ML17139B885: Difference between revisions

From kanterella
Jump to navigation Jump to search
(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
Line 17: Line 17:


=Text=
=Text=
{{#Wiki_filter:CONTROLSYSTEMPOKERSUPPLYANDSENSORMALFUNCTIONSTUDYPreparedfor:PennsylvaniaPowerandLightCompanySusquehannaSteamElectricStationPreparedby:EDSNuclearInesMarch,1982ReportNo.02-0160-1102Revision1831018048i831014PDRADOCK05000387P,PDR Il' ReportNo.02-0160-1102Revision1hCONTROLSYSTEMPOWERSUPPLYANDSENSORMALFUNCTIONSTUDYTABLEOFCONTENTSSact1onPacae1.0Introduction2'0ExecutiveSummary3.0Methodology4.0SummaryofResults50References15AppendicesAppendixATechnicalProcedureforthePerformanceoftheAnalysisAppendixBControlSystems/SafetyFunctionsAppendixCControlSystemIdentificationDiagramsAppendixDCommonalityDiagramsAppendixEFailureModesandEffectsAnalysisAppendixFMalfunctionAnalysisTables ReportNo.0201601102Revision0CONTROLSYSTEMPOWERSUPPLYANDSENSORMALFUNCTIONSTUDY1~0INTRODUCTIONOnJune15,1981,PennsylvaniaPowerandLightCompany(PPEL)requestedthatEDSNuclearInc~(EDS)assisttheminrespondingtotheSafetyEvaluationReport(SER)itemconcerningthefailureofnon-safetygradecontrolsystemsduetofailure/malfunctionofpowersuppliesorsensordthatarecommontothesecontrolsytemsfortheSusquehannaSteamElectricStation(SSES)~Verificationwasrequestedtoensurethatthesubjectcontrolsystemfailureswouldnotimpactonplantsafety.Theobjectiveoftheanalysiscontainedhereinistwofold-1.Toidentifypowersuppliesandsensorstotwoormorenon-safetygradecontrolsystems.2.ToanalyzetheeffectsofthefailureormalfunctionofthesepowersuppliesandsensorsoncontrolsystemstodetermineiftheresultingplantconditionsarecontainedwithintheboundaryofChapter15analysisandarewithinthecapabilitiesofoperatorsandsafetysystems.Inordertoachievetheseobjectives,EDSemployedatwo-phaseapproachconsistingoftheIdentificationPhaseandtheAnalysisPhase.IntheIdentificationPhase,diagramsweregeneratedtoidentifythenon-safetygradecontrolsystemsandtheirpowersuppliesandsensors.Thesediagramswerefurtneranalyzedinordertodeterminethosecommonpowersuppliesandsensors.IntheAnalysisPhase,Failure"ModesandEffectAnalyses(FMEA)wasutilizedtodeterminetheeffectsofthesepowersupplyandsensorfailuresontheirrespectivecontrolsystemsand,ultimately,onplantperformancesTheFMEAswerethenanalyzedtodeterminethesafetyimplications(ifany)forthefailureofthesecontrolsystems.Thisreportdocumentstheresultofthisanalysis.ThemethodologyemployedisdescribedgenerallyinSection3'andingreaterdetailinAppendixA.AsummaryofresultsispresentedingeneraltermsinSection4.0andindetailinAppendices3throughF.ReferencesareprovidedinSection5.0.AnExecutiveSummaryisprovidedinSection2.0whichhighlightsthesalientresultsofthisproject.C c2.0EXECUTIVESUMMARYReportNo.02-0160-1102Revision0Thepurposeofthisreportistodetermineifthefailureofcommonpowersuppliesandsensorsfoznon-safetygradecontrolsystemswillimpactonplantsafety.Thiswasaccomplishedbyfirstidentifyingthosecommonpowersuppliesandsensors,thenanalyzingtheeffectsthosecontrolsystemfailuresonplantsafety.Inaddition,forthosecontrolsystemfailuresthatimpactedonplantsafetybutwerenotaddressedbyChapter15analysisandwerenotwithinoperatorandsafetysystem'apabilities,recommendationsforplantmodificationorChapter15reanalysisweremade.Theprojectwasdividedintotwophases-theIdentificationPhaseandtheAnalysisPhase~IntheidentificationPhase,keyplantsafetyfunctionswereidentifiedusingChapter15.ThecontrolsystemsthatcouldaffectthesesafetyfunctionswerethenidentifiedfromthoselistedinChapter7'7,"ControlSystemsNotRequiredforSafety."Thepowersuppliesandsensorsthatprovidepowerorsignalstothesecontrolsystemswereidentified'orthesekeyitems-safetyfunctions,controlsystems,powersupplies,andsensors-ControlSystemIdentificationDiagrams(CSID)weregeneratedtodocumentthisinformationandtoassistinfurtheranalysis'owersupplyandsensorcommonalitywasdeterminedusingtheCSIDs.Aseconddiagram--CommonalityDiagram(CD)--wasgeneratedtoshowthecontrolsystemsandtheirassociatedcomponentsthatwereaffectedbyeachcommonpowersupplyorsensor.IntheAnalysisPhase,FailureModesandEffectsAnalysis(FMEA)wasperformedoneachcommonpowersupplyandsensortodeterminetheeffectofthefailureonthecontrolsytemandonplantperformancesAnalysiswasthenperformedusingtheFMEAresultstodeterminethefollowing:l.ImpactonplantsafetyincludingplantresponseasperChapter15.2.IftheplantconditionswerewithinoperatorandsafetysystemcapabilitiesasperChapter15~Forthoseconditionsthatdidnotmeetthecriteriaofitems{l)and{2),recommendationsforplantmodificationsorChapter15reanalysiswereprovided.
{{#Wiki_filter:CONTROLSYSTEMPOKERSUPPLYANDSENSORMALFUNCTION STUDYPreparedfor:Pennsylvania PowerandLightCompanySusquehanna SteamElectricStationPreparedby:EDSNuclearInesMarch,1982ReportNo.02-0160-1102 Revision1831018048i 831014PDRADOCK05000387P,PDR Il' ReportNo.02-0160-1102 Revision1hCONTROLSYSTEMPOWERSUPPLYANDSENSORMALFUNCTION STUDYTABLEOFCONTENTSSact1onPacae1.0Introduction 2'0Executive Summary3.0Methodology
ReportNo~02-0160-1102Revision12.2ResultsAtotaloftenpowersupplyandsensorcommonalitieswereidentifiedandanalyzed.Ofthesetencommonalities<n-'ne(9)'wereofthepowersupplytypeandone(1)wasoftnesensortype.1.Thefailureofpowersupply1D635125VDCthatiscommontotheReactorFeedwaterControlSystemand.PxessureRegulatorandT/GControlSystemresultedinplantconditionsthatmaynotbeboundedbyChapter15analysis.TheconditionisgeneratedbyamaximumdemandsignalfromtheFeedwaterSystemduetoazeroflowsignalfromtheBtrainflowsensorinstrumentationbeingprocessedbytheFeedwaterSystemonlossofthepowersupply.ThispowersupplyalsopowerstheReactorFeedPumpTurbineCtripcixcuit.Ifthereactorvesselhighleveltripsetpointisreachedinthismaximumfeeddemandsituation,RFPTsAandBwilltrip;RFPTCwillcontinuetooperateduetothetripcircuitfailure.ItshouldbenotedthatdataisnotcurrentlyavailabletoverifythattheLevel8txippointwillbereached.EDS,therefore,recommendsthattheappropriateinstrumentperfoxmancebereviewedandtransientanalysisbeperformedtoverifytheconditionexists.IftheLevel8tripisnotreached<theconditionsgeneratedbythefailureof1D635areboundedbyChapter15analysis.IfitisdetexminedthattheLevel8trippointisreached,EDSrecommendsthataplantmodificationbemadetoprovidedifferentpowersuppliesfortheBtrainfeedflowinstrumentationandtheReactorFeedPumpTurbineCtripcircuit.Asanalternatesolution,EDSrecommendsthatthemaximumfeeddemandconditioninChapter15bereanalyzedtovexifythatthefailureofthefeedpumptotripis,infact,boundedbycurrentChapter15analysis.2~AllothercommonpowexsupplyandsensorfailuresweredetexminedtobeeitherboundedbyChapter15analysisandwithinoperatorandsafetysystemcapabilitiesortonotimpactplantsafety.DetailedanalysisdocumentingtheresultsiscontainedinSection4.0andAppendicesBthroughF.
El ReportNo.02-0160-1102Revision03~0METHODOLOGYAsindicatedintheintroduction,themethodologythatwasutilizedbyEDSforthisprojectwasdesignedtomeetthefollowingobjectives:1.Toidentifypowersuppliesandsensorstotwoormorenon-safetygradecontrolsystems.2.ToanalyzetheeffectsofthefailureormalfunctionofthesepowersuppliesandsensorsoncontrolsystemstodetermineiftheresultingplantconditionsarecontainedwithintheboundaryofChapter15analysisandarewithinthecapabilitiesofoper'atorsandsafetysystems'hemethodologyemployedtoachievetheseobjectivesissummarizedinthissection.AdetaileddescriptionofthismethodologyiscontainedinAppendixA,"TechnicalProceduresforthePerformanceoftheAnalysis."Atwo-phaseapproachwasusedaspartofthismethodology.Phase1,the"IdentificationPhase,"consistedofidentifyingthefollowingitems:PlantsafetyfunctionsControlsystemsPowersuppliesandsensorstothecontrolsystemsPowersuppliesandsensorscommontocontrolsystemsPhase2,the"AnalysisPhase,"consistedoftheanalysisofthefailureofthesecommonpowersuppliesandsensorswithrespecttotheirassociatedcontrolsystems.Thecontrolsystemfailureswereanalyzedwithrespecttothefollowingcriteria:PlantresponseasperChapter15PlantconditionswithinoperatorandsafetysystemcapabilitiesReanalysisormodificationsrequiredtocorrectanyproblemsnotcoveredbythefirsttwocriteria3.1IdentificationPhaseThefirstpartoftheidentificationphaseconsistedofidentifyingthenon-safetygradecontrolsystemsthatcouldimpactplantsafety.Inordertoaccomplishthis,itwasfirstnecessarytoidentifythoseplantsafetyfunctionsthatarerequiredtobemetduringthevariousmodesofplantoperation.ThesafetyfunctionsweregeneratedusingChapter15,Appendix15AoftheCESAR.TheplantoperatingmodesandsafetyfunctionswereaddedtotheControlSystem ReportNo.02-0160-1102Revision0IdentificationDiagrams(CSIDs).Thesediagramscontainalltheidentificationinformationrequiredtodeterminecommonalitywithrespecttopowersuppliesandsensors-Subsequenttosafetyfunctionidentification,thecontrolsystemswhichcouldaffect.thesesafetyfunctionswereidentified.Thesecontrolsystemswereselectedfromthelistofnon-safetygradecontrolsystemsprovidedinChapter7'oftheFSAR.ThecontrolsystemswerethenaddedtotheCSIDs.ThepowersuppliesandsensorsrequiredtosupportthesecontrolsystemswereidentifiedandaddedtotheCSIDs-ThepowersupplyidentificationalsoincludedtheCascadingPowerSupplyEffect,thatis,thepotentialforfailureofhigherlevelpowersuppliesduetofailureofacorrespondinglowerlevelpowersupply'heboundaryofthecascadingeffectwaslimitedtothe120VACand125VDCinstrumentandcontrolbuses.ThisboundarywasbasedoninformationprovidedbythePPSLElectricalGroupconcerningcrediblehigherlevelpowersupplybusfailures.CSIDsareshowninAppendixC.Thefinal.partoftheidentificationphasewastodeterminewhichpowersuppliesandsensorswerecommontomorethanonecontrolsystem.ThiscommonalitywasaccomplishedusingtheCSIDs.Eachcommonpowersupplyandsensornotedwasthenusedasthefocalpointofaseconddiagram-CommonalityDiagram(CD)~Thisdiagrampresentedthecommonpowersupplyorsensor,thecontrolsystemsaffected,andthekeycomponentsandcircuitsthatarepartofthesecontrolsystems~CDsareshowninAppendixD.'.2AnalsisPhaseThemethodologyemployedintheanalysisphaseconsistedoftwoparts:FailureModesandEffectsAnalysis(FMEA)andMalfunctionAnalysis.TheFMEAtechniquewasusedtogeneratefailureeffectsinformationoneachcontrolsystemasitpertainstoitscommonmode.powersupplyorsensorfailure.UsingtheinformationfromtheCDs,theoveralleffectofthepowersupplyorsensorfailurewasdeterminedwithrespecttocontrolsystemandplantperformance.TheresultsofthispartoftheanalysisweredocumentedonFMEAformsascontainedinAppe'ndixE.MalfunctionanalysiswasthenperformedusingtheFNEAstodetermineiftheplantconditionsgeneratedimpactedonplantsafetyandwerewithinthecapabilitiesofoperatorsandsafetysystems.Theconditionsgeneratedasperthe ReportNo.02-0160-1102Revision0PMEAswerecomparedwithChapter15analysisforverificationofplantresponse,operatorresponse,andsafetysystemresponseForthoseplantconditionsinwhichplantsafetywasimpactedwithoutappropriateChapter15analysisandoperatorandsafetysystemcapabilityverifications,systemmodificationsorChapter15analysisrecommendationswereprovided.ThetablesinAppendixFwereusedasatooltodocumentthemalfunctionanalysis.Thisinformationwasthensummarizedintheresultssectionofthisreport.
ReportNo.02-0160-1102Revision0.4.0SUMMARYOFRESULTSThepurposeofthiseffortwastodetermineifthefailureofcommonpowersuppliesandsensorsfornon-safetygradecontrolsystemscouldimpactonSSESplantsafety.Theresultsofthiseffortaredividedintotwomajorareas:IdentificationofkeyelementsControlsystemsthatcouldimpactplantsafetyPowersuppliesandsensorstothesecontrolsystemsCommonpowersuppliesandsensorsforthesecontrolsystems2.AnalysisofcontrolsystemfailureReferencedtotheFSAR-Chapter15WithincapabilitiesofoperatorandsafetysystemsRecommendationsforreanalysisormodificationifrequiredThissectionprovidesasummaryoftheresultsdeterminedbyEDSwithrespecttoeachofthetwomajorareas'moredetaileditem-by-itemlistingoftheresultsiscontainedinAppendicesBthroughF.4.1IdentificationPriortoperformingtheanalysisonthesubjectcontrolsystemfailure,itwasnecessarytofirstdeterminewhichofthoseSSESnon-safetygradecontrolsystemcouldimpactplantsafety.BasedontheplantsafetyfunctionsforeachplantoperatingmodeasdescribedinChapter15andthecontrolsystemsdescribedinChapter7',"ControlSystemNotRequiredforSafety,"thecontrolsystemsthatcouldimpactplantsafetyweredeterminedanddocumentedasfollows:1~2.3.4,~5.6.~7~8.9~ReactorManualControlSystemRecirculationFlowControlSystemReactorFeedwaterControlSystemPressureRegulatorandTurbineGeneratorControlSystemTraversingIn-CoreProbeControlSystemReactorWaterCleanupControlSystemRefuelingInterlockControlSystemRodBlockMonitorSystemNuclearPressureReliefControlSystemItshouldbeemphasizedthatthislistincludesthosecontrolsystemsthatcouldimpactplantsafety.Actualdeterminationofthosecontrolsystemsthat,infact,doimpactplantsafetywouldbeaccomplishedduringthe ReportNo.02-0160-1102Revision1analysisphaseoftheproject-DocumentationofthesafetyfunctionsandcontrolsystemsiscontainedintheControlSystemIdentificationDiagrams(CSIDs)inAppendixC.BasedonthecontrolsystemscopeasdefinedinChapter7.7,thepowersuppliesandsensorsthatsupporteachofthesecontrolsystemswereidentified.Thepowersuppliesidentifiedwerethosespecific120VACand125VDCinstrumentandcontrolpowersupplies.Thesensorsidentifiedwerethosesensorsthatprovideinputsintothecontrolsystem.DetaileddocumentationofthesepowersuppliesandsensorsisalsocontainedintheCSIDs.Intheprocessofidentifyingcontrolsystempowersupplies,theCascadingPowerSupplyEffectwasalsoadd"essed.BasedonastudyperformedbythePPGLElectricalGroup,itwasdeterminedthattheonlycrediblecascadingpowersupplyfailurepossibleatSSESwasthatcombinationof1Y218and1Y219120VACbuses.ThesearetheonlytwoinstrumentandcontrolpowersuppliesthatwouldbesubjecttothecascadingeffectbasedonthedesignoftheSSESelectricaldistributionsystem.AllotherpowersuppliesatahigherlevelarebackedupbyeitheranalternateACsourceorabattery.Uponcompletionofthepowersupplyandsensoridentification,powersupplyandsensorcommonalitywasdetermined.CommonalityDiagrams(CDs)weregeneratedtoshowcommonalitybetweenthosecontrolsystemsidentified.Atotaloften(10)commonalitiesweredetermined.Thesecommonalitiesformthebasisfortheanalysisphaseoftheproject.TheCDsarecontainedinAppendixD.4.2AnalysisTheanalysisofthecontrolsystemsthatcontainedcommonpowersuppliesandsensorswasaccomplishedusingFailureModesandEffectsAnalysis(BREA),thenanalyzingtheoverallimpactofeachsystemFMEAontheplant.TheFMEAsweregeneratedforeachcontrolsystemasitpertainstothecommonpowersupply.orsensor.ThedetailedresultsofeachFMEAarecontainedinAppendixE.BasedontheBKAs,thedetailedanalysisofthesecontrolsystemswasperformed.Theresultsarepresentedhereintwocategories:(1)Failuresthatcouldimpactplant'afetyrequiringfurtheranalysis,and(2)failuresthatcouldimpactplantsafetyaddressedbyChapter15/failuresthatdonotimpactplantsafety.
ReportNo.02-0160-1102Revision11.FailuresThatCouldImactPlantSafetReirinFurtherAnalysisEDSanalysisdeterminedthatfailureofthepowersupply1D635125VDCcouldimpactplantsafetyandthereforerequiresfurtheranalysis.ThecontrolsystemsaffectedbythispowersupplyfailurearetheReactorFeedwaterandthePressureRegulatorandT/GControlSystems.TheconditionsthatmaynotbeboundedbyChapter15analysisare,however,isolatedtotheFeedwaterSystemonly-specificallytheFeedwaterFlowControlandReactorFeedwaterPumpTurbine(RFPT)TripContxolsub-systems.ThelossofthispowersupplydoesnotgenerateconditionsoutsideoftheboundaryofChapter15analysisforthePressureRegulatorandT/GControlSystem.Basedondatacurrentlyavailable,thesequenceofeventsthatresultfromthelossofthispowersupplyfortheFeedwaterSystemisasfollows:a.HM.leoperatingat100%reactorpower,theplantexperiencesalossof1D635.ThefeedwaterflowsignalfromtheBtraininstrumentationpoweredby1D635(FlowTransmitterFTlN002BandSRU6)changestozeroduetothelossof1D635-SincethefeedwaterflowsignalsfromtrainsA,BandCazesummed,thetotalfeedflowsignalchangesfrom100%feedflowto67%feedflowsubsequenttoreceivingtheerroneouszerosignalfromtheB,train.Thisintroducesamismatchbetweensteamflow,whichisstillat100%,andfeedflowwhichisat67%.b.Inresponsetothissteamflow,feedflowmismatch,theFeedwaterFlowContxolSystemsendsasignaltothethreeRFPT'stoinczeasefeedflowtomakeupfortheerroneous33%decxeaseinflow.Actualfeedflowatthispointwouldbeapproximately135%.cdSinceactualfeedflowissignificantlygreaterthanthatrequired,theincreaseinreactorvessellevel~marea'chtheLevel8(highlevel)'tripsetpoint~d-IftheLevel8tripsetpointisreached,atripsignalwillbesenttoRFPTsA,B,andCandtheT/G.RFPTsAandBandtheT/Gtrip.RFPTCfailstotripbecauseitstripcircuitwasdisableduponlossof1D635.
ReportNo~02-0160-1102Revision1BasedontheassumptionthattheLevel8setpointisreachedduetoexcessivefeedwaterdemand,theresultingconditionsarenotexplicitlyaddressedbyChapter15-Chapter15statesthattheplantresponsetoaLevel8condition,initiatedbyexcessfeedflow,shouldincludethetripofallRPPTsandtheT/G.SincetheconditionsgeneratedsubsequenttothefailureofRPPTCtotriparenotknown<itcannotbedetexminediftheplantsystemcapabilitiesareadequateusingpresentChapter15analysis.TheoperatordoesretaintheabilitytotakemanualcontroloftheRPPTCtomitigatetheeffectsofitscontinuedoperation.TheoperatorwouldbealertedtotherisingreactorvessellevelbytheLevel7alarm.Thiscondition,therefore,appearstobewithinthecapabilitiesoftheoperator.Xnordertoresolvethisproblem,EDSrecommendsthat,first,ananalysis(thermalhydraulicandinstrument)beconductedtoverifythattheLevel8setpointwillbereached,basedonthesequenceofeventspreviouslypostulated.ZftheresultsofthisanalysisverifythattheLevel8setpointisnotreached,thentheconditionsgeneratedbythelossofpowersupply1D635125VDCareinfactboundedbyChapter15analysis'ftheLevel8setpointisreached,thentheresultingconditionsrequirefurtheranalysis.PorthoseconditionsnotexplicitlyaddressedbyChapter15analysis,EDSrecommendsresolutionofthisproblembeaccomplishedinoneoftwoways.AplantmodificationcouldbemadetoremovethecommonalitybetweenthefeedwaterflowBprocessinstrumentation(PlowTransmitterandSRU)andtheRPPTCtripcircuit.BasedonEDSfailuremodesandeffectsanalysis,changingtheseinstrumentstoanalternatepowersupplywouldresolvethisproblem.1D615andXD625shouldbeeliminatedasalternativessincetheyprovidepowertotheRPPTAandBtripcircuits,respectively.EDSrecommendsthattheBtraininstrumentsbemovedtotheACpowersupplythatiscurrentlyprovidingpowertothePeedwaterPlowControlSyst:em-1Y218Breaker13.TheappropriateconversiondeviceswouldalsohavetobeaddedinordertoaccountforthechangeoveroftheseinstrumentsfromDCtoAC.MovingtheseinstrumentstolY218wouldnotchangetheoveralleffectontheFeedwaterPlowControlSystemsubsequenttothelossoflY218-Thesystemeffectsandplantresponseasnotedinthe1Y218PMEAwouldremainthesame~-10 ReportNo-02-0160-1102Revision1Ztshouldbenotedthatifanypowersupplyotherthan1Y218isselected,theappropriateFailureModesandEffectsAnalysisshouldbeperformedtoensurethatanewproblemisnotcreated.ThesecondmethodofproblemresolutionwouldbetoanalyzetheconditionsgeneratedbythecontinuedoperationofRFPTCtoverifythattheplantsystemswill<infact,mitigatetheprobleminspiteofthisnewcondition.2.FailuresThatZmctPlantSafetyAddressedbyChater15/FailuresThatDoNotImpactPlantSafetyTheremainingnine(9)controlsystemcommonalitieshavebeendetexminedbyEDStobeeith'eraddressedbyChapter15ortonotimpactplantsafety.Norecommendationsfoxmodificationoranalysisarerequired.Eachoneissummarizedasfollows:a.1D615125VDCThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwaterControl,PressureRegulator-T/GControl,andRecirculationFlowContxol.Theonlyplantsafety-relatedconditiongeneratedbythisfailureisalossofrecirculationflowinLoopAandarecirculationrunbackinLoopB.ThisconditionandtheplantresponseiscoveredbyChapter15analysis.Thisconditionisalsowithinthecapabilitiesoftheoperator.Znaddition<safetysystemresponseisnotrequixed.b1D625125VDCThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwaterControl,PressureRegulator-T/GControl,RecirculationFlowControl,andtheTraversingZn-CoxeProbe.Theonlyplantsafety-relatedconditiongeneratedbythisfailureisalossofrecirculationflowLoopB.ThisconditionandtheplantresponseforsingleloopflowarecoveredbyChaptez15analysis.Thisconditionisalsowithinthecapabilitiesoftheoperator.Inaddition,safetysystemresponseisnotrequired-ReportNo.02-0160-1102Revision0C~1D645125VDCThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwaterControland'ressureRegulator-T/6Control.Theonlyplantsafety-relatedconditiongeneratedbythisfailureisapotentialhighreactorvessellevelduetothefailureoftheFeedwaterBlevelsensor..Thisfailurecombinedwithmaximumfeedwaterflowdemand(worstcase)isaddressedinChapter15.ThisvesselhighlevelconditioniswithinoperatorcapabilitiessincemanualcontroloftheReactorFeedwaterControlSystemisstillavailable.ThesafetysystemsthatrespondperChapter15forthisconditionpossessthenecessarycapabilitiestomitigatetheproblem.'d~lY218120VACThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwaterContol,ReactorManualControlRecirculationFlowControl,PressureRegulation-T/6Control,ReactorWaterCleanup,NuclearPressureRelief,andTraversing'n-CoreProbeTheplantsafetyconditiongeneratedbythisfailureisapotentialhighorlowreactorvessellevelresultingfromtheFeedwaterControlSystemfailingatmaximumorminimumdemand.Thefailureofthispowersupplyinvolvesa"speedfreeze"ofthereactorfeedwaterpumpturbines(RFPT)~A"speedfreeze"meansthattheRFPTspeedislockedinattheratethatwaspresentpriortothelossofpower.Thisspeedfreezeatmaximumorminimumdemanddirectlyleadstoahighorlowwaterlevel,respectively.TheplantresponsetothemaximumorminimumfeedflowdemandisaddressedinChapter15.Inthemaximumdemandcondition,aLevel8tripwillresult,eventuallyleadingtoRFPTtrip,T/6trip,reactorscram,recirculationpumptrip,andHPC1'/RCICactuation.Theminimumdemandconditioncondition,asperChapter15,willresultinaplantresponseofaLevel3tripfollowedbyaLevel2trip~Thisresultsinareactorscram,recirculationpumptrip,MSIVclosure,T/6trip,andHPCI/RCICactuation.12


ReportNo.02-0160-1102Revision0Themaximumandminimumdemandconditionsarewithinoperatorcapabiliti'es.ThesafetysystemsthatrespondperChapter15fortheseconditionspossessthenecessarycapabilitiestomitigatethisproblem.Itshouldbenotedthatalthoughtheconditiongeneratedinbetweenmaximumandminimumfeedflowdemandisnotsafetyrelated,itpreventschangesfrombeingmadeontheReactorManualControl,ReactorFeedwaterControl,andtheRecirculationPlowControlsystems'ponlossofpower,eachofthesesystemsremainsintheconfigurationitwasinpriortothelossofpower.Specifically,rodscannotbemovedandfeedwaterandrecirculationflowcannotbealtered.Thisconditionisnotbeyondoperatorcapabilities,butshouldbeconsideredwhenPPSLisgeneratingplanttrainingoroperatingprocedures.e.1Y219.120VACThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorManualControlSystemandtheReactorWaterCleanupSystem.Therearenoplantsafety-relatedconditionsassociatedwiththelossofthispowersupply;therefore,noChapter15analysisisrequired'peratororsafetysystemresponseisnotrequired.1Y226120VACgoThecontrolsystemsinvolvedwiththispowersupplyfailurearetheNuclearPressureReliefSystemandtheReactorWaterCleanupSystem.Therearenoplantsafety-relatedconditionsassociatedwiththelossofthispowersupply;therefore,noChapter15analysisisrequired.Operatororsafetysystemresponseisnotrequired.1Y629120VAC1ThecontrolsystemsinvolvedwiththispowersupplyfailurearethePressureRegulator-T/6Control,TheanalysisforlY629failureisbasedonT/6solenoidvalvesfailing"asis."Thisassumptionhastobemadeduetoalackofspecificreferenceinformation.13 ReportNo.02-0160-1102Revision0theReactorManualControlSystem,'andthe~RecirculationFlowControlSystem.TheconditionsassociatedwiththispowersupplyfailureareaT/6tripatlessthan30%poweroraT/6tripandreactorscramatgreaterthan30%power..TheplantresponseforeitherconditioniscoveredbyChapter15analysis'oththeT/6tripandthereactorscramarewithinoperatorcapabilities.These.conditionsarealsowithinthecapabilitiesofthesafetysystems,includingScram,,HPCI,'andRCIC,asperChapter15.FeedwaterFlowElements-FElNOOlA,B,CThecontrolsystemsinvolvedwiththissensorfailurearetheReactorFeedwaterControlandtheRecirculationControl~TheplantsafetyconditiongeneratedbythisfailureisapotentialhighorlowreactorvessellevelresultingfromtheFeedwaterControlSystemfailingatmaximumorminimumdemand.Thisfailureiscausedbyonefeedwaterflowelementfailingsuchthateitherahighfloworlowflowsignalisgenerated.TheplantresponsetothemaximumorminimumfeedflowdemandisaddressedinChapter15.Inthemaximumdemandcondition,aLevel8tripwillresult,eventuallyleadingtoRFPTtrip,T/6trip,reactorscram,recirculationpumptrip,andHPCI/RCICactuation.Theminimumdemandconditioncondition,asperChapter15,willresultinaplantresponseofaLevel3tripfollowedbyaLevel2trip~Thisresultinareactorscram,recirculationpumptrip,MSIVclosure,T/6trip,andHPCI/RCICactuation.Themaximumandminimumdemandconditionsarewithinoperatorcapabilities~Thesafetysystems-thatrespondperChapter15fortheseconditionspossessthenecessarycapabilitiestomitigatethisproblem.Itshouldbenotedthataflowelementfailurecausedbyamechanicalproblem(i.e.,cloggingatthesensinginletoroutlet)wouldtakeplaceoverarelativelylongperiodoftimeFlowdegradationshouldbenotedthroughroutineflowindicationmonitoring'4 ReportNo.02-0160-1102Revision0i.CascadinPowerSu1Effect-lY218and1Y219120VACInanalyzingtheSSESelectricaldistributionsystem,itispossiblethatafailureinpowersupply1X219couldcausepowersupply1Y218tofail,aswell,sinceitsuppliespowertolY219.ThefailureofahigherlevelpowersupplyduetoafailureofacorrespondinglowerlevelpowersupplyisdefinedastheCascadingPowerSupplyEffect.ThecombinedfailureoflY218and1Y219doesnotinvokeconditionsnotalreadycoveredintheanalysisofeachofthesepowersuppliesinsub-paragraphs(d)and(e)respectively.Thiscombinedfailureis,therefore,boundedbyChapter15analysisandwithinthecapabilitiesoftheoperatorandsafetysystems.Nootheranalysisisrequired.15  
==4.0 SummaryofResults50References==
15Appendices AppendixATechnical Procedure forthePerformance oftheAnalysisAppendixBControlSystems/Safety Functions AppendixCControlSystemIdentification DiagramsAppendixDCommonality DiagramsAppendixEFailureModesandEffectsAnalysisAppendixFMalfunction AnalysisTables ReportNo.0201601102Revision0CONTROLSYSTEMPOWERSUPPLYANDSENSORMALFUNCTION STUDY1~0INTRODUCTION OnJune15,1981,Pennsylvania PowerandLightCompany(PPEL)requested thatEDSNuclearInc~(EDS)assisttheminresponding totheSafetyEvaluation Report(SER)itemconcerning thefailureofnon-safety gradecontrolsystemsduetofailure/malfunction ofpowersuppliesorsensordthatarecommontothesecontrolsytemsfortheSusquehanna SteamElectricStation(SSES)~Verification wasrequested toensurethatthesubjectcontrolsystemfailureswouldnotimpactonplantsafety.Theobjective oftheanalysiscontained hereinistwofold-1.Toidentifypowersuppliesandsensorstotwoormorenon-safety gradecontrolsystems.2.Toanalyzetheeffectsofthefailureormalfunction ofthesepowersuppliesandsensorsoncontrolsystemstodetermine iftheresulting plantconditions arecontained withintheboundaryofChapter15analysisandarewithinthecapabilities ofoperators andsafetysystems.Inordertoachievetheseobjectives, EDSemployedatwo-phase approachconsisting oftheIdentification PhaseandtheAnalysisPhase.IntheIdentification Phase,diagramsweregenerated toidentifythenon-safety gradecontrolsystemsandtheirpowersuppliesandsensors.Thesediagramswerefurtneranalyzedinordertodetermine thosecommonpowersuppliesandsensors.IntheAnalysisPhase,Failure"Modes andEffectAnalyses(FMEA)wasutilizedtodetermine theeffectsofthesepowersupplyandsensorfailuresontheirrespective controlsystemsand,ultimately, onplantperformances TheFMEAswerethenanalyzedtodetermine thesafetyimplications (ifany)forthefailureofthesecontrolsystems.Thisreportdocuments theresultofthisanalysis.
Themethodology employedisdescribed generally inSection3'andingreaterdetailinAppendixA.Asummaryofresultsispresented ingeneraltermsinSection4.0andindetailinAppendices 3throughF.References areprovidedinSection5.0.AnExecutive SummaryisprovidedinSection2.0whichhighlights thesalientresultsofthisproject.C c2.0EXECUTIVE SUMMARYReportNo.02-0160-1102 Revision0Thepurposeofthisreportistodetermine ifthefailureofcommonpowersuppliesandsensorsfoznon-safety gradecontrolsystemswillimpactonplantsafety.Thiswasaccomplished byfirstidentifying thosecommonpowersuppliesandsensors,thenanalyzing theeffectsthosecontrolsystemfailuresonplantsafety.Inaddition, forthosecontrolsystemfailuresthatimpactedonplantsafetybutwerenotaddressed byChapter15analysisandwerenotwithinoperatorandsafetysystem'apabilities, recommendations forplantmodification orChapter15reanalysis weremade.Theprojectwasdividedintotwophases-theIdentification PhaseandtheAnalysisPhase~Intheidentification Phase,keyplantsafetyfunctions wereidentified usingChapter15.Thecontrolsystemsthatcouldaffectthesesafetyfunctions werethenidentified fromthoselistedinChapter7'7,"ControlSystemsNotRequiredforSafety."Thepowersuppliesandsensorsthatprovidepowerorsignalstothesecontrolsystemswereidentified'or thesekeyitems-safetyfunctions, controlsystems,powersupplies, andsensors-ControlSystemIdentification Diagrams(CSID)weregenerated todocumentthisinformation andtoassistinfurtheranalysis'ower supplyandsensorcommonality wasdetermined usingtheCSIDs.Aseconddiagram--Commonali tyDiagram(CD)--wasgenerated toshowthecontrolsystemsandtheirassociated components thatwereaffectedbyeachcommonpowersupplyorsensor.IntheAnalysisPhase,FailureModesandEffectsAnalysis(FMEA)wasperformed oneachcommonpowersupplyandsensortodetermine theeffectofthefailureonthecontrolsytemandonplantperformances Analysiswasthenperformed usingtheFMEAresultstodetermine thefollowing:
l.Impactonplantsafetyincluding plantresponseasperChapter15.2.Iftheplantconditions werewithinoperatorandsafetysystemcapabilities asperChapter15~Forthoseconditions thatdidnotmeetthecriteriaofitems{l)and{2),recommendations forplantmodifications orChapter15reanalysis wereprovided.
ReportNo~02-0160-1102 Revision12.2ResultsAtotaloftenpowersupplyandsensorcommonalities wereidentified andanalyzed.
Ofthesetencommonalities<
n-'ne(9)'wereofthepowersupplytypeandone(1)wasoftnesensortype.1.Thefailureofpowersupply1D635125VDCthatiscommontotheReactorFeedwater ControlSystemand.Pxessure Regulator andT/GControlSystemresultedinplantconditions thatmaynotbeboundedbyChapter15analysis.
Thecondition isgenerated byamaximumdemandsignalfromtheFeedwater SystemduetoazeroflowsignalfromtheBtrainflowsensorinstrumentation beingprocessed bytheFeedwater Systemonlossofthepowersupply.ThispowersupplyalsopowerstheReactorFeedPumpTurbineCtripcixcuit.Ifthereactorvesselhighleveltripsetpointisreachedinthismaximumfeeddemandsituation, RFPTsAandBwilltrip;RFPTCwillcontinuetooperateduetothetripcircuitfailure.Itshouldbenotedthatdataisnotcurrently available toverifythattheLevel8txippointwillbereached.EDS,therefore, recommends thattheappropriate instrument perfoxmance bereviewedandtransient analysisbeperformed toverifythecondition exists.IftheLevel8tripisnotreached<theconditions generated bythefailureof1D635areboundedbyChapter15analysis.
Ifitisdetexmined thattheLevel8trippointisreached,EDSrecommends thataplantmodification bemadetoprovidedifferent powersuppliesfortheBtrainfeedflowinstrumentation andtheReactorFeedPumpTurbineCtripcircuit.Asanalternate
: solution, EDSrecommends thatthemaximumfeeddemandcondition inChapter15bereanalyzed tovexifythatthefailureofthefeedpumptotripis,infact,boundedbycurrentChapter15analysis.
2~Allothercommonpowexsupplyandsensorfailuresweredetexmined tobeeitherboundedbyChapter15analysisandwithinoperatorandsafetysystemcapabilities ortonotimpactplantsafety.Detailedanalysisdocumenting theresultsiscontained inSection4.0andAppendices BthroughF.
El ReportNo.02-0160-1102 Revision03~0METHODOLOGY Asindicated intheintroduction, themethodology thatwasutilizedbyEDSforthisprojectwasdesignedtomeetthefollowing objectives:
1.Toidentifypowersuppliesandsensorstotwoormorenon-safety gradecontrolsystems.2.Toanalyzetheeffectsofthefailureormalfunction ofthesepowersuppliesandsensorsoncontrolsystemstodetermine iftheresulting plantconditions arecontained withintheboundaryofChapter15analysisandarewithinthecapabilities ofoper'ators andsafetysystems'he methodology employedtoachievetheseobjectives issummarized inthissection.Adetaileddescription ofthismethodology iscontained inAppendixA,"Technical Procedures forthePerformance oftheAnalysis.
"Atwo-phase approachwasusedaspartofthismethodology.
Phase1,the"Identification Phase,"consisted ofidentifying thefollowing items:Plantsafetyfunctions ControlsystemsPowersuppliesandsensorstothecontrolsystemsPowersuppliesandsensorscommontocontrolsystemsPhase2,the"Analysis Phase,"consisted oftheanalysisofthefailureofthesecommonpowersuppliesandsensorswithrespecttotheirassociated controlsystems.Thecontrolsystemfailureswereanalyzedwithrespecttothefollowing criteria:
PlantresponseasperChapter15Plantconditions withinoperatorandsafetysystemcapabilities Reanalysis ormodifications requiredtocorrectanyproblemsnotcoveredbythefirsttwocriteria3.1Identification PhaseThefirstpartoftheidentification phaseconsisted ofidentifying thenon-safety gradecontrolsystemsthatcouldimpactplantsafety.Inordertoaccomplish this,itwasfirstnecessary toidentifythoseplantsafetyfunctions thatarerequiredtobemetduringthevariousmodesofplantoperation.
Thesafetyfunctions weregenerated usingChapter15,Appendix15AoftheCESAR.Theplantoperating modesandsafetyfunctions wereaddedtotheControlSystem ReportNo.02-0160-1102 Revision0Identification Diagrams(CSIDs).Thesediagramscontainalltheidentification information requiredtodetermine commonality withrespecttopowersuppliesandsensors-Subsequent tosafetyfunctionidentification, thecontrolsystemswhichcouldaffect.thesesafetyfunctions wereidentified.
Thesecontrolsystemswereselectedfromthelistofnon-safety gradecontrolsystemsprovidedinChapter7'oftheFSAR.ThecontrolsystemswerethenaddedtotheCSIDs.Thepowersuppliesandsensorsrequiredtosupportthesecontrolsystemswereidentified andaddedtotheCSIDs-Thepowersupplyidentification alsoincludedtheCascading PowerSupplyEffect,thatis,thepotential forfailureofhigherlevelpowersuppliesduetofailureofacorresponding lowerlevelpowersupply'he boundaryofthecascading effectwaslimitedtothe120VACand125VDCinstrument andcontrolbuses.Thisboundarywasbasedoninformation providedbythePPSLElectrical Groupconcerning crediblehigherlevelpowersupplybusfailures.
CSIDsareshowninAppendixC.Thefinal.partoftheidentification phasewastodetermine whichpowersuppliesandsensorswerecommontomorethanonecontrolsystem.Thiscommonality wasaccomplished usingtheCSIDs.Eachcommonpowersupplyandsensornotedwasthenusedasthefocalpointofaseconddiagram-Commonality Diagram(CD)~Thisdiagrampresented thecommonpowersupplyorsensor,thecontrolsystemsaffected, andthekeycomponents andcircuitsthatarepartofthesecontrolsystems~CDsareshowninAppendixD.'.2AnalsisPhaseThemethodology employedintheanalysisphaseconsisted oftwoparts:FailureModesandEffectsAnalysis(FMEA)andMalfunction Analysis.
TheFMEAtechnique wasusedtogeneratefailureeffectsinformation oneachcontrolsystemasitpertainstoitscommonmode.powersupplyorsensorfailure.Usingtheinformation fromtheCDs,theoveralleffectofthepowersupplyorsensorfailurewasdetermined withrespecttocontrolsystemandplantperformance.
Theresultsofthispartoftheanalysisweredocumented onFMEAformsascontained inAppe'ndix E.Malfunction analysiswasthenperformed usingtheFNEAstodetermine iftheplantconditions generated impactedonplantsafetyandwerewithinthecapabilities ofoperators andsafetysystems.Theconditions generated asperthe ReportNo.02-0160-1102 Revision0PMEAswerecomparedwithChapter15analysisforverificationofplantresponse, operatorresponse, andsafetysystemresponseForthoseplantconditions inwhichplantsafetywasimpactedwithoutappropriate Chapter15analysisandoperatorandsafetysystemcapability verifications, systemmodifications orChapter15analysisrecommendations wereprovided.
ThetablesinAppendixFwereusedasatooltodocumentthemalfunction analysis.
Thisinformation wasthensummarized intheresultssectionofthisreport.
ReportNo.02-0160-1102 Revision0.4.0SUMMARYOFRESULTSThepurposeofthiseffortwastodetermine ifthefailureofcommonpowersuppliesandsensorsfornon-safety gradecontrolsystemscouldimpactonSSESplantsafety.Theresultsofthiseffortaredividedintotwomajorareas:Identification ofkeyelementsControlsystemsthatcouldimpactplantsafetyPowersuppliesandsensorstothesecontrolsystemsCommonpowersuppliesandsensorsforthesecontrolsystems2.AnalysisofcontrolsystemfailureReferenced totheFSAR-Chapter15Withincapabilities ofoperatorandsafetysystemsRecommendations forreanalysis ormodification ifrequiredThissectionprovidesasummaryoftheresultsdetermined byEDSwithrespecttoeachofthetwomajorareas'moredetaileditem-by-item listingoftheresultsiscontained inAppendices BthroughF.4.1Identification Priortoperforming theanalysisonthesubjectcontrolsystemfailure,itwasnecessary tofirstdetermine whichofthoseSSESnon-safety gradecontrolsystemcouldimpactplantsafety.Basedontheplantsafetyfunctions foreachplantoperating modeasdescribed inChapter15andthecontrolsystemsdescribed inChapter7',"ControlSystemNotRequiredforSafety,"thecontrolsystemsthatcouldimpactplantsafetyweredetermined anddocumented asfollows:1~2.3.4,~5.6.~7~8.9~ReactorManualControlSystemRecirculation FlowControlSystemReactorFeedwater ControlSystemPressureRegulator andTurbineGenerator ControlSystemTraversing In-CoreProbeControlSystemReactorWaterCleanupControlSystemRefueling Interlock ControlSystemRodBlockMonitorSystemNuclearPressureReliefControlSystemItshouldbeemphasized thatthislistincludesthosecontrolsystemsthatcouldimpactplantsafety.Actualdetermination ofthosecontrolsystemsthat,infact,doimpactplantsafetywouldbeaccomplished duringthe ReportNo.02-0160-1102 Revision1analysisphaseoftheproject-Documentation ofthesafetyfunctions andcontrolsystemsiscontained intheControlSystemIdentification Diagrams(CSIDs)inAppendixC.BasedonthecontrolsystemscopeasdefinedinChapter7.7,thepowersuppliesandsensorsthatsupporteachofthesecontrolsystemswereidentified.
Thepowersuppliesidentified werethosespecific120VACand125VDCinstrument andcontrolpowersupplies.
Thesensorsidentified werethosesensorsthatprovideinputsintothecontrolsystem.Detaileddocumentation ofthesepowersuppliesandsensorsisalsocontained intheCSIDs.Intheprocessofidentifying controlsystempowersupplies, theCascading PowerSupplyEffectwasalsoadd"essed.
Basedonastudyperformed bythePPGLElectrical Group,itwasdetermined thattheonlycrediblecascading powersupplyfailurepossibleatSSESwasthatcombination of1Y218and1Y219120VACbuses.Thesearetheonlytwoinstrument andcontrolpowersuppliesthatwouldbesubjecttothecascading effectbasedonthedesignoftheSSESelectrical distribution system.Allotherpowersuppliesatahigherlevelarebackedupbyeitheranalternate ACsourceorabattery.Uponcompletion ofthepowersupplyandsensoridentification, powersupplyandsensorcommonality wasdetermined.
Commonality Diagrams(CDs)weregenerated toshowcommonality betweenthosecontrolsystemsidentified.
Atotaloften(10)commonalities weredetermined.
Thesecommonalities formthebasisfortheanalysisphaseoftheproject.TheCDsarecontained inAppendixD.4.2AnalysisTheanalysisofthecontrolsystemsthatcontained commonpowersuppliesandsensorswasaccomplished usingFailureModesandEffectsAnalysis(BREA),thenanalyzing theoverallimpactofeachsystemFMEAontheplant.TheFMEAsweregenerated foreachcontrolsystemasitpertainstothecommonpowersupply.orsensor.ThedetailedresultsofeachFMEAarecontained inAppendixE.BasedontheBKAs,thedetailedanalysisofthesecontrolsystemswasperformed.
Theresultsarepresented hereintwocategories:
(1)Failuresthatcouldimpactplant'afetyrequiring furtheranalysis, and(2)failuresthatcouldimpactplantsafetyaddressed byChapter15/failures thatdonotimpactplantsafety.
ReportNo.02-0160-1102 Revision11.FailuresThatCouldImactPlantSafetReirinFurtherAnalysisEDSanalysisdetermined thatfailureofthepowersupply1D635125VDCcouldimpactplantsafetyandtherefore requiresfurtheranalysis.
ThecontrolsystemsaffectedbythispowersupplyfailurearetheReactorFeedwater andthePressureRegulator andT/GControlSystems.Theconditions thatmaynotbeboundedbyChapter15analysisare,however,isolatedtotheFeedwater Systemonly-specifically theFeedwater FlowControlandReactorFeedwater PumpTurbine(RFPT)TripContxolsub-systems.
Thelossofthispowersupplydoesnotgenerateconditions outsideoftheboundaryofChapter15analysisforthePressureRegulator andT/GControlSystem.Basedondatacurrently available, thesequenceofeventsthatresultfromthelossofthispowersupplyfortheFeedwater Systemisasfollows:a.HM.leoperating at100%reactorpower,theplantexperiences alossof1D635.Thefeedwater flowsignalfromtheBtraininstrumentation poweredby1D635(FlowTransmitter FTlN002BandSRU6)changestozeroduetothelossof1D635-Sincethefeedwater flowsignalsfromtrainsA,BandCazesummed,thetotalfeedflowsignalchangesfrom100%feedflowto67%feedflowsubsequent toreceiving theerroneous zerosignalfromtheB,train.Thisintroduces amismatchbetweensteamflow,whichisstillat100%,andfeedflowwhichisat67%.b.Inresponsetothissteamflow,feedflowmismatch, theFeedwater FlowContxolSystemsendsasignaltothethreeRFPT'stoinczeasefeedflowtomakeupfortheerroneous 33%decxeaseinflow.Actualfeedflowatthispointwouldbeapproximately 135%.cdSinceactualfeedflowissignificantly greaterthanthatrequired, theincreaseinreactorvessellevel~marea'chtheLevel8(highlevel)'tripsetpoint~d-IftheLevel8tripsetpointisreached,atripsignalwillbesenttoRFPTsA,B,andCandtheT/G.RFPTsAandBandtheT/Gtrip.RFPTCfailstotripbecauseitstripcircuitwasdisableduponlossof1D635.
ReportNo~02-0160-1102 Revision1Basedontheassumption thattheLevel8setpointisreachedduetoexcessive feedwater demand,theresulting conditions arenotexplicitly addressed byChapter15-Chapter15statesthattheplantresponsetoaLevel8condition, initiated byexcessfeedflow,shouldincludethetripofallRPPTsandtheT/G.Sincetheconditions generated subsequent tothefailureofRPPTCtotriparenotknown<itcannotbedetexmined iftheplantsystemcapabilities areadequateusingpresentChapter15analysis.
TheoperatordoesretaintheabilitytotakemanualcontroloftheRPPTCtomitigatetheeffectsofitscontinued operation.
TheoperatorwouldbealertedtotherisingreactorvessellevelbytheLevel7alarm.Thiscondition, therefore, appearstobewithinthecapabilities oftheoperator.
Xnordertoresolvethisproblem,EDSrecommends that,first,ananalysis(thermalhydraulic andinstrument) beconducted toverifythattheLevel8setpointwillbereached,basedonthesequenceofeventspreviously postulated.
ZftheresultsofthisanalysisverifythattheLevel8setpointisnotreached,thentheconditions generated bythelossofpowersupply1D635125VDCareinfactboundedbyChapter15analysis'f theLevel8setpointisreached,thentheresulting conditions requirefurtheranalysis.
Porthoseconditions notexplicitly addressed byChapter15analysis, EDSrecommends resolution ofthisproblembeaccomplished inoneoftwoways.Aplantmodification couldbemadetoremovethecommonality betweenthefeedwater flowBprocessinstrumentation (PlowTransmitter andSRU)andtheRPPTCtripcircuit.BasedonEDSfailuremodesandeffectsanalysis, changingtheseinstruments toanalternate powersupplywouldresolvethisproblem.1D615andXD625shouldbeeliminated asalternatives sincetheyprovidepowertotheRPPTAandBtripcircuits, respectively.
EDSrecommends thattheBtraininstruments bemovedtotheACpowersupplythatiscurrently providing powertothePeedwater PlowControlSyst:em-1Y218Breaker13.Theappropriate conversion deviceswouldalsohavetobeaddedinordertoaccountforthechangeover oftheseinstruments fromDCtoAC.Movingtheseinstruments tolY218wouldnotchangetheoveralleffectontheFeedwater PlowControlSystemsubsequent tothelossoflY218-Thesystemeffectsandplantresponseasnotedinthe1Y218PMEAwouldremainthesame~-10 ReportNo-02-0160-1102 Revision1Ztshouldbenotedthatifanypowersupplyotherthan1Y218isselected, theappropriate FailureModesandEffectsAnalysisshouldbeperformed toensurethatanewproblemisnotcreated.Thesecondmethodofproblemresolution wouldbetoanalyzetheconditions generated bythecontinued operation ofRFPTCtoverifythattheplantsystemswill<infact,mitigatetheprobleminspiteofthisnewcondition.
2.FailuresThatZmctPlantSafetyAddressed byChater15/Failures ThatDoNotImpactPlantSafetyTheremaining nine(9)controlsystemcommonalities havebeendetexmined byEDStobeeith'eraddressed byChapter15ortonotimpactplantsafety.Norecommendations foxmodification oranalysisarerequired.
Eachoneissummarized asfollows:a.1D615125VDCThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwater Control,PressureRegulator
-T/GControl,andRecirculation FlowContxol.Theonlyplantsafety-related condition generated bythisfailureisalossofrecirculation flowinLoopAandarecirculation runbackinLoopB.Thiscondition andtheplantresponseiscoveredbyChapter15analysis.
Thiscondition isalsowithinthecapabilities oftheoperator.
Znaddition<
safetysystemresponseisnotrequixed.
b1D625125VDCThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwater Control,PressureRegulator
-T/GControl,Recirculation FlowControl,andtheTraversing Zn-CoxeProbe.Theonlyplantsafety-related condition generated bythisfailureisalossofrecirculation flowLoopB.Thiscondition andtheplantresponseforsingleloopflowarecoveredbyChaptez15analysis.
Thiscondition isalsowithinthecapabilities oftheoperator.
Inaddition, safetysystemresponseisnotrequired-ReportNo.02-0160-1102 Revision0C~1D645125VDCThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwater Controland'ressure Regulator
-T/6Control.Theonlyplantsafety-related condition generated bythisfailureisapotential highreactorvessellevelduetothefailureoftheFeedwater Blevelsensor..Thisfailurecombinedwithmaximumfeedwater flowdemand(worstcase)isaddressed inChapter15.Thisvesselhighlevelcondition iswithinoperatorcapabilities sincemanualcontroloftheReactorFeedwater ControlSystemisstillavailable.
ThesafetysystemsthatrespondperChapter15forthiscondition possessthenecessary capabilities tomitigatetheproblem.'d~lY218120VACThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwater Contol,ReactorManualControlRecirculation FlowControl,PressureRegulation
-T/6Control,ReactorWaterCleanup,NuclearPressureRelief,andTraversing'n-Core ProbeTheplantsafetycondition generated bythisfailureisapotential highorlowreactorvessellevelresulting fromtheFeedwater ControlSystemfailingatmaximumorminimumdemand.Thefailureofthispowersupplyinvolvesa"speedfreeze"ofthereactorfeedwater pumpturbines(RFPT)~A"speedfreeze"meansthattheRFPTspeedislockedinattheratethatwaspresentpriortothelossofpower.Thisspeedfreezeatmaximumorminimumdemanddirectlyleadstoahighorlowwaterlevel,respectively.
Theplantresponsetothemaximumorminimumfeedflowdemandisaddressed inChapter15.Inthemaximumdemandcondition, aLevel8tripwillresult,eventually leadingtoRFPTtrip,T/6trip,reactorscram,recirculation pumptrip,andHPC1'/RCIC actuation.
Theminimumdemandcondition condition, asperChapter15,willresultinaplantresponseofaLevel3tripfollowedbyaLevel2trip~Thisresultsinareactorscram,recirculation pumptrip,MSIVclosure,T/6trip,andHPCI/RCIC actuation.
12
 
ReportNo.02-0160-1102 Revision0Themaximumandminimumdemandconditions arewithinoperatorcapabiliti'es.
ThesafetysystemsthatrespondperChapter15fortheseconditions possessthenecessary capabilities tomitigatethisproblem.Itshouldbenotedthatalthoughthecondition generated inbetweenmaximumandminimumfeedflowdemandisnotsafetyrelated,itpreventschangesfrombeingmadeontheReactorManualControl,ReactorFeedwater Control,andtheRecirculation PlowControlsystems'pon lossofpower,eachofthesesystemsremainsintheconfiguration itwasinpriortothelossofpower.Specifically, rodscannotbemovedandfeedwater andrecirculation flowcannotbealtered.Thiscondition isnotbeyondoperatorcapabilities, butshouldbeconsidered whenPPSLisgenerating planttrainingoroperating procedures.
e.1Y219.120VACThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorManualControlSystemandtheReactorWaterCleanupSystem.Therearenoplantsafety-related conditions associated withthelossofthispowersupply;therefore, noChapter15analysisisrequired'perator orsafetysystemresponseisnotrequired.
1Y226120VACgoThecontrolsystemsinvolvedwiththispowersupplyfailurearetheNuclearPressureReliefSystemandtheReactorWaterCleanupSystem.Therearenoplantsafety-related conditions associated withthelossofthispowersupply;therefore, noChapter15analysisisrequired.
Operatororsafetysystemresponseisnotrequired.
1Y629120VAC1ThecontrolsystemsinvolvedwiththispowersupplyfailurearethePressureRegulator
-T/6Control,TheanalysisforlY629failureisbasedonT/6solenoidvalvesfailing"asis."Thisassumption hastobemadeduetoalackofspecificreference information.
13 ReportNo.02-0160-1102 Revision0theReactorManualControlSystem,'andthe~Recirculation FlowControlSystem.Theconditions associated withthispowersupplyfailureareaT/6tripatlessthan30%poweroraT/6tripandreactorscramatgreaterthan30%power..Theplantresponseforeithercondition iscoveredbyChapter15analysis'oth theT/6tripandthereactorscramarewithinoperatorcapabilities.
These.conditions arealsowithinthecapabilities ofthesafetysystems,including Scram,,HPCI,
'andRCIC,asperChapter15.Feedwater FlowElements-FElNOOlA,B,CThecontrolsystemsinvolvedwiththissensorfailurearetheReactorFeedwater ControlandtheRecirculation Control~Theplantsafetycondition generated bythisfailureisapotential highorlowreactorvessellevelresulting fromtheFeedwater ControlSystemfailingatmaximumorminimumdemand.Thisfailureiscausedbyonefeedwater flowelementfailingsuchthateitherahighfloworlowflowsignalisgenerated.
Theplantresponsetothemaximumorminimumfeedflowdemandisaddressed inChapter15.Inthemaximumdemandcondition, aLevel8tripwillresult,eventually leadingtoRFPTtrip,T/6trip,reactorscram,recirculation pumptrip,andHPCI/RCIC actuation.
Theminimumdemandcondition condition, asperChapter15,willresultinaplantresponseofaLevel3tripfollowedbyaLevel2trip~Thisresultinareactorscram,recirculation pumptrip,MSIVclosure,T/6trip,andHPCI/RCIC actuation.
Themaximumandminimumdemandconditions arewithinoperatorcapabilities
~Thesafetysystems-thatrespondperChapter15fortheseconditions possessthenecessary capabilities tomitigatethisproblem.Itshouldbenotedthataflowelementfailurecausedbyamechanical problem(i.e.,cloggingatthesensinginletoroutlet)wouldtakeplaceoverarelatively longperiodoftimeFlowdegradation shouldbenotedthroughroutineflowindication monitoring'4 ReportNo.02-0160-1102 Revision0i.CascadinPowerSu1Effect-lY218and1Y219120VACInanalyzing theSSESelectrical distribution system,itispossiblethatafailureinpowersupply1X219couldcausepowersupply1Y218tofail,aswell,sinceitsuppliespowertolY219.Thefailureofahigherlevelpowersupplyduetoafailureofacorresponding lowerlevelpowersupplyisdefinedastheCascading PowerSupplyEffect.ThecombinedfailureoflY218and1Y219doesnotinvokeconditions notalreadycoveredintheanalysisofeachofthesepowersuppliesinsub-paragraphs (d)and(e)respectively.
Thiscombinedfailureis,therefore, boundedbyChapter15analysisandwithinthecapabilities oftheoperatorandsafetysystems.Nootheranalysisisrequired.
15  
.
.


==5.0REFERENCES==
==5.0REFERENCES==
ReportNo.02-0160-1102Revision0Thefollowingisthelistofreferencesusedduringthisproject:5.1GeneralInformationSusquehannaSteamElectricStation,Units1and2,FinalSafetyAnalysisReport,PennsylvaniaPowerandLightCompany,Volumes1-17,Revision23,6/81.5'SstemDescritiveReferencesReactorFeedwaterControlSstemInstructionManuals4110and4125,AlphalinePressureTransmittersAbsoluteandGage,Models1151APand1151GP,Rosemount.2~3.5.6.7~8.IndicatingSwitches,LiquidLevel-DifferentialPressure-PlowRate,Product/Bullet,in288A/289A,ITTBarton.BaileyServiceManual,Type771NarrowRollStrip-ChartRecorder(4577Kll-300A)BaileyPartsManual,Type771,772,and773Strip-ChartRecorders,(4577Kll-350)~OperatingandInstructionManual,StaticInverterModelN250-MRS-125-60-115,TopazElectronics,October1974.Informationaboutthe(OrificePlate)BoreCalculation,Vikery-Simms,Inc.,VSIJobNo~-N-1053andN-1175.OrificeBoreCalculationLiquidFlow,Vike~-Simms,Inc.,2/23/76.PressureSwitchesPartsPriceList,Code1BourdonTube,Barksdale(BulletinNo.671221-B),January1,1973.9.BaileyServiceManual,Type745SingleandDualAlarm,.(4574K15-300F)~.10~BaileyServiceManual,Type754FunctionGenerator,(4575K14-300A).llewBaileyInstallationManual,Type754FunctionGenerator,(4575K14-001).
ReportNo'.02-0160-1102Revision012~BaileyInstructions,Type760001VoltageSignalSources,(4576K10-001).13'aileyServiceManual,755DynamicCompensator,(4575K15-300B).14..BaileyDifferenceData,Type755DynamicCompensatorCat~No~50-755010AAAA1NAB(4575K15-003).15~16.BaileyInstallationManual,Type701BasicController,(.4570K11-001A).Susquehanna1,OperationsandMaintenanceInstructions,FeedwaterControlSystem,GeneralElectric(GEK-73592A),April,1981.RecirculationFlowControlSstem2.3.4~5.7~8.9~10.Susquehanna1,OperationsandMaintenanceInstructions,.RecirculationFlowControlSystem,GeneralElectric(GEK-73590),February,1979.BaileyServiceManual,Type724LogicUnit,(4572K14-300B).BaileyInstallationManual,Type745SingleandDualAlarm,(4574K15-001A).BaileyServiceManual,Type745SingleandDualAlarm,(4574K15-300F).BaileyInstallationManual,Type752TwoInputandFourInputSummers,(4575K12-001B).InstallationandOperatingInstructions,RegulatedDCPowerSupplies,GeneralElectric(GEI-54440).BaileyInstallationManual,Type744DifferenceAlarm,(4574K14-001).BaileyInstallationManual,Type720UtilityStations,(4572K10-001)-BaileyServiceManual,Type720UtilityStations,(4574K10-300).BaileyInstructions,Type766SignalResistorUnitsCat~No.766--*,(4576K16-007A).17 ReportNo.02-0160-1102Revision012.13'4.15~BaileyInstallationManual,Type724LogicUnit,(4572K14-001).BaileyInstallationManual,Type740MillivoltConverters,(4574K10-001A).BaileyServiceManual,Type723ProportionalandDelayUnit,(4572K13-300).BaileyInstallationManual,Type723,ProportionalandDelayUnit,(4572K13-001).BaileyInstallationManual,,Type746SignalLimiter,(4574K16-001A)-16'BaileyInstallationManual,Type722ManualUnit,(4572K12-001).17'8.19~20.21.22.23.24.BaileyServiceManual,Type722ManualUnit,(4572K12-300A).BaileyInstallationManual,Type721ControlUnit,(4572K11-001).BaileyServiceManual,Type721ControlUnit,(4572K11-300).ACRPanels120/125Vand24VFeederTabulation,SusquehannaProject,BechtelPowerCorporation,ElectricalSchemeGroup,June22,1981.InstructionsforOperation,Installation,Maintenance,andCalibration,ElectronicFlowTransmitter73G-0049M,Ametek/SchuttesKoerting(74S-0269M-001),July,1974.I'nstructionManual,(4104/4126)Model1151DPAlphaline,DifferentialandHighDifferentialPressureTransmitters,Rosemount(8856-J03-A-25-1).BaileyServiceManual,Type751Sealer,(4575K11-300F).IEEEGuideforGeneralPrinciplesofReliabilityAnalysisofNuclearPowerGeneratingStationProtectionSystems,IEEEStandard352-1975.ReactorWaterCleanuSstemSusquehanna1,OperationandMaintenanceInstructions,ReactorWaterCleanupSystem,GeneralElectric(GEK-73608),February1979.18 Repox'tNo.02.-0160-1102Revision0PressureReulatorandT/GControlSstemGeneratorProtection,GeneralElectxic(GEK-75512A),November,1980.2~3~4~5.7~8.9-10.BasicFunctionsofElectrohydraulicControl(EHC)System,Nuclear(BoilingWaterReactor)Units,GeneralElectric(GEK-17911)~ProtectionSystem-ElectrohydraulicControl,BasicFunctions,GeneralElectric,(GEK-11366).SpeedControlUnit,(Fossil-Baseload,BWR,PWR),GeneralElectric(GEK-11381E).tInstructions,EHCLineSpeedMatcher,GeneralElectric(GEK-17910A)~Instructions,DescriptionofLoadControlUnit(BWR),GeneralElectric,(GEK-37946).LoadControlUnit,LoadReferenceCircuits,NuclearUnits,GeneralElectric(GEK-17864A).Instructions,LoadLimitCircuitsandLogic,(BWR),GeneralElectric,'(GEK-17863B)~Instructions,Chest/ShellWarmingCircuitsandLogic,3or5LightConfiguration,Nuclear-BWR,GeneralElectric,(GEK-46351B).RosemountPressureTransducerModel1104A,(GEK-37803).12-13~14-15~CurrenttoVoltageConverter,GeneralElectric,(GEK-25580).Instructions,RateSensitivePowerLoadUnbalanceCircuitandRelays,(Nuclear),.GeneralElectric,(GEK-37959A).FlowControlUnit,GeneralElectric,(GEK-25588).ValveTestLogic,(BWR),GeneralElectric,(GEK-37941).Pressux'eControlUnit,(BWR),GeneralElectric,(GEK-17885A)~16.TurbineInitialPressureRegulatorandControlSystem,BypassControlUnit,GeneralElectric,;(GEK-17880).19


ReportNo.02-,0160-1102Revision017.18.19.20.21'urbineInitialPressureRegulatorandControlSystem,AutomaticLoadFollowingSignal,GeneralElectric,(GEK17881)~AutomaticPressureSet-PointAdjust,GeneralElectric,(GEK-17882A).Instructions,ElectricAlarmandTripSystem,GeneralElectric,(GEK-11367C).FirstHitCircuitry,GeneralElectric,(GEK-25557).ProtectiveSystem-ElectrohydraulicControl,BasicFunctions,GeneralElectric,M-392,1971.22.ElectricAlarmandTripSystem,GeneralElectric,M-3931971.23.ElectricalPowerSupplies,GeneralElectric,M-399,1971.24.25.26.27.Instructions,TestingoZtheOverspeedTripSystem,GeneralElectric,(GEK-11383C).BackupOverspeedTrip,ElectrohydraulicControlSystem,GeneralElectric,(GEK-17978A).Instructions,ElectricalPowerSupplies,EHCSystem,GeneralElectric,(GEK-25540A).InstructionManualandPartsListModel730and751SeriesLiquidLevelControls,Bulletin:46-612,MagnetrolInternational,April1976.TraversinIn-CoreProbeSstem2.3.Preliminary,Susquehanna1and2,OperationandMaintenanceInstructions,TraversingIn-CoreProbeCa'librationSystem,GeneralElectric(GEK-73601A),February1981.OperationandMaintenanceInstructions,IndexingMechanism791E241G4(GEK-73601A),February1981.OperationandMaintenanceInstructions,DriveMechanism706E263G13,G14,G15,andG16,GeneralElectric(GEK-39600D),March1980.20 ReportNo.02-0160-1102Revision04..OperationandMaintenanceInstructions,ValveControlMonitor112C3706G8,G10,andG12,GeneralElectric(GEK-34668D),February1980.5.OperationandMaintenanceInstructions,ValveControlMonitor112C3706G7,G9,andGll,GeneralElectric(GEK-34573E),October1979.ReactorManual'ControlSstem1.Susquehanna1and2,OperationandMaintenanceInstructions,ReactorManualControlSystem,GeneralElectric(GEK-73596A),April1981.2.Susquehanna1,OperationandMaintenanceInstructions,ControlRodDriveHydraulics,GeneralElectric(GEK-73595A),March1981.NuclearPressureReliefSstem1.Susquehanna1,OperationandMaintenanceInstructions,AutomaticDepressurizationSystem,GeneralElectric(GEK-73602),February1979.5.3SstemDrawingsGeneralReferencesGeneralElectricBechtel8856-Ml-H12-877SH1-10E-10SH1-3E-42SH14-19,SH21-22E-64SH17gSHll28ReactorFeedwaterControlSstemGeneralElectricBechtel8856-Ml-C32-17SH1-68856-M6-3SH11E-126SH1-2J-127SH7,9j-427SH3M-106M-127SH1-2E-114SH1-2E-127SH6RecirculationFlowControlSstemGeneralElectricFF116510SH1101-1103*8856-Ml-B31-178SH1-218856-Ml-B31-189SH1-58856-Ml-B31-275SH1-2121 ReportNo.02-0160-1102Revision00RecirculationPlowControlSstem(cont'd)BechtelM-103M-105M-106M-115M-140M-143E-129SH17J-105SH1-10J-106SH1-11J-115SH1-11J-406"SH2J-410SH4ReactorWaterCleanuSstemGeneralElectricBechtel8856-Mj-G33-140SH1-5M-144PressureReulatorandT/GControlGeneralElectricBechtelTraversinIn-CoreProbeGeneralElectricBechtel8856-M2J-6SH1-398856-M2J-10SH18856-M2J-34SH1-38856-M2J-39SH1-78856-M2J-40SH1-108856-M2J-112SH1-7E>>101SH4E-illSH1-4E-120SH1-8E-121SH1-4E-122SH1-4M-101791E413SH1-5*E-177SH4,8ReactorManualControlSstemGeneralElectricBechtel8856-Ml-C12-108SH1,28856-Ml-C12-110SH1-9,SH11-12,SH14-32'H35-36E-158SH1-3E-169SH2-4M-146M-147 ReportNo.02-0160-1102Revision0NuclearPressureReliefSystemGeneralElectricBechtelRefuelinInterlockPGeneralElectricRodBlockMonitoringBechtel8856-B21-'129SH1-8E-180SH1-8M-141M-1428856MlC12110SH19gSHll12'H14-32,SH35-368856-Ml-F21-52SH1-19E-157SH1-6E177SH1I3ISH48'Note:Bechteldrawingnumberswereusedexceptwherenotedbyanasterisk.AnasteriskwillindicateaGeneralElectricnumber.23}}
ReportNo.02-0160-1102 Revision0Thefollowing isthelistofreferences usedduringthisproject:5.1GeneralInformation Susquehanna SteamElectricStation,Units1and2,FinalSafetyAnalysisReport,Pennsylvania PowerandLightCompany,Volumes1-17,Revision23,6/81.5'SstemDescritiveReferences ReactorFeedwater ControlSstemInstruction Manuals4110and4125,Alphaline PressureTransmitters AbsoluteandGage,Models1151APand1151GP,Rosemount.
2~3.5.6.7~8.Indicating
: Switches, LiquidLevel-Differential Pressure-Plow Rate,Product/Bullet, in288A/289A, ITTBarton.BaileyServiceManual,Type771NarrowRollStrip-Chart Recorder(4577Kll-300A)
BaileyPartsManual,Type771,772,and773Strip-Chart Recorders, (4577Kll-350)
~Operating andInstruction Manual,StaticInverterModelN250-MRS-125-60-115, TopazElectronics, October1974.Information aboutthe(OrificePlate)BoreCalculation, Vikery-Simms, Inc.,VSIJobNo~-N-1053andN-1175.OrificeBoreCalculation LiquidFlow,Vike~-Simms, Inc.,2/23/76.PressureSwitchesPartsPriceList,Code1BourdonTube,Barksdale (Bulletin No.671221-B),
January1,1973.9.BaileyServiceManual,Type745SingleandDualAlarm,.(4574K15-300F
)~.10~BaileyServiceManual,Type754FunctionGenerator, (4575K14-300A).
llewBaileyInstallation Manual,Type754FunctionGenerator, (4575K14-001).
ReportNo'.02-0160-1102 Revision012~BaileyInstructions, Type760001VoltageSignalSources,(4576K10-001).
13'aileyServiceManual,755DynamicCompensator, (4575K15-300B).
14..Bailey Difference Data,Type755DynamicCompensator Cat~No~50-755010AAAA1NAB (4575K15-003).
15~16.BaileyInstallation Manual,Type701BasicController,
(.4570K11-001A).
Susquehanna 1,Operations andMaintenance Instructions, Feedwater ControlSystem,GeneralElectric(GEK-73592A),
April,1981.Recirculation FlowControlSstem2.3.4~5.7~8.9~10.Susquehanna 1,Operations andMaintenance Instructions,
.Recirculation FlowControlSystem,GeneralElectric(GEK-73590),
: February, 1979.BaileyServiceManual,Type724LogicUnit,(4572K14-300B).
BaileyInstallation Manual,Type745SingleandDualAlarm,(4574K15-001A).
BaileyServiceManual,Type745SingleandDualAlarm,(4574K15-300F).
BaileyInstallation Manual,Type752TwoInputandFourInputSummers,(4575K12-001B)
.Installation andOperating Instructions, Regulated DCPowerSupplies, GeneralElectric(GEI-54440).
BaileyInstallation Manual,Type744Difference Alarm,(4574K14-001).
BaileyInstallation Manual,Type720UtilityStations, (4572K10-001)-
BaileyServiceManual,Type720UtilityStations, (4574K10-300).
BaileyInstructions, Type766SignalResistorUnitsCat~No.766--*,(4576K16-007A).
17 ReportNo.02-0160-1102 Revision012.13'4.15~BaileyInstallation Manual,Type724LogicUnit,(4572K14-001).
BaileyInstallation Manual,Type740Millivolt Converters, (4574K10-001A).
BaileyServiceManual,Type723Proportional andDelayUnit,(4572K13-300).
BaileyInstallation Manual,Type723,Proportional andDelayUnit,(4572K13-001)
.BaileyInstallation Manual,,Type746SignalLimiter,(4574K16-001A)-
16'BaileyInstallation Manual,Type722ManualUnit,(4572K12-001).
17'8.19~20.21.22.23.24.BaileyServiceManual,Type722ManualUnit,(4572K12-300A).
BaileyInstallation Manual,Type721ControlUnit,(4572K11-001).
BaileyServiceManual,Type721ControlUnit,(4572K11-300).
ACRPanels120/125Vand24VFeederTabulation, Susquehanna Project,BechtelPowerCorporation, Electrical SchemeGroup,June22,1981.Instructions forOperation, Installation, Maintenance, andCalibration, Electronic FlowTransmitter 73G-0049M, Ametek/Schutte sKoerting(74S-0269M-001),
July,1974.I'nstruction Manual,(4104/4126)
Model1151DPAlphaline, Differential andHighDifferential PressureTransmitters, Rosemount (8856-J03-A-25-1).
BaileyServiceManual,Type751Sealer,(4575K11-300F).
IEEEGuideforGeneralPrinciples ofReliability AnalysisofNuclearPowerGenerating StationProtection Systems,IEEEStandard352-1975.
ReactorWaterCleanuSstemSusquehanna 1,Operation andMaintenance Instructions, ReactorWaterCleanupSystem,GeneralElectric(GEK-73608),
February1979.18 Repox'tNo.02.-0160-1102 Revision0PressureReulatorandT/GControlSstemGenerator Protection, GeneralElectxic(GEK-75512A),
: November, 1980.2~3~4~5.7~8.9-10.BasicFunctions ofElectrohydraulic Control(EHC)System,Nuclear(BoilingWaterReactor)Units,GeneralElectric(GEK-17911)
~Protection System-Electrohydraulic Control,BasicFunctions, GeneralElectric, (GEK-11366).
SpeedControlUnit,(Fossil-Baseload, BWR,PWR),GeneralElectric(GEK-11381E).
tInstructions, EHCLineSpeedMatcher,GeneralElectric(GEK-17910A)
~Instructions, Description ofLoadControlUnit(BWR),GeneralElectric, (GEK-37946).
LoadControlUnit,LoadReference
: Circuits, NuclearUnits,GeneralElectric(GEK-17864A).
Instructions, LoadLimitCircuitsandLogic,(BWR),GeneralElectric,'(GEK-17863B)
~Instructions, Chest/Shell WarmingCircuitsandLogic,3or5LightConfiguration, Nuclear-BWR, GeneralElectric, (GEK-46351B)
.Rosemount PressureTransducer Model1104A,(GEK-37803).
12-13~14-15~CurrenttoVoltageConverter, GeneralElectric, (GEK-25580).
Instructions, RateSensitive PowerLoadUnbalance CircuitandRelays,(Nuclear),
.GeneralElectric, (GEK-37959A).
FlowControlUnit,GeneralElectric, (GEK-25588).
ValveTestLogic,(BWR),GeneralElectric, (GEK-37941)
.Pressux'e ControlUnit,(BWR),GeneralElectric, (GEK-17885A)
~16.TurbineInitialPressureRegulator andControlSystem,BypassControlUnit,GeneralElectric,;
(GEK-17880).
19
 
ReportNo.02-,0160-1102 Revision017.18.19.20.21'urbineInitialPressureRegulator andControlSystem,Automatic LoadFollowing Signal,GeneralElectric, (GEK17881)~Automatic PressureSet-Point Adjust,GeneralElectric, (GEK-17882A).
Instructions, ElectricAlarmandTripSystem,GeneralElectric, (GEK-11367C)
.FirstHitCircuitry, GeneralElectric, (GEK-25557)
.ProtectiveSystem-Electrohydraulic Control,BasicFunctions, GeneralElectric, M-392,1971.22.ElectricAlarmandTripSystem,GeneralElectric, M-3931971.23.Electrical PowerSupplies, GeneralElectric, M-399,1971.24.25.26.27.Instructions, TestingoZtheOverspeed TripSystem,GeneralElectric, (GEK-11383C).
BackupOverspeed Trip,Electrohydraulic ControlSystem,GeneralElectric, (GEK-17978A).
Instructions, Electrical PowerSupplies, EHCSystem,GeneralElectric, (GEK-25540A).
Instruction ManualandPartsListModel730and751SeriesLiquidLevelControls, Bulletin:
46-612,Magnetrol International, April1976.Traversin In-CoreProbeSstem2.3.Preliminary, Susquehanna 1and2,Operation andMaintenance Instructions, Traversing In-CoreProbeCa'libration System,GeneralElectric(GEK-73601A),
February1981.Operation andMaintenance Instructions, IndexingMechanism 791E241G4 (GEK-73601A),
February1981.Operation andMaintenance Instructions, DriveMechanism 706E263G13, G14,G15,andG16,GeneralElectric(GEK-39600D),
March1980.20 ReportNo.02-0160-1102 Revision04..Operation andMaintenance Instructions, ValveControlMonitor112C3706G8, G10,andG12,GeneralElectric(GEK-34668D),
February1980.5.Operation andMaintenance Instructions, ValveControlMonitor112C3706G7, G9,andGll,GeneralElectric(GEK-34573E),
October1979.ReactorManual'ControlSstem1.Susquehanna 1and2,Operation andMaintenance Instructions, ReactorManualControlSystem,GeneralElectric(GEK-73596A),
April1981.2.Susquehanna 1,Operation andMaintenance Instructions, ControlRodDriveHydraulics, GeneralElectric(GEK-73595A),
March1981.NuclearPressureReliefSstem1.Susquehanna 1,Operation andMaintenance Instructions, Automatic Depressurization System,GeneralElectric(GEK-73602),
February1979.5.3SstemDrawingsGeneralReferences GeneralElectricBechtel8856-Ml-H12-877 SH1-10E-10SH1-3E-42SH14-19,SH21-22E-64SH17gSHll28ReactorFeedwater ControlSstemGeneralElectricBechtel8856-Ml-C32-17 SH1-68856-M6-3 SH11E-126SH1-2J-127SH7,9j-427SH3M-106M-127SH1-2E-114SH1-2E-127SH6Recirculation FlowControlSstemGeneralElectricFF116510SH1101-1103
*8856-Ml-B31-178 SH1-218856-Ml-B31-189 SH1-58856-Ml-B31-275 SH1-2121 ReportNo.02-0160-1102 Revision00Recirculation PlowControlSstem(cont'd)BechtelM-103M-105M-106M-115M-140M-143E-129SH17J-105SH1-10J-106SH1-11J-115SH1-11J-406"SH2J-410SH4ReactorWaterCleanuSstemGeneralElectricBechtel8856-Mj-G33-140 SH1-5M-144PressureReulatorandT/GControlGeneralElectricBechtelTraversin In-CoreProbeGeneralElectricBechtel8856-M2J-6 SH1-398856-M2J-10 SH18856-M2J-34 SH1-38856-M2J-39 SH1-78856-M2J-40 SH1-108856-M2J-112 SH1-7E>>101SH4E-illSH1-4E-120SH1-8E-121SH1-4E-122SH1-4M-101791E413SH1-5*E-177SH4,8ReactorManualControlSstemGeneralElectricBechtel8856-Ml-C12-108 SH1,28856-Ml-C12-110 SH1-9,SH11-12,SH14-32'H35-36E-158SH1-3E-169SH2-4M-146M-147 ReportNo.02-0160-1102 Revision0NuclearPressureReliefSystemGeneralElectricBechtelRefuelinInterlock PGeneralElectricRodBlockMonitoring Bechtel8856-B21-'129 SH1-8E-180SH1-8M-141M-1428856MlC12110SH19gSHll12'H14-32,SH35-368856-Ml-F21-52 SH1-19E-157SH1-6E177SH1I3ISH48'Note:Bechteldrawingnumberswereusedexceptwherenotedbyanasterisk.
AnasteriskwillindicateaGeneralElectricnumber.23}}

Revision as of 20:18, 29 June 2018

Rev 1 to Control Sys Power Supply & Sensor Malfunction Study.
ML17139B885
Person / Time
Site: Susquehanna Talen Energy icon.png
Issue date: 03/31/1982
From:
EDS NUCLEAR, INC.
To:
Shared Package
ML17139B884 List:
References
02-0160-1102, 02-0160-1102-R01, 2-160-1102, 2-160-1102-R1, NUDOCS 8310180481
Download: ML17139B885 (29)
v  d  e


Text

CONTROLSYSTEMPOKERSUPPLYANDSENSORMALFUNCTION STUDYPreparedfor:Pennsylvania PowerandLightCompanySusquehanna SteamElectricStationPreparedby:EDSNuclearInesMarch,1982ReportNo.02-0160-1102 Revision1831018048i 831014PDRADOCK05000387P,PDR Il' ReportNo.02-0160-1102 Revision1hCONTROLSYSTEMPOWERSUPPLYANDSENSORMALFUNCTION STUDYTABLEOFCONTENTSSact1onPacae1.0Introduction 2'0Executive Summary3.0Methodology

4.0 SummaryofResults50References

15Appendices AppendixATechnical Procedure forthePerformance oftheAnalysisAppendixBControlSystems/Safety Functions AppendixCControlSystemIdentification DiagramsAppendixDCommonality DiagramsAppendixEFailureModesandEffectsAnalysisAppendixFMalfunction AnalysisTables ReportNo.0201601102Revision0CONTROLSYSTEMPOWERSUPPLYANDSENSORMALFUNCTION STUDY1~0INTRODUCTION OnJune15,1981,Pennsylvania PowerandLightCompany(PPEL)requested thatEDSNuclearInc~(EDS)assisttheminresponding totheSafetyEvaluation Report(SER)itemconcerning thefailureofnon-safety gradecontrolsystemsduetofailure/malfunction ofpowersuppliesorsensordthatarecommontothesecontrolsytemsfortheSusquehanna SteamElectricStation(SSES)~Verification wasrequested toensurethatthesubjectcontrolsystemfailureswouldnotimpactonplantsafety.Theobjective oftheanalysiscontained hereinistwofold-1.Toidentifypowersuppliesandsensorstotwoormorenon-safety gradecontrolsystems.2.Toanalyzetheeffectsofthefailureormalfunction ofthesepowersuppliesandsensorsoncontrolsystemstodetermine iftheresulting plantconditions arecontained withintheboundaryofChapter15analysisandarewithinthecapabilities ofoperators andsafetysystems.Inordertoachievetheseobjectives, EDSemployedatwo-phase approachconsisting oftheIdentification PhaseandtheAnalysisPhase.IntheIdentification Phase,diagramsweregenerated toidentifythenon-safety gradecontrolsystemsandtheirpowersuppliesandsensors.Thesediagramswerefurtneranalyzedinordertodetermine thosecommonpowersuppliesandsensors.IntheAnalysisPhase,Failure"Modes andEffectAnalyses(FMEA)wasutilizedtodetermine theeffectsofthesepowersupplyandsensorfailuresontheirrespective controlsystemsand,ultimately, onplantperformances TheFMEAswerethenanalyzedtodetermine thesafetyimplications (ifany)forthefailureofthesecontrolsystems.Thisreportdocuments theresultofthisanalysis.

Themethodology employedisdescribed generally inSection3'andingreaterdetailinAppendixA.Asummaryofresultsispresented ingeneraltermsinSection4.0andindetailinAppendices 3throughF.References areprovidedinSection5.0.AnExecutive SummaryisprovidedinSection2.0whichhighlights thesalientresultsofthisproject.C c2.0EXECUTIVE SUMMARYReportNo.02-0160-1102 Revision0Thepurposeofthisreportistodetermine ifthefailureofcommonpowersuppliesandsensorsfoznon-safety gradecontrolsystemswillimpactonplantsafety.Thiswasaccomplished byfirstidentifying thosecommonpowersuppliesandsensors,thenanalyzing theeffectsthosecontrolsystemfailuresonplantsafety.Inaddition, forthosecontrolsystemfailuresthatimpactedonplantsafetybutwerenotaddressed byChapter15analysisandwerenotwithinoperatorandsafetysystem'apabilities, recommendations forplantmodification orChapter15reanalysis weremade.Theprojectwasdividedintotwophases-theIdentification PhaseandtheAnalysisPhase~Intheidentification Phase,keyplantsafetyfunctions wereidentified usingChapter15.Thecontrolsystemsthatcouldaffectthesesafetyfunctions werethenidentified fromthoselistedinChapter7'7,"ControlSystemsNotRequiredforSafety."Thepowersuppliesandsensorsthatprovidepowerorsignalstothesecontrolsystemswereidentified'or thesekeyitems-safetyfunctions, controlsystems,powersupplies, andsensors-ControlSystemIdentification Diagrams(CSID)weregenerated todocumentthisinformation andtoassistinfurtheranalysis'ower supplyandsensorcommonality wasdetermined usingtheCSIDs.Aseconddiagram--Commonali tyDiagram(CD)--wasgenerated toshowthecontrolsystemsandtheirassociated components thatwereaffectedbyeachcommonpowersupplyorsensor.IntheAnalysisPhase,FailureModesandEffectsAnalysis(FMEA)wasperformed oneachcommonpowersupplyandsensortodetermine theeffectofthefailureonthecontrolsytemandonplantperformances Analysiswasthenperformed usingtheFMEAresultstodetermine thefollowing:

l.Impactonplantsafetyincluding plantresponseasperChapter15.2.Iftheplantconditions werewithinoperatorandsafetysystemcapabilities asperChapter15~Forthoseconditions thatdidnotmeetthecriteriaofitems{l)and{2),recommendations forplantmodifications orChapter15reanalysis wereprovided.

ReportNo~02-0160-1102 Revision12.2ResultsAtotaloftenpowersupplyandsensorcommonalities wereidentified andanalyzed.

Ofthesetencommonalities<

n-'ne(9)'wereofthepowersupplytypeandone(1)wasoftnesensortype.1.Thefailureofpowersupply1D635125VDCthatiscommontotheReactorFeedwater ControlSystemand.Pxessure Regulator andT/GControlSystemresultedinplantconditions thatmaynotbeboundedbyChapter15analysis.

Thecondition isgenerated byamaximumdemandsignalfromtheFeedwater SystemduetoazeroflowsignalfromtheBtrainflowsensorinstrumentation beingprocessed bytheFeedwater Systemonlossofthepowersupply.ThispowersupplyalsopowerstheReactorFeedPumpTurbineCtripcixcuit.Ifthereactorvesselhighleveltripsetpointisreachedinthismaximumfeeddemandsituation, RFPTsAandBwilltrip;RFPTCwillcontinuetooperateduetothetripcircuitfailure.Itshouldbenotedthatdataisnotcurrently available toverifythattheLevel8txippointwillbereached.EDS,therefore, recommends thattheappropriate instrument perfoxmance bereviewedandtransient analysisbeperformed toverifythecondition exists.IftheLevel8tripisnotreached<theconditions generated bythefailureof1D635areboundedbyChapter15analysis.

Ifitisdetexmined thattheLevel8trippointisreached,EDSrecommends thataplantmodification bemadetoprovidedifferent powersuppliesfortheBtrainfeedflowinstrumentation andtheReactorFeedPumpTurbineCtripcircuit.Asanalternate

solution, EDSrecommends thatthemaximumfeeddemandcondition inChapter15bereanalyzed tovexifythatthefailureofthefeedpumptotripis,infact,boundedbycurrentChapter15analysis.

2~Allothercommonpowexsupplyandsensorfailuresweredetexmined tobeeitherboundedbyChapter15analysisandwithinoperatorandsafetysystemcapabilities ortonotimpactplantsafety.Detailedanalysisdocumenting theresultsiscontained inSection4.0andAppendices BthroughF.

El ReportNo.02-0160-1102 Revision03~0METHODOLOGY Asindicated intheintroduction, themethodology thatwasutilizedbyEDSforthisprojectwasdesignedtomeetthefollowing objectives:

1.Toidentifypowersuppliesandsensorstotwoormorenon-safety gradecontrolsystems.2.Toanalyzetheeffectsofthefailureormalfunction ofthesepowersuppliesandsensorsoncontrolsystemstodetermine iftheresulting plantconditions arecontained withintheboundaryofChapter15analysisandarewithinthecapabilities ofoper'ators andsafetysystems'he methodology employedtoachievetheseobjectives issummarized inthissection.Adetaileddescription ofthismethodology iscontained inAppendixA,"Technical Procedures forthePerformance oftheAnalysis.

"Atwo-phase approachwasusedaspartofthismethodology.

Phase1,the"Identification Phase,"consisted ofidentifying thefollowing items:Plantsafetyfunctions ControlsystemsPowersuppliesandsensorstothecontrolsystemsPowersuppliesandsensorscommontocontrolsystemsPhase2,the"Analysis Phase,"consisted oftheanalysisofthefailureofthesecommonpowersuppliesandsensorswithrespecttotheirassociated controlsystems.Thecontrolsystemfailureswereanalyzedwithrespecttothefollowing criteria:

PlantresponseasperChapter15Plantconditions withinoperatorandsafetysystemcapabilities Reanalysis ormodifications requiredtocorrectanyproblemsnotcoveredbythefirsttwocriteria3.1Identification PhaseThefirstpartoftheidentification phaseconsisted ofidentifying thenon-safety gradecontrolsystemsthatcouldimpactplantsafety.Inordertoaccomplish this,itwasfirstnecessary toidentifythoseplantsafetyfunctions thatarerequiredtobemetduringthevariousmodesofplantoperation.

Thesafetyfunctions weregenerated usingChapter15,Appendix15AoftheCESAR.Theplantoperating modesandsafetyfunctions wereaddedtotheControlSystem ReportNo.02-0160-1102 Revision0Identification Diagrams(CSIDs).Thesediagramscontainalltheidentification information requiredtodetermine commonality withrespecttopowersuppliesandsensors-Subsequent tosafetyfunctionidentification, thecontrolsystemswhichcouldaffect.thesesafetyfunctions wereidentified.

Thesecontrolsystemswereselectedfromthelistofnon-safety gradecontrolsystemsprovidedinChapter7'oftheFSAR.ThecontrolsystemswerethenaddedtotheCSIDs.Thepowersuppliesandsensorsrequiredtosupportthesecontrolsystemswereidentified andaddedtotheCSIDs-Thepowersupplyidentification alsoincludedtheCascading PowerSupplyEffect,thatis,thepotential forfailureofhigherlevelpowersuppliesduetofailureofacorresponding lowerlevelpowersupply'he boundaryofthecascading effectwaslimitedtothe120VACand125VDCinstrument andcontrolbuses.Thisboundarywasbasedoninformation providedbythePPSLElectrical Groupconcerning crediblehigherlevelpowersupplybusfailures.

CSIDsareshowninAppendixC.Thefinal.partoftheidentification phasewastodetermine whichpowersuppliesandsensorswerecommontomorethanonecontrolsystem.Thiscommonality wasaccomplished usingtheCSIDs.Eachcommonpowersupplyandsensornotedwasthenusedasthefocalpointofaseconddiagram-Commonality Diagram(CD)~Thisdiagrampresented thecommonpowersupplyorsensor,thecontrolsystemsaffected, andthekeycomponents andcircuitsthatarepartofthesecontrolsystems~CDsareshowninAppendixD.'.2AnalsisPhaseThemethodology employedintheanalysisphaseconsisted oftwoparts:FailureModesandEffectsAnalysis(FMEA)andMalfunction Analysis.

TheFMEAtechnique wasusedtogeneratefailureeffectsinformation oneachcontrolsystemasitpertainstoitscommonmode.powersupplyorsensorfailure.Usingtheinformation fromtheCDs,theoveralleffectofthepowersupplyorsensorfailurewasdetermined withrespecttocontrolsystemandplantperformance.

Theresultsofthispartoftheanalysisweredocumented onFMEAformsascontained inAppe'ndix E.Malfunction analysiswasthenperformed usingtheFNEAstodetermine iftheplantconditions generated impactedonplantsafetyandwerewithinthecapabilities ofoperators andsafetysystems.Theconditions generated asperthe ReportNo.02-0160-1102 Revision0PMEAswerecomparedwithChapter15analysisforverificationofplantresponse, operatorresponse, andsafetysystemresponseForthoseplantconditions inwhichplantsafetywasimpactedwithoutappropriate Chapter15analysisandoperatorandsafetysystemcapability verifications, systemmodifications orChapter15analysisrecommendations wereprovided.

ThetablesinAppendixFwereusedasatooltodocumentthemalfunction analysis.

Thisinformation wasthensummarized intheresultssectionofthisreport.

ReportNo.02-0160-1102 Revision0.4.0SUMMARYOFRESULTSThepurposeofthiseffortwastodetermine ifthefailureofcommonpowersuppliesandsensorsfornon-safety gradecontrolsystemscouldimpactonSSESplantsafety.Theresultsofthiseffortaredividedintotwomajorareas:Identification ofkeyelementsControlsystemsthatcouldimpactplantsafetyPowersuppliesandsensorstothesecontrolsystemsCommonpowersuppliesandsensorsforthesecontrolsystems2.AnalysisofcontrolsystemfailureReferenced totheFSAR-Chapter15Withincapabilities ofoperatorandsafetysystemsRecommendations forreanalysis ormodification ifrequiredThissectionprovidesasummaryoftheresultsdetermined byEDSwithrespecttoeachofthetwomajorareas'moredetaileditem-by-item listingoftheresultsiscontained inAppendices BthroughF.4.1Identification Priortoperforming theanalysisonthesubjectcontrolsystemfailure,itwasnecessary tofirstdetermine whichofthoseSSESnon-safety gradecontrolsystemcouldimpactplantsafety.Basedontheplantsafetyfunctions foreachplantoperating modeasdescribed inChapter15andthecontrolsystemsdescribed inChapter7',"ControlSystemNotRequiredforSafety,"thecontrolsystemsthatcouldimpactplantsafetyweredetermined anddocumented asfollows:1~2.3.4,~5.6.~7~8.9~ReactorManualControlSystemRecirculation FlowControlSystemReactorFeedwater ControlSystemPressureRegulator andTurbineGenerator ControlSystemTraversing In-CoreProbeControlSystemReactorWaterCleanupControlSystemRefueling Interlock ControlSystemRodBlockMonitorSystemNuclearPressureReliefControlSystemItshouldbeemphasized thatthislistincludesthosecontrolsystemsthatcouldimpactplantsafety.Actualdetermination ofthosecontrolsystemsthat,infact,doimpactplantsafetywouldbeaccomplished duringthe ReportNo.02-0160-1102 Revision1analysisphaseoftheproject-Documentation ofthesafetyfunctions andcontrolsystemsiscontained intheControlSystemIdentification Diagrams(CSIDs)inAppendixC.BasedonthecontrolsystemscopeasdefinedinChapter7.7,thepowersuppliesandsensorsthatsupporteachofthesecontrolsystemswereidentified.

Thepowersuppliesidentified werethosespecific120VACand125VDCinstrument andcontrolpowersupplies.

Thesensorsidentified werethosesensorsthatprovideinputsintothecontrolsystem.Detaileddocumentation ofthesepowersuppliesandsensorsisalsocontained intheCSIDs.Intheprocessofidentifying controlsystempowersupplies, theCascading PowerSupplyEffectwasalsoadd"essed.

Basedonastudyperformed bythePPGLElectrical Group,itwasdetermined thattheonlycrediblecascading powersupplyfailurepossibleatSSESwasthatcombination of1Y218and1Y219120VACbuses.Thesearetheonlytwoinstrument andcontrolpowersuppliesthatwouldbesubjecttothecascading effectbasedonthedesignoftheSSESelectrical distribution system.Allotherpowersuppliesatahigherlevelarebackedupbyeitheranalternate ACsourceorabattery.Uponcompletion ofthepowersupplyandsensoridentification, powersupplyandsensorcommonality wasdetermined.

Commonality Diagrams(CDs)weregenerated toshowcommonality betweenthosecontrolsystemsidentified.

Atotaloften(10)commonalities weredetermined.

Thesecommonalities formthebasisfortheanalysisphaseoftheproject.TheCDsarecontained inAppendixD.4.2AnalysisTheanalysisofthecontrolsystemsthatcontained commonpowersuppliesandsensorswasaccomplished usingFailureModesandEffectsAnalysis(BREA),thenanalyzing theoverallimpactofeachsystemFMEAontheplant.TheFMEAsweregenerated foreachcontrolsystemasitpertainstothecommonpowersupply.orsensor.ThedetailedresultsofeachFMEAarecontained inAppendixE.BasedontheBKAs,thedetailedanalysisofthesecontrolsystemswasperformed.

Theresultsarepresented hereintwocategories:

(1)Failuresthatcouldimpactplant'afetyrequiring furtheranalysis, and(2)failuresthatcouldimpactplantsafetyaddressed byChapter15/failures thatdonotimpactplantsafety.

ReportNo.02-0160-1102 Revision11.FailuresThatCouldImactPlantSafetReirinFurtherAnalysisEDSanalysisdetermined thatfailureofthepowersupply1D635125VDCcouldimpactplantsafetyandtherefore requiresfurtheranalysis.

ThecontrolsystemsaffectedbythispowersupplyfailurearetheReactorFeedwater andthePressureRegulator andT/GControlSystems.Theconditions thatmaynotbeboundedbyChapter15analysisare,however,isolatedtotheFeedwater Systemonly-specifically theFeedwater FlowControlandReactorFeedwater PumpTurbine(RFPT)TripContxolsub-systems.

Thelossofthispowersupplydoesnotgenerateconditions outsideoftheboundaryofChapter15analysisforthePressureRegulator andT/GControlSystem.Basedondatacurrently available, thesequenceofeventsthatresultfromthelossofthispowersupplyfortheFeedwater Systemisasfollows:a.HM.leoperating at100%reactorpower,theplantexperiences alossof1D635.Thefeedwater flowsignalfromtheBtraininstrumentation poweredby1D635(FlowTransmitter FTlN002BandSRU6)changestozeroduetothelossof1D635-Sincethefeedwater flowsignalsfromtrainsA,BandCazesummed,thetotalfeedflowsignalchangesfrom100%feedflowto67%feedflowsubsequent toreceiving theerroneous zerosignalfromtheB,train.Thisintroduces amismatchbetweensteamflow,whichisstillat100%,andfeedflowwhichisat67%.b.Inresponsetothissteamflow,feedflowmismatch, theFeedwater FlowContxolSystemsendsasignaltothethreeRFPT'stoinczeasefeedflowtomakeupfortheerroneous 33%decxeaseinflow.Actualfeedflowatthispointwouldbeapproximately 135%.cdSinceactualfeedflowissignificantly greaterthanthatrequired, theincreaseinreactorvessellevel~marea'chtheLevel8(highlevel)'tripsetpoint~d-IftheLevel8tripsetpointisreached,atripsignalwillbesenttoRFPTsA,B,andCandtheT/G.RFPTsAandBandtheT/Gtrip.RFPTCfailstotripbecauseitstripcircuitwasdisableduponlossof1D635.

ReportNo~02-0160-1102 Revision1Basedontheassumption thattheLevel8setpointisreachedduetoexcessive feedwater demand,theresulting conditions arenotexplicitly addressed byChapter15-Chapter15statesthattheplantresponsetoaLevel8condition, initiated byexcessfeedflow,shouldincludethetripofallRPPTsandtheT/G.Sincetheconditions generated subsequent tothefailureofRPPTCtotriparenotknown<itcannotbedetexmined iftheplantsystemcapabilities areadequateusingpresentChapter15analysis.

TheoperatordoesretaintheabilitytotakemanualcontroloftheRPPTCtomitigatetheeffectsofitscontinued operation.

TheoperatorwouldbealertedtotherisingreactorvessellevelbytheLevel7alarm.Thiscondition, therefore, appearstobewithinthecapabilities oftheoperator.

Xnordertoresolvethisproblem,EDSrecommends that,first,ananalysis(thermalhydraulic andinstrument) beconducted toverifythattheLevel8setpointwillbereached,basedonthesequenceofeventspreviously postulated.

ZftheresultsofthisanalysisverifythattheLevel8setpointisnotreached,thentheconditions generated bythelossofpowersupply1D635125VDCareinfactboundedbyChapter15analysis'f theLevel8setpointisreached,thentheresulting conditions requirefurtheranalysis.

Porthoseconditions notexplicitly addressed byChapter15analysis, EDSrecommends resolution ofthisproblembeaccomplished inoneoftwoways.Aplantmodification couldbemadetoremovethecommonality betweenthefeedwater flowBprocessinstrumentation (PlowTransmitter andSRU)andtheRPPTCtripcircuit.BasedonEDSfailuremodesandeffectsanalysis, changingtheseinstruments toanalternate powersupplywouldresolvethisproblem.1D615andXD625shouldbeeliminated asalternatives sincetheyprovidepowertotheRPPTAandBtripcircuits, respectively.

EDSrecommends thattheBtraininstruments bemovedtotheACpowersupplythatiscurrently providing powertothePeedwater PlowControlSyst:em-1Y218Breaker13.Theappropriate conversion deviceswouldalsohavetobeaddedinordertoaccountforthechangeover oftheseinstruments fromDCtoAC.Movingtheseinstruments tolY218wouldnotchangetheoveralleffectontheFeedwater PlowControlSystemsubsequent tothelossoflY218-Thesystemeffectsandplantresponseasnotedinthe1Y218PMEAwouldremainthesame~-10 ReportNo-02-0160-1102 Revision1Ztshouldbenotedthatifanypowersupplyotherthan1Y218isselected, theappropriate FailureModesandEffectsAnalysisshouldbeperformed toensurethatanewproblemisnotcreated.Thesecondmethodofproblemresolution wouldbetoanalyzetheconditions generated bythecontinued operation ofRFPTCtoverifythattheplantsystemswill<infact,mitigatetheprobleminspiteofthisnewcondition.

2.FailuresThatZmctPlantSafetyAddressed byChater15/Failures ThatDoNotImpactPlantSafetyTheremaining nine(9)controlsystemcommonalities havebeendetexmined byEDStobeeith'eraddressed byChapter15ortonotimpactplantsafety.Norecommendations foxmodification oranalysisarerequired.

Eachoneissummarized asfollows:a.1D615125VDCThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwater Control,PressureRegulator

-T/GControl,andRecirculation FlowContxol.Theonlyplantsafety-related condition generated bythisfailureisalossofrecirculation flowinLoopAandarecirculation runbackinLoopB.Thiscondition andtheplantresponseiscoveredbyChapter15analysis.

Thiscondition isalsowithinthecapabilities oftheoperator.

Znaddition<

safetysystemresponseisnotrequixed.

b1D625125VDCThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwater Control,PressureRegulator

-T/GControl,Recirculation FlowControl,andtheTraversing Zn-CoxeProbe.Theonlyplantsafety-related condition generated bythisfailureisalossofrecirculation flowLoopB.Thiscondition andtheplantresponseforsingleloopflowarecoveredbyChaptez15analysis.

Thiscondition isalsowithinthecapabilities oftheoperator.

Inaddition, safetysystemresponseisnotrequired-ReportNo.02-0160-1102 Revision0C~1D645125VDCThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwater Controland'ressure Regulator

-T/6Control.Theonlyplantsafety-related condition generated bythisfailureisapotential highreactorvessellevelduetothefailureoftheFeedwater Blevelsensor..Thisfailurecombinedwithmaximumfeedwater flowdemand(worstcase)isaddressed inChapter15.Thisvesselhighlevelcondition iswithinoperatorcapabilities sincemanualcontroloftheReactorFeedwater ControlSystemisstillavailable.

ThesafetysystemsthatrespondperChapter15forthiscondition possessthenecessary capabilities tomitigatetheproblem.'d~lY218120VACThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorFeedwater Contol,ReactorManualControlRecirculation FlowControl,PressureRegulation

-T/6Control,ReactorWaterCleanup,NuclearPressureRelief,andTraversing'n-Core ProbeTheplantsafetycondition generated bythisfailureisapotential highorlowreactorvessellevelresulting fromtheFeedwater ControlSystemfailingatmaximumorminimumdemand.Thefailureofthispowersupplyinvolvesa"speedfreeze"ofthereactorfeedwater pumpturbines(RFPT)~A"speedfreeze"meansthattheRFPTspeedislockedinattheratethatwaspresentpriortothelossofpower.Thisspeedfreezeatmaximumorminimumdemanddirectlyleadstoahighorlowwaterlevel,respectively.

Theplantresponsetothemaximumorminimumfeedflowdemandisaddressed inChapter15.Inthemaximumdemandcondition, aLevel8tripwillresult,eventually leadingtoRFPTtrip,T/6trip,reactorscram,recirculation pumptrip,andHPC1'/RCIC actuation.

Theminimumdemandcondition condition, asperChapter15,willresultinaplantresponseofaLevel3tripfollowedbyaLevel2trip~Thisresultsinareactorscram,recirculation pumptrip,MSIVclosure,T/6trip,andHPCI/RCIC actuation.

12

ReportNo.02-0160-1102 Revision0Themaximumandminimumdemandconditions arewithinoperatorcapabiliti'es.

ThesafetysystemsthatrespondperChapter15fortheseconditions possessthenecessary capabilities tomitigatethisproblem.Itshouldbenotedthatalthoughthecondition generated inbetweenmaximumandminimumfeedflowdemandisnotsafetyrelated,itpreventschangesfrombeingmadeontheReactorManualControl,ReactorFeedwater Control,andtheRecirculation PlowControlsystems'pon lossofpower,eachofthesesystemsremainsintheconfiguration itwasinpriortothelossofpower.Specifically, rodscannotbemovedandfeedwater andrecirculation flowcannotbealtered.Thiscondition isnotbeyondoperatorcapabilities, butshouldbeconsidered whenPPSLisgenerating planttrainingoroperating procedures.

e.1Y219.120VACThecontrolsystemsinvolvedwiththispowersupplyfailurearetheReactorManualControlSystemandtheReactorWaterCleanupSystem.Therearenoplantsafety-related conditions associated withthelossofthispowersupply;therefore, noChapter15analysisisrequired'perator orsafetysystemresponseisnotrequired.

1Y226120VACgoThecontrolsystemsinvolvedwiththispowersupplyfailurearetheNuclearPressureReliefSystemandtheReactorWaterCleanupSystem.Therearenoplantsafety-related conditions associated withthelossofthispowersupply;therefore, noChapter15analysisisrequired.

Operatororsafetysystemresponseisnotrequired.

1Y629120VAC1ThecontrolsystemsinvolvedwiththispowersupplyfailurearethePressureRegulator

-T/6Control,TheanalysisforlY629failureisbasedonT/6solenoidvalvesfailing"asis."Thisassumption hastobemadeduetoalackofspecificreference information.

13 ReportNo.02-0160-1102 Revision0theReactorManualControlSystem,'andthe~Recirculation FlowControlSystem.Theconditions associated withthispowersupplyfailureareaT/6tripatlessthan30%poweroraT/6tripandreactorscramatgreaterthan30%power..Theplantresponseforeithercondition iscoveredbyChapter15analysis'oth theT/6tripandthereactorscramarewithinoperatorcapabilities.

These.conditions arealsowithinthecapabilities ofthesafetysystems,including Scram,,HPCI,

'andRCIC,asperChapter15.Feedwater FlowElements-FElNOOlA,B,CThecontrolsystemsinvolvedwiththissensorfailurearetheReactorFeedwater ControlandtheRecirculation Control~Theplantsafetycondition generated bythisfailureisapotential highorlowreactorvessellevelresulting fromtheFeedwater ControlSystemfailingatmaximumorminimumdemand.Thisfailureiscausedbyonefeedwater flowelementfailingsuchthateitherahighfloworlowflowsignalisgenerated.

Theplantresponsetothemaximumorminimumfeedflowdemandisaddressed inChapter15.Inthemaximumdemandcondition, aLevel8tripwillresult,eventually leadingtoRFPTtrip,T/6trip,reactorscram,recirculation pumptrip,andHPCI/RCIC actuation.

Theminimumdemandcondition condition, asperChapter15,willresultinaplantresponseofaLevel3tripfollowedbyaLevel2trip~Thisresultinareactorscram,recirculation pumptrip,MSIVclosure,T/6trip,andHPCI/RCIC actuation.

Themaximumandminimumdemandconditions arewithinoperatorcapabilities

~Thesafetysystems-thatrespondperChapter15fortheseconditions possessthenecessary capabilities tomitigatethisproblem.Itshouldbenotedthataflowelementfailurecausedbyamechanical problem(i.e.,cloggingatthesensinginletoroutlet)wouldtakeplaceoverarelatively longperiodoftimeFlowdegradation shouldbenotedthroughroutineflowindication monitoring'4 ReportNo.02-0160-1102 Revision0i.CascadinPowerSu1Effect-lY218and1Y219120VACInanalyzing theSSESelectrical distribution system,itispossiblethatafailureinpowersupply1X219couldcausepowersupply1Y218tofail,aswell,sinceitsuppliespowertolY219.Thefailureofahigherlevelpowersupplyduetoafailureofacorresponding lowerlevelpowersupplyisdefinedastheCascading PowerSupplyEffect.ThecombinedfailureoflY218and1Y219doesnotinvokeconditions notalreadycoveredintheanalysisofeachofthesepowersuppliesinsub-paragraphs (d)and(e)respectively.

Thiscombinedfailureis,therefore, boundedbyChapter15analysisandwithinthecapabilities oftheoperatorandsafetysystems.Nootheranalysisisrequired.

15

.

5.0REFERENCES

ReportNo.02-0160-1102 Revision0Thefollowing isthelistofreferences usedduringthisproject:5.1GeneralInformation Susquehanna SteamElectricStation,Units1and2,FinalSafetyAnalysisReport,Pennsylvania PowerandLightCompany,Volumes1-17,Revision23,6/81.5'SstemDescritiveReferences ReactorFeedwater ControlSstemInstruction Manuals4110and4125,Alphaline PressureTransmitters AbsoluteandGage,Models1151APand1151GP,Rosemount.

2~3.5.6.7~8.Indicating

Switches, LiquidLevel-Differential Pressure-Plow Rate,Product/Bullet, in288A/289A, ITTBarton.BaileyServiceManual,Type771NarrowRollStrip-Chart Recorder(4577Kll-300A)

BaileyPartsManual,Type771,772,and773Strip-Chart Recorders, (4577Kll-350)

~Operating andInstruction Manual,StaticInverterModelN250-MRS-125-60-115, TopazElectronics, October1974.Information aboutthe(OrificePlate)BoreCalculation, Vikery-Simms, Inc.,VSIJobNo~-N-1053andN-1175.OrificeBoreCalculation LiquidFlow,Vike~-Simms, Inc.,2/23/76.PressureSwitchesPartsPriceList,Code1BourdonTube,Barksdale (Bulletin No.671221-B),

January1,1973.9.BaileyServiceManual,Type745SingleandDualAlarm,.(4574K15-300F

)~.10~BaileyServiceManual,Type754FunctionGenerator, (4575K14-300A).

llewBaileyInstallation Manual,Type754FunctionGenerator, (4575K14-001).

ReportNo'.02-0160-1102 Revision012~BaileyInstructions, Type760001VoltageSignalSources,(4576K10-001).

13'aileyServiceManual,755DynamicCompensator, (4575K15-300B).

14..Bailey Difference Data,Type755DynamicCompensator Cat~No~50-755010AAAA1NAB (4575K15-003).

15~16.BaileyInstallation Manual,Type701BasicController,

(.4570K11-001A).

Susquehanna 1,Operations andMaintenance Instructions, Feedwater ControlSystem,GeneralElectric(GEK-73592A),

April,1981.Recirculation FlowControlSstem2.3.4~5.7~8.9~10.Susquehanna 1,Operations andMaintenance Instructions,

.Recirculation FlowControlSystem,GeneralElectric(GEK-73590),

February, 1979.BaileyServiceManual,Type724LogicUnit,(4572K14-300B).

BaileyInstallation Manual,Type745SingleandDualAlarm,(4574K15-001A).

BaileyServiceManual,Type745SingleandDualAlarm,(4574K15-300F).

BaileyInstallation Manual,Type752TwoInputandFourInputSummers,(4575K12-001B)

.Installation andOperating Instructions, Regulated DCPowerSupplies, GeneralElectric(GEI-54440).

BaileyInstallation Manual,Type744Difference Alarm,(4574K14-001).

BaileyInstallation Manual,Type720UtilityStations, (4572K10-001)-

BaileyServiceManual,Type720UtilityStations, (4574K10-300).

BaileyInstructions, Type766SignalResistorUnitsCat~No.766--*,(4576K16-007A).

17 ReportNo.02-0160-1102 Revision012.13'4.15~BaileyInstallation Manual,Type724LogicUnit,(4572K14-001).

BaileyInstallation Manual,Type740Millivolt Converters, (4574K10-001A).

BaileyServiceManual,Type723Proportional andDelayUnit,(4572K13-300).

BaileyInstallation Manual,Type723,Proportional andDelayUnit,(4572K13-001)

.BaileyInstallation Manual,,Type746SignalLimiter,(4574K16-001A)-

16'BaileyInstallation Manual,Type722ManualUnit,(4572K12-001).

17'8.19~20.21.22.23.24.BaileyServiceManual,Type722ManualUnit,(4572K12-300A).

BaileyInstallation Manual,Type721ControlUnit,(4572K11-001).

BaileyServiceManual,Type721ControlUnit,(4572K11-300).

ACRPanels120/125Vand24VFeederTabulation, Susquehanna Project,BechtelPowerCorporation, Electrical SchemeGroup,June22,1981.Instructions forOperation, Installation, Maintenance, andCalibration, Electronic FlowTransmitter 73G-0049M, Ametek/Schutte sKoerting(74S-0269M-001),

July,1974.I'nstruction Manual,(4104/4126)

Model1151DPAlphaline, Differential andHighDifferential PressureTransmitters, Rosemount (8856-J03-A-25-1).

BaileyServiceManual,Type751Sealer,(4575K11-300F).

IEEEGuideforGeneralPrinciples ofReliability AnalysisofNuclearPowerGenerating StationProtection Systems,IEEEStandard352-1975.

ReactorWaterCleanuSstemSusquehanna 1,Operation andMaintenance Instructions, ReactorWaterCleanupSystem,GeneralElectric(GEK-73608),

February1979.18 Repox'tNo.02.-0160-1102 Revision0PressureReulatorandT/GControlSstemGenerator Protection, GeneralElectxic(GEK-75512A),

November, 1980.2~3~4~5.7~8.9-10.BasicFunctions ofElectrohydraulic Control(EHC)System,Nuclear(BoilingWaterReactor)Units,GeneralElectric(GEK-17911)

~Protection System-Electrohydraulic Control,BasicFunctions, GeneralElectric, (GEK-11366).

SpeedControlUnit,(Fossil-Baseload, BWR,PWR),GeneralElectric(GEK-11381E).

tInstructions, EHCLineSpeedMatcher,GeneralElectric(GEK-17910A)

~Instructions, Description ofLoadControlUnit(BWR),GeneralElectric, (GEK-37946).

LoadControlUnit,LoadReference

Circuits, NuclearUnits,GeneralElectric(GEK-17864A).

Instructions, LoadLimitCircuitsandLogic,(BWR),GeneralElectric,'(GEK-17863B)

~Instructions, Chest/Shell WarmingCircuitsandLogic,3or5LightConfiguration, Nuclear-BWR, GeneralElectric, (GEK-46351B)

.Rosemount PressureTransducer Model1104A,(GEK-37803).

12-13~14-15~CurrenttoVoltageConverter, GeneralElectric, (GEK-25580).

Instructions, RateSensitive PowerLoadUnbalance CircuitandRelays,(Nuclear),

.GeneralElectric, (GEK-37959A).

FlowControlUnit,GeneralElectric, (GEK-25588).

ValveTestLogic,(BWR),GeneralElectric, (GEK-37941)

.Pressux'e ControlUnit,(BWR),GeneralElectric, (GEK-17885A)

~16.TurbineInitialPressureRegulator andControlSystem,BypassControlUnit,GeneralElectric,;

(GEK-17880).

19

ReportNo.02-,0160-1102 Revision017.18.19.20.21'urbineInitialPressureRegulator andControlSystem,Automatic LoadFollowing Signal,GeneralElectric, (GEK17881)~Automatic PressureSet-Point Adjust,GeneralElectric, (GEK-17882A).

Instructions, ElectricAlarmandTripSystem,GeneralElectric, (GEK-11367C)

.FirstHitCircuitry, GeneralElectric, (GEK-25557)

.ProtectiveSystem-Electrohydraulic Control,BasicFunctions, GeneralElectric, M-392,1971.22.ElectricAlarmandTripSystem,GeneralElectric, M-3931971.23.Electrical PowerSupplies, GeneralElectric, M-399,1971.24.25.26.27.Instructions, TestingoZtheOverspeed TripSystem,GeneralElectric, (GEK-11383C).

BackupOverspeed Trip,Electrohydraulic ControlSystem,GeneralElectric, (GEK-17978A).

Instructions, Electrical PowerSupplies, EHCSystem,GeneralElectric, (GEK-25540A).

Instruction ManualandPartsListModel730and751SeriesLiquidLevelControls, Bulletin:

46-612,Magnetrol International, April1976.Traversin In-CoreProbeSstem2.3.Preliminary, Susquehanna 1and2,Operation andMaintenance Instructions, Traversing In-CoreProbeCa'libration System,GeneralElectric(GEK-73601A),

February1981.Operation andMaintenance Instructions, IndexingMechanism 791E241G4 (GEK-73601A),

February1981.Operation andMaintenance Instructions, DriveMechanism 706E263G13, G14,G15,andG16,GeneralElectric(GEK-39600D),

March1980.20 ReportNo.02-0160-1102 Revision04..Operation andMaintenance Instructions, ValveControlMonitor112C3706G8, G10,andG12,GeneralElectric(GEK-34668D),

February1980.5.Operation andMaintenance Instructions, ValveControlMonitor112C3706G7, G9,andGll,GeneralElectric(GEK-34573E),

October1979.ReactorManual'ControlSstem1.Susquehanna 1and2,Operation andMaintenance Instructions, ReactorManualControlSystem,GeneralElectric(GEK-73596A),

April1981.2.Susquehanna 1,Operation andMaintenance Instructions, ControlRodDriveHydraulics, GeneralElectric(GEK-73595A),

March1981.NuclearPressureReliefSstem1.Susquehanna 1,Operation andMaintenance Instructions, Automatic Depressurization System,GeneralElectric(GEK-73602),

February1979.5.3SstemDrawingsGeneralReferences GeneralElectricBechtel8856-Ml-H12-877 SH1-10E-10SH1-3E-42SH14-19,SH21-22E-64SH17gSHll28ReactorFeedwater ControlSstemGeneralElectricBechtel8856-Ml-C32-17 SH1-68856-M6-3 SH11E-126SH1-2J-127SH7,9j-427SH3M-106M-127SH1-2E-114SH1-2E-127SH6Recirculation FlowControlSstemGeneralElectricFF116510SH1101-1103

  • 8856-Ml-B31-178 SH1-218856-Ml-B31-189 SH1-58856-Ml-B31-275 SH1-2121 ReportNo.02-0160-1102 Revision00Recirculation PlowControlSstem(cont'd)BechtelM-103M-105M-106M-115M-140M-143E-129SH17J-105SH1-10J-106SH1-11J-115SH1-11J-406"SH2J-410SH4ReactorWaterCleanuSstemGeneralElectricBechtel8856-Mj-G33-140 SH1-5M-144PressureReulatorandT/GControlGeneralElectricBechtelTraversin In-CoreProbeGeneralElectricBechtel8856-M2J-6 SH1-398856-M2J-10 SH18856-M2J-34 SH1-38856-M2J-39 SH1-78856-M2J-40 SH1-108856-M2J-112 SH1-7E>>101SH4E-illSH1-4E-120SH1-8E-121SH1-4E-122SH1-4M-101791E413SH1-5*E-177SH4,8ReactorManualControlSstemGeneralElectricBechtel8856-Ml-C12-108 SH1,28856-Ml-C12-110 SH1-9,SH11-12,SH14-32'H35-36E-158SH1-3E-169SH2-4M-146M-147 ReportNo.02-0160-1102 Revision0NuclearPressureReliefSystemGeneralElectricBechtelRefuelinInterlock PGeneralElectricRodBlockMonitoring Bechtel8856-B21-'129 SH1-8E-180SH1-8M-141M-1428856MlC12110SH19gSHll12'H14-32,SH35-368856-Ml-F21-52 SH1-19E-157SH1-6E177SH1I3ISH48'Note:Bechteldrawingnumberswereusedexceptwherenotedbyanasterisk.

AnasteriskwillindicateaGeneralElectricnumber.23

Retrieved from "https://kanterella.com/w/index.php?title=ML17139B885&oldid=752613"