ML20133F373

SPDS Safety Analysis & Implementation Plan
ML20133F373
Person / Time
Site: Grand Gulf
Issue date: 07/31/1985
From:
MISSISSIPPI POWER & LIGHT CO.
To:
Shared Package
ML20133F354 List:
References
RTR-NUREG-0737, RTR-NUREG-737 PROC-850731, NUDOCS 8508080260


Text


GRAND GULF NUCLEAR STATION - UNIT 1

SAFETY PARAMETER DISPLAY SYSTEM SAFETY ANALYSIS AND IMPLEMENTATION PLAN

Prepared for U.S. Nuclear Regulatory Commission

July 1985

MISSISSIPPI POWER & LIGHT COMPANY

GRAND GULF NUCLEAR STATION SAFETY PARAMETER DISPLAY SYSTEM SAFETY ANALYSIS REPORT

MISSISSIPPI POWER & LIGHT COMPANY

JULY 1985

TABLE OF CONTENTS

1.0 INTRODUCTION
1.1 Summary of Safety Analysis
1.2 Discussion of SPDS Bases
1.3 NRC Criteria
1.4 Abbreviations

2.0 SPDS DESIGN BASES
2.1 Plant Safety Monitoring and Emergency Response
2.2 SPDS Parameter Selection Methodology
2.3 Isolation Valve Status

3.0 SPDS DESIGN CONSIDERATIONS
3.1 Introduction
3.2 SPDS Definition
3.3 SPDS Availability
3.4 SPDS Use and Location
3.5 Reactor Modes Considerations
3.6 SPDS Flexibility
3.7 System Hardware, Data Storage and Recall Capabilities
3.8 Signal Validation
3.9 Electrical Power Sources
3.10 Circuit Isolation Devices
3.11 Human Factors Engineering

4.0 SPDS DISPLAYS
4.1 Display Philosophy
4.2 CF Assessment Display Feature
4.3 CF Overview Displays
4.4 Primary Displays
4.5 Secondary Displays
4.6 Analog Trends
4.7 Support Displays
4.8 Display Access
4.9 Variable Quality Indication

5.0 SIGNAL VALIDATION
5.1 Introduction
5.2 The Validation Process
5.3 Signal Validation Features
5.4 Validation Results

6.0 VERIFICATION AND VALIDATION
6.1 Verification and Validation Overview
6.2 SPDS Verification and Validation
6.3 System Requirements Verification
6.4 Design Analysis/Review
6.5 SPDS Validation

7.0 HUMAN FACTORS ENGINEERING
7.1 Task Definition
7.2 Equipment Considerations
7.3 Viewing Environment
7.4 Human Factors Criteria
7.5 Display Concepts
7.6 Display Development
7.7 Display Functional Description
7.8 Display Review

8.0 MAN-MACHINE VALIDATION (MMV)
8.1 MMV Objectives
8.2 MMV Methods
8.3 MMV Program Documentation

9.0 OPERATOR TRAINING

10.0 CONCLUSION
10.1 Compliance with NUREG-0737 Supplement 1, Section 4.1.a
10.2 Compliance with NUREG-0737 Supplement 1, Section 4.1.b
10.3 Compliance with NUREG-0737 Supplement 1, Section 4.1.c
10.4 Compliance with NUREG-0737 Supplement 1, Section 4.1.d
10.5 Compliance with NUREG-0737 Supplement 1, Section 4.1.e
10.6 Compliance with NUREG-0737 Supplement 1, Section 4.1.f

APPENDIX A - PRINCIPAL CONTROL PARAMETER SET
APPENDIX B - PARAMETER SET BASES
REFERENCES

TABLES
2.1-1 Correlation of CSFs to EPGs
2.2-1 Generic EPG Control Functions
2.2-2 GGNS PSTG Principal Control Functions
2.2-3 GGNS SPDS Parameters
2.2-4 Correlation of CSF to GGNS SPDS Parameters
3.3-1 SPDS System Availability

FIGURES
2.2-1 Example Page from GGNS Functional Analysis
3.3-1 SPDS Block Diagram
3.4-1 Typical Control Room SPDS Location
4.1-1 Conceptual Display Hierarchy

GGNS SPDS SAFETY ANALYSIS REPORT

1.0 INTRODUCTION

1.1 Summary of Safety Analysis

This report provides a written Safety Analysis for the Grand Gulf Nuclear Station (GGNS) Safety Parameter Display System (SPDS), and is submitted in fulfillment of obligations specified in MP&L Letter AECM-83/0232 dated April 15, 1983, and Condition 2.C.(36), Attachment 1 requirement (a)(1) of Facility Operating License NPF-29, dated November 1, 1984. This requirement specified submittal of a Safety Analysis and Implementation Plan by July 1985. Accompanying this report is an implementation plan detailing tasks and a schedule MP&L will perform to implement the SPDS described herein.

Information is provided to show that the SPDS is being designed to fully meet the provisions of Supplement 1 to NUREG-0737 (Ref. 5), that it will be consistent with the plant-specific Emergency Procedures being concurrently developed, that accepted human factors principles are being applied, that independent verification of systems and software will be performed, and that the SPDS will be an aid to the Control Room personnel in monitoring plant safety parameters and in mitigating emergency situations.

1.2 Discussion of SPDS Bases

Emergency Procedure Guidelines (EPGs) (Ref. 6) have been developed by the BWR Owner's Group and accepted by the NRC as the basis for emergency response in BWR's. These generic guidelines have been converted into plant-specific guidelines for preparation of GGNS emergency procedures.

Using methodology developed by the BWR Owner's Group, the GGNS guidelines were evaluated to identify information requirements needed to monitor overall plant safety parameters and initiate operator actions to protect principal safety functions based on general plant symptoms rather than specific events or transients.

GGNS SPDS displays will be designed to incorporate appropriate information based on the Plant Specific Technical Guidelines (PSTG's) and will be structured to aid the operating crew in initiating and executing the emergency procedures.

SPDS displays will conform to accepted human factors criteria in accordance with a GGNS SPDS human factors engineering plan. The SPDS design will be independently verified and validated (V&V) in accordance with the SPDS V&V plan, prior to its operational use at GGNS.

1.3 NRC Criteria

Since the original requirement to provide an SPDS, various NRC and industry guidance has been developed to functionally define what the SPDS should contain and how it should function. These guidance documents include NUREG-0737, NUREG-0696, NUREG-0835, and INPO NUTAC on SPDS Implementation, along with various owner's group documents. Until the issuance of Generic Letter 82-33 entitled "Supplement 1 to NUREG-0737 - Requirements for Emergency Response Capability", the specific NRC requirements for an SPDS had not been well established. Supplement 1 therefore became the NRC criterion that must be used to meet the emergency response capability requirements and all previous NRC documents were to be used as guidance.

Section 4.1 of NUREG-0737 Supplement 1 addresses the specific requirements to be used for developing the SPDS. Each of those requirements will be met by MP&L in the design of the GGNS SPDS system. This Safety Analysis Report will demonstrate how each part of Supplement 1, Section 4.1, is met. Results are summarized in this report in Section 10, Conclusions.

1.4 Abbreviations

Throughout this document, the following abbreviations are used:

a. ADS - Automatic Depressurization System
b. APRM - Average Power Range Monitor
c. ATWS - Anticipated Transient Without Scram
d. BWR - Boiling Water Reactor
e. BWROG - BWR Owner's Group
f. CF - Control Function
g. CR - Control Room
h. CRT - Cathode Ray Tube (Display)
i. CSF - Critical Safety Functions
j. DCRDR - Detailed Control Room Design Review
k. DOE - Department of Energy
l. DTTU - Digital Tape Transport Unit
m. ECCS - Emergency Core Cooling Systems
n. EOP - Emergency Operating Procedure (Generic)
o. EP - Emergency Procedure (GGNS-Specific)
p. EPG - Emergency Procedure Guidelines
q. EPRI - Electric Power Research Institute
r. ERFIS - Emergency Response Facility Information System
s. FSAR - Final Safety Analysis Report
t. GDDP - Graphic Display Development Program
u. GGNS - Grand Gulf Nuclear Station
v. IMM - Integrated Memory Modules
w. INPO - Institute for Nuclear Power Operations
x. IVSP - Isolation Valve Status Panel
y. LOCA - Loss of Coolant Accident
z. MMV - Man-Machine Validation
aa. MP&L - Mississippi Power & Light Co.
bb. MTBF - Mean Time Between Failures
cc. MTTR - Mean Time to Repair
dd. NPSH - Net Positive Suction Head
ee. NRC - U.S. Nuclear Regulatory Commission
ff. NUTAC - Nuclear Utility Task Action Committee
gg. PGP - Procedures Generation Package
hh. PSTG - Plant Specific Technical Guidelines
ii. RAM - Random Access Memory
jj. RPV - Reactor Pressure Vessel
kk. SAR - Safety Analysis Report
ll. SGTS - Standby Gas Treatment System
mm. SMD - Storage Module Drive
nn. SPDS - Safety Parameter Display System
oo. TAF - Top of Active Fuel
pp. V&V - Verification and Validation

2.0 SPDS DESIGN BASIS

2.1 Plant Safety Monitoring and Emergency Response

Industry experience in developing various SPDS designs has shown that SPDS displays are more meaningful and useful to operators during emergency response situations when they are directly integrated with Emergency Procedures (EPs).* Specifically, emergency response decisions and actions made by the operating crew are aided by an SPDS that supports the entry into and execution of the EPs. The PSTG's which were prepared from generic Emergency Procedure Guidelines (EPGs) developed by the BWR Owner's Group (BWROG) will provide the technical basis for the Grand Gulf Nuclear Station (GGNS) SPDS to ensure SPDS/EP integration.

Development of the BWROG generic EPGs included analysis of severe accidents and transients by the reactor designer (Ref. 1). These EPGs have been evaluated and accepted by the NRC as documented in the NRC Safety Evaluation Report on Revision 3 of the EPGs (Ref. 2) which supports the use of the EPGs as a satisfactory basis for emergency response procedures. The generic EPGs, and plant-specific EPs developed from them, are symptom-based and therefore they are not based on a limited set of specific transients or accident scenarios. Thus, GGNS safety can be better assured for a wide range of events and severe accidents by adherence to the symptom-based EPGs and EPs and maintaining plant conditions as specified therein. Selection of SPDS parameters to monitor plant safety status using information from EPGs and EOPs provides a basis for SPDS parameters that not only integrates with NRC-approved guidelines for emergency response but also is analytically traceable to the post-TMI requirements for additional analysis of transients and accidents.

* Note: The term Emergency Procedures (EPs) is synonymous with Emergency Operating Procedures (EOPs) used in generic work by the BWROG and in NRC documents.

The generic EPGs have been translated into Plant-Specific Technical Guidelines for use in developing EPs that reflect systems and emergency response information appropriate for GGNS (Ref. 3). The format used by MP&L to prepare the PSTGs shows the correspondence between the GGNS PSTGs and the generic EPGs and provides justification and explanation for the differences.

The generic EPGs developed by the BWROG address all five of the critical safety functions (CSF) specified in NUREG-0737 Supplement 1 through the use of four primary control guidelines for BWRs. The correlation between the five critical safety functions and the BWR emergency procedure guidelines is shown in Table 2.1-1.

TABLE 2.1-1 CORRELATION OF CSFs TO EPGs

NUREG-0737 Supplement 1 CSF | BWROG EPG | Proposed GGNS EP
Reactivity Control | RPV Control Guideline | EP-2
Reactor Core Cooling and Heat Removal | RPV Control Guideline | EP-2
Reactor Coolant System Integrity | RPV Control Guideline | EP-2
Radioactivity Control | Radioactivity Release Control Guideline | EP-4
Containment Conditions | Primary Containment Control Guideline | EP-3
Containment Conditions | Secondary Containment Control Guideline | EP-5

Since GGNS PSTGs are based on the NRC-approved EPGs for emergency response which address the maintenance of plant safety functions, and since the PSTG functional analysis as discussed in Section 2.2 provides the emergency response information needs, the PSTGs are being used as a basis for development of the SPDS parameter requirements for GGNS. This developmental approach used for the GGNS SPDS binds NUREG-0737 Supplement 1, Section 4.1.f (CSF status monitoring) with Sections 4.1.a (design basis of SPDS displays) and 5.1.b.ii (use of EOP (PSTG) function and task analysis). As a result, displays developed using this approach support emergency response information requirements which in turn encompass the SPDS design basis functions specified in Section 4.1.f.

2.2 SPDS Parameter Selection Methodology

Selection of parameters is based on the methodology and results of the BWROG Graphic Display Development Program (GDDP) conducted by the Electric Power Research Institute (EPRI) and the Department of Energy (DOE) (Ref. 4).

In the GDDP a functional analysis was performed on the generic BWR Emergency Procedure Guidelines, Revision 3, developed by the BWROG. The functional analysis of the generic EPGs identified the generic emergency response functions of a BWR operating crew. The analysis was extended beyond function identification to determine the logical relationships between the response functions and to identify the generic information requirements needed by an operating crew to perform each EPG functional step. This analytical methodology is commonly referred to as cognitive task analysis.

The emergency response functions are addressed in the EPG functional analysis, but the specific emergency response tasks for the Control Room operating crew, as opposed to an individual operator or supervisor, were not addressed in the EPG functional analysis since the symptom-based EPGs do not specify a division of labor between operators and supervisors and do not restrict actions or decision-making to a specific Control Room location. Generally speaking, the operator takes actions and participates in making decisions, whereas the supervisor makes decisions and participates in taking actions.

As indicated in the GDDP report, the process used in the EPG functional analysis is similar to the decision-making model developed by Jens Rasmussen of the Riso National Laboratory in Denmark. In general, the process adapted from the decision-making model describes rule based behavior, where specific operator actions are based directly on the identification of a changed plant condition followed by the application of a predetermined decision process. In the functional analysis, a single decision-making model with three basic function categories was used:

o Gathering and processing of information,
o Making a decision,
o Taking an action.

It should be noted that the EPG information requirements identified in the BWROG project are generic and are independent of any particular plant Control Room. Similar to the process required for the Control Room Design Review Task Analysis, the information and control identification process is not based on, or limited to, only currently available instrumentation in a specific Control Room, thus the GDDP results were not "driven" by the currently available instruments. The information requirements identified from analysis of EPGs or PSTGs are useful in determining plant parameters or variables for use in display aids.

Systematic analysis of the EPGs for all information requirements (both implicit and explicit in the EPGs) associated with the three basic function categories listed earlier produced a large list of plant parameters as provided in the GDDP report. This information may be used to design various types of graphic displays to meet a wide range of potential objectives for operational aids.

The BWROG examined steps identified in the EPG functional analysis and determined which parameters are principally controlled by performing each step. This resulted in the identification of twelve principal control functions for the generic EPG's. These control functions and the related EPG steps are shown in Table 2.2-1.

Actions specified in the EPGs directly correspond to one or more of these principal control functions which results in symptom-based EPs that are structured to specify operator actions for controlling a small set of parameters to assure continued safety of the plant. The BWROG EPGs inherently cover all of the NRC-identified critical safety functions for monitoring plant safety (i.e., reactivity, core cooling and primary system heat removal, cooling system integrity, containment and radioactivity).

TABLE 2.2-1 GENERIC EPG CONTROL FUNCTIONS AND SUPPORTING EPG STEPS (EPG REV. 3)

1. RPV Water Level Control Function
   RPV Control Guideline Steps RC/L
   Contingency C-1, Level Restoration
   Contingency C-4, Spray Cooling
   Contingency C-5, Alternate Shutdown Cooling
   Contingency C-6, RPV Flooding
   Contingency C-7, Level/Power Control
2. RPV Pressure Control Function
   RPV Control Guideline Steps RC/P
   Contingency C-2, Emergency Depressurization
   Contingency C-3, Steam Cooling
   Contingency C-5, Alternate Shutdown Cooling
   Contingency C-6, RPV Flooding
3. Reactor Power Control Function
   RPV Control Guideline Steps RC-1 and RC-Q
   Contingency C-7, Level/Power Control
4. Suppression Pool Temperature Control Function
   Primary Containment Control Guideline Steps SP/T
5. Drywell Temperature Control Function
   Primary Containment Control Guideline Steps DW/T
6. Containment Temperature Control Function
   Primary Containment Control Guideline Steps CN/T
7. Primary Containment Pressure Control Function
   Primary Containment Control Guideline Steps PC/P
8. Suppression Pool Water Level Control Function
   Primary Containment Control Guideline Steps SP/L
9. Secondary Containment Temperature Control Function
   Secondary Containment Control Guideline Steps SC/T
10. Secondary Containment Radiation Level Control Function
    Secondary Containment Control Guideline Steps SC/R
11. Secondary Containment Water Level Control Function
    Secondary Containment Control Guideline Steps SC/L
12. Radioactivity Release Control Function
    Radioactivity Release Control Guideline Steps RR

The function of the EPG-based displays, as recognized by the BWROG, is to assist the operating crew in the decision-making process involved in EPGs/EPs. Thus the GDDP approach to parameter selection used decision classifications to distill three sets of parameters from the complete set of information requirements identified by functional analysis of EPGs.

The three decision types, and the three corresponding types of information required to support the decisions are:

o Information Type 1 - Information directly associated with determining the current value and trend of the specified control function parameters, together with their limits, setpoints and ranges.

o Information Type 2 - Information required to assess availability and status of systems and components identified in the EPGs.

o Information Type 3 - All other information defined in the EPG functional analysis, not included in 1 or 2, and including information for decisions requiring judgment.

As a result three generic parameter sets were chosen which correspond to the following types of information:

o Control Function Status (Information Type 1)
o Control Function and System Status (Information Types 1 & 2)
o Composite (Information Types 1, 2, and 3)

The GGNS PSTGs (based on EPG Rev. 3, modified) were used to convert the generic GDDP functional analysis into a GGNS specific analysis which will reflect the GGNS plant-specific systems, features, and emergency response actions. The GGNS functional analysis was then supplemented with GGNS information and control requirements of the PSTGs. That is, the component type and plant parameter as well as the parameter characteristics (i.e., range, scale, etc.) have been added to the documentation. This PSTG functional analysis was performed by an independent subject matter expert.

Figure 2.2-1 is an example page from the GGNS PSTG analysis. It should be noted that the results from the GGNS functional analysis can also provide information and control requirements for use in the Detailed Control Room Design Review verification phase.

Similarly, the generic parameter sets from the GDDP have been made GGNS specific based on the analysis of the GGNS PSTGs. Although the BWROG functional analysis methodology can be used to identify a large number of plant parameters it is those parameters that relate to the principal BWR control functions that can provide concise overall information about plant safety status.

A set of emergency response control functions can be identified in the existing GGNS PSTGs by applying the BWROG generic program methodology and results. These principal control functions are shown on Table 2.2-2.

TABLE 2.2-2 GGNS PSTG Principal Control Functions

RPV Water Level
RPV Pressure
Reactor Power
Suppression Pool Water Temperature
Drywell Temperature
Containment Temperature
Containment Pressure
Suppression Pool Water Level
Secondary Containment Area Temperature
Secondary Containment Area Radiation Level
Secondary Containment Area Water Level
Radioactivity Release Rate

[Figure 2.2-1 Functional Analysis Example: example page from the GGNS-1 PSTG functional analysis, listing components and parameters with their ranges and scale divisions. Legend: I = Informational Requirement, D = Decisional Requirement, A = Action Requirement, P = Information Processing Type.]

Since BWR safety can be assured by proper maintenance of the principal control functions, a fundamental GGNS SPDS parameter set evolves from the PSTG analysis and the identified PSTG control functions. These parameters are those that are either used in PSTG entry conditions and/or are a principal control parameter. This set of principal control parameters is defined such that the plant will be maintained in a safe condition as long as these parameters are maintained within the ranges specified in the PSTGs. Thus, since the PSTGs provide sufficient emergency response for BWR analyzed transients and accidents occurring under all plant operating conditions, the GGNS SPDS parameter set derived from analysis of the PSTGs likewise provides adequate information for assessing plant safety status under all modes of operation.

The list of GGNS SPDS parameters is shown in Table 2.2-3. Secondary Containment parameters may need to be modified to be consistent with the final PSTG's and EP's being concurrently developed. Additionally, Hydrogen concentration will be included in the SPDS since it is known that a section of the PSTG devoted to H2 control will be developed.

MP&L has chosen to include in the SPDS every parameter concerned with Information Type 1. GGNS is an advanced design BWR/6 with installed color graphic computer systems which provide excellent plant system status information, and the SPDS displays will be simpler and more concise by keeping the parameter set to the size indicated, thereby making the SPDS easier to use in emergency situations. The parameter set in Table 2.2-3 will require input of approximately 100 individual data points. Note that the parameter set chosen is larger than the BWROG parameter set recommendations for Information Type 1 Parameter Set due to the plant unique PSTG implementation.

More detailed information is presented for each SPDS parameter in the Appendices. Information for each parameter is included regarding display requirements, parameter basis and relation to PSTG steps.

The NRC Critical Safety Functions (CSF) can, therefore, be related to the PSTG control functions. The correlation between CSF, defined in NUREG-0737 Supplement 1, and the GGNS SPDS parameters is shown in Table 2.2-4.

TABLE 2.2-3 GGNS SPDS Parameters

1. RPV Water Level
2. RPV Pressure
3. Reactor Power
4. RPV Water Temperature
5. SCRAM Status
6. Drywell Pressure
7. Drywell Temperature
8. Containment Temperature
9. Containment Pressure
10. Suppression Pool Temperature
11. Suppression Pool Water Level
12. Secondary Containment Differential Pressure
13. Secondary Containment Area Temperature
14. Secondary Containment Cooler Differential Temperature
15. Secondary Containment HVAC Exhaust Rad Levels
16. Secondary Containment Area Rad. Levels
17. Secondary Containment Floor Drain Sump Water Levels
18. Secondary Containment Area Water Levels
19. Offsite Radioactivity Release Rate

TABLE 2.2-4 CORRELATION BETWEEN CRITICAL SAFETY FUNCTIONS AND GGNS SPDS PARAMETERS

Critical Safety Function: Associated GGNS SPDS Parameters

1. Reactivity Control: Reactor Power; RPV Water Level; RPV Pressure; Scram Status
2. Reactor Core Cooling and Heat Removal: Reactor Power; RPV Water Level; RPV Pressure
3. Reactor Coolant System Integrity: RPV Water Level; RPV Pressure; Drywell Pressure; Drywell Temperature; Suppression Pool Water Temperature; Suppression Pool Water Level; Containment Pressure; Containment Temperature; RPV Water Temperature
4. Containment Integrity: Drywell Pressure; Drywell Temperature; Containment Pressure; Containment Temperature; Suppression Pool Water Temperature; Suppression Pool Water Level; Secondary Containment Area Temperature; Secondary Containment Area Radiation Level; Secondary Containment Floor Drain Sump and Area Water Levels; Secondary Containment Differential Pressure; Secondary Containment HVAC Cooler Differential Temperature
5. Radioactivity Control: Secondary Containment Area Radiation Level; Off-site Radioactivity Release Rate; Secondary Containment HVAC Exhaust Radiation Level

If the BWROG EPGs and the PSTGs are modified in the future, an assessment will be made to determine what modification to the SPDS parameter set might be necessary (if any). Subsequent update of SPDS displays can then be accommodated, as discussed in Section 3.6, Display Flexibility.

2.3 Isolation Valve Status

As indicated in Table 2.2-4, one of the safety functions that will be incorporated in the SPDS is containment integrity. The GGNS SPDS will monitor containment integrity by displaying the following parameters:

o Primary Containment Temperature
o Primary Containment Pressure
o Drywell Temperature
o Drywell Pressure
o Suppression Pool Temperature
o Suppression Pool Level

The SPDS will also provide Secondary Containment Radiation levels and Plant Effluent Radiation levels for plant operators to use as confirmation of containment integrity.

Assuming no breach of primary or secondary containment, a third method exists whereby the plant operator may confirm containment integrity. This method requires the plant operator to confirm the status (open/closed) of isolation valves based upon plant operating mode and the isolation actuation setpoints for the containment integrity parameters listed above. Such confirmation is available to the operator from two sources:

o Position indicator lights at each isolation valve control switch
o Position/demand status lights at the Control Room Isolation Valve Status Panel (IVSP)

The first source of isolation valve status requires the operator to know and search out each isolation valve control switch (distributed among three separate Control Room panels) to confirm containment integrity. Such a search would be slow under accident conditions since isolation valve control switches and position indicator lights are so similar to switches and lights of other valves located in the immediate vicinity.

However, the second source, the IVSP, provides the operator with isolation valve status in a much more comprehensive and comprehendible format. This source provides the following information for each of the isolation valves on the IVSP:

o A graphical (piping schematic) representation of the valve location and system assignment through the use of system- and location-demarcation lines and color coding
o Valve status (open/closed)

The plant operator can determine the position of each isolation valve on the IVSP visually.

The IVSP is located directly above panel P870 (refer to Figure 3.4-1). It is

{ easily viewed by an operator at the SPDS console.

The IVSP system has been designed with power supplied from uninterruptible 120 VAC instrumentation panels.

The isolation valve status information need not be presented on SPDS displays, since this information is provided in easily comprehendible form on the IVSP.


3.0 SPDS DESIGN CONSIDERATIONS

3.1 Introduction

This section provides an overview of the computer system and addresses a number of topics that relate to SPDS design and are of regulatory interest. Each topic will be dealt with separately in the following subsections.

3.2 SPDS Definition

The SPDS at GGNS is a subset of the Emergency Response Facility Information System (ERFIS). The SPDS has one color CRT/keyboard console located in the Control Room. As implemented at GGNS, the SPDS will be used solely as an operator aid in monitoring plant safety status and in entry into and execution of the EP's being developed in parallel with the SPDS.

3.3 SPDS Availability

Design goals for SPDS availability are as follows:

o Availability = 0.99 (reactor above cold shutdown)
o Availability = 0.80 (reactor at cold shutdown or refuel)

The determination of availability depends upon forced and scheduled outages of the SPDS data systems, instrumentation, and facilities and upon the configuration of the entire system.

Figure 3.3-1 is a block diagram of the GGNS SPDS system. A remote multiplexer unit receives up to 25 individual instrument loop inputs (analog or digital). The remote multiplexer performs signal conditioning and A/D conversion and transmits the multiplexed signal (25 channels) to the digital multiplexer. The digital multiplexer receives signals from up to 8 remote multiplexers. The digital multiplexer transmits a multiplexed signal (200 channels) to a digital buffer. The digital buffer acts as a signal splitter and retransmits up to 3 inputs to as many as 4 master receivers. At this point, the SPDS system is redundant. Digital buffer outputs are received by each SPDS master receiver. Each master receiver can receive up to 16 multiplexed inputs for a total of up to 3200 separate instrument channels. Each master receiver scans all inputs and transmits each channel's digital data to the SPDS computer for data processing and storage. The output of each SPDS computer is switchable via the T-Bar switch to the SPDS console/CRT.

[Figure 3.3-1: SPDS Block Diagram]

Both SPDS master receivers and computers are normally maintained in an operating state, so that should the primary system fail, a simple transfer of the T-Bar switch will re-establish SPDS displays to the Control Room.

The following sections present the GGNS availability analysis and results:

3.3.1 Forced Outage Analysis

Hardware failure analysis is performed by equipment manufacturers. Reliability (as opposed to availability) data for each component or assembly is obtained in the form of mean-time-between-failures (MTBF) and mean-time-to-repair (MTTR). The GGNS SPDS utilizes an existing data acquisition system for data input. This system (transient test recording system-GETARS) includes the remote and digital multiplexers and the digital buffers (refer to Figure 3.3-1). Equipment manufacturer's analysis results (MTBF only) are shown in Table 3.3-1 along with results from the remainder of the SPDS system. MTTR's on Table 3.3-1 are estimates of total forced outage time (includes problem diagnosis, repair/replace times, and an allowance for administrative requirements).

Table 3.3-1 SPDS System Availability

ITEM  COMPONENT/SUBSYSTEM  MTBF (HRS)  MTTR (HRS)  A
1     Data Acquisition     43800       5           .99988
2     SPDS Computer        552         6.5         .98836
3     T-Bar Switch         29055       4.3         .99985
4     SPDS Console         2814        4.5         .99840

Equations

$$A_n = \frac{MTBF_n}{MTBF_n + MTTR_n}$$

$$A_{SPDS} = A_1 \times (2A_2 - A_2^2) \times A_3 \times A_4 = 0.9980$$

3.3.2 Scheduled Outage Analysis

Scheduled preventive maintenance of the GGNS SPDS encompasses equipment/cabinet cooling filter replacement and semi-annual instrument channel input amplifier calibration. Out-of-service time for this PM is as follows:

o SPDS Computer Hard Disk Memory Cooling Filter Replacement. This requires out-of-service time on the system requiring service. However, since the SPDS computers are redundant, there is no associated unavailability for the SPDS.

o Instrument Channel Input Amplifier Calibration (located in remote multiplexers). This calibration requires only a single instrument channel to be removed from service. This does not affect SPDS system availability. This also applies to instrument loop calibration.

3.3.3 Software Analysis

SPDS availability could be affected by software reliability and software structure. Highly reliable software (software with few, if any, errors) with sufficient error handling routines will be demonstrated during the validation process of the V&V effort. Hence, software reliability should have little effect on SPDS availability. The SPDS software is also structured so that data acquisition always has priority over any other task. Display software is structured so that SPDS display output tasks have priority over any TSC or EOF tasks. Therefore highly reliable and prioritized software ensures that SPDS availability will not be affected.

3.3.4 Availability Results

Based upon the availability results shown in Table 3.3-1 and assuming software availability of 1 and preventive maintenance outage time of 0, the GGNS SPDS is expected to achieve an availability exceeding the design goals during all plant modes. This includes refueling and cold shutdown modes since SPDS will be fully operational during these modes also.

The GGNS SPDS is already a mature system. The computer hardware has been installed for over a year. The Control Room SPDS Console is located in the Lower Cable Spreading Room rather than in the Control Room to facilitate testing; however, it is functionally connected (i.e., via modems) as it will be in its ultimate Control Room location.
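The Table 3.3-1 calculation, written out as an added example (not part of the original report): a small series/parallel availability model that reproduces the 0.9980 result and, going one step beyond the report, shows the figure without the redundant computer and which block dominates the remaining unavailability. The function names are this example's own, and `parallel()` assumes the redundant computers fail independently, which is the assumption behind the report's 2A - A² term.

```python
from math import prod

# (MTBF hours, MTTR hours) as listed in Table 3.3-1 of the report.
TABLE_3_3_1 = {
    "data_acquisition": (43800.0, 5.0),
    "spds_computer": (552.0, 6.5),
    "t_bar_switch": (29055.0, 4.3),
    "spds_console": (2814.0, 4.5),
}
DESIGN_GOAL_ABOVE_COLD_SHUTDOWN = 0.99  # Section 3.3 design goal


def availability(mtbf, mttr):
    """Steady-state availability A = MTBF / (MTBF + MTTR)."""
    if mtbf <= 0 or mttr < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf / (mtbf + mttr)


def series(*blocks):
    """All blocks must be up: availabilities multiply."""
    return prod(blocks)


def parallel(*blocks):
    """At least one block must be up (independent failures assumed)."""
    return 1.0 - prod(1.0 - a for a in blocks)


def spds_availability(table=TABLE_3_3_1, redundant_computers=2):
    """A1 x (redundant computer group) x A3 x A4, per the report's equation."""
    a = {name: availability(*hours) for name, hours in table.items()}
    computers = parallel(*[a["spds_computer"]] * redundant_computers)
    return series(a["data_acquisition"], computers,
                  a["t_bar_switch"], a["spds_console"])


def unavailability_budget(table=TABLE_3_3_1, redundant_computers=2):
    """Unavailability contributed by each series block, largest first."""
    budget = {}
    for name, hours in table.items():
        u = 1.0 - availability(*hours)
        if name == "spds_computer":
            u = u ** redundant_computers  # all redundant units down at once
        budget[name] = u
    return sorted(budget.items(), key=lambda item: item[1], reverse=True)


def annual_downtime_hours(a, hours_per_year=8760.0):
    """Expected forced-outage hours per year for availability a."""
    return (1.0 - a) * hours_per_year


if __name__ == "__main__":
    dual = spds_availability()
    single = spds_availability(redundant_computers=1)
    print(f"dual computers:   {dual:.4f}")
    print(f"single computer:  {single:.4f}")
    print(f"downtime (dual):  {annual_downtime_hours(dual):.1f} h/yr")
    for name, u in unavailability_budget():
        print(f"  {name:<18} {u:.6f}")
```

With a single computer the model falls below the 0.99 goal; with the redundant pair the single SPDS console becomes the largest contributor to unavailability.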

3.4 SPDS Use and Location

The SPDS console in the Control Room will consist of a keyboard with a 19 inch CRT/color graphics display. The keyboard will be provided with special keycaps or other means to enhance usability by operators. The console will be located as shown in Figure 3.4-1, so as to provide quick access and easy viewing from operator workstations.

The SPDS will be operated by Control Room personnel in accordance with approved procedures. The GGNS Emergency Procedures (EP) will have special notations to indicate when the SPDS displays may be the most helpful. The EPs will be designed for use both with and without SPDS, and operators will be trained for both situations.

3.5 Reactor Modes Considerations

Emergency procedure guidelines developed by the BWR Owners Group provide the basis for effective and safe response to general symptoms of the plant without regard to the operational mode of the plant. Thus, the GGNS SPDS will be useful in various plant modes for monitoring plant safety and initiating appropriate emergency response consistent with the GGNS EPs and PSTG's which are based on the BWROG EPG's.

A detailed review of the GGNS EPs will be conducted to determine if additional alarms or data points are needed in the SPDS for non-power modes of operation. Any additional alarms or data points identified by this evaluation that are applicable to cold shutdown or refueling modes will be considered for addition to the SPDS after the initial SPDS implementation has been completed.

[Figure 3.4-1: Typical Control Room SPDS Location]

3.6 SPDS Flexibility

The GGNS SPDS is being designed so that future expansion and modifications can be accommodated. The following are general areas where SPDS flexibility will be considered:

a. Feedback from operating personnel after initial SPDS implementation.
b. BWROG EPG Revision 4 (currently in preparation) and future EPG revisions may result in changes to the GGNS PSTGs and EPs.
c. The results of the system function review and task analysis being conducted as part of the GGNS Detailed Control Room Design Review, including any Human Engineering Deficiencies which SPDS modifications might resolve.
d. Addition of alarms or data that may be needed for SPDS monitoring in non-power modes of the plant.
e. Incorporation of improved algorithms and techniques for validating and determining quality level of certain SPDS parameters.
f. Man-machine validation of the SPDS may identify the need for SPDS modifications to improve usability by the operating crew.

Flexibility will be assured in the SPDS design by providing expandability in both data acquisition and computer hardware and by providing modular software and display features with interface provisions that will facilitate future changes to SPDS. The hardware chosen can accept additional terminals and consideration will be given to adding one or more.

3.7 System Hardware, Data Recall, and Storage Capabilities

The SPDS includes dual SEL 32/27 computers with interface to the C88 Data Acquisition Network, tape drives, 80 MByte moving head disk drives, and one color CRT/keyboard console located in the Control Room. Data recall and storage capabilities for the SPDS are accomplished via three types of hardware media and various software programs and handlers designed to interface to those media. The capabilities and expandability of each type of media may be viewed from a hardware standpoint. The utilization of those capabilities and expandability may be viewed from a software standpoint.

3.7.1 Hardware

Each of the two SPDS computers contains four 256KB (256 thousand byte) integrated memory modules (IMM's). Each IMM is composed of MOS (metal-oxide semiconductor) memory, on-board refresh logic, and data format and error correction logic. Maximum throughput for this type of memory is 26.67 million bytes per second. The IMM random access memory (RAM) is the location of all programs and data during actual execution by the CPU. The SPDS RAM can be easily expanded from its 1024KB to its maximum configuration of 4096KB by simply replacing each of the four existing 256KB IMM's with 1024KB IMM's and instructing the operating system of the change. This represents an expandability of 400% for SPDS RAM.

When programs and data are not required to be resident in the IMM RAM they are stored on hard disk mass storage modules. Each SPDS computer has access to two Control Data Corporation (CDC) 80 MB (megabyte) storage module drives (SMD's). Each SMD is composed of a single multi-platter magnetic storage media, associated read/write logic, and control/drive components. Maximum throughput for the unit is .98 million bytes/sec. Each processor is capable of supporting four 80 MB SMD's and is also capable of supporting other SMD's of larger capacity such as the CDC 300 MB SMD. SPDS mass storage capability can (space limitations excepted) be expanded by 750% by replacement/addition of the larger capacity SMD's.

System backup and longterm data archiving on the SPDS is attained via bulk storage tape. Each computer has the ability to communicate with a single Digital Tape Transport Unit (DTTU). The supply and takeup reels of the DTTU will accommodate up to 2400 foot rolls of tape. Maximum data throughput for the processor/DTTU is 120KB per second. Each processor is capable of supporting up to four DTTU's, giving the SPDS bulk storage expandability of 400% (physical space limitations excepted). It must be noted that a processor can control only one DTTU at any given time.

3.7.2 Software

SPDS RAM requirements are based on sound system design principles. Memory utilization of 50-85% is a goal for the SPDS RAM. This ensures that sufficient memory will always be available for the programs that run SPDS. Should future expansions be required the expandability of the system may be utilized.

Utilization of the SPDS mass storage hard disc space is achieved by separating the program and associated data files from the archived data files via two SMD's. The program files SMD normally utilizes less than 50% of the total available storage space. The archival file SMD normally utilizes from 85-100% of the total storage space available when a database of 800 points is specified. A dual circular file structure for the archival SMD is used so that while the archival program is utilizing one file, the computer operator can be saving the other file to bulk tape storage. Each archival file is capable of storing approximately seven hours of archive data for a total of fourteen hours of archived data before the circular file structure causes overwrite. Thus combined pre and post-event archive data can total up to fourteen hours before operator intervention (manual loading of the DTTU) is required.

Longterm data storage required for post-event analysis utilizes the maximum size 2400 foot reels of magnetic tape on the DTTU. For a database size of 800 points, approximately seven hours of data can be stored on a single reel. Recall of the archived data from bulk storage is accomplished by mounting the desired historical data file on the DTTU and activating a single program from the computer operator's console. Once the data is restored to the SMD, it can be viewed at either of the two engineering consoles located in the TSC and EOF.

3.8 Signal Validation

The GGNS SPDS will include provisions for automatic determination and continuous indication of SPDS data quality. SPDS signals will undergo pass/fail processing, range limit checking, and signal validation algorithm processing. Quality level indication will be presented to operating personnel along with the quantitative value of the data. The design is intended to relieve operators of routine data quality determinations and to make all data available for operator evaluation of data quality as they deem appropriate. The signal validation algorithms have not been developed at this time.

Detailed information about SPDS signal validation is presented in Section 5.0.

3.9 Electrical Power Sources

In order to ensure that the SPDS achieves high availability, the GGNS SPDS is powered from the Class 1E uninterruptible 120 VAC power system. This includes not only the Class 1E signal conditioning/transmission portions of the system, but also the non-1E receiver units, SPDS computers and data storage equipment, and SPDS plant operator's console/CRT.

3.10 Circuit Isolation Devices

NUREG-0737 Supplement 1, Section 4.1.c states that the SPDS shall be suitably isolated from electrical and electronic interference with equipment and sensors that are used for safety systems. NUREG-0696 more clearly states that interfaces between SPDS and safety systems shall be isolated in accordance with the safety system(s) criteria in order to preserve channel independence and to ensure safety system integrity should the SPDS malfunction. The GGNS SPDS accomplishes these requirements by physical separation and by isolation.

Figure 3.3-1 is a block diagram of the GGNS SPDS system. Parameter data acquisition is accomplished via the instrumentation loop, remote multiplexer, digital multiplexer, digital buffer and master receiver subsystem. The digital buffers perform signal splitting to provide the same parameter data to the redundant master receivers and SPDS computers.

Some of the instrumentation loop inputs to the system are associated with Class 1E systems. The 1E-Ax designator shown on the figure indicates this type of input (e.g., 1E-A2 is "associated Class 1E, Division 2").

Channel independence is maintained by physical separation where any remote multiplexer receives inputs from only one associated Class 1E division. Remote multiplexers of one division are also physically separated from remote multiplexers of another division. Separation is accomplished in accordance with Regulatory Guide 1.75, Revision 1 as stated in the GGNS FSAR, Appendix 3A. Environmental qualification to the requirements of 10CFR50.49 is not applicable since the associated Class 1E remote multiplexers are located in a mild environment.

In order to maintain the integrity of safety systems should the SPDS malfunction, fiber optic cables are used for data transmission from the associated Class 1E remote multiplexers to the non-1E digital multiplexers. Fiber optic cables have the following properties which qualify them as ideal isolators:

o They are totally dielectric, therefore electrical fault current/voltage cannot propagate from one end to the other. A discussion of maximum credible faults is therefore not applicable to the fiber optic cables.
o They are not susceptible to electrical interference. Possible electrical interference created by digital multiplexers or other SPDS components/equipment cannot propagate through or be induced in the optical fiber.

The optical fiber cables were considered for application of maximum credible faults. However, as discussed previously, fault current/voltage cannot propagate through the optical fibers and therefore, a discussion of maximum credible faults is not considered applicable.

3.11 Human Factors Engineering

Human factors engineering is an important consideration for SPDS design. Accepted human factors engineering considerations will be incorporated in the GGNS SPDS, and the design process will be planned and conducted accordingly. All appropriate elements of human factors engineering will be reflected in a human factors program document for the GGNS SPDS.

Additional details about this subject are presented in Section 7.0.

4.0 SPDS DISPLAYS

4.1 Display Philosophy

Previous industry experience has shown that SPDS displays which are directly linked to the Emergency Procedures (EPs) provide more meaningful and useful data to the operating crew during emergency conditions. As a result of this industry experience (BWROG and Westinghouse Owners Group validation of SPDS displays, BWROG/EPRI/DOE Graphic Display Development Program, INPO/NUTAC generic display guidance), the GGNS SPDS will employ a procedure-based display concept.

The GGNS SPDS displays will be developed to directly assist the operators in decision-making processes for assessing control function (CF) status and EP entry and execution. The technical basis for the information displayed by the SPDS will be provided by the GGNS PSTGs and the GGNS functional analysis described in Section 2.0 of this document.

The Control Room CRT will continuously monitor the summary safety status. When lower level SPDS information is displayed, the summary safety status will still be displayed.

The SPDS displays will be implemented with a logic hierarchy or structure that facilitates systematic passage between displays and supports operators' assessment of CFs and EP entry. This hierarchy is illustrated conceptually on Figure 4.1-1.

4.2 CF Assessment Display Feature

Each SPDS display will provide information on the status of the CFs. This will ensure that the operator is able to monitor control function status regardless of which SPDS display he is using. As a minimum, the CF assessment feature will monitor the entry conditions of the primary EPs (those EPs with independent entry conditions such as RPV control and containment control). The operator will be provided status information by alarm colors and/or alphanumeric changes in status indication. Human factors considerations will determine the means for providing status information on the SPDS. The format for presenting this information will be common to all SPDS displays. The logic for CF assessment will be based on the GGNS EP entry conditions.

[Figure 4.1-1: Conceptual Display Hierarchy]

4.3 CF Overview Display

An overview display will be provided that presents the principal control function parameters. During normal, transient, and emergency conditions, access will be provided to the pre-defined overview display. This display will indicate the current values of the principal control function parameters, which are listed in Table 2.2-2 of Section 2.2.

This information will be shown as digital values and may be accompanied by analog trends, mimics or bar graphs as appropriate. Color coding consistent with that used in the CF assessment feature indications will be used in the overview display.

The overview display will support the CF assessment indicators and enable the operating crew to determine/evaluate which entry condition(s) has caused a change in CF status.

4.4 Primary Displays

During normal, transient, and emergency conditions, access will be provided to a set of pre-defined primary displays. These displays will be designed to integrate with the EP's in order to support operators in the execution of the EP's.

The methods chosen to present information on these displays will have a technical basis to aid and augment GGNS instrumentation and will do more than simply replicate existing control room instrumentation. The following process will be used to develop these displays:

o Identify "decision functions" in each EP.
o Identify SPDS parameters used in that "decision function".
o Determine what processing the operator is required to perform using the SPDS parameter information.
o Develop a display to present this information processing.

Displays resulting from this process should aid the operating crew in their decision-making and further assure appropriate emergency response.

The primary displays may utilize mimics, limit marks, trend arrows, alarm indication, digital parameter values, and operator information messages when limits are exceeded. Limits will be specified in accordance with those specified in the GGNS PSTGs and EP's. Determination of which features will be used will be based on logical EP/control function relationships, computer/CRT limitations and human factors criteria for information presentation. Human factors criteria to ensure that the displayed information can be readily perceived and comprehended so as not to mislead the operator will be incorporated during the display development process. A summary of the Human Factors program is addressed in Section 7.0.

4.5 Secondary Displays

Access will also be provided to a set of pre-defined secondary displays. These displays will provide the current values for each SPDS variable input sensor. These displays will be assigned on a one-for-one basis to each primary display. This will enable operators to have access to all of the input values used in determining the processed values shown on the primary displays. The precise information content and format of these secondary displays will be determined during the actual display development.

4.6 Analog Trends

Analog trends will be provided for the principal control function parameters listed in Table 2.2-2 of Section 2.2, as determined necessary during display development. These trends will support the CF assessment indicators, and overview and primary displays by providing operators with historical information to aid in assessing plant status. The analog trends will also enable operators to monitor recovery of principal control function parameters and aid in decision-making once the operating crew has entered an EP. A digital readout including engineering units will be displayed to inform the operator of the current control function parameter value. The amount of historical data displayed on each analog trend will be determined, consistent with EP information needs.

4.7 Support Displays

Additional displays will be incorporated in the SPDS to aid the operator in monitoring various plant limits reflected in the EPs. These displays will consist of X-Y and exclusion plots as appropriate for the EP's such as:

o Heat Capacity Temperature Limit - Suppression Pool Temperature vs. RPV Pressure
o Heat Capacity Level Limit - Suppression Pool Water Level vs. Delta T Heat Capacity
o Suppression Pool Load Limit - Suppression Pool Level vs. RPV Pressure

4.8 Display Access

Each display will be accessible directly or through a menu. Once a display is selected, other displays will be accessible in a timely manner. The overview and primary displays will be accessible by a single key stroke, with other displays accessible in an efficient manner to be determined during display development.

4.9 Variable Quality Indication

All SPDS variables will be displayed with a visual indication of the associated quality level as determined by SPDS data processing and validation (e.g., invalid or unvalidated variables, or values out-of-scan will be tagged). This validation process is further described in Section 5.0 of this document. Providing quality tag information will further assure operators of the validity of the SPDS data that is presented. The actual method of presenting the quality indication will be consistent with that used by other Control Room CRT display conventions. The quality tags themselves are internal to the SPDS system, maintained by software algorithms to be developed.

5.0 SIGNAL VALIDATION

5.1 Introduction

The use of misleading data by the SPDS should be avoided since it can adversely affect the quality of many variables processed and presented in the SPDS. Sources of misleading data include instrumentation and sensors that drift, fail, or are removed from scan. Signal validation techniques will be incorporated into the software processing to determine and indicate data quality.

5.2 The Validation Process

Sensor signals used by the SPDS will undergo pass/fail processing, range limit checking and signal validation, as appropriate, before being used in the algorithms which determine the status of the critical safety functions. The quality of a plant parameter will be indicated by its quality tag. All SPDS parameters including calculated values will carry a three state quality tag: validated, unvalidated, and invalid. The validation process is described below:

a. Pass/Fail Processing determines whether or not a sensor signal is in scan, the multiplexer communication interface is operating within design limits, and the analog/digital converter drift is within design limits. A sensor signal failing pass/fail processing is assigned an invalid quality tag.
b. Range Limit Checking determines that a sensor signal is within its instrument range, with predetermined margins from scale maximum and minimum. A sensor signal not within the range limit is assigned an unvalidated quality tag.
c. Signal Validation Processing will be performed on signals that are either physically redundant or analytically redundant to establish a higher level of data quality where appropriate. Processing techniques that will be employed for signal validation include one or more of the following:

o Arithmetic averaging
o Deviation weighted averaging
o Signal noise analysis
o Parity space vector analysis

Signal validation processing will utilize pre-determined algorithms and software designed for the number of redundant signals and the particular process appropriate for each SPDS parameter.

A parameter that fails signal validation processing is assigned an unvalidated quality tag and one passing is assigned a validated quality tag. Any individual sensor signal rejected as inconsistent by signal validation processing is assigned an invalid quality tag.

5.3 Signal Validation Features

a. Preferential Use of Validated Data. Validated signals and parameters will be used preferentially over lower quality data for indication of control function status.
b. Quality Tag Application. Application of quality tags will not affect the quantitative value of the data and access to data will not be affected regardless of validity judgments rendered by the validation process.
c. Calculated Variable and Quality. The quality tag associated with any signal or parameter will be carried through and reflected in the quality tag for any subsequent calculations that use that signal or parameter. If a particular calculation uses inputs with different levels of quality, the lowest level of quality used will be reflected in the quality tag for the calculated result.

5.4 Validation Results

The described use of signal validation will provide input to the SPDS that:

a. is purged of inconsistent signals when remaining signals are consistent,
b. is chosen using pre-established decisions if sufficient consistency is lacking, and
c. is tagged to inform the operator of its quality status.

Thus, the process is designed to provide extra reliability and to reduce decision-making overhead in emergency situations.
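The tagging rules of Sections 5.2 and 5.3, as an added example (not code from the report, which states that the validation algorithms were not yet developed): pass/fail, range check, a redundancy check by arithmetic averaging, and lowest-quality propagation into a calculated value. The median-and-tolerance consistency test, the two-signal minimum for a validated result, the fallback value when consistency is lacking, and all sensor names and readings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from statistics import mean, median
from typing import Callable, Dict, List, Optional, Tuple


class Quality(IntEnum):
    """Three-state tag from Section 5.2; ordering lets min() find the lowest."""
    INVALID = 0
    UNVALIDATED = 1
    VALIDATED = 2


@dataclass(frozen=True)
class SensorSignal:
    name: str
    value: float
    in_scan: bool = True        # sensor is being scanned
    mux_link_ok: bool = True    # multiplexer communication within design limits
    adc_drift_ok: bool = True   # A/D converter drift within design limits


@dataclass(frozen=True)
class Tagged:
    value: Optional[float]      # the value is kept whatever the tag says (5.3 b)
    quality: Quality


def pass_fail(sig: SensorSignal) -> bool:
    """Step a: every health check must pass."""
    return sig.in_scan and sig.mux_link_ok and sig.adc_drift_ok


def within_range(sig: SensorSignal, lo: float, hi: float, margin: float) -> bool:
    """Step b: inside the instrument range, less a margin at each end."""
    return lo + margin <= sig.value <= hi - margin


def validate_parameter(signals: List[SensorSignal], lo: float, hi: float,
                       margin: float, tolerance: float
                       ) -> Tuple[Tagged, Dict[str, Tagged]]:
    """Steps a-c for one parameter; returns (parameter, per-sensor tags)."""
    tags: Dict[str, Tagged] = {}
    live, candidates = [], []
    for s in signals:
        if not pass_fail(s):
            tags[s.name] = Tagged(s.value, Quality.INVALID)
            continue
        tags[s.name] = Tagged(s.value, Quality.UNVALIDATED)
        live.append(s)
        if within_range(s, lo, hi, margin):
            candidates.append(s)
    if not live:                       # assumption: nothing usable at all
        return Tagged(None, Quality.INVALID), tags
    if not candidates:                 # only out-of-range signals remain
        return Tagged(median(s.value for s in live), Quality.UNVALIDATED), tags
    centre = median(s.value for s in candidates)
    consistent = [s for s in candidates if abs(s.value - centre) <= tolerance]
    if len(consistent) < 2:            # cannot tell which signal is wrong
        return Tagged(centre, Quality.UNVALIDATED), tags
    for s in candidates:               # purge outliers, accept the rest
        agreed = abs(s.value - centre) <= tolerance
        tags[s.name] = Tagged(
            s.value, Quality.VALIDATED if agreed else Quality.INVALID)
    return Tagged(mean(s.value for s in consistent), Quality.VALIDATED), tags


def calculate(fn: Callable[..., float], *inputs: Tagged) -> Tagged:
    """Calculated variable: result carries the lowest input quality (5.3 c)."""
    if any(t.value is None for t in inputs):
        return Tagged(None, Quality.INVALID)
    return Tagged(fn(*(t.value for t in inputs)),
                  min(t.quality for t in inputs))


def example():
    """Constructed readings (psig assumed) for two containment parameters."""
    drywell = [SensorSignal("DWP-A", 1.52), SensorSignal("DWP-B", 1.48),
               SensorSignal("DWP-C", 4.90),                  # drifted high
               SensorSignal("DWP-D", 1.50, in_scan=False)]   # removed from scan
    containment = [SensorSignal("CTP-A", 0.30), SensorSignal("CTP-B", 1.10)]
    dw, dw_tags = validate_parameter(drywell, -5.0, 30.0, 0.5, 0.2)
    ct, ct_tags = validate_parameter(containment, -5.0, 30.0, 0.5, 0.2)
    diff = calculate(lambda a, b: a - b, dw, ct)
    return dw, dw_tags, ct, ct_tags, diff
```

In the constructed data the drywell pressure is validated from two agreeing sensors while the two containment sensors disagree, so the calculated differential is tagged unvalidated even though one of its inputs is validated.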

6.0 VERIFICATION AND VALIDATION

6.1 Verification and Validation Overview

This section provides an overview of the SPDS Verification and Validation (V&V) program. The objective of the Verification and Validation Program is to provide a quality SPDS through independent technical review and evaluation conducted in parallel with SPDS development. When V&V is integrated with the SPDS development process it provides a means for:

o independent technical evaluation of the system
o assuring formally documented implementation
o improved integration of system hardware and software
o regulatory review and approval

6.2 SPDS Verification and Validation

Key overall elements of SPDS V&V will be to assure:

o Comprehensive technical review of system functional requirements to assure that the SPDS will perform appropriate functions.

o Comprehensive technical evaluation of the implementation process to establish that succeeding tasks are a consistent, complete and correct translation of previous tasks in the development process.

o Adequate documentation of the system, as well as for system implementation.

o Adequate configuration management to document and control system and implementation changes.

6.3 System Requirements Verification

System Requirements Verification is a review of the system requirements documentation against standards and regulations. The object of this evaluation is to determine that the functions described in the system requirements meet the intent of NUREG-0737 Supplement 1. The requirements are reviewed for correctness, completeness, consistency, understandability, feasibility, testability, and traceability.

6.3.1 System Requirements Verification Overview

System Requirements Verification will be separated into two phases. Initial activities will include preparing an Originating Requirements List (based on NRC regulations and guidelines) and a System Requirements List (based on MP&L's requirements). These will be performed in preparation for the formal System Requirements Verification. Formal evaluation of the system requirements will follow this preparation.

6.3.2 Traceability Matrix

As part of V&V documentation, a traceability matrix will be utilized. The function of the matrix for V&V is to show the correlation of the SPDS functional and administrative requirements to the NRC requirements and to the functional capabilities of the system, which in turn link to the Validation Test Plan and Validation Test Procedures and the test results. The matrix will demonstrate that all system functions have been tested.

Functionally, the matrix will facilitate the logical organization of a significant amount of data. This method is designed to provide a simpler and clearer tracking of the identified requirements.
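A traceability matrix of the kind described in Section 6.3.2 can be built and checked for gaps as shown below. This is an added example, not part of the report or its V&V tooling; the section numbers 4.1.a through 4.1.f are taken from the report's compliance summary, while every SR-, F- and VTP- identifier, the link data and the result values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical identifiers, see lead-in).
ORIGINATING = ["4.1.a", "4.1.b", "4.1.e", "4.1.f"]
SYSTEM_REQS = {            # system requirement -> originating requirements
    "SR-01": ["4.1.a"],    # concise display of critical plant variables
    "SR-02": ["4.1.f"],    # information on the critical safety functions
    "SR-03": ["4.1.e"],    # displays follow human factors principles
}
FUNCTIONS = {              # system function -> system requirements
    "F-01": ["SR-01"],     # EP entry condition status summary display
    "F-02": ["SR-02"],     # principal control parameter values and alarms
    "F-99": [],            # function with no requirement behind it
}
TESTS = {                  # validation test procedure -> functions, result
    "VTP-01": {"covers": ["F-01"], "result": "pass"},
    "VTP-02": {"covers": ["F-01"], "result": "fail"},
}


def _invert(mapping):
    """Turn {child: [parents]} into {parent: [children]}."""
    out = defaultdict(list)
    for child, parents in mapping.items():
        for parent in parents:
            out[parent].append(child)
    return out


def build_matrix(originating, system_reqs, functions, tests):
    """One row per chain: (originating, requirement, function, test, result).

    A missing link is recorded as None so that the gap stays visible.
    """
    reqs_for = _invert(system_reqs)
    funcs_for = _invert(functions)
    tests_for = _invert({t: spec["covers"] for t, spec in tests.items()})
    rows = []
    for orig in originating:
        for req in reqs_for.get(orig) or [None]:
            for func in funcs_for.get(req) or [None]:
                for test in tests_for.get(func) or [None]:
                    result = tests[test]["result"] if test else None
                    rows.append((orig, req, func, test, result))
    return rows


def find_gaps(rows, functions):
    """List every break in the chain from NRC requirement to test result."""
    traced = {func for _, _, func, _, _ in rows if func}
    return {
        "unallocated_originating": sorted(
            {o for o, r, _, _, _ in rows if r is None}),
        "unimplemented_requirements": sorted(
            {r for _, r, f, _, _ in rows if r and f is None}),
        "untested_functions": sorted(
            {f for _, _, f, t, _ in rows if f and t is None}),
        "tests_not_passed": sorted(
            {t for _, _, _, t, res in rows if t and res != "pass"}),
        "orphan_functions": sorted(set(functions) - traced),
    }


MATRIX = build_matrix(ORIGINATING, SYSTEM_REQS, FUNCTIONS, TESTS)
GAPS = find_gaps(MATRIX, FUNCTIONS)
```

The matrix "demonstrates that all system functions have been tested" only when every list in `GAPS` is empty.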

6.4 Design Analysis/Review

The objective of Design Analysis/Review is to establish the relationship between the system functions and its design structure. This Analysis/Review establishes a basis for validation testing and evaluation. Design Analysis will be performed on the base system previously furnished by the computer system vendor to relate functions and design structure in order to support evaluation of SPDS-related functions. Design Review will be performed on the modifications being made to the base system to include the SPDS and related functions.

6.5 SPDS Validation

System Validation is an end-to-end evaluation of the system functions to demonstrate that the system meets the system requirements. Demonstration of acceptable operation with the implemented functions is accomplished through a planned testing and evaluation process. The validation process will include functional and performance testing and dynamic performance engineering evaluation. Requirements verification and design analysis will be used as insight to the validation process by identifying the system's functional capabilities and limitations. The steps of the SPDS System Validation are:

o prepare Validation Test Plan

o prepare Validation Test Procedures

o perform Validation Testing and Analysis

o prepare final Validation Test Report

Validation tests are used to confirm correct operation of specific functional and performance requirements of the system. They will cover data acquisition, CPU and general purpose programs, SPDS applications programs, and display system requirements. Where possible, clearly defined acceptance criteria such as accuracy, response time, transfer function, alarm conditions, etc. will be used. Functions may be tested with both static and dynamic data inputs. Tests will include coverage of both the valid and invalid input domain. Particular attention will be given to validity algorithm or other data checking methods.

Engineering evaluation will be performed to show that the control room operator has available, rapidly and reliably, appropriate variables. The engineering evaluation will include appropriateness of parameters, timeliness of the display, accuracy, resolution, appropriately scaled trends, etc. The evaluation will also consider human engineering aspects such as concise display formats, the accessibility of data and continuous display of representative safety status information.

7.0 HUMAN FACTORS ENGINEERING

A fundamental design objective is for the SPDS to serve as an aid to the operating crew in monitoring the overall safety status of the plant and in initiating response to plant emergencies. Although as an operating aid the SPDS will not serve as essential safety instrumentation, it is important that human factors considerations be integral to the design process to assure SPDS effectiveness in emergency situations. Accordingly, a human factors program will be developed and applied as part of the SPDS implementation program. The following considerations will be included as part of GGNS SPDS human factors program.

7.1 Task Definition

Task definition is necessary to acquaint the designer with the reasoning behind the display requirements and to provide understanding of how and when the displays will be used. The designer determines how each function is performed, the information needed to accomplish it, and how the display can assist operator performance.

7.2 Equipment Considerations

This is to assure that any limitations which may be imposed by the equipment are known to the display designer. For example, the designer needs to determine the amount of information that will fit on one CRT screen, colors available, controls, brightness, resolution, etc.

7.3 Viewing Environment

This will establish the location and environment in which the equipment is to be used and determine the positions (e.g., standing, sitting, viewing distance) from which the user will want to read the information on the displays.

7.4 Human Factors Criteria

This activity will identify human factors principles and criteria that will be applied in the SPDS design. Appropriate principles and criteria will be derived from such documents as Section 6.7.2 of NUREG-0700 (Cathode Ray Tube Displays), EPRI Report NP-3701, September 1984, "Computer Generated Display System Guidelines, Volume 1 Display Design" (Ref. 7), BWROG Graphic Display Development Project (Ref. 4), GGNS DCRDR Computer Display Conventions, and NUREG-0800 Chapter 18.2, Safety Parameter Display Systems.

In general, the following human factors aspects of display design will be emphasized:

a. Logical, functional arrangements and groupings of information
b. Intelligibility
c. Consistency in the manner of presenting information
d. Acceptable content density
e. Content integration
f. Readability
g. Effective, unambiguous, consistent, and readily identifiable color usage
h. Application of highlighting techniques
i. Understandability of presented information
j. Efficient utilization of display area
k. Use of hierarchical labeling to promote readability and unambiguous interpretation of presented information

SPDS displays will utilize and be consistent with computer display conventions established for the GGNS Control Room.

7.5 Display Concepts

Display concepts will be developed regarding the content of individual displays as well as the overall structure of display hierarchy. The number of displays, display access, and their relationship to the GGNS PSTGs and EPs will be addressed along with user capabilities so that the resulting displays mesh with user needs.

Additionally, there will be a review of the SPDS design concepts involving engineering, operations, and computer personnel.

7.6 Display Development

This is the actual design of the displays and will include activities such as the following:

a. Determine how the needed information is to be shown.
b. Determine the appearance of each display element.
c. Determine the colors to be used.
d. Determine the dynamics of each variable element or feature.
e. Determine access to each display.
f. Determine how the user can recover from errors.
g. Determine what user prompts are to be used and where.

7.7 Display Functional Description

The displays and how they are to function will be described in order to provide clear guidance to programming personnel for design of the final display products. All display characteristics will be documented to provide a basis for configuration management and potential future modifications as well as for preparation of SPDS training materials.

7.8 Display Review

The purpose of this step is to insure that the detailed design meets all the original requirements. An important step in this process is a review of the displays by typical users (i.e., plant operators). This will also include review by an independent human factors consultant who will evaluate displays against NUREG-0800 and the SPDS human factors engineering criteria.

8.0 MAN-MACHINE VALIDATION (MMV)

8.1 MMV Objectives

Confirmation that the SPDS meets functional performance requirements will be achieved through static and dynamic evaluations of the GGNS SPDS. The evaluations will address the integration of the SPDS with the PSTGs/EPs and the SPDS user in order to demonstrate that the SPDS aids in monitoring plant safety status and initiating response to plant emergencies. The objectives will be to validate the following:

o the SPDS exhibits good human engineering practices

o the displays are understandable and usable

o the displays are compatible with symptom-based EP entry conditions

o the displays are responsive to changes in plant data and emergency conditions as directed by the EPs.

8.2 MMV Methods

Methods to be employed for validation of system performance may include table-top evaluations, part-task simulator evaluations, and full-scope simulator evaluations. Results of table-top evaluations contribute effectively to an iterative design process. Information feedback from part-task simulator evaluations assists in finalizing the system design prior to performing the formal full-scope simulator evaluation.

For part-task simulator evaluation, plant operators will be requested to observe preselected transients on the SPDS and indicate their responses to these transients. This will enable evaluators to determine if the operators can identify changes in CF status using the SPDS and are directed to the correct symptom-based EPs to mitigate these transients.

Operating personnel will be asked to explain what they observe on the SPDS and the actions they would normally take to mitigate the transients included in each scenario. The crew will move about the control room or simulator as if they were interacting with GGNS instrumentation and controls, obtaining and following EPs, and using the SPDS to monitor CFs.

The tests will provide dynamic, real-time simulations for each scenario.

Scenarios will be selected that are sufficiently complex to involve multiple system failures and the need for multiple operator decisions and actions for successful mitigation of the simulated emergency. The range of scenarios will challenge all CFs and exercise EP entry conditions.

Transients used in full-scope simulator evaluations will be similar to those used for EP validation as described in the GGNS Emergency Procedures Generation Package (Ref. 8). These scenarios include multiple failures (concurrent and sequential) and, in combination, will dynamically exercise the EPs and the SPDS displays to the extent possible within the capabilities of the simulator.

Evaluation team members for part-task and full-scope simulator evaluations will be independent of the design group. EP trained operators who are familiar with SPDS use will participate in the phases of the Man-Machine Validation Program. Assessment of validation results, and the recommendation and implementation of corrective actions to resolve discrepancies will involve members from the evaluation team as well as individuals who are knowledgeable in Control Room operations and SPDS design.

8.3 MMV Program Documentation

Man-Machine Validation Program documentation will include:

a. A program plan
b. Evaluation procedures
c. Completed checklists and other collected data
d. Assessments of the results of the evaluations
e. Recommendations for corrections of deficiencies

9.0 OPERATOR TRAINING

SPDS training for Control Room operators will be incorporated in the GGNS training program. Control room operators will be formally trained on the simulator prior to implementation of the SPDS at the plant. SPDS training will include the use of the SPDS, SPDS display information content, the means of accessing displays, and the anticipated use of displays during both normal and off-normal plant conditions. Formal operator training on these topics will be conducted after the SPDS Man-Machine Validation program has been completed. The training program will be developed in accordance with the INPO accreditation criteria. The program will utilize performance based objectives, clear and concise evaluation techniques and an overall feedback mechanism used to determine training effectiveness. Consistent with the design basis of the SPDS as an aid to safety status assessment and EP entry and execution, the training for the EPs will include situations where SPDS is available, and where SPDS is not available. Care will be taken to emphasize that the SPDS cannot be the only means used by the operator to monitor the plant safety status.

10.0 Conclusions

The GGNS SPDS is being implemented in compliance with the SPDS requirements of NUREG-0737 Supplement 1 as summarized below. A review of GGNS Technical Specifications indicates that implementation of the SPDS as described in this Safety Analysis Report (SAR) will not require modification or addition to the Technical Specifications.

10.1 Compliance with NUREG-0737 Supplement 1, Section 4.1.a

As discussed in Section 4.0 of the Safety Analysis, display of the status of emergency procedure (EP) entry condition status summary, as well as values and alarms for the principal control parameters from the PSTG control functions constitutes a concise display of critical plant variables to aid operators in determining plant safety status.

As discussed in Section 2.0 of the Safety Analysis, design of the GGNS SPDS as an aid to operators in determining the safety status of the plant and assessing whether abnormal conditions warrant corrective action to avoid a degraded core, by using the NRC approved BWROG EPGs and the GGNS PSTGs as part of the design basis for SPDS, is consistent with Section 4.1.a of Supplement 1.

10.2 Compliance with NUREG-0737 Supplement 1, Section 4.1.b

As discussed in Section 3.4 of the Safety Analysis, GGNS is being provided with an SPDS console in an appropriate location in the Control Room which can be used by operators to readily and reliably assess plant safety status.

10.3 Compliance with NUREG-0737 Supplement 1, Section 4.1.c

As discussed in Section 4.0 of the Safety Analysis, the GGNS SPDS will be used to aid and augment the installed Control Room instrumentation and controls. As discussed in Section 3.10 the computers and equipment of SPDS are suitably isolated from safety system equipment and sensors. EPs, being developed at GGNS in parallel to SPDS, permit timely and correct assessment of plant safety status whether the SPDS is available or not, and licensed operators will be trained to enter and execute the EPs both with and without SPDS, as discussed in Sections 3.2, 3.4, 4.0 and 9.0.

10.4 Compliance with NUREG-0737 Supplement 1, Section 4.1.d

Selection of specific information to be included in the SPDS is based on NRC accepted BWROG EPGs and the GGNS PSTGs using sound engineering evaluation and judgment as discussed in Sections 2.0 and 4.0 of the Safety Analysis. As discussed in Section 3.6 of the Safety Analysis the SPDS is being designed to permit future modifications based on results from these related activities.

10.5 Compliance with NUREG-0737 Supplement 1, Section 4.1.e

As discussed in Section 7.0 of the Safety Analysis the GGNS SPDS displays will be designed to incorporate accepted human factors principles for ready perception and comprehension by SPDS users.

10.6 Compliance with NUREG-0737 Supplement 1, Section 4.1.f

The five critical safety functions (CSFs) specified in Section 4.1.f are inherently addressed by the BWROG EPGs, which have been accepted by the NRC, and Section 2.0 of the Safety Analysis has shown the correlation between these CSFs and the generic EPGs in Table 2.1-1. The NRC has accepted the BWROG EPGs as an adequate basis for development of plant specific technical guidelines and emergency operating procedures. As discussed in Section 2.0, the GGNS EPs and PSTGs have been developed directly from the EPGs, and these two documents have been used as part of the SPDS design basis. With the safety parameter information from the principal control functions embodied in the PSTGs and the EP entry and execution support information being incorporated in the GGNS SPDS, as discussed in Sections 2.0 and 4.0, it is concluded that the SPDS will provide sufficient information to operators about the safety status, including all stated CSFs, to aid the operating crew in execution of appropriate response.

REFERENCES

1. Additional information required for NRC Staff Generic Report on Boiling Water Reactors, NEDO-24708, General Electric Company, August 1979
2. Safety Evaluation Report of BWR Emergency Procedure Guidelines, Revision 3, U.S. Nuclear Regulatory Commission, November 23, 1983
3. GGNS PSTGs, draft dated June 4, 1985
4. Graphic Display Development Program, U.S. Department of Energy and Electric Power Research Institute, RP 2347 Interim Report OEIB304-1, Operations Engineering, Inc., December 1984
5. Requirements for Emergency Response Capability, NUREG-0737, Supplement 1 (Generic Letter 82-83), U.S. Nuclear Regulatory Commission, December 17, 1982
6. Emergency Procedure Guidelines, Revision 3, Boiling Water Reactor Owner's Group
7. Computer-Generated Display System Guidelines, Volume I: Display Design, EPRI NP-3701, September 1984
8. GGNS Emergency Procedures Generation Package, MP&L Letter AECM 85/0110 dated April 11, 1985

APPENDIX A

PRINCIPAL CONTROL PARAMETER SET

This Appendix contains the parameter set which fully supports the information requirements of the GGNS PSTGs, and therefore the GGNS EPs. Each parameter listed contains the associated key action levels referenced in the PSTGs.


I.D.    Description / Key Action Levels

1.0     RPV Water Level
1.1     High Trip Setpoint
1.2     Low Scram Setpoint
1.3     HPCS/RCIC Setpoint
1.4     ADS/LPCI/LPCS Setpoint
1.5     Flow Stagnation Level
1.6     Top of Active Fuel
1.7     Minimum Zero Injection Level
1.8     Trend

2.0     RPV Pressure
2.1     Lowest SRV Lift Setpoint
2.2     High Scram Setpoint
2.3     Bypass Valves Fully Open
2.4     Single SRV Steam Cooling
2.5     LPCS Design Flow Pressure
2.6     RCIC Isolation
2.7     Minimum RPV Flooding Pressure
2.8     Shutdown Cooling Interlocks
2.9     Trend

3.0     Reactor Power
3.1     APRM Downscale Trip
3.2     Trend

4.0     RPV Water Temperature
4.1     RPV Cooldown Rate
4.2     Trend

5.0     SCRAM Status
5.1     Condition Requiring SCRAM (any Automatic or Manual Logic Signal)

6.0     Drywell Pressure
6.1     High Scram Setpoint
6.2     Trend

7.0     Drywell Temperature
7.1     High LCO
7.2     Near Cold Reference Leg
7.3     Space Being Evacuated
7.4     Maximum ADS Design
7.5     Trend

8.0     Containment Temperature
8.1     High LCO
8.2     Near Cold Reference Leg
8.3     Design Temperature
8.4     Space Being Evacuated
8.5     Trend

9.0     Containment Pressure
9.1     Minimum Spray Initiation Pressure
9.2     Pressure Suppression Pressure
9.3     Primary Containment Design Pressure
9.4     Primary Containment Pressure Limit
9.5     Trend

10.0    Suppression Pool Temperature
10.1    High LCO
10.2    Scram Temperature
10.3    Boron Injection Initiation Temperature
10.4    RPV Depressurization Temperature
10.5    Heat Capacity Limit
10.6    Trend

11.0    Suppression Pool (Containment) Water Level
11.1    SRV Discharge Device Elevation
11.2    Minimum/Maximum LCO
11.3    Suppression Pool Makeup System Minimum/Maximum LCO
11.4    Highest Containment Vent Point
11.5    Trend

12.0    Secondary Containment Differential Pressure
12.1    Entry Condition

13.0    Secondary Containment (SC) Area Temperature
13.1    Maximum Normal
13.2    Maximum Safe
13.3    Space Evacuated
13.4    Trend

14.0    Secondary Containment Cooler Differential Temperature
14.1    Entry Secondary Containment Control Guideline

15.0    SC HVAC Exhaust Radiation Levels
15.1    Entry Secondary Containment Control Guideline

16.0    SC Area Radiation Levels
16.1    Maximum Normal
16.2    Maximum Safe
16.3    Trend

17.0    SC Floor Drain Sump Water Levels
17.1    Maximum Normal
17.2    Maximum Safe
17.3    Trend

18.0    SC Area Water Levels
18.1    Maximum Normal
18.2    Maximum Safe
18.3    Trend

19.0    Offsite Radioactivity Release Rate
19.1    Alert
19.2    General Emergency
19.3    Trend

APPENDIX B

PARAMETER SET BASES

This Appendix contains a detailed description of each parameter listed in Appendix A, as well as a technical basis and associated PSTG steps.

The PSTG steps referenced here are in the version of the GGNS PSTG dated June 1985.

There may be minor modifications to the PSTG before a final copy is issued, and close communications between the EP development group and the SPDS developer will ensure that changes will be incorporated in a timely manner.

Note that throughout this Appendix, the "Parameter Action Level No." is referenced to the key action levels in Appendix A.

1.0 RPV Water Level

Parameter Basis

RPV water level is one of the three major parameters used in the RPV Control Guideline to ensure that the core is adequately cooled. RPV level below Level 2 is an entry condition to RPV control.

In a BWR, if it can be determined that RPV water level is above the top of the active fuel, then adequate core cooling can be assured under all conditions.

Since this parameter is singularly definitive of adequate core cooling its significance cannot be over emphasized and a large number of operator actions are directed to:

a. Determine RPV water level
b. Restore RPV water level
c. Flood the RPV if RPV water level cannot be determined

Upon decreasing water level, the operator is directed to take a number of steps to "restore and maintain" in one of several bands, with the severity of these actions increasing as water level decreases from the normal band through top of active fuel (TAF).

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

1.1 High Trip Setpoint - This is the high end of the band that the operator is directed to "restore and maintain" in RC/L and corresponds to the RPV water level at which steam driven equipment (RCIC, Reactor Feed Pumps and Main Turbine Generator) trip or isolate to prevent potential water damage to this equipment. (PSTG Step Nos. 5-5, C7-3, C7-2, PR-1).

1.2 Low Scram Setpoint - This is the low end of the band that the operator is directed to "restore and maintain" in RC/L. Maintaining RPV water level above this point is preferred because, barring the presence of other scram signals, it permits the reactor scram and reactor recirculation interlocks to be reset. (PSTG Step Nos. RC/L-2, C7-3, PR-1, Entry Reactor Scram).

1.3 HPCS/RCIC Setpoint - This is the entry condition to RPV control. The operator confirms initiation or initiates these systems to preclude further degradation of RPV water level. (PSTG Step Nos. RC/L-2, Entry RPV Control).

1.4 ADS/LPCI/LPCS Setpoint - The operator confirms initiation of or initiates LPCI/LPCS but may be required to inhibit ADS if boron injection is required or if the RPV level can be maintained above top of active fuel (TAF). (PSTG Step Nos. RC/L-2).

1.5 Flow Stagnation Level - At this point, the level reduction corresponds to the lowest required to assure minimum core flow during level/power control functions while still maintaining it above TAF. (PSTG Step Nos. RC/L-2, C1-7, C1-8, C4-3, C7-1, C7-3, PR-2).

1.6 Top of Active Fuel - The operator attempts to maintain RPV water level above TAF with all available injection systems since this assures adequate core cooling. (PSTG Step Nos. C3-1).

1.7 Minimum Zero Injection Level - This is the point at which steam cooling is initiated. The RPV water level is allowed to decrease through boiloff to this point. Opening an SRV at this point draws steam up through the fuel assemblies to absorb heat from the fuel and reduce cladding temperatures while efforts are accelerated to establish water injection into the RPV. (PSTG Step Nos. C7-1).

1.8 Trend - Trending is required to "monitor and control" or to take actions "before" specific (degraded) limits are exceeded. (PSTG Step Nos. S-5, RC/L, RCL-1, RCL-2, RCP, C1-3, C1-4, C1-5, C1-6, C1-7, C1-8, C6-2.1, C6-3, C6-4, C6-5, C6-5.2, C6-5.3, C7-1).

2.0 RPV Pressure

Parameter Basis

RPV pressure is the second major parameter used in the RPV control guideline to assure that the core is adequately cooled. RPV pressure above the scram setpoint is an entry condition to RPV control.

The direct concern is for the structural integrity of the reactor pressure vessel (i.e., failure of SRV's); however, RPV pressure is also used indirectly to determine reactor power, RPV water level and containment loading/integrity.

Since the sources of RPV water makeup all have certain pressure ranges in which they are effective, knowledge of RPV pressure is necessary for the operator to determine if any of his available makeup systems are capable of injecting into the RPV and/or to key him to take actions to reduce RPV pressure to the point that available systems can inject into the RPV.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

2.1 Lowest SRV Lift Setpoint - The operator is directed to maintain RPV pressure below this point so that the energy being released is directed to the main condenser (if available). (PSTG Step Nos. RC/P-2).

2.2 High Scram Setpoint - This is an entry condition to RPV control and corresponds to the highest pressure that should exist if all systems are functioning normally. (PSTG Step Nos. S-6, Entry RPV Control).

2.3 Bypass Valves Fully Open - Reducing RPV pressure below the minimum pressure at which the turbine bypass valves are fully open may cause these valves to partially close and actually increase steam flow through the SRV's to the suppression pool. (PSTG Step Nos. RC/P-1).

2.4 Single SRV Steam Cooling - This is the lowest RPV pressure at which steam flow through a single SRV is sufficient to remove decay heat from the core with all fuel temperatures at or below 2200°F. Emergency RPV Depressurization is entered when RPV pressure drops below this value to open additional SRV's and increase the rate of steam flow through the core. (PSTG Step Nos. C-3).

2.5 LPCS Design Flow Pressure - This point is used to determine that the LPCS system is injecting into the RPV at rated flow. In the case of LPCS, it is used to determine adequate core cooling is achieved in "core cooling without level restoration". (PSTG Step Nos. C4-2).

2.6 RCIC Isolation - RPV pressure is controlled above this point any time RCIC is required to assure adequate core cooling. (PSTG Step Nos. C1-3).

2.7 Minimum RPV Flooding Pressure - So long as RPV pressure remains above the minimum alternate RPV flooding pressure, the core is adequately cooled by a combination of submergence and steam cooling irrespective of whether any water is being injected into the RPV. (PSTG Step Nos. C6-2.1, C6-2.2, C6-2.3, C6-3.1, C6-3.2, C6-5.2, C7-2.1, C7-2.2).

2.8 Shutdown Cooling Interlocks - RHR shutdown cooling is the normal method of accomplishing a controlled cooldown of the RPV once the shutdown cooling interlocks have cleared. (PSTG Step Nos. PR-8).

2.9 Trend - Trending is required to "monitor and control" or to take actions "before" specific (degraded) limits are exceeded. (PSTG Step Nos. RC/P, RC/P-1, RC/P-2, SP/T-3, SP/T-4, CN/T-3, CN/T-4, PC/P-4, SP/L-2, SP/L-3.1, PC/H, PC/H-5, SC/T-5, SC/R-3, SC/L-3, RR-2, C1-3, C1-4, C1-5, C1-6, C1-7, C1-8, C2-1.3, C4-2, C7-2.2, PR-6).

3.0 Reactor Power

Parameter Basis

Reactor power is the third major parameter used in the RPV control guideline.

Reactor power level above the low APRM trip setpoint (following a condition requiring reactor scram) is an entry condition to RPV control. Power levels above this indicate potential ATWS scenarios which not only challenge the core (through rapidly decreasing RPV water level) but also the containment.

Containment heat removal capacity is based on attaining a reactor shutdown within a short period of time after NSSSS initiation.

If power level remains high, the energy absorption capabilities of the suppression pool will be exceeded and design containment temperatures and pressures may be exceeded.

Operator actions to protect the core and containment increase in severity with power levels above the shutdown range. Since the APRM's are normally in service and will rapidly go downscale if reactor shutdown (control rod insertion) is effected, the APRM downscale trip point provides a rapidly determinable "go - no go" point.

Long term power level determinations can utilize other neutron monitors, and/or thermodynamics properties (such as RPV pressure, suppression pool temperatures and containment parameters) to define additional operator action levels.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

3.1 APRM Downscale Trip - Power levels above this point with suppression pool temperatures and an SRV open or drywell pressure high, in combination are symptomatic of plant conditions wherein heat is being rejected to the suppression pool at a rate in excess of that which can be accommodated by the suppression pool cooling systems. The operator must reduce power and is directed to do so by reducing RPV water level. Reactor power above the APRM downscale trip setpoint is a readily identifiable power level above the normal decay heat rate. Further, at power levels below the APRM downscale trip setpoint, reducing RPV water level and core flow would effect little (if any) change in heat rate to the suppression pool since decay heat predominates below this point. (PSTG Step Nos. C7-1, Entry to RPV control).

3.2 Trend - Trending is required to "monitor and control" or to take actions "before" specific (degraded) limits are exceeded. (PSTG Step Nos. S-3, RC-1, RC/Q, RC/Q-3, C7-1, C7-2.2).

4.0 RPV Water Temperature

Parameter Basis

The need to monitor RPV water temperature is necessitated by MP&L's use of plant recovery procedures.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

4.1 RPV Cooldown Rate - RPV water temperature is used to assure that RPV cooldown rates are not exceeded. Exceeding cooldown rates could result in brittle failure of the reactor vessel. (PSTG Step Nos. PR-7).

4.2 Trend - Trending is required to " monitor and control" or to take actions before the combination of RPV pressure and RPV temperature fall to the left of the pressurization curve resulting in a higher Nil Ductility Transition Temperature (NDTT). (PSTG Step Nos. PR-6).

5.0 Scram Status Parameter Bases

SCRAM status is required to assure the reactor is shutdown without the need for Boron Injection (e.g., ATWS scenarios). A condition which required reactor scram coincident with the reactor at power is indicative of a failure to scram and thus relates directly to reactor power control and is thus an entry condition to RPV control.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

5.1 Condition Requiring Scram - (any automatic or manual logic signal) failure of the plant to scram as a direct result of a scram causing condition may necessitate the need for boron injection (ATWS scenario). (PSTG Step Nos. Entry to Reactor Scram, S-1, Entry to RPV Control RC-1, RC/Q-5.2, RC/Q-5.3, RC/Q-5.5, SP/T-3, PR-4).

6.0 Drywell Pressure Parameter Bases

High Drywell pressure is an entry condition to containment control. Increasing drywell pressure is a symptom of a primary system leak in the drywell and is used on a number of automatic functions including reactor scram, isolation and ECCS initiation for this reason.

The entry condition is high enough to avoid "spurious" entry into Emergency Procedures but low enough to permit the operator to use his "normal" systems to reduce the pressure below the entry condition if there is no significant LOCA.

Since the drywell is vented to the containment (via the Suppression Pool and/or bypass leakage) entry into this procedure requires the operator to "monitor and control" containment pressure and to do so in conjunction with drywell pressure.

Drywell pressure increases are also associated (thermodynamically) with drywell temperature, suppression pool temperature/level and containment temperature so the operator is directed to concurrently monitor and control those parameters whenever he exceeds the high drywell pressure entry level.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

6.1 High Scram Setpoint - This is the entry condition and is the point where automatic reactor scram occurs. There is an earlier alarm (at lower pressure) to warn the operator of increasing drywell pressures possibly attributable to normal operating conditions. If the operator's efforts to reduce drywell pressure are not effective before reaching the scram setpoint, then there is a reasonable probability that there is a LOCA inside the drywell. (PSTG Step Nos. C7-1 Entry RPV Control, Entry Containment Control).

6.2 Trend - Trending is required in order for the operator to "monitor and control" or to take actions "before" specific (degraded) limits are exceeded. (PSTG Step Nos. PC/P, PC/P-1, PC/P-6, PC/H-3.2).

7.0 Drywell Temperature Parameter Bases

Drywell temperatures above the LCO point are indicative of either a loss of drywell cooling or LOCA. In addition to being concerned with a LOCA (i.e., RPV control) the operator will be concerned with equipment inside the drywell that may be temperature sensitive.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

7.1 High LCO - This is one of the entry conditions for "containment control" and corresponds to the point that normal operator action with normal systems is not functioning to control drywell temperature. It is the maximum assumed for the "start" of FSAR design basis events. (PSTG Step Nos. DW/T-1, Entry Containment Control).

7.2 Near Cold Reference Leg - With the RPV depressurized, a drywell temperature above 212°F could result in flashing RPV water level reference legs. This condition would render the level instruments useless and could make it impossible for the operator to determine RPV water level. (PSTG Step Nos. DW/T-2, C6-5.1).

7.3 Space Being Evacuated - If drywell purge is being used to control drywell temperature this must be terminated at 212°F since continued purging could result in loss of all noncondensables (replaced with steam). Subsequent RPV flooding could cause a rapid pressure transient in the drywell exceeding its design limits. (PSTG Step Nos. PC/P-1).

7.4 Maximum ADS Design - At this point it is expected that the ADS solenoids will start to fail. Loss of these components could result in the inability to keep the reactor depressurized and preclude RPV water makeup from low pressure systems. Repressurization of the RPV could also result in increased drywell temperatures, thus compounding the problem. (PSTG Step Nos. DW/T-2).

7.5 Trend - Trending is required to "monitor and control" or to take actions "before" specific (degraded) limits are exceeded. (PSTG Step Nos. DW/T, DW/T-2).

8.0 Containment Temperature Parameter Bases

Containment temperatures above the LCO point are indicative of a loss of containment cooling, excessive bypass leakage during LOCA events, excessive suppression pool temperatures or incomplete steam condensation (during SRV actuation or LOCA).

In addition to being concerned with a LOCA (i.e., RPV control) the operator will be concerned with equipment inside the containment that may be temperature sensitive.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

8.1 High LCO - This is one of the entry conditions for "containment control" and corresponds to the point that normal operator action with normal systems is not functioning to control containment temperature. It is the maximum assumed for the "start" of FSAR design basis events. (PSTG Step Nos. CN/T-1, Entry Containment Control).

8.2 Near Cold Reference Leg - Elevated temperatures near these components can cause erroneous level indications, as well documented in various literature including the EPG Bases, and as specified in EPG Caution 6. (PSTG Step Nos. CN/T-4, C6-5.1).

8.3 Design Temperature - At this point, thermal limits for the containment structure may be exceeded and structural integrity cannot be assured. (PSTG Step Nos. CN/T-2).

8.4 Space Being Evacuated - As is true in the drywell, replacement of non-condensables with water vapor could result in a large negative pressure transient if/when containment sprays are initiated. (PSTG Step Nos. PC/P-1).

8.5 Trend - Trending is required to "monitor and control" and to take actions "before" specific (degraded) limits are exceeded. (PSTG Step Nos. CN/T, CN/T-2).

9.0 Containment Pressure Parameter Bases

The primary containment pressure control (PC/P) section of the Primary Containment Control Guideline specifies actions for controlling and maintaining primary containment pressure. Excessive primary containment pressure may result in overpressurization of the containment leading to containment failure.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

9.1 Minimum Spray Initiation Pressure - If available containment cooling is unable to terminate increasing containment temperature before equipment qualification limits or structural design limits are exceeded, containment sprays are initiated to effect the required temperature reduction. Spray initiation is conditioned, however, to the minimum spray initiation pressure. Initiation of containment sprays with containment pressure below this minimum pressure may, through the combined effects of evaporative and convective cooling, result in a depressurization which exceeds the negative design pressure of the containment, leading to failure of the containment. (PSTG Step Nos. PC/P-2, PC/H-6.1, PC/H-7.1).

9.2 Pressure Suppression Pressure - This is a function of primary containment pressure and suppression pool water level and ensures the use of containment sprays to reduce primary containment pressure prior to reaching that pressure/level which corresponds to a failure of the pressure suppression system (e.g., large drywell to containment bypass leakage) or prior to the point at which, if ADS is initiated from rated RPV pressure, primary containment pressure will remain below the design pressure throughout the blowdown. (PSTG Step Nos. PC/P-4).

9.3 Primary Containment Design Pressure - At this point, all previous efforts to control pressure have been insufficient, and RPV flooding is required. RPV flooding will aid in reducing containment pressure by forcing subcooled water out the break to terminate steam discharge to the containment and to condense steam in the drywell. (PSTG Step Nos. PC/P-5).

9.4 Primary Containment Pressure Limit - Beyond this point, containment integrity can no longer be assured. Diversion of RPV injection flow to containment sprays is appropriate even if this will jeopardize adequate core cooling. If this, still, is ineffective in preventing pressures beyond this point, then venting the containment is the only mechanism which remains to prevent an uncontrolled, unpredictable breach of primary containment. (PSTG Step Nos. PC/P-6, PC/P-7).

9.5 Trend - Trending is required to "monitor and control" and to take actions "before" specific (degraded) limits are exceeded. (PSTG Step Nos. PC/P, PC/P-1, PC/P-2, PC/P-4, PC/P-5, PC/P-6, PC/P-7, C6-3.1, C6-3.2, C6-6).

10.0 Suppression Pool Temperature Parameter Bases

The suppression pool temperature control (SP/T) section of the Primary Containment Control Guideline specifies actions for controlling and maintaining suppression pool temperature. Excessive suppression pool temperature may result in exceeding NPSH limits for pumps taking suction from the suppression pool, exceeding design temperature limits for the suppression chamber, or unstable steam condensation from SRV discharges leading to containment failure.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

10.1 High LCO - If the suppression pool temperature LCO is exceeded, this corresponds to the entry condition, and suppression pool cooling is initiated. (PSTG Step Nos. SP/T-2, Entry Containment Control).

10.2 Scram Temperature - If the pool temperature continues to increase and reaches the Boron Injection Initiation Temperature the reactor is scrammed. (PSTG Step Nos. SP/T-2).

10.3 Boron Injection Initiation Temperature - If the suppression pool temperature cannot be maintained below the heat capacity temperature limit, action is taken in the Reactor Pressure Control (RC/P) section of the RPV control guideline to reduce and maintain RPV pressure below the limit. Boron injection is required. (PSTG Step Nos. RC/Q-4, SP/T-3, C7-1).

10.4 RPV Depressurization Temperature - If in 10.3 above, temperature cannot be maintained below the heat capacity temperature limit, at some higher specified temperature (10.4) emergency depressurization of the RPV is required. (PSTG Step Nos. SP/T-3).

10.5 Heat Capacity Limit - Continued heatup of the suppression pool may ultimately result in exceeding primary containment design temperature limits or in reducing suppression pool heat capacity below that required to assure stable steam condensation. (PSTG Step Nos. SP/T-4, CN/T-2).

10.6 Trend - Trending is required to "monitor and control," and to take action "before" specific (degraded) limits are exceeded. (PSTG Step Nos. RC/P-1, SP/T, SP/T-3, SP/T-4, CN/T-2).

11.0 Suppression Pool (Containment) Water Level Parameter Basis

The suppression pool water level control (SP/L) section of the Primary Containment Control Guideline specifies actions for controlling and maintaining suppression pool water level. Insufficient suppression pool water level may result in insufficient NPSH for pumps taking suction on the pool or unstable steam condensation from SRV discharges leading to containment failure.

Excessive suppression pool water level may result in hydro-dynamic loads from SRV discharges in excess of the loads to which the primary containment and equipment within the primary containment were designed, also leading to containment failure.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

11.1 SRV Discharge Device Elevation - At this point, uncovery of the x quenchers is likely and steam condensation from SRV discharge cannot be assured. (PSTG Step Nos. RC/P-2, C2-1.2).

11.2 Minimum/Maximum LCO - This corresponds to the entry condition and is the point where normal methods to control suppression pool level have been employed and have failed. (PSTG Step Nos. SP/L-1, SP/L-2, SP/L-3, Entry Containment Control).

11.3 Suppression Pool Makeup System Min/Max LCO - This is the level the suppression pool would be if auto Suppression Pool Makeup System occurred. (PSTG Step Nos. SP/L-1).

11.4 Highest Containment Vent Point - Above this point, containment venting could not be effected, if required, and therefore all efforts should be employed (including termination of RPV injection from sources outside containment) to stop any further increase in suppression pool level. (PSTG Step Nos. SP/L-3.2, SP/L-3.3).

11.5 Trend - Trending is required to "monitor and control" and to take actions "before" specific (degraded) limits are exceeded. (PSTG Step Nos. RC/P-1, SP/L, SP/L-2, SP/L-3.1, SP/L-3.2, SP/L-3.3).

12.0 Secondary Containment Differential Pressure Parameter Bases

A high secondary containment differential pressure presents a direct challenge to the structural integrity of the secondary containment.

The key action levels identified in the PSTGs as needing special emphasis are as follows:

Action Level No.

12.1 Entry Condition - The absence of a negative pressure in the secondary containment will result in passage of radioisotopes directly to the environs via exfiltration through the exterior walls, thus bypassing the SGTS. This effectively eliminates the secondary containment function and could result in significantly higher release rates to the environs. (PSTG Step Nos. Entry Secondary Containment Control Guideline).

13.0 Secondary Containment Area Temperatures Parameter Bases

A high area temperature provides direct indication that steam may be discharging into the secondary containment. In addition, as secondary containment temperatures continue to increase, the continued operability of safety related equipment may be compromised and the design limits of the secondary structure may be reached.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

13.1 Maximum Normal - This is an entry condition to the secondary containment control guideline and is indicative that operation of normal systems is not working to maintain area temperatures. (PSTG Step Nos. Entry Secondary Containment Control Guideline, SC/T-3).

13.2 Maximum Safe - This corresponds to the highest temperature that continued operation of safety related systems and continued integrity of the secondary containment can be assured. (PSTG Step Nos. SC/T-4, SC/T-5).

13.3 Space Evacuated - SGTS is the normal means employed under post-transient conditions for maintaining a negative secondary pressure. The 212°F restriction for use of SGTS is due to the possibility of a deluge sprinkler system causing an immediate pressure drop in a saturated steam environment which is evacuated of non-condensables. This pressure drop may exceed the negative design pressure of the space being evacuated. (PSTG Step Nos. SC; Operator Actions)

13.4 Trend - Trending is required so that the operator can take action before reaching the safe operating limit.

14.0 Secondary Containment Cooler Differential Temperatures Parameter Basis

Cooler differential temperature is used in the leak detection system to determine/locate high energy leaks in specific secondary containment areas. Concerns here are similar to high area temperatures.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

14.1 Entry Secondary Containment Control Guideline - Temperatures above the maximum normal operating level are an entry condition for the secondary containment control guideline. Above this point it is reasonable to expect a high energy (i.e., steam) leak into a room serviced by the respective cooler. (PSTG Step Nos. Entry Secondary Containment Control Guideline).

15.0 SC HVAC Exhaust Radiation Levels Parameter Bases

Action in the secondary containment radiation control section of the PSTG's monitors and controls secondary containment radiation levels, limits radioactivity release into the secondary containment and in the event of a breach in the secondary containment, limits radioactivity release outside the secondary containment.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

15.1 Entry Secondary Containment Control Guideline, Isolation Setpoint - This is an entry condition to secondary containment control since it indicates a significantly higher release rate than the normal operating level. (PSTG Step Nos. Entry Secondary Containment Control Guideline).

16.0 SC Area Radiation Levels Parameter Bases

Action is taken to isolate systems that are discharging into the secondary containment to terminate possible sources of radioactivity release to the secondary containment. Minimizing radioactivity release to the secondary containment also accomplishes the objective of minimizing the radioactivity release outside the secondary containment under conditions where secondary containment integrity cannot be maintained.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

16.1 Maximum Normal - The most probable sources of radioactivity in the secondary containment are systems that are discharging, and these are isolated if the maximum normal levels are exceeded. This is also an entry condition to the secondary containment control guideline. (PSTG Step Nos. Entry Secondary Containment Control Guideline, SC/R-1).

16.2 Maximum Safe - At this point a reactor scram is initiated to shutdown the reactor, and thereby reduce to decay heat levels, the energy the RPV may be discharging to the secondary containment. Since primary systems are the sources of radioactivity release, this action should be adequate to reverse the increasing radiation level. (PSTG Step Nos. SC/R-2, SC/R-3).

16.3 Trend - Action to scram is taken prior to reaching the maximum safe operating radiation level so that it may prevent having to later take more drastic action. Trending is required to be able to initiate action in time. (PSTG Step Nos. SC/R, SC/R-2).

17.0 Secondary Containment Floor Drain Sump Water Levels Parameter Bases

Action in the secondary containment water level control of the secondary containment control guideline monitors and controls water inventory in areas of the secondary containment to protect vital equipment from flooding and/or to limit the total inventory of radioactive fluid in the secondary containment (thus limiting the potential radioactive release from the secondary containment).

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

17.1 Maximum Normal - This is an entry condition to secondary containment control. (PSTG Step Nos. Entry Secondary Containment Control Guideline, SC/L-1).

17.2 Maximum Safe - If this point is exceeded, flooding of safety related equipment may occur; continued safe operation of the plant and continued integrity of the secondary containment is no longer assured. (PSTG Step Nos. SC/L-2, SC/L-3).

17.3 Trend - Action to scram is taken prior to reaching the maximum safe sump/area water levels so that it may prevent having to later take more drastic action. Trending is required to be able to initiate action in time. (PSTG Step Nos. SC/L, SC/L-1, SC/L-2).

18.0 Secondary Containment Area Water Levels Parameter Basis

Action in the secondary containment water level control of the secondary containment control guideline monitors and controls water inventory in areas of the secondary containment to protect vital equipment from flooding and/or to limit the total inventory of radioactive fluid in the secondary containment (thus limiting the potential radioactive release from the secondary containment).

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

18.1 Maximum Normal - This is an entry condition to secondary containment control. (PSTG Step Nos. Entry Secondary Containment Control Guideline, SC/L-1).

18.2 Maximum Safe - If this point is exceeded, flooding of safety related equipment may occur; continued safe operation of the plant and continued integrity of the secondary containment is no longer assured. (PSTG Step Nos. SC/L-2, SC/L-3).

18.3 Trend - Action to scram is taken prior to reaching the maximum safe sump/area water levels so that it may prevent having to later take more drastic action. Trending is required to be able to initiate action in time. (PSTG Step Nos. SC/L, SC/L-1, SC/L-2).

19.0 Offsite Radioactivity Release Rate Parameter Bases

The Radioactivity Release Control Guideline establishes the basis for isolating systems and controlling RPV pressure to minimize the off-site release of radioactivity in an emergency.

Discharges from primary systems to areas outside of the primary and secondary containment are isolated (if possible) to terminate or minimize any release.

The key action levels identified in the PSTG's as needing special emphasis are as follows:

Action Level No.

19.1 Alert - This is the entry condition for the guideline and provides the vehicle for coordinated execution of emergency procedures and the emergency plan. (PSTG Step Nos. Entry Radioactivity Release Guideline).

19.2 General Emergency - At this point, conditions in the RPV, primary containment and/or secondary containment have degraded significantly and actions to isolate the discharge are proving to be ineffective. (PSTG Step Nos. RR-2).

19.3 Trend - Action is required "if offsite radioactivity approaches or exceeds...". Trending is necessary to be able to initiate action in time. (PSTG Step Nos. RR-2).

GRAND GULF NUCLEAR STATION
SAFETY PARAMETER DISPLAY SYSTEM
IMPLEMENTATION PLAN
MISSISSIPPI POWER & LIGHT COMPANY
JULY 1985

GGNS SPDS IMPLEMENTATION PLAN

1.0 INTRODUCTION

The GGNS SPDS will consist of a specified set of computer displays which will provide the critical safety function parameters necessary to aid the Control Room operations staff in following the GGNS EPs.

In a manner consistent with NUREG-0737 Supplement 1, the development of the SPDS displays will be integrated closely with the GGNS Emergency Procedures (EP) Upgrade Process with any required input from the DCRDR and RG 1.97 selection processes. As described herein and in the SPDS Safety Analysis, the SPDS parameter set is based on the GGNS PSTGs. The process for further SPDS display development is closely tied to the emergency procedure development in that both are converted into a usable Control Room product by applying human factors principles.

The following sections provide the SPDS configuration and implementation process for GGNS.

2.0 SPDS/ERFIS CONFIGURATION AND HARDWARE

The SPDS displays will be presented in the Control Room through the GGNS Emergency Response Facility Information System (ERFIS) which is designed to provide a complete emergency response computer system for GGNS. A diagram of the SPDS/ERFIS computer system is shown on Figure 1.

The ERFIS computer system consists of two identical SEL 32/27 computers and peripherals forming a redundant system to enhance SPDS availability. One computer is used as a warm standby while the other serves as the online system. Switching the two from warm standby to online and vice versa is accomplished by switching the RS-232 lines via the T-Bar switch. The ERFIS computer system will have the ability to store data for 2 hours prior to an emergency and for more than two weeks after an emergency. The Control Room will contain a single CRT and keyboard to access primarily SPDS display information. The Technical Support Center (TSC) and Emergency Operations Facility (EOF) will each have 2 CRTs, a printer/plotter, and a keyboard to access both SPDS information and dose assessment through the GGNS Class A dose model.

The Data Acquisition System will receive its inputs by two methods: (1) some inputs are received from submultiplexers that also supply the General Electric Transient Analysis Recording System (GETARS) and (2) some are manually input. Circuit isolation as discussed in Section 3.10 of the SPDS Safety Analysis has been provided to assure that no degradation of 1E circuits will occur.

3.0 SPDS IMPLEMENTATION PROCESS AND SCHEDULE

The SPDS Implementation Process will primarily consist of the following activities:

o SPDS Display Design
o Signal Processing and Validation Development
o SPDS Software Development
o SPDS Verification and Validation
o SPDS Procedure Development
o SPDS Simulator Hardware/Software Development
o Operator Training
o SPDS Implementation

The projected schedule for the above activities is shown on Figure 2, SPDS Implementation. Actual schedule may vary somewhat from that shown, but the license commitment will be met as required. The implementation of each of these activities is discussed below. Implementation tasks which are either ongoing or completed are not shown.

SPDS Display Design Basis Determination - MP&L has been an active participant in the BWROG subcommittee on the Graphic Display Development Program which has recently developed a set of human factored SPDS displays to support the BWR Emergency Procedure Guideline (EPG) functions. SPDS parameter sets and computer based displays were developed for tailoring to plant specific application. An EPG functional (cognitive task) analysis was prepared which reduced the BWR EPGs into their basic informational, decisional, and action steps in order to determine the EPG information and control requirements. This was converted to be GGNS plant specific by using the GGNS Plant Specific Technical Guidelines (PSTGs) with appropriate GGNS information and control requirements determined. This document will also support the information and control requirements necessary for the ongoing DCRDR. An example of this functional analysis is contained in the GGNS SPDS Safety Analysis.

Parameter Set Selection - The GGNS parameter set was based on the control function requirements and the entry conditions of the GGNS PSTGs as reflected by the functional analysis. This is further discussed in Section 2.2 of the GGNS SPDS Safety Analysis.

Hardware Development - The GGNS SPDS/ERFIS computer hardware as described in Section 2 of this plan was designed and completed early in the SPDS project to support the initial NUREG-0696 requirements. Minor hardware improvements are being implemented to enhance system response and interaction.

SPDS Display Design - Static SPDS displays using the GGNS plant specific parameter set and display characteristics will be designed and built on the SPDS CRTs to assure display/CRT configuration acceptability. The computer display conventions established by the DCRDR, which are consistent with other displays in the Control Room, will be included at this time to assure human factors principles are incorporated. The development of these displays will be designed to aid the GGNS operations staff in following the GGNS emergency procedures during and after an accident.

Signal Processing and Validation Development - The specific instrumentation for acquiring SPDS parameter signals including the number of signals to be used will be determined. This will be primarily selected from safety related and normal post-accident monitoring instrumentation (i.e., RG 1.97). The means of processing and averaging the input data to the SPDS will also be determined.

Signal validation, which is the process for assuring that the input signals being received at the SPDS are valid and that the operator is alerted if the signal is suspect, involves the use of algorithms for comparing multiple signals to a processed signal in order to identify a failed instrument channel. Section 5.0 of the GGNS SPDS Safety Analysis provides more detailed information.
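The following Python sketch illustrates the signal validation idea described above: redundant channels are compared to a processed signal, failed channels are identified, and the result is flagged when the signal is suspect. It is an added example, not the GGNS algorithm; the use of the median as the processed signal, the range limits, the tolerance, the minimum channel count and the channel names are all assumptions.

```python
"""Redundant-channel signal validation sketch (added example, not GGNS code)."""
import math
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass
class ValidatedSignal:
    value: Optional[float]  # average of the channels that passed, or None
    status: str             # "VALID", "SUSPECT" (operator alerted) or "INVALID"
    failed: List[str]       # channels rejected by the range or deviation check


def validate_parameter(readings: Dict[str, Optional[float]],
                       low: float, high: float,
                       tolerance: float, min_good: int = 2) -> ValidatedSignal:
    """Validate one parameter from its redundant instrument channels.

    low/high  : assumed instrument range; readings outside it are off-scale.
    tolerance : assumed maximum deviation from the processed signal.
    min_good  : assumed minimum number of agreeing channels for a usable value.
    """
    failed: List[str] = []
    in_range: Dict[str, float] = {}

    # Step 1: reject missing, NaN or off-scale channels before any comparison,
    # so that a dead transmitter cannot drag the processed signal.
    for name, value in readings.items():
        if value is None or math.isnan(value) or not (low <= value <= high):
            failed.append(name)
        else:
            in_range[name] = value

    # Step 2: build the processed signal (median, an assumption) and compare
    # every remaining channel to it. The median tolerates a minority of
    # outliers, which a plain average of all channels would not.
    good: Dict[str, float] = {}
    if in_range:
        reference = median(in_range.values())
        for name, value in in_range.items():
            if abs(value - reference) <= tolerance:
                good[name] = value
            else:
                failed.append(name)

    failed.sort()

    # Step 3: too few agreeing channels means no trustworthy value at all.
    if len(good) < min_good:
        return ValidatedSignal(None, "INVALID", failed)

    # Step 4: average the agreeing channels; any rejected channel makes the
    # displayed value SUSPECT so the operator is alerted.
    average = sum(good.values()) / len(good)
    return ValidatedSignal(average, "SUSPECT" if failed else "VALID", failed)


# Constructed sample scans of a four-channel pressure parameter (made-up units
# and values, for illustration only).
SAMPLE_SCANS = {
    "all channels agree": {"A": 1.20, "B": 1.22, "C": 1.21, "D": 1.19},
    "channel D drifted high": {"A": 1.21, "B": 1.19, "C": 1.23, "D": 4.80},
    "only one usable channel": {"A": None, "B": 9.90, "C": 1.20},
}


def run_samples() -> Dict[str, ValidatedSignal]:
    """Validate each constructed scan with assumed limits and tolerance."""
    return {
        label: validate_parameter(scan, low=0.0, high=5.0, tolerance=0.1)
        for label, scan in SAMPLE_SCANS.items()
    }


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label}: {result}")
```

With only two in-range channels the median equals their mean, so the deviation check alone cannot tell which of the two has failed; a disagreeing pair is either accepted together or rejected together.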

Human Factors Design and Review of SPDS - Prior to design of the SPDS displays acceptable human factors conventions will be applied to the displays. After display completion human factors review of the SPDS will be performed against Section 18.2 of the Standard Review Plan (NUREG-0800). A report of the human factors review results will be documented and any modifications to the displays will be made prior to finalizing displays for future man/machine dynamic validation. Section 7.0 of the GGNS SPDS Safety Analysis provides more detailed information.

Develop Dynamic Display Software - Software for driving the static displays will be developed. The software package will utilize the signal validation, and the parameter selection and processing results. Verification and validation techniques will be applied to the software throughout the process to assure proper software development.

SPDS Verification/Validation (V&V) - The verification process will be conducted to assure that the SPDS system is designed, tested and installed as described by the SPDS functional requirements. The validation process assures that once the system has been installed and is operational that it is functionally adequate. The evaluation will demonstrate that the system actually accomplishes the role it is designed to perform. This involves the development of a V&V test plan and a validation test procedure, conducting the actual software and hardware V&V and developing a final V&V test report. Section 6.0 of the GGNS Safety Analysis provides more detailed information.

SPDS Static and Dynamic Validation of Displays - During the DCRDR Validation of Control Room functions, the SPDS static displays will be evaluated for their control room relationship to other instruments and to note their use with the operators in use of the EPs (man/machine validation). Due to the schedule of other Emergency Response Capability activities, the dynamic displays will not be available for the DCRDR validation and, therefore, a set of static displays will be used. Validation of the dynamic displays will be performed later to assure the man/machine interface as discussed in Section 8.0 of the GGNS SPDS Safety Analysis.

SPDS Procedures Development - SPDS procedures will be developed to describe the timely and correct safety status assessment of the plant. These procedures will be developed from the SPDS users manual and will be a basis for operator use in the Control Room and training on the SPDS.

SPDS Simulator Hardware/Software Development - The hardware and software for the SPDS will be incorporated into the GGNS Simulator. This will be accomplished ahead of SPDS implementation in order to conduct the SPDS man/machine validation and operator training.


Operator Training - Prior to implementing the SPDS the Control Room operators must be fully trained in the use of the SPDS for both normal and emergency conditions. Training will include use of the SPDS as an aid for following the emergency procedures and as a means for providing plant status. EP training will include situations both with and without SPDS available.

SPDS Implementation - Upon completion of these activities the SPDS will be ready for implementation in the GGNS Control Room. In accordance with GGNS Operating License Condition 2.C.(36) and the attached schedule, the SPDS is planned for implementation prior to completion of the first refueling outage.


FIGURE 2 - GGNS SPDS IMPLEMENTATION SCHEDULE

[Schedule bar chart. Time axis in monthly columns: JUL through DEC, then JAN through DEC 1986. Activities charted:]

DETERMINE SPDS DISPLAY DESIGN BASIS
SELECT PARAMETER SET
DEVELOP HARDWARE
DESIGN DISPLAYS
DEVELOP SIGNAL PROCESSING / VALIDATION ALGORITHMS
HUMAN FACTORS DESIGN & REVIEW
DEVELOP DYNAMIC DISPLAY SOFTWARE
VERIFICATION / VALIDATION
STATIC & DYNAMIC VALIDATION OF DISPLAYS
DEVELOP SPDS PROCEDURES
DEVELOP SIMULATOR HARD/SOFTWARE
TRAIN OPERATORS
IMPLEMENT SPDS
EP DEVELOPMENT / IMPLEMENTATION
END FIRST REFUELING OUTAGE