ML20197B749


Rev 1 to SAR Re Suppl 1 to NUREG-0737 Concerning SPDS
Site: Millstone
Issue date: 10/31/1986
From: NORTHEAST NUCLEAR ENERGY CO.
To:
Shared Package: ML20197B397
References: RTR-NUREG-0737, RTR-NUREG-737, TAC-51257, NUDOCS 8610300396


Text

Docket No. 50-336
Millstone Nuclear Power Station, Unit No. 2
Supplement 1 to NUREG-0737 Safety Parameter Display System
Revision 1 to Safety Analysis Report

October, 1986
8610300396 861008 PDR ADOCK 05000336 PDR

1.0 INTRODUCTION

1.1 Summary of the Safety Analysis

This report provides a written safety analysis for the Millstone Unit No. 2 Safety Parameter Display System (SPDS). Information is provided to show that the SPDS is being designed to meet the provisions of Supplement 1 to NUREG-0737.

The safety functions were selected to be consistent with the Millstone Unit No. 2 Emergency Operating Procedures (EOPs). These EOPs are based on the Combustion Engineering Owners' Group Emergency Procedure Guidelines.

The SPDS displays are being developed with the consideration of human factors principles. Signals input to SPDS will be evaluated for quality and validation.

A verification and validation program will be conducted, including an independent review of the SPDS.

In this manner, a SPDS design is being developed that will provide an effective aid to the operators in determining the safety status of the plant during emergency conditions.

1.2 Discussion

The SPDS represents one part of an integrated emergency response capability. It will be consistent with the Emergency Operating Procedures (EOPs) and the Operators' Training Program. For Millstone Unit No. 2, the EOPs are based upon the Combustion Engineering Owners' Group Emergency Procedure Guidelines.

The SPDS is being designed to complement the EOPs (i.e., to aid the operator in executing the EOPs). It is not intended that the SPDS be necessary for EOP execution.

The major use of the SPDS during emergency conditions will be to independently monitor the safety status of the plant and alert the operator if the safety function status degrades.

In doing this, it allows the reactor operators to quickly "see" the overall plant condition and how actions taken affect the maintenance of the six Safety Functions (SFs).

The EOPs determine whether or not these SFs are being satisfied following a reactor trip by asking if certain key parameters are within acceptable limits. These same questions will be asked by the SPDS and the acceptability of the results displayed on the SPDS monitor as a series of color coded boxes. Lower level displays will be available to allow the operator to quickly determine why the resulting SF status is indicated.

1.3 NRC Criteria

1.3.1 Supplement 1 of NUREG-0737

Regarding the SPDS, Section 4.1 of Supplement 1 to NUREG-0737 identifies the following NRC criteria:

a. The SPDS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core.

This can be particularly important during anticipated transients and the initial phase of an accident.

b. Each operating reactor shall be provided with a Safety Parameter Display System that is located convenient to the control room operators. This system will continuously display information from which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events.

c. The SPDS shall be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems. Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available will be developed by the licensee in parallel with the SPDS. Furthermore, operators should be trained to respond to accident conditions both with and without the SPDS available.

d. The selection of specific information that should be provided for a particular plant shall be based on engineering judgment of individual plant licensees, taking into account the importance of prompt implementation.

e. The SPDS display shall be designed to incorporate accepted human factors principles so that the displayed information can be readily perceived and comprehended by SPDS users.

f. The minimum information to be provided shall be sufficient to provide information to plant operators about:

(i) Reactivity control
(ii) Reactor core cooling and heat removal from the primary system
(iii) Reactor coolant system integrity
(iv) Radioactivity control
(v) Containment conditions

The specific parameters to be displayed shall be determined by the licensee.

The remainder of this report defines the extent of compliance of the Millstone Unit No. 2 SPDS with the above NRC criteria.

2.0 SPDS DESIGN DESCRIPTION

2.1 Overview

One function of the Millstone Unit No. 2 plant process computer system is to supply information required for responses to an emergency condition.

This report covers only those functions of the plant process computer related to SPDS.

2.2 SPDS Definition

SPDS aids the control room operating crew in monitoring the status of the SFs that constitute the basis of the EOPs. Its principal purpose is to aid the control room personnel during emergency conditions by independently monitoring the safety status of the plant and alerting the operators if the SF status degrades.

2.3 SPDS Availability

Although the SPDS will not be a safety-grade system, implementation of a highly reliable, state-of-the-art SPDS is an important design objective. As a design objective, the availability of the SPDS will be greater than 99 percent during normal plant operation. In this context, design availability is understood to encompass the following minimal functional capabilities:

a) The ability to monitor and display the status of the safety functions.

b) The ability to determine the value and quality of all variables which are used in the SF status determination.

2.4 SPDS Use and Location

SPDS displays of SF status and supporting displays, including status determination and algorithm information, will be accessible to operators in the vicinity of the main control board.

2.5 Modes of Operation

The EOPs are designed for use following a reactor trip, which can only occur during modes 1, 2 and 3 (power operation, startup, and hot standby). Thereby, SPDS availability is only required for these modes. The SPDS algorithms are monitored, however, for both pre-trip and post-trip conditions. Those parameters which are inappropriate for pre-trip conditions are not monitored prior to reactor trip.

2.6 Signal Validation

The SPDS will have the capability of validating redundant signals used in SPDS displays and algorithms by use of analysis, checking and comparative methods to be specified for each SPDS variable.

2.7 Electric Power Sources

The SPDS, as part of the plant process computer system, will be powered from an uninterruptible power supply, capable of supplying power to the computer system after a loss of offsite power.

2.8 Electrical Separation

The SPDS, as part of the plant process computer system, will receive signals from both Class 1E and non-1E sources. Electrical separation will be provided for all signals, power sources and output devices.

2.9 Data Storage

Capability will be provided to store SPDS variables for the interval from two hours pre-event to twelve hours post-event.

3.0 SPDS SAFETY FUNCTION AND VARIABLE SELECTION

3.1 Selection Procedure

The SPDS will be designed to be consistent with the EOPs. In order to assure this consistency, the SPDS will:

a. use the same SFs as the EOPs, and

b. monitor, as closely as reasonably possible, the same system parameters as the EOPs.

The EOPs are designed to be used following a reactor trip. They define a set of procedural steps to effect plant recovery. The Standard Post Trip Actions Procedure is designed to stabilize the plant following a reactor trip. The Reactor Trip Recovery Procedure (EOP 2526) is entered for an uncomplicated reactor trip. If a transient occurs which either causes the trip or results from the trip, the EOPs direct the operator to go to either event-oriented procedures or a Functional Recovery Procedure (EOP 2540).

An integral part of these EOPs are the Safety Function Status Check (SFSC) sheets. These check sheets are tailored for each specific procedure and are designed to assure that:

a. all necessary information is reviewed when using the procedures,

b. the EOP being used is producing acceptable results, and

c. all SFs are being maintained within acceptable limits.

To complement this process, the SPDS can be most effectively used to continuously monitor the EOP safety functions and assist the operator with the safety function evaluation scheme defined in the EOPs.

The EOPs contain seven (7) separate SFSCs. These are for the Reactor Trip Recovery Procedure, the five (5) event-oriented procedures and the Functional Recovery procedure. The SPDS contains an algorithm which corresponds to each SF for all seven SFSC sheets. The Reactor Trip Recovery algorithms are assumed following a reactor trip unless the operator tells the SPDS that a different procedure is being used. The SPDS then compares the existing plant conditions with the procedure specific algorithms to determine if any of the SF limits are violated.

3.2 Safety Functions

As stated above, the SPDS SFs correspond to the EOP Safety Functions. They are summarized below:

Safety Function / Purpose

I. Reactivity Control: Shut down the reactor and maintain it in a subcritical condition.

II. RCS Inventory Control: Maintain a coolant medium around the core.

III. RCS Pressure Control: Maintain the coolant in the proper state.

IV. RCS Heat Removal: Transfer heat from the core to the coolant and from the coolant to a heat sink.

V. Containment Integrity: Assure adequate radiation control and acceptable containment conditions for equipment required for accident mitigation.

VI. Vital Auxiliaries: Maintain the systems necessary to support the other SFs.

The status of each of the six SFs for the selected procedure is indicated by one of two colors. Green indicates that the SF limits are not exceeded. Red indicates that the limits are exceeded.

3.3 Safety Function Instrumentation

The variables used for SF monitoring, and the plant instrumentation used to monitor the variables, are listed in Appendix A. They are grouped by safety function.

3.4 Analytical Basis for Safety Function and Variable Selection

The SPDS SFs and variables have been chosen to be similar to those in the Millstone Unit No. 2 EOPs.

These EOPs are based on the generic Combustion Engineering EPGs (Reference 1) which have previously been accepted for implementation by the NRC (Reference 2). The Millstone Unit No. 2 upgraded EOPs were implemented on January 7, 1984. The Millstone Unit No. 2 Procedures Generation Package was initially submitted on September 1, 1983 (Reference 3), and subsequently revised on January 30, 1985 (Reference 4) and February 26, 1986 (Reference 5).

3.5 Emergency Response With and Without SPDS

The Millstone Unit No. 2 EOPs are currently written for implementation without the SPDS. Note that the EOPs are written to monitor safety function status with or without SPDS available.

4.0 SPDS DISPLAYS

4.1 Display Philosophy

Each display location provides independent access to SPDS displays. Displays selected at one CRT can be different from those displays selected elsewhere. The primary display gives information on the status of the SFs. Secondary displays will be provided to indicate:

a. The process values of the SPDS inputs

b. The criteria used for SF determination

These secondary displays will be designed to aid the operator in determining what current plant conditions result in the SF determination shown in the primary display.

The SPDS displays will be implemented with a three-level hierarchy or structure that facilitates and systematizes passage between displays.

Level I consists of the Overview display for each of the seven Emergency Operating Procedures (EOPs). Level II consists of the six Safety Function (SF) displays for each of the seven recovery EOPs. Level III consists of a Sensor Data display for each of the six safety functions. The six safety function status boxes are integral with every display page. Human factors guidelines were used in developing this display hierarchy.

4.2 Primary Displays

At least one control room CRT will continuously monitor the status of all SFs during modes 1, 2 and 3. Other information may be displayed simultaneously as long as the status of the SFs can still be determined.

Each SPDS display will show a common set of indications of the status of the SFs. Status indication colors will correspond to that described in Section 3.2. The format for presenting this information will be common to SPDS displays.

4.3 Secondary Displays

During normal, transient and accident conditions, access will be provided to a certain number of predefined displays. These secondary displays will support the SF status indicators and enable the operating crew to determine/evaluate the reasons for changes in the SF status.

The set of secondary displays will consist of at least one display oriented to each of the following functions:

a. Reactivity Control SF variables and status criteria

b. RCS Inventory Control SF variables and status criteria

c. RCS Pressure Control SF variables and status criteria

d. RCS Heat Removal SF variables and status criteria

e. Containment Integrity SF variables and status criteria

f. Vital Auxiliary SF variables and status criteria

4.4 Display Change

Each secondary display will be accessible directly by a single keystroke.

Once a secondary display is presented on the CRT, other supporting displays can be accessed in a timely manner.

All display page changes will be operator initiated and not computer initiated.

4.5 Variable Status Indication

All SPDS variables will be displayed with a visual indication of the associated quality level as determined by SPDS data processing and validation. Appropriate status indication will also be available on displays of SPDS sensor data when out-of-scan, substituted or dummy signals are involved.

5.0 SIGNAL VALIDATION

5.1 Introduction

The use of misleading data by the SPDS should be avoided since it can adversely affect the quality of many variables. Sources of misleading data include sensors that fail, peg, or are removed from scan and instrumentation that drifts.

Signal validation techniques will be incorporated into the software processing to reduce the chance of using inappropriate data.

5.2 The Validation Process

Sensor signals used by the SPDS will undergo pass/fail processing, range limit checking and signal validation, as appropriate, before being used in the algorithms which determine the status of the safety functions. The quality of a plant parameter is indicated by its quality tag. All SPDS parameters including calculated values carry a three-state quality tag: validated, unvalidated, and invalid. The quality tags assigned by the signal validation algorithms are Blank (good), U (unvalidated) and N (no good). These quality tags are displayed in magenta to the left of the parameter values. The validation process is as described below:

a. Pass/fail processing determines whether or not a sensor signal is in scan (S = not in scan), the multiplexor communication interface is operating within design limits (X), and the analog/digital converter drift is within design limits (X). A sensor signal failing pass/fail processing is assigned an S or X (bad data) quality tag.

b. Range limit checking assures that a sensor signal is above the lower five percent (typical value) and below the upper five percent (typical value) of its instrument range. A sensor signal not within the range limit is assigned an R (out of range) quality tag.

c. Signal validation determines whether or not a sensor signal is consistent with other redundant signals within a specified error band. A best estimate value and quality tag (Blank, U or N) based on the sensor signals is provided. Individual sensor signals found to be faulty are tagged with an F (faulty) and excluded from the estimate.

"Good" parameters (Blank or U) will be used by the SPDS to evaluate the status of the safety functions. The status of each safety function will be displayed along with estimates of the plant parameters and their quality tags and the sensor signals and their quality tags.

The approach to signal validation implemented on the Millstone Unit No. 2 SPDS is based on the parity space concept for fault detection and isolation developed at C.S. Draper Laboratory for nuclear plant applications. The PARITY software module is adapted for use on the Millstone Unit No. 2 plant process computer.

The standard use of PARITY is to evaluate each plant parameter based on three to five redundant sensor signals, and to provide a composite best estimate of the parameter along with an indication of the quality of the estimate.

Additional software was developed to make non-standard decisions, to revise the quality tag for each inconsistent sensor signal and to estimate parameters having only two redundant sensor signals.

Some plant variables are represented by a single sensor signal. The only information items to determine the validity of such signals are pass/fail processing and limit checking. When these two items indicate "pass", the variable is assigned a Blank; when the variable has an R tag it is assigned a U; and when it has an X or S tag it is assigned an N.

It is believed that the described use of signal validation will provide input to the SPDS that:

a. is purged of inconsistent signals when remaining signals are consistent,

b. is chosen using pre-established decisions if sufficient consistency is lacking, and

c. is tagged to inform the operator of its quality status.

Thus, the process is designed to provide extra reliability and to reduce decision-making overhead in emergency situations.
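The three-stage validation chain of Section 5.2 (pass/fail processing, range limit checking, redundant-signal consistency with F tagging, and the single-sensor rule Blank/U/N) is easy to misread as three independent checks rather than a pipeline. The following is an added worked example, not code from the report or from the PARITY module it describes. It assumes the tag letters and the typical five percent range margin stated on the page; the consistency test (distance from the median of the surviving signals, with a two-signal special case) is a deliberate simplification of the parity space method, and the policy of tagging a best estimate Blank when two or more signals agree and U when only one survives is an assumption, since the report leaves those "pre-established decisions" to the software. Sensor identifiers and values in the demo are constructed, not the Appendix A inputs.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional


@dataclass
class Sensor:
    """One sensor signal with the raw checks the page lists in step a."""
    sensor_id: str
    value: float
    lo: float                 # instrument range lower bound
    hi: float                 # instrument range upper bound
    in_scan: bool = True      # False -> tag S
    mux_ok: bool = True       # multiplexor interface within design limits (else X)
    adc_ok: bool = True       # A/D converter drift within design limits (else X)
    tag: str = ""             # filled in by the checks below (Blank means good)


def pass_fail(s: Sensor) -> str:
    """Step a: S if not in scan, X if the mux or A/D check fails, else Blank."""
    if not s.in_scan:
        return "S"
    if not (s.mux_ok and s.adc_ok):
        return "X"
    return ""


def range_check(s: Sensor, margin: float = 0.05) -> str:
    """Step b: R when the value lies in the lower or upper 5% of its range."""
    span = s.hi - s.lo
    if s.value < s.lo + margin * span or s.value > s.hi - margin * span:
        return "R"
    return ""


def single_sensor_tag(s: Sensor) -> str:
    """Page rule for one-sensor variables: pass -> Blank, R -> U, S or X -> N."""
    s.tag = pass_fail(s) or range_check(s)
    if s.tag in ("S", "X"):
        return "N"
    if s.tag == "R":
        return "U"
    return ""


@dataclass
class Estimate:
    value: Optional[float]    # best estimate, None when nothing usable
    tag: str                  # Blank, U or N
    sensors: List[Sensor] = field(default_factory=list)


def validate_redundant(sensors: List[Sensor], error_band: float) -> Estimate:
    """Step c (simplified parity space): keep signals that passed a and b,
    tag as F any that disagree with the group, and estimate from the rest."""
    usable = []
    for s in sensors:
        s.tag = pass_fail(s) or range_check(s)
        if s.tag == "":
            usable.append(s)
    if not usable:
        return Estimate(None, "N", sensors)
    if len(usable) == 1:
        # assumed policy: a lone survivor gives an unvalidated (U) estimate
        return Estimate(usable[0].value, "U", sensors)
    if len(usable) == 2:
        # two signals: a disagreement cannot be isolated to one sensor
        a, b = usable
        if abs(a.value - b.value) > error_band:
            return Estimate(None, "N", sensors)
        return Estimate((a.value + b.value) / 2, "", sensors)
    centre = median(s.value for s in usable)
    consistent = []
    for s in usable:
        if abs(s.value - centre) <= error_band:
            consistent.append(s)
        else:
            s.tag = "F"       # faulty: excluded from the estimate
    if not consistent:
        return Estimate(None, "N", sensors)
    est = sum(s.value for s in consistent) / len(consistent)
    tag = "" if len(consistent) >= 2 else "U"   # assumed policy
    return Estimate(est, tag, sensors)


def demo() -> Estimate:
    # constructed three-channel pressure input (psia), range 1500-2500,
    # with the third channel reading high by more than the 20 psia band
    chans = [Sensor("PT-A", 2250.0, 1500.0, 2500.0),
             Sensor("PT-B", 2254.0, 1500.0, 2500.0),
             Sensor("PT-C", 2400.0, 1500.0, 2500.0)]
    return validate_redundant(chans, error_band=20.0)


if __name__ == "__main__":
    e = demo()
    print(e.value, repr(e.tag), [(s.sensor_id, s.tag) for s in e.sensors])
```

The point the pipeline makes visible is that an F tag is a verdict about one channel relative to its peers, while Blank/U/N is a verdict about the parameter the operator sees; an out-of-scan or out-of-range channel never reaches the consistency vote at all, which is why a single-sensor variable can only ever earn a U or an N from steps a and b.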

6.0 VERIFICATION AND VALIDATION

6.1 Verification and Validation Overview

This section provides an overview of the system verification and validation program.

The objective of the Verification and Validation (V&V) program is to provide a quality SPDS through independent technical review and evaluation conducted in parallel with SPDS development.

When V&V is integrated with the SPDS development process it provides a means for:

a. independent technical evaluation of the system

b. assuring formally documented implementation

c. improved integration of system hardware and software

d. regulatory review and approval

6.2 SPDS Verification and Validation

Key overall elements of SPDS V&V will be to assure:

a. Comprehensive technical review of system functional requirements to determine that the SPDS will perform appropriate functions.

b. Comprehensive technical evaluation of the implementation process to establish that tasks are a consistent, complete and correct translation of previous tasks.

c. Adequate documentation of the system, as well as for system implementation.

d. Adequate configuration management to document and control system and implementation changes.

6.2.1 SPDS Design Verification

The objective of SPDS design verification is to review the system functional and design requirements to determine that they are adequate and technically correct, and then to review the following design activities to verify that the translation of requirements is adequate and technically correct throughout the ensuing design steps.

System functional requirements are the foundation on which the SPDS will be designed, built, installed and accepted. The system design will also be validated against the functional requirements.

SPDS functional requirements will be verified against the criteria of Supplement 1 to NUREG-0737 and any other criteria that are identified to serve as the basis for SPDS functional definition.

After verification of the functional and design requirements, other design documentation will be verified for accurate and complete translation of the requirements from various tasks in the design process to the subsequent ones.

Verification will include a correlation between the design features and the requirements.

6.2.2 SPDS Validation

SPDS validation will be conducted using a combination of the three levels listed below and will assure that the system meets functional requirements and will aid control room use of EOPs.

a. Factory Testing

SPDS software and hardware may be integrated for functional testing prior to site installation. Testing will be conducted for appropriate hardware, software and system functions in accordance with a systematic test plan.

b. Installation and Acceptance Testing

After SPDS installation in the plant has been completed, functional testing will be performed to demonstrate correct operation of the installed SPDS hardware and software. End-to-end checkouts of all SPDS inputs and outputs will be performed. These checkouts will cover from sensor signal input to SPDS variable display.

c. Man-in-the-Loop Evaluation

Operations personnel, trained in EOPs, will review SPDS displays and interface provisions. The objective of this evaluation (not necessarily performed in the control room) will be to review the SPDS design as a potential aid to emergency response by operations personnel.

7.0 HUMAN FACTORS ENGINEERING

7.1 Human Factors Engineering

The fundamental SPDS design objective is to serve as an operator aid to monitor the overall safety status of the plant.

Human factors considerations are an integral part of a program to develop such a system.

This section describes the role of the primary SPDS user, the context of use, and the human factors principles that will be incorporated into the SPDS design.

7.2 SPDS Use

The Millstone Unit No. 2 control room personnel include:

a. One Shift Supervisor (SS), SRO licensed, Shift Technical Advisor (STA) qualified

b. One Supervising Control Operator (SCO), SRO licensed

c. Two Control Operators (CO), RO licensed

The SS and SCO will be the primary SPDS users. The SPDS is intended to help the SS and SCO in managing the plant during unusual situations where problem detection and problem solving on a plant wide scale are involved.

The major role of the SPDS is to help the operating crew by monitoring the safety status of the plant and alerting the operator if the SF status degrades.

The SPDS is intended as an aid to the SS/SCO, not as a replacement for necessary safety instrumentation. The SPDS serves as a concentrated data source and thus permits the SS/SCO to obtain desired information without walking the boards to check readings. SPDS displays will be accessible to COs to help maintain the needed understanding of the overall picture and to foster a team approach to plant emergency response.

7.3 Human Factors Design Guidelines

The following is a discussion of the human factors activities to be accomplished during the development of the SPDS computer generated displays.

7.3.1 Task Definition

This activity is designed to acquaint the designer with the reasoning behind the display requirements and to give him a feel for how and when the displays will be used. The designer determines how each task is presently performed, the information needed to accomplish it, and how the display can assist in plant performance.

7.3.2 Determine Equipment Considerations

The purpose of this activity is to assure that any limitations which may be imposed by the equipment are known to the display designer.

For example, the designer needs to determine the amount of information that will fit on one CRT screen, colors available, controls, brightness, etc.

7.3.3 Determine Viewing Environment

The purpose of this activity is to become familiar with the location and environment in which the equipment is to be used. It is also necessary to determine the positions (e.g., standing, sitting, viewing distances) from which the user will want to read the information on the displays.

7.3.4 Determination of Human Factors Criteria

This activity is to obtain a definition of existing human factors criteria that apply to the specific environmental conditions or display features.

Most of the criteria utilized for CRT displays can be found in Section 6.7.2 of NUREG-0700 (Cathode Ray Tube Displays).

7.3.5 Develop Display Concept

The display concept will be developed to give the display designer an overall idea of how he is going to accomplish the total task, how many displays will be used and how each one fits into the total picture. It will enable the design to be in accordance with user capabilities so that the resulting displays mesh with user needs. In general, the designer will develop the following information:

a. Identify user needs

b. How many displays are needed

c. Define the task to be accomplished with each display

d. How they should be set up (hierarchy)

e. How the displays are to be accessed

f. How any required data is to be entered

g. How the user can recover from any errors

h. Define user capabilities (e.g., a newly licensed operator)

i. Develop a prompt philosophy based on operator capabilities

7.3.6 Design Review

The purpose of this activity is to insure that the overall plan for display design is satisfactory. This is also another control point in the design process. It permits the designer to be sure that his product is going to meet all requirements when it is completed.

7.3.7 Develop Displays

This is the actual design of the displays. All of the activities above are designed to get the designer to this point with enough knowledge of user needs, equipment capabilities, and the environmental constraints so that the resulting product is compatible with all requirements. In general, the following activities are performed as part of this process:

a. Determine how the needed information is to be shown.

b. Determine the appearance of each display element.

c. Determine the colors to be used.

d. Determine the dynamics of each variable element.

e. Determine access to each display.

f. Determine how the user can recover from errors.

g. Determine what prompts are to be used and where.

7.3.8 Display Review

The purpose of this step is to insure that the detailed design meets all the original requirements. An important step in this process is a review of the displays by typical users (i.e., plant operators).

7.3.9 Issue System Specification

This is the final control point for the display design before its release for implementation. It also provides clear guidance to programming personnel regarding the final product.

8.0 SAFETY EVALUATION

The SPDS will be designed to complement the EOPs (i.e., to aid the operator in executing the EOPs). It is not intended that the SPDS be necessary for EOP execution.

The major use of the SPDS during emergency conditions will be to allow the reactor operators to quickly "see" the overall plant condition and how actions taken affect the maintenance of the six Safety Functions (SFs). The currently planned SPDS design has the following characteristics:

a. It cannot directly cause any plant transient.

b. It does not direct the operator to perform any action.

c. It will not affect the operation of any safety grade equipment because it is appropriately isolated from them (see Section 2.8).

d. It is not required for EOP execution.

e. It will not provide misleading information to the operator because of the Signal Validation (see Section 5.0) and the substantial Verification and Validation effort (see Section 6.0).

Because of the above assessment, it can be concluded that the SPDS will not directly affect the operation of any plant component, nor will it adversely affect the operators' ability to diagnose and respond to a plant transient. Therefore, it will not cause any previously unanalyzed accident or increase the probability of occurrence of a previously analyzed accident.

The SPDS will be strictly a monitoring device and will not directly cause any plant operation. Therefore, it cannot affect any of the accidents analyzed in the FSAR nor can it affect any of the barriers between the nuclear fuel and the public.

Hence, the SPDS will not increase the probability of occurrence of any previously analyzed accident nor decrease the margin of safety as defined in the basis for any technical specification.

From the above discussion, the following can be concluded about implementation of the planned SPDS:

a. There will not be an increase in the probability of occurrence or the consequences of an accident or malfunction of equipment important to safety (i.e., safety-related) previously evaluated in the safety analysis report.

b. There will not be a possibility for the creation of an accident or malfunction of a different type than any evaluated previously in the safety analysis report.

c. There will not be a reduction in the margin of safety as defined in the basis for any technical specification.

Therefore, the implementation of the SPDS will not constitute an unreviewed safety question as defined in 10 CFR 50.59. In addition, it will not require any changes to the plant's technical specifications.


9.0 CONCLUSION

The SPDS for Millstone Unit No. 2 is being designed to adequately address the provisions of Supplement I to NUREG-0737. Specifically:

a) The SPDS will provide a concise display of important plant variables to aid the control room operators in determining the safety status of the plant that is consistent with the Combustion Engineering Emergency Procedure Guidelines and the Millstone Unit No. 2 Emergency Operating Procedures.

b) The SPDS will display SF information on colorgraphic terminals located in the control room. The SPDS will monitor the status of the safety functions continuously. The SPDS will be part of the plant process computer system and is being designed to meet availability considerations consistent with SPDS criteria.

c) Since the SPDS will be completely consistent with the Emergency Operating Procedures, only one set of procedures is required for emergency response with and without the SPDS.

d) The safety functions and variables have been selected to be consistent with the analytical basis of the Emergency Operating Procedures.

e) The SPDS displays are being designed to meet human factors principles.

f) The SPDS provides information about:

(1) reactivity control
(2) core cooling and heat removal
(3) RCS integrity
(4) radioactivity control
(5) containment conditions
(6) vital auxiliaries

This safety analysis shows that the SPDS will be consistent with the Millstone Unit No. 2 Emergency Operating Procedures and provides an integrated approach to emergency conditions. Human factors principles are being considered in the design to assure that the operators can use the SPDS effectively. A Verification and Validation Program will assure that independent reviews are conducted to assure proper implementation of the SPDS design.

The development of the SPDS will be an effective aid for the control room operators in determining the safety status of the plant during emergency conditions.


10.0 REFERENCES

1. "Combustion Engineering Emergency Procedures Guidelines", CEN-152 (Rev 1).

2. Safety Evaluation of "Emergency Procedure Guidelines", Generic Letter 83-23, dated July 29, 1983.

3. W. G. Counsil letter to D. M. Crutchfield/J. R. Miller, dated September 1, 1983.

4. W. G. Counsil letter to J. R. Miller, dated January 30, 1985.

5. J. F. Opeka letter to A. C. Thadani, dated February 26, 1986.


APPENDIX A  SPDS Process Inputs

I. REACTIVITY CONTROL

    Description                     Process Computer ID
    1. Reactor Power                Power Range: R2AU, R2BU, R2CU, R2DU, R2AL, R2BL, R2CL, R2DL
                                    Wide Range: R1A, R1B, R1C, R1D
                                    Extended Range Fission Detector: ZE221, ZE222, ZE223, ZE224
    2. CEA Position                 Dropped Rod Signals: Z1501A - Z1509A, Z1514A - Z1533A, Z1538A - Z1569A
    3. BAST Level                   1.1: L206
                                    1.2: L208
    4. Charging Flow                F212
                                    Pump Status: ZE928, ZE929, ZE930
    5. SIS Flow                     HPSI: F311, F321, F331, F341
                                    LPSI: F312, F322, F332, F342, F306
    6. RWST Level                   L3001, L3002, L3003, L3004
    7. Reactor Trip                 Trip Circuit Breakers: Z1581 - Z1588
                                    Annunciator: ZE242
    8. Cold Leg Temp                Loop 1: T112CA, T112CB, T112CC, T112CD
                                    Loop 2: T122CA, T122CB, T122CC, T122CD
                                    Loop 1 (wide range): T115
                                    Loop 2 (wide range): T125

II. INVENTORY CONTROL

    Description                     Process Computer ID
    1. Pressurizer Level            L110X, L110Y
    2. Unheated Junction            Top 2 from each Train:
       Thermocouples                UJTEM1-A, UJTEM2-A
                                    UJTEM1-B, UJTEM2-B
    3. Cold Leg Temp                (see Item I.8)
    4. Hot Leg Temp                 Loop 1: T112HA, T112HB, T112HC, T112HD
                                    Loop 2: T122HA, T122HB, T122HC, T122HD
                                    Loop 1 (wide range): TW111X
                                    Loop 2 (wide range): TW121X
    5. Incore Thermocouple          T10 - T450
    6. Charging Flow                (see Item I.4)
    7. RWST Level                   (see Item I.6)
    8. Pressurizer Pressure         High Range: P100X, P100Y
                                    Low Range: P103, P103-1
                                    Wide Range: P102B-1
    9. Reactor Vessel Level         Train 1: HDLEV-A
                                    Train 2: HDLEV-B
    10. Reactor Trip                (see Item I.7)

III. PRESSURE CONTROL

    Description                     Process Computer ID
    1. Pressurizer Pressure         (see Item II.8)
    2. Unheated Junction            (see Item II.2)
       Thermocouple
    3. Cold Leg Temp                (see Item I.8)
    4. Hot Leg Temp                 (see Item II.4)
    5. Incore Thermocouple          (see Item II.5)
    6. Charging Flow                (see Item I.4)
    7. Reactor Trip                 (see Item I.7)

IV. RCS HEAT REMOVAL

    Description                     Process Computer ID
    1. Hot Leg Temperature          (see Item II.4)
    2. Cold Leg Temperature         (see Item I.8)
    3. SG Level                     SG1: L1113A, L1113B, L1113C, L1113D
                                    SG2: L1123A, L1123B, L1123C, L1123D
    4. CST Level                    L5282
    5. Incore Thermocouple          (see Item II.5)
    6. Charging Flow                (see Item II.6)
    7. SG Pressure                  SG1: P1013A, P1013B, P1013C, P1013D
                                    SG2: P1023A, P1023B, P1023C, P1023D
    8. Pressurizer Pressure         (see Item II.8)
    9. PORV Acoustic Monitor        PORV 2-RC-402: 2RC402
                                    PORV 2-RC-404: 2RC404
    10. Reactor Trip                (see Item I.7)
    11. Main Feedwater Flow         SG1: F5268
                                    SG2: F5269
    12. Aux. Feedwater Flow         SG1: F5277
                                    SG2: F5278

V. CONTAINMENT INTEGRITY

    Description                     Process Computer ID
    1. Containment Pressure         Narrow Range: P8113, P8114, P8115, P8116
                                    Wide Range: P9783
    2. Containment Temperature      T8108, T8109
    3. SG Blowdown Rad Monitor      R4262
    4. Containment Area Rad Monitor R8240, R8241
    5. SJAE Rad Monitor             R5099
    6. Stack Radiation Monitor      Unit 1: RU1
       (Wide Range)                 Unit 2: RIC8168
    7. Containment Normal Sump      L9155
       Level
    8. Containment Hydrogen         AE8152, AE8154
       Concentration
    9. Main Steam Line #1 Rad       R4299A
       Monitor
    10. Atmospheric Dump Valve #1   R4299B
        Rad Monitor
    11. Main Steam Line #2 Rad      R4299C
        Monitor

VI. VITAL AUXILIARIES

    Description                     Process Computer ID
    1. Bus 24C Voltage              ZE551, ZE552, ZE553, ZE554
    2. Bus 24D Voltage              ZE555, ZE556, ZE557, ZE558
    3. Bus 201A Voltage             ZE586
    4. Bus 201B Voltage             ZE587
    5. Instrument Air Pressure      P7078

VII. ESAS MONITORING

VII.1 CIAS

    Process Computer ID     Description
    2SSP16#1                Containment Drain Sump Isolation Valve
    2SSP16#2                Containment Drain Sump Isolation Valve
    2GR11#1                 Waste Gas Surge Tank Inlet Valve
    2GR11#2                 Waste Gas Surge Tank Inlet Valve
    2LRR43#1                Primary Drain Tank Pump Discharge Valve
    2LRR43#2                Primary Drain Tank Pump Discharge Valve
    2LLR61#1                Quench Tank Cooler Sample Valve
    2MS220A#                Steam Generator #1 Blowdown Valve
    2MS220B#                Steam Generator #2 Blowdown Valve
    2MS191A#                Steam Generator Sample Line Valve
    2MS191B#                Steam Generator Sample Line Valve
    2RC45#                  RCS Sample Isolation Valve
    2RC003#                 Pressurizer Steam Space Sample Valve
    2RC002#                 Pressurizer Surge Line Sample Valve
    2RC001#                 RCS Hot Leg Sample Valve
    2PMW43#                 Quench Tank Make Up Valve
    2CH198#                 RCP Bleed Off to VCT Valve
    2CH506#                 RCP Bleed Off Inside Isolation Valve
    2CH505#                 RCP Bleed Off to Drains Valve
    2CH516#                 RCS Letdown Valve
    2CH89#                  Regenerative Heat Exchanger Outlet Valve
    2SI312#                 Nitrogen to SI Tank Shutoff Valve
    2AC8=                   Enclosure Building Purge Outlet Damper
    2AC11#                  Containment and Enclosure Bldg. Purge Outlet Damper
    2AC20#                  Containment Air Sample Valve
    2AC47#                  Containment Air Sample Valve
    2AC12#                  Containment Air Sample Valve
    2AC15#                  Containment Air Sample Valve
    2AC1#                   Purge Inlet Shutoff Damper
    2AC3=                   Enclosure Building Purge Shutoff Damper
    2EB88#                  Containment Hydrogen Monitoring Sample Iso. Valve
    2EB89#                  Containment Hydrogen Monitoring Sample Iso. Valve
    2EB100#                 Hydrogen Purge Isolation Valve
    2EB99#                  Hydrogen Purge Isolation Valve
    2EB91#                  Hydrogen Purge Isolation Valve
    2EB92#                  Hydrogen Purge Isolation Valve

VII.2 EBFAS

    Process Computer ID     Description
    2EB60#                  Fuel Handling Area Vent to Plenum
    2EB61#                  Fuel Handling Area Vent to Plenum
    ZE739                   Enclosure Building Filtration Fan
    ZE740                   Enclosure Building Filtration Fan
    2EB56#                  Steam Jet Air Ejector MOV
    2EB55#                  Steam Jet Air Ejector MOV
    2EB51=                  Enclosure Building Vent Suction Isolation Damper
    2EB41=                  Enclosure Building Vent Suction Isolation Damper
    2EB50=                  Enclosure Building Plenum Isolation Damper
    2EB40=                  Enclosure Building Plenum Isolation Damper
    2HV107#                 Engineered Safeguards Room Air Supply Valve
    2HV106#                 Engineered Safeguards Room Air Supply Valve
    2HV116#                 Engineered Safeguards Room Air Return Valve
    2HV117#                 Engineered Safeguards Room Air Return Valve
    2EB72#                  Containment Cleanup Damper
    2EB73#                  Containment Cleanup Damper
    2EB52=                  EB Filter Fan A Discharge Damper
    2EB42=                  EB Filter Fan B Discharge Damper

VII.3 CSAS

    Process Computer ID     Description
    F3023                   Containment Spray Header A Flow
    F3024                   Containment Spray Header B Flow
    ZE713                   Containment Spray Pump A
    ZE714                   Containment Spray Pump B
    2CS4=1A                 Containment Spray Control Valve
    2CS4=1B                 Containment Spray Control Valve

VII.4 SRAS

    Process Computer ID     Description
    ZE710                   HPSI Pump 42A
    ZE711                   HPSI Pump 42B
    2SI659#                 SI Recirc Header Shutoff Valve
    2SI660#                 SI Recirc Header Shutoff Valve
    2CS16=1A                Containment Sump Recirc Stop Valve
    2CS16=1B                Containment Sump Recirc Stop Valve