SPDS Sar,Millstone Nuclear Power Station,Unit 2

ML20100E095
Person / Time
Site:	Millstone
Issue date:	03/31/1985
From:	NORTHEAST NUCLEAR ENERGY CO.
To:
Shared Package
ML20100E086	List: ML20100E083 ML20100E095
References
RTR-NUREG-0737, RTR-NUREG-737, TASK-1.D.2, TASK-TM TAC-51257, NUDOCS 8504030271
Download: ML20100E095 (52)
v • d • e

Text

w ,

Docket No. 50-336 Attachment No. 2 Millstone Nuclear Power Station, Unit No. 2 Safety Parameter Display System Safety Analysis Report i

i March,1985 8504030271 850325 PDR ADOCK 05000336 p PDR

~

1.0 INTRODUCTION

1.1 Summary of the Safety Analysis This report provides a written safety analysis for the Millstone Unit No. 2 Safety Parameter Display System (SPDS). Information is provided to show that the SPDS is being designed to meet the provisions of Supplement I to NUREG-0737.

The safety functions were selected to be consistent with the Millstone Unit No. 2 Emergency Operating Procedures (EOPs). These EOPs are based on the Combustion Engineering Owners' Group Emergency Procedure Guidelines.

The SPDS displays are being developed with the consideration of human factors principles. Signals input to SPDS will be evaluated for quality and validation. A verification and validation program will be conducted, including an independent review of the SPDS.

In this manner, a SPDS design is being developed that will provide an effective aid to the operators in determining the safety status of the plant during emergency conditions.

1.2 Discussion The SPDS represents one part of an integrated emergency response capability. It will be consistent with the Emergency Operating Procedures (EOPs) and the Operators' Training Program. For Millstone Unit No. 2, the EOPs are based upon the Combustion Engineering Owners' Group Emergency Procedure Guidelines.

The SPDS is being designed to complement the EOPs (i.e., to aid the operator in executing the BOPS). It is not intended that the SPDS be necessary for EOP execution. The major use of the SPDS during emergency conditions will be to independently monitor the safety status of the plant and alert the operator if the safety function status degrades.

In doing this, it allows the reactor operators to quickly "see" the overall plant condition and how actions taken affect the maintenance of the six Safety Functions (SFs).

The EOPs determine whether or not these SFs are being satisfied following a reactor trip by asking if certain key parameters are within acceptable limits. These same questions will be asked by the SPDS and the acceptability of the results displayed on the SPDS monitor as a series of color coded boxes. Lower level displays will be available to allow the operator to quickly determine why the resulting SF status is indicated.

1.3 NRC Criteria 1.3.1 Supplement 1 of NUREG-0737 Regarding the SPDS, Section 4.1 of Supplement I to NUREG-0737 identifies the following NRC criteria:

a. The SPDS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and

2--

reliably determining the safety status of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, the prm, cipal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core. This can be particularly important during anticipated transients and the initial phase of an accident.

b. Each operating reactor shall be provided with a Safety Parameter Display System that is located convenient to the control room operators. This system will continuously display information from which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events.

c. The SPDS shall be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems. Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available, will be develped by the licensee in parallel with the SPDS. Furthermore, operators should be trained to respond to accident conditions both with and without the SPDS available.

d. The selection of specific information that should be provided for a particular - plant shall be based on engineering judgment of individual plant licensees, taking into account the importance of prompt implementation.

e. The SPDS display shall be designed to incorporate accepted human factors principles so that the displayed information can be readily -

perceived and comprehended by SPDS users.

f. The minimum information to be provided shall be sufficient to provide information to plant operators about:

(i) Reactivity control (ii) Reactor core cooling and heat removal from the primary system (iii) Reactor coolant system integrity (iv) Radioactivity control (v) Containment conditions The specific parameters to be displayed shall be determined by the licensee.

~

The remainder of this report defines the extent of compliance of the Millstone Unit No. 2 SPDS with the above NRC criteria.

1 1

i i

4 2.0 SPDS DESIGN DESCRIPTION 2.1 - Overview One function of the Millstone Unit No. 2 plant process computer system is to supply information required for responses to an emergency condition.

This report covers only those functions of the plant process computer related to SPDS.

2.2 SPDS Definition

, SPDS aids the control room operating crew in monitoring the status of the SFs that constitute the basis of the EOPs. Its principal purpose is to aid the control room personnel during emergency conditions by independently monitoring the safety status of the plant and alerting the operators if the SF status degrades.

2.3 SPDS Availability Although the SPDS will not be a safety-grade system, implementation of a highly reliable, state-of-the-art SPDS is an important design objective.

As a design objective, the availability of the SPDS will be greater than 99 percent during normal plant operation.- In this context, design availability is understood to encompass the following minimal functional capabilities:

a) The ability to monitor and display the status of the safety functions.

b) The ability to determine the value and quality of all variables which are used in the SF status determination.

2.4 SPDS Use and Location SPDS displays of SF status and supporting -displays, including status determination and algorithm information, will be accessible to operators in the vicinity of the main control board.

2.5 Modes of Operation The EOPs are designed for use following a reactor trip, which can only occur during modes 1,2 and 3 (power operation, startup, and hot standby). .

Thereby, SPDS availability is only required for these modes. The SPDS algorithms are monitored, however, for both pre-trip and post-trip conditions. Those parameters which are inappropriate for pre-trip conditions are noted in Appendix B and are not monitored prior to reactor trip.

~

}

2.6 Signal Validation The SPDS will have the capability of validating individual signals used in SPDS displays and algorithms by use of simple analysis, checking and comparative methods to be specified for each SPDS variable.

2.7 Electric Power Sources The SPDS, as part of the plant process computer system, will be powered from an uninterruptible power supply, capable of supplying power to the computer system after a loss of offsite power.

2.8 Electrical Separation The SPDS, as part of the plant process computer system, will receive signals from both Class IE and non-lE sources. Electrical separation will be provided for all signals, power sources and output devices.

2.9 Data Storage Capability will be provided to store SPDS variables for the interval from two hour pre-event to twelve hours post-event.

l

3.0 SPDS SAFETY FUNCTION AND VARIABLE SELECTION 3.1 Selection Procedure The SPDS will be designed to be consistent with the EOPs. In order to assure this consistency, the SPDS will:

a. use the same SFs as the EOPs, and

b. monitor, as closely as reasonably possible, the same system parameters as the EOPs.

The EOPs are designed to be used following a reactor trip. They define a set of procedural steps to affect plant recovery. The Standard Post Trip Actions Procedure is designed to stabilize the plant following a reactor trip. The Reactor Trip Recovery Procedure (EOP 2526) is entered for an uncomplicated reactor trip. If a transient occurs which either causes the trip or results from the trip, the EOPs direct the operator to go to either event-oriented procedures or a Functional Recovery Procedure (EOP 2540).

An integral part of these EOPs are the Safety Function Status Check sheets. These check sheets are tailored for each specific procedure and are designed to assure that:

a. all necessary information is reviewed when using the procedures,

b. the EOP being used is producing acceptable results, and

c. all SFs are being maintained within acceptable limits.

To complement this process, the SPDS can be most effectively used to continuously monitor the EOP safety functions and assist the operator with the safety function evaluation scheme defined in the EOPs.

The SPDS has two separate severity limits for each SF. The first limit (Severity 1) corresponds to the SF status check limits defined in the Reactor Trip Recovery Procedure. These limits should not be exceeded following an uncomplicated reactor trip. The second limit (Severity 2) corresponds to the SF status check limits defined in the Function Recovery Procedure. In general, these are the limits which should not be exceeded during a design basis transient.

'Ihe EOPs also contain SF status check limits for the event-oriented procedures. Depending on whether or not the SF is challenged for the particular transient, these limits are generally consistent with those in either the Reactor Trip Recovery or the Functional Recovery Procedures.

If the operator tells the SPDS that he has selected an event-specific procedure for use, the SPDS will also compare the existing plant conditions with the event-specific SF status check limits to determine if any of the event-specific limits are violated.

3.2 Safety Functions As stated above, the SPDS SFs correspond to the EOP Safety Function Check lists for the Reactor Trip Recovery Procedure and the Fmetional .

Recovery Procedure. These lists are included as Appendix A. The SFs are ,

summarized below: )

Safety Function Purpose I. Reactivity Control Shutdown reactor and maintain it in a subcritical condition.

II. RCS Inventory Control Maintain a coolant medium around the core.

III. RCS Pressure Control Maintain the coolant in the proper state.

IV. RCS Heat Removal Transfer heat from the core to the coolant and from the coolant to a heat sink.

V. Containment Integrity Assure adequate radiation control and acceptable containment conditions for equipment required for accident mitigation.

VI. Vital Auxiliaries Maintain the systems necessary to support the other SFs.

The status of each of the six SFs is indicated by three states, each state

, being represented by a different color. These states correspond to which (if any) of the severity limits are exceeded. The green color corresponds

to the Severity 1 (nominal post scram) limits not being exceeded for that particular SF. The yellow color corresponds to one or more of the Severity I limits being exceeded, but the SF is still being satisfied by being within the Severity 2 (design basis analysis) limits. The red color implies that both the Severity 1 and Severity 2 limits are being exceeded,

! and that the SF has degraded beyond the analyzed design basis response.

l .l

The algorithms used for the SPDS SF severity level evaluations are shown  !

l in Appendix B. These severity levels are used as described above to determine the SF status. Comparison of the Appendix A (EOP Safety Function Check Sheets for the Reactor Trip Recovery Procedure and the Functional Recovery Procedure) and Appendix B (SPDS SF algorithms) show the consistency between the EOPs and the SPDS.

I i- .-

s

1 3.3 Safety Function Instrumentation The variables used for SF monitoring, and the plant instrumentation used to monitor the variables, are listed in Appendix C. They are grouped by safety function.

3.4 Analytical Basis for Safety Function and Variable Selection The SPDS SFs and variables have been chosen to be similar to those in the Millstone Unit No. 2 EOPs. These EOPs are based on the generic Combustion Engineering EPGs (Reference 1) which have previously been accepted for implementation by the NRC (Reference 2). The Millstone Unit No. 2 upgraded EOPs were implemented on January 7,1984. The Millstone Unit No. 2 Procedures Generation Package was initially submitted on September 1,1983 (Reference 3), and subsequently revised on January 30,1985 (Reference 4).

3.5 Emergency Response With and Without SPDS The Millstone Unit No. 2 EOPs are currently written for implementation without the SPDS. They will be revised following installation of the SPDS to include appropriate reference to SPDS use. Note that the EOPs are written to monitor safety function status with or without SPDS available.

4.0 SPDS DISPLAYS 4.1 Display Philosophy Each display location provides independent access to SPDS displays.

Displays selected at one CRT can be different from those displays selected elsewhere. The primary display gives information on the status of the SFs. Secondary displays will be provided to indicate:

a. The process values of the SPDS inputs

b. The algorithms used for SF determination These secondary displays will be designed to aid the operator in determining what current plant conditions result in the SF determination shown in the primary display.

The SPDS displays will be implemented with a hierarchy or structure that facilitates and systematizes passage between displays.

4.2 Primary Displays At least one control room CRT will continuously monitor the status of all SFs during modes 1, 2 and 3. Other information may be displayed simultaneously as long as the status of the SFs are still able to be determined.

Each SPDS display will show a common set of indications of the status of the SFs. Status indication colors will correspond to that described in Section 3.2. The format for presenting this information will be common to SPDS displays.

4.3 Secondarv Displays During normal, transient and accident conditions, access will be provided to a certain number of predefined displays. These secondary displays will support the SF status indicators and enable the operating crew to determine / evaluate the reasons for changes in the SF status.

The set of secondary displays will consist of at least one display oriented to each of the following functions:

a. Reactivity Control SF variables and status algorithms

b. RCS Inventory Control SF variables and status algorithms

, c. RCS Pressure Control SF variables and status algorithms

. d. RCS Heat Removal SF variables and status algorithms l

l l

t

i

e. Containment Integrity SF variables and status algorithms

f. Vital Auxiliaries SF variables and status algorithms 4.4 Display Change Each secondary display will be accessible directly or through a menu.

Once a secondary display is presented on the CRT, other supporting displays can be accessed in a timely manner.

All display page changes will be operator initiated and not computer initiated.

, 4.5 Variable Status Indication

! All SPDS variables will be displayed with a visual indication of the associated quality level as determined by SPDS data processing and validation (e.g., invalid or unvalidated variables will be tagged).

Appropriate status indication will also be available on displays of SPDS variables when out-of-scan, substituted or dummy signals are involved.

I i

a l

i 4

J i

1

-- , , - - - - , ,- , . . - , - , , . . . . , . . , - - - - , . - . , , , . - - , w-, ,- ,n- -.,--,,e..,- - - ~ , . - , ,,-,n-- , . . - - - , . , - , ~ , - - - - - , , - ~ . ,

e 5.0 SIGNAL VALIDATION 5.1 Introduction 4

The use of misleading data by the SPDS should be avoided since it can adversely affect the quality of many variables. Sources of misleading data include sensors that fail, peg, or are removed from scan and instrumentation that drifts. Signal validation techniques will be incorporated into the sof tware processing to reduce the chance of using inappropriate data.

5.2 The Validation Process Sensor signals used by the SPDS will undergo pass / fait processing, range limit checking and signal validation, as appropriate, before being used in the algorithms which determine the status of the safety functions. The quality of a plant parameter is indicated by its quality tag. AllSPDS parameters including calculated values carry a three state quality tag:

validated, unvalidated, and invalid. The validation process is as described below:

a. Pass / fall processing determines whether or not a sensor signal is in scan, the multiplexor communication interface is operating within design limits, and the analog / digital converter drif t is within design limits. A sensor signal failing pass / fait processing is assigned an invalid quality tag.

b. Range limit checking assures that a sensor signal is above the lower five percent (typical value) and below the upper five percent (typical value) of its instrument range. A sensor signal not within the range limit is assigned an unvalidated quality tag.

c. Signal validation determines whether or not a sensor signal is consistent with other redundant signals within a specified error band.

A sensor signal failing signal validation is assigned an unvalidated quality tag and one passing is assigned a validated quality tag.

Validated parameters will be used by the SPDS to evaluate the status of the safety functions. The status of each safety function will be displayed along with estimates of the plant parameters and their quality tags and the sensor signals and their quality tags.

It is believed that the described use of signal validation will provide input to the SPDS that:

a. is purged of inconsistent signals when remaining signals are consistent,

b. is chosen using pre-established decisions if sufficient consistency is lacking, and

}

4

c. is tagged to inform the operator of its quality status.

Thus, the process is designed to provide extra reliability and to reduce decision-making-overhead in emergency situations.

t i

e i

i 4

1 2

I

6.0 VERIFICATION AND VALIDATION 6.1 Verification and Validation Overview This section provides an overview of the system verification and validation program. The objective of the Verification and Validation (V&V) program is to provide a quality SPDS through independent technical review and evaluation conducted in parallel with SPDS development.

When V&V is integrated with the SPDS development process it provides a means for:

a. independent technical evaluation of the system

b. assuring formally documented implementation

c. improved integration of system hardware and software

d. regulatory review and approval 6.2 SPDS Verification and Validation Key overall elements of SPDS V&V will be to assure:

a. Comprehensive technical review of system functional requirements to determine that the SPDS will perform appropriate functions.

b. Comprehensive technical evaluation of the implementation process to establish that tasks are a consistent, complete and correct translation of previous tasks.

c. Adequate documentation of the system, as well as for system implementation.

d. Adequate configuration management to document and control system and implementation changes.

6.2.1 SPDS Design Verification The objective of SPDS design verification is to review the systera functional and design requirements to determine that they are adequate and technically correct, and then to review the following design activities to verify that the translation of requirements is adequate and technically correct throughout the ensuing design steps.

1

. e System functional requirements are the foundation on which the SPDS will be designed, built, installed and accepted. The system design will also be validated against the functional requirements. SPDS functional requirements will be verified against the criteria of Supplement I to NUREG-0737 and any other criteria that are identified to serve as the basis for SPDS functional definition.

After verification of the functional and design requirements, other design documentation will be verified for accurate and complete translation of the requirements from various tasks in the design process to the subsequent ones. Verification will include a correlation between the design features and the requirements.

6.2.2 SPDS Validation SPDS validation will be conducted using a combination of the three levels listed below and will assure that the system meets functional requirements and will aid control room use of EOPs.

a. Factory Testing SPDS sof tware and hardware may be integrated for functional testing prior to site installation. Testing will be conducted for appropriate hardware, software and system functions in accordance with a systematic test plan.

b. Installation and Acceptance Testing Af ter SPDS installation in the plant has been completed, functional testing will be performed to demonstrate correct operation of the installed SPDS hardware and sof tware. End-to-end checkouts of all SPDS inputs and outputs will be performed. These checkouts will cover from sensor signal input to SPDS variable display.

c. Man-in-the-Loop Evaluation Operations personnel, trained in EOPs, will review SPDS displays and interfacp provisions. The objective of this evaluation (not I necessarily performed in the control room) will be to review the

! SPDS design as a potential aid to emergency response by operations personnel.

i i

t

1 7.0 HUMAN FACTORS ENGINEERING 7.1 Human Factors Engineering The fundamental SPDS design objective is to serve as an operator aid to monitor the overall safety status of the plant. Human factors considerations are an integral part of a program to develop such a system.

This section describes the role of the primary SPDS user, the context of use, and the human factors principles that will be incorporated into the SPDS design.

7.2 SPDS Use The Millstone Unit No. 2 control room personnel include:

a. One Shif t Supervisor (SS), SRO licensed, Shif t Technical Advisor (STA) qualified

b. One Supervising Control Operator (SCO), SRO licensed

c. Two Control Operators (CO), RO licensed The SS and SCO will be the primary SPDS users. The SPDS is intended to help the SS and SCO in managing the plant during unusual situations where problem detection and problem solving on a plant wide scale are involved.

The major role of the SPDS is to help the operating crew by monitoring the safety status of the plant and alerting the operator if the SF status degrades.

The SPDS is intended as an aid to the SS/SCO, not as a replacement for necessary safety instrumentation. The SPDS serves as a concentrated data source and thus permits the SS/SCO to obtain desired information without walking the boards to check readings. SPDS displays will be accessible to COs to help maintain the needed understanding of the overall picture and to foster a team approach to plant emergency response.

7.3 Human Factors Design Guidelines The following is a discussion of the human factors activities to be accomplished during the development of the SPDS computer generated displays.

7.3.1 Task Definition i This activity is designed to acquaint the designer with the reasoning behind the display requirements and to give him a feel for how and when I

the displays will be used. The designer determines how each task is

presently performed, the information needed to accomplish it, and how l the display can assist in plant performance.

7.3.2 Determine Equipment Considerations The purpose of this activity is to assure that any limitations which may be imposed by the equipment are known to the display designer. For

- example, the designer needs to determine the amount of information that will fit on one CRT screen, colors available, controls, brightness, etc.

7.3.3 Determine Viewing Environment The purpose of this activity is to become familiar with the location and environment in which the equipment is to be used, it is also necessary to

, determine the positions (e.g., standing,' sitting, viewing distances) from which the user will want to read the information on the displays.

' ~

7.3.4 Determination of Human Factors Criteria This activity is to obtain a definition of existing human factro criteria that apply to the specific environmental conditions or displac, features.

Most of the criteria utilized for CRT displays can be found in Section 6.7.2 of NUREG-0700 (Cathode Ray Tube Displays).

I 7.3.5 Develop Display Concept l The display concept will be developed to give the display designer an overall idea of how he is going to accomplish the total task, how many displays will be used and how each one fits into the total picture. It will enable the design to be in accordance with user capabilities so that the resulting displays mesh with user needs. In general, the designer will develop the following information:

i l a. Identify user needs l b. How many displays are needed

! c. Define the task to be accomplished with each display

i. d. How they should be set up (hierarchy)

e. How the displays are to be accessed

f. How any required data is to be entered i g. How the user can recover from any errors l h. Define user capabilities (e.g., a newly licensed operator)

1. Develop a prompt philosophy based on operator capabilities

, 7.3.6 Design Review l The purpose of this activity is to insure that the overall plan for display l design is satisfactory. This is also another control point in the design

process. It permits the designer to be sure that his product is going to l meet all requirements when it is completed.

i l

i

,. , -.. _.,.-....--- .-. .....,.,,..,.. - n._._._ .. . , . - - - , _ , - . - _ . - . - - _ . . , _ . - , , _ . , , , . - . , . - , - , . , , , , , . . - , .

7.3.7 Develop Displays This is the actual design of the displays. All of the activities above are designed to get the designer to this point with enough knowledge of user needs, equipment capabilities, and the environmental constraints so that the resulting product is compatible with all requirements. In general, the following activities are performed as part of this process:

a. Determine how the needed information is to be shown.

b. Determine the appearance of each display element.

c. Determine the colors to be used.

d. Determine the dynamics of each variable element.

e. Determine access to each display.

f. Determine how the user can recover from errors.

g. Determine what prompts are to be used and where.

7.3.8 Display Review The purpose of this step is to insure that the detailed design meets all the original requirements. An important step in this process is a review of the displays by typical users (i.e., plant operators).

7.3.9 issue System Specification This is the final control point for the display design before its release for implementation. It also provides clear guidance to programming personnel regarding the final product.

8.0 SAFETY EVALUATION The SPDS will be designed to complement the EOPs (i.e., to aid the operator in executing the EOPs). It is not intended that the SPDS be necessary for EOP execution. The major use of the SPDS during emergency conditions will be to allow the reactor operators to quickly "see" the overall plant condition and how actions taken affect the maintenance of the six Safety Functions (SFs). The currently planned SPDS design has the following characteristics:

a. It cannot directly cause any plant transient.

b. It does not direct the operator to perform any action.

c. It will not affect the operation of any safety grade equipment because it is appropriately isolated from them (See Section 2.8).

d. It is not required for EOP execution.

e. It will not provide misleading information to the operator because of the Signal Validation (see Section 5.0) and the substantial Verification and Validation effort (see Section 6.0).

Because of the above assessment, it can be concluded that the SPDS will not directly affect the operation of any plant component, nor will it adversely affect the operators ability to diagnose and respond to a plant transient. Therefore, it will not cause any previously unanalyzed accident or increase the probability of occurrence of a previously analyzed accident.

The SPDS will be strictly a monitoring device and will not directly cause-any plant operation. Therefore, it cannot affect any of the accidents analyzed in the FSAR nor can it affect any of the barriers between the nuclear fuel and the public. Hence, the SPDS will not increase the probability of occurrence of any previously analyzed accident nor decrease the margin of safety as defined in the basis for any technical specification.

From the above discussion, the following can be concluded about implementation of the planned SPDS:

a. There will not be an increase in the probability of occurrence or the consequences of an accident or malfunction of equipment important to safety (i.e., safety-related) previously evaluated in the safety analysis report.

b. There will not be a possibility for the creation of an accident or malfunction of a different type than any evaluated previously in the safety analysis report.

I

c. There will not be a reduction in the margin of safety as defined in the basis for any technical specification.

Therefore, the implementation of the SPDS will not constitute an unreviewed safety question as defined in 10CFR50.59. In addition, it will not require any changes to the plant's technical specifications.

1 I

4

)

4 i

9.0 CONCLUSION

The SPDS for Millstone Unit No. 2 is being designed to adequately address the provisions of Supplement I to NUREG-0737. Specifically:

a) The SPDS will provide a concise display of important plant variables to aid the control room operators in determining the safety status of the plant that is consistent with the Combustion Engineering Emergency Procedure Guidelines and the Millstone Unit No. 2 Emergency Operating Procedures, b) The SPDS will display SF information on colorgraphic terminals located in the control room. The SPDS will monitor the status of the

safety functions continuously. The SPDS will be part of the plant i process computer system and is being designed to meet availability considerations consistent with SPDS criteria.

c) Since the SPDS will be completely consistent with the Emergency

! Operating Procedures, only one set of procedures is required for emergency response with and without the SPDS.

d) The safety functions and variables have been selected to be consistent with the analytical basis of the Emergency Operating Procedures.

e) The SPDS displays are being designed to meet human factors principles, f) The SPDS provides information about:

! (1) reactivity control i

l (2) core cooling and heat removal i

I (3) RCS integrity l

I (4) radioactivity control (5) containment conditions l

l (6) vital auxiliaries i

! This safety analysis shows that the SPDS will be consistent with the

! Millstone Unit No. 2 Emergency Operating Procedures and provides an l integrated approach to emergency conditions. Human factors principles

! are being considered in the design to assure that the operators can use the SPDS effectively. A Verification and Validation Program will assure that i

independent reviews are conducted to assure proper implementation of l the SPDS design.

l l

l

a

, e The development of the SPDS will be an effective aid for the control room operators to determine the safety status of the plant during emergency conditions.

l i

I l

L

e

10.0 REFERENCES

1. " Combustion Engineering Emergency Procedures Guidelines", CEN-152 (Rev 1).

2. Safety Evaluation of " Emergency Procedure Guidelines", Generic Letter 83-23, dated July 29,1983.

3. W. G. Counsil letter to D. M. Crutchfield/3. R. Miller, dated September 1,1983.

4. W. G. Counsil letter to 3. R. Miller, dated January 30,1985.

r

APPENDIX A EOP Safety Function Status Check Sheets

Approved By Eff. Date PORC Mtg. No.

REACTOR TRIP RECOVERY SAFETY FUNCTION STATUS CHECK NOTES:

1. The purpose of this form is to ensure that all necessary information is reviewed when using E0P 2526, Reactor Trip Recovery. The safety function status check verifies by independent assessment that the operator is using the correct procedure. It also assures that the procedure is satisfying all relevant safety functions and maintaining adequate core cooling.

2. Parameters marked with an asterisk require meter readings to be logged. All other parameters are responded to by yes or no.

3. Safety function status can be determined by evaluating Condition 1 or Condition 2 criteria where provided.

4. Data should be logged approximately every 10 minutes until plant conditions stabilize.

i OPS Form 2526-1 Rev. 1 Page 1 of 5

i 4

REACTOR TRIP RECOVERY SAFETY FUNCTION STATUS CHECK i

f CAUTION I SS/SCO must be notified immediately of any safety function criteria not satisfied.

i ACCEPTANCE TIME / DATA l PARAMETER CRITERIA / / / / / / /

i 4

1. REACTIVITY CONTROL Condition 1 - CEAs Inserted 1

i a. Reactor Power a.

(C04) 1. < 5%

and ii. Decreasing

b. CEA Position b. No more than (C04) one CEA not i inserted i

i k

l 2

l

' OPS Form 2526-1

, Rev. 1 Page 2 of 5

ACCEPTANCE PARAMETER CRITERIA DATA

1. REACTIVITY CONTROL (cont)

Condition 2 - Boration

a. Reactor Power a.

(C04) 1. < 5%

and ii. Decreasing

b. BAST level b. A (CO2) i. level 8 decreasing *

(adding boron to RCS) 9E ii. shutdown margin established per OPS Form 2208-13

2. ,RCS INVENTORY CONTROL

a. Pressurizer Level a.

(C03) i. 20-65%*

and ii. Trending to 35-45%

b. RCS Subcooling b. > 20 F*

OPS Form 2526-1 Rev. 1 Page 3 of 5

4 ACCEPTANCE PARAMETER CRITERIA DATA

3. RCS PRESSURE CONTROL

a. Pressurizer Pressure a. 1900-2350 psia *

(CO3) and

b. Trending to 2225-2300 psia

4. RCS HEAT REMOVAL

a. RCS Tavg a. 530-535*F*

(C04)

b. Steam Generator b.

)

Level (Feed Flow)

(C05) 1. 10-80%* A and B Trending to A 70-80% B SI ii. Feed flow A B

c. Steam Generator c. 880-920 psia

• A Pressure (C05) B

d. CST level (C05) d.

1. > 70%*

SI ii. Action being taken to re-store level OPS Form 2526-1 Rev. 1 Page 4 of 5 l

i

_ . _ ~ . __

ACCEPTANCE PARAMETER CRITERIA DATA

5. CONTAINMENT INTEGRITY

a. Containment Pressure a. <2 psig*

(C01)

b. Containment Temper- b. ,< 120*F*

ature (C01)

c. Containment Rad c. less than alarm Monitors (RC14) setpoint

d. Containment Sump d. no abnormal Level (C06) increase

e. Steam Jet Air e. less than alarm Ejectors and blow- setpoint down Rad Monitors (RC14) i

6. VITAL AUXILIARIES l

a. Buses, 24C and a Energized 240 (C08)

b. Buses, 201A and b. Energized l

2018 (C08) l c. Instrument Air c. > 90 psig l

l Pressure (C06)

OPS Form 2526-1 Rev. 1 Page 5 of 5

Approved Eff. Date PORC Mtg. No.

FUNCTIONAL RECOVERY SAFETY FUNCTION STATUS CHECK NOTES:

1. The purpose of this form is to ensure that all necessary information is reviewed when using E0P 2540, Functional Recovery. The safety function status check verifies by independent assessment that the operator is using the correct procedure. It also assures that the procedure is satisfying all relevant safety functions and maintaining adequate core cooling.

2. Parameters marked with an asterisk require meter readings to be logged. All other parameters are responded to by yes or no.

3. Safety function status can be determined by evaluating Condition 1, 2, or 3 Criteria where provided. Three conditions are necessary in the Functional Recovery Procedure to address a broader range of events.

4. Data should be logged approximately every 10 minutes until plant conditions stabilize.

i l

OPS Form 2540-1 Rev. 2 Page 1 of 11

FUNCTIONAL RECOVERY SAFETY FUNCTION STATUS CHECK CAUTION SS/SCO must be notified immediately of any safety function criteria not satisfied.

ACCEPTANCE TIME */ DATA PARAMETER CRITERIA / / / / / / /

1. REACTIVITY CONTROL Condition 1 - CEA Trip

a. Reactor Power a.

(C04) i. < 5%

and ii. Decreasing

b. CEA Position b. No more than (C04) one CEA not inserted c.

Tc (C03)

c. > 500 F OPS Form 2540-1 Rev. 2 Page 2 of 11

ACCEPTANCE PARAMETER CRITERIA DATA

1. REACTIVITY CONTROL (cont) i Condition 2 - CVCS Boration

a. Reactor Power a.

(C04) 1. < 5%

and ii. Decreasing

b. BAST level (CO2) b. -

1. level A decreasing

• B (adding boron to RCS)

EE ii. Shutdown margin established per OPS Form 2208-13 Condition 3 - Boration Using ECCS

a. Reactor Power a.

(C04) 1. < 5%

and ii. Decreasing

b. SIS Flow b. Acceptable (C01) per Figure 1

c. Charging Flow c. All available (C02) pumps operating

d. RWST level d.

. (C01) i. > 9.5%*

E -

ii. If < 9.5%

Then SRAS i OPS Form 2540-1 Rev. 2 Page 3 of 11

, c- --- , , , - - . ~ .n,.--, ,,----,,----,----m,,---, - - - , - , , - - ------,,_--,,,--,--,---w, -n--,-,,-w,-w ,---r-. , - , - - -<-- -

ACCEPTANCE PARAMETER CRITERIA DATA ,

2. RCS INVENTORY CONTROL l

Condition 1 - CVCS

a. Pressurizer Level a. 20-80%*

(CO3) i

b. RCS Subco< b ng b. > 20'F*

from loop RTD's (ICC display) i c. Reactor Vessel c. Above the Hot Level (ICC Leg

• display) '

Condition 2 - ECCS

a. SIS Flow a. Acceptable (C01) per Figure 1

b. Charging Flow b. All available (CO2) pumps operating

c. RWST level c.

(C01) i. > 9.5%*

EI

ii. If < 9.5%

Then SRAS

d. Reactor Vessel d. > 0%^

Level (ICC 1

display) f d

l OPS Form 2540-1 Rev. 2 Page 4 of 11

ACCEPTANCE PARAMETER CRITERIA DATA

3. RCS PRESSURE CONTROL Condition 1 - Pressurizer

a. Pressurizer Pressure a. Acceptable per (C03) Figure 2 Condition 2 - ECCS

a. SIS Flow a. Acceptable per (C01) Figure 1

b. Charging Flow b. All available (CO2) pumps operating i

t i

l OPS Form 2540-1 Rev. 2 l Page 5 of 11 l

l

ACCEPTANCE PARAMETER CRITERIA DATA

4. RCS HEAT REMOVAL Condition 1 - Steam Generator Heat Removal 4

a. RCS Tavg a. < 545*F*

(C04) 4

b. Steam Generator Level b.

and Feed Flow (C05)

1. 10-80%* A and B ii. Trending to A 70-80% B and lii. Feed flow A B

c. CST level (C05) c.

i. > 70%*

EI l ii. Action being I

taken to restore

level

. h l

l OPS Form 2540-1 Rev. 2 Page 6 of 11

o .

ACCEPTANCE PARAMETER CRITERIA DATA

4. RCS HEAT REMOVAL (cont)

Condition 2 - ECCS Heat Removal

a. Incore Thermo- a.

couple (ICC i. < 800*F*

display) and ii. Constant or decreasing 4 b. SIS Flow b. Acceptable per (C01) Figure 1

c. Charging Flow c. All available (CO2) pumps operating Condition 3 - Once Through Cooling

a. Incore Thermo- a.

couple (ICC i. < 545*F*

display) and ii. Constant or decreasing

b. SIS Flow b. Acceptable per (C01) Figure 1

c. Charging Flow c. All available (CO2) pumps operating

d. PORVs (C03) d. Open

e. Pressurizer e.

Pressure (C03) 1. < 1100 psia

• and ii. Constant or decreasing OPS Form 2540-1 Rev. 2 Page 7 of 11

ACCEPTANCE PARAMETER CRITERIA DATA

5. CONTAINMENT INTEGRITY Condition 1 - No Break Inside Containment

a. Containment Pressure a. < 2 psig*

(C01)

b. Containment rad b. less than monitors (RC05E) alarm setroint

c. Containment H c. < 2%*

2 Concentration (if in service)

(RCOSE)

Steam jet air

d. d. Less than ejectors and blow- alarm setpoint down rad monitors (RC14)

Condition 2 - Break in Containment

a. Containment Pressure a.

(C01) i. < 5 psig*

EI ii. If > 5 psig,

,Then SIAS, CIAS and EBFAS and iii. If > 27 psig Then CSAS

b. Containment H b. If > 2%,

2 Concentration Then H 2

(RC05E) Recombiners operating

c. Steam jet air c. Less than ejectors and blow- alarm setpoint down rad monitors (RC14)

OPS Form 2540-1 Rev. 2 Page 8 of 11

ACCEPTANCE

' PARAMETER CRITERIA DATA

6. VITAL AUXILIARIES

a. Buses, 24C or a Energized 24D (C08) ,

b. 125VDC Buses, 201A b. Energized or 201B (C08) -

c. Instrument Air c. > 90 psig Pressure (C06)

OPS Form 2540-1 Rev. 2 Page 9 of 11

.,. \

FIGURE 1 C . MILLSTONE UNIT 2 I .

.

• MINIMUM REQUIRED SAFETY INJECTION DELIVERY CURVE

1400 i,

.1

! 1300 -

, 1200 - (, l

' n  ;

il

{; 1100 t

1000 - ___

i ___

900 -__,

y --.-.

I E 800-a w

! 6 N D

700- ,,, ,,,,

y -- . -_

W 600< _ -_-. ACCEPTABLE REGION a.

u ' '

N 500-

> u D

E 400<

i M

a. _

300 ,

200 - - -

, il ir==%,

en ne  %

~

' \

100- 2- UNACCEPTABLE REGION q -__

0 800 1600 2400 3200 4000 l TOTAL SAFETY INJECTION FI4W (GPM)

(SUM OF FOUR LPSI AND FOUR HPSI HEADERS) l

• Curve based cm one HPSI ard one IPSI ptmp operatirwJ.

OPS Form 2540-1 Rev. 2 Page 10 of 11 I

. e FIGURE 2 RCS PRESSURE TEMPERATURE LIMITS i LOWEST SERVICE 100*/H0VR TEMPERATURE ** C00LDOWN**

... . s . . . . s . . . . ....s . ...

N0) ACCEPT {BLE \\\ .

000 ~

NOT ACCEPTABL g

[ ACCEPTABLE ,

\ -

2 G1500 -

N E 43 w

g -

8 '

a E

e J

• \

.q

$1000 -

f .

5 ' -

O!

l 5

}

\ ,

500- ,

, \ NOT ACCEPTABLE V

SHUTDOWN

\ ,,

COOLING w

l 0 .. . . . . . . . . . . .... ....

RCS TEMPERATURE (*F)

• This curve supersedes the 100*F/H0VR cooldown curve anytime the RCS has exper-ienced an uncontrolled cooldown which causes RCS temperature to go below 500*F.

• • Curves are lowered by 141 psi to account for possible instrument inaccuracies due to degraded containment conditions.

OPS Form 2540-1 Rev. 2 Page 11 of 11

._. - _ - _ ~ _ _ _ - _ _ _ - , _ - . . _ - _ - , _ _ _ _ - _ _ _ - . _ _ . . - - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

APPENDIX B Safety Function Algorithms *

• Note that the numbers in parenthesis refer to notes at the end of the Appendix. The brackets are included to indicate how the "and" and "or" statements are nested.

I

Safety Function Algorithms I) Reactivity Control (1)

Severity 1 Limits Severity 2 Limits (7)

[ Reactor Power 45% and decreasing (9) Reactor Power 45%

and decreasing and and I(CEA Position not more than 1 SIS Flow greater than I

not inserted assumed design and values I

TCOLD (10) >5000F Charging Flow (8) 240 gpm or and RWST level v9.5%

BAST Level decreasing or or SRAS confirmed Shutdown margin per OPS 2208-13 (manually set to acceptable)

II) - RCS Inventory Control Severity 1 Limits Severity 2 Limits (6)

Pressurizer 20-65% trending to SIS Flow greater than Level (1) 35-45 % assumed design values and and RCS Subcooling 2200F Charging Flow (8) >40 gpm and Reactor Vessel >0%

Level (ll) and RWST levels >9.5%

t or confirmed (SRAS

l Ill) RCS Pressure Control Severity 1 Limits Severity 2 Limits Pressurizer 1900-2350 psia, Subcooling between 200F and Pressure trending to 2000F 2225-2300 psia 9.[

' SIS Flow greater than

{

assumed design

/ values and Charging Flow (8) >40 gpm IV) RCS Heat Removal Severity 1 Limits (2) Severity 2 Limits (6), (3)

RCS Tavg (1) 530-5350F Limit 1 - when at least 1 of the 4 (2 each) PORVs or Block valves closed and during the previous 2 min.

SG Level 10-80% trending Incore Thermo- < 8000F to 70-80% couples and and SIS Flow greater than assumed design Steam Generator 880-920 psia value Press (each) (1) and Charging Flow (8) 740 GPM and Limit 2 - When all 4 (2 each)

CS T Level 7 70 % of the PORV's or Block Valves are open for the last 2 min.

Incore Thermo- < 5450F couples and SIS Flow greater than assumed design value and Charging Flow (8) >40 GPM and Pressurizer <1100 psia Pressure

l

, , V) Containment Integrity Severity 1 Limits Severity 2 Limits (5)(6)

Containment < 2 psig IContainment < 5 psig Pressure Pressure

' SIAS, CIAS, aiid confirmed Containment < 1200F EBFAS Temperature k and and

[ Containment < 27 psig Containment Rad < alarm setpoint Pressure Monitor " or and CSAS confirmed Containment < 95% and Sump Level Containment < 2%

and Hydrogen Concentration Steam Jet < alarm setpoint Air Ejectors and and Blowdown Rad < alarm setpoint Unit 1 Wide Range < 6 uCl/cc Monitor Stack Rad Monitor 4 and and Unit 1 Wide < 0.3 uCi/cc Unit 2 Wide Range < 3 uCi/cc Range Stack Rad Vent Rad Monitor (4) Monitor (4) and Unit 2 Wide < 0.1 uCl/cc Range Vent Rad Monitor (4)

VI) Vital Auxiliaries Severity 1 Limits Severity 2 Limits Bus 24C energized Bus 24C energized or and Bus 24D energized Bus 24D energized and and Bus 201 A energized or Bus 201 A energized Bus 201B energized 4

and and Bus 201B energized Instrument Air < alarm setpoint Pressure and Instrument Air < alarm setpoint Pressure

Notes to Safety Function Algorithms (1) Not monitored prior to generation of reactor trip signal.

(2) One item in the EOPs not included here is steam generator feedwater flow.

This is because main feedwater flow cannot be accurately measured under low flow post trip conditions. The acceptability of feedwater flow is indicated by steam generator level which is monitored here.

(3) If both PORVs and both block valves are open for at least two minutes, the SPDS assumes the operator is attempting to cool the core using the PORVs and the more restrictive Severity 2 Limit conditions apply.

(4) Not currently in the EOPs. It is included in SPDS to provide additional verification of plant radiological readings already monitored in the EOPs.

The limits selected correspond to the Site Area (Charlie 2) and General (Bravo) Emergency Action Levels.

(5) Items in the EOPs not included here are Steam Jet Air Ejector and Blowdown Rad Monitors. These items are included in the Severity 1 Limits. Therefore, inclusion as a Severity 2 Limit is redundant.

(6) The intent of the Function Recovery Procedure Safety Function Check Sheet Condition 1 is met by the SPDS Severity 1 Limits.

(7) The intent of the Functional Recovery Procedure Safety Function Check Sheet Conditons 1 and 2 is met by the SPDS Severity 1 Limits.

(8) Not monitored following SRAS.

(9) Decreasing not necessary if power is less than 10-3%

(10) RCS Temperature is normally monitored by the RCS Heat Removal SF in the Reactor Trip Recovery Procedure. Cold leg temperature is included here to make the SFs for Reactivity control and RCS Heat Removal independent of each other.

(11) The requirement on reactor vessel level is not included in the SF status check limits for the Loss of Primary Coolant Procedure (EOP 2532).

Therefore, if the operator tells the SPDS that he has selected this procedure, then the vessel level requirement is deleted from the Severity 2 Limits.

. ~

l

. i APPENDIX C SPDS Process Inputs I

- - _ . - - . - -- - - - - . - , , - _ - - - - - - . ~ - . - - - . . . - , .

o q

I. REACTIVITY CONTROL Description Process Computer ID

1. Reactor Power Power Range (Lower) R2AL,R2BL,R2CL,R2DL Power Range (Upper) R2AU,R2BU,R2CU,R2DU Wide Range - RI A, RIB, RIC, RID

2. . CEA Position Dropped Rod Signals Z1501 A - 21509A Z1514A - Z1533A Z1538A - Z1569A

3. BAST Level #1 L206

1. 2 L208

4. SIS Flow HPSI F311, F321, F331, F341 LPSI F312, F322, F332, F342

5. Charging Flow F212

6. RWST Level L3001,L3002,L3003,L3004

7. SRAS (See SRAS section)

8. Reactor Trip Trip Circuit Breakers Z1581 - Z1588 ZE242

9. TCOLD LOOP 1 T112CA, Til2CB, Til2CC, Til2CD Loop 2 T122CA, T122CB, T122CC, T122CD Loop 1 (Wide Range) Til5

.r Loop 2 (Wide Range) T125 II. RCS INVENTORY CONTROL Description Process Computer ID

1. Pressurizer Level L110X, L110Y 4

2. RCS subcooling (From ICC Panel)

3. SIS Flow ,(See Item I.4)

4. Charging Flow (See Item I.5)

5. RWST Level (See Item I.6)

6. SRAS (See Item I.7)

7. Reactor Vessel Level (From ICC Panel)

A

III. RCS PRESSURE CONTROL Description Process Computer ID

1. Pressurizer Pressure High Range P100X, P100Y Low Range P103, P103-1

2. RCS Subcooling (See Item II.2)

3. SIS Flow (See Item I.4)

4. Charging Flow (See Item I.5)

IV. RCS HEAT REMOVAL Description Process Computer ID

1. THOT Loop 1 (wide range) T111X Loop 1 T112HA, Til2HB, Til2HC, T112HD Loop 2 (wide range) T121X Loop 2 T122HA, T122HB, T122HC, T122HD

2. TCOLD (See Item I.9)

3. SG Level SGI L5272 SG2 L5274

4. CST Level L5282

5. Incore Thermocouple T10 - T450 i 6. SIS Flow (See Item I.4) l l 7. Charging Flow (See Item I.5)

8. SG Pressure SGI Press P1013A SG2 Press P1023A SGI Header Press P4223 SG2 Header Press P4224 l 9. PORV Position 2RC402, 2RC404

10. PORY Block Valve 2RC403#,2RC405#

11. Pressurizer Press (See Item III.1) ll

m-V. CONTAINMENT INTEGRITY Description Process Computer ID

1. Containment Pressure P8113,P8114,P8115,P8116

2. Containment Temperature (dome) T8097, T8098 (loop areas) T8108, T8109, T8110 T9765 - T9771

3. Blowdown Rad Monitor R4262

4. Containment Area Rad Monitor R8240, R8241

5. 53AE Rad Monitor R5099

6. Unit 1 Wide Range Stack Rad Monitor N/A

7. Unit 2 Wide Range Stack Rad Monitor N/A

8. SIAS* ZE391, ZE392

9. CIAS (see CIAS section)

10. EBFAS (see EBFAS section)

11. CSAS (see CSAS section)

12. Containment Normal Sump Level L9155

13. Containment Hydrogen Concentration (later)

• The individual valve positions required fo!!owing an SIAS do not need to be monitored since the endpoint of the SIAS signal (i.e., safety injection flow) is already monitored in RCS heat removal.

VI.- VITAL AUXILIARIES Description Process Computer ID Bus 24C Voltage ZE551, ZE552, ZE553, ZE554 Bus 24D Voltage ZE555, ZE556, ZE557, ZE558 Bus 201A Voltage ZE586 Bus 201B Voltage ZE587 Instrument Air Pressure P7078 l

o -

ESAS MONITORING CIAS Computer ID States Description 2MS220A# closed /partl #1 SG Blowdown Isolation 2CH505# closed /partl RCP Bleedoff to EDST 2CH198# closed /partl RCP Bleedoff to VCT 2RC45# closed /partl RCS Sample Isolation 2ACB= open/partl Enclosure Bldg. Purge Exhaust 2EB88# closed /part! H2 Monitor Emergency Isolation 2MS191A# closed /partl #1 SG Sample Isolation 2LRR43#2 closed /partl PDT Pump Outside Isolation 2AC47# closed / parti Containment Rad Monitor Isolation 2EB99# closed /partl H2 Purge Outside Isolation 2PMW43# closed /partl PMW to Containment Isolation 2CRil#2 closed /part! Waste Gas Oatside Isolation 2AC3= artl Enclosure Building Purge Supply 2EB100# open/p/partl closed H2 Purge Inside Isolation 2ACl# closed /partl Purge Fan Discharge 2 SSP 16#1 closed /partl Containment Sump Outside Isolation ZE692 start /stop "A" Containment Rad Monitor Fan ,

2AC15# closed /partl H2 Monitor Sample Isolation 2MS22B# closed /partl #2 SG Blowdown Isolation 2RC00l# closed /part! Hot Leg Sample Isolation 2RC002# closed / parti Surge Line Sample Isolation 2RC003# closed / parti Steam Space Sample Isolation 2LRR43#1 closed /partl PDT Pump Inside Isolation 2CH516# closed /partl Letdown Isolation 2AC11# closed /partl Purge Exhaust Discharge Damper ZE755 start /stop Containment Purge Supply Fan 2MS191B# closed /partl #2 SG Sample Is lation 2SI312# closed /partl N2 to Containment Isolation 2LRR61#1 closed /partl PDT Sample Isolation 2EB89# closed /partl H2 Monitor Emergency Isolation 2E693 start /stop "B" Containment Rad Monitor Fan 2CH506# closed /partl RCP Beedoff Incide Isolation 2GR11#1 closed /part! Waste Gas Inside Isolation 2EB92# closed /partl H2 Purge Inside Isolation 2AC20# closed /partl H2 Monitor Sample Isolation 2CH89# closed /part! Regernative HX Outlet Outside Isolation 2 SSP 16#2 closed / parti Containment Sump Inside Isolation 2AC12# closed / parti Containment Rad Monitor Isolation 2EB91# closed /partl H2 Purge Inside Isolation

o -

EBFAS (20 points)

Computer ID States Description 2EB60# close/partl Fuel Handling Area Vent to Plenum 2EB61# close/partl Fuel Handling Area Vent to Plenum ZE739 start /stop Enclosure Building Filtration Fan ZE740 start /stop Enclosure Building Filtration Fan ZEB56# close/partl 53AE MOV ZEB55# close/partl 53AE MOV ZEB51= open/partl Enclosure Building Vent Suction Isolation Damper ZEB41= open/partl Enclosure Building Vent Suction Isolation Damper 2EB50= open/partl Enclosure Building Plenum Isolation Damper 2EB40= open/partl Enclosure Building Plenum isolation Damper 2HV107# close/partl Engineered Safeguards Room Air Supply Valve 2HV106# close/partl Engineered Safeguards Room Air Supply Valve 2HVil6# close/partl Engineered Safeguards Room Air Supply Valve 2HVil7# close/partl Engineered Safeguards Room Air Supply Valve ZEB72# close/ parti Containment Clean-up Damper 2EB73# close/ parti Containment Clean-up Damper F-32A* start

• Control Room Filter Fan F-32B' start

• Control Room Filter Fan 2-HV-212 A* Open* Control Room Filter Fan Damper 2-HV-212B* Open* Control Room Filter Fan Damper The points not currently on the process computer. Given here is the plant component number and the desired state following EBFAS signal.

SRAS (8 points)

Computer ID States Description ZE708 start /stop LPSI pump 42A ZE709 start /stop LPSI pump 42B 2RB13=l A open/partl Shutdown Heat Exchanger "A" CW 2RB13=lB open/ parti Shutdown Heat Exchanger "B" CW 2CS16=lA open/ parti Containment Sump Recirc Stop Valve 2CS16=lB open/ parti Containment Sump Recirc Stop Valve 251659# close/ parti SI Recirc Header Shutoff Valve 251660# close/ parti 51 Recirc Header Shutoff Valve

9 4 i CSAS (4 points)

Computer ID States Description ZE713 start /stop Containment Spray Pump ZE714 start /stop Containment Spray Pump 2CS4=lA open/ parti Containment Spray Control Valve 2CS4=1B open/ parti Containment Spray Control Valve

.