, Operation and Maintenance Instructions, Automatic Depressurization System, General Electric (GEK-73602), February 1979.
5.3 S stem Drawings General References General Electric 8856-Ml-H12-877 SH 1-10 Bechtel E-10 SH 1-3 E-42 SH 14-19, SH 21-22 E-64 SH 1 7g SH ll 28 Reactor Feedwater Control S stem General Electric 8856-Ml-C32-17 SH 1-6 Bechtel 8856-M6-3 SH 11 E-126 SH 1-2 J-127 SH 7, 9 j-427 SH 3 M-106 M-127 SH 1-2 E-114 SH 1-2 E-127 SH 6 Recirculation Flow Control S stem General Electric FF116510 SH 1101-1103
- 8856-Ml-B31-178 SH 1-21 8856-Ml-B31-189 SH 1-5 8856-Ml-B31-275 SH 1-21 21
Report No. 02-0160-1102 Revision 0 0
Recirculation Plow Control S stem (cont'd)
Bechtel M-103 M-105 M-106 M-115 M-140 M-143 E-129 SH 17 J-105 SH 1-10 J-106 SH 1-11 J-115 SH 1-11 J-406 "SH 2 J-410 SH 4 Reactor Water Cleanu S stem General Electric 8856-Mj-G33-140 SH 1-5 Bechtel M-144 Pressure Re ulator and T/G Control General Electric 8856-M2J-6 SH 1-39 8856-M2J-10 SH 1 8856-M2J-34 SH 1-3 8856-M2J-39 SH 1-7 8856-M2J-40 SH 1-10 8856-M2J-112 SH 1-7 Bechtel E>>101 SH 4 E-ill SH 1-4 E-120 SH 1-8 E-121 SH 1-4 E-122 SH 1-4 M-101 Traversin In-Core Probe General Electric 791E413 SH 1-5
- Bechtel E-177 SH 4, 8 Reactor Manual Control S stem General Electric 8856-Ml-C12-108 SH 1, 2 8856-Ml-C12-110 SH 1-9, SH 11-12, SH 14-32'H 35-36 Bechtel E-158 SH 1-3 E-169 SH 2-4 M-146 M-147
Report No. 02-0160-1102 Revision 0 Nuclear Pressure Relief System General Electric 8856-B21-'129 SH 1-8 Bechtel E-180 SH 1-8 M-141 M-142 Refuelin Interlock P
General Electric 8856 Ml C12 110 14-32, SH 35-36 SH 1 9g SH ll 12'H 8856-Ml-F21-52 SH 1-19 Rod Block Monitoring Bechtel E-157 SH 1-6 E 177 SH 1I 3 I SH 4 8
'Note: Bechtel drawing numbers were used except where noted by an asterisk. An asterisk will indicate a General Electric number.
23