ML20137T279

Rev 2 to SAR for SPDS for Comanche Peak Steam Electric Station Units 1 & 2
Person / Time
Site: Comanche Peak
Issue date: 01/21/1986
From:
TEXAS UTILITIES ELECTRIC CO. (TU ELECTRIC)
To:
Shared Package
ML20137T263 List:
References
RTR-NUREG-0737, RTR-NUREG-737 NUDOCS 8602180302


Text

ATTACHMENT 2

SAFETY ANALYSIS REPORT FOR THE SAFETY PARAMETER DISPLAY SYSTEM FOR COMANCHE PEAK STEAM ELECTRIC STATION UNITS 1 AND 2

REVISION 2

January 21, 1986

Prepared by: Texas Utilities Generating Company

8602180302 860207 PDR ADOCK 05000445 E

FOREWORD

This revision to the Safety Analysis Report (SAR) for the Safety Parameter Display System was prepared to describe several changes to the system described in the original SAR, and to further explain Texas Utilities' response to several open items identified by the NRC staff in NRR-6251.

This revision is a complete rewrite of the original SAR. It was produced from the original by deleting some sections, adding some new sections, and revising some others, but no effort was made to identify line-by-line differences between the two reports. The major differences between the two are summarized below.

Section 1 (INTRODUCTION) was condensed slightly to remove text that was extraneous or redundant to text presented elsewhere in the report. This section was also revised to discuss the system in terms of the Critical Safety Functions described in the CPSES Emergency Response Guidelines (ERGs) rather than those specified in NUREG-0737, supplement 1.

Section 2.1 (SYSTEM DESCRIPTION) was rewritten to clarify the relationship between the Safety Parameter Display System and the Emergency Response Facilities Computer System, to simplify the description of the system configuration, and to clarify Texas Utilities' position regarding system availability.

Section 2.2 (SPDS DISPLAYS) was rewritten to describe the changes to the family of displays available on the system. Those changes include (1) implementing new data validity and alarm status conventions, (2) replacing the Accident Identification Display System displays with the ERG Summary displays, (3) adding stack radiation to the parameters that are monitored through the system, (4) adding messages to report the status of the plant's response to several system isolation signals, and (5) making several minor modifications to display formats.

Section 2.3 (HUMAN FACTORS DESIGN CONSIDERATIONS) was revised to encompass the new display features.

Section 2.4, 3.1, 1.2, and 3.3 were left essentially unchanged, except for minor changes to enhance readability.

Section 3.4 (SPDS DATA VALIDATION) was revised to clarify the description of the data validation methodology, to describe the method used to validate single-input parameters, and to describe the new method used to validate multiple-input parameters.

Sections 4, 5, and 6 were left essentially unchanged, except for minor changes to enhance readability.

Appendices 1 and 2 were revised to describe the current parameter set, and Appendix 3 was added to complete the definition of the system.

TABLE OF CONTENTS

1.0 INTRODUCTION
1.1 Purpose and Scope
1.2 Terminology
1.2.1 Critical Safety Functions
1.2.2 Parameters
1.2.3 Plant Signals
2.0 SPDS DESIGN AND OPERATION
2.1 System Description
2.1.1 Data Acquisition Subsystems
2.1.2 Computer Subsystems
2.1.3 Display Subsystem
2.1.4 System Availability
2.2 SPDS Displays
2.2.1 Display Conventions
2.2.2 Top Level Displays
2.2.3 ERG Summary Displays
2.2.4 Trend Graph Displays
2.2.5 Reactor Vessel Level Displays
2.3 Human Factors Design Considerations
2.3.1 Display Features
2.3.2 Graphic Coding
2.3.3 Display Access
2.3.4 Display Unit Locations
2.4 Verification and Validation Program
2.4.1 Definitions
2.4.2 V&V Activities
2.4.3 Relationship Between QA and V&V
3.0 SELECTION AND EVALUATION OF SPDS PARAMETERS
3.1 Selection and Evaluation Process
3.2 Parameter Ranges
3.3 Selection of SPDS Alarm Setpoints
3.4 SPDS Data Validation
3.4.1 Single-Input Parameters
3.4.2 Parameters with Two Input Sensors
3.4.3 Parameters with Multiple Input Sensors
4.0 SAFETY EVALUATION PER 10 CFR 50.59
4.1 SPDS Function and Design
4.2 SPDS Installation and Safety System Interface
4.3 SPDS Operation
4.3.1 SPDS Functional Requirements
4.3.2 SPDS Input Sensor Verification
4.3.3 SPDS Control Room Operator Influence
5.0 SUMMARY AND CONCLUSIONS
6.0 REFERENCES
APPENDIX 1 - SPDS CRITICAL SAFETY FUNCTIONS AND ASSOCIATED MONITORED PARAMETERS
APPENDIX 2 - SPDS PARAMETER RANGES
APPENDIX 3 - SPDS TREND GRAPH PARAMETER GROUPINGS

LIST OF FIGURES

1 Relative Locations of the SPDS Display Units in the Control Room
2 OPERATION Top-Level Display •
3 Interpretation of the CSFM Status Targets
4 Logic Used to Determine Operating Mode
5 COLD SHUTDOWN Top Level Display •
6 LOCA/LOSC ERG Summary Display •
7 SGTR ERG Summary Display
8 SG ISOLATION ERG Summary Display •
9 ERG FOLDOUT ERG Summary Display •
10 Typical SPDS Trend Graph •
11 Reactor Vessel Level Current-Conditions Display •
12 Reactor Vessel Level Trend Graph
13 SPDS Keypad Format
14 SPDS Menu Hierarchy
15 Logic for Validating Reactor Coolant System Cold Leg Loop Temperature Signals

  • The displays shown here were produced using a color copier that reverses light and dark colors, so some display features are shown as negative images. (For example, the background of all displays is black, but is shown here as white. Similarly, the beige-colored demarcation lines and text on the displays appear black on these copies.) Readers of this report are cautioned to keep this in mind while examining these copies.

Page 1 of 40

1.0 INTRODUCTION

1.1 Purpose and Scope

This report has been prepared in response to section 4 of NUREG-0737, supplement 1 (reference 1), and presents the safety analysis of the Comanche Peak Steam Electric Station (CPSES) Safety Parameter Display System (SPDS).

The CPSES SPDS is part of the plant Emergency Response Facilities Computer System (ERFCS). The CPSES ERFCS is a site-specific implementation of the generic Safety Assessment System (SAS) developed by the Westinghouse Owners Group Ad Hoc Subcommittee on Instrumentation Systems. The generic SAS design and development project included formal Verification and Validation (V&V) of the generic portions of the design and underwent a user's evaluation program in 1982.

The generic SAS was designed to satisfy NUREG-0696 requirements for an SPDS. This report discusses the adequacy of the SPDS portion of the CPSES ERFCS in terms of the later requirements specified in NUREG-0737, supplement 1.

An overview of the CPSES SPDS design and installation is presented in section 2.0.

Selection and evaluation of SPDS parameters is discussed in section 3.0.

The 10 CFR 50.59 safety evaluation of the CPSES SPDS implementation is presented in section 4.0, and an overall summary and conclusions are presented in section 5.0.

1.2 Terminology

1.2.1 Critical Safety Functions

Critical Safety Functions (CSFs) are those safety functions that are essential to prevent a direct and immediate threat to the health and safety of the public. The critical safety functions monitored by the SPDS are those developed by the Westinghouse Owner's Group to satisfy NUREG-0737, supplement 1, requirements. They are:

  • Subcriticality
  • Core Cooling
  • Heat Sink
  • Integrity
  • Containment
  • Inventory

The purpose of the SPDS in relation to the CSFs is to continuously display information to enable a user to assess overall plant safety status in terms of how well the CSFs are being maintained or accomplished. However, the SPDS is not designed to diagnose the specific events which may be affecting CSF maintenance or accomplishment. As implemented at CPSES, the parameters displayed on the SPDS provide the reactor operator and technical personnel with continuous, unambiguous data that will enable them to make proper decisions regarding appropriate operator action in response to developing plant conditions.

1.2.2 Parameters

Parameters are those measures of system status or performance which are obtained directly from or calculated from plant signals. Each parameter is measured by one or more calibrated sensors.

1.2.3 Plant Signals

Plant signals are the electronic or electrical outputs of calibrated monitoring and control sensing devices installed in the plant systems.

2.0 SPDS DESIGN AND OPERATION

2.1 SYSTEM DESCRIPTION

The displays and features that comprise the SPDS at CPSES are a subset of the displays and features available through the ERFCS. The SPDS includes the specific displays and features described in this report, and the software that supports those displays and features; but the ERFCS includes several other displays and features that are not described here.

The ERFCS is configured so that each CPSES unit has its own computer system. Each computer system includes the three major subsystems described below.

2.1.1 Data Acquisition Subsystem

The data acquisition subsystem for each unit collects input signals through remote multiplexing units (RMUs) and associated communications controllers, and input data through ASCII-character communication data links, as discussed below.

2.1.1.1 Data Acquisition Via Remote Multiplexing Units (RMU)

The RMU systems are high-speed data multiplexers connected via redundant data links to a redundant set of communication controllers (CCs). The RMUs provide for analog and digital signal scanning, analog to digital conversion, and Class 1E isolation.

All field inputs are connected to the RMUs either directly or through qualified 1E isolators as required by NUREG-0737, supplement 1 (reference 1). The RMUs transmit digitally coded information to, or receive digitally coded commands from, the redundant CCs by means of redundant data links.

The redundant CCs control both the interrogation of the RMUs and the transmission of data along the redundant data links. The CCs also control the allocation and transfer of data to the memories of the computer systems. The CCs likewise control commands initiated by the computers and transmit them to the appropriate RMUs.

2.1.1.2 Data Acquisition Via ASCII Data Links

Three ASCII data sources provide input directly to the ERFCS Computers. These are:

  • Radiation Monitoring System
  • Core Cooling Monitoring System
  • Reactor Vessel Level Indicating System

These systems accomplish all engineering unit conversions and data validation for each of their respective inputs. Each provides a formatted ASCII data string to the ERFCS. Class 1E isolation is provided by each system prior to data transfer to the ERFCS.

2.1.2 Computer Subsystems

The ERFCS includes two pairs of redundant PRIME 750 Computers. One pair is located in each unit, and communicates with and supports that unit's data acquisition system and display system (described below). One computer in each unit is configured to be the "primary" computer, and is capable of performing all SPDS-related data acquisition and display functions itself. The other computer in each unit is configured to be the "backup" computer. It routinely monitors the performance of the primary computer, and initiates a system failover (a transfer of "primary" computer responsibilities from the normally primary computer to the normally backup computer) upon detection of an anomaly. Redundant computers in each unit thus ensure that system availability remains high.

2.1.3 Display Subsystem

The ERFCS includes CRT display units in each of the station's emergency response facilities: three display screens are located in each unit's control room, three display units are located in the Technical Support Center, and two display units are located in the Emergency Operations Facility. With the exception of one of the screens in the control room (discussed below), all display units are Chromatics CGC-7900 Colorgraphics Computers.

Three display units are available in each control room; two are mounted in a console in the central area of the "horseshoe" portion of the control room, and the third is mounted in the center of the main control board. The relative positions of these screens are shown in Figure 1. The CRT mounted on the right-hand side of each console is referred to as the "supervisor's CRT". It includes a full Chromatics keyboard, and allows system users to access all SPDS displays and all other ERFCS displays and features, through the bezel-key hierarchical menu described below (section 2.3.3). The CRT mounted on the left-hand side of each console is the "operator's CRT". Through this CRT, system users may access only SPDS displays; access is provided via the single-stroke keypad described below (section 2.3.3). The third CRT in each control room is a high-resolution CRT monitor that is mounted at eye level in the main control board, as shown in Figure 1. A switch associated with this monitor allows users to select either SPDS displays supported by the ERFCS, or other displays supported by the plant process computer. In the "SPDS" mode, this monitor is "slaved" to the operator's CRT. That is, whatever is displayed on the operator's CRT will also be displayed on the control board monitor. A single-stroke display selection keypad, identical to the one mounted near the operator's CRT, is mounted near the control board monitor. This keypad is connected in parallel with the other one, so that an operator may select a display from either keypad.

The display units in the Technical Support Center and the Emergency Operations Facility are all Chromatics CGC 7900 computers. Through these units, users may access any SPDS display, or any other ERFCS display or feature. Access is allowed through the bezel-key menu described below (section 2.3.3).

2.1.4 System Availability

The ERFCS was designed to achieve high SPDS availability. During the design of the system, the principle of redundancy was applied to ensure that the failure of any component would not cause system unavailability. In addition, except for the display units in the Emergency Operations Facility, all ERFCS components are powered from uninterruptible power sources. So, high system availability is assured. However, quantification of system availability in an operating-station environment cannot be assessed until the station begins operating. Therefore, before the first refueling outage, Texas Utilities will develop and implement a surveillance program to quantify SPDS availability.

2.2 SPDS DISPLAYS

Four different types of displays are included in the SPDS. These are Top Level, ERG Summary, 30-minute Trend, and Reactor Vessel Level displays, and are discussed below. All of the SPDS displays except the two-hour trend graphs described below include several common display features. These common display features are in the Critical Safety Function Monitor (CSFM) summary area and the message area, and are illustrated in Figure 2.

[Figure 1. Relative Locations of the SPDS Display Units in the Control Room. Legend, shown for Unit 1 and Unit 2: 1. Main Control Board CRT; 2. Operator's CRT; 3. Supervisor's CRT; 4. SPDS Console; 5. Plant Process Computer Console; 6. Radiation Monitoring System Console.]

[Figure 2. OPERATION Top-Level Display (Information displayed is for demonstration purposes only.)]

The CSFM Summary area lists the six Critical Safety Functions which are monitored and maintained through the CPSES Emergency Response Guidelines (ERGs) and Function Restoration Guidelines (FRGs). These functions are listed on the display in the order of priority defined in the ERGs. This area also includes dynamic color- and pattern-coded targets which graphically indicate the status of each critical safety function. These targets are further described in Figure 3. The logic that activates each CSFM target is identical to the logic specified in the corresponding ERGs for monitoring the corresponding critical safety function. The specific logic trees used in the ERGs are duplicated on dynamic ERFCS displays that are not considered to be part of the SPDS.

The message area that is included on all SPDS displays except the two-hour trends includes information in three categories. One such category is current conditions: a table is presented at the top of the message area that lists and identifies the current values of reactor power, auctioneered high average reactor coolant system temperature, and startup rate. The listed value of power is displayed in units of counts per second, detector amperes, or percent of full power, as appropriate.

The second category of information in the message area includes information about the occurrence of several events, and the plant's response to some of those events. The events monitored include reactor trip, safety injection, phase "A" containment isolation, feedwater isolation, containment ventilation isolation, main steam line isolation, and phase "B" containment isolation. When any of these event signals are received, the name of the event appears in the message area, along with a corresponding integer number and the date and time that the signal was received. This information is formatted as shown in Figure 2. In addition, the status (complete/incomplete) of the plant's response to the latter five events is also displayed immediately beneath each event's name. If all of the valves that are intended to close (or open) in response to a particular signal event are in their proper positions, then the status of that event will be displayed as "complete". Otherwise, the status will be displayed as "incomplete", "complete-suspect", or "incomplete-suspect", as appropriate and as shown in the examples in Figure 2. The ERFCS includes a non-SPDS display associated with each of these five events that lists all of the components which are not in their proper positions and those components whose positions are unknown.

The integer numbers described above as being associated with each event are used to identify on the trend graphs the time at which the events occurred, as shown in the example in Figure 10.

The third category of information that is included in the message area includes the three computer system diagnostic messages illustrated in Figure 2. These messages will be displayed as conditions warrant.

A box in the lower left-hand corner of every display continuously displays current date and time. The box includes a large black-on-beige numeral ("1" or "2") to ensure that system users associate the presented data with the proper CPSES Unit. This box also identifies the current mode of operation ("OPERATION", "HEATUP/COOLDOWN", or "COLD SHUTDOWN"). The mode is determined on the SPDS by the logic shown in Figure 4. This logic determines not only the message that will be displayed in the box discussed above, but also the set of alarm and reactor trip setpoint values that will be used to implement the alarm status conventions discussed below. If the system cannot complete the logic shown in Figure 4 due to a loss of input signal, the mode message will be replaced by blue asterisks and all alarm status indications will disappear. A user may override the logic result with a user-specified mode designation. This may be accomplished only through the SPDS system terminal in the computer room, and will restore alarm status indications and result in the user-specified designation being displayed surrounded by a blue "suspect" box.

[Figure 3. Interpretation of the CSFM Status Targets]

2.2.1 Display Conventions

Display conventions employed on all SPDS displays enable system users to readily assess data validity and alarm status. These conventions are discussed further below.

2.2.1.1 Data Validity Conventions

The ERFCS assesses the validity of the data that are presented on SPDS displays and distinguishes between three states of data validity. (The algorithms used in these assessments are discussed in section 3.4.) "Good" data are presented in white text; "suspect" data are presented in white text surrounded by a blue box; and "bad" data are replaced by blue asterisks.

2.2.1.2 Alarm Status Conventions

Every SPDS display includes indications of the alarm status of displayed parameters. On bar charts, on trend graphs and the OPERATION top-level display, alarm limits are indicated by small triangles positioned immediately adjacent to the bars, as illustrated in Figure 2. These triangles are displayed at vertical positions that correspond to the setpoints. Yellow triangles represent alarm setpoints and red triangles represent reactor trip setpoints.

Additional alarm status information is provided on the OPERATION top level display by bar chart color changes. While a parameter is within its normal operating range, its associated bar is displayed in green. When an alarm setpoint is exceeded, the bar turns yellow. When a reactor trip setpoint is exceeded, the bar turns red.

Yellow and red boxes are used to indicate the alarm status of parameters that are presented without an associated bar chart, as on the ERG Summary displays discussed below and illustrated in Figures 6 through 9. When a parameter value exceeds an alarm setpoint, the displayed value is surrounded by a yellow colored box. When the parameter value exceeds a reactor trip setpoint, the box turns red.

[Figure 4. Logic Used to Determine Operating Mode. Flowchart: if TAVE is not known, the mode is unknown; otherwise the mode is "COLD SHUTDOWN", "OPERATION", or "HEATUP/COOLDOWN", depending on TAVE relative to 200°F and 550°F. TAVE: average reactor coolant system temperature.]
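The mode logic of Figure 4 and the data validity and alarm status conventions of section 2.2.1 combine into one display-state calculation, including the loss-of-input and override cases. The Python example below is added here for illustration and is not code from the SPDS or from this report. All names, the "DEMO PARAM" setpoints, the treatment of exactly 200°F as cold shutdown, and the application of an override whenever one is set are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    OPERATION = "OPERATION"
    HEATUP_COOLDOWN = "HEATUP/COOLDOWN"
    COLD_SHUTDOWN = "COLD SHUTDOWN"


class Validity(Enum):
    GOOD = "good"
    SUSPECT = "suspect"
    BAD = "bad"


# Constructed (alarm, reactor trip) setpoints per mode for one hypothetical
# parameter; the report's actual setpoint values are not given on this page.
SETPOINTS = {
    Mode.OPERATION: {"DEMO PARAM": (80.0, 90.0)},
    Mode.HEATUP_COOLDOWN: {"DEMO PARAM": (60.0, 90.0)},
    Mode.COLD_SHUTDOWN: {"DEMO PARAM": (20.0, 30.0)},
}
# Green applies to bar charts; a value shown without a bar has no box when normal.
ALARM_COLOR = {"normal": "green", "alarm": "yellow", "trip": "red"}


def mode_from_tave(tave_f: Optional[float]) -> Optional[Mode]:
    """Figure 4 logic. None means the logic could not complete (TAVE lost)."""
    if tave_f is None:
        return None
    if tave_f <= 200.0:  # assumption: the boundary value counts as cold shutdown
        return Mode.COLD_SHUTDOWN
    if tave_f > 550.0:
        return Mode.OPERATION
    return Mode.HEATUP_COOLDOWN


@dataclass(frozen=True)
class ModeBox:
    text: str             # mode message, or asterisks when the mode is unknown
    suspect_box: bool     # True when the designation came from a user override
    mode: Optional[Mode]  # mode whose setpoints apply; None disables alarms


def mode_box(tave_f: Optional[float], override: Optional[Mode] = None) -> ModeBox:
    """Build the mode box; an override is always marked with the suspect box."""
    if override is not None:
        return ModeBox(override.value, True, override)
    mode = mode_from_tave(tave_f)
    if mode is None:
        # Loss of input: blue asterisks, and alarm indications disappear.
        return ModeBox("*****", False, None)
    return ModeBox(mode.value, False, mode)


@dataclass(frozen=True)
class Rendered:
    text: str
    text_color: str
    suspect_box: bool           # blue box drawn around suspect data
    alarm_color: Optional[str]  # None when alarm indications are suppressed


def render(name: str, value: Optional[float], validity: Validity,
           box: ModeBox) -> Rendered:
    """Apply the validity and alarm conventions to one displayed parameter."""
    if validity is Validity.BAD or value is None:
        return Rendered("*****", "blue", False, None)  # bad data is never shown
    alarm_color = None
    if box.mode is not None:
        alarm, trip = SETPOINTS[box.mode][name]
        status = "trip" if value > trip else "alarm" if value > alarm else "normal"
        alarm_color = ALARM_COLOR[status]
    return Rendered(f"{value:g}", "white", validity is Validity.SUSPECT, alarm_color)
```

The validity box and the alarm colour are returned as separate fields because the report does not state which takes precedence when a suspect value is also in alarm.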

2.2.2 Top Level Displays

The SPDS includes two "top-level" displays. One enables system users to monitor key parameters during plant operation (including heatup and cooldown), and the other monitors parameters of interest during cold shutdown, as discussed below.

The OPERATION top-level display includes color-coded bar charts with displayed values, color-coded targets, and display values alone, in addition to the features common to all SPDS displays, and is shown in Figure 2. The data validity and alarm status conventions described above are fully implemented on this display, and several examples of suspect data and parameters in alarm are illustrated on Figure 2. This display provides users a concise overview of all SPDS parameters, as all are either directly or indirectly monitored and/or displayed on this display. All of the parameters monitored through this display are also included on SPDS trend graphs (discussed below in section 2.2.4). For example, the RAD MON target on this display will change from green to yellow if any of four radiation monitor signals exceed their associated alarm setpoints; all four of those signals are included on the RAD MON trend graph. Similarly, two "RVLIS" displays (described in section 2.2.5) provide users with further insight to reactor vessel level data that is monitored on this display through the RV LVL target. Thus, this display will alert users to adverse trends in any of the SPDS parameters, and the users will be able to further investigate those trends through the trend graphs and other SPDS displays.

The COLD SHUTDOWN display monitors the parameters that are important during cold shutdown conditions, and is shown in Figure 5. This display is similar in format to the trend graph displays discussed below in that it includes bar-chart indications of current conditions on the left side of the display, and trend-graph indications of conditions during the past two hours on the right side. The data validity and alarm status indications described above are implemented on the bar charts. The trend graphs function in a manner similar to strip-chart records. Current conditions are indicated on the right, and time is read from left to right. The trend graph scrolls to the left as time passes.

2.2.3 ERG Summary Displays

The SPDS includes four displays that present parameters monitored through the CPSES Emergency Response Guidelines. The formats of these displays are presented in Figures 6 through 9. Standard data validity and alarm status conventions are implemented on these displays.

2.2.4 Trend Graph Displays

The SPDS Trend Graph Displays provide the system users with graphical indications of pre-selected, functionally related groups of parameters. On the left-hand side of each trend graph are presented bar-chart displays that indicate the current values of each of the parameters presented on the display. Alarm and reactor-trip setpoints associated with each parameter are displayed on each bar chart by yellow and red triangles, respectively, as per the alarm status conventions discussed earlier (section 2.2.1.2). Most of the trend graph groupings include four parameters per display, but a few trend graphs include only three parameters. On the right-hand side of each trend graph is presented a thirty-minute plot, similar to a strip chart record, that shows variations in each of the parameters during the past thirty minutes. For each parameter, the scale used on both the bar chart and the plot corresponds to the range between the minimum and maximum engineering-unit values for the associated input sensor. The color used to indicate a parameter's value on a bar-chart is also used to present its thirty-minute trend on the plot, thus enabling a user to readily identify each trend. A typical SPDS trend graph display is shown here as Figure 10.

Parameter groupings on SPDS trend graphs are listed in Appendix 3.

2.2.5 Reactor Vessel Level Displays

The SPDS includes three displays that present data from the Reactor Vessel Level Indication System (RVLIS). On the OPERATION top-level display (Figure 2), the reactor vessel level status is indicated by a color-coded target: if RVLIS data indicate that the upper reactor vessel head is full (all sensors indicate coolant), the target is green; otherwise, the target is yellow. Two other displays present RVLIS data, as discussed below.

One of the RVLIS displays presents an indication of current conditions. This display employs a schematic representation of the upper vessel head and the core to shew the relative positions of the RVLIS sensors. The display format is shown here as Figure 11. Data from each sensor are displayed via a color-coded circle: each circle is displayed in solid dark blue if the sensor indicates " coolant", or in solid white if the sensor indicates "no coolant". If a sensor's signal is unknown, the solid-color circio is replaced by a light blue asterisk. As shown in Figure 11, this display also includes tables of upper-head temperatures sensed at each sensor location, and an indication of auctioneered high core exit thermocouple temperature. Position identification labels en 4

Page 13 of 40 e

O w

U u

th b

~*~

b 3 E

5 E

o 53

~

~+-

5%

US

=

23 23 h

l 5

5 5

(h O

E_ R

14
a Q

22

- :s

3 m

5 5

5 2

3R i_5 35 W

e i"

i' O!

1 i

se

ss is p

a 3a es se a

8

. Ib 8

2 o

.e 5o j ;n 3

!ab i i_so imb C i'

js Q

g

W l gsg 8g H a
i,-

E&

1 33 55" 3 0

a u

3 5_ R ia 54 j

si i s si y) m 1

5t i 53 54 h

it 128

S C

M E

! s i

j c.

5E

! 35 32 2

5$

j iG is C

s

-a s

c.)

t 5:

4s si

}

et ris is g

a p-a

,0 1

C.

O E== ^

! E 5.b I

' I I II I I I s..

.s.s i i i i i i ims II I

I

! 8':

77 7 7 i

oC

- rj

~;ii SO

)

^m i

i i

,i

,s l

aw e

=to o

mw n

  • n a 2 O

' pg 1 *s 1 "s 1 i % - s' j a II 7 I 3 I I I, !

  • E ! E..

3&

i i i i i i ia a g!

I I

g-!

i in 3 ca i i i i i o

u c.

i i

i i g

10 o

.g a

li,i,i,i,i.iIs!

U

,S r l$l%

g

CSFM LOCA/LOSC SUSCRITICALITY C RCS PRESS 2200 PSIG A

CORE COOLING Q

PRZR LYL B4 HEAT SINK PRZR PORY OPEN INTEGRITY PRZR SFTY VLV CLOSED A U HI CET 1600 F

CONTAIMMENT Q

SUBC00L 108 F

V INVENTORY CNDSR OFF GAS RAD 8.9x101 gCi/nl A

(

POWER 5.0X105 CPS CNTNT RFf;

[- *8xiO4] mR/}R RUCT HI Tave 386 F SR SUR m*

DPM SG BLDN RAD 2 7i103 gCval CNTMT PRESS 10 PSIG

=~1

CNTMT WATER LYL BI'C6 (EL)

~ = - - =

AN #

RklST LYL Y

' c'*o"::Ec c ' 3 ;r.;;=

RHR FLN 4800 GPM a

  • W.'!?-

1241"4:*

1 2

3 4

= f"m.c S m ?I',= RCP STATUS ON 0FF ON ON

' Ereoiehe a 4 r-4 '

TH 689 A B2]

613 640

'F

' c""" Scaac' 1:41143-SG NR LYL

- 47 45 Y 52 A 53 A '/.

"* 7~""' C """'

FAI FLO 300 305 298 Y 002 GPM c

o MSL PRESS 808 A MA 804 806 A PSIG 39 m g MSL RAD 13i184] A (C0Mx 9.7x103 Y 9.8x193 gCval i

26 SEP 85 1 M 4:

TI HERTUP/COOLDOWN ET o

E Figure 6.

LOCA/LOSC ERC Su==ary Display (Information displayed is for information C,

purposes only.)

3o

CSFM SGTR SUBCRITICALITY

[d RCS PRESS 2100 PSIG A

CORE COOLING PRZR LYL 45 Y

HEAT SINK PRZR PORV CLOSED INTEGRITY RWST LYL

[If0]

CONTAINMENT Q

RHR FLOW Ei35f01 GPM A

INVENTORY AUCT HI CET 1800 F

CST LYL 76 i

POWER 5.0X105 CPS R HI Ta E

CHDSR OFF GAS RAD 2.3x105 gCval Y SG BLDH RAD

[ 3x309 gCval cve,.1.

A:4e%:*

CNTMT WATER LVL BlTJi (EL.) A A211T4*"

1 2

3 4

1""' %* '""'"....

RCP STATUS OH OFF ON OH "de' E"go SG HR LVL 40 A 38 39 A 42 d

= fr.c!= tc,c snL3..?

AFW FLO 140 139 139 143 GPM

' Enho M L,=

AWM' PRI-SECAP 800 794 A 792 Y

$6]

PSIDi

'TC"'"AMM MSL PRESS 655 647 Y B3 659 A PSIGi

""'",7"""""Tc" """"

MSL RAD 2.3x105 A E28IBE 2.2x105 Y 2.2x105 gCva(

c - "'"" " " - "

SG ISOL m

R,SEP 85 17:04:39 s AS PER YES YES N0 YES j

[g HenTue cootoows an B E0P-2.0?

C; P,

8 Figure 7.

SGTP. ERG Summary Display (Information displayed is for demonstration purposes only.)


Figure 9. ERG FOLDOUT ERG Summary Display (Information displayed is for demonstration purposes only.)

this display are the same as the labels used on the RVLIS panel on the main control board.

The other RVLIS display presents a two-hour trend-graph display of selected RVLIS data (Figure 12). The upper portion of this display presents the current values of the temperatures sensed by the uppermost two sensors in each train, and their associated trends. This portion of the display is identical in format to and employs the same conventions as a corresponding portion of the COLD SHUTDOWN top-level display (Figure 5).

The lower portion of this display presents, on the left, an indication of current upper-head conditions, using arrays of color-coded circles identical to those on the schematic display discussed above. A two-hour trend of sensor indications is presented on the right side. On this trend, each sensor's indications are represented by a bold, horizontally oriented, color-coded bar. The bar is divided into 12-second segments; current conditions are recorded in the right-most segments, which scroll to the left and are replaced by new current-condition segments every 12 seconds. The color code for the bar segments is the same as for the circles: the bar segments are blue if the sensor indicates "coolant", or white if the sensor indicates "no coolant". If a sensor signal is lost, the bar segment is displayed in black.

2.3 Human Factor Design Considerations

An interdisciplinary team of operations, control and instrumentation, and human factors engineers was involved in the definition, creation, and review of the SPDS display formats to ensure displays were consistent with the requirements of supplement 1 to NUREG-0737, the functional criteria of NUREG-0696, and the general human factors guidance of NUREG-0700. The program that developed the basic display formats included a user evaluation at the Indian Point 2 power plant simulator (Reference 5).

2.3.1 Features

The display formats are designed with low-information densities. Furthermore, the color scheme is designed to reduce the visual dominance of the static background information.

Extensive use of demarcation lines is employed to separate classes of data or parameters. Four different colors are used on the trend graphs for differentiation and association.

Simple display formats are provided to reinforce user recognition of plant status. Similar data are presented in similar formats. Vertical-bar level indications are easy to associate with parameter values. Furthermore, the vertical-bar format is familiar to control room operators, as the control boards contain mainly vertical meters.

Figure 10. Typical SPDS Trend Graph (Two such trend graphs may be displayed at the same time; when another is selected, the graph on the bottom of the display will move to the top, and the newly selected graph will be inserted as shown here. Information displayed is for demonstration purposes only.)

Figure 11. Reactor Vessel Level Current-Conditions Display (Information displayed is for demonstration purposes only.)

Figure 12. Reactor Vessel Level Trend Graph (Information displayed is for demonstration purposes only.)

Color codes are consistent on all SPDS displays. Red is reserved for information related to reactor trip: red triangles on bar charts indicate trip setpoint values, and both red boxes around displayed values (on ERG Summary displays and the OPERATION display) and changing bar chart color to red (on the Operations display only) indicate that the displayed parameter value exceeds a trip setpoint. In the same sense, yellow is reserved for alarm limits: yellow triangles on bar charts indicate alarm setpoint values, and both yellow boxes around displayed values (on ERG Summary displays and the Operation display) and changing bar chart color to yellow (on the Operations display only) indicate that the displayed parameter value exceeds an alarm setpoint. Light blue is reserved for data validity indications: on all displays, blue boxes indicate suspect data, and blue asterisks indicate bad data.

Arrangement consistency is a key feature of the SPDS displays. Certain data (date, time, critical safety function summary, messages, etc.) always appear in the same areas on every display, to facilitate ready identification of data appearing on different displays. The data or information groups are located on the display in order of relative importance. Generally, the groups are ordered in a top-to-bottom and left-to-right ranking, with the most important data at the top or on the left of the display.

Displays are presented on high-resolution monitors. The 1024-pixel by 780-pixel CRT used in the Chromatics units enables sharply-defined symbols, lines, and text. Thus, users are able to readily discriminate between different display features, and between display features and background.

2.3.2 Graphic Coding

Pattern and color coding techniques are extensively used on the SPDS displays to portray status in a graphic form for rapid user recognition, as discussed below.

2.3.2.1 Pattern Coding

As previously mentioned, vertical bar charts were selected as the means of presenting primary status indications. This technique allowed for a range of value indication in a form comprehended by the user.

Trend arrows are used on the top-level and ERG Summary displays in conjunction with the parameter values to provide immediate value trend direction information; examples of trend arrows are visible on Figure 2.

2.3.2.2 Color Coding

Color coding is used to enhance changes in status and to add parameter differentiation and association.

Color use is consistent and restrained (only seven colors plus a black background are used). Each of the colors used is produced on the screen by more than one color gun, so information will be displayed on the screen even if a CRT color gun fails.

The use of color on the Critical Safety Function summary employed a structured approach. To present CSF status information the following conventions are used:

  • Red - off-normal, immediate action, loss of safety function
  • Orange - prompt action, potential loss of safety function
  • Yellow - failure or caution, loss of redundancy, action may be needed
  • Green - normal, Critical Safety Function satisfied
  • Blue Asterisk - loss of indication (sensor related); Critical Safety Function unknown

Color usage on the trend graphs was used for differentiation and association to distinguish the parameter trends on each graph and to relate each bar level to a corresponding trend line.

Beige color is used for demarcations, titles, graduations, static values, and text information.

White is used for dynamic values and event/message data because of its sharp contrast value against the black background of the displays.

2.3.3 Display Access

SPDS displays are available through two different types of terminals. Primary or "operators'" CRTs are located on the left side of the SPDS consoles in the control rooms, and on the main control boards. Displays are accessed from these terminals via a dedicated keypad that allows users to select any SPDS display by a single keypad stroke. The keypad is formatted and labelled as shown in Figure 13.

Besides the primary CRTs, the ERFCS includes secondary CRT units. These units each include a full Chromatics keyboard and a bezel-key array through which users interact with the system.

The bezel keys enable the user to select any ERFCS display. The keyboard enables the user to provide information to various non-SPDS functions as required. Displays are selected by using the bezel keys to move through a hierarchical menu that

Figure 13. SPDS Keypad Format

includes all displays. The menu is continuously displayed at the bottom of the CRT screen, immediately below the SPDS display on the screen, and immediately above the associated bezel keys. The menu position is clearly shown on the sample Operation display (Figure 2); a complete SPDS menu is depicted here as Figure 14.

2.3.4 DISPLAY UNIT LOCATIONS

In each unit, the primary CRTs are located on the left side of the SPDS console in the control room, and on the main control board. A secondary CRT (the "supervisor's" CRT) is located on the right side of the SPDS console. Additional secondary CRTs are located in the Technical Support Center (3 units) and the Emergency Operations Facility (2 units). These additional CRTs are free-standing Chromatics CGC 7900 display units.

2.4 Verification and Validation Program

The Verification and Validation (V&V) program for the Comanche Peak SPDS was conducted in accordance with NSAC 39.

The safety-related aspects of the SPDS design satisfy the requirements of ANSI N45.2.11-1974. The SPDS is a subsystem of the Emergency Response Facilities Computer System. As such, its V&V program satisfies the objectives of NUREG-0696, "Functional Criteria for Emergency Response Facilities."

All V&V activities are performed by individuals who are independent from the design effort and have sufficient experience and expertise to properly evaluate the various activities which affect the final design and installation of the SPDS. Activities covered by the V&V plan include design verification against functional requirements and specifications, installation inspection, and overall system performance testing. The system requirements document for the ERFCS includes a requirements traceability matrix taken from the system requirements specifications and NUREG-0696.

2.4.1 Definitions

Verification is the demonstration of the consistency, completeness, and correctness of each stage of the development of a project on the basis of fulfillment of all requirements imposed by the previous stage. Validation is the demonstration of the correctness of the final system as determined by testing against overall functional, performance, and interface requirements.

The essential idea of verification is stage-by-stage confirmation of the design, while validation refers to overall testing of the final product. The V&V process is intended to provide an overall check that all requirements are met and that the system operates satisfactorily.

Figure 14. SPDS Menu Hierarchy

2.4.2 V&V Activities

Specific areas covered by V&V activities are:

  • System requirements verification
  • Hardware and software design specification verification
  • System validation testing

For each of the above V&V activities, qualified personnel are assigned to perform the activities required to ensure that all applicable design basis requirements are included in the design and that the design is complete, correct, and unambiguous.

An interim report is issued at each phase of the V&V process, wherein all discrepancies are identified and resolved. A final V&V report summarizes the results of each activity, and documents the resolutions of all required corrective actions.

2.4.3 Relationship Between QA and V&V

The V&V efforts of the V&V program are independent of any quality assurance (QA) requirements which may be imposed elsewhere. As part of the V&V effort, the V&V team may elect to employ QA procedures, forms, or personnel.

Such election would be for convenience and cost-effectiveness of the V&V effort, and would neither impose additional QA requirements nor compromise any QA requirements of any part of the overall system specifications.

3.0 SELECTION AND EVALUATION OF SPDS PARAMETERS

The SPDS input parameters were selected based upon their ability to comprehensively and unambiguously monitor the various plant safety functions. Additionally, the type, number and range of each input parameter were selected to be sufficient to determine the maintenance or accomplishment status of each critical safety function for a wide variety of events, including design basis accidents for all modes of reactor operation.

3.1 Selection and Evaluation Process

The CPSES Final Safety Analysis Report and the plant Technical Specifications were reviewed to determine requirements regarding the maintenance and accomplishment of each critical safety function during all modes of reactor operation. This review included system design bases and performance specifications, transient and accident analyses, characteristics of the modes of operation, alarm setpoints and system operational limits, and Technical Specifications bases.

The CPSES parameter set includes all of the minimum set of SPDS parameters selected by the Ad Hoc Group of the Westinghouse Owners Group Subcommittee on Instrumentation (1981), of which Texas Utilities was a member. The parameter set for the CPSES SPDS was compared with the SPDS parameter sets recommended by NSAC and AIF. The NSAC (reference 6) set was derived by checking against WASH 1400 sequences and observing the number of times each parameter was a potential indicator of plant status. The indicators were classified as leading, secondary, possible misleading, or negligible response indicators for the various sequences. The AIF set (reference 7) was developed by using formal parameter selection criteria: detection, leading indicator, plant safety functions, radioactive barrier, direct measurement, reliability, and applicability under diverse plant conditions. Selected parameters were evaluated against the selection criteria in a predefined logic.

The CPSES SPDS parameter set includes all of the AIF SPDS parameters and all of the NSAC SPDS parameters which serve as leading indicators for the events analyzed except reactor coolant system flow rate, pressurizer relief tank level, volume control tank level, letdown flow rate, and control rod position. According to the NSAC study (reference 6), reactor coolant system flow rate is recommended to indicate loss of generator and subsequent failure to relay the plant loads to off site power and failure to establish conditions for natural circulation.

In the case of loss of the main generator, trip of the reactor coolant pumps, which occurs on undervoltage, would provide similar indication and is monitored by the CPSES SPDS.

Establishing and maintaining natural circulation and determining if adequate cooldown is occurring are accomplished without the use of RCS flow indication. Conditions which support or indicate natural circulation include reactor coolant core T greater than 10°F, steam generator pressure stable or decreasing, hot leg temperature stable or decreasing, core exit temperature stable or decreasing, and cold leg temperature near the saturation temperature for steam generator pressure. All these parameters are monitored and displayed on the SPDS.

Pressurizer relief tank level was recommended by NSAC to indicate pressurizer safety relief valve position. As an SPDS parameter, this only provides indication as to the possible cause of a reactor coolant system integrity breach. Since this is primarily used for diagnostics and because primary indicators of reactor coolant system integrity are available on the CPSES SPDS, this parameter is not displayed on the SPDS.

Volume control tank level and letdown flow rate were recommended by NSAC as leading indicators of CVCS performance but are not primary indicators of CSF status. Control rod position is also recommended by NSAC to indicate reactor protection system (RPS) performance. The primary indicators of RPS performance, as well as adequate core subcriticality, are neutron flux and decreasing flux (negative startup rate), both of which are monitored and displayed on the CPSES SPDS. Control rod position is not monitored by the SPDS, but is adequately displayed via the rod position indicating system display located next to the SPDS CRT on the main control board.

A study was conducted which reviewed the SPDS parameter set against the CPSES Emergency Response Guideline procedures. The purpose of the study was to assess the adequacy of the parameter set. The study noted that:

The set of parameters monitored-through the SPDS displays includes all of the parameters necessary to determine the status of the six critical safety functions.

The status of all but one of the parameters necessary to determine the status of the critical safety functions may be inferred from direct or indirect indications on the top-level displays. The Aux Feedwater flow rate may be viewed in the ERG Summary Displays.

The set of parameters available on the ERFCS includes all but two of the parameters which trigger entry into or exit from CPSES ERG procedures, and that those two parameters may be inferred from other parameters available on the system. (One of those parameters is pressurizer PORV block valve position, which may be inferred from pressurizer pressure, PORV position, and pressurizer relief tank pressure and temperature; the other is containment sump recirculation valve position, which may be inferred from refueling water storage tank level and residual heat removal pump status and flow rate.)

The study thus concluded that the set of parameters presented on SPDS displays is sufficient to meet the intent of NUREG-0696 and supplement 1 to NUREG-0737, and that parameter availability for the entire ERFCS supports and is compatible with the CPSES ERGS.

3.2 Parameter Ranges

The SPDS parameter ranges are presented in Appendix 2.

Analog signals which provide input to the SPDS are identified with their corresponding ranges. In general, all ranges monitored by the SPDS are identical to those in the control room and envelop system design criteria, plant responses to design basis accidents, transients, and ATWS responses.

Neutron flux (reactor power) information is provided in the range of one count per second to 120 percent of full reactor power. Full range monitors that include source range (SR), intermediate range (IR), and power range (PR) outputs are used with sufficient overlap of ranges to provide this information. Additionally, startup rate is monitored from .5 to 5 decades per minute (dpm). These ranges correspond with the nuclear instrumentation system (NIS) indicators located in the control room.

Pressurizer level is monitored and displayed from 0 to 100 percent of capacity, which corresponds with control room indication.

Core exit temperature is monitored and displayed over the range of 0 to 2,300°F. This range corresponds with the Core Cooling Monitor indications located in the control room. The RCS subcooling margin is monitored and displayed over the range of -300 to +300°F which corresponds with the Core Cooling Monitor control room indications.

Cold and hot leg temperatures are monitored from 0 to 700°F which corresponds with the RCS temperature indicators located in the control room.

Steam generator level is monitored and displayed over its entire capacity of 0 to 100 percent. Main steam line pressure is monitored and displayed from 0 to 1,300 psig. These ranges correspond with the steam generator indicators located in the control room.

Steam generator steam flow and auxiliary feedwater flow are monitored from 0 to 5 x 10 lbm/hr and 0 to 550 gpm, respectively. These flow rates are on a per-loop basis for each of the four loops. Both the auxiliary feedwater and steam flow rates are monitored and displayed and correspond with the control room indicators.

RHR system flow is monitored and displayed from 0 to 5,500 gpm which corresponds with the indications located in the control room.

RHR heat exchanger inlet and outlet temperatures are monitored from 50 to 350°F which corresponds with indications located in the control room.

Pressurizer pressure and reactor coolant loop pressure are monitored from 1,700 to 2,500 psig and 0 to 3,000 psig, respectively. These are combined to provide a reactor coolant system (RCS) pressure display of 0 to 3,000 psig. This display corresponds with indications located in the control room.

Containment pressure is monitored and displayed over the range of -5 to 60 psig which corresponds with indications located in the control room.

Containment water level is monitored and displayed with respect to site elevation 808' to 817.5. These displays correspond with indications located in the control room. Additionally, containment humidity is derived from containment temperatures (wet and dry bulb) and pressure and is displayed over the full range of 0 to 100 percent.

Containment radiation is monitored and displayed over the range of 10 to 10 mR/hr which corresponds with the Radiation Monitoring System (RMS) indications located in the control room.

Containment hydrogen (H2) concentration is monitored and displayed over the range of 0 to 10 percent which corresponds with the Hydrogen Analyzer indications located in the control room.

Steam generator blowdown radiation and condenser off gas radiation are monitored and displayed from 10 to 10 pCi/ml. Additionally, all four Main Steam line radiation levels are monitored and the highest is displayed from 10 to 10 pCi/ml. All of these indications correspond with the Radiation Monitoring System indications in the control room.

3.3 SELECTION OF SPDS ALARM SETPOINTS

Alarm setpoints for SPDS input parameters were selected to provide indications consistent with existing plant alarm setpoints.

3.4 SPDS DATA VALIDATION

All SPDS parameters except one are monitored by more than one input sensor, so the displayed value represents an average of the valid input sensor values or the worst case input sensor value. The method used to validate input sensor values depends on the number of input sensors for each parameter, but all of the methods employ a technique referred to as "range checking". That is, each individual sensor value is first validated by comparing that value with the minimum and maximum values that can be produced by the corresponding sensor.

Within the range from +0.5% of the full scale between maximum and minimum values to 99.5% of full scale, the sensor is considered to be "good"; from -0.5% to +0.5% and from 99.5% to 100.5%, the sensor is considered to be "suspect"; and below -0.5% and above 100.5%, the sensor is considered to be "bad". Both the sensor values and the results of range-checking are used to determine and validate parameter values, as described below.

3.4.1 Single-Input Parameters

Only the reactor coolant system cold leg loop temperatures are monitored by only one sensor per loop; all other SPDS parameters are monitored by more than one sensor. However, since flow through each reactor coolant loop will be essentially identical, all loop cold leg temperatures should be the same. The method used to validate loop cold leg loop temperatures is based on that understanding, and is depicted in Figure 15.

3.4.2 Parameters with Two Input Sensors

With two input sensor values, several different circumstances are possible. The different possibilities, and the way the system deals with each, are discussed below.

Both values "good". In this case, the displayed value is the average of the two input sensor values or the worst case input sensor value. If the two values differ by more than a pre-determined, parameter-specific divergence criterion (on the order of 10% of full-scale), then the value is marked as "suspect".

Only one value "good". If only one sensor value is "good", then that value is displayed, but is marked as "suspect".

Both sensor values "suspect". The value displayed is the average of the two sensor values or the worst case input sensor value, and is marked as "suspect".

Figure 15. Logic for Validating Reactor Coolant System Cold Leg Loop Temperature Signals. (Flowchart. Legible box text: note status of each loop's reactor coolant pump (ON/OFF); how many other loops have reactor coolant pumps with the same status as loop 1?; note the difference between the cold leg temperature for loop 1 and the cold leg temperature for the other loop with the same reactor coolant pump status; determine an average cold leg temperature value for all loops with reactor coolant pumps with the same status; difference between the average cold leg temperature and the cold leg temperature for loop 1; difference > criterion? YES: the cold leg temperature is suspect; NO: the cold leg temperature is "good".)

Only one value "suspect". If one value is "suspect" and the other value is "bad", then the suspect value is displayed, and is marked as "suspect".

Both sensor values "bad". Blue asterisks are displayed instead of a parameter value.

3.4.3 Parameters with Multiple Input Sensors

The validation technique used for parameters with more than two input sensors essentially averages the "good" sensor values whose values are within a pre-determined, parameter-specific divergence criterion of each other. If any of the input sensor values fail the range-checking, or if any are outside the range established by the criterion, those values are not included in the average.
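The range check of Section 3.4 and the combination rules of Sections 3.4.2 and 3.4.3, written out as an added Python example; this is not the ERFCS software. The names, the treatment of values exactly on a band edge, the use of the median to decide which "good" values lie within the divergence criterion of each other, and the sample readings are assumptions.

```python
"""Added illustration of the Section 3.4 validation rules (not ERFCS code)."""
from dataclasses import dataclass
from statistics import mean, median
from typing import Callable, Optional, Sequence, Tuple

GOOD, SUSPECT, BAD = "good", "suspect", "bad"


@dataclass(frozen=True)
class Reading:
    value: float  # sensor value in engineering units
    lo: float     # minimum value the sensor can produce
    hi: float     # maximum value the sensor can produce

    @property
    def span(self) -> float:
        return self.hi - self.lo


def range_check(r: Reading) -> str:
    """Classify one sensor by its position in percent of full scale."""
    pct = 100.0 * (r.value - r.lo) / r.span
    if pct < -0.5 or pct > 100.5:
        return BAD
    if pct < 0.5 or pct > 99.5:
        return SUSPECT      # assumption: exact band edges fall on this side
    return GOOD


def validate_pair(a: Reading, b: Reading, divergence_pct: float = 10.0,
                  combine: Callable[[Sequence[float]], float] = mean
                  ) -> Tuple[Optional[float], str]:
    """Two-sensor rules. Returns (displayed value, quality flag).

    combine is mean for an averaged parameter; pass max or min for a
    parameter that displays the worst case sensor. A value of None stands
    for the blue asterisks shown when both sensors are bad.
    Assumption: both sensors share the same range.
    """
    qa, qb = range_check(a), range_check(b)
    both = combine([a.value, b.value])
    if qa == GOOD and qb == GOOD:
        diverged = abs(a.value - b.value) > divergence_pct / 100.0 * a.span
        return both, (SUSPECT if diverged else GOOD)
    if GOOD in (qa, qb):                      # only one value good
        return (a if qa == GOOD else b).value, SUSPECT
    if qa == SUSPECT and qb == SUSPECT:       # both suspect
        return both, SUSPECT
    if SUSPECT in (qa, qb):                   # one suspect, one bad
        return (a if qa == SUSPECT else b).value, SUSPECT
    return None, BAD                          # both bad


def validate_many(readings: Sequence[Reading], divergence_pct: float = 10.0
                  ) -> Tuple[Optional[float], int]:
    """More than two sensors: average the good values that agree.

    Returns (average or None, number of sensors used). Agreement is judged
    against the median of the good values (an assumption; the report only
    says "within a divergence criterion of each other").
    """
    good = [r for r in readings if range_check(r) == GOOD]
    if not good:
        return None, 0
    centre = median(r.value for r in good)
    limit = divergence_pct / 100.0 * good[0].span
    kept = [r.value for r in good if abs(r.value - centre) <= limit]
    if not kept:
        return None, 0
    return mean(kept), len(kept)


def psig(v: float) -> Reading:
    """Constructed sample: main steam line pressure, 0 to 1,300 psig."""
    return Reading(v, 0.0, 1300.0)


def level(v: float) -> Reading:
    """Constructed sample: steam generator level, 0 to 100 percent."""
    return Reading(v, 0.0, 100.0)


if __name__ == "__main__":
    print(validate_pair(psig(655.0), psig(647.0)))    # agree
    print(validate_pair(psig(655.0), psig(900.0)))    # diverge by > 10%
    print(validate_pair(psig(1299.0), psig(1400.0)))  # suspect + bad
    print(validate_many([level(v) for v in (40.0, 38.0, 39.0, 42.0, 75.0, 100.8)]))
```
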

4.0 SAFETY EVALUATION PER 10CFR50.59

This evaluation analyzes the function, design, installation, and operation of the Safety Parameter Display System (SPDS) to ensure that SPDS implementation does not involve an unreviewed safety question. The objective of the evaluation is to verify that:

1) the probability of occurrence or the magnitude of the consequences of an accident or malfunction of equipment important to safety, previously evaluated in the FSAR, will not be increased,
2) the possibility for an accident or malfunction of a different type than any evaluated previously in the FSAR has not been created, and
3) the margin of safety as defined in the basis for any technical specification will not be reduced by the addition of the SPDS.

4.1 SPDS Function and Design

The SPDS provides a concise display of critical plant safety parameters to the control room personnel to aid them in rapidly and reliably determining the safety status of the plant. The SPDS will continuously display real-time information in the control room during normal and abnormal plant conditions.

The SPDS, however, is not a safety system and will perform no active safety function. The existing control room instrumentation provides the operators with the information necessary for safe reactor operation under normal, transient, and accident conditions. The SPDS will be used in addition to the existing instrumentation and will serve to aid and augment it.

4.2 SPDS Installation and Safety System Interface

The installation of the CPSES SPDS does not compromise any safety system or involve an unreviewed safety question for the following reasons:

All SPDS displays located in the control room are mounted per seismic category II specifications so that they will not affect any safety system in the event of a design basis seismic disturbance.

The ERFCS supporting computers are located in a separate, seismic category I, fire protected room adjacent to the control room, and will not affect any safety system in the event of a fire or design basis seismic disturbance.

The SPDS is electrically and electronically isolated from all CPSES safety related devices and complies with Class 1E isolation criteria.

4.3 SPDS Operation The SPDS operational safety evaluation encompasses three major areas:

functional requirements as specified by Federal Regulations and CPSES procurement specifications, input sensor verification, and control room operator influence.

4.3.1 SPDS Functional Requirements

The CPSES SPDS implementation was subject to an extensive verification and validation (V&V) program which followed the guidance of NSAC 39.

The verification (V&V) program provided an independent review to verify that:

  • All interfaces with existing safety-related and non-safety related equipment have been properly identified.

  • The proper design standards have been invoked.

  • The applicable design requirements have been properly implemented in the design, functional, and procurement specifications.

Additionally, an extensive validation testing program was employed to ensure proper functioning of the total integrated SPDS data acquisition, manipulation, and display systems per the verified design specifications.

4.3.2 SPDS Input Sensor Verification

Each plant system sensor that has input to the SPDS was simulated through the actual sensor field cables to ensure a one-to-one correspondence between the input sensor signal and the SPDS displayed value. This input/output verification process both assured accurate, non-ambiguous sensor input recognition by the SPDS, and determined that no input data were "lost" or "shuffled".

4.3.3 SPDS Control Room Operator Influence

The SPDS does not degrade control room operators' performance or ability to respond to plant operational requirements for either normal or accident conditions.

In addition to the human factors design considerations discussed in Section 2.3, the operators will be trained in the use of the SPDS.

Control room operators are trained in procedures which describe the timely and correct safety status assessment when the SPDS is and is not available. Operating procedures are written to preclude the operator from taking actions based solely on SPDS display information. The operating procedures require that all operator actions affecting the safety of the plant be based on information which has been confirmed using the existing control room indicators. Therefore, no transient or accident analyzed in the FSAR is affected by either the operation or the failure of the SPDS, nor is the potential increased for a malfunction or accident of a different type than those previously described in the FSAR.

5.0 SUMMARY AND CONCLUSIONS

This safety analysis report was prepared in response to section 4 of supplement 1 to NUREG-0737 (reference 1).

This SAR describes the methodology and basis on which the plant parameters selected for monitoring on the CPSES SPDS have been determined to be sufficient to assess the overall safety status of the plant in terms of the critical safety functions implemented in the CPSES Emergency Response Guidelines.

The CPSES SPDS parameter set was evaluated against the CPSES FSAR, technical specifications, SAS simulator-tested parameter set, NSAC-recommended parameter set, and the AIF-recommended set for sufficiency in terms of the type and number of parameters monitored to assess each safety function, and the range of plant conditions covered by the parameters. The final parameter set covers all Function Restoration Guidelines (FRG) entry conditions associated with critical safety function assessment, and includes all variables recommended by the SAS group for the SPDS. On the basis of this review and evaluation process, the CPSES parameters are sufficient to assess plant safety status over a wide range of conditions, including the symptoms of severe accidents and all modes of reactor operation. The function, design, installation, and operation of the CPSES SPDS were also analyzed in accordance with the provisions of 10 CFR 50.59, and it was concluded that no unreviewed safety question is involved with the SPDS implementation at CPSES.


6.0 REFERENCES

1. NRC Letter, Supplement 1 to NUREG-0737, "Requirements for Emergency Response Capability" (Generic Letter No. 82-33), December 17, 1982.

2. "Functional Design Specification for SAS Software (Proprietary)," prepared by Quadrex Corporation for the Ad Hoc Committee on Instrumentation Systems, Safety Assessment System Project, revision 2, May 1982.

3. "Safety Assessment System User Implementation Guide," QUAD-7-82-010, revision 0, prepared by Quadrex Corporation for the Ad Hoc Group of the Westinghouse Owners Group (WOG) Subcommittee on Instrumentation, May 1982.

4. Comanche Peak Steam Electric Station Final Safety Analysis Report (FSAR).

5. "Safety Assessment System Evaluation Program Report," prepared by Quadrex Corporation and Inpsych for the Ad Hoc Committee on Instrumentation Systems, Safety Assessment System Project, May 20, 1982.

6. A. R. Buhl, et al., "Nuclear-Plant Safety-Parameter Evaluation by Event Tree Analysis," NSAC-8, October 1980.

7. Letter from David G. Cain, NSAC, to AIF subcommittee on safety parameter integration, Parameter Selection Work Group, subject: SPDS Minimum Parameter Set, July 3, 1980.

APPENDIX 1

CRITICAL SAFETY FUNCTIONS AND ASSOCIATED MONITORED PARAMETERS

CRITICAL SAFETY FUNCTION    MONITORED PARAMETER

Subcriticality              Power Range Power
                            Intermediate Range Power
                            Intermediate Range Start-up
                            Source Range High Voltage
                            Source Range Start-up Rate

Core Cooling                Core Exit Temperatures
                            RCS Margin to Saturation

Heat Sink                   Steam Generator Levels
                            Steam Generator Pressures
                            Auxiliary Feedwater Flows

Integrity                   RCS Cold Leg Temperatures
                            RCS Hot Leg Temperatures
                            RCS Pressurizer Pressure
                            RCS Pressure

Containment                 Containment Pressure
                            Containment Water Level
                            Containment Radiation

Inventory                   RCS Cold Leg Loop Temperature
(without RVLIS)             RCS Hot Leg Loop Temperature
                            Pressurizer Level
                            RCS Charging Flow
                            RCS Letdown Flow
                            Safety Injection Pump Discharge Flow

Inventory                   Pressurizer Level
(with RVLIS)                Reactor Vessel Level

APPENDIX 2

SPDS PARAMETER RANGES

DISPLAYED PARAMETER               DISPLAYED RANGE

SOURCE RANGE POWER                1 - 10^6 CPS
INTERMEDIATE RANGE POWER          10^-11 - 10^-3 AMPS
POWER RANGE POWER                 0 - 120%
CORE EXIT TEMP                    0 - 2300°F
MARGIN TO SATURATION              -300 - 300°F
STEAM GENERATOR LEVEL (NR)        0 - 100%
MAIN STEAMLINE PRESSURE           0 - 1300 PSIG
REACTOR COOLANT SYSTEM PRESSURE   0 - 3000 PSIG
PRESSURIZER LEVEL                 0 - 100%
COLD LEG TEMPERATURE              0 - 700°F
CONTAINMENT PRESSURE (NR)         60 PSIG
CONTAINMENT TEMPERATURE           0 - 300°F
CONTAINMENT WATER LEVEL           808' - 817.5' (EL.)
CONTAINMENT HUMIDITY              0 - 100%
CONTAINMENT RADIATION             10 -10" MR/HR
REACTOR VESSEL LEVEL              (SEE NOTE 1)

Note 1 - Spatially distributed sensors indicate coolant or no coolant. See Figure 11.

APPENDIX 3

PARAMETERS DISPLAYED ON SPDS TREND GRAPHS

TREND GRAPH NAME        DISPLAYED PARAMETERS

RCS SUBCOOLING          RCS PRESSURE
                        AUCT. HIGH CORE EXIT TEMPERATURE
                        PRESSURIZER LEVEL

RCS PRESS / TEMP        AUCT. HIGH TAVE PLOTTED VS. RCS PRESSURE
                        (pairs plotted in non-scrolling background)

RCS TEMP, LOOP 1&2      LOOP 1 HOT LEG TEMPERATURE
                        LOOP 1 COLD LEG TEMPERATURE
                        LOOP 2 HOT LEG TEMPERATURE
                        LOOP 2 COLD LEG TEMPERATURE

RCS TEMP, LOOP 3&4      LOOP 3 HOT LEG TEMPERATURE
                        LOOP 3 COLD LEG TEMPERATURE
                        LOOP 4 HOT LEG TEMPERATURE
                        LOOP 4 COLD LEG TEMPERATURE

MSL PRESS               LOOP 1 MAIN STEAM LINE PRESSURE
                        LOOP 2 MAIN STEAM LINE PRESSURE
                        LOOP 3 MAIN STEAM LINE PRESSURE
                        LOOP 4 MAIN STEAM LINE PRESSURE

SG NR LVL               LOOP 1 SG NR LEVEL
                        LOOP 2 SG NR LEVEL
                        LOOP 3 SG NR LEVEL
                        LOOP 4 SG NR LEVEL

SG WR LVL               LOOP 1 SG WR LEVEL
                        LOOP 2 SG WR LEVEL
                        LOOP 3 SG WR LEVEL
                        LOOP 4 SG WR LEVEL

STM FLOW                LOOP 1 STEAM FLOW
                        LOOP 2 STEAM FLOW
                        LOOP 3 STEAM FLOW
                        LOOP 4 STEAM FLOW

FW FLOW                 LOOP 1 FEEDWATER FLOW
                        LOOP 2 FEEDWATER FLOW
                        LOOP 3 FEEDWATER FLOW
                        LOOP 4 FEEDWATER FLOW

AW FLOW                 LOOP 1 AUXILIARY FEEDWATER FLOW
                        LOOP 2 AUXILIARY FEEDWATER FLOW
                        LOOP 3 AUXILIARY FEEDWATER FLOW
                        LOOP 4 AUXILIARY FEEDWATER FLOW

CNTMT LPR               CONTAINMENT WATER LEVEL
                        CONTAINMENT PRESSURE
                        CONTAINMENT RADIATION

CNTMT HHT               CONTAINMENT HYDROGEN
                        CONTAINMENT RELATIVE HUMIDITY
                        CONTAINMENT TEMPERATURE

RAD MON.                STACK RADIATION
                        CONDENSER OFFGAS RADIATION
                        SG BLOWDOWN RADIATION
                        HIGHEST MAIN STEAM LINE RADIATION

NIS                     SOURCE RANGE POWER
                        INTERMEDIATE RANGE POWER
                        POWER RANGE POWER

TANK LVL                CONTAINMENT WATER LEVEL
                        REFUELING WATER STORAGE TANK LEVEL
                        CONDENSATE STORAGE TANK LEVEL