ML102880481

From kanterella
Jump to navigation Jump to search
OL - FW: Emailing: FSAR 7 7 11 DCS Description Final.Doc
ML102880481
Person / Time
Site: Watts Bar Tennessee Valley Authority icon.png
Issue date: 10/04/2010
From:
Office of Nuclear Reactor Regulation
To:
Division of Operating Reactor Licensing
References
Download: ML102880481 (6)
v  d  e


Text

WBN2Public Resource From: Poole, Justin Sent: Monday, October 04, 2010 1:58 PM To: Garg, Hukam Cc: WBN2HearingFile Resource

Subject:

FW: Emailing: FSAR 7 7 11 DCS Description Final.doc Attachments: FSAR 7 7 11 DCS Description Final.doc Looks to be a draft of the new FSAR section. Please pass it on.

Original Message-----

From: Crouch, William D [1]

Sent: Monday, October 04, 2010 1:44 PM To: Poole, Justin Cc: Clark, Mark Steven

Subject:

FW: Emailing: FSAR 7 7 11 DCS Description Final.doc

<<FSAR 7 7 11 DCS Description Final.doc>> See questions below.

William D. (Bill) Crouch (423) 365-2004 WBN (256) 777-7676 Cell

Original Message-----

From: Clark, Mark Steven Sent: Monday, October 04, 2010 12:40 PM To: Crouch, William D

Subject:

Emailing: FSAR 7 7 11 DCS Description Final.doc Bill:

Please forward this to Justin for Norbert.

Thanks, Steve The message is ready to be sent with the following file or link attachments:

FSAR 7 7 11 DCS Description Final.doc Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.

1

Hearing Identifier: Watts_Bar_2_Operating_LA_Public Email Number: 126 Mail Envelope Properties (19D990B45D535548840D1118C451C74D6FD36242E9)

Subject:

FW: Emailing: FSAR 7 7 11 DCS Description Final.doc Sent Date: 10/4/2010 1:57:48 PM Received Date: 10/4/2010 1:57:49 PM From: Poole, Justin Created By: Justin.Poole@nrc.gov Recipients:

"WBN2HearingFile Resource" <WBN2HearingFile.Resource@nrc.gov>

Tracking Status: None "Garg, Hukam" <Hukam.Garg@nrc.gov>

Tracking Status: None Post Office: HQCLSTR02.nrc.gov Files Size Date & Time MESSAGE 1020 10/4/2010 1:57:49 PM FSAR 7 7 11 DCS Description Final.doc 60482 Options Priority: Standard Return Notification: No Reply Requested: No Sensitivity: Normal Expiration Date:

Recipients Received:

Section Title Page 7.7 CONTROL SYSTEMS 7.7-1 7.

7.1 DESCRIPTION

7.7-1 7.7.1.1 CONTROL ROD DRIVE REACTOR CONTROL SYSTEM 7.7-1 7.7.1.2 ROD CONTROL SYSTEM 7.7-4 7.7.1.3 PLANT CONTROL SIGNALS FOR MONITORING 7.7-10 AND INDICATING 7.7.1.4 PLANT CONTROL SYSTEM INTERLOCKS 7.7-15 7.7.1.5 PRESSURIZER PRESSURE CONTROL 7.7-16 7.7.1.6 PRESSURIZER WATER LEVEL CONTROL 7.7-16 7.7.1.7 STEAM GENERATOR WATER LEVEL CONTROL 7.7-17 7.7.1.8 STEAM DUMP CONTROL 7.7-17 7.7.1.9 INCORE INSTRUMENTATION SYSTEM 7.7-19 7.7.1.10 CONTROL BOARD 7.7-20 7.7.1.11 DISTRIBUTEDPLANT CONTROL SYSTEM 7.7-21 Formatted: Font color: Red 7.7.1.12 ANTICIPATED TRANSIENT WITHOUT SCRAM 7.7-21 MITIGATION SYSTEM ACTUATION 7.7.2 ANALYSIS 7.7-22 7.7.2.1 SEPARATION OF PROTECTION AND CONTROL 7.7-23 SYSTEM 7.7.2.2 RESPONSE CONSIDERATIONS OF REACTIVITY 7.7-23 7.7.2.3 STEP LOAD CHANGES WITHOUT STEAM DUMP 7.7-25 7.7.2.4 LOADING AND UNLOADING 7.7-26 7.7.2.5 LOAD REJECTION FURNISHED BY STEAM DUMP 7.7-26 SYSTEM 7.7.2.6 TURBINE-GENERATOR TRIP WITH REACTOR TRIP 7.7-26

7.7.11 Distributed Plant Control System Formatted: Strikethrough Select Nnon safety-related control and indication functions in WBN Unit 2 are implemented using a Distributed Control System (DCS). The Unit 2 DCSsystem Formatted: Strikethrough replaces the analog control system used in Unit 1.

Formatted: Indent: Left: 0.5" The functional design of the WBN unit 2 control systems implemented in the DCS is similar to WBN Unit 1 analog control system but with incorporates changes which improve reliability and eliminate many significant single points of failure. The basic components of the DCS are redundant fault-tolerant processor pairs, redundant power supplies with diverse power sources, and redundant communication networks, and redundant operator workstations. Multiple inputs are provided for critical plant parameters. Redundant field-bus modules (FBMs) are utilized for critical inputs and outputs. redundant operator workstations are provided Workstations are provided in the main control room and the auxiliary instrument room for trending, alarm monitoring and system maintenance activities. Manual control is available from hand/auto stations on the main and auxiliary control boards. The system is designed such that the control system functions most important to safe plant operation are not affected by the failure of a single device or component.

7.7.11.1 Functional Groups - Control Processor Paris (CP Pairs) Formatted: Strikethrough The uUnit 2 DCS consists of 15 multiple functional groups, each with a redundant control Formatted: Strikethrough processor (CP) pair (a master and a backup). This arrangement provides capability The Formatted: Strikethrough control systems are assigned to different CP pairs to maintain independence between redundant control functions and to limit the effects of failures on the critical control systems. The system designconfiguration was evaluated to ensure that DCS failures are bounded by the safety analyses described in Chapter 15.

Formatted: Indent: Left: 0.5" The primary functions of each DCS functional groups is shown below. Each group also includes other control and monitoring functions for which segmentation is not considered Formatted: Strikethrough to be necessary.Two groups are dedicated to the Auxiliary Control System instrumentation which is not required for normal plant operation (refer to section 7.4). T hese two groups are isolated from the rest of the DCS network during normal operation, except for maintenance purposes, to eliminate the possibility of events external to the auxiliary control room causing loss of these processor pairs.

  • 05 Main Feedwater FW Pump Speed Control & Condenser Steam Dump Loss of Load Interlock
  • 06 Rod Control
  • 11 Condenser Steam Dump
  • 12 Pressurizer A - (Pressure, Level, Charging, Letdown, Spray, Cold Overpressure Mitigation System (COMS)
  • 13 Pressurizer B - (Pressure, Level, Charging, Letdown, Spray, Cold Overpressure Mitigation System (COMS)
  • 14 Auxiliary Control System A
  • 15 Auxiliary Control System B 7.7.11.2 Auxiliary Control System Groups 14 and 15 are dedicated to the Auxiliary Control System (ACS) which is not required for normal plant operation. The ACS provides controls and instrumentation needed for plant shutdown from outside the Main Control Room (MCR) in the event that the MCR has to be abandoned. Isolation of the ACS from the normal controls is achieved either by dedicated control loops or by manually-operated transfer switches.

The safety related functions of the ACS are implemented independently of the DCS.

Groups 14 and 15 are isolated from the network during normal operation, except for maintenance purposes, to eliminate the possibility of events external to the auxiliary control room causing loss of these processor pairs.

7.7.11.37.7.11.2 Power Supplies Each of the redundant power supplies for the control groups is fed from an inverter with Formatted: Keep with next battery and emergency diesel generator backup. T - typically the primary power supply is from a 120 VAC Vital Inverter and the secondary power supply from the 120 VAC TSC Inverter. This arrangement ensures that a single power supply or inverter failure will not result in loss of function, eliminating loss of power as a single point of failure. As a result, an inverter failure will not cause a plant trip due to the main feedwater control valves closure.

7.7.11.47.7.11.3 Signal Selection and Validation The use of multiple measurement channels inputs for critical parameters such as turbine impulse pressure, steam header pressure, and feedwater pressure allows the use of various signal selectors selection functions to improve reliability and eliminate single point failures. Redundant inputs are typically assigned to different input modules to provide additional hardware diversity redundancy and eliminate hardware common cause failure.

A median signal selector chooses the median value signal of three inputs for control use.

With the median signal selector, a spurious high or low signal from any one channel will not cause a control action. Where only two inputs are available, an average is computed, and a third correlated signal may be provided as a voter. The voter is never used for control. With four inputs, either the highest input (auctioneered) or the second highest input (higher median) is selected for control.

The system alsoDCS employs signal validation techniques which can remove bad or out-of-service signals from the algorithm and select from the remaining good signals or

transfer control to manual in the event of multiple input signal failures. This includes input signals which deviate significantly from the selected signal (auctioneered or median). These conditions will be alarmed and the bad signal removed from the control algorithm. Use of these techniques eliminates This scheme minimizes the potential for a transient initiated by the failure of a single input.

7.7.11.57.7.11.4 Shared Signals Some signals are used in more than one functional group or processor pair. They may be provided to each processor as separate inputs, or they may be input to one processor for development of the control signal (auctioneered, median, etc.) which is then transmitted to other processors by either a hardwired analog connection, peer-to-peer network connection or both. No critical control function is dependent upon the network alone. This scheme eliminates design minimizes the possibility that failure of a single input signal, a single processor pair, or both communication networks will disable multiple control systems or functions.

7.7.11.67.7.11.5 External Communication Two cCommunication links are provided from the DCS to the plant computer. Firewalls between the systems limit the volume of data traffic and to ensure that common cause events external to the DCS, such as a data storm, do not impact multiple control systems within the DCS.

There is no digital communication between the control system and the protection system. The control systemDCS receives analog process inputs from the protection system which are transmitted via qualified isolators which are part of the protection system as on uUnit 1.

7.7.11.7 Network Data Storm The impact of erroneous communication internal to the system, such as a data storm due to a processor failure, will bewas evaluated by test. A Sequoyah factory acceptance test for the same DCS demonstrated that a data storm can disable the communication networks and cause one CP of a pair to become non-functional. The control groups, however, continued to operate. The network is disabled only during the data storm event and full system redundancy can be restored by an online reboot of the secondary CP. A data storm test will be performed with the installed WBN Unit 2 system prior to final commissioning to confirmed similar results. Further, as noted previously, the system is designed with hardwired analog control signal transmission between CP pairs so that no critical control functions are totally dependent upon the network and the system will continue to function if the network fails.

Retrieved from "https://kanterella.com/w/index.php?title=ML102880481&oldid=2242864"