Failure Modes & Effects Analysis of Integrated Control Sys/ Non-Nuclear Instrumentation Electric Power Distribution Circuitry, Interim Rept

ML20080E606
Person / Time
Site:	Oconee
Issue date:	08/26/1983
From:	SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
References
NUDOCS 8402090608
Download: ML20080E606 (33)
v • d • e

Text

i J' c' I

i g y.lb l

l INTERIM REPORT FAILURE MODES AND EFFECTS ANALYSIS OF THE ICS/NNI ELECTRIC POWER DISTRIBUTION CIRCUITRY August 26, 1983 -

Prepared by Science Applications, Inc.

800 Oak Ridge Turnpike Oak Ridge, TN 37830 8402090608 840826 PDR ADOCK 05000269 P PDR

.~__ - -

TABLE OF CONTENTS Section pagg

1.0 INTRODUCTION

1 2.0 ICS/NNI FUNCTIONAL DESCRIPTION 3  ;

3.0 ICS/NNI ELECTRIC POWER DISTRIBUTION CIRCUITRY 9 4.0 EFFECTS OF ELECTRIC POWER BRANCH CIRCUIT 12 FAILURES ON ICS/NNI AUTOMATIC CONTROL CIRCUITS 4.1 Failure of Branch El 12 4.2 Failure of Branch H2 13 4.3 Failure of Auto Power: Branch H (KI-22) 13 4.4 Failure of Branch E1X 13 4.5 Failure of Branch H2X 20 4.6 Failure of Hand Powers Branch HX (KI-1) 20 4.7 Failure of Branch HEX, HEY or Panelboard KU 20 4.8 Failure of the RCS Narrow Range Transmitter 22 Power 4.9 Failure of Panelboard KI 22 5.0

SUMMARY

29 6

11

_--y

.- .- . l l

LIST OF TABLES Table Title Page 1 Summary of NNI Auxiliary Control Outputs 4 2 ICS Signal Inputs from NNI 5 3 Summary List of ICS Control Cutputs 7 4 ICS/NNI Electric Power Distribution 10 Circuits (118 VAC, 60 HZ, 10) 5 ICS Control Response: El Power Failure 14 6 NNI Auxiliary Controls: El Power Failure 15 7 NNI Auxiliary Controls: H2 Power Failure 17 8 ICS Control Response: ElX Power Failure 18 9 NNI Auxiliary Controls: ElX Power Failure 19 10 NNI Auxiliary Controls: H2X Power Failure 21 11 NNI Auxiliary Controls: HEX Power Failure 23 12 NNI Auxiliary Controls: HEY Power Failure 24 13 NNI Auxiliary Controls: Panelboard KU 25 Power Failure 14 NNI Auxiliary Controls: Failure of RCS 26 Narrow Range Pressure Transmitter Power i

l t lii l l l l

l '

l ,

i

1.0 INTRODUCTION

The interruption of electric power to nuclear power plant control systems has been recognized as an initiator of potentially severe plant transients. Among recorded plant transients resulting f rom this f ailure type,, the Rancho Seco

" dropped light bulb incident" was an example' of a severe '

transient resulting from a control system power failure.

As part of an evaluation of control system failures and their potential impacts on nuclear plant safety, a failure modes and ef f ects analysis (FMEA) of the electric power branch circuits of a nuclear power plant control system is being performed. The design of the Oconee Unit 1 IntSgrated Control System (ICS)/Non-Nuclear Instrumentation (NNI) and ,

associated electric power circuitry was selected for analysis.

This interim report describes the results of the analysis obtained to date; the effects of electric power interruptions on the automatic control outputs of the ICS/NNI. A brief description of the ICS/NNI and its electric power distrioution circuitry is given in Sections 2 and 3. The interim results of the power supply FMEA are presented and briefly discussed in Section 4 and the .

preliminary conclusions obtained from these results are summarized in Section 5.

The interim results discussed in this report are usef ul to ,

demonstrate the FMEA methodology and to assess the initial response of the automatic control circuits to electric power interruptions. However, the results obtained to date do not include the effects of electric power interruptions on plant -

parameter' indicator and alarm circuits, or the operator 1

A t

. l 1

response to this potentially misleading information. This aspect of the FMEA will be covered in the final analysis report.

s e

/

4 O

2 b

- - - - - < + - - - - - - - n

2.0 ICS/NNI FUNCTIONAL DESCRIPTION The ICS/NNI is a series of f ourteen electrical equipment cabinets containing the sensor and control circuits required for the controlled operation of the Oconee nuclear steam supply system (the reactor, steam generators and associated supporting systems). The ICS portion of the system provides the integrated control of the feedvater flowrate to the system generators, the reactor core power, the reactor coolant temperature and the pressure of the steam generated in the steam generators and supplied to the plant's bigh pressure turbine. The NNI portion provides sensor input signals to the ICS, reactor coolant system (RCS) inventory and pressure control and control <f selected auxiliary systems' f unctions. In addition, the NNI provides plant parameter information to the plant operating staff through control room iadicators, alarms and the plant computer.

More detailed descriptions of the fune.tions performed by the ICS/NNI may be f ound in the Oconee Final Saf ety Analysis Report.

The automatic control outputs of the NNI (Auxiliary Control Outputs) are listed in Table 1. Table 2 lists the process parameter signals transmitted from the NNI to the ICS. The control output signals developed in the ICS are listed in .

Table 3.

The principal source of design inf ormation on the ICS/NNI

( being used in this analysis is the Oconee ICS Instruction Book.1 This document shows the detailed ICS/NNI circuits 1

0conee 1 ICS - Instruction Book, Bailey Meter Co., 3/15/77 (latest Revision).

3 i

l l

l

. 1

TABLE 1

SUMMARY

OF NNI AUXILIARY CONTROL OUTPUTS

1. Lo-Lo pressurizer level interlock for heater Banks 1, 2, 3, and 4 (auto).

2. High and low pressure control contacts f or the PORV (Relief Valve RC-V3) (auto).

3. High and low pressure control contacts for Heater Banks 2,3,4 (auto and manual).

4. Analog signal to SCR controller for heater Bank 1 (auto and manual).

5, High and low pressure control contacts for Pressurizer Spray (block) valve (auto and manual).

6. Open and close control contacts for preseurizer spray stop valve (manual).

7. Interlock contacts to prevent RC pump start on icw KC temperature (auto).

8. Control contact on low letdown storage tank level -

Function unknown, Drawing 8032326 missing (auto).

9. Control contact to switch 3-way valv'e EP-V10 to divert letdown reactor coolant to the letdown storage tank on low letdown storage tank level (B&W elementary drawing 136129E missing) (auto).

10. Interlock contact to prevent RC pump start on low seal inlet header flow (auto).

11. Analog signal to control makeup flow (auto and manual). .

12. Analog signal to control pump seal inlet header flow (auto and manual).

13. Interlock contacts to prevent individual RC pump start on low seal pressure drop (auto).

14. Analog signal to control letdown flow (manual).

l l

4 l

l

\ _ _ _ - - -

TABLE 2 ICS SIGNAL INFUTS FROM NNI Indicated Range Voltage Range Parameter Range Temp. -Co:apensated 0 - 100% 0 - 10 V O - 1004 RC Flow tinit Frequency 57 - 63 Hz i 50 MV 57 - 63 Hz IWe 0 - 999 MW 0 - 100 M'V 0 - 874 MW Turbine Header Press 600 - 1200 psia 4 - 20 MA 0 - 900 psia Steam Gen. Press A 0 - 1200 psia i 10 V 0 - 925 psia steam Gen. Press B 0 - 1200 psia i 10 V O - 925 psia RC Tav 520 - 620 0 F i 10 VDC 120 - 579"F Neutron Power 0 - 100% 0 - 10 VDC 0 - 1004 Temp. Compensated 0 - 5.67 x 10 6 f/hr i 10 VDC 0 - 5.3 x 10 6 f/hr FW Flow A Temp. Compensated 0 - 5.67 x 10 6 t/hr i 10 VDC 0 - 5.3 x 10 6 t/hr FW Flow B ,

o Feedwater Temp. 0 - 470 F i 10 VDC 0 - 455 0 F T RCS Loops A&B Tcold 520 - 620 F i 10 VDC i 10 F RC Thot Wide Range 0 - 650*F i 10 VDC 120 - 555U P 0

RC Flow A&B 0 - 7 0 x 10 t/hr i 10 VDC 0 - 65.66 x 10 6 f/hr

~

TABLE 2 (Continued)

Indicated Range Voltage Range Parameter Range SG AEB OP Level 0 - 400" i 10 VDC 0 - 378" SG A&B SU Level 0 - 400" i 10 VDC 0 - 378" FW Valve A&B 0 - 100 psi i 10 VDC 0 - 35 psi Pressure Drop D

4 h

TABLE 3

SUMMARY

LIST OF ICS CONTROL OUTPUTS

1. Control contact to open and close turbine control valves (auto and manual).

2. Analog signal to open and close turbine bypass valves (auto and manual).

3. Analog signals to open and close startup feedwater valves (auto and manual).

1 4

4. Analog signals to open and close main feedwater valves l (auto and manual).

5. Analog signals to control main f eedwater pump speed (auto and manual). l

6. Control contacts to insert and withdraw control rods (auto and manual). ,

e 8

l 7 l

l l

l .

and their sources of electric power. In addition to the instruction book, recent information supplied to ORNL by Duke Powe: is ceing used to modify the ICS/NNI circuitry.2 The major modifications not shown in the instruction book are summarized below:

1. The use of the Panelboard KU (Computer Power) to power the RC Pump seal injection automatic control circuit upon loss of Panelboard KI.

2. The use of Panelboard EU to power manual control circuits for makeup and letdown flow, the turbine bypass valves and pressurizer heater bank 2 from the control room or auxiliary shutdown panel.

3. The addition of manual control switches for the PORV and pressurizer spray valve in ICS Cabinet 13 powered independently of Panelboard KI.

4. The use of ICS steam generator level signals to trip the main feedwater pumps on high level.

2 The principal sources have been a letter from R. L. Gill (Duke) to R. C. Kryter (ORNL) , 10/19/82 and Oconee Emergency Procedure EP/0/A/800/3, Loss of KI Bus (ICS Power), 1/21/81.

l 8

3.0 ICS/NNI ELECTRIC POWER D::STRIBUTION CIRCUITRY The ICS/NNI is powered from 118 VAC Panelboard KI with transfer of selected circuits for Panelboard KU upon loss of KI. Panelboards KI and KU each are powered through inverters from 125 VDC buses DCA and DCB. In addition, these panelboards may be powered f rom 118 VAC regulated instrument bus KRA by automatic transfer.3 From Panelboard KI, power is distributed to the ICS/NNI through five separate branch circuits capable of being isolated by circuit breakers: KI-1, KI-3, KI-5, KI-9 and KI-22. The Hand ' Power, HX (KI-1), and Auto Power, H (KI-22), branches are distributed within the ICS/NNI cabinets through an additional three and eight circuit breakers, respectively.4 The individual branch circuits feeding the ICS/NNI are listed in Table 4.

l The circuits listed in Table 4 are being considered separate f ailure points in the FMEA of the ICS/NNI power distribution circuitry. It is assumed that an arbitrary fault in the circuitry will be isolated by a circuit breaker deenergizing all circuits fed through that breaker. Thus, a fault in the circuits fed by branch El may be isolated by the circuit breaker in H1 or the circuit breaker in the Auto Power ,

branch, KI-22, or result in the entire KI Panelboard being isolated from its power sources. The power circuits listed 3

Oconee One Line Diagrams 0-705 and 0-705-A, 120 VAC and 125 VDC Statio.a. Auxiliary Circuits and 120/240 VAC Station Auxiliary Circuits.

40conee 1 ICS Instruction Book.

9 1 .

TABLE 4 ICS/NNI ELHCTRIC POWER DISTRIBUTION CIRCUITS (118 VAC, 60 Es,1 0)

1. ICS POWER PANELBOARD KI 1.1 HAND POWER, BRANCH HX (KI-1) 1.1.1 BRANCH H1X (HX to Aux. Shutdown Panel),

10 amp.

l.1.2 BRANCH H2X, 2 amp.

i 1.1.3 BRANCH H3X, 2 amp.

1.2 EMERGENCY POWER #1, BRANCH HEX (KI-3) 1.3 EMERGENCY POWER #2, BRANCH HEY (KI-5) 1.4 EMERGENCY STEAM GENERATOR LEVEL CONTROL, BRANCH H-EL (KI-9) 3 .5 AUTO POWER, BRANCH H (KI-22) 1.5.1 BRANCH B1, 30 amp.

1.5.2 BRANCH H2, 2 amp.

1.5.3 BRANCH H3, 2 amp.

1.5.4 BRANCH H4, 2 amp.

1.5.5 BRANCH H5, 2 amp.

1.5.6 BRANCH B6, 2 amp.

1.5.7 BRANCH B7 1.5.8 BRANCH E8

2. QMPUTER POWER PANELBOARD KU 10 r _. , _ _

q y

in Table 4 represent 18 separate electric power failures to be considered in the FMEA. For purposes of thi.s interim report, however, only those power circuits feeding automatic control circuits are cor.sidered.

i h

e 11

4.0 EFFECT OF ELECTRIC POWER BRANCH CIRCUIT FAILURES ON ICS/NNI AUTOMATIC CONTROL CIRCUITS A FMEA of the automatic ICS/NNI control circuits' responses to failures of the electric power branch circuits listed in Table 4 has been performed. This analysis was performed by:

1. Listing all ICS/NNI sensor-to-output device circuits and identifying the branch circuit supplying power to each module in each circuit. (This step was performed as part of the overall ICS/NNI electric power f distribution circuitry FMEA.)

2. Selecting those circuits with an automatic control output. (Computer input, alarm and indicator circuits will be considered in the overall FMEA.)

3. Selecting, for each applicable power distribution f ailure listed in Table 4, the control circuits affected by the failure.

4. Determining the response of the controlled component to the deenergized circuits (other control circuits and their controlled components are assumed to operate as ,

designed).

The control circuit responses to the ICS/NNI power failures are discussed below. l 4.1 FAILURE OF BRANCH H1 The control circuit output responses to failure of branch El are listed in Tables 5 and 6 for the NNI and ICS respectively. As shown, many control circuits switch to manual with the controlled devices remaining *as is." The response of the plant to this f ailure would be initially 12

I i

minor. The plant could continue to operate under manual control by the operators. .

As shown in Table 6, if the pressurizer spray valve were open or the pressurizer heaters energized at the time of

power f ailure, they could produce a transient leading to  ;

reactor trip unlesa controlled by the operator. In the event of reactor trip due to this or other causes, - the operator must manually throttle main feedwater or the steam generators will be over2ed. Failure of the operator to throttle would result in the main f eedwater pumps being tripped automatically on high steam generator level. In this event the emergency feedwater system would be automatically started and controlled.

4.2 FAILURE OF BRANCH H2 The only control failure resulting from a failure of branch H2 is the spurious interlock of the RC pump starting circuitry as shown in Table 7. This would not affect power operation.

4.3 FAILURE OF AUTO POWER: BRANCH H (KI-22)

Failure of Branch H would deenergize both the H1 and H2 branch circuits. The respo'nse would be identical to that described for the H1 failure (see Section 4.1). -

4.4 FAILURE OF BRANCH HlX The responses of the ICS and NNI controls to an H1X fai e are listed in Tables 8 and 9. The spurious throttling signal to the turbine, the potential for inserting or withdrawing control rods, and the potential for reducing main f eedwater pump speed combined with the inability to throttle main feedwater flow probably would result in a reactor trip. The main feedwater flow to the steam I

13 I

l l

w , . , - - - - n -----n w wg --- - - p -i+-4 m , gww

i TABLE 5 ICS CONTROL RESPONSE:

B1 FONER FAILURE Item Function Failure Mode Comments

1. Turbine Throttle As is Cannot be increased or decreased by ICS. Manual

- controls operable.

2. Turbine Bypass Manual control at Control automatically on Valves ICS is lost steam generator pressure; Manual control at Aux. shutdown panel opersble.

3. Reactor Power As is Can not be increased or decreased by ICS. Manual control of control rods operable.

4. Main Feedwater Switches to manual Manual control operable.

Pump Speed at operating value

5. Main Feedwater Switches to manual Manual control operable.

Valve Position at operating value

6. Startup Feedwater Switches to manual Manual control operable.

Valve Position at operating value Notes Failure of control output or transfer to manual prevents spurious response to any failed input signals..

I TABLE 6 NNI AUXILIARY CONTROLS H1 POWER FAILURE Item Function Failure Mode Comments

1. Pressurizer Lo-Lo Will not cut-off Relays 183/PLL and 183-1/PLL Interlock Heaters on Lo-Lo Lose power (Dwg. D8032338G).

pressurizer level

2. Pressurizer Spray Automatic control lost. Manual control using HlX (Block) Valve RC-V1 Valve will remain operable (Dwg. D8032338G).

closed or open depending on its position at time of power failure.

3. Pressurizer Heater Heater banks remain Manual control operable.

Banks 2, 3, 4 energized or J

deenergized dependin.;

on state at time of .

power failure.

, 4. SCR Controlled Heater Heater bank may be Manual control operable.

Bank 01 energized due to low 0 volt input signal should be RCS pressure signal compared to heater bank input to SCR setpoint.

controller. -

5. . Relief Valve RC*RV3 Valve will close Per Dwg. 8032332E. Actual or remain closed. control relay not found.

Manual control operable.

I a

G

l l

TABLE 6 (Continued)

Item Function Failure Mode Comments

6. Makeup Flow Demand Probable transfer to Power to Relay 83/LT not to Makeup Flow manual. Valve remains shown on D4g. 8032338G Control Valve in position existing prior to power failure.

7. Reactor Coolant Permits RC pump start Pump Start Interlock at low RC temp.

1 4

- --- a

~

l l

TABLE 7 NNI AUXILIARY CONTROLS B2 POWER FAILURE Item Function Failure Mode Comments

1. Reactor Coolant Cannot start pumps due Pump Interlock - to indicated low seal Low Seal Flow flow.

e 4

i

TABLE 8 ICS CONTRCL RESPONSE:

HlX POWER FAILURE Item Function Failure Mode Comments

1. Turbine Throttle Valve closes due to Valve apparent loss of turbine header pressure if sensor with HlX power is selectcd

2. Turbine Bypass Valves " freeze" as is Loss of power to E/P converter Valves

3. Reactor Power Increase, hold or Depends on temperature sensors decrease selected and resulting i increase, decrease, or constant value of Tav

4. Main Feedwater Probable decrease Speed demand goes to 0 vcit Pump Speed value

5. Main Feedwater Valves " freeze" as is Loss of power to E/P ,

i Valve Position '

6. Startup Feedwater Opens or closes in Manual control at Aux. sh'utdown

~

Valve Position automatic depends on panel operable.

i input sensors selected. 1/2 open when ICS hand control

is put on manual P

Note: Probable initial undercoo. ling and/or overcooling transient due to control tod response to temperature signal failures. Main feedwater supply continues until terminated by other means.

i TABLE 9 NNI AUXILIARY CONTROLS BlE POWER FAILURE Item Function Failure Mode Comnents

1. Pressurizer Spray Valve remains in Loss of power to 83/A and Block Valve RC-V1 position existing 83/M-O and 83/M-C prevent prior to power failure. automatic or manual operation

2. Pressurizer Heater Manual control lost State indeterminant, Dwg.

l Banks 2, 3, 4 D8032341 missing, may be I relevant

3. SCR Controlled Heater bank will be Loss of drive signal Pressurizer Heater deenergized or Bank #1 remain deenergized.

4. Makeup Flow Control Auto control remains Manual control at Aux. shutdown operable. If manual panel or control room operable control at ICS Hand by manually transferring Hand Station selected Stations to KU power.

valve will open or close to mid-position.

5. Spray Line Isolation Valve opens. '

Loss of power to 83-L/SSV.

(Stop) Valve RC-V5 -

1 '

I l

1 =

l l

l l

l 4

generators would continue until the pumps were manually l tripped by the operator or automatically tripped on high steam generator level. The trip of the feedwater pumps 4

result in automatic initiation and control of tha emergency f eedwater system.

4.5 FAILURE OF BRANCH H2X As shown in Table 10, the result of an H2X power f ailure is the loss of control of the makeup, letdown and seal injection flowrates.

The letdown flow is normally controlled through a block orifice with the bypass letdown valve closed. Since the makeup and seal injection valves remain in position, normal power operation would be expected to continue.

4.6 FAILURE OF HAND POWER: BRANCH HX (KI-1)

Failure of Branch HX would deenergize both the H1X and H2X' circuits. The response of the plant would be similar to that described for the H1X failure (see Section 4.4).

4.7 FAILURE OF BRANCH HEX, HEY OR PANELBOARD KU The makeup flowrate to the RCS can be terminated if the pressurizer level transmitter in the level control circuit is deenergized. There are three pressurizer level -

transmitters, LT-1, LT-2 and LT-3 powered, respectively, by circuits HEX, HEY and Panelboard KU. The control room operator selects one of the three level signals for input to f the makeup control and low level pressurizer heater l interlock circuits. If the selected transmitter is deenergized, the control circuitry will respond to the spurious high level signal by closing the makeup valve. In addition, the low level pressurizer heater interlock would be defeated.

20

TABLE 10 NNI AUXILIARY CONTROLS i H2X POWER FAILURE i

Item . Function Failure Mode Comments

1. Makeup Flow Control Valve fails as is Loss of power to E/P converter.

Power source for E/P transducer may be manually transferred to panelboard KU to allow manual control.

2. L2tdown Flow Control valve fails as is Loss of power to E/P converter.

Power source for E/P transducer may be manually transferred to panelboard KU to allow manual control.

3. Pump Sea) Inlet Valve fails as is Loss of power to E/P converter.

Header Flow Power sourco for E/P ,

tranducer may be manually transferred to panelboard EU to allow automatic or manual Control.

e

In the event this power f ailure occurred, the cperator would be able to manually control makeup flow or automatically control makeup flow by selecting an alternate, operable transmitter as shown in Tables 11, 12 and 13.

4.8 FAILURE OF THE RCS NARROW RANGE PRESSURE TRANSMITTER POWER  :

Verbal information received from Duke Power indicates that the normal RCS pressure input to the ICS/NNI is from a non-lE transmitter powered f rom Panelboard KI. How ever s the specific branch circuit for this transmitter is unknown. In Table 14, the specific response of the control circuits with RCS pressure inputs are listed for failures of possible transmitter power sources.

A branch circuit failure will result in a 0 volt RCS pressure signal input to the PORV, spray valve and pressurizer heater control circuits. This could result in the heaters being energized and the PORV and spray valve closing. In the event this f ailure occurred, the operator would be able to manually control the indicated devices.

These particular responses should be included with the more general plant responses to H1 or HlX power f ailures (see .

Tables 5, 6, 8 and 9) for overall plant response.

4.9 FAILURE OF PANELBOARD KI j The response of the plant to a failure of Panelboard KI (including all branch circuits) will be a loss of main feedwater transient, combined with the makeup flow,  !

pressurizer heater, PORV, spray valve and turbine bypass valve controls switching to manual. Failure of KI will result in a spurious high steam generator level trip of the 22 l

TABLE 11 NNI AUXILIARY CONTROLS BEX. POWER FAILURE Item Function Failure Mode Comments

1. Makeup Flow Makeup valve will Pressurizer level indicates close if pressurizer full if level transmitter LT-1 level transmitter is selected. Manual control LT-1 is selected. operable. Manual selection of

- operable level transmitters LT-2 or LT-3 for auto control is possible.

e O

_u__:

1 TABLE 12 NNI AUXILIARY CONTROLS HEY POWER FAILURE Item Function Failure Mode Comments

1. Makeup Flow Control Makeup valve will Pressurizer level indicates close if pressurizer full if level transmitters LT-2 level transmitter is selected. Manual control LT-2 is selected. operable. Manual selection of operable level transmitters LT-1 or LT-3 for auto control is possible.

e 9

l TABLE 13 NNI AUXILIARY CONTROLS -

PANELBOARD RU POWER FAILURE It'em Function Failure Mode Comments

1. Makeup Flow Makeup valve will Pressurizer level indicates close if pressurizer full if level transmitter LT-3 level transmitter is selected. Manual control LT-3 is selected. operable. Manual select. ion of operable level transmitters LT-1 or LT-2 for auto control is possible.  ;

Ncte: ICS/NNI Instruction Manual indicates that transmitter LT-3 is powered by HEY. However, information received from Duke power l indicates that the power source l for LT-3 has been changed to panelboard KU (computer power).

I i

l 0

l l

l l

l  :

TABLE 14 NNI AUXILIARY CONTROLS FAILURE OF RCS NARRON RANGE PRESSURE TRANSMITTER (S) POWER *

~

Item Function Failure Mode Comments i

,

• Note: The ICS/NNI Manual indicates that the RCS narrow range pressure signal is obtained from the RPS powered by the vital buses, KVIA - KVID. Verbal information received from Duke personnel, however, indicates that non-lE narrow range RCS pressure transmitter (s) have been added and powered from panelboard KI. The failures of possible branch circuits are discussed belows i

1. PORY JRelief Valve RC-RV3, RC-V66) Controls l.1 Any Power Source to PORV will close or 0 volt narrow range pressure Selected Narrow Range remain closed. signal is expected to be below RCS Pressure "open" setpoint pressure.

Transmitter Manual control operable.

2. Pressurizer Heater Controls 2.1 H1 Power Heater bank I may be 0 volt narrow range pressure energized due to low signal should be compared to ,

indicated RCS heater bank 1 setpoint.

pressure. Heater Manual control of heater bank 1 banks 2,.3 & 4 will operable.

remain deenergized.

However heater banks 2, 3 & 4 will remain

, energized if energized at the time of the power failure.

O t

4

._ =_

i TABLE 14 (Continued)

Item Function Failure Mode Comments j=

2.2 HlX Power Heater bank 1 0 volt narrow range pressure I

, deenergized. Heater signal should be compared to banks 2, 3 & 4 may setpoints for heater banks be energized due to 2, 3 & 4. Manual control low indicated RCS operable, pressure.

2.3 Power Source Heater banks 1, 2, O volt narrow range pressure Other Than H1 or H1X 3 & 4 may be energized signal should be compared to due to low indicated setpoints for heater banks RCS pressure. 1, 2, 3 & 4. Manual control operable.

3. Pressurizer Spray fBlock) Valve (RC-111 Controla 3.1 H1 Power Spray valve will Manual control operable.

remain closed or open depending on its position at time of power failure.

3.2 Power Source Spray valve will close 0 volt narrow rarnge pressure Other Than H1 due to low indicated signal should be compared,to RCS pressure. spray valve setpoint. Manual control operable.

\ =

main feedwater pumps, reactor and turbine trip and automatic initiation and control of emergency feedwater. .

Selected manual control station pow e r sources are automatically switched f rom KI to RU. This would allow the operator to manually position makeup flow control valves from the control room, the turbine bypass valves and pressurizer heater bank 2 from the auxiliary shutdown panel and, if required, po::ition of the PORV and spray valve from ICS Cabinet 13 control switches. Although the operator would be able to position these devices, it is not known. .

whether he would have adequate plant status information to maintain effective control.

l i

I e

28

5.0

SUMMARY

The initial response of the Oconee Nuclear Power Plant '

ICS/NNI control circuits to electric power branch circuit l

failures has been analyzed. The results of this analysis are summarized below:

1. The most severe plant transient resulted f rom a f ailure of the HlX or HX branch circuits.

This failure could cause an overcooling transient or an undercooling transient followed by an overcooling transient depending on the particular selection of RCS temperature sensors for control system input.

Without operator intervention, reactor and turbine trip, trip of the main feedwater pumps on high steam generator level and automatic initiation and control of emergency feedwater would occur.

2. Failures of the El or H branch circuits results in a transf er of automatic control circuits to manual. Although a transient would not immediately result, the plant would be incapable of automatically responding to perturbations to steady state operation.

Should a perturbation occur (e.g., ranctor -

t ri p) , the steam generators would be initially overfed. Without operator intervention, reactor and turbine trip, trip

> of the main feedwater pumps on high steam generator level and automatic initiation and control of emergency feedwater would occur.

3. Most power supply f a2 ? ures resulted in the controlled devices " freezing" in position

~

rather than responding to spurious control 29

signals. This f eature reduced the severity of resulting transients. .

4. For the transients investigated, necessary manual controls were available to the operator to control the plant. In many cases, continued power operation of the plant may be possible. However, the ability of the operator to manually control plant systems will depend on the availability of plant parameter indications for the operator which l will be studied in the overall FMEA.

e 4

6 30

_ _ _ _ _ _ _