Table 7.1-7—SAS FMEA Results Sheet 1 of 28 Name of Sensor,
by user
Comments
Transcript
Table 7.1-7—SAS FMEA Results Sheet 1 of 28 Name of Sensor,
U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 1 of 28 No System SAS Function Name of Sensor, Functional Unit, or Equipment (2) Failure Mode (1) Inherent Compensating Method of Detection Provision Effect on the SAS Function Comments Systems With Functions in 4 Divisions / Trains 1 2 3 4 Tier 2 Fuel Building Ventilation System (FBVS) Isolation of FBVS on Master CU in Containment 1 Division Isolation (Figure 7.3-62) Safety Injection and RHR Isolation Valves Master CU in Residual Heat Interlock 1 Division Removal System (SIS/ (Figure 7.6-11) RHRS) Electrical Division of SBVSE CCWS Pump Master CU in Safeguard Building Room Heat Removal 1 Division Ventilation System (Figure 7.3-59) (SBVSE) Component Cooling Water System (CCWS) CCWS Emergency Master CU in Temperature Control 1 Division (Figure 7.3-34) a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 Page 7.1-158 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 2 of 28 No System SAS Function 5 Deleted 6 Emergency Feedwater SG Level Control System (EFWS) (Figure 7.3-4) 7 8 9 Tier 2 Emergency Feedwater EFWS Pump Flow System (EFWS) Protection (Figure 7.3-4) Essential Service ESW Flood Water System (ESWS) Prevention in the Safeguard Building (Figure 7.3-69) Essential Service Water Pump Building Ventilation System (ESWPBVS) Name of Sensor, Functional Unit, or Equipment (2) Master CU in 1 Division Master CU in 1 Division Master CU in 1 division. ESWPBVS ESWS Master CU in Pump Rooms 1 Division Temperature Control (Figure 7.3-38) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs to the standby CU and the function remains operable. b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division/train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 No effects on the system function Page 7.1-159 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 3 of 28 No 10 11 12 13 Tier 2 System Main Steam System (MSS) Main Steam System (MSS) Safeguard Building Controlled-Area Ventilation System (SBVS) Safeguard Building Controlled-Area Ventilation System (SBVS) SAS Function Steam Generator MSRCV Regulation during Pressure Control (Figure 7.3-12) Steam Generator MSRCV Regulation during Standby Position Control (Figure 7.3-12) Name of Sensor, Functional Unit, or Equipment (2) Master CU in 1 Division Master CU in 1 Division SIS/RHRS Pump Master CU in Rooms Heat Removal 1 Division (Figure 7.3-46) Isolation of Master CU in Mechanical Areas of 1 division. Safeguard Building on Containment Isolation (Figure 7.3-65) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Mastery/Standby CU switchover occurs No effects on the system function to the standby CU in faulted division. Voting logic remains 2/4 in faulted division. Voting logic in other divisions is modified to 2/3. b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Voting in other divisions becomes 1/3. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Voting in trains other divisions becomes 2/3. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Mastery/Standby CU switchover occurs No effects on the system function to the standby CU in faulted division. Voting logic remains 2/4 in faulted division. Voting logic in other divisions is modified to 2/3. b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Voting in other divisions becomes 1/3. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Voting in trains other divisions becomes 2/3. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs to the standby CU and the function remains operable. b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division/train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 No effects on the system function Page 7.1-160 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 4 of 28 No 14 15 16 17 Tier 2 System Safeguard Building Controlled-Area Ventilation System (SBVS) Electrical Division of Safeguard Building Ventilation System (SBVSE) SAS Function Name of Sensor, Functional Unit, or Equipment (2) CCWS/EFWS Valve Master CU in Rooms Heat Removal 1 Division (Figure 7.3-47) Supply and Recirculation Exhaust Air Flow Control (Figure 7.3-48) Master CU in 1 Division Electrical Division of Supply Fan Safe Shut- Master CU in Safeguard Building off 1 Division Ventilation System (Figure 7.3-49) (SBVSE) Electrical Division of Recirculation Fan Safeguard Building Safe Shut-off Ventilation System (Figure 7.3-50) (SBVSE) Master CU in 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 Page 7.1-161 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 5 of 28 No 18 19 20 21 Tier 2 System SAS Function Electrical Division of Exhaust Fan Safe Safeguard Building Shut-off Ventilation System (Figure 7.3-51) (SBVSE) Electrical Division of Safeguard Building Ventilation System (SBVSE) Supply Air Temperature Heater Control (Figure 7.3-52) Electrical Division of Freeze Protection Safeguard Building (Figure 7.3-53) Ventilation System (SBVSE) Electrical Division of Safeguard Building Ventilation System (SBVSE) Name of Sensor, Functional Unit, or Equipment (2) Master CU in 1 Division Master CU in 1 Division Master CU in 1 Division Supply Air Master CU in Temperature Control 1 Division for Supply Air Cooling (Figure 7.3-54) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 Page 7.1-162 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 6 of 28 No 22 23 24 Tier 2 System SAS Function Name of Sensor, Functional Unit, or Equipment (2) Electrical Division of Battery Room Heater Master CU in Safeguard Building Control 1 Division Ventilation System (Figure 7.3-56) (SBVSE) Electrical Division of Safeguard Building Ventilation System (SBVSE) Electrical Division of Safeguard Building Ventilation System (SBVSE) Battery Room Supply Master CU in Air Temperature 1 Division Control (Figure 7.3-57) Emergency Feed Master CU in Water System 1 Division (EFWS) Pump Room Heat Removal (Figure 7.3-58) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 Page 7.1-163 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 7 of 28 No 25 26 Tier 2 System Safety Chilled Water System (SCWS) Safety Chilled Water System (SCWS) SAS Function Name of Sensor, Functional Unit, or Equipment (2) SCWS Train 1 to Master CU in Train 2 Switchover 1 Division on Train 1 Loss of Pump/Loss of Chiller / SCWS Chiller Evaporator Water Flow Control / LOOP Re-start Failure (Figure 7.6-5) SCWS Train 2 to Master CU in Train 1 Switchover 1 Division on Train 2 Loss of Pump/Loss of Chiller / Loss of UHS-CCWS / SCWS Chiller Evaporator Water Flow Control / LOOP Re-start Failure (Figure 7.6-6) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Two redundant cross-tied Spurious trigger of one division / train. train sets Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Two redundant cross-tied Loss of one division / train. Unable to train sets perform automatic SCWS train switchover function for the faulted cross-tied train set. One remaining cross-tied train set provides the safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Two redundant cross-tied Spurious trigger of one division / train. train sets Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Two redundant cross-tied Loss of one division / train. Unable to train sets perform automatic SCWS train switchover function for the faulted cross-tied train set. One remaining cross-tied train set provides the safety function. Revision 5 Page 7.1-164 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 8 of 28 No 27 28 Tier 2 System Safety Chilled Water System (SCWS) Safety Chilled Water System (SCWS) SAS Function Name of Sensor, Functional Unit, or Equipment (2) SCWS Train 3 to Master CU in Train 4 Switchover 1 Division on Train 3 Loss of Pump/Loss of Chiller / Loss of UHS-CCWS / SCWS Chiller Evaporator Water Flow Control / LOOP Re-start Failure (Figure 7.6-7) SCWS Train 4 to Master CU in Train 3 Switchover 1 Division on Train 4 Loss of Pump/Loss of Chiller / SCWS Chiller Evaporator Water Flow Control / LOOP Re-start Failure (Figure 7.6-8) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Two redundant cross-tied Spurious trigger of one division / train. train sets Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Two redundant cross-tied Loss of one division / train. Unable to train sets perform automatic SCWS train switchover function for the faulted cross-tied train set. One remaining cross-tied train set provides the safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Two redundant cross-tied Spurious trigger of one division / train. train sets Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Two redundant cross-tied Loss of one division / train. Unable to train sets perform automatic SCWS train switchover function for the faulted cross-tied train set. One remaining cross-tied train set provides the safety function. Revision 5 Page 7.1-165 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 9 of 28 No 29 30 System SAS Function Safety Injection and Automatic RHRS Residual Heat Flow Rate Control Removal System (SIS/ (Figure 7.3-60) RHRS) Main Control Room Air Conditioning System (CRACS) Cooler Temperature Control (Figure 7.3-45) Name of Sensor, Functional Unit, or Equipment (2) Master CU in 1 Division Master CU in 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. train Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three train remaining divisions / trains provide safety function. Systems With Functions Within 2 Redundant Train Sets 31 32 Tier 2 Main Control Room Air Conditioning System (CRACS) Annulus Ventilation System (AVS) Pressure Control (Figure 7.3-44) Master CU in 1 Division Accident Filtration Master CU in Train Heater Control 1 Division (Figure 7.3-31) a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. Revision 5 Page 7.1-166 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 10 of 28 No 33 34 35 36 Tier 2 System Annulus Ventilation System (AVS) Component Cooling Water System (CCWS) Fuel Building Ventilation System (FBVS) Fuel Building Ventilation System (FBVS) SAS Function Accident Train Switchover (Figure 7.3-32) SCWS Condenser Supply Water Flow Control (Figure 7.3-37) Name of Sensor, Functional Unit, or Equipment (2) Master CU in 1 Division Master CU in 1 Division Safety-Related Room Master CU in Heater Control 1 Division (Figure 7.3-39) FBVS EBS / FPCS Pump Rooms Heat Removal (Figure 7.3-40) Master CU in 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. Revision 5 Page 7.1-167 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 11 of 28 No 37 38 39 40 Tier 2 System Fuel Building Ventilation System (FBVS) Fuel Building Ventilation System (FBVS) SAS Function Isolation of the Fuel Pool Hall (Figure 7.3-67) Isolation of the Emergency Airlock and Equipment Hatch (Figure 7.3-68) Name of Sensor, Functional Unit, or Equipment (2) Master CU in 1 division. Master CU in 1 division. Fuel Pool Cooling and FPCPS Pump Trip on Master CU in Purification System Low Spent Fuel Pool 1 Division (FPCPS) (SFP) Level (Figure 7.3-41) Main Control Room Air Conditioning System (CRACS) Iodine Filtration Master CU in Train Heater Control 1 Division (Figure 7.3-42) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs to the standby CU and the function remains operable. b) Undetected - Spurious None Two redundant divisions/ Spurious trigger of one train pair. One trains remaining train set provides safety function. c) Undetected - Blocking None Two redundant divisions/ Loss of one train set. One remaining trains train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs to the standby CU and the function remains operable. b) Undetected - Spurious None Two redundant divisions/ Spurious trigger of one train pair. One trains remaining train set provides safety function. c) Undetected - Blocking None Two redundant divisions/ Loss of one train set. One remaining trains train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. Revision 5 No effects on the system function No effects on the system function Page 7.1-168 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 12 of 28 No 41 42 System Main Control Room Air Conditioning System (CRACS) Safeguard Building Controlled-Area Ventilation System (SBVS) SAS Function Heater Control for Outside Inlet Air (Figure 7.3-43) Name of Sensor, Functional Unit, or Equipment (2) Master CU in 1 Division Iodine Filtration Master CU in Train Electric Heater 1 division. Control (Figure 7.3-66) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU and the function remains operable b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs to the standby CU and the function remains operable. b) Undetected - Spurious None Two redundant divisions/ Spurious trigger of one train pair. One trains remaining train set provides safety function. c) Undetected - Blocking None Two redundant divisions/ Loss of one train set. One remaining trains train set provides safety function. No effects on the system function CCWS Switchover Functions 43 Tier 2 Component Cooling Water System (CCWS) CCWS Emergency Leak Detection (Figure 7.3-35) Master CU in 1 Division a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Four redundant divisions/ Spurious closure of switchover valve trains and isolation valve. Spurious closure of one pilot valve for other trains. c) Undetected - Blocking None Four redundant divisions/ Loss of switchover valve and isolation trains valve. Loss of one pilot valve for other trains. Revision 5 Page 7.1-169 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 13 of 28 No 44 45 46 Tier 2 System Component Cooling Water System (CCWS) Component Cooling Water System (CCWS) Component Cooling Water System (CCWS) SAS Function Name of Sensor, Functional Unit, or Equipment (2) CCWS Common 1.b Master CU in Automatic Backup 1 Division Switchover of Train 1 to Train 2 and Train 2 to Train 1 (Figure 7.3-33) CCWS Common 2.b Master CU in Automatic Backup 1 Division Switchover of Train 3 to Train 4 and Train 4 to Train 3 (Figure 7.3-33) CCWS Emergency Leak Detection – Switchover Valves Leakage or Failure (Figure 7.3-36) Master CU in 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Two redundant train sets Spurious actuation of pumps and fans. c) Undetected - Blocking None Two redundant train sets Loss of pumps and fans. Remaining divisions/trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Two redundant train sets Spurious actuation of pumps and fans. c) Undetected - Blocking None Two redundant train sets Loss of pumps and fans. Remaining divisions/trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Two redundant train sets Spurious closure of switchover valves in faulted train and associated train. One remaining train set provides safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. Revision 5 Page 7.1-170 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 14 of 28 No 47 System Component Cooling Water System (CCWS) SAS Function CCWS Switchover Valves Interlock (Figure 7.6-1) Name of Sensor, Functional Unit, or Equipment (2) Master CU in 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one division/train. Three remaining divisions/trains provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one division/train. Three remaining divisions/trains provide safety function. CCWS RCP Thermal Barrier Interlock Function 48 49 Tier 2 Component Cooling Water System (CCWS) Component Cooling Water System (CCWS) CCWS RCP Thermal Master CU in Barrier Containment 1 Division Isolation Valve Interlock (Figure 7.6-2) CCWS RCP Thermal Master CU in Barrier Containment 1 Division Isolation Valves Opening Interlock (Figure 7.6-12) a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. The system automatically switches over to the other train pair. The other train pair performs the safety function. c) Undetected - Blocking None Two redundant train sets Loss of two CIVs. The remaining valves and train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master/Standby CU switchover occurs. No effects on the system function to the standby CU Functionality that depends on information from other divisions is lost due to lost connection to CUs. Functionality that does not depend on information from other CUs remains operable. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train pair. The system automatically switches over to the other train pair. The other train pair performs the safety function. c) Undetected - Blocking None Two redundant train sets Loss of two CIVs. The remaining valves and train set provides safety function. Revision 5 Page 7.1-171 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 15 of 28 No System SAS Function Name of Sensor, Functional Unit, or Equipment (2) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments Systems With Functions Utilizing Voting Logic 50 In-Containment Refueling Water Storage Tank System (IRWST) 51 Deleted 52 Deleted IRWST Boundary Isolation for Preserving IRWST Water Inventory Interlock (Figure 7.6-4) Master CU in 1 Division a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Master / Standby CU switchover occurs No effects on the system function to the standby CU in faulted division. Voting logic remains 2/4 in faulted division. Voting logic in other divisions is modified to 2/3. b) Undetected - Spurious None Redundant divisions/ trains Spurious trigger of one division / train. Voting in other divisions becomes 1/3. c) Undetected - Blocking None Redundant divisions/ trains Loss of one division / train. Voting in other divisions becomes 2/3. Systems With Functions in 4 Division/Trains 53 54 Tier 2 Fuel Building Ventilation System (FBVS) Isolation of FBVS on Loss of 1 Division Containment Isolation (Figure 7.3-62) Safety Injection and RHR Isolation Valves Loss of 1 Division Residual Heat Interlock Removal System (SIS/ (Figure 7.6-11) RHRS) a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function. b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Affected division switches Three remaining divisions / trains to the standby CU provide safety function. b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 No effects on the system function No effects on the system function Page 7.1-172 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 16 of 28 No 55 56 57 58 Tier 2 System Component Cooling Water System (CCWS) Component Cooling Water System (CCWS) SAS Function Name of Sensor, Functional Unit, or Equipment (2) CCWS Emergency Loss of 1 Division Temperature Control (Figure 7.3-34) CCWS Emergency Leak Detection (Figure 7.3-35) Emergency Feedwater SG Level Control System (EFWS) (Figure 7.3-4) Emergency Feedwater EFWS Pump Flow System (EFWS) Protection (Figure 7.3-4) Loss of 1 Division Loss of 1 Division Loss of 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one pilot valve. trains Remaining pilot valves provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one pilot valve. Remaining pilot trains valves provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 Comments No effects on the system function No effects on the system function No effects on the system function No effects on the system function Page 7.1-173 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 17 of 28 No 59 60 61 62 Tier 2 System Essential Service Water Pump Building Ventilation System (ESWPBVS) SAS Function ESWPBVS ESWS Loss of 1 Division Pump Rooms Temperature Control (Figure 7.3-38) Essential Service ESW Flood Water System (ESWS) Prevention in the Safeguard Building (Figure 7.3-69) Main Control Room Air Conditioning System (CRACS) Main Control Room Air Conditioning System (CRACS) Name of Sensor, Functional Unit, or Equipment (2) Cooler Temperature Control (Figure 7.3-45) Pressure Control (Figure 7.3-44) Loss of 1 division. Loss of 1 Division Loss of 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions/trains trains provide safety function. b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division/train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 Comments No effects on the system function No effects on the system function No effects on the system function No effects on the system function Page 7.1-174 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 18 of 28 No 63 64 65 66 Tier 2 System Main Steam System (MSS) Main Steam System (MSS) Safeguard Building Controlled-Area Ventilation System (SBVS) Safeguard Building Controlled-Area Ventilation System (SBVS) SAS Function Steam Generator MSRCV Regulation during Pressure Control (Figure 7.3-12) Steam Generator MSRCV Regulation during Standby Position Control (Figure 7.3-12) Name of Sensor, Functional Unit, or Equipment (2) Loss of 1 Division Loss of 1 Division SIS/RHRS Pump Loss of 1 Division Rooms Heat Removal (Figure 7.3-46) CCWS/EFWS Valve Loss of 1 Division Rooms Heat Removal (Figure 7.3-47) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 Comments No effects on the system function No effects on the system function No effects on the system function No effects on the system function Page 7.1-175 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 19 of 28 No 67 68 69 70 Tier 2 System Safeguard Building Controlled-Area Ventilation System (SBVS) Electrical Division of Safeguard Building Ventilation System (SBVSE) SAS Function Name of Sensor, Functional Unit, or Equipment (2) Isolation of Loss of 1 Division Mechanical Areas of Safeguard Building on Containment Isolation (Figure 7.3-65) Supply and Recirculation Exhaust Air Flow Control (Figure 7.3-48) Loss of 1 Division Electrical Division of Supply Fan Safe Shut- Loss of 1 Division Safeguard Building off Ventilation System (Figure 7.3-49) (SBVSE) Electrical Division of Recirculation Fan Safeguard Building Safe Shut-off Ventilation System (Figure 7.3-50) (SBVSE) Loss of 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions/trains trains provide safety function. b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division/train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 Comments No effects on the system function No effects on the system function No effects on the system function Page 7.1-176 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 20 of 28 No 71 72 73 74 Tier 2 System SAS Function Electrical Division of Exhaust Fan Safe Safeguard Building Shut-off Ventilation System (Figure 7.3-51) (SBVSE) Electrical Division of Safeguard Building Ventilation System (SBVSE) Supply Air Temperature Heater Control (Figure 7.3-52) Electrical Division of Freeze Protection Safeguard Building (Figure 7.3-53) Ventilation System (SBVSE) Electrical Division of Safeguard Building Ventilation System (SBVSE) Name of Sensor, Functional Unit, or Equipment (2) Loss of 1 Division Loss of 1 Division Loss of 1 Division Supply Air Loss of 1 Division Temperature Control for Supply Air Cooling (Figure 7.3-54) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 Comments No effects on the system function No effects on the system function No effects on the system function No effects on the system function Page 7.1-177 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 21 of 28 No 75 76 77 78 Tier 2 System SAS Function Name of Sensor, Functional Unit, or Equipment (2) Electrical Division of Battery Room Heater Loss of 1 Division Safeguard Building Control Ventilation System (Figure 7.3-56) (SBVSE) Electrical Division of Battery Room Supply Loss of 1 Division Safeguard Building Air Temperature Ventilation System Control (SBVSE) (Figure 7.3-57) Electrical Division of Safeguard Building Ventilation System (SBVSE) Electrical Division of Safeguard Building Ventilation System (SBVSE) Emergency Feed Loss of 1 Division Water System (EFWS) Pump Room Heat Removal (Figure 7.3-58) SBVSE CCWS Pump Room Heat Removal (Figure 7.3-59) Loss of 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. Revision 5 Comments No effects on the system function No effects on the system function No effects on the system function No effects on the system function Page 7.1-178 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 22 of 28 No 79 80 81 Tier 2 System Safety Chilled Water System (SCWS) Safety Chilled Water System (SCWS) Safety Chilled Water System (SCWS) SAS Function Name of Sensor, Functional Unit, or Equipment (2) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments SCWS Train 1 to Loss of 1 Division Train 2 Switchover on Train 1 Loss of Pump/Loss of Chiller / SCWS Chiller Evaporator Water Flow Control / LOOP Re-start Failure (Figure 7.6-5) a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant cross-tied The error in the faulted division is No effects on the system function train sets alarmed. Loss of one cross-tied train set. One remaining cross-tied train set provides safety function. b) Undetected - Spurious None Two redundant cross-tied Spurious trigger of one division / train. train sets Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Two redundant cross-tied Loss of one division / train. Unable to train sets perform automatic SCWS train switchover function for the faulted cross-tied train set. One remaining cross-tied train set provides the safety function. SCWS Train 2 to Loss of 1 Division Train 1 Switchover on Train 2 Loss of Pump/Loss of Chiller / Loss of UHS-CCWS / SCWS Chiller Evaporator Water Flow Control / LOOP Re-start Failure (Figure 7.6-6) a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant cross-tied The error in the faulted division is No effects on the system function train sets alarmed. Loss of one cross-tied train set. One remaining cross-tied train set provides safety function. b) Undetected - Spurious None Two redundant cross-tied Spurious trigger of one division / train. train sets Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Two redundant cross-tied Loss of one division / train. Unable to train sets perform automatic SCWS train switchover function for the faulted cross-tied train set. One remaining cross-tied train set provides the safety function. SCWS Train 3 to Loss of 1 Division Train 4 Switchover on Train 3 Loss of Pump/Loss of Chiller / Loss of UHS-CCWS / SCWS Chiller Evaporator Water Flow Control / LOOP Re-start Failure (Figure 7.6-7) a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant cross-tied The error in the faulted division is No effects on the system function train sets alarmed. Loss of one cross-tied train set. One remaining cross-tied train set provides safety function. b) Undetected - Spurious None Two redundant cross-tied Spurious trigger of one division / train. train sets Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Two redundant cross-tied Loss of one division / train. Unable to train sets perform automatic SCWS train switchover function for the faulted cross-tied train set. One remaining cross-tied train set provides the safety function. Revision 5 Page 7.1-179 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 23 of 28 No 82 83 System Safety Chilled Water System (SCWS) SAS Function Name of Sensor, Functional Unit, or Equipment (2) SCWS Train 4 to Loss of 1 Division Train 3 Switchover on Train 4 Loss of Pump/Loss of Chiller / SCWS Chiller Evaporator Water Flow Control / LOOP Re-start Failure (Figure 7.6-8) Safety Injection and Automatic RHRS Residual Heat Flow Rate Control Removal System (SIS/ (Figure 7.3-60) RHRS) Loss of 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant cross-tied The error in the faulted division is No effects on the system function train sets alarmed. Loss of one cross-tied train set. One remaining cross-tied train set provides safety function. b) Undetected - Spurious None Two redundant cross-tied Spurious trigger of one division / train. train sets Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Two redundant cross-tied Loss of one division / train. Unable to train sets perform automatic SCWS train switchover function for the faulted cross-tied train set. One remaining cross-tied train set provides the safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Four redundant divisions/ Three remaining divisions / trains trains provide safety function b) Undetected - Spurious None Four redundant divisions/ Spurious trigger of one division / train. trains Three remaining divisions / trains provide safety function. c) Undetected - Blocking None Four redundant divisions/ Loss of one division / train. Three trains remaining divisions / trains provide safety function. No effects on the system function Systems With Functions Within 2 Redundant Train Sets 84 85 Tier 2 Annulus Ventilation System (AVS) Annulus Ventilation System (AVS) Accident Filtration Loss of 1 Division Train Heater Control (Figure 7.3-31) Accident Train Switchover (Figure 7.3-32) Loss of 1 Division a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant train sets Loss of one train set. One remaining train set provides safety function. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train set. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant train sets Loss of one train set. One remaining train set provides safety function. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train set. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. Revision 5 One train set remains functional One train set remains functional Page 7.1-180 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 24 of 28 No 86 87 88 89 Tier 2 System Component Cooling Water System (CCWS) Fuel Building Ventilation System (FBVS) Fuel Building Ventilation System (FBVS) Fuel Building Ventilation System (FBVS) SAS Function SCWS Condenser Supply Water Flow Control (Figure 7.3-37) Name of Sensor, Functional Unit, or Equipment (2) Loss of 1 Division Safety-Related Room Loss of 1 Division Heater Control (Figure 7.3-39) FBVS EBS / FPCS Pump Rooms Heat Removal (Figure 7.3-40) Isolation of the Fuel Pool Hall (Figure 7.3-67) Loss of 1 Division Loss of 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant train sets Loss of one train set. One remaining train set provides safety function. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train set. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant train sets Loss of one train set. One remaining train set provides safety function. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train set. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant train sets Loss of one train set. One remaining train set provides safety function. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train set. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism None Loss of one train set. One remaining train set provides safety function. b) Undetected - Spurious None Two redundant divisions/ Spurious trigger of one train pair. One trains remaining train set provides safety function. c) Undetected - Blocking None Two redundant divisions/ Loss of one train set. One remaining trains train set provides safety function. Revision 5 Comments One train set remains functional One train set remains functional One train set remains functional Page 7.1-181 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 25 of 28 No 90 91 92 93 Tier 2 System Fuel Building Ventilation System (FBVS) SAS Function Isolation of the Emergency Airlock and Equipment Hatch (Figure 7.3-68) Name of Sensor, Functional Unit, or Equipment (2) Loss of 1 Division Fuel Pool Cooling and FPCPS Pump Trip on Loss of 1 Division Purification System Low Spent Fuel Pool (FPCPS) (SFP) Level (Figure 7.3-41) Main Control Room Air Conditioning System (CRACS) Main Control Room Air Conditioning System (CRACS) Iodine Filtration Loss of 1 Division Train Heater Control (Figure 7.3-42) Heater Control for Outside Inlet Air (Figure 7.3-43) Loss of 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant divisions/ Loss of one train set. One remaining trains train set provides safety function. b) Undetected - Spurious None Two redundant divisions/ Spurious trigger of one train pair. One trains remaining train set provides safety function. c) Undetected - Blocking None Two redundant divisions/ Loss of one train set. One remaining trains train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant train sets Loss of one train set. One remaining train set provides safety function. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train set. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant train sets Loss of one train set. One remaining train set provides safety function. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train set. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant train sets Loss of one train set. One remaining train set provides safety function. b) Undetected - Spurious None Two redundant train sets Spurious trigger of one train set. One remaining train set provide safety function. c) Undetected - Blocking None Two redundant train sets Loss of one train set. One remaining train set provides safety function. Revision 5 Comments One train set remains functional One train set remains functional One train set remains functional Page 7.1-182 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 26 of 28 No 94 System Safeguard Building Controlled-Area Ventilation System (SBVS) SAS Function Name of Sensor, Functional Unit, or Equipment (2) Iodine Filtration Loss of 1 Division Train Electric Heater Control (Figure 7.3-66) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant divisions/ Loss of one train set. One remaining trains train set provides safety function. b) Undetected - Spurious None Two redundant divisions/ Spurious trigger of one train pair. One trains remaining train set provides safety function. c) Undetected - Blocking None Two redundant divisions/ Loss of one train set. One remaining trains train set provides safety function. Comments No effects on the system function Systems With Functions Utilizing Voting Logic 95 In-Containment Refueling Water Storage Tank System (IRWST) 96 Deleted 97 Deleted IRWST Boundary Isolation for Preserving IRWST Water Inventory Interlock (Figure 7.6-4) Loss of 1 Division a) Detected Failure TXS inherent or engineered fault detection mechanism Redundant divisions/ trains Loss of Master CU and Standby CU in faulted division. Voting logic in other divisions is modified to 2/3. b) Undetected - Spurious None Redundant divisions/ trains One division sends a spurious actuation. Voting logic in other divisions becomes 1/3. c) Undetected - Blocking None Redundant divisions/ trains Loss of Master CU and Standby CU in faulted division. Voting logic in other divisions becomes 2/3. No effects on the system function CCWS Switchover Functions 98 99 Tier 2 Component Cooling Water System (CCWS) Component Cooling Water System (CCWS) CCWS Common 1.b Loss of 1 Division Automatic Backup Switchover of Train 1 to Train 2 and Train 2 to Train 1 (Figure 7.3-33) CCWS Common 2.b Loss of 1 Division Automatic Backup Switchover of Train 3 to Train 4 and Train 4 to Train 3 (Figure 7.3-33) a) Detected Failure TXS inherent or engineered fault detection mechanism Failed sensor marked invalid; two redundant train pairs. b) Undetected - Spurious None Two redundant trains pairs Spurious trigger of one pilot valve. Remaining pilot valves provide safety function. c) Undetected - Blocking None Two redundant trains pairs Loss of one pilot valve. Remaining pilot valves provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Failed sensor marked invalid; two redundant train pairs. b) Undetected - Spurious None Two redundant trains pairs Spurious trigger of one pilot valve. Remaining pilot valves provide safety function. c) Undetected - Blocking None Two redundant trains pairs Loss of one pilot valve. Remaining pilot valves provide safety function. Revision 5 Unable to automatically perform switchover function in the faulted division. Unable to automatically perform switchover function in the faulted division. A second pair serves its associated heat loads. Adequate cooling is provided by the second train pair. A second pair serves its associated heat loads. Adequate cooling is provided by the second train pair Page 7.1-183 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 27 of 28 No 100 101 System Component Cooling Water System (CCWS) Component Cooling Water System (CCWS) SAS Function CCWS Emergency Leak Detection – Switchover Valves Leakage or Failure (Figure 7.3-36) CCWS Switchover Valves Interlock (Figure 7.6-1) Name of Sensor, Functional Unit, or Equipment (2) Loss of 1 Division Loss of 1 Division Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function a) Detected Failure TXS inherent or engineered fault detection mechanism Failed sensor marked invalid; two redundant train pairs. Unable to automatically perform switchover function in the faulted division. b) Undetected - Spurious None Two redundant trains pairs Spurious trigger of one pilot valve. Remaining pilot valves provide safety function. c) Undetected - Blocking None Two redundant trains pairs Loss of one pilot valve. Remaining pilot valves provide safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Failed sensor marked invalid; two redundant train pairs. b) Undetected - Spurious None Two redundant trains pairs Spurious trigger of one pilot valve. Remaining pilot valves provide safety function. c) Undetected - Blocking None Two redundant trains pairs Loss of one pilot valve. Remaining pilot valves provide safety function. Unable to automatically perform switchover function in the faulted division. Comments A second pair serves its associated heat loads. Adequate cooling is provided by the second train pair A second pair serves its associated heat loads. Adequate cooling is provided by the second train pair CCWS RCP Thermal Barrier Interlock Function 102 103 Tier 2 Component Cooling Water System (CCWS) Component Cooling Water System (CCWS) CCWS RCP Thermal Loss of 1 Division Barrier Containment Isolation Valve Interlock (Figure 7.6-2) CCWS RCP Thermal Loss of 1 Division Barrier Containment Isolation Valves Opening Interlock (Figure 7.6-12). a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant train sets in two divisions The failed division's valves fail as-is. The other division provides the interlock function. b) Undetected - Spurious None Two redundant train sets Unable to automatically perform safety function in the faulted division and train set. Loss of 1 train set, redundant train set provides safety function. c) Undetected - Blocking None Two redundant train sets Unable to close valves in the faulted division. Other divisions isolate the faulted division's train set. Redundant train set provides safety function. a) Detected Failure TXS inherent or engineered fault detection mechanism Two redundant train sets in two divisions The failed division's valves fail as-is. The other division provides the interlock function. b) Undetected - Spurious None Two redundant train sets Unable to automatically perform safety function in the faulted division and train set. Loss of 1 train set, redundant train set provides safety function. c) Undetected - Blocking None Two redundant train sets Unable to close valves in the faulted division. Other divisions isolate the faulted division's train set. Redundant train set provides safety function. Revision 5 No effects on the system function. No effects on the system function. Page 7.1-184 U.S. EPR FINAL SAFETY ANALYSIS REPORT Table 7.1-7—SAS FMEA Results Sheet 28 of 28 No System SAS Function Name of Sensor, Functional Unit, or Equipment (2) Failure Mode (1) Method of Detection Inherent Compensating Provision Effect on the SAS Function Comments All SAS Functions 104 All systems for which All SAS functions SAS performs a function. Standby CU in 1 Division a) Detected Failure TXS inherent or engineered fault detection mechanism Master/Standby CU configuration. None - Master CU in affected division remains functional b) Undetected - Spurious None Master/Standby CU configuration. None - Master CU in affected division remains functional c) Undetected - Blocking None Master/Standby CU configuration. None - Master CU in affected division remains functional No effects on the system function Notes: 1. Failure Mode – The failure cause is not identified in the system-level analysis. The failure modes are selected to bound the results of any specific failure cause. Specific failure causes can be identified only after specific equipment is selected and application software is developed. 2. This FMEA has been analyzed for loss of a CU and loss of a division failure. These types of failures encompass any single failure within a division, (i.e. loss of a sensor, hardwired logic failure / fault). Next File Tier 2 Revision 5 Page 7.1-185