ML102240383
Site: Watts Bar
Issue date: 08/10/2009
From: Adkinson R, Tennessee Valley Authority
To: Office of Nuclear Reactor Regulation
References: WB-DC-30-29, Rev 8
Download: ML102240383 (71)
ENCLOSURE 1
WATTS BAR NUCLEAR PLANT (WBN) UNIT 2 - NRC MEETING HELD ON AUGUST 4, 2010 - INSTRUMENTATION AND CONTROL - REQUEST FOR ADDITIONAL INFORMATION
Watts Bar Nuclear Plant Unit 1/Unit 2 Design Criteria Document No. WB-DC-30-29, Revision 8, "Plant Integrated Computer System (ICS)", dated August 10, 2009
TENNESSEE VALLEY AUTHORITY, Division of Nuclear Engineering
RIMS QA RECORD: N/A
DESIGN CRITERIA DOCUMENT No. WB-DC-30-29
WATTS BAR NUCLEAR PLANT UNIT 1 / UNIT 2
TITLE: PLANT INTEGRATED COMPUTER SYSTEM (ICS)
(Signatures on original)

Coversheet revision block (column alignment lost in extraction; names are listed in the order they appear):
Revisions: R0, R5, R6, R7, R8
Dates: 2/21/84, 3-5-2001, 8-19-2008, 2-4-2009, 8-10-2009
Prepared: H. Henderson; R. F. Adkinson; F. D. Lively; R. F. Adkinson
Checked: G. M. Stokes; Roger Foster; G. M. Stokes
Verified: M. A. Wright; G. M. Stokes; Roger Foster; G. M. Stokes
Approved: (signatures on original)
TVA REVISION LOG
Title: PLANT INTEGRATED COMPUTER SYSTEM (ICS), WB-DC-30-29
(Original columns: Revision No., Description of Revision, Date, Approved)

Revision 0 (9/20/88): This revision incorporates applicable commitments and requirements through May 16, 1986.

DCN S-12397-A (RIMS No. B26 901002 800), 9/20/90: Added requirement for data printout after trip to reflect commitment in A27 831107 032 (response to Generic Letter 83-28) per OIDB-2638-R00. This information was added to Section 3.1.1, page 5.

DCN M-18589-A (RIMS No. T56 920816 920), 8/16/92: Revised P2500 MCR Operator Interface from P2500 Keypad to GUI Keyboard. Deleted reference to PC Operator console and replaced with P2500 workstation. (Software changes will be made to incorporate this P2500 interface change.) Affected pages are 1, 7, 8, 14, and 15.

Revision 1 (10/8/92): General revision and resolve OITR-0272 R0.

Revision 2 (4/9/93): Clarify the requirement for the Auto-start feature.

Revision 3 (8/30/94): Clarify the testing requirements. Add requirements for RTDs TE-3-36, 49, 91, and 104. Extend accuracy of analog input subsystem to include all ranges and clarify accuracy requirement of the equipment. Affected pages: 7 and 14.

DCN S-37198-A (RIMS No. T56 950703 824), 7/3/95: Added S/G operating pressure *80 psig to Section 4.4.1. Added reference 6 to Section 8.1.6. Pages Added: None. Pages Deleted: None. Pages Revised: ii, 12 and 19.

DCN S-37891-A (RIMS No. T56 950818 971), 8/18/95: Voided revision statement per DCN S-37198-A from page ii and reference 6 from Section 8.1.6, which were inadvertently entered into this Design Criteria. Pages Added: iii. Pages Deleted: None. Pages Revised: ii and 20.

DCN S-38193-A (RIMS No. T56 950928 845), 9/28/95: Corrected pages inadvertently replaced by DCN S-37891-A. Pages Added: iia. Pages Deleted: None. Pages Revised: iii, 19, and 20.

Revision 4 (9/20/99):
- DCN M-39911-A (T56 981215 803): Replacement of the obsolete Unit 1 Westinghouse P2500 Plant Process Computer with a new Plant Integrated Computer System (ICS). This ICS provides an operator friendly, state of the art, real time process computer system for the WBN plant operators. After this modification, the new ICS computer will be operational and performing all the functions of the P2500. Additionally, all Emergency Response Facilities Data System (ERFDS) functions currently defined in Design Criteria WB-DC-30-8 will be consolidated into the new ICS. Therefore, Design Criteria WB-DC-30-8 and WB-DC-30-29 have been combined into this Design Criteria WB-DC-30-29, "Plant Integrated Computer System." This Design Criteria (WB-DC-30-29) has been revised in its entirety.
- DCN D-50336-A (T56 990810 801) revised Section 3.2.6 to clarify display of alarm messages following return to normal of the initiating condition. Revised Section 3.2.17.3.14 to delete the last two paragraphs, Trend Control Display.
- WBN Problem Evaluation Report (PER) 99-009596-000 was initiated to document that the previous page 12 of this Design Criteria had been replaced, by mistake, with page 12 of WB-DC-40-29. By revising the entire document, DCN M-39911-A creates a new WB-DC-30-29, which is correct and complete. Therefore, the error caused by DCN S-37198-A is corrected, and the attempts made by DCNs S-37891-A and S-38193-A to correct this error are superseded by DCN M-39911-A.
- Incorporates DCNs S-37198-A, S-37891-A, S-38193-A, M-39911-A, and D-50336-A.
- Deleted Coordination Log, which is not required per NEDP-10.
- Renumbered entire document, and made minor format changes.
Pages Revised: All. Total Pages: 67 (includes pages i-x and 1-57).

Revision 5 (3-5-2001): Incorporates DCN as follows: DCN D-50301-A (T56 000605 802) implements phases 4 and 5 of the Integrated Computer System (ICS) project. These phases will complete the upgrade of the remaining plant computer data acquisition equipment, remove the ERFDS VAX computer, and interface with various other plant systems and equipment. These interfaces include the Eagle-21 Reactor Protection System, ICCM/RVLIS, the Ronan annunciator system (including printer replacement with a display unit), and the 500 kV voltage and frequency recorders in the main control room. Design Criteria WB-DC-30-29 has been revised to incorporate this change by removing reference to the ERFDS datalink, removing reference to the 45B900 drawing series, adding the additional ICS interfaces, and replacing a canceled reference document with the current equivalent procedure. Revised Sections 3.1.4, 3.2.13, 4.0, 9.1.1.1, and 9.1.2.3. Total Pages: 67 (includes pages i-x and 1-57).

Revision 6 (8-19-2008): This DCD has been reviewed and determined to be fully applicable to both Unit 1 and Unit 2. Outstanding WITEL Punchlist items are listed below:
- PL-08-0369, Section 3.2.17.3.16
- PL-08-0370, Rev. Log, Revisions 4 & 5
- PL-08-0371, Table of Contents; Sections 3.8.1 & 3.8.2
- PL-08-0372, Sections 3.2.13 & 9.1.1.1
- PL-08-0373, Section 1.0
- PL-08-0374, Section 9.1.1.4
- PL-08-0375, Section 3.5
- PL-08-0376, Section 3.6
- PL-08-0378, Section 9.1.2.5
- PL-08-0379 through PL-08-0389, Section 9.1.3.1
- PL-08-0390 and PL-08-0391, Sections 3.3.5 & 9.1.3.2
- PL-08-0392 and PL-08-0393, Sections 3.3.5 & 9.1.3.3
- PL-08-0394, Section 9.1.4.1
- PL-08-0395, Section 9.1.4.2
- PL-08-0396, Section 9.1.4.3
- PL-08-0397, Section 9.1.5.10
- PL-08-0398, Section 9.1.5.12
- PL-08-0399, Section 9.1.5.13
- PL-08-0400, Section 9.1.8.1
- PL-08-0401, Section 9.1.8.2
- PL-08-0402, Section 9.1.8.3
- PL-08-0403, Section 9.1.8.4
- PL-08-0404, Section 9.1.8.5
- PL-08-0405, Section 9.1.8.6
- PL-08-0406, Sections 9.1.9.17, 9.1.9.18, & 9.1.9.21
- PL-08-0407, Section 9.1.10.1
- PL-08-0434, Sections 3.10 & 9.1.1.2
- PL-08-0435, Section 9.1.1.3
- PL-08-0436, Section 9.1.1.5
- PL-08-0474, Section 1.1
Pages Revised: Coversheet, iii, iv, v, vi, 1, 21, 31, 32, 33, 39, 40, 41, 42, 50, 51, 52, 53. Total Pages: 68 (includes pages i-xi and 1-57).

Revision 7 (2-4-2009): Section 3.2.17.3.16 of this Design Criteria was revised by EDC# 53021-A in order to remove the restriction of using only touch screen SDS panels in the MCR. Pages Revised: Coversheet, v, vi, 31. Total Pages: 69 (includes pages i-xii and 1-57).

Revision 8 (8-10-2009): This revision was issued by WB2CCP to address the ICS applicability to Unit 2 in Section 1.0 of this DCD. An outstanding WITEL Punchlist item applicable to Unit 2 has been added to this DCD by this revision and is listed as follows:
- PL-08-2108, see Section 1.0: A new ICS system is being supplied for Unit 2 by the WB2CCP on EDCR No. 52322. Supporting vendor and engineering analyses shall be completed and incorporated into this Design Criteria Document prior to the Unit 2 ICS being declared operational for Watts Bar Unit 2.
Therefore, the following WITEL Punchlist items have been deleted from this DCD by this revision: PL-08-0369 through PL-08-0376, PL-08-0378 through PL-08-0407, PL-08-0434 through PL-08-0436, and PL-08-0474 (the same items, with the same section references, listed under Revision 6 above).
Pages Revised: Coversheet, iii, v, vi, viii, 1, 21, 31, 32, 33, 39, 40, 41, 42, 50, 51, 52, 53. Total Pages: 70 (includes pages i-xiii and 1-57).
Title: PLANT INTEGRATED COMPUTER SYSTEM (ICS), WB-DC-30-29

TABLE OF CONTENTS

Cover Page
Revision Log
Table of Contents
Abbreviations and Acronyms
1.0 INTRODUCTION
  1.1 Scope
  1.2 System Description
  1.3 Background on ERFDS
2.0 NOMENCLATURE
3.0 DESIGN REQUIREMENTS
  3.1 Functional Requirements
    3.1.1 Normal Functions
    3.1.2 SPDS
    3.1.3 BISI
    3.1.4 Communication Data Links
    3.1.5 Display of PAM Variables
    3.1.6 RHR Mid-Loop Operation Monitoring Function
    3.1.7 Safety Functions
    3.1.8 Design Basis Event (DBE)
    3.1.9 BOP and NSSS Displays
    3.1.10 Technical Support Center
  3.2 Plant Computer System
    3.2.1 Reliability
      3.2.1.1 Above Cold Shutdown
      3.2.1.2 Cold Shutdown/Refueling
    3.2.2 Interface Requirements
    3.2.3 ICS Equipment
      3.2.3.1 Data Acquisition Subsystem (DAS)
      3.2.3.2 Processor Subsystem (PS)
      3.2.3.3 Display Subsystem (DS)
    3.2.4 Software
    3.2.5 Programmer's Console
    3.2.6 Alarming
    3.2.7 Analog Trending (Pen Recorder Output)
    3.2.8 Test-Trip
    3.2.9 Post-Trip
    3.2.10 Sequence of Events
    3.2.11 Sensor Calibration and Conversion
    3.2.12 Application Programs
    3.2.13 Data Processing
    3.2.14 Analog Inputs
    3.2.15 Digital Inputs
      3.2.15.1 Analog Composed Points
      3.2.15.2 Analog Calculated Points
      3.2.15.3 Transformations
      3.2.15.4 Digital Composed Points
      3.2.15.5 Analog Outputs
      3.2.15.6 Digital Outputs
      3.2.15.7 Instrument Calibration and Maintenance Facility
      3.2.15.8 Data Logging
      3.2.15.9 Data Base Change Log
      3.2.15.10 Historical Data Storage and Retrieval
    3.2.16 Security
    3.2.17 Man/Machine Interface
      3.2.17.1 Man/Machine Functions
      3.2.17.2 Man/Machine Facilities
      3.2.17.3 Interactive Requirements
  3.3 SPDS
    3.3.1 Function
    3.3.2 Location
    3.3.3 Size
    3.3.4 Staffing
    3.3.5 Design Considerations
    3.3.6 Display Considerations
      3.3.6.1 Display Techniques
      3.3.6.2 Software for the SPDS Additional Requirements
  3.4 BISI
    3.4.1 BISI Design and Operation
    3.4.2 Systems Monitored by BISI
    3.4.3 Component Level Implementation Criteria
    3.4.4 BISI Display Criteria
      3.4.4.1 Alarm Function
      3.4.4.2 Manual Control
  3.5 Support Calculations
  3.6 RHR Mid-Loop Operation Monitoring Function
  3.7 Communication Networks and Data Links
    3.7.1 EOF
    3.7.2 EDS Computer
  3.8 Electrical Requirements
    3.8.1 Power System for the ICS
    3.8.2 Power Supply for the ICS HVAC
  3.9 Mechanical/Civil Requirements
    3.9.1 Technical Support Center
    3.9.2 Computer Room
    3.9.3 Seismic
  3.10 Environmental Requirements
  3.11 External Events
  3.12 Maintenance Requirements
  3.13 Regulatory Requirements
  3.14 Human Factors Requirements
  3.15 Display of PAM Variables
  3.16 Technical Support Center (TSC)
4.0 LAYOUT AND ARRANGEMENT
5.0 EQUIPMENT AND MATERIAL REQUIREMENTS
  5.1 Material Compatibility
  5.2 Hazardous Materials
  5.3 Material Restrictions
  5.4 Component Identification
  5.5 Terminal Blocks
  5.6 Enclosure Grounding
  5.7 Interconnections
  5.8 Electromagnetic Interference (EMI)
6.0 TEST AND INSPECTION REQUIREMENTS
  6.1 Hardware Test
  6.2 Software Test
  6.3 Integrated Test
  6.4 Inservice Test and Inspections
7.0 QUALITY ASSURANCE
  7.1 Quality Assurance for Safety-Related Equipment
  7.2 Quality Assurance for Quality-Related and Non Safety-Related ICS Equipment
  7.3 Verification and Validation
8.0 EXCEPTIONS
9.0 REFERENCES
  9.1 Design Input
    9.1.1 TVA Drawings
    9.1.2 TVA Documents
    9.1.3 Calculations
    9.1.4 System Descriptions
    9.1.5 Design Criteria
    9.1.6 Specifications
    9.1.7 Design Guides
    9.1.8 Other Documents
    9.1.9 NRC Documents
    9.1.10 EPRI Documents
  9.2 Background
    9.2.1 NRC Documents
  9.3 Industry Standards
Figure A
ABBREVIATIONS AND ACRONYMS

A/D - Analog to Digital
AFW - Auxiliary Feedwater
ANSI - American National Standards Institute
BISI - Bypassed and Inoperable Status Indication
BOP - Balance of Plant
CECC - Central Emergency Control Center
CFR - Code of Federal Regulations
CPU - Central Processing Unit
CR - Computer Room
CRDR - Control Room Design Review
CSF - Critical Safety Function
D/G - Diesel Generator
DAS - Data Acquisition Subsystem
DBE - Design Basis Event
DC - Design Criteria
DS - Display Subsystem
DTA - Digital Trip Action
EDS - Environmental Data Station
EIA - Electronic Industries Association
EOF - Emergency Operations Facility
EOI - Emergency Operating Instructions
EP - Engineering Procedures
ERCW - Essential Raw Cooling Water
ERDS - Emergency Response Data System
ERFDS - Emergency Response Facilities Data System
ERG - Emergency Response Guidelines
ESF - Engineered Safety Feature
ESFAS - Engineered Safety Feature Actuation System
F - Fahrenheit
FAT - Factory Acceptance Test
FCV - Flow Control Valve
FORTRAN - Formula Translation
FRG - Function Restoration Guidelines
FSAR - Final Safety Analysis Report
HED - Human Engineering Discrepancy
HEX - Hexadecimal
HFE - Human Factors Engineering
HS - Handswitch
HVAC - Heating, Ventilation, and Air Conditioning
Hz - Hertz, unit of frequency
I/O - Input/Output
ICS - Plant Integrated Computer System
IEEE - Institute of Electrical and Electronic Engineers
ISA - Instrument Society of America
JCL - Job Control Language
LCV - Level Control Valve
MCR - Main Control Room
MMI - Man-Machine Interface
mV - Millivolts
MW - Megawatts
NEP - Nuclear Engineering Procedure
NQAM - Nuclear Quality Assurance Manual
NRC - Nuclear Regulatory Commission
NSAC - Nuclear Safety Analysis Center
NSSS - Nuclear Steam Supply System
OSC - Operational Support Center
P&ID - Process and Instrumentation Diagram
PAM - Post Accident Monitoring
PEDS - Plant Engineering Data System
PS - Processor Subsystem
PTR - Post Trip Review
PVC - Poly-Vinyl-Chloride
QWERTY - Keyboard using the standard alphanumeric arrangement
RAM - Random Access Memory
RCPB - Reactor Coolant Pressure Boundary
RG - Regulatory Guide
RMS - Root Mean Square
RO - Reactor Operator
RPS - Reactor Protection System
RTD - Resistance Temperature Detector
SAT - Site Acceptance Test
SDS - Satellite Display Station
SG - Steam Generator
SOE - Sequence of Events
SPDS - Safety Parameter Display System
SRO - Senior Reactor Operator
SRS - Software Requirements Specification
SSE - Safe Shutdown Earthquake
STA - Shift Technical Advisor
SVVR - Software Verification and Validation Report
SWC - Surge Withstand Capability
TC - Thermocouple
TCV - Temperature Control Valve
TMI - Three Mile Island, Unit 2
TR - Train
TSC - Technical Support Center
TVA - Tennessee Valley Authority
V&V - Verification and Validation
V/F - Volts to Frequency
W - Westinghouse Electric Corporation
WBN - Watts Bar Nuclear Plant
WOG - Westinghouse Owners Group
1.0 INTRODUCTION
The purpose of this document is to establish the design requirements for the Unit 1 Plant Integrated Computer System (ICS) at Watts Bar Nuclear Plant (WBN).
It defines the criteria needed to ensure that a complete and adequate design is achieved and that the final installation will provide an acceptable level of operating reliability.
A new Plant Integrated Computer System (ICS) is being supplied for the Watts Bar Unit 2 Construction Project (WB2CCP). This system is being procured by WB2CCP on EDCR No. 52322. Supporting vendor and engineering analyses shall be completed and incorporated into this Design Criteria Document prior to the Unit 2 ICS being declared operational for Watts Bar Unit 2. [PL-08-2108]

1.1 Scope
This document describes the functional and engineering design requirements, modes of operation, user interfaces, system arrangements, and performance characteristics for the WBN ICS. This document provides top level hardware and functional requirements but is not intended to cover all detailed computer-related design information. However, specific design details for critical functions will be covered; other detailed computer-related design information is described in the ICS Software Requirements Specification (SRS).

The Plant Integrated Computer System (ICS) consolidates the functions of the Plant Computer with the functions of the Emergency Response Facilities Data System (ERFDS) (previously defined in WB-DC-30-8). Although the new Plant Computer System is referred to as the ICS throughout this Design Criteria, it is the new WBN Unit 1 Plant Computer, and any references to the Plant Computer in any plant documents refer to the WBN Unit 1 Plant Integrated Computer System (ICS).
The Plant Computer System is designed to meet the intent of the following NRC documents:
- Generic Letter 82-33, NUREG-0737, Supplement 1, Requirements for Emergency Response Capability (Reference 9.1.9.8).
- NUREG-0700, Guidelines for Control Room Design Reviews (Reference 9.1.9.7).
- NUREG-0800, Standard Review Plan, Section 18.2, SPDS (Reference 9.1.9.9).
- Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems (References 9.1.9.11, 9.1.9.24, and 9.1.9.25).
- Regulatory Guide 1.97, Post Accident Monitoring (Reference 9.1.9.12).
- NUREG-1394, Emergency Response Data System (Reference 9.1.9.15).
Throughout this document, occasional references are made to these documents where the requirements or guidelines they provide formed the basis for these criteria.
Related topics and the applicable requirements documentation that are not directly addressed within this design criteria (except as they interface with the ICS) are identified below:
- Technical Support Center (TSC), WB-DC-00-3
- Operational Support Center (OSC)
- EDS Computer
- PAM and Support Instrumentation, WB-DC-30-7
- Bentley Nevada Turbine Vibration Computer

1.2 System Description
The primary purpose of the ICS is to present plant process and equipment status information to the control room operators to assist them in the normal operation of the power station, and to inform them of any off-normal conditions.
The WBN ICS obtains real-time plant parameter information by scanning preassigned analog, pulse, and contact sensors located throughout the plant. The ICS shall also be able to obtain data from other digital plant monitoring systems and components located throughout the plant via serial and network data links.
The ICS performs data validity checks, simultaneous alarm processing, analog trending, sequence of events (SOE) monitoring, and Nuclear Steam Supply System (NSSS)/Balance of Plant (BOP) process application program calculations.
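The scan-cycle functions named in the paragraph above (validity checks, alarm processing, sequence-of-events monitoring), as an added example in Python. This is not code from WB-DC-30-29 or from the WBN ICS; it is a minimal model written for this page. Assumptions: the validity check is modelled as a sensor-range check, the alarm logic emits one ALARM message on entry and one return-to-normal (RTN) message when the initiating condition clears (the behaviour the revision log records for Section 3.2.6), and the point name PT-0001, the contact names BKR-A/BKR-B, the sensor range, the alarm limit and all sample readings are constructed for illustration.

```python
"""Added example, not part of WB-DC-30-29: a minimal model of the ICS scan-cycle
processing described in Section 1.2 (data validity checks, alarm processing with
return-to-normal, sequence-of-events monitoring). Point names, sensor ranges,
alarm limits, message texts and sample readings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Message = Tuple[int, str, str, float]   # (scan time, point name, message, value)
Contact = Tuple[int, str, str]          # (time in ms, contact name, state)


@dataclass
class AnalogPoint:
    name: str
    range_lo: float                  # sensor range; a reading outside it is invalid
    range_hi: float
    alarm_lo: Optional[float] = None
    alarm_hi: Optional[float] = None
    quality: str = "GOOD"            # GOOD or BAD, set by the validity check
    in_alarm: bool = False


@dataclass
class AlarmProcessor:
    messages: List[Message] = field(default_factory=list)

    def scan(self, point: AnalogPoint, value: float, t: int) -> None:
        """One scan of one point: validity check first, then alarm limits."""
        # Validity check (assumed form: sensor-range check). An out-of-range
        # reading is flagged BAD and is not evaluated against alarm limits, so a
        # failed sensor does not raise a spurious process alarm.
        if not point.range_lo <= value <= point.range_hi:
            if point.quality != "BAD":
                self.messages.append((t, point.name, "BAD QUALITY", value))
            point.quality = "BAD"
            return
        if point.quality == "BAD":
            self.messages.append((t, point.name, "QUALITY GOOD", value))
        point.quality = "GOOD"

        # Alarm processing: one ALARM message on entry, one RTN message when the
        # initiating condition returns to normal, nothing while it persists.
        violated = (point.alarm_hi is not None and value > point.alarm_hi) or \
                   (point.alarm_lo is not None and value < point.alarm_lo)
        if violated and not point.in_alarm:
            point.in_alarm = True
            self.messages.append((t, point.name, "ALARM", value))
        elif not violated and point.in_alarm:
            point.in_alarm = False
            self.messages.append((t, point.name, "RTN", value))


def sequence_of_events(samples: List[Contact]) -> List[Contact]:
    """SOE monitoring: contact scans from several input cards may arrive out of
    time order; return only state changes, in time order. The first scan of a
    contact establishes its baseline state and is not itself an event."""
    last: Dict[str, str] = {}
    events: List[Contact] = []
    for t, name, state in sorted(samples, key=lambda s: s[0]):
        if name in last and last[name] != state:
            events.append((t, name, state))
        last[name] = state
    return events


def run_demo() -> Tuple[List[Message], List[Contact]]:
    # Constructed analog point: 0-3000 psig sensor range, high alarm at 2335 psig.
    proc = AlarmProcessor()
    pt = AnalogPoint("PT-0001", 0.0, 3000.0, alarm_hi=2335.0)
    for t, value in enumerate([2250.0, 2340.0, 2345.0, 2300.0, 3500.0, 2250.0]):
        proc.scan(pt, value, t)

    # Constructed contact scans for two breakers, delivered out of order.
    contacts: List[Contact] = [(12, "BKR-A", "OPEN"), (5, "BKR-A", "CLOSED"),
                               (5, "BKR-B", "CLOSED"), (20, "BKR-A", "OPEN"),
                               (18, "BKR-B", "OPEN")]
    return proc.messages, sequence_of_events(contacts)


if __name__ == "__main__":
    alarm_log, soe_log = run_demo()
    for m in alarm_log:
        print("ALARM LOG", m)
    for e in soe_log:
        print("SOE", e)
```

The ordering matters: the validity check runs before the alarm check, so the 3500 psig reading (beyond the constructed sensor range) produces a quality message rather than a process alarm, and the alarm list never shows an alarm from a sensor the system already knows to be bad.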
The user interfaces to the ICS are called Satellite Display Stations (SDS). The SDSs that are located in the main control room provide operators with process values, alarm information, mimics, graphic trending, and database functions. Similar stations are provided in the TSC and EOF (CECC).
The ICS provides an integrated approach to meet the operational needs of system 261 (Plant Process Computer System) and system 264 (Technical Support System).
The ICS is not defined as being primary safety-related and it is not required to meet the single failure criterion or be qualified to IEEE criteria for Class 1E equipment.
The ICS shall be independent of existing sensors and equipment in safety-related systems. Independence shall be achieved through qualified safety-related Class 1E isolators (Reference 9.1.9.23). For isolation and separation requirements, see Design Criteria WB-DC-30-4 (Reference 9.1.5.1). Additionally, the ICS shall be suitably isolated to preclude electrical or electronic interference with existing safety systems. The ICS will not be required to operate during and following a seismic event (NUREG-0737, Supplement 1, Section 4.1.c).
1.2.1 The ICS shall provide, in the MCR, TSC, and EOF, the capability to monitor those parameters required to provide an SPDS per the NUREGs stated above.

1.2.2 The ICS shall acquire, process, and display all required data to support the assessment capabilities of the MCR, TSC, and EOF as stated in NUREG-0737 and NUREG-0737 Supplement 1 (Reference 9.1.9.22).
1.2.3 The ICS shall provide the capability to monitor in real time those parameters required to provide a BISI system per the requirements as stated in RG 1.47. This system does not include the requirements for operating and trip bypasses of the RPS and ESFAS. Those requirements are addressed in the FSAR Section 7.0 and N3-99-4003.
1.2.4 The ICS shall provide communication data links to the EOF (CECC computer), and EDS Computer.
1.2.5 The ICS shall provide the capability for continuously monitoring residual heat removal (RHR) system performance in the control room whenever an RHR system is being used for cooling the reactor coolant system (RCS), per Generic Letter 88-17, "Loss of Decay Heat Removal."

1.2.6 The ICS shall provide PAM display for variables not displayed elsewhere, and storage and trending for Category 1 variables.
1.2.7 The ICS shall calculate auxiliary feedwater total flow.
1.2.8 The ICS shall provide the capability to run and process other programs for operation support.
1.3 Background on ERFDS The history of the Watts Bar response to NUREG 0737 activities related to Emergency Response Facilities Data System is given in Attachment 1.
2.0 NOMENCLATURE 2.1 Bypassed and Inoperable Status Indication (BISI) System A system that provides automatic MCR indication and annunciation of bypassed and deliberately induced abnormal conditions for plant safety systems and the auxiliary or support system(s) that must be operable for the safety systems to perform their safety-related functions.
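The status propagation this definition describes (a safety system is shown as affected when it is bypassed itself or when a support system it needs is bypassed), as an added example in Python. This is not the WBN BISI implementation or any code from WB-DC-30-29. The system names AFW_PUMP_A, RHR_PUMP_A, DG_A and ERCW_TRAIN_A, the support-system table, and the maintenance scenario are all constructed for illustration; the two-level status (BYPASSED for the bypassed system itself, INOPERABLE with the causing support systems for anything that depends on it) is an assumed representation.

```python
"""Added example, not part of WB-DC-30-29: status propagation for the BISI
function defined in Section 2.1. System names and the support-system table are
constructed and are not the WBN BISI database."""
from typing import Dict, List, Set, Tuple

# Constructed: safety system -> support systems that must be operable for it.
SUPPORT: Dict[str, Set[str]] = {
    "AFW_PUMP_A": {"DG_A", "ERCW_TRAIN_A"},
    "RHR_PUMP_A": {"DG_A", "ERCW_TRAIN_A"},
    "DG_A": {"ERCW_TRAIN_A"},
    "ERCW_TRAIN_A": set(),
}

# ("OPERABLE" | "BYPASSED" | "INOPERABLE", support systems causing inoperability)
Status = Tuple[str, Tuple[str, ...]]


def bisi_status(bypassed: Set[str],
                support: Dict[str, Set[str]] = SUPPORT) -> Dict[str, Status]:
    """Evaluate every system in the table against the set of bypassed systems.
    Inoperability propagates through the support chain, so a single bypassed
    support system is reflected on every safety system that depends on it."""
    status: Dict[str, Status] = {}

    def evaluate(name: str, chain: Tuple[str, ...]) -> Status:
        if name in status:
            return status[name]
        if name in chain:   # a cyclic support table is a database error, not a state
            raise ValueError("circular support dependency: "
                             + " -> ".join(chain + (name,)))
        if name in bypassed:
            result: Status = ("BYPASSED", ())
        else:
            bad = tuple(sorted(d for d in support.get(name, set())
                               if evaluate(d, chain + (name,))[0] != "OPERABLE"))
            result = ("INOPERABLE", bad) if bad else ("OPERABLE", ())
        status[name] = result
        return result

    for name in support:
        evaluate(name, ())
    return status


def annunciate(before: Dict[str, Status], after: Dict[str, Status]) -> List[str]:
    """Automatic annunciation: one message for each system whose status changed
    between two evaluations, in a fixed order so operators see a stable list."""
    lines: List[str] = []
    for name in sorted(after):
        if before.get(name, ("OPERABLE", ())) != after[name]:
            state, causes = after[name]
            suffix = f" (support: {', '.join(causes)})" if causes else ""
            lines.append(f"{name}: {state}{suffix}")
    return lines


if __name__ == "__main__":
    normal = bisi_status(set())
    # Constructed scenario: ERCW train A taken out of service for maintenance.
    with_bypass = bisi_status({"ERCW_TRAIN_A"})
    for line in annunciate(normal, with_bypass):
        print(line)
```

The point of evaluating the whole table rather than only the bypassed system is that the operator's indication must show every safety function that has lost support, not just the component a technician tagged out; a cycle in the support table is rejected rather than silently evaluated, because a bad dependency database would otherwise produce a misleading indication.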
2.2 Class 1E The safety classification of the electric equipment and systems that are essential to emergency reactor shutdown, containment isolation, reactor core cooling and containment and reactor heat removal, or are otherwise essential in preventing a significant release of radioactive material to the environment.
2.3 Critical Safety Functions (CSF)
High level plant functions which, if maintained, will prevent a direct and immediate threat to the health and safety of the public, as defined in NUREG-0737, Supplement 1, Section 4.1.f.

2.4 Design Basis Events
A postulated event or combination of events that is used in the design to establish the performance requirements of structures, systems, and components.
2.5 Emergency Operations Facility (EOF)
A facility where management coordinates the emergency response, radiological and environmental assessment, recommendations for public protective actions, and response activities with Federal, State, and local agencies.
2.6 Human Engineering Deficiency (HED)
A characteristic of the existing control room that does not comply with the human engineering criteria used in the control room survey.
2.7 Human Factors Engineering (HFE)
The designing and positioning of machines, instruments, and controls so that they may be used with maximum efficiency by humans; the process of designing for human use, concerned with integration of the human element with hardware and software. One objective of HFE is the prevention of human error.
2.8 Independence The state in which there is no mechanism by which any single design basis event, such as a flood, can cause redundant equipment to be inoperable.
2.9 Isolation Device
A device in a circuit which prevents malfunctions in one section of a circuit from causing unacceptable influences in other sections of the circuit or in other circuits.
2.10 Man-Machine Interface (MMI)
The point of contact (or interconnection) between human beings and system equipment/hardware/software. Specific interface areas include instrumentation and controls, workspace, and working environment.
2.11 Quality-Related Quality-related is a term which encompasses quality assurance program requirements that describe activities which affect structures, systems, and components. These requirements provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public. In addition to safety-related structures, systems, components, and activities, the term "quality-related" encompasses the broad class of plant features covered (not necessarily explicitly) in the General Design Criteria of 10 CFR 50, Appendix A, that contribute in an important way to the safe operation and protection of the public in all phases and aspects of facility operation (i.e., normal operation and transient control as well as accident mitigation).
2.12 Safety Parameter Display Systems (SPDS)
A concise display of critical plant variables provided to the MCR operators to aid them in rapidly and reliably determining the safety status of the plant.
2.13 Safety-Related Those structures, systems, and components which are important to safety because they perform a safety function.
(A) Safety Function - That function of a structure, system, component or equipment which is necessary to assure: (1) integrity of the reactor coolant pressure boundary, (2) capability to shut down the reactor and maintain it in a safe shutdown condition, or (3) capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposure to a significant fraction of the guideline exposures of 10 CFR 100 (Reference 9.1.9.5). Also included are supporting and auxiliary systems which must function to provide such assurance.
2.14 Seismic Category I Classification given to those structures, systems, components, and equipment which perform or support safety functions and must be designed/constructed to ensure achievement of their safety functions at all times including a concurrent SSE.
2.15 Seismic Category I(L) - Classification given to those portions of structures, systems, components, and equipment for which limited structural integrity is required during the design basis seismic events.
Category I(L) items are designed and constructed to ensure achievement of their limited structural integrity requirement at all times including a concurrent SSE. The extent of this limited structural integrity is as necessary to ensure that the Category I(L) item will not cause the loss of a safety function of a Category I item or injury to occupants of the control room. The limited structural integrity concerns are position retention, pressure boundary retention, and seismic interaction.
2.16 Technical Support Center (TSC)
An area adjacent to the MCR for emergency response which, when activated, will relieve operators of peripheral duties and communications not directly related to reactor system manipulation and provide technical and engineering support.
2.17 Validation The test and evaluation of the integrated hardware and software system to determine compliance with the functional, performance, and interfacing requirements assuring that the capabilities required are implemented.
2.18 Verification The review of system requirements to establish that the problem has been adequately defined and the designed solution meets the requirements.
3.0 DESIGN REQUIREMENTS
3.1 FUNCTIONAL REQUIREMENTS
3.1.1 Normal Functions
The WBN Unit 1 ICS shall be a general purpose computer system with peripheral hardware and application programs designed to provide the plant operators with real time plant process data.
Both the hardware and software shall be modular in form to ensure optimum performance, reliability, and maintainability. The ICS shall be designed to continuously obtain real-time plant data by scanning analog, pulse, and digital sensors, and collect data from other plant digital monitoring systems.
The ICS shall perform all data processing and software application-oriented functions concurrently, and present automatically or on demand, plant input values or calculated results to the control room operator.
The ICS must provide a complete data set to permit accurate assessment of an event without interfering with emergency operations in the MCR. As a minimum, the following functions/parameters are required to be performed/monitored by the ICS:
- Analog/pulse input scanning and conversion
- Digital input scanning
- Alarming
- Contact outputs for annunciator window actuation
- Visual display
- Logging
- Trending
- Sequence of events recording
- Post-trip review
- Performance calculations NSSS/BOP
- Human communications function
- One of each redundant R.G. 1.97 category 1 instrument except for containment isolation valves.
- Parameters required to support Westinghouse Owner's Group critical safety function status trees.
- Parameters required to support BISI function (reference 9.1.3.1).
- Those required to support TSC function (emergency plan implementing procedure contains guidance on minimum parameter set)
- Those required to support resolution of HEDs:
  139 - Reactor Coolant Leak Rate and Rad Release Rate Calculations
  189 - Steam generator blowdown flow indication
  194 - TSC computer problems
- Select parameters for RHR mid-loop operation
- Those required to indicate AMSAC armed or active
The accuracy of the displayed data shall not be significantly less than the accuracy of comparable data displayed in the MCR.
The time resolution of the ICS shall be sufficient to capture transient conditions for analysis. The ICS shall be designed/constructed to provide a very high degree of reliability.
The ICS shall be designed to assist the operations staff in:
- Plant steady-state operating conditions prior to the initiating event.
- Transient conditions producing the initiating event.
- Plant dynamic behavior throughout the course of the event and its mitigation.
- Reviewing event sequences
- Determining appropriate event mitigation actions
- Evaluating the extent of any damage caused by an event
- Determining plant status during recovery from an event
- Determining safety system operability
In the event of a trip, data is printed out for all points that have been identified for post-trip review. (see Sections 3.2.8 and 3.2.9)
Data storage (historical) and recall capability shall be provided for the ICS data set. Pre-event data of at least 2 hours and post-event data of 24 hours shall be recorded. Archival data storage and the capability to transfer data between storage and active memory without interruption of data acquisition or display shall be provided. The ICS displays shall include, but not be limited to, alphanumeric and/or graphical presentation of the following critical safety functions:
- Reactivity control
- Reactor core cooling and heat removal from the primary system
- Reactor coolant system integrity
- Radioactivity control
- Containment conditions
On-line and historical display capability is required to provide a dynamic view of plant status during abnormal events. The displays shall be designed so that call-up, manipulation, and presentation of data can be readily performed. The display formats shall present information in a manner that permits easy analysis and comprehension. (NUREG-0737, Supplement 1, Section 4.1.f)
The ICS is designed to support resolution of HEDS 146 "Too many independent process computers" and 091 "Scale/Mathematical conversion requirements."
Refer to the ICS Software Requirement Specification (SRS) and System Design Description (SDD) for detailed design requirements for the above functions.
3.1.2 SPDS
The SPDS is a function of the ICS.
The purpose of the SPDS is to provide MCR operators with a concise display of critical plant variables to aid them in rapidly and reliably determining the safety status of the plant and to aid them in determining corrective action required to avoid a degraded core condition.
The SPDS consists of block type critical safety function status trees derived from the upgraded Westinghouse Owners Group (WOG)
Emergency Response Guidelines (ERG's) (See FR-O, Reference 9.1.8.3). Each tree uses several blocks containing questions with a yes or no output which leads to a status. When a status tree branch is not satisfied it directs the operator to an appropriate function restoration guideline.
A SPDS display shall be located within the MCR convenient to the operators. Additionally, the SPDS displays will be available at the TSC and EOF.
The SPDS equipment must be installed so that it does not degrade existing safety systems. The SPDS is not a safety related system but may result in an improvement to nuclear safety. Operators must be trained to respond to accidents both with and without the SPDS available. The SPDS shall be designed to seismic category I(L)B criteria inside seismic category I areas and to provide reliable indication during all modes of plant operation. It is not designed to remain functional during or after a design basis seismic event.
The SPDS design shall incorporate accepted human factors principles so that the displays can be readily perceived and comprehended by plant management, operators, and technical support personnel. (NUREG-0737, Supplement 1, Section 4)
3.1.3 BISI
BISI is a function of the ICS.
The purpose of BISI is to provide MCR indication of the bypassed and deliberately induced abnormal status of systems actuated or controlled by the reactor protection system (including auxiliary or supporting systems). These systems do not include the reactor trip system (Regulatory Guide 1.47, Revision 0).
3.1.4 Communication Data Links The communication data links are a function of the ICS.
Communications data links are required between the ICS and the EDS Computer for input of meteorological and river temperature data; and ICS and the CECC Computer for transmission of data offsite to the EOF.
3.1.5 Display of PAM Variables
Category 1 Variables
The Category 1 variables shall have data storage for trending by the ICS. The category 1 variables are defined in WB-DC-30-7 (reference 9.1.5.3). The trending of the category 1 variables must be available in the MCR & TSC for historical record.
Category 2 Variables Display of PAM category 2 variables that are not displayed elsewhere in the control room is a function of the ICS. Category 2 variables may be displayed in the main control room by computer display or by indicator per WB-DC-30-7 (reference 9.1.5.3).
3.1.6 RHR Mid-Loop Operation Monitoring Function The RHR mid-loop operation monitoring function provides for the monitoring of RCS temperature, reactor vessel level, and RHR system performance during mid-loop operation. The capability for continuously monitoring RHR system performance whenever an RHR system is being used for cooling the RCS is to be provided in the control room via the ICS.
3.1.7 Safety Functions The ICS is not expected to perform any nuclear safety-related function, therefore, the ICS need not be designed to meet nuclear safety-related Class 1E, single-failure criteria. None of the above systems (ICS, SPDS, BISI, BOP, NSSS, Communications Data Links, or the RHR Mid-Loop Operation Monitoring Function) performs a safety function. The ICS shall not be designed to safety system criteria and therefore is not to be used to perform functions essential to the health and safety of the public.
3.1.8 Design Basis Event (DBE)
The ICS is not required to detect or operate through any design basis event and performs no safety function.
The ICS design priority should be to perform continuous monitoring and evaluation of plant status in a reliable manner.
Since the WBN plant is designed on the basis that it can still operate when the ICS is inoperable, the ICS need not be required to function during or after a design basis seismic event.
3.1.9 BOP and NSSS Displays
The ICS will provide for the display of BOP and NSSS data in various types of displays as an aid for normal operations using the data available for the other functions.
3.1.10 Technical Support Center The ICS shall support the TSC requirements. The WBN Emergency Preparedness manager has determined the requirements for the TSC data display to be the formats documented in Reference 9.1.1.4.
The data points to support these formats are to be furnished by the ICS. The display will be similar to the main control room and the software and man/machine interface will be the same.
3.2 PLANT COMPUTER SYSTEM
3.2.1 Reliability
The ICS, and consequently all of its sub-systems, must be designed to meet the SPDS reliability goals. The reliability criteria for the SPDS are described in terms of unavailability.
Therefore:
3.2.1.1 Above Cold Shutdown
For plant modes above cold shutdown the unavailability shall be specified as an operational unavailability goal of 0.01. The operational unavailability goal shall be defined as:
ICS Operational unavailability = Downtime / Operating Time
Downtime is defined as any length of time that the ICS is unavailable when the reactor is in a mode above cold shutdown status due to any of the following:
- Inability to perform its designed functions (see Sections 3.3-SPDS, 3.7-Communication Networks, 3.16-TSC).
- Impaired ability due to degraded conditions in its non-redundant circuits, equipment, power supplies, or instrumentation.
- Unreliable performance due to the lack of adequate sensor data
- Scheduled outages for preventive maintenance.
(NOTE: Scheduled outages shall be limited to no more than 16 hours per calendar quarter or 4 days per 18 month fuel cycle. SPDS shall be capable of becoming fully operational within 30 minutes during any of these scheduled outages.)
Operating time is defined as any length of time that the reactor is in a mode above cold shutdown status.
The unavailability goal of 0.01 yields a maximum of 5.5 days of downtime for an 18 month fuel cycle.
3.2.1.2 Cold Shutdown/Refueling
The ICS has an unavailability goal of 0.2 while the reactor is in cold shutdown or refueling status. This unavailability is defined as:
PCS Cold Shutdown unavailability = Downtime / Cold Shutdown Time*
Downtime is defined as any length of time in which the ICS is unavailable while the reactor is in cold shutdown/refueling status because of any of the following:
- Inability to perform its design functions (see Section 3.3-SPDS).
- Impaired ability due to degraded conditions in its non-redundant circuits, instrumentation, or power supplies.
- Scheduled outages for preventive maintenance of ICS.
The SPDS must be available within 30 minutes during such outages.
* Cold shutdown time is defined as the length of time the reactor is in cold shutdown or refueling mode.
3.2.2 Interface Requirements The ICS shall gather, store, and display data required for the analysis of plant conditions in the TSC, EOF, and MCR. The ICS shall perform these functions independent of actions in the MCR and without degrading or interfering with the MCR and plant functions. Independence between the ICS and safety grade instrumentation shall be in accordance with WB-DC-30-4. The ICS shall not degrade the performance of safety systems.
- 1) Electrical Isolation from Class 1E equipment. The inputs and outputs to the ICS shall meet the isolation requirements of WB-DC-30-4.
- 2) All inputs and outputs must be isolated from the plant inputs such that normal faults on the plant side of the loops will have no adverse impact on the ICS other than loss of the one circuit with the fault.
- 3) The ICS shall be designed to prevent the ICS hardware from causing adverse effects on the plant loop being monitored.
- 4) The system shall be designed to prevent any changes to the ICS software or data being made by unauthorized personnel.
The interfaces that allow data highway transfer of ICS data shall be designed to be the lowest priority for processing and not affect the operator response times in any manner.
3.2.3 ICS Equipment The ICS shall be composed of a Data Acquisition Subsystem (DAS),
a Processor Subsystem (PS), a Display Subsystem (DS), and software. The ICS system shall be built around a solid state, integrated circuit, general purpose, high speed digital computer specifically designed for real-time operation. The system hardware configuration should include control room operator communication functions via the Satellite Display Station (SDS).
Hardcopy print-out of predefined logging and trending should be available in the MCR, TSC, and computer room. Hardware should be provided for performing diagnostics and maintenance. This equipment should be integral with the ICS and multiplexers.
The minimum ICS system configuration shall include the following:
3.2.3.1 Data Acquisition Subsystem (DAS)
- 1) The purpose of the DAS is to acquire and transmit to the plant computer system's PS required plant inputs to fulfill the requirements of the ICS.
- 2) The DAS shall be located in various parts of the plant and interface with the Processor Subsystem.
Plant parameters shall be sensed using multiplexer subsystems. Each multiplexer subsystem shall contain a microprocessor, memory, and point cards for analog, pulse or contact closure and voltage sense for discrete inputs. Sensor inputs performing redundant measurements shall be input to separate (channel-dependent) multiplexers. The scan rate for each analog input shall be assigned depending on the importance and estimated rate of change of the analog input. The minimum update rate for the reactor coolant system analog signals is 12 times per minute.
The scan rate for contact closure discrete inputs shall be once per second. Inputs to the DAS are based largely upon meeting the requirements of Regulatory Guides 1.23, 1.47 and 1.97.
- 3) At a minimum, the DAS shall be designed to monitor at least 20,000 analog inputs or calculated values, and 10,000 digital inputs or composed (Boolean) points.
The scan frequency shall be a minimum of 4000 points per second. Multiple scan rates shall be provided for analog points, including 0.1, 1.0, 5.0, 30.0, and 60.0 seconds. Digital points shall be scanned every second. Sequence of events points shall have a resolution of 1 millisecond and should be updated at least once every two seconds. Sequence of events inputs on different multiplexers will be synchronized to 4 milliseconds.
- 4) Analog input subsystems should be provided to perform signal conversion. The analog to digital (A/D) conversion should be calibrated accurate/repeatable to +/- 0.25 percent Full Scale (with a 6-month drift of less than 0.1 percent). The A/D should be capable of receiving both positive and negative signals and provide a digital value of at least 12 bits, plus sign.
- 5) An analog output subsystem should be provided to drive control room pen recorders. The calibrated accuracy/repeatability of the output signal should be +/- 1 percent of full scale.
- 6) The system shall have a scan diagnostics and monitoring system that monitors the scan cycle.
System input processing shall contain extensive error checking logic to detect errors in operation and in the data received. The system shall automatically indicate an open-thermocouple circuit prior to reading and produce an error message.
- 7) The system shall provide the capability to delete an input from scan processing, either manually or automatically. Deletion from scan processing shall not, however, remove the point from its normal scheduled scan and the scanned value shall be available to maintenance technicians.
The system shall automatically delete an input from scan processing when any of the following conditions is sensed:
(a) The value of the input exceeds its range.
(b) The multiplexer indicates an open thermocouple condition or other failed input.
(c) Acquisition of the input's value from the multiplexer is not possible.
A point once deleted from scan processing shall only be restored manually. The system shall allow restoring scan processing for a single or groups of points. Restoration shall also generate appropriate message outputs to log the event.
- 8) Isothermal ambient temperature reference junctions for ISA T, J, and K type thermocouples shall be furnished. The junctions shall be monitored by devices capable of sensing changes in ambient temperature to provide for compensation.
- 9) The analog input point processing capabilities shall include linear analog signals, non-linear analog signals, pulse, thermocouple, and RTDs. Digital input points include two-state inputs and Sequence of Event (SOE) inputs. The system shall be capable of RS-232C and ETHERNET communications.
3.2.3.2 Processor Subsystem (PS)
The PS shall be located in the computer room and interface with the DAS and the Display Subsystem. The PS shall be configured to satisfy the data system needs.
This computer system shall be developed using proven, commercially-available hardware.
Each central processing unit shall contain solid state memory and floating point hardware, and hardware bootstrap. The system shall have automatic and manual restart features.
Both working and bulk memory should be sized to be adequate to accomplish all functions and software requirements (real time data acquisition, processing, archiving, and display as well as expected background support tasks). It shall be possible to add another 50% memory without major system upgrades.
The system shall include a real-time clock to provide timing pulses as required by the system. The ICS shall accept a time synchronization standard such as IRIG-B. This will be used to synchronize the ICS with other time dependent plant equipment such as the main control room clock and Ronan Annunciator.
The Central Processing Unit of the PS shall be supported with the following peripherals:
- a. Disk drive
- b. Computer operator/programmers console
- c. Printer
- d. Display devices
The maximum time from completion of a new display request to initiation of the requested display page (display page information begins to appear) shall not exceed 2 seconds. The maximum time from completion of a new display request to completion of the requested display page (all static and dynamic information displayed) shall not exceed 3 seconds except for calculation and trend display requests. There should be limited cases where the time exceeds 6 seconds. An example would be a historical data request.
Processor Features
The following features shall be provided for each processor:
(a) Hardware bootstrap loader, capable of manual designation of load device.
(b) Virtual main memory supported by the operating system for user application.
(c) Hardware floating-point arithmetic processor with precision of at least six decimal places.
(d) Multi-level, priority-interrupt structure providing the means to arm, disarm, activate, deactivate, and trigger individual interrupts and groups of interrupts, and providing the means to trigger interrupts by external events.
(e) Power fail-safe facilities, providing means for an orderly shutdown of the processor upon loss of power and for an automatic restoration of operation when power is restored.
(f) Facilities to monitor and detect misoperation of processor and I/O instructions (such as watchdog or deadman timers).
(g) Detection and reporting to the processor of memory errors, protect errors, attempts to access nonexistent main memory, I/O errors, and attempts to execute non-implemented or illegal commands.
Processor Loading
System speed shall be sufficient to accomplish all defined tasks concurrently without degradation of system response. As a minimum, average ICS CPU loading over a one hour period taken in one second slices shall be no more than 40 percent with the plant at 100% steady state power. Idle time waiting for auxiliary memory transfers, along with processor busy time, shall be included in the calculation of processor loading as unavailable processing capability.
A timing study to evaluate processing capability shall be performed to demonstrate the system's processing capability and spare capacity.
3.2.3.3 Display Subsystem (DS)
The ICS shall utilize a DS to provide information to the operator in the MCR and to personnel staffing the TSC.
The DS shall utilize printers and Satellite Display Stations (SDS), each of which consists of a CPU and color monitor, in the MCR, CR, and TSC. (NUREG-0737, Supplement 1, Section 4.1.b).
High speed printers (e.g., line, laser) should be provided to perform all required printout functions, i.e., periodic logs, demand logs, summary logs, performance calculations, and alarms. Printer selection shall consider both print speed and ambient noise.
The BISI and SPDS functions shall be available at any SDS in the MCR and TSC.
The SPDS and BISI functions supply data required in the MCR as well as the TSC and EOF. The ICS shall facilitate providing the data to all three locations.
There must be at least two SDS located in the MCR which are both readily accessible and visible from the normal operating area and the SRO's desk. One of the SDS must be located convenient to the NSSS operator. The monitors should be viewable by the operator at the control panels if desired. They shall not restrict normal movements or hinder visual access to other instrumentation in the MCR. No additional personnel will be required for ICS operation.
All SDS shall have high resolution and shall be updated (refreshed) with the most recent dynamic information at least once every 2 seconds and shall continuously display the most recent data.
Abnormal BISI indication shall be accompanied by an audible alarm.
3.2.4 Software
3.2.4.1 The ICS shall have a software configuration comprised of a complete data acquisition, data base management, display, communication software package, and maintenance software. The primary purpose of the computer software will be to process, analyze, and display the plant data in the TSC, MCR and EOF. Many standard software features will be available to provide data to the operator. For example, such features as single point details, formulate and initiate logs, add/remove points to/from scan, enter constant values, display or print page, alarm review, and bad input reviews, will be provided.
Historical data shall be stored by the computer system and made available to TSC and EOF personnel for trend analysis and evaluations. A unit trip shall terminate the pre-trip data collection and initiate the post trip data collection routine.
The system shall provide for storage of at least 2 hours of pre-trip data and at least 24 hours of post trip data at a sample frequency of 10 seconds and at least 2 weeks of additional post-event data. Archival data storage shall not interrupt normal data acquisition and display functions. Historical data recall shall be provided.
The ICS data acquisition system shall obtain data on a time interval consistent with the importance or use of the data and the response characteristics of the particular instrument and system. The system throughput time interval (time from sensor detection plus transmission time plus computer software processing time for data to be stored into tables and displayed) should be < 6 seconds for points on a second scan rate. All data must be compared against data acquisition and system-limits to determine whether it is within range.
Redundant inputs shall be made for SPDS inputs where possible to increase confidence in the data.
Three quality levels shall be retained for each variable: Good, Bad, and Entered. The criteria are:
- a. Good data
- b. Bad data:
  - Sensor data inconsistent with the majority of redundant sensor values.
  - Data evaluated as bad because it is outside the process sensor limits or data acquisition system span, because hardware checks indicate a malfunctioning input device, or because it has been removed from scan.
- c. Data which is operator entered.
The data quality shall be carried into all subsequent calculations involving that data, and the resultant data quality shall be indicated on each display of the variable and related variables computed using that variable.
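The following is an added illustration of the scan-deletion rules in 3.2.3.1 item 7 (automatic deletion on out-of-range, open thermocouple or failed acquisition; manual restoration only, with logging) together with the Good/Bad/Entered quality rules above, including propagation of quality into calculated variables. It is not TVA's or the WBN ICS vendor's software; point names, span limits and the Good < Entered < Bad ranking used when combining qualities are constructed assumptions.

```python
"""Scan-deletion and data-quality model of the kind 3.2.3.1 item 7 and 3.2.4.1 describe.

Added illustration; not TVA's or the WBN ICS vendor's software. Point names,
span limits and the Good < Entered < Bad ranking used when combining qualities
are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Sequence, Tuple


class Quality(Enum):
    GOOD = "Good"
    ENTERED = "Entered"
    BAD = "Bad"


# Assumed ranking: a calculated result is only as good as its worst input.
_RANK = {Quality.GOOD: 0, Quality.ENTERED: 1, Quality.BAD: 2}


@dataclass
class Point:
    name: str
    lo: float                      # lower limit of sensor / DAS span
    hi: float                      # upper limit of sensor / DAS span
    value: Optional[float] = None  # latest scanned or operator-entered value
    quality: Quality = Quality.BAD
    on_scan: bool = True           # False once deleted from scan processing


@dataclass
class ScanProcessor:
    points: Dict[str, Point]
    log: List[str] = field(default_factory=list)

    def acquire(self, name: str, raw: Optional[float], open_input: bool = False) -> Quality:
        """One scheduled scan of `name`. `raw` is None when the multiplexer could not
        deliver a value; `open_input` is the multiplexer's open-thermocouple/failed flag."""
        p = self.points[name]
        p.value = raw  # the scheduled scan continues, so maintenance still sees the value
        if not p.on_scan:
            p.quality = Quality.BAD  # removed from scan processing => Bad data
            return p.quality
        reason = None
        if raw is None:
            reason = "acquisition from multiplexer not possible"
        elif open_input:
            reason = "multiplexer indicates open thermocouple or failed input"
        elif not (p.lo <= raw <= p.hi):
            reason = f"value {raw} outside range [{p.lo}, {p.hi}]"
        if reason is None:
            p.quality = Quality.GOOD
        else:  # automatic deletion from scan processing, logged
            p.on_scan, p.quality = False, Quality.BAD
            self.log.append(f"DELETED {name} from scan processing: {reason}")
        return p.quality

    def restore(self, names: Sequence[str]) -> None:
        """Manual restoration of one or more points; each restoration is logged."""
        for n in names:
            self.points[n].on_scan = True
            self.log.append(f"RESTORED {n} to scan processing (manual)")

    def enter(self, name: str, value: float) -> None:
        """Operator-entered value carries quality Entered, not Good."""
        p = self.points[name]
        p.value, p.quality = value, Quality.ENTERED
        self.log.append(f"ENTERED {name} = {value}")

    def redundant_check(self, names: Sequence[str], tol: float) -> None:
        """Mark a Good sensor Bad when it is inconsistent with the majority of its
        redundant partners (agreement = within `tol` of at least half of them)."""
        good = [n for n in names if self.points[n].quality is Quality.GOOD]
        if len(good) < 3:
            return  # no majority to compare against
        for n in good:
            others = [self.points[m].value for m in good if m != n]
            agree = sum(abs(self.points[n].value - v) <= tol for v in others)
            if 2 * agree < len(others):
                self.points[n].quality = Quality.BAD
                self.log.append(f"BAD {n}: inconsistent with majority of redundant sensors")

    def calculate(self, inputs: Sequence[str],
                  func: Callable[..., float]) -> Tuple[Optional[float], Quality]:
        """Evaluate func over the input values and carry the worst input quality
        into the result, as the display of the calculated variable must show."""
        vals = [self.points[n].value for n in inputs]
        q = max((self.points[n].quality for n in inputs), key=_RANK.__getitem__)
        if any(v is None for v in vals):
            return None, Quality.BAD
        return func(*vals), q


def build_demo() -> ScanProcessor:
    """Constructed sample data base: three redundant hot-leg RTDs and one pressure point."""
    pts = {n: Point(n, 0.0, 700.0) for n in ("T_HOT_A", "T_HOT_B", "T_HOT_C")}
    pts["PZR_PRESS"] = Point("PZR_PRESS", 0.0, 3000.0)
    return ScanProcessor(pts)
```

The point of the model is that a deleted point never silently returns to Good on the next in-range scan, and that an average of one Good and one Bad input is displayed as Bad.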
The processor application software shall be written in a high level programming language like FORTRAN-77.
A software configuration management program to ensure software control and high quality shall be established during the project design and will continue to be followed to control software additions/changes and shall meet the requirements of SPP-2.6 (Reference 9.1.2.2).
3.2.4.2 The ICS Software shall be controlled by a Software Quality Assurance Plan. The software for SPDS, BISI, and other programs considered to be quality-related must meet the full requirements of SPP-2.6. The software programs not considered quality-related may meet less stringent requirements for V & V, but an evaluation as to the effects on quality-related software operation must be done.
The following documents must be maintained and engineering approval required on any revision.
- SOFTWARE REQUIREMENTS SPECIFICATION (SRS) - This is the critical document that defines to the user what the application/modification will do. The SRS describes each requirement of the software and external interfaces. Each requirement shall be defined such that its achievement can be verified and validated.
- SOFTWARE DESIGN DESCRIPTION (SDD) - The SDD shall describe the major components of the software design including data bases and internal interfaces. The SDD is a technical description of how the software will meet the requirements stated in the SRS. It describes the major functions of the software such as data bases, external and internal interfaces, and the overall structure. The SDD involves the detailed descriptions of the operating environment and modeling (engineering approval not required unless required by SPP-2.6 or other site procedures).
- SOFTWARE VERIFICATION AND VALIDATION PLAN (SVVP) -
The SVVP shall describe for each phase of the software life cycle: the verification and validation (V&V) tasks; tools, methods, and criteria; inputs and outputs; resources; and roles and responsibilities for accomplishing V&V of the software product.
Verification activities are those activities, conducted by an individual independent from the code developer, that confirm, substantiate, and ensure the coding has been implemented and accomplished in conformance with the specified requirements. V&V is conducted in parallel with software development.
Each life cycle phase ends when the V&V tasks of that phase are complete. V&V tasks are iterative: As changes are made to the software product, selected V&V tasks are re-performed, or additional V&V tasks are developed and conducted to address the changes.
The Software Verification and Validation Report (SVVR) documents the results of the SVVP.
- SITE ACCEPTANCE TEST (SAT) PLAN TEST PROCEDURES
- SOFTWARE FACTORY ACCEPTANCE TEST (FAT) or equivalent document.
- USER DOCUMENTATION
- Configuration Management plans shall be developed to ensure that the baseline documents and system accurately reflect current configuration. The following are the minimum required to be controlled:
- 1) Code Control - The revision level of the source code must be controlled on engineering output.
- 2) Supporting Documentation: SRS, SDD, SVVP & SVVR, SAT, User Documents
3.2.5 Programmer's Console
A programmer's console should be provided in the computer room for programming, debugging, and general system use.
3.2.6 Alarming Software shall be provided to warn the operator whenever field inputs or calculated values (with alarm destination set for alarm screen and alarm logger in the data base) exceed constant or variable limits by actuating an audible alarm and displaying a message. Alarm messages shall remain on the screen until acknowledged; once acknowledged, the alarm message shall automatically clear the display following a return to normal of the actuating condition. There should be a clearly identified method to identify to the operators the difference between alarm and unacknowledged return to normal. It shall be possible to request a display of all outstanding alarms, as well as a hardcopy alarm summary.
3.2.7 Analog Trending (Pen Recorder Output)
Software shall be provided to simultaneously trend up to 12 addressable points. The operator should be able to select the points for trending, set the scaling and update interval, and control the starting and stopping of the trending.
3.2.8 Test-Trip
Software shall be provided to monitor the way in which certain plant variables are affected when some planned event is made to occur in the plant. This program, when selected at the time of the planned event, is to provide a printed record of operator selectable groups of plant variables/statuses for 2 minutes preceding the planned event and for 3 minutes following the event.
3.2.9 Post-Trip
As a minimum, post trip log points are monitored for 3 minutes both before and after a reactor trip.
As a minimum, the following parameters shall be stored at 2.5 second intervals.
- 1. Power range channel 1 (Quad 4) Q
- 2. Power range channel 2 (Quad 2) Q
- 3. Power range channel 3 (Quad 1) Q
- 4. Power range channel 4 (Quad 3) Q
- 5. Turbine first stage pressure 1
- 6. Turbine first stage pressure 2
- 7. Reactor Coolant TREF
- 8. Unit Generator Gross megawatts (MW)
The hard copy printout is available for storage.
3.2.10 Sequence of Events
Software shall be provided to record the sequence of change of status of up to 500 digital inputs. The reported time resolution between occurrence of the first change and subsequent changes shall be determined to the nearest millisecond. Sequence of events inputs on different multiplexers will be synchronized to 4 milliseconds.
The ICS shall store in the archive file the sequence of status changes of up to 64 changes of Digital Trip Action (DTA) inputs.
Printout occurs when either the number of saved status changes reaches 64, or after one minute has elapsed from the initiation of saving cycle time. Printout includes all scanned changes in order of their occurrence along with associated cycle times.
This printout is then available for permanent storage.
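The sequence-of-events buffering described in 3.2.10 (up to 500 inputs, millisecond resolution, a batch flushed at 64 saved changes or one minute after the saving cycle began, changes reported in time order) is illustrated below. This is an added example, not ICS code; the point names, the OPEN/CLOSED labels and the printout layout are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StatusChange:
    t_ms: int        # time of the change, millisecond resolution
    point: str
    state: int       # 1 = contact closed, 0 = contact open


class SoeRecorder:
    """Sequence-of-events recorder.

    Status changes are buffered and written out as one printout when either
    64 changes have been saved or one minute has elapsed since the first
    change of the current saving cycle.  Each printout lists the changes in
    time order with times relative to the first change in the batch.
    """

    MAX_INPUTS = 500
    BATCH_LIMIT = 64
    BATCH_WINDOW_MS = 60_000
    MUX_SYNC_MS = 4          # multiplexer clocks agree to within this tolerance

    def __init__(self, points):
        points = list(points)
        if len(points) > self.MAX_INPUTS:
            raise ValueError(f"at most {self.MAX_INPUTS} sequence-of-events inputs")
        self._last: Dict[str, Optional[int]] = {p: None for p in points}
        self._batch: List[StatusChange] = []
        self._batch_start_ms: Optional[int] = None
        self.printouts: List[List[str]] = []      # completed printouts, oldest first

    def scan(self, t_ms: int, point: str, state: int) -> Optional[List[str]]:
        """Record one scanned state; returns a printout if this change filled the batch."""
        if point not in self._last:
            raise KeyError(f"{point} is not a sequence-of-events input")
        prev = self._last[point]
        self._last[point] = state
        if prev is None or prev == state:
            return None                           # first observation, or no change
        if not self._batch:
            self._batch_start_ms = t_ms           # start of a new saving cycle
        self._batch.append(StatusChange(t_ms, point, state))
        if len(self._batch) >= self.BATCH_LIMIT:
            return self._flush()
        return None

    def tick(self, now_ms: int) -> Optional[List[str]]:
        """Time-based flush; call periodically with the current clock."""
        if self._batch and now_ms - self._batch_start_ms >= self.BATCH_WINDOW_MS:
            return self._flush()
        return None

    def pending(self) -> int:
        return len(self._batch)

    def _flush(self) -> List[str]:
        # Changes from different multiplexers may arrive out of order by up to
        # MUX_SYNC_MS; a stable sort on the timestamp restores the reported order.
        batch = sorted(self._batch, key=lambda c: c.t_ms)
        t0 = batch[0].t_ms
        lines = [f"SOE printout: {len(batch)} changes, cycle start {t0} ms"]
        for c in batch:
            lines.append(f"{c.t_ms - t0:6d} ms  {c.point:<16} -> {'CLOSED' if c.state else 'OPEN'}")
        self._batch = []
        self._batch_start_ms = None
        self.printouts.append(lines)
        return lines
```

The first scan of each input only establishes its initial state and is not reported as a change; the recorder therefore needs one full scan before it begins producing events.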
3.2.11 Sensor Calibration and Conversion
This information is used mainly for input calibration verification and troubleshooting.
Analog Input Scanning - In addition to the hardware signal conversion, the ICS should automatically scan all analog inputs in a pre-established sequence, validate the input, perform computations necessary to convert the raw data values into engineering units, and store the engineering unit values in memory for use by the various application programs.
The ICS should maintain or update status information which describes the condition of each input such as, alarm condition out of range, removal from scan, etc.
3.2.12 Application Programs
At a minimum, along with the application programs for ICS, SPDS, BISI, Communications Data Links, or the RHR Mid-Loop Operation Monitoring Function, the following application programs and program packages should be supplied:
- Nuclear Steam Supply System Process Supervision
- Reactor Control and Protection System Supervision
- Sequence of Events
- Post Trip Review Log
- Balance of Plant Performance Calculations
- Analog and Digital Scan
- Miscellaneous Monitoring Programs
- NUCLEAR PROGRAMS
- River Temperature Monitoring
- Saturation Monitoring
- Steam Release Flow Calculations
- Containment Sump Rate of Rise
- Equipment Run Time Programs
3.2.13 Data Processing
The following functions shall apply each time new input data is obtained from the input/output equipment or new calculated data is produced by the system.
All of the points found on drawing 47A615-series Computer Termination and I/O List must be processed as one of the following: analog inputs, digital inputs, analog composed points, analog calculated points, transformations, digital composed points, analog outputs and digital outputs. (See sections 3.2.14 through 3.2.15.6)
3.2.14 Analog Inputs
The system shall be capable of scanning and processing all analog inputs at a rate of at least once per second. The system shall perform, as a minimum, the following processing of all analog inputs each time they are scanned.
(a) Conversion to Engineering Units: Each analog input shall be converted to its engineering unit value before being stored in the system data base.
The system is to have a conversion program that allows each point to have individually assignable conversion coefficients.
(b) Reasonability Limit Checking: The system shall contain limit-checking logic to allow each analog input value to be compared with stored high and low reasonability limits defined by the signal range of the input sensor. Input values outside this range indicate sensor or system failure and shall cause a bad quality alarm.
(c) Operating Range Limit Checking: The system shall have the capability to compare each analog input value with individually stored high-high, high, low, and low-low limits.
The high and low limits define the normal operating range of the plant variable. The high-high and low-low limits define an emergency range of an alarmed variable. Values outside the normal operating range or beyond the emergency range shall generate separate alarms.
(d) Calculated Limits: The system should have the capability of using calculated high and low operating limits for all inputs. Calculated limits shall be dynamically calculated using values of other system variables as terms in equations.
(e) Alarm Limits Deadband: Each analog input shall have an adjustable deadband associated with its operating range alarm limits to prevent unnecessary alarms when an input value hovers about a limit. The alarm deadband value for each input shall be definable by on-line manual entry of values in engineering units on SDS displays.
(f) Alarm Enable/Disable: The system shall allow the user to manually disable and enable operating range alarm limits for each limit on a per-point basis. The capability shall be provided to block the disable function for any point or points.
(g) Alarm Cutout: The system shall provide an automatic alarm "cutout" capability to suppress and enable operating range alarm limits for any analog variable. This alarm cutout function shall be applied to a given analog point based on the state of a "cutout variable" which may be a digital input, a digital calculated point, or a digital composed point. The state of this "cutout variable" shall determine if the assigned limit checking is suppressed or enabled for each associated analog point. The state of the cutout variable that causes suppression shall be manually selectable on a per-point basis.
(h) Manual Value Substitution: The system shall permit manual substitution of the value of any analog variable. When a substitute value is assigned to an active point, that point shall be automatically deleted from scan processing. Normal data processing, however, shall continue using the substitute value in place of a scanned value. The substituted value shall be tagged with a "substitute" quality code (see section 3.2.4.1). Value substitution shall be terminated by manually restoring the point to scan processing.
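Items (a) through (h) together define one scan cycle for an analog input. The example below, added here and not part of WB-DC-30-29 or the ICS software, runs that cycle in the order the items imply: engineering-unit conversion, reasonability check (bad quality stops further checking), alarm cutout, then the four operating limits with enable/disable flags and a deadband applied when an alarm clears. The quality code strings, the transmitter name and the 4-20 mA to 0-2500 psig coefficients are constructed for the illustration; the document's actual quality codes are in section 3.2.4.1.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Quality codes used in this example (constructed names; see section 3.2.4.1 for the system's own).
GOOD, BAD, SUBSTITUTE = "good", "bad", "substitute"


@dataclass
class AnalogPoint:
    name: str
    coeffs: Tuple[float, ...]           # (a) polynomial coefficients c0, c1, ...: EU = sum(ci * raw**i)
    reason_low: float                   # (b) reasonability limits = signal range of the sensor
    reason_high: float
    low_low: float                      # (c) operating range limits
    low: float
    high: float
    high_high: float
    deadband: float = 0.0               # (e) engineering units; value must clear the limit by this much
    enabled: Dict[str, bool] = field(   # (f) per-limit enable/disable
        default_factory=lambda: {"LL": True, "L": True, "H": True, "HH": True})
    cutout_var: Optional[str] = None    # (g) name of a digital point
    cutout_when: int = 1                # (g) state of cutout_var that suppresses limit checking
    substitute: Optional[float] = None  # (h) manual substitute value; None while the point is on scan
    value: Optional[float] = None
    quality: str = GOOD
    active: Set[str] = field(default_factory=set)   # alarm tags currently in alarm


def to_engineering_units(raw: float, coeffs: Tuple[float, ...]) -> float:
    return sum(c * raw ** i for i, c in enumerate(coeffs))


def process_analog(pt: AnalogPoint, raw: float, digitals: Dict[str, int]) -> Tuple[float, str, Set[str]]:
    """One scan cycle for an analog input; returns (value, quality, active alarm tags)."""
    if pt.substitute is not None:
        eu, pt.quality = pt.substitute, SUBSTITUTE            # (h) scanned value ignored, point off scan
    else:
        eu = to_engineering_units(raw, pt.coeffs)             # (a)
        if not (pt.reason_low <= eu <= pt.reason_high):       # (b) outside sensor range: not trusted
            pt.value, pt.quality, pt.active = eu, BAD, {"BAD_QUALITY"}
            return eu, BAD, set(pt.active)
        pt.quality = GOOD
    pt.value = eu
    pt.active.discard("BAD_QUALITY")
    # (g) limit checking is suppressed while the cutout variable is in the selected state
    if pt.cutout_var is not None and digitals.get(pt.cutout_var) == pt.cutout_when:
        pt.active.clear()
        return eu, pt.quality, set()
    checks = (("HH", pt.high_high, True), ("H", pt.high, True),
              ("L", pt.low, False), ("LL", pt.low_low, False))
    for tag, limit, is_high in checks:
        if not pt.enabled.get(tag, True):                     # (f) a disabled limit never alarms
            pt.active.discard(tag)
            continue
        exceeded = eu > limit if is_high else eu < limit      # (c)
        # (e) an alarm clears only once the value is back past the limit by the deadband
        back_in = (eu <= limit - pt.deadband) if is_high else (eu >= limit + pt.deadband)
        if exceeded:
            pt.active.add(tag)
        elif back_in:
            pt.active.discard(tag)
    return eu, pt.quality, set(pt.active)
```

Because the reasonability check returns before any operating-range comparison, a failed sensor produces exactly one alarm (bad quality) instead of a cascade of spurious high-high or low-low alarms, which is the behaviour item (b) asks for.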
3.2.15 Digital Inputs:
The system shall perform, as a minimum, the following processing of all digital inputs each time they are scanned. The system shall be capable of associating either state of a status point (open or closed input contact) with either state of the actual device (such as open or closed valve).
(a) Inversion: The system should include the capability to convert the scanned state of any digital input to the opposite state before it is stored in the data base.
(b) Alarm Detection: The system shall provide alarm status checking and alarm generation for digital inputs. Either state of the input contact may be designated as the alarm state.
(c) Action Triggering: Each digital input shall have the capability to have prespecified "actions" associated with it.
An "action" is an identification of a program or subroutine to be called when a change of state is detected. Each action shall be associated with the off-to-on change of state, the on-to-off change of state, or all changes of state.
(d) Alarm Status Enable/Disable: The system shall allow the user to manually disable and enable alarm detection on a per-point basis.
(e) Alarm Cutout: The system shall provide an automatic alarm "cutout" capability to suppress and enable alarm status checking for any digital input. The alarm cutout function shall be applied to a given digital point based on the state of a "cutout variable", which may be a digital input, a digital calculated point, or a digital composed point. The state of this "cutout variable" shall determine if the assigned alarm status checking is suppressed or enabled for each associated digital point. The state of the "cutout variable" that causes suppression shall be selectable on a per-point basis.
(f) Manual Status Substitution: The system shall permit manual substitution of the state of any digital variable via the Point Attribute display. Substitution may be performed on active points or points that have been deleted from scan processing. When a substitute state is assigned to an active point, that point shall be automatically deleted from the scan processing. Normal processing, however, shall continue using the substituted state in place of a scanned state. The substituted state shall be tagged with a 'substitute' quality. State substitution shall be terminated by restoring the point to scan processing.
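The digital-input items differ from the analog ones mainly in inversion (a), a designated alarm state (b) and edge-triggered actions (c). The example below, added here and not part of WB-DC-30-29 or the ICS software, shows those three together with enable/disable (d) and status substitution (f); the cutout mechanism (e) is the same as for analog points and is not repeated. The limit-switch point name and the action callbacks are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

OFF_TO_ON, ON_TO_OFF, ANY_CHANGE = "off_to_on", "on_to_off", "any"
Action = Callable[[str, int, int], None]      # (point name, previous state, new state)


@dataclass
class DigitalPoint:
    name: str
    invert: bool = False                              # (a) store the opposite of the contact state
    alarm_state: Optional[int] = None                 # (b) 0 or 1; None = this point never alarms
    actions: List[Tuple[str, Action]] = field(default_factory=list)   # (c) (edge, program to call)
    alarm_enabled: bool = True                        # (d)
    substitute: Optional[int] = None                  # (f) manual state; None while on scan
    state: Optional[int] = None
    quality: str = "good"


def process_digital(pt: DigitalPoint, contact: int):
    """One scan of a digital input; returns (state, quality, in_alarm, fired edges)."""
    if pt.substitute is not None:                     # (f) point is off scan; contact is ignored
        new, quality = pt.substitute, "substitute"
    else:
        new, quality = (1 - contact if pt.invert else contact), "good"   # (a)
    prev = pt.state
    fired: List[str] = []
    if prev is not None and prev != new:              # (c) a change of state was detected
        for edge, action in pt.actions:
            if edge == ANY_CHANGE or (edge == OFF_TO_ON and new == 1) or (edge == ON_TO_OFF and new == 0):
                action(pt.name, prev, new)
                fired.append(edge)
    pt.state, pt.quality = new, quality
    # (b)(d) alarm when the stored state equals the designated alarm state and detection is enabled
    in_alarm = bool(pt.alarm_enabled and pt.alarm_state is not None and new == pt.alarm_state)
    return new, quality, in_alarm, fired
```

Actions fire on the stored (possibly inverted or substituted) state rather than on the raw contact, which keeps "normal processing continues using the substituted state" true for action triggering as well as for alarms.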
3.2.15.1 Analog Composed Points Analog composed points shall have values that are the result of performing arithmetical and/or logical operations on the values of other system variables.
3.2.15.2 Analog Calculated Points
Analog calculated points shall be named system variables whose values are calculated by any system application program and can be accessed by system functions, such as SDS, logs, and other application programs. The processing and attributes of analog calculated points shall be similar to analog inputs.
3.2.15.3 Transformations
The system shall be capable of transforming a sequential set of values for any analog input, analog composed point, or analog calculated point, in engineering units, into another related variable. Values from any transformed variable shall be accessible to all system functions such as logs, SDS, and calculations. The ability to assign or remove variables from any transformation via on-line SDS interaction shall be provided. Any transformation based on an input variable with other than a 'good' quality shall automatically tag its result with the quality of the input used in the calculation.
3.2.15.4 Digital Composed Points
The system shall provide digital composed points that are bi-state points whose states are resultants of logical operations involving other system variables.
3.2.15.5 Analog Outputs
Analog outputs shall consist of digital-to-analog converter outputs for use in trend recording. These outputs shall be assignable from any system analog variable.
3.2.15.6 Digital Outputs
The system shall provide contact closure outputs. These outputs shall be named system variables whose states (open/closed) are set by system programs and can be accessed by system functions, such as SDS and logs.
3.2.15.7 Instrument Calibration and Maintenance Facility
The system shall provide the facilities described below to assist the user in performing instrument calibration and maintenance functions.
Conversion Coefficient Calculation: The system shall provide a facility for on-line calculation of the engineering unit conversion equation coefficients. The user will specify the type of conversion, and the system shall calculate the required coefficients in the equations.
3.2.15.8 Data Logging
The system shall generate operations, performance, and event logs based on real-time, historical, calculated, and manually entered values. The system shall also generate logging related alarm messages, event messages, and user-action messages as required. Formatting of all logs shall be generated by the system such that preprinted log forms are not required.
Logs shall be individually assignable to any system printer. The system shall prevent output intermixing between functions such as alarm messages, logs, and summaries. For example, a log in progress shall complete before another printout is permitted. The system shall start each log page at the beginning of a new printer page. The system shall buffer all printer outputs to prevent loss of any data in the event the printer becomes inaccessible to the system for any reason during the printing operation. The ICS shall provide the capability to manually terminate any printout on demand.
3.2.15.9 Data Base Change Log
The Data Base Change Log shall print a chronological list of all data base changes entered during the previous day. The log shall be printed automatically each day after midnight.
3.2.15.10 Historical Data Storage and Retrieval
The system shall include Historical Data Storage and Retrieval functions capable of storing and retrieving system variable values, logs, alarm messages, and other information.
3.2.16 Security
3.2.16.1 Protection of the ICS system hardware and software against unauthorized manipulation of or interference with input signals, data processing, storage, and output shall be provided.
3.2.16.2 The system shall be designed with both physical (limited terminal access) and software (access codes) controls to prevent access to the system by unauthorized personnel.
3.2.16.3 The system shall be designed to limit, on a per-terminal basis, access to the system and the priority given to data requests.
3.2.17 Man/Machine Interface
The "users" are the Reactor Operators, Reactor Engineers, System Engineers, TVA Management Personnel, Computer Engineers, Programmers, and Instrument Mechanics who will interface with the system. The man/machine interface (MMI) must be convenient and responsive, and must provide the flexibility to adapt to system growth and changes. The system is not to be changed without the knowledge or consent of the control room operators and without "tagging out" the SPDS for maintenance.
3.2.17.1 Man/Machine Functions:
The man/machine interface equipment, software, and techniques shall be designed to enable the users to perform their activities as efficiently as possible.
Rapid, convenient, and reliable methods for interacting with all MMI equipment shall be provided.
(a) The number of user entries required to access any SDS or ICS function shall be minimized.
(b) Default values shall be inserted on screens requiring data entry wherever possible.
(c) A positive response shall be given to all user entries within two seconds of the entry.
The design of the MMI shall allow for future expansion of functions and flexibility in interactive techniques.
3.2.17.2 Man/Machine Facilities:
The principal interface between the ICS and its users shall be full-graphic, color Satellite Display Stations (SDS) located in the Main Control Room, Computer Room, Technical Support Center (TSC), Emergency Operations Facility (EOF) and the Operations Support Center (OSC).
3.2.17.3 Interactive Requirements:
The following interactive techniques are to be used in the MMI.
3.2.17.3.1 Element Highlighting:
The high density of information on display pages demands that easily discernible highlighting techniques direct the user to critical data. The use of color, flashing, character inversion, and appended symbols to highlight alarms, data entry locations, and invalid or out-of-scan data is required.
3.2.17.3.2 Data Quality Indication:
All system displays and logs containing dynamic analog input values, analog composed points, analog transformations, and analog calculated values shall have an indication of quality associated with each data field. The quality indicator shall reflect the condition of the data (such as bad or substitute data) on the system display or printout.
3.2.17.3.3 User Guidance:
The MMI shall provide feedback for user input actions-even if only to indicate that the action was not accepted or that the requested function has been queued. Indications on system displays, such as test messages, color changes, flashing, and backlighted pushbuttons may be provided for this purpose.
The use of Help displays that provide instructions associated with the currently active system display should be used.
3.2.17.3.4 Display Coordinate Selection:
Areas of each system display for which interactive functions have been defined shall be selectable by cursor positioning. Several methods of rapid and convenient cursor positioning shall be provided, such as touch screen targets, forward and backward tab keys, basic cursor control keys, trackball and/or mouse.
3.2.17.3.5 Human Error:
Extensive checks on user entries to detect errors shall be done. Invalid entries, such as an incorrect point number or incorrect sequence of actions, shall be detected and reported to the user in an error message. Error messages shall be in plain English and shall not require the use of reference documents for interpretation.
Acknowledgment of error messages shall not be required. The user shall not be required to repeat steps that were correctly executed prior to the erroneous action.
If the user initiates a second function prior to completion of an input sequence, the system should automatically abort the current sequence and begin the input sequence for the new function.
3.2.17.3.6 Display Selection:
The following methods shall be provided for user selection of system displays:
(a) Cursor selection of a display-select target on any system display, including index, graphic, and tabular displays
(c) Forward and backward paging through a series of displays
(d) Activation of a PREVIOUS option causing the display that was on view immediately prior to the current display to be recalled.
3.2.17.3.7 Data Entry:
Protection against unauthorized modifications to point-oriented data shall be provided.
Entering a value or state descriptor for a point that is normally scanned by the data acquisition subsystem or calculated by an application program shall result in the point being deleted from scan processing and marked as "substitute" on all displays and reports. If the parameter is not normally scanned or calculated, no "substitute" indication shall be utilized.
3.2.17.3.8 Single Point Control:
The system shall provide secure interactive, single point functions such as: inhibiting and enabling alarms, deleting points from scan, and changing data base attributes. These functions are only available on the MCR SDSs and the computer room programmer's SDSs.
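Sections 3.2.16.2, 3.2.16.3, 3.2.17.3.7 and 3.2.17.3.8 together describe two independent gates in front of a point-oriented change: the terminal the request comes from must be one where the function is available, and the user must present a valid access code. The example below, added here and not part of WB-DC-30-29 or the ICS software, applies both checks in that order and records every decision for review. The terminal identifiers, the function names and the user are constructed; access codes are stored as salted PBKDF2 hashes and compared in constant time, which is a modern choice for the "access codes" the document calls for rather than anything the document specifies.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

# 3.2.17.3.8: single point functions are only available at MCR SDSs and the
# computer room programmer's SDSs; ordinary display viewing is available at any SDS location.
SINGLE_POINT_FUNCTIONS = {"inhibit_alarm", "enable_alarm", "delete_from_scan",
                          "restore_to_scan", "substitute_value"}
FUNCTION_TERMINAL_CLASSES: Dict[str, Set[str]] = {
    fn: {"MCR", "COMPUTER_ROOM"} for fn in SINGLE_POINT_FUNCTIONS}
FUNCTION_TERMINAL_CLASSES["view_display"] = {"MCR", "COMPUTER_ROOM", "TSC", "EOF", "OSC"}

PBKDF2_ITERATIONS = 100_000


class AccessController:
    """Terminal-based (3.2.16.3) and access-code-based (3.2.16.2) authorization."""

    def __init__(self, terminals: Dict[str, str]):
        self.terminals = dict(terminals)                       # terminal id -> terminal class
        self._codes: Dict[str, Tuple[bytes, bytes]] = {}       # user -> (salt, derived key)
        self.audit: List[Tuple[str, str, str, str, str]] = []  # (decision, reason, user, terminal, function)

    @staticmethod
    def _derive(code: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def enroll(self, user: str, code: str) -> None:
        salt = os.urandom(16)
        self._codes[user] = (salt, self._derive(code, salt))

    def authenticate(self, user: str, code: str) -> bool:
        record = self._codes.get(user)
        if record is None:
            self._derive(code, bytes(16))        # same cost for unknown users, so timing tells nothing
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(code, salt))

    def authorize(self, user: str, code: str, terminal: str, function: str) -> bool:
        """Both gates must pass: the terminal is permitted for this function, and the code is valid."""
        terminal_class = self.terminals.get(terminal)
        allowed = FUNCTION_TERMINAL_CLASSES.get(function, set())   # unknown function: nowhere
        if terminal_class not in allowed:
            self.audit.append(("DENY", "terminal", user, terminal, function))
            return False
        if not self.authenticate(user, code):
            self.audit.append(("DENY", "access_code", user, terminal, function))
            return False
        self.audit.append(("ALLOW", "", user, terminal, function))
        return True
```

An unregistered terminal or an unknown function is denied without consulting the access code at all, so a misconfigured or missing entry fails closed, and the audit list distinguishes the two denial reasons so a reviewer can tell a wrong code from an attempt made at the wrong station.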
3.2.17.3.9 Hardcopy Initiation:
A function shall be provided to initiate a hardcopy of an ICS display.
3.2.17.3.10 Response And Update:
The system shall respond to user requests, even under the peak load conditions, within two seconds.
All ICS responses to the user must be clear, complete, and in plain English.
When a new system display is requested, the new display shall be initiated within two seconds.
When data entry is performed on an existing display, the data entry operation shall be completed and the newly entered value(s) redisplayed in their final representation within three seconds.
Once a display containing dynamic data appears on a SDS, the data shall be periodically updated.
Dynamic data shall be updated on all displays, except the SPDS displays and the system Trend displays, no less frequently than every five seconds. The dynamic data on the SPDS displays shall update every two seconds.
All system alarm actions, including SDS message production and highlighting of variables in alarm, shall occur on all system displays containing alarm information within two seconds of alarm detection by the ICS processor.
3.2.17.3.11 Alarm Processing:
All alarms, whether they are related to scanned data, calculated data, application programs, or system hardware, shall be presented to the user with a consistent man/machine interface technique.
3.2.17.3.12 Graphic Displays:
The system shall support graphic displays which present data on P&ID diagrams, electrical one-line diagrams, exclusion plots, and other graphic formats.
It shall be possible to include static graphic, dynamic graphic, static alphanumeric, and dynamic alphanumeric information on the same display. The capability to change the color and/or shape of any dynamic graphic symbol (single character or group of characters) depending on the alarm status or state of any data base point may be provided.
Graphic displays may contain cursor targets to allow convenient selection of related displays, including the associated group tabular display and bar chart display. The capability to link graphic displays for selection via the PAGE FORWARD and PAGE BACKWARD pushbuttons shall also be provided.
3.2.17.3.13 Group Displays:
Tabular and bar chart displays should be provided for displayed groups of related data base points.
The tabular and bar chart displays shall be independently definable, but related displays may be linked via cursor targets.
3.2.17.3.14 Graphic Trending:
The system shall provide graphic trending of real-time data and stored historical data against a user-selected time base for any variable, input or calculated. Variables may be selected for trending from any display containing that variable. All MCR & TSC SDS shall be capable of trending. The Trend function shall be capable of trending four sets of two variables at each SDS.
Trend Displays:
The system shall provide for trending of real-time data and stored historical data against a user-selected time-base for any system variable, input or calculated. Individual ordinates shall be provided for each trend variable; these ordinates shall be color-coded to match the color of the variable's trace. Default values shall appear automatically for each variable's scale, based on the trend range listed in the data base. The user shall have the capability to conveniently revise the range of each variable and return to default conditions.
The technique for displaying trends shall differ depending on whether the data is being trended in real-time or from a historical data buffer:
(a) In real-time, the selected trend variable shall be presented on the SDS screen in a recorder-like format. Old data values shall roll off the trend graph as the display is being updated with new values. As a minimum, 256 individual data values shall be displayed for any variable on the SDS screen prior to rolling-off a data value for the variable.
When a variable is selected for trending, the trend function shall initially display the latest 256 values of historical data properly formatted for the selected time base. For example, if a thirty-minute time base has been selected, the most recent thirty-minutes of historical data shall be initially displayed on the SDS. The display shall then begin updating with real-time data. The trend update rate shall be based on the number of trend pixels across the screen and the selected time base. This function may be limited to PAM CAT I variables only.
(b) When selecting a variable for trending from the historical data base, the user shall be able to specify the beginning of the time period of interest and the time base to be displayed.
Once the historical data variables have been selected for trending, the user shall be able to "page" through a non-updating snapshot of the historical data. The user shall be able to page either forward or backward in time within the constraints of the data stored in the historical files. No "wrap-around" of oldest to newest data shall be provided.
3.2.17.3.15 SDS Keyboards:
Plug-detachable keyboards may be mounted in front of the SDS at each console. The keyboards shall include standard QWERTY alphanumeric keys, a separate numeric keypad, and a cursor-control keypad. The cursor-control keypad shall include keys for horizontal, vertical, and home positioning of the cursor. Mice will be included with the keyboard if the SDS does not have a touch screen monitor.
Tactile feedback is required for all keyboards.
3.2.17.3.16 SDS Touch Screen Panels:
SDS Touch Screen Panels may be used in the MCR.
Cursor-control functions may be performed by a touch screen on applicable color SDS panels. Upon recognition of a valid touch the coordinates shall be read by the system and the appropriate actions taken. Touch screen resolution shall be sufficient to permit positioning the cursor unambiguously to the smallest screen target used.
3.3 SPDS
3.3.1 Function
The SPDS is an operational aid that serves to concentrate a minimum set of plant parameters from which the safety status of the plant can be assessed in a timely manner without surveying the entire control room. The primary function is to aid the operating staff in the rapid detection of abnormal operating conditions. The secondary functions are to provide additional information to analyze and diagnose the cause of the abnormality and monitor plant response.
The primary users of the SPDS during an accident are the assistant shift operating supervisor and the shift technical advisor.
3.3.2 Location
The location of the SPDS displays shall be in the MCR, TSC and OSC. At least two terminals shall be in the MCR.
From the normal control room operating area, the SPDS displays shall be both readily accessible and visible to the Shift Technical Advisor (STA) and the Assistant Shift Operating Supervisor (ASOS). Only one terminal in the MCR is required to be functional for the system to be operational.
3.3.3 Size
The SPDS display console shall be sized to be compatible with existing space in the control area of the MCR. The SPDS display shall not interfere with normal movement or full visual access to other displays and systems. The SPDS display shall be readable from the emergency operating station of the senior reactor operator (refer to WB-DC-30-23).
3.3.4 Staffing
No personnel additions to the normal control room operating staff shall be required due to the addition of SPDS.
3.3.5 Design Considerations
The SPDS is based on the critical safety function status trees from the upgraded Westinghouse Owners Group (WOG) Emergency Response Guidelines (ERGs). The status trees are defined in FR-0 (References 9.1.8.3 and 9.1.9.23).
Each tree uses several blocks containing questions with a yes or no output which leads to a status. When a status tree branch is not satisfied, it directs the operator to an appropriate Function Restoration Guideline. The set points for the status trees are defined in WBN-OSG4-188. (Reference 9.1.3.3)
Status trees developed from the WOG ERGs are converted to plant-specific trees for Watts Bar. The different branches are color coded to show the operator how serious any challenge is to a critical safety function. The ordering of the trees also defines priorities. The colors in order of priority are: red (solid line), orange (dashed line), yellow (short dashed line), and green (double line).
In addition to the critical safety function status trees, a radiation monitoring display for important radiation monitor points (including shield building, auxiliary building, steam generator blowdown, and condenser vacuum exhaust) to supplement the containment critical safety function status trees will be included on the top level display. The top level display will also monitor decay heat and hydrogen concentration in containment. The critical safety function status trees, along with this additional radiation monitoring display, fulfill the five SPDS functions of reactivity control, reactor core cooling and heat removal from primary system, reactor coolant system integrity, radioactivity control, and containment conditions as identified in Supplement 1 to NUREG-0737.
The SPDS does not have to meet the single failure criterion; however, Class 1E qualified isolators are required to maintain independence from safety-related systems (Reference 9.1.9.23).
The processing and display equipment shall be of proven high quality and reliability.
The SPDS will not be designed to safety related system criteria, and it is not to be used to perform functions essential to the health and safety of the public. Operator action cannot be based solely on SPDS indication.
The SPDS shall be integrated with other MCR improvements such as control room design review and the development of new function-oriented emergency operating procedures to enhance the operator's ability to comprehend plant status and cope with emergencies (NUREG-0737, Supplement 1, Sections 3 and 4.3)
The minimum information sufficient to provide an operator with the plant's safety status is the top level display which monitors the following critical safety functions:
- Reactivity control
- Reactor core cooling and heat removal from the primary system
- Reactor coolant system integrity
- Radioactivity control
- Containment conditions (NUREG-0737, Supplement 1, Section 4.1.f and NUREG-0800, Section 18.2A.1.f).
The parameters required for the SPDS are found in calculation WBN-OSG4-142 (reference 9.1.3.2).
The setpoints for the SPDS logic and alarms are determined in WBN-OSG4-188 (reference 9.1.3.3)
The SPDS availability goal is 99% or greater when the plant is operating in a mode above cold shutdown, and 80% during cold shutdown (See Section 3.2.1).
The SPDS display shall be available on at least two color SDS in the MCR. Although both of these monitors are normally expected to be operational, only one is required to be operational in order for the SPDS to be considered available.
3.3.6 Display Considerations
The SPDS display shall be designed to incorporate accepted human factors engineering principles so that the displayed information can be readily perceived and comprehended by SPDS users. (NUREG-0737, Supplement 1, Section 4.1.e and WB-DC-30-23).
The primary SPDS display should accurately indicate the status of important plant functions. A combination of primary and secondary displays shall be used resulting in a hierarchical display ranked one above another in a systematic order of importance.
The SPDS status trees are to be as identical as possible to the FR-0 hard copy status trees.
The system shall display on all displays a constant SPDS target that indicates Critical Safety Parameter status to the operator priority by color change. Each status tree shall have a box that indicates priority by color. The highest priority status shall drive the SPDS target and status tree boxes as follows: red highest, orange next highest, yellow lowest priority, and green normal.
To ensure that the SPDS status boxes "S", "C", "H", "P", "Z", and "I" are continuously displayed, the WBN SPDS software will not be designed with the capability to overwrite any of the status boxes under any condition.
The top level display, i.e., the primary display, should provide the operator with enough information to detect a change in the plant's safety status. The top display will also include decay heat, radiation, and hydrogen concentration. Succeeding lower level displays should provide correspondingly higher levels of detail. Travel through the hierarchy must be bi-directional in that the user should be readily able to go to higher or lower levels of detail. Lower level detail displays should notify the operator when a change in safety status occurs.
The use of the containment isolation status panels (CISPs) is sufficient for meeting the SPDS requirements for indication of containment isolation valves status.
The SPDS setpoints, logic flows, and display formats shall be in agreement with related instrumentation on the control panels in the Control Room, and system sensor characteristics, as applicable (Reference 9.1.9.23).
Displayed variables important to safety should be organized in formats that are easy for the operator to read and interpret.
Display formats should display each element so that it corresponds directly with a single variable or function, i.e., each element should have a label or other identifier.
Magnitude and trend information should be provided on lower level display formats. Trend displays showing quantitative rate of change information must accurately represent the trend of the variable.
The capability of displaying a time history of each safety-status variable shall be provided covering enough time to accurately depict the onset and development of conditions that vary from the preceding normal operating conditions.
3.3.6.1 Display Techniques
The SPDS display should provide enhancements to improve the operator's perception, comprehension, and detection of conditions that may affect the plant's safety status.
The display of abnormal conditions must be distinctly different in appearance from the display of normal conditions to allow the operator to readily detect conditions that may have safety significance as soon as they occur.
The following display techniques can be used to differentiate normal from abnormal conditions:
- Graphic representation
- Identification
- Perceptual aids such as color, symbols and mimics, graphic overlays, and blinking
- Display patterns
- Status setpoints
- Dark Blue will not be used
3.3.6.2 Software for the SPDS: Additional Requirements
Regarding software reliability, the initial SPDS software and subsequent changes will undergo formal verification and validation to ensure that requirements are accurately specified, implemented, and tested.
Software changes are documented, approved, and controlled by qualified personnel and procedures.
3.4 BISI
The primary intent of BISI is to provide an indication that a functional path for each train of a safety system has been purposely rendered in a state which could cause inoperability. The functional path is defined as the process flow path for each train of equipment. In this system, it is assumed that the use of alternate equipment to make up a functional path requires manual operator intervention and is not considered in the functional path definition. The final decision of system operability or inoperability is left to the unit operator to determine per Technical Specifications, since the operator may configure the system to meet Technical Specifications but may not meet the functional path logic (Regulatory Guide 1.47).
3.4.1 BISI Design and Operation
The BISI shall be designed to operate during all normal plant modes of operations including startup, hot and cold shutdown, hot standby, refueling, and power operation. The logic to implement the BISI shall be developed for power operation. Process flow path alignment may be different for other modes of operation (e.g., refueling), thus creating abnormal alarms that do not directly relate to the system level alarm (e.g., Feedwater Train A). The operating crew will determine the impact of each alarm on the process flow path indication during these modes of operation.
The BISI is not required to operate during or after a design basis accident.
The BISI shall not be designed to safety related system criteria and therefore is not to be used to perform functions essential to the health and safety of the public. Class 1E isolation is required, however, to maintain the independence of safety related equipment and systems.
The components monitored to make up the functional path alarm for each plant mode for each system shall meet all of the following conditions (RG 1.47):
- The action is deliberate. It is not the intent of the system to show operator errors or component failures.
- The action could render inoperable (not just potentially inoperable) a redundant portion of the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the systems it actuates to perform their safety-related functions; and
- The component is expected to be rendered inoperable more frequently than once a year; and
- The action is expected to occur when the affected system is normally required to be operable per Technical Specifications.
- The deliberate action has taken place in the safety system or a necessary supporting system.
Not all equipment and components making up a functional path will require monitoring by BISI to satisfy the conditions above. Only those components determined to meet all of the above requirements will be required to be monitored.
BISI shall provide alarm notification of the abnormal status of each monitored system. Logic will be used to create the system level "ABNORMAL" such that if any component in a functional path is "ABNORMAL" then the path is abnormal. Also, if any supporting function such as cooling water, ventilation, control air, or electric power is lost, then all systems affected by the loss shall be so indicated. See Section 3.4.3 for implementation criteria.
Abnormal BISI indication shall be accompanied by an audible alarm.
The BISI shall provide, on demand, alarm message displays or printouts of all BISI calculated points. The ICS shall be capable of providing printouts of all BISI alarms for shift turnover or historical logging.
3.4.2 Systems Monitored by BISI
The BISI shall monitor and provide system level alarms of the safety-related and support portions of the below listed plant systems (RG 1.47). Portions of these systems which serve no safety function and can be separated from the safety functions performed by these systems will not be monitored.
- MAIN AND AUXILIARY FEEDWATER (INCLUDING SG ISOLATION)
- SAFETY INJECTION
- RESIDUAL HEAT REMOVAL
- CONTAINMENT SPRAY
- EMERGENCY GAS TREATMENT
- ESSENTIAL RAW COOLING WATER
- CHEMICAL AND VOLUME CONTROL
- HEATING, VENTILATION AND AIR CONDITIONING
- COMPONENT COOLING
- CONTROL AIR (INCLUDING AUXILIARY CONTROL AIR)
- STANDBY DIESEL GENERATOR
If there are components identified which are not within the above systems but are actuated by the ESFAS to support the operation of the above systems, then these components shall be monitored and alarmed with the system they support.
3.4.3 Component Level Implementation Criteria
Components which are automatically actuated by the ESFAS and are determined to meet the criteria given in Section 3.4.1 will be monitored for the conditions described below.
Status contacts shall continuously monitor the availability of control power and the position of circuit breakers (rack-in or out) of all automatically actuated ESF devices identified in the systems referred to in Section 3.4.2.
Status contacts shall continuously monitor the availability of control power of motor starters of all automatically actuated ESF devices identified in the systems referred to in Section 3.4.2.
Status contacts shall continuously monitor the availability of control power of solenoid valve actuated components if the device requires control power to be available for movement to its safe condition. This applies to all automatically actuated ESF devices identified in the systems referred to in Section 3.4.2.
Status contacts shall continuously monitor the position of handswitches (e.g., Pull to Lock) that can be placed in a state which would yield the system or components identified in Section 3.4.2 inoperable.
A component which is not actuated directly by the ESFAS but is slaved to a monitored, automatically actuated ESF component and is required to operate to support that component shall be monitored.
No component is required to be monitored for available power supply if it fails safe on loss of power or power disconnect.
Other components may also be monitored as deemed appropriate.
System level logic shall be developed on each train functional path (e.g., Feedwater Train A) to actuate a system level alarm.
A conceptual example is shown in Figure A.
3.4.4 BISI Display Criteria
A system level display via the BISI display or indicating lights shall be provided to indicate the status of the systems identified in Section 3.4.2.
This system level display or indicating lights shall indicate the status of each system's train functional path as well as the status of any support system that may place the indicated system in an inoperable or bypassed condition.
Each functional path column will contain a colored box in either blue, red, yellow or green depending on the status of the BISI system. If the BISI system has been bypassed, the word 'BYPASSED' will be displayed in red beside the box. If an alarm condition exists for the functional path or support system, additional detailed information shall be provided to the operating crew so as to allow determination of the abnormal condition. The information provided shall identify to the operating crew the exact nature of the initiating condition for the abnormal alarm. Each colored BISI system point will allow the user to access a detailed system screen when activated by touch area, mouse or other pointing device.
3.4.4.1 Alarm Function
Whenever a system abnormal condition exists, an audible alarm in the MCR (separate from the main annunciator system) shall be generated so as to direct the operator's attention to the BISI system display or indicating lights.
The BISI system shall have an acknowledge feature that will acknowledge the flashing boxes on the BISI screen.
An audible alarm will be generated and can be acknowledged by the control room operator.
3.4.4.2 Manual Control
Manual entry capability of each system status shall be provided. This allows the operating crew to provide bypass indication for an event that renders a safety system abnormal but does not automatically operate the system level indicators.
There shall not be any capability to defeat an automatic operation of a system level indicator and audible alarm.
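The functional-path logic of Sections 3.4.1 through 3.4.4, as an added example that is not part of WB-DC-30-29 or of the plant's BISI software: a Python model in which a train functional path is ABNORMAL if any monitored component is ABNORMAL or a supporting function it depends on is lost, a component that fails safe on loss of power is not evaluated for control power, the operating crew can add but not clear an automatic indication, and abnormal indication raises an audible alarm that can be acknowledged. The component names, status contacts and support-system wiring are constructed for illustration.

```python
"""BISI functional-path logic (added example; not from WB-DC-30-29 or plant software).

Models Sections 3.4.1, 3.4.3 and 3.4.4 of the ICS design criteria. Component
names, status contacts and the support-system wiring below are constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set


@dataclass
class Component:
    name: str
    path: str                  # train functional path, e.g. "Feedwater Train A"
    contacts: Dict[str, bool]  # status contact -> True when in its normal state
    fails_safe_on_loss_of_power: bool = False

    def abnormal_reasons(self) -> List[str]:
        """One reason per abnormal contact, naming the initiating condition (3.4.4)."""
        reasons = []
        for contact, normal in self.contacts.items():
            # Section 3.4.3: no power-supply monitoring for a component that
            # fails safe on loss of power, so that contact is not evaluated.
            if contact == "control_power" and self.fails_safe_on_loss_of_power:
                continue
            if not normal:
                reasons.append(f"{self.name}: {contact} abnormal")
        return reasons


@dataclass
class Bisi:
    components: List[Component]
    supports: Dict[str, Set[str]]                  # support function -> paths it serves
    lost_supports: Set[str] = field(default_factory=set)
    manual: Set[str] = field(default_factory=set)  # operator-entered status (3.4.4.2)
    acknowledged: Set[str] = field(default_factory=set)

    def paths(self) -> List[str]:
        seen: List[str] = []
        for c in self.components:
            if c.path not in seen:
                seen.append(c.path)
        for served in self.supports.values():
            seen.extend(p for p in sorted(served) if p not in seen)
        return seen

    def automatic_reasons(self, path: str) -> List[str]:
        """Any abnormal component, or any lost support, makes the path ABNORMAL (3.4.1)."""
        reasons = [r for c in self.components if c.path == path for r in c.abnormal_reasons()]
        for support, served in self.supports.items():
            if support in self.lost_supports and path in served:
                reasons.append(f"support lost: {support}")
        return reasons

    def status(self, path: str) -> Dict[str, Any]:
        reasons = self.automatic_reasons(path)
        if path in self.manual:
            reasons.append("manual entry by operating crew")
        abnormal = bool(reasons)
        return {"abnormal": abnormal, "reasons": reasons,
                "flashing": abnormal and path not in self.acknowledged}

    def evaluate(self) -> Dict[str, Dict[str, Any]]:
        result = {p: self.status(p) for p in self.paths()}
        # A path that has returned to normal loses its acknowledgement, so the
        # next abnormal condition flashes and alarms again.
        self.acknowledged = {p for p in self.acknowledged
                             if p in result and result[p]["abnormal"]}
        return result

    def audible_alarm(self) -> bool:
        """Audible alarm in the MCR while any abnormal path is unacknowledged (3.4.4.1)."""
        return any(s["flashing"] for s in self.evaluate().values())

    def acknowledge(self) -> None:
        self.acknowledged |= {p for p, s in self.evaluate().items() if s["abnormal"]}

    def set_manual(self, path: str) -> None:
        self.manual.add(path)

    def clear_manual(self, path: str) -> None:
        # Removes only the operator-entered indication; an automatic
        # indication cannot be defeated this way (Section 3.4.4.2).
        self.manual.discard(path)


def demo() -> Dict[str, Dict[str, Any]]:
    """Constructed scenario: Train A pump breaker racked out and control air lost."""
    bisi = Bisi(
        components=[
            Component("AFW Pump A breaker", "Feedwater Train A",
                      {"control_power": True, "racked_in": False}),
            Component("AFW Pump B breaker", "Feedwater Train B",
                      {"control_power": True, "racked_in": True}),
            Component("AFW Pump B handswitch", "Feedwater Train B",
                      {"not_pull_to_lock": True}),
            Component("SI Pump A breaker", "Safety Injection Train A",
                      {"control_power": True, "racked_in": True}),
        ],
        supports={"Control Air": {"Feedwater Train A", "Feedwater Train B"},
                  "Electric Power Train A": {"Feedwater Train A", "Safety Injection Train A"}},
    )
    bisi.lost_supports.add("Control Air")
    return bisi.evaluate()
```

In `demo()` Train B has no abnormal component of its own, yet it reads ABNORMAL because control air is lost; that is the support-function propagation of Section 3.4.1. The reasons list carries the initiating condition for each path, which is the detail the operating crew must be given under Section 3.4.4.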
3.5 Support Calculations
At a minimum, the ICS is used to perform the following calculations to support operations. Following each calculation is a reference to either the plant procedure being implemented and/or the Control Room Design Review (CRDR) HED.
3.5.1 Radiation Release Rates (HED 139, EPIP-16, Reference 9.1.8.6)
3.5.2 Deleted
3.5.3 Maximum Vent Time (Sequoyah HED 301, FR-I.3, Reference 9.1.8.5)
3.5.4 Reactor Core Delta-T (HED 194)*
3.5.5 Heat-Up/Cool-Down (HED 194, 1-SI-68-44, Reference 9.1.8.4)
3.5.6 Auxiliary Feedwater Total Flow [Total of the four Auxiliary Feedwater loops]
The results of the calculation shall be displayed in the same or similar format as the instruction it supports. Those that do not support a specific instruction may be inputs to other displays.
These calculations, since they are implementing plant procedures, must be revised if the procedure being implemented is changed. The plant organizations responsible for the procedures are responsible for requesting changes to these calculations if the procedure changes.
3.6 RHR Mid-Loop Operation Monitoring Function
The RHR mid-loop operation monitoring function provides for the monitoring of RCS temperature, reactor vessel level, and RHR system performance during mid-loop operation. The capability for continuously monitoring RHR system performance whenever an RHR system is being used for cooling the RCS is to be provided in the control room by a dedicated display page on the ICS.
RCS temperature shall be monitored by two incore thermocouples and visibly and audibly alarmed in the MCR.
RHR mid-loop wide range level indication shall be by RVLIS input to the ICS.
* Footnote to Section 3.5.4: Reactor Core Delta Temperature for Natural Circulation Verification = (Hot Leg temperature - Cold Leg temperature) < 30°F and decreasing, per "Natural Circulation Cool-down Operational Guidance Report" WCAP-12335.
RHR mid-loop narrow range level indication shall be by ultrasonic level measurement input to the ICS.
RHR system performance shall be indicated by RHR pump discharge flow, discharge pressure, and pump motor current (as a backup indication) input to ICS.
3.7 Communication Networks and Data Links
The ICS architecture shall utilize Local Area Networks (LAN), Campus Area Networks (CAN), and Wide Area Networks (WAN) to maximize system use by various organizations while still maintaining overall system reliability and integrity and minimizing system response time. This shall be accomplished by using a hierarchical approach in the software and hardware. The hierarchy is as follows:
- Process Control Communications
- Process Data Acquisition Communications
- Key User Interface Communications
- Primary User Interface Communications
- Other User Interface Communications
The "Key Users" are primarily for meeting regulatory requirements.
Specifically, these are Main Control Room Unit Operators, TSC, and EOF (CECC) personnel. Key Users also include two off-site users who will be able to log in to the system remotely; these users shall have the ability to resolve ICS problems during non-work hours.
The "Primary Users" are other on-shift Operations personnel, senior plant management, Tech Support, Instrument Maintenance, and Chemistry.
The "Other Users" are other on-site and off-site duty personnel.
Non-authorized users shall be prevented from obtaining access to the system.
The ICS shall provide a means of acquiring data from and supplying data to computer based systems both on and off site. The communications data links shall interconnect the following two computer systems.
3.7.1 EOF
In response to NUREG-0737 Supplement 1, all data (real and calculated) along with status and quality information will be available for transmission by data link to one or more SDS in the EOF. Upon request the ICS will send the CECC computer a dynamic data base snapshot (a maximum of 200 process variables) every 15 seconds over a high speed communications link. This data shall meet the requirements of NUREG-1394, Emergency Response Data System (ERDS) (Reference 9.1.9.22).
3.7.2 EDS Computer
Communications between the ICS and the EDS Computer shall allow the ICS to access variables that are input to the EDS computer.
All EDS data required by RG 1.23 and required to support the TSC functions shall be transmitted at a rate of once per minute and displayed with the radiation release data.
3.8 Electrical Requirements
The ICS electrical load shall not degrade the capability or reliability of any safety-related power source. Transients or power supply failures/fluctuations shall not cause a loss of stored data vital to the ICS. Power sources shall be provided to maintain continuity of function and to immediately resume acquisition, storage and display of data if loss of the primary ICS power source occurs.
Class 1E electrical cable, tray, and conduit will be required to bring any safety-related signals to Class 1E isolators (WB-DC-30-4).
Non-Class 1E cabling, tray, and conduit may be used for all ICS interconnection downstream of the Class 1E isolation. All communication between the three subsystems of the ICS, i.e., DAS, PS, and DS, may be Non-Class 1E.
3.8.1 Power System for the ICS
A reliable, uninterruptible, high quality power system shall be required for the DAS, PS, DS, and data storage equipment. The hard copy equipment shall be able to self-recover from a power loss but does not have to be powered by uninterruptible power.
The power system shall have an operational availability sufficiently high to support the ICS design goal availability (See Section 3.2.1).
The system shall supply power to all components required for the data system. The uninterruptible power system shall have the ability to provide sufficient power for 2 hours to permit continued system operation in the event of a loss of offsite power and to permit an orderly shutdown of the DAS, DS, and PS.
The ICS power system shall incorporate administrative controls and power isolation features as needed for any interfaces with the Class 1E standby power system to prevent degradation of the capability or reliability of the safety-related power systems.
The ICS equipment including display hardware shall have three power sources:
- Normal: Rectified station unit board AC power inverted to 120V AC
- Alternate: Station battery 250V DC inverted to 120V AC
- Maintenance: Regulated 120V AC from 480V AC station unit board
The electrical control board operator's ICS SDS, located in the center of the MCR, is not required to support any ICS requirements and is not required to have uninterruptible power.
3.8.2 Power Supply for the ICS HVAC
The power requirements for the support of the HVAC shall be from normal and alternate sources which are physically independent and electrically isolated. Manual transfer to the alternate power supply shall be acceptable. The equipment and its power supply need not be Class 1E qualified.
3.9 Mechanical/Civil Requirements
3.9.1 Technical Support Center
HVAC equipment shall support the ICS design goal unavailability of 0.01. This unavailability shall be to the extent that the failure of a single active component should not cause the ICS to fail. The display subsystem equipment located in the TSC shall be supported by a system that meets the requirements of N3-30CB-4002.
3.9.2 Computer Room
HVAC equipment shall support the ICS design goal unavailability of 0.01 by meeting the vendor's recommended environment for maximum reliability. This unavailability is supported by the Electrical Board Rooms Air-Conditioning System which is an engineered safety feature. Cooling is supplemented by additional cooling from air handling units (water side is safety-related; air side is not) per WB-DC-40-36.1 (Reference 9.1.5.11). This system is described in N3-30CB-4002, System Description for Control Building-Heating, Ventilating, Air Conditioning and Air Cleanup. This system supports the ICS Processor Subsystem and the Display Subsystem for the MCR.
3.9.3 Seismic
The ICS equipment located in close proximity to safety-related (Class 1E) equipment shall be qualified Seismic Category I (L) if it is determined that the loss of ICS structural integrity could jeopardize the function of the Class 1E equipment.
3.10 Environmental Requirements
The ICS shall be designed for operation in a noncorrosive atmosphere. The equipment should not be submerged in water nor be subjected to any chemical spray. The system shall be designed to operate for the life of the plant under the environmental conditions identified on the Environmental Data Drawing Series 47E235 (Reference 9.1.1.2). All the ICS equipment must be procured to operate within the normal operating bands of temperature and humidity for the areas in which the equipment is located.
To ensure high system availability, the computer room equipment shall be properly conditioned such that the ambient temperature is within 50 to 85°F and the relative humidity is within 40 to 75 percent (non-condensing). Temperature changes shall not exceed a rate of 10°F per hour. Incoming air should be filtered to ensure clean air.
The ICS equipment that will experience the environmental conditions of design basis accidents, through which it need not function for accident mitigation but through which it must not fail in a manner detrimental to plant safety or accident mitigation, shall be qualified for those conditions.
The ICS is designed for operation in a noncorrosive atmosphere.
Additionally:
- Wall and ceiling materials and/or coatings shall be dust and flake-proof.
- Flooring shall minimize powdering, i.e., vinyl tile.
- Halon or CO2 fire extinguishing equipment shall be provided.
3.11 External Events
The ICS is not required for safe shutdown of the plant during external design basis events such as tornadoes, floods, rain, and transportation accidents. The ICS does not have to be qualified Seismic Category I. See Section 3.9.3 for seismic events.
3.12 Maintenance Requirements
The ICS will require periodic maintenance and calibration. Integral diagnostics will be provided to aid in trouble-shooting and to simplify maintenance. Calibration procedures will be required for the Class 1E isolators and the cards in the intelligent multiplexers. In addition, calibration procedures for instrumentation which is input to the ICS shall include verification of the ICS input signal at the DAS and as displayed on the DS.
3.13 Regulatory Requirements
The design, installation, and operation of the ICS shall meet the intent of the following regulations and standards to the degree that these requirements have been incorporated into the WBN design basis.
1) Generic Letter 82-33, Supplement 1 to NUREG-0737, Requirements for Emergency Response Capability, dated December 17, 1982.
2) RG 1.47, BISI for Nuclear Power Plant Safety Systems, Revision 0, dated May 1973.
3) RG 1.97, Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident, Revision 2, dated December 1980.
4) NUREG-0800, Standard Review Plan, Section 18.2, SPDS, Revision 0, dated November 1984.
5) IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, Section 4.7.2 (for Class 1E isolators only).
6) IEEE Standard 323-1974, Qualifying Class 1E Equipment for Nuclear Power Generating Stations (for Class 1E isolators only).
7) IEEE Standard 344-1975, Standard for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations (for Class 1E isolators only).
8) RG 1.75, Physical Independence of Electrical Systems, Revision 1, dated January 1975, as interpreted by the WBN FSAR Chapter 7.1.2.2, Independence of Redundant Safety-Related Systems (for Class 1E isolators only).
9) Appendix R to 10 CFR 50, Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979, for consequence of additional combustibles in affected fire zones, i.e., cable insulation only.
10) Generic Letter 89-06, NUREG-1342, A Status Report Regarding Industry Implementation of Safety Parameter Display Systems.
A Safety Analysis of the SPDS subsystem of the ICS shall be prepared describing the basis for selecting parameters that are sufficient to assess the safety status of each identified function for a range of events which will include symptoms of severe accidents.
3.14 Human Factors Requirements
The ICS shall meet the requirements of WB-DC-30-23 (Human Factors) and the intent of Design Standard DS-EI8.1.24 (Reference 9.1.7.2).
Additionally, the SPDS implementation plan shall be reviewed in accordance with the Technical Specifications to determine if the ICS involves an unreviewed safety question or changes to the Technical Specifications.
3.15 Display of PAM Variables
3.15.1 All Category 1 PAM Variables will have at least one of the redundant loops available for trending. Pre-trip data per Section 3.2.4 is required.
3.15.2 Display of the PAM category 2 variables identified for computer display will be by tabular format on a single page. Each input will be identified as a PAM category 2 parameter. If room allows, the PAM category 3 variables not displayed elsewhere in the control room may also be displayed on this same page for operator convenience. There is no requirement to display PAM category 3 variables on the computer.
3.16 Technical Support Center (TSC)
At a minimum, the TSC shall have three (3) color SDS/keyboard combinations, one printer, and a color printer. A large color monitor shall be provided for general monitoring.
3.16.1 The specific formats required for the TSC are documented in references 9.1.1.4 and 9.1.2.6. There should be a TSC menu to select displays from.
3.16.2 The TSC SDS stations have the same general capabilities as the MCR units.
3.16.3 The TSC requires the display and trending capability of at least one channel of each PAM category 1 variable.
4.0 LAYOUT AND ARRANGEMENT
The majority of the ICS equipment will be located in the Computer Room, El. 708.0', of the Control Building. Located therein will be the Processor Subsystem.
Consoles: At a minimum, the following Sections specify the location of each console and the types and quantities of devices to be provided. Each console shall consist of one or more full-graphic color monitors and one or more keyboard/function panels.
Operator's Console(s): At a minimum, the ICS shall include Operator's Console(s) in the MCR which shall include three color monitor/keyboard combinations and one (1) printer. These are located in the MCR, EL. 755.0' of the control building.
Computer Engineer Console: At a minimum, the ICS system shall include a Computer Engineer Console which will be located in the Computer Room and shall include one color monitor/keyboard combination, and one medium speed printer.
Technical Support Center (TSC) Console: At a minimum, the ICS system shall include three (3) color monitor/keyboard combinations, one (1) large screen (at least 31") color monitor/keyboard combination, one medium speed printer and one color copier. The TSC is at EL. 755' of the Control Building.
The intelligent multiplexers which make up the Data Acquisition Subsystem of the ICS are located in various parts of the plant.
At a minimum, the ICS will interface with the following equipment:
- Nuclear Instrumentation System (NIS)
- Process Instrumentation System
- Environmental Data Station Computer
- CECC Computer
- Emergency Auxiliary AC Power System
- 120 V AC Vital Instrument Power System
- Eagle-21 Reactor Protection System
- Main Control Room Annunciator System
- Various multipoint recorders acting as digital multiplexers
- ICCM/RVLIS System
5.0 EQUIPMENT AND MATERIAL REQUIREMENTS
All hardware delivered as part of the system shall include all engineering and field changes since the time it was manufactured and shall comply with TVA's and/or the Vendor's acceptable QA requirements. All equipment supplied should be acceptable for service under a maintenance contract by the local service office representing the equipment manufacturer(s). No uniquely modified (physically altered) modules or printed circuit boards shall be supplied as part of the system, as spare parts, or as replacement parts.
5.1 Material Compatibility
All ICS materials shall be compatible with existing equipment and systems at each and every hardware/software interface.
5.2 Hazardous Materials
Asbestos in any form and poly-vinyl-chloride (PVC) are not acceptable for use in the ICS.
5.3 Material Restrictions
The ICS shall utilize only new or like-new materials. All ICS cables shall be fire-retardant, self-extinguishing, nonpropagating, and shall not release toxic gases or dense smoke.
5.4 Component Identification
Each component in the system, to the level of printed circuit cards, should be clearly marked with the manufacturer's part number, the serial number, and the revision level. Changes to components should be indicated by an unambiguous change to the marked revision level. All custom parts (such as read-only memories) should be marked to specifically identify the part. All printed circuit card cages and all slots within the cages should be clearly labeled.
5.5 Terminal Blocks
Terminal blocks shall be screw-type, with full-depth insulating barriers.
Terminal blocks shall accommodate power wiring sized in accordance with the National Electrical Code. All terminals and terminal blocks shall be clearly labeled.
Ring-tongue, compression-type lugs with full-length insulating sleeves shall be used for all terminal block wiring. No more than two wires shall be connected to any one terminal.
5.6 Enclosure Grounding
Each enclosure or enclosure group shall include a suitable signal and safety ground network within the enclosure. The safety ground shall be isolated from the signal ground. The signal ground shall terminate at a separate stud connection which shall be sized for connection of a lugged 2/0 ground wire. Each ground network may be a copper bus bar, braid, or cable. Use of the enclosure frame, skins, or chassis mounting hardware for the ground network is not acceptable.
Desk-top equipment and devices provided in freestanding enclosures (such as printers) may be exempted from the above requirements. Instead, the ground wire of the ac power input connection shall be used as the ground connection unless otherwise recommended by the equipment manufacturer.
5.7 Interconnections
Plug-type connectors with captive fasteners should be used for all signal interconnections. The connectors shall be polarized to prevent improper assembly. Each end of each interconnecting cable shall be identified by a marker which includes the cable number and the identifying number and location of each of the cable's terminations; this information shall agree with the drawings. Each cable should be continuous between terminations; no intermediate splices or connectors shall be used. Terminations shall be entirely within the enclosures.
Wiring of components within enclosures shall be neatly arranged and fastened securely to the enclosure with non-flammable fasteners. The use of non-flammable plastic wire troughs is permissible. Metal clamps must have insulating inserts between the clamps and the wiring. Wiring between stationary and moveable components, such as wiring across door hinges or to components mounted on extension slides, shall allow for full movement of the component without binding or chafing of the wire.
5.8 Electromagnetic Interference (EMI)
The ICS equipment is to be commercially available equipment that will function in its plant locations when subjected to the extraneous electromagnetic emissions from other equipment expected at those locations. The ICS equipment shall not emit EMI that would render other equipment in the power plant non-functional.
SSEI8.14.01 for power line conducted emissions or equivalent should be used for ICS equipment purchases.
6.0 TEST AND INSPECTION REQUIREMENTS
All ICS equipment, hardware and software, shall be tested.
A Verification and Validation (V&V) Plan consistent with references 9.1.2.1 and 9.1.10.1 shall be developed and followed for the ICS. The software and associated hardware shall undergo a detailed Factory Acceptance Test (FAT) prior to installation in the plant. For analog instrument loops, FAT calibration verification will include, at minimum, verification of calibration at 0, 50, and 100 percent of span for linear inputs, and verification of calibration at five points over the loop span for non-linear inputs. For Digital and Pulse input signals to the ICS, FAT testing will be completed by simulating contact change-of-state and verifying proper ICS response.
After installation in the plant the Site Acceptance Test shall be conducted.
Special testing for RTDs TE-3-36, 49, 91, and 104 is required. The conversion coefficients are required to be developed and verified by inserting a resistance test box as close as possible to the sensor. Testing is to be done at least at six points, in accordance with individually calibrated field sensor calibration sheets and appropriate loop calibration procedures.
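The calibration verification points of Section 6.0, as an added example that is not part of WB-DC-30-29 or of the plant's test procedures: a Python helper that derives the required check points (0, 50 and 100 percent of span for linear inputs, five points for non-linear inputs, six points for the RTDs) and compares the ICS-displayed value at each point against the expected engineering value. Even spacing of the five and six points, the 0.5 percent-of-span tolerance, the sample loops and the square-root transfer function are assumptions for illustration; only the tag TE-3-36 is taken from the document.

```python
"""FAT loop-calibration check points (added example; not code from WB-DC-30-29).

Section 6.0: linear inputs are verified at 0, 50 and 100 percent of span,
non-linear inputs at five points over the span, and RTDs TE-3-36, 49, 91 and
104 at six points. Even spacing of the five and six points, the tolerance, the
sample loops and the square-root transfer function are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Loop:
    tag: str
    low: float    # engineering value at 0 percent of input span
    high: float   # engineering value at 100 percent of input span
    transfer: Optional[Callable[[float], float]] = None  # input percent -> value; None = linear
    rtd: bool = False

    def expected(self, pct: float) -> float:
        """Engineering value the ICS should display at `pct` of input span."""
        if self.transfer is None:
            return self.low + (self.high - self.low) * pct / 100.0
        return self.transfer(pct)


def check_points(loop: Loop) -> List[float]:
    """Percent-of-span points to verify, per Section 6.0 (even spacing: assumption)."""
    if loop.rtd:
        n = 6
    elif loop.transfer is None:
        n = 3          # 0, 50, 100 percent of span
    else:
        n = 5
    step = 100.0 / (n - 1)
    return [round(i * step, 4) for i in range(n)]


def verify(loop: Loop, displayed: Callable[[float], float],
           tolerance_pct_span: float = 0.5) -> List[Tuple[float, float, float, bool]]:
    """(pct, expected, displayed, within_tolerance) for each check point.

    `displayed` returns the value read on the DS when the input is driven to
    `pct` of span. Tolerance is a fraction of output span (assumed 0.5 percent).
    """
    limit = abs(loop.high - loop.low) * tolerance_pct_span / 100.0
    results = []
    for pct in check_points(loop):
        exp = loop.expected(pct)
        got = displayed(pct)
        results.append((pct, exp, got, abs(got - exp) <= limit))
    return results


def demo() -> Dict[str, bool]:
    """Constructed FAT run: two loops read true, the RTD loop has a 2 percent offset."""
    loops = [
        Loop("PT-A (constructed)", 1700.0, 2500.0),
        Loop("FT-B (constructed)", 0.0, 1000.0,
             transfer=lambda pct: 1000.0 * (pct / 100.0) ** 0.5),
        Loop("TE-3-36", 0.0, 700.0, rtd=True),
    ]
    # Simulated DS readings: expected value plus a fixed offset per loop.
    offsets = {"PT-A (constructed)": 0.5, "FT-B (constructed)": 0.0, "TE-3-36": 14.0}
    return {
        lp.tag: all(ok for *_, ok in verify(lp, lambda pct, lp=lp: lp.expected(pct) + offsets[lp.tag]))
        for lp in loops
    }
```

For the non-linear flow loop the expected value at each point comes from the loop's own transfer function, so the check exercises the ICS square-root conversion and not just the analog input; a linear-only check at three points would pass a loop whose conversion was wrong between the end points.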
6.1 Hardware Test
As a minimum the following hardware shall be tested:
- Intelligent multiplexers
- Central processing unit
- Main memories
- Auxiliary memories
- System peripherals
6.2 Software Test
Software testing shall meet the requirements of SPP-2.6 (Reference 9.1.2.1).
As a minimum the following software tests shall be performed:
- Process data base
- Input scanning functions
- Input alarming functions
- Data logging functions
- Summary functions
- Trending functions
- Graphic display functions
- SPDS functions
- Flow calculations
- Actual plant performance calculations
- Variable alarm limit calculations
- Interfaces to DAS, EDS, ERFDS, CECC computer
6.3 Integrated Test
The following tests shall be performed on the integrated hardware and software of the ICS:
- ICS Accuracy test
  - Analog input accuracy
  - Calculated value accuracy
- ICS Performance test
  - System response times
  - Utilization
  - Reliability/Unavailability
- All I/O (from termination strip to CRT/printout)
- All data ports
- All ICS power supplies
- ICS Validation test
Upon successful completion of the ICS installation and startup, a validation test shall be performed to check the operation of all hardware, the validity of the software, accuracy, function as a system, and interfaces to the CECC and EDS computer.
6.4 Inservice Test and Inspections
The ICS configuration is maintained within the plant. Any problems identified are resolved through the DCN process (or the WO process if only a hardware/component failure and subsequent replacement is involved), with any required software changes verified through the Verification and Validation Program of Section 7.3.
In order to minimize the possibility of bad sensor inputs to the SPDS and/or inaccurate SPDS display of sensor inputs, routine instrument loop calibration of sensors that provide input to the SPDS will include verification that the SPDS-displayed values are correct. WBN's instrument surveillance instructions (SIs) will incorporate these verifications.
When a problem with SPDS is detected it will be resolved by the Work Request (WR) process. The cause and corrective action taken to resolve the problem will be documented and if it is determined that the SPDS is unavailable, the duration of unavailability will be recorded. A periodic calculation of system unavailability and determination of causes will be performed to identify trends and generic corrective actions to be taken.
7.0 QUALITY ASSURANCE
The ICS shall be designed, constructed, and installed to meet TVA specifications and design criteria, and the Quality Assurance Program as defined in SSP-3.2.
7.1 Quality Assurance for Safety-Related Equipment
Quality assurance for the Class 1E, Seismic Category I isolators shall be commensurate with the impact or importance of the isolators on safety and shall comply with 10 CFR 50 Appendix B and ASME III QAM and WB-DC-40-31.2 R3, "Seismic Qualification of Category 1 Fluid Systems, Components and Electrical or Mechanical Equipment."
7.2 Quality Assurance for Quality-Related and Non Safety-Related ICS Equipment
Quality assurance for the non quality-related ICS hardware shall be in accordance with TVA's procedures.
Quality assurance for the non quality-related ICS software and quality-related SPDS software shall meet the requirements of SPP-2.6.
Quality assurance for quality-related Seismic Category 1(L) equipment shall be in accordance with ASME III QAM and WB-DC-40-31.13, "Seismic Qualification Category 1 (L) Fluid Systems, Components and Electrical or Mechanical Equipment."
7.3 Verification and Validation
In accordance with NUREG-0737, Supplement 1, a verification and validation program shall be instituted which will meet the intent of NSAC-39, Verification and Validation for Safety Parameter Display Systems (also see Section 6).
8.0 EXCEPTIONS
None
9.0 REFERENCES
(Unless otherwise noted, the latest revision of a document or standard applies.)
9.1 Design Input
9.1.1 TVA Drawings
9.1.1.1 Computer point listing, 47A615-series.
9.1.1.2 Environmental Data, Environment-Mild and Harsh Drawing Series Index, 47E235-series.
9.1.1.3 Equipment, Powerhouse Units 1 & 2, Plan-El 713.0 & 708.0, 47W200-5.
9.1.1.4 ICS Software Listing, 1-47A618-261-series.
9.1.1.5 Fire Protection Compartmentation - Fire Cells Plan EL 692.0 & 708.0, 47W240-6.
9.1.2 TVA Documents
9.1.2.1 TVAN Standard Programs and Process SPP-2.6, "Computer Software Control."
9.1.2.2 Deleted.
9.1.2.3 TVAN Standard Department Procedure NEDP-4, Q-List and UNID Control.
9.1.2.4 Standard Specification (SS)-E18.14.01, Electromagnetic Interference (EMI) Testing Requirements for Electronic Devices.
9.1.2.5 Integrated Computer System (ICS) Software Requirements Specifications, SRS-0261.
9.1.2.6 Branch Technical Position ICSB-21, Guidance for Application of Regulatory Guide 1.47.
9.1.3 Calculations
9.1.3.1 Bypassed and Inoperable Status Indication Logic Input Identifications, WBPEVAR8807025.
9.1.3.2 Evaluation of Parameters on the Safety Parameter Display System, WBN-OSG4-142.
9.1.3.3 EOP Setpoints Verification Document, WBN-OSG-4-188.
9.1.4 System Descriptions
9.1.4.1 N3-30CB-4002, Control Building Heating, Ventilating, Air Conditioning and Air Cleanup.
9.1.4.2 N3-30RB-4002, Reactor Building Ventilation System.
9.1.4.3 N3-99-4003, Reactor Protection System.
9.1.5 Design Criteria
9.1.5.1 WB-DC-30-4, "Separation/Isolation."
9.1.5.2 WB-DC-30-5, "Power, Control, and Signal Cables for use in Category I Structures."
9.1.5.3 WB-DC-30-7, "Post Accident Monitoring Instrumentation."
9.1.5.4 WB-DC-20-8, "Auxiliary-Control Building Concrete Structures."
9.1.5.5 WB-DC-20-21, "Miscellaneous Steel Components for Class 1 Equipment."
9.1.5.6 WB-DC-30-22, "Electrical Raceways."
9.1.5.7 WB-DC-30-23, "Human Factors."
9.1.5.8 WB-DC-40-31.2, "Seismic Qualification of Category 1 Fluid Systems, Components, and Electrical or Mechanical Equipment."
9.1.5.9 WB-DC-40-31.13, "Seismic Qualification of Category 1 (L) Fluid Systems, Components, and Electrical or Mechanical Equipment."
9.1.5.10 WB-DC-00-3, "Technical Support Center."
9.1.5.11 WB-DC-40-36.1, Classification of HVAC Systems.
9.1.5.12 WB-DC-30-29, "Plant Computer."
9.1.5.13 WB-DC-30-20, Control Panels.
9.1.6 Specifications
9.1.6.1 G-38, General Engineering Specification for "Installation, Modification, and Maintenance of Insulated Cables Rated Up To 15,000 Volts."
9.1.6.2 G-40, General Engineering Specification for "Installation, Modification, and Maintenance of Electrical Conduit, Cable Trays, Boxes, Containment Electrical Penetrations, Electric Conductor Seal Assemblies, Lighting, and Miscellaneous Systems."
9.1.6.3 G-47, General Engineering Specification for "Installation, Modification, and Maintenance of Electrical Grounding Systems and Lightning Protection Devices."
9.1.7 Design Guides
9.1.7.1 DS-E18.1.19, "Class 1E Isolation for I&C Equipment."
9.1.7.2 DS-E18.1.24, "Human Factors Engineering."
9.1.7.3 DG-E18.2.1, "Nuclear Power Plant Safety Systems."
9.1.7.4 DS-E18.3.3, "Instrumentation Symbols and Tabulations."
9.1.8 Other Documents
9.1.8.1 WBN EPIP-6, "Activation and Operation of Technical Support Center TSC."
9.1.8.2 WBN FSAR (Section 7).
9.1.8.3 WBNP Emergency Operating Instructions, FR-0, Status Trees.
9.1.8.4 Surveillance Instruction, I-SI-68-44, "RCS Temperature/Pressure Limits And Pressurizer Temperature Limits."
9.1.8.5 WBNP Emergency Operating Instructions, FR-I.3, Voids in Reactor Vessel.
9.1.8.6 Emergency Plan Implementing Procedures, EPIP-16, "Initial Dose Assessment For Radiological Emergencies."
9.1.9 NRC Documents
9.1.9.1 10 CFR 50 Appendix A, General Design Criteria for Nuclear Power Plants.
9.1.9.2 10 CFR 50 Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.
9.1.9.3 10 CFR 50 Appendix R, Fire Protection Program.
9.1.9.4 10 CFR 50.49, Environmental Qualification of Electric Equipment Important to Safety for Nuclear Power Plants.
9.1.9.5 10 CFR 100, Reactor Site Criteria.
9.1.9.6 NUREG-0696, Functional Criteria for Emergency Response Facilities, dated February 1981.
9.1.9.7 NUREG-0700, Guidelines for Control Room Design Reviews, dated September 1981.
9.1.9.8 NUREG-0737, Supplement 1, Requirements for Emergency Response Capability, Generic Letter 82-33, dated December 17, 1982.
9.1.9.9 NUREG-0800, Standard Review Plan, Section 18.2 SPDS, dated November 1984.
9.1.9.10 Regulatory Guide 1.23, Onsite Meteorological Programs (Safety Guide 23), Revision 0.
9.1.9.11 Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems, Revision 0.
9.1.9.12 Regulatory Guide 1.97, Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident, Revision 2.
9.1.9.13 Generic Letter 89-06, NUREG-1342.
9.1.9.14 Generic Letter 88-17, "Loss of Decay Heat Removal."
9.1.9.15 NUREG-1394, Emergency Response Data System Implementation.
9.1.9.16 Regulatory Guide 1.23, Onsite Meteorological Programs (Safety Guide 23), Revision 0.
9.1.9.17 TVA letter to NRC dated August 31, 1990, Watts Bar Nuclear Plant (WBN) Conformance to Regulatory Guide (RG) 1.97 Revision 2 (RIMS L44 900831 804).
9.1.9.18 TVA letter to NRC dated October 29, 1991, Watts Bar Nuclear Plant (WBN) - Emergency Response Capability, Regulatory Guide 1.97, Revision 2 - Request for Additional Information Response (RIMS T04 911029 848).
9.1.9.19 NUREG-0847, Supplement 9, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Units 1 and 2," June 1992.
9.1.9.20 "General Design Criteria for Nuclear Power Plants," Appendix A to Title 10 CFR 50, Criteria 13, 19, and 64.
9.1.9.21 TVA letter to NRC dated April 21, 1995, "Watts Bar Nuclear Plant (WBN) Units 1 and 2 - Regulatory Guide (RG) 1.97, Revision 2, Post-Accident Monitoring System (PAM) - Supplemental Response" (RIMS T04 950421 117).
9.1.9.22 TVA letter to NRC dated April 15, 1983 (RIMS A27 830415 013).
9.1.9.23 TVA letter to NRC dated November 1, 1990 (RIMS L44 901101 800).
9.1.9.24 TVA letter to NRC dated November 3, 1986 (RIMS L44 861103 808).
9.1.9.25 TVA letter to NRC dated January 7, 1982 (RIMS A27 820107 008).
9.1.10 EPRI Documents
9.1.10.1 NSAC-39, Verification and Validation for Safety Parameter Display Systems, dated December 1981, prepared for Nuclear Safety Analysis Center, EPRI.
9.2 Background
9.2.1 NRC Documents
9.2.1.1 Post-Implementation Audit Report for TVA's Sequoyah Nuclear Plant, Units 1 and 2 Safety Parameter Display System, by Science Applications International Corporation (SAIC) for the NRC, dated April 1, 1988 (B25 880531 228).
9.2.1.2 Watts Bar Safety Evaluation Report (Section 18.2 of Watts Bar SSER6).
9.2.1.3 Response to NRC request for information regarding the SPDS isolation devices (B45 850327 281).
9.2.1.4 TVA conformance to Regulatory Guide 1.47, Revision 0 and the functional requirements document (L44 870129 804).
9.2.1.5 TVA response to NRC Audit concerns - NUREG-0737, Supplement 1, Item I.D.2 - SPDS (L44 901101 800).
9.2.1.6 Telephone call with NRC on SPDS Continuous Display (T03 900914 812) on 8-29-90.
9.2.1.7 IE Information Notice No. 86-10: Safety Parameter Display System Malfunctions, dated February 13, 1986.
9.2.1.8 SQN/WBN SPDS Evaluation Report, Rev. 0, Impell Corporation, dated April 27, 1987.
9.2.1.9 Detailed Control Room Design Review Summary Report for the WBN Units 1 and 2 by TVA WBN and Essex Corporation, dated September 1987.
9.3 Industry Standards
9.3.1 IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations (ANSI-N42.7-1972).
9.3.2 IEEE Standard 323-1974, Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations.
9.3.3 IEEE Standard 344-1975, Standard for Seismic Qualification of Class 1E Equipment for Nuclear Generating Stations.
9.3.5 IEEE Standard 730-1984, Standard for Software Quality Assurance Plans.
[Figure: A Conceptual Example of BISI System Level Logic (logic diagram; only the caption is legible in this copy)]
EMERGENCY RESPONSE FACILITIES DATA SYSTEM
ATTACHMENT 1 SYSTEM HISTORY
- 1. In December 1979, TVA contracted with Westinghouse (W) to supply a Technical Support Center Data System (TSCDS) to include a Safety Parameter Display System (SPDS). The original completion schedule was January 1981.
- 2. A site acceptance test was initiated at WBN for the TSCDS/SPDS complex in December 1982. The software development was substantially behind schedule. The test identified and documented significant problems with the system. Some of the problems were resolved, but a large number of deficiencies were unresolved.
- 3. Early in 1983, W disbanded the primary software development group for TSCDS/SPDS although major problems had been identified in software.
- 4. The WBN response to Supplement 1 to NUREG 0737, "Requirements for Emergency Response Capability," (Generic Letter No. 82-33) was sent to the NRC on April 15, 1983.
- 5. In December 1983, W presented their plan to TVA for resolving the concerns on the TSCDS/SPDS. It was to first address similar problems at Virgil Summer Plant and make a major release in May 1984.
- 6. Because TVA and W could not obtain a successful completion of the TSCDS/SPDS to resolve repeated failure of the factory acceptance test, TVA, through Purchasing and the Office of the General Counsel, terminated the contract with W in January 1984 and proceeded to look at alternatives. It was decided to do the rework internal to TVA.
- 8. NUC PR began development of the "status trees", displays for the SPDS. These displays are directly relatable to the Emergency Operating Instructions (EOIs).
ENDES, however, in a memorandum from Cantrell to Darling, dated May 21, 1984, stated that they would not accept any responsibility for the implementation, V&V, or safety analysis. They would assist, if requested, but the cost would be NUC PR's and not ENDES'.
- 9. In March and June 1985, NRC was provided with requested additional information on SPDS which described the SPDS as the status trees, converted to be plant-specific from the generic W Owners Group Emergency Response Guidelines. These "trees" also reflect the status trees in our EOIs.
- 11. Remaining control room work on SPDS (ECN 5070) was made a capital project for FY 1986 (PNB 7219), Work Order 21672. WBN Design Services agreed that this was a BFL item.
- 13. IE Information Notice 86-10 was received in February 1986, and reacted to by the plant site in April, with a memorandum from Cottle to Cantrell (T09 860425 916).
- 14. In May 1986, the project manager was changed and WBEP requested to clear up discrepancies on closed ECN 5070 so that they could be worked with ECN 6167 (T16 860508 961).
- 15. On June 26, 1986, a meeting on SPDS between WBN and DNE was held at WBN. DNE was told that SPDS was to be implemented BFL. WBN indicated that work in progress on ECN 5070 should be done by October 1, 1986. EEB stated that SPDS documentation needed to be surveyed versus Standard Review Plan (SRP) 18.2.
- 16. Initial idea was to have an in-house survey of documents associated with SPDS to find areas of incompleteness or out-of-date data and compare to SRP 18.2.
Resource problems in EEB prompted a personal services contract and IMPELL was recommended after an evaluation by EEB of proposals.
- 17. On October 22, 1986, a meeting was held at WB with DEN, SQN project manager, and WBN Operations, CRDR Team, and project manager. This meeting set up a plan to attack known Human Engineering Deficiencies (HEDs) from SQN CRDR work.
- 18. In the October 22, 1986 meeting of the Phase II Task Force, WBEP and the Task Force both indicated that efforts would be made to get the IMPELL contract released, with revision A approved March 6, 1987.
- 19. April 8, 1987, WBN/SQN TSCDS Preliminary Functional Requirements Specification released.
- 20. July 7, 1988, Preliminary copy of ERFDS Design Criteria developed.
- 21. November 15, 1988, System Requirements Specification Original Issue Schedule developed.
- 22. In 1988, the ERFDS Task Force was initiated at Watts Bar. The ERFDS scope of work includes SPDS and other activities related to the NUREG-0800 emergency response system, including:
- Technical Support Center functions support
- Historical data storage and retrieval
- Emergency Operations Facility Data transmission
- 23. November 17, 1988, NBO Information Systems, Real Time Computer Systems evaluation of WBN TSCDS against requirements proposed by task force for new system named ERFDS.
- 24. April 26, 1989, Tahler Engineering Company evaluation report of WBN TSCDS.
- 25. May 24, 1989, R. F. Rogers to O. D. Kingsley, WBN-ERFDS Project Status on Unit 1; redirection of project scope.
- 26. NRC Audit on August 22 and 23, 1990 and TVA's response. (See 9.2.1.2, 9.2.1.3, 9.2.1.5, and 9.2.1.6).
- 27. May 13, 1992, the Watts Bar Nuclear Plant (WBN) Change Control Board (CCB) approved additional funding to allow the ERFDS to be upgraded with a VAX computer and touchscreen ICS as the man/machine interface.