ML20079Q414


Safety Parameter Display System Program Plan, in Response to Generic Letter 82-33, Supplement 1 to NUREG-0737

Accession number: ML20079Q414
Site: Fort Saint Vrain
Issue date: 09/30/1983
From: Public Service Co. of Colorado
Shared package: ML20079Q407
References: RTR-NUREG-0737, RTR-NUREG-737, GL-82-33, PROC-830930, TAC-51242, NUDOCS 8402010157



PUBLIC SERVICE COMPANY OF COLORADO
FORT ST. VRAIN NUCLEAR GENERATING STATION
SAFETY PARAMETER DISPLAY SYSTEM PROGRAM PLAN
September 30, 1983

(Microfiche stamp: 8402010157 840120 PDR ADOCK 05000267)

TABLE OF CONTENTS

1.0 INTRODUCTION AND PURPOSE
    1.1 PROGRAM PLAN
    1.2 SPDS
    1.3 REFERENCES / APPLICABLE DOCUMENTS
2.0 REQUIREMENTS
    2.1 FUNCTIONAL / OPERATIONAL REQUIREMENTS
        2.1.1 Functions / Features
        2.1.2 Parameters
        2.1.3 Equipment
        2.1.4 Human Factors
        2.1.5 Operations
    2.2 PERFORMANCE REQUIREMENTS
    2.3 INTERDEPENDENCIES
        2.3.1 Training
        2.3.2 Verification and Validation
        2.3.3 Safety Analysis
3.0 FEATURE OVERVIEW
    3.1 FEATURES
    3.2 FUNCTIONAL RELATIONSHIPS
    3.3 INTERFACES
4.0 FEATURE DESCRIPTIONS
    4.1 DEDICATED CRT
    4.2 2-ON-1 CONSOLE / 3-ON-1 KEYBOARD
    4.3 PRIMARY DISPLAY
    4.4 SECONDARY DISPLAY
    4.5 ACCESS TO DISPLAYS
    4.6 ALARM / WARNING
    4.7 ALARM BOXES
    4.8 ALARM BOX "REFLASH" CAPABILITY
    4.9 AUDIBLE ALARM
    4.10 AUDIBLE ALARM "RESOUND" CAPABILITIES
    4.11 PARAMETER CONDITION CHANGE
    4.12 ACKNOWLEDGMENT OF REQUESTS TO THE SYSTEM
    4.13 TIME DERIVATIVES
    4.14 ACCURACY OF PARAMETERS
    4.15 PARAMETER SELECTION AND ANALYSIS
    4.16 HIGH RESOLUTION CRT
    4.17 LOCATION IN THE CONTROL ROOM
    4.18 SYSTEM DATE
    4.19 LOCATIONS
    4.20 AUTOMATIC OPERATION MODE
    4.21 RESPONSE TIME
    4.22 DATA AVAILABILITY
    4.23 DUAL COMPUTER SYSTEM
    4.24 SAFETY ANALYSIS
APPENDIX A
    Figure 1  SPDS Software Functional Relationships
    Figure 2  Future Plant Computer Configuration
    Figure 3  Existing Plant Computer Configuration
    Table 1   SPDS Feature / Requirement Implementation
    Table 2   SPDS Non-Seismic Panel Recommended Parameter List
    Table 3   PSC SPDS Parameter List
    Fort St. Vrain SPDS Verification and Validation Program
    Figure 1  Sequence of Events


ABBREVIATIONS

SPDS   Safety Parameter Display System
NUTAC  Nuclear Utility Task Action Committee
FSV    Fort St. Vrain
HTGR   High Temperature Gas-Cooled Reactor
V&V    Verification and Validation
DD     Design Directive
TSC    Technical Support Center
FCP    Forward Command Post
CRT    Cathode Ray Tube
RO     Reactor Operator
CSF    Critical Safety Functions

DEFINITIONS

Podian Subsystem - Post-Disturbance Analysis software that stores "snapshots" of the data base on disk.

Checkpoint Failover Subsystem - Software that keeps the data current from on-line to standby and causes a "failover" from on-line to standby.

40-700 - The memory coupling device that allows the on-line computer system to communicate with the standby system.

Man-machine subsystem - Software that controls the interface between the console keyboards and the computer.

1.0 INTRODUCTION AND PURPOSE

1.1 PROGRAM PLAN

The Safety Parameter Display System (SPDS) is one element of several interrelated efforts designed to improve control rooms, emergency response capabilities and procedures. The regulatory requirements for providing an SPDS are contained in NUREG-0737, Supplement 1 (Generic Letter 82-33).

Guidance for the SPDS and related activities has been derived from various NUREGs (see Section 1.2) and the industry-sponsored SPDS Nuclear Utility Task Action Committee (NUTAC) document entitled "Guidelines for an Effective SPDS Implementation Program". The methodology developed within this plan takes into account the unique characteristics of the Fort St. Vrain (FSV) High Temperature Gas-Cooled Reactor (HTGR).

The purpose of this program plan is to describe the manner in which Public Service Company (PSC) intends to proceed to implement the SPDS at the FSV Station. This document will provide a basis for the requested NRC pre-implementation review of the SPDS.

A schedule for implementation of the SPDS was included in PSC Letter P-83147 and is not repeated here.

1.2 SPDS

The principal purpose and function of the Safety Parameter Display System (SPDS) is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators. The SPDS simply concentrates the Critical Safety Functions of the plant (most of which are indicated on the control board) into a single set of dedicated displays.

The design of the primary or principal display format shall be as simple as possible, consistent with the required function, and shall include pattern and coding techniques to assist the operator in memory recall for the detection and recognition of potentially unsafe operating conditions. The SPDS will include some audible notification to alert personnel of an unsafe operating condition. The design of the SPDS will be expandable to accept new functions.

Displayed data shall present a current and accurate status of the plant and shall be validated on a real-time basis where practicable. For example, redundant sensor data may be compared, the range of a parameter may be compared to predetermined limits, or other quantitative methods may be used to compare values.

Validated parameters, unvalidated parameters, and invalid data will be identified where practical. Validated parameters will be easily distinguished from unvalidated parameters. A Verification and Validation program will be followed in accordance with the guidelines in the attached document, "Fort St. Vrain SPDS Verification and Validation Plan".
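The validation scheme sketched above (compare redundant sensors, compare each value to a predetermined physical range, and tag the result so the display can tell validated from unvalidated and invalid data) is shown below as an added example. It is not code from the PSC plan or from the Fort St. Vrain plant computer; the parameter names, ranges, agreement tolerances and sensor readings are constructed for illustration.

```python
"""Real-time parameter validation in the style described in Section 1.2.

Added example, not part of the original PSC program plan. Each parameter has
one or more redundant readings; readings outside the physically possible
range are discarded, the survivors are cross-checked against an agreement
tolerance, and the parameter is tagged VALIDATED, UNVALIDATED or INVALID.
All names and numbers below are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional

VALIDATED = "VALIDATED"      # redundant readings agree and are in range
UNVALIDATED = "UNVALIDATED"  # single reading, or redundant readings disagree
INVALID = "INVALID"          # no in-range reading at all (bad telemetry)


@dataclass(frozen=True)
class ParamSpec:
    name: str
    low: float         # lower bound of the physically possible range
    high: float        # upper bound of the physically possible range
    agreement: float   # maximum spread allowed between redundant readings


@dataclass(frozen=True)
class Validation:
    name: str
    value: Optional[float]   # value to display; None when INVALID
    status: str
    reason: str


def validate(spec: ParamSpec, readings: list) -> Validation:
    """Validate one parameter from its redundant readings (None = missing)."""
    good = [r for r in readings if r is not None and spec.low <= r <= spec.high]
    if not good:
        return Validation(spec.name, None, INVALID, "no in-range reading")
    if len(good) == 1:
        # Nothing to cross-check against: show it, but flag it as unvalidated.
        return Validation(spec.name, good[0], UNVALIDATED, "single reading, no cross-check")
    spread = max(good) - min(good)
    if spread > spec.agreement:
        # Sensors disagree: the median limits the influence of one bad channel,
        # and the operator is told the value could not be validated.
        return Validation(spec.name, median(good), UNVALIDATED,
                          f"redundant readings disagree by {spread:g}")
    return Validation(spec.name, sum(good) / len(good), VALIDATED, "redundant readings agree")


# Constructed sample: two pressure channels that agree, three temperature
# channels where one is off, and a flow with one dead channel.
SPECS = {
    "primary_pressure": ParamSpec("primary_pressure", 0.0, 1000.0, 10.0),
    "core_outlet_temp": ParamSpec("core_outlet_temp", 0.0, 2000.0, 25.0),
    "helium_flow": ParamSpec("helium_flow", 0.0, 5000.0, 100.0),
}
SAMPLE = {
    "primary_pressure": [702.0, 705.5],
    "core_outlet_temp": [1420.0, 1418.0, 1495.0],
    "helium_flow": [None, 3120.0],
}


def validate_all(specs=SPECS, sample=SAMPLE) -> dict:
    """Validate every parameter in the sample; keyed by parameter name."""
    return {name: validate(specs[name], sample[name]) for name in specs}


if __name__ == "__main__":
    for v in validate_all().values():
        print(f"{v.name:18} {v.status:12} {str(v.value):8} {v.reason}")
```

The status tag, not just the value, is what the display consumes: an UNVALIDATED parameter still reaches the operator, but the plan's requirement that it be visibly distinguished from a validated one is what lets the operator decide how much to trust it.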

Selected Emergency Procedures will be reviewed as part of the Control Room Design Review. Any necessary changes with regard to SPDS will be incorporated at that time.

1.3 REFERENCES / APPLICABLE DOCUMENTS

The following documents were considered in the development of Fort St. Vrain's SPDS program:

NUREG-0696  "Functional Criteria for Emergency Response Facilities"
NUREG-0835  "Human Factors Review Guidelines for the Safety Parameter Display System"
NUREG-0737  "Requirements for Emergency Response Capability", Supplement 1 to NUREG-0737
IEEE 384    "Criteria for Independence of Class 1E Equipment and Circuits", 1981

Other Public Service Company of Colorado documents utilized:

Design Directive CRT-1 (DD CRT-1)
Design Directive KEY-1 (DD KEY-1)
Design Directive SLS-1 (DD SLS-1)
Control Room Design Review Program Plan

2.0 REQUIREMENTS

The following subsections provide the description of the requirements essential to the successful development of the Safety Parameter Display System. Using the NUREGs as guidance, these requirements were developed as they apply to an HTGR.

2.1 FUNCTIONAL / OPERATIONAL REQUIREMENTS

2.1.1 Functions / Features

1. A dedicated display with a single primary display format will continuously display the minimum parameter set necessary to assess the safety status of the plant at each mode of plant operation. Modes of plant operation are:
   1. Startup
   2. Low Power
   3. Power

2. The secondary display may be individual plant parameters or may be composed of a number of parameters or derived variables giving an overall system status.

3. The recall of additional data on secondary formats or displays will be available.

4. Display of time derivatives of the parameters in lieu of trends, to both optimize operator process communication and conserve space, is acceptable.

5. The secondary display format will contain the magnitude of all variables being displayed and the time derivatives of selected parameters.

6. The display of time derivatives of variables will unambiguously reflect the trends in the variables.

7. The algorithm used for time derivatives will be adequate to track oscillating plant variables that may exist during the design basis events for the plant.

8. The SPDS will contain operator interactive devices.

9. The display system will positively acknowledge each request that the design allows the operator to make.

10. A display will be included of calendar date and time of day with some means of indicating the passage of seconds. The display will be updated only when the system is operating properly, so that a static time would indicate a system failure. The date and time will be located in a corner of the display so as not to distract the operator.

11. Color coding will be used to indicate the approach to unsafe operation and to indicate unsafe operation.

12. The display system will emit a distinct, audible sound, such as the beeper available on computer terminals, upon detecting an abnormal operating condition.

13. The SPDS alarm system will have provisions to silence, acknowledge, and reset.

14. Performance tests of the silence, acknowledge, and reset functions will be performed.

2.1.2 Parameters

1. Data will be displayed to provide sufficient information to plant operators about:
   (a) Reactivity Control
   (b) Primary System Heat Removal
   (c) Secondary System Heat Removal
   (d) Radioactivity Control
   (e) Primary Coolant System Integrity
   Specific parameters to be displayed have been determined by Nuclear Engineering and Technical Services (see Table 3).

2. Each parameter will be displayed with an accuracy sufficient for the operator to discriminate between abnormal operating conditions and normal operating conditions.

3. Non-calculated parameters can be compared to instrumentation on the control board.

2.1.3 Equipment

1. The processing and display devices of the SPDS will be of proven high quality and reliability.

2. The SPDS will be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems.

3. The SPDS will be located in the control room, with additional SPDS displays provided in the TSC and FCP.

2.1.4 Human Factors

1. The SPDS shall be designed to incorporate accepted human factors principles so that the displayed information can be readily perceived and comprehended by SPDS users.

2. Each group of parameters will be displayed so that all are visible to the operator within one field of view.

3. The parameters will be sequenced in a logical manner to facilitate operator comparison of parameters in evaluating the safety status of the plant.

4. The primary display format will utilize patterns and display enhancements as discussed in Section 3 of NUREG-0835 as it applies to an HTGR.

5. The SPDS will be readily distinguished from other displays on the control board.

6. The display design will conform to the appropriate display readability guidelines stated in FSV Design Directive CRT-1, such as viewing distance, viewing angle, and screen location for standing and seated operators at the West End Reactor Operator's Station.

7. The data displayed on the CRT will have acceptably low flicker and noise.

8. Alpha-numeric characters generated with a 7x9 dot matrix or larger are preferable; characters with a 5x7 dot matrix are acceptable.

9. The density of the display will be less than 25% when complex symbology is displayed (e.g. mimics).

10. Glare from normal or emergency lighting will not restrict viewing of the SPDS from within the control room. The use of antiglare techniques and devices is acceptable when they are in accord with other criteria stated in FSV Design Directive CRT-1.

11. For ease of detection, the symbol-to-background contrast ratio will fall within the range specified in Design Directive CRT-1 for all important data.

12. Alpha-numeric keyboards for the SPDS will have the same keyboard layout as the other keyboards in the control room (Design Directive KEY-1).

13. The display system will emit a distinct, audible sound, such as the beeper available on computer terminals, upon detecting an abnormal operating condition.

14. Pattern and coding techniques shall be used to assist operator detection and recognition of the approach to unsafe operating conditions.

15. Physical obstructions will not block a person's field of view of the SPDS when the person is at the normal work station.

16. If the SPDS is not in the operator's direct field of view at the work station, a reorientation of his/her field of view will allow viewing the SPDS from the work station.

17. Members of the control room operating crew have physical access to the SPDS keyboard from their normal work station. A short direct walk to the SPDS keyboard is acceptable.

18. Luminance levels and luminance contrast will not limit viewing from the normal work station.

19. The SPDS shall be of such size as to be compatible with the existing space in the control area.

20. The SPDS shall not interfere with normal movement or with full visual access to other control room operating systems and displays.

21. Operation of the plant with the SPDS out of service is allowed provided that the control board is sufficiently human factored to allow the operations staff to perform the safety status assessment task in a timely manner.

22. The SPDS will be designed incorporating human factors in accordance with the FSV Design Directives (CRT-1, KEY-1, SLS-1). The overall integration of the SPDS will be evaluated by the Verification and Validation program.

2.1.5 Operations

1. Operator interaction with the SPDS will be designed such that training in computer programming is not required.

2. No additional operating staff other than the normal control room operating staff will be added for operation of the SPDS.

3. Operator requests to the display system will result in secondary displays of additional data on secondary formats.

4. Operator acknowledgment of a change in the displayed parameters from the primary SPDS display will be possible in a matter of seconds.

5. The display system will positively acknowledge each request that the design allows the operator to make.

6. There will be operator interaction incorporated in the display designs.

7. After the SPDS has been installed, operating procedures will be available that will allow timely and correct safety status assessment when the SPDS is not available.

2.2 PERFORMANCE REQUIREMENTS

1. The sampling rate for each parameter is chosen such that there is no meaningful loss of information in the data presented to the operator.

2. The time delay from when the sensor signal is sampled to when it is displayed will be no greater than 5 seconds.

3. Data will be available for retrieval and will not be lost as a result of an electrical power failure.

4. Data stored for retrieval will be stored on a secure medium and will be available upon demand.

5. Response times to operator requests for information on secondary displays will conform to FSV Design Directive SLS-1 guidelines for computer response time to operator queries.

6. The SPDS as used in the control room shall be designed to an annual operational unavailability goal of 0.01.

7. The annual unavailability goal for the SPDS during the startup mode of the reactor shall be 0.2.

2.3 INTERDEPENDENCIES

2.3.1 Training

1. The control room operations staff shall be provided with sufficient information and criteria for performance of an operability evaluation of the SPDS.

2. Operating procedures and operator training in the use of the SPDS shall contain information and provide guidance for the resolution of unsuccessful data validations.

3. After the SPDS has been installed, operating procedures will be available that will allow timely and correct safety status assessment when the SPDS is not available.

4. Operator training in the use of the SPDS includes practice in dealing with unvalidated data and application of procedures to resolve unsuccessful data validation.

5. The operator training program will contain instructions on the use of the SPDS.

6. An SPDS user's manual will be available for operator reference in the control room.

2.3.2 Verification and Validation

1. A qualification program will be established to demonstrate SPDS conformance to the functional criteria of this document.

2. A test plan will be available for the SPDS which will define a minimum of one test case for each major functional criterion of the display system.

3. All display formats in the design will be tested, including mode-dependent formats.

4. A test report containing the results of the test cases will be compiled. All major functional criteria must be tested successfully.

2.3.3 Safety Analysis

1. Public Service Company will prepare a written safety analysis describing the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents.

2. The selection of specific information that will be provided for FSV will be based on engineering judgement, taking into account the importance of prompt implementation.

3. The minimum set of critical functions will be the ones by which the operator evaluates the safety status of the plant.

3.0 FEATURE OVERVIEW

3.1 FEATURES

The FSV Safety Parameter Display System will be built around the current Fort St. Vrain plant computer system. It will use the existing data base, data acquisition subsystem, alarming subsystem and man-machine subsystem. Additions and some modifications will be made to the existing software to perform the SPDS functions. The analog scan rate will remain unchanged.

The historical data requirements will be met by the Podian Subsystem, the Post Trip Subsystem and the Historical Data Subsystem. Minor modifications will be made to the existing Checkpoint-Failover Subsystem to incorporate a second 40-700 (memory coupling device) into the scheme. This is to increase system reliability.

A single dedicated CRT will be used in the control room for the SPDS displays. The CRT will be mounted in the control board in the I-04 panel and will share the keyboard of the West End Reactor Operator's console. Only SPDS displays will be allowed on the CRT. Any other CRT will have access to these same SPDS displays.

The Technical Support Center (TSC) and the Forward Command Post (FCP) will have CRTs which are capable of displaying the SPDS parameters but are not dedicated to that function.

The SPDS displays will be distinguished from the other displays by the five boxes (one for each parameter category) on the display which will indicate whether each category has any acknowledged or unacknowledged warnings or alarms (see the detailed feature descriptions in Section 4 for further explanation of this feature). Accessing the SPDS displays will be as simple as possible. An audible alarm on the CRT will be added for SPDS parameters, which can be silenced from the control board. The alarm limits of the SPDS parameters may be variable depending on the plant status. Alarms generated by the SPDS parameters will be distinguishable from other alarms on the alarm summaries.

3.2 FUNCTIONAL RELATIONSHIPS

See Figure 1 for functional relationships. This diagram shows the areas in which new code must be added or existing code must be modified.

3.3 INTERFACES

All interfaces to the SPDS system are through the CRTs. There will be very few changes required to the existing Man-Machine subsystem. The definition of the SPDS keyboard will take care of limiting the functional capabilities of the SPDS CRT to those things which are needed to determine the safety status of the plant.

4.0 FEATURE DESCRIPTIONS

The following subsections describe in detail the external features introduced in Section 3.0 (FEATURE OVERVIEW). The relationship between these features and their corresponding requirements can be found in Table 1.

4.1 DEDICATED CRT

4.1.1 The SPDS will be a single dedicated CRT in the control room.

4.2 2-ON-1 CONSOLE / 3-ON-1 KEYBOARD

4.2.1 Although the SPDS is a physically separate CRT, it will be part of a 2-on-1 console with a 3-on-1 keyboard. The SPDS CRT will be located in the I-04 panel; the other two CRTs are located at the West End Reactor Operator's Station in the control room. There are 3 buttons, numbered 1, 2, 3 respectively. Numbers 1 and 2 will access the 2 CRTs at the West End Reactor Operator's Station; number 3 will access the SPDS. When the SPDS is accessed, the physical keyboard layout remains the same but the pre-assigned function keys are defined specifically for the SPDS.

4.3 PRIMARY DISPLAY

4.3.1 The primary display format consists of the 5 Critical Safety Function (CSF) categories through which the associated parameters for each category can be accessed. This display serves as the "master menu" to the other SPDS displays. When the operator recognizes there is an alarm / warning condition in one of the five CSF categories, he pushes button number 3 at the West End Reactor Operator's console. At this time he has the option of going to either:

1. The poke point to the left of the category in alarm at the top of the display, or

2. The poke points across the top of the large box at the bottom of the display.

By pressing the "cursor transmit" key, he will then access the secondary display with the associated parameters for that category.

4.4 SECONDARY DISPLAY

4.4.1 The secondary display format consists of:

   o the parameter name
   o the value
   o a rate of change value (where applicable)
   o an associated display where the operator can access further information at another CRT

4.5 ACCESS TO DISPLAYS

4.5.1 Access to the various displays will be through the following methods:

1. Poke points located next to the category name and immediately above the large alarm box at the bottom of the screen.

2. The "page forward" key will access the displays in the following order:

      FSPDL: Master Menu
      Reactivity Control
      Primary System Heat Removal
      Secondary System Heat Removal
      Primary Coolant System Integrity
      Radioactivity Control

   o "page back" will access the previous category's secondary display
   o all other paging keys will return to the "master menu" display

3. Another method of accessing the SPDS displays quickly and easily will be through pre-assigned function keys. This requires pressing the number 3 button on the West End Reactor Operator's console, at which time the keyboard is assigned to SPDS. The SPDS master menu and the secondary displays will then be available through the assigned function keys.
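Sections 3.3, 4.2, 4.3 and 4.5 together describe a small access-control and navigation design: the shared keyboard is only assigned to the SPDS after button 3 is pressed, the SPDS keyboard definition honours only the keys needed for safety-status assessment, "page forward" walks the displays in a fixed order, "page back" returns to the previous category, and every other paging key returns to the master menu. The model below is an added example of that behaviour, not software from the plan or from the Fort St. Vrain plant computer. The key names (PAGE_FWD, PAGE_BACK, PAGE_TOP, CURSOR_TRANSMIT, F1 to F5), the wrap-around at the ends of the page-forward order, and the function-key-to-category assignment are assumptions; the display names are those listed in Section 4.5.

```python
"""Keyboard assignment and SPDS display navigation (Sections 3.3, 4.2, 4.3, 4.5).

Added example, not the plant computer's software. Key names, the wrap-around
of page forward/back at the ends of the list, and which function key selects
which category are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

MASTER_MENU = "FSPDL: Master Menu"
# Page-forward order from Section 4.5; index 1..5 are the five CSF categories.
DISPLAY_ORDER = [
    MASTER_MENU,
    "Reactivity Control",
    "Primary System Heat Removal",
    "Secondary System Heat Removal",
    "Primary Coolant System Integrity",
    "Radioactivity Control",
]

# The SPDS keyboard definition: the only keys the dedicated CRT will act on.
# Everything else is dropped, so the CRT cannot be driven beyond safety-status
# assessment (Section 3.3). Names are assumed.
FUNCTION_KEYS = {"F1": 1, "F2": 2, "F3": 3, "F4": 4, "F5": 5}   # F-key -> category
PAGING_KEYS = {"PAGE_FWD", "PAGE_BACK", "PAGE_TOP", "PAGE_BOTTOM"}
SPDS_KEYS = PAGING_KEYS | set(FUNCTION_KEYS) | {"CURSOR_TRANSMIT"}


@dataclass
class Console:
    selected_crt: int = 1                 # buttons 1/2: West End CRTs, 3: SPDS
    spds_display: str = MASTER_MENU
    cursor_category: Optional[str] = None # poke point the cursor rests on
    rejected: list = field(default_factory=list)

    def press_button(self, n: int) -> None:
        """Buttons 1, 2, 3 choose which CRT the 3-on-1 keyboard drives."""
        if n not in (1, 2, 3):
            raise ValueError("the console has buttons 1, 2 and 3 only")
        self.selected_crt = n

    def move_cursor(self, category: str) -> None:
        """Place the cursor on the poke point of a CSF category (Section 4.3)."""
        if category not in DISPLAY_ORDER[1:]:
            raise ValueError(f"no poke point for {category!r}")
        self.cursor_category = category

    def key(self, name: str) -> str:
        """Handle one keystroke; returns the display now shown on the SPDS CRT."""
        if self.selected_crt != 3:
            return self.spds_display          # keyboard belongs to another CRT
        if name not in SPDS_KEYS:
            self.rejected.append(name)        # not in the SPDS keyboard definition
            return self.spds_display
        i = DISPLAY_ORDER.index(self.spds_display)
        if name == "PAGE_FWD":
            self.spds_display = DISPLAY_ORDER[(i + 1) % len(DISPLAY_ORDER)]
        elif name == "PAGE_BACK":
            self.spds_display = DISPLAY_ORDER[(i - 1) % len(DISPLAY_ORDER)]
        elif name in FUNCTION_KEYS:
            self.spds_display = DISPLAY_ORDER[FUNCTION_KEYS[name]]
        elif name == "CURSOR_TRANSMIT":
            if self.cursor_category is not None:
                self.spds_display = self.cursor_category
        else:
            self.spds_display = MASTER_MENU   # all other paging keys
        return self.spds_display


def demo() -> list:
    """Constructed keystroke sequence; returns the display after each step."""
    c = Console()
    out = [c.key("PAGE_FWD")]                 # keyboard on CRT 1: no effect
    c.press_button(3)
    out += [c.key("PAGE_FWD"), c.key("PAGE_FWD"), c.key("PAGE_BACK")]
    out.append(c.key("PAGE_TOP"))             # any other paging key -> master menu
    out.append(c.key("F4"))
    out.append(c.key("DELETE_POINT"))         # outside the SPDS definition: ignored
    c.move_cursor("Radioactivity Control")
    out.append(c.key("CURSOR_TRANSMIT"))
    return out
```

The point worth noticing is where the restriction lives: the keyboard hardware is shared with two general-purpose consoles, so the allow-list of keys the SPDS will act on, together with the button-3 assignment, is what keeps the dedicated CRT limited to the displays the plan enumerates.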

4.6 ALARM / WARNING

4.6.1 When any designated plant or SPDS parameter goes into an alarm / warning condition, it will automatically be posted on the appropriate summary. A small red or yellow box will blink at the top of all plant computer displays until all alarms / warnings are acknowledged. Acknowledgment of SPDS alarms / warnings will be by Reactor Operators only.

4.7 ALARM BOXES

4.7.1 All SPDS displays, both primary and secondary, will contain five large alarm boxes across the bottom of the screen that indicate a warning / alarm / normal condition for all parameters in each of the Critical Safety Function (CSF) categories. The appearance of the boxes will be (for each CSF category):

   blank            normal condition for all parameters
   blinking yellow  unacknowledged warning for one or more parameters
   solid yellow     acknowledged warning for one or more parameters
   blinking red     unacknowledged alarm for one or more parameters
   solid red        acknowledged alarm for one or more parameters

Acknowledgment is achieved by requesting the appropriate "summary" (through a function key) on one of the other control room consoles. Alarms and warnings are acknowledged by bringing up the appropriate summary and pressing the "acknowledge" key.

4.8 ALARM BOX "REFLASH" CAPABILITY

4.8.1 The large blinking boxes will have "reflash" capability. This implies that within the same CSF category, when a parameter goes into an alarm / warning state and is acknowledged or returns to a normal state, a second parameter going into an alarm / warning state will cause the box to flash again.

4.9 AUDIBLE ALARM

4.9.1 An audible alarm will sound when any of the SPDS parameters are in an alarm condition. This alarm can be acknowledged / silenced on the control board by the operator.

4.10 AUDIBLE ALARM "RESOUND" CAPABILITIES

4.10.1 The audible alarm will have "resound" capabilities. This implies that within the same CSF category, when a parameter goes into an alarm condition and is acknowledged / silenced, a second parameter going into alarm will cause the audible alarm to sound again.
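The box appearances of Section 4.7 and the "reflash" and "resound" behaviour of Sections 4.8 and 4.10 amount to a per-category state machine: acknowledgment is recorded per parameter, so a new parameter entering alarm or warning is unacknowledged and makes the box blink (and the audible alarm sound) again even though an earlier event in the same category was already acknowledged. The model below is an added example of that logic; it is not code from the plan or from the plant computer, and the category name, parameter names and event sequence are constructed.

```python
"""CSF alarm-box state machine with reflash and resound (Sections 4.7, 4.8, 4.10).

Added example, not the plant computer's alarming subsystem. Acknowledgment is
tracked per parameter so that a second parameter entering alarm/warning in an
already-acknowledged category is itself unacknowledged: the box blinks again
(reflash) and, for an alarm, the audible alarm sounds again (resound).
"""
from dataclasses import dataclass, field

NORMAL, WARNING, ALARM = "normal", "warning", "alarm"
SEVERITY = {NORMAL: 0, WARNING: 1, ALARM: 2}


@dataclass
class CsfBox:
    """One of the five large boxes across the bottom of every SPDS display."""
    category: str
    condition: dict = field(default_factory=dict)   # parameter -> condition
    acknowledged: set = field(default_factory=set)  # parameters whose current
                                                    # non-normal condition is acked
    audible: bool = False                           # audible alarm sounding

    def update(self, param: str, new: str) -> None:
        """Apply a condition change for one parameter in this category."""
        old = self.condition.get(param, NORMAL)
        self.condition[param] = new
        if new == NORMAL:
            self.acknowledged.discard(param)      # clears, never re-blinks
        elif new != old:
            # New or changed warning/alarm: unacknowledged again, regardless of
            # what else in the category was acknowledged earlier (reflash).
            self.acknowledged.discard(param)
            if new == ALARM:
                self.audible = True               # resound

    def acknowledge(self) -> None:
        """Reactor Operator acknowledges the category's summary (Section 4.7)."""
        self.acknowledged = {p for p, c in self.condition.items() if c != NORMAL}
        self.audible = False                      # acknowledged/silenced

    def appearance(self) -> str:
        """Box appearance per the Section 4.7 table."""
        active = {p: c for p, c in self.condition.items() if c != NORMAL}
        if not active:
            return "blank"
        worst = max(active.values(), key=SEVERITY.get)
        unacked = any(p not in self.acknowledged for p in active)
        color = "red" if worst == ALARM else "yellow"
        return f"{'blinking' if unacked else 'solid'} {color}"


def demo_sequence() -> list:
    """Constructed event sequence; returns the box state after each step."""
    box = CsfBox("Primary System Heat Removal")
    out = []
    box.update("helium_flow", WARNING)
    out.append(box.appearance())                  # blinking yellow
    box.acknowledge()
    out.append(box.appearance())                  # solid yellow
    box.update("core_outlet_temp", ALARM)
    out.append(box.appearance())                  # blinking red  (reflash)
    box.acknowledge()
    out.append(box.appearance())                  # solid red
    box.update("helium_flow", NORMAL)
    out.append(box.appearance())                  # solid red (alarm still acked)
    box.update("core_inlet_temp", ALARM)
    out.append(box.appearance())                  # blinking red  (reflash)
    out.append("audible" if box.audible else "silent")   # resound
    box.acknowledge()
    box.update("core_outlet_temp", NORMAL)
    box.update("core_inlet_temp", NORMAL)
    out.append(box.appearance())                  # blank
    return out
```

A category-level "acknowledged" flag would silently swallow the second parameter's alarm; keeping the acknowledgment per parameter is what makes the reflash and resound requirements fall out naturally, and the same per-parameter record is what the blinking/solid codes of Section 4.11 read from.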

4.11 PARAMETER CONDITION CHANGE

4.11.1 Change of condition of a parameter will be indicated by the following codes:

   Color:
      o red - alarm
      o yellow - warning
      o green - normal
      o magenta - bad telemetry
   Next to value:
      o white asterisk - value was manually replaced
      o cyan "I" - alarm on parameter was inhibited
   Appearance:
      o blinking - unacknowledged alarm / warning
      o solid - acknowledged alarm / warning or normal

4.12 ACKNOWLEDGMENT OF REQUESTS TO THE SYSTEM

4.12.1 When the operator makes a request to the system, it is acknowledged in the usual manner: 1) the cursor goes away and upon return the request is complete, or 2) an appropriate message indicates the request is in progress. Acknowledgment of SPDS alarms and warnings is recognized by the blinking red or yellow box becoming solid. The method by which these alarms are acknowledged is discussed in Sections 4.6.1 and 4.8.1.

4.13 TIME DERIVATIVES

4.13.1 Time derivatives will be displayed for selected parameters. This will include displaying the rate-of-change value and an arrow next to that value indicating a positive or negative rate.
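Requirement 2.1.1(7) asks that the time-derivative algorithm track oscillating variables, and Section 4.21 fixes the sample spacing at 5 seconds. The added example below (not the plant computer's algorithm) estimates the rate of change by a least-squares slope over the most recent samples and formats it with the arrow of Section 4.13; the window length, the deadband that suppresses a noise-driven arrow, and the oscillating test series are constructed. It also shows the failure mode: a window as long as the oscillation period averages the oscillation away and reports a rate far below the true one, so the window must be short relative to the fastest oscillation expected.

```python
"""Rate-of-change for the secondary display (Sections 4.13, 4.21, req. 2.1.1(7)).

Added example, not the plant computer's derivative algorithm. Samples are
5 seconds apart; the slope is a least-squares fit over the last `window`
samples. Window length, deadband and the test series are constructed.
"""
import math

SCAN_PERIOD_S = 5.0


def rate_of_change(samples: list, window: int = 3, dt: float = SCAN_PERIOD_S) -> float:
    """Least-squares slope (units per second) over the last `window` samples."""
    if len(samples) < 2:
        return 0.0
    w = samples[-window:]
    n = len(w)
    t_mean = (n - 1) / 2.0                 # sample index is the time axis
    y_mean = sum(w) / n
    num = sum((i - t_mean) * (y - y_mean) for i, y in enumerate(w))
    den = sum((i - t_mean) ** 2 for i in range(n))
    return num / den / dt


def display_rate(samples: list, window: int = 3, deadband: float = 0.05) -> str:
    """Rate-of-change text with the Section 4.13 arrow; '-' inside the deadband."""
    r = rate_of_change(samples, window)
    if abs(r) < deadband:
        arrow = "-"                        # too small to call a trend
    else:
        arrow = "^" if r > 0 else "v"
    return f"{r:+.2f}/s {arrow}"


def oscillating(period_s: float, amplitude: float, n: int) -> list:
    """Constructed test series: a sine of the given period sampled every 5 s."""
    return [amplitude * math.sin(2 * math.pi * i * SCAN_PERIOD_S / period_s)
            for i in range(n)]


def true_rate(period_s: float, amplitude: float, t_s: float) -> float:
    """Analytic derivative of the constructed series at time t_s."""
    return amplitude * (2 * math.pi / period_s) * math.cos(2 * math.pi * t_s / period_s)


if __name__ == "__main__":
    series = oscillating(60.0, 10.0, 13)       # one full 60 s period, 13 samples
    print("ramp      :", display_rate([100.0, 105.0, 110.0]))
    print("3-sample  :", display_rate(series[:8]), " true:", round(true_rate(60, 10, 30), 3))
    print("13-sample :", display_rate(series, window=13))
```

With a 3-sample (10 s) window the estimate at the zero crossing of a 60 s oscillation is -1.00/s against a true -1.05/s; the full-period window reports a fraction of that, which is exactly the ambiguity requirement 2.1.1(6) forbids.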

4.14 ACCURACY OF PARAMETERS

4.14.1 Instrument sensitivity, alarm / warning limits and deadband values will be analyzed for each parameter to insure sufficient accuracy for the operator to evaluate the safety status of the plant.

4.15 PARAMETER SELECTION AND ANALYSIS

4.15.1 A study performed by Oak Ridge National Laboratory (ORNL) under contract to the Nuclear Regulatory Commission, dated September 15, 1981, compiled a list of parameters and requirement categories (Critical Safety Functions) for the Fort St. Vrain Safety Parameter Display System (SPDS) (Table 2 shows ORNL's list). Public Service Company (PSC) has modified this list slightly (see Table 3 for PSC's final list). The following is a list of PSC's changes to the ORNL list:

1. Critical Safety Functions (CSF)

   (a) Containment integrity has been incorporated into the reactor coolant integrity CSF. The parameter, primary system pressure, is the only indication of containment integrity. It is also listed under reactor coolant integrity. Fort St. Vrain's (FSV) Pre-Stressed Concrete Reactor Vessel is both the pressure boundary of the primary system and the FSV containment, thus the containment integrity is still monitored by the SPDS. Combining the two CSFs would also eliminate redundant alarm conditions.

   (b) Core and Primary System Heat Removal has been split into two separate CSFs, Primary Heat Removal and Secondary Heat Removal. The majority of the SPDS parameters are listed under the core and primary system heat removal. The two CSFs are to be used to expedite recognition of an abnormal condition, and prevent confusion caused by a cluttered display.

2. Parameter Changes

   (a) Replace core flow resistance with core differential pressure. Core flow resistance is a seldom-used theoretical parameter, which would be of little value to the operator. Core differential pressure is more familiar to the operator and more indicative of actual plant status.

   (b) Replace primary vs. secondary heat balance with the ratio of power / flow. Both primary and secondary heat balances are calculated values. Power / flow is a more accurate value and has greater meaning to the operator.

The safety analysis stating the reason these parameters were chosen will be documented by NED.

4.16 HIGH RESOLUTION CRT

4.16.1 A high resolution CRT will be used for the SPDS. Documentation of the acceptance criteria can be found in Design Directive CRT-1.

4.17 LOCATION IN THE CONTROL ROOM

4.17.1 The SPDS will be located in the I-04 panel of the control board for easy access and readability. A section of the I-04 panel will be cut out for the Mitsubishi CRT, which will be mounted from the ceiling with the appropriate supports. This implies that the SPDS is separate from I-04 and does not affect the seismic qualifications of the panel. The SPDS keyboard will be on the 3-on-1 keyboard at the West End Reactor Operator's work station.

4.18 SYSTEM DATE

4.18.1 The system date will be displayed in the upper left hand corner of all SPDS displays and will automatically "refresh" the passage of seconds. MST is indicated with the semi-colon (;) as a delimiter (i.e. 08:23:20) while MDT is indicated with the colon (:) as a delimiter. Usually, the ability to "walk back" in time is allowed on displays (indicated by inverse video - solid background, black letters) but this feature will not be available on the dedicated SPDS CRT. This insures that the information viewed by the operator is current.

4.19 LOCATIONS

4.19.1 The SPDS will be:

   o A dedicated CRT in the Control Room
   o An optional function of the CS-19 1-on-1 console in the TSC. The 1-on-1 was purchased primarily for the SPDS.
   o An optional function of the CS-19 2-on-1 console in the Forward Command Post (Emergency Operations Facility)
   o An optional function of any other console

4.20 AUTOMATIC OPERATION MODE

4.20.1 Variable alarm limits will be applied to the SPDS parameters as a function of the ISS (Interlock Sequence Switch) indicating the plant modes of operation:

   1. Startup
   2. Low Power
   3. Power

The displays will appear the same but the values will indicate alarm / warning conditions at different limits.
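Mode-dependent limits, as Section 4.20 describes them, mean the same reading can be normal in one ISS position and an alarm in another while the display format does not change. The added example below (not the plant computer's software) keeps one limit set per mode per parameter and classifies a reading into the Section 4.11 condition codes, refusing an ISS position it does not know rather than falling back to a default. The parameter names, limit values and readings are constructed.

```python
"""Mode-dependent alarm/warning limits driven by the ISS position (Section 4.20),
producing the condition codes of Section 4.11.

Added example, not the plant computer's software. Parameter names, the limit
values and the sample readings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

STARTUP, LOW_POWER, POWER = "Startup", "Low Power", "Power"
MODES = (STARTUP, LOW_POWER, POWER)


@dataclass(frozen=True)
class Limits:
    warn_low: float
    warn_high: float
    alarm_low: float
    alarm_high: float


# One limit set per plant mode; the display is identical, only the limits move.
LIMIT_TABLE = {
    "core_outlet_temp": {
        STARTUP:   Limits(50.0,   600.0,  20.0,   700.0),
        LOW_POWER: Limits(400.0, 1300.0, 300.0,  1400.0),
        POWER:     Limits(1300.0, 1450.0, 1250.0, 1500.0),
    },
    "primary_pressure": {
        STARTUP:   Limits(50.0,  400.0,  30.0,  450.0),
        LOW_POWER: Limits(300.0, 720.0, 250.0,  750.0),
        POWER:     Limits(650.0, 720.0, 620.0,  750.0),
    },
}


def condition(param: str, value: Optional[float], mode: str) -> str:
    """Return 'alarm', 'warning', 'normal' or 'bad telemetry' for this mode."""
    if mode not in MODES:
        # An unknown ISS reading must not silently select some default limit set.
        raise ValueError(f"unknown ISS mode: {mode!r}")
    if value is None:
        return "bad telemetry"                      # magenta (Section 4.11)
    lim = LIMIT_TABLE[param][mode]
    if value <= lim.alarm_low or value >= lim.alarm_high:
        return "alarm"                              # red
    if value <= lim.warn_low or value >= lim.warn_high:
        return "warning"                            # yellow
    return "normal"                                 # green


def evaluate(readings: dict, mode: str) -> dict:
    """Classify every reading under the limits for the current mode."""
    return {p: condition(p, v, mode) for p, v in readings.items()}


# Constructed readings typical of full-power operation.
SAMPLE = {"core_outlet_temp": 1420.0, "primary_pressure": 700.0}

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:10}", evaluate(SAMPLE, mode))
```

Run against the same full-power readings, the three modes give three different pictures, which is the intended effect: limits that would be alarms during startup are normal at power, so the ISS position is itself a safety-relevant input to the display and its failure is worth treating as loudly as a bad telemetry value.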

4.21 RESPONSE TIME

4.21.1 Analog points are scanned every 5 seconds and the SPDS will be refreshed every 5 seconds automatically.

4.22 DATA AVAILABILITY

4.22.1 Historical data is stored on disk and dumped to tape daily; historical data is available from any console (CRT) other than the SPDS. Disk-resident data is available upon demand.

4.23 DUAL COMPUTER SYSTEM

4.23.1 The FSV plant computer will be a dual computer system (Figure 2). The existing computer system (Figure 3) will be expanded by the addition of a duplicate system to improve availability. The back-up computer will be kept current through checkpointing software. An automatic fail-over from on-line to stand-by will be used.

All safety-related, Class 1E equipment will be electrically isolated from the FSV computer system. The intention is to provide additional isolation for safety-related analog inputs only, as all safety-related digital inputs are isolated through the use of auxiliary relay contacts per IEEE 384 (1981).

4.24 SAFETY ANALYSIS

4.24.1 Public Service Company has committed to the preparation of a safety analysis for the SPDS by March 20, 1984. This safety analysis will be based on the following:

1. Parameter Selection - Oak Ridge National Laboratory, working as a consultant for the NRC, has documented a review of the proposed SPDS parameters. PSC has used this document as the basis for finalizing the SPDS parameter selection. Deviations from the original list will be justified.

2. HTGR Technology - The SPDS safety analysis will be based on the technology associated with the Fort St. Vrain HTGR. Design concerns at Fort St. Vrain are significantly different from those of a light water reactor. In particular, the time constraints during postulated accidents at Fort St. Vrain are measured in hours, not minutes.

3. The completion of the SPDS safety analysis by March 20, 1984 is based on receiving an NRC pre-implementation review in September of 1983.


APPENDIX A

[Figure 1: SPDS Software Functional Relationships. Block diagram; not recoverable from the scanned text.]

[Figure 2: Future Plant Computer Configuration. Block diagram; not recoverable from the scanned text.]

[Figure 3: Existing Plant Computer Configuration. Block diagram; recoverable block labels: Plant Inputs, 1500 Gear, Card Reader, Tape Drives, CPU, 4 Disks, Line Printers, Operator Console, Nova Man-Machine Control, Aux. Room.]

TABLE 1  SPDS FEATURE / REQUIREMENT IMPLEMENTATION

Feature / Capability                              Requirement Section (Requirement Number)
4.1   Dedicated CRT                               2.1.1 (1); 2.1.2 (1)
4.2   2-on-1 Console / 3-on-1 Keyboard            2.1.1 (8); 2.1.4 (12); 2.1.5 (6)
4.3   Primary Display                             2.1.4 (1); 2.1.4 (3); 2.1.4 (9); 2.1.4 (14); 2.1.5 (4)
4.4   Secondary Display                           2.1.1 (2); 2.1.1 (3); 2.1.1 (5); 2.1.4 (1); 2.1.4 (2); 2.1.4 (3); 2.1.4 (9); 2.1.4 (14); 2.1.5 (3)
4.5   Access to Displays                          2.1.4 (3); 2.1.5 (1); 2.1.5 (2); 2.1.5 (6)
4.6   Alarm / Warning                             2.1.1 (13)
4.7   Alarm Boxes                                 2.1.1 (8); 2.1.1 (11); 2.1.4 (1); 2.1.4 (5); 2.1.4 (14); 2.1.5 (6)
4.8   Alarm Box "Re-flash" Capability             2.1.1 (13)
4.9   Audible Alarm                               2.1.1 (8); 2.1.1 (12); 2.1.4 (13); 2.1.5 (6)
4.10  Audible Alarm "Resound" Capabilities        2.1.1 (13)
4.11  Parameter Condition Change                  2.1.1 (11); 2.1.4 (4); 2.1.4 (14)
4.12  Acknowledgment of Requests to the System    2.1.1 (9); 2.1.5 (5)
4.13  Time Derivatives                            2.1.1 (4); 2.1.1 (5); 2.1.1 (6); 2.1.1 (7)
4.14  Accuracy of Parameters                      2.1.2 (2); 2.2 (1)
4.15  Parameter Selection                         2.1.2 (1); 2.3.3 (1); 2.3.3 (2); 2.3.3 (3)
4.16  High Resolution CRT                         2.1.3 (1); 2.1.4 (6); 2.1.4 (7); 2.1.4 (8); 2.1.4 (10); 2.1.4 (11); 2.1.4 (19)
4.17  Location in the Control Room                2.1.4 (5); 2.1.4 (6); 2.1.4 (15); 2.1.4 (16); 2.1.4 (17); 2.1.4 (18); 2.1.4 (20)
4.18  System Date                                 2.1.1 (10)
4.19  Locations                                   2.1.3 (3)
4.20  Automatic Operation Mode                    2.1.1 (1)
4.21  Response Time                               2.2 (2); 2.2 (5)
4.22  Data Availability                           2.2 (4)
4.23  Dual Computer System                        2.1.3 (1); 2.2 (3); 2.2 (6); 2.2 (7)
4.24  Safety Analysis                             2.1.2 (1); 2.1.4 (21); 2.1.5 (7)

TABLE 2  SPDS NON-SEISMIC PANEL RECOMMENDED PARAMETER LIST

No.  Parameter                                  Comments                    Requirement Category*
1.   Primary Helium Flow                        Hi-Lo Range, auto-select    R
2.   Average Neutron Power                      Average of 6 chambers       RC
3.   Calculated Thermal Power                   Secondary heat balance      R
4.   Average Core Outlet Temperature            Flow-weighted               R
5.   Max Region Outlet Temperature              Auto-select                 R
6.   Core Inlet Temperature                                                 R
7.   Primary System Pressure                                                CSI, CI
8.   Total Feedwater Flow                                                   R
9.   Main Steam Temperature                                                 R
10.  Main Steam Pressure                                                    R
11.  Reheat Steam Temperature                                               R
12.  Core Flow Resistance                                                   CSI

Special Notices (displayed only when out of limits):
1.   Reactivity balance anomaly                                             RC
2.   Primary vs. secondary heat balance anomaly                             R
3.   High primary coolant moisture                                          CSI
4.   High activity (primary coolant or main vent system)                    RAC

* Requirement Categories:
RC  = Reactivity Control
R   = Core and primary system heat removal
CSI = Reactor Coolant System Integrity
RAC = Radioactivity Control
CI  = Containment Integrity

TABLE 3  PSC SPDS PARAMETER LIST

No.  Parameter                                  Requirement Category
1.   Primary Helium Flow                        PHR
2.   Average Neutron Power                      RC
3.   Calculated Thermal Power                   PHR
4.   Avg Core Outlet Temperature                PHR
5.   Max Region Outlet Temperature              PHR
6.   Core Inlet Temperature                     PHR
7.   Primary System Pressure                    CSI
8.   Total Feedwater Flow                       SHR
9.   Main Steam Temperature                     SHR
10.  Main Steam Pressure                        SHR
11.  Reheat Steam Temperature                   SHR
12.  Core Differential Pressure                 CSI

Special Notices:
1.   Reactivity Balance anomaly                 RC
2.   Power / Flow                               PHR
3.   High primary coolant moisture              CSI
4.   High activity (primary coolant and stack monitoring system)   RAC

Requirement Categories:
RC  = Reactivity Control
PHR = Primary System Heat Removal
SHR = Secondary System Heat Removal
CSI = Primary Coolant System Integrity
RAC = Radioactivity Control
CI  = Containment Integrity


FORT ST. VRAIN SPDS VERIFICATION AND VALIDATION PROGRAM

A. INTRODUCTION

1. This section of the SPDS Program Plan profiles the verification and validation program to be implemented at the FSV plant.

B. GENERAL

1. Design, development, qualification, and installation shall be verified by qualified personnel other than the original designers and developers.

2. These requirements and the acceptance criteria for validation shall be documented and verified against the safety system requirements for programmable digital computer systems in accordance with the following:

a. Organization - The V&V group shall be organized to be independent of the personnel responsible for the system design and development. The technical qualifications of the V&V team shall be comparable to those of the design team.

b. Review and Audit Procedures - Verification of phase-by-phase documentation is needed in addition to comprehensive test results (validation) in order to demonstrate that the completed system works as required to perform its intended function. If the translation from one stage of development to another can be understood by knowledgeable persons other than the originator, and it is determined that a faithful and accurate translation has been performed, then the stage-by-stage verification can be considered satisfied.

c. Software Test and Analysis - Procedures will be developed outlining the tests required for software and any modifications to software.

3. There may be a need for two types of V&V plans and/or procedures, for safety and non-safety systems.

4. The V&V program will be a three phase program made up of reviews, testing, and documentation.

5. To assure a logical translation from one stage to another for the SPDS, the Designers and V&V will adopt a sequence of events similar to that denoted in Figure 1.

C. REVIEWS

1. Reviews of three basic areas will occur:
   1. Design
   2. Development
   3. Test

2. V&V will provide assurance that the designers and developers have met the requirements of all associated documents (System Requirements, Design Specification, NUREGs, etc.).

3. V&V shall provide assurance of operational conformance to design specifications.

4. V&V will provide assurance that significant changes to the system are verified and that the changes are accompanied by a statement indicating whether or not availability will be affected.

5. V&V will provide assurance that the users are trained both initially and when modifications occur.

6. The results of the control room design review will be applied to verification of the SPDS parameter selection, data displays, and functions.

7. V&V will serve as a second check of computer software for correctness, etc.

8. Discrepancies that arise during review will be documented and accompanied by their resolution.

D. TESTING

1. All data display shall be validated where practicable on a real time basis as part of the display to the control room personnel.

2. The computational capacity and data throughput of the plant processor must be sufficient to accommodate the combined computational and input-output loads of the ERF system and other functions being performed by the plant processor. V&V will test to verify this.

3. The data acquisition system will be initially tested by V&V to provide assurance of correlation of data with the readings observed by the operators.

4. The integrity of the software and the integrated system will be tested (validation).

5. A formal test plan will be produced.

E. DOCUMENTATION

1. V&V plans to use, where possible, existing documentation from Lookout Center, Fort St. Vrain, and Engineering. This documentation will be adapted for use with the V&V program.

2. V&V shall provide an auditable trail for QA with regard to the following:

a. Performance of V&V functions;
b. Satisfaction of requirements from NUREGs, Reg. Guides, etc. by the designers, developers, and the V&V team;
c. Satisfaction of System Requirements and associated documentation requirements;
d. Test and evaluation results; and
e. Discrepancies and their resolutions.

F. SUMMARY

1. In the near term, Verification and Validation will provide adequate documentation and evidence of a comprehensive independent evaluation of the SPDS.

2. In the long term, Verification and Validation will provide the same for any software or associated system.
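The review discipline in sections B through E reduces to two mechanical checks that an auditor can run over the V&V records: every artifact is verified by someone other than its originator (B.1, B.2.a), and every stage traces back to the preceding stage and forward to the next one (B.2.b, E.2). The Python below is an added example of those checks, not a PSC or FSV tool. The requirement and feature numbers in its sample records follow Table 1 of this plan; the author and verifier names, the test identifiers, and the three-stage simplification of the Figure 1 chain are invented for the example.

```python
"""Stage-to-stage traceability and reviewer-independence checks (added example, not a PSC tool).

Requirement and feature numbers in the sample follow Table 1 of this plan; author and
verifier names and the test identifiers are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

STAGES = ("requirement", "feature", "test")   # the Figure 1 chain, simplified


@dataclass(frozen=True)
class Artifact:
    ident: str                       # e.g. "REQ 2.1.1-1", "FEAT 4.1", "TEST T-01"
    stage: str                       # one of STAGES
    author: str
    verifier: Optional[str]          # None: verification not yet recorded
    traces_to: Tuple[str, ...] = ()  # identifiers in the preceding stage


def check_traceability(artifacts: Sequence[Artifact]) -> List[str]:
    """Return one line per discrepancy; an empty list means the chain is complete."""
    by_id: Dict[str, Artifact] = {a.ident: a for a in artifacts}
    problems: List[str] = []
    for a in artifacts:
        if a.stage not in STAGES:
            problems.append(f"{a.ident}: unknown stage {a.stage!r}")
            continue
        # B.1 and B.2.a: verified, and by someone other than the originator
        if a.verifier is None:
            problems.append(f"{a.ident}: not verified")
        elif a.verifier == a.author:
            problems.append(f"{a.ident}: verified by its own author ({a.author})")
        # B.2.b: backward trace to the preceding stage must exist and point at that stage
        if a.stage != STAGES[0]:
            prev = STAGES[STAGES.index(a.stage) - 1]
            if not a.traces_to:
                problems.append(f"{a.ident}: traces to nothing")
            for ref in a.traces_to:
                target = by_id.get(ref)
                if target is None:
                    problems.append(f"{a.ident}: traces to unknown {ref}")
                elif target.stage != prev:
                    problems.append(f"{a.ident}: traces to {ref}, a {target.stage}, not a {prev}")
    # Forward coverage: every requirement reaches a feature, every feature a test
    for stage, nxt in zip(STAGES, STAGES[1:]):
        covered = {ref for a in artifacts if a.stage == nxt for ref in a.traces_to}
        problems.extend(f"{a.ident}: no {nxt} traces to it"
                        for a in artifacts if a.stage == stage and a.ident not in covered)
    return problems


# Constructed sample records (Table 1 numbering; names and test IDs invented).
SAMPLE = [
    Artifact("REQ 2.1.1-1", "requirement", "designer.a", "reviewer.x"),
    Artifact("REQ 2.1.2-1", "requirement", "designer.a", "reviewer.x"),
    Artifact("REQ 2.2-2", "requirement", "designer.b", "reviewer.x"),
    Artifact("FEAT 4.1", "feature", "designer.a", "reviewer.y", ("REQ 2.1.1-1", "REQ 2.1.2-1")),
    Artifact("FEAT 4.21", "feature", "designer.b", "designer.b", ("REQ 2.2-2",)),   # self-verified
    Artifact("TEST T-01", "test", "tester.c", "reviewer.y", ("FEAT 4.1",)),
    Artifact("TEST T-02", "test", "tester.c", None, ("FEAT 4.99",)),                # unverified, dangling
]

if __name__ == "__main__":
    for line in check_traceability(SAMPLE):
        print(line)
```

Run over the sample, the check reports the self-verified feature, the unverified test, the test that traces to a non-existent feature, and the feature no test exercises. Each line is a discrepancy of the kind C.8 and E.2.e require to be documented with its resolution; the check passing is the auditable evidence that the stage-by-stage translation described in B.2.b has been independently confirmed end to end.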


FIGURE 1. SEQUENCE OF EVENTS

[Flowchart; the hardware and software tracks run in parallel from the specification stage to the test stage. Recoverable stage labels, in order:]

SYSTEM REQUIREMENTS (HARDWARE & SOFTWARE)
REQUIREMENTS VERIFICATION REVIEW
HARDWARE SPECIFICATION / SOFTWARE SPECIFICATION
PRELIMINARY DESIGN / PRELIMINARY DESIGN
FINAL DESIGN / FINAL DESIGN
DESIGN VERIFICATION REVIEW / DESIGN REVIEW (TESTING ENVIRONMENT: TOOLS, REQUIREMENTS, etc.)
MANUFACTURE / TEST PROCEDURES, CODE / DEBUG
DESIGN CONSTRUCTION
TEST / TEST
INTEGRATE & TEST
VALIDATION TEST
TEST RESULTS
FIELD INSTALLATION & TESTS
INSTALLATION VERIFICATION TESTS
VALIDATION REPORT

Prepared by:  D. Hunicke
              E. Pitchkolan

Approved by:  M. E. Niehof
              C. H. Fuller