ML20093M658
| ML20093M658 | |
| Person / Time | |
|---|---|
| Site: | Catawba  |
| Issue date: | 10/18/1984 |
| From: | Tucker H DUKE POWER CO. |
| To: | Adensam H, Harold Denton Office of Nuclear Reactor Regulation |
| References | |
| NUDOCS 8410230104 | |
| Download: ML20093M658 (10) | |
Text
r-DuxE POWER GOMPANY P.O. BOX 33180 CHARLOTTE, N.C. 28242 m B. MEM 7,L,,,oy, E=[,2b October 18, 1984
(*3 8*"
Mr. Harold R. Denton, Director Office of Nuclear Reactor Regulation U. S. Nuclear-Regulatory Commission Washington, D. C.
20555 Attention:
Ms. E. G. Adensam, Chief
-Licensing Branch No. 4
Subject:
Catawba Nuclear Station Docket Nos. 50-413 and 50-414
Dear Mr. Denton:
Inla letter dated ~ September 14, 1984,.the.NRC provided the results of a review of the Catawba Safety Parameter Display System submittal and requested that Duke respond,to several items identified during the review. The Duke response for Catawba is contained in the attachment to this letter.
Very truly yours, czl
.x Hal B. Tucker JSW: sib Attachment
- cc:
Mr. James P. O'Reilly, Regional Administrator U. S. Nuclear Regulatory Commission Region II 101 Marietta Street, NW, Suite 2900 Atlanta, Georgia 30323 Mr. P. K. Van Doorn
-NRC Resident _ Inspector Catawba Nuclear Station Dr. K. N. Jabbour, Project Manager Division of Project Management Office of Nuclear Reactor Regulation U. S.-Nuclear Regulatory Commission Washington, D. C.
20555 8410230104 841018 e/
PDR ADOCK 05000413
//
P PDR
DUKE POWER COMPANT~
l CATAWBA NUCLEAR STATION-RESPONSES TO NRC REQUESTS FOR ADDITIONAL INFORMATION ON THE SAFETY PARAMETER DISPLAY SYSTEM october 18, 1984
'The Safety Parameter Display System (SPDS) has been installed on Catawba Unit 1 operator aid computer and has been operational since May 30, 1984.
INSTRtBIENTATION AND CONTROL SYSTEMS INFORMATION 420.01 Isolation Devices (Provide the following:
a.
For each-type of device used to accomplish electrical isolation, describe the specific testing performed to demonstrate that the device.is acceptable for its application (s).
This description should include elementary diagrams when necessary to indicate the test ~ configuration and how the maximum credible faults were applied to the devices.
b.
Data to verify that the maximum credible faults applied during the test were-the maximum voltage /ourrent to which the device could be exposed,.
and define how the maximum voltage /ourrent was determined.
I o.
Data to verify that the maximum credible fault was
[
applied to the output of the device in the transverse mode (between signal and return) and other faults l
were considered (i.e., open and short circuits).
r d..
Define ~ the pass / fail acceptance criteria for each type of device.
e.
Provide a commitment that the isolation devices comply with the environmental qualifications (10CFR 50.49) and with the seissio qualifications which were the basis for plant licensing.
i l
f.
Provide a description of the measures taken to j
protect the safety systems from electrical interference (i.e.,
Electrostatic Coupling,
- EMI, l
Common Mode and Crosstalk) that may be generated by j
the SPDS.)
l~
i-I.
DUKE POWER COMPANY CATAWBA NUCLEAR STATION SPDS RESPONSES Dotober 18, 1984:
Page 2-Res.ponse:
The' Catawba Safety Parameter Display System is installed on the existing operator aid computer system and uses the same inputs. provided as part of the original plant design and utilize previously NRC
' reviewed electrical isolation techniques, as described Catawba FSAR Sections 7 1.2.2 and 7 2.1.1.8. Incorporation of existing OAC inputs into the
- SPDS, therefore, introduces no additional
- exposure, challenges, or failure modes to safety system interfaces. As such Duke Power does not feel it is necessary to provide the volumnous information required to respond to the above questions. The SPDS is installed on existing equipment which is connected to safety systems through existing isolation devices and methods which meet or exceed the requirements in effect for the station during its design.
c HUMAN FACTORS ENGINEERING INFORMATION
'620.01' Human Factors Program (Provide a description of the display system, its human factored design, and the methods used and results from a human factors program to ensure that the displayed information can be readily perceived and comprehended so as not to mislead the operator.)
SPDS System Description The SPDS provides the control room operators with an overview of the station operation during all normal and emergency operating conditions through the monitoring of the six Criti-cal. Safety Functions as defined by Westinghouse in their Emergency Response Guidelines.
The SPDS display system installed at Catawba is as described in our response to supplement 1 to NUREG-0737 submitted on April 14, 1983 by H.
B. Tucker's letter to H. R. Denton. It was developed in house i
using over ten years experience in implementing color graphic i-plant computer display systems.
Additional human factors j
guidance was obtained from various EPRI, NRC, and INPO docu-i monts.
The six critical. safety functions are displayed on the alarm l
video as shown on attachment one (1) and updated on a five l-second frequency.
The status of each CSF oan readily be l
determined from any location in the control room horseshoe
(
area.
The importance of the status for each function is defined by - the color of the block for a particular CSF.
Following is a description of the importance for each color.
1.
Green - The critical safety function is satisfied and no operator action is required.
DUKE POWER COMPANY CATAWBA NUCLEAR STATION SPDS RESPONSES October 18, 1984 Page 3 2.
Yellow - The CSF is not fully satisfied and operator action may eventually be needed.
3 Orange - The CSF is under severe challenge and prompt operator action is necessary.
4.
Red - The CSF is in jeopardy and immediate operator action is required.
a 5.
Magenta - Safety function is indeterminate due to an invalid input.
During normal operation the six blocks should be green and non-blinking.
If a status should change to any other condi-tion, the change will be alarmed on the alarm video as well as documented on the alarm typer, and the appropriate function block will begin to blink and remain blir. king until the condition returns to normal or is acknowledged. If a function block is already in alarm and the status changes to any other alarm condition, the block will change to the new status color, remain or - begin blinking, and the change will be alarmed on the alarm video as will as documented on the alarm typer.
I Supporting Displays In addition, supporting displays have been implemented on the OAC (plant computer) to provide the operator, shift technical advisor, and shift supervisor with additional levels of detail to allow them to determine the exact nature and causes of SPDS alarms. These supporting displays inchde the Westinghouse Status Trees with true paths automatically highlighted.
Additionally, alpha-numerio display lists are provided to l
allow the operator, shift technical advisor, and shift super-visor to determine which plant field inputs are in alarm and thereby causing the CSF to be in alarm.
l Other operator aid computer CRT displays are available to the operator, STA, and shift supervisor such as plant process and power systema dynamic graphic schematics, saturation monitor graphic, alarm summary table, systems input lists, etc. for their use in monitoring plant systems status.
l l
Human Factors Review Program l
The SPDS and supporting displays were reviewed by the Control Roca Review Team which had been trained on human factors. This review team also contained a human factors engineering consul-tant.
A human factors review and evaluation of the SPDS display system was performed to ensure that the system provides I
I
_ _,-...~. _. _ _ -
..~...
DUKE POWER COMPANY CATAWBA NUCLEAR STATION SPDS RESPONSES October 18, 1984 Page 4 direct, readily usable information organized in an effective format to support operator task, requirements.
The human factors review was conducted _in two separate activities:
(1) a task analysis conducted during the display system develop -
ment and (2) a human factors survey of the implemented displays.
Task Analysis-The task analysis activity of the SPDS human factors evalua-tion -was conducted using the control board mockup which had '
been fabricated for use in the task analysis activity of the Control Room Design Review (CRDR).
An event scenario was developed using the plant emergency procedures and the West-inghouse Emergency Response Guidelines. The scenario provided an ordered framework of a set of possible response to an initiating event against which the system was evaluated.
From the event scenario, plant parameter inputs to the SPDS logic were identified.
Values for these parameters were developed consistent with plant conditions for several select-ed time intervals during the duration of the scenario.
Selected time intervals were chosen to be one minute intervals from initiation until 5 minutes after initiation, and 10 minute intervals from 10 minutes into the scenario until 30 e
minutes after initiation.
r The SPDS logic output states were determined for each time interval using the specific plant parameter values.
Photo-graphic slides were then produced for each time -interval to represent. how each SPDS and supporting display would appear for that time interval.
A walk-through of the event scenario was performed by a task analysis team consisting of a senior reactor operator and a mechanical / nuclear systems engineer. During the walk-through, 4
the operator performed the task actions required while the engineer served as observer.
In addition, several other members of the Control Roon Review Team served as observers and slide coordinators.
The proper time aequenced slides for the SPDS display were projected onto the SPDS display CRT mockup to simulate the action of this display during the scenario. Slides represent-ing the proper display for any of the secondary supporting displays at a particular time interval were projected onto the supporting display CRT mockup in response to operator command, simulating the call-up feature of the supporting display system.
The usability and effectiveness of the displays were evaluated by the task analysis team using a set of pre-selected task analysis principles.
These principles covered such items as w
,,.,.,,,,,,--,,.,.--w-,,
.,--,--i,.%,,
w.,
,,wr m,,
>w ee.--,-=e--,--.,-----,,-4,r-
,-,----.--,--we,-,--
t ii.
r k.
DUKEiPOWER COMPANY Y 3-CATAWBA NUCLEAR STATION-
.SPDS RESPONSES October 18, 1984 Page;5-
~ ! h pogical ordering of displays, terminology and abbreviations, labeling, coding, usability of displayed information, and operator task support. In general, the task analysis activity evaluated the SPDS and supporting displays to determine if the displays provided a logical, readily usable format to support the following operator tasks:
Monitor Critical Safety Function Status (CSF) t.
Observe CSP status changes Determine which CSF is degraded Determine severity of degradation Identi.fy component / functional area out-of-tolerance y Determine which confirming displays and restoration procedures to use Monitor restoration progress Monitor remaining CSF status during restoration Human Factors Survey l
/ human factors survey of the actual SPDS atu secondary L
supporting displays as implemented on the control room CRT displays was performed.
During the survey the control room i
CRT displays and the operator keyboard were used to call-up, observe, and review each separate display.
In addition, the displays were reviewed during a simulated alarm condition.
t4 Thel survey evaluated the format and arrangement of the G
displays and the operator keyboard interface using applicable survey principles from the Control Room Survey Principles j~
Checklist which was derived from NUREG-0700 for use in the f_
P CRDR.
These principles covered areas -such as color, usage, r
. character height, room lighting and glare, presentation of e
i1 data, labels and coding, operator message presentation, and the arrangement and use of the operator keyboard interface.
Easults The results from both the task analysis activity and the human factors survey were documented in the form of recom3endations for design, changes to the SPDS and secondary supporting displays.
These recommendations concerned items such as audible alarming upon a change of-CSF status, the addition cf 3
CSF status blocks to the bottom of the supporting displays in addition to those on the primary SPDS display, alarm message format,- display. function button position on the operator-keyboard, and double., spacing of lists for readability.
The human factors recommendations from each review activity were resolved and the required changes to the SPDS display system were implemented.
In summary the human factors review activities determined that the SPDS and supporting displays and the operator interface
(
=_ _
DUKE POWER COMPANY CATAWBA NUCLEAR STATION SPDh RESPONSES October 18, 1984 Page 6 provided readily usable and easily comprehended information in an effective format to support operator task requirements.
4 620.02 Data validation
. (Dssoribe the specific methods used to validate data displayed in the SPDS. Also describe how invalid data is defined to the operator.)
The logic which drives the SPDS display utilizes redundant inputs on critical. parameters. These inputs are logically combined to provide conservative alar min 6, such that the tendency will be toward more alarms. However, maintenance programs provide high levels of availability for SPDS inputs.
Further, each computer analog input is continuously monitored for over and under range conditions, scan lookout, and out of service status. Digital input - power fuses are monitored. The SPDS logic is designed such that any failed input as monitored above is displayed to the operator.
When an input involving a function becomes invalid (blown fuse, over/under ranged, out of service, etc.) but the CSF status can still be determined from the. remaining inputs, an alara indicating an invalid input for the -particular function affected will be displayed and documented.
If the invalid input affects the determination of the status, the above alarm will be output along with a second alarm indicating the particular CSF affected is indeterminate.
Also, the affected CSF block will change to magonta indicating an indeterminate et adition and remain in this state until the p
invalid input can be correct.ed or until the input is looked out to a known valid value or status. If the CSF's status abould change to one in which the input does not affect determination, then the CSF block will change to the appropri-ate color for that status.
Ongoing Data Yalidation Programs Es;.sar signal validation in nuclear power plants has been historically confined to limit checks on individual sensors, averages of redundant sensors, or the detection of outlyers among a group of redundant sensors. Duke Power is currently working closely with other utilities on a Utility Advisory Group formed to provide project direction to EPHI Research Project RP-2292-1, " Validation and Integration of Critical PWR Signals". The purpose of the project is to develop a method-ology and a system of computer software for on-line validation of signals for use in nuclear power plants. The project scope is specifically aimed at validation of signals which input to a Safety Parameter Display System.
~-
4 DUKE POWER COMPANf CATAWBA NUCLEAR STATION SPDS RESPONSES october 18, 1984
'Page 7 Using advanced signal validation techniques deve7oped in previous EPRI ' projects,.the specific objectives of this.
project are to develop, ' qualify, and field test a set of software modules for the validation and integration of SPDS signals.
.The signal validation software will provide a validated signal, associated quality tag, and error message for each signal (variable).
Where sufficient physically redundant instrumentation is available, simple algorithms to ocebine the signals to produce the best estimate of the variable will'be provided. When physically redundant instru-mentation is not available, the signals are validated using analytic redundancy.
Analytio redundancy uses available signals and component or system mathematical models to provide an estimate of the variable.
An important goal of the project as a whole is a high degree of utility involvement in the requirements definition, the system design review and test results review to insure that the project results will satisfy the needs of the utilities.
Duke Power is hopeful that the project will produce practical signal validation techniques that potentially can be retro-fitted into.the Catawba Safety Parameter Display Systems.
620.03 Verification and Validation-Program (Define and discuss the Verification and Validation Program Plan which was used in. the development of the SPDS.
- Also, describe results to date from the Verification and Validation Program, and the corrective actions taken to address identi-fled design deficiencies.)
The Catawba SPDS design was developed by the Nuclear Produc-tion Department's Instrument and Electrical section using the Westinghouse Emergency Response Guidelines as well as Duke's 4
plant specific implementation of this systoa.- Nuclear Produo-tion's. Reactor Safety section performed numerous detailed reviews of the the SPDS logic as it was developed to ensure current plant safety and other systems. functions were appropriately acnitored by the logic. Numerous revisions were made to the logic due to the evolving nature of the Westinghouse ERG's as well as Duke's implementation of the ERG's. Other groups including the station operating staff, 9
nuclear production general office personnel, design engineering's Safety Review and Analysis, and the control room review team reviewed the SPDS design as it evolved through various stages.
The completed logic was then independently reviewed by Design 9
Engineering's - Electrical Division to test all logic combina-tions, verify computer input selection, setpoints, and curves.
This group also reviewed the assembly language codes as
. installed on the operator aid computer and performed static tests on'the OAC by inserting selected values into the OAC's
DUKE POWER COMPANY
' CATAWBA NUCLEAR STATION SPDS RESPONSES October 18, 1984 Page 8 SPDS logic to verify proper cperation. No discrepancies were found on the Catawba SPDS during this portion of the V & V.
(The Catawba SPDS design was derived from McGuire's SPDS which had already undergone its own Y & Y, deficiencies detected and corrected).
e i
---v--
m---e n-----
,. e
. -- -.- - -, - - -nw-
~a-.a.n_n,,-.
--v,..--.
,,,,. +
c-,.,,.-,,
=
7-
'+.
ATTACHMENT 1 ALARM VIDEO LAYOUT WITH SAFETY PARAMETER DISPLAY 1
1 1
1 1
1 1
1 1
1 2 2 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5 5 6 6 6 6 6 6 6 6 6 6 7 7
0 1234 56 7 690 I ? 3 4 5 6 7 8 9 0 1 2 3 456 7 8 9 01 2 3 4 5 6 7 8 9 0 123 G 78901234 5 678 9,0123 4 56 7 8 9 0 1
[4S 0
0249 9 H l NC
. D 3 A l N
_ TAN _ K 2_ BLA N KET
_ PR E S_S'U.R E 1
2 A 0l>7_2 8Ci_~~DE G _F LD__ U Pld SU(G5~T5hK 1~k I[i((k3P 3
4 01 30 8 HI L_0__P_ RESS _.H EATE R F3-LEV E.1 6
A005 4 64 2
DE!G F
LD HOTJ E LL PM'P DI SC'H AR GE_B E ADE R TEM )
7 I
8 D055 5 H I/ LIO' G EN H2 P R E S SUR E 9
l l
l 10 D'0Gs 2 H
I M01 5 TURE 9F P' ARA TD R DRN T NK R Y IF 1 Fi 11 l
l 12 A089,6 GPM LD CF PUM'P A
13 l
1 ll l
l 1
l 14 DD4 33' E NE R_
H I Cl C OND AME!RTA P E!MER.G'E N CY 15 l
l l
1 1I l
l B A ClKVA 5 H D/P____
ll 16 D05 72 H
I SM BYIP TO 00'L4E_DRN V!LV S B55 D R'N-POT L VL 17 ll l
l l
l l
l 18 D04 23 T RO:U;8 LEl POVE A'BL E D EiTE OTO R E A'R DW ARE 19 l
l l
l 20 D2 f> l 5
$B
_ 0WN FUS E B) A 1 D 207 4 21 l
1 I
l l
p DD65;6.
HI i
~
IS[T_SIG_
QJN T1K B2 _1 E VK L l
l I
23 ll 24 D:1.9 10; Q
_C F'PT IA O' l L_REME l.l R.._kVL l
J 2s li i
26 D2B 18t ii i
!40.1 5 TU RE SEP4 RATOR VESS EL Al LEV E L 27 l
l 23
- Ajj_18, 8'l DEG F
- ll__,
3 'l N C ) RE 29 l
[
l
..LMS T_3 10M_I EM E_ 3 30 Dl 3 $3 L ;0_
2 ND STG DRN TNK B1 LE V E L I
31 l
ll 32 D2 3 16 i l' M0J 5 T VRE S E1P / RATO R VE SB EL._p2__ LEV E'l 33 I
I I
I l
34 D05 73 i t' S H 3 YP TO CQiLQR4 VLV S'B60 DRN P CT L /!L I
l.'
35 36 005 55 LO 2ND S TG D,RN' I i K B2 LE V E L 37 l
l 38 D25 3'5 H il HIR E
BL E E.D ST H D%.L VL /
NE 1 5 DRf1 PO:T
- EVE L_
39 i
l 40 SUBC R ftT CORE COO L HEA 1 S l 4K i
C l NTED C01 TA 'I N N
C I N VEN 41 ll 42 iI 43 44 HH EN C M EG l
45 NC li S
H d 46 RC 47 R/
S M VV MC 1
1 1
1 1
1 1
1 1
1 2 2 2 2 2 2 2 2 2 2 3 3 33 3 3 3 3 3 34 4 4 4 4 4 4 4 4 4 5 5 5 5 5 s55 5 56 6 6 6 6 6 6 6 7 7 5 6 7 8 9h 12 3 4 5 6 7 8 9 012 3 4 5 6 7 8 9012 3 4 5 6 7 8 9 01 0
1 _23 4,5 6 7 8 90 1 2 3 4,56 7 89 0 1 2 3 4 56 7 8 9 0 1234 i
New 6/29/84 m
m.
.