Text

SAR & Implementation Plan for Davis-Besse Nuclear Power Station Safety Parameter Display Sys
	ML20082P038
Person / Time
Site:	Davis Besse
Issue date:	11/30/1983
From:	; TOLEDO EDISON CO.
To:	;
Shared Package
ML20082P035	List: ML20082P033; ML20082P038;
References
	RTR-NUREG-0737, RTR-NUREG-737 TAC-51234, NUDOCS 8312080063
	Download: ML20082P038 (73)
	v • d • e

7 b

SAFETY ANALYSIS REPORT AND IMPLEMENTATION PLAN FOR THE DAVIS-BESSE NUCLEAR POWER STATION SAFETY PARAMETER DISPLAY SYSTEM i

83220g0063 831130 hDRADOCK 05000346 i

PDR i

p ..

$- 1 I. INTRODUCTION This report is provided in response to NUREG 0737 Supplement I require-ment for a submittal of an implementation plan and safety analysis report on the Safety Parameter Display System (SPDS) at Davis-Besse.

.The following provides c description of the subsequent sections of this report.

Section II This section provides an historical perspective on the development of the SPDS at Toledo Edison and describes how Toledo Edison's early involvement in the development of Emergency Response Facilities has had a significant-impact on its approach to the design and implementation of an SPDS.

.Section III This section provides a description of the design bases and objectives used in the development of the SPDS.

Section IV 1This section provides a functional overview of the SPDS. Included are a-description of the hardware configuration and the operational features of the SPDS.

Section V

'This section describes the basis for the selection of parameters, their use and development of alarms, and their grouping in the trend displays.

Section VI This section provides a description of the approach Toledo Edison used in considering human factors in the development of the SPDS.

Section VII This section provides a description of the plans for verification and validation activities on the SPDS.

Section VIII.

This section provides the implementation plan and schedule for the design, development, installation, verification and validation, training, and operability of the SPDS.

_ _ _ _ _ _ _ i

e, p .

4 2 II. HISTORICAL PERSPECTIVE OF SPDS DEVELOPMENT AT TOLEDO EDIS0N The events at Three Mile Island pointed out problems not only with the operators training, procedures, and information systems, but with the logistics of overall emergency response. The physical facilities necessary to support both the onsite and offsite emergency response activities were inadequate at Three Mile Island. In response to these problems, Toledo Edison initiated numerous projects to improve its emergency response capabilities. One of those projects was the construc-tion of the Davis-Besse Administration Building and its associated emergency response facilities.

As a part of those facilities, a sophisticated computer system was installed to provide plant status information to emergency support organizations. During the initial design development of this computer system, and well before the NRC established the requirement for an SPDS, the need for improved operator informational systems was recognized within Toledo Edison. The usefulness of such displays was demonstrated to licensed operators and engineers during training activities which followed the Three Mile Island event. The Training Staff at the B&W Simulator developed simple, graphical displays which were extremely useful to the operators in diagnosing and mitigating accidents on the simulator. The use of these displays required very little explanation.

The operators were able to integrate the information available on the displays into their normal thought process in responding to accidents.

Consequently, the design of the computer system at the emergency res-ponse facilities (DADS - Data Acquisition and Display System) included two CRT terminals and repeaters located in the Control Room to provide the operator with a color graphics display device capable of generating these simple display formats. The initial design configuration of the DADS was described in the June 1981 submittal to the NRC on Toledo Edison's emergency response facilities.

Subsequent to this initial design development, the NRC established the requirement for the SPDS. Toledo Edison originally believed that the DADS, as then configured, would be sufficient to meet this SPDS require-ment. As the functional requirements for an SPDS were further defined and refined, the need for additional hardware to support the SPDS became clear. The primary limitation of the existing DADS was in its speed of response.

The DADS was designed to gather and make available to many locations, large quantities of information. The ability to instantaneously transfer back and forth between several displays was not a requirement. The primary users of the DADS were emergency support personnel in the Technical Support Center and Emergency Control Center, where the several second wait evolved for various displays of information, on both a current and historical basis was adequate. Consequently, the data input and data storage capabilities of the DADS is more than adequate to meet those functional requirements of the SPDS; and for any one display, the DADS equipment can update information at an acceptable rate for use by the operator as an SPDS. However, in paging back and forth through

i t> '

a 3 the several displays required for an SPDS, the DADS is not quite fast enough to meet all. operational objectives.

To satisfy these speed requirements, additional' equipment was obtained which uses a separate data processor (DEC 11/34) and substantially improved color graphics display devices (Chromatics terminals). One of these Chromatics terminals-will be located in the Technical Support Center and the other will be located in the Control Room as a replacement for'one of the-two terminals originally designated for the Control Room as part of the DADS. This new equipment will have st.bstantially improved

response capabilities, but'will.not maintain the~1arge historical-data base available in the DADS.

The DADS equipment is currently in place and will provide, on an interim basis, the'SPDS function by February 1, 1984. The DEC based SPDS will be installed and operational in November of 1984. The two_ systems together comprise all functional requirements identified in Section III.

Either system by itself, however, will provide a very useful tool to the operator and will meet most functional requirements of an SPDS.

Toledo Edison considers that either of these systems meets the basic intent of an SPDS. Since the equipment configurations of these two systems are largely independent, the availability of the minimum SPDS functions is substantially enhanced.

Although numerous prepackaged Safety Parameter Display Systems .are l available from various vendors, Toledo Edison has decided to develop its own hardware and software systems for the SPDS. There are several advantages to this approach. Within Toledo Edison, the hardware and software is being developed by the Station Technical Services section, which also has the primary responsibility for coordination of the detailed Control Room Design Review, preparation of upgraded emergency i

operating procedures, and the plant process computers. This arrangement improves the proper integration of these efforts. It assures that the user input necessary to maximize the compatibility of the SPDS, upgraded emergency procedures and Control Room is provided in the development of the SPDS. Such integration is frequently lost in vendor provided systems.

i- In-house development also assures that a detailed understanding of the workings of-the SPDS is maintained within Toledo Edison. This under-

standing is especially important to the future improvement of the system. The hardware system designed for the DADS and the additional DEC based system have the capacity to provide numerous additional F displays to the operator. Additional displays may be integrated into the SPDS in the future as optional display formats augmenting the j- currently planned capability. This in-house development of the SPDS by Toledo Edison permits this approach to the careful future expansion of the system.

i T

4-

.. ~ . . . , , , , , . , . ~ . . . . . ~ _ , , - - - , , . - . . - . _ - , , m ... , ~ , . . _ _ . . . -

.w

.a 4' III. SAFETY PARAMETER DISPLAY SYSTEM DESIGN BASES

.The bases for the design of.the Toledo Edison Safety Parameter Display System have been derived from several sources. These include the NRC requirements of Supplement I to NUREG 0737 and the guidance of- NUREGs

0696 and 0835. These criteria have also been influenced by earlier Toledo Edison display development activities and to some extent by the data input and storage capabilities of the DADS.

Another primary consideration in the development of the functional

. requirements was the plan for utilization of the SPDS. Toledo Edison considers the SPDS to be a tool useful to the reactor operators in monitoring plant safety status and in monitoring plant response to specific operator actions during normal and emergency conditions. The SPDS is equally important as a tool for the Shift Supervisor and other Control Room support personnel for the evaluation of plant safety status.

-The bases of the Davis-Besse SPDS design are listed below and grouped in two categories. The first of these are the general design requirements.

As the. heading implies, these criteria are high level design requirements which do not dictate specific system design features but which do present goals to be met to establish an effective SPDS.

The second group of criteria are the specific design objectives. These criteria are written in the form of guidance for the SPDS design which are highly desirable but not essential to the successful operation of the SPDS. 'These criteria have been more directly influenced by Toledo Edison's past experience in display deveiopment and by the capabilities and limitations of the bardware systems that have evolved as a part of the SPDS.

Taken together the general design requirements and the specific design objectives constitute the design bases and design philosophy used in the development of the Davis-Besse Safety Parameter Display System. Future changes to the hardware or software of the Safety Parameter Display System or to other displays used to augment the system will be evaluated against these criteria.

A. General Design Requirements The principal purpose and function of the SPDS is to aid the Control Room personnel during abnormal and emergency conditions in determining the safety status of the plant. To support this function, the SPDS is to meet the following list of requirements:

1. The SPDS is to provide a concise display of critical plant

-variables to the Control Room operators. The minimum informa-tion must be sufficient to allow the operator to determine the status of the following critical safety functions:

a) Reactor core cooling and heat removal from the primary system

F e

. 5 b) Reactor Coolant System integrity c) Containment integrity d) Radioactivity conditions e) Reactivity control

2. The SPDS is to be available and of use to the operator during normal operations, as well as during abnormal conditions, to assure operator familiarity with the use of the system.

3. The SPDS is to be located in the Cont.rol Room in a position that is as convenient as practical to the Control Room opera-tors, yet available for use by the Shift Supervisor and other support personnel.

4. The design and implementation process of the SPDS is to consider and be receptive to accepted human factors principles.

5. The SPDS is to be supportive of the upgraded symptom oriented emergency operating procedures.

6. The SPDS is to be suitably isolated from all electrical or electronic interference with equipment and sensors that are in use for safety systems.

7. The SPDS design and implementation process is to be flexible to permit future improvements as they are identified.

B. Specific Design Objectives The following design objectives consist of' basic assumptions, design considerations, and desired features which have been taken into account during the design and development of the SPDS.

1. Inputs to the SPDS a) Inputs to the SPDS should be highly reliable. If the same input is available from two separate sources, the more reliable source should be the primary input.

b) Automatic input data validation should be accomplished to the extent possible. This should include range checks and comparisons of redundant channels.

c) Invalid inputs should be appropriately identified to the operator. Operator training should identify the limita-tions of the system with invalid data.

d) Automatic manipulation of input parameters should be minimized. Simple data modifications which enhance the usefulness of the data to the operator are, however, acceptable.

6 6

2. Data Availability a) Data updates should be at intervals of no less than two seconds to avoid overloading the operator with information dynamics. Display rates may be slower if consistent with expected parameter variations.

b) Short term historical trend information (the past 20 to 30 minutes of data) should be available to tbe operator very quickly to assist in the evaluation of the current plant status.

c) Access to longer term historical information (over the past 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ) should..be available to the operator to help analyze past plant events. Access to this historical information need not be ac rapid as for the short term historical information.

3. Operator Control of the SPDS a) Operator control of SPDS displays should be very simple.

No more than one or two buttons should be required to access any given display.

b) The method for accessing SPDS displays should be consis-tent with that for accessing other display information wherever possible. Maintaining consistency in operational controls helps assure operator understanding of their use.

4. Display Content a) The SPDS should provide useful information in all modes of plant operation (Technical Specification Operational Modes 1-3). This means the SPDS should appear similar to the operator in all modes of operation even though the SPDS data processing activities may differ.

b) Displays should be as simple as possible to understand and should be designed assuming that the operator will be trained in their use and familar with system limitations.

c) The SPDS displays should be designed assuming that the user has received training similar to that of a licensed reactor operator.

d) Alarm logic should be established to assure that all alarms are valid. The operator will be trained to assume that all alarms are valid and are to e investigated. He will also be trained to assume that the lack of an alarm does not mean that some adverse condition does not exist.

With these training assumptions a failure to alarm is more desirable than an invalid alarm.

. 7 e) SPDS alarms should not normally be redundant to existing alarms. Alarms can be provided for those conditions or combination of conditions for which no other Control Room indications exist.

f) The individual SPDS displays and their operation should be as similar as possible on the two SPDS hardware systems (DADS driven and DEC based systems).

IV. SAFETY PARAMETER DISPIAY SYSTEM DESCRIPTION The SPDS description provided in this section reflects the system as it will be configured when complete. The current status of hardware development and installation, and the schedule for completion of the remaining portions of the system, is described in Section VII, Implemen-tation Schedule.

A. Functional Configuration of the SPDS Figure IV-1 provides a block diagram of the basic SPDS components and information flowpaths. Information from plant process instru-mentation provides input to both the plant process computer and a separate multiplexer which is used as the primary source of data to the SPDS. Those signals originating in Class 1E instrumentation strings are isolated from the safety grade portion of the system using the appropriate Class 1E isolation devices.

Information from the plant process computer and the signal multi-plexer are then transmitted to the Davis-Besse Administration Building. The signal multiplexer provides information to both the DADS and the DEC, while the plant process computer provides informa-tion only to the DADS system. Within the Davis-Besse Administration Building, the DADS processor drives displays in the Technical Support Center and Emergency Control Center. The processed informs-tion is then transmitted from the DEC and DADS systems to their respective Control Room display devices for use by the Control Room operator.

The DEC based system that is being added consists of the Control Room display device, the DEC processor, and the associated input connections to the processor. The remainder of the system was designed as a part of the Data Acquisition and Display System. The DEC system, therefore, provides an essentially redundant SPD3 from the point of the primary signal multiplexer. The SPDS displays available in the Control Room are also available in the Technical Support Center via either system. They are also available in the Emergency Control Center via direct link to the DADS processor.

B. Hardware Configuration of the SPDS Figure IV-2 illustrates the hardware configuration of the SPDS.

The primary source of information used in the SPDS is fed from plant process instrumentation to the Validyne muliplexer located in the plant cabinet room. The inputs include approximately 100

. 8 signals consisting primarily of analog inputs with a few digital inputs. Inputs to this multiplexer are key plant parameters important to the evaluation of the plant safety status. These parameters were selected as a part of the development of the Data Acqusition Display System for use in the Emergency Response Facili-ties. The parameters used for the SPDS were derived primarily from these inputs.

The Validyne multiplexer samples each input, converts it to a digital signal, and transmits it to the Davis-Besse Administration Building via a fiber optics connection. Two separate fiber optics links exist between the Validyne multiplexer and the redundant Validyne receivers in the Davis-Besse Administration Building. The Validyne receivers decode the fiber optics signal and convert it to a digital signal, which is transmitted either to the Data Acqusition and Display System Prime A Computer Processor, or the DEC 11/34 Processor.

The plant process instrumentation also feeds digital and analog multiplexers which provide input to the plant process computer.

The plant process computer uses two MODCOMP Classic 7870 CPUs, which provide information directly to the Control Room operator via several display devices. Inputs to the plant process computer consist of approximately 2,000 analog points and 2,500 digital inputs, all of which are transmitted to the Davis-Besse Administra-tion Building via the Valtec fiber optics transmitter / receiver system. The plant process computer information is input to the Prime A data acquisition system. Plant process computer informa-tion is also available to the DEC 11/34 via the Prime A system.

The DADS system is composed of two Prime 550 Processors. The Prime A Processor has been designated as the data acquisition device, and the Prime B Processor is the display generation device. Each Prime processor is connected to two disc storage devices of 300 megabytes each for a total of 1200 megabytes of disc storage.

As a part of the DADS, the Prime A data acquisition system processor reads, characterizes, and stores the key plant parameters from the Validyne receiver at a rate of approximately once per second.

Information from the plant process computer is stored at the rate it is scanned by the plant process computer multiplexers. Scan rates for this information varies from 1 to 60 seconds. The information from the Validyne receiver and the plant process computer are stored for a period of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months in a rolling file.

CRT display devices in the Technical Support Center and Emergency Control Center are driven directly from the Prime B display genera-tion processor. These CRT display devices are RAMTEK 6200A Color-graphics Terminals. An identical RAMTEK terminal is located in the Control Room as the primary SPDS display device. The Control Room display is driven by the Prime B display generation processor through a Valtec fiber optics transmitter / receiver link. An overhead repeater is attached to the RAMTEK terminal to provide greater Control Room visibility.

y.,

O

. 9 The DEC 11/34 processor data acquisition and display generation device is a stand alone data acquisition system. Data storage capacity on the DEC system is sufficient to maintain 30 minutes of SPDS parametric data in a rollover type file. The DEC 11/34 drives two Chromatics 7900 display terminals. One terminal is located in the Technical Support Center and the other is located in the Control Room linked to the 11/34 via an independent Valtec fiber optics transmitter / receiver link. The Chromatics device in the Control Room also has an overhead repeater attached.

Equipment in the hardware configuration shown in Figure IV-2, located in the Cabinet / Computer Room or the Control Room, are powered from uninterruptable instrumentation buses VAU or YBU. The uninterruptable buses are supplied from the Station battery backed 250 VDC power supply system through an inverter. Power can also be supplied to these buses from a non-essential regulated instrumenta-tion bus through a static transfer switch within the inverter.

The power supply for the DADS and the DEC systems and other compo-nents within the Davis-Besse Administration Building is independent of the Station electrical system. The Davis-Besse Administration Building, which houses the Technical Support Center and the DADS, is supplied from a construction feeder independent of the three 345 KV lines connected to the Station grid. The Davis-Besse Administra-tion Building electrical system supplies an emergency response facilities bus which can also be fed by an emergency diesel genera-tor through an automatic transfer switch. The emergency response facilities bus in turn feeds an uninterruptable distribution network. Power to the uninterruptable distribution network is backed up by a battery driven system through a static transfer switch which assures continuous operation of the DADS and DEC computer system. The emergency battery system is charged from the emergency response facilities bus.

Figure IV-3 providas a diagram of the Control ~ayou; indicating the location of the RAMTEK and Chromatics teretaain and their respective repeatere. The terminals are located on either side of, and their repeaters are above, the Post Accident Monitoring Panels.

This arrangement makes the terminals visible from all parts of the Control Room and still permits access by the Shift Supervisor and other support personnel without interferring with the operator's access to Control Room indications and controls. This is the best location for these terminals currently available in the Control Room. Pending the outcome of the Control Room Design Review, this position may, of course, be modified.

C. Display Configuration and Operational Features The SPDS displays will be available to the Control Room operator on both the DEC and DADS based systems. To the extent practical, the display formats and the operation of the SPDS will be the same on both systems. However, to take advantage of the different capabili-ties of the systems, some differences in the display formats and operational features will exist. The following description generally

10 applies to both systems. Significant differences in the display configurations or operational features will be pointed out where they exict.

The configuration of displays supporting the SPDS at Davis-Besse is similar to the configuration described in NSAC 55 for the Yankee Rowe SPDS. The " top" level SPDS display consists of a series of six alarm boxes associated with six critical safety functions.

Note that the extra safety function used in the Davis-Besse SPDS results from splitting the " reactor core cooling and heat removal from the primary system" function identified in NUREG 0737 Supple-ment 1, into two subfunctions. The first of these is associated with core heat removal from the standpoint of the primary system, and the second is related to secondary plant heat removal capabili-ties.

These alarm boxes are displayed on the bottom of all displays associated with the SPDS. The alarms are activated by parameters reaching specified setpoints which can be fixed or derived from other parameters. Associated with each of the alarm boxes is another " lower" level display showing an historical trend of parameters selected to assist the operator in determining the status of the associated safety function. These six lower level displays and the top level alarm box display constitute the minimum SPDS display format.

Also associated with each of the alarm boxes is an " upper" level display which can provide the operator with additional information in various formats that may be useful in establishing the status of a given safety function. These upper level displays are not considered a part of the minimum SPDS. The top level SPDS alarm box display is displayed with each of these upper level displays.

While the lower level displays will be essentially the same on both the DEC and DADS systems, the upper level display formats may differ between the DEC and DADS based SPDS due to the difference in graphics capabilities of the two systems. On either system, however, the upper level displays will support the evaluation of the status of the critical safety functions.

Figures V-1 through V-6 are the six lower level displays with the associated top leiel alarm box display. These display formats are further described in Section V. Upper level display formats are under development and are not presented in this report. The alarm boxes associated with the six critical safety functions are displayed on all upper and lower level displays. The alarm logic which activates these alarm boxes is explained in Section V of this report.

Aside from the multiple button input required to initiate the operation of the SPDS, transfer back and forth between various SPDS displays requires only one or two key entries. These are primarily performed on numbered function keys which correspond directly to the six critical safety function alarm boxes. For example, if the

" primary" alarm box was lit and the operator wished to examine the

4 11-

-trend information available to support the evaluation of that--

alarm, he would press the control key and the f2 key (f2 correspond-ing to the second alarm box) to obtain the lower level primary display on the RAMTEK terminal. The corresponding upper level display could be obtained by depressing the f2 button alone. A similar type of one or two button display access will be implemented on the DEC driven Chromatics display terminals.

Historical SPDS information beyond that provided in the trend displays'is available to the operator from the DADS based system.

The historic mode of operation is accessed by a two button request followed by an entry of the time of interest. The past 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of SPDS parameter data is maintained on file and can be examined with the same formats that are available in the current time mode of operation. Therefore, once the operator establishes the historical-mode of operation, he may transfer back and forth among the various displays and see information presented as it would have been at the time of occurrence. Due to the considerably extensive file searching requirements of this function, portions of the display generation take longer than their current time counterparts. When the histori-cal mode of operation is selected, the SPDS displays of current critical safety fuction information are not displayed on that terminal. The information is still collected and stored in the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months file, however, so no information is lost. To return to the

' current mode of operation requires a single function key entry followed by the call up of the desired display.

If any alarm logic is satisfied, the appropriate critical safety function box will be lit and flash. Once the operator has called up the proper upper or lower level display for the alarm, the critical safety function box will no longer flash but will remain lit for as long as the alarm condition exists. The critical safety function box will return to normal (unlit) status automatically after an acknowledged alarm clears its alarm setpoint. If any new alarm occurs while a critical safety function box is lit, the new alarm will cause the critical safety function box to again flash until the appropriate upper or lower level display is called up.

This sequence of alarm receipt and acknowledgement is familiar to the operators since the main station annunciators operate on a similar basis.

Space is available on each upper and lower level display to indicate which alarm condition has caused the critical safety function to be lit. Up to five different alarm messages can be displayed, allowing positive identification of the cause of the alarm. For example, if a low pressurizer level occurs (<10"), the primary critical safety function box will be lit and flash until a primary

-display is selected by the operator. On the primary display there will be a "PRZR LEVEL LOW" alarm printed near the bottom of the screen.

This alarm method provides a concise method of directly displaying the alarm condition without requiring an analysis by the operator of a display to determine the cause of the alarm. This assists the

w o 12 operator in rapidly diagnosing an event and taking proper corrective action at the root of the problem.

V. PARAMETER SELECTION / ALARM LOGIC / DISPLAY FORMATS This section describes the parameters used as inputs to the Safety R.rameter Display System and the way those parameters are used within the system.

A. Parameter Selection The Data Acquisition and Display System was designed to provide information to the Technical Support Center to evaluate the safety status of the plant and to assist the operator in controlling and mitigating the consequences of an accident. The DADS, consequently, has access to a broad selection of plant data. The parameters judged most useful in evaluating the safety status of the plant were included on the input list of the Validyne multiplexer to provide a means of information redundant to that from the plant process computer. This large data base provides considerable flexibility in the determination of those points to be used to support the SPDS.

Since the flow of information from the plant process instrumenta-tion to the SPDS computere is less complex via the Validyne multi-plexer than through the plant process computer, the Validyne multiplexer inputs are considered to be more reliable and are, consequently, the primary sourc2 of information to the SPDS. Only a few inputs to the SPDS are derived from plant process computer inputs, and none of those have an exceptionally significant safety function.

The list of inputs used in the SPDS is provided in Table V-1. The parameters selected were chosen to support the development of the critical safety function alarms and some were chosen for display on the lower level trend plots. The basis for the selection of these parameters is described more thoroughly in the following sections on alarms and trend displays.

B. Ala rms For each of the six critical safety function alarm boxes of the top level display, a number of alarm conditions have been identified which will activate the alarm box. The intent of this effort was the development of alarm conditions which would be indicative of potential threats to the fulfillment of a critical safety function.

The selection and development of these alarm conditions were influenced by numerous design considerations and assumptions.

Foremost among these considerations was that the alarm conditions be consistent with the normal and emergency operating procedures (EOPs) in existence and the upgraded E0Ps under development. To assure this consistency, the development process directly involved

. 13 licensed operators and individuals responsible for the preparation of upgraded E0Ps.

An additional consideration was that the alarm conditions generated should provide accurate information not previously available to the Control Room operator. Euplications of existing Control Room alarms was considered undesirable, since the SPDS is an aid to the Control Room operator to be used in conjunction with existing alarms and indications, and not as a stand alone device. The alarm conditions developed, consequently, do not normally duplicate existing alarms. Some alarm conditions are based on parameters monitored by other Control Room alarms. In these cases, however, the alarm normally is generated at a setpoint that differs from the existing alarm. For example, the SPDS pressurizer level alarms are set at limits outside those of the existing Control Room alarms to indicate conditions that are more serious than those identified by the Control Room alarm.

In an attempt to assure that the alarms are accurate, that is, that the alarms reflect a truly significant condition, they have been designed with sufficient logic to eliminate false or inaccurate alarms. The operator is trained to identify unsafe plant conditions with, and without, an SPDS. The failure of an SPDS alarm to identify an unsafe condition should not lead the operator to believe that such a condition does not exist. On the other hand, an invalid SPDS alarm should not make an operator look for an unsafe condition which does not exist and thus divert his attention from potentially more significant conditions. The design philosophy in developing the SPDS alarm conditions, consequently, was that the failure of the SPDS to alarm an unsafe condition was more desirable than an invalid SPDS alarm.

The alarm conditions developed cover a large range of plant operating conditions. While some of the alarm conditions are only available during power operations or during shutdown conditions, some of the alarms are independent of the mode of operations. From a practical standpoint, however, the alarm function of the SPDS is only considered useful in Operational Modes 1-4. The alarm logic features designed to prevent invalid alarms are generally applicable in all modes.

However, in Modes 5 and 6, Cold Shutdown and Refueling, certain plant conditions can give rise to invalid alarms. The lack of SPDS alarm indications in Modes 5 and 6 is not considered significant since in these modes, the plant safety status is essentially dependent on the operability or inoperability of certain plant components such as the decay heat removal system. Since the operation of these systems is adequately indicated by existing Control Room alarms and instrumentation, the operability of the SPDS in these modes is not required.

To prevent an invalid signal from creating an invalid alarm, all inputs are marked with a validity flag within the SPDS software.

This validity flag can be set automatically by validation checks such as redundant parameter comparisons or out of range checks.

The flag can also be set by a manual input when a routine review of

o 14 inputs determines that a given parameter is inconsistent with other indications. Parameters that are marked as invalid are removed from the alarm logic. If another parameter is available to replace the invalid signal, the associated alarm will remain active; otherwise the alarm condition or affected portion thereof is defeated.

Alarm calculations are performed at intervals of approximately two seconds. The single exception to this is the calculation of the NI increasing after trip alarm discussed in the following section.

The results of the alarm calculations are stored in the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months historical file on the DADS system and are accessible in the historical mode of operation discussed in Section IV.

The following sections provide a description of the alarm conditions to be incorporated into the Davis-Besse SPDS. Each numbered section corresponds to one of the six critical safety function alarm boxes.

1. Reactor Coolant System (RCS) Pressure / Temperature Alarms for this critical safety function designated by a P/T indicate that conditions exist which may jeopardize the ability of the primary system to remove heat from the reactor Core.

a) RCS at Subcooled Margin Limit Alarm The usefulness of monitoring tt RCS subcooled margin has received wide acceptance since the TMI-2 accident.

Toledo Edison has installed redundant, essentially powered, independent meters to display the current value of either the temperature or pressure margin to saturation in the Control Room. The operator also has the option of selecting the temperature input to the meter from wide range hot leg thermocouples to any one of eight incore thermocouples.

The SPDS will provide additional information to the operator by monitoring both hot leg wide range tempera-tures and up to sixteen verified incore temperature inputs and alarming if any indication reaches, or is below, the subcooled margin limit. This will assist the operator in identifying one of the primary indicators cf a Loss of Coolant Accident (LOCA) condition; a loss of RCS pressure without a corresponding reduction in RCS temperature.

o 15

-The subcooled margin limit is a variable limit. calculated as a fuction of RCS. pressure-(using the average of P725 and P732). This precsure/ temperature function is derived from the saturation curve and adjusted for instrumentation

-errors.

The actual logic is:

If either hot leg temperature T753 or T782 or any verified incore (T514, T515, T520, T522, T524, T527, T530, T532, T539, T542, T544, T547, T550, T551, T557, or T560) reaches the subcooled margin limit ALARM "RCS AT SUBC00 LED MARGIN LIMIT" and P/T The statement in quotation marks is the alarm condition message printed at the bottom of the upper and lower level displays corresponding to this critical safety function.

b) Primary / Secondary Uncoupled Alarm If non-condensable gases or a small volume of hot water or steam is trapped at the top of a hot leg, the flow of water in that loop could stop if on natural circulation.

If this condition continues, the cold leg temperature will-deviate from the saturation te:nperature of the steam generator, indicating an uncoupling of the primary to the secondary. This will alert the operator to take action to restore flow in the loop such as increasing RCS pressure to compress the void, bumping reactor coolant pumps, and/or using the hot leg vents.

The steam generator saturation temperature is calculated from steam generator pressures (P932 and P936) and compared to the RCS cold leg temperatures. A deviation of more than 10 degrees is alarmed. This alarm is blocked if total RCS flow is more than 25 MPPH as measured by F727 and F732. The alarm is'also blocked if RCS pressure is less than 300 psig to accommodate operation during shutdown when reactor coolant pumps are tripped.

. 16 The actual alarm logic is:

If l SG 1 sat temp minus T781 l or l SG 1 sat temp minus T801 l or l SG 2 sat temp minus T821 l or l SG 2 sat temp minus T841 l is 3 10*F and F727 + F732 <25 MPPH and P725 + P732 >300 psig 2

ALARM "PRI/SEC UNCOUPLED" and P/T

2. Primary Status Alarm The main function of the primary alarm logic, indicated by PRIMARY is to notify the operator of a loss of primary coolant inven-tory. A LOCA will cause elevated containment pressure, containment temperature, and containment normal sump levels.

An opening of the power operated relief valve (PORV) causes consequences similar to a LOCA and is detectable by valve position and qucuch tank conditions. A large LOCA will reduce RCS pressure and pressurizer levels quickly. The following is a description of each alarm logic in the primary critical safety function.

a) Pressurizer Level Low Alarm A low pressurizer level is indicative of a loss of primary inventory or an overcooling of the primary system. Alarms already exist for small changes (120") in pressurizer normal level (200"). This alarm will supple-ment the existing alarms by having a setpoint that should not be reached during normal operation or after a reactor trip, thereby alarming only during a serious inventory problem. The alarm occurs while inventory still exists in the pressurizer, so that the operator can still take

. 17 action before blocking of the hot leg flowpath is possible from steam and/or gases outsurging from the pressurizer.

The actual alarm logic is:

If L768 is < 10 inches ALARM "PRZR LVL LOW" and PRIMARY b) Pressurizer Level High Alarm This alarm indicates excess primary inventory or a rapid insurge in the pressurizer due to void formation in the RCS. Alarms already exist for small changes ( 20") in pressurizer normal level (200"). This alarm will supple-ment the existing alarms by having a setpoint that should not be reached during normal operation or after a reactor trip, thereby alarming only during a serious inventory problem. Tha alarm occurs while adequate volume still exists in the pressurizer, so that the operator can take action before the pressurizer can completely fill.

The actual alarm logic is:

If L768 is > 270 inches ALARM "PRZR LVL HI" and PRIMARY c) PORV Open Alarm This alarm operates from the sonic flow detector on the PORV discharge piping. It provides indication redundant

~

to existing alarms of flow through the PORV. Due to the frequency of problems with PORV operation and the serious-ness of the condition, this redundancy in alarms does not seem excessive. Since the PORV is not normally used, this alarm should not occur during any aormal operating transients.

f -

, - x x ,

I

.o 1g

. ' ,s /

The actual alarm logic is: I '

If 2615 indica,tes cpen, then ALARM i

,3 "PORV OPEN",and PRIMARY a.

.')

s:

4, d) Pressurizer Relief Open Alarm This alarm operates from the sonic flow detectors on each presserizer relief valve discharge. It provides indica-tiori; redundant to existing alarms of flow through the primary. relief valves. Due to the serious nature of this condition, this redundancy in alarms does not seem excessive. This alana should not occur during any normal RCS operating transients.

The actual alarm logic is:

If Z766 or Z767 indicates open ALARM c ,

y s .o

- '?RZR PELIEF VLV OPEN" and PRIMARY

/

c[ -Q ench Tank Pressure High Alarm This alarm warns of an open or leaking PORV and provides an alarm redtindant to existing plant alarms. Due to the frequency of pressurizer PORV problems, this redundancy D* , is not excessive. Since the PORV is not used during normal plant operating transients, the alarm should only

occur due to abnormal plant conditions.

.)

, - -s The actual alarm logic is:

If P770 > 40 psig, 7

a S *+

.s $

?

,4' "

_.g F I. e

/ 1 4 .*

4

. 19 Or if P71) "PRZR QNCH TK PRESS" in alarm, ALARM

" QUENCH TK PRESS HI" and I PRIMARY I

f) Quench Tank Pressure Low Alarm This alarm is used to indicate a loss of normal quench tank pressure probably due to a blown rupture dice.

Since the quench tank is normally pressurized with nitrogen to 25 psig, the alarm should not occur during normal operation.

The actual alarm logic is:

If P770 is < 10 psig, then ALARM "PRZR QUENCH TK PRESS LOW" and PRIMARY g) Incore Thermocouples Above Saturation Temperature This alarm is used to provide indication that reactor coolant inventory has decreased sufficiently to allow the core to become uncovered, producing steam above the saturation temperature of the RCS. This condition would prompt the operator to initiate inadequate core cooling procedures.

The actual alarm logic is:

If any verified incore temperature T514, T515, T520, T522, T524, T527, 530. T532, T539, T542, T544, T547, T550, T551, T557, or T560 is > the saturation temperature for the RCS pressure by 10 F, then ALARM "INCORE T/C APOVE SAT" and PRIMARY

~

. 20 h) Containment Temperature Increasing Alarm '

This alarm would allow a rapid detection of a primary or secondary leak. By monitoring the suction temperature of all three containment air coolers, it is assured that containment temperature will be monitored during all cooler lineups. The setpoint of 120*F should never be reached during normal operation, and it coincides with the maximum allowable operating temperature allowed in Technical Specifications.

The actual alarm logic is:

If T306, T302, or T298 is > 120'F, then ALARM "CTMT TEMP INCR" and PRIMARY i) Containment Pressure Increasing Alarm This alarm provides an early warning of a primary or secondary leak. Its setpoint is below the actuation setpoint of the Reactor Protection System (RPS) and the Safety Features Actuation System (SFAS) but above normal i operating pressure in containment. The alarm logic allows the monthly testing of any one SFAS channel without causing an alarm condition while also being able to alarm with any one input failed.

The actual alarm logic is:

If P314 and P315 > 16.5 psia or If P316 and P317 > 16.5 psia THEN ALARM l

r e --

"CTMT PRESS INCR" and PRIMARY

. . _ _ . . --.- ..- , - - -, . ...- -, - , _ . . ~ _ , _ , . , - _ _ , . . _ , . . _ , _ . - , _ - _ . . ~ . . . . . , , , . - - - . , _ . . - . . .

. 21

3. Secondary Alann The main function of the secondary system is to properly remove heat from the primary system. The secondary alarms, indicated by SECONDARY should monitor the condition of too much heat transfer (high steam generator level, low steam generator precsure, main feedwater valve too far open, high feedwater flow mismatch) as well as not enough heat transfer (low steam generator level, high sneam generator pressure, low feedwater flow mismatch).

The following alarms concentrate on fulfilling these monitoring functions.

a) Feedwater Mismatch Alarm This alarm can detect an overfeed or underfeed condition to one steam geuerator as soon as the feedwater flows are significantly (20%) different. The advantage of this type clarm is its rapid detection of the condition; steam generator levels do not have to respond before an alarm is initiated. In order to prevent this alarm from occurring during normal operation, several blocking logics are required. For operation with three reactor coolant pumps, feedwater flow will be different to each steam generator. Therefore, whenever reactor coolant loop flow varies by more than 10% (approximately 7 MPPH),

the alarm will be blocked. The alarm will also be blocked during a shutdown when both feedwater flows are less than one million pounds per hour.

The actual alarm logic is:

If lF674 - F679l >.2 and F674 + F679 2

F674, F679 are > 1 MPPH and lF727 minus F732l is < 7 MPPH THEN ALGM "FW MISMATCH" and SECONDARY

o 22 b) Main Feedwater Valve Too Far Open Alarm This alarm is another leading indicator of a potential overfill / overcooling condition. During normal operation, both main feedwater control valves control below 60%. By alarming if either feedwater valve gets to 75% open, it provides an early warning of an overfeed condition. This is an actual valve position and not a demand signal.

The actual alarm logic is:

If 2673 or Z678 is > 75% open THEN ALARM "MN FW VLV T00 FAR OPEN" nd SECONDARY c) Steam Generator Pressure Low Alarm This alarm provides a warning of a low pressure condition which could cause an overcooling of the RCS. The alarm setpoint (800 psig) is above the low steam line pressure trip setpoint (612 psig) of the Steam and Feedwater Rupture Control System (SFRCS) and sufficiently below the 870 psig normal operating pressure. Since steam generator pressure increases after a trip to above 1000 psig, this alarm will not occur during normal transients. The 800 psig setpoint corresponds to a saturation temperature of approximately 520 F cold leg temperature which represents a significant cooldown from normal operating (558 at 100% FP) and post trip (552-554 F) values for cold leg ,

I temperature.

Since a plant cooldown is initiated by reducing steam generator pressure, a slow decrease in pressure below 800 psig should not be alarmed. Therefore, whenever a ten minute average of reactor coolant average temperature is less than 530 F, the alarm is blocked.

. 23 The actual alarm logic is:

If P932 or P936 is < 800 psig and Ten minute average of T709 is > 530, then ALARM "SG PRESS LOW" and SECONDARY d) Steam Generator Level Low Alarm This alarm warns of a loss of heat transfer due to a low level in the steam generator. To have this low of a level requires both main and auxiliary feedwater be lost to the steam generator since main feedwater would try to maintain at least 35 inches and auxiliary feedwater would actuate at approximately 26 inches. The setpoint is adequate to ensure the setpoint will be reached before a steam generator has completely lost level. No plant operations or normal operating transients would cause this alarm to occur, so no block function is required.

The actual alarm logic is:

If L883 or L893 is < 10 inches THEN ALARM "SG SU LVL LOW" and SECONDARY e) Steam Generator Startup Level High Alarm Steam generator overfill is an extremely rapid transient requiring quick action to prevent equipment daeage. A1.

overfill can cause excessive cooling of the RCS and add positive reactivity from the moderator coefficient. It can also cause damage to the secondary side of the plant if liquid carries over to the steam lines. For this reason alarms are provided both on the essentially powered startup level indication (that is not temperature compensated) and also on the non-essentially powered (but temperature compensated) operate level instrumentation.

The setpoint of 250" corresponds to approximately 82% on tue operate range (with 925 psig in the steam generators and a 120*F reference leg). This setpoint is sufficiently above the normal operating level on the steam generators

.- 24 to prevent frequent actuation but sufficiently low to occur soon into the transient.

Since steam generator levels may be increased during a shutdown condition, the alarm is blocked when the RCS is cooled to 250 F.

The actual alarm logic is:

If L883 or L893 is > 250 inches and T801 is > 280*F, then ALARM "SG STARTUP LVL HI" and SECONDARY f) Steam Generator Operate Range Level High Alarm This alarm is redundant to the SPDS startup level high alarm but the operate level is temperature compensated.

Due to the seriousness of an overfill condition, this redunde.ncy is not excessive.

The actual logic is:

If L881 or L891 is > 80% and T801 is > 280 F, then ALARM "SG OPER LVL HI" and SECONDARY

4. Plant Radiation Level Alarm Containment radiation levels and unit vent radiation levels are important parameters to monitor during normal operation and accident conditions. The following is a description of each alarm condition in the radiation critical safety function indicated by RADIATION

l- . 25 a) Containment Radiation High Alarm The containment normal (low) range detectors are useful to detect small increases in RCS leakages. The particu-late monitor is the most sensitive, being capable of detecting RCS leak rates as small as a gallon per minute within minutes. The containment radioactive gas monitors are inheritently less sensitive to small RCS leak rates but do provide a useful backup to the air particulate monitor. The SPDS alarm setpoints are based on current background readings for the individual detectors. The limits are set at approximately 2 times normal back-ground readings. The setpoints are sufficiently sensitive to detect a significant increase in RCS leakage.

~

The actual alarm logic is:

If R291 is > 1.5 x 10-7 pCi/cc 9E R292 is > 1.5 x 10-8 pCi/cc SE R293 is > 1 x 10-2 pCi/cc ALARM "CTM't RAD HI" and RADIATION b) Containment Radiation High High Alann The containment wide range detector is useful in deter-mining large scale increases in containment radiation levels that may occur after a LOCA. The SPDS alarm setpoint established for this wide range detector is high enough to preclude actuation during possible small RCS leaks, but low enough to alarm in the event of a serious loss of coolant situation.

. 26 The actual alarm logic is:

If R299 > 20 R/hr, THEN AI. ARM "CTMT RAD HI HI" and CONTAINMENT c) Unit Vent Radiation High The unit vent is the exhaust path for the station radio-active ventilation systems and the release path for radioactive gaseous releases from the station. It is, therefore, monit.ored to detect inadvertent increases in release rate and to determine the radioactive release rate for offsite dose calculations. The unit vent is monitored for radioactive particulates, iodine (I-131),

normal range xenon (Xe-133), and mid/high range xenon (Xe-133).

These four inputs are being added to the Validyne multi-plexer and will subsequently be incorporated into the SPDS alarms and displays. The addition of these points is a part of the modification which will add these monitoru to the unit vent. This portion of the modifica-tion is expected to be completed in mid-1984.

The unit vent alarm setpoints have been chosen at the Technical Specifications instantaneous release rates.

These setpoints are low enough to ensure adequate time exists for operator response since the quarterly limits would not be exceeded for at least seven days if the radiation levels remained at the instantaneous alarm setpoint. The setpoints are high enough to prevent actuation during any normal plant transient.

The station vent flow rate used in calculating the alarm setpoint is based on 100,000 ft 3/ min or 4.72 x 10 7 cc/sec. The following are the calculations of the instantaneous release rates per the Environmental Techni-cal Specification limits.

Station Vent I-131 and particulate concentrations for instantaneous release rates:

Based on 1-Mev maximum beta energy:

7.5 x 1012 per pCi/cc

. 27 From Environmental Technical Specifications, Page 2.4-7, 1.5 x 106 Q 5 1; Q $ 6.67 x 10-6 Ci/sec The concentration of I-131 and particulates in the station vent which would result in a release rate of 6.67 x 10'6 Ci/sec is:

6.6 x 10-6 Ci/sec

_(4.72 x 10' cc/sec) (1 x 10~* ci/pCi) = 1.4 x 10-7 pCi/cc Station vent noble gas concentrations for instantaneous release rates:

From Environmental Technical Specifications, Page 2.4-7, 0.33 [Q(E + 1.1 R)] 6 1 where Q is the total noble gas release rate from the station vent in Ci/sec.

E and H are dose factors for the station vent.

Using the values of f and H for Xe-133 from Table 2.4-5:

0.33 [Q (5.2 + (1.1)(0.65))] 5 1 Q 5 0.5123 ci/sec This release rate corresponds to a concentration of noble gas in the station vent of 0.5123 Ci/sec (4.72 x 10' cc/sec) (1 x 10 6 Ci/pCi) = 1.1 x 10-2 pCi/cc The actual alarm logic is:

If R844 is > 10-7 ccE If R845 is > 10-7 ccE If R846 is > 10-2 cc E

b l

. 28 If R847 is > 10-2 EE Cc THEN ALARM

" UNIT VENT RAD HI" and RADIATION

5. Containment Alarm Logic The main purpose of the containment alarm logic is to provide a warning that conditions inside containment threaten its integrity. The alarms, indicated by CONTAINMENT are not intended to detect small RCS leakage since this function is handled in the primary alarm logic. Conditions in containment of temperature, pressure, or hydrogen concentration above design assumptions could threaten the containment integrity. Cne additional alarm for high containment water level is included in this alarm function since excessive water in containment ca:Id cause damage to equipment required to maintain containment integrity. The following is a more detailed description of each alarm logic, a) Containment Pressure High Alarm The containment vessel is designed for a maximum pressure of 40 psig. The maximum preasure under accident conditions in containment (which occurs after a 14.14 ft2rupture of the hot leg) is 34.7 psig. Therefore, the alarm is set for 35 psig or 35 + 14.7 2 50 psia. This setpoint is below the maximum design pressure and above the maximum expected under accident conditions.

The alarm logic allows for the monthly testing of one SFAS channel without causing an alarm and also will operate even with a failure of a single channel.

The actual alarm logic is:

If P314 and P315 are > 50 psia or If P316 and P317 are > 50 psia or If P305 is > 50 psia

. 29 THEN ALARM "CTMT PRESS HI" and CONTAINMENT b) Containment Temperature High Alarm The containment vessel is designed for a maximum tempera-ture of 264*T. The maximum wall temperature after any design basis accident is 260*F from a 8.55 ft 2 double ended sheer of a cold leg. The steam line break in containment analysis does indicate a momentary spike in containment air temperature above 264*F, but the maximum thin metal temperature is expected to be less than 220 F.

Therefore, 260*F is the maximum accident temperature expected to be indicated on the containment air suction temperature indicators and will be used as the setpoint of the alarm.

The actual alarm logic is:

If T298, or T302, or T306 is > 260*F THEN ALARM "CTMT TEMP HI" and CONTAINMENT c) Containment Hydrogen Concentration Alarm Containment hydrogen concentrations of > 4% (and < 80%)

are explosive and must be diluted, recombined, or dis-charged. The procedures at Davis-Besse start actions to reduce the hydrogen concentration at a 2.5% hydrogen concentration. Therefore, this alarm is set at 2.5% for redundant indication that action is required.

The actual alarm logic is:

If A302 is > 2.5%

THEN ALARM "CTMT H2 CONC" and CONTAINMENT

f- n

- 30 d) Containment Water Level High Alarm Although a high water level doesn't directly damage the containment vessel, it could submerge some equipment necessary for post-accident operations. One of the lowest elevations that should not be submerged (at least until the long term boron dilution flowpaths are estab-lished) is the vent for the decay heat valve pit at an elevation of approximately 571'-7". The water level expected after a LOCA is 567'. Therefore, an alarm set at an elevation of 568' should be high enough not to actuate unless conditions significantly deviate from expected and low enough to allow action prior to submerg-ing the vent. It should be noted that the level instru-ment used is compensated by a pressure instrument which results in a worst case maximum string error of 6.6 feet.

The actual alarm logic is:

If L321 is > 568', then ALARM "CTMT WIR LVL HI" and CONTAINMENT

6. Reactivity Alarms The purpose of the reactivity alarms, indicated by REACTIVITY is to notify the operator of an unusual core condition. The following is a description of the specific alarm functions of the SPDS reactivity alarms.

a) Reactor Power High Alarm The main purpose of this alarm is to provide redundant alarm indication of reactor power above design rating.

The 107% alarm setpoint is above the normal RPS setpoint (approximately 105%) but below the 112% maximum power assumed in the accident analyses. The alarm logic is designed to prevent an alarm occurring during the monthly surveillance test and to ensure an alarm will occur even if one channel is failed.

o 31 The actual alarm logic is:

If R795 and R804 are > 107%

or If R814 and R820 are > 107%, then ALARM "RX PWR HI" and REACTIVITY b) Improper NI overlap Alarm The source range and intermediate range NIs are designed to have at least one decade of over.!ap in their ranges.

Technical Specifications require at least one decade overlap. This slarm monitors the one decade overlap on the source range to intermediate range and on the inter-mediate to power range. The alarm logic is designed also to prevent an alarm during power operation when the source range instrumentation is de-energized.

The actual alarm logic is:

If R805 is > 10+5 and R818 is < 10-10 or If R796 is > 10*S and R812 is < 10-10 or If R818 > 10-5 and R804 < 10 or If R812 > 10-5 and R795 < 10, then ALARM "IMPR NI OVERLAP" and REACTIVITY c) NI Increasing After Trip Alarm One of the lessons learned by the TMI-2 accident was that if the reactor core becomes uncovered, the neutron indication will increase. This alarm can also monitor for an inadvertent reactivity insertion (restart accident).

The alarm monitors all four intermediate range and startup range neutron indicators after a trip, and if a five minute average is increasing significantly (1%),

provides an alarm. Also, if a long slow increase is occurring, a second alarm logic will occur if the indica-tions increase significantly over a thirty minute period.

_ _ _ _ _ _ _ _ _ - - - - _ - _ _ . )

\

. 32 The alarm is interlocked with the control rod drive trip confirm indication to prevent an alarm during plant startup or power operation. Note that the short term increase alarm is compared once per minute while the long term increase alarm is compared over every five minutes.

The actual alarm logic is:

If R818, R812, R805, or R796 five minute averages are increasing per R ave @T -Rave @T-5 > .01 (Rave @T) rR ave @T -Rave @T-30 > .01 (Rave @T)

THEN ALARM "NI INCR AFTER TRIP" and REACTIVITY C. SPDS Trend Displays The lower level trend displays of the Davis-Besse SPDS are designed to provide the operator with historical information useful in evaluating the status of the critical safety functions. Figures V-1 through V-6 illustrate the lower level displays associated with each of the six critical safety functions. The displays illustrated have been developed for the DADS based SPDS. The improved graphics capabilities of the Chromatics terminal on the DEC based system will provide improved resolution and may result in minor changes to these formats. The content and use of those displays, however, will not be significantly altered Each lower level display features trends and instantaneous values of plant parameters that are primary indicators of the status of the associated critical safety function. Candidate parameters were evaluated with respect to their usefulness in the detection of critical safety function problems, reliability, and applicability under various plant conditions. The result was evaluated to achieve a balance between the complexity of displays, as a human factors concern, while providing as much applicable information as possible for the spectrum of plant operating conditions. Similarly, the range of each parameter to be displayed was selected with consideration for both the colorgraphics resolution capabilities and the expected variation in plant conditions for which the SPDS can provide useful information. The units of display were chosen to be consistent with those understood and used by the Control Room operators.

Current values of each trended parameter are provided at the right hand margin of each display, along with the parameter point identifi-cation number. This instantaneous data, the graphically trended

f

. 33 data, and the corresponding scale information are color coded to l allow simple identification of each parameter.

The trend display provides a minimum of 25 minutes of historical data plotted from left to right up to the zero timescale indication.

As current data is displayed, it is added to the trend until the screen is filled, which occurs at +5 minutes on the scale. At that point, the trends are scrolled to the left in one 5 minute increment to return the end of the trends to the 0 timescale.

The resolution of the RAMTEK's Colorgraphics device permits an update interval of six seconds. The data display time and date are provided in the upper right hand corner of each display, along with a letter indication of mode of operation. If the SPDS is displaying current data, the letter "C" appears in the upper right hand corner. If the SPDS is in the historical mode of operation, the letter "H" is displayed.

If the validity flag for a given parameter is set within the computer to identify a point as being invalid, that information is provided to the operator by displaying an instantaneous value of

-99.0 printed in white in the right hand margin of the display.

The.following is a description of each lower level display and the parameters selected to represent the particular critical safety function.

1. P/T Trends Display The P/T trend displav has six parameters:

COMPUTER POINT DESCRIPTION RANGE T751 RFACTOR COOLANT HOT LEG SUB- -50 to +150 C'K) LED CHANVEL A T752 RlACTOR COCLANT HOT LEG SUB- -50 to +150 CO3 LED CHANNEL B P732 REACTOR COOLANT LOOP 2 HOT LEG 0 to 2500 psig WIDE RANGE PRESSURE, SFAS CHANNEL 2 COMPUTED MAXIMUM VERIFIED INCORE TEMP- 200 to 2300 F ERATURE T753 REACTOR COOLANT LOOP 1 HOT LEG WIDE RANGE TEMPERATURE, CHAN- 120 to 920 F NEL 1 T782 REACTOR COOLANT LOOP 2 HOT LEG WIDE RANGE TEMPERATURE, CHAN-NEL 2 120 to 920 F

. 34 This trend allows the operator to view at a glance the recent values of the (RCS) subcooled margin and changes in the parameters, fron which the subcooled margin is computed. From this information, the operator can tell if the recent changes in subcooled margin were due to pressure changes or temperature changes.

Ilot leg temperatures are provided since they are the normal temperatures which are input into the subcooled margin calcula-tion and are the most likely location for the hottest RCS water. For the case when the hot legs could be partially drained, the maximum verified incore temperature indication is provided for comparison. This helps to remind the operator that the hot leg temperature may not be the maximum RCS temperature.

2. Primary Trends Display The primary trend display has six parameters:

COMPUTER POINT DESCRIPTION RANGE P725 REACTOR COOLANT LOOP 2 HOT LEG 0 to 2500 PSIG WIDE RANGE PRESSURE L768 REACTOR COOLANT PRESSURIZER 0 to 320 INCHES COMPUTER LEVEL (INCHES)

T709 REACTOR COOLANT AVERAGE 520 to 620 F $

NARROW RANGE TEMPERATURE COMPUTED AVERAGE VERIFIED INCORE TEMPERA- 200 to 2300 F TURE T753 REACTOR COOLANT LOOP 1 HOT LEG 120 to 920 F WIDE RANGE TEMPERATURE, CHANNEL 1 T781 REACTOR COOLANT PUMP 1-1 50 to 650 F DISCHARGE COLD LEG WIDE RANGE TEMPERATURE RC4B2 This trend provides the operator with a trend of the major indicators of the primary system status pressure, temperature, and pressurizer inventory.

A narrow range RCS average temperature provides the operator with the required range and accuracy for normal operating transients (normal operation T is 582 F, post trip normal E 552 F). This accuracy in temp $Eature measurements assists the operator in analyzing volume changes in the RCS caused by temperature induced density changes. For transients outside

l

. 35 of the 520-620*F narrow range instrumentation, wide range hot leg and cold leg temperatures are provided.

Average incore temperature is provided for a comparison with hot leg temperature to determine the location of the hottest water in the RCS.

The wide range RCS pressure parameter has a range from above the primary code safeties lift pressure (2435 psig) to O psig, making it useful for a broad spectrum of transients.

3. Secondary Trends Four sets of parameters are trended on the secondary trends:

COMFUTER POINT DESCRIPTION RANGE F674 MAIN FEEDWATER 1 COMPENSATED 0 to 7000 KPPH FLOW FY2B1 F679 MAIN FEEDUATER 2 COMPENSATED 0 to 7000 KPPH FLOW FY2A1 l0Rl F878 MAIN FEEDRATER 1 STARTUP FLOW 0 to 1500 KPPH F879 MAIN FEEDWATER 2 STARTUP FLOW 0 to 1500 KPPH P932 STEAM GENERATOR 1 OUTLET STEAM 0 to 1200 PSIG PRESSURE, PT12B2 P936 STEAM GENERATOR 2 OUTLET STEAM 0 to 1200 PSIG PRESSURE, PT12A1 F874 STEAM GENERATOR 1 AUXILIARY 0 to 1000 GPM FEEDWATER FLOW F875 STEAM GENERATOR 2 AUXILIARY 0 to 1000 GPM FEEDWATER FLOW L883 STEAM GENERATOR 1 STARTUP 0 to 250 INCHES RANGE LEVEL 9B3 L893 STZAM GENERATOR 2 STARTUP 0 to 250 INCHES RANGE LEVEL 9A3 The main parameters in_the secondary side of the steam genera-tors are level, pressure, and flow.

In order to provide the most accurate indication of feedwater flow, the feedwater flow trend transfers to read the startup feedwater flow below 1000 KPPH. Auxiliary feedwater flow is provided directly in gallons per minute.

Y

. 36 Since the steam generator pressure is critical in deciding the steam generator saturation temperature and, therefore, the cold leg temperature, a trend of steam generator pressure is included. The range of the instrument (0-1200 psig) extends above the maximum main steam safety valve setting (1100 psig) and can be used for the entire cooldown transient since it reads any positive pressure.

Since the steam generator startup level can be used to detect a low level condition (operate range instruments cannot read a steam generator level less than 102 inches above the lower tube sheet), and since ne, ;;tartup level trend recorder exits in the Control Room (operate range instruments have recorder),

startup level was chosen for the trend. Although startup level is not temperature compensated, the maximum range of 250 inches corresponds to approximately 82% on the operate range (with 925 psig in the steam generator and a 120*F reference leg), which is adequate to detect an overfill condition.

4. Radiation Trends The radiation trend display consists of nine trend parameters:

COMPUTER POINT DESCRIPTION RANGE R291 CONTAINMENT NORMAL RANGE PARTI- 10-10 to 10-2 CULATE RADIATION (pC/CC)

R292 CONTAINMENT NORMAL RANGE I-131 10-10 to 10-2CC6 RADIATION (pC/CC)

R293 CONTAINMENT NORMAL RANGE Xe-133 10-8 to 10 0$CC RADIATION (pC/CC)

R294 CONTAINMENT MID/HI Xe-133 10-3 to10+5h RADIATION (pC/CC)

R R299 CONTAINMENT HI RANGE AREA 10 0 to 10s HOUR RADIATION R HOUR R844 UNIT VENT NORMAL PARTICULATE 10-10 to 10-2 6 (pC/CC)

R845 UNIT VENT NORMAL I-131 (pC/CC) 10-10 to10-2h R846 UNIT VENT NORMAL Xe-133 (pC/CC) 10-10 to 10-2 R847 UNIT VENT MID/HI Xe-133 (pC/CC) 10-8 to 10 0h

. 37 Although this a large number of parameters to have on one display, only the trend of the radiation reading need be observed and, therefore, the nine parameters are not exces-sive. Digital readouts are printed on the screen for all nine of the parameters to provide an accurate and easily readable present value.

The display monitors normal range, mid-range, and high range of containment radiation to determine the amount of radioactive fluid release to containment and the extent of fuel demage.

The unit vent is used to indicate the offsite release rate and can be used in conjunction with the offsite dose computation of the Prime Computer. Note that values for the four unit vent radiation monitor inputs are not shown on the display.

These inputs are to be added to the Validyne multiplexer as a part of the modification which will install the wide range monitors. This portion of the modification is expected to be completed in mid-1984.

5. Containment Trends The containment trend display consists of four parameters:

COMPUTER POINT DESCRIPTION RANGE A302 CONTAINMENT HYDROGEN CONCEN- 0 - 10%

TRATION L321 CONTAINMENT WIDE RANGE LEVEL, Elevation CHANNEL 1 538-588 ft.

P305 CONTAINMENT WIDE RANGE PRESSURE, 0 - 200 psia CHANNEL 1 MODCOMP T306 CONTAINMENT COOLER FAN 3 SUCTION 0 - 300*F TEMPERATURE These parameters were chosen to monitor conditions inside containment that could threaten its integrity and not to detect small RCS leakage since this function is displayed on the primary display.

Since hydrogen concentrations of 4% to 80% are explosive, the hydrogen concentration must be monitored to ensure dilution, recombination, or discharge efforts are initiated in a timely manner.

Containment water level could submerge some equipment necessary for post-accident operation and, therefore, needs to be monitored.

4

. 38 Containment wide range pressure is monitored to ensure the 40 psig maximum design pressure is not exceeded and pressure reduction operations are properly initiated.

Conditions in containment of high containment temperature need to be monitored to assure the maximum containment design temperature of 264*F is not exceeded. This trend monitors Containment Air Cooler #3 inlet temperature since the SFAS always starts the #3 Cooler.

Reactivity Trends Eight parameters are contained on the reactivity trends:

COMPUTER POINT DESCRIPTION RANGE R805 RPS CHANNEL 2 STARTUP RANGE 10-1 to 10+6 CFS NI 1 FLUX (CPS)

R796 RPS CHANNEL 1 STARTUP RANGE 10-1 to 10+8 CPS NI 2 FLUX (CPS)

R818 RPS CHANNEL 4 INTERMEDIATE 10-11 to 10-3 AMPS RANGE NI 3 FLUX (LOG AMPS)

R812 RPS CHANNEL 3 INTERMEDIATE 10-11 to 10-3 AMPS RANGE NI 4 FLUX (AMPS)

R804 RPS CHANNEL 2 POWER RANGE 1 to 125% FP NI 5 FLUX (% FULL POWER)

R795 RPS CHANNEL 1 POWER RANGE 1 to 125% FP NI 6 FLUX (% FULL POWER)

R820 RPS CHANNEL 4 POWER RANGE 1 to 125% FP NI 7 FLUX (% FULL POWER)

R814 RP3 CHANNEL 3 POWER RANGE 1 to 125% FP NI 8 FLUX (% FULL POWER)

Since the Control Room has many existing indications of reactor power during full power operation, the trend is not designed to detect small variations in power during normal operation. If an accurate reading is required, the digital printout on the screen can be used to monitor the present value. The trend is designed to display the interrelation-ships between the source range, intermediate range, and power range detection. This allows direct comparison for overlap verification and channel checks not only between instruments of a given range but between different instrument ranges. The trer.d can be used to determine if the source range or intermed-iate range is increasing due to possible core uncovery or an inadvertent criticality.

. 39 VI. HUMAN FACTORS CONSIDERATIONS FOR THE SPDS In designing the Safety Parameter Display System, Toledo Edison has incorporated appropriate guidance from applicable NUREGs (i.e., 0737, 0700, 0835, 0696) with existing Toledo Edison design philosophies, in order to develop an integrated design concept that reflects both good human factors and a recognition of the practical constraints imposed by the existing Control Room. Throughout this process, Toledo Edison has considered the numan factors principles pertaining to selection, organiza-tion, and presentation of information in the SPDS.

In selecting the information to be displayed by the SPDS, Toledo Edison has followed the guidance of NUREG 0835, while taking into account the specific operator decision-action sequence dictated by Davis-Besse operating procedures. This process ensures that the information displayed by the SPDS will allow the operators to quickly and accurately assess the status of all critical plant functions.

Once the necessary parameters were_ selected, the range, precision, and accuracy of the information the operators would require were considered.

This involved consideration of the decision-making process of the operators, as it relates to specific plant operating sequences. For example, in selecting setpoints for SPDS alarms, care was taken to ensure that values were selected that were not likely to be encountered under routine operations, but which still ensured that the operator would have sufficient time to respond effectively.

The next step in the decision process involved organizing the information to ensure that it was maximally usable by the operator. The primary focus during this phase of the process was to organize the information in such a way as to minimize the need for the operator to view multiple displays for support of a specific decision-action sequence.

The final phase of the design process was directed at determining her the information could best be presented to the operator. This included the physical location of the SPD3 and the actual format the displayed information would take.

With regard to 1ccation, the primary concerns were visibility and readability of the displayed information. A location for the SPDS was selected that would provide the best visibility within the Control Room, without obstructing the operator's access to other important displays and controls.

In selecting the display location, consideration was given to the location of existing lighting to minimize glare and reflected light on the display face. Readability was considered with respect to the expected viewing distance for the selected SPDS display locations, and what effect this would have on character size requirements.

One of the major human factor concerns in designing the SPDS was develop-ing a display format that would minimize the time required for the operator to extract the necessary information. The designers attempted to minimize operator visual scan requirements by developing a format l

. 40 that was logical, standardized, and consistent with operator expectations.

IIighlighting techniques, including color coding, graphic enhancement and flashing, were used to assist the operator in quickly locating important information. To minimize operator memory requirements, the format was standardized with respect to the location and content of common fields, such as screen labels and alarm messages. Whenever possible, special function keys were utilized to minimize the number of keystrokes required by the operator during interaction with the system.

VII. VALIDATION AND VERIFICATION PLAN This section summarizes the plan that will be used to verify the design of the SPDS, to validate the design of the SPDS, and to verify the installation of the SPDS. Comprehensive validation and verification (V&V) procedures are being developed in accordance with this plan.

These procedures will be used to perform the V&V activities to ensure that a quality SPDS is implemented.

As previously discussed, Toledo Edison has adopted a phased approach for the design and implementation of the SPDS. The first phase involves the installation of the DADS based system. The second phase involves the installation of the DEC based SPDS.

Verification and validation activities are considered by Toledo Edison to be an integral part of the development and implementation of the SPDS. Therefore, these activities have been planned to conform to the phased approach for the design and implementation of the SPDS. Accord-ingly, V&V activities will be performed in four stages: before comple-tion of the DADS SPDS, after the completion of the DADS SPDS, midway into the evolution of the DEC SPDS, and after completion of the DEC SPDS.

The elements of the V&V plan are organized in three sections: the verification plan for the SPDS design, the validation of the SPDS design, and the verification of the SPDS installation.

A. Verification of SPDS Design The ohjectives of the verification activity are to review the design requirements to determine their validity and then to review the design to assess compliance with these requirements. In order to meet these objectives, the verification plan is concerned with the methods to determine whether an accurate translation has been made from requirements to design.

The Verification Plan for the design of the SPDS is comprehensive and addresses both technical and operational capabilities as well as human factors considerations.

The Verification Plan calls for the performance of the verification activity in two parts. The first part is concerned with reviewing the design from an engineering standpoint. The second part is concerned with reviewing the design on the basis of human factors considerations. The method of performing the verification for both l

F i r

. 41 j i

1 these parts relies on developing tabular matrices which list the !

regulatory requirements / guidelines and industry practices. The I verification process consists of systematically exercising the SPDS l and reviewing the design documentation of the SPDS to assess the j degree of compliance with those items listed in the tabular matrix. ;

An example of this matrix is shown as Fis .e VII-1.

This raatrix would allow the documentation of the method by which I verification activity was performed, the list of document references used in the verification effort, and the results of the verification process. The matrix would list the regulatory requirements / guidelines and industry practices for the following aspects of the SPDS:

. Design Criteria o Displays o Location, Size, and Visibility o Staffing o Procedures and Training Document review and personnel interviews will be conducted to determine that the SPDS design conforms to the design criteria and guidelines outlined in the matrix. The following documentation will be reviewed during the course of this effort:

. Toledo Edison SPDS Specification and SPDS Input List o Toledo Edison Design Drawings (Instrument Loop Diagrams) o Abnormal Transient Operating Guidelines for Davis-Besse Nuclear Power Station Unit 1

. Data Acquisition System, Central Processing Uait, and Display Generator Hardware Documentation

. Data Acquisition System and Display Generator Software Review The verification activity concerned with the engineering aspects of the SPDS will be documented in a report. Discrepancies would be noted between requirements versus the design and performance of the f SPDS for appropriate resolution. ;

The Toledo Edison SPDS implementation process has included human factors considerations as an integral part of the evolving design.

A human factors review of the DADS SPDS is being performed. The purpose of this review is to determine the degree to which the SPDS conforms to the applicable criteria contained in the October,1981 draft of NUREG 0835 and NUREG 0700.

Human factors review of the SPDS displays will be conducted to '

determine the adequacy of the operator-display relationships as well as the correspondence with procedures and the proper use of color, labels, scales, and symbols in the design of the SPDS displays. Surveys will be performed to determine if the TED SPDS 1

F

. 42 design is properly configured for lighting, location, and reada-bility. Operator interviews will be conducted to obtain feedback from plant operations personnel on the acceptance of the system and usability of the displayed values.

The human factors review will be documented in a report detailing the activities and the results. Any deviations from the criteria will be formulated into a Human Engineering Discrepancy (HED) and appropriately processed through the approved resolution process developed for the Detailed Control Room Design Review.

B. Validation of the SPDS Design The objectives of the validation activity are to test and evaluate the integrated hardware and software parts of the SPDS to assess compliance with the functional, performance and interface require-ments. Accordingly, the validation plan is concerned with methods that provide an overall assurance that the designed capabilities are implemented in the hardware and software of the SPDS.

The validation plan calls for three methods for validation of the SPDS. First, a comparison will be made between the values depicted on the SPDS and the values depicted on the Control Room indicator for each displayed parameter under normal operating conditions.

This comparison is applicable only to those parameters associated with normal steady-state power operation. Parameters associated with conditions other than steady-state power operation would not be validated by this method. An accurate correspondence between the Control Room meters and the SPDS values is critical for the operators to accept and use the SPDS.

Second, each displayed parameter will be checked for proper readout by introducing the appropriate signal at a convenient point in the instrument loop to determine that the SPDS display reads correctly over the range of the parameter. A signal of known strength will be manually introduced and the SPDS display will be checked. The amplitude of an input signal will be varied to cover the range of the parameter. The comparison of the input signal strength (i.e.,

a simulated input value of a parameter) versus the value indicated by the display would validate the response of the SPDS over the range of the parameter. This comparison is applicable to parameters associated with normal power operation as well as off-normal conditions (e.g., auxiliary feedwater flow, containment hydrogen concentration). It is judged that this comparison will adequately determine the accuracy and repeatability of each SPDS input.

System changes to force a response in the measured parameter will be avoided.

Third, to determine the integrated performance of the SPDS during plant upset conditions another method for validation will be utilized. Several transient sequences will be postulated and simulated data points generated for the sensitive parameters associated with these transients. Using these simulated data, a

" dummy" data file will be created to make it possible to drive the

T I

o 43 SPDS displays and observe its efficacy under abnormal plant condi-tions. In addition, this method would indicate how useful the SPDS is to the plant operations personnel under transient conditions.

The results of these validation activities will be summarized in a report and entered into the SPDS Verification and Validation Summary Matrix (Figure VII-1).

This validation effort will be performed on the Primary SPDS and will be updated as necessary to include the Backup SPDS.

C. Verification of SPDS Installation The objectives of the verification of the SPDS installation activity are to ensure that the SPDS is properly installed and complies with the applicable design and functional criteria. The DADS equipment has been installed and operational for over a year and was tested per normal modification testing procedures following installation.

Consequently, further installation verification of the DADS based SPDS is not deemed necessary.

The components of the DEC based SPDS, however, will require post installation verification. In order to meet these cbjectives, a walk-through of the SPDS is planned. A checklist and drawings (e.g., component connection diagrams) will be used during the walk-through to ensure that the as-built SPDS coniorms to the design requirements. Discrepancies observed during the walk-through will be documented for review and resolution.

Field Verification Tests to verify the correlation of the sensor signals (input data) to the SPDS displays will be performed as part of the validation effort (i.e., the second method discussed in Section VII-B).

A summary report will be generated to document the results of the field verification review and walkdown.

VIII. IMPLEMENTATION PI.AN/ SCHEDULE The majority of the Data Acquisition and Display System Hardware has been installed and in use for well over a year. Of the components necessary for the DADS based SPDS operation, only the overhead repeater for the Control Room RAMTEK terminal requires additional work. The repeater has been installed and requires only hookup and checkout to be operable. This will be completed by January 31, 1984.

Software development for the DADS based SPDS is essentially complete, and the displays are undergoing initial operational checkout and debug-ging.

The initial phase of design verification and preparations for validation testing are underway. The first phase of verification and validation testing will be completed by January 31, 1984.

. 44 Operator training on the use of the DADS based SPDS will include presen-tations on the use of the system and general design characteristics.

Particular emphasis will be placed on limitations of the system and methods by which the operator can identify invalid inputs and system operational problems. The DADS based SPDS will be considered operational at the conclusion of operator training on January 31, 1984. Post installation verification and validation activities will, of course, be an ongoing effort.

Most of the hardware associated with the DEC Based SPDS is currently on site. The data link between the Prime and the DEC 11/34 has been established to permit initial software development. The direct data link from the Validyne multiplexer has been designed, and equipment is on order. This data link should be operational by October 31, 1984.

The Chromatics terminals use a special double scan CRT. Consequently, the overhead repeater is not a standard device. Design options for the repeater are currently being evaluated. Therefore, a detailed installa-tion and operability schedule is not yet available. The remaining installation of the Chromatics terminal in the Control Room is now planned for the 1984 Refueling Outage, scheduled to begin in August.

The design verification, installation verification, and validation testing of the DEC based SPDS are to be completed by November 30, 1984.

Operator training on the total SPDS (DEC and DADS systems) will include information similar to that provided on the DADS system. The training will also include presentations on the use of the system, in conjunction with the upgraded Emergency Operating Procedures (EOPs). Portions of this training will be integrated with the training on the upgraded E0Ps to be conducted during the 1984 Refueling Outage, and all training activities will be completed by November 30, 1984, at which time the DEC based SPDS will be considered operational. As with the DADS based system, post installation verification and validation activities on the DEC based system will follow.

Thc SPDS design is not expected to be stagnant. The follow on verifica-tion and validation activities and other operator feedback mechanisms will provide continual impetus to modify and improve the SPDS. Similarly, the results of the Detailed Control Room Design Review and the continuing development of the upgraded Emergency Operating Procedures are expected to provide inputs for possible changes to the SPDS. Many of these changes will be incorporated into the development of the upper level SPDS displays. Others will be factored into the lower level displays and the alarm logic for the top level displays. Anticipated changes include display format modifications, alarm logic changes, and alarm setpoint changes.

As modifications to the SPDS are proposed, they will be evaluated against the design criteria in Section III of this report, and will be implemented, if acceptable. Post modification testing and training requirements will be established for these changes on a case-by-case basis.

. 45 Following the completion of the full SPDS installation and the completion of currently planned V&V activities, a revised Safety Analysis Report will be submitted for hPC review, t

m k

f ,

l 46 FIGURE IV-1 SPDS BASIC CONFIGURATION PLANT PROCESS INSTRUMENTATION i i sr F sp CLASS 1E ISOLATION EQUIPMENT FOR SAFETY

SYSTEM SIGNALS l N/ \/ L' \/

MULTIPLEXER I COMPUTER I PLANT l \/ 5/ \/ l DEC PROCESSOR ( DADS PROCESSOR N/ \/ l l

TSC DISPLAY D P 1 I DAVIS-BESSE ADMINISTRATION BUILDING H M _ M W O

\/ \/

CONTROL ROOM CONTROL ROOM DISPLAY DISPLAY ,

CONTROL ROOM A _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _

47

. FIGURE IV-2 SPDS HARDWARE CONFIGURATION PLANT PROCESS INSTRUMENTATION !

if ,

'/

VALIDYNE DIGITAL & AhALOG MULTIPLEXER VALTEC VALTEC g MULTIPLEXERS g

/\/\ /\ i\ /\

\/

MODCOMP i PLANT PROCESS

' I COMPUTER I PLANT CABINET /COMPUTEF ROOM

\/

PLANT PROCESS COMPUTER DISPLAY DEVICES i -

\/

RAMTEK g OVERHEAD OVERHEAD L JHROMATICS p DISPLAY REPEATER DISPLAY

_ REPEATER]

KEYBOARD KEYBOARD CONTROL ROOM V V VALTEC VALTEC y .VALIDYNE 4 4 RECEIVER ,s PRIME A ( ) PRIME B i

\/ /\ /\

VALIDYNE v v RECEIVER DISK DISK STORAGE STORAGE v

, DEC 11/34 O E

' I TSC ECC y DISPLAYS DISPLAY EK MM TSC

, DISPLAY CHROMATICS KEYBOARD KEYBOARD KEYBOARD DAVIS-BESSE ADMINISTRATION BUILDING

48 CONTROL Room LAYOUT F160RE .TE- 3 I

mt,cctnex MIN $a IIditt" SmT?Ct @tt.,

l l

j

$E '

5E c

s

o OPL%iORE DEfGK RAMTEM TEResAt I~l I

L ._ _J Qk 2 s Cot 3 TROL /

[

\ itLiRUtGTATia f"~ 7 [DMN CONF. OLE, I h L_J i c

d C#0 MAT 405 I Tt;eMiN A L

_ __l FUTORE LDf. AT tDN CONTA L/

"J45TROHEM AT told COM50LE. .

W LTH ANNUNC.if 6R$

U*Ico.U..

< !i I l1i

~

D E

S S 0 0 EE S 0 0 CG T 0 0 H 0 H 0 H 0 H ON I 1 7 P 7 P 9 P 9 P RA N - - P - P - P - P PR U 0 % 0 K 0 K 0 M 0 M S

WS PD T

I 5 0 C 0 0 NP N - 1 1 1 1 IS U 1 V 2 V 2 V 1 V 2 V D D D N N N E T E T E T T

- R O R O R O O M R T O T O T O O E E . R R R R T T T & & &

S CS P R E E E E Y TAC A M R M R M R M R M S URI S E R A R A R A R A R PAT DE N A U A U A U A U A Y NHS PS I L Q L Q I Q L Q L A ICI SU L A S A S A F A S A L

P S

I S D T U

R P E N -

T I I E F M G EIN E A D CSO RC Q- Q Q Q R I RSI ER - - -

A A UAT WU N U N U N N P N OLA OO 2 O B O B O i O I A SCC PS Q Y N Y N Y N Y N T 1 Y

- T R V E E F X E A E L S L B P A E I T S T S L E U B M S E I N V Y A D 5 D I CE S L RG T 0 0 R A UN l 5 0 0 1 1 O V OA i l - V 1 1 - -

F SR U 0 m 1 V 1 V 0 V 0 V T

S I

L W

P C C C C C N I I 1 I 1 I I I N N B N A N B N A O 7 O 2 O 2 O 1 O 1

~ E ER R 2 R 0 R 0 R 0 R 0 C CE T 0 T P T P T C T C RE RB C 5 C S C S C R C R UP UM E - E - E - E - E -

OY OU L E L T L T L T L T ST SN E A E I E F E F E F W W W W O D O

h I L I

F L

F T F F N G C I C P P L L N O N M M H N O P O O O I C C C 1 2 T R P E z 1 2 P P I T H O O R

C U

P T 2 V I 4 W

F 9 O

L 7 L O

2 S M M 0 7 7 2 3 E O T 3 N 6 N 6 C 7 C 7 D C C A M F M F R F R F

, ,llI l i[l ll

l4)i l Jl jlIl

. n

. it i' uC D

E S

S- 0 0 0 0 EE S 0 0 0 0 CG T 0 0 5 H 5 H ON I 1 M 1 M 1 P 1 P RA N - P - P - P - P PR U 0 G 0 G 0 K 0 K 7 S bS T PD I 5 5 0 0 NP N - - 1 1 IS U 1 V 1 V 1 V 1 V T T T T

- O O O O M R O O O O E E . R R R R T T l S CS P E E E E Y TAC R D R D R T R D S URI S A N A N A h A N PAT DE U E U E U E U E Y NHS PS Q R Q R Q R Q R A ICI SU S T S . T S T S T L

P S

I S D T U

R P E N -

T I I E T M G EIN E A O CSO RC Q Q R L RSI ER - -

A A UAT WU A A N U N U P N OLA OO 1 2 O A O B A SCC PS Q Y Q Y N Y N Y 1 Y

- T R V E E F X E A L

B S EP A E I T S T S L E U B H S E I N V Y A D E D I CE -S L RG T 0 0 R A UN I 2 2 0 0 O V OA N - A - A 1 1 F .S R U 4 m 4 m i V 1 V T

S I

L T

U P C C C C N I I I I I N N N B N A O 0 O 1 O 3 O 3 E ER R 3 R 3 R 0 R 3 C CE T 6 T 6 T P T F RE RB C 4 C 4 C S C S U!

OY UM OL E

L T

- E L T

- E L T ST SN E F E F E F E F T

W O

I N W O

W O

L F

N O L L O P F F U U I S S T

P R

E W

F W

F 1 2 I T A A R

C U

P 1 4 2 5 d

I 8 W

F 9 S M 7 7 7 7 E O G 8 G 8 N 8 N 8 D C S F S F M F M F ljl ll!1 . ,ll

I lIlJ 'I. l: Ii s l D- O 4

.E T S

S 33 EE S 33 0 0 0 CG T 2 0 5 ON I 88 3 1 2

.RA N 38 T - N - - N PR U 55 F 0 I 0 % 0 I

, T~ S US T 0 PD I 1 0 0 0 NP N - 1 1 1

" IS U 0 V 1 V 2 V 1 V.

D D D N N N E E E

- R R R M R T T T E E T T T. & & &

S CS P R R R R Y TAC A M A M A M A M S URI S E R E R E R E R PAT DE N A N J N A N A Y NIS PS I L I I I L I L A

L IJI SU L A L A L A L A P

S I S D T T

t R

E T h -

T I I E F M G EIN -E A O CSO RC Q R L RSI ER -

A A UAT WU A U N U U P N OLA OO 1 B O B A 1 A SCC PS Q Y Q 7 N Y Q Y

- Y V T R E E E F X L A E B S L P

A E I T S T S L E U B M S E I N V Y A D E D I CE S L RG T 0 0 0 0 R A UN I 2 2 2 A

2 A

O V OA N - A - A - -

F SR U 4 m 4 m 4 m 4 m T

S I

L T

U P C C C C N I I 1 I 1 I 3 I N N - N B F B O 5 O 4 O 9 O 9 E ER R 9 R 1 R 0 R 0 C CE T 5 T C T P T P RE RB C 4 C R C S C S UP UM E - E - E - E -

OY OU L T L T L T L T ST SN E L E L E L E L I

L

H L L V C V V L T L L N L E I E P E G N O V M T N O P E O A A I L C R R T R E P E R R P U I

R T

U W Z R

O S C P T 1 P 8 1 1 1 3 S M M 2 6 G

8 G

8 E O T 3 C 7 8 8 .

D C C L R S L S L _

L It \l 1lfi t l

jlIl ilIl j

s

_. 1

)

UN

l; !

D E

S S 0 0 EE S 0 0 0 0 0 CG T 0 5 0 A 5 G 5 G ON I 1 2 2 I 2 I 2 I RA N - - N - S - S - S PR U 0

0 I 0 P 0 P 0 P

. T S US T 0 0 0 PD I 0 0 1 1 1 NP N 1 1 - - -

IS U 1 V 1 V 0 V 0 V 0 V D D 3 D N N h N E E E E

- R R R R .

M R T T T T E E .

T T T & & & &

S CS P R R R R R Y TAC A M A M A M A M A M S URI S E R E R E R E R i. R PAT DE N A N A N A N A A Y NHS PS I L I I I L I L M L A ICI SU L A L - A L A L A L A L

P S

I S D T U

R P E N -

T I I E F M G EIN E A O CSO RC Q R L RSI ER -

A A UAT WU N U U A P N OLA OO O B B l 3 2 A SCC PS N Y Q Y Q Y Q Y Q Y 1

Y V T R E E F X E A E L S L B P A E I T S T S L E U B M S E I N V Y A D E D I CE S L RG T 0 0 0 0 0 R A UN I 2 2 2 2 2 O V OA N - A - A - A - A - A F SR U 4 m 4 m 4 m 4 m 4 m T

S I

L T

U P C C C C C N I l I 3 I I 3 I 4 I N A N A N N B N A O 9 O 9 O 7 O 2 O 2 E ER R 0 R 0 R 8 R O R 0 C CE T P T P T 5 T C T C RE RB C S C S C 4 C R C R UP UM E - E - E - E - E -

OY OU L T L T L T L T L T ST SN E L E L E P E P E P 3 2 H H C C S S A A F F S S S S, S S E E R R I P P L

L V H R t i

V L C W k T L N E S G G I E G S L L N O T N E H H O P A A R I R R P 1 2 T R E P E P U R P P I T T O S E O O R I O O C P 2 1 2 3 T 5 L 5 L 2 S M 9 9 M 0 2 3 E O G 8 G 8 T 3 C 7 C 7 D C S L S L C P R P R P l Il1 (l ll!1l tl

' I l 1l 1

I1t 2 2 9 0 3 1 D

E o o S t t S 0 0 EE S 0 0 0 0 c 8 c CG T 0 G 2 G 2 G 1 c 1 c ON I 2 I 1 I 1 I - / - /

RA N - S - S - S 0 C 0 C PR U 0 P 0 P 0 P 1 p 1 p I G US T 0 0 0 PD I 1 0 0 1 1 NP N - 1 1 - -

IS U 0 V 1 V 1 V 0 V 0 V D D 3 Di N N h E E E E'

- R R R R M R T T T T E E .

T T T & & & &

S CS P R R R Y TAC A M A M A M M M S URI S E. R E R E R R R PAT DE I A N A N A G A G A Y NHS PS I L I L I L O L O L A

L ICI SU L A L A L A L A L A P

S I S D I U

R P E N -

T I I E F M G t.IN E A D CSO RC Q Q Q R I RSI ER - - -

A A UAT WU N U N U N U A A P N OLA OO O A O B O A 1 1 A SCC PS N Y N Y N Y Q Y Q Y 1 Y

- T R V E E F X E A E L S L B P A E I T S T S L E U B M

. S E 8 8 I N 0 0 V Y 1 1 A D E > >

D I CE S 0 0 L RG T 0 5 5 o o R A UN I 2 - - t M t M O V OA N - A 0 A 0 A P P F SR U 4 m 1 m 1 m 0 C 0 C T

S I

L T

U P C C C C A C B N I I 2 I 1 I l. I A I N N B N A N A N A O O 2 O 2 O 7 O 7 E ER R 4 R 1 R 1 R 9 R 9 C CE T 2 T P T P T 5 T 5 RE RB C 2 C S C S C 4 C 4 UP UM E - E - E - E - E -

OY OU L T L T L T L E L E ST SN E P E P E P E R E R S D S A D E R A R R P T S S L 1 K S S C 3

T E E T 1 R R R -

T H P P P 1 N C I N M M G C N O E T T R R O P U S S I Q M M T R T T R R P E R U U O C I T Z O O N N R U R C P P 0 1 2 2 6 T 1 T 2 S M 7 3 3 M 9 M 9 E O C 7 G 9 G 9 T 2 T 2 D C R P S P S P C R C R l Il

l Il ll lll l 1 ll l!

i ,!l ji w#

~

5 0 -

0 0 8 D 1 1 0 E 1 S o o S

EE CG S

T s t

c c - 3 t

c c

o t

R 5

2 ON I - / ~ / 0 H 1 RA N 0 C 0 C 0 / -

PR U 1 p 1 p 1 R 0 %

T S US T 0 0 0 0 PD I 1 1 1 1 NP N - - - -

IS U 0 V 0 V 0 V 0 V D D N N E E

- R R M R T T E E .

T T T & &

S CS P R Y TAC M D M A M S URI S R N R E R PAT DE G A G E G A N A Y NHS PS O L O R D L I L A ICI SU L A L T I A L A t L

P S

I S D T U

R P E N -

T I I E F .

M G EIN E A O CSO RC R L RSI ER A A UAT WU A A A P N OLA OO 1 1 1 1 1 A SCC PS Q Y Q Y Q Y Q Y Y

V T R E E E

F X L A E B S L P

A E I T S T S L E U B M S E 8 8 8 I N 0 0 0 V Y 1 1 1 A D E > > >

D I CE S L RG T o o o 0 R A UN I t M t M t M 1 O V OA N P P P -

F SR U 0 C 0 C 0 C 0 V T

S I

L T

T I

P C C C C C C R N I A I B I I E I N A N A N A N E O 7 O 7 O 6 O N E ER R 9 R 9 R 9 R O C CE T 5 T 5 T 5 T IR RE RB C 4 C 4 C 4 C TE UP UM E - E - E - E CW OY OU L E L E L E L UO ST SN E R E R E R E AP D

A 1 D D R A H W R 3 C 3 G 3 1 D V 3 - A A 1 E R

- - X D E A E T X G E R N R R E I G A E N O R I N O P H G O I M / R I I R R D T P E O I I C I T N M H U R U A C P T 3 T 4 T 9 0 S M M 9 M 9 M 9 S 9 E O T 2 T 2 T 2 P 7 D C C R C R C R P R jj l[ f l

1 i e

n, t

,! ,jl

. l D 3 E 5 - S S 6 S 2 6 S P S ? 1 P o M EE S 5 o C o C t A CG T 2 t o t ON I 1 G t G 1' G RA N - 1 O 1 O 1 O PR U 0 % - L 0 % - L - L S

WS PD T

I 0

1 0

1 NP N - - - - -

IS U 0 V 0 V 0 V_ 0 V 0 V D D D D D N N N N N E E E E E

- R R R R R M R T T T T T E E .

T T T & & & & &

S CS P R R Y TAC A M M A M M M S URI S E R R E R R R PAT DE N A G A N A G A G A Y NHS PS I L O I I L L O L A

L ICI SU L A L A L A M A L A P

S I S D

R W

P E N -

T I I E F M G EIN E A O CSO RC R L. RSI ER A ! UAT WU P N OLA OO 1 i I 2 3 A SCC PS Q Y Q Y Q Y Q Y Q Y 1 Y

- T S V E F F X E A E L S L B P A E I T S T S L 8 7 E U 2 2 -

B M S

E 0

1 8

0 C

E y s o

C E

0 1

I N 1 A l S o L V Y o ' o / t A D E t o S t o S D I CE S t E t E 3 L RG T 5 S s S 1 R A UN I - 1 L ~ - 1 L -

O V OA N 0 U 0 U 0 F SR U 1 A 0 P 1 A 0 P 1 A T

S I

L W

P C C C C C N I I I I I I N N N N N O 6 O 2 O 5 O 1 O 4 E ER R O R O R O R O R O C CE T I T I T I T I T I RE RB C N " N C N C N C N UP UM E - I - E - E - E -

OY OU L I I I L I L I L I ST SN E N E N E N E N E N X X X X X U U U U U L L L L L F F F F Y f 6 2 5 1 4 T I I I I I N N N N N N I

N O R R R R R O P P S P S I I

T R I I 2 2 3 P E I T H H H H H R U C C C C C C P 5 6 4 5 2 S M S 9 S 9 S 0 S 0 S 1 E O P 7 P 7 P 8 P 8 P 8 D C R R R R R R R R R R l lllilllllll l lll

l

!l !l l - ; l

?

. D 3 E - S S P S o M 0 0 EE S 5 t A 5 0 0 CG T 2 2 3 3 ON I 1 1 G 1 2 2 4 RA N - 1 O - - T - F PR U 0 % - L 0 1 0 ' 0

T S US T 0 0 0 0 J PD I 1 1 1 1 1 NP N - - - - -

IS U 0 V 0 V 0 V 0 V 0 V D D D D D N N N N N E E E E E

- R R R R R M R T T T T T E E .

T T T & & & & &

S CS P R R R R Y TAC A M M A M A M A M S URI S E R R E R E R E R PAT DE N A G A N A N A N A Y NHS PS I I O L I L I L I L A ICI SU L A L A L A L A L A L

P S

I S D I T

I R P E N -

T I . I E F M G EIN E A O CSO RC R L RSI ER A A UAT WU A A P N OLA OO 4 4 4 1 2 A SCC PS Q Y Q Y Q Y Q Y Q Y l' Y

- T R V E E F X E A E L S L B P A E I 9 9 T S T 9 9 S L 3 E U 2 - 2 0 0 B M - 0 - 5 5

- 0 1 0 S E 1 1 o o I N o t t V Y o t o A D E t t 2 2 D I CE S 1 9 9 L RG T 5 1 5 6 6 R A UN I - ~

O V OA N 0 '0 0 0 V 0 V F SR U 1 A 1 A 1 A - m - m T

S I

L T

U P C C C C C N I I I I I I N N N N F N L O 8 O 3 O 7 O 3 O 3 E ER R O R O R O R 0 R 0 C CE T I T I T I T M T M RE RB C N C N C N C I C I UP UM E - E - E - E - E -

OY OU L I L I L I L E L E ST SN E N E N E N E T E T X X X U U U L L L F F F 3 3 F L ,

8 3 7

- - - P P T I I I M M N N N N E E I T T N O R R R O P P I P T T I U U T R 3 4 4 O O P E I T H H H E E R U C C C R R C P 4 8 0 O 4 O 5 S M S 1 S 1 S 2 C 1 C 1 E O P 8 P 8 P 8 N 5 N 5 D C R R R R R R I T I T l l lI llllll l

l l ll l

. 1 ;j U

j D

E S

. S 0 0 0 0 0

_ EE S 0 0 0 0 0 CG T 3 3 3 3 3 ON I 2 2 2 2 2 RA PR N

U 0

- F

' 0

- T 0

- T - - F - F

' ' 0 ' 0 '

T S US T 0 0 0 0 0 PD I 1 1 1 1 1 NP N - - - - -

IS U 0 V 0 V 0 V 0 V 0 V D D D D D N N N N N E E E E E

- R R R R R M -R T T T T T E E .

T T T & & & & &

S CS P ' R R R R R Y TAC A M A M A M A M A M S URI S E R E R E R E R E R FAT DE N A N A N A N A N A Y NHS PS I L I L I L I L I L A ICI SU L A L L A L A L A L

P S .

I S D T U

R P E N -

T I - I E F M G EIN E A O CSO RC R L RSI ER A A UAT WU A A A A A P N OLA OO l 2 2 I 2 A SCC PS Q Y Q Y Q Y Q i' Q Y 1 Y

- T R V E E F X E A E L S L B P A ES I T

9 9 9 9 9 T S L 9 9 9 9 9 E U 0 0 0 0 0 B

M 5 5 5 5 5 S E o o o o o I N t t t t t V Y A D E 2 2 2 2 2 D I CE S 9 9 9 9 9 L RG T 6 6 6 6 6 R A UN I O V OA N 0 V 0 V 0 V 0 V 0 V F SR U - m - m - m - m - m T

S I

L T

U P C C C C C N I I I I I T N 6 N K N C N 0 N E O 5 O 5 O 6 O 6 O 7 E ER R 0 R 0 R 0 R 0 R 0 C CE T M T M T M T M T M RE RB C I C I C I C I C I UP UM E - E - E - E - E -

OY OU L E L E L E L E L E ST SN E T E T E T E T E T 5 5 f 6 7 G K C 0 E P P P P P T M M M M M N E E E E E I T T T T T N

O I

M T U

T U

T R O O O O O P E I r r E E E E E R t R R R R R C P O 0 O 2 O 4 O 7 O 0 S M C 2 C 2 C 2 C 2 C 3 E O N 5 N 5 N 5 N 5 N 5 D C I T I T I T I T I T l !l lI ii(il ll

n. O tC e

D E

S S 0 0 0 0 0 EE S 0 0 0 0 0 CG T 3 3 3 3 3 ON I 2 2 2 2 2 RA N - F - F - T - F - F PR . U 0 ' 0

0 ' 0 ' 0

T- S

. US T 0 0 0 0 0 PD .I 1 1 1 1 1 NP N - - - - -

IS U 0 V 0 V 0 V 0 V 0 V D D. D D D N N N N N E E E E E

~. - R R R R R M R T T T T T E E .

T T T & & & & &

S CS P R R R R R

- Y S

TAC S

. EA M A M A M A M A M URI R E R E R E R E R PAT DE N A N A N A N A N A Y NHS PS I L I L I L I L I L

- A ICI SU L A L

A L A L A L A L

P S

. I S D T.

U R P.

E N -

T I I E F M G. EIN E A O CSO RC R L RSI ER A A UAT WU A A A A A P N OLA OO 1 1 2 1 2 A SCC PS Q Y Q Y. Q Y Q Y Q Y 1 Y

- T R V E E F X E A E L S L B P A E I 9 9 9 9 9 I S T 9 9 9 9 9 S L E U 0 0 0 0 0

- B N 5 5 5 5 5 S E o o o o o I N t t t t t V Y A D E 2 2 2 2 2 D I CE S 9 9 9 9 9 L RG T 6 6 6 6 6

- R A UN I O V OA N 0 V 0 V 0 V 0 V C V F SR U - m - m - m - m - m T

S I

L T

U P C C

~

C C C N I I I I I I N M N E N M N C N 0 O 7 O 9 O 9 O 0 O 0 E ER R 0 R 0 R 0 R 1 R 1 C CE T N T M T M T M T M RE RB C I C I C I C I C I UP UM E - E - E - E - E -

OY OU L E L E L E L E L E ST SN E T E I E T E I E T

+

0 0 7 9 9 1 1 M E M C 0 P P P P P T M M M M M N E E E E E I .T T T T T N O O P T T T T T I U U U U U

. T R O O O O O P E I T E E E E E R U R R R R R C P O 2 O 9 O 2 O 4 O 7 S M . C 3 C 3 C 4 C 4 C 4 E O N 5 N 5 N 5 N 5 N 5 D C I T I T I T I T I T

e n

L*

D E

S 0 S 0 0 0 0 2 EE S 0 0 0 0 6 CG T 3 3 3 3 -

ON I 2 2 2 2 0 RA N - F - T - F - F 2 F PR U 0 ' 0 ' 0 ' 0 ' 5

T S US T 0 0 0 0 PD I 1 1 1 1 0 NP N - - - - 1 IS U 0 V 0 V 0 V 0 V 1 V D D D 3 t N N N h h E E E E E

- R R R R R M R T T T T T E E .

T T T & & & & &

S CS P R R R R R Y TAC A M A M A M A M A M S URI S E R E R E R E R E R PAT DE N A N A N A N A N A Y NHS PS I L I L I L I L I L A ICI SU L A L A L A L A L A L

P S

I S D T U

R P E N -

T I I E F M G EIN E A O CSO RC Q R L RSI ER -

A A UAT WU A A A A N U P N OLA sO 2 1 2 l O B A SCC ' S Q V Q Y Q Y Q Y N Y 1 Y

- T R V E E F X E A E L S L 3 P A E I 9 9 9 9 T S T 9 9 9 9

. S L E U 0 0 0 0 B M 5 5 5 5 S E N

o o o o I t t t t V Y A D E 2 2 2 2 D I CE S 9 9 9 9 L RG T 6 6 6 6 R A UN I 0 O V OA N 0 V 0 V 0 V 0 V 1 F SR U - m - m - m - m 1 V T

S I

L T

U P C C C C C N I I I I I I N 6 N K N F N L N 7 O l O l O 3 O 3 O 0 E ER R i R i R 1 R 1 R C C CE T M T M T M T M T R RE RB C I C I C I C I C -

UP UM E - E - E - E - E T OY OU L E L E L E L E L Y ST SN E T E T E T E T E T l l 3 3 i i 1 1 G K F L P P P P T M M M M P N E E E E M I T T T T E N O T O P T T T T I U U U U R T R O O O O N P E I I T E E E E G R I R R R R V C P O 0 O 1 O 7 O 0 A 9 S M C 5 C 5 C 5 C 6 0 E O N 5 N 5 N 5 N 5 C 7 D C I T I T I T I T R 7 llll lll

l {illIl G

j m0, t

4 4 2 2 0 0 1 1 D

E o o S t t 0 0 S 2 0 2 EE S 4 4 9 5 9 CG T 2 2 - 6 -

ON I 0 0 0 - 0 RA PR W L

1 F

2 1

F 0

5 F

2 1

F T S US T 0 0 PD I 1 1 5 0 5 NP N - - - 1 -

IS U 0 V 0 V 1 V 1 V 1 V D D D N N N E E E

- R R R M R T T T E E .

T T T & & &

S CS P R R R R R Y TAC A D A D A M A M A M S URI S E N E N E R E R E R PAT DE N E N E N A N A N A Y NHS PS I R I R I L I L I L A ICI SU L T L T L A L A L A L

P S

I S D T U

R P E N -

T I I '

E F M G EIN E A O CSO RC Q R L RSI ER -

A A UAT WU A A A N U U P N OLA OO 1 2 1 O B B A SCC PS Q Y Q Y Q Y N Y Q Y 1

Y V

- T R E E

, F X A E U

B S L P %

A E I -

T S T S L E U B M

- ' 3 0 3 S E 8 3 8 I N 2 2 2 V Y A D E o o o D I CE S t t t L RG T 0 0 S S S R A UN I 1 1 9 M 4 M 9 M O V OA N - - 1 H 0 I l 1 H F SR U 0 V 0 V 1 O 1 O 1 O T

S I

L T

U P C C C C C N I I I I I I N 1 N 0 N 5 N 2 N 5 O 5 O 5 O B O B O A E ER R 9 R 9 R 3 R 4 R 3 C CE T 4 T 4 T C T C T C RE RB C - C - C R C R C R UP UM L Y E Y E - E - E -

OY OU L D L D L E L E L E ST SN F T E T E T E T E 7 1

I l

' P C M H E C A B ,

T P ?

H H M R M C C E V E T T D, G

D, R L R E E k C V T L L N 0 0 G H G I 0 0 L C L N O C C H S H O P B B I I U U 1 D 2 T R S S P E P 1 P I T G G O - O R U L L O l O C P H 1 H 2 L 3 1 L 2 S M 5 5 5 P 8 8 E O C 7 C 7 C 7 C 7 C 7 D C R T R T R T R T R T Ill!l ill i t 1 1 ! ! _

1Il e

h C"

D E

S D D S 0 0 E E EE 0 S S u S 5 5 5 0 O CG T 6 6 6 0 O ON I - - 0 L 0 L

- C C RA N 0 T 0 T 0 T 1

1 PR U 5 ' 5 ' 5 ' %

0 0 %

T S US T PD I 0 0 0 0 0 NP N 1 1 1 1 IS U 1 V 1 V 1 V 1 V 1

1 V M R E E .

T T T S CS P R R R Y TAC A M, R R S URI S A M A M A M A M E R E R E R E R E R Y

PAT DE N A N A N A N A N A NHS PS I L I L I L A ICI SU L A I L I L L L = A L A L A L A

. P S

. I S D T U

R 7 E h -

T I I -

E F u

f G EIN E J O CSO RC Q Q Q Q T L RSI ER - - - -

Q A A UAT WU N U N U N U N U P N OLA OO O B O B O A N U A SCC PS N Y N O A O B 1 Y Y N Y N Y N Y

- T R V E E F X E A E L S L B P A E I T S T S L E U B M

- 0 0 S E 0 3 3 3 I N 2 2 2 V Y A D E o o o D I CE S t t t L RC T S S S R A UN I 4 M 4 M O V OA .N 0 H 4 M 0 0 F SR 0 H 0 H 1 1 L 1 O 1 O 1 O 1 V 1 V T

S I

L T

U P C C C C N I I I C

I I I N 4 N 2 N 4 N B N O B O A O A O A

E ER R 4 R 4 R 6 O 6 C CE T C 4 R 0 R 0 RE RB T C T C T P T P C R C R C R C S C UP UM E - E - E - E - E S

OY OU L E L E -

ST SN L E L T L T E T E T E T E Z E Z P P P M M M E E E T T T t

R R M W W G G G

L L L V C C C V

T L L N H H li V V I C C C L L N O S S S R O P I R I D I

D I T T T R D C C P E 2 1 2 1 I T - - - 2 R U l 2 W C P 1 1 2

1 F 3 W

F 8 S M P 0 P 2 P 4 7 F O C 8 C 8 C 8 N 6 N 7

D C R T R T R T M 6

2 M 2 lI4 ; ;1l l

ll ) J1IIlIlI I il ,,

e $

.D E

S R R R S OD OD OD EE S E E E CG T NS NS NS ON I EO EO EO RA N PL PL PL PR U OC OC OC M M M RR RR RR UA UA UA DL DI DL T S A A A US T N N N PD I EG EG EG NP N PN PN PN IS U OI OI OI M R E E .

T T T L L L S CS P A A A Y TAC T M T M T M S URI S I R I R I R PAT DE PS G A G L

A G A Y NHS I L I I I A ICI SU D A D A I s

A L

P S S I T D U P

R N E

T I

1 E L F M A EIN E A T CSO RC R I RSI ER A G UAT WU P I OLA OO - A A A D SCC PS l l l 1 Y Q Y Q Y Q Y T R V E E F X E A E S L L P B E I A S T T S L E U B M S E I N V Y A D E D I CE S L RG T R A UN I O V OA N F SR U T

S I

L T

U P C C C N I I I I N N N O 3 O 5 O 7 E ER R 6 R 6 R 6 C CE T 2 T 4 T 2 RE RB C 4 C 4 C 4 UP UM E - E - E -

OY OU L E L E L E ST SN E Z E Z E Z 2 1 3 3 1 1 V V L L V V V L

V F F

L L F R R T L N R S S I S S N O R E E O P W R R I P P P T R P E R R R I T Z Z Z R U R R R C P P 5 P 6 P 7 S M 6 6 6 E O C 7 C 7 C 7 D C R Z R 2

- R Z

,i! i!ii ,1 ; , i ,i llIl , l l

l!

.ll 1lll e

D E

S S

EE S 0 CG T 0 A 0 A 0 A 0 A 0 ON I 6 I 6 I 6 I 6 I 3 RA N - S - S - S S F PR U 0 P 0 P 0 P 0 P 0 '

T S US T 0 0 0 0 0 PD I 2 2 2 2 2 NP N - A - A - A - A - A IS U 4 m 4 m 4 m 4 m 4 m M R E E .-

T T T S CS P R R R R R Y TAC A M A M A M A M A M S URI S E R E R E R E R E R PAT DE N A N A N A N A N A Y NHS PS I L I L I L I L I L A ICI SU L A L A L A L A L A L

P S S I T D U P

R N E I -

T I E G F M O EIN E A L CSO RC R A RSI ER Q A N UAT WU -

P A OLA OO N A SCC PS I 2 3 4 O 2 Y R Q Y Q Y Q Y Q Y N Y 1 T E

- E T V F U A P E S M L O B E C A S T S S E S B E

- C S O I R V P A E D T CE S N RG T 0 0 0 0 0 R A UN I 2 2 2 2 2 O L OA N - A - A - A - A - A F P SR U 4 m 4 m 4 m 4 m 4 m T

S ,

I L

T U

P C C C C C N I I I I I I N N N N N O 0 O 1 O 2 O 3 O 6 E ER R 0 R 0 R 0 R 0 R 5 C CE T 0 T 0 T 0 T 0 T 3 RE RB C 2 C 2 C 2 C 2 C I UP UM E - E - E - E - E -

OY OU L T L T L T L T L T ST SN E P E P E P E P E T

) ) ) )

S S S S B B B B P A A A A M

( ( ( ( E T

I 2 3 4 T

H H H H C C C C C U

S S S S S T A A A A I N F T F F I S S S S N N O A O P S S S S F I S S S S T R E E E E R P E R R R R L I T P P P P C R U C P T 4 T 5 T 6 T 7 T 8 S M M 1 M 1 M 1 M 1 M 9 E O T 3 T 3 T 3 T 3 T 2 4 D C C P C P C P C P C T l flI j i l1! ,l' { i ;l !j: l4 f, l Ill' I 1Il

j IlI (

(i l)l l, f1 D

E S

S EE S 0 0 CG T 0 0 ON I 3 3 RA N - F - F IR U 0

0

T S US T 0 0 PD I 2 2 NP N - A - A IS U 4 m 4 m D

N E

- R M R T E E .

T T T &

S CS P R R Y TAC A M A M S URI S E R E R PAT DE N A N A Y NHS PS I L I L A ICI SU L A L A L

P S S I T D U P

R N E I -

T I E G F M O EIN E A L CSO RC R A RSI ER Q- Q-A N UAT WU P A OLA OO N A N A SCC PS O 2 O 2 Y R N Y N Y 1 T E

- E T V F U A P E S M L O B E C A S T S S E S B E

- C S O I R V P A E D T CE S N RG T 0 0 R A UN I 2 2 O L OA N - A - A F P SR U 4 m 4 m T

S -

I L

T U

P C C N I I I N N O 7 O 8 E ER R 5 R 5 C CE T 3 T 3 RE RB C I C 1 UP UM E - E -

OY OU L T L T ST SN E T E T P P M M E E T T T T C C U U

S S T 2 3 N

I N N N O A A O P F F I

T R R R P E L L I T C C R U C P T 2 T 6 S M M 0 M 0 E O T 3 T 3 D C C T C T

.'ti tj' !! I ;i l II , l-ll ,1Ill 1l \\l l z

Ijll1Ijj1ll ll ,1 e $

- e D

_ E

_ S R R

_ S O O EE S

_ CG T HM PM ON I GR IR RA N IO RO PR U HN TN

- M M RR RR UA UA DL DL T S A A US T N N PD I EG EG NP N PN PN I$ U OI OI M R E E .

T T T L L S CS P A A

'r TAC T M T M S Ut I S I R I R Y

PUT NI LS DE PS G

I A

I G

I L A

A ICI SU D A D A L

P S S T I U D P N

R I E -

T L I E A F M T EIN E A I CSO RC R G RSI ER Q Q-A I UAT WU -

P D OLA OO N U N U SCC PS O A O A Y R N Y N Y 1 T E

- E T V FA U P

E S M L O B E C A S T S S E S B E

- C S O I R PL V P OC A E D T CE S 19 N RG T 08 R A UN I 43 O L OA N PL F P SR U 22 V OC V T

S I

L T

U P C C N I I I N N O 4 O 4 E

C ER CE R

T 2

2 R

T W

5 RE RB C - C -

UP UM E H E D OY OU L S L R ST SN E P E C S

S E

R

P M R

T K I N T F I N N O H O O P C C I N T R E P P E U I I T Q R 5 R U T 0 C P R 0 6 0 S M Z 1 D 6 /

E O R 7 R 2 B D C P P C Q E J

f t! !' 1l!s ! f

= l (,1 ll li illI1I11l llll

FIGURE V-1

-P.C5 HL5 SUCCLD RCS HR P/T IPE BS iMREIN FRE55

--150 -2500 -

F

~2000 1751 DI.A -100 P op g

-1500 "F -50 1752 5

-1000 OI.B -0 F732

-500

.g .

.. 59 g

RCS HR ttM IllCOEE i ; i i g

-15 -10 -5 0 +5 ih TEtF -25 -20 III I" "I"5 -

920 -2300 -

F

-800 -2000 100P

- 1753 1 -700

-1500 ,F

-600 op op 1782

-500

-400 -1000 l f

-300 CIFID

-500

-200 -

--120 -200 -

SEC0lD^iRY RADIATION CONTAlff06 REACTIVITY P/T PRllIARY _

u . .. ..

FIGURE V-2, FRZR RC5 MR RCS HR FRIWEfTRE!OS LVL TAVE FRE55

-320 -620 -2500- -

-300 -610 IN

-250 -600 -2000 L768

-590 I

-580 $ -1500 op H -150 T709

-1000

-100 -550 pggg

-500 F725

-50

-530 '

-0 -520 -0 - -

AVE RC5 RC5 INCORE LP 1 LP 1 I I I I I I M

I TEMP Th -25 -20 -15 -10 -5 0 IC I I" "I"

-2300 :920 -650 - - i

-2000 -800 F

-700 -500 CHPID

-1500 -600 -900 or S

F *F -500 *F

, 1753

-1000 _qog

-200 *F

-300

-500 -200 -100

-200 -120 -

P/T FRIMARY SECCtLVEf PJOIATION CONTAllt!EIR REACTIVITf l

i 1

O FIGURE V-3 ru 5s SEC0lLVEf TFDOS FLOH FRE55

--7000 r-1200- -

KPPH SG 1 -6000 SB I L

-1000 r679 A78 K

-5000 p _ggg gppy P -9000 5 F679 A79 P

--3000 I -600 PSIE

-2000

-90 P932 3G 2 -1000 SG 2 -200 PSIE

--O --O -

P936 ,

co AUX Fil 55 I I I i 1 1 I FL0li SU LVL -25 -20 -15 -10 -5 0 +5

--1000 --250 - TIN IN HIMS ,

-900 "

3G l -

800 SG I -200 F879

-700 spH 5 -600 -150 I

I F875

-500 y H -900 -

-100 IN

-300 L883 3G 2

-200 SG 2 -50

-100 in

--O --O -

L893 P/T FRIl1ARY SEC0fiDARY RADIATI0ll C0ffTAlllBIT FIACTIITf

O g

C r~ C g

CE ER 1

1 I E R H ECC . cc cN 1CE ,

I i

l 1

Y T

I 1 3 q V 2 3 9 5 6 7 I 9

2 R

9 2

R 9

g 9

2 R

9 2

R g

p.

9 3

R M

E R

9 8

R T

E D

F g

l, i

f l

E 8

I0 I A

I l

t 0

C i5 4 s O

- I V H T I

3 l A E

R 0 j1 0l I D

U G

B F

- N I A R

I I F E f

l l

t I C T I

T 5 A

y1 Y

1 - R 0 A f

F 0

f 0

C 0 E

,2 S Il g 7 s 5 4 3 + g l

l j

ll 5

- - s Y

t M H 4 4 #

4 4 0 0 i O G - 4_ - - 4_ - 1 5 3 1 3 R I I

~

1 H 4 4 + ~ - F R G - - ' - - ~ _ -

l H y I I R E l I

D E D 4- - _ - - 1 4

g 3 D A

E E

H 0

A M R H I l 0 S R R H A n 2 9 6 1

_. 0 o I R 4 - -

1 l

H 4-2 9

6 8

- t_ M W -

H - - - - . V O - .

R . L l O -

. I T C M M /

ll-T 1 3

3 U{ I T 1 P

R 3 g R 3 A 1 1 A 1 P I > P

- ~ - - -

o 9

FIGURE V-5 CTNT H C0NC HIR COIIAIIION IR303 LVL

-10 -538 -

-8 -578 '

4 E

-6 -ggg 302 L

4 E

-4 n* -558 ELEV

-2 -543 L321 l

-0 -538 -

y l

CTiti CRCE IR SUCT I I I I I I I PRESS TEtF -25 -20 -15 -10 -5 0 +5 l

-300 -

IIf1E IN HIMS p200

-150 p5In P -200 P305

-100 *F -

l n -100 *F

~50 T306

-0 -0 -

P/T FRIlh'iRY SEC0fD W( PRIATION C0flTAll#01T REACTIVITY c

l 71

.o m m

'b g M M N N N N e c b b '~

r o

u's o

N r.

. e.

. e.4 we o

sa e [

0> N 0> 0> 0> sl@ eXe D W Cal M M E W W sla:

._g t=

_o ~,;

c D

B

_m m 5 m.* W o r e

.e g S

t=4 f N

> --. = .

5 o

- i h; 4

H

" b 9

W Lti %

y g N g

W oo o .4 e.J">

0

,,,,,Ls m .4 L.De

. >- rs. .C.O Ct.

A c::

' ' J ZZZZ A

" N ca: W o

W s,c m Y LA u:s t o> @* C'"J T

~=

me ! ! ! ! ! ! ! ! ! =

- - 0 MM cl C Q e/o H

u.:e We 7

m. N.

. C. 7; =[h m

$gW UAM

.-___m 4' & / O

% 'g IMAGE EVALUATION ////p Ab4 y s. TEST TARGET (MT-3) Y ',[,4 4?

4 f

gp '

4)p+\.9// 'k9ff

~~4 6" >~~

~~% +~~

r

~~-#fh>,77,f Itf.,;;(& 1~~

~~2= _- _ _-__._____.___________ _~~
0
. FIGURE VII-1 Prepared by Date t-EXAMPLE OF Reviewed by Date VERIFICATIDN AND VALIDATION SIM4ARY MATRIX Approved by Date FDR SAFET7 PARAK TER DISPLAY SYSTEM (SPDS) 1 I I I I i ! I I I I I I Verif f- 1 I i i i i l l Design I cation l IValidationi Validation i l l l Method of 1 Verification l Report IVe.*1ficationlTest Plan i Test Plan l Comments l I Requirements / Guidelines IVerificationi References l Section l ResJlts l Reference l Results l l I I I I i I i I I I i i i i i i i i l Example of Typical Content i l 1 i i i l l I I I I l i I 1 l l Design Criteria i l I i i l l l l l l l 1 1 I I i l Sensors and signal conditioners l Document l- TED Instrument Index l l l l l 1 1 for SPDS parameters that are IReview 1- Q List or equivalent ! l l l l 1 I also used by safety systems are l l- Instrument Loop i l 1 i I i I to be designed and qualified to l l Diagrams l l l 1 l l 1 meet Class 1E requirements. I l- SPDS Input List l l l l l l l l l l 1 1 I I I I I I I I I I I 4 1 SPDS and safety system interfaces IDocument l- TED Instrument Loop i l 1 i l lu i shall be isolated from electronic IReview l Diagram i l l l l lN-l and electrical interferences. I l- SPDS Input List i l l l l l l SPDS failure shall not impact i l l l l 1 I l I safety systems. 1 I I I I I I l l l l l 1 1 I I I l Failure of non-safety systems IDocument l- TED Instrument Loop i i l l I I I shall not adversely impact the IReview I Diagrams i i l l 1 l l integrity of SPDS. I l- SPDS Input List i i l l I I I I l- SPUS Po..er Supply i 1 1 1 l l 1 l i I l i I I I I I I I I I I I I I Sensors and signal conditioners IDocument l- TED RG 1.97 l l l l l 1 l for those parameters of the SPDS [ Review l Documentation (List of I I l l I I l that are spec'ff ed by R.G.1.97 I l instruments and i l l l l I shall be qual;11ed to meet its l I qualification levels) l l l l l l l requirements. I I I I I I I I I I I I I I I I I I I I I I I I I I
I I I I I i 1 I I I I I I I I I I I I I I I i l i I I Page of

v t e Letter Sequence Other
TAC:51234, (Open)
Initiation Request, Request Acceptance... Administration Questions Answers Results Approval... Other: ML20082P033, ML20082P038
MONTHYEAR1984-07-26 [Table View]

ML20082P038

Text

Navigation menu

Search