ML20247M628

Nonproprietary Advanced Digital Feedwater Control Sys Median Signal Selector for Diablo Canyon Units 1 & 2
ML20247M628
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 03/31/1989
From: Erin L
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
Shared Package
ML16341F331 List:
References
WCAP-12222, NUDOCS 8909260015


Text


WESTINGHOUSE CLASS 3

WCAP-12222

ADVANCED DIGITAL FEEDWATER CONTROL SYSTEM MEDIAN SIGNAL SELECTOR FOR PACIFIC GAS & ELECTRIC CO. DIABLO CANYON UNITS 1 & 2

L. E. ERIN

MARCH, 1989

Approved: Manager, Instrumentation and Control Systems Licensing

Approved: Manager, Nuclear and Control Technology

Approved: Manager, Process Control Equipment

Westinghouse Electric Corporation
Power Systems Division
P. O. Box 355
Pittsburgh, Pennsylvania 15230

ABSTRACT

To improve the overall performance of the Reactor Control and Protection Systems at Diablo Canyon, the Feedwater Control System is being enhanced by the installation of a Median Signal Selector. The signal selector will eliminate a [ ]a,c mechanism involving the steam generator low-low water level protective function by providing [ ]a,c between the Reactor Protection System and the Feedwater Control System in accordance with the requirements of IEEE Std. 279-1971.

Various aspects of signal selector use are addressed by this report; these aspects include: 1) basis for removal of the low feedwater flow reactor trip, 2) a demonstration of the functional adequacy of the signal selection process in eliminating the [ ]a,c mechanism, and 3) signal selector test and failure detection capabilities.

TABLE OF CONTENTS

Abstract
Acronyms
List of Figures

1.0 Introduction
1.1 Background
1.2 Median Signal Selector

2.0 Steam Generator Reactor Trip Functions
2.1 Steam Generator Low Low Level Reactor Trip
2.2 Low Feedwater Flow Reactor Trip

3.0 Elimination of Low Feedwater Flow Reactor Trip
3.1 Elimination via Four Steam Generator Level Channels
3.2 Elimination via Median Signal Selector
3.3 Advantages

4.0 Median Signal Selector Implementation
4.1 Operational Description
4.2 Software Description
4.3 Hardware Description

5.0 Failure Detection
5.1 Diagnostics
5.2 Test Capability

6.0 Fault Tolerance
6.1 Reliability
6.1.1 Frequency of Failures
6.1.2 Consequences of Failures
6.1.3 Duration of Failures
6.2 Configuration Certification

7.0 Conclusion

Appendix 1 - Fault Tree for the Westinghouse EAGLE DPF Advanced Digital Feedwater Control System

ACRONYMS

RPS - Reactor Protection System
RPCS - Reactor Plant Control System
NSSS - Nuclear Steam Supply System
RCS - Reactor Coolant System
EAGLE DPF - Westinghouse EAGLE Distributed Processing Family
I/O - Input / Output
DPU - Distributed Processing Unit
AFS - Auxiliary Feedwater System
FCS - Feedwater Control System
MSS - Median Signal Selector
LED - Light Emitting Diode
MTBF - Mean Time Between Failure
CLP - Control Loop Processor
AC - Alternating Current
DC - Direct Current
FSAR - Final Safety Analysis Report

LIST OF FIGURES

Figure  Title
1  Original Functional Design
2  Median Signal Selector Functional Design
3  Median Signal Selector Functional Diagram
4  Modularity Illustration
5  Westinghouse EAGLE DPF System Architecture Overview
6  Input / Output Points
7  Median Signal Selector Configuration

1.0 INTRODUCTION

1.1 Background

The fundamental purpose of plant instrumentation and control systems is to permit operational control of the Nuclear Steam Supply System (NSSS), and to initiate automatic protective action in response to unsafe operating conditions. The infrastructure of instrumentation and control systems constitutes an interactive network of electrical circuits through which protection and control functions are carried out. This network can be best described in terms of two functionally defined systems called the Reactor Protection System (RPS), and the Reactor Plant Control System.

The Reactor Protection System is defined as that part of the sense and command features involved in generating those signals used primarily for reactor trip functions and the actuation of engineered safety features.

The Reactor Plant Control System is defined as those electrical instrumentation and control systems that provide the operator with the necessary information and controls to effect proper primary plant control.

Accordingly, operation of a nuclear facility without undue risk to the health and safety of the public is largely predicated upon RPS design attributes which assure proper and complete operation of the RPS; these may be briefly summarized as RPS functional adequacy, and operational readiness. To insure that these characteristics are adequately implemented in the overall RPS design, the Code of Federal Regulations requires that certain criteria be adhered to.

Specifically, the Code of Federal Regulations, Title 10, Part 50.55a, Codes and Standards, (h) protection systems, endorses the Institute of Electrical and Electronics Engineers Standard, IEEE-279, "Criteria for Protection Systems for Nuclear Power Generating Stations", as the governing criteria to which the Reactor Protection System design must conform, as a minimum, in order to meet the requirements of functional adequacy and operational reliability. One of the specific provisions of this standard is the issue of [ ]a,c

Basically, [ ]a,c The mechanism may be a [physical interaction such as electrical faults originating in the control system and propagating to]a,c the protection system (thereby bringing about an attendant failure within the protection system), or a [functional interaction where the action of a control system is coupled to the ability of the]a,c protection system to provide adequate core protection consistent with the requirements of IEEE Std. 279-1971. Once the failure mechanism [ ]a,c has occurred, the protection system must continue to satisfy all reliability, redundancy, and independence requirements. To prevent [ ]a,c protection systems are, in general, designed with due regard for the requirements of physical, electrical and functional independence.

In the Westinghouse NSSS design, the Reactor Plant Control System derives many of its input signals not from dedicated control system instrument channels, but directly from the protection system instruments through isolation devices. The requirements for process-parameter measurements for control and protection functions so nearly overlap that the same measurements serve both purposes equally well. Therefore, common instrument channels are, in essence, used in both the Reactor Protection System and the Reactor Plant Control System for those process parameters for which measurement is required in both the protection and control system designs. This practice allows the NSSS to be controlled from the same measurements with which it is protected. Such a scheme precludes any sensor deviation between control and protection functions which serves to maintain margins between operating conditions and safety limits thereby reducing the likelihood of spurious reactor trips, and considerably reduces the tasks of channel calibration and maintenance. However, this design configuration does present some difficulties in the area of [ ]a,c and in order to take advantage of the benefits derived from such an equipment configuration, additional measures must be taken to assure the [functional independence of the protection and control systems.]a,c

1.2 Median Signal Selector

[ ]a,c The MSS selects the median of three steam generator narrow range level input signals [ ]a,c

a,c The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed operational benefits and location of the Median Signal Selector.

2.0 STEAM GENERATOR REACTOR TRIP FUNCTIONS

The present Prairie Island reactor trip functions associated with the steam generator protection system are: 1) the steam generator low-low water level reactor trip and 2) the low feedwater flow reactor trip (see Figure 1).

2.1 Steam Generator Low-Low Water Level Reactor Trip

The basic function of the reactor protection circuits associated with steam generator low-low water level trip channels is to preserve the steam generator as a heat sink for removal of residual heat. This automatic protective action is taken before the steam generators are dry to maintain the heat sink, reduce the capacity and starting time requirements of the Auxiliary Feedwater System (AFS), and to minimize the thermal transient on the Reactor Coolant System (RCS). This trip is actuated on coincidence of two out of three low-low water level signals in any steam generator.

2.2 Low Feedwater Flow Reactor Trip

a,c The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed the low feedwater flow reactor trip.

3.0 ELIMINATION OF LOW FEEDWATER FLOW REACTOR TRIP

3.1 Elimination via Four Steam Generator Level Channels

a,c The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed elimination of the low feedwater flow reactor trip via four steam generator level channels.

3.2 Elimination via Median Signal Selector

a,c The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed elimination of the low feedwater flow reactor trip via a Median Signal Selector.

3.3 Advantages

a,c The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed advantages of eliminating the low feedwater flow reactor trip.

4.0 MEDIAN SIGNAL SELECTOR IMPLEMENTATION

4.1 Operational Description

The MSS receives three isolated narrow range level input signals (see Figure 3) designated as A, B, and C for each steam generator. The algorithms are configured to [ ]a,c,e,f This output value is the median of the three input signals. For example, suppose that A, B, and C are signals representing 30%, 40% and 50% of steam generator level. After the [ ]a,c,e,f This signal representing 40% level is now forwarded to the algorithms for feedwater control. Thus, the MSS will always select the median of three input signals, [ ]a,c

4.2 Software Description

The Westinghouse EAGLE Distributed Processing Family (EAGLE DPF) MSS function is configured using a Graphics Process Control Language. This high level language enables the system engineer to use menu-driven screens and interactive fill-in-the-blanks editing to configure process control loops, create a data base of input / output points and display the loops as configured during operation. The graphics language is comprised of three subsets known as Data Base Generation, Standard Modulating Control and Ladder Logic Control.

The data base of process inputs and outputs is created by using the subset called Data Base Generation. The system engineer uses an interactive editor to load the EAGLE DPF with the characteristics of each input and output point. Information such as point type (analog or digital), alarm limits, scaling and hardware address are entered into the data base for each point.

The process control loops are configured by using the Standard Modulating Control Subset. The graphics editor displays a screen showing five blank lines for input points at the top, five blank lines for output points at the bottom and eight blocks for algorithms in between (see Figure 6). The system engineer configures the control loops by filling in the blanks with input and output points defined in the data base and a standard library of 24 field proven algorithms. The inputs, algorithms and outputs are then connected to show the signal flow through the loop (see Figure 7 for MSS configuration).

In summary, the graphic process control language simplifies system configuration. This fill-in-the-blank type language affords engineering personnel the ability to make changes (if necessary in the future) without a background in computer languages such as BASIC, PASCAL, PLM86, FORTRAN, etc. The system configuration is self-documenting. All program diagrams and data base listings can be easily printed by a simple menu selection on a personal computer.

4.3 Hardware Description

The MSS function is implemented in Westinghouse EAGLE DPF equipment which is installed as part of the plant control system.

This state-of-the-art, microprocessor-based system is a mature digital design, with a history of over 280 industrial uses including utility applications. The modular features of the Westinghouse EAGLE DPF Digital Feedwater Controller with MSS permits installation into existing control cabinets, minimizing the impact on existing field terminations and wiring (see Figure 4).

EAGLE DPF utilizes a distributed architecture system and is basically comprised of input / output (I/O) cards and distributed processing units (DPU's), which contain the functional microprocessors. An overview of the EAGLE DPF system architecture is shown in Figure 5.

For the purpose of [ ]a,c Power supplies for [ ]a,c is also provided in the Westinghouse EAGLE DPF design. Automatic [ ]a,c occurs upon failure of the [ ]a,c

The Westinghouse EAGLE DPF equipment represents nine years of intensive Westinghouse product development in response to a strict set of product goals. There is an extensive history of industry usage and experience to date for control system application and data acquisition.

5.0 FAILURE DETECTION

The Westinghouse EAGLE DPF MSS to be installed at Prairie Island is designed to allow for easy detection of system failures through both self diagnostics and periodic test. These methods for failure detection are discussed here below.

5.1 Diagnostics

The self-diagnostics are automatically executed during the normal operation of the system and do not disrupt the real time performance of the process. The major diagnostic features supporting the MSS function are as follows:

a,c,e,f The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed the diagnostic features of the EAGLE DPF equipment.

5.2 Test Capability

The MSS has been provided with the capability for on-line testing. Signal selector testing consists of [ ]a,c the three steam generator level input signals and [ ]a,c will permit determination of whether or not the actual median signal is being chosen, and, consequently, whether the signal selector is functioning properly.
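The median selection described in Section 4.1 and the kind of check Section 5.2 calls for (is the actual median being chosen?) can be illustrated as follows. This is an added example, not code from the report or from the EAGLE DPF equipment; the redacted algorithm configuration and test procedure are not reproduced, and the comparison-based median, the function names and the sample level values other than 30/40/50% are assumptions.

```python
"""Median-of-three signal selection (added illustration, not EAGLE DPF code)."""
from itertools import permutations


def median_select(a, b, c):
    """Return the median of three level signals using only min/max comparisons."""
    return max(min(a, b), min(max(a, b), c))


def single_failure_outputs(healthy_pair, failed_values):
    """Selector output when one channel fails to each value in failed_values.

    The failed channel is placed in every input position (A, B and C) so the
    result does not depend on which channel is the bad one.
    """
    lo, hi = healthy_pair
    outputs = []
    for bad in failed_values:
        for position in range(3):
            signals = [lo, hi]
            signals.insert(position, bad)
            outputs.append(median_select(*signals))
    return outputs


def check_selector(selector, test_levels=(30.0, 40.0, 50.0)):
    """Apply three distinct known levels in every input order.

    Returns the orderings for which the selector did not return the middle
    value; an empty list means the median was chosen every time.
    (Assumed check, not the report's redacted test procedure.)
    """
    expected = sorted(test_levels)[1]
    return [p for p in permutations(test_levels) if selector(*p) != expected]


def high_select(a, b, c):
    """Deliberately faulty selector (constructed): passes the highest input."""
    return max(a, b, c)


if __name__ == "__main__":
    # The report's own example: 30%, 40% and 50% level gives 40%.
    print("median of 30/40/50:", median_select(30.0, 40.0, 50.0))

    # Constructed case: two healthy channels near 40% and one channel failed
    # anywhere from 0% to 100%. The output stays between the healthy readings.
    outs = single_failure_outputs((39.5, 40.5), [0.0, 25.0, 40.0, 75.0, 100.0])
    print("output range with one failed channel:", min(outs), "to", max(outs))

    # The check passes for the median selector and flags the faulty one.
    print("median selector mismatches:", check_selector(median_select))
    print("faulty selector mismatches:", len(check_selector(high_select)))
```

With one channel failed to any value, the selected signal never leaves the band set by the two healthy channels, which is the property that keeps a single shared-channel failure from driving the control system.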

The MSS can be tested [ ]a,c

6.0 SYSTEM RELIABILITY AND FAULT TOLERANCE

6.1 Reliability

From a functional standpoint the implementation of a signal selector eliminates control and protection system interaction in the steam generator protection circuitry by providing functional isolation from the Feedwater Control System; however, the continued ability of the device to prevent control and protection system interaction is contingent on its ability to select the median signal. Therefore, steps have been taken to ensure the reliability of the signal selection process. Furthermore, the design provides the capability for complete unit testing that provides unambiguous determination of credible system failures.

Reliability of the Westinghouse EAGLE DPF MSS design to be installed at Diablo Canyon is focused on three major areas: minimizing the frequency of failures, minimizing the consequences of a failure, and minimizing the duration of a failure.

6.1.1 Frequency of Failures

The frequency of failures is minimized primarily by the simplification of the hardware and software design. The hardware design is based on a system organized to limit the functions and interactions of each system element. The Mean Time Between Failures (MTBF) calculation for the analog input printed circuit card is [ ]a,b,c The software design is simplified by the [ ]a,c In addition, extensive quality assurance and testing programs are utilized to ensure an error-free system.

6.1.2 Consequences of Failures

a,c,e,f The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed the consequences of failures in the EAGLE DPF equipment.

[ ]a,c Additionally, it should be noted that a Fault Tree for the EAGLE DPF Advanced Digital Feedwater Control System has been provided as Appendix 1 to this report.

6.1.3 Duration of Failures

The duration of a failure is minimized by the ability to diagnose and repair the system easily and quickly. For example, [ ]a,c

6.2 Configuration Certification

Finally, in order to enhance the reliability of the MSS, a formal activity known as Configuration Certification has been devised to minimize design errors and provide an overall assurance that the specified functional requirements are implemented in the hardware and software as a system.

Configuration Certification is accomplished via:

a,c The material in this section has been deleted from this nonproprietary document due to its proprietary nature. The material in this section discussed configuration certification of the MSS in EAGLE DPF equipment.

7.0 CONCLUSION

Based on the information presented in this report, implementation of the Median Signal Selector function for steam generator narrow range level is evaluated to be a totally acceptable means for [ ]a,c

Previously, a fourth steam generator narrow range level channel has been used as an alternative to eliminate the low feedwater flow reactor trip by providing an adequate number of channels to allow for trip actuation following a [ ]a,c

Finally, it should be noted that through installation of the Median Signal Selector, Diablo Canyon Units 1 and 2 will attain significant operational improvements from [ ]a,c reduced fatigue buildup on critical components, and improved Feedwater Control System reliability. Furthermore, the MSS function is easily accomplished in conjunction with the Diablo Canyon Feedwater Control System upgrade which utilizes the Eagle DPF equipment.

[Figures 1 through 7 are not recoverable from the scanned text. Titles as given in the List of Figures:]

FIGURE 1: Original Functional Design
FIGURE 2: Median Signal Selector Functional Design
FIGURE 3: Median Signal Selector Functional Diagram
FIGURE 4: Modularity Illustration
FIGURE 5: Westinghouse EAGLE DPF System Architecture Overview
FIGURE 6: Input / Output Points
FIGURE 7: Median Signal Selector Configuration

APPENDIX 1

FAULT TREE FOR THE WESTINGHOUSE EAGLE DPF ADVANCED DIGITAL FEEDWATER CONTROL SYSTEM

a,c The material in this section has been deleted from this nonproprietary document due to its proprietary nature. This section discussed the fault tree for the Westinghouse EAGLE DPF Advanced Digital Feedwater Control System.