ML20035B613

Rev 1 to Human Factors Evaluation & Allocation of Sys 80+ Functions

Site: 05200002
Issue date: 03/15/1993
From: ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY, ASEA BROWN BOVERI, INC.)
Shared Package: ML20035B612
References: NPX80-IC-RR790, NPX80-IC-RR790-02-R1, NPX80-IC-RR790-2-R1, NUDOCS 9304020224

HUMAN FACTORS EVALUATION AND ALLOCATION OF SYSTEM 80+ FUNCTIONS

NPX80-IC-RR790-02 Revision 01
March 15, 1993

ABB COMBUSTION ENGINEERING, INC.
Nuclear Power
Windsor, Connecticut 06095-0500

9304020224 930326 PDR ADOCK 05200002 A PDR

TABLE OF CONTENTS

ABBREVIATIONS
DEFINITIONS
1.0 INTRODUCTION ........................................ 1
2.0 REQUIREMENTS ........................................ 3
3.0 APPROACH ............................................ 11
4.0 EVALUATION .......................................... 14
5.0 RESULTS ............................................. 60
6.0 CONCLUSIONS ......................................... 61
7.0 REFERENCES .......................................... 62
APPENDIX A - FITTS LIST
APPENDIX B - FUNCTION ALLOCATION CRITERIA

NPX80-IC-RR790-02 Revision 01 ii of vi

ABBREVIATIONS

ABB-CE  Asea Brown Boveri - Combustion Engineering
AC      Alternating Current
AFW     Auxiliary Feedwater
Alt     Alternate
ANS     American Nuclear Society
ANSI    American National Standards Institute
APS     Auxiliary Protection System
ATWS    Anticipated Transient Without Scram
Auto    Automatic
AVS     Annulus Ventilation System
CEA     Control Element Assembly
CFR     Code of Federal Regulations
CIAS    Containment Isolation Actuation Signal
Cntl    Control
Comp    Complementary
CSAS    Containment Spray Actuation Signal
Ctmt    Containment
CVCS    Charging and Volume Control System
DBE     Design Basis Events
DC      Direct Current
DG      Diesel Generator
DVI     Direct Vessel Injection
EFAS    Emergency Feedwater Actuation Signal
EFW     Emergency Feedwater
EFWST   Emergency Feedwater Storage Tank
GDC     General Design Criterion
LOOP    Loss Of Offsite Power
IEEE    Institute of Electrical and Electronics Engineers
Init    Initiate, Initiation
MSIS    Main Steam Isolation Signal
NRC     Nuclear Regulatory Commission
Par     Parallel
PORV    Power Operated Relief Valve
PPS     Plant Protection System
PWR     Pressurized Water Reactor
PZR     Pressurizer
RCGV    Reactor Coolant Gas Vent
RCGVS   Reactor Coolant Gas Vent System
RCS     Reactor Coolant System
RD      Rapid Depressurization
RDS     Rapid Depressurization System
RG      Regulatory Guide
RPS     Reactor Protection System
Rx      Reactor
SCS     Shutdown Cooling System
SDS     Safety Depressurization System
SG      Steam Generator
SGTR    Steam Generator Tube Rupture
SI      Safety Injection
SIS     Safety Injection System
SIAS    Safety Injection Actuation Signal
SIT     Safety Injection Tank
SPS     Supplementary Protection Signal
S/U     Start Up
Xfmr    Transformer

DEFINITIONS

Allocation of Function - The decision to use manual or automatic control in the design of a particular system operating feature. This is described as falling into one of five categories of configuration: 1) Fully manual, 2) Fully automatic, 3) Complementary, 4) Alternate, or 5) Parallel (see Section x).

Automatic - A type of control in which the main switching and/or regulating features are governed by machine devices, without need for human supervision or intervention.

Critical Safety Functions - The safety functions for the System 80+ design and its predecessors.

Critical Operator Actions - Human operator tasks identified by the PRA to contribute significantly to overall risk in the System 80+ design.

Design Basis Events - Events evaluated by CESSAR-DC Chapter 15 safety analyses (Reference 4).

Manual - A type of control in which the main switching and/or regulating features are governed by human operator(s).

Mixed Allocation - A combination of automatic and manual control used in one of several configurations (i.e., Complementary, Alternate, or Parallel; see Section 4.4).

Non-safety System - A system not relied on to remain functional during design basis events.

Operating Bypass - Inhibition of the capability for a protective action that could otherwise occur in response to plant conditions.

Protective Action - The generation of signal(s) by the process monitoring and equipment command features to initiate reactor trip and/or engineered safety feature operation (i.e., protective systems).

Protective System - A system relied on (i.e., credited in CESSAR-DC Chapter 15 analyses) to mitigate DBEs by performing the specified safety function.

Safety Functions - Physical processes, conditions, or actions relied on to maintain the plant within acceptable design basis limits, i.e., to prevent core melt and to ensure radiation releases do not exceed the limits of 10 CFR 100.

Segment - In Appendix B, a segment is any unit of functional decomposition (function, subfunction, task, etc.) proposed for allocation. This generic term is used to avoid invoking preconceptions about system hardware that might be implied for some readers by more frequently used systems terminology.

Success Path - A set of physical process commodities and equipment that, if available, are sufficient to perform a particular safety function in the design.

Unanticipated Systems Interaction - The undesired propagation of results to one system (subsystem, division, train, component, structure, segment, etc.) due to a single credible failure within another system, by means of inconspicuous interdependencies between the systems (per NUREG-1229, Reference 5).

1.0 INTRODUCTION

1.1 Background

The identification of system functional requirements, and the subsequent allocation of the functions to man and machine, are part of a generic, top-down approach to systems design (References 1 and 2). The general concern, from a human factors standpoint, is that the task demands on human operators consistently remain within the effective limits of their abilities. One specific goal is to avoid excessive (or insufficient) levels of workload. A second, related goal is that the supervisory activity normally required of operators ensures their awareness of process status, and their readiness to perform safety-related functions. Concerns that automated systems can give rise to problems in these areas have led to an increasing emphasis on the allocation of functions in design.

Of course, these are not the only concerns in allocation. Of greatest importance in nuclear power plant design is the maintenance of plant safety. To this end, a variety of specific requirements on the allocation of certain safety-related functions exist that must be met by the design (e.g., Reference 3). The operator's present role in existing plants has evolved within these constraints.

As an evolutionary Pressurized Water Reactor (PWR) design, System 80+ has been developed in light of the success and experience accrued from prior generations of similar Combustion Engineering plants (see Reference 4, Table 1.3-1). In particular, the ABB-CE Critical Functions (i.e., safety functions) have proved themselves to be a sufficient and effective framework for emergency operations and maintaining plant safety.

1.2 Purpose

The purpose of the present report is to explain how System 80+ conforms to the existing Critical Functions framework to meet the applicable requirements and intentions of industry guidance for plant safety and emergency operations. The report identifies:

1) requirements and guidelines applicable to the issues of functional analysis and allocation;
2) the ABB-CE plant operators' role as it has evolved and culminated in System 80+, with an emphasis on safety functions; and
3) how System 80+ meets the safety-related requirements.

This report responds to the requirements of the ABB-CE Human Factors Program Plan (Reference 6, Section A-2.3). In addition, it addresses Elements 3 and 4 of Appendix E of Reference 2, per the agreements of Reference 7. The commitments of Reference 7 included the submission of the present report, an "explanation-of-functions" paper grounded in System 80+ Critical Safety Functions that describes:

1) the baseline system;
2) its functional objectives, requirements and allocations to human and machine elements;
3) changes to these requirements effected by the new system;
4) auditable bases for the allocations;
5) analyses of particular allocation problems in predecessor plants; and
6) activities confirming that personnel can properly perform tasks allocated to them.

The present report addresses each of these areas. Further details may be obtained from References 4 and 8, and future evaluation activities; see Section 3.4.

1.3 Scope

The scope of the present report is on the Safety Functions and Success Paths required to accommodate design basis events. The Safety Functions and their Success Paths are the means by which the System 80+ design safely accommodates all anticipated operating occurrences during normal, abnormal, and emergency conditions. Events beyond design basis, such as severe accidents or unanticipated systems interactions (Reference 5), are not addressed by this evaluation.

In addition, passive or inherent functions are generally outside the realm of the allocation concept. However, where these are credited for achieving Safety Functions, they have been treated as automatic functions in the evaluation.

2.0 REQUIREMENTS

A variety of federal regulations, industry standards, and regulatory guidelines apply to the issues of PWR plant functional design and the allocation of functions to human and/or machine control. Both general and specific items are found. Relevant portions are reviewed here to identify specific requirements governing allocation. The resulting criteria are specified under Section 3.3 of the Approach, for application in the subsequent Evaluation.

Please note that references within a document description refer to the numbering scheme used in that document; references to other documents will identify the document specifically; references to the present report, where used, will parenthetically indicate to "see" the indicated Section. Material is not presented word for word or in its entirety from the original sources; it has been paraphrased for brevity and clarity. While it is felt that the original authors' intentions have been retained, readers with specific concerns should consult the original sources.

2.1 10 CFR 50 - Code of Federal Regulations: Nuclear Regulatory Commission (Reference 3)

Part 50, "Domestic licensing of production and utilization facilities," provides several specific allocation requirements.

2.1.1 General Design Criteria (10 CFR 50, Appendix A)

Automatic initiation of protective systems including reactivity control systems and associated systems and components important to safety; GDC 20.

2.1.2 Additional TMI-related requirements (10 CFR 50.34(f))

a) Automatic indication of the Bypassed and Inoperable Status of Safety Systems; 50.34(f)(2)(v).
b) Automatic and manual initiation of auxiliary (and/or emergency) feedwater systems; 50.34(f)(2)(xii) and 50.62(c).
c) Automatic actuation of containment isolation systems, including all non-essential systems, on high containment pressure; 50.34(f)(2)(xiv).
d) No automatic reopening of automatically closed containment isolation valves on reset of automatic containment isolation signals; 50.34(f)(2)(xiv)(C).
e) Automatic isolation of containment system paths to environs on high radiation; 50.34(f)(2)(xiv)(E).

2.1.3 Requirements for reduction of risk from ATWS events for light-water-cooled nuclear power plants (10 CFR 50.62)

Automatic initiation of turbine trip; 50.62(c).

2.2 ANSI/ANS 58.8-1984 - Time Response Design Criteria for Nuclear Safety-related Operator Actions (Reference 11)

These criteria specify time test requirements to be met by design and nuclear-safety analyses, for credit to be taken for manual operator actions that initiate and/or control nuclear-safety system actions. If the manual time test requirements cannot be met, then additional control automation (or other mitigating steps) is necessary for resolution. The response time criteria of the Standard are based on simulator data; 95% confidence levels are established for the sufficiency of the defined intervals to permit operator action (these have since been validated as conservative with further testing for an upcoming revision of the Standard).

The criteria of ANSI/ANS 58.8 are applied as part of the safety analyses during design, and the final results are provided in Chapter 15 of CESSAR-DC. Any issues identified in Chapter 15 are addressed as part of the safety analysis and Standard Review, and the results incorporated in the System 80+ design and design basis documentation. The ANSI/ANS 58.8 criteria will thus not be utilized further in the present report.

2.3 IEEE 279-1971 - IEEE Standard Criteria for Protection Systems for Nuclear Power Generating Stations (Reference 12)

Section 4.17, "Manual Initiation" (to which RG 1.62 replied; see Section 2.9) presented specific requirements relating to allocations. However, for the purposes of function allocation, this document has been incorporated in and superseded by the current version of IEEE 603.

2.4 IEEE 603-1991 - IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (Reference 13)

This Standard is an update of IEEE 603-1980, primarily in response to the comments of RG 1.153 (whose technical input was, essentially, incorporated by the revision). The following requirements from IEEE 603-1991 are relevant to functional analysis and allocation:

2.4.1 Safety System Design Basis (Section 4)

The following are part of the design basis documentation requirements for protective actions corresponding to safety functions in each design basis event:

Solely Manual Initiation (4.5.2) - The justification must be documented for permitting initiation, or control subsequent to initiation, solely by manual means.

Range of Environmental Conditions (4.5.3) - The range of environmental conditions imposed on the operator in which the manual operations must be performed shall be documented.

2.4.2 Safety System Criteria (Section 5)

The following are system functional and design requirements to ensure that plant parameters are maintained within acceptable limits for each design basis event:

Completion of Protective Action (5.2) - Safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion. Deliberate operator action shall be required to return the safety systems to normal. This requirement shall not preclude the use of equipment protective devices identified in 4.11 of the design basis [i.e., that can prevent a system from accomplishing its function] or the provision for deliberate operator interventions.

Human Factors (5.14) - Human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operator(s) and maintainer(s) can be successfully accomplished to meet the safety system design goals.

2.4.3 Sense and Command Features - Functional and Design Requirements (Section 6)

In addition to the functional and design requirements of Section 5, these requirements apply to sense and command features:

Automatic Control (6.1) - Means shall be provided to automatically initiate and control all protective actions except as justified in 4.5. The safety system design shall be such that the operator is not required to take any action prior to the time and plant conditions specified in 4.5 following the onset of each design basis event. At the option of the safety system designer, means may be provided to automatically initiate and control those protective actions of 4.5.

Manual Control (6.2) - Means shall be provided in the control room to manually initiate all automatically initiated protective actions at the division level, and to manually initiate and control protective actions identified in 4.5 that have not been selected for automatic control under 6.1.

Operating Bypasses (6.6) - Whenever applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass, or initiate the appropriate safety function. If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall automatically do one of the following (6.6):

1) Remove the appropriate active operating bypass(es).
2) Restore plant conditions so that permissive conditions once again exist.
3) Initiate the appropriate safety function.

2.4.4 Execute Features - Functional and Design Requirements (Section 7)

In addition to the functional and design requirements of Section 5, these requirements apply to execute features:

Automatic Control (7.1) - Capability shall be incorporated in the execute features to receive and act upon automatic control signals from the sense and command features consistent with 4.4 of the design basis (i.e., the variables monitored as the basis for control).

Manual Control (7.2) - If manual control of any actuated component in the execute features is provided, the additional design features in the execute features necessary to accomplish such manual control shall not defeat the requirements of 5.1 [i.e., single failure criteria] and 6.2. Capability shall be provided in the execute features to receive and act upon manual control signals from the sense and command features consistent with the design basis.

Completion of Protective Action (7.3) - The design of the execute features shall be such that, once initiated, the protective actions of the execute features shall go to completion. This requirement shall not preclude the use of equipment protective devices identified in 4.11, or the provision for deliberate operator interventions. When the sense and command features reset, the execute features shall not automatically return to normal; they shall require separate, deliberate operator action to be returned to normal.

Operating Bypasses (7.4) - [As for 6.6.]
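The interlock rules summarized in 2.4.2 through 2.4.4 (automatic initiation under 6.1, manual initiation under 6.2, the operating bypass permissive under 6.6/7.4, and seal-in with deliberate operator reset under 5.2/7.3) can be modeled as a small state machine. The following Python model is an added illustration, not part of this report and not ABB-CE or IEEE design code; the channel name, setpoint, permissive limit and scanned values are constructed. Where 6.6 permits either preventing the bypass or initiating the safety function when the permissive is not met, the model prevents the bypass, and where the permissive is later lost it takes option 1) and removes the bypass.

```python
from dataclasses import dataclass, field

# Constructed model of the IEEE 603-1991 rules summarized in 2.4.2 to 2.4.4:
# 6.1 automatic initiation, 6.2 manual initiation, 6.6/7.4 operating bypass,
# 5.2/7.3 completion of protective action with deliberate operator reset.
# This is an added illustration, not ABB-CE or IEEE code; the channel name,
# setpoint, permissive limit and scanned values are invented.


@dataclass
class ProtectiveChannel:
    name: str
    setpoint: float          # protective action initiates when variable > setpoint
    permissive_limit: float  # an operating bypass is permitted only while variable <= limit
    initiated: bool = False
    bypass_active: bool = False
    log: list = field(default_factory=list)

    def request_bypass(self, variable: float) -> bool:
        """6.6: while the permissive condition is not met, activation of the
        operating bypass is prevented (the model's chosen alternative to
        initiating the safety function instead)."""
        if variable > self.permissive_limit:
            self.log.append(f"{self.name}: bypass request rejected, permissive not met")
            return False
        self.bypass_active = True
        self.log.append(f"{self.name}: operating bypass activated")
        return True

    def scan(self, variable: float) -> bool:
        """One evaluation of the monitored variable; returns the initiated state."""
        # 6.6 option 1): the bypass is no longer permissible, so it is removed
        if self.bypass_active and variable > self.permissive_limit:
            self.bypass_active = False
            self.log.append(f"{self.name}: operating bypass removed automatically")
        # 6.1: automatic initiation when not bypassed and the setpoint is exceeded
        if not self.bypass_active and variable > self.setpoint:
            self._initiate("automatic")
        # 5.2/7.3: nothing here clears the action when the variable recovers
        return self.initiated

    def manual_initiate(self) -> bool:
        """6.2: control-room manual initiation of the same protective action."""
        self._initiate("manual")
        return self.initiated

    def _initiate(self, source: str) -> None:
        if not self.initiated:
            self.initiated = True
            self.log.append(f"{self.name}: protective action initiated ({source})")

    def reset(self, deliberate_operator_action: bool) -> bool:
        """7.3: a reset of the sense and command features alone does not return
        the execute features to normal; a separate, deliberate operator action does."""
        if not deliberate_operator_action or not self.initiated:
            return False
        self.initiated = False
        self.log.append(f"{self.name}: returned to normal by deliberate operator action")
        return True


def run_scenario():
    """Constructed sequence exercising each rule; returns (observed states, log)."""
    ch = ProtectiveChannel("constructed channel", setpoint=100.0, permissive_limit=50.0)
    observed = [
        ch.request_bypass(80.0),   # permissive not met: rejected -> False
        ch.request_bypass(40.0),   # permissive met: bypass active -> True
        ch.scan(60.0),             # permissive lost: bypass removed; below setpoint -> False
        ch.bypass_active,          # -> False
        ch.scan(120.0),            # setpoint exceeded: automatic initiation -> True
        ch.scan(20.0),             # variable recovered but action seals in -> True
        ch.reset(deliberate_operator_action=False),  # sense/command reset only -> False
        ch.reset(deliberate_operator_action=True),   # deliberate operator reset -> True
        ch.initiated,              # -> False
        ch.manual_initiate(),      # manual initiation path -> True
    ]
    return observed, ch.log


if __name__ == "__main__":
    states, events = run_scenario()
    print(states)
    for line in events:
        print(line)
```

The point of the scan at 20.0 is the seal-in: the monitored variable has recovered, yet the action stays initiated until the operator resets it deliberately, which is exactly the behaviour 5.2 and 7.3 require and the behaviour that a design review of a protective channel should look for.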

2.5 IEEE 1023-1988 - IEEE Guide for the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations (Reference 14)

Section 6, "Implementation in the Design, Operations, Testing, and Maintenance Process," includes guidance for planning, documentation, and review of experience. It proposes a typical program plan (see Figure 1) that includes analysis and allocation of functions for new designs, but not for modifications to existing ones (any evolutionary design is some balance of the two). The specific guidance provided is as follows:

a) Functional Analysis - Functions required to meet the system design objectives should be determined (6.1.1.3).
b) Function Allocation - Functions should be allocated to the human operator(s) and maintainer(s), to machines, or to a combination of humans and machines (6.1.1.4).

[Figure 1 - Typical human factors program plan per IEEE 1023-1988, Section 6; figure not reproduced in this text.]

2.6 NUREG-0700 - Guidelines for Control Room Design Reviews (Reference 1)

Appendix B, "Systems/Operations Design Analysis Techniques," provides high-level guidance on the overall systems design process, including function analysis and allocation. It is based on Reference 9, and is generally consistent with the approach of NUREG/CR-3331. It includes human performance-related allocation criteria in the form of a Fitts list, which has been included in the present report as an aid to designers and evaluators (see Appendix A).

2.7 NUREG/CR-3331 - A Methodology for Allocating Nuclear Power Plant Control Functions to Human or Automatic Control (Reference 15)

This document describes a method by which formal allocation can be included in the systems design process. Based on this document, evaluative criteria in the form of a decision algorithm have been provided as an aid to designers and evaluators in this report (see Appendix B).

2.8 Regulatory Guide 1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems (Reference 16)

This document expanded upon Section 4.13 of IEEE 279-1971, which has been superseded by IEEE 603 (see Section 2.4), as well as on 10 CFR 50.34(f)(2)(v) (see Section 2.1.2.a). In general, the concern was that administrative procedures alone were insufficient to ensure operator cognizance of safety system operability; the Regulatory Position recommended automatic (supplemented by manual) bypassed and inoperable status indication for protection systems. IEEE 603-1991 incorporates similar standards in Section 5.8.3. System 80+ conformance to RG 1.47 is addressed in Chapter 7, Section 7.1.2.21 of CESSAR-DC, and is not further treated as an allocation issue in the present report.

2.9 Regulatory Guide 1.62 - Manual Initiation of Protective Actions (Reference 17)

This document expanded upon IEEE 279-1971, which has been superseded by IEEE 603 (see Section 2.4). In general, there was a concern for an excessive number of component actions required in the manual initiation of safety functions. While the concerns of RG 1.62 have been accommodated by subsequent versions of IEEE 603 (see Section 2.11), the allocation-related concerns presented in the Regulatory Position section of RG 1.62 are summarized here for the sake of completeness.

1) Means should be provided for the manual initiation of each protective action (e.g., reactor trip, containment isolation) at the system level, regardless of whether means are also provided to initiate the protective action at the component or channel level (e.g., individual control rod, individual isolation valve) (C.1).
2) Manual initiation of a protective action at the system level should perform all actions performed by automatic initiation such as starting auxiliary or supporting systems, sending signals to appropriate valve-actuating mechanisms to assure correct valve position, and providing the required action-sequencing functions and interlocks (C.2).
3) The switches for manual initiation of protective actions at the system level should be located in the control room and be easily accessible (C.3); manual initiation should depend on the operation of a minimum of equipment (C.5).

System 80+ conformance to RG 1.62 is addressed in Chapter 7, Section 7.1.2.22 of CESSAR-DC, and is not further treated as an allocation issue in the present report.

2.10 Regulatory Guide 1.97 - Instrumentation for Light-water-cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident (Reference 18)

Regulatory Guide 1.97 has no allocation requirements, per se, but specifies information requirements including Type A variables (supporting fully manual safety actions) similar to 5.8.1 of IEEE 603-1991. The criteria of RG 1.97 have been met by preceding generations of ABB-CE plants, and have been applied to the System 80+ design. Conformance to RG 1.97 is addressed in Chapter 7, Section 7.1.2.26 of CESSAR-DC, and is not further treated as an allocation issue in the present report.

2.11 Regulatory Guide 1.153 - Criteria for Power, Instrumentation, and Control Portions of Safety Systems (Reference 19)

This document largely endorsed IEEE 603-1980, with a small number of modest caveats. These remaining issues, in that they related to allocation, have been incorporated in IEEE 603-1991 (see Section 2.4).

3.0 APPROACH

System 80+ is an evolutionary design. It incorporates improvements that reflect experience gained from the design and operation of prior generation(s) of ABB-CE plants. However, the major characteristics of the System 80+ physical plant remain similar to and consistent with those of its forebears (see Table 1.3-1 of Reference 4 for an overview). Such incremental improvement to a successful design reflects a safe and conservative approach to engineering.

Like the physical plant systems, the plant critical functions, and the operator's role in maintaining them, have been modified and improved in light of experience and technological progress. However, given the safe operating history of ABB-CE designs, and the successful operation of licensed System 80 plants, there have been no fundamental changes in these areas. Again, this reflects a conservative engineering approach.

Section 3 states the goals and specifies the criteria that will be applied to evaluate the past and present acceptability of the allocation of functions in these areas of the ABB-CE designs. In addition, Section 3 states the framework for the evaluation, and identifies the relationship of subsequent design process activities to those of allocation.

3.1 Allocation Goals

The following goals direct the efforts of this portion of the design process, and should be met by any final allocation of nuclear power plant safety functions:

a) Maintain Critical Safety Functions - The ensemble of facility systems must maintain the provision of certain operating functions (i.e., Critical Safety Functions) to ensure successful performance, particularly in the area of the health and safety of the public.
b) Complementary Human and Machine Roles - As part of a defense-in-depth philosophy, the human and machine elements within the system ensemble should play complementary roles that make the successful accomplishment of these functions highly likely.
c) Ensure Suitable Allocation - The allocation of functions to the human and machine elements (particularly automated information processing and control) should consider how the facility is to be operated, how plant safety functions are accomplished, and the needs, capabilities, and limitations of the human operator (and the proposed machines).

3.2 Framework

The critical functions and their success paths, and the operator's role in implementing them, for System 80 and System 80+ shall be compared to verify their similarity and consistency. The System 80+ success paths shall then be evaluated against the identified allocation criteria to verify the acceptability of the allocation of control of safety functions in the System 80+ design.

3.3 Criteria

The following criteria shall be applied to evaluate the acceptability of the allocation of control of safety functions in the System 80+ design.

10 CFR 50

Critical Functions shall be consistent with the federally mandated allocations identified in Section 2.1 from 10 CFR 50.

IEEE 603-1991

Not superseding the criteria of 10 CFR 50, the following additional allocation criteria result from the requirements identified in Section 2.4:

a) Justification for requiring initiation or control of any protective actions solely by manual means, including assurance of necessary habitability, shall be documented.
b) In all other cases, means shall be provided to:
   1) automatically initiate and control protective actions, AND
   2) manually initiate all automatic protective actions (at the division level from the control room).

NUREG/CR-3331

Not superseding the criteria of 10 CFR 50 and those resulting from IEEE 603-1991, the additional allocation criteria resulting from NUREG/CR-3331 (see Appendix B) shall be applied to verify compatibility of the allocated functions with human factors guidelines.
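The IEEE 603-1991 criteria a) and b) in Section 3.3 form a decision rule that can be applied mechanically to a table of protective actions and their allocations. The following Python check is an added illustration and is not part of this report or of the ABB-CE evaluation; the actions in the sample table and all of their attribute values are constructed, and the attribute names are the example's own. It only covers the IEEE 603-1991 criteria, not the 10 CFR 50 allocations or the NUREG/CR-3331 criteria of Appendix B.

```python
from dataclasses import dataclass

# Constructed check of the IEEE 603-1991 allocation criteria a) and b) stated
# in Section 3.3, run over a table of protective actions. Added illustration,
# not ABB-CE code; every action and attribute value below is invented.


@dataclass(frozen=True)
class AllocationRecord:
    action: str
    solely_manual: bool                     # initiation/control allocated to operators only
    justification_documented: bool = False  # criterion a)
    habitability_assured: bool = False      # criterion a)
    auto_initiate: bool = False             # criterion b) 1)
    auto_control: bool = False              # criterion b) 1)
    manual_division_level: bool = False     # criterion b) 2)
    manual_in_control_room: bool = False    # criterion b) 2)


def check_allocation(rec: AllocationRecord) -> list:
    """Return the unmet criteria for one protective action; an empty list is acceptable."""
    findings = []
    if rec.solely_manual:
        # a) solely manual allocations need documented justification and habitability
        if not rec.justification_documented:
            findings.append("a) solely manual allocation lacks documented justification")
        if not rec.habitability_assured:
            findings.append("a) habitability for the manual action is not assured")
    else:
        # b) every other allocation needs both automatic and manual means
        if not (rec.auto_initiate and rec.auto_control):
            findings.append("b.1) automatic initiation and control not provided")
        if not (rec.manual_division_level and rec.manual_in_control_room):
            findings.append("b.2) division-level manual initiation from the control room not provided")
    return findings


def evaluate(records) -> dict:
    """Map each action to its list of findings."""
    return {rec.action: check_allocation(rec) for rec in records}


def acceptable(records) -> list:
    """Actions with no findings against the IEEE 603-1991 criteria."""
    return [rec.action for rec in records if not check_allocation(rec)]


# Constructed sample table (values invented for the illustration)
SAMPLE = [
    AllocationRecord("reactor trip (constructed)", solely_manual=False,
                     auto_initiate=True, auto_control=True,
                     manual_division_level=True, manual_in_control_room=True),
    AllocationRecord("containment spray (constructed)", solely_manual=False,
                     auto_initiate=True, auto_control=True,
                     manual_division_level=True, manual_in_control_room=False),
    AllocationRecord("emergency feedwater (constructed)", solely_manual=False,
                     auto_initiate=True, auto_control=False,
                     manual_division_level=True, manual_in_control_room=True),
    AllocationRecord("local valve realignment (constructed)", solely_manual=True,
                     justification_documented=True, habitability_assured=False),
]


if __name__ == "__main__":
    for action, findings in evaluate(SAMPLE).items():
        print(action, "->", findings or "acceptable")
```

Each record carries only the facts the two criteria ask about, so a finding names the criterion it violates and nothing else; a real evaluation table would additionally cite the CESSAR-DC section documenting each justification.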

3.4 Subsequent Evaluations and Allocation Issues

Throughout the life of the design, feedback on design decisions is generated. In particular, during the design process, various analysis and development efforts (not limited to human factors) may produce results that have allocation implications. Task Analysis, Availability Verification, Suitability Verification, Control Room Validation, PRA, and procedure guideline development may be a source of further issues. However, findings thus identified, including allocation issues (if any), shall be resolved using general program mechanisms as specified in the Human Factors Program Plan (Reference 6). Emergent feedback is not a unique problem in the allocation area, and no unique process is necessarily indicated for the resolution of subsequent allocation issues. This approach satisfies the intent of Section 5.14 of IEEE 603-1991, Appendix B of NUREG-0700, and Elements 3 and 4 of the NRC HFE Program Review Model.

.e-System 80+ Functions 4.0 EVALUATION This section provides a top-down descriptive evaluation of-the allocation of plant safety functions.

This description will be sufficient to permit understanding of the operator's safety-related role in the overall system design, and in design basis Critical Safety Functions.ptablish the adequacy of the System 80+

evaluations performed to e The description-will take the form of "a discussion, with FDGeific references, of similarities to and differences from, tacilities of-similar design for which applications have been previously filed with the Commission"2,

This is provided as an alternative to a formal systems analysis, which would be more appropriate if System 80+ had no direct predecessor system.

4.1 Critical Safety Functions

Safety functions are physical processes, conditions, or actions relied on to maintain the plant within acceptable design basis limits, i.e., to prevent core melt and to ensure radiation releases do not exceed the limits of 10 CFR 100. These functions may be performed by automatic or manual actuation and/or regulation, from passive system performance, or from natural feedback in the plant design. The composition of the safety functions is relatively unchanging for a given type of plant design. Table 1 compares a list of CE plant safety functions (i.e., the Critical Safety Functions, or CSFs) as described in 1980 (Reference 10; note that this substantially predates System 80), with those for the System 80 and System 80+ designs.

Three changes should be noted in the table. One change is to the relative priority of the functions: "Vital Auxiliaries" moved to a higher priority in the Emergency Procedure Guidelines in response to operational considerations (Reference 20). Specifically, the provision of vital power is a prerequisite for actively managing most other CSFs; thus, verification of vital power precedes other CSF verifications for efficiency ("Reactivity Control" is the exception to this rule for its primary safety significance, its passive safety functionality, and for the importance of prompt response).

(1) This requirement is consistent with the general regulations of 10 CFR 50.34(b)(2) for "A description... of the facility... sufficient to permit understanding of the system designs and their relationship to safety evaluations."

(2) Per 10 CFR 50.34(a), footnote 5.

A second change is that "Indirect Radioactivity Release Control" has evolved to "Radiation Emission." This acknowledges that releases from plant systems may require management to minimize overall safety consequences. The third change is that "Containment Temperature and Pressure" and "Combustible Gas Control" have been combined under the heading "Containment Environment." This reflects not so much a change in the required actions or the overall function, but that their aggregation under a single concept remains coherent and is more procedurally efficient.

The aforementioned modifications reflect changes in operation, rather than design, and have been validated to be effective in actual use on System 80 and other ABB-CE plants. No additional changes in the CSF framework are planned for System 80+. Thus, CSFs have received only small evolutionary refinements, rather than any major changes, over the generations of Combustion Engineering plant design.


Table 1 - SAFETY FUNCTIONS

ORIGINAL LIST (1980) - Function: Purpose

  Reactivity Control: Shut reactor down to reduce heat production
  RCS Inventory Control: Maintain a coolant medium around core
  RCS Pressure Control: Maintain coolant medium in proper state
  Core Heat Removal: Transfer heat out of core into coolant system medium
  RCS Heat Removal: Transfer heat out of coolant system medium
  Containment Isolation: Close containment penetrations to prevent radiation release
  Containment Temperature & Pressure Control: Avoid equipment damage & maintain containment integrity
  Combustible Gas Control: Remove/redistribute H2 to prevent fire or explosion & maintain containment integrity
  Maintenance of Vital Auxiliaries: Maintain operability of systems needed to support safety systems
  Indirect Radioactivity Release Control: Contain misc. stored radioactivity to protect public and avoid distracting operators from protection of larger sources

SYSTEM 80 & SYSTEM 80+ - Function: Purpose

  Reactivity Control: Shut reactor down to reduce heat production
  Maintenance of Vital Auxiliaries: Maintain operability of systems needed to support safety systems
  RCS Inventory Control: Maintain a coolant medium around core
  RCS Pressure Control: Maintain coolant medium in proper state
  Core Heat Removal: Transfer heat out of core into coolant system medium
  RCS Heat Removal: Transfer heat out of coolant system medium
  Containment Isolation: Close containment penetrations to prevent radiation release
  Containment Environment: Control containment temperature, pressure, hydrogen concentration, and radiation levels; maintain containment integrity and minimize potential release
  Radiation Emission: Control radiation release

4.2 Success Paths

For each safety function there are multiple, diverse success paths. A success path is a set of components and resource commodities that is capable of satisfying a particular safety function. The purpose of diverse success paths is to provide multiple alternative means to accomplish a safety function goal (see Figure 2). Individual success paths may have further redundancy as well. This is part of the defense-in-depth philosophy. Although each safety function has one or more safety-grade success paths, additional success paths may be afforded by non-safety grade systems. Success paths join safety function to plant structure, providing a unitary framework to organize displayed information and integrate written procedures.

The System 80+ CSFs and their success paths are portrayed graphically in Figure 3. A high level "functional" comparison of the major success paths for the System 80 and System 80+ CSFs is provided in Table 2. Essentially, changes to the success paths have been few, and reflect evolutionary improvements to the ABB-CE design. These changes are summarized briefly here and in Table 3:

a) Safety Depressurization - The Safety Depressurization System consists of two major subsystems: 1) the Reactor Coolant Gas Vent System (RCGVS), and 2) the Rapid Depressurization System (RDS). The RCGVS was part of the System 80 design, although its success path function (depressurization to SCS entry conditions during natural circulation cooldown) was not credited in full for safety (System 80 also credited Aux Spray; see Non-safety CVCS, below). The RDS can be used to depressurize the plant while using SIS/DVI to inject water into the core. This accomplishes heat removal via feed-and-bleed (i.e., "once-through cooling"). RDS is an added success path for beyond-design basis and severe accident scenarios. While it provides increased redundancy and diversity of the RCS heat removal success paths, its operation does not require frequent, rapid, unique, or complex actions, and it is not the preferred means or a safety-credited system for this function. Once-through cooling was formerly available using PORVs manually on some earlier ABB-CE plants; the function was removed when PORVs were eliminated from the design (see D.6). Thus, though the RDS is itself new, its addition does not represent a significant change of the System 80+ operators' role or responsibilities from that of System 80.

b) Hydrogen Ignitors - H2 Ignitors were not part of the System 80 design, but have been proven in operation on other plants. They have been added to System 80+ for increased redundancy and diversity of the Hydrogen control success paths, and for severe accident management. They are not the initial means of Hydrogen control, their operation does not require frequent, rapid, unique, or complex actions, and they are not credited as a safety system. Thus, the incorporation of H2 Ignitors in the design does not represent a significant change of the System 80+ operators' role or responsibilities from that of System 80.

The following differences apparent in Table 2 are not operationally significant changes, from the CSF success path perspective, between the System 80 and System 80+:

a) Non-safety-grade CVCS - The System 80+ CVCS is no longer a safety-grade system. In System 80, portions of the CVCS system had to be safety grade because they were credited by safety analysis for achieving certain functions. In particular, CVCS was credited for borating at high pressure (reactivity control), and depressurizing from high pressure, via Aux Spray (RCS pressure control). In System 80+, however, these functions receive credit via the SIS pumps, and the Reactor Coolant Gas Vent System of SDS, respectively. Thus, CVCS is not required to be a safety-grade system; however, it remains available in System 80+ as a success path for these functions.

b) Safety-grade Offsite Power - There are differences between the System 80 and System 80+ electrical system configurations, including some changes in nomenclature. However, from the CSF success path perspective, the basic function of the Startup Transformers (System 80) and the Reserve Auxiliary Transformers (System 80+) is similar. Both provide alternate off-site grid sources (separate from the Unit Main Transformer), as well as automatic fast bus transfer from the Unit Main on loss of power.

c) Safety-grade Emergency Feedwater - The Emergency Feedwater System has not changed significantly from System 80 to System 80+. However, it has in the past been referred to as the Auxiliary Feedwater System at sites where Westinghouse plants already exist, for consistency.


Thus, the CSF Success Paths have changed little, consistent with the evolutionary nature of the plant. Additional details are provided in Section 4.3; in general, however, the detailed design of physical systems and their operation are beyond the scope of the present analysis.

[Figure 2 - Goal-Means Hierarchy: Goal (Maintain Fuel Integrity) > Functions (Control Core Temperature: Reactivity Control, Core Heat Removal) > Alternate Processes > Subfunctions (Inventory, Heat Sink, Flow, etc.; Forced / Natural)]

[Figure 3 - System 80+ CSFs and Success Paths (pages 1-3 of 3): Maintain Safety > Reactivity Control (Mechanical: Rx Trip, Rod Cntl; Chemical: CVCS, SIS); Core Cooling (Inventory: CVCS, SIS; Pressure: PZR, SIS, SDS, CVCS, Reliefs; Core HR: RCPs, Natural Circ, SIS (flow); RCS HR: SGs, SCS); Material Retention (Ctmt Iso: Iso, Cntl; Ctmt Envt: Ctmt Temp & Press Cntl (Ctmt Spray, Fan Coolers), H2 Cntl (Purge, Recombiners, Ignitors); Radiation Emission: Iso, Cntl); Vital Auxiliaries]

Table 2 - SUCCESS PATHS (Based on CEN-152 and CESSAR-DC)

Columns: Critical Function; Safety Grade (System 80 / System 80+); Non-Safety Grade (System 80 / System 80+)

Reactivity Control
  Safety grade      System 80:  Reactor trip; Safety injection; CVCS boration
                    System 80+: Reactor trip; Safety injection
  Non-safety grade  System 80:  Rod control
                    System 80+: Rod control; CVCS boration

Maintenance of Vital Auxiliaries
  Safety grade      System 80:  Emergency diesels; Startup xfmrs; Station batteries
                    System 80+: Emergency diesels; Reserve Aux xfmrs; Station batteries
  Non-safety grade  System 80:  Unit xfmr backfeed; Alternate generator; Station batteries
                    System 80+: Unit xfmr backfeed; Alternate generator; Station batteries

RCS Inventory Control
  Safety grade      System 80:  Safety injection
                    System 80+: Safety injection
  Non-safety grade  System 80:  CVCS charging & letdown
                    System 80+: CVCS charging & letdown

RCS Pressure Control
  Safety grade      System 80:  Safety injection; Rx coolant gas vent; CVCS aux spray; Primary reliefs; SG steaming
                    System 80+: Safety injection; Rx coolant gas vent; Primary reliefs; SG steaming
  Non-safety grade  System 80:  PZR heaters & sprays; CVCS charging & letdown
                    System 80+: PZR heaters & sprays; CVCS charging & letdown; CVCS aux spray

Core Heat Removal
  Safety grade      System 80:  Natural circulation; Safety injection
                    System 80+: Natural circulation; Safety injection
  Non-safety grade  System 80:  Forced circulation
                    System 80+: Forced circulation

RCS Heat Removal
  Safety grade      System 80:  Emergency (Aux) feed; Shutdown cooling
                    System 80+: Emergency feed; Rapid depressurization; Shutdown cooling
  Non-safety grade  System 80:  Main feed; Startup feed
                    System 80+: Main feed; Startup feed

Containment Isolation
  Safety grade      System 80:  Penetration flowpath isolation
                    System 80+: Penetration flowpath isolation
  Non-safety grade  System 80:  Penetration flowpath control
                    System 80+: Penetration flowpath control

Containment Environment
  Safety grade      System 80:  Containment spray; H2 recombiners
                    System 80+: Containment spray; H2 recombiners
  Non-safety grade  System 80:  Fan coolers; H2 purge
                    System 80+: Fan coolers; H2 purge; H2 igniters

Radiation Emission
  Safety grade      System 80:  Release path isolation
                    System 80+: Release path isolation
  Non-safety grade  System 80:  Release path monitoring & control
                    System 80+: Release path monitoring & control

Table 3 - CSF SUCCESS PATHS: FUNCTIONAL DESIGN STATUS

Status columns: UNCHANGED / MODIFIED / NEW / DELETED. An X marks a row's status entry where the column is not legible in the source; the three entries stated in the text of Section 4.2 are given by name.

CSF                       SUCCESS PATH                 STATUS
REACTIVITY CONTROL        Reactor Trip                 X
                          Safety Injection             X
                          Rod Control                  X
                          CVCS Boration                X
VITAL AUXILIARIES         Emergency Diesels            X
                          Reserve Aux Xfmrs            X
                          Station Batteries            X
                          Unit Xfmr Backfeed           X
                          Alternate Generator          Modified
RCS INVENTORY CONTROL     Safety Injection             X
                          CVCS Charging & Letdown      X
RCS PRESSURE CONTROL      Safety Injection             X
                          Reactor Coolant Gas Vent     X
                          Primary Reliefs              X
                          PZR Heaters & Sprays         X
                          CVCS Charging & Letdown      X
                          SG Steaming                  X
                          CVCS Aux Spray               X
CORE HEAT REMOVAL         Forced Circulation           X
                          Natural Circulation          X
                          Safety Injection             X
RCS HEAT REMOVAL          Main Feed                    X
                          Startup Feed                 X
                          Emergency Feed               X
                          Rapid Depressurization       New
                          Shutdown Cooling             X
CONTAINMENT ISOLATION     Penetration Path Iso         X
                          Penetration Path Cntl        X
CONTAINMENT ENVIRONMENT   Containment Spray            X
                          Fan Coolers                  X
                          H2 Purge                     X
                          H2 Recombiners               X
                          H2 Igniters                  New
RADIATION EMISSION        Release Path Isolation       X
                          Release Path Control         X

4.3 Operators' Role and Safety Functions

The operator, along with automated systems and inherent and passive plant features, is part of the defense-in-depth approach to assure that safety functions are maintained. Specifically, the operators' role in executing safety functions (Reference 10) can be summarized as follows:

1) monitor the plant to verify that the safety functions are accomplished;
2) actuate and control those systems that are not fully automated;
3) intervene where the automatically actuated systems are not operating as intended.

Item 2) above represents primary manual allocations (i.e., to human operators); Item 1) represents a supervisory role; Item 3) represents backup manual allocations (implying that the design provides automatic, passive or inherent system features as a first line of defense). Manual and automatic allocations in safety system operation are identified in the present Section of this report. Detailed specification of the operators' role in executing safety functions is provided by the actions and contingencies of the Emergency Procedure Guidelines.

After reviewing the requirements identified in Section 2.0, and the resulting criteria in Section 3.3, it is evident that the design process has sought to remove the need for the operator to respond with immediate control actions at the onset of events. This approach increases reliability of overall system protective actions by 1) reducing reliance on sustained human vigilance, and 2) reducing time stress on human performance, which induces errors. Further allocation decisions tend to be based on experience and precedent.


4.4 Allocation Data

To evaluate the acceptability of allocations to the operators' safety role, Table 4 provides a summary of the System 80+ safety function allocations in comparison to the Section 3.3 criteria. The data fields of Table 4 are defined as follows:

Critical Functions & Success Paths - Per the contents of Tables 1 and 2.

Protective System or Commodity? - Whether or not this is a system relied on (i.e., credited) by CESSAR-DC Chapter 15 safety analyses to mitigate DBEs by performing the specified safety function.

10 CFR 50 Allocation Requirements - General or specific allocation requirements from 10 CFR 50 as summarized in Section 2.1 of the present report.

NUREG/CR-3331 Allocation Requirements - The acceptance path resulting from application of the criteria in Appendix B of the present report.

Auto Init - The equipment-generated (i.e., automatic) Protective Action that initiates a Protective System to achieve the Safety Function.

Manual Init - Whether or not the operator is afforded a means to manually initiate the Protective Action.

Control - After initiation, the manual and automatic elements of a control system configuration maintain the safety function throughout the limiting DBE. These are categorized as follows:

1) Automatic (Auto) - A configuration that is completely automatic, i.e., without means for manual action to execute the basic function.

2) Parallel (Par) - A configuration affording both manual and automatic control modes in which the operator has discretion to provide manual input at any time, but not to defeat the equivalent automatic processing (excluding resets and operating bypasses; e.g., reactor trip initiation). This strategy tends to increase the likelihood of executing the function.

3) Alternate (Alt) - A configuration affording both manual and automatic control modes in which the operator has discretion over which mode of control is in use (e.g., pressurizer spray control). This strategy tends to provide increased flexibility to the operator (e.g., to balance workload or manage unusual conditions).

4) Complementary (Comp) - A configuration in which there is sharing of responsibilities between the human and machine components. While there may be some functional overlap, there is not complete redundancy. (An example is the use of SI for heat removal. SI is not initiated automatically in response to degraded core heat removal conditions, per se. If initiated, the automatic alignment of SI is sufficient for initial core heat removal. However, the SI configuration must be manually adjusted and realigned to suit plant conditions.)

5) Manual - A fully manual configuration (i.e., other than transmission); all actions are executed on plant equipment by operators.

The mixed configurations (parallel, alternate, and complementary) are depicted schematically in Figure 4.

Justification for solely manual init/cntl of protection (IEEE 603-1991) - For protective systems, an explanation of why some portion of achieving a safety function has not been automated. This is provided, as required, for the protective systems whose control responsibilities are described as either Alternate, Complementary, or fully manual (Parallel implies manual control is redundant to fully automatic control). Also used as an overall comment field, as indicated.

Additional explanation of the CSF success paths and their allocations, and the allocation rationale (in terms of satisfied Appendix B criteria), is provided in the remainder of this Section.

A. Reactivity Control

A.1 Reactor Trip - Reactor trip is a protective feature whose rapid and reliable initiation is of the utmost importance to safety. Automatic initiation of reactor trip is mandatory, and occurs in response to RPS or APS trip signals (see Reference 4, Sections 7.2 and 7.7.1.1.11, respectively); manual initiation is also provided to enable operators to perform assigned supervisory and backup roles. Operator actions will be performed under normal MCR habitability conditions. As a discrete function, Reactor Trip has no continuous control component to be allocated. These System 80+ allocations are unchanged from those in System 80.

[Figure 4 - Mixed Allocation Configurations: schematic of the Parallel, Alternate and Complementary configurations, each drawn as an input passing through automatic (A) and manual (M) elements to an output]

A.1 Allocation Rationale: Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual initiation is desirable for flexibility and reliability (9d & 9e).

A.2 Safety Injection - The SI system performs Reactivity Control by direct high pressure injection of borated water into the Rx vessel. This occurs automatically, when a SIAS is generated by the ESF system. Note that SIAS is not generated automatically in order to shut the reactor down, per se; however, SI boration rate is sufficient to maintain shutdown margin even if the reactive rod were ejected from the core (see Chapter 7, Reference 4). Manual initiation is provided to enable operators to perform assigned supervisory and backup roles. Following initiation, operators have the responsibility to evaluate, adjust, and/or terminate SI. These System 80+ allocations are unchanged from those in System 80.

A.2 Allocation Rationale: Automation is preferable based on precedent (5a), and in preference to human performance (5b) based on characteristics of the function (e.g., per 7a, 7b, 7d, 7e). Manual operation is desirable for flexibility and reliability (9d & 9e).

A.3 Charging & Volume Control (Boration) - The CVCS can be used to inject borated water into the RCS. However, it is a relatively slow, long-term means of adjusting core reactivity, and is not a credited safety system for Reactivity Control. Boration is not a standard lineup for the CVCS, and it is performed and initiated manually from the control room. However, once aligned, the CVCS can be operated in either automatic or manual modes. These System 80+ allocations are unchanged from those in System 80.

A.3 Allocation Rationale: The function is suitable for allocation to the operator (8a, 8b, & 8c).

A.4 Rod Control - Rod control provides a backup success path that can be used if rod(s) stick or otherwise fail to return to their bottom travel positions following a reactor trip. This is accomplished by reshutting the trip breakers and energizing the rod drive mechanisms, then attempting to actively drive the rods inward using the rod control system. The rod control system is not a protective means of reactivity insertion, it is not a credited safety system for Reactivity Control, and the execution of this task is fully manual. These System 80+ allocations are unchanged from those in System 80.

A.4 Allocation Rationale: Given the suitability of the associated tasks (e.g., per 8a, 8b, & 8c), human performance is clearly preferable for this application (6a, or 3b) due to the need to deliberately shut the Reactor Trip Breakers as part of the process.

B. Vital Auxiliaries

The configuration of equipment and resource commodities used to maintain Vital Auxiliaries is part of the overall design of the electrical system. Electrical system design and operation is explained in Chapter 8 of CESSAR-DC (Reference 4).

B.1 Emergency Diesel Generators - Emergency DG operation is initiated automatically on Loss of Offsite Power, and by SIAS or EFAS signals. Startup and vital loading are performed by automatic load sequencing. Manual startup and loading is also possible. Given automatic initiation, the operator is responsible to evaluate continued DG operation, modify its loading as necessary (particularly to satisfy subsequent CSFs), and transfer fuel oil to the Fuel System (before the seven day fuel supply is exhausted; see Section 9.5.4.1.1 of Reference 4). The auto sequencer must complete its function before sequenced loading can be manually modified. Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

B.1 Allocation Rationale: Automation is mandatory because of federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual operation is desirable for flexibility, reliability, and management of unusual conditions (9d, 9e, & 9f).

B.2 Reserve Aux Transformers - The Reserve Aux Transformers provide an offsite supply grid connection that is separate from the Unit Main Transformer grid. Use of the Reserve Aux Transformer is automatically initiated via fast bus transfer on loss of the Unit Main Transformer. Manual transfer is also possible. The operator is responsible to evaluate the electric plant and modify its loading and configuration as necessary (particularly to satisfy subsequent CSFs). Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

B.2 Allocation Rationale: Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual operation is desirable for flexibility, reliability, and management of unusual conditions (9d, 9e, and 9f).

B.3 Vital Station Batteries - Vital Station Batteries are normally on their bus in some form of standby charging or discharging operation. Thus, "initiation" is to place or retain the battery on the bus; "control" is to load or unload the bus. On loss of vital AC power, initial loading is established by auto trips and load shedding. No immediate operator action is required. However, the operator will evaluate operating conditions, and will shed unnecessary loads manually to extend battery life from 2 to 8 hrs (see Section 8.3.2.1.2.1.2 of Reference 4) while taking steps to restore AC power. Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

B.3 Allocation Rationale: Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual operation is desirable for flexibility, reliability, and management of unusual conditions (9d, 9e, & 9f).

B.4 Alternate Generator - System 80+ provides a permanently installed Alternate Generator (i.e., a combustion turbine) as a separate and diverse source of onsite generating capacity. This increases the redundancy and diversity of the AC power success paths in System 80+. Alternate Generator operation is initiated automatically on LOOP (along with Diesel Generator initiation). Loading is by auto sequencing of permanent non-vital bus loads; however, vital bus loads can be assumed manually if DGs fail. The operator is responsible to evaluate continued Alternate Generator operation, and modify its loading as necessary. The Alternate Generator is not credited as a safety system for Vital Auxiliaries. The System 80 design did not include a permanently installed Alternate Generator, although they have been provided as options. The allocations of Alternate Generator control are consistent with those for DG control in System 80 and System 80+.

B.4 Allocation Rationale: Since this is described in Table 3 as a "modified" success path, the steps through the criteria of Appendix B are given in full:

1. Is automation mandatory?
   a. Are working conditions hostile to humans: No
   b. Are tasks included which humans cannot perform: No
   c. Is automation required by law or regulations: No
   d. Is automation required to assure plant safety or protection: No
   No (all) - Go to step 3.

3. Is human performance mandatory?
   a. Is automation technically infeasible: No
   b. Is human required to retain policy-level or ultimate control: No
   c. Is human required by law or regulation: No
   No (all) - Go to step 5.

5. Is automation clearly preferable to human operators?
   a. Is automation technology well-established as suitable (i.e., effective, reliable, cost-effective, etc.): Yes
   b. Is human performance acknowledged as less satisfactory: Yes (due to time requirements of Alternate Generator S/U)
   Yes (all) - Tentatively allocate to auto; go to step 9.

9. Reconsider the tentative automatic allocations in terms of their negative impact on human operator performance.
   a. Would manual performance of the task help to keep the operator engaged with the plant, informed of process status, or prepared to plan and solve problems: No
   b. Would manual performance of the task provide the operator with important opportunities to develop or maintain valuable skills or knowledge: No
   c. Will absolute implementation of the automatic feature(s) contribute to operator underloading (e.g., boredom): No
   d. Would the option for manual control from the control room afford desired flexibility: Yes
   e. Would the option for manual control from the control room afford more reliable performance of the function: Yes
   f. Would the option for manual control from the control room be desirable for testing, maintenance, or management of off-normal conditions: Yes
   Yes (any) - Make a tentative allocation to automation with operator discretion. If operator discretion is subordinate (man may initiate but not override automatic action), go to step 12. (Step 12, "Consider the residual role of the human operator in support of the automated function," alludes to detailed design tasks that are addressed during human-system interface design.)
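The Appendix B walk-through above is a decision procedure, so, as an added example (not from the report or from ABB-CE), the following Python encodes the steps it actually traverses (1, 3, 5, 9, 12) and re-derives the Alternate Generator allocation from the same yes/no answers. Step and criterion numbers are the report's; the question text is paraphrased, and branches the page does not walk (a "Yes" at step 1 or 3, a "No" at step 5 or 9) are flagged as not covered rather than invented.

```python
"""Appendix B allocation walk-through, encoded as a decision procedure.

Added example, not part of NPX80-IC-RR790-02 or the ABB-CE program.  It follows
only the steps the Section B.4 walk-through traverses (1 -> 3 -> 5 -> 9 -> 12);
criterion numbering (1a-1d, 3a-3c, 5a-5b, 9a-9f) is the report's and the
question wording is paraphrased from Section B.4.  Branches the page does not
walk are reported as not covered rather than guessed.
"""
from dataclasses import dataclass

# Step -> (question, criteria keys).  Only the steps visible in Section B.4.
STEPS = {
    "1": ("Is automation mandatory?", ("1a", "1b", "1c", "1d")),
    "3": ("Is human performance mandatory?", ("3a", "3b", "3c")),
    "5": ("Is automation clearly preferable to human operators?", ("5a", "5b")),
    "9": ("Negative impact of automation on operator performance?",
          ("9a", "9b", "9c", "9d", "9e", "9f")),
}


class NotCoveredError(Exception):
    """The walk-through needs a branch this excerpt of the report does not show."""


@dataclass(frozen=True)
class Allocation:
    outcome: str          # tentative allocation, in the report's wording
    path: tuple           # Appendix B steps visited, in order
    satisfied: tuple      # criteria answered "Yes" (what the rationales cite)


def _yes_criteria(step, answers):
    """Return the 'Yes' criteria of a step; every criterion must be answered."""
    _, keys = STEPS[step]
    missing = [k for k in keys if k not in answers]
    if missing:
        raise KeyError(f"step {step}: no answer for {missing}")
    return tuple(k for k in keys if answers[k])


def allocate(answers, discretion_subordinate=True):
    """Walk Appendix B with yes/no answers keyed by criterion, e.g. {'1a': False}."""
    path, satisfied = [], []

    path.append("1")                  # step 1: any Yes makes automation mandatory
    yes = _yes_criteria("1", answers)
    if yes:
        # A.1 and B.1 cite feasibility (2a, 2b) on this branch, but the page
        # does not walk it in full, so it is not modelled here.
        raise NotCoveredError(f"automation mandatory via {list(yes)}")

    path.append("3")                  # step 3: any Yes makes human performance mandatory
    yes = _yes_criteria("3", answers)
    if yes:
        raise NotCoveredError(f"human performance mandatory via {list(yes)}")

    path.append("5")                  # step 5: automation preferable only if all Yes
    yes = _yes_criteria("5", answers)
    if len(yes) != len(STEPS["5"][1]):
        raise NotCoveredError("step 5 not all Yes; next step not shown on this page")
    satisfied.extend(yes)

    path.append("9")                  # step 9: any Yes -> automation with operator discretion
    yes = _yes_criteria("9", answers)
    if not yes:
        raise NotCoveredError("step 9 all No; next step not shown on this page")
    satisfied.extend(yes)
    outcome = "automation with operator discretion"

    if discretion_subordinate:        # operator may initiate but not override
        path.append("12")             # residual operator role -> HSI design
        outcome += "; residual operator role deferred to HSI design (step 12)"
    return Allocation(outcome, tuple(path), tuple(satisfied))


def cite(criteria):
    """Format criteria the way the rationales do: '9d', '9d & 9e', '9d, 9e, & 9f'."""
    criteria = list(criteria)
    if len(criteria) <= 1:
        return "".join(criteria)
    if len(criteria) == 2:
        return f"{criteria[0]} & {criteria[1]}"
    return ", ".join(criteria[:-1]) + f", & {criteria[-1]}"


# Constructed from the Section B.4 walk-through for the Alternate Generator.
ALTERNATE_GENERATOR = {
    "1a": False, "1b": False, "1c": False, "1d": False,
    "3a": False, "3b": False, "3c": False,
    "5a": True, "5b": True,
    "9a": False, "9b": False, "9c": False, "9d": True, "9e": True, "9f": True,
}

if __name__ == "__main__":
    result = allocate(ALTERNATE_GENERATOR)
    print("steps:", " -> ".join(result.path))
    print("outcome:", result.outcome)
    print("criteria satisfied:", cite(result.satisfied))
```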

B.5 Unit Main Transformers - The Unit Main Transformer provides a connection to an offsite supply grid that is separate from the Reserve Aux Transformer grid. The Unit Main is the default offsite AC power source, and is not credited as a safety system for Vital Auxiliaries. Normally, at power, the Unit Main Transformers are on line connecting the plant electrical system to supply power to the offsite grid; on turbine trip, the Main Transformer breakers remain shut, allowing power to be drawn from the grid to supply plant electrical demands (i.e., "backfeed"). The operator is responsible to evaluate the electric plant and modify its loading and configuration as necessary. These System 80+ allocations are unchanged from those in System 80.

B.5 Allocation Rationale: The function is suitable for allocation to the operator (8a, 8b, & 8c).

B.6 Non-Vital Station Batteries - Non-Vital Station Batteries are normally on their bus in some form of standby charging or discharging operation. Thus, "initiation" is to place or retain the battery on the bus; "control" is to load or unload the bus. Non-vital station batteries are not credited as a safety system for Vital Auxiliaries. On loss of non-vital AC power, initial loading is established by auto trips and load shedding. No immediate operator action is required. However, the operator will evaluate operating conditions, and will shed unnecessary loads manually to extend battery life while taking steps to restore AC power. These System 80+ allocations are unchanged from those in System 80.

B.6 Allocation Rationale:
Automation is mandatory because of sustained monitoring and rapid response time requirements (1b). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual operation is desirable for flexibility, reliability, and management of unusual conditions (9d, 9e, & 9f).

C. RCS Inventory Control

C.1 Safety Injection - The SI system performs Inventory Control by direct high pressure injection of borated water into the Rx vessel (see Section 6.3, Reference 4). This occurs automatically, when a SIAS is generated by the ESF system (see Section 7.3, Reference 4), or passively, if RCS pressure falls below SIT pressure. Manual initiation is also provided to enable operators to perform assigned supervisory and backup roles. Following initiation, operators have the responsibility to evaluate, adjust, and/or terminate SI; however, after initiation, operation can continue for one to three hours without manual intervention (Reference 4, Section 6.3.3.4). Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

C.1 Allocation Rationale:
Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual operation is desirable for flexibility, reliability, and management of unusual conditions (9d, 9e, & 9f).

C.2 Charging & Volume Control (Charging & Letdown) - The CVCS can be used to inject water into the RCS. However, it is a long term, relatively slow, backup means of adding core inventory, and is not a credited safety system for Inventory Control (see Section 9.3.4, Reference 4). CVCS is initiated manually from the control room. However, once initiated, the CVCS can be operated in either automatic or manual modes. These System 80+ allocations are unchanged from those in System 80.

C.2 Allocation Rationale:
The function is suitable for allocation to the operator (8a, 8b, & 8c).

D. RCS Pressure Control

D.1 Safety Injection - The SI system performs Pressure Control by high pressure injection of borated water into the RCS (see Section 6.3, Reference 4). This occurs automatically, when a SIAS is generated by the ESF system (see Section 7.3, Reference 4), or passively, if RCS pressure falls below SIT pressure. Manual initiation is also provided to enable operators to perform assigned supervisory and backup roles. Following initiation, operators have the responsibility to evaluate, adjust, and/or terminate SI; however, after initiation, operation can continue for one to three hours without manual intervention (Reference 4, Section 6.3.3.4). Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

D.1 Allocation Rationale:
Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual operation is desirable for flexibility, reliability, and management of unusual conditions (9d, 9e, & 9f).

D.2 Rx Coolant Gas Vent System - The Reactor Coolant Gas Vent System (RCGVS) is a portion of the SDS. It permits controlled RCS depressurization to SCS entry conditions during natural circulation cooldown scenarios (see Section 6.7, Reference 4). Rapid response of this function is not required, since cooldown typically takes 8-12 hours. Thus, automatic initiation is not necessary or even desirable. Instead, operators have responsibility to initiate and control RCS depressurization by the RCGVS. Operator actions will be performed under normal MCR habitability conditions. Manual operation of RCGVS in System 80+ is an unchanged allocation from System 80, although System 80 credited Aux Spray for permitting depressurization with natural circulation. Likewise, Aux Spray was manually allocated in System 80, and remains so in System 80+. Thus, these System 80+ allocations are unchanged from System 80.

D.2 Allocation Rationale:
Automation could be argued to be mandatory because of general regulations for automatic protective actions under GDC 20 (1c). However, although this is a credited safety system, it is not required to make immediate or rapid (i.e., protective) responses in its safety role. In addition, the uncertain conditions of its use, and concerns for inadvertent initiation make human performance preferable (6).

D.3 PZR Heaters & Sprays - Normal RCS Pressure Control is provided by the operation of PZR heaters and sprays to control PZR saturation conditions. This system is described as manually initiated in that it is operated in either automatic or manual modes at operator discretion; normally it would be on line in auto. It is not credited as a safety system for RCS Pressure Control. These System 80+ allocations are unchanged from those in System 80.

D.3 Allocation Rationale:
Automation is preferable because of the repetitive and predictable nature of the function (5); the system is normally left on-line to cycle in automatic. However, manual operation affords necessary flexibility and improved reliability (9d-f).

D.4 Charging & Volume Control - The CVCS provides PZR Aux Spray as an alternate means (i.e., during natural circulation cooling, without RCP head to provide PZR Main Spray) to reduce RCS pressure under saturated PZR conditions. CVCS can also be used to control RCS pressure with a solid PZR by adjusting RCS inventory. The CVCS is not a credited safety system for Pressure Control. CVCS operation is initiated manually from the control room. The CVCS can be operated in either automatic or manual modes, but manual mode is specified for solid plant operations due to the possibility of rapid pressure excursions. Although the System 80+ CVCS is a fully non-safety system (a change from System 80; see Section 4.2), the operation of the CVCS, and the allocation of these System 80+ functions, are unchanged from those in System 80.

D.4 Allocation Rationale:
The uncertainty of conditions involved in the need for or control of RCS Pressure via CVCS makes human performance preferable (6).

D.5 SG Steaming - Controlled heat removal through the SGs (see Section 10, CESSAR-DC) can be used to control RCS pressure, particularly when solid, by manipulating (i.e., contracting) available RCS inventory. Steaming and feeding in this case are initiated and controlled manually from the control room to avoid excessive pressure excursions. The SGs are not a credited safety system for RCS Pressure Control. These System 80+ allocations are unchanged from those in System 80.

D.5 Allocation Rationale:
The uncertainty of conditions involved in the need for or control of RCS Pressure via SG Steaming makes human performance preferable (6).

D.6 Pressure Reliefs - Design basis overpressure relief for vessel protection is provided without the option for manual initiation. Some older units (predating System 80) used Power-Operated Relief Valves; PORVs permitted both manual and automatic operation. However, experience has dictated a return to more simple and standard (i.e., hydromechanical) relief valve designs in recent plants (including System 80). Thus, these System 80+ allocations are unchanged from System 80.

D.6 Allocation Rationale:
Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual operation is not necessary or desirable.

E. Core Heat Removal

E.1 Natural Circulation - Initiation and control of natural circulation flow are essentially passive (equivalent to automatic) functions. The operator has responsibility to evaluate Heat Removal performance, and to maintain an effective heat sink. Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from System 80.

E.1 Allocation Rationale:
Automation can be viewed as mandatory because of federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). As a passive function, manual operation can be viewed as either implicit, or inapplicable.

E.2 Forced Circulation (RCPs) - Initiation of forced circulation (i.e., RCP flow) is manual (the discrete "pump run" function has no continuous control component). Core Heat Removal via forced circulation is the normal means of Core Heat Removal during operations, but is not credited for safety. These System 80+ allocations are unchanged from System 80.

E.2 Allocation Rationale:
The function is suitable for allocation to the operator (8a, 8b, & 8c).

E.3 Safety Injection (DVI) - The SI system performs Core Heat Removal by direct high pressure injection of borated water into the Rx vessel. For DBEs, unavailability of natural circulation may imply RCS pressure or inventory problems, and SI actuation is thus a resultant possibility. However, DVI is not the preferred means for Core Heat Removal, and SIAS is not generated in response to Heat Removal problems, per se. Following either automatic, passive, or manual SIAS initiation, the DVI lineup is automatically established; operation can then continue for one to three hours without manual intervention (Reference 4, Sections 6.3.2.7 & 6.3.3.4). The operator has responsibility to evaluate Core Heat Removal performance, to modify the SI lineup to suit plant conditions, and to maintain effective RCS Heat Removal. Operator actions will be performed under normal MCR habitability conditions. Changes to the SI injection points are improvements in the physical plant configuration; however, the related System 80+ allocations are unchanged from System 80.

E.3 Allocation Rationale:
Automation could be argued to be mandatory because of general regulations for automatic protective actions under GDC 20 (1c). However, although this is a credited safety system, it is not required to make immediate or rapid (i.e., protective) responses in its safety role. The uncertainty of conditions involved in the need for or performance of Core Heat Removal via SIS makes human performance preferable (6).

F. RCS Heat Removal

F.1 Main Feed - The Main Feed system provides heat removal for the RCS using the SGs and Main Feed Pumps. This is the normal means of heat removal for power operation. It is initiated manually, but may be controlled in either manual or automatic modes. Main Feed is not a credited safety system. These System 80+ allocations are unchanged from those in System 80.

F.1 Allocation Rationale:
The function is suitable for allocation to the operator (8a, 8b, & 8c).

F.2 Startup Feed - The Startup Feed system provides heat removal for the RCS using the SGs and Startup Feed Pump. This is the normal means of heat removal for very low power (0 to 5%) operation. Startup Feed is automatically initiated on reactor trip with complete loss of MFW, providing diversity and defense in depth against total loss of feed. The system can also be manually initiated and controlled. Startup Feed is not a credited safety system. The addition of automatic initiation and control of Startup Feed is a change to the prior System 80 allocation.

F.2 Allocation Rationale:
Since this is described in Table 3 as a "modified" success path, the steps through the criteria of Appendix B are given in full.

1. Is automation mandatory?
a. Are working conditions hostile to humans: No
b. Are tasks included which humans cannot perform: No
c. Is automation required by law or regulations: No
d. Is automation required to assure plant safety or protection: No
No (all) - Go to step 3.

3. Is human performance mandatory?
a. Is automation technically infeasible: No
b. Is human required to retain policy-level or ultimate control: No
c. Is human required by law or regulation: No
No (all) - Go to step 5.

5. Is automation clearly preferable to human operators?
a. Is automation technology well-established as suitable (i.e., effective, reliable, cost-effective, etc.): Yes
b. Is human performance acknowledged as less satisfactory: Yes (due to risk reduction and utility requirements).
Yes (all) - Tentatively allocate to auto; go to step 9.

9. Reconsider the tentative automatic allocations in terms of their negative impact on human operator performance.
a. Would manual performance of the task help to keep the operator engaged with the plant, informed of process status, or prepared to plan and solve problems: Yes
b. Would manual performance of the task provide the operator with important opportunities to develop or maintain valuable skills or knowledge: No
c. Will absolute implementation of the automatic feature(s) contribute to operator underloading (e.g., boredom): No
d. Would the option for manual control from the control room afford desired flexibility: Yes
e. Would the option for manual control from the control room afford more reliable performance of the function: No
f. Would the option for manual control from the control room be desirable for testing, maintenance, or management of off-normal conditions: Yes
Yes (any) - Make a tentative allocation to automation with operator discretion. If operator discretion is subordinate (man may initiate but not override automatic action), go to step 12. (Step 12, "Consider the residual role of the human operator in support of the automated function," alludes to detailed design tasks that are addressed during human-system interface design.)

F.3 Emergency Feed - The Emergency Feedwater system assures that secondary plant heat removal capacity remains available if normal feedwater sources are lost. Initiation of EFW occurs automatically when an EFAS is generated by the PPS; manual initiation is also provided to enable operators to perform assigned supervisory and backup roles (this satisfies specific requirements of Section 2.1.2.b). EFW control requires no operator intervention until .5 hrs after limiting DBE (CESSAR-DC 10.4.9); operators have the responsibility to operate ADVs, ensure adequate level in the SGs, provide makeup to the EFWSTs, and evaluate, adjust or terminate EFW function. Operator actions are performed under normal habitability conditions. These System 80+ allocations are unchanged from those in System 80.

F.3 Allocation Rationale:
Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual initiation is desirable for reliability (9e).

F.4 Rapid Depressurization (RD) - The RD portion of the SDS can be used to depressurize the plant while using SIS/DVI for Core Heat Removal. This accomplishes heat removal via feed-and-bleed, also known as "once-through cooling." It is not the preferred means for RCS Heat Removal, and it is not a credited safety system for controlling RCS heat removal on System 80+. However, if no SGs are available for steaming (i.e., total loss of feed, a beyond-design-basis event) then this provides an added, diverse success path. The operator has responsibility to evaluate and control RCS Heat Removal performance, and to maintain an adequate RCS inventory. Control of RD itself is a discrete function (i.e., start/stop only; no throttling). Operator actions will be performed under normal MCR habitability conditions. Once-through cooling using PORVs was available on some earlier ABB-CE plants. However, due to PORV problems, they were eliminated from newer designs (see D.6), and once-through cooling was not afforded on System 80 (i.e., not at Palo Verde; however, RD is being installed in Korea). The manual allocation of the RD "bleed" function in System 80+ is consistent with similar allocations in preceding ABB-CE plant designs.

F.4 Allocation Rationale:
Since this is described in Table 3 as a "new" success path, the steps through the criteria of Appendix B are given in full:

1. Is automation mandatory?
a. Are working conditions hostile to humans: No
b. Are tasks included which humans cannot perform: No
c. Is automation required by law or regulations: No
d. Is automation required to assure plant safety or protection: No
No (all) - Go to step 3.

3. Is human performance mandatory?
a. Is automation technically infeasible: No
b. Is human required to retain policy-level or ultimate control: No (The distinction between this question and 3a is somewhat subjective.)
c. Is human required by law or regulation: No
No (all) - Go to step 5.

5. Is automation clearly preferable to human operators?
a. Is automation technology well-established as suitable: No
b. Is human performance acknowledged as less satisfactory: No
No (any) - Go to step 6.

6. Is human performance clearly preferable to automation?
a. Is human performance regarded as clearly necessary, or superior to automation: Yes (given the suitability of the required tasks, and due to the uncertain conditions of the use of RD and the concerns for spurious actuation.)
Yes - Allocate to human; go to step 11. (Step 11, "Consider residual automated and control system support for the operator," alludes to detailed design tasks that are addressed during human-system interface design.)

F.5 Shutdown Cooling - SCS is not initially useful as a success path in DBEs initiated from higher mode operation; SCS is placed on line as part of the normal transition to lower modes. Rapid initiation of SCS is not required (cooldown to SCS entry conditions typically takes 8-12 hours); on the other hand, spurious system actuation would be problematic. Thus, automatic actuation is not necessary or even desirable, while manual actuation is acceptable. Operator actions will be performed under normal MCR habitability conditions. Certain changes have been made to the SCS design from System 80 (e.g., it no longer shares pumps with SI, and has a higher pressure rating, permitting removal of a suction valve trip that was a chronic cause for loss of SCS; see Reference 4, Chapter 5). However, these are improvements in the physical plant configuration; the related System 80+ allocations are similar to those in System 80.

F.5 Allocation Rationale:
Automation could be argued to be mandatory because of general regulations for automatic protective actions under GDC 20 (1c). However, although this is a credited safety system, it is not required to make immediate or rapid (i.e., protective) responses in its safety role. In addition, the uncertain conditions of its use, and concerns for inadvertent initiation make human performance preferable (6).

G. Containment Isolation

G.1 Penetration Flowpath Isolation - Containment Flowpath Isolation is performed by automatically shutting containment isolation valves on CIAS actuation. CIAS may also be actuated manually, to enable operators to perform assigned supervisory and backup roles. CIAS does not shut penetrations used for accident mitigation, RCP operation, or safe shutdown; these are isolated manually, if necessary. If a CIAS is actuated, explicit manual reset is required before any of the flowpaths can be reopened (to prevent inadvertent release, per 10 CFR 50.34(f)(2)(xiv)); subsequent reopening of the valves must also be done manually (remote manual controls are provided for all automatically isolated valves). As a discrete function (i.e., shutting the valves), Containment Flowpath Isolation has no continuous control component. Operator actions are performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

G.1 Allocation Rationale:
Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual initiation is desirable for reliability (9e).

G.2 Penetration Flowpath Control - Containment Flowpath Control is performed by individually selecting and shutting containment isolation valves using component control systems. This is fully manual, enabling operators to perform assigned supervisory and backup roles, and providing flexibility and reliability in the overall system. If a CIAS has already actuated, the CIAS must be manually reset before any of the flowpath control valves can be reopened (to prevent inadvertent release, per 10 CFR 50.34(f)(2)(xiv)). As a discrete function (i.e., to shut the valves), Containment Flowpath Control has no continuous control component. Operator actions are performed under normal MCR habitability conditions. This is not a credited safety system. These System 80+ allocations are unchanged from those in System 80.

G.2 Allocation Rationale:
The function is suitable for allocation to the operator (8a, 8b, & 8c).

H. Containment Environment

H.1 Containment Spray - The Containment Spray system actively removes heat from a sealed Containment Environment so that containment temperature and pressure remain within limits under anticipated accident conditions. Initiation of Containment Spray occurs automatically when a CSAS is generated by the PPS; manual initiation is also provided, to enable operators to perform assigned supervisory and backup roles. Following initiation, operators have the responsibility to evaluate, adjust, and/or terminate Containment Spray. Additionally, operators can reconfigure the system to use SCS or an external water source if the preferred containment spray lineup is unsuccessful. Normally, however, manual action is indefinitely unnecessary, as the water is continuously recirculated through the IRWST. Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

H.1 Allocation Rationale:
Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual initiation is desirable for reliability (9e).

H.2 Fan Coolers - The Containment Fan Coolers actively remove heat from the Containment Environment to control containment temperature (and pressure, in a sealed containment). Containment Fan Coolers are manually started and are normally in operation; additional coolers may be manually started as an emergency mode supplement. Operator actions will be performed under normal MCR habitability conditions. This is not a credited safety system. These System 80+ allocations are unchanged from those in System 80.

H.2 Allocation Rationale:
The function is suitable for allocation to the operator (8a, 8b, & 8c).

H.3 H2 Recombiners - The H2 Recombiners are a portable, externally connected means to maintain Hydrogen levels within limits in a sealed Containment Environment under anticipated accident conditions. They are not the initial success path for containment Hydrogen control. H2 Recombiners are manually aligned and started, by procedure, within 72 hours following a LOCA. After startup, the H2 Recombiners run continuously; operators are responsible to evaluate and/or terminate continued H2 Recombiner operation. Operator actions will be performed in the Nuclear Annex Building under acceptable post-accident habitability conditions. These System 80+ allocations are unchanged from those in System 80.

H.3 Allocation Rationale:
Automation could be argued to be mandatory because of general regulations for automatic protective actions under GDC 20 (1c). However, although this is a credited safety system, it is not required to make immediate or rapid (i.e., protective) responses in its safety role. The function is suitable for allocation to the operator (8a, 8b, & 8c).

H.4 H2 Purge - H2 Purge is a permanently installed means to control containment Hydrogen levels. H2 Purge is accomplished using portions of the Annulus Ventilation System, and the Containment Low Volume Purge System. H2 Purge is manually initiated. After startup, operators are then responsible to evaluate, adjust, and/or terminate H2 Purge operation; H2 Purge is automatically isolated on CIAS actuation. This function does not require any immediate or rapid responses, and operator actions will be performed under normal MCR habitability conditions. This is not a credited safety system. Although the containment annulus vent system is part of an improved containment design for System 80+, these allocations for the System 80+ H2 Purge success path are unchanged from those in System 80.

H.4 Allocation Rationale:
Given the suitability of the associated tasks (e.g., per 8a, 8b, & 8c, or 4), human performance is preferable for this application (6a, or 3b & 3c) due to the potential for inadvertent release during a severe accident.

H.5 H2 Ignitors - The H2 Ignitors are a permanently installed means to maintain Hydrogen levels within limits in a sealed Containment Environment. If H2 Purge and Recombiners are not available, H2 Ignitors can be manually started on indication of high Hydrogen levels in containment. After startup, operators then are responsible to evaluate, adjust, and/or terminate H2 Ignitor operation. Operator actions will be performed under normal MCR habitability conditions. This success path was not part of the System 80 design, but has been proven in operation on other systems. It has been added for System 80+ for increased redundancy and diversity of the Hydrogen control success paths. It is not a credited safety system. This does not represent a significant change of the System 80+ operators' role or responsibilities from those in System 80.

H.5 Allocation Rationale:
Since this is described in Table 3 as a "new" success path, the steps through the criteria of Appendix B are given in full:

1. Is automation mandatory?
a. Are working conditions hostile to humans: No
b. Are tasks included which humans cannot perform: No
c. Is automation required by law or regulations: No
d. Is automation required to assure plant safety or protection: No
No (all) - Go to step 3.

3. Is human performance mandatory?
a. Is automation technically infeasible: No
b. Is human required to retain policy-level or ultimate control: No (The distinction between this question and 3a is somewhat subjective.)
c. Is human required by law or regulation: No
No (all) - Go to step 5.

5. Is automation clearly preferable to human operators?
a. Is automation technology well-established as suitable: No
b. Is human performance acknowledged as less satisfactory: No
No (any) - Go to step 6.

6. Is human performance clearly preferable to automation?
a. Is human performance regarded as clearly necessary, or superior to automation: Yes (given the suitability of the required tasks, and the concern for equipment damage due to inadvertent actuation)
Yes - Allocate to human; go to step 11. (Step 11, "Consider residual automated and control system support for the operator," alludes to detailed design tasks that are addressed during human-system interface design.)
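The three full walks through the Appendix B criteria in this section (F.2 Startup Feed, F.4 Rapid Depressurization, H.5 H2 Ignitors) follow the same branching procedure, so it is worth seeing the branches written down once as executable logic. The Python below is an added example and not part of the report; it encodes only the branches those walk-throughs actually exercise (step 1 to step 3 to step 5, then either step 9 with the step 12 exit or step 6 with the step 11 exit) and replays the three cases, reporting any branch the excerpt does not show as undetermined rather than guessing it. The question keys ("1a" through "9f") mirror the report's numbering; the function and class names are assumptions.

```python
"""Replay of the Appendix B function-allocation walk-throughs (F.2, F.4, H.5).

Added example, not part of the report. Only the branches the report's
walk-throughs show are encoded: step 1 (automation mandatory?), step 3
(human performance mandatory?), step 5 (automation clearly preferable?),
step 6 (human performance clearly preferable?) and step 9 (reconsider the
tentative automatic allocation). Any other branch is reported as undetermined.
Function and class names are assumptions; the keys "1a".."9f" mirror the
report's numbering of the criteria.
"""
from dataclasses import dataclass

# Sub-questions asked at each step, keyed as in the report (e.g. "3b").
STEP_QUESTIONS = {
    1: "abcd",    # hostile conditions / impossible tasks / law / plant protection
    3: "abc",     # infeasible automation / policy-level control / law
    5: "ab",      # technology well-established / human less satisfactory
    6: "a",       # human clearly necessary or superior
    9: "abcdef",  # engagement / skills / underloading / flexibility / reliability / off-normal
}


@dataclass(frozen=True)
class Allocation:
    outcome: str   # "human", "automation with operator discretion", or "undetermined: ..."
    trail: tuple   # steps visited, in order, as strings


def _answers(step, answers):
    """Collect the Yes/No answers for one step; a missing key is an input error."""
    try:
        return [answers[f"{step}{q}"] for q in STEP_QUESTIONS[step]]
    except KeyError as exc:
        raise ValueError(f"step {step} needs an answer for {exc.args[0]}") from None


def allocate(answers, discretion_subordinate=False):
    """Walk the criteria; `answers` maps "1a".."9f" to True (Yes) / False (No)."""
    trail = ["1"]
    if any(_answers(1, answers)):
        # The report's rationales cite feasibility checks (2a, 2b) on this path,
        # but the excerpt never walks it, so stop rather than invent the branch.
        return Allocation("undetermined: step 1 'Yes' branch not shown in excerpt", tuple(trail))
    trail.append("3")            # No (all) - Go to step 3.
    if any(_answers(3, answers)):
        return Allocation("undetermined: step 3 'Yes' branch not shown in excerpt", tuple(trail))
    trail.append("5")            # No (all) - Go to step 5.
    if all(_answers(5, answers)):
        trail.append("9")        # Yes (all) - Tentatively allocate to auto; go to step 9.
        if any(_answers(9, answers)):
            # Yes (any) - automation with operator discretion; when discretion is
            # subordinate the report continues to step 12 (residual operator role).
            if discretion_subordinate:
                trail.append("12")
            return Allocation("automation with operator discretion", tuple(trail))
        return Allocation("undetermined: step 9 'No (all)' branch not shown in excerpt", tuple(trail))
    trail.append("6")            # No (any) - Go to step 6.
    if _answers(6, answers)[0]:
        trail.append("11")       # Yes - Allocate to human; go to step 11.
        return Allocation("human", tuple(trail))
    return Allocation("undetermined: step 6 'No' branch not shown in excerpt", tuple(trail))


def _no_for(*steps):
    """Answer 'No' to every sub-question of the given steps."""
    return {f"{s}{q}": False for s in steps for q in STEP_QUESTIONS[s]}


# F.2 Startup Feed: steps 1 and 3 all No, step 5 all Yes, step 9 a/d/f Yes.
STARTUP_FEED = {**_no_for(1, 3), "5a": True, "5b": True,
                "9a": True, "9b": False, "9c": False,
                "9d": True, "9e": False, "9f": True}

# F.4 Rapid Depressurization and H.5 H2 Ignitors: steps 1, 3 and 5 all No; 6a Yes.
RAPID_DEPRESSURIZATION = {**_no_for(1, 3, 5), "6a": True}
H2_IGNITORS = dict(RAPID_DEPRESSURIZATION)

if __name__ == "__main__":
    for name, case in [("F.2 Startup Feed", STARTUP_FEED),
                       ("F.4 Rapid Depressurization", RAPID_DEPRESSURIZATION),
                       ("H.5 H2 Ignitors", H2_IGNITORS)]:
        result = allocate(case)
        print(f"{name}: {result.outcome} via steps {' -> '.join(result.trail)}")
```

Running the module prints the same outcomes the report reaches by hand: Startup Feed ends at "automation with operator discretion" after steps 1, 3, 5 and 9, while Rapid Depressurization and the H2 Ignitors end at "human" after steps 1, 3, 5, 6 and 11. Flipping any step 1 answer to Yes shows the deliberate refusal to guess a branch the excerpt does not document.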

I. Radiation Emission

I.1 Release Path Isolation - Containment-to-environment release paths are automatically isolated on high radiation and CIAS. They can also be manually isolated, to enable operators to perform assigned supervisory and backup roles. As a discrete function (i.e., to shut the valves), Release Path Isolation has no continuous control component. Operator actions are performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

I.1 Allocation Rationale:
Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual initiation is desirable for reliability (9e).

I.2 Release Path Control - Containment-to-environment release paths can be individually isolated by selecting and manually shutting individual valves through the component control systems, to enable operators to perform assigned supervisory and backup roles. Operator actions are performed under normal MCR habitability conditions. This is not a credited safety system. These System 80+ allocations are unchanged from those in System 80.

I.2 Allocation Rationale:
The function is suitable for allocation to the operator (8a, 8b, & 8c).

Table 4 SUCCESS PATH ALLOCATIONS (page 1 of 10)
CRITICAL FUNCTION: A. Reactivity Control

Columns: Success Path | Protective System or Commodity? (10 CFR 50) | Allocation Requirements (NUREG/CR-3331) | Auto Init | Manual Init | Control | Justification for solely manual init/cntl of protective system (IEEE 603-1991)

1. Reactor Trip | Yes (GDC 20) | Auto init 1b-d; 2; 9d,e | RPS, APS | Yes | - | -
2. Safety Injection | No | 5; 9d,e | SIAS | Yes | Comp | -
3. CVCS (boration) | No | 8 | No | Yes | Alt | -
4. Rod Control | No | 6 | No | Yes | Manual | -

Table 4 SUCCESS PATH ALLOCATIONS (page 2 of 10)
CRITICAL FUNCTION: B. Maintenance of Vital Auxiliaries

Columns: Success Path | Protective System or Commodity? (10 CFR 50) | Allocation Requirements (NUREG/CR-3331) | Auto Init | Manual Init | Control | Justification for solely manual init/cntl of protective system (IEEE 603-1991)

1. Emergency Diesel Generators (AC) | Yes (GDC 20) | Auto init 1c-d; 2; 9d,e,f | LOOP, SIAS, EFAS | Yes | Comp | -
2. Reserve Aux Transformers (Site AC) | Yes (GDC 20) | Auto init 1b-d; 2; 9d,e,f | Loss of Unit Main Xfmr | Yes | Comp | -
3. Vital Station Batteries (DC) | Yes (GDC 20) | Auto init 1b-d; 2; 9d,e,f | Loss of vital AC | Yes | Comp | -
4. Alternate Generator (AC) | No | 5; 9d,e,f | LOOP | Yes | Comp | -
5. Unit Main Transformer (Site AC) | No | 8 | No | Yes | Alt | -
6. Non-vital Station Batteries (DC) | No | 1b; 2; 9d,e,f | Yes | Yes | Alt | -

- ~.

.. ~...

Table 4 SUCCESS PATH ALLOCATIONS (page 4 of 10)

CRITICAL FUNCTION: C. RCS Inventory Control

Success Path | Protective System or Commodity? | 10 CFR 50 requirement | NUREG/CR-3331 criteria | System 80+ Auto Init | Manual Init | Control | Justification for solely manual init/cntl of protective system (IEEE 603-1991)
1. Safety Injection | Yes (GDC 20) | Auto init | 1b-d; 2; 9d,e,f | SIAS | Yes | Comp |
2. CVCS (Charging & Letdown) | No | | 8 | No | Yes | Alt |

Table 4 SUCCESS PATH ALLOCATIONS (page 5 of 10)

CRITICAL FUNCTION: D. RCS Pressure Control

Success Path | Protective System or Commodity? | 10 CFR 50 requirement | NUREG/CR-3331 criteria | System 80+ Auto Init | Manual Init | Control | Justification for solely manual init/cntl of protective system (IEEE 603-1991)
1. Safety Injection | Yes (GDC 20) | Auto init | 1b-d; 2; 9d,e,f | SIAS | Yes | Comp |
2. Rx Gas Vent System (Safety Depressurization) | Yes (GDC 20) | Auto init | (1c); 6 | No | Yes | Manual | System is credited for providing depressurization ability to SCS entry conditions. Rapid response is not required (cooldown typically takes 8-12 hours), but spurious system actuation could compromise safety. Thus, auto initiation is not necessary or desirable. Operator actions performed under normal MCR habitability conditions.
3. PZR Heaters & Sprays | No | | 5; 9d-f | No | Yes | Alt |
4. CVCS (Charging & Letdown, Aux Spray) | No | | 6 | No | Yes | Alt |
5. SG Steaming | No | | 6 | No | Yes | Alt |
6. Pressure Reliefs | Yes (GDC 20) | Auto init | 1b-d; 2 | Pressure setpoint | No | Auto |

Table 4 SUCCESS PATH ALLOCATIONS (page 6 of 10)

CRITICAL FUNCTION: E. Core Heat Removal

Success Path | Protective System or Commodity? | 10 CFR 50 requirement | NUREG/CR-3331 criteria | System 80+ Auto Init | Manual Init | Control | Justification for solely manual init/cntl of protective system (IEEE 603-1991)
1. Natural Circulation | Yes (GDC 20) | Auto init | 1c,d; 2 | Passive | Yes | Comp |
2. Forced Circulation | No | | 8 | No | Yes | |
3. Safety Injection (Direct Vessel Injection) | Yes (GDC 20) | Auto init | (1c); 6 | No | Yes | Comp | DVI provides an added success path (not the preferred means) for Core Heat Removal. For DBEs, loss of natural circulation may imply prior RCS Pressure or Inventory problems and possible auto SI initiation, but not for Heat Removal per se. With SI initiation, the DVI lineup is automatically established. Operator has responsibility to evaluate Core Heat Removal performance, to modify the SI lineup to best suit plant conditions, and to initiate and maintain heat sink performance.


Table 4 SUCCESS PATH ALLOCATIONS (page 7 of 10)

CRITICAL FUNCTION: F. RCS Heat Removal

Success Path | Protective System or Commodity? | 10 CFR 50 requirement | NUREG/CR-3331 criteria | System 80+ Auto Init | Manual Init | Control | Justification for solely manual init/cntl of protective system (IEEE 603-1991)
1. Main Feed | No | | 8 | No | Yes | Alt |
2. Start Up Feed | No | | 5; 9a,d,f | Yes | Yes | Comp |
3. Emergency Feed | Yes (GDC 20; 50.34(f)(2)(xii); 50.62(c)) | Auto & Manual init | 1b-d; 2; 9e | EFAS | Yes | Comp |
4. Rapid Depressurization System (Safety Depressurization) | No | | (3b; 4); 6 | No | Yes | Manual |
5. Shutdown Cooling | Yes (GDC 20) | Auto init | (1c); 6 | No | Yes | Alt | SCS not initially useful as success path in DBEs, and inadvertent initiation is problematic; thus, manual operation is desirable. Actions performed under normal MCR habitability conditions.

Table 4 SUCCESS PATH ALLOCATIONS (page 8 of 10)

CRITICAL FUNCTION: G. Containment Isolation

Success Path | Protective System or Commodity? | 10 CFR 50 requirement | NUREG/CR-3331 criteria | System 80+ Auto Init | Manual Init | Control | Justification for solely manual init/cntl of protective system (IEEE 603-1991)
1. Penetration Flowpath Isolation | Yes (GDC 20; 50.34(f)(2)(xiv)) | Auto init, manual reset | 1b-d; 2; 9e | CIAS | Yes | |
2. Penetration Flowpath Control | No | | 8 | No | Yes | Manual |

Table 4 SUCCESS PATH ALLOCATIONS (page 9 of 10)

CRITICAL FUNCTION: H. Containment Environment

Success Path | Protective System or Commodity? | 10 CFR 50 requirement | NUREG/CR-3331 criteria | System 80+ Auto Init | Manual Init | Control | Justification for solely manual init/cntl of protective system (IEEE 603-1991)
1. Containment Spray | Yes (GDC 20) | Auto init | 1b-d; 2; 9e | CSAS | Yes | Comp |
2. Fan Coolers | No | | 8 | No | Yes | Alt |
3. H2 Recombiners | Yes (GDC 20) | Auto init | (1c); 8 | No | Yes | Manual | H2 Recombiners are not necessary prior to 72 hrs after start of the limiting DBE. Operator has responsibility to set up, initiate, evaluate, and adjust or terminate the Recombiner function. Actions performed in the Nuclear Annex under acceptable post-accident habitability conditions.
4. H2 Purge | No | | (3b,c; 4); 6 | No | Yes | Manual |
5. H2 Igniters | No | | 6 | No | Yes | Manual |

Table 4 SUCCESS PATH ALLOCATIONS (page 10 of 10): this page is rotated in the source and its table contents are not recoverable.

4.4 Other Allocations Supporting System Safety / Operator Performance

The present section reviews some other significant facets of the System 80+ design. While these items are beyond the scope of the present evaluation, they identify additional points of change and improvement of prior design allocations in terms of the criteria of this report.

4.4.1 Added Functions / Features

a) Validated Aggregation of Data - The cross-checking of redundant data channels, and the aggregation of redundant data into representative (i.e., process representation) values, has long been recommended as appropriate for automation and as an unnecessary burden on the human operator. The Nuplex 80+ system implements such features with easy access to individual datum, if desired.

b) Mode Dependency of Alarms - Alarm mode dependency is now a system feature, reducing the number of nuisance alarms. Mode shifts are fully automated post-trip, and partially automated in other cases (requiring the operator to respond to a prompt).

c) Explicit Display of Derived Parameters - Important derived operating data such as heatup and cooldown rates, and density compensations, are directly displayed by the system rather than requiring operator calculation or inference.

d) Low Power Feedwater Control - This has historically been a problem task for human operators and a source of unnecessary trips due to long lags and complex dynamics in the process. The automatic Low Power Feedwater Control system has been proven as an operational success on the System 80 plant, and improves power production reliability.

e) Automatic Testing Features - Digital technology has made the successful automation of various test features possible. Automatic digital PPS surveillance features have been proven as an operational success on Arkansas Nuclear One Unit 2, and will be implemented in Nuplex 80+. Computer Automated Testing (COMAT) algorithms will also be provided for specific systems as support for manual testing activities, by confirming correct 1) test lineups, 2) test performance, and 3) system restoration.


f) Automatic Load Dispatch - The Megawatt Demand Setter allows changing load demands from the grid to be processed automatically, including maintenance of appropriate operating margins. This system has already been approved and installed on earlier generations of Combustion Engineering plants (specifically, LP&L's Waterford 3 and ANO Unit 2).

4.4.2 Removed Functions / Features

a) Automatic Closure of SCS Isolation Valves - This equipment protection feature was a common cause of loss of SCS. Redesign of the system for a higher operating pressure has eliminated the need for the trip.

b) Recirculation Actuation - The change to the In-containment Refuelling Water Storage Tank has eliminated the need to automatically (or manually) switch SI pumps from the RWST to the containment sump on low tank level, thus improving reliability.

c) Required Boronation for Maneuvering Reactivity Control - The addition of four CEAs, and the change from part-length to part-strength (i.e., "grey") control rods, permits plant maneuvering in response to load transients without the need to change soluble boron concentration. The CEA maneuvering response can be performed automatically (see 4.1.1.f) or manually. Boronating remains a manual function, but is no longer required as part of this evolution.

d) Automatic Isolation of Emergency Feedwater - The addition of cavitating venturis to the EFW headers, which limit feed flow to SGs with a steam or feed line rupture, makes the automatic isolation feature that formerly mitigated these events unnecessary. Manual isolation of the EFW headers remains possible.

4.4.3 Miscellaneous 10 CFR Conformance

The single remaining allocation criterion of Section 2.1 that has not yet been addressed is met as follows:

Automatic Initiation of Turbine Trip - Automatic turbine trip presently is in use at all operating Combustion Engineering units, and will be incorporated as a standard System 80+ feature.

5.0 RESULTS

As a descriptive evaluation, this report did not aim to create or revise the design. Perhaps its main benefit has been to improve the author's understanding of the System 80+ design. Nonetheless, some constructive if miscellaneous observations on the evolution and incorporation of certain design details are collected here, and could be viewed as "results".

5.1 Emergency Procedure Guidelines

One important perspective on the use of plant systems to maintain CSFs is provided by the EPGs. It is notable that developing the present report provided a nexus for the discussion of operating issues that resulted in some useful feedback to the EPG developers. For example, the draft revision of the EPGs showed both Hydrogen Purge and the Igniters being started concurrently. However, this would be undesirable; they should be successive and independent success paths. Also, the present report anticipated the addition of the SDS system to the Heat Removal recovery guidelines. While these points only reflect, rather than effect, the design, they do suggest that the evaluation has been a coherent, even constructive effort.

5.2 Reg Guide 1.97

The results of this study informally reiterate the ABB-CE response to DSER Open Item 7.5.2.1-1; i.e., that there are no manual protective functions (and thus no Type A variables or Class 1E alarms) in the System 80+ design.

5.3 Operating Experience

Virtually all of the changes described in Sections 4.4.1 and 4.4.2 of this report are a direct result of incorporating operating experience with similar plants in the design of System 80+.

5.4 Functional Task Analysis

Improved operator support through adjustments to the "allocation" of information display functions was suggested by the results of initial task analysis (Reference 21). The concerns were based on estimated operator task loadings (time required vs. time available); resolutions were suggested in keeping with the Appendix A criteria. These results are being addressed in the detailed design (as will any subsequent task analysis results), to ensure acceptable task workload levels are maintained.


6.0 CONCLUSIONS

This report has been a descriptive evaluation of the allocation of critical safety functions in the System 80+ design. The analysis assumes that existing plants of similar design with extensive, successful operating histories are a valid reference point from which to evaluate evolutionary changes and improvements. The conclusions of this evaluation are summarized as follows:

1. Critical Safety Functions (CSFs) have not changed between System 80 and the System 80+ plants.

2. CSF Success Paths and their control allocations are similar in System 80 and System 80+; changes and additions have been few, and afford well-considered improvements to overall plant performance.

3. System 80+ meets all safety-related requirements for allocation of function. No additional allocation concerns have been identified.

4. System 80+ provides improvements through revised allocations in areas of known concern to operator performance.

5. Evaluation of the interaction between the human and machine elements of the plant control system, and resolution of specific problems identified, will continue as part of Task Analysis, PRA, Verification & Validation, and procedure development activities.

6. This report satisfies the requirements of Section A-3.3.2.2 of the System 80+ HFE Program Plan (Reference 6), and of Elements 3 and 4 of the HFE Program Review Model (Appendix E of Reference 2) for System 80+ Certification.

7.0 REFERENCES

1) Guidelines for Control Room Design Reviews (NUREG-0700). U.S. Nuclear Regulatory Commission (1981).

2) Advanced Control Room Design Review Guidelines (NUREG-5908; draft). U.S. Nuclear Regulatory Commission (1992).

3) Code of Federal Regulations, Title 10, Chapter I - Nuclear Regulatory Commission, Part 50 - Domestic Licensing of Production and Utilization Facilities (10 CFR 50). Office of the Federal Register (1992).

4) System 80+ Standard Safety Analysis Report (CESSAR-DC). ABB Combustion Engineering, Inc.

5) Regulatory Analysis for Resolution of USI A-17 (NUREG-1229). U.S. Nuclear Regulatory Commission (1989).

6) Human Factors Program Plan for the System 80+ Standard Plant Design (NPX80-IC-DP790-01, Rev 1). ABB Combustion Engineering, Inc. (1992).

7) Minutes of Public Meeting (September 10 and 11, 1992; Windsor, CT) between representatives of the NRC Human Factors Branch Staff and the ABB Combustion Engineering MMI Group regarding Human Factors Engineering design issues.

8) Operating Experience Review for System 80+ MMI Design (NPX80-IC-RR790-01, Rev 0). ABB Combustion Engineering, Inc. (1992).

9) Human Engineering Requirements for Military Systems, Equipment, and Facilities (MIL-H-46855B). Department of Defense (1979).

10) The Operator's Role and Safety Functions (TIS-6555A). ABB Combustion Engineering (1980).

11) Time Response Design Criteria for Nuclear Safety Related Operator Actions (ANS 58.8-1984). American Nuclear Society (1984).

12) IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations (IEEE 279-1971). Institute of Electrical and Electronics Engineers (1971).

13) IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (IEEE 603-1991). Institute of Electrical and Electronics Engineers (1991).

14) IEEE Guide for the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations (IEEE 1023-1988). Institute of Electrical and Electronics Engineers (1988).

15) A Methodology for Allocating Nuclear Power Plant Control Functions to Human or Automatic Control (NUREG/CR-3331). U.S. Nuclear Regulatory Commission (1983).

16) Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems (Reg Guide 1.47). U.S. Nuclear Regulatory Commission (1973).

17) Manual Initiation of Protective Actions (Reg Guide 1.62). U.S. Nuclear Regulatory Commission (1973).

18) Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident (Reg Guide 1.97). U.S. Nuclear Regulatory Commission (1983).

19) Criteria for Power, Instrumentation, and Control Portions of Safety Systems (Reg Guide 1.153). U.S. Nuclear Regulatory Commission (1985).

20) Emergency Procedure Guidelines (CEN-152, Rev 3). ABB Combustion Engineering, Inc.

21) System 80+ Function & Task Analysis Report (NPX80-IC-DP790-02). ABB Combustion Engineering, Inc. (1989).

22) Advanced Light Water Reactor Requirements Document (EPRI URD, Rev B), Chapter 10, Man-Machine Interface Systems. Electric Power Research Institute (1989).

APPENDIX A - FITTS LIST CRITERIA (from NUREG-0700)

Humans excel in:

- Detection of certain forms of very low energy levels
- Sensitivity to an extremely wide variety of stimuli
- Perceiving patterns and making generalizations about them
- Detecting signals in high noise levels
- Ability to store large amounts of information for long periods and recalling relevant facts at appropriate moments
- Ability to exercise judgment where events cannot be completely defined
- Improvising and adopting flexible procedures
- Ability to react to unexpected low probability events
- Applying originality in solving problems, i.e., alternative solutions
- Ability to profit from experience and alter course of action
- Ability to perform fine manipulation, especially where misalignment appears unexpectedly
- Ability to continue to perform when overloaded
- Ability to reason inductively

Machines excel in:

- Monitoring (both personnel and equipment)
- Performing routine, repetitive, or very precise operations
- Responding very quickly to control signals
- Exerting great force, smoothly and with precision
- Storing and recalling large amounts of information in short time periods
- Performing complex and rapid computation with high accuracy
- Sensitivity to stimuli beyond the range of human sensitivity (infrared, radio waves, etc.)
- Doing many different things at one time
- Deductive processes
- Insensitivity to extraneous factors
- Ability to repeat operations very rapidly, continuously, and precisely the same way over a long period
- Operating in environments which are hostile to humans or beyond human tolerance

APPENDIX B - FUNCTION ALLOCATION CRITERIA (from NUREG/CR-3331)

FUNCTION ALLOCATION CRITERIA

The following guidelines and criteria are adapted from NUREG/CR-3331, A Methodology for Allocating Nuclear Power Plant Control Functions to Human or Automatic Control. Tradeoff mechanisms and Fitts list-type human performance criteria are provided in the form of a decision algorithm (see also Appendix A, "Fitts List Criteria"). The algorithm can be applied at any level of detail; however, engineering judgment must be applied to determine when the design description is sufficiently detailed for the purpose at hand. This provides an expedient framework for designers and evaluators to verify appropriate allocations of plant control functions in any aspect of the design.

1. Is automation mandatory?

a. Are working conditions hostile to humans?
b. Are tasks included which humans cannot perform?
c. Is automation required by law or regulations?
d. Is automation required to assure plant safety or protection?

Yes (any) - Go to step 2.
No (all) - Go to step 3.

(If automation is required only in part, then the design description may be detailed to identify that part.)

2. Is automation technically feasible?

a. Are proven technologies available?
b. Are the costs and development / delivery times acceptable?

Yes (all) - Tentatively allocate to auto; go to step 9.
No (any) - Redefine the function(s), allocation, or engineering solution.


3. Is human performance mandatory?

a. Is automation technically infeasible?
b. Is a human required to retain policy-level or ultimate control?
c. Is a human required by law or regulation?

Yes (any) - Go to step 4.
No (all) - Go to step 5.

(If a human operator is required only in part, then the design description may be detailed to identify that part.)

4. Is human performance a feasible solution?

a. Can humans perform the specified tasks?
b. Are the costs and development / delivery times of the necessary support (e.g., procedures, training, etc.) acceptable?

Yes (all) - Allocate to human; go to step 11.
No (any) - Redefine the function(s), allocation, or engineering solution.

5. Is automation clearly preferable to human operators?

a. Is automation technology well-established as suitable? (i.e., effective, reliable, cost-effective, etc.)
b. Is human performance acknowledged as less satisfactory?

Yes (all) - Tentatively allocate to auto; go to step 9.
No (any) - Go to step 6.

(If automation is preferable only in part, then expand the design description sufficiently to identify that part.)


6. Is human performance clearly preferable to automation?

a. Is human performance regarded as clearly necessary, or superior to automation?

Yes - Allocate to human; go to step 11.
No - Go to step 7.

(If a human operator is preferable only in part, then the design description may be detailed to identify that part.)

7. Is the segment a suitable candidate for automation?

a. Is the segment comprised of mechanistic or repetitive tasks?
b. Does the segment require sustained vigilance?
c. Does the segment require extremely rapid or consistent responses?
d. Is the segment comprised of well-defined and highly predictable conditions, actions, and outcomes?
e. Is the segment likely to be required at the same time as a large (i.e., excessive) number of other tasks?
f. Does the segment require the collection, storage, manipulation, or recall of data in substantial amounts, or with high accuracy?

Yes (any) - Tentatively allocate to auto; go to step 9.
No (all) - Go to step 8.

8. Is the segment suitable for human operator performance?

a. Is it within the realm of human strengths and capabilities?
b. Will the task form an appropriate and satisfactory part of an operator's job? (i.e., cannot be trivial, demeaning, or comprised of leftovers)
c. Will it allow the operator to maintain satisfactory workload? (i.e., neither too high nor too low)

Yes (all) - Allocate to human; go to step 11.
No (any) - Go to step 10.


9. Reconsider the tentative automatic allocations in terms of their negative impact on human operator performance.

a. Would manual performance of the task help to keep the operator engaged with the plant, informed of process status, or prepared to plan and solve problems?
b. Would manual performance of the task provide the operator with important opportunities to develop or maintain valuable skills or knowledge?
c. Will absolute implementation of the automatic feature(s) contribute to operator underloading (e.g., boredom)?
d. Would the option for manual control from the control room afford desired flexibility?
e. Would the option for manual control from the control room afford more reliable performance of the function?
f. Would the option for manual control from the control room be desirable for testing, maintenance, or management of off-normal conditions?

Yes (any) - Make a tentative allocation to automation with operator discretion. If operator discretion is superordinate (man selects auto or manual modes) then go to step 11. If operator discretion is subordinate (man may initiate but not override automatic action), go to step 12.
No (all) - Allocate to automation; go to step 12.

10. If any segments remain unallocated, apply the following criteria:

a. Comparative cost of human and automated options
b. Consistency with preceding design goals and selections
c. Available technologies
d. Customer preference
e. Operator acceptance

or, redefine the function(s), allocation, or engineering solution.

If allocated to automation, go to step 9.
If allocated to human operator, go to step 11.


11. Consider residual automated and control system support for the operator:

a. Data display and integration
b. Monitoring of limits and detection of abnormalities
c. Hierarchical access to indicating and control options
d. Automatic control of inner loops
e. "Fail safe" controls
f. (etc.)

Complete any required documentation.

12. Consider the residual role of the human operator in support of the automated function:

a. Policy-level control (e.g., initiation of transitions to less conservative plant states)
b. Awareness of automatic system status, transitions, availability, etc.
c. Detection of abnormalities and management of failures, including those in "hidden" or low-level features
d. Emergency initiation or shutdown
e. Override of selected interlocks under specified conditions
f. Removal of equipment from service
g. Status of local transfer or test switches

Complete any required documentation.
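As an added illustration (not code from this report or from NUREG/CR-3331), the twelve-step decision algorithm above can be written as a small Python function so that an allocation and its justification trace can be reproduced mechanically. The question identifiers (1a through 9f) follow the step and letter labels of this appendix; the sample answer sets are constructed here from the justification codes printed in Table 4, and the `cite` helper renders a walk of the algorithm in that table's notation (e.g. "1b-d; 2; 9d,e" for Reactor Trip). Step 10 has no lettered sub-questions, so its outcome is passed in by the caller.

```python
"""NUREG/CR-3331 function-allocation decision algorithm (Appendix B).

Added illustration only: not code from the ABB-CE report.  Question ids use the
appendix's step/letter labels; the answer sets in main() are constructed from the
Table 4 justification codes, not taken from any design file.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Sub-questions of each step, in the order Appendix B lists them.
QUESTIONS: Dict[int, str] = {
    1: "abcd", 2: "ab", 3: "abc", 4: "ab", 5: "ab", 6: "a",
    7: "abcdef", 8: "abc", 9: "abcdef",
}


@dataclass
class Allocation:
    result: str                  # "auto", "auto/operator discretion", "human", "redefine"
    next_step: Optional[int]     # 11 (support for the operator) or 12 (residual operator role)
    trace: List[str] = field(default_factory=list)   # question ids that decided the path


def allocate(yes: Set[str], superordinate: bool = False,
             step10: Optional[str] = None) -> Allocation:
    """Walk steps 1-10 of the appendix for one function segment.

    yes:           question ids answered "yes", e.g. {"1b", "1c", "1d", "2a", "2b", "9e"}
    superordinate: step 9 discretion lets the operator select auto or manual modes
                   (go to 11) rather than merely initiate (go to 12)
    step10:        outcome of the residual step-10 criteria, "auto" or "human"
    """
    trace: List[str] = []

    def hits(step: int) -> List[str]:
        return [f"{step}{q}" for q in QUESTIONS[step] if f"{step}{q}" in yes]

    def any_yes(step: int) -> bool:          # "Yes (any)" decision rule
        h = hits(step)
        trace.extend(h)
        return bool(h)

    def all_yes(step: int) -> bool:          # "Yes (all)" decision rule
        h = hits(step)
        if len(h) != len(QUESTIONS[step]):
            return False
        trace.extend(h)
        return True

    def step9() -> Allocation:               # reconsider a tentative automatic allocation
        if any_yes(9):
            return Allocation("auto/operator discretion", 11 if superordinate else 12, trace)
        return Allocation("auto", 12, trace)

    if any_yes(1):                           # 1: automation mandatory?
        return step9() if all_yes(2) else Allocation("redefine", None, trace)   # 2: feasible?
    if any_yes(3):                           # 3: human performance mandatory?
        return Allocation("human", 11, trace) if all_yes(4) else Allocation("redefine", None, trace)
    if all_yes(5):                           # 5: automation clearly preferable?
        return step9()
    if any_yes(6):                           # 6: human clearly preferable?
        return Allocation("human", 11, trace)
    if any_yes(7):                           # 7: suitable candidate for automation?
        return step9()
    if all_yes(8):                           # 8: suitable for the operator?
        return Allocation("human", 11, trace)
    trace.append("10")                       # 10: residual criteria (cost, consistency, ...)
    if step10 == "auto":
        return step9()
    if step10 == "human":
        return Allocation("human", 11, trace)
    return Allocation("redefine", None, trace)


def cite(trace: List[str]) -> str:
    """Render a trace in the Table 4 justification style, e.g. "1b-d; 2; 9d,e"."""
    by_step: Dict[int, List[str]] = {}
    for qid in trace:
        if qid.isdigit():                    # a step with no lettered sub-questions (step 10)
            by_step.setdefault(int(qid), [])
        else:
            by_step.setdefault(int(qid[:-1]), []).append(qid[-1])
    parts = []
    for step in sorted(by_step):
        letters = sorted(set(by_step[step]))
        if letters == list(QUESTIONS.get(step, "")):   # every sub-question answered yes
            parts.append(str(step))
            continue
        runs, start = [], 0
        for i in range(1, len(letters) + 1):            # collapse runs of 3+ consecutive letters
            if i == len(letters) or ord(letters[i]) != ord(letters[i - 1]) + 1:
                run = letters[start:i]
                runs.append(f"{run[0]}-{run[-1]}" if len(run) >= 3 else ",".join(run))
                start = i
        parts.append(f"{step}{','.join(runs)}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed answer sets mirroring three Table 4 rows (Reactivity Control).
    cases = {
        "Reactor Trip": {"1b", "1c", "1d", "2a", "2b", "9d", "9e"},
        "CVCS (boration)": {"8a", "8b", "8c"},
        "Rod Control": {"6a"},
    }
    for name, answers in cases.items():
        a = allocate(answers)
        print(f"{name:16} -> {a.result:26} next step {a.next_step}; code {cite(a.trace)}")
```

Run stand-alone, the three constructed cases reproduce the Table 4 codes "1b-d; 2; 9d,e", "8" and "6", with Reactor Trip landing on automation with subordinate operator discretion (manual initiation allowed, no override; continue at step 12) and the two CVCS and rod control paths allocated to the operator (continue at step 11). Parenthesized partial-applicability codes such as "(1c); 6" are not modelled.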
