ML20129G861
| ML20129G861 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 05/24/1985 |
| From: | Opeka J NORTHEAST NUCLEAR ENERGY CO., NORTHEAST UTILITIES |
| To: | Youngblood B Office of Nuclear Reactor Regulation |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737 A02959, A04508, A04615, A04752, A2959, A4508, A4615, A4752, NUDOCS 8506070388 | |
| Download: ML20129G861 (107) | |
Text
Y 'T.
T kr 9 W t v
UTILITIES cenerei Orrice.. seioen street. serim. con..cticut J
37SNrrsTNU=~
P.O. BOX 270
.aos.arta=== co*=
HARTFORD, CONNECTICUT 06141-0270 L
t j ' y* "g ' ] c " ",
(203) 665-5000 May 24,1985 Docket No. 50-423 A02959 A04508 A04615 A04752 Director of Nuclear Reactor Regulation i
Attn:
Mr. B. 3. Youngblood, Chief Licensing Branch No.1 Division of Licensing U. S. Nuclear Regulatory Commission Washington, D. C. 20555
References:
(1)
W. G. Counsil letter to B. 3. Youngblood, dated April 5,1984.
(2)
.B.
3.
Youngblood. letter to W.
G.
Counsil, dated November 28,1984.
(3)
W.
G.
Counsil letter to B.
3.
Youngblood, dated December 7,1984.
(4)
W.
G.
Counsil letter to D.
G.
- Eisenhut, dated November 28,1983.
(5)
B.
3.
Youngblood letter to W.
G.
Counsil, dated January 18,1985.
(6)
B.
3.
Youngblood letter to W.
G.
Counsil, dated March 18,1985.
(7)
W.
G.
Counsil letter to B.
3.
Youngblood, dated June 14,1984.
Dear Mr. Youngblood:
Millstone Nuclear Power Station, Unit No. 3
- t Supplement I to NUREG-0737 Safety Parameter Display System In Reference (1), Northeast Nuclear Energy Company (NNECO) submitted the Safety Analysis Report (SAR) for the Millstone Unit No. 3 Safety Parameter Display System (SPDS).
This SAR provided information to the NRC Staff 1
8506070388 850524 gh PDR ADOCK 05000423 F
,} lQ i
l s.
t r
- N e demonstrating that our SPDS was being designed to meet the provisions of Supplement I to NUREG-0737. Based upon its review of our SPDS SAR, the NRC Staff requested additional information in Reference (2). Our response to the items contained in Reference (2) can be found in Attachment No.1.
We provided the NRC Staff in Reference (3) with a schedule for our phased implementation approach. This two-phase approach (i.e., Phase I completed by fuel load and Phase II completed by the first refueling outage) represented a revision to the implementation schedule submitted to the NRC Staff in Reference (4).
NRC Staff concurrence with our two-phase approach was requested. The NRC Staff responded to our request in a very timely fashion in Reference (5) and concurred with our two-phase approach with the exception of three (3) items. Although no response was requested by the NRC Staff, we have chosen to address these three (3) items in Attachment No. 2.
Reference (6) contains a proposed agenda for the NRC Staff's audit of our SPDS.
In addition, we were requested to notify the NRC Staff as to when we will be prepared for the audit. The optimum time interval to conduct the SPDS audit from our perspective is the last two weeks in "aly,1985. We believe that a Design Verification Audit and the majority of a Design Validation Audit could be performed at that time. We will be contacting the NRC Staff to further discuss the timing and scope of the SPDS audit.
In addition to Reference (2), Enclosure 2 in Reference (6) provided the results of the NRC Staff's review of our SAR and identified items which we should be prepared to address during the NRC Staf 's audit of our SPDS. Although no response was requested by the NRC Staff at this time, we have chosen to address those items in Attachment No. 3.
To incorporate our responses to Reference (2) and to reflect some minor changes, the SAR submitted in Reference (1) has been revised. The revised SAR is included in Attachment No. 4. Revised sections are identified by change bars.
This submittal also fulfills the commitment made in Reference (7) to provide the NRC Staff with the ICC core map display as part of the revised SPDS submittal.
~
We trust that this submittal adequately addresses the NRC Staff's concerns related to the Millstone Unit No. 3 SPDS identified in References (2), (5), and (6).
Very truly yours,
(
NORTHEAST NUCLEAR ENERGY COMPANY et. al.
BY NORTHEAST NUCLEAR ENERGY COMPANY Their Agent F. (R l
- 3. F. OpeKa V
Senior Vice President l
l l
l m
p y..,
x a
3_
cc:
Mr. G. W. Lapinsky, Jr.
NRC Human Factors Engineering Branch Mr.~ F. Orr
- NRC Procedures & Systems Review Branch STATE OF CONNECTICUT )
) ss. Berlin COUNTY OF HARTFORD
)
Then personally appeared before me 3. F. Opeka, who being duly sworn, did state that he is Senior Vice President of Northeast Nuclear Energy Company, an Applicant herein, that he is authorized to execute and file the foregoing information in the name and on behalf of the Applicants herein and that the statements contained in said information are true and correct to the best of his knowledge and belief.
w,c A&f &
N'otary Publip My Commission Expires March 31,1988 O
e e
,, a h
EEE General Offices e Selden Street, Berlin. Connecticut 1
msvY Es crac c5=
P.O. BOX 270
- a.arsa ma co" HARTFORD. CONNECTICUT 06141-0270 L
L J Z"',[3[,','""",
(203) 665-5000 May 24,1985 Docket No. 50-423 A02959 A04508 A04615 A04752 Director of Nuclear Reactor Regulation Attn:
Mr. B. 3. Youngblood, Chief Licensing Branch No.1 Division of Licensing U. S. Nuclear Regulatory Commission Washington, D. C. 20555
References:
(1)
W. G. Counsil letter to B. 3. Youngblood, dated April 5,1984.
(2)
B.
3.
Youngblood letter to W.
G.
CounsP, dated November 28,1984.
(3)
W.
G.
Counsil letter to B.
3.
Youngblood, dated December 7,1984.
(4)
W.
G.
Counsil letter to D.
G.
- Eisenhut, dated November 28,1983.
l l
(5)
B.
3.
Youngblood letter to W.
G.
Counsil, dated January 18,1985.
(6)
B.
3.
Youngblood letter to W.
G.
- Counsil, dated March 18,1985.
(7)
W.
G.
Counsil letter to B.
3.
Youngblood, dated June 14,1984.
Dear Mr. Youngblood:
Millstone Nuclear Power Station, Unit No. 3 Supplement I to NUREG-0737 Safety Parameter Display System In Reference (1), Northeast Nuclear Energy Company (NNECO) submitted the Safety Analysis Report (SAR) for the Millstone Unit No. 3 Safety Parameter Display System (SPDS).
This SAR provided information to the NRC Staff
a-g u demonstrating that our SPDS was being designed to meet the provisions of Supplement 1 to NUREG-0737. Based upon its review of our SPDS SAR, the NRC Staff requested additional information in Reference (2). Our response to
. the items contained in Reference (2) can be found in Attachment No.1.
We provided the NRC Staff in Reference (3) with a schedule for our phased implementation approach. This two-phase approach (i.e., Phase I completed by fuel load and Phase II completed by the first refueling outage) represented a
- revision to the implementation schedule submitted to the NRC Staff in Reference (4).
NRC Staff concurrence with our two-phase approach was requested. The NRC Staff responded to our request in a very timely fashion in Reference (5) and concurred with our two-phase approach with the exception of three (3) items. Although no response was requested by the NRC Staff, we have chosen to address these three (3) items in Attachment No. 2.
Reference (6) contains a proposed agenda for the NRC Staff's audit of our SPDS.
In addition, we were requested to notify the NRC Staff as to when we will be prepared for the audit. The optimum time interval to conduct the SPDS audit from our perspective is the last two weeks in July,1985. We believe that a Design Verification Audit and the majority of a Design Validation Audit could be performed at that time. We will be contacting the NRC Staff to further discuss the timing and scope of the SPDS audit.
In addition to Reference (2), Enclosure 2 in Reference (6) provided the results of the NRC Staff's review of our SAR and identified items which we should be prepared to address during the NRC Staff's audit of our SPDS. Although no response was requested by the NRC Staff at this time, we have chosen to address those items in Attachment No. 3.
To incorporate our responses to Reference (2) and to reflect some minor changes, the SAR submitted in Reference (1) has been revised. The revised SAR is included in Attachment No. 4. Revised sections are identified by change bars.
This submittal also fulfills the commitment made in Reference (7) to provide the NRC Staff with the ICC core map display as part of the revised SPDS submittal.
We trust that this submittal adequately addresses the NRC Staff's concerns related to the Millstone Unit No. 3 SPDS identified in References (2), (5), and (6).
Very truly yours, NORTHEAST NUCLEAR ENERGY COMPANY et. al.
BY NORTHEAST NUCLEAR ENERGY COMPANY Their Agent J. F.'Op6ka V
Senior Vice President
- e_
- a
_3_
cc:
Mr. G. W. Lapinsky, Jr.
NRC Human Factors Engineering Branch Mr. F. Orr NRC Procedures & Systems Review Branch STATE OF CONNECTICUT )
) ss. Berlin COUNTY OF HARTFORD
)
Then personally appeared before me 3. F. Opeka, who being du'l r sworn, did state that he is Senior Vice President of Northeast Nuclear Energy Company, an
. Applicant herein, that he is authorized to execute and file the foregoing information in the name and on behalf of the Applicants herein and that the statements contained in said information are true and correct to the best of his knowledge and belief.
AAMt 1X Y Notary Pubiff My Commission Expires March 31,1988 f
o e s
General Offices e Selden Street, Berlin, Connecticut usvY vs euEmc cow-P.O. BOX 270
==s.ana ma co"
((' ((2,*,"*",
HARTFORD, CONNECTICUT 06141-0270 k
L J
(203) 66s-5000 May 24,1985 Docket No. 50-423 A02959 A04508 A04615 A04752 Director of Nuclear Reactor Regulation Attn:
Mr. B. 3. Youngblood, Chief Licensing Branch No.1 Division of Licensing U. S. Nuclear Regulatory Commission Washington, D. C. 20555
References:
(1)
W. G. Counsil letter to B. 3. Youngblood, dated April 5,1984.
(2)
B.
3.
Youngblood letter to W.
G.
Counsil, dated November 28,1984.
(3)
W.
G.
Counsil letter to B.
3.
Youngblood, dated December 7,1984.
(4)
W.
G.
Counsil letter to D.
G.
- Eisenhut, dated November 28,1983.
(5)
B.
3.
Youngblood letter to W.
G.
Counsil, dated January 18,1985.
(6)
B.
3.
Youngblood letter to W.
G.
Counsil, dated March 18,1985.
(7)
W.
G.
Counsil letter to B.
3.
Youngblood, dated June 14,1984.
Dear Mr. Youngblood:
Millstone Nuclear Power Station, Unit No. 3 Supplement I to NUREG-0737 Safety Parameter Display System In Reference (1), Northeast Nuclear Energy Company (NNECO) submitted the Safety Analysis Report (SAR) for the Millstone Unit No. 3 Safety Parameter Display System (SPDS).
This SAR provided information to the NRC Staff I.
3 demonstrating that our SPDS was being designed to meet the provisions of Supplement I to NUREG-0737. Based upon its review of our SPDS SAR, the NRC Staff requested additional information in Reference (2). Our response to the items contained in Reference (2) can be found in Attachment No.1.
We provided the NRC Staff in Reference (3) with a schedule for our phased implementation approach. This two-phase approach (i.e., Phase I completed by fuel load and Phase II completed by the first refueling outage) represented a revision to the implementation schedule submitted to the NRC Staff in Reference (4).
NRC Staff concurrence with our two-phase approach was requested. The NRC Staff responded to our request in a very timely fashion in Reference (5) and concurred with our two-phase approach with the exception of three (3) items. Although no response was requested by the NRC Staff, we have chosen to address these three (3) items in Attachment No. 2.
Reference (6) contains a proposed agenda for the NRC Staff's audit of our SPDS.
In addition, we were requested to notify the NRC Staff as to when we will be prepared for the audit. The optimum time interval to conduct the SPDS audit from our perspective is the last two weeks in July,1985. We believe that a Design Verification Audit and the majority of a Design Validation Audit could be performed at that time. We will be contacting the NRC Staff to further discuss the timing and scope of the SPDS audit.
In addition to Reference (2), Enclosure 2 in Reference (6) provided the results of the NRC Staff's review of our SAR and identified items which we should be prepared to address during the NRC Staff's audit of our SPDS. Although no response was requested by the NRC Staff at this time, we have chosen to address those items in Attachment No. 3.
To incorporate our responses to Reference (2) and to reflect some minor changes, the SAR submitted in Reference (1) has been revised. The revised SAR is included in Attachment No. 4. Revised sections are identified by change bars.
This submittal also fulfills the commitment made in Reference (7) to provide the NRC Staff with the ICC core map display as part of the revised SPDS submittal.
We trust that this submittal adequately addresses the NRC Staff's concerns related to the Millstone Unit No. 3 SPDS identified in References (2), (5), and (6).
Very truly yours, NORTHEAST NUCLEAR ENERGY COMPANY et. al.
BY NORTHEAST NUCLEAR ENERGY COMPANY Their Agent h 5 nA 3.Ikopeka M
Senior Vice President l
[
f.'
,e,.
, cc: 1 Mr. G. W. Lapinsky, Jr.
NRC Human Factors Engineering Branch Mr. F. Orr
^ NRC Procedures & Systems Review Branch
-STATE OF CONNECTICUT )
) ss. Berlin COUNTY OF HARTFORD
)
Then personally appeared before me 3. F. Opeka, who being duly sworn, did state that 'he is Senior Vice President of Northeast Nuclear Energy Company, an
' Applicant herein, that he is authorized to execute and file the foregoing information in the name and on behalf of the Applicants herein and that the statements contained in said information are true and correct to the best of his knowledge and belief.
AddAM c'
171/ Y Sotary Pu My Commission Expires March 31,1988
g; 7.. -.
.%:5 2..
Docket No. 50-423 a
Attachment No.1
.Mllistone. Nuclear Power Station, Unit No. 3
= Response to NRC Staff's Letter Dated November.28,1984 May,1985
4 Response to NRC Staff's Letter Dated November 28,1984
- Instrumentation and Control Systems Information General:
which is a control grade system.
The PPC is isolated from the Reactor Protection Systems primarily by isolation devices that are classified as protection components. This isolation conforms to General Design Criterion 24 of Appendix A to 10 CFR 50, as discussed in Section 3.1.2.24 of the FSAR, and also complies with the provisions of Regulatory Guide 1.75 and IEEE-384-1974, as discussed in Sections 1.8 and 7.1.2.2.1 of the FSAR. A detailed description of our compliance with Regulatory Guide 1.75 is discussed in FSAR Section 8.3.1.4.
Two types of isolation devices are generally utilized, namely:
1.
Analog Isolators 2.
DigitalIsolators These isolators are discussed in the FSAR Sections 7.2.1.1.8 and 7.7.2.1, Most of the analog isolators are part of the Westinghouse 7300 Series Process Control System. Other Class IE instruments that input to the PPC are isolated by Class IE isolation devices such as the Foxboro N-2AO-VAI. The digital isolators are the Struthers-Dunn CX3917NE Reed Relay Isolation Devices located in various isolation cabinets.
Test results for these isolators are documented in the following Reference Test Reports:
1.
Westinghouse WCAP - 8892A - 7300 Series Process Control System Noise Test.
2.
Westinghouse WCAP - 8587 Report No. ESE-13 Environmental and Seismic Test Report for the 7300 Series Process Control System.
3.
Foxboro QOAAB44 - Type Test Report for 2AO-VAI Custom (ECEP 9206)
Style A CS-N/SRC Voltage to Current Converter.
4.
Foxboro QOAAA20-1 Test Report T7-6082 - Seismic Testing of Spec 200 Current Production Model Rack Mounted Modules on N-2ES Style B Rack.
5.
Struthers-Dunn Test Report No. 6379 Final Test Report for Qualification of CS3917NE Reed Relay Isolation Device to IEEE-323-1974 and IEEE-344-1975.
The following responses to the NRC Staff questions pertain to the analog and -
digital isolators described above. Information regarding isolation between the PPC/SPDS and the Inadequate Core Cooling (ICC) system follows our response to Question 420.12.
In addition, we will be prepared to discuss during the forthcoming SPDS audit any other isolation devices.
- Question 420.7:
For each type of device used to accomplish electrical isolation, describe the specific testing performed to demonstrate that the device is acceptable for its application (s).
This description should include elementary diagrams when necessary to indicate the test configuration and how the maximum credible faults were applied to the devices.
Response
The analog isolators of the Westinghouse 7300 Series Process Control System were tested with the applications of 580VAC and 250VDC on the output of the isolators. The Foxboro isolators were tested with 600 VAC. Results of the tests show that the voltages applied to the output of the isolator did not affect the input side. Details of the tests are documented in Reference Test Reports #1 and #3.
The digital isolators were tested with the applications of 532VAC,60HZ,2000 Amp. short circuit capabi!!ty and 500 Amp.,134VDC on both the output and input of the isolators to show that burnout of one side of the isoletor does not affect the other side. Results of the tests show that the input is adequately isolated from the output. This is documented in Reference Test Re99rt #5.
Question 420.8:
Data to verify that the maximum credible faults applied during the test were the maximum voltage / current to which the device could be exposed, and define how the maximum voltage / current was determined.
L
Response
The voltages used in the tests are conservative. The separation criteria at Millstone Unit No. 3 assures that the instrumentation cables are separated from high voltage cables. This is discussed in the FSAR Section 8.3.1.4.
Question 420.9:
Data to verify that the maximum credible fault was applied to the output of the device in the transverse mode (between signal and return) and other faults were considered (i.e., open and short circuits).
Response
Details of the tests are fully documented in Reference Test Reports #1, #3, and
- 5.
Question 420.10:
Define the pass / fall acceptance criteria for each type of device.
f Response:
The pass / fall acceptance criteria for each type of isolation device require that the input side of the isolation device (safety system side) is not affected by the application of electrical disturbances in the output side.
Question 420.11:
A commitment that the isolation devices comply with the environmental
. qualifications (10 CFR 50.49) and with seismic qualifications which are the basis for plant licensing.
Response
The isolation devices are environmentally qualified in accordance with Regulatory Guide 1.89 (IEEE-323-1974) and 10 CFR 50.49, and seismically qualified in accordance with Regulatory Guide 1.100 (IEEE-344-1975). These are documented in Reference Test Reports #2, #4, and #5.
Question 420.12:
A description of the measures taken to protect the safety systems from electrical interference (i.e., Electrostatic Coupling, EMI, Common Mode and Crosstalk) that may be generated by the SPDS.
Response
To protect the safety systems from electrical interference (i.e., Electrostatic Coupling, EMI, Common Mode and Crosstalk) that may be generated by the SPDS, all instrumentation cables are twisted and shielded. Also, separation criteria are established as described in FSAR Section 8.3.1.4.
Information Regarding Isolation Between the PPC/SPDS and the inadequate Core Cooling System The entire Inadequate Core Cooling (ICC) system is Class IE except for four (4) serial data links to non-Class IE terminals and to the non-Class IE PPC. These data links are designed to provide the isolation between Class IE and non-Class IE devices. The data links consist of Honeywell Model HFM 5000-003 Fiber Optic RS232C Link Module Kits interconnected with a minimum of two feet of fiber optic cable. The modules connected to the Class IE side of the link are powered from Class IE power. The modules connected on the non-Class IE side are powered from non-Class lE power. There are no electrical conducting paths between Class IE and' non-Class IE. The two foot (minimum) length of fiber optic cable provides electrical isolation to well over 3000 volts, as verified by the physical characteristics of the cable material. Approximately seventy-five (75) feet of cable exists between Class lE and non-Class IE components at Millstone Unit No. 3.
Seismic qualification was performed along with the entire system, as documented in Energy Incorporated Report No. El-84-15. These data links are environmentally qualified in accordance with 10 CFR 50.49.
m-
G
, <j.,
- 4 Human Factors Engineerina Information.
Question' 620.1 (Human Factors Program):
Provide a description of the display system, with emphasis on its human factored design, and the methods and results of a human factors program to ensure that.
the displayed information can be readily perceived and comprehended so as not to mislead the operator. Color photographs or reproductions of display pages and interface devices may be helpful in supporting the discussion.
Response: =
Section 7.0, entitled Human Factors Engineering, of our SAR has been revised and is included in Attachment No. 4. A representation of the process computer
. function keyboard and copies of the SPDS displays can be found at the end of this attachment.. Some changes may be made to these displays, as well as the
- keyboard configuration, prior to fuel load. Three sets of colored displays are being submitted to the NRC Human Factors Engineering Branch. More detailed information can be provided to the NRC Staff during the SPDS audit.
Question 620.2 (Data Validation):
Describe the method used to validate data displayed by the SPDS. Also describe how invalid data is identified to the operator on the displays.
Response
Section 3.0, entitled Signal Validation, of.our SAR has been revised and is included in Attachment No. 4. The quality tags discussed in this section can be seen' on the colored displays being submitted to the -NRC Human Factors Engineering Branch. The quality tags for each SPDS signal will be shown on the displays as follows:
Quality of Slanal Quality Tag validated none unvalidated "U" inside a magenta colored box invalid "X" inside a magenta colored box u
substituted "S" inside a magenta colored box Question 620.3 (Verification and Validation Program):
Define and discuss the Verification and Validation Program which was used or will be used in the development of the SPDS. Also, describe results to date from the Verification and Validation Program, and the corrective actions taken to address identified design deficiencies.
.. Response:
Section 6.0, entitled Verification and Validation, of our SAR has been revised and is included in Attachment No. 4. Many positive benefits have resulted from our verification and validation (V&V) efforts to date. In performing V&V, much more detailed design was done earlier and issues were resolved sooner, resulting in a mcre stable design at the end of development. In tandem with earlier resolution of issues, problems were identified and corrected earlier. Because of a more stable design towards the end, integration of all the software went much more smoothly than could otherwise have been expected. Also, corrections of many conceptual errors were accomplished before any code was developed.
Errors encountered at the level of the requirements and design documents are identified and corrected and thus are not propagated into the software coding stage. Errors encountered in the test procedure document are corrected to ensure that the test is in compliance with the functional specification.
Our experience has shown that the independent review process has aided in the discovery of potential errors at an early stage, has forced the various sub-system designs and interfaces to be consistent with each other and overall objectives, and has kept the documentation and audit trail in order.
The V&V procedures forced the production of an extensive set of documentation with audit trails. Overall, this has been an excellent tool in defining the total software package and has been an aid in problem solving. Because of the 'ypes of documentation produced, the milestones associated with the vtclous documents were excellent project management tools.
Question 620.4 (Unreviewed Safety Questions):
Provide conclusions regarding unreviewed safety questions or changes to technical specifications.
Response
Since an operating license for Millstone Unit No. 3 has not yet been received, this item is not directly applicable. Unreviewed safety question determinations made pursuant to 10 CFR 50.59 and changes to technical specifications only relate to operating plants. The SAR submitted in Reference (1) represents our safety evaluation for the Millstone Unit No. 3 SPDS and at this time we foresee no technical specifications pertaining to the SPDS.
Question 620.5 (Implementation Plan):
Provide a schedule for full implementation of the SPDS including hardware, software, operator training, procedures and users manuals.
Response
Our SPDS implementation plan was initially submitted to the NRC Staff in Reference (4). This implementation plan was subsequently revised in Reference (3). The two-phase approach proposed in Reference (3) was approved by the NRC Staff in Reference (5).
L
f l
j i
i l
i i
i l
PAGING SPDS-FUNCTION SELECT
" ^
STATUS PRINT FWD BACK 1
2 3
4 j
CR N1 l
l PARAMETER RECALL lhEN 5
6 7
8 DOP NSSS UTIL SCRN LVL IN EG CTMT PLNT CSF RAD 9
10 11 12 i
ENTER UP/DWN REL SNSRS FIGURE 1 PROCESS COMPUTER FUNCTION KEYBOARD
i i
J i
i 1
1 1
1 4
L 9:59:36 i
i APPEARANCE OF B A SIC SPDS CSF DISPL A Y l
1 i
SUB CORE HEAT RCS RCS RAD CTMT' CRIT COOL SINK INTG INVN REL 1
9 t
)
1 I
[
SUSCRiT CORECOOL HEAT StNn RCS INTEG CTMT RCS INVN RAD REL S 2 1
C 2 S
H 1
0 P 2 J 3 ii g
i I
FIGURE 2 i
~
11:10:50 OPERATOR INTERFACE LEVEL 1 i,
SUBCRITICALITY CSF
,l F1 F2 F3 F4 l
STATUS
. SUPPORTING TIME 2
STATUS TREE VARIABLES VARIABLES HISTORY i
4 1
i F5 F6
- l F7 F8 L;I 1
i.
1 s
i.
F9 F10 F11 F12 j
i i
i 1
'l i
i FIGURE 3.0 I
11:10:50 OPERATOR INTERFACE LEVEL 1 CORE COOLING CSF
?
F1 F2 F3 F4
- .. SUPPORTING : :
TIME STATUS STATUS TREE VARIABLES : :
VARIABLES HISTORY i
F5 F6 F7 F8 PRESSURE- *
- SUBCOOLING : :
REACTOR
- TEMPERATURE : : SUPERHEAT : :
VESSEL PLOT
- l LEVEL F9 F10 F11 F12
. e
. e e....................
e
...e.....................
FI G U R E 3.1
11:10:50 OPERATOR INTERFACE LEVEL 1 HEAT SINK.CSF
?
.................................................e....................................
~..
F1 F2 F3 F4 O
e O O O e e 8
e e e e e e 9
STATUS STATUS
- SUPPORTING : :
TIME TREE VARIABLES :
- VARIABLES HISTORY O
O O e G e 4 e
O
. e e O e O O
4 O
O 4
4 9 9
e e e e e e e O
9 9
. e 0 9 9
6 9 O O
e e
O O
99999999999999609996999999999999eteteeeeeeee90eceeeeeeeeeeeeeeOGO9999996ee99994089eG999 O
O 999999999999e999999999999999900eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee00000000999999664e89994 e O
O O
9 e O
O O
O 9 O O O e
0 e
0 e e e
9 9
6 e
9 e
4 e S 8 e
F5 F6 F7 F8 4
G G
e 9 0 9
9 6
O O
e O O O
O e
O e e 9 9 e
9 9
9 9 e 0
e 0
e e 9
e O
O O
O O
9 9
9 9
4 O 9
0. 9 e e 8 e e
9 9
9 9
9 9 e
O O
O O
e 9 O O
G 9
e
- G S
O 9
O O
e O O O
9 9 9 9 4 e 9 O
O O
O o
O 99999994 999 999604494999998#O99999999999999999999999999999999999999999999999600000000e e
e 99999999999999999999999999999999999999999999999999999999999999999999999969996690080999e e
O O
e e e e 6
O O
O e e O e 9
e O
9 e e o e O
O 4
9 e e e 9
O G
S e 9 e F9 F10 F11 F12 O
9 e
O e O e O
9 9
9 e e e e 9
G e e e e e
e O
e o O e O
G G
G G e S e G
9 8
8 9 e 9 e G
9 0
0 O e 9 e 9
9 9
O e e O e e
O O
O O e e e
.e 9
O O
O e O e O
9 O
e e e e 9
O O
9 O
O e
O
.e O
O O
O e
O O
O O
O e
9 O
e 9e999999999999996344e3360004eee49999eceeeece.eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.eeeeecee FIGURE 3.2 a
E 11:10:50 OPERATOR INTERFACE LEVEL 1 i
l
=
F1 -
F2 F3 F4 STATUS STATUS
- SUPPORTING :
TIME TREE VARIABLES : :
VARIABLES : :
HISTORY i
1 i
j
)
F5 F6 F7 F8 3,
i 1
,i l
I 4
I F9 F10 F11 F12 i
1 t
4 j
j l
g
.....................e.....................
1 i
l i
f
.I j
FIGURE 3.3 i
11:10:50 OPERATOR INTERFACE LEVEL 1 CONTAINMENT CSF F1 F2 F3 F4 status STATUS
- SUPPORTING : :
TIME TREE VARIABLES VARIABLES HISTORY F5 F6 F7 F8 F9 F10 F11 F12 l
l I
L
(
FIGURE 3.4 l
11:10:50 OPERATOR INTERFACE LEVEL 1 INVENTORY CSF
?
............e..............G................G....G............G..G...........G........
e e
F1 F2 F3 F4 G.
9 O O O 6 e O O
STATUS STATUS
- : SUPPORTING :
TIME O
TREE VARIABLES : :
VARIABLES HISTORY O
O O O
O O O O
9 O e e e e O O
G S 9 9 9 6 S G
G G e e O #
9 O O 9
e O O O
9 e e e e e e O
89999999999999999999999999999940890eetetetete999eeGeeeeeeeGeGGGGGGG990GGGGS############
e G
GGGG9999990eeeeeeeeeeeee990eseGeeeeeeeeeeeeeeeeeeeeeeGGeeeeeeeeeeeeeeeeGetteeeeeGeteGG e 6
O O
e o 9
- O O
O 9
O e G
- O e
e e e e G
G e
G G e 9 8 G
G G
G e 9
F5 F6 F7 F8 O
9 9
e e O O 9
e e
G e e 9
9 e
O O
O O
9 O
G G
G G e e #
9 6
e G
e e G
G G
G G
G e
9 9
9 9
9 e G
e G
G e e G
e 9
e e O 9 O
O O
O O e 9 9 9
9 e G e e 9
e o e e
e e
e.
e.
o.
O O
O O e O O O
99994499999999499994e99999999.ee08044e98990099999999999999900e90GGGGeeeeeeeeeeeeeeeeege e
G 99999999999999484949049999999999990G989999999999999999999999999999999999999999999999999 O
e 9
e e e e e
D O
G G e G G O
O O
O O 9 e 9
O O
9 9 9 9 e 9
O O
O O O O e O
F9 F10 F11 F12 G
O 9
O O e e e O
O O
O O
O O e O
O O
9 O O O e O
O G
G G G 9 e G
e e e e e e o O
e G
G 9 e 9 e S
9 S
S e e G g 9
9 4
9 e e G e 9
9 O
e e O e 6
O O
O e O e O
O O
O O e e e G
9 e O 9 O O e O
O G
G e e e e G
e G
9 e e 9 e G
9999999999999999999999999999999999999999999999999999999999994#9999999999999999889999996 FIGURE 3.5
11:10:50 OPERATORINTERFACE LEVEL 1 RADIATION RELEASE CSF
?
F2 F3 F4 F1 -
status STATUS TIME
- VARIABLES ::
HISTORY F5 F6 F7 F8 F9 F10 F11 F12 g
.g
. g
. g
.e
. e
. e
..e....................
FIGURE 3.6
4 i
t 1
l 1
i I
a 1
10: 1:36 SUB CRIT i
POWER AB i
TRIP IR SUR FR-S1 SIGNAL POS8T8vE Y
p IR SUR MORE POWER POSITIVE THAN FR-S2 BELOW 5%
-0.2 D P M 3
SR l
- OFF*
IR SUR MORE l
NEGATIVE THAN l
-0.2 D PM
,j IR SUR ZERO OR NEGATIVE SR SUR i
POSITIVE POWER: XXX (%)
SR INTER RANGE SUR: XXX DPM SR SUR SOURCE RANGE SUR: XXX DPM ZERO OR NEGATIVE FIGURE 4.0 t
l l
1 10: 3:42 CORE COOL CORE EXIT TCS ABOVE 1200 F i
CORE EXIT TCS FR-C.2 l
ABOVE 700 F l
SUBCOOL MARGIN LESS THAN (X) F i
l Rvtus BELOW 19 %
FR-C.2 CORE EXIT TCS BELOW CORE EXIT 700 F RVLMS EQUAL l
TCS BELOW OR ABOVE 19%
3200 F FR-C.3 SUBCOOL M ARGIN MORE THAN (X) F CORE EXIT TCS: XXXX F SUBCOOL MARGIN: ( X X X) F PLENUM LVL: XXX%
FIGURE 4.1 l
i n
w.
~
t 10: 2:33 4
i TOTAL FW FLOW BELOW (X)
{
FR-H.1 i
NR LVLS ABOVE (X) PSIG FR-H.2 l
BELOW (X)%
ANY SG NR LVL TOTAL FR-K3 FW FLOW l
t ABOVE (X) i ANY SG PRES ABOVE (X) PSIG ALL S FR-H.4 l
ANY SG NR PRES LVL ABOVE BELOW (X)
ALL SG (X)%
P SIG NR LEVELS ANY SG NR I
LVL BELOW l
BELOW FR-H.5 (X)%
(X)%
j ALL SG TOTAL FW FLOW: XXXX GPM PRESS 2
3 4
1 lXXX
( '
XXX XXX D%
l SG LEVEL: XXX PSIG ALL SG NR SG PRESS: XXXAlXXXX XXXX XXXX D PSIG LVLS ABOVE (X)%
FIGURE 4.2
I 1
i 1
l 1
i i
l 10: 5:35 RCSINTEG l
ANY PRES / COLD LEG TEMP FR-P.1 i
LEFT OF *A*
ANY
[
COLD LEG l
TEMP DEC ANY COLD LEG ABOVE BELOW (X) F 100F IN ALL PRES / COLD LEG LAST HR.
ANY COLD LEO TEMP RIGHT OF FR-P.1
'A ALL COLD LEGS SELOW (Y) F ABOVE (X) F ALL COLD LEGS ABOVE (Y) F l
l I
I ANY COLD LEG L
FR-P.2 RCS PRES BELOW (X) F l
ABOVE COLD i
COLD LEO ALL COLD LEGS
{
TEMP BELOW O/P LIMIT FR-P.1 i
ABOVE (X) F (Z) F RCS PRES BELOW OIP LIMIT p
BELOW 100F IN COLD LEG LAST HR TEMP ABOVE (Z) F LAST HR TEMP DEC: XXX DF RCS PRES: XXXX PSIA L1 L2 L3 L4 RCS CL TEMP: XXXDF XXXF XXXF XXX F s
i j
l l
i i
l i
)
I 2
)
i i
i 10: 3:7 CTMT CTMT PRES t
FR-Z.1 ABOVE (X) PSIA I
l CTMT PRES FR-Z.1 I
ABOVE (Y) PSIA CTMT PRES I
j FR-U j
LVL ABOVE l
(X) GAL l
CTMT PRES
^
BELOW (Y) PSIA FR-M ABOVE (X)
l
' SUMP LVL: X.XEX G AL LVL BELOW
( ' ^'
l CTMT RAD: X.XEX R/HR CTMT RAD f
i BELOW (X) t FIGURE 4.4 i
l l
l l
(
1 t
i i
I 4
10: 4:14 RCS INVENTORY
\\
RVLMS HEAD FR-l.3 NOT FULL PZR LVL j
ABOVE (XM
[
RVLMS HEAD I
FR-l.1 i
FULL i
I L
PZR LVL FR-L2 BELOW(XM PZR LVL I
BELOW (Y)%
RVLMS HEAD 1
FR-L3 l
NOT FULL I
PZR LVL PZR LVL: XXX%
ABOVE (Y)%
HEAD LVL: XXX %
RVLMS HEAD PLENUM LVL: XXX %
FULL I
l I
FIGURE 4.5 l
I i
i.
1 i
j i
1
.i r
I i
10: 4:51 RAD RELEASE STATUS i
I i
SENSOR LOCATION CONDITION DATA
)
i VENTILATION VENT OVER 0 4 X.X E-X UC/CC NOBLE GAS MONITOR sRAVO l
j SLORS O VE R So X.X E+X UC/CC NOBLE GAS MONITOR C H A RL IE 2 r
i i
i l
MAIN STEAMLINE SKND X.X E-X UC/CC f
RAD MONITOR NO RELEASE i
l l
AUX FEEDPUMP O VE R SK GNO X.X E-X UC/CC l
RAD MONITOR MINOR FIGURE 4.6
d l
1 10: 6:39 SUBCRIT SENSOR DATA I
POWER BREAKERS DATA SENSOR XXX NMP NM41F 1st OUT TRIP SIGNAL XXX 42F PRESENT (ABSENT)
XXX 44F BREAKERS OPEN TBM RX INTERMEDI ATE (^""8)
' ' 88 )
DATA SENSOR
- x. x E +x Nui Nu3ss FISSION COUNTERS X X.X E-X 368 WIDE RANGE (%)
i DATA SENSOR 5
SOURCE RANGE ( " *)
X.X E +X (L A TE R) ma um i
SOURCE R ANGE (CPS)
DATA-SENSOR 1
X.X E +X NMS NM 31F X. X E -X 32F (L A TE R)
(L ATER) i
^
IA POWER SENSOR OFF NMS NC 31H ON 32H FIGURE 5.0
10:10: 2 CORE COOLING SENSOR DATA i
- HIS L00P.2 XXXX LOOP 3 C14 E14 G14 J14 L14 N14 A
B XXXX XXXX XXXX XXXX XXXX XXXX HEAD XXX XXX PLENUM XXX XXX C12 E12 G12 J12 L12 N12 XXXX XXXX XXXX XXXX XXXX XXXX Ato C10 E10 G10 J10 L10 N10 R10 RCS PRES "8'^
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX RA N A8 C8 E8 G8 J8 L8 N8 R8 DATA SENSOR XXXX XXXX Xxxx XXXX XXXX XXXX XXXX XXXX XXXX RCS P403 A8 C6 E6 G6 J6 L8 N6 RC XXXX P405 XXXX XXXX XXXX XXXX XXXX XXXX XXxx XXXX NARROW RANGE C4 E4 G4 J4 L4 N4 XXXX XXXX XXXX XXXX XXXX XXXX DATA SENSOR l
C2 E2 G2 J2 L2 N2 l
XXXX XXXX XXXX XXXX M XXXX XXXX P456 i
H1 XXXX P457 I
LOOP 1 XXXX M
XXXX P458 DATA EE TEMP BELOW 700F 3 TEMP BETWEEN 700&t200F LOW T E M P: XXXX 3 TEMP ABOVE 1200F FIGURE 5.1 l
10: 7:20 HEAT SINK SENSOR DATA SG1 SG2 SG3 SG4 MAIN FW FLOW (LB/HR)
X.X E X F510 X.X E X F520 X.XEXO F530 X.X E X F540 X.XEX 511 X.X E X 521 X.XE X 531 X.X E X 541 AUX FW FLOW (GPM)
XXX F51A XXX F338 XXX F33C XXX F51D MSS SG PRES XXXX P514 XXXX PS24 XXXX P534 XXXX P544 xxxx Si5 xxxx 525 xxxx 535 xxxx 545
,,,,,3 XXXXD 516 XXXX 526 XXXX 536 XXXX 546 SG LVL FWS XXX L517 XXX L527 XXX L537 XXX L547 NR (%)
XXX 518 XXX 528 XXX 538 XXX 548 XXX 519.
XXX 529 XXX 539 XXX 549 FIGURE 5.2
10: 7:65 RCS INTEG SENSOR DATA COLD LEG RCS PRES '"8'^'
t LAST HR TEMP DECREASE: XXX F NARROW RANGE DATA SENSOR TE MPE R A TURE: (WR, F)
XXXXD P456 LEG DATA SENSOR XX:X P457 1
XXX RCS T4138 XXXX P458 2
XXX 4238 WIDE RANGE 3
XXX 4338 DATA SENSOR 4
XXX 4438 XXXXG RCS P403 XA4X P405 i
FIGURE 5.3
10:8:36 RCS INVENTORY SENSOR DATA PZR LEVEL (')
i DATA SENSOR XXX RCS L459 XXX 460 XXXD 461 HEAD LEVEL (')
i DATA SENSOR XXX TRAIN A XXX TRAIN 8 i
PLENUM LEVEL (')
DATA SENSOR XXX TRAIN A XXX TR AIN B FIGURE 5.4
I 10:12: 3 RAD RELEASE SENSOR DATA NOBLE OAS:
DATA SENSOR i
VE NTIL A TIO N VENT MONITOR:
X. X E-X HVR 10B SLORS MONITOR:
X.X E+ X HVR 19B AUX FEEDPUMP R AD MONITOR:
X. X E-X MSS 79 l
MAIN STEAM SG1 SG2 SG3 8G4 SVV SVV SVV SVV SAFETY &
CLOSED F28A CLOSED F28B OPEN F28C CLOSED F28D DUMP V ALVE CLOSED F29 CLOSED F29 CLOSED F29 CLOSED F29 POSITION OPEN F30 OPEN F30 OPEN F30 CLOSED F30 CLOSED F31 CLOSED F31 CLOSED F31 OPEN F31 CLOSED F32 OPEN F32 OPEN F32 CLOSED F32 STEAM LINE MSS RAD MONITORS X.X E-X 75 X.X E+ X 76 X.XE-X 77 X.X E-X 78 FIGURE 5.5
10: 9:20 PRESSURE TEMPERATURE PLOT M
TIME BASE 3000 di 5 MIN 1
TIME BASE 2500d i
TO GET PUSH 5 MIN F9 e
30 MIN F10 2000MI 60 MIN F11 PSI 1500di a
1000 Mi SENSOR DATA 0-TC X X X F e-TH XXX F
T TC F5 00 200 300 400 500 600 700 TH F6 CETC F7 DEG F SUBCOOLED LIMIT PRES: XXXX PSIA FIGURE 6.0
10:11:21 SUBCOOL-SUPERHEAT CORE MARGIN CONDITIONS tOOP 2 XXX C14 E14 G14 J14 L14 N14 XXX XXX XXX XXX XXX XXX C12 E12 G12 J12 L12 N12 XXX XXX XXX XXX XXX XXX Ato C10 E10 010 J10 L10 N10 R10 XXX XXX XXX XXX XXX XXX XXX XXX A8 C8 E8 G8 J8
.L8 N8 R8 XXX XXX XXX XXX XXX MXX XXX XXX A6 CS E6 G6 J6 L6 N6 R6 XXX XXX XXX XXX XXX D' X X XXX XXX C4 E4 G4 J4 L4 N4 XXX XXX XXX XXX XXX XXX C2 E2 G2 J2 L2 N2 XXX XXX XXX XXX XXX XXX H1 LOOP '
XXX LOOP 4 ADVERSE CTMT M ARGIN SENSOR BEST CETC: XXX F XXX E ABOVE SATUR ATION WORST CETC: XXX F XXX 4 ABOVE SUBCL LIMIT RCS PRES: XXXX PSIA FIGURE 6.1 mSuBCOOLEo I
I l
L
10:10:43 RPV LEVEL-ICC l
LEVEL TR AIN A TR AIN B HE AD REGION 100 %
100 Q%
UPPER PLENUM XXX%
82 %
TC TEMPERATURE:- (')
UHJTC COV/
TEMP UNCOV TEMP UNCOV HD RGN 100 XXXX C
XXXX U
63 XXXX C
XXXX C
UPR PLM 100 XXXXE U
XXXX C
l 82 XXXX C
XXXX C
e4 xxxx C
xxxx C
47 XXXX C
XXXX C
32 XXXX C
XXXX C
19 XXXX C
XXXX C
FIGURE 6.2
- f c
. r.
.. h:
{
?
~
- Docket No. 50-423'.
11 3
Attachment No. 2 P
Millstone Nuclear Power Station, Unit No. 3 1
Response' to'NRC Staff's Letter Dated January 18,1985 s
N, e
s 4
May,1985
(
i 4
?
i5' 4-,
.,.,,,-,.,,-,,.....,,,,,-,-n....-.-a
Response to NRC Staff's Letter Dated January 18,1985 Item' No.1:
Phase.1 must include implementation of electrical and electronic isolation.
. suitable to prevent interference with equipment and sensors that are used in safety systems.
Response
Phase I-will ' include implementation of adequate electrical and electronic
~ isolation. A discussion of such isolation is contained in Attachment No.1.
- Item No. 2:
Ph'ase 1 must include implementation of a parameter set that is acceptable to the staff.'. The inclusion of necessary parameters cannot be deferred beyond fuel.
load.~
Response
Specific NRC Staff concerns regarding our parameter selection were provided in Reference (6). Our response to these concerns is included in Attachment No. 3.
Item No. 3
. The staff is unsure of the meaning of the Phase il feature described as, " Plant variable information to aid critical safety function assessment and execution of emergency operating procedures..." Based on the teleconference between the staff and Northeast Utilities on December 7,1984, the staff assumes that this phrase' means "information that is helpful to - the operator for non-SPDS functions, such as event diagnosis." On that basis the staff -concurs that this feature may be deferred to first refueling. If the staff's assumption about the
. meaning of this phrase is incorrect, the applicant should provide further information to clarify the meaning.
Response
The NRC Staff's assumption is correct. This Phase II feature is not necessary to provide the SPDS users with adequate information to determine the safety status of the plant. -However, some displays may be identified that would be useful primarily to aid the operators in the execution of the emergency operating procedur es. As indicated in Reference (3), it may not be necessary to develop any additional displays. As such, the SAR has been appropriately revised.
Docket No. 50-423 4 -.
f 4
Attachment No. 3 Millstone Nuclear Power Station' Unit No. 3 Response to NRC Staff's Letter Dated March 18,1985 s
7 E
~.
May,1985 l' J e vag s,w-~-
-s
, a
-r--,w,--w-+--~---
e-o --
www- ~
v~-=nw=mvo-c--r~,-,->m-~~~---~e en-,
= ~ *--- - - --
.o Response to NRC Staff's Letter Dated March 18,1985 The NRC Staff identified seven (7) variables in Reference (6) that may not have already been included in our SPDS. We were requested to address these variables and their functions by:
(1) adding the recommended variable to the Millstone Unit No. 3 SPDS, (2) ' providing alternate added variables along with justifications that these alternates accomplish the same safety imctions for all scenarios, (3) providing justification that variables currently on the Millstone Unit No. 3 SPDS do in fact accomplish the same safety f unctions for all scenarios, or (4) identifying that these variables are in fact available from the SPDS console.
It is important to note that the Millstone _ Unit No. 3 SPDS is part of the plant process computer. As such, SPDS users have direct access to the plant process computer from all SPDS consoles. In addition, our SPDS has been designed with sufficient flexibility to allow for necessary expansion of our SPDS in the future due to revisions to the Westinghouse Owners' Group ERGS or for other reasons.
Each of the seven (7) variables identified by the NRC Staff are discussed below:
1.
RHR Flow -
We have considered RHR flow for inclusion as a SPDS variable and we have concluded that it is not necessary for critical safety fmetion monitoring.
However, RHR flow is available as an input to the plant process computer.
Thus, it can be displayed, as required, as part of the plant process computer displays. Since plant process computer displays are accessible from all SPDS consoles, RHR flow is available from any SPDS console.
Availability of RHR flow from any SPDS console is consistent with the fourth option identified by the NRC Staff.
The SPDS design philosophy is to provide the minimum, yet complete, set of variables necessary to monitor the critical safety functions. As such, only those parameters that directly monitor the critical safety functions have been included. Secondary variables and variables verifying system operation have not been included.
The variables monitored for core cooling are:
reactor coolant system subcooling, core exit temperature and reactor vessel level. These are sufficient to monitor challenges to core cooling. The RHR system is one of a number of systems providing core cooling.
The set of core cooling variables, monitored by the SPDS, cover failures of core cooling systems, including RHR. RHR flow is a system verification variable rather than a direct measure of core cooling and as such, need not be included as a SPDS variable.
, In addition, the 'RHR system is primarily used in the later stages of
' transients and normal operation, corresponding to Modes / 5.and 6.
As stated in the Safety Analysis Report, Modes 5 and 6 are beyond the scope of the SPDS design.
Since critical safety function status is based upon the trees developed by
.the Westinghouse Owners' Group, adding RHR flow as a SPDS variable would not alter the status determinaticn scheme. It could be added as part of the SPDS sensor displays. -However, if implemented in this manner, it would add very little to the usefulness of the SPDS. It would not provide Lany more information~to the operators by its inclusion in SPDS than by.its current availability through the plant process computer.
'2.
Containment Isolation We have.- considered ~ monitoring containment isolation and we have concluded that it is not necessary for critical safety function monitoring.
As discussed previously, variables verifying system operation have not been
~ included in SPDS.
Containment isolation verification falls into this category.
Upon receipt of a containment isolation signal, the operators will confirm that proper isolation _ has occurred.
This can be easily ~ performed by examining the ESF status panel.. When a containment isolation signal occurs, the containment isolation section of the panel will show a lit condition. Any non-lit' portions of this section will indicate an improper
-_ isolation condition to be corrected by operator action. This indication is backed up by valve position indication on the main control board.
- The' ESF status panel provides a concise, highly visible indication.of the containment isolation status. It is located on 'one of the main control boards directly across from the SPDS console station, which consists of a plant process computer /SPDS CRT and two keyboards. The ESF status panel is clearly visible and easily monitored at this SPDS console station by the' Senior Reactor Operator (s)' who are responsible for the overview fmetion.
Because of the number of valves involved in containment isolation, status indication for all the valves is not provided as input for the plant process computer.
Even if they were, we believe that the ESF status panel provides as good indication of containment isolation status as would be
" displayed on the plant process computer. Thus, we have concluded that containment isolation status need not be monitored by the plant process computer or included in our SPDS.
3.
Containment Hydrogen Concentration We have considered containment hydrogen concentration-and we have concluded that it need not be included in our SPDS. However, Millstone Unit No. 3 is equipped with hydrogen monitors that are included as input to
- the plant process computer. Thus, containment hydrogen concentration
.x
... can be displayed, as required, from any SPDS console. Availability of containment hydrogen concentration from any SPDS console is consistent with the fourth option identified by the NRC Staff.
Containment hydrogen concentration is an important variable for long-term containment integrity management. However, it is a slowly varying parameter for which sampling is one of ~ the primary means of its determination.
Because the analysis from the Post Accident Sampling System (PASS) is one of the primary means. of determining hydrogen concentration when required by the EOPs, it is not amenable to monitoring by the SPDS.
Since critical safety function status is based upon the trees developed by the Westinghouse Owners' Group, adding the output from the hydrogen monitors would not alter the status determination scheme. It could be added as part of the SPDS sensor displays.
However, it would be unvalidated by the PASS analysis and, if implemented in this manner, would add very little to the usefulness of the SPDS. It would not provide any more information to the operators by its inclusion in SPDS than by its current availability through the plant process computer displays.
As is the case with any variable, hydrogen concentration may be included in the critical safety function status determinatior. scheme by revision of the status trees by the Westinghouse Owners' Group. If this occurs, we will review the changes to determine if the revision should apply to the Millstone Unit No. 3 Emergency Operating Procedures. If a revision is appropriate, the SPDS design will also be revised. However, such a revision will not occur prior to fuel load.
- 4..
Hot Leg Temperature Hot leg temperature has not been included as an SPDS variable for critical safety function monitoring. However, hot leg temperature is available as an input to the plant process computer and can be displayed, as required, from any SPDS console. Availability of hot leg temperature from any SPDS console is consistent with the fourth option identified by the NRC Staff.
While hot ' leg temperature is 'an important. parameter for monitoring natural circulation, it is a secondary parameter for monitoring core cooling. Natural circulation is one of several ways of removing decay heat.
By monitoring reactor coolant system subcooling, core exit temperature and reactor vessel level, all modes of core cooling are addressed. The set of core cooling variables monitored by the SPDS covers failures, including loss of natural circulation. In keeping with the philosophy of a minimum, yet complete, set of variables for SPDS, hot leg temperature need not be included.
The highest-hot leg temperature has been included in the Pressure -
L Temperature plot-for the ICC displays on the SPDS.
However, these displays and the associated variables in these displays are not necessarily
4_
related to critical saf'ety' function monitoring. As stated in the Safety Analysis Report, these displays were included to resolve'a potential Human Engineering Discrepancy associated with the Class IE ICC displays.. The
' inclusion of hot leg temperature in the ICC display does not af fect the core
- cooling critical safety function status determination.
5.
' Cold Leg Temperature Col _d leg temperature _is a-variable monit'ored by SPDS for the RCS Integrity Critical Safety Function. It is monitored directly for cold over -
pressurization concerns and indirectly through cooldown rate.
It is
. included in the supplementary SPDS displays that show the sensors used to determine critical safety function status.
6.
Intermediate Range Neutron Flux Intermediate range neutron flux is indirectly used in.the critical safety function monitoring of subcriticality as an input to startup rate. As such, it is included in the supplementary SPDS displays of sensor input to the critical safety function status determination.
?7.
-Source Range Neutron Flux Source range neutron flux is indirectly used in the critical safety function monitoring of subcriticality as an input to startup rate. As such, it is included in the supplementary SPDS display of sensor input to the critical safety function status determination.
In addition,' the NRC Staff indicated in Reference' (6) that we had not demonstrated how radiation in the secondary system (steam generators and steamlines) is monitored by the SPDS when the steam generators and/or their steamlines are isolated.
The main steamline radiation monitors listed in Appendix B to the SAR are located upstream of the main steamline isolation valves and, as such, provide adequate indication of radiation levels in the secondary system even if the isolation valves are closed.
L
e.
Docket No. 50-423 Attachment No. 4 Millstone Nuclear Power Station, Unit No. 3 Safety Analysis Report Revision 1 May,1985
Tame of Contents 1.0 -Introduction
~1.1' Summary of the Safety Analysis 1.2 Discussion 1.3 - NRC Criteria 2.0 SPDS Design Description 2.1 Overview 2.2 SPDS Definition 2.3 SPDS Availability 2.4 SPDS Use and Location -
2.5 Modes of Operation 2.6 Display Flexibility 2.7 Data Storage 2.8 Signal Validation 2.9 Electric Power Sources 2.10 Electrical Separation i
3.0. SPDS Critical Safety Function and Variable Selection 3.1 Selection Process 3.2 Critical Safety Functions 3.3 ~ Critical Safety Function Variables 3.4 Radioactivity Release Function 3.5 Radioactivity Release Variables 3.6 Instrumentation 3.7. Analytical Basis for Critical Safety Function and Variable Selection 3.8 Emergency Response With and Without SPDS 4.0 SPDS Displays 4.1 Display Philosophy 4.2. Primary Displays 4.3 - Secondary Displays 4.4 Other Displays 4.5 Display Change 4.6 Variable Status Indication 5.0 Signal Validation 5.1 Introduction -
5.2 The Validation Process 6.0 Verification and Validation (V&V) 6.1 Verification and Validation Overview 6.2 SPDS Verification and Validation l
6.3 ' Verification and Validation of the Emergency Operating Procedures I
Table of Contents (Cont.)
. 7.0 Human Factors Engineering 7.1 Human _ Factors Engineering l
7.2 Human Factors Design Guidelines 8.0.
Conclusions -
Tables Figures Appendices:
A.
Instrumentation for Critical Safety Function Monitoring B.
Instrumentation for Radioactivity Release Display l
l.
{
t e
6-t*ee-
+.w w
rpe,-,
='e--
M-s-
7-
1.0 INTRODUCTION
1.1 Summary of the Safety Analysis This report provides a written safety analysis for the Millstone Unit No. 3 Safety Parameter Display System (SPDS). Information is provided to show that the SPDS is being designed to meet the provisions of Supplement I to NUREG-0737.
The'SPDS is part of an Emergency Response Information System (ERIS) that combines all plant process computer functions for emergency response tasks.
The critical safety functions were selected to be consistent with the Westinghouse Owners' Group Emergency Response Guidelines from which Millstone Unit No. 3 Emergency Operating Procedures (EOPs) are being developed. The SPDS displays are being developed with the consideration of human factors principles. Signals
-input to SPDS shall be evaluated for quality and validation. A verification and validation program will be conducted, including an independent review of the SPDS.
In this manner, a SPDS design is being developed that will provide an effective aid to the operators in determining the safety status of the plant during abnormal and emergency conditions.
1.2 Discussion The SPDS is cne part of an integrated emergency response capability. It will be consistent with the Emergency Operating Procedures (EOPs) and the Operators' Training Program. For Millstone Unit No. 3, the EOPs will be based upon the Westinghouse Owners' Group Emergency Response Guidelines.
The Emergency Response Guidelines (ERGS) are composed of:
Optimal Recovery Guidelines and Emergency Contingencies l
o o
Critical Safety Function Status Trees and Restoration Guidelines The Optimal Recovery Guidelines provide guidance for the operator to recover the plant from nominal design basis faulted and upset conditions.
-The Function Restoration Guidelines, when used with the Critical Safety Function Status Trees, provide a systematic means for addressing any challenge to plant critical safety functions, which is entirely independent of initiating event or plant state.
The structure of the Critical Safety Function Status Trees has been carefully chosen to be compatible with the existing basis for operator training, since the status trees provide an explicit tool to re-emphasize the necessity for the operator to be always aware of the state of his plant safety functions. An additional advantage derived from the introduction of the status tree concept directly into the procedures structure is that the operator is provided with a performance aid, to reinforce his training 1-1
'and assist his memory, particularly during'high-stress situations typical of transient or emergency conditions..
From this discussion of the Critical Safety Function Status Trees and the SPDS,~ it is clear that they perform the.same functions and must be
, compatible. ' Thus, the Critical Safety Functions and Variables selection for SPDS has been based upon the Critical Safety Function Status Trees of the Emergency Response Guidelines.
1.3 NRC Criteria' 1.3.1, Supplement 1 of NUREG-0737 Regarding. the SPDS, Section 4.1 of Supplement I to NUREG-0737
. identifies the following NRC criteria:
The SPDS should provide a concise display of critical plant a.
variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, = the ~ principal purpose and function of. the SPDS is to aid the control room personnel during abnormal and
. emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid.~a degraded core.
This can be particularly important during anticipated transients and the initial phase of an accident.
b.
Each operating reactor shall be provided with a Safety Parameter Display System that is located convenient to.the control room
~
operators. This system will continuously ~ display information from
.which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events.
c.
The SPDS shall be suitably. isolated from electrical or electronic interference with equipment and sensors that are in use for safety-p systems. Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available, will be l
developed by the licensee in parallel with the SPDS. Furthermore, operators should be trained to respond to accident conditions both with and without the SPDS available.
d.
The selection of specific information that should be provided for a particular plant shall be based on engineering judgment of individual plant licensees, taking into account the importance of prompt implementation.
l e.
The SPDS display shall be designed to incorporate accepted human L
factors principles so that the displayed information can be readily
. perceived and comprehended by SPDS users.
1 1-2 L
i i
f
]' y
' ~ ~ ~ ~
~
~~
{
\\
7
~.
- f. -
The: minimem information to be 'provided shall be ' sufficient to prov!<Je information to plant operators'about:
.(i)
Reactivity control E-
-(ii)
' Reactor core cooling and heat removal from th'e primary-
~
system
'(iii)- Reactor coolant system integrity 3;
<w
-(iv) -.
Radioactl'vity control 4.-
(v)
Containment conditions-The specific parameters to be displayed shall be determined by'the
- !!censee..
The. remainder of this report defines the extent of compliance of the Millstene Unit No. 3 SPDS with the above NRC diteria.-
1.3.2 Restulatory Guide 1.97 -
The variables. needed to determine the status of the' Critical Safety
~t Functions (CSFs) and Radioactivity Releases are identical to the majority of the' Types A. B, C sr4 E ' var) ables of - Regulatory Guide -1.97, and
. therefore these' variables 'will~ be's major part of the SPDS data base.
~ Type.D varidbles, those needed to assess the performance and availability-
- of safety systems, are not part of the SP,DS data base. Although not part-of' the SPDS, most Type D variables sill be part of the plant process i:
computer data base.
n The design criteria stated in' Regulatory Guide 4.97 for Category I sensors infers'that a third channel may.be required if a' failure of one channel results in information _ ambiguity. The SPDS ddl ha've the capability, if necessary, to use techniques such as analytic redundancy, to determine the valid reading and avoid the sned to install a third channel.
1 1.3.3 Generi6 Letter 82-28 (NUREG-0737 Item II.F.2)
Another designated function of-the SPDS is to monitor e overall status of core cooling adequacy. The Class IE. display for inadequate Core--
' Cooling (ICC) is presently provided in the instrument rack room.. To resolve this potential Human Engineering Discrepancy (HED), the primary ICC display will,be provided via yn SPDS.- In the event that the SPDS is
- not available duhng accident cond tlons, the ICC information will still be available on Class'iE qualifie.1 devices (ICC panels). - As a.-minimum, the i
.SPDS will include the capability to display the following ICC information.
Core map of all co[eixit thefmocouples (CETs).
a.
4.,
1-3
+
- k.,
r __ y _?.
+
b.
Pressure / Temperature Plots with the saturation curve, subcooling to 3000F, superheat to 450F. -
-c.
Time history plots of all ICC-related variables including reactor vessel level and selected temperature inputs.
i
-d.~
Water level in the reactor vessel head and upper plenum.
l 4.
P u
+
i l-4
5 2.0
-SPDS DESIGN DESCRIPTION 2.1 ' Overview One function of the Millstone Unit No.'3 plant process computer system is the supplying of information required for responses to an emergency condition. Because of the need to develop integrated emergency response facilities and data systems to aid in accident management, an Emergency
-Response Information System (ERIS) is being developed for Millstone Unit No. 3.
This system will display information in the Technical Support
~ Center and Emergency Operations Facility. This report covers only those functions of ERIS related to SPDS.
2.2 SPDS Definition SPDS aids the control room operating crew in monitoring the status of the CSFs that constitute' the basis of, the plant-specific, symptom-oriented EOPs. Its principal purpose is to aid the control room personnel during abnormal and emergency conditions in determining-the safety status of the plant and in assessing whether abnormal conditions warrant corrective >
action by operators to avoid a degraded core.
2 2.3 SPDS Availability Although the SPDS need not be a safety-grade system, implementation of a highly reliable, state-of-the-art SPDS is an important design objective.
As a design objective, the availability of the SPDS will be greater than 99 percent during normal plant operation. In this context, design availability-is understood to encompass the following minimal functional capabilities:
1)
The. ability to monitor and display the status of all critical safety functions.
. 2)
The ability to determine the value of all variables which are used in the CSF status determination.
2.41 SPDS Use and Loca' tion SPDS " displays - of. CSF ' status and supporting displays of CSF-related -
parameters will be accessible to operators in the vicinity of the main control board.
SPDS displays that include EOP logic, prompts and algorithm 'information will be available at the control ~ room location where CSF monitoring will occur.
2.5
-Jodes of Operation.
The CSFs defined for Millstone Unit h, 't not appropriate for all modes ' of operation. Specifically, it a asw.ad that a status tree is entered from either a Start-up or Power Operation mode and not from a Refueling or Cold Shutdown mode.
2-1
.4 The design of the SPDS for Millstone Unit No. 3 therefore only requires
' the availability of the SPDS in modes I, 2, 3 and 4 (power operation,-
startup, hot standby, and hot shutdown).-
-2.6 Display Flexibility -
The SPDS hardware and software will have the capability to display plant information in the following types of common formats, both singly and mixed formats:
Alphanumeric prompts, messages and labels EOP status trees Horizontal or vertical bar graphs,if necessary l
Mimic /P&ID displays Multivariable plots vs. time
~ Variable vs. variable plots l
2.7 Data Storage Capability will' be-provided to store up to 375 SPDS variables for the interval from two hour pre-event to twelve hours post-event.-
2.8 Signal Validation -
The.SPDS will have the capability of validating individual signals used in SPDS displays and algorithms by use of simple analysis, checking and
' comparative methods to be specified for each SPDS variable.
2.9 Electric Power Sources The SPDS, as part of the plant process computer system, will be powered from an emergency power supply in the event of loss of offsite power.
l 2.10 Electrical Separation The SPDS, as part of the plant process computer system, will receive signals from both Class ' IE' and non-lE sources.
Adequate ' electrical
. separation _ in accordance with the guidance of Regulatory Guide 1.75 will
-be provided for all signals, power sources and output devices.
2-2
~ 3.0
- SPDS CRITICAL SAFETY FUNCTION AND VARIABLE SELECTION 3.1.
Selection Process The SPDS is being designed to complement the EOPs, that is, to aid the
- operator in implementing the EOPs. It is not. intended to require the
? operator to use the SPDS displays in the transient identifications. The:
major user of the SPDS during a transient would be the senior reactor operator to "see" the overall plant condition and how actions taken by the -
- operator under his direction affect the maintenance of the six critical safety functions.
The plan for operator' response to an Engineered Safeguards System actuation is shown in Figure 1. If the specific event can be diagnosed, the -
operator is directed to use a defined set of procedural steps to effect plant recovery. If no diagnosis;is possible, the operator,is trained to monitor, certain critical safety functions which indicate overall plant
- safety status.- If any safety fmetion is challenged, the operator is directed to a contingency action through an evaluation and identification scheme of the critical safety functions. To complement this plan, the SPDS can be most effectively used to continuously monitor the critical safety functions and assist the operator in the evaluation scheme to determine the appropriate contingency action. In this manner, the SPDS will be consistent with the W Emergency Response Guidelines.
The W Emergency Response Guidelines have identified the critical safety funcitTons (CSFs) and have developed critical safety function status trees for critical safety function evaluation.
The Critical Safety Functions were selected to monitor three barriers to the release of radioactivity. The Critical Safety Functions are associated with the barriers in the following manner:
Barrier Critical Safety Function Maintenance of SUBCRITICALITY (minimize energy production in the fuel)
Maintenance of CORE COOLING (provide adequate reactor coolant for heat removal from the fuel)
Fuel Matrix Maintenance of a HEAT SINK and
-(provide adequate secondary coolant for heat Fuel Clad removal from the fuel)
Control of Reactor Coolant INVENTORY (maintain enough reactor coolant for effective heat removal and pressure control) 3-1
l Maintenance of a HEAT SINK (provide adequate heat removal from the RCS) '
Reactor Coolant Maintenance of Reactor Coolant System System Pressure INTEGRITY
. prevent failure of RCS)
(
Boundary Control of Reactor Coolant INVENTORY (prevent flooding and loss of pressure control)
Containment Vessel Maintenance of CONTAINMENT Integrity (prevent failure of containment vessel)
Situations can arise in which the integrity 'of a barrier is lost and cannot be restored even though all Critical Safety Functions are satisfied. The classic double-ended. guillotine break of reactor coolant system piping constitutes an irrevocable failure of the reactor coolant system pressure boundary barrier. In this situation the reactor coolant system pressure
' boundary barrier is recognized to be failed, and all available resources are ~
directed toward minimizing further degradation of the failed barrier and keeping the fuel matrix / cladding barrier and L the containment barrier intact.
The SPDS will be used to assist in the CSF evaluation by monitoring the:
CSFs, using the same logic as the CSF status trees. This is necessary to facilitate operator use of the SPDS in support of the Millstone Unit No. 3 Emergency. Operating Procedures.
These status trees are shown in Figures 2a-2f.
The SPDS will also display information for Radioactivity Release. A display summarizing Radioactivity Release has been identified to aid the shift supervisor in performing his emergency response function prior to the staffing of the Emergency Response Facilities. Radioactivity Release l
is not a critical safety function, however, since radioactivity assessment has already been factored into the containment CSF.
3.2-Critical Safety Functions The critical safety functions are shown in Table 1 in order of priority.
The status of the critical safety function will be indicated by four states:
o Green - critical safety function is satisfied o
Yellow - critical safety function is not fully satisfied o
Orange - critical safety function is under severe challenge o
Red - critical safety function is in jeopardy 4
3-2
. =.
The state of the critical safety functions will be determined using the status tree logic given in Figures 2a-2f.
3.3 Critical Safety Function Variables The variables for determining critical safety function status will be the decision points in the critical safety function status trees.
These variables are listed in Table 2, grouped by safety function.
3.4 Radioactivity Release Function l
The status of the radioactivity release function will also be indicated by l
four states:
o Green - no abnormal releases o
Yellow - releases exceed unusual event (Delta-2) criteria o
Orange - releases exceed alert (Charlie-1) criteria Red - releases exceed site area emergency (Charlie-2) criteria o
These states were selected to correspond to the Emergency Action Levels identified in the Millstone Nuclear Power Station Emergency Plan.
3.5 Radioactivity Release Variables l
The variables for determining the radioactivity release status were l
selected by identifying all potential release paths for radioactivity. These variables are listed in Table 3.
3.6 Instrumentation The instruments used in measuring the critical safety and radioactivity function variables are given in the Appendices A and B.
3.7 Analytical Basis for Critical Safety Function and Variable Selection The SPDS critical safety functions and variables have been chosen to be identical to the critical safety functions developed for the Emergency Response Guidelines. Thus, the analytical basis for the SPDS selection is the same as the basis for the ERGS. These ERG critical safety function status trees were reviewed and approved for implementation by the NRC in its Safety Evaluation of " Emergency Response Guidelines" (Generic Letter 83-22).
3.8 Emergency Response With and Without SPDS The Emergency Response Guidelines contain CSF evaluations that are simple enough to allow manual evaluations. This manual evaluation will 3-3
- r, x 4.. -
.s be performed 1f the SPDS is not 'available. Since the SPDS is entirely.
- compatible. with ' the; ERGS,. only one set of procedures _ (EOPs) are required.
.e6 3-4
4
'p.
,D-.
g 4.0
?SPDS DISPLAYS 4.1 ~ ' Display Philosophy -
Each. display location : provides independent access to SPDS - displays.
- Displays selected. at one CRT can be different from those displays
~ selected elsewhere.. During an emergency, for example, this would allow.
operators to' select SPDS displays that aid processicontrol actions and permit supervisory ' personnel; to simultaneously view SPDS. displays oriented toward overview and safety assessment.
In order.to maintain' CSF status indication at all times, one SPDS display
'will include indication of the status of each CSF in a format that is common to all SPDS ' displays. CSF status will be supplemented on each' display with a unique set of information and plant data developed to aid
.one or more of the following:
a.
- Assessment / Control of CSF plant variables.
b.'
. EOP Entry Condition Indication.
c.
CSF Status Tree Assessment.
The set of SPDS displays and access controls will be implemented with a -
hierarchy or structure that facilitates and systematizes passage between :
displays. -
4.2 Primary Displays At least one (1) control room CRT will continuously monitor the status of all CSFs during Modes 1,2, 3 & 4. Other information may be displayed simultaneously as long as the status of the CSFs are still able to be determined. CSF monitoring willinclude indication of the need to enter a specific Function Recovery Procedure as defined in the ERGS and EOPs.
Each SPDS display will show a common set of indications of the status of the six CSFs and of Radioactivity Release. Status indication colors will l
correspond to the status colors in the ERGS and EOPs. When any Function Recovery entry condition is-met, this' will be indicated by the CSF to which it applies. The format for presenting this information will be
- common to all SPDS displays.
4.3
' Secondary Displays During normal, transient and accident conditions access will be provided to a'certain number of predefined displays.- These secondary displays will 4-1
E
~
~
support the CSF status indicators and enable the operating crew to
. determine / evaluate : the reasons for changes in CSF status and the
. potential need to enter a Function Recovery Procedure.
The set of secondary displays will consist of at least one display oriented to.each of the following functions. -
a.-
Subcriticality CSF Variables and Status Tree.
- b. -
. Core Cooling CSF Variables and Status Tree.
c.
Heat Sink CSF Variables and Status Tree.
- d. - -
Integrity CSF Yariables and Status Tree.
r e.
Containment CSF Variables and Status Tree.
f.
Codant Inventory CSF Variables and Status Tree.
4.4 Other Displays A set = of supporting displays will be generated for displaying other
~ important information such as-a)
Plant variable information to aid CSF assessment and EOP execution,if necessary.
l b)
Inadequate core cooling variables not included in the primary display of core cooling CSF variables.
4.5 Display Change Each secondary display will be accessible through a menu.
Once a secondary display is presented on the CRT, other supporting displays can be accessed in a timely manner.
All display page changes will be-operator initiated and not computer initiated.
4.6 Variable Status Indication All SPDS variables will be displayed with a visual indication of the associated quality level as determined by SPDS data processing and validation,. e.g.,
invalid or unvalidated variables could be tagged.
Appropriate visual indication will also be available on displays of SPDS variables when out-of-scan, substituted or dummy signals are involved.
4-2 ra
4 5.0
' SIGNAL VALIDATION 5.1 Introduction The use of misleading data by the SPDS should be avoided since it can adversely affect the quality of many variables. Sources of misleading data include sensors that fail, peg, or are removed from scan and instrumentation that drifts.
Signal validation techniques will be-incorporated into the sof tware processing to reduce the chance of using inappropriate data.
5.2.
The Validation Process Sensor signals used by the SPDS will undergo pass / fait processing, range limit checking and signal validation, as appropriate, before being used in the algorithms which determine the status of the safety functions. The quality of a plant parameter is indicated by its quality tag. The validation process is as described below:
Pass / fait processing determines whether or not a sensor signal is in a.
scan, the multiplexor communication interface is operating within design limits, and the analog / digital converter drift is within design limits. A senser signal failing pass / fail processing is assigned an invalid quality tag.
b.
Range limit checking assures that a sensor signal is above the lower five percent (typical value) and below the upper five percent (typical value) of its ir:strument range. A sensor signal not within the range limit is assigned an unvalidated quality tag.
c.
Signal validation determines whether or not a sensor signal is consistent with other redundant signals within a specified error band.
A sensor signal failing signal validation is assigned an unvalidated quality tag and one passing is assigned a validated quality tag.
Validated parameters will be used by the SPDS to evaluate the status of the safety functions. Presentation of information for the SPDS will be associated with quality tags which will indicate the quality of the processed sensor signal and the quality of calculated variables.
Four distinct quality levels will be used:
Validated Applies when redundant sensor signals or analytically derived variables are compared within a specified error band, pass limit checking, and pass Pass / Fail.
Unvalidated -
Applies when a sensor signal is correctly processed through Pass / Fail but is not validated by comparison with another sensor (s) or analytically derived variables, or f ails limit checking.
Invalid Applies when a sensor signal fails Pass / Fail.
5-1
i Substituted -
Applies when a substituted value is used'instead of the actual sensor signal.
Substituted values are treated as Invalid by the_SPDS algorithms.
The approach to signal validation implemented on the Millstone Unit No. 3 -
- SPDS. is : based on' the parity space concept _ for fault detection and isolation developed at-C.S. Draper Laboratory for nuclear plant applications. ; The PARITY software module is adapted for use on the
_ Millstone Unit No. - 3 plant process computer.
The standard use of PARITY is.to evaluate each plant parameter based on three to five redundant sensor signals, and to provide a composite best estimate of the-parameter along' with an indication of the quality of the estimate.
Additional software was developed to make_ non-standard decisions, to revise the quality. tag for each inconsistent sensor signal and to estimate parameters having only two redundant sensor signals.
It is believed that the described use of signal validation will provide input to the SPDS that:
a.
is-purged of inconsistent signals when remaining signals are consistent, b.
is chosen using pre-established decisions if sufficient consistency is lacking, and -
c.
is tagged to inform the operator of its quality status.
Thus, the process is designed to provide extra reliability and to reduce decision-making-overhead in emergency situations.
5-2
c.
-~
6.0 VERIFICATION AND VALIDATION (V&V)
~ 6.1 Verification and Validation Overview This section provides an overview of the system verification and validation program. The objective _ of the Verification and Validation (V&V) program is to provide a quality SPDS through independent technical review and evaluation conducted in parallel with SPDS development.
When V&V is integrated with the SPDS development process it provides a means for:
a.
independent technical evaluation of the $y item b.
assuring formally documented implementation c.
Improved integration of system hardware and sof tware d.
regulatory review and approval A team approach will be used for accomplishing V&V.
The team composition will be multi-discipline, will include both user, systems and design functions, and will be independent from system development activities. The V&V team will develop and document a V&V plan as one of its initial activities.
6.2 SPDS Verification and Validation Key overall elements of SPDS V&V will be to assure:
a.
Comprehensive technical review of system functional requirements to determine that the SPDS will perform appropriate functions.
b.
Comprehensive technical evaluation of the implementation process to establish that tasks are a consistent, complete and correct translation of previous tasks.
c.
Adequate documentation of the system, as well as for system implementation.
d.
Adequate configuration management to document and control system and implementation changes.
6.2.1 SPDS Design Verification The objective of SPDS design verification is to review the system functional and design requirements to determine that they are adequate and technically correct, and then to review the following design activities to verify that the translation of requirements is adequate and technically correct throughout the ensuing design steps.
6-1
System functional requirements are the foundation on which the SPDS will be designed, built,~ installed and accepted. The system design will also be validated - against the functional requirements.
SPDS functional requirements will be verified against the criteria of Supplement 1 to NUREG-0737 and any other criteria that are identified to serve as the basis for SPDS functional definition.
- Af ter verification of the functional and design requirements, other design documentation will be verified for accurate and complete translation o.
the ' requirements from various tasks in the design process to the subsequent ones.
Verification will include a correlation between the
- design features and the requirements.
6.2.2 SPDS Validation SPDS validation will be conducted using a combination of the three levels listed below and will assure that the system meets functional requirements and will aid control room use of EOPs.
a.
Factory Testing SPDS sof tware and hardware may be integrated for functional testing prior to site installation.
Testing will be conducted for appropriate hardware, sof tware and system functions in accordance with a systematic test plan.
b.
Installation and Acceptance Testing Af ter SPDS installation in the plant has been completed, functional testing will be performed to demonstrate correct operation of the installed SPDS hardware and software. End-to-end checkouts of all SPDS inputs and outputs will be performed. These checkouts will cover from sensor signal input to SPDS variable display.
c.
Man-in-the-Loop Evaluation Operations personnel, trained in EOPs, will review CSF disp (lays and interface provisions. The objective of this evaluation not necessarily performed in.the control room) will be to review the SPDS design as a potential aid to emergency response by operations personnel.
6.3 Verification and Validation of the Emergency Operating Procedures Because the SPDS philosophy is to complement the Emergency Operating Procedures (EOPs), verification and validation of the EOPs is an important part of the V&V of the SPDS. Verification and validation has been performed for the Westinghouse ERGS and will be performed for the Millstone Unit No. 3 EOPs that are being developed from these guidelines.
1 6-2 l
6.3.1 V&V of the Westinghouse Emergency Response Guidelines The Westinghouse Emergency Response Guidelines were submitted to the NRC Staff in 1982. The NRC reviewed these guidelines and issued a Safety Evaluation Report in June,1983.. The NRC Staff concluded that the guidelines were acceptable. In particular, they concluded that the six Critical Safety Functions were sufficient to protect the three physical barriers.- While some areas of additional work on the ERGS were identified, the NRC Staff recommended implementation of the ERGS.
In addition, the Westinghouse Owners' Group developed a Validation Program for the guidelines which included a simulator test program at the Seabrook facility in October,1983. The simulator test demonstrated that a computer-based status tree evaluation was a highly effective method of critical safety function monitoring.
Because of the extensive verification and validation performed on the ERGS, they represent a sound basis for the development of the Millstone Unit No. 3 SPDS and Emergency Operating Procedures.
6.3.2 Verification of the Millstone Unit No. 3 Emergency Operating Procedures The Millstone Unit No. 3 Emergency Operating Procedures are being developed based upon the guidance of the Westinginuse Owners' Group Emergency Response Guidelines. To verify consistency between the ERGS -
and EOPs, a step by step comparison will be jointly made by the Millstone Unit No. 3 operators and the Control Room Design Review (CRDR) team.
Justification for any differences will be provided and documented.
6.3.3 Validation of the Millstone Unit No. 3 Emergency Operating Procedures When the Millstone Unit No. 3 EOPs are developed, a task analysis of the procedures will be performed by the Millstone Unit No. 3 operators and
'the CRDR team. Actions required to perform the steps in the EOPs will be defined and assessed. The control room operators' ability to efficiently and correctly perform the stated actions considering controls, instrumentation and physical layouts will also be assessed. This task analysis will therefore be used for verification of the selection of the instrumentation to be used for the critical safety function variables.
The Millstone Unit No. 3 Emergency Operating Procedures will be validated upon completion. A description of the Emergency Operating Procedure Validation Program will be submitted as part of the Emergency Operating Procedures Generation Package.
6-3 j
t 7.0 HUMAN FACTORS ENGINEERING 7.1 Human Factors Engineering The~ fundamental SPDS design objective is to serve as an operator aid to monitor, the overall safety status of the plant.
Human factors considerations must be -an integral part of a program to successfully
-develop such a system.
- This section describes the role of the primary SPDS user, the context of use, and the human factors principles that will be incorporated into the SPDS design.
' 7.1.11 SPDS Use The Millstone Unit No. 3 - control room staff includes four licensed operators (i.e., two Senior Reactor Operators (SROs) and two Reactor Operators (ROs)). One of the SROs will be the Shif t Supervisor (SS). The SS/SRO will be the primary SPDS user. The SPDS is intended to help the SS/SRO in managing the plant during unusual situations where problem detection and problem solving on a plant wide scale are involved. The major role of the SPDS is to help the operating crew maintain the plant in a safe condition or to show how to return the plant to a safe condition if it has departed from normality.
.The present control room and the resources available to the SS/SRO are sufficient to carry out these tasks. The SPDS is intended as an aid to the SS/SRO, not as a replacement for necessary safety equipment. The SPDS serves as a concentrated data source and thus permits the SS/SRO to obtain desiredinformation without walking the boards to check readings..
The role of the SS/SRO is as a decision maker and manager of the plant.
The role of Ros and the other SRO is to assist the SS/SRO by carrying out the tasks deemed necessary by the SS/SRO. Although ROs are carrying out specific tasks such as maintaining levels, starting pumps, or checking instrument readings, they need to be cognizant of ~ the impact their operations have on overall plant condition.
SPDS displays will be accessible to RO personnel to help maintain the needed understanding of the overall picture and to foster a team approach to plant emergency response.
7.1.2 Control Room Design The arrangement and number of SPDS display stations in the control room will provide separate SPDS stations for the SS/SRO (away from the boards) and for operators (visib!e from operating stations at the boards).
This arrangement will provide the SS/SRO with a good view of the SPDS from his work station (he can 1.ee both the SPDS and the boards at the same time) and by the operators from their stations at the boards. Thus the arrangement will permit a flexible use pattern which is weighted towards the needs of the SS/SRO while still permitting RO use.
7-1 m
.o s
7.2' Human Factors Design Guidelines The ' following is a discussion of the human factors activities to be accomplished during the development of the SPDS computer generated displays.
~
7.2.1' Task Definition 1
This activity is designed to acquaint the designer with the reasoning-behind the display requirements and to give him a feel for how and when the displays will be used. - The designer determines how each task is
-presently ' performed, the information needed to accomplish it, and how =
-the display can assist in plant performance.
'7.2.2 Determine Equipment Considerations The purpose of this activity is to assure that any limitations which may be imposed by -the equipment are known to the display designer.
For-example, the designer needs to determine the amount of information that will fit on one CRT screen, colors available, controls, brightness, etc.
-7.2.3 Determine Viewing Environment The purpose of this activity is to become familiar with _the location and environment in which the equipment is to be used. It is also necessary to -
determine the positions (e.g., standing, sitting, viewing distances) from -
which the user will want to read the information on the displays.
7.2.4 - Determination of Human Factors Criteria This activity is to obtain a definition of existing human factors criteria-that apply to the specific environmental conditions or display features.
Most of the criteria utilized for CRT displays can be found in Section 6.7.2 of NUREG-0700 (Cathode Ray Tube Displays).
[
7.2.5 Develop Display Concept i.'
The display concept will be developed to give the display designer an-overall idea of how he is going to accomplish the total task, how many-
~ displays will be used and how each one fits into the total picture. It will -
i enable the design to be in accordance'with user capabilities so that the resulting displays mesh with user needs. In. general, the designer will develop the following information:
ic a.
Identify user needs b.-
How many displays are needed c.
Define the task to be accomplished with each display i.
d.
How they should be set up (hierarchy) e.
How the displays are to be accessed
[
f.
How any required data is to be entered g.
How the user can recover from any errors 7-2 s
v
-~reswne~,,r.--~,,mm.r,.ee-m...
mmw,-e w e,-
n<.-p-
~se-ev,-m-,.en.-w,,
-,,-r,,.w.,we,.m--mmwww-rn,,wm.-wv-a,e,,,-
-,m-ar,m.v,,
B
- h. -
l Define user capabilities (e.g., a newly licensed operator)
- 1. -
Develop a prompt philosophy based on operator capabilities
-7.2.6 Design Review 1 The purpose of this activity is to insure that the overall plan for display
~
design is satisfactory. This is also another control point in the design-
' process. _-It permits the designer to be sure that his product is going to -
meet all requirements when it is completed.
7.2.7 Develop Displays This is the actual design of the displays. All of the activities above are
. designed to get the designer to'this point with enough knowledge of user needs, equipment capabilities, and the environmental constraints so that -
. the resulting' product is compatible with all requirements. In general, the following activities are performed as part of this process:
a.
Determine how the needed information is to be shown.
. b.
Determine the appearance of each display element.
c.
Determine the colors to be used.
d.
Determine the dynamics of each variable element.
e.
- Determine access to each display.
- f..
Determine how the user can recover from errors.
g.
Determine what prompts are to be used and where..
7.2.8 ' Display Review The purpose of this step is to insure that the detailed design meets all the
. original requirements. An important step in this process is a review of the displays by typical users (i.e., plant operators).
7.2.9 Issue System Specification This is the final control point for the display design before its release for implementation.
It also provides clear : guidance to programming personnel regarding the final product.
P I
i 7-3 i
L
r-
_..n
?,
8.0
~ CONCLUSION -
The SPDS for Millstone Unit No. 3 is being designed to adequately address c
the provisions of Supplement I to NUREG-0737. Specifically:
a)
The SPDS will provide a concise display of critical plant variables to aid the control room operators in determining the safety status of the plant that is consistent'with the Westinghouse Emergency _
Response Guidelines and the Millstone -Unit No. 3 Emergency Operating Procedures, b)
The SPDS will display CSF information on colorgraphic terminals located in the control room. The SPDS-will display the status of the CSFs continuously. The SPDS will be part of the plant process -
computer system and -is being designed to meet availability considerations consistent with the SPDS function.
.c)
.Since the iSPDS will be completely consistent with the-Westinghou.se Emergency Response Guidelines, only one: set of procedures is required for emergency: response with and without.
the SPDS.
Adequate electrical separation will. be -provided in accordance with the' guidelines of Regulatory Guide 1.75.
d)
The critical safety functions and variables have been selected to be consistent with the analytical basis of the Emergency Response Guidelines. In general, the Regulatory Guide 1.97 instruments will be the source of the variables.
e)-
The SPDS displays are being: designed to meet human factors principles.
f)
The SPDS provides information about:
(1) reactivity control
-(2) core cooling and heat removal (3)
RCS integrity (4) radioactivity control (5) containment conditions This safety analysis shows that the-SPDS. will be consistent with Emergency Response Guidelines and the Millstone Unit No. 3 Emergency Operating Procedures, and provides an integrated approach to abnormal
.and emergency conditions.
Human factors principles are being considered in the design to assure that the operators can use the SPDS effectively.
A Verification and Validation Program will assure that independent reviews are conducted to assure proper implementation of the SPDS design.
8-1
z.
The development of the SPDS' will be an effective aid for the control-room operators :to determine the safety status of the plant during abnormal and emergency conditions.
n e-o t
l.-
8-2 L.
i, h )
TABLES
F4 TABLE 1: Critical Safety Functions I.
' Subcriticality Highest Priority n
II.
Core Cooling III.
Heat Sink IV.
Integrity V.-
Containment se VI.
Inventory Lowest Priority
r-TABLE 2: Critical Safety Function Variables SAFETY FUNCTION VARIABLE I.
Subcriticality 1.
Reactor trip signal l
2.
Power level 3.
Startup rate 4.
Source range energized
-II.
Core Cooling 1.
Core exit temperature 2.
RCS subcooling 3.
RV level l
-III..
Heat Sink 1.
S/G level 2.
Total FW flow rate 3.
S/G pressure IV.
Integrity 1.
Cooldown Rate 2.
RCS temperature 3.
RCS pressure V.
Containment 1.
Containment pressure 2.
Containment level 3.
Containment radiation VI.
RCS Inventory 1.
Pressurizer level 2.
Reactor vessel level
TABLE 3: Variables for Radioactivity Release l
i.
Main Steam Line Radiation a) main steam line radiation monitor
'b) steam generator safety valve status c)
~ atmospheric dump valve status
. d) auxiliary feedwater pump radiation monitor l
2.
Effluent Radiation a) ventilation vent gas monitor b)
SLCRS radiation monitor l
i l
L
e #
- 9 FIGURES i
i i
I t
l' i
l L__
.D'8 8 5
~
r SI
+-_______q l
l I
DIAGNOSE?
No l
MONITOR CRITICAL
__g SAFETY FUNCTIONS
,A
/\\
/
/
/
Yes
/
/
/
/
\\/
f4 v
RECOVERY CONTINGENCY ACTIONS ACTIONS OPERATOR RESPONSE LOGIC FOLLOWING ACTUATION OF ENGINEERED SAFEGUARDS SYSTEM FIGURE 1
f i
i 10: 1:36 SUB CRIT l
POWER ABOVE 5%
i i
j TRIP IR SUR FR-S1 l
SIGN A L POSITIVE IR SUR MORE POWER POSITIVE THAN BELOW 6%
-0.2 D P M SR
- OFF" IR SUR MORE NEGATIVE THAN
-0.2 D PM l
IR SUR ZERO OR NEGATIVE SR SUR FR-S2 POSITIVE POWER: X X X (%)
SR OC j
INTER RANGE SUR: XXX DPM SR SUR SOURCE RANGE SUR: XXX DPM ZERO OR NEGATIVE FIGURE 2a l
I 1
1 1
i 4
l
~
l 4
10: 3:42 CORE COOL CORE EXIT TCS j
FR-C.1 ABOVE 1200 F CORE EXIT TCS FR-C.2 s
ABOVE 700 F SUBCOOL M ARGIN LESS THAN (X) F i
RVLMS l
BELOW 19%
FR-C.2 CORE EXIT TCS BELOW
,l CORE EXIT 700 F RVLMS EQUAL
}
TCS BELOW OR ABOVE 19%
l
'200 F FR -C.3 i
SUBCOOL M ARGIN MORE TH AN (X) F CORE EXIT TCS: XXXXF SUBCOOL M ARGIN: (X X X) F PLENUM LVL: XXX%
FIGURE 2b i
i r
l e
9 I
4 1
1 i
i HEAT SINK 10: 2:33 TOTAL FW FLOW BEL OW (X)
NR LVLS ABOVE (X) PSIG FR-H.2 i
BELOW l
(X)%
i ANY SG NR LVL i
ABOVE (X)%
TOTAL FR-H.3 F W FLOW ANY SG PRES 1
ABOVE (X) PSIG j
Att SG FR-H.4
.l ANY SG NR PHES j
LVL ABOVE BELOW (X)
ALL SG J
(X)%
PSIG NR LEVELS ANY SG NR LVL BELOW BELOW FR-H.S (X)%
(X)%
e ALL SG 1
TOTAL FW FLOW: XXXX GPM
~
PRESS 1
2 3
4
( '
SG LEVEL: XXX XXX XXX XXX D%
SG PRESS: XXXX XXXX XXXX XXXX. G PSIG LVLS ABOVE (X)%
FIGURE 2c l
l I
10: 5:35 RCS INTEG ANY PRES / COLD LEO TEMP FR-P.1 LEFT OF *A*
ANY COLD LEO TEMP DEC ANY COLD LEG FR-P.2 ABOVE BELOW (X) F 100F IN ALL PRES / COLD LEG LAST HR.
ANY COLD LEO TEMP RIGHT OF FR-P.1
- A ALL COLD LEGS BELOW (Y) F ABOVE (X) F ALL COLD LEGS ABOVE (Y) F
%pj Jt,,
ANY COLD LEG FR-P.2 RCS PRES BELOW (X) F t
ABOVE COLD ALL COLD LEGS l
l COLD LEG TEMP BELOW O/P LIMIT l
ABOvE (x) F y,7 COLD LEG RCS PRES BELOW O/P LIMIT TEMP DEC BELOW 100 FIN COLD LEO LAST HR TEMP ABOVE (Z) F LAST HR TEMP DEC: XXXDF RCS PRES: XXXX PSIA i
L1 L2 L3 L4 RCS CL TEMP: XXXDF XXXF XXX F XXX F FIGURE 2d t
10: 3:7 CMT CTMT PRES FR-Z.1 ABOVE (X) PSIA CTMT PRES FR-Z.1 ABOVE (Y) PSIA CTMT PRES BELOW (X) PSIA FR-U LVL ABOVE (X) GAL CTMT PRES
' " ' " ^
setO W (v) eSiA FR-Z.3 ABOVE (X)
{
CTMT PRES: XX PSIA l
SUMP LVL: X.XEX G AL LVL BELOW CTM T RAD: X.XEX R/HR TRAD BELOW (X)
I FIGURE 2e i
I
J 10: 4:14 RCS INVENTORY RVLMS HEAD FR-l.3 NOT FULL PZH LVL ABOVE (XM RVLMS HEAD FR-l.1 FULL PZR LVL FR-l.2 BELOW(XM PZR LVL BELOW (YM RVLMS HEAD FR-l.3 NOT FULL PZR LVL PZR LVL: XXX%
ABOVE (YM HEAD LvL: XXX %
RVLMS HEAD PLENUM LVL: XXX %
FULL FIGURE 2f
6 6 9 APPENDIX A INSTRUMENTATION FOR CRITICAL SAFETY FUNCTION MONITORING N:_ -.
CRITICAL SAFETY FUNCTION:
Subcriticality
' VARIABLE:
- Description Instrument No.
Reactor Trip Signal.
TMB-RX Trip Annunciators MB4E-1-1 MB4E-1-2 MB4E-1-3 MB4E-1-4 MB4E-1-6 MB4E-2-3 MB4E-2-4 MB4E-2-6 MB4E-2-7 MB4E-3-3 MB4E-3-4 MB4E-3-5 MB4E-3-6 MB4E-4-1 MB4E-4-2 MB4E-4-5 MB4E-4-6 MB4E-5-1 ~
MB4 E-5-2 MB4E-5-3 MB4E-5-5 MB4E-5-7 MB4E-6-3 MB4E-6-5 MB4E-6-7 Rod Bottom 3RDI-RB 3RDI-RB2
CRITICAL SAFETY FUNCTION: Subcriticality VARIABLE: Power Description Instrument No.
Power Range 3NMP-NM41F Monitors 3NMP-NM42F 3NMP-NM43F 3NMP-NM44F Wide Range Fission Channels 3NME*DET1WR A and B 3NME*DET2WR t
v m
-.-- +,. -
a v
y.
v.-,, -
-9
CRITICAL SAFETY FUNCTION: Subcriticality VARIABLE: Startup Rate Description Instrument No.
Intermediate 3NMI-NM35B Range Monitor 3NMI-NM36B Source Range 3NMS-NM31F
. Monitor 3NMS-NM32F Wide Range _
3NME*DETISR Fission Channels A and B 3NME*DET2SR.
d CRITICAL SAFETY FUNCTION:.. Subcriticality -
VARIABLE: Source Range Energized 5
Description Instrument No.
Source Range 3NMS-NC31H Loss of Voltage.
4 v
4 1
4 ':
- .{,
4 l
,, - - - - -,,. -., -. ~,. ~..,,.,
..~,.., -..-,.. -- -
.:0 CRITICAL SAFETY FUNCTION: Core Cooling VARIABLE: Core Exit Temperature F
Description -
Instrument No.
~-
Core Exit..
3 CTS *TE:
Thermocouples
. through 3 CTS *TE50 c
- /.
i 5
b F
i I
i
CRITICAL SAFETY FUNCTION: Core Cooling VARIABLE: RCS Subcooling
' Description Instrument No.
Core Exit Thermocouples 3 CTS *TEl through 3 CTS *TE50 Pressurizer Pressure 3RCS*PT455A 3RCS*PT456 3RCS*PT457 3RCS*PT458 RCS Pressure 3RCS*PT403 3RCS*PT405 t:
L t.
1 I
j p
i f
CRITICAL SAFETY FUNCTION: Core Cooling VARIABLE: RC Pump Status DELETED i
I 9
(
CRITICAL SAFET FUNCTION: - Core Cooling _
-VARIABLE: RV level Description Instrument No.
Head Level '
Train'A Train B Plenum Level:
. Train A -
Train B t
...,., +
- - - ~
r -
- CRITICAL-SAFETY FUNCTION: Heat Sink VARIABLE: S/G level Description =
Instrument No.
Narrow Range'S/G Level
- 1 3FWS*LT517/LT518/LT519
- 2 3FWS*LT527/LT528/LT529
- 3 3FWS*LT537/LT538/LT539
- 4
'3FWS*LT547/LT548/LT549 D
e
(
P' k
CRITICAL SAFETY FUNCTION: Heat Sink VARIABLE: - Total FW Flow Description Instrument No.
MFWl 3FWS-FT510/511 2
3FWS-FT320/521 '
3 3FWS-FT530/531 4
3FWS-FT540/541
- AFWl 3FWA*FT51A 2
3FWA*FT33B 3
3FWA*FT33C 4
3FWA*FTSID r-i t.
J,
nm
- -,7, -
CRITICNL SAFETY FUNCTION: Heat Sink s
- VARIABLE: S/G pressure
- g Description Instrument No.
S/G Outlet Pressure A.
1 3 MSS *PT514/PT515/PT516 2
3 MSS *PT324/PT525/PT326 3
3 MSS *PT534/PT535/PT536 s
4 3 MSS *PT544/PT545/PT546 e
4 f.
L
.t i P
4 a
y:
9 CRITICAL SAFETY FUNCTION: Idtegrity VARIABLE: 'Cdaldown Rate-
- Description Instrument No.
Cold Leg RTD -
Loop //1 3RCS*TE413B 2
3RCS*TE423B 3
3RCS*TE433B
'4 3RCS*TE443B I
7 s
- CRITICAL SAFETY FUNCTION: Integrity
-- VARIABLE: RCS Temperature Description Instrument No.
Cold Leg RTD Loop #1 3RCS*TE413B 2
~ 3RCS*TE423B 3
3RCS*TE433B 4
- 3RCS*TE443B
^
i s
1
CRITICAL SAFETY FUNCTION: - Integrity VARIABLE: RCS pressure Description Instrument No.
Pressurizer 3RCS*PT455A
-Pressure 3RCS*PT456 3RCS*PT457 3RCS*PT458
' Wide Range 3RCS*PT403 RCS Pressure 3RCS*PT405
CRITICAL SAFETY FUNCTION: Containment VARIABLE: Containment Pressure Description Instrument No.
Wide Range Pressure 3LMS*PT24A 3LMS*PT24B Narrow Range Pressure 3LMS*PT934 3LMS*PT935 3LMS*PT936 3LMS*PT937 i
~., -
r:
,e.
CRITICAL SAFETY FUNCTION: Containment VARIABLE: Water Level.
' Description Instrument No.
Wide Range Sump Level 3RSS*LT22A 3RSS*LT22B k
A g
p
-e+,
-,,yn
-w,-,
w.mw.-.
v-arw-7,--,,,
,g,,-
3-,
.3-
- v. w-. -
rm.,.---,
---4.-
T.
9 *
. t 4 CRITICAL SAFETY FUNCTION: Containment VARIABLE: Containment Area Radiation Description -
Instrument No.
Wide Range Monitors 3RMS*RE04 3RMS*RE05 a'
L-i
o[.
.?
l CRITICAL SAFET'.' FUNCTI6N: Inventory VARIABLE: Pressurizer Level Description Instrument No.
Pressurizer Level
-3RCS*LT459 3RCS*LT460 3RCS*LT461
s CRITICAL SAFETY FUNCTION:. Inventory VARIABLE:., RV. level u
Description Instrument No.
Head Level Train A
Train B Plenum Level Train A Train B I
a e
.O %
8 e APPENDIX B INSTRUMENTATION FOR RADIOACTIVITY RELEASE DISPLAY
c r
RADIOACTIVITY RELEASE DISPLAY VARIABLE: Main Steam Line Radiation Description Instrument No.
Main Steam Line 3 MSS *RE75 Radiation Monitors 3 MSS *RE76 3 MSS
- RE77 3 MSS *RE78 Safety Valve 3SVV*FE28A/FE28B/FE28C/FE28D Flow Switches 3SVV*FE29A/FE29B/FE29C/FE29D 35VV*FE30A/FE30B/FE30C/FE30D 3SVV*FE31A/FE31B/FE31C/FE31D 3SVV*FE32A/FE32B/FE32C/FE32D Atmospheric Dump 3 MSS *Z20A#
Valve Position Switches 3 MSS *220B#
3 MSS *Z20C#
3 MSS *Z20D#
' Auxiliary Feedpump 3 MSS *RE79 Radiation Monitor n.., --,.,-
,------n n
+
,n,
y
~~
I
-g.
RADIOACTIVITY RELEASE DISPLAY VARIABLE: Effluent Radiation i
Description Instrument No.
Ventilation Vent Monitor 3HVR*RE10 SLCRS Monitor 3HVR*RE19 4
4 I