ML20138Q690

Failure Modes and Effects Analysis (FMEA) of the Ics/Nni Electric Power Distribution Circuitry at the OCONEE-1 Nuclear Plant
ML20138Q690
Person / Time
Site: Oconee
Issue date: 10/31/1985
From: Battle R, Mayo C, Mayo D, Mcbride A
OAK RIDGE NATIONAL LABORATORY, SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
CON-FIN-B-0816, CON-FIN-B-816 NUREG-CR-3991, ORNL-TM-9383, NUDOCS 8512270363


Text

NUREG/CR-3991
ORNL/TM-9383

OAK RIDGE NATIONAL LABORATORY

Failure Modes and Effects Analysis (FMEA) of the ICS/NNI Electric Power Distribution Circuitry at the Oconee 1 Nuclear Plant

A. F. McBride
C. W. Mayo
R. E. Battle

Prepared for the U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, under Interagency Agreement DOE 40-550-75, NRC FIN No. B0816

OPERATED BY MARTIN MARIETTA ENERGY SYSTEMS, INC. FOR THE UNITED STATES DEPARTMENT OF ENERGY

NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

Available from Superintendent of Documents, U.S. Government Printing Office, and National Technical Information Service, Springfield, VA 22161

NUREG/CR-3991
ORNL/TM-9383
NRC Distribution R1, RG, R4

Instrumentation and Controls Division

FAILURE MODES AND EFFECTS ANALYSIS (FMEA) OF THE ICS/NNI ELECTRIC POWER DISTRIBUTION CIRCUITRY AT THE OCONEE 1 NUCLEAR PLANT

A. F. McBride*
C. W. Mayo
R. E. Battle

Manuscript Completed: August 1985
Date of Issue: October 1985

*Science Applications, Inc., 800 Oak Ridge Turnpike, Oak Ridge, TN 37830

Prepared for the Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, under DOE Interagency Agreement 40-550-75, NRC FIN No. B0816

Prepared by the OAK RIDGE NATIONAL LABORATORY, Oak Ridge, Tennessee 37831, operated by MARTIN MARIETTA ENERGY SYSTEMS, INC. for the U.S. DEPARTMENT OF ENERGY under Contract No. DE-AC05-84OR21400

TABLE OF CONTENTS

LIST OF FIGURES
LIST OF TABLES
LIST OF ACRONYMS AND ABBREVIATIONS
ABSTRACT

1. INTRODUCTION
   1.1 BACKGROUND
   1.2 SCOPE OF WORK
   1.3 TECHNICAL APPROACH
   1.4 REPORT CONTENTS

2. SUMMARY OF RESULTS

3. ICS/NNI FUNCTIONAL DESCRIPTION
   3.1 NNI CONTROL OUTPUT SIGNALS
   3.2 ICS SIGNAL INPUTS FROM NNI
   3.3 NNI SIGNAL SELECT HAND STATIONS
   3.4 ICS CONTROL OUTPUT SIGNALS
   3.5 COMPARISON OF BAILEY METER MODELS 721 AND 820 NNI/ICS DESIGNS

4. POWER SUPPLY DEFINITION AND ANALYSIS

5. EFFECTS OF ELECTRIC POWER BRANCH H1 CIRCUIT FAILURES ON ICS/NNI CIRCUITS
   5.1 NNI CONTROL RESPONSE
   5.2 ICS CONTROL RESPONSE
   5.3 AUTOMATIC SYSTEM RESPONSE
   5.4 CONTROL ROOM PARAMETER DISPLAY

6. EFFECTS OF ELECTRICAL POWER BRANCH H2 CIRCUIT FAILURES ON ICS/NNI CIRCUITS
   6.1 NNI CONTROL RESPONSE
   6.2 ICS CONTROL RESPONSE
   6.3 AUTOMATIC SYSTEM RESPONSE
   6.4 CONTROL ROOM PARAMETER DISPLAY

7. EFFECTS OF ELECTRIC POWER BRANCH H4 CIRCUIT FAILURES ON ICS/NNI CIRCUITS
   7.1 NNI CONTROL RESPONSE
   7.2 ICS CONTROL RESPONSE
   7.3 AUTOMATIC SYSTEM RESPONSE
   7.4 CONTROL ROOM PARAMETER DISPLAY

8. EFFECTS OF ELECTRIC POWER BRANCH H5 CIRCUIT FAILURES ON ICS/NNI CIRCUITS
   8.1 NNI CONTROL RESPONSE
   8.2 ICS CONTROL RESPONSE
   8.3 AUTOMATIC SYSTEM RESPONSE
   8.4 CONTROL ROOM PARAMETER DISPLAY

9. EFFECTS OF ELECTRIC POWER BRANCH H8 CIRCUIT FAILURES ON ICS/NNI CIRCUITS
   9.1 NNI CONTROL RESPONSE
   9.2 ICS CONTROL RESPONSE
   9.3 AUTOMATIC SYSTEM RESPONSE
   9.4 CONTROL ROOM PARAMETER DISPLAY

10. EFFECTS OF ELECTRIC POWER BRANCH H CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF AUTO POWER)
   10.1 NNI CONTROL RESPONSE
   10.2 ICS CONTROL RESPONSE
   10.3 AUTOMATIC SYSTEM RESPONSE
   10.4 CONTROL ROOM PARAMETER DISPLAY

11. EFFECTS OF ELECTRIC POWER BRANCH H1X CIRCUIT FAILURES ON ICS/NNI CIRCUITS
   11.1 NNI CONTROL RESPONSE
   11.2 ICS CONTROL RESPONSE
   11.3 AUTOMATIC SYSTEM RESPONSE
   11.4 CONTROL ROOM PARAMETER DISPLAY

12. EFFECTS OF ELECTRIC POWER BRANCH H2X CIRCUIT FAILURES ON ICS/NNI CIRCUITS
   12.1 NNI CONTROL RESPONSE
   12.2 ICS CONTROL RESPONSE
   12.3 AUTOMATIC SYSTEM RESPONSE
   12.4 CONTROL ROOM PARAMETER DISPLAY

13. EFFECTS OF ELECTRIC POWER BRANCH H3X CIRCUIT FAILURES ON ICS/NNI CIRCUITS
   13.1 NNI CONTROL RESPONSE
   13.2 ICS CONTROL RESPONSE
   13.3 AUTOMATIC SYSTEM RESPONSE
   13.4 CONTROL ROOM PARAMETER DISPLAY

14. EFFECTS OF ELECTRIC POWER BRANCH HX CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF HAND POWER)
   14.1 NNI CONTROL RESPONSE
   14.2 ICS CONTROL RESPONSE
   14.3 AUTOMATIC SYSTEM RESPONSE
   14.4 CONTROL ROOM PARAMETER DISPLAY

15. EFFECTS OF ELECTRIC POWER BRANCH HEX CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF EMERGENCY POWER #2)
   15.1 NNI CONTROL RESPONSE
   15.2 ICS CONTROL RESPONSE
   15.3 AUTOMATIC SYSTEM RESPONSE
   15.4 CONTROL ROOM PARAMETER DISPLAY

16. EFFECTS OF ELECTRIC POWER BRANCH HEY CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF EMERGENCY POWER #1)
   16.1 NNI CONTROL RESPONSE
   16.2 ICS CONTROL RESPONSE
   16.3 AUTOMATIC SYSTEM RESPONSE
   16.4 CONTROL ROOM PARAMETER DISPLAY

17. EFFECTS OF ELECTRIC POWER BRANCH H-EL CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF EMERGENCY STEAM GENERATOR LEVEL CONTROL POWER)
   17.1 NNI CONTROL RESPONSE
   17.2 ICS CONTROL RESPONSE
   17.3 AUTOMATIC SYSTEM RESPONSE
   17.4 CONTROL ROOM PARAMETER DISPLAY

18. EFFECTS OF ELECTRIC POWER PANELBOARD KI CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF ICS POWER)
   18.1 NNI CONTROL RESPONSE
   18.2 ICS CONTROL RESPONSE
   18.3 AUTOMATIC SYSTEM RESPONSE
   18.4 CONTROL ROOM PARAMETER DISPLAY

19. EFFECTS OF ELECTRIC POWER PANELBOARD KU CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF COMPUTER POWER)
   19.1 NNI CONTROL RESPONSE
   19.2 ICS CONTROL RESPONSE
   19.3 AUTOMATIC SYSTEM RESPONSE
   19.4 CONTROL ROOM PARAMETER DISPLAY

20. EFFECTS OF ELECTRIC POWER BRANCH KI-10 CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURES OF RCS NARROW-RANGE PRESSURE TRANSMITTER POWER)
   20.1 NNI CONTROL RESPONSE
   20.2 ICS CONTROL RESPONSE
   20.3 AUTOMATIC SYSTEM RESPONSE
   20.4 CONTROL ROOM PARAMETER DISPLAY

21. RESPONSE TO DUKE POWER COMPANY COMMENTS
   21.1 LETTER FROM R. L. GILL
   21.2 LETTER FROM K. S. CANADY

REFERENCES

LIST OF FIGURES

1.1. Oconee Unit 1 instrumentation system and major interconnections
1.2. Technical approach
3.1. Hand stations 1SS8A, 1SS8B, and 1SS5
3.2. Hand stations 1SS3A and 1SS11A
3.3. Hand stations 1SS3B and 1SS11B
3.4. Hand stations 1RC5A, 1RC5B, and 1SS1
3.5. Hand stations 1RC1 and 1RC2
3.6. Hand stations 1SS11A, 1SS11B, 1SS6A, and 1SS6B
3.7. Hand stations 1SS4A and 1SS4B
3.8. Hand stations 1SS10A, 1SS10B, and 1HP14
3.9. Hand stations 1RC4A, 1RC4B, 1RC5A, 1RC5B, 1RC4, 1RCS, and 1RC12
4.1. Oconee 1 nuclear station ICS/NNI ac power supply

LIST OF TABLES

2.1. Summary of spurious automatic system responses to ICS/NNI power supply failures
2.2. Summary of control room parameter displays' response to ICS/NNI power control failures
3.1. Summary of NNI auxiliary control outputs
3.2. ICS signal inputs from NNI
3.3. Summary of ICS control outputs
4.1. ICS/NNI electric power distribution circuits (118 V ac, 60 Hz, 1 phase)
5.1. NNI auxiliary controls response to H1 power failure
5.2. ICS control response to H1 power failure
6.1. NNI auxiliary controls response to H2 power failure
11.1. NNI auxiliary controls response to H1X power failure
11.2. ICS control response to H1X power failure
12.1. NNI auxiliary controls response to H2X power failure
15.1. NNI auxiliary controls response to HEX power failure
16.1. NNI auxiliary controls response to HEY power failure
19.1. NNI auxiliary controls response to panelboard KU power failure
20.1. NNI auxiliary controls response to branch KI-10 power failure

LIST OF ACRONYMS AND ABBREVIATIONS

ac: alternating current
B&W: Babcock & Wilcox
BWST: borated water storage tank
CFT: core flood tank
dc: direct current
ECI: essential control and instrument
E/P: electric-to-pneumatic
ESPS: engineered safeguards protective system
FMEA: failure modes and effects analysis
FW: feedwater
HPI: high pressure injection
ICS: integrated control system
KI: ICS panelboard
KU: computer panelboard
LST: letdown storage tank
NNI: nonnuclear instrumentation
NRC: U.S. Nuclear Regulatory Commission
ORNL: Oak Ridge National Laboratory
PORV: pilot-operated relief valve
RB: reactor building
RC: reactor coolant
RCP: reactor coolant pump
RPS: reactor protective system
SAI: Science Applications, Inc.
SCR: silicon controlled rectifier
SG: steam generator
Tavg: temperature (average)
TMI: Three Mile Island
V ac: volts alternating current

ABSTRACT

The effects of nonnuclear instrumentation (NNI) and integrated control system (ICS) electric power supply failures have been analyzed for the Oconee Unit 1 nuclear plant. The instrument and control system power distribution circuits were analyzed to define a comprehensive set of 19 single-point failure modes. For each power supply failure, the failed and operating control system signal inputs were propagated through the partially energized control system circuits as well as the energized and deenergized output control devices to evaluate the initial plant response. In addition, the effects of the power supply failures on the principal control room parameter displays were combined with the initial plant response to the automatic control circuits to evaluate possible control room operator responses. Plant responses to the defined power supply failures are described in detail.

The automatic responses of the plant to the instrument and control system power supply failures were not found to be severe. This was due in part to post-Three Mile Island (TMI) modifications. Possible operator responses to spurious control room displays generally did not result in significant transients. Improved automatic transfer of control system input circuits to operable power supplies, automatic trip of feedwater pumps on loss of certain power supply branch circuits, and suppression of spurious alarms have been identified as possible ways to further limit the effects of transients induced by instrument power supply failures. A status review of the power supply failure alarms and applicable operating procedures was recommended to corroborate the adequacy of the information available to the control room operator following any power supply failure.

1.0 INTRODUCTION

1.1 BACKGROUND

A number of transients have occurred at Babcock & Wilcox (B&W) designed power reactors due to loss of non-Class-1E power supplies to the non-nuclear instrumentation (NNI) and the integrated control system (ICS).

On March 20, 1978, loss of NNI power supply at the Rancho Seco Station resulted in a loss of feedwater combined with a substantial loss of control room information. This transient led to combined overcooling and repressurization of the primary system as a result of operator actions taken before the failed instrumentation was restored (ref. 1). On November 20, 1979, loss of power to a non-Class 1E 120-V ac single phase power panel that supplied power to the NNI and ICS at Oconee Unit 3 resulted in control system malfunctions and a significant loss of information to control room operators (ref. 2). On February 26, 1980, loss of a NNI power supply at Crystal River Unit 3 led to a transient that was considered to have several similarities to the TMI-2 accident (ref. 3).

As a result of the loss of instrument power at Oconee Unit 3, the Nuclear Regulatory Commission (NRC) issued IE Bulletin No. 79-27, which included requirements for all operating nuclear power facilities to review Class 1E and non-Class 1E buses supplying power to safety- and non-safety-related instrumentation which could affect the ability to achieve a cold shutdown using existing procedures (ref. 2).

The Crystal River Unit 3 incident and the apparently high frequency of such somewhat similar types of transients in other B&W-designed plants resulted in the NRC task force study and report NUREG-0667 "Transient Response of Babcock [and] Wilcox Designed Reactors," released April 2, 1980 (ref. 4).

A historical summary of 23 ICS/NNI power failures during operation was presented in NUREG-0667. Failures that were identified included inverter failure, an electrical short in a dc bus and in an ICS power receptacle, and a variety of unspecified shorts. Most, if not all, of these problems appear to have occurred more than one time, and approximately 50% of them were due to short circuits on cabinet-level ac or dc power buses. Another 30% were attributed to maintenance or troubleshooting activities. This experience suggests that the NNI and ICS ac and dc power supplies and signals are sensitive to short circuits at the cabinet level and that failures of these buses should be expected during plant operation.

1.2 SCOPE OF WORK

The Oconee Unit 1 instrumentation and controls consist of several major Class 1E and non-Class 1E instrumentation systems, listed here by system and principal functions:

Class 1E Safety Systems

- Reactor protective system (RPS): Detection of abnormal plant operation and initiation of reactor scram. Input of selected buffered signals to ICS/NNI.
- Engineered safeguards protective system (ESPS): Detection of abnormal plant operation and initiation of plant safety equipment. Input of selected buffered signals to ICS/NNI.
- Other Class 1E controls and instrumentation: Monitoring and indication of process parameters important to safety and control of safety equipment.

Non-Class 1E Systems

- Nonnuclear instrumentation system (NNI): Monitoring and indication of plant parameters and control of selected nonsafety equipment.
- Integrated control system (ICS): Coordinated control of the main feedwater flow, reactor power, main turbine-generator power, and turbine bypass systems.

These systems are schematically shown in Fig. 1.1 together with the process parameter interconnections among them and their electrical power supplies.

This report presents the results of a failure modes and effects analysis (FMEA) of the power supplies to the Oconee Unit 1 ICS and NNI instrumentation systems. This study was performed for the NRC and carried out by Science Applications, Inc., (SAI) under the direction of Oak Ridge National Laboratory (ORNL). The objectives of this work are as follows:

1. Perform a FMEA of the NNI and ICS power supplies to identify systems output failures resulting from single power supply failures.

2. Evaluate the initial or near-term response of the plant to the failed outputs resulting from each postulated power failure.

3. Identify potential design modifications that would eliminate or reduce the frequency of the postulated power failures.

[Fig. 1.1. Oconee Unit 1 instrumentation system and major interconnections (ORNL-DWG 84-15956). Blocks shown: sensor inputs, RPS, ESPS, emergency feedwater controls, ICS, and NNI, with the Class 1E power buses (KVIA, KVIB, KVIC, KVID) and the non-Class 1E power buses (KI and KU); the ICS and NNI blocks are marked as the scope of the present study.]

1.3 TECHNICAL APPROACH

The analysis of the ICS/NNI response to power supply failure was performed using an extended FMEA. The general technical approach used is illustrated in Fig. 1.2. The ICS and NNI power supplies were reviewed and potential failure modes were defined. The NNI process variable display failures and control actions were then identified for the distinct power supply failure modes. Failed NNI signals for the different power supply failure modes were identified and used to define inputs to the ICS, and ICS input failures were analyzed to predict the ICS response. ICS power supply failure effects were then combined with the signal propagation results as appropriate to predict net ICS response. Alarms and indications available to detect the resulting transient are also discussed.

This work included the development of a detailed data base for the power supply dependence of each instrument and control string in the Oconee Unit 1 ICS and NNI systems. By coding the power supply dependence along each string, it was possible to efficiently search and list the failed and operating outputs by tag number for each power supply failure mode. This data base was designed so that future alternate power sources can be included in the data fields and search logic.

Specific steps performed as part of this analysis included the following:

1. Listing all ICS/NNI sensor-to-output device circuits and identifying the branch circuit supplying power to each module in each circuit.
2. Inputting the sensor-to-output circuits into a computerized data base.
3. Sorting the circuit data base to obtain a separate listing of circuits with deenergized components and energized circuits for each power supply failure.
4. Sorting each listing of energized and deenergized circuits into separate listings by output type [control outputs, computer inputs, alarms, indicators (meters), and chart recorders].
5. Specifying for each output type in the deenergized circuit listing the response of the output devices to each power supply failure by detailed circuit analysis.
6. Evaluating and specifying the initial automatic plant response to the deenergized control circuit outputs for each power distribution failure.
7. Evaluating the possible near-term operator responses and the resulting consequences to the plant based on the initial automatic plant response and the energized and deenergized indication and alarm outputs displayed to the operator.

[Fig. 1.2. Technical approach (ORNL-DWG 84-15957). Flow shown: power supply analysis (define power supplies; define power supply failure modes), NNI analysis (identify NNI output failures), ICS analysis (propagate NNI signals through ICS; identify ICS output failures), and integrating failure modes and effects analysis (identify and analyze improvements).]
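The data-base search described in steps 1 through 4 can be sketched as follows. This is an added example, not code or data from the report: the feed hierarchy follows the branch description in Sect. 2, while the tag numbers, module names and circuit contents are constructed, and the rule that a module stays energized when either its primary or its alternate source is live is a simplifying assumption.

```python
"""Power-supply dependency search over sensor-to-output strings (added example)."""
from collections import defaultdict

# Which source feeds which branches, per the report's Sect. 2 description:
# panelboard KI feeds H, HX, HEX, HEY, H-EL and KI-10; auto power H feeds
# H1..H8; hand power HX feeds H1X..H3X. KU is the computer panelboard.
FEEDS = {
    "KI": ["H", "HX", "HEX", "HEY", "H-EL", "KI-10"],
    "H": ["H1", "H2", "H4", "H5", "H8"],
    "HX": ["H1X", "H2X", "H3X"],
    "KU": [],
}

# Constructed sample records (hypothetical tags, not plant data).
# Each module is (name, primary source, alternate source or None).
CIRCUITS = [
    {"tag": "EX-CTL-01", "output": "control",
     "modules": [("level transmitter", "HEX", None),
                 ("signal conditioner", "H1", None),
                 ("hand/auto station", "H1X", None)]},
    {"tag": "EX-CTL-02", "output": "control",
     "modules": [("E/P transducer", "H2X", "KU")]},
    {"tag": "EX-IND-03", "output": "indicator",
     "modules": [("flow transmitter", "H2", None),
                 ("panel meter", "H2", None)]},
    {"tag": "EX-ALM-04", "output": "alarm",
     "modules": [("bistable", "H5", None)]},
    {"tag": "EX-REC-05", "output": "recorder",
     "modules": [("pressure transmitter", "KI-10", None),
                 ("chart recorder", "H8", None)]},
    {"tag": "EX-CMP-06", "output": "computer",
     "modules": [("computer input", "KU", None)]},
]


def dead_branches(failed):
    """Return the failed source plus every branch downstream of it."""
    dead, stack = set(), [failed]
    while stack:
        branch = stack.pop()
        if branch not in dead:
            dead.add(branch)
            stack.extend(FEEDS.get(branch, []))
    return dead


def lost_modules(circuit, dead):
    """Modules in one string with no live source (primary and alternate dead)."""
    return [name for name, primary, alt in circuit["modules"]
            if primary in dead and (alt is None or alt in dead)]


def search(circuits, failed):
    """Steps 3 and 4: split strings into deenergized/energized, by output type."""
    dead = dead_branches(failed)
    listing = {"deenergized": defaultdict(list), "energized": defaultdict(list)}
    for circuit in circuits:
        # A string is a series path: one unpowered module fails the output.
        state = "deenergized" if lost_modules(circuit, dead) else "energized"
        listing[state][circuit["output"]].append(circuit["tag"])
    return {state: dict(by_type) for state, by_type in listing.items()}


def single_point_sources(circuits, tag):
    """Every branch or panelboard whose loss alone deenergizes the given string."""
    sources = set(FEEDS) | {b for kids in FEEDS.values() for b in kids}
    circuit = next(c for c in circuits if c["tag"] == tag)
    return sorted(s for s in sources if lost_modules(circuit, dead_branches(s)))


if __name__ == "__main__":
    for mode in ("H", "H2X", "KI", "KU"):
        print(mode, search(CIRCUITS, mode))
    print("EX-CTL-01 single-point sources:",
          single_point_sources(CIRCUITS, "EX-CTL-01"))
```

The inverse query in `single_point_sources` shows why the alternate-source field matters: the constructed string with a KU alternate has no single-point source at all, while the string spanning HEX, H1 and H1X is lost on any of six failures.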

1.4 REPORT CONTENTS

This report describes the results of the ICS/NNI power supply FMEA. The conclusions obtained from these results are summarized in Sect. 2. Brief descriptions of the ICS/NNI and their electric power distribution circuitry are given in Sects. 3 and 4. The results of the power supply FMEA for each power supply failure case are presented and briefly discussed in Sects. 5 through 20.

2. SUMMARY OF RESULTS

A detailed analysis of the effects of ICS/NNI electrical power supply failures has been performed for the Oconee Unit 1 nuclear power plant. This analysis consisted of determining the response of ICS/NNI output signals to single-point failures in the power supply circuitry. From these degraded signal combinations, the automatic response of the plant's controlled components and possible responses of the plant operators to degraded control room parameter displays were evaluated.

The ICS/NNI is supplied with 120-V ac power through five major branch circuits from ICS panelboard KI: auto power (branch H), hand power (branch HX), emergency power (branches HEX and HEY), emergency steam generator level control power (branch H-EL),* and reactor control system (RCS) narrow range pressure transmitter power (branch KI-10). Auto power and hand power are distributed to ICS/NNI components through branch circuits H1, H2, H4, H5, H8, H1X, H2X, and H3X. In addition, computer panelboard KU can provide power to selected NNI circuits by manual transfer or automatic transfer if panelboard KI is deenergized.

*The emergency feedwater control system is powered through the vital buses, not from H-EL.

The results of the study are summarized in Tables 2.1 and 2.2 for the power supply branch circuit or combinations of branch circuits deenergized. Table 2.1 lists the principal automatic control circuit and plant responses to the power supply failures. The principal control room parameter display failures and possible operator responses resulting from power supply failures are listed in Table 2.2. A detailed description of the plant response to each power supply failure is provided in Sects. 5 through 20 of this report.

The conclusions resulting from the ICS/NNI power supply failure analysis are summarized below:

1. The automatic responses of the plant to power supply failures were not found to be severe. In part, this is due to the post-TMI modifications, in particular the automatic trip of the main feedwater pumps on high steam generator level and subsequent automatic initiation and control of the emergency feedwater system. The principal spurious automatic responses were found to be:

- Several power supply failures resulted in opening or holding open the main feedwater control valves, which may result in an automatic high steam generator trip of the main feedwater pumps and automatic initiation and control of emergency feedwater. Manual throttling of main feedwater could avoid the high level trip in many cases.

Table 2.1. Summary of spurious automatic system responses to ICS/NNI power supply failures

| Branch circuit failure | NNI spurious response | ICS spurious response | Transfer to manual | Automatic system response |
|---|---|---|---|---|
| H1 | Yes | No | Reactor power; turbine throttle; main and startup feedwater valves; main feedwater pump; pressurizer spray valves; pressurizer heater; makeup flow control | Continued short-term plant operation without automatic control. Reactor/turbine trip in response to perturbations, with possible high-SG-level feedwater pump trip. |
| H2 | Yes | No | Seal injection flow | Interlock reactor coolant (RC) pumps from being started. |
| H4 | No | No | None | None |
| H5 | No | No | None | None |
| H8 | No | No | None | None |
| H | Yes | No | Branches H1 through H8 deenergized, see above. | Branches H1 through H8 deenergized. Response described above. |
| H1X | Yes | Yes | None | Possible closure of turbine throttle, increase or decrease of reactor power, and reduction of feedwater pump speed will result in reactor/turbine trip. High-SG-level trip of feedwater pumps possible. |
| H2X | Yes | No | None | No immediate plant transient. The power supply for the letdown, makeup, and RC pump seal injection control valves electro/pneumatic (E/P) transducers transfers automatically to panelboard KU. Letdown transferred automatically to letdown storage tank. |
| H3X | No | No | None | None |
| HX | Yes | Yes | None | Branches H1X, H2X, and H3X deenergized. Response described above. |
| HEX | Yes | Yes | None | Pressurizer level and SG startup level and pressure transmitters are powered by branches HEX and HEY. If selected for control, a deenergized pressurizer level transmitter results in transferring coolant from the letdown storage tank to the pressurizer. A deenergized SG level transmitter results in increased main feedwater flow to the affected SG(s). A deenergized SG pressure transmitter results in loss of automatic control of turbine bypass valves. |
| HEY | Yes | Yes | None | See HEX above. |
| H-EL | No | Yes | None | No immediate plant transient. Startup feedwater control valves "freeze" in position. |
| KI | Yes | Yes | Branches H, HX, HEX, HEY, and H-EL deenergized. Letdown, makeup, and turbine bypass valve controls transferred to manual and energized via KU. Manual pressurizer spray and heater controls also available at ASP. | Branches H, HX, HEX, HEY, and H-EL deenergized. Automatic reactor, turbine, and feedwater pump trip. Automatic control of emergency feedwater and RC pump seal injection flow. |
| KU | Yes | No | None | If KU powered pressurizer level transmitter selected, coolant transferred from letdown storage tank to pressurizer. |
| KI-10 | Yes | No | None | RCS narrow range pressure transmitter deenergized, resulting in a low indicated pressure. Pressurizer heaters would be energized and the pilot-operated relief valve (PORV) and spray valves closed, probably resulting in a high pressure reactor trip. |

o Table 2.2 'Sununary of control roorn parameter displaysi response'.to ICS/NNI-power control failures Branch

.circult' 'NNI . ICS Expected plant control failure . response response Spurious alarms Deenergized indications operator response

  • l' H1 .Yes. Yes H1, lo pressurizer level Cold leg dT Trip plant or manually attempt con-Hi, lo RC Tava - RCS loop A. Tavg trolled runback.

Low 3G A B startup levels SG A wide range level -

Loops A B startup feedwater flow rate Digital Tava indication RCS Tavg recorder Loop A B feedwater flow

-recorder H2 Yes'- No Lo RC pump seal dP Seal dP Manual trip of reactor and RC pump Lo, hi seal injection and Seal injection and outlet possible, outlet flow rates flow Letdown flow -

O H4 No No Hi, lo CFT pressure One of two core flood Continued plant operation.

tank pressure meters

.HS No No Hi quench tank T P, level Quench tank T. P, level Continued plant operation.

H1, lo reactor building RB sump level (RB). sump level Liquid, gaseous waste flow, flow recorder

' d .' HS No No H1 reactor building RB pressure meter, recorder Continued plant operation, pressure H No No Branches H1 through H8 Branches H1 through H8 Loss of branch H (auto power) alarmed.

deenergized, see above deenergized, see above Identification of cause of spurious indications increases likelihood of effective manual control by operator, including reactor trip and main feed-water control.

H1X | Yes | Yes | Hi, lo turbine hdr. pressure; Hi, lo pressurizer level; Hi SG level; Hi RCS temperature, dT | Turbine hdr. pressure; SG pressure; SG level; Main feedwater flow; RCS temperature | Manual trip of reactor/turbine, manual trip of main feedwater pumps, and possible initiation of HPI.

H2X | Yes | No | Hi, lo letdown storage tank (LST) level | LST level LT-2 | Opening flow path from borated water storage tank (BWST) to HPI pumps possible.

H3X | No | No | None | One of two CFT A, B pressure meters | Continued power operation.

HX | Yes | Yes | Branches H1X, H2X, and H3X deenergized, see above | Branches H1X, H2X, and H3X deenergized, see above | Loss of branch HX (hand power) alarmed. Operator expected to trip reactor, turbine, and feedwater pumps and regain manual control of selected components by manually transferring to KU power supply.

HEX | Yes | Yes | Lo pressurizer level if selected; Lo SG level if selected; Lo SG pressure if selected | Lo pressurizer level if selected; Lo SG level if selected; Lo SG pressure if selected | Loss of branch HEX (emergency power) alarmed. Operator expected to select energized transmitters.

HEY | Yes | Yes | Lo pressurizer level if selected; Lo SG level if selected; Lo SG pressure if selected | Lo pressurizer level if selected; Lo SG level if selected; Lo SG pressure if selected | Loss of branch HEY (emergency power) alarmed. Operator expected to select energized transmitters.

H-EL | No | Yes | None | None | Loss of branch H-EL (emergency SG level control power) alarmed in control room. No operator actions required during power operations. Use of emergency feedwater may be required following shutdown.

KI | Yes | Yes | Branches H, HX, HEX, HEY, H-EL deenergized, see above | Same as H, HX, HEX, HEY, H-EL deenergized, see above | Loss of panelboard KI (ICS panelboard) alarmed in control room. Operator expected to follow emergency procedure EP/0/A/1800/31, loss of KI bus.

KU | Yes | No | Lo pressurizer level if selected | Pressurizer level if selected, all computer outputs | Follow procedure for loss of plant computer. Select alternate pressurizer level signal for indication and control.

KI-10 | Yes | No | Lo RCS pressure | RCS pressure | Identify spurious low RCS narrow range signal from comparison with RPS signals. Manually control pressurizer heaters, spray valve, and PORV.

Other responses include the identification and repair of power supply failure.


- Most power supply failures resulted in the makeup control valve freezing in position (with manual control available) without significantly affecting RCS inventory. Failure of the power supply for the selected pressurizer level transmitter, however, opens the makeup valve. The operator, in this case, must manually control the makeup flow rate to prevent possible damage to the PORV and the operating high pressure injection (HPI) pump.

- Several power supply failures resulted in the pressurizer heaters remaining on or the pressurizer spray block valve remaining open if these components were energized or open at the time of power failure. The transient resulting is slow in either case; however, manual control is required.

2. Specific alarms were identified for failure of panelboard KI and branches H, HX, HEX, HEY, and H-EL. However, alarms for failure of lower level circuits (H1, H2, H4, H5, H8, H1X, H2X, and H3X) were not identified from available information. Alarms for these circuits, H1 and H1X in particular, and appropriate procedures for operator guidance are considered important to the rapid identification and manual mitigation of the resulting transients.

3. Possible operator responses to spurious control room displays resulting from power supply failures were evaluated qualitatively. In general, possible operator actions (or failures of the operator to perform an action) did not result in significant transients. Two potentially significant operator responses, however, were identified:

- Following branch H, H1, or selected HEX or HEY failure at high reactor power and high steam generator level, the operator may close the main feedwater control valves. Due to the moderately long length of time that would elapse prior to requiring additional feedwater and the failure of the low-level alarm (spuriously energized by the power failure), the operator may fail to reopen the feedwater control valve prior to steam generator dryout. In this case automatic initiation of emergency feedwater is not expected since the main feedwater pumps are operating and only main feedwater pump trip initiates emergency feedwater.

- Failure of the selected pressurizer level transmitter power supply will result in spurious low-level alarm and indication of pressurizer level and opening the makeup control valve. Although the operator should be alerted to the power supply failure by the ICS/NNI emergency power (HEX, HEY) failure alarms and should transfer to an operable transmitter, other events may distract him. The same power supply failure may result in reactor/turbine trip, spurious low steam generator alarm and indication, increasing steam generator level, and main feedwater pump trip. If the pressurizer is allowed to fill and liquid is discharged through the PORV, valve damage could occur. Also, if the LST is allowed to drain (LST level is separately alarmed) and an alternate supply of water is not provided, damage of the operating HPI pump would occur.

4. During the power supply failure analysis, several modifications were identified which would prevent or moderate the effects of power supply failures. These modifications are suggested for review:

- Transmitter selection relay power: The contact switches used to select one of two redundant transmitters frequently are powered by one of the transmitters' power supply in the ICS/NNI design. With proper selection, a power supply failure will result in an automatic transfer to the alternate energized transmitter. Modification of the HEX, HEY powered pressurizer and steam generator startup level transmitters' selection switches to this configuration is recommended (i.e., change the power supply of the transmitter selection relays to HEX or HEY and configure to allow automatic transfer on power supply failure. Also note, a more elegant, double-switch arrangement is used for the selection of the SGs' operate range level transmitters. This arrangement will allow automatic transfer on power supply failure regardless of the transmitter initially selected).

- Automatic trip of feedwater pumps: Failure of branch H, H1, HX, or H1X is expected to cause a transient resulting in main feedwater pump trip (on high steam generator level). It is recommended that the pumps be tripped directly on loss of any of these power supplies (as they are on loss of panelboard KI) to minimize the effect of the transient.

- Suppression of spurious alarms: The majority of alarm contacts are configured to alarm on power supply failure. The resulting spurious alarms are not expected to aid transient diagnosis and may mask operable alarms. It is recommended that the signal monitor alarm contacts be changed to an energize-to-alarm configuration.

- Power supply failure alarms: Alarms for failure of branch circuits H1, H2, H4, H5, H8, H1X, H2X, and H3X were not identified from available information. If these circuit failures are not alarmed, it is recommended that alarms for branch circuits H1 and H1X be considered.

- Power supply failure procedures: The "Loss of KI Bus" emergency procedure is expected to be very useful in the manual recovery from KI failures, particularly in the identification of operable controls and indications. It is recommended that the power supply failure procedures be reviewed to determine whether lower-level power supply branch circuit failures are addressed and that specific instructions be added if they are not.

- Preferred transmitters: Preferred positions for transmitter select switches should be used where possible to reduce single power supply failure dependence and/or subsequent automatic control response.


3. ICS/NNI FUNCTIONAL DESCRIPTION

The ICS/NNI is a series of fourteen electrical equipment cabinets containing the sensor and control circuits required for the controlled operation of the Oconee 1 nuclear steam supply system (reactor, steam generators, and associated supporting systems). The ICS portion of the system provides the integrated control of the feedwater flow rate to the steam generators, the reactor core power, the reactor coolant temperature, and the pressure of the steam generated in the steam generators and supplied to the plant's high pressure turbine. The NNI portion provides sensor input signals to the ICS, RCS inventory and pressure control, and control of selected auxiliary systems functions. In addition, the NNI provides plant parameter information to the plant operating staff through control room indicators, alarms, and the plant computer.

More detailed descriptions of the functions performed by the ICS/NNI may be found in ref. 5.

The principal source of design information on the ICS/NNI used in this analysis is the Oconee ICS Instruction Book (ref. 6). This document shows the detailed ICS/NNI circuits and their sources of electric power.

Available information supplied to ORNL by Duke Power was used to update several sources of information (refs. 7-12).

The major modifications incorporated in the analysis but not shown on the instruction book drawings are summarized below:

1. The use of panelboard KU (computer power) to power the RC pump seal injection automatic control circuit upon loss of panelboard KI.
2. The use of panelboard KU to power manual control circuits for makeup and letdown flow, turbine bypass valves, and pressurizer heater bank 2 from the control room or auxiliary shutdown panel.
3. The addition of manual control switches for the PORV and pressurizer spray valve in ICS Cabinet 13 powered independently of panelboard KI.
4. The use of ICS steam generator level signals to trip the main feedwater pumps on high level.
5. The use of ICS power (branch KI-10) to power the non-Class-1E RCS narrow-range pressure transmitter input to the NNI.

Due to the modifications which are known to have been made to the NNI/ICS, the possibility of additional changes not identified in available information is recognized. Uncertainties in the knowledge of the design have been identified where known.

3.1 NNI CONTROL OUTPUT SIGNALS

The NNI performs two general functions: measurement of plant parameters for plant control and control room indication, and control of selected RCS and auxiliary system functions. The equipment controlled by NNI and the associated NNI output identifications are listed in Table 3.1.

3.2 ICS SIGNAL INPUTS FROM NNI

The ICS controls main feedwater flow rate, reactor power, and steam pressure based on conditioned signals of plant parameters received from the NNI. These plant parameter signals are listed in Table 3.2.

3.3 NNI SIGNAL SELECT HAND STATIONS

In the NNI system, 26 hand stations are used to select sensors for control and indication. These hand stations control all NNI signal inputs to the ICS. In a number of cases, these signals have a mixed power supply dependence. In order to summarize these power supply dependencies, drawings were developed to show the signal power supply dependence for each hand station switch position (see Figs. 3.1 through 3.9). Note that the hand station relay contacts are shown in the deenergized position.

3.4 ICS CONTROL OUTPUT SIGNALS

The control signals developed in the ICS for plant control are listed in Table 3.3. Identification of the controlled devices, the control signal type, and the ICS output identifications are provided.

3.5 COMPARISON OF BAILEY METER MODELS 721 AND 820 NNI/ICS DESIGNS

The three units of the Oconee Nuclear Station have the Bailey Meter Model 721 ICS and NNI system. This system distributes 120-V ac power directly to individual function modules as well as to sensors, relays, relay power supplies, and E/P valve controllers from a number of ac branch circuits. The responses of the 721 series ICS/NNI to power failures are described in this report.

Four of the seven operating B&W-designed plants (Rancho Seco, Davis Besse, Crystal River, and Arkansas Nuclear Stations) have Bailey Meter Model 820 NNI and ICS systems that provide functions similar to the 721 ICS/NNI. The 820 systems use two sets of bipolar dc power supplies fed from 120-V ac buses to distribute module and dc relay power to the NNI system, and a third set of bipolar dc power supplies distributes module and dc relay power to the ICS. The B&W-designed Bellefonte and

Table 3.1. Summary of NNI auxiliary control outputs

| Output identification | Description |
|---|---|
| 183-1/PLL, 183/PLL | Lo-lo pressurizer level interlock for heater banks 1, 2, 3 and 4 (auto). |
| 1RC3-PS8 (27/H1-RP) | High and low pressure control contacts for the PORV (relief valve RC-V3) (auto). |
| 1RC3-PS5, 1RC3-PS6, 1RC3-PS7, 183/BHO-2, 183/BHO-3, 183/BHO-4 | High and low pressure control contacts for heater banks 2, 3, 4 (auto and manual). |
| 1RC3-PIC | Analog signal to silicon-controlled rectifier (SCR) controller for heater bank 1 (auto and manual). |
| 1RC3-PS3, 83/M-O, 83/M-C | High and low pressure control contacts for the pressurizer spray valve (auto and manual). |
| 83-L/SSV | Open and close control contacts for pressurizer spray stop valve (manual). |
| 1RC5A-TS, 1RC5B-TS | Interlock contacts to prevent RC pump start on low RC temperature (auto). |
| 1HP14-LS2 | Control contact on low letdown storage tank level; function unknown, drawing 8032326 missing (auto). |
| 1HP14-LR | Control contact to switch 3-way valve HP-V10 to divert letdown reactor coolant to the LST on low LST level (B&W elementary drawing 136129E missing) (auto). |
| 1HP11-FS | Interlock contact to prevent RC pump start on low seal inlet header flow (auto). |
| 1HP-25 E/P | Analog signal to control makeup flow (auto and manual). |
| 1HP11-E/P | Analog signal to control pump seal inlet header flow (auto and manual). |
| 1HP28-DPS1, 1HP28-DPS2, 1HP28-DPS3, 1HP28-DPS4 | Interlock contacts to prevent individual RC pump start on low seal pressure drop (auto). |
| 1HP3-E/P | Analog signal to control letdown flow (manual). |

Table 3.2. ICS signal inputs from NNI

| Signal input | Indicated range | Voltage range | Process operating range |
|---|---|---|---|
| Temperature-compensated RC flow | 0 to 100% | 0 to 10 V | 0 to 100% |
| Generated electric frequency | 57 to 63 Hz | ±50 mV | 57 to 63 Hz |
| Generated electric power | 0 to 999 MW | 0 to 100 mV | 0 to 874 MW |
| Turbine header pressure | 600 to 1200 psig | ±10 V | 0 to 900 psig |
| Steam generator A and B pressure | 0 to 1200 psig | ±10 V | 0 to 925 psig |
| RC Tavg | 520 to 620°F | ±10 V | 532 to 579°F |
| Neutron power | 0 to 125% | 0 to 10 V | 0 - 109 nv |
| Temperature-compensated (FW) flow loops A and B | 0 to 5.67 × 10^6 lbm/h | ±10 V | 0 to 5.3 × 10^6 lbm/h |
| Feedwater temperature | 0 to 470°F | ±10 V | 0 to 455°F |
| ΔT RCS loops A and B Tcold | ±10°F | ±10 V | ±10°F |
| RC Thot wide range | 0 to 650°F | ±10 V | 120 to 600°F |
| RC flow loops A and B | 0 to 70 × 10^6 lbm/h | ±10 V | 0 to 65.66 × 10^6 lbm/h |
| Steam generator A and B operate range level | 0 to 100% | ±10 V | 0 to 378 in. |
| Steam generator A and B startup range level | 0 to 400 in. | 0 to 10 V | 0 to 378 in. |
| FW valve A and B pressure drop | 0 to 100 psi | ±10 V | 0 to 35 psi |

[Drawing ORNL-DWG 84-15958 not reproduced. Legible labels: temperature-compensated main and startup feedwater flow, loops A and B; main feedwater temperature; power supplies H1 and H1X.]

Fig. 3.1. Hand stations ISS8A, ISS8B, and ISS5.

[Drawing ORNL-DWG 84-15959 not reproduced. Legible labels: steam generator downcomer temperature, loop A; temperature-compensated operate SG level, loop A; power supplies H1, H1X, and H-EL. Note on drawing: H1X failure forces selection of H-EL sensors; H-EL failure forces selection of H1X sensors.]

Fig. 3.2. Hand stations ISS3A and ISS11A.

[Drawing ORNL-DWG 84-15960 not reproduced. Legible labels: steam generator downcomer temperature, loop B; temperature-compensated operate SG level, loop B; power supplies H1, H1X, and H-EL. Note on drawing: H1X failure forces selection of H-EL sensors; H-EL failure forces selection of H1X sensors.]

Fig. 3.3. Hand stations ISS3B and ISS11B.

[Drawing ORNL-DWG 84-15961 not reproduced. Legible labels: RC pump interlock, loops A and B; turbine header pressure; power supplies H1 and H1X.]

Fig. 3.4. Hand stations IRC5A, IRC5B, and ISS1.

[Drawing ORNL-DWG 84-15962 not reproduced. Legible labels: temperature-compensated pressurizer level; power supplies H1, H1X, HEX, and HEY.]

Fig. 3.5. Hand stations IRC1 and IRC2.

[Drawing ORNL-DWG 84-15963 not reproduced. Legible labels: steam generator startup level, loops A and B; outlet pressure, loop B; power supplies H1, H1X, HEX, and HEY.]

Fig. 3.6. Hand stations ISS11A, ISS11B, ISS6A, and ISS6B.

[Drawing ORNL-DWG 84-15964 not reproduced. Legible labels: steam generator outlet temperature, loops A and B; power supplies H1 and H1X.]

Fig. 3.7. Hand stations ISS4A and ISS4B.

[Drawing ORNL-DWG 84-15965 not reproduced. Legible labels: main feedwater valve pressure drop, loops A and B; letdown storage tank level; power supplies H1, H1X, and H2.]

Fig. 3.8. Hand stations ISS10A, ISS10B, and IHP14.

[Drawing ORNL-DWG 84-15966 not reproduced.]

Fig. 3.9. Hand stations IRC4A, IRC4B, IRC5A, IRC5B, IRC4, IRC5, and IRC12.

Table 3.3. Summary of ICS control outputs

| Output identification | Description |
|---|---|
| IC10-MSC (83/TCV) | Control contact to open and close turbine control valves (auto and manual). |
| 1MT6-E/P, 1MT7-E/P, 1MT13-E/P, 1MT14-E/P | Analog signal to open and close turbine bypass valves (auto and manual). |
| 1SSV2A-E/P, 1SSV2B-E/P | Analog signals to open and close startup feedwater valves (auto and manual). |
| MFV-1A, MFV-1B | Analog signals to open and close main feedwater valves (auto and manual). |
| IC36A-MCS, IC36B-MSC | Analog signals to control main feedwater pump speed (auto and manual). |
| RC18.13 (86-1/RPI, 86-1/RPD) | Control contacts to insert and withdraw control rods (auto and manual). |


WNP Nuclear Stations, now under construction, have an extended arrangement of the 820 NNI system where part of the NNI signals are obtained from redundant Class 1-E essential control and instrument (ECI) systems. The ECI signals are received through an optical isolation system that has additional bipolar dc power supplies.

The 820 series NNI systems use two sets of bipolar power supplies typically designated "X" and "Y." An additional set of bipolar power supplies provide dc power to the ICS. Some redundancy in X- and Y-powered signals is available, although not all input signals to the ICS from the NNI can be selected from one supply or the other. The bipolar dc power supplies are operated in pairs, with the outputs from two separate supplies summed through diodes. The ac power input to a pair of the bipolar dc supplies typically is provided from different ac power buses. In this manner, a failure of a single ac bus will not interrupt the summed dc supply output.

The bipolar dc power supply outputs are monitored by a power supply monitor circuit. In the event either polarity drops below a set value, the power supply monitor will interrupt the ac power input to both dc supplies. In this manner, operation with a single power supply polarity is prevented. The power supply monitor will deenergize the dc power supplies in the event of a short circuit on the dc distribution wiring between the power supply output and the associated NNI or ICS modules.

The NNI/ICS bipolar dc power is distributed inside the system cabinets by wire wrap connections to module sockets. One wire is used to serve multiple modules in some cases. The potential exists for operation of multiple modules with single polarity due to physical separation of a power supply distribution wire. While possible, such events are not known to have occurred.

Due to the differing power distribution arrangements and the types of power supply failures, the plant responses to these failures differ. In the Oconee 721 ICS/NNI, a majority of the control circuitry is powered from 120-V ac auto power (branch H/H1) and hand power (branch HX/H1X). Failure of either of these power circuits results in most controlled devices remaining in position due to a transfer to "manual" or deenergized output devices (e.g., E/P controllers). Selected sensor devices (e.g., RCS pressure or SG level) are powered from separate power circuits. Failure of these power circuits results in energized control circuitry responding to failed input signals.

In the 820 designs, the majority of sensor and output devices are powered from one of the 120-V ac buses. The internal ICS/NNI circuitry, however, is powered from one of the two NNI bipolar dc power supplies or the ICS bipolar dc supply. Since any of the ac buses or bipolar dc power supplies may fail independently of the others, a much wider variety of power supply failure combinations is possible in the 820 model than in the 721 model ICS/NNI.

As an example, the 820 model ICS receives approximately 20 sensor input signals from the NNI. A majority of these inputs may be selected manually from either an X- or a Y-powered circuit. Thus, depending on the signal selection, the energized ICS-controlled devices could respond to a combination of input signals of which any one or more signals may be deenergized due to a failure of a single NNI bipolar dc power supply. Major transients of this type were initiated at the Rancho Seco and Crystal River stations due to loss of a bipolar dc power supply.

The 820 series NNI and ICS responses to power failures have been studied in depth by operating B&W-designed plants in response to NRC IE Bulletin 79-27. Failure modes have been identified and procedures and training developed for operator identification of the power supply failure states and identification of operable indicators and controls. In addition to the development of procedures and operations, the other steps taken include direct annunciation of power supply failure, tagging power supply dependence on indicators and controls, the use of standard sensor selections to reduce the number of potential transient styles, and some power supply modifications to reduce single-failure dependence.


4. POWER SUPPLY DEFINITION AND ANALYSIS

A one-line power distribution drawing (Fig. 4.1) was developed for the analysis of the ICS/NNI power supply dependencies. This diagram was used to identify unique single-failure modes and the associated ICS/NNI electrical loads. These failures then were used as input to the ICS/NNI power supply failure effects analysis.

The power supply failures analyzed corresponded to single failures at nodes in the power distribution drawing. Multiple independent failures in the power distribution system were not analyzed.

The ICS and NNI power supply system is a combination of ac power supply buses. Loss of ac power was considered to result from the associated ac bus failing to zero volts. As shown in Fig. 4.1, the ICS/NNI is powered from 118-V ac panelboard KI, with transfer of selected circuits to panelboard KU upon loss of KI. Panelboards KI and KU each are powered through inverters from 125-V dc buses DCA and DCB. In addition, these panelboards may be powered from 118-V ac regulated instrument bus KRA by automatic transfer (ref. 9).

From panelboard KI, power is distributed to the ICS/NNI through five separate branch circuits capable of being isolated by circuit breakers: KI-1, KI-3, KI-5, KI-9, and KI-22. The hand power, HX (KI-1), and auto power, H (KI-22), branches are distributed within the ICS/NNI cabinets through an additional three and eight circuit breakers, respectively (ref. 6). The individual branch circuits feeding the ICS/NNI are shown on Fig. 4.1 and listed in Table 4.1.

The circuits shown in Table 4.1 are considered separate failure points in the FMEA of the ICS/NNI power distribution circuitry. It is assumed that an arbitrary fault in the circuitry will be isolated by a circuit breaker, deenergizing all circuits fed through that breaker. Thus, a fault in the circuits fed by branch H1 may be isolated by the circuit breaker in H1 or the circuit breaker in the auto power branch, KI-22, or result in the entire KI panelboard being isolated from its power sources.

The power circuits shown in Table 4.1 represent 18 separate electric power failures to be considered in the FMEA. However, although branch circuits could be identified, specific modules fed from branch circuits H3, H6, and H7 could not be identified.

[Drawing ORNL-DWG-84-15967R not reproduced. Legible labels: feeds from 125 VDC distribution centers DCA and DCB through isolating and transfer diodes to static inverters KI and KU; regulated non-load-shed bus KRA; static transfer switches; automatic transfer switch; isolation transformers; ICS power panelboard KI; panelboard KU (to computer and to selected ICS/NNI modules); RCS N.R. pressure (KI-10); emergency SG level control feeder H-EL; emergency power #1 feeder HEX; emergency power #2 feeder HEY; hand power feeder HX (KI-1) with feeders H1X, H2X, and H3X; auto power feeder H (KI-22) with its branch feeders; other loads.]

Fig. 4.1. Oconee 1 nuclear station ICS/NNI ac power supply.


Table 4.1. ICS/NNI electric power distribution circuits (118 V ac, 60 Hz, 1 phase)

1. ICS power panelboard KI
   1.1 Hand power, branch HX (KI-1)
       1.1.1 Branch H1X (HX to aux. shutdown panel), 10 A
       1.1.2 Branch H2X, 2 A
       1.1.3 Branch H3X, 2 A
   1.2 Emergency power #1, branch HEX (KI-5)
   1.3 Emergency power #2, branch HEY (KI-3)
   1.4 Emergency steam generator level control, branch H-EL (KI-9)
   1.5 Auto power, branch H (KI-22)
       1.5.1 Branch H1, 10 A*
       1.5.2 Branch H2, 10 A
       1.5.3 Branch H3, 2 A
       1.5.4 Branch H4, 2 A
       1.5.5 Branch H5, 2 A
       1.5.6 Branch H6, 2 A
       1.5.7 Branch H7
       1.5.8 Branch H8
   1.6 RCS narrow-range pressure, branch KI-10*
2. Computer power panelboard KU

* Per comments from Duke Power.

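The isolation assumption of Section 4 applied to the circuit tree of Table 4.1, as an added example that is not part of the original report: for a fault in a given branch it lists each breaker that could clear the fault and the circuits deenergized in each case. Function names are illustrative, and the transfer of selected circuits to panelboard KU on loss of KI is not modelled.

```python
# Added example: single-failure isolation model for the circuits of Table 4.1.
# The tree is transcribed from Table 4.1; all function names are illustrative.

# circuit -> upstream feeder (None marks a panelboard at the top of a tree)
FEEDER = {
    "KI": None, "KU": None,
    "HX": "KI", "HEX": "KI", "HEY": "KI", "H-EL": "KI", "H": "KI", "KI-10": "KI",
    "H1X": "HX", "H2X": "HX", "H3X": "HX",
}
FEEDER.update({f"H{n}": "H" for n in range(1, 9)})  # H1..H8 under auto power H

# Panelboard KI breaker designations as given in Table 4.1.
KI_BREAKER = {"HX": "KI-1", "HEX": "KI-5", "HEY": "KI-3",
              "H-EL": "KI-9", "H": "KI-22"}

# Branches whose fed modules the report says could not be identified.
LOADS_UNKNOWN = {"H3", "H6", "H7"}


def deenergized(circuit):
    """Return every circuit lost when `circuit` is isolated from its source."""
    if circuit not in FEEDER:
        raise KeyError(f"unknown circuit: {circuit}")
    lost = {circuit}
    grew = True
    while grew:
        # Anything fed from an already-lost circuit is lost as well.
        children = {c for c, up in FEEDER.items() if up in lost} - lost
        lost |= children
        grew = bool(children)
    return lost


def isolation_options(fault):
    """List (isolation point, circuits lost), nearest breaker first.

    Follows the report's assumption that a fault is cleared by some breaker
    on the path from the faulted branch up to the panelboard.
    """
    options = []
    point = fault
    while point is not None:
        options.append((point, deenergized(point)))
        point = FEEDER[point]
    return options


def report(fault):
    """One text line per possible isolation point for a fault in `fault`."""
    minimum = deenergized(fault)
    lines = []
    for point, lost in isolation_options(fault):
        label = KI_BREAKER.get(point, point)
        collateral = sorted(lost - minimum)       # lost beyond the faulted branch
        unknown = sorted(lost & LOADS_UNKNOWN)    # effects the FMEA cannot bound
        lines.append(
            f"fault in {fault}, cleared at {label}: {len(lost)} circuits lost; "
            f"collateral={collateral}; loads unidentified={unknown}"
        )
    return lines


if __name__ == "__main__":
    for fault in ("H1", "H1X", "HEX"):
        print("\n".join(report(fault)))
```

Comparing the first and second line for a fault in H1 shows why breaker coordination matters to the FMEA: clearing at KI-22 instead of at H1 turns a single-branch failure into loss of all auto power branches.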

5. EFFECTS OF ELECTRIC POWER BRANCH H1 CIRCUIT FAILURES ON ICS/NNI CIRCUITS

5.1 NNI CONTROL RESPONSE

NNI control response to H1 power failures is shown in Table 5.1. No rapid transient is introduced, and manual controls remain available.

The pressurizer spray valve would remain open until closed manually if it were open at the time of power failure. The pressurizer heaters would transfer to manual and remain energized until controlled manually if they were energized at the time of power failure. These controls would lead to changes in pressure and pressurizer level and could lead to a reactor trip unless controlled by the operator. The pressure-operated relief valve would fail closed, and any required pressure relief would be provided through a safety relief valve.

5.2 ICS CONTROL RESPONSE

ICS control response to H1 power failure is summarized in Table 5.2.

The ICS control stations would switch to manual at the operating values existing at the time of power failure. If the power failure occurred during steady-state operation, the plant could continue to be operated under manual control. If the power failure occurred during a transient, it is likely that a reactor trip would result due to difficulty in balancing steam, reactor, and feedwater demand. If the power failure occurred immediately following a trip, there would be an initial tendency for overcooling until feedwater flow was manually matched to the reactor heat output. Such overcooling would be automatically terminated by a steam generator high-level trip of the main feedwater pumps.

5.3 AUTOMATIC SYSTEM RESPONSE

Failure of the H1 branch circuit would result in the automatic transfer of many automatic plant control circuits to the manual mode. This transfer would result in ICS reactor power, turbine throttle, main and startup feedwater valves, main feedwater pump, pressurizer spray valves and "on-off" pressurizer heater, and makeup flow controls transferring to manual and "freezing" these variables at their existing values. The PORV would close or remain closed, the SCR-controlled pressurizer heaters may be spuriously energized (with manual control available), and the turbine bypass valves would be automatically controlled, with manual control available only from the auxiliary shutdown panel.

Under these conditions the plant would continue to operate but would be unable to respond automatically to induced perturbations (e.g., continued pressurizer spray and/or heater operation, etc.). The major effect of such a perturbation would be a reactor/turbine trip followed by increasing level in the steam generators. Unless throttled by the

Table 5.1. NNI auxiliary controls response to H1 power failure

| Item | Output identification | Description | Effect | Comments |
|---|---|---|---|---|
| 1. | 183-1/PLL, 183/PLL | Pressurizer lo-lo level. Interlock heater banks 1, 2, 3, 4 | Relays 183/PLL and 183-1/PLL lose power. Will not cut off heaters on lo-lo pressurizer level. | (Dwg. D8032338G) |
| 2. | 1RC3-PS3 | Pressurizer spray valve RC-V1 | Control relays are deenergized and automatic control is lost. Valve will remain closed or open depending on its position at time of power failure. | Manual control dependent on H1X is operable (Dwg. D8032338C). |
| 3. | 1RC3-PS5, 1RC3-PS6 | Pressurizer heater banks 2, 3, 4 | Control relays are deenergized and automatic control is lost. Heater banks remain on or off depending on state at time of power failure. | Manual control dependent on H1X is operable (Dwg. D8032339E). |
| 4. | None | SCR-controlled heater bank 1 | Heater bank may be energized due to low RCS pressure signal input to SCR controller. | Manual control is operable. Zero-V input signal should be compared to heater bank setpoint. |
| 5. | 1RC3-PS8 (27/HI-RP) | Relief valve RC-RV3 | Control relays are deenergized and automatic control is lost. Valve will close or remain closed. | Per Dwg. 8032332E. Actual control relay not found. Manual control operable. |
| 6. | 1HP-25, E/P | Makeup flow demand to makeup flow control valve | Probable transfer to manual. Valve remains in position existing prior to power failure. | Power to relay 83/LT not shown on Dwg. 80323380. |
| 7. | 1RC5A-TS, 1RC5B-TS | Reactor coolant pump start interlock | Interlock relays are deenergized. Permits RC pump start at low RC temp. | |

Table 5.2. ICS control response to H1 power failure

| Item | Output identification | Description | Effect | Comments |
|---|---|---|---|---|
| 1. | IC10-MCS (83/TCV) | Turbine throttle valve | Valve remains as is. | Cannot be increased or decreased by ICS. Manual controls operable. |
| 2. | 1MT6-E/P, 1MT7-E/P, 1MT13-E/P, 1MT14-E/P | Turbine bypass valves | Manual control at ICS is lost. | Control automatically on steam generator pressure; manual control at aux. shutdown panel operable. |
| 3. | RC18.13 (86-1/RPI, 86-1/RPD) | Reactor power | Reactor power remains as is. | Cannot be increased or decreased by ICS. Manual control of control rods operable. |
| 4. | IC36A-MCS, IC36B-MCS | Main feedwater pump speed | Switches to manual at operating value. | Manual control operable. |
| 5. | MFV-1A, MFV-1B | Main feedwater valve position | Switches to manual at operating value. | Manual control operable. |
| 6. | 1SSV2A-E/P, 1SSV2B-E/P | Startup feedwater valve position | Switches to manual at operating value. | Manual control operable. |

38 operator, the main feedwater pumps would automatically trip on steam generator high level and the emergency feedwater system would start auto-matically.

5.4 CONTROL ROOM PARAMETER DISPLAY

The H1 failure would result in spurious alarms and deenergized meter indicators and recorders. High and low pressurizer level, high and low RC Tavg, and steam generator A and B low startup levels would be alarmed spuriously. The operator could verify that these contradictory alarms were spurious by the operable meter indications of these parameters.

Deenergized indications (bottom of scale) resulting from the H1 failure include cold leg dT, RCS loop A temperature and Tavg, steam generator A wide-range level, and Loops A and B startup feedwater flow rate. Also, the digital Tavg indication and recorders indicating RCS Tavg and Loop A and B main feedwater flow would be deenergized. Specific indication or alarm of the H1 failure has not been identified from available information. If the operator recognizes the H1 power failure, steady state operation of the plant under manual control while H1 is being restored is expected. If the power failure were not recognized, the expected response of the operator to the H1 power failure would be to trip the plant or manually attempt a controlled runback. A manual runback is considered difficult but possible with available indications and controls. If the operator succeeded, the plant would be shut down without a significant transient. If the attempt failed, the major result would be a reactor trip.

If the plant were tripped, either by the operator or automatically, the operator must manually throttle main feedwater to control the steam generator level (based on steam generator startup-range level indications). The operator may choose to isolate main feedwater and utilize the automatically controlled emergency feedwater system. If the operator failed to control level, the main feedwater pumps would be automatically tripped on steam generator high level and the emergency feedwater system would be started and controlled automatically.

The spurious low-level steam generator alarms may be significant in the manual control of steam generator level. The initial steam generator levels are expected to be high, which would require manual closure of the main and startup feedwater control valves. Since a period of time may elapse prior to requiring opening of the startup valves, the unavailability of low-level alarms could contribute to the failure to reopen the valves when required. This would lead to steam generator dryout.

In addition to feedwater control, the operator must manually control the makeup flow control valve, pressurizer spray valve, and pressurizer heaters to control pressurizer level and pressure. Although the pressurizer level alarms are unavailable, pressurizer level is not expected to vary significantly once RCS temperatures stabilize following reactor trip, and therefore immediate manual control of pressurizer level is not considered critical.

6. EFFECTS OF ELECTRIC POWER BRANCH H2 CIRCUIT FAILURES ON ICS/NNI CIRCUITS

6.1 NNI CONTROL RESPONSE

The only control failure resulting from a failure of branch H2 is the spurious interlock of the reactor coolant pump (RCP) start circuitry (see Table 6.1). H2 power must be restored to remove this interlock.

Since no plant transient is involved, the failure should not affect normal operation. However, H2 power failure during a transient that involved RCP trips could prevent pump restart on demand. Since the pressurizer spray operates on core differential pressure, loss of reactor coolant flow would also prevent pressurizer spray operation and therefore affect pressure control. The pressurizer PORV would remain operational.

6.2 ICS CONTROL RESPONSE

H2 branch power failure would not affect ICS response or control functions. Normal operation would continue.

6.3 AUTOMATIC SYSTEM RESPONSE

The HPI (non-safety-related makeup and letdown functions) system instrumentation is powered via branch circuits H2 and H2X. Failure of branch H2 would not cause a plant transient due to automatic control actions; the only automatic actions resulting would be transfer of the seal injection flow control to manual at the existing flow rate and interlocking the RCPs to prevent their being started.

6.4 CONTROL ROOM PARAMETER DISPLAY

Failure of H2 would result in several spurious alarm signals (contact closures) and meter indications. Assuming that the control room alarm/annunciator circuits are powered separately from H2, low RCP seal dP would be alarmed for all seals. Low and high seal injection and outlet flow rates would also be alarmed. Meter indication of seal dP, seal injection flow, and seal outlet flow indicate low (bottom of scale). In addition to the RCP seal related parameters, the meter indication of letdown flow would be low. All other indicators, alarms, and recorders would remain operable. Specific indication of the H2 failure may be available but has not been identified from available information.

Following the H2 failure the plant would continue to operate normally without operator intervention. Operator response to the spurious alarms and indications is difficult to assess due to contradictory information (e.g., high and low flow alarms). Possible responses include manually increasing seal injection flow, tripping the RCPs, and establishing natural circulation in the RCS.

Table 6.1 NNI auxiliary controls response to H2 power failure

1. 1HP11-FS
   Description: RCP interlock - low seal flow
   Effect: Interlock relays are deenergized. Cannot start pumps due to indicated low seal flow.

2. 1HP28-DPS4, 1HP28-DPS1, 1HP28-DPS3, 1HP28-DPS2
   Description: RCP interlock - low RCP B2, J1, A2, B1, SL #1, D/P
   Effect: Interlock relays are deenergized. RCP are deenergized.

3. 1HP11-E/P
   Description: Seal inlet header flow E/P converter
   Effect: Remains as is due to analog memory module.

7. EFFECTS OF ELECTRIC POWER BRANCH H4 CIRCUIT FAILURES ON ICS/NNI CIRCUITS

7.1 NNI CONTROL RESPONSE

H4 branch failure would not affect NNI control response. No change in operation would occur.

7.2 ICS CONTROL RESPONSE

H4 branch failure would not affect ICS control response. No change in operation would occur.

7.3 AUTOMATIC SYSTEM RESPONSE

The CFT pressure alarms and indicators are powered by branch circuits H3X and H4. No control circuits are powered by these power supplies, and consequently failure of H3X and/or H4 would not cause an immediate transient.

7.4 CONTROL ROOM PARAMETER DISPLAY

Failure of branch H4 would result in spurious CFT high- and low-pressure alarms and one of the two dual pressure meters failing low (bottom of scale). Operator response to these spurious indications and alarms is not expected to cause a plant transient.

Although redundant CFT level indications are provided in the control room (ref. 5), these circuits were not found in the CFT/NNI circuitry. Power sources for the CFT level circuitry could not be identified.

8. EFFECTS OF ELECTRIC POWER BRANCH H5 CIRCUIT FAILURES ON ICS/NNI CIRCUITS

8.1 NNI CONTROL RESPONSE

H5 branch power failure would not affect NNI control response. No change in operation would occur.

8.2 ICS CONTROL RESPONSE

H5 branch power failure would not affect ICS control response. No change in operation would occur.

8.3 AUTOMATIC SYSTEM RESPONSE

Branch circuit H5 powers waste disposal system display and alarms circuitry. No control circuits are powered by this power supply, and consequently failure of H5 would not cause an immediate transient.

8.4 CONTROL ROOM PARAMETER DISPLAY

Failure of H5 would result in quench tank temperature, pressure, and level being spuriously alarmed high and indicated low (bottom of scale). The normal reactor building (RB) sump level would be spuriously alarmed high and low and indicated low. Liquid and gaseous waste flows would be indicated low (bottom of meter scales), and the liquid waste recorder would stop. No operator actions affecting RCS operation are expected.

9. EFFECTS OF ELECTRIC POWER BRANCH H8 CIRCUIT FAILURES ON ICS/NNI CIRCUITS

9.1 NNI CONTROL RESPONSE

H8 branch power failure would not affect NNI control response. No change in operation would occur.

9.2 ICS CONTROL RESPONSE

H8 branch power failure would not affect ICS control response. No change in operation would occur.

9.3 AUTOMATIC SYSTEM RESPONSE

Branch circuit H8 powers RB pressure display and alarms circuitry. No control circuits are powered by this power supply, and consequently failure of H8 would not cause an immediate result.

9.4 CONTROL ROOM PARAMETER DISPLAY

Failure of branch circuit H8 would result in a spurious RB high pressure alarm, the RB pressure recorder stopping, and the RB pressure meter indicating low (bottom of scale). No operator actions are expected to result from this failure because there are alternate building pressure indications available through the ESPS.

10. EFFECTS OF ELECTRIC POWER BRANCH H CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF AUTO POWER)

The "auto power" branch H circuit feeds branch circuits H1 through H8. ICS/NNI instrumentation identified from available information utilized only branch circuits H1, H2, H4, H5, and H8. The instrumentation powered from branch circuits H3, H6, and H7 could not be identified.

10.1 NNI CONTROL RESPONSE

The NNI control responses to branch H failure have been listed in Tables 5.1 and 6.1 for failures of branches H1 and H2. Branches H4, H5, and H8 do not supply NNI control circuits. As discussed in Sects. 5.1 and 6.1, the pressurizer heater, spray block valve, and seal injection control valve would transfer to manual and remain in the operating state existing prior to the power failure. The PORV would close or remain closed.

10.2 ICS CONTROL RESPONSE

The ICS control responses to the branch H failure have been listed in Table 5.2 for failure of branch H1. Branches H2, H4, H5, and H8 do not supply ICS control circuits. The response of the ICS to a branch H failure, as discussed in Sect. 5.2, would be to transfer the reactor power, feedwater flow, and turbine throttle valve controls to manual. In this state the controlled devices cannot automatically respond to induced plant perturbations.

10.3 AUTOMATIC SYSTEM RESPONSE

As discussed above and in Sects. 5 and 6, failure of branch H is not expected to cause an immediate plant transient. However, upon failure of branch H many of the plant controls would transfer to manual and would be unable to respond automatically to induced plant perturbations.

The effect of such a perturbation is expected to be an automatic reactor and turbine trip followed by increasing steam generator level. Unless the main feedwater flow is manually throttled, the main feedwater pumps would be tripped automatically on steam generator high level and the emergency feedwater system would be initiated and controlled automatically.

10.4 CONTROL ROOM PARAMETER DISPLAY

Failure of branch H would result in a large number of spurious alarms and erroneous meter indications. These failed control room displays have been discussed in Sects. 5, 6, 7, 8, and 9.

In possible contrast to the above, branch H circuit failure is alarmed in the control room (ref. 8). With knowledge of the probable cause of the spurious alarms and indications, the operator would be expected to be capable of more rapid response to a possible reactor trip, including the manual throttling of main feedwater prior to a high-level, main feedwater pump trip.

11. EFFECTS OF ELECTRIC POWER BRANCH H1X CIRCUIT FAILURES ON ICS/NNI CIRCUITS

11.1 NNI CONTROL RESPONSE

NNI control response to H1X power failure is shown in Table 11.1. The pressurizer spray valve would remain in position at the time of power failure, and the pressurizer spray block valve would open. Pressurizer heater manual control would be lost, and the makeup flow control valve would function properly in automatic but would go to mid position if manual control were attempted. The degraded pressure control will lead to a slow pressure transient and possibly to reactor trip.

11.2 ICS CONTROL RESPONSE

ICS control response to H1X power failure is shown in Table 11.2. The turbine throttle valves could close if the turbine-header pressure sensor powered from H1X were selected. The turbine-bypass valves would close or remain closed due to loss of power to solenoid valves installed in the pneumatic lines between the electric-to-pneumatic (E/P) converters and the turbine-bypass valves' operators. Reactor power initially could increase, decrease, or remain constant depending on the change in indicated average reactor temperatures. This change would be determined by the temperature sensors selected for temperature control prior to the power failure. The main feedwater flow control valve would fail "as is" due to loss of power to the E/P converters, and the main feedwater pump speed probably would decrease due to a zero volt demand signal presented to the pump speed controller. The startup feedwater valve may open or close, depending on the input sensors selected, but would go to mid-position if the ICS hand control is placed in manual.

These control system responses are expected to result in a reactor trip due to spurious changes in reactor power resulting from degraded temperature signals and a probable decrease in feedwater flow rate resulting from the zero-volt main feedwater pump speed demand signal. Manual controls generally are disabled by failure of H1X. With the steam generators' pressure at 1050 psig (the lowest code safety valve lift pressure) and the main feedwater pump speed corresponding to the zero-volt signal, the main feedwater flow rate is expected to decrease to zero and the steam generators are expected to "dry out." Furthermore, unless the main feedwater pumps were manually tripped, automatic initiation of the emergency feedwater pumps would not be expected.

11.3 AUTOMATIC SYSTEM RESPONSE

Failure of the H1X branch circuit would cause a plant transient, probably resulting in reactor trip. The loss of H1X would result in a probable decrease in main feedwater pump speed (zero-volt speed demand

Table 11.1 NNI auxiliary controls response to H1X power failure

1. 1E3-PS3, 83/WO, 83/WC
   Description: Pressurizer spray valve E-V1
   Effect: Valve remains in position existing prior to power failure.
   Comments: Loss of power to 83/A and 83/WO and prevent automatic or manual operation.

2. 183/BHO-2, 18?/BHD-3, 183/Bl(1-4
   Description: Pressurizer heater banks 2, 3, 4
   Effect: Manual control loss. Automatic control expected to continue. Heaters would be deenergized if manual control was selected.
   Comments: Dwg. D8032341 missing, may be relevant.

3. None
   Description: SCR controlled pressurizer heater bank #1
   Effect: Heater bank #1 will be deenergized or remain deenergized.
   Comments: Loss of drive signal.

4. 1HP-25 E/P
   Description: Makeup flow control
   Effect: If manual control at ICS hand station selected, valve will open or close to mid-position.
   Comments: Auto control remains operable. Manual control at aux. shutdown panel or control room operable by manually transferring hand stations to KU power.

5. 83-L/SSV
   Description: Pressurizer spray block valve RC-V5
   Effect: Valve opens.
   Comments: Loss of power to 83-L/SSV.

Table 11.2 ICS control response to H1X power failure

1. IC10-#CS
   Description: Turbine throttle valve (83/TCV)
   Effect: Valve may close due to apparent loss of turbine header pressure if sensor with H1X power is selected.
   Comments: Sensor fails to 900 PSIA indicated; setpoint is 885 PSIG.

2. IMT6-E/P, IMT7-E/P, IMT13-E/P, IMT14-E/P
   Description: Turbine bypass valves
   Effect: Valves close due to deenergized solenoid valve isolating turbine bypass valves from instrument air supply.

3. RC18.13 (86-1/RPI, 86-1/RPD)
   Description: Reactor power
   Effect: Increases, holds, or decreases reactor power.
   Comments: Depends on temperature sensors selected and resulting increase, decrease, or constant value of Tavg.

4. IC36A-MCS, IC36B-MCS
   Description: Main feedwater pump speed
   Effect: Probable decrease in speed.
   Comments: Speed demand goes to 0 V value.

5. MFV-1A, MFV-1B
   Description: Main feedwater valve position
   Effect: Valves "freeze" as is.
   Comments: Loss of power to E/P.

6. ISSV2A-E/P, ISSV2B-E/P
   Description: Startup feedwater valve position
   Effect: Opens or closes in automatic depending on input sensors selected. 1/2 open when ICS hand control is put on manual.
   Comments: Manual control at aux. shutdown panel operable.

Note: Probable initial undercooling and/or overcooling transient due to control rod response to temperature signal failures.

signals in a 110-V range) and "freezing" the main feedwater control valves in position. Prior to reactor trip, if the H1X powered turbine-header pressure signal were selected, the turbine throttle valve would close. Depending on the selection of RCS inlet and outlet temperature signals to the Tavg circuitry, the reactor power initially may be automatically increased, decreased, or remain constant.

Pressurizer heaters would be deenergized due to a spurious low-level interlock signal, and the pressurizer spray would continue either off or on depending on the spray valve position prior to the H1X failure. The pressurizer level control would operate properly in automatic but would drive the makeup control valve to mid position if manual control were selected.

The freezing of the main feedwater control valve, the zero-volt feedwater pump speed signal, possible throttling of the turbine, and an increase or decrease in reactor power would be expected to lead to an automatic reactor trip. With the reactor and turbine tripped and the turbine bypass valves closed, feedwater flow would decrease to zero due to the decreased feedwater pump speed and the increased steam generator pressure. However, since the main feedwater pumps are not tripped, automatic initiation of the emergency feedwater system would not occur even if the steam generators were dry.

11.4 CONTROL ROOM PARAMETER DISPLAY

Failure of H1X would result in spurious high and low turbine-header pressure and pressurizer level alarms, steam generators A and B operate-range low-level alarms, and RCS hot-leg high-temperature and cold-leg dT alarms.

The several deenergized (bottom of scale indication) indicators and indicators with deenergized inputs could be interpreted to indicate a significant plant transient. The turbine header, steam generator pressure indicators, steam generator full-range and startup-range level indicators, feedwater flow indicators and the RCS loop A and B hot-leg and cold-leg temperature indicators would fail low. The Tavg indicators, while energized, may have failed inputs depending on manual selection.

Specific alarm or indication of the H1X power failure has not been identified from available information.

The immediate operator response to the misinformation displayed in the control room is difficult to assess. If the operator takes no action, the transient would result in steam generator dryout and termination of secondary heat removal from the RCS as described in Sect. 11.3. The spurious indications and alarms, however, may suggest a steam line break or similar transient. Possible near-term operator responses may include manually tripping the reactor and turbine, manually initiating emergency HPI, manually initiating emergency feedwater, and/or tripping the main feedwater pumps.

With the operable steam generator startup-level indications available through the emergency feedwater control system, and the operable, H-EL powered, steam generator operate-range indications, the operator would be expected to manually initiate the emergency feedwater system and allow automatic control of steam generator level. Assuming that HPI were initiated, the operator would be expected to throttle HPI flow based on the operable pressurizer level indications and corroborated core subcooling indications (assuming emergency feedwater has been initiated). The manual initiation of HPI, however, may result in opening the pressurizer safety valves prior to throttling HPI due to the closed PORV (the PORV will close or remain closed due to the failure of H1X).

12. EFFECTS OF ELECTRIC POWER BRANCH H2X CIRCUIT FAILURES ON ICS/NNI CIRCUITS

12.1 NNI CONTROL RESPONSE

NNI response to H2X branch power failure is summarized in Table 12.1.

Failure of branch H2X results in the automatic transfer of the power source for the deenergized makeup, letdown, and RCP seal injection control valves' E/P converters to panelboard KU. This transfer permits continued automatic control of the seal injection and makeup flow rates and manual control of the normally closed letdown valve.

12.2 ICS CONTROL RESPONSE

ICS response would not be affected by H2X power failure and normal control system operation would continue.

12.3 AUTOMATIC SYSTEM RESPONSE

Failure of branch H2X would not cause an immediate plant transient. However, the letdown flow would be transferred automatically to the letdown storage tank (LST).

12.4 CONTROL ROOM PARAMETER DISPLAY

Spurious alarms resulting from the H2X failure indicate a high- and low-level LST. If the LST level transmitter LT-2 were selected, the control room meter would indicate low level. The operator may manually select transmitter LT-1 for indication, and the output of the deenergized and operable transmitter would be available through the plant computer. It is not known whether the H2X failure is alarmed in the control room from available information.

Due to the contradictory information available to the operator, manual actions following an H2X failure are uncertain. The operator may choose to isolate makeup and letdown and/or provide an alternate supply of water to the HPI pumps from the BWST.

Table 12.1 NNI auxiliary controls response to H2X power failure

1. 1HP25-E/P
   Description: Makeup flow control
   Effect: Power source to E/P converter transferred to panelboard KU.
   Comments: Power source for E/P transducer is transferred automatically to panelboard KU to allow continued automatic control.

2. 1HP3-E/P
   Description: Letdown flow control
   Effect: Power source to E/P converter transferred to panelboard KU.
   Comments: Power source for E/P transducer is transferred automatically to panelboard KU to allow manual control.

3. 1HP11-E/P
   Description: Pump seal inlet header flow
   Effect: Power source to E/P converter transferred to panelboard KU.
   Comments: Power source for E/P transducer is transferred automatically to panelboard KU to allow continued automatic control.

4. 1HP14-LS2
   Description: Low LST level
   Effect: Unknown

5. 1HP14-LR
   Description: Contact open or contact close low storage tank level to HP-V10
   Effect: Letdown flow automatically transferred to the LST.

13. EFFECTS OF ELECTRIC POWER BRANCH H3X CIRCUIT FAILURES ON ICS/NNI CIRCUITS

13.1 NNI CONTROL RESPONSE

H3X branch failure would not affect NNI controls, and normal operation would continue.

13.2 ICS CONTROL RESPONSE

H3X branch failure would not affect ICS controls, and normal operation would continue.

13.3 AUTOMATIC SYSTEM RESPONSE

Branch circuit H3X powers CFT A and B pressure displays. No control circuits are powered by this power supply, and consequently failure of H3X would not cause an immediate transient.

13.4 CONTROL ROOM PARAMETER DISPLAY

Failure of branch H3X would result in one of two dual meters failing low and indicating low (bottom of scale) pressure in CFT A and B. Since the operator can corroborate the operable redundant dual meter reading with high RCS pressure, immediate operator intervention, causing a plant transient, would not be expected.

14. EFFECTS OF ELECTRIC POWER BRANCH HX CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF HAND POWER)

14.1 NNI CONTROL RESPONSE

Failure of the HX branch circuit would deenergize H1X, H2X, and H3X power. The effect on NNI control response would be the combination of effects described in Sects. 11.1 and 12.1; the H3X branch circuit does not power any NNI control circuit. The net result would be freezing the pressurizer spray valve in position and transferring the makeup valve to manual, with the valve remaining in an "as is" position.

14.2 ICS CONTROL RESPONSE

HX branch circuit failure would affect ICS control response through H1X power failure as described in Sect. 11.2. There would be a probable reactor trip due to either the RCS temperature sensor selection at the time of the power failure and/or the expected change in main feedwater flow rate. Following reactor trip, feedwater at a reduced flow rate is expected to continue until manually tripped or automatically tripped by steam generator high level. Emergency feedwater would be initiated and controlled automatically.

14.3 AUTOMATIC SYSTEM RESPONSE

Failure of the HX branch circuit would result in an immediate plant transient as discussed above and in Sects. 11 and 12. Depending on the manual selection of input signals, the turbine throttle valve may close, the control rods would be either inserted or withdrawn, and the turbine bypass valves would close. The main feedwater flow would be expected to be reduced and the main feedwater control valves "frozen" in position.

The makeup and letdown control valves would transfer to manual control and remain in position, and the letdown flow would automatically transfer to or continue to flow to the LST. The PORV would close or remain closed, but the pressurizer spray block valve and pressurizer heaters would remain in the operating state existing prior to the power failure.

The spurious control actions described above are expected to result in a rapid reactor and turbine trip. The steam generator levels are expected to increase at a rate dependent on the reduced capacity of the main feedwater pumps with a zero-volt speed demand signal. The increasing level in the steam generator would be expected to close the startup feedwater control valves and subsequently the main block valves. This would result in either automatic control of main feedwater or a high-level feedwater pump trip and automatic initiation and control of emergency feedwater.

14.4 CONTROL ROOM PARAMETER DISPLAY

The spurious alarms and indications resulting from an HX failure have been discussed in Sects. 11.4, 12.4, and 13.4, for the failure of H1X, H2X, and H3X, respectively. In the case of an HX failure, however, the operator is alerted to the situation by the ICS hand power failure alarm (ref. 8). With knowledge of the HX failure, the operator is expected to be able to rapidly mitigate the transient and establish manual control.

Actions the operator may take include manually tripping the main feedwater pumps and manually controlling makeup flow, pressurizer heaters, and spray valve by manually transferring their NNI/ICS power supplies to the KU panelboard.
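The roll-up used in Sects. 10 and 14, where a feeder failure (H or HX) is treated as the combination of its sub-branch failures, can be written as a small dependency model. The Python below is an added example, not part of the original report: the per-branch flags are transcribed from the section texts, and the names BranchEffect, roll_up, and silent_control_failures are illustrative assumptions.

```python
"""Added example: roll branch-level FMEA findings up to a feeder failure."""
from dataclasses import dataclass

# Feeder -> sub-branches, as stated in Sects. 10 and 14.
FEEDS = {
    "H": ["H1", "H2", "H3", "H4", "H5", "H6", "H7", "H8"],  # "auto power"
    "HX": ["H1X", "H2X", "H3X"],                            # "hand power"
}


@dataclass(frozen=True)
class BranchEffect:
    nni_control: bool          # NNI control circuits affected
    ics_control: bool          # ICS control circuits affected
    immediate_transient: bool  # failure by itself causes a plant transient
    displays: str              # control room displays lost or spurious


# Findings per branch, transcribed from the report's section texts.
# H3, H6 and H7 are absent on purpose: their loads could not be identified.
EFFECTS = {
    "H1": BranchEffect(True, True, False, "pressurizer level, Tavg, SG startup level"),
    "H2": BranchEffect(True, False, False, "RCP seal dP and flows, letdown flow"),
    "H4": BranchEffect(False, False, False, "CFT pressure"),
    "H5": BranchEffect(False, False, False, "quench tank, RB sump, waste flows"),
    "H8": BranchEffect(False, False, False, "RB pressure"),
    "H1X": BranchEffect(True, True, True, "turbine header, SG and RCS indications"),
    "H2X": BranchEffect(True, False, False, "LST level"),
    "H3X": BranchEffect(False, False, False, "CFT A and B pressure"),
}

# Failures the report says are alarmed in the control room (ref. 8).
# "Not identified from available information" is modelled as not alarmed.
ALARMED = {"H", "HX"}


def deenergized(branch):
    """Return every leaf branch that loses power when `branch` fails."""
    subs = FEEDS.get(branch)
    if subs is None:
        return [branch]
    leaves = []
    for sub in subs:
        leaves.extend(deenergized(sub))
    return leaves


def roll_up(branch):
    """Combine the sub-branch findings the way Sects. 10 and 14 do."""
    leaves = deenergized(branch)
    known = [b for b in leaves if b in EFFECTS]
    return {
        "deenergized": leaves,
        "nni_control_from": [b for b in known if EFFECTS[b].nni_control],
        "ics_control_from": [b for b in known if EFFECTS[b].ics_control],
        "immediate_transient": any(EFFECTS[b].immediate_transient for b in known),
        "displays": {b: EFFECTS[b].displays for b in known},
        "unidentified_loads": [b for b in leaves if b not in EFFECTS],
        "alarm_identified": branch in ALARMED,
    }


def silent_control_failures():
    """Failures that affect control circuits but have no identified alarm."""
    hits = []
    for branch in list(FEEDS) + list(EFFECTS):
        result = roll_up(branch)
        affects_control = result["nni_control_from"] or result["ics_control_from"]
        if affects_control and not result["alarm_identified"]:
            hits.append(branch)
    return sorted(hits)


if __name__ == "__main__":
    for feeder in ("H", "HX"):
        print(feeder, roll_up(feeder))
    print("control affected, no identified alarm:", silent_control_failures())
```

The unidentified_loads entry keeps the report's open item visible: a feeder result is only as complete as the sub-branch loads that could be traced.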


15. EFFECTS OF ELECTRIC POWER BRANCH HEX CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF EMERGENCY POWER #2)

15.1 NNI CONTROL RESPONSE

One of three pressurizer level transmitters is powered from branch HEX. If this sensor is selected at the time of power failure, the control system would respond by opening the RCS makeup flow control valve. This would lead to an increase in pressurizer level and pressure. An operable transmitter could be selected manually at the signal-select hand station. (The effects of HEX power failure are listed in Table 15.1.)

15.2 ICS CONTROL RESPONSE

One steam generator startup-level transmitter in loop A and one in loop B are powered from HEX. If a sensor powered by HEX were selected at the time of power failure, the loop feedwater valve would open due to indicated low level in the steam generator. This would result in an overfeeding transient that could be corrected either by manually selecting the alternate sensor or transferring the ICS loop feedwater control to manual. This transient would be terminated automatically by feedwater pump trip on steam generator high level. The remaining two startup-level transmitters are powered from HEY (Sect. 16.2).

One of the two steam pressure transmitters on each steam line is powered from HEX. If the HEX powered transmitter(s) were selected for control at the time of the power failure, the turbine-bypass valves on the affected steam line would close or remain closed, with manual control available.

15.3 AUTOMATIC SYSTEM RESPONSE

Failure of the HEX branch circuit will deenergize one of two steam generator startup-level transmitters, one of two pressure transmitters on each steam generator, and one of three pressurizer-level transmitters.

If selected for plant control, the deenergized HEX powered level transmitter on each steam generator (LT-4 and/or LT-5) would generate a zero-volt signal (0- to +10-V range), opening the main feedwater control valves to that steam generator. Unless throttled, the increased feedwater flow to either steam generator would result in automatic trip of the main feedwater pumps, automatic initiation and control of the emergency feedwater pumps, and a reactor trip.

If the HEX powered, pressurizer-level transmitter (LT-1) were selected for plant control, the deenergized transmitter would generate a zero-volt signal (0- to V range), opening the makeup control valve and

Table 15.1 NNI auxiliary controls response to HEX power failure

1. 1HP-25 E/P
   Description: Makeup flow
   Effect: Makeup valve will close if pressurizer level transmitter LT-1 is selected.
   Comments: Pressurizer level indicates full if level transmitter LT-1 is selected. Manual control operable. Manual selection of operable level transmitters LT-2 or LT-3 for auto control is possible.

2. 183-1/PLL
   Description: Low-low pressurizer level heater bank 1
   Effect: Heater bank #1 will be cut off or interlock will be rendered ineffective if pressurizer level transmitter LT-1 is selected.

3. 183/PLL
   Description: Low-low pressurizer level heater bank 2, 3, 4
   Effect: Heater banks 2, 3, 4 will be cut off or interlock will be rendered ineffective if pressurizer level transmitter LT-1 is selected.

,. . deenergizing the pressurizer heaters through the low-level heater-interlock circuit. The continuous net transfer of coolant from the LST  :

j , to the RCS (pressurizer) would compress the steam in the pressurizer, increasing RCS pressure and opening the pressurizer spray block valve.

1

. Unless makeup flow were manually throttled, the reactor would trip on i.

o high pressure and the RC (liquid) would discharge through the PORV.

i The principal effect of the steam generator low-pressure signal, if selected, would be the defeat of the automatic operation g the turbine-bypass. valves in the affected loop.

15.4 CONTROL ROOM PARAMETER DISPLAY ,

Failure of HEX would result in the signal inputs to several alarms and indicators failing low if selected. '
. If the transmitters powered by HEX were selected when HEX failed, steam l generator low startup level and pressurizer low level would be alarmed

. spuriously. The " selected" steam generator A and/or B startup level and selected pressurizer level meters would indicate low level. The selected steam generator A and/or B pressure meters would indicate low pressure. The pressurizer level meter and the steam generator A i startup-level on the auxiliary shutdown panel would also indicate low i

level (the pressurizer level and steam gene ~ator A startup-level signals j

are powered by HEX only).

4 .

The HEX power failure apparently is alarmed in the control room (ref. 8).

This alare is expected to be instrumental in the identification of the cause of'the possible transient and subsequent recovery actions.

i 1 Although the transient possibly resulting from the HEX power failure ,

could be terminated by the operator's manually selecting the alternate energized transmitter, the operator must identify the power failure before responding to the spurious alarms and indications. Due to the 4

HEX power failure alarm, and the limited number.of spurious alarms, j effective operator intervention is possible. The operator may rapidly compare a steam generator low startup level reading with the operable operate-range and full-range readings. This should provide sufficient information for the operator to select the alternato transmitter and/or i manually throttle the feedwater flow rate. In a similar manner the i . indicated steam generator low outlet pressure can be checked against 1

either the turbine-header pressure- transmitter output through the com-puter, or by sequential selection of redundant transmitters for comparison. _

l. A spurious pressurizer low-level reading can be checked against the out-
a puts of the two other ' pressurizer level. transmitters available through >

the computer. The operator may also sequentially select transmitters j LT-2 and LT-3 for comparison. The rapid drop of indicated pressurizer l

?

i t **

,~w

.-n+ ',e - - . =am--a,m--, ,y, -w.--w,e---w,g, r.,,,,- - -,n--,r --ee.- -..m--.- m-,.- ,- y -. +-e m' v- v t<sn w-w-- mn wn- s--- rn-o e-

64 level without a corresponding drop in RCP pressure should lead the oper-ator to suspect an incorrect output from the transmitter.

The consequences of the operator's failing to select an operable steam generator startup-level transmitter are limited to trip of the main feedwater pumps and automatic initiation and control of emergency feedwater.

If the operator takes no action in response to the pressurizer low-level indications, the eventual liquid discharge through the PORV may damage the valve, possibly failing it open. As the pressurizer is filled and the operator is alerted to the low level in the LST, the operator must throttle makeup flow or provide an alternate supply of water to the HPI pumps to prevent damage to the operating HPI pump. Failure of the operator to select a correct steam generator pressure transmitter would result in the turbine-bypass valves remaining closed and lifting of the main steam safety valves following turbine trip.


16. EFFECTS OF ELECTRIC POWER BRANCH HEY CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF EMERGENCY POWER #1)

16.1 NNI CONTROL RESPONSE

One of three pressurizer level transmitters is powered from branch HEY. If this sensor were selected at the time of power failure, the control system would respond by opening the RCS makeup flow control valve. This would lead to an increase in pressurizer level and pressure. An operable transmitter can be selected manually at the signal-select hand station. Auxiliary control responses to a HEY power failure are presented in Table 16.1.

16.2 ICS CONTROL RESPONSE

One steam generator startup-level transmitter in loop A and one in loop B are powered from HEY. If a sensor powered by HEY were selected at the time of power failure, the loop feedwater valve would open due to indicated steam generator low level. This would result in an overfeeding transient that could be corrected by either manually selecting the alternate sensor or transferring the ICS loop feedwater control to manual. This transient would be terminated automatically by feedwater pump trip on steam generator high level.

One of the two steam pressure transmitters on each steam line is powered from HEY. If the HEY-powered transmitter(s) were selected for control at the time of the power failure, the turbine-bypass valves on the affected steam line would close or remain closed, with manual control available.

16.3 AUTOMATIC SYSTEM RESPONSE

Failure of the HEY branch circuit may deenergize one of two steam generator startup-level transmitters, one of two pressure transmitters on each steam generator, and one of three pressurizer level transmitters, depending on the sensor selected for use. Branch circuits HEX and HEY each power one of the redundant pressurizer-level and one of the loop A and loop B steam generator-level and pressure transmitters. Thus, if the HEY-powered transmitters were selected, the response of the plant would be identical to that described for HEX power failure (see Sect. 15.3).

16.4 CONTROL ROOM PARAMETER DISPLAY

The HEY failure would result in the signal inputs to several alarms and indicators failing low if selected.

Table 16.1 NNI auxiliary controls response to HEY power failure

| Item | Output identification | Description | Effect | Comments |
|------|-----------------------|-------------|--------|----------|
| 1 | 1HP-25 E/P | Makeup flow control | Makeup valve will close if pressurizer level transmitter LT-2 is selected. | Pressurizer level indicates full if level transmitter LT-2 is selected. Manual control operable. Manual selection of operable level transmitters LT-1 or LT-3 for auto control is possible. |
| 2 | 183-NPLL | Low-low pressurizer level heater bank 1 | Heater bank 1 will be cut off or interlock will be rendered ineffective if pressurizer level transmitter LT-2 is selected. | |
| 3 | 183/PLL | Low-low pressurizer level heater bank 2, 3, 4 | Heater banks 2, 3, 4 will be cut off or interlock will be rendered ineffective if pressurizer level transmitter LT-2 is selected. | |


If the transmitters powered by HEY were selected when HEY failed, steam generator low startup level and pressurizer low level would be alarmed spuriously. The "selected" steam generator A and/or B startup level and selected pressurizer level meters would indicate low level. The selected steam generator A and/or B pressure meters would indicate low pressure. The steam generator B startup-level meter on the auxiliary shutdown panel would also indicate low level. (The steam generator B startup-level signal input to the auxiliary shutdown panel is powered by HEY only.)

The HEY power failure apparently is alarmed in the control room (ref. 8).

Similar to the HEX power failure case, a transient resulting from an HEY power failure could be terminated. The possible operator responses to spurious alarms and indications caused by an HEY power failure are identical to those described for the HEX power failure (see Sect. 15.4).

17. EFFECTS OF ELECTRIC POWER BRANCH H-EL CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF EMERGENCY STEAM GENERATOR LEVEL CONTROL POWER)

17.1 NNI CONTROL RESPONSE

H-EL power failure does not affect NNI control system response or operation.

17.2 ICS CONTROL RESPONSE

One channel of steam generator operate level in each loop is powered from branch H-EL. These sensors are shown to be connected so that H-EL power failures automatically transfer ICS inputs to sensors powered from H1X. No change in ICS response or control functions would result.

17.3 AUTOMATIC SYSTEM RESPONSE

Failure of the H-EL branch circuit would have a minor effect on the operation of the plant. The only immediate effect would be to deenergize the E/P transducers for the startup feedwater valve. This would "freeze" the loop A and B valves in position. Although this failure would have no net impact during high power operation (greater than approximately 20% power), it could affect operation following plant shutdown. If the plant were tripped, the startup valves would not close to maintain the steam generator shutdown level and the main feedwater control-valve block valve would not close automatically. If the block valves for the startup and main feedwater control valves were not manually closed, the levels of the steam generators would continue to rise slowly. Eventually the main feedwater pumps would be tripped automatically on steam generator high level, and the emergency feedwater system would be automatically initiated and controlled (the high-level trip function would be performed by the H1X powered, operate-range level transmitters in each loop).

17.4 CONTROL ROOM PARAMETER DISPLAY

The selected loop A and B steam generator operate-range level recorders and the steam generator A and B downcomer temperature meters have inputs powered from H-EL or H1X.

The H-EL power failure apparently is alarmed in the control room (ref. 8).

The two contact switches per loop used to select the H1X- or H-EL-powered transmitter input are positioned to allow an automatic transfer to the energized transmitter in the event of power failure. Thus, the operate-range level displayed on the level recorder would be correct following an H-EL failure, and the high-level alarms would be operable. The existence of an H-EL power failure alarm and high-level alarms enhances the operator's ability to rapidly identify the transient cause and manually take appropriate action following reactor shutdown.


18. EFFECTS OF ELECTRIC POWER PANELBOARD KI CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF ICS POWER)

18.1 NNI CONTROL RESPONSE

Panelboard KI failure would result in loss of branch circuits H, HX, HEX, HEY, and H-EL. As described in Sect. 10.1, 14.1, 15.1, 16.1, and 17.1, makeup flow, pressurizer heater, and spray valve would initially switch to manual. The pressure-operated relief valve would close or remain closed. Selected manual control station power sources would be switched automatically from panelboard KI to panelboard KU. The operator would be able to manually position the makeup flow control valves from the control room or auxiliary shutdown panel, pressurizer heater bank 2 from the auxiliary shutdown panel, and, if required, position the pressure-operated relief valve and spray valve from the control switches in ICS Cabinet 13.

18.2 ICS CONTROL RESPONSE

Panelboard KI failure would result in loss of branch circuits H, HX, HEX, HEY, and H-EL. A loss-of-feedwater transient would occur due to a spurious steam generator high-level trip of the main feedwater pumps, reactor, and turbine. There would be an automatic initiation and control of emergency feedwater. Selected manual-control stations would be switched automatically from panelboard KI to panelboard KU. This would allow the operator to manually position the turbine-bypass valves from the auxiliary shutdown panel. (The position of the valves prior to manual control is unknown. Since the power supplies for the E/P converters and interposed solenoid valves are automatically transferred to KU, the turbine-bypass valves would be in manual and may be open if open at the time of power supply failure.)

18.3 AUTOMATIC SYSTEM RESPONSE

The response of the plant to a failure of panelboard KI (including all branch circuits) would be a loss-of-main-feedwater transient, combined with makeup flow, pressurizer heater (group 2), PORV, spray valve, and turbine-bypass valve controls switching to manual. Failure of KI would result in a spurious steam generator high-level trip of the main feedwater pumps due to the ICS high steam generator level bistables being deenergized, followed by reactor and turbine trip. There would be an automatic initiation and control of emergency feedwater.

Selected manual-control station power sources would be switched automatically from panelboard KI to KU. This allows the operator to manually position makeup-flow control valves from the control room, the turbine-bypass valves and pressurizer heater bank 2 from the auxiliary shutdown panel and, if required, position the PORV and spray valve from ICS Cabinet 13 control switches. The RC pump-seal injection control-valve controls are transferred to KU, which results in continued automatic control of seal injection flow.

Following the reactor trip, the steam generator level would be controlled by the emergency feedwater control instrumentation and steam generator pressure would be controlled by the main steam safety valves.

The makeup control valve would not change position, and its control would transfer to manual. Although the pressurizer level would initially decrease due to the reactor trip, the level would be expected to stabilize. Pressurizer heaters would be deenergized (or remain deenergized). The spray valve is expected to remain closed but would remain open if it were open at the time of the power failure, and a slow RCS depressurization would result.

18.4 CONTROL ROOM PARAMETER DISPLAY

Following loss of the KI panelboard, a majority of the control room alarms would be spurious (assuming that the specific control room alarm annunciators are powered separately from KI). In addition, the majority of the control room meter indications, recorders, and computer parameter displays would be erroneous.

In spite of the numerous spurious alarms and indications presented to the operator, the operator would be expected to rapidly diagnose the problem as a major power supply failure. By checking the ICS inverter (KI) trouble alarm and alarms of the major ICS branch circuits (H, HX, HEX, HEY, H-EL), the operator should recognize the loss of the panelboard and refer to the specific emergency procedure on loss of KI bus.

The emergency procedure directs the operator to verify automatic actions, manually control pressurizer level (makeup and letdown), and attempt to reenergize the ICS/NNI. The procedure directs the operator to use specific controls and indications powered by vital power supplies (KVIA-KVID) and the computer panelboard KU. By following the emergency procedure, the operator would be expected to maintain the plant in a stable shutdown state.

If the operator fails to recognize the KI failure, the possible actions he may or may not take are speculative. If the operator takes no action, the pressurizer level would slowly increase or decrease and, if the pressurizer spray valve were "frozen" in an open position, the RCS pressure would slowly decrease. The reactor response to operator actions depends on how and to which alarms he responds.

19. EFFECTS OF ELECTRIC POWER PANELBOARD KU CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF COMPUTER POWER)

19.1 NNI CONTROL RESPONSE

Original NNI/ICS designs indicate that NNI controls do not use power from panelboard KU. Information received from Duke Power Company indicates that the power source for pressurizer-level transmitter LT-3 has been changed to panelboard KU. In this case, the reactor coolant makeup valve would close if pressurizer-level transmitter LT-3 were selected at the time of panelboard KU power failure. Manual control of the valve is operable, and automatic control could be restored by manual selection of one of the other two pressurizer-level transmitters.

19.2 ICS CONTROL RESPONSE

ICS controls do not use power from panelboard KU unless there is a failure of panelboard KI. Therefore, single failure of KU would not affect ICS controls or response.

19.3 AUTOMATIC SYSTEM RESPONSE

Failure of the KU panelboard may cause a plant transient if the KU powered pressurizer level transmitter (LT-3) were selected for plant control. If this transmitter were selected, the makeup valve would be opened and the pressurizer heaters deenergized. Unless the operator manually throttled makeup flow, the pressurizer level would continue to increase, eventually resulting in initiating pressurizer spray, tripping the reactor, and opening the PORV.

19.4 CONTROL ROOM PARAMETER DISPLAY

Upon loss of the KU panelboard, assuming that the KU powered pressurizer level transmitter were selected, pressurizer low level would be alarmed and indicated. The pressurizer level output could be compared to the alternate level outputs by sequential selection of the three transmitters or the auxiliary shutdown panel indication (LT-1).

Specific indication or alarm of the KU failure could not be identified from available information. However, an emergency procedure for loss of the plant computer apparently exists (ref. 13).

If the operator takes no action in response to this possible transient, the pressurizer would fill and the LST level would be alarmed low. The operator must throttle makeup flow or provide an alternate source of water to the HPI pumps to prevent damage to the operating pump.

Auxiliary control responses to a KU panelboard power failure are listed in Table 19.1.

Table 19.1 NNI auxiliary controls response to panelboard KU power failure

| Item | Output identification | Description | Effect | Comments |
|------|-----------------------|-------------|--------|----------|
| 1 | 1HP-25 E/P | Makeup flow | Makeup valve will close if pressurizer level transmitter LT-3 is selected. Manual control operable. | Pressurizer level indicates full if level transmitter LT-3 is selected. Manual selection of operable level transmitters LT-1 or LT-2 for auto control is possible. |
| 2 | 183-1/PPL | Low-low pressurizer level heater bank 1 | Heater bank 1 will be cut off or interlock will be rendered ineffective if pressurizer level transmitter LT-3 is selected. | |
| 3 | 183/PLL | Low-low pressurizer level heater bank 2, 3, 4 | Heater banks 2, 3, 4 will be cut off or interlock will be rendered ineffective if pressurizer level transmitter LT-3 is selected. | |
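The power dependencies and transmitter cross-checks described in Sects. 15 through 19 can be modelled as below. This is an added example, not part of the original report: the assignment of LT-1 to branch HEX is an assumption inferred from Sects. 15.4 and 19.4, and the level readings, the 5% tolerance, and all function names are constructed for illustration.

```python
"""Added example: pressurizer level transmitter power dependencies."""

# Panelboard-to-branch feeds as stated in Sect. 18.1 of the report.
FEEDS = {"KI": ["H", "HX", "HEX", "HEY", "H-EL"], "KU": []}

# LT-2 on HEY (Table 16.1) and LT-3 on KU (Sect. 19.1) are from the report.
# LT-1 on HEX is an ASSUMPTION inferred from Sects. 15.4 and 19.4.
TRANSMITTER_SOURCE = {"LT-1": "HEX", "LT-2": "HEY", "LT-3": "KU"}


def lost_sources(failed):
    """Return the failed source and every branch circuit fed from it."""
    lost = {failed}
    for branch in FEEDS.get(failed, []):
        lost |= lost_sources(branch)
    return lost


def assess(failed, selected):
    """Summarise what a power failure does to the selected level signal."""
    lost = lost_sources(failed)
    dead = sorted(t for t, src in TRANSMITTER_SOURCE.items() if src in lost)
    alternates = sorted(
        t for t in TRANSMITTER_SOURCE if t not in dead and t != selected
    )
    return {
        "deenergized": dead,
        "selected_signal_fails_low": selected in dead,
        "operable_alternates": alternates,
    }


def vote(readings, tolerance=5.0):
    """Flag transmitters that disagree with the median reading.

    This mirrors the comparison of redundant transmitters. It is only
    trustworthy while at most one of the three channels has failed.
    """
    ordered = sorted(readings.values())
    median = ordered[len(ordered) // 2]
    return sorted(t for t, v in readings.items() if abs(v - median) > tolerance)


def suspects(readings, power_alarm=None, tolerance=5.0):
    """Prefer the power-failure alarm over voting when one is present."""
    if power_alarm is not None:
        return assess(power_alarm, selected=None)["deenergized"]
    return vote(readings, tolerance)


# Constructed readings in percent of span; a de-energized channel reads 0.
SINGLE_BRANCH_LOSS = {"LT-1": 55.0, "LT-2": 0.0, "LT-3": 54.0}
PANELBOARD_KI_LOSS = {"LT-1": 0.0, "LT-2": 0.0, "LT-3": 54.0}

if __name__ == "__main__":
    print(assess("HEY", selected="LT-2"))
    print(vote(SINGLE_BRANCH_LOSS))            # voting isolates LT-2
    print(vote(PANELBOARD_KI_LOSS))            # voting blames healthy LT-3
    print(suspects(PANELBOARD_KI_LOSS, "KI"))  # alarm-informed result
```

When two of the three channels are lost to a common panelboard, median voting flags the one healthy transmitter, which is why the branch and panelboard power-failure alarms matter for diagnosis.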


20. EFFECTS OF ELECTRIC POWER BRANCH KI-10 CIRCUIT FAILURES ON ICS/NNI CIRCUITS (FAILURE OF RCS NARROW-RANGE PRESSURE TRANSMITTER POWER)

20.1 NNI CONTROL RESPONSE

The original system design for Oconee provided the narrow-range pressure signal used for the PORV and pressurizer heater control from one channel of the reactor protection system (RPS). Information received from Duke Power Company indicates that the normal RCS pressure input to the ICS/NNI is from a non-Class 1E transmitter powered from branch circuit KI-10. In Table 20.1, the specific response of the control circuits with RCS pressure inputs are listed for failure of branch KI-10.

A KI-10 branch circuit failure will result in a zero-volt RCS pressure signal input to the PORV, spray valve, and pressurizer heater control circuits. This could result in the heaters being energized and the PORV and spray valve being closed. In the event this failure occurred, the operator would be able to manually control the indicated devices.

20.2 ICS CONTROL RESPONSE

The ICS does not use RCS narrow-range pressure for control. The ICS would continue to maintain effective control of steam pressure and feedwater flow rate following the expected reactor trip.

20.3 AUTOMATIC SYSTEM RESPONSE

The automatic response of the plant to a zero-volt RCS pressure signal would be to energize the pressurizer heaters and close the PORV and the spray block valve. The resulting increase in RCS pressure would be expected to result in a high pressure reactor trip and lifting of the pressurizer code safety valves.

20.4 CONTROL ROOM PARAMETER DISPLAY

The effect of deenergizing the RCS pressure transmitter results in a recorded and alarmed low RCS pressure in the control room and indicated low pressure on the shutdown panel meter. The expected high-pressure reactor trip and indicated and alarmed low RCS pressure should prompt the operator to compare the spurious low RCS pressure indications with 1E narrow-range RCS pressure signals. Once the spurious signal is identified, the operator may manually control the pressurizer heaters, spray valve, and PORV, if required, or transfer to the 1E signal from the RPS for automatic control.

Table 20.1 NNI auxiliary controls response to branch KI-10 power failure

| Item | Output identification | Description | Effect | Comments |
|------|-----------------------|-------------|--------|----------|
| 1 | 1RC3-PS8, 27/H1-RP | PORV (relief valve RC-RV3, RC-V66) | PORV will close or remain closed. | Zero-V narrow-range pressure signal is expected to be below "open" setpoint pressure. Manual control operable. |
| 2 | 1RC3-PS5, 1RC3-PS6, 1RC3-PS7 | Pressurizer heaters | Heater banks 1, 2, 3, & 4 may be energized due to low indicated RCS pressure. | Zero-V narrow-range pressure signal should be compared to setpoints for heater banks 1, 2, 3, & 4. Manual control operable. |
| 3 | 1RC3-PS3 | Pressurizer spray valve (RC-V1) | Spray valve will close due to low indicated RCS pressure. | Zero-V narrow-range pressure signal should be compared to spray valve setpoint. Manual control operable. |

If the operator takes no action, RCS pressure will be limited by the pressurizer code safety valves if required. Continued discharge through the safety valves will result in heatup and pressurization of the quench tank. Quench tank temperature is alarmed. Pressurizer level is maintained automatically by the makeup valve controls.


21. RESPONSE TO DUKE POWER COMPANY COMMENTS

An interim report addressing the automatic responses of the ICS/NNI control circuits in response to power supply failures (ref. 15) was prepared by Science Applications, Inc. (SAI). This interim report was sent to Duke Power Company for review and comments. The substance of their comments has been incorporated in this extensively rewritten and expanded final report.

Specific responses to Duke Power Company comments are provided below. The page and table number references have been deleted since they refer to earlier drafts of the report numbering and are not applicable here.

21.1 LETTER FROM R. L. GILL (DUKE POWER COMPANY) TO A. P. MALINAUSKAS (ORNL) JANUARY 5, 1984

Comment 1: The valve should be called pressurizer spray valve [versus spray block valve].

Response: The nomenclature has been revised (p. 36).

Comment 2: The unit for steam generator pressure is psig.

Response: The units have been revised from psia to psig (p. 18).

Comment 3: Sentence should read "Thus a fault in the circuits ... or the circuit breaker in the auto power branch ..."

Response: The sentence was corrected to include the fact that protection is also provided by the circuit breaker in the auto power branch. See Sect. 4 (p. 31).

Comment 4: The fuse for branch H2 is a 10-A fuse.

Response: Table 4.1 reflects the 10-A fuse rating (p. 33).

Comment 5: The valve described is the pressurizer spray valve [versus spray block valve].

Response: The nomenclature has been revised (Item 2, Table 5.1) (p. 50).

Comment 6: The statement is made:

"Although the operator would be able to position these devices, it is not known whether he would have adequate plant status information to maintain effective control."

Duke considers that adequate plant status information to maintain effective control is available. The basis for this is as follows:

Following both the 1979 Oconee 3 incident and the 1980 Crystal River III incident, Duke undertook an extensive investigation of the Oconee instrumentation system design. Commitments were made in Duke letters to the NRC dated March 24, March 28, and April 14, 1980. By confirmatory order dated April 17, 1980, the NRC agreed with the committed actions and concluded that they "should reduce the probability of a similar future power loss causing unexpected plant responses and allow the plant operator to better cope with losses of instrumentation and control functions."

The details of the committed actions were included in Duke letter dated July 23, 1980, a copy of which has been previously provided to ORNL.

We believe that the above statement should be revised to clearly reflect the above conclusion.

Response: The quoted statement was made in an interim report prior to the analysis of the response of indicators and alarms to power supply failures. This final report specifically addresses the responses of both indicator and alarm circuits and control circuits to failures of panelboard KI, KU, and circuits fed from these panelboards.

Based on our analysis, we concur with the quoted NRC evaluation, which refers to a loss of panelboard KI (ref. 14). As addressed in Sect. 18, the transient resulting from a loss of KI is stabilized automatically, the loss of the panelboard is alarmed specifically, and the operator is given clear and detailed guidance on the actions to be taken in the subsequent recovery in the emergency procedure "Loss of KI Bus" (ref. 8). However, we could not identify similar alarms and emergency procedures for failures of many of the circuits fed from panelboard KI. We believe that alarms and emergency procedures for these circuits would be useful to the operator in recovering from circuit failures, as indicated in Sect. 2, Item 4. For further discussion of control room annunciators and displays, see Sects. 5.4, 6.4, 7.4, 8.4, 9.4, 10.4, 11.4, 12.4, 13.4, 14.4, 15.4, 16.4, 17.4, 18.4, 19.4, and 20.4.

21.2 LETTER FROM K. S. CANADY (DUKE POWER COMPANY) TO A. P. MALINAUSKAS (ORNL), PAGE 7, FEBRUARY 18, 1985.

Comment 1: Narrow-range RCS pressure is normally used for NNI pressure control.

Response: In Fig. 1.1, the RCS narrow-range pressure input from the RPS was shown as "normally not selected." It is our understanding that the normal RCS narrow-range pressure sensor input for the NNI control circuits is part of the NNI and powered from panelboard KI (p. 3).

Comment 2: The procedure is for the loss of the computer, not for loss of KU.

Response: Table 2.2 and Sect. 19.4 have been modified to reflect a loss of plant computer procedure (p. 11).

Comment 3: CFR should be CFT in Table 2.2.

Response: "CFR" has been changed to "CFT" for branch circuit failure H4. Also "continued pump objection" was changed to "continued power operation" for branch circuit failure H3X (p. 10).

Comment 4: The unit for steam generator pressure is psig (Table 3.2).

Response: Turbine header and steam generator pressure units have been corrected. Also the "AT RCS loops A and B Tcold" have been corrected (p. 18).

Comment 5: A key to the symbols in Figs. 3.1 through 3.9 would be helpful.

Response: Sensors are designated by rectangles, modules or groups of modules by squares, and switches by hexagons. In each case, the branch circuit supplying power has been noted (p. 19-27).

Comment 6: The valve referenced in Item 2, Table 5.1 and Item 1, Table 11.1 is the pressurizer spray and not the pressurizer spray block valve. There are two valves in the pressurizer spray line: the pressurizer spray valve, which is under NNI control for pressure control, and the pressurizer spray block valve. Please revise the nomenclature in the whole report.

Response: References to the spray valve and spray block valve have been modified (p. 36, 50).

Comment 7: The operator response to an H1 power failure would be to maintain steady state conditions and attempt to restore H1. This would avoid unnecessary trips.

Response: This operator response has been added to Sect. 7.4 (p. 41).

Comment 8: Indication for RCS NR pressure can also be fed from RPS Channel A as the alternate source.

Response: The availability of this alternate power source has been included in Sect. 20.4 (p. 75).

REFERENCES

1. Casto, W. R., Selected Safety Related Events Reported in July and August 1978. Nuclear Safety, Vol. 19, No. 6, November-December 1978, pp. 765-767.
2. "Loss of Non-Class-1E Instrumentation and Control Power System During Operation," U.S. Nuclear Regulatory Commission IE Bulletin No. 74-77, November 30, 1979.
3. "Analysis and Evaluation of Crystal River-Unit 3 Incident," NSAC-31/INPO-1, March 1980.
4. "Transient Response of Babcock-Wilcox Designed Reactor (Draft)," NUREG-0667, April 2, 1980.
5. "Oconee Final Safety Analysis Report," Duke Power Company, July 1982.
6. Oconee 1 Integrated Control System (ICS) - Instruction Book, Bailey Meter Co., March 15, 1977.
7. Letter from R. L. Gill (Duke Power Company) to R. C. Kryter (ORNL), October 19, 1982.
8. Oconee Emergency Procedure EP/0/A/800/3, Loss of KI Bus (ICS Power), January 21, 1981.
9. Auxiliary Control System Schematic Diagram, Steam Supply, No. D8032344D, Bailey Meter Company, June 1978.
10. Letter from R. L. Gill (Duke Power Company) to A. P. Malinauskas (ORNL), January 5, 1984.
11. Letter from R. L. Gill (Duke Power Company) to James D. White (ORNL), February 1, 1984.
12. Oconee Line Diagrams 0-705 and 0-705-A, 120-V ac and 125-V dc Station Auxiliary Circuits and 120/240-V ac Station Auxiliary Circuits.
13. Letter from R. L. Gill and A. L. Lotts, Review of Draft Reports on the Project for Safety Implications of Control Systems, August 31, 1983.
14. Letter from William Parker to Harold Denton, Review of NUREG-0667, July 23, 1980.
15. Interim Report: Failure Modes and Effects Analysis for the ICS/NNI Electric Power Distribution Circuitry, August 26, 1983.

INTERNAL DISTRIBUTION

1. J. L. Anderson
2. S. J. Dall
3-7. R. E. Battle
8. R. J. Borkowski
9. N. E. Clapp
10. F. H. Clark
11. B. E. Eads
12. E. W. Hagen
13. A. P. Malinauskas
14. T. C. Morelock
15. G. A. Murphy
16. F. R. Mynatt
17. L. C. Oakes
18. O. L. Smith
19. R. S. Stone
20. R. S. Wiltshire
21. M. J. Kopp (Advisor)
22. P. F. McCrea (Advisor)
23. P. W. Murrill (Advisor)
24. H. M. Paynter (Advisor)
25. H. E. Trammel (Advisor)
26-27. Laboratory Records Department
28. Laboratory Records Department-RC
29. Laboratory Protection Division
30. ORNL Patent Section
31. ORNL Public Relations Office
32. I&C Publications Office

EXTERNAL DISTRIBUTION

33-37. D. L. Basdekas, Division of Engineering Technology, U.S. Nuclear Regulatory Commission, Washington, DC 20555
38. R. D. Dabba, Technology for Energy Corporation, P. O. Box 15202, Knoxville, TN 37901
39-42. Paul Guill, Nuclear Production Department, Duke Power Company, P. O. Box 33189, Charlotte, NC 28242
43. L. L. Joyner, Joyner Engineers and Trainers, P.C., Route 2, Box 1072, Forest, VA 24551
44-47. A. F. McBride, Science Applications International Corporation, 800 Oak Ridge Turnpike, Oak Ridge, TN 37830
48-52. C. W. Mayo, Science Applications International Corporation, 800 Oak Ridge Turnpike, Oak Ridge, TN 37830
53-54. Office of Scientific and Technical Information, Oak Ridge, TN 37831
55. Office of Assistant Manager for Energy Research and Development, U.S. Department of Energy, Oak Ridge Operations, Oak Ridge, TN 37831
56-490. Given distribution as shown in NRC Distribution R1, RG, and R4