ML18151A135

Rev 1 to SPDS SAR for VEPCO NUREG-0696 Computer Project, North Anna & Surry Nuclear Power Stations.
Site: Surry, North Anna, 05000000
Issue date: 08/28/1987
From: Hurt W, ENERGY, INC.
To:
Shared Package: ML18151A134
References: RTR-NUREG-0696, RTR-NUREG-696, SAR-VEPCO-005, SAR-VEPCO-005-R01, SAR-VEPCO-5, SAR-VEPCO-5-R1, NUDOCS 8711090045



SAFETY PARAMETER DISPLAY SYSTEM
SAFETY ANALYSIS REPORT SAR-VEPCO-005
FOR VIRGINIA ELECTRIC AND POWER COMPANY
NUREG 0696 COMPUTER PROJECT
NORTH ANNA AND SURRY NUCLEAR POWER STATIONS
VEPCO CONTRACT NO. PSE-226

PREPARED BY EI SERVICES, P.O. BOX 736, IDAHO FALLS, IDAHO 83402

APPROVED: W. L. HURT, EI Project Manager

NOTE: Latest revisions are flagged with a symbol in the right-hand margin, where N is the number of the latest revision.

Rev. 0 - Issued for use 1-20-84 Rev. 1 - Issued for use 8-28-87


TABLE OF CONTENTS

1.0 INTRODUCTION
    1.1 Background
    1.2 SPDS Basis
    1.3 Abbreviations
2.0 NORTH ANNA AND SURRY CRITICAL SAFETY FUNCTIONS
3.0 SOURCES AND BASES FOR SPDS PARAMETERS
    3.1 Emergency Response Guidelines
    3.2 Regulatory Guide 1.97
4.0 SPDS DISPLAY HIERARCHY
    4.1 SPDS Displays
        4.1.1 Top-Level Display
        4.1.2 Mid-Level Displays
        4.1.3 Lower-Level Displays
    4.2 Operator-Aid Displays
5.0 SPDS PARAMETERS
    5.1 Safety Function Parameters
        5.1.1 Reactivity Control
        5.1.2 Core Heat Removal
        5.1.3 Secondary Heat Removal
        5.1.4 RCS Integrity
        5.1.5 Radioactivity Control
        5.1.6 Containment Conditions
    5.2 Plant Status Indicators
    5.3 ERG Status Tree Indicator
6.0 ELECTRICAL AND ELECTRONIC ISOLATION
    6.1 Introduction and Objectives
    6.2 VEPCO Design Features
        6.2.1 Electrical Isolation
        6.2.2 Fault Conditions
        6.2.3 Fault Testing
        6.2.4 Acceptance Criteria
        6.2.5 Environmental Qualification
        6.2.6 Electrical Interference
7.0 HUMAN FACTORS ENGINEERING
    7.1 Introduction and Objectives
    7.2 VEPCO Human Factors Program
8.0 DATA VALIDATION
    8.1 Introduction and Objectives
    8.2 VEPCO Design Approach
9.0 SUMMARY
REFERENCES

REVISION 1 NOTE

Due to the extensive nature of this revision, revision bars in the right-hand margin were not used. The rationale behind this revision and additional background information are presented in Section 1.1.


Rev 1


1.0 INTRODUCTION

1.1 Background

Virginia Electric and Power Company (VEPCO) has previously submitted a Safety Analysis Report (SAR) for the North Anna and Surry NUREG 0696 Computer Project (References 1 and 2), hereinafter referred to as the Safety Parameter Display System (SPDS). The initial submittal evaluated the response of the proposed SPDS with a number of accidents from the North Anna and Surry Updated FSAR's. It was concluded then that the SPDS gave good indication of off-normal plant operation and would be a valuable tool in enhancing the safety of the plants during accident or incident occurrences.

Since that time, the SPDS has become operational and is being used routinely by the plant's staff. As a result of plant design changes and input from the staff having used the SPDS, VEPCO has elected to review and update the SAR. The original SAR relied upon UFSAR accident scenarios to evaluate the adequacy of the parameter set. This revised SAR will examine the adequacy of the selected parameters in relation to the Westinghouse Owner's Group Emergency Response Guide Status Trees, or ERGSTs. Other sources of data such as Regulatory Guide 1.97 will also be used to confirm the adequacy of the parameter set. Thus, this revised SAR will reflect the as-built condition of the SPDS and confirm that the design concepts are valid when reviewed against current regulatory and industry standards.

Additional licensing obligations related to the implementation of the VEPCO SPDS are also provided. This information includes analysis and as-built data related to the following topics:

(1) electrical and electronic isolation, (2) human factors engineering, and (3) data validation.

It should be noted that a single SPDS design applies to both stations.

There are minor differences in alarm setpoints between the stations. These differences are fully described in other related design documents.

1.2 SPDS Basis

As a result of the Three Mile Island nuclear power plant accident on March 28, 1979, and the subsequent studies of needed improvements to nuclear power plant safety, the Nuclear Regulatory Commission (NRC) and the nuclear industry identified the need for a SPDS. The SPDS will provide a concise display of critical plant parameters to the control-room operators to aid them in rapidly and reliably determining the safety status of the plant.

The SPDS is in addition to the control-room instrumentation required by General Design Criteria 13 and 19 of Appendix A to 10CFR50 that provides the operators with the information necessary for safe reactor operation under normal, transient, and accident conditions. The SPDS, therefore, represents an improvement to the control room as it enhances the operator's ability to rapidly comprehend plant conditions and to interact in situations that require human intervention.

Supplement 1 to NUREG-0737, "Requirements for Emergency Response Capability", transmitted in NRC Generic Letter No. 82-33 (Reference 3), consolidates the NRC requirements for an SPDS. These requirements are a distillation of the basic requirements from various previously issued NRC guidance documents (e.g., References 4, 5, and 6). Included in NUREG-0737, Supplement 1, is a requirement to submit a safety analysis report that describes "... the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents."

The SPDS for the North Anna and Surry plants is integrated into a comprehensive computer system that includes the emergency response facilities (ERF) data acquisition, data processing, and display functions.

The SPDS utilizes cathode-ray tube (CRT) monitors, strategically placed and having appropriate man-machine interfaces. By means of user-called displays, an abundance of information on the safety status of the plants can be quickly made available to operations and technical staff.

The purpose of this SAR is to document the selection of parameters used for the SPDS developed for the North Anna and Surry plants and bring together other information relating to system design and implementation. This report complements other descriptions and program materials that document the design features and implementation program for the North Anna and Surry SPDS. Section 2.0 of this report identifies the safety function categories selected by VEPCO as the framework around which the stations' SPDS are constructed. Section 3.0 explains the actual bases and origins for the parameters selected to characterize each of the chosen SPDS safety functions. The hierarchy and interrelationships of the SPDS displays are briefly discussed in Section 4.0, while the actual parameters are presented in Section 5.0. Section 6.0 describes the means used to provide for electrical and electronic isolation between plant systems and sensors, and the SPDS system. Section 7.0 provides an overview of the human factors program which was an integral part of the SPDS design effort. Section 8.0 provides a description of the means used to validate data displayed in the SPDS.

A summary and conclusions as to the adequacy of the selected parameters for SPDS use are given in Section 9.0.

1.3 Abbreviations

The following is a list of abbreviations used in this document.

ac - Alternating Current
CET - Core Exit Temperature
CRT - Cathode Ray Tube
CSF - Critical Safety Function
dc - Direct Current
EOP - Emergency Operating Procedure
EMI - Electromagnetic Interference
EOF - Emergency Offsite Facility
ERF - Emergency Response Facility
ERG - Emergency Response Guideline
ERGST - Emergency Response Guideline Status Tree
IEEE - Institute of Electrical and Electronic Engineers
MCC - Motor Control Center
NDT - Nil-Ductility Temperature
NRC - Nuclear Regulatory Commission
P&ID - Piping and Instrument Diagram
RCS - Reactor Coolant System
RTD - Resistance Temperature Detector
SAR - Safety Analysis Report
SPDS - Safety Parameter Display System
TSC - Technical Support Center
V - Volts
VEPCO - Virginia Electric and Power Company
WOG - Westinghouse Owner's Group

2.0 NORTH ANNA AND SURRY CRITICAL SAFETY FUNCTIONS

NUREG-0737, Supplement 1, requires that, as a minimum, the SPDS must provide safety status information to plant operators that includes:

(1) reactivity control, (2) reactor core cooling and heat removal from the primary system, (3) reactor coolant system integrity, (4) radioactivity control, and (5) containment conditions.

The specific parameters to be displayed within each of the above categories are to be determined by the licensee.

VEPCO has retained each of these safety functions but has divided the reactor core cooling and heat removal from the primary system into (1) core heat removal and (2) secondary heat removal. The list of VEPCO safety parameters is given below.

(1) reactivity control, (2) core heat removal, (3) secondary heat removal, (4) reactor cooling system integrity, (5) radiation control, and (6) containment conditions.

The completeness of these categories can be further verified by examining the North Anna and Surry ERG status trees. Table 1-1 shows the correlation between the required SPDS functions, the selected functions, and the ERG status tree functions. The parameters selected to monitor each of the above safety function categories are discussed in Section 5.0.

Table 1-1 CORRELATION BETWEEN NUREG 0737 SUPPLEMENT 1 FUNCTIONS, VEPCO SPDS FUNCTIONS, AND VEPCO ERG STATUS TREE FUNCTIONS

0737                               VEPCO SPDS               VEPCO ERG
Reactivity Control                 Reactivity Control       Subcriticality
Core Cooling & Heat Removal        Core Heat Removal        Core Cooling
                                   Secondary Heat Removal   Heat Sink
Reactor Coolant System Integrity   RCS Integrity            Integrity
Containment Conditions             Containment Conditions   Containment
Radioactivity Control              Radiation Control        N/A

3.0 SOURCES AND BASES FOR SPDS PARAMETERS

The primary basis for SPDS parameters is the NRC requirement in Supplement 1 to NUREG-0737 that the SPDS provide a concise display of critical plant variables to the control-room operators to aid them in rapidly and reliably determining the safety status of the plant. The SPDS is intended to supplement and be in addition to, not instead of, the control-room instrumentation required by General Design Criteria 13 and 19 of Appendix A to 10CFR50 that provides all the information necessary for safe reactor operation under normal, transient, and accident conditions. Thus, the SPDS provides an improvement to the control room by concentrating and displaying the critical plant data so that the operator can quickly assess and evaluate the plant safety status and detect abnormal operating conditions.

The specific safety function categories selected by VEPCO for the North Anna and Surry plants have been given in Section 2.0. This section discusses the considerations that were made to select particular parameters to characterize each of those safety functions.

The parameter set selected resulted from three sources:

(1) Emergency Response Guidelines, (2) Regulatory Guide 1.97, and (3) specific evaluation of information required for manual operator action.

These are discussed in the following sections.

3.1 Emergency Response Guidelines

VEPCO has invoked the generic Emergency Response Guidelines (ERGs) as developed by the Westinghouse Owner's Group as its basis for developing plant-specific Emergency Operating Procedures (EOPs) for the North Anna and Surry stations.

Upgraded EOPs are required by NUREG-0737, Supplement 1. The EOPs provide for preplanned responses to specific abnormal or emergency status in any of the critical safety functions. The safety function status is determined by a logic-tree methodology that was developed by the Westinghouse Owner's Group. These logic trees are designated as the Emergency Response Guide Status Trees, or ERGSTs. The basis for construction of the ERGSTs was to select the minimum number of parameters whose individual conditions could be examined to reliably establish the status of the given safety function.

The ERGSTs are designed to be usable even in the absence of any specific event diagnosis. This makes them of particular value in situations where multiple events have occurred and whose precise nature may not be immediately apparent. Use of the corresponding function restoration guidelines which are indicated by the logic trees would commence immediately to restore the critical safety function to an acceptable status. These procedures would generally be complemented by a set of more optimal recovery procedures that would be invoked once diagnosis of the specific plant conditions has been made and confirmed.

The construction of the ERGSTs was the culmination of substantial efforts by the Westinghouse Owner's Group. This effort was conducted over a two-year period. It included exhaustive evaluations to assure that the ERGST-driving parameters comprised a necessary and sufficient set and that, coupled with the decision criteria used, reliable conclusions were drawn for safety function status. Development of the ERGSTs is documented in References 7 and 8.

The Westinghouse Owner's Group ERGSTs were selected verbatim as the processing methodology for the ERG critical safety functions. By so doing, the parameters upon which these ERGSTs depend are automatically invoked. The North Anna and Surry SPDS parameters, being ostensibly an inclusive set of the ERGST parameters, can thus rely on the Westinghouse Owner's Group methodology as a means of determining their adequacy.

Since the ERGSTs were developed only for post-trip conditions, VEPCO has developed SPDS displays using logic and setpoints to determine plant safety status during tripped and non-trip operational modes. The decision points for these operational conditions have been drawn from, and are directly traceable to, station technical specifications, procedures, or the ERGSTs as appropriate.

3.2 Regulatory Guide 1.97

Regulatory Guide 1.97 (Revision 3), "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident", has identified specific plant parameters required for control-room operating personnel during accident conditions. While Regulatory Guide 1.97 is not a necessary and sufficient basis for selecting SPDS parameters, its purpose and that of the SPDS are closely related. It provides an excellent basis for developing and assessing SPDS parameters.

Reg. Guide 1.97 distinguishes several types of variables as to their usage in accident situations. Specific variables of types B, C, D, and E are given explicitly. These relate to the following:

(1) Type B - variables that provide information to indicate whether reactivity control, core cooling, reactor coolant system integrity, and containment integrity functions are being maintained.

(2) Type C - variables that provide information to indicate a breach, or the potential for a breach, of the fission product barriers:
    (a) fuel cladding,
    (b) primary coolant pressure boundary, and
    (c) containment.

(3) Type D - variables that provide information to indicate the operation of individual safety systems and other systems important to safety.

(4) Type E - variables to be monitored as required for use in determining the magnitude of the release of radioactive materials.

Reg. Guide 1.97 also identifies a Type A classification consisting of plant-specific variables that are to be determined by the licensee:

Type A - variables to be monitored that provide the primary information required to permit the control-room operator to take specific manually controlled actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for design-basis-accident events.

It is quite clear that the Reg. Guide 1.97 variables fulfill needs very close to those of the SPDS. Both parameter sets respond to the needs for establishing an accurate status of plant safety functions, as well as providing the perspective of plant conditions necessary to anticipate challenges to safety.

Reg. Guide 1.97 establishes three levels of importance within each variable type:

(1) Category 1 - key variables, (2) Category 2 - important backup variables, and (3) Category 3 - backup variables of lesser importance.

Seismic and environmental qualification, as well as signal validation requirements, are imposed by Reg. Guide 1.97 for each of these three categories to an extent that is consistent with their importance level.

The North Anna and Surry critical safety functions include all Category 1 variables or at least processed calculated parameters derived from such variables. In addition, certain preferred backup variables (i.e., Category 2) of Type C and a few variables of Type D have been similarly included.

All radiation monitoring signals have been provided to the SPDS. These include process radiation monitors (e.g., steam lines), liquid and gaseous effluent radiation monitors, and area monitors.

Because of the integration of the SPDS function with the ERF computer system at North Anna and Surry, most plant Reg. Guide 1.97 variables are in fact accessible on the SPDS monitors through the man-machine interface.

4.0 SPDS Display Hierarchy

The North Anna and Surry SPDS are comprised of CRT monitors with user keyboards strategically located in the control room, technical support center, and emergency operations facilities (EOFs). The versatility of CRT monitoring, coupled with sophisticated man-machine interfaces and the capability of the computer system to process field and human inputs very rapidly, has enabled the design of a sophisticated and powerful monitoring system.

A very brief description of the data presentation is helpful here to place into context the manner in which the SPDS parameters are monitored. For the purpose of this section, suffice it to note that the man-machine interface has been carefully thought out so that accessibility of the information and linkages among the displays are straightforward and rapidly accomplishable.

For licensing purposes, the North Anna and Surry SPDS is defined as the top and mid-level CSF displays and the time history plots for the individual parameters that are input to the six safety function categories. Other displays including pressure-temperature plots, piping and instrument diagrams, and ERGST displays are available in the ERF system and are described in this document as they relate to the SPDS displays.

The top-level display providing a summary status of all CSFs is continually available in the control room.

All displays including the top-level, mid-level, piping and instrument diagrams, and pressure-temperature plots, have common features including the following:

(1) the status of the six top-level functions (parameters) is continuously displayed and is colored according to their alarm condition,
(2) the status of selected plant actuation signals is presented, and
(3) the name of the most limiting ERGST is presented and colored according to its severity.

4.1 SPDS Displays

4.1.1 Top-Level Display

The top-level display is the essence of the North Anna and Surry SPDS. It presents the status of all six critical safety functions (parameters), indication of a challenge to any ERGST, status of selected plant actuation signals including plant trip, auxiliary feedwater, safety injection, and containment isolation, and plant mode.

The top-level display has the following features:

(1) deviation bar graphs which show parameter values relative to their normal value or limiting value for safe operation,
(2) incorporates color coding of alarm severity using the population stereotype convention, green (normal), yellow (caution), and red (danger),
(3) includes pattern recognition and other human engineered characteristics, and

4.1.2 Mid-Level Displays

Mid-level displays provide the details of the statuses summarized at the top level for the six critical safety functions. This includes showing the current value for all discrete and computed values which are input to the top-level display. Data is presented in both bar graph and digital formats with proper engineering units. All data is color coded according to the alarm severity.

4.1.3 Lower-Level Displays

Lower-level displays provide the time-based trends for the individual parameters that make up the six critical safety functions. These displays are directly accessible from the mid-level displays.

4.2 Operator-Aid Displays

A number of displays are available as additional aids to the operators and system users. Although not intended specifically for SPDS use, the integration of the computer systems and data bases has resulted in their accessibility by all users. This is a significant enhancement to the usefulness of the overall Emergency Response Facility Computer System.

These displays provide the most detailed information to elaborate on data summarized on the top, mid, and lower level SPDS displays. These enable the operator to focus in on the origins of any off-normal status indications that they may have been alerted to on SPDS displays.

Noteworthy among these aids are the following:

(1) an extensive number of plant schematics, flow diagrams, and process and instrumentation diagrams (P&IDs), utilizing color coding and graphic enhancements to denote component status and alarm state,
(2) six separate ERGST displays showing the current logic path and status, each of which includes a summary status of the companion ERGSTs,
(3) time-based trends of user-selectable parameters in the system,
(4) time-based trends for preselected parameters in the system,
(5) digital values and graphics for core-exit temperatures in a variety of formats,
(6) locus of recent primary system operation relative to the saturation condition,
(7) pressure-temperature operational limits map showing the locus of recent reactor coolant conditions,
(8) containment isolation valve status,
(9) current values for parameters driving each of the CSFs, and
(10) current values for parameters driving the radiation indications for each of the plant areas on the effluent radiation monitoring mid-level display.

5.0 SPDS PARAMETERS

Section 5.1 lists the six critical safety functions that are shown on the North Anna and Surry top-level SPDS display and all parameters that are input to each function and thus implicitly shown. A brief explanation and justification ties each of these to the selection bases described in Section 3.0. Section 5.2 lists plant status indicators which are shown on all displays to enhance the usefulness of the SPDS. Section 5.3 describes how the status of the ERGSTs is presented on the SPDS displays, thus providing a means to integrate the SPDS with the ERGSTs.

The parameters listed are provided for each reactor coolant loop, where appropriate. Where multiple sensors are present, the parameters represent calculated parameters based on specific processing of the individual sensors. In addition, certain processed parameters, such as maximum core-exit temperature, are generated from the plant sensors.

5.1 Safety Function Parameters

This section lists all parameters which are inputs to the individual safety functions. Parameters are grouped by their safety function category. The parameter set presented in this section is, in general, the same parameter set proposed by VEPCO in its initial SAR (References 1 and 2). Boron concentration in the RCS was deleted as a SPDS parameter for the reactivity control function because, being an off-line measurement, it did not meet the criteria of providing a rapid assessment of plant status.

5.1.1 Reactivity Control

(1) Neutron Flux-Source Range:

(2) Neutron Flux-Intermediate Range:

(3) Neutron Flux-Power Range:
    (a) Reg. Guide 1.97 Type B variable (see definitions of variable types, Section 3.0),
    (b) key variable for monitoring Westinghouse Owner's Group (WOG) Subcriticality ERGST,
    (c) diagnosis of positive reactivity insertion.

(4) Startup Rate:
    (a) key variable for monitoring WOG Subcriticality ERGST,
    (b) diagnosis of positive reactivity insertion.

(5) RCCA's Not Full-In:
    (a) provides a rapid check of control assembly insertion following a scram, and
    (b) Reg. Guide 1.97 Type B variable.

(6) Cold Leg Temperature:
    (a) Reg. Guide 1.97 Types A and B variable,
    (b) key variable for monitoring WOG reactor coolant system (RCS) Integrity ERGST,
    (c) backup variable for monitoring reactivity and core cooling,
    (d) maintain proper relationship with RCS pressure,
    (e) maintain primary inventory subcooling,
    (f) verify vessel NDT criteria,
    (g) determination of natural circulation conditions in conjunction with hot leg temperature, and
    (h) detection of pressurized thermal shock condition.

5.1.2 Core Heat Removal

(1) Peak Core Exit Temperature:
    (a) Reg. Guide 1.97 Types A, B, and C variable,
    (b) key variable for monitoring WOG Core Cooling ERGST,
    (c) determine if core is being adequately cooled, and
    (d) provides indication of uncovering of core.

(2) CET Saturation Margin:
    (a) Reg. Guide 1.97 Types A and B variable,
    (b) key variable for monitoring WOG Core Cooling ERGST,
    (c) determine that a subcooled condition exists in the RCS, and
    (d) verification of adequate RCS subcooling margin.
    (e) provides indication of uncovering of core.

(3) Reactor Vessel Water Level:
    (a) Reg. Guide 1.97 Types B and C variable,
    (b) key variable for monitoring WOG RCS Inventory and Core Cooling ERGSTs, and
    (c) indication of a core-uncovery situation under a design-basis condition.

(4) RCS Loop Flow:
    (a) provides indication of proper operation of reactor coolant pumps, and
    (b) provides indication that there is adequate coolant for core heat removal

(5) Average Loop Temperature:
    (a) provides indication of overpower and overtemperature conditions, and
    (b) provides indication of inadequate core cooling

(6) Loop Delta-Temperature:
    (a) provides indication of effectiveness of core heat removal,
    (b) provides a means to verify core flow during natural circulation, and
    (c) provides indication of magnitude of core heat generation.

5.1.3 Secondary Heat Removal

(1) Steam Generator Level:
    (a) Reg. Guide 1.97 Types A and B variable,
    (b) key variable for monitoring WOG heat sink ERGST,
    (c) determination of adequate heat sink,
    (d) detection of water carryover into steam lines,
    (e) determine whether auxiliary feedwater should be terminated, and
    (f) safety injection for secondary breaks outside containment.

(2) Steam Generator Pressure:
    (a) Reg. Guide 1.97 Types A and B variable,
    (b) key variable for monitoring WOG heat sink ERGST,
    (c) determination of high energy, secondary line rupture,
    (d) maintenance of adequate reactor heat sink, and
    (e) verify that auxiliary feedwater flow to steam generator associated with rupture is isolated.

(3) Feedwater Flow:
    (a) Reg. Guide 1.97 Type A, B, and D variable,
    (b) determine if sufficient flow exists to maintain adequate heat sink during power operation, and
    (c) detection of secondary plant transients during power operation.
    (d) key variable for monitoring WOG heat sink ERGST,
    (e) safety injection termination.

(4) Steam Flow:
    (a) Reg. Guide 1.97 Type D variable (verification of proper system operation),
    (b) maintenance of adequate heat sink during power operation, and
    (c) detection of secondary plant transients during power operation.

(5) Condensate Storage Tank Level:
    (a) Reg. Guide 1.97 Types A and B variable and
    (b) determination of adequate water supply for auxiliary feed water pumps.

(6) Residual Heat Removal Flow:
    (a) provides indication of ability of RHR system to provide core cooling, and
    (b) Reg. Guide 1.97 Type D variable.

5.1.4 RCS Integrity (1) RCS Pressure:

(a) Reg. Guide 1.97 Types A, B, and C variable, (b) key variable for monitoring WOG Integrity ERGST, (c) maintenance of a proper relationship with RCS temperature, (d) detection of potential for RCS boundary breach, (e) verify vessel nil-ductility temperature (-NOT) criteria, (f) maintenance of primary inventory subcooling, Rev 1

(g) establish correct condition for residual heat removal (RHR) operation, (h) det~rmine whether reactor coolant pump operation should be continued, and (i) determine whether high head safety injection should be terminated or reinitiated.

(2) Pressurizer Level:

( a) Reg. Guide 1.97 Types A and B variable,

( b) key variable for monitoring WOG Inventory ERGST,

( C) determine if safety injection should be terminated or

(3) Pressurizer Relief Paths Out of Position:

(a) Reg. Guide 1.97 Type D variable, and (b) provides alert to operator that RCS integrity is challenged.

(4) Margin To NOT Limit:

(a) provides indication of challenge to vessel integrity (5) High Head Safety Injection Flow:

(a) Reg. Guide 1.97 Type D variable, and (b) provides indication of operating status of safety injection system.

Rev 1

(6)

Containment Pressure:

. (a) Reg. Guide 1.97 Types A, B, and C variable, (b) key variable for monitoring WOG Containment ERGST, (c} backup variable for monitoring RCS integrity, (d) determine if break is inside or outside containment, (e) monitor conditions following break inside containment, and *

(f) verify event is properly c'ontro*lled.

(7) Containment Sump Level:

(a) Reg. Guide 1.97 Types A, B, and C variable, (b) key variable for monitoring WOG containment ERGST, (c) backup variable for determining adequate reactor coolant inventory, (d) verify water source available fcir recirculation mode cooling, (e} determination of high energy line rupture inside or outside containment, and (f) determination of flooded conditions at instrumentation mounting locations.

(8) Secondary System Activity:

(a) Reg. Guide 1.97 Type A variable, and

(b)

5.1.5 Radioactivity Control

The radiation monitoring parameters are identified below. In addition to justification for each, a listing of discrete parameters monitored is provided for each category. These are shown as inputs.

(1) Condenser Air Ejector:

(a) Reg. Guide 1.97 Types A and E variable, (b) backup variable for monitoring RCS integrity, and (c) detection of radioactive release to system.

Inputs: [1] condenser air ejector.

(2) Vents and Stacks:

(a) Reg. Guide 1.97 Type C and E variable, and (b) monitoring of likely path of plant release.

Inputs: [1] process vent normal range release rate,

[2] process vent high range release rate,

[3] vent stack normal range release rate,

[4] vent stack high range release rate,

(3) Liquid Release Paths:

(a) Reg. Guide 1.97 Type E variable, and

(b) monitoring of likely path of liquid releases.

Inputs: [1] discharge tunnel and

[2] liquid waste.

(4) Primary Coolant:

(a) Reg. Guide 1.97 Type C and E variable,

(b) provides indication of approach to coolant activity limits for safe operation, and (c) provides indication of fuel cladding breach.

Inputs: [1] reactor coolant letdown activity.

(5) Secondary Steam:

(a) Reg. Guide 1.97 Type E variable, (b) provides indication of primary to secondary leaks, and (c) backup variable for monitoring RCS integrity.

Inputs: [1] steam line to turbine driven auxiliary feedwater pump and

[2] main steam lines.

(6) Containment Monitors:

(a) Reg. Guide 1.97 Type E variable, (b) provides indication of significant radioactive release, and (c) backup variable for monitoring RCS integrity.

Inputs: [1] containment area gases,

[2] containment area particulates,

[3] containment high range gamma,

[4] incore instrument area,

[5] manipulator crane area, and

[6] reactor control area.

(7) Area Monitors:

(a) Reg. Guide 1.97 Type E variable and (b) provides indication of radioactive releases

Inputs: [1] auxiliary building control area,

[2] decontamination area,

[3] decontamination building,

[4] fuel pit bridge area,

[5] main control room,

[6] new fuel storage area,

[7] radiochemistry laboratory, and

[8] sampling room.

5.1.6 CONTAINMENT CONDITION

(1) Containment Isolation:

(a) Reg. Guide 1.97 Types B and C variable, (b) key variable for detection of containment boundary breach, and (c) determine accomplishment of containment isolation.

(2) Containment Pressure:

(a) Reg. Guide 1.97 Types A, B, and C variable, (b) key variable for monitoring WOG containment ERGST, (c) backup variable for monitoring RCS integrity, (d) determine if break is inside or outside containment, (e) monitor conditions following break inside containment, and (f) verify event is properly controlled.

(3) Containment Temperature:

(a) Reg. Guide 1.97 Type D variable, (b) backup variable for monitoring RCS integrity, (c) determine if break is inside or outside containment, and (d) monitor conditions following break inside containment.


(4) Hydrogen Concentration:

(a) Reg. Guide 1.97 Types B and C variable, (b) key variable for monitoring containment environment, (c) identifying potential for containment boundary breach due to hydrogen detonation, and (d) determination of acceptable hydrogen concentration control.

(5) Refueling Water Storage Tank Level:

(a) Reg. Guide 1.97 Type A variable, (b) verify water source available for the emergency core cooling system and containment spray system, (c) determination of time for initiation of cold leg recirculation following a loss of coolant accident, and

5.2 Plant Status Indicators

To assist in mitigating the consequences of challenges to a safety function, selected plant actuation signals are provided. They include Reg. Guide 1.97 variables and other information related to major equipment/component status which are frequently monitored following plant upset conditions. The actuation signals are shown in a 2x4 array of colored boxes on all displays.

Each box has the acronym of the actuation signal shown in it. Each box is green if the signal indicates a non-tripped state, changing to red when the trip occurs. The set of signals includes:

(1) Reactor Trip

(2) Safety Injection Actuation

• Containment Depressurization Logic (North Anna)

5.3 ERG Status Tree Indicator

In addition to the actuation signals listed above, an ERG status indicator is shown on all displays. This provides for complete integration between the SPDS function and the upgraded EOPs as required by NUREG 0737. The name of the most limiting ERG status tree is shown colored according to its alarm state. Since the ERG status trees are only calculated after a plant trip, the status indicator and the ERG decision paths on the ERG displays are colored white prior to a plant trip. The parameter set required to support ERGST use is a subset of the SPDS parameter set with exceptions noted below:

(1) Cooldown rate, (2) Reactor coolant pump status, and (3) Wide range hot leg temperature.

6.0 ELECTRICAL AND ELECTRONIC ISOLATION

6.1 Introduction and Objectives

The information in this section is the VEPCO response to an NRC request for additional information related to electrical isolation which was transmitted to VEPCO in Reference 9. The requirements listed represent the questions posed by the NRC. The responses given are the VEPCO responses to these requests and transmitted to the NRC in Reference 2 with revisions as appropriate to reflect the current system design.

6.2 VEPCO Design Features

6.2.1 Electrical Isolation

Requirement:

For each type of device used to accomplish electrical isolation, describe the specific testing performed to demonstrate that the device is acceptable for its application(s). This description should include elementary diagrams when necessary to indicate the test configuration and how the maximum credible faults were applied to the devices.

Response

The data acquisition system installed by VEPCO provides isolation by the multiplex unit, which is qualified Category 1E, and additional isolation by the fiber optic link from the multiplexer to downstream devices. The testing performed to demonstrate the acceptability of this equipment was included as Attachment 1 to Reference 2, "Nuclear Environmental Qualification of the Remote Multiplex Unit Models MC 170 AD-Q2 and MC 370 AD-Q2 and Associated PC Boards and Plug-In Modules", Report QTR 82-002 Revision B dated October, 1982, and Attachment 2, "Qualification Test Report, Surge Withstand Capability Tests, MC 170 AD-Q2 Remote Multiplexer/Module Cases"

6.2.2 Fault Conditions

Requirement:

Provide data to verify that the maximum credible faults applied during the test were the maximum voltage/current to which the device could be exposed, and define how the maximum voltage/current was determined.

Response

The maximum credible voltages for North Anna or Surry Station instrument and control circuits are as follows:

125 Volt dc Circuits

The maximum voltage that can be impressed on these circuits is 140 volts dc for about 72 hours. This occurs when the station batteries are being equalized. Due to the high input impedance of the card, maximum fault current is negligible.

120 Volt ac Circuits

This includes Motor Control Center (MCC) Control Circuits. The maximum voltage on these circuits is 137 volts.

Multiple fortuitous failures of an MCC control transformer including breakdown of internal barriers could result in the primary voltage of 480 volts being impressed on the secondary side of the transformer but this is not considered credible. Due to the high input impedance of the card, maximum fault current is negligible.

Instrument Loops

The maximum credible voltage that can be impressed on instrument loops is 120 volts ac. This can only exist if the loop power supply has an internal failure which shorts the primary voltage (120 V ac) to the low voltage (48 V ac) output used for instrument current loops. Due to the high input impedance of the card, maximum fault current is negligible.

For all of the above circuits including RTD's, thermocouples, and contact inputs a spurious noise signal may be impressed. This noise signal is characterized by IEEE-472 Surge Capability Test.

The "Environmental Qualification Report" and "Surge Withstand Capability Report" include detailed information.

6.2.3 Fault Testing

Requirement:

Provide data to verify that the maximum credible fault was applied to the output of the device in the transverse mode (between signal and return) and other faults were considered (i.e., open and short circuits).

Response

The output of the multiplex unit is a fiber optic cable link. The cable acts as a second isolation device and is not affected by the described faults.

6.2.4 Acceptance Criteria

Requirement:

Define the pass/fail acceptance criteria for each type of device.

Response

The Acceptance Test Reports which are included in the Environmental Qualification Report, Attachment 1 to Reference 2, define the pass/fail acceptance criteria for each type of device.

6.2.5 Environmental Qualification

Requirement:

Provide a commitment that the isolation devices comply with the environmental qualifications (10 CFR 50.49) and with the seismic qualifications which were the basis for plant licensing.

Response

The isolation devices are environmentally and seismically qualified and meet the basis for plant licensing. The information regarding this qualification is included in the Environmental Test Report, QTR-82-002, Revision B, dated October, 1982, provided as Attachment 1 to Reference 2. All equipment is presently located in a mild environment.

6.2.6 Electrical Interference

Requirement:

Provide a description of the measures taken to protect the safety systems from electrical interference (i.e., Electrostatic Coupling, EMI, Common Mode and Crosstalk) that may be generated by the SPDS.

Response

There are three basic measures which have been taken to protect the safety systems from electrical interference which may be generated by the SPDS.

1. All inputs of the isolation cards (multiplexer input cards) have single direction buffer/amplifiers between the input and multiplexer stage.
2. The current input cards have low impedance (approximately 250 ohms) shunt across the inputs to a very high (2 megaohm) impedance device.
3. All voltage input circuits have very high impedance (2 megaohm) compared with the external load to which they are connected.

These three measures will attenuate any noise generated by the SPDS to either zero or an extremely low level that will have no effect on the external safety systems.

7.0 HUMAN FACTORS ENGINEERING

7.1 Introduction and Objectives

The information in this section is the VEPCO response to an NRC request for additional information related to human factors which was transmitted to VEPCO in Reference 9. The requirement listed represents the question posed by the NRC. The response given is the VEPCO response to this request and transmitted to the NRC in Reference 2 with revisions as appropriate to reflect the current system design.

7.2 VEPCO Human Factors Program

Requirement:

Provide a description of the display system, its human factored design, and the methods used and results from a human factors program to ensure that the displayed information can be readily perceived and comprehended so as not to mislead the operator.

Response

The VEPCO Emergency Response Facilities (ERF) computer system SPDS is based on the AYDIN Controls model 5215A color graphic display generator. The Interface Peripherals consist of AYDIN 13 inch color CRT's (model 8810), 19 inch color CRT's (model 8830), 25 inch color CRT's (model 8070), Keyboards (model 5115A) and Keypads manufactured by Computer Technology Corp. (model IPS-2000). All CRT's except 25 inch CRT's are equipped with touch screens.

The display builder/driver software is the OPTICS package developed by Modular Data Systems, Inc. This package supports the development of real time graphic displays using character graphics on the 48 x 80 character display screen and pixel level graphics using the dot addressable capabilities of the AYDIN 5215A display generator. Additionally, the package supports special features such as user definable bar charts and X-Y plots as well as alarm presentation in graphic and tabular format.

Human factors considerations were addressed by a study performed by Advanced Resource Development Corp. (ARDC). Their recommendations have been utilized in two areas:

1. Hardware

A. An ARDC study of ERF information needs was used as the primary basis for choosing the type and location of color CRT's and keyboards in the EOF's, TSC's and control rooms.

B. Touch screens were added to all CRT's except 25 inch CRT's to maximize the ease of operator interface.

C. Pixel level graphics support was added to the AYDIN display generators and to the OPTICS software package to provide greater flexibility in graphic display development with higher resolution.

D. The standard AYDIN graphic character PROM sets were replaced with custom PROM sets in all display generators to provide a more versatile graphic character set.

2. Software

A. ARDC developed a "Display Planning Guideline" document for VEPCO which has been used in development of all SPDS graphic displays. This is a comprehensive guideline which includes recommendations on display background presentation such as title, time/date location, line thickness, and display density. Recommendations are also provided on dynamic data presentation such as bar charts, numerical values and graphic symbols. Additionally, guidance is given regarding the use of color and blink for both background and dynamic data.

B. ARDC has provided individual graphic display comments at the various stages of display development. Specifically, comments were provided on the display sketches during the design phase and on the actual color displays after implementation on VEPCO's Emergency Response Facilities Computer System.

C. ARDC provided additional input on an as needed basis to resolve issues such as the preferred graphic symbol for a given piece of equipment.

8.0 DATA VALIDATION

8.1 Introduction and Objectives

The information in this section is the VEPCO response to an NRC request for additional information related to data validation which was transmitted to VEPCO in Reference 9. The requirement listed represents the question posed by the NRC. The response given is the VEPCO response to this request and transmitted to the NRC in Reference 2 with revisions as appropriate to reflect the current system design.

8.2 VEPCO Design Approach

Requirement:

Describe the specific methods used to validate data displayed in the SPDS. Also described is how invalid data is defined to the operator.

Response

Two levels of validity checking are performed on all inputs to the VEPCO ERF computer system:

First, the scan software, which is responsible for reading contact and analog inputs, performs various status checks and maintains a table of current value and status bits for each input. These status bits store information about each input such as its current alarm condition and its validity. The various validity bits maintained by the scan software are:

Contact Inputs

1. Old Data - This bit indicates that the current value for the input in the data base was not updated on its scan period. This would be due to failure of the scan software to process the point on schedule or a failure of the multiplexer link on which the point resides.
2. Off Scan - This bit indicates that the value for the input in the data base is not being updated as a result of a request from an operator to stop scanning the input.
3. Out For Maintenance - This bit indicates that the value for the input in the data base is unreliable as a result of maintenance activities in some portion of the instrument loop.

Analog Inputs

1. Old Data - Same as contact inputs.
2. Off Scan - Same as contact inputs.
3. Out For Maintenance - Same as contact inputs.
4. High Instrument Limit Violation - This bit indicates that the value received from the input channel is higher than the field transducer is capable of reading.
5. Low Instrument Limit Violation - Same as 4 above for low readings.

The second level of validity checking is performed by the SPDS software itself.

Any inputs to the ERF system which are not represented by redundant instruments are checked for the status discussed above (i.e., old data, etc). If the input has these status bits set, any calculations which depend on this input will have their "BAD" status bits set.

Inputs for which redundant indication is available are treated differently.

Analog inputs are first checked for the status discussed above (i.e. old data, etc.). Any inputs with these status bits set are excluded from the calculations. The remaining inputs are then checked for deviation from their average. If any of the inputs deviate significantly from the average, the inputs are passed to a data rejection algorithm to determine which, if any, of the inputs to eliminate.

The data rejection algorithm compares the most positive and negative deviations to the spread in the remaining signals. Only one high and one low signal may be rejected. The remaining valid inputs are then used as the parameter value for subsequent calculations. Typical uses of these valid inputs are averages or high/low selection depending on the calculation being performed.

Any inputs rejected by this process will have their "BAD" status bit set as well as being excluded from calculational use. Should none of the redundant indications pass the status bit test, the average of the values is used and any calculations based on this average will have their "BAD" bit set.

Redundant contact inputs are first checked for the status discussed above (i.e., old data, etc.). Any inputs with these bits set are excluded from the calculations. The remaining inputs are checked for status agreement (i.e., contact open or closed). If all inputs disagree, the conservative status is used and any calculations based on this status will have their "SUSPECT" status bit set.

Any inputs rejected by this process will have their "BAD" status set as well as being excluded from calculational use.
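The two-level check described above, sketched in Python as an added example; it is not code from the VEPCO ERF system. The bit layout, the `deviation_limit` and `reject_ratio` values, measuring the extreme signals against the mean of the remaining ones, the handling of fewer than three usable channels or of no usable contacts, and the tag names are all assumptions, because the report gives no numeric criteria.

```python
from dataclasses import dataclass
from enum import Flag
from statistics import mean


class Status(Flag):
    # Bit positions are assumptions; the report names the bits, not their layout.
    OK = 0
    OLD_DATA = 1
    OFF_SCAN = 2
    OUT_FOR_MAINTENANCE = 4
    HIGH_LIMIT = 8
    LOW_LIMIT = 16
    BAD = 32
    SUSPECT = 64


# First-level (scan software) bits that make an input unusable.
SCAN_INVALID = (Status.OLD_DATA | Status.OFF_SCAN | Status.OUT_FOR_MAINTENANCE
                | Status.HIGH_LIMIT | Status.LOW_LIMIT)


@dataclass
class Point:
    tag: str
    value: float            # analog reading, or 0/1 for a contact
    status: Status = Status.OK


def validate_analog(points, deviation_limit, reject_ratio=3.0):
    """Return (values for later calculations, status those calculations inherit)."""
    usable = [p for p in points if not p.status & SCAN_INVALID]
    if not usable:
        # No channel passed the status-bit test: use the average, flagged BAD.
        return [mean(p.value for p in points)], Status.BAD
    average = mean(p.value for p in usable)
    deviates = max(abs(p.value - average) for p in usable) > deviation_limit
    if deviates and len(usable) >= 3:
        ranked = sorted(usable, key=lambda p: p.value)
        low, remaining, high = ranked[0], ranked[1:-1], ranked[-1]
        centre = mean(p.value for p in remaining)
        spread = remaining[-1].value - remaining[0].value
        threshold = max(deviation_limit, reject_ratio * spread)
        # At most one low and one high signal can be rejected.
        for candidate in (low, high):
            if abs(candidate.value - centre) > threshold:
                candidate.status |= Status.BAD
        usable = [p for p in usable if not p.status & Status.BAD]
    return [p.value for p in usable], Status.OK


def validate_contacts(points, conservative):
    """Return (contact state, status) for redundant contact inputs."""
    usable = [p for p in points if not p.status & SCAN_INVALID]
    if not usable:
        return conservative, Status.BAD   # assumed handling, not in the report
    states = {p.value for p in usable}
    if len(states) == 1:
        return states.pop(), Status.OK
    # Disagreement: take the conservative state and mark results SUSPECT.
    return conservative, Status.SUSPECT


# Constructed sample: three pressure channels, one far from the others,
# plus a fourth channel the scan software has marked Off Scan.
SAMPLE = [Point("PT-A", 2235.0), Point("PT-B", 2240.0), Point("PT-C", 2500.0),
          Point("PT-D", 0.0, Status.OFF_SCAN)]

if __name__ == "__main__":
    print(validate_analog(SAMPLE, deviation_limit=50.0))
    print([p.tag for p in SAMPLE if p.status & Status.BAD])
```

With two usable channels that disagree, this sketch rejects neither, since there are no remaining signals to measure a spread against.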


Presence of invalid data is defined to the operator in a consistent fashion throughout the system. All dynamic representations of process inputs and calculated values (i.e. bar charts, numerical values, graphic symbols, etc) are automatically displayed in a unique color based on the status bits discussed above. Additionally, numeric values have a unique 2 character code appended based on these status bits. For example, a "BAD" input would be represented numerically as a magenta value with the characters "BO" appended while a bar chart representing a "BAD" input would be a magenta bar. Other typical status indications are magenta with "OS" appended for off scan inputs and green with no appended characters for valid normal values.

The color and appended character associations with the various status bits have been implemented as recommended by VEPCO's human factors consultant.

9.0 SUMMARY

In response to NRC requirements, VEPCO has identified six critical safety functions upon which the SPDS at the North Anna and Surry stations was built. A minimum and sufficient parameter set was selected to characterize these safety functions. The methodology required to process these parameters so as to determine the statuses of the safety functions was established.

The adequacy of the North Anna and Surry parameter set has been largely confirmed by comparison to the parameter set required to support the ERGSTs. This takes full advantage of the exhaustive, methodical approach followed by the Westinghouse Owner's Group in identifying the critical safety functions, choosing the most concise parameter set for each of the safety functions, and establishing the processing methodology (logic tree construction, parameter decision values, and function restoration hierarchy).

After considering additional requirements for monitoring radioactivity releases which are not part of the ERGSTs and non-tripped plant modes, VEPCO elected to configure its SPDS as a set of displays independent of the ERGSTs thus providing information for complete safety status assessment independent of plant status.

While the SPDS parameters provide for a system that fully satisfies the NRC requirements, the integration of the SPDS with the ERF computer system and data base at North Anna and Surry greatly enhances the usefulness of the SPDS. Alarm conditions monitored on the SPDS can be investigated by operations and technical staff using the same monitors and man-machine interfaces. This permits a rapid interrogation, location, and timely diagnosis of abnormal plant operation.

VEPCO has carefully selected SPDS parameters to continuously monitor safety status of the North Anna and Surry plants. These parameters are sufficient to assess the plant safety status for a wide range of events, which include symptoms of severe accidents.

REFERENCES
1. Letter, W. L. Stewart to H. R. Denton, Surry and North Anna SPDS SAR, dated February 1, 1984.
2. Letter, W. L. Stewart to H. R. Denton, Surry and North Anna SPDS SAR, dated November 5, 1984.
3. NUREG 0737, Supplement 1, "Requirements for Emergency Response Capability", December 1982.
4. NUREG-0696, "Functional Criteria for Emergency Response Facilities", February 1981.

5. NUREG-0814, "Methodology for Evaluation of Emergency Response Facilities", August 1981.

6. NUREG-0835, "Human Factors Acceptance Criteria for SPDS", October 1981.

7. Westinghouse Owner's Group Emergency Response Guidelines, Training Package, Three Volumes, September 1981.
8. Westinghouse Owner's Group Emergency Response Guidelines, High-Pressure Version, Rev. 1, September, 1983.
9. Letter, S. A. Varga to W. L. Stewart, Surry and North Anna SPDS SAR, dated August 30, 1984.