ML13330B169

SPDS Design Criteria for San Onofre Unit 1
ML13330B169
Person / Time
Site: San Onofre 
Issue date: 01/31/1987
From:
Southern California Edison Co
To:
Shared Package
ML13330B168 List:
References
RTR-NUREG-0737, RTR-NUREG-737 NUDOCS 8703230369


Text

SAFETY PARAMETER DISPLAY SYSTEM DESIGN CRITERIA FOR SAN ONOFRE UNIT 1

JANUARY 1987

8703230369 870717 PDR ADOCK 05000206 p PDR

SAFETY PARAMETER DISPLAY DESIGN CRITERIA

TABLE OF CONTENTS

I. Introduction

II. SPDS Criteria

A. Design Criteria

B. Human Factors Criteria

III. Critical Safety Functions

IV. Parameter List

V. Conceptual Hardware/Software Design

I. INTRODUCTION

In order to respond to the NUREG-0737, Supplement 1 initiative regarding a Safety Parameter Display System (SPDS), this report provides a conceptual design for the San Onofre Nuclear Generating Station, Unit 1 (SONGS 1) SPDS, including SPDS criteria development and conceptual hardware/software design. Once implemented, the SONGS 1 SPDS will provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant during normal, abnormal and emergency conditions.

These design criteria are the first step in the implementation of an SPDS for SONGS 1.

II. SPDS CRITERIA

SCE conducted an extensive review of available SPDS literature to determine the applicable criteria for the SONGS 1 SPDS design. The sources of documentation included NRC NUREGs, industry publications, the Yankee Atomic SPDS design and the San Onofre Units 2 and 3 Accident Monitoring System (AMS) design. Based on the information gathered during this review, the criteria for the SONGS 1 SPDS have been developed consistent with the guidance provided in NUREG-0737, 0696, 0700, 0835 and 0737, Supplement 1.

A. Design Criteria

Criteria for an SPDS design can be structured into two categories. The first category, called the SPDS General Criteria, includes fundamental criteria that represent the philosophical framework for an SPDS. The criteria statements are very general but have many implications, such as specifying the use and users of the SPDS. The second category, called the SPDS Functional Criteria, is more specific and is confined to the SPDS design. For the SONGS 1 SPDS conceptual design, only the SPDS General Criteria have been completed. The Functional Criteria will be developed after the conceptual study and before a particular design is specified.

Table 1 provides the SPDS General Criteria to be utilized for an SPDS at SONGS 1.

B. Human Factors Criteria

SCE recognizes that the accident at Three Mile Island (TMI) and subsequent investigations have demonstrated the need for improving the presentation of plant and process information to SONGS 1 reactor operators. Presentation of this information is especially important when a nuclear power plant undergoes a major transient. During a major transient, the reactor operations personnel are required to monitor and process large amounts of data to determine the operating and safety status of the plant. It is this large amount of data processing by the operators that has required that human factors be incorporated into the SPDS design.

Human Factors Design

Besides NUREG-0737, Supplement 1, NUREG-0696 and NUREG-0700 prescribe human factors criteria for SPDS. NUREG-0835 is also used to evaluate the scope of human factors criteria for the specific system. Table 2 provides the General Human Factors Criteria to be used for an SPDS at SONGS 1.

SCE's review of the NUREG-0700 guidance concludes that four sections directly apply to the SONGS 1 SPDS design. These guidelines are Section 6.5, Visual Displays, which includes principles of display, meters, light indicators, and graphic recorders; Section 6.6, Labels and Location Aids, which includes labeling principles, label location, label content, and location aids; Section 6.7, Process Computers, which includes computer access, CRT displays, and printers; and Section 6.8, Panel Layout, which includes panel contents, recognition and identification enhancement, and layout arrangement factors. The extent to which the four NUREG-0700 sections will be applied in the SONGS 1 SPDS design is described in the Specific Human Factors Criteria listed in Table 3.

Specific Human Factors Design Areas

Human factors considerations are essential to optimizing the information transfer between the SPDS and the user. The proper design of the SONGS 1 SPDS, taking into account the capabilities and limitations of humans, will result in fewer errors, faster response times, and greater user acceptance. Human factors involvement in the SONGS 1 SPDS design will include a detailed evaluation of the proposed SONGS 1 SPDS design against human factors criteria. This will be accomplished by periodic meetings with the hardware and software vendor groups, operations personnel, and human factors specialists.

In conjunction with the Control Room Design Review, a photographic mockup of the control room has been constructed. To the extent possible, further evaluation of the human factors design of the SONGS 1 SPDS will include simulated problem exercises using this mockup to verify decisions with actual operations personnel and procedures.

The main features of the SPDS that will benefit from a systematic human factors analysis and evaluation are: (1) keyboard layout; (2) format of display pages; (3) design of operational manuals and job aids; and (4) the physical placement of the SPDS in the control room.

a. Keyboard Layout. Human factors considerations relevant to keyboard layout include determining functional location and the functions that should be evoked by command strings; placement of the function keys on the keyboard; labeling of the keys; and naming of the keys with meaningful abbreviations and function words.
b. Format of Display Screens. Human factors considerations relevant to formatting of display screens include color and other coding conventions; labeling; methods of presenting time dependent data; overall information layout to avoid clutter and enhance extraction of information; methods for accessing display pages and backup data; selection of movement; consistency and rationality of design; legibility of alphanumeric information; and content and structure of error messages and help functions.
c. Design of Operational Manuals and Job Aids. Human factors considerations relevant to design of manuals and job aids include determining the necessary content; methods for formatting the information; use of graphics and color; and indexing and cross-referencing methods.
d. Physical Placement of SPDS in Control Room. Human factors considerations relevant to the placement of the SPDS in the control room include accessibility by the users; visual access to displays; glare; interference with other operator tasks; visual interference with control panels; and operator comfort while operating the system.

The Control Room Design Review (CRDR) will provide valuable input to determining the SPDS terminal location in the control room. Accident scenario exercises were performed as part of CRDR. These scenarios were video taped and will be reviewed to evaluate the optimum control room location of the SPDS terminal with respect to integration with operator tasks.

III. CRITICAL SAFETY FUNCTIONS

The Westinghouse Emergency Response Guidelines (ERG's), along with plant specific documents, provide the basis for the SONGS 1 Emergency Operating Instructions (EOI's). The ERG's utilize symptom oriented guidelines in which Critical Safety Functions (CSF's) are defined. These CSF's provide the basis and logic for the SONGS 1 SPDS. Such CSF's are intended to ensure the integrity of the various barriers that prevent release of radioactive material to the environment. Each of the six CSF's is discussed in the following paragraphs.

Subcriticality

The status tree, SUBCRITICALITY, represents the highest priority Critical Safety Function (Priority-1) and, as such, is always entered first whenever tree monitoring is initiated. Since this tree is effectively gauging the reactivity state of the core, the parameter being evaluated is neutron (leakage) flux behavior. At SONGS 1 this function is performed by the Nuclear Instrumentation System (NIS).

Core Cooling

The status tree, CORE COOLING, represents the second highest priority Critical Safety Function (Priority-2) and, as such, is always entered directly after the SUBCRITICALITY tree. This tree evaluates the current status of fuel clad heat removal based on RCS temperature. At SONGS 1 this is determined by the RCS subcooling margin monitor (SMM), core exit thermocouples, and the RCS hot leg RTD's.

Heat Sink

The status tree, HEAT SINK, represents the third highest priority Critical Safety Function (Priority-3) and, as such, is always entered directly after the CORE COOLING tree. The intent of this Critical Safety Function is to remove any threat to RCS integrity from an unacceptable accumulation of thermal energy within the RCS. At SONGS 1 this status tree utilizes core exit thermocouples, feedwater flow, steam generator level, and condenser/atmosphere steam dump availability.

RCS Integrity

The status tree, RCS INTEGRITY, represents the fourth highest priority Critical Safety Function (Priority-4) and, as such, is always entered directly after the HEAT SINK tree. This particular tree is unique among all the Critical Safety Function Status Trees in that the reference values against which current plant parameters are compared do not appear explicitly at the branch points. Rather, the reference values are lines separating entire operating regions in pressure-temperature space as depicted in the Operational Limits Curve attached to the status tree. At SONGS 1 RCS INTEGRITY is monitored by comparison of RCS pressure and cold leg temperature, and time trending RCS cold leg temperature.

Containment

The status tree, CONTAINMENT, represents the fifth priority Critical Safety Function (Priority-5) and, as such, is always entered directly after the RCS INTEGRITY tree. The intent of the CONTAINMENT Safety Function is to maintain containment integrity which represents the final barrier against radiation release from the plant. In order to evaluate the current status of this Critical Safety Function, the tree evaluates several possible threats to containment integrity and directs the operator to appropriate instructions if any threat exists. At SONGS 1 this is performed by evaluating containment pressure, containment sump level, and containment radiation.

RCS Inventory

The status tree, RCS INVENTORY, represents the sixth and lowest priority Critical Safety Function (Priority-6) and, as such, is always entered directly after the CONTAINMENT tree. The intent of the RCS INVENTORY safety function is to ensure that the reactor coolant volume is maintained. At SONGS 1 this is performed by evaluating pressurizer level.


IV. PARAMETER LIST

In the above described critical safety functions, certain parameters are used to monitor those functions in the EOI's. For the SONGS 1 SPDS design, it is proposed to use the appropriate EOI parameters. Table 4 identifies the SONGS 1 parameters monitored for each critical safety function. Table 4 also lists vital auxiliaries as a safety function and includes the status for PORV's, electrical buses (i.e. Switchyard, 4 kV, 480 V, etc.), containment isolation, and RCS loop flow and loop delta T's.

V. CONCEPTUAL HARDWARE/SOFTWARE DESIGN

The conceptual hardware/software design is the second part of the SONGS 1 SPDS Design Criteria study. The conceptual hardware/software design includes the configuration of the SPDS, the supporting hardware, and the supporting software. Various options will be evaluated to meet the conceptual design scope for the SONGS 1 SPDS, including upgrading the existing Fox 3 system or installing other available systems.

The information provided in Sections I through III defines a basis upon which an SPDS system can be configured and the hardware and software further defined. The major hardware for the SONGS 1 SPDS will be composed of a Central Processing Unit (CPU), a disk drive, a tape drive, approximately 4 MB of memory, a line printer, a minimum of three display systems, a data acquisition unit (DAU) and one system console. The main software consists of the operating system, Utilities/Programming software, and the Process/Monitoring software. Figure 1 illustrates the hardware configuration which will be implemented for the SONGS 1 SPDS.

With consideration of existing computer equipment at SONGS, the following four options are available for an SPDS:

1. Perkin Elmer (PIE) computer with CFMS P/M software.
2. Gould computer with PACE P/M software.
3. Minimum FOX 3 upgrade to accommodate approximately 100 inputs. Uses existing P/M software.
4. FOX 3 upgrade to newer Foxboro product called multi-station. Uses Foxboro P/M software.

These options are currently being evaluated to determine the most effective method of implementing the SONGS 1 SPDS. The Final Summary Report will indicate the option that is chosen.


TABLE 1 SPDS GENERAL CRITERIA

1. The SPDS shall provide a concise display of critical plant information necessary for safe reactor operations under normal and accident conditions.
2. The SPDS shall be conveniently located in the control room.
3. The SPDS is used in addition to and serves to aid and augment the basic instrumentation in the control room.
4. The SPDS shall integrate all the relevant NUREG-0737 and Regulatory Guide 1.97, Rev. 2, instrumentation.
5. The SPDS display shall be designed consistent with accepted human factors principles, so as to facilitate ready perception and comprehension of the displayed information by the operators.


6. The SPDS shall display, as a minimum, the following functions:

   NRC NUREG's Function* | Unit 1 SPDS Critical Safety Functions
   a. Reactivity Control | Subcriticality
   b. Reactivity Core Cooling and Heat Removal from Primary System | Core Cooling, Heat Sink
   c. RCS Integrity | RCS Integrity, RCS Inventory
   d. Radioactivity Control | Containment**
   e. Containment Conditions | Containment

   * Referenced NUREG-0696, 0835, 0737 Supplement 1
   ** Containment CSF includes Radioactivity Control.
7. The SPDS need not meet Class 1E or single failure criteria, but if not, shall be adequately isolated and interfaced from Class 1E systems so as not to degrade those systems.
8. The SPDS terminals shall be located in the Main Control Room (MCR), the Technical Support Center (TSC) and the Emergency Operating Facility (EOF). It is noted that, although not required, an SPDS terminal will be located in the Operations Support Center (OSC).

9. The SPDS shall be designed such that no additional control room operators are required for its operation.
10. The SPDS shall be designed to an operational unavailability goal of 0.01 and shutdown unavailability goal of 0.20 as defined in NUREG-0696.
11. The SPDS display of abnormal conditions shall be distinctly different from the display of normal conditions.
12. The SPDS display data shall be validated on a real time basis, where practical, and invalidated data will be identified.
13. The design shall be such that when the SPDS is malfunctioning, it will be apparent to the control room operator.
14. The SPDS shall include some audible notification to alert personnel of an unsafe operating condition.
15. The parameter trending display shall contain recent and current magnitudes of parameters as a function of time.
16. The SPDS shall be sufficiently flexible to allow for future expansion and improvements.
17. Operators shall be trained in an SPDS program that demonstrates enhanced operator performance in correctly assessing the safety status of the plant.


18. A verification plan shall be established to demonstrate SPDS conformance to the Functional Criteria.
19. The SPDS may include other functions that aid the operator in evaluating plant status if those functions do not impair the use of the SPDS for monitoring critical safety functions.
20. Displayed data shall present current and accurate status of the plant.
21. The display system shall not interfere with the normal movement of the control room operations personnel.
22. The SPDS design shall provide provisions for inclusion into a bigger computer system or provisions for facilitating interface with other monitoring computers.

TABLE 2 GENERAL HUMAN FACTORS CRITERIA

1. During emergencies, the SPDS shall serve as an aid to the control room operations personnel in executing the symptom oriented emergency procedures.
2. The SPDS shall aid the operator in the rapid detection of abnormal operating conditions significant to safety.
3. The SPDS will assist in initiating diagnosis to localize the source of the abnormality at the function or system level.
4. Status and performance of systems, subsystems, and components shall be allocated to secondary display formats.
5. The primary display of the SPDS shall consist of a minimum set of parameters from which the operator can assess the plant safety status.
6. No additional operating staff shall be needed for operating the SPDS.
7. Operator training shall contain instruction on the use of the SPDS.


8. System documentation shall include as a supplement to on-line guidance, a listing and explanation of all error messages.
9. If the SPDS is to be located on an existing control board, it shall be clearly identifiable.
10. The SPDS shall not interfere with the full visual access to other control room operating systems and displays.

TABLE 3 SPECIFIC HUMAN FACTORS CRITERIA

Alarms

Some audible notification to alert personnel of an unsafe operating condition shall be included.

The order of presentation of alarms shall be organized in a way that will not confuse the operator and will permit recognition of priority alarms.

Coding

All symbols and mimics on displays shall be consistent with those with which users are most familiar.

Color codes and symbols shall be consistent with those used on the control boards and EOI's.

Flash or blink coding shall be employed to call the user's attention to critical events only.

Color

Color as a visual code shall be used to identify kinds of data, sources of data, status of data, or order of operations.

The most generally used colors shall be red, green, yellow, and blue. Other acceptable colors are orange, yellow-green, blue-green, and violet.

The user shall be able to discriminate the selected colors on an absolute basis.

Cursor

The cursor shall be easily tracked as it is moved from one position to another.

The cursor shall not interfere with the reading of the symbol that it marks and not distract or impair the searching of the display for information unrelated to the cursor.

Display

Motion of data displayed on a CRT to prevent screen burnout shall be at a rate slow enough to avoid distracting the operator.

The Video Display Terminal (VDT) shall be equipped with a control for foreground intensity and background intensity.

The VDT shall have a variable intensity control to accommodate very low ambient illumination and the higher levels normally found in offices.

Feedback

Software for automatic data validation shall be incorporated to check any item whose entry and/or correct format or content is required for subsequent data processing.

When functioning of the system requires that the user stand by, periodic feedback shall be provided to indicate that the system is functioning and has acknowledged its input command.

When the system detects an entry error, an error message shall be displayed to the user stating what is wrong and what can be done about it.

Information Presentation

A display of calendar date and time with means of indicating the passage of seconds shall be provided. The display shall be updated only when the system is operating properly.

Display data which is unvalidated shall be so indicated to operators.

Each display frame shall have a unique identification and a title on a line by itself.

Similarity between display formats shall be provided, whenever possible, at each level.

On graphs, the horizontal and vertical axes shall be clearly labeled with title, symbol, and units.

Parameters shall be grouped to enhance operator assessment of the plant and to assist in making functional comparisons.

The SPDS display parameters shall have units, titles, the particular instrument output used, and setpoints that are consistent with those on the control board.

The SPDS shall display the minimum set of plant parameters or derived variables and their trends in a single primary display format for each mode of plant operation.

The SPDS shall have the capability to recall additional data on secondary display formats or displays.

The change in pattern from normal to abnormal shall be readily detectable.

The last several lines at the bottom of every display shall be reserved for status and error messages, prompts, and command entry.

When a user requests a change or deletion of a stored data item that is not currently being displayed, then both the old and new values shall be displayed.

Input

Actual entry of a designated position shall be accomplished by an explicit user action distinct from cursor placement.

An operator shall be able to access any display screen directly without having to go through other screens.

Convenient control procedures shall be provided to let a user move easily from one page to another in a multi-page table or list.

Experienced users shall be provided means to by-pass a series of menu selections and make an equivalent command entry directly.

Operator inputs, responses, or actions which could significantly degrade computer system or plant performance shall not be dependent on a single keystroke.

Keyboard

Dedicated function keys shall be provided for paging/scrolling forward and back.

Each function key shall be clearly labeled to indicate its function.

Event acknowledge or flash suppression keys shall be provided.

Labels

On graphs, the horizontal and vertical axes shall be clearly labeled with title, symbol and units.

The SPDS display parameters shall have units, titles, the particular instrument used, and setpoints that are consistent with those on the control board.

When an updated display is frozen, some appropriate label should be added to remind the user of that status.

When displayed data forms are crowded, auxiliary coding shall be adopted to distinguish labels from data.

Glare

Glare from normal and emergency lighting shall not restrict viewing of the SPDS from within the control room.

0216 MJT:ACL/mew

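TABLE 4 SPDS CONCEPTUAL DESIGN SONGS UNIT 1

PARAMETER | SAFETY FUNCTION MARKED (X)
NEUTRON FLUX | Subcriticality
CET | Core Cooling, Heat Sink
HOT LEG TEMP. | Core Cooling
SMM | Core Cooling
FEEDWATER FLOW | Heat Sink
S.G. LEVEL (NR) | Heat Sink
COND/ATMOS STEAM DUMP | Heat Sink
COLD LEG TEMP. | RCS Integrity
RCS PRESS | RCS Integrity
TIME TREND (RCS COLD LEG TEMP) | RCS Integrity
CMT PRESS | Containment
CMT SUMP LEVEL | Containment
CMT RADIATION | Containment
PZR LEVEL | RCS Inventory
PORV VALVE STATUS | Vital Auxiliaries
CMT ISOLATION | Vital Auxiliaries
RCS LOOP FLOW | Vital Auxiliaries
ELEC. BUS STATUS | Vital Auxiliaries
RCS LOOP DELTA T | Vital Auxiliaries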

FIGURE 1 SPDS CONFIGURATION

[Block diagram. Labeled elements: signals from control room; Data Acquisition Unit, Cabinet C-72; Central Processing Unit; system console; system printer; alarm printer; disk drive; tape drive; programmer's terminal; modems; operator's consoles and console printers; Emergency Offsite Facility; Operations Support Center.]

Notes:

Power for DAU and CPU supplied from 120 VAC UPS.