ML20044B941

From kanterella
Jump to navigation Jump to search
Rev 0 to Human Factors Evaluation & Allocation of Sys 80+ Functions.
ML20044B941
Person / Time
Site: 05200002
Issue date: 02/23/1993
From:
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY, ASEA BROWN BOVERI, INC.
To:
Shared Package
ML20044B940 List:
References
NPX80-IC-RR790, NPX80-IC-RR790-02-R0, NPX80-IC-RR790-2-R, NUDOCS 9303150104
Download: ML20044B941 (72)


Text

_ _ _ - - - _ _ __ _ _ - . __ - . . .. . . _

l NUMAN FACTORS EVALUATION AND ALLOCATION OF- j l

SYSTEM 80+ FUNCTIONS  !

l i

)

l NPX80-IC-RR790-02 Revision 00 f February 23, 1993 ABB COMBUSTION ENGINEERING, INC.

Nuclear Power Windsor, Connecticut 06095-0500 l

l l

1 I-i 1

1 9303150104 DR 930304 v'" l ADOCK 05200002  !

PDR }

i I

System 80+ Functions i u TABLE OF CONTENTS .

1 i

ABBREVIATIONS i

DEFINITIONS

1.0 INTRODUCTION

............................................ 1 l 2.0 REQUIREMErvTS ............................................ 3 ,

3.0 APPROACH ............................................... 11 l 4.0 EVALUATION ............................................. 14 [

5.0 RESULTS ................................................ 55

6.0 CONCLUSION

S ............................................ 56

7.0 REFERENCES

............................................. 57 APPENDIX A - FITTS LIST APPENDIX B - FUNCTION ALLOCATION CRITERIA NPX80-IC-RR790-02 Revision 00 ii of vi r

System 80+ Functions ABBREVIATIONS AAM Automatic-AND-Manual ABB-CE Asea Brown Boveri - Combustion Engineering AC Alternating Current AFW Auxiliary Feedwater ANS American Nuclear Society ANSI American National Standards Institute APS Auxiliary Protection System ATWS Anticipated Transient Without Scram Auto Automatic AVS Annulus Ventilation System CEA Control Element Assembly CFR Code of Federal Regulations CIAS Containment Isolation Actuation Signal Cntl Control CSAS Containment Spray Actuation Signal Ctat Containment CVCS Charging and Volume Control System DBE Design Basis Events DC Direct Current ,

DG Diesel Generator DVI Direct Vessel Injection EFAS Emergency Feedwater Actuation Signal EFW Emergency Feedwater EFWST Emergency Feedwater Storage Tank GDC General Design Criterion LOOP Loss Of Offsite Power IEEE Institute of Electrical and Electronics Engineers Init Initiate, Initiation MOA Manual-OR-Automatic MSIS Main Steam Isolation Signal MXR Manual-XOR-Automatic NRC Nuclear Regulatory Comnission PORV Power Operated Relief Valve PPS Plant Protection System PWR Pressurized Water Reactor PZR Pressurizer RCGV Reactor Coolant Gas Vent ,

RCGVS Reactor Coolant Gas Vent System l RCS Reactor Coolant System l RD Rapid Depressurization  !

RDS Rapid Depressurization System l RG Regulatory Guide RPS Reactor Protection System Rx Reactor SCS Shutdown Cooling System SDS Safety Depressurization System l

NPX80-IC-RR790-02 Revision 00 iii of vi 1

l l

l 1

System 80+ Functions i

i SG Steam Generator '

SGTR Steam Generator Tube Rupture l SI Safety Injection j SIS Safety Injection System ,

SIAS Safety Injection Actuation Signal j SIT Safety Injection Tank SPS Supplementary Protection Signal  ;

S/U Start Up I Xfmr Transformer )

i l

i l

I l

I I

l l 0 1

l NPX80-IC-RR790-02 Revision 00 iv of vi l r l

l

i I

l 1

System 80+ Functions j i

I DEFINITIONS Allocation of Function - The decision to use manual or automatic  !

control in the design of a particular system operating feature.  ;

Automatic - A type of control in which the main switching and/or l regulating features are governed by machine devices, without need  !

l l for human supervision or intervention. l l

Automatic-AND-Manual (AAM) - A system configuration affording both manual and automatic control modes in which the operator has discretion to implement manual control at any time, but not to l l

defeat automatic control, (excluding resets and operating ,

bypasses; e.g., reactor trip). This strategy tends to increase l the likelihood of executing the function.

Critical Safety Functions - The safety functions for the System 80+ design and its predecessors.

Critical Operator Actions - Human operator tasks identified by the PRA to contribute significantly to overall risk in the System 80+ design.

Desian Basis Events - Events evaluated by CESSAR-DC Chapter 15 safety analyses (Reference 4).

Manual - A type of control in which the main switching and/or regulating features are governed by human operator (s). l l

Manual-OR-Automatic (MOA) - A system configuration affording both manual and automatic control modes, in which the operator has discretion over which mode of control is in use (e.g.,

pressurizer spray). This strategy tends to provide increased l flexibility to the operator (e.g., to balance workload or manage l unusual conditions).

Manual-XOR-Automatic (MXA) - A system configuration with both (i.e., mutually exclusive) manual and automatic control requirements.

Non-safety System - A system not relied on to remain functional during design basis events.

Operatina Bypass - Inhibition of the capability for a protective action that could otherwise occur in response to plant conditions.

NPX80-IC-RR790-02 Revision 00 v of vi

i System 80+ Functions Protective Action - The generation of signal (s) by the process monitoring and equipment command features to initiate reactor trip and/or engineered safety feature operation (i.e., protective systems).

Protective System - A system relied on (i.e., credited in CESSAR-DC Chapter 15 analyses) to mitigate DBEs by performing the specified safety function. i Safety Functions - Physical processes, conditions, or actions relied on to maintain the plant within acceptable design basis limits, i.e. to prevent core melt and to ensure radiation releases do not exceed the limits of 10 CFR 100.

Seament - In Appendix B, a segment is any unit of functional decomposition (function, subfunction, task, etc.) proposed for allocation. This generic term is used to avoid invoking preconceptions about system hardware that might be implied for some readers by more frequently used systems terminology.

Success Path - A set of physical process commodities and equipment that, if available, are sufficient to perform a particular safety function in the design. i Unanticipated Systems Interaction - The undesired propagation of i results to one system (subsystem, division, train, component, structure, segment, etc.) due to a single credible failure within another system, by means of inconspicuous interdependencies between the systems (per NUREG-1229, Reference 5).

I l

NPX80-IC-RR790-02 Revision 00 vi of vi

.w-

i e

System 80+ Functions

1.0 INTRODUCTION

1.1 Background The identification of system functional requirements, and the subsequent allocation of the functions to man and machine are '

part of a generic, top-down approach to systems design (Reference  ;

1 1 2). The general concern, from a human factors standpoint, is ,

that the task demands on human operators consistently remain within the effective limits of their abilities. One specific goal is to avoid excessive (or insufficient) levels of workload. i A second, related goal is that the supervisory activity normally required of operators ensures their awareness of process status, {

and their readiness to perform safety-related functions.

Concerns that automated systems can give rise to problems in l these areas has led to an increasing emphasis on the allocation  :

of functions in design. l Of course, these are not the only concerns in allocation. Of '

greatest importance in nuclear power plant design is the maintenance of plant safety. To this end, a variety of specific  ;

requirements on the allocation of certain safety-related functions exist that must be met by the design (e.g., Reference l 3). The operator's present role in existing-plants has evolved  !

within these constraints. ,

As an evolutionary Pressurized Water Reactor (PWR) design, System 80+ has been developed in light of the success and experience accrued from prior generations of similar Combustion Engineering plants (see Reference 4, Table 1.3-1). In particular, the ABB-CE Critical Functions (i.e., safety functions) have proved  ;

themselves to be a sufficient and effective framework for emergency operations and maintaining plant safety.

1.2 Purpose The purpose of the present report is to explain how System 80+

conforms to the existing Critical Functions framework to meet the ~

applicable requirements and intentions of industry guidance for plant safety and emergency operations. The report identifies:  ;

1) requirements and guidelines applicable to the issues of functional analysis and allocation;
2) the ABB-CE plant operators' role as it has evolved and culminated in System 80+, with an emphasis on safety functions; and NPX80-IC-RR790-02 Revision 00 1 of 58 .

l l

l . - , . . _ ,_ -. _ , .

~ . - -- .. . .- a . - . . _ . . . ---a

. ----,a a a i

l l

l System 80+ Functions l

3) how System 80+ meets the safety-related requirements.

This report responds to the requirements of the ABB-CE Human  !

Factors Program Plan (Reference 6, Section A-2.3). In addition, l it addresses Elements 3 and 4 of Reference 2, per the agreements  !

of Reference 7. The commitments of Reference 7 included the ,

submission of the present report, an " explanation-of-functions" 1 paper grounded in System 80+ Critical Safety Functions that j describes:

1) the baseline system; l i
2) its functional objectives, requirements and allocations to human and machine elements-
3) changes to these requirements effected by the new system;
4) auditable bases for the allocations; i
5) analyses of particular allocation problems in predecessor plants; and  ;

i

6) activities confirming that personnel can propa ly perform j l tasks allocated to them. l The present report addresses each.of these areas. Further l

details may be obtained from References 4 and 8, and future t l

evaluation activities; see Section 3.4.  !

I  !

1.3 Scope  !

l .The scope of the present report is on the Safety Functions and -

Success Paths required to accommodate design basis events. The Safety Functions and their Success. Paths are-the means by which the System 80+ design safely accommodates all anticipated 1 operating cccurrences during normal, abnormal, and emergency j conditions. Events beyond design basis, such as severe accidents l or unanticipated systems interactions (Reference 5), are not I addressed by this evaluation. l In addition, passive or inherent functions are' generally outside the realm of the allocation concept. However, where these are credited for achieving Safety Functions, they have been treated as automatic functions in the evaluation.

1 L

i l NPX80-IC-RR790-02 Revision 00 2 of 58 _

l

i J

System 80+ Functions c

2.0 REQUIREMENTS I A variety of federal regulations, industry standards, and (

regulatory guidelines apply to the issues of PWR plant functional l design and the allocation of functions to human and/or machine  ;

l control. Both general and specific items are found. Relevant l portions are reviewed here to identify specific requirements i governing allocation. The resulting criteria are specified under l Section 3.3 of.the Approach, for application in the subsequent l Evaluation.

3 l

Please note that references within a document description refer ,

to the numbering scheme used in that document; references to  !

other documents will identify the document specifically; l references to the present report, where used, will  :

parenthetically indicate to "see" the indicated Section.  !

Material is not presented word for word or in its entirety from j the original sources; it has been paraphrased for brevity and I clarity. While it is felt that the original authors' intentions have been retained, readers with specific concerns should consult l the original sources. l 2.1 10 CFR 50 - Code of Federal Reculations: Nuclear Reaulatory Commission (Reference 3)

J 4

Part 50, " Domestic licensing of production and utilization )

3 facilities," provides several specific allocation requirements. -

2.1.1 General Design Criteria (10 CFR 50, Appendix A)

Automatic initiation of protective systems including reactivity control systems and associated systems and components important to safety; GDC 20.

2.1.2 Additional TMI-related requirements (10 CFR 50.34(f))

a) Automatic indication of the Bypassed and Inoperable Status of Safety Systems; 50. 34 (f) (2) (v) .

b) Automatic and manual initiation of auxiliary (and/or emergency) feedwater systems; 50.34 (f) (2) (xii) and 50.62(c).

c) Automatic actuation of containment isolation systems, including all non-essential systems, on high containment pressure; 50. 34 ( f) (2) (xiv) l l

NPX80-IC-RR790-02 Revision 00 3 of 58 ,

-. ,w -

,, >--s, , , ,- - , ,- --.--,n .-,.,,e, -

m e,,- -- ,--n.e-,

System 80+ Functions d) Ho automatic reopening of automatically closed containment isolation valves on reset of automatic containment isolation signals; 50. 34 (f) (2) (xiv) (C) .

e) Automatic isolation of containment system paths to environs on high radiation; 50.34 (f) (2) (xiv) (E) .

2.1.3 Requirements for reduction of risk from ATWS events for light-water-cooled nuclear power plants (10 CFR 50.62)

Automatic initiation of turbine trip; 50.62(c).

2.2 ANSI /ANS 58.8-1984 - Time Response Desian Criteria for Nuclear Safetv-related Operator Actions (Reference 11)

These criteria specify time test requirements to be met by design and nuclear-safety analyses, for credit to be taken for manual operator actions that initiate and/or control nuclear-safety system actions. If the manual time test requirements cannot be met, then additional control automation (or other mitigating steps) are necessary for resolution. The response time criteria of the Standard are based on simulator data; 95% confidence levels are established for the sufficiency of the defined intervals to permit operator action (these have since been validated as conservative with further testing for an upcoming  ;

revision of the Standard.)  !

The criteria of ANSI /ANS 58.8 are applied as part of the safety analyses during design, and the final results are provided in Chapter 15 of CESSAR-DC. Any issues identified in Chapter 15 are addressed as part of the safety analysis and Standard Review, and the results incorporated in the System 80+ design and design basis documentation. The ANSI /ANS 58.8 criteria will thus not be utilized further in the present report.

2.3 IEEE 279-1971 - IEEE Standard Criteria for Protection Systems for Nuclear Power Generatina Stations (Reference 12)

Section 4.17, " Manual Initiation" (to which RG 1.62 replied; see Section 2.9) presented specific requirements relating to allocations. However, for the purposes of function allocation, this document has been incorporated in and superseded by the current version of IEEE 603.

NPX80-IC-RR790-02 Revision 00 4 of 58

J l

System 80+ Punctions l l

2.4 IEEE 603-1991 - IEEE Standard Criteria for Safety Systems l for Nuclear Power Generatina Stations (Reference 13) l This Standard is an update of IEEE 603-1980, primarily in ,

response to the comments of RG 1.153 (whose technical input was, i essentially, incorporated by the revision.) The following requirements from IEEE 603-1991 are relevant to functional analysis and allocation:

2.4.1 Safety System Design Basis (Section 4)

I The following are part of the design basis documentation requirements for protective actions corresponding to safety l functions in each design basis event: ,

1 Solelv Manual Initiation (4.5.2) - The justification must be ,

documented for permitting initiation, or control subsequent I to initiation, solely by manual means.

Rance of Environmental Conditions (4. 5. 3 ) - The range of environmental conditions imposed on the operator in which .

the manual operations must be performed shall be documented. l 2.4.2 Safety System Criteria (Section 5)

The following are system functional and design requirements  !

to ensure that plant parameters are maintained within j acceptable limits for each design basis event: l l

Comoletion of Protective Action (5.2) - Safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion. l Deliberate operator action shall be required to return the safety systems to normal. This requirement shall not preclude the use of equipment protective devices identified in 4.11 of the design basis [i.e., that can prevent a system from accomplishing its function) or the provision for deliberate operator interventions..

Human Factors (5.14) - Human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operator (s) and maintainer (s) can be successfully accomplished to meet the safety system design goals.

NPX80-IC-RR790-02 Revision 00 5 of 58 . .

_ _ _ . _ _ _ _ _ . ~ . . . - - . - ~ _ _ _ . . . . _ . . , . , , _ _ . _ _., . , _ _ _ . _ - . _

l l

l System 80+ Functions 2.4.3 Sense and Command Features - Functional and Design i Requirements (Section 6) l In addition to the functional and design requirements of Section 5, these requirements apply to sense and command features:

Automatic Control (6.1) - Means shall be provided to automatically initiate and control all protective actions except as justified in 4.5. The safety system design shall -

be such that the operator is not required to take any action prior to the time and plant conditions specified in 4.5 following the onset of each design basis event. At the option of the safety system designer, means may be provided to automatically initiate and control those protective actions of 4.5.

Manual control (6.2) - Means shall be provided in the control room to manually initiate all automatically initiated protective actions at the division level, and to manually initiate and control protective actions identified in 4.5 that have not been selected for automatic control under 6.1.

Operatina Bvoasses (6.6) - Whenever applicable permissive conditions are not met, a safety system shall automatically ,

prevent the activation of an operating bypass, or initiate l the appropriate safety function. If plant conditions change l so that an activated operating bypass is no longer permissible, the safety system shall automatically do one of I the following (6.6): l

1) Remove the appropriate active operating bypass (es).
2) Restore plant conditions so that permissive conditions once again exist.
3) Initiate the appropriate safety function.

2.4.4 Executive Features - Functional and Design Requirements (Section 7)

In addition to the functional and design requirements of Section 5, these requirements apply to executive features:

Automatic Control (7.1) - Capability shall be incorporated in the execute features to receive and act upon automatic control signals from the sense and command features consistent with 4.4 of the design basis (i.e., the variables monitored as the basis for control).

NPX80-IC-RR790-02 Revision 00 6 of 58

1 1

System 80+ Functions Manual Control (7.2) - If manual control of any actuated

! component in the execute features is provided, the additional design features in the execute features necessary to accomplish such manual control shall not defeat the requirements of 5.1 [i.e., single failure criteria) and 6.2.

Capability shall be provided in the execute features to receive and act upon manual control signals from the sense and command features consistent with the design basis.  !

Completion of Protective Action (7.3) - The design of the execute features shall be such that, once initiated, the protective actions of the execute features shall go to completion. This requirement shall not preclude the use of equipment protective devices identified in 4.11, or the-provision for deliberate operator interventions. When the sense and command features reset, the execute features shall ,

not automatically return to normal; they shall require separate, deliberate operator action to be returned to normal.

Operatina Bvoasses (7.4) - [As for 6.6.]

2.5 IEEE 1023-1988 - IEEE Guide for the Acolication of Human i Factors Engineerina to Systems. Ecuioment, and Facilities of Nuclear Power Generatina Stations (Reference 14)

Section 6, " Implementation in the Design, Operations, Testing, and Maintenance Process," includes guidance for planning, documentation, and review of experience. It proposes a typical program plan (see Figure 1) that includes analysis and allocation of functions for new designs, but not for modifications to 1' existing ones (any evolutionary design is some balance of the two). The specific guidance provided is as follows:

a) Functional Analysis - Functions required to meet the system design objectives should be determined (6.1.1.3).

b) Function Allocation - Functions should be allocated to the  ;

human operator (s) and maintainer (s), to machines, or to a i combination of humans and machines (6.1.1.4).

2.6 NUREG-0700 - Guidelines for Control Room Desion Reviews (Reference 1)

Appendix B, " Systems / Operations Design Analysis Techniques,"

provides high-level guidance on the overall systems design NPX80-IC-RR790-02 Revision 00 7 of 58 .

t l

mxmtmE r o+ 3o#p.o3" Y /

HH N

/I T GG G TN YL TI UU I

NO P tB OO EI U LA RR MTC K C

I BNI Iy HH U TT =

FlE UL O AA llT - -

G DE M EN KK F ES LL N R! A AA O M WT C m' + s s

e c

3 Y

t o

r g

L A L A P NN OG II

$ N A

l g n g

TS K i CE N s ND I e U

F L

D e

m' i

+ ht a

. _ i n

G N E S

T

,T S I N

F N

E G

N I E N

S L AI H f

M E NM sT A ST R 1 o T T 0 R I

I E A R tN RE N NE gn 3 RI E U uM M EM io l

t Y

Q E

T, QU 0E ER NR Fit t

Xn NE a t

L A

R T IOR Ci oU OI RU + c N

N TB RO IQ V

i l

A CO Ft E p

K E

M EJ R NR E p S

PI L D -

A T U E

S N A

t t A T Q A e -

E D

E T S v _

i s _

n l

- e h a e

r

> + p __

m _

_ N N o -

C

_ , O O N I T T I

t

_ O I

SI L N A A n e

S KTP S A5 NO L Y 1 OI U t _

N 0

W S T

SI AR L N1 OY IT TA M p l EI I TC A IL 4 CC I y t

A V

R E

T S

E A N T CA NN NO UL S E T _

V E D R T M UA FL _

E 1

N I

E T

T A  ; >- _

8 S 0 Y S

N

> G N

>- I S

E G D _

I S N D E L E C A E

D t t N N G E E F I

YN O N FI 1T W I F

0S 0X I E N

E D

ME ZmMmO tyM W o'h h<[Pj @ m O" em 4

System 80+ Functions process, including function analysis and allocation. It is based on Reference 9, and is generally consistent with the approach of NUREG/CR-3331. It includes human performance-related allocation criteria in the form of a Fitts list, which has been included in the present report as an aid to designers and evaluators (see Appendix A).

2.7 NUREG/CR-3331 - A Methodoloav for Allocatina Nuclear Power Plant Control Functions to Human or Automatic Control (Reference 15)

This document describes a method by which formal allocation can be included in the systems design process. Based on this document, evaluative criteria in the form of a decision algorithm have been provided as an aid to designers and evaluators in this report (see Appendix B).

2.8 Regulatory Guide 1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems (Reference 16)

This document expanded upon Section 4.13 of IEEE 279-1971, which l has been superseded by IEEE 603 (see Section 2.4), as well as on 10 CFR 50.34 (f) (2) (v) (see Section 2.1.2.a). In general, the concern was that administrative procedures alone were j insufficient to ensure operator cognizance of safety system l operability; the Regulatory Position recommended automatic i (supplemented by manual) bypassed and inoperable status indication for protection systems. IEEE 603-1991 incorporates similar standards in Section 5.8.3. System 80+ conformance to RG 1.47 is addressed in Chapter 7, Section 7.1.2.21 of CESSAR-DC, and is not further treated as an allocation issue in the present report.

i 2.9 Regulatory Guide 1.62 - Manual Initiation of Protective  !

Actions (Reference 17)

This document expanded upon IEEE 279-1971, which has been superseded by IEEE 603 (see Section 2.4). In general, there was a concern for an excessive number of component actions required in the manual initiation of safety functions. While the concerns l of RG 1.62 have been accommodated by subsequent versions of IEEE 603 (see Section 2.11), the allocation-related concerns presented  ;

in the Regulatory Position section of RG 1.62 are summarized here for the sake of completeness.

NPX80-IC-RR790-02 Revision 00 9 of 58

l System 80+ Punctions i

1) Means should be provided for the manual initiation of each '

protective action (e.g., reactor trip, containment isolation) at the system level, regardless of whether means are also provided to initiate the protective action at the component or channel level (e.g., individual control rod, individual isolation valve) (C.1).

1

2) Manual initiation of a protective action at the system level should perform all actions performed by automatic initiation such as starting auxiliary or supporting systems, sending signals to appropriate valve-actuating mechanisms to assure correct valve position, and providing the required action- '

sequencing functions and interlocks (C.2).

3) The switches for manual initiation of protective actions at {

the system level should be located in the control room and be easily accessible (C.3); manual initiation should depend on the operation of a minimum of equipment (C.5).

System 80+ conformance to RG 1.62 is addressed in Chapter 7, i Section 7.1.2.22 of CESSAR-DC, and is not further treated as an allocation issue in the present report.

2.10 Regulatory Guide 1.97 - Instrumentation for Licht-water-cooled Nuclear Power Plants to Assess Plant and Environs conditions Durina and Foll.owinq an Accident (Reference 18)

Regulatory Guide 1.97 has no allocation requirements, per se, but specifies information requirements including Type A variables (supporting fully manual safety actions) similar to 5.8.1 of IEEE 603-1991.

l l

The criteria of RG 1.97 have been met by preceding l generations of ABB-CE plants, and have been applied to the System 80+ design. Conformance to RG 1.97 is addressed in Chapter 7, Section 7.1.2.26 of CESSAR-DC, and is not further treated as an allocation issue in the present report.

2.11 Regulatory Guide 1.153 - Criteria for Power.

Instrumentation. and Control Portions of Safety Systems )

(Reference 19)

This document largely endorsed IEEE 603-1980, with a small number of modest caveats. These remaining issues, in that they related to allocation, have been incorporated in IEEE 603-1991 (see Section 2.4). .

NPX80-IC-RR790-02 Revision 00 10 of 58

System 80+ Functions  !

3.0 APPROACH System 80+ is an evolutionary design. It incorporates improvements that reflect experience gained from the design and operation of prior generation (s) of ABB-CE plants. However, the major characteristics of the System 80+ physical plant remain j similar to and consistent with those of its forbearers (see Table 1.3-1 of Reference 4 for an overview). Such incremental improvement to a successful design reflects a safe and ,

conservative approach to engineering. l i

Like the physical plant systems, the plant critical functions, and the operator's role in maintaining them, have been modified i and improved in light of experience and technological progress. I However, given the safe operating history of ABB-CE designs, and l the successful operation of licensed System 80 plants, there have l been no fundamental changes in these areas. Again, this reflects i i

a conservative engineering approach.

Section 3 states the goals and specifies the criteria that will be applied to evaluate the past and present acceptability of the allocation of functions in these areas of the ABB-CE designs. In )

i addition, Section 3 states the framework for the evaluation, and j identifies the relationship of subsequent design process i activities to those of allocation.

3.1 Allocation Goals The following goals direct the efforts of this portion of the design process, and should be met by any final allocation of nuclear power plant safety functions:

a) Maintain Critical Safety Functions - The ensemble of facility systems must maintain the provision of certain operating functions (i.e., Critical Safety Punctions) to ensure successful performance, particularly in the area of the health and safety of the public.

b) Comolementary Human and Machine Roles - As part of a defense-in-depth philosophy, the human and machine elements within the system ensemble should play complementary roles that make the successful accomplishment of these functions highly likely.

c) Ensure Suitable Allocation - The allocation of functions to the human and machine elements (particularly automated information processing and control) should consider how the NPX80-IC-RR790-02 Revision 00 11 of 58

_ - . ~ _ _ . . - - - .- . - - . . .. . --

I i

i 1

I l

System 80+ Functions l

l facility is to be operated, how plant safety functions are i accomplished, and the needs, capabilities, and limitations  ;

of the human operator (and the proposed machines.) '

3.2 Framework The critical functions and their success paths, and the operators  ;

role in implementing them, for System 80 and System 80+ shall be compared to verify their similarity and consistency. The System l 80+ success paths shall then be evaluated against the identified allocation criteria to verify the acceptability of the allocation' '

i of control of safety functions in the System 80+ design.

I i

3.3 Criteria The following criteria shall be applied to evaluate the acceptability of the allocation of control of safety functions in the System 80+ design.

10 CFR 50 l Critical Functions shall be consistent with the federally i mandated allocations identified in Section 2.1 from 10 CFR 50. '

l IEEE 603-1991 l Not superseding the criteria of 10 CFR 50, the following additional allocation criteria result from the requirements  !

identified in Section 2.4

  • a) Justification for requiring initiation or control of any protective actions solely by manual means, including j assurance of necessary habitability, shall be documented. ,

b) In all other cases, means shall be provided to:

1) automatically initiate and control protective actions, AND
2) manually initiate all automatic protective actions (at the division level from the control room).

NUREG/CR-1331 Not superseding the criteria of 10 CFR 50 and those resulting from IEEE 603-1991, the additional allocation criteria resulting from NUREG/CR-3331 (see Appendix B) shall be applied to verify NPX80-IC-RR790-02 Revision 00 12 of 58 .

l

-- - .- .-.- - .-.. .. l

l  !

i

! r

? I i

l System 80+ Functions l

[

compatibility of the allocated functions with human factors ,

guidelines.  ;

3.4 Subsequent Evaluations and Allocation Issues Throughout the life of the design, feedback.on design decisions 1 is generated. In particular, during the design process, various analysis and development efforts (not limited to human factors) may produce results that have allocation implications. In i particular, Task Analysis, Availability Verification, Suitability Verification, control room Validation, PRA, and procedure guideline development may be a source of further issues. l 1

However, findings thus identified, including allocation issues  !

(if any), shall be resolved using general program mechanisms as i specified in the HFPP (Reference 6). Emergent feedback is not a unique problem in the allocation area, and no unique process is necessarily indicated for the resolution of subsequent allocation issues. This approach satisfies the intent of Section 5.14 of j IEEE 603-1991, Appendix B of NUREG-0700, and Elements 3 and 4 of the NRC HFE Program Review Model.  ;

l l

i t

i f

NPX80-IC-RR790-02 Revision 00 13 of 58 ,

_ _ - _. __ , _ _ _ _ _ _ _ - . __ _-..u.-

l l

't System 80+ Functions i

4.O EVALUATION 1

This section provides a top-down descriptive evaluation of the  !

allocation of plant safety functions. This description will be j

]

sufficient to permit understanding of the operator's safety-  !

4 related role in the overall system design, and in design basis l evaluations performed to eptablish the adequacy of the System 80+ l

Critical Safety Functions. The description will take the form  ;

~

of "a discussion, with specific references, of similarities to and differences from, facilities of similar design for which applications have been previously filed with the-Commission",.

This is provided as an alternative to a formal systems analysis, which would be more appropriate if_ System 80+ had no direct -

predecessor system. l l

l 4.1 Critical Safety Functions l Safety functions are physical processes, conditions, or actions relied on to maintain the plant within acceptable design basis i limits, i.e. to prevent core melt and to ensure radiation l releases do not exceed the limits of 10 CFR 100. These functions  :

may be performed by automatic or manual actuation and/or regulation, from passive system performance, or from natural i feedback in the plant design. l l

The composition of the safety functions is relatively unchanging -

for a given type of plant design. Table 1 compares a list of CE j plant safety functions (i.e., the Critical Safety Functions, or  !

CSFs) as described in 1980 (Reference 10; note that this substantially predates System 80), with those for the System 80 j and System 80+ designs. Three changes should be noted in the 2 table.

One change is to the relative priority of the. functions:- " Vital Auxiliaries" moved to a higher priority in the Emergency Procedure Guidelines in response to operational considerations (Reference 20). Specifically, the provision of vital power is a ,

prerequisite for actively managing most other CSFs; thus, ,

' This requirement is consistent with the general regulations l of 10 CFR 50.34 (b) (2) for "A description ... of the facility ... .

sufficient to permit understanding of the system designs and their.

relationship to safety evaluations."

Per 10 CFR 50.34(a), footnote 5. j NPX80-IC-RR790-02 Revision 00 14 of 58 * '

i

.-- --- ., , - - , - 3 , ,-a, e  %-.

i l

System 80+ Functions '

verification of vital power precedes other CSF verifications for efficiency (" Reactivity Control" is the exception to this rule for its primary safety significance, its passive safety functionality, and for the importance of prompt response).

A second change is that " Indirect Radioactivity Release Control" I has evolved to " Radiation Emission." This acknowledges that i releases from plant systems may require management to minimize overall safety consequences.

The third change is that " Containment Temperature and Pressure" and " Combustible Gas Control" have been combined under the heading " Containment Environment." This reflects not so much a change in the required actions or the overall function, but that i their aggregation under a single concept remains coherent, but is j more procedurally efficient. i The aforementioned modifications reflect changes in operation, j rather than design, and have been validated to be effective in '

actual use on System 80 and other ABB-CE plants. No additional changes in the CSF framework are planned for System 80+. Thus, CSFs have received only small evolutionary refinements, rather than any major changes, over the generations of Combustion -

Engineering plant design.

I l

l l

l l

I NPX80-IC-RR790-02 Revision 00 15 of 58 ,

System 80+ Functions Table 1 - SAFETY FUNCTIONS ORIGINAL LIST (1980) SYSTEM 80 & SYSTEM 80+

Function Purpose Function Purpose Reactivity Control Shut reactor down to reduce heat production Reactivity Control Shut reactor down to reduce heat production RCS Inventory Control Maintain a coolant medium around core Maintenance of Vital Maintain operability of systems needed to Auriliaries support safety systems RC$ Pressure Control Maintain coolant medium in proper state RCS inventory Control Maintain a coolant medium around core Core Heat Removal Transfer heat out of core into coolant RCS Pressure Control Maintain coolant medium in proper state system medium RCS Heat Removal Transfer heat out of coolant system medium Core Heat Removal Transfer heat out of core into coolant system medium Containment Isolation Close containment penetrations to prevent RCS Heat Removal Transfer heat out of coolant system medium radiation release Containment Temperature Avoid equipment damage & maintain Containment Isolation Close containment penetrations to prevent

& Pressure Control containment integrity radiation release Combustible Gas Control Remove / redistribute H, to prevent fire or Containment Environment Control containment temperature, pressure, explosion & maintain containment integrity hydrogen concentration, and radiation levels; maintain containment integrity and minimize potential release Maintenance of Vital Maintain operability of systems needed to Radiation Emission Control radiation release Auxiliaries support safety systems Indirect Radioactivity Contain misc. stored radioactivity to Release Control protect public and avoid distracting operators from protection of larger sources NPX80-IC-RR790-02 Revision 00 16 of 58 3

System 80+ Functions 4.2 Success Paths For each safety function there are multiple, diverse success paths. A success path is a set of components and resource commodities that is capable of satisfying a particular safety function. The purpose of diverse success paths is to provide multiple alternative means to accomplish the safety function goal (see Figure 2). Individual success paths may have further i

redundancy as well. This is part of the defense-in-depth philosophy. Although each safety function has one or more safety-grade success paths, success paths may also be afforded by non-safety grade systems. Success paths join safety function to plant structure, providing a unitary framework to organize displayed information and integrate written procedures. The System 80+ CSFs and their success paths are portrayed graphically ,

in Figure 3. I A high level " functional" comparison of the major success paths for the System 80 and System 80+ CSFs is provided in Table 2.

Major changes to the success paths have been few, and reflect l evolutionary improvements to the ABB-CE design. These changes, are summarized briefly here and in Table 3:

a) Safety Deoressurization - The Safety Depressurization System consists of two major subsystems: 1) the Reactor Coolant Gas Vent System (RCGVS), and 2) the Rapid Depressurization System (RDS).

The RCGVS was part of the System 80 design, although its success path function (depressurization to SCS entry conditions during natural circulation cooldown) was not credited in full for safety (System 80 also credited Aux Spray; see Non-safety CVCS, below.)

l The RDS can be used to depressurize the plant while using SIS /DVI to inject water into the core. This accomplishes heat removal via feed-and-bleed (i.e., "once-through cooling"). RDS is an added success path for beyond-design basis and severe accident scenarios. While_it provides increased redundancy and diversity of the RCS heat removal success paths, its operation does not require. frequent, rapid, unique, or complex actions, and it is not the preferred means or a safety-credited system for this function. Once-through cooling was formerly available using PORVs manually on some earlier ABB-CE plants; the function was removed when PORVs were eliminated from the design (see D.6). Thus, though the RDS is itself new, its addition does NPX80-IC-RR790-02 Revision 00 17 of 58 I - . - . . , . . , . . . , . - . . , , , - .

i i

j System 80+ Functions

not represent a significant change of the System 80+

l

operators' role or responsibilities from that of System 80.

I I b) Hydrocen Ionitors - H2 Ignitors were not part of the System j 80 design, but have been proven in operation on other plants. They has been added to System 80+ for increased <

j redundancy and diversity of the Hydrogen control success I paths, and for severe accident management. They are not the  ;

initial means of Hydrogen control, their operation does not require frequent, rapid, unique, or complex actions, and they are not credited as a safety system. Thus, the incorporation of Hz Ignitors in the design does not ,

represent a significant change of the System 80+ operators' l' role or responsibilities from that of' System 80.

The following differences apparent in Table 2 are not operationally significant changes, from the CSF success path  ;

perspective, between the System 80 and System 80+: l a) Non-safety-orade CVCS - The System 80+ CVCS is no longer a  ;

safety-grade system. In System 80, portions of the CVCS system had to be safety grade because they were credited by safety analysis for achieving certain functions. In particular, CVCS was credited for borating at high pressure  ;

4 (reactivity control), and depressurizing from high pressure, via Aux Spray (RCS pressure control) . In System 80+,

however, these functions receive credit via the SIS pumps, ,

and the Reactor Coolant Gas Vent System of SDS, respectively. Thus, CVCS is not required to be a safety-grade system; however, it remains available in System 80+ as  :

a success path for these functions.

b) Safetv-arade Offsite Power - There are differences between the System 80 and System 80+ electrical system  ;

configurations, including some changes in nomenclature. I However, from the CSF success path perspective, the basic function of the Startup Transformers (System 80) and the Reserve Auxiliary Transformers (System 80+) are similar.

Both provide alternate off-site grid sources (separate from the Unit Main Transformer), as well as. automatic fast bus transfer from the Unit Main on loss of power.

c) Safetv-arade Emeroency Feedwater - The Emergency Feedwater System has not changed significantly from System 80 to System 80+. However, it has in the past been referred to as the Auxiliary Feedwater System at sites where Westinghouse plants already exist, for consistency.

NPX80-IC-RR790-02 Revision 00 18 of 58

, . , , . . ..m,,- . ~ . . . ,,, ,...,m,, ,.

System 80+ Functions Thus, the CSF Success Paths have changed little, consistent with ,

the evolutionary nature of the plant. Additional details are provided in Section 4.3; in general, however, the detailed design of physical systems and their operation are beyond the scope of the present analysis.

l l

NPX80-IC-RR790-02 Revision 00 19 of 58 ,

System 80+ Functions HA!NTAIN FUEL INTEGRITY A /\

g CDNTROL CDRE TEMPERATURE 7 A 7 ^ T

      • REACTIVITY CONTROL FUNCTION CnRE HEAT REMOVAL

/\ /\

ALTERNATE PROCESSE3 ALTERNATE PROCESSES INACTIVE ACTIVC ECCS St RCS

%^ k N^Sk

/ \... INVENTDRY

/ \ ho HEAT SINK SUBTUNCTIDN ILW (ETCJ q p FORCED NAftMAL

, Figure 2 - Goal-Means Hierarchy NPX80-IC-RR790-02 Revision 00 20 of 58

system 80+ Functions MAI'N TAIN SAFETY

/\ p

//

REACTIVITY ...,

CONTROL ..!- cost COOLING -

...f,

/\ MQRI, MECHANICAL

- Rx TRIP CHEMICAL

- ROD CNTL - CVCS

- SIS

/\

  • VITAL AUXILIARIES Figure 3 - System 80+ CSFs and Success Paths (page 1 of 3)

NPX80-IC-RR790-02 Revision 00 21 of 58

System 80+ Functions MAINTAIN SAFETY

/ \

REACTIVITY CONTROL ,~ -

\ MATERIAL 4 3 RETENTION

/

CORE COOLING INVENTORY

- CVCS

- SIS s'4 ' ' - ~ '

' ~s PRESSURE ') '* ,

- PZR CORE HR ')

(FLOV) RCS HR

- SIS 9 (SINK)

- SDS -

RCPs

- CVCS -

NATURAL [ hU FV

- SGs CIRC

- RELIEFS -

SIS [

- SCS VITAL AUXILIARIES Figure 3 - System 80+ CSFs and Success Paths (page 2 of 3)

NPX80-IC-RR790-02 Revision 00 22 of 58

System 80+ Functions MAINTAIN SAFETY

/\

q REACTIVITY ,

CONTROL ,

  • g ,y CORE COOLING ,

MATERIAL RETENTION CTMT 150 A /x

- 150

- CNTL CTMT ENVT RADIATION CTMT TEMP EMISSION

& PRESS CNTL H2 CNTL - 150

- CTMT SPRAY - PURGE - CNTL VITAL

! AUXILIARIES - FAN COOLERS - RECOMBINERS

- IGNITORS Figure 3 - System 80+ CSFs and Success Paths (page 3 of 3) 1 NPX80-IC-RR790-02 Revision 00 23 of 58 3

+

- , - - - - ,v - u -<-_.~-x - ---- - -- - - - -n - e

System 80+ Functions Table 2 - SUCCESS PATHS (Based on CEN-152 and CESSAR-DC)

MON-SAFETY GRADE Critical SAFETY GRADE Function Syst e 80 Systm 80+ Syst m 80 Systm 80+

Reactivity - Reactor trip - Reactor trip - Rod control - Rod control Control - Safety injection - Safety injection

- CVCS beration - CVCS boration Haintenance of - Emergency diesels - Emergency diesels - Unit xfmr backfeed - Unit xfmr backfeed Vital Auxiliaries - Startup xfmrs - Reserve Aux xfmrs - Alternate generator - Alternate generator

- Station batteries - Station batteries - Station batteries - Station batteries RCS Inventory - Safety injection - Safety injection - CVCS charging & letdown - CVCS charging & letdown i Control RCS Pressure - Safety injection - Safety injection - PZR beaters & sprays - PZR heaters & sprays Control - Rx coolant gas vent - Rx coolant gas vent - CVCS charging & letdown - CVCS charging & letdown

- CVCS aux spray - CVCS aux spray

- Primary reliefs - Primary reliefs - SG steaming - SG steaming Core Heat Removal - Natural circulation - Natural circulation - Forced circulation - Forced circulation

- Safety injection - Safety injection RCS Heat Removal - Emergency (Aux) feed - Emergency feed - Hain feed - Hein feed

- Rapid depressurtration - Startup feed - Startup feed

- Shutdown cooling - Shutdown cooling Containment

Environment - H, recombiners - H, recombiners - H, purge - H, purge

- H, igniters 1

Radiation - Release path isolation - Release path isolation - Release path monitoring & - Release path monitoring &

Emission control control i

NPX80-IC-RR790-02 Revision 00 24 of 58

^

System 80+ Functions Table 3 - CSF SUCCESS PATHS: FUNCTIONAL DESIGN STATUS CSF SUCCESS PATH UNCHANGED MODIFIED NEV DELETED i I

Reactor Trip X  ;

REACTIVITY CONTROL Safety injection X Rod Control X j CVCS Boration X VITAL AUXILIARIES Emergency Diesels X ,

Reserve Aux Xfmrs X Station Batteries X l

Unit Xfmr Backfeed X  ;

Alternate Generator X h

RCS INVENTORY CONTROL Safety Injection X CVCS Charging & Letdown X RCS PRESSURE CONTROL Safety injection X r i

Reactor Coolant Gas Vent X l

Primary Reliefs X I

PZR Heaters & Sprays X j CVCS Charging & Letdown X l

SG Steaming X  :

I CVCS Aux Spray X CORE HEAT REMOVAL Forced Circulation X Natural Circulation X i Safety injection X RCS HEAT REMOVAL Main Feed X 3

Startup Feed X Emergency Feed X Rapid Depressurization X Shutdown Cooling X i CONTAINMENT ISOLATION Penetration Path Iso X Penetration Path Cnti X NPX80-IC-RR790-02 Revision 00 25 of 58 ,

ew,- , . , - - - -, , - - ,

System 80+ Functions Table 3 -

CSF SUCCESS PATHS: FUNCTIONAL DESIGN STATUS CSF SUCCESS PATH UNCIRNGED MODIflED NEW DELETED CONTA!hMENT ENVIRONMENl Containment Spray X Fan Coolers X H, Purge X H, Recombiners X H, Igniters X RADIATION EMIS$10N Release Path Isolation X Release Path Control X l

l l

l NPX80-IC-RR790-02 Revision 00 26 of 58

i l

System 80+ Functions  ;

l 4.3 Operators' Role and Safety Functions The operator, along with automated systems and inherent and passive plant features, is part of the defense-in-depth approach  ;

to assure that safety functions are maintained. Specifically, the operators' role in executing safety functions (Reference 10) can be summarized as follows:  !

1) monitor the plant to verify that the safety functions are accomplished; i
2) actuate and control those systems that are not fully ,

automated;  !

3) intervene where the automatically actuated systems are not operating as intended.

Item 2) above represents primary manual allocations (i.e., to j human operators); Item 1) represents a supervisory role; Item 3) represents backup manual allocations (implying that the design i provides automatic, passive or inherent system features as a l first line of defense. Manual and automatic allocations in safety system operation are identified in the present Section of i

this report. Detailed specification of.the operators' role in '

l executing safety functions is provided by the actions and j contingencies of the Emergency Procedure Guidelines.

After reviewing the requirements identified in Section 2.0, and the resulting criteria in Section 3.3, it is evident that the design process has sought to remove the need for the operator to i respond with immediate control actions at the onset of events.

This approach increases reliability of overall system protective actions by 1) reducing reliance on sustained human vigilance, and

2) reducing time stress on human performance, which induces errors. Further allocation decisions tend to be based on experience and precedent.

! 4.4 Allocation Data To evaluate the acceptability of allocations to the operators' l safety role, Table 4 provides a summary of the System 80+ safety i function allocations in comparison to the Section 3.3 criteria.

1 The data fields of Table 4 are defined as follows: )

Critical Functions & Success Paths - Per the contents of Tables 1 j and 2.

NPX80-IC-RR790-02 Revision 00 27 of 58 I

l

-. . .- _ _ ._. _, ,_ .J

System 80+ Functions Protective System or Commodity? - Whether or not this is a system relied on (i.e., credited) by CESSAR-DC Chapter 15 safety analyses to mitigate DBEs by performing the specified safety function.

10 CFR 50 Allocation Requirements - General or specific '

allocation requirements from 10 CFR 50 as summarized in Section 2.1 of the present report.

NUREG/CR-3331 Allocation Requirements - The acceptance path resulting from application of the criteria in Appendix B of the present report.

Auto Init - The equipment-generated (i.e., automatic) Protective Action that initiates a Protective System to achieve the Safety l Function.

l Manual Init - Whether or not the operator is afforded a means to manually initiate the Protective Action.

Control - Following initiation, the responsibilities of manual j and automatic elements to maintain the safety function throughout the limiting DBE. These are categorized as either 1) auto (i.e.,

fully automatic), 2) automatic-AND-manual, 3) manual-OR-automatic, 4) manual-XOR-automatic, or 5) manual.

Justification for solely manual init/cntl of protection (IEEE 603-1991) - For protective systems, an explanation of why some portion of achieving a safety function has not been automated.

This is provided, as required, for the protective systems whose control responsibilities are described as either MOA, MXA, or fully manual (AAM implies manual control is redundant to fully automatic control). Also used as an overall comment field, as indicated.

Additional explanation of the CSF success paths and their allocations, and the allocation rationale (in terms of satisfied Appendix B criteria), is provided in the remainder of this Section.

A. Reactivity Control A.1 Reactor Trio - Reactor trip is a protective feature whose rapid and reliable initiation is of the utmost importance to safety. Automatic initiation of reactor trip is mandatory, and occurs in response to RPS or APS trip signals (see Reference 4, Sections 7.2 and 7.7.1.1.11, respectively);

manual initiation is also provided to enable operators to NPX80-IC-RR790-02 Revision 00 28 of 58

l t

System 80+ Functions  ?

I perform assigned supervisory and backup roles. Operator  ;

actions will be performed under normal MCR habitability i conditions. As a discrete function, Reactor Trip has no I continuous control component to be allocated. These System l 80+ allocations are unchanged from those in System 80. j A.1 Allocation Rationale: Automation is mandatory because of j sustained monitoring and rapid response time requirements ]

(1b), federal regulations (1c), and the need to assure plant I protecticn (id). Automation is feasible, i.e., technically j proven (2a) and pragmatically available (2b). Manual 1 initiation is desirable for flexibility and reliability (9d & J 9e). [

i A.2 Safety Iniection - The SI system performs Reactivity l Control by direct high pressure injection of borated water l into the Rx vessel. This occurs automatically, when a SIAS is j generated by the ESF system. Note that SIAS is not generated j automatically in order to shut the reactor down, per se; however, SI boration rate is sufficient to maintain chutdown margins even if the reactive rod were ejected from the core (see Chapter 7, Reference 4). Manual initiation is provided I to enable operators to perform assigned supervisory and backup roles. Following initiation, operators have the responsibility to evaluate, adjust, and/or terminate SI.  :

These System 80+ allocations are unchanged from those in System 80.

A.2 Allocation Rationale: Automation is preferable based on precedent (Sa), and in preference to human performance (5b) based on characteristics of the function (e.g., per 7a, 7b, 7d, 7e). Manual operation is desirable for flexibility and reliability (9d & 9e) .

A.3 Charaina & Volume Control (Boration) - The CVCS can be used to inject borated water into the RCS. However, it is a i relatively slow, long-term means of adjusting core reactivity, and is not a credited safety system for Reactivity Control.

Boration is not a standard lineup for the CVCS, and it is l performed and initiated manually from the control room. l However, once aligned, the CVCS can be operated'in either automatic or manual modes. These-System 80+ allocations are unchanged from those in System 80.

l A.3 Allocation Rationale: The function is suitable for allocation to the operator (8a, 8b, & 8c).

l l

l NPX80-IC-RR790-02. Revision 00 29 of 58 {

i i

- - - - .- .,~ ,- . _ _ -.

System 80+ Punctions A.4 Rod Control - Rod control provides a backup success path that can be used if rod (s) stick or otherwise fail to return to their bottom travel positions following a reactor trip.

This is accomplished by reshutting the trip breakers and energizing the rod drive mechanisms, then attempting to actively drive the rods inward using the rod control system.

The rod control system is not a protective means of reactivity insertion, it is not a credited safety system for Reactivity Control, and the execution of this task is fully manual.

These System 80+ allocations are unchanged from those in System 80.

A.4 Allocation Rationale: Given the suitability of the associated tasks (e.g., per Ba, 8b, & sc), human performance is clearly preferable for this application (6a, or 3b) due to the need to deliberately shut the Reactor Trip Breakers as part of the process.

B. Vital Auxiliaries The configuration of equipment and resource commodities used to maintain Vital Auxiliaries is part of the overall design of the electrical system. Electrical system design and operation is explained in Chapter 8 of CESSAR-DC (Reference 4).

B.1 Emeroency Diesel Generators - Emergency DG operation is initiated automatically on Loss of Offsite Power, and by SIAS or EFAS signals. Startup and vital loading are performed by automatic load sequencing. Manual startup and loading is also possible. Given automatic initiation, the operator is responsible to evaluate continued DG operation, modify its loading as necessary (particularly to satisfy subsequent CSFs), and transfer fuel oil to Fuel System (before the seven day fuel supply is exhausted; see section 9.5.4.1.1 of Reference 4). The auto sequencer must complete its function before sequenced loading can be manually modified. Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80. l B.1 Allocation Rationale: Automation is mandatory because of federal regulations (lc), and the need to assure plant protection (ld). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual operation is desirable for, flexibility, reliability, and management of unusual conditions (9d, 9e, & 9f).

NPX80-IC-RR790-02 Revision 00 30 of 58

I l

System 80+ Functions j i

l B.2 Reserve Aux Transformers - The Reserve Aux Transformers I provides an offsite supply grid connection that is separate j from the Unit Main Transformer grid. Use of the Reserve Aux Transformer is automatically initiated via fast bus transfer on loss of the Unit Main Transformer. Manual transfer is also j possible. The operator is responsible to evaluate the

' electric plant and modify its loading and configuration as necessary (particularly to satisfy subsequent CSFs). Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

B.2 Allocation Rationale: Automation is mandatory because of sustained monitoring and rapid response time requirements l

, (ib), federal regulations (ic), and the need to assure plant j protection (id). Automation is feasible, i.e., technically  ;

proven (2a) and pragmatically available (2b). Manual j operation is desirable for flexibility, reliability, and management of unusual conditions (9d, 9e, and 9f).

B.3 Vital Station Batteries - Vital Station Batteries are i normally on their bus in some form of standby charging or l discharging operation. Thus, " initiation" is to place or l retain the battery on the bus; " control" is to load or unload  !

the bus. On loss of vital AC power, initial loading i established by auto trips and load shedding. No immediate l operator action is required. However, the operator will evaluate operating conditions, and will shed unnecessary loads manually to extend battery life from 2 to 8 hrs (see Section 8.3.2.1.2.1.2 of Reference 4) while taking steps to restore AC power. Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

B.3 Allocation Rationale: Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (ic), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual operation is desirable for flexibility, reliability, and management of unusual conditions (9d, 9e, & 9f).

B.4 Alternate Generator - System 80+ provides a permanently installed Alternate Generator (i.e., a combustion turbine) as <

a separate and diverse source of onsite generating capacity. l This increases the redundancy and diversity of the AC power l success paths in System 80+. Alternate Generator operation is l initiated automatically on LOOP (along with Diesel Generator I NPX80-IC-RR790-02 Revision 00 31 of 58

-e---- , - - n ->,w- - ,---,mwm- p- cn e > - , ,,-~~,--r- ,s- <o w- w w . p -ev-- m---m

System 80+ Functions initiation). Load 3ng is by auto sequencing of permanent non-vital bus loads; however, vital bus loads can be assumed manually if DGs fai:. The operator is responsible to evaluate continuc3 Alternate Generator operation, and modify its loading as necessary. The Alternate Generator is not credited as a safety system for Vital Auxiliaries. The System 80 design did not include a permanently installed Alternate ,

Generator, although they have been provided as options. The allocations of Alternate Generator control are consistent with those for DG control in System 80 and System 80+.

B.4 Allocation Rationale: Due to response time requirements, human performance is less desirable, while automation is technically proven and pragmatically available (Sa & b).

Manual operation is desirable for flexibility, reliability, and management of unusual conditions (9d, 9e, & 9f).

B.5 Unit Main Transformers - The Unit Main Transformer provides a connection to an offsite supply grid that is separate from the Reserve Aux Transformer grid. The Unit Main is the default offsite AC power source, and is not credited as a safety system for Vital Auxiliaries. Normally, at power, the Unit Main Transformers are on line connecting the plant electrical system to supply power to the offsite grid; on turbine trip, the Main Transformer breakers remain shut, allowing power to be drawn from the grid to supply plant electrical demands (i.e., "backfeed"). The operator is responsible to evaluate the electric plant and modify its loading and configuration as necessary. These System 80+

allocations are unchanged from those in System 80.

B.5 Allocation Rationale: The function is suitable for allocation to the operator (8a, 8b, & 8c).

B.6 Non-Vital Station Batteries - Non-Vital Station Batteries are normally on their bus in some form of standby charging or discharging operation. Thus, " initiation" is to place or retain the battery on the bus; " control" is to load or unload the bus. Non-vital station batteries are not credited as a safety system for Vital Auxiliaries. On loss of non-vital AC ,

power, initial loading established by auto trips and load  !

shedding. No immediate operator action is required. However, the operator will evaluate operating conditions, and will shed unnecessary loads manually to extend battery life while taking steps to restore AC power. These System 80+ allocations are unchanged from those in System 80.

B.6 Allocation Rationale: Automation is mandatory because of NPX80-IC-RR790-02 Revision 00 32 of 58 l

, i l

l i

i l

System 80+ Functions i

sustained monitoring and rapid response time requirements  ;

(1b). Automation is feasible, i.e., technically proven (2a)  :

and pragmatically available (2b). Manual operation is l desirable for flexibility, reliability, and management of l unusual conditions (9d, 9e, & 9f). ,

f C. RCS Inventory Control C.1 Safety Iniection - The SI system performs Inventory j Control by direct high pressure injection of borated water  ;

into the Rx vessel (see Section 6.3, Reference 4). This  ;

occurs automatically, when a SIAS is generated by the ESF system (see Section 7.3, Reference 4), or passively,'if RCS pressure falls below SIT pressure. Manual initiation is also provided to enable operators to perform assigned supervisory and backup roles. Following initiation, operators have the responsibility to evaluate, adjust, and/or terminate SI;  ;

however, after initiation, operation can continue for one to three hours without manual intervention (Reference 4, Section i I

6.3.3.4). Operator actions will be performed under normal MCR l habitability conditions. These System 80+ allocations are -

I unchanged from those in System 80.

1 C.1 Allocation Rationale: Automation is mandatory because of i sustained monitoring and rapid response time requirements '

l (ib), federal regulations (Ic), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual  ;

operation is desirable for flexibility, reliability, and management of unusual conditions (9d, 9e, & 9f). i l

C.2 Charaina & Volume Control (Charaina & Letdown) - The CVCS I can be used to inject water into the RCS. However, it is a long term, relatively slow, backup means of adding core inventory, and is not a credited safety system for Inventory

Control (see Section 9.3.4, Reference 4). CVCS is initiated I manually from the control room. However, once initiated, the

, CVCS can be operated in either automatic or manual modes.

l These System 80+ allocations are unchanged from those in l System 80.

C.2 Allocation Rationale: The function is suitable for allocation to the operator (8a, 8b, & 8c).

i l

NPX80-IC-RR790-02 Revision 00 33 of 58 i

l

i i

System 80+ Functions -

I D. RCS Pressure Control j D.1 Safety Iniection - The SI system performs Pressure  !

Control by high pressure injection of borated water into the RCS (see Section 6.3, Reference 4). This occurs j automatically, when a SIAS is generated by the ESF system (see  ;

Section 7.3, Reference 4), or passively, if RCS pressure falls '

below SIT pressure. Manual initiation is also provided to l enable operators to perform assigned supervisory and backup l l roles. Following initiation, operators have the  !

responsibility to evaluate, adjust, and/or terminate SI-however, after initiation, operation can continue for one to )

three hours without manual intervention (Reference 4, Section 6.3.3.4). Operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

D.1 Allocation Rationale: Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (ic), and the need to assure plant protection (Id). Automation is feasible, i.e., technically ,

proven (2a) and pragmatically available (2b) . Manual  !

operation is desirable for flexibility, reliability, and -

j management of unusual conditions (9d, 9e, & 9f). l D.2 Rx Coolant Gas Vent System - The Reactor Coolant Gas Vent System (RCGVS) is a portion of the SDS. It permits controlled RCS depressurization to SCS entry conditions during natural circulation cooldown scenarios (see Section 6.7, Reference 4).

Rapid response of this function is not required, since cooldown typically takes 8-12 hours. Thus, automatic initiation is not necessary or even desirable. Instead, operators have responsibility to in.itiate and control RCS depressurization by the RCGVS. Operator actions will be performed under normal MCR habitability conditions. Manual operation of RCGVS in System 80+ is an unchanged allocation from System 80, although System 80 credited Aux Spray for permitting depressurization with natural circulation.

Likewise, Aux Spray was manually allocated in System 80, and remains so in System 80+. Thus, these System 80+ allocations are unchanged from System 80.

D.2 Allocation Rationale: Automation could be argued to be

mandatory because of general regulations for automatic l

protective actions under GDC 20 (1c). However, although this is a credited safety system, it is not required to make  !

immediate or rapid (i.e., protective) responses in its safety  !

role. In addition, the uncertain conditions of its use, and i

NPX80-IC-RR790-02 Revision 00 34 of 58 .

i l

I i

f l

i System 80+ Functions )

1 I

concerns for inadvertent initiation make human performance l preferable (6).

D.3 PZR Heaters & Sorays - Normal RCS Pressure Control is  !

provided by the operation of PZR heaters and sprays to control l PZR saturation conditions. This system is described as  ;

manually initiated in that it is operated in either automatic l or manual modes at operator discretion; normally it would be 3 on line in auto. It is not credited as a safety system for  ;

RCS Pressure Control. These System'80+ allocations are  ;

unchanged from those in System 80.  ;

D.3 Allocation Rationale: Automation is preferable because  :

of the repetitive and predictable nature of the function (5); l the system is normally left on-line to cycle in automatic.

4 However, manual operation affords necessary flexibility and i

improved reliability (9d-f).

D.4 Charaina & Volume control - The CVCS provides PZR Aux Spray as an alternate means (i.e., during natural circulation cooling, without RCP head to provide PZR Main Spray) to reduce RCS pressure under saturated PZR conditions. CVCS can also be used to control RCS pressure with a solid PZR by adjusting RCS inventory. The CVCS is not a credited safety system for Pressure Control. CVCS operation is initiated manually from the control room. The CVCS can be operated in either automatic or manual modes, but manual mode is specified for solid plant operations due to the possibility of rapid pressure excursions. Although the System 80+ CVCS is a fully non-safety system (a change from System 80; see Section 4.2) the operation of the CVCS, and the allocation of these System 80+ functions, are unchanged from those in System 80.

D.4 Allocation Rationale: The uncertainty of conditions involved in the need for or control of RCS Pressure via CVCS make human performance preferable (6).

l D.5 SG Steamina - Controlled heat removal through the SGs (see Section 10, CESSAR-DC) can be used to control RCS pressure, particularly when solid, by manipulating-(i.e.,

contracting) available RCS inventory. Steaming and feeding in this case are initiated and controlled manually from the control room to avoid excessive pressure excursions. The Sgs are not a credited safety system for RCS Pressure Control. '

These System 80+ allocations are unchanged from those in l

System 80.  !

l NPX80-IC-RR790-02 Revision 00 35 of 58 i

- . , - . - , --,n-- ._.,-e ,nn,. , - - , , -- . ,

i e

I System 80+ Functions l

D.5 Allocation Rationale: The uncertainty of conditions '

involved in the need for or control of RCS Pressure via SG Steaming make human performance preferable (6).

D.6 Pressure Reliefs - Design basis overpressure relief for vessel protection is provided without the option for manual initiation. Some older units (predating System 80) used Power-Operated Relief Valves; PORVs permitted both manual and i automatic operation. However, experience has dictated a return to more simple and standard (i.e., hydromechanical) '

relief valve designs in recent plants (including System 80).

Thus, these System 80+ allocations are unchanged from System

80.  ;

D.6 Allocation Rationale: Automation is mandatory because of j J

sustained monitoring and rapid response time requirements (1b), federal regulations (ic), and the need to assure plant protection (ld). Automation is feasible, i.e., technically j proven (2a) and pragmatically available (2b). Manual operation is not necessary or desirable. i l E. Core Heat Removal E.1 Natural Circulation - Initiation and control of natural l circulation flow are essentially passive (equivalent to  !

automatic) functions. The operator has responsibility to j evaluate Heat Removal performance, and to' maintain an  !

effective heat sink. Operator actions will be performed under i normal MCR habitability conditions. These System 80+ l' allocations are unchanged from System 80.

E.1 Allocation Rationale: Automation can be viewed as mandatory because of federal regulations (Ic),.and the need to '

assure plant protection (id). Automation is feasible,.i.e.,

technically proven (2a) and pragmatically available (2b). As a passive function, manual operation can be viewed as either implicit, or inapplicable.

E.2 Forced Circulation (RCPs) - Initiation of forced circulation (i.e., RCP flow) is manual (the discrete " pump run" function has no continuous control component). Core Heat Removal via forced circulation is the normal means of Core Heat Removal during operations, but is not credited for safety. These System 80+ allocations are unchanged from System 80.

E.2 Allocation Rationale: The function is suitable for allocation to the operator (8a, 8b, & 8c).

NPX80-IC-RR790-02 Revision 00 36 of 58 t e = w * ',rr--n-

i i

System 80+ Functions j Safety Iniection (DVI) - The SI system performs Core Heat  !

E.3 Removal by direct high pressure injection of borated water  ;

into the Rx vessel. For DBEs, unavailability of natural ,

circulation may imply RCS pressure or inventory problems, and l SI actuation is thus a resultant possibility. However, DVI is j not the preferred means for Core Heat Removal, Land SIAS is not  ;

generated in response to Heat Removal problems, per se.  ;

Following either automatic, passive, or manual SIAS j initiation, the DVI lineup is automatically established; l operation can then continue for one to three hours'without manual intervention.(Reference 4, Sections 6.3.2.7 & 6.3.3.4). l The operator has responsibility to evaluate Core Heat Removal performance, to modify the SI lineup to suit plant conditions, j and to maintain effective RCS Heat Removal. Operator actions j will be performed under normal MCR habitability conditions. I Changes to the SI injection points are improvements in the  !

physical plant configuration; however, the related System 80+  !

allocations are unchanged from System 80.

E.3 Allocation Rationale: Automation'could be argued to be  !

mandatory because of. general regulations for automatic  !

protective rctions under GDC 20 (lc). However, although this  !

is a credi-ed safety system, it is'not required to make  ;

immediate or rapid (i.e., protective) responses in its safet role. The uncertainty of conditions involved in the-need for i or performance of Core Heat Removal'via SIS make human performance preferable (6). l F. RCS Heat Removal i

F.1 Main Feed - The Main Feed system provides heat removal for the RCS using the SGs and Main Feed Pumps. This is the normal means of heat removal for power operation. It is J initiated manually, but may be controlled in either manual or automatic modes. Main Feed is not a credited safety system.

These System 80+ allocations are unchanged from those in System 80.

F.1 Allocation Rationale: The function is suitable for allocation to the operator (8a, 8b, & 8c).

F.2 Startup Feed - The Startup Feed system provides heat removal for the RCS using the SGs.and Startup Feed Pump. This is the normal'means of heat removal for very low power (0 to 5%) operation. Startup Feed is automatically initiated on reactor trip with complete loss of MFW, providing diversity and defense in depth against total loss of feed. The system can also be manually initiated and controlled. Startup-Feed NPX80-IC-RR790-02 Revision 00 37 of 58 a

System 80+ Functions is not a credited safety system. The addition of automatic initiation and control of Startup Feed is a change to the prior System 80 allocation.

F.2 Allocation Rationale: The function is desirable for allocation to automation (5), due to risk reduction and utility requirements (Reference 22). Manual initiation and control is desirable for flexibility (9a, 9d, & 9f) .

F.3 Emeroency Feed - The Emergency Feedwater system assures that secondary plant heat removal capacity remains available if normal feedwater sources are lost. Initiation of EFW occurs automatically when an EFAS is generated by the PPS; manual initiation is also provided to enable operators to perform assigned supervisory and backup roles (this satisfies specific requirements of Section 2.1.2.b). EFW control requires no operator intervention until .5 hrs after limiting ,

DBE (CESSAR-DC 10.4.9); operators have the responsibility to operate ADVs, ensure adequate level in the Sgs, provide makeup '

to the EFWSTs, and evaluate, adjust or terminate EFW function.

Operator actions are performed under normal habitability conditions. These System 80+ allocations are unchanged from those in System 80.

F.3 Allocation Rationale: Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (ic), and the need to assure plant protection (id). Automation is feasible, i.e., technically proven (2a) and pragmatically availabic (2b). Manual initiation is desirable for reliability (9e).

F.4 Rapid Depressurization (RD) - The RD portion of the SDS can be used to depressurize the plant while using SIS /DVI for Core Heat Removal. This accomplishes heat removal via feed-and-bleed, also known as "once-through cooling." It is not the preferred means for RCS Heat Removal, and it is not a i credited safety system for controlling RCS heat removal on System 80+. However, if no Sgs are available for steaming (i.e., total loss of feed, a beyond-design-basis event) then this provides an added, diverse success path. The operator has responsibility to evaluate and control RCS Heat Removal performance, and to maintain an adequate RCS inventory.  :

Control of RD itself is a discrete function (i.e., start /stop i only; no throttling). Operator actions will be performed under normal MCR habitability conditions. Once-through cooling using PORVs was available on some earlier ABB-CE plants. However, due to PORV problems, they were eliminated from newer designs (see D.6), and once-through cooling was not NPX80-IC-RR790-02 Revision 00 38 of 58 a

i System 80+ Functions afforded on System 80 (i.e., not at Palo Verde; however, RD is being installed in Korea). The manual allocation of the RD

" bleed" function in System 80+ is consistent with similar allocations in preceding ABB-CE plant designs.

F.4 Allocation Rationale: Given the suitability of the associated tasks (e.g., per 8a, 8b, & 8c, or 4), human performance is clearly preferable for this application (6a, or 3b) due to the uncertain conditions of the use of RD, and '

concerns for its inadvertent initiation.

F.5 Shutdown Coolina - SCS is not initially useful as success path in DBEs initiated from higher mode operation; SCS is placed on line as part of the normal transition to lower modes. Rapid initiation of SCS is not required (cooldown to SCS entry conditions typically takes 8-12 hours); on the other  :

hand, spurious system actuation would be problematic. Thus, l automatic actuation is not necessary or even desirable, while manual actuation is acceptable. Operator actions will be ,

performed under normal MCR habitability conditions. Certain l changes have been made to the SCS design from System 80 (e.g., l it no longer shares pumps with SI, and has a higher pressure rating, permitting removal of a suction valve trip that was a l chronic cause for loss of SCS; see Reference 4, Chapter 5). l However, these are improvements in the physical plant configuration; the related System 80+ allocations are similar to those in System 80.

F.5 Allocation Rationale: Automation could be argued to be mandatory because of general regulations for automatic protective actions under GDC 20 (Ic). However, although this is a credited safety system, it is not required to make immediate or rapid (i.e., protective) responses in its safety role. In addition, the uncertain conditions of its use, and concerns for inadvertent initiation make human performance preferable (6).

G. Containment Isolation G.3 Penetration Flowpath Isolation - Containment Flowpath Isolation is performed by automatically shutting containment isolation valves on CIAS actuation. CIAS may also be actuated manually, to enable operators to perform assigned supervisory and backup roles. CIAS does not shut penetrations used for accident mitigation, RCP operation, or safe shutdown; these are isolated manually, if necessary. If a CIAS is actuated, explicit manual reset is required before any of the flowpaths can be reopened (to prevent inadvertent release, per 10 CFR NPX80-IC-RR790-02 Revision 00 39 of 58

System 80+ Functions 50.34 (f) (2) (xiv)) ; subsequent reopening of the valves must also be done manually (remote manual controls are provided for all automatically isolated valves). As a discrete function (i.e., shutting the valves), containment Flowpath Isolation has no continuous control component. Operator actions are performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

G.1 Allocation Rationale: Automation is mandatory because of sustained monitoring and rapid response time requirements (1b), federal regulations (ic), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual initiation is desirable for reliability (9e).

G.2 Penetration Flowpath Control - Containment Flowpath Control is performed by individually selecting and shutting containment isolation valves using component control systems.

This is fully manual, enabling operators to perform assigned supervisory and backup roles, and providing flexibility and reliability in the overall system. If a CIAS has already actuated, the CIAS must be manually reset before any of the flowpath control valves can be reopened (to prevent inadvertent release, per 10 CFR 50.34 (f) (2) (xiv)) . As a discrete function (i.e., to shut the valves), Containment Flowpath Control has no continuous control component. '

Operator actions are performed under normal MCR habitability conditions. This is not a credited safety system. These System 80+ allocations are unchanged from those in System 80.

G.2 Allocation Rationale: The function is suitable for allocation to the operator (Ba, 8b, & 8c).

H. Containment Environment H.1 Containment Sorav - The Containment Spray system actively removes heat from a sealed Containment Environment so that containment temperature and pressure remain within limits under anticipated accident conditions. Initiation of Containment Spray occurs automatically when a CSAS is generated by the PPS; manual initiation is also provided, to enable operators to perform assigned supervisory and backup roles. Following initiation, operators have the responsibility to evaluate, adjust, and/or terminate Containment Spray. Additionally, operators can reconfigure the system to use SCS or an external water source if the preferred containment spray lineup is unsuccessful. Normally, however, manual action is indefinitely unnecessary, as the NPX80-IC-RR790-02 Revision 00 40 of 58

l

' System 80+ Functions s water is continuously recirculated through the IRWST. i operator actions will be performed under normal MCR habitability conditions. These System 80+ allocations are unchanged from those in System 80.

i H.1 Allocation Rationale: Automation is mandatory because of  ;

sustained monitoring and rapid response time requirements I (1b), federal regulations (1c), and the need to assure plant protection (1d). Automation is feasible, i.e., technically proven (2a) and pragmatically available (2b). Manual initiation is desirable for reliability (9e).

H.2 Fan Coolers - The Containment Fan Coolers actively remove heat from the Containment Environment to control containment temperature (and pressure, in a sealed containment).

Containment Fan Coolers are manually started and are normally  !

in operation; additional coolers may be manually started as an emergency mode supplement. Operator actions will be performed under normal MCR habitability conditions. This is not a credited safety system. These System 80+ allocations are unchanged from those in System 80.

H.2 Allocation Rationale: The function is suitable for allocation to the operator (8a, 8b, & 8c). .

H.3 H2 Recombiners - The H 2 Recombiners are a portable, externally connected means to maintain Hydrogen levels within limits in a sealed Containment Environment under anticipated accident conditions. They are not the initial success path ,

for containment Hydrogen control. Hz Recombiners are manually aligned and started, by procedure, within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> following a LOCA. After startup, the H2 Recombiners run continuously; operators are responsible to evaluate and/or terminate continued H2 Recombiner operation. Operator actions will be performed in the Nuclear Annex Building under acceptable post-accident habitability conditions. These System 80+

allocations are unchanged from those in System 80.

H.3 Allocation Rationale: Automation could be argued to be mandatory because of general regulations for automatic protective actions under GDC 20 (Ic). However, although this is a credited safety system, it is not required to make immediate or rapid (i.e., protective) responses in its safety role. The function is suitable for allocation to the operator (8a, 8b, & 8c).

H.4 H2 Purae - H 2 Purge is a permanently installed means to control containment Hydrogen levels. H2 Purge is accomplished NPX80-IC-RR790-02 Revision 00 41 of 58

  • + - - i= m e-vg ey- +y- -g--q--inv- > .4e- g-e+ ,rw we g e =nyc-q -t -r---g g>,ame9+ t-vM. ky n-y-11+ a g ge r-- B-;+yre34v.>t-----*

System 80+ Functions using portions of the Annulus Ventilation System, and the Containment Low Volume Purge System. H2 Purge is manually initiated. After startup, operators are then responsible to evaluate, adjust, and/or terminate H2 Purge operation; H 2 Purge is automatically isolated on CIAS actuation. This function j does not require any immediate or rapid responses, and operator actions will be-performed under normal MCR habitability conditions. This is not a credited safety system. Although the containment annulus vent system is part  ;

of an improved containment design for System 80+, these allocations for the System 80+ H2 Purge success path are unchanged from those in System 80.

H.4 Allocation Rationale: Given the suitability of the associated tasks (e.g., per Ba, 8b, & 8c, or 4), human performance is preferable for this application (6a, or 3b &

3c) due to the potential for inadvertent release during a j severe accident.

H.5 H2 Ionitors - The H 2 Ignitors are a permanently installed '

means to maintain Hydrogen levels within limits in a sealed Containment Environment. If H2 Purge and Recombiners are not available, H2 Ignitors can be manually started on indication of i high Hydrogen levels in containment. After startup, operators then are responsible to evaluate, adjust, and/or terminate H 2 Ignitor operation. Operator actions will be performed under ,

normal MCR habitability conditions. This success path was not i part of the System 80 design, but has been proven in operation 1 on other systems. It has been added for System 80+ for  ;

increased redundancy and diversity of the Hydrogen control j success paths. It is not a credited safety system. This does not represent a significant change of the System 80+

operators' role or responsibilities from those in System 80.

H.S Allocation Rationale: Given the suitability of the associated tasks (e.g., per 8a, 8b, & 8c), human performance is preferable for this application (6a) due to the potential for equipment damage from inadvertent actuation.

I. Radiation Emission I.1 Release Path Isolation - Containment-to-environment release paths are automatically isolated on high radiation and CIAS. They can also be manually isolated, to enable operators to perform assigned supervisory and backup roles. As a discrete function (i.e., to shut the valves), Release Path Isolation has no continuous control component. Operator actions are performed under normal MCR habitability NPX80-IC-RR790-02 Revision 00 42 of 58

...t j  !

i l 1  !

, +

l I i .

i System 80+ Functions  ;

a  ;

i i

i j conditions. These System 80+ allocations are unchanged from i those in System 80.  ;

i I.1 Allocation Rationale: Automation is mandatory because of l i sustained monitoring and rapid response time requirements  !

4 (1b), federal regulations (ic), and the need to assure plant  :

j protection (id). Automation is feasible, i.e., technically -

, proven (2a) and pragmatically available (2b). Manual  !

! initiation is desirable for reliability (9e). l I I.2 Release Path Control - Containment-to-environment release  !

l paths can be individually isolated by selecting and manually }

shutting individual valves through the component control l systems, to enable operators to perform assigned supervisory i and backup roles. Operator actions are performed under normal  !

j MCR habitability conditions. This is not a credited safety system. These System 80+ allocations are unchanged from those in System 80. l I.2 Allocation Rationale: The function is suitable for {

allocation to the operator (8a, 8b, & 8c).

i 1

I i

1 i

I j

i 1

l I

NPX80-IC-RR790-02 Revision 00 43 of 58 a

. _ , _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ . ...y . _ . . , . , , , . - ,m._ , _ _ .,.,_.m... . , _ .g .mm.g,.,, ,y.

System 80+ Functions Table 4 - SUCCESS PATH ALLOCATIONS (page 1 of 10)

CRtiICAL FUNCTIGN: Protective A. Reactivity Allocation Requi rments SYSTEM 80+

Control Syst e or Comodity? 10 CFR 50 NUREG/CR- Auto Manual Control Justification for solely unual init/cnti of SUCCESS PATH 3331 Init Init protective syst m (IEEE 603-1991)

1. Reacter Trip Yes Auto init ib-d; 2; RPS Yes -

(GDC 20) 9d,e APS

2. Safety injection No -

5: 9d.e SIAS Yes MXA

3. CVCS (boration) No - 8 No Yes MOA
4. Rod Control No -

6 No Yes Manual NPX80-IC-RR790-02 Revision 00 44 of 58 s

System 80+ Functions Table 4 - BUCCESS PATH ALLOCATIONS (page 2 of 10)

CRITICAL FUNCTION: Protective B. Maintenance of Allocation Requirements SfSTEM 80+

Vital Auxiliaries Systen or Comodity? 10 CFR 50 NUREG/CR- Auto Manual Control Justification for solely manual init/cnti of SUCCESS PATHS 3331 Init init protective systen (IEEE 603-1991)

1. Emergency Diesel Yes Auto intt ic-d; 2: LOOP Yes MXA Generators (AC) (GDC 20) 9d.e.f SIAS EFAS
2. Reserve Aux Yes Auto init Ib-d: 2: Loss Yes MXA Transformers (Site AC) (GDC 20) 9d e,f of Unit Main Xfmr
3. Vital Station Yes Auto init Ib-d; 2: Loss Yes MXA Batteries (DC) (GOC 20) 9d e.f of vital AC
4. Alternate Generator No - 5; 9d,e.f LOOP Yes MXA (AC)
5. Unit Main No -

8 No Yes MOA Transformer ($lte AC)

6. Non-vital Station No - Ib; 2: Yes Yes MDA Batteries (DC) 9d e.f NPX80-IC-RR790-02 Revision 00 45 of 58

System 80+ Functions Table 4 -

SUCCESS PATH ALLOCATIONS (page 4 of 10)

CRITICAL FUNCTION: Protective C. RCS Inventory Allocation Requirements SYSTEM 80+

Control Syst e or Comodity? 10 CFR 50 MUREG/CR- Auto Manual Control Justification for solely manual init/entl of SUCCESS FATHS 3331 init init protective syst m (IEEE 603-1991)

1. Safety Injection Yes Auto Init Ib-d; 2; SIAS Yes MXA (GDC 20) 9d.e f
2. CVCS (Charging & No -

8 No Yes MCA Letdown) i f

e NPX80-IC-RR790-02 Revision 00 46 of 58

! i i -

4 a

  • - . . - . - - , - , , , , , , _ . , , . _ -..,__.,__........,..,_,,,,,,._.._%,,,,,m m._,.., _

,_y,-,, ,,_,_.__.,

System 80+ Functions Table 4 - SUCCESS PATH ALLOCATIONS (page 5 of 10)

CRITICAL FUNCTION: Protective D. RCS Pressure Allocation Requirements SYSTEM 80+

Control System or Commodity? 10 CFR 50 NUREG/CR- Auto Manual Control Justification for solely manual Init/cnti of SUCCESS PATHS 3331 Init Init protective syst m (IEEE 603-1991)

1. Safety Injection Yes Auto init Ib-d; 2; SIA3 Yes MXA (GDC 20) 9d,e.f
2. Rx Gas Vent System Yes Auto init (Ic); 6 No Yes Manual System is credited for providing (Safety (GDC 20) depressurization ability to SCS entry Depressurization) conditions. Rapid response is not required (cooldown typically takes 8-12 hours), but spurious system actuation could compromise safety. Thus, auto initiation is not necessary or desirable. Operator actions performed under normal MCR habitability conditions.
3. PZR Heaters & No - S; 9d-f No Yes MOA Sprays
4. CVCS (Charging & No -

6 No Yes MOA letdown. Aur Spray)

S. SG Steaming No - 6 No Yes MOA

6. Pressure Reliefs Yes Auto init Ib-d; 2 Pres- No Auto (GDC 20) sure Set point NPX80-IC-RR790-02 Revision 00 47 of 58 s

System 80+ Functions Table 4 - SUCCESS PATH ALLOCATIONS (page 6 of 10)

CRITICAL FUNCTION: Protective E. Core Heat Removal Allocation Requirements SYSTEM 80+

System or Comodity? 10 CFR 50 NUREG/CR- Auto Manual Control Justification for solely ennual init/cnti of SUCCESS FATHS 3331 Init init protective syst e (IEEE G03-1991)

1. Natural Yes Auto init Ic.d: 2 Passive Yes MXA Circulation (GDC 20)
2. Forced Circulation No - 8 No Yes -
3. Safety injection Yes Auto : nit (Ic); 6 No Yes MXA DVI provides an added success path (not the (Direct Vessel (GDC 20) preferred means) for Core Heat Removal. For Injection) DBEs, loss of natural cire may imply prior RCS Pressure or Inventory problems and possible auto SI initiation, but not for Heat Removal per se. With 51 initiation, DVI lineup is automatically established.

Operator has responsibility to evaluate Core Heat Removal performance, to modify Si lineup to best suit plant conditions, and to initiate and maintain heat sink performance.

NPX80-IC-RR790-02 Revision 00 48 of 58

System 80+ Functions Table 4 - BUCCESS PATH ALLOCATIONS (page 7 of 10)

CRiflCAL FUNCi10N: Protective F. RCS Heat Removal Allocation Requirments SYSTEM 80*

Systm or Comodity? 10 CFR 50 NUREG/CR- Auto Manual Control Justification for solely manual init/cnti of SUCCESS PAilts 3331 Init Init protective systm (IEEE 603-1991)

1. Main Feed No - 8 No Yes MOA
2. Start Up Feed No - 5: 9a,d.f Yes Yes MXA
3. Emergency Feed Yes Auto & lb-d; 2; 9e EFAS Yes MXA Manual init (GDC 20; 50.34(f)

(2)(x11);

50.62(c)

4. Rapid No - (3b; 4); 6 No Yes Manual Depressurization System (Safety Depressurization)
5. Shutdown Cooling Yes Auto init (Ic); 6 No Yes MOA SCS not initially useful as success path in (GDC 20) DBEs, and inadvertent initiation is problematic; thus, manual operation is desirable. Actions performed under normal MCR habitability condittens.

NPX80-IC-RR790-02 Revision 00 49 of 58

System 80+ Functions Table 4 -

SUCCESS PATH ALLOCATIONS (page 8 of 10)

CRITICAL FUNCTION: Protective G. Containment Allocation Requirements SYSTEM 80+

lsolation Systen or Ccanodity? 10 CFR 50 NUREG/CR- Auto Manual Control Justification for solely mnual init/cntl of SUCCESS PATHS 3331 Init Init protective systm (IEEE 603-1991)

1. Penetration Yes Auto init. Ib-d 2: 9e CIAS Yes -

Flowpath Isolation Manual reset (GDC 20; 50.34(f)

(2)(xiv)

2. Penetration No -

8 No Yes Manual Flowcath Control NPX80-IC-RR790-02 Revision 00 50 of 58

System 80+ Functions l

Table 4 - BUCCESS PATH ALLOCATIONS (page 9 of 10)

CRITICAL FUNCTION: Protective H. Containment Allocation Requirements SYST[M 80+

Environment System or Comodity7 10 CFR SO MUREG/CR- Auto Manual Control Justification for solely manual init/cnti of SUCCESS FATliS 3331 init init protective systm (IEEE 603-1991)

1. Containment Spray Yes Auto init Ib-d; 2; 9e CSAS Yes MXA (GDC 20)
2. Fan Coolers No - 8 No Yes MOA
3. H, Recombiners Yes Auto init (Ic); 8 No Yes Manual H, Recombiners are not necessary prior to 72 (GDC 20) hrs after start of limiting DBE. Operator has responsibility to setup, initiate, evaluate, and adjust or terminate Recombiner function. Actions performed in Nuclear Annex under acceptable post-accident habitability conditions.
4. H, Purge No - (3b.c; 4); 6 No Yes Manual S. H, Igniters No -

6 No Yes Manual NPX80-IC-RR790-02 Revision 00 51 of 58

System 80+ Functions Table 4 - SUCCESS PATH ALLOCATIONS (page 10 of 10)

CRITICAL FUNCTION: Protective I. Radiation Allocation Requirements 5YSTEM 80+

Emission System or Ctanodity? 10 CFR $0 NUREG/CR- Auto Manual Control Justification for solely manual Init/cntl of SUCCESS PATHS 3331 Init Init protective syst m (IEEE 603-1991)

1. Release Path Yes Auto init Ib-d; 2; 9e Hi Rad Yes -

Isolation (GDC 20; CIAS 50.34(f)

(xtv)(E)

2. Release Path No - 8 No Yes Manual Monitoring & Control NPX80-IC-RR790-02 Revision 00 52 of 58

I l

l System 80+ Functions 4.4 Other Allocations Supporting System Safety / Operator Performance The present section reviews some other significant facets of the System 80+ design. While these items are beyond the scope of the >

present evaluation, they identify additional points of change and l

improvement of prior design allocations in terms of the criteria l

of this report.

l

! 4.4.1 Added Functions / Features a) validated Accrecation of Data - The cross-checking of redundant data channels, and the aggregation of redundant data into representative (i.e., process representation) values has long been recommended as appropriace for automation, and an unnecessary burden on the human operator.

The Nuplex 80+ system implements such features with easy access to individual datum, if desired.

b) Mode Dependency of Alarms - Alarm mode dependency is now a system feature, reducing the number of nuisance alarms.

Mode shifts are fully automated post-trip, and partially automated in other cases (requiring the operator to respond to a prompt.)

c) Explicit Display of Derived Parameters - Important derived operating data such as heatup and cooldown rates, and density compensations, are directly displayed by the system rather than requiring operator calculation or inference.

d) Low Power Feedwater Control - This has historically been a problem task for human operators and a source of unnecessary trips due to long lags and complex dynamics in the process.

The automatic Low Power Feedwater Control system has been proven as an operational success on the System 80 plant, and improves power production reliability.

e) Automatic Testina Features - Digital technology has proven the successful automation of various test features possible.

Automatic digital PPS surveillance features have been proven as an operational success on Arkansas Nuclear Unit 2, and will be implemented in Nuplex 80+. Computer Automated Testing (COMAT) algorithms will also be provided for specific systems as support for manual testing activities, by confirming correct 1) test lineups, 2) test performance, and 3) system restoration.

NPX80-IC-RR790-02 Revision 00 53 of 58 a

System 80+ Functions f) Automatic Load Dispatch - The Megawatt Demand Setter allows changing load demands from the grid to be processed automatically, including maintenance of appropriate operating margins. This system has already been approved and installed on earlier generations of Combustion Engineering plants (specifically, LP&L's Waterford 3 and ANOl's Unit 2).

4.4.2 Removed Functions / Features a) Automatic Closure of SCS Isolation Valves - This equipment protection feature was a common cause of loss of SCS.

Redesign of the system for a higher operating pressure has eliminated the need for the trip.

b) Recirculation Actuation - The change to the In-containment Refuelling Water Storage Tank has eliminated the need to automatically (or manually) switch SI pumps from the RWST to the containment sump on low tank level, thus improving reliability. i I

c) Reauired Boronation for Maneuverina Reactivity Control - The addition of four CEAs, and the change from part-length to ,

part-strength (i.e., " grey") control rods, permits plant maneuvering in response to load transients without the need to change soluble boron concentration. The CEA maneuvering response can be performed automatically (see 4.1.1.f) or l manually. Boronating remains a manual function, but is no '

longer required as part of this evolution.

d) Automatic Isolation of Emeraency Feedwater - The addition of cavitating venturis to the EFW headers, which limit feed flow to Sgs with a steam or feed line rupture, makes the automatic isolation feature that formerly mitigated these events unnecessary. Manual isolation of the EFW headers remains possible. j 4.4.3 Miscellaneous 10 CFR Conformance i i

The single remaining allocation criterion of Section 2.1 that has I not yet been addressed is met as follows:

Automatic Initiation of Turbine Trio - Automatic turbine trip presently is in use at all operating Combustion Engineering units, and will be incorporated as a standard System 80+ feature.

NPX80-IC-RR790-02 Revision 00 54 of 58

i  !

! l i i l

l l

f System 80+ Functions l i

r 5.0 RESULTS As a descriptive evaluation, this report did not aim to create or i revise the design. Perhaps its main benefit has been to improve  ;

the author's understanding of the System 80+ design. l Nonetheless, some constructive if miscellaneous' observations on  ;

the evolution and incorporation of certain design details are l l

collected here, and could be viewed as "results". ,

t 5.1 Emergency Procedure Guidelines l 1

One important perspective on the use of plant systems to maintain l CSFs is provided by the EPGs. It is notable that developing the l present report provided a nexus for the discussion of operating i issues that resulted in some useful feedback to the EPG l developers. For example, the draft revision of the EPGs showed ,

both Hydrogen Purge and the Ignitors being started concurrently. l However, this would be undesirable; they should be successive and '

independent success paths. Also, the present report anticipated i the addition of the SDS system to the Heat Removal recovery I guidelines. While these points only reflect, rather than effect, the design, they do suggest that the evaluation has been a l

coherent, even constructive effort.

5.2 Reg Guide 1.97 The results of this study informally reiterate the ABB-CE response to DSER Open Item 7.5.2.1-1; i.e., that there are no manual protective functions (and thus no Type A variables or i Class lE alarms) in the System 80+ design.

5.3 Operating Experience Virtually all of the changes described in Sections 4.4.1 and 4.4.2 of this report are a direct result of incorporating operating experience with similar plants in the design of System 80+.

5.4 Functional Task Analysis Improved operator support by adjustments to the " allocation" of information display functions were suggested by the results of initial task analysis (Reference 21) . The concerns were based on estimated operator task loadings (time required vs. time available); resolutions were suggested in keeping with the Appendix A criteria. These results are being addressed in the detailed design (as will any subsequent task analysis results),

to ensure acceptable task workload levels are maintained.

NPX80-IC-RR790-02 Revision 00 55 of 58 l

.- . - . , - . . , - , , . . ,, n n , - , . ,

l System 80+ Functions

6.0 CONCLUSION

S This report has been a descriptive evaluation of the allocation of critical safety functions in the System 80+ design. The analysis assumes that existing plants of similar design with extensive, successful operating histories are a valid reference point from which to evaluate evolutionary changes and improvements. The conclusions of this evaluation are summarized as follows:

l

1. Critical Safety Functions (CSFa) have not changed between System 80 and the System 80+ plants.
2. CSF Success Paths and their control allocations are similar in System 80 and System 80+; changes and additions have been few, and afford well-considered improvements to overall plant performance.
3. System 80+ meets all safety-related requirements for l allocation of function. No additional allocation concerns have been identified.
4. System 80+ provides improvements through revised allocations in areas of known concern to operator performance.

l S. Evaluation of the interaction between the human and machine elements of the plant control system, and resolution of specific problems identified, will continue as part of Task Analysis, PRA, Verification & Validation, and procedure development activities.

6. This report satisfies the requirements of Section A-3.3.2.2 of the System 80+ HFE Program Plan (Reference 6), and of Elements 3 and 4 of the HFE Program Review Model (Reference 2) for System 80+ Certification.

i l

i I

l NPX80-IC-RR790-02 Revision 00 56 of 58

i System 80+ Functions

7.0 REFERENCES

1) Guidelines for Control Room Desian Reviews (NUREG-0700). I U.S. Nuclear Regulatory Commission (1981). ].

r

2) HFE Procram Review Model and Acceptance Criteria for Evolutionary Reactors (NUREG-5908; draft). U.S. Nuclear  ;

Regulatory Commission (1992). l t

3) Code of Federal Regulations. Title 10. Chapter I - Nuclear -

l Reculatory Commission. Part 50 - Domestic Licensino of Production and Utilization Facilities (10 CFR 50). Office  ;

of the Federal Register (1992). i

4) System 80+ Standard Safety Analysis Report (CESSAR-DC). ABB Combustion Engineering, Inc.  !
5) Reculatory Analysis for Resolution of USI A-17 (NUREG-1229).

U.S. Nuclear Regulatory Commission (1989). ,

6) Human Factors Procram Plan for the System 80+ Standard Plant Desian (NPX80-IC-DP790-01, Rev 1). ABB Combustion Engineering, Inc. (1992).
7) Minutes of Public Meeting (September 10 and 11, 1992; Windsor, CT) between representatives of_the NRC Human Factors Branch Staff and the ABB Combustion Engineering MMI Group regarding Human Factors Engineering design issues.

l l 8) Operatina Experience Review for System 80+ MMI Desian l (NPX80-IC-RR790-01, Rev 0). ABB Combustion Engineering, Inc. (1992).

l

9) Human Enaineerina Reauirements for Military Systems.

Eauipment. and Facilities _(MIL-H-46855B). Department of Defense (1979).

10) The Operator's Role and Safety Functions (TIS-6555A). _ABB Combustion Engineering (1980).
11) Time Response Desian Criteria for Nuclear Safety Related Operator Actions (ANS 58.8-1984). American Nuclear Society l (1984).
12) IEEE Standard: Criteria for Protection Systems for Nuclear Power Generatina Stations (IEEE 279-1971). Institute of Electrical and Electronics Engineers (1971).

NPX80-IC-RR790-02 Revision 00 57 of 58

~

System 80+ Functions

13) IEEE Standard Criteria for Safety Systems for Nuclear Power Generatina Stations (IEEE 603-1991). Institute of i Electrical and Electronics Engineers (1991).
14) IEEE Guide for the Aoplication of Human Factors Encineerina  ;

to Systems. Eauioment, and Facilities of Nuclear Power Generatina Stations (IEEE 1023-1988). Institute of Electrical and Electronics Engineers (1988).  !

15) ~ A Methodoloav for A11ocatina Nuclear Power Plant Control Functions to Human or Automatic Control (NUREG-3331). U.S. ,

Nuclear Regulatory Commission (1983).

16) Bvoassed and Incoerable Status Indication for Nuclear Power

, Plant Safety Systems (Reg Guide 1.47). U.S. Nuclear

  • Regulatory Commission (1973).
17) Manual Initiation of Protective Actions-(Reg Guide 1.62). i U.S. Nuclear Regulatory Commission (1973).
18) Instrumentation for Licht-Water-cooled Nuclear Power Plants to Assess Plant and Environs Conditions Durina and Followina l

an Accident (Reg Guide 1.97). U.S. Nuclear Regulatory  ;

Commission (1983).

I

19) Criteria for Power. Instrumentation, and Control Portions of l Safety Systems (Reg Guide 1.153). U.S. Nuclear Regulatory Commission (1985) .
20) Emergency Procedure Guidelines (CEN-152, Rev 3). ABB i

Combustion Engineering, Inc.

21) System 80+ Function & Task Analysis Report (NPX80-IC-DP790-l 02). ABB Combustion Engineering, Inc. (1989).

I

22) Advanced Licht Water Reactor Recuirements Document (EPRI ,

URD, Rev B). Chapter 10, Man-Machine Interface Systems. I Electric Power Research. Institute (1989).

i l

NPX80-IC-RR790-02 Revision 00 58 of 58

.- ~ _ . _ , , . . _ . - _ . _ . _ , ~ .

1 i

l System 80+ Functions I

l l

6 1

APPENDIX A i

FITTS LIST CRITERIA (from NUREG-0700) ,

i 1

NPX80-IC-RR790-02 Revision 00 A - 1 of 2

I l

l System 80+ Functions )

l I

i Humans Excelin Machines Excel in Detection of certain forms of very Monitoring (both personnel and low energy levels ' equipment i

Sensitivity to an extremely wide Performing routine, repetitive, or  ;

variety of stimuli very precise operations Perceiving patterns and making Responding very quickly to control i generalizations about them signals {

)

Detecting signals in high noise Exerting great force, smoothly and j levels with precision Ability to store large amounts of Storing and recalling large amounts information for long periods-and of information in short time-periods recalling relevant facts at appropriate moments Ability to exercise judgment where Performing complex and rapid l events cannot be completely computations with high accuracy l defined l Improvising and adopting flexible Sensitivity of stimuli beyond the l procedures range of human sensitivity (infrared,  !

radio waves, etc.)

Doing many different things at one  !

Ability to react to unexpected low $robability events time, i Applying originality in solving Deductive processes l problems: 1.e., alternative  ;

solutions Ability to profit from experience Insensitivity to extraneous factors 1 and alter course of action Ability to perform fine manipulation, Ability to repeat operations very especially where misalignment appears rapidly, continuously, and precisely unexpectedly the same way over a long period Ability to continue to perform when Operating in environments whidi are {

overloaded hostile to humans or beyond human tolerance Ability to reason inductively i

. i NPX80-IC-RR790-02 Revision 00 A - 2 of 2 V

i l

l <

l l

System 80+ Functions '

t l

APPENDIX B FUNCTION ALLOCATION CRITERIA (from NUREG/CR-3331) t t

I l

l I

i NPX80-IC-RR790-02 Revision 00 B - 1 of 6

System 80+ Functions l

FUNCTION ALLOCATION CRITERIA The following guidelines and criteria are adapted from NUREG-CR/3331, A Methodoloav for A11ocatina Nuclear Power Plant Control Functions to Human or Automatic Control. Tradeoff mechanisms and Fitts list-type human performance criteria are provided in the l' form of a decision algorithm (see also Appendix A, "Fitts List Criteria"). The algorithm can be applied at any level of detail; however, engineering judgment must be applied to determine when I the design description is sufficiently detailed for the purpose at hand. This provides an expedient framework for designers and i evaluators to verify appropriate allocations of plant control functions in any aspect of the design.

1. Is automation mandatory?
a. Are working conditions hostile to humans?
b. Ara tasks included which humans cannot perform?
c. Is automation required by law or regulations?
d. Is automation required to assure plant safety or protection?

Yes (any) - Go to step 2.

No (all) - Go to step 3.

(If automation is required only in part, then the design description may be detailed to identify that part.)

2. Is automation technically feasible?
a. Are proven technologies available?
b. Are the costs and development / delivery times acceptable?

Yes (all) - Tentatively allocate to auto; go to step 9.

No (any) - Redefine the function (s), allocation, or engineering solution, j l

l NPX80-IC-RR790-02 Revision 00 B - 2 of 6

system 80+ Punctions

3. Is human performance mandatory?
a. Is automation technically infeasible?  !
b. Is human required to retain policy-level or ultimate I control? l
c. Is human required by law or regulation? l l

Yes (any) - Go to step 4.

No (all) - Go to step 5.

(If a human operator is required only in part, then the  :

design description may be detailed to identify that part.) l l

t

4. Is human performance a feasible solution?  !
a. Can humans perform the specified tasks? I
b. Are the costs and development / delivery times of the necessary support (e.g., procedures, training, etc.)

acceptable?

Yes (all) - Allocate to human; go to step 11.

No (any) - Redefine the function (s), allocation, or engineering solution. l

5. Is automation clearly preferable to human operators?
a. Is automation technology well-established as suitable?

(i.e., effective, reliable, cost-effective, etc.)

b. Is human performance acknowledged as less satisfactory?

Yes (all) - Tentatively allocate to auto; go to step 9. i No (any) - Go to step 6.

(If automation is preferable only in part, then expand the design description sufficiently to identify that part.)

l 1

l l

NPX80-IC-RR790-02 Revision 00 B - 3 of 6

I i

f System 80+ Functions ,

c

6. Is human performance clearly preferable to automation? i
a. Is human performance regarded as clearly necessary, or t superior to automation? l Yes - Allocate to human; go to step 11. l No - Go to step 7.

(If a human operator is preferable only in part, then the design description may be detailed to identify that part.)

i

7. Is the segment a suitable candidate for automation?
a. Is the segment comprised of mechanistic or repetitive tasks?
b. Does the segment require sustained vigilance?
c. Does the segment require extremely rapid or consistent responses? ,
d. Is the segment comprised of well-defined and highly predictable conditions, actions, and outcomes?
e. Is the segment likely to be required at the same time as +

a large (i.e., excessive) number of other tasks? ,

I

f. Does the segment require the collection, storage, manipulation, or recall of data in substantial amounts, '

or with high accuracy?

Yes (any) - Tentatively allocate to auto; go to step 9. f No (all) - Go to step 8. l l

8. Is the segment suitable for human operator performance?
a. Is it within the realm of human strengths and capabilities?
b. Will the task form an appropriate and satisfactory part  ;

of an operators job? (i.e., cannot be trivial, demeaning, l or comprised of leftovers)

c. Will it allow the operator to maintain satisfactory workload? (i.e., neither too high nor too low)

Yes (all) - Allocate to human; go to step 11.

No (any) - Go to step 10.

NPX80-IC-RR790-02 Revision 00 B - 4 of 6 ,

l System 80+ Functions j

9. Reconsider the tentative automatic. allocations in terms of their negative impact on human operator performance. ,
a. Would manual performance of the task help to keep the operator engaged with the plant, informed of process 7 status, or prepared to plan and solve problems? j
b. Would manual performance of the task provide the operator-with important opportunities to develop or maintain valuable skills or knowledge? ,
c. Will absolute implementation of the automatic. feature (s) contribute to operator underloading (e.g., boredom)?
d. Would the option for manual control from the control room afford desired flexibility?  !
e. Would the option for manual control from the control room i afford more reliable performance of the function? .
f. Would the option for manual control from the control room j be desirable for testing, maintenance, or management of i off-normal conditions?  ;

i Yes (any) - Make a tentative allocation to automation with  !

operator discretion. If operator discretion is i superordinate (man selects auto or manual modes) then go to l step 11. If operator discretion is subordinate (man may l initiate but not override automatic action), go to step 12. ,

No (all) - Allocate to automation; go to step 12. {

l

10. If any segments remain unallocated, apply the following l criteria: J
a. Comparative cost of human and automated. options
b. Consistency with preceding design goals and selections
c. Available technologies
d. Customer preference
e. Operator acceptance or, redefine the function (s), allocation, or engineering solution.

If allocated to automation, go to step 9.

If allocated to human operator, go to step 11.

l l

l NPX80-IC-RR790-02 Revision 00 B - 5 of 6 .

-. _ - , , , _ . . , . . ., _ .4 _ . - - . , _ _ , ~ _ . - . . _ _ _

l l

)

System 80+ Functions

11. Consider residual automated and control system support for the operator .
a. Data display and integration  !
b. Monitoring of limits _and detection of abnormalities >
c. Hierarchical access to indicating and control options-
d. Automatic control of inner loops
e. " Fail safe" controls
f. (etc.)

Complete any required documentation.

12. Consider the residual role of the human operator in support of the automated function:
a. Policy-level control.(e.g., initiation of transitions to  ;

less conservative plant states)-  ;

b. Awareness-of automatic system status, transitions, availability, etc.
c. Detection of abnormalities and management of failures, ,

including those in " hidden" or low-level features  ;

d. Emergency initiation or shutdown
e. Override of selected interlocks under specified i conditions
f. Removal of equipment from service
g. Status of local transfer or test switches Complete any required documentation.

l l

NPX80-IC-RR790-02 Revision 00 B - 6 of 6

. _ . - . . - - . - -