ML20083K119

Safety Parameter Display Sys for Emergency Response Facility Program
ML20083K119
Site: Prairie Island
Issue date: 04/30/1984
From: NORTHERN STATES POWER CO.
To:
Shared Package: ML20083K075
References: RTR-NUREG-0737, RTR-NUREG-737, NUDOCS 8404160071


Text


SAFETY PARAMETER DISPLAY SYSTEM
FOR PRAIRIE ISLAND NUCLEAR GENERATING PLANT UNITS 1 AND 2
EMERGENCY RESPONSE FACILITY PROGRAM

NORTHERN STATES POWER COMPANY
414 Nicollet Mall
Minneapolis, Minnesota

April 1984


8404160071 840410 PDR ADOCK 0500028 p


TABLE OF CONTENTS

1.0 INTRODUCTION
1.1 Purpose and Scope
1.2 Terminology
1.2.1 Critical Safety Functions
1.2.2 Parameters
1.2.3 Plant Signals
1.3 Relationship of Critical Safety Functions and Barrier Concept
1.4 EOP/SPDS Compatibility
2.0 SPDS DESIGN AND OPERATION
2.1 System Description
2.1.1 Multiplexing and Data Collection
2.1.2 Computer Systems
2.1.3 Availability
2.2 Levels of Display
2.2.1 Definition of SPDS Displays
2.2.2 Relationship of AIDS to SPDS Displays
2.3 Human Factors Design Considerations
2.3.1 Features
2.3.2 Graphic Coding
2.3.3 Display Access
2.3.4 Control Room Location
2.4 Verification and Validation Program
2.4.1 Definitions
2.4.2 V&V Activities
2.4.3 Relationship Between QA and V&V
3.0 SELECTION AND EVALUATION OF SPDS INPUT PARAMETERS
3.1 Evaluation Criteria
3.1.1 Basis for Determining Adequacy
3.1.2 Selection and Evaluation Process
3.2 Type and Number of Parameters Required to Assess Each CSF
3.2.1 Reactivity Control
3.2.2 Reactor Core Cooling and Heat Removal from the Primary System
3.2.3 Reactor Coolant System Integrity
3.2.4 Containment Conditions
3.2.5 Radioactivity Control
3.3 Parameter Ranges
3.4 Selection of SPDS Alarm Limits
3.5 Reactor Mode Indication
3.6 Provisions for Validation of SPDS Data
4.0 PRELIMINARY 10 CFR 50.59 SAFETY EVALUATION
4.1 Function and Design of SPDS
4.2 SPDS Installation
4.3 SPDS Operation
4.4 Conclusions
5.0 SUMMARY AND CONCLUSIONS
6.0 REFERENCES

FIGURE 2-1 CRTs Control Room Locations
FIGURE 2-2 Typical Top-Level Display

ATTACHMENT 1 - SPDS CRITICAL SAFETY FUNCTIONS AND ASSOCIATED MONITORED AND DISPLAYED PARAMETERS
ATTACHMENT 2 - SPDS PARAMETER RANGES

1.0 INTRODUCTION

1.1 Purpose and Scope

This report has been prepared in response to section 4 of NUREG-0737, supplement 1 (reference 1), and presents the safety analysis of the parameters selected for monitoring and display on the Prairie Island Nuclear Generating Plant (PINGP) safety parameter display system (SPDS).

The PINGP SPDS parameters will provide sufficient information in terms of the five safety functions specified in NUREG-0737, supplement 1, to enable the plant operators to make a rapid and reliable assessment of overall plant safety status. The PINGP SPDS will be responsive to a wide range of events, including the symptoms of severe accidents, and will be functional during all reactor operating modes.

The Prairie Island SPDS is part of the plant safety assessment system (SAS). The PINGP SAS is currently being implemented based on the generic SAS design developed by the Ad Hoc Group of the Westinghouse Owners Group Subcommittee on Instrumentation in 1981. The generic SAS design and development included a formal verification and validation (V&V) of the generic portions of the design, as applicable, and underwent a subsequent user's evaluation program in 1982. The generic SAS validation provisions will essentially be preserved in the Prairie Island adaptation. The design and implementation of the PINGP SAS is being carried out in accordance with the generic SAS functional software specification and users implementation guide (references 2 and 3), subject to the Prairie Island V&V plan for emergency response facilities data systems.

The generic SAS was originally designed to address NUREG-0696 guidelines for an SPDS. This report evaluates the adequacy of the SPDS portion of the PINGP SAS in terms of the later NUREG-0737, supplement 1 requirements.


The principal basis for determining the adequacy of the PINGP SPDS parameters is compatibility with the PINGP symptom-oriented emergency operating procedures (EOPs) (reference 4). SPDS capability to monitor a wide range of plant responses to transients and accidents was further evaluated based on the analyses in the updated safety analysis report (USAR) (reference 5). Also, comparisons were made with the SPDS parameters recommended by others for added perspective in determining the adequacy of the PINGP parameters.

Further discussion of SPDS/EOP compatibility and definitions of SPDS terminology used in this report are given in sections 1.2 and 1.3. An overview of the PINGP SAS design and installation, including the definition of the SPDS portion of the PINGP SAS, is presented in section 2.0. Selection and evaluation of parameters is presented in section 3.0. The preliminary 10 CFR 50.59 safety evaluation of the PINGP SAS implementation is presented in section 4.0. An overall summary and conclusions are presented in section 5.0, and references are listed in section 6.0.

1.2 Terminology

This section defines key SPDS terminology used in this report.

1.2.1 Critical Safety Functions

Critical safety functions are those safety functions that are essential to prevent a direct and immediate threat to the health and safety of the public. The critical safety functions monitored by the SPDS, as required by NUREG-0737, supplement 1, are:

o Reactivity control
o Reactor core cooling and heat removal from the primary system
o Reactor coolant system integrity
o Containment conditions
o Radioactivity control

1.2.2 Parameters

Parameters are those measures of system status or performance and CSF status or performance which are obtained directly or calculated from plant signals. Plant signals are obtained from monitoring and control sensors installed in the plant systems. Each parameter is measured by one or more sensors, each of which produces a signal corresponding to the value of the parameter being measured.

1.2.3 Plant Signals

Plant signals are the electronic or electrical outputs of the monitoring and control sensing devices installed in the plant systems. These devices are calibrated so that the signals produced correspond to actual values of the parameters being measured.

1.3 Relationship of Critical Safety Functions and Barrier Concept

The section 1.2 definitions of critical safety functions are based on the activities required to assess the integrity of and the potential for breach of the radioactive material barriers. The assessment of the reactor core cooling and reactivity control critical safety functions provides the information required to assess the potential for breach of fuel cladding integrity. The assessment of the coolant system integrity function provides the information required to assess the integrity of the nuclear system process barrier. The assessment of containment conditions provides the information required to assess the integrity and the potential for breach of the primary containment barrier. The assessment of the radiation control function provides the information required to assess radioactive releases to the environment resulting from breaches of one or more of the radioactive material barriers. Therefore, as long as the critical safety functions are adequately maintained, the radioactive barriers remain intact and the plant poses no threat to the health and safety of the public.

1.4 EOP/SPDS Compatibility

The PI emergency operating procedures (EOPs) provide specific direction regarding the maintenance or accomplishment of plant safety functions. The EOPs are organized into four types:

o Optimal recovery guidelines (ORGs)
o Emergency contingency actions (ECAs)
o Critical safety function (CSF) status trees
o Function restoration guidelines (FRGs)

The EOPs were initially based on the worst-case transient and accident scenarios of the types analyzed in the transient and accident analysis report (reference 6). Optimal recovery guidelines and emergency contingency actions are event-oriented and provide operator guidance to mitigate the consequences of specifically diagnosed events. Critical safety function status trees and function recovery guidelines are symptom-oriented and provide operator guidance to mitigate the symptoms of potential or actual CSF degradation.

The CSF status trees identify the appropriate function restoration guidelines. The CSF status trees and associated function restoration guidelines are directly related to the maintenance and accomplishment of the critical plant safety functions identified in NUREG-0737, supplement 1, as follows:

NUREG-0737, Supplement 1 Safety Functions          Related CSF Status Trees
Reactivity Control                                 Subcriticality
Reactor Core Cooling and Heat Removal              Core Cooling, Inventory, and Heat Sink
  from the Primary System
Reactor Coolant System Integrity                   Integrity
Containment Conditions                             Containment

As indicated in the EOP generation package (reference 7), the PINGP EOPs were prepared using the Westinghouse Owners Group (WOG) emergency response guidelines (ERGs), basic revision, dated July 5, 1982. The emergency response guidelines were initially based on the WOG transient and accident reanalyses made in response to NUREG-0578, item 2.1.9.c (reference 6) and subsequently revised based on discussions with the Nuclear Regulatory Commission (NRC), reference 8. The ERGs are being implemented in response to NUREG-0737, item I.C.1.

The purpose of an SPDS is to continuously display information from which to assess overall plant safety status in terms of how well the CSFs are being maintained or accomplished. However, the SPDS is not intended nor is it designed to diagnose the specific events which may be affecting CSF maintenance or accomplishment. The determination of adequacy of an SPDS parameter set is, therefore, mainly based on establishing compatibility with the symptom-oriented EOPs. Since both the event-oriented and the symptom-oriented EOPs are designed to cover a wide range of emergency situations, the selection of SPDS parameters which are compatible with the EOPs ensures coverage of a wide range of events, including severe accidents. Details of the review and evaluation process for the PINGP SPDS parameters are provided in Section 3.0.


2.0 SPDS DESIGN AND OPERATION

2.1 System Description

The safety assessment system (SAS) is a set of application software which provides emergency response facility (ERF) function for the main control room.

The SAS software runs on the ERF computer system (ERFCS).

The ERFCS consists of two hardware/software subsystems, each performing a major function:

o A multiplexing and data collection system (MUX)
o An integrated computer system

The SPDS is that portion of the SAS which is available to the control room operators via a dedicated CRT on the main control board. The SPDS will provide a concise display of critical plant information to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. This information will consist of the status of plant safety functions in terms of associated plant parameters.

The parameters are either directly monitored or are derived using data collected via plant instrumentation systems. Derived parameters are based on algorithms consistent with those which drive other calculated parameter displays in the control room. This ensures information portrayed for SPDS calculated parameters is consistent with that displayed by control room instrumentation.

2.1.1 Multiplexing and Data Collection

Each unit (1 and 2) of the Prairie Island plant has its own MUX system. The MUX system is comprised of remote multiplexing units (RMUs) and communication controllers (CC). The MUX system for unit 1 will serve the unit 1 emergency response facility's (ERF) computer system, the unit 1 plant process computer system (PPCS), and the plant-wide radiation release and offsite dose assessment computer system (RRDACS).

The MUX system for unit 2 will serve the unit 2 ERF computer system and the unit 2 PPCS. The MUX system for unit 2 will be essentially the same as the MUX system for unit 1, except for the requirement to interface with only two computer systems and that it will have a different number of RMUs.

The MUX systems will be high-speed data multiplexers connected via redundant data highways to a redundant set of communication controllers. All field inputs, both class 1E and non-class 1E, will be connected to the remote multiplexing units (RMUs) either directly or through qualified 1E isolators as required in accordance with NUREG-0737, supplement 1 (reference 1). The RMUs will transmit digitally coded information to, or receive digitally coded commands from, the redundant communication controllers (CCs) by means of redundant data highways.

The redundant CCs will control the interrogation of RMUs and the transmission of data along the redundant data highways. The CCs will also control the allocation and transfer of data to the memories of the computer systems. The CCs will likewise control commands initiated by the computers and transmitted to the appropriate RMUs.

All RMUs located outside of the main plant buildings, i.e., the RMUs at the primary and backup meteorological towers, will use radial fiber optic data links to the CCs.

The primary purpose of the MUX system is to provide the emergency response facilities, including SPDS, plant process, and radiation and dose assessment computer systems with a highly reliable plant status database that contains the current status of all input variables which are indications of plant parameters, and overall plant safety and normal operation status.

The MUX system will perform all data multiplexing and processing functions:

o All analog and digital signal scanning
o Reference junction compensation and linearization
o Square root extractions
o Data validation via input comparisons
o Data scaling and averaging
o Arithmetic and logic functions
o Engineering units conversion
o Time tagging, storage, and transmission of both fast transient and sequence of events inputs

2.1.2 Computer Systems

The computer systems include the emergency response facilities computer systems (ERFCS), the plant process computer systems (PPCS) for each unit, and the radiation release and offsite dose assessment computer system (RRDACS). The unit's SPDS is the main control board display portion of the ERFCS.

The unit 1 ERFCS will consist of redundant computers, designated unit 1 ERFCS computer A and unit 1 ERFCS computer B. The unit 2 ERFCS will consist of redundant computers, designated unit 2 ERFCS computer A and unit 2 ERFCS computer B.

The computer system will develop and transmit the time-varying portions for all of the safety assessment system (SAS) displays on the SAS primary and secondary colorgraphics CRTs. Data for the static portion of the displays (termed the template) will reside in the CRT.

2.1.3 Availability

The PINGP SPDS has a high availability goal. A study which quantitatively assesses system availability is currently underway to determine that this goal has been met. This study includes appropriate support system considerations which may impact SPDS availability such as power supply and HVAC failures.

2.2 Levels of Display

2.2.1 Definition of SPDS Displays

The PINGP safety assessment system (SAS) uses a primary and a secondary set of displays to present all graphical information for the plant emergency response facility (ERF). The primary set consists of 21 displays. Only the primary displays are available to the control room operators on the primary (main control board) CRT. All primary and secondary displays are available on each of the three secondary CRTs, which are also located in the main control room (see figure 2-1 for CRT locations in the main control room).

The SPDS portion of the PINGP SAS consists of 18 of the 21 primary displays. These 18 displays are interrelated and are arranged in a hierarchy consisting of one group of top-level and two groups of lower-level displays. All of the primary displays available on the primary (main control board) CRT are selectable from a dedicated-function keypad.

There are three top-level displays, one for each reactor operating mode, which provide an overview of plant safety status in each operating mode in terms of key plant parameters. A typical top-level display is shown in figure 2-2.

[FIGURE 2-1--CRTs control room locations. Floor plan of the unit 1 control room showing the NIS console, control board panels, supervisor's office, and SPDS CRT positions. NOTE: SPDS CRT locations shown are typical to both units.]

[FIGURE 2-2--Typical top-level display. Legible labels: CPU SOURCE; NORMAL OPERATION; 03/22/83 12:53:03; CRITICAL SAFETY FUNCTIONS (SUBCRITICAL, RCS INTEGRITY, RCS INVENTORY, CORE COOLING, HEAT SINK, CONTAINMENT); AIDS; REACTOR COOLANT; STEAM GENERATORS; CONTAINMENT; SECONDARY RADIATION; parameter labels including TAVE, T-COLD, PRESS, PRZR LEVEL, POWER, CORE EXIT TEMP (T/C), REACTOR VSL LEVEL, SUBCOOL, RADIATION, SUMP LEVEL, and AIR EJECT.]

The lower level displays consist of nine trend graph displays and six critical safety function (CSF) monitor displays.

The trend graph displays provide time-varying plots of most of the key parameters on the top-level displays.

The CSF monitor displays are functionally the same as the CSF status trees in the emergency operating procedures (see section 1.4).

Each of the top-level displays, except the cold shutdown display, contains a set of CSF monitor blocks which will provide information on specific CSF conditions depending upon the nature of developing abnormal conditions and the specific plant safety functions involved.

The evaluation of adequacy of the PINGP SPDS parameter set in section 3.0 addresses all of the parameters monitored and displayed on these 18 displays.

2.2.2 Relationship of Accident Identification and Display System (AIDS) Displays to SPDS Displays

There are three additional lower-level displays available to the operators on the primary CRT. These are the accident identification and display system (AIDS) displays which provide detailed status information for parameters involved in optimal recovery procedures.

AIDS is a cognitive model that analyzes the response of plant parameters and graphically depicts an evaluation for loss of coolant (LOCA), steam generator tube rupture (SGTR), and loss of secondary coolant (LOSC). The model uses weighting factors for parameters for each event and combines individual parameter responses into vertical bar heights--one for each event. A complete description of the AIDS concept is included in NUREG/CR-3114 (paper 5), reference 10.

AIDS is outside the scope of SPDS requirements. For the purposes of this analysis, therefore, the AIDS bar indicators and displays are not considered a part of the PINGP SPDS, and no credit is taken for any of the parameters monitored and displayed exclusively on AIDS. However, because the AIDS bar indicators and associated displays will be available to the operators on the primary CRT, the following provisions will be made to ensure that AIDS will not compromise the intended function and use of the PINGP SPDS.

The software providing parameter status information via AIDS bar indicators and associated displays will be subject to the same validation testing requirements as the SPDS hardware and software. Alarm limits for AIDS parameters will be chosen to be consistent with existing control room alarm limits in the same manner as the SPDS parameter alarm limits. Furthermore, the AIDS displays will be subject to the same human factors design criteria as the SPDS displays. The parameter status information provided on the lower-level AIDS displays, therefore, will meet the same specifications as that provided on the top-level and lower-level SPDS displays.

Operator training will be conducted and administrative controls will be in effect to ensure that operators understand the AIDS algorithms and the relationship to the PINGP SPDS. The availability of AIDS on the primary CRT will not present the operators with misleading information, nor otherwise impair the use and function of the SPDS.

2.3 Human Factors Design Considerations

This section describes the human factors design considerations followed to provide an effective information display system for the PINGP SPDS. An interdisciplinary team of operations, control and instrumentation, and human factors engineers were involved in the definition, creation, and review of the formats to ensure a set of user-oriented displays consistent with the requirements of supplement 1 to NUREG-0737, the functional criteria of NUREG-0676, and the general human factors guidance of NUREG-0700. This program included a simulator evaluation at the Indian Point 2 plant (reference 11).

2.3.1 Features

The display formats are designed with low information densities and include that information required to support the task activity of the user. Further, the color scheme is designed to reduce the visual dominance of the static background information. Extensive use of demarcation lines is employed to separate classes of data or parameters. Four different colors are used on the trend graphs for differentiation and association.

Simple display formats are provided to reinforce user recognition of plant status. Vertical bar level indications are easy to associate with parameter values or magnitudes of a parameter, as most control boards contain vertical meters. A red (off-normal)/green (normal) color is used to fill the vertical bars on top-level display.

As numerous alarms already exist in the control room, the use of alarms on the SPDS display system is kept to a minimum. Once an alarm has been set, the alarm then is placed in a dead band to eliminate alarm chatter or reoccurrence should the value causing the alarm oscillate around the violation point.

Arrangement consistency is an important factor in display design and is a feature of the SAS displays. Certain areas of data (date, time, display titles, critical safety function, AIDS, message, etc.) always appear in the same area in related formats. This is done to assist user identification of data appearing on multiple displays.

The data or information groups are located on the display by importance. Generally, the groups are ordered in a top-to-bottom and left-to-right ranking, with the most important data at the top or on the left of the display. Additionally, the critical safety function, AIDS, and message areas remain on all primary CRT displays, to prompt the user that a status change has occurred.

The quality of information being displayed to the user is also presented. Should a caution exist concerning the validity of data, the numerical value is displayed in yellow rather than red (off-normal) or white (normal). If all sensors providing data for a parameter fail, or are taken out of scan, the digital value for the parameter is replaced by a yellow "FAIL." In no case, whether it be a colored bar or target, or even a digital value, is the display void; it is presented to the user for a system operation reference.
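The alarm dead band and the data-quality coding described above, as an added Python example (not code from the report or from the SAS software). The setpoint, the dead-band width, the averaging of redundant sensors, and the rule for when a "caution" exists (a sensor missing, or redundant readings disagreeing by more than a tolerance) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass
class DeadbandAlarm:
    """High alarm that, once set, clears only below (setpoint - deadband)."""
    setpoint: float
    deadband: float          # assumed width; the report gives no value
    active: bool = False

    def update(self, value: float) -> bool:
        if not self.active and value >= self.setpoint:
            self.active = True
        elif self.active and value < self.setpoint - self.deadband:
            self.active = False
        return self.active


def alarm_transitions(values: Sequence[float], setpoint: float,
                      deadband: float) -> int:
    """Count alarm state changes (set or clear) over a series of samples."""
    alarm = DeadbandAlarm(setpoint, deadband)
    changes, previous = 0, alarm.active
    for value in values:
        state = alarm.update(value)
        if state != previous:
            changes += 1
        previous = state
    return changes


def render_value(readings: Sequence[Optional[float]], alarm: DeadbandAlarm,
                 max_spread: float) -> Tuple[str, str]:
    """Return (text, color) for one parameter's digital value.

    readings: one entry per redundant sensor; None means failed or out of scan.
    max_spread: assumed tolerance for disagreement between good sensors.
    """
    good = [r for r in readings if r is not None]
    if not good:
        # All sensors failed: the value is replaced, never left blank.
        return ("FAIL", "yellow")
    value = sum(good) / len(good)            # assumed combination rule
    in_alarm = alarm.update(value)
    caution = len(good) < len(readings) or (max(good) - min(good)) > max_spread
    if caution:
        color = "yellow"                     # validity caution outranks red/white
    elif in_alarm:
        color = "red"                        # off-normal
    else:
        color = "white"                      # normal
    return (f"{value:.1f}", color)


# Constructed samples: a value oscillating around a setpoint of 100.0.
OSCILLATING = [99.5, 100.2, 99.8, 100.1, 99.7, 100.3, 97.9, 99.0]

if __name__ == "__main__":
    print("transitions without dead band:",
          alarm_transitions(OSCILLATING, 100.0, 0.0))
    print("transitions with 2.0 dead band:",
          alarm_transitions(OSCILLATING, 100.0, 2.0))
    print(render_value([101.0, None], DeadbandAlarm(100.0, 2.0), 5.0))
```

With the dead band the oscillating series produces one set and one clear instead of a set or clear on nearly every sample, which is the chatter the report describes.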

A predetermined set of time versus level trend graphs and a parameter vs parameter graph are provided to compare and gain historic data about functionally related sets of parameters. A 30-minute (two hours for the heatup/cooldown mode display) history is provided on each trend plot.

Extensive use of graphic symbology or presentations is used on the SPDS displays. Standard or relatable symbols are used to the maximum practical extent. By using a 512 by 512 pixel colorgraphic CRT, symbol-set, color and line clarity are achieved. With the high-resolution display and sharpness provided, high levels of object/background and object/object discrimination can be obtained. Visual coding techniques of color and pattern recognition are used effectively.

2.3.2 Graphic Coding

Pattern and coding techniques are extensively used to portray status in a graphic form for rapid user recognition.

2.3.2.1 Pattern Coding

As previously mentioned, bar charts were selected as the means of presenting primary status indications. This technique allowed for a range of value indication and a form comprehended by the user.

The predetermined trend graphs, mentioned in section 2.3.1, are provided for historic information over a 30-minute period. These time versus level trend graphs allow for comparison of functionally related sets of variables. Up to four variables are presented on a single graph. Each variable on a graph is assigned a specific color. To aid color-impaired users and provide a redundant coding dimension, each variable on a trend graph has a corresponding bar graph to the left of the trend graph.

Trend arrows are used in conjunction with mode and AIDS parameter digital values and provide immediate value direction information.

Lines are used to annotate setpoint locations and ranges on the bar charts. This provides an indication to the user as to parameter proximity to a setpoint.

Rather than displaying a value on a patch of color when it is out of limits or off-normal, outlining of the value using a colored box is employed to highlight the off-normal condition.

2.3.2.2 Color Coding

Color coding is used only to enhance changes in status, and to aid differentiation and association. Color is used in a consistent manner (green is always used to portray normal or acceptable conditions) and in a restrained manner; only seven colors plus a black background are used.

The use of color is backed up by a redundant code. Status or information is obtainable should a color gun fail or an operator suffer from a visual color imbalance, by providing an alternate means (location, digital values, etc.) of gaining the same data.

The use of color employed a structured approach. To present status information the following conventions are used:

o Red - off-normal, immediate action, loss of function
o Orange - prompt action, potential loss of function
o Yellow - failure or caution (sensor related), loss of redundancy; action may be needed
o Green - normal

Color usage on the trend graphs was used for differentiation and association, because of the four parameter trends on a graph and also to relate a bar level to a trend line. White, green, orange, and cyan are used.

Beige color was used for demarcations, titles, graduations, static values, and text information.

White was used because of its attention getting value over beige and for dynamic digital values and event/message data.

2.3.3 Display Access

The SPDS displays are available on two types of display terminals: a primary CRT and a secondary CRT.

The primary CRT, normally used by the control board operators, is provided with a function keypad that allows for rapid and error-free display requests. The function key access scheme--one button, one display--also provides a layout configuration reflecting the display structure or hierarchy. The type and number of SPDS displays available on the primary and secondary CRTs are discussed in detail in section 2.2.

A primary display hierarchy is used to present information at four levels of detail or content:

o Top level
o Critical safety function
o AIDS (not part of SPDS)
o Parameter trend graphs

Levels of display are also discussed in section 2.2.

The secondary CRT is configured to access additional displays. In this capacity most functions are called up via multiple keyboard commands on a standard keyboard. These functions provide for both data manipulation and display requests.

2.3.4 Control Room Location

The primary CRTs (one per unit) are located on the main control boards. While the secondary CRTs are readily accessible to the shift supervisors at their emergency work stations, they will also have visual access to the primary CRTs. The primary CRTs will not interfere with the normal movement of the control room operations crew, and will not interfere with visual access to other control room systems as they are mounted at eye-level in the control board.

The SPDS displays are readable from a minimum angle of 45° between operator line-of-sight and the plane of the display screen and the critical top-level data is readable to a distance of 15 feet (see figure 2-1 for control room locations of CRTs).

2.4 Verification and Validation Program

The verification and validation (V&V) program for the Prairie Island safety parameter display system (SPDS) is in accordance with the guidance of NSAC 39. The safety-related aspects of the SPDS design will satisfy the requirements of ANSI N45.2.11-1974.

The SPDS is a subsystem of the emergency response facility. As such, its V&V program will satisfy the objectives of NUREG-0696, "Functional Criteria for Emergency Response Facilities." All V&V activities will be performed by individuals who are independent from the design effort and have sufficient experience and expertise to properly evaluate the various activities which affect the final design and installation of the SPDS.

Activities covered by the V&V plan include the design and installation phases. A separate V&V plan for operations will be developed to ensure that all changes to the SPDS after initial operation are properly verified and validated.

2.4.1 Definitions

Verification is the demonstration of the consistency, completeness, and correctness of each stage of the development of a project on the basis of fulfillment of all requirements imposed by the previous stage. Validation is the demonstration of the correctness of the final system as determined by testing against overall functional, performance, and interface requirements.

The essential idea of verification is stage-by-stage confirmation of the design, while validation refers to overall testing of the final product. The V&V process is intended to provide an overall check that all requirements are met and that the system will operate satisfactorily.

2.4.2 V&V Activities

Specific areas which will be covered by V&V activities are:

o System requirements document verification
o Design and procurement specification verification
o Hardware and software specification verification
o Hardware and software development verification
o System validation testing
o Post-installation field verification testing
o Fast transient study
o Availability study

For each of the above V&V activities, qualified personnel will be assigned to perform the activities required to ensure that all applicable design basis requirements are factored into the design and that the design is complete, correct, and unambiguous.

An interim report will be issued at each phase of the V&V process, wherein all discrepancies will be identified and resolved. A final V&V report will summarize the results of each activity, and document the completion of any corrective actions which may have been required.

The system requirements document for the ERF computer system will consist of statements taken from the system requirements analysis for ERF computer systems.

Since the systems requirements analysis deals with criteria for both the ERF computer system and the multiplexing system, it will be necessary to select those criteria which relate to the computer system.

There will be some criteria which will apply to both the ERF computer and the multiplexer and which will, therefore, appear in two requirements documents.

Also, if there is doubt as to whether a criterion applies to the computer or multiplexer, it shall be included in both documents.

2.4.3 Relationship Between QA and V&V

The V&V efforts of the V&V program are independent of any quality assurance (QA) requirements which may be imposed elsewhere.

As part of the V&V effort, the V&V team may elect to employ QA procedures, forms, or personnel. Such election would be for convenience and cost-effectiveness of the V&V effort and would not impose additional QA requirements nor compromise any QA requirements of the specification.

3.0 SELECTION AND EVALUATION OF SPDS INPUT PARAMETERS

Evaluation of the parameter set for the PINGP SPDS began with a review of the emergency operating procedures (EOPs) (reference 4).

The EOPs include optimal recovery guidelines (ORGs), emergency contingency actions (ECAs), critical safety function (CSF) status trees, and function restoration guidelines (FRGs).

Other SPDS design and plant-specific documentation were also examined to provide a second source of input to the PINGP parameter set review process.

The results of this evaluation show that the PINGP implementation of the generic SAS specifically addresses the PINGP plant design and the needs of PINGP operations personnel.

Evaluation criteria are discussed in the following subsection.

3.1 Evaluation Criteria

The objective of this safety analysis report is to describe the basis upon which the set of input parameters to be monitored by the PINGP SPDS has been determined to be sufficient to assess the safety status of each of the given critical safety functions over the spectrum of normal, off-normal, and accident plant conditions.

In order to provide an adequate assessment of safety status, both the type and number of parameters monitored and the range monitored for each displayed parameter must be sufficient to determine the maintenance or accomplishment status of each critical safety function for a wide range of events, including severe accidents and all modes of reactor operation.

3.1.1 Basis for Determining Adequacy

The principal basis for determining adequacy of the SPDS parameter set is compatibility with the EOPs. The EOPs have been revised to take into consideration the reanalysis of transients and accidents required by NUREG-0737, item I.C.1 (see section 1.4) and are designed to improve the operator's ability to mitigate the consequences of a broad range of initiating events and subsequent multiple failures or operator errors.

The EOPs address operator errors by checking the effects of directed operator actions and providing guidance when operator actions are unsuccessful.

The EOPs are organized to improve the operator's ability to mitigate adverse consequences for various situations.

For specifically diagnosed events, ORGs and ECAs are used.

For specifically diagnosed events where multiple or sequential failures place an ongoing transient in the domain beyond where event-oriented procedures may be reliable guides and for events which have not been specifically diagnosed, the symptom-oriented EOPs (CSF status trees and FRGs) are available.

As discussed in section 1.4, the establishment of compatibility with the symptom-oriented EOPs ensures coverage of a wide range of events and accidents.

The PINGP updated safety analysis report (USAR) (reference 5), the technical specifications (reference 12), the generic SAS SPDS parameter set (reference 2), results of various Nuclear Safety Analysis Center (NSAC) reports (references 13 through 15), and the AIF generic PWR SPDS set (reference 16) were also used to establish adequacy of the SPDS parameter set.

The principal bases for determining adequacy of the ranges of the monitored parameters are compatibility with the ranges and alarm setpoints provided by existing control room instrumentation for all modes of reactor operation and compatibility with ranges and setpoints identified in the EOPs.

3.1.2 Selection and Evaluation Process

3.1.2.1 Review of EOPs

The set of PINGP SPDS parameters was reviewed against the current version of PINGP-specific emergency operating procedures (EOPs).

The objective of the review was to determine whether the PINGP parameter set is adequate for the operators to assess the maintenance and accomplishment of the critical safety functions, and the effectiveness of contingency actions taken to restore or maintain the CSFs.

The parameters were reviewed against the FRG entry conditions associated with critical safety function assessment and all other parameters from the symptom-oriented EOPs directly related to safety function assessment.

All EOP CSF status tree parameters, hence FRG entry conditions, are monitored and displayed on the SPDS.

The parameter set was then reviewed for consistency against the PINGP USAR and technical specifications.

3.1.2.2 Review of PINGP USAR and Technical Specifications

The PINGP USAR and technical specifications were reviewed for information regarding the maintenance and accomplishment of each CSF during all modes of reactor operation.

This review included the following, as applicable:

o System design bases and performance characteristics
o Transient and accident analyses
o Characteristics of various modes of operations
o Alarm limits
o Technical specification bases

The results of this review are discussed in sections 3.2 and 3.3.

3.1.2.3 Comparison with SAS Group SPDS Parameter Set

The parameter set for the PINGP SPDS was compared with the minimum SPDS parameter set developed by the Ad Hoc Committee for Instrument Systems, Safety Assessment Systems Project, a group of Westinghouse PWR owners of which NSP is a member utility. The PINGP SPDS parameter set includes all of the SAS minimum group SPDS parameters.

3.1.2.4 Comparison with NSAC Studies and AIF SPDS Parameter Sets

The parameter set for the PINGP SPDS was compared with the SPDS parameter sets recommended by NSAC and the AIF.

The NSAC (reference 13) set was derived by checking against WASH 1400 sequences and observing the number of times each parameter was a potential indicator of plant status.

The indicators were classified as leading, secondary, possible misleading, or negligible response indicators for the various sequences.

The AIF set (reference 16) was developed by using formal parameter selection criteria: detection, leading indicator, plant safety functions, radioactive barrier, direct measurement, reliability, and applicability under diverse plant conditions.

Selected parameters were evaluated against the selection criteria in a predefined logic.

The PINGP SPDS parameter set includes all of the AIF SPDS parameters and all of the NSAC SPDS parameters which serve as leading indicators for the events analyzed except reactor coolant system flow rate, pressurizer relief tank level, containment temperature, volume control tank level, letdown flow rate, and control rod position.

According to the NSAC study (reference 13), reactor coolant system flow rate is recommended to indicate loss of generator and subsequent failure to relay the plant loads to offsite power and failure to establish conditions for natural circulation.

In the case of loss of the main generator, trip of the reactor coolant pumps, which occurs on undervoltage, would provide similar indication and is monitored by the PINGP SPDS.

According to the PINGP EOPs, establishing and maintaining natural circulation and determining if adequate cooldown is accomplished are accomplished without the use of RCS flow indication.

Conditions which support or indicate natural circulation, according to PINGP EOPs, include reactor coolant subcooling greater than 10°F, steam generator pressure stable or decreasing, hot leg temperature stable or decreasing, core exit temperature stable or decreasing, and cold leg temperature near the saturation temperature for steam generator pressure.

All these parameters are monitored and displayed on the SPDS.

Pressurizer relief tank level was recommended by NSAC to indicate pressurizer safety relief valve position.

As an SPDS parameter, this only provides indication as to the possible cause of a reactor coolant system integrity breach.

Since this is primarily used for diagnostics and because primary indicators of reactor coolant system integrity are available on the PINGP SPDS, this parameter is not displayed on the PINGP SPDS.

It is, however, available on the LOCA AIDS display and could provide supplemental information, as discussed in section 2.2.2.

Containment temperature is also only monitored and displayed on the AIDS displays, but it is not a primary indicator of CSF status. Volume control tank level and letdown flow rate were recommended by NSAC as leading indicators of CVCS performance and are not primary indicators of CSF status.

Control rod position is recommended by NSAC to indicate reactor protection system (RPS) performance.

The primary indicators of RPS performance, as well as adequate core subcriticality, are neutron flux and decreasing flux, both of which are monitored and displayed on the PINGP SPDS.

Control rod position is not monitored by the PINGP SPDS, but is adequately displayed via rod bottom indicating lights and position indicators which are prominently displayed next to the primary CRT on the main control board.

3.1.2.5 Presentation of Results

The PINGP parameters selected for monitoring each of the five critical safety functions identified in NUREG-0737, supplement 1, are listed in attachment 1.

Section 3.2 provides a discussion of these parameters by critical safety function.

Each parameter set is discussed in terms of:

o The parameters which provide primary status indication for the critical safety function
o The systems and procedures which may be used to restore or maintain the critical safety functions within safe limits, and the parameters associated with monitoring these systems and procedures, and
o The parameters associated with monitoring the status or result of operator emergency actions to restore the plant to within safe limits

The analog ranges of displayed parameters are listed in attachment 2.

Section 3.3 provides a discussion of the ranges monitored and displayed on the PINGP SPDS.

Parameter ranges are discussed in terms of compatibility with existing control room instrumentation and adequacy for monitoring and responding to a wide range of events, including symptoms of severe accidents.

3.2 Type and Number of Parameters Required to Assess Each CSF

3.2.1 Reactivity Control

As discussed in section 1.3, one of the critical safety functions associated with maintaining the fuel clad barrier intact is reactivity control, i.e., the control of energy release in the fuel.

For all modes of normal plant operation the primary indication of core reactivity is neutron flux, which is monitored and displayed on the SPDS.

For normal heatup, cooldown, and power operation, neutron flux information is provided in appropriate units of counts per second or percent power.

The SPDS provides neutron flux information via appropriate use of fission chamber detectors and associated electronics which monitor the entire power range identified in section 3.3.

This range covers the source range (SR) in units of counts per second, intermediate range (IR) in percent power units, and average power range (APR) in percent power units.

For the cold shutdown display, neutron flux information is provided in a trend graph format.

For off-normal or accident conditions, the primary means of maintaining reactivity control is reactor subcriticality.

The EOP CSF status tree associated with maintenance of subcriticality was developed to provide general surveillance of the maintenance of subcriticality and direct operator guidance to appropriate FRGs, if required, to maintain adequate subcriticality.

The full range flux and IR startup rate are displayed on the CSF status tree display.

Decreasing IR flux rate provides additional information for assessing the adequacy of subcriticality maintenance and whether or not subcriticality is being achieved at an appropriate rate.

3.2.2 Reactor Core Cooling and Heat Removal from the Primary System

Adequate core cooling and heat removal from the primary system ensure fuel cladding temperatures remain below failure limits.

In order to assess adequate core cooling, coolant inventory, coolant temperature, level of subcooling, and primary system heat sinks must be monitored.

Inadequate coolant inventory is a consideration in core cooling.

To ensure an adequate coolant inventory exists in the primary system, the operator must be cognizant of reactor vessel and pressurizer water levels.

Adequate vessel level ensures the core is covered and adequate pressurizer level ensures a total coolant inventory is properly maintained.

Both of these levels are monitored and displayed by the SPDS.

Reactor vessel level is monitored and displayed for all normal operating modes and for use in conjunction with the EOP CSF inventory status tree.

Pressurizer level is monitored for all normal operating displays, except cold shutdown, and for use with the EOP CSF inventory status tree.

Both pressurizer and vessel level are available in trend graph format.

Primary indicators of core cooling include coolant temperature and level of subcooling.

For normal power, heatup, and cooldown operations, core exit, cold leg, and hot leg temperatures are monitored to provide core exit, cold leg, and coolant average temperature indications.

Level of subcooling is also indicated in these modes.

For cold shutdown, core exit temperature is monitored.

For off-normal and accident conditions, core exit temperature, level of subcooling, vessel water level, and reactor coolant pump status are monitored for use in conjunction with the EOP CSF core cooling status tree.

These variables provide indication of the core thermodynamic state and the degree to which core cooling is accomplished.

Level of subcooling and core exit and cold leg temperatures are also available in trend graph format.

The main heat sink for the primary system consists of two steam generators.

If the steam generators are receiving adequate flow, are not overpressurized, and have sufficient inventory, then an adequate heat sink exists.

For normal power, heatup, and cooldown plant operating modes, steam generator level and pressure are monitored and displayed.

For off-normal or accident conditions, steam generator level and pressure and auxiliary feedwater flow are monitored for use in conjunction with the EOP CSF heat sink status tree.

Steam generator pressure and level are also available in trend graph format. Additionally, steam flow is monitored and displayed in trend graph format in order to provide indication of potential steam/feed flow mismatch which may lead to a reduced capacity of the heat sink.

For cold shutdown, decay heat is removed using the manually initiated residual heat removal (RHR) system. RHR system flow and heat exchanger inlet and outlet temperatures which indicate the performance of this heat sink are monitored and trend graph displayed for this mode of operation.

3.2.3 Reactor Coolant System Integrity

In order to assess the reactor coolant system integrity function, the operator must be cognizant of the potential for breach of integrity, indication that a breach may have occurred and status of actions taken to mitigate the potential for breach of integrity.

Parameters for monitoring the potential for breach of the reactor coolant system integrity include reactor coolant system pressure, reactor coolant system temperature, and cold leg temperature.

Parameters for monitoring the actual breach of the reactor coolant system include reactor coolant system pressure, reactor vessel and pressurizer levels, containment radiation, containment pressure, containment sump level, steam generator blowdown radiation, and condenser air ejector radiation. All of these parameters are available on trend graph displays.

Breach of reactor coolant system integrity can occur due to overpressurization or excessive thermal stress.

Reactor coolant pressure is monitored and displayed for all operating modes.

Improper vessel cooldown and adverse reactor coolant system pressure and temperature combinations which may cause a breach of coolant system integrity are monitored and displayed in conjunction with the EOP CSF integrity status tree.

This tree depicts pressure and temperature combinations beyond which excessive thermal stress may occur. Monitored parameters for this status tree are reactor coolant system pressure and cold leg temperature.

Detection that a breach has occurred will be indicated by various parameters depending on the location and magnitude of the breach.

Decreasing reactor coolant pressure, reactor vessel level, and pressurizer level will indicate a breach.

Increasing containment pressure, radiation, and sump level will indicate the coolant is exiting into containment.

Increased steam generator and condenser air ejector radioactivities indicate coolant is exiting through steam generator tubes into the secondary side.

3.2.4 Containment Conditions

In order to assess the status of containment integrity, the operators must be cognizant of the potential for breach of integrity and the status of actions taken to mitigate the potential for breach of integrity.

Containment conditions monitored which indicate a possible threat to integrity include containment pressure, sump level, and radiation.

The primary threat to containment is from overpressurization which could cause a breach of containment.

Sump level is monitored to indicate the potential for flooding which would render important containment cooling and depressurization equipment inactive.

Radiation, which does not pose a threat to containment integrity directly, is monitored to assess the magnitude of potential consequences of a breach and the need to ensure proper isolation of containment.

All these parameters are monitored and displayed on the SPDS.

Additionally, containment pressure, sump level, and radiation are available in trend graph format.

3.2.5 Radioactivity Control

In order to assess the status of the radioactivity control function, all major identified release points must be monitored.

The principal radioactive release point during normal, off-normal, and accident conditions is the main stack.

The SPDS monitors main stack activity.

Containment radiation level is also monitored by the SPDS to enable the operators to assess the potential for releases resulting from accidents.

As discussed in section 3.2.3, radioactivity that could be released through the steam generators to the secondary side is monitored by the steam generator blowdown and condenser air ejector radiation monitors.

The containment, steam generator blowdown, and condenser air ejector activities are monitored and indicated on the SPDS for power, heatup, and cooldown modes of operation, and are also trend graphed.

The main stack is monitored and indicated on the SPDS in a trend graph format. All trend graphs for these potential release points are overlaid on the same display.

3.3 Parameter Ranges

The results of the parameter range evaluation are presented in attachment 2.

Analog signals which provide input to the SPDS are identified with their corresponding ranges and applicable reference documents which identify the basis for the range.

In general, all ranges monitored by the SPDS are identical to those in the control room and envelope system design criteria, EOP entry conditions, and plant responses to design basis accidents, transients, and ATWS responses.

Ranges which extend well beyond those obtainable for the above considerations are installed in response to NUREG-0737 criteria.

Neutron flux information is provided in the range of 10^-10 percent to 200 percent of reactor power.

Full range monitors with SR, IR, and APR outputs are used with sufficient overlap of ranges to provide this information.

As discussed in the ATWS analysis in chapter 14 of the USAR, the most limiting case of reactor power increase occurs for an uncontrolled rod cluster control assembly bank withdrawal at full power without a reactor trip.

For this transient, power level will not exceed 113 percent due to Doppler effect and moderator feedback.

This power level is within the monitored range of up to 200 percent.

IR startup rate is monitored from .5 to 5 decades per minute (dpm).

This range more than adequately covers the positive or negative startup rate considerations for the subcriticality CSF status tree.

Pressurizer level and reactor vessel level are monitored and displayed from 0 to 100 percent of capacity.

Core exit temperature is monitored and displayed over a range of 32 to 2,300°F.

This range adequately envelopes indication of reactor coolant saturation or superheat conditions for design and maximum technical specification pressure limits of the reactor coolant system.

This range includes the 700°F setpoint required to drive the core cooling CSF status tree indication of superheat conditions.

Additionally, it also includes the core cooling CSF status tree setpoint of 1,200°F which indicates a potential core dryout condition.

Cold and hot leg temperatures are monitored from 50 to 700°F, which encompasses the cold leg temperature setpoints of 166, 230, and 260°F identified on the CSF integrity status tree and adequately envelopes indication of reactor coolant saturation or superheat conditions for design and maximum technical specification pressure limits of the reactor coolant system.

Average reactor coolant temperature, which is based on cold and hot leg temperatures, is displayed over the same range.

Level of subcooling is a derived parameter based on coolant temperature and pressure and is displayed from 200°F subcooling to 100°F of superheat.

This subcooling range extends well beyond the CSF core cooling status tree setpoint of 50°F subcooling.

Parameter inputs for subcooling include core exit temperature and coolant system pressure, both of which have adequate ranges as discussed elsewhere.

Steam generator level is monitored and displayed over its entire capacity of 0 to 100 percent.

Steam generator pressure is monitored and displayed from 0 to 1,400 psig.

This range covers the heat sink CSF tree setpoints of 1,090 and 1,129 psig, extends beyond the steam generator secondary side design pressure of 1,085 psig, and extends beyond the highest safety-valve relief setpoint of 1,131 psig.

Normal and auxiliary feedwater flows are monitored from 0 to 4.47 x 10^6 lbs/hr and 0 to 200 gpm, respectively.

Steam generator steam flow is also monitored and displayed from 0 to 4.47 x 10^6 lbm/hr.

These flow rates are on a per-loop basis, same for each loop.

Both the normal feedwater and steam flow rates monitored and displayed exceed the steam generator steam flow rate at full load of 3.54 x 10^6 lbm/hr.

The auxiliary feedwater flow rate is monitored to the design capacity of the turbine and motor-driven auxiliary feedwater pumps, as well as the CSF heat sink status tree setpoint of 200 gpm.

RHR system flow is monitored and displayed from 0 to 6,000 gpm which exceeds the total system design flow rate of 4,000 gpm.

RHR heat exchanger inlet and outlet temperatures are monitored from 100 to 400°F which exceeds the RHR system startup temperature of 350°F and meets, at the upper end of the range, the RHR system design temperature of 400°F.

Pressurizer pressure and reactor coolant loop pressure are monitored from 1,700 to 2,500 psig and 0 to 3,000 psig, respectively.

These are combined to provide a reactor coolant pressure display of 0 to 3,000 psig.

Both monitored ranges exceed the design pressure rating of 2,485 psig for the reactor coolant system and the CSF core cooling status tree range of 0 to 2,500 psig.

The reactor coolant loop range additionally exceeds the maximum allowable technical specification transient pressure limit of 2,735 psig.

These monitors also encompass the CSF integrity status tree setpoints.

Containment pressure is monitored and displayed from -5 to 200 psig and exceeds containment design pressure of 46 psig.

This range also exceeds the design basis accident maximum for a double ended pipe break of 42.5 psig.

These wide range pressure monitors provide indication of up to four times design pressure, in accordance with NUREG-0737.

As identified in the USAR, section 7.10.1.a, this range extends over the maximum expected range of the parameter being measured for the accident events of chapter 14.

Containment sump level is monitored and displayed from 0 to 144 inches.

This range is consistent with that identified in USAR section 7.10, "Post-Accident Monitoring Instrumentation Requirements," and provides indication of an equivalent capacity of 300,000 gallons.

This range also exceeds the CSF containment status tree setpoint of 8 feet (96 inches) which corresponds to the combined volumes of the refueling water storage tank, accumulators, reactor coolant system, and one-half of the condensate storage tank.

The range that containment radiation is monitored over is .1 to 1 x 10^4 mR/hr for normal conditions and 1 to 10^7 R/hr for accident conditions.

The entire displayed range is 10^-4 to 10^7 R/hr.

This range encompasses the 10 R/hr setpoint for the CSF containment status tree and meets the requirements of NUREG-0578, as identified in section 7.10.2.6 of the USAR.

Steam generator blowdown radiation and air ejector radiation are monitored and displayed from 10 to 10^6 counts per minute.

These ranges are sufficient to detect a primary to secondary system leak.

The alarm level for the steam generator blowdown equals the maximum permissible concentration (MPC) allowed in the discharge canal and is within this range.

Main stack activity is monitored and displayed from .1 to 10^7 mR/hr.

This monitor samples from the shield building ventilation and continuously monitors effluent from the shield buildings during normal and accident conditions.

During accident conditions, the auxiliary building ventilation also exhausts into the shield building and any activity from the auxiliary building is detected by this monitor.

3.4 Selection of SPDS Alarm Limits

Alarm limits for SPDS parameters are determined by reviewing the USAR, emergency procedure documentation, and plant design considerations for limiting safety system settings and other limiting values of the parameters, as appropriate.

The setpoint for each SPDS parameter is selected to provide indications consistent with existing plant alarm limits and the EOP setpoints.

3.5 Reactor Mode Indication

The SPDS will be operational during all reactor operating modes, i.e., power operation, startup operation, hot shutdown, cold shutdown, and refueling shutdown.

Three dedicated top-level displays are provided to cover the above operating modes and include a power operation, heatup/cooldown, and cold shutdown top-level display.

3.6 Provisions for Validation of SPDS Data

The displayed value of each SPDS parameter is determined by processing one or more plant signals. Valid/invalid indications are provided for SPDS parameters and are determined through systematic consideration of the type and number of signals available for each parameter.

A displayed variable which consists of a single analog input signal is generally determined to be valid or invalid based only on a validation table comparison check of the high and low limits.

If the data is out of range, the parameter is failed, and the digital value on the display is replaced by "FAIL" in yellow.

For two sensor inputs for a given parameter, both sensor input data are checked against the validation table limits.

Three different situations can occur:

1. One sensor is rejected in range checking. The data for the remaining one sensor is taken as the parameter data. Since only one sensor's data is left, it is defined to be in an "Alert" condition and the parameter data is displayed in yellow.

2. Both sensors are rejected in range checking. The parameter will be displayed as a failed parameter, i.e., displayed "FAIL" in yellow.

3. No sensor has been rejected. The average of the two sensors' data will be displayed as the parameter data. There is another test for the "Alert" condition for this situation. If the two sensor data are spread too wide, more than 10%, it is considered an "Alert" condition.

For a number of sensor inputs greater than 2, the sensor inputs are checked against validation table range limits.

If fewer than 3 sensors remain unrejected, the data will be checked as described earlier for one or two sensor inputs.

If more than 2 sensors are left unrejected, the data will be verified with Chauvenet's criterion.

If any of the data is rejected, the data will be tested in the way described for one, two, and three sensor inputs depending on the number of unrejected data.

The test will be terminated if no data is rejected against Chauvenet's criterion.

Chauvenet's criterion is a simple rejection criterion that accounts for effects of sample size, N, and the deviation of a sample from the mean (reference 2).

Chauvenet's criterion allows a sample to be rejected if the probability is less than 1/(2N) that deviations from the mean equal to or greater than the sample deviation can occur.

This probability is computed by integrating the normal distribution from the negative difference of the sample value and mean value to the positive difference of the sample value and mean value.

If a sample is rejected, a new mean is recalculated, and the criterion is applied again to the remaining valid data.


In all signal test cases, rejected signals are displayed on the channel malfunction display, which provides information in text format identifying which signal or signals were rejected. This display is available only on the secondary CRT, and is, therefore, not a part of SPDS. It does, however, provide for rapid diagnosis of signal malfunctions affecting the SPDS.
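The validation sequence of this section (range check, the one- and two-sensor rules, then repeated Chauvenet rejection), written out as an added Python example; it is not code from the SPDS or from this report. Assumptions not stated in the report: the 10% spread is taken as a fraction of the validation-table span, the standard deviation is the population form, only the most deviant sample is tested per Chauvenet pass, and a parameter with more than two surviving sensors displays their average. The 50 to 700°F limits are the cold leg temperature range from Attachment 2; the readings are constructed.

```python
import math
from statistics import fmean, pstdev

SPREAD_LIMIT = 0.10  # "more than 10%"; ASSUMED to be a fraction of the table span


def chauvenet_outlier(values):
    """Index of the most deviant sample if Chauvenet's criterion rejects it, else None."""
    n = len(values)
    mean, sd = fmean(values), pstdev(values)  # population sd: an assumption
    if sd == 0.0:
        return None  # identical readings, nothing to reject
    idx = max(range(n), key=lambda i: abs(values[i] - mean))
    z = abs(values[idx] - mean) / sd
    # Probability of a deviation at least this large:
    # 1 - (normal integral from -d to +d) = erfc(z / sqrt(2)).
    tail = math.erfc(z / math.sqrt(2.0))
    return idx if tail < 1.0 / (2 * n) else None


def validate(readings, low, high):
    """readings: {channel: value}. Returns (display value, status, rejected channels)."""
    # Range check against the validation-table limits (NaN fails both comparisons).
    good = {ch: v for ch, v in readings.items() if low <= v <= high}
    rejected = [ch for ch in readings if ch not in good]
    # More than 2 sensors left: apply Chauvenet repeatedly until nothing is rejected.
    while len(good) > 2:
        chans = list(good)
        idx = chauvenet_outlier([good[c] for c in chans])
        if idx is None:
            return fmean(good.values()), "VALID", rejected  # average: assumed
        rejected.append(chans[idx])
        del good[chans[idx]]
    if not good:
        return None, "FAIL", rejected  # shown as "FAIL" in yellow
    if len(good) == 1:
        # A lone survivor of a redundant set is an Alert; a single-input
        # parameter that passes its range check is simply valid.
        status = "VALID" if len(readings) == 1 else "ALERT"
        return next(iter(good.values())), status, rejected
    a, b = good.values()
    status = "ALERT" if abs(a - b) > SPREAD_LIMIT * (high - low) else "VALID"
    return (a + b) / 2.0, status, rejected


if __name__ == "__main__":
    LOW, HIGH = 50.0, 700.0  # cold leg temperature range, deg F
    cases = [  # constructed readings
        {"A": 547.0, "B": 548.0, "C": 547.5, "D": 560.0},
        {"A": 547.0, "B": 900.0},
        {"A": 500.0, "B": 600.0},
        {"A": -10.0, "B": 900.0},
    ]
    for readings in cases:
        print(readings, "->", validate(readings, LOW, HIGH))
```

With the sample (N-1) standard deviation, the largest deviation possible in a set of 3 or 4 readings is (N-1)/sqrt(N) standard deviations, which never reaches the 1/(2N) rejection threshold, so the criterion could not reject a channel at those set sizes; that is why the population form is assumed here.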


4.0 PRELIMINARY 10 CFR 50.59 SAFETY EVALUATION

This evaluation analyzes the proposed function, design, installation, and operation of the Safety Parameter Display System (SPDS) to ensure that SPDS implementation does not involve an unreviewed safety question.

The objective of the evaluation is to justify that: 1) the probability of occurrence or the magnitude of the consequences of an accident or malfunction as previously evaluated in the USAR will not be increased, 2) the possibility of an accident or malfunction of a different type than those previously evaluated in the USAR has not been created, and 3) the margin of safety as defined in the bases of any technical specification will not be decreased by the addition of the SPDS.

4.1 Function and Design of SPDS

The SPDS will provide a concise display of critical plant parameters to the control room personnel to aid them in rapidly and reliably determining the safety status of the plant. The SPDS will be operated during normal operations, as well as during abnormal conditions. The principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant. The SPDS will continuously display real-time information in the control room from which the plant safety status can be readily and reliably assessed by control room personnel.

The SPDS, however, is not a safety system and it will perform no active safety function. The existing control room instrumentation provides the operators with the information necessary for safe reactor operation under normal, transient, and accident conditions. The SPDS will be used in addition to the existing instrumentation and will serve to aid and augment it. For these reasons, Supplement 1 to NUREG-0737 directs that the requirements applicable to control room instrumentation are not needed for this augmentation. The SPDS need not meet the requirements of the single-failure criteria and it need not be qualified to meet Class 1E requirements.

4.2 SPDS Installation

The SPDS installation process does not involve an unreviewed safety question for the following reasons:

o Portions of the installation which could compromise safe operating conditions will be accomplished during scheduled outages. Strict administrative controls will be in force to ensure that none of the safety systems required to maintain the plant in a safe condition will be compromised.

o All work interfacing with existing safety-related equipment will be performed and documented in accordance with NSP uniform modification procedures.

o SPDS calibration and thru-channel checks will be designed such that they cannot degrade Class 1E systems.

o Prior to SPDS startup, the operators will be trained on the system, existing system documentation will be updated, and post-installation/modification testing will be performed to ensure that the system will not affect any safety-related functions.

4.3 SPDS Operation

The validation and field verification portions of the V&V program provide for comprehensive testing and documentation of test results to ensure the proper functioning of the SPDS is in accordance with the design, functional and procurement specifications. The SPDS will be designed and tested to comply with Class 1E isolation criteria to assure that the performance of safety system functions will not be adversely affected. No technical specifications changes are expected to be required for the operation of the SPDS. The SPDS need not be seismically qualified, and additional seismically qualified indication is not required for the sole purpose of being a backup for the SPDS.

The operation of the SPDS will require plant signals to be input from existing instrumentation and control circuitry; therefore, the SPDS is required to be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems. The electrical isolation and seismic and environmental qualification provisions in the SPDS design will ensure that neither the normal operation (including testing and calibration) nor the periodic failure of any SPDS components will prevent existing instrumentation and control equipment from performing its safety-related function.

The graphic design of the display and the location of the SPDS terminals in the control room will be human-factor engineered. Validation provisions will be designed into the SPDS software for each input signal. The human factors and signal validation provisions in the SPDS design will ensure that the monitoring and presentation of plant safety status information will not be misleading to the operators. Display conventions such as ranges, units, and color coding will be consistent. Indication of unvalidated or invalid data will be provided.

The SPDS implementation is subject to an extensive verification and validation (V&V) program which follows the guidance of NSAC 39. The verification portion of the V&V program will provide an independent review to verify that:

o All interfaces with existing safety-related and non-safety related equipment have been properly identified,

o The proper design standards have been invoked,

o The applicable design requirements have been properly implemented in the design, functional, and procurement specifications.

The operation of the SPDS will not degrade operators' performance because, in addition to the human factors considerations included in the design, the operators will be trained in procedures which describe the timely and correct safety status assessment when the SPDS is and is not available. Operating procedures will be written to preclude the operator from taking actions based solely on SPDS display information. The operating procedures will require that all operator actions affecting the safety of the plant be based on information which has been confirmed using the existing control room indicators. The operators will also be trained to respond to accident conditions both with and without the SPDS available.

Therefore, no transient or accident analytical results in the USAR will be affected by either the operation or the failure of the SPDS, nor will the potential be increased for a malfunction or accident of a different type than those previously described in the USAR.

4.4 Conclusion

The probability of occurrence or the magnitude of the consequences of an accident or malfunction as previously evaluated in the USAR will not be increased. The possibility of an accident or malfunction of a different type than those previously evaluated in the USAR has not been created. The margin of safety as defined in the basis of any technical specification will not be decreased by the implementation of the SPDS.

The following is provided as justification for the above:

o The SPDS will perform no active safety function, and the provisions described in this section will be in force to ensure that the installation, operation, or failure of the SPDS will not degrade the performance of existing safety systems.

o The potential for operator error will not be increased because the presentation of SPDS data will be consistent with existing control room indication, thorough training will be provided with and without the SPDS available, and no emergency action can be taken based on SPDS data alone.

Based on the above evaluation of the function, design, installation, and operation of the Safety Parameter Display System (SPDS), it is concluded that no unreviewed safety question is involved with the SPDS implementation.

5.0 SUMMARY AND CONCLUSIONS

This safety analysis report was prepared in response to section 4 of supplement 1 to NUREG-0737 (reference 1). This SAR describes the methodology and basis on which the plant parameters selected for monitoring on the PINGP SPDS have been determined to be sufficient to assess the overall safety status of the plant in terms of the following five critical safety functions:

o Reactivity control

o Reactor core cooling and heat removal from the primary system

o Reactor coolant system integrity

o Containment conditions

o Radioactivity control

The PINGP SPDS parameter set was first evaluated based on a review of the symptom-oriented emergency operating procedures (EOPs). The parameter set was then evaluated against the PINGP USAR, technical specifications, SAS simulator-tested parameter set, NSAC-recommended parameter set, and the AIF-recommended parameter set for sufficiency in terms of the type and number of parameters monitored to assess each safety function, and the range of plant conditions covered by the parameters. The final parameter set covers all FRG entry conditions associated with critical safety function assessment, and includes all variables recommended by the SAS group for the SPDS.

On the basis of this review and evaluation process, the PINGP parameters are considered to be compatible with the PINGP EOPs and sufficient to assess plant safety over a wide range of conditions, including the symptoms of severe accidents and all modes of reactor operation.

The function, design, installation, and operation of the PINGP SPDS were also analyzed in accordance with the provisions of 10 CFR 50.59, and it was concluded that no unreviewed safety question is involved with the SPDS implementation at PINGP.

6.0 REFERENCES

1. NRC Letter, Supplement 1 to NUREG-0737 - Requirements for Emergency Response Capability (Generic Letter No. 82-33), December 17, 1982.

2. "Functional Design Specification for SAS Software (Proprietary)," prepared by Quadrex Corporation for the Ad Hoc Committee on Instrumentation Systems, Safety Assessment System Project, revision 2, May 1982.

3. "Safety Assessment System User Implementation Guide," QUAD-7-82-010, revision 0, prepared by Quadrex Corporation for the Ad Hoc Group of the Westinghouse Owners Group (WOG) Subcommittee on Instrumentation, May 1982.

4. Prairie Island Nuclear Generating Plant, "Emergency Operating Procedures."

5. Prairie Island Nuclear Generating Plant Updated Safety Analysis Report (USAR), revision 1, December 1982.

6. M. J. Hitchler, et al., "NUREG-0578 2.1.9.c Transient and Accident Analysis," WCAP-9691, Westinghouse Electric Corporation, March 1980.

7. Letter from D. Musolf, NSP, to Director, NRC, "Supplement 1 to NUREG-0737, April 15, 1983 Response to Generic Letter 82-33, Emergency Operating Procedures Generation Package Submittal," May 31, 1983, docket numbers 50-282 and 50-306.

8. NRC letter, safety evaluation of "Emergency Response Guidelines," (Generic Letter No. 83-22), June 3, 1983.

9. Letter from O. D. Kingsley, WOG, to D. G. Eisenhut, NRC, "Transmittal of Volume III for the High Pressure Version of Emergency Response Guidelines," January 4, 1983 (OG-83).

10. R. A. Newton, et al., "Using Cognitive Modeling to Improve the Man-Machine Interface," NUREG/CR-31]t, paper 5, August 1982.

11. "Safety Assessment System Evaluation Program Report," prepared by Quadrex Corporation and Inpsych for the Ad Hoc Committee on Instrumentation Systems, Safety Assessment System Project, May 20, 1982.

12. Prairie Island Nuclear Generating Plant, "Technical Specifications, Units 1 and 2," docket numbers 50-282 and 50-306, revision 67, December 1983.

13. A. R. Buhl, et al., "Nuclear-Plant Safety-Parameter Evaluation by Event Tree Analysis," NSAC-8, October 1980.

14. J. C. Robinson, et al., "A Parameter Set for a Nuclear-Plant Safety Console," NSAC-10, November 1980.

15. B. W. Johnson, "Accident Sequences for Design, Validation, and Training," NSAC-40, April 1982.

16. Letter from David G. Cain, NSAC, to AIF subcommittee on safety parameter integration, Parameter Selection Work Group, subject: SPDS Minimum Parameter Set, July 3, 1980.

ATTACHMENT 1

SPDS CRITICAL SAFETY FUNCTIONS AND ASSOCIATED MONITORED AND DISPLAYED PARAMETERS

| CRITICAL SAFETY FUNCTION | MONITORED PARAMETER | DISPLAYED PARAMETER | TREND GRAPHED |
|---|---|---|---|
| Reactivity Control | (SR, IR, & APR Monitor) Power | (SR, IR, & APR Monitor) Power | X |
| | IR Startup Rate | IR Startup Rate | |
| | Reactor Trip Status | Reactor Trip Status | |
| Reactor Core Cooling and Heat Removal From the Primary System | Reactor Vessel Level | Reactor Vessel Level | X |
| | Pressurizer Level | Pressurizer Level | X |
| | Core Exit Temperature | Core Exit Temperature | X |
| | Cold Leg Temperature | Cold Leg Temperature | X |
| | Hot Leg Temperature and Cold Leg Temperature | Reactor Coolant Average Temp. | X |
| | Reactor Coolant Pump Status | Reactor Coolant Pump Status | |
| | Core Exit Temperature and Reactor Coolant Pressure | Level of Subcooling | X |
| | Steam Generator Level | Steam Generator Level | X |
| | Steam Generator Pressure | Steam Generator Pressure | X |
| | Auxiliary Feedwater Flow | Auxiliary Feedwater Flow | |
| | Steam Generator Steam Flow | Steam Generator Steam Flow | X |
| | RHR System Flow | RHR System Flow | X |
| | RHR Heat Exchanger Inlet Temp. | RHR Heat Exchanger Inlet Temp. | X |
| | RHR Heat Exchanger Outlet Temp. | RHR Heat Exchanger Outlet Temp. | X |
| Reactor Coolant System Integrity | Reactor Coolant Loop Pressure and Pressurizer Pressure | Reactor Coolant System Pressure | X |
| | Cold Leg Temperature and Hot Leg Temperature | Reactor Coolant Average Temperature | X |
| | Cold Leg Temperature | Cold Leg Temperature | X |
| | Reactor Vessel Level | Reactor Vessel Level | X |
| | Pressurizer Level | Pressurizer Level | X |
| | Containment Radiation | Containment Radiation | X |
| | Containment Pressure | Containment Pressure | X |
| | Containment Sump Level | Containment Sump Level | X |
| | Steam Generator Blowdown Rad. | Steam Generator Blowdown Rad. | X |
| | Condenser Air Ejector Radiation | Condenser Air Ejector Radiation | X |
| Containment Conditions | Containment Pressure | Containment Pressure | X |
| | Containment Sump Level | Containment Sump Level | X |
| | Containment Radiation | Containment Radiation | X |
| Radioactivity Control | Main Stack Radiation | Main Stack Radiation | X |
| | Containment Radiation | Containment Radiation | X |
| | Steam Generator Blowdown Rad. | Steam Generator Blowdown Rad. | X |
| | Condenser Air Ejector Radiation | Condenser Air Ejector Radiation | X |

ATTACHMENT 2

SPDS PARAMETER RANGES

| DISPLAYED PARAMETER | DISPLAYED RANGE | BASIS FOR RANGE |
|---|---|---|
| Reactor Power (SR, IR, and APR Monitor) | [illegible] to 10 [exponent illegible] cps (SR); 10 [exponent illegible] to 200% (IR); 0 to 125% (APR) | USAR, Section 14.8.3.5; CSF Subcriticality Status Tree |
| IR Startup Rate | .5 to 5 dpm | CSF Subcriticality Status Tree |
| Reactor Vessel Level | 0 to 100% | CSF Core Cooling and Inventory Status Tree |
| Pressurizer Level | 0 to 100% | CSF Inventory Status Tree |
| Core Exit Temperature | 32 to 2,300°F | CSF Core Cooling Status Tree; Technical Specifications, Section 2.2 |
| Cold Leg Temperature | 50 to 700°F | CSF Integrity Status Tree |
| Hot Leg Temperature (1) | 50 to 700°F | CSF Integrity Status Tree |
| Level of Subcooling | 200°F Subcooled to 100°F Superheat | CSF Core Cooling Status Tree |
| Steam Generator Level | 0 to 100% | CSF Heat Sink Status Tree |
| Steam Generator Pressure | 0 to 1,400 psig | CSF Heat Sink Status Tree; USAR, Table 4.1-5 and Section 11.4.1 |
| Normal Feedwater Flow | 0 to 4.47 x 10^6 lbs/hr | USAR, Table 4.1-5 |
| Auxiliary Feedwater Flow | 0 to 200 gpm | CSF Heat Sink Status Tree and USAR, Table 11.1-1 |
| Steam Generator Steam Flow | 0 to 4.47 x 10^6 lbs/hr | USAR, Table 4.1-5 |
| RHR System Flow | 0 to 6,000 gpm | USAR, Table 10.2-9 |
| RHR Heat Exchanger Inlet and Outlet Temperatures | 100 to 400°F | USAR, Table 10.2-9 |
| Reactor Coolant Loop Pressure (Displayed as Reactor Coolant Pressure) | 0 to 3,000 psig | USAR, Table 4.1-2; Technical Specifications, Section 2.2; and CSF Integrity Status Tree |
| Pressurizer Pressure (Displayed as Reactor Coolant Pressure) | 1,700 to 2,500 psig | USAR, Table 4.1-4 |
| Containment Pressure | -5 to 200 psig | USAR, Sections 5.2.1.1, 7.10.1, 7.10.2.1, and 5.4 |
| Containment Sump Level | 0 to 144 inches | USAR, Section 7.10.2.3 and CSF Containment Status Tree |
| Containment Radiation | .1 to 10 [exponent and unit illegible]/hr; 1 to 10 [exponent illegible] R/hr | CSF Containment Status Tree; USAR, Section 7.10.2.6 |
| Steam Generator Blowdown Radiation | 10 to 10 cpm [exponents illegible] | USAR, Sections 7.5.2.1.a.2 and 7.5.2.13 |
| Condenser Air Ejector Radiation | 10 to 10 cpm [exponents illegible] | USAR, Section 7.5.2.6 |
| Main Stack Effluent | .1 to 10 [exponent and unit illegible]/hr | USAR, Section 7.5.2.14 |

Footnotes:

(1) Not a directly displayed parameter; drives the average reactor coolant temperature indication.