ML20128R072

From kanterella
Non-proprietary Rev 0 to WCAP-14644, AP600 Functional Requirements Analysis & Function Allocation
Site: 05200003
Issue date: 10/09/1996
From: Brockhoff C, Mumaw R, Reid J (WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.)
To:
Shared Package: ML20128R055
References: WCAP-14644, WCAP-14644-R, WCAP-14644-R00, NUDOCS 9610210284
Download: ML20128R072 (115)


Text


Westinghouse Non-Proprietary Class 3

WCAP-14644
Revision 0

AP600 Functional Requirements Analysis and Function Allocation

Westinghouse Energy Systems

AP600 DOCUMENT COVER SHEET (Page 1)
Form 58202G(5/94)
TDC: IDS:

AP600 CENTRAL FILE USE ONLY: RFS#: RFS ITEM #:

AP600 DOCUMENT NO.: REVISION NO.: ASSIGNED TO:
ALTERNATE DOCUMENT NUMBER:
WORK BREAKDOWN #:
DESIGN AGENT ORGANIZATION:
PROJECT:
TITLE: (handwritten entry, illegible in scan)
ATTACHMENTS: DCP #/REV. INCORPORATED IN THIS DOCUMENT REVISION:
CALCULATION / ANALYSIS REFERENCE:
ELECTRONIC FILENAME / ELECTRONIC FILE FORMAT / ELECTRONIC FILE DESCRIPTION:

(C) WESTINGHOUSE ELECTRIC CORPORATION

WESTINGHOUSE PROPRIETARY CLASS 2: This document contains information proprietary to Westinghouse Electric Corporation; it is submitted in confidence and is to be used solely for the purpose for which it is furnished and returned upon request. This document and such information is not to be reproduced, transmitted, disclosed or used otherwise in whole or in part without prior written authorization of Westinghouse Electric Corporation, Energy Systems Business Unit, subject to the legends contained hereof.

WESTINGHOUSE PROPRIETARY CLASS 2C: This document is the property of and contains Proprietary information owned by Westinghouse Electric Corporation and/or its subcontractors and suppliers. It is transmitted to you in confidence and trust, and you agree to treat this document in strict accordance with the terms and conditions of the agreement under which it was provided to you.

WESTINGHOUSE CLASS 3 (NON PROPRIETARY)

COMPLETE 1 IF WORK PERFORMED UNDER DESIGN CERTIFICATION, OR COMPLETE 2 IF WORK PERFORMED UNDER FOAKE.

1. DOE DESIGN CERTIFICATION PROGRAM - GOVERNMENT LIMITED RIGHTS STATEMENT [See page 2]
Copyright statement: A license is reserved to the U.S. Government under contract DE-AC03-90SF18495.
DOE CONTRACT DELIVERABLES (DELIVERED DATA): Subject to specified exceptions, disclosure of this data is restricted until September 30, 1995 or Design Certification under DOE contract DE-AC03-90SF18495, whichever is later.
EPRI CONFIDENTIAL: NOTICE: 1 2 3 4 5   CATEGORY: A B C D E F

2. ARC FOAKE PROGRAM - ARC LIMITED RIGHTS STATEMENT [See page 2]
Copyright statement: A license is reserved to the U.S. Government under contract DE-FC02-NE34267 and subcontract ARC-93-3-SC-001.
ARC CONTRACT DELIVERABLES (CONTRACT DATA): Subject to specified exceptions, disclosure of this data is restricted under ARC Subcontract ARC-93-3-SC-001.

ORIGINATOR: (signature/date, illegible in scan)
AP600 RESPONSIBLE MANAGER SIGNATURE / APPROVAL DATE: (signature/date, illegible in scan)

* Approval of the responsible manager signifies that document is complete, all required reviews are complete, electronic file is attached and document is released for use.

AP600 DOCUMENT COVER SHEET (Page 2)
Form 58202G(5/94)

LIMITED RIGHTS STATEMENTS

DOE GOVERNMENT LIMITED RIGHTS STATEMENT

(A) These data are submitted with limited rights under government contract No. DE-AC03-90SF18495. These data may be reproduced and used by the government with the express limitation that they will not, without written permission of the contractor, be used for purposes of manufacture nor disclosed outside the government; except that the government may disclose these data outside the government for the following purposes, if any, provided that the government makes such disclosure subject to prohibition against further use and disclosure:

(I) This "Proprietary Data" may be disclosed for evaluation purposes under the restrictions above.

(II) The "Proprietary Data" may be disclosed to the Electric Power Research Institute (EPRI), electric utility representatives and their direct consultants, excluding direct commercial competitors, and the DOE National Laboratories under the prohibitions and restrictions above.

(B) This notice shall be marked on any reproduction of these data, in whole or in part.

ARC LIMITED RIGHTS STATEMENT:

This proprietary data, furnished under Subcontract Number ARC-93-3-SC-001 with ARC, may be duplicated and used by the government and ARC, subject to the limitations of Article H-17.F. of that subcontract, with the express limitations that the proprietary data may not be (text illegible in scan) the Subcontractor, except that further disclosure or use may be made solely for the following purposes:

This proprietary data may be disclosed to other than commercial competitors of Subcontractor for evaluation purposes of this subcontract under the restriction that the proprietary data be retained in confidence and not be further disclosed, and subject to the terms of a non-disclosure agreement between the Subcontractor and that organization, excluding DOE and its contractors.

DEFINITIONS

CONTRACT/DELIVERED DATA - Consists of documents (e.g. specifications, drawings, reports) which are generated under the DOE or ARC contracts which contain no background proprietary data.

EPRI CONFIDENTIALITY / OBLIGATION NOTICES

NOTICE 1: The data in this document is subject to no confidentiality obligations.

NOTICE 2: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for limited purposes only. Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited except as agreed to in advance by the Electric Power Research Institute (EPRI) and Westinghouse Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted.

NOTICE 3: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for use only in evaluation tasks authorized by the Electric Power Research Institute (EPRI). Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited except as agreed to in advance by EPRI and Westinghouse Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted. This document and any copies or excerpts thereof that may have been generated are to be returned to Westinghouse, directly or through EPRI, when requested to do so.

NOTICE 4: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is revealed in confidence and trust only to Employees of EPRI and to certain contractors of EPRI for limited evaluation tasks authorized by EPRI. Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. This Document and any copies or excerpts hereof that may have been generated are to be returned to Westinghouse, directly or through EPRI, when requested to do so.

NOTICE 5: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. Access to this data is given in Confidence and Trust at Westinghouse facilities for limited evaluation tasks assigned by EPRI. Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. Neither this document nor any excerpts therefrom are to be removed from Westinghouse facilities.

EPRI CONFIDENTIALITY / OBLIGATION CATEGORIES

CATEGORY "A" - (See Delivered Data) Consists of CONTRACTOR Foreground Data that is contained in an issued report.

CATEGORY "B" - (See Delivered Data) Consists of CONTRACTOR Foreground Data that is not contained in an issued report, except for computer programs.

CATEGORY "C" - Consists of CONTRACTOR Background Data except for computer programs.

CATEGORY "D" - Consists of computer programs developed in the course of performing the Work.

CATEGORY "E" - Consists of computer programs developed prior to the Effective Date or after the Effective Date but outside the scope of the Work.

CATEGORY "F" - Consists of administrative plans and administrative reports.

WESTINGHOUSE NON-PROPRIETARY CLASS 3

WCAP-14644

AP600 Functional Requirements Analysis and Function Allocation

C. S. Brockhoff
R. J. Mumaw
E. M. Roth
T. L. Schulz

AP600 Design Certification Project
September 1996

Westinghouse Electric Corporation
Energy System Business Unit
P.O. Box 355
Pittsburgh, PA 15230-0355

(C) 1996 Westinghouse Electric Corporation
All Rights Reserved

m:\3243w.wpf:1b-100296

WESTINGHOUSE PROPRIETARY CLASS 3

TABLE OF CONTENTS

LIST OF TABLES ... v
LIST OF FIGURES ... vi
ACRONYMS ... vii

1.0 INTRODUCTION ... 1-1
1.1 Objectives ... 1-1
1.2 Overview of AP600 Functional Requirements and Function Allocation Methodology ... 1-2
1.3 Overview of the Role of the Operator in AP600 ... 1-3
1.4 Scope of Analysis ... 1-5
1.4.1 CSFs and Success Paths ... 1-6
1.4.2 Westinghouse PWR Reference Plant ... 1-8
1.5 Supporting Westinghouse Reference Documents ... 1-9
1.5.1 WCAP-13793, AP600 System/Event Matrix (Reference 11) ... 1-9
1.5.2 AP600 Emergency Response Guidelines (Reference 6) ... 1-10
1.5.3 AP600 Emergency Response Guidelines Background Document (Reference 7) ... 1-12
1.5.4 AP600 Standard Safety Analysis Report (Reference 12) ... 1-12
1.5.5 AP600 Probabilistic Risk Assessment (Reference 8) ... 1-14
1.5.6 WCAP-13856, AP600 Implementation of the Regulatory Treatment of Nonsafety-Related Systems Process (Reference 13) ... 1-15
1.5.7 WCAP-14477, The AP600 Adverse Systems Interactions Evaluation Report (Reference 10) ... 1-15
1.5.8 AP600 Shutdown Evaluation Report (Reference 14) ... 1-15

2.0 AP600 FUNCTIONAL REQUIREMENTS ANALYSIS ... 2-1
2.1 Description of Methodology ... 2-1
2.1.1 AP600 CSFs (Table 1) ... 2-2
2.1.2 AP600 CSF Success Paths (Table 2) ... 2-2
2.1.3 Comparison of CSF Success Paths Between AP600 and Generic Westinghouse PWR Reference Plant (Table 3) ... 2-4
2.2 Results ... 2-7
2.3 Verification and Updating of Functional Requirements Analysis ... 2-8

3.0 AP600 INITIAL FUNCTION ALLOCATION ... 3-1
3.1 Methodology for Function Allocation ... 3-1
3.1.1 The General Approach to Function Allocation ... 3-1
3.1.2 Westinghouse Function Allocation Process ... 3-3
3.1.3 Integration of Automation and Operators ... 3-10
3.1.3.1 Guidelines for the Residual Role of the Operator for Functions Allocated to Automation ... 3-10
3.1.3.2 Guidelines for the Residual Role of Automation for Functions Allocated to Human Performance ... 3-17
3.1.3.3 Implementation Schemes ... 3-17
3.2 AP600 Function Allocation Summary (Table 4) ... 3-18
3.3 AP600 Function Allocation Basis (Table 5) ... 3-24
3.4 Results ... 3-24

4.0 HUMAN FACTORS CONSIDERATIONS IN FUNCTION ALLOCATION ... 4-1
4.1 Human Factors Input Early in the Design Process ... 4-1
4.2 Human Factors Evaluation of the Integrated Role of the Operator ... 4-2
4.3 Mechanisms for Modifying Function Allocations Based on Analysis Results ... 4-4

5.0 CONCLUSIONS ... 5-1

6.0 REFERENCES ... 6-1

Revision 0 m:\3243w.wpf:1b-100296 September 1996

LIST OF TABLES

Table 1 Westinghouse ERG Critical Safety Functions ... T-1
Table 2 Success Paths ... T-3
Table 3 Success Path Status ... T-8
Table 4 Success Path SSC Allocations ... T-19
Table 5 Function Allocation Basis ... T-40
Table 6 Function Allocation Questions ... T-45

I i

vi WESTINGHOUSE PROPRIETARY CLASS 3 f LIST OF FIGURES i 4

Figure 1 ~ Function Allocation Decision Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . T-47 t

f t

i r

L i

i I

Revision 0 l m:\3243w.wpf:1b-100296 September 1996 1

l WESTINGHOUSE PROPRIETARY CLASS 3 vii l

ACRONYMS

ADS Automatic Depressurization System
AFW Auxiliary Feedwater System
ALWR Advanced Light Water Reactor
AMSAC ATWS Mitigation System Actuation Circuitry
ASI Adverse Systems Interactions
ATWS Anticipated Transient Without Scram
CCS Component Cooling Water System
CFR Code of Federal Regulations
CMT Core Makeup Tank
CVS Chemical and Volume Control System
CSF Critical Safety Function
DAS Diverse Actuation System
DDS Data Display and Processing System
ELS Plant Lighting System
EOP Emergency Operating Procedure
ERG Emergency Response Guideline
ESF Engineered Safety Feature
FBTA Function-Based Task Analysis
GDC General Design Criteria
HFE Human Factors Engineering
HRA Human Reliability Analysis
HVAC Heating, Ventilation and Air-Conditioning
HX Heat Exchanger
IAEA International Atomic Energy Agency
I&C Instrumentation & Control
IIS Incore Instrumentation System
IRC Inside Reactor Containment
IRWST In-Containment Refueling Water Storage Tank
LOCA Loss-of-Coolant Accident
M-MIS Man-Machine Interface System / Human System Interface
MCC Motor Control Center
MCR Main Control Room
MG Motor-Generator
MSIV Main Steamline Isolation Valve
MTC Moderator Temperature Coefficient
NSR Nonsafety-Related
OCS Operation and Control Centers
ORC Outside Reactor Containment
OSA Operational Sequence Analysis
PCS Passive Containment Cooling System
PLS Plant Control System
PMS Protection and Safety Monitoring System
PORV Power-Operated Relief Valve
PRA Probabilistic Risk Assessment
PRHR Passive Residual Heat Removal
PRM Human Factors Program Review Model
PWR Pressurized Water Reactor
PXS Passive Core Cooling System
RCP Reactor Coolant Pump
RCS Reactor Coolant System
RHR Residual Heat Removal
RMS Radiation Monitoring System
RNS Normal Residual Heat Removal System
RWST Refueling Water Storage Tank
RV Reactor Vessel
SFS Spent Fuel Pool Cooling System
SG Steam Generator
SI Safety Injection
SR Safety-Related
SRP Standard Review Plan
SSAR Standard Safety Analysis Report
SSC Systems, Structures, and Components
SSPS Solid State Protection System
SWS Service Water System
TS Technical Specifications
UPS Uninterruptible Power Supply
URD Utility Requirements Document

1.0 INTRODUCTION

Element 3 of the Human Factors Program Review Model (PRM) specifies requirements for performing functional requirements analyses and function allocation in support of establishing and documenting design decisions with respect to the level of plant automation (NUREG-0711) (Ref. 1). Similar analysis and documentation requirements, with respect to function allocation decisions, are specified in the Advanced Light Water Reactor Utility Requirements Document (ALWR URD) (EPRI, 1992) (Ref. 2) and in international man-machine interface design standards and guidelines documents that address the design of power plant control rooms (including IAEA-TECDOC-668 and IEC 964, Ref. 3 and 4).

The objective of this report is to document the methodology used by Westinghouse to arrive at the AP600 level of automation for plant functions, processes, and systems involved in maintaining plant safety, and to document the results and rationale for function allocation decisions for the AP600 plant. The report also describes human factors activities that are conducted as part of the AP600 man-machine interface system (M-MIS) design process to verify the adequacy of function allocation decisions, and to establish the ability of operators to perform the role assigned to them. This report satisfies the requirements of Element 3 of the PRM.

This document employs the same definitions of function requirements analysis and function allocation provided in NUREG-0711. Consistent with NUREG-0711:

• Functional requirements analysis is defined as the "identification of those functions that must be performed to satisfy plant safety objectives, that is, to prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public." (NUREG-0711, pg. 4-1).

• Function allocation is defined as the "analysis of the requirements for plant control and the assignment of control functions to (1) personnel (e.g., manual control), (2) system elements (e.g., automatic control and passive, self-controlling phenomena), and (3) combinations of personnel and system elements (e.g., shared control and automatic systems with manual backup)" (NUREG-0711, pg. 4-1).

1.1 Objectives

This document has three primary objectives:

• To describe the Westinghouse approach to functional requirements analysis and present the results for the AP600 critical safety functions (CSFs)

• To describe the Westinghouse approach to initial function allocation and present the results for the AP600 CSFs

• To describe the methods by which human factors considerations, with respect to function allocation, are addressed as part of the AP600 design process

Section 2.0 provides a description of the Westinghouse approach to functional requirements analysis and presents the results for AP600 CSFs. The results include a description of AP600 systems, structures, and components (SSCs) involved in maintaining the AP600 CSFs. The section also includes a similar analysis for generic Westinghouse pressurized water reactor (PWR) designs to provide a comparison of where the AP600 plant differs from current Westinghouse PWR designs. The section includes an explicit comparison of the AP600 design with the reference plant design and identifies SSCs that are new or modified, relative to the reference plant design. This includes changes in the level of automation.

Section 3.0 describes the Westinghouse approach to initial function allocation and presents the results for AP600 CSFs. The results include specification of the level of automation and the responsibility of personnel for the AP600 CSFs. The results also document the rationale for function allocation decisions for the AP600 CSFs.

The report also describes human factors activities that are conducted as part of the AP600 M-MIS design process to verify the adequacy of function allocation decisions and to establish the ability of operators to perform the role assigned to them.

Section 4.0 describes how human factors considerations, with respect to function allocation, are addressed as part of the AP600 design process. This includes the following:

• How human factors input is provided early in the design process

• How the integrated role of the operator, across all systems, is confirmed for acceptability

• The mechanisms available for reconsidering and, if necessary, changing AP600 function allocations in response to developing design specifics, operating experience, and the outcomes of on-going analyses and trade studies

1.2 Overview of AP600 Functional Requirements and Function Allocation Methodology

In the Westinghouse design process, functional requirements analysis and preliminary function allocation are largely the responsibility of system designers. As explicitly recognized in the International Atomic Energy Agency report on the role of automation and humans in nuclear power plants (IAEA-TECDOC-668), as well as in NUREG-0711, functional requirements analysis and function allocation decisions for a new plant are rarely generated from a clean slate. Functional requirements and function allocation decisions for AP600 have been strongly guided by regulatory requirements (e.g., 10 CFR 50), industry requirements (e.g., URD requirements), design goals, and experience with predecessor plants, as is typically the case with new plant designs. Details on the specific requirements and decision processes that entered into AP600 function allocations are provided in Section 3.0.

Human factors considerations in function allocation are incorporated in the design process at several points. Initial allocation, while largely constrained by external requirements and design goals, takes into account the strengths and limitations of human operators and automated systems. As mentioned previously, the initial allocation is the responsibility of system designers. The system designers consider the relative capabilities of human and automated systems in making allocation decisions. The role of the human operator in system operation is specified in cases where decisions are made to automate processes. This typically includes monitoring the operation of the automated system. Depending on the system, it may also include the ability to manually initiate the system, to initiate a backup system should the primary system perform improperly, and/or the ability to take over manual control if required. As part of the design process, the system designers specify the sensors and controls to be provided to support the operator's role in system operations. A methodology adapted from NUREG/CR-3331 (Ref. 5) has been used to document the rationale for initial allocation decisions. The methodology was developed by an interdisciplinary team that included human factors and system design engineers. The methodology is presented in subsection 3.1 and the results are presented in subsection 3.2.

The adequacy of the allocation is further evaluated throughout the AP600 design process. Function-based task analyses (FBTAs) are used to verify that the sensors and controls provided are sufficient to enable operators to perform the role assigned to them in system performance. Workload analyses are used to evaluate the adequacy of the integrated role assigned to operators across systems. Final integrated system validation is used to establish the adequacy of the function allocation using man-in-the-loop tests in dynamic simulated plant conditions. Should deficiencies in function allocation be identified at any point in time, formal mechanisms are available in the AP600 design process for making design changes, if determined to be necessary. Section 4.0 describes in more detail the processes that will be employed as part of the AP600 M-MIS design process to address human factors concerns related to function allocation during all phases of the design.

1.3 Overview of the Role of the Operator in AP600

In Reference 24, the role of the operator is defined as "the integration of the responsibilities that the operator performs in the fulfillment of the mission of plant systems and functions, where responsibilities are defined with regard to a spectrum of control modes" (page 9). The primary focus is on the operator's control authority and responsibility, with respect to the plant functions and systems in which the operator is a part of the control loop.

Subsection 3.2 provides detailed descriptions of the specific operator responsibilities associated with the SSCs involved in CSFs. The results in Section 3.2 constitute a detailed description of the operator role in AP600 CSFs. An overview of the role of the operator in maintaining CSFs is provided in this section.

At a high level, the role of the operator in maintaining CSFs in the AP600 plant remains the same as in current plants. This can be seen by examining the AP600 Emergency Response Guidelines (ERGs) (Ref. 6). An overview of the AP600 ERGs and the activities that operators are expected to engage in when responding to emergency situations can be found in the introduction of the AP600 ERG background document (Ref. 7).

As in current plants, operator response to emergency events will be guided by Emergency Operating Procedures (EOPs). The operator's role includes the following:

• Monitoring plant state and verifying plant parameters

• Monitoring automatic operation of safety-related (SR) and nonsafety-related (NSR) systems, including:

  - Verifying operation of, or the need for operation of, the nonsafety-related defense-in-depth systems

  - Verifying operation of, or the need for operation of, the passive safety-related systems

• Controlling the operation of nonsafety-related systems

• Terminating operation of the safety-related systems when plant conditions have been stabilized following an event and EOP termination criteria are determined to be met

These operator activities are similar to the activities required of operators in responding to emergency events in current plants. As in current plants, the operator functions as supervisory controller of automated systems. The operator monitors the state of the plant, verifies that automatic systems have actuated and are responding as required, and takes manual action when necessary. As in current plants, the operator's performance will be guided by EOPs.

The difference between the role of the operator in the AP600 plant and in current plants is one of degree, and not a fundamental change in character. At a detailed level, there will be differences in the specific activities performed by operators due to differences in safety-related systems, increased automation, and the availability of improved M-MIS. The M-MIS includes displays that integrate information to facilitate assessment of plant state and supervisory monitoring of automated systems, and a computerized procedure system that facilitates utilization of the EOPs.

Some of the distinctions in equipment type that are important from a design and licensing perspective should be relatively transparent from an operational perspective. In particular, the AP600 employs safety-related, passive systems that automatically protect the plant in the event of an accident, without the need for immediate operator actions. The AP600 also employs nonsafety-related, defense-in-depth systems that, if available, can automatically protect the plant for the more probable postulated transients and accidents. If these defense-in-depth systems are available and operate correctly, they will prevent the need for the operation of the safety-related, passive systems. The AP600 ERGs integrate the use of the nonsafety-related, defense-in-depth systems and the safety-related, passive systems to maximize the protection of the plant for design basis and beyond-design-basis accidents.

During transients, operators are required to monitor the status of both nonsafety-related and safety-related systems, and are guided in the use of both types of systems.

Another aspect of the AP600 plant that is different from current plants is in the use of safety-related, passive systems. The passive systems rely on natural forces such as gravity or compressed gases, instead of mechanical forces such as pumps, to perform their functions.

From the perspective of the role of operators, passive systems can be considered a different form of automation. As with other automatic systems, operators are responsible for monitoring the availability and operational status of the passive systems. Operators are responsible to verify the operation of, or the need for operation of, the passive systems. When termination criteria are met, operators are responsible for terminating the operation of the systems. Monitoring and control activities associated with passive systems are guided by EOPs.

In the design of the M-MIS, procedures, and training, the passive systems are treated as a type of automated system. The M-MIS will be designed to support supervisory monitoring and control of the passive systems. While the passive systems are different in how they operate, they should not pose fundamentally different challenges for M-MIS design or operator supervisory control. In addition, some specific passive systems, such as the accumulators, have been installed in current plants and function identically for the AP600.

1.4 Scope of Analysis

The scope of this report is to address the functional requirements analysis and the function allocation process for the AP600 CSFs for both design basis and beyond-design-basis events. The CSFs are contained in the AP600 ERGs.

1.4.1 CSFs and Success Paths

CSFs are physical processes, conditions, or actions taken using the safety-related and nonsafety-related SSCs to maintain the plant conditions within the acceptable design basis.

SSCs are the physical equipment used to initiate and control the processes that achieve the CSF.

A success path for a CSF is the specific combination of safety-related and nonsafety-related, defense-in-depth SSCs that are capable of accomplishing that particular CSF. The CSFs may be accomplished by automatic or manual actuation, or control, and can be supplemented by passive processes.

The CSFs and their associated success paths are the means by which the AP600 design accommodates anticipated operational occurrences during normal, abnormal, and emergency conditions.

The CSFs for the AP600 have been developed considering the specific plant design basis, in conjunction with extensive Westinghouse PWR operating experience and with the previous experience in the development of ERGs for current plants.

The AP600 CSFs, as identified in Reference 6, include the following:

• Subcriticality
• Core cooling
• Containment
• RCS inventory

Table 1 provides an overview of the AP600 CSFs, including a brief summary of the purpose for each CSF and the primary AP600 plant parameters monitored to confirm the status of the associated CSF. The development of these CSFs for the AP600 is discussed in subsections 1.5.1 and 1.5.2. Additional information on each CSF is also provided in the ERG Background Document (Reference 7).

These six CSFs provide protection for events initiating from both at-power and shutdown conditions. Therefore, the functional requirements analysis and the function allocation process described in this report address plant SSCs that are used to mitigate events that initiate from both at-power and shutdown conditions.

The specific AP600 SSCs that form the CSF success paths and are addressed as part of the functional requirements analysis and the function allocation process include the following:

• Safety-related passive SSCs (such as core makeup tanks (CMTs) and accumulators)

• Nonsafety-related, defense-in-depth SSCs (such as chemical and volume control system (CVS) and startup feedwater systems)

• Other nonsafety-related SSCs that support the CSF success paths as identified in References 6 and 7 (such as the main feedwater system)

As appropriate, the inherent passive processes that provide actuation and control functions for safety-related SSCs identified in the various success paths are also addressed as part of the function allocation process described in this report.

The definition of a success path is based on identifying the SSCs that accomplish the CSFs in the various tables. References to the phrase "SSCs" in the context of success paths for this evaluation are meant to encompass the following:

• The actual equipment and components that accomplish the CSF, such as the system piping, valves, pumps, other mechanical and electrical components in the flowpaths or supporting the flowpaths (such as air-operated valve control solenoids), and components such as tanks, including those that may actually be integral to building structures, like the in-containment refueling water storage tank (IRWST)

• The equipment and components that provide support for the functioning of the SSCs, such as instrumentation and control (I&C) system actuation and control functions, or electrical power generation and distribution equipment functions

• The physical plant and system processes associated with the operation of the SSCs in mitigating the consequences of the accident and ultimately accomplishing the CSFs (such as fluid system injection, depressurization flow, or reactor neutron kinetics processes related to control rod motion on a reactor trip or boration)

Since this report addresses the functional requirements analysis and the function allocation process incorporated for the AP600 ERGs, severe accident events are not included as part of this evaluation. Severe accident response is evaluated in the AP600 Probabilistic Risk Assessment (PRA) (Ref. 8) and addressed in WCAP-13913, Framework for AP600 Severe Accident Management Guidance (Ref. 9).

Unanticipated and adverse systems interactions are implicitly included in the ERG response since this aspect of the operation of the safety-related and nonsafety-related systems SSCs has been evaluated in WCAP-14477, The AP600 Adverse Systems Interactions (ASI) Evaluation Report (Ref. 10) and considered in the development of the ERGs.

The actuation, control, continuing operation, and operator monitoring of the various SSCs for the CSF paths implicitly requires operation of both I&C systems and electrical power systems. Following a loss of electrical power, the nonsafety-related emergency diesel-generators automatically start and load the appropriate nonsafety-related, defense-in-depth systems. The diesel-generators also provide electrical power to both the ac and dc power systems, thereby providing operating power for nonsafety-related components such as pumps and fans, as well as power for actuation, control, and monitoring instrumentation.

These safety-related and nonsafety-related SSCs are included in the following AP600 systems:

Instrumentation and Control Systems

• Protection and Safety Monitoring System (PMS) (safety-related)
• Plant Control System (PLS) (nonsafety-related)
• Diverse Actuation System (DAS) (nonsafety-related)
• Data Display and Processing System (DDS) (nonsafety-related)
• Incore Instrumentation System (IIS) (nonsafety-related)
• Operation and Control Centers (OCS) (safety-related)
• Radiation Monitoring System (RMS) (safety-related)
• Plant Lighting System (ELS) (nonsafety-related)

Electrical Power Systems

• Main ac Power System (nonsafety-related)
• Class 1E dc and uninterruptible power supply (UPS) System (safety-related)
• Non-Class 1E dc and UPS System (nonsafety-related)
• Onsite Standby Power System (includes the nonsafety-related emergency diesel-generators)

1.4.2 Westinghouse PWR Reference Plant

Element 3 of the PRM (NUREG-0711) specifies that in conducting a functional requirements analysis, safety functions and processes of the new plant should be compared to those of predecessor plants. The predecessor plants provide a reference for identifying and documenting functions and processes that have been modified (i.e., are new, changed or deleted) and functions and processes that are unchanged relative to the reference plant.

The generic PWR design for currently licensed Westinghouse nuclear power plants functions as the reference plant in performing the function requirements analysis for the AP600. As shown in Table 1, the CSFs for the AP600 plant are identical to the CSFs for current Westinghouse PWR plants. This is because a similar design basis is used for the AP600 plant as for the current generic Westinghouse PWR design.

The functional requirements analysis and the function allocation process provide appropriate comparisons to the generic PWR reference plant design. They identify differences in the success paths that must be considered in completing the function allocation process.

1.5 Supporting Westinghouse Reference Documents

A number of reference documents were used to support the functional requirements analysis and function allocation process and may be referenced as appropriate in this evaluation. Together, these documents provide a comprehensive and complementary summary of the pertinent aspects of the plant design needed to support the function allocation process. This process includes the design, operation, accident mitigation response, and safety importance of the various plant systems and components. These supporting reference documents follow.

1.5.1 WCAP-13793, AP600 System / Event Matrix (Reference 11)

The design basis for the Westinghouse PWRs, including the AP600, requires protecting the three fission product barriers following design basis events. The AP600 System / Event Matrix (Ref. 11) is a design document that identifies four design basis safety functions that are required to provide this protection for the fission product barriers. These four design basis safety functions identified in the design document were expanded into the six CSFs in writing the symptom-based AP600 ERGs.

Along with Reference 6, the System / Event Matrix provides much of the basis for the activities described in this report. The System / Event Matrix provides an integrated summary of the plant accident mitigation response and has been used throughout the design process.

The System / Event Matrix document identifies the following four safety-related, post-accident mitigation functions that are required as part of the design basis for the AP600 to protect the integrity of the three fission product barriers in the plant (the fuel matrix and cladding, the RCS pressure boundary, and containment):

• Reactor shutdown
• RCS inventory control
• Core decay heat removal
• Containment cooling

The design basis of the plant requires safety-related SSCs that can perform these safety-related functions for design basis events. The nonsafety-related SSCs also perform defense-in-depth functions that complement the safety-related SSCs in performing these safety-related functions.

For each event, the System / Event Matrix document provides simplified flow diagrams that present the prioritized sequence for the operation of the various safety-related and nonsafety-related, defense-in-depth SSCs that are used to protect the reactor core and to mitigate the consequences of each event. Flow diagrams are provided for events initiated from both operating and shutdown conditions.

The document also provides tables for each event that show the following:

• Safety-related and nonsafety-related I&C system support requirements (actuation / control) for each success path

• Actuation mode (automatic / manual) for each of the success paths

• Safety-related and nonsafety-related electrical power support requirements for each success path

This document is used in the functional requirements analysis and the function allocation process since it specifies how the AP600 safety-related and nonsafety-related systems are used to maintain CSFs during the specific events (i.e., which systems are used, and in what sequence, during each event).

1.5.2 AP600 Emergency Response Guidelines (Reference 6)

The AP600 ERGs provide functional guidelines for terminating accidents and transients that affect plant safety. The ERGs are a standardized document that was initially developed in a program by the Westinghouse Owners' Group (WOG) to provide control room operators with symptom-based technical guidance for response to emergency transients.

The ERGs provide a diagnostic process to direct operator actions based on plant symptoms, and do not require immediate identification of the cause (i.e., the specific initiating event) of the symptoms to determine the required actions. The recovery actions identified in the standardized ERGs for Westinghouse PWRs are based on satisfying the six CSFs listed in subsection 1.4.1.

The detailed plant EOPs that provide step-by-step actions for use by the control room operators in the plant will be developed using the high-level functional guidelines provided in the ERGs. The ERGs provide the technical basis for development of the EOPs.

This document is used in the functional requirements analysis and the function allocation process since it provides the specific operator actions required to support the recovery guidelines, following a plant transient, and the function restoration guidelines (including both verification activities and control actions) that maintain the success paths for the CSFs.

AP600 ERG Development

The AP600 ERGs were developed using the System / Event Matrix document as the plant response design basis and following the standardized process for ERG development for Westinghouse PWRs. The design approach described in the System / Event Matrix document organizes the identified safety-related and nonsafety-related SSCs into the appropriate groups that perform the four safety-related design functions. In the AP600 ERGs, the same groups of safety-related and nonsafety-related SSCs in the System / Event Matrix are used to perform their basic design functions. But they are organized somewhat differently from the System / Event Matrix to support development of symptom-based functional guidelines that can be used more effectively by the operators.

The four safety-related functions (listed in subsection 1.5.1) from the System / Event Matrix document are now replaced by six equivalent CSFs (listed in subsection 1.4) for use in the ERGs. This can be seen by studying the tables provided later in this report to support the AP600 function allocation process, and comparing them to the tables and flow charts in the System / Event Matrix document.

The relation between the System / Event Matrix and the ERG development is also discussed in the ERG background document, which also includes the specific System / Event Matrix flow diagrams for the various events in the background document introduction.

Consolidation of At-Power and Shutdown ERG CSFs

The AP600 ERGs are arranged to provide two sets of CSF status trees and two sets of CSF restoration guidelines for the operators - one for use following events initiated from at-power conditions and one for use following events initiated from shutdown conditions. This helps to simplify and improve operator response following an event. The six CSFs listed in subsection 1.4 form the basis for both sets of guidelines.

These CSF success paths in the ERGs were developed from one common list of success paths for events (both at-power and shutdown) that was provided in the System / Event Matrix document. The System / Event Matrix flow diagrams were split into two groups (at-power and shutdown) to support the ERG development.

This report uses the ERG success paths from a consolidation of the two sets of ERG guidelines for each CSF. This consolidation simply adds the SSCs in the success path for each shutdown CSF to the SSCs in the success path for the same at-power CSF. This approach greatly simplifies the number of cases that must be displayed, since in many cases, the same success paths are used to satisfy the same CSF for events from both conditions. For example, accumulator injection is part of the success path following partial RCS depressurization for at-power events or for shutdown events initiated at reduced RCS pressures.

Tables 2, 3, 4, and 5 support the functional requirements analysis and the function allocation process described in this report, and include success paths that are applicable to at-power events only, both at-power and shutdown events, and shutdown events only. Those specific success paths that apply only during shutdown conditions (such as when the reactor vessel head is removed and the refueling cavity is flooded up) are identified with the word "shutdown" in parentheses after the list of the SSCs in the success path. The shutdown SSCs are listed last in the success paths provided in each table.

1.5.3 AP600 Emergency Response Guidelines Background Document (Reference 7)

The AP600 ERG Background Documents provide a brief overview of the ERG development and explanations of specific actions included in the ERG functional guidelines. The background document provides a comprehensive discussion of the actions taken by the operators including the purpose of the actions, the basis for actions taken, and the instrumentation, controls, and equipment used by the operators to accomplish the specific actions.

This document is used in the functional requirements analysis and the function allocation process since it provides the required background information to understand the basis for the accident mitigation actions identified in the ERGS.

1.5.4 AP600 Standard Safety Analysis Report (Reference 12)

The safety-related and nonsafety-related SSCs that are included in the CSF success paths discussed in this evaluation are described in the appropriate sections throughout the AP600 Standard Safety Analysis Report (SSAR). The AP600 SSAR provides four important categories of design information that are helpful in understanding the function allocation process addressed in this evaluation. The individual SSAR sections describe this information for each system included in the CSF success path:

  • The design basis for the system
  • The individual components within each system
  • The operation of each system, including accident mitigation response
  • The associated I&C


For example, the safety-related passive core cooling system (PXS) is described in subsection 6.3 of the SSAR and the nonsafety-related, defense-in-depth chemical and volume control system (CVS) is described in subsection 9.3.6 of the SSAR.

Chapter 7 of the SSAR provides the following information related to the I&C systems, which was used to support the function allocation process:

The design of the safety-related PMS that is used to actuate and control safety-related SSCs, and the design of the nonsafety-related PLS that is used to actuate and control the nonsafety-related SSCs, are described in subsection 7.1 of the SSAR.

The safety-related reactor trip functions of the PMS are described in subsection 7.2 of the SSAR, which also references functional diagrams for each of the reactor trip functions and other related plant functions included in the function allocation process. These same trip functions are credited in the safety analyses, as described in Chapter 15 of the SSAR.

The PMS actuation functions for the safety-related engineered safety features SSCs in the various CSF success paths are described in subsection 7.3 of the SSAR, which also references functional diagrams for each of the engineered safeguards functions included in the function allocation process. These same engineered safeguards functions are credited in the safety analyses, as described in Chapter 15 of the SSAR.

The instrumentation used by the operator to monitor the operation of the various plant SSCs in the CSF success paths for the various events is described in subsection 7.5 of the SSAR.

The safety-related PMS control systems and the nonsafety-related PLS control systems are described in subsection 7.7 of the SSAR. These control functions are addressed in the function allocation process and are considered in the safety analyses, as described in Chapter 15 of the SSAR.

Chapter 8 of the SSAR provides a description of the electrical power systems that are used to provide normal and emergency power for operation of the various SSCs in the CSF success paths. Chapter 8 also describes the normal and emergency electrical power sources for the I&C systems that are used to actuate and control the various SSCs in the CSF success paths.

Chapter 15 of the SSAR provides the accident analyses that confirm the design basis for the AP600. These safety analyses incorporate the appropriate automatic and manual actuation that results from the function allocations specified for each of the SSCs in the various CSF success paths and confirm that the design basis for the plant is met. The safety analyses can be used to support the function allocation process, for example, by identifying automatic actuation and control functions that may be necessary. The safety analyses completed to support Chapter 15 provide conservative and bounding design basis analyses that assume the most limiting single failures of various components, including failures of the nonsafety-related control systems.

Chapter 18 of the SSAR describes the overall human factors engineering (HFE) process that was included as part of the AP600 design process.

This document is used for the functional requirements analysis and the function allocation process since it is one of the sources of specific design information for the various plant SSCs, including information related to SSC actuation and control. The SSAR also provides the design basis analyses to confirm the accident mitigation capabilities of the various SSCs and a description of the overall HFE process.

1.5.5 AP600 Probabilistic Risk Assessment (Reference 8)

The AP600 design certification application includes a PRA that provides an evaluation of the design, including the plant, containment, and typical site analyses for both internal and external events, and for both at-power and shutdown plant conditions. The PRA modeled and evaluated various accident prevention and mitigation systems in achieving the required safety-related functions identified in the System / Event Matrix document and the ERGS. The major PRA activities included modeling and analysis of specific safety-related and nonsafety-related systems (including associated automatic and manual actuation and control) that provide accident mitigation support, human reliability analysis, common-cause failure analysis, severe accident analysis, and other related accident phenomena analysis.

The analyses completed as part of the PRA provide more realistic evaluations of the plant success path response than the conservative SSAR Chapter 15 safety analyses. The PRA uses best-estimate analyses that consider a comprehensive range of credible component failures, with component failure data compiled from operating plant component performance data. The PRA also includes the effects of common-mode failures of similar components.

The PRA is used in the functional requirements analysis and the function allocation process since it is one of the basis documents that evaluates plant accident response. The PRA was also used to identify the need for, and evaluate the success of, manual and automatic actuation and control for various SSCs that are used in the CSF success paths.


1.5.6 WCAP-13856, AP600 Implementation of the Regulatory Treatment of Nonsafety-Related Systems Process (Reference 13)

This report summarizes the evaluation performed to determine the significant nonsafety-related SSCs for the AP600 and the appropriate additional regulatory oversight associated with these SSCs. The evaluation considers the impact of a range of important accident mitigation issues related to the nonsafety-related systems for both at-power and shutdown events.

This report is used in the functional requirements analysis and the function allocation process. It systematically considers nonsafety-related systems, evaluates them against ten important probabilistic and deterministic criteria related to accident mitigation, and helps to identify the most important nonsafety-related systems.

1.5.7 WCAP-14477, The AP600 Adverse Systems Interactions Evaluation Report (Reference 10)

This report provides a systematic approach to evaluate systems interactions and their impact on plant safety. The report summarizes the various interactions between safety-related systems and other safety-related systems and between safety-related systems and nonsafety-related systems. The report also describes how these interactions have been considered in the analyses and evaluations presented in the AP600 SSAR and the AP600 PRA. Insights for both the AP600 ERGS and the M-MIS design were identified in this report to preclude potential operator errors that could result in unintended adverse interactions and that could lead to degradation of the plant safety during an accident.

This report is used in the functional requirements analysis and the function allocation process since it discusses and evaluates the interactions between the various systems that must potentially be considered as part of operator event mitigation actions.

1.5.8 AP600 Shutdown Evaluation Report (Reference 14)

This report provides a comprehensive evaluation of the AP600 plant safety during shutdown modes. It describes features of the AP600 design that address issues of shutdown risk and provides an evaluation of these features with respect to their ability to reduce this risk and mitigate the consequences of events initiated from shutdown conditions. The report provides descriptions of the AP600 SSCs that are designed to operate during shutdown modes and discusses their shutdown operations. It also includes an evaluation for the range of credible events that can initiate during shutdown conditions and provides an overview of the shutdown risk assessment included in the AP600 PRA.


This report is used in the functional requirements analysis and the function allocation process since it discusses and evaluates the CSF success paths and the associated accident mitigation response, specifically for events initiated during shutdown conditions.


2.0 AP600 FUNCTIONAL REQUIREMENTS ANALYSIS

According to Element 3 of NUREG-0711, functional requirements analysis is the identification of those functions that must be performed to satisfy plant safety objectives, that is, to prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public.

NUREG-0711 states that:

"Functional requirements analysis is conducted to (1) determine the objectives, performance requirements, and constraints of the design; (2) define the functions that must be accomplished to meet the objectives and required performance; (3) define the relationships between functions and plant processes (e.g., plant configurations or success paths) responsible for performing the functions; (4) provide a framework for understanding the role of controllers (whether personnel or system) for controlling plant processes." (pg. 4-1)

This section describes the Westinghouse approach to functional requirements analysis and presents results for AP600 safety functions.

2.1 Description of Methodology

Following the basis provided in NUREG-0711, a functional requirements analysis begins with identification of safety functions required to prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public. For each safety function, the set of plant processes (plant system configurations or success paths) that are responsible for or capable of carrying out the function needs to be clearly defined.

In the case of the AP600, the CSFs are the safety functions required to prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public. For each CSF, the success paths that are capable of carrying out the CSF have been defined.

Functional requirements analysis is performed by system designers in support of plant system design and function allocation. This section describes the methodology used by Westinghouse to document the success paths that support CSFs for the AP600 plant.

Section 2.2 documents the results of the functional requirements analysis for the AP600 CSFs.

A related functional requirements activity is conducted by the M-MIS design group in support of FBTA and display design. Section 18.5 of the AP600 SSAR describes the goal-means decomposition of plant functions that is conducted as part of the M-MIS design process. The goal-means decomposition is developed by M-MIS designers as a way to represent plant functions as input to FBTAs and M-MIS design activities. The goal-means decomposition of plant functions contains two major branches that correspond to the two major goals of the plant: (1) generate electricity and (2) prevent radiation release. The AP600 CSFs correspond to high-level nodes under the "Prevent Radiation Release" branch. The goal-means decomposition is derived from system design documents and, as such, is consistent with the functional requirements analysis of CSFs presented here.

The functional requirements analysis presented in subsection 2.2 specifies the AP600 success paths involved in CSFs for the AP600 plant. It also provides a comparison between the AP600 success paths and the success paths involved in CSFs for the generic Westinghouse PWR plant, which serves as the reference plant. The comparison with the reference plant enables differences in the SSCs involved in the success paths for the AP600 plant and a typical current Westinghouse PWR plant to be identified.

2.1.1 AP600 CSFs (Table 1)

As discussed in subsection 1.4, Table 1 provides an overview of the AP600 CSFs that form the basis for the approach used for the functional requirements analysis and the function allocation process. The table summarizes the purpose of each CSF and also identifies the primary plant parameters monitored in the associated ERG status tree for each CSF. This reinforces the specific focus of each CSF.

Additional information on each CSF and its associated ERG status tree and function restoration guidelines is provided in the AP600 ERGS (Ref. 6) and the ERG Background Document (Ref. 7). As noted earlier, the AP600 CSFs are the same as the CSFs for the reference plant. Table 1 also shows the correlation between the six CSFs in the AP600 ERGS and the four associated design basis safety functions identified in the AP600 System / Event Matrix document. This demonstrates the consistency of the AP600 ERGS with the design basis for the plant.

As discussed in subsection 1.5, the success paths for the ERG CSFs are based on the design basis success paths identified in the System / Event Matrix document. The ERGS were developed to address the design basis safety functions for events initiated from both at-power and shutdown conditions.

2.1.2 AP600 CSF Success Paths (Table 2)

For each AP600 CSF identified in Table 1, there are multiple success paths to accomplish the safety function. As discussed in subsection 1.4, a success path for a CSF is a specific combination of safety-related and nonsafety-related, defense-in-depth SSCs that are capable of accomplishing that particular CSF.


The overall goal of the defense-in-depth philosophy for the AP600 design is to provide multiple, diverse success paths that provide alternative means to accomplish each CSF. Each AP600 CSF has several safety-related success paths, and additional success paths are provided by nonsafety-related, defense-in-depth SSCs. Individual success paths may have further redundancy as well.

Table 2 provides a list of the AP600 success paths for each CSF and a high-level functional comparison of the major success paths for the AP600 and a generic Westinghouse PWR plant that serves as the reference plant. For each CSF, Table 2 lists the safety-related SSCs in the success path for that CSF and compares them to the safety-related SSCs in the same success path for the generic reference Westinghouse PWR plant. Table 2 also provides this same comparison for the nonsafety-related SSCs in the success paths for the CSF. The table organization, based on the six AP600 CSFs, is similar to the structure that is used in the subsequent tables that support the functional requirements analysis and the function allocation process.

Table 2 was compiled using the success paths identified in both the AP600 ERGS and the System / Event Matrix document.

The SSCs identified in Table 2 for the CSF Integrity are treated somewhat differently from the perspective of actuation, control, and operator actions than the SSCs for other CSFs. The CSFs other than Integrity are successful when the SSCs actuate and perform their specified functions. For example, core cooling is successful when the passive residual heat removal (PRHR) heat exchanger and other safety-related and nonsafety-related SSCs that provide core cooling actuate. The CSF restoration guidelines direct the operators to confirm satisfactory operation of the required SSCs or to take actions to initiate operation of required SSCs that have failed to start.

Similarly, the CSF Integrity is satisfied when the identified SSCs in the success path successfully actuate and are successfully controlled during their operation. However, challenges to Integrity occur when the required SSCs either actuate when not required, or when they successfully actuate and a control malfunction subsequently occurs. The AP600 design provides safety-related design basis protection. But beyond-design-basis malfunctions of the actuation or control functions for the identified SSCs in the success paths cause either overcooling (such as excessive steam flow through the turbine bypass valves) or overpressurization (excessive RCS makeup flow from the CVS makeup pumps). Therefore, to mitigate the consequences of these failures, most of the actions in the function restoration guidelines for Integrity direct the operator to respond in an opposite fashion from that of the other CSFs - to identify the malfunctioning SSCs that are operating in an unacceptable manner and to manually control or isolate the SSC, as appropriate.


2.1.3 Comparison of CSF Success Paths Between AP600 and Generic Westinghouse PWR Reference Plant (Table 3)

Once the AP600 CSF success paths are identified, the next step in the functional requirements analysis is to identify where the AP600 success paths are different from the success paths for the generic Westinghouse PWR plant, which serves as the reference plant.

For the purposes of the function allocation process for this evaluation, differences are identified only where they are operationally significant to the system and its function allocation.

For success paths that are unchanged from the reference plant, operating experience from existing plants becomes an important source of input for establishing the technical basis and rationale for the functional requirements and the function allocations.

Table 3 summarizes the results of a comparison of the success paths for AP600 and the generic Westinghouse PWR reference plant. The SSCs for the AP600 success paths for each CSF in Table 2 are listed in Table 3. For each success path, the results of the comparison of the AP600 success path with the corresponding success path (if any) for the reference plant are characterized in Table 3, using the following three categories to describe the differences:

  • Unchanged
  • Modified
  • New

Two aspects are considered in determining whether an AP600 success path is unchanged, modified, or new. The first aspect relates to the overall system design configuration or system arrangement. This is represented in Table 3 by the letter "D" for "design." The second aspect relates to whether there are any differences in person-machine function allocation. The set of SSCs associated with an AP600 success path may be the same as for the generic Westinghouse PWR reference plant, but there may be changes in the level of automation. This second aspect of the comparison between the AP600 success paths and the corresponding success paths for the reference plant is represented in Table 3 by the letter "A" for "allocation." As a result, each success path in Table 3 includes two entries, "D" and "A." Each of these entries is placed in one of three columns that correspond to the three categories: unchanged, modified, and new.

The notes in the last column of Table 3 provide a brief summary description where there are differences between the AP600 and the reference plant for the SSCs in the various success paths.


The three categories used in Table 3 to describe the differences that exist, if any, between the AP600 success path and the corresponding success path for the reference plant, are defined as follows:

Unchanged

This category is selected for an AP600 success path where there are no operationally significant changes in either the SSC design or function allocation from the equivalent success path in current plants.

AP600 SSCs that normally operate to support power generation and can be used for accident mitigation such as main feedwater, RCS pressure control (pressurizer heaters and spray), and steam generator water level control are functionally and operationally equivalent to current plants, and their design is categorized as unchanged. This is consistent with the treatment for typical Westinghouse plants where there may be some slight differences in the exact pump designs or the number of specific valves, but these differences do not represent operationally significant differences. For these systems, the function allocation would also be categorized as unchanged.

There are no significant operational differences for nonsafety-related, defense-in-depth systems such as component cooling water or service water between current plants and AP600. Therefore, both their design and function allocation would be categorized as unchanged. For the component cooling water system and many other nonsafety-related, defense-in-depth systems, the primary difference between current plants and AP600 is that the piping and component classification is nonsafety-related instead of safety-related. The system operation is essentially identical, since the component classification changes do not affect design or automation.

The accumulators are a passive safety injection subsystem that is identical to the configuration in current plants, and both their design and function allocation would be categorized as unchanged.

Modified

This category is selected for an AP600 success path where either the SSC design or its function allocation may be similar to the success path operation in typical Westinghouse PWRs, but where there are also some significant operational differences that must be considered for the functional requirements analysis.

Although the high-level functions of the nonsafety-related CVS are essentially the same for the AP600 and for current plants (RCS purification, makeup, boration, letdown, etc.), the elimination of the reactor coolant pump seals results in only intermittent automatic makeup and manual letdown operations.

Both AP600 and current plants do maintain continuous purification, and the purification components are similar (ion exchangers, filters, control valves, etc.), but the AP600 purification loop is designed for higher system pressure. Therefore, both the design and function allocation for this system are categorized as modified.

The design of the AP600 startup feedwater system would be categorized as unchanged since it is functionally similar to current plants. However, the function allocation is categorized as modified since the AP600 startup feedwater flow control valves are automatically controlled to reduce post-accident operator workload. In current plants, the equivalent auxiliary feedwater flow control valves actuate to a fully-open position on system startup. They must be manually throttled by the operators to reduce total feedwater flow soon after system actuation to prevent steam generator overfill and RCS overcooling. This is required early in an event, when there are many conflicting demands on the operator.

New

This category is selected for an AP600 success path that may have a functional equivalent in current plants, but where a new system design feature is employed to perform specific functions in mitigating the consequences of an event. For example, the CMTs employ passive processes to provide high-pressure injection that is provided by high-head safety injection pumps in current plants.

The AP600 design includes passive core cooling and containment cooling systems that include new design features and, therefore, new function allocations for the associated components. Many of the actuation signals for the AP600 are similar or identical to the actuation of the functionally equivalent systems on a typical Westinghouse plant.

The differences in engineered safety feature (ESF) design for the AP600 are primarily due to the following five new passive, safety-related SSCs included in the Table 3 success paths:

  • The PRHR heat exchanger functions to transfer core decay heat from the RCS to the in-containment refueling water storage tank (IRWST).

  • The CMTs function to provide high-pressure gravity injection at the existing RCS pressure and initiate automatic depressurization when the contained CMT inventory decreases and the other passive safety injection sources are needed.

  • The IRWST functions to provide a heat sink for the PRHR heat exchanger following PRHR actuation and a gravity injection source once the RCS has been depressurized. The IRWST performs similar functions to the refueling water storage tank (RWST) in current plants, except that the IRWST is now located at a high elevation inside the containment to provide gravity injection.

  • The automatic depressurization system (ADS) functions to automatically depressurize the RCS when the CMTs begin to empty and a transition to the other passive safety injection sources is required.

  • The passive containment cooling system (PCS) functions to remove heat from containment (by convective and evaporative heat transfer) through gravity drain of water over the outside of the containment shell.

2.2 Results

Table 1 provides an overview of the Westinghouse ERG CSFs that form the basis for the AP600 function allocation. The table shows that there is overlap and consistency between the AP600 design basis safety functions provided in the System / Event Matrix and the ERGS.

The ERGS are used to develop the symptom-based EOPs for use by the plant operators.

Table 2 provides a comparison of AP600 and reference plant success paths. The table shows the improved defense-in-depth capabilities that have been incorporated into the AP600 through the use of the safety-related, passive systems. The function allocation process must address each of the AP600 SSCs listed in this table.

Table 3 provides a comparison of the design and function allocation differences between AP600 and the reference plant for each SSC in the CSF success paths. The table shows that most of the differences that exist are related to one of the following four considerations:

  • The use of safety-related, passive systems for safety injection and decay heat removal
  • The use of advanced, digital I&C systems
  • Automation of SSC actuation and control functions that help to reduce operator workload during critical periods following an event
  • Recommended design improvements (from operating plant experience, the AP600 PRA, etc.) that help to improve overall plant safety

2.3 Verification and Updating of Functional Requirements Analysis

A number of activities are conducted to verify the adequacy of the functional requirements analysis specifying the functions, systems, and processes involved in maintaining CSFs. The design basis safety analysis presented in Chapter 15 of the SSAR establishes the adequacy of the functions, systems, and processes for design basis events. PRA analyses provide further verification of the adequacy of the description of functions, systems, and processes involved in maintaining CSFs for beyond-design-basis events. In addition, the FBTAs that are performed by the M-MIS group as part of task analysis activities provide verification that the set of sensors and controls that have been specified by system designers is sufficient to support operators in performing the role they have been assigned in system function.

Mechanisms are available within the AP600 design process for updating the functional requirements analysis as the design proceeds. The process by which design changes are proposed, evaluated, tracked, and implemented is described in the AP600 Simplified Passive Advanced Light Water Reactor Plant Program, Program Operating Procedures (WCAP-12601, Ref. 19).


3.0 AP600 INITIAL FUNCTION ALLOCATION

Function allocation involves the analysis of the requirements for plant control and the assignment of control functions to one of the following:

  • Personnel (i.e., manual control)
  • System elements (i.e., automatic I&C systems and passive, self-controlling phenomena)
  • Combinations of personnel and system elements (e.g., shared control using automatic systems with manual backup)

The goal of function allocation is to maximize overall plant safety and reliability by exploiting the strengths of personnel and system elements, including improvements that can be achieved through assignment of overlapping and redundant responsibilities.

This section describes the Westinghouse methodology for initial function allocation of the AP600 CSFs and presents the results. The results include documentation of the rationale for function allocations for AP600 CSFs.

3.1 Methodology for Function Allocation

A review of the literature, including references cited in NUREG-0711, revealed no single standard or accepted function allocation methodology, either in the general HFE literature or in nuclear power industry-specific documents. Instead, there are a number of proposed approaches to function allocation, many of which share a similar philosophy.

3.1.1 The General Approach to Function Allocation

The general approach to function allocation can be captured by the following:

1. Identify the functions that need to be allocated
2. Allocate as best as possible using a set of guidelines and heuristics
3. Document and justify the reasons for allocation
4. Test the allocation and fix the problems through iterative design-and-test cycles

The primary example of this approach is found in NUREG/CR-3331. The approach outlined there begins with a specification of system functions. It then identifies the desired role of the human operator. The allocation, however, is also driven by justifications for automating functions. In fact, this allocation algorithm starts with the following sequence:

  • Identify functions for which automation is mandatory
  • Identify functions for which human performance is mandatory

For each function, a list of possible reasons is offered as to why the allocation should be mandatory. The process considers the feasibility of the allocation, such as cost, capabilities, technology, schedule, etc. Not all functions will receive a mandatory allocation. Therefore, the function allocation in subsequent steps of the process is assigned based on weaker allocation criteria. The analyst must then identify reasons why an allocation would be clearly preferable. This decision is split into two steps:

  • Identify functions for which automation is strongly preferred
  • Identify functions for which human performance is strongly preferred

The first two allocation decision sequences should identify functions for which strong evidence supports a specific allocation. Remaining are functions that might be tailored to work either way, as automated or assigned to human performance. For these functions, a series of guidelines is used to determine which allocation best suits that function. These guidelines, which are perhaps better labelled heuristics, primarily concern performance requirements and relevant capabilities of humans and automation. There are a number of "tables of relative merit" (e.g., Fitts, 1951, Ref. 15) that are used to match task characteristics with strengths of humans and machines. The common form of these tables is one list of task characteristics for which humans have superior capabilities and one list of task characteristics for which automation has superior capabilities.

Further, during this phased allocation process, there is an option to break a function into smaller segments (individual tasks or processes) that better lend themselves to allocation. That is, a single function, as initially defined, may have a mix of performance characteristics that make it difficult to allocate one way or the other. In this case, the analyst is asked to redefine the function to identify smaller segments that are more easily allocated.

When this allocation process is complete, that is, after all functions have been given an initial assignment to either automation or human performance, a set of more in-depth questions must be answered having to do with ensuring that the allocations can truly be supported in the system design. For example, for functions that will be assigned to automation, there is a need to determine the extent to which the human operator will have the capability for manual backup or to be aware of the activities of the automated process.

The allocation process, therefore, allows one to make initial assignments and to identify related groups of tasks assigned to humans and automation. However, because there is a strong dynamic component to task performance, it is necessary to evaluate the initial assignments in the context of actual performance (typically in a simulated control room). Therefore, the design needs to remain open to the possibility for re-allocation, depending on the outcome of design tests. Especially important are issues of appropriate operator workload, which are best assessed in a dynamic simulation.

A recent International Atomic Energy Agency (IAEA) document (IAEA-TECDOC-668) lays out an allocation process with the same form, although there are fewer details regarding the criteria for each allocation decision. A recent analysis of the System 80+ by ABB/Combustion Engineering (Reference 23) borrows heavily from the NUREG/CR-3331 method.

This general approach will be exploited for function allocation. The specific AP600 methodology begins with the core of the NUREG/CR-3331 process. The specifics of the approach are described in the next section.

3.1.2 Westinghouse Function Allocation Process

Figure 1 shows the flow diagram that represents the AP600 approach to function allocation. (Note that this diagram shows the flow through the process. The specific checklist items contained in each box are shown in Table 6.) This diagram borrows heavily from the NUREG/CR-3331 process.

The initial question is "Is automation mandatory?" (box 1). This set of checklist items asks the analyst to determine whether there is a requirement to allocate the function to automation. The first two items assess whether there are conditions that prohibit the involvement of humans (hostile conditions, or tasks that are impossible for humans to conduct). The third item is used to reveal regulatory or industry requirements that might remove the option for human operator control. A variety of regulatory and industry requirements and guidelines must be considered. Some of these requirements and guidelines are specifically related to HFE activities, while others indirectly affect the function allocation through the impact on the design of specific plant systems and the associated system actuation and control requirements. The following are various regulatory and industry documents that are considered in the function allocation process described in this report:

Part 50 of the Code of Federal Regulations

From a regulatory perspective, the overall nuclear power plant design is controlled through the licensing requirements specified in Part 50 of Title 10 of the Code of Federal Regulations (10 CFR 50), and this document forms the basis for many of the design requirements, including those that directly or indirectly affect function allocation. Appendix A of 10 CFR 50 provides the General Design Criteria (GDC) for nuclear power plants, which contain high-level design requirements that must be met as part of the plant licensing basis. There are 55 GDCs that include the following requirements:

• Overall requirements
• Protection by Multiple Fission Product Barriers
• Protection and Reactivity Control Systems
• Fluid Systems
• Reactor Containment
• Fuel and Reactivity Control

Some of these GDCs contain design requirements directly related to automation of actuation and control functions. GDC 20 (Protection System Functions) is one of the more important for function allocation. It contains generic GDC requirements for the automatic actuation of protective functions for the appropriate systems and components that are important to safety, including the reactivity control system. There are other GDCs that also address automatic actuation and control related to various SSCs, including instrumentation, electrical power, main control room habitation, reactivity control, emergency cooling, containment penetrations, and radioactive ventilation discharge.

In addition, the CFR contains other groups of miscellaneous design requirements that may directly or indirectly affect function allocation. These include the TMI-related requirements provided in 10 CFR 50.34(f) and special requirements for some individual safety issues such as Anticipated Transient Without Scram (ATWS) in 10 CFR 50.62 and loss of all alternating current (station blackout) in 10 CFR 50.63.

These general criteria are supplemented by more specific and detailed design criteria that are contained in other supporting regulatory documents. These other documents are not part of the CFR, but they reference the appropriate Appendix A requirements that the detailed requirements or guidelines are intended to support.

Other Regulatory Documents

The other important groups of regulatory documents that are considered and addressed in both the system design and the function allocation processes include the following:

• Standard Review Plan (NUREG-0800)
• Regulatory Guides
• Generic and Unresolved Safety Issues (NUREG-0933)
• Advanced Light Water Reactor (ALWR) Certification Issues (SECY 93-087)
• Generic Letters and Bulletins

These documents support and reference the high-level requirements in the GDCs. For example, Standard Review Plan (SRP) subsection 6.3 (Emergency Core Cooling System) provides specific design acceptance criteria for the NRC staff reviewers to confirm that, in accordance with the GDC requirements, "the primary mode of actuation for the emergency core cooling system must be automatic, and [that] actuation must be initiated by signals of suitable diversity and redundance." The AP600 PXS is designed with automatic actuation of isolation valves for some components controlled by I&C system signals, and for other components controlled by inherent natural (passive) processes, as described later in this report.

Note that as part of the AP600 design and design certification process, the AP600 design has been systematically and comprehensively assessed against the design requirements in these regulatory documents. Therefore, the AP600 overall design, including the function allocation, comprehensively addresses the requirements and guidelines provided in these regulatory documents. The results of these assessments are provided in either the appropriate sections of the AP600 SSAR or the WCAP reports listed below:

• General Design Criteria: SSAR, subsection 3.1
• Regulatory Guides: SSAR, Appendix 1A
• Generic and Unresolved Safety Issues / Human Factors Issues: SSAR, subsection 1.9.5
• TMI Issues: SSAR, subsection 1.9.5
• ALWR Certification Issues: SSAR, subsection 1.9.5
• Generic Letters and Bulletins: WCAP-13559 (Ref. 22)

One of the important considerations in the specific design criteria for automation of SSC actuation functions is related to the timing of manual operator actions for safety-related SSCs. In addition to the specific function allocation requirements identified in the system design requirements, there are also regulatory and industry efforts to develop appropriate guidelines for automatic function actuation based on establishing a time criterion for safety-related operator actions. Additional information is provided in Unresolved Safety Issue B-17, Criteria for Safety-Related Operator Actions, in NUREG-0933 (Ref. 16) and ANSI/ANS 58.8-1984, Time Response Design Criteria for Nuclear Safety-Related Operator Actions (Ref. 17). These documents discuss the time criterion (10 minutes) to be met by the plant design related to automatic and manual actuation of safety-related SSCs, as confirmed by nuclear safety analyses presented in Chapter 15 of the SSAR.

Industry Design Requirements

In addition to these regulatory requirements, there are industry design requirements that must be considered as part of the AP600 design. The industry design requirements are contained in the EPRI Advanced Light Water Reactor Utility Requirements Document (ALWR URD) for the ALWR Passive Plant (Ref. 2). This document includes both high-level and specific industry design criteria that affect the AP600 plant and system design.

The AP600 design process also includes a comprehensive assessment of the AP600 design against the URD design requirements. The URD design criteria can also affect the AP600 function allocation and, therefore, are considered as part of the process. The URD requirements include two specific design basis requirements (30 minutes and 72 hours) related to operator action times.

Function Allocation

The function allocation flow diagram shows that if any question in box 1 receives a "YES," meaning that it must be allocated to automation, then the next question becomes "Is automation technically feasible?" (box 2). This decision requires an engineering analysis to determine whether issues such as cost, technology, scheduling, or implementation will prohibit the development of automation. If there is no concern, the function is tentatively allocated to automation and control is passed to box 10. If there are concerns about the development of automation, the analyst is asked to redefine the function or rethink the analysis. Often, in this case, segments (individual tasks or processes) of the function can be defined for easier allocation.

If all items in box 1 receive a "NO," the flow diagram passes control to box 3 to ask "Is human performance mandatory?" The first checklist item in this box determines whether it is impossible to develop an adequate automation capability, which would preclude the use of automation and require an allocation to human performance. Note that this item also serves as a check for the feasibility of automation for the remainder of the flow diagram. The other item concerns mandatory allocation to a human operator based on a design requirement or regulation. If there is a "YES" response to either of these items, the next question asked is "Is human performance a feasible solution?" (box 4). This decision requires two judgments. First, are human operators capable of performing the tasks specified? Secondly, the analyst is asked to judge the operator workload to determine whether this allocation to a human operator will exceed a manageable workload.

If the analyst determines that there are no significant concerns about human capabilities or workload, the function is tentatively allocated to human performance and control is passed to box 11. If there are concerns about allocation to a human operator, the analyst is asked to redefine the function or rethink the analysis. Often, in this case, segments (individual tasks, processes) of the function can be defined for easier allocation.

If there is a determination in box 3 that an allocation to human performance is not mandatory, the second phase of assessment begins; that is, the assessment moves from a mandatory allocation to an allocation that is preferred. As before, allocation to automation is tested first. Thus, the next question (box 5) is "Is automation clearly preferable to human operators?" The first checklist item found here focuses on whether automation technology can be implemented effectively. The second item is concerned with different types of analysis that indicate that an allocation to automation would clearly be preferred.

Westinghouse identified four possible reasons why automation would be preferred at this point. First, automation could be important, based on operating experience from predecessor plants. An analysis of operating experience may reveal that either the function was automated and this allocation worked well, or that the function was allocated to human performance and there were documented problems with this allocation.

Second, the PRA analysis may show that although automation is not mandatory, it can provide a benefit to plant safety for specific event sequences. For example, following a loss of core cooling during reduced RCS inventory conditions (mid-loop operations), although the operator has sufficient time to mitigate this event, credit for operator action has a very small PRA benefit and automatic actuation of IRWST injection provides a more significant benefit. Another example is the addition of backup, safety-related heat removal functions through automatic actuation of the CMT. Although manual feed and bleed operation of the RCS is also modeled in the PRA, the automatic CMT actuation, using diverse actuation from the PRHR actuation signals, provides a more significant PRA benefit than the manual feed and bleed process. Therefore, this design feature was implemented in the AP600 design as safety-related, defense-in-depth protection in the event of beyond-design-basis failures of the PRHR System/Event.

Third, the plant design may include passive design features that actuate on inherent, passively controlled actuation and therefore preclude human performance. For example, actuation and control of accumulator injection depend on the pressure differential between the RCS and the accumulator following an event, and are independent of manual actuation or control.

Fourth, there is a judgment about the likelihood of operator overload if an SSC is not automated. When there is a high likelihood of overload, the allocation to automation is strongly preferred. For example, the startup feedwater flow control valves have been automated in AP600 so that steam generator water level is automatically controlled after system actuation. This is an improvement over current plants where manual actions are required to control feedwater flow shortly after an event initiates, in order to prevent steam generator overfill and/or RCS overcooling. In current plants, these manual actions are required at a time very early in an event, where the potential for operator overload is high. This automation is very beneficial.

These four items are considered to determine whether automation is clearly preferred. Thus, if both checklist items receive a "YES" response, the function is tentatively allocated to automation and control is passed to box 10.

If the response to either checklist item is "NO," control is passed to box 6, which asks, "Is human performance clearly preferable to automation?" This box provides an opportunity to identify special reasons that a human operator has significant advantages over automation, such as the need for an operator judgment prior to actuation. If this item receives a "YES," the function is tentatively allocated to human performance, and control is passed to box 11.

If the response to box 6 is "NO," then the analyst probably needs to begin thinking about splitting the function into meaningful segments that can be more easily allocated. That is, if there is no strong reason to allocate the whole function to either automation or human performance, there may be a need to evaluate meaningful segments of the function to determine if there are segments that are better suited to one or the other.

Control is initially passed to box 7, which asks "Is the segment a suitable candidate for automation?" The checklist items found in box 7 provide the analyst with a set of criteria that suggest the value of allocating to automation. Thus, if any of these criteria are met (i.e., a "YES" response), the segment (and perhaps the bulk of the function) is tentatively allocated to automation. If none of the criteria is met (i.e., all "NO" responses), then control is passed to box 8.

Box 8 asks, "Is the segment suitable for human operator performance?" As with box 7, this box provides a set of checklist items that suggest the value of allocating to a human operator. The first item is a general one that should lead the analyst back to a "table of relative merit" listing, such as the one found in Fitts (1951). The analyst can use this type of list to determine whether there are specific capabilities that are more characteristic of humans and are needed to perform the designated function. If the analyst identifies some aspect of performance from this list, the segment (and perhaps the bulk of the function) is tentatively allocated to human performance. If one of the criteria is met (i.e., any "NO" response), then control is passed to box 9.

Box 9 provides a final opportunity to allocate, after all compelling reasons to allocate one way or the other have been reviewed and dismissed. This box allows the analyst to consider items such as cost and operator preference. Again, any allocations that occur at this late stage in the process are likely to apply to parts of functions instead of entire functions as initially defined. This is also the last opportunity to split a function into meaningful segments if this option had not been selected in previous steps of the process.

Thus, through this phased process, all functions (or function segments) should be allocated to either automation or to human performance. It is insufficient to stop at this point and test the allocations in a dynamic simulation. Instead, the analyst needs to consider how the allocations will be integrated into the larger design. Thus, box 10 asks the analyst to revisit the functions allocated to automation and determine the role of the human operator, which needs to be coordinated with the automated processes. Similarly, box 11 asks the analyst to consider how human performance needs to be supported by the control room interface and coordinated with automated systems.

The flow diagram can be used to make allocations to automation. The process can also be specified so as to identify all decision paths that lead to an automation allocation and that apply to AP600. From all of the possible allocation decision paths that exist in the flow diagram, the following eight paths to an allocation to automation were used as part of the AP600 function allocation process. (Following each is the path through the flow diagram. The numbers identify the questions that receive "YES" responses):

A1. The operator is not able to perform the required task due to human limitations. (1b,2,10)
A2. Automation is necessary due to regulatory design requirements. (1c,2,10)
A3. Automation is necessary due to utility design requirements. (1c,2,10)
A4. Automation provides a safety benefit as identified in the FRA. (5a,5b(2),10)
A5. Automation is preferred based on operating experience. (5a,5b(1),10)
A6. Automation is preferred due to concerns for operator overload. (5a,5b(4),10)
A7. Automation is inherent in the passive design. (5a,5b(3),10)
A8. Tasks are not well suited to human performance and are better suited to automation. (7a-f,10)

These eight items are used to specify the basis for the automation allocation provided in the function allocation basis column of Table 5. If none of these criteria is met, there would be an allocation to human performance. As shown here, each specification is equivalent to a path through the flow diagram.

The flow diagram can also be used to make allocations to human performance. The process can be specified so as to identify all decision paths that lead to a human performance allocation and that apply to AP600. The following are the possible paths to an allocation to human performance. (Following each is the path through the flow diagram. The numbers identify the questions that receive "YES" responses):

M1. Human performance is required because automation is not technically feasible. (3a,4,11)
M2. Human performance is required by design recommendations or requirements. (3b,4,11)
M3. Human performance is preferred because of consideration of safety requirements, task complexity, cost/benefit considerations to implement automation, and the value of human judgement. (6a,11)

These items are used to specify the basis for human performance allocation provided in the function allocation basis column of Table 5. As shown here, each specification is equivalent to a path through the flow diagram.
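As an added worked example (not part of the report and not Westinghouse code), the following Python walks the flow diagram of Figure 1 using the box and item labels that appear in the A and M path notation above, returning the allocation, its basis code and the path of "YES" answers. The checklist keys are an assumption made for the example: item 1c is split into "1c-reg" (A2) and "1c-util" (A3) because the report gives both the same path, box 8 is reduced to a single item "8a", box 2 and box 4 answer True when no feasibility concern exists, and the box 9 answer is the string "automation" or "human"; anything missing from the dictionary counts as "NO".

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Display labels used in the report's path notation, e.g. (5a,5b(2),10).
# "1c-reg"/"1c-util" are this example's split of item 1c (an assumption).
_LABEL = {"1c-reg": "1c", "1c-util": "1c",
          "5b1": "5b(1)", "5b2": "5b(2)", "5b3": "5b(3)", "5b4": "5b(4)"}

# Box 5b reasons in the order the text lists them: operating experience (A5),
# PRA safety benefit (A4), passive design (A7), operator overload (A6).
_BOX5B = (("5b1", "A5"), ("5b2", "A4"), ("5b3", "A7"), ("5b4", "A6"))


@dataclass(frozen=True)
class Allocation:
    target: str             # "automation", "human" or "redefine"
    basis: Optional[str]    # A1..A8, M1..M3, or None when the report lists no code
    path: Tuple[str, ...]   # boxes/items that received "YES", in flow order


def _yes(answers: Dict[str, object], item: str) -> bool:
    return bool(answers.get(item, False))


def _path(*items: str) -> Tuple[str, ...]:
    return tuple(_LABEL.get(i, i) for i in items)


def allocate(answers: Dict[str, object]) -> Allocation:
    """Walk boxes 1 to 11 and return the tentative allocation for one function."""
    # Box 1: is automation mandatory?  1a hostile conditions (a diagram path the
    # report does not list among the eight used for AP600), 1b human limitations,
    # 1c regulatory (A2) or utility (A3) design requirement.
    for item, basis in (("1a", None), ("1b", "A1"), ("1c-reg", "A2"), ("1c-util", "A3")):
        if _yes(answers, item):
            if _yes(answers, "2"):        # box 2: automation technically feasible?
                return Allocation("automation", basis, _path(item, "2", "10"))
            return Allocation("redefine", None, _path(item))   # redefine the function

    # Box 3: is human performance mandatory?  3a automation not feasible (M1),
    # 3b required by design recommendation or requirement (M2).
    for item, basis in (("3a", "M1"), ("3b", "M2")):
        if _yes(answers, item):
            if _yes(answers, "4"):        # box 4: capability and workload acceptable?
                return Allocation("human", basis, _path(item, "4", "11"))
            return Allocation("redefine", None, _path(item))

    # Box 5: automation clearly preferable?  Both 5a (technology can be
    # implemented effectively) and one of the 5b reasons must be "YES".
    if _yes(answers, "5a"):
        for item, basis in _BOX5B:
            if _yes(answers, item):
                return Allocation("automation", basis, _path("5a", item, "10"))

    # Box 6: human performance clearly preferable (e.g. judgment before actuation)?
    if _yes(answers, "6a"):
        return Allocation("human", "M3", _path("6a", "11"))

    # Boxes 7 to 9 are reached when no strong reason exists for the whole
    # function and normally apply to segments of it.
    hits = tuple(i for i in ("7a", "7b", "7c", "7d", "7e", "7f") if _yes(answers, i))
    if hits:
        return Allocation("automation", "A8", _path(*hits, "10"))
    if _yes(answers, "8a"):               # table-of-relative-merit check
        return Allocation("human", None, _path("8a", "11"))
    choice = answers.get("9")             # cost / operator preference
    if choice in ("automation", "human"):
        return Allocation(choice, None, _path("9", "10" if choice == "automation" else "11"))
    return Allocation("redefine", None, _path("9"))   # split into segments


if __name__ == "__main__":
    # Mid-loop IRWST injection as described above: not mandatory, PRA benefit.
    print(allocate({"5a": True, "5b2": True}))
```

Because box 1 is tested before box 3 and box 5 before box 6, the walk reproduces the report's ordering: mandatory automation is settled first, then mandatory human performance, then the two "clearly preferable" questions, and only then the segment-level boxes.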

3.1.3 Integration of Automation and Operators

Boxes 10 and 11 in the function allocation decision process (Figure 1) are the points at which an initial allocation to automation or to human performance needs to be integrated into the larger design. These boxes, described in the following subsections, present the set of guiding principles embedded within the methodology. That is, after the initial allocations to either automation or human performance, Westinghouse integrates the complementary capabilities according to the principles found here.

3.1.3.1 Guidelines for the Residual Role of the Operator for Functions Allocated to Automation

When a plant function is automated, the designer needs to specify the role that the human operator will play in that function. There are traditional roles for nuclear power plant operations, which are described here and split out into three components: actuation, control, and termination.

Actuation

For automatic actuation, which is the automatic initiation of an SSC, the operator could be assigned any of the following roles.

1. To manually actuate a specific automatic function in a pre-emptive fashion:

This allows the operator to be proactive in maintaining safety during plant operation by manually actuating an SSC if it is recognized that an automatic actuation set point is being approached and mitigation actions are expected to be inadequate to prevent the automatic actuation.

2. To be a back-up for the automatic actuation:

That is, when the actuation criteria are met and the automatic system fails, the human operator has the capability to actuate the system manually.

3. To take the role of a supervisor when an automatic actuation occurs, in determining that the automatic function has actuated completely and is performing appropriately, that is, achieving correct functional and operational goals.

4. To take actions to mitigate the event by maintaining or restoring plant conditions to prevent reaching a condition that requires an automatic actuation:

For example, recovering RCS pressurizer level control by starting CVS makeup pumps can prevent actuation of the CMTs or low-pressure reactor trip due to decreasing pressurizer level. The operator prevents the automatic actuation function by preventing the requisite condition for the automatic actuation rather than by interfering with the actuation function.

It is important to note the roles that operators are not explicitly given for automatic actuation. Operators are not provided with the capability to prevent automatic actuation. Thus, the operator has the capability to provide manual actuation at any time, but does not have the capability to defeat the automatic actuation. The need for automation is based on an inability of the function to be performed manually under all conditions. Therefore, the operator is normally prohibited from being able to defeat the automatic isolation.

For several specific actuation functions in a very limited number of situations, the operator must be able to defeat the automatic actuation function (using operational blocks or actuation resets), where it is required to support some plant operation such as plant startup, shutdown, or recovery following an accident. For example, the operator is directed by procedures to block low-pressure safety injection prior to reaching a specified pressure limit during plant cooldown and depressurization. This is required to allow plant shutdown without initiating an unnecessary and undesirable safety injection. This function is not automated because operator judgement is used in determining that satisfactory conditions exist to block the safety injection function. Similarly, during a reactor startup, operator judgement is required to block the excore nuclear instrumentation source range high flux trip, after confirming proper operation and overlap of the intermediate range instrumentation, to allow the reactor startup to continue without a reactor trip.

The operator also has the capability to override individual inputs that may contribute to automatic actuation functions under certain very specific conditions. For example, there are a large number of individual plant parameters that can actuate a reactor trip or other safety-related actuation (such as low pressurizer pressure, low reactor coolant loop flow, low pressurizer level, etc.). The I&C system designs must provide the capability to address component failures. This is provided by allowing defeat of the individual inputs from a failed instrument channel that actuates the specific function. The function within the affected channel can be placed in a bypassed condition to allow repair of the failed sensor or channel. This individual channel capability does not eliminate the automatic actuation function, but can defeat one of the multiple, redundant instrumentation channels that determine if the actuation function is required. In a bypass condition, the actuation coincidence logic for that function is automatically reduced to two-of-three instead of two-of-four, but the operator has not defeated the automatic actuation function.

Functional diagrams for the automatic reactor trip and engineered safeguards functions are provided in subsection 7.2 of the AP600 SSAR.
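The actuation rules in the preceding paragraphs can be checked against a small model: two-of-four coincidence that becomes two-of-three when a failed channel is bypassed, manual actuation that is OR'd in at any time, and an operational block that is honoured only while a permissive is satisfied and is otherwise ignored. The Python below is an added illustration written for this page, not Westinghouse code or the AP600 I&C design; the function name, the setpoint and block permissive values, the "one channel bypassed at a time" limit and the channel readings are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ActuationFunction:
    """One automatic actuation function fed by four redundant instrument channels
    with two-of-four coincidence logic (constructed model, not the AP600 design)."""
    name: str
    setpoint: float                          # actuates when a channel reads BELOW this
    block_permissive: Optional[float] = None # operator block honoured only below this
    n_channels: int = 4
    required: int = 2                        # two-of-N coincidence
    bypassed: Set[int] = field(default_factory=set)

    def coincidence(self) -> str:
        """Current voting logic, e.g. '2-of-4', or '2-of-3' with one channel bypassed."""
        return f"{self.required}-of-{self.n_channels - len(self.bypassed)}"

    def bypass_channel(self, channel: int) -> None:
        """Bypass a failed channel for repair.  Assumption for this model: only one
        channel may be bypassed at a time, so the logic never drops below 2-of-3."""
        if channel < 1 or channel > self.n_channels:
            raise ValueError(f"no channel {channel}")
        if self.bypassed and channel not in self.bypassed:
            raise ValueError("only one channel may be bypassed at a time")
        self.bypassed.add(channel)

    def restore_channel(self, channel: int) -> None:
        self.bypassed.discard(channel)

    def _live(self, readings: Dict[int, float]) -> Dict[int, float]:
        return {ch: v for ch, v in readings.items() if ch not in self.bypassed}

    def tripped_channels(self, readings: Dict[int, float]) -> List[int]:
        """Unbypassed channels whose reading is below the setpoint."""
        return sorted(ch for ch, v in self._live(readings).items() if v < self.setpoint)

    def automatic_demand(self, readings: Dict[int, float]) -> bool:
        return len(self.tripped_channels(readings)) >= self.required

    def block_allowed(self, readings: Dict[int, float]) -> bool:
        """An operational block is honoured only when every live channel is below the
        block permissive (the cooldown case in the text), never at operating pressure."""
        if self.block_permissive is None:
            return False
        live = self._live(readings)
        return bool(live) and all(v < self.block_permissive for v in live.values())

    def output(self, readings: Dict[int, float], manual_actuate: bool = False,
               operator_block: bool = False) -> bool:
        """Actuation output: the automatic demand (unless a permitted block is in
        effect) OR'd with manual actuation, which is available at any time."""
        auto = self.automatic_demand(readings)
        if operator_block and self.block_allowed(readings):
            auto = False
        return auto or manual_actuate


def demo() -> Dict[str, object]:
    """Run the constructed scenarios and return the results for checking."""
    si = ActuationFunction("low pressurizer pressure safety injection",
                           setpoint=1700.0, block_permissive=2000.0)
    normal = {1: 2240.0, 2: 2236.0, 3: 2244.0, 4: 2238.0}
    failed_low = {1: 0.0, 2: 2236.0, 3: 2244.0, 4: 2238.0}   # channel 1 sensor failed low
    results: Dict[str, object] = {
        "normal": si.output(normal),
        "single_failed_channel": si.output(failed_low),       # 1-of-4 does not actuate
    }
    si.bypass_channel(1)                                      # failed channel bypassed for repair
    results["coincidence_after_bypass"] = si.coincidence()
    transient = {1: 0.0, 2: 1650.0, 3: 1640.0, 4: 2238.0}     # real low-pressure transient
    results["trip_with_bypass"] = si.output(transient)
    results["block_ignored_at_pressure"] = si.output(transient, operator_block=True)
    cooldown = {1: 0.0, 2: 1650.0, 3: 1640.0, 4: 1655.0}      # all live channels below permissive
    results["block_during_cooldown"] = si.output(cooldown, operator_block=True)
    results["manual_during_block"] = si.output(cooldown, operator_block=True, manual_actuate=True)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The bypass scenario shows the point the text makes: with channel 1 bypassed the logic is 2-of-3, and a genuine transient on channels 2 and 3 still actuates, so the operator has defeated one input but not the function. The block scenarios show that a block request at operating pressure changes nothing, while during cooldown it suppresses the automatic demand without removing the manual actuation path.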

Control

An automated system, after it has been actuated, can also be automatically controlled without operator inputs. As with actuation, however, a significant role is assigned to the human operator. In many cases, such as the startup of the nonsafety-related startup feedwater system, manual control is an option selected by the operator. That is, the design allows the operator to select whether the system is automated or under manual control. Thus, even though in most cases the system is actuated and controlled automatically, there are reasons why the operator may want to place the system under manual control:

1. A manual back-up is needed when the automated control process fails. This defines a manual override or intervention in which the operator must determine that the automated system is not working and manual control is needed.

For example, manual control would be required to override an automatic control function that fails because of an I&C system failure, such as a circuit board or an input sensor. The digital I&C design provides capabilities such as self-checking of internal components and identifying when sensors fail beyond an allowable or expected range. There is still a need to provide the operator with the capability to take manual control of control functions.


2. Manual control of the system is needed prior to disabling automatic functions for preventive or corrective maintenance or post-maintenance testing.

It is possible to perform some preventive or corrective maintenance and post-maintenance testing on parts of an automatic control instrumentation channel while in automatic control. However, there are some parts of the circuitry that may require maintenance or testing and that preclude simultaneous automatic control operations.

These discussions are not intended to imply that manual control is not a concern during steady state conditions, when there are no significant plant operational transients or events in progress. The design intent is to use automatic control, where installed and when possible, because an unplanned transient or event can occur at any time. In this case, automatic response is expected to provide a more effective response for transients that occur too quickly to rely on manual actuation, and especially during the initial part of any transient or event where operator overload precludes effective manual control.

There are variations in the difficulty of the manual control for the various automated control functions. For some plant control functions, such as the rod control system during power operation at a constant power level, long-term manual control is less onerous and may be acceptable (note that accidents can result in a reactor trip, which obviates the need for this specific automatic control function). In most situations, manual control is not difficult for short periods of time or during stable plant conditions, following the failure of the automatic control function while repairs or adjustments are being made.

The Role of Passive Systems - Actuation and Control

For SSCs that actuate by passive processes, the operator cannot prevent component actuation, although there may be indirect control over plant conditions related to the actuation. For example, the initiation of accumulator injection is controlled by the RCS and accumulator pressure differences that open the accumulator discharge check valves. During plant depressurization following ADS actuation, the depressurization sequence actuates accumulator injection independent of operator action. However, for some low-pressure events that do not involve ADS actuation, the operator could potentially take corrective actions to restore RCS pressure or inventory, precluding the need to initiate accumulator injection, although the operator has no direct control over the accumulator discharge valve operation.

The operator can take actions to initiate safety-related, passive processes for those that are actuated by operation of specific components, such as initiation of automatic depressurization. These anticipatory actions can be taken by operators at any time prior to reaching the automatic actuation set point.


l Revision 0 m:\3243w.wpf:1b-100296 September 1996


For most SSCs that are controlled by passive processes, the operator has no direct control over the component performance, such as CMT injection flow or ADS valve vent flow, although there may be indirect control over plant conditions that affect the passive process.

For example, recovering RCS inventory by providing CVS makeup will maintain sufficient inventory to preclude the need for further CMT injection.

Termination

Termination of an automated process is performed by the human operator. The fundamental goals of the ERGs and the EOPs are to mitigate the consequences of an event and to stabilize plant conditions, thereby placing the plant in the appropriate condition to facilitate plant recovery. Therefore, at some point during the event, the operator is required to determine when stable plant conditions have been established. At this time, repair, recovery, or re-start actions are expected to be initiated and the safeguards systems must be restored to the conditions required to provide design basis protection for the existing operational mode determined by Technical Specifications (TS).

The operator is assigned the role of evaluating plant conditions against specified criteria in the EOPs to determine if the termination criteria have been met. If the EOP safeguards actuation termination criteria are met, the operator is directed to reset the appropriate safeguards actuation signals provided by the I&C systems, to restore the required safeguards equipment to the proper standby conditions, and to recover the plant. These manual safeguards equipment termination actions override the automatic actuation signals for the associated equipment, provided that the actuation criteria and signals are no longer present.

Based on the existing plant conditions, the automatic actuation functions are then restored as appropriate by the I&C system actuation circuitry.

If manual actions are attempted to isolate safeguards equipment and to restore it to a standby condition, or to otherwise manually defeat automatic actuation and control functions without terminating the actuation signals, the operator will be unable to override the automatic actuation and control signals.
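The ordering rule stated in the preceding paragraphs (reset the actuation signal only once its criteria have cleared, then return equipment to standby, with the automatic function restored afterwards) can be modelled as a small state machine. The following is an added illustration, not code from WCAP-14644 or from the AP600 I&C design; the channel name, the setpoint, the "parameter below setpoint" criterion and the pressure values are all constructed for the example.

```python
"""Sequencing model for manual termination of an automatic safeguards actuation.

Added example, not code from WCAP-14644 or the AP600 I&C design. The channel
name, setpoint, actuation criterion and pressure values are constructed.
The rules implemented are the ones stated in the text:
  * the actuation signal latches automatically when its criteria are met;
  * a manual reset of the signal is honoured only after the criteria have cleared;
  * returning the equipment to standby is refused while the signal is latched;
  * after a reset, the automatic actuation function is restored.
"""
from dataclasses import dataclass, field


@dataclass
class SafeguardsChannel:
    name: str
    setpoint: float                 # hypothetical: actuate when the parameter drops below this
    signal_latched: bool = False    # automatic actuation signal present
    equipment_running: bool = False
    log: list = field(default_factory=list)

    def criteria_met(self, value: float) -> bool:
        """Actuation criteria: parameter below setpoint (constructed rule)."""
        return value < self.setpoint

    def update(self, value: float) -> None:
        """Automatic path: latch the signal on the first sample that meets the criteria."""
        if self.criteria_met(value) and not self.signal_latched:
            self.signal_latched = True
            self.log.append(f"{self.name}: automatic actuation at {value}")
        if self.signal_latched:
            # A latched signal keeps the equipment actuated whatever the operator tries.
            self.equipment_running = True

    def manual_actuate(self) -> None:
        """Parallel manual actuation: permitted at any time."""
        self.equipment_running = True
        self.log.append(f"{self.name}: manual actuation")

    def manual_reset(self, value: float) -> bool:
        """Operator reset of the actuation signal; rejected while the criteria persist."""
        if self.criteria_met(value):
            self.log.append(f"{self.name}: reset rejected, criteria still present at {value}")
            return False
        self.signal_latched = False
        self.log.append(f"{self.name}: actuation signal reset")
        return True

    def manual_terminate(self) -> bool:
        """Restore the equipment to standby; refused while the signal is latched."""
        if self.signal_latched:
            self.log.append(f"{self.name}: termination blocked, signal still latched")
            return False
        self.equipment_running = False
        self.log.append(f"{self.name}: equipment returned to standby")
        return True


def run_recovery_scenario() -> dict:
    """Walk one constructed event through actuation, an early (rejected) reset,
    a valid reset, termination, and re-actuation on a later transient."""
    ch = SafeguardsChannel("SI-demo", setpoint=1700.0)
    results = {}
    ch.update(1800.0)                                            # normal: nothing happens
    ch.update(1650.0)                                            # criteria met: signal latches
    results["latched_on_low_pressure"] = ch.signal_latched
    results["early_terminate_accepted"] = ch.manual_terminate()  # blocked, signal latched
    results["early_reset_accepted"] = ch.manual_reset(1600.0)    # rejected, criteria still met
    ch.update(1750.0)                                            # criteria cleared, still latched
    results["still_running_after_recovery"] = ch.equipment_running
    results["reset_accepted"] = ch.manual_reset(1750.0)          # honoured now
    results["terminate_accepted"] = ch.manual_terminate()        # equipment to standby
    results["running_after_terminate"] = ch.equipment_running
    ch.update(1650.0)                                            # new transient: auto restored
    results["relatched_on_new_transient"] = ch.signal_latched
    results["log"] = ch.log
    return results


if __name__ == "__main__":
    for line in run_recovery_scenario()["log"]:
        print(line)
```

The two refusals in the scenario are the point: a termination attempted while the signal is latched, and a reset attempted while the criteria still hold, both fail and leave the equipment actuated, which is the behaviour the text describes for the I&C circuitry.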

In previous Westinghouse plant designs, the use of manual termination had the potential to place the operator in a goal-conflict situation. However, the AP600 passive safety injection systems provide a benefit over the forced-flow safety injection systems in the reference plant in relation to the termination of safety injection systems following an accident.

Following a safeguards actuation signal in the reference plant, the operation of the pumped safety injection systems results in very large quantities of water being provided to the RCS.

For most events, unless there is a relatively large break, this forced flow from the high head, intermediate head, and low head safety injection pumps can potentially cause RCS overfill.

It can also re-pressurize the RCS to either the shutoff head of the operating pumps or the pressurizer safety valve setpoint, whichever is less. The potential for overfill and RCS overpressurization provides the operators with conflicting goals - maintaining safety injection flow until the event is stabilized versus terminating the safety injection signal as soon as possible to prevent overfill.

The AP600 passive safety injection systems have been designed to provide the required safety injection flow for design basis events. The passive systems provide lower injection flow rates than the reference plant (for the same condition) and flow is controlled by passive processes, based on the need for injection. Therefore, passive components and the passive process control features are expected to result in slower transients.

For example, the CMT high-pressure injection flow provides significant benefits over high head injection in the reference plant, with regard to overfill and operator goal conflicts in terminating safety injection. Three features tend to naturally limit the potential for the CMT to cause RCS overfill. First, the injection volume that the CMTs can provide is physically limited by the CMT volumes. The CMT volume is much less than the RWST volume available to the high head safety injection pumps in the reference plant. Second, the CMT flow rate is controlled by passive processes, such as gravity injection and natural circulation conditions, and the injection flow is affected by the plant conditions that are related to the need for injection. For example, CMT injection flow is much greater when significant RCS voiding exists than for non-voided conditions. Third, the PRHR automatically actuates when the CMTs are actuated, thereby reducing RCS temperatures. The subsequent RCS shrinkage tends to provide more margin to RCS overfill.

Therefore, for non-Loss of Coolant Accident (LOCA) events and smaller LOCA events, the potential for RCS overfill is reduced for the AP600. The operator has more time to stabilize plant conditions and to terminate safety injection, than for similar events in the reference plant.

The passive systems also provide the capability to respond to more severe transients when required. For example, a large-LOCA event results in a very rapid RCS depressurization and the passive safety injection systems must be capable of mitigating these rapid events. The accumulators are designed to rapidly inject into the RCS to flood and refill the reactor vessel following a large-LOCA. However, for smaller LOCA events, the accumulator injection will be slower since it is passively controlled, based on pressure differences between the RCS and the accumulators.

The differences in operation of the passive safety-related systems are expected to reduce operator goal conflict in AP600, when compared to the reference plant.

Functional diagrams that clarify the termination capability for the specific engineered safeguards functions are provided in subsection 7.2 of the AP600 SSAR.

Information Needs

To allow the operator to take these various roles that include supervisory monitoring, support, or back-up of automated SSCs, the M-MIS must provide an appropriate set of instrumentation to the operator. The AP600 SSAR describes the instrumentation available to the operator for each plant system. In addition, subsection 7.5 of the AP600 SSAR contains the identified post-accident monitoring instrumentation provided to the operator to confirm required plant conditions and to verify proper operation of, or the need for manual actuation of, the safety-related and nonsafety-related, defense-in-depth SSCs that are used to mitigate the consequences of an accident. The regulatory guidelines for this instrumentation are provided in Regulatory Guide 1.97 (Ref. 18) and plant conformance with these guidelines is discussed in Appendix 1A of the AP600 SSAR. The M-MIS design activities will determine how to best display this information to support each of these operator roles.

Summary

There are several fundamental principles related to automation and the role of the operator that are considered in function allocation, including the following:

  • Automatic actuation and control functions are needed for a variety of regulatory and design reasons - for example, when the operator is not fast enough or is too busy to perform required actuation and control functions.
  • For SSC actuation, the human operator serves primarily as a back-up to the automated system.
  • For SSC control, the human operator serves as a back-up when automation fails, but for certain operating conditions, the use of manual control is preferred.
  • The human operator is always used for termination.
  • The operator has limited control over passively-actuated and passively-controlled functions.


3.1.3.2 Guidelines for the Residual Role of Automation for Functions Allocated to Human Performance

When a function has been allocated to the human operator, the system designer needs to apply guidelines for integrating the capabilities of the M-MIS and plant systems to support the operator in manual operations. In general, the following are applied through the M-MIS design process:

  • Develop displays that aid the operator in thinking about the process from both physical and functional perspectives (present plant state indications to aid the operator in understanding the current situation)
  • Use plant systems to monitor for set point violations and other significant changes to aid the operator in identifying important changes
  • Use plant systems for monitoring parameter values that are needed in completing procedures and then informing the operator about the status of those parameters in the context of the procedure step
  • Aid the operator in locating and accessing important plant state information that may become relevant to operations

Chapter 18 of the AP600 SSAR provides a detailed discussion of the HFE design process, including the human system interface (M-MIS: Section 18.8 of the AP600 SSAR).

3.1.3.3 Implementation Schemes

After decisions have been made regarding the use of automation and human operators, it is possible to classify the various implementation schemes that have been used at a system level. For actuation, there are five possible implementation schemes that are discussed in detail in subsection 3.2. These five implementation schemes include the following:

1. Passive The actuation of the SSC depends on an inherent, natural process and is independent of operator action.

2. Parallel The operator has the capability to actuate the SSC manually at any time. Although the function is actuated automatically, the operator does not have the capability to defeat automatic actuation (excluding certain required resets and operating bypasses).


3. Selectable The operator has the capability to select whether the SSC can be manually or automatically actuated. Selecting manual actuation can defeat the automatic function.

4. Complementary There is sharing of actuation responsibilities between the human operator and automation.

5. Manual The human operator is solely responsible for actuation.

For control, there are four possible implementation schemes that are discussed in detail in subsection 3.2. These four implementation schemes include the following:

1. Passive The control of the SSC depends on an inherent, natural process and is independent of operator action.
2. Selectable The operator has the capability to select the mode of control, which can defeat the automatic function.
3. Complementary There is sharing of control responsibilities between the human operator and automation.
4. Manual The human operator is solely responsible for control.

Note that there is no implementation scheme in which actuation or control is solely achieved by I&C automation (see "Automatic" on page 3-18). These implementation schemes are identified in Table 4.

Subsection 3.1 provides a discussion of the methodology used for the function allocation process. Subsections 3.2 and 3.3 provide the results of this process and subsection 3.4 provides a summary of the important results from Tables 4 and 5, which document the function allocation results.

3.2 AP600 Function Allocation Summary (Table 4 )

Table 4 was developed to provide a comprehensive summary of the AP600 function allocation for the safety-related and nonsafety-related defense-in-depth SSCs. The table organization is based on the six CSFs, similar to the structure provided in Tables 1, 2, and 3.

For each of the AP600 CSFs, the table identifies the same success paths and appropriate SSCs in each success path that were compiled in the earlier tables.


For each of the SSCs in the success paths, Table 4 provides the following information needed to understand the function allocation:

  • A description of the SSC actuation
  • A description of the SSC control
  • Specific summary comments about each SSC in the success path
  • An overview of the type of protection provided by the success path

As discussed previously, a success path can be made up of a single SSC or a group of SSCs that work together to accomplish a CSF. Table 4 provides information for each of the SSCs in each success path to understand the function allocation for that SSC.

The sequence of the success paths in Table 4 for each CSF is listed in the order that the success paths are expected to be actuated. The nonsafety-related, defense-in-depth SSCs are normally automatically actuated first. The safety-related, passive components are not expected to be required for an event, unless there are failures of the defense-in-depth systems. For beyond-design-basis events where multiple, safety-related SSC failures have occurred, backup success paths using either safety-related SSCs, nonsafety-related SSCs, or combinations of the two groups of SSCs are listed in the order that they are expected to be implemented. The success paths that are expected to be used either during shutdown or after shutdown conditions have been established following an event, are listed last in the table and are indicated with the word "shutdown" in parentheses.

For example, nonsafety-related main feedwater pumps and startup feedwater pumps are the first success paths to provide core cooling, and the safety-related PRHR System / Event would not be expected to actuate following events unless both of these success paths were unavailable. If the design basis protection provided by the PRHR also fails, backup success paths using the CMTs, accumulators, normal residual heat removal system (RNS), IRWST, and ADS are available, as indicated.

SSC Actuation Functions

Table 4 includes two columns to describe the SSC actuation. The first column is used to indicate when the SSC is automatically actuated and the entry in this column describes the type of actuation for that SSC. The second column is used to indicate when the SSC is manually actuated. If there are no automatic actuation capabilities for an SSC, then there will be no entries in the automatic column.

Most of the AP600 SSCs are actuated by the plant I&C systems - the safety-related PMS, the nonsafety-related PLS, or the nonsafety-related DAS. The I&C systems are designed to provide a manual actuation capability for SSCs that are automatically actuated. This capability allows the operator to proactively initiate success path SSC functions when necessary, as well as functioning as a backup in the event that the automatic actuation function fails to properly actuate an SSC.

The following actuation capabilities exist for the AP600:

Passive (Pass) The SSC accomplishes safety function(s) through naturally inherent passive actuation processes (such as Doppler reactivity feedback, natural circulation flow, passive heat removal and injection, or mechanical overpressure relief protection) that are independent of both I&C system actuation and operator action.

Accumulator injection is initiated passively by the pressure differential that opens the discharge check valves when RCS pressure decreases below accumulator static pressure. Injection is controlled by the pressure differential between the accumulator and the RCS.

Automatic (Auto) The SSC actuation is completely automatic, without a means for manual actuation.

There are no AP600 SSC actuation functions in this category. The AP600 automatic actuation features also have the capability for manual actuation.

There are certain interlocks and permissives that are contained within the high-level actuation functions addressed as part of the function allocation process, and that contain automatic actuation features (without the capability for manual operator interfaces). These are internal to the specific high-level actuation function circuitry and are not appropriate to address, based on the intent of the function allocation process. These automatic features in the I&C circuitry are limited to specific interlocks or permissives that are contained within larger actuation circuits and are only mentioned for clarification and completeness of this evaluation. See the functional diagrams in Chapter 7 of the AP600 SSAR for more details.

For example, opening of the RNS pump suction isolation valves (that are used to establish closed-loop RNS cooling during shutdown conditions) is a "manual" actuation function. However, the actuation circuitry includes an automatic interlock to prevent the operator from opening these valves if RCS pressure is above a certain setpoint, to prevent overpressurizing the RNS. The operator cannot disable or defeat this interlock. As part of the function allocation process, actuation of the RNS is appropriately categorized as "manual," but the manual actuation circuitry contains this automatic interlock feature.

Parallel (Para) The SSC actuation can be provided both manually and automatically. The operator has the capability to provide manual actuation at any time, but does not have the capability to defeat the automatic actuation (excluding resets and operating bypasses, such as the block of low-pressure safety injection to allow plant cooldown without initiating safety injection).

The majority of the AP600 safety-related automatic actuation functions are in this category, such as the CMTs and ADS. Plant technical specifications require that these SSCs have the capability to actuate automatically.

Selectable (Sel) The SSC actuation can be provided both manually and automatically. The operator has the capability to select the mode of actuation, which can defeat automatic actuation.

The majority of the AP600 nonsafety-related, defense-in-depth automatic actuation functions are in this category, such as the startup feedwater or CVS makeup pumps. The automatic actuation can be defeated, for example, if a component malfunction occurs and repairs are being performed.

Complementary (Comp) The SSC actuation can be provided both manually and automatically. There is sharing of actuation responsibilities between the operator and the I&C systems or the passive SSCs. While there may be some functional overlap, there is not complete redundancy.

This actuation scheme exists because the operator has a continuous manual interface that affects the actuation setpoint for the component. For example, the CVS and steam dumps have control setpoints for some operating modes that affect the actuation of the appropriate SSCs.

An example is the actuation of steam dumps in the "steam pressure" operating mode. The operator manually selects the desired steam generator pressure set point and the steam dumps actuate open and closed (and also modulate) as necessary to maintain the established set point, based on the reactor core decay heat rate. The operator has enabled automatic control (and established the specific operating condition) and can defeat automatic operation if desired for any reason.

Manual (Man) The SSC actuation is completely manual, without a means for automatic actuation. (For this type of control scheme, there are no entries in the automatic column in the table.)

The discussion in subsection 3.1.1 provides additional information related to manual actions to override automatic actuation and control signals by terminating safeguards actuation signals as part of the plant recovery following an event.

SSC Control Functions

Table 4 includes two columns to describe the SSC control. The first column is used to indicate when the SSC is automatically controlled and the entry in this column describes the type of control capabilities for that SSC. The second column is used to indicate when the SSC is manually controlled. If there are no automatic control capabilities for an SSC, then there will be no entries in the automatic column.

Most of the AP600 SSCs are controlled by the same plant I&C systems that provide the actuation functions, the safety-related PMS or the nonsafety-related PLS. (The other SSCs are controlled by passive processes.) The I&C systems provide a manual control capability for SSCs that can be automatically controlled, similar to the manual backup for the automatic actuation functions. This capability allows the operator to perform manual control of success path SSC functions when necessary and to provide a backup in the event that the automatic control function fails to properly control an SSC.

The following control capabilities exist for the AP600:

Passive (Pass) The SSC accomplishes safety function(s) through naturally inherent passive control processes (such as reactivity feedback, natural circulation flow, passive heat removal and injection, or mechanical overpressure relief protection) that are independent of both I&C system action and operator action.

Accumulator injection flow is controlled passively by the pressure differential between the accumulator and the RCS.

Automatic (Auto) The SSC control function is completely automatic, without a means for manual actuation to execute the basic function.

There are no AP600 control functions in this category.


Parallel (Para) The SSC control can be provided both manually and automatically. The operator has the capability to provide manual input into the control function at any time, but does not have the capability to defeat the automatic control function.

There are no AP600 control functions in this category.

Selectable (Sel) The SSC control can be provided both manually and automatically. The operator has the capability to select the mode of control, which can defeat automatic control.

All of the AP600 control functions provided by the I&C systems are in this category. (The only AP600 plant control functions that are not in this category are those controlled by passive processes that are identified in Table 4.)

Complementary (Comp) The SSC control can be provided both manually and automatically. There is sharing of control responsibilities between the operator and the I&C systems or the passive SSCs. While there may be some functional overlap, there is not complete redundancy.

This control scheme exists because the operator has a continuous manual interface that affects the control setpoint for the component. For example, the CVS and steam dumps have control setpoints for some operating modes that affect the continuous operation of the appropriate SSCs.

An example is the reactivity control success path where the CVS provides boration for the RCS. The operator must input specified boron concentration, flow rate, and volume parameter values to the control system and then manually actuate the boration process. The CVS then automatically controls the system operation to supply the specified volume and concentration at the specified flow rate.

Manual (Man) The SSC actuation is completely manual, without a means for automatic control of the SSC. (For this case, there are no entries in the automatic column.)

The discussion in subsection 3.1.1 provides additional information related to manual actions to override automatic actuation and control signals by terminating safeguards actuation signals as part of the plant recovery following an event.

3.3 AP600 Function Allocation Basis (Table 5)

Table 5 identifies the basis for the function allocations for the AP600 SSCs in the CSF success paths. The table lists the SSCs for the AP600 success paths for each CSF (the same list as provided in Table 3) and provides a cross-reference to the detailed success path function allocation and description provided in Table 4.

Table 5 identifies the specific function allocation basis for each AP600 success path. The development of the specific function allocation basis is described in subsection 3.1.2 and the resulting function allocation basis codes that are specifically applicable to the AP600 are identified at the end of the subsection. These allocation basis codes are also listed at the end of Table 5.

For comparison, Table 5 indicates whether the equivalent or identical function is automated for the reference plant and also provides comments related to the function allocation basis.

3.4 Results

Table 4 provides an overview of the success path allocations, which includes summaries of the integrated actuation and control functions for the SSCs in each success path. The success paths for each CSF are listed in the sequence that is expected to be followed by the operator during an event. The comments for each success path help to explain the overall operation of the components in the success path and identify the protection basis for each path.

Table 4 identifies the specific actuation and control scheme for each of the SSCs. Table 5, which provides the basis for the function allocation for the SSCs in each CSF success path, shows that the basis for the majority of the function allocations can be grouped into several important categories:

  • The safety-related, passive SSCs are required to be automated by regulatory or utility requirements.
  • Many of the nonsafety-related, defense-in-depth systems must be automated by default since they are designed to actuate before the safety-related, passive systems (that must be automated) to prevent unnecessary actuation of the passive SSCs.
  • Design improvements have resulted in automation of some SSC actuation and control functions to help reduce operator workload during critical periods following an event or to improve plant safety.
  • A number of SSCs can be manually actuated because they serve defense-in-depth functions where there are significant layers of defense-in-depth SSCs that must fail before those SSCs are needed and where there is significant time for the SSC to be manually actuated, when compared to the reference plant.
  • Many of the nonsafety-related SSCs that perform equivalent functions to those for the reference plant are equivalently automated, except where design improvements in the automatic functions were implemented based on plant experience or human factors considerations.


4.0 HUMAN FACTORS CONSIDERATIONS IN FUNCTION ALLOCATION

Human factors considerations in function allocation are incorporated in the design process at several points. Initial allocation, while largely constrained by external requirements and design goals, takes into account the strengths and limitations of human operators and automated systems. The adequacy of the allocation is further evaluated throughout the AP600 design process. FBTAs are used to verify that the sensors and controls that are provided are sufficient to enable operators to perform the role assigned to them in system performance. Workload analyses are used to evaluate the adequacy of the integrated role assigned to operators across systems. Final integrated system validation is used to establish the adequacy of the function allocation using man-in-the-loop tests in dynamic simulated plant conditions. This section provides a detailed description of the processes, employed as part of the AP600 M-MIS design process, that address human factors concerns related to function allocation during all phases of the design.

4.1 Human Factors Input Early in the Design Process

Figure 1 captures the decision process that was used by system designers to make initial allocations (see subsection 3.1 for a description of the use of this diagram). As shown in Figure 1, there is an explicit consideration of limitations in human capabilities in the following ways:

1. Tasks are not assigned to human operators when it is known that they will be unable to perform with sufficient speed to accomplish critical safety actions in a timely fashion.
2. Tasks are not assigned to human operators when they are complex or not routinely performed and the likelihood of error is great, or when there is likely to be an overwhelming workload due to the initiation of a transient.
3. Tasks are not assigned to human operators when operating experience indicates that human capabilities are inadequate to execute tasks with sufficient skill.
4. Tasks are not assigned to human operators when a PRA analysis indicates that human error probabilities are too high for safe operation.
5. Tasks are not assigned to human operators when activities are not well-suited to human strengths; for example, the activities require sustained vigilance.
6. Design improvements have resulted in modifying AP600 tasks to reduce the likelihood of situations that present conflicting goals to the operator (such as some post-accident conditions in current plants where human operators are required to throttle safety systems to prevent RCS overfill).

These allocation decisions were based on operating experience reviews and PRA and Human Reliability Analysis (HRA) analyses that allowed early tests of proposed roles for the operator. Further, the design of automated systems uses a set of guiding principles for establishing appropriate roles for human operators. For example, human operators are provided information to support supervisory monitoring, to ensure the process is achieving its goals, and to provide the possibility for manual intervention, when the automated process fails to achieve its goals.

4.2 Human Factors Evaluation of the Integrated Role of the Operator

Initial function allocation results and rationale focus primarily on the responsibilities of an operator with respect to an individual function, system, or process. However, in an operational setting, operators have responsibilities across multiple systems. As a result, in defining and evaluating the role of the operator, one must consider the total integration across plant functions and systems of the operator's responsibility. In this section the human factors activities are discussed that are performed as part of the M-MIS design process and that are intended to verify the adequacy of function allocation and to create an M-MIS that supports the integrated role of the operator across plant functions and systems.

These issues will be addressed as part of task analyses, workload analyses, M-MIS design, and verification and validation activities.


The AP600 Task Analysis Implementation Plan describes two types of task analyses that will be conducted in support of M-MIS design. One type of task analysis is referred to as a "FBTA". The objective of the FBTA is to determine the process plant data needed to support operators in monitoring and controlling the plant to achieve primary plant safety and energy production goals.

1 The FBTA involves superimposing a set of questions derived from an operator decision-4 making model onto the nodes of a function decomposition goal-means structure to define the ,

plant process data and controls that are necessary to support operator performance. The ,

answers to these questions serve as a specification of the plant parameter information and

{ controls that need to be presented to operators to support monitoring, situation awareness,

planning, and control activities.

Revision 0 m:\3243w.wpf:1b-100296 September 1996

The information and control requirements for supervisory monitoring and control of automated systems must include the safety-related, passive SSCs and provide the information necessary to determine the following:

  • Availability of automated systems and initiation criteria (i.e., are the systems available and when will they come on?)
  • Performance of automated systems (i.e., are they performing correctly?)
  • The need for manual backup, manual intervention, or manual override (i.e., is manual intervention required to initiate, throttle, or terminate an automated system?)

The output of the FBTA provides a completeness check on the availability of needed indications, parameters, and controls. It provides a verification of the adequacy of the I&C available to support the operator's role in function achievement.

A second type of task analysis that will be conducted as part of task analyses is the operational sequence analysis (OSA). The OSA is one of the primary tools for verifying the adequacy of the integrated role of the operator. The OSA will be conducted on a representative set of operational tasks. The tasks will be selected to represent the full range of operating modes, including startup, normal operations, abnormal and emergency operations, transient conditions, and low-power and shutdown conditions. As part of the OSA, workload analyses will be conducted on a subset of operational tasks (OSA-2). The OSA, and in particular the workload analyses, will provide verification that the operational tasks assigned to operators, integrated over multiple plant functions and systems, are within the operator's capability and can be accomplished without too high or too low a workload. The OSA will take into account control room staffing assumptions.

If it is determined that the workload is too high or too low, options include making changes in staffing assumptions or modifying the person-automated system allocation.

The final integrated system validation that will be conducted in an AP600-specific training simulator will provide a final check on the adequacy of the function allocation. The integrated system validation to be performed by Westinghouse is described in the M-MIS verification and validation implementation plan.

In the design and evaluation of the control room M-MIS for the AP600, particular attention will be paid to the need to support the operator's role as supervisory controller and system monitor of automated systems, including the following considerations:

  • Situation awareness, including awareness of status and operation of the automated systems (i.e., ability to detect and understand changes in automated system performance)
  • Ability to detect degradation in automated system performance and establishing manual control
  • Ability to make smooth transition from use of nonsafety-related SSCs to safety-related SSCs
  • Monitoring and supervisory control of passive systems (including decisions and actions to mitigate events before necessitating a transition to actuation of safety-related, passive SSCs)
  • Moderate operator workload and workload transitions
  • Operator vigilance and the need to keep the operator involved and knowledgeable of the plant status

4.3 Mechanisms for Modifying Function Allocations Based on Analysis Results

Section 4.2 described the human factors activities that are conducted as part of the M-MIS development process to evaluate the adequacy of function allocations. These activities address the ability of operators to perform the role assigned to them, the adequacy of the information and controls provided to support task performance, and the resulting workload.

If at any point deficiencies such as lack of necessary sensors or controls to support operator performance or excessive workload are identified, then action will be taken to remediate the problem. Options available include the following:

  • Changing the M-MIS (e.g., integrating available sensor information to create "synthetic" values that provide information at the level the operator requires it and reduce the operator workload associated with data gathering and integration)
  • Changing system designs (e.g., to provide new sensors or to alter manual-automation system allocation assumptions)
  • Changing staffing assumptions

The preferred option, whenever possible, is to make changes to the M-MIS. If a problem in function allocation is identified that cannot be dealt with through changes in the M-MIS, then it may be possible to make changes to system designs and function allocations. Finally, if the problem cannot be dealt with either through changes in the M-MIS or changes in the system designs and function allocations, then it may be possible to consider changes in the plant staffing assumptions. For example, while the design goal is to have plant operations controlled by a single operator, it may be determined that under certain plant conditions (such as plant startup, shutdown, or emergency conditions) additional staffing will be needed.

The AP600 design process includes a formal design configuration change control process that is used to control and implement changes to the plant design. It is used when the design to be changed has been previously released in a document for use and placed under configuration control. A design change proposal is the vehicle used to initiate and document review of proposed design changes. Design change proposals include identification of impacts of the proposed design change from affected functional groups. Design change proposals are maintained in a data base that is used to track the status of each design change proposal from initiation through implementation and closure. A description of the Systems Engineering Procedures for the AP600, including the design configuration change control process, is provided in WCAP-12601, AP600 Simplified Passive Advanced Light Water Reactor Plant Program, Program Operating Procedures (Ref. 19).


5.0 CONCLUSIONS

This report provides the AP600 functional requirements analysis and function allocation process for the CSFs that must be accomplished during design basis and beyond design-basis events. The analysis is based on comparisons with the generic Westinghouse PWR design used for current plants, which provides an extensive experience base of successful operating histories that forms a valid reference point from which to evaluate the design changes and improvements provided in the AP600 design. The conclusions of this evaluation include the following:

1. The AP600 CSFs are the same as those used for current Westinghouse plants and satisfy the similar design basis requirements for both the AP600 and the reference plant designs.

2. The critical success paths and the function allocations for the safety-related and nonsafety-related SSCs are similar in the AP600 and the reference design. The addition of safety-related, passive SSCs provides some new success paths and resulting function allocations that perform equivalent safety functions to the corresponding SSCs in the reference plant. Where necessary, there have also been some changes to the traditional SSC success path functions and allocations due to the following reasons:

  • Specific changes that provide improvements in the SSC design or operation based on operational experience
  • Consequential changes in the SSC design or operation as a result of other improvements in the AP600 design

3. The AP600 meets the safety-related requirements for function allocation. No additional allocation concerns have been identified.

4. The AP600 provides improvements through revised allocations in areas of known concern to operator performance.

5. The evaluation of the interaction between the human and machine elements of the plant actuation and control systems, and the resolution of specific problems identified, will continue as part of the FBTA, PRA, verification and validation, and procedure development activities.

6. This report satisfies the complete review level requirements for Element 3 of the AP600 HFE Program Plan (Ref. 20) and the HFE Program Review Model for the AP600 design certification (Ref. 1), and the requirements of NUREG/CR-3331 (Ref. 5).


6.0 REFERENCES

1. NUREG-0711, "Human Factors Engineering Program Review Model," U.S. Nuclear Regulatory Commission, Washington, D.C., July 1994.
2. EPRI Advanced Light Water Reactor Utility Requirements Document, Electric Power Research Institute, Rev. 6, 1993.
3. IAEA-TECDOC-668, The Role of Automation and Humans in Nuclear Power Plants, 1992 (International Atomic Energy Agency, International Working Group on NPP Control and Instrumentation).
4. IEC 964, Design for Control Rooms of Nuclear Power Plants, 1989 (International Electrotechnical Commission).
5. Pulliam, R., Price, H.E., Bongarra, J., Sawyer, C.R., and Kisner, R.A. (1983). A methodology for allocating nuclear power plant control functions to human and automatic control. NUREG/CR-3331. Washington, DC: Nuclear Regulatory Commission.
6. AP600 Emergency Response Guidelines, Rev. 2, April 1996.
7. AP600 Emergency Response Guidelines Background Document, Rev. 1A, August 1996.
8. AP600 Probabilistic Risk Assessment, Rev. 6, November 1995.
9. WCAP-13913, Framework for AP600 Severe Accident Management Guidance.
10. WCAP-14477, The AP600 Adverse Systems Interactions Evaluation Report, February 1996.
11. WCAP-13793, AP600 System/Event Matrix, June 1994.
12. AP600 Standard Safety Analysis Report.
13. WCAP-13856, AP600 Implementation of the Regulatory Treatment of Nonsafety-Related Systems Process Summary Report, Rev. 0, September 1993.
14. AP600 Shutdown Evaluation Report.
15. Fitts, P.M. (1951). Human engineering for an effective air navigation and traffic control system. Washington, DC: National Research Council.
16. Unresolved Safety Issue B-17, Criteria for Safety-Related Operator Actions, NUREG-0933.
17. ANSI/ANS 58.8-1984, Time Response Design Criteria for Nuclear Safety-Related Operator Actions.
18. Regulatory Guide 1.97, Revision 3, Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs During and Following an Accident, 5/83.
19. WCAP-12601, AP600 Simplified Passive Advanced Light Water Reactor Plant Program, Program Operating Procedures.
20. AP600 Standard Safety Analysis Report, Chapter 18, HFE Program Plan.
21. WCAP-13054, AP600 Compliance with SRP Acceptance Criteria (GW GL 001 Rev. 0), January 1993.
22. WCAP-13559, Operational Assessment for AP600 (GW GLR 001), December 15, 1992.
23. Human Factors Evaluation and Allocation of System 80+ Functions, NPX80-IC-RR790-02, Revision 01, March 15, 1993, ABB Combustion Engineering, Inc., Windsor, CT.
24. Letter from W. C. Huffman (NRC) to N. J. Liparulo (Westinghouse), Nuclear Regulatory Commission (NRC) Response to AP600 Open Item and Related Follow-on Questions, May 15, 1995.


TABLE 1 (Subsection 2.1.1)
WESTINGHOUSE ERG CRITICAL SAFETY FUNCTIONS

Columns: ERG Critical Safety Function; Equivalent Safety Function from WCAP-13793; Purpose; Primary Parameters Monitored by the ERGs to Confirm Critical Safety Function Status.

1. Subcriticality
   Equivalent safety function from WCAP-13793: Reactor Shutdown
   Purpose: Control core reactivity to limit the heat generated by the reactor core to only core decay heat.
   Primary parameters monitored: Core reactivity as monitored by excore nuclear instrumentation.

2. Core Cooling
   Equivalent safety function from WCAP-13793: Core Decay Heat Removal and RCS Inventory
   Purpose: Provide adequate RCS inventory to remove core decay heat, preventing core heatup due to inadequate core cooling, and assuring that core integrity will be maintained.
   Primary parameters monitored: Core exit temperature as monitored by core exit thermocouples.

3. Heat Sink
   Equivalent safety function from WCAP-13793: Core Decay Heat Removal
   Purpose: Provide a heat sink for heat removal from the RCS either to containment (through either the PRHR heat exchangers or a feed and bleed process) or to the plant heat sink (through the steam generators).
   Primary parameters monitored: Passive residual heat exchanger operation and steam generator level, feedwater flow, and pressure.

4. Integrity
   Equivalent safety function from WCAP-13793: Core Decay Heat Removal and RCS Inventory
   Purpose: Mitigate the effects of events (excessive RCS cooldown or overpressurization) that can challenge reactor vessel integrity due to pressurized thermal shock or cold overpressure.
   Primary parameters monitored: RCS temperature and pressure conditions.

5. Containment
   Equivalent safety function from WCAP-13793: Containment Cooling
   Purpose: Maintain containment integrity to prevent the release of radioactivity following an event.
   Primary parameters monitored: Containment conditions including pressure, floodup water level, and radiation levels.

6. Inventory
   Equivalent safety function from WCAP-13793: Reactor Coolant System Inventory
   Purpose: Maintain RCS inventory and prevent reactor vessel void formation following an event.
   Primary parameters monitored: RCS pressurizer level.


NOTES for TABLE 2

1 A list of abbreviations is provided at the beginning of this document.

2 The reactor is shut down by negative moderator temperature coefficient (MTC) as the coolant heats up. This capability requires automatic RCS pressure relief, turbine trip, and heat removal (auxiliary feedwater or PRHR actuation). AP600, which has a more negative MTC, includes a DAS (providing ATWS functions similar to those of the ATWS Mitigation System Actuation Circuitry (AMSAC)), has main feedwater, startup feedwater, and PRHR systems, and has CMTs and CVS for boration.

3 The SSCs identified in the CSF Integrity are treated somewhat differently, from the perspective of actuation, control, and operator actions, than the SSCs for other CSFs. The CSFs other than Integrity are generally successful when the SSCs actuate and perform their specified functions. For example, core cooling is successful when the PRHR heat exchanger (HX) and other safety-related and nonsafety-related SSCs that provide core cooling actuate. The CSF restoration guidelines generally direct the operators to confirm satisfactory operation of the required SSCs or to take actions to initiate operation of required SSCs that have failed to start.

Similarly, the CSF Integrity is generally satisfied when the identified SSCs in the success path successfully actuate and are successfully controlled during their operation. However, challenges to Integrity occur when the required SSCs either actuate incorrectly when not required or when they actuate successfully and a control malfunction occurs. The AP600 design provides safety-related design basis protection, but beyond-design-basis malfunctions of the actuation or control functions for the identified SSCs in the success paths cause either overcooling (such as excessive steam flow through the turbine bypass valves) or overpressurization (excessive RCS makeup flow from the CVS makeup pumps).

Therefore, to mitigate the consequences of these failures, most of the actions in the function restoration guidelines for Integrity direct the operator to respond in an opposite fashion from that of the other CSFs: to identify the malfunctioning SSC(s) that are operating in an unacceptable manner and to manually control or isolate the SSC, as appropriate.

TABLE 2 (Subsection 2.1.2)
SUCCESS PATHS¹

Columns: Critical Safety Functions; Safety-Related (AP600 | Reference Plant); Nonsafety-Related (AP600 | Reference Plant).

1. Subcriticality
   Safety-Related, AP600: Reactor trip (PMS via trip breakers); CMT boration
   Safety-Related, Reference Plant: Reactor trip (Solid State Protection System (SSPS) via trip breakers); High head safety injection
   Nonsafety-Related, AP600: Reactor trip (DAS via motor generator (MG) set); Ride out (PRHR actuation and turbine trip from DAS)²; Control rod insertion; CVS boration
   Nonsafety-Related, Reference Plant: Ride out (Auxiliary Feedwater System (AFW) actuation and turbine trip from AMSAC)²; Control rod insertion; CVS boration

2. Core Cooling -

PRHR -

Auxiliary feedwater -

Main feedwater -

Main feedwater Automatic RCS feed -

RHR closed loop --

Startup feedwater -

Manual RCS feed and p and bleed (CMT / cooling (shutdown) -

Manual RCS feed and bleed (pressurizer w accum / IRWST / - Refueling cavity biced (CMT / accum / power-operated relief .

recirculation ADS) inventory (refueling) RNS injection / IRWST valve (PORV)I high I Manual RCS feed and / recirculation / partial head SI pump) bleed (accum / ADS) ,

IRWST / recirculation -

RNS closed loop

/ ADS) cooling (shutdown) i Refueling cavity -

Spent fuel pool cooling i inventory (refueling) system (SFS) refueling  ;

cavity cooling l (refueling)


TABLE 2 SUCCESS PATHS (Cont.)

Columns: Critical Safety Functions; Safety-Related (AP600 | Reference Plant); Nonsafety-Related (AP600 | Reference Plant).

3. Ileat Sink -

PCS drain / air -

SG safety valves -

Steam dumps / circ -

Steam dumps / cire cooling -

Component cooling water water Air cooling w/o PCS water system (CCS) / -

SG PORVs -

SG PORVs drain essential service water / -

SG safety valves -

CCS / service water /

cooling tower fans - RNS closed-loop cooling tower (shutdown) cooling of IRWST Fan coolers / chilled water / CCS / service water I cooling tower fans Fire protection drain /

air cooling

[ { -

CCS / service water /

cooling tower fan (shutdown)

4. Integrity' -

PRIIR isolation -

Auxiliary feedwater -

SG PORV control -

Steam dumps control Steam generator (SG) control / SG PORY -

Steam dumps control -

Main feedwater PORV and block valve closure -

Main feedwater control contml closure - SG PORV and block -

Startup feedwater -

CVS makeup /

Steam dump closure valve closure control letdown control Main steamline -

Steam dump closure -

RNS cooling control -

Pressurizer heaters /

isolation valve (MSIV) -

MSIV and bypass valve -

CVS makeup / letdown - spray and bypass closure closure control -

Pressurizer auxiliary CMT isolation -

High head safety -

Pressurizer heaters / spray Accum isolation injection isolatior: spray ADS -

Accum isolation -

Pressurizer auxiliary

{ -

Reactor vessel (RV) -

RHR cooling control spray g head vent -

RV head vent 4


TABLE 2 SUCCESS PATHS (Cont.)

Columns: Critical Safety Functions; Safety-Related (AP600 | Reference Plant); Nonsafety-Related (AP600 | Reference Plant).

5. Containment Containment Heat Removal Containment Heat Removal Containment Heat Removal PCS drain -

Fan Coolers -

Fan coolers PCS drain w/o air -

Containment spray -

Fire protection drain flow Containment Isolation - Fire protection drain

- Air cooling w/o drain -

Isolation valves (11RC w/o air cooling Containment Isolation /1 ORC) LOCA Outside Containment Isolation valves (1 LOCA Outside Containment -

Iligher RNS design inside reactor -

RHR (2 barriers) pressure (no rupture) containment (IRC) /

I outside reactor 1 containment (ORC))

p -

Containment can be

" open (shutdown)

LOCA Outside Containment RNS (3 barriers) y "e


TABLE 2 SUCCESS PATHS (Cont.)

Columns: Critical Safety Functions; Safety-Related (AP600 | Reference Plant); Nonsafety-Related (AP600 | Reference Plant).

6. Inventory liigh-Pressure Injection High-Pressure Injection liigh-Pressure Injection High-Pressure CMT injection -

High head safety -

CVS makeup pumps Injection Accum and IRWST injection -

Accum / RNS -CVS makeup injection / ADS Low-Pressure Injection injection / partial pumps Low-Pressure Injection -

Accum injection ADS Accum / ADS -

Low head safety Low-Pressure Injection IRWST/ ADS injection -

RNS injection /

Long-Term Recirculation Long-Term Recirculation IRWST / partial ADS Containment -

Low head safety Long-Term Recirculation recirculation / ADS injection (supplying -

RNS recirculation /

p Refueling high head safety partial ADS

  • Refueling cavity injection pumps)

Containment makeup inventory Refueling Refueling Refueling cavity -

SFS makeup ,

inventory SFS makeup

NOTES for TABLE 3

1 The definitions for each column are as follows:

Unchanged: This category is selected for an AP600 success path where there are no operationally significant changes in either the SSC design or function allocation from the equivalent success path in current plants.

Modified: This category is selected for an AP600 success path where either the SSC design or its function allocation may be similar to the success path operation in typical Westinghouse PWRs, but where there are also some significant operational differences that must be considered for the functional requirements analysis.

New: This category is selected for an AP600 success path that may have a functional equivalent in current plants, but where a new system design feature is employed to perform specific functions in mitigating the consequences of an event. For example, the CMTs employ passive processes to provide high pressure injection that is provided by high head safety injection pumps in current plants.

As discussed in subsection 2.1.3, two aspects are considered in determining whether an AP600 success path is unchanged, modified, or new. The first aspect relates to the overall system design configuration or system arrangement. This is represented in Table 3 by the letter "D" for "design."

The second aspect relates to whether there are any differences in person-machine function allocation. The set of SSCs associated with an AP600 success path may be the same as for the generic Westinghouse PWR reference plant, but there may be changes in the level of automation. This second aspect of the comparison between the AP600 success paths and the corresponding success paths for the reference plant is represented in Table 3 by the letter "A" for "allocation."

The notes in the last column of Table 3 provide a brief summary description where there are differences between the AP600 and reference plant for the SSCs in the various success paths.

The abbreviation "SR" indicates "safety-related" SSCs and "NSR" indicates "nonsafety-related" SSCs. A list of abbreviations is provided at the beginning of this document.

2 Referenced "Items" refer to other entries in this table.


TABLE 3 (Subsection 2.1.3)
SUCCESS PATH DIFFERENCES

Columns: Critical Safety Function; Unchanged¹; Modified¹; New¹; Notes². The letters given in brackets after each item are the "D" (design) and "A" (allocation) entries from the Unchanged, Modified, and New columns, in the order they appear in the table.

1. Subcriticality

1.a Reactor trip (PMS) [A D]
The SR reactor trip functions are equivalent to those on the reference plant, but they are provided by the protection and safety monitoring system with a design architecture based on advanced, digital instrumentation and control hardware and software that is different from the solid state protection system design in the reference plant. The digital instrumentation and control architecture has been licensed to provide process control reactor trip inputs to the SSPS in the reference plant.

1.b Reactor trip (DAS) [D A]
The NSR DAS provides a diverse, automatic, and manual trip capability that was added based on the AP600 PRA evaluation recommendations. DAS provides actuation functions provided by I&C system hardware and architecture that is diverse from the PMS and PLS designs to protect against common-cause malfunctions. Although the DAS trip function is a new function, it is fundamentally an extension of the original Westinghouse AMSAC actuation capabilities for ATWS mitigation (only AFW actuation and turbine trip) and is performed using an improved system design. (Additional automatic and manual functions beyond these three basic AP600 ATWS functions were added to this system, based on PRA recommendations.)

1.c Control rod insertion (rod control system) [A D]
The NSR rod control system performs equivalent functions to the same system on the reference plant, but the AP600 architecture now uses advanced, digital instrumentation and control hardware and software that is different from those in the reference plant. The digital I&C architecture has been licensed to provide process control applications in the reference plant. Some of the types of power generation and distribution components, such as the motor-generator sets and the electrical breakers, are used for both the AP600 and the reference plant.

1.d Rideout [A D]
Rideout is a design capability of the plant, given that the operator is unable to initiate a reactor trip, but that turbine trip and heat removal have been actuated. The automatic actuation is performed by the AMSAC in the reference plant. The automatic actuation of these two functions is unchanged from the reference plant, but the DAS design is new, as discussed in Item 1.b, and the PRHR now performs the heat removal function performed by the AFW in the reference plant.

1.e CVS boration [A D]
See Item 6.a.

1.f CMT boration [D, A]
This is one of the SR passive design features that provides an equivalent boration function to that provided by the high head safety injection pumps in the reference plant.

2. Core Cooling

2.a Main feedwater [D, A]

2.b Startup feedwater [D A]
This system has an unchanged design and is functionally similar to the AFW system in the reference plant, but has been enhanced by providing automatic SG level control instead of manual control as on the reference plant. Therefore, the AP600 does not require post-event operator action to throttle back feedwater flow to prevent SG overfill and/or RCS overcooling, as required on the reference plant AFW system. This NSR design feature can also support the heat removal function, in conjunction with SG venting via the SG safety valves, steam dumps, or SG PORVs in Items 3.a and 3.b.

2.c PRHR [D, A]
This is one of the SR passive design features that provides an equivalent heat removal function to that provided by the SR AFW and SG safety valves in the reference plant. This SR design feature provides design basis heat removal, in conjunction with heat sink support in Items 3.d to 3.i.

2.d CMT injection [D, A]
This is one of the SR passive design features that provides an equivalent high-pressure safety injection function to that provided by the high head safety injection pumps in the reference plant. This SR design feature provides a defense-in-depth heat removal function, in conjunction with ADS venting.

2.e Accumulator injection [D, A]
This is one of the SR passive design features that provides intermediate pressure safety injection and is identical to the accumulators used in the reference plant. This SR design feature provides a defense-in-depth heat removal function, in conjunction with ADS venting.

2.f IRWST heat removal and injection [D, A]
This is one of the SR passive design features that provides an equivalent post-depressurization safety injection function to that provided by the low head safety injection pumps in the reference plant. This SR design feature provides a defense-in-depth heat removal function, in conjunction with ADS venting.

2.g Recirculation [D, A]
This is one of the SR passive design features that provides an equivalent post-depressurization safety recirculation function (after the IRWST empties) to that provided by the low head safety recirculation arrangement in the reference plant. This SR design feature provides a defense-in-depth heat removal function, in conjunction with ADS venting.

2.h ADS [D, A]
This is one of the SR passive design features that provides an RCS depressurization (venting) function to provide the transition between the various passive injection sources. Only a manual depressurization capability (using pressurizer PORVs) is provided in the reference plant. This SR design feature provides a defense-in-depth heat removal function, in conjunction with the various passive and active injection sources.

2.i RNS injection [D A]
The design of the RNS is essentially the same as the SR RHR system in current plants, except that the AP600 RNS is an NSR, defense-in-depth system that is not automatically actuated following an event. The RNS provides an NSR, defense-in-depth injection capability that must be manually aligned and actuated following an event, in conjunction with Items 3.f and 3.g. The SR RHR system in the reference plant provides the automatically actuated, design basis low-pressure safety injection capability. This NSR design feature provides a defense-in-depth heat removal function, in conjunction with ADS venting.

2.j RNS closed loop cooling (shutdown) [D, A]

2.k SFS cooling of refueling cavity (refueling) [D, A]

2.l Refueling cavity cooling (refueling) [D, A]

3. Heat Sink

3.a Steam dumps [D, A]
This NSR design feature provides the same defense-in-depth, heat sink function, in conjunction with main or startup feedwater to the SGs in Items 2.a and 2.b, as provided in the reference plant. This NSR design feature provides a heat sink function in conjunction with the operation of circulating water in Item 3.b.

3.b Circulating water [D, A]
This NSR design feature provides the same defense-in-depth, heat sink function in conjunction with the operation of steam dumps in Item 3.a, as provided in the reference plant.

TABLE 3 SUCCESS PATH DIFFERENCES (Cont.)

Critical Safety Function / Unchanged / Modified / New / Notes

3.c SG PORVs (D, A): This NSR design feature provides a defense-in-depth, heat sink function, in conjunction with main or startup feedwater to the SGs in Items 2.a and 2.b.

This component was also NSR (to open) in the reference plant, providing the NSR defense-in-depth heat sink function.

3.d Fan coolers (D, A): This NSR design feature provides a defense-in-depth, heat sink function, in conjunction with cooling water support in Items 3.e to 3.h. The fan coolers do not automatically actuate on a safety injection signal as they do in the reference plant, since they provide NSR defense-in-depth functions.

This component was SR in the reference plant and provided the SR design basis heat removal function.

3.e Chilled water (D, A): This NSR design feature provides a defense-in-depth, heat sink function, in conjunction with cooling water support in Items 3.f to 3.h.

This component was SR in the reference plant and provided the SR design basis heat removal function.

3.f Component cooling water (D, A): This NSR design feature provides a defense-in-depth, heat sink function, in conjunction with cooling water support in Items 3.g and 3.h.

This component was SR in the reference plant and provided the SR design basis heat removal function.

3.g Service water (D, A): This NSR design feature provides a defense-in-depth, heat sink function, in conjunction with heat sink support in Item 3.h.

This component was SR in the reference plant and provided the SR design basis heat removal function.

3.h Service water cooling tower and fan (D, A): This NSR design feature provides a defense-in-depth, heat sink function.

This component was SR in the reference plant and provided the SR design basis heat removal function.

3.i SG safety valves (D, A)

3.j RNS closed-loop cooling of the IRWST / PRHR (D, A): This NSR RNS can be used to remove heat from the IRWST. The manually actuated closed-loop cooling of the IRWST does not differ in any operationally significant way from the normal operation of RHR in the reference plant to support closed-loop RCS cooling (except that a different volume of water is being cooled).

3.k PCS water drain (D, A): This is one of the SR passive design features that provides an equivalent containment heat sink function to that provided by the fan cooler and support heat sink success path in the reference plant.

The SR design feature functions in conjunction with Item 3.l to provide SR design basis protection.

3.l Containment air cooling (external) (D, A): This is one of the SR passive design features that provides an equivalent containment heat sink function to that provided by the fan cooler and support heat sink success path in the reference plant.

The SR design feature functions in conjunction with Item 3.k to provide SR design basis protection. It can also function in conjunction with Item 3.m or alone to provide NSR defense-in-depth protection.

3.m Fire protection water drain (D, A): The NSR design feature functions in conjunction with Item 3.l to provide NSR defense-in-depth protection.

4. Integrity

4.a Steam dumps: See Item 3.a

4.b SG PORVs: See Item 3.c

4.c PRHR: See Item 2.c

4.d MSIVs and bypasses (D, A)

4.e Main feedwater: See Item 2.a

4.f Startup feedwater: See Item 2.b

4.g RNS: See Items 2.i and 2.j

4.h Pressurizer heaters (D, A)

4.i Pressurizer spray (D, A)

4.j Pressurizer auxiliary spray (D, A)

4.k ADS: See Item 2.h

4.l CVS makeup: See Items 1.e and 6.a

4.m CMT injection: See Item 2.d

4.n Accum injection: See Item 2.e

4.o CVS letdown: See Items 2.e and 6.a

4.p RV head vent letdown (D, A)

5. Containment

5.a Fan coolers: See Item 3.d

5.b Chilled water: See Item 3.e

5.c Component cooling water: See Item 3.f

5.d Service water: See Item 3.g

5.e Service water cooling tower and fan: See Item 3.h

5.f PCS water drain: See Item 3.k

5.g Containment air cooling (external): See Item 3.l

5.h Fire protection water drain: See Item 3.m

6. Inventory

6.a CVS injection (D, A): The CVS performs equivalent functions to the CVS on the reference plant, but the AP600 CVS makeup and letdown are not required to continuously operate for two reasons. Canned rotor RCPs are installed that eliminated the seal and associated continuous seal leakage in the reference plant design. Also, the AP600 purification subsystem uses RCP differential pressure to drive purification flow, which is different from the reference plant. RCS makeup is automatically actuated, but boration must be manually actuated. See Item 1.e for additional CVS information.

Although many of the operational features of the CVS are similar to the reference plant, some additional automatic actuation functions were added or changed as a result of these design differences.

6.b CMT: See Item 2.d

6.c Accumulator: See Item 2.e

6.d IRWST: See Item 2.f

6.e Recirculation: See Item 2.g

6.f ADS: See Item 2.h

6.g RNS injection: See Item 2.i

6.h Containment makeup (A, D): This SR makeup water piping flowpath allows manual addition of water to containment for long-term cooling using transportable equipment and available water sources.

6.i SFS makeup (refueling) (D, A)


NOTES for TABLE 4

1. The actuation, control, continuing operation, and operator monitoring of the various SSCs for the critical function success paths require operation of both I&C systems and electrical power systems. Following a loss of electrical power, the NSR emergency diesel-generators automatically start and load the appropriate front-line and support NSR defense-in-depth systems and also provide electrical power to both dc and UPS systems to provide power for actuation, control, and monitoring instrumentation. These SR and NSR SSCs are included in the following AP600 systems:

Instrumentation and Control Systems
- SR Protection and Safety Monitoring System
- NSR Plant Control System
- NSR Diverse Actuation System

Electrical Power Systems
- NSR Main ac Power System
- NSR Onsite Standby Power System (includes the NSR emergency diesel-generators)
- SR Class 1E dc and UPS System
- NSR Non-Class 1E dc and UPS System

2. Main feedwater is normally operating and does not automatically start, but automatically aligns to the startup feedwater discharge header. The startup feedwater flow control valves automatically throttle both main feedwater pump flow and startup feedwater pump flow in the startup feedwater supply header.

3. The RNS includes automatic temperature control of the inlet flow to the HX, but the operator manually controls the operating temperature for the automatic control circuitry.

4. Referenced "Items" refer to other entries in this table. A list of abbreviations is provided at the beginning of the document.

5. The actuation and control implementation schemes are discussed in subsection 3.2 and identified in this table. The appropriate codes are listed under the "actuation" and "control" columns. When automatic schemes exist with some type of manual actuation or control, "x" is included in the manual column to indicate the manual capability. If only manual control exists (and no automatic actuation or control function, as appropriate), then that scheme is indicated with "Man" in the actuation or control column instead of an "x."

6. Normally the operation of this component is passively controlled, but limited manual control is possible under certain special conditions. The first stage ADS valves are provided with the capability to be manually throttled, if an ADS actuation signal is not present. The PRHR discharge flow control valves are provided with the capability to be modulated, if a PRHR actuation signal is not present.


TABLE 4 (Subsection 3.2) SUCCESS PATH SSC ALLOCATIONS

Critical Safety Function / Actuation (Auto, Man) / Control (Auto, Man) / Comments

1. Subcriticality

1.a PMS reactor trip (Actuation: Para, x): SR PMS actuates reactor trip breakers.

These SSCs provide the SR design basis event response for reactor trip following all events.

1.b DAS reactor trip (Actuation: Para, x): NSR DAS diversely de-energizes the MG set output.

These SSCs provide NSR defense-in-depth event response for beyond-design-basis SR component failures.

1.c Control rod insertion (rod control system) (Actuation: Man): NSR rod control circuits can be manually de-energized using remotely-operated motor control center (MCC) supply breakers from the main control room or manually-operated local MCC or rod control system MG set breakers.

These SSCs provide NSR defense-in-depth event response for beyond-design-basis SR component failures.

1.d CVS boration (Actuation: Man; Control: Comp, x): NSR CVS makeup is normally aligned to automatically actuate and maintain programmed pressurizer level. CVS will automatically maintain the manually set boration parameters, but boration must be manually actuated for protection during events such as ATWS where pressurizer level is not expected to decrease. The boration process may also require manually initiating letdown to maintain RCS inventory.

- Comp, x: Boron concentration

These SSCs provide NSR defense-in-depth event response for beyond-design-basis SR component failures.

1.e CMT boration (Actuation: Para, x; Control: Pass): SR CMT injection / boration is automatically actuated. CMT injection passively controls the RCS boration flow by natural processes that depend on conditions such as the existing RCS inventory, flow, and voiding.

These SSCs provide SR defense-in-depth event response for beyond-design-basis SR component failures.

1.f Rideout (Actuation: Para, x; Control: Pass): Rideout requires automatic or manual actuation of turbine trip and PRHR. NSR DAS automatically initiates diverse reactor trip and turbine trip, along with PRHR actuation. (Rideout capability is enhanced by both design (larger pressurizer, more negative MTC, RCS pressure relief) and defense-in-depth (startup feedwater / PRHR, CVS boration / CMT boration).)

These SSCs provide SR and NSR defense-in-depth event response for beyond-design-basis SR and NSR component failures.

2. Core Cooling

2.a Main feedwater (Actuation: Sel (Note 2), x; Control: Sel, x'): NSR main feedwater is manually aligned and actuated on plant startup, normally operates during power operation, and automatically aligns to the startup feedwater automatic flow control valves following a reactor trip, to provide heat removal. It is designed to actuate before the SR PRHR and provide heat removal.

These SSCs provide the expected NSR defense-in-depth event response for non-LOCA events. This would be used in conjunction with Items 3.a (steam dumps) or 3.b (SG PORVs).

2.b Startup feedwater (Actuation: Sel, x; Control: Sel, x): NSR startup feedwater automatically starts and controls SG level following an event and automatically starts the standby pump if the operating pump fails. It is designed to actuate before the SR PRHR and provide heat removal.

This system is enhanced by providing automatic SG level control (in addition to automatic actuation), which does not require operator action to throttle back feedwater flow to prevent SG overfill and/or RCS overcooling, as is required for current plant AFW systems.

These SSCs provide NSR defense-in-depth event response for non-LOCA events. This would be used in conjunction with Item 3.a (steam dumps) or 3.b (SG PORVs).

2.c PRHR (Actuation: Para, x; Control: Pass, x'): SR PRHR is automatically actuated and normally operates with discharge isolation valves fully open, with heat removal controlled by natural processes that depend upon conditions such as RCS decay heat and flow and the IRWST conditions. The HX discharge isolation valves can be manually throttled under certain conditions.

Automatic actuation is designed to allow sufficient time for either main or startup feedwater to establish and maintain SG level control, if they are available.

These SSCs provide the SR design basis event response for non-LOCA events.

2.d CMT / Accum / RNS injection / IRWST / Recirculation / Partial ADS (Manual RCS feed and bleed operation):

1. (Actuation: Para, x; Control: Pass) SR CMTs actuate automatically and control RCS inventory by natural processes that depend on conditions such as the existing RCS inventory, flow, and voiding.

2. (Actuation: Pass; Control: Pass) SR accumulators are automatically actuated by operation of the discharge check valves that open based on RCS pressure. Injection is also automatically controlled by natural processes that depend upon the same conditions such as RCS pressure.

3. (Actuation: Man) NSR RNS must be manually aligned and actuated, but it requires no operator control to provide RCS injection from the SR IRWST or containment recirculation when the RCS is partially depressurized.

- Man: RNS suction is manually aligned to the IRWST / recirculation flowpath
- Sel, x: Automatic restart of operating pump on loss of power
- Para, x: Automatic pump shutoff on high containment radiation
- Man: Manual control of pump combinations and flow throttling

4. (Actuation: Para, x; Control: Pass, x') Automatic SR ADS actuation based on CMT level and manual system- and component-level ADS valve actuation. ADS vent flow is controlled by natural processes that depend on conditions such as RCS pressure and discharge backpressure.

These SSCs provide SR and NSR defense-in-depth event response for beyond-design-basis SR and NSR component failures. This event response sequence requires manual actions to initiate NSR RNS and maintain RCS inventory, thereby preventing significant steaming to containment and opening fourth-stage ADS valves, prior to automatic actuation of the backup SR design basis event response sequence in Item 2.e. Only partial ADS is required to decrease RCS pressure to within the pressure capability of the RNS.

2.e CMT / Accum / IRWST / Recirculation / Full ADS (Automatic and manual RCS feed and bleed operation):

1. (Actuation: Para, x; Control: Pass) SR CMTs actuate automatically on low pressurizer level or safety injection (SI) signal to automatically maintain RCS inventory w/o operator control.

2. (Actuation: Pass; Control: Pass) SR accumulators are automatically actuated by operation of the discharge check valves that open based on RCS pressure. Injection is also automatically controlled by natural processes that depend upon the same conditions such as RCS pressure.

3. (Actuation: Para, x; Control: Pass) SR IRWST injection automatically actuates and is controlled by the physical conditions within the RCS and containment.

4. (Actuation: Para, x; Control: Pass) SR containment recirculation automatically actuates and is controlled by the physical conditions within the RCS and containment.

5. (Actuation: Para, x; Control: Pass, x') Automatic SR ADS actuation is based on CMT level. Manual system- and component-level ADS valve control is also available. ADS vent flow is controlled by natural processes that depend on conditions such as RCS pressure and discharge backpressure.

These SSCs provide SR defense-in-depth event response for beyond-design-basis SR and NSR component failures.

2.f Accum / RNS injection / IRWST / Recirculation / Partial ADS:

1. (Actuation: Pass; Control: Pass) SR accumulators are automatically actuated by operation of the discharge check valves that open based on RCS pressure. Injection is also automatically controlled by natural processes that depend upon the same conditions such as RCS pressure.

2. (Actuation: Man) NSR RNS must be manually aligned and actuated, but it requires no operator control to provide RCS injection from the SR IRWST or containment recirculation when the RCS is partially depressurized.

- Man: RNS suction is manually aligned to the IRWST / recirculation flowpath
- Sel, x: Automatic restart of operating pump on loss of power
- Para, x: Automatic pump shutoff on high containment radiation
- Man: Manual control of pump combinations and flow throttling

3. (Actuation: Man; Control: Pass, x') Manual SR ADS actuation is required since CMTs are not available to provide automatic actuation. ADS vent flow is controlled by natural processes that depend on conditions such as RCS pressure and discharge backpressure.

These SSCs provide SR and NSR defense-in-depth event response for beyond-design-basis SR and NSR component failures. This event response sequence requires manual actions to initiate NSR RNS and maintain RCS inventory and is similar to the NSR manual RCS feed and bleed Item 2.d, except that beyond-design-basis failure of all CMTs occurs, thereby preventing automatic actuation of ADS. The same RNS actuation and control capabilities exist as in Item 2.d. Only partial ADS is required to decrease RCS pressure to within the pressure capability of the RNS.

2.g Accum / IRWST / Recirculation / ADS:

1. (Actuation: Pass; Control: Pass) SR accumulators are automatically actuated by operation of the discharge check valves that open based on RCS pressure. Injection is also automatically controlled by natural processes that depend upon the same conditions such as RCS pressure.

2. (Actuation: Para, x; Control: Pass) SR IRWST injection automatically actuates and is controlled by the physical conditions within the RCS and containment.

3. (Actuation: Para, x; Control: Pass) SR containment recirculation automatically actuates and is controlled by the physical conditions within the RCS and containment.

4. (Actuation: Man; Control: Pass, x') Manual SR ADS actuation is required since CMTs are not available to provide automatic actuation. ADS vent flow is controlled by natural processes that depend on conditions such as RCS pressure and discharge backpressure.

These SSCs provide SR defense-in-depth event response for beyond-design-basis SR and NSR component failures. This event response is similar to the SR event response of Item 2.e except that beyond-design-basis failure of all CMTs occurs, thereby preventing automatic actuation of ADS. Therefore, manual ADS is required and subsequent automatic actuation of the other SR components occurs.

2.h RNS closed-loop cooling (shutdown) (Actuation: Man): NSR RNS is manually aligned and actuated to provide closed-loop RCS cooling and some manual control of the cooling process is possible.

- Sel, x: Automatic restart of operating pump on loss of power
- Para, x: Automatic pump shutoff on high containment radiation
- Comp (Note 5), x (Note 3): Automatic control of RNS HX inlet (RCS) temperature by throttling CCS flow to the RNS HX
- Man: Manual control of pump combinations and flow throttling

These SSCs provide the expected NSR defense-in-depth event response during shutdown conditions. This NSR shutdown cooling mode operates in conjunction with the heat sink described in Item 3.i (CCS/SW) and does not require ADS venting for heat removal as required in Items 2.d or 2.f, where RNS is providing RCS injection.

2.i SFS cooling of refueling cavity (refueling) (Man, x): NSR SFS is manually aligned and actuated to provide refueling cavity cooling and automatically starts the standby pump if the operating pump fails. Some manual control of the cooling process is possible.

- Man: Manual control of pump combinations

These SSCs provide the NSR defense-in-depth event response for beyond-design-basis NSR component failures during shutdown conditions. This NSR shutdown cooling mode operates in conjunction with the heat sink described in Item 3.i (CCS/SWS).

2.j Refueling cavity cooling (refueling) (Actuation: Pass; Control: Pass): SR refueling cavity cooling is automatically available during shutdown modes when the reactor vessel head is removed and the refueling cavity is flooded up. The heat capacity of this large volume of refueling cavity water provides a heat sink with heatup to boiling, controlled by natural processes that depend on conditions such as the core decay heat load and water circulation in the RV and refueling pool.

- Man: Makeup water can be manually re-supplied as refueling cavity water boils off.

These SSCs provide the SR design basis event response for multiple NSR component failures during shutdown conditions.

2.k IRWST injection / venting (shutdown) (Actuation: Para, x; Control: Pass): SR IRWST automatically actuates to provide RCS injection when the RCS is fully depressurized and the ADS valves are required to be open or the RCS is opened to provide sufficient steam venting area. Injection and RCS heat removal are controlled by natural processes that depend on conditions such as core decay heat levels and IRWST level.

These SSCs provide SR design basis or defense-in-depth event response, depending on the specific event.

3. Heat Sink

3.a Steam dumps / circulating water (Actuation: Sel/Comp, x; Control: Comp, x):

1. NSR steam dumps automatically actuate and automatically maintain the programmed Tave following an event. Following a reactor trip, operation is manually selected to a mode where the steam dumps automatically control the SG pressure at a value selected by the operator.

2. (Actuation: Man) NSR circulating water system is manually aligned and actuated on plant startup, normally operates during power operation, and no actions are expected to be needed or taken to maintain this system as a post-accident heat sink except to manually restart a pump following power recovery after a loss of site power.

This NSR design feature provides the normal defense-in-depth, heat sink function, in conjunction with main or startup feedwater to the SGs in Items 2.a (main feedwater) and 2.b (startup feedwater).

3.b SG PORVs (Actuation: Comp, x; Control: Comp, x):

1. NSR SG PORVs automatically actuate and automatically maintain the SG pressure at a value selected by the operator.

This NSR design feature provides a defense-in-depth, heat sink function, in conjunction with main or startup feedwater to the SGs in Items 2.a (main feedwater) and 2.b (startup feedwater).

3.c Fan coolers / chilled water / component cooling water / service water / SW cooling tower fan (Actuation: Sel, x; Control: Comp, x):

1. NSR fan coolers are manually aligned and actuated on plant startup, normally operate during power operation, automatically start the standby fan coolers, and automatically maintain preset discharge temperatures during power operation.

- Sel, x: Automatic start of standby fan cooler
- Comp, x: Automatic control of discharge air temperature by throttling chilled water flow to the cooling coils
- Man: Manual control of fan cooler combinations and flow throttling

2. (Actuation: Sel, x) Both NSR chilled water systems are manually aligned and actuated on plant startup, normally operate during power operation, automatically start the standby chiller unit if the operating unit fails, automatically maintain chilled water outlet temperature, and automatically control individual cooler bypass valves to maintain associated heating, ventilation and air-conditioning (HVAC) system discharge air temperature.

- Sel, x: Automatic re-start following loss of power
- Sel, x: Automatic start of standby unit and shutdown of faulted chiller
- Man: Manual control of chiller combinations and flow throttling

3. See Item 3.i for discussion of NSR component cooling water operation.

4. See Item 3.i for discussion of NSR service water operation.

These SSCs provide the expected NSR defense-in-depth event response.

3.d SG safety valves (Actuation: Passive): SR SG safety valves automatically open at the high-pressure relief set point to discharge steam from the SG to remove decay heat. The safety valves automatically re-close when SG pressure is subsequently reduced. These valves provide a backup to the SG PORVs since the safety valve relief set point is above the SG PORV operating set point.

- x: Safety valves can be manually gagged.

These SSCs provide the expected NSR defense-in-depth event response for non-LOCA events. This would be used in conjunction with Item 2.a (main feedwater) or 3.b (AFW).

3.e RNS closed-loop cooling of IRWST (Actuation: Man): NSR RNS is manually aligned and actuated to provide closed-loop IRWST cooling and some manual control of the cooling process is possible.

- Sel, x: Automatic restart of operating pump on loss of power
- Para, x: Automatic pump shutoff on high containment radiation
- Comp (Note 5), x (Note 3): Automatic control of RNS HX inlet (IRWST) temperature by throttling CCS flow to the RNS HX
- Man: Manual control of pump combinations and flow throttling

These SSCs provide NSR defense-in-depth event response following beyond-design-basis NSR component failures.

This event response can prevent steaming to containment when IRWST heating occurs, such as following PRHR or ADS actuation, but no other containment steaming source such as a LOCA or steam break event has occurred. This NSR heat sink mode operates in conjunction with the heat sink described in Item 3.i (CCS/SW).

3.f PCS drain / air cooling (Actuation: Para, x; Control: Pass):

1. SR PCS automatically actuates water drain on the containment shell, with convective / evaporative heat transfer controlled by natural processes that depend on conditions such as containment temperature, PCS storage tank level, and water coverage.

2. (Actuation: Pass; Control: Pass) SR natural convection air flow on the outside of the containment shell continuously exists and the convective / evaporative heat transfer is controlled by natural processes that depend on conditions such as containment temperature and ambient air temperature.

These SSCs provide the SR design basis event response.

3.g Fire protection drain / air cooling (Actuation: Man; Control: Comp, x):

1. The NSR fire protection system can be manually aligned and actuated to provide water to either the PCS storage tank or directly to the water distribution bucket above the containment shell. The water flow to the PCS is automatically controlled by fire protection system design conditions such as system flow characteristics. The water flow to the distribution bucket is manually controlled by the fire protection system alignment (flowpath to tank or distribution bucket). The convective / evaporative heat transfer is controlled by natural processes that depend on conditions such as containment temperature, PCS storage tank level, and water coverage.

- Sel, x: Automatic start of standby pump

2. (Actuation: Pass; Control: Pass) SR natural convection air flow on the outside of the containment shell continuously exists and the convective / evaporative heat transfer is controlled by natural processes that depend on conditions such as containment temperature and ambient air temperature.

These SSCs provide SR and NSR defense-in-depth event responses for beyond-design-basis SR and NSR component failures.

3.h Air cooling w/o PCS or fire protection drain (Actuation: Pass; Control: Pass): SR natural convection air flow on the outside of the containment shell continuously exists and the convective / evaporative heat transfer is controlled by natural processes that depend on conditions such as containment temperature and ambient air temperature. Air flow can provide containment heat removal even in the event that water drain is unavailable.

These SSCs provide SR defense-in-depth event response for beyond-design-basis SR and NSR component failures.

3.i Component cooling water / service water / SW cooling tower fan (shutdown) (Actuation: Sel, x):

1. Component cooling water is manually aligned and actuated on plant startup, normally operates during power and shutdown operation, and automatically starts the standby pump if the operating pump fails.

- Sel, x: Automatic start of standby pump
- Comp (Note 5), x: Automatic control of CCS flow to the RNS HX based on RNS HX inlet (RCS) temperature
- Man: Manual control of pump combinations

2. (Actuation: Sel, x) Service water is manually aligned and actuated on plant startup, normally operates during power operation, and automatically starts the standby pump if the operating pump fails.

- Sel, x: Automatic start of standby pump
- Sel, x; Sel, x: Automatic operation of cooling tower fans to control system temperature

These SSCs provide the expected NSR defense-in-depth event response. These NSR systems are manually aligned and actuated on plant startup, normally operate during power operation, and automatically operate as indicated to support plant operation and defense-in-depth event mitigation.

4. Integrity

4.a Stop excessive RCS cooldown (SG PORVs, Steam dumps, PRHR, MSIVs, Main/startup feedwater, RNS) (Actuation: Sel, x; Control: Sel, x): The identified NSR SSCs are verified for proper operation and manually controlled as necessary to stop any excessive RCS cooldown, which could lead to pressurized thermal shock or cold overpressurization. The excessive cooldown could be due to the consequences of the event, the subsequent actuation of the associated SSCs, or the actuation or control failures for the associated SSCs.

The identified SR SSCs are actuated and controlled as follows:

- Para, x; Pass, x': PRHR (See Item 2.c for additional information.)
- Para, x: MSIVs

These SSCs provide the expected SR and NSR defense-in-depth event response.

4.b Stop excessive RCS pressurization (Pressure control SSCs: Pressurizer heaters, Pressurizer spray, Pressurizer aux spray, ADS; Inventory control SSCs: CVS makeup, CMT injection, Accum injection, CVS letdown, RV head vent letdown) (Actuation: Sel, x; Control: Sel, x): The identified NSR SSCs are verified for proper operation and manually controlled as necessary to stop any excessive RCS overpressurization, which could lead to pressurized thermal shock or cold overpressurization. The overpressurization could be due to the consequences of the event, the subsequent actuation of the associated SSCs, or the actuation or control failures for the associated SSCs.

The identified SR SSCs are actuated and controlled as follows:

- Para, x; Pass: CMT injection
- Para, x; Pass, x': ADS
- Pass; Pass: Accumulator injection
- Man: RV head vent letdown

These SSCs provide the expected SR and NSR defense-in-depth event response.

5. Co=*=I==ent The same design features that satisfy the heat sink CSF are also used to satisfy the containment CSF.

5.a Fan coolers / See Item 3.c j chilled water /

component cooling water / service water J

/ SWS cooling tower I

-fan I i-5.b PCS drain / air See Item 3.f cooling

]

5.c Fire protection drain See Item 3.g 1

- / air cooling  !

5.d Air cooling w/o See Item 3.h PCS or fire protection drain .

6. Inventory With the exception of the Items 6.a.

6.f. and 6.g. the same design features that satisfy the core cooling CSF are

also used to satisfy the inventory CSF.

t a

i 1

Revaion 0 m:u2ew.1.wpcltrico296 T-36 Sepember 1996

TABLE 4 SUCCESS PATII SSC ALLOCATIONS (Cont.)

Actuation Control Critical Safety Function' Auto Man Auto Man Comments * '

6.a CVS injection Sel x NSR CVS makeup pumps are manually aligned for periodic automatic actuation during poveer operation and following any event where RCS inventory decreases. It is designed to actuate and provide RCS makeup before automatic actuation of SR injection sources following events where RCS inventory is lost.

Comp x -

RCS makeup flow rate and boron concentration Man -

Manual control of pump combinations These SSCs provide the expected NSR defense-in-depth event response for RCS leak. His NSR RCS injection source operates in conjunction with the heat sink described in Item 3.i (CCS/SWS) 6.b CMT / accum / RNS See Item 2.d injection / IRWST /

Recirculation /

Partial ADS 6.c CMT / accum / See Item 2.e IRWST /

Recirculation / Full ADS 6.d Accum / RNS See Item 2.f injection / IRWST /

Recirculation /

Partial ADS 6.e Accum / IRWST / See Item 2.g Full ADS Revuion 0 mA3243w-1.wpf:Ib-1002% T-37 September 1996

TABLE 4 SUCCESS PATH SSC ALLOCATIONS (Cont.)

Actuation Control Critical Safety Function' Auto Man Auto Man Comments * * ,

6.f IRWST injection / Para x Pass SR IRWST automatically actuates to venting (shutdown) provide RCS injection when the RCS is fully depressurized and the ADS valves -

are required to be open or the RCS is opened and can provide sufficient vent area. Injection and RCS heat removal are controlled by natural processes that depend on conditions such as core decay heat levels and IRWST level.

Man Man SR IRWST gravity injection to the RCS can also be manually aligned and controlled through the RNS when the RNS is aligned to the RCS.

These SSCs provide SR design basis or defense-in-depth event response, depending on the specific event.

6.g Containment Man Man NSR long-term (after 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />) i makeup makeup water is provided to I containment through an SR piping connection in the RNS.

'Ihese SSCs provide NSR defense-in-depth event response for beyond-design-basis SR and NSR component failures.

I 6.h Spent Fuel Pool Man NSR SFS is manually aligned and  !

Cooling System actuated to provide RCS / refueling (SFS) makeup cavity makeup when the RCS is fully (refueling) depressurized and open for refueling.

Requires operator control to maintain the required spent fuel pool inventory.

Man - Manual control of pump combinations

'Ihese SSCs provide NSR defense-in-  ;

depth event response for beyond-design-basis SR and NSR component failures.

Revision 0 m \3243w-1.wpf:Ib-100296 T-38 september 1996

TABLE 5 (Subsection 3.3)

FUNCTION ALLOCATION BASIS CODES (Paths in Figure 1 shown in parentheses)

Automatic
A1 The operator is NOT able to perform the required task due to human limitations. (1b, 2, 10)
A2 Automation is necessary due to regulatory design requirements. (1c, 2, 10)
A3 Automation is necessary due to utility design requirements. (1c, 2, 10)
A4 Automation provides a safety benefit as identified in the PRA. (5a, 5b(2), 10)
A5 Automation is preferred based on operating experience. (5a, 5b(1), 10)
A6 Automation is preferred due to concerns for operator overload. (5a, 5b(4), 10)
A7 Automation is inherent in the passive design. (5a, 5b(3), 10)
A8 Tasks are not well suited to human performance and are better suited to automation. (7a-f, 10)

Manual
M1 Human performance is required because automation is not technically feasible. (3a, 4, 11)
M2 Human performance is required by design recommendations or requirements. (3b, 4, 11)
M3 Human performance is preferred because of consideration of safety requirements, task complexity, cost/benefit considerations to implement automation, and the value of human judgement. (6a, 11)

NOTES:

(1) Referenced "Items" refer to other entries in this table. A list of abbreviations is provided at the beginning of this document.

TABLE 5 (Subsection 3.3)

FUNCTION ALLOCATION BASIS

Function | Success Path(s) in Table 4 | Allocation Basis Code | Automated on the Reference Plant | Notes (1)

1. Subcriticality
a. Reactor trip (PMS) | 1.a | A2 | x |
b. Reactor trip (DAS) | 1.b | A4 | |
c. Control rod insertion (rod control system) | 1.c | M3 | | Manual insertion is a backup to multiple beyond-design-basis failures of automatic PMS and DAS reactor trips in Items 1.a and 1.b.
d. Rideout | 1.f | A2 | x |
e. CVS boration | 1.d, 4.b, 6.a | M3, A3 | | The URD only requires automatic CVS makeup based on maintaining programmed pressurizer level. Automatic boration can occur for certain events as a result of automatic boron dilution protection that isolates makeup water.
f. CMT boration | 1.e | A2 | |

2. Core Cooling
a. Main feedwater | 2.a, 4.a | A6 | x |
b. Startup feedwater | 2.b, 4.a | A3, A6 | x |
c. PRHR | 2.c, 4.a | A2 | |
d. CMT injection | 2.d, 2.e, 4.b, 6.b, 6.c | A2 | |
e. Accumulator injection | 2.d, 2.e, 2.f, 2.g, 4.b, 6.b, 6.c, 6.d, 6.e | A7 | x |
f. IRWST heat removal and injection | 2.d, 2.e, 2.f, 2.g, 2.k, 6.b, 6.c, 6.d, 6.e, 6.f | A2 | |
g. Recirculation | 2.d, 2.e, 2.f, 2.g, 6.b, 6.c, 6.d | A2 | x |
h. ADS | 2.d, 2.e, 2.f, 2.g, 2.k, 4.b, 6.b, 6.c, 6.d, 6.e, 6.f | A2 | |
i. RNS injection | 2.d, 2.f, 4.a, 6.b, 6.d | M3, A4 | |
j. RNS closed loop cooling (shutdown) | 2.h, 4.a | M3, A4 | |
k. SFS cooling of refueling cavity (refueling) | 2.i | M3 | |
l. Refueling cavity cooling (refueling) | 2.j | A7 | x |

3. Heat Sink
a. Steam dumps | 3.a, 4.a | A3 | x |
b. Circulating water | 3.a | M3 | x |
c. SG PORVs | 3.a, 4.a | A3 | x |
d. Fan coolers | 3.c, 5.a | A3 | x |
e. Chilled water | 3.c, 5.a | A3 | x |
f. Component cooling water | 3.c, 3.i, 5.a | A3 | x |
g. Service water | 3.c, 3.i, 5.a | A3 | x |
h. SG safety valves | 3.d | A2 | x |
i. Service water cooling tower and fan | 3.c, 3.i, 5.a | A3 | x |
j. RNS closed-loop cooling of the IRWST/PRHR | 3.e, 4.a | M3, A6 | |
k. PCS water drain | 3.f, 5.b, 5.e | A3 | |
l. Containment air cooling (external) | 3.f, 3.g, 3.h, 5.b, 5.c, 5.d | A7 | |
m. Fire protection water drain | 3.g, 5.c, 5.f | M3 | x |

4. Integrity
a. Steam dumps | See Item 3.a
b. SG PORVs | See Item 3.c
c. PRHR | See Item 2.c
d. MSIVs and bypasses | 4.a | A2 | x |
e. Main feedwater | See Item 2.a
f. Startup feedwater | See Item 2.b
g. RNS | See Items 2.i and 2.j
h. Pressurizer heaters | 4.b | A5 | x |
i. Pressurizer spray | 4.b | A5 | x |
j. Pressurizer auxiliary spray | 4.b | M3 | |
k. ADS | See Item 2.h
l. CVS injection | See Items 1.d and 6.a
m. CMT injection | See Item 2.d
n. Accumulator injection | See Item 2.e
o. CVS letdown | See Items 1.d and 6.a
p. RV head vent letdown | 4.b | M3 | |

5. Containment
a. Fan coolers | See Item 3.d
b. Chilled water | See Item 3.e
c. Component cooling water | See Item 3.f
d. Service water | See Item 3.g
e. Service water cooling tower and fan | See Item 3.h
f. PCS water drain | See Item 3.k
g. Containment air cooling (external) | See Item 3.l
h. Fire protection water drain | See Item 3.m

6. Inventory
a. CVS injection | 1.d, 4.b, 6.a | A3 | x |
b. CMT | See Item 2.d
c. Accumulator | See Item 2.e
d. IRWST | See Item 2.f
e. Recirculation | See Item 2.g
f. ADS | See Item 2.h
g. RNS injection | See Item 2.i
h. Containment makeup | 6.g | M1 | |
i. SFS makeup (refueling) | 6.h | M3 | |

TABLE 6 FUNCTION ALLOCATION QUESTIONS

1. Is automation mandatory?
a. Are working conditions hostile to humans?
b. Are tasks included that humans cannot perform? (Consider speed, complexity, strength, computation, etc.)
c. Is automation required by regulatory or utility requirements? (One of the following documents: URD.)

2. Is automation technically feasible?
Consider availability of technology, cost, development and implementation, and scheduling issues.

3. Is human performance mandatory?
a. Is automation not technically feasible?
b. Is operator involvement required by design requirements? (Regulatory, utility, or design requirements.)

4. Is human performance a feasible solution?
a. Can humans perform the specified tasks?
b. Will operator workload be manageable?

5. Is automation clearly preferable to human operators?
a. Can automation technology be effectively implemented?
b. Is human performance clearly less satisfactory for one of the following reasons?
   (1) Does operating experience suggest a need for automation?
   (2) Does PRA analysis suggest a need for automation?
   (3) Does an effective AP600 design require automation?
   (4) Are operator tasks likely to lead to overload if allocated to human performance?

6. Is human performance clearly preferable to automation?
a. Is human performance regarded as clearly necessary, or superior to automation? (Consider operating experience, safety significance, need for human judgement, special human capabilities, cost, barriers to the development and implementation of automation, and scheduling issues.)

7. Is the segment a suitable candidate for automation?
a. Is the segment comprised of mechanistic or repetitive tasks?
b. Does the segment require sustained vigilance?
c. Does the segment require extremely rapid or consistent response?
d. Is the segment comprised of well-defined and highly predictable conditions, actions, and outcomes?
e. Is the segment likely to be required at the same time as a large (i.e., excessive) number of other tasks?
f. Does the segment require the collection, storage, manipulation, or recall of data in substantial amounts, or with high accuracy?

8. Is the segment suitable for human operator performance?
a. Is it within the realm of human strengths and capabilities?
b. Will the task form an appropriate and satisfactory part of an operator's job? (i.e., it cannot be trivial, demeaning, or comprised of leftovers)
c. Will it allow the operator to maintain a satisfactory workload? (i.e., neither too high nor too low)

9. If any segments remain unallocated, apply the following criteria:
a. Comparative cost of human and automated options
b. Consistency with preceding design goals and selections
c. Available technologies
d. Customer preference
e. Operator acceptance

10. Consider the residual role of the human operator in support of the automated function. (See text for guiding principles.)

11. Consider residual automated and control system support for the operator. (See text for guiding principles.)

Figure 1. Function Allocation Decision Process

(Flowchart; only fragments are legible in this extraction. The chart walks through the Table 6 questions, beginning with "1. Is automation mandatory?", "2. Is automation technically feasible?" and "3. Is human performance mandatory?", with YES/NO branches leading to the outcomes "allocate to auto", "tentatively allocate to human" and "allocate to human", and ending with Questions 10 and 11 on the residual role of the operator and residual automated support for the operator.)