ML18052A675

From kanterella
Jump to navigation Jump to search
Forwards Response to 860317 Request for Addl Info Re SPDS Display Clutter & Validation & Verification. Experimental Validation of Critical Function Monitoring Sys, Also Encl
ML18052A675
Person / Time
Site: Palisades Entergy icon.png
Issue date: 08/29/1986
From: Berry K
CONSUMERS ENERGY CO. (FORMERLY CONSUMERS POWER CO.)
To:
Office of Nuclear Reactor Regulation
Shared Package
ML18052A677 List:
References
RTR-NUREG-0737, RTR-NUREG-737 GL-82-33, NUDOCS 8609050085
Download: ML18052A675 (15)


Text

. *41, consumers Power Kenneth W Berry Director POWERINli Nuclear LJcensing

/llllCHlliAN'S PROliRESS General Offices: 1945 West Parnell Road, Jackson, Ml 49201 * (517) 788-1636 August 29, 1986

.... *. ).

Director, Nuclear Reac_tor Regu:lat;ion.,

US Nuclear Regulatory Commission Washington, DC 20555 DOCKET 50-255 - LICENSE DPR PALISADES PLANT -

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION - PALISADES PLANT SAFETY PARAMETER DISPLAY SYSTEM DISPLAY CLUTTER AND VALIDATION AND VERIFICATION Generic Letter 82-33 entitled, "Supplement 1 to NUREG-0737 - Requirements for Emergency Response Capabilities", was issued by the Nuclear Regulatory Commis-sion on December 17, 1982. Item 4 of Supplement 1 required, in part, that each licensee develop and implement a Safety Parameter Display System (SPDS) that would aid the plant operators in rapidly and reliably determining the safety status of the plant.

By letter dated July 31, 1984, Consumers Power Company submitted a preliminary design description of the Safety Parameter Display System proposed for the Palisades Plant. Subsequently, by letter dated August 21, 1985, Consumers Power Company submitted a revised design description and preliminary Safety Analysis Report (SAR) for the Palisades Plant Safety Parameter Display System.

The NRC, by letter dated March 17, 1986, requested that Consumers Power Company provide additional information regarding the Palisades SPDS in order for the NRC to complete its review of the SAR. A portion of the additional information requested was provided to the NRC by our letter dated May 19, 1986. In our May 19, 1986 submittal, Consumers Power Company stated that the additional information requested concerning "Display Clutter," and "Verifica-tion and Validation" would be submitted by August 29, 1986. Attachment 1 to this report provides the additional information concerning these two subjects.

In conference calls with the NRC staff on July 10, and July 16, 1986, addi-tional clarification of certain information provided in our May 19, 1986 submittal was requested. Specifically, clarifications in the following four 8609osoo0s 860029 i ,*

~DR . ADOCK osooo25'.5 I

. PDR' I OC0886-0037S-NL01

Director, NRR 2 Palisades Plant Response to Request for Additional Information August 29, 1986 areas were requested; safety function parameter selection,_ trending of neutron flux, validation of safety function parameter input data, and the use of containment sump level to indicate the viability of the recirculation mode of operation. The report provided in Attachment 1 includes the information necessary to clarify these items.

Appendix A to Attachment 1 provides an executive summary of the results of the experimental validation of the c*ombustion Engineering designed CFMS carried out by the Halden Project in co-operation with Combustion Engineering.

This report is being submitted as a portion of Consumers Power Company's response to the NRC question concerning the validation and verification of the Palisades CFMS. Further discussion of the results of this experimental program and its application to the Palisades CFMS is provided in Attachment 1.

Kenneth W Berry Director, Nuclear Licensing CC Administrator, Region III, USNRC NRC Resident Inspector - Palisades OC0886-0037S-NL01

ATTACHMENT 1 Consumers Power Company Palisades Plant Docket 50-255 Response to Request for Additional Information Palisades Plant Safety *Parameter Display System Display Clutter and Validation and Verification August 29, 1986 9 Pages OC0886-0037S-NL01

~-

Director, NRR 1 Palisades Plant Attachment 1 August 29, 1986 I. DISPLAY CLUTTER The March 17, 1986 NRC request for additional information asked for information on the human factors guidelines used to design the Palisades CRT display formats. This sec.tion provides the requested information.

The Critical Function Monitoring System (CFMS) methodology utilized at the Palisades Plant evolved from Combustion Engineering's (CE) design efforts on the NUPLEX 80 advanced control center for nuclear power plants. This effort, which commenced prior to requirements for an SPDS, developed human engineering principles to be used in designing color graphic displays. The basic guidelines developed for designing displays are summarized below. These guidelines were extracted from References 1 and 2.

To adapt the displays to the human operator, some basic human engineer-ing principles had to be developed. These principles were a color convention, a basic symbology (component configuration coding), alarm identification (color and blink), display of variables (alphanumerics, bars, thermometers), and display sector/page information. The C-E color convention is summarized in Table 1.

TABLE 1 RECOMMENDED COLOR CODES Color Use Black Display Background Blue Nonessential or Non-Information Bearing Data Cyan Essential or Information Bearing Numeric Data or Text Green Off, De-Energized, Closed, Normal Red On, Energized, Open, Bypassed White Intermediate Between Green and Red Yellow Cautionary, Attention Required Magenta Danger, Immediate Attention Required

\

I OC0886-0037S~NL01

Director, NRR 2 Palisades Plant Draft Black is the unactivated screen color and serves as a logical background. Blue lies far below the eye's spectral sensitivity peak and may be difficult to perceive when the eye is stimulated by other colors on the CRT. This may be used as an advantage for labels and other static items which are purely advisory in nature. If the operator wishes to read the label associated with a variable it becomes informa-tion, otherwise it is noise. The poor contrast of blue on black reduces the impact of the noise but still allows the label to serve as inf orma-tion when focused upon. Cyan has a contrast ratio close to white but avoids the greater stimulus from the longer wavelength components of

. white. The corresponding legibility of cyan makes it applicable for numerics and test which always contain information.

Red and green have traditionally been used throughout the power industry to indicate ON and OFF respectively. The conventional use of red and green were retained, white is used as an intermediary state. Thus a valve used for throttling would be red when fully open, white when partly open, and green when fully closed. Yellow and magenta provide logical alarm colors as well as excellent contrast with black for portrayal of necessary alarm information. Additionally, their unique-ness aids the search task.

The choice of symbols utilized for the video displays is based on an experimental analysis of a plant operator preferred symbology research project. Many operators from different utilities contributed to this project.

Shape coding of the symbols is used in conjunction with color coding as a redundant indication of component status. By altering the configura-tion of a symbol, component operating status information is displayed to the operator. For example, a hollow red valve symbol is used to repre-sent an open valve, and a filled-in green valve symbol is used to -

represent*a closed valve. The hollow and filled-in shape coding allows proper interpretation of non-color hard copies of the displays. Table 2 shows examples of the use of shape coding for displaying component status.

OC0886-0037S-NL01

Director, NRR 3 Palisades Plant Attachment 1 Draft TABLE 2 NUPLEX 80 SHAPE CODING FOR COMPONENT STATUS Symbol Component Status Configuration Color Pump On Hollow Red Pump Off Solid Green Circuit Breaker Current Closed Red (Energized)

Circuit Breaker No current Open Green (De-energized)

Switch Current Closed Red (Energized)

Switch No current Open Green (De-energized)

Valve Open Hollow Red Valve Closed Solid Green Valve Throttled Combination White The standard flow direction used on the graphical displays is from the top of the screen to the bottom of the screen and from left to right.

These flow directions have been selected to be consistent with the operator's standard reading direction (left to right, top to bottom).

Wherever possible in the design of a particular display, these flow direction conventions have been followed. The use of the standard flow method allows the displays to incorporate a success path structure where the source, inlet control, driving force, processing, outlet control, and sink are displayed from left to right. The use of a consistent flow direction allows the users to be trained in the generic interpretation of the display set rather than the specific nuances of display (such as some displays flowing the opposite direction). The ability to utilize the consistent flow direction is especially important when the users in the Technical Support Center (TSC) and the Emergency Operation Facility (EOF) may not be familiar with the displays.

All "standard" methods are subject to exceptions and,. at times, a more effective means of presentation might require a different flow pattern.

Examples of an exception are looped systems such as the Primary Coolant OC0886-0037S-NL01

Direct~r, NRR 4 Palisades Plant Draft System and the Chemical Volume Control System. In these cases, a looped flow is utilized.

It is understood that on occasion the flow direction o~ the display system may be different from existing engineering drawings. The problem of whether this difference warrants an exception then arises~ In general, the use of a standard flow direction on the displays is still valid. The engineering drawings were not laid out for plant operation but rather for plant construction, and often reflect the whims and spatial limitations of the draftsman rather than an effective presenta-tion of information. The success path format utilized on the CFMS displays is designed to allow the operator to rapidly access the status of a system and plan remedial action if required. It is usually not effective to change the flow direction within the context of the display set. As in the use of color codes, the consistent use of a direction code is very important within a context. Consumers Power Company has concluded that maintaining consistency within the display set and making the directional change between contexts (eg, between drawings and displays) would be more effective and less error prone than having the change in flow direction between two display pages.

Recommended values for information density used in the design of the Palisades CFMS are summarized in Table 3. Obviously, these are general in nature and should not be used unquestioningly. The display designer must balance them against his experience for each and every display.

OC0886-0037S~NL01_

Director, NRR 5 Palisades Plant Draft TABLE 3 RECOMMENDED VALUES FOR INFORMATION DENSITY Total display loading, maximum 25%

Dynamic display loading, maximum 18.75%

Text word size, -maximum 12 characters Recommended 6 characters or less Numeric word size, maximum 12 characters Recommended 4 characters or less Symbol size, maximum 2 inches (5.08 cm)

Recommended

  • 1 inch (2.54 cm)

Word orientation Horizontal Word spacing 2 inches (5.08 cm)

Preferred quadrant Upper right (in.order of preference) Upper left, lower left, lower right Several of the hard copy displays submitted with our August 21, 1985 response do appear somewhat cluttered. These copies contained a grid surrounding the display which is used for display development, these grids are not included in displays presented to the operator thus reducing the apparent clutter. Further, the black and white hard copies of the displays do not fully represent the screen as actually viewed by an operator. Nonessential information, such as labels and other static items, is colored dark blue. The poor contrast of dark blue on black redu~es the impact of the noise while still allowing the label to serve as information when focused on. However, because the copying process does not provide an effective demonstration of these contrast differ-ences, the CRT displays do not appear as cluttered to an operator as might be inferred from the hard copies provided with our response.

OC0886-0037S-NL01

  • ' *.' e.

Direct9r, NRR 6 Palisades Plant Attachment 1 Draft II VERIFICATION AND VALIDATION The March 17, 1986 NRC letter also requested information on the verifi-cation and validation effort performed on the design and development of the Palisades SPDS display system. Consumers Power Company's response of May 19, 1986 noted that the Palisades CFMS was procured prior to the formal requirements for verification and validation being issued by the NRC and therefore, no formal validation and verification plan ~as used in the design of the Palisades CFMS. However, Consumers Power Company noted that an experimental validation test program of the CFMS design philosophy had been conducted and committed to providing information on this program of man-in-the-loop validation testing. This section provides that additional information.

An experimental validation of the Critical Function Monitoring System (CFMS) was carried out as part of the Halden Project as a joint effort among Combustion Engineering, the Technical Research Center of Finland (VTT) and Imatran Noima Oy (IVO). The experiments took place at the PWR training simulator situated at the Loviisa Nuclear Power Plant in Finland. The overall objective of the test program was to determine the impact of the CFMS on operator performance and hence, on operational safety. The experiment was designed to record and measure operator performance both with and without the use of the CFMS, to assess the correspondence between the expected and actual effects of operator use of the CFMS, to develop predictions about operator performance when using the CFMS, and to determine what problems might be expected from introducing the CFMS into an existing control room.

Two specific hypotheses were investigated: (1) that operators using the CFMS would maintain plant critical functions more effectively, and (2) that effective maintenance of plant critical functions was equivalent to improved plant safety. The results of the experiment indicated that overall, the operating crews used the CFMS to obtain useful information on critical safety function, and that the CFMS proved useful to the operating crews in providing an overview of plant conditions and assis-tance in early identification of process transients.

The Critical Functions Monitoring System implemented in this experimen-tal program contained the seven critical functions identified in the CE Emergency Procedure Guidelines (CEN-152): Core Reactivity Control, Reactor Coolant System (RCS) Inventory Control, RCS Pressure Control, Core Heat Removal, RCS Heat Removal, Containment Isolation, Containment Temperature/Pressure Control. The CFMS implemented at the Palisades Plant uses the same seven critical functions plus an eighth critical function, Environmental, which was not implemented in the experimental system. The experimental CFMS employed in the Loviisa experiments operated with the same top down hierarchy employed by the Palisades CFMS, wherein the top level displays consist of status indicators providing the operator with an overview of the condition of the plant safety systems and quick access to lower level displays which provide greater detail on specific parameters and systems. The hardware used by the operators to interface with the CFMS at the Loviisa test consisted OC0886-0037S-NL01

DirectQr, NRR 7 Palisades Plant Attachment 1 Draft of the same type of equipment as that installed in the Palisades system, a keypad for requesting different displays .and acknowledging alarms, and a color graphic video display terminal (CRT). The CFMS display format used in the Loviisa experiment was essentially the same as the format of the CFMS displays in use at the Palisades Plant in that the display shows a mimic diagram of major plant systems, important system parameter values, and the status of major components in the system.

Although there are differences between the experimental system tested at Loviisa and the Palisades CFMS, the differences are primarly in the CRT display format and are attributable to differences between plant designs and in the selection of specific plant process parameters monitored, not in the basic structure or design philosophy of the CFMS. Thus, these differences do not invalidate the conclusions of the Loviisa test program when the test results are applied to the Palisades CFMS.

Therefore, based on the similarities of design and operating philosophy between the experimental CFMS tested at Loviisa and the Palisades* CFMS, Consumers Power Company has concluded that the results of the Loviisa man-in-the-loop validation experiment are applicable to the Palisades CFMS.

III. ADDITIONAL CLARIFICATION OF MAY 19, 1986 RESPONSE In a telephone conversation on July 10, 1986, the NRC reviewer requested additional clarification of information submitted by Consumers Power Company letter dated May 19, 1986. The clarifications requested were i~

four areas; safety function parameter selection, use of containment sump level indication, trending of neutron flux and validation of safety function input data. This section provides the requested clarifications.

A. Safety Function Parameter Selection

1. Hot and Cold Leg Temperatures, Core Exit Temperatures Our May 19, 1986 response on parameters monitored for each safety function did not explicitly state that hot and cold leg temperatures were monitored as part of the "Reactor Core Cooling and Heat Removal From the Primary System" critical safety function. Our response did state that subcooled margin based on hot and cold leg temperatures and core exit temperatures are monitored. This use of hot and cold leg temperatures was meant to indicate that hot and cold leg temperatures were parameters included to assess the "Core Cooling and Heat Removal" safety function. These parameters are monitored for this function and are displayed on page 211. Core exit temperatures were noted as being parameters required to monitor core heat removal in Section 1.1.4 of our May 19, 1986 submittal.

OC0886-0037S-NL01

Direct~r, NRR 8 Palisades Plant Attachment 1 Draft

2. Containment Sump Level The choice of parameters monitored for each critical safety function was based on the safety function status checks identified in the Combustion Engineering Emergency Procedure
  • Guidelines (CEN-152). Containment sump level is not included as a parameter monitored for the "PCS Integrity" critical safety function for the following reasons:
a. Containment sump level is not a direct measure of PCS integrity. Sump level can increase as a result of steam line breaks inside of containment which do not effect PCS integrity. Further, sump levels will remain constant for steam generator tube ruptures which do violate PCS integri-ty. Thus, sump level changes do not correlate directly to violations of PCS integrity.
b. Parameters selected for monitoring the critical safety functions are those required to be controlled within appro-priate limits in order to assure that critical safety functions are being maintained. The operator has no control over the containment sump level.

Containment sump level is considered in the CEN-152 Emergency Procedure Guidelines as a diagnostic parameter. Sump level is used*

in conjunction with other parameters to determine the type event *in progress to allow selecting the optimal recovery guideline. Fur-ther, sump level is used to confirm that the safety injection pumps have adequate NPSH following the automatic switchover of the suction of these pumps to the containment sump.

Containment sump level is considered to be an important parameter and, as such, is included in the CFMS and is displayed on CRT pages 244 and 321 *. Sump level is not, however, considered to be a neces-sary parameter for determination of challenges to the critical safety functions and thus is not included as information required to assess "Reactor Coolant System Integrity."

B. Neutron Flux Trending Consumers Power Company's May 19, 1986 submittal provided informa-tion on the one second update rate utilized by the SPDS for display-ing trends of plant parameters. This response did not explicitly state that this update rate is acceptable for monitoring expected neutron flux oscillations. Consumers Power Company has reviewed the Palisades Plant Final Safety Analysis and determined that no neutron flux oscillations which might be indicative of a severe accident are discussed in this analysis. Further, no mechanism for rapid oscil-lations of reactivity has been identified which could result in rapid neutron flux oscillations. Changes in neutron flux which approximate step changes, such as following a reactor trip, have been identified, however, the one second update rate is sufficient OC0886-0037S-NL01

Director, NRR 9 Palisades Plant Attachment 1 Draft for an operator to clearly resolve the time such a step change in power occurs. Based on the above, we have concluded that the one second update rate is sufficient to provide operators the informa-tion necessary to trend neutron flux under all conditions.

C. Validation of Safety Function Input Data The May 19, 1986 submittal provided a description of the parameters monitored by the SPDS for each critical safety function. Of the parameters described, approximately 80% are provided with redundant inputs. Validation of these inputs is performed by a combination of input range checks and validity checks of .the redundant inputs.

All analog inputs to the SPDS are checked for out of range condi-tions prior to display. Inputs found to be out of range are indi-cated on the out-of-range display page and indicated on operational displays by question marks "????" in the value field. An input quality flag is also carried by the signal and utilized in safety function algorithms which require the input. For parameters having redundant inputs, the safety function algorithms determine the best estimate value to be utilized by evaluating the quality flag of each input. If there are no good quality inputs for a particular parame-ter, the color of the top level display matrix box and alarm leg name associated with that parameter are changed to yellow to indi-cate to the operator that the input data is questionable.

For some parameters, consistency checks against other input parame-ters are performed to further validate the input. For example, the source range nuclear instruments are turned off automatically when the wide range nuclear instruments exceed a certain value. To prevent this from indicating an invalid source range signal, the source range validity check determines if the wide range nuclear instruments are on scale above a certain value prior to tagging the source range instruments as invalid. A similar check is performed for the wide range nuclear instruments which can go off scale low when neutron level is in the source range. For this case, the status of the source range instruments is determined prior to flagging the wide range nuclear instrumentation invalid.

Parameters utilized in the critical safety function algorithms which do not have redundant inputs include the following:

a. Shutdown cooling flow
b. Shutdown cooling heat exchanger inlet temperature
c. Condenser off-gas radiation
d. Steam line radiation (one monitor/steam generator)
e. Containment temperature OC0886-0037S-NL01

Direct9r, NRR 10 Palisades Plant Attachment 1 Draft Of these items, a through d have only one transmitter available in the plant and thus redundancy is not provided in the computer.

Items c and d taken together provide for redundancy in determining secondary steam radiation. Item e, containment temperature, is redundant in its usage with containment pressure. Items a and b, which monitor shutdown cooling, are backed up by other parameters such as subcooled margin which would also indicate inadequate shutdown cooling. Thus, the combination of redundant inputs and functional redundancy provided for parameters having only a single input are adequate to provide the operator with valid safety func-

, tion data.

IV. REFERENCES

1. C H Meijer, J L Pucak and T J O'Connell, "Applied Human Engineering to Improve the Man-Process Interaction in a Nuclear Power Plant,"

Presented at IEEE 1980 Symposium on Nuclear Power Systems, November 5-7, 1980, Orland6, Florida, TIS-6047.

2. MM Danchak, "Effective CRT Display Creation for Power Plant Appli-cations," Presented at Instrument Society of American Power Instru-mentation Symposium, May 10-12, 1976, San Francisco, California, TIS-4868.

OC0886-0037S-NL01

Appendix A Consumers Power Company Palisades Plant Docket 50-255 Addendum to Response to Request for Additional Information Safety Parameter Display System OECD HALDEN REACTOR PROJECT August 1986 24 Pages OC0886-0037S-NL01

Appendix A Consumers Power Company Palisades Plant Docket 50-255 Addendum to Response to Request for Additional Information Safety Parameter Display System OECD HALDEN REACTOR PROJECT August 1986 24 Pages OC0886-0037S-NL01