ML20155J575
| ML20155J575 | |
| Person / Time | |
|---|---|
| Site: | Haddam Neck |
| Issue date: | 05/13/1986 |
| From: | Opeka J CONNECTICUT YANKEE ATOMIC POWER CO. |
| To: | Charemagne Grimes Office of Nuclear Reactor Regulation |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737, TASK-2.F.2, TASK-TM A02959, A04135, A2959, A4135, GL-82-28, GL-82-33, GL-83-22, NUDOCS 8605230322 | |
| Download: ML20155J575 (55) | |
Text
CONNECTICUT YANKEE ATOMIC POWER COMPANY
BERLIN, CONNECTICUT
P.O. BOX 270, HARTFORD, CONNECTICUT 06141-0270
TELEPHONE 203-e85-5000

May 13, 1986

Docket No. 50-213
A02959
A04135

Office of Nuclear Reactor Regulation
Attn: Mr. C. I. Grimes, Director
Integrated Safety Assessment Project Directorate
Division of PWR Licensing - B
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
References:
(1) D. M. Crutchfield letter to W. G. Counsil, "Orders Confirming Licensee Commitments on Emergency Response Capability (Generic Letter 82-33, NUREG-0737)," dated June 12, 1984.
(2) W. G. Counsil letter to D. G. Eisenhut, "Supplement 1 to NUREG-0737; Requirements for Emergency Response Capability (Generic Letter No. 82-33)," November 28, 1983.
Gentlemen:
Haddam Neck Plant
Supplement 1 to NUREG-0737
Safety Parameter Display System Safety Analysis Report
ISAP Topic No. 1.20

By Reference (1), the NRC issued an Order confirming various commitments made by Connecticut Yankee Atomic Power Company (CYAPCO) on behalf of the Haddam Neck Plant regarding the implementation of Supplement 1 to NUREG-0737. This Order requires the submittal by May 13, 1986 of the Safety Parameter Display System (SPDS) Safety Analysis Report (SAR) and a schedule for the implementation of the SPDS. Accordingly, we hereby submit the SPDS SAR for the Haddam Neck Plant.
In addition, we commit to implement (including operator training) the SPDS defined in the attached SAR within six (6) months from the start of Cycle 15 or by March 25, 1988, whichever is later. This implementation date is based upon the Cycle 14 refueling outage beginning in July, 1987. If the Cycle 14 refueling outage starts before July, 1987, we may be unable to complete the SPDS on the current schedule due to equipment delivery schedules. In this instance, the implementation date for the SPDS will be within six (6) months from the start of Cycle 16.
The major milestones and their associated target dates for the implementation of the Haddam Neck Plant SPDS are included in Attachment No. 1. However, only the completion date provided above, which allows for any uncertainties in our schedule and for the unexpected, is considered a licensing commitment. Attachment No. 1 supersedes the SPDS implementation schedule previously provided in Attachment No. 2 in Reference (2).
It is our understanding, per handouts received at the February 22, 1983 regional workshop on Supplement 1 to NUREG-0737, that the NRC Staff will indicate acceptance of the SPDS SAR within approximately two (2) months.
The SPDS SAR in Attachment No. 2 includes a safety evaluation in accordance with 10 CFR 50.59. However, this evaluation has not been reviewed and approved by the Plant Operations Review Committee (PORC) or the off-site Nuclear Review Board (NRB). The PORC and NRB reviews will occur as required by our normal plant design change process.
We trust that this submittal complies with the requirements of Reference (1).
Very truly yours,
CONNECTICUT YANKEE ATOMIC POWER COMPANY

J. F. Opeka
Senior Vice President
Docket No. 50-213
Attachment No. 1
Haddam Neck Plant
SPDS Implementation Milestones
May, 1986

SPDS Implementation Milestones

| Milestone | Target Date |
|---|---|
| Identify Critical Safety Function (CSF) Parameters and Develop Algorithms | February, 1986 |
| Issue SPDS Functional Specification | February, 1986 |
| Submit Safety Analysis Report | May, 1986 |
| Complete SPDS Software Design Overview Document | September, 1986 |
| Complete SPDS Software Development | October, 1986 |
| Ship Hardware to Site | March, 1987 |
| Installation and Acceptance Testing | June, 1987 |
| Start Cycle 14 Refueling Outage | July, 1987 |
| Start of Cycle 15 | September, 1987 |
| SPDS Operational | March, 1988 |
Docket No. 50-213
Attachment No. 2
Haddam Neck Plant
Safety Parameter Display System Safety Analysis Report
May, 1986
Table of Contents

1.0 Introduction
1.1 Summary of the Safety Analysis
1.2 Discussion
1.3 NRC Criteria
2.0 SPDS Design Description
2.1 Overview
2.2 SPDS Definition
2.3 SPDS Availability
2.4 SPDS Use and Location
2.5 Modes of Operation
2.6 Data Storage
2.7 Signal Validation
2.8 Electric Power Sources
2.9 Electrical Separation
3.0 SPDS Critical Safety Function and Variable Selection
3.1 Selection Process
3.2 Critical Safety Functions
3.3 Critical Safety Function Variables
3.4 Radioactivity Release Function
3.5 Radioactivity Release Variables
3.6 Instrumentation
3.7 Analytical Basis for Critical Safety Function and Variable Selection
3.8 Emergency Response With and Without SPDS
4.0 SPDS Displays
4.1 Display Philosophy
4.2 Primary Displays
4.3 Secondary Displays
4.4 Display Change
4.5 Variable Status Indication
5.0 Signal Validation
5.1 Introduction
5.2 The Validation Process
6.0 Verification and Validation (V&V)
6.1 Verification and Validation Overview
6.2 SPDS Verification and Validation
7.0 Human Factors Engineering
7.1 Human Factors Engineering
7.2 Human Factors Design Guidelines
8.0 Safety Evaluation
9.0 Conclusions
Tables
Figures
Appendices:
A. Instrumentation for Critical Safety Function Monitoring
B. Instrumentation for Radioactivity Release Display
1.0 INTRODUCTION
1.1 Summary of the Safety Analysis
This report provides a written safety analysis for the Haddam Neck Plant Safety Parameter Display System (SPDS). Information is provided to show that the SPDS is being designed to meet the provisions of Supplement 1 to NUREG-0737.
The critical safety functions were selected to be consistent with the Westinghouse Owners' Group Emergency Response Guidelines from which the Haddam Neck Plant Emergency Operating Procedures (EOPs) are being developed.
The SPDS displays are being developed with the consideration of human factors principles. Signals input to SPDS will be evaluated for quality and validation.
A verification and validation program will be conducted, including an independent review of the SPDS.
In this manner, a SPDS design is being developed that will provide an effective aid to the operators in determining the safety status of the plant during abnormal and emergency conditions.
1.2 Discussion
The SPDS is one part of an integrated emergency response capability. It will be consistent with the Emergency Operating Procedures (EOPs) and the Operators' Training Program. For the Haddam Neck Plant, the EOPs will be based upon the Westinghouse Owners' Group Emergency Response Guidelines.

The Emergency Response Guidelines (ERGs) are composed of:
o Optimal Recovery Guidelines and Emergency Contingencies
o Critical Safety Function Status Trees and Restoration Guidelines

The Optimal Recovery Guidelines provide guidance for the operator to recover the plant from nominal design basis faulted and upset conditions.

The Function Restoration Guidelines, when used with the Critical Safety Function Status Trees, provide a systematic means for addressing any challenge to plant critical safety functions, which is entirely independent of initiating event or plant state.

The structure of the Critical Safety Function Status Trees has been carefully chosen to be compatible with the existing basis for operator training, since the status trees provide an explicit tool to re-emphasize the necessity for the operator to be always aware of the state of his plant safety functions. An additional advantage derived from the introduction of the status tree concept directly into the procedures structure is that the operator is provided with a performance aid, to reinforce his training and assist his memory, particularly during high-stress situations typical of transient or emergency conditions.

From this discussion of the Critical Safety Function Status Trees and the SPDS, it is clear that they perform the same functions and must be compatible. Thus, the Critical Safety Functions and Variables selection for SPDS has been based upon the Critical Safety Function Status Trees of the Emergency Response Guidelines.
1.3 NRC Criteria

1.3.1 Supplement 1 of NUREG-0737
Regarding the SPDS, Section 4.1 of Supplement 1 to NUREG-0737 identifies the following NRC criteria:

a. The SPDS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core. This can be particularly important during anticipated transients and the initial phase of an accident.

b. Each operating reactor shall be provided with a Safety Parameter Display System that is located convenient to the control room operators. This system will continuously display information from which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events.

c. The SPDS shall be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems. Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available will be developed by the licensee in parallel with the SPDS. Furthermore, operators should be trained to respond to accident conditions both with and without the SPDS available.

d. The selection of specific information that should be provided for a particular plant shall be based on engineering judgment of individual plant licensees, taking into account the importance of prompt implementation.

e. The SPDS display shall be designed to incorporate accepted human factors principles so that the displayed information can be readily perceived and comprehended by SPDS users.

f. The minimum information to be provided shall be sufficient to provide information to plant operators about:
(i) Reactivity control
(ii) Reactor core cooling and heat removal from the primary system
(iii) Reactor coolant system integrity
(iv) Radioactivity control
(v) Containment conditions
The specific parameters to be displayed shall be determined by the licensee.

The remainder of this report defines the extent of compliance of the Haddam Neck Plant SPDS with the above NRC criteria.
1.3.2 Generic Letter 82-28 (NUREG-0737 Item II.F.2)
Another designated function of the SPDS is to monitor the overall status of core cooling adequacy. The Class 1E display for Inadequate Core Cooling (ICC) is presently provided in the control room. Nonetheless, the primary ICC display will be provided via the SPDS. In the event that the SPDS is not available during accident conditions, the ICC information will still be available on Class 1E qualified devices (ICC panels).

As a minimum, the SPDS will include the capability to display the following ICC information:

a. Core map of all core exit thermocouples (CETs).
b. Pressure/temperature plots with the saturation curve, subcooling to 3000F, superheat to 450F.
c. Time history plots of ICC related variables including reactor vessel level and selected temperature inputs.
d. Water level in the reactor vessel head and upper plenum.
2.0 SPDS DESIGN DESCRIPTION

2.1 Overview
One function of the Haddam Neck Plant plant process computer system is to supply information required for responses to an emergency condition. This report covers only those functions of the plant process computer related to SPDS.

2.2 SPDS Definition
SPDS aids the control room operating crew in monitoring the status of the Critical Safety Functions (CSFs) that constitute the basis of the plant-specific, symptom-oriented EOPs. Its principal purpose is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core.

2.3 SPDS Availability
Although the SPDS need not be a safety-grade system, implementation of a highly reliable, state-of-the-art SPDS is an important design objective. As a design objective, the availability of the SPDS will be greater than 99 percent during normal plant operation. In this context, design availability is understood to encompass the following minimal functional capabilities:
1) The ability to monitor and display the status of all CSFs in at least one location in the control room.
2) The ability to determine the value of all variables which are used in the CSF status determination in at least one location in the control room.

2.4 SPDS Use and Location
SPDS displays of CSF status and supporting displays of CSF-related parameters will be accessible to operators in the vicinity of the main control board.

2.5 Modes of Operation
The CSFs defined for the Haddam Neck Plant are not appropriate for all modes of operation. Specifically, it is assumed that a status tree is entered from either a Start-up or Power Operation mode and not from a Refueling or Cold Shutdown mode. The design of the SPDS for the Haddam Neck Plant therefore only requires the availability of the SPDS in modes 1, 2, 3 and 4 (power operation, startup, hot standby, and hot shutdown).

2.6 Data Storage
Capability will be provided to store SPDS variables for the interval from two hours pre-event to twelve hours post-event.

2.7 Signal Validation
The SPDS will have the capability of validating individual signals used in SPDS displays and algorithms by use of simple analysis, checking and comparative methods to be specified for each SPDS variable.

2.8 Electric Power Sources
The SPDS, as part of the plant process computer system, will be powered from an emergency power supply in the event of loss of offsite power.

2.9 Electrical Isolation
The SPDS, as part of the plant process computer system (PPCS), will receive signals from both Class 1E and non-Class 1E sources. Electrical isolation will be provided for all signals that are in use for safety systems.

The existing PPCS at the Haddam Neck Plant will be replaced by a new PPCS. The new PPCS will provide isolation from existing safety system signals that is equivalent to that provided by the existing PPCS.

In addition to the existing safety system signals in the PPCS, the SPDS will require new signals from some safety systems. Electrical isolation will be provided for the new safety system signals. Qualified isolation devices will be selected for these new signals. Qualification data will be reviewed to ensure that the qualification program meets the following criteria:

a. Maximum credible faults applied at the output of the isolator, including faults applied in the transverse mode, do not perturb the input signal beyond a level determined to have no adverse effect on the safety systems at the Haddam Neck Plant. The maximum credible faults will be conservatively picked as the highest levels available within the PPCS.

b. The environmental and seismic qualifications of the devices envelop the basis for plant licensing.

Class 1E isolation devices will be powered from Class 1E power sources.

To protect the safety systems from electrical interference (e.g., electrostatic coupling, EMI, common mode and crosstalk) that may be generated by the SPDS, all instrumentation cables are twisted and shielded pairs and will be separated from power cables.
3.0 SPDS CRITICAL SAFETY FUNCTION AND VARIABLE SELECTION

3.1 Selection Process
The SPDS is being designed to complement the EOPs, that is, to aid the operator in implementing the EOPs. It is not intended to require the operator to use the SPDS displays in the transient identifications. The major user of the SPDS during a transient would be the senior reactor operator, to "see" the overall plant condition and how actions taken by the operator under his direction affect the maintenance of the six critical safety functions.

If the specific event can be diagnosed, the operator is directed to use a defined set of procedural steps to effect plant recovery. If no diagnosis is possible, the operator is trained to monitor certain critical safety functions which indicate overall plant safety status.

If any safety function is challenged, the operator is directed to a contingency action through an evaluation and identification scheme of the critical safety functions. To complement this plan, the SPDS can be most effectively used to continuously monitor the critical safety functions and assist the operator in the evaluation scheme to determine the appropriate contingency action. In this manner, the SPDS will be consistent with the Westinghouse Emergency Response Guidelines.

The Westinghouse Emergency Response Guidelines have identified the critical safety functions (CSFs) and have developed critical safety function status trees for critical safety function evaluation.

The Critical Safety Functions were selected to monitor three barriers to the release of radioactivity. The Critical Safety Functions are associated with the barriers in the following manner:

| Barrier | Critical Safety Function |
|---|---|
| Fuel Matrix and Fuel Clad | Maintenance of SUBCRITICALITY (minimize energy production in the fuel) |
| Fuel Matrix and Fuel Clad | Maintenance of CORE COOLING (provide adequate reactor coolant for heat removal from the fuel) |
| Fuel Matrix and Fuel Clad | Maintenance of a HEAT SINK (provide adequate secondary coolant for heat removal from the fuel) |
| Fuel Matrix and Fuel Clad | Control of Reactor Coolant INVENTORY (maintain enough reactor coolant for effective heat removal and pressure control) |
| Reactor Coolant System Pressure Boundary | Maintenance of a HEAT SINK (provide adequate heat removal from the RCS) |
| Reactor Coolant System Pressure Boundary | Maintenance of Reactor Coolant System INTEGRITY (prevent failure of RCS) |
| Reactor Coolant System Pressure Boundary | Control of Reactor Coolant INVENTORY (prevent flooding and loss of pressure control) |
| Containment Vessel | Maintenance of CONTAINMENT Integrity (prevent failure of containment vessel) |

Situations can arise in which the integrity of a barrier is lost and cannot be restored even though all Critical Safety Functions are satisfied. The classic double-ended guillotine break of reactor coolant system piping constitutes an irrevocable failure of the reactor coolant system pressure boundary barrier. In this situation the reactor coolant system pressure boundary barrier is recognized to be failed, and all available resources are directed toward minimizing further degradation of the failed barrier and keeping the fuel matrix/cladding barrier and the containment barrier intact.

The SPDS will be used to assist in the CSF evaluation by monitoring the CSFs, using the same logic as the CSF status trees. This is necessary to facilitate operator use of the SPDS in support of the Haddam Neck Plant Emergency Operating Procedures. A preliminary containment CSF status tree display is provided as an example in Figure 1.

The SPDS will also display information for Radioactivity Release. Radioactivity Release is not a critical safety function, however, since radioactivity assessment has already been factored into the containment CSF.

3.2 Critical Safety Functions
The critical safety functions are shown in Table 1 in order of priority. The status of the critical safety function will be indicated by four states:
o Green - critical safety function is satisfied
o Yellow - critical safety function is not fully satisfied
o Orange - critical safety function is under severe challenge
o Red - critical safety function is in jeopardy

The state of the critical safety functions will be determined using the status tree logic.
3.3 Critical Safety Function Variables
The variables for determining critical safety function status will be the decision points in the critical safety function status trees. These variables are listed in Table 2, grouped by safety function.

3.4 Radioactivity Release Function
The status of the radioactivity release function will be indicated by two states:
o Green - no abnormal releases
o Red - abnormal releases in progress

3.5 Radioactivity Release Variable
The main stack is the only monitored release path, and hence the only variable listed in Table 3. The containment radiation monitors are included as part of the variables for the containment CSF.

3.6 Instrumentation
The instruments used in measuring the critical safety function and radioactivity release variables are given in Appendices A and B, respectively.

3.7 Analytical Basis for Critical Safety Function and Variable Selection
The SPDS critical safety functions and variables have been chosen to be identical to the critical safety functions developed for the Emergency Response Guidelines. Thus, the analytical basis for the SPDS selection is the same as the basis for the ERGs. These ERG critical safety function status trees were reviewed and approved for implementation by the NRC in its Safety Evaluation of "Emergency Response Guidelines" (Generic Letter 83-22).

3.8 Emergency Response With and Without SPDS
The Emergency Response Guidelines contain CSF evaluations that are simple enough to allow manual evaluations. These manual evaluations will be performed if the SPDS is not available. Since the SPDS is entirely compatible with the ERGs, only one set of procedures (EOPs) is required.
4.0 SPDS DISPLAYS

4.1 Display Philosophy
Each display location provides independent access to SPDS displays. Displays selected at one CRT can be different from those displays selected elsewhere. During an emergency, for example, this would allow operators to select SPDS displays that aid process control actions and permit supervisory personnel to simultaneously view SPDS displays oriented toward overview and safety assessment.

In order to maintain CSF status indication at all times, one SPDS display will include indication of the status of each CSF in a format that is common to all SPDS displays. CSF status will be supplemented on each display with a unique set of information and plant data developed to aid one or more of the following:
a. Assessment and Control of CSF plant variables.
b. EOP Entry Condition Indication.
c. CSF Status Tree Assessment.

The set of SPDS displays and access controls will be implemented with a hierarchy or structure that facilitates and systematizes passage between displays.

4.2 Primary Displays
At least one (1) control room CRT will continuously monitor the status of all CSFs during Modes 1, 2, 3 & 4. Other information may be displayed simultaneously as long as the status of the CSFs is still able to be determined. CSF monitoring will include indication of the need to enter a specific Function Recovery Procedure as defined in the ERGs and EOPs.

Each SPDS display will show a common set of indications of the status of the six CSFs and of Radioactivity Release. Status indication colors will correspond to the status colors in the ERGs and EOPs. When any Function Recovery entry condition is met, this will be indicated by the CSF to which it applies. The format for presenting this information will be common to all SPDS displays.

4.3 Secondary Displays
During normal, transient and accident conditions access will be provided to a certain number of predefined displays. These secondary displays will support the CSF status indicators and enable the operating crew to evaluate the reasons for changes in CSF status and the potential need to enter a Function Recovery Procedure.

The set of secondary displays will consist of at least one display oriented to each of the following functions:
a. Subcriticality CSF Variables and Status Tree.
b. Core Cooling CSF Variables and Status Tree.
c. Heat Sink CSF Variables and Status Tree.
d. Integrity CSF Variables and Status Tree.
e. Containment CSF Variables and Status Tree.
f. Coolant Inventory CSF Variables and Status Tree.

4.4 Display Change
Each secondary display will be accessible through a menu. Once a secondary display is presented on the CRT, other supporting displays can be accessed in a timely manner. All display page changes will be operator initiated and not computer initiated.

4.5 Variable Status Indication
All SPDS variables will be displayed with a visual indication of the associated quality level as determined by SPDS data processing and validation, e.g., invalid or unvalidated variables could be tagged. Appropriate visual indication will also be available on displays of SPDS variables when out-of-scan or substituted signals are involved.
5.0 SIGNAL VALIDATION

5.1 Introduction
The use of misleading data by the SPDS should be avoided since it can adversely affect the quality of many variables. Sources of misleading data include sensors that fail, peg, or are removed from scan and instrumentation that drifts. Signal validation techniques will be incorporated into the software processing to reduce the chance of using inappropriate data.

5.2 The Validation Process
Sensor signals used by the SPDS will undergo pass/fail processing, range limit checking and signal validation, as appropriate, before being used in the algorithms which determine the status of the safety functions. The quality of a plant parameter is indicated by its quality label.

The validation process is as described below:

a. Pass/fail processing determines whether or not a sensor signal is in scan, the analog/digital converter drift is within design limits, and data communication paths are intact. A sensor signal failing pass/fail processing is assigned an invalid quality tag.

b. Range limit checking assures that a sensor signal is within predetermined limits near the upper and lower ends of the instrument range. A sensor signal not within the range limit is assigned an out of range quality label.

c. Signal validation determines whether or not a sensor signal is consistent with other redundant signals within a specified error band. A sensor signal failing signal validation is assigned an invalid quality tag and one passing is assigned a validated quality tag. A sensor signal which cannot be validated because redundant sensors have failed is assigned an unvalidated quality label.

Validated parameters will be used by the SPDS to evaluate the status of the safety functions. Presentation of information for the SPDS will be associated with quality labels which will indicate the quality of the processed sensor signal and the quality of calculated variables.

Five distinct quality labels will be used:

Validated - Applies when redundant sensor signals or analytically derived variables are compared within a specified error band, pass limit checking, and pass Pass/Fail.

Unvalidated - Applies when a calculated estimate cannot be validated due to lack of consistency in the sensor signals.

Invalid - Applies when a sensor signal fails Pass/Fail or when a sensor signal fails the comparison with redundant sensors.

Out of Range - Applies when sensor signals are above a high limit or below a low limit.

Substituted - Applies when a substituted value is used instead of the actual sensor signal. Substituted values are treated as invalid by the SPDS algorithms.

The approach to signal validation implemented on the Haddam Neck Plant SPDS is based on the parity space concept for fault detection and isolation developed at C. S. Draper Laboratory for nuclear plant applications. The PARITY software module is adapted for use on the Haddam Neck Plant plant process computer. The standard use of PARITY is to evaluate each plant parameter based on three to five redundant sensor signals, and to provide a composite best estimate of the parameter along with an indication of the quality of the estimate. Additional software was developed to make non-standard decisions, to revise the quality tag for each inconsistent sensor signal and to estimate parameters having only two redundant sensor signals.

It is believed that the described use of signal validation will provide input to the SPDS that:
a. is purged of inconsistent signals when remaining signals are consistent,
b. is chosen using pre-established decisions if sufficient consistency is lacking, and
c. is labelled to inform the operator of its quality status.

Thus, the process is designed to provide extra reliability and to reduce decision-making overhead in emergency situations.
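The three stages of Section 5.2 (pass/fail processing, range limit checking, redundant-sensor consistency checking) and the five quality labels, as an added Python example that is not the PARITY module or any plant software; the sensor names, range limits, error band and the `max` fallback rule are constructed assumptions, the last standing in for the plant's pre-established decision rule.

```python
"""Added example: SPDS-style sensor quality labelling for one plant parameter.
Not the PARITY module or plant code; all sample values are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Quality(Enum):
    VALIDATED = "Validated"
    UNVALIDATED = "Unvalidated"
    INVALID = "Invalid"
    OUT_OF_RANGE = "Out of Range"
    SUBSTITUTED = "Substituted"


@dataclass
class Sensor:
    """One redundant channel feeding a plant parameter (constructed shape)."""
    name: str
    value: Optional[float]          # None when no reading is available
    in_scan: bool = True            # channel has not been removed from scan
    adc_drift_ok: bool = True       # analog/digital converter drift within limits
    comm_ok: bool = True            # data communication path intact
    substituted: bool = False       # an entered value replaces the sensor


def pass_fail(sensor: Sensor) -> bool:
    """Stage a: in scan, converter drift within design limits, comm path intact."""
    return (sensor.in_scan and sensor.adc_drift_ok and sensor.comm_ok
            and sensor.value is not None)


def in_range(value: float, low: float, high: float) -> bool:
    """Stage b: reading lies between the limits near the ends of the instrument span."""
    return low <= value <= high


def validate_parameter(
    sensors: List[Sensor],
    low: float,
    high: float,
    error_band: float,
    fallback: Callable[[List[float]], float] = max,
) -> Tuple[Optional[float], Quality, Dict[str, Quality]]:
    """Run stages a-c over the redundant channels of one parameter.

    Returns (best estimate, parameter quality label, per-sensor labels).
    `fallback` is the pre-established decision used when consistency is
    lacking; `max` is an assumption here, not the plant's actual rule.
    """
    tags: Dict[str, Quality] = {}
    candidates: List[Sensor] = []
    for s in sensors:
        if s.substituted:
            tags[s.name] = Quality.SUBSTITUTED   # treated as invalid by the algorithms
        elif not pass_fail(s):
            tags[s.name] = Quality.INVALID
        elif not in_range(s.value, low, high):
            tags[s.name] = Quality.OUT_OF_RANGE
        else:
            candidates.append(s)

    if not candidates:
        return None, Quality.INVALID, tags

    # Stage c: the largest set of channels agreeing with one reference channel
    # within the error band is taken as the consistent set.
    best_group: List[Sensor] = []
    for ref in candidates:
        group = [c for c in candidates if abs(c.value - ref.value) <= error_band]
        if len(group) > len(best_group):
            best_group = group

    if len(best_group) >= 2:
        # Consistent channels are validated, inconsistent ones are purged as
        # invalid, and the estimate is the mean of the consistent set.
        consistent = {c.name for c in best_group}
        for c in candidates:
            tags[c.name] = Quality.VALIDATED if c.name in consistent else Quality.INVALID
        estimate = sum(c.value for c in best_group) / len(best_group)
        return estimate, Quality.VALIDATED, tags

    # No two channels agree (or only one survived): nothing can be validated,
    # so the estimate comes from the pre-established decision rule.
    for c in candidates:
        tags[c.name] = Quality.UNVALIDATED
    return fallback([c.value for c in candidates]), Quality.UNVALIDATED, tags


# Constructed sample: four redundant pressure channels (psig); one has drifted
# away from the others and one has been removed from scan.
SAMPLE_SENSORS = [
    Sensor("PT-1", 2235.0),
    Sensor("PT-2", 2240.0),
    Sensor("PT-3", 2105.0),                  # inconsistent with PT-1 and PT-2
    Sensor("PT-4", 2238.0, in_scan=False),   # out of scan: fails pass/fail
]


def demo() -> Tuple[Optional[float], Quality, Dict[str, Quality]]:
    """Validate the constructed sample with constructed limits and error band."""
    return validate_parameter(SAMPLE_SENSORS, low=50.0, high=2950.0, error_band=25.0)


if __name__ == "__main__":
    est, q, labels = demo()
    print(f"estimate={est} quality={q.value}")
    for name, tag in labels.items():
        print(f"  {name}: {tag.value}")
```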
6.0 VERIFICATION AND VALIDATION (V&V)

6.1 Verification and Validation Overview
This section provides an overview of the system verification and validation program. The objective of the Verification and Validation (V&V) program is to provide a quality SPDS through independent technical review and evaluation conducted in parallel with SPDS development.

When V&V is integrated with the SPDS development process it provides a means for:
a. independent technical evaluation of the system
b. assuring formally documented implementation
c. improved integration of system hardware and software
d. regulatory review and approval

V&V will be accomplished in accordance with a documented V&V plan.

6.2 SPDS Verification and Validation
Key overall elements of SPDS V&V will be to assure:
a. Comprehensive technical review of system functional requirements to determine that the SPDS will perform appropriate functions.
b. Comprehensive technical evaluation of the implementation process to establish that tasks are a consistent, complete and correct translation of previous tasks.
c. Adequate documentation of the system, as well as for system implementation.
d. Adequate configuration management to document and control system and implementation changes.

6.2.1 SPDS Design Verification
The objective of SPDS design verification is to review the system functional and design requirements to determine that they are adequate and technically correct, and then to review the following design activities to verify that the translation of requirements is adequate and technically correct throughout the ensuing design steps.

System functional requirements are the foundation on which the SPDS will be designed, built, installed and accepted. The system design will also be validated against the functional requirements.

SPDS functional requirements will be verified against the criteria of Supplement 1 to NUREG-0737 and any other criteria that are identified to serve as the basis for SPDS functional definition.

After verification of the functional and design requirements, other design documentation will be verified for accurate and complete translation of the requirements from various tasks in the design process to the subsequent ones. Verification will include a correlation between the design features and the requirements.

6.2.2 SPDS Validation
SPDS validation will be conducted using a combination of the three levels listed below and will assure that the system meets functional requirements and will aid control room use of EOPs.

a. Factory Testing: SPDS software and hardware will be integrated for functional testing prior to site installation. Testing will be conducted for appropriate hardware, software and system functions in accordance with a systematic test plan.

b. Installation and Acceptance Testing: After SPDS installation in the plant has been completed, functional testing will be performed to demonstrate correct operation of the installed SPDS hardware and software. End-to-end checkouts of all SPDS inputs and outputs will be performed. These checkouts will cover from sensor signal input to SPDS variable display.

c. Man-in-the-Loop Evaluation: Operations personnel, trained in EOPs, will review CSF displays and interface provisions. The objective of this evaluation (not necessarily performed in the control room) will be to review the SPDS design as a potential aid to emergency response by operations personnel.
7.0 HUMAN FACTORS ENGINEERING
7.1 Human Factors Engineering
The fundamental SPDS design objective is to serve as an operator aid to monitor the overall safety status of the plant.
Human factors considerations must be an integral part of a program to successfully develop such a system.
This section describes the role of the primary SPDS user, the context of use, and the human factors principles that will be incorporated into the SPDS design.
7.1.1 SPDS Use
The Haddam Neck Plant control room staff includes four licensed operators (i.e., two Senior Reactor Operators (SROs) and two Reactor Operators (ROs)). One of the SROs will be the Shift Supervisor (SS). The SS/SRO will be the primary SPDS user. The SPDS is intended to help the SS/SRO in managing the plant during unusual situations where problem detection and problem solving on a plant-wide scale are involved. The major role of the SPDS is to help the operating crew maintain the plant in a safe condition or to show how to return the plant to a safe condition if it has departed from normality.
The SPDS is intended as an aid to the SS/SRO, not as a replacement for necessary safety equipment. The SPDS serves as a concentrated data source and thus permits the SS/SRO to obtain desired information without walking the boards to check readings.
The role of the SS/SRO is as a decision maker and manager of the plant.
The role of ROs and the other SRO is to assist the SS/SRO by carrying out the tasks deemed necessary by the SS/SRO. Although ROs are carrying out specific tasks such as maintaining levels, starting pumps, or checking instrument readings, they need to be cognizant of the impact their operations have on overall plant condition.
SPDS displays will be accessible to RO personnel to help maintain the needed understanding of the overall picture and to foster a team approach to plant emergency response.
7.1.2 Control Room Design
The arrangement and number of SPDS display stations in the control room will provide separate SPDS stations for the SS/SRO (away from the boards) and for operators (visible from operating stations at the boards).
This arrangement will provide the SS/SRO with a good view of the SPDS from his work station (the SPDS and the boards can be seen at the same time) and by the operators from their stations at the boards. Thus the arrangement will permit a flexible use pattern which is weighted towards the needs of the SS/SRO while still permitting RO use.
7-1
7.2 Human Factors Design Guidelines
The following is a discussion of the human factors activities to be accomplished during the development of the SPDS computer generated displays.
7.2.1 Task Definition
This activity is designed to acquaint the designer with the reasoning behind the display requirements and to give him a feel for how and when the displays will be used. The designer determines how each task is presently performed, the information needed to accomplish it, and how the display can assist in plant performance.
7.2.2 Determine Equipment Considerations
The purpose of this activity is to assure that any limitations which may be imposed by the equipment are known to the display designer.
For example, the designer needs to determine the amount of information that will fit on one CRT screen, colors available, controls, brightness, etc.
7.2.3 Determine Viewing Environment
The purpose of this activity is to become familiar with the location and environment in which the equipment is to be used. It is also necessary to determine the positions (e.g., standing, sitting, viewing distances) from which the user will want to read the information on the displays.
7.2.4 Determination of Human Factors Criteria
This activity is to obtain a definition of existing human factors criteria that apply to the specific environmental conditions or display features.
Most of the criteria utilized for CRT displays can be found in Section 6.7.2 of NUREG-0700 (Cathode Ray Tube Displays).
7.2.5 Develop Display Concept
The display concept will be developed to give the display designer an overall idea of how he is going to accomplish the total task, how many displays will be used and how each one fits into the total picture. It will enable the design to be in accordance with user capabilities so that the resulting displays mesh with user needs. In general, the designer will develop the following information:
a. Identify user needs
b. How many displays are needed
c. Define the task to be accomplished with each display
d. How they should be set up (hierarchy)
e. How the displays are to be accessed
f. How any required data are to be entered
g. How the user can recover from any errors
h. Define user capabilities (e.g., a newly licensed operator)
i. Develop a prompt philosophy based on operator capabilities
7-2
7.2.6 Design Review
The purpose of this activity is to ensure that the overall plan for display design is satisfactory. This is also another control point in the design process. It permits the designer to be sure that his product is going to meet all requirements when it is completed.
7.2.7 Develop Displays
This is the actual design of the displays. All of the activities above are designed to get the designer to this point with enough knowledge of user needs, equipment capabilities, and the environmental constraints so that the resulting product is compatible with all requirements. In general, the following activities are performed as part of this process:
a. Determine how the needed information is to be shown.
b. Determine the appearance of each display element.
c. Determine the colors to be used.
d. Determine the dynamics of each variable element.
e. Determine access to each display.
f. Determine how the user can recover from errors.
g. Determine what prompts are to be used and where.
7.2.8 Display Review
The purpose of this step is to ensure that the detailed design meets all the original requirements. An important step in this process is a review of the displays by typical users (i.e., plant operators).
7.2.9 Issue System Specification
This is the final control point for the display design before its release for implementation.
It also provides clear guidance to programming personnel regarding the final product.
7-3
8.0 SAFETY EVALUATION
The SPDS will be designed to complement the EOPs (i.e., to aid the operator in implementing the EOPs). It is not intended that the SPDS be necessary for EOP execution. The major use of the SPDS during emergency conditions will be to allow the reactor operators to quickly "see" the overall plant condition and how actions taken affect the maintenance of the six Critical Safety Functions (CSFs). The currently planned SPDS design will have the following characteristics:
a. It cannot directly cause any plant transient.
b. It will not affect the operation of any safety grade equipment because it will be appropriately isolated from them (see Section 2.9).
c. It will not be required for EOP execution.
d. It will not provide misleading information to the operator because of the Signal Validation (see Section 5.0) and the substantial Verification and Validation effort (see Section 6.0).
Because of the above assessment, it can be concluded that the SPDS will not directly affect the operation of any plant component, nor will it adversely affect the operator's ability to diagnose and respond to a plant transient. Therefore, it will not cause any previously unanalyzed accident or increase the probability of occurrence of a previously analyzed accident.
The SPDS will be strictly a monitoring device and will not directly cause any plant operation. Therefore, it cannot affect any of the accidents analyzed in the FDSA nor can it affect any of the barriers between the nuclear fuel and the public.
Hence, the SPDS will not increase the probability of occurrence of any previously analyzed accident nor decrease the margin of safety as defined in the basis for any technical specification.
From the above discussion, the following can be concluded about implementation of the planned SPDS:
a. There will not be an increase in the probability of occurrence or the consequences of an accident or malfunction of equipment important to safety (i.e., safety-related) previously evaluated in the safety analysis report.
b. There will not be a possibility for the creation of an accident or malfunction of a different type than any evaluated previously in the safety analysis report.
8-1
c. There will not be a reduction in the margin of safety as defined in the basis for any technical specification.
Therefore, the implementation of the SPDS will not constitute an unreviewed safety question as defined in 10CFR50.59. In addition, it will not require any changes to the plant's technical specifications.
8-2
9.0 CONCLUSION
The SPDS for the Haddam Neck Plant is being designed to adequately address the provisions of Supplement I to NUREG-0737. Specifically:
a) The SPDS will provide a concise display of critical plant variables to aid the control room operators in determining the safety status of the plant that will be consistent with the Westinghouse Emergency Response Guidelines and the Haddam Neck Plant Emergency Operating Procedures.
b) The SPDS will display CSF information on colorgraphic terminals located in the control room. The SPDS will display the status of the CSFs continuously. The SPDS will be part of the plant process computer system and is being designed to meet availability considerations consistent with the SPDS function.
c) Since the SPDS will be completely consistent with the Westinghouse Emergency Response Guidelines, only one set of procedures is required for emergency response with and without the SPDS.
d) The critical safety functions and variables have been selected to be consistent with the analytical basis of the Emergency Response Guidelines.
e) The SPDS displays are being designed to meet human factors principles.
f) The SPDS provides information about: (1) reactivity control, (2) core cooling and heat removal, (3) RCS integrity, (4) radioactivity control, and (5) containment conditions.
This safety analysis shows that the SPDS will be consistent with Emergency Response Guidelines and the Haddam Neck Plant Emergency Operating Procedures, and provides an integrated approach to abnormal and emergency conditions. Human factors principles are being considered in the design to assure that the operators can use the SPDS effectively. A Verification and Validation Program will assure that independent reviews are conducted to assure proper implementation of the SPDS design.
9-1
The development of the SPDS will be an effective aid for the control room operators to determine the safety status of the plant during abnormal and emergency conditions.
9-2
TABLES
TABLE 1: Critical Safety Functions
I.   Subcriticality   (Highest Priority)
II.  Core Cooling
III. Heat Sink
IV.  Integrity
V.   Containment
VI.  Inventory        (Lowest Priority)
TABLE 2: Critical Safety Function Variables
SAFETY FUNCTION         VARIABLE
I.   Subcriticality     1. Reactor trip
                        2. Power level
                        3. Startup rate
                        4. Source range energized
II.  Core Cooling       1. Core exit temperature
                        2. RCS subcooling
III. Heat Sink          1. S/G level
                        2. Total FW flow rate
                        3. S/G pressure
IV.  Integrity          1. Cooldown rate
                        2. RCS temperature
                        3. RCS pressure
V.   Containment        1. Containment pressure
                        2. Containment level
                        3. Containment radiation
VI.  RCS Inventory      1. Pressurizer level
                        2. Reactor vessel level
TABLE 3: Variable for Radioactivity Release
1. Main Stack Radiation Alarm
FIGURES s
1
HH:MM: 8S CTMT RED I
Colli A1NMElli N
F R-Z.1 i
PR ES SullE
< 4 0 l' S t G Y
ORANGE I
C0filAltlHENT N
{ p_] *l PRESSURE
< 35 P SIG Y
a ORANGE g
N R -Z.2
~
CONTAINMENr N
WATER LEVEL
< 6 fT Y.
YELLOW I
CONIAltlMENT N
{ p_] *}
RADIATION
< 10 R/HR Y
GREEN CTMT PREST XX@ PSIG WATER LVLt X. XLO F T CTMT RADt XX.XtiXXIO R/IIR
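As an added illustration, not part of the original report, the following Python sketch evaluates a containment status tree of the kind shown in the figure over validated redundant inputs. The threshold values are those printed on the figure; the check order and the colour on each "N" branch are our reading of the garbled figure, and the channel tolerances and the water-level tag names are assumptions.

```python
from typing import Optional, Tuple

# Thresholds as printed on the containment status-tree figure in this report
# (40 PSIG, 35 PSIG, 6 FT, 10 R/HR). The check order and the colour on each
# "N" branch follow our reading of the garbled figure and are an assumption.
PRESSURE_RED_PSIG = 40.0
PRESSURE_ORANGE_PSIG = 35.0
WATER_LEVEL_ORANGE_FT = 6.0
RADIATION_YELLOW_R_HR = 10.0

def validate_pair(a: Optional[float], b: Optional[float], tol: float) -> Optional[float]:
    """Minimal signal validation for a redundant channel pair (e.g. PT1810A/PT1810B):
    mean of two live channels that agree within tol (an assumed value), the single
    live channel if only one is available, None if they disagree or neither is live."""
    live = [v for v in (a, b) if v is not None]
    if not live:
        return None
    if len(live) == 2 and abs(live[0] - live[1]) > tol:
        return None  # disagreement: refuse to manufacture a value
    return sum(live) / len(live)

def containment_status(pressure_psig: Optional[float], water_level_ft: Optional[float],
                       radiation_r_hr: Optional[float]) -> Tuple[str, Optional[str]]:
    """Walk the status tree top-down; the first failed check fixes the colour.
    Returns (colour, procedure), procedure being the FR-Z reference legible on that
    branch of the figure. A missing input yields INVALID, never GREEN, so an
    unvalidated signal cannot show the operator a reassuring status."""
    if pressure_psig is None or water_level_ft is None or radiation_r_hr is None:
        return ("INVALID", None)
    if not pressure_psig < PRESSURE_RED_PSIG:
        return ("RED", "FR-Z.1")
    if not pressure_psig < PRESSURE_ORANGE_PSIG:
        return ("ORANGE", "FR-Z.1")
    if not water_level_ft < WATER_LEVEL_ORANGE_FT:
        return ("ORANGE", "FR-Z.2")
    if not radiation_r_hr < RADIATION_YELLOW_R_HR:
        return ("YELLOW", None)
    return ("GREEN", None)

def evaluate_from_channels(pt_a, pt_b, lt_a, lt_b, rad_a, rad_b):
    """Validate each redundant pair (pressure tags PT1810A/B and radiation CD-1/CD-2
    per Appendix A; water-level tags are illegible in the source) and evaluate
    the tree on the validated values. Tolerances are assumed."""
    return containment_status(validate_pair(pt_a, pt_b, 2.0),
                              validate_pair(lt_a, lt_b, 0.5),
                              validate_pair(rad_a, rad_b, 1.0))
```

With constructed channel readings of 36.0 and 36.5 PSIG, normal level and radiation, the tree reports ORANGE with FR-Z.1; with the two pressure channels 4 PSIG apart the validation step withholds a value and the display state becomes INVALID.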
APPENDIX A INSTRUMENTATION FOR CRITICAL SAFETY FUNCTION MONITORING
CRITICAL SAFETY FUNCTION: Subcriticality   VARIABLE: Reactor Trip
Description                                Instrument No.
First Out Trip Annunciators                N/A
CRITICAL SAFETY FUNCTION: Subcriticality   VARIABLE: Power
Description                                Instrument No.
Power Range Nuclear Instrumentation        NE 31, NE 32, NE 33, NE 34
CRITICAL SAFETY FUNCTION: Subcriticality   VARIABLE: Startup Rate
Description                                Instrument No.
Intermediate Range Monitor                 NE 21, NE 22
Source Range Monitor                       NE 11, NE 12, NE 14
CRITICAL SAFETY FUNCTION: Subcriticality   VARIABLE: Source Range Energized
Description                                Instrument No.
Source Range Power                         SRP1, SRP2
CRITICAL SAFETY FUNCTION: Core Cooling     VARIABLE: Core Exit Temperature
Description                                Instrument No.
Core Exit Thermocouples                    N/A
CRITICAL SAFETY FUNCTION: Core Cooling     VARIABLE: RCS Subcooling
Description                                Instrument No.
Core Exit Thermocouples                    N/A
Pressurizer Pressure                       PT401-1, PT401-2, PT401-3
RCS Pressure                               PT403, PT404
CRITICAL SAFETY FUNCTION: Heat Sink        VARIABLE: S/G Level
Description                                Instrument No.
Wide Range S/G Level - 1                   LT1302-1A, LT1302-1B
Wide Range S/G Level - 2                   LT1302-2A, LT1302-2B
Wide Range S/G Level - 3                   LT1302-3A, LT1302-3B
Wide Range S/G Level - 4                   LT1302-4A, LT1302-4B
CRITICAL SAFETY FUNCTION: Heat Sink        VARIABLE: Total FW Flow
Description                                Instrument No.
AFW 1                                      FT1301-1C
AFW 2                                      FT1301-2C
AFW 3                                      FT1301-3C
AFW 4                                      FT1301-4C
CRITICAL SAFETY FUNCTION: Heat Sink        VARIABLE: S/G Pressure
Description                                Instrument No.
S/G Outlet Pressure 1                      PT1201-1
S/G Outlet Pressure 2                      PT1201-2
S/G Outlet Pressure 3                      PT1201-3
S/G Outlet Pressure 4                      PT1201-4
CRITICAL SAFETY FUNCTION: Integrity        VARIABLE: Cooldown Rate
Description                                Instrument No.
Cold Leg RTD Loop #1                       TE413B
Cold Leg RTD Loop #2                       TE423B
Cold Leg RTD Loop #3                       TE433B
Cold Leg RTD Loop #4                       TE443B
Reactor Head Thermocouple                  TE415
CRITICAL SAFETY FUNCTION: Integrity        VARIABLE: RCS Temperature
Description                                Instrument No.
Cold Leg RTD Loop #1                       TE413B
Cold Leg RTD Loop #2                       TE423B
Cold Leg RTD Loop #3                       TE433B
Cold Leg RTD Loop #4                       TE443B
CRITICAL SAFETY FUNCTION: Integrity        VARIABLE: RCS Pressure
Description                                Instrument No.
Pressurizer Pressure                       PT401-1, PT401-2, PT401-3
Wide Range RCS Pressure                    PT403, PT404
CRITICAL SAFETY FUNCTION: Containment      VARIABLE: Containment Pressure
Description                                Instrument No.
Wide Range Pressure                        PT1810A, PT1810B
CRITICAL SAFETY FUNCTION: Containment      VARIABLE: Water Level
Description                                Instrument No.
Wide Range Water Level                     LTIS10A, LTIS10B
CRITICAL SAFETY FUNCTION: Containment      VARIABLE: Containment Area Radiation
Description                                Instrument No.
Wide Range Monitors                        CD-1, CD-2
CRITICAL SAFETY FUNCTION: Inventory        VARIABLE: Pressurizer Level
Description                                Instrument No.
Pressurizer Level                          LT401-1, LT401-2, LT401-3
CRITICAL SAFETY FUNCTION: Inventory        VARIABLE: RV Level
Description                                Instrument No.
Head Level                                 Train A, Train B
Plenum Level                               Train A, Train B
APPENDIX B INSTRUMENTATION FOR RADIOACTIVITY RELEASE DISPLAY
RADIOACTIVITY RELEASE DISPLAY VARIABLE: Effluent Radiation
Description                                Instrument No.
Main Stack Wide Range Noble Gas Monitor Alarm   R14B