ML20154L650
| ML20154L650 | |
| Person / Time | |
|---|---|
| Site: | Prairie Island  |
| Issue date: | 09/30/1988 |
| From: | Adams J, Erin L, Morris P WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML19297G997 | List: |
| References | |
| WCAP-11932, NUDOCS 8809260238 | |
| Download: ML20154L650 (35) | |
Text
b WESTINGHOUSE CLASS 3 WCAP-11932 ADVANCED DIGITAL FEEDWATER CONTROL SYSTEM MEDIAN SIGNAL SELECTOR FOR NORTHERN STATES POWER PRAIRIE ISLAND UNITS 1 & 2 L. E ERIN J. M. ADAMS September, 1988
, Approved: . A4d Approved:
Manager, Manager, Instrumentation and Control System Design Control Systems Licensing Technology Approved: k'Y
/arprfger./, /
h Process Yontrol Equipment Westinghouse Electric Corporation Power Systems Division P. O. Box 355 Pittsburgh, Pennsylvania 15230 8809260230 DR 080915 p ADOCK 05000202 PNU
O I
8 ABSTRACT To improve the overall performance of the Reactor Control and Protection Systems at Prairie Island, the Feedwater Control System is being enhanced
~
by the installation of a Median Signal Selector. The signal selector will eliminate a ( Ja c mechanism involving the steam generator low low water level protective function by providing ( Ja,c between the Reactor Protection System and the Feedwater Control System in accordance with the requirements of IEEE Std. 279-1971.
Various aspects of signal selector use are addressed by this report; these aspects 'nclude: 1) basis for removal of the low feedwater flow reactor 4
trip, 2) a demonstration of the functional adequacy of the signal i selection process in eliminating the (
! Ja.c mechanism, and 3) signal selector test and failure 1 detection capabilities, i r l
- r t
i 1
1 1
i l
l l
- --. . ~. _ _ _ . _
TABLE OF CONTENTS l
t a .
4 Abstract Acronyms List of Figures 1.0 Intreduction 1.1 Backgrcund '
1.2 Median Signal Selector 4
2.0 Steam Generator Reactor Trip Functions '
2.1 Steam Generator Low Low Level Reactor Trip .
I j 2.2 Low feedwater Flow Rene, tor Trip J
I J 3.0 Elimination of Low Feedwater Flow Reactor Trip i l *
' 3.1 Elimination via Four Steam Generator Level Channels 1
3.2 Elimination via Median Signal Selector !
i j 3.3 Advantages i l 4.0 Median !!gnal Selector Implementation I i j 4.1 Operational Description i l
4.2 Software Description i 4.3 Hardware Description ;
, i I I i
q 5.0 Failure Detection l 2 .
(
) 5.1 Diagnostics 5.2 Test Capability i
e i
J l
1 i
l
t TABLE OF CONTENTS i 6.0 Fault Tolerance 6.1 Reliability l 6.1.1 Frequency of Failures 1 6.1.2 Consequences of Failures 6.1.3 Duration of Failures 6.2 Configuration Certification .
i 7.0 Conclusion ,
Appendix 1 - Fault Trse for the Westinghouse EAGLE DPF !
Advanced Digital Feedwater Control System f
f b
I l
i 1
I l
I i
, i ACRONYMS RPS Reactor Protection System RPCS Reactor Plant Contral System NSSS Nuclear Steam Supply System RCS Reactor Coolant System i
W EAGLE DPT Westir,ghouse EAGLE Distributed Processing Family l
1/0 Input / Output !
DPU Distributed Processing Unit RCS Reactor Coolant System AFS Auxiliary Feedwater System ,
I FCS Feedwater Control System j l
MSS Median Signal Selector i;
LED Light Emitting Diess MTBF Mean Time 'setween Failure CLP Con'.rol Loop Processor AC Alternating Current
- DC Direct Current [
USAR Updated Safety Analysis Report !
l i
r h
LIST OF FIGURES (
i
~ ,
t i
1 Original Functional Design l
.; 2 Median Signal Selector Functional Design i i 3 Median Signal Selector Functional Diagram l 4 Modularity Illustration
[ 5 Westinghouse EAGLE DPF System Architecture Overview l
- 6 Input /0utput Points
! 7 Median Signal Selector Configuration l ;
l 1
t i
J r I
I l
l l
)
J r
a I
i u :
f i
4 i
1 l
l I
i 1
a d
I I
J
1.0 INTRODUCTION
1.1 Background
The fundamental purpose of plant instrumentation and control systems is to permit operational control of the Nuclear Steam Supply System (NSSS), and to initiate automatic protective action in response to unsafe operating conditions. The infrastructure of instrumentation and control systems constitutes an interactive network of electrical circuits through which protection and control functions are carried out. This network can be best described in terms of two functionally defined systems called the Reactor Protection System (RPS), and the Reactor Plant Control System.
The Reactor Protection System is defined as that part of the sense u d command features involved in generating those signals used primarily for reactor trip functions and the actuation of engineered safety features.
The Reactor Plar.t Control System is defined as those electrical instrumentation and control systems that provide the operator with the necessary information and controls to effect proper primary plant control.
\
Accordingly, operation of a nuclear facility without ur.due risk to the health and safety of the public is largely predicated upon RPS design attributes which assure proper and complete operation of the RPS; these may be briefly summarized as RPS functional adequacy, and operational readiness. To insure that these characteristics are adequately implemented in the overall RPS design, the code of Federal Regulations requires that certain criteria be adhered to.
Specift: ally, the Code of Federal Regulations, Title 10, Part 50.55a, Codes and Standards, (h) protection systems, endorses the Institute of Electrical and Electronics Engineers Standard, IEEE 279, "Criteria for Protection Systems for Nuclear Power Generatino Stations", as the governing criteria to which the Reactor Protection System design must conform, as a minimum, in order to meet the requirements of functional adequacy and operational reliability. One of the specific provisions of this standard is the issue of (
]ac Page 1
. - l l
Basically,( '
I
. ja.c The mechanism may be a (physical interaction such as electrical faults originating in the control system and propagating tola.c the protection system (thereby bringing about an attendant failure within the protection ,
system), or a (functional interaction where the action of a control system is coupled to the ability of the]a,c protection system to provide adequate core protection consistent with the requirsments of IEEE Std. ,
279 1971. Once the failure mechanism l
(
]a.c has occurred, the protection system must continue to satisfy i all reliability, redundancy, and independence requirements. To prevent ,
[ Ja,c protection systems are, in general, designed with due regard for the requirements of physical, electrical and functional independence.
~
In the Westinghouse NSSS design, the Reactor Mant Control System derives many of its input signals not from dedicated control system instrument I channels, but directly from the protection system instruments through !
isolation devices. The requirements for process parameter measurements i for control and protection functions so nearly overlap that the same measurements serve both purposes equally well. Therefore, common
- instrument channels are, in essence, used in both the Reactor Protection !
System and the Reactor Plant Control System for those process parameters !
for which measurement is required in both the protection and control l system designs. This practice allows the NSSS to be controlled from the !
same measurements with which it is protected. Such a scheme precludes any j sensor deviation between control and protection functions which serves to l maintain margins between operating conditions and safety limits thereby reducing the likelihood of spurious reactor trips, and considerably :
reduces the tasks of channel calibration and maintenance. However, this l design r,onfiguration does present further difficulties in the area of l
( Ja c and in order to take !
I Page 2 '
advantage of the benefits derived from such an equipment configuration, additional measures must b) taken to assure the (functional independence !
of the protection and control systems.)a,c l.2 Median Signal Selector I !
Ja,c The MSS selects the l median of three steam generator narrow range level input signals ( {
l I
l l
I l
Ja c 4,c The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed operational benifits and location of the Median Signal Selector.
l l
h e !
Page 3
1 a,c ,
The material in this section has been deleted from this nonproprietary .
document due to its proprietary nature. The material in this section ;
discussed operational benifits and location of the Median Signal
~
Selector.
i I
f l
l d
4 Page 4
2.0 STEAM GENERATOR REACTOR TRIP FUNCTIONS l
The present Prairie Island reactor trip functions associated with the l
l steam generator protection system are: 1) the steam generator low low l water level reactor trip and 2) the low feedwater flow reactor trip (see !
Figure 1). .
l t l
l 2.1 Steam Generator low Low Water Level Reactor Trip j i
The basic function of the reactor protection cire,uits associated with !
steam generator low low water level trip channels is to preserve the steam l
generator as a heat sink for removal of residual heat. This automatic l
l protective action is taken before the steam ganerators are dry to maintain !
the heat sink, reduce the capacity and starting time requirements of the i i Auxiliary Feedwater System (AFS), and to minimize the thermal transient on
{
the Reactor coolant System (RCS). This trip is actuated on coincidence of ;
two out of three low low water level signals in any steam generator. !
l 2.2 Low Feedwater Flow Reactor Trip ;
a,c !
' I The material in this section has been deleted from this nonproprietary j i document due to its proprietary nature. The material in this section l discussed the low feedwater flow reactor trip. !
l I
l 1 l - -
l l :
l l l l l l
l l
I I
1 l Page 5 l
[ l L_._-__... . _ _ _ . - . -_ _
a.C The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed the low feedwater flow reactor trip.
l l
1 1 *
- Page 6
e O J
i a,c 1
l The material in this section has been deleted from this nonproprietary
~
i document due to its proprietary nature. The material in this section 1
i discussed the low feedwat.r flow reactor trip.
1 i
i.
f l
l l
1 i
j .
i j
i 1
)
i l
1 I
4 9
Page 7
O i
3.0 ELIMINATION OF 10W FEE 0 WATER FLOW REACTOR TRIP 1 .
3.1 Elimination via Four Steam Generator Level Channels j a,c The material in this section has been deleted from this nonproprietary j document due to its proprietary nature. The material in this section 4
discussed elimination of the low feedwater flow reactor trip via four
- steam generator level channels.
1 4
i 3.2 Elimination via Median Signal Selector i a,C The material in this section has been deleted from this nonproprietary j*
4 document due to its proprietary nature. The material in this section riiscussed elimination of the low feedwater flow reactor trip via a I Median Signal Selector.
(
< l 4
O Page 8
l l a.C [
1 1
The material in this section has been deleted from this nonproprietary ;
I -
document due to its proprietary nature. The material in this section discussed elimination of the low feedwater flow reactor trip via a j Median Signal Selector, i 3.3 Advantages ,
?
a,C l
The material in this section has been deleted from this nonproprietary [
document due to its proprietary nature. The material in this section I discussed advantages of eliminating the low feedwater flow reactor ;
trip.
{
l I
r f
1 i
i I
f l
9 Page 9 l
_._.~ ._ _ _ _ _ _ _._ _ _ __-- _ _ ___ _ _.. . _ . _ . _ _ _ . _ - _ . _ _ _ . _ . _ _ _ _ _ _ . _ . _ _ _ . _ _ _ .
4.0 ME0!AN SIGNAL SELECTOR IMPLEMENTATION 4.1 Operational Description The MSS receives three isolated narrow range level input signals (see f
Figure 3) designated as A, B, and C for each steam generator. The algorithms are configured to [ i I
i
}
Ja.c.e.f This output value is the median !
of the three input signals. For example, suppose that A, B, and C are !
I signals representing 30%, 40% and 50% of steam generator level. After the
( l l
Ja.c.e.f This signal representing 40% level !
l 1s now forwarded to the algorithms for feedwater control. Thus, the MSS .
will always select the median of three input signals, [
f l
l , Jaic !
l l
l 4.2 Software Description l
1 l The Westinghouse EAGLE Distributed Processing Family (W EAGLE DPF) MSS l function is configured using a Graphics Process Control Language. This
(
l high level language enables the system engineer to use menu driven screens l and interactive fill in the blanks editing to configure process control i loops, create a data base of input / output points and display the loops as configured during operation. The graphics language is comprised of three i subsets known as Data Base Generation Standard Modulating Control and l Ladder Logic Control.
i l
\
l I l
l t
\
l Page 10 j i
i .
l The data base of process inputs and outputs is created by using the subset i called Data Base Generation. The system engineer uses an interactive editor to load the EAGLE OPF with the characteristics of each input and output point. Information such as point type (analog or digital), alarm limits, scaling and hardware address are entered into the data base for each point. :
i The process control loops are configured by using the Standard Modulating ;
Control Subset. The graphics editor displays a screen showing five blank :
lines for input points at the top, five blank lines for output points at l the bottom and eight blocks for algorithms in between (see Figure 6). The l system engineer configures the control loops by filling in the blanks with !
input and output points defined in the data base and a standard library of l 24 field proven algorithms. The inputs, algorithms and outputs are then l connected to show the signal flow through the loop (see Figure 7 for MSS configuration).
In summary, the graphic process control language simplifies system l configuration. This fill-in the blank type language affords engineering l personnel the ability to make changes (if necessary in the future) without a background in computer languages such as BASIC, PASCAL, PLM86, FORTRAN, l
l etc. The system configuration is self documenting. All program diagrams and data base listings can be easily printed by a simpla menu selection on a personal computer. i 4.3 Hardware Description !
The MSS function is implemented in Westinghouse EAGLE OPF equipment which is installed as part of the plant control system, f
l !
This state of the art, microprocessor based system is a nature digital !
design, with a history of over 280 industrial uses including utility l appiteations. The modular features of the Westinghouse EAGLE OPF Digital :
Feedwater Controller with MSS permits installation into existing control !
cabinets, minimizing the impact on existing field terminations and wiring ;
(see Figure 4). i Page 11 l l
l
O <
l t
EAGLE DPF utilizes a distributed architecture systm and is basically comprised of input / output (!/0) cards and distributed processing units l (DPU's), which contain the functional microprocessors. An overview of the :
EAGLE DPF system architecture is shown in Figure 5. l
~
For the purpose of ( l Ja,C ;
Power supplies for (
i Ja.c is also provided in the Westinghouse EAGLE l DPF design. Automatic ( Ja.c occurs [
t upon failure of the [ Ja.c The Westinghouse EAGLE DPF equipment represents nine years of intensive :
Westinghouse product development in response to a strict set of product goals. There is an extensive history of industry usage and experience to l date for control system application and data acquisition. '
l l
[;
t
[
[
i l
Page 12 l
- i 1 -_
- . - . - _ _ = - . - _ .
W
. 1
+
i 5.0 FAILURE DETECTION l 1
The Westinghouse EAGLE DPF MSS to be installed at Prairie Island is designed to allow for easy detection of system failures through both self {
f diagnostics and periodic test. These methods for failure detection are !
discussed here below. ;
t i
I j 5.1 Diagnostics j i 1 I The self diagnostics are automatically executed during the normal !
i operation of the system and do not disrupt the real time performance of l
) the process. The major diagnostic features supporting the MSS function i j are as follows: !
a,c.e.f 4
The material in this section has been deleted from this nonproprietary i 3
document due to its proprietary nature. The material in this section discussed the diagnostic features of the EAGLE DPF equipment. (
l l [
! l I
i
! [
! i i i ,
! l l l i i i :
1
. I
! l i
1 -
i :
h i
! Page 13 [
i ;
I . . !
i I l a,c.e,f !
l l The material in this section has been deleted from this nonproprietary l document due to its proprietary nature. The material in this section ;
discussed the diagnostic features of the EAGLE DPF equipment. l i
?
\
1 l !
5.2 Test Capability The MSS has been provided with the capability for on line testing. Signal l
selectortestingconsistsof( Ja,cthethreesteamgenerator t level input signals and (
i Ja.c will permit determination of whether or not the actual median signal is being chosen, and, consequently, whether the !
signal selector is functioning properly.
l t
i Page 14
.--_.-_ - - - _ - _ _ _ _ ~ . . . ~ _ . . - . - - , . - , - . - _ _ - . - .
The NSS can be tested [
ja,c 1
Page 15
O 6.0 SYSTEM RELIABILITY AND FAULT TOLERANCE
~
6.1 Reliability From a functional stand point the implementation uf a signal selector eliminates control and protection system interaction in the steam generator protection circuitry by providing functional isolation from the Feedwater Control System; however, the continued ability of the device to prevent control and protection system interaction is contingent on its ability to select the median signal. Therefore, steps have been taken to ensure the reliability of the signal selection process. Furthermore, the design provides the capability for complete unit testing that provides unambiguous determination of credible system failures.
Reliability of the Westinghouse EAGLE DPF MSS design to be installed at Prairie Island is focused on three major areas: minimizing the frequency of failures, minimizing the consequences of a failure, and minimizing the duration of a failure.
6.1.1 Frequency of Failures The frequency of failures is minimized primarily by the simplification of the hardware and software design. The hardware design is based on a system organizr to limi+ the functions and interactions of each system element. The nean Time Between Failures (HTBF) calculation for the analog input printed circuit card is (
ja,b,c The software design is simplified by the (
Ja,c In addition, extensive quality assurance and testing programs are utilized to ensure an error free system.
6
)
4 Page 16
6.1.2 Consequences of Failures a,c.e,f The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section
~
discussed the consequences of failures in the EAGLE DPF equipment.
4 i
s i
I t
a 1
1 Page 17
, i,
~
a,c.e,f The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section
, discussed the consequences of failures in the EAGLE OPF equipment.
l 1
[ -
Ja,c Additionally, it should be noted that a Fault Tree for the EAGLE OPF Advanced Digital Feedwater Control System has been provided as Appendix 1 to this report. l 6.1.3 Duration of Failures The duration of a failure is minimized by the ability to diagnose and repair the system easily and quickly. For example, [
ja,c a
i i
i i Page 18 1
6.2 Configuration Certification Finally, in order to enhance the reliability of the MSS, a formal activity known as Conf'guration Certification has been devised to minimize design errors and provide an overall assurance that the specified functional requirements are implemented in the hardware and software as a system.
Configuration Certification is accomplished via:
a,c The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed configuration certification of the MSS in EAGLE DPF equipment.
Page 19
7.0 CONCLUSION
Based on the information presented in this report, implementation of the
. Median Signal Selector function for steam generator narrow range level is evaluated to be a totally acceptable means for [
Ja c Previously, a fourth steam generator narrow range level channel has been used as an alternative to eliminate the icw feedwater flow reactor trip by providing an adequate number of chanpals to allow for trip actuation following a (
Ja c Finally, it should be noted that through installation of the Median Signal Selector, Prairie Island Units 1 and 2 will attain significant operational improvements from (
]a.c reduced fatigue buildup on critical components, and improved Feedwater Control System reliability. Futhermore, the MSS function is easily accomplished in conjunction with the Prairie Island Feedwater l Control System upgrade which utilizes the Eagle DPF equipment, i
l l
I Page 20
~
l i
FIGURE 1 - ORIGINAL FUNCTIONAL DESIGN Low S O to Feedwater Flow SIeem Genersfor Lo-Lo Water Level Water Level (STMFIFWF Mismatch) l**P ^ SF FW SF FW l
I I II I FT I LT E LT IV LT FT FT FT 461 482 463 464 I 486 465 487 l
_. , T
< r ' t
{ Ill IV I il t
LC LC FC FC l 462C 463E 466C 4675 S1 82 63 FW < W
] FW < W 1
Lo-Lo o-Lo 0-Lo Lo lo i
+ +
h
.. a. . 21 2 2/ 3 4 ' Sleem Osmerator Lo-Lo Level Reactor Trip Low Feedwstor Flow Reactor Trp
} Feedwater Controlvalve Clostse l(Sot) Tstano Trip Protection j -. ---------
1 r Controf Feedwater Flow Controf 132s D28215 001 l
1 l
l l
4 FIGURE 2
.c...r MEDIAN SIGNAL SELECTOR FUNCTIONAL DESIGN i
i l
i
- l 1
1 l
i i
i f
I l
t I
l.
i ..
i l- - - _ __ -__ - --
i FIGURE 3 MEDIAN SIGNAL SELECTOR - FUNCTIONAL DIAGRAM ,,c,,,,
)
1 t
1 4
i 4
l 4
I I
\
FIGURE 4 - MODULARITY ILLUSTRATION TOFMLD
' ~ . TEmueNATIONS AND TEST PApott n 48 9
' ' - OC SUPPLIES /
.f- ~ FOAOCARDS
~!(I * * *
'd asutTseuS/
s
' 'g'..
- g .
,. ;l
- o*"
3 . . - ,
l -
- -c
- POEUERSUPPUEE#
,f
! . y poes SEP AR ATE e, . , ,,,,,g py wS titD$ 6
.45$1 Q O'
- TEST E29 P-
.+.
- 7 ' bl# ,
1 AC/
- lU...** :
l
' ' 's ' oestnieuvions f N '
OCA#o
' - ' ra*=E
,2 ;. e A, s to OC,
-p ,
suretsgs
/ # GCARO
.- 's I" '
enAast k/ '
s s
N
' - ' ~
OCARO yaAnst i
i 1329 D29220 001 P/5
, a,_ _ _ __ r _ _ma w + o. _ ~ , -_- -
9 8 9 6
l .
]
FIGURE 5 - WE RCH ECTURE OVERV EW c^
i 1
i l
I i,
e I
e P
. O R
D S
T N
I s
P O
O O L
P T R TJ T J5 U T5 U
'X MO M T I X T J JW P
t ID R O(
TI T M U R TH q g3 J N
_ U2 _TN R
q ls J N
S R
_TR q l: J M
_ D6 _TV R
q le J N
_ TR I
R
_TZ T 14 O T4 M T4 U I I I I 4 P*
N)W _ Rx OO _M - Rx O)M _M - Rx OO _M _ Rx
)) _M f X T
UiO
/ I f R TG _
GD L
R
_T M -
Gf L
R
_IQ -
OD L
R
_TU -
G (M L
R
_TY Ot T M A p ls L M A p lI L H A p ls L M A p lu L M
U R P T5 J
Mx I F M
T J5 T
I x N
I M f)X I R TE T )
UM Of M
q fI J q l8 J q lI J q )la J R 4 R N R N R e R 6 T2 Ux TD M _ W _TL (I
I
_ F T5 I
_TP _ IIT5 _TT _ l T7 I
_TX
.M T
U2 P
T X
_ RX _M - Rx _M _ RX _M _ RX ._
E M' O ID R TC _
O03 O1 L
R
_TM -
OO Ofi L
R
_TO _
OO GD L
R
_TS _
OO _
OD L _RTV UiO Of R M pl L A M pl L A M A p le L M A p lu L M
U R TB T G
8 Tl J
M U MX Px T)
I MO UX F IB R TA M
OE 9
/ _
P _
W 8
3 3
0 3 .
D _
03 _
31
l t
)
l l FIGURE 7 i MEDIAN SIGNAL SELECTOR CONFIGURATION ..c...r l
I l
i I.
l i
t i
l 1
l i
i l
i i
i
O l
l l
APPENDIX 1 1
FAULT TREE FOR THE WESTINGHOUSE EAGLE OPF ADVANCED DIGITAL FEEDWATER CONTROL SYSTEM
- 4,C 1
The material in this section has been deleted from this nonproprietary l document due to its proprietary nature. This section discussed the fault tree for the Westinghouse EAGLE OPF Advanced Digital Feedwater Control System.
9 l
l l
l l
t l
4 0 **
- 9 a,C
'*"? N mm =*e-m m mim neuvit yewnwi,En t!avvast symmu o
h e
f 1
e l
l 6
- l
\
l I
i l
_