ML18100A313

Responds to Comments Received Re License Change Request 92-14 on Median Signal Selector.Separation Criteria Listed. Util Procedures & WCAP-7509-P-A & WCAP-11313 Encl
Person / Time
Site: Salem (PSEG)
Issue date: 01/26/1993
From: Kerr R, Westinghouse Electric Company, Div of CBS Corp.
To: McGovern M, Public Service Enterprise Group
Shared Package: ML18100A314
References: NUDOCS 9304210002
Download: ML18100A313


Text

PSE-ADFCS-93-006
Westinghouse Electric Corporation
Energy Systems
Box 355
Pittsburgh, Pennsylvania 15230-0355
January 26, 1993

Matt McGovern
Public Service Electric & Gas
Salem Nuclear Station
P. O. Box 236
Hancocks Bridge, NJ 08038

Subject:

Response to MSS Issue

Dear Matt:

This letter is issued in response to comments received (see attached) regarding Salem License Change Request No. 92-14.

The Median Signal Selector (MSS) is specifically designed to prevent a failed instrument channel from causing a control system action which will initiate a plant transient that may require protective action. Implementation of the MSS meets the requirements of IEEE Std. 379 based on the following:

- Separation Criteria: Electrical isolation between analog inputs and MSS digital circuitry.
- MSS Design: Physical separation of the three level channel inputs via separate input boards.
- Configuration Certification: provides overall assurance that design requirements are met.
- A fault tree analysis concludes that the MSS is fault tolerant to any single failure of ac rack power, power supply (I/O dc, DPU dc), DPU processor board, data highway, or input signal failure to the MSS.
- Automatically executed self-diagnostics.
- Automatic bumpless transfer to a back-up DPU.
- Approximately 20 reactor years of MSS operation without failure.

Please refer to Section 6.0 of WCAP-13502 for additional detail regarding system reliability and fault tolerance.

It should be recognized that IEEE Std. 279, Para. 4.7 addressed control and protection system interaction. The requirements of this paragraph may be satisfied by the design of protection and/or control systems. It is true that the protection and control system designs need coordination in this area, but they remain separate systems. The MSS, which is physically located and implemented in a control system rack, is not part of the plant protection system. Thus, a failure of the MSS is not a degradation of any safety system.

In summary, due to the design, fault tolerance, configuration certification and periodic testing of the MSS, a failed level sensor (high) coincident with a failure of the MSS to select the proper channel is not considered to be a credible occurrence. Therefore, implementation of the MSS meets the requirements of IEEE Std. 379.
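As an added illustration (not code from Westinghouse, PSE&G or the WCAP reports cited above), the following Python models the selection principle the letter relies on: three level channels feed a selector that passes on the median value, so a single channel failing high can never become the control signal, while two coincident failures, the case the reviewer raises, do pass a failed value through. The channel readings, the failure values and the deviation alarm limit are constructed sample data, and the deviation-alarm diagnostic is an assumption added for illustration; the letter only states that self-diagnostics run automatically.

```python
"""Median signal selection over three redundant level channels.

Added illustration, not Westinghouse's MSS implementation. It models the
selection principle described in the letter (three level channel inputs,
the median value passed on to control) to show why one channel failing
high cannot be selected, and what it takes for a failed-high value to
reach the control system. Readings, failure values and the alarm limit
are constructed sample data, not plant values.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed sensor span: readings are taken as percent of level span.
FAIL_HIGH = 100.0  # assumed reading of a channel that fails high
FAIL_LOW = 0.0     # assumed reading of a channel that fails low


def median_select(channels: Sequence[float]) -> float:
    """Return the median of exactly three channel readings.

    With one failed channel the median is always one of the two healthy
    readings, so a single high or low failure is never passed to control.
    """
    if len(channels) != 3:
        raise ValueError("this model selects among exactly three channels")
    return sorted(channels)[1]


def deviation_alarms(channels: Sequence[float], selected: float,
                     limit: float) -> List[int]:
    """Indices of channels deviating from the selected value by more than
    `limit`. Assumed diagnostic for illustration only."""
    return [i for i, value in enumerate(channels)
            if abs(value - selected) > limit]


def channel_readings(true_level: float, failures: Dict[int, str],
                     noise: Sequence[float]) -> List[float]:
    """Constructed readings: true level plus per-channel noise, with failed
    channels overwritten by their failure value ('high' or 'low')."""
    readings = [true_level + n for n in noise]
    for index, mode in failures.items():
        readings[index] = FAIL_HIGH if mode == "high" else FAIL_LOW
    return readings


def select_level(true_level: float, failures: Dict[int, str],
                 noise: Sequence[float] = (0.1, -0.2, 0.3),
                 limit: float = 5.0) -> Tuple[float, List[int]]:
    """One selection cycle: returns (selected level, alarmed channel indices)."""
    readings = channel_readings(true_level, failures, noise)
    selected = median_select(readings)
    return selected, deviation_alarms(readings, selected, limit)


def failed_value_selected(true_level: float, failures: Dict[int, str],
                          limit: float = 5.0) -> bool:
    """True when the selected value is a failure value rather than a reading
    near the true level, i.e. the event the review comments are concerned
    about."""
    selected, _ = select_level(true_level, failures, limit=limit)
    return abs(selected - true_level) > limit


if __name__ == "__main__":
    cases = {
        "all channels healthy": {},
        "channel 0 fails high (single failure)": {0: "high"},
        "channels 0 and 1 fail high (two failures)": {0: "high", 1: "high"},
    }
    for label, failures in cases.items():
        selected, alarms = select_level(60.0, failures)
        print(f"{label}: selected={selected:.1f} alarms={alarms} "
              f"failed value selected={failed_value_selected(60.0, failures)}")
```

Running the block shows the asymmetry the letter's argument rests on: with one channel failed high, the median is a healthy reading and the failed channel is the one that deviates from it; with two channels failed high, the median is the failure value and the remaining healthy channel is what the deviation check flags as the outlier. The selector alone cannot tell these two situations apart, which is why the letter argues from fault tolerance, configuration certification and periodic testing that the coincident failure is not credible.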

Feel free to contact me with any questions or concerns.

Very truly yours,
WESTINGHOUSE ELECTRIC CORPORATION

Robert A. Kerr, Manager
Nuclear & Control Technology

/spr
Enclosure
cc: M. Croney, United Engineers & Constructors
    P. A. Federico, PCD - O'Hara
    J. M. Huckabee, Hancocks Bridge, NJ
    N. Lane, ABB Impell Corp
    W. L. Miller, PCD - O'Hara
    S. D. Whaley, EC E 4-29

OFFSITE SAFETY REVIEW SUMMARY RECORD
Salem 1 / Salem 2 / Hope Creek / Common
License Change Request LCR No. 92-14
Reviewer: LI

This LCR modifies the Tech. Spec. 2.2 Limiting Safety System Settings and 3/4.1.1, Reactor Trip System Instrumentation. These changes are to replace the existing single channel analog control with a three input digital Steam Generator Level Control.

As a result of the improved reliability of the new control system the change also proposes to remove the Steam/Feedwater Flow Mismatch and Low Steam Generator Water Level Reactor Trip. This trip is necessary for the present design to avoid a potential control system and Reactor Trip system interaction. Therefore two independent and safety related trip channels are provided.

The new three input digital control system will continue to function if any of the level sensing instruments fail. However, the assurance that the signal from the failed detector will not be selected depends on the operation of the non safety grade computer systems. The failure analysis provided by Westinghouse should consider the requirements of IEEE Std. 379 Section 6.3. It requires that "the single failure analysis of the Class 1E systems shall be preconditioned by the failures that the non-Class 1E systems may cause". If the steam generator level detector fails hi and the non Safety Related controller, components or the software is assumed to fail in a manner that this signal is selected, then the level control fails. Since this is the initiating event, a single failure of a second detector would result in a failure of the reactor trip.

The review by OSR can not determine if the above failure modes of the Westinghouse digital control system are possible. This can best be determined by Westinghouse. We agree that isolation devices are provided to protect the Steam Generator Level Detectors. The comments are made since the non safety related control system design must be [illegible] to avoid selecting the output from the failed level detector. Since this system is not safety related its successful operation should not be assumed. If the hi signal can be selected then the new design is susceptible to a similar failure mode of the present analog control system.

Westinghouse should be contacted to resolve these comments before the present Steam/Feedwater Flow Mismatch and Low Steam Generator Water Level Reactor Trip is eliminated. OSR can not concur with the no significant hazards consideration determination until these comments are resolved.

JAN 25 '93 14:40 6093391448