ML20100A638
| ML20100A638 | |
| Person / Time | |
|---|---|
| Site: | San Onofre  |
| Issue date: | 11/02/1984 |
| From: | Chambers C, Raymond Hoffman, Starr T ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY |
| To: | |
| Shared Package | |
| ML13309B476 | List: |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737 1370-ICE-1302, 1370-ICE-1302-R01, 1370-ICE-1302-R1, NUDOCS 8412040024 | |
| Download: ML20100A638 (140) | |
Text
y- - . .
ICE-036(81G2)/jg 1 -
g SAFETY ANALYSIS OF SAFETY PARAMETER DISPLAY SYSTEM FOR SAN ONOFRE UNITS 2 AND 3 SOUTHERN CALIFORNIA EDISON DOCUMENT NO. 1370-ICE-1302, Rev. 01
/
Nuclear Power Systems COMBUSTION ENGINEERING, INC.
Windsor, Connecticut O
Prepared By <
/ c Date /[<'2 [Y R. 7. off (5ysyms Interaction and Operation
- Approved By Date // f C. A. c mbers, supervisor, safety status Monitoring systems Approved By [ c "+ Date //!1/89 T. M.'5tarr,'5ection Manager Instrumentation Systems ' Design l
l e COMBUSTION EMINEERING, INC. Issue Date O se 4 2.11rf l em
\
! 0412040024 841130 PDR ADOCK 05000361 F
pop
( .-_ _
._ ~ _ . _ . . _ .
ICE-036(81G2)/jg2 RECORD OF REVISIONS O NO. DATE PAGES INVOLVED PREPARED BY APPROVALS 00 9/27/84 All R. F. Hoffman K. R. Rohde T. M. Starr 01 19,21,40,56,75 R. F. Hoffman C. A. Chambers
' Il[1[T4 76,78,84,95,99 T. M. Starr I
i O .
1 l
i O
Document No. 1370-ICE-1302 i Rev. 01
ICE-036(81G2)/jg1.0.2 ~
ABSTRACT NUREG-0737, Supplement 1, requires that a " written safety analysis" shall be prepared for the Safety Parameter Display System (SPDS). The safety analysis shall describe the basis on which the selected parameters are sufficient to
- assess the safety status of critical functions for a wide range of events.
TherequirementsforanSPDShavebeenmetbySanOnofreUnits(SONGS)2and3 by the Accident Monitoring System (AMS), designed and built by Combustion Engineering. ,
This document fulfills the requirement for a " written safety analysis" by describing:
- 1) basis for parameter selection for the SPDS ,
- 2) basis for algorithms used in the SPOS
- 3) how human factors were incorporated into AMS design 1.
O Document No. 1370-ICE-1302 11 Rev. 01
.-+-m ,,,
ICE-036(8162)/jg1.0.3 -
- 4) verification and validation of the AMS
- 5) compliance with NRC regulations This is not a design document but is an assessment of the AMS design useful in licensing that system.
O O
Document No. 1370-!CE-1302 iii Rev. 01
ICE-036(8162)/jg2
() Table of Contents Section Pagg <
Record of Revisions i Abstract 11 I Safety Functions 9 A. Description of Safety Functions 9
- 8. 1. Basis for Parameter Selection 21
- 2. Basis for Algorithms and legs 37
- 3. Correlation of SPDS Parameters to the 54
() Five Critical Functions of NUREG-0737, Supp.1 1
II -
Human Factors Considerations 74
! A. Design of Displays 80 i 8. Design of Operator Station 86 C. User Functional Training 88 l
r J
(]) i 1
e Document No. 1370-ICE-1302 Rev. 01 I
- ~ - e .-,-..c- ,, ,---r- ,w.-ee-e. , - - - ,.w.-m .
y,w m---- ,-vm _~+-,e,-~~.
, .. .- o ICE-036(81G2)/jg3 -
p Table of Contents 1
v ,
1 Section M Verification and Validation III 89 A. Design Verification '
89 l
B. Validation Testing 91 C. CFMS Testing 96
^
IV Comparison of CFMS TO NUREGs 98 O
A. NUREG 0696 98 4
B. NUREG 0737 99 C. NUREG 0737, Supplement 1 101 D. NUREG 0835 l
l f V. Safety Analysis Items 128 i
l l
VI. References 130 i
O Document No. 137(-ICE-1302 -2 Rev. 01
ICE-036(8162)/jg 4 4
d 4
1 1 List of Tables s
i a
.Pa5L.
j 1. SONGS SPDS Parameter Selection 57 ,
I i
?
i 4 i
)
4
- r
- o d i i ;
i i
i I l
i I
I r
l h 1, i.
t i l !
i .
i j r i
. i
! t o
j l
t
!O I
i 1
Document No. 1370-ICE-1302 Rev. 01 l
- l i ._. . _ . . _ . _ . . . . - - . - - . . _ _ . .
s - _ , ,__ - -. - . . - , _ . _ - _ . _ _ , . _ _ . . _ _ _ ___..
ICE-036(81G2)/jg5 t
List of Figures fut Figure 1: Hierarchy of first five safety functions 18 Figure 2: Display Design Methodology 81 Figure 3: CFMS Display Hierarchy 85 0
Figure 4: SPDS Display Installation at SONGS 87 Figure 5: Halden Project Validation Setup 96 . ,
O Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 6 _
List of Abbreviations Abbrevation oefinition A/C Air Conditioning AMS Accident Monitoring System AUX Auxiliary -
CCAS Containment Cooling Actuation Signal CCW Component Cooling Water CEA Control Element Assembly O CEoM Coatroi Eiemeat orive Mechanism CFMS Critical Function Monitoring System CIAS Containment Isolation Actuation Signal CLR Cooler CNMT Containment
! CNTL -
Control l
l C)ND Condenser ~
CPIS Containment Purge Isolation Signal CRT , Cathode Ray Tube O
j Document' No.1370-ICE-1302 Rev. 01 e
e- %n : %w.
~ seapose = w-* .>-+w. m == --%.- . - + - =
ICE-036(81G2)/jg7 -
List of Abbreviations (Continued)
Abbrevation Definition -
CSAS Containment Spray Actuation Signal DISCH Discharge FW Feedwater FWPT Feedwater Pump Turbine HDR Header HDSR Historical Data Storage and Retrieval O HPSI Hien eressure Safety Insection HX Heat Exchanger I/C Inside Containment ICC Inadequate Core Cooling INPO Institute for Nuclear Power Operations Inst. Air Instrument Air Isolation ISO LD Letdown LOCA Loss of Coolant Accident O.
Document No. 1370-ICE-1302 Rev. 01
3.
ICE-03'6(81G2)/jg8 _
List of Abbreviations (Continued)
O-.
~
gbrevation Definition
'LP Loop j LPSI tow Pressure Safety Injection MON Moniter
, MSIS Main Steam Isolation Signal MSIV Main Steam Isolation Valve 0/C Outside Containment C PRESS Pressure PZR Pressurizer QSPDS Qualified Safety Parameter Display System .
Rad Radiation RC Reactor Coolant RCP Reactor Coolant Pump RCS Reactor Coolant System REGEN Regenerative SCE Southern California Edison O
Document No.1370-ICE-1302 -
7- Rev. 01 er -
y y . ,-w-w-v,w,,-..w,--e-y *- -
ICE-036(81G2)/jg9 .
List of Abbreviations (Continued)
Abbrevation pefinition SDCS Shutdown Cooling System SG Steam Generator SI Safety Injection SIAS Safety Injection Actuation Signal SPDS Safety Pi.rameter Displa'y System SUCTN Suction O TEae Temperature TK Tank UVR Under Voltage Relay l
l VOL Volume
~
WTR Water i
O Document No. 1370-ICE-1302 Rev. 01
<,-w- w-pr-ws--- w= -
- e -g.---,. ----r-"-- -+% w-wme& wgg*wy -r gr7 p m' w-ww-gimer.r9 y pe-mW e $se w e 4'y;Mwye "m9y*ew*--M=-v-@*p+yT*p***ew=9erwt
ICE-036(81G2)/jg10 -
I. SAFETY FUNCTIONS A. DESCRIPTION OF SAFETY FUNCTIONS
' Southern California Edison has installed an Accident Monitoring System (AMS) which comprises a Safety Parameter Display System (SPDS) known as the Critical Function Monitoring System (CFMS), seismically qualified Safety Parameter Display System (QSPOS) and an enhanced Historical Data
, Storage and Retrieval System (HDSR). The purpose of the AMS is to O provide the contre e-m personnei with conc 4se, understandahie, and integrated information to assist in assessing plant status during all modes of operation. The AMS also assists in assessing abnormal plant behavior following a reactor trip, including those events that I lead to inadequate core cooling, which help prevent fuel damage and i
radiation releases to the public.
l l
The SPDS utilizes the safety function concept. Safety functions 1
1 introduce a systematic approach for mitigating the consequences of plant O
Document No. 1370-ICE-1302 -
9- Rev. 01
- - *yw- *.i ,-w--,
a . _ . - - - --
ICE-036(81G2)/jg 11 -
transients and accidents. A critical safety function (as applied to a nuclear power plant) is defined as a group of actions that prevent core melt or minimize radiation releases to the general public. The actions may result from automatic or manual actuation of a system (e.g., reactor protection system generates a trip), passive system performance (e.g., safety injection tanks feed water to the reactor coolant system) or from natural feedback designed into the plant (control of reactivity by voiding in the reactor). Using safety functions, the operator observes the plant's O state and determines if safety foactioas are aeopardizedi aad. if so.
l determines appropriate success paths and takes control actions along these success paths to ensure the safety functions are accomplished.
l The safety functions grouped into the classes suggested in NUREGS-0696, 0835 and 0737, Supplement 1, are related to the CFMS.
l Although the titles of the critical functions differ between the NUREGS and their application in the CFMS, the definitions are the same. The l correlation between the two follows:
lO l Document No.1370-ICE-1302 -
Rev. 01 l
t '
- . . , _ , . . . _ - - - . , , . ~ . - .
ICE-036(81G2)/jg12 .
NUREG-0696, 0835,0737 (Supplement 1) CFMS Reactivity Control Core Reactivity Control Reactor Core Cooling and Heat Removal Core Heat Removal Control
~
From the Primary System RCS Heat Removal Control Reactor Coolant System Integrity P.CS Inventory Centrol RCS Pressure Control O aadioactivity Coatroi a aiatioa emissioas Coatroi Containment Isolation
, Control l
l Containment Integrity Containment Temperature /
l .
Pressure Control I
! Descriptions of each of the critical functions follows:
l l
O Document No.1370-ICE-1302 Rev. 01 l _ . _ . . _ . _ . .
ICE-036(81G2)/jg 13 l
The purpose'of the first safety function, Reactivity Control, is to monitor those parameters that affect reactivity, and assist in maintaining the reactor shut down following reactor trip.
Reactivity is controlled in the short term by insertion of the control rods and/or through the natural feedback mechanism in.the reactor cool ant. In the long term, reactivity is controlled by the addition of borated water to the reactor coolant system. Borated water can be added to the reactor coolant system using the charging and boric acid addition portions of the chemical and volume control O system, the high and' low pressure safety injection system and/or the safety injection tanks (reference 6).
The purpose of the second and third safety functions, Reactor
~
Coolant System (RCS) pressure and RCS Inventory Control, is to j monitor parameters that indicate that the core is covered with an.
effective coolant medium. RCS pressure control can involve either
- pressure maintenance or pressure limitation. Likewise, RCS O -
Document No.1370-ICE-1302 -
12- Rev. 01
-- - .. - ---- . -.e ---.
---eg-.g.w-.i-- ey--.-gs, qr y-e+e-epy g-y-,, - - e r--g *er-mp w cw e g-.e- p e-.
ICE-036(81G2)/jg14 Inventory Control can involve either inventory maintenance or inventory limitation. Under normal circumstances, RCS Pressure and inventory control are maintained automatically by the pressurizer pressure and level control systems. These systems use the pressurizer spray valves and the letdown system to limit pressure and inventory respectively, and they use the pressurizer heaters and charging system to maintain pressure and inventory respectively. If the pressure and level control systems are unable to limit RCS pressure and inventory, the pressure and inventory can be kept O within bounds by action of the primary safety valves. In the event that RCS inventory and/or pressure becomes low due to an opening in the reactor coolant pressure boundary or excessive cooling of the reactor
! coolant system from excess steam flow, RCS inventory is maintained by injection of borated water by the safety injection system or the safety injectiontanks(reference 6).
l l
o V
Document No.1370-ICE-1302 Rev. 01 w
ICE-036(81G2)/jg15 _
The purpose of fourth safety function, Core Heat Removal, is to
.O monitor the ability to remove the heat generated in the core by radioactive decay following reactor trip ano transfer it to a point where it can be removed from the RCS. This is accomplished by passing a coolant medium through the core to a heat removal point.
Normally, the reactor coolant pumps are used to provide forced reactor coolant flow through the reactor core to the steam generators. In the absence of forced reactor coolant flow, the core can still be cooled by natural circulation induced by a temperature O differeatiai from the steam senerators to the core. (This impiies that the steam generators must be available to act as a heat sink). If natural circulation cannot be established, heat can be removed from the core by boiling and movement of the steam to a point such that it can be discharged through an opening in the reactor coolant system piping (reference 6).
O Document No.1370-ICE-1302 Rev. 01 l
. _ _ - . _ _ _ _ ~ _ , _ _ - -
ICE-036(81G2)/jg 16 _
The purpose of the fif1!h safety function, RCS Heat Removal, is to monitor the system's ability to transfer heat from the reactor coolant to another heat sink. RCS heat removal is normally accomplished by transferring heat from the reactor coolant to the secondary system in the steam generator. The secondary system water is supplied by the main feedwater system or the auxiliary feedwater system. Reactor coolant heat can be transferred to the component cooling water via the shutdown cooling heat exchanger, provided that the reactor coolant system pressure is less than the shutdown cooling system pressure interlock setpoint. If no other O heat sink is evasiesie, reactor cooiant system neat removai can eiso se accomplished by discharging the hot reactor coolant directly into the containment through a pressure boundary opening or a primary relief valve (reference 6).
The purpose of the sixth safety function, Containment Isolation, is to prevent release of radioactivity from the containment by ensuring that all normal containment penetrations are closed off when containment isolation is required.
O Document No.1370-ICE-1302 Rev. 01 -
. . ICE-036(81G2)/jg 17 -
Containment Isolation uses a system and compbnent type logic measuring containment pressure, electronic equipment to generate and transmit an isolation signal when the containment pressure exceeds a setpoint, and a
- set of valves for isolating each containment penetration. (Thesevalves are generally part of other systems also.) Each containment penetration is provided with two isolation valves, one inside containment and one outside containment (reference 6).
1 The purpose of the seventh safety function, Containment Temperature and O eressure Controi, is to prevent overstress of the containment structure and damage to other equipment from a hostile environment by keeping containment pressure and temperatures within prescribed limits.
l Containment pressure and temperature are controlled using the containment spray system and the containment cooling system (reference 6).
The purpose of the eighth safety function, Radiation Emissions control, l ,
is to prevent radioactive releases. The critical function monitors l
releases from the primary coolant into containment by monitoring
.O Document No. 1370-ICE-1302 Rev. 01
l ICE-036(81G2)/jg 18 -
containment radiation. This critical function assists in monitoring releases from various areas around the plant outside containment by monitoring the plant vent stack, the containment purge stack and condenser air ejector radiation (reference 6).
The first five safety functions have priority relative to the others as shown in Figure 1. In general, reactivity control is the foremost function because the amount of heat that must be removed from the core is determined by how well this function is O .
accompiisned. next in precedence are those functions for appropriately maintaining a core cooling medium. To achieve this, actions must be accomplished to maintain an adequate reactor coolant system inventory and an appropriate reactor coolant system pre'ssure'.
Finally, if core heat removal is not carried out, then coolant system heat removal is irrelevant (reference 6).
l l-
'n O
Document No. 1370-ICE-1302 17- Rev. 01
-d - <- p ,.-e - - . g---. # -.y-.$e..-g- --e-e rpw.--n- ..w,, ,p..,, ,,,,%-9 a-rra--=wmwm-- -*w- P--wh*cww-g- e-'yr--M -r--c-tr w-w----w rer--
ICE-036(81G2)/jg 10 _
l Fioure 1: liierarchy of first five ' safety functions O, .
REACTIVITY CONTROL .
RCS RCS INVENTORY PRESSURE CONTROL CONTROL
-O 1
l 1
l l
I l
i I
' CORE .
HEAT ,
REMOVAL RCS HEAT
- REMOVAL O
FIGURE 1 Rev. 01
~
Document No. 1370-ICE-1302 w--ey- ,.y-----w-,sy-,e c , , , , , , , , - ,, ,--pg yw-.-, - - , , - , ,.y.-rym. 9-gp.,g-+M ggy- gy,w--
ICE-036(81G2)/jg 24 .
Advanced human engineering techniques have been incorporated into the p
G' design of the CFMS. One way this is accomplished is by displaying only.
pertinent information related to a safety function, and by designing displays so that they are easily understood by the operators.
The displays have been arranged in a hierarchy (Figure 3). The hierarchy consists of three levels:
- 1) Level 1 - Overall plant status O 2) tevei 2 - Fuoction status
- 3) Level 3 - Subfunction diagnostic status The Level 1 display provides the operator with a broad overview of the status of all the' safety functions. Level 2 displays more information on l a safety function at the system level (i.e.; primary system, secondary system, etc.) Level 3 displays provide even more detailed information on a sub-function level (i.e., Safety Injection System, Main Feedwater System, etc.)
Document No. 1370-ICE-1302 Rev 01 1
' ICE-036(81G2)/jg 21 When an abnormality occurs, the affected safety function on the Level 1 display is highlighted by a color change and on-off blinking. The t
operator is then guided in a systematic fashion to the Level 2 and 3 displays to obtain more information on the nature of the abnormality.
l O
l I
l O-Document No. 1370-ICE-1302 Rev. 01 wv--r--w-~sw.,-,_ _ _ ,
ICE-036(81G2)/jg 26 I.B.1 Basis for Parameter Selection
- -O Supplement 1 to NUREG-0737 specifies that the SPDS must provide (as a minimum) plant operators with information about the following 5 areas: (The CFMS addresses these areas as eight unique critical safety functions which are noted in the parentheses):
A
- 1) Reactivity Control (same name)
- 2) Reactor Core Cooling and Heat Removal from the primary system (Core Heat Removal, RCS Heat Removal)
- 3) Reactor coolant system integrity (RCS Inventory Control, RCS Pressure Control)
- 4) Radioactivity control (Radiation Emissions Control, Containment Isolation) 5). Containment integrity (Containment Temperature / Pressure Control)
O Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg23 -
Additional guidance used to select SPDS parameters was obtained from Reg. Guide 1.97 and operating experience. Many of the parameters discussed below are monitored for a variety of reasons but will be discussed only with respect to their use in maintaining safety functions. The basis for the parameters selected to meet the l .
requirements of the subject areas identified in Generic Letter P2-33 is as follows:
- 1) Reactivity Control O
The purpose of the reactivity control critical function is to maintain control over the core nuclear process after a reactor trip has occurred and provide the operator with the status of conditions within the reactor core. The CFMS meets the objective by measuring various core parameters and conditions including
- 1) CEA rod bottom contacts ,
- 2) CEDM main power bus under voltage relays O 3) Neutron flux Document No.1370-ICE-1302 - 22- Rev. 01 w- ---, y ee-. . - g . - - ,-,p...,-4 g-w-4 ,._,w-_.wm,--,-gy, +yg,wy,,-w-% .,9-y--_w,e7, r.
. _ . . _. .. . ~ _
ICE-036(81G2)/jg-24 -
1
- 4) wide range log power
- 5) hot and cold leg temperatures i
The above parameters are monitored to alert the operator to possible loss of shutdown margin following a reactor trip.
l The CFMS monitors and displays reactor power in all ranges and l
l- rate of change of power. This provides the means to monitor O core fiux conditions throughout aii ranoes of reactor .
l
! operation. The CFMS monitors post trip power, reactivity addition, and reactor trip status. Based upon the above evaluation, these parameters are sufficient to provide the operator with indication of reactivity control for a range of plant conditions.
r l
lO L Document No.1370-ICE-1302 Rev. 01 l .._ _.._ ._...__,
ICE-036(81G2)/jg 25 -
p 2) Reactor Core Cooling and Heat Removal from the Primary System V
The objective of this area is to provide sufficient indication such that an operator can determine if the reactor core is being adequately cooled and heat is being sufficiently removed i
from this system.
a) Cora Heat Removal O The purpose of the core heet removai criticai foaction is to transfer heat generated in the reactor core to the primary coolant system, where heat will be transferred out of the RCS. A loss of core heat removal is indicated by the CFMS by high core exit temperatures, a lo s of primary coolant subcooling, and/or voiding in the reactor vessel and the hot legs. In order to monitor this critical function, the following parameters are measured by the CFMS:
Document No. 1370-ICE-1302 Rey, 01
.._ - . _ _ . _ _ . _ - . _ . _ . _ - . _ . _ _ - . _ 1:E_JZZ121~Z:1_ i
1 n ^
ICE-036(81G2)/jg26 -
- 1) hot and cold leg temperatures - this enables
[ '}
monitoring adequate forced or natural circulation cooling or shutdown cooling system operation.
- 2) reactor vessel level - the reactor vessel level is measured from the top of the core to the top of the reactor vessel head. A low reactor vessel level indicates a potential for core uncovery.
() 3) Core exit temper'ature - thermocouples are located just above the core. Rising core exit temperature indicates increasing cladding temperature caused by core uncovery while falling core exit temperatures indicate decreasing cladding temperature. Core exit temperature is also used for calculating the saturation margin at the ' core exit, another indicator of the trend of cladding temperature in the core.
([]) .
Document No. 1370-ICE-1302 Rey, 01 ,
- - . . - - , . . . , - - - . - .w-w-e-- -v = --% -_- -w-e- -
e-__ w-
_=_
ICE-036(81G2)/jg27
- 4) "**** " * "* P"*P ' 'd - *h "d * * "'* "
C'd the formation of voids in the reactor coolant system.
. Decreasing pump load may indicate void formation.
b) RCS Heat Removal The purpose of this critical function is to transfer the heat that is in the primary coolant to one of the following heat sinks: the steam generator, shutdown O cooiinssystem(SDCS),orcontainment(whenthereisanopenins in the primary system). This algorithm will monitor core conditions following a reactor trip.
The essential parameters monitored by the CFMS are:
- the status of these parameters are monitored during shutdown cooling operation to ensure adequate heat O removal from the RCS.
~
Document No.1370-ICE-1302 Rev. 01
^
ICE-036(81G2)/jg28 Steam generator levels, feedwater flows - these are
( 2) monitored to observe proper cooling of the RCS while the plant is in a mode other than shutdown cooling.
- 3) Charging flow, LPSI and HPSI flow - these flows are monitored to ensure adequate heat removal capability in the event that inventory remplacement is needed following SIAS.
.O the monitored par eeters - core exit temperatures, coid ieg temperatures, saturation margin, steam generator level, steam generator pressure, reactor vessel level, shutdown cooling temperatures and flow and the safety injection flow are sufficient l
for the operator to assess RCS Heat Removal and Core Heat Removal l
for a wide range of conditions.
l O
Document No.1370-ICE-1302 Rev. 01
., . r : T~ _ _. .. - - _ .
_ _ .__ _ - ,- _ - .L ::L ~::- : : , , - .
ICE-036(81G2)/jg29 -
- 3) Reactor Coolant System IntegHty The objective of this critical function is to provide sufficient indication such that an operator is able to detemine that primary coolant system boundaries are maintained. The CFMS meets this objective by monitoring two critical Safety functions, RCS Inventory Control and RCS Pressure Control.
O -) acs taveatory coatroi The objective of this critical function is to monitor the system's ability to keep the core covered with an effective coolant medium. Maintaining RCS inventory ensures maintaining adequate core cooling. The critical function algorithm considers only the initial loss of RCS inventory control.
Continued inventory losses are monitored by the core heat O
Document No.1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg30 q removal critical function (e.g., reactor vessel level). The k/ .
parameters that are monitored by the CFMS as follows:
- 1) Pressurizer Level - excessively low pressurizer level could indicate a large RCS coolant contraction (from an excess cooldown event) or a loss of inventory (from a steam generator tube rupture or LOCA).
- 11) Quench Tank Level, Temperature, Pressure - these O parameters monitor discharge from ene primary safety valves. A high level, temperature and pressure may indicate potential for relieving the Quench Tank contents into containment and indicate an abnormally large discharge of RCS inventory.
iii) Relief Valve Discharge Temperature - this is another indicator of primary safety valve discharge. A O
Document No. 1370-ICE-1302 Rev. 01 '
~ . . - - - . - . . . . . . - . .
ICE-036(81G2)/jg31 i
continually high relief valve discharge temperature may indicate abnormally large discharga of RCS i-inventory.
4 b) RCS Pressure Control i
This critical safety function monitors the system's i t ability to maintain an effective coolant medium by
- ensuring RCS pressure is within bounds. The parameters t
!O that are monitored by the CraS are:
1 1
- 1) Pressurizer Pressure - this parameter is used to monitor the maintenance of subcooled margin in the
- reactor coolant. This is also used to monitor (in j conjunction with cold leg temperature), the approach
) to material fracture limits. This is also used to monitor transients with a high rate of change of pressure, or high sustained pressurizer pressure, i O Document No. 1370-ICE-1302 Rev. 01 ,,
, t
. _ Z_ . ~ . _._ .._ ., , . _ -. _. ... _!Z._ ., _ _ _ _ . _.11~__. .__ _ _- .. _ , . _11 121.^11. ._.~!E._ Z1' - ~_, ..
-n r. __
ICE-036(81G2)/jg32 f- ii) Cold Leg Temperature - this is used, along with pressurizer pressure, to ensure that over-pressurization of the primary system does not occur when the RCS is cold (thus avoiding violation of material fracture requirements).
The monitored parameters, pressurizer pressure, pressurizer level, quench tank temperature, cold leg temperature, quench tank level and quench tank pressure assess RCS integrity for a wide range of O over tias coaditioas.
- 4) Radioactivity Control l
The objective of this critical function is to provide sufficient indication such that an operator can determine that radioactive l
j substances are not being released to the environment in an uncontrolled manner. The CFMS meets this objective by monitoring two critical safety functions: Radiation Emissions Control &
O Containment Isolation.
Document No. 1370-ICE-1302 -
31 - Rev. 01
--- .. ,. -_,.--y- _ , - , , - - - -
. _ ..,._..,.,-_,_c, ___,_._,,_.-w%-_ , , , _ _ , , , , , , _ , - w.-_.,- w-~. ,_m.-w,, .
ICE-036(81G2)/jg33
( a) Radiation emissions control - this critical function algorithm monitors potentially hamful radiation from the primary system to containment and from the plant into the ,
environment. The essential parameters that are monitored are:
- 1) condenser air ejector radiation - this detects high Xenon and Krypton gas concentration which may indicate a steam generator tube rupture.
1 O .
ii) vent stack radiation - this detects radiation leaving the plant by way of the ventilation system.
l l iii) containment radiation - this detects radioactive particulate concentrations in containment following a i LOCA.
1 O -
Document No. 1370-ICE-1302 Rev. 01 ,
t
ICE-036(81G2)/jg34 -
iv) . containment dome radiation - this detects radioactive I gas in the upper portion of the containment building i following a LOCA.
v) Purge stack radiation.- this detects radiation leaving the plant by way of the containment purge system, i
b) Containment Isolation - the purpose of this critical function is to prevent release of radioactivity from O containment by assuring that pipes that penetrate containment close upon receiving isolation signals. Isolation of these valves prevent release of radioactive water or steam from leaving containment and uncontrolled blowdown of the secondary side in the case of a steam line break. The valves monitored by the CFMS are found in Table 1, and are listed by.
classes below:
A V
Document No. 1370-ICE-1302 -
33- Rev. 01
,e, .n. . -.. -.~-+,s.r. ~ ,
,-c -e -e- e -v< g-m-wwww*v---* ***wp-""W""NT% 9'""'?T C~' * " " "" '" **
ICE-036(81G2)/jg35 -l 1
l i) valves that close on containment isolation signal (CIAS). This prevents release of radioactivity outside-f containment following a primary or secondary break.
ii) valves that close on containment purge isolation signal (CPIS). This prevents release of radioactivity from the containment purge system to the environment.
iii) valves that cl6se on Safety Injection Actuation (SIAS).
This prevents release of radioactivity outside containment following a primary or secondary break.
- iv) valves that close on Main Steam Isolation (MSIS).
l l
These valves prevent excessive blowdown of the secondary side following a steam line break.-
- O -
34-Document No.1370-ICE-1302 e
o e-- y *
.--rn
-.,%-. p r,yy yw-wy ., ,-,g,-w.isy.-y-,w m ,. -- y---%y__,.,_,,4 , ,_ w.-- , e --c. 9 , - , , -
- w. .
ICE-036(81G2)/jg36 c The monitored parameters for radiation emissions control
(
and containment isolation provide control room operators with sufficient indication of any potential uncontrolled radiation release.
- 5) Containment Integrity The objective of this critical function is to provide sufficient indication such that an operator can determine if a O containmeat bouadary is beins maintained to controi radioactive releases.
l a) Containment temperature / pressure control - the purpose of this critical function is to prevent potentially large l
radioactivity releases from containment by maintaining i
containment pressure within design limits. The following
[ ,
parameters are monitored by the CFMS:
O Document No.1370-ICE-1302 - 35- Rev. 01
,- ,, ., ,,-----,- .- - .- , ,--..u-, , m-., - - -
ICE-036(81G2)/jg37 -
- 1) containment fan cooler operability - containment fan coolers are used to reduce containment temperature and pressure. The CFMS will generate an alarm whenever more than two out of the four fan coolers are not working, when they are required to operate.
- 11) containment spray flow - containment sprays are necessary to reduce containment pressure following a LOCA or Main Steam Line Break (MSLB) inside
-O containment. .
iii) containment pressure - this parameter is observed to monitor the effectiveness of the containt.c; pressure mitigating systems.
iv) containment temperature - a persistently high containment temperature may adversely affect the operation of safety systems in centainment. This parametar can also provide indication of gas combustion in containment.
9 Document No. 1370-ICE-1302 Rey, 01
_._ . _ T -_~1_ T._.
-... a . .
ICE-036(81G2)/jg-38
(] I.B.2 Bases for Algorithms and Legs The basis for all the CFMS algorithms is to alert the operator when control of a critical function could be lost. For example, if the shutdown cooling heat exchangers malfunction during shutdown cooling operation, control over RCS heat removal could be lost. An alarm is generated, therefore, to alert the operator. A description for all the alarm algorithms legs is given below for each critical function.
Reactivity Control Core reactivity control monitors the status of various core parameters to ass'ure controllability of the nuclear process, i.e.,
the function's objective is to maintain control over the core nuclear process after a reactor trip has been generated. Prior to a reactor trip core, j
moderator and doppler feedbacks and baron concentration adjustments can compensate for small reactivity Document No.1370-ICE-1302 Rev. 01
-- - . - . - -.~- -- --.-- .. - - .-. L . r : :L~:;7 ~~:. -
ICE-036(81G2)/jg39 -
changes. For larger reactivity changes and for a variety of plant malfunctions a reactor trip will automatically occur. After reactor trip, boron maintains the core in a shutdown condition. This critical function algorithm will therefore (1) ensure that a sufficient number of CEAs drop in on reactor trip and (2) there is sufficient baron in the core to mainta'in shutdown margin.
The following alarm legs monitor these conditions:
- 1) CEA Drop Malfunction - An alarm is generated if a sufficient number (more than 10) of CEAs have not dropped following a reactor trip.
- 2) High Post Trip Power - This algorithm leg detects abnormal post l
trip increases in neutron count rate indicative of a flux increase.
l0 -
Document No. 1370-ICE-1302 -38" Rev. 01 l
[ .. .-- . .. - . . - - . . - - - . . - . , .
.. . ..m, . .. . .- -
ICE-036(81G2)/jg 40 -
4
- 3) Thermal Reactivity Addition - This algorithm leg detects high source range count rates indicative of flux increases in the cold shutdown condition.
- 4) Low Boron Concentration - If an insufficient number of CEAs have dropped in following a reactor trip (as detennined in the CEA Drop Malfunction leg) core reactivfty can be controlled by having sufficient boron in the core. An alarm is generated if the algorithm determines there is not enough boron in the core
) to maintain shuttown margin.
Core Heat Removal The purpose of the critical function is to monitor the system's ability to transfer heat from the reactor core to the primary coolant system. The primary mode of core heat removal' is by forced circulation of coolant by the reactor coolant pumps (RCPs). If the Document No.1370-ICE-1302 Rev. 01
- - - , - . - . L - . *:T :.L. .::~ LLET . L- . .
-ICE-036(81G2)/,jg 45- -
RCPs are unavailable, natural circulation of coolant will remove
] heat from the core. In the case where there is a break in the primary system, steam produced by water boiling in the core will remove heat.
If sufficient. inventory is lost from the primary system during a LOCA, the fuel cladding may heat up and rupture, releasing radioactivity into the primary system. The core heat removal critical function will alert the operator to the approach to O. inedequate core cooisas conditieas usin9 the foiiowins eisorithm legs.
- 1) Low reactor ~ coolant pump load - One of the early indicators of
~ a LOCA is the decrease in RCP load due to voiding. An alarm is generated whenever RCP load falls below a setpoint.
l l
l i O
, Document No. 1370-ICE-1302 Rev. 01 l
. ~ , . . . .
ICE-036(81G2)/jg42 Q 2) Low reactor vessel-level - An alarm is generated when level in the reactor vessel has decreased to the bottom of the hot leg.
This will alert the operator to the potential for core f
uncovery.
- 3) Core saturation margin - This leg alerts the operator to the transition from subcooled to saturated fluid at the core exit.
- 4) Hi core AT (Thot - Tcold) - This indicates lower circulation of primary fluid through the core than that needed to remove decay
, heat during natural circulation.
I
- 5) Hf core exit temperature - This indicates high cladding temperatures in the core as a result of core uncovery.
RCS Heat Removal l
I l The objective of the RCS heat removal algorithm is to transfer heat generated and stored in the RCS to a heat sink. The critical safety function monitors the various means of heat removal to detennine if 4
heat is being removed from the RCS. While the RCS is intact, heat
- O Document No.1370-ICE-1302 _41_ Rev. 01 t ,
, ~ . . , , . .. . . _ , _ _ _ _ . _ _ _ , , - . _ _ _ _ . , _ _ _ _ _ _ . _ . - . - ~ . . _ _ _ , , . . . . _ _ , _ . . .
' ICE-036(81G2)/jg 43 _
is removed either from the steam generators or the shutdown cooling system. If there is a small break LOCA heat is removed by a combination of steam exiting the RCS through a break and steam generator cooling. For a large break LOCA, heat is removed almost exclusively through the break.
The alarm algorithm legs are therefore:
- 1) Steam Generator Not Cooling i
O An alarm is generated to alert the operator that steam generator heat removal capability is lost based on low
(
feedwater flows and steam generator levels. This alarm will occur if the reactor has tripped, the shutdown cooling system is not aligned and the RCS is still subcooled.
O Document No.1370-ICE-1302 Rev. 01 m -- --- _w ._wme--.. . - -y,g,, . . ,_
,, -,mw-y,y,- %-, y __ _- . -. _ , - -ypy,..-,- ,..c- .- _,,_ y-e.
,- ,,-m_3 -.9#
ICE-036(81G2)/jg44 -
- 2) Shutdown Cooling System Not Cooling An alarm is generated to indicate inadequate shutdown cooling operation while the system is in cold shutdown. The alarm is based on Low Pressure Safety Injection (LPSI) flow and LPSI header temperature.
- 3) Low Safety Injection /Feedwater Cooling O An alarm is generated if the combined cooling capability of the steam generators and safety injection systems are insufficient to remove decay heat during a small break LOCA. The algorithm monitors feedwater and safety injection flows, RCS saturation margin, and RCS heatup rate. -
l O -
Document No.1370-ICE-1302 Rev. 01 i
l
( _ _ _ _ _ . _ . . _ . . _ . . _ . . _ _ _
ICE-036(81G2)/jg45 -
4,5) Low Safety Injection System Pump Flow, Emergency Core Cooling System Not Cooling Both of these algorithm legs generate alarms whenever the ECCS system is delivering inadequate safety injection flow to the RCS. This alarm is useful in monitoring large and small break LOCAs. The algorithms monitor safety injection flow vs.
pressurizer pressure performance, and safety injection flow vs time following a large break (before and after RAS).
O ,
Reactor Coolant System (RCS) Inventory Control The objective of this critical safety function is to keep the
, core covered with an effective coolant medium. The critical t
function compares the group of actions to maintain control over i
1
, coolant volume or mass. Normally, inventory is maintained by i
l the Pressurizer Level Control System (PLCS). Normal control over inventory is lost if level cannot be maintained in the O
Document No.1370-ICE-1302 44 Rev. 01
ICE-036(81G2)/jg 46 _
.n pressurizer. The algorithm therefore monitors the initial loss D
of inventory control (further losses are monitored by the RCS and core heat removal critical functions). The opening of the primary relief valves relieves inventory to the Quench Tank when the RCS is over-pressurized. Excessive blowdown through the relief valves though can jeopardize RCS inventory control and is therefore monitored. The alarm algorithm legs are therefore:
O 1) 'o Pressurizer 'evei - ^6aar i fiuid coatractioas (suca as an excess cooldown) or excess inventory losses (such as a LOCA) may cause pressurizer level to significantly
- decrease. An alarm is therefore provided.
- 2) Quench Tank Level, Pressure, Temperature - Primary relief valve discharges are monitored by the CFMS. High Quench Tank level, pressure or temperature indicates abnormally O
Document No.1370-ICE-1302 Rev. 01 i
~
- - - - . - - . . . . , ~ . . - . _ . _ . _ . .
ICE-036(81G2)/jg47 _
s large relief valve discharge, threatening inventory (v')
control. All three parameters are monitored since they may increase at an unequal rate.
l
- 3) Relief Valve Discharge Temperature - An alarm occurs when ver the relief valves open. If the alarm remains on below the relief valves blowdown pressure, inventory control is threatened.
() RCS Pressure Control This critical function, along with RCS Inventory Control, monitors the plant's ability to maintain an effective coolant medium around the core. The objective of this critical function algorithm is to maintain pressure between the high pressurizer pressure trip setpoint and the minimum pressure needed to maintain 20*F
( ]) -
Document No.1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 48 _
subcooling. Alarms are generated when'RCS pressure or the rate of
-(
change of pressure is expected to exceed these bounds. The
, algorithm legs are therefore:
- 1) High pressurizer pressure / rate - An alarm is generated whenever the rate of change is expected to exceed the bounds listed
~
above, or whenever there is a high sustained pressurizer
)
i pressure.
- i I
() 2) Low Subcooled Margin - An alann is generated if subcooled margin goes below a setpoint indicating an approach to inadequate core cooling condition.
! 3) Cold Stress Temperature - In addition to the above alarms, an alarm is generated to detect overpressurization of the primary system while in a cold co'ndition, to prevent violation of material fracture requirements.
O Document No.1370-ICE-1302 Rev. 01
- - - . - - - T ___.__.._.___.__._.-____-_-_i_____________._-Z~.i._...
ICE-036(81G2)/jg 49 -
Radiation Emissions Control The objective of this critical safety function is to monitor relaases of radiation from the primary coolant system to containment, and from the plant as a whole to the environment. The algorithm legs are therefore:
- 1) High Containment Radiation - An alarm is generated whenever a high particulate concentration occurs in containment, O indicating a LOCA.
2). High Containment Dome Radiation - An alarm is generated
! whenever a high radioactive gas concentration occurs in the i
! containment dome, indicating a LOCA with fuel cladding failure.
l l
I lO Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 50
. () 3) .High Condenser Air Ejector Radiation - An alarm is generated whenever a high xenon and krypton gas concentration occurs at the condenser air ejector, indicating a steam generator tube rupture.
A
- 4) High Vent / Stack - An alarm is generated whenever radiation is detected leaving the plant through the continuous vent stack.
This will detect releases that occur from a number of sources i
throughout the plant (waste tanks, vents, etc.)
- 5) Hi Purge Stack - An alarm is generated whenever radiation is detected leaving the plant through the purge stack. This will
, detect releases that occur from the containment purge system.
l l
Containment Isolation ,
i.
The purpose of the containment isolation critical function.is to l prevent radioactivity releases from containment by assuring that Document No. 1370-ICE-1302 49- Rev. 01 i
i
4 ICE-036(81G2)/jg 51'
(] valves in piping penetrating containment close on demand. There are a number of signals that will close containment penetration
- isolation values. This algorithm monitors the closure of isolation valves actuated from the following signals:
- 1) Containment Isolation Actuation Signal (CIAS) - This signal isolates a number of containment penetrations based on either a low pressurizer pressure or high containment pressure signal indicative of a steam line break or LOCA.
- 2) Containment Purge Isolation Signal (CPIS) - This signal occurs on a high radiation sensed in containment.
I
- 3) Safety Injection Actuation Signal (SIAS) - This signal isolates containment penetrations based on a low pressurizer pressure or l
high contiinment pressure. This prevents release of
~
radioactive water outside containment following a LOCA.
O Document No. 1370-ICE-1302 Rev. 01 I
-s
- ICE-036(81G2)/jg52
[
- 4) Main Steam Isolation Signal (MSIS) - This signal occurs to prevent uncontrolled blowdown of the secondary side following a Steam or Feedwater Line~ Break.
Containment Temperature / Pressure Control The objective of this critical function is to prevent overstress of the containment or damage to vital equipment by keeping temperature and pressure within prescribed limits. During a LOCA or steam line O break inside containment, temperature and pressure increase. At +4 psig containment pressure, a Containment Cooling Actuation Signal (CCAS) occurs, actuating containment fan coolers. At +12 psig a Containment Spray Actuation Signal (CSAS) occurs actuating containment sprays. Proper operation of these two systems should t
prevent approach to containment design limits. This algorithm therefore monitors the operation of the pressure mitigating systems.
t i
O Document No. 1370-ICE-1302 Rev. 01 1
.- _ . . .. . .~ . .._
ICE-036(81G2)/jg 53
(] .The algorithm logs are therefore:
'1) Fan Coolers - After CCAS initiation, if less than 2 fan coolers are operating an alarm will be generated.
1
- 2) Low Spray Flow - After CSAS, 'if there is insufficient spray flow to containment, an alarm will be generated.
t 3,4) Containment Pressure Change and High Containment Pressure -
O These two algorithm iegs monitor the effectiveness of the above 4
containment pressure mitigating systems. An alarm is generated if the magnitude or rate of change of pressure exceed limits.
4 l
- 5) Low Containment Pressure - An alarm occurs if containment pressure decreases below atmospheric pressure as a result of excessive spray flow.
l O .
Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 54-
- 6) High Containment Temperatures - An alarm is generated if o
containment temperatures are high. This is to alert the operator of 1) possible adverse effect on safety equipment, or
- 2) the possibility of gas combustion taking place in containment.
i O
i i
I i
1 l
i 4
l:
l 1
l l
L o.
i- Document No. 1370-ICE-1302 Rev. 01
ICE-033(81G2)/jg55
/"'s I.B.3 Correlation of SPDS Parameters to the Five Critical Functions of
\.)
Supplement 1, NUREG 0737.
4 The five critical functions defined in NUREG-0696, 0835, and 0737 supplement 1 are:
- 1) Reactivity control
- 2) Reactor core cooling and heat removal from the primary system
- 3) Reactor coolant system integrity
(} 4) Radioactivity control
- 5) Containment integrity a
The critical functions within the CFMS are:
- 1) Reactivity Control
- 2) Reactor Coolant System (RCS) Inventory Control
- 3) RCS Pressure Control
- 4) Core Heat Removal Control
- O Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 56 p 5) RCS Heat Removal Control v
- 6) Containment Pressure / Temperature Control
- 7) Containment Isolation
- 8) Radiation Emissions Control
- The critical functions defined in NUREGS-0696 and 0737 Supplement 1 l
correspond to the critical functions applied to the CFMS as shown below:
O NuReG-0696.0737<suo.1)
CFas 1
- 1. Reactivity control Core Reactivity control
- 2. Reactor core cooling and heat ' Core Heat Removal removal from the primary RCS Heat Removal sy: tem
- 3. Reactor coolant system RCS Inventory Control O integrity RCS Pressure Control Document No. 1370-ICE-1302 Rev. 01 n,a,-.--.----y-- - . , _ .-_..,~,.,---.e,
. u.,,w,,, <, y~--, - we__, ,,--,.g.w,_-n --.,ma.,-,--, .p--,-mp-emg-,,,-,_.,,,,,,,e.-r-
-w , --.,--g- an,w,,- w-
ICE-036(81G2)/jg 61 NUREG-0696,0737(Sup.1) CFMS -
O
- 4. Radioactivity control Radiation Emissions Control Containment Isolation
- 5. Containment Integrity Containment Temperature /
Pressure Control
)
eO Table 1 identifies the specific parameters monitored for each of the safety functions.
O Document No. 1370-ICE-1302 Rev. 01
-. ~ . . _ - . _ . _ . . - -.- _ -_ . .. _._ _ _ . _ _ _ - . _._ _ _ .. _ _-.. _ .-_ _ ___.._ _ .. _ _ _ _ _ _ _ _. _ _ _
I ICE-036(81G2)/1g 58 i-1 4-TABLE 1 .
L i !
l-i l SONGS Unit 2 and 3 [
} i i !
! Safety Parameter Display System (SPDS) !
i j Parameter Selection i
I l 1
i' i . ,
i I r-4 i
I ,
j- .i i l P
O .
l t- l i
I t
i L
F ,
t l, -
L ,
i i
r-g ,
i Document No. 1370-!CE-1302 -57 Rev. 01
,m, ,.~ ,n - <. . .-- _,,+m
ICE-036(81G2)/jg 59 O
POINT ID EhGLISH DESCP. RANGE I Core Reactivity Control Y1091 CEDM Main power bus uvr 1 On/Off Y1092 CEDM Main power bus uvr 2 On/0ff Y1093 CEDN Main power bus uvr 3 On/Off Y1094 CEDM Main power bus uvr 4 On/Off Y1542 to CEA 01 Bottom contact to On/Off ooo Y1632 ooo CEA 91 Bottom contact On/Off 5
XJ005 Neutron flux startup Ch. I 1x10' - 1x10 cnts/s XJ002C High log pwr lvl Ch. 3 2x10-8 to 2x102 pet.
T111X Hot leg temp Loop 1 525-625'F T121X Hot leg temp Loop 2 525-625'F T111XA Hot leg SGE089 Temp Ch. A 0-710*F T121XB Hot leg SGE088 Temp Ch. B 0-170*F T111Y Cold leg temp loop 1A 525-625'F T125 Cold leg temp loop 2A 0-600'F T115 Cold leg temp loop 1B 0-600*F T121Y Cold leg temp loop 28 525-625*F T111YA Cold leg LP 1A temp Ch. A 0-710'F T125A Cold leg LP 2A temp Ch. A 0-710*F T115B Cold leg LP 18 temp Ch. B 0-710*F T121YB Cold leg LP 2B temp Ch. B 0-710*F A203 Boronometer 0-5000/ ppm O
Document No. 1370-ICE-1302 Rev. 01 u
ICE-036(81G2)/jg60 POINT ID ENGLISH DESCP. RANGE II Core Heat Removal T111X Hot leg temp loop 1 525-625*F T121X Hot leg temp loop 2 5?S-625'F T111XA Hot leg SGE089 temp Ch. A* '0-710*F T121XB Hot leg SGE088 temp Ch. B 0-710*F Til1Y Cold leg temp loop 1A 525-625'F T121Y Cold leg temp loop 28 525-625'F T111YA Cold leg LP 1A temp Ch. A 0-710*F ,
T115B Cold leg LP IB temp Ch. B 0-710*F T125A Cold leg LP 2A temp Ch. A 0-710'F T121YB Cold leg LP 2B temp Ch. B 0-710*F T115 Cold leg temp Loop 18 0-600*F T125 Cold leg temp Loop 2A 0-600*F KRVLPLN Reactor Vessel Level (Plenum) 0 - 100' Pct.
KCET Representative core exit temp 32 - 2300'F KCTSM CET temp sat margin -2100-700'F YI9160A RCP 1A amps 0.0-1000 Amp YS9161A RCP 18 status On/Off YI9161A RCP 2A amps 0.0-1000 Amp YS9162A RCP 2A status On/Off YI9163A RCP 28 amps 0.0-1000 Amp YS9163A RCP 28 status On/Off YS9160A RCP 1A status On/Off YI9161A RCP 18 amps 0.0-1000 Amp 4
4 W
i .
i Document No. 1370-!CE-1302 Rev. 01 .
ICE-036(81G2)/jg61 PLANT-
. FUNCTION- DESCRIPTION RANGE
! III. RCS HEAT REMOVAL i'
T351Y LPSI HOR Temp 0-400*F
- - LT1114 SGE088 Level 0-100%
! LT1115 SGE089 Lavel 0-100%
! FT4725 Aux Fw Flowrate to SGE089 0.0-800.0 GPM 4
I FT1111 Fw Flowrate to SGE089 0.0-1.602 x10 GPM T111X Hot Leg Temp Loop 1 525-625'F 4 T111Y Cold Leg Temp Loop 1A 525-625'F T115 Cold Leg Temp Loop 1B 0-600*F l T111XA Hot Leg Temp SGE089 Ch. A 0-710*F h_ T111YA Cold Leg Temp LP 1A Ch. A 0-710*F f .O. T115. Coid Leg Tem, L, 1. Cn. .
0-710 F j LT1124 SGE089 Level 0-100%
LT1125 SGE088 Level 0-100%
l-j FT4720 Aux Fw Flowrate SGE088 0.0-800.0 GPM 4
FT1121 FW Flowrate to SGE088 0.0-1.602x10 GPM T121X Hot Leg Temp Loop 2 525-625'F 3
9 '
T125 Cold Leg Temp Loop 2A 0-600*F T121Y Cold Leg Temp Loop 28 525-625'F j
T121XB Hot Leg Temp SGE088 Ch. B 0-710'F T125A - Cold Leg Temp LP2A Ch. A 0-710*F T121Y8 Cold Leg Temp LP2B Ch. B 0-710'F i ZL93371 SDC ISO VIV Open/ Closed ZL93392 SDC 150 VIV Open/ Closed
j
.O Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 62 G
V PLANT FUNCTION DESCRIPTION RANGE III. RCS HEAT REMOVAL (Continued)
Z93784 SDC ISO VIV Open/ Closed ZL93362 SDC ISO VIV Open/ Closed ZL93791 SDC ISO VIV Open/ Closed T111X Hot Leg Temp Loop 1 525-625'F T111XA Hot Leg Temp SGE089 Ch. A 0-710*F P100X Pzr. Pressure 1500-2500 PSIA P102A Pzr. Pressure 0-3000 PSIA P100Y Pzr. Pressure 0-3000 PSIA
- T121X Hot Leg Temp Loop 2 525-625'F T121XB Hot Leg Temp SGE088 Ch. 8 0-710*F XSIASA SIAS Status 1 Normal / Actuated XSIASB SIAS Status 2 Normal / Actuated ,
YS92281 Charging Pump #1 Status On/Off YS9229 Charging Pump #2 Status On/Off YS92302 Charging Pump #3 Status On/Off F311 HPSI Cold Leg 1A Flowrate 0-500 GPM F321 HPSI Cold Leg IB Flowrate 0-500 GPM F331 HPSI Cold Leg 2A Flowrate 0-500 GPM F341 HPSI Cold Leg 28 Flowrate 0-500 GPM
~
F391 HPSI Hot Leg 1 Flowrate 0-500 GPM F390
- Y1091 CEDM Main Power Bus Uvr 1 On/Off Y1092 CEDM Main Power Bus Uvr 2 On/0ff Y1093 CEDM Main Power Bus Uvr 3 On/Off Y1094 CEDM Main Power Bus Uvr 4 On/0ff
, A V
Document No. 1370-ICE-1302 Rev. 01
E ICE-036(81G2)/jg 63 i.
{ POINT ID ENGLISH DESCP. RANGE IV. RCS Inventory Control L110X< Pzr. Lvl Ch. X 0-100%
L110Y Pzr. Lvl Ch. Y 0-100%
L116 Quench Tank Level 0-100%
P116- Quench Tank Pressure 0-25 PSIG T116 Quench Tank Temperature 0-300*F T107 Pzr Relief Valve RC2000 0-300*F l -
' Discharge Temp T108 Pzr Relief Valve RC201 0-300'F Discharge Temp I
0 .
I I
f i
i 4
i 1
O .
Document No. 1370-ICE-1302 Rev. 01
.m.- .cw -m r- yer-3.r.w, ,,,,,-.-.,y,-r----w.-.,+,-,w,--%., r,--w.,vw,-,e.v.,,,,,--.% _ m------.--. -e - e,w-~,-.
, ICE-036(81G2)/jg64 PLANT FUNCTION DESCRIPTION RANGE V. RCS Pressure T115 Cold Leg Temp. Loop 1B 0-600*F T125 Cold Leg Temp. Loop 2A 0-600*F T111YA Cold Leg Temp. LP 1A Ch. A 0-710*F T1158 Cold Log Temp. LP IB Ch. B 0-710*F ,
T125A Cold Leg Temp. LP 2A Ch. A 0-710*F T121YB Cold Leg Temp. LP 28 Ch. B 0-710*F P102A P r. Pressure Ch. A 0-3000 PSIA P102'B Pzr. Pressure Ch. B 0-3000 PSIA P100X Pzr. Pressure 1500-2500 PSIA P100Y Pzr. Pressure 1500-2500 PSIA 0-700*F T101 Pzr. Water Temp T111X -
Hot Leg Temp Loop 1 525-625*F T121X Hot Leg Temp Loop 2 525-625*F T111XA Hot Leg SGE089 Temp. Ch. A 0-710*F T121XB Hot Leg SGE088 Temp. Ch. B 0-710*F t E
-Q Document No. 1370-ICE-1302 -
63- Rev. 01 g --e- .w., - --rw, , - , . - - .,, - , , a,-wn, ,--,.,,n..--. ~,,-,,,,-,--,,,r. we,r,,,- ,- ~ . - -.- , , , - , -r,,,,.,..-,, -,,.r--,,y ,m,,,m,,._, , , . .
ICE-036(81G2)/jg 65 O
PLANT FUNCTION DESCRIPTION RANGE l
VI. Radiation Emmissions ,
- 1) Hi Cond. Air Eject RT78518 Cond. air eject rad mon 1-1 x 106 mr/hr d
- 2) Hi Vent / Stack RT7808A Plant \ent stack mon 10 - 107 mr/hr
- 3) Hi Cnmt RT7804C Cnmt. airborne rad mon 10 - 107cpm 4
- 4) Hi cnmt Dome RT7857 Cnmt. dome rad mon 10 105 mr/hr
-5) Hi Purge Stack RT7828A. Purge Stack 10 10-9 uCi/cc RT7828B Radiation Monitor RT7828C i
Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 66-l 4
PLANT FUNCTION DESCRIPTION RANGE VII. Cnmt-Isolation XCIASA CIAS Status 1 Nomal/ Actuated XCIASB CIAS Status 2 Normal / Actuated ZLO5102 Pzr Stm Sample Iso Viv Closed /Open-ZLO5111 Pzr Stm Sample Iso Viv Closed /Open ZL92672 Letdown Iso Viv Closed /Open ZL92051 Letdown Iso Viv Closed /Open ZLO5082 Hot Leg 1 Sample Iso Vlv Closed /Open ZLO5172 Hot Leg 2 Sample Iso Viv Closed /Open
- ZLO5091 Hot leg I/C Iso Viv Closed /Open ZL93341 SI Drain / Test V1v Closed /Open ,
ZL92172 RCP Bleedoff Osp Viv Closed /Open ZL92181 .RCP Bleedoff Iso Vlv Closed /Open O Zt79112 Ser, wtr To Cn t Sump Iso viv Closee/0,en ZLO5122 Pzr Surge Line Sample Iso Viv Closed /Open ZLO5131 Pzr Surge Line Sample Iso Viv Closed /Open
'ZL58031 Cnmt Sump Pump Iso V1v Closed /Open 2.L58042 Cnmt Sump Pump Iso Viv Closed /Open ZL5686 Fire Protection Iso Viv Closed /Open ZL78052 Cnmt Air Rad Mon Iso Viv Closed /Open ZL78101 Cnmt Air Rad Mon Iso Viv Closed /Open ZL98242 Cnnt Minipurge Outlet Viv Closed /Open ZL99502 Cnmt Lg Vol. Purge Disch Vlv Closed /Open l
ZL98251 Cnmt Minipurge Outlet Viv Closed /Open ZL99511 Cnmt Lg Vol Purge Disch Viv Closed /Open ZL53881 Inst Air Supply Iso Viv Closed /Open ZL54372 N2 Supply to Aux Sys Iso Vlv Closed /0 pen t
LO Document No. 1370-ICE-1302 Rev. 01
,. - .- . . , .. - , - . _ - . - . - - - . . - . - _ . ~ . - -.
ICE-036(81G2)/jg67 PLANT -
FUNCTION DESCRIPT,13 RANGE VII. Cnmt Isolation (Continued)
ZL73121 RC Drain Tank Pump Disch Iso Viv Closed /Open ZL75132
- RC Drain Tank Pump Disch Iso Vlv Closed /Open ZL78062 Comt Air Rad Mon-Iso Viv Closed /Open ZL78111 Cnmt Air Rad Mon Iso Viv Closed /Open Cnmt Air Rad Mon Iso V1v ZL78021 Closed /0 pen ZL78032 Cnmt Air Rad Mon Iso Viv Closed /0 pen j ZL'/8011 Cnmt Air Rad Mon Iso V1v Closed /Open ZL78002 Cnmt Air Rad Mon Iso Viv Closed /Open ZLO5161 RC Drain Tank Sample Iso Viv Closed /0 pen ZLO514 RC Drain Tank Sample Iso V1v Closed /Open ZLO5152 Quench & RC Drn Tnk Smp1 Iso Vlv Closed /Open IL82042 MSIV (SGE089) Closed /Open ZL4051 Main Fw Stop VIi SGE089 Closed /Open
- ZT1105 Main Fw Bypass SGE089 0-100%
ZL40522 Fw Isc Viv SGE089 Closed /Open ZL62112 CCW Inlet Viv Closed /Open ZL62162 CCW Outlet Viv Closed /Open ZL99002 Cnmt. Norm A/C Inlet Viv Closed /0 pen ZL99201 Cnat. Norm, A/C Inlet Vlv Closed /Open ZL99712 Cr.mt. Norm. A/C Outlet Viv Closed /0 pen ZL99211 Cnmt. Norm. A/C Inlet V1v Closed /Open ZL72562 Cnmt. Waste Gas Vent Hdr. Iso. Vlv Closed /0 pan .
ZL72591 Cnmt. Waste Gas Vent Hdr. Iso.Viv Closed /Open ZL5434 N2 supply to SI tanks Iso. V1v Closed /0 pen ZL82051 MSIV (SGE088) Closed /Open ZL40481 Fw Iso Viv SGE088 Closed /Open ZL4047 Main Fw Stop Viv SGE088 Closei/0 pen
~
ZT1106 Main Fw Bypass SGE088 V1v 0-100%
0 Document No. 1370-ICE-1302 Rev. 01
-ICE-036(81G2)/jg 68
(.
\-
PLANT FUNCTION DESCRIPTION RANGE VII.-'CnmtIsolation(Continued)
ZL98231 Cnmt Minipurge inlet Viv Closed /Open ZL99491 Cnmt lg vol purge inlet Viv Closed /Open ZL98212 Cnmt minipurge inlet Viv Closed /Open ZL99482 Cnmt lg vol purge inlet V1v Closed /Open ZL92042 Ld to regen hx control Viv Closed /Open ZLO2211 Ld to regen hx control Viv Closed /Open ZL6212 CCW disch to non-crit loop Closed /Open ZL6213 CCW disch to non-crit loop Closed /Open ZL6218 CCW suctn from non-crit loop Closed /Open ZL6219 CCW suctn from non-crit loop Closed /Open ZL6223 CCW inlet Viv Closed /Open ZL6236 CCW outlet Viv Closed /Open l
l l
l l
l C
i Document No. 1370-ICE-1302 Rev. 01 l
- _,. , _ _ _ _ - _ _ _ . _ _ . - _ _ _ _ , . . . _ , . _ _ , . , _ . _ _ _ _ . . . . . , _ _ . _ . . - - . , , . _ _ . ~ . . - _ . , _ . _ . _ -
ICE-036(81G2)/jg 69 O PLANT FUNCTION DESCRIPTION RANGE _
Containment Isolation-Main Steam Isolation Leg XMSISA MSIS Status 1 Normal / Actuated XMSISB MSIS Status 2 Normal / Actuated ZL40481 FW Iso Viv SGE088 Closed /Open ZL40522 FW Iso Viv SGE089 Closed /0 pen KXEFASI EFAS Status 1 Normal / Actuated ZL40532 Blowdown Iso Viv SGE089 Closed /0 pen KXEFAS2 EFAS Status 2 Normal / Actuated ZL40541 Blowdown Iso Viv SGE088 Closed /Open ZL40572 Blowdown Sample Line SGE089 Closed /Open ZL40581 Blowdown Sample Line SGE088 Closed /Open-ZL47152 Aux. Fw Iso Viv SGE089 Closed /Open ZL82002 Main Stm Aux Fwpt SGE089 Closed /0 pen ZL82011 Main Stm Aux Fwpt SGE088 Closed /Open ZL82022 MSIV Bypass V1v SGE089 Closed /Open ZL82031 MSIV Bypass Viv SGE089 Closed /Open ZL82042 MSIV(SGE089) Closed /Open ZL82051 MSIV (SGE088) Closed /Open ZL82481 MSIV Bypass to Cond. SGE088 Closed /Open '
ZL82492 MSIV Bypass to Cond. SGE089 Closed /Open ZL84191. Atmos. Dump Viv SGE088 Closed /Open ZL84212 Atmos. Dump Viv SGE089 Closed /0 pen ZL47301 Aux. Fw Iso Viv SGE088 Closed /Open ZL47311 Aux. Fw Iso Viv SGE089 Closed /Open ZL47051 Aux. Fw. Cnti Viv SGE088 Closed /Open ZL47062 Aux. Fw. Cnti Vlv SGE089 Closed /0 pen ZL4713 Aux. Fw. Cntl Vlv SGE089 Closed /Open ZL47122 Aux. Fw. Cnti Viv SGE088 Closed /Open Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 70 (3
PLANT FUNCTION DESCRIPTION RANGE Containment Isolation-Containment Purge Isolation Leg ,
ZL99482 Cnmt lg vol purge inlet Viv Closed /Open ZL99491 Cnmt lg vol purge inlet Viv Closed /Open ZL99502 Cnmt lg vol purge disch Viv Closed /Open ZL99511 Cnmt lg vol purge inlet Viv Closed /Open ZL9821 Cnmt lg vol purge inlet Viv Closed /0 pen ZL9823 Cnmt 19 vol porge inlet Viv Closed /Open ZL98242 Cnmt minipurge catlet Vlv Closed /Open ZL98251 Cnmt minipurge outlet Viv Closed /0 pen' ZL98251 Cnmt minipurge outlet Viv Closed /Open XCPISA CPIS Status 1 Normal / Actuated XCPISB CPIS Status 2 -
Normal / Actuated-O -
l i
l -
(
L i
l 1
i O .
Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 71
\
PLANT
-FUNCTION DESCRIPTION RANGE Containment Isolation-Safety Injection Isolation Leg ZLO5102 Pzr Steam Sample Iso Viv Closed /0 pen ZLO5111 Pzr Steam Sample Iso Viv Closed /Open ZL92672 Letdown Iso Viv Closed /Open ZL92051 Letdown Iso Viv Closed /Open ZLO5082 Hot Leg'1 Sample Iso Viv Closed /Open ZLO5172 Hot Leg 2 Sample Iso Vlv Closed /Open ZL05091 Hot Leg I/C Iso Vlv Closed /0 pen ZL93341 SI Drain / Test Viv Closed /Open ZL92172 RCP Bleedoff Iso Viv Closed /Open ZL92181 RCP Bleedoff Iso Viv Closed /0 pen ZL79112 Sery wtr to cnmt sump iso Vlv Closed /Open ZLO5122 Pzr surge line sample is Viv Closed /0 pen ZLO5131 Pzr surge line sample is Vlv Closed /Open ZL58031 Cnmt sump pump I/C iso Viv Closed /0 pen ZL58042 Cnmt sump pump 0/C iso Viv Closed /Open ZL5686 Fire protection iso Viv Closed /0 pen ZL78052 Cnmt air rad mon iso Viv Closed /Open ZL78101 Cnmt air rad mon iso Viv Closed /0 pen ZL98242 Cnmt minipurge outlet Viv Closed /Open ZL99502 Cnmt lg vol purge disch Vlv Closed /Open ZL98251 Cnmt minipurge outlet V1v Closed /Open ZL99511 Cnmt 19 vol purge disch Viv Closed /Open ZL53881 Inst air supply iso Viv Closed /0 pen ZL54372 N2 supply to aux sys iso Viv Closed /Open ZL75121 RC drain tank pump disch iso Vlv Closed /0 pen ZL75132 RC drain tank pump disch iso Viv Closed /Open ZL78062 Cnmt air rad mon iso Viv Closed /Open ZL78111 Cnmt air rad mon iso Vlv Closed /Open O
Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 72 g
Cf PLANT FUNCTION DESCRIPTION RANGE J
Containment Isolation-Safety Injection Isolation Leg (Continued)
ZL78021 Cnmt air rad mon iso V1v Closed /0 pen ZL78032 Cnmt air rad mon iso Viv -Closed /0 pen ZL78011 Cnmt air rad mon iso Viv Closed /Open ZL78002 Cnmt air rad mon iso Viv Closed /Open ZLO5161 PC drain rank sample iso Viv Closed /0 pen ZLO5141 Quench tank sample iso Viv Closed /Open ZLO5152 Quench & RC drn tk smpi iso Viv Closed /0 pen ZL4051 Main Fw stop Viv SGE089 Closed /Open ZT1105 Main Fw bypass Vlv SGE089 0-100%
ZL40522' Fw iso V/V SGE089 Viv 0-100%
ZL99002 Cnmt norm A/C inlet Viv 0-100%
ZL99201 Cnmt norm A/C inlet Viv 0-100%
ZL99712 Cn'mt norm A/C outlet Viv 0-100%
ZL99211 Cnmt norm A/C outlet Viv 0-100%
ZL72582 Cnmt waste gas vent hdr iso Vlv Closed /Open ZL72591 Cnmt waste gas vent hdr iso Viv Closed /0 pen ZL5434 N2 supply to S1 tanks iso Viv Closed /Open ZL40481 Fw iso Viv SGE088 Closed /Open ZL4047 Main fw stop Viv SGE088 Closed /0 pen ZT1106 Main fw bypass SGE088 Viv 0-100%
ZL98231 Cnmt minipurge inlet Viv Closed /0 pen ZL99491 Cnmt lg vol purge inlet Viv Closed /0 pen f
ZL98212 Cnmt minipurge inlet Viv Closed /Open ZL99482 Cnmt lg vol purge inlet V1v Closed /Open ZL92042 Ld to regen hx control Viv Closed /Open ZLO2211 Ld to regen hx control Viv Closed /Open
Document No. 1370-ICE-1302 Rev. 01
-ICE-036(81G2)/jg73 O PLANT FUNCTION DESCRIPTION RANGE VIII. Cnmt Temp / Press Control XCCASA~ CCAS Status 1 Normal / Actuated XCCASB CCAS Status 2 ' Normal / Actuated i
YS99531 Cnmt. Fan clr E399 Status On/Off YS99471 Cnmt. Fan clr E401 Status On/Off YS99392 Cnmt. Fan clr E400 Status On/0ff
- YS99552 Cnmt. Fan clr E402 Status On/0ff 4
XCSASA CSAS Status 1 Normal / Actuated XCSASB CSAS Status 2 Normal / Actuated F338 Cnmt. Spray No.1 Flowrate 0-3500/GPM F348. Cnmt. Spray No. 2 Flowrate 0-3500/GPM P351A Cnmt. press 20/PSIG P352A Cnmt. press 85/PSIG TT99112 Cnmt. dome temp 0-400 F i
O Document No. 13 D-ICE-1302 Rev. 01
ICE-036(81G2)/jg 74 TN, -
II. HUMAN FACTORS CONSIDERATIONS
(.Q The fundamental SPDS design objective is to serve as an operator aid to monitor the overall safety status of the plant. Human factors considerations were included in the SPDS design and implementation process.
The central focus of human factors relates to the consideration of human beings in the design of the man-made facilities that people use. The objectives of human factors in the design of these .
man-made facilities are:
- 1) to enhance functional effectiveness f 2) to maintain or enhance certain human values in the process.
- 3) to enhance the machine's usability and practicability in l- stressful situations
- 4) to facilitate the man machine interface I
I l
O Document No.'1370-ICE-1302 Rev. 01
. . . .- .- - - - - . _ - ~ . . - . -
l
. ICE-036(81G2)/jg75
-; The central approach of human' factors is the application of relevant
- information about human characteristics and behavior to the-design of man-made facilities that people use, s
i When designing the CFMS, the role of the SPDS user was taken in to consideration, the context of use (control room), and the design -
constraints impacting the human factors development.
It is appropriate to consider the SPDS in the context of a i
O- structured crew model, i.e., task analysis. 'The shift supervisor is i-designated as the primary SPDS user. The SPDS is intended to aid the Shift Supervisor in allocating resources and directing the crew I
j' during highly unusual, complex' situations where problem detection i .
i
- and problem solving on a plant-wide scale is demanded. . This is j consistent with the goal-controlled, knowledge-based behavior I
articulated by Rasmussen's model. (Ref. 1) i ,
L e I
!O Document No. 1370-ICE-1302 Rev. 01
, em .--
yv.n,. -y.r--..,.w9 s
-.-,,y.,p--,-,,, ,,,,,y,,,m w _.,.,,,g
,w ,,- ,, ,ym .,-,-,,% m.w,,,,,,-v5p9 erstem e e v- mee=tr=**+- w w e v++w -ee e-- e v e -*- M -* W---+-e'e fv
ICE-036(81G2)/jg80 The role of the human factors verification process assured that goed q
V design practices were used to engineer SCE's CFMS in direct support of these job related tasks.
, One of the human factors design constraints is a direct consequence of the control room setting as it relates to viewing. Human factors design reflects a compromise between human factors, hardware / software limitations, and styles of use.
O ^ preiimiaery seos evaivation by vankee Atomic Eiectric compaar for their power plant in Rowe, fiass. (Reference 2) yielded the following human factors requirements on the display format:
Higher display update frequency
~
Faster display page call-ups (< 5 seconds)
Need for a top level display Provide parameter alarm capability Cues required for pages not displayed -
-- Should support normal operation Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 81 Display some additional parameters
/ h V
Integrate with emergency procedures.
- 1) Higher display update frequency -
The CFMS displays are updated every 1 second. This is sufficient to keep the operator informed during a rapidly changing transient, but is also slow enough to keep the display from being confusing during a transient.
O .
- 2) Faster display page call ups -
2 l
It takes no more than 5 seconds to call up a new display page.
This will help keep the operator sufficiently up to date during a transient situation.
i O
Document No. 1370-ICE-1302 -76 Rev. 01 L
-ICE-036(81G2)/jg 78
- 3) Need for a top level display
'({])
The CFMS has a top level display page which lists all the critical functions and their associated alarm legs. The operator can at any time return to the top level display.page to gain an overall view of the plant safety status.
e
- 4) Provide parameter alarm capability O
k- The CFMS provides visual alarms for parameters that exceed alarm setpoints which alert the operator to a change in parameter -status.
- 5) Cues required for pages not displayed
! A new alarm is indicated on every display page. This cues the i
i
! operator to return to the top level page to obtain more information on the nature of the alarm.
l 1.
O l
l Document No. 1370-ICE-1302 Rev. 01 i
' ~ ' ~~ ~ ~ ~~ ^ ' ~ ~ ~ ~ -
ICE-036(81G2)/3g83
- 6) Will support normal operstion -
O The CFMS will provide plant data for normal operation as well as abnormal or emergency conditions.
4 7) Display some additional parameters t
The CFMS displays parameters at a system level (core, primary system, etc.), and at the subsystem or component level (valves, O namns, etc) in order to sive e detatied view.
- 8) . Integrate with emergency procedures-Efforts have been completed to integrate the CFMS use with emergency procedures.
1 O
Document No. 1370-ICE-1302 -
78- Rev. 01 e
, nw---,v=->v-ew,sv ~e-wv,====meew----*-=-,e--w-e-+rre-=
ICE-036(81G2)/jg80
~
A. Design Of Displays
({])
Display design criteria of the San Onofre Nuclear Generating Station CFMS took the following into account:
- Detectability -
brightness, size, contrast & glare Perceptability -
symbols, scales & graphic forms Interpretability -
meaning Density -
clutter
.O t
The main objective of the graphics displays is to assist the operator in making correct decisions in an optimal way during all i
conditions. With that objective ii mind, the displays were designed to be simple and easy to. understand; callup of a new display would l~
! be rapid; and effective, consistent use of color was incorporated -
i
. for fast operator response.
l O
Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 81 A checklist of design considerations in graphics displays included:
o Understanding the task the operator performs o Identifying what information the operator needs to perform the 4
task o Selecting the proper-display techniques.
Figure 2 summarizes the display design methodology used for SCE's CFMS.
r~
The CFMS is designed to maximize contrast with hues. For example, the dark background of the CRT and dark blue containing non-essential information contrast with the cyan, yellow and magenta hues used for monitoring and updating. Alphanumerics are scaled not less than the 5 by 7 pixel matrix recommended by good human factors practice (Reference 3). These display designs are consistent with recommendations found in NUREG 0835.
O Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 73 n
V FIGURE 2 DISPLAY DESIGN METHODOLOGY OPERATING OUTPUT DEFINE THE PURPOSE AND FUNCTION OF THIS EXPERIENCE DESCRI DISPLAY ~
OPERATING OUTPUT IDENTIFY THE DISPLAY PARAMETERS NECESSARY EXPERIENCE DESCRIPTION L TO ACCOMPLISH THE PURPOSE NSTRUMENT INPUT RELATE DISPLAYED DATA WITH THE INPUT LIST IDENTIFICATI0 AVAILABLE C
DISPLAY DISPLAY DESIGN THE DISPLAY ACCORDING TO THE HUMAN GUIDELINES LAYOUT HUMAN FACTORS GUIDELINES C
PROCESSING SPECIFY THE PROCESSING REQUIRED TO SPECIFICATION UPDATE THE DISPLAYED DATA O
Document No. 1370-ICE-1302' Rev. 01
ICE-036(81G2)/jg84 Q Only upper case letters are used in the CFMS displays, since studies indicate that upper case letters are more legible than lower case.
To ensure legibility, the character height is displayed at a minimum .,
, angle of 16 minutes of arc (Reference 4).
Color coding is used to represent information categories on the display screen. In a paper presented to the Instrument Society of '
America, M. M. Danchek recomended the following color codes:
l l
O l
t O .
Document No. 1370-ICE-1302 Rev. 01 ,.
l L
_ ,. _. . _ _ , . . - . . . . _ _ . . - . _ , . _ _ . _ _ . _ - . . _ , . . - . _ . . , . _ , . . . . . . , . . . - _ - . _ . . . ..~
ICE-036(81G2)/jg85'
] RECOMMENDED COLOR CODES COLOR USE i
Black Display Background Blue Non-Essential or Non-Information Bearing Data Cyan Essential or Information Bearing Numeric Data or Text Green Off, De-Energized, Closed, Normal Red On, Energized, Open, Bypassed
- White Intermediate Between Green and Red Yellow Cautionary, Attention Required Magenta Danger, Immediate Attention Required i
- The display hierarchy focuses on the concept of how the pages are
, related according to the operators scheme of the process. .The display hierarchy is established by defining the purpose and f
rO l
Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg.90 function of the display set and each individual display. The 8
'~'
]
hierarchy consists of three levels: See Figure 3.
~
Level 1 -
Overall status Level 2 -
Function status Level 3 -
Subfunction diagnostic The CFMS display hierarchy was organized on a systems level that dealt with the major systems of the plant, such as the NSSS, main steam, etc., relying heavily on operating experience to meet
(') operator requirements. The three levels are arranged in a tree structure that allows an operator to " zoom in" on problem areas in a rapid, straightforward manner. The hierarchy is designed to be self guiding. The primary advantage is that the information is organized in a structured, spatial and system-oriented fashion. This allows the user to move through the hierarchy with a minimum of key ,
strokes, no dialogs, a minimum of memorization, and no guide books.
N Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 74 k
FIGURE 3
+
CFMS DISPLAY HIERARCHY i
l
~
Display Current Monitor Failed Computer Directory Alarm Display Sensor System List Level 1 List Status 1 3 6 4 5 7 RCS Display Level 2 1 1 2 1 2 1 2 1 2 1 2 3 i
Par Display
- Level 3 LO '
- l l
4 I
O
- Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 87
{j_ The' display system automatically cues the operator on the occurrence ofalarm(s). The sector number and associated symbol will appear in the alarm color, blinking, allowing the operator to follow a structural fault diagnostic path within the display hierarchy.
B. DESIGN OF OPERATOR STATION The control room at SONGS is relatively compact for each of the Units 2 and 3, affording shift supervisor a good view of the total
-() plant condition. In this context, the control board and CFMS'
- displays are both complementary and interchangeable. Because of the intended use of the SPDS as a supervisory aid, the design of SPDS operator station was appropriately located at operator desks away
, 'from the control panels. See Figure 4.
1 i
O Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg 88 A
Q FIGURE CPMS keybo'ard
- \' ,;, f -
4
- 1) -. >
\
^%
,\ \
,g-I
- Nm f/
M T
\ %
r o \ '
ml
~
I QSPDS N#
SPOS DISPLAY INSTALLATION AT SONGS Document No. 1370-ICE-1302 Rev. 01
- ---- -- ,--.,..-,.,__,..--__.-_..,._...-.._._,,_n_.-,. . . - . . - _ , . . . . . , . . , , . . . . , - , , - , , - , . _ , . . . - , . . . _ , _ _ , _ . . . _ _ - _ _ . , . . - . , - - . - _ _
- ICE-036(81G2)/jg89 C. USER FUNCTIONAL TRAINING:
({])
Comprehensive training in the use and interpretation of the CFMS has been given to operators, plant personnel and management at San Onofre Units 2 and 3 to confirm that the CFMS is readily perceived and comprehended by the SPOS users. ~
Formal training programs were developed and presented to plant personnel at two separate times. Training was provided by qualified engineers who had taken an INP0-approved' instructor training course prior to developing the CFMS course. Recurrent training in the use and interpretation of the CFMS is held at SCE's Training and Educational Center.
I .
l I.
i l
l l
l Document No.1370-ICE-1302 Rev. 01 l,
, - - - - - - , w-- g 3y-.w--w- .-yw--e -,--, ,-ycy,- y..m.c
- ..- w--,-----,---y7 y,,.---=m ww m-w n -w e +
ICE-036(81G2)/jg 90 (v). III. VERIFICATION AND VALIDATION -(V & V)
A. DESIGN VERIFICATION Verification involves independent requirements review arid 1
.i design review. The requirements are the foundation upon which i
the SPDS was designed. NUREG-0696 was viewed as the primary requirements for the SPDS. The reviews consisted of evaluating:
O
- I. Determination of human factors requirements for effecti'le man / machine interfacing; these are addressed in Section l II.
+
[
- 2. Establishn:ent of the SPDS hardware environmenu in terms of reliability, maintainability and operating requirements i
t.
(O l
Document No. 1370-ICE-1302 Rev. 01 l
L-
ICE-036(81G2)/jg 91 j
l{ ' _
- 3. -De'finition of the inputs, outputs and historical data base requirements 4.~ Determination of the adequacy of the SPDS alarm strategy in responding to plant emergency conditions in a i
meaningful fashion.
n j; The objective of the validation testing was to certify that the 4
l CFMS operates in accordance with its design specifications.
~() There are two activities with-validation testing: 1) Functional
! and Software Test Plan and 2) test execution and re'sults i analysis. (Reference 5).
1
-CFMS test cases were run in order to test the CFMS alarms. The
,i test execu* ion entailed performing the tests, recording the test results and analyzing the results for acceptability. Each test was documented with date, tester, test case, test results and test. status.
O Document No._1370-ICE-1302 s Rev. 01
ICE-036(81G2)/jg 92 The level of V & V performed is consis' tent with the view of the
~
(~)T
\_ -
CFMS as a control room operational aid. The SPDS displays plant parameters that monitor the fundamental safety functions.
B. VALIDATION TESTING
- 1. Algorithm simulator testing Transient data, generated using standard transient snalysis codes were input to the CFMS, and a determination
() of the appropriate critical function alarms and sequence of alarm was made for dynamic testing purposes. Expected alarms for each jeopardized critical function were i
1 observed, i
i The critical function alarm algorithms were tested using test cases that simulated CFMS inputs. Evaluation of the i f'I a
Document No. 1370-ICE-1302 Rev. 01 l
ICE-036(81G2)/jg 93
. test cases and expected results were consistent. These a
critical function alarm algorithm tests are included as part of the overall CFMS functional test.
2.~ Halden Reactor Project:
The experimental validation of the critical function monitoring system was carried out by the Halden Project as a joint effort among C-E, the Technical Research Center of Finland (VIT), and Imatran Vorma OY (IVO). The experiments took place at the PWR training simulator situated at the 'IVO Loviisa Nuclear Power Plant in Finland. The purpose was to assess the impact'of the CFMS
>~
on operator performance when handling serious plant disturbances. The CFMS project, which lasted more than.18 months, covered all essential details, initial planning, development of a CFMS training program, specification and installation of data recording equipment, practical l
O.
l l Document No. 1370-ICE-1302 Rev. 01 i-I
. ICE-036(81G2)/jg 94
+
training of operating crews, experimentation and data
(~])
' collection, data precessing, analysis and evaluation. An effective modular tape-slide training program was used for initial instruction.
4 The subjects were twelve crews of experienced operators from the nuclear power plant undergoing their semi-annual retraining at the simulator. The experiments, which employed a "within group comparison" design, made O)
\- substantial use of both video and audio recordings, in addition to computer derived measurement. Two transients were developed which presented the operators with two equivalent, severe and complex plant disturbance ,
scenarios.
4 The analyses combined quantitative and qualitative methods, and used a detailed timeline description as the OL Document No. 1370-ICE-1302 Rev. 01
.- . = - .
ICE-036(81G2)/jg95 basis for answering questions about the impact of the L())) .
l' CFMS. In terms of overall quantitative analysis, two specific hypotheses were invertigated:
2 I
1.
i (1) that operators using the CFMS would maintain critical functions more effectively, and
- (2) that effective maintenance of critical functions was equivalent to improved plant safety.
Both the overall results and the more detailed, qualitative investigation of timeline data supported these hypotheses. In addition, the CFMS project demonstrated'successfully the methodology developed at Halden.
t One description of the overall crew performance was f
based on a quantitative analysis of measured operator and plant performance factors. The CFMS use could not, however, have been measured in any detail f-O Document No. 1370-ICE-1302 Rev. 01 t
, -- ,e-, - --,-.n -ans-v-- ,,,. - , -- - ~ , ~ ---,g w..e r - a.-e,-ep,,,,, ,,,,,,n-y,-e,ene -, .,,,p ,en----, - - , , wyp,w.-,-,---.,reee,,way-m-,-w,---ms--r,---,n,
ICE-036(81G2)/jg 100 without the use-of the video camera in the control O room. (Figure 5) The visual record provided data l
about which of the operators was using the display and the recorded verbal exchanges between crew members revealed a great deal on information about how they employed the CFMS in response to the transient.
Clearly, the operating crews did use the CFMS to
~
O obtaia userui infonnation during the test transient..
The supervision used the display the most and derived the most benefit from it.
l C. CFMS TESTING l
l
- 1. System Testing All the functions of the CFMS are fully tested using a functional test procedures document. (Reference 5) The Document No.1370-ICE-1302 Rev. 01 1
_. _m.._.- _ _ _ _ . . _ . , _ _ _ _ , _ , _ . _ _ _ . . _ . _ . . . . _ . _ . . - _ _ , . _ . . . . _ _ _ . _ _ _ . _ . _ , , . _ . _ _ . . . . . _ _ _ . .
ET8mg~nt5 N
, m O.
m ?"S* 8 gE E)"Ie js
' Wa h j,t nD 5 5 >5 ~ f'6 G i i
-- S R
E
]1 HT
]1
(
1 RN AI LR
, AP T
I U /
C H N s
R l E EY C
Y R
ft ' TA UL PP A MS D
/ OI N
O C
[CD E
S - *6*C^
, ' R L
EL 0 O El 2
UI NO BI RN R
EO NT R
/
1 S
I V
A IR e
l
- UO I
_ i 0 l TC BR rE
/
RE iP R S L nU UP
_ U T
Y A
L r'
hE N A
P TO SS P
2
\
S -
I D hCgsT N
U
[h Y R A, D /
R q F E -
I U
OO CR DE P
l l
CT R
O I
0 C dk AN EO RO HD FN I C RC CA -
A E
p R
%g /.
A 0
/ R 3
E M
l A
l C
_ u C
O i
t l 09 4,, E D I
C V Y -
H +
A l
l
\
\j\g O
- i H k{
l' \}
5b." EI2*
i TnN8[o g3$5$" 6? g'e ii1:l i' jii j : ili!i . iI 1I)ji;i' i!{l,l ii
. ICE-036(81G2)/jg98 functional tests include input processing, alarm state transition tests, display processing, annunciator output
~ tests, inadequate core cooling tests, and others. All test exceptions are identified, resolved, and the function retested before CFMS software is delivered to the site.
An independent review of this testing process is also 1
performed.
- 2. Pre-operational Testing Pre-operational testing is performed at San Onofre, before the CFMS software is officially installed for use by control room operators. Pre-operational testing includes all of the functional testing mentioned in the previous t
section, as well as hardware tests and string checks.
t.
I' This provided not only a check on the software, but a i
[
check on the installed system.
i Document No. 1370-ICE-1302 Rev. 01
. - - . - . . - , - . . - . . ~ - _ _ . . . . . . - - . . , , . . . . - - - .
ICE-035(81G2)/jg 99 IV. 'COMPARIS0N OF CFMS TO NUREGs
( })
IV. A. NUREG 0696 CFMS Requirement Compliance
- 1) Provide an SPDS available 1) The CFMS is designed to during normal operation display the safety status
., and during all classes of of the plant during all emergencies. modes of operation and for normal and all emergency conditions.
I
- 2) Should provide information 2) See Section I.B.3.
on a) reactivity control b) reactor core cooling and heat removal from the primary system c) reactor coolant system integrity d) radioactivity control
[)
e) containment integrity
- 3) The unavailability of the 3) CFMS and QSPDS designei to SPDS shall be 0.01 achieve availability (availability > 0.99) when > 0.99.
reactor is above cold shut-down. The cold shutdown unavailability shall be 0.2.
For additional 0696 requirements, See Section IV.D on NUREG-0835 1
O Document No. 1370-ICE-1302 Rev. 01
' ~
- ' ICE-036(81G2)/jg 104 l
I IV. B. NUREG 0737 q
kJ CFMS Requirement Compliance
- 2) Indication of Inadequate Core 2,3) Indication of ICC is indepen-Cooling (ICC) should determine dent of the initiating event.
4 the existence of inadequate core cooling caused by various phenomena.
- 3) ICC indication should be
. unambiguous.
- 4) Provide advance warning of 4) Advance warning of ICC is ICC. provided by saturation margin calculation, reactor vessel level calculation and core exit thermocouple temperature.
- 5) Cover full range from normal 5) Saturation margin, reactor operation to complete core vessel level, and core exit uncovery, thermocouple temperature are displayed at all times.
t Reactor vessel level is measured' to the top of the core. Core exit thermocouples provide indication of the trend of cladding temperature in the core.
- 6) Core exit thermocouple-primary 6) displays a) core map available on a) Core maps are available on demand demand 4
b) selective readina of core b) Representative core exit exit temperature temperature, which is a conservatively high core exit temperature, is displayed and trended.
c) direct readout hard copy c) thermocouple temperatures capability available for displayed on a core map all thermocouples which can be called up on demand with hard copy printout available.
d) temperature range from d) temperature ranne for
( 200 to 1800 (at least) thermocouples is 32*F to
- 2300 F.
Document No. 1370-ICE-1302 Rev. 01
ICE-036(81G2)/jg-101
, .IV. 8. NUREG 0737 (Continued)
CFMS Requirement Compliance e) trending of representative e) representative core exit core exit temperature . temperature trend available available on demand. on CFMS on demand.
f) alarm capability f) alarm generated if represent-ative CET temperature exceeds
-a setpoint g) operator display device g) CFMS displays are human interface should be human factored in accordance with factored. NUREG 0835.
- 7) Backup display should provide 7) QSPDS provides 56 core exit reading of at least 16 operable thermocouple temperatures, thermocouples, 4 per quadrant 14 per quadrant. The display in at least 6 minutes; range is on a core map which is should be from 200*F to 2300*F. available on demand. The thermocouple range is from 32* to 2300*F.
- 8) . Primary, backup display 8) 1E inputs to the primary SPDS
, channels should be electric- (CFMS) are isolated. 1E inputs
-( .
ally independent, powered from to the backup display (QSPDS)
IE power sources, physically are not isolated since the separate, up to the isolation QSPDS is a IE system. The devices. inputs are electrically and physically separate.
9)- Beyond isolation device, 9) The CFMS is powered from a high primary SPDS need not be class reliability power source which IE, but energized from a high is battery. backed.
reliability power source which is battery backed.
- 10) Backup display and associated 10) The QSPDS is a 1E system.
hardware should be class 1E.
- 11) Primary, backup display 11) The CFMS and QSPDS are designed channels should provide 99% to achieve 99% availability.
availability to display 4 thermocouples per quadrant (also in NUREG-0696).
O '
Document No. 1370-ICE-1302 -100- Rev. 01
ICE-036(81G2)/jg 102 p
v IV. C. NUREG 0737 Supplement i CFMS Requirement Compliance
- 1) SPDS is a concise display 1) The CFMS is a data acquisition of critical plant variables and display system in the control to the control room operators, room which presents essential used to evaluate safety plant information useful in status of the plant, diagnosing the safety status of the plant.
- 2) SPDS should function during 2) The CFMS is intended for use in normal, abnormal and normal abnormal and emergency emergency conditions. conditions. ,
room operators.
- 4) SPDS shall be suitably 4) CFMS inputs from the QSPDS or isolated from electrical from IE systems are isolated, or electronic interference with equipment and sensors used in safety systems.
- 5) Shall be designed according See Section II.
( to-accepted human factors principles. -
6)' Should provide information , See Section I.B. 3 to plant operators on:
a) reactivity control b) reactor, core cooling and heat removal from the primary system.
c) reactor coolant system integrity i
d) radioactivity control e) containment (integrity) ,
O Document No. 1370-ICE-1302 10). Rev. 01
ICE-036(81G2)/jg 103 IV. 'O. NUREG 0835 j]
'- CFMS General Acceptance Criteria Compliance
- 1) Primary SPDS display contains 1) See Section I.B.
sufficient information from ,
which the operator can assess plant safety status.
- 2) Operators must be trained on 2) See Section II.C.
the use of the SPDS.
- 3) Display of abnormal operating 3) CFMS uses color changes and conditions should be different flashing to alert the operator than the display during normal of a change in status, operating conditions.
- 4) Time history of parameters 4) The operator selects the time for at least 30 minutes should scale for trends.
I be displayed.
- 5) Parameter magnitudes should be 5) Parameter ranges are chocen displayed so that the operator' such that the operator recognizes change from normal -
recognizes the change from conditions, normal to abnormal conditions, O and from abnormal to emergency L/, conditions.
- 6) Parameter magnitudes should be 6) Operator selects the ranges on scaled to allow tracking over parameter trends, a wide range of abnormal cond-itions.
- 7) Each parameter should be 7) _Each parameter is labeled with labeled for identification. an identifier, magnitude or status.
- 8) Colors should conform to 8) Normal indication - light NUREG-0700, Sect. 6.5.1.6 blue, " caution" indication -
or 6.7.2.7. yellow, " danger" indication -
magenta.
- 9) No more than 2 levels of 9) See.above.
severity when there is a parameter change in status.
- 10) Symbols, mimics;seehijREG- 10) Standard symbols shape codes 0700, Sect. 6.6.3.4, 6.6.6.4. indicate major components for the operational displays and critical function status.
O -
Document No. 1370-ICE-1302 -102- Rev. 01
. ICE-036(81G2)/jg 104 IV. D. NUREG 0835 (Continued)-
CFMS General Acceptance Criteria Compliance
- 11) Overlays should not interfere 11) The CFMS does not use with observation or interpre- overlays, tation of plant operating conditions.
- 12) Setpoints for display changes 12) Hi and lo setpoints (yellow) should be chosen based on were chosen to alert the oper-technical considerations. ator to deviation from normal
, conditions. Hi-hi and 10-10 setpoints were chosen to alert the operator to an approach to safety limits.
- 13) Blinking, flashing conform 13) Blinking and flashing are with NUREG-0700, Sect. used to alert the operator 6.3.3.2 and 6.7.2.7. of new alarms.
I I
O l
i O
Document No. 1370-ICE-1302 -103- Rev. 01 1 i
-. __.- ,., _..-. __ _. ., .....,. ,_ _ ,__,,,,..,..,, ,,_._,,_ _.__,.,,,_ ___.... _ .._ ,,_,_._.m __, ..-,_.--s,,_,,,....
ICE-036(81G2)/jg 105 o NUREG 0696 Sections V As Interpreted By NUREG 0835 ,
l CFMS 0696 Requirement Compliance 1)- Primary Function (NUREG0696 The primary function of Sections) the SPDS is to serve as 5.1 an operator aid in the 1.3.4 rapid detection of abnormal conditions by providing a display of plant parameters from which the safety status of operation may be assessed in the control room.
0835 Interpretation
,. This criterion is satisfied when:
n a} the primary'SPDS display a) the SPDS provides infor-() format contains functional mation on the operability information to assist the and status of plant operator in rapidly evalu- systems required for ating the safety status of safety.
the riant.
and b) abnormal conditions which b) the occurrence of parameter impact safety of the plant and critical function are easily identified and alarms are shown on every recognized from the primary display page.
SPDS display format.
and c) the SPDS supplements the c) An alarm on the plant control room annunciator annunciator occurs when system when severe plant a critical function alarm transients occur. occurs.
O Document No. 1370-ICE-1302 -104- Rev. 01
ICE-036(81G2)/jg 106 O CFMS
'D - 0696 Requirement Comoliance (NUREG0696
- 2) Secondary Functions #5.5)
The display system may include other functions that aid operating personnel in evaluating plant status.
Secondary functions, such -
as the performance monitoring of plant systems or safety systems and the 4
presentation of data to assist the operator to diagnose abnormal oper-ating conditions may be used. No acceptance criteria for the-secondary functions were specified in 0835.
0835 Interpretation The secondary functions are acceptable provided:
a) They do not impair the a) -secondary displays are operator's use of the SPDS used to support the in executing the primary primary SPOS displays, function.
and b) the control room operating b) control room personnel ,
crew has been trained in have received functional the use of the secondary training on the SPDS and functions. .how to operate SPDS displays.
0696 Requirement (0696
- 3) Future Functions Section
- 5.5)
The design of the display system should be flexible to allow for future incor-poration of advanced diag-nostic concepts and evaluation techniques and , ,
systems.
.O '
Document No. 1370-ICE-1302 -105- Rev. 01
ICE-036(81G2)/jg 107 CFMS
.kJT* 0835 Interpretation Compliance The criterion may be satis-fled in designs using a computer based system when either:
a) . the design is expand- a) -the SPDS has capability able to. accept new to upgrade to functions. 1) Larger CPU
- 2) More main memory
- 3) Additional bulk memory
- 4) multi-processing-parallel processing .
or
, b) \the design allows for the addition of processors, memories or additional computers, such as in a i distributed network.
- 0696 Requirement-
- 0696
- 4) Basis of Parameter Selection Section 5.5 s- The basis for selection of the minimum set of parameters
- in the primary display shall be documented as part of the design.
0835 Interpretation
. This criterion is satisfied See Section 1.B.
when:
i it can be demonstrated that the primary display format, using the parameters selected meets the 4
guidelines or criteria of
- - Section 3 of'0835.
. 0696 Requirement 0696
- 5) Real Time Validation Section 5.1
, Display data shall be validated on a real time i basis where practicable.
O Document No. 1370-ICE-1302 -106-Rev. 01
ICE-036(81G2)/jg 112 O CFMS
\J - 0835 Interpretation Compliance i
This criterion is satisfied by:
a) comparing redundant al) *out of range points denoted sensor readings prior by ?? and identified on the to the display of the Failed Sensor Listing, parameter.
or b) using analytical re- a2) comparison of CFMS variables dundancy among dif- with corresponding points ferent parameters and from other sources (plant using models and equations computer and vertical '
that have been documented board) conducted by the and validated. Operating operator on a regular basis for i real-time validation.
regimes were the equations L used are not valid should be identified and docu-mented.
0696 Requirement 4
0696 i
- 6) Unvalidated Data Section 5.1 f
Display data which is i unvalidated shall be so indicated to operators. .
0835 Interpretation This criterion is satisfied when:
a) validated parameters, a) unvalidated data may unvalidated parameters, be taken cut of scan and invalid data are identified, where
. practical
. and
! b) validated parameters are b,c) unvalidated pararcters coded in a manner whereby displayed on the CFMS they are easily disting- are clearly disting-uished from unvalidated uishable from validated i' parameters. parameters.
.and c) coding of invalid data is distinct from the coding-of data for which data validation is unsuccess-ful.
i-i Document No. 1370-ICE-1302 -107- Rev. 01
r-ICE-036(81G2)/jg109 O
\_/ 0835 Interpretation CFMS Compliance and d) operating procedures for ' d) Procedures exist to take use of the SPDS provides invalid data out of scan, guidance for treatment of invalid data and resolution of unsuccessful data validation.
and e) operator training in the use e) operators are trained on of the SPDS includes practice taking unvalidated data in dealing with unvalidated out of scan.
data and application of procedures to resolve unsuc-cessful data validation.
Operator knowledge of the validity of data is important in correctly assessing the safety status of the plant.
0696 Requirements 0696
- 7) Design Principles Section (T
5.5
's_/ The display format shall b'e designed to accepted human -
factors principles.
0835 Interpretation This criterion is satisfied when:
a) the design conforms to the a) See Section II display guidelines presented in NUREG 0700,
, and b) the primary display format b) See Section II conforms to the general criteria in Section 3 of 0835.
O
\_/
Document No. 1370-ICE-1302 -108- Rev. 01
,, LICE-036(81G2)/jg 110 CFMS
?(?] 0696 Requirement Compliance 0696
- 8) ' Individual Parameters Section 5.1 The primary display may 5.5 be a continuous indication of individual plant parameters or may be composed of a number of measured variables or derived variables.
0835 Interpretation This criterion is satisfied when:
a) a dedicated display, a) The critical function such as a CRT with a
- display page displays single primary display all the algorithms used format continuously in assessing the safety displays the minimum status of the plant.
' parameter set necessary to assess the safety status of the plant.
.OE or .
b) reduction in size of the b) The critical function primary display format is matrix is displayed on all provided when it is other display pages in the necessary to display lower left. When an alarm secondary information, occurs in a' critical function algorithm, the critical function matrix will flash. This prompts
, the operator to return to the critical function display page for further assessment.
O Document No. 1370-ICE-1302 -109- Rev 01
ICE-036(81G2)/jg 115
. CFMS 0696 Requirement 1- Compliance 0696
- 9) . Timeliness and Accuracy Section of Data 5.1 Displayed data shall present current and
- accurate status of the i plant.-
! 0835 Interpretation The criterion is satisfied.
! , when:
a) the sampling rate for a) The CFMS display is each parameter is chosen updated every 1
- such that there is no second
! meaningful loss of infor-mation in the data presented to the operator.
and b) the time delay from when b) Time delay is less 4
the sensor signal is than 2 seconds. ,
sampled to when it is
, : -displayed is no greater t -
than 2 seconds.
, and
- c) maintaining the control c) All displays are given
! room SPDS display is given equal priority except that
, processor priority over the control room has i
display and processing priority in setting up requests from the TSC, EOF, HDSR trends.
- or other sources.
and
, d) each parameter is displayed d) CFMS alarms exist for with an accuracy sufficient the algorithms to alert for the operator to discri- the operator of devia-minate between abnormal- tion from normal conditions which impact conditions (hi or low safety and normal alarms),andofthe operating conditions, approach to safety limits (hi-hi and 10-10 alarms)
Document No. 1370-ICE-1302 -110- Rev. 01
ICE-036(81G2)/jg 112
- P CFMS
'd 0696 Requirement Compliance 0696
- 10) Scope of Data Section 5.5 The display should be responsive to transient and accident sequences.
0835 Interpretation The criterion is satisfied -
when:
a) operator comprehension a) The CFMS display is of a change in the safety updated every 1 second.
status of the plant from the primary SPDS display could be achieved in a matter of seconds. If closure of this task takes several minutes, the design is unacceptable, and b) the display system correctly b) See Section III portrays the plant process
.\p) . status for all design. basis events and events specified by NUREG-0737,Section I.C.1, Guidance For The Evaluation
'and Development of Procedures For Transients and Accidents 0696 Requirement 0696
- 11) Parameter Grouping Section 5.1 Parameters must be grouped to enhance operators assessment of the plant and to assist in making functional comparisons.
O Document No. 1370-ICE-1302 -111- Rev. 01
ICE-036(81G2)/jg.113 CFMSI LpJ 0835 Interpretation Compliance This criterion is satisfied when:
a) the minimum set of a) The critical function parameters are display page shows minimum presented on the single set of plant parameters primary display format. necessary to determine the
- The minimum set of safety status of the plant.
parameters must be the ones by which the operator evaluates the safety status of the plant.
and b) the parameters displayed b) The critical function are grouped so that all display page shows each are visible to the operator critical function and within one field of view. the algorithm legs that comprise each critical function, and c) the parameters are sequenced c) The CFMS uses a top down.
in a logical manner to . display hierarchy where O- facilitate operator comparison the first level displays of parameters in evaluating plant overview information.,
the safety status of the the second level shows plant, algorithm Systems infor-mation and the third level shows subsystem and component information.
~
and d) the primary display format d) Patterns and display utilizes patterns and enhancements are display enhancements as discussed in Section II discussed in Section 3 of and in this Section.
0835.
0696 Requirements 0696
- 12) Pattern and Coding Section 5.1 Pattern and coding techniques shall be used~to assist operator detection and recognition of-unsafe operating conditions.
Document No. 1370-ICE-1302 112 Rev. 01 L - . .. .-w,
ICE-036(81G2)/jg 114 i
7 C' CFMS 0835 Interpretation Compliance This criterion can be satisfied by:
a) the use of color coding a) The CFMS utilizes color to indicate the approach changes and flashing to to unsafe operation and alert the operator of an to indicate unsafe oper- approach to unsafe ation. operation,
~
or b) the use of limit marks for each parameter displayed.
The limit marks should be representative of operational limits established by technical specifications, process limits, and safety system actuation setpoints, if applicable.
or c) the use of patterns which noticeably distort when an unsafe condition is approached.
-]
0696 Requirement 0696
- 13) Magnitude, Trend Section 5.1 The display shall be capable of presenting magnitudes and trends of parameters or derived variables. The display of time derivatives in lieu of trends may be acceptable. -
O Document No. 1370-ICE-1302 -113- Rev. 01
ICE-036(81G2)/jg 115 3
(V 0835 Interpretation CFMS Compliance This criterion is satisfied when:
a) the primary display format a) The magnitude of all contains the magnitude for variables and the status all variables being of all pumps and valves are displayed. continuously displayed.
and b) the primary display format b) The operator has the has the capability of capability to select 4 indicating trends, or trends.
trends of operator selected parameters are available in -
a secondary display format.
and c) trend data is displayed with c) The operator selects the sufficient resolution in time range and time scale over and magnitude to ensure that which a parameter trend rapidly changing parameters may be observed, are accurately displayed.
The frequency bandwidth of the signal measurement system, consisting of sensor, signal k] processing devices and trend display device should be broad enough to transmit all meaningful information of the measured parameter or derived variable.
The display of time derivatives of variables is acceptable only when the derivatives unambiguously reflect the trends in the variables.
The algorithm used for time derivatives must be adequate'to track oscillating plant variables that may exist during the design basis events for the plant.
O Document No. 1370-ICE-1302 114- Rev. 01
ICE-036(81G2)/jg116 t o CFMS
.d 0696 Requirement Compliance 0696
- 14) Recall Capabilities Section 5.5 The recall of additional data on secondary formats -
or displays is desirable.
0835 Interpretation This criterion is met when:
a) operator requests to the a) The operator can display display system will result secondary pages by direct in displays, of additional paging, sectoring down data, on secondary formats, through the hierarchy or such as trend data of the by paging forward or safety status parameters, backwards.
and -
b) data is available for b,c) Data is available from retrieval and is not lost disk or magnetic tape as a result of an which is loaded by electrical power failure, computer operators. The CFMS power supply has
- high reliability.
and O -
c) data stored for retrieval is stored on a secure medium -
s and is available upon demand. .
d) response times to operator d) The response time for requests for information on operator requested dis-
. secondary displays conforms plays is designed to be with NUREG-0700 guidelines .less than 5 seconds, for computtr response time to operator queries.
, 0696 Requirement 0696
- 15) Mode of Plant Operation Section 5.5 The design of the display shall contain a single .
primary display format for
- each mode of plant s operation.
i h .
' Document No.1370-ICE-1302 -115- gey. 01
ICE-036(81G2)/jg 117 O CFMS U 0835 Interpretation Compliance This criterion is satisfied when:
a) the design contains a a) The display format is the primary display format for same for all operating each mode of plant operation modes. The CFMS is designed defined by the technical to monitor the plant safety specifications of operation. status during all modes of operation.
A common display format composed of '
the same parameters may be used for several modes of plant operation.
However, for any one mode, the display must contain that minimum set of parameters needed to assess the safety status of the pidnt.
Typical modes of plant operation are:
- 1. Power Operation
- 2. Startup
- 3. Hot Standby
- 4. Hot Shutdown
- 5. Cold Shutdown.
- 6. Refueling 0696 Requirement 0696
- 16) Display Format Selection Section 5.5 -
For each plant operating -
mode, display formats may either be automatically -
displayed or manually selected.
0835 Interpretation This criterion is satisfied when:
a) a manually operated switch a) display can be selected or input from an alpha- by using an alphanumeric numeric keyboard, touch panel, keyboard, light pen, cursor, or equivalent interface is provided by the design to allow the operatnr to adjust p the display format for the v mode of plant operation.
Document No. 1370-ICE-1302 -116- Rev. 01
- . - ~ .. - . . . .. . = ~ - . . - . .
ICE-036(81G2)/jg 118
. [] .
0835 Interpretation CFMS
. Compliance
'or b) in automatic display format change occurs with a change in moae of
- plant operation.
0696 Requirement 0696
- 17) Display Location 'Section 5.2
, The SPDS shall be located 4
in the control room with
0835 Interpretation This criterion is satisfied a
when: ,
- provisfor.s are made for 1) The SPDS displays an j locating the SPDS display keyboards are located in
]
] EOF.
0696 Requirew nt
. 0696
- 18) Control Board Section 5.2 If the SPDS is part of i the control board, it i must be easily recog-nizable and readable.
l 0835 Interpretation f
i This criterion is satisfied when:
i a) the SPDS is readily a) The SPDS displays are i
distinguished from other separate from the control
- displays on the control panel, board.
and b) the display conforms to b) Display format is the appropriate display discussed herein.
readability guidelines stated in NUREG 0700.
O Document No. 1370-ICE-1302 117 Rev. 01
.._.....__.._._._._..____.u._....___.,.. _ _ _.. _ __.. _ . ,. ____ ._ . _ _
ICE-036(81G2)/jg 119
/* CFMS
'd 0696 Requirement ~
Compliance 0696
- 19) Display Readability Section 5.3' The display shall be readable from the emergency station of the Senior Reactor Operator.
0835 Interpretation . ,
This criterion is satisfied when:
a) the displays design a) CRT located at 2/3 CR-66 conforms to the appropriate operating desk of SRO.
display readability guide-lines stated in NUREG-0700, such as viewing distance, viewing angle, and screen location for standing and seated operators at the Senior Reactor Operator's Station.
and (O) b) the data displayed on the b) CRT used has low CRT's has acceptably low flicker and noise, flicker and noise.
and c) Alpha-numeric characters c) -characters do not generated with a 7 x 9 have less than a 5 x 7 dot matrix or larger are dot matrix, preferable; characters with 5 x 7 dot matrix are acceptable, if necessary.
and d) density of display is less d) Display density is not than 25% when complex greater than 40%
symbology e.g. mimics are displayed, and e) for ease of detection, e) CFMS symbols are well acceptable symbol to back- highlighted and ground contrast ratio should distinguishable from fall in a range of 3:1 to 4:1. background for all important data.
O)
Document No. 1370-ICE-1302 -118- Rev. 01
- - - - , , - - , ,n. , ---n..n,.. -.,-., -- -- --~..----,...e,,-, . , , - - . , - ,v.-, - , , .,,
ICE-036(81G2)/jg 120 CFMS
' v('} . . Compliance and f) motion of data displayed on a f) See b)
CRT to prevent screen burnout is at a rate slow enough to avoid distracting the operator.
0696 Requirement 0696
- 20) ~
Display Accessibility Section
, 5.2 The display shall be readily accessible and visible to the:
4 Shift Supervisor Control Room Senior Reactor Operator Shift Technical Advisor One Reactor Operator.
0835 interpretation This criterion is satisfied p when:
V a) physical obstructions do a) no physical obstruction,'CRT not block a person's field and plasma display inset of view when the person is low in new operating consoles.
at the normal work station.
and b) if the SPDS is not in the b) CRT visible from seated operator's direct field of position (Figure 3) view at the workstation, a reorientation of his/her-field of view allows viewing the SPDS from the workstation.
and c) members of the control room c) CRT part of operators desk operating crew have physical access to the SPDS from their normal workstation. For example, a short direct walk to the SPDS is acceptable, and d) glare from normal or emergency d) anti gloss CRT screens used lighting does not restrict viewing of the SPDS from within the control room. The use of antiglare techniques and devices are acceptable when they are in b^, accord with other criteria stated in this report.
Document No. 1370-ICE-1302 _119 Rev. 01
ICE-036(31G2)/jg121 CFMS Compliance and e) luminance levels and luminance e) CRT adjustable locally contrast do not limit viewing for maximum visibility from locations throuchout control room.
0696 Requirement 0696
- 21) Control Accessibility Section 5.3 The display system shall not interfere with the normal movement of the control room operation crew. The display system shall not interfere with full visual access to other control room operating systems and displays.
0835 Interpretation This criterion is satisfied when:
a) the display system does not a) CRT does not obstuct the obstruct the normal move- normal movement of the ment of the control room operator operating crew.
and b) the display system does not b) CRT does not obstruct the interfere with the full visual access to the other visual access to other control' control room systems and room operating systems and displays displays.
0696 Requirement -
0696
- 22) Control Room Staff Section 5.4 No additional operating staff other than the normal control room operating staff should be needed for operation of the display.
Document No. 1370-ICE-1302 -120- Rev. 01 Y _ , - . .- .
- !!CE-036(81G2)/jg122
/~l V
CFMS 0835 Interpretation Compliance This criterion is satisfied when: ,
a) no additional operating a) Operators are trained on staff other than the normal operations of SPDS control room operating staff need be added for operation
- of the SPDS.
and b) the operator training program b) Operator training on-contains instructions on the functional use of the use of the SPDS. ,
SPDS includes instructions on use.
and c) an SPDS user's manual is c) Users manual available available for operator in the control room.
reference in the control room.
and d) interaction with and SPDS d) Operator can call up computer is designed such displays, perform all that training in computer historical data storage '
i programming is not required. and reset alarms from the alphanumeric keyboard.
l 0696 Requirement -
0696
- 23) Operator Interaction Section
! 5.5 Flexibility to allow for interaction by the operator is desirable in the design of the display designs.
0835 Interpretation 1
The criterion is satisfied when:
4 a) the system contains a,b,c) Each display station.has operator interactive an alpha-numeric keyboard devices. with 11 (eleven) function keys that allsv the b) the display system operator to manipulate positively acknowledges displays-set up historical each request that the data storage and retrieval design allows the operator tasks, acknowledge and to make. -
reset alarms. Positive identification of operator n
U .
. Document No. 1370-ICE-1302 -1 21 - Rev.~ 01
,4'-
ICE-036(81G2)/jg 123
]A 0835 Interpretation Compliance CFMS
.c) system response times to requests can be observed operator request conform to from display changes, the guidelines of NUREG 0700. Response times are designed
- Undue time delays in response to be less than 5 seconds.
- to a request are unacceptable. l 4
Function keys for the recall of data are the preferred type of interactive devices. Keyboards are acceptable for use in the recalling of data provided the necessary syntax is
- simple and straightforward to use.
Alpha-numeric keyboards added to s SPDS should have the same keyboard layout as other keyboards in control room. Other interactive devices I
such as touch panels or light pens may also be acceptable.
0696 Requirement 0696
- 24) Failure Recognition Section ,
t 5.6 The control room operations staff shall be provided with sufficient information and. criteria for performance of an operability evaluation .
l of the SPDS.
0835 Interpretation This criterion may be l satisfied by:
f a) designing a monitoring a) There are a number of system in the display which software and hardware i may be automatic or diagnostics within the operator activated. CFMS that will alert the operator'to hardware
. or software failures.
E or .
l b) a display of calendar date b) 'The CFMS has the current i and time of day, with some time displayed within 5' i means of indicating the seconds on each display
- passage of seconds. The page.
l, - display should be updated i
only when the system is operating properly so that O
I Document No. 1370-ICE-1302 Rev. 01
-122-i
. . - . . . , - - - , - - , - . . . . , - , - - . . . . - . , - - , . , . . . ~
ICE-036(81G2)/jg 124-3 CFMS f 0835 Interpretation Compliance a static time would indicate a system failure.
The data and time should be located in a corner of the display so as not to distract the operator.
or c) the operable status of the display system is available upon operator demand.
or d) An equivalent means of evaluating display system operability is available.
0696 Requirement 0696
- 25) Technical Specification Section 5.6 A technical specification of operations is required to define compensatory measures for the operator when the SPDS is inoperable.
0835 Interpretation This criterion is satisfied when:
a) the technical specification a) no technical specifications defines acceptable compens- exist on SPDS, however QSPDS atory measure for each is a seismic qualified
- function performed by the backup display _ system SPDS.
The use of the seismic qualified back-up display, monitored on a frequent basis, may be an accept-i able compensatory measure. The l same minimum set or comparable set of safety status parameters on the SPDS primary display format should be present on the backup. Also, the backup display must be readily interpretable by the operator.
i .
lO Document No. 1370-ICE-1302 -123- Rev. 01
ICE-036(81G2)/jg 125 r3 CFMS
's_J 0696 Requirement Compliance 0696
- 26) Audible Alarms Section 5.5 Where feasible, the SPDS should include some audible notification to alert personnel of an unsafe operating condition.
-0835 Interpretation This criterion is met when:
a) the display system emits a) The CFMS provides an a distinct audible sound, output for critical such as the beeper function alarms for the-available on computer plant annunciator.
terminals, upon detecting an abnormal operating condition.
and b) the SPDS alarm system has b) The CFMS keyboard will provisions to silence, acknowledge all visual acknowledge, reset and alarms on the display.
-Os test these functions, as The plant annunciator appropriate. system has the capability to acknowledge and reset An audible alarm from the SPDS the audible alarm.
need not meet the intensity requirements given in NUREG-0700.
SPDS alarms should be independent of the annunciator system and should not result in the gener-ation of the same audible alarms as the annunciator system.
0696 Requirement 0696
- 27) Functional Qualification Section 5.1 A functional qualification program should be establ-ished to demonstrate SPDS operational conformance with the functional design criteria.
Document No. 1370-ICE-1302 Rev. 01
-124-
I ICE-036(81G2)/jg 126 l fM
(> 0835 Interpretation CFMS Compliance This criterion is satisfied when:
a) a test plan is avail- a) A test plan exists for able for the display the CFMS that tests all system. The test plan major functions of the shall define a minimum SPOS (reference 5).
. of one test case,for each major functional criterion of the display system. The object of the test case is to illustrate the correct performarce of the implem-ented design.
and b) a test report containing the b) A test report was results of the test cases completed based on the is compiled. All major the' plan in a) above functional criteria must be tested successfully.
and c) all display formats in the c) displays are given human design are tested, including factors considerations.
mode dependent formats. There are no mode O and dependent formats.
d) a human factors review of the d) for human factors SPDS in accordance with considerations, see-appropriate portions of Section II.
NUREG-0700 is perfonned with results evaluated in accordance with the guidelines presented in NUREG 0801. The results of this effort are to be documented by the licensee /
applicant as part of the control room design review.
and e) a trained control rocm e) Control room orerating operating crew can crew has receive!j effectively use the SPDS functional training to detect abnormal plant on the use of the CFMS.
operating conditions which impact safety.
m U-Document No. 1370-ICE-1302 -125- Rev. 01
ICE-036(81G2)/jg 127 3 CFMS (V 0696 Requirement Compliance 0696
- 28) Backup Displays Section 5.6
. Displays designated as a seismically qualified backup to the SPDS must be designed to accepted human engineering principles.
0835 Interpretation This criterion is satisfied when:
a) the back-up displays a) The backup SPDS display, contain the same minimum the QSPDS, displays a set of safety status smaller, but similarly parameters as presented in organized set of IE inputs the primary display format vital to plant safety.
of the SPDS or an equivalent comparable set of safety status parameters.
and b) the back-up display is capable b) The backup display has s of operating during and been seismically quali-
- following earthquakes, to the fied from sensor through same degree as control room the display, displays needed to comply with Regulatory Guide 1.97.
and c) the needed seismically c) All of the backup SPDS qualified displays are parameters are available concentrated into one on 2 redundant displays (2).
segment of the control board. Dependence on i poorly human-engineered
( Class IE seismically qualified instruments that are scattered through-out the control room is not acceptable.
and d) the backup displays, when d) Human factors consider-reviewed as a grcup, ations have been conform with the guidelines incorporated into QSPDS of NUREG-0700. design.
i O
i a Docuntent No.1370-ICE-1302 -125- Rev. 01 u u . _ . . _ __ _ _ _ .. _. _ _ . _ _ -_, . . _ _ _ . . _ ._ . .. -.
ICE-036(81G2)/jg 128
(~; CFMS Compliance and e) meters on the control board e) Displays are separate which are part of the SPDS from the control board, backup display are readily identified and are not likely to be confused with similar meters in the vicinityT'
~~
0696 Requirement 0696
- 29) Primary Display, Section Seismically Qualified 5.6 ,
It is preferred that only one display system be used for evaluating the safety status of the plant.
However, an alternative is to design the overall SPDS function with a primary and a backup display.
0835 Interpretation When the option for a seismically qualified -
primary display is selected, this option is
_ satisfied when:
a) the design of the primary a) This option not display conforms to implemented.
Regulatory Guide 1.97, Revision 2, December 1980.
'" Instrumentation For Plants
. to Assess Plant and Environs .
l Conditions During and Following An Accident" and b) the design conforms to the acceptance criteria defined l in this report, with the-l exception of the context of Section 28, Backup Displays.
e l- Document No. 1370-ICE-1302 -127- Rev. 01
ICE-036(81G2)/jg 129 f-~ V. SAFETY ANALYSIS ITEMS D)
- 1. The safety parameter display system is electrically isolated from
.all other safety systems. All inputs are wired through analog and digital chassis cabinets, and the CFMS operates on its own power supply. Thus, the CFMS would not degrade any other safety related 4
, system.
- 2. The SPDS serves as a backup for main control board information
([]) during normal conditions, and as such would only confirm indications ,
in the control room. The CFMS would not provide any misleading information that could not be confirmed on the main control board, and therefore confuse an operator to take inappropriate action.
i
- 3. The SPDS contains approximately 1000 points; and with the exception of composed points, all the inputs can be confirmed.through other instrumentation.
O. -
Document No. 1370-ICE-1302 -128- Rev. 01 .
7 ICE-036(81G2)/jg 130 v
- 4. The SPDS will not pose a safety hazard; it is a passive, monitoring
.and indication system only, and.does not interfere with the J
automatic initiation of any protection system.
- 5. The CFMS contains the five critical safety functions of Supplement 1 to NUREG-0737. The correlation between the eight critical functions of the CFMS and the 5 safety functions listed in Supplement 1 is discussed in section 1.B.3.
F t
O t
i D
l s l
, 1 g?
~
l L
l l
Document No. 1370-ICE-1302 -129- Rev. 01
ICE-036(81G2)/jg 131
~
REFERENCES (1) L. P. Goodstein and J. Rasmussen, " Man-Machine System Design Criteria in Computerized Control Rooms," proceedings of ASSOP080, IFIP/IFAC Symposium, Trondheim, Norway, June, 1980.
(2) Yankee Atomic Electric Company, " Verification and Validation of the Yankee Plant Safety Parameter Display System", Nuclear Safety Analysis Center /61, January, 1984.
(3) M. M. Danchak, " Alphanumeric Displays for the Man-Process Interface," Combustion Engineering TIS-5301, Windsor, CT.
(4) M. M. Danchak, "The Man-Process Interface Using Computer Generated CRT Displays," ISA Power Symposium, New Orleans, LA, May, 1977.
(5) Functional Test Procedures for San Onofre Nuclear Generating Station-CFMS, 1470-ICE _4503, Rev. 03.
.O Document No. 1370-ICE-1302 -130- Rev. 01
. _ . - - . . ~
. . .== - _ -= . . .. . - . _ . _ . . - _ - - . . _ -
' ICE-036(81G2)/jg 132 (6) W. R. Corcoran, et.al., "The Operators Role and Safety Functions,"
< Workshop on Licensing and Technical Issues, Washington, D.C., March
! 1980.
t i
E Y
i
- O l
i I
1 i
i i
I f
1 l Document No.1370-ICE-1302 -131- Rev. 01 i
.-. ,_..,m.- _. . . _ _ . . ~ , . . - , , _ _ _ _ - _ . _ _ _ _ _ _ . . . , _ . _ _ . - _ , . _ . _ . . _ . . _ _ _ _ , _ _ . _ _ _ . .