ML20058E366
| ML20058E366 | |
| Person / Time | |
|---|---|
| Site: | Farley  |
| Issue date: | 07/31/1990 |
| From: | Mermigos J WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML19310C816 | List: |
| References | |
| WCAP-12676, NUDOCS 9011070145 | |
| Download: ML20058E366 (23) | |
Text
.,e,,. '.
- g g
.g
'N i
4
~ '
t e
.f g
p
?
.v.
s, c.
W e.
i m..
i a
w
.y y
l 9
e es I-a'*
A P
4 6
h.
5 3
+
g g
e
?
. ~.
?
r' s
s g
a r-r'.'
g f'.
9.
m 3
e
+
4
.g A
er i.
,s
\\
l q
I.
4 P.
hr
.ec f.:
L
?
e a-M e e
?
- l s
f 6
y
,s g
y
~
D
' ?
? :
s
+
p.
y e.
e
~
G e
+
'e i
v r
h"
,l-a.
e s
'v
=
a 1,,,
e t'
~
Y !
i A
4 r
e, i
.(
Y Ei 1"
'E
's.
g s
e
~
g.
y e
'.i 4
(
I
~
-T'
.g 4.
2*
4 4E 6
3
~
8 e
',s
,c\\'
e
'!K V.
MS
j
- O M'
k'<3 g
.).
48 -
6 s
'k 4
. m
.v.
Y
.m v
G To Y
(.'
?-
h'.
4*
e
{
o k
a t
'E
. i 4
k
- 4
- g.,
+
y
,. +,.-
,a
- x,.
s
. =
4 g
s s7
'A
'. s '^-. ~.
r 4
g.
- 4 t
i 4
s oM 107019 [d,b 9
~
~
gg ADOCL -
pot
.y p
o-
w-
..+ -.....,
.%..,,s-y
.. r E.
4 si in
- t
.. - - x Y.
4 eg 4_
' t M-
-4 e-Y
.c
'H
& to.o ; '*
.Y.
f F
e' s'.
O k
3 e
c{g g4 x
5e g
?
s I (
P p
k' s,..
k g
,g.
+
3 '
s
+
,=
- j s
3 s
4 n
v e.
,.e...
, h.
+
p s
K i
a-eu y'
+,
i -
y
- f.... -..'
- r....,
(
.e 4
$p '
~
s"
..6 J
4, I
f.
'+
8 I
et
.-.d:
I,.
m a
f i ~? v
- f
= *,.
-+
+. i g
O,.
2
.l
?
+
.X?
g
~*'
. i 4
'M
..y a
,y g *
.. ~
s
?-
+
C y
c g+.
d, o
+
d u1 4
3 s.
a 6'
+
5 D
I
.g-N *'
g s.
m
_ ~
y-g
^-
e g
- . a I:
~
r, e.
e t
s
,,. +<
- g
,-. 3.s 9
',.i
+
4 w
3
.- ^'
a-
- 4
+'
5 y
W s
~
+. k
'6-
=
s9 3
4
<L u_
e
. j
@J
' k 4-i g
m'~*
4 y
(_,
n
'i '
g w.
I
..l g.
/
~.
2
- e s
.g.
,(
2 y
i 9
3
't
+
i l
y i
M' s
y l
g.
f.
et 4.
s y
y gM a
n e.
.?
s
. ~.s s
e NN N
g g
t 4 +
4 w - h g..
y.
6 a
~
t
~
L 4'.
I a
jg w
+ +.
- n. =2
+
g
(
- ~
w.
+
p.
W f,
.m.
e
.e a
5
+
s,.
4 m- - - >- ', _...
u - -.
y.
e.
8'
, s_
u
-c s'{
.p.
W
- w 4
. N,
' =
- .g
.m
- l H
x,.
d
.s 9
x'~-
4 e
~
Y c
J a..
-4
.,\\
v.
/.
3
.5
+
r.
WESTINGHOUSE CLASS 3 WCAP 12676 l
1 MEDIAN SIGNAL SELECTOR FOR WESTINGHOUSE 7300 SERIES PROCESS INSTRUMENTATION i
APPLICATION TO WESTINGHOUSE THREE LOOP PLANTS EMPLOYING THE RTD BYPASS ELIMINATION ALABAMA LIGHT COMPANY JOSEPH M. FARLEY UNIT 1 J. F. Hermigos July 1990
_ Reviewed By: M8W Instrumentation and Control-System Licensing Approved:
U 'M l
- Manager,
~
Instrumentation and Control Systems Licensing s
b i
Westinghouse Electric Corporation-Energy Systems P. O. Box 355 Pittsburgh, PA 1,5230 c Copyright, Westinghouse Electric Corporation 1990 All rights reserved i
-nn-.. ~
..~,m,
4 i
l ABSTRACT To maintain the current level of functional performance of the Reactor Protection System subsequent to implementation of the resistance temperature detector bypass
. elimination (RTDBE) design modification at the Beaver Valley Unit 2 Nuclear St*. tion, the existing Reactor Control System must be modified by installation of a Median Signal Selector. The signal selector will prevent a potential control and protection system interaction mechanism involving the thermal overpower and
- f overtemperature protective functions.by providing (
]a,c between the Reactor Protection System and the Reactor Control System, in accordance with the requirements of IEEE Standard 279-1971, Section 4.7..
i t
'Various aspects of signal selector use are addressed by this report; these aspects
, include a demonstration of the functional adequacy of the signal selection process j
in preventing the interaction mechanism, requirements regarding device reliability "such as signal selector test and failure detection capabilities, and the Median Signal Selector's [
l Ja.c Additionally, recommendations regarding actions on the
'part of the operator necessary to support signal selector use are presented.
i i
L
[:)
[:
?
I 2
J e
r L
i t
I i
l y
TABLE OF CONTENTS
'SECTION TITLE PAGE ABSTRACT 1
TABLE OF CONTENTS ii LIST OF FIGURES iii ACRONYMS iv 1.0
' INTRODl!CTION 1-1 l
1.1 Background
1-1 I
1.2 Application.to the RTDBE Modification 1-2 2.0 SIGNAL SELECTOR IMPLEMENTATID';
2-1 2.1 Signal Selector Operation & Configuration 21 r
2.2' Signal Selector Reliability 2-3 2.3 Failure Detection 2-6 2.4 Fault Conditions from 7300 Failures 28 2.5 Recommended Operator Actions 2-9 I
3.0 CONCLUSION
S 31
?
5 k
ii
I i
i LIST OF FIGURES
- FIGURE TITLE Figure 1:
Reactor Thermal Overpower & Overtemperature -
Protection Functional Diagram l
Figure 2:
Protection System Inputs to Control System Figure 3:
Signal Selection Block Diagram c,
B e
f F
m 9
l l
i l;
iii
I t
I i
ACRONYMS l'
l MTBF Mean Time Before Failure i
RTD Resistance Temperature Detector RTDBE Resistance Temperature Detector Bypass Elimination i
T-avg Average Temperature RCS Reactor Coolant System hi i
?
'.s
\\
f iv t
I i
SECTION
1.0 INTRODUCTION
In order to implement the resistance temperature detector bypass elimination (RTDBE) design modification at the Joseph M. Farley Unit 1 Nuclear Station.
certain configurational changes must be made to the existing plant instrumentation and control complex to assure that the functional capability l
,and inherent reliability provided in the original Reactor Protection System y design are not compromised.
Consequently, to preserve these characteristics, a Median Signal Selector is implemented in the Reactor Control System for receiving reactor coolant temperature information. The function of the signal selector is to eliminate the potential for a control and prctection system interaction mechanism involving the Reactor Control System and the thermal Everpower and overtemperature protective functions in accordance with the
[
requirements of The Institute of Electrical and Electronics Engineers Standard,
.l IEEE Standard 279 1971, " Criteria for Protection Systems for Nuclear Powered Generating Stations", Section 4.7.
The following report constitutes the technical basis upon which the application of a signal selection device to the integrated RTDBE design is justified.
~
Various aspects of signal selector use are addressed by this report; these aspects include a demonstration of the sufficiency of the signal selection process in: eliminating-the interaction mechanism, and requirementsLregarding device. reliability such as signal selector test and failure detection Leapabilities.
Additionally, recommendations regarding actions on' the part of
, ' the utility necessary to support signal selector use are provided.
l
1.1 BACKGROUND
The fundamental purpose of plant instrumentation and control systems is to l
, permit control of nuclear plant operations, and to initiate automatic protective action in response to unsafe operating conditions.
The i
. infrastructure of instrumentation and control systems constitutes an
' interactive network of electrical circuits through which protection and control functions are carried out. This network can be best described in terms of two i
L functionally defined systems called the Reactor Protection System, and the
' Reactor Control System.
The Reactor Protection System is defined as that l
L l-1
- 1 j
part of the sense and command features involved in generating those signals 1
used primarily for reactor trip functions and the actuation of engineered safety features.
The Reactor Control Systems are defined as those electrical instrumentation and control systems that provide the operator with the l
necessary information and controls to affect proper primary plant control.
IEEE Standard 279 1971 is the governing criteria to which the Reactor Protection System design must conform, as a minimum, in order to meet the degree of operational reliability and functional adequacy considered acceptable for ~ nuclear plant service.
One of the specific provisions of this standard is the' issue of control and protection system interaction as presented in Section
~4.7.
Control and protection system interaction addresses any mechanism whereby the ability of the protection system to accomplish its safety related function is adversely affected by nonsafety related plant control systems. The mechanism tay be.a physical interaction such as electrical faults originating from within the control system and propagating to the Reactor Protection System (thereby bringing about an attendant failure within the protection system), or a i
functional interaction whereby the action of a control system degrades the l
ability of the protection system to provide adequate core protection consistent with_-the requirements of IEEE Standard 279-1971.
To prevent control and protection system interactions, protection systems are, in-general, designed
- with due regard for the requirements of-physical, electrical and functional independence relative to'non-protection (control) systems.
?
1.2e APPLICATION TO THE RTDBE MODIFICATION The current temperature measurement instrumentation provided for Westinghouse
{
three loop plants' consists of two separate and distinct sets of instrument
~
-channels. One. set is designated as a Class-lE system, and constitutes a portion-of the _ Reactor Protection System, it is utilized to provide reactor
' coolant temperature information to the RPS for the generation of thermal
.s overpower and overtemperature protactive functions.
The other set is non Class-lE, control grade equipment that supplies temperature information
- required by' the plant control systems for proper primary plant control.
1-2 5
p-n w--,.-
<n w
-w w,--
n - -, -
w a- - - -. -, - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
f i
Withtthe: implementation'.of the RTDBE modification, the dedicated control system l
resistance temperature detector (RTD) elements will be eliminated. Therefore,
' temperature signals;for use in the plant control systems must now be derived 9
, -from the-protection system RTDs. At a enuit of this configuration change, new L '
complexities regarding control and protection system interaction are introduced
' nto'the process system design.
Consequently, additional measures must be l
i a
p ntaken to assure the' functional independence of the protection and control
' Lsystems.- To. eliminate any degrading control and protection system interaction
~
. mechanisms-introduced as a result of the RTDBE modification, a Median Signal
?
Selector has been incorporated into the Reactor Control System design. The l
! Media'n) Signal Selector preserves the [-
Ja,c of interfacing cont'rolLand protection systems'that share common instrument channels.
)
Protective functions associated with the temperature measurement
?
instrumentation' consist)of two reactor trip channels; the overpower delta-T lt LtripJchannel and,the overtemperature~ delta-T trip channel. Ther' nrotective l
n ifunctions utilize' loop T-avg and delta-T signals, derived from tn=.iCS loop g.
narrow. range T-hotland T-cold measurements, to provide core protection against
[, :several condition Il accidentsf a's detailed in' the plant's Safety Analysis l
/ ' Report.
Botkof these trips are; configured with two out of three (2/3)
}O LaEtuationl'ogic.(TheicgicschemeisdepictedinFigure1,FunctionalLogic
! Diagram for Reactor Trip' Functions, j
g o
1 r
6.
Because' the ' dedicated control system RTD elements will be eliminated by the
~
[? < R1DBE; modification,[it is necessary to supply temperature information to the.
M J L Reactor: Control SystemLfroin the ' protection system.- For the RTDBE
\\
r,
LiCplementation,1 the calculated temperature signals T-avg and delta-T (one isignal. perNep)' are supplied a~s input to the Reactor Control. System.
- Thus, j
j, proper operu lon:of the. Reactor Control System will be.' dependent on the f Jint'egrity;ofithe channel selected. 'This characteristic l imparts a functional:
c
~
n p
dependence oflthe R'eactor Control; System on the' Reactor Protection System.
7
, LTnisiintrbduces "ie possibilityLthat certain failures, which.may occur in the
- l
. Reactor-PfotectioniSystem,' may negate a 'particular channel ~of a protective i
^
- I function,.and: simultaneously cause undesirable control system action that L
requires subsequent protective action, from the-failed safety function, in L
order to rrevent the transient from exceeding-any design safety limits.
For i
jsucha-scenario,cIEEEStandard 279-1971, Section 4.7.3 imposu -the jconsideration'of an additional random failure in the Reactor Protection System.
i-3 m
- n m
.l 07 p
if
]'
i
- Theundirlyingl'ogic'isthattheinitialprotectionsystemfailureis W
considered the. initiating evere fo, ;he transient, and, therefore, does not g
lg
- constitute the " single failure" IEEE Shndard 279 1971 imposes on the d
' protection system. As such, an additional protection system failure must be l postulated to occur, and the protection system must continue to be capable of l
f
' sinitiating the appropriate protective action.
1
.For example,- consider the hypothetical situation where a single T-avg sprotection1 signal is utilized to provide the input to the Reactor Control i
w,.
g" #. System. Failure of this temperature channel in the low direction will generate J
g" control: system action that results in control rod withdrawal.
Consequently, i
T E"the' thermal. overpower and overtemperature protection channels may be g,
~ subsequently required. The 11miting single failure in this instance would be a
]
= failure of one of the two remainina T-avg temperature channels. This leaves
[ m Lonly one-operable channel _which is-insufficient to satisfy the 2/3 actuation
?
logic implemented in,the overpower and overtemperature reactor trip functions, h
L *,10neTsolution;to:this:prolem is'to eliminate the need to consider a second 4
Lrandom failure by functionally isolating the Reactor Control-System from the.
I 1 Reactor' Protection System..This isfaccomplished by implementing a. Median i
n
~
g 1 Signal: Selector in'the Reactor Contro1' System..The signal' selector will-
% deceivef as input all-three channels of T-avg information,' and choose the median
' f (signal'for-controlipurposes..Thus any.singleifailed temperat'ure channel will f
g not result in adverse; control system bohreior. The delta-T' signals that are 4 transmitted to.the: control system are nst required to be input to a Median
[
! Signal' Selector since there ' arc no cearol 'and.' protection system interactions
~
'asiociated with the' delta-T calculated ' signal. Although the delta-T. signals c
%,,c~an be input to. improve.the availability of the delta-T calculated signal.' A
( [ block diagram ~ illustrating the protection system inputs to the control system i y is shown in; Figure 2.
The contro1 Land protection systems are.then functionally iisolated,7 as well as physically and electrically isolated. Thus, ~T-avg signals o_
uw f
jesulting from'a' eingle1 failed high.or' low. temperature channel will' be rejected i
h,[for control.. purposes and, therefdre, will. not affect the plant control system.
l
' 'C"LlHence,thecontrol.andprotectionVsysteminteractionmechanismhasbeen eliminated =
i 1-4
- b
~,,
. -.. ~.
W
_4 SECTION 2.0 l
SIGNAL SELECTOR IMPLEMENTATION 9
i The' objective of this report is to address engineering issues relative to the
- use lof. a Median Signal Selector in-eliminating control and protection system s
-interaction involving the Reactor Control System.
In meeting this objective, the characteristics of signal selector operation and signal selector reliability
-I ig willjedeveloped.
The discussion regarding signal selector operation describes
'f N
the units hardware configuration-and evinces the operating principal of the p signaliselector.
This. demonstrates how the device provides functional isolation
~
c as.-detailed in Section 1.
The ' discussion regarding signal selector-reliability i
k demonstrates that,the signal ' selector possesses the requisite degree of
.j K
.: operational readiness acceptable for nuclear plant service.
This discussion l
b will address quality'of signal selector hardware,. and the capability for, and y
- adequacy of sig'nal' selector. testing.
}'
p ' ~2.1 SIGNAL SELECTOR' OPERATION-AND CONFIGURATION f,,
s t
[w
~
L a,c t
L
\\.'
?,
g" LTO information in this section.has been omitted
[y from,the.non-proprietary version:due to'its j
j'.
Eproprietary nature? This'section dealt with pV y
' Signal Selector Operation and Configuration y
y.
o fu
,c1 i
n I:Ql "r
l
'(
f g
= = = = = = =
.{,
p
'k 2-1 l$b
- \\;
4 i
i e
(The' Median Signal Selector (MSS) for the process instrumentation at the Joseph
!M. Farley' Unit,1 Nuclear Station consists of four auctioneers.
(The four
' ~ auctioneers 1are NSA G03 and NSA G04 modules, for low select, and high select,
- respectively.) There.are three low select auctioneers and one high select auctioneer. - Another: card (NTP module) is required to provide test points.
The four active. cards consist of operational' amplifiers configured with appropriate input and feedback resistance and diode networks and with appropriate input and
. output signal conditioning. Th.e algorithm of this system produces an output' signal-that is equal (in voltage) to the median of the three input signals.
fio bevelop this algorithm one starts' by using the three low select i
p<
" auctioneers.
For a block diagram. layout of the Median Signal-Selector see L
Figure 3, SIGNALJSELECTOR BLOCK DIAGRAM.
Into these three low select
, 1
[,- auctioneers are input all combinations of the three input signals in groups of two.;.For example, Low; Auctioneer 1 would have as its inputs signals A and B.
, low-Auctioneer 2 would have signals B and C and Low Auctioneer 3 would have A k
and C. ' This "first stage" of the signal selector process will eliminate the i
ihigheitL of-all three sign'als.
L[
- The next' step of the median signal selector process uses the High Select
~
- Auctioneer.; The' output of the three low auctioneering cards will be. input to the high auctioneer. The inputs _to this high auctioneer will be the median =
l signil: and t'wo signals lthat are-the lowest signal.
The.high select will choose Lthe, highest of these three signals which wil_1_ be the median signal of the three original input signals. ' The'"first stage"'of the' signal selector: eliminated.
' ithe highest-signal,4 and the "second~ stage" of the signal selector eliminated
'the lowest of the: input' signals.
We have illustrated how the' median signal selector rejects ' signals that are
- lower-orl higher-than the median.
In normal-operation the low and high signals
'will be within~ the accuracy tolerance.
In the case that a signal should be low.
Lor high' because:it has failed. i.e., it has failed to achieve the accuracy
? tolerance, we'have. demonstrated how it'is rejected for control purposes.
In other words, the control and protection interaction mechanism has been
~
eliminated,-in that a single failed protection signal will not be propagated-
~
i into the control system.
2-2
yy,-
o' l2.2'iSIGNALSELECTORRELIABILITY_
a,c i
1 I
q 1
a ji The information in this section has been omitted j
I
'from the non-proprietary version due to its
{
proprietary nature. This section dealt with y
Signal Selector Reliability r
i l6 '
lpg L(L n
Ja,c.Therefore, steps have been taken to ensure sthe reliability of the signa 1' selection process.
[
p i
1 ja,c m
The' key to.ensur'ing proper signal selector operation. lies with the unit's I
w m
. reliability. LThe signal selector is designed to be consistent with the reliability-
-r.
l[
Echaracteristics necessary to' preserve the total integrity of the protection system.
7, E".'
- [r 1
r
'(
F i
i Ja,C-1 4
f i, 'i L'
.(.'
i I
W. X, ; 4-d,b 5-l--di' n, n-l_
-s 1
'l
i aff
]a,c-
- j. s
-.lEEE Standard 279-1971 delineates certain functional performance requirements regarding aspects of system reliability for protection systems. Because the signal selector will be implemented to support the protection system, it has been evaluated against those criteria considered applicable to its design as presented below..
Canability for' Unit Test:
The signal. selector'has been provided with the capability for on line testing.
Signal selector testing consists of monitoring the three input signals and the one output signal via test points. Comparison of the output signal to the input signals permit determination of whether or not the. median signal is being
. passed, and, consequently, whether the signal selector is functioning
. properly. Any ' output signal at a value other than that corresponding to the
' median signal isEindicative'of-a unit failure.
. Thei signal' selector should' be < tested concurrently with the protection nstrume't' channels feeding lthe unit. Test signals' are received from the i
n
' protection l system, as would'a' normal process signal, when the individual instrument) channels are placed-in the test mode.. [-
~
g
]a,c As the test. signal l magnitude is varied,: that instrument channel,which' represents the median signal will also be! altered allowingithe technician to determine the. presence of proper signal selector action.
S 1
Signal; selector testing consists of. measuring input and output signals which
. allow thec o'peratorsto. infer proper unit operation. We may examine, in iprincipal.. a typical 1 test sequence for the signal selector. ~As an example consider?th'e following assignments of hypothethical signal strengths to the three-inst' ument channels feeding the signal selector.
r Channel A - 4.0 volts Channel B - 5.0 volts Channel C - 6.0 volts 2-4 1
'l'l
- With-these assignments, Channel B would be selected as the median signal.
, L This may. be'. verified by noting the signal selector output voltage at the appropriate test' point. Now, let channel A be taken to test. As the L
signal' strength of Channel A is adjusted to any value less than 5.0 volts, channel B will continue to be selected as-the median signal.
However, as 1
-tha test-signal-strength is adjusted to a value between 5.0 and 6.0 volts, 4 channel A (the test channel) should be selected as the median signal, and finally as the test signal is raised to a value in excess of 6.0 volts, channel:0 will be' selected.
In.this manner, testing with a single input channel permits an assessment H
- of a,spedtrum of signal selector operational modes.
Furthermore, it should l
be emphasized that although each operational amplifier in the circuit is not specifically exercised lduring testing of an individual channel, all
[
);
" operational amplifiers will.have been exercised once each of the three
- protection'-sets has been-tested.
[
l k.%
l '.
P-q l
ja,c It.should also.be' noted that in practi.ce,1during normal operation, E'
tinstrumentation channel signal strengths 'may be'sufficiently: close that ltheir degreef of proximity to' one another makes it difficult (if not' L
Y l impossible).to determine when the test channel signal falls between the-h f - }f remaining?two channels. Nevertheless, it is still po
[ j; proper signalEselector operation by verifying that the test channel is-indeed rejected when it is taken to the high orLlow position.
1
$ ', IOuhlity of Comoonent's:-
f U
1 Components utilized in the signal selector.are of a quality consistent with-i
. low failure rates and minim'ur maintenance-requirements, and conform to prote'ction system requ'irements.
[
lj 2-5 o
m y
s 5
' Eauioment Qualif1 cation:
Equipment; qualification is aimed at improving the. operational reliability of safety related ' equipment by reducing the potential for common mode failures brought about by adverse environmental influences.
(
m ja,c w,
4 tThe remaining-attributes of IEEE Standard 279-1971, Section 4 are not
. considered applicable to the signal selector design.
2.3/!FAILUREDETECTION e
pf At[this.p6intLitiis-instructive to illustrate how system failures will manifest l
themselv'es /at the signal'. selector output; ;in doing. so,' we further= justify the test i heapab.ilities of the signal. selector as being adequate for failure detection.
s y r ;Let the previous signal.-assignment apply with Channel-A in test. ' As channel A is J
m aried.-all.four modules are exercised.
Not all components in modules are v
x -
4
.o lexercised, however. For: example the low auctioneer. may be' passing. a low signal.'and
- ifcthe test voltage is higher, then the. output of that module is not changing.
i
- However, it'must be operational for proper device action. One may postulate.the L
I aiIure of any active component,.(the buffer amplifier corresponding to the B input f
to the' low' auctioneer, for' example) such that it passes a voltage signal magnitude s
l Other than the magnitude received from the protection system, which for our.
. purposes. is; 5.0. volts as determined by direct measurement at the output. With _the
,' est signal-(channel A) adjust to any value that forces the " selection" of channel t
B -as the median signal, the output of the MSS should-b'e of equal magnitude.as the 2-6
- g.,
j
~i -
+
0
. input.to B-(5.0 volts). However, the input buffer in B has been failed by postulate to some value other than 5.0' volts which has an attendant effect on e
the~ signa 1' selector output voltage; therefore, the signal selector output voltage willl reflect this anomaly and signal selector failure is detected.
.Similar scenarios may be postulated for each of the other amplifiers with
' equally unambiguous results.
In fact the following generalities regarding failure modes'may be stated:
J
. 1. - Failure of any. single amplifier in the auctioneering circuits will be readily manifest through test point voltage measurements alone, if it f
- forces the auctioneer to pass a voltage different from the expected. voltage P
' based on measurement of the actual protection system input signals.
- 2. ' Failure of any single amplifier.in the auctioneer circuit that does not force the above action (such s a failure of the highest reading amplifier
>in theLlow' auctioneer circuit failing high) will be apparent during test
!once the testL voltage.is adjusted to a value which would, under normal conditions, forceLthe failed amplifier's signal to be passed, as determined' by. examination of the input voltages.
o Inasmuch as; all' modules will be exercised during a: complete test sequence, even "as-is" failures, in which an amplifier fails at'an output voltage (which corresponds to.its output under normal operating, conditions, will be L
readily detected,as theTtest procedure,is conducted..: Multiple failures in
~
the MSS willJsimply compound the. effects of: failure.?Of course, in l~
practice, it!is-not necessary to; determine to which' amplifier.the failure 1
is confined;1rather,Ea simple, card replacement followed by a repeat test sequence will-reveal correction of any:pr'oblems th'ai have'been-identified.
Thus,Lwe find that rottonly is'thel signal seledtor des'ign consistent with low failure. probability, but that circuit failures are clearly manifest m,
'during MSS testing..
e 2-7 i
4 m
-e
- + - =
2;4 FAULT. CONDITIONS FROM 7300 FAILURES a,c i
The information in this section has been deleted from
+
u the non-proprietary version due to its proprietary i
nature.
Tnis section dealt with Fault Conditions 3
From 7300 Failures 1.
1, 13
- o r
)
Tbe following assumpt' ions were made in evaluating the 7300 fault outputs.
L lo K
- 1.-
A. failure on the non-Class-1E side was considered the same as a
- control. failure. ' [
t i
f
.. ) a, c p
. 2..
1 ja,c-It' was not assumed that the isolation
~
device' prevents-the failure from. propagating across _to the L,
non-Class ~IE side.
_a U
The analysis'was limited to:a single failure. Multiple failures'on 3.
the same-board / channel were not considered.
L: W
> 4,
. Failures that caused;the output to remain "as-is" were~ considered L,
acceptable.
'a y4
+
' 'MQ a,c
/d i
c L i I?
, W 2-8 y
1' i
t
.1
q Q4 p, '
12.5-RECOMMENDED OPERATOR ACTIONS The objective of this report is to present information which supports the implementation of a signal selection device as part of the RTDBE design modification.-: ALproperly designed selection unit,- that possesses the requisite j
h
- reliability chara'cteristics as presented earlier, is paramount to preserving the total integrity of the Reactor Protection System. Notwithstanding, signal
/
selector. implementation must be fully integrated into'the overall plant operating j
scheme. Consequently, certain actions and policies need to be adapted by the
, : utility-in order to preserve the-integrity of the Reactor Protection System.
These actions' include:
- 1. ;
Conducting a. review'of all pertinent operating procedures to ensure they are 1
[
consistent with, Land support operation with a signal selector, including-
{
' administrative controls for operations with the signal.' selector disabled, or j
in. a1 test ~ mode. 'ForL example, when performing functional checks the.
i protection-channel should:be in the tripped condition. Attendant procedura 4
modification 'should. be affected.
-(
.2.;
Implementing necessary ~administrativa controls to ensure that signal
. selector: testing is. carried out at.the appropriate frequency, and that consistent: requirements for control room surveillance of Reactor Coolant
.l
['
S$ stem temperature during the shift are ' established.
[
2 13.c
. DevelopingL procedures for signal. selector. testing including test acceptance criteria..
?
?
+
ji- -
1
,kl E
L+
- k
[
[
t,(
7 1
'l
V
?
SECTION 3.0.
CONCLUSION
}
Based on the information' presented.in this document, a Median Signal Selector is deemed an acceptable means of addressing control and protection system 4
. interaction following the-implementation of the RTD Bypass Elimination
- modification.. Whereas the signal selector is being utilized to address an aspect of protection system functional performance relative to IEEE Standard 279-1971,
[
or
]C I'
Additionally,l high quality components commensurate with those used in the p
- protection system are also used to improve the overall. unit reliability. _ Due p
consideration of, the " Recommended Operator Actions" presented in Section 2.4 is.
essential' to the: application-of the signal selector in preserving the total protection system integrity.-
)
. I
~
l;,,
j i'
l; 1
h J
p I
o 3-1 f
y m
m-
.g-
-44,a m
4 W, Amu 4 na 4A 5
.-sA A=A4<
4e
-s--
6 L
A b-J A-&. - *coeu a
4 f
E
')!-
- (
m
' xx x2 E
h h
9 C
h 1
l-l.
n n
/:
N N
I:
N N
l, s
it
$as hU n o h h m
m
)
1 W 1 &
y Lg s' y -
g s
H H
O.
O d-g g, -
o g<
g E
<8
{
, [
-;a i
'to D
3 4
-r r,
8 y
v-
' w wi -,
4
-1
- LO e
r L.
t.
w l ,
b 1
h l,
-b l
4 fOi 4
' I p
l Hlm
- l s
m
. i, x-4 i
jt.
r!.
4 i '
.}'
1
f,.
"m&,
Cold Leg Temperature
- Hot Leg Temperatures
{
TH1 lTH2-TH3 lTC
-l inject ll '-
. Test l Test l Test. l l Test -
inject
. l inject I inject l '
i Test Test Test Test wit witc wit wife i
n
/
I --
l R/E R/E R/E I N
H
]
D 1
n isot. H f
V To Plant -
Computer E/3 d ISOt-THAVE r Isot.
~i 1
I,
. {
To l : T Average l -
l Delta T-l i
H To Median T
Medan N
Signal Signal Selector Selector Protection System.
l t
i FIGURE 2: Protection System Inputs to Control System i
I Del?6:10431598 t
af w-
.W e
e ag.,a
,*_.w->
o--
, p he %a 9
s-..rw
.w-asg e:
y w,.
-.-3,.e w-e:
y q
u t
(=
. j f,*-.
1 T
inputs A
B C
' from to >
,e V,
(Input A) v v
v v
v v
Lo-Lo Lo' Auctioneer -
Auctioneer Auctioneer L-
.NSA3 NSA3 NSA3
-V-V V Hi-Auctioneer n.;'
-NSA4-
+ output'=
m Wedlon(A, B, C) t i
. ; p. '.I s
FIGURE 3
- . l SIGNAL SELECTOR BLOCK DIAGRAM
.[}in q
4 l
..-L,'_----__--_-_
- - - - _ - - - _ _ _ - - - - _ - - - _ _ - _ _ - - - - _ _ _ - - - _ - - - - _ _ _ - _ _ - - - - - - - - _ - - - - - - _ - - - -