ML20071A431

Rev 1 to Reactor Protection Sys, Draft Chapter to PRA
ML20071A431
Person / Time
Site: Indian Point, 05000000
Issue date: 04/10/1981
From:
PLG, INC. (FORMERLY PICKARD, LOWE & GARRICK, INC.)
To:
Shared Package
ML20071A408 List:
References
FOIA-82-626 PRA-810410, NUDOCS 8302240100

Pickard, Lowe and Garrick, Inc.
INDIAN POINT PRA

April 10, 1981 - REV 1

DWS '

INDIAN POINT 3

REACTOR PROTECTION SYSTEM

A. SUMMARY

A.1 INTRODUCTION

The reactor protection system (RPS) is evaluated in the context of a small LOCA or plant transients. The function of the RPS is to protect the core from overpower conditions resulting from infrequent transients.

The analysis is carried out under the following conditions:

• The conditions in the plant require a reactor scram.
• No operator action is taken to scram the plant.

A.2 RESULTS

Table 1, "Reactor Protection System Failure to Scram," presents the results of the analysis of the RPS for Indian Point 3. The analysis has revealed the following dominant contributors to RPS failure:

| Contributor | Mean |
| Random coincident failures of two trains of the trip system (50%) | 2.1 x 10^-5 |
| Failure of the rod control cluster assemblies to enter the core (24%) | 9.2 x 10^-6 |
| Failures while in test or maintenance (23%) | 8.9 x 10^-6 |

A comparison of the results of this analysis and the RPS analysis of the Reactor Safety Study, WASH-1400, is presented below.

| Failure to Scram | Indian Point 3 | WASH-1400 |
| 5th | 6.0 x 10^-7 | 1.3 x 10^-5 |
| Median | 6.5 x 10^-6 | 3.6 x 10^-5 |
| 95th | 1.7 x 10^-4 | 1.0 x 10^-4 |

046SA040781/1

A.3 CONCLUSIONS

The failure of the RPS is dominated by random coincident failures in the logic trains, predominately wiring faults, and reactor trip breaker failures. Operator action to manually scram the plant bypasses all logic train failures (except reactor trip breaker failures). By locally opening the output breakers of the rod drive motor generator sets, failure of the reactor trip breakers can be corrected.

Failure of the rod control cluster assemblies (RCCA) to insert is not immediately correctable with operator action; however, the mean frequency of this event occurring is 9 x 10^-6 per demand, which equates to one failure to scram due to RCCA multiple failures about every one hundred thousand demands.


B. SYSTEM DESCRIPTION

B.1 SYSTEM FUNCTION

The reactor protection system (RPS) and the engineered safety features (ESF) make up the protective systems of Indian Point 3. The RPS performs the following primary functions:

• Protects the reactor core against fuel rod cladding damage caused by departure from nucleate boiling or high power density.

• Protects against reactor coolant system damage caused by high primary system pressure.

• Protects the reactor coolant system from sudden loss of its heat sink through the steam generators.

• In conjunction with ESF, detects a failure of the reactor coolant system and initiates actions to mitigate the consequences of the accident.

A simplified block diagram of the RPS is presented in Figure 1. Figure 2 presents a simplified system arrangement diagram. Figure 3 presents a typical reactor trip breaker schematic diagram.

B.2 SYSTEM OPERATION

The RPS utilizes trip signals from various process sensors to deenergize undervoltage devices in two series-connected reactor trip breakers.

The reactor trip breakers open and remove power from the control rod drive mechanism magnetic coils. When power is removed from the magnetic coils, the rod control cluster assemblies fall into the active fuel region of the reactor core; thereby inserting negative reactivity and making the reactor subcritical.

The parameters measured by the process instrumentation and their associated scram setpoints are presented in Table 2. Also included in Table 2 is the required scram logic for the process sensors; for example, two out of four indicates at least two trains out of four available trains must indicate that a scram condition exists before a scram signal is generated.

The process instrumentation is separated into a number of trains (maximum of four trains) with each train receiving power from a different 120 VAC instrument bus. Upon loss of power, an instrumentation train is designed to fail in the mode that generates a scram signal.

The signal generated in the instrumentation loop is sent to the trip bistable for that loop. As the setpoint is reached, the bistable changes state from on to off which deenergizes the associated train logic relays in the reactor protection logic racks. In addition to the instrument loop bistable, the loops also provide indication, alarm, and interlock functions.

There are two trains of actuation logic. Each reactor trip bistable drives two relays, one in each actuation logic train. The logic trains are duplicates of each other and are physically separated.

The logic trains are energized from separate 125 VDC buses. Loss of power from a 125 VDC bus deenergizes the undervoltage trip device in the reactor trip breaker, causing the reactor trip breaker to open.

The scram logic relay contacts are arranged in a matrix to develop the required logic configuration for each reactor trip signal. The output of a logic matrix is fed to two reactor trip relays arranged in parallel. The parallel arrangement prevents a scram from a failed open trip relay. There are eight parallel reactor trip relay sets. These sets are arranged as shown in Figure 2. The logic matrices supplying each set of reactor trip relays is presented in Table 3.

Each logic train energizes the undervoltage trip device in two reactor trip breakers. The two reactor trip breakers and the two trip bypass breakers are arranged in a series-parallel arrangement as shown in Figure 1. During normal operation, reactor trip breakers RTA and RTB are closed and power from the rod drive motor generator sets must pass through both trip breakers. During testing, a trip bypass breaker, either BYA or BYB, is closed to allow testing of the associated reactor trip breaker. In this condition, a single logic train supplies both the normal reactor trip breaker and the opposite trip bypass breaker. This arrangement allows one logic train to be tested to the reactor trip breaker. The trip bypass breakers are electrically interlocked to prevent more than one bypass breaker from being closed at a time. If one bypass breaker is closed, closing the other bypass breaker causes both bypass breakers to trip.

The reactor trip breakers are operated by 125 VDC from separate DC sources. To close a reactor trip breaker or trip bypass breaker, DC power must be available and the undervoltage coil must be energized.

Manual reactor trip is provided by two trip switches in the control room. These switches deenergize the trip breaker undervoltage coils through the logic system and energize separate trip coils which are part of the breaker control circuit. An individual trip switch for each breaker at the breaker panels mechanically trips the reactor trip or reactor trip bypass breakers.

Power from the rod drive motor generator sets is supplied through the reactor trip breakers to the rod control panels. The rod control panels convert the power from AC to DC and distribute it to the individual control rod drive mechanisms. During normal operation the control rods are fully withdrawn from the reactor core and the stationary gripper coils are energized from the rod control panels. Upon a loss of power, all coil assemblies are deenergized, the stationary gripper latches disengage from the control rod drive shaft, and the control rod drive shaft and rod control cluster assemblies drop into the active core region, thus shutting down the reactor.

B.3 TECHNICAL SPECIFICATIONS

The plant technical specifications identify:

• The maximum or minimum trip setpoints.

• The frequency of testing of the various RPS components.

• The number of out-of-service instrumentation or logic channels.

• Limits on the number of channel tests that may be performed at the same time.

B.4 SUPPORT SYSTEMS

The RPS is independent of any supporting systems.

B.5 INTERFACING SYSTEMS

The RPS interfaces with the 120 VAC instrument power supply system and the 125 VDC battery power system.

The instrument buses supply power to the RPS instrument trains as shown in Table 4. Table 4 also shows the battery system supplies to the RPS logic trains and the reactor trip and bypass breakers.

B.6 TESTING AND MAINTENANCE

The various components in the reactor protection system undergo periodic testing and surveillance. Maintenance is performed as required.

1. The process instrumentation trains are periodically tested to satisfy plant technical specifications as indicated below:

a. Train checks are performed every shift (8 hours). A train check is a qualitative determination of acceptable operability by observation of the instrument behavior during operation.
b. Train functional tests are performed monthly. A train functional test involves the injection of a simulated signal(s) into the train to verify operability, including alarm and/or trip initiating signals.
c. Train calibration for the instrumentation loops is performed during refueling outages. Train calibration is the adjustment of train output(s) such that it responds, within acceptable range and accuracy, to known values of the parameter(s) which the train monitors. Calibration encompasses the entire train, including all train outputs, and includes the train functional test.

2. The reactor protection logic trains are periodically tested to satisfy plant technical specification requirements as indicated below:

Logic Train Functional Test. Logic train functional tests are performed monthly. A logic train functional test is the application of input signals, or the operation of relays or switch contacts, in all the combinations required to produce the required decision outputs including the operation of all actuation devices. For the reactor protection system logic trains, the actuated devices include the reactor trip breakers. During the logic train test the bypass reactor trip breaker for the logic train under test is racked into position and closed. Testing of the train then proceeds with the final actuation device, the reactor trip breaker, tripping as the required trip logic is made up. After the first trip actuation, the reactor trip breaker remains open, and the required logic actuation is verified by test lights. This testing normally requires 6 hours per train with a range of 4 to 8 hours. The histogram presented below is based on discussions with plant personnel and presents the frequency distribution of test duration.

[Histogram: frequency distribution of logic train test duration; horizontal axis: Duration (hours)]

The mean duration from the above histogram is 6.15 hours. Since the tests are performed once per month, this histogram leads to an unavailability distribution characterized by the following mean and variance:

Mean: (6.15 hrs./month) / (720 hrs./month) = 8.54 x 10^-3 (single train unavailability due to test)

Variance: 1.79 x 10^-6

3. The rod drive mechanisms and rod control cluster assemblies are exercised biweekly if no other rod insertion has occurred during the past two-week period to ensure freedom of movement and to satisfy technical specification requirements.

B.7 OPERATOR INTERACTION

Operator action to manually scram the plant is excluded from this analysis. Operator errors during calibration are quantified in Section D.4, Common Cause Failure.

B.8 COMMON CAUSE EFFECT

The logic and instrumentation cabinets associated with the RPS are located in the control room behind the flight panels at Indian Point 3. The reactor trip breakers and the rod drive motor generator sets are located at elevation 15' of the control building.

Common generic components of the RPS are supplied by the same manufacturers, are subject to common test and maintenance procedures, and have common susceptibility to secondary causes of failure (grit, moisture, vibration, etc.).

Further discussion of the effects of common cause failures on system failures is presented in Section D.4 of this analysis.

C. LOGIC MODEL

C.1 TOP EVENT

The fault tree is developed for the event "Reactor Protection System Failure to Scram." This event appears in the small LOCA event tree and all transient event trees.

C.2 SYSTEM FAULT TREE

Figure 4 presents the fault tree developed for the RPS. The tree identifies the hardware failures that must occur to fail the RPS. Discussion of these events is presented in Section D of this report.

The fault tree was developed for the event "Turbine Trip Without Bypass." All other transient events which require RPS action have similar fault tree logic.

C.3 FAULT TREE CODING

Table 5 identifies the basic events and the basic event coding that was used in this analysis. Also included in Table 5 are the failure rates associated with the basic events.

D. QUANTIFICATION

D.1 SINGLE FAILURES

Three single failures are identified and defined for the RPS. These defined events are:

• Reactor Core Misalignment Causes Rod Not to Insert. For the small LOCA and the transient event trees that require RPS action the probability of this failure occurring is quantitatively insignificant (< 10^-8) and does not contribute to system failure to scram.

• Wiring Fault Provides Sufficient Power to Hold RCCAs in Position. The rod drive motor generator sets supply three phase, nonsynchronous power to the rod control panels through the reactor trip breakers. No power source exists at the plant that is capable of being paralleled with the rod control power. In addition, the bus itself is completely metal enclosed from the rod drive motor generator sets to the rod control panels. For these reasons, the probability of this failure occurring is quantitatively insignificant (< 10^-8) and does not contribute to system failure to scram.

• Rod Control Cluster Assemblies Fail to Insert. In NUREG/CR-1331 a review of Licensee Event Reports for control rods and drives is presented. Our use of this report is presented below.

There have been three reported failures of rod control cluster assemblies (RCCAs) to fully insert* during a reactor scram condition for Westinghouse pressurized water reactors for the period reviewed. Using the data from NUREG/CR-1331, there were 50,987 individual rod demands (number of rods per plant times the number of scrams per plant) in this period. This data is used to establish a prior population variability distribution. For Indian Point 3 there have been zero failures in 1,908 demands (through June, 1980). A population variability analysis and update based on Indian Point 3 experience was performed. The results of this procedure lead to the following mean and variance for the rate of failure of an individual RCCA to insert on demand:

Mean: 4.72 x 10^-5

Variance: 4.92 x 10^-9

Using the binomial probability theorem, the probability of any two or more RCCAs not fully inserting on demand is:

Mean: 9.19 x 10^-6

* Fully insert is defined as inserting to 96% position.

This result describes the random coincident failure of two or more rods. We must note however, that failure of two RCCAs to insert does not constitute failure to scram. In fact, failure of ten to twenty RCCAs to fully insert would probably not constitute failure to scram as those RCCAs that do insert may reduce power sufficiently to allow mitigation of the accident.

With respect to common cause failures, we are only considering here failures of the RCCAs themselves; the logic, instrumentation and the trip breaker contributions to common cause failure are considered in Section D.4 of this analysis. We have for evidence the fact that there has not been a multiple rod failure to insert during scram in Westinghouse reactors. (From NUREG/CR-1331: zero multiple rod failures in 1,110 scrams and zero multiple rod failures in 50,987 individual rod scrams.) We cannot envision any credible mechanism by which such a common cause failure could occur for the events of interest (external events, such as earthquake, are treated separately in this report). Common mechanisms for such common cause failures as wearout or manufacturing defects are possible; however, the following points should be made:

• During refueling, the drive mechanisms and RCCAs are inspected and replaced if excessive wear or other unusual conditions are present.

• If these mechanisms for failure exist they will occur in the plants with similar mechanisms that have been on-line for a longer period of time than Indian Point 3.

For the above reasons we assign as the probability of multiple rod failures to insert during scram, the value obtained from the binomial theorem for failure of two or more rods to fully insert on demand, of:

Mean: 9.19 x 10^-6

Variance: 5.58 x 10^-9

D.2 DOUBLE FAILURES

Double failures consist of failures in RPS train A and train B. The quantification for a single train and the train combination are presented below.

Train A consists of the following basic components:

• Reactor Trip Breaker A - RTA.

• Reactor Trip Bypass Breaker A - BYA.

• Logic Train A, which consists of the logic matrix and trip relays for Train A.

• Wiring for the logic train and trip breakers.

Train B contains similar components.

NOTE: The analog instrumentation system is common to trains A and B. Discussion of the effect of failure of the instrumentation portion of the RPS is discussed in Section D.2.1.f.

The train arrangement simplifies the calculations for system failure. A train can be thought of as a block of series connected basic events; failure of any one basic event results in train failure. Quantification of the basic events is presented below.

1. RTA fails closed. Based upon a review of plant data, the probability of this event occurring is:

Mean: 1.17 x 10^-3

Variance: 8.86 x 10^-5

2. BYA fails closed. This event is separate from the test or maintenance condition where the bypass breakers are intentionally closed to facilitate testing.

(NOTE: Because the bypass breakers are manually operated, normally open, racked out, and locked in the racked out position, no probability of failure is assigned.)

3. Logic train A failures. This event consists of logic matrix failures or trip relay failures.

a. Trip relay failures. Our mean and variance for the probability of failing to open for a trip relay is:

Mean: 6.28 x 10^-6

Variance: 2.49 x 10^-11

Failure of a single trip relay to open on demand does not cause system failure. Although the relays for a particular scram are arranged in parallel, diversity of scram signals requires coincident failure of two or more relays in series. This results in a mean and variance for trip relay contribution to RPS failure of:

Mean: 6.33 x 10^-11

Variance: 2.28 x 10^-20

b. Logic matrix failures. The logic matrices for the reactor trip signals consist of groupings of contacts which are opened by relays actuated by the analog instrumentation system. Failure of these relays to open will result in matrix failure. From (@AY the minimum number of relay failures that will cause failure of a logic matrix is two for the small LOCA and transient events under consideration. These relays are similar to the reactor trip relays and the same mean and variance for two relays failing to open on demand is assigned. Diversity of scram signals requires coincident failure of two or more logic matrices in order to fail the RPS logic. The coincident failure of two matrices occurs with a mean frequency of:

Mean: 2.68 x 10^-20

This value is insignificant when compared to other causes of RPS failure.

4. Wiring faults leading to RPS failure. Two general locations exist for possible wiring faults that fail the RPS.

a. Wiring shorts to power. Undervoltage trip coil: a wiring short to power in the portion of the reactor trip circuit that supplies the undervoltage trip device could result in power being maintained to this trip device when a reactor trip is demanded. Our mean and variance for this event is:

Mean: 3.22 x 10^-6 failures per hour

Variance: 8.96 x 10^-11

To determine the contribution to system failure, we must convert from a probability of failure per hour to a frequency of failure on demand. The fault detection time (MTTR) for this event is one half the test cycle (t = 360 hours). This results in the following frequency of failure on demand due to wiring shorts to power:

Mean: 1.16 x 10^-3

Variance: 1.16 x 10^-5

b. Wiring shorts to ground. WASH-1400 postulated nine possible locations where a possible short to ground would result in failure of the RPS. Our review of the RPS did not reveal a location where a single wiring fault to ground results in failure of the system, due primarily to the fact that the RPS logic and breaker power supplies are ungrounded. To set up a parallel loop which would bypass contacts and maintain current flow, at least two shorts to ground in the correct location are required. Our mean and variance for this event is:

Mean: 7.52 x 10^-6 failures per hour

Variance: 4.88 x 10^-10

To determine the contribution to system failure, we must convert from a probability of failure per hour to a frequency of failure on demand. The fault detection time (MTTR) for this event is one half the test cycle (t = 360 hours). This results in the following frequency of failure on demand due to a single wiring short to ground:

Mean: 2.71 x 10^-3

Variance: 5.63 x 10^-5

For two faults to ground we obtain for mean and variance:

Mean: 5.77 x 10^-5

Variance: 3.35 x 10^-6

And for nine possible locations we have:

Mean: 5.20 x 10^-4

Variance: 4.43 x 10^-4

The total contribution to train failure due to wiring faults is the sum of wiring faults to power and wiring faults to ground, which is:

Mean: 1.68 x 10^-3

Variance: 5.41 x 10^-5

5. For Train A failure using DPD arithmetic we have:

Q_Train A = Q_RTA + Q_BYA + Q_Logic + Q_Wiring to power + Q_Wiring to ground

and

Q_Train A = 2.85 x 10^-3

σ²_Train A = 7.06 x 10^-5

Train B mean and variance are the same. For the double contribution to RPS failure, we have:

Q_AB = 2.08 x 10^-5

σ²_AB = 3.18 x 10^-9

6. To this value we must include the probability of failure of the instrumentation trains. We use for the probability of a single instrument train failing to provide a trip signal, λ = 1 x 10^-4 failures per demand. We take the value as a median value and assign an error factor of 10 to express our uncertainty concerning this value. Taking the values obtained with this error factor as our 5th and 95th percentiles we obtain for a single instrument train failure the following mean and variance:

Mean: 2.66 x 10^-4

Variance: 4.32 x 10^-7

As was the case for logic matrices failure, we must fail at least two out of three instruments to cause a single scram signal failure. For two instruments failing we have for mean and variance:

Mean: 4.61 x 10^-7

Variance: 1.43 x 10^-10

Scram signal diversity requires failure of two or more different instrumentation groups. For failure of two instrumentation groups we have the following mean value:

Mean: 1.43 x 10^-10

which is insignificant when compared to other causes of RPS failure.

D.3 TEST AND MAINTENANCE FAILURE

The test contribution to RPS failure is obtained by multiplying the unavailability of a single train due to test times the probability of wiring faults in the other logic train. This results in a mean and variance of:

Mean: 4.44 x 10^-6

Variance: 3.34 x 10^-9

For the total system contribution we must double the contribution of a single train. This results in the following mean and variance:

Mean: 8.87 x 10^-6

Variance: 1.34 x 10^-8

Maintenance on the RPS is not quantified for the following reasons:

• The components requiring the most maintenance are those located in the logic trains. Prior to performing maintenance on a component in the logic train, the associated trip relay is placed in the "tripped" condition which sets up part of the logic matrix required for scram signal development. This maintenance does not affect the RPS analysis.

• Maintenance on the reactor trip breakers occurs infrequently. If we assume one maintenance act per year lasting for four hours, the resulting unavailability due to maintenance is 1/12 the contribution due to testing. This does not significantly affect the results of the system analysis.

D.4 COMMON CAUSE FAILURE

D.4.1 INSTRUMENT TRAIN MISCALIBRATION

There is a potential for common miscalibration errors to be applied to all instruments of a particular set. During the periodic calibrations, a single technician or group of technicians perform the tests necessary to ensure instrument accuracy. These tests are usually performed sequentially among identical trains. This leads to an extremely close coupling between the acts. However, most calibration activities, even if performed in error, do not result in an instrument that fails to provide a trip. In addition, the diversity in the types of instruments that provide trip signals limits the effect of these common cause miscalibrations. If we take the value of a single instrument train failing, 2.66 x 10^-4, as the probability of common cause miscalibration of a set of instruments, failure of two sets of instrumentation due to miscalibration of this type would result in a mean and variance of:

Mean: 4.61 x 10^-7

Variance: 1.43 x 10^-10

This value is used as the probability of common cause miscalibration errors.

D.4.2 MONTHLY LOGIC TRAIN TESTING

During the monthly logic train testing, it can be seen from the fault tree that a single logic train failure can cause failure of the RPS. Both trains of logic are tested sequentially which, in principle, could introduce common cause coupling between the trains. However, the logic testing does not involve the changing of trip set points or logic arrangements. For this reason, these testing failures are treated as independent events which do not affect system unavailability.

D.5 SYSTEM QUANTIFICATION

The probability of the RPS failing to scram on demand is presented below:

Q_RPS = Q_Singles + Q_Doubles + Q_Test and Maintenance + Q_Common Cause

= 3.93 x 10^-5

σ²_RPS = 1.78 x 10^-8

Table 6 summarizes the results of the quantification of the RPS by cause.
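
The point-value arithmetic behind several of the means quoted in Sections B.6 and D, as an added example that is not part of the original report. It assumes a lognormal distribution for the error-factor step and combines means only, because the report's variances come from DPD arithmetic that is not reproduced here; the function names are illustrative.

```python
"""Point-value check of means quoted in Sections B.6 and D (added example).

All inputs are values printed in the report. Only means are combined here;
the report's variances come from DPD arithmetic, which is not reproduced.
"""
import math
from statistics import NormalDist

Z95 = NormalDist().inv_cdf(0.95)  # ~1.645, standard normal 95th percentile


def lognormal_moments(median, error_factor):
    """Mean and variance of a lognormal given its median and error factor.

    Assumption (not stated on the page): the distribution is lognormal and
    the error factor is the ratio 95th percentile / median.
    """
    sigma = math.log(error_factor) / Z95
    mean = median * math.exp(sigma ** 2 / 2)
    variance = mean ** 2 * (math.exp(sigma ** 2) - 1)
    return mean, variance


def demand_unavailability(rate_per_hour, test_interval_hours):
    """Per-demand failure frequency for a fault found only at the next test.

    The fault detection time is half the test cycle (t = 360 h for a
    720 h monthly test), so Q = rate * T / 2. The linear form holds only
    while rate * T / 2 is much smaller than 1.
    """
    q = rate_per_hour * test_interval_hours / 2
    if q >= 0.1:
        raise ValueError("rare-event approximation not valid for q >= 0.1")
    return q


def unavailability_during_test(mean_test_hours, hours_between_tests=720):
    """Fraction of time a train is bypassed for its monthly test."""
    return mean_test_hours / hours_between_tests


def series_mean(*basic_event_means):
    """Mean failure probability of series-connected rare basic events."""
    return sum(basic_event_means)


def reproduce_report_means():
    """Recompute the report's means from its own inputs."""
    r = {}
    r["instrument_train"] = lognormal_moments(1e-4, 10)
    r["short_to_power"] = demand_unavailability(3.22e-6, 720)
    r["single_short_to_ground"] = demand_unavailability(7.52e-6, 720)
    # Report values: 1.16e-3 (to power) plus 5.20e-4 (to ground, nine locations).
    r["wiring"] = series_mean(1.16e-3, 5.20e-4)
    # Train A = RTA + logic (trip relays) + wiring; BYA has no probability assigned.
    r["train_a"] = series_mean(1.17e-3, 6.33e-11, r["wiring"])
    r["test_window"] = unavailability_during_test(6.15)
    # The report's 4.44e-6 per train is reproduced when the 5.20e-4
    # wiring-to-ground mean is used for the wiring fault in the other train.
    r["test_one_train"] = r["test_window"] * 5.20e-4
    r["test_both_trains"] = 2 * r["test_one_train"]
    # Singles + doubles + test and maintenance + common cause (report means).
    r["system"] = series_mean(9.19e-6, 2.08e-5, 8.87e-6, 4.61e-7)
    return r


if __name__ == "__main__":
    for name, value in reproduce_report_means().items():
        print(name, value)
```

The double-failure mean (2.08 x 10^-5) and all variances are left out because they depend on the shape of the discretized distributions, not only on the means.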


TABLE 1

RESULTS TABLE - REACTOR PROTECTION SYSTEM FAILURE TO SCRAM

| | Mean | Variance | 5th Percentile | 95th Percentile | Median | WASH-1400 (Median Values) |
| Singles | 9.2 x 10^-6 | 5.6 x 10^-9 | 1.8 x 10^-8 | 2.2 x 10^-5 | 8.9 x 10^-7 | 1.7 x 10^-5 |
| Doubles | 2.1 x 10^-5 | 3.2 x 10^-9 | 1.3 x 10^-8 | 1.2 x 10^-4 | 9.8 x 10^-7 | 5.4 x 10^-6 |
| Test and Maintenance | 8.9 x 10^-6 | 1.3 x 10^-8 | 6.6 x 10^-10 | 1.0 x 10^-5 | 1.7 x 10^-7 | 1.2 x 10^-5 |
| Common Cause | 4.6 x 10^-7 | 1.4 x 10^-10 | 5.0 x 10^-11 | 6.0 x 10^-7 | 1.0 x 10^-8 | ε* |
| System Failure to Scram on Demand | 3.9 x 10^-5 | 1.8 x 10^-8 | 6.0 x 10^-7 | 1.7 x 10^-4 | 6.5 x 10^-6 | 3.4 x 10^-5 |

* Epsilon used in WASH-1400 to signify insignificant contributors to failure.

TABLE 2

REACTOR PROTECTION SYSTEM INSTRUMENTATION LOGIC AND SETPOINTS

| Reactor Trip | Coincidence Circuitry and Interlocks | Setpoint* | Comments |
| 1. Manual | 1/2, no interlocks | NA | |
| 2. High power range neutron flux | 2/4, low setpoint interlocked with P-10 | Hi ≤109% power; Low ≤25% power | Low power range setting manual block. Automatic reset by P-10. |
| 3. Overtemperature ΔT | 2/4, no interlocks | ΔT > program | |
| 4. Overpower ΔT | 2/4, no interlocks | ΔT > program | |
| 5. Low pressurizer pressure | 2/4, blocked by P-7 | ≥1,800 psig | |
| 6. High pressurizer pressure | 2/3, no interlocks | ≤2,385 psig | |
| 7. High pressurizer water level | 2/3, interlocked with P-7 | ≤92% span | |
| 8. Low reactor coolant flow | 2/3 signals per loop, interlocked with P-7, P-8, respectively | ≥90% flow | Blocked below P-7. Low flow in 1 loop permitted below P-8. |
| 9. Monitored electrical supply to reactor coolant pumps: | | | |
| 9a. Undervoltage 6.9 KV bus | 2/4, interlocked with P-7 | ≥70% normal | 1/bus. |
| 9b. Low frequency 6.9 KV bus | 2/4, interlocked with P-7 | ≥55.0 cps | 2/4 underfrequency signals will trip all reactor coolant pumps and indirectly activate reactor trip. Blocked below P-7. |
| 9c. Reactor coolant pump breakers | Interlocked with P-7 and P-8 | | |
| 10. Safety injection signal | 2/3 low pressurizer pressure | ≥1,700 psig | Trips main feedwater pump. Closes all feedwater control valves. Closes feedwater isolation valves and initiates Phase A isolation. |
| | 2/3 high containment pressure | ≤3.5 psig | |
| | 2/3 differential steam line pressure low compared to two high, four channels | ≥150 psid | |
| | 2/4 high steam flow in coincidence with: | programmed | |
| | 2/4 low Tavg | ≥540 F | |
| | 2/4 low steam line pressure | ≥600 psig | |
| | 1/2 manual | NA | |
| 11. Turbine generator trip | 2/3 low auto stop oil pressure interlocked with P-7 or all stop valves closed | | |
| 12. Low feedwater flow and low S/G water level | 1/2 steam/feedwater flow mismatch in coincidence with 1/2 low steam generator water level per loop | ≥5.8 x 10^5 lb/hr and 30% of span | |
| 13. Low-low steam generator water level | 2/3, per loop | ≥17% span | |
| 14. Intermediate range neutron flux | 1/2, manual block permitted by P-10 | ≤25% power | Manual block and automatic reset. |
| 15. Source range neutron flux | 1/2, manual block permitted by P-10 and P-6 | ≤10^5 cps | Manual block and automatic reset. |

0536A040781/1

TABLE 3

LOGIC MATRIX TO REACTOR TRIP RELAY MATCHING

| Trip Relay Number* | Reactor Trip Logic Matrix |
| RT1,2 | Intermediate range trip; Source range trip; Power range low level trip |
| RT3,4 | Overtemperature ΔT trip; Overpressure ΔT trip; Safety injection trip |
| RT5,6 | Steam generator low-low level trip |
| RT7,8 | Steam generator feedflow/level mismatch trip |
| RT9,10 | High pressurizer level trip; Power range high level trip; High pressurizer pressure trip; Low pressurizer pressure trip |
| RT11,12 | Low loop flow trip; Manual trip |
| RT13,14 | Undervoltage RCP breakers trip |
| RT15,16 | Turbine trip |

* See Figures 1 or 2 for the arrangement of the Trip Relays in the logic matrix.

TABLE 4

INSTRUMENT AND LOGIC POWER SUPPLIES

Instrument Bus 32 Reactor Analog Prot. Train 1 Instrument Bus 31 Nuclear Inst. Train 1 Reactor Analog Prot. Train 2 Steam Generator Analog Train 1 Nuclear Inst. Train 2 Reactor Protection Cabinets E-6, F-6 Steam Generator Analog Train 2 Containment Inst. & Prot. Train 1

Reactor Protection Cabinets E-5, F-5 Instrument Bus 34 Containment Inst. & Prot. Train 2

Reactor Prot. Analog Train 3 Instrument Bus 33 Nuclear Inst. Train 3 Reactor Prot. Analog Train 4

Safeguard Relay Test (F-7, E-8) SIS Inst. Analog Reactor Prot. Cabinets E-4, F-4 Nuclear Inst. Train 4 Reactor Prot. Cabinets E-3, F-3 DC Distribution Panel 31 Reactor Trip Breaker Open/Close DC Distribution Panel 32 Circuits Reactor Trip Breaker Open/Close Logic B (RTB and BYA) Circuits

Logic A (RTA and BYB)


[Figure 1. Simplified Block Diagram, Reactor Protection System. Block labels: Instrumentation; Logic Train A; Logic Train B; Reactor Trip Breaker A; Reactor Trip Bypass Breaker A; Reactor Trip Breaker B; Reactor Trip Bypass Breaker B; Rod Control.]


Figure 4. Reactor Protection System Fault Tree (Sheet 1 of 2)
