ML20064L061
| ML20064L061 | |
| Person / Time | |
|---|---|
| Site: | 05000000, Robinson |
| Issue date: | 11/02/1981 |
| From: | Huchton R SIEMENS POWER CORP. (FORMERLY SIEMENS NUCLEAR POWER |
| To: | |
| Shared Package | |
| ML20064E577 | List: |
| References | |
| FOIA-82-389, TASK-2.F.1, TASK-TM NUDOCS 8201200662 | |
| Download: ML20064L061 (8) | |
Text
(
.. ~
.., : a
^
TECHNICAL EVALUATION Of THE RESPONSE TO ATTACK 4ENT 1 Of ITEM II.F.1 OE HUREG-0737
" ADDITIONAL ACCIDENT H0HITORING INSTRUMENTA f0R THE H. B. ROBINSON STEAM ELECTRIC PLANT, UNIT 2 (DOCKET NO. 50-261)
BY R. L. HUCHTON
- s...,
EXXONNuclearIdahoCo$mpany,Inc.
1 P. D. Box 2800 Idaho falls, Idaho 83401 i
~
l I
i;
}
i 7
,,i?
.i i- !
R_{rERfNCE
- 1 3
?
II.F.1-1 H. D. Robinson submittalNoble G 4
\\
ur
. E. E. Uticy to 11.
P.. Denton
' INTRODUCTION AND BACKGROUND
, 3 March 19P.1 either internally 11. B. Robinson proposes th are duct to monitor noble g(ainline)or e use of inline radiation dete externally to the duct would s
releases fro.a the plant releases for the first h provide useful measur.Detectors mountedon the spectrum low and releases areaverage energy of the nob ements of effluent sa owever remaining, principally Xchange with monitoring concentrationsA detector mounted in e gases a duct (inline) is e
e-133, is very provided th externally mounted detectors radiation. e detector wall is sufficientlof noble gases from 102 considered acceptable for pCi/cc to 105 mounted either internally (i l11. B. Robinson, in a le y thin to detect low-energ/cc LICENSEE'S POSITION:
uti y, gamna duct will be used to monit er d n ine)ated 3 March 1981, states that d internally or or externally or releases of noble gas (es of the monitor.externally mounted detectorsonline) to the effluent where a. continuous,his detector geometry is rs T
will be dependent upon the raUs by a detector away from the duct'. representative sample of th proposed versus mounting conditions to be the tenn "inline" for cl nge e effluent stream is countedofflin CP&L does arification only.a deviation from the NRC req i not consider the proposed DESIGN BASIS AND REVIEW CR u
ITERIA:
rements and definesSection II.F.1 of NUREG 073The design basis and revi 7,.pages 3-94 through 3 99ew criteria for t TECilNICAL EVAlUATf0'N:
s contained in NUREG-0737
~
from nonnal condition (g for the total raSection II.F.1-1, gas effluent mon,itorin s licensees to a maximum of 105 as low as reasonably achievablnge of concentrations ex loth during and following a.
uCi/cc The monitors
{oncentrations of nobl ccommodate a design basis r l n
ng must be capable of functionie-ALARA) n accident.
s Proposed system designs sh ll e
Iternally e gases. ease and then be capable of following
[ fluent con (centrations from 107 inline) to the duct are a ng Systems utilizing detecto a
!mpling is pCi/cc to 105cceptable for monitoring nobl rs located ecreasing Icentrations below 102 considered necessary for acc
. vide plant person pCi e gas urately mea /ce; however, offline pCi/cc fition exist which could r,a for detennining subseque tne Because the monitors are i tsuring noble gas gency p esult in the detectors beingaction n
n ended to it is the NRC's position th e
at no off-sca le.
l, Depending upon the effluent release path and the range requirements
- ,.*, for the associated monitors. CPAL has proposed usi6 ~ detectors mounted 9
either internally (inline) or externally (online) to the effluent duct being monitored.
Tio offline sampling capability has been proposed.
Although the licensee states the proposed systems do not deviate from the fiRC require-ments, as independent monitoring systems neither system has the capability of fulfilling the monitoring requirements of Section II.F.1.1 of fiUREG-0737.
l The use of monitoring syste,us employing detutors mounted externally to the effluent duct can provide reasonably accurate measurements of noble gas concentrations for the first hours following an accident.
During this time the detector response fro:n the fission product noble gases is due primarily to the high-energy, short-lived noble gases.
!!ith time, however, the energy spectrum changes and becomes do.ninated by the low-energy gamma emitters--primarily Xc-133.
As this shif t in the noble gas energy spectrum occurs, the contribution of the lou-energy photon flux on the detector' response increases. ~ As a result, the attenuation of low-energy photons in the effluent duct materials and detector beco.nes important and can signifi-cantly affect the accuracy of the effluent release measurements.
for the effluent release pathways in which CP&L intends on using monitors that are mounted internally (inline),Section II.F.1-1 specifically states that such monitors are adequate for measuring release concentrations of noble gases between 102 pCi/cc and 105 pCi/cc.
This holds true only for those detectors with walls sufficiently thin to respond to photon energies of 60 kev.
For noble gas effluent concentrations below 102 pCi/cc, the liRC holds that offline sampling is required in conjunction with the high-range, inline s.ampling system.
CONCLUS10f15:
It is the conclusion of this Technical Evaluation that the licensee, in order to comply with NUREG-0737,Section II.F.1-1, should provide a system capable of measuring noble gas effluent concentrations from nonnal operating condition (ALARA) concentrations to a maximum concentration of 105 pCi/cc. As presently proposed neither of the detectors mounted externally or_ internally to the effluent duct are sufficient as noble gas. effluent monito' ring systems to meet the regiuirements of r40 REG-0737,Section II.F.'l-1.
For detectors mounted externally to the effluent duct, the attenuation of the low energyi gamina radiation associated with the long-lived, noble gases precludes the capability of accurately incasurinc ~ noble gas releases and is, therefore, unacceptable.
Inline detectors are considered appropriate for measuring noble gas concentrations between 102 pCi/cc and 105 pCi/cc provided the detector wall is sufficiently thin to respond to 60 kev photons, flowever, offline sampling is required to monitor concentrations below 102 pCi/cc and is required in conjunction with the inline monitoring system to meet the range requirements of Table II.F.1-1.
1-
. L'
~
g o
SAFETY CONCERN ASSOCIATED WITH REACTCR VESSEL LEVEL INSTRUMENTATION IN BOILING WATER REACTORS by the OFFICE FOR ANALYSIS AND EVALUATION OF OPERATIONAL DATA January 1982 Prepared by: Matthew Chiramal Frank Ashe Note:
This report documents results of studies prepared by the Office for Analysis and Evaluation of Operational Data with regard to several operating events. The findings contained in this report are provided in support of other ongoing NRC activities concerning these events. Since the studies are ongoing, the report is not necessarily final, and the findings do not represent the position or requirements of the program office of the 'luclear Regulatory Commi ssion, kN 4 ?' " j p
/N
- 7..
P k
O e
TABLE OF CONTENTS PAGE EXECUTIVE
SUMMARY
I 1.
BACXGROUND............................
3 2.
DISCUSSION OF SAFETY CONCERN...................
3 2.1 Description of Reactor Vessel Level Instrumentation Monitoring Normal or Harrow Range.............
4 2.2 Effect of Instrument Line Failure on Plant Protection and Control Systems...............
9 2.3 The Safety Concern and Related Regulations.......... 12 2.4 Possible Unanalyzed Sequence of Occurrencds......... 14
- 3. FINDINGS............................. 18
- 4. CONCLUSION............................ 19 5.
RECOMMENDATIONS.......................... 19 LIST OF FIGURES Figure - 1 REACTOR VESSEL LEVEL INSTRUMENTATION...........
5 Figure - 2 VESSEL WATER LEVEL BLOCX DIAGRAM.............
8 APPENDIX A EVENTS INVOLVING BWR LEVEL INSTRUMENTATION........ 21 y
y
.p
. o EXECUTIVE
SUMMARY
Our review of operating reactor events involving boiling water reactor (BWR) vessel level instrumentation has shown several cases where interaction between plant control systems and protection systems is evident. This interaction is basically dde to fluid coupling and sharing of instrument sensing ' lines by the attached sensors that monitor vessel level and provide input to the protection and control systems.
Our review of these cases has raised the safety concern of a single failure causing a control system action that (1) results in a station condition requiring protective action and, at the same time, (2) prevents proper actuation of protec-tion system channels designed to protect against such a condition. We believe the physical installation of certain'BWR level instrumentation may not fully meet the intent of the regulations for the separation of protection and control systems and the single failure criteria, as delineated in General Design Criterion 24.
Based upon operating experi.ence, we believe that a single random failure in the instrument sensing lines should now be considered in implementing IEEE 279-1971.
In this study we have not conducted a detailed plant specific review of level instrumentation installation, but have confined ourselves to a general evaluation.
This study addresses the interaction between feedwater control, reactor protection, primary containment isolation, and energency core cooling systems. The effect of the interaction may vary from that detailed in this study depending on the details of the installation of the instrumentation. We plan to expand the scope of the study later to consider the effects of interactions due to level instru-mentation permissive interlocks provided to the recirculation pump control and residual heat removal systems.
This report is intended to introduce the safety concern related to BWR vessel level instrumentation. We note that similar fluid coupling problems could exist between control and protection systen instrumentation that monitor other parmaeters such as stemn flow, water flow and liquid levels 'at both BWRs and PWRs. However, our initial review of operating reactor events has identified the BWR vessel level instrumentation system specifically as one that involves such problems. We plan to continue our reviews of operating experiences at both BWRs and PWRs for events involving similar problems that could af fect safe operation of nuclear plant units.
O O
. 1.
BACKGROUND In the design of the instrumentation used in ~ control and protection systems, conscious effort has been made to physically separate the different sensors used.
In reviewing BWR vessel level instrumentation drawings of operating plants provided in FSARs and in other associated documentation (e.g., NEDO 10139,
" Compliance of Protection System to Industry Criteria: GE BWR _NSSS," June 1970),
we note that the sensors used for control systems were shown mounted on instrument if nes that are separate from other instrument lines associated with sensors used in protection systems. However, review of operating experience and a few of the "as built" instrumentation drawings show that sensors for protection and control systems may be mounted on canmon instrument lines.
This study is based on Licensee Event Reports (LERs) and Nuclear Power Experiences (NPEs) involving BWR level instrumentation. The events are listed in Appendix A. The events cited are examples of how occurrences involving instrument lines and/or related items can lead to erroneous reactor vessel level indications.
The problem of control and protection system interaction studied here is applicable to operating BWRs and those with construction permits.
2.
DISCUSSION OF SAFETY CONCERN There have been a number of documented events involving potentially erroneous indications by reactor vessel water level instrumentation at operating BWRs (Appendix A). The events in general show that a single failure involving one of the instrument legs connected to the level measuring differential pressure cells could affect all instruments connected to either or both legs. A review of each event shows that the effect on the plant varies, depending on the instruments affected and on the function of those instruments. Thus, the initiating failure
o.
. either led to a plant trip or was detected and corrected by the plant operators without significantly affecting plant operation. Our review ranged further afield to consider the control and protective functions of the instruments involved.
BWR vessel water level is measured by means of differential pressure sensed across two instrument lines.
In general, operating BWRs use four constant reference legs and seven variable legs (see Figure 1 for a typical installation).
The constant reference is obtained by means of constant head condensing chambers.
Two of the condensing chambers have a temperature compensated' column and an auxiliary head chamber. The other chambers have no temperature compensation.
The level instruments connected to temperature compensated reference legs.are used to monitor vessel water level in the accident or wide range (typically -155 to +60 inches with instrument zero 528 inches above vessel zero.) The two without temperature compensated reference legs are used for normal or narrow range level instrumentation (zero to 60 inches with instrument zero 528 inches above vessel zero.) These reference legs are also used for instruments that monitor water level inside the core shroud (-100 inches to +200 inches with instrument zero 360 inches above vessel zero.) A fifth reference chamber is for the water level instrumentation in the refuel range (zero to +400 inches with instrument zero 528 inches above vessel = zero.)
Review of the LERs raised a concern regarding the level instrumentation that monitors the normal or narrow range of the vessel water level. This is discussed bel ow.
2.1 Description of Reactor Vessel Level Instrumentation Monitoring Normal or Narrow Range The level instruments that monitor normal or narrow range of the vessel water level are connected across two pairs of instrument lines (See Figure 1). One pair of instrument lines has the following level instruments:
o
.?I e5 g
- y
)
g
-gY tA g
aR m
gP E
E,
s 4o g5 S4 i
VI O y
gt I(D N
3,T L2 SL v
a nN ny uO SI L
YI A e
I g65 e
Ar n (C M
a O
L A
6 nHO A s l
34 Au tGC L
3 SB e
P E S n
E PI s
L2 gAv S
5 ST p
ll
- yEDN a R e
T4 5O.EMI t A
PP r
g L3 2
(s M C,O s T 1 R NR8 e
5 s A
E R T
S TA aO p
g p /u IL3 EE OHATNN n
lt2 L R. R N a I
B 5
C. C E G0 OSO s
I ! *J P 4NCRR I I W(
85e S
[
C UU M
EV U RGRTT 5
T2 O
s I6 ACC L3
'P C *P4 L. u C C m
L3 8
RR D
o SI RHER A
O S 3 0C CE6*
P, O D g
E WK I2 C
ET NN M
85 tO I
54 oC uAA at AT P ERA 4 8 Y
L3 0
4 l
sL I 1AHCC f R 3
R NTCP Pl At On u
T jl 8
E T SSSHl IL U
=
T I M N
=
MA 56 As 150 0
UH L3 T4 S
0O 0 0 AC f
I T
n L3 L
= -
+ +
O eo R
A A 6
N it AA o
68 0
01 55 3
8 a
C 5
8 O
55 2
2 L3 IS1 C
a 33 3
3 L3 P
t A
n t i 5
a T
e 5s l
s LL L
L O
R m
E u
6 W
r 1
O s
t L
n 8
I lev P
e L
le 5
L 5
E e
E vS O V
yOSR gst E r
Av2 o
tc 7
a 9
4 e
5 6
R 3
~
A j
t G
Ca E
I A
O Ns S n
. L P
R r
A U
l NE 4
WE T
8 G
E 8 1
lt3 LN C
51 OI R
NA G
l6 5
N*
I OM 5a F
N t3 eI g
W 0,
OH 4
J-f O N O
tat s.
CC 1
y P
T W L
A g
UO O
3 S
S T5 L
AO t
N S6 g
L3 O
(
E IL 5A R
P g
3 M
T YO~
L
- TIW, N
i O
A C. "
m F
C 3 2
Wl P" a
5 D
s l M' ib r,
3 O
A E t3 s,
T O YT' 2
o L -
r 1
f 5
3 3
5 5
8 2
9 L
,p 3
155A g
80I 85 3
1 i
S.
g.
t L3 43 12 T
n d N A
3 A' C
S6 0
3I E
4a A
2 I
L M1 IL3 I 5 KS 5
M u*
- Y L
3 y
sWn l P Pt 4:v')
I LA i
t 3
3 l
L2 E i 9
g T5~
lL A
a D
5 T
3 N
g1 w
L2 I T s
R N 4
I0A S0 H O Qf t
C H3 N
6 i'
I
e
-e
. LIS 3-208A and 3-2088 LIS 3-203A and 3-2038 LIS 3-184
.LT 3-206 and LT 3-53 The constant reference leg associated with these instruments is also used as the reference for the shroud level monitor LITS 3-52.
The other pair of instrument lines has:
LIS 3-208C and 3-2080 LIS 3-203C and 3-2030 LIS 3-185 LT 3-60 The constant reference leg is also used by shroud level monitors LITS 3-62 and LT 3-62.
The functions performed by these instruments are as follows:
LIS 3-208 A, B, C, D HPCI and RCIC turbine trip on high vessel level.
LIS 3-203 A, B, C, D Scram and primary containment isolation on low level. KPCI and RCIC turbine trip on high level.
LIS 3-184 and LIS 3-185 Auto blowdown permissive on low level.
LT 3-53,LT 3-60 and 3-206 Feedwater control system inputs
( A high water level trip of the main and reactor feedwater turbine is also provided by the feedwater control system).
a LITS 3-52 and LIS 3-62 Containment spray interlock on l ow-l ow-l ow l evel.
The physical arrangement of these level instruments on two separate sets of instrument lines is such that the A and B sensors are connected to one set of instrument lines and the C and D sensors to another set.
These sensors provide input to protection channels in the plant protection and emergency core cooling l
systems. The protection system and emergency core cooling system logic arrange-i ments for these SWR instrument channels are the usual one-out-of-two-twice I
i
. configuration using channel ( A OR C) AND (B OR D) arrangement. The two sets of instruthent lines are separated and isolated in their physical connection to the reactor pressure vessel. Thus, the arrangement of these level instruments asso-ciated with the plant protection system meets the Single Failure Criterion of IEEE 279-1971, paragraph 4.2.
The same instrument lines, however, also have reactor vessel level control transmitters (LT 3-53 and LT 3-206 on one set; LT 3-60 on the other) mounted on them. These transmitters provide input to the plant's feedwater control system (See Figure 2).
Each transmitter provides an output signal ranging from 10-50 ma, which represents the normal water level ranging from zero to +60 inches at normal operating pressure. Corrections for water density changes are made by
~
reactor pressure measurements. Signals fra pressure transmitters (shown on Figure 2) are applied to level correction amplifiers to accomplish this. Each of the three corrected level signals is applied to an alann unit. The three alam unit outputs are connected in a two-out-of-three coincidence logical to provide high water level trip (+54 inches) to the main and reactor feedwater turbines.
The three corrected signals are also displayed in the control room, as are the three pressure monitors. The corrected level signal from either transmitter LT 3-53 or LT 3-60 is selected by the controt room operator for use in the feedwater control system. The selected level signal is recorded in the control room.
It is also supplied to two alam units, the feedwater bypass valve con-troller, a level flow error summing device, and the feedwater control mode selector switch (one or three element control).
For BWRs in general, eight reactor vessel level indicators and two recorders are provided in the main control room to aid the operator. High and low level
1 e
-s, 3O-A" PRESSURE COMPENSATION
~
PRESS A PRESSB PRESS C LEVEL F
5 LEVEL E
LEVEL APli l,T3_ S3 5
l A Pli Lf3 do 5
.1 Pli LT3_2 of*
C
.C C
1
,p 3,
PROP '
A 1
1 o
o 0
i l
T_ _ _ _ _ _ L _ _ _ _ _ _ _ C_ _ _ _ _________.i HIGH LEVEL TURBINE J
TRIP (2 OF 3 j
COINCIDENCE) 5 a
g A
B g
T L13.so g
a L1 1 2 e 6,
a LZ3_f3 CR SELECTOR 8
LEVEL SWITCH LEVEL LEVEL B
C A
t t
x WATER LEVEL FW PUMP TRIP INTERLOCK O
O H
RECIRCULATION FLOW Af REDUCTION HIGH/ LOW s
ALARM UNIT REACTOR VESSEL WATER LEVEL 1 i TOTAL FEEDWATER FLOW
,. w h ll VALVE LEVEL CONTROLLER h
Jl LEVEL" FEED ROW 3
"1 C)
LEVEUFLOW CR (ERROR NETWORK MODE SELECTOR SWITCH i
SUMMER)
U NPROP (1 OR 3 ELEMENT CONTROL)
AMP I l
MASTER CONTROLLER STEAM /F E E D FLOW ERROR Figure f.
, Vessel Water t.evel 31ock Diagram
9 O
.g.
digital inputs to the control room annunciator system and the plant computer system also inform the operator of vessel level status.
The control room indicators and recorders are:
(~ )
two level indicators (LI 3-52 and LI 3-62) and one level recorder (LR 3-62) monitor the shroud level. These instruments are normally pegged high at +200 inches during power operation; (2) one level indicator (LI 3-55) monitors the refueling range (zero to +400 inches);
(3) two level indicators (LI 3-46A and LI 3-468) monitor the accident s
range (-155 inches to + 60 inches);
m (4) three level indicators (LI'3-53, LI ~3-60 and LI 3-206) monitor normal range (zero to +60 inches). A reactor level / feed flow two pen recorder in the control room also continuously monitors the level signal selected for the feedwater control system (either LI 3-53 or LI 3-60 signal).
During normal power operation, five indicators and one recorder (numbers 3 and 4 above) would be used by the operator to monitor level. Control room alanus would alert the operator to abnormal conditions. The refueling range level indicator (numoer 2 above) is not calibrated for operating conditions and is not used during normal operation.
2.2 Effect of Instrument Line Failure on Plant Protection and Control Systems A failure in the instrument line connected to the constant head condensing chadber (e.g. equalizing valve leak, excess flew check valve leak, drain N
g valve leak, etc.) could cause the reference leg level to decrease. This decrease in rehbrence leg level would caase all the differential pressure instruments' connected to that line to indicate false high reactor vessel water l evel.
Referring to Figure P, if such a failure was to occur in the reference leg of the normal range level sensors A and B, then LIS 3-208A&B, LIS 3-203 A&B, LIS 3-184, LT 3-53 and LT'3-206 would all sense an increasing level.
If LT 3-53 was selected by the control room operator for the level input to the feedwater control system (with the feedwater control mode switch in either the one or three element control), then the feedwater system s
would' reduce feedwater flow into the reactor vessel. This would tend to decrease the actual reactor vessel water level.
If pr'anpt operator action is not taken to manually control the feedwater system, then eventually the vessel level would reach the low level scram setpoint.
However, scram level: sensors LIS 3-203A&B would sense a high level and would not actuate.
Therefore, LIS 3-203C&D on the redundant instrument lines would be required to provide the necessary protective action.
In such an event the control roan level indicators, recorders and alanns would be providing ambiguous level information to the operator. The two accident range i dicators (LI 3-46 A&B) would still show true level, but only one of the normal range level indicators (in this instance LI 3-60)
I would indicate true level. The other two nonnal range level indicators (LI 3-53 and LI 3-206), as well as the level recorder pen, would show an erroneous high level.
If, on the other hand, the failure was to occur in
~
the reference leg associated with normal level sensors C and 0 (i.e.,
4
iI e
l'
=
LIS 3-203 C&D, L,IS 3-208 C&D, LIS 3-185 and LT 3-60) and if LT 3-60 was selected for level input to the feedwater control system, the effects would be similar,
.I with the following exceptions:
(1) only one nomal range level indicator (LI 3-60) and the level recorder would show the erroneous increasing level; and (2) tha high level turbine / reactor trip would not occur, since only one of the threc level transmitters associated with the feedwater control system would be af fected.
~
In either case, during the ensuing plant transient, both high and low level alams could be actuated in the control room. Depending on the type of instrument failure, the plant would soon experience a low level scram from the redundant unaffected instrument channels and perhaps a high level turbine trip / reactor trip. All of these conflicting indications'and automatic actions could hamper timely and correct operator response to such an event. Automatic plant response must be relied upon to teminate and control the transient.
This.0s confimed by operating experience (see Apendix A) which shows several cases where operators did not respond to such events and automatic protective action was needed to teminate the transient.
If the failure in the instrumentation causes a very gradual decrease in the reference leg level, then actual reactor level could fall to the low level scram setpoint (because of the feedwater control system action) before the false level appearing to level sensors in the failed instrument legs rises to the high level turbine trip setpoint. Low level reactor scram would occur due to actuation of redundant level sensors (LIS 3-203 C&D) on the other instrument lines. Eventually, the spurious high level sensed could
cause main and reactor feedwater turbine trips on two-out-of-three coincidence high level from the alarm units in the feedwater control system. If, on the other hand, the rate of increase of spurious level is faster, a high level
- trip (two-out-of-three high level) of the main and reactor feedwater turbines (and consequent reactor trip due to main turbine trip) could occur before the vessel level reaches the low level scram setpoi.nt.
In either case, the failure would cause a spurious high level to be sensed. The control system would then cause a reduction in the true vessel level, which could require the protective action of low level ' scram of the reactor.
This interaction between the feedwater control system and the reactor protection system is the safety concern in that the initiating instrument line failure could cause adverse feedwater control system action requiring low vessel level protective actions and, at the same time, would also prevent proper action of certain low level protection system channels.
2.3 The Safety Concern and Related Regulations General Design Criterion 24 on separation of protection and control systems states, "The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.
Interconnection of the protection i
and control systems shall be limited so as to assure that safety is not significantly impaired."
In the BWR level instrumentation system, a single i
failure in the sensing line that causes control system action, does not leave intact a system satisfying all reliability, redundancy and independence recuirements for the low vessel level protective function.
r y
. IEEE 279-1971 paragraph 4.7.3 on ccntrol and protection -system interaction states, "'Where a single random failure can cause a control system a: tion that results in a generating station condition requiring protective action and can also prevent proper action of a protective system channel designed to protect against the condition, the remaining redundant protection channels shall be capable of providing the protective action even when degraded by a second random failure." This requirement of IEEE 279 augments the requirement of General Design Criterion 24 on leaving intact a protection system satisfying all reliability, redundancy, and independence requirenents of the protection system on failure of any single control system coiapanent or channel.
IEEE 279-1971 is, however, limited in scope to the protection system devices and circuitry from sensor to actuation device input terminals. NRC has interpreted this to exclude the fluid sensing lines.
Based upon operating experience, we believe that a single random failure in the sensing line should now be considered in implementing IEEE 279-1971.
(It is noted that the 1977 and 1980 editions of IEEE Standard 603, which are later versions of IEEE 279-1971, do address the subject of sensing lines and include them as part of the protection system.)
Applying the requirement of paragraph 4.7.3 to the instrumentation system under disccssion, the single random failure is the decreasing reference leg level and the resulting control system action is lowering of the actual vessel level, which would require a low level protective action. Two protection l
channels (LIS 3-203A&B) are prevented from performing their protective actions, leaving redundant channels (LIS 3-203C&D) to provide the required protective furiction.
If a single active failure is now postulated in one of the two l
l
. remaining channels, then the required automatic protective actions will not occur at the low water level scram setpoint. Further, if one of these four channels is inoperable due to maintenance or required surveillance, and is not placed in a trip condition, then this would tend to exacerbate the safety concern since the single failure of a decreasing reference leg could defeat the associated automatic protective actions at the low water level scram setpoint. Under these conditions the information provided in Section 2.2 of this report continues to be valid and appears to make the concern more significant. However, since the technical specifications allow the level instrument system to remain in this degraded mode (that is, three
~
operable channels and one inoperable non-tripped channel) for a period of up to only two hours this aspect may not be significant in the broader context of the concern.
The above concern can be extended to all designs where the protection system uses a one-out-of-two-twice logic (i.e., A or C and B or D) to initiate protective action. Even if only one protection system channel is coupled to a control system channel (say A), and if the single random failure causes a control system action requiring protective action and also prevents proper action of the protection system channel, a further single active failure of one particular remaining redundant protection system channel (C), will prevent the required protective actions associated with these protection channel s.
2.4 Possible Unanalyzed Seouence of Occurrences Level instrumentation sensor LIS 3-203A through D provide the following protective actions 7
T'
O.
(1) 'Sc ram (2) Primary containment isolation (3) HPCI and RCIC turbine trip (4) Start standby gas treatment system (SBGTS)
'4 hen two channels (LtS 3-203A&B) sense a spurious high level and a random failure is postulated in one of the remaining redundant channels (LIS 3-203C or D) the protective actions are affected as follows:
(1) Scram - Low level scram will not occur.
(2) Primary containment isolation due to low level will not occur.
(Typically Group 2, 3, and 6 valves are affected.) The following pipelines will not isolate:
- RHR reactor shutdown cooling supply
- RHR reactor head spray
- Reactor water cleanup system
- Drywell equipment drain discharge Drywell flow drain discharge Drywell purge inlet
- Drywell main exhaust
- Suppression chamber exhaust valve bypass Suppression chamber purge inlet
- Suppression chamber main exhaust Drywell exhaust valve bypass
- Suppression chamber drain
- RHR flush and drain vent to suppression chamber Drywell purge and vent outlet Drywell makeup Suppression chamber makeup Exhaust to S3GTS
. However, if isolation of the above pipelines were truly needed, excluding the lines associated with the reactor water cleanup system, it would still be obtained by other diverse means which initiate on high reactor building ventilation exhaust radiation and/or high drywell pressure.
(3) HPCI and'RCIC turbines will receive a high level trip signal (when LIS 3-203 A&B, connected to one set of instrument lines, reaches spurious high level of +54 inches, and if.either LIS 3-203C or D, connected to the other set of instrument lines, is postulated to fail high).
(4) SSGT system will not receive on automatic start signal.
The event initiated by the instrument line failure will continue and the reactor vessel level will decrease due to reduced or even tenninated feedwater fl ow.
If the operator does not take corrective actions, the vessel level will reach the low-low level and the level instrumentation monitoring the accident or wide range, specifically sensors LIS 3-56A thru 0, will initiate closure of MSIVs which in turn will cause a reactor scram. Sensors LIS 3-58A through D will sense conditions necessary to initiate HPCI, RCIC, ADS and core spray systems. Scram under these conditions *would occur at an actual vessel level which is considerably below the normal low level scram.
(Current safety analyses normally assume that a scram occurs directly from the low level instrumentation, which is defeated under these conditions, and not indirectly by the way of MSIVs from the low-low level instrumentation.) Further, when the MSIVs close, this action will tend to collapse the voids contained in the vessel fluid and will further decrease the fluid level in the reactor vessel.
.o O
' In addition, due to the presence of high level trip interlock signals. (item 3 above), automatic operation of HPCI and RCIC would not occur in some designs since the high level trip signal takes precedence over the low-low level start initiation signal. This situation of a decreasing water level in the vessel, coupled with (1) scram which is initiated at a vessel level lower than the normal-low level scram, and (2) the unavailability of automatic operation of.
safety grade high pressure injection systems, appears to be an 'unanalyzed sequence of occurrences.
A typical scenario initiated by a level instrumentation reference leg failure.
would be as follows:
The loss of the reference leg in the normal ran.ge level instrumentation causes a spurious increasing level to be sensed by the feedwater control system, leading to a decrease in actual vessel level. By the same failure, two low level protection system channels are disabled. When the vessel level reaches the low level setpoint, reactor scram and primary contaimnent isolation would normally occur due to actuation of redundant low level protection channels on the unaffected instrument lines. A postulated signal failure in the redundant low level protection channels, however, could disable the low level reactor scram. The spurious high level sensed by the instrumentation of the affected instrument line could cause a turbine trip which would, in turn, scram the reactor or, based on the various indications available in the control room and time permitting, an alert operator could initiate manual scram and containment isolation. HPCI and RCIC could be manually started if not locked out by the failed instrumentation. Otherwi se, low pressure energency core cooling would have to be initiated to provide water to the vessel.
If no manual action is taken, when low-low vessel level is reached MSIY closure and associated scram will occur. Automatic ECCS actuation will also be initiated.
Based on the availability of these various means of automatically and manually accomplishing the required protective actions, we do not consider the postulated control system protection system interaction precipitated by hydraulic effects
8 an immediate safety, concern; however, we do consider that the safety concern needs to be addressed.
- 3. FINDINGS (1) The physical arrangement of reactor vessel water level instrumentation i
in operating BWRs is such that hydraulic coupling exists between sensors that provide input to the feedwater control system and to the plant protection systems. The level instrumentation that monitors the operating range is physically arranged so that sensors which separately provide input to the feedwater control system and to two channels of the reactor protection system and ECCS are connected across canmon instrument lines.
(2) Certain single failures in the instrument lines can cause a decrease in
~
the reference leg level or affect the variable leg level of the vessel level instrumentation. The ensuing spurious level is sensed by the feedwater control system and two channels of tne protection system. The spurious level sensed by the control system could cause the system to respond adversely, resulting in a plant condition requiring protective action.
(3) Moreover, such a failure causing incorrect control system response would also prevent proper action by two of the protection channels.
If a random failure is now postulated in one of the remaining redundant two channels, then the protective function will not occur automatically from the normal low level protective instrumentation. This could lead to a plant condition which appears to be unanalyzed.
(4) The operator is presented with conflicting infonnation which may prevent him from taking correct and timely actions.
, (5) The situation outlined above suggests that selected BWR level instrumen-tation systems may not meet the intent of the regulations for operation of protection and control systems single failure criterion as delineated in General Design Criterion 24.
4.
C01:CLUSION BWR operating experience has shown that a single failure in an'instrumant sensing line could affect all level sensors that share the same sensing line.
There also have been events where interaction has occurred between control systems and protection systems. Our review of these operating experiences has raise'd the safety concern of a single failure in the 3WR vessel level instrumen-tation causing a feedwater control system action that could 1) result in a condition requiring protective actions and, at the same time, 2) prevent proper action of the reactor protection system channels designed to. protect against such a condition. We also consider that certain level instrumentation configuration in operating BWRs may not fully meet the intent of General Design Criterion 24.
Based upon operating experience we believe that a single random failure in the instrument sensing lines should now be considered in implementing IEEE 279-1971.
Although we do not consider the postulated control system-protection system interaction an immediate concern we do consider that the safety concern and associated problem need to be addressed.
5.
RECOMMENDATIONS (1) Action should be implemented to assure that automatic and manual safety-related low-low level start and high pressure injection functions of HPCI and RCIC turbines are not prevented or delayed by the non-safety-related high level trip. For ex1mple, the control system of HPCI and
. RCIC turbines could be modified to provide a low-low level start signal which overrides the high level trip signal.
(2) Action should be implemented to assure that protective functions are provided in spite of any adverse control system-protection system inter-action in the narrow range level instrumentation. For example, the protective functions provided by the narrow range level sensors could also be provided by the wide range level sensors (In employing the wide-range level instrumentation, the desired output signal quality in tenns of sensitivity, resolution, accuracy and repeatability must be considered to assure that the initiating signals achieve the required protective function. ). This approach would be consistent with the concept of
" alternate channels" as defined in paragraph 4.7.4.i of IEEE Standard 279-1971.
'(3) Control room operators should be trained to recognize spurious vessel level indications, and procedures should be provided for corrective actions 'a mitigate the consequences of potential transients that may be caused by level instrumentation malfunctions.
We believe that the BWR emergency procedure guidelines provide the best vehicle for the definition of appropriate corrective actions in the event of level instrumentation malfunctions.
. APPENDIX A EVENTS INVOLVING BWR LEVEL INSTRUMENTATION The events cited are examples of how occurrences involving instrument lines and related items can lead to erroneous vessel level indications. The event descrip-tions are quoted directly from the Licensee Event Reports and Nuclear Power Experiences.
Plant Name Date of Event Event Description Oyster Creek 1 March 1970 During a surveillance test on the reactor high pressure scram pressure switches, it was observed.that the sensing line to the high pressure 9:ran pressure switch had developed a leak at a " Swage-Lok" fitting which caused a level indicator to fail up-scal e.
An attempt was made to tighten the fitting and the leak increased, causing the excess flow check valve in the primary pressure sensing line to close. The resul t.
was a zero pressure signal to the pressure sensors mounted on this rack. (High Pressure Scram, High Pressure Isolation Condenser Actuation, Condenser low Vacuum Scram By-pass, Core Spray Valve Permissive, Triple Low Leve' Auto Depressurization, Level Transmitter to Feedwater Control System, Reactor Pressure Indicator Trans-mitter and Auto Relief Valve Pressure).
=- -
. Plant Name Date of Event Event Description Since the Protective Instrumentation Limiting Conditions for Operation could not be met, the operators were notified to prepare for a plant shutdown.
Subsequently, it was determined that the single failure of this sensing line prevented the operation of both isolation condensers upon receipt of a reactor high pressure signal. Emergency condenser isolation on pipe-break was still. operable as was emergency condenser ' actuation by low-low level and manual operation from the control Plans were to determine the wiring room.
modifications necessary to establish the ability of the emergency condensers to operate on a high pressure signal in the event of a loss of a single pressure sensing-line.
In the meantime, operating personnel were made aware of the situation and reminded that plant energency procedures call for verification of automatic action and manual initiation of such actions requi red.
Peach Gottom 2 Sept. 8, 1976 During routine surveillance testing, contain-ment spray permissive switch LIS-2-2-3-73A was
=
. Plant Name Date of Event Event Description found to be inoperative. Because the redundant B loop was operable and a manual override is provided for this switch, there was no safety hazard. Cracked bellows on a Yarway Model 4418CE level switch.
Millstone 1 Sept. 1973 During a plant startup, a discrepancy of 15 inches was noted between the two indepen-dent reactor level sensing columns. The mismatch was such that half of the RPS, ECCS and primary containment isolation system level switche's were seeing an indicated level that was higher than the actual level in the reactor. The mismatch could result in late initiation signals for the systems in a situation where a failure occurred in the level switches that were reading properly.
An investigation revealed a valve that is normally used for filling the system was l eaki ng. The water was being drained from the reference column at a rate greater than the make up rate by condensation in the level column condensing pot. A loss of water from the reference column in a device such as this causes the indicated level to l
rise.
\\
- Plant Name Date of Event Event Descriotion The valve was replaced and the indicated levels converged such that they were within the requirements of the Technical Specifications.
Monticello 1 July 13,1975 During nonnal operation a small leak (75-OlT) developed in a reactor pressure gauge. The leak lowered the reference leg level for the Scram and ECCS initiating Yarway level instruments connected to the same process tap causing incorrect level indication.
Redundant Yarways were operable. No previous similar occurrences.. Pressure Gauge isolated
( AD-50-263/75-12). A 1eak developed in the Bourdon tube of Heise Model C MM 7646 0-1500 psig pressure gauge.
Brunswick 2 May 1976 During start up a level indicating switch (Yarway) malfunctioned due to an internal leak. The associated instrument channel was manually tripped. The cause of the occurrence was the threaded pipe inside the instrument housing leaked because of a crossed thread.
Browns Ferry 2 Aug. 14, 1977 During start up from Cold Shutdown, reactor (LER 77-03L) water column "B" reference leg was low, pro-ducing a +20 inch error in t'r.o reactor water
. Plant Name Date of Event Event Description low-level scram switches. Redundant switches were operable and in service. The reference leg was refilled and water level agreement confimed. This was not a repetitive problem.
The integrity of all sensing lines and valves external to the drywell was confimed.
The apparent cause was either evaporation of water from the reference leg during cold shutdown, or inadvertent operation of equalizer or drain valves.
Cooper Jan. 1976 Cold shutdown. While maintenance was being perfomed in the drywell, a rusty spot was noticed on some insulation close *a the reactor. Upon further investigation, it was detemined that a crack in the two inch.
instrument sensing line on vessel pene-tration N-11A had developed outside the safe end weld, in the heat affected zone (HAZ) 1/2 inch from the weld center.
History of this weld showed the original weld failed the RT and was cut out and rewel ded. The second weld failed the RT and was repaired. The third weld passed the RT.
-=
. Plant Name Date of Event
_ Event Description The failure was the result of material failure in the HAZ of the two inch schedule 80 ASTM-A-312 GRTP-304 Stainless steel.
pipe. This instrument tap fed the low leg of the scram and primary contaimnent isolation level switches, auto blowdown permissive level switches, reactor feed-water control and wide range level indications.
Cooper Dec. 1977 While at 75" power, during a plant tour, it was noted that three reactor level instru-monts were reading high upscale. Further investigation revealed that the instrument line excess flow check valve was leaking around the body nut. The leak at the valve caused the condensing chamber and ref-erence leg level to decrease, thus causing instrudhnts associated with that sensing line to read upscale.
Brunswick 2 March 1978 Technicians were performing a test while at 97% power (reactor water level inside shroud) on a Yarway instrument when the main turbine and feedwater pump turbines tripped, causing a reactor scram.
. Plant Name Date of Event Event Description The scram occurred as a result of a pressure change in the commoa level instrument refer-ence leg which apparently actuated the N004 instruments. The pressure change apparently occurred due to the bellows movement in the instrument being calibrated. No personnel error was detected. They were shutdown for 25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br />.
An investigation was to be performed to determine the most suitable instrument arrangement and test procedures necessary to prevent reference leg pressure changes.
The. investigation was to consist of an 1
industrial survey and a design review.
Dresden 2 May 1979 During start up the main turbine tripped on high water level.
It was discovered that a-i packing leak existed on the isolation valve l
for the local pressure indication, PS-263-608.
The "B" reference leg drained to an abnormally low level through the packing leak. This resulted in an upscale reading on all the Yarways on instrument rack 2206.
The "S" reference leg root valve was shut to isolate the leak which isolated the following components:
. Plant Name Date of Event Event Description' PS-263-55C, 550, LIS-263-58A, 588, 72B, 72D, and LITS-263-59B. A control systems technician locally isolated PI-263-608 (local pressure indication) and PS-263-55D (reactor high pressure scram) via their canmon sensing line root valve. The "B" reference leg root valve was then opened and the reference leg filled.
~
Since the Technical Specifications require two instrument channels per trip system, an orderly reactor shutdown was begun immediately.
The packing was tightened and subjected to a hydro of 1000 psi. No leaks were discovered.
The isolation valves for PS-263-550 and PI-263-60B were opened and the common sensing line root valve was opened, returning the system to normal.
Monticello 1 Sept. 23, 1979 During normal operation a leak developed in a (LER 79-019/03L-0) reacton pressure gauge. The leak lowered the reference leg of the scram and ECCS Yarway level switches connected to the same process tap. As a result, the Yarways indicated a false high level and would not have tripped within the settings specified in sections 3.1.1 and 3.2.3 of Technical Specifications.
. Plant Name Date of Event Event Description Redundant level instruments were operable.
One previous similar occurrence reported in A0 50-263/75-12.
Pressure gauge is Heise Model C, 81/2 inch dial, 0-1500 psig, H03 Stainless Steel Bourdon Tube. Small crack discovered in Bourdon Tub ~e, most probable cause is fatigue. Gauge isolated and removed.
New gauge with wide range and improved Bourdon tube material to be -installed on different process tap.
Brunswick 1 May 8, 1980 During normal surveillance, the cap covering (LER 80-048/03L-0) the calibration adjustment screw on reactor level instrument,1-821-LIS-N031B, was leaking water. The leak was repaired and Pressure Test 3.1.7PC, Reactor low level #2 and #3 calibration and functional test was performed on the instrument Switch !2 of the instrument would not actuate. The reportable limit is >194.63 inches applied water. This event did not affect the health and safety of the public. The calibration adjustnent i
screw cap gasket was replaced, the contacts of swi tch 12 were cleaned. Pressure Test 3.1.7 PC was performed satisfactorily and the instrument was returned to service.
9 Plant Name Date of Event Event Description Fitzpatrick 1 Nov. 3, 1980 During normal operation while conducting (LER 80-084/03L-0) survei,1, lance to satisfy Technical Specifica-tions Table 4.1-1, reactor water level switch 02-3-LIS-1018 or 101D was found less conser-vative than allowed by Technical Specification -
Table 3.1-1 on three occasions between 11/3/80 and 11/25/80. Redundant level switches were within Technical Specification limits and in each case the level switches were immediately recalibrated to with'in its limits. No significant hazard existed. See attachment for ad'itional details. Probable d
cause was personnel error which resulted in the introduction of air in level sensing line. Back flushing of sensing lines to remove air eliminated problem.
Review e,
of procedure does not indicate need for change.
Brunswick 1 Jan. 20, 1981 During normal plant operation reactor instru-(LER 81-016/03L) ment penetration (RIP) valve, X-53C, shut with a Control Air Supply Failure Alarm, and isolated the variable leg to reactor level instruments 3 21-LIS-N017A and B 21-LI-3331, which resulted in a reactor scram on low l evel. This event did not affect the health or safety of the public.
o
5
- ~
Plant Name Date of Event Event Description An exhaustive investigation failed to reveal a definite cause for the RIP valve closure.
This investigation included a leak check on the valve control air supply, a timed leak check of the valve bellows and a visual inspection of the valve and the valve high flow isolation swi tch. This is considered an isolated event, as system air pressure was normal and no other valves isolated.
Browns Ferry 2 March 31, 1981 During normal operations while decreasing load (R0 50-260/81014) for M/G set maintenance, the Reactor Water Level Instrumentation indicated full upscale resul ting in a turbine trip. There was no hazard to the health or safety of the public.
Instruments affected were: 2-LITS-3-52; 2-LIS-3-203A, B; 2-LIS-3-184. The technical specifications were fully complied with at all times. Equalizing valve, on 2-LITS-3-52 was partially open. Closed equalizing valve, verified reactor water instruments operable.
Browns Ferry 3 May 25, 1981 During startup, following a maintenance outage, (LER 81-027/03L-0) reactor water level instrumentation 3-LIS-3-203A and 3 indicated full upscale and were declared inoperable. There was no danger to the heal th and safety of the public. Redundant systems were available and operable.
e
e
, Plant flame Date of Event Event Description Reference leg was lost on the water column for undetermined reasons, causing the Barton model 288 A, bellows type indicating switch, to indicate full upscale. The water leg was backfilled and the instruments returned to operable status.
Oyster Creek Sept. 5, 1981 On September 5,1981 at approximately 0100 (LER 81-36/03L) hours while performing a flush of Core Spray System I piping, one reactor water level indicator showed a high level while all other level indicato'rs renained stable and in agreenent. The flush in progress was immediately terminated and an investigation was initiated to detennine the cause of the high level indication.
It was found that the instrument reference leg was not filled with water which caused an erroneous high level reading on the instrument in question. The failure of this instrument resulted in the loss of one of two level instrument channels in each of two level instrument systems.
It should be noted that there are no piping connections between the Core Spray System and the affected water level instrumentation reference leg. This
~ me
. Plant Name 7 ate of Event Event Description was confirmed by a hand over hand walkdown of the reference leg piping.
The cause of the decrease in reference level head could not be determined. There is no connection which can be inferred between the loss of reference leg and the flush evolution.
The reactor water level instrument in question provides various Reactor Protection Safeguard System functions associated with Reactor Scram, Core Spray initiation, Isolation-Condenser initiation and ATWS Recirc Pump Trip.
Since redundant instrumentation, which was operable, also provides these functions and since the Reactor was shutdown, vented, and less than 212*F, the safety significance of this event is considered minimal. Addition-ally, it should be noted that no change in actual reactor water level occurred as a result of this event.
The reference leg for the affected level instrument was backfilled with condensate which restored it to an operable condition.
i A hand over hand walkdown of the Reference Leg System for proper configuration together
, Plant Name Date of Event Event Description with a check of the instrument connected to the reference leg for leakage was performed with no abnormalities noted.
(The following event' description is taken fran the INPO-NSAC Analysis and Evalua-tion Report of April 1981 on "High Pressure Core Cooling Systen Malfunction at Ha tch 1.")
Ha tch 1 June 26, 1980 At 6:49 am, on June 26,1980, Hatch-1 was operating at 99.4" of rated power. Operating conditions appeared nonnal. Reactor pressure indicated 990 psig.
Both reactor feedwater pwnps, and both reactor recirculation pumps were running. The reactor water level was nonnal at about +37 inches.
At 6:49:09 am, the GEMAC A and C reactor water level channels signaled that the level had quickly risen to +58 inches. With 2 of the 3 GEMAC channels indicating a high level, a number of automatic actions occurred.
The reactor feedwater pumps and the turbine /
generator were tripped. Subsequently, the reactor scranmed.
There are three GEMAC transmitters of reactor water level connected to 2 separate hydraulic systems that sense reactor water level. The
a
, Plant Name Date of Event Event Description GEMAC A and C channel transmitters are connected to one of the hydraulic systems.
Two Barton transmitters are also connected to this same hydraulic system. The GEMAC B cnannel transmitter, and two other Barton transmitters, are connected to the other hydraulic system that senses reactor level.
Only the GEMAC A and C channels signaled high reactor water level. The GEMAC B channel did not signal a high level.
More-over, one second after the GEiAC A and C channels picked-up on high water level, 2 Barton transmitters signaled low reactor water level at +12.5 inches. Within 4 seconds, all four Barton channels signaled that the reactor water was at +12.5 inches.
Summarizing, GEMAC channels A and C said the watbr level in the reactor was high, and 4 other channels said it was low.
Within 2 seconds after the start of the event, four channels indicated that the reactor pressure had risen to 1045 psig.
Within 4 seconds, four 3arton transmitters signalled a low reactor water level and triggered the isolation of some of the reactor support systems.
Increased system
=. :.
o <*f'
~
Plant Name Date of Event Event Description pressure and a decreased reactor water level are anticipated responses to.a total loss of feedwater and turbine / generator m
trip. Within 16 seconds, safety / relief
, valve operation, combined with the operation of the turbine steam bypass systems, had brought the pressure down to 1030 psig. With the decreased pressure, increased void formation i:aused the reactor water level to rise several inches and by 28 seconds, the reactor low water 1evel had cleared, indicating' that the reactor water level had recovered to
\\
at ieast +15 inches.
Thirty nine seconds after the event began, all four Barton channels '41amed a second time, indicating that $he reactor water level had again dropped below +12.5 inches. The a
GEMAC channels showed similar levels. The reactor pressure was n'od steady at about 890 psig.
At 47 seconds, a~signalias received that closed the'mliin steam line isolation valves.
All but one of. the closure signals are alamed on the computer. The low reactor water level (-38") closure signal is not l
L
o..,.
~
<('
37'-
Plant Name Date of Event Event Description al armed. None of the computer alarms asso-y ciated with the closure signals were activated.
This indicated that the low reactor water level closure signal was the most likely source' of the MSIY closure and that reactor i
i Yater level had dropped to -38".
s N,
At 95 seconds a feedwater pump was started,
- 5. ' '
w but because the main. steam line isolation 9
.s t
. val,ves~ had been closed, the pump ran for
- i-N
- I only about 10 seconds.
The HPCI turbine received a signal to start automatically.
However, the initial high flow of steam to s:
the turbine caused an instrument that monitors
\\
p for high steam line flow (symptom of a steam pipe break), to activate erroneously and close the two containnent isolation valves in the steam line to the HPCI turbine. The HPCI tLtbine ran momentarily and stopped.
During this period, operatorf 'also were attenpting to start the RCIC system.
However, the RCIC system would not start and continue to run.
It remai(.ed inoperable
)'
throughout the even't.
4 s
A
eo a,
~
g e
. i.
Plant Name Date of Event Event Description Operators reset the HPCI system isolation i
signal that had been triggered by the high o
steam flow surge on the initial startup i
a ttempt. They then opened the inboard 1
isolation valve in the HPCI turbine steam i
supply line, while leaving the outboard valve closed.
But again; for reasons unknown, an additional isolation signal activated, calling for closure of the closed outboard valve. Operators then closed tr,e inboard 7
val ve.
At three minutes into the event the following,
conditions existed: ' The main steam line isolation valves were closed. There was no feedwater supply to the reactor. Heat had been generated in the reactor faster than it was removed. The reactor pressure had risen to apprtximately 1100 psig and was being controlled by the safety / relief valves. The steam was now renoving the decay heat to the suppression pool.
About 5 minutes after the event began, the operators tried a different HPCI turbine start-up strategy. They closed the HPCI turbine steam supply valve. This valve