ML20098C665

Safety Parameter Display Sys for Comanche Peak Steam Electric Station Units 1 & 2,Emergency Response Facility Computer Sys,Sar
Person / Time
Site: Comanche Peak
Issue date: 09/19/1984
From:
TEXAS UTILITIES ELECTRIC CO. (TU ELECTRIC)
To:
Shared Package
ML20098C654 List:
References
NUDOCS 8409270108


Text

SAFETY PARAMETER DISPLAY SYSTEM FOR COMANCHE PEAK STEAM ELECTRIC STATION

UNITS 1 AND 2 EMERGENCY RESPONSE FACILITY COMPUTER SYSTEM SAFETY ANALYSIS REPORT

SEPTEMBER 19, 1984

8409270108 840920 PDR ADOCK 05000445

PDR

Prepared by:

Texas Utilities Generating Company

TABLE OF CONTENTS

1.0 INTRODUCTION
  1.1 Purpose and Scope
  1.2 Terminology
    1.2.1 Critical Safety Functions
    1.2.2 Parameters
    1.2.3 Plant Signals
  1.3 Relationship of Critical Safety Functions and Barrier Concept
2.0 SPDS DESIGN AND OPERATION
  2.1 System Description
    2.1.1 Data Acquisition Systems
    2.1.2 Computer Systems
    2.1.3 Availability
  2.2 SPDS Displays
    2.2.1 Top Level Displays
    2.2.2 Secondary Displays
  2.3 Human Factors Design Considerations
    2.3.1 Features
    2.3.2 Graphic Coding
    2.3.3 Display Access
    2.3.4 Control Room Location
  2.4 Verification and Validation Program
    2.4.1 Definitions
    2.4.2 V&V Activities
    2.4.3 Relationship Between QA and V&V
3.0 SELECTION AND EVALUATION OF SPDS INPUT PARAMETERS
  3.1 Selection and Evaluation Process
  3.2 Parameters Required to Assess Each Critical Safety Function
    3.2.1 Reactivity Control
    3.2.2 Reactor Core Cooling and Heat Removal from the Primary System
    3.2.3 Reactor Coolant System Integrity
    3.2.4 Containment Conditions
    3.2.5 Radioactivity Control
  3.3 Parameter Ranges
  3.4 Selection of SPDS Alarm Setpoints
  3.5 Reactor Mode Indication
  3.6 Provisions for Validation of SPDS Data
4.0 SAFETY EVALUATION PER 10 CFR 50.59
  4.1 SPDS Function and Design
  4.2 SPDS Installation and Safety System Interface
  4.3 SPDS Operation
    4.3.1 SPDS Functional Requirements
    4.3.2 SPDS Input Sensor Verification
    4.3.3 SPDS Control Room Operator Influence
5.0 SUMMARY AND CONCLUSIONS
6.0 REFERENCES
APPENDIX 1 - SPDS CRITICAL SAFETY FUNCTIONS AND ASSOCIATED MONITORED AND DISPLAYED PARAMETERS
APPENDIX 2 - SPDS PARAMETER RANGES

Page 1 of 31

1.0 INTRODUCTION

1.1 Purpose and Scope

This report has been prepared in response to section 4 of NUREG-0737, supplement 1 (reference 1), and presents the safety analysis of the Comanche Peak Steam Electric Station (CPSES) Safety Parameter Display System (SPDS). The CPSES SPDS parameters provide sufficient information in terms of the five safety functions specified in NUREG-0737, supplement 1, to enable the plant operators to make a rapid and reliable assessment of overall plant safety status. The CPSES SPDS is responsive to a wide range of events, including the symptoms of severe accidents, and will be functional during all operating modes.

The Comanche Peak SPDS is part of the plant Safety Assessment System (SAS). The CPSES SAS has been implemented based on the generic SAS design developed by the Ad Hoc Group of the Westinghouse Owners Group Subcommittee on Instrumentation in 1981. The generic SAS design and development included a formal Verification and Validation (V&V) of the generic portions of the design, as applicable, and underwent a subsequent user's evaluation program in 1982.

The generic SAS validation provisions were essentially preserved in the Comanche Peak adaptation. The design and implementation of the CPSES SAS has been carried out in accordance with the generic SAS functional software specification and users implementation guide (references 2 and 3), subject to the Comanche Peak V&V plan for emergency response facilities data systems.

The generic SAS was originally designed to address NUREG-0696 guidelines for an SPDS. This report evaluates the adequacy of the SPDS portion of the CPSES SAS in terms of the later NUREG-0737, supplement 1 requirements.

SPDS capability to monitor a wide range of plant variables during transients and accidents was evaluated based on the analyses in the Final Safety Analysis Report (FSAR) and the critical safety function requirements of the plant technical specifications. Also, for added perspective, comparisons were made with the SPDS parameters recommended by others.

An overview of the CPSES SPDS design and installation is presented in section 2.0. Selection and evaluation of parameters is presented in section 3.0. The 10 CFR 50.59 safety evaluation of the CPSES SPDS implementation is presented in section 4.0, and an overall summary and conclusions are presented in section 5.0.

1.2 Terminology

Key SPDS terminology used in this report is defined as follows.

1.2.1 Critical Safety Functions

Critical Safety Functions (CSF) are those safety functions that are essential to prevent a direct and immediate threat to the health and safety of the public. The critical safety functions monitored by the SPDS as required by NUREG-0737, supplement 1, are:

  • Reactivity control
  • Reactor core cooling and heat removal from the primary system
  • Reactor coolant system integrity
  • Containment conditions
  • Radioactivity control

The purpose of the SPDS is to continuously display information from which to assess overall plant safety status in terms of how well the CSF's are being maintained or accomplished.

However, the SPDS is not intended nor is it designed to diagnose the specific events which may be affecting CSF maintenance or accomplishment. As implemented at CPSES, the parameters displayed on the SPDS provide the reactor operator and technical advisors with continuous, unambiguous data that will enable them to make proper decisions regarding appropriate operator action to developing plant conditions. Details of the selection and evaluation process for the CPSES SPDS parameters are given in Section 3.0.

1.2.2 Parameters

Parameters are those measures of system status or performance and CSF status or performance which are obtained directly or calculated from plant signals. Plant signals are obtained from monitoring and control sensors installed in the plant systems.

Each parameter is measured by one or more sensors, each of which produces a signal corresponding to the value of the parameter being measured.

1.2.3 Plant Signals

Plant signals are the electronic or electrical outputs of the monitoring and control sensing devices installed in the plant systems. These devices are calibrated so that the signals produced correspond to actual values of the process variables being measured.

1.3 Relationship of Critical Safety Functions and Barrier Concept

The definitions of critical safety functions (CSF) are based on the activities required to assess the integrity of and the potential for breach of the radioactive material barriers. The assessment of the reactor core cooling and reactivity control critical safety functions provides the information required to assess the potential for breach of fuel cladding integrity. The assessment of the coolant system integrity function provides the information required to assess the integrity of the nuclear system process barrier. The assessment of containment conditions provides the information required to assess the integrity and the potential for breach of the primary containment barrier. The assessment of the radiation control function provides the information required to assess radioactive releases to the environment resulting from breaches of one or more of the radioactive material barriers. Therefore, as long as the critical safety functions are adequately maintained the radioactive barriers will remain intact and the health and safety of the public will be protected.

2.0 SPDS DESIGN AND OPERATION

2.1 System Description

The Safety Parameter Display System (SPDS) is a set of application software which provides Emergency Response Facility (ERF) function for the main control room. The SPDS software runs on the ERF Computer System (ERFCS). The ERFCS consists of two hardware/software subsystems:

  • A data acquisition system
  • An integrated computer system

The SPDS is available to the control room operators via dedicated CRT's in the control room (see Figure 1). The SPDS provides a concise display of critical plant information to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. This information consists of the status of plant safety functions in terms of associated plant parameters. The parameters are either directly monitored or are derived using data collected via plant instrumentation systems. Derived parameters are based on algorithms consistent with those which drive other calculated parameter displays in the control room. This ensures that information portrayed for SPDS calculated parameters is consistent with that displayed by other control room instrumentation.

2.1.1 Data Acquisition Systems

Each unit (1 and 2) of the Comanche Peak Steam Electric Station ERFCS has its own Data Acquisition System (DAS). The total DAS is made up of two types of systems:

1. Remote multiplexing units (RMU's) and associated communication controllers (CC's)

2. ASCII character communication data links

Each DAS will service its respective host computer system; that is, the Unit 1 DAS will serve the Unit 1 ERF Computer System and the Unit 2 DAS will serve the Unit 2 ERF Computer System.

[Figure 1: CPSES Control Room Arrangement, Unit 1 and Unit 2. Legend entries include: 2. Operator's Console SPDS CRTs; 3. Supervisor's Console SPDS CRTs; 5. RMS Computer Consoles]

The primary purpose of the Data Acquisition Systems coupled with their respective host computers is to provide the Control Room SPDS, the Technical Support Center (TSC), and the Emergency Operations Facility (EOF) that make up the emergency response facilities with a highly reliable plant safety status database. This database contains the current status of all plant signals that form the basis of the overall plant safety status parameters.

2.1.1.1 Data Acquisition Via Remote Multiplexing Units (RMU)

The RMU systems are high-speed data multiplexers connected via redundant data links to a redundant set of communication controllers.

All field inputs, both 1E and non-class 1E, are connected to the remote multiplexing units (RMU's) either directly or through qualified 1E isolators as required in accordance with NUREG-0737, supplement 1 (reference 1). The RMU's transmit digitally coded information to, or receive digitally coded commands from, the redundant communication controllers (CC's) by means of redundant data links.

The redundant CC's control the interrogation of the RMU's and the transmission of data along the redundant data links. The CC's also control the allocation and transfer of data to the memories of the computer systems. The CC's likewise control commands initiated by the computers and transmit them to the appropriate RMU's.

The Remote Multiplexing Units provide the following functions:

  • Analog and digital signal scanning
  • Analog to digital conversion
  • Class 1E isolation

2.1.1.2 Data Acquisition Via ASCII Data Links

There are three ASCII data sources that provide input to the SPDS safety status database. They are:

  • Radiation Monitoring System (RMS)
  • Core Cooling Monitoring System (CCM)
  • Reactor Vessel Level Indicating System (RVLIS)

These systems accomplish all engineering unit conversions and data validations for each of their respective inputs. They then provide a formatted ASCII data string to the ERF Computer System. Class 1E isolation is provided by each system (RMS, CCM, and RVLIS) respectively prior to data transfer to the ERFCS.

2.1.2 Computer Systems

The Emergency Response Facility Computer System (ERFCS) consists of redundant computers designated as System A and System B for Unit 1 and an identical set for Unit 2. The other computer systems that communicate with the ERFCS are:

  • Radiation Monitoring System Computers
  • Meteorological Monitoring Computer
  • Core Cooling Monitoring Microprocessor
  • Reactor Vessel Level Indication System Computer
  • Each Colorgraphic Display Computer

The ERFCS will transmit the time-varying portions for all of the SAS/SPDS displays to the colorgraphics display computer CRT's. Data for the static portion of the displays (termed the template) will reside in each display computer memory.

2.1.3 Availability

The CPSES SPDS has a high availability goal. A study which quantitatively assesses system availability is currently underway to determine that this goal has been met. This study includes appropriate support system considerations which may impact SPDS availability such as power supply and HVAC failures.

2.2 SPDS Displays

The Safety Parameter Display System displays are divided into two categories: Top Level and Secondary.

2.2.1 Top Level Displays

The Top Level displays provide the operator with an overview of the current plant safety status for each of the three major plant operating modes:

  • Cold Shutdown
  • Heatup/Cooldown
  • Normal Operation

Each top-level display, except the cold shutdown display, contains a set of Critical Safety Function Monitor (CSFM) summary indications which provide information on specific critical safety function conditions. Figures 2 through 4 show typical examples of the top level displays. (NOTE: the values shown were chosen for visual reference only.) The evaluation of adequacy of the CPSES SPDS parameter set in section 3.0 addresses all of the parameters monitored and displayed on these displays.

[Figure 2: typical top level display]

[Figure 3: Typical Heatup/Cooldown Top Level Display. Display areas: CSFM summary (Subcriticality, Core Cooling, Integrity, Heat Sink, Containment, Inventory); RCS PRESS (PSIG); PRZR LVL (%); CL 1 through CL 4 (F); SG NR LVL (%); SG PRESS (PSIG); MODE: HEATUP/COOLDOWN]

[Figure 4: Typical Normal Operation Top Level Display. Display areas: CSFM summary (Subcriticality, Core Cooling, Integrity, Heat Sink, Containment, Inventory); RCS PRESS (PSIG); PRZR LVL (%); CL 1 through CL 4 (F); SG NR LVL (%); SG PRESS (PSIG); MODE: NORMAL OPERATION]

2.2.2 Secondary Displays

The Secondary SPDS displays are further subdivided into two groups: four Accident Identification and Display System (AIDS) displays and fifteen Trend Graph displays.

2.2.2.1 AIDS Displays

The AIDS displays provide the operator with detailed information concerning the current status of parameters that would most likely be affected during the development and course of a particular event. A set of plant parameters was chosen (based upon CPSES design bases analyses) for each of the following four abnormal conditions:

  • Loss Of Coolant Accident (LOCA)
  • Steam Generator Tube Rupture (SGTR)
  • Loss Of Secondary Coolant (LOSC)
  • Inadequate Core Cooling (ICC)

As implemented at CPSES, AIDS does not presume to identify or predict a particular abnormal occurrence.

The purpose of the CPSES AIDS is to group the current status of pertinent parameters together on a single half-page display that provides the operator and technical advisors with concise information to enable them to make an accurate assessment of the abnormality. Figures 5 and 6 show typical examples of the AIDS displays. (NOTE: any two AIDS displays can be observed simultaneously; also the values shown in figures 5 and 6 were chosen for visual reference only.)

2.2.2.2 Trend Graph Displays

The Trend Graph displays provide the operator and technical staff with a graphical indication of fifteen pre-selected groups of plant safety status parameters.

These displays are also half-page and any two can be observed simultaneously. (NOTE: It is also possible to observe any one AIDS display and any one Trend Graph display simultaneously.)

Each Trend Graph display gives the current numeric value of each of its associated parameters directly beneath a vertical bar-graph depiction of the value.

In addition, a time-varying plot of the value of each of the parameters during the previous thirty minutes is displayed next to the vertical bar-graphs. Figure 7 shows two typical Trend Graph displays. (NOTE: The values shown in figure 7 were chosen for visual reference only.)

[Figure 5: Typical LOCA / SGTR AIDS Displays. Panels: CSFM summary, LOCA, SGTR]

[Figure 6: Typical LOSC / ICC AIDS Displays. Panels: CSFM summary, LOSC, ICC]

[Figure 7: Trend Graph displays]

2.3 Human Factors Design Considerations

An interdisciplinary team of operations, control and instrumentation, and human factors engineers was involved in the definition, creation, and review of the formats to ensure a set of user-oriented displays consistent with the requirements of supplement 1 to NUREG-0737, the functional criteria of NUREG-0696, and the general human factors guidance of NUREG-0700. This program included a simulator evaluation at the Indian Point 2 power plant (Reference 5).

2.3.1 Features

The display formats are designed with low information densities and include only that information required to support the task activity of the user. Further, the color scheme is designed to reduce the visual dominance of the static background information. Extensive use of demarcation lines is employed to separate classes of data or parameters. Four different colors are used on the trend graphs for differentiation and association.

Simple display formats are provided to reinforce user recognition of plant status. Vertical bar level indications are easy to associate with parameter values or magnitudes as the control boards contain mainly vertical meters. A red (off-normal)/green (normal) color is used to fill the vertical bars on top-level displays (except Cold Shutdown).

As numerous audible alarms already exist in the control room, the use of audible alarms on the SPDS display system is not provided (except for emergency computer shutdown due to adverse conditions in the computer room). However, once an alarmable parameter reaches an alarm setpoint, the parameter indication on the top-level displays (except Cold Shutdown) is set to red, i.e. the vertical bar turns red, the target turns red, and/or the numerical value is "boxed" in red. The alarm is then placed in a dead band to eliminate alarm chatter or reoccurrence should the parameter causing the alarms oscillate around the alarm setpoint.
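The dead-band behaviour described above, shown as an added example that is not part of the original report or the SPDS software. The setpoints, dead-band widths and sample values are constructed for illustration, and the class and function names are hypothetical.

```python
"""Alarm dead band (hysteresis) on a monitored parameter.

Added illustration: setpoints, dead-band widths and samples are constructed
values, not CPSES setpoints.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class DeadBandAlarm:
    setpoint: float      # value at which the alarm trips
    dead_band: float     # distance the value must retreat past the setpoint to clear
    high: bool = True    # True: trips on a rising value; False: trips on a falling value
    active: bool = False

    def __post_init__(self) -> None:
        if self.dead_band < 0:
            raise ValueError("dead_band must be non-negative")

    def update(self, value: float) -> bool:
        """Feed one sample and return the alarm state after it."""
        if self.high:
            tripped = value >= self.setpoint
            cleared = value < self.setpoint - self.dead_band
        else:
            tripped = value <= self.setpoint
            cleared = value > self.setpoint + self.dead_band
        if not self.active and tripped:
            self.active = True
        elif self.active and cleared:
            self.active = False
        # Inside the dead band neither branch fires, so the state is held.
        return self.active

    def color(self) -> str:
        """Bar fill colour used on the top-level displays: red or green."""
        return "red" if self.active else "green"


def run(alarm: DeadBandAlarm, samples: Iterable[float]) -> List[str]:
    """Return the indication colour after each sample."""
    colors = []
    for value in samples:
        alarm.update(value)
        colors.append(alarm.color())
    return colors


def count_transitions(colors: List[str]) -> int:
    """Number of colour changes, i.e. how often the indication flipped."""
    return sum(1 for a, b in zip(colors, colors[1:]) if a != b)


# Constructed pressure samples (PSIG) oscillating around a setpoint of 2335.
SAMPLES = [2300, 2330, 2336, 2334, 2337, 2333, 2336, 2334, 2338, 2320, 2300]


def chatter_comparison() -> Tuple[int, int]:
    """Indication flips without a dead band versus with a 10 PSIG dead band."""
    no_band = run(DeadBandAlarm(setpoint=2335, dead_band=0), SAMPLES)
    with_band = run(DeadBandAlarm(setpoint=2335, dead_band=10), SAMPLES)
    return count_transitions(no_band), count_transitions(with_band)


if __name__ == "__main__":
    without, with_db = chatter_comparison()
    print(f"flips without dead band: {without}, with dead band: {with_db}")
```

With the dead band the indication stays red while the value oscillates near the setpoint and clears only after the value has dropped below the setpoint by more than the band width.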

Arrangement consistency is an important factor in display design and is a key feature of the SPDS displays. Certain data (date, time, display titles, critical safety function summary, messages, etc.) always appear in the same areas to assist user identification of data appearing on multiple displays. The data or information groups are located on the display in order of relative importance. Generally, the groups are ordered in a top-to-bottom and left-to-right ranking, with the most important data at the top or on the left of the display.

Additionally, the critical safety function summary and message areas remain on all SPDS displays to prompt the user when a status change has occurred.

The quality of information being displayed to the user is also presented. Should a caution exist concerning the validity of data, the numerical value is "boxed" in yellow. If all sensors providing data for a parameter fail, or are taken out of scan, the digital value for the parameter is replaced by yellow asterisks. In no case is the display void; it is presented to the user as a system operational reference.

A predetermined set of time versus value trend graphs and a parameter versus parameter graph are provided to compare and gain historic data about functionally related sets of parameters. A 30-minute (two hours for the Cold Shutdown mode display) history is provided on each Trend Graph display.

Graphic presentations are used extensively on the SPDS displays. Standard or relatable symbols are used to the maximum practical extent. By using a 1024 by 1024 (780 viewable) pixel colorgraphic CRT, high-resolution color symbols and line clarity are achieved. With the high-resolution display and sharpness provided, high levels of object/background and object/object discrimination are obtained.

2.3.2 Graphic Coding

Pattern and color coding techniques are extensively used to portray status in a graphic form for rapid user recognition.

2.3.2.1 Pattern Coding

As previously mentioned, vertical bar charts were selected as the means of presenting primary status indications. This technique allowed for a range of value indication in a form comprehended by the user.

The predetermined trend graphs, mentioned in section 2.3.1, are provided for historic information over a 30-minute period. These time versus value trend graphs allow for comparison of functionally related sets of variables. Up to four variables are presented on a single graph. Each variable on a graph is assigned a specific color. To aid color-impaired users and provide a redundant coding dimension, each variable on a trend graph has a corresponding bar graph to the left of the trend graph.

Trend arrows are used on the top-level and AIDS displays in conjunction with the parameter values to provide immediate value trend direction information.

Lines are used to annotate ranges on the top-level bar charts. This provides an indication to the user as to parameter proximity to a setpoint.

2.3.2.2 Color Coding

Color coding is used to enhance changes in status and to aid parameter differentiation and association.

Color use is consistent (green is always used to portray normal or acceptable conditions) and restrained (only seven colors plus a black background are used). Should a color gun fail or an operator suffer from a visual color imbalance, parameter status information is obtainable by alternate means (display location, digital values, etc.), and since no "pure" colors (i.e. color gun red, green, or blue) are used, all display contents will be retained.

The use of color on the Critical Safety Function summary employed a structured approach. To present CSF status information the following conventions are used:

  • Red - off-normal, immediate action, loss of safety function
  • Orange - prompt action, potential loss of safety function
  • Yellow - failure or caution, loss of redundancy, action may be needed
  • Green - normal, Critical Safety Function satisfied
  • Yellow Asterisk - loss of indication (sensor related), Critical Safety Function unknown

Color usage on the trend graphs was used for differentiation and association to distinguish the four parameter trends on each graph and to relate a corresponding bar level to a trend line.

Beige color is used for demarcations, titles, graduations, static values, and text information.

White is used for dynamic values and event/message data because of its sharp contrast value against the black background of the displays.

2.3.3 Display Access

The SPDS displays are available on two types of display terminals: the primary (SPDS console and control board) CRT's and the secondary CRT's. The primary CRT's, normally used by the reactor operators, are provided with dedicated function keypads that allow for rapid, single entry, non-ambiguous display requests. The function key access scheme--one button, one display--also provides a layout configuration reflecting the display structure or hierarchy. The type and number of SPDS displays available on the primary and secondary CRT's are discussed in detail in section 2.2. A primary display hierarchy is used to present information at three levels of detail or content:

  • Top level
  • AIDS
  • Parameter trend graphs

The secondary CRT's are configured to access displays that are in addition to but not part of SPDS. In this capacity most functions are called up via multiple keyboard commands on a standard keyboard. These functions provide for both detailed parameter data investigation and parameter summary capability.

2.3.4 Control Room Location

The primary CRT's (two per unit) are located on the main control board and on the reactor operators console (see Figure 1). The secondary CRT's are readily accessible to the shift supervisor (at his emergency work station in the Control Room) and the technical advisory staff (in both the Technical Support Center and the Emergency Operation Facility). The shift supervisor will also have visual access to the primary CRT's.

The primary CRT's will not interfere with the normal movement of the control room operations crew and will not interfere with visual access to other control room systems. The SPDS displays are readable from a minimum angle of 45° between operator line-of-sight and the plane of the display screen. The critical top-level display data is readable to a distance of 15 feet.

2.4 Verification and Validation Program

The Verification and Validation (V&V) program for the Comanche Peak safety parameter display system is in accordance with NSAC 39. The safety-related aspects of the SPDS design satisfy the requirements of ANSI N45.2.11-1974.

The SPDS is a subsystem of the emergency response facility. As such, its V&V program satisfies the objectives of NUREG-0696, "Functional Criteria for Emergency Response Facilities." All V&V activities are performed by individuals who are independent from the design effort and have sufficient experience and expertise to properly evaluate the various activities which affect the final design and installation of the SPDS. Activities covered by the V&V plan include: design verification against functional requirements and specifications, installation inspection, and overall system performance testing. The system requirements document for the ERF computer system consists of a requirements traceability matrix taken from the system requirements specifications and NUREG-0696.

2.4.1 Definitions

Verification is the demonstration of the consistency, completeness, and correctness of each stage of the development of a project on the basis of fulfillment of all requirements imposed by the previous stage. Validation is the demonstration of the correctness of the final system as determined by testing against overall functional, performance, and interface requirements.

The essential idea of verification is stage-by-stage confirmation of the design, while validation refers to overall testing of the final product. The V&V process is intended to provide an overall check that all requirements are met and that the system operates satisfactorily.

2.4.2 V&V Activities

Specific areas covered by V&V activities are:

  • System requirements verification
  • Hardware and software design specification verification
  • System validation testing
  • System verification testing

For each of the above V&V activities, qualified personnel are assigned to perform the activities required to ensure that all applicable design basis requirements are included in the design and that the design is complete, correct, and unambiguous. An interim report is issued at each phase of the V&V process, wherein all discrepancies are identified and resolved. A final V&V report summarizes the results of each activity, and documents the resolutions of all required corrective actions.

2.4.3 Relationship Between QA and V&V

The V&V efforts of the V&V program are independent of any quality assurance (QA) requirements which may be imposed elsewhere. As part of the V&V effort, the V&V team may elect to employ QA procedures, forms, or personnel. Such election would be for convenience and cost-effectiveness of the V&V effort and would not impose additional QA requirements nor compromise any QA requirements of any part of the overall system specifications.

3.0 SELECTION AND EVALUATION OF SPDS INPUT PARAMETERS

The CPSES SPDS input parameters were selected based upon their ability to comprehensively and unambiguously monitor the various plant safety functions (Reactivity Control, Reactor Core Cooling and Heat Removal, etc). Additionally, the type, number and range of each input parameter were selected to be sufficient to determine the maintenance or accomplishment status of each critical safety function for a wide variety of events, including design basis accidents for all modes of reactor operation.

3.1 Selection and Evaluation Process

The CPSES Final Safety Analysis Report and the plant Technical Specifications were reviewed to determine requirements regarding the maintenance and accomplishment of each critical safety function during all modes of reactor operation; this review included:

  • System design bases and performance specifications
  • Characteristics of the modes of operation
  • Alarm setpoints and system operational limits
  • Technical Specifications bases

The CPSES parameter set includes all of the minimum set of SPDS parameters selected by the Ad Hoc Group of the Westinghouse Owners Group Subcommittee on Instrumentation (1981) of which Texas Utilities is a member. The parameter set for the CPSES SPDS was also compared with the SPDS parameter sets recommended by NSAC and AIF. The NSAC (reference 6) set was derived by checking against WASH 1400 sequences and observing the number of times each parameter was a potential indicator of plant status. The indicators were classified as leading, secondary, possible misleading, or negligible response indicators for the various sequences. The AIF set (reference 7) was developed by using formal parameter selection criteria: detection, leading indicator, plant safety functions, radioactive barrier, direct measurement, reliability, and applicability under diverse plant conditions. Selected parameters were evaluated against the selection criteria in a predefined logic.

The CPSES SPDS parameter set includes all of the AIF SPDS parameters and all of the NSAC SPDS parameters which serve as leading indicators for the events analyzed except reactor coolant system flow rate, pressurizer relief tank level, volume control tank level, letdown flow rate, and control rod position. According to the NSAC study (reference 6), reactor coolant system flow rate is recommended to indicate loss of generator and subsequent failure to relay the plant loads to off site power and failure to establish conditions for natural circulation. In the case of loss of the main generator, trip of the reactor coolant pumps, which occurs on undervoltage, would provide similar indication and is monitored by the CPSES SPDS.

Establishing and maintaining natural circulation and determining if adequate cooldown is occurring are accomplished without the use of RCS flow indication. Conditions which support or indicate natural circulation include reactor coolant subcooling margin greater than 10°F, steam generator pressure stable or decreasing, hot leg temperature stable or decreasing, core exit temperature stable or decreasing, and cold leg temperature near the saturation temperature for steam generator pressure. All these parameters are monitored and displayed on the SPDS.


Pressurizer relief tank level was recommended by NSAC to indicate pressurizer safety relief valve position. As an SPDS parameter, this only provides indication as to the possible cause of a reactor coolant system integrity breach. Since this is primarily used for diagnostics and because primary indicators of reactor coolant system integrity are available on the CPSES SPDS, this parameter is not displayed on the SPDS. Volume control tank level and letdown flow rate were recommended by NSAC as leading indicators of CVCS performance but are not primary indicators of CSF status. Control rod position is recommended by NSAC to indicate reactor protection system (RPS) performance. The primary indicators of RPS performance, as well as adequate core subcriticality, are neutron flux and decreasing flux (negative startup rate), both of which are monitored and displayed on the CPSES SPDS. Control rod position is not monitored by the SPDS, but is adequately displayed via the rod position indicating system display located next to the SPDS CRT on the main control board.

3.2 Parameters Required to Assess Each Critical Safety Function

The CPSES parameters selected for monitoring each of the five critical safety functions identified in NUREG-0737, supplement 1, are listed in Appendix 1. Each parameter set is discussed in terms of:

  • The parameters which provide primary status indication for the critical function.
  • The systems and procedures which may be used to restore or maintain the critical safety functions within safe limits, and their associated parameters.
  • The parameters associated with monitoring the status or result of operator emergency actions to restore the plant to within safe operating limits.

The analog ranges of displayed parameters are listed in Appendix 2.

SPDS parameter ranges were selected (see Section 3.3) to correspond with existing control room instrumentation.

3.2.1 Reactivity Control

As discussed in section 1.3, one of the critical safety functions associated with maintaining the fuel clad barrier intact is reactivity control, i.e., the control of fission in the fuel.

For all modes of normal plant operation the primary indication of core reactivity is neutron flux which is monitored and displayed on the SPDS. For normal heatup, cooldown, and power operation, neutron flux information is provided in appropriate units of counts per second or percent power. The SPDS provides neutron flux information via the Nuclear Instrumentation System (NIS) and associated electronics which monitor the entire power range identified in section 3.3. This range covers the source range (SR) in units of counts per second, intermediate range (IR) in detector amperes and power range (PR) in percent power units. For the cold shutdown display, the source range (only) is provided in a two hour trend graph format.

For off-normal or accident conditions, the primary means of assessing reactivity control is by reactor subcriticality indicators. Achievement and maintenance of subcriticality is clearly indicated by trend graphs on the SPDS Nuclear Instrumentation System (NIS) display. In addition, the CSFM status summary (located in the upper left corner of the Normal and Heatup/Cooldown Top Level displays) indicates whether or not subcriticality is being maintained.

3.2.2 Reactor Core Cooling and Heat Removal from the Primary System

Adequate core cooling and heat removal from the primary system ensures fuel cladding temperatures remain below failure limits. In order to assess adequate core cooling, the coolant inventory and temperature, the margin of subcooling, and the primary system heat sinks must be monitored.

To ensure an adequate coolant inventory exists in the primary system, the operator must be cognizant of reactor vessel and pressurizer water levels. Adequate vessel level ensures the core is covered and adequate pressurizer level ensures a total coolant inventory is properly maintained. Both of these levels are monitored and displayed by the SPDS. Reactor vessel level is monitored and displayed on all Top Level displays. Pressurizer level is monitored and displayed for all normal operating Top Level displays, except cold shutdown. In addition, both pressurizer and vessel level are given on trend graph displays.

Primary indicators of core cooling include coolant temperature and margin of subcooling. For normal power, heatup, and cooldown operations, core exit, cold leg, and hot leg temperatures are monitored to provide core exit, cold leg, and coolant average temperature indications. Margin of subcooling is also indicated in these modes. For the cold shutdown mode only, core exit temperature is monitored. For off-normal and accident conditions, core exit temperature, margin of subcooling, vessel water level, and reactor coolant pump status are monitored for use in the ICC AIDS display and the CSFM summary on the Top Level displays (except for Cold Shutdown). These variables provide indication of the core thermodynamic state and the degree to which core cooling is accomplished. Margin of subcooling, core exit and cold leg temperatures are also given on Trend Graph displays.

The main heat sink for the primary system consists of four steam generators. If one of the four steam generators is receiving adequate flow, is not overpressurized, and has sufficient inventory, then an adequate heat sink exists. Steam generator level and pressure are monitored and displayed on the SPDS Top Level displays for normal power, heatup, and cooldown plant operating modes. Additionally, for off-normal or accident conditions, steam generator level and pressure, auxiliary feedwater flow and main steam-feedwater flow mismatch are monitored for use in the SGTR and LOSC AIDS displays and the CSFM summary portion of the Top Level displays (except for Cold Shutdown). Steam generator pressure and level are also given on Trend Graph displays.

For cold shutdown, decay heat is removed using the manually initiated residual heat removal (RHR) system. RHR system flow and heat exchanger inlet and outlet temperatures, which indicate the performance of this heat sink, are monitored and trend graph displayed for this mode of operation.

3.2.3 Reactor Coolant System Integrity

Keeping the reactor coolant system (RCS) intact and operating within limits is necessary to ensure proper heat removal during all modes of reactor operation. Breach of reactor coolant system integrity can occur due to overpressurization or excessive thermal stress. RCS pressure and temperature combinations which may cause a breach of RCS integrity are monitored for use in the CSFM summary on the Top Level displays (except for Cold Shutdown).

Detection that a RCS breach has occurred will be indicated by various parameters depending on the location and magnitude of the breach. Decreasing reactor coolant pressure, reactor vessel level, and pressurizer level will indicate a breach. Increasing containment pressure, radiation, and water level will indicate the coolant is exiting into containment. Increasing main steam, steam generator blowdown or condenser off gas radioactivity indicate coolant is exiting through steam generator tubes into the secondary side. These parameters are monitored and displayed on the AIDS displays and are also Trend Graph displayed.

3.2.4 Containment Conditions

Containment parameters monitored which indicate a possible threat to integrity include containment pressure, sump level, water level, and radiation. The primary threat to containment is from overpressurization which could cause a breach of containment. Sump level and water level are monitored to indicate the potential for flooding which would render important containment cooling and depressurization equipment inactive. Radiation, which does not pose a threat to containment integrity directly, is monitored to assess the magnitude and potential consequences of a breach and the need to ensure proper isolation of containment. All these parameters are monitored and displayed on the LOCA AIDS display and Trend Graph displays of the SPDS.

3.2.5 Radioactivity Control

In order to assess the status of radioactivity control, all major potential release points are monitored.

The principal radioactive release point during normal, off-normal, and accident conditions is the main stack which is monitored by the SPDS. Containment radiation level is also monitored by the SPDS to enable the operators to assess the potential for radioactive releases resulting from accidents.

As discussed in section 3.2.3, radioactivity that could be released through the steam generators to the secondary side is monitored by the steam generator blowdown, the condenser off gas, and the main steam line radiation monitors.

Containment, steam generator blowdown, condenser off gas, and highest main steam line activities are all indicated on the SPDS Top Level displays for the normal and heatup/cooldown modes of operation. Additionally, containment radiation is displayed on the LOCA AIDS display while steam generator blowdown and condenser off gas radiation is displayed on the SGTR AIDS display. All of these radioactivity parameters are also given on a Trend Graph display.

3.3 Parameter Ranges

The SPDS parameter ranges are presented in Appendix 2. Analog signals which provide input to the SPDS are identified with their corresponding ranges. In general, all ranges monitored by the SPDS are identical to those in the control room and envelope system design criteria, plant responses to design basis accidents, transients, and ATWS responses.

Neutron flux (reactor power) information is provided in the range of one count per second to 150 percent of full reactor power. Full range monitors that include source range (SR), intermediate range (IR), and power range (PR) outputs are used with sufficient overlap of ranges to provide this information. Additionally, SR startup rate is monitored from .5 to 5 decades per minute (dpm). These ranges correspond with the nuclear instrumentation system (NIS) indicators located in the control room.

Pressurizer level and reactor vessel level are monitored and displayed from 0 to 100 percent of capacity which corresponds with control room indication.

Core exit temperature is monitored and displayed over the range of 0 to 2,300°F. This range corresponds with the Core Cooling Monitor indications located in the control room. The RCS subcooling margin is monitored and displayed over the range of -300 to +300°F which corresponds with the Core Cooling Monitor control room indications.

Cold and hot leg temperatures are monitored from 0 to 700°F which corresponds with the RCS temperature indicators located in the control room.

Steam generator level is monitored and displayed over its entire capacity of 0 to 100 percent. Steam generator pressure is monitored and displayed from 0 to 1,300 psig. These ranges correspond with the steam generator indicators located in the control room.

Steam generator steam flow and auxiliary feedwater flow are monitored from 0 to 5 x 10 lbm/hr and 0 to 550 gpm, respectively. These flow rates are on a per-loop basis for each of the four loops. Both the auxiliary feedwater and steam flow rates monitored and displayed correspond with the control room indicators.

RHR system flow is monitored and displayed from 0 to 5,500 gpm which corresponds with the indications located in the control room.

RHR heat exchanger inlet and outlet temperatures are monitored from 50 to 400°F which correspond with indications located in the control room.

Pressurizer pressure and reactor coolant loop pressure are monitored from 1,700 to 2,500 psig and 0 to 3,000 psig, respectively. These are combined to provide a reactor coolant system (RCS) pressure display of 0 to 3,000 psig. This display corresponds with indications located in the control room.

Containment pressure is monitored and displayed over the range of -5 to 60 psig which corresponds with indications located in the control room.

Containment water level is monitored and displayed with respect to site elevation and containment sump level is monitored and displayed from 0 to 3 feet. These displays correspond with indications located in the control room. Additionally, containment humidity is derived from containment temperatures (wet and dry bulb) and pressure and is displayed over the full range of 0 to 100 percent.

4 3

Containment radiation is monitored and displayed over the range of 10 to 10 mR/hr which corresponds with the Radiation Monitoring System (RMS) indications located in the control room.

4

Containment hydrogen (H2) concentration is monitored and displayed over the range of 0 to 10 percent which corresponds with the Hydrogen Analyzer indications located in the control room.

Steam generator blowdown radiation and condenser off gas radiation are monitored and displayed from 10^-5 to 10^-1 µC/ml which corresponds with the Radiation Monitoring System (RMS) indications for these parameters. Additionally, all four Main Steam line radiation levels are monitored and the highest is displayed from 10^-1 to 10^3 µC/ml which also corresponds with the RMS indications in the control room.

3.4 Selection of SPDS Alarm Setpoints

Alarm setpoints for SPDS input parameters were selected to provide indications consistent with existing plant alarm setpoints.

3.5 Reactor Mode Indication

The SPDS will be operational during all reactor operation modes, i.e., normal power operation, startup operation, hot shutdown, cold shutdown, and refueling shutdown. Three dedicated top-level displays are provided to cover the above operating modes; they are: normal power operation, heatup/cooldown, and cold shutdown.

3.6 Provisions for Validation of SPDS Data

The displayed value of each SPDS parameter is determined by processing one or more plant signals. Valid/invalid indications are provided for SPDS parameters and are determined through systematic consideration of the type and number of signals available for each parameter. A displayed variable which consists of a single analog input signal is generally determined to be valid or invalid based on a validation table comparison check of the high and low limits. If the data is out of range, the parameter is failed, and the digital value on the display is replaced by yellow asterisks.

For a parameter with two sensor inputs, the sensor input data are checked against the validation table limits. Three different situations can occur:

1. One sensor is rejected in range checking. The data for the remaining one sensor is taken as the parameter data. Since only one sensor data is left, it is defined to be in a "Suspect" condition and the parameter data is displayed in a yellow box.
2. Both sensors are rejected in range checking. The parameter will be displayed as a failed parameter, i.e., displayed as yellow asterisks.
3. No sensor has been rejected. The average of the two sensors' data will be displayed as the parameter data. If the two sensor data are divergent by more than 10%, the parameter value is considered as "Suspect" and is displayed in a yellow box.

For SPDS parameters utilizing three or more sensor inputs, the inputs are first checked against validation table range limits. If fewer than three sensors remain unrejected, the remaining sensor inputs will be treated as described above for one or two sensor inputs. If three or more sensors are left unrejected, these inputs will be validated with Chauvenet's criteria. If Chauvenet's criteria rejects an input, the remaining inputs (there will be at least two) will be averaged and the average will be used as the SPDS parameter value. If no other inputs are rejected by Chauvenet's criteria, all these inputs will be averaged and the average will be used as the SPDS parameter value.

Chauvenet's criteria is a simple rejection criteria that accounts for the effects of sample size N and the deviation of a sample from the mean (reference 2). Chauvenet's criteria allows a sample to be rejected if the probability is less than 1/(2N) that deviations from the mean equal to or greater than the sample deviation can occur. This probability is computed by integrating the normal distribution from the negative difference of the sample value and mean value to the positive difference of the sample value and mean value. If a sample is rejected, a new mean is calculated and the criteria is applied again to the remaining valid data.

If all SPDS input sensor signals for a parameter are rejected, the failed parameter is displayed on the Channel Malfunction Monitor display which provides information in text identifying the parameter. Additionally, all failed plant input sensors are tabulated and displayed on the Failed Point Summary display. These displays are available only on the supervisor's, TSC's, and EOF's CRT displays, and are not a part of the SPDS. They do, however, provide for rapid diagnosis of signal malfunctions affecting the SPDS.
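The validation rules of Section 3.6 (range check, the one- and two-sensor cases, and Chauvenet's criteria for three or more inputs), written out as an added Python example; this is not code from the report or from the CPSES computer system. The function names, the use of the population standard deviation, the 10% divergence being measured against the mean, and the "Suspect" status for a lone surviving sensor of a multi-sensor parameter are assumptions, and the readings are constructed.

```python
"""Added illustration of the Section 3.6 signal-validation rules (not CPSES code)."""
import math
from statistics import fmean, pstdev

VALID, SUSPECT, FAILED = "valid", "suspect", "failed"


def chauvenet_filter(samples):
    """Drop outliers one at a time using Chauvenet's criteria.

    A sample is rejected when the normal-distribution probability of a
    deviation at least as large as its own is below 1/(2N). The mean is then
    recomputed and the test repeated on the remaining data.
    """
    kept = list(samples)
    while len(kept) >= 3:
        mean = fmean(kept)
        sigma = pstdev(kept)  # assumption: population standard deviation
        if sigma == 0.0:
            break  # all readings identical, nothing to reject
        worst = max(kept, key=lambda x: abs(x - mean))
        z = abs(worst - mean) / sigma
        # P(|Z| >= z) = 1 - integral of the normal density from -z to +z
        p_tail = math.erfc(z / math.sqrt(2.0))
        if p_tail >= 1.0 / (2 * len(kept)):
            break  # the largest deviation is plausible, keep everything left
        kept.remove(worst)
    return kept


def validate_parameter(readings, low, high, divergence=0.10):
    """Return (status, value) for one parameter from its sensor readings."""
    # Validation-table range check; NaN fails both comparisons and is rejected.
    in_range = [r for r in readings if low <= r <= high]
    if not in_range:
        return FAILED, None  # displayed as yellow asterisks
    if len(in_range) == 1:
        # Assumption: a lone survivor of a multi-sensor parameter is "Suspect"
        # (yellow box); a single-sensor parameter in range is simply valid.
        status = VALID if len(readings) == 1 else SUSPECT
        return status, in_range[0]
    if len(in_range) == 2:
        a, b = in_range
        mean = (a + b) / 2.0
        # Assumption: "divergent by more than 10%" is relative to the mean.
        diverged = abs(a - b) > divergence * abs(mean)
        return (SUSPECT if diverged else VALID), mean
    kept = chauvenet_filter(in_range)  # at least two inputs always remain
    return VALID, fmean(kept)


# Constructed sample inputs (not plant data): name -> (readings, low, high).
SAMPLES = {
    "core_exit_temp_degF": ([612.0, 615.0, 613.0, 900.0], 0.0, 2300.0),
    "pressurizer_level_pct": ([40.0, 60.0], 0.0, 100.0),
    "sg_level_pct": ([50.0, 150.0], 0.0, 100.0),
    "containment_pressure_psig": ([-20.0, 75.0], -5.0, 60.0),
}


def run_samples():
    """Validate every constructed sample and return {name: (status, value)}."""
    return {name: validate_parameter(r, lo, hi)
            for name, (r, lo, hi) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (status, value) in run_samples().items():
        print(f"{name:28s} {status:8s} {value}")
```

With only three or four inputs the criteria can reject a reading only when the remaining readings agree closely, because the outlier itself inflates the mean and standard deviation it is tested against.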

4.0 SAFETY EVALUATION PER 10CFR50.59

This evaluation analyzes the function, design, installation, and operation of the Safety Parameter Display System (SPDS) to ensure that SPDS implementation does not involve an unreviewed safety question. The objective of the evaluation is to verify that 1) the probability of occurrence or the magnitude of the consequences of an accident or malfunction of equipment important to safety, previously evaluated in the FSAR, will not be increased, 2) the possibility for an accident or malfunction of a different type than any evaluated previously in the FSAR has not been created, and 3) the margin of safety as defined in the basis for any technical specification will not be reduced by the addition of the SPDS.

4.1 SPDS Function and Design

The SPDS provides a concise display of critical plant safety parameters to the control room personnel to aid them in rapidly and reliably determining the safety status of the plant. The SPDS will be operable during normal and abnormal plant conditions. The principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the current safety status of the plant. The SPDS will continuously display real-time information in the control room from which the plant safety status can be readily and reliably assessed by control room personnel.

The SPDS, however, is not a safety system and will perform no active safety function. The existing control room instrumentation provides the operators with the information necessary for safe reactor operation under normal, transient, and accident conditions. The SPDS will be used in addition to the existing instrumentation and will serve to aid and augment it. For these reasons, Supplement 1 to NUREG-0737 directs that the requirements applicable to control room instrumentation are not needed for this augmentation. The SPDS need not meet the requirements of the single-failure criteria and it need not be qualified to meet Class 1E requirements.

4.2 SPDS Installation and Safety System Interface

The installation of the CPSES SPDS does not compromise any safety system or involve an unreviewed safety question for the following reasons:

  • All SPDS displays located in the control room are mounted per seismic category II specifications so that they will not affect any safety system instrumentation or control in the event of a design basis seismic disturbance.
  • The ERF/SPDS supporting computers are located in a separate, seismic category I, fire protected room adjacent to the control room and will not affect any safety system instrumentation or control in the event of a fire or design basis seismic disturbance.
  • The SPDS is electrically and electronically isolated from all CPSES safety related devices and complies with Class 1E isolation criteria.

4.3 SPDS Operation

The SPDS operational safety evaluation encompasses three major areas: functional requirements as specified by Federal Regulations and CPSES procurement specifications, input sensor verification, and control-room operator influence.

4.3.1 SPDS Functional Requirements

The CPSES SPDS implementation was subject to an extensive verification and validation (V&V) program which followed the guidance of NSAC 39. The verification (V&V) program provided an independent review to verify that:

  • All interfaces with existing safety-related and non-safety related equipment have been properly identified.
  • The proper design standards have been invoked.
  • The applicable design requirements have been properly implemented in the design, functional, and procurement specifications.

Additionally, an extensive validation testing program was employed to ensure proper functioning of the total integrated SPDS data acquisition, manipulation, and display systems per the verified design specifications.

4.3.2 SPDS Input Sensor Verification

Each plant system sensor that has input to the SPDS was simulated through the actual sensor field cables to ensure a one-to-one correspondence between the input sensor signal and the SPDS displayed value. This input/output (IO) verification process assured accurate, non-ambiguous sensor input recognition by the SPDS and it also determined that no input data was "lost" or "shuffled".

4.3.3 SPDS Control Room Operator Influence

The SPDS will not degrade control room operators' performance or ability to respond to plant operational requirements for either normal or accident conditions. In addition to the human factors design considerations discussed in Section 2.3, the operators will be trained in the use of the SPDS.

Control room operators are trained in procedures which describe the timely and correct safety status assessment when the SPDS is and is not available. Operating procedures are written to preclude the operator from taking actions based solely on SPDS display information. The operating procedures require that all operator actions affecting the safety of the plant be based on information which has been confirmed using the existing control room indicators. Therefore, no transient or accident analyzed in the FSAR is affected by either the operation or the failure of the SPDS, nor is the potential increased for a malfunction or accident of a different type than those previously described in the FSAR.

5.0 SUMMARY AND CONCLUSIONS

This safety analysis report was prepared in response to section 4 of supplement 1 to NUREG-0737 (reference 1). This SAR describes the methodology and basis on which the plant parameters selected for monitoring on the CPSES SPDS have been determined to be sufficient to assess the overall safety status of the plant in terms of the following five critical safety functions:

  • Reactivity control
  • Reactor core cooling and heat removal from the primary system
  • Reactor coolant system integrity
  • Containment conditions
  • Radioactivity control

The CPSES SPDS parameter set was evaluated against the CPSES FSAR, technical specifications, SAS simulator-tested parameter set, NSAC-recommended parameter set, and the AIF-recommended set for sufficiency in terms of the type and number of parameters monitored to assess each safety function, and the range of plant conditions covered by the parameters. The final parameter set covers all Function Restoration Guidelines (FRG) entry conditions associated with critical safety function assessment, and includes all variables recommended by the SAS group for the SPDS. On the basis of this review and evaluation process, the CPSES parameters are sufficient to assess plant safety status over a wide range of conditions, including the symptoms of severe accidents and all modes of reactor operation. The function, design, installation, and operation of the CPSES SPDS were also analyzed in accordance with the provisions of 10 CFR 50.59, and it was concluded that no unreviewed safety question is involved with the SPDS implementation at CPSES.

6.0 REFERENCES

1. NRC Letter, supplement 1 to NUREG-0737 "Requirements for Emergency Response Capability" (Generic letter no 82-33), December 17, 1982.
2. "Functional Design Specification for SAS Software (Proprietary)," prepared by Quadrex Corporation for the Ad Hoc Committee on Instrumentation Systems, Safety Assessment System Project, revision 2, May 1982.
3. "Safety Assessment System User Implementation Guide," QUAD-7-82-010 revision 0, prepared by Quadrex Corporation for the Ad Hoc Group of the Westinghouse Owners Group (WOG) Subcommittee on Instrumentation, May 1982.
4. Comanche Peak Steam Electric Station Final Safety Analysis Report (FSAR).
5. "Safety Assessment System Evaluation Program Report", prepared by Quadrex Corporation and Inpsych for the Ad Hoc Committee on Instrumentation Systems, Safety Assessment System Project, May 20, 1982.
6. A. R. Buhi, et al., "Nuclear-Plant Safety-Parameter Evaluation by Event Tree Analysis", NSAC-8, October 1980.
7. Letter from David G. Cain, NSAC, to AIF subcommittee on safety parameter integration, Parameter Selection Work Group, subject: SPDS Minimum Parameter Set, July 3, 1980.

APPENDIX 1

SPDS CRITICAL SAFETY FUNCTIONS AND ASSOCIATED MONITORED AND DISPLAYED PARAMETERS

CRITICAL SAFETY FUNCTION | MONITORED PARAMETER | DISPLAYED PARAMETER | TREND GRAPHED
Reactivity Control | (SR, IR, & PR Monitor) Power | (SR, IR, & PR Monitor) Power | X
 | SR Startup Rate | SR Startup Rate |
 | Reactor Trip Status | Reactor Trip Status |
Reactor Core Cooling and Heat Removal From the Primary System | Reactor Vessel Level | Reactor Vessel Level | X
 | Pressurizer Level | Pressurizer Level | X
 | Core Exit Temperature | Core Exit Temperature | X
 | Cold Leg Temperature | Cold Leg Temperature | X
 | Hot Leg Temperature and | Hot Leg Temperature | X
 | Cold Leg Temperature | Reactor Coolant Average Temp. |
 | Reactor Coolant Pump Status | Reactor Coolant Pump Status |
 | Core Exit Temperature and Reactor Coolant Pressure | Subcooling Margin | X
 | Steam Generator Level | Steam Generator Level | X
 | Steam Generator Pressure | Steam Generator Pressure | X
 | Auxiliary Feedwater Flow | Auxiliary Feedwater Flow |
 | Steam Generator Steam Flow | Steam Generator Steam Flow | X
 | RHR System Flow | RHR System Flow | X
 | RHR Heat Exchanger Inlet Temp. | RHR Heat Exchanger Inlet Temp. | X
 | RHR Heat Exchanger Outlet Temp. | RHR Heat Exchanger Outlet Temp. | X
Reactor Coolant System Integrity | Reactor Coolant Loop Pressure and Pressurizer Pressure | Reactor Coolant System Pressure | X
 | Cold Leg Temperature and | Reactor Coolant Average Temperature |
 | Hot Leg Temperature | Hot Leg Temperature | X
 | Cold Leg Temperature | Cold Leg Temperature | X
 | Reactor Vessel Level | Reactor Vessel Level | X
 | Pressurizer Level | Pressurizer Level | X
 | Containment Radiation | Containment Radiation | X
 | Containment Pressure | Containment Pressure | X
 | Containment Water Level | Containment Water Level | X
 | Containment Sump Level | Containment Sump Level | X
 | Steam Generator Blowdown Rad. | Steam Generator Blowdown Rad. | X
 | Condenser Off Gas Radiation | Condenser Off Gas Radiation | X
 | Main Steam Line Radiation | Main Steam Line Radiation | X
Containment Conditions | Containment H2 Concentration | Containment H2 Concentration | X
 | Containment Water Level | Containment Water Level | X
 | Containment Pressure | Containment Pressure | X
 | Containment Radiation | Containment Radiation | X
 | Containment Temperature | Containment Temperature | X
 | Containment Pressure and Temperatures | Containment Humidity | X
Radioactivity Control | Main Steam Line Radiation | Main Steam Line Radiation | X
 | Containment Radiation | Containment Radiation | X
 | Steam Generator Blowdown Rad. | Steam Generator Blowdown Rad. | X
 | Condenser Off Gas Radiation | Condenser Off Gas Radiation | X

APPENDIX 2

SPDS PARAMETER RANGES

DISPLAYED PARAMETER | DISPLAYED RANGE
Reactor Power (SR, IR, and PR Monitor) | 1 to 10 cps (SR); 10 to 10 amp (IR); 0 to 150% (PR)
SR Startup Rate | .5 to 5 dpm
Reactor Vessel Level | 0 to 100%
Pressurizer Level | 0 to 100%
Core Exit Temperature | 0 to 2,300°F
RCS Subcooling Margin | -300 to +300°F
Cold Leg Temperature | 0 to 700°F
Hot Leg Temperature | 0 to 700°F
Steam Generator Level | 0 to 100%
Steam Generator Pressure | 0 to 1,300 psig
Steam Generator Steam Flow | 0 to 5 x 10 lbm/hr
Auxiliary Feedwater Flow | 0 to 550 gpm
RHR System Flow | 0 to 5,500 gpm
RHR Heat Exchanger Inlet and Outlet Temperatures | 50 to 400°F
Reactor Coolant System Pressure | 0 to 3,000 psig
Containment Temperature | 0 to 300°F
Containment Pressure | -5 to 60 psig
Containment Water Level | 808' to 816.5' elevation
Containment Sump Level | 0 to 3 ft.
Containment Humidity | 0 to 100%
Containment Radiation | 10 to 10 mR/hr
Containment H2 Concentration | 0 to 10%
Steam Generator Blowdown Radiation | 10^-5 to 10^-1 µC/ml
Condenser Off Gas Radiation | 10^-5 to 10^-1 µC/ml
Main Steam Line Radiation | 10^-1 to 10^3 µC/ml