ML20101T409
| ML20101T409 | |
| Person / Time | |
|---|---|
| Site: | Clinton  |
| Issue date: | 01/15/1985 |
| From: | SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY |
| To: | NRC |
| Shared Package | |
| ML20101T411 | List: |
| References | |
| CON-NRC-03-82-096, CON-NRC-3-82-96, RTR-NUREG-0737, RTR-NUREG-737 NUDOCS 8502060152 | |
| Download: ML20101T409 (61) | |
Text
, -.
A, f -
PRE-IMPLEMENTATION AUDIT OF THE SAFETY PARAMETER DISPLAY SYSTEM FOR THE CLINTON POWER STATION January 15, 1985 Prepared for U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Prepared by Science Applications International Corporation 1710 Goodridge Drive McLean, Virginia 22102 Contract NRC-03-82-096 09 $(op/ 57 X&
l
t-t i
FOREWORD This Technical Evaluation Report (TER) documents the findings from a pre-implementation audit of the Safety Parameter Display System (SPDS) of Illinois Power Company's (IPC) Clinton Power Station.
The audit was conducted by a four-man team comprised of two representatives of the NRC's Division of Human Factors Safety, one representative of Science Applications International Corporation (SAIC), and one from Comex Corporation, a subcontractor to SAIC.
The audit consisted of discussions with IPC representatives at Clinton and visits to the Clinton simulator on December 12 and 13,1984. The SPDS design evolution and present hardware and software features were reviewed.
Discussions relevant to each SPDS requirement of NUREG-0737, Supplement I were generally structured so that IPC gave a slide presentation on a topic (e.g., SPDS V&V program) and entertained questions primarily regarding points of concern raised by the NRC in its evaluation of IPC's submittals previous to the audit. Visits to the Clinton simulator were conducted to review the SPDS hardware and walkthrough a selected scenario involving the SPDS.
SAIC's participation was provided under Contract NRC-03-82-096. SAIC had not been involved in the review of IPC's SPDS Pre-Implementation Package and the subsequent submittals prior to the audit.
i l
I
4 4
I I
TABLE OF CONTENTS Section Page
1.0 INTRODUCTION
1
2.0 BACKGROUND
2 3.0 PRE-!MPLEMENTATION AUDIT FINDINGS............
3 3.1 Provisions of a concise continuous display of critical plant parameters.............
3 3.2 Location convenient to the control-room operator..
4 3.3 Incorporation of accepted human factors principles in the design...................
4 3.4 Procedures for timely and correct safety status assessment.....................
7 3.5 Training for accident response with and without the SPDS......................
7 3.6 Safety parameter selection sufficient to access safety status for identified functions.......
8 3.7 Suitable electrical and electronic isolation....
12 4.0
SUMMARY
OF CONCLUSIONS AND RECOMMENDATIONS.......
13
5.0 REFERENCES
16 6.0 ATTACHMENT.......................
17 I
4.
i i
_o1 I
PRE-IMPLEMENTATION AUDIT OF THE SAFETY PARAMETER DISPLAY SYSTEM FOR THE CLINTON POWER STATION
1.0 INTRODUCTION
This report documents the findings from a pre-implementation audit of the Safety Parameter Display System (SPDS) of Illinois Power Company's (IPC)
Clinton Power Station.
The purpose of the audit was threefold:
(1)to obtain additional information required to resolve any outstanding questions 3
about the SPDS Verification and Validation (V&V) program, (2) to confirm that the V&V program is being correctly implemented, and (3) to audit the
]
results of the V&V activities to date. The requirements set forth in NUREG-0737 Supplement 1, " Requirements for Emergency Response Capability,"
December 1982 (Reference 7) served as the basis of the audit. Due to the absence of the NRC's represertative responsible for the review of SPDS j
electrical or electronic' isolation, this requirement was not discussed during the audit.
4 l
IPC's human factors revieu of the SPDS design for Clinton began in 1981 with the development of a riisplay format.
In July of 1981 IPC presented the NUCLENET SPDS concept to the NRC. Clinton's process computer system was t
l reviewed by General Physics Corporation during a preliminary design assess-ment performed in November of 1981.
IPC established an " Emergency Response f
Program Review Team" and with the assistance of a human factors specialist from the University of Illinois, developed and conducted a static checklist i
review of the SPDS in October of 1983. Presently, IPC has the assistance of Torrey Pines Technology (TPT) in performing a checklist review of the l
intended SPDS using criteria from industry guidance documents (e.g., NUREG-0700). This second checklist review will be integrated into the Detailed Control Room Design Review (DCRDR) scheduled for completion in June of 1985.
A listing of the documents exchanged between the NRC's Human Factors Engi-l neering Branch of the Division of Human Factors Safety and IPC is given as References 1 through 4.
The next document to be exchanged will be the NRC's report reflecting the findings of this audit. The findings of the audit follow a brief overview of the background of the SPDS requirements. The SPDS format is presented as an attachment at the end of this TER.
1
.O d
4 2.0 BACKGROUNO l'
Licensees and applicants for operating licensees are required to provide a Safety Parameter Display System (SPDS).
The objective is to "...
+
improve the ability of.' nuclear power plant control room operators to prevent accidents or cope with accidents if they occur by improving the information' l
provided to them" (NUREG-0660. Item I.D.1).
The need for an SPDS was con-firmed in NUREG-0737 and in Supplement 1 to NUREG-0737. 'SPDS requirements in Supplement I to NUREG-0737 replaced those in earlier documents. Supple-
. ment I to NUREG-0737 requires each licensee or applicant to implement an SPDS on a schedule negotiated with the NR'C. Human factors guidelines for i
SPDS design are currently providedlin NUREG-0696, NUREG-0835 (draft) and NUREG-0700. The NUREG documents cited are listed as References 5 through 8.
4 An SPDS is to be established according to the applicant's own safety analysis and implementation plan which must be submitted to the NRC.
4 i
According to Supplement I to NUREG-0737, "the written safety analysis shall j
include a description of the basis on which the selected parameters are f
sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents." This safety analysis and the specific implementation plan for the SPDS shall be reviewed by the NRC. On-site audits shall be scheduled as necessary to confirm that the applicant is implementing an adequate design program.
The purpose of this Technical Evaluation Report (TER) is to assist the j
NRC in the technic 31 evaluation process by presenting the findings from the pre-implementation audit of IPC's SPDS for Clinton Power Station. This TER 1
also will provide a basis for constructive feedback to the licensee.
The provisions for SPDS as stated in Supplement I to NUREG-0737 can be i
summarized in terms of the seven elements listed below.
1.
Provision of a concise continuous display of critical plant parameters.
I j
2.
Location convenient to the control room operators.
i i
l 3.
Incorporation of accepted human factors principles in the design, i
i J
' - o.
4 c
4.-
Procedures for timely and correct safety status assessment.
5.
' Training for accident response with and without SPDS.
6.
Parameter selection sufficient to assess safety status for identi-2 fied functions.
i 7.
Suitable electrical or electronic isolation.
)
)
The audit findings will be formatted in seven sections reflecting the above j
topics.
Each section will include the -applicant's proposed design activi-j ties, conclusions and recommendations for improvement where necessary.
i 3.0 PRE-IMPLDENTATION AUDIT FINDINGS 3.1 Provision of a concise continuous display of critical plant parameters.
Supplement 1 to NUREG-0737 states that "the SPDS should provide a concise display of critical plant variables to the control room operators to l
aid them in rapidly and reliably determining the safety status of the pl a n t."
Supplement 1 to NUREG-0737 also states that this system "will continuously display information from which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events."
l l
IPC has developed an SPDS which portrays general plant status,11 l
different safety parameters, and containment isolation information all j
within 34 lines on one CRT. The IPC single CRT SPDS also provides a concise supplementary display of secondary indicators driven by initiation of the j
alarm system.
It appears that IPC has provided a dedicated CRT which serves as a concise means of displaying plant safety status information.
j The NRC position concerning continuous display is that all SPDS parameters should be continuously displayed or a method of alerting the l
operator.to changes in the status of SPOS parameters should be provided, j
such as the critical safety function boxes.
i I
3 4
i
,. -... - _, - -. _ -. ~, - -, -....
. -.. ~ -. -, - - - _... _.,, -, - -,. _, - - _ _, _ _.. - -.. - - _,.., _ -. _
6.
.s IPC is planning to display some plant safety status information on the -
. SS CRT on a continual basis.
However, all SPDS parameters are not contin-
)
uously-displayed, nor are all SPDS parameters input to the critical safety function boxes. Therefore, IPC appears to have met.the provision in' Supple-J ment 1 to NUREG-0737 regarding a concise display of critical plant variables but has not fully satisfied the provision for continuous display.
.3.2 Location convenient to the control room operator.
1 i
Supplement 1 to NUREG-0737 states that "each operating reactor shall be provided with a Safety Parameter Display System that is located convenient i
to the control room operators." IPC's SPDS CRT is an integral part of the NUCLENET 1000 Control Complex and is located just to the left of the rod l
control panel. The NUCLENET console functions as the primary plant / operator interface and ' replaces a significant number of controls and displays l
required on the traditional benchboard configuration.
generally adequate for seated observation by control room operators.
How-t j
ever, the NRC audit team noted that the top of the display is obscured when j
observed from a standing position directly in front of the SPDS.
Except as
]
described in Section 3.6 of this report, the key safety parameters are all J
available on the 55 CRT to the left of the rod control panel and are there-f fore convenient to control room operators. The staff noted that a plan exists to perform wiring changes to prevent the operators from moving the i
SPDS display to an alternative CRT. Since operators may have other displays i
j during certain plant evolutions which are more appropriate for display on l
the two CRTs closest to the rod control panel, the NRC audit team suggested that IPC consider using dedicated line space on every CRT showing the CSF l
l boxes, rather than dedicating the whole SS CRT solely to the SPDS function.
4 3.3 Incorporation of accepted human factor principles in the design.
Supplement 1 to NUREG-0737 states that "the SPDS shall be designed to I
incorporate human factors principles so that the information presented can be readily perceived and comprehended by the users."
IPC is apparently still in the process of conducting a human factors review of the SPDS. The review is to be completed by IPC with the assistance of Torrey Pines Tech-nology in conjunction with the DCRDR.
l l
i
-.----.----.-,-.~ -
- - ~,-
---n---
.-,-,n
.__-m i 4
- Documentation of IPC's intent to incorporate accepted human factors
.pr nc p es in the SPDS design is included in its submittal of October 1983.
i il i
This package contains the initial human factors review of the SPDS.
- employed design guidance from NUREG-0835.(draft) and NUREG-0700. From these I
criteria IPC constructed a human factors checklist and tabulated its find-ings in the 10-page review which contains four major sections; significant i
concerns, minor concerns, recommendations and unreviewed items. These concerns covered such issues as data validation, visibility of the ARM /PRM displays, radioactivity control data on a separate CRT, and segregation of
'l safety parameters on the display.
Other concerns of " lesser significance" included adequacy of color coding, lack of mimics, no indication of flow l
direction, etc. 'Several of these concerns identified over a year ago were j
still unresolved at the time of the NRC audit.
The following paragraphs contain brief summaries of some of the poten-tial problems identified during the audit.
For ease of implementation, the NRC's concerns are discussed under headings: (1) SPDS human factors design approach, (2) color coding, and (3) labeling.
3.3.1 SPDS human factors design approach.
The SPDS design has evolved over approximately four years starting with l
a preliminary display design by an operator in 1981.
IPC then presented its j
concept of an SPDS as part of the NUCLENET system to NRC in July of 1981.
j IPC submitted a " pre-implementation package" in October of 1983.
The human
)
i factors design process described in this document apparently was performed by engineers who designed a "strawman" display then looked at the criteria f
in NUREG-0835 (draft) and NUREG-0700 to see if it fit. The design process does not reflect the necessary top down (safety parameter driven) system i
function and task analysis activities which would have resulted in an ade-l quate SPDS display format.
Furthermore, it appears that although a human i
factors professional was involved in the development of the assessment checklists.. they were applied and interpreted by non human factors personnel.
The next step in the SPDS design evaluation process will be taken during the DCRDR supported by Torrey Pines Technology. This will apparently include an E0P walkthrough/talkthrough approach to SPOS and DCRDR validation, the administration of operator surveys, and a checklist review of the SPDS. This effort will commence in July 1985. However, the SPDS may i
t 5
i i
L.
o not be operational in time for dynamic evaluation. Overall, the design process was not optimal for the development of an SPDS.
The process should have been driven by the safety parameters first, human factors requirements second, and consideration of convenience / cost last.
IPC should commit to an adequate verification and validation process to compensate for its less than optimal design approach. This verification and validation effort must be capable of identifying the need for additional parameters and identifying human factors deficiencies in regard to the manner in which the parameters are displayed.
IPC should also commit to implementing the upgrades identi-fied during verification and validation.
3.3.2 Color coding The basic concern here appears to be an over reliance on the concept of color coding as a method to support the discrimination of information by operators.
It appears that the system can generate a limited number of colors (i.e., white, yellow, cyan, red, etc). The use of these colors is not only inappropriate due to the difficulty in detecting the differences in hue but also at odds with the accepted human factors principles concerning the meaning associated with colors.
For example, Section 6.5.1.t of NUREG-0700 suggests the use of red to indicate unsafe, danger, immediate operator action required, or an indication that a critical parameter is out of toler-ance; yellow to indicate hazard (potentially unsafe), caution, attention required, or an indication that a marginal value or parameter exists; and green to indicate safe, no operator action required, or an indication that a parameter is within tolerance. The SPDS display uses yellow rather than green to indicate a parameter is within tolerance.
In addition, green tic marks are used to indicate normal ranges in the bar graph while the numerics which indicate normal readings are yellow.
Furthermore, the NRC audit team observed that the hue / saturation of the red alphanumerics do not show up well against the CRT background. This may be aggravated in situations where emergency ambient lighting is used.
In addition to these problems in color coding there are several other concerns which together result in a display which is very difficult to read.
The red text has low contrast against the background and the color coding is inconsistent within the display itself.
Perhaps the single greatest criti-cism is the easiest to resolve. There is an over dependence on color coding 6
for information transfer and subsequently there is no redundant (backup) i coding scheme to account for partially color blind operators or for SPDS use in a lighting environment other than optimal. Since the colors are limited, hard to distinguish, inappropriate to human factors conventions and incon-sistent, perhaps flashing symbols, shape coding, size coding or some other more innovative approach may be more appropriate.
It is therefore suggested that alternative approaches to information coding be explored by IPC with i
help from its human factors consultant.
3.3.3 Labeling From the NRC discussion with operators during the audit it appears that the use of the letters "I" and "0" as designators of " isolated" and "open" in the containment isolation field of the display are confusing.
At least one operator thought the "I" and "0" referred to " inboard" and " outboard."
It is apparent from the preceding discussions that IPC has not fully met the requirement to incorporate acceptable human factors principles.
It is strongly suggested that both the analyses which resulted in the parame-ters selected and the design process which led to the display format be subjected to rigorous diagnostic evaluation by the IPC team supported by the human factors consultant.
3.4 Procedures for timely and correct safety status assessment.
Supplement 1 to NUREG-0737 states that " Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available will be developed by the licensee in parallel with the SPDS."
IPC has neither developed nor committed to develop specific procedures describ-ing safety status assessment with and witho'ut SPDS.
IPC holds that "the i
SPDS is not a qualified class 1E piece of equipment and thus does not j
require associated procedures." The IPC position is that proper training on the use of emergency operating procedures (EOPs) and training in the use of the NUCLENET control room will meet the intent of this SPDS requirement.
It was not possible to verify the validity of this position during the two day audit.
It is recommended that as a minimum IPC personnel incorporate tests of the operators' ability to cope with an unexpected loss of the SPDS during upcoming verification and validation activities.
J f
7 v
c,.,
--,r
a i
3.5 Training for accident response with and without the SPDS.
Supplement I to NUREG-0737 states that "... operators should be trained to respond to accident conditions both with and without the SPDS available."
IPC states that it intends to develop rudimentary training via instructions for SPDS operators.
However, those training plans were not ready for pres-entation at the NRC audit.
3.6 Safety parameter selection sufficient to assess safety status for identified functions.
Supplement 1 to NUREG-0737 states that "the minimum information to be provided shall be sufficient to provide information to plant operators about:
1.
Reactivity control 2.
Reactor core cooling and heat removal from the primary system 3.
Reactor coolant system integrity 4.
Reactivity control 5.
Containment conditions The specific parameters to be displayed shall be determined by the licensee."
In an applicable requirement regarding the DCRDR Supplement 1 to NUREG-0737 states that the review shall consist of "The use of function and task analysis (that had been used as the basis for developing emergency operating procedures) to identify control room operator tasks and information and control requirements during emergency operations. This analysis has multiple purposes and should also serve as the basis for developing training and staffing needs and verifying SPDS parameters."
It appears that the SPDS design philosophy has changed since the last docketing of design information in October 1984 (Reference 3). The original concept treated the area radiation monitor / process radiation monitor (ARM /PRM) display as part of the SPDS. Since then a new critical safety function (CSF) alarm for the ARM /PRM display has been added to the SPDS upper level display.
This alarm is actuated by any of the several ARM /PRM 8
a
. alarms associated with the ARM /PRM system.
Under the original concept the operator had no direct alarm or display of radiological conditions on the primary SPDS display. While the new concept / design places an alarm directly on the primary SPDS display, the following potential problem exists:
o Radiological parameters are not directly displayed, nor are they directly accessible to the operator.
When an ARM /PRM alarm occurs, a second operator must be sent to the ARM /PRM panel about 10 feet away to determine the alarming channel and to obtain parameter values.
In order to address this potential problem IPC SPDS design personnci should evaluate the adequacy of this arrangement during upcoming verifica-l tion and validation (V&V) walkthroughs of the E0P's, DCRDR and SPDS.
]
A pre-implementation package submitted by IPC in October of 1983 includes the SPDS verification and validation team report on human factors.
Based on a close inspection of these documents and the findings of the NRC audit it appears that neither the selection nor operational definition of the safety parameters was based on any formal top down system function and task analysis.
In addition the team that developed the pre-implementation i
package, although multidisciplinary, had no input from human factors profes-sionals.
There appears to have been no a priori integration of human factors criteria. into the parameter selection process.
During the course of the audit the NRC audit team received and reviewed numerous documents and presentations concerning verification and validation work performed on the SPDS design project. However, all of this work was I
oriented toward the SPDS hardware and software operability and reliability.
None of the work appeared to emphasize the identification of operator infor-mation and action needs as they relate to identifying and assessing the safety status of the plant.
The following sections identify specific problems and areas requiring further investigation with respect to parameter j
selection and display.
1 9
y
3.6.1 Radioactivity Release Although a radioactivity release (control) CSF alarm block has recently been added to the SPDS display, the following problems still exist:
o Current design does not transmit drywell high radiation monitor output to the ARM /PRM panel and therefore will not actuate the radiation control CSF alarm.
A plan exists to add plant vent stack noble gas concentration o
instrumentation to the ARM /PRM panel.
Vent stack flowrate is already available on the ARM /PRM panel.
Since technical specifi-cations, emergency plan classification guides (EPIP on EALS). E0P entry conditions, etc. are all written in terms of release rates instead of concentrations, the SPDS designers should consider developing a simple algorithm to display release rate directly.
This would eliminate the need for operators to make the hand calculation to determine the relationship of release rate to the various action statements in the procedures referenced above.
None of the ARM /PRM parameters were selected for direct display on o
the SPDS.
With the change in philosophy which excludes the ARM /PRM panel from being part of the SPDS, the designers should evaluate the benefits of adding key radiological parameters such as containment radiation and stack release rate directly to the SPDS display, IPC's SPDS design team demonstrated only a cursory knowledge of o
the new radiological monitoring equipment being installed in the plant.
The design team should add this expertise for the remainder of the implementation phase of SPDS.
j 3.6.2 Containment AP Secondary containment AP (Combustible gas control volume to outside atmosphere) does not trigger the containment integrity CSF alarm.
The design team should consider adding this parameter as a trigger point to the existing containment integrity CSF or adding a separate CSF for secondary
[
l 10
containment (leaving the existing CSF dedicated to drywell and primary containment). Note that Revision 3 of the GE emergency procedure guidelines treats primary and secondary containment control as separate guidelines.
The SPDS design team contended that secondary containment AP units on the SPDS of PSID was correct. Upon further investigation by the NRC audit team, it was shown that the proper units are inches of water.
Errors such as this must be corrected prior to the final installation stage of the project.
3.6.3 Reactivity The power control (reactivity control) CSF is triggered only by the upscale, average power range monitors' (APRMS) trip at 108% of the CSF. As a minimum, it should also be triggered by a signal indicating valid reactor protection system (RPS) trip with failure to achieve a downscale (< 31) APRM trip within a few seconds.
This is the entry condition for the ATWS emer-gency procedure guideline. Failure to evaluate and include such features may be due to the fact that no formal system function and task analysis was conducted during the SPDS design process.
3.6.4 Coolant Control The reactor coolant system integrity CSF alarm is triggered by only one parameter:
drywell floor drain sump flow.
This parameter is provided to the SPDS from a single, non IE instrument which monitors the coolant level in a V-notch located in a Weir upstream of the sump pump. Therefore, the sole input to the reactor coolant system integrity CSF cannot be subjected to any kind of confidence check. Other parameters should be evaluated as possible redundant indicators of failure of the reactor coolant system.
Possibilities include safety relief valve position, reactor vessel level and drywell temperature. The present design does not provide for a CSF alarm associated with a bree.k in an interfacing system outside the drywell. Addi-tion of the suggested parameters as triggers to the CSF would provide indi-cation of the interfacing LOCA situation.
3.6.5 Group Isolation l
The existing SPDS display for group isolations is triggered only by a successful closure of all valves in the isolation group. A demand signal i
11
i for an isolation is not indicated. Que:;tioning of the SPDS team and availa-ble operators did not confirm that positive indication of the conditions warranting a group isolation exist elsewhere in the control room.
The SPDS design team should evaluate the benefits of including group isolation demand signals on the SPDS in addition to the current successful isolation indication provided.
3.6.6 Containment Pressure Primary containment pressure (outside drywell, inside primary containment) does not trigger the containment integrity CSF
- alarm.
This is probably the primary indicator of abnormal conditions in the primary containment and yet was not included in the CSF alarm logic.
The above examples demonstrate the need to utilize the task analysis results and V&V process being developed for the E0P and DCRDR project for the final parameter selection and SPDS design activities.
Should IPC per-sonnel identify SPDS deficiencies during the DCRDR, the findings and their resolutions should be reported to the NRC. IPC personnel stated that the SPDS is to be operational just prior to the submission of the DCRDR summary report.
The SPDS related HEDs should be included as a separate section of the DCRDR summary report.
3.7 Suitable electrical and electronic isolation.
Supplement I to NUREG-0737 states that "The SPDS shall be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems." The NRC audit team did not include an I&C specialist and therefore did not evaluate the final test results for the TEC model 2200 isolation devices being used to isolate SPDS signals from class 1E safety equipment.
IPC personnel committed to submit results of this testing to the NRC for evaluation by specialists in this field (Re: GDC 24, APP A,10 CFR 50).
i 12
1 4.0 SUMARY OF CONCLUSIONS AND RECOMENDATIONS It is the general conclusion of SAIC that the IPC SPDS does not meet the provisions for SPDS development contained in NUREG-0737, Supplement 1.
Although IPC does indicate a commitment to provide a concise, continuous display of safety status information to support rapid.and accurate operator response to an accident, it does not appear to have a sufficient understand-ing of the requirements at this time to implement that commitment. The following constructive critiques and recommendations are provided in summary form for each of the SPDS provisions.
4.1 Concise continuous display.
To ensure that the plant safety status information will be continuously displayed IPC should consider (1) incorporating into the design a continu-ous display of the critical safety function boxes which includes input of all SPDS parameters as well as direct access to the underlying parameter values, or (2) continuous display of all SPDS parameters on a dedicated CRT.
4.2 Location convenient to operator.
SPDS may not be visible to a standing operator and may be fixed to one specific CRT in order to support the provision for " continuous display."
IPC should consider (1) a means to reduce glare and still allow observation by a standing operator and (2) not establish the SS CRT as the only location SPDS information can be displayed.
4.3 Incorporation of accepted HFE principles SPDS design approach in general and color coding and labeling speci-fically are areas of non-compliance with accepted human factors principles.
IPC personnel together with substantial support from human factors consult-ants should subject the design process and display format to rigorous diag-nostic evaluation with regard to human factors principles.
IPC should commit to the implementation of changes which enhance operator ability to rapidly and accurately respond to off-normal sequences.
13 l
I i
4.4 Procedures for safety status assessment.
IPC contends the SPDS specific operating procedures are not required.
IPC should test operator ability to use SPDS information and to cope with SPDS outages during upcoming V&V activities.
If specific procedures are demonstrated to be necessary then IPC should comply.
4.5 Training for accident response with and without SPDS.
Rudimentary training / orientation instructions and exercises should be developed to assure effective SPDS use.
4.6 Parameter selection.
IPC has not conducted a formal SFTA in support of parameter definition, selection, or verification. Without a priori knowledge of operator informa-tion requirements it is not likely to ensure the necessary parameters in an adequate display format.
IPC should subject parameter selection and infor-mation presentation to rigorous evaluation during the joint SPDS review and DCRDR.
4.7 Electrical and electronic isolation.
There was no evaluation of this provision during the NRC review.
IPC will submit pertinent information to NRC specialists for assessment.
4.8 Miscellaneous findings.
o Only wide range reactor vessel water level is supplied to the SPDS. Due to lack of time and lack of knowledge by IPC personnel, it was not possible to ascertain the adequacy of this range of indication during all accident conditions.
IPC personnel should review the adequacy of the level instrumentation with respect to operation during elevated drywell temperatures and while control-ling level to control power during the ATWS event.
o Numerous parameters used in the SPDS do not undergo a confidence check because they are measured by a single channel or by parallel l
l 14
channels of the same parameter.
IPC personnel should evaluate alternative means of validating data such as rate of change, comparison to average, etc.
o The provisions for a manual alarm acknowledge and for reflash of SPDS CSF alarms are presently in the conceptual stage of design.
The SPDS design team.should meet and agree on the exact hardware and features to be installed.
i
,*S' 15 i
l REFERENCES l
1.
Clinton Power Station SPDS and supporting displays design document, l
Revision 2, December 1984.
2.
Clinton Power Station Unit 1, SPDS Verification and Validation Plan, October 1983.
3.
Clinton Power Station Unit 1, response to NRC requests for additional information on SPDS, October 1984.
4.
C1inton Power Station Unit 1, SPDS functional description, February 1984.
5.
NUREG-0660, Vol.1, "NRC Action Plan Developed as a Result of the TMI-2 Accident," USNRC, Washington, D.C., May 1980; Rev. 1, August 1980.
6.
NUREG-0737, " Requirements for Emergency Response Capability," USNRC, Washington, D.C., November 1980.
7.
NUREG-0737, Supplement 1. " Requirements for Emergency Response Capa-bility," USNRC, Washington, D.C., December 1982, transmitted to reactor licensees via Generic Letter 82-33, December 17, 1982.
8.
NUREG-0700, " Guidelines for Control Room Design Reviews," USNRC, Washington, D.C., September 1981.
9.
NUREG-0835 (draft), " Human Factors Acceptance Criteria for the Safety Parameter Display System," USNRC, Washington, D.C., October 1981.
1 16
Attachment, page 1
=
ATTACM1ENT 1........
2........
3........
4........
5........
6........
7..
1 1
2 POwn RM CORE RCS Caett RAD 2
3 3
4 CONTROL COOL!NG INTEORITY CONOITION CONTROL 4
5 5
6 APRM E
RATE OF CNANSE 6
7 g
zum umn 1/ MIN 7
8 8
9 ERn CPS PWRIOD 9
10 g
-n.mEm
-mum SEC to 11 11 12 RI LEVEL (Wt)
INCH RATE F CMAWE 12 13 M
-uma
-ums IfCM/RIN 13 14 14 16
-Mg 15 Rx STE-an FLOW um.m um.m RATE OF 15 PL S/>ct CNAMBE 16 17 RI FEED FLOW M
mm.m um.m 17 la PLS/>Gt PLS/>Gt/ MIN IS 19 TOT CORE FLOW M
mm.m um.m 19 20 20 21 RI PRES 5URE (WR)
PSIS RATE OF CHANGE 21 22 g
amma maan PSIS/ MIN 22 23 23 24 DW FLOOR DRAIN SPM RATE OF CMANSE 24 25 SUMP FLOW g
um.m um.m SPM/ MIN 25 27 DW PRESSURE (NR)
PSIS RATE & CHANGE 27 20
' M m.m m.m PSIS/ MIN 29 29 29 30 GUPPRESSION DES F RATE OF CMANSE 30 31 POOL TEMP W
mm.m um.m DES F/ MIN 31 32 32 33 CONTAINMENT PSIG RATE OF CNANGE 33 34 PRESSURE M
mm.m i
mm.m PSIS/ MIN 34 35 35 34 34 37 1
2 3
4 5
6 7
8 9
to 11 37 38 CNMT ISOL IO IO IO IO i! O IO
39 39 40 40 41 41 42 42 43 43 l
44 44
(
45 45 46 44 l
47 47 48 48 1........
2........
3........
4........
5.........&........
7..
Attachment, page 2 l
1........
2........
3........
4........
5........
6........
7..
1 1
2 2
3 3
4 4
5 5
6 6
7 7
8 9
9 9
10 10 11 11 12 12 13 13 14 14 15 15 16 16 17 17 18 18 19 19 20 20 21 21 22 22 23 23 24 24 25 25 26 26 27 27 28 23 29 29 30 30 31 31 32 32 33 33 34 34 35 35 36 34 37 37 38 38 39 39 40 40 41 41 42 Rr WTR LYL
-um.m IN S W POOL LYL su.m FT 42 43 DW PRESS mm.m PSIS SUPP POOL TEPP mmm.m F 43 44 DW TEMP mum.m F CNMT PRESS mm.m PSIS 44 45 SRV STATUS (OPEN/CLOSEDI CNMT TEMP rsa== F 45 46 DW FL SUMP FLOW um.m SPN CNMT/DW H2 CONC sur.m1 zum.m% 44 47 SDV A/S LEVEL mm/mm SAL SEC CNMT AP m.au v.ma m.au PSID 47 48 48 1........
2........
3........
4.........S........
6........
7..
ALARM INITIATED DISPLAY 18
~,
CLINTON P O L.J E R STRTION UNIT
- 1 SRFETY PRRRMETER DISPLAY SYSTEM NRC PRE-I MPLEMENT AT I Ot4 RUDIT ENTRANCE MEETING I n t r-od v.ct i o n s 6w NRC Staff I 1 1 i rio i s P o e.s e r -
s Entrance Br-i e f i rge 9 bw NRC S t.s.f f Pr-o 9 r s.ro O v er-. i es>
.s. e. d Cv.r r e i t Statu.s bw I11inois Po w e r-SPDS Ve r-i C i c a~t i o a V s.1 i d.a.t i o n Pr osr aro SPDS Par aroeter-Set Se1ection Va1idation Process SPDS Desi9n Deve l oP roe nt I rop 1 ernentat i on P r o c a -s.s SPDS Avai1abi1itw C a l c C.1 a t i o aes SPDS H v.ro a a Fa c t o r^ s Revies>s O
b TLR
j l
SPDS PARAMETER SET SELECTION AND VRLIDRTION PROCESS SPDS Parameter Set Definition:
1 Mirsimum Set sufficierst to deteram i n e P 1avat in safe conditiosa.
Limits Eulk of Information r
Pr~o i des Sufficient I rif or-mat i o e
- ~d SssoPtic Set of, Par ~ameter~s -
Coracerned with Safets Status at Present f
{
l SLIDE
- 1 TLR l
i SPDS PRRAMETER SET SELECTIOH AND VALIDATION PROCESS CRITICAL SAFETY FUNCTIOF4S
< CSFs>
O v e r-a.1 1 Fu.re ct i o rs Co rs t.s. i n rce e rs t o -F-l R s.d i o.s.c t i v i t s.
BARRIER INTEORITY fru.e l Claddins Reactor Coolasst Sw ste rcs P r i r<s a r s C o s s t s. i s a rcs e re t Seconds.r w Cors ta i nr< sere t HEAT TRANSPORT Fu.e l Claddiss9 R e a c t o r-Coolarat S w :.s.t e rra P r i r<s ar w Conta i s arrient RERCTIVITY CONTROL 9
D SLIDE
- 2 TLR e
l w
s SPDS PARAMETER-SET SELECTION AND VALIDATION PROCESS VALIDATION PROCESS Reviewed CSFs R9airest C l i vs tors SPDS Parameter Set Cate9eri=ed Each Parameter 69 the CSF it Mors i tors -
V&V Team Evalu.ated
)
APPropriaterness of Paramete r -c.
Plaret Transiesst Rcciderst R e <i es.
- FSRR, Chapter
- 15 Area l s s i s -
NASH 1400 Reactor Safets Studs MS Loss of R11 Decaw Heat Removal M3 RTWS 1
Various Misc.
Eversts Chosers bw V&V Team.
Comparison of CPS SPDS Parameter Set to Other. Rec i derst-Mors i tor i r:9 Lists for EWRs NSRC/21 Re9ulatorw Guide 1.97 EWR Gemeric Emer9erscw P r o c e d u r e-
' Guidelines'<EPGs>
N URE G./ C R-1440 SLIDE
- 3 TLR e
, - ~ -
w
SPDS PARAMETER SET SELECTION AND
' 'RL I DRT I ON PROCESS VALIDRTION RESULTS Overall Monitorine of CSFs Comprehensive.
Verw Close Coorespondence With EPGs Particular1w U s e f u.1 1' to the Plant Operator <s).
V.% V Team Recommeredations SPDS Parameter Set Rdditions E Secondarw Containment d/P t
E SRV Position Status E SuPPressioes Pool Temkerature a1so oaa Perresane rat I w Displawed Hori=ontal Bar Graph.
SPDS Parameter Set Deletions E Reactor Feed Flow i
E Reactor Recirculs. tion F l ob.s i
E Drwwell Eq u. i p m e es t Sump Flow.
1 i
All Recommendations I mp l eme est _ d 4
With Exception of Deletins the Reactor Feed Flow Parameter.
1 I
SLIDE
- 4 TLR
'l
--,---n,--,
,------,---r-
SPDS PARAMETER SET SELECTION R:ID VALIDATION PROCESS 1
l CURRENT STATUS OF SPDS DISPLAY Par ameter-Set V a 1 i d.a t i ons Repor-t Completed
< s v.6 m i t t e.J-IP L e t t er-U - 0 6 7 6.,
dated 10./2 8./ S S.
- -M V'.n V T e a r.1 R e c o m r.s e rs.-J a t i o1 a s H o. v.II-2:eers I mP l er. sea sted. s i tt s the gxcePtiors of R>-
Feed F 1 o n..
.- 3. r c.ra c t e r~.
i
!+i NRC Co a scer-res Related'to CSF Over view Statu.s Iderstified D v.r-i s s 9 R P r-i 1 5
1984 IP Pr ese1 stati o a s to S t o.CC.
CSF "Statu.s I:o >::e s "
I se 1 v.d 1 s9 "Radicactivitu Co e str o 1 "
..dded to top of SPDS D i sP l o.w SPDS "5S" Disp 1o.s Per marst I s DisPlawed o rs NUCLEMET CRT it 5 Now a
Complete ared Stared-a l o a se S t.m.t v.s of R11 CSFs.
l l
P e r-IP L e tt e r-U-OT45 d.atud i
1 0./ 2./ 8 4.,
ARM /PRM DizPlaw P o. s s e l No Lor:9 e r-Par t of CPS SPDS.
j No Rdd i t i orsa 1 L J o r-k Remaisas for-I the SPDS Pa r-a me t er-Set Selectiors.
SLIDE
- 5 TLR
SPDS-VERIFICATIO:I RND VALIDATION PROGRAM
=
PLAN DESCRIPTION Mode 1 led R Cte r~
NSRC/39 NRC Finds Accepts.ble Gerser~ i c F l o.rs.
Ve r-i f i c s.t i o re Revies :
of R e q v. i r~.= r.s e s s t s.
< Sot: s NRC s.rs d Ss s ter.i F v. rs c +_. i o rs.s.1 >.
Re-ies.
of Desi 9 s a to E ra s v.r~ e R e 9 v. i r~ e r.s e s s t.2 s.r e bei s as I r.s P 1 e r.s e a s t e d.
i V O.1 1._:1.s.t i o rs
~
Dete.i1ed D e z.i 9 i Rev i es e
. Test E v.s.1 v. s.t i o n of I rat e 9 r s.t e d H.P.r de.'.s.r e S o f te>.s.r~ e Su ster.s < s >.
s E e a s v.r -e D e e 1 o p r.a.m-re t s.1 P r~ o b 1 e r.. -s.
s.r -e I de a st i f i ed 0.rs d Reso1ved.
VaV RCTIVITIES Swstem Re9 v. i r emersts Reviees Sw ste r.s Desien Rev i esa Field W.s.1 k d o s.sn a s Fi=Id V an r-i F i co.t i o s s-Test i i se V s.1 i d a.t i o n Testivos V&V Docu.me nts.t i o a a.
l l
SLIDE
- 1 TLR
,,_v..-
1 Revision: April 13, 1934 l Page 2 CLINTON POWER STATION
(
SPDS REQUIREMENTS REVIEW REPORT Figure 1.0 CPS VERIFICATION & VALIDATION PROGRAM NUREG-0737 Supplement 1 Step 1 r CPS V&V Plan l
Step 2 o
Step 5 g
V8V Requirements V&V Design Review Procedures Review Procedures
(
Step 3 Step 6 u
o Perform Perform Requirement Review Design Review Step 4 p
Step 7 p
VaV Requirements V8V Design Review Report Review Report l
l Step C y
V&V Field Verification Test Plan Step 9 y
Conduct Field Verification Test Step 10 y
V8V Field Verification Test Report P
Sheet 2
Revision: April 13, 1984
~
CLINTON POWER STATION
(
SPDS REQUIREMENTS REVIEW REPORT Figure 1.0 Sheet 1 Step 11 p
V&V Validation Test Plan r-
. ~ ~
Step 12 p
Conduct Validation Test r
Step 13 p
V&V Validation Test Report Step 14 p
V&V Program Final Validation Report
(.
j M.
l SPDS VERIFICATION V A L I D A T I O.bl PROGRAM CURRENT V&V STATUS l
"Clinton Power Station Safets Parameter Displaw Swstem Parameter Set Validatiors Report" Submitted to NRC i rs SPDS Pre-I mP 1 emerstat i o s s Ps.cka9e via IP L e t t e r-U-0676 dated 10./28./S S.
" C 1 i rat o ss Power Statioas e
Ver-i'f i cat i o a a arid V a.1 i d a t i o a Plai4 Cor-Safets Par ar.seter~.D i sp 1 as Sustem" Ir sP lemented October 1988.
Submitted to NRC in SPDS Pre-ImPlemerstation Packa9e via IP Le t ter-U-0676,
. dated.10./2S./SS.
I!
"SPDS Re9uiremeasts Review R e P o r-t "
Completed avid Issued o rs April 24, 1984.
V&V "SPDS Desi9n Review Report" l
Completed and Issued on C
tober S1, 1984.
SLIDE
- 4 TLR i
i G
y m,_
w- - -..
i SPDS VERIFICRTION R 2-J D VALIDRTICM PROGRAM l
i CURRENT V.% V STRTUS
< c o sst i sv.e d >
V.% V "SPDS Test P l s.rs "
G e rs e r s.1 ~ P 1 s.ss Cor.sP 1 ete
< d r-3. F t >.
Fie1d Ve r-i C i ca.t i o rs Test
-s. s s _:I V._'.1 i d O.t.i c'.ss-'T eis.t C h e c !< 1 i s t c s.r e Dr.s.O t e d
- o. s. d U s a d e r-Re..ie:.
SoCts :0.r e Teat Re :t v. i r e r s e s a t:2 D o c v.r.se sat De.c1oPed
< d r.m.-r t >.
S o f te..s.y e Test Pr -ocedu.r es
< d r o. f t >
Ee i s s B F i rss.1 i = e d.
S t s.r-t v. P CnIO
- o. s a d P r-e- O F e r* s.t i o : s.s.1 Phs.se Test Pr ocedu.r -es
< dr.s.C t >
Beiws F i rs.s.1 i = =- d.
H!
V.S V T e s t i ss B S cise d u.l e d f o r-M o._s - J v.l u 1985 T i r. s e - f r -s. r. s e.
F i s s.s. 1 v.n '..'
P r o B r~ o.r.s Reso.its R-2P or-t S cise d u.l e d f o r-I s s v.e J u. l u 1983.
SLIDE
- 5 TLR l
l l
=
l
o SPDS DESICN DE'/ELOPMENT PROCESS J v.19 1981 NUCLENET O s i n e r ' :n-G r o v.P Pr ese a statio e to NRC Staff.
SPDS Displaw Or' i s i rea l~ I w D -:- v e l o p e d h:: w CPS PLarit OP er atio iis Staff.
- M Detai1ed Desi9n D o c u.m.=..t Revisior O
- 10. ' 1 O. 'S S R e.. i s i o..
1 12./ 5. 'SS.
R.= vision 2
1,2.' 8 4,.
Re9 v. i r~emersts Doev. ment
- - Revisiors O
9 /20./ S S.
Re isioss 1
12.'84.
Sof twar-e/H ar-d war ~e F u.rse t i o sa 1 Descr~ i P t i o 4 P r e p a r e..d Crom SPDS D.=- s i 9 s D.s c u.m e re t Revisioaa 1
and SPDS Re9 v. i r errients D o c u.m e ret Rev.
O.
Seist to NRC Staff via IP Letter -
U-0695 d a t.=- d 2./ 1 0. '8 4.
I i
l SLIDE
- 1 TLR
+
,,_.,__,._m,_,
v-w_
,,r w_,_
SPDS DESIGM D E'.'S L O P M ERIT PROCESS IP Pres ersta t i o1 to NRC on SPDS Deve l op merit on RPril 5,
1984 at NRC
- Bethesda, Marw l ared Offices.
Br i ef i ra 9 Dooks Provided C SPDS Pre-Implementatiors Pks.
Mater-i a l.
EJ SPDS Re:I u i rer.se s ets D o c u r.s e re t Rev.
O.
El SPDS Sof ts sar e/Har~ds sare Furectional Descriptiors.
C Results of SPDS Availabilits.
Studs.
C Color Photos of Control Room DisPlas P.p.rs e l s.
IsP Responses to NRC Questio.es Pr ovided ia IP Letter -
U - 0 7 4 5.,
dated 10/2/84.
Add i t i orsa l NRC Co ra c erras o r.
Optical Isolatiors Devices Used at CPS have been Identified Under j
R e v i es,.i bw IP.
SLIDE
- 2 TLR
.\\
l I
l
l l
l t
4 SPDS DESIGN
-D E'.*E L O P M E!IT PROCESS i
SPDS RVRILRBILITY STUDY Rde9v.acw of CPS SPDS NUREG-0696 Rvailabi1itw Cr-i ter i a Operational Ussavailabi1itw Goal of O.01 When Reactor-Above Cold SIiv.t d oeea.
S t a t o.s..
Unavailabi1itw Goal of ' Es. 2 D u.r-i n s Cold S h v.t.
oasn.
J IMPELL Co a str acted to Per f or -rre Wor k.
Fav.it Tr-e e A na l s s. i s.
Methodolo99 l
Meaaa T i r.s e To R e p a i r~
<MTTR) and Mean T i rca e Betesee Fa i l u.r-e
< MT E f= >
Ca l c v. l a t e -J :
i s
MTTR I
UNRVRILRBILITY 4
==
MTTR
+
MTEfr 1
S o v.r-c e s.
of Data i
2 IEEE Standard 500 im Reactor ~
Safets S tu.dw
!G Mi 1 itar w Ha ndbo.ek MIL-HDEK-117D.
1, t
SLIDE
- S TLR I
l i
l
SPDS DESIGN D E '.* E L O P M E N T PROCESS SPDS RVRILRBILITY STUDY
< continued >
Scope of Evaluation Those Portions of PMS/DCS Re.o_c.ess.. C omp u t er Swstem Required to Operate NUCLENET CRT
- 5.
Did Not Include:
4 O External SPDS Displass
<e.9.
M SPDS Data Links.
M Software /Firmware Induced Swstem Failures.
- . Four
<4>
Cases Evaluated r
CASE
- 1 C Swstem as Desi9ned Conservative
- Failure Rate Estimates.
CASE
- 2 M Sw :.ste m as Des'iewed Most Likelw Failure Rate Estimates.
CASE
- 3 E Rep l acemeret of 'DCS/PMS Common Drum with Larse Core Stora9e Device
/
Conservative Failure Rates.
CRSE
- 4 t
M Replacement of DCS/PMS Common Drum with Large Core Storase Device
/
)
Most Likelw Failure Rates.
l i
SLIDE
- 4 TLR m~.g.,,,
--r-
.,e-
, -,,,, - - -. ~.,, -
.,n,. - -,, -, - -, -
.,-m-
l I
SPDS DESIGN D E '.' E L O P M E r 1 T PROCESS S v.m m a.r w SPDS U iis.
.s.i I s.6 1 e Resu.Its
< bJ i t h P 1 s.re t O P e r-a.t i ris >
C o rs s e r v.s.t i. e Most Ca.ses LikeIw C.P. s e -s i
SPDS LJ I TH DRUMS
.081 OSS SPDS LJ I TH EULK
.O199
. O O S 7'*
M E M O R 'r' It4 PLACE OF COMMON DRUM i
< DJ i t h P 1 a.rs t i vi Co1d S F s u.t d o s > re >
l LJith Respect to U rs.s.va. i 1 a.6 i 1 i t w G o a.1 of O.2 Review of Pr ocess.
CoreaP v.ter O P e r's.t i o e e s.1 Histors I vid i c a.t e d This Not Ex.Pected to be s.
Pr-o b l em.
SLIDE
- 5 TLR i
m' i
f a
2 F0 i
E 1
e M.,.
T m
A G
T M
E R S
E T E
T A F m
I.
A G S E
G N
a D A E.
E Y,
R N R N
c O A T
E 8
H, 8
n 3'
' 9 b nU k a
s M',
e e.
ie 7
I e
Y e
s e.
s a
T "a.
e I
'1 L
E..
d I
k B
=,
h 9 E.
A ns.
L r
'l a
M h,
E-d I
a.
mo A
u I
t V
h I
A N
s
'l a
m U
Q, a
1 S
- D d
4P 9
I S
9, ~_
E Mie
- R.
a E
RR 8L I
s GF 4
"s.i UO a.
m 8
I l
'n FL h
.I E
hh D
a m
t D
7.u 2::
I k
H es a_
s E
I 9
b k,
I a
h E
I L
3:
R E', b E
T I
c.
T s
I k
L T
U a
L A
m E.
L I
F I
h, b ia sa h,
=_
w at t
sa I_
b's]=
I Ye u
l
'. b W
T I
s E.
l e
I M
i "w.
s s
b a
9.
I b
I
- =a I
I.
m I
m M
e F
L
had LJ W
L af W
knalen Inand W
b haanJ w
thJ 6
thmad em a a a-s n.--a ba w
f 7
FIGURE 4-1 FAULT TREE HODEL FOR SPDS UNAVAILABILITY j$i, p>.- g O
O y
'll".O.? *.a'
'll".Ol,'t. ','
- "O.??.d'
=." ".3' 4 "a'4
.'.""'=4 h>- J: '.M1 a
a a
a a
a g
i w
.e. ire n-=..
.o.,
m, w.
- I
,?"
- 7v".,
p3.::P.y
,,,,g.
-...a 9
9 a
i r.. -
7.-
.T..S
.er..
.'ft all;
,.ll:,,..
=.
=
o
.=.
e s.o
.=
. =..
mie se rac-s m on w.,c rrco., cov. sts or
= swve er cs
.. s aca swve e r.,
ccm,,5,,,, c,.m t s sur. 2 or 2 IMPEIL@
J I
- - " - " ^ ^
M d d
d 1:5 b hds bbbb b
b M
M auas has had sWE 5
FIGURE 4-2A SPDS UNAVAILABILTY CONSERVATIVE FAILURE RATE CASE UNAVAILABLE 0.07 X 10-8 r m f%
DIGITIZED COMPUTER SPOS INPUT SIGNALS PROCESSING OISPLAY UNAVAILABLE UNAVAILAOLE UNAVAILABLE 6.55 X 10-8 7.47 X 10-8 7.28 X 10-'
e CHANNEL CN 112 e OCS ORUM e CRT CN3, CRT SWITCH (3.36 X 10-' )
(3.2 X 10 8)
( 5.04 X 10~')
e RAU 16 e PMS ORUM e CRT CN3, OPERATOR ERROR (2 24 X 10'*)
(3.2 X 10 8)
( l.13 X 10-')
e ROU 8
(3.0 X 10 )
(4.82 X 10 - )
I
.A v
&jQ Q
w G
a w
w w
w w
FIGURE 4-28 SPDS UNAVAILABILTY:
4 MOST LIKELY FAILURE RATE CASE SPOS UNAVAILABLE 3.30 X 10-2 r m r
f%
4 DIGITIZED COMPUTER SPDS INPUT SIGNALS PROCESSING DISPLAY UNAVAILABLE UNAVAILADLE UNAVAILABLE 1.55 X 10-'
3.15 X 10-8 1.78 X 10-"
e RAU 16 e DCS DRUM e CRT CN3, OPERATOR ERROR (8.64 X 10-*)
(l.48 X 10-8)
( G.49 X 10-)
e ROU 8
- PMS ORUM e DISPLAY GEN., OPTR. ERROR (3.68 X 10)
(1.48 X 10-a)
(3 56 X 10-'2 3
- CHAtJtJ:'t. Cil 112 e MAlHTEtlAtJCE e CRT, OPERATOR ERROR (3.14 X I II )
(l.! x I Ol (3.56 X 10-'2 )
l I
g y
m u
6 m
- hhia, hid, L
h ad imm4 b
O 6
d FIGURE 4-3A SPDS UNAVAILABILTY:
CDNSERVATIVE FAILURE RATE CASE WITH DCS AND PHS DRUMS REPLACED SPOS UNAVAILADLg 1.99 X 10-a r m O
DIGITIZED COMPUTER INPUT SIGNALS PROCESSING DISPLAY SPOS UNAVAILABLE UNAVAILABLE UNAVAILABLE G.SS X 10-8 1.34 X 10-8 7.28 X 10-'
e TRU CN 100 (3.00 X XO)
~
( 2.22 X X O)
e DCS ORUM CN 74 (2.22 X 108 1
M hmA Whh has baw hade haJe d
hast lunat thedr huw thut-the best-W h
huwt' ame' FIGURE 4-38 SPDS UNAVAILABILTY:
MDST LIKELY FAILURE RATE CASE WITH DCS AND PMS DRUMS REPLACED SPOS UNAVAILABLE 3.69 X 10-'
r m r5 DIGITIZED COMPUTER INPUT SIGNALS PROCESSING DISPLAY SPDS UNAVAILACLE UNAVAILABLE UNAVAILABLE I.55 X 10-8 2.I4 X 10-8 1.78 X 10-"
- MAINTENANCE (l.1 X 10-8)
- TRU CN 100 (2.8 X 10-*)
L.
l l
l l
l l
SPDS DESIGN DEVELOPMENT PROCESS il.
SPDS DESIGN STATUS ComPletins F i rsa l Desien Implementatiors i.e.
Plant Process Computer Swstem Software Beine Debue9ed and Made Operational.
SPDS Software Irsstalled 1 7.
-DCS Swstem.
Testin9 o[
DCS.*SPDS S o f t w.3.r e Ursderwaw.
Documerstat i ors :
SPDS Requiremerits Document Rev.
1 RP P r oved.
SPDS Desi9n Document Rev.
2 RPProved.
Software Test Requirements Document
< Complete Draft).
SPDS Test Procedures Still Under Development.
l 4
SLIDE
- 12 TLR O
S m
S:'DS DESION DEVELO*' MENT PROC:EESS SPDS DESIGN STATUS kcontinued>
Optical Isolation Devices IP Responses to NRC Questions Current 1w Under NRC Review.
Technoloss for Enersw Cor P.
<TEC)
Isolator Cabinets Complete 1w Assembled and Tested Cabinets wi11 be SFsiPPed Cr or.s TEC Followins IP Qualits Rssurance RPProval of Fabrication Records.
Estimated Shipment Date is December 15, 1984.
Comf12tiofs Scheduled i
!M SPDS Desissa f o r-Earlw 2nd Q u a r-t e r-1985.
1 CPS Operator Trainins to be Cor sP leted P r-i o r~
to, Fuel L. sad.
l SLIDE
- 13 TLR s
-,,-n,.-g-
--.---.---,-------,------,_-n,
,,,.n--,.--,---..-e, n,--.---
t
l l
1 SPDS DESIGN DEVELOPMENT PROCESS DATA VALIDATION DCS OPerativs9 Sw ster s Validatiors Reasorsa61eness Test:
each chavarse l is vs.lidated as it is dieiti=ed, a9ainst a
data base ran9e.
R.
R e a.1 Point
< associated with a
Plant sensor)
E.
Psuedo Po i ret
<value depends uP ors a
real P o i rs t >
will be
. turned WHITE if anw of its source P o i rs ts :
A r-e Deleted C r o r.s Processisas Fai1ed the R e a s o asals 1 e n e s s i
Test Out of Scan Undefined Has a rs I s s-ser-ted
' ' a l s.'. e C.
R e a l <'P s u edo Point" Has an Inserted Value Color WHITE Used to Displaw LOW CONFIDENCE Data.
Means Sensor-is No Lorsser Retive 4
Co r-arew one of the R6ove Re'a s o re s I
Last Good Value of Data is Displawed in WHITE-WHITE Color will
'F l a s Operators as to the Urscertaintw of the Data avsd to Resard the Point Values Accordin91w.
SLIDE
- 14 TLR l
l l
---,,v,
,,-,,,,,n
,,,-~,---,,,-,->--n,-
---r
SPDS DESIGN D E'.* E L O P M E F-4 T PROCESS DRTR
'.' A L I D R T I O N Di9 ital Points G r ou.P Failures.
Redursdant D.y. t a Poivet ComPanison Drwwell Pressure
< t.4 R >
Onis Displaws PID D21DROOS and Confidence Checks with PID D21DROO9.
l l
For VALID Data:
/D WP -D W i./
L a r<s 6 d a DNP where Lambda.
Scalin9 Factor
<will be determireed when the
.z. o v. r c.=-
tr a s esdu.cer and channel accuracs have beers measured.)
For INVRLID Data:
DisPlawed Value is Turned WHITE but Continues to Displaw the l
Value of DWP.
./DWP -DW i /,
L a rri b d.s.
DWP
]
SLIDE
- 15 TLR
.. - ~.
SPDS DESION DE' 'ELOPMENT PROCESS DRTR VALIDATION Rverasins R19erithm Parameters:
Averase Power Rarsee Monitor
<RPRM) i Sov.rce Ravise Monitor
<SRM) 2 Wide R a r:9e React.er Water L.= ' e 1 Sv.Pression Pool Temperatu.re RPRM:
Rverase of
- C51DRO21, C51DRO22,
- C51DRO23, and C51DRO24 after a. Confidence Check.
- ' SRM:
Rvera9e of
- C51DROO1, C51DROO2,
- C51DROO3, a ved C51DROO4 after a
CoeCideasce Check.
Wide R a r:9,e Reactor Water Level:
Rverase of
- B21DROO2, NB-DR401, NB-DR402, and NE-DR403 after a
Confidence Check.
Sv.P P ress i ors Pool Temp eratu.re :
Rverase of CMEROO1
- CMBROO2, CMBROO3,'
and CMBROO4 after a'
Confide *nce Check.
SLIDE
- 16 TLR l
~
o SPDS DESIGM DEVELOPMENT PROCESS DATR VALIDATION 4
Rver a9 i ve'de R 1 9 e r i t h r.e Fo r-VRLID Data:q 1
i M
=
Xi s' er ase N
[st valv.e
./ M - M i./
Lambda
.M F oT-I N '.' R L I D Data:
i Va 1 v.e i-s T u.r- : s e d L JH I TE b u.t C o rst i n v.e s to be Disp 1 awed.
<' M-M i./
Lambda X
The
' 'a 1 v.e o +'
L a r.a b e-!a e ai 11 6e Deter ~r s i s sed LJhe a a the Sov.r ce Tr~ a rvs d u.c e r and Cha syne 1 Accv.r acs have been Deter mi ned.
i f
l SLIDE
- 17 TLR
-. - - - _, _ _. - ~..... _., - - _,.. _ _.. _.. _ ~. - - - - - - -. _,. _ -... _. _ -., _, - - - ~... - _
HUMAN FACTORS REVIEW j
4 i
Overview Humare Factors Review Conducted in October 1983 6w an IP Interdisciplinarw Review Team and Dr.
Charlie HoPkins
<U.
of I.
Humars Factors Specialist >.
Used Draft NUREG-083.5 and NUREG-0700 Checklists.
Results of Review Submitted to NRC Staff i ts November 1983 as a re Enclosure to SPDS Pre-I mp l eme ntat i ori Packase
<IP Letter U-0676).
NRC Sta.Cf Questions Addressin9 Humars Factors Concerns Sent to IP in Letter dated Rusust 17s 1984..
CPS Responses to these Questiores Provided via U-0745 dated October 2,
1984.
1 i
O e
SLIDE
- 1 TLR l
-.w-,---,--a w~~~,~
~-~+--wwmw--co--~~
wv----
-v-
-m,-
vm ---~~ -'
w "c'-*
- ~ " - " ' ' ' ~ ' -
O o
HUMAN FACTORS R E'.' I E!. J P r-e s en t Statu.s CPS Detailed C o e s t r~ o l Rooro
- Desiss, Review
<DCRDR>
I rateer-ates the EOP V&V a vid the Hu.roa n Fact o r~s Review of SPDS.
Man-in-the-Loop Testins:
Involves O p e r~ at d r-Testives U s.iras CPS Ero e r-s en ew OP er-at i n Ee
<Off Nor roa l >
Pr~ocedu.r es and CPS S i ro u. l a t o r-a re d./o r-4 Main Co s str-o 1 Rooro L Ja 1 k thr ov.shr.
Evalu.ates O p e r~ a t o r-I a ster-f ace esith SPDS d u.r-i n s S i ro u. l ated Plant A c c i d e n t s / tra a n s i eist s.
Schedu.le F+1 CPS DCRDR Schedu. led to be CoroP l ete bw Maw 1985.
Final DCRDR R e p o r~ t to NRC StaCC bw J u.19 1985.
l l
l SLIDE
- 2 TLR l
g 9
,r--
.--e..-
,w.,
('
APPROVE:
VICE PRESIDENT e PROGRAM PLAN e FINAL REPORTS e DESIGN lMPLEMENTATIONS REVIEW AND RECOMMEND APPROVAL:
DIRECTOR PLANT MAN AGER e PROGRAM PLAN NUCLEAR SUPPORT MGR-NUC. STAT.
e DESIGN CRITERIA ENGR DEPART e DESIGN REVIEW FINDINGS REVIEW AND COORDINATE:
'^
PROJhT MANAGER NAL EPORT EME R. RES IMPL. PLAN e DESIGN IMPLEMENTATION e DESIGN CRITERIA
- DESIGN REVIEW l
FINDINGS l
l e EMER. RESP. PROGRAMS PROGRAM MAN AGER PROGRAM MANAGER SAFETY PAR AMETER SPOS VERIFICATION DISPLAY SYSTEM (SPDS)
AND VALIDATION PROGR AM MAN AGER PROGRAM MANAGER PROGRAM MANAGER
(
DETAILED CONTROL EME R. RESP.
UPGRADE EMER.
ROOM DESIGN REVIEW FACILITIES OPE R. PR OC.
1 DESIGN REVIEWTEAM DEVELOP / PERFORM / EVALUATE:
- PROGRAM PLAN ILLINDIS POWER COMPANY e FINAL
SUMMARY
REPORT l
PRINCIPAL INVESTIGATOR e CRITERIA ENGINEERING.0PERATIONS & LICENSING e CHECKLISTS AS REQUIRED eSURVEYS eINVENTORY GENERAL ELECTRIC /EARGENT & LUNDY e SYSTEM FUNCTION ENGINEERING AS REQUIRED
& TASK ANALYSIS e WALK / TALK THROUGHS TORREY MNES TECHNOLOGY e PROCEDURES l
PROJECT ENGINEER e ORSERVATIONS 4
ASST PROJEC* ENGINEER e E0PVERIFICATION TASK ANALYSISSPECIALISTS AND VALIDATION HUMAN FACTORS SPECIALISTS e ASSESSMENTS CORRECTIVE ACTION SPECIALISTS e DESIGN IMPLEMENTATION LICENSING PERSONNEL RECOMMENDATIONS
(
Overall ERCIP Organization
,,,-,~-----,,,--,,.,-,,.--------,----w y,--,,---
m - - - - - -es,,
- =. _
i -
SPDS HUMAN FACTORS REVIEW
Background
The original SPDS'was developed by a CPS assistant shift supervisor who was SRO Certified.
The operator was a system specialist on the process computer.
The concept of integrating SPDS on Nuclenet was presented on NRC Staff in July 1981 by the Nucionet Owners Group.
1 The process computer was reviewed for human factors during the NRC Staff's Preliminary Design Assessment in November 1981.
r IP interdisciplinary human factors 4
i review team utilized draft NUREG-0835, NUREG-0700 and industry guidance.
Checklist was made and the display was reviewed against the checklist in a method similar to the Preliminary i
Design Assessment.
The review team consisted of:
i I-Controls & Instrumentation Engineers
?
]
Electrical Engineers
)
Computer Specialists
(
i SRO Certified Operators Nuclear Engineers A,2 i
Human Factors Specialist -
+
Dr. Charles 0. Hopkins l.
I I
1 s
t-j Jf l
t t
4 f
1 e
Present Status The CPS detailed Control Room Design Review (DCRDR) is in progress The CPS DCRDR integrates the emergency response activities of Supplement 1 to NUREG-0737.
The human factors review of the process computer in the DCRDR will include the SPDS.
This in an independent review by our consultants (Torry Pines Technology) using the methodology in NUREG-0700.
The procedure used to conduct this review will be checked to ensure that the items not reviewed in the October 1983 review will be covered.
Special attention will be given to the findings identified in the prelbainary review of October 1983.
Schedule The SPDS human factors review to be completed early 1985.
'i The CPS DCRDR is scheduled to be completed in June 1985.
F l
i e
t e
__.-r
l t
i it *Q '
I\\J 4..........
- W A.eRM m''':
- */.
u
-9 y
- e..c..
e.c c
- .c : v n..e.
=
.MW1
- . : E::
sE:
e N o.x LEVEL (WR)
INCH g
&\\M l
INCH I
o 4
1^
RX STEAM FLOW K:l535'4:59
'..............:'.:: a. :.
l'
.f u.F.
.. _e.,.u..c.
M 1:
12 RX FEED FLOW
........., /HR
.L.e.,.v.g 1
14 TOT CORE FLOW th m la 5
=.
I 16 RX PRESSURE (WR)
. SIG 1:
5 17
- N
.c g g g g;
,~.
g o.
s 1t
)
to DW FLOOR DRAIN GFM ic 2C' SUMF FLOW G"
2(
a, t
~.
! ?
22 % DW PRE'.iEURE (NR)
- '. PSIG 2:
a t
Leww i
p e.r e
.e. -
- m. a e.s 2"
- SUPPRESSION t
': DEG F 2*
.e..t.
Pn.n,
- v..e M.e axsw i
- n..e.r..e
.e.
.-.F
. o.
eO.=JT A I Nw.eN v.
- c. e.v r
.. c.
ao.
.o.c.E e. SiJR.e-
-Nxx
.= c.e r c.
we w.,-
we
.n 4
=
6 7
a.
a.
C CNMT ISCL I 0:
!O IC 20 wa wt w
'.r.e E
98 8D 9er
. I.
9r -
w,
~'
?. ".?
".F C.
- C
'. O.
'C.
4 '.'
4C 41 41 4
4e 4.
S'.
44 44 as ac 46 4:
47 47 4E 4E 4.........,.........
3............
S P.n. e..e w
- n..,e.os.P.v.
^
a...
e I
e, s
e 4.........
4 e
=
e 3
. c..
.~
1e 1:
. e.
a.
,,r
~.
mw ag a
.m. e t
=s e
, a-e,.
~
~
=. *
~g
!?
1 RX WTR LEVEL
-::::::. :: IN SUFP POCL LVL
- . :: "T T
~.
w.
v
- v. a.
e...J o.c.E e S
.:... o c t r-e_Le.c.c. e nnL v. e..w.c. x.... x. e
+.
4f 4
41 DW TEMP
- .: F CNMT.*RESE
- in.x FEIS 4
4 ~.
4" SRV STATUS (OFEN/ CLOSED)
CNMT TEMP
- x. :: e 4'
44 4
4" DW FL SUMP FLOW : n. :: GPM CNMT MO CONC nn::.n %
d' 4e 4
47 SDV A LEVEL-n:: GAL SDV S LEVEL nn 3AL a:
45 4'
1.........
4.........,.........o............
i ALARM INITIATED DISPLAY i
l
.m.
EditoaddiT 4 5.0 SECONDARY CONTAINMENT / RADIOACTIVITY RELEASE CONTROL GUIDELINE f
Purpose The purpose of this guideline is to:
a)
Protect equipment in the secondary containment, b)
Limit radioactivity release to the secondary containment.
c)
Maintain secondary containment integrity.
d)
Limit radioactivity release outside of the primary and secondary containments.
Entry Conditions Section SC, Secondary Containment Control, should be entered if any of the following conditions are reached:
a)
Secondary containment differential pressure at or above 0 inches of water.
b)
Any secondary containment area temperature at or above alarm setpoint.
c)
Any secondary containment HVAC cooler differential temperature at or above alarm setpoint.
d)
Fuel Building Exhaust Vent Plenum radiation level at or above alarm setpoint.
e)
Any secondary containment area radiation level at or above its alarm setpoint.
f)
Any secondary containment floor drain sump water level at or above high high alarm setpoint.
Section RR, Radioactivity Release Control, should be entered if offsite radioactivity release rate requires an Alert.
1 L
i l.
i SLA37 Page No.
33 of 126 Rev. No.
0 l
J CPS tio. 1450.00
=
-Operator Actions-SC-Secondarv Containment Control SC-1 Verify all appropriate automatic actions have occurred and manually perform any that ha.ve not:
a.
VF isolation Caution #27 b.
SGTS initiation c.
VF supply fan trip Caution #24 SC-2 IJ[
At any time VF isolates AND SGTS cannot be started 1
AND VF exhaust radiation level is below the isolation setpoint l
THEN Restart the VF system l
SC-3 Operate available area coolers and available i
t i
1 i
i l
l SLA37 Page No.
34 of 126 Rev. No.
0
i
~
~~
CPS No. 1450.00 SC.IF Any area temperature is at or above its alarm point EE t
i Any radiation level exceeds its alarm point EE Any floor drain sump level cannot be restored and maintained below its alarm point THEN Isolate all systems discharging into the area except:
a.
systems required to shutdown the reactor 4
b.
systems required to assure adequate core cooling c.
systems required to suppress a working fire AND i
Establish or verify that Secondary Containment has been established.
SC-5 17 A primary system is discharging into an area i
THEN Before any area temperature, any area radiation level, or area water level reaches its maximum safe operating level:
a.
Place the Mode switch in SHUTDOWN.
b.
Perform Reactor Scram off normal procedure concurrently with this procedure.
c.
Proceed to cold shutdown.
Perform C00LDOWN RC/CD concurrently with this procedure.
l l
i i
i SLA37 Page No.
35 of 126 Rev. No.
0
. ~ _ _ _ _. _ _ _ _ _ _. _ _ _,. _ _... _ _... _. _ _ _ _ _ _ _. ~, -. _ _ _ _ _ _ _. _ _ _.. _ _.
CPS No. 1450.00 SC-6 g
.A primary system is discharging into an area AND either:
a.
Area temperature exceeds its maximum safe operating level in more than one area gR, b.
Area radiation level exceeds its maximum safe operating level in more than one area EE c.
Area water level exceeds its maximum safe operating level in more than one area THEN Emergency RPV Depressurization is required.
Enter Contingency #2, EMERGENCY RPV DEPRESSURIZATION, and execute it concurrently with this procedure.
~~
l i
l l
l SI.A37 Page No.
36 of 126 Rev. No.
O
CPS No. 1450.00 7
?
e
)
RR Radioactivity Release Control RR-1 Isolate all primary systems that are discharging into areas outside the primary and secondary containments except:
a.
systems required to assure adequate core cooling b.
systems required to shutdown the reactor RR-2 IF Offsite radioactivity release rate approaches or exceeds the release rate which requires a General Emergency.
AND A primary system is discharging outside the primary and secondary containment THEN Emergency RPV Depressurization is required.
Enter Contingency #2, EMERGENCY RPV DEPRESSURIZATION, and execute it concurrently with this procedure.
SLA37 Page No.
37 of 126 Rev. No.
O
.