ML20129C296

Safety Evaluation, Maine Yankee Atomic Power Co, SPDS
ML20129C296
Person / Time
Site: Maine Yankee
Issue date: 05/31/1985
From:
Maine Yankee
To:
Shared Package
ML20129C276 List:
References
5793L-SEN, NUDOCS 8506050463


Text

{{#Wiki_filter:
MAINE YANKEE ATOMIC POWER COMPANY

SAFETY EVALUATION

MAINE YANKEE ATOMIC POWER COMPANY

SAFETY PARAMETER DISPLAY SYSTEM

MAY 1985

TABLE OF CONTENTS

0.0  EXECUTIVE SUMMARY ................................................ 1
1.0  INTRODUCTION ..................................................... 2
2.0  CRITICAL SAFETY FUNCTIONS - PARAMETER SELECTION .................. 4
3.0  DISPLAYS ......................................................... 8
4.0  COMPUTER HARDWARE ................................................ 11
5.0  INSTRUMENTATION AND CONTROLS ..................................... 12
6.0  HUMAN FACTORS .................................................... 13
7.0  SOFTWARE ......................................................... 15
8.0  VERIFICATION AND VALIDATION ...................................... 20
9.0  CONCLUSION ....................................................... 23
10.0 REFERENCES ....................................................... 24
ENCLOSURE A - SPDS Inputs to Critical Safety Functions ................ 3 pages
ENCLOSURE B - SPDS Displays Description ............................... 3 pages

0.0 EXECUTIVE SUMMARY

The Maine Yankee Safety Parameter Display System (SPDS) is designed to assist plant personnel in assessing plant status during normal and off-normal conditions. The SPDS complements the Maine Yankee emergency operating procedures by monitoring the six critical safety functions (CSFs) tracked by the EOPs, and by providing consolidated displays of the parameters supporting each CSF. It is not intended that the operator use only the SPDS for resolution of a transient. The electrical analog of each of the parameters displayed by the SPDS is also available on the main control board or on one of the adjacent auxiliary panels. The instruments which display these parameters are the same the operators have been trained to use, and their acceptability has been confirmed through human factors task analysis walk-throughs and by years of use.

The general design of the SPDS has been based on industry research since TMI-2 by the Electric Power Research Institute and the Nuclear Safety Analysis Center. Plant-specific portions for monitoring of the plant Critical Safety Functions (CSFs) are designed to support the EOPs by maintaining six (6) critical functions: (a) subcriticality, (b) core cooling, (c) heat sink, (d) RCS integrity, (e) containment, and (f) inventory. Maine Yankee's SPDS is a single channel system containing sufficient inputs to support each of the CSFs. Class 1E inputs are electrically isolated from the non-Class 1E computer system and displays.

Duplicate displays of the Control Room SPDS are located in the Technical Support Center (TSC) and Emergency Operations Facility (EOF), both of which are located in the Staff Building. These additional stations aid the plant technical staff in evaluating transient conditions and providing guidance and direction to the plant operational staff.

The parameters displayed on the SPDS were chosen to provide a proper indication of the critical safety functions tracked by the EOPs. A verification and validation program will be completed prior to implementing the SPDS to ensure the parameters are valid and appropriate. The SPDS is electronically isolated from the safety related equipment and sensors so as not to interfere with their safety related function. The SPDS displays have been designed using accepted human factors principles to provide reasonable assurance that the information provided will be readily perceived and comprehended by the user.

5793L-SEN

1.0 INTRODUCTION

The Maine Yankee Safety Parameter Display System is designed to assist plant personnel in assessing plant status during normal and off-normal conditions. The general design of the SPDS is based on industry research since TMI-2 by the Electric Power Research Institute and the Nuclear Safety Analysis Center. Plant-specific portions for monitoring the plant Critical Safety Functions (CSFs) are designed to support Maine Yankee's emergency operating procedures (EOPs). Maine Yankee is in the process of upgrading our existing EOPs. Westinghouse has been chosen to assist us in this effort. The Westinghouse based EOPs are developed for a broad range of operational events, and rely on a defense-in-depth philosophy which results in a plant-specific set of six Critical Safety Functions. It is intended that the operator use the EOPs to respond to a transient condition, and the SPDS provides information to assist the operator.

The SPDS monitors the six Critical Safety Functions and provides consolidated displays of the parameters supporting each CSF. The SPDS is available at four locations; two in the Main Control Room, and one each in the Emergency Operations Facility and the Technical Support Center. The additional stations aid the plant technical staff in evaluating transient conditions and providing guidance and direction to the plant operational staff.

The primary parameters in SPDS are those which provide the information necessary to maintain a particular CSF. The electrical analog of each of these parameters is available on the main control board or on one of the adjacent auxiliary panels. The instruments which display these parameters are the ones which support the EOPs and which the operator has been trained to use; human factors and task analysis walk-throughs have confirmed these instruments as being adequate. Additional alarm or pre-alarm setpoints are provided to aid the operator in detecting possible transients before they occur.

The following sections describe each of the major features of the Maine Yankee SPDS in more detail and show that:
(a) The variables displayed on the SPDS are sufficient to provide a proper assessment of the critical safety functions;
(b) The SPDS is isolated from electrical and electronic interference to equipment and sensors that are used in safety systems;
(c) Means are provided to ensure that the data displayed are valid; and
(d) It has been demonstrated that the characteristics of the SPDS displays are sufficient to allow reasonable assurance that the information provided will be readily perceived and comprehended by its users.

2.0 CRITICAL SAFETY FUNCTIONS - PARAMETER SELECTION

2.1 General

The main role of the SPDS is to aid the operators in determining the status of the CSFs. Selection of parameters to support the CSFs is concentrated on those parameters which actually contribute to providing an indication of the status of the CSFs. Primary parameters provide this indication. Secondary parameters provide additional or verifying information.

At Maine Yankee, the EOPs are derived from the Westinghouse Owners Group Emergency Response Guidelines (ERGs), the human factors task analysis, and USNRC Regulatory Guide 1.97. The CSFs and their support parameters are based upon these integrated guidelines. The Westinghouse-based EOPs are developed for a broad range of operational events. The EOPs rely on a defense-in-depth philosophy which results in a plant-specific set of six (6) critical safety functions. The EOPs are symptom/function orientated, and are intended to assist the operator in maintaining the critical safety functions. By maintaining the CSFs, the goal of minimizing radioactive releases is met. The Maine Yankee emergency operating procedure defense-in-depth philosophy ensures the following:
- Fuel matrix and cladding integrity
- Reactor Cooling System integrity
- Containment integrity

Each of the six (6) CSFs has an order of priority which is based on that CSF's importance in maintaining the above philosophy. The six (6) critical safety functions, in order of priority, are:
(a) Subcriticality
(b) Core cooling
(c) Heat sink
(d) Integrity
(e) Containment
(f) Inventory

The ERGs set forth minimum instrumentation requirements needed to adequately support each of the critical safety functions. By reviewing the task requirements for each CSF and comparing those requirements to the Maine Yankee plant-specific design requirements, a basic list of support parameters is created. A review of the Westinghouse Functional Recovery Guidelines (FRGs), including the Fault Tree matrices, provides additional parameters to complete the list of primary CSF support parameters. Additional safety class and non-safety class instrumentation are also added to the list to provide secondary indication or to ensure data integrity. Enclosure (A) lists the parameters which support each critical safety function.

2.2 Critical Safety Functions

2.2.1 Subcriticality

This CSF addresses symptoms associated with Anticipated Transient Without Scram (ATWS), a return to power condition, and loss of core shutdown margin.

2.2.2 Core Cooling

This CSF concerns symptoms associated with inadequate, degraded, and saturated core cooling conditions resulting from depletion of water in the reactor coolant system.

2.2.3 Heat Sink

This category addresses symptoms associated with inadequate secondary heat sink resulting from depletion of water in all three steam generators. Also included are the following conditions in any steam generator: (a) high level, (b) low level, (c) overpressure, and (d) loss of normal steam release capability.

2.2.4 Integrity

This CSF addresses symptoms associated with imminent and anticipated pressurized thermal shock conditions and cold overpressure conditions of the RCS.

2.2.5 Containment

This CSF concerns symptoms associated with potential containment overpressure (including hydrogen), flooding and high radiation.

2.2.6 Inventory

This category concerns symptoms associated with high pressurizer level, low pressurizer level and voids in the reactor vessel.

2.3 Emergency Operating Procedures

2.3.1 General

The Emergency Operating Procedures (EOPs) are broken down into two major groups. The first group, Optimal Recovery Procedures, deals with the control manipulation and feedback mechanisms performed and monitored by Reactor Operators. The second group, Status Trees and Function Restoration Procedures (FRPs), are used in conjunction with the SPDS in order to monitor the critical safety functions. The critical safety functions, as a set, define the plant safety state. The status trees for each of the six critical safety functions aid the Plant Shift Supervisor and Nuclear Safety Engineer in determining which CSF restoration needs to be addressed. The information required by the CSF status trees and by the FRPs is displayed on the SPDS.

To ensure the usability of the SPDS, the SPDS design process was integrated with the EOPs through the Emergency Response Capabilities Integration Program (ERCIP) Steering Committee. The EOP upgrade working group and the SPDS working group developed the initial EOPs and SPDS functional description independently. Certain verification steps, however, were developed together to accomplish the required integration (see Section 8.0 Verification and Validation). For instance, Westinghouse, through the development of the Functional Restoration Guidelines, defined the list of required instrumentation and controls. This list was compared to the Maine Yankee SPDS parameter list as part of the integration effort with the EOPs. Prior to implementation the EOPs and SPDS will be validated using the Maine Yankee simulator and simulated event walk-throughs to ensure their compatibility.

2.4 Data Integrity

2.4.1 General

It is important that the operator be confident that the information on a particular SPDS display is accurate. Even though the SPDS provides no control functions or advisory actions, any inconsistency between information provided by the SPDS and the main control board could lead to confusion. Operator action will be taken only after first consulting the instruments on the main control board and verifying the information.

2.4.2 Loop Failure - Fail To Zero

An important consideration with any instrument loop is indication of loop failure. Any loop which shows a zero volt output will be considered as having failed. Such failures will be indicated on digital displays by replacing the numerals with "FAIL". Bar graphs will disappear, and trended graphs will stop at the failure point.

Prior to implementation, each algorithm will be walked-through to show that no single loop failure will destroy all support indication for a particular CSF.

2.4.3 Loop Failure - Fail To Non-Zero

A continuous comparison with the other loops will be done for the Class 1E instrument channels. For three instrument channels on three different loops providing the same information, this comparison will detect any large differences. The acceptable differences will be defined for each parameter.

If a particular channel is deemed to be out of tolerance, then a comparison of that information will be made with non-isolated data. If the original channel is then declared incorrect, the digital display value will change color, indicating that the reading is possibly incorrect. At that point, the operator will check redundant Class 1E main control board mounted instrumentation for the correct values.
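The loop-failure checks of Section 2.4 (fail-to-zero, three-channel comparison with a non-isolated cross-check, and the single-loop-failure walk-through), worked through in code as an added example that is not part of the report or the plant's software. Channel names, ranges, the tolerance and all readings are constructed; the 0-1 V scaling is the one Section 5.3 describes.

```python
"""Redundant-channel validation for one SPDS parameter (added example).

Implements the Section 2.4 data-integrity checks: a loop whose isolator
output reads zero volts is shown as FAIL (2.4.2); the three Class 1E channels
of a parameter are compared continuously and an out-of-tolerance channel is
cross-checked against non-isolated data before being flagged (2.4.3).
Names, ranges, tolerance and readings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Channel:
    name: str
    volts: float   # 0-1 V signal from the isolation card (Section 5.3)
    low: float     # engineering value at 0 V (4 mA live zero)
    high: float    # engineering value at 1 V (20 mA)

    def failed(self) -> bool:
        """Section 2.4.2: a loop showing zero volt output is treated as failed."""
        return self.volts <= 0.0

    def value(self) -> float:
        """Scale the isolator voltage to engineering units."""
        return self.low + self.volts * (self.high - self.low)


Status = Tuple[str, Optional[float]]   # ("OK" | "SUSPECT" | "FAIL", value)


def validate(channels: List[Channel], non_isolated: Optional[float],
             tolerance: float) -> Dict[str, Status]:
    """Classify each channel of one parameter.

    tolerance is the acceptable difference for this parameter (defined per
    parameter in 2.4.3).  non_isolated is the comparison value from the
    non-Class 1E side, or None when no such data exists.
    """
    results: Dict[str, Status] = {}
    live = [c for c in channels if not c.failed()]
    for c in channels:
        if c.failed():
            results[c.name] = ("FAIL", None)   # numerals replaced, bar removed
            continue
        others = [o.value() for o in live if o is not c]
        # Out of tolerance: disagrees with every other live channel.  A lone
        # surviving channel has nothing to compare against and is kept.
        out_of_tolerance = bool(others) and all(
            abs(c.value() - v) > tolerance for v in others)
        if not out_of_tolerance:
            results[c.name] = ("OK", c.value())
            continue
        # Second step of 2.4.3: compare against non-isolated data.  With no
        # such data the channel is conservatively left marked as suspect.
        bad = non_isolated is None or abs(c.value() - non_isolated) > tolerance
        results[c.name] = ("SUSPECT" if bad else "OK", c.value())
    return results


def display_text(status: Status, fmt: str = "{:.0f}") -> str:
    """Readout text; a trailing '?' stands in for the color change that
    marks a possibly incorrect value on the real display."""
    state, value = status
    if state == "FAIL":
        return "FAIL"
    text = fmt.format(value)
    return text + "?" if state == "SUSPECT" else text


def single_loop_impact(csf_inputs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each loop, the parameters that lose every live indication when
    only that loop fails.  csf_inputs maps a CSF's supporting parameters to
    the loops feeding them."""
    loops = sorted({loop for feeds in csf_inputs.values() for loop in feeds})
    impact: Dict[str, List[str]] = {}
    for failed in loops:
        dark = [p for p, feeds in csf_inputs.items()
                if all(loop == failed for loop in feeds)]
        if dark:
            impact[failed] = dark
    return impact


def csf_survives_single_failure(csf_inputs: Dict[str, List[str]]) -> bool:
    """Walk-through from 2.4.2: no single loop failure may remove all
    support indication for the CSF."""
    return all(len(dark) < len(csf_inputs)
               for dark in single_loop_impact(csf_inputs).values())


if __name__ == "__main__":
    # Constructed readings: three RCS pressure channels, 0-3000 psia range.
    chans = [Channel("PT-A", 0.500, 0.0, 3000.0),
             Channel("PT-B", 0.505, 0.0, 3000.0),
             Channel("PT-C", 0.000, 0.0, 3000.0)]   # dead loop
    for name, st in validate(chans, non_isolated=1520.0, tolerance=10.0).items():
        print(name, display_text(st))
```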

3.0 DISPLAYS

3.1 General

The Maine Yankee SPDS has four (4) color graphic display monitors. Two are located in the Main Control Room (MCR), and one each in the TSC and EOF. Each monitor has a keyboard which is used to produce the desired display on that monitor. Different displays can be used on different monitors at the same time. The SPDS is not normally displayed on the monitors; upon receipt of any alarm to SPDS however, the SPDS default display appears on the CRT used by the PSS. The default display gives an overall CSF and primary plant status and menu for further access to all other displays. Enclosure (B) describes each primary display and the parameters associated with it. The menu is selectable via the keyboard attached to the CRT.

3.2 Human Factors

Each SPDS display, the keyboard arrangement and other aspects of the man/machine interface have been reviewed by a human factors engineer. A description of the human factors review of the SPDS is provided in Section 6.0.

3.3 Keyboard

The keyboards used with the SPDS monitors are full-sized ASCII keyboards with additional assignable keys. A rectangular matrix of assignable keys at the top of the keyboard allows one-button access to each SPDS display. The top key of each row is for the CSF top level displays. The keys below are for the CSF secondary displays. Each key is labeled and color-coded to distinguish between different CSFs and displays.

3.4 CSF Displays

3.4.1 General

Monitors used for the SPDS are nineteen (19) inch and thirteen (13) inch CRTs with non-glare screens. Across the top of each SPDS display are six CSF status indication boxes. A change of color or flashing of a particular box indicates that a parameter supporting that CSF has reached a setpoint and a possible challenge to that CSF exists. The full name of the CSF is contained in the box. The six boxes are not displayed if SPDS is not in use but will appear upon default to SPDS.

3.4.2 Default Display

Since the SPDS will not be displayed at all times, it is necessary to automatically bring up a SPDS display upon receipt of any SPDS alarms. This display is called the SPDS default display. This default display gives the general status of each CSF, and presents specific data on plant primary side equipment. Pressing the key for the affected CSF then brings up the top level display for that CSF. The default display will be automatically displayed on the PSS's monitor unless SPDS is in use at the time of the alarm.

3.4.3 Top Level Displays

There is a top level display for each CSF. This display shows the operator the status of the primary parameters supporting the CSF. Information such as parameter values and setpoints is shown. If further information is needed, a second key presents additional information via one or more secondary displays for that CSF.

3.4.4 Secondary Displays

One or more secondary displays for each CSF provide the operator with data on individual parameters and equipment. Trending is available on many of these displays to aid the operator in determining which parameter is perturbing a particular CSF. Trending consists of graphs showing parameter values versus time with sidebars showing the setpoint locations. The amount of time covered by the graph is dependent upon the computer scan rate for a particular parameter, and varies from five to thirty minutes. Actual length of time on these historical trends depends on the above plus on specific EOP requirements.

3.4.5 Special Displays

Certain pressure and temperature relationships can more readily give the operator an idea of how a recovery operation is proceeding. Special displays such as the plant P-T curve are available. The plant P-T curve can be displayed by a single key action. A pointer on the graph instantly shows the operator whether or not the plant is operating in a desired region. While these special displays are technically not part of the SPDS, their inclusion will help to increase the efficiency of Control Room personnel in responding to certain operating conditions. The capability exists to provide several special displays of this type to aid the operator.

3.5 Alarms

3.5.1 General

If the SPDS is not being used at the time an alarm comes in, then the SPDS default display is brought up on the screen at the Plant Shift Superintendent's desk. If the SPDS is in use when the alarm arrives, then the display in use remains on the screen. Additionally, an annunciator window on the main control board indicates that SPDS has an alarm. Next, the color of the affected CSF status indication box changes. If the alarm is not acknowledged within a few seconds, the status indication box begins flashing. At no time is any control function performed by the SPDS.

3.5.2 Setpoints

Most parameters have two or more setpoints. One setpoint for normal operating conditions is typically a pre-alarm setpoint to alert the operator to non-ordinary changes in the operating characteristics of the plant. A second setpoint is typically for post-trip situations; these setpoints are largely based upon the EOPs and Engineered Safety Features' post-trip requirements. Post-trip setpoints are designed to alert the operator to conditions outside of EOP requirements or Technical Specification limitations. Setpoints for each parameter are being developed to ensure that each CSF is properly supported by that parameter.
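The alarm behaviour of Sections 3.4.2 and 3.5 (plant-mode dependent setpoints, annunciator, status box color change, escalation to flashing when unacknowledged, and the default display appearing only when the SPDS is not already in use), as an added example that is not the plant's software. The setpoint values, flash delay and parameter names are constructed.

```python
"""CSF alarm handling for one status indication box (added example).

Models Sections 3.4.2, 3.5.1 and 3.5.2: a parameter carries a pre-alarm
setpoint used in normal operation and a post-trip setpoint used after a
trip.  On an alarm the main-board annunciator is set, the CSF status box
changes state, the default display is brought up unless the SPDS is in use,
and an unacknowledged box starts flashing after a short delay.  Setpoints,
the delay and the CSF names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Setpoints:
    pre_alarm: float          # normal-operation pre-alarm setpoint (3.5.2)
    post_trip: float          # post-trip setpoint from EOP / ESF requirements
    high_is_bad: bool = True  # direction in which the parameter challenges the CSF

    def check(self, value: float, post_trip: bool) -> Optional[str]:
        """Return the kind of alarm raised by value, or None if none."""
        limit = self.post_trip if post_trip else self.pre_alarm
        exceeded = value >= limit if self.high_is_bad else value <= limit
        if not exceeded:
            return None
        return "POST-TRIP" if post_trip else "PRE-ALARM"


@dataclass
class StatusBox:
    csf: str
    state: str = "NORMAL"            # NORMAL | ALARM (color change) | FLASHING
    alarm_time: Optional[float] = None
    acknowledged: bool = False


@dataclass
class Spds:
    flash_delay: float               # seconds before an unacknowledged box flashes
    boxes: Dict[str, StatusBox]
    in_use: bool = False             # someone is already viewing an SPDS display
    current_display: str = "OFF"
    annunciator: bool = False        # main control board annunciator window

    def process(self, csf: str, value: float, sp: Setpoints,
                post_trip: bool, now: float) -> Optional[str]:
        """Evaluate one scanned value against its setpoints (3.5.1 sequence)."""
        kind = sp.check(value, post_trip)
        if kind is None:
            return None
        box = self.boxes[csf]
        if box.state == "NORMAL":
            box.state, box.alarm_time, box.acknowledged = "ALARM", now, False
        self.annunciator = True
        if not self.in_use:
            self.current_display = "DEFAULT"   # 3.4.2: default display comes up
        return kind

    def tick(self, now: float) -> None:
        """Escalate boxes that were not acknowledged within flash_delay."""
        for box in self.boxes.values():
            if (box.state == "ALARM" and not box.acknowledged
                    and now - box.alarm_time >= self.flash_delay):
                box.state = "FLASHING"

    def acknowledge(self, csf: str) -> None:
        """Operator acknowledgement stops flashing; the color change remains."""
        box = self.boxes[csf]
        box.acknowledged = True
        if box.state == "FLASHING":
            box.state = "ALARM"
```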

4.0 COMPUTER HARDWARE

4.1 General

The Maine Yankee Computer System is composed of three subsystems, the Front End System (FES), the Operations Support System (OSS), and the Emergency Support System (ESS). The three subsystems provide data scanning and point processing, Control Room functions, SPDS, TSC and EOF functions, and development capability. Each of the three systems is described below.

4.2 Front End System (FES)

The two Maine Yankee FES Central Processing Units (CPUs) are MODCOMP CLASSIC Model 7821 computers with floating point hardware and 256 KB of MOS memory. Each of the CPUs is connected to the OSS and ESS via high speed serial links. There is no direct communication between the two FES computers. Data is input from the plant via a MODACS III data acquisition subsystem. This data acquisition subsystem is composed of cards which accept analog and digital inputs, pulse counters and Sequence-of-Events, and output digital signals. Event timing is provided by a Chrono-Log clock with a one millisecond pulse. The Chrono-Log clock is read through the MODACS as 24 digital inputs. Software in the FES is limited to the following:
(a) MAX IV Operating System (Revision G) with MAXPET extensions.
(b) Analog/digital scan package.

4.3 Operations Support System

The OSS is the Primary Plant Monitoring System. This system provides gain compensation, instrument validation, analog and digital point processing, alarm checking, limited software development and off-line functions. The OSS consists of two (2) CPUs, two (2) 256 MB disc units and associated printers, tape drive and CRTs.

4.4 Emergency Support System

The ESS provides the capability of responding to computer functions recommended by NUREG-0696. The ESS also provides support for engineering functions and program development. The ESS consists of two (2) CPUs, two (2) 256 MB disc units, and associated printers, tape drives and CRTs.

4.5 Power Supply

The Maine Yankee plant computers are powered by a non-Class 1E uninterruptible power supply.

5.0 INSTRUMENTATION AND CONTROLS

5.1 General

The instrumentation selected for input to the SPDS includes analog and digital, safety class and non-safety class. Enclosure (A) lists all of the inputs to the SPDS. A total of 268 inputs are used to support the SPDS.

5.2 Signal Isolation

The Class 1E signals are electrically isolated from the plant computer by Energy, Incorporated (EI) isolators which meet IEEE Standards 323-1974, 344-1975, and 472-1974. Analog signal isolators provide transformer-type isolation; digital signal isolators provide optical isolation.

5.3 Signal Conditioning

Each 4 to 20 milliamp signal is conditioned by inserting a precision resistor in the signal loop, and then using the voltage drop across the resistor to provide a 100-500 millivolt input to the analog isolation card circuit; the isolation card then provides a 0-1 volt signal to the computer.

5.4 Power Supply

The Maine Yankee SPDS isolators and displays are powered by interruptible but diesel generator backed AC power supplies. The Maine Yankee plant computers which support SPDS are powered by a non-Class 1E uninterruptible power supply.

5.5 Equipment Qualifications

The Safety Class 1E equipment used for the SPDS has been reviewed in accordance with USNRC Regulatory Guideline 1.97 to ensure its qualification in a post-accident environment. Equipment supplying the information to the SPDS is or has been qualified in accordance with Maine Yankee's Regulatory Guide 1.97 submittal (Reference 10.10).

6.0 HUMAN FACTORS

6.1 General

The Maine Yankee SPDS is a combination of plant parameters which provide simplified higher level information on each of the six critical safety functions. The information is displayed on CRTs in the Control Room and at two additional monitoring stations. Of primary concern is the form of the displays and the human interaction with the displays. The display must:
(a) Be easy to understand,
(b) Provide ease of access to the desired information,
(c) Provide the operator with the information required to make judgments concerning the plant state.
Each display in the system is judged upon these criteria and upon basic human factors principles.

6.2 Discussion

Installation of a SPDS has important human factors impact on plant operations. Human factors personnel at Maine Yankee were involved in design of the SPDS from the beginning to ensure that the system's impact would be positive. The most visible portion of the SPDS is the series of displays which presents information on critical safety functions. Each SPDS display uses bars and colors to supplement digital information. One quick look at bar colors and sizes tells an operator whether or not a CSF is stable. Bar width and/or orientation is different for each parameter within a single display. Borders are also provided to further distinguish different parameters.

Access to each display is via a set of assigned keys on an attached keyboard. Six groupings of keys match each of the six critical safety functions. The top key of each group selects the primary display for that CSF. Keys below select secondary displays for that CSF. These labeled keys provide instant one-touch access to each SPDS display.

Each display contains several pieces of information to aid the operator in assessing the plant state: (a) The general condition of all CSFs, and (b) The specific condition of the parameter(s) supporting a single CSF. If an operator displays one CSF, or if he displays different secondary information, other information on the CSFs is still available.

Human factors analysis and operator walk-throughs of the displays will provide a final determination of the effectiveness of each display and series of displays. The walk-throughs will be completed during the SPDS/EOP validation program.

6.3 Validation

Each display must be validated as being accurate in the methods used to present the information. Human factors principles applied to the validation process ensure that the information presented to the operators results in an effective and efficient performance of the desired actions. A series of event simulations on the Maine Yankee simulator and a series of event walk-throughs on the Main Control Board with the EOPs will further test the effectiveness of each display.

Each event simulation will present the operator with the opportunity to use the SPDS to aid him in minimizing any simulated challenge to plant safety systems. A post-exercise analysis of operator actions, along with operator comments, allows for detection and correction of any remaining deficiencies in the displays prior to final implementation in the Main Control Room.

6.4 Conclusion

Human factors engineering evaluation throughout the design, verification, and validation efforts ensures that proper consideration is given to the Control Room operators and supervisors who must work with SPDS. As discussed in Section 3.0 the CRTs used to display the SPDS are the same that are used during normal operation. By ensuring that the operators will be comfortable with the system under all conditions, the SPDS will be more effective in an emergency situation.

  ,                               MAINE VANKE3 ATOMIC POW 2O COMPANY 7.0 SOFTWARE 7.1 General Computer software to support the SPDS has not been completed at the time of this report. Software development will be accomplished under the guidelines outlined below.

Development of software for the Maine Yankee SPDS will be done by the Maine Yankee Computer Section. This development process will be

             ,   primarily governed by the Maine Yankee Software Development Manual.

Additional guidance will be provided by other documents (References 10.1 through 10.7) which deal with the methodologies of software engineering and software quality. Specific activities will include the following: (a) Assurance that the logic employed in each of the algorithms is complete, (b) Review of display design and layout, (c) Software development and coding, (d) Software testing, and (e) System testing / validation. Each of these specific activities is discussed in more detail below. 7.2 Software Development Process

7. 2.1 General In developing the SPDS on the ModComp plant process computer, the following steps shall be applied. First, the algorithms given to the Co @ uter Section will be reviewed for content. The functional specification will be developed from the algorithm and general SPDS specification documentation. The functional specification can be used later for user training documentation. The design specification will be written from information obtained in the functional specification and algorithm. Specific software methods will be determined. From the design specificatloa, the detailed design document will indicate the specific software construction for the ModComp system.

7.2.2 Development

Algorithms given to the Computer Section will be reviewed for content. The algorithms must:

(a) Describe all the inputs,

(b) Describe all the outputs,

(c) State the criteria for the correctness of the data,

(d) Indicate what to do with incorrect data, and

(e) State the correlation between the input and output; that is, state which input produces which output by means of specific events, related actions and any constraints.

The end product of the algorithm indicates what is to be done, not how it will be done. When this step is complete, the software development phase will begin.

A functional specification will be developed from the algorithm and general SPDS specification documentation. The functional specification shall describe all the inputs and all the outputs to the SPDS algorithm. A definition of the display screen(s), as given from the algorithm, will be stated. The information in this document will contain most of the information in the algorithm. The criteria for the correctness of data, what to do with incorrect data, and the correlation between the input and output will be stated. The information in this document can be issued to the end user for documentation.

Once the functional specification has been completed, the design specification will be written. This step will specify the algorithms, job control procedures, etc., required to implement the functional specification.

The detailed design will be developed next. The detailed design specifies interfaces, including identifying arguments passed, the scope of the data, file structures, data structures, search and sort methods, and software construction. Any hardware-specific items will be identified, and all error checking and process flow should be described completely. There should be no questions about the inputs, outputs and events. The programmer will use this information for coding, applying Maine Yankee's internal software document standards. Once this step is complete, the programmer will begin to code.

Each piece of code will be subject to a formal walk-through. This walk-through will determine if the code completes the specifications with no additions or deletions. This is the final stage of development. Once complete, the testing stage may begin and software development will be complete.

7.2.3 Testing

Each module (subroutine, task, and subsystem) of the SPDS software will be tested in isolation (unit testing) before its operation in the system is tested (integration testing). Installation testing validates the availability of the source code and the compiling and linking instructions provided by the programmer. Module, integration, and installation testing will be performed on the site simulator. Installation testing will also be performed on the plant process computer system. Figure 7-1 indicates the type of testing that will be associated with the computer hardware and software.

Figure 7-1 - Test sequence: Module Verification and Validation (Subroutine, Task, and Subsystem), followed by Integration Testing, followed by Installation Testing.
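As an added illustration (not code from the Maine Yankee document or its ModComp software), here is one SPDS algorithm module written to items (a) through (e) of Section 7.2.2 for the Core Exit Temperatures parameter, which Enclosure A lists with 36 inputs; the quality flag, instrument range, minimum-channel rule and CET tag names are assumptions made for this example. Its return values are what a unit test under Section 7.2.3 would assert on.

```python
"""Added illustration, not Maine Yankee code: one SPDS algorithm written to
items (a)-(e) of Section 7.2.2 for Core Exit Temperatures (36 inputs per
Enclosure A).  Quality flag, instrument range, minimum-channel rule and
the CET-nn tag names are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional, Sequence

# (c) Criteria for correctness (assumed): a reading is used only if the scan
# flagged it good and it lies inside the thermocouple range, in degrees F.
RANGE_LOW_F = 200.0
RANGE_HIGH_F = 2300.0
MIN_GOOD_CHANNELS = 18  # assumed: at least half of the 36 must be usable


@dataclass(frozen=True)
class Channel:
    """(a) One input: a core exit thermocouple reading from the scan."""
    tag: str        # constructed identifier, e.g. "CET-01"
    value_f: float  # reading in degrees F
    good: bool      # quality flag supplied by the data acquisition scan


@dataclass(frozen=True)
class CoreExitResult:
    """(b) The outputs that feed the Core Cooling display."""
    average_f: Optional[float]  # None when the parameter is invalid
    maximum_f: Optional[float]
    used: int                   # channels accepted
    rejected: tuple             # tags excluded, for the operator log
    valid: bool


def core_exit_temperatures(channels: Sequence[Channel]) -> CoreExitResult:
    """(e) Input-to-output correlation: average and maximum are taken over
    accepted channels only, and the result is valid only when enough
    channels pass.  (d) Incorrect data is excluded and listed by tag; it is
    never silently replaced by a last-good or default value."""
    accepted, rejected = [], []
    for ch in channels:
        if ch.good and RANGE_LOW_F <= ch.value_f <= RANGE_HIGH_F:
            accepted.append(ch.value_f)
        else:
            rejected.append(ch.tag)
    if len(accepted) < MIN_GOOD_CHANNELS:
        # (d) Too few trustworthy inputs: declare the parameter invalid so the
        # display can blank or flag it instead of showing a misleading number.
        return CoreExitResult(None, None, len(accepted), tuple(rejected), False)
    return CoreExitResult(sum(accepted) / len(accepted), max(accepted),
                          len(accepted), tuple(rejected), True)


def sample_scan(failed: int = 0, spike: int = 0) -> list:
    """Constructed 36-channel scan around 560 F: the first `failed` channels
    are flagged bad, the next `spike` channels read an open-thermocouple
    style out-of-range value."""
    scan = []
    for i in range(36):
        value, good = 560.0 + (i % 5), True   # 560..564 F, constructed
        if i < failed:
            good = False
        elif i < failed + spike:
            value = 9999.0
        scan.append(Channel(f"CET-{i + 1:02d}", value, good))
    return scan


if __name__ == "__main__":
    for failed, spike in ((0, 0), (3, 2), (20, 0)):
        r = core_exit_temperatures(sample_scan(failed, spike))
        print(f"bad={failed} spike={spike} valid={r.valid} used={r.used} "
              f"avg={r.average_f} max={r.maximum_f} rejected={r.rejected}")
```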

8.0 VERIFICATION AND VALIDATION

8.1 General

A verification and validation program was developed to ensure that each portion of the SPDS design process was compatible with existing systems, procedures, and operational philosophy. Maine Yankee is in the process of upgrading our existing EOPs. Westinghouse has been chosen to assist us in this effort. A step-by-step comparison of the bases for the existing EOPs versus the Westinghouse EOPs was made to ensure that the SPDS merged successfully with the new EOPs.

8.2 Verification

The verification program involved defining the critical safety functions, listing the parameters and their characteristics, defining the display formats, and developing the algorithms. Starting with the existing Maine Yankee emergency operating philosophy, a sequence of steps was developed to define each aspect of the verification process. Six (6) stages of design considerations were developed:

(a) Determine the number and type of critical safety functions,

(b) Define each critical safety function,

(c) Perform a task analysis to show which parameters are necessary to properly support each CSF,

(d) Develop a display format philosophy,

(e) Design the SPDS displays,

(f) Develop the SPDS algorithms.

This sequence of design considerations is essentially the same as that used to develop and design the SPDS. Some steps, such as (e) and (f), were performed concurrently. Step (d) was independent and was developed using basic human factors engineering principles. During the verification process, constant interaction with the Maine Yankee EOP Working Group ensured that the SPDS philosophy and design were well integrated with that of the new EOPs. Figure 8-1 shows the interplay associated with the SPDS and new EOPs development processes.

8.3 Validation

The validation process analyzed individual displays, keyboard layout, human factor concerns, and the support parameters for each CSF. The SPDS design was independently reviewed and validated by the Nuclear Services Division of Yankee Atomic Electric Company (YNSD). Validation at Maine Yankee included reviews by the EOP Working Group, Operations (including Control Room operators), plant management and the Human Factors Working Group. Completed reviews at YNSD included the parameter selection and an EOP task analysis. Additional reviews will be completed prior to implementation. They will include the algorithm review, comparisons of algorithms and displays, and independent review of the final design package.

A walk-through of the final system by Control Room Operators using the EOPs will be conducted prior to implementing the SPDS. This walk-through will serve as a final check of the validity of the installed system.

8.4 Conclusion

A step-by-step process has been developed and will be followed to ensure that the development of the SPDS merged successfully with the concurrent development of new EOPs. Adhering to this sequence will allow for multiple reviews of each step in the design process and ensure that, once fully integrated with existing systems, the SPDS will enhance the effectiveness and efficiency of Control Room personnel.

Figure 8-1 - MY SPDS Verification Steps (flowchart; labels recoverable from the scan): MY Emergency Operating Philosophy and Westinghouse Emergency Operating Philosophy; Number of Critical Safety Functions and Number of CSFs from Westinghouse EOPs; CSF Definitions; MY SPDS Task Analysis and Westinghouse FRG Task Analysis; Display Format Philosophy; Algorithms; Steering Committee Independent Review; YNSD Independent Review.


9.0 CONCLUSION

The Safety Parameter Display System is intended to aid the operator in monitoring plant status in an emergency situation. All parameters available on the SPDS displays are also displayed on the Main Control Board. Existing board-mounted displays for each parameter remain the primary source of information on the plant state. The SPDS is an informational system designed to display currently available data in an easy-to-understand format. The system enhances the operator's awareness and understanding of the plant status and, therefore, increases his ability to control the plant efficiently.

Continuous review of the SPDS design by a multidiscipline task group ensures that each step in the design process is fully integrated with other facets of plant operations:

(a) Human factors walk-throughs ensure that the man-machine interface is compatible;

(b) Comparison to, and integration with, the plant emergency operating procedures ensures that no discrepancies between the two systems exist;

(c) The software development and testing process ensures that the entire system is valid for use and presents the information properly; and

(d) Simulated event walk-throughs test system integration.

Maine Yankee has reviewed the SPDS design in accordance with Section 50.59 of the Commission's Rules and Regulations. Use of the SPDS does not involve a significant increase in the probability or consequences of an accident previously evaluated, the possibility of a new or different kind of accident from any accident previously evaluated, or a significant reduction in a margin of safety for any technical specification. Use of this system, therefore, does not involve an unreviewed safety question.

Maine Yankee's Plant Operations Review Committee (PORC) has reviewed the plant hardware changes associated with the SPDS. The PORC has determined that the hardware changes do not involve an unreviewed safety question (PORC-84-20). The PORC will review the software changes associated with the SPDS prior to implementation. Implementation cannot proceed unless PORC verifies that no unreviewed safety question is involved.


10.0 REFERENCES

10.1 Maine Yankee Computer Department, "Software Standard Manual," April 1, 1983.

10.2 "Program Design Methodology," D. R. Chand.

10.3 "Software Design Techniques," P. Freeman and A. Wasserman, 4th Edition, IEEE EHO-205-5.

10.4 "Software Design Strategies," G. Bergland and R. Gordon, IEEE EHO-184-2.

10.5 "Software Engineering," R. S. Pressman, McGraw-Hill, 1982.

10.6 "IEEE Standard for Software QA Plans," ANSI/IEEE 730-1981.

10.7 "American National Standards Application Criteria for Programming Digital Computer Systems and Safety Systems of Nuclear Power Generating Stations," ANSI/IEEE 7-4.3.2-1982.

10.8 "Guidelines for an Effective SPDS Implementation Program," INPO/NUTAC 83-003, January 1983.

10.9 "Safety Parameter Display System for the Yankee Atomic Electric Company," NSAC-55, August 1982.

10.10 Letter, MYAPC to USNRC, "Regulatory Guide 1.97 Report," MN-85-43, February 28, 1985.

ENCLOSURE A - SPDS INPUTS TO CRITICAL SAFETY FUNCTIONS

NOTES:

(1) Asterisk (*) indicates primary parameters which directly support the CSF.

(2) Numbers in parentheses indicate the number of inputs for that parameter. No number indicates one (1) input.

1. SUBCRITICALITY

(a)* Reactor % Power (10)
(b)* Control Element Assemblies Positions (64)
(c) Reactor Trip Breaker Position

2. CORE COOLING

(a)* Margin to Saturation (Core Region)
(b)* Margin to Saturation (Head Region)
(c)* Core Exit Temperatures (36)
(d) Reactor Coolant Pump Status (3) (via Steam Generators delta P)
(e) Reactor Vessel Head Temperature
(f) RCS T-Average (3)

3. HEAT SINK

(a)* Core Exit Temperatures (36)
(b)* Main Feed Flow (3)
(c)* Steam Generator Pressure (3)
(d)* Steam Generator Level (3)
(e)* Margin to Saturation (3) (Steam generator regions)
(f)* Steam Generator Dump Availability
(g)* T-Hot (6)
(h)* T-Cold (6)
(i) Auxiliary Feed Flow (3)
(j) LPSI Flow (3)
(k) HPSI Flow (3)
(l) SIAS Status (2)
(m) Atmospheric Dump Radiation Monitors (3)

4. INTEGRITY

(a)* Reactor Coolant System Temperature (T-Hot and T-Cold)
(b)* Reactor Coolant System Pressure
    1) Pressurizer Pressure
    2) Steam Generator Pressure (3)
(c)* Steam Generator Level (3)
(d) PORV Positions
(e) Main Steam Line Radiation (3)

5. CONTAINMENT

(a)* Pressure
(b)* Sump Level (2)
(c)* Hydrogen
(d)* Radiation
(e) Humidity (3)
(f) CIS Status (2)
(g) Temperature (13)
(h) Isolation Valve Status (67)
(i) Stack Fans (2)
(j) Stack Radiation (2)

6. INVENTORY

(a)* Pressurizer Level
(b)* Margin to Saturation (2)
    1) Core Region
    2) Head Region
(c)* Reactor Vessel Head Temperature
(d) Charging Flow
(e) Letdown Flow
(f) Containment Sump Level (2)
(g) Safety Injection Tank Level (3)
(h) LPSI Flow (3)
(i) HPSI Flow (3)
(j) SIAS Status (2)
(k) Reactor Coolant Pump Seal Leakage (3)

7. MISCELLANEOUS

The following parameters provide information for variable or selectable parameters:

(a) LTOP Pressure (2)
(b) LTOP Setpoint (2)
(c) Saturation Monitors Selected (5)


ENCLOSURE B - SPDS DISPLAYS DESCRIPTION

1. DEFAULT DISPLAY

The default display presents information regarding general plant status and specific information on primary system status. Information supporting the general plant status is described in each of the CSF sections below. Primary system status is indicated by a pictograph of the core, steam generators, reactor coolant pumps, and pressurizer. Status is indicated by bar graph size and/or color. The following parameters support this display:

(a) Steam Generator Level (3)
(b) Steam Generator Pressure (3)
(c) Pressurizer Pressure
(d) Pressurizer Level
(e) PORV Status
(f) Code Safety Valves Status (3)
(g) RCPs Status (3)
(h) Core Exit Temperature (4 quadrants)

2. CSF TOP LEVEL DISPLAYS

(a) Subcriticality

Bar graph presentations of percent power and control element assemblies' positions are supplemented by digital information in this display. Setpoints are shown on each bar graph. Support parameters are:

1) Percent Power
2) Rod Position

(b) Core Cooling

Bar graph presentations of core exit temperatures, margin to saturation, RCS T-Average, and reactor coolant pump status are supplemented by digital information. Support parameters are:

1) Margin to Saturation (core)
2) Margin to Saturation (head)
3) Core Exit Temperatures (average)
4) Steam Generators delta P
5) Reactor Vessel Head Temperature
6) RCS T-Average

(c) Heat Sink

For the top level display, primary concern is focused on the core and steam generators. Four sets of bar graphs represent the status in each loop of feed flow, steam generator level/pressure, core exit temperatures, and T-Average. Support parameters are:

1) Core Exit Temperatures
2) Steam Generator Pressure
3) Steam Generator Level
4) Main Feed Flow
5) Auxiliary Feed Flow
6) RCS T-Hot
7) RCS T-Cold

(d) Integrity

Bar graph presentations of RCS temperature, RCS pressure, and main steam line radiation compose this display. Support parameters are:

1) RCS T-Hot
2) RCS T-Cold
3) Pressurizer Pressure
4) Main Steam Line Radiation

(e) Containment

Bar graphs display containment pressure, sump level, radiation, and hydrogen concentration. Support parameters are:

1) Containment Pressure
2) Containment Radiation
3) Containment Sump Level
4) Containment Hydrogen

(f) Inventory

Bar graphs show primary inventory status, including the reactor vessel. Support parameters are:

1) Pressurizer Level
2) Margin to Saturation (Head Region)
3) Margin to Saturation (Core Region)
4) Core Exit Temperatures
5) Reactor Vessel Head Temperature
}}