S Level Failure Modes alysis MEA)System Level Failure Modes and Effects Analysis Page 10 of 42 2....

S

Prepar PacifDiablProce March

System

red for:

fic Gas lo Canyess Pro

h, 2016

Level F

N

& Elecyon Powotection

Failure (F

DocuRevi

Nuclear S

tric Cower Plan Syste

ModesFMEA)

ument Nsion 0

Safety-R

. ant Unitem Rep

s & Effe

No. 15-06

Related

ts 1 & 2placeme

ects An

681-FME

2 ent

alysis

EA-001

aLTRa Report No.: 15-0681-FMEA-001

10CFR50. Appendix B Applies: [8J

Title: System Level Failure Modes & Effects Analysis (FMEA)

Process Protection System Replacement

Rev. No.:

Report Record 0 Page No. 2

Total Pages: _4_2 ___ __,

Client: Pacific Gas & Electric Co. Facility: Diablo Canyon Power Plant Units 1 & 2

Revision Description: Initial Release

Computer runs are identified on a Computer File Index : Yes D NIA IZI Error reports are evaluated by: NA Date:

Computer use is affected by error notices. No (.81. Yes 0 (if yes. attach explanation)

Preparer(s) Date Verifier(s) Date

3 -2. <\-20 ,,

Independent Review: Independent Review is perfonned in accordance with AOP 3.4 as indicated below

t'8l Design review as documented on the following sheet or 15-0681-VR-001, Rev. 0

0 Alternate calculation as documented in attachment or -------------------------1 D Qualification testing as documented in attachment or ----------------------~----11 Independent Reviewer:

~~~~~~~~~~~~--~

APPROVAL FOR RELEASE:

LEAD ENGINEE . Date:

CLIE

TITL

ENT/PROJECT

LE

Rev. N0

System Le

No. Initial

REVIS

Pac

evel Failure M

Release

ION DES

ific Gas & El

Modes & Effe

R

CRIPTIO

ectric Co.

ects Analysis

Revision D

N

s (FMEA)

Description

RPT. NO

REV. NO

PREP

CHK’D

n

O. 15-0681-FO. 0

PAGE 3 OF

DAT

DAT

FMEA-001

42

E

E

DCPP Units 1 & 2 Process Protection System 15-0681-FMEA-001, Rev. 0 System Level Failure Modes and Effects Analysis Page 4 of 42

Diablo Canyon Power Plant

Process Protection System Replacement System Level Failure Modes & Effects Analysis

FIGURES ...................................................................................................................................................... 5

ATTACHMENTS ........................................................................................................................................... 5

1. INTRODUCTION .................................................................................................................................. 6

2. PURPOSE ............................................................................................................................................ 8

3. SCOPE ................................................................................................................................................. 9

4. SYSTEM LEVEL FAILURE MODES EVALUATION .......................................................................... 10

4.1 Environmental Effects ................................................................................................................. 10

4.2 Power Failure .............................................................................................................................. 16

4.3 Software Common Cause Failure ............................................................................................... 18

4.4 Effects of Shared Transmitter Failures ....................................................................................... 21

4.5 Interactions with other Systems .................................................................................................. 22

4.6 Cyber Security Threats ............................................................................................................... 25

5. EVALUATION OF NON-TRICON/ALS PROVIDED PPS EQUIPMENT ............................................ 25

5.1 Analog Device Failure Evaluation ............................................................................................... 25

5.2 Discrete Device Failure Evaluation ............................................................................................. 31

5.3 Isolation Device Evaluation ......................................................................................................... 34

5.4 ALS/Tricon Interface Evaluation .................................................................................................. 34

6. EVALUATION OF FAILURES THAT MAY INITIATE AN FSAR CHAPTER 15 ACCIDENT ............. 35

7. TRICON SUBSYSTEM FMEA ........................................................................................................... 35

7.1 Tricon Platform FMEA ................................................................................................................. 35

7.2 Tricon DCPP Application Specific FMEA .................................................................................... 36

8. ALS SUBSYSTEM FMEA .................................................................................................................. 36

9. INPUT/OUTPUT (I/O) BOARD PROTECTION CHANNEL LOADING EVALUATION ...................... 36

10. SUMMARY AND CONCLUSIONS ..................................................................................................... 38

11. ACRONYMS AND ABBREVIATIONS ................................................................................................ 39

12. REFERENCES ................................................................................................................................... 41


FIGURES Figure 1- System Level FMEA Coverage ..................................................................................................... 8

ATTACHMENTS 1. Failure Modes and Effects Analysis (FMEA) Protection Set I

2. Failure Modes and Effects Analysis (FMEA) Protection Set II

3. Failure Modes and Effects Analysis (FMEA) Protection Set III

4. Failure Modes and Effects Analysis (FMEA) Protection Set IV

5. Failure Modes and Effects Analysis (FMEA) Remote Panels Fire Impact


1. INTRODUCTION

Due to obsolescence and maintenance issues, the existing Process Protection System (PPS) Eagle 21 equipment is being replaced. The Eagle 21 PPS is a digital microprocessor-based system that monitors plant parameters, compares them against setpoints and provides signals to the Solid State Protection System (SSPS) if setpoints are exceeded. The SSPS evaluates the signals through coincident logic and provides command functions (trip/actuation signals) to the Reactor Trip system (RTS) or Engineered Safety Features Actuation System (ESFAS) to mitigate an event that may be in progress. The PPS provides the sensing features of the Reactor Protection System (RPS) while the RTS and ESFAS as directed by the SSPS provide the command features of the RPS at Diablo Canyon Power Plant (DCPP).

The replacement PPS equipment will consist of a microprocessor-based Triconex Tricon Version 10.5 subsystem and an independent and diverse field programmable gate array (FPGA) based Westinghouse Advanced Logic System (ALS) subsystem for each of the four Protection Sets.

This platform is a digital upgrade of a previous digital system that requires a License Amendment for implementation. The License Amendment Request (LAR) was originally submitted to NRC via DCL-11-104, “Process Protection System Replacement,” dated October 26, 2011 [4].

The protection channels which are processed with the Eagle 21 PPS are as follows:

Reactor Coolant Delta-Temperature and Average Temperature (DTTA) Pressurizer Pressure Pressurizer Level Steamflow Feedwater flow (to be eliminated in upgrade)1 Reactor Coolant Flow Turbine Impulse Chamber Pressure Steamline Pressure Containment Pressure Reactor Coolant Wide Range Temperature Reactor Coolant Wide Range Pressure Steam Generator Water Level (narrow range) Pressurizer Vapor Temperature

1 The Feedwater Flow signals and the Steam Flow/Feedwater Flow Mismatch alarms will be removed from the PPS. The flow signals are non-safety-related and will be input to the Digital Feedwater System (DFWCS), which will then generate the Steam Flow/Feedwater Flow Mismatch alarms.


The Eagle 21 protection functions assumed in the UFSAR [3] Chapter 15 accident analyses are as follows:

Overtemperature Delta-Temperature (OTDT) Reactor Trip (RT) Overpower Delta-Temperature (OPDT) RT Pressurizer Pressure Low and High RT Pressurizer Level High RT Containment Pressure High-High Steam Line Isolation (SLI) Steam Line Pressure Low SLI and Safety Injection (SI) Steam Line Pressure High Negative Rate SLI Pressurizer Pressure Low SI Containment Pressure High SI Reactor Coolant Flow Low RT Steam Generator Water Level Low-Low RT and Auxiliary Feedwater

(AFW) Initiation Steam Generator Water Level High-High Turbine Trip and Feedwater

Isolation

The protection functions listed above have been allocated between the Tricon and the ALS PPS subsystems as discussed in the DCPP “Process Protection System Replacement Diversity & Defense-in-Depth Assessment” Topical Report submitted to the NRC (ADAMS Accession No. ML102580726) [5] and approved by the NRC in a Safety Evaluation issued April 19, 2011 [6].

Tricon:

Overtemperature Delta-Temperature (OTDT) Reactor Trip (RT) Overpower Delta-Temperature (OPDT) RT Pressurizer Level High RT Steam Line Pressure Low SLI and Safety Injection (SI) Steam Line Pressure High Negative Rate SLI Steam Generator Water Level Low-Low RT and Auxiliary Feedwater

(AFW) Initiation Steam Generator Water Level High-High Turbine Trip and Feedwater

Isolation

ALS:

Reactor Coolant Flow Low RT Pressurizer Pressure Low and High RT Pressurizer Pressure Low SI Containment Pressure High SI Containment Pressure High-High Steam Line Isolation (SLI)


2. PURPOSE

This System Level Failure Modes and Effects Analysis (FMEA) for the replacement PPS equipment is conducted in accordance with the guidance provided in IEEE Std. 379-2000 [21] as endorsed by Regulatory Guide 1.53, Rev. 2 [8].

This System Level FMEA is performed to provide complete coverage of the replacement PPS. Specifically, it evaluates the equipment not included in the lower level FMEAs that were performed by the platform vendors. It also evaluates interfaces between the Tricon and ALS platforms. References to the Tricon and ALS FMEAs are provided later in this document.

Figure 1- System Level FMEA Coverage


This FMEA in conjunction with vendor provided platform and application specific FMEAs will determine if new or different failure modes are created, as compared to the existing PPS, and if so, will assess those failure modes to identify potential adverse impacts on the design and/or licensing basis for the PPS functions.

The results and conclusions in this document are intended to support Phase 2 of the License Amendment Request process per the guidance of NRC DI&C ISG-06, Section D.9.4.2.1.1 [7].

Attachments 1-4 provide the analysis by Protection Set. The analysis is organized by component or Failure Mode as follows:

1. Sensor Failure 2. ALS Board failures by channels sharing an analog input board 3. Tricon Board failures 4. Remote Devices and components (analog indications/isolation

devices/switches/relays) 5. Power Distribution components 6. Maintenance Workstation (MWS) / Networking components

Failures that result in a trip input to SSPS will be described in the Impact/Conclusion column as resulting in "Reduced coincidence for SSPS actuation." With an active trip signal, SSPS logic has not been met, however, 2 of 3 logic becomes 1 of 2 and 2 of 4 logic becomes 1 of 3 for actuation.

Attachment 5 provides a specific analysis of the impact of fires in remote panels.

Applicable sections of this document may be referenced to provide information related to the components, failure modes or arrangements. Devices that are not modified by this design (e.g. Vital Power feeds to each Protection Set) are not analyzed because no new failure modes or affects are created.

3. SCOPE

The PPS consists of four Protection Sets located in the Cable Spreading Room (128' El). These Protection Sets currently use the Westinghouse Eagle 21 to perform safety-related functions required to mitigate accidents and design basis events analyzed in Chapter 15 of the DCPP FSAR [3].

A Protection Set is a physical grouping of process channels with the same Class-1E electrical channel designation (I, II, III, or IV) that are physically and electronically independent of each other. Each Protection Set is provided with separate and independent power feeds and process instrumentation transmitters. A Protection Set may also be referred to as a “rack set”.

Failures or malfunctions at the System Level may adversely affect redundant components or the over-all system function. This FMEA will consider failures and/or malfunctions at the System Level and will consider the following:

1. Environmental Effects (Section 4.1)


2. Power Failure (Section 4.2)

3. Software Common Cause Failure (Section 4.3)

4. Effects of Shared Transmitters (Section 4.4)

5. Interactions with Other Systems (Section 4.5)

6. Cyber Security Threats (see Section 4.6)

The following additional concerns will be addressed by this FMEA to ensure that total coverage of the PPS upgrade has been achieved by the various FMEAs developed in support of the replacement project:

1. Analog Device Failure Evaluations

Resistance Temperature Detectors (Section 5.1.1)

Pressure/Differential Pressure Transmitters (Section 5.1.2)

Remote Panel Analog Indicators (Section 5.1.3)

Nuclear Instrumentation System Inputs (see Section 5.1.4)

2. Discrete Device Failure Evaluations

Manual Bypass Switches (Section 5.2.1)

Manual Trip Switches (Section 5.2.2)

Manual Out-of-Service (OOS) Switches Section 5.2.3)

3. Isolation Device Failure Evaluation (Section 5.3)

4. ALS/Tricon Interfaces (Section 5.4)

5. Input/Output Board Protection Channel Loading Evaluation (see Section 9)

4. SYSTEM LEVEL FAILURE MODES EVALUATION

4.1 Environmental Effects

The possibility exists that system level functions, and/or redundant instrument functions performed in separate Protection Sets, could be adversely impacted by environmental effects within the cable spreading room. Common cause failures due to: 1) a seismic event; 2) electrical transients; and 3) room temperature and humidity effects are considered below.

4.1.1 Seismic Events

Design Class I PPS equipment and components are to be qualified and installed to satisfy Seismic Category I requirements applicable to DCPP. This will ensure that the equipment is able to perform required safety


related functions during and after a seismic event. Non Class I PPS equipment and components will be seismically supported to prevent damage to or loss of operability of the safety related PPS equipment should a seismic event occur.

Each of the vendors providing replacement PPS equipment was provided with DCPP seismic response spectra for use in qualification of their platforms.

Tricon seismic qualification reference: Section 2.2.4 of Triconex Topical Report [12].

ALS seismic qualification reference: Section 4.2 of ALS Topical Report [16] and Section 12 of the ALS System Design Specification [18].

4.1.2 Electrical Transients

All safety related components are to be qualified to ensure they resist the adverse impacts of electrical transients such as Electromagnetic Interference (EMI) and Radio Frequency Interference (RFI), Electrical Fast Transients (EFT), Electrical Surges, and Electrostatic Discharge (ESD). In addition, devices used for electrical isolation between various instrument classifications will be qualified to perform their isolation function under credible fault conditions.

The qualification also ensures the EMI/RFI emission levels from the PPS devices are below industry accepted levels to prevent interference with adjacent safety related equipment.

Tricon electrical transient qualification reference: Sections 2.2.5, 2.2.6, 2.2.7, and 2.2.8 of Triconex Topical Report [12].

ALS electrical transient qualification reference: Section 4.3 of ALS Topical Report [16] and Section 12 of the ALS System Design Specification [18].

4.1.3 Room Temperature & Humidity

The PPS FRS [1] Section 3.1.4.1 provides the following environmental conditions for which the PPS is to be qualified:

Temperature: 40 to 104°F

Relative Humidity: 0 to 95% (non-condensing)

Pressure: Atmospheric

Radiation: N/A (mild environment)


The ALS Subsystem System Design Specification [18] stipulates a temperature limitation of < 140 °F. The ALS Topical Report [16] stipulates an abnormal relative humidity range of 0-95% for a 12 hour duration.

The Tricon equipment is qualified to meet its performance requirements during and following exposure to abnormal environmental conditions of 40°F to 140°F and 5% to 95% relative humidity [12, 15].

The hazard associated with low humidity is an increased risk of ESD causing component failure [19]. The mitigation is to ensure ESD precautions are followed during maintenance and that chassis are properly grounded.

The cable spreading room environment is monitored to ensure the ventilation system maintains the room temperature and relative humidity within an acceptable range. Inputs are provided to the Main Annunciator System (MAS) when upper limits are exceeded.

A PPS failure caused by abnormal room temperature and/or humidity conditions is unlikely and is similar in magnitude to the existing system.

4.1.4 Radiation

Functional Requirements Specification (FRS) [1] Section 3.1.4 addresses Environmental Conditions and lists Radiation as: N/A (mild environment).

DCM T-20 [23] Section 2.4.3.4 addresses low radiation areas outside of containment.

Nuclear design calculation N-074 has determined the gamma total integrated dose (TID) values, for 40-year normal operation plus 1-year post-LOCA operation, for ten of the eleven designated low radiation areas. The cable spreading room is on this list.

The calculation states that between elevations 127 feet 4 inches and 140 feet the TID has been calculated for:

Unit 1 = 175 + 1 = 176 rad

Unit 2 = 175 + 1 = 176 rad

Section 3.5(b) of DCM T-20 [23] states that PG&E has committed to use 10^3 rads TID outside containment as the threshold gamma exposure, above which qualification for a radiation environment is required.

10CFR50.49 describes a “Mild Environment” as an environment that would at no time be significantly more severe than the environment that would occur during normal plant operations, including anticipated operational occurrences.

Hence, the cable spreading room can be designated as a mild environment and qualification for a radiation environment is not required.


4.1.5 Fire

A large fire in the cable spreading room could credibly disable all four Protection Sets. Per Section 9.5.1.1.9 of the DCPP Final Safety Analysis Report (FSAR) [3], “Capability is provided consistent with GDC 19 and 10 CFR 50, Appendix R, Section III.G, to safely shut down the plant in event of any single fire that can credibly occur.”

Diablo Canyon Power Plant (DCPP) is transitioning to a NFPA 805 Fire Protection Program (FPP) [28] as endorsed by USNRC Regulatory Guide 1.205 [29]. PG&E submitted LAR 13-003 via DCL-13-065 on June 26, 2013 [ML13196A139 [30]. DCPP will be fully licensed to NFPA 805 upon receipt of the Safety Evaluation (SE)/License Amendment (LA), which is expected in spring, 2016. After this, DCPP will have 180 days to fully implement the NFPA 805 FPP, which includes compensatory measures remaining in place until modifications can be installed and declared operational, expected to complete in 1R20 and 2R20. This will supersede the current provisions of 10CFR50.48 (b), 10CFR50 Appendix R and prior regulatory guidance documents.

To reduce the risk of fire in the PPS cabinets, incipient fire detection devices will be installed inside the PPS cabinets with installation dates to be determined by DCPP outage scheduling.

The Project will need to address design impact due to adopting NFPA 805. Most notably in relation to Section 4.5.1 of this FMEA document, wherein external indicators presently provided as analog outputs (and hence, isolated from the transmitters through the current platform) will be processed on the input loop.

Of specific concern are the indicators provided to the Hot Shutdown Panel and vertical boards. The current Eagle 21 platform provides separate isolated analog outputs to Main Control Room (MCR) and Hot Shutdown Panel (HSP) indicators. For those instruments and other systems that do not require adjustable scaling parameters or calculated values, the PPS replacement provides signals directly from the analog input loop in order to reduce the number of failure points (input board, processor, output board, etc.) and also to minimize software common cause failure and control/protection interaction issues (Refer to Section 4.5.1). Although reliability is improved, the possibility is created for a credible fire to adversely affect protective functions that does not exist in the Eagle 21 PPS. Details are provided in Attachment 5.

Both Appendix R and NFPA 805 use a deterministic approach in which it is assumed that, with any fire in a "fire room," all equipment in that room cannot perform its intended function. For the actual racks in the cable spreading room, a credible fire in any one Protection Set would not cause nor prevent a protective function. Any trip outputs would result in reduced SSPS coincidence only. This would not change with the new design. As


noted above, the present system provides several analog outputs to MCR vertical boards and remote indications that are isolated from one another.

It was described above how the new design combines certain signals on the same loop without isolation. A credible fire that renders the MCR uninhabitable could also disable HSP indications if isolation between the MCR and HSP is not provided. Likewise, a credible fire in a remote panel such as HSP could have protective function consequences that are not present in the current design. The following potential effects of a credible fire are the most significant:

4.1.5.1 VB1 Fire

a. Loss of all Containment Pressure Transmitters.

b. All (Set II, II, IV) Containment Pressure High bistables fail to the trip state (DTT) – SI and Phase A Containment Isolation are activated.

c. All Containment Pressure High-High bistables fail to the non-trip state (ETT) – Automatic Containment Spray actuation, Phase B Containment Isolation, and Steamline Isolation are not available.

d. Loss of all Containment Pressure indications, since the transmitters are all lost; there are no indications available from the MWS locally or from the PPC (Plant Process Computer) via the Gateway computer.

4.1.5.2 VB2 Fire (Pressurizer Level)

a. Loss of all Pressurizer Level Transmitters.

b. All Pressurizer Level High bistables fail to the trip state (DTT), SSPS coincidence is met, the reactor trip breakers open

c. Loss of all Pressurizer Level indications. Since the transmitters are all lost, there are no indications available from the MWS locally or from the PPC via the Gateway computer

d. All Pressurizer Level control signals to PCS fail low, loss of level control

4.1.5.3 VB2 Fire (Pressurizer Pressure)

a. Loss of all Pressurizer Pressure indications to the MCR and HSP

b. Loss of Pressurizer Pressure signal to PCS, loss of Pressurizer Pressure control

c. Note: Transmitters are unaffected as there is an isolation device (Class IA/II) for the indicators and PCS. Indications are still available from the MWS locally or from the PPC via the Gateway computer.


4.1.5.4 VB3 Fire (Steamline Pressure)

a. Loss of all Steam Generator (Steamline) Pressure Transmitters

b. All Steamline Low Pressure and High Negative Rate bistables fail to the trip state (DTT), Steamline Isolation coincidence is met

c. Loss of all Steam Generator Pressure indications. Since the transmitters are all lost, there are no indications available from the MWS locally or from the PPC via the Gateway computer

d. Loss of all Steam Generator Pressure signals to DFWCS

4.1.5.5 VB3 Fire (Steam Generator Level)

a. Loss of all Protection Set III and IV Steam Generator Level Transmitters (Protection Set I and II Transmitters are unaffected as there is an isolation device (Class IA/II) for the indicators)

b. Loss of Loop 1 (Set IV: LT-517) and Loop 2 (Set III: LT-528) Steam Generator Level signals to AMSAC

c. Loss of all Steam Generator Level signals to PCS (AFW) and DFWCS

d. Protection Set III and IV associated SSPS bistables fail to the trip state (DTT), coincidence met, reactor trip breakers open

e. Loss of all Steam Generator Level indications. Since the transmitters are all lost, there are no indications available from the MWS locally or from the PPC via the Gateway computer.

4.1.5.6 Hot Shutdown Panel (HSP) Fire

In a separate project, the Hot Shutdown Panel (HSP) is being modified to install temperature Indicators for Reactor Coolant Loop 4 Wide Range Temperature channels TE-443A and TE-443B to conform to the DCPP transition to NFPA 805. The transfer Switch will be installed in the HSP to provide PPS/HSP selection. With the transfer switch selected to the PPS the signal passes through PPS (no Reactor Coolant WR Temperature indication at HSP). When the transfer switch is selected to the HSP the signal will be disconnected from PPS and the Reactor Coolant WR temperature signals to PPS will fail low.

The detailed design should: (1) evaluate the potential to create the possibility for a credible fire to adversely affect protective functions and indications that does not exist in the current design; and (2) determine any additional measures that may be needed to comply with NFPA 805 [28].


In addition, the HSP indications should be separated from the associated MCR loops and provided with isolation to ensure that a credible fire in the HSP would not cause protection functions to activate and disable associated indications.

Attachment 5 addresses the full impact of specific panel fires. Worst case condition of all indicator input loops becoming an open circuit are identified and evaluated.

4.2 Power Failure

4.2.1 Loss of all Vital Power

A loss of vital power to all four Protection Sets would cause a system level failure of the PPS. For this to happen, however, would require multiple mechanical and/or electrical failures in the power feeds from four separate inverters and is therefore not considered a credible failure mechanism. There is no software utilized in the supply of vital power to the PPS and therefore no common cause software failure mechanism. The PPS replacement does not modify the supply of Vital Power to each Protection Set; a loss of all Vital Power does not create a failure mode different from that of the existing PPS.

4.2.2 Loss of Vital Power to a Single Protection Set

A loss of vital power to a single Protection Set is a credible failure mode. This could occur should the vital bus feeder breaker trip/open or a failure occur in the static switch that disconnects available power sources.

Loss of a single Protection Set due to loss of a vital bus would result in the setting of all de-energize-to-trip partial outputs to the SSPS from the Protection Set, with indication of the partial trip signals provided in the main control room, and inability to set energize to trip outputs in that protection set. Due to the redundancy in the PPS design, this condition would not inhibit any safety function from being automatically initiated when required. The loss of vital power to a single Protection Set does not create a failure mode is different from that of the existing PPS.

4.2.3 Rack Power Supply Failures (Tricon)

Rack Power Supplies are PG&E scope and are not provided by the vendor.

The PPS replacement Tricon Class IE equipment utilizes redundant pairs of qualified Class 1E Kepco 24 VDC and 48 VDC power supplies mounted in a Kepco rack adaptor for powering the following:

1. Class IE analog input module (9792-610NJ) powered from redundant 48vdc power supplies which provides 24Vdc power to analog input loop; and


2. Class IE discrete input module (9563-810NJ) powered from redundant 24Vdc power supplies which provide 24Vdc power to discrete loop input, and Class IE analog loop output power (24 VDC).

120 VAC vital power is provided to the rack adaptor via two separate circuit breakers with each circuit breaker providing power to one power supply of each redundant pair. This configuration (which is typical for all four Protection Sets) prevents a single failure downstream of the 120 VAC vital supplies to the Protection Set from causing a loss of both power supplies of a redundant pair. One operable power supply is adequate to power all loads associated with the redundant pair.

The PPS replacement Tricon Class II equipment utilizes redundant pairs of Kepco 24 VDC power supplies mounted in a Kepco rack adaptor for powering the following:

1. Class II analog loop output power (24 VDC); and

2. Class IE/II isolator power (24 VDC).

120 VAC power is provided to the rack adaptor via two separate circuit breakers with each circuit breaker providing power to one power supply of each redundant pair. As with the Class IE rack power supplies, this configuration prevents a single failure downstream of the 120 VAC vital supplies to the Protection Set from causing a loss of both power supplies of a redundant pair and is typical for all four Protection Sets.

Each rack power supply has a failure relay that will provide an input to the Power Supply Failure Logic such that a PPS Trouble or PPS Failure alarm signal to the Main Annunciator System (MAS) will be generated as required by and constrained by requirements contained in the Functional Requirements Specification (FRS) [1] and Interface Requirements Specification (IRS) [2].

A loss of one critical instrument power supply (redundant supply working) or loss of one or both non-critical instrument power supplies (of a redundant pair) will cause actuation of the PPS Trouble annunciator in the main control room. There is no adverse impact to any Tricon provided protective function.

A loss of both critical instrument power supplies (of a redundant pair) will cause actuation of the PPS Failure annunciator in the main control room. Due to the redundancy provided by the other 3 Protection Sets, there is no adverse impact to any Tricon provided protective function. The loss of both critical instrument power supplies of a redundant pair does not create a failure mode that is different from that of the existing PPS.


4.2.4 Rack Power Supply Failures (ALS)

Rack Power Supplies are PG&E scope and are not provided by the vendor.

The PPS replacement ALS equipment utilizes redundant pairs of qualified Class 1E Kepco 24 VDC and 48 VDC power supplies mounted in a Kepco Model rack adaptor for powering the following:

1. ALS-A/ALS-B chassis power (48 VDC);

2. ALS-A/ALS-B Core Logic Board (48 VDC);

3. ALS-A/ALS-B analog loop input power (24 VDC); and

4. ALS-A/ALS-B contact wetting power (48 VDC).

120 VAC vital power is provided to the rack adaptor via two separate circuit breakers with each circuit breaker providing power to one power supply of each redundant pair. This configuration (which is typical for all four Protection Sets) prevents a single failure downstream of the 120 VAC vital supply to the Protection Set from causing a loss of both power supplies of a redundant pair. One operable power supply is adequate to power all loads associated with the redundant pair.

Each rack power supply has a failure relay that will provide an input to the Power Supply Failure Logic such that a PPS Trouble or PPS Failure alarm signal to the Main Annunciator System (MAS) will be generated as required by and constrained by requirements contained in the FRS [1] and IRS [2].

A loss of one critical instrument power supply (redundant supply working) will cause actuation of the PPS Trouble annunciator in the main control room. There is no adverse impact to any ALS provided protective function.

A loss of both critical instrument power supplies (of a redundant pair) will cause actuation of the PPS Failure annunciator in the main control room. Due to the redundancy provided by the other 3 Protection Sets, there is no adverse impact to any ALS provided protective function. The loss of both critical instrument power supplies of a redundant pair does not create a failure mode that is different from that of the existing PPS.

4.3 Software Common Cause Failure

4.3.1 Tricon Platform

Since it is not possible to ensure that software errors do not exist, software common cause failure relative to the software-based Tricon subsystem was considered and evaluated.


A Diversity and Defense-in-Depth Assessment was performed for the proposed replacement PPS equipment, which demonstrated that the replacement PPS would continue to satisfy design basis requirements as identified in Chapter 15 of the DCPP Final Safety Analysis Report (FSAR) [3] even with consideration of a postulated software common cause failure within the Tricon subsystem. The DCPP “Process Protection System Replacement Diversity & Defense-in-Depth Assessment” Topical Report [5] was submitted to the NRC and approved by the NRC in a Safety Evaluation issued April 19, 2011 [6].

4.3.1.1 Events that do not require the PPS for primary or backup operation

Refer to Section 3.1.1 and Table 3-2 of the Diversity & Defense-in-Depth Assessment Topical Report [5]

4.3.1.2 Events that do not require the PPS for primary but require the PPS for backup protection


4.3.1.3 Events that require the PPS for primary protection signals but receive automatic backup protection from systems other than the PPS


4.3.1.4 Events that assume the PPS for primary and backup protection signals for some aspect of the automatic protection

Refer to Sections 3.1.4, 3.1.5, and Table 3-5 of the Diversity & Defense-in-Depth Assessment Topical Report [5]

4.3.2 Software Common Cause Failure – ALS

Section 2.3.2 of the Diversity and Defense-in-Depth Assessment Topical Report [5] provides a brief description of the ALS equipment and how concern for ALS software common cause failure is addressed through incorporation of additional design diversity in the FPGA-based hardware system and use of qualified design practices and methodologies to develop and implement the hardware. The Diversity and Defense-in-Depth Assessment states and defends the conclusion that the diverse ALS cannot be affected by a software common cause failure that affects the Tricon.

4.3.2.1 Events that assume the PPS for primary and backup protection signals for some aspect of the automatic protection

Refer to Sections 3.1.4, 3.1.5, and Table 3-5 of the Diversity & Defense-in-Depth Assessment Topical Report [5].


4.3.3 Partial losses due to software Common Cause Failure (CCF)

There is no software-based communication between or among individual Protection Sets. There is no digital communication of safety-related information between the software-based Tricon and the logic-based ALS. No database information or equipment that uses software is shared between Protection Sets within Tricon or ALS portions of the replacement PPS. The PPS replacement provides sufficient design diversity to automatically mitigate the DCPP FSAR Chapter 15 events should a software CCF occur in the PPS replacement concurrent with the event. Refer to the PPS replacement Diversity and Defense-in-Depth and Topical Report Submittal [5] as confirmed by the NRC SER [6]. Temperature indications (Pressurizer vapor space, Reactor Coolant System (RCS) narrow and wide range temperature) are transmitted from the logic-based ALS to the software-based Tricon via analog signals, a direct wire connection. The Tricon-based portion of the PPS replacement shares the Pressurizer Pressure analog signals with the ALS portion of the PPS replacement. The transmitter output is not processed by software upstream of either the Tricon or ALS analog input boards. Since the signal is shared at the transmitter (4-20 mA analog) output, a software failure in either ALS or Tricon cannot affect the other subsystem.

The Nuclear Instrumentation System (NIS) provides diverse automatic protection should a failure in either the ALS or Tricon disable the OPDT and OTDT trip functions.

4.3.3.1 Partial or complete losses of the Tricon portion of the PPS

The individual Tricon Protection Set application programs are different from each other; however, the Tricon uses the same processors, programming language and function blocks within the redundant Protection Sets. Therefore, the Tricon was assumed to be vulnerable to software CCF. The ALS subsystem mitigates the Tricon CCF vulnerability. Refer to the PPS Diversity Topical Report [5] for details.

4.3.3.2 Partial losses of the ALS portion of the PPS

Concern for ALS software CCF is addressed through incorporating additional design diversity in the FPGA-based hardware system.

The ALS subsystem in each Protection Set in the PPS replacement provides two independent chassis (“A” and “B”) comprised of the ALS-102 Core Logic Boards (CLB), input boards and output boards.


Core Diversity between chassis is implemented for each of the FPGAs on all of the ALS boards in order to mitigate the possibility of a software CCF between the chassis. The same software CCF cannot affect both ALS chasses.

The independent chassis execution path outputs are combined in hardwired logic as shown to ensure that the protective action is taken if directed by either path. A single failed path cannot prevent a protective action.

Therefore, the design diversity provided by the logic-based ALS portion of the PPS replacement ensures that all accidents and events credited with automatic PPS mitigation in DCPP UFSAR [3] Chapter 15 Safety Analyses continue to be mitigated automatically with a concurrent software CCF. The PPS replacement provides automatic mitigation for events that currently require manual protective action should a CCF disable the Eagle 21 primary and backup protection functions.

4.4 Effects of Shared Transmitter Failures

4.4.1 Pressurizer Pressure transmitters

Pressurizer Pressure transmitters in each Protection Set are shared by the two platforms for analog signal inputs. Loop power is provided by the Tricon subsystem from redundant sources. All other analog input transmitters are independent of the other subsystem.

The ALS subsystem provides processing and logic for functions associated with Pressurizer Pressure, the Tricon subsystem provides processing and logic associated with DTTA, these functions are independent of one another, sharing only the transmitter input. A failure in one subsystem cannot affect the other subsystem.

The failure of a single Pressurizer Pressure transmitter would neither cause nor prohibit a protective feature. The required protective functions would still be available from the three redundant Protection Set channels with reduced coincidence.

In summary, sufficient redundancy exists within the four Protection Sets that no single evaluated Pressurizer Pressure transmitter failure creates a condition that adversely affects the safe operation of the plant differently than the existing PPS.

4.4.2 Steam Generator pressure transmitters

Steam Generator transmitters are shared between the steam generator pressure channel and the associated loop steam flow channel for density compensation; that is, a single pressure transmitter is shared by two analog input channels. Both channels reside on a single analog input board in the Tricon platform and are independent of the ALS platform.


The use of two separate analog inputs allows taking the steam pressure channel out of service (OOS) without affecting the associated steam flow channel. The new PPS does not provide separate analog input channels; instead, the single Steam Pressure analog is input to the Steam Flow channel in software. Failure of the transmitter or the common analog input board does not result in a mode of failure that is different from the Eagle 21 PPS.

The steam flow channel does not perform a safety function. The replacement PPS will allow the Steam Flow channel to be removed from service without affecting the steam pressure channel. .

4.5 Interactions with other Systems

4.5.1 Analog Signal Inputs

The existing PPS system provides signal inputs (4-20 mA) to other systems and the replacement PPS will continue to provide those signals with one exception. Analog Signal inputs to the PPC will be replaced with digital signals transmitted via an isolated communications network (Section 4.5.3).

For those instruments that do not require adjustable scaling parameters or calculated values, the PPS replacement provides signals to these other systems directly from the analog input loop in order to reduce the number of failure points (input board, processor, output board, etc.) and possibility of software common cause failure issues. This is an improvement from the existing PPS. However, a potential fire impact is created that does not exist in the Eagle 21 PPS. See Section 4.1.5.

The following systems will receive inputs directly from the analog input loops by the replacement PPS:

Indicators (Section 5.1.3)

AFW – Auxiliary Feed Water (AFW is a function of PCS and not an independent system)

AMSAC – ATWS Mitigation System Actuation Circuitry

DFWCS – Digital Feedwater Control System

PCS – Process Control System

RVLIS – Reactor Vessel Level Indication System

Isolation devices (Section 5.3) are required for instrument class break isolation (Class IA to II) on the transmitter input loop for each of these systems with the exception of some indicators which are Class IB-A-1 and do not require an isolation device. Multiple outputs may share the same


isolation device, with the exception of AMSAC which has dedicated isolation devices. However, introduction of these un-isolated indicators on the analog input loops introduces a new failure mode where an open circuit of the analog indicator would result in the same failure as an open circuit of the transmitter. The existing PPS system has these indicators on the analog output loops where a failure would not have any effect on protective functions.

Similarly, a failure of an isolation device that results in an open circuit condition on the input loop side of the device would result in the same failure as an open circuit of the transmitter. AMSAC is not subject to a new failure mode as the existing PPS provides outputs from the input loops through an existing isolation device which will be replaced (Section 5.3).

The result of indicator or isolation device failure is no different than a transmitter failure in the existing PPS.

Attachment 1, 2, 3 and 4 provide a listing of all input loop components and an evaluation of the impact of a failure (open circuit or short circuit) on plant operation.

In summary, sufficient redundancy exists within the four Protection Sets that no single evaluated input loop component failure creates a condition that adversely affects the safe operation of the plant differently than the existing PPS.

4.5.2 Alarm Indications – Main Annunciator System (MAS)

The existing PPS system provides alarm indications to the MAS for activation in the MCR. These alarms will still be provided, but will have specific components due to the diversity in platforms.

4.5.2.1 Triconex System MAS Alarms

The Triconex System will provide the following alarms: PPS Failure PPS Trouble PPS OOS (Energize-to-Alarm) PPS Bypass (Energize-to-Alarm) PPS RTD Failure (Energize-to-Alarm) PPS S/G TTD Timer Actuated (Energize-to-Alarm)

4.5.2.2 ALS System MAS Alarms

The ALS System will provide the following alarms:

PPS Failure


PPS Trouble PPS OOS (Energize-to-Alarm) PPS Bypass (Energize-to-Alarm)

ALS Chassis A and ALS Chassis B will each provide the above alarms independent of one another.

Where applicable, Attachment 1, 2, 3 and 4 address alarm indications for the MAS for each Protection Sets I, II, III, and IV, respectively, as a method of detection. For Pressurizer Pressure, the applicable system generating the alarm is described.

Relay K1W (Protection Set 1; typical for Sets II, III, and IV) provides an independent MAS alarm that does not have any interaction with nor adverse impact on any PPS safety-related functions. It provides an indication that at least one pair of manual bypass switches are set concurrently, but the current design does not permit determining which switches are set without a physical inspection. This condition exists in multiple instances in all four protection sets.

There is no reflash capability to the MAS alarm associated with Relay K1W (Set 1; typical for Sets II, III, and IV). The wiring and relay configuration should be re-evaluated and revised to provide a useful indication.

4.5.3 MWS and Gateway Computer

The MWS and the Gateway Computer are PG&E scope and are not provided by the vendor. The vendors provide the software application for the MWS (ALS – ASU, Triconex – InTouch). PG&E will provide the software application for the Gateway Computer without support from the vendors. Both the ALS System and the Triconex System provide status information to a local MWS (one in each Protection Set) and to the Gateway Computer via digital transmissions. The MWS and the Gateway Computer are Class II, non-safety related systems. The MWS provides an interface for system status information and for maintenance functions to be performed. The Gateway Computer provides an interface to remote vertical board monitoring in the MCR and inputs to the PPC for display. This component was installed by the PCS project and is not modified (hardware) by the PPS replacement project.


Both systems utilize unidirectional communications/isolation allowing data to go out from the platforms but preventing incoming transmissions. This maintains isolation from external systems. The ALS communications are via RS-422 serial communications, the Tricon communications are via Ethernet. Although the Gateway computer will receive the same data as the MWS, specific indications or functions associated with failure detection are not used in this document as there is no specification or application written at this time.

4.6 Cyber Security Threats

The PPS replacement design will comply with 10CFR 73.54 “Protection of Digital Computer and Communications Systems and Networks” [24] and the DCPP Cyber Security Plan (CSP) which was developed following the guidance of Nuclear Energy Institute, NEI 08-09 “Cyber Security Plan for Nuclear Power Reactors” [25].

The DCPP CSP was accepted by the Nuclear Regulatory Commission (NRC) in a Safety Evaluation issuing Amendment 210 to Facility Operating License DPR-80 (Unit 1) and Amendment 212 to Facility Operating License DPR-82 (Unit 2) [26]. The DCPP CSP was found to be acceptable by the NRC staff as comparable to NRC Regulatory Guide 5.71, “Cyber Security Programs for Nuclear Facilities” [10], to satisfy the requirements contained in 10 CFR 73.54, “Protection of Digital Computer and Communications Systems and Networks.”

With regard to software development, NRC Regulatory Guide1.152, “Criteria for use of Computers in Safety Systems of Nuclear Power Plants” [11] describes a method that the NRC deems acceptable for complying with regulations for promoting high functional reliability, design quality, and security for the use of digital computers in safety systems for nuclear power plants. In the context of Regulatory Guide 1.152, “security” refers to protective actions taken against a predictable set of non-malicious acts that could challenge the integrity, reliability, or functionality of a digital safety system.

The Tricon and ALS vendors addressed the establishment of a secure development and operational environment in their respective Topical Reports: Tricon [12] Section 5.3, and ALS [16] Section 8.

5. EVALUATION OF NON-TRICON/ALS PROVIDED PPS EQUIPMENT

5.1 Analog Device Failure Evaluation

5.1.1 Resistance Temperature Detector (RTD)

RTDs are used to determine:


Reactor coolant loop wide range hot and cold leg temperatures (all loops)

Reactor coolant loop narrow range hot and cold leg temperatures (all loops) for use in the Delta-T/Tavg (DTTA) protection channels

Pressurizer vapor space temperature

All RTDs are input to the ALS subsystem for conversion from resistance to temperature. A 4-20 mA analog output scaled to the required temperature range is provided for input to the safety related Tricon processor in the same Protection Set.

Within a Protection Set, the RTDs are allocated between the ALS-A and ALS-B chasses (they are not shared) to minimize operational impact in the event of a loss of processing capability by either ALS chassis.

Wide Range RTDs are allocated as follows:

ALS-A Chassis

o Protection Set 1 – Loop 1 Thot/Tcold


ALS-B Chassis



Allocating Wide Range RTDs to separate chassis is an improvement over the existing PPS which processes both loops on the same RTD input board.

Narrow Range RTDs for each Protection Set (RCS Loop) are allocated as follows:

ALS-A Chassis

o 3 – Thot RTDs

o 1 – Tcold RTD

ALS-B Chassis

o 3 – Thot RTDs

o 1 – Tcold RTD


Allocating Narrow Range Tcold RTDs to separate chassis is an improvement over the existing PPS which processes both Tcold signals on the same RTD input board.

The three spare Narrow Range Thot RTDs that are not processed by the existing PPS will be active (ALS-B Chassis) to provide reliability. Therefore, detection of a failure and the ability to use the redundant Narrow Range Thot RTDs to provide DTTA functions is an improvement over the existing system.

Pressurizer Vapor Space Temperature is a single RTD input allocated to ALS-A Chassis in Protection Set 4 only. It provides an input to RHR Valve 8701 Interlock on Low temperature and a MAS alarm on High temperature. The Interlock requires an input from a Wide Range Pressure Channel as well; therefore a single failure of the RTD will result in the same condition as the existing system.

In addition, the inputs to the Tricon are applied to two different AI modules. One loop of WR (Tcold/Thot), one Tcold and three Thots are applied to each module in order to mitigate the possibility of losing all temperature inputs to a faulted FTP or module. Therefore, one ALS chassis supplies inputs to one Tricon AI module and the other ALS chassis supplies the remaining AI module.

The potential failure modes for RTDs are open circuit or short circuit.

Attachment 1, 2, 3 and 4 provide a listing of all RTDs and an evaluation of the impact of a failure (open circuit or short circuit) on plant operation.

Excessive deviation detection is a function of the Tricon subsystem logic (SQA2 and SQA3 functions) and are evaluated by the Tricon application specific FMEA [14].

Sufficient redundancy exists within the four Protection Sets that no single evaluated RTD failure creates a condition that adversely affects the safe operation of the plant.

5.1.2 Pressure/Differential Pressure Transmitter

Pressure/Differential Pressure transmitters are used to determine:

Reactor coolant flow (all loops)

Pressurizer pressure

Pressurizer level

Loops 3 and 4 wide range pressure

Steamflow (all steamlines)

Steamline pressure (all steamlines)

Steam generator level (all steam generators)


Turbine impulse chamber pressure

Containment pressure

Reactor Coolant Flow, Containment Pressure, and Pressurizer Pressure transmitter inputs are processed through the ALS subsystem; all other transmitters are processed by the Tricon subsystem.

Pressurizer Pressure transmitter is shared (see Section 4.4) by the ALS and Tricon subsystems, with loop power provided by the Tricon subsystem in each Protection Set.

The transmitters are qualified Class I devices that do not contain software, hence are not subject to common cause software failure.

The potential failure modes evaluated for transmitters include open circuit, short circuit.

A transmitter failure that causes the transmitter output to fail as-is (i.e., “freeze”) was not specifically evaluated for the PPS Replacement, because PPS behavior in response to such a frozen input signal is not different from the existing system.

Tricon field input circuits are protected by a Positive Temperature Coefficient (PTC) device in the Tricon 9792-610NJ Field Termination Panel (FTP) that opens the field circuit when it senses high current and recloses the circuit when the overcurrent condition is removed. Therefore, the Tricon input signal fails low due to transmitter power interruption when the PTC opens due to a short circuit in the field wiring.

If an open circuit occurs in an ALS process transmitter field circuit, the signal will fail Out of Range (OOR) low and generate a channel integrity error (CIE).

A short circuit in the ALS process transmitter field circuit may cause an OOR high condition if the external fuse does not open or an OOR low condition if the fuse opens. ALS analog input field wiring and electronics are provided with circuit protection to prevent damage should a short circuit occur in the field wiring or the process transmitter.

In either case, the CIE will generate appropriate alarms (PPS Failure or PPS Trouble). A CIE will cause the Analog Output Channel Health (AOCH) and Digital Output Channel Health (DOCH) functions to place the channel I/O in the specified fail-safe condition.

Attachment 1, 2, 3 and 4 provide a listing of all the input transmitters and an evaluation of the impact of a failure (open circuit, short circuit) on plant operation.

In summary, sufficient redundancy exists within the four Protection Sets that no single evaluated transmitter failure creates a condition that


adversely affects the safe operation of the plant to a greater extent than that of the existing PPS.

5.1.3 Remote Panel Analog Indicators

For those instruments which do not require adjustable scaling parameters or calculated values, the PPS replacement provides signals to remote panel analog indicators directly from the analog input loop in order to reduce the number of failure points (input board, processor, output board, etc.) and possibility of software common cause failure issues. This is an improvement from the existing PPS. However, a potential fire impact is created that does not exist in the Eagle 21 PPS. See Section 4.1.5.

Where instrument class break isolation is not required for a particular analog panel indicator, failure modes evaluated will be open circuit or short circuit occurring at the indicator.

For analog indicators that require instrument class break isolation, qualified isolation devices will be used on the transmitter input loop (Section 5.3).

Analog Outputs provided by the ALS and Tricon subsystems require no isolation devices as the vendors provided the boards as qualified isolation devices. PPS behavior in response to a failure in the output loops is not different from the existing system.

Since each of the diverse chassis of the ALS System process the same transmitter inputs, they are each capable of providing analog outputs to remote indications. For Protection Sets I, II and III, Loop 1and Loop 2 RCS flow indications are processed by Chassis A, Loop 3 and Loop 4 by Chassis B. Therefore, the failure of a single ALS-102 or output board in a chassis will only affect two flow indications, an improvement over the present system where all four indications are processed by the same processor and output board. PPC signals provided by the existing PPS system as discrete analog outputs will be provided as digital values to the Gateway computer via communication boards and independent isolation devices.

Attachment 1, 2, 3 and 4 provide a listing of the affected remote panel analog indicators and an evaluation of the impact of a failure (open circuit or short circuit) on plant operation.

In summary, sufficient redundancy exists within the four Protection Sets that no single evaluated remote panel analog indicator failure creates a condition that adversely affects the safe operation of the plant.

5.1.4 Nuclear Instrumentation System (NIS) - Neutron Monitoring Inputs

Each Protection Set DTTA channel receives upper and lower neutron flux signals (0-10 VDC) from the Power Range NIS. The neutron flux signals


are processed by the Tricon subsystem and are used to determine flux imbalance which is used in the calculation of DTTA Overpower (OPDT) and Overtemperature Delta-T (OTDT) setpoints.

The potential failure mode evaluated for the neutron flux value is a loss of signal from the NIS. This condition could be the result of either a failure of the NIS or a “wire-off” condition.

A NIS failure that results in a 0.0 VDC input to the PPS would not be detected by the Tricon as an out-of-range low signal because the value is within the lower limit of the Tricon 3703EN analog input board (range 0.0 – 10.0 VDC).

However, under normal conditions (Mode 1 100% power) a signal input of 0.0 VDC would result in a change of OPDT and OTDT setpoints that would be immediately indicated to the operator. Channel checks by Operations would indicate that the neutron flux signal is not consistent with thermal power as represented by the ∆T measurement.

A failure during shutdown operations would most likely be found during a Nuclear Instrumentation calibration. A failure during power ascension/descension would also be detected by the operator due to the neutron flux signal was not consistent with thermal power as represented by the ∆T measurement.

A failure that causes the NIS signal to fail low (0.0 VDC) is not different than the existing system.

A NIS failure that is a result of a “wire-off” condition would be indicated by the 3703EN AI board due to open circuit detection which identifies the condition where the input signal fails low due to an open circuit in the field wiring.

Detection of a failure that causes the NIS signal to fail low (open circuit) is an improvement over the existing system.

Upon detection, the affected DTTA channel would be considered inoperable and handled in accordance with administrative procedures.

The required Overtemperature and Overpower Delta-T reactor trip protective functions would still be available from the three redundant Protection Set DTTA channels with reduced coincidence (2 out of 3 versus 2 out of 4) logic.

In summary, sufficient redundancy exists within the four Protection Sets that no single evaluated NIS signal failure creates a condition that adversely affects the safe operation of the plant.

5.1.5 Reactor Coolant WR Temperature (TE-443A/443B) HSP transfer switch

The Hot Shutdown Panel (HSP) will be modified to install temperature Indicators for Reactor Coolant Loop 4 Wide Range Temperature channels


TE-443A and TE-443B to conform to the DCPP transition to NFPA 805 [28]. A transfer switch will provide PPS/HSP selection. The transfer switch is located in a panel that is separate from the HSP so that a credible HSP fire cannot adversely affect the PPS Loop 4 Wide Range Temperature Channels.

With the transfer switch selected to “PPS” the signals pass through PPS (no Reactor Coolant WR Temperature indication at the HSP). With the transfer switch selected to the HSP the signal will be disconnected from PPS. The Reactor Coolant WR temperature signals to PPS and to the PPC (via the Gateway computer) will fail low.

There are no feedback signals to the PPS for transfer switch position; however, the MAS Tricon Trouble alarm is activated when the transfer switch is selected to the HSP due to OOR low condition generated by the ALS platform (Loop 4 WR Hot/Cold RTD cut out from PPS).

5.2 Discrete Device Failure Evaluation

5.2.1 Manual Bypass Switches

5.2.1.1 ALS Platform

Manual Bypass switches are provided for each ALS subsystem comparator output to facilitate maintenance on one ALS subsystem chassis (such as IO module replacement) while maintaining operability via the diverse ALS chassis. The switches provide a method to maintain the non-tripped state of the comparator output to the SSPS without software.

These switches are qualified Class 1E devices with three sets of contacts, or poles.

1. One set of contacts is used to maintain the non-tripped condition of the ALS comparator output to the SSPS.

a. DTT – This set maintains a signal path through the LSM that bypasses the output relay for a single chassis. Closing one switch (A or B) bypasses only that chassis contact output; the other chassis contact is still functional and can perform the safety function.

b. ETT – This set provides an open circuit for the signal path through the LSM. The contact outputs from the chassis are in parallel, setting one switch (A or B) bypasses only that chassis contact output, the other chassis contact is still functional and can perform the safety function.

2. A second set of contacts is used for a digital input to the ALS subsystem logic. The logic is used to suppress system trouble alarms that might actuate due to maintenance activities when the contact is bypassed. The logic also provides an input to the Bypass alarm logic


for contact actuation of the PPS Channel in Bypass Alarm from the Main Annunciator System (MAS).

3. The third contact is used to actuate a relay when at least one pair (A and B Manual Bypass Switches for any single channel) are both closed. The relay provides an alarm input to the MAS, independent of the ALS logic. This alarm does not have reflash capability.

The relay is a qualified isolation device, which will prevent credible faults on the Class II (contact) side of the device from adversely affecting Class I circuits on the coil side of the device.

5.2.1.2 Tricon Platform

Manual Bypass switches are provided for Turbine Impulse Pressure High (PC-505A and PC-506A) to facilitate maintenance. These switches provide a method to maintain the non-tripped state of the comparator output to the SSPS.

These switches are qualified Class 1E devices with two sets of contacts, or poles.

1. One set of contacts is used to maintain the non-tripped condition of the Tricon comparator output to the SSPS.

2. A second set of contacts is used for a digital input to the Tricon logic. The logic is used to suppress system trouble alarms that might actuate due to maintenance activities when the contact is bypassed. The logic also provides an input to the Bypass alarm logic for contact actuation of the PPS Channel in Bypass Alarm from the Main Annunciator System (MAS).

5.2.1.3 Failure Modes

The potential failure modes evaluated for the Manual Bypass switches include failed open contact and failed shorted contact. Attachments 1, 2, 3 and 4 provide a listing of all the Manual Bypass switches and an evaluation of the impact of a failure (failed open or failed closed contact) on plant operation.

Sufficient redundancy exists within the four Protection Sets that no single evaluated manual bypass switch failure creates a condition that adversely affects the safe operation of the plant.

5.2.2 Manual Trip Switches

Manual trip switches are provided in the output circuitry of each Tricon and ALS DTT (de-energize-to-trip) comparator output to the Solid State Protection System (SSPS). These switches are wired to provide an external and independent means of providing the trip/actuate protective


action of the associated comparator output. There are no Manual Trip Switches associated with ETT outputs.

Status downstream of the manual trip switch is monitored by the Tricon or ALS subsystem (via the LSM circuitry for ALS). If the channel is in service, then the Tricon or ALS subsystem will actuate a Trouble alarm output to the Main Annunciator System (MAS) for a Trip-without-Demand condition.

The potential failure modes evaluated for the manual trip switch include failed open contact and failed shorted contact.

Attachment 1, 2, 3 and 4 provide a listing of all the manual trip switches and an evaluation of the impact of a failure (failed open or failed closed contact) on plant operation.

In summary, sufficient redundancy exists between the four Protection Sets that no single evaluated manual trip switch failure creates a condition that adversely affects the safe operation of the plant.

5.2.3 Manual Out-of-Service (OOS) Switches (Tricon subsystem only)

Manual OOS switches are provided to facilitate on-line testing and parameter updates for the channels processed by the Tricon subsystem. These switches are qualified Class 1E devices with dual contacts.

1. One contact provides an input to the Tricon to enable placing a channel out of service for maintenance. The Tricon will provide an output to the Main Annunciator System (MAS) to actuate the Protection Set level “Channel OOS” annunciator in the Main Control Room when a channel has been removed from service via the Maintenance Workstation “Request and Confirm” process. This alarm has reflash capability.

2. The second contact is used to actuate a relay when at least one switch is closed. The relay provides an alarm input to the MAS, independent of the Tricon logic. This alarm does not have reflash capability.

The relay is a qualified isolation device, which will prevent credible faults on the Class II (contact) side of the device from adversely affecting Class I circuits on the coil side of the device.

The potential failure modes evaluated for the manual OOS switch include failed open contact and failed shorted contact.

Attachments 1, 2, 3 and 4 provide a listing of all the manual OOS switches and an evaluation of the impact of a failure (failed open or failed closed contact) on plant operation.


In summary, no single evaluated manual OOS switch failure creates a condition that adversely affects the safe operation of the plant.

5.3 Isolation Device Evaluation

Current loop isolation devices will be purchased and qualified by PG&E to provide analog (4-20 mA/4-20 mA) signal isolation where required to implement instrument class breaks between Class I instrument loops and interfacing external systems per IEEE 603 Clause 6.3 requirements. These devices are used to isolate signals on the Class I transmitter input loops (see Section 4.5) and will prevent credible faults (short circuit, open circuit, application of 120 VAC and 125 VDC fault voltages) on the Class II side of the device from having an unacceptable adverse impact on the Class I side.

The isolation devices are analog with no software component and therefore are not subject to a software common cause failure. The devices are powered from a Class IE power source and are qualified to meet IEEE 603 requirements for separation of safety and control circuits as described in the PPS LAR and Supplement.

The failure modes evaluated for the isolation devices will be open circuit or short circuit occurring at the isolation device.

Attachment 1, 2, 3, 4 provide a listing of all the isolation devices being used and an evaluation of the impact of a failure (open circuit or short circuit) on plant operation.

In summary, sufficient redundancy exists within the four Protection Sets that no single evaluated isolation device failure creates a condition that adversely affects the safe operation of the plant.

5.4 ALS/Tricon Interface Evaluation

No direct digital interfaces exist between the ALS and Tricon subsystems.

The ALS subsystem does provide 4-20 mA analog output signals scaled to the temperature ranges required by the Functional Requirements Specification [1] to the Tricon for all temperature signals processed by the PPS. This is strictly a wiring interface which will be verified during the Site Acceptance Test and Design Validation Testing (which is performed after installation in the affected plant unit).

Failure of an analog output (ALS subsystem) or analog input (Tricon subsystem) is evaluated by the vendor level FMEAs [19, 13, respectively].

No evaluation of failure modes associated with an ALS/Tricon interface per this document is required.

Although not an interface between the ALS and Tricon subsystems, the Pressurizer Pressure transmitter current loop is shared by each subsystem in each Protection Set (see Section 4.4).


The failure modes evaluated for transmitter input loops are included in the evaluation done per Section 5.1.2.

6. EVALUATION OF FAILURES THAT MAY INITIATE AN FSAR CHAPTER 15 ACCIDENT

The ALS subsystem provides front-end processing for RCS temperatures that are used by the Tricon subsystem for protective functions within the same Protection Set. The Tricon provides Class 2 temperature signals that are also used for non-safety related control functions outside the PPS. The four Protection Sets (in the Tricon subsystem) separately calculate and provide isolated analog outputs of Tavg for use by the Rod Speed and Direction Control System. The four Tavg signals are auctioneered with the highest Tavg used for control by the Rod Speed and Direction Control System.

A common cause failure of the Tricon subsystem that resulted in a failed low Tavg signal from all four Protection Sets while the reactor is at power, could result in an uncontrolled rod cluster control assembly bank withdrawal at power.

This event is evaluated in Section 15.2.2 of the FSAR [3]. The analysis concludes that the protections provided by high neutron flux (which is diverse to the PPS) and the OTDT trip channels would provide adequate protection.

This event is also evaluated in the Process Protection System Replacement Diversity & Defense-in-Depth Topical Report [5], Section 3.1.3 and Table 3-4 with the same conclusion.

7. TRICON SUBSYSTEM FMEA

The Tricon is a commercial grade PLC that has been qualified for use in safety related applications as described in the “Equipment Qualification Summary Report,” Triconex Document 9600164-545 [15].

The failure modes evaluation of the Tricon subsystem is addressed by references to documents produced by Invensys Operations Management.

Input/Output (I/O) board loading is evaluated in Section 9 to ensure that protection channel reliability is not adversely affected.

7.1 Tricon Platform FMEA

The failure modes and effects evaluation of the Triconex V10 system is documented in the “FMEA for the Tricon Version 10.2 Programmable Logic Controller” [13]. The FMEA was performed in accordance with the applicable requirements of EPRI TR-107330 [26] while following the techniques of Appendix A and Sections 4.1, 4.4, and 4.5 of ANSI/IEEE Std. 352-1987 [20].


7.2 Tricon DCPP Application Specific FMEA

The failure modes and effects evaluation of the Triconex DCPP application is documented in Triconex Document 993754-1-811, “DCPP Failure Modes and Effects Analysis” [14].

8. ALS SUBSYSTEM FMEA

The diverse ALS subsystem platform utilizes Field Programmable Gate Array (FPGA) hardware logic rather than a microprocessor and therefore has no software component required for operation of the system. The built-in diversity of the ALS subsystem described in the “Advanced Logic System Topical Report” [16], ensures that the PPS replacement will perform the required safety functions automatically in the presence of a postulated common cause failure without an adverse impact on the operator’s ability to diagnose the event or perform manual actuation activities.

The USNRC has issued a Safety Evaluation Report (SER) [9] for use of the ALS platform in safety related applications in a nuclear power plant.

The failure modes and effects evaluation of the ALS DCPP application is documented in the “Diablo Canyon PPS ALS Reliability Analysis and FMEA,” [19].

The results of the FMEA performed for the DCPP application demonstrated that no single failure during normal operation will result in either the defeat of a safety function nor a spurious actuation of reactor trip or engineered safety features actuation.

9. INPUT/OUTPUT (I/O) BOARD PROTECTION CHANNEL LOADING EVALUATION

PPS redundancy is provided by multiple Protection Sets providing safety functions to the SSPS where coincidence logic is applied. This is designed such that the loss of a single Protection Set does not cause or inhibit any protection function from occurring when required by plant conditions. An individual I/O board failure of any type cannot prevent a protective action when required. The design did not move any existing channels between Protection Sets. With two platforms provided for diversity reasons, the evaluation focused on determining that I/O board protection channel loading did not reduce protective function reliability within a single Protection Set.

The ALS subsystem performs the signal processing for Reactor Coolant Flow, Pressurizer Pressure, and Containment Pressure. The ALS utilizes two diverse chassis, each capable of providing the required protective functions (Reactor Trip or ESFAS actuation) independent of the other chassis. The failure of a single I/O board within either chassis will not adversely impact the ability of the ALS in a Protection Set to initiate the appropriate protective action signals when required by system conditions. For RCS Flow only, the ALS subsystem provides scaled analog outputs for indication in the Main Control Room. Although both chassis of


the ALS subsystem process the four (4) analog input signals, the analog outputs are split between the two chassis. A failure on a single board will affect only two (2) channel indications. This is an improvement from the existing system which processes all four (4) analog outputs from the same AO board. Effects of ALS I/O board failures are evaluated in Attachments 1, 2, 3, and 4.

The ALS subsystem also processes all RTD inputs to the PPS and provides 4-20 mA analog outputs calibrated to the required temperature range for use by the Tricon subsystem. The ALS analog output fail-safe condition is to output a 0.0 mA signal when a fault with the RTD or signal processing path is identified. This allows the Tricon to provide for error handling and alarming as appropriate. RTD processing is split between the two ALS chassis (See Section 5.1.1).

Wide Range Temperature Thot and Tcold are processed as follows: Loop 1 by ALS-A (PPS I); Loop 2 by ALS-B (PPS I); Loop 3 by ALS-A (PPS II); and Loop 4 by ALS-B (PPS II). The analog output signals from ALS-A and ALS-B are input to separate analog input cards in the Tricon. Failure of a single I/O card in either ALS chassis or the Tricon chassis will result in the loss of inputs from only one Loop.

Narrow range Thot and Tcold signals for use by the DTTA channel are processed as follows: Tcold1 and Thot 1A, 2A, and 3A by ALS-A (all Protection Sets); Tcold 2 and Thot 1B, 2B, and 3B by ALS-B (all Protection Sets). The analog output signals from ALS-A and ALS-B are input to separate analog input cards in the Tricon. Failure of a single I/O card in either ALS chassis or the Tricon chassis will result in the loss of inputs from only half of the RTDs being used by the DTTA channel. This allows the DTTA channel to remain operable.

Note: The Narrow Range Thot spare RTDs in the thermowell of each hot leg will now be used by the PPS. Each thermowell contains two RTDs and currently only one in each thermowell is available for the averaging process. The total of 6 RTDs will improve accuracy and reliability of ∆T/Tavg.

Pressurizer Vapor Space Temperature is monitored by only one RTD which is processed by ALS-A (PPS IV). There are no protective functions associated with this channel.

All other protection channels are processed by the Tricon (Wide Range Pressure, PZR Level, Steamline Pressure, Steamline Flow, Steam Generator Level, and Turbine Impulse Chamber Pressure). Inputs and outputs are apportioned in such a fashion as to avoid loss of all processing capability of a particular channel within a single Protection Set Tricon due to the failure of a single I/O card. In the event of a failure to an I/O card in a single Protection Set Tricon, redundant functionality is provided by the other Protection Sets. Effects of Tricon I/O board failures are evaluated in Attachments 1, 2, 3, and 4.

In summary, the I/O board Protection Channel loading within any Protection Set provides a high degree of reliability within that Protection Set.


10. SUMMARY AND CONCLUSIONS

The failure modes and effects evaluations performed per this document and those performed by the vendors for the Tricon platform (See Section 7) and the ALS platform (see Section 8) did not identify any new single failure modes for the PPS replacement to be installed in DCPP Units 1 and 2.

The PPS Replacement utilizing the Triconex PLC and ALS FPGA based subsystems provides adequate reliability and will not increase the probability of an undetected failure and potential loss of protective function capability as compared to the existing PPS currently in use at DCPP. The diagnostic/self-test features incorporated into both subsystems provides improved detection of equipment failures/malfunctions providing a significant improvement when compared to the existing PPS.

However, Section 4.1.5 discusses the impact of relocating of signals from isolated analog Eagle 21 PPS outputs to the input loops, which creates the possibility that a credible fire in a MCR or remote panel could adversely affect protective functions and indications.


11. ACRONYMS AND ABBREVIATIONS

Acronym Meaning AFW Auxiliary Feedwater ALS Advanced Logic System AOCH Analog Output Channel Health ARP Annunciator Response Procedure CCF Common Cause Failure CFR Code of Federal Regulations CIE Channel Integrity Error CLB Core Logic Board DCM Design Criteria Memorandum DCPP Diablo Canyon Power Plant DFWCS Digital Feedwater Control System DOCH Digital Output Channel Health DTT Deenergize to Trip DTTA Delta T/Taverage (∆T/Tavg) EFT Electrical Fast Transient EMI Electromagnetic Interference ESD Electrostatic Discharge ESF Engineered Safeguards Feature ESFAS Engineered Safeguards Feature Actuation System ETT Energize to Trip FMEA Failure Modes and Effects Analysis FPGA Field Programmable Gate Array FPP Fire Protection Program FRS Functional Requirements Specification FTP Field Termination Panel GDC General Design Criteria HSP Hot Shutdown Panel I/O Input/Output IRS Interface Requirements Specification LAR License Amendment Request LSM Line Sense Module MAS Main Annunciator System MCR Main Control Room MP Maintenance Procedure MSS Median Signal Selector NFPA National Fire Protection Association NIS Nuclear Instrumentation System OOR Out of Range OOS Out of Service OPDT Overpower Delta Temperature OTDT Overtemperature Delta Temperature PCS Process Control System PDN Plant Data Network PG&E Pacific Gas & Electric Company PLC Programmable Logic Controller PPC Plant Process Computer PPS Process Protection System PTC Positive Temperature Coefficient


Acronym Meaning PZR Pressurizer RCS Reactor Coolant System RFI Radio Frequency Interference RH Relative Humidity RPS Reactor Protection System RT Reactor Trip RTD Resistance Temperature Detector RTS Reactor Trip System SE Safety Evaluation SER Safety Evaluation Report SI Safety Injection SLI Steam Line Isolation SQA Sensor Quality Algorithm SSPS Solid State Protection System STP Surveillance Test Procedure TID Total Integrated Dose UFSAR Updated Final Safety Analysis Report USNRC United States Nuclear Regulatory Commission WR Wide Range RVLIS Reactor Vessel Indication System AMSAC ATWS Mitigation System Actuation Circuitry ATWS Anticipated Transient Without Scram S/G Steam Generator TTD Trip Time Delay ASU ALS Support Unit MWS Maintenance Workstation


12. REFERENCES

1. Pacific Gas & Electric Co. Diablo Canyon Power Plant Units 1 & 2, 663195-44 Rev 9, “Process Protection System (PPS) Replacement Functional Requirements Specification”

2. Pacific Gas & Electric Co. Diablo Canyon Power Plant Units 1 & 2, Rev. 9, “Process Protection System (PPS) Replacement Interface Requirements Specification”

3. Diablo Canyon Updated Final Safety Analysis Report (UFSAR)

4. PG&E, Letter DCL-11-104, “License Amendment Request 11-07, Process Protection System Replacement,” October 26, 2011, ADAMS Accession No. ML 11307A331

5. PG&E, Letter DCL-10-114, Revision 1, "Submittal of Diablo Canyon Power Plant Topical Report, Process Protection System Replacement Diversity & Defense-in-Depth Assessment," September 9, 2010 (ADAMS Accession No. ML 102580726)

6. USNRC Safety Evaluation for Topical Report, “Process Protection System Replacement Diversity & Defense-in-Depth Assessment,” ADAMS Accession No. ML110480845

7. USNRC DI&C ISG-06, Section D.9.4.2.1.1

8. USNRC Regulatory Guide 1.53, Rev. 2, “Application of the Single-Failure Criterion to Safety Systems”

9. USNRC, Safety Evaluation Report for Topical Report 6002-00301, Advanced Logic System Topical Report”, ADAMS Accession No. ML13218A979

10. USNRC Regulatory Guide (5.71, Rev. 0, “Cyber Security Programs for Nuclear Facilities”

11. USNRC Regulatory Guide (1.152, Rev.3, “Criteria for Use of Computers in Safety Systems of Nuclear Power Plants”

12. Invensys Operations Management (IOM) Topical Report 7286-545-1, “Triconex Topical Report,” ADAMS Accession No. ML110140443

13. IOM Triconex Document 9600164-531, “Failure Modes and Effects Analysis (FMEA) for the Tricon Version 10.2 Programmable Logic Controller”

14. IOM Tricon Document 993754-1-811, “Pacific Gas & Electric Company Nuclear Safety-Related Process Protection System Replacement Diablo Canyon Power Plant Failure Modes and Effects Analysis”

15. IOM Tricon Document 9600164-545, “Tricon Equipment Qualification and Summary Report”


16. Westinghouse Topical Report 6002-00301, “Advanced Logic System Topical Report”

17. Westinghouse Document 6002-0031, “ALS Diversity Analysis,” Rev. 2

18. Westinghouse Document 6116-00011, “Pacific Gas & Electric Diablo Canyon Process Protection System, ALS System Design Specification”

19. Westinghouse Document 6116-00029, “Diablo Canyon PPS ALS Reliability Analysis and FMEA”

20. ANSI/IEEE Std. 352-1987, “IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems”

21. IEEE Std. 379-2000, “IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems”

22. Electric Power Research Institute (EPRI) TR-102348, "Guidelines on Licensing Digital Upgrades”

23. PG&E Design Criteria Memorandum (DCM) T-20, “Environmental Qualification”

24. 10CFR 73.54, “Protection of Digital Computer and Communications Systems and Networks”

25. Nuclear Energy Institute, NEI 08-09, Rev 6, “Cyber Security Plan for Nuclear Power Reactors.”

26. U.S. Nuclear Regulatory Commission, Letter to PG&E, "Diablo Canyon Power Plant, Units Nos. 1 and 2 - Issuance of Amendments RE: Approval of Cyber Security Plan (TAC Nos. ME4290 and ME4291), July 15, 2011, including approved Cyber Security Plan

27. 5116-00011, ALS, “Diablo Canyon Power Plant (DCPP) Process Protection System (PPS) Outline and Installation.”

28. NFPA 805, "Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants," 2001.

29. USNRC Regulatory Guide 1.205, “Risk-Informed, Performance-Based Fire Protection For Existing Light-Water Nuclear Power Plants,” May, 2006.

30. PG&E, Letter DCL-13-065, “License Amendment Request to Adopt NFPA 805 Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants (2001 Edition), June 26, 2013 (ML13196A139).

DCPP Units 1 & 2 Process Protection System Replacement 15-0681-FMEA-001, Rev. 0 System Level Failure Modes and Effects Analysis Attachment 1 Sheet 1 of 44

PROCESS PROTECTION SYSTEM (PPS) REPLACEMENT Failure Modes and Effects Analysis (FMEA), Protection Set I, Attachment 1

Line Component ID Function Failure Mode System Effect Method of Detection Impact/Conclusion Reference Document

1)

TE-413A TE-413B TE-423A TE-423B (Section 5.1.1)

Provide Reactor Coolant WR Temp Loop 1 and 2 Hot Leg/Cold leg signals for Indication / Processing

RTD Open Circuit (one element open)

ALS System • Signal fails low • ALS sets analog output to Tricon to 0 mA

• PPS Failure Alarm is activated from Tricon due to OOR

• RTD OOR indication (MWS – associated ALS chassis and Tricon)

• RVLIS Trouble Alarm is activated (TE-413A and TE-423A only)

• MCR indicator (TR-413 or TR-423) fails low

• ERFDS indication fails low • Output to LTOP (PCV-456)

energizes

• No protection function impact • Same failure mode as existing system • Reactor Coolant WR Hot leg and Cold leg temperature

signals are available from PPS Set II • Reactor Coolant WR Hot leg or Cold leg temp signal to MCR

recorders and ERFDS is available from PPS Set II • Reactor Coolant WR Hot leg temp signal to RVLIS is

available from PPS Set II • Reactor Coolant WR Cold leg temp Low signal to LTOPS (to

open valve PCV-455C) is available from PPS Set II, loop 3 cold leg

• PCV-456 control switch Close/Open capability unaffected, only Auto for LTOP impacted

• ALS Chassis do not activate a Failure Alarm for OOR conditions IAW IRS 1.5.5.5

FRS 3.2.3

2)

Triconex System• Tricon output fails low (0 mA) • Reactor Coolant WR Hot leg or Cold leg Temp

signal to MCR Recorder and ERFDS fails low • Reactor Coolant WR Hot leg temp signal to RVLIS

fails low (from TE-413A and TE-423A only) • Reactor Coolant WR Cold leg temp signal to LTOP

(TE-423B only) is not available (ETT)

3)

RTD Short Circuit (one element shorts)


4)

Triconex System • Tricon output fails low(0 mA) • Reactor coolant WR RTD signal to MCR

Recorders and ERFDS fails low • Reactor Coolant WR Hot leg temp signal to RVLIS

fails low (from TE-413A and TE-423A only) • Reactor Coolant WR Cold leg temp signal to LTOP

(TE-423B only) is not available (ETT)

5)

TE-410B TE-411B (Section 5.1.1)

Provide Reactor Coolant NR Cold leg (Tcold) Loop 1 temperature signal for MCR indication / protection / control circuit


ALS System • Signal fails low • ALS sets analog output to Tricon to 0 mA • PPS Trouble Alarm is activated

from Tricon due to Tcold OOR • PPS RTD Failure Alarm is

activated from Tricon due to Input Deviation for SQA2


• No protection function impact • Same failure mode as existing system. • Reactor Coolant NR Cold leg (Tcold) temperature signal is

available from PPS Set II (loop 2), Set III (loop 3), Set IV (loop 4)

• Tricon PPS Set I Sensor Quality Algorithm 2 (SQA2) provides valid Tcold with at least 1 good RTD in each loop


FRS 3.2.5 6)

Triconex System• Reactor Coolant NR Cold leg temperature (Tcold)

signal to Tricon fails low (0 mA) • Tricon Sensor Quality Algorithm 2 (SQA2) rejects

failed signal

7) RTD Short Circuit (one element shorts)





8)


signal to Tricon fails low (0 mA) • Tricon Sensor Quality Algorithm 2 (SQA2) rejects

failed signal

9)

TE-410A TE-410C TE-411A TE-411C TE-412A TE-412C (Section 5.1.1)

Provide Reactor Coolant NR Hot leg (Thot) Loop 1 temperature signal for MCR indication / protection / control circuit

RTD Open Circuit (one element 0pen)


• PPS Trouble Alarm is activated from Tricon due to Thot OOR


• No protection function impact • Same failure mode as existing system • Reactor Coolant NR Hot leg temperature (Thot) signals to

Tricon are available from PPS Set II, III, IV • Tricon PPS Set I Sensor Quality Algorithm 3A (SQA3A) or 3B

(SQA3B) provides valid Thot average with at least 2 good RTD's in either Group A or Group B


FRS 3.2.5

10)

Triconex System• Tricon input (0 mA) • Tricon Sensor Quality Algorithm 3A (SQA3A -

Group A) or Sensor Quality Algorithm 3B (SQA3B - Group B) reject failed signal

11)



12)

Triconex System• Tricon input (0 mA) • Tricon Sensor Quality Algorithm 3A (SQA3A -


13) FT-414 FT-424 FT-434 FT-444 (Section 5.1.2)

Provide Reactor Coolant Flow signal for MCR indication / Protection

Open Circuit (4-20 mA input)

• Signal fails low • ALS 102 DOCH function sets comparators to fail

safe state (de-energized) – both chassis • ALS 102 AOCH function sets analog outputs to

fail safe state (0 mA) – both chassis • RCS flow signal to MCR indicator fails low

• PPS Failure Alarm is activated (both chassis)

• FT-414, 424, 434, 444 Virtual Channels (1) OOR indication for both ALS chassis (MWS)

• RCS Low Flow partial trip signal sent to SSPS with partial trip status light illuminated in MCR

• MCR indicator (FI-4x4) fails low

• Reduced coincidence for SSPS actuation • Same failure mode as existing system. • MCR RCS Loop flow indication is available from PPS Set II

and III • RCS Low Flow Rx trip available from PPS Set II and III

FRS 3.2.2

14) Short Circuit (4-20 mA input)

15) PT-455 (Section 4.4 and 5.1.2)

Provide PZR Pressure signal for MCR indication / HSP indication / Processing / Protection


• PZR Pressure signal to MCR indicator fails low (via isolator)

• PZR Pressure signal to HSP indicator fails low • PZR Pressure signal to PZR Pressure Control (PCS)

fails low

• PPS Failure Alarm is activated by both ALS (both chassis) and Tricon

• PT-455 Virtual Channels (5) OOR indication for both ALS chassis (MWS – ALS)

• Reduced coincidence for SSPS actuation • Same failure mode as existing system • OTDT Trip signal to SSPS is available from PPS Set II, III, IV • OTDT interlock C3 is available PPS Set II, III, IV • OTDT setpoint to MCR is available from PPS Set II (T/411A,

TI-421C), III (T/411A, TI-431C), IV (T/411A, TI-441C)

FRS 3.2.7





ALS System• Signal to ALS fails low • ALS 102 DOCH function sets comparators to fail

safe state (de-energized) – both chassis • PZR Pressure High to PC-455EX (PORV actuation)

is not available (ETT) Triconex System • PZR Pressure signal to Tricon fails low • OTDT Trip signal to SSPS is set • PZR Pressure signal fails low to

Overtemperature Setpoint calculation

• PT-455 OOR indication (MWS – Tricon)

• PCS Trouble Alarm is activated • MCR indicator (PI-455A) fails low • HSP indicator (PI-455B) fails low Partial trip signal sent to SSPS with partial trip status lights illuminated in MCR • PZR Pressure Low-Low SI to SSPS • PZR Pressure High Rx Trip to

SSPS • PZR Pressure Low Rx trip to SSPS • Unblock SI, P11 to SSPS

• PZR Pressure Low-Low SI to SSPS is available from PPS Set II, III, IV

• PZR Pressure High Rx Trip to SSPS is available from PPS Set II, III, IV

• PZR Pressure Low Rx trip to SSPS is available from Set II, III, IV

• Unblock SI, P11 to SSPS is available from PPS Set II, III • PZR Pressure High to RNASA (PORV actuation) is available

from PPS Set II, III, IV) • PZR Pressure Signal to MCR indicator is available from PPS

Set II, III , IV • Signal to PZR Pressure Control is available from PPS Set II,

III, IV

17)

LT-459 (Section 5.1.2)

Provide PZR Level signal for MCR indication / HSP indication/processing / ERFDS / Protection

Open Circuit

• PZR Level Signal to Tricon fails low • PZR Level Signal to MCR indicator fails low • PZR Level Signal to HSP indicator fails low • PZR Level Signal to PZR Level control (PCS) Set I

fails low • PZR Level Signal to PZR Level control (PCS) Set II

fails low • PZR Level Signal to ERFDS fails low • PZR Level High Rx trip to SSPS is set

• PPS Failure Alarm is activated • LT-459 OOR indication (MWS) • PCS Trouble Alarm is activated • PZR Level High partial trip signal

sent to SSPS with partial trip status lights illuminated in MCR

• MCR indicator (LI-459A) fails low • HSP indicator (LI-459B) fails low • ERFDS indication fails low

• Reduced coincidence for SSPS actuation • Same failure mode as existing system • PZR Level signal to MCR indicator, PZR Level control (Set I,

Set II) and ERFDS is available from PPS Set II and III • PZR Level signal to HSP indicator is available from PPS Set II • PZR Level High signal to SSPS (Reactor Trip) is available

from Set II and III

FRS 3.2.6

18) Short Circuit


Provide Steam Generator Steam Flow signal for MCR indication / DFWCS / ERFDS

Open Circuit

• SG Steam Flow signal to Tricon fails low • SG Steam Flow Signal to MCR indicator fails low • SG Steam Flow signal to ERFDS fails low • SG Steam Flow signal to DFWCS fails low

• PPS Trouble Alarm is activated • DFWCS Trouble Alarm is

activated • MCR indicator (FI-512, 522, 532,

542) fails low • FT-512 OOR indication (MWS) • FT-522 OOR indication (MWS) • FT-532 OOR indication (MWS) • FT-542 OOR indication (MWS) • ERFDS indication fails low

• No protection function impact • Same failure mode as existing system. • SG Steam Flow signal to MCR indicator, ERFDS and DFWCS

is available from PPS Set II

FRS 3.2.9

20) Short Circuit

21) PT-514 PT-524 PT-534 PT-544 (Section 5.1.2)

Provide Steam Generator Steam Pressure signal MCR indication / HSP indication / DFWCS / ERFDS / Protection

Open Circuit

• SG Steam Pressure signal to Tricon fails low • SG Steam Pressure signal to MCR indicator fails

low • SG Steam Pressure signal to HSP indicator fails

low • SG Steam Pressure signal to ERFDS fails low • SG Steam Pressure signal to DFWCS fails low • SG Low Steam Pressure signal to SSPS (SI and

Steam Line isolation) is set

• PPS Failure Alarm is activated • DFWCS Trouble Alarm is

activated • MCR indicators (PI-514A, 524A,

534A, 544A) fail low • HSP indicators (PI-514B, 524B,

534B, 544B) fail low • ERFDS indication fails low • PT-514 OOR indication (MWS)

• Reduced coincidence for SSPS actuation • Same failure mode as existing system • SG Steam pressure signal to MCR indicator and DFWCS is

available from PPS Set II, III, IV • Signal to ERFDS is available from PPS Set II • SG Low Steam Line Pressure to SSPS (SI and Steam Line

isolation) is available from PPS Set II, III, IV • SG Steam Line Pressure to SSPS (High Negative Rate Steam

Line isolation) is available from PPS Set II, III, IV

FRS 3.2.10

22) Short Circuit




• SG High Steam Pressure signal to SSPS (Negative Rate Steam Line isolation) is set

• PT-524 OOR indication (MWS) • PT-534 OOR indication (MWS) • PT-544 OOR indication (MWS) • SG Low Steam Pressure partial

trip signals sent to SSPS with partial trip status lights illuminated in MCR

23)


Provide Steam Generator 2 Level signal for MCR indication / DFWCS / AFW (PCS) / Protection

Open Circuit • SG2 Level signal to Tricon fails low • SG2 Level signal to MCR indicator fails low • SG2 Level signal to DFWCS fails low • SG2 Level signal to AFW (PCS) fails low • SG2 Level High-High signal to SSPS (Turbine Trip,

FW Isolation, Interlock P-14) is set • SG2 Level Low-Low signal to SSPS ( Rx trip and

AFW pump start) is set


activated • PCS (AFW) Trouble Alarm is

activated • MCR indicator (LI-529) fail low • LT-529 OOR indication (MWS) • Partial trip signals sent to SSPS

with partial trip status lights illuminated in MCR

• Reduced coincidence for SSPS actuation • Same failure mode as existing system. • SG2 Level Signal to MCR indicator, DFWCS and AFW (PCS) is

available from PPS Set III and IV • SG2 Level High-High signal to SSPS (Turbine Trip, FW

isolation. Interlock P-14) is available from PPS Set III and IV • SG2 Level Low-Low signal to SSPS (Rx trip and AFW pump

start) from PPS Set III and IV p

FRS 3.2.11

24) Short Circuit

25)


Provide Steam Generator 3 Level signal MCR indication / DFWCS / AMSAC / AFW (PCS) / Protection

Open Circuit

• SG3 Level signal to Tricon fails low • SG3 Level signal to MCR indicator fails low • SG3 Level signal to DFWCS fails low • SG3 Level signal to AFW (PCS) fails low • SG3 Level signal to AMSAC fails low • SG3 Level High-High signal to SSPS (Turbine Trip,




activated • AMSAC General Warning Alarm

is activated • PCS (AFW) Trouble Alarm is

activated • MCR indicator (LI-539) fail low • LT-539 OOR indication (MWS) • Partial trip signals sent to SSPS


• Reduced coincidence for SSPS actuation • Same failure mode as existing system • SG3 Level Signal to MCR indicator, DFWCS and AFW (PCS) is

available from PPS Set III and IV • Signal to AMSAC is available from PPS Set II (SG4), PPS Set

III (SG2) and PPS Set IV (SG1) • SG3 High-High Level signal to SSPS (Turbine Trip, FW

isolation, Interlock P-14) is available from PPS Set III and IV • SG3 Low-Low Level signal to SSPS (Rx trip and AFW pump

start)is available from PPS Set III and IV

FRS 3.2.11

26) Short Circuit

27)

PT-505 (Section 5.1.2)

Provide Turbine Impulse Chamber Pressure signal for MCR indication / AMSAC / Processing / Interlock

Open Circuit

• Turbine Impulse Chamber Pressure signal to Tricon fails low

• Turbine Impulse Chamber Pressure signal to AMSAC fails low

• Turbine Impulse Chamber Pressure signal to MCR indicator fails low

• Turbine Impulse Chamber Pressure High to SSPS (P13 interlock) is set

• Turbine Impulse Chamber Pressure Low to RNARA (power interlock C5) is set

• PPS Failure Alarm is activated • PT-505 OOR indication (MWS) • MCR Turbine Low Power C5

alarm • AMSAC General Warning alarm is

activated • MCR indicator (PI-505) fail low • Partial trip signals sent to SSPS


• No protection function impact • Same failure mode as existing system • Turbine Impulse Chamber Pressure signal to AMSAC is

available from PPS Set II (PT-506) • Turbine Impulse Chamber Pressure signal to MCR indicator

is available from PPS Set II (PT-506) • Turbine Impulse Pressure High to SSPS is available from PPS

Set II (P13 interlock – PT-506) • Turbine impulse Pressure Low signal to RNARA is not

available from PPS Set I

FRS 3.2.12

28) Short circuit




29)


Provide Containment Pressure signal for MCR indication / Protection

Open Circuit • Containment Pressure signal to ALS fails low • Containment Pressure signal to MCR indicator

(PI-937) fails low • Containment Pressure High-High signal to SSPS

(Containment Pressure-Phase B isolation containment Spray, Steam Line Isolation) is not available (ETT)

• PPS Failure Alarm is activated • MCR Containment Pressure

indicator (PI-937) fails low • PT-937 Virtual Channels (1) OOR

indication for both ALS chassis (MWS)

• Reduced coincidence for SSPS actuation • Same failure mode as existing system • MCR Containment Pressure indicator is available from PPS

Set II, III, IV • Containment Pressure High-High signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from PPS Set II, III, IV

FRS 3.2.13

30) Short circuit

31)

NE-41A (Section 5.1.4)

Provide Power Range Neutron Flux (Upper) signal to calculate DTTA Overpower and Overtemperature Delta-T setpoint for Protection and MCR indication

Open Circuit

• Upper Flux signal to Tricon fails low (open wire condition)

• Overtemperature Delta-T Trip to SSPS is set • Upper Flux signal fails low to Overpower

Setpoint calculation • Upper Flux signal fails low to Overtemperature

Setpoint calculation

• PPS Failure Alarm is activated due to wire off condition

• NE-41A open circuit indication (MWS)

• MCR indications (T/411A, TI-411B, TI-411C) do not channel check

• Partial trip signals sent to SSPS with partial trip status lights illuminated in MCR

• Reduced coincidence for SSPS actuation • Same failure mode as existing system • Overpower Delta-T Trip signal to SSPS is available from PPS

Set II, III, IV • MCR Overpower Setpoint indication is available from PPS

Set PPS Set II, III, IV • MCR Overtemperature Setpoint indication is available

from PPS Set II, III, IV

FRS 3.2.5 32) Short circuit (0 VDC)

• Upper Flux signal to Tricon fails low • Upper Flux signal fails low to Overpower



• MCR (Overpower Setpoint indication - T/411A, TI-411B) decreases

• MCR (Overtemperature Setpoint indication - T/411A, TI-411C) do not channel check

• Possible OTDT partial trip signals sent to SSPS with partial trip status lights illuminated in MCR

• Reduced coincidence for SSPS actuation if a trip function is activated

• Same failure mode as existing system • MCR Overpower Setpoint indication is available from PPS

Set II, III, IV • MCR Overtemperature Setpoint indication is available from

PPS Set II, III, IV • Fail low at 0 V does not incur OOR condition as it is within

the normal range of the signal value

33) Fail High due to electronics failure (>10 VDC)

• Upper Flux signal to Tricon fails high > 10 V • Overtemperature Delta-T Trip to SSPS is set • Upper Flux signal fails to Overpower Setpoint

calculation • Upper Flux signal fails to Overtemperature


• PPS Failure Alarm is activated due to OOR

• NE-41A OOR indication (MWS) • MCR indications (T/411A, TI-

411B, TI-411C) do not channel check




Set II, III, IV • MCR Overtemperature Setpoint indication is available


34) NE-41B (Section 5.1.4)

Provide Power Range Neutron Flux (Lower) signal to calculate DTTA Overpower and Overtemperature Delta-T setpoint for Protection and

Open Circuit

• Lower Flux signal to Tricon fails low (open wire condition)

• Overtemperature Delta-T Trip to SSPS is set • Lower Flux signal fails low to Overpower


• PPS Failure Alarm is activated

due to wire off condition • NE-41B open circuit indication

(MWS)



FRS 3.2.5




MCR indication • Lower Flux signal fails low to Overtemperature Setpoint calculation




PPS Set II, III, IV

35) Short circuit (0 VDC)

• Lower Flux signal to Tricon fails low • Lower Flux signal fails low to Overpower

Setpoint calculation • Lower Flux signal fails low to Overtemperature


• MCR (Overpower Setpoint indication - T/411A, TI-411B) increases





Set II, III, IV • MCR Overtemperature Setpoint indication is available

from PPS Set II, III, IV • Fail low at 0 V does not incur OOR condition as it is within



• Lower Flux signal to Tricon fails high > 10 V • Overtemperature Delta-T Trip to SSPS is set • Lower Flux signal fails high to Overpower

Setpoint calculation • Lower Flux signal fails high to Overtemperature



• NE-41B OOR indication (MWS) • MCR indications (T/411A, TI-






PPS Set II, III, IV

37)

TE-413A TE-413B TE-410B TE-410A TE-411A TE-412A (Section 5.1.1)

Provide Reactor Coolant Loop 1 WR Temp Hot Leg /Cold leg signal for Indication / Processing (TE-413A, 413B) Provide Reactor Coolant Loop 1 NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / protection / control circuit (TE-410A, 410B, 411A, 412A)

ALS-311 (Slot 5) failure in chassis A (total loss of RTD input module due to power supply failure, both boards latch failure)

• ALS 102 AOCH function sets affected analog outputs to Tricon to 0 mA

• PPS Failure Alarm is activated by affected ALS chassis due to ALS module failure

• PPS Trouble Alarm is activated from Tricon due to WR RTDs OOR

• PPS RTD Failure Alarm is activated from Tricon due to Input Deviation for SQA2


• RVLIS Trouble Alarm is activated (TE-413A)

• RTDs OOR indication (MWS – both ALS and Tricon)

• MCR indicator (TR-413) fails low • ERFDS indication (TE-413A, TE-

• No protection function impact • RCS WR LP2 Hot leg and Cold leg temperature signals are

available from chassis B to Tricon • Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed

signal and provides valid Tcold with other functional Tcold RTD

• Tricon Sensor Quality Algorithm 3B (SQA3B) provides valid Thot average with at least 2 good RTD's in Group B

• RCS WR LP3 and LP4 Hot leg and Cold leg temperature signals are available from PPS Set II

• RCS NR LP1 Tcold and Thots (3) temperature signals are available from chassis B to Tricon

• Reactor Coolant NR Tcold/Thot temperature signals are available from PPS Set II, III and IV

FRS 3.2.3, 3.2.5 IRS 2.8.1.2

38)

ALS -421-2 (Slot 8) failure in chassis A (total loss of AO module due to power supply failure, both boards latch failure)

• ALS- 421-2 output fails to “Safe State” for affected analog outputs (de-energized)

• Inputs to Tricon set to 0 mA • Tricon analog output fails low (0 mA)




413B) fails low• MWS indicates bad health

status for board

39)

ALS -421-2 (Slot 8) failure in chassis A (loss of function due to multiple electronics failure)

• ALS-421-2 output fails to “unknown state” • Fail safe output state may not occur

• PPS Failure Alarm is activated by ALS affected chassis due to Output Channel Integrity Error (CIE)

• MWS indicates bad health status for board

• Exception to IRS Section 2.8.1.2. The PPS Failure Alarm will be activated by the ALS system due to the output channel integrity error. This mitigates the possibility that an "unknown" output state would result in an undetected failure since the Tricon would not alarm on a OOR low signal

40)

TE-423A TE-423B TE-411B TE-410C TE-411C TE-412C (Section 5.1.1)

Provide Reactor Coolant Loop 2 WR Temp Hot Leg /Cold leg signal for Indication / Processing (TE-423A, 423B) LTOPS (TE-423B) Provide Reactor Coolant Loop 1 NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / protection / control circuit (TE-411B, 410C, 411C, 412C)

ALS-311 (Slot 5) failure in chassis B (total loss of RTD input module due to power supply failure, both boards latch failure)

• ALS 102 AOCH function sets analog outputs to Tricon to 0 mA







• ERFDS indication (TE-423A, TE-423B) fails low


• No Impact to protective function • RCS WR LP1 Hot leg and Cold leg temperature signals are

available from chassis A to Tricon • Reactor Coolant WR Cold leg temp Low signal to LTOPS (to



• Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed signal and provides valid Tcold with other functional Tcold RTD

• Tricon Sensor Quality Algorithm 3A (SQA3A) provides valid Thot average with at least 2 good RTD's in Group A


• RCS NR LP1 Tcold and Thots (3) temperature signals are available from chassis A to Tricon

• Reactor Coolant NR Tcold/Thot temperature signals are available from PPS Set II, III and IV

FRS 3.2.3, 3.2.5 IRS 2.8.1.2

41)

ALS -421-2 (Slot 8) failure in chassis B (total loss of AO module due to power supply failure, both boards latch failure)


• Inputs to Tricon Set to 0 mA • Tricon analog output fails low (0 mA)

42)

ALS -421-2 (Slot 8) failure in chassis B (loss of function due to multiple electronics failure)




• Exception to IRS Section 2.8.1.2. The PPS Failure Alarm will be activated by the ALS system due to the output channel integrity error. This mitigates the possibility that an "unknown" output state would result in an undetected failure since the Tricon would not alarm on a OOR low signal

43)

FT-414 FT-424 FT-434 FT-444 PT-937

• Provide Reactor Coolant Flow signals for MCR indication / Protection (FT-414, 424, 434, 444)

• Provide PZR Pressure

ALS-321 (Slot 6) failure in chassis A or B (total loss of AI module due to power supply failure, both boards latch failure)

• ALS 102 DOCH function sets comparators to fail safe state (de-energized)

• PZR Pressure High to PC-455EX (PORV actuation) is not available (ETT)

• Containment Pressure High-High signal to SSPS

• PPS Failure Alarm is activated by affected chassis due to ALS AI module failure

• PPS Trouble Alarm is activated by other chassis due to Trip-

• Reduced coincidence for SSPS actuation • RCS flow signal to MCR indications are available for the

two RCS Flow channels processed by the other chassis • RCS flow signal to MCR indications are available from PPS

Set II and III

FRS 3.2.2, 3.2.7, 3.2.13




PT-455 signal for Protection (PT-455)

• Provide PZR Pressure signal for control (PT-455)

• Provide Containment Pressure signal for Protection (PT-937)

(Containment Pressure-Phase B isolationcontainment Spray, Steam Line Isolation) is not available (ETT)

• ALS 102 AOCH function sets analog outputs to fail safe state (0 mA) for associated chassis RCS Flow analog outputs

without-Demand condition sensed by LSM (RCS Flow, PZR)

• MCR indication (FI-414, 424, 434, 444) fails low for associated chassis

• FT-414, 424, 434, 444 Virtual Channels (1) OOR indication for affected ALS chassis (MWS)

• PT-455 Virtual Channels (5) OOR indication for affected ALS chassis (MWS)




• RCS Low Flow Rx trip available from PPS Set II and III • PZR Pressure Low signal to SSPS is available from other

chassis and PPS Set II, III and IV • PZR Pressure Low-Low signal to SSPS is available from

other chassis and PPS Set II, III and IV • PZR Pressure High signal to SSPS is available from other

chassis and PPS Set II, III and IV • PZR SI permissive (P11) signal to SSPS is available from

other chassis and PPS Set II, III and IV • PZR Pressure High signal to RNASA (PORVS) is available

from other chassis and PPS Set II, III and IV • Containment Pressure High-High signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from the other chassis

• Containment Pressure High-High signal to SSPS (Phase B isolation Containment Spray, Steam Line Isolation) is available from PPS Set II, III, IV

• Interactions with other systems/indications associated with the input loop are unaffected as the input loop remains intact

44)

ALS-402-2 (Slot 9) failure in chassis A or B (total loss of DO module function due to power supply failure, both boards latch failure)

• ALS 102 DOCH function sets comparators to fail safe state (de-energized)


• Containment Pressure High-High signal to SSPS (Containment Pressure-Phase B isolation containment Spray, Steam Line Isolation) is not available (ETT)

• ALS-421-1 output fails to “Safe State” for RCS Flow analog outputs

• PPS Failure Alarm is activated by affected chassis due to ALS DO module failure

• PPS Trouble Alarm is activated by other chassis due to Trip-without-Demand condition sensed by LSM for DTT



• Reduced coincidence for SSPS actuation • RCS Low Flow Rx trip available from PPS Set II and III • PZR Pressure Low signal to SSPS is available from other

chassis and PPS Set II, III and IV • PZR Pressure Low-Low signal to SSPS is available from

other chassis and PPS Set II, III and IV • PZR Pressure High signal to SSPS is available from other

chassis and PPS Set II, III and IV • PZR SI permissive (P11) signal to SSPS is available from

other chassis and PPS Set II, III and IV • PZR Pressure High signal to RNASA (PORVS) is available

from other chassis and PPS Set II, III and IV • Containment Pressure High-High signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from PPS Set II, III, IV

45)

ALS-421-1 (Slot 1) failure in chassis A or B (total loss of AO module due to power supply failure, both boards latch failure)

• ALS-421-1 output fails to “Safe State” for RCS Flow analog outputs (de-energized)

• PPS Trouble Alarm is activated by chassis A due to ALS AO module failure

• MCR indication (FI-414, FI-424, FT-434, FT-444) fails low


• No protection function impact • RCS flow signal to MCR indications are available for the


Set II and III • If the AO module fails due to multiple electronics failure, it

is possible that ALS-421-2 output fails to “unknown state”




and the fail safe output state may not occur.

46)

FC-414_FB_LSM_A(B) FC-424_FB_LSM_A(B) FC-434_FB_LSM_A(B) FC-444_FB_LSM_A(B) PC-455C_FB_LSM_A(B) PC-455B_FB_LSM_A(B) PC-455A_FB_LSM_A(B) PC-455D_FB_LSM_A(B) PC-455E_FB_LSM_A(B) PC-937B_FB_LSM_A(B) FC-414_Byp_A(B) FC-424_Byp_A(B) FC-434_Byp_A(B) FC-444_Byp_A(B) PC-455C_Byp_A(B) PC-455B_Byp_A(B) PC-455A_Byp_A(B) PC-455D_Byp_A(B) PC-455E_Byp_A(B) PC-937B_Byp_A(B) PS1FAIL_IA(IB) PS2FAIL_IA(IB) PS3FAIL_IA(IB) PS4FAIL_IA(IB) PS5FAIL_IA(IB) PS6FAIL_IA(IB)

Provide LSM Trip Status to SSPS FB / Manual Bypass Switch Status for chassis A or B and Power Supplies PS1-PS6 Status

ALS-302 (Slot 7) failure in chassis A or B (total loss of DI module due to power supply failure, both boards latch failure)

• LSM Trip Status to SSPS for associated chassis is unavailable

• Manual Bypass Switch status for associated chassis is unavailable

• Power Supply Status indication for the affected chassis is unavailable

• PPS Failure Alarm is activated by chassis A or B due to ALS DI module failure

• PPS Trouble Alarm is activated by chassis A or B due to ALS DI module failure


• No protection function impact • Trip-without-demand alarms do not occur as they are

blocked due to bad channel integrity • Power Supply status are available from the unaffected

chassis

FRS 3.2.1.3

47)

ALS MAS Alarms (Section 4.5.2.2) UY-PS1A_DIV-A(B) UY-PS1B_DIV-A(B) UY-PS1C_DIV-A(B) UY-PS1D_DIV-A(B)

Provide input to MAS for ALS associated alarms

ALS-402-1 (Slot 2) failure in chassis A or B (total loss of DO module due to power supply failure, both boards latch failure)

• Outputs fail to deenergized state • PPS Bypass and OOS for the affected chassis

would be unavailable (ETT)

• PPS Failure Alarm is activated by ALS for affected chassis

• PPS Trouble Alarm is activated by ALS for affected chassis

• Any actuated PPS Bypass or OOS for the affected chassis would clear


• No protection function impact FRS 3.2.1.5




48) NE-41A NE-41B

Provide Power Range Neutron Flux (Upper/Lower) signals to calculate DTTA Overpower and Over Temperature Delta-T setpoint

Tricon 3703EN (Slot 2) module failure (total loss of AI module function due to multiple electronics failure or common software failure)

• Upper and Lower Flux signal to Tricon fails low (open wire condition)

• Overtemperature Delta-T Trip to SSPS is set • Upper and Lower Flux signal fails low to

Overpower Setpoint calculation • Upper and Lower Flux signal fails low to


• PPS Failure Alarm is activated due to open wire condition detected


• NE-41B open circuit indication (MWS)





Set PPS Set II, III, IV • MCR Overtemperature Setpoint indication is available


FRS 3.2.5




49)

TE-413A TE-413B TE-410B TE-410A TE-411A TE-412A PT-455 FT-522 FT-542 PT-524 PT-544 LT-529 PT-505

• Provide Reactor Coolant Loop 1 WR Temp Hot Leg /Cold leg signal for Indication / Processing (TE-413A, 413B)

• Provide Reactor Coolant Loop 1 NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / protection / control circuit (Group A) (TE-410A, 410B, 411A, 412A)

• Provide PZR Pressure signal for Protection (PT-455)

• Provide Steam Generator Loop 2 Steam Flow signal for MCR indication / ERFDS (FT-522)


• Provide Steam Generator Loop 2 Steam Line Pressure signal for Protection(PT-524)

• Provide Steam Generator Loop 4 Steam Line Pressure signal for Protection (PT-544)

• Provide Steam Generator 2 Level signal for Protection (LT-529)

• Provide Turbine Impulse Chamber Pressure signal for Protection PT-505)

Tricon 3721N (Slot 3) module failure (total loss of AI module function due to multiple electronics failure or common software failure)

• Inputs fail low • WR LP1 Thot/Tcold indication to MCR recorder

and ERFDS fails low • WR LP1 Thot signal to RVLIS fails low • Sensor Quality Algorithm (SQA2) rejects failed

signal • Sensor Quality Algorithm 3A (SQA3A - Group A)

rejects failed signals • PZR Pressure signal fails low to

Overtemperature Setpoint calculation • OTDT Trip signal to SSPS is set (PZR Pressure

fails low) • SG2 and SG4 Steam Flow Signal to MCR

indicator fails low • SG2 and SG4 Steam Flow signal to ERFDS fails

low • SG2 and SG4 Low Steam Pressure signal to SSPS

(SI and Steam Line isolation) is set • SG2 and SG4 High Steam Pressure signal to SSPS

(Negative Rate Steam Line isolation) is set • SG2 Level High-High signal to SSPS (Turbine Trip,


AFW pump start) is set • Turbine Impulse Chamber Pressure signal to

MCR indicator fails low • Turbine Impulse Chamber Pressure High to SSPS

(P13 interlock) is set • Turbine Impulse Chamber Pressure Low to

RNARA (power interlock C5) is set

• PPS Failure Alarm is activated due to Tricon AI module failure


• MCR indicator (TR-413) fails low for WR LP 1 RTDs

• MCR indicator (T/411A, TI-411C) does not channel check

• MCR indicator (FI-522, FI-542) fails low for SG2 and SG4 Steam Flows

• MCR indicator (PI-505) fails low for Turbine Impulse Chamber Pressure

• ERFDS indication (WR LP1 RTDs, SG2 and SG4 Steam Flow) fails low



• Reduced coincidence for SSPS actuation • RCS WR LP2 Hot leg and Cold leg temperature signals are

available from Slot 4 of Tricon • Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed


• Tricon Sensor Quality Algorithm 3A (SQA3A) provides valid Thot average with at least 2 good RTD's in Group B


• RCS NR LP1 Tcold and Thots (3) temperature signals are available from Slot 4 of Tricon (Group B)

• OTDT Setpoint indication is available from PPS Set II, III, IV • OTDT Trip signal to SSPS is available from PPS Set II, III, IV • Steam Generator Loop 2 Low Steam Pressure signal to

SSPS (SI and Steam Line isolation) is available from PPS Set II and III

• Steam Generator Loop 4 Low Steam Pressure is available for SI and Steam Line isolation (SSPS) from PPS Set II and IV

• Steam Generator 2 Level High-High signal to SSPS (turbine trip, feedwater isolation, interlock P14) is available from PPS Set III and IV

• Turbine Impulse Chamber Pressure High signal to SSPS (P13 interlock) is available from PPS Set II

• Steam Generator Loop 2 High Negative Rate Steam Line Pressure are available for Steam Line isolation (SSPS) from PPS Set II and III

• Steam Generator Loop 4 High Negative Rate Steam Line Pressure are available for Steam Line isolation (SSPS) from PPS Set II and IV

• Steam Generator 2 Low-Low Level signal to SSPS (Rx trip, AFW pump start) is available from PPS Set III and IV

• Steam Generator Loop 2 and 4 Steam Flow are available to the MCR indicator and ERFDS from PPS Set II

• Turbine Impulse Chamber Pressure signal to MCR indicator is available from PPS Set II


FRS 3.2.3, 3.2.5, 3.2.7, 3.2.9, 3.2.10, 3.2.11, 3.2.12




50)

TE-423A TE-423B TE-410C TE-411C TE-411B TE-412C LT-459 FT-512 FT-532 PT-514 PT-534 LT-539

• Provide Reactor Coolant

Loop 2 WR Temp Hot Leg /Cold leg signal for Indication / Processing (TE-423A, 423B)

• Provide Reactor Coolant Loop 1 NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / protection / control circuit (Group B) (TE-410C, 411B, 411C, 412C)

• Provide PZR Level signal for Protection (LT-459)

• Provide SG1 Steam Flow signal for MCR indication / ERFDS (FT-512)

• Provide SG3 Steam Flow signal for MCR indication / ERFDS (FT-532

• Provide SG1 Steam Line Pressure signal for Protection (PT-514)


• Provide SG3 Level signal for Protection (LT-539)





rejects failed signals • SG1 and SG3 Steam Flow Signal to MCR


low • SG1 and SG3 Low Steam Pressure signal to SSPS

(SI and Steam Line isolation) is set • SG1 and SG3 High Steam Pressure signal to SSPS

(Negative Rate Steam Line isolation) is set • SG3 Level High-High signal to SSPS (Turbine Trip,


AFW pump start) is set • Reactor Coolant WR LP2 Cold leg temp Low

signal to LTOP (PCV-456) is not available from PPS Set I (ETT)



• MCR indicator (TR-423) fails low for WR LP2 RTDs





• No protection function impact or reduced coincidence for SSPS actuation

• Reactor Coolant WR Cold leg temp Low signal to LTOPS (to open valve PCV-455C) is available from PPS Set II, loop 3 cold leg


• RCS WR LP1 Hot leg and Cold leg temperature signals are available from Slot 3 of Tricon




• RCS NR LP1 Tcold and Thots (3) temperature signals are available from Slot 3 of Tricon (Group A)



• Steam Generator 3 Level Low-Low signal to SSPS (Rx trip, AFW pump start) is available from PPS Set III and IV

• PZR Level High signal to SSPS (Rx trip) is available from PPS Set II and III

• Steam Generator Loop 1 Low Steam Pressure signal to SSPS (SI and Steam Line isolation) is available from PPS Set II and IV

• Steam Generator Loop 3 Low Steam Pressure signal to SSPS (SI and Steam Line isolation) is available from PPS Set II and III

• Steam Generator 3 High-High Level signal to SSPS (turbine trip, feedwater isolation, interlock P14) is available from PPS Set III and IV

• Steam Generator Loop 1 and 3 Steam Flow are available to the MCR indicator and ERFDS from PPS Set II


FRS 3.2.3, 3.2.5, 3.2.6, 3.2.9, 3.2.10, 3.2.11




51)

TE-413A TE-423B FT-522 FT-542

• Provide Reactor Coolant Loop 1 WR Temp Hot Leg signal for Indication / Processing (TE-413A)

• Provide Reactor Coolant Loop 2 WR Temp Cold leg signal for Indication / Processing (TE-423B



Tricon 3805 (Slot 5) module failure (total loss of AO module)

• Analog outputs fail low (de-energized) • WR LP1 Thot indication to MCR, ERFDS and

RVLIS fails low • WR LP2 Tcold indication to MCR and ERFDS fails

low • SG2 and SG4 Steam Flow signal to MCR and

ERFDS fails low

• PPS Trouble Alarm is activated due to Tricon AO module failure


• MCR indicator (TR-413, TR-423) fails low

• MCR indicator (FI-522, FI-542) fails low

• ERFDS indication fails low (TE-413A, TE-423B)

• ERFDS indication fails low (FT-522, FT-542)


• No protection function impact • The same failure mode as existing system • MCR indicator, RVLIS and ERFDS for WR LP1 Tcold and

MCR indicator, ERFDS, RVLIS for WR LP2 Thot available from Slot 6

• Steam Flow indications available from PPS Set II

FRS 3.2.3, 3.2.9

52)

TE-413B TE-423A FT-512 FT-532

• Provide Reactor Coolant Loop 1 WR Temp Cold Leg signal for Indication / Processing (TE-413B

• Provide Reactor Coolant Loop 2 WR Temp Hot leg signal for Indication / Processing (TE-423A)




• Analog outputs fail low (de-energized) • WR LP1 Tcold indication to MCR and ERFDS fails

low • WR LP2 Thot indication to MCR, ERFDS and

RVLIS fails low • SG1 and SG3 Steam Flow signal to MCR and

ERFDS fails low





• ERFDS indication fails low (TE-413B, TE-423A)



• No protection function impact • The same failure mode as existing system • MCR indicator, RVLIS, ERFDS for WR LP1 Thot and MCR

indicator, ERFDS for WR LP2 Tcold available from Slot 5 • Steam Flow indications available from PPS Set II

FRS 3.2.3, 3.2.9

53)

TI-411A TI-411B TI-411C TI-412 (DTTA indicators) PI-505

• Provide DTTA signal for MCR indication (TI-411A, 411B, 411C, 412

• Provide Turbine Impulse Chamber Pressure signal for MCR indication

Tricon 3805 (Slot 2 Non-Safety) module failure (total loss of AO module)

• Analog outputs fail low (de-energized) • Loop Delta-T signal to PCS fails low (R28) • DTTA MCR indications for Set I fail low • Turbine Impulse Chamber Pressure signal to

MCR indication fails low


• PCS Trouble Alarm is actuated due to Delta-T signal fails low

• MCR indicator (TI-411A, TI-411B, TI-411C, TI-412) fails low

• MCR indicator (PI-505) fails low • MWS indicates bad health status

for board

• No protection function impact • The same failure mode as existing system • DTTA indications available on MWS and Gateway

computer • Turbine Impulse Chamber Pressure signal available on

MWS and Gateway computer • Turbine Impulse Chamber Pressure indication available

from PPS Set II

FRS 3.2.5, 3.2.12




54)

TC423A TC411G TC412D LC529A LC539B PC505A PC514C PC524A PC534C PC544A

• Provide Loop 2 WR Low Temp signal to LTOP (TC423A)

• Provide OPDT and Low-Low Tavg (P12) signals to SSPS (TC411G, 412D)

• Provide SG2 High-High Level Trip/Interlock (P14) to SSPS (LC529A)

• Provide SG3 Low-Low Level Trip and AFW Pump Start to SSPS TC539B)

• Provide SG2 and SG4 Low Steam Line Pressure to SSPS (SI and Steam Line isolation) (PC524A,544A)

• Provide SG1 and SG3 Steam Line Pressure to SSPS (High Negative Rate Steam Line isolation) (PC514C, 534C)

• Provide Turbine Impulse Chamber Pressure High trip to SSPS (P13 Interlock) (PC505A)

Tricon 3601 (Slot 6) module failure (total loss of DO module due to multiple electronics failure or common software failure)

• Outputs go OFF (de-energized) • Reactor Coolant WR LP2 Cold leg temp Low

signal to LTOP (PCV-456) is not available from PPS Set I (ETT)

• OPDT and Low-Low Tavg Trip to SSPS is set • SG2 Level High-High signal to SSPS (Turbine Trip,


AFW pump start) is set • Turbine Impulse Chamber Pressure High trip to

SSPS (P13 Interlock) is set • SG2 and SG4 Low Steam Pressure signal to SSPS

(SI and Steam Line isolation) are set • SG1 and SG3 High Steam Pressure signal to SSPS

(Negative Rate Steam Line isolation) are set

• PPS Failure Alarm is activated due to Tricon DO module failure



• Reduced coincidence for SSPS actuation • Reactor Coolant WR Cold leg temp Low signal to LTOPS (to



• OPDT and Low-Low Tavg (P12) signals to SSPS are available from PPS Set II, III and IV

• Steam Generator 2 Level High-High signal is available from PPS Set II and IV


• Turbine Impulse Chamber Pressure High trip to SSPS (P13 Interlock) is available from PPS Set II





FRS 3.2.3, 3.2.5, 3.2.10, 3.2.11, 3.2.12

55)

TC411C TC412G LC-459A LC529B LC539A PC514A PC524C PC534A PC544C

• Provide OTDT and Low Tavg Feedwater isolation signals to SSPS (TC411C, 412G)

• Provide PZR Level signal to SSPS (LC459A)


• Provide SG2 Low-Low Level Trip and AFW Pump Start to SSPS (LC529B)

• Provide SG1 and SG3 Low Steam Line Pressure to SSPS (SI and Steam Line isolation) (PC514A, 534A)


• Outputs go OFF (de-energized) • OTDT and Low Tavg Feedwater isolation signals

to SSPS are set • PZR Level High Rx trip to SSPS is set • SG3 Level High-High signal to SSPS (Turbine Trip,


AFW pump start) is set • SG1 and SG3 Low Steam Pressure signal to SSPS

(SI and Steam Line isolation) are set • SG2 and SG4 High Steam Pressure signal to SSPS

(Negative Rate Steam Line isolation) are set




• Reduced coincidence for SSPS actuation • OTDT and Low Tavg Feedwater isolation signals to SSPS are

available from PPS Set II, III and IV • PZR Level High signal to SSPS (Reactor Trip) is available

from Set II and III • Steam Generator 3 High-High Level signal to SSPS (turbine

trip, feedwater isolation, interlock P14) is available from PPS Set III and IV




FRS 3.2.5, 3.2.10, 3.2.11







56)

TC411D TC411H PC505C LY-529H UY-PS1A_TRICON UY-PS1B_TRICON UY-PS1C_TRICON TY-411_TRICON OOS_I_TRICON

• Provide OTDT (C3) and OPDT (C4) Interlock signals to RNARA (TC411D, 411H)

• Provide Turbine Low Power Interlock (C5) signal to RNARA (PC505C)

• Provide input to MAS for Tricon associated alarms

• Provide TTD Timer Activated alarm

Tricon 3636 (Slot 7 Non-Safety) module failure (total loss of RO module function)

• Relay output fails to the de-energized state • PPS Bypass, OOS, RTD Failure or S/G Low-Low

Timer Actuated Alarms are unavailable (ETT) • OTDT (C3) Interlock (RNARA) to SSPS is set • OPDT (C4) Interlock (RNARA) to SSPS is set • Turbine Low Power (C5) Interlock (RNARA) to

SSPS is set

• PPS Failure Alarm is activated • PPS Trouble Alarm is activated • Partial trip signals sent to SSPS



• Reduced coincidence for SSPS actuation • OTDT interlock C3 is available PPS Set II, III, IV • OPDT interlock C4 is available PPS Set II, III, IV

FRS 3.2.1.5, 3.2.5, 3.2.12

57)

PS2S_FAIL_15 PS3S_FAIL_15 PS4S_FAIL_15 PS5S_FAIL_15 PS6S_FAIL_15 PS7S_FAIL_15 24DI_PWR_15 T413A-OOS T413B-OOS T423A-OOS T423B-OOS L459-OOS F512-OOS F522-OOS F532-OOS F542-OOS P514-OOS P524-OOS P534-OOS P544-OOS L529-OOS L539-OOS P505-OOS LP1_DTTA_OOS LP1_TTD_OOS

• Provide Safety Power Supply Status

• Provide DI Power Supply Status

• Provide OOS Manual Switch Status

Tricon 3503EN2 (Slot 2) module failure (total loss of DI module function)

• Power Supply Status indication for the Safety power supplies are unavailable

• Manual OOS Switch status is unavailable, channels cannot be placed OOS for maintenance functions

• Any channel in a maintenance condition (OOS, TiT or TiB) will return to normal processing

• PPS Trouble Alarm is activated • MWS indicates bad health status

for board

• No protection function impact • PPS Failure Alarm is suppressed for power supply failures

due to loss of DI power supply indication

IRS 2.9.6.6 IRS 2.8.1.1




58)

TS/411C TS/411G TS/412D TS/412G TC423A LS/459A PS/514A PS/514C PS/524A PS/524C PS/534A PS/534C PS/544A PS/544C LS/529A LS/529B LS/539A LS/539B PS/505A PC-505A_Byp

• Provide Trip Output to SSPS FB Status

• Provide Manual Bypass Switch FB Status for PC505A

Tricon 3501TN2 (Slot 5) module failure (total loss of DI module function)

• Trip output FB status for DO to SSPS is unavailable


• Manual Bypass Switch status for Turbine Impulse Pressure High Interlock (P13) is unavailable

• PPS Trouble Alarm is activated due to module failure

• If a Trip condition was presently in for an ETT function, then a PPS Failure Alarm is activated due to a Failure-to-Trip-on-demand condition indicated


• No protection function impact IRS 2.9.6.6, FRS3.2.1.3.6

59)

PS2N_FAIL_15 PS3N_FAIL_15 PS5N_FAIL_15 PS6N_FAIL_15 PS/505C TS/411D TS/411H

• Provide Non-Safety Power Supply Status

• Provide Trip Output FB Status for Non-Safety functions

Tricon 3501E (Slot 5 Non-Safety) module failure (total loss of DI module function)


• Power Supply Status indication for the Non-Safety power supplies are unavailable


for board • No protection function impact

FRS 2.2.3, IRS 2.9.6.6

60) FI-414 FI-424 (Section 5.1.3)

Provide RCS Flow Indication to MCR from ALS Chassis A

Open Circuit

• RCS Flow indication to MCR indicator fails low • MCR indicator (FI-4x4) fails low • No protection function impacted, Analog Output only • RCS Loop Flow indications are available from Protection

Set II and III for each loop

FRS 3.2.1.4, 4.1.3 IRS 1.5.5.1

61) Short Circuit

62) FI-434 FI-444 (Section 5.1.3)

Provide RCS Flow Indication to MCR from ALS Chassis B

Open Circuit

63) Short Circuit

64) PI-514A (Section 5.1.3)

Provide Steam Generator 1 Steam Line Pressure indication In the Main Control Room (MCR)

Open Circuit

• Input current loop is open • SG1 Steam Pressure signal to Tricon fails low • SG1 Steam Pressure signal to MCR indicator fails

low • SG1 Steam Pressure signal to HSP indicator fails


activated • MCR indicator (PI-514A) fails low• HSP indicator (PI-514B) fails low

• Reduced coincidence for SSPS actuation, other Protection Sets can provide protective functions

• SG1 Steam Pressure signal to MCR indicator is available from PPS Set II, IV

• SG1 Steam Pressure signal to HSP indicator is not available

FRS 3.2.9




low• SG1 Steam Pressure signal to ERFDS fails low • SG1 Steam Pressure signal to DFWCS fails low • SG1 Loop 1 Low Steam Line Pressure signal to

SSPS (SI and Steam Line isolation) is set • SG Loop 1 Steam Line Pressure High Negative

Rate signal to SSPS (Steam Line isolation) is set

• ERFDS indication fails low • PT-514 OOR indication (MWS) • Partial trip signals sent to SSPS


• SG1 Steam Pressure signal to ERFDS is available from PPS Set II

• SG1 Steam Pressure signal to DFWCS is available from PPS Set II,IV

• SG1 Low Steam Line Pressure signal to SSPS (SI and Steam Line isolation) is available from PPS Set II,IV

• SG1 Steam Line Pressure High Negative Rate signal to SSPS (Steam Line isolation) is available from PPS Set II,IV

65) Short Circuit • SG1 Steam Pressure signal to MCR indicator fails low • MCR indicator (PI-514A) fails low • No protection function impact, input current loop is

maintained intact

66)

PI-514B (Section 5.1.3)

Provide Steam Generator 1 Steam Line Pressure indication In the Hot Shutdown panel (HSP)

Open Circuit

• SG1 Steam Pressure signal to Tricon fails low • SG1 Steam Pressure signal to MCR indicator fails


low • SG1 Steam Pressure signal to ERFDS fails low • SG1 Steam Pressure signal to DFWCS fails low • SG1 Low Steam Line Pressure signal to SSPS (SI

and Steam Line isolation) is set • SG1 Steam Line Pressure High Negative Rate

signal to SSPS (Steam Line isolation) is set


activated • MCR indicator (PI-514A) fails low• HSP indicator (PI-514B) fails low • ERFDS indication fails low • PT-514 OOR indication (MWS) • Partial trip signals sent to SSPS




• SG1 Steam Pressure signal to HSP indicator is not available • SG1 Steam Pressure signal to ERFDS is available from PPS

Set II • SG1 Steam Pressure signal to DFWCS is available from PPS

Set II,IV • SG1 Low Steam Line Pressure signal to SSPS (SI and Steam

Line isolation) is available from PPS Set II,IV • SG1 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set II,IV

FRS 3.2.9

67) Short Circuit • SG1 Steam Pressure signal to HSP indicator fails low • HSP indicator (PI-514B) fails low • No protection function impact, input current loop is

maintained intact

68) PD/514A (Section 4.5.1)

Resistor -Provides Steam Generator 1 Steam Line Pressure signal to ERFDS

Open Circuit



low • SG1 Steam Pressure signal to ERFDS fails high • SG1 Steam Pressure signal to DFWCS fails low • SG1 Low Steam Line Pressure signal to SSPS (SI









Set II • SG1 Steam Pressure Signal to DFWCS is available from PPS



FRS 3.2.9





69) Short Circuit • SG1 Steam Pressure signal to ERFDS fails low • ERFDS indication fails low • No protection function impact, input current loop is maintained intact

70)

PM-514_1 (Section 4.5.1)

Isolation device –Provide isolation between Class I SG1 Steam Line Pressure instruments and Class II DFWCS

Open Circuit (input)












Set II • SG1 Steam Pressure Signal to DFWCS is available from PPS



(Steam Line isolation) is available from PPS Set II,IV FRS 3.2.9

71) Short circuit (input) • SG1 Steam Pressure signal to DFWCS (via isolator) fails low

• DFWCS Trouble Alarm is activated

• No protection function impact, input current loop is maintained intact

72) Open Circuit (output)

• SG1 Steam Pressure signal to DFWCS fails low • DFWCS Trouble Alarm is activated


73) Short Circuit (output)

74) PI-524A (Section 5.1.3)


Open Circuit



low • SG2 Steam Pressure signal to ERFDS fails low • SG2 Steam Pressure signal to DFWCS fails low


activated • MCR indicator (PI-524A) fails low• HSP indicator (PI-524B) fails low • ERFDS indication fails low • PT-524 OOR indication (MWS)


• SG2 Steam Pressure signal to MCR indicator is available from PPS Set II, III


Set II

FRS 3.2.9




• SG2 Low Steam Line Pressure signal to SSPS (SI and Steam Line isolation) is set

• SG2 Steam Line Pressure High Negative Rate signal to SSPS (Steam Line isolation) is set


• SG2 Steam Flow signal to DFWCS is available from PPS Set II,III

• SG2 Low Steam Line Pressure signal to SSPS (SI and Steam Line isolation) is available from PPS Set II,III

• SG2 Steam Line Pressure High Negative Rate signal to SSPS (Steam Line isolation) is available from PPS Set II,III


maintained intact

76)



Open Circuit












Set II • SG2 Steam Flow signal to DFWCS is available from PPS Set

II,III • SG1 Low Steam Line Pressure signal to SSPS (SI and Steam

Line isolation) is available from PPS Set II,III • SG1 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set II,III

FRS 3.2.9

77) Short Circuit • SG2 Steam Pressure signal to HSP indicator fails low • MCR indicator (PI-524B) fails low • No protection function impact, input current loop is

maintained intact

78) PD/524A (Section 4.5.1)

Resistor -Provide Steam Generator 2 Steam Line Pressure signal to ERFDS

Open Circuit
















FRS 3.2.9





80)

PM-524_1 (Section 4.5.1)


Open Circuit (Input)















(Steam Line isolation) is available from PPS Set II,III FRS 3.2.9

81) Short Circuit (Input) • SG2 Steam Pressure signal to DFWCSS (via isolator) fails low



82) Open Circuit (Output)



83) Short Circuit (Output)

84) PI-534A (Section 5.1.3)


Open Circuit














Line isolation) is available from PPS Set II,III • SG Loop 3 Steam Line Pressure High Negative Rate signal

FRS 3.2.9




to SSPS (Steam Line isolation) is available from PPS Set II,III


maintained intact

86)



Open Circuit
















FRS 3.2.9

87) Short Circuit • SG3 Steam Pressure signal to HSP indicator fails low • MCR indicator (PI-534B) fails low • No protection function impact, input current loop is

maintained intact

88) PD/534D (Section 4.5.1)


Open Circuit
















FRS 3.2.9





90)

PM-534_1 (Section 4.5.1)

Isolation device – Provide isolation between Class I SG3 Steam Line Pressure instruments and Class II DFWCS











• The isolator is a qualified device and powered from class IE power source. The single failure of the isolation device does not create condition that impacts safe operation of the Plant protection System.







FRS 3.2.9

91) Short Circuit (Input) • SG3 Steam Pressure signal to DFWCS (via isolator) fails low



92) Open Circuit (Output) (Class II)



93) Short Circuit (output) (Class

II)

94) PI-544A (Section 5.1.3)


Open circuit










FRS 3.2.9




and Steam Line isolation) is set• SG4 Steam Line Pressure High Negative Rate



II,IV • SG4 Low Steam Line Pressure signal to SSPS (SI and Steam




maintained intact

96)



Open Circuit
















FRS 3.2.9

97) Short Circuit • SG4 Steam Pressure signal to MCR indicator fails low • MCR indicator (PI-544B) fails low • No protection function impact, input current loop is

maintained intact

98) PD/544D (Section 4.5.1)


Open Circuit














Line isolation) is available from PPS Set II,IV • SG Loop 4 Steam Line Pressure High Negative Rate signal

to SSPS (Steam Line isolation) is available from PPS Set II,IV

FRS 3.2.9




99) Short circuit • SG4 Steam Pressure signal to ERFDS fails low • ERFDS indication fails low • No protection function impact, input current loop is maintained intact

100)

PM-544_1 (Section 4.5.1)
















II,IV • SG Loop 4 Low Steam Line Pressure signal to SSPS (SI and

Steam Line isolation) is available from PPS Set II,IV • SG4 Steam Line Pressure High Negative Rate signal to SSPS


FRS 3.2.9

101) Short Circuit (Input) • SG4 Steam Pressure signal to DFWCS (via isolator) fails low






103) Short Circuit (Output) (Class II)

104) LM-529_1 (Section 4.5.1)

Isolation device –Provide isolation between Class I SG2 level instruments and Class II DFWCS, AFW (PCS), MCR indicator


• SG2 Level signal to Tricon fails low • SG2 Level signal to MCR indicator fails low • SG2 Level signal to DFWCS fails low • SG2 Level signal to AFW (PCS) fails low • SG2 Level High-High signal to SSPS (Turbine Trip,





activated • MCR indicator (LI-529) fails low • LT-529 OOR indication (MWS) • Partial trip signals sent to SSPS



• SG2 Level Signal to MCR indicator, DFWCS and AFW (PCS) is available from PPS Set III and IV

FRS 3.2.11





• SG2 Level High-High signal to SSPS (Turbine Trip, FW isolation. Interlock P-14) is available from PPS Set III and IV

• SG2 Level Low-Low signal to SSPS (Rx trip and AFW pump start) from PPS Set III and IV

105) Short Circuit (Input) • SG2 Level signal to DFWCS fails low • SG2 Level signal to AFW (PCS) fails low • SG2 Level signal to MCR indicator fails low


• PCS (AFW) Trouble Alarm is activated

• MCR indicator (LI-529) fails low



• SG2 Level signal to DFWCS fails low • SG2 Level signal to AFW (PCS) fails low • SG2 Level signal to MCR indicator fails low






108)

LM-539_1 (Section 4.5.1)






• PPS Failure Alarm is activated • AMSAC General Warning Alarm

is activated • DFWCS Trouble Alarm is







• Signal to AMSAC is available from PPS Set II (SG4), PPS Set III (SG2) and PPS Set IV (SG1)

• SG3 High-High Level signal to SSPS (Turbine Trip, FW isolation, Interlock P-14) is available from PPS Set III and IV

• SG3 Low-Low Level signal to SSPS (Rx trip and AFW pump start)is available from PPS Set III and IV

FRS 3.2.11

109) Short Circuit (input) • SG3 Level signal to MCR indicator fails low • SG3 Level signal to DFWCS fails low • SG3 Level signal to AFW fails low


• PCS Trouble Alarm is activated • MCR indicator (LI-539) fails low


110) Open Circuit (Output) • SG3 Level signal to DFWCS, AFW (PCS) and MCR indicator fails low









112)

LM-539_2 (Section 4.5.1)

Isolation device –Provide isolation between Class I SG3 level instruments and Class II AMSAC







activated • AMSAC General Warning alarm

is activated • MCR indicator (LI-539) fails low • LT-539 OOR indication (MWS) • Partial trip signals sent to SSPS





• Signal to AMSAC is available from PPS Set II (SG4), PPS Set III (SG2) and PPS Set IV (SG1)

• SG3 High-High Level signal to SSPS (Turbine Trip, FW isolation, Interlock P-14) is available from PPS Set III and IV

• SG3 Low-Low Level signal to SSPS (Rx trip and AFW pump start)is available from PPS Set III and IV FRS 3.2.11

113) Short Circuit (Input) • SG3 Level signal to AMSAC fails low • AMSAC General warning alarm is activated



• SG3 Level signal to AMSAC fails low • AMSAC General Warning alarm is activated



116)

FM-512_1 FM-522_1 FM-532_1 FM-542_1 (Section 4.5.1)

Isolation devices –Provide isolation between Class I SG1, 2, 3 , 4 Steam Flow and Class II DFWCS


• SG Steam Flow signal to Tricon fails low • SG Steam Flow signal to DFWCS fails low • SG Steam Flow Signal to MCR indicator fails low • SG Steam Flow signal to ERFDS fails low


activated • MCR indicator (FI-5x2) fails low • FT-512 OOR indication (MWS) • FT-522 OOR indication (MWS) • FT-534 OOR indication (MWS) • FT-542 OOR indication (MWS) • Indication failed low from ERFDS

• No protection function impact, Indication only • SG1, 2 ,3 ,4 Steam Flow signals to MCR indicator, ERFDS

and DFWCS are available from PPS Set II FRS 3.2.9




117) Short Circuit (Input) • SG Steam Flow signal to DFWCS fails low • DFWCS Trouble Alarm is activated



• SG Steam Flow signal to DFWCS fails low • DFWCS Trouble Alarm is activated



120)


Isolation devices –Provide isolation between Class IA SG1, 2, 3 , 4 Steam Flow and Class IB MCR/ERFDS Indications

• Open Circuit (Input)

• SG Steam Flow signal to MCR indictor fails low • SG Steam Flow signal to ERFDS fails low

• MCR indicator (FI-512, 522, 532, 542) fails low

• ERFDS indication fails low • No protection function impact, output indicators only

121) • Short Circuit (Input)

122) • Open Circuit (Output)

123) • Short Circuit (Input)

124) PM-505_1 (Section 4.5.1)

Isolation devices –Provide isolation between Class I Turbine Impulse Chamber Pressure and Class II AMSAC






• Turbine Impulse Chamber Pressure Low to RNARA (power interlock C5) is set

• PPS Failure Alarm is activated • AMSAC General Warning alarm

is activated • MCR indicator (PI-505) fails low • PT-505 OOR indication (MWS) • MCR Turbine Low Power C5

alarm • Partial trip signals sent to SSPS




• Turbine Impulse Chamber Pressure signal to AMSAC is available from PPS Set II (PT-506)

• Turbine Impulse Chamber Pressure signal to MCR indicator is available from PPS Set II (PT-506)

• Turbine Impulse Pressure High to SSPS is available from PPS Set II (P13 interlock)

FRS 3.2.12




• Turbine impulse Pressure Low signal to RNRAR is not available from PPS Set I (power interlock -C5)

125) Short Circuit (Input) • Turbine Impulse Chamber Pressure signal to AMSAC fails low

• AMSAC General Warning alarm is activated




• AMSAC General Warning alarm is activated



128)

PI-937 (Section 5.1.3)

Provide Containment Pressure indication in the MCR

Open Circuit

• Containment Pressure signal to ALS fails low • Containment Pressure signal to MCR indicator

fails low • Containment Pressure High-High signal to SSPS

(Containment Pressure-Phase B isolation containment Spray, Steam Line Isolation) is not available (ETT)

• PPS Failure Alarm (both ALS Chassis) is activated

• MCR indicator (PI-937) fails low • PT-937 Virtual Channels (1) OOR



• MCR Containment Pressure indicator is available from PPS Set II, III, IV

• High-High Containment Pressure signal to SSPS (Phase B isolation containment Spray, Steam Line Isolation) is available from PPS Set II, III, IV

FRS 3.2.13

129) Short Circuit • Containment Pressure signal to MCR indicator fails low • MCR indicator (PI-937) fails low • No protection function impact, input current loop is

maintained intact

130) LI-459A (Section 5.1.3)

PZR Level indicator in the MCR Open Circuit

• PZR Level signal to Tricon fails low • PZR Level signal to MCR indicator fails low • PZR Level signal to HSP indicator fails low • PZR Level signal to PZR Level control (Control Set

I) fails low • PZR Level signal to PZR Level control (Control Set

II) fails low • PZR Level signal to ERFDS fails low • PZR Level High signal to SSPS (Rx trip) is set

• PPS Failure Alarm is activated • PCS Trouble Alarm (Set I) is

activated • PCS Trouble Alarm (Set II) is

activated • MCR indicator (LI-459A) fails low • HSP indicator (LI-459B) fails low • LT-459 OOR indication (MWS) • Partial trip signal sent to SSPS


• ERFDS indication fails low


• PZR Level signal to MCR indicator is available from PPS Set II and III

• PZR Level signal to HSP indicator is available from PPS Set II• PZR Level signal to PZR Level control (Control Set I) is

available from PPS Set II and III • PZR Level signal to PZR Level control (Control Set II) is

available from Set II and III • PZR Level signal to ERFDS is available from PPS Set II and III • PZR Level High Rx trip to SSPS is available from Set II and III

FRS 3.2.6




131) Short Circuit • PZR Level signal to MCR indicator fails low • MCR indicator (LI-459A) fails low • No protection function impact, input current loop is maintained intact

132)

LI-459B (Section 5.1.3)

PZR Level indicator in the Hot Shutdown panel (HSP)

Open Circuit

• PZR Level signal to Tricon fails low • PZR Level signal to MCR indicator fails low • PZR Level signal to HSP indicator fails low • PZR Level signal to PZR Level control (Control Set


II) fails low • PZR Level signal to ERFDS fails low • PZR Level High signal to SSPS (Rx trip) is set










FRS 3.2.6

133) Short Circuit • PZR Level signal to HSP indicator fails low • HSP indicator (LI-459B) fails low • No protection function impact, input current loop is maintained intact

134)

LM-459_1 (Section 4.5.1)

Isolation device –Provide isolation between Class I PZR Level instruments and Class II PZR Level controller and ERFDS


• PZR Level signal to Tricon fails low • PZR Level signal to MCR indicator fails low • PZR Level signal to HSP indicator fails low) • PZR Level signal to PZR Level control (Control Set


II) fails low • PZR Level signal to ERFDS fails low • PZR Level High Rx trip to SSPS is set











FRS 3.2.6

135) Short Circuit (Input)

• PZR Level signal to PZR Level control (Control Set I) fails low

• Signal to PZR Level control (Control Set II) fails low

• Signal to ERFDS fails low

• PCS Trouble Alarm (Set I) is activated

• PCS Trouble Alarm (Set II) is activated






• Signal to PZR Level control (Control Set I) (Low) • Signal to PZR Level control (Control Set II) (Low) • Signal to ERFDS (Low)





138) PI-455A (Section 5.1.3)

PZR Pressure indicator in the MCR

Open Circuit (Class II)

• PZR Pressure signal to MCR indicator fails low • PZR Pressure signal to HSP indicator fails low • PZR Pressure signal to PZR Pressure Control (PCS

Set I) fails low

• PCS Trouble Alarm is activated • MCR indicator (PI-455A) fails low• HSP indicator (PI-455B) fails low • No protection function impact, indicator is on output loop

of PM-455_1 isolation device FRS 3.2.7

139) Short Circuit (Class II) • PZR Pressure signal to MCR indicator fails low • MCR indicator (PI-455A) fails low

140) PI-455B (Section 5.1.3)

PZR Pressure indicator in the HSP

Open Circuit (Class II)

• PZR Pressure signal to MCR indicator fails low • PZR Pressure signal to HSP indicator fails low • PZR Pressure signal to PZR Pressure Control (PCS

Set I) fails low

• PCS Trouble Alarm is activated • MCR indicator (PI-455A) fails low• HSP indicator (PI-455B) fails low • No protection function impact, indicator is on output loop

of PM-455_1 isolation device FRS 3.2.7

141) Short Circuit (Class II) • PZR Pressure signal to HSP indicator fails low • HSP indicator (PI-455B) fails low

142) PM-455_1 (Section 4.5.1)

Isolation device –Provide isolation between Class I PZR Pressure signal and Class II PZR Pressure Control (PCS) and indicators in the MCR and HSP



• PZR Pressure signal to HSP indicator fails low • PZR Pressure signal to PZR Pressure Control fails

low ALS System

• PZR Pressure Signal to ALS fails low • ALS 102 DOCH function sets comparators to fail

safe state (de-energized) • PZR Pressure Low-Low SI to SSPS is set • PZR Pressure High Rx Trip to SSPS is set • PZR Pressure Low Rx trip to SSPS is set • Unblock SI, P11 to SSPS is set • PZR Pressure High to PC-455EX (PORV actuation)

is not available (ETT) Tricon System

• PZR Pressure signal to Tricon fails low • PZR Pressure signal fails low to


• PPS Failure Alarm is activated by ALS (both chassis) and Tricon

• PCS Trouble Alarm is activated • PT-455 Virtual Channels (5) OOR

indication for both chassis (MWS – ALS)

• MCR indicator (PI-455A) fails low• HSP indicator (PI-455B) fails low • PT-455 OOR indication (MWS –

Tricon) • Partial trip signal sent to SSPS


• Reduced coincidence for SSPS actuation • The isolator is a qualified device and powered from class IE

power source. The single failure of the isolation device does not create condition that impacts safe operation of the Plant protection System.

• PZR Pressure signal to MCR indicator is available from PPS Set II, III, IV (via isolator)

• PZR Pressure signal to HSP indicator is not available • PZR Pressure signal to PZR Pressure Control is available

from Set II, III, IV • OTDT Trip signal to SSPS is available from PPS Set II, III, IV • OTDT interlock C3 is available PPS Set II, III, IV • OTDT setpoint to MCR (T/411A, TI-411C) is available from

PPS Set II, III, IV • PZR Pressure Low-Low SI to SSPS is available from PPS Set

II, III, IV • PZR Pressure High Rx Trip to SSPS is available from PPS Set

II, III, IV • PZR Pressure Low Rx trip to SSPS is available from Set II, III,

IV • Unblock SI, P11 to SSPS is available from PPS Set II, III

FRS 3.2.7




• OTDT Trip signal to SSPS is set • PZR Pressure High to RNARA (PORV actuation) is available from PPS Set II, III, IV)

• PZR Pressure Signal to MCR indicator is available from PPS Set II, III , IV


• PZR Pressure signal to PZR Pressure Control fails low

• PZR Pressure signal to MCR indicator fails low • PZR Pressure signal to HSP indicator fails low

• PCS Trouble Alarm is activated • MCR indicator (PI-455A) fails low• HSP indicator (PI-455B) fails low


144) Open Circuit (Output) (Class II) • PZR Pressure signal to PZR Pressure Control fails

low • PZR Pressure signal to MCR indicator fails low • PZR Pressure signal to HSP indicator fails low

• PCS Trouble Alarm is activated • MCR indicator (PI-455A) fails low• HSP indicator (PI-455B) fails low



146)

FC-414_Byp_A FC-414_Byp_B FC-424_Byp_A FC-424_Byp_B FC-434_Byp_A FC-434_Byp_B FC-444_Byp_A FC-444_Byp_B PC-455C_Byp_A PC-455C_Byp_B PC-455B_Byp-A PC-455B_Byp_B PC-455A_Byp_A PC-455A_Byp_B PC-455D_Byp-A PC-455D_Byp_B (Section 5.2.1.1)

RCS Flow and PZR Pressure Manual Bypass Switches (DTT)

Switch A or B in Bypass • Status contact closes • K1W alarm contact

closes • Bypass contact fails

open

• Bypass Switch status ALS-302 LED turns ON • ALS PPS Bypass alarm for affected chassis is

activated • K1W Relay would still actuate if other associated

Bypass Switch is set and no other pair of Bypass Switches are set

• Channel output is not Bypassed, if ALS processed a trip condition the output would de-energize

• Undetectable unless the associated chassis processed a trip condition (whether actual or due to maintenance)

• If “failed Bypass” chassis processes a trip signal due to a maintenance condition (ex: lifted leads), PPS Trouble Alarm would be activated by the other chassis due to a Trip-without-Demand indication

• No impact to protection function • Other Chassis (via LSM) is capable of performing the

protection function (trip signal) • Bypass Switch wiring and use should be revised or testing

methods put in place to verify contacts are in the proper position

FRS 2.2.3

147)

Switch A or B in Bypass • Status contact fails open • K1W alarm contact

closed • Bypass contact closed

• Bypass logic and alarm are not set • K1W Relay would still actuate if other associated


• DO contact is Bypassed through LSM

• Bypass Switch status ALS-302 LED remains off

• PPS Bypass alarm for affected chassis is not activated


protection function (trip signal) • Channel is in Manual Bypass –With trip demand from ALS-

402 (DO), no partial trip signal to SSPS (status light off in MCR)

148)

Switch A or B in Bypass • Status contact closed • K1W alarm contact fails

open • Bypass contact closes


activated • K1W Relay would not actuate if other associated



• Undetectable unless the other Bypass Switch is set and no other pair had already actuated the relay

• If no other pair had actuated the relay and the other associated Bypass switch was set, then

• No impact to protection function • K1W Relay provides an independent MAS alarm that does

not have any interaction with the safety-related functions. It provides an indication that at least one pair of manual Bypass Switches are concurrently set, but impossible to determine which without physically inspecting

• Alarm contact power is 48 VDC, independent of the 120




K1W would fail to activate the MAS alarm

• The wiring design enables using a DVM to measure across the contacts and determine that they had not changed state

VAC used by the Bypass contact and the 48 VDC used for Status Feedback

• The switches are qualified as class IE devices. Single failure of the manual Bypass Switch 3-4 contacts does not create condition that disables PPS safety function

• Since there is no reflash capability to the alarm associated with the K1W relay, the wiring and relay use should be re-evaluated and revised to provide a useful indication

149)

Change switch A or B from Bypass to Normal • Status contact opens • K1W alarm contact

opens • Bypass contact fails

closed

• Bypass Switch status ALS-302 LED turns OFF • ALS PPS Bypass alarm for affected chassis clears • K1W Relay would de-energize only if the other

associated Bypass Switch is set and no other pair of Bypass Switches were set (this is normal)

• DO contact is maintained Bypassed to LSM, an actual or maintenance condition that resulted in a trip would not de-energize the SSPS relay

• Undetectable without some method of indicating or testing the contacts to determine actual status


protection function (trip signal) • On an actual trip condition, the affected chassis would

process a trip and set the DO. However, a Failure-to-Trip on Demand condition would not be detected and alarmed because the other chassis would de-energize the SSPS relay and therefore the LSM feedback status would indicate that the trip did occur.

• Bypass Switch wiring and use should be revised or testing methods put in place to verify contacts are in the proper position

150)

Change switch A or B from Bypass to Normal • Status contact opens • K1W alarm contact fails

closed • Bypass contact opens

• Bypass Switch status ALS-302 LED turns OFF • ALS PPS Bypass alarm for affected chassis clears • If the K1W Relay was energized due to other

associated Bypass Switch was also set to Bypass, then it would not de-energize

• DO contact is no longer Bypassed to the LSM, trip function is operable

• Undetectable if other associated Bypass switch was set to Bypass or any other pair of Bypass switches were set

• If the K1W Relay was energized due to other associated Bypass Switch was also set to Bypass and no other pairs were set, then the MAS alarm would not clear




• Alarm contact power is 48 VDC, independent of the 120 VAC used by the Bypass contact and the 48 VDC used for Status Feedback



151)

Change switch A or B from Bypass to Normal • Status contact fails

closed • K1W alarm contact

opens • Bypass contact opens

• Bypass Switch status ALS-302 LED does not go OFF

• ALS PPS Bypass alarm for affected chassis would not clear

• K1W Relay would de-energize only if other associated Bypass switch was set and no other pair of Bypass Switches were set (this is normal)

• Bypass Switch status ALS-302 LED is ON

• PPS Bypass alarm for affected chassis remains activated

• No impact to protection function, an actual trip would still be processed by the affected chassis




• Channel output is no longer Bypassed, if ALS processed a trip condition the output would de-energize (returned to normal operation)

152)

PC-455E_Byp_A PC-455E_Byp_B PC-937B_Byp_A PC-937B_Byp_B (Section 5.2.1.1)

PZR Pressure, Containment Pressure Manual Bypass switches A / B (ETT)


closes • Bypass contact stays

closed


activated • Bypass condition (open circuit) for the affected

chassis is not set • K1W Relay would still actuate if other associated


• Undetectable unless a maintenance function was performed to actuate the trip output (ex: Test-in-Trip)

• If Test-in-Trip for Containment Pressure (PT-937) was activated, then it would activate partial trip signal sent to SSPS with partial trip status lights illuminated in MCR

• If Test-in-Trip for PZR Pressure (PT-455) was activated, then it would input a signal into the LTOP circuitry which would still be undetectable as no alarm or operation would occur without a Low temperature input as well



• Other Chassis (via LSM) is unaffected and capable of performing the safety function (trip signal)


FRS 2.2.3

153)

Switch A or B in Bypass • Status contact fails open • K1W Alarm contact

closes • Bypass contact opens



• Bypass condition (open circuit) for the affected chassis is set

• Bypass Switch status ALS-302 LED remains OFF



• Other Chassis (via LSM) is unaffected and capable of performing the protection function (trip signal)

154)

Switch A or B in Bypass • Status contact closes • K1W alarm contact fails

open • Bypass contact opens






• If no other pair had actuated the relay and the other associated Bypass switch was set, then K1W would fail to activate the MAS alarm

• The wiring design enables using a DVM to measure across the



• Alarm contact power is 48 VDC, independent of the 48 VDC (455) or 120 VAC (937) used by the Bypass contact and the 48 VDC used for Status Feedback

• The switches are qualified as class IE devices. Single failure of the manual Bypass Switch 4-5-6 contacts does not




contacts and determine that they had not changed state

create condition that disables PPS safety function• Since there is no reflash capability to the alarm associated

with the K1W relay, the wiring and relay use should be re-evaluated and revised to provide a useful indication

155)

Change Switch A or B from Bypass to normal • Status contact opens • K1W alarm contact


open

• Bypass Switch status ALS-302 LED turns OFF • ALS PPS Bypass alarm for affected chassis clears • K1W Relay would still de-energize if other

associated Bypass Switch is set and no other pair of Bypass Switches is set (this is normal)

• Bypass condition (open circuit) for the affected chassis remains set



• An actual trip would not be processed by the affected chassis



156)

Change Switch A or B from Bypass to normal • Status contact fails


opens • Bypass contact closes



• K1W Relay would still de-energize if other associated Bypass Switch is set and no other pair of Bypass Switches are set (this is normal)

• Bypass condition (open circuit) for the affected chassis is removed





157)

Change Switch A or B from Bypass to normal • Status contact opens • K1W alarm contact fails

closed • Bypass contact closes


• If the K1W Relay was energized due to other associated Bypass Switch was also set to Bypass, then it would not de-energize

• Bypass Switch status ALS-302 LED turns OFF • ALS PPS Bypass alarm for affected chassis clears


• If no other pair had actuated the relay and the other associated Bypass switch was set, then K1W would fail to clear the MAS alarm





• The switches are qualified as class IE devices. Single failure of the manual Bypass Switch 4-5-6 contacts does not create condition that disables PPS safety function


158)

FS/414 FS/424 FS/434 FS/444 PS/455A PS/455B

ALS Manual Trip switches (DTT) (normally closed)

Change Switch from normal to trip position • Contact fails to open

• Manual Trip unavailable

• No partial trip signal to SSPS, partial trip status lights not illuminated in MCR

• No PPS Trouble Alarm from either chassis due to a Trip-without-Demand condition

• No impact to protection function • The switches are qualified as class IE devices. Single failure

of the manual trip switch contacts does not create condition that disables PPS safety function

FRS 2.2.2




PS/455C PS/455D (Section 5.2.2)

(normal operating conditions)

159) Change Switch from trip to Normal position • Contact fails to close

• SSPS Relay remains tripped

• ALS PPS Trouble Alarm stays on due to a Trip-without-Demand condition (normal operating conditions)

• Partial trip signal is not cleared, partial trip status lights remain illuminated in MCR

160)

TS/411G TS/411C TS/412D TS/412G LS/529A LS/529B LS/539A LS/539B PS/514A PS/514C PS/524A PS/524C PS/534A PS/534C PS/544A PS/544C LS/459A PS/505A (Section 5.2.2)

Tricon Class I Manual Trip Switches




• No Tricon PPS Trouble Alarm



FRS 2.2.2




• Tricon PPS Trouble Alarm stays on in MCR

162) TS/411D TS/411H PS/505C (Section 5.2.2)

Tricon Class II Manual Trip Switches

Change Switch from Normal to Trip position • Contact fails to open



• No Tricon PPS Trouble Alarm • No impact to protection function FRS 2.2.2








164)

PC-505A_Byp (Section 5.2.1.2)

Turbine impulse Pressure manual Bypass switch

Change Bypass switch from Normal to Bypass position • Bypass contact remains

in normal; bypass condition not set,

• Status contact closed; bypass status set.

• Channel output is not Bypassed, if Tricon processed a trip condition the output would de-energize

• PPS Bypass alarm is activated



• No impact to protection function, an actual trip would still be processed by the Tricon


• The switches are qualified as class IE devices. Single failure of the manual Bypass switch contacts does not create condition that disables PPS safety function

FRS 2.2.3.2, 3.2.1.3.6 and 3.2.12.15

165)

Change Bypass switch from Normal to Bypass position • Bypass contact closed;

Bypass condition set • Status contact fails

open; bypass status not set

• Channel output is Bypassed • PPS Bypass alarm is not activated

• Bypass Switch status 3501 LED is OFF

• PPS Bypass alarm is not set


of the manual Bypass switch contacts does not create condition that disables PPS safety function

166)

Change Bypass switch from Bypass to Normal position • Bypass contact fails

closed; bypass condition remains set

• Status contact opens; bypass status is removed.

• If Tricon processed an actual trip condition, the SSPS relay would remain energized

• PPS Bypass alarm clears

• Undetectable unless an actual trip condition was processed or a maintenance function was performed to actuate the trip output (ex: Test-in-Trip)


• P13 coincidence is 2 of 2 (with Protection Set II PT-506); therefore, Bypass condition maintained would prevent P13 from actuating. P13 is an input to P7 (with P10) for blocking various actions at Low power. Impact would only be to operations <10% in Modes 1-2 which is a transition state and unlikely to have the channel in Bypass during the transition. Although some MAS alarms or SSPS status lights might show the wrong status in Modes 3-6, since the reactor trip breakers are open then there is no impact to the safety function


167)

Change Bypass switch from Bypass to Normal position • Bypass contact opens;

bypass condition is removed

• Status contact remains closed; bypass status remains set

• Channel output is no longer Bypassed, trip function is operable

• PPS Bypass alarm remains activated

• Bypass Switch status 3501 LED is ON

• PPS Bypass alarm does not clear



168)

LP1_DTTA_OOS LP1_TTD_OOS T413A_OOS T413B_OOS T423A_OOS T423B_OOS

Tricon Out-of-Service Switch. • Place a channel out of

service for Testing / Updating tuning constants and

Switch in OOS position • OOS contact fails open • K1T Alarm contact

closed

• Affected PPS channel cannot be taken OOS from MWS for maintenance activity

• K1T Relay would actuate if no other OOS Switches are set

• OOS Switch status 3501 LED is OFF

• MWS does not indicate the affected channel is OOS, would not allow the channel to be placed in a maintenance

• No impact to protection function • Affected channel cannot be taken OOS for testing without

the contact being made up FRS 3.2.1.3.7




L459_OOS F512_OOS F522_OOS F532_OOS F542_OOS P514_OOS P524_OOS P534_OOS P544_OOS L529_OOS L539_OOS P505_OOS (Section 5.2.3)

comparator setpoints; • Provides a permissive

for software to allow maintenance activities

condition

169)

Switch in OOS position • OOS contact closes • K1T Alarm contact fails

open

• Affected PPS channel can be taken OOS from MWS for maintenance activity

• K1T Relay would not actuate if no other OOS Switches are set

• If no other OOS switch is set, then K1T would fail to activate the MAS alarm

• Undetectable if any other OOS switch is set

• No impact to protection function • K1T Relay provides an independent MAS alarm that does

not have any interaction with the safety-related functions. It provides an indication that at least one OOS Switch is set, but impossible to determine which without physically inspecting

• The switches are qualified as class IE devices. Single failure of the OOS switch contacts does not create condition that disables PPS safety function

• Due to the wiring design (OOS switches in parallel), it is not possible to use a DVM to measure across the contacts and determine that they had not changed state

• Since there is no reflash capability to the alarm associated with the K1T relay, the wiring and relay use should be re-evaluated and revised to provide a useful indication

170)

Switch in normal position • OOS contact fails closed • K1T Alarm contact

opens

• Affected PPS channel does not return to normal condition

• K1T Relay would de-energize if no other OOS Switches are set

• OOS Switch status 3501 LED is ON

• MWS indicates affected channel is OOS

• No impact to protection function, affected channel can be removed from a maintenance condition which would allow an actual trip to be processed


171)

Switch in normal position • OOS contact opens • K1T Alarm contact fails

closed

• Affected PPS channel is in normal condition • K1T Relay would not de-energize if no other

OOS Switches are set

• If no other OOS switch is set, then K1T would continue to maintain the MAS alarm










172)

K1W (Section 5.2.1.1.3)

ALS Manual Bypass Switch pair status relay (indication that at least one pair of Manual Bypass Switches are set) Protection Set I

Relay coil open

• K1W relay fails to actuate MAS alarm

• Undetectable unless at least one pair of ALS Bypass Switches were both set to Bypass

• If coil is shorted and at least one pair of ALS Bypass Switches are set, fuse FU11 would blow and isolate power supply PS5 from failed component



• FU11 would provide isolation to power supply PS5 from a coil short


173) Relay coil short

174) Output contact open • K1W relay fails to actuate MAS alarm • Undetectable unless at least one

pair of ALS Bypass Switches were both set to Bypass

175) Output contact short • MAS alarm is activated without alarm condition set

• MAS Alarm set when no pair of Bypass Switches are set

• Undetectable if at least one pair of Bypass Switches are set

176)

K1T (Section 5.2.3.2)

Tricon OOS Switch status relay (indication that at least one OOS Switch is set) Protection Set I

Relay coil open

• MAS channel OOS alarm is not activated when switch is in OOS

• Undetectable unless at least one

OOS Switch is set • If coil is shorted and at least one

OOS Switch is set, fuse FU3 would blow and isolate power supply PS3S from failed component



• FU3 would provide isolation to power supply PS3S from a coil short


IRS 2.8.4.1.1


178) Output contact open • MAS channel OOS alarm is not activated when switch is in OOS

• Undetectable unless at least one OOS Switch is set


• MAS Alarm set when no OOS Switch is set

• Undetectable if any OOS Switch is set




180) PS3, PS6 (Section 4.2.4)

Provide 48 VDC power to ALS chassis A and B Loss of one power supply • Loss of single redundant power supply • PPS Trouble Alarm is activated

• No impact to protection function • The ALS chassis (A and B) continue to operate through

redundant 48 VDC power supply • The 48 VDC power supplies are qualified as class IE

devices.

FRS 3.2.1.5.2

181) PS2, PS5 (Section 4.2.4)

Provide 48 VDC power to ALS Digital input (DI) module ALS-302 and ALS-102 (Core Logic board) for contact wetting

Loss of one power supply • Loss of single redundant power supply • PS5 only – power to K1W ALS Bypass Switch

status relay is lost

• PPS Trouble Alarm is activated • If K1W was energized, MAS

alarm would clear

• No impact to protection function • The ALS-302 and ALS-102 continue to operate through


devices.

FRS 3.2.1.5.2

182) PS1, PS4 (Section 4.2.4)

Provide 24 VDC power to analog loop Loss of one power supply • Loss of single redundant power supply • PPS Trouble Alarm is activated

• No impact to protection function • The analog loops FT-414, 424, 434, 444 and PT-937

continue to operate through redundant 24 VDC power supply

• The 24 VDC power supplies are qualified as class IE devices.

FRS 3.2.1.5.2

183) PS2S, PS7S (Section 4.2.4)

Provide 48 VDC to Tricon termination module 9792-610 (AI)

Loss of one power supply • Loss of single redundant power supply • PPS Trouble Alarm is activated

• No impact to protection function • The analog input termination module continues to operate

through redundant 48 VDC power supply • The 48 VDC power supplies are qualified as class IE

devices.

FRS 3.2.1.5.2


Provide 24 VDC to Tricon termination module 9563-810 (DI)

Loss of one power supply • Loss of single redundant power supply • PS3S only – power to K1T Tricon OOS Switch


• PPS Trouble Alarm is activated • If K1T was energized, MAS alarm

would clear

• No impact to protection function • The digital input termination module continues to operate


devices.

FRS 3.2.1.5.2


Provide 24 VDC to Tricon termination module 9860-610 (AO)


• No impact to protection function • The analog output termination module continues to

operate through redundant 24 VDC power supply • The 24 VDC power supplies are qualified as class IE

devices.

FRS 3.2.1.5.2

186) PS3N, PS5N (Non-Safety cabinet) (Section 4.2.4)

Provide 24 VDC power to Tricon termination module 9853-610 (AO)




devices.

FRS 3.2.1.5.2


Provide 24 VDC power to isolation devices Loss of one power supply • Loss of single redundant power supply • PPS Trouble Alarm is activated

• No impact to protection function • The isolation devices continue to operate through the


devices.

FRS 3.2.1.5.2

188) PLF1 (Rack 1) Power Line Filter and Voltage Output Failure (Loss of Vital • Loss of Vital AC to Rack 1 (ALS), loss of all • PPS Failure Alarm is activated by • Reduced coincidence for SSPS actuation, other Protection IRS 2.4.3




(ALS) Regulator for 120 VAC supply to Rack 1 (ALS) components

Power) Protection Set I ALS functions• All DTT channels de-energize, both chassis • RCS Flow Indications (MCR) fail low • Containment Pressure signal to MCR indicator

(PI-937) fails low due to loss of loop power

ALS (both chassis)• PPS Trouble Alarm is activated

by ALS (both chassis) • Partial trip signals sent to SSPS


Sets can provide protective functions• Tricon Chassis in Rack 3 (TRICON) and Rack 4(TRICON)

unaffected as they are not supplied by this component

189) CB1 (Rack 1) Provide 120 VAC power to PS1-3 Breaker fails open • Loss of Vital AC to Power Supply PS1-3 • PPS Trouble Alarm is activated

by ALS (both chassis)

• No impact to protection function • PS4-6 provide redundant power

IRS 2.4.3

190) CB2 (Rack 1) Provide 120 VAC power to PS4-6 Breaker fails open • Loss of Vital AC to Power Supply PS4-6

• K1T Relay would de-energize if set • PPS Trouble Alarm is activated



IRS 2.4.3

191) CB3 (Rack 1) Provide 120 VAC to SSPS relays (via LSMs) for ALS protective functions

Breaker fails open • Loss of Vital AC to SSPS relays associated with

ALS Protection Set 1 • Loss of all Protection Set 1 ALS functions

• PPS Trouble Alarm is activated by ALS (both chassis) due to Trip-without-Demand condition

• DTT partial trip signals sent to SSPS with partial trip status lights illuminated in MCR

• Reduced coincidence for SSPS actuation, other Protection Sets can provide protective functions IRS 2.4.3

192) CB1 (Rack 3) CB2 (Rack 3)

Provide 120 VAC power to Rack 3 Non-Safety Related Remote RXM Chassis #3

Single Breaker fails open • Loss of Vital AC to redundant chassis power supply • PPS Trouble Alarm is activated • No impact to protection functions

• Redundant input provides power IRS 2.4.2

193) CB3 (Rack 3)

Provide 120 VAC to DI FTP 3-5U for:

• PS2N, PS3N, PS5N and PS6N failure contacts

• Manual Trip Switch status indication

Breaker fails open • Loss of wetting power to failure contacts • Loss of Manual Trip Switch status input, all

switches on associated FTP indicate tripped

• PPS Trouble Alarm is activated due to indicated loss of both non-critical instrument power supplies

• PPS Trouble Alarm is activated due to Trip-without-Demand condition indicated

• No impact to protection functions • Redundant non-Safety power supplies are still functional,

only the status information reads incorrect • Manual Trip switches are still closed, an actual trip will still

be processed by Tricon if condition is set

IRS 2.4.2

194) CB4 (Rack 3) Provide 120 VAC power to Non-Safety Related power supplies PS1N-PS4N

Breaker fails open • Loss of PS2N-4N redundant power supplies • PS1 is a spare, no effect • PPS Trouble Alarm is activated • No impact to protection functions

• Redundant PS5N-7N power supplies provide power IRS 2.4.2

195) CB5 (Rack3) Provide 120 VAC power to Non-Safety Related power supplies PS5N-PS7N

Breaker fails open • Loss of PS5N-PS7N redundant power supplies • PPS Trouble Alarm is activated • No impact to protection functions • Redundant PS2N-PS4N power supplies provide power

IRS 2.4.2

196) CB6 (Rack 3) Provide 120 VAC (from non-vital source) to Class II components in Rack 3

Breaker fails open

• Loss of MWS Monitor – no local indications or maintenance functions accessible for ALS or Tricon

• Loss of KVM Switch – no local indications or maintenance functions accessible for ALS or Tricon

• Monitor does not function when attempted to access for either MWS application

• Power indication LEDs on devices are not lit

• No impact to protection functions • Indications and status are available via the Gateway

Computer for both ALS and Triconex components • ALS Manual Trip and Bypass Switches are not affected • Triconex Manual Trip, OOS and Bypass Switches are not

affected

IRS 2.4.2





Breaker fails open

• Loss of ALS MWS PC – no maintenance functions accessible for ALS

• Loss of redundant Port Aggregator #1 • Loss of redundant Media Converter #1 • Loss of redundant network switch #1

• ASU application unavailable when attempted to access



Computer for both ALS and Triconex components • ALS Manual Trip and Bypass Switches are not affected • Tricon MWS application unaffected due to redundant

components powered from CB8 • Tricon status information to Gateway Computer

unaffected due to redundant components powered from CB8

IRS 2.4.2


Breaker fails open

• Loss of Tricon MWS PC – no maintenance functions accessible for Tricon


• Tricon MWS application unavailable when attempted to access



Computer for Triconex components due to redundant components powered from CB7

• Tricon Manual Trip, OOS and Bypass Switches are not affected

IRS 2.4.2

199) PLF1 (Rack 4)

Power Line Filter and Voltage Regulator for 120 VAC supply to Rack 3 (Non-Safety) CB1-5 and Rack 4 (Safety) CB1-11

Output Failure (Loss of Vital Power)

• Loss of Vital AC to Rack 3 (Non-Safety) and Rack 4 (Safety) , loss of all Protection Set I Tricon functions

• All DTT channels de-energizes • Analog Outputs (MCR) fail low • PZR Pressure Loop Power Supply loss, loss of

ALS PZR Pressure functions

• PPS Failure Alarm (Tricon) is activated

• PPS Trouble Alarm (Tricon) is activated

• PPS Failure Alarm is activated by ALS (both chassis) due to failed PZR Pressure input to both chassis



• ALS RCS Flow and Containment Pressure unaffected as they are supplied Loop Power from Rack 1 Vital Power

IRS 2.4.2


Provide 120 VAC power to Rack 4 Safety Related Chassis #1

Single Breaker fails open • Loss of Vital AC to redundant chassis power supply • PPS Trouble Alarm is activated

• No impact to protection functions • Redundant input provides power

IRS 2.4.2





IRS 2.4.2

202) CB5 (Rack 4) Provide 120 VAC to DI FTP 2S-5U for Manual Trip Switch status indication

Breaker fails open • Loss of Manual Trip Switch status input, all switches on associated FTP indicate tripped

•


• No impact to protection functions, actual trip did not occur but can still be processed by Tricon

IRS 2.4.2

203) CB6 (Rack 4)

Provide 120 VAC to DI FTP 2S-5L for Manual Trip Switch status indication

Breaker fails open • Loss of Manual Trip Switch status input, all switches on associated FTP indicate tripped (DTT)


• No impact to protection functions, actual trips did not occur and can still be processed by Tricon

IRS 2.4.2




Provide 120 VAC to DI FTP 2S-5L for PC-505A Bypass Switch status indication

• If PC-505A Bypass Switch was set, (1) would no longer indicate Bypass; and (2) maintenance functions would be denied by MWS application for Turbine Impulse Pressure 505 channel

204) CB7 (Rack 4) Provide 120 VAC to DO FTP 2S-6U for SSPS relay actuation

Breaker fails open • Loss of source power to associated SSPS relays (de-energized)

• PPS Trouble Alarm is activated due to Trip-without-Demand condition

• Partial trip signal sent to SSPS with partial trip status lights illuminated in MCR


IRS 2.4.2






IRS 2.4.2

206) CB9 (Rack 4) Provide 120 VAC power to Safety Related power supplies PS1S-PS4S

Breaker fails open • Loss of PS2S-4S redundant power supplies • PS1 is a spare, no effect • PPS Trouble Alarm is activated • No impact to protection functions

• Redundant PS5S-PS7S power supplies provide power IRS 2.4.2


Breaker fails open • Loss of PS5S-7S redundant power supplies • PPS Trouble Alarm is activated • No impact to protection functions • Redundant PS2S-PS4S power supplies provide power

IRS 2.4.2

208) CB11 (Rack 4) Provide 120 VAC power to PC505A_Byp Switch for maintaining Bypass condition

Breaker fails open • If PC505A_Byp switch was in Bypass, SSPS trip would actuate

• Partial trip signal to SSPS, partial trip status lights illuminated in MCR

• Undetectable if not in Bypass

• No impact to protection functions • If Bypass Switch was not set, there would be no impact to

operability. On performing a maintenance function and setting the Bypass Switch there would be indications that it failed to set

IRS 2.4.2

209) MWS Monitor KVM Switch

Provides local status indication and maintenance functions for both ALS and Tricon channels (switchable – monitor is shared only)

• Monitor fails • Switch fails

• Local indications are unavailable for both ALS and Triconex chassis

• Maintenance functions are unavailable for both ALS and Triconex chassis for the Protection Set

• Monitor does not function when attempted to access


Computer for both ALS and Triconex components • ALS Manual Trip and Bypass Switches are not affected • Tricon Manual Trip, OOS and Bypass Switches are not

affected

IRS 2.3.7

210) ALS MWS PC

Provides local status indication and maintenance functions for ALS channels (both chassis)

PC fails

• Local indications are unavailable for both ALS chassis

• Maintenance functions are unavailable for both ALS chassis

• ASU application does not function when attempted to access


Computer for both ALS chassis via TxB1 communications • ALS Manual Trip and Bypass Switches are not affected • Triconex indications and functions are unaffected as they

come from a separate PC

IRS 2.3.7

211) ALS MWS Serial Card Chassis A

Provides serial connection for ALS Chassis A status indication and maintenance

• Card Failure • Open wire condition

• Local indications are unavailable for ALS chassis A

• Maintenance functions are unavailable for ALS

• ASU application indicates loss of TxB2 communications for Chassis A


Computer for ALS chassis A via TxB1 communications IRS 2.3.4




ALS TxB2 Serial Components Chassis A

functions to the MWS chassis A • If TAB were enabled, the ASU application would indicate a loss of TAB communications for Chassis A

• ALS Chassis B indications, status and maintenance functions are available

• ALS Manual Trip and Bypass Switches are not affected

212)

ALS MWS Serial Card Chassis B ALS TxB2 Serial Components Chassis B

Provides serial connection for ALS Chassis B status indication and maintenance functions to the MWS


• Local indications are unavailable for ALS chassis B

• Maintenance functions are unavailable for ALS chassis B

• ASU application indicates loss of TxB2 communications for Chassis B

• If TAB were enabled, the ASU application would indicate a loss of TAB communications for Chassis B


Computer for ALS chassis A via TxB1 communications • ALS Chassis A indications, status and maintenance

functions are available • ALS Manual Trip and Bypass Switches are not affected

IRS 2.3.4

213) ALS TxB1 Serial Components Chassis A

Provides serial wiring and cable connections for ALS Chassis A to the MWS

Open wire condition • Remote indications are unavailable for ALS chassis A via Gateway Computer

• Remote application indicates loss of TxB1 communications for Chassis A

• No impact to protection functions • Indications and status are available on ASU (MWS) via the

TxB2 communications • Indications and status are available via the Gateway

Computer for ALS chassis B via TxB1 communications

IRS 2.3.4

214) ALS TxB1 Serial Components Chassis B

Provides serial wiring and cable connections for ALS Chassis B to the MWS

Open wire condition • Remote indications are unavailable for ALS chassis B via Gateway Computer

• Remote application indicates loss of TxB1 communications for Chassis B



Computer for ALS chassis A via TxB1 communications

IRS 2.3.4

215) Tricon MWS PC

Provides local status indication and maintenance functions for Triconex channels

PC fails

• Local indications are unavailable for Triconex chassis

• Maintenance functions are unavailable for Triconex chassis

• MWS application indicates loss of Tricon communications


computer • Tricon Manual Trip, OOS and Bypass Switches are not

affected • ALS indications and functions are unaffected as they come

from a separate PC

IRS 2.3.7

216) Media Converter #1 Media Converter #2

Provides fiber optic conversion to MT RJ45 Ethernet

Converter fails

• Loss of single source of communications to MWS

• Loss of single source of output data to Gateway Computer

• Tricon MWS application indicates a loss of redundant communication

• Gateway Computer indicates a loss of redundant input

• No impact to protection functions • Tricon Manual Trip, OOS and Bypass Switches are not

affected • MWS Indications and maintenance functions are available

from the redundant components • Indications and status are available via the Gateway

computer from the redundant components

IRS 2.3.1, 2.3.2, 2.3.3

217) Port Aggregator #1 Port Aggregator #2

• Provides unidirectional data to the Gateway Computer

• Provides bi-directional communications between the Tricon and the MWS

Aggregator fails









IRS 2.3.1, 2.3.2, 2.3.3




218) Network Switch #1 Network Switch #2

Provides communications between the MWS and the Port Aggregators

Switch fails • Loss of single source of communications to MWS




from the redundant components • Gateway computer unaffected as it is not connected to

these switches

IRS 2.3.1, 2.3.2, 2.3.3

219) Serial Device Server A Serial Device Server B

Provides data from the ALS Serial Devices (TxB1) to the Gateway Computer

Device fails • Loss of TxB1 data from either the A or B ALS

Chassis from each Protection Set to the Gateway Computer


• No impact to protection functions • Other Chassis TxB1 data available from other Serial Device

Server • All data available on individual Protection Set MWS via

TxB2 data streams

IRS 2.3.4


PROCESS PROTECTION SYSTEM (PPS) REPLACEMENT Failure Modes and Effects Analysis (FMEA), Protection Set II, Attachment 2


1)

TE-433A TE-433B TE-443A TE-443B (Section 5.1.1)

Provide Reactor Coolant WR Temp Loop 3 and 4 Hot Leg/Cold leg signals for Indication / Processing Provide Reactor Coolant WR Loop 4 temperature indication (TE-443A, TE-443B) to HSP


ALS-System • Signal fails low • ALS sets analog output to Tricon to 0mA

• PPS Failure Alarm is activated from Tricon due to the OOR


• RVLIS Trouble Alarm is activated (TE-433A and TE-443B only)

• MCR indicator (TR-433 or TR-443) fails low

• ERFDS indication fails low • Output to LTOP (PCV-455C)

energizes

• No protection function impact • Same failure mode as existing system • Reactor Coolant WR Hot leg and Cold leg temperature

signals are available from PPS Set I • Reactor Coolant WR Hot leg or Cold leg temp signal to MCR

recorders and ERFDS is available from PPS Set I • Reactor Coolant WR Hot leg temp signal to RVLIS is

available from PPS Set I • Reactor Coolant WR Cold leg temp Low signal to LTOPS (to

open valve PCV-456) is available from PPS Set I • PCV-455C control switch Close/Open capability

unaffected, only Auto for LTOP impacted • ALS Chassis do not activate a Failure Alarm for OOR

conditions IAW IRS 1.5.5.5 • Reactor Coolant WR Temp Loop 4 Hot Leg/Cold Leg signals

are available at the HSP by Placing the HSDP transfer switch to HSDP position (TE-443A/443B only) ; bypasses PPS electronic processing.

FRS 3.2.3

2)

Triconex System• Tricon output fails low (0.0 mA) • Reactor Coolant WR Hot leg or Cold leg Temp

signal to MCR Recorders and ERFDS fails low • Reactor Coolant WR Hot leg temp signal to

RVLIS fails low (from TE-433A and TE-443A only)

• Reactor Coolant WR Cold leg temp signal to LTOP (TE-433B only) is not available (ETT)

3)


ALS-System • Signal fails low • ALS sets analog output to Tricon to 0 mA

4)

Triconex System • Tricon output fails low (0.0 mA) • Reactor coolant WR Hot leg or Cold leg Temp

signal to MCR Recorders and ERFDS fails low • Reactor Coolant WR Hot leg temp signal to

RVLIS fails low (from TE-433A and TE-443A only)

• reactor Coolant WR Cold leg temp signal to LTOP (TE-433B only) is not available (ETT)

5)


Provide Reactor Coolant NR Cold leg (Tcold) Loop 2 temperature signal for MCR indication / protection / control circuit


ALS-System • Signal fails low • ALS sets analog output to Tricon to 0 mA due

to OOR condition • PPS Trouble Alarm is activated from Tricon due to Tcold OOR



• No protection function impact • Same failure mode as existing system • Reactor Coolant NR Cold leg (Tcold) temperature signal is

available from PPS Set I (loop 1), Set III (loop 3), Set IV (loop 4)

• Tricon PPS Set II Sensor Quality Algorithm 2 (SQA2) provides valid Tcold with at least 1 good RTD in each loop


FRS 3.2.5 6)

Triconex System• Reactor Coolant NR Cold leg temperature

(Tcold) signal to Tricon fails low (0.0 mA) • Tricon Sensor Quality Algorithm 2 (SQA2)

rejects failed signal

7) RTD Short Circuit (one element shorts)





8)

Triconex System• Reactor Coolant NR Cold leg temperature

(Tcold) signal to Tricon fails low (0.0 mA) • Tricon Sensor Quality Algorithm 2 (SQA2)

rejects failed signal

9)


Provide Reactor Coolant NR Hot leg (Thot) Loop 2 temperature signal for MCR indication / protection / control circuit



• PPS Trouble Alarm is activated from Tricon due to Thot OOR


• No protection function impact • Same failure mode as existing system • Reactor Coolant NR Hot leg temperature (Thot) signals to

Tricon are available from PPS Set I, III, IV • Tricon PPS Set II Sensor Quality Algorithm 3A (SQA3A) or

3B (SQA3B) provides valid Thot average with at least 2 good RTD's in either Group A or Group B


FRS 3.2.5

10)

Triconex System• Tricon input (0.0 mA) • Tricon Sensor Quality Algorithm 3A (SQA3A -


11)


ALS-System • Signal fails low • ALS-sets analog output to Tricon to 0 mA

12)

Triconex System• Tricon input(0.0 mA) • Tricon Sensor Quality Algorithm 3A (SQA3A -





• Signal fails low • ALS-102 DOCH function sets comparators to

fail safe state (de-energized) – both chassis • ALS-102 AOCH function sets analog outputs to

fail safe state (0 mA) – both chassis • RCS flow signal to MCR indicator fails low



• RCS Low Flow partial trip signal sent to SSPS with partial trip status light illuminated in MCR

• MCR RCS flow indication fails low

• Reduced coincidence for SSPS actuation • Same failure mode as existing system • MCR RCS Loop flow indication is available from PPS Set I

and III • RCS Low Flow Rx trip available from PPS Set I and III

FRS 3.2.2


15) PT-456 (Section 4.4 and 5.1.2)

Provide PZR Pressure signal for MCR indication / Processing / Protection




ALS-System


• PT-456 Virtual Channels (5) OOR indication for both ALS-chassis (MWS – ALS)

• MCR indicator (PI-456) fails low

• Reduced coincidence for SSPS actuation • Same failure mode as existing system • OTDT Trip signal to SSPS is available from PPS Set I, III, IV • OTDT interlock C3 is available PPS Set I, III, IV • OTDT setpoint to MCR is available from PPS Set I (T/411A,

TI-411C), III (T/411A, TI-431C), IV (T/411A, TI-441C)

FRS 3.2.7





• Signal to ALS fails low • ALS 102 DOCH function sets comparators to

fail safe state (de-energized) – both chassis • PZR Pressure High to PC-456EX (PORV

actuation) is not available (ETT) TRICON System • PZR Pressure signal to Tricon fails low • OTDT Trip signal to SSPS is set • PZR Pressure signal fails low to



• PCS Trouble alarm is activated Partial trip signal sent to SSPS with partial trip status lights illuminated in MCR • PZR Pressure Low-Low SI to SSPS • PZR Pressure High Rx Trip to SSPS • PZR Pressure Low Rx trip to SSPS • Unblock SI, P11 to SSPS

• PZR Pressure Low-Low SI to SSPS is available from PPS Set I, III, IV

• PZR Pressure High Rx Trip to SSPS is available from PPS Set I, III, IV

• PZR Pressure Low Rx trip to SSPS is available from Set I, III, IV

• Unblock SI, P11 to SSPS is available from PPS Set I, III • PZR Pressure High to RNASA (PORV actuation) is available

from PPS Set I, III, IV) • PZR Pressure Signal to MCR indicator is available from PPS

Set I, III , IV • Signal to PZR Pressure Control is available from PPS Set I,

III, IV

17)

LT-460 (section 5.1.2)

Provide PZR Level signal for MCR indication / HSP indication/ ERFDS / Processing / Protection

Open Circuit

• PZR Level signal to Tricon fails low • PZR Level Signal to MCR indicator fails low • PZR Level Signal to HSP indicator fails low • PZR Level signal to PZR Level control (PCS) Set I

fails low • PZR Level signal to PZR Level control (PCS) Set

II fails low • PZR Level signal to ERFDS fails low • PZR Level High Rx trip to SSPS is set

• PPS Failure Alarm is activated • PCS Trouble Alarm is activated • LT-460 OOR indication (MWS) • PZR Level High partial trip signal


• ERFDS indication fails low • MCR indicator (LI-460A) fails low • HSP indicator (LI-460B) fails low


Set II) and ERFDS is available from PPS Set I and III • PZR Level signal to HSP indicator is available from PPS Set I • PZR Level High signal to SSPS (Reactor Trip) is available

from Set I and III

FRS 3.2.6

18) Short Circuit


Provide Steam Generator Steam Flow signal for MCR indication / DFWCS / ERFDS

Open Circuit • SG Steam Flow signal to Tricon fails low • SG Steam Flow Signal to MCR indicator fails

low • SG Steam Flow signal to DFWCS fails low • SG Steam Flow signal to ERFDS fails low

• PPS Trouble Alarm is activated • DFWCS Trouble Alarm is activated • MCR indicator (FI-513, 523, 533,

543) fails low • FT-513 OOR indication (MWS) • FT-523 OOR indication (MWS) • FT-533 OOR indication (MWS) • FT-543 OOR indication (MWS) • ERFDS indication fails low

• No protection function impact • Same failure mode as existing system • SG Steam Flow signal to MCR indicator, ERFDS and DFWCS

is available from PPS Set I

FRS 3.2.9

20) Short Circuit

21)

PT-515 PT-525 PT-535 PT-545 (Section 5.1.2)

Provide Steam Generator Steam Pressure signal MCR indication / DFWCS / ERFDS / Protection

Open Circuit • SG Steam Pressure signal to Tricon fails low • SG Steam Pressure signal to MCR indicator fails

low • SG Steam Pressure signal to DFWCS fails low • SG Steam Pressure signal to ERFDS fails low • SG Low Steam Pressure signal to SSPS (SI and

Steam Line isolation) is set • SG High Steam Pressure signal to SSPS

(Negative Rate Steam Line isolation) is set

• PPS Failure Alarm is activated • DFWCS Trouble Alarm is activated • MCR indicator (PI-515, 525, 535,

545) fails low • PT-515 OOR indication (MWS) • PT-525 OOR indication (MWS) • PT-535 OOR indication (MWS) • PT-545 OOR indication (MWS) • SG Low Steam Pressure partial trip

signals sent to SSPS with partial trip status lights illuminated in

• Reduced coincidence for SSPS actuation • Same failure mode as existing system. • SG Steam pressure signal to MCR indicator and DFWCS is

available from PPS Set I, III, IV • Signal to ERFDS is available from PPS Set I • SG Low Steam Line Pressure to SSPS (SI and Steam Line

isolation) is available from PPS Set I, III, IV • SG Steam Line Pressure to SSPS (High Negative Rate Steam

Line isolation) is available from PPS Set I, III, IV

FRS 3.2.10

22) Short Circuit




MCR• ERFDS indication fails low

23)


Provide Steam Generator 1 Level signal for MCR indication / DFWCS / AFW (PCS) / Protection

Open Circuit • SG1 Level signal to Tricon fails low • SG1 Level signal to MCR indicator fails low • SG1 Level signal to DFWCS fails low • SG1 Level signal to AFW (PCS) fails low • SG1 Level High-High signal to SSPS (Turbine

Trip, FW Isolation, Interlock P-14) is set • SG1 Level Low-Low signal to SSPS ( Rx trip and


• PPS Failure Alarm is activated • DFWCS Trouble Alarm is activated • PCS (AFW) Trouble Alarm is




available from PPS Set III and IV • SG1Level High-High signal to SSPS (Turbine Trip, FW

isolation. Interlock P-14) is available from PPS Set III and IV • SG1 Level Lo-Lo signal to SSPS (Rx trip and AFW pump start)

from PPS Set III and IV

FRS 3.2.11

24) Short Circuit

25)

LT-549 (section 5.1.2)

Provide Steam Generator 4 Level signal MCR indication / DFWCS / AFW (PCS) / AMSAC / Protection

Open Circuit

• SG4 Level signal to Tricon fails low • SG4 Level signal to MCR indicator fails low • SG4 Level signal to DFWCS fails low • SG4 Level signal to AFW (PCS) fails low • SG Level signal to AMSAC fails low • SG4 Level High-High signal to SSPS (Turbine






• Reduced coincidence for SSPS actuation • Same failure mode as existing system. • SG 4 Level Signal to MCR indicator, DFWCS and AFW (PCS)

is available from PPS Set III and IV • Signal to AMSAC is available from PPS Set I (SG3), PPS Set III

(SG2) and PPS Set IV (SG1) • SG4 High-High Level signal to SSPS (Turbine Trip, FW

isolation, Interlock P-14) is available from PPS Set III and IV • SG4 Lo-Lo Level signal to SSPS (Rx trip and AFW pump


FRS 3.2.11

26) Short Circuit

27)


Provide Turbine Impulse Chamber Pressure signal for MCR indication / AMSAC / Interlock

Open Circuit





• PPS Failure Alarm is activated • AMSAC General Warning Alarm • MCR indicator (PI-506) fails low • PT-506 OOR indication (MWS) • Partial trip signals sent to SSPS


• No protection function impact • Same failure mode as existing system • Turbine Chamber Impulse Pressure signal to AMSAC is

available from PPS Set I (PT-505) • Turbine Chamber Impulse Pressure signal to MCR indicator

is available from PPS Set I (PT-505) • Turbine Impulse Pressure High to SSPS is available from PPS

Set I (P13 interlock – PT-505)

FRS 3.2.12

28) Short circuit

29)


Provide Containment Pressure signal for MCR indication / ERFDS / Protection

Open Circuit


(PI-936) fails low • Containment Pressure signal to ERFDS fails low • Containment Pressure High signal to SSPS (SI,

Phase A isolation) is set • Containment Pressure High-High signal to SSPS

(Containment Pressure-Phase B isolation

• PPS Failure Alarm is activated • MCR indicator (PI-936) fails low • PT-936 Virtual Channels (2) OOR


• ERFDS indication fails low • Partial trip signals sent to SSPS

with partial trip status lights


Set I, III, IV • Containment Pressure High-High signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from PPS Set I,III, IV

• Containment Pressure High signal to SSPS (SI, Phase A

FRS 3.2.13

30) Short circuit




containment Spray, Steam Line Isolation) is not available (ETT)

illuminated in MCR isolation) is available from PPS Set III and IV

31)

NE-42A (Section 5.1.4)


Open Circuit


• Overtemperature Delta-T Trip to SSPS is set • Upper Flux signal fails low to Overpower








Set I, III, IV • MCR Overpower Setpoint indication is available from PPS

Set PPS Set I, III, IV • MCR Overtemperature Setpoint indication is available

from PPS Set I, III, IV


• Upper Flux signal to Tricon fails low • Upper Flux signal fails low to Overpower



• MCR (Overpower Setpoint indication - T/411A, TI-421B) do not channel check





Set I, III, IV • MCR Overtemperature Setpoint indication is available from

PPS Set I, III, IV • Fail low at 0 V does not incur OOR condition as it is within



• Upper Flux signal to Tricon fails high > 10 V • Overtemperature Delta-T Trip to SSPS is set • Upper Flux signal fails low to Overpower




• NE-42A OOR indication (MWS) • MCR indications (T/411A, TI-421B,

TI-421C) do not channel check • Partial trip signals sent to SSPS




Set I, III, IV • MCR Overtemperature Setpoint indication is available


34) NE-42B (Section 5.1.4)

Provide Power Range Neutron Flux (Lower) signal to calculate DTTA Overpower and Overtemperature Delta-T setpoint for Protection and MCR indication

Open Circuit


• Overtemperature Delta-T Trip to SSPS is set • Lower Flux signal fails low to Overpower

Setpoint calculation • Lower Flux signal fails low to Overtemperature









PPS Set I, III, IV

FRS 3.2.5

35) Short circuit (0 VDC) • Lower Flux signal to Tricon fails low • Lower Flux signal fails low to Overpower




• Same failure mode as existing system




• Lower Flux signal fails low to Overtemperature Setpoint calculation



• MCR Overpower Setpoint indication is available from PPS Set I, III, IV

• MCR Overtemperature Setpoint indication is available from PPS Set I, III, IV

• Fail low at 0 V does not incur OOR condition as it is within the normal range of the signal value


• Lower Flux signal to Tricon fails high > 10 V • Overtemperature Delta-T Trip to SSPS is set • Lower Flux signal fails high to Overpower




• NE-42B OOR indication (MWS) • MCR indications (T/411A, TI-421B,

TI-421C) do not channel check • Partial trip signals sent to SSPS





PPS Set I, III, IV

37)

TE-433A TE-433B TE-420B TE-420A TE-421A TE-422A (Section 5.1.1)

Provide Reactor Coolant Loop 3 WR Temp Hot Leg /Cold Leg signal for Indication / Processing (TE-433A, 433B) Provide Reactor Coolant Loop 2 NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / protection / control circuit (TE-420A, 220B, 421A, 422A


• ALS-102 AOCH function sets affected analog outputs to Tricon to 0 mA







• MCR indicator (TR-433) fails low • ERFDS indication (TE-433A, TE-

433B) fails low • MWS indicates bad health status

for board

• No protection function impact • RCS WR LP4 Hot leg and Cold leg temperature signals are

available from chassis B to Tricon • Reactor Coolant WR Cold leg temp Low signal to LTOPS (to

open valve PCV-456) is available from PPS Set I, loop 2 cold leg

• PCV-455C control switch Close/Open capability unaffected, only Auto for LTOP impacted



• RCS WR LP1 and LP2 Hot leg and Cold leg temperature signals are available from PPS Set I


• Reactor Coolant NR Tcold/Thot temperature signals are available from PPS Set I, III and IV

FRS 3.2.3, 3.2.5 IRS 2.8.1.2

38)




39)





• Exception to IRS section 2.8.1.2. The PPS Failure Alarm will be activated by the ALS system due to the output channel integrity error. This mitigates the possibility that an "unknown" output state would result in an undetected failure since the Tricon would not alarm on a OOR low signal




40)

TE-443A TE-443B TE-421B TE-420C TE-421C TE-422C (Section 5.1.1)

Provide Reactor Coolant Loop 4 WR Temp Hot Leg /Cold Leg signal for Indication / Processing (TE-443A, 443B) Provide Reactor Coolant NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / Protection / Process Control (TE-421B, 420C, 421C, 422C) Provide Reactor Coolant WR Loop 4 temperature indication (TE-443A, 443B) to HSP









• ERFDS indication (TE-443A, TE-443B) fails low


• No Impact to protective function • RCS WR LP3 Hot leg and Cold leg temperature signals are

available from chassis A to Tricon • Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed





• Reactor Coolant NR Tcold/Thot temperature signals are available from PPS Set I, III and IV

• Reactor Coolant WR Temp Loop 4 Hot Leg/Cold leg signals are available at the HSP by placing the transfer switch in HSDP position (See section 5.1.5) ; bypasses PPS electronic processing.

FRS 3.2.3, 3.2.5 IRS 2.8.1.2



41)


42)



• PPS Failure Alarm is activated due to Output Channel Integrity Error (CIE)


• Exception to IRS section 2.8.1.2, the PPS Failure Alarm will be activated by ALS-due to the output channel integrity error. This mitigates the possibility that an "unknown" output state would result in an undetected failure since the Tricon would not have an OOR low signal to alarm on

43)

FT-415 FT-425 FT-435 FT-445 PT-936 PT-456






• ALS-102 DOCH function sets comparators to fail safe state (de-energized)





• PPS Trouble Alarm is activated by other chassis due to Trip-without-Demand condition sensed by LSM

• MCR indication (FI-415, 425, 435, 445) fails low for associated chassis



• PT-936 Virtual Channels (2) OOR

• Reduced coincidence for SSPS actuation • RCS flow signal to MCR indications are available for the


Set I and III • RCS Low Flow Rx trip available from PPS Set I and III • PZR Pressure Low signal to SSPS is available from other

chassis and PPS Set I, III and IV • PZR Pressure Low-Low signal to SSPS is available from

other chassis and PPS Set I, III and IV • PZR Pressure High signal to SSPS is available from other

chassis and PPS Set I, III and IV • PZR SI permissive (P11) signal to SSPS is available from

other chassis and PPS Set I, III • PZR Pressure High signal to RNASA (PORVS) is available

from other chassis and PPS Set I, III and IV

FRS 3.2.2, 3.2.7, 3.2.13




indication for affected ALS chassis (MWS)



• Containment Pressure High-High signal to SSPS (Phase B isolation containment Spray, Steam Line Isolation) is available from the other chassis

• Containment Pressure High-High signal to SSPS (Phase B isolation containment Spray, Steam Line Isolation) is available from PPS Set I, III, IV

• Interactions with other systems/indications are unaffected as the input loop remains intact

•

44)





• Containment Pressure High signal to SSPS (SI, Phase A isolation) is set






• Reduced coincidence for SSPS actuation • RCS Low Flow Rx trip available from PPS Set I and III • PZR Pressure Low signal to SSPS is available from other

chassis and PPS Set I, III and IV • PZR Pressure Low-Low signal to SSPS is available from

other chassis and PPS Set I, III and IV • PZR Pressure High signal to SSPS is available from other

chassis and PPS Set I, III and IV • PZR SI permissive (P11) signal to SSPS is available from

other chassis and PPS Set I, III • PZR Pressure High signal to RNASA (PORVS) is available

from other chassis and PPS Set I, III and IV • Containment Pressure High-High signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from PPS Set I, III, IV

• Containment Pressure High signal to SSPS (SI, Phase A isolation) is available from PPS Set III, IV

45)

ALS-421-1 (Slot 1) failure in chassis A or B (total loss of AO module due to power supply failure, both boards latch failure)



• MCR indication (FI-415, FI-425) fails low


• No protection function impact • RCS flow signal to MCR indications are available for the


Set I and III • If the AO module fails due to multiple electronics failure, it

is possible that ALS-421-1 output fails to “unknown state” and the fail-safe output state may not occur.

46)

FC-415_FB_LSM_A(B) FC-425_FB_LSM_A(B) FC-435_FB_LSM_A(B) FC-445_FB_LSM_A(B) PC-456A_FB_LSM_A(B) PC-456B_FB_LSM_A(B) PC-456C_FB_LSM_A(B) PC-456D_FB_LSM_A(B) PC-456E_FB_LSM_A(B)











chassis

FRS 3.2.1.3




PC-936A_FB_LSM_A(B) PC-936B_FB_LSM_A(B) FC-415_Byp_A(B) FC-425_Byp_A(B) FC-435_Byp_A(B) FC-445_Byp_A(B) PC-456A_Byp_A(B PC-456B_Byp_A(B PC-456C_Byp_A(B PC-456D_Byp_A(B PC-456E_Byp_A(B PC-936A_Byp_A(B PC-936B_Byp_A(B PS1FAIL_IIA(B) PS2FAIL_IIA(B) PS3FAIL_IIA(B) PS4FAIL_IIA(B) PS5FAIL_IIA(B) PS6FAIL_IIA(B)

47)

ALS MAS Alarms (Section 4.5.2.2) UY-PS2A_DIV-A(B) UY-PS2B_DIV-A(B) UY-PS2C_DIV-A(B) UY-PS2D_DIV-A(B)









• No protection function impact




48) NE-42A NE-42B














Set PPS Set I, III, IV • MCR Overtemperature Setpoint indication is available


FRS 3.2.5




49)

TE-433A TE-433B TE-420B TE-420A TE-421A TE-422A PT-456 FT-513 FT-533 PT-515 PT-535 LT-519 PT-506









• Provide Turbine Impulse Chamber Pressure signal for Protection (PT-506)


• Inputs fail low • WR LP3 Thot/Tcold indication to MCR

recorder and ERFDS fails low • WR LP3 Thot signal to RVLIS fails low • Sensor Quality Algorithm (SQA2) rejects failed

signal • Sensor Quality Algorithm 3A (SQA3A - Group

A) rejects failed signals • PZR Pressure signal fails low to

Overtemperature Setpoint calculation • OTDT Trip signal to SSPS is set (PZR Pressure

fails low) • SG1 and SG3 Steam Flow Signal to MCR


low • SG1 and SG3 Low Steam Pressure signal to

SSPS (SI and Steam Line isolation) is set • SG1 and SG3 High Steam Pressure signal to

SSPS (Negative Rate Steam Line isolation) is set

• SG1 Level High-High signal to SSPS (Turbine Trip, FW Isolation, Interlock P-14) is set

• SG1 Level Low-Low signal to SSPS (Rx trip and AFW pump start) is set



• Reactor Coolant WR LP3 Cold leg temp Low signal to LTOP (PCV-455C) is not available from PPS Set I (ETT)



• MCR indicator (TR-433) fails low for WR LP 3 RTDs



• MCR indicator (PI-506) fails low for Turbine Impulse Chamber Pressure







• RCS WR LP4 Hot leg and Cold leg temperature signals are available from Slot 4 of Tricon


• Tricon Sensor Quality Algorithm 3A (SQA3A) provides valid Thot average with at least 2 good RTD's in Group B



• OTDT setpoint to MCR is available from PPS Set I (T/411A, TI-411C), III (T/411A, TI-431C), IV (T/411A, TI-441C)

• OTDT Trip signal to SSPS is available from PPS Set I, III, IV • Steam Generator Loop 1 Low Steam Pressure signal to

SSPS (SI and Steam Line isolation) is available from PPS Set I and IV

• Steam Generator Loop 3 Low Steam Pressure is available for SI and Steam Line isolation (SSPS) from PPS Set I and III

• Steam Generator 1 Level High-High signal to SSPS (turbine trip, feedwater isolation, interlock P14) is available from PPS Set III and IV

• Turbine Impulse Chamber Pressure High signal to SSPS (P13 interlock) is available from PPS Set I

• Steam Generator Loop 1 High Negative Rate Steam Line Pressure are available for Steam Line isolation (SSPS) from PPS Set I and IV

• Steam Generator Loop 3 High Negative Rate Steam Line Pressure are available for Steam Line isolation (SSPS) from PPS Set I and III

• Steam Generator 1 Low-Low Level signal to SSPS (Rx trip, AFW pump start) is available from PPS Set III and IV

• Steam Generator Loop 1 and 3 Steam Flow are available to the MCR indicator and ERFDS from PPS Set I

• Turbine Impulse Chamber Pressure signal to MCR indicator is available from PPS Set I

• Interactions with other systems/indications associated

FRS 3.2.3, 3.2.5, 3.2.7, 3.2.9, 3.2.10, 3.2.11, 3.2.12




with the input loop are unaffected as the input loop remains intact




50)

TE-443A TE-443B TE-421B TE-420C TE-421C TE-422C LT-460 FT-523 FT-543 PT-525 PT-545 LT-549


• Provide Reactor Coolant Loop 2 NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / protection / control circuit (Group B) (TE-420C, 421B, 421C, 422C)






• Provide SG4 Level signal for Protection (LT-459)




signal • Sensor Quality Algorithm 3A (SQA3A - Group

A) rejects failed signals • SG2 and SG4 Steam Flow Signal to MCR


low • SG2 and SG4 Low Steam Pressure signal to

SSPS (SI and Steam Line isolation) is set • SG2 and SG4 High Steam Pressure signal to

SSPS (Negative Rate Steam Line isolation) is set


• SG4 Level Low-Low signal to SSPS ( Rx trip and AFW pump start) is set



• MCR indicator (TR-443) fails low for WR LP4 RTDs





• Reduced coincidence for SSPS actuation • RCS WR LP3 Hot leg and Cold leg temperature signals are

available from Slot 3 of Tricon • Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed








• PZR Level High signal to SSPS (Rx trip) is available from PPS Set I and III

• Steam Generator Loop 2 Low Steam Pressure signal to SSPS (SI and Steam Line isolation) is available from PPS Set I and III

• Steam Generator Loop 4 Low Steam Pressure signal to SSPS (SI and Steam Line isolation) is available from PPS Set I and IV

• Steam Generator 4 High-High Level signal to SSPS (turbine trip, feedwater isolation, interlock P14) is available from PPS Set III and IV

• Steam Generator Loop 2 and 4 Steam Flow are available to the MCR indicator and ERFDS from PPS Set I

• Interactions with other systems/indications are unaffected as the input loop remains intact

• Reactor Coolant WR Temp Loop 4 Hot Leg/Cold leg signals are available at the HSP by placing the transfer switch in HSDP position (See section 5.1.5) ; bypasses PPS electronic processing.

FRS 3.2.3, 3.2.5, 3.2.6, 3.2.9, 3.2.10, 3.2.11

51)

TE-433A TE-443B FT-523 FT-543

• Provide Reactor Coolant Loop 3 WR Temp Hot Leg signal for Indication / Processing (TE-433A)


• Analog outputs fail low (de-energized) • WR LP3 Thot indication to MCR, REVLIS and

ERFDS fails low • WR LP4 Tcold indication to MCR and ERFDS



• No protection function impact • The same failure mode as existing system • MCR indicator, ERFDS for WR LP3 Tcold and MCR indicator,

ERFDS, RVLIS for LP4 Thot available from Slot 6

FRS 3.2.3, 3.2.9




• Provide Reactor Coolant Loop 4 WR Temp Cold leg signal for Indication / Processing ((TE-443B)



fails low• SG2 and SG4 Steam Flow signal to MCR and

ERFDS fails low



• ERFDS indication fails low (TE-433A, TE-443B)



• Steam Flow indications available from PPS Set I • WR Temperature Indication available on both ALS and

Tricon MWS applications • Steam Flow indication available on Tricon MWS • WR Temperature and Steam Flow Indication available via

the Gateway Computer

52)

TE-433B TE-443A FT-513 FT-533

• Provide Reactor Coolant Loop 3 WR Temp Cold Leg signal for Indication / Processing (TE-433A)

• Provide Reactor Coolant Loop 4 WR Temp Hot leg signal for Indication / Processing (TE-433B)

• Provide Steam Generator Loop 1 Steam Flow signal for MCR indication / ERFDS(FT-513)



• Analog outputs fail low (de-energized) • WR LP3 Tcold indication to MCR and ERFDS

fails low • WR LP4 Thot indication to MCR, RVLIS and

ERFDS fails low • SG1 and SG3 Steam Flow signal to MCR and

ERFDS fails low





• ERFDS indication fails low (TE-433B, TE-443A)



• No protection function impact • The same failure mode as existing system • MCR indicator, RVLIS, ERFDS for WR LP3 Thot and MCR

indicator, ERFDS for LP4 Tcold available from Slot 5 • Steam Flow indications available from PPS Set I • WR Temperature Indication available on both ALS and

Tricon MWS applications • Steam Flow indication available on Tricon MWS • WR Temperature and Steam Flow Indication available via

the Gateway Computer

FRS 3.2.3, 3.2.9

53)

TI-421A TI-421B TI-421C TI-422 PI-506

• Provide DTTA signal for MCR indication (TI-421A, 421B, 421C, 422))

• Provide Turbine Impulse Chamber Pressure signal for MCR indication (PI-506)


• Analog outputs fail low (de-energized) • Loop Delta-T signal to PCS fails low (R28) • DTTA MCR indications for Set II fail low • Turbine Impulse Chamber Pressure signal to

MCR indication fails low




• MCR indicator (PI-506) fails low • MWS indicates bad health status

for board

• No protection function impact • The same failure mode as existing system • DTTA indications available on MWS and Gateway

computer • Turbine Impulse Chamber Pressure signal available on

MWS and Gateway computer • Turbine Impulse Chamber Pressure indication available

from PPS Set I

FRS 3.2.5, 3.2.12

54)

TC433A TC421G TC422D LC519A LC549B PC506A PC515C

• Provide Loop 3 WR Low Temp signal to LTOP (TC433A)



• Outputs go OFF (de-energized) • Reactor Coolant WR LP3 Cold leg temp Low

signal to LTOP (PCV-455) is not available from PPS Set II (ETT)

• OPDT and Low-Low Tavg Trip to SSPS is set • SG1 Level High-High signal to SSPS (Turbine



• MWS indicates bad health status




FRS 3.2.3, 3.2.5, 3.2.10, 3.2.11, 3.2.12




PC525A PC535C PC545A


• Provide SG4 Low-Low Level Trip and AFW Pump Start to SSPS (LC549B)



• Provide Turbine Impulse Chamber Pressure High trip to SSPS (P13 Interlock) (PC506A)

Trip, FW Isolation, Interlock P-14) is set• SG4 Level Low-Low signal to SSPS ( Rx trip and

AFW pump start) is set • Turbine Impulse Chamber Pressure High trip

to SSPS (P13 Interlock) is set • SG2 and SG4 Low Steam Pressure signal to

SSPS (SI and Steam Line isolation) are set • SG1 and SG3 High Steam Pressure signal to

SSPS (Negative Rate Steam Line isolation) are set

for board • OPDT and Low-Low Tavg (P12) signals to SSPS are available from PPS Set I, III and IV

• Steam Generator 1 Level High-High signal is available from PPS Set III and IV


• Turbine Impulse Chamber Pressure High trip to SSPS (P13 Interlock) is available from PPS Set I





55)

TC421C TC422G LC460A LC519B LC549A PC515A PC525C PC535A PC545C

• Provide OTDT and Low Tavg Feedwater isolation signals to SSPS (TC421C, 422G)

• Provide PZR Level signal to SSPS (LC460A

• Provide SG1 High-High Level Trip/Interlock (P14) to SSPS LC519B)

• Provide SG4 Low-Low Level Trip and AFW Pump Start to SSPS (LC549A)


• Provide SG2 and SG4 Steam Line Pressure to SSPS (High Negative Rate Steam Line isolation) PC525C, 545C


• Outputs go OFF (de-energized) • OTDT and Low Tavg Feedwater isolation

signals to SSPS are set • PZR Level High Rx trip to SSPS is set • SG1 Level High-High signal to SSPS (Turbine


AFW pump start) is set • SG1 and SG3 Low Steam Pressure signal to

SSPS (SI and Steam Line isolation) are set • SG2 and SG4 High Steam Pressure signal to

SSPS (Negative Rate Steam Line isolation) are set





available from PPS Set I, III and IV • PZR Level High signal to SSPS (Reactor Trip) is available

from Set I and III • Steam Generator 1 High-High Level signal to SSPS (turbine

trip, feedwater isolation, interlock P14) is available from PPS Set III and IV





• Steam Generator Loop 4 High Negative Rate Steam Line Pressure are available for Steam Line isolation (SSPS) from PPS Set I and IVI

FRS 3.2.5, 3.2.10, 3.2.11




56)

TC421D TC421H LY-519H UY-PS2A_TRICON UY-PS2B_TRICON UY-PS2C_TRICON TY-421_TRICON OOS-II_TRICON

• Provide OTDT (C3) and OPDT (C4) Interlock signals to RNARA


• Provide Miscellaneous Tricon MAS Alarms (Section 4.5.2.1)



TTD Timer Actuated Alarms are unavailable (ETT)

• OTDT (C3) Interlock (RNARA) to SSPS is set • OPDT (C4) Interlock (RNARA) to SSPS is set

• PPS Failure Alarm is activated • PPS Trouble Alarm is activated • Partial trip signals sent to SSPS



• Reduced coincidence for SSPS actuation • OTDT interlock C3 is available PPS Set I, III, IV • OPDT interlock C4 is available PPS Set I, III, IV

FRS 3.2.1.5, 3.2.5, 3.2.12

57)

PS2S_FAIL_16 PS3S_FAIL_16 PS4S_FAIL_16 PS5S_FAIL_16 PS6S_FAIL_16 PS7S_FAIL_16 24DI_PWR_16 T433A_OOS T433B_OOS T443A_OOS T443B_OOS L460_OOS F513_OOS F523_OOS F533_OOS F543_OOS P515_OOS P525_OOS P535_OOS P545_OOS L519_OOS L549_OOS P506_OOS LP2_DTTA_OOS LP2_TTD_OOS









for board

• No protection function impact • PPS Failure Alarm is suppressed for loss of both critical

power supplies due to loss of DI power supply indication

IRS 2.9.6.6 IRS 2.8.1.1

58)

TS/421C TS/421G TS/422D TS/422G TC-433A LS/460A PS/515A PS/515C PS/525A PS/525C PS/535A


• Provide Manual Bypass Switch FB Status for PC506A




• Manual Bypass Switch status for Turbine Impulse Pressure High Interlock (P13) is unavailable




• No protection function impact IRS 2.9.6.6, FRS 3.2.1.3.6




PS/535C PS/545A PS/545C LS/519A LS/519B LS/549A LS/549B PS/506A PC-506A_Byp

59)

PS2N_FAIL_16 PS3N_FAIL_16 PS5N_FAIL_16 PS6N_FAIL_16 TS421D TS421H







for board • No protection function impact FRS 2.2.3, IRS

2.9.6.6

60) FI-415 FI-425 (Section 5.1.3)


Open Circuit

• RCS Flow indication to MCR indicator fails low • MCR indicator (FI-415, 425, 435, 445) fails low

• No protection function impacted, Analog Output only • RCS Loop Flow indications are available from Protection

Set I and III for each loop

FRS 3.2.1.4, 4.1.3

61) Short Circuit

62) FI-435 FI-445 (Section 5.1.3)


Open Circuit

63) Short Circuit

64)



Open Circuit

• Input current loop is open • SG1 Steam Pressure signal to Tricon fails low • SG1 Steam Pressure signal to MCR indicator

fails low • SG1 Steam Pressure signal to ERFDS fails low • SG1 Steam Pressure signal to DFWCS fails low • SG1 Loop 1 Low Steam Line Pressure signal to

SSPS (SI and Steam Line isolation) is set • SG Loop 1 Steam Line Pressure High Negative

Rate signal to SSPS (Steam Line isolation) is set

• PPS Trouble Alarm is activated • DFWCS Trouble Alarm is activated • MCR indicator (PI-515) fails low • PT-515 OOR indication (MWS) • ERFDS indication fails low • Partial trip signals sent to SSPS


• Reduced coincidence for SSPS actuation • SG1 Steam Pressure signal to MCR indicator is available

from PPS Set I, IV • SG1 Steam Pressure signal to ERFDS is available from PPS

Set I • SG1 Steam Pressure signal to DFWCS is available from PPS

Set I, IV • SG Loop 1 Low Steam Line Pressure signal to SSPS (SI and

Steam Line isolation) is available from PPS Set I, IV • SG Loop 1 Steam Line Pressure High Negative Rate signal

to SSPS (Steam Line isolation) is available from PPS Set I, IV

FRS 3.2.9

65) Short Circuit • SG1 Steam Pressure signal to MCR indicator fails low • MCR indicator (PI-515) fails low • No protection function impact, input current loop

maintained intact




66)

PD/515A (Section 5.1.3)


Open Circuit

• SG1 Steam Pressure signal to Tricon fails low • SG1 Steam Pressure signal to MCR indicator

fails low • SG1 Steam Pressure signal to ERFDS fails High • SG1 Steam Pressure signal to DFWCS fails low • SG1 Low Steam Line Pressure signal to SSPS (SI







Set I • SG1 Steam Pressure Signal to DFWCS is available from PPS

Set I, IV • SG1 Low Steam Line Pressure signal to SSPS (SI and Steam

Line isolation) is available from PPS Set I, IV • SG1 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set I, IV

FRS 3.2.9


68)

PM-515_1 (Section 4.5.1)

Isolation device –Provide isolation between Class I SG 1 Steam Line Pressure instruments and Class II DFWCS

Open Circuit (input)


fails low • SG1 Steam Pressure signal to ERFDS fails low • SG1 Steam Pressure signal to DFWCS fails low • SG1 Low Steam Line Pressure signal to SSPS (SI







Set I • SG1 Steam Pressure Signal to DFWCS is available from PPS

Set I, IV • SG1 Low Steam Line Pressure signal to SSPS (SI and Steam



FRS 3.2.9

69) Short circuit (input) • SG1 Steam Pressure signal to DFWCS (via isolator) fails low • DFWCS Trouble Alarm is activated • No protection function impact, input current loop is

maintained intact


• SG1 Steam Pressure signal to DFWCS fails low • DFWCS Trouble Alarm is activated • No protection function impact, input current loop is maintained intact

71) Short Circuit (output)




72)



Open Circuit



and Steam Line isolation) is set available • SG2 Steam Line Pressure High Negative Rate




• Reduced coincidence for SSPS actuation • SG 2 Steam Pressure signal to MCR indicator is available

from PPS Set I, III • SG 2 Steam Pressure signal to ERFDS is available from PPS

Set I • SG 2 Steam Flow signal to DFWCS is available from PPS Set

I, III • SG Loop 2 Low Steam Line Pressure signal to SSPS (SI and

Steam Line isolation) is available from PPS Set I, III • SG2 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set I, III

FRS 3.2.9

73) Short Circuit • SG 2 Steam Pressure signal to MCR indicator fails low • MCR indicator (PI-525) fails low • No protection function impact, input current loop is

maintained intact

74)



Open Circuit


fails low • SG2 Steam Pressure signal to ERFDS fails high • SG2 Steam Pressure signal to DFWCS fails low • SG2 Low Steam Line Pressure signal to SSPS (SI






from PPS Set I, III • SG2 Steam Pressure signal to ERFDS is available from PPS

Set I • SG2 Steam Flow signal to DFWCS is available from PPS Set

I, III • SG2 Low Steam Line Pressure signal to SSPS (SI and Steam

Line isolation) is available from PPS Set I, III • SG2 Steam Line Pressure High Negative Rate signal to SSPS


FRS 3.2.9

75) Short Circuit • SG2 Steam Pressure signal to ERFDS fails low • Indication failed Low from ERFDS • No protection function impact, input current loop is maintained intact

76) PM-525_1 (Section 4.5.1)















FRS 3.2.9




77) Short Circuit (Input) • SG2 Steam Pressure signal to DFWCS (via isolator) fails low • DFWCS Trouble Alarm is activated • No protection function impact, input current loop is

maintained intact

78) Open Circuit (Output0

• SG2 Steam Pressure signal to DFWCS fails low • DFWCS Trouble Alarm is activated • No protection function impact, input current loop is

maintained intact

79) Open circuit (Output)

80)



Open Circuit













FRS 3.2.9

81) Short Circuit • SG3 Steam Pressure signal to MCR indicator fails low • MCR indicator (PI-535) fails low • No protection function impact, input current loop is

maintained intact

82) PD/535D (Section 5.1.3)


Open Circuit


fails low • SG3 Steam Pressure signal to ERFDS fails high • SG3 Steam Pressure signal to DFWCS fails low • SG3 Low Steam Line Pressure signal to SSPS (SI











FRS 3.2.9





84)

PM-535_1 (Section 4.5.1)















FRS 3.2.9 85) Short Circuit (Input) • SG3 Steam Pressure signal to DFWCS (via

isolator) fails low • DFWCS Trouble Alarm is activated • No protection function impact, input current loop is maintained intact


• SG3 Steam Pressure signal to DFWCS fails low • DFWCS Trouble Alarm is activated • No protection function impact, input current loop is

maintained intact

87) Short Circuit (output) (Class II)

88) PI-545 (Section 5.1.3)


Open circuit










I, IV • SG4 Low Steam Line Pressure signal to SSPS (SI and Steam



FRS 3.2.9





maintained intact

90)

PD/545D (Section 5.1.3)


Open Circuit


fails low • SG4 Steam Pressure signal to ERFDS fails High • SG4 Steam Pressure signal to DFWCS fails low • SG4 Low Steam Line Pressure signal to SSPS (SI











FRS 3.2.9

91) Short circuit • SG4 Steam Pressure signal to ERFDS fails low • ERFDS indication fails low • No protection function impact, input current loop is maintained intact

92)

PM-545_1 (Section 4.5.1)














(Steam Line isolation) is available from PPS Set I, IV FRS 3.2.9

93) Short Circuit (Input) • SG4 Steam Pressure signal to DFWCS (via isolator) fails low • DFWCS Trouble Alarm is activated • No protection function impact, input current loop is

maintained intact

94) Open Circuit (Output) (Class II) • SG4 Steam Pressure signal to DFWCS fails low • DFWCS Trouble Alarm is activated • No protection function impact, input current loop is

maintained intact





96)

LM-519_1 (Section 4.5.1)



• SG1 Level signal to Tricon fails low • SG1 Level signal to MCR indicator fails low • SG1 Level signal to DFWCS fails low • SG1 Level signal to AFW (PCS) fails low • SG1 Level High-High signal to SSPS (Turbine






• Reduced coincidence for SSPS actuation • SG1 Level Signal to MCR indicator, DFWCS and AFW (PCS)

is available from PPS Set III and IV • SG1 Level High-High signal to SSPS (Turbine Trip, FW

isolation. Interlock P-14) is available from PPS Set III and IV • SG1 Level Lo-Lo signal to SSPS (Rx trip and AFW pump

start) from PPS Set III and IV

FRS 3.2.11 97) Short Circuit (Input) • SG1 Level signal to DFWCS fails low • SG1 Level signal to AFW fails low • SG1 Level signal to MCR indicator fails low

• DFWCS Trouble Alarm is activated • PCS (AFW) Trouble Alarm is

activated • MCR indicator (LI-519) fails low



• SG1 Level signal to DFWCS fails low • SG1 Level signal to AFW fails low • SG1 Level signal to MCR indicator fails low





100)

LM-549_1 (Section 4.5.1)



• SG4 Level signal to Tricon fails low • SG4 Level signal to AMSAC fails low • SG4 Level signal to DFWCS fails low • SG4 Level signal to AFW (PCS) fails low • SG4 Level signal to MCR indicator fails low • SG4 Level High-High signal to SSPS (Turbine



• PPS Failure Alarm is activated • AMSAC General Warning Alarm is

activated • DFWCS Trouble Alarm is activated • PCS (AFW) Trouble Alarm is




is available from PPS Set III and IV • Signal to AMSAC is not available from PPS Set II SG4 • Signal to AMSAC is available from PPS Set I (SG3), PPS Set


isolation, Interlock P-14) is available from PPS Set III and IV • SG4 Low-Low Level signal to SSPS (Rx trip and AFW pump


FRS 3.2.11

101) Short Circuit (input) • SG4 Level signal to DFWCS fails low • SG4 Level signal to AFW (PCS) fails low • SG4 Level signal to MCR indicator fails low







102) Open Circuit (Output) • SG4 Level signal to DFWCS fails low • SG4 Level signal to AFW fails low • SG4 Level signal to MCR indicator fails low





104)

LM-549_2 (Section 4.5.1)

Isolation device –Provide isolation between Class I SG4 level instruments and Class II AMSAC


• SG4 Level signal to Tricon fails low • SG4 Level signal to AMSAC fails low • SG4 Level signal to DFWCS fails low • SG4 Level signal to AFW (PCS) fails low • SG4 Level signal to MCR indicator fails low • SG4 Level High-High signal to SSPS (Turbine




activated • DFWCS Trouble Alarm is activated • PCS (AFW) Trouble Alarm is




is available from PPS Set III and IV • Signal to AMSAC is not available from PPS Set II SG4 • Signal to AMSAC is available from PPS Set I (SG3), PPS Set


isolation, Interlock P-14) is available from PPS Set III and IV • SG4 Lo-Lo Level signal to SSPS (Rx trip and AFW pump


FRS 3.2.11 105) Short Circuit (Input) • SG4 Level signal to AMSAC fails low • AMSAC General Warning Alarm is

activated • No protection function impact, input current loop is

maintained intact


• SG4 Level signal to AMSAC fails low • AMSAC General Warning Alarm is activated



108)


Isolation devices –Provide isolation between Class I SG1, 2, 3 , 4 Steam Flow and Class II DFWCS


• SG Steam Flow signal to Tricon fails low • SG Steam Flow signal to DFWCS fails low • SG Steam Flow Signal to MCR indicator fails

low • SG Steam Flow signal to ERFDS fails low

• PPS Trouble Alarm is activated • DFWCS Trouble Alarm is activated • MCR indicator (FI-5x3) fails low • FT-513 OOR indication (MWS) • FT-523 OOR indication (MWS) • FT-533 OOR indication (MWS) • FT-543 OOR indication (MWS) • ERFDS indication fails low

• No protection function impact, Indication only • SG1, 2 ,3 ,4 Steam Flow signals to MCR indicator, ERFDS

and DFWCS are available from PPS Set I FRS 3.2.9




109) Short Circuit (Input) • SG Steam Flow signal to DFWCS fails low • DFWCS Trouble Alarm is activated • No protection function impact, input current loop is maintained intact

110) Open Circuit (Output) • SG Steam Flow signal to DFWCS fails low • DFWCS Trouble Alarm is activated • No protection function impact, input current loop is

maintained intact


112)


Isolation devices –Provide isolation between Class IA SG1, 2, 3 , 4 Steam Flow and Class IB MCR/ERFDS Indications


• SG Steam Flow signal to MCR indictor fails low • SG Steam Flow signal to ERFDS fails low

• MCR indicator (FI-513, 523, 533, 543) fails low

• ERFDS indication fails low • No protection function impact, output indicators only




116)

PM-506_1 (Section 4.5.1)

Isolation devices –Provide isolation between Class I Turbine Impulse Chamber Pressure and Class II AMSAC


• Turbine Chamber Impulse Pressure signal to Tricon fails low

• Turbine Chamber Impulse Pressure signal to AMSAC fails low

• Turbine Chamber Impulse Pressure signal to MCR indicator fails low

• Turbine Chamber Impulse Pressure High to SSPS (P13 interlock) is set


activated • MCR indicator (PI-506) fails low • PT-506 OOR (MWS) • Partial trip signals sent to SSPS


• Reduced coincidence for SSPS actuation • The isolator is a qualified device and powered from class IE

power source. The single failure of the isolation device does not create condition that impacts safe operation of the Plant protection System.

• Turbine Chamber Impulse Pressure signal to AMSAC is available from PPS Set I (PT-505)

• Turbine Chamber Impulse Pressure signal to MCR indicator is available from PPS Set I (PT-505)

• Turbine Impulse Pressure High to SSPS is available from PPS Set I (P13 interlock)

FRS 3.2.12

117) Short Circuit (Input) • Turbine Chamber Impulse Pressure signal to AMSAC fails low

• AMSAC General Warning Alarm is activated







• Turbine Chamber Impulse Pressure signal to AMSAC fails low





120)



Open Circuit


fails low • Containment Pressure signal to ERFDS fails low• Containment Pressure High-High signal to SSPS

(Containment Pressure-Phase B isolation containment Spray, Steam Line Isolation) is unavailable (ETT)


• PPS Failure Alarm (both chassis) is activated


indication for both ALS-chassis (MWS)



• Reduced coincidence for SSPS actuation • Containment Pressure signal to MCR indicator is available

from PPS Set I, III, IV • Containment Pressure signal to ERFDS is available from

PPS Set III • Containment Pressure High-High signal to SSPS (Phase B


• Containment Pressure High signal to SSPS (SI, Phase A isolation) is available from PPS Set III and IV

FRS 3.2.13

121) Short Circuit • Containment Pressure signal to MCR indicator fails low • MCR indicator (PI-936) fails low


• MCR Containment Pressure indicator is available from PPS Set I, III, IV

122)


Resistor - Provide containment Pressure signal to ERFDS

Open Circuit


fails low • Containment Pressure signal to ERFDS fails

High • Containment Pressure High-High signal to SSPS

(Containment Pressure-Phase B isolation containment Spray, Steam Line Isolation) is not available



• PT-936 Virtual Channels (2) OOR indication for both ALS-chassis (MWS)


• MCR indicator(PI-936) fails low • ERFDS indication fails low

• Reduced coincidence for SSPS actuation • Containment Pressure signal to MCR indicator is available

from PPS Set I, III, IV • Containment Pressure signal to ERFDS is available from

PPS Set III • High-High Containment Pressure signal to SSPS (Phase B


• Containment Pressure High signal to SSPS (SI, Phase A isolation) is available from PPS Set III and IV

123) Short Circuit • Containment Pressure signal to ERFDS fails low • ERFDS indication fails low


• Containment Pressure signal to ERFDS is available from PPS Set III

124) LI-460A (Section 5.1.3) PZR Level indicator in the MCR Open Circuit

• PZR Level signal to Tricon fails low • PZR Level signal to MCR indicator fails low • PZR Level signal to HSP indicator fails low • PZR Level signal to PZR Level control (Control

Set I) fails low



activated

• Reduced coincidence for SSPS actuation • PZR Level signal to MCR indicator is available from PPS Set

I and III • PZR Level signal to HSP indicator is available from PPS Set

I

FRS 3.2.6




• PZR Level signal to PZR Level control (Control Set II) fails low

• PZR Level signal to ERFDS fails low • PZR Level High signal to SSPS (Rx trip) is set

• MCR indicator(LI-460A) fails low • HSP indicator(LI-460B) fails low • LT-460 OOR indication (MWS) • Partial trip signal sent to SSPS with

partial trip status lights illuminated in MCR

• PZR Level signal to PZR Level control (Control Set I) is available from PPS Set I and III

• PZR Level signal to PZR Level control (Control Set II) is available from Set I and III

• PZR Level signal to ERFDS is available from PPS Set I and III • PZR Level High Rx trip to SSPS is available from Set I and III

125) Short Circuit • PZR Level signal to MCR indicator fails low • MCR indicator(LI-460A) fails low


• PZR level signal to MCR indicator is available from PPS Set I and III

126)

LI-460B (Section 5.1.3)

PZR Level indicator in the Hot Shutdown panel (HSP)

Open Circuit

• PZR Level signal to Tricon fails low • PZR Level signal to MCR indicator fails low • PZR Level signal to HSP indicator fails low • PZR Level signal to PZR Level control (Control

Set I) fails low • PZR Level signal to PZR Level control (Control

Set II) fails low • PZR Level signal to ERFDS fails low • PZR Level High signal to SSPS (Rx trip) is set



activated • MCR indicator(LI-460A) fails low • HSP indicator(LI-460B) fails low • LT-460 OOR indication (MWS) • ERFDS indication fails low • Partial trip signal sent to SSPS with



I and III • PZR Level signal to HSP indicator is available from PPS Set I • PZR Level signal to PZR Level control (Control Set I) is

available from PPS Set I and III • PZR Level signal to PZR Level control (Control Set II) is

available from Set I and III • PZR Level signal to ERFDS is available from PPS Set I and III • PZR Level High Rx trip to SSPS is available from Set I and III

FRS 3.2.6

127) Short Circuit • Signal to HSP indicator fails low • HSP indicator(LI-460B) fails low • No protection function impact, input current loop is

maintained intact • PZR level signal to MCR indicator is available from PPS Set I

128)

LM-460_1 (Section 4.5.1)

Isolation device –Provide isolation between Class I PZR Level instruments and Class II PZR Level controller and ERFDS


• PZR Level signal to Tricon fails low • PZR Level signal to MCR indicator fails low • PZR Level signal to HSP indicator fails low) • PZR Level signal to PZR Level control (Control

Set I) fails low • PZR Level signal to PZR Level control (Control

Set II) fails low • PZR Level signal to ERFDS fails low • PZR Level High Rx trip to SSPS is not available)

• PPS Failure Alarm • PCS Trouble Alarm (Set I) is


activated • MCR indicator (LI-460A) fails low • HSP indicator (LI-460B) fails low • LT-460 OOR indication (MWS) • ERFDS indication fails low • Partial trip signal sent to SSPS with



I and III • PZR Level signal to HSP indicator is available from PPS Set I • PZR Level signal to PZR Level control (Control Set I) is

available from PPS Set I and III • PZR Level signal to PZR Level control (Control Set II) is

available from Set I and III • PZR Level signal to ERFDS is available from PPS Set I and III • PZR Level High Rx trip to SSPS is available from Set I and III

FRS 3.2.6


• PZR Level signal to PZR Level control (Control Set I) fails low

• Signal to PZR Level control (Control Set II) fails low

• PCS Trouble Alarm is activated • ERFDS indication fails low





• Signal to ERFDS fails low

130) Open Circuit (Output) (Class II) • Signal to PZR Level control (Control Set I) fails

low • Signal to PZR Level control (Control Set II) fails

low • Signal to ERFDS fails low






132) PI-456 (Section 5.1.3)

PZR Pressure indicator in the MCR

Open Circuit (Class II) • PZR Pressure signal to MCR indicator fails low • PZR Pressure signal to PZR Pressure Control

(PCS Set I) fails low

• MCR indicator (PI-456) fails low • PCS Trouble Alarm is activated • No protection function impact, input current loop is

maintained intact

133) Short Circuit (Class II) • PZR Pressure signal to MCR indicator fails low • MCR indicator (PI-456) fails low

134)

PM-456_1 (Section 4.5.1)

Isolation device –Provide isolation between Class I PZR Pressure signal and Class II MCR indicator and PZR Pressure control


• PZR Pressure signal to MCR indicator fails low • PZR Pressure signal to PZR Pressure Control

fails low ALS-System • Signal to ALS fails low • ALS 102 DOCH function sets comparators to

fail safe state (de-energized) • PZR Pressure Low-Low SI to SSPS is set • PZR Pressure High Rx Trip to SSPS is set • PZR Pressure Low Rx trip to SSPS is set • Unblock SI, P11 to SSPS is set • PZR Pressure High to PC-456EX (PORV

actuation) is not available (ETT) Triconex System • PZR Pressure signal to Tricon fails low • PZR Pressure signal fails low to

Overtemperature Setpoint calculation • OTDT Trip signal to SSPS is set


• PCS Trouble Alarm activates • MCR indicator (PI-456) fails low • PT-456 Virtual Channels (5) OOR

indication for both ALS-chassis (MWS – ALS)



• Reduced coincidence for SSPS actuation • PZR Pressure signal to MCR indicator is available from PPS

Set I, III, IV • OTDT Trip signal to SSPS is available from PPS Set I, III, IV • OTDT interlock C3 is available PPS Set I, III, IV • OTDT setpoint to MCR (T/411A, TI-421C) is available from

PPS Set I, III, IV • PZR Pressure Low-Low SI to SSPS is available from PPS Set

I, III, IV • PZR Pressure High Rx Trip to SSPS is available from PPS

Set I, III, IV • PZR Pressure Low Rx trip to SSPS is available from Set I, III,

IV • Unblock SI, P11 to SSPS is available from PPS Set I, III • PZR Pressure High to RNARA (PORV actuation) is available

from PPS Set I, III, IV • PZR Pressure Signal to MCR indicator is available from PPS

Set I, III , IV • PZR Pressure signal to PZR Pressure Control is available

from Set I, III, IV

FRS 3.2.7

135) Short Circuit (Input) • PZR Pressure signal to PZR Pressure Control

fails low • PZR Pressure signal to MCR indicator fails low

• PCS Trouble Alarm activates • MCR indicator (PI-456) fails low


• PZR Pressure signal to MCR indicator is available from PPS Set I, III, IV

• PZR Pressure signal to PZR Pressure Control is available




from Set I, III, IV


• PZR Pressure signal to MCR indicator fails low • PZR Pressure signal to PZR Pressure Control

fails low

• PCS Trouble Alarm activates • MCR indicator (PI-456) fails low


• PZR Pressure signal to MCR indicator is available from PPS Set I, III and IV

• PZR Pressure signal to PZR Pressure Control is available from Set I, III and IV 137) Short Circuit (Output) (Class

II)

138) FC-415_Byp_A FC-415_Byp_B FC-425_Byp_A FC-425_Byp_B FC-435_Byp_A FC-435_Byp_B FC-445_Byp_A FC-445_Byp_B PC-456C_Byp-A PC-456C_Byp_B PC-456B_Byp-A PC-456B_Byp_B PC-456A_Byp-A PC-456A_Byp_B PC-456D_Byp-A PC-456D_Byp_B PC-936A_Byp_A PC-936A_Byp_B (Section 5.2.1.1)

RCS Flow, PZR Pressure and Containment Pressure Manual Bypass switches (DTT)



open


activated • K2W Relay would still actuate if other

associated Bypass Switch is set and no other pair of Bypass Switches are set

• Channel output is not Bypassed, if ALS processed a trip condition the output would de-energize


• If “failed Bypass” chassis processes a trip signal due to a maintenance condition (ex: lifted leads), PPS Trouble Alarm would be activated by the other chassis due to a Trip-without-Demand indication

• No impact to protection function • Other Chassis (via LSM) is capable of performing the safety

function (trip signal) • Bypass Switch wiring and use should be revised or testing


FRS 2.2.3 139)


closes • Bypass contact closes

• Bypass logic and alarm are not set • K2W Relay would still actuate if other






function (trip signal) • Channel is in Manual Bypass – With trip demand from ALS-


140)

Switch A or B in Bypass • Status contact closes • K2W alarm contact fails



activated • K2W Relay would not actuate if other










• Since there is no reflash capability to the alarm associated





141)

Change switch A or B from Bypass to Normal • Status contact opens • K2W alarm contact


closed

• Bypass Switch status ALS-302 LED turns OFF • ALS PPS Bypass alarm for affected chassis

clears • K2W Relay would de-energize only if the other




• Other Chassis (via LSM) is capable of performing the safety function (trip signal)

• On an actual trip condition, the affected chassis would process a trip and set the DO. However, a Failure-to-Trip on Demand condition would not be detected and alarmed because the other chassis would de-energize the SSPS relay and therefore the LSM feedback status would indicate that the trip did occur.


142)

Change switch A or B from Bypass to Normal • Status contact opens • K2W alarm contact fails



clears • If the K2W Relay was energized due to other











143)


closed • K2W alarm contact fails





• Channel output is no longer Bypassed, if ALS-processed a trip condition the output would de-energize (returned to normal operation)







144)

PC-456E_Byp-A PC-456E_Byp_B PC-936B_Byp-A PC-936B_Byp_B (Section 5.2.1.1)

PZR Pressure, containment Pressure manual Bypass switches A / B (ETT)


closes • Bypass contact stays

close


activated • Bypass condition (open circuit) for the

affected chassis is not set • K2W Relay would still actuate if other









FRS 3.2.3.5.1

145)



• Bypass logic and alarm are not set • K2W Relay would still actuate if other







146)

Switch A or B is in Bypass • Status contact closes • K2W alarm contact fails



activated • K2W Relay would not actuate if other














147)



open


clears • K2W Relay would still de-energize if other

associated Bypass Switch is set and no other pair of Bypass Switches are set (this is normal)







148)












149)

Change Switch A or B from Bypass to normal • Status contact opens • K2W alarm contact fails





clears









150)

FS/415 FS/425 FS/435 FS/445 PS/456A PS/456B PS/456C PS/456D PS/936A (Section 5.2.2)

ALS-Manual Trip switches (DTT) (normally closed)




• No PPS Trouble Alarm from either chassis due to a Trip-without-Demand condition (normal operating conditions)



FRS 2.2.2



• ALS-PPS Trouble Alarm stays on due to a Trip-without-Demand condition (normal operating conditions)





152)

TS/421G TS/421C TS/422D TS/422G LS/519A LS/519B LS/549A LS/549B PS/515A PS/515C PS/525A PS/525C PS/535A PS/535C PS/545A PS/545C LS/460A (Section 5.2.2)

Tricon Manual Trip Switches




• No Tricon PPS Trouble Alarm



FRS 2.2.2





154) TS/421D TS/421H PS/506A (Section 5.2.2)





• No Tricon PPS Trouble Alarm • No impact to protection function FRS 2.2.2





156)

PC-506A_Byp (Section 5.2.1.2)

Turbine impulse Pressure manual Bypass switch

Change Bypass switch from Normal to Bypass position • Bypass contact remains

in normal; bypass condition not set,

• Status contact closed; bypass status set

• Channel output is not Bypassed, if Tricon processed a trip condition the output would de-energize

• PPS Bypass alarm is activated



• No impact to protection function, an actual trip would still be processed by the Tricon


• The switches are qualified as class IE devices. Single failure of the manual Bypass switch contacts does not create condition that disables PPS safety function

FRS 2.2.3.2, 3.2.1.3.6, 3.2.12.15

157)

Change Bypass switch from Normal to Bypass position • Bypass contact closed;

bypass condition set

• Channel output is Bypassed • PPS Bypass alarm is not activated

• Bypass Switch status 3501 LED is OFF

• PPS Bypass alarm is not set






• Status contact fails open; bypass status not set

158)

Change Bypass switch from Bypass to Normal position • Bypass fails closed;

bypass condition remains set

• Status contact opens; bypass status is removed

• If Tricon processed an actual trip condition, the SSPS relay would remain energized

• PPS Bypass alarm clears

• Undetectable unless an actual trip condition was processed or a maintenance function was performed to actuate the trip output (ex: Test-in-Trip)


• P13 coincidence is 2 of 2 (with Protection Set I PT-505); therefore, Bypass condition maintained would prevent P13 from actuating. P13 is an input to P7 (with P10) for blocking various actions at power. Impact would only be to operations <10% in Modes 1-2 which is a transition state and unlikely to have the channel in Bypass during the transition. Although some MAS alarms or SSPS status lights might show the wrong status in Modes 3-6, since the reactor trip breakers are open then there is no impact to the safety function


159)

Change Bypass switch from Bypass to Normal position • Bypass contact opens;

bypass condition is removed

• Status contact remains closed; bypass status remains set

• Channel output is no longer Bypassed, trip function is operable

• PPS Bypass alarm remains activated

• Bypass Switch status 3501 LED is ON

• PPS Bypass alarm does not clear



160)

LP2_DTTA_OOS LP2_TTD_OOS T433A_OOS T433B_OOS T443A_OOS T443B_OOS L460_OOS F513_OOS F523_OOS F533_OOS F543_OOS P515_OOS P525_OOS P535_OOS P545_OOS L519_OOS L549_OOS P506_OOS


service for Testing / Updating tuning constants and comparator setpoints;

• Provides a permissive for software to allow maintenance activities


closed



• OOS Switch status 3501 LED is OFF • MWS does not indicate the

affected channel is OOS, would not allow the channel to be placed in a maintenance condition


the contact being made up

FRS 3.2.1.3.7

161)

Switch is in OOS position • OOS contact closes • K2T Alarm contact fails

open









• Since there is no reflash capability to the alarm associated




(Section 5.2.3)

with the K2T relay, the wiring and relay use should be re-evaluated and revised to provide a useful indication

162)

Switch is in normal condition • OOS contact fails closed • K2T Alarm contact open



• OOS Switch status 3501 LED is ON • MWS indicates affected channel is

OOS



163)

Switch is in normal condition • OOS contact open • K2T Alarm contact fails

closed

• Affected PPS channel is in normal condition • K2T Relay would not de-energize if no other

OOS Switches are set








164)

K2W (Section 5.2.1.1.3)

ALS Manual Bypass Switch pair status relay (indication that at least one pair of Manual Bypass Switches are set) Protection Set II

Relay coil open


• Undetectable unless at least one pair of ALS-Bypass Switches were both set to Bypass

• If coil is shorted and at least one pair of ALS-Bypass Switches are set, fuse FU11 would blow and isolate power supply PS5 from failed component






166) Output contact open • K2W relay fails to actuate MAS alarm


• MAS Alarm set when no pair of





Bypass Switches are set• Undetectable if at least one pair of

Bypass Switches are set

168)

K2T (section 5.2.3.2)

Tricon OOS Switch status relay (indication that at least one OOS Switch is set) Protection Set II

Relay coil open


• Undetectable unless at least one

OOS Switch is set • If coil is shorted and at least one

OOS Switch is set, fuse FU3 would blow and isolate power supply PS3S from failed component





IRS 2.8.4.1.1





• Undetectable if any OOS Switch is set 171) Output contact short • MAS alarm is activated without alarm

condition set

172) PS3, PS6 (section 4.2.4)

Provide 48 VDC power to ALS chassis A and B Loss of one power supply • Loss of single redundant power supply • PPS Trouble Alarm is activated

• No impact to protection function • The ALS-chassis (A and B) continue to operate through


devices.

FRS 3.2.1.5.2

173) PS2, PS5 (section 4.2.4)

Provide 48 VDC power to ALS Digital input (DI) module ALS-302 and ALS-102 (Core Logic board) for contact wetting



• PPS Trouble Alarm is activated • If K2W was energized, MAS alarm

would clear



devices.

FRS 3.2.1.5.2

174) PS1, PS4 (section 4.2.4)

Provide 24 VDC power to analog loop Loss of one power supply • Loss of single redundant power supply • PPS Trouble Alarm is activated

• No impact to protection function • The analog loops FT-415, 425, 435, 445 and PT-936

continue to operate through redundant 24 VDC power supply

• The 24 VDC power supplies are qualified as class IE devices.

FRS 3.2.1.5.2

175) PS2S, PS7S (section 4.2.4)

Provide 48 VDC to Tricon termination module 9792-610 (AI)


• No impact to protection function • The analog input termination module continues to operate


devices.

FRS 3.2.1.5.2





Provide 24 VDC to Tricon termination module 9563-810 (DI)



• PPS Trouble Alarm is activated • If K2T was energized, MAS alarm

would clear

• No impact to protection function • The digital input termination module continues to operate


devices.

FRS 3.2.1.5.2


Provide 24 VDC to Tricon termination module 9860-610 (AO)




devices.

FRS 3.2.1.5.2

178) PS3N, PS5N (Non-Safety cabinet) (section 4.2.4)





devices.

FRS 3.2.1.5.2

179) PS2N, PS6N (Non-Safety cabinet) (section 4.2.4)

Provide 24 VDC power to isolation devices Loss of one power supply • Loss of single redundant power supply • PPS Trouble Alarm is activated

• No impact to protection function • The isolation devices continue to operate through


devices.

FRS 3.2.1.5.2

180) PLF1 (Rack 6) (ALS)

Power Line Filter and Voltage Regulator for 120 VAC supply to Rack 1 components


• Loss of Vital AC to Rack 1 (ALS), loss of all Protection Set II ALS-functions

• All DTT channels de-energize, both chassis • RCS Flow Indications (MCR) fail low • Containment Pressure signal to MCR

indicator (PI-937) fails low due to loss of loop power

• PPS Failure Alarm is activated by ALS-(both chassis)

• PPS Trouble Alarm is activated by ALS-(both chassis)


• Reduced coincidence for SSPS actuation • Tricon Chassis in Rack 8 (TRICON) and Rack 9 (TRICON)

unaffected as they are not supplied by this component IRS 2.4.3

181) CB1 (Rack 6) Provide 120 VAC power to PS1-3 Breaker fails open • Loss of Vital AC to Power Supply PS1-3 • PPS Trouble Alarm is activated by

ALS-(both chassis)


IRS 2.4.3

182) CB2 (Rack 6) Provide 120 VAC power to PS4-6 Breaker fails open • Loss of Vital AC to Power Supply PS4-6 • K2T Relay would de-energize if set

• PPS Trouble Alarm is activated by ALS-(both chassis)


IRS 2.4.3

183) CB3 (Rack 6) Provide 120 VAC to SSPS relays (via LSMs) for ALS-protective functions

Breaker fails open • Loss of Vital AC to SSPS relays associated

with ALS Protection Set II • Loss of all Protection Set II ALS-functions

• PPS Trouble Alarm is activated by ALS-(both chassis) due to Trip-without-Demand condition


• Reduced coincidence for SSPS actuation IRS 2.4.3








185) CB3 (Rack 8)



• Manual Trip Switch status indication (TS/411H, 421H, 421D)








IRS 2.4.2


Breaker fails open • Loss of PS2N-4N redundant power supplies • PS1 is a spare, no effect • PPS Trouble Alarm is activated • No impact to protection functions

• Redundant PS5N-PS7N power supplies provide power IRS 2.4.2


Breaker fails open • Loss of PS5N-PS7N redundant power supplies • PPS Trouble Alarm is activated • No impact to protection functions • Redundant PS2N-PS4N power supplies provide power

IRS 2.4.2


Breaker fails open

• Loss of MWS Monitor – no local indications or maintenance functions accessible for ALS-or Tricon

• Loss of KVM Switch – no local indications or maintenance functions accessible for ALS-or Tricon




Computer for both ALS-and Triconex components • ALS-Manual Trip and Bypass Switches are not affected • Triconex Manual Trip, OOS and Bypass Switches are not

affected

IRS 2.4.2


Breaker fails open






Computer for both ALS-and Triconex components • ALS-Manual Trip and Bypass Switches are not affected • Tricon MWS application unaffected due to redundant

components powered from CB8 • Tricon status information to Gateway Computer


IRS 2.4.2


Breaker fails open








IRS 2.4.2

191) PLF1 (Rack 9)



• Loss of Vital AC to Rack 8 (Non-Safety) and Rack 9 (Safety) , loss of all Protection Set II Tricon functions

• All DTT channels de-energizes


• PPS Trouble Alarm (Tricon) is activated

• Reduced coincidence for SSPS actuation • ALS-RCS Flow and Containment Pressure unaffected as

they are supplied Loop Power from Rack 1 Vital Power

IRS 2.4.2




• Analog Outputs (MCR) fail low • PZR Pressure Loop Power Supply loss, loss of

ALS-PZR Pressure functions

• PPS Failure Alarm is activated by ALS-(both chassis) due to failed PZR Pressure input to both chassis



Provide 120 VAC power to Rack 9 Safety Related Chassis #1 Single Breaker fails open • Loss of Vital AC to redundant chassis power

supply • PPS Trouble Alarm is activated • No impact to protection functions • Redundant input provides power

IRS 2.4.2


Provide 120 VAC power to Rack 9 Safety Related Chassis #2 Single Breaker fails open • Loss of Vital AC to redundant chassis power

supply • PPS Trouble Alarm is activated • No impact to protection functions • Redundant input provides power

IRS 2.4.2

194) CB5 (Rack 9)

• Provide 120 VAC to DI FTP 2S-5U for Manual Trip Switch status indication

•


•



IRS 2.4.2

195) CB6 (Rack 9)

Provide 120 VAC to DI FTP 2S-5L for Manual Trip Switch status indication Provide 120 VAC to DI FTP 2S-5L for PC-506A Bypass Switch status indication

Breaker fails open

• Loss of Manual Trip Switch status input, all switches on associated FTP indicate tripped (DTT)

• If PC-506A Bypass Switch was set, (1) would no longer indicate Bypass; and (2) maintenance functions would be denied by MWS application for Turbine Impulse Pressure 506 channel



IRS 2.4.2





• Reduced coincidence for SSPS actuation

IRS 2.4.2






IRS 2.4.2


Breaker fails open • Loss of PS2S-PS4S redundant power supplies • PS1S is a spare, no effect

• PPS Trouble Alarm is activated • No impact to protection functions • Redundant PS5S-PS7S power supplies provide power

IRS 2.4.2


Breaker fails open • Loss of PS5S-PS7S redundant power supplies • PPS Trouble Alarm is activated • No impact to protection functions • Redundant PS2S-PS4S power supplies provide power

IRS 2.4.2




200) CB11 (Rack 9) Provide 120 VAC power to PC505A_Byp Switch for maintaining Bypass condition

Breaker fails open • If PC506A_Byp switch was in Bypass, SSPS trip would actuate

• Partial trip signal to SSPS, partial trip status lights illuminated in MCR

• Undetectable if not in Bypass

• No impact to protection functions • If Bypass Switch was not set, there would be no impact to

operability. On performing a maintenance function and setting the Bypass Switch there would be indications that it failed to set

IRS 2.4.2


Provides local status indication and maintenance functions for both ALS-and Tricon channels (switchable – monitor is shared only)







affected

IRS 2.3.7

202) ALS-MWS PC Provides local status indication and maintenance functions for ALS-channels (both chassis)

PC fails





Computer for both ALS chassis via TxB1 communications • ALS-Manual Trip and Bypass Switches are not affected • Triconex indications and functions are unaffected as they


IRS 2.3.7

203)

ALS-MWS Serial Card Chassis A ALS-TxB2 Serial Components Chassis A

Provides serial connection for ALS-Chassis A status indication and maintenance functions to the MWS



• Maintenance functions are unavailable for ALS chassis A


• If TAB were enabled, the ASU application would indicate a loss of TAB communications for Chassis A


Computer for ALS chassis A via TxB1 communications • ALS Chassis B indications, status and maintenance

functions are available • ALS-Manual Trip and Bypass Switches are not affected

IRS 2.3.4

204)

ALS-MWS Serial Card Chassis B ALS-TxB2 Serial Components Chassis B

Provides serial connection for ALS-Chassis B status indication and maintenance functions to the MWS







Computer for ALS chassis A via TxB1 communications • ALS Chassis A indications, status and maintenance

functions are available • ALS-Manual Trip and Bypass Switches are not affected

IRS 2.3.4

205) ALS-TxB1 Serial Components Chassis A

Provides serial wiring and cable connections for ALS-Chassis A to the MWS






IRS 2.3.4

206) ALS-TxB1 Serial Components Chassis B

Provides serial wiring and cable connections for ALS-Chassis B to the MWS






IRS 2.3.4

207) Tricon MWS PC Provides local status indication and maintenance functions for PC fails • Local indications are unavailable for Triconex

chassis • MWS application indicates loss of

Tricon communications • No impact to protection functions • Indications and status are available via the Gateway

IRS 2.3.7




Triconex channels • Maintenance functions are unavailable for Triconex chassis


affected • ALS-indications and functions are unaffected as they come

from a separate PC


Provides fiber optic conversion to MT RJ45 Ethernet Converter fails









IRS 2.3.1, 2.3.2, 2.3.3


• Provides uni-directional data to the Gateway Computer


Aggregator fails









IRS 2.3.1, 2.3.2, 2.3.3








these switches

IRS 2.3.1, 2.3.2, 2.3.3







Server • All data available on individual Protection Set MWS via

TxB2 data streams

IRS 2.3.4


PROCESS PROTECTION SYSTEM (PPS)REPLACEMENT Failure Modes and Effects Analysis (FMEA), Protection Set III, Attachment 3


1)


Provide Reactor Coolant NR Cold leg (Tcold) Loop 3 temperature signal for MCR indication / Protection / Process control



• PPS Trouble Alarm is activated from Tricon due to Tcold OOR


• RTD OOR indication (MWS – ALS and Tricon)


available from PPS Set I (loop 1), II (loop 2), IV (loop 4) • Tricon PPS Set III Sensor Quality Algorithm 2 (SQA2)

provides valid Tcold with at least 1 good RTD in each loop • ALS Chassis do not activate a Failure Alarm for OOR

conditions IAW IRS 1.5.5.5

FRS 3.2.5

2)


signal to Tricon fails low (0.0 mA) • Tricon Sensor Quality Algorithm 2 (SQA2) rejects

failed signal

3)


ALS System• Signal fails low • ALS sets analog output to Tricon to 0 mA

4)

Triconex System • Reactor Coolant NR Cold leg temperature (Tcold)


failed signal

5)


Provide Reactor Coolant NR Hot leg (Thot) Loop 3 temperature signal for MCR indication / Protection / Process Control



• PPS Trouble alarm is activated from Tricon due to Thot OOR


• No protection function impact • Same failure mode as existing system • Reactor Coolant NR Hot leg (Thot) temperature signal is

available from PPS Set I (loop 1), II (loop 2), IV (loop 4) • Tricon PPS Set III Sensor Quality Algorithm 3A(SQA3A) or 3B



FRS 3.2.5

6)

Triconex System• Tricon input (0.0 mA) • Tricon Sensor Quality Algorithm 3A (SQA3A -

Group A) or Sensor Quality Algorithm 3B (SQA3B - Group B) rejects failed signal

7)



8)

Triconex System • Tricon input (0.0 mA) • Tricon Sensor Quality Algorithm 3A (SQA3A -





• Signal fails low • ALS 102 DOCH function sets comparators to fail

safe state (de-energized) – both chassis • ALS 102 AOCH function sets analog outputs to

fail safe state (0 mA) – both chassis • MCR RCS flow indication fails low



• RCS Low flow partial trip signal sent to SSPS with partial trip status light illuminated in MCR

• MCR indicator (FI-4x6) fails low

• Reduced coincidence for SSPS actuation • Same failure mode as existing system • MCR RCS Loop flow indication is available from PPS Set I and

II • RCS Low flow Rx trip available from PPS Set I and II

FRS 3.2.2





11)

PT-457 (Section 4.4 and 5.1.2)

Provide PZR Pressure signal for MCR indication / Protection / Process control



• PZR Pressure signal to PZR Pressure Control (PCS) fails low

ALS System • Signal to ALS fails low • ALS 102 DOCH function sets comparators to fail

safe state (de-energized) – both chassis • PZR Pressure High to PC-457EX (PORV actuation)

is unavailable (ETT) Triconex System • PZR Pressure signal to Tricon fails low • OTDT Trip signal to SSPS is set • PZR Pressure signal fails low to Overtemperature





• PCS Trouble Alarm is activated• MCR indicator (PI-457) fails

low Partial trip signal sent to SSPS with partial trip status lights illuminated in MCR • PZR Pressure Low-Low SI to SSPS • PZR Pressure High Rx Trip to

SSPS • PZR Pressure Low Rx trip to SSPS • Unblock SI, P11 to SSPS

• Reduced coincidence for SSPS actuation • Same failure mode as existing system • PZR Pressure Signal to MCR indicator is available from PPS

Set I, II, IV • Signal to PZR Pressure Control is available from Set I, II, IV • OTDT Trip signal to SSPS is available from PPS Set I, II, IV • OTDT interlock C3 is available PPS Set I, II, IV • OTDT setpoint to MCR is available from PPS Set I (T/411A, TI-

411C), II (T/411A, TI-421C), IV (T/411A, TI-441C) • PZR Pressure Low-Low SI to SSPS is available from PPS Set I,

II, IV • PZR Pressure High Rx Trip to SSPS is available from PPS Set I,

II, IV • PZR Pressure Low Rx trip to SSPS is available from Set I, II, IV • Unblock SI, P11 to SSPS is available from PPS Set I, II • PZR Pressure High to RNASA (PORV actuation) is available

from PPS Set I, II, IV

FRS 3.2.7


13)


Provide PZR Level signal for MCR indication / Protection / Process control

Open Circuit • PZR Level signal to Tricon fails low • PZR Level Signal to MCR indicator fails low • PZR Level signal to PZR Level control Set I (PCS)

fails low • PZR Level signal to PZR Level control (PCS) Set II

fails low • PZR Level signal to ERFDS fails low • PZR Level High Rx trip to SSPS is set


activated • PCS Trouble Alarm (Set I) is

activated • MCR indicator (LI-461) fails low • LT-461 OOR indication (MWS) • ERFDS indication fails low • PZR Level High partial trip signal



Set II) and ERFDS is available from PPS Set I and II • PZR Level High signal to SSPS (Reactor Trip) is available from

Set I and II

FRS 3.2.6

14) Short Circuit

15) PT-403 (Section 5.1.2)

Provide Reactor Coolant Hot Leg loop 4 WR Pressure signal to MCR recorder / ERFDS / RVLIS

Open Circuit • Reactor Coolant Hot leg Loop 4 WR Pressure

signal to Tricon fails low • Reactor Coolant Hot leg Loop 4 WR Pressure

signal to MCR recorder fails low • Reactor Coolant Hot leg Loop 4 WR Pressure

signal to ERFDS fails low • Reactor Coolant Hot leg Loop 4 WR Pressure

signal to RVLIS fails low

• PPS Trouble Alarm is activated • PCS Trouble Alarm is activated • RVLIS Trouble Alarm is activated • MCR indicator (PR-403) fails low • PT-403 OOR indication (MWS) • ERFDS indication fails low

• No protection function impact, provides indication only • Same failure mode as existing system • Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS

is available from PT-403A • Reactor Coolant Hot leg Loop 3 and 4 WR Pressure signal to

MCR indicator is available from PPS Set IV • Reactor Coolant Hot leg Loop 3 WR Pressure signal to RVLIS

is available from PPS Set IV

FRS 3.2.4

16) Short Circuit

17) PT-403A (Section 5.1.2)

Provide Reactor Coolant Hot Leg loop 4 WR Pressure signal to MCR indicator / ERFDS /

Open Circuit • Reactor Coolant Hot leg Loop 4 WR Pressure

signal to Tricon fails low • Reactor Coolant Hot leg Loop 4 WR Pressure

• PPS Trouble Alarm is activated • MCR indicator (PI-403A) fails

low

• No protection function impact • Same failure mode as existing system • Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR

FRS 3.2.4




18)

Interlock /Alarm

Short Circuit

signal to MCR indicator fails low• Reactor Coolant Hot leg Loop 4 WR Pressure

signal to ERFDS fails low • Reactor Coolant Hot leg Loop 4 WR High

Pressure signal to PC-403DX, LTOPS (RNASA) is not available (ETT)

• Reactor Coolant Hot leg Loop 4 WR Low Pressure signal to RHR valve (V-8702) interlock (RNSIA) is not available (ETT)

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to RHR Suction Valve Open Alarm is set

• PT-403A OOR indication (MWS) • ERFDS indication fails low

indicator is available from PPS Set IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS

is available from PPS Set III (PT-403), IV (PT-405, PT-405A) • Reactor Coolant Hot leg Loop 4 WR High Pressure signal to

PC-405DX, LTOPS (RNASA) is available from PPS Set IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to RHR

Suction Valve Open Alarm is available from PPS Set IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to RHR

valve (V-8701) is available from PPS Set IV • RHR valve (V-8702) does not open due to ETT fail safe (de-

energized), RHR Suction Valve Open Alarm does not actuate due to requiring the valve (V-8702) position switch open contact to be made up as well as the high pressure

19)

PT-526 PT-536 (Section 5.1.2)

Provide SG2, SG3 Steam Pressure signal for MCR indication / DFWCS / Protection


low • SG Steam Pressure signal to DFWCS fails low • SG Low Steam Pressure signal to SSPS (SI and

Steam Line isolation) is set • SG Steam Line Pressure High Negative Rate

signal to SSPS ( Steam Line isolation) is set • SG Steam Line Pressure alarm is set


activated • MAS Steam Line Low Pressure

alarm is activated • MCR indicator (PI-526) fails low • MCR indicator (PI-536) fails low • PT-526 OOR indication (MWS) • PT-536 OOR indication (MWS) • SG Low Steam Pressure Partial

trip signals sent to SSPS with partial trip status lights illuminated in MCR


available from PPS Set I and II • SG Low Steam Line Pressure to SSPS (SI and Steam Line

isolation) is available from PPS Set I and II • SG Steam Line Pressure High Negative Rate signal to SSPS (

Steam Line isolation) is available from PPS Set I and II

FRS 3.2.10

20) Short Circuit

21)


Provide SG1 Level signal for MCR indication / DFWCS / AFW (PCS) / ERFDS / Protection

Open Circuit

• SG1 Level signal to Tricon fails low • SG1 Level signal to MCR indicator fails low • SG1 Level signal to DFWCS fails low • SG1 Level signal to AFW (PCS) fails low • SG1 Level signal to ERFDS fails low • SG1 Level High-High signal to SSPS (Turbine Trip,

FW Isolation, P14 Interlock) is set • SG1 Level Low-Low signal to SSPS ( Rx trip and


• PPS Failure Alarm is activated • DFWCS Trouble alarm is






available from PPS Set II and IV • SG1 Level Signal to ERFDS is available from PPS Set IV • SG1 Level High-High signal to SSPS (Turbine Trip, FW

isolation. P14 Interlock) is available from PPS Set II and IV • SG1 Level Low-Low signal to SSPS (Rx trip and AFW pump

start) from PPS Set II and IV

FRS 3.2.11

22) Short Circuit

23) LT-528 (Section 5.1.2)

Provide SG2 Level signal for MCR indication / DFWCS / AMSAC / AFW (PCS) / ERFDS / Protection

Open Circuit

• SG2 Level signal to Tricon fails low • SG2 Level signal to MCR indicator fails low • SG2 Level signal to DFWCS fails low • SG2 Level signal to AFW (PCS) fails low • SG2 Level signal to ERFDS fails low



is activated


available from PPS Set I and IV • SG2 Level Signal to ERFDS is available from PPS Set IV

FRS 3.2.11




24) Short Circuit

• SG2 Level signal to AMSAC fails low • SG2 Level High-High signal to SSPS (Turbine Trip,




• MCR indicator (LI-528) fails low • LT-528 OOR indication (MWS) • Partial trip signals sent to SSPS



• Signal to AMSAC is available from PPS Set I (SG3), PPS Set II (SG4) and PPS Set IV (SG1)

• SG2 High-High Level signal to SSPS (Turbine Trip, FW isolation, P14 Interlock) is available from PPS Set I and IV

• SG2 Low-Low Level signal to SSPS (Rx trip and AFW pump start)is available from PPS Set I and IV

25)



Open Circuit










available from PPS Set I and IV • SG3 Level Signal to ERFDS is available from PPS Set IV • SG3 Level High-High signal to SSPS (Turbine Trip, FW

isolation. P14 Interlock) is available from PPS Set I and IV • SG3 Level Low-Low signal to SSPS (Rx trip and AFW pump

start) from PPS Set I and IV

FRS 3.2.11

26) Short circuit

27)



Open Circuit



AFW pump start) is set • SG Level Low-Low time delay timer actuated

Protection Set III alarm is set










FRS 3.2.11

28) Short Circuit

29)


Provide Containment Pressure signal for MCR indication / ERFDS / Protection

Open Circuit


fails low • Containment Pressure signal to ERFDS fails low • Containment Pressure High signal to SSPS (SI,


(Containment Pressure -Phase B isolation containment Spray, Steam Line Isolation) is not unavailable (ETT)


• PT-935 Virtual Channels (2) OOR indication for both ALS chassis (MWS)

• MCR indicator (PI-935) fails low • ERFDS indication fails low • Partial trip signals sent to SSPS



Set I, II, IV • Containment Pressure signal to ERFDS is available from PPS

Set II • Containment Pressure High signal to SSPS (SI, Phase A

isolation) is available from PPS Set II, IV • High-High Containment Pressure signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from PPS Set I, II, IV

FRS 3.2.13

30) Short circuit

31) NE-43A (Section 5.1.4)

Provide Power Range Neutron Flux (Upper) signal to calculate DTTA Overpower and Overtemperature Delta-T

Open Circuit


• Overtemperature Delta-T Trip to SSPS is set • Upper Flux signal fails low to Overpower Setpoint




Set I, II, IV

FRS 3.2.5




setpoint for Protection and MCR indication

calculation• Upper Flux signal fails low to Overtemperature




• MCR Overpower Setpoint indication is available from PPS Set PPS Set I, II, IV

• MCR Overtemperature Setpoint indication is available from PPS Set I, II, IV


• Upper Flux signal to Tricon fails low • Upper Flux signal fails low to Overpower Setpoint

calculation • Upper Flux signal fails low to Overtemperature






• Same failure mode as existing system • MCR Overpower Setpoint indication is available from PPS Set

I, II, IV • MCR Overtemperature Setpoint indication is available from

PPS Set I, II, IV • Fail low at 0 V does not incur OOR condition as it is within the

normal range of the signal value


• Upper Flux signal to Tricon fails high > 10 V • Overtemperature Delta-T Trip to SSPS is set • Upper Flux signal fails low to Overpower Setpoint








Set I, II, IV • MCR Overpower Setpoint indication is available from PPS Set


PPS Set I, II, IV

34)

NE-43B (Section 5.1.4)


Open Circuit


• Overtemperature Delta-T Trip to SSPS is set • Lower Flux signal fails low to Overpower Setpoint

calculation • Lower Flux signal fails low to Overtemperature









PPS Set I, II, IV

FRS 3.2.5


• Upper Flux signal to Tricon fails low • Overpower Delta-T Trip setpoint increases • Lower Flux signal fails low to Overpower Setpoint







• Same failure mode as existing system • MCR Overpower Setpoint indication is available from PPS Set


PPS Set I, II, IV • Fail low at 0 V does not incur OOR condition as it is within

the normal range of the signal value 36) Fail High due to electronics • Lower Flux signal to Tricon fails high > 10 V • PPS Failure Alarm is activated • Reduced coincidence for SSPS actuation




failure (>10 VDC) • Overtemperature Delta-T Trip to SSPS is set • Lower Flux signal fails high to Overpower



due to OOR• NE-43B OOR indication (MWS) • MCR indications (T/411A, TI-



• Same failure mode as existing system • Overpower Delta-T Trip signal to SSPS is available from PPS



PPS Set I, II, IV

37)

TE-430B TE-430A TE-431A TE-432A (Section 5.1.1)

Provide Reactor Coolant Loop 3 NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / Protection / control circuit (TE-430B, 430A. 431A, 432A)








• No protection function impact • Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed signal

and provides valid Tcold with other functional Tcold RTD • Tricon Sensor Quality Algorithm 3B (SQA3B) provides valid

Thot average with at least 2 good RTD's in Group B • RCS NR LP3 Tcold and Thots (3) temperature signals are

available from chassis B to Tricon • Reactor Coolant NR Tcold/Thot temperature signals are

available from PPS Set I, II and IV

FRS 3.2.5 IRS 2.8.1.2

38)




39)






40)

TE-431B TE-430C TE-431C TE-432C (Section 5.1.1)

Provide Reactor Coolant NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / Protection / Process Control








• No Impact to protective function • Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed signal

and provides valid Tcold with other functional Tcold RTD • Tricon Sensor Quality Algorithm 3A (SQA3A) provides valid

Thot average with at least 2 good RTD's in Group A • RCS NR LP3 Tcold and Thots (3) temperature signals are

available from chassis A to Tricon • Reactor Coolant NR Tcold/Thot temperature signals are

available from PPS Set I, II and IV

FRS 3.2.5 IRS 2.8.1.2

41)




42)









43)

FT-416 FT-426 FT-436 FT-446 PT-935 PT-457










•



• MCR indication (FI-416, 426,436, 446, PT-935, 457) fails low for associated chassis






• Reduced coincidence for SSPS actuation • RCS flow signal to MCR indications are available for the two

RCS Flow channels processed by the other chassis • RCS flow signal to MCR indications are available from PPS Set

I and II • RCS Low Flow Rx trip available from PPS Set I and II • PZR Pressure Low signal to SSPS is available from other

chassis and PPS Set I, II and IV • PZR Pressure Low-Low signal to SSPS is available from other

chassis and PPS Set I, II and IV • PZR Pressure High signal to SSPS is available from other

chassis and PPS Set I, II and IV • PZR SI permissive (P11) signal to SSPS is available from other

chassis and PPS Set I, II • PZR Pressure High signal to RNASA (PORVS) is available from

other chassis and PPS Set I, II and IV • Containment Pressure High-High signal to SSPS (Phase B

isolation Containment Spray, Steam Line Isolation) is available from the other chassis

• Containment Pressure High-High signal to SSPS (Phase B isolation containment Spray, Steam Line Isolation) is available from PPS Set I, II, IV


FRS 3.2.2, 3.2.7, 3.2.13

44)











• Reduced coincidence for SSPS actuation • RCS Low Flow Rx trip available from PPS Set I and II • PZR Pressure Low signal to SSPS is available from other

chassis and PPS Set I, II and IV • PZR Pressure Low-Low signal to SSPS is available from other

chassis and PPS Set I, II and IV • PZR Pressure High signal to SSPS is available from other

chassis and PPS Set I, II and IV • PZR SI permissive (P11) signal to SSPS is available from other

chassis and PPS Set I, II • PZR Pressure High signal to RNASA (PORVS) is available from

other chassis and PPS Set I, II and IV • Containment Pressure High-High signal to SSPS (Phase B

isolation Containment Spray, Steam Line Isolation) is available from PPS Set I, II, IV

• Containment Pressure High signal to SSPS (SI, Phase A isolation) is available from PPS Set II, IV

45) ALS-421-1 (Slot 1) failure in chassis A or B (total loss of AO module due to power



• No protection function impact • RCS flow signal to MCR indications are available for the two

RCS Flow channels processed by the other chassis




supply failure, both boards latch failure)

• MCR indication (FI-416, FI-426, FI-436, FI-446) fails low


• RCS flow signal to MCR indications are available from PPS Set I and II

• If the AO module fails due to multiple electronics failure, it is possible that ALS-421-12 output fails to “unknown state” and the fail safe output state may not occur.

46)

FC-416_FB_LSM_A(B) FC-426_FB_LSM_A(B) FC-436_FB_LSM_A(B) FC-446_FB_LSM_A(B) PC-457A_FB_LSM_A(B) PC-457B_FB_LSM_A(B) PC-457C_FB_LSM_A(B) PC-457D_FB_LSM_A(B) PC-457E_FB_LSM_A(B) PC-935A_FB_LSM_A(B) PC-935B_FB_LSM_A(B) FC-416_Byp_A(B) FC-426_Byp_A(B) FC-436_Byp_A(B) FC-446_Byp_A(B) PC-457A_Byp-A(B) PC-457B_Byp-A(B) PC-457C_Byp-A(B) PC-457D_Byp-A(B) PC-457E_Byp-A(B) PS1FAIL_IIIA(B) PS2FAIL_IIIA(B) PS3FAIL_IIIA(B) PS4FAIL_IIIA(B) PS5FAIL_IIIA(B) PS6FAIL_IIIA(B)











chassis

FRS 3.2.1.3

47)

ALS MAS Alarms (Section 4.5.2.2) UY-PS3A_DIV-A(B) UY-PS3B_DIV-A(B) UY-PS3C_DIV-A(B) UY-PS3D_DIV-A(B










48) NE-43A NE-43B

Provide Power Range Neutron Flux (Upper/Lower) signals to calculate DTTA Overpower and Over Temperature Delta-T

Tricon 3703EN (Slot 2) module failure (total loss of AI module function due to multiple electronics failure or common software



Overpower Setpoint calculation




Set I, II, IV

FRS 3.2.5




setpoint failure) • Upper and Lower Flux signal fails low to Overtemperature Setpoint calculation




• MCR Overpower Setpoint indication is available from PPS Set PPS Set I, II, IV

• MCR Overtemperature Setpoint indication is available from PPS Set I, II, IV

49)

TE-430B TE-430A TE-431A TE-432A PT-457 PT-526 LT-528 LT-548 PT-403A






• Provide Reactor Coolant Hot Leg Loop 4 WR Pressure signal for Alarm / Interlock / LTOP (PT-403A)


• Inputs fail Low • Sensor Quality Algorithm (SQA2) rejects failed


rejects failed signals • PZR Pressure signal fails low to Overtemperature

Setpoint calculation • OTDT Trip signal to SSPS is set (PZR Pressure fails

low) • SG2 Low Steam Pressure signal to SSPS (SI and

Steam Line isolation) is set • SG2 High Steam Pressure signal to SSPS

(Negative Rate Steam Line isolation) is set • SG2 and SG4 Level High-High signal to SSPS

(Turbine Trip, FW Isolation, Interlock P-14) is set • SG2 and SG4 Level Low-Low signal to SSPS (Rx

trip and AFW pump start) is set • Reactor Coolant Hot leg LP4 WR High Pressure

signal to PC-403DX, LTOPS (RNASA) is not available (ETT)

• Reactor Coolant Hot leg LP 4 WR Low Pressure signal to RHR valve (V-8702) interlock (RNSIA) is not available (ETT)

• Reactor Coolant Hot leg LP 4 WR Pressure signal to RHR Suction Valve Open Alarm is set





• Reduced coincidence for SSPS actuation • Reactor Coolant WR Pressure LP4 High signal to LTOPS (to

open valve PCV-456) is available from PPS Set IV, LP4 hot leg • PCV-455C control switch Close/Open capability unaffected,

only Auto for LTOP impacted • Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed signal

and provides valid Tcold with other functional Tcold RTD • Tricon Sensor Quality Algorithm 3A (SQA3A) provides valid

Thot average with at least 2 good RTD's in Group B • RCS NR LP3 Tcold and Thots (3) temperature signals are

available from Slot 4 of Tricon (Group B) • OTDT setpoint to MCR is available from PPS Set I (T/411A, TI-

411C), II (T/411A, TI-421C), IV (T/411A, TI-441C) • OTDT Trip signal to SSPS is available from PPS Set I, II, IV • SG2 Low Steam Line Pressure to SSPS (SI and Steam Line

isolation) is available from PPS Set I and II • SG2 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set I and II • SG2 High-High Level signal to SSPS (Turbine Trip, FW

isolation, P14 Interlock) is available from PPS Set I and IV • SG2 Low-Low Level signal to SSPS (Rx trip and AFW pump

start)is available from PPS Set I and IV • SG4 Level High-High signal to SSPS (Turbine Trip, FW


start) from PPS Set II and IV • Reactor Coolant Hot leg LP4 WR Pressure signal to RHR

Suction Valve Open Alarm is available from PPS Set IV for RHR valve (V-8701)

• RHR valve (V-8702) does not open due to ETT fail safe (de-energized), RHR Suction Valve Open Alarm does not actuate due to requiring the valve (V-8702) position switch open contact to be made up as well as the high pressure


FRS 3.2.4, 3.2.5, 3.2.7, 3.2.10, 3.2.11

50) TE-431B • Provide Reactor Coolant Tricon 3721N (Slot4) • Inputs fail low • PPS Failure Alarm is activated • Reduced coincidence for SSPS actuation FRS 3.2.3,




TE-430C TE-431C TE-432C LT-461 PT-536 LT-518 LT-538 PT-403

Loop 3 NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / protection / control circuit (Group B) (TE-431B, 430C, 431C, 432C)





• Provide Reactor Coolant Hot Leg loop 4 WR Pressure signal for MWS indication (PT-403)

module failure (total loss of AI module function due to multiple electronics failure or common software failure)

• Sensor Quality Algorithm (SQA2) rejects failed signal

• Sensor Quality Algorithm 3A (SQA3A - Group A) rejects failed signals

• PZR Level High Rx trip to SSPS is set • SG3 Low Steam Pressure signal to SSPS (SI and



(Turbine Trip, FW Isolation, Interlock P-14) is set • SG1 and SG3Level Low-Low signal to SSPS ( Rx

trip and AFW pump start) is set • Reactor Coolant Hot Leg loop 4 WR Pressure

MWS indication fails low

due to Tricon AI module failure• Partial trip signals sent to SSPS






• PZR Level High signal to SSPS (Reactor Trip) is available from Set I and II

• SG3 Low Steam Line Pressure to SSPS (SI and Steam Line isolation) is available from PPS Set I and II

• SG3 Steam Line Pressure to SSPS (High Negative Rate Steam Line isolation) is available from PPS Set I and II

• SG1 Level High-High signal to SSPS (Turbine Trip, FW isolation, P14 Interlock) is available from PPS Set II and IV

• SG1 Level Low-Low signal to SSPS (Rx trip and AFW pump start)is available from PPS Set II and IV

• SG3 Level High-High signal to SSPS (Turbine Trip, FW isolation. P14 Interlock) is available from PPS Set I and IV

• SG3 Level Low-Low signal to SSPS (Rx trip and AFW pump start) from PPS Set I and IV

• Interactions with other systems/indications associated with the input loop are unaffected as the input loop remains intact (PT-403 indicators are all on the input loop)

3.2.5, 3.2.6, 3.2.9, 3.2.10, 3.2.11

51)

TI-431A TI-431B TI-431C TI-432 (DTTA indicators)

• Provide DTTA signal for MCR indication TI-431A, 431B, 431C, 432


• Analog outputs fail low (de-energized) • Loop Delta-T signal to PCS fails low (R28) • DTTA MCR indications for Set III fail low





• No protection function impact • The same failure mode as existing system • DTTA indications available on MWS and Gateway computer

FRS 3.2.5

52)

TC431G TC432D LC518A LC528A LC538B LC548B PC526A PC536C PC403A PC403D

• Provide OPDT and Low-Low Tavg (P12) signals to SSPS (TC-431G, 432D)

• Provide SG1 and SG2 High-High Level Trip/Interlock (P14) to SSPS (LC-518A, 528A)

• Provide SG3 and SG4 Low-Low Level Trip and AFW Pump Start to SSPS (LC-538B, 548B)

• Provide SG2 Low Steam Line Pressure to SSPS (SI and Steam Line isolation) (PC-


• Outputs go OFF (de-energized) • Reactor Coolant WR LP4 Hot leg Pressure High

signal to LTOP (PCV-455C) is not available from PPS Set III (ETT)

• OPDT and Low-Low Tavg Trip to SSPS is set • SG1 and SG2 Level High-High signal to SSPS

(Turbine Trip, FW Isolation, Interlock P-14) is set • SG3 and SG4 Level Low-Low signal to SSPS ( Rx

trip and AFW pump start) is set • SG2 Low Steam Pressure signal to SSPS (SI and

Steam Line isolation) are set • SG3 High Steam Pressure signal to SSPS

(Negative Rate Steam Line isolation) are set • Reactor Coolant Hot leg Loop 4 WR High




• Reduced coincidence for SSPS actuation • Reactor Coolant WR LP4 Hot leg Pressure High signal to

LTOPS (to open valve PCV-456) is available from PPS Set IV • PCV-455C control switch Close/Open capability unaffected,

only Auto for LTOP impacted • Reactor Coolant Hot leg Loop 4 WR Low Pressure signal to

RHR valve (V-8701) interlock (RNSIA) is available from PPS Set IV (PT-405A)

• OPDT and Low-Low Tavg (P12) signals to SSPS are available from PPS Set I, II and IV

• SG1 Level High-High signal is available from PPS Set II and IV • SG2 Level High-High signal is available from PPS Set I and IV • SG3 Level Low-Low signal to SSPS (Rx trip, AFW pump start)

is available from PPS Set I and IV

FRS 3.2.4, 3.2.5, 3.2.10, 3.2.11




526A) • Provide SG3 Steam Line

Pressure to SSPS (High Negative Rate Steam Line isolation) (PC-536C)

• Provide Reactor Coolant Hot Leg loop 4 WR Pressure signal to LTOP / Interlock (PC-403A, 403D)



• SG4 Level Low-Low signal to SSPS (Rx trip, AFW pump start) is available from PPS Set II and IV

• SG2 Low Steam Pressure signal to SSPS (SI and Steam Line isolation) is available from PPS Set I and II

• SG3 High Negative Rate Steam Line Pressure are available for Steam Line isolation (SSPS) from PPS Set I and II

53)

TC431C TC432G LC461A LC518B LC528B LC538A LC548A PC526C PC536A PC403B

• Provide OTDT and Low Tavg (P12) Feedwater isolation signals to SSPS (TC-431C, 432G)

• Provide PZR Level signal to SSPS (LC-461A)

• Provide SG3 and SG4 High-High Level Trip/Interlock (P14) to SSPS (LC-538A, 548A)

• Provide SG1 and SG2 Low-Low Level Trip and AFW Pump Start to SSPS (LC-518B, 528B)

• Provide SG3 Low Steam Line Pressure to SSPS (SI and Steam Line isolation) (PC-536A)

• Provide SG2 Steam Line Pressure to SSPS (High Negative Rate Steam Line isolation) (PC-526C)

• Provide Reactor Coolant Hot Leg loop 4 WR Pressure High signal to RHR Suction Valve Open Alarm (PC-403B)



to SSPS are set • PZR Level High Rx trip to SSPS is set • SG3 and SG4 Level High-High signal to SSPS




(Negative Rate Steam Line isolation) are set • Reactor Coolant Hot leg Loop 4 WR Pressure

signal to RHR Suction Valve (V-8702) Open Alarm is set





available from PPS Set I, II and IV • PZR Level High signal to SSPS (Reactor Trip) is available from

PPS Set I and II • SG3 High-High Level signal to SSPS (turbine trip, feedwater

isolation, interlock P14) is available from PPS Set I and IV • SG4 High-High Level signal to SSPS (turbine trip, feedwater

isolation, interlock P14) is available from PPS Set II and IV • SG1 Level Low-Low signal to SSPS (Rx trip, AFW pump start)

is available from PPS Set II and IV • SG2 Level Low-Low signal to SSPS (Rx trip, AFW pump start)

is available from PPS Set I and IV • SG3 Low Steam Pressure signal to SSPS (SI and Steam Line

isolation) is available from PPS Set I and II • SG2 High Negative Rate Steam Line Pressure are available for

Steam Line isolation (SSPS) from PPS Set I and II • RHR Suction Valve Open Alarm does not actuate due to

requiring the valve (V-8702) position switch open contact to be made up

FRS 3.2.5, 3.2.10, 3.2.11

54)

TC431D TC431H PC526B PC536B LY-518H UY-PS3A_TRICON UY-PS3B_TRICON UY-PS3C_TRICON TY-431_TRICON

• Provide OTDT (C3) and OPDT (C4) Interlock signals to RNARA (TC-431D, 431H)

• Provide SG2 and SG3 Low Steam Line Pressure signal to MAS (PC526B, 536B)


• Provide TTD Timer



Timer TTD Actuated Alarms are unavailable (ETT)

• OTDT (C3) Interlock (RNARA) to SSPS is set • OPDT (C4) Interlock (RNARA) to SSPS is set • SG2 and SG3 Steam Pressure Low signals to MAS

are not available

• PPS Failure Alarm is activated • PPS Trouble Alarm is activated • SG2 and SG3 Steam Pressure

Low Alarms are activated • Partial trip signals sent to SSPS



• Reduced coincidence for SSPS actuation • OTDT interlock C3 is available PPS Set I, II, IV • OPDT interlock C4 is available PPS Set I, II, IV

FRS 3.2.1.5, 3.2.5, 3.2.12




OOS_III_TRICON Activated alarm • Provide Miscellaneous

Tricon MAS Alarms (Section 4.5.2.1)

55)

PS2S_FAIL_17 PS3S_FAIL_17 PS6S_FAIL_17 PS7S_FAIL_17 24DI_PWR_17 LP3_DTTA_OOS LP3_TTD_OOS L548_OOS L461_OOS P403_OOS P403A_OOS P526_OOS P536_OOS L518_OOS L528_OOS L538_OOS








• PPS Trouble Alarm is activated • MWS indicates bad health

status for board



IRS 2.9.6.6 IRS 2.8.1.1

56)

TS/431C TS/431G TS/432D TS/432G PC/403A LS/548A PC/403B PC/403D PS/526A PS/526C PS/536A PS/536C LS/518A TS/518B LS/528A LS/528B LS/538A LS/538B LS/548B LS/461A









57)

PS2N_FAIL_17 PS3N_FAIL_17 PS5N_FAIL_17 PS6N_FAIL_17







status for board • No protection function impact FRS 2.2.3,

IRS2.9.6.6




TS431D_Trip TS431H_Trip

58) FI-416 FI-426 (Section 5.1.3)


Open Circuit

• RCS Flow indication to MCR indicator fails low • MCR indicator (FI-416,426, 436, 446) fails low

• No protection function impacted, Analog Output only • RCS Loop Flow indications are available from Protection Set I

and II for each loop

FRS 3.2.1.4, 4.1.3

59) Short Circuit

60) FI-436 FI-446 (Section 5.1.3)


Open Circuit

61) Short Circuit

62) PI-526 (Section 5.1.3)

Provide SG2 Steam Line Pressure indication in the Main Control Room (MCR)

Open Circuit

• Input current loop is open • SG2 Steam Pressure signal to Tricon fails low • SG2 Steam Pressure signal to MCR indicator fails

low • SG2 Steam Pressure signal to DFWCS fails low • SG2 Low Steam Line Pressure signal to SSPS (SI


signal to SSPS (Steam Line isolation) is set • SG2 Steam Line Low Pressure signal to MAS is set


activated • SG2 Low Steam Line Pressure

Alarm is activated • MCR indicator (PI-526) fails low • PT-526 OOR indication (MWS) • Partial trip signals sent to SSPS


• Reduced coincidence for SSPS actuation • SG2 Steam Pressure signal to MCR indicator is available from

PPS Set I and II • SG2 Steam Pressure signal to DFWCS is available from PPS

Set I and II • SG2 Low Steam Line Pressure signal to SSPS (SI and Steam

Line isolation) is available from PPS Set I and II • SG2 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set I and II

FRS 3.2.10

63) Short Circuit • SG2 Steam Pressure signal to MCR indicator fails low • MCR indicator (PI-526) fails lows • No protection function impact, input current loop is

maintained intact

64) PM-526_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I SG2 Steam Line Pressure instruments and Class II DFWCS



low • SG2 Steam Pressure signal to DFWCS fails low • SG2 Steam Line Low Pressure signal to SSPS (SI




activated • SG2 Low Steam Line Low

Pressure Alarm is activated • MCR indicator (PI-526) fails low • PT-526 OOR indication (MWS) • Partial trip signals sent to SSPS







FRS 3.2.10

65) Short Circuit (Input) • SG2 Steam Pressure signal to DFWCS fails low • DFWCS Trouble Alarm is activated









68) PI-536 (Section 5.1.3)

Provide SG3 Steam Line Pressure indication in the Main Control Room (MCR)

Open Circuit






activated • SG3 Steam Line Low Pressure








FRS 3.2.10


maintained intact

70)

PM-536_1 (Section 4.5.1)
















FRS 3.2.10



• SG3 Steam Pressure signal to DFWCS is available from PPS Set I and II




• SG3 Steam Pressure signal to DFWCS is available from PPS Set I and II 73) Short Circuit (Output)

74) PI-403A (Section 5.1.3)

Provide Reactor Coolant Hot Leg Loop 4 WR Pressure indication in the Main Control

Open Circuit • Reactor Coolant Hot Leg Loop 4 WR Pressure

signal to MCR indicator fails low • Reactor Coolant Hot Leg Loop 4 WR Pressure

• MCR indicator (PI-403A) fails low






Room (MCR) signal to ERFDS fails low

75) Short Circuit • Reactor Coolant Hot Leg Loop 4 WR Pressure signal to MCR indicator fails low



76)

PM-403A_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I Reactor Coolant Hot Leg Loop 4 WR Pressure instruments and Class II MCR indicator and ERFDS


• Reactor Coolant Hot leg Loop 4 WR Pressure signal to Tricon fails low

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR indicator fails low

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS fails low

• Reactor Coolant Hot leg Loop 4 WR High Pressure signal to PC-403DX, LTOPS (RNASA) is not available (ETT)

• Reactor Coolant Hot leg Loop 4 WR Low Pressure signal to RHR valve (8702) interlock (RNSIA) is not available (ETT)

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to RHR Suction Valve (8702) Open Alarm is set


low • PT-403A OOR indication (MWS) • ERFDS indication fails low


indicator is available from PPS Set IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS

is available from PPS Set III (PT-403), IV PT-405A) • Reactor Coolant Hot leg Loop 4 WR High Pressure signal to

PC-405DX, LTOPS (RNASA) is available from PPS Set IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to RHR

Suction Valve (8702) Open Alarm is available from PPS Set IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to RHR

valve (8701) is available from PPS Set IV • RHR valve (8702) does not open due to ETT fail safe (de-

energized), RHR Suction Valve Open Alarm does not actuate due to requiring the valve (8702) position switch open contact to be made up as well as the high pressure

FRs 3.2.4


• Reactor Coolant Hot Leg loop 4WR Pressure signal MCR indicator fails low

• Reactor Coolant Hot Leg loop 4WR Pressure signal to ERFDS fails low




• Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR indicator is available from PPS Set IV

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS is available from PPS Set III (PT-403), IV PT-405A)



80)

PR-403 (Section 5.1.3)

Reactor Coolant Hot Leg loop 4 WR Pressure MCR recorder

Open Circuit


• Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR recorder fails low


• Reactor Coolant Hot leg Loop 4 WR Pressure signal to RVLIS fails low

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to PPC fails low

• PPS Trouble Alarm is activated • MCR recorder (PR-403) fails low • ERFDS indication fails low • PT-403 OOR indication (MWS) • RVLIS Trouble Alarm is activated

• No impact to protection function • Same failure mode as existing system • Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR

indicator is available from PPS Set III and IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS

is available from PPS Set III (PT-403), IV (PT-405A) • Reactor Coolant Hot leg Loop 3 WR Pressure signal to RVLIS

is available from PPS Set IV • Reactor Coolant Hot leg Loop 3 WR Pressure signal to PPC is

available from PPS Set IV (Class II)

81) Short Circuit • Reactor Coolant Hot Leg loop 4 WR Pressure to recorder and ERFDS fails low

• MCR recorder (PR-403) fails low • ERFDS indication fails low


• Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR indicator is available from PPS Set III and IV




• Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS is available from PPS Set III (PT-403A), IV PT-405A)

82)

WRP-R (Section 5.1.3)

Resistor provides Reactor Coolant Hot Leg loop 4 WR Pressure signal to RVLIS

Open Circuit




• Reactor Coolant Hot leg Loop 4 WR Pressure signal to RVLIS fails high


• PPS Trouble Alarm is activated • RVLIS Trouble Alarm is activated • MCR recorder (PR-403) fails low • PT-403 OOR indication (MWS)

• No impact to protection function • Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR

indicator is available from PPS Set III and IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS

is available from PPS Set III (PT-403), IV (PT-405A) • Reactor Coolant Hot leg Loop 3 WR Pressure signal to RVLIS

is available from PPS Set IV • Reactor Coolant Hot leg Loop 3 WR Pressure signal to PPC is

available from PPS Set IV (Class II)

FRS 3.2.4

83) Short Circuit • Reactor Coolant Hot Leg loop 4WR Pressure to RVLIS fails low • RVLIS Trouble Alarm is activated


• Reactor Coolant Hot leg Loop 3 WR Pressure signal to RVLIS is available from PPS Set IV

84)

PM-457_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I PZR Pressure instruments and Class II MCR indicator and PZR Pressure Control




ALS System • PZR Pressure signal to ALS (both chassis) fails low• ALS 102 DOCH function sets comparators to fail

safe state (de-energized) • PZR Pressure Low-Low SI to SSPS is set • PZR Pressure High Rx Trip to SSPS is set • PZR Pressure Low Rx trip to SSPS is set • Unblock SI, P11 to SSPS is set • PZR Pressure High to PC-457EX (PORV actuation)

is unavailable (ETT) Triconex System • PZR Pressure signal to Tricon fails low • PZR Pressure signal fails low to Overtemperature

Setpoint calculation • OTDT Trip signal to SSPS is set

• PPS Failure Alarm is activated (ALS both chassis and Tricon)

• PCS Trouble Alarm is activated • MCR indicator (PI-457) fails low • PT-457 Virtual Channels (5) OOR

indication for both ALS chassis (MWS – ALS)



• Reduced coincidence for SSPS actuation • PZR Pressure Signal to MCR indicator is available from PPS

Set I, II and IV • Signal to PZR Pressure Control is available from Set I, II and

IV • OTDT Trip signal to SSPS is available from PPS Set I, II and IV • OTDT interlock C3 is available PPS Set I, II and IV • OTDT setpoint to MCR is available from PPS Set I, II and IV • PZR Pressure Low-Low SI to SSPS is available from PPS Set I, II

and IV • PZR Pressure High Rx Trip to SSPS is available from PPS Set I,

II and IV • PZR Pressure Low Rx trip to SSPS is available from Set I, II and

IV • Unblock SI, P11 to SSPS is available from PPS Set I, II • PZR Pressure High to RNARA (PORV actuation) is available

from PPS Set I, II and IV

FRS 3.2.7

85) Short Circuit (Input) • PZR Pressure signal to MCR indicator fails low • PZR Pressure signal to PZR Pressure control fails

low

• PCS Trouble Alarm is activated • MCR indicator (PI-457) fails low

• No impact to protection function, input current loop is maintained intact

• PZR Pressure Signal to MCR indicator is available from PPS Set I, II and IV

• Signal to PZR Pressure Control is available from Set I, II and IV 86) Open circuit (Output)




87) Short circuit (Output)

88)

LI-461 (Section 5.1.3)

Provide PZR Level indication In the MCR

Open Circuit

• PZR Level signal to Tricon fails low • PZR Level Signal to MCR indicator fails low • PZR Level signal to PZR Level control Set I fails

low • PZR Level signal to PZR Level control Set II fails

low • PZR Level signal to ERFDS fails low • PZR Level High Rx trip to SSPS is set

• PPS Failure Alarm is activated • PCS Trouble Alarm Set I is

activated • PCS Trouble Alarm Set II is

activated • MCR indicator (LI-461) fails low • LT-461 OOR indication (MWS) • ERFDS indicator fails low • PZR Level High partial trip signal


• Reduced coincidence for SSPS actuation • PZR Level signal to MCR indicator, PZR Level control (Set I,

Set II) and ERFDS is available from PPS Set I and II • PZR Level High signal to SSPS Reactor Trip is available from

Set I and II FRS 3.2.6

89) Short Circuit • PZR Level Signal to MCR indicator fails low • MCR indicator (LI-461) fails low


• PZR Level signal to MCR indicator, PZR Level control (Set I, Set II) and ERFDS is available from PPS Set I and II

90)

LM-461_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I PZR Level instruments and Class II PZR Level Control (Set I, Set II) and ERFDS


• PZR Level signal to Tricon fails low • PZR Level Signal to MCR indicator fails low • PZR Level signal to PZR Level control (Set I) fails

low • PZR Level signal to PZR Level control (Set II) fails

low • PZR Level signal to ERFDS fails low • PZR Level High Rx trip to SSPS is set

• PPS Failure Alarm is activated • PCS Trouble Alarm Set I is

activated • PCS Trouble Alarm Set II is

activated • MCR indicator (LI-461) fails low • LT-461 OOR indication (MWS) • ERFDS indicator fails low • PZR Level High partial trip signal


• Reduced coincidence for SSPS actuation • PZR Level signal to MCR indicator, PZR Level control (Set I,

Set II) and ERFDS is available from PPS Set I and II • PZR Level High signal to SSPS Reactor Trip) is available from

Set I and II

FRS 3.2.6

91) Short Circuit (Input) • PZR Level signal to PZR Level control (Set I) fails

low • PZR Level signal to PZR Level control (Set II) fails

low • PZR Level signal to ERFDS fails low

• PCS Trouble Alarm Set I is activated

• PCS Trouble Alarm Set II is activated

• ERFDS indicator fails low


• PZR Level signal to MCR indicator is available from PPS Set I and II

• PZR Level signal to PZR Level control (Set I) is available from PPS Set I and II

• PZR Level signal to PZR Level control (Set II) is available from PPS Set I and II

• PZR Level signal to ERFDS is available from PPS Set I and II



94) LI-518 (Section 5.1.3)

Provide SG1 Level indication In the MCR Open Circuit





• Reduced coincidence for SSPS actuation • SG1 Level Signal to MCR indicator, DFWCS and AFW (PCS) is

available from PPS Set II and IV • SG1 Level Signal to ERFDS is available from PPS Set IV • SG1Level High-High signal to SSPS (Turbine Trip, FW

isolation. P14 Interlock) is available from PPS Set II and IV

FRS 3.2.11






• LT-518 OOR indication (MWS) • ERFDS indication fails low • Partial trip signals sent to SSPS


• SG1 Level Low-Low signal to SSPS (Rx trip and AFW pump start) from PPS Set II and IV

95) Short Circuit • SG1 Level signal to MCR indicator fails low • MCR indicator (LI-518) fails low


• SG1 Level Signal to MCR indicator is available from PPS Set II and IV

96) LD/518A (Section 5.1.3)

Resistor provides SG1 Level signal to ERFDS

Open Circuit

• SG1 Level signal to Tricon fails low • SG1 Level signal to MCR indicator fails low • SG1 Level signal to DFWCS fails low • SG1 Level signal to AFW (PCS) fails low • SG1 Level signal to ERFDS fails high • SG1 Level High-High signal to SSPS (Turbine Trip,




activated • MCR indicator (LI-518) fails low • PCS (AFW) Trouble Alarm is

activated • LT-518 OOR indication (MWS) • ERFDS indication fails low • Partial trip signals sent to SSPS






FRS 3.2.11

97) Short Circuit • SG1 Level signal to ERFDS fails low • ERFDS indication fails low • No impact to protection function, input current loop is

maintained intact • SG1 Level Signal to ERFDS is available from PPS Set IV

98)

LM-518_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I SG1 Level instruments and Class II DFWCS and AFW (PCS)







activated • MCR indicator (LI-518) fails low • LT-518 OOR indication (MWS) • ERFDS indication fails low • Partial trip signals sent to SSPS



available from PPS Set II and IV • SG1 Level Signal to ERFDS is available from PPS Set IV • SG1Level High-High signal to SSPS (Turbine Trip, FW



FRS 3.2.11


• SG1 Level signal to DFWCS fails low • SG1 Level signal to AFW (PCS) fails low




• SG1 Level signal to DFWCS is available from PPS Set II, IV • SG1 Level signal to AFW (PCS) is available from PPS Set II, IV






102)


Provide SG2 Level indication In the MCR

Open circuit

• SG2 Level signal to Tricon fails low • SG2 Level signal to MCR indicator fails low • SG2 Level signal to DFWCS fails low • SG2 Level signal to AFW (PCS) fails low • SG2 Level signal to ERFDS fails low • SG2 Level signal to AMSAC fails low • SG2 Level High-High signal to SSPS (Turbine Trip,






is activated • MCR indicator (LI-528) fails low • LT-528 OOR indication (MWS) • ERFDS indication fails low • Partial trip signals sent to SSPS


• Reduced coincidence for SSPS actuation • SG2 Level Signal to MCR indicator, DFWCS and AFW is

available from PPS Set I and IV • SG Level signal to AMSAC is available from Set I (SG3), Set II

(SG4) and Set IV (SG1) • SG2 Level Signal to ERFDS is available from PPS Set IV • SG2 Level High-High signal to SSPS (Turbine Trip, FW



FRS 3.2.11



• SG2 Level Signal to MCR indicator is available from PPS Set I and IV

104) LD/528A (Section 5.1.3)


Open Circuit

• SG2 Level signal to Tricon fails low • SG2 Level signal to MCR indicator fails low • SG2 Level signal to DFWCS fails low • SG2 Level signal to AFW (PCS) fails low • SG2 Level signal to ERFDS fails high • SG2 Level signal to AMSAC fails low • SG2 Level High-High signal to SSPS (Turbine Trip,









available from PPS Set I and IV • SG2 Level Signal to ERFDS is available from PPS Set IV • Signal to AMSAC is available from Set I (SG3), Set II (SG4) and

Set IV (SG1) • SG2 Level High-High signal to SSPS (Turbine Trip, FW



FRS 3.2.11



106) LM-528_1 (Section 4.5.1)











available from PPS Set I and IV • SG2 Level Signal to ERFDS is available from PPS Set IV • SG2 Level signal to AMSAC is set • signal to AMSAC is available from Set I (SG3), Set II (SG4) and

Set IV (SG1) • SG2Level High-High signal to SSPS (Turbine Trip, FW



FRS 3.2.11






• SG2 Level signal to DFWCS fails low • SG2 Level signal to AFW fails low




• SG2 Level signal to DFWCS is available from PPS Set I and IV • SG2 Level signal to AFW is available from PPS Set I and IV



110)

LM-528_2 (Section 4.5.1)

Isolation device provides electrical isolation between Class I SG2 Level instruments and Class II AMSAC











available from PPS Set I and IV • SG2 Level Signal to ERFDS is available from PPS Set IV • Signal to AMSAC is available from Set I (SG3), Set II (SG4) and

Set IV (SG1) • SG2 Level High-High signal to SSPS (Turbine Trip, FW


start) from PPS Set I and IV FRS 3.2.11


• SG2 Level signal to AMSAC fails low



• SG Level signal to AMSAC is available from Set I (SG3), Set II (SG4) and Set IV (SG1)



114) LI-538 (Section 5.1.3)


Open Circuit












FRS 3.2.11

115) Short Circuit • SG3 Level signal to MCR indicator fails low • MCR indicator (LI-538) fails low • No impact to protection function, input current loop is




maintained intact • SG3 Level Signal to MCR indicator is available from PPS Set I

and IV

116) LD/538A (Section 5.1.3)


Open Circuit












FRS 3.2.11



118)

LM-538_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I SG3 Level instruments and Class II AFW (PCS) and DFWCS













FRS 3.2.11


• SG Level signal to DFWCS fails low • SG Level signal to AFW (PCS) fails low




• SG Level signal to DFWCS is available from PPS Set I and IV • SG Level signal to AFW (PCS) is available from PPS Set I and

IV



122) LI-548 (Section 5.1.3)

Provide SG4 Level indication In the MCR Open Circuit







isolation. P14 Interlock) is available from PPS Set II and IV

FRS 3.2.11






• LT-548 OOR indication (MWS) • ERFDS indication fails low • Partial trip signals sent to SSPS


• SG4 Level Low-Low signal to SSPS (Rx trip and AFW pump start) from PPS Set II and IV



• SG4 Level Signal to MCR indicator is available from PPS Set II and IV

124) LD/548A (Section 5.1.3)


Open Circuit


FW Isolation, P14 Interlock) is set • SG4 Level Low-Low signal to SSPS (Rx trip and










FRS 3.2.11



126)

LM-548_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I SG4 Level instruments and Class II AFW and DFWCS



FW Isolation, P14 Interlock) is set • SG4 Level Low-Low signal to SSPS (Rx trip and










FRS 3.2.11






• SG4 Level signal to DFWCS is available from PPS Set II and IV • SG4 Level signal to AFW (PCS) is available from PPS Set II and

IV






130)



Open Circuit


fails low • Containment Pressure signal to ERFDS fails low • Containment Pressure High signal to SSPS (SI,


(Containment Pressure -Phase B isolation containment Spray, Steam Line Isolation) is not available (ETT)






• Reduced coincidence for SSPS actuation • MCR Containment Pressure indicator is available from PPS

Set I, II and IV • Containment Pressure signal to ERFDS is available from PPS

Set II • Containment Pressure High signal to SSPS (SI, Phase A

isolation) is available from PPS Set II and IV • Containment Pressure High-High signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from PPS Set I, II and IV

FRS 3.2.13



• MCR Containment Pressure indicator is available from PPS Set I, II and IV

132)


Resistor provides Containment Pressure signal to ERFDS

Open Circuit


(PI-935) fails low • Containment Pressure signal to ERFDS fails high • Containment Pressure High signal to SSPS (SI,



• PPS Failure Alarm is activated • MCR indicator (PI-935) fails low • PT-935 Virtual Channels (2) OOR





Set I, II, IV • Containment Pressure High signal to SSPS (SI, Phase A

isolation) is available from PPS Set II, IV • Containment Pressure High-High signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from PPS Set I, II, IV

FRS 3.2.13

133) Short Circuit • Containment Pressure signal to ERFDS fails low • ERFDS indication fails low


• Containment Pressure signal to ERFDS is available from PPS Set II, IV

134)

FC-416_Byp_A FC-416_Byp_B FC-426_Byp_A FC-426_Byp_B FC-436_Byp_A FC-436_Byp_B FC-446_Byp_A FC-446_Byp_B PC-457C_Byp_A PC-457C_Byp_B PC-457B_Byp_A PC-457B_Byp_B PC-457A_Byp_A PC-457A_Byp_B PC-457D_Byp_A PC-457D_Byp_B PC-935A_Byp_A

RCS Flow, PZR Pressure and Containment Pressure Manual Bypass switches (DTT)

Switch A or B in Bypass • Status contact closes • K3W Alarm Contact

closes • Bypass contact failed

open




• Channel output is not Bypassed, if ALS-processed a trip condition the output would de-energize


• If “failed Bypass” chassis processes a trip signal due to a maintenance condition (ex: lifted leads), PPS Trouble alarm would be activated by the other chassis due to a Trip-without-Demand indication

• Other Chassis (via LSM) is capable of performing the safety function (trip signal)


FRS 2.2.3

135)

Switch A or B in Bypass • Status contact failed

open • K3W Alarm Contact













136)

PC-935A_Byp_B (Section 5.2.1.1)


failed open • Bypass contact closes













137)

Change switch A or B from Bypass to Normal • Status contact opens • K3W Alarm Contact


closed


clears • K3W Relay would de-energize only if the other








138)

Change switch A or B from Bypass to Normal • Status contact opens • K3W Alarm Contact fails







• The wiring design enables using a DVM to measure across the contacts and determine that they had not changed stat






139) Change switch A or B from Bypass to Normal • Status contact fails


• ALS PPS Bypass alarm for affected chassis would


• PPS Bypass alarm for affected





closed • K3W Alarm Contact


not clear• K3W Relay would de-energize only if other

associated Bypass switch was set and no other pair of Bypass Switches were set (this is normal)


chassis remains activated

140)

PC-457E_Byp-A PC-457E_Byp_B PC-935B_Byp-A PC-935B_Byp_B (Section 5.2.1.1)

PZR Pressure, Containment Pressure manual Bypass switches A / B (ETT)



closed












FRS 3.2.3.5.1

141)

Switch A or B in Bypass • Status contact fails open • K3W Alarm Contact






• PPS Bypass Alarm for affected chassis is not activated



142)

Switch A or B in Bypass • Status contact closed • K3W Alarm Contact fails








• The wiring design enables using a DVM to measure across the




• The switches are qualified as class IE devices. Single failure of the manual Bypass Switch 4-5-6 contacts does not create




contacts and determine that they had not changed state

condition that disables PPS safety function• Since there is no reflash capability to the alarm associated


143)



open






• An actual trip would not be processed by the affected chassis• Other Chassis (via LSM) is unaffected and capable of

performing the safety function (trip signal) • Bypass Switch wiring and use should be revised or testing


144)












145)

Change Switch A or B from Bypass to normal • Status contact opens • K3W Alarm Contact fails













146)

FS/416 FS/426 FS/436 FS/446 PS/457C PS/457B PS/457A PS/457D PS/935A





• No PPS Trouble alarm from either chassis due to a Trip-without-Demand condition (normal operating conditions)

• No impact to protection function • The switches are qualified as class IE devices. Single failure of

the manual trip switch contacts does not create condition that disables PPS safety function

FRS 2.2.2

147) Change Switch from trip to Normal position • SSPS Relay remains tripped • ALS-PPS Trouble alarm stays on

due to a Trip-without-Demand




(Section 5.2.2) • Contact fails to close condition (normal operating conditions)


148)

TS/431C TS/431G TS/432D TS/432G LS-518A LS-518B LS/528A LS/528B LS/538A LS/538B PS/526A LS-548A LS-548B PS/526C PS/536A PS/536C LS/461A (Section 5.2.2)





• No Tricon PPS Trouble alarm

• No impact to protection function • The switches are qualified as class IE devices. Single failure of

the manual trip switch contacts does not create condition that impact safety function of the plant protection system.

FRS 2.2.2




• Tricon PPS Trouble alarm stays on in MCR

150)

TS/431D TS/431H (Section 5.2.2)





• No Tricon PPS Trouble alarm • No impact to protection function FRS 2.2.2





152)

LP3_DTTA_OOS LP3_TTD_OOS L548_OOS L461_OOS P403_OOS P403A_OOS P526_OOS P536_OOS L518_OOS L528_OOS L538_OOS (Section 5.2.3)





closed




• MWS does not indicate the affected channel is OOS, would not allow the channel to be placed in a maintenance condition


the contact being made up

FRS 3.2.1.3.7

153)

Switch is in OOS position • OOS contact closed • K3T Alarm contact fails

open





• No impact to protection function • K3T Relay provides an independent MAS alarm that does not

have any interaction with the safety-related functions. It provides an indication that at least one OOS Switch is set, but impossible to determine which without physically inspecting







154) Switch is in normal position • OOS contact fails closed • K3T Alarm contact open







155)

Switch is in normal position • OOS contact open • K3T Alarm contact fails

closed

• Affected PPS channel is in normal condition • K3T Relay would not de-energize if no other OOS

Switches are set



• No impact to protection function • K3T Relay provides an independent MAS alarm that does not

have any interaction with the safety-related functions. It provides an indication that at least one OOS Switch is set, but impossible to determine which without physically inspecting




156)

K3W (Section 5.2.1.1.3)

ALS manual Bypass isolation relay

Relay coil open








FRS 3.2.1.5.2 157) Relay coil short

158) Output contact open • K3W relay fails to actuate MAS alarm • Undetectable unless at least

one pair of ALS-Bypass Switches were both set to Bypass

• MAS Alarm set when no pair of Bypass Switches are set 159) Output contact short • MAS alarm is activated without alarm condition

set





160)


Tricon OOS alarm isolation relay

Relay coil open



• If coil is shorted and at least one OOS Switch is set, fuse FU3 would blow and isolate power supply PS3S from failed component





IRS 2.8.4.1.1







164) PS3, PS6 (Section 4.2.4)

Provide 48 VDC power to ALS chassis A and B Loss of one power supply • Loss of single redundant power supply • PPS Trouble alarm is activated

• No impact to protection function • The ALS chassis (A and B) continue to operate through

redundant 48 VDC power supply • The 48 VDC power supplies are qualified as class IE devices.

FRS 3.2.1.5.2

165) PS2, PS5 (Section 4.2.4)

Provide 48 VDC power to ALS Digital input (DI) module ALS-302 and ALS-102 (Core Logic board)



• PPS Trouble alarm is activated • If K3W was energized, MAS

alarm would clear



FRS 3.2.1.5.2

166) PS1, PS4 (Section 4.2.4)

Provide 24 VDC power to analog loop (ALS) Loss of one power supply • Loss of single redundant power supply • PPS Trouble alarm is activated

• No impact to protection function • The analog loop FT-416, 426, 436, 446 and PT-935 continue

to operate through redundant 24 VDC power supply • The 24 VDC power supplies are qualified as class IE devices.

FRS 3.2.1.5.2


Provide 48 VDC power to Tricon termination module 9792-610 (AI)

Loss of one power supply • Loss of single redundant power supply • PPS Trouble alarm is activated

• No impact to protection function • The analog input termination module continue to operate

through redundant 48 VDC power supply • The 48 VDC power supplies are qualified as class IE devices.

FRS 3.2.1.5.2


Provide 24 VDC power to Tricon termination module 9563-810 (DI)



• PPS Trouble alarm is activated • If K3T was energized, MAS

alarm would clear

• No impact to protection function • The digital input termination module continue to operate


FRS 3.2.1.5.2




• No impact to protection function • The analog output termination module continue to operate


FRS 3.2.1.5.2


Provide 24 VDC power to isolation devices Loss of one power supply • Loss of single redundant power supply • PPS Trouble alarm is activated

• No impact to protection function • The isolation devices continue to operate through the


FRS 3.2.1.5.2




171) PLF1 (Rack 12) (ALS) Power Line Filter and Voltage Regulator for 120 VAC supply to Rack 12 (ALS) components


• Loss of Vital AC to Rack 12 (ALS), loss of all Protection Set III ALS functions

• All DTT channels de-energize, both chassis • RCS Flow Indications (MCR) fail low • Containment Pressure signal to MCR indicator


• PPS Failure Alarm is activated by ALS (both chassis)

• PPS Trouble Alarm is activated by ALS (both chassis)



• Tricon Chassis in Rack 11(TRICON) and Rack 13 (TRICON) unaffected as they are not supplied by this component

IRS 2.4.3




IRS 2.4.3





IRS 2.4.3



ALS Protection Set III • Loss of all Protection Set III ALS functions



• Reduced coincidence for SSPS actuation IRS 2.4.3

175) CB1 (Rack 11) CB2 (Rack 11)




176) CB3 (Rack 11)











IRS 2.4.3


Breaker fails open • Loss of PS2N-PS3N redundant power supplies • PS1N and PS4N are spares, no effect • PPS Trouble Alarm is activated • No impact to protection functions



Breaker fails open • Loss of PS5N-PS6N redundant power supplies • PS7N is a spare, no effect • PPS Trouble Alarm is activated • No impact to protection functions


179) CB6 (Rack 11) Provide 120 VAC (from non-vital source) to receptacles for Class II components in Rack 11

Breaker fails open






Computer for both ALS and Triconex components • ALS Manual Trip and Bypass Switches are not affected • Triconex Manual Trip, OOS and Bypass Switches are not

affected

IRS 2.4.3





Breaker fails open


• Loss of redundant Port Aggregator #1 • Loss of redundant Media Converter #1 • Loss of redundant Network Switch #1





components powered from CB8 • Tricon status information to Gateway Computer unaffected

due to redundant components powered from CB8

IRS 2.4.3


Breaker fails open


• Loss of redundant Port Aggregator #2 • Loss of redundant Media Converter #2 • Loss of redundant Network Switch #2






IRS 2.4.3

182) PLF1 (Rack 13)



• Loss of Vital AC to Rack 11 (Non-Safety) and Rack 13 (Safety) , loss of all Protection Set III Tricon functions

• All DTT channels de-energizes • Analog Outputs (MCR) fail Low • PZR Pressure Loop Power Supply loss, loss of



• PPS Trouble alarm (Tricon) is activated



• Reduced coincidence for SSPS actuation • ALS RCS Flow and Containment Pressure unaffected as they

are supplied Loop Power from Rack 12 Vital Power

IRS 2.4.3

183) CB1 (Rack 13) CB2 (Rack 13)




IRS 2.4.3

184) CB3 (Rack 13) CB4 (Rack 13)




IRS 2.4.3





IRS 2.4.3

186) CB6 (Rack 13)





IRS 2.4.3









IRS 2.4.3






IRS 2.4.3


Breaker fails open • Loss of PS2S-PS3S redundant power supplies • PS1S and PS4S are spares, no effect • PPS Trouble Alarm is activated • No impact to protection functions



Breaker fails open • Loss of PS6S-PS7S redundant power supplies • PS5S is a spare, no effect • PPS Trouble Alarm is activated • No impact to protection functions










affected

IRS 2.3.7

192) ALS MWS PC Provides local status indication and maintenance functions for ALS channels (both chassis)

PC fails







IRS 2.3.7

193)

ALS MWS Serial Card Chassis A ALS TxB2 Serial Components Chassis A

Provides serial connection for ALS Chassis A status indication and maintenance functions to the MWS







Computer for ALS chassis A via TxB1 communications • ALS Chassis B indications, status and maintenance functions

are available • ALS Manual Trip and Bypass Switches are not affected

IRS 2.3.4

194)









Computer for ALS chassis A via TxB1 communications • ALS Chassis A indications, status and maintenance functions

are available • Manual Trip and Bypass Switches are not affected

IRS 2.3.4





Provides serial wiring and cable connections for ALS Chassis A to the PPC






IRS 2.3.4


Provides serial wiring and cable connections for ALS Chassis B to the PPC






IRS 2.3.4

197) Tricon MWS PC Provides local status indication and maintenance functions for Triconex channels

PC fails







from a separate PC

IRS 2.3.7











IRS 2.3.1, 2.3.2, 2.3.3


• Provides unidirectional data to the Gateway Computer


Aggregator fails









IRS 2.3.1, 2.3.2, 2.3.3








these switches

IRS 2.3.1, 2.3.2, 2.3.3







Server • All data available on individual Protection Set MWS via TxB2

data streams

IRS 2.3.4

DCPP Units 1 & 2 Process Protection System Replacement 15-0681-FMEA-001, Rev. 0 System Level Failure Modes and Effects Analysis Attachment 4

Sheet 1 of 37

PROCESS PROTECTION SYSTEM (PPS) REPLACEMENT Failure Modes and Effects Analysis (FMEA), Protection Set IV, Attachment 4


1)


Provide Reactor Coolant NR Cold leg (Tcold) Loop 4 temperature signal for MCR indication / Protection / Process control



• PPS Failure Alarm is activated from Tricon due to Tcold OOR




available from PPS Set I (loop 1), II (loop 2), III (loop 3) • Tricon PPS Set IV Sensor Quality Algorithm 2 (SQA2)

provides valid Tcold at least with 1 good RTD in each loop • ALS Chassis do not activate a Failure Alarm for OOR


FRS 3.2.5

2)



failed signal

3)



4)



failed signal

5)


Provide Reactor Coolant NR Hot leg (Thot) Loop 4 temperature signal for MCR indication / Protection / Process Control



• PPS Failure Alarm is activated from Tricon


• No protection function impact • Same failure mode as existing system • Tricon PPS Set IV Sensor Quality Algorithm 3A(SQA3A) or 3B


• Reactor Coolant NR Hot leg temperature (Thot) signal is available from PPS Set I (loop 1), II (loop 2), III (loop 3)

• Protection function also is available from PPS Set I, II & III • ALS Chassis do not activate a Failure Alarm for OOR


FRS 3.2.5

6)



7)



8)




Sheet 2 of 37



9)

TE-454 (Section 5.1.1)

Provide PZR Vapor Temperature (Tpzr) to MCR indicator / Interlock / Process Control


ALS System (chassis A only) • Signal fails low • ALS sets analog output to Tricon to 0 mA


• PCS Trouble Alarm is activated (Tpzr failure)

• RTD OOR indication (MWS – ALS)

• TE-454 OOR indication (MWS – Tricon)

• No impact to protection function • Same failure mode as existing system • RHR valve 8701 Interlock is not set due to ETT fail safe (de-

energized)

FRS 3.2.8

10)

Triconex System • Tricon input (0.0 mA) • Tricon output to PCS fails low • Tpzr Low Temperature signal to RHR valve 8701

Interlock is not available (ETT) • MCR PZR Vapor Temperature indication fails

low

11)


ALS System (chassis A only) • Signal fails low • ALS sets analog output to Tricon to 0 mA

12)

Triconex System • Tricon input (0.0 mA) • Tricon output to PCS fails low • Tpzr Low Temperature signal to RHR valve 8701

Interlock is not available (ETT)

13)

PT-474 (Section 4.4 and 5.1.2)

Provide PZR Pressure signal for MCR indication / Protection / Process control



• PZR Pressure signal to PZR Pressure Control (PCS) fails low

ALS System • Signal to ALS fails low • ALS 102 DOCH function sets comparators to fail

safe state (de-energized) – both chassis • PZR Pressure High to PC-474BX (PORV actuation)

is unavailable (ETT) Triconex System • Signal to Tricon fails low • OTDT Trip signal to SSPS is set • PZR Pressure signal fails low to Overtemperature





• PCS Trouble Alarm is activated • MCR PZR Pressure indicator

(PI-474) fails low

Partial trip signal sent to SSPS with partial trip status lights illuminated in MCR • PZR Pressure Low-Low SI to

SSPS • PZR Pressure High Rx Trip to

SSPS

• Reduced coincidence for SSPS actuation • No protection function impact • Same failure mode as existing system • PZR Pressure Signal to MCR indicator is available from PPS

Set I, II & III • Signal to PZR Pressure Control is available from Set I, II & III • OTDT Trip signal to SSPS is available from PPS Set I, II & III • OTDT Interlock C3 is available PPS Set I, III, IV • Overtemperature setpoint to MCR is available from PPS Set

I (T/411A, TI-411C), II (T/411A, TI-421C), III (T/411A, TI-431C)

• PZR Pressure Low-Low SI to SSPS is available from PPS Set I, II & III

• PZR Pressure High Rx Trip to SSPS is available from PPS Set I, II & III

• PZR Pressure Low Rx trip to SSPS is available from Set I, II & III

• PZR Pressure High to RNASA (PORV actuation) is available from PPS Set I, II & III

FRS 3.2.7



Sheet 3 of 37



• PZR Pressure Low Rx trip to SSPS

15) PT-405 (Section 5.1.2)

Provide Reactor Coolant Hot Leg loop 3 WR Pressure signal to MCR recorder / ERFDS / RVLIS

Open Circuit





• PPS Trouble Alarm is activated • MCR indicator (PI-405) fails low• ERFDS indication fails low • RVLIS Trouble Alarm is

activated • PT-405 OOR indication (MWS)

• No protection function impact provides indication only • Same failure mode as existing system • Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR

indicator is available from PPS Set III (PT-403, PT-403A), IV (PT-405A)

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS is available from PPS Set III (PT-403, PT-403A), IV (PT-405A)

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to RVLIS is available from PPS Set III (PT-403, PT-403A)

FRS 3.2.4

16) Short Circuit

17)

PT-405A (Section 5.1.2)

Provide Reactor Coolant Hot Leg loop 4 WR Pressure signal to MCR indicator / ERFDS / RNASA / RNSIB

Open Circuit





• Reactor Coolant Hot leg Loop 4 WR Low Pressure signal to RHR valve (V-8701) Interlock (RNSIB) is not available (ETT)

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to RHR Suction Valve Open Alarm is set


low • PT-405A OOR indication

(MWS) • ERFDS indication fails low


indicator is available from PPS Set III (PT-403, PT-403A) • Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS

is available from PPS Set III (PT-403, PT-403A) • Reactor Coolant Hot leg Loop 4 WR High Pressure signal to

PC-403DX, LTOPS (RNASA) is available from PPS Set III (PT-403, PT-403A)

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to RHR Suction Valve Open Alarm is available from PPS Set III (PT-403, PT-403A)

• RHR valve (V-8701) does not open due to ETT fail safe (de-energized), RHR Suction Valve Open Alarm does not actuate due to requiring the valve (V-8701) position switch open contact to be made up as well as the High pressure

FRS 3.2.4

18) Short Circuit

19)

PT-516 PT-546 (Section 5.1.2)

Provide SG (1, 4) Steam Pressure signal for MCR indication / DFWCS / Protection


low • SG Steam Pressure signal to DFWCS fails low • SG Low Steam Pressure signal to SSPS (SI and

Steam Line isolation) is set • SG High Steam Pressure signal to SSPS (Negative

Rate Steam Line isolation) is set • SG Steam Line Pressure alarm is set

• PPS Failure Alarm is activated • MAS Steam Line Low Pressure

alarm is activated • MCR indicator (PI-516) fails low• MCR indicator (PI-546) fails low• PT-516 OOR indication (MWS) • PT-546 OOR indication (MWS) • SG Low Steam Pressure partial

trip signals sent to SSPS with partial trip status lights


available from PPS Set I & II • SG Low Steam Line Pressure to SSPS (SI and Steam Line

isolation) is available from PPS Set I & II • SG Steam Line Pressure to SSPS (High Negative Rate Steam

Line isolation) is available from PPS Set I & II

FRS 3.2.10

20) Short Circuit


Sheet 4 of 37



illuminated in MCR

21)


Provide SG1 Level signal for MCR indication / DFWCS / AMSAC / AFW (PCS) / ERFDS / Protection

Open Circuit

• SG1 Level signal to Tricon fails low • SG1 Level signal to MCR indicator fails low • SG1 Level signal to DFWCS fails low • SG1 Level signal to AFW (PCS) fails low • SG1 Level signal to AMSAC fails low • SG1 Level signal to ERFDS fails low • SG1 Level High-High signal to SSPS (Turbine Trip,

FW Isolation, Interlock P-14) is set • SG1 Level Low-Low signal to SSPS ( Rx trip &




activated • AMSAC General Warning

Alarm is activated • MCR indicator (LI-517) fails low • LT-517 OOR indication (MWS) • ERFDS indication fails low • Partial trip signals sent to SSPS


• Reduced coincidence for SSPS actuation • Same failure mode as existing system • SG1 Level Signal to MCR indicator, DFWCS and AFW is

available from PPS Set II & III • SG1 Level Signal to ERFDS is available from PPS Set III • SG Level signal to AMSAC is available from PPS Set I (SG3),

PPS Set II (SG4) and PPS Set III (SG2) • SG1 Level High-High signal to SSPS (Turbine Trip, FW

isolation. Interlock P-14) is available from PPS Set II & III • SG1 Level Lo-Lo signal to SSPS (Rx trip & AFW pump start)

from PPS Set II, III

FRS 3.2.11

22) Short Circuit

23)



Open Circuit









available from PPS Set I, III • SG2 Level Signal to ERFDS is available from PPS Set III • SG2 High-High Level signal to SSPS (Turbine Trip, FW

isolation, Interlock P-14) is available from PPS Set I & III • SG2 Lo-Lo Level signal to SSPS (Rx trip & AFW pump start)is

available from PPS Set I, III

FRS 3.2.11

24) Short Circuit

25) LT-537 (Section 5.1.2)


Open Circuit


FW Isolation, Interlock P-14) is set



activated • MCR indicator (LI-537) fails low • LT-537 OOR indication (MWS)


available from PPS Set I & III • SG3 Level Signal to ERFDS is available from PPS Set III • SG3 Level High-High signal to SSPS (Turbine Trip, FW

isolation. Interlock P-14) is available from PPS Set I & III

FRS 3.2.11


Sheet 5 of 37



26) Short circuit

• SG3 Level Low-Low signal to SSPS ( Rx trip & AFW pump start) is set



• SG3 Level Lo-Lo signal to SSPS (Rx trip & AFW pump start) from PPS Set I & III

27)



Open Circuit









available from PPS Set II & III • SG4 Level Signal to ERFDS is available from PPS Set III • SG4 Level High-High signal to SSPS (Turbine Trip, FW


from PPS Set II & III

FRS 3.2.11

28) Short Circuit

29)


Provide Containment Pressure signal for MCR indication / Protection

Open Circuit


fails low • Containment Pressure High signal to SSPS (SI,


(Containment Pressure -Phase B isolation containment Spray, Steam Line Isolation) is not unavailable (ETT)

• PPS Failure Alarm is activated • MCR indicator (PI-934) fails low• PT-934 OOR indication (MWS) • Partial trip signals sent to SSPS



Set I, II, III • Containment Pressure High signal to SSPS (SI, Phase A

isolation) is available from PPS Set II, III • High-High Containment Pressure signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from PPS Set I, II, III

FRS 3.2.13

30) Short Circuit

31) NE-44A (Section 5.1.4)


Open Circuit


• Overtemperature Delta-T Trip to SSPS is set • Upper Flux signal fails low to Overpower Setpoint








Set I, II, III • MCR Overpower Setpoint indication is available from PPS

Set PPS Set I, II, III • MCR Overtemperature Setpoint indication is available from

PPS Set I, II, III

FRS 3.2.5

32) Short circuit (0 VDC) • Upper Flux signal to Tricon fails low • Upper Flux signal fails low to Overpower Setpoint

• MCR (Overpower Setpoint indication - T/411A, TI-441B) do



Sheet 6 of 37



calculation• Upper Flux signal fails low to Overtemperature


not channel check• MCR (Overtemperature

Setpoint indication - T/411A, TI-441C) do not channel check



Set I, II, III • MCR Overtemperature Setpoint indication is available from

PPS Set I, II, III • Fail at 0 V does not incur OOR condition as it is within the



• Upper Flux signal to Tricon fails high > 10 V • Overtemperature Delta-T Trip to SSPS is set • Upper Flux signal fails low to Overpower Setpoint










PPS Set I, II, III

34)

NE-44B (Section 5.1.4)


Open Circuit


• Overtemperature Delta-T Trip to SSPS is set • Lower Flux signal fails low to Overpower Setpoint










PPS Set I, II, III

FRS 3.2.5


• Lower Flux signal to Tricon fails low • Lower Flux signal fails low to Overpower Setpoint









PPS Set I, II, III • Fail at 0 V does not incur OOR condition as it is within the



• Lower Flux signal to Tricon fails high > 10 V • Overtemperature Delta-T Trip to SSPS is set • Lower Flux signal fails low to Overpower


• NE-44B OOR indication (MWS)



Sheet 7 of 37



Setpoint calculation• Lower Flux signal fails low to Overtemperature






PPS Set I, II, III

37)

TE-440B TE-440A TE-441A TE-442A TE-454 (Section 5.1.1)

• Provide Reactor Coolant Loop 4 NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / Protection / control circuit (TE-440A, 440B, 441A, 442A)

• Provide PZR Vapor Temperature (Tpzr) to MCR indicator / Interlock / Process Control (TE-454)






• PPS Trouble Alarm is activated by Tricon (Tpzr failure)




• No protection function impact • Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed




• Reactor Coolant NR Tcold/Thot temperature signals are available from PPS Set I, II and IV

• PZR Vapor Temperature is not available

FRS 3.2.5, 3.2.8 IRS 2.8.1.2

38)




39)






40)

TE-441B TE-440C TE-441C TE-442C (Section 5.1.1)

Provide Reactor Coolant NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / Protection / Process Control







• MWS indicates bad health

• No Impact to protective function • Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed




• Reactor Coolant NR Tcold/Thot temperature signals are available from PPS Set I, II and III

FRS 3.2.5 IRS 2.8.1.2

41)





Sheet 8 of 37



status for board

42)






43)

PT-934 PT-474






• PZR Pressure High to PC-474BX (PORV actuation) is not available (ETT)


• PZR Pressure signal to Pressurizer Pressure Control fails low (PT-474)



• MCR indication (PT-935, 457) fails low for associated chassis





• Reduced coincidence for SSPS actuation • PZR Pressure Low signal to SSPS is available from other

chassis and PPS Set I, II and III • PZR Pressure Low-Low signal to SSPS is available from other

chassis and PPS Set I, II and III • PZR Pressure High signal to SSPS is available from other

chassis and PPS Set I, II and III • PZR Pressure High signal to RNASA (PORVS) is available from

other chassis and PPS Set I, II and III • Containment Pressure High-High signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from Set I, II, III

• Containment Pressure High signal to SSPS (SI, Phase A isolation ) is available from PPS Set II, III


• PZR Pressure signal to Pressurizer Pressure Control fails low (PT-456)

FRS 3.2.7, 3.2.13

44)



• PZR Pressure High to PC-474BX (PORV actuation) is not available (ETT)








• Reduced coincidence for SSPS actuation • PZR Pressure Low signal to SSPS is available from other

chassis and PPS Set I, II and III • PZR Pressure Low-Low signal to SSPS is available from other

chassis and PPS Set I, II and III • PZR Pressure High signal to SSPS is available from other

chassis and PPS Set I, II and III • PZR SI permissive (P11) signal to SSPS is available from

other chassis and PPS Set I, II and III • PZR Pressure High signal to RNASA (PORVS) is available from

other chassis and PPS Set I, II and III • Containment Pressure High-High signal to SSPS (Phase B

isolation Containment Spray, Steam Line Isolation) is available from PPS Set I, II, III


Sheet 9 of 37



• Containment Pressure High signal to SSPS (SI, Phase A isolation) is available from PPS Set II, III

45)

PC-474A_FB_LSM_A(B) PC-474B_FB_LSM_A(B) PC-474C_FB_LSM_A(B) PC-474D_FB_LSM_A(B) PC-934A_FB_LSM_A(B) PC-934B_FB_LSM_A(B) PC-474A_Byp_A(B) PC-474B_Byp_A(B) PC-474C_Byp_A(B) PC-474D_Byp_A(B) PC-934A_Byp_A(B) PC-934B_Byp_A(B) PS1FAIL_IVA PS2FAIL_IVA PS3FAIL_IVA PS4FAIL_IVA PS5FAIL_IVA PS6FAIL_IVA











chassis

FRS 3.2.1.3

46)

ALS MAS Alarms (Section 4.5.2.2) UY-PS4A_DIV-A (B) UY-PS4B_DIV-A (B) UY-PS4C_DIV-A (B) UY-PS4D_DIV-A (B)










47) NE-44A NE-44B











• Partial trip signals sent to SSPS



Set PPS Set I, II, III • MCR Overtemperature Setpoint indication is available from

PPS Set I, II, III

FRS 3.2.5


Sheet 10 of 37




48)

TE-440B TE-440A TE-441A TE-442A PT-474 PT-516 LT-517 LT-537 PT-405A TE-454






• Provide Reactor Coolant Hot Leg Loop 4 WR Pressure signal for Alarm / Interlock / LTOP (PT-405A)

• Provide PZR Vapor Temperature (Tpzr) to MCR indicator / Interlock / Process Control (PT-454)


• Inputs fail Low • Sensor Quality Algorithm (SQA2) rejects failed


rejects failed signals • PZR Pressure signal fails low to Overtemperature

Setpoint calculation • OTDT Trip signal to SSPS is set (PZR Pressure fails

low) • SG1 Low Steam Pressure signal to SSPS (SI and



(Turbine Trip, FW Isolation, Interlock P-14) is set • SG1 and SG3 Level Low-Low signal to SSPS (Rx

trip and AFW pump start) is set • Reactor Coolant Hot leg LP4 WR High Pressure

signal to PC-405DX, LTOPS (RNASA) is not available (ETT)

• Reactor Coolant Hot leg LP 4 WR Low Pressure signal to RHR valve (V-8701) interlock (RNSIB) is not available (ETT)

• Reactor Coolant Hot leg LP 4 WR Pressure signal to RHR Suction Valve Open Alarm is set

• Tpzr Low Temperature signal to RHR valve 8701 Interlock is not available (ETT)






• Reduced coincidence for SSPS actuation • Reactor Coolant WR Pressure LP4 High signal to LTOPS (to

open valve PCV-455C) is available from PPS Set III, LP4 hot leg





• OTDT setpoint to MCR is available from PPS Set I (T/411A, TI-411C), II (T/411A, TI-421C), III (T/411A, TI-431C)

• OTDT Trip signal to SSPS is available from PPS Set I, II, III • SG1 Low Steam Line Pressure to SSPS (SI and Steam Line

isolation) is available from PPS Set I and II • SG1 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set I, II • SG1 High-High Level signal to SSPS (Turbine Trip, FW

isolation, P14 Interlock) is available from PPS Set II, III • SG1 Low-Low Level signal to SSPS (Rx trip and AFW pump

start)is available from PPS Set II, III • SG3 Level High-High signal to SSPS (Turbine Trip, FW

isolation. P14 Interlock) is available from PPS Set I, III • SG3 Level Lo-Lo signal to SSPS (Rx trip and AFW pump start)

from PPS Set I, III • Reactor Coolant Hot leg LP4 WR Pressure signal to RHR

Suction Valve Open Alarm is available from PPS Set III for RHR valve (V-8702)

• RHR valve (V-8701) does not open due to ETT fail safe (de-energized), RHR Suction Valve Open Alarm does not actuate due to requiring the valve (V-8702) position switch open contact to be made up as well as the High pressure

• Interactions with other systems/indications associated with the input loop are unaffected as the input loop remains

FRS 3.2.4, 3.2.5, 3.2.7, 3.2.8, 3.2.10, 3.2.11


Sheet 11 of 37



intact

49)

TE-441B TE-440C TE-441C TE-442C PT-546 LT-527 LT-547 PT-405

• Provide Reactor Coolant Loop 4 NR Hot leg (Thot)/Cold leg (Tcold) temperature signal for MCR indication / protection / control circuit (Group B) (TE441B, 440C, 441C, 442C)


• Provide Steam Generator 2 Level signal for Protection LT-527)


• Provide Reactor Coolant Hot Leg loop 3 WR Pressure signal for MWS indication (PT-405)

Tricon 3721N (Slot4) module failure (total loss of AI module function due to multiple electronics failure or common software failure)

• Inputs fail low • Sensor Quality Algorithm (SQA2) rejects failed


rejects failed signals • SG4 Low Steam Pressure signal to SSPS (SI and

Steam Line isolation) is set • SG High Steam Pressure signal to SSPS (Negative

Rate Steam Line isolation) is set • SG2 and SG4 Level High-High signal to SSPS

(Turbine Trip, FW Isolation, Interlock P-14) is set • SG2 and SG4Level Low-Low signal to SSPS ( Rx

trip and AFW pump start) is set • Reactor Coolant Hot Leg loop 3 WR Pressure

MWS indication fails low




• Reduced coincidence for SSPS actuation • Tricon Sensor Quality Algorithm 2 (SQA2) rejects failed




• SG4 Low Steam Line Pressure to SSPS (SI and Steam Line isolation) is available from PPS Set I, II

• SG4 Steam Line Pressure to SSPS (High Negative Rate Steam Line isolation) is available from PPS Set I, II

• SG2 Level High-High signal to SSPS (Turbine Trip, FW isolation, P14 Interlock) is available from PPS Set I, III

• SG2 Level Low-Low signal to SSPS (Rx trip and AFW pump start)is available from PPS Set I, III

• SG4 Level High-High signal to SSPS (Turbine Trip, FW isolation. P14 Interlock) is available from PPS Set II, III

• SG4 Level Low-Low signal to SSPS (Rx trip and AFW pump start) from PPS Set I, IV

• Interactions with other systems/indications associated with the input loop are unaffected as the input loop remains intact (PT-405 indicators are all on the input loop)

FRS 3.2.3, 3.2.5, 3.2.6, 3.2.9, 3.2.10, 3.2.11

50)

TI-441A TI-441B TI-441C TI-442 (DTTA indicators) TI-454

• Provide DTTA signal for MCR indication (TI-441A, 441B, 441C, 442)

• Provide PZR Vapor Temperature (Tpzr) to MCR indicator / Process Control (TI-454)


• Analog outputs fail low (de-energized) • Loop Delta-T signal to PCS fails low (R28) • DTTA MCR indications for Set IV fail low • Tpzr signal to MCR indicator (VIA PCS) fails low


• PCS Trouble Alarm is actuated due to Delta-T and Tpzr signals fail low



• No protection function impact • The same failure mode as existing system • DTTA indications available on MWS and Gateway computer • Tpzr indications available on MWS for both ALS Chassis A

and Tricon

FRS 3.2.5


Sheet 12 of 37



51)

TC441G TC442D PC516A PC546C LC517A LC527A LC537B LC547B PC405A PC405D


• Provide SG1 and SG2 High-High Level Trip/Interlock (P14) to SSPS (LC517A, 527A)

• Provide SG3 and SG4 Low-Low Level Trip and AFW Pump Start to SSPS (LC537B, 547B)

• Provide SG1 Low Steam Line Pressure to SSPS (SI and Steam Line isolation) (PC516A)

• Provide SG4 Steam Line Pressure to SSPS (High Negative Rate Steam Line isolation) (PC546C)

• Provide Reactor Coolant Hot Leg loop 4 WR Pressure signal to LTOP / Interlock (PC405A, 405D)


• Outputs go OFF (de-energized) • Reactor Coolant WR LP4 Hot leg Pressure High

signal to LTOP (PCV-456) is not available from PPS Set IV (ETT)

• OPDT and Low-Low Tavg Trip to SSPS is set • SG1 and SG2 Level High-High signal to SSPS




(Negative Rate Steam Line isolation) are set • Reactor Coolant Hot leg Loop 4 WR High






• Reduced coincidence for SSPS actuation • Reactor Coolant WR LP4 Hot leg Pressure High signal to

LTOPS (to open valve PCV-455C) is available from PPS Set III • PCV-456 control switch Close/Open capability unaffected,

only Auto for LTOP impacted • Reactor Coolant Hot leg Loop 4 WR Low Pressure signal to

RHR valve (V-8702) interlock (RNSIA) is available from PPS Set III (PT-403A)

• OPDT and Low-Low Tavg (P12) signals to SSPS are available from PPS Set I, II, III

• SG1 Level High-High signal is available from PPS Set II, III • SG2 Level High-High signal is available from PPS Set I, III • SG3 Level Low-Low signal to SSPS (Rx trip, AFW pump start)

is available from PPS Set I, III • SG4 Level Low-Low signal to SSPS (Rx trip, AFW pump start)

is available from PPS Set II, III • SG2 Low Steam Pressure signal to SSPS (SI and Steam Line

isolation) is available from PPS Set I, II • SG3 High Negative Rate Steam Line Pressure are available

for Steam Line isolation (SSPS) from PPS Set I, II

FRS 3.2.4, 3.2.5, 3.2.10, 3.2.11

52)

TC442G TC441C PC516C PC546A LC517B LC527B LC537A LC547A PC405B

• Provide OTDT and Low Tavg (P12) Feedwater isolation signals to SSPS (TC442G, TC441C)

• Provide SG3 and SG4 High-High Level Trip/Interlock (P14) to SSPS (LC537A, 547A)

• Provide SG1 and SG2 Low-Low Level Trip and AFW Pump Start to SSPS (LC517B, 527B)

• Provide SG4 Low Steam Line Pressure to SSPS (SI and Steam Line isolation) (PC546A)

• Provide SG1 Steam Line Pressure to SSPS (High



to SSPS are set • SG3 and SG4 Level High-High signal to SSPS




(Negative Rate Steam Line isolation) is set • Reactor Coolant Hot leg Loop 4 WR Pressure

signal to RHR Suction Valve (V-8701) Open Alarm is set





available from PPS Set I, II, III • SG3 High-High Level signal to SSPS (turbine trip, feedwater

isolation, interlock P14) is available from PPS Set I, III • SG4 High-High Level signal to SSPS (turbine trip, feedwater

isolation, interlock P14) is available from PPS Set II, III • SG1 Level Low-Low signal to SSPS (Rx trip, AFW pump start)

is available from PPS Set II, III • SG2 Level Low-Low signal to SSPS (Rx trip, AFW pump start)

is available from PPS Set I, III • SG4 Low Steam Pressure signal to SSPS (SI and Steam Line

isolation) is available from PPS Set I, II • SG1 High Negative Rate Steam Line Pressure are available

for Steam Line isolation (SSPS) from PPS Set I, II • RHR Suction Valve Open Alarm does not actuate due to

requiring the valve (V-8701) position switch open contact to be made up

FRS 3.2.5, 3.2.10, 3.2.11


Sheet 13 of 37



Negative Rate Steam Line isolation) (PC516C)

• Provide Reactor Coolant Hot Leg loop 4 WR Pressure High signal to RHR Suction Valve Open Alarm (PC405B)

53)

TC441D TC441H PC516B PC546B LY-517H UY-PS4A_TRICON UY-PS4B_TRICON UY-PS4C_TRICON TY-441_TRICON OOS_IV_TRICON

• Provide OTDT (C3) and OPDT (C4) Interlock signals to RNARA (TC441D, 441H)

• Provide SG1 and SG4 Low Steam Line Pressure signal to MAS (PC516B, 546B)



• Provide Miscellaneous Tricon MAS Alarms (Section 4.5.2.1)



TTD Timer Actuated Alarms are unavailable (ETT)

• OTDT (C3) Interlock (RNARA) to SSPS is set • OPDT (C4) Interlock (RNARA) to SSPS is set • SG1 and SG4 Steam Pressure Low signals are set

• PPS Failure Alarm is activated • PPS Trouble Alarm is activated • SG1 and SG4 Steam Pressure

Low Alarms are activated • Partial trip signals sent to SSPS



• Reduced coincidence for SSPS actuation • OTDT interlock C3 is available PPS Set I, II, III • OPDT interlock C4 is available PPS Set I, II, III

FRS 3.2.1.5, 3.2.5, 3.2.12

54)

PS2S_FAIL_18 PS3S_FAIL_18 PS6S_FAIL_18 PS7S_FAIL_18 24DI_PWR_18 LP4_DTTA_OOS LP4_TTD_OOS L547_OOS T454_OOS P405_OOS P405A_OOS P516_OOS P546_OOS L517_OOS L527_OOS L537_OOS









status for board



IRS 2.9.6.6 IRS 2.8.1.1

55)

TS/441C, TS/441G TS/442D, TS/442G PC/405A, LS/547A PC/405B, PC/405D PS/516A, PS/516C PS/546A, PS/546C






• If a Trip condition was presently in for an ETT function, then a PPS Failure



Sheet 14 of 37



LS/517A, LS/517B LS/527A, LS/527B LS/537A, LS/537B LS/547B

Alarm is activated due to a Failure-to-Trip-on-demand condition indicated


56)

PS2N_FAIL_18 PS3N_FAIL_18 PS5N_FAIL_18 PS6N_FAIL_18 TS441D_Trip TS441H_Trip







status for board • No protection function impact

FRS 2.2.3, IRS2.9.6.6

57)


Provide SG1 Steam Line Pressure indication In the Main Control Room (MCR)

Open Circuit




signal to SSPS (Steam Line isolation) is set • SG1 Low Steam Line Pressure signal to MAS is set



Alarm is activated • MCR indicator (PI-516) fails low• PT-516 OOR indication (MWS) • Partial trip signals sent to SSPS



from PPS Set I & II • SG1 Steam Pressure signal to DFWCS is available from PPS

Set I & II • SG1 Low Steam Line Pressure signal to SSPS (SI and Steam

Line isolation) is available from PPS Set I & II • SG1 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set I & II

FRS 3.2.10


maintained intact

59)

PM-516_1 (Section 4.5.1)












from PPS Set I, II • SG1 Steam Pressure signal to DFWCS is available from PPS

Set I, II • SG1 Low Steam Line Pressure signal to SSPS (SI and Steam

Line isolation) is available from PPS Set I,II • SG1 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set I,II

FRS 3.2.10



• SG1 Steam Pressure signal to DFWCS is available from PPS Set I, II


Sheet 15 of 37






• SG1 Steam Pressure signal to DFWCS is available from PPS Set I, II


63)


Provide SG4 Steam Line Pressure indication In the Hot Shutdown panel (HSP)

Open Circuit










from PPS Set I, II • SG4 Steam Pressure signal to DFWCS is available from PPS

Set I, II • SG4 Low Steam Line Pressure signal to SSPS (SI and Steam

Line isolation) is available from PPS Set I, II • SG4 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set I, II

FRS 3.2.10


maintained intact

65)

PM-546_1 (Section 4.5.1)








activated • MAS SG4 Steam Line Low

Pressure Alarm is activated • MCR indicator (PI-546) fails low• PT-546 OOR indication (MWS) • Partial trip signals sent to SSPS



from PPS Set I & II • SG4 Steam Pressure signal to DFWCS is available from PPS

Set I & II • SG4 Low Steam Line Pressure signal to SSPS (SI and Steam

Line isolation) is available from PPS Set I & II • SG4 Steam Line Pressure High Negative Rate signal to SSPS

(Steam Line isolation) is available from PPS Set I & II

FRS 3.2.10



• SG4 Steam Pressure signal to DFWCS is available from PPS Set I & II


Sheet 16 of 37






• SG4 Steam Pressure signal to DFWCS is available from PPS Set I & II


69) PI-405A (Section 5.1.3)

Provide Reactor Coolant Hot Leg Loop 4 WR Pressure indication in the Main Control Room (MCR)

Open Circuit

• Reactor Coolant Hot Leg Loop 4 WR Pressure signal to MCR indicator fails low

• Reactor Coolant Hot Leg Loop 4 WR Pressure signal to ERFDS fails low




70) Short Circuit • Reactor Coolant Hot Leg Loop 4 WR Pressure signal to MCR indicator fails low



71)

PM-405A_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I Reactor Coolant Hot Leg loop 4 WR Pressure instruments and Class II MCR indicator and ERFDS






• Reactor Coolant Hot leg Loop 4 WR Low Pressure signal to RHR valve (8701) Interlock (RNSIB) is not available (ETT)

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to RHR Suction Valve (8701) Open Alarm is set


low • ERFDS indication fails low • PT-405A OOR indication

(MWS)


indicator is available from PPS Set III • Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS

is available from PPS Set III (PT-403, PT-403A) • Reactor Coolant Hot leg Loop 4 WR High Pressure signal to

PC-403DX, LTOPS (RNASA) is available from PPS Set III • Reactor Coolant Hot leg Loop 4 WR Pressure signal to RHR

Suction Valve Open (8701) Alarm is available from PPS Set III

• RHR valve (8701) does not open due to ETT fail safe (de-energized), RHR Suction Valve Open Alarm does not actuate due to requiring the valve (8701) position switch open contact to be made up as well as the high pressure

FRS 3.2.4

72) Short Circuit (Input) • Reactor Coolant Hot Leg loop 4WR Pressure signal MCR indicator fails low

• Reactor Coolant Hot Leg loop 4WR Pressure signal to ERFDS fails low




• Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR indicator is available from PPS Set III

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS is available from PPS Set III (PT-403, PT-403A)



• Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR indicator is available from PPS Set III.


Sheet 17 of 37




• Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS is available from PPS Set III (PT-403, PT-403A)

75)


Reactor Coolant Hot Leg loop 3 WR Pressure MCR indicator

Open Circuit






• PPS Trouble Alarm is activated • MCR indicator (PI-405) fails low• ERFDS indication fails low • PT-405 OOR indication (MWS)

• No protection function impact • Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR

indicator is available from PPS Set III & IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS

is available from PPS Set III (PT-403, PT-403A), IV (PT-405A) • Reactor Coolant Hot leg Loop 4 WR Pressure signal to RVLIS

is available from PPS Set III • Reactor Coolant Hot leg Loop 4 WR Pressure signal to PPC is

available from PPS Set III (Class II)

FRS 3.2.4

76) Short Circuit • Reactor Coolant Hot leg Loop 3 WR Pressure signal to MCR indicator fails low • MCR indicator (PI-405) fails low • No protection function impact, input current loop is

maintained intact

77)

WRP-R (Section 5.1.3)

Resistor - Provides Reactor Coolant Hot Leg loop 3 WR Pressure signal to RVLIS

Open Circuit




• Reactor Coolant Hot leg Loop 3 WR Pressure signal to RVLIS fails high

• Reactor Coolant Hot leg Loop 3 WR Pressure signal to PPC is set (Class II)

• PPS Trouble Alarm is activated • RVLIS Trouble Alarm is

activated • MCR indicator (PI-405) fails low• PT-405 OOR indication (MWS)

• No impact to protection function • Reactor Coolant Hot leg Loop 3 WR Pressure signal to MCR

indicator is not available from set IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR

indicator is available from PPS Set III, IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS

is available from PPS Set IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS

is available from PPS Set III & IV • Reactor Coolant Hot leg Loop 3 WR Pressure signal to RVLIS

is not available from set IV • Reactor Coolant Hot leg Loop 4 WR Pressure signal to RVLIS

is available from PPS Set III • Reactor Coolant Hot leg Loop 4 WR Pressure signal to PPC is

available from PPS Set III (Class II)

78) Short Circuit • Reactor Coolant Hot Leg loop 3WR Pressure to RVLIS fails low

• RVLIS Trouble Alarm is activated


• Reactor Coolant Hot leg Loop 4 WR Pressure signal to RVLIS is available from PPS Set III


Sheet 18 of 37



79)

PM-474_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I PZR Pressure instruments and Class II MCR indicator and PZR Pressure Control


• PZR Pressure signal to MCR indicator fails low • PZR Pressure signal to PZR Pressure Control is set ALS System • PZR Pressure signal to ALS (both chassis) fails low• ALS 102 DOCH function sets comparators to fail

safe state (de-energized) • PZR Pressure Low-Low SI to SSPS is set • PZR Pressure High Rx Trip to SSPS is set • PZR Pressure Low Rx trip to SSPS is set • • PZR Pressure High to PC-474BX (PORV actuation)

is unavailable (ETT) Triconex System • PZR Pressure signal to Tricon fails low • OTDT Trip signal to SSPS is set • OTDT Interlock C3 is set • Overtemperature setpoint to MCR (T/411A, TI-

431C) is set

• PPS Failure Alarm is activated • PCS Trouble Alarm is activated • MCR indicator (PI-474) fails low• PT-474 Virtual Channels (5)

OOR indication for both ALS chassis (MWS – ALS)

• PT-474 OOR indication (MWS - Tricon)


• Reduced coincidence for SSPS actuation • PZR Pressure Signal to MCR indicator is available from PPS

Set I, II, III • Signal to PZR Pressure Control is available from Set I, II & III • OTDT Trip signal to SSPS is available from PPS Set I, II & III • OTDT Interlock C3 is available PPS Set I, II & III • Overtemperature setpoint to MCR (T/411A, TI-431C) is

available from PPS Set I, II & III • PZR Pressure Low-Low SI to SSPS is available from PPS Set I,

II & III • PZR Pressure High Rx Trip to SSPS is available from PPS Set I,

II & III • PZR Pressure Low Rx trip to SSPS is available from Set I, II &

III • PZR Pressure High to RNASA (PORV actuation) is available

from PPS Set I, II & IIII FRS 3.2.7


• PZR Pressure signal to MCR indicator fails low • PZR Pressure signal to PZR Pressure control fails

low

• PCS Trouble Alarm is activated • MCR indicator (PI-474) fails low


• PZR Pressure Signal to MCR indicator is available from PPS Set I, II & III

• Signal to PZR Pressure Control is available from Set I, II & III


82) Short circuit (Output)


Sheet 19 of 37



83)



Open Circuit






Alarm is activated • PCS (AFW) Trouble Alarm is




available from PPS Set II & III • SG1 Level Signal to ERFDS is available from PPS Set III • SG1 level Signal to AMSAC is available from Set I (SG3), Set II

(SG4) and Set III (SG2) • SG1 Level High-High signal to SSPS (Turbine Trip, FW



FRS 3.2.11



• SG1 Level Signal to MCR indicator is available from PPS Set II & III

85)

LD/517A (Section 5.1.3)

Resistor - Provides SG1 Level signal to ERFDS

Open Circuit

• SG1 Level signal to Tricon fails low • SG1 Level signal to MCR indicator fails low • SG1 Level signal to DFWCS fails low • SG1 Level signal to AFW (PCS) fails low • SG1 Level signal to ERFDS fails high • SG1 Level signal to AMSAC fails low • SG1 Level High-High signal to SSPS (Turbine Trip,

FW Isolation, Interlock P-14) is set • SG1 Level Low-Low signal to SSPS (Rx trip & AFW

pump start) is set







available from PPS Set II & III • SG1 Level Signal to ERFDS is available from PPS Set III • Signal to AMSAC is available from Set I (SG3), Set II (SG4)

and Set III (SG2) • SG1 Level High-High signal to SSPS (Turbine Trip, FW



FRS 3.2.11


maintained intact • SG1 Level Signal to ERFDS is available from PPS Set III

87) LM-517_1 (Section 4.5.1)



• SG1 Level signal to Tricon fails low • SG1 Level signal to MCR indicator fails low • SG1 Level signal to DFWCS fails low • SG1 Level signal to AFW (PCS) fails low • SG1 Level signal to ERFDS fails low • SG1 Level signal to AMSAC fails low





available from PPS Set II & III • SG1 Level Signal to ERFDS is available from PPS Set III • Signal to AMSAC is available from Set I (SG3), Set II (SG4)

and Set III (SG2)

FRS 3.2.11


Sheet 20 of 37




• SG1 Level Low-Low signal to SSPS ( Rx trip & AFW pump start) is set

activated• MCR indicator (LI-517) fails low • LT-517 OOR indication (MWS) • ERFDS indication fails low • Partial trip signals sent to SSPS


• SG1 Level High-High signal to SSPS (Turbine Trip, FW isolation. Interlock P-14) is available from PPS Set II & III

• SG1 Level Lo-Lo signal to SSPS (Rx trip & AFW pump start) from PPS Set II & III






• SG1 Level signal to DFWCS is available from PPS Set II & III • SG1 Level signal to AFW (PCS) is available from PPS Set II &

III



91)

LM-517_2 (Section 4.5.1)

Isolation device provides electrical isolation between Class I SG1 Level instruments and Class II DFWCS and AFW











available from PPS Set II & III • SG1 Level Signal to ERFDS is available from PPS Set III • signal to AMSAC is available from Set I (SG3), Set II (SG4)

and Set III (SG2) • SG1Level High-High signal to SSPS (Turbine Trip, FW



FRS 3.2.11

92) Short Circuit (Input) • SG1 Level signal to AMSAC fails low • AMSAC General Warning Alarm is activated


• Signal to AMSAC is available from Set I (SG3), Set II (SG4) and Set III (SG2)


Sheet 21 of 37





95)



Open circuit










isolation. Interlock P-14) is available from PPS Set I & III • SG2 Level Lo-Lo signal to SSPS (Rx trip & AFW pump start)

from PPS Set I & III

FRS 3.2.11



• SG2 Level Signal to MCR indicator is available from PPS Set I & III

97)



Open Circuit












FRS 3.2.11

98) Short Circuit • SG1 Level signal to ERFDS fails low • ERFDS indicator fails low • No impact to protection function, input current loop is



Sheet 22 of 37



99)

LM-527_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I SG2 Level instruments and Class II DFWCS and AFW










available from PPS Set I & III • SG2 Level Signal to ERFDS is available from PPS Set III • SG2Level High-High signal to SSPS (Turbine Trip, FW



FRS 3.2.11 100) Short Circuit (Input)





• SG2 Level signal to DFWCS is available from PPS Set I & III • SG2 Level signal to AFW (PCS) is available from PPS Set I &

III



103)



Open Circuit












FRS 3.2.11



• SG3 Level Signal to MCR indicator is available from PPS Set I & III


Sheet 23 of 37



105)



Open Circuit












FRS 3.2.11



107)

LM-537_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I SG3 Level instruments and Class II AFW and DFWCS







activated • MCR indicator (LI-537) fails low • LT-537 OOR indication (MWS) • ERFDS indicator fails low • Partial trip signals sent to SSPS


• Reduced coincidence for SSPS actuation • SG3 Level Signal to MCR indicator, DFWCS and AFW PCS) is




FRS 3.2.11 108) Short Circuit (Input)

• SG Level signal to DFWCS fails low • SG Level signal to AFW (PCS) fails low




• SG Level signal to DFWCS is available from PPS Set I, III • SG Level signal to AFW (PCS) is available from PPS Set I, III




Sheet 24 of 37



111)



Open Circuit


FW Isolation, Interlock P-14) is set • SG4 Level Low-Low signal to SSPS (Rx trip & AFW

pump start) is set



activated • MCR indicator (LI-547) fails low • LT-547 OOR indication (MWS) • ERFDS indicator fails low • Partial trip signals sent to SSPS






FRS 3.2.11



• SG4 Level Signal to MCR indicator is available from PPS Set II & III

113)



Open Circuit












FRS 3.2.11



115) LM-547_1 (Section 4.5.1)

Isolation device provides electrical isolation between Class I SG4 Level instruments and Class II AFW (PCS) and DFWCS













FRS 3.2.11


Sheet 25 of 37








• SG4 Level signal to DFWCS is available from PPS Set II, III • SG4 Level signal to AFW (PCS) is available from PPS Set II, III



119)



Open Circuit


(PI-935) fails low • Containment Pressure High signal to SSPS (SI,



• PPS Failure Alarm is activated • MCR indicator (PI-934) fails low• PT-934 Virtual Channels (2)

OOR indication for both ALS-chassis (MWS)



Set I, II, III • Containment Pressure High signal to SSPS (SI, Phase A

isolation) is available from PPS Set II, III • High-High Containment Pressure signal to SSPS (Phase B

isolation containment Spray, Steam Line Isolation) is available from PPS Set I, II, III

FRS 3.2.13



• MCR Containment Pressure indicator is available from PPS Set I, II, III

121)

PC-474A_Byp_A PC-474A_Byp_B PC-474C_Byp_A PC-474C_Byp_B PC-474D_Byp_A PC-474D_Byp_B PC-934A_Byp_A PC-934A_Byp_B (Section 5.2.1.1)

PZR Pressure and Containment Pressure Manual Bypass switches (DTT)



open




• Channel output is not Bypassed, if ALS-processed a trip condition the output would de-energize


• If “failed Bypass” chassis processes a trip signal due to a maintenance condition (ex: lifted leads), PPS Trouble alarm would be activated by the other chassis due to a Trip-without-Demand indication


function (trip signal) • Bypass Switch wiring and use should be revised or testing


FRS 2.2.3, 3.2.1


Sheet 26 of 37



122)











123)

Switch A or B in Bypass • Status contact closes • K4W Alarm Contact fails














124)

Change switch A or B from Bypass to Normal • Status contact opens • K4W Alarm Contact


closed

• Bypass Switch status ALS-302 LED turns OFF • ALS PPS Bypass alarm for affected chassis clears • K4W Relay would de-energize only if the other








125)

Change switch A or B from Bypass to Normal • Status contact opens • K4W Alarm Contact fails






• If the K4W Relay was energized due to other associated Bypass Switch was also set to Bypass and no other pairs were set,



• Alarm contact power is 48 VDC, independent of the 120 VAC used by the Bypass contact and the 48 VDC used for


Sheet 27 of 37



then the MAS alarm would not clear


Status Feedback • The switches are qualified as class IE devices. Single failure

of the manual Bypass Switch 3-4 contacts does not create condition that disables PPS safety function


126)











127)

PC-474B_Byp_A PC-474B_Byp_B PC-934B_Byp_A PC-934B_Byp_B (Section 5.2.1.1)

PZR Pressure, Containment Pressure manual Bypass switches A / B (ETT)



closed












FRS 2.2.3, 3.2.1


Sheet 28 of 37



128)







• PPS Bypass Alarm for affected chassis is not activated



129)

Switch A or B in Bypass • Status contact closes • K4W Alarm Contact fails














130)

Change Switch A or B from Bypass to normal • Status contact opens • K4W Alarm Contact


open









131)













Sheet 29 of 37



132)

Change Switch A or B from Bypass to normal • Status contact opens • K4W Alarm Contact fails













133)

PS/474A PS/474C PS/474D PS/934A (Section 5.2.2)


NORMAL




• No PPS Trouble alarm from either chassis due to a Trip-without-Demand condition (normal operating conditions)



FRS 2.2.2



• ALS-PPS Trouble alarm stays on due to a Trip-without-Demand condition (normal operating conditions)


135)

TS/441C TS/441G TS/442D TS/442G PS/516A PS/516C PS/546A PS/546C LS/517A LS/517B LS/527A LS/527B


NORMAL




• No Tricon PPS Trouble alarm • No impact to protection function • The switches are qualified as class IE devices. Single failure

of the manual trip switch contacts does not create condition that impact safety function of the plant protection system.

FRS 2.2.2






Sheet 30 of 37



LS/537A LS/537B LS/547A LS-547B (Section 5.2.2)

137)

TS/441D TS/441H (Section 5.2.2)

Tricon Class II (Non-Safety) Manual Trip Switches

NORMAL




• No Tricon PPS Trouble alarm • No impact to protection function FRS 2.2.2





139)

LP4_DTTA_OOS LP4_TTD_OOS L547_OOS T454_OOS P405_OOS P405A_OOS P516_OOS P546_OOS L517_OOS L527_OOS L537_OOS (Section 5.2.3)





closed




• MWS does not indicate the affected channel is OOS, would not allow the channel to be placed in a maintenance condition


the contact being made up • No impact to protection function • K4T Relay provides an independent MAS alarm that does





FRS 3.2.1.5.5, 3.2.1.3.7

140)

Switch is in OOS position • OOS contact closed • K4T Alarm contact fails

open





141) Switch is in normal position • OOS contact fails closed • K4T Alarm contact open








not have any interaction with the safety-related functions.

142)

Switch is in normal position • OOS contact open • K4T Alarm contact fails

closed

• Affected PPS channel is in normal condition • K4T Relay would not de-energize if no other OOS

Switches are set


• Undetectable if any other OOS


Sheet 31 of 37



switch is set It provides an indication that at least one OOS Switch is set, but impossible to determine which without physically inspecting




143)

K4W (Section 5.2.1.1.3)

ALS manual Bypass isolation relay

Relay coil open








FRS 3.2.1.5.2


145) Output contact open • K4W relay fails to actuate MAS alarm


• MAS Alarm set when no pair of Bypass Switches are set



147)


Tricon OOS alarm isolation relay

Relay coil open


• Undetectable unless at least

one OOS Switch is set • If coil is shorted and at least

one OOS Switch is set, fuse FU3 would blow and isolate power supply PS3S from failed component




IRS 2.8.4.1.1



Sheet 32 of 37









151) PS3, PS6 (Section 4.2.4)

Provide 48 VDC power to ALS chassis A and B Loss of one power supply • Loss of single redundant power supply • PPS Failure Alarm is activated

• No impact to protection function • The ALS chassis (A &B) continue to operate through


FRS 3.2.1.5.2

152) PS2, PS5 (Section 4.2.4)

Provide 48 VDC power to ALS Digital input (DI) module ALS-302 and ALS-102 (Core Logic board)


status relay is lost • PPS Failure Alarm is activated



FRS 3.2.1.5.2

153) PS1, PS4 (Section 4.2.4)

Provide 24 VDC power to analog loop (ALS) Loss of one power supply • Loss of single redundant power supply • PPS Failure Alarm is activated

• No impact to protection function • The analog loop PT-934 continue to operate through


FRS 3.2.1.5.2


Provide 48 VDC power to Tricon termination module 9792-610 (AI)


• No impact to protection function • The analog input termination module continue to operate


FRS 3.2.1.5.2


Provide 24 VDC power to Tricon termination module 9563-810 (DI)



• PPS Trouble alarm is activated • If K4T was energized, MAS

alarm would clear

• No impact to protection function • The digital input termination module continue to operate


FRS 3.2.1.5.2




• No impact to protection function • The analog output termination module continue to operate


FRS 3.2.1.5.2


Provide 24 VDC power to isolation devices Loss of one power supply • Loss of single redundant power supply • PPS Trouble alarm is activated

• No impact to protection function • The isolation devices continues to operate through


FRS 3.2.1.5.2


Sheet 33 of 37



158) PLF1 (Rack 15) (ALS) Power Line Filter and Voltage Regulator for 120 VAC supply to Rack 15 (ALS) components


• Loss of Vital AC to Rack 15 (ALS), loss of all Protection Set IV ALS functions

• All DTT channels de-energize, both chassis • Containment Pressure signal to MCR indicator


• PPS Failure Alarm is activated by ALS (both chassis)

• PPS Trouble Alarm is activated by ALS (both chassis)



• Tricon Chassis in Rack 14 (TRICON) and Rack 16 (TRICON) unaffected as they are not supplied by this component

IRS 2.4.3




IRS 2.4.3





IRS 2.4.3



ALS Protection Set IV • Loss of all Protection Set IV ALS functions




IRS 2.4.3

162) CB1 (Rack 14) CB2 (Rack 14)




163) CB3 (Rack 14)











IRS 2.4.3


Breaker fails open • Loss of PS2N-PS3N redundant power supplies • PS1N and PS4N are spares, no effect • PPS Trouble Alarm is activated • No impact to protection functions



Sheet 34 of 37




Breaker fails open • Loss of PS5N-7N redundant power supplies • PS7N is a spare, no effect • PPS Trouble Alarm is activated • No impact to protection functions

• Redundant PS2SN-PS3N power supplies provide power IRS 2.4.3


Breaker fails open






Computer for ALS Chassis A and B (TxB1) • Indications and status are available via the Gateway

Computer for Triconex components • ALS Manual Trip and Bypass Switches are not affected • Triconex Manual Trip, OOS and Bypass Switches are not

affected

IRS 2.4.3


Breaker fails open







components powered from CB8 • Tricon status information to the Gateway Computer


IRS 2.4.3


Breaker fails open








IRS 2.4.3


Breaker fails open

• Loss of Serial Device Servers • Remote indications are unavailable for ALS

Chassis A (TxB1) via Gateway Computer • Remote indications are unavailable for ALS

Chassis B (TxB1) via Gateway Computer



• No impact to protection functions • Indications and status are available via the MWS for ALS

Chassis A (TxB2) • Indications and status are available via the MWS for ALS

Chassis B (TxB2)


Sheet 35 of 37



170) PLF1 (Rack 16) Power Line Filter and Voltage Regulator for 120 VAC supply to Rack 16 (Safety) CB1-10


• Loss of Vital AC to Rack 14 (Non-Safety) and Rack 16 (Safety) , loss of all Protection Set 1 Tricon functions

• All DTT channels de-energizes • Analog Outputs (MCR) fail low • PZR Pressure Loop Power Supply loss, loss of



• PPS Trouble alarm (Tricon) is activated




• ALS RCS Flow and Containment Pressure unaffected as they are supplied Loop Power from Rack 15 Vital Power

IRS 2.4.3

171) CB1 (Rack 16) CB2 (Rack 16)




IRS 2.4.3

172) CB3 (Rack 16) CB4 (Rack 16)




IRS 2.4.3





IRS 2.4.3

174) CB6 (Rack 16)





IRS 2.4.3






IRS 2.4.3






IRS 2.4.3


Sheet 36 of 37




Breaker fails open • Loss of PS2S-PS3S redundant power supplies • PS1S and PS4S are spares, no effect • PPS Trouble Alarm is activated • No impact to protection functions



Breaker fails open • Loss of PS6S-7S redundant power supplies • PS5S is a spare, no effect • PPS Trouble Alarm is activated • No impact to protection functions










affected

IRS 2.3.7

180) ALS MWS PC Provides local status indication and maintenance functions for ALS channels (both chassis)

PC fails







IRS 2.3.7

181)

ALS MWS Serial Card Chassis A ALS TxB2 Serial Components Chassis A

Provides serial connection for ALS Chassis A status indication and maintenance functions to the MWS







Computer for ALS chassis A via TxB1 communications • ALS Chassis B indications, status and maintenance functions


IRS 2.3.4

182)









Computer for ALS chassis A via TxB1 communications • ALS Chassis A indications, status and maintenance functions


IRS 2.3.4


Provides serial wiring and cable connections for ALS Chassis A to the PPC






IRS 2.3.4


Sheet 37 of 37




Provides serial wiring and cable connections for ALS Chassis B to the PPC






IRS 2.3.4

185) Tricon MWS PC Provides local status indication and maintenance functions for Triconex channels

PC fails







from a separate PC

IRS 2.3.7




• Loss of single source of output data to the Gateway Computer







IRS 2.3.1, 2.3.2, 2.3.3


• Provides uni-directional data to the Gateway Computer


Aggregator fails


• Loss of single source of output data to the Gateway Computer







IRS 2.3.1, 2.3.2, 2.3.3








these switches

IRS 2.3.1, 2.3.2, 2.3.3







Server • All data available on individual Protection Set MWS via TxB2

data streams

IRS 2.3.4


PROCESS PROTECTION SYSTEM (PPS) REPLACEMENT Failure Modes and Effects Analysis (FMEA), Remote Panels Fire Impact, Attachment 5

Line # Component ID Function Failure Mode System Effect Method of Detection Impact/Conclusion

1)

VB1 (ERFDS indications)

Provides: • WR Thot Loop1-4 signals to

ERFDS (Sets I – IV) • WR Tcold Loop1-4 to signals

ERFDS (Sets I – IV)

Loop 1-4 WR Thot and Tcold voltage inputs to ERFDS fail open (Sets I-IV)

• Loop 1-4 WR Thot and Tcold inputs to ERFDS fail low

• Loop 1-4 WR Thot and Tcold ERFDS indications fail low (Sets I-IV)

• No protective function impact. • Loop 1-4 WR Thot and Tcold ERFDS indication fails low (Sets I-IV) • Loop 1-4 WR Thot and Tcold MCR Recorder (TR-413, 4233, 433, 443 )

indication on VB2 is available from Sets I-IV • Loop 1-4 WR Thot RVLIS indication (PAM4) is available from Sets I-IV • Loop 1-4 WR Thot and Tcold indication is available locally on MWS and

PPC (via Gateway Computer) from Sets I-IV

2)

Provides: • Containment Pressure indicators

PI-934-937

Input loop to indicators fails open circuit (Transmitter output)

• All Containment Pressure transmitter signals to ALS fail low

• Containment Pressure signal to MCR indicators (PI-934-937) fail low

• All Containment Pressure High signals to SSPS (SI, Phase A isolation) are set (PPS Set II, III, IV)

• All Containment Pressure High-High signal to SSPS (Containment Pressure-Phase B ISLN containment Spray, Steamline Isolation) are not available (ETT)

• Containment Pressure signal to ERFDS fails low (PPS Set II, III)

• MCR indicator (PI-934-937) fails low • PT-934-936 Virtual Channels (2) OOR

indication for both ALS chassis (MWS) • PT-937 Virtual Channels (1) OOR

indication for both ALS chassis (MWS) • All Containment Pressure ERFDS

indications fail low • Partial trip signals sent to SSPS for

Containment Pressures with partial trip status lights illuminated in MCR.

• SSPS coincidence is met for Containment Pressure SI and Phase A isolation

• Containment Pressure Sets I-IV PPC indication (via Gateway computer) OOR

• All MCR Containment Pressure indications are unavailable • Containment Pressure High signals to SSPS set from PPS Set II, III and

IV. • Containment Pressure High-High signals to SSPS are not available from

PPS Set I, II, III and IV.

• Detailed design should address means to prevent actuation (SI, Phase A isolation) and loss of protective function (Containment Pressure-Phase B ISLN containment Spray, Steamline Isolation) for Containment Pressure channels. See Section 4.1.5 for discussion.

3) Provides:

• Containment Pressure PT-935, PT-936 signal to ERFDS

Input loop to ERFDS fails open circuit

• Containment Pressure transmitter signals to ALS fail low (PPS Set II, III)

• Containment Pressure signal to ERFDS fails low (PPS Set II, III)

• Containment Pressure signals to MCR indicators (PI-935-936) fail low

• Containment Pressure High signals to SSPS (SI, Phase A isolation) are set (PPS Set II, III)

• All Containment Pressure High-High signal to SSPS (Containment Pressure-Phase B ISLN containment Spray, Steamline Isolation) is not available (ETT)(PPS Set II, III)

• MCR indicator (PI-935-936) fails low • PT-935-936 Virtual Channels (2) OOR

indication for both ALS chassis (MWS) • All Containment Pressure ERFDS

indications fail low (PPS Set II, III) • Partial trip signals sent to SSPS for

Containment Pressures with partial trip status lights illuminated in MCR (PPS Set II, III).

• SSPS coincidence is met for Containment Pressure SI and Phase A isolation (PPS Set II,III)

• Containment Pressure Sets II-III PPC indication (via Gateway computer) OOR

• Containment Pressure indications are not available from PPS Set II and III

• Containment Pressure indications are available from PPS Set I and IV • Containment Pressure High signals to SSPS are not available from PPS

Set II and III. • Containment Pressure high signal is available from SET IV • Containment Pressure High-High signals to SSPS are not available from

PPS Set II and III. • Containment Pressure High-High signals to SSPS are available from

PPS Set I and IV. Detailed design should address means to prevent actuation (SI, Phase A isolation) and loss of protective function (Containment Pressure-Phase B ISLN containment Spray, Steamline Isolation) for Containment Pressure channels from PPS Set II and III. See Section 4.1.5 for discussion.




4) Provides:

• Steam Generator Level signals (LT-518-548 PPS Set III) to ERFDS

Input loop to VB1 indicators (ERFDS) fails open circuit (Transmitter output)

• SG1-SG4 Level transmitter signals to Tricon fail low

• SG1-SG4 Level signals to MCR indicator fail low

• SG1-SG4 Level signals to DFWCS fail low • SG1-SG4 Level signals to AFW (PCS) fail

low • SG1-SG4 Level signals to ERFDS fail low • SG1-SG4 Level High-High signals to SSPS

(Turbine Trip, FW Isolation, P14 Interlock) are set

• SG1-SG4 Level Low-Low signals to SSPS (Rx trip and AFW pump start) are set

• DFWCS Trouble alarm is activated • PCS (AFW) Trouble Alarm is activated • MCR indicators (LI-518-LI-548) fail low • LT-518 – LT-548 OOR indication (MWS

– Tricon) • Partial trip signals sent to SSPS for SG

Levels with partial trip status lights illuminated in MCR

• ERFDS indications (LT-518 – LT-548) fail low

• SG Level Set III PPC indication (via Gateway computer) OOR

• Reduced SSPS coincidence for SG Level protection functions • SG1-SG4 Level protection signals are available from PPS Set I, II, IV

Detailed design should address means to prevent actuation (SI, Phase A isolation) and loss of protective function (Containment Pressure-Phase B ISLN containment Spray, Steamline Isolation) for Containment Pressure channels.

See Section 4.1.5 for discussion.

5) Provides:

• Pressurizer Level signals (LT-459, 460, 461)(Set I, II, III) to ERFDS

Isolated ERFDS input loop fails open circuit

• Pressurizer level signal from PPS Set I, II, III to pressurizer level control Set I, II (LC-460C, LC-459C) fails low

• ERFDS loop is isolated from pressurizer level signal to the MCR, HSP indicators and Tricon

• ERFDS indications fail low (Set I, II, III) • PCS trouble alarm activated

• No Protective function impact • PZR level MCR and HSP indicators are available from Sets I, II, and III

and locally from Tricon MWS and PPC (via Gateway computer) • Detailed design should address means to prevent loss of signals to

both control sets I and II. See Section 4.1.5 for discussion.

6) • Steam Flow signals (FT-512, 522,

Set I) (FI-513, 523, Set II) to ERFDS

Tricon analog output loop to ERFDS input fails open circuit (SG 1 and 2)

• SG 1 and 2 Steam Flow signals to ERFDS and MCR indications fail low

• Isolated signal to DFWCS is on Tricon input loop; DFWCS is unaffected.

• SG 1 and 2 ERFDS indicators for Steam Flow fail low

• SG1 and 2 MCR indicators for Steam Flow fail low

• No protective function impact • SG 1 and 2 Steam Flow indications are available locally from MWS or

from PPC (via Gateway Computer)

7) Provides:

• WR Pressure Loop 4 (PT-403) signal to ERFDS (Set III)

WR Pressure voltage input to ERFDS fails open (Set III)

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to ERFDS (VB1) fails low

• Loop 4 ERFDS WR Pressure indication fails low (Set III)

• No protective function impact • Loop 4 WR Pressure (PT-403) ERFDS indication fails low (Set III) • Loop 4 WR Pressure (PT-403) MCR Recorder indication is available

from on VB2 from Set III • Loop 4 WR Pressure (PT-403) RVLIS indication is available on VB4 (Set

III) • Loop 4 WR Pressure (PT-403) is available locally from Tricon MWS and

PPC (via Gateway Computer) • Loop 4 WR Pressure (PT-403A )ERFDS indication is available on VB4

(Set III)




8)

Provides: • Steamline Pressure signal to

ERFDS Set II (PT-525, 535, 545)

Input loop to ERFDS fails open circuit (SG 2-4)

• SG (2-4) Steamline Pressure transmitter (PT-525, 535, 545) signals to Tricon fail low (Set II)

• SG (2-4) Steamline Pressure signals to MCR indicator fail low (Set II)

• SG (2-4) Steamline Pressure signals to ERFDS fail low (Set II)

• SG (2-4) Steamline Pressure signals to DFWCS fail low (Set II)

• SG (2-4) Low Steamline Pressure signals to SSPS (SI and Steamline isolation) are set

• SG (2-4) Steamline Pressure High Negative Rate Steamline Isolation signals to SSPS are set

• PPS Failure Alarm is activated • DFWCS Trouble Alarm is activated • SG (2-4) Pressure MCR indicators fail

low • SG (2-4) Pressure ERFDS indications fail

low (Set I, II) • SG (2-4) Pressure transmitters OOR

indication (MWS) • SG Low Steamline Pressure and

Steamline Pressure High Negative Rate partial trip signals sent to SSPS with partial trip status lights illuminated in MCR

• Set II Steamline Pressure Loop 2, 3, 4 indications from MWS and PPC (via Gateway computer) OOR

• Steam Generator (2-4) Pressure Indications are unavailable due to loss of all transmitters

• Detailed design should address means to prevent: • A loss of all indication in MCR and ERFDS due to the same

failure. • SSPS partial trip signals from being generated by loss of VB1

ERFDS indications.


9)

VB2 (MCR indications) Provides:

• Reactor Coolant System Flow Indications (all loops)

Input loop to VB2 indicators from ALS A (Loop 1 & 2) and ALS B (Loop 3 & 4) Analog Outputs fails open circuit)

ALS System • Unaffected • All RCS Flow indications to VB2 fail low

• MCR indicators fail low Set I (FI-414,424,434,444) Set II (FI-415,425,435,445) Set III (FI-416,426,436,446)

• No protection function impact • Indications are available locally from MWS or PPC (via Gateway

Computer)

10)

Provides:

• WR Thot Lp1-4 to Temperature Recorders

• WR Tcold Lp1-4 to Temperature Recorders

Tricon Analog Output loops to TR-413, 423 (Set I), 433, 443 (Set II) Recorders (all loops) fail open circuit

ALS System • Unaffected – Triconex System provides

all Analog Outputs Triconex System • Unaffected – Analog Outputs become

open circuit • All Reactor Coolant WR Hot leg and Cold

leg Temp signals to MCR Recorders and ERFDS fail low

• Reactor Coolant WR Hot leg temp signal to RVLIS fails low (from TE-413A, TE-423A, TE-433A and TE-443A)

• PPS Trouble Alarm is activated. • Loop 1-4 ERFDS WR Thot and Tcold

indications fail low • RVLIS Trouble Alarm activated • MCR Recorders (TR-413-443) all fail low

• No protective function impact • WR Temperatures are available from ALS MWS, Triconex MWS and

PPC (via the Gateway computer) • WR Temperature inputs to LTOP are unaffected




11) Provides:

• PZR Pressure Indications (PI-455A, 456, 457, 474

Input loop to VB2 indicators fails open circuit (Class IA/II isolation device output)

ALS System• Unaffected – isolation device prevents

loss of signal to ALS Triconex System • Unaffected – isolation device prevents

loss of signal to Triconex • All PZR Pressure signals to MCR

indicators fail low (via isolator); • PZR Pressure signal to HSP indicator fails

low (PI-455B from PPS Set I only) • All PZR Pressure signals to PZR Pressure

Control (PCS – Set I) fails low (loss of control) via same isolator as MCR indicator;

• PCS Trouble Alarm is activated • All MCR indicators (PI-455A, PI-456, PI-

457, PI-474) fail low • HSP indicator (PI-455B) fails low

• No protection function impact • Class IA/II isolation devices (PM455_1, PM456_1, PM457_1,

PM474_1) isolate the transmitter input loop from the VB2 indications, therefore, ALS and Triconex protection functions are unaffected as the input loop is maintained intact

• Indications are available locally from MWS or PPC (via Gateway Computer) for ALS (both chassis) and Triconex

• Detailed design should address means to prevent • A loss of indication in both the MCR and HSP due to the same

failure • A loss of all signals for pressurizer Pressure Control to PCS


12)

Provides: • Tavg indications (TI-412, 422,

432, 442)(all loops) • OTDT indications (TI-411C, 421C,

431C, 441C)(all loops) • OPDT indications (TI-411B, 421B,

431B, 441B)(all loops) • Delta-T indications (TI-411A,

421A, 431A, 441A)(all loops)

Input loops to VB2 indicators (all loops) from Triconex Analog Output fail open circuit

ALS System• Unaffected – Triconex System provides

all Analog Outputs Triconex System • Unaffected – Analog Outputs become

open circuit • All Reactor Coolant DTTA signals to MCR

indicators fail low • Tavg signals to PCS for Tavg Deviation

Alarm fail low (all loops) • Delta-T Auctioneering signal to PCS fails

low (all loops)

• PPS Trouble Alarm is activated • PCS Trouble Alarm is activated • All DTTA MCR indicators fail low

• No protection function impact • Indications are available locally from MWS or PPC (via Gateway

Computer)

13) Provides:

• PZR Level indications (PI-459A, 460A, 461)

Input loop to VB2 indicators fails open circuit (Transmitter outputs)

• All PZR Level transmitter signals to Tricon fail low

• All PZR Level Signals to MCR indicators fail low

• All PZR Level Signals to HSP indicators fail low (PPS Set I and II)

• All PZR Level signals to PZR Level control (PCS – Set I and II) fail low

• All PZR Level signals to ERFDS fail low • All PZR Level High Rx trip to SSPS are

disabled

• PPS Failure Alarm is activated by Tricon • LT-459, LT-460, and LT-461 OOR

indication (MWS) • PCS Trouble Alarm is activated • All MCR indicators (LI-459A, LI-460A, LI-

461) fail low • All HSP indicators (LI-459B, LI-460B) fail

low • All ERFDS indications fail low • PZR Pressure PPC indications from

MWS and PPC (via Gateway computer) OOR

• All Transmitters are lost, therefore, all indications are not available from MWS or PPC (via Gateway Computer)

• Protective Functions are disabled • Detailed design should address means to prevent:

• Loss of pressurizer high level protection function due to open indication circuits

• A loss of all signals for Pressurizer Level Control to PCS • A loss of all indication in both the MCR and HSP due to the same

failure.





14)

Provides: • WR Pressure Lp4 (PT-403)

indication • WR Pressure Lp4 (PT-403A)

indication • WR Pressure Lp3 (PT-405)

indication • WR Pressure Lp4 (PT-405A)

indication

Input loop to VB2 indicators (PR-403, PI-403A, PI-405, PI-405A) fails open circuit (Transmitter outputs)

• Reactor Coolant Hot leg Loop 3 (PT-405) WR Pressure transmitter signal to Tricon fails low

• Reactor Coolant Hot leg Loop 4 (PT-403) WR Pressure signal to Tricon fails low

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR recorder (PR-403) fails low

• All (2) Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR indicators (PI-403A, PI-405A) fail low

• Reactor Coolant Hot leg Loop 3 WR Pressure signals to ERFDS fail low (PT-405)

• All (3) Reactor Coolant Hot leg Loop 4 WR Pressure signals to ERFDS fail low (PT-403, PT-403A, PT-405A)

• Reactor Coolant Hot leg Loop 3 WR Pressure signal to RVLIS fails low (PT-405)

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to RVLIS fails low (PT-403); unaffected by VB2 fire in existing system

• PPS Trouble Alarm is activated • RVLIS Trouble Alarm is activated • PT-403, PT-405 OOR indications (MWS) • MCR indicators (PR-403, PI-403A, PI-

405, PI-405A) fail low • All ERFDS Hot Leg WR Pressure

indications fail low • All Hot Leg WR Pressure indications

from MWS and PPC (via Gateway computer) OOR

• No protective function impact • MCR/ERFDS indications are isolated from the PT-403A and PT-405A

input loop, which remains intact, no impact to LTOP, RHR Valve Interlocks or Alarms

• WR Pressures (PT-403A, PT-405A) are available locally from MWS or from PPC (via Gateway Computer).

15)

VB3 Provides: • Steam Flow Indications (all)

Set I (FI-512, 522, 532, 542) Set II (FI-513, 523, 533, 543)

Input loop to VB3 indicator (all loops) from Triconex Analog Output fails open circuit

• All SG Steam Flow signals to MCR and ERFDS indications fail low

• All MCR indicators for Steam Flow fail low

• All ERFDS indicators for Steam Flow fail low

• No protective function impact. • All Steam Flow indications are available locally from MWS or from PPC

(via Gateway Computer).




16)

Provides: • Steamline Pressure Indications

(all) Set I (PI-514A,524A, 534A, 544A) Set II (PI-515, 525, 535, 545) Set III (PI-526, 536) Set IV (PI-516, 546)

Input loop to VB3 indicators fails open circuit (Transmitter outputs)

• All Steamline Pressure transmitter signals to Tricon fail low

• All Steamline Pressure signals to MCR indicator fail low

• All Steamline Pressure signals to HSP indicators fail low (Set I)

• All Steamline Pressure signals to ERFDS fail low (Set I and II)

• All Steamline Pressure signals to DFWCS fail low

• All SG Low Steamline Pressure signals to SSPS (SI and Steamline isolation) are set

• All SG Steamline Pressure High Negative Rate Steamline Isolation signals to SSPS are set

• PPS Failure Alarm is activated • DFWCS Trouble Alarm is activated • All Steamline Pressure MCR indicators

fail low • All Steamline Pressure HSP indicators

fail low (Set I) • All Steamline Pressure ERFDS

indications fail low (Set I, II) • All Steamline Pressure transmitters

OOR indication (MWS) • SG Low Steamline Pressure and

Steamline Pressure High Negative Rate partial trip signals sent to SSPS with partial trip status lights illuminated in MCR

• SSPS coincidence is met for Low Steamline pressure SI/Steamline Isolation and Steamline Pressure High Negative Rate Steamline isolation

• All SG Steamline low pressure signal to MAS is activated (Set III, IV)

• All Steamline Pressure indications from MWS and PPC (via Gateway computer) OOR

• All Steamline Pressure Indications are unavailable due to loss of all transmitters

• Detailed design should address means to prevent: • A loss of all Steamline Pressure protection signals resulting in

SSPS coincidence being met for Steamline Pressure Low and Steamline Pressure Negative High Rate protective functions due to the same failure.

• A loss of all indication in MCR, HSP and ERFDS due to the same failure.

• A loss of low Steamline pressure annunciation in MCR (Set III and IV).


17)

Provides: • Steam Generator 2 and 3 Level

indications (Set I, LI-529, 539) • Steam Generator 1 and 4 Level

indications (Set II, LI-519, 549)

Input to VB3 indicator loops from Class IA/II isolation device output fail open circuit.

• Set I SG2 and SG3 Level signals to DFWCS fail low

• Set I SG2 and SG3 Level signals to AFW (PCS) fail low;

• Set I SG2 and SG3 Level signals to MCR fail low

• Set II SG1 and SG4 Level signals to DFWCS fail low

• Set II SG1 and SG4 Level signals to AFW (PCS) fail low

• Set II SG1 and SG4 Level signals to MCR fail low

• DFWCS Trouble Alarm is activated • PCS (AFW) Trouble Alarm is activated • MCR indicator (LI-529) fails low • AMSAC General Warning

• SG2 and SG3 Level indications (PPS Set I) are isolated from the transmitter input loop, protective functions are unaffected as the input loop from the transmitters remains intact

• SG1 and SG4 Level indicators (PPS Set II) are isolated from the transmitter input loop, protective functions are unaffected as the input loop from the transmitters remains intact

• SG3 Level (PPS Set I) is available to AMSAC due to separate isolation from the transmitter input loop

• SG4 Level (PPS Set II) is available to AMSAC due to separate isolation from the input loop

• All Set I and Set II SG Level inputs to PCS (AFW) fail low • All Set I and Set II SG Level inputs to DFWCS fail low




18)

Provides: • All Steam Generators Level

indications (PPS Set III and IV) Set III (LI-518, 528, 538, 548) Set IV (LI-517, 527, 537, 547)

Input loop to VB3 indicators fail open circuit (Transmitter outputs)

• All Set III and IV SG Level transmitter signals to Tricon fail low

• All Set III and IV SG Level signals to MCR indicators fail low;

• All Set III and IV SG Level signals to DFWCS fail low

• All Set III and Set IV SG Level signals to AFW (PCS) fail low

• All Set III and IV SG Level signals to ERFDS fail low;

• All SG Level High-High signals (PPS Set III and IV) to SSPS (Turbine Trip, FW Isolation, P14 Interlock) are disabled

• All SG Level Low-Low signals (PPS Set III and IV) to SSPS ( Rx trip and AFW pump start) are set

• PPS Failure Alarm is activated • DFWCS Trouble alarm is activated • PCS (AFW) Trouble Alarm is activated • All SG Level MCR indicators fail low • All SG Level OOR indication (MWS) • Partial trip signals sent to SSPS with


• SSPS coincidence is met for Low-Low SG Level

• All ERFDS indications fail low • AMSAC General Warning • Steam generator Level Set III and IV

indications from MWS and PPC (via Gateway computer) OOR

• Detailed design should address means to prevent: • Loss of SG Level High-High protective function (Sets III and IV) • Low-Low SG Level protection SSPS coincidence met in Sets III and IV • Loss of SG 1-4 Level inputs to PCS (AFW)AFW (Set III & IV) • Loss of SG 1-4 Level inputs to DFWCS (Set III & IV • Loss of SG 1-2 Level inputs to AMSAC (Set III & IV)


19) Provides:

• Turbine Impulse Pressure (505 Set I and 506 Set II)

Input loops to VB3 indicators from Triconex Analog Output fail open circuit

• Turbine Impulse Chamber Pressure signal to MCR indication fails low • MCR indicators (PI-505, PI-506) fail low

• Turbine Impulse Chamber Pressure channels indications are available locally from MWS or from PPC (via Gateway Computer) and from TR-412 via PT-505A, -506A, and -8)

• Turbine Impulse Chamber Pressure inputs to AMSAC are unaffected as they are isolated on the transmitter input loop and only the analog outputs are failed

20)

VB4

Provides: • Steam Generator Level signals to

ERFDS (LT-517-547 PPS Set IV)

Input loops to ERFDS fail open circuit (Transmitter outputs)

• SG1-SG4 Level transmitter signals to Tricon fail low from Set IV

• SG1-SG4 Level signals to MCR indicator fail low from Set IV

• SG1-SG4 Level signals to DFWCS fail low from Set IV

• SG1-SG4 Level signals to AFW (PCS) fail low from Set IV

• SG1-SG4 Level signals to ERFDS fail low from Set IV

• SG1-SG4 Level High-High signals to SSPS (Turbine Trip, FW Isolation, P14 Interlock) are disabled in Set IV

• SG1-SG4 Level Low-Low signals to SSPS ( Rx trip and AFW pump start) are set from Set IV

• SG1 (LT-517) signal to AMSAC fails low

• DFWCS Trouble Alarm is activated • PPS Failure Alarm is activated • MCR indicators (LI-517-LI-547) fail low • LT-517 – LT-547 OOR indication (MWS

– Tricon) • Partial trip signals sent to SSPS for SG



• AMSAC General Warning

• All Set IV SG (1-4) level transmitters are lost • Detailed design should address means to prevent:

• Loss of SG 1-4 Level inputs to SSPS (Set IV) • Loss of SG-1 Level inputs to AMSAC (Set IV)


21)

Provides: • Steam Flow signals to ERFDS

• (FT-532, 542, Set I) • (FT-533, 543, Set II)

Input loop to ERFDS from Tricon analog output fails open circuit (SG 3 and 4)


• SG 3 and 4 ERFDS indicators for Steam Flow fail low

• SG 3 and 4 MCR indicators for Steam Flow fail low

• SG 3 and 4 Steam Flow indications are available locally from MWS or from PPC (via Gateway Computer)




22)

Provides: • Steamline Pressure signals to ERFDS

• Set I (PT-514, 524, 534, 544) • Set II (PT-515)

Input loop to ERFDS fails open circuit (SG 1-4 , Set I) (SG-1, Set II) (Transmitter outputs)

• Steamline Pressure transmitter signals Set I (PT-514, 524, 534, 544) and Set II (PT-515) to Tricon fail low

• Steamline Pressure signals to MCR indicator fail low

• Steamline Pressure signals to HSP indicators fail low (Set I)

• Steamline Pressure signals to ERFDS fail low (Set I and II)

• Steamline Pressure signals to DFWCS fail low

• Steamline Pressure Low signals to SSPS (SI and Steamline isolation) are set

• Steamline Pressure High Negative Rate Steamline isolation signals to SSPS are set

• PPS Failure Alarm is activated • DFWCS Trouble Alarm is activated • Steamline Pressure MCR indicators

fail low • Steamline Pressure HSP indicators

fail low (Set I) • Steamline Pressure ERFDS

indications fail low (Set I, II) • Steamline Pressure OOR indication

(MWS) • Steamline Pressure Low Partial trip

signals sent to SSPS with partial trip status lights illuminated in MCR

• SSPS coincidence is met for Loop 1 Steamline Pressure Low SI/Steamline Isolation and Steamline Pressure High Negative Rate Steamline isolation

• Steam Steamline Pressure indications from MWS and PPC (via Gateway computer) OOR

• Steamline Pressure Indications are unavailable due to loss of transmitter loops.

• Detailed design should address means to prevent: • A loss of signals for Steamline Pressure for protection and

indication resulting in SSPS coincidence being met • A loss of Steamline Pressure indication in MCR, HSP and ERFDS

due to the same failure.

See Section 4.1.5 for discussion

23)

Provides • Reactor Coolant Hot Leg WR Pressure

signals to ERFDS: • Lp4 (PT-403A) (Set III) • Lp3 (PT-405) (Set IV) • LP4 (PT-405A) Set IV)

Input loop to ERFDS fails open circuit (Set III & IV)

• Reactor Coolant Hot leg Loop 3 (PT-405) WR Pressure transmitter signal to Tricon fails low

• Reactor Coolant Hot leg Loop 3 (PT-405) WR Pressure transmitter signal to MCR indicator (PI-405) fails low

• Reactor Coolant Hot leg Loop 3 & 4 WR Pressure signals to MCR indicators (PI-403A, PI-405A) from Class IA/II isolation device output fail low

• Reactor Coolant Hot leg Loop 3 WR Pressure signals to ERFDS fail low

• All (3) Reactor Coolant Hot leg Loop 4 WR Pressure signals to ERFDS fail low


• PPS Trouble Alarm is activated • RVLIS Trouble Alarm is activated • MCR indicators (PI-403A, PI-405, PI-

405A) fail low • ERFDS WR Pressure indications fail low

(PT-403A, PT-405, PT-405A) • PT-405 indication from MWS and PPC

(via Gateway computer) OOR

• No protective function impact • PT-403A and PT-505A are isolated from the MCR/ERFDS indications,

input loop remains intact, no impact to LTOP, RHR Valve Interlocks or Alarms

• WR Pressures (PT-403A, PT-405A) are available locally from MWS or from PPC (via Gateway Computer)

24) VB5 Provides: (Unit 2) • Steam Flow signals (FT-532, 542, Set

I)(FI-533, 543, Set II) to ERFDS

Input loop to ERFDS fail open circuit (SG 1 and 2)


• SG 3 and 4 Steam Flow ERFDS indicators

• SG 3 and 4 Steam Flow MCR indicators

• SG 3 and 4 Steam Flow indications are available locally from MWS or from PPC (via Gateway Computer)




25)

Provides (Unit 2): • Steamline Pressure signals to ERFDS

• Set I (PT-514, 524, 534, 544) • Set II (PT-515)

Input loop to ERFDS fails open circuit (SG 1-4 , Set I) (SG-1, Set II)

• Steamline Pressure transmitter signals to Tricon fail low Set I (PT-514, 524, 534, 544) Set II (PT-515)

• Steamline Pressure signals to MCR indicator fail low

• Steamline Pressure signals to HSP indicators fail low (Set I)

• Steamline Pressure signals to ERFDS fail low (Set I and II)

• Steamline Pressure signals to DFWCS fail low

• Steamline Pressure Low signals to SSPS (SI and Steamline isolation) are set

• Steamline Pressure High Negative Rate Steamline isolation signals to SSPS are set

• PPS Failure Alarm is activated • DFWCS Trouble Alarm is activated • Steamline Pressure MCR indicators fail

low • Steamline Pressure HSP indicators fail

low (Set I) • Steamline Pressure ERFDS indications

fail low (Set I, II) • Steamline Pressure transmitters OOR

indication (MWS) • Steamline Pressure Low partial trip

signals sent to SSPS with partial trip status lights illuminated in MCR

• SSPS coincidence is met for Loop 1 Steamline Pressure Low SI/Steamline Isolation and Steamline Pressure High Negative Rate Steamline isolation

• Set I and II Steam Steamline Pressure indications from MWS and PPC (via Gateway computer) OOR

• Steamline Pressure Indications are unavailable due to loss of transmitters Set I (PT-514, 524, 534, 544) Set II (PT-515)

• Detailed design should address means to prevent: • A loss of signals for Steamline Pressure for protection and

indication resulting in SSPS coincidence being met • A loss of indication in MCR, HSP and ERFDS due to the same

failure.


26)

Provides (Unit 2): • Steam Generators Level signals

to ERFDS Set IV (LT-517, 527, 537, 547)

Input loop to ERFDS fails open circuit

• Set IV SG1-SG4 Level transmitter signals to Tricon fail low

• Set IV SG1-SG4 Level signals to MCR indicator fail low

• Set IV SG1-SG4 Level signals to DFWCS fail low

• Set IV SG1-SG4 Level signals to AFW (PCS) fail low

• Set IV SG1-SG4 Level signals to ERFDS fail low

• Set IV SG1-SG4 Level High-High signals to SSPS (Turbine Trip, FW Isolation, P14 Interlock) are set

• Set IV SG1 Level signal to AMSAC fails low

• Set IV SG1-SG4 Level Low-Low signals to SSPS (Rx trip and AFW pump start) are set

• PPS Failure Alarm is activated • MCR indicators (LI-517-LI-547) fail low • LT-517 – LT-547 OOR indication (MWS

– Tricon) fail low • Partial trip signals sent to SSPS for SG



• AMSAC General Warning • Set IV SG Level indications from MWS

and PPC (via Gateway computer) OOR

• All Set IV SG 1-4 level transmitters are lost. • Detailed design should address means to prevent:

• Loss of SG 1-4 Level inputs to SSPS (Set IV) • Loss of SG 1 Level inputs to AMSAC (Set IV)





27)

HSP

Provides: • PZR Pressure indication (PI-455B

Set I)

Input loop to HSP indicators fails open circuit

ALS System • Unaffected – isolation device prevents

loss of signal to ALS Triconex System • Unaffected – isolation device prevents

loss of signal to Triconex • Isolated PZR Pressure signal to MCR

indicators fails low (PPS Set I only) • Isolated PZR Pressure signal to HSP

indicator fails low (PPS Set I only) • PPS Set I PZR Pressure signal to PZR

Pressure Control (PCS – Set I) fails low

• PCS Trouble Alarm is activated • MCR indicator (PI-455A) fail low • HSP indicator (PI-455B) fails low

• No protection function impact • Class IA/II isolation device (PM455_1) isolate the transmitter input

loop from the HSP indication, therefore, ALS and Triconex functions are unaffected as the input loop is maintained intact

• Indication are available locally from MWS or PPC (via Gateway Computer) for ALS (both chassis) and Triconex

• PZR Pressure Control in PCS Set I, IIII and IV will continue to function with Set II, III and Set IV inputs to PZR pressure control signal validation.

• Detailed design should consider means to prevent: • A loss of indication in both the MCR and HSP due to the same

failure.


28) Provides:

• PZR Level indications (LI-459B, 460B, Set I, II)


• PZR Level transmitter signals (LT-459, 460) to Tricon fail low

• PZR Level Signals (LT-459, 460) to MCR indicators fail low

• PZR Level Signals (LT-459, 460) to HSP indicators fail low

• PZR Level signals (LT-459, 460) to PZR Level control (PCS – Set I and II) fail low

• PZR Level signals (LT-459, 460) to ERFDS fail low

• PPS Failure Alarm is activated by Tricon • LT-459 and LT-460 OOR indication

(MWS) • PCS Trouble Alarm is activated • MCR indicators (LI-459A, LI-460A) fail

low • HSP indicators (LI-459B, LI-460B) fail

low • ERFDS indications fail low (Set I & II) • Set I and II PZR Level indications from

MWS and PPC (via Gateway computer) OOR

• Transmitters (PT-459, 460) are lost, therefore, indications are not available from MWS or PPC (via Gateway Computer)

• PZR Level Control in PCS Set I and II cannot continue to function with failed low Set I and Set II inputs to PZR level control MSS.

• Detailed design should consider means to prevent: • A loss of all signals for Pressurizer Level Control to PCS • A loss of all indication in both the MCR and HSP due to the same

failure.





29) Provides:

• Steamline Pressure indications (PI-514B, 524B, 534B, 544B, Set I)


• Steamline Pressure transmitter signals (PT-514, 524, 534, 544) to Tricon fail low (Set I)

• Steamline Pressure signals (PT-514, 524, 534, 544) to MCR indicator fail low (Set I)

• Steamline Pressure signals (PT-514, 524, 534, 544) to HSP indicators fail low (Set I)

• Steamline Pressure signals (PT-514, 524, 534, 544) to ERFDS fail low (Set I)

• Steamline Pressure signals (PT-514, 524, 534, 544) to DFWCS fail low (Set I)

• Steamline Pressure Low signals (PT-514, 524, 534, 544) to SSPS (SI and Steamline isolation) are set

• Steamline Pressure High Negative Rate Steamline Isolation signals to SSPS (PT-514, 524, 534, 544) are set

• PPS Failure Alarm is activated • DFWCS Trouble Alarm is activated • Steamline Pressure MCR indicators fail

low • All Steamline Pressure HSP indicators

(PI-514B, 524B, 534B, 544B) fail low (Set I)

• Steamline Pressure ERFDS indications fail low (Set I)

• Steamline Pressure transmitters (PT-514, 524, 534, 544) OOR indication (MWS)

• Steamline Pressure Low partial trip signals sent to SSPS with partial trip status lights illuminated in MCR

• Set I Steamline Pressure indications from MWS and PPC (via Gateway computer) OOR

• Set I Steamline Pressure Indications (PI-514B, 524B, 534B, 544B) are unavailable due to loss of transmitter loops

• Detailed design should consider means to prevent: • A loss of Set I (PT-514, 524, 534, 544) Steamline Pressure

indication in MCR, HSP and ERFDS due to the same failure


30)

Provides: Reactor Coolant WR Loop 4 temperature indication (TI-443A, TI-443B) directly to HSP from TE when associated transfer switch selected to HSDP

Input Loop to TI-443A and TI-443B fails open circuit if transfer switch is in HSDP position

• Reactor Coolant WR Loop 4 temperature signals (TE-443A(B) to HSP fail low

• Reactor Coolant WR Loop 4 temperature signal (TE-443A and TE-443B) are not available

• Reactor Coolant WR Loop 4 temperature indications are not available.

31)

PAM3 Provides:

• WR Thot LP3 (Set II TE-433A) to RVLIS

• WR Thot LP4 (Set II TE-443A) to RVLIS

Triconex Analog Output to RVLIS input fails open circuit

• WR LP3 Thot indication to MCR, ERFDS and RVLIS fails low from Set II

• WR LP4 Thot indication to MCR, ERFDS and RVLIS fails low from Set II

• PPS Trouble Alarm is activated • RVLIS Trouble Alarm is activated (TE-

433A, TE-443A) • MCR indicator (TR-433, TR-443) fails

low • ERFDS indication fails low (TE-433A,

TE-443A)

• No protection function impact • WR Thot LP3 and LP4 indications are available from ALS MWS,

Triconex MWS and PPC (via the Gateway computer)

32) Provides:

• WR Pressure LP3 (PT-405) to RVLIS

Input loop to RVLIS fails open circuit (Transmitter output)

• Reactor Coolant Hot leg Loop 3 WR Pressure transmitter signal to Tricon fails low

• Reactor Coolant Hot leg Loop 3 WR Pressure signal to MCR indicator fails low (PI-405)



• PPS Trouble Alarm is activated • RVLIS Trouble Alarm is activated ( PT-

405) • MCR indicator (PI-405) fails low • ERFDS indication fails low (PT-405) • PT-405 OOR indication (MWS) • WR Pressure LP3 (PT-405) indications


• No protection function impact • WR Pressure Loop 4 is available from PT-403, PT-403A and PT-405A to

MCR and ERFDS




33)

PAM4 Provides:

• WR Thot LP1 (Set I TE-413A) to RVLIS

• WR Thot LP2 (Set I TE-423A) to RVLIS

Triconex Analog Output to RVLIS input fails open circuit

• WR LP1 Thot indication to MCR, ERFDS and RVLIS fails low from Set I

• WR LP2 Thot indication to MCR, ERFDS and RVLIS fails low from Set I

• PPS Trouble Alarm is activated • RVLIS Trouble Alarm is activated (TE-

413A, TE-423A) • MCR indicator (TR-413, TR-423) fails

low • ERFDS indication fails low (TE-413A,

TE-423A)

• No protection function impact • WR Thot LP1 and LP2 indications are available from ALS MWS,

Triconex MWS and PPC (via the Gateway computer)

34) Provides:

• WR Pressure LP4 (PT-403) to RVLIS

Input loop to RVLIS fails open circuit (Transmitter outputs)

• Reactor Coolant Hot leg Loop 4 (PT-403 only) WR Pressure transmitter signal to Tricon fails low

• Reactor Coolant Hot leg Loop 4 WR Pressure signal to MCR recorder (PR-403) fails low



• PPS Trouble Alarm is activated • MCR indicator (PR-403) fails low • ERFDS indication fails low (PT-403) • PT-403 OOR indication (MWS) • WR Pressure LP4 (PT-403) indications


• No protection function impact • WR Pressure Loop 4 is available from PT-403A, PT-405 and PT-405A to

MCR and ERFDS

35)

EJSDTS2

Provide Reactor Coolant WR Loop 4 temperature indication (TI-443A, TI-443B) to PPS when associated transfer switch is in PPS (Eagle), to HSP when selected to HSDP

All transfer switch contacts fail open

ALS-System • Signal fails low • ALS sets analog output to Tricon to

0mA Triconex System • Tricon output fails low (0.0 mA) • Reactor Coolant WR Hot leg or Cold

leg Temp signal to MCR Recorders and ERFDS fails low

• Reactor Coolant WR Hot leg temp signal to RVLIS fails low (from TE-443A and TE-443A only)

• Reactor Coolant WR Cold leg temp signal to LTOP (TE-443B only) is not available (ETT)

• Reactor Coolant WR Loop 4 temperature signals (TE-443A and TE-443B) fail low


• HSP indicators (TI-443A, TI-443B) unavailable

• RVLIS Trouble Alarm is activated (TE-443A only)

• MCR indicator (TR-443) fails low • RTD OOR indication (MWS-associated

ALS chassis and Tricon) • ERFDS indications fail low for Reactor

Coolant WR Loop 4 temperature (Thot/Tcold)

• Reactor Coolant WR Hot leg and Cold leg temperature signals are available from PPS Set I for Loop 1&2 and from PPS Set II for Loop 3

• Reactor Coolant WR Hot leg or Cold leg temperature signal to MCR recorders and ERFDS is available from PPS Set I Loop 1&2 and from PPS Set II Loop3

• Reactor Coolant WR Hot leg temperature signal to RVLIS is available from PPS Set I Loop 1&2 and from PPS Set II Loop 3

• ALS Chassis do not activate a failure alarm for OOR conditions per IRS 1.5.5.5

Date post:	21-May-2020
Category:	Documents
Upload:	others
View:	11 times
Download:	0 times

S Level Failure Modes alysis MEA)System Level Failure Modes and Effects Analysis Page 10 of 42 2....

Documents