ML20204F600

Revised SAR for Vermont Yankee Spds
ML20204F600
Person / Time
Site: Vermont Yankee
Issue date: 07/30/1986
From:
VERMONT YANKEE NUCLEAR POWER CORP.
To:
Shared Package
ML20204F592 List:
References
RTR-NUREG-0737, RTR-NUREG-737, RTR-REGGD-01.097, RTR-REGGD-1.097 NUDOCS 8608040244


Text


SAFETY ANALYSIS REPORT FOR THE VERMONT YANKEE SAFETY PARAMETER DISPLAY SYSTEM

JULY 30, 1986

Vermont Yankee Nuclear Power Corporation

8608040244 860730 PDR ADOCK 05000271 P PDR

TABLE OF CONTENTS

1.0 INTRODUCTION AND BACKGROUND
1.1 Background
1.2 Summary of Safety Analysis
1.3 SPDS Basis
1.4 USNRC Criteria
1.5 Abbreviations

2.0 DESIGN BASIS FOR THE SPDS
2.1 Plant Safety Monitoring and Emergency Response
2.2 SPDS Parameter Selection
2.3 SPDS Integration

3.0 SPDS DESIGN CONSIDERATIONS
3.1 SPDS Definition
3.2 SPDS Use and Location
3.3 Reactor Modes
3.4 SPDS Availability
3.5 System Flexibility
3.6 SPDS Priority
3.7 SPDS Response Time
3.8 Data Storage and Recall Capability
3.9 Signal Validation
3.10 Electrical Power Supplies
3.11 Electrical and Electronic Isolation
3.12 Human Engineering
3.13 Design Control and Documentation
3.14 System Documentation

4.0 SPDS DISPLAYS
4.1 Display Philosophy and Structure
4.2 Generic Display Content
4.3 Overview Display
4.4 EOP Control Displays
4.5 Detail Parameter Trend Graphs
4.6 EOP Limit Curves
4.7 Other Supporting Displays
4.8 Display Access
4.9 Parameter Quality Indication
4.10 Summary of Displays

5.0 SIGNAL VALIDATION
5.1 Introduction and Objectives
5.2 Validation Processing
5.3 Validation Features

6.0 HUMAN FACTORS ENGINEERING
6.1 HFE Plan
6.2 Application of HFE Plan
6.3 Display Development
6.4 Human Factors Design Assessment

7.0 DESIGN VERIFICATION AND VALIDATION
7.1 V & V Overview
7.2 Key Elements of SPDS V & V
7.3 Verification
7.4 Validation
7.5 V & V Plan
7.6 V & V Independence

8.0 MAN-MACHINE VALIDATION
8.1 Goal and Objectives
8.2 Method of Validation
8.3 MMV Plan
8.4 MMV Results Follow Up

9.0 SPDS TRAINING
9.1 User Training
9.2 Operator Training

10.0 CONCLUSIONS
10.1 Compliance with NUREG-0737 Supp. 1, Section 4.1.a
10.2 Compliance with NUREG-0737 Supp. 1, Section 4.1.b
10.3 Compliance with NUREG-0737 Supp. 1, 4.1.c
10.4 Compliance with NUREG-0737 Supp. 1, 4.1.d
10.5 Compliance with NUREG-0737 Supp. 1, 4.1.e
10.6 Compliance with NUREG-0737 Supp. 1, 4.1.f
10.7 SPDS Implementation at VYNPS

REFERENCES

APPENDIX - IMPLEMENTATION PLAN

TABLES

1 Correlation of NUREG-0737 Supplement 1 CSFs, Generic EPGs, EPG Principal Control Functions, and VYNPS EOPs
2 Principal Control Function Parameters
3 VYNPS EOP Entry Condition Parameters
4 VYNPS EOP Limit Curves and Associated Parameters
5 SPDS Parameters and Sources

FIGURES

1 VYNPS Control Room Layout
2 SPDS Implementation Schedule

VERMONT YANKEE SPDS SAFETY ANALYSIS REPORT

1.0 INTRODUCTION AND BACKGROUND

1.1 Background

In previous correspondence with the USNRC, VYNPC indicated that implementation of the SPDS and replacement of the plant process computer must proceed concurrently (Ref. 1-7), and submitted the SPDS Functional SAR (Ref. 8). The Functional SAR presented the VYNPS SPDS design approach and included process computer/SPDS project schedule information. The project schedule showed completion of the SPDS SAR in July, 1986. This report expands and supersedes the Functional SAR submitted previously, in compliance with the July, 1986 schedule.

1.2 Summary of Safety Analysis

This report provides a written Safety Analysis for the Vermont Yankee Nuclear Power Station (VYNPS) SPDS, and is submitted in fulfillment of obligations specified in applicable USNRC Confirmatory Order (Ref. 5) and the VYNPC SPDS Functional SAR (Ref. 8).

Information is provided in this SAR to show that the SPDS is being designed to fully meet the provisions of Supplement 1 to NUREG-0737 (Ref. 19). More specifically, the SAR shows that the SPDS will include appropriate computer generated displays and plant parameters, that the SPDS will be consistent with Emergency Operating Procedures (EOPs), that the SPDS will aid operating personnel in reliably and rapidly determining the safety status of the plant and whether abnormal conditions warrant corrective action to avoid core degradation, that appropriate human factors principles will be incorporated, and that appropriate SPDS verification and validation will be performed.

1.3 SPDS Basis

Emergency Procedure Guidelines (EPG) have been developed by the BWR Owner's Group (BWROG) (Ref. 10) and have been accepted by the USNRC as the basis for emergency response in BWRs (Ref. 11). These generic EPGs have been converted into plant specific technical guidelines and Emergency Operating Procedures, applicable to VYNPS, in accordance with a Procedures Generation Package (Ref. 12) that was submitted to the USNRC. These guidelines and EOPs provide control room personnel with procedures for using appropriate information to take symptom oriented corrective action for a wide range of transient and accident conditions.

The SPDS design basis at VYNPS will be to monitor parameters derived from the Emergency Procedure Guidelines and the Emergency Operating Procedures and to display information that will aid the control room crew to determine plant safety status, determine when Emergency Operating Procedures should be initiated, and to aid them in EOP execution. The SPDS will monitor existing plant analog and digital signals and calculated parameters to provide operating personnel with valid process information needed to ascertain the status of control of reactivity, reactor core cooling and heat removal, reactor coolant system integrity, drywell and secondary containment conditions, and radioactivity release, using key plant parameters specified in EPGs and EOPs.

1.4 USNRC Criteria

As a result of the 1979 accident at Three Mile Island, the USNRC determined the need for a SPDS which provides operating personnel concise display of plant safety status information. This was first documented in NUREG-0660 (Ref. 13). Subsequently, various USNRC and industry guidance documents were developed to define how SPDS should function and what information it should contain. These documents include NUREG-0737 (Ref. 14), NUREG-0696 (Ref. 15), NUREG-0835 (Draft) (Ref. 16), NSAC-21 (Ref. 17) and INPO NUTAC 83-003 (Ref. 18). There are also numerous guidance documents for control room instrumentation that have been issued by the USNRC and industry sources.

USNRC guidance documents were supplemented with firm criteria for development and acceptance of SPDS with the issuance of Supplement 1 to NUREG-0737, "Requirements for Emergency Response Capability" (Ref. 19), and Standard Review Plan Section 18.2, "SPDS Acceptance Criteria" (Ref. 20). Section 4.1 of NUREG-0737 Supplement 1 addresses the specific requirements to be used in SPDS development. Each of these requirements will be met by VYNPC in the design for the VYNPS SPDS. This Safety Analysis Report explains how the requirements are met. Compliance with each of the SPDS requirements of Supplement 1 is specifically summarized in the Conclusions section of this SAR.

Information in this SAR, when supplemented with additional information to be developed during the SPDS implementation project, will also be used to demonstrate that the VYNPS SPDS also will satisfy the acceptance criteria contained in Standard Review Plan, Section 18.2 (Ref. 20).

1.5 Abbreviations

Following is a list of abbreviations used in this document.

a. ADS - Automatic Depressurization System
b. APRM - Average Power Range Monitor
c. ATWS - Anticipated Transient Without Scram
d. BWROG - BWR Owner's Group
e. CF - Control Function
f. CR - Control Room
g. CRT - Cathode Ray Tube
h. CSF - Critical Safety Function
i. DCRDR - Detailed Control Room Design Review
j. ECCS - Emergency Core Cooling Systems
k. EOF - Emergency Operations Facility
l. EOP - Emergency Operating Procedure
m. EPG - Emergency Procedure Guidelines
n. ERFIS - Emergency Response Facility Information System
o. EPRI - Electric Power Research Institute
p. INPO - Institute for Nuclear Operations
q. LOCA - Loss of Coolant Accident
r. MM - Man-Machine or Man-Machine Validation (MMV)
s. MTBF - Mean Time Between Failures
t. MTTR - Mean Time To Repair
u. NRC or USNRC - U.S. Nuclear Regulatory Commission
v. NUTAC - Nuclear Utility Task Action Committee
w. PGP - Procedures Generation Package
x. PSTG - Plant Specific Technical Guidelines
y. RPV - Reactor Pressure Vessel
z. SAR - Safety Analysis Report
aa. SPDS - Safety Parameter Display System
bb. TSC - Technical Support Center
cc. V&V - Verification and Validation
dd. VYNPC - Vermont Yankee Nuclear Power Corporation
ee. VYNPS - Vermont Yankee Nuclear Power Station

2.0 DESIGN BASIS FOR THE SPDS

2.1 Plant Safety Monitoring and Emergency Response

Industry experience in developing various SPDS designs has shown that SPDS displays are meaningful and useful to operating personnel during emergency response situations when they are directly integrated with Emergency Operating Procedures (EOP). Specifically, emergency response decisions and actions made by the operating crew are aided by an SPDS that provides information that supports the entry to and execution of the EOPs. Results of an EPRI project to evaluate SPDS concepts in a nuclear plant simulator indicated that integration of procedures and SPDS is necessary for successful SPDS implementation (Ref. 21).

Simulator evaluation of the BWROG generic graphic display system concluded that displays should be customized for individual plant application and should display emergency procedure entry conditions (Ref. 22).

EPRI guidelines for computer generated displays point out the need to reflect appropriate information requirements derived from system objectives, function and task analysis (Ref. 23).

Development of the BWROG generic EPGs was based in part on analysis of severe accidents and transients. This analysis was documented by the reactor designer (Ref. 9). These EPGs have been evaluated and accepted by the NRC as documented in the Safety Evaluation Report on Revision 3 of the EPGs (Ref. 11). The NRC SER is in effect a supplemental analysis that supports the use of the EPGs as an acceptable basis for emergency response, and for development of emergency response procedures. The generic EPGs are symptom-based and not based on a limited set of specific accidents and transients. In using symptomatic EPGs as the basis for emergency response, operating crews are not required to identify the event or sequence of events before initiating action to protect plant safety. Plant safety is assured for a wide range of events and severe accidents by conformance to the symptom-based EPGs, thereby maintaining plant conditions within the principal control functions as specified therein. VYNPC concurs with the position taken by the reactor designer (GE), the BWROG, and the NRC, that safe plant status can be assured by conformance to the EPGs and the principal control functions embodied in the BWR EPGs.

In summary, use of the EPGs as a basis for selection of SPDS parameters to monitor plant safety status provides a basis for parameter selection that not only integrates with NRC-approved guidelines for emergency response (which are embodied in VYNPS EOPs), but also is analytically traceable to the post-TMI requirement for additional analyses of severe accidents and transients.

Since the BWROG EPGs are generic for all GE reactor and containment types, it is necessary to translate them into plant-specific guidelines. In accordance with industry guidance reflected in Reference 24, VYNPC has translated the generic EPGs into specific technical guidelines and EOPs that reflect systems and emergency response information that is appropriate for VYNPS. The process for development and implementation of the VYNPS EOPs was documented and submitted to the NRC (Ref. 12) in accordance with the requirements of Supplement 1 to NUREG-0737.

Although the BWR EPGs, and the principal control functions therein, are structured differently than the critical safety functions contained in Supplement 1 to NUREG-0737, Table 1 shows the functional correlation that exists between the CSFs and the EPGs. Correlation with the VYNPS EOPs is also shown in Table 1. Use of the symptom-based EPGs and EOPs as a common basis for emergency response actions by the operating crew, as well as the basis for SPDS design, assures that the SPDS will integrate with approved emergency actions by the operating crew and will aid the crew by providing relevant information.

Table 1 Correlation Between NUREG-0737 Supplement 1 CSFs, Generic EPGs, EPG Principal Control Functions, and VYNPS EOPs.

CSF Generic EPG Principal Control VY EOP Rev. 3 Function Reactivity Reactor Power Control Reactivity Control Control Core Cooling RPV Control RPV Level Control

& Heat Removal RPV Level Control Reactor Con- RPV Pressure Control tainment

System Integrity Primary Containment Pressure Control Drywell Pressure &

Drywell Temperature Temperature Primary Control Control Containment Control Suppression Pool Temperature Control Torus Temperature

& Level Suppression Pool Water Control Level Control Containment Conditions Secondary Containment Temperature Control Secondary Secondary Containment Secondary Containment Containment Control Water Level Control Control Secondary Containment Radiation Control Radioactivity Radioactivity Radioactivity RPV Level Control Release Control Release Control Control

2.2 SPDS Parameter Selection

Detailed analysis of the BWR EPGs and EOPs to identify all explicit and implicit information requirements pertaining to plant and systems produces an extremely large list of parameters. An analysis of this type was conducted as part of a project for the BWROG (Ref. 28), and resulted in a list of approximately 900 parameters which would probably require in excess of 2000 plant signals. Such an extensive list would be excessive in the design of an SPDS for concise display of information to monitor plant safety status. Thus a subset of the total EPG and EOP information requirements is needed for the VYNPS SPDS.

Three categories of EPG and EOP information have been identified for the VYNPS SPDS. The first category consists of the BWR principal control function parameters. As discussed in Section 2.1, the symptom-based EPGs specify operating crew actions for controlling a small set of control functions. Thus, monitoring the parameters that correspond to the EPG control functions permits an assessment of plant safety status that inherently covers all of the NRC-identified functions for plant safety monitoring (reactivity, core cooling and heat removal, cooling system integrity, containment, and radioactivity). Table 2 shows the principal control function parameters that will be considered for the VYNPS SPDS.

Table 2 Principal Control Function Parameters

Reactor power level
RPV water level
RPV pressure
Drywell pressure
Drywell temperature
Torus water temperature
Torus water level
Reactor building temperature
Reactor building water level
Reactor building radiation level

The second category of parameters for the SPDS are those parameters that provide entry conditions for the EOPs. As discussed earlier, industry experience has shown that entry conditions are appropriate for SPDS information. These entry condition parameters are listed in Table 3. As can be seen from Table 3, there is significant diversity, from both system and location standpoints, in the parameters that are associated in the EOP entry conditions. The computer-based SPDS can continuously scan these parameters and provide indication when an EOP entry condition has been met. This presents an excellent opportunity to load routine data scanning on the machine and permit operating personnel to concentrate on decisions and actions in emergency response. In this manner the SPDS provides assistance in minimizing additional burden on operating crews from implementation of EOPs. Thus the parameters in Table 3, along with the principal control parameters, are considered for the SPDS.

The symptom-based EOPs for VYNPS include a number of multiparameter limit curves that guide important operator actions in executing the EOPs. The determination of proximity to these types of limits is often difficult when using conventional control room instruments that only show current values or time trends of single parameters. Even if the limit curve only requires a simple comparison of two parameters, this can be inconvenient when conventional instruments are not adjacently located. Relocation of existing instruments is usually not appropriate as this would violate grouping of instruments from a systems standpoint. Therefore, the EOP limit curves are logical candidates for inclusion in the SPDS. This constitutes the third category of parameters for the SPDS. These parameters and their relationship to the VYNPS EOPs are shown in Table 4.

Table 3 VYNPS EOP Entry Condition Parameters

OE 3101 - Reactivity Control Procedure
  Reactor power
  Scram command

OE 3102 - RPV Level Control Procedure
  RPV water level

OE 3103 - Drywell Pressure and Temperature Control Procedure
  Drywell RRU average temperature
  Drywell pressure

OE 3104 - Torus Temperature and Level Control Procedure
  Torus water volume
  Torus water temperature

OE 3105 - Secondary Containment Control Procedure
  Reactor building area temperature
  Reactor building vent exhaust radiation
  Reactor building area radiation
  Reactor building area water levels
  Reactor building floor drain sump continuous operation

Table 4 VYNPS EOP Limit Curves and Associated Parameters

OE 3102 - Max Acceptable Core Uncovery Time
  Time after reactor shutdown

OE 3102, OE 3103 - Primary Containment Pressure Limit
  Torus Pressure
  Torus Water Level

OE 3103 - RPV Saturation Curve
  Drywell temperature near cold reference legs
  RPV pressure

OE 3103, OE 3104 - Drywell Spray Initiation Pressure Limit
  Torus air space temperature
  Torus pressure

OE 3103 - Pressure Suppression Pressure Limit
  Torus pressure
  Torus water level

OE 3104 - Torus Water Level Limit
  Torus water level
  Drywell/torus differential pressure

OE 3104 - Torus Heat Capacity Limit
  Torus water level
  Torus water temperature

OE 3104 - NPSH Limit Curve
  Torus air space pressure
  Torus water temperature

OE 3104 - Torus Load Limit
  Torus water level
  RPV pressure

OE 3104 - Torus Heat Capacity Temperature Limit
  Torus temperature
  RPV pressure

In summary, the parameters that have been selected for the VYNPS SPDS are rooted in the NRC-approved basis for BWR emergency response. The SPDS will provide support to the operating crew by permitting concise display and monitoring of plant safety status, by permitting routine computer scanning and indication of conditions that require initiation of EOPs, and by display of unique EOP limit curves that may be less convenient to evaluate with conventional instrumentation. Thus, the VYNPS SPDS not only will meet NRC requirements, but in addition, will provide display functions that increase SPDS usefulness to operating crews.

Table 5 shows the combined list of SPDS parameters from Tables 2, 3 and 4. The sources for the parameters are indicated and the parameter redundancies have been eliminated. Table 5 also includes several additional parameters that did not appear in Tables 2, 3 or 4 but were determined to be appropriate for the SPDS.

Drywell and torus hydrogen and oxygen concentrations were added in anticipation of revision 4 of the BWROG EPGs. Containment area radiation level was added due to its importance in assessing containment conditions. Radiation levels in the main steam lines and the plant stack effluent were added because of their importance in assessing radioactivity release potential. Finally, primary containment isolation demand was added because of its relevance to containment conditions and radioactivity release. The position status of containment isolation valves is not needed. Isolation demand keys operators to check isolation valve status (a routine check immediately after the event), isolation valve status indication is already present in the control room at a higher quality level (1-E) than SPDS, and a status mimic of major valves exists in direct view of control room personnel.

2.3 SPDS Integration

Integration is an important element in the overall design basis for the VYNPS SPDS. The SPDS will be designed and implemented in an integrated manner in several respects.

The SPDS will be implemented as part of a new integrated computer system to be installed at VYNPS. This will allow the sharing of a common data base, standard man-machine interface provisions and many other computer system capabilities.

As discussed in previous sections, the SPDS is to be fully integrated with the plant-specific emergency response guidelines and procedures derived from the BWROG generic EPGs.

The integrated computer system will service the information needs that are identified for the emergency response facilities outside the control room, i.e. the Technical Support Center (TSC) and the Emergency Operations Facility (EOF). The SPDS data will also be an integrated part of the information that is available to these facilities.

The SPDS functions will also be integrated into the VYNPS control room simulator facility. This will not only provide the means to include SPDS as part of the continuing operator simulator training programs but will also provide the capability of validating SPDS features before they are implemented in the control room.

The SPDS will be implemented in the control room in a manner that integrates with control room functions and conventions, including location, operating crew functions, control room design review information, and instrument conventions.

VYNPC will integrate appropriate personnel in the SPDS project. This will include VYNPC participation in SPDS design, testing and installation by system vendor(s). VYNPC will not only assure that system requirements are met, but also that VYNPC has the system knowledge and experience necessary to assure satisfactory long term use and modification of the SPDS.

Integrated implementation of the SPDS, as outlined above, will provide maximum assurance that the SPDS will function as an effective aid to operating personnel during normal, abnormal and emergency response conditions.


Table 5 SPDS PARAMETERS AND SOURCES

Columns: Parameter / Principal Control Parameter / EOP Entry / EOP Limit Curve

1. Reactor power: x x
2. RPV water level: x x
3. RPV pressure: x x
4. Drywell pressure: x x x
5. Torus water temperature: x x x
6. Torus water level: x x x
7. Scram command: x
8. Drywell RRU average temperature: x x
9. Reactor building vent exhaust radiation: x x
10. Reactor building area radiation: x x
11. Reactor building area water levels: x x
12. Reactor building floor drain sump continuous operation: x
13. Reactor building area temperatures: x x
14. Time after reactor shutdown: x
15. Drywell temperature near cold reference legs: x
16. Torus air temperature: x
17. Torus air pressure: x
18. Drywell & torus hydrogen and oxygen concentrations
19. Primary containment isolation demand
20. Plant stack radioactivity release
21. Main steam line radiation
22. Containment area radiation

Notes to Table 5

a. Drywell RRU average temperature (from Table 3) serves for Drywell temperature from Table 2.
b. Torus water level (from Table 2) serves for Torus water volume from Table 3.
c. Reactor building vent exhaust radiation and area radiation (from Table 3) serves for Reactor building radiation level from Table 2.
d. Reactor building area water levels (from Table 3) serves for reactor building water levels from Table 2.
e. Reactor building area temperatures (from Table 3) serves for reactor building temperature from Table 2.

3.0 SPDS DESIGN CONSIDERATIONS

This section of the SAR provides summary information regarding a number of aspects of SPDS design that are of regulatory interest, and are relevant to SPDS safety analysis. Several topics that need to be addressed with more than summary information are also discussed in separate sections that follow Section 3.

3.1 SPDS Definition

The SPDS is part of the VYNPS integrated computer system and is that portion that is being implemented to meet the SPDS provisions contained in Section 4.1 of Supplement 1 to NUREG-0737 (Ref. 19). From the standpoint of displays, the SPDS consists of the displays described in Section 4 of this SAR.

3.2 SPDS Use and Location

SPDS displays and man-machine interface functions will be accessible to control room personnel at locations in the control room that are appropriate for monitoring plant safety status and for supervisory or overview functions during an emergency. The SPDS is primarily intended to be an aid to control room personnel in monitoring overall plant safety status and in entering and executing VYNPS EOPs. The principal users of the SPDS will be shift supervisors and the shift engineers. Typical locations for display of SPDS information in the control room are shown in Figure 1. SPDS information will be continuously displayed in at least one location in view of supervisory control room personnel. The VYNPS computer system will also provide SPDS data (and other data that is appropriate for facility functions) to emergency personnel in the TSC and EOF using common man-machine interface provisions and SPDS displays.

3.3 Reactor Modes

The BWROG EPGs provide the basis for effective and safe response to general symptoms of the plant without specification of the plant operational mode. Thus the VYNPS plant-specific technical guidelines and EOPs which are based on the BWROG EPGs will be useful in all plant modes for monitoring plant safety and initiating emergency response. The VYNPS SPDS will also be continuously subjected to operator reviews through their regular simulator training programs. Any additional alarms or data from these reviews that may be needed for cold shutdown or refueling modes will be considered for addition to the SPDS after the initial SPDS implementation has been completed.

3.4 SPDS Availability

The SPDS will not be designed as a safety-grade system. However, the system will be designed as a state-of-the-art system for high reliability. Modern reliability and maintainability features such as self checking, diagnostic utilities, and on-line error logging will be included in the system.

Design goals for VYNPS SPDS availability in the control room (including power supply failure) are as follows.

a. At least 0.98 during plant modes above shutdown and refueling;
b. At least 0.80 during cold shutdown and refueling modes.

These are design goals and not operating limits. However, if installed SPDS availability is significantly less than these goals, system enhancements to increase availability will be considered. In determining system availability, the availability of system components will be calculated using the following standard formula:

Component availability = (MTBF - MTTR)/MTBF

where:

MTBF = Mean time between failures
MTTR = Mean time to repair, including time for identification of failed component

The calculational analysis of SPDS availability will be documented as system design is finalized and specific hardware design configuration information is established. SPDS availability will also be evaluated in an availability test that will be conducted on the completed system. Both the availability analysis and availability test procedure and results will become part of the auditable system documentation files maintained by VYNPC.

3.5 System Flexibility

SPDS will have appropriate flexibility so that system changes can occur, primarily in the software and displays. Spare capacity and expandability will be provided in data acquisition system (DAS) and CPU hardware design. Software and display features will be modular and with interface provisions to facilitate modifications.

The need to implement changes in the system could arise, for example, from user feedback based on operational experience, future revisions to VYNPS E0Ps and BWROG EPGs, and deficiencies identified during man-machine validation.

Examples of modifications that will be possible to incorporate in the SPDS include:

a. Change displays and display formats
b. Change processing of engineering units
c. Change input sensors
d. Change constants used in signal validation and composed points processing
e. Change or add SPDS cues and alarm levels.

In order to avoid changes without proper review and approval, changes to SPDS will not be permitted except under formal configuration control procedures. (See Sections 3.13 and 3.14.)

3.6 SPDS Priority

Since SPDS will be part of an integrated VYNPS computer system, it is necessary to assure that SPDS functions will receive appropriate computer processing priority. Accordingly, SPDS functions will have computer execution priority over those functions that would not need high priority during an emergency. Also, control room access to historical and current SPDS data shall have computer execution priority over other locations, e.g., computer room, TSC and EOF.

3.7 SPDS Response Time

SPDS functions of the computer system will be executed with short time delays that are appropriate for providing information during an emergency situation. The following response times will be provided for SPDS functions.

Query Type                          Max. Response Time (Sec)
Callup menu                          3.0
Display call from menu               5.0
Display call from function key       5.0
Initial response to print request   10.0
Response to status inquiry          10.0
Input error feedback                 3.0

3.8 Data Storage and Recall Capability

The capability to store and recall SPDS data for subsequent analysis will be provided. The system will have the capability to capture data for the two hour period immediately before reactor trip or emergency event and also to continue to store data for a period of twelve hours after such an event has occurred. Capacity for pre-event and post-event data storage will be designed to permit a minimum of two weeks of data to be archived off-line.
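An added sketch of the capture window described above (not code from the SAR or from the VYNPS computer system): a ring buffer holds the two hours before an event and storage continues for twelve hours after it. The fixed scan period, the class and function names, the extension of an open capture by a second event, and the sample values are assumptions.

```python
"""Pre-event / post-event capture around a trip signal (illustrative)."""
from collections import deque

PRE_EVENT_S = 2 * 3600      # two hours retained before the event
POST_EVENT_S = 12 * 3600    # twelve hours stored after the event


class EventRecorder:
    def __init__(self, scan_period_s, pre_s=PRE_EVENT_S, post_s=POST_EVENT_S):
        self.pre_s, self.post_s = pre_s, post_s
        # Ring buffer sized to hold exactly one pre-event window of scans.
        self._ring = deque(maxlen=pre_s // scan_period_s)
        self._capture = None      # list of samples while an event is open
        self._stop_at = None      # time at which the open capture ends
        self.archive = []         # closed captures, ready for off-line storage

    def record(self, t, sample):
        """Store one scan taken at time t (seconds)."""
        self._ring.append((t, sample))      # history keeps rolling at all times
        if self._capture is not None:
            self._capture.append((t, sample))
            if t >= self._stop_at:          # post-event window complete
                self.archive.append(self._capture)
                self._capture = self._stop_at = None

    def trigger(self, t):
        """Reactor trip or emergency event at time t (after the scan at t)."""
        if self._capture is None:
            # Freeze the history. The time filter drops stale samples that
            # would otherwise survive in the ring after a gap in scanning.
            self._capture = [s for s in self._ring if s[0] >= t - self.pre_s]
        # A second event inside an open capture extends it instead of
        # starting a new one, so no post-event data is cut short.
        self._stop_at = t + self.post_s


def simulate(trip_times, end_s, scan_period_s=60):
    """Drive the recorder with constructed samples and the given trip times."""
    rec = EventRecorder(scan_period_s)
    for t in range(0, end_s + 1, scan_period_s):
        rec.record(t, 100.0 + (t // scan_period_s) % 7)   # constructed value
        if t in trip_times:
            rec.trigger(t)
    return rec


if __name__ == "__main__":
    rec = simulate({3 * 3600}, 60000)
    cap = rec.archive[0]
    print(f"{len(cap)} samples from t={cap[0][0]} s to t={cap[-1][0]} s")
```
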

3.9 Signal Validation

Presentation of inaccurate data and false alarms can cause lack of confidence in the SPDS. The VYNPS SPDS will include provisions for automatic determination and continuous indication of the quality of SPDS data.

SPDS signals will undergo pass/fail processing, range limit checking, and signal validation algorithm processing. Quality level indication will be presented to operating personnel along with the quantitative value of the data. On-line signal validation is intended to relieve operators from routine data quality assessments, yet make data available with quality level indicators for non-routine evaluation of data as operating personnel deem appropriate. Signal validation is discussed in more detail in Section 5 of this SAR.

3.10 Electrical Power Supplies

The VYNPS computer system will be provided with an Uninterruptible Power Supply (UPS) which will allow continuous operation of the SPDS. UPS capability will include appropriate margin in excess of system maximum demand. The UPS will also include a backup dc power source with capability to provide at least one hour of system operation in the event that ac power is lost.

3.11 Electrical and Electronic Isolation

The VYNPS computer system, including the SPDS, will be suitably isolated from electrical and electronic interference with equipment and sensors that are used in safety systems. Interfaces between the computer system and plant safety systems will be isolated in accordance with the provisions of applicable IEEE standards (Refs. 25, 26 and 33) and VYNPS criteria (Ref. 32) to preserve channel independence, as well as safety system integrity, from computer/SPDS malfunctions. Computer hardware that interfaces with safety class electrical equipment will be powered by a power supply that takes power from the electrical division concerned. Inputs to the computer from safety systems will be optically isolated or transformer coupled and surge protected in accordance with the cited IEEE standards, and isolation devices will be environmentally and seismically qualified, and tested for maximum credible faults.

3.12 Human Engineering

Human factors engineering (HFE) is a necessary ingredient in developing an SPDS that will aid operators in assessing plant safety and responding to plant emergencies. HFE will be integral to the SPDS design process, not conducted as part of design review after the fact. Accordingly, a human factors plan will be developed and applied as part of the SPDS implementation project. Additional discussion of the contents of the human factors plan and its application to the VYNPS is presented in Section 6 of this SAR.

3.13 Design Control and Documentation

The VYNPS SPDS will be developed and implemented in a disciplined and consistent manner in accordance with specific plans and procedures. This will include Design Control, Quality Assurance Plan, Software and Hardware Configuration Control and a V & V Plan (see Section 7).

Design Control procedures will provide for an auditable documented history of the SPDS design process. Design will be controlled in accordance with appropriate levels of documentation, including system requirements, system design specifications, test procedures, and system operating instructions. Design control documentation will provide convenient methods for documenting changes, updating software, and system documentation to the latest level of system development. Procedures and tests will be specified and implemented to ensure that hardware and software perform functions as specified.

The SPDS will be designed, developed, tested and implemented in accordance with an established quality assurance plan that is approved by VYNPC. VYNPC will audit application of the QA plan during system development.

Configuration standards will provide controls to ensure top-down structured system design and to control revision levels of software and hardware. Procedures will also be implemented for documented configuration control of SPDS changes after the SPDS is operable at VYNPS.

3.14 System Documentation

Complete documentation of the SPDS will be maintained by VYNPC as appropriate for system specification, description, operation, maintenance, testing, modification, expansion, and for auditable records for the implementation project.

FIGURE 1

[Figure not recoverable from the scan; the surviving labels are of the form CRP 9-nn.]

4.0 SPDS DISPLAYS

4.1 Display Philosophy and Structure

As discussed in Section 2, the SPDS displays will be based on the BWR EPGs and plant-specific EOPs for VYNPS. These EPGs and EOPs provide the approved basis for emergency actions that respond to plant symptoms, not a limited set of pre-conceived events. SPDS displays are intended to aid operating personnel in the rapid assessment of plant safety status, identify the need to initiate EOPs, and to assist in monitoring important parameters and proximity to limits in executing the EOPs. It is important that the displays and their structure and hierarchy be compatible with use during emergency situations. Accordingly, each display will be designed for concise information presentation using similar format structure, and the total number of displays will be limited and arranged into a simple and easy to use hierarchy. The VYNPS SPDS will not be designed to include all information requirements contained in the EPGs and EOPs. Doing so would lead to several hundred or thousands of parameters and signals that would be impossible to include in a small set of concise displays, and therefore would be inconsistent with the philosophy and requirements for a concise SPDS.

The structure of individual displays will be designed to use formats for data presentation that are standardized for similar displays. This will allow users to immediately recognize information presentation formats and to anticipate information location when traversing from one display to another. Each display will present information in a combination of data formats best suited for each type of data, consistent with the overall structure of that display. An individual display may consist of a combination of digital values, state indicators, parameter bar and plot graphs, warning and limit flags or boxes, along with alphanumeric nomenclature.

The displays will be arranged in hierarchy from a top level, or plant overview display of summary information, supported by successive lower level displays that provide increasingly detailed information. The hierarchy of displays will be arranged to support the use of EOPs and the systematic passage between displays within the hierarchy. Dedicated function keys will be provided to allow direct operator access to higher level displays using a single key stroke.

SPDS displays will incorporate operational viewpoints to help assure enthusiastic acceptance by operating personnel. This will be accomplished by including operator review and input as displays are conceived and designed, rather than after design has been completed.

4.2 Generic Display Content

Each display will include certain information that will be presented in the same location and format for all displays. As a minimum this will include the display title, date, time and CRT function indicator, as well as the status boxes for EOP entry indication.

4.3 Overview Display

In addition to the generic display information, the plant overview display will present the current value of the principal control parameters along with appropriate limit indicators. Since maintenance of these parameters within prescribed ranges is necessary and sufficient for plant safety, this display will provide operating personnel with a concise overview of plant safety. The information will be arranged and structured for rapid operator assessment, possibly using a plant mimic format.

4.4 EOP Control Displays

In addition to the generic display information, a group of EOP Control Displays will provide information to aid operators in monitoring and controlling parameters as specified in the EOPs. Each display will be designed to aid operating personnel in the execution of one or more EOPs. The principal feature of these displays will be the graphical presentation of current and recent history of the principal parameters to be monitored and controlled by the respective EOP(s). Also, the displays will include appropriate limit indicators for each parameter. It is expected that there will be 3 to 5 EOP control displays, depending on how many EOPs can be supported by a single display.

4.5 Detailed Parameter Trend Graphs

In some instances operating personnel will desire to examine the history, changes and limits of certain principal control parameters in greater detail. Appropriate principal control parameters will be selected for displays which will be designed to present higher resolution trend graphs suitable for more detailed evaluation. It is expected that 5 to 7 of these detailed parameter trend graphs will be included in the SPDS. As for all SPDS displays, these displays will also include the generic display information.

4.6 EOP Limit Curves

As discussed earlier, the limit curves specified in the EOPs will be included in the SPDS. The limit curves will be presented in graphical form in displays that show detailed resolution similar to the detailed parameter trend graphs. The current value and appropriate history "tail" will be shown in analog trend form and the current value of each parameter will also be shown in digital form. The generic display information will also be included. There may be up to ten of these limit curve displays, one for each of the EOP limit curves listed in Table 4.

4.7 Other Supporting Displays

The SPDS will include several other support displays. Each of these displays will include the generic display information plus additional information. It is expected that there will be 2 to 5 displays of this type. The following two have been identified. Others will be added if needed.

a. SPDS Menu
   There will be an SPDS menu that shows the hierarchy, identification and call-up designation for all SPDS displays.
b. Validation Status
   Display(s) will be provided to enable operating personnel to examine the status of all SPDS signals and parameters that receive signal validation processing. The display will include input ID and values, as well as validation quality tags. This will permit users to determine the signals that contribute to an indication of low quality.

4.8 Display Access

Each SPDS display may be accessed from keyboards located near each plant computer CRT. Display call-up may be either from menu selection information or by direct keyboard call-up without referring to a menu. SPDS call-up provisions will be designed to facilitate rapid access in emergency situations.

Dedicated function keys will be provided for direct call-up of higher level and frequently used displays. These keys will use color coding and grouping to facilitate rapid location and use. For multiple page displays, page up and page down keys will be provided. As with display development, operating personnel review and input will be included in the development of display access provisions.

4.9 Parameter Quality Indication

All SPDS parameters will be displayed with their associated quality level tags assigned from signal validation processing. The displays will show both the quantitative value of the parameter and the associated quality tag. Additional discussion of signal validation is presented in Section 5.

4.10 Summary of Displays

In summary, the SPDS will include between 20 and 28 displays as listed below.

Display Type               Quantity
Overview                   1
EOP Control                3-5
Detail Parameter Graphs    5-7
EOP Limit Curves           10
Others                     2-5

5.0 SIGNAL VALIDATION

5.1 Introduction and Objectives

A particular concern with computer-based systems is to present users with believable and high quality data. Industry experience has shown that low quality data and false alarms can cause lack of confidence in SPDS and computer based displays (Refs. 29, 30, 31). Also, the use of misleading or low quality data in SPDS processing can propagate the problem into a number of displays and into composed point calculations.

Unlike hard-wired instrumentation which directly measures and displays process variables, computer processed sensor signals may undergo extensive software processing, with subsequent error propagation.

The objectives of signal validation are to:

a. Perform continuous real time checking of SPDS data using pre-established algorithms that are simple and do not place undue burden on the computer system.
b. Assign data quality level indicators and display this with the quantitative data.
c. Relieve operating personnel from routine comparisons and checks of data and highlight potential low quality data for their attention.

5.2 Validation Processing

Signals to be used in the SPDS will undergo pass/fail processing, range limit checking, and if appropriate, validation algorithm processing. SPDS parameters will be associated with quality tags which indicate one of three quality levels: invalid, unvalidated and validated. The validation process of these levels is summarized below.

a. Pass/fail processing determines if a sensor signal is in scan, if the multiplexor communication interface is operating within design limits, and if the analog/digital converter drift is within design limits. A signal that fails pass/fail processing is assigned an invalid quality tag.
b. Range limit checking determines if a signal is within its instrument range with predetermined margins from scale maximum and minimum. A signal not within the range limit is assigned an invalid tag. A signal within the range limit is assigned an unvalidated tag.
c. Validation processing will be performed on appropriate signals using simple predetermined algorithms for signal comparison to establish a higher level of data quality. Successful comparison within algorithm limits results in assignment of a validated quality tag. An individual signal found to be inconsistent is assigned an invalid quality tag.

5.3 Validation Features

Signal validation for the SPDS will include the following features.

a. Signal Validation may include comparison of redundant or similar signals, as well as comparison with calculated parameters, as appropriate.
b. Signal Validation may include arithmetic averaging, deviation weighted averaging, parity space vector analysis, and other proven methods.
c. Signal Validation may include algorithms to correct or compensate signals for effects of pressure, temperature and flow if different from those conditions under which an instrument is calibrated.
d. Validated signals and parameters will be used preferentially over lower quality data for indication of parameters, EOP entry conditions, and other important SPDS information.

e. The quality tag associated with any data will be carried through and reflected in the quality tag for any subsequent calculations that use that data. If a calculation uses inputs with different quality levels, the lowest level of quality used will be reflected in the quality assigned to the calculated result.
f. Application of quality tags will not affect the quantitative value of the data, and access to data will not be affected regardless of validity assignments rendered by the validation process.

g. Signal validation will be applied to SPDS variables using a specification table to define validation processing for each variable. A validation status table will be available for display of any or all SPDS signals and parameters, and shall show input ID and values as well as assigned quality levels.
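The tagging sequence of Section 5.2 and features d, e and f above, as an added example that is not part of the SAR or of the plant software. The SAR only calls for simple predetermined comparison algorithms; the median-and-tolerance comparison with a majority rule, the specification-table fields, the point IDs and the sample scan are assumptions chosen for illustration.

```python
"""Three-level quality tagging for redundant sensor channels (illustrative)."""
from dataclasses import dataclass
from enum import IntEnum
from statistics import mean, median


class Quality(IntEnum):          # ordered so min() yields the lowest quality
    INVALID = 0
    UNVALIDATED = 1
    VALIDATED = 2


@dataclass(frozen=True)
class Reading:                   # one scanned input and its hardware status bits
    point_id: str
    value: float
    in_scan: bool = True
    mux_ok: bool = True          # multiplexer interface within design limits
    adc_drift_ok: bool = True    # A/D converter drift within design limits


@dataclass(frozen=True)
class Spec:                      # one row of a hypothetical specification table
    lo: float                    # instrument scale minimum
    hi: float                    # instrument scale maximum
    margin: float                # fraction of span kept clear of each scale end
    tolerance: float             # allowed deviation from the group median


@dataclass(frozen=True)
class Tagged:
    point_id: str
    value: float                 # never altered by tagging (feature f)
    quality: Quality


def screen(r: Reading, spec: Spec) -> Quality:
    """Pass/fail processing, then range limit checking."""
    if not (r.in_scan and r.mux_ok and r.adc_drift_ok):
        return Quality.INVALID
    guard = (spec.hi - spec.lo) * spec.margin
    if not (spec.lo + guard <= r.value <= spec.hi - guard):
        return Quality.INVALID
    return Quality.UNVALIDATED


def validate_group(readings, spec):
    """Tag redundant channels by comparing each survivor with the group median."""
    quality = {r.point_id: screen(r, spec) for r in readings}
    survivors = [r for r in readings if quality[r.point_id] is Quality.UNVALIDATED]
    if len(survivors) >= 2:
        centre = median(r.value for r in survivors)
        agree = [r for r in survivors if abs(r.value - centre) <= spec.tolerance]
        # Only act when a majority agrees; otherwise the odd channel cannot be
        # identified and every survivor stays UNVALIDATED.
        if 2 * len(agree) > len(survivors):
            for r in survivors:
                quality[r.point_id] = (Quality.VALIDATED if r in agree
                                       else Quality.INVALID)
    return [Tagged(r.point_id, r.value, quality[r.point_id]) for r in readings]


def best_estimate(point_id, tagged):
    """Feature d: average the channels at the highest quality level present."""
    top = max(t.quality for t in tagged)
    return Tagged(point_id, mean(t.value for t in tagged if t.quality is top), top)


def compose(point_id, inputs, fn):
    """Feature e: a composed point carries the lowest quality of its inputs."""
    return Tagged(point_id, fn(*(t.value for t in inputs)),
                  min(t.quality for t in inputs))


# Constructed sample scan: five redundant channels of one hypothetical signal.
LEVEL_SPEC = Spec(lo=0.0, hi=200.0, margin=0.02, tolerance=3.0)
SCAN = [
    Reading("LVL-A", 162.0),
    Reading("LVL-B", 161.4),
    Reading("LVL-C", 140.0),                  # in range but disagrees
    Reading("LVL-D", 199.5),                  # inside the guard band at scale max
    Reading("LVL-E", 161.0, in_scan=False),   # off scan
]

if __name__ == "__main__":
    tags = validate_group(SCAN, LEVEL_SPEC)
    for t in tags:                            # a minimal validation status table
        print(f"{t.point_id}: {t.value:7.1f}  {t.quality.name}")
    print(best_estimate("LEVEL", tags))
```

With only two surviving channels that disagree, neither can be singled out as the faulty one, so this sketch leaves both unvalidated rather than marking either invalid.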


6.0 HUMAN FACTORS ENGINEERING

Human Factors Engineering (HFE) is a necessary ingredient in the successful development and implementation of the SPDS. The principal objective for the SPDS is to serve as an aid to the operating crew in monitoring the safety status of the plant and initiating and executing appropriate response to plant emergencies. Although as an operational aid the SPDS will not serve as safety grade instrumentation, it is important that human factors considerations be integral to the system development process to assure SPDS effectiveness in emergency response.

Accordingly, a HFE plan will be prepared and applied as part of the SPDS project. The plan will provide a top-down coordinated approach to HFE and will be based on proven and effective HFE methods.

6.1 HFE Plan

The following elements will be included in the HFE Plan.

a. Human Factors Principles and Criteria
   The human factors principles and criteria to be incorporated into the SPDS will be documented along with the processes that will be followed to ensure their incorporation into the SPDS design.
b. Definition of User, Functions and Tasks
   The users, functions and tasks, as well as related information needs, will be identified relevant to the role defined for the SPDS.

c. Control Room Interface
   Plant computer/SPDS workstations will be integrated into the existing plant instrumentation and control room arrangement. Layout and viewing environment requirements will be defined. Work stations will be designed to provide full visual access to existing panels and not interfere with normal activities of the operating crew.
d. User Interface
   The methodology for designing and evaluating the man-machine interfaces and displays will be specified and documented.

6.2 Application of HFE Plan

Since the SPDS will be an integral part of the VYNPS computer system and will share many features, including man-machine interface provisions, the SPDS HFE plan will be able to utilize and share many elements of the HFE plan that will be prepared and implemented for the overall computer system. This will strengthen the achievement of an integrated and common interface for all computer functions, including SPDS.

The HFE Plan and implementation activities will be prepared and coordinated by personnel who are experienced in human factors methodology, BWR plant operations, and computer/SPDS implementation technology.

6.3 Display Development

SPDS displays will be developed in a logical progression from initial concepts, through detail design, iteration and final review. Initial display concepts regarding content, structure and hierarchy will be developed and reviewed. Detailed display design will be conducted along with multidiscipline review in an iterative fashion to match displays with user needs. A display functional description document will be prepared to explain how the displays will function from a plant operator's perspective. This will provide a basis for display configuration management as well as a point of departure for preparation of software specifications and SPDS training materials. Human factors personnel will be involved in reviewing the displays and the display development process at appropriate points.

6.4 Human Factors Design Assessment

The SPDS design will be evaluated against the human factors criteria contained in Section 18.2 of the Standard Review Plan (Ref. 20).

Results of this review will be documented and any deficiencies will be identified for follow up action.


7.0 DESIGN VERIFICATION AND VALIDATION

7.1 V & V Overview

The objective of V & V is to provide a quality SPDS that meets documented requirements and functions, through independent technical review and evaluation conducted in parallel with SPDS design and installation.

When V & V is integrated with the SPDS implementation process it provides a means for:

a. Independent technical evaluation of the system
b. Assuring formally documented implementation
c. Early identification of system or implementation deficiencies
d. Meeting regulatory audit requirements.

7.2 Key Elements of SPDS V & V

V & V of the VYNPS SPDS will, as a minimum, meet the guidelines contained in NSAC-39, "Verification and Validation for Safety Parameter Display Systems" (Ref. 27). Key overall elements of V & V will be to assure:

a. Comprehensive technical review of system functional requirements to assure that the SPDS will perform appropriate functions.
b. Comprehensive technical evaluation of the implementation process to establish that succeeding tasks are a consistent, complete and correct translation of previous tasks in the development process.
c. Adequate documentation of the system, as well as for system implementation.
d. Adequate configuration management to document and control system and implementation changes.

7.3 Verification

Verification is the review process to ensure that the design meets all requirements and that the requirements have been correctly and completely translated through each level of system documentation.

Verification will be performed in a formal, structured and thoroughly documented manner at each level of system documentation. Important elements of SPDS verification include the Requirements review, the System Design Specification review and the Design review.

A review of the SPDS Requirements document will be conducted to determine if the specified requirements reflect the provisions of NUREG-0737 Supplement 1 (Ref. 19), applicable standards, and plant requirements. This review is the first formal check to assure that the SPDS will perform intended functions. It will be completed prior to initiating SPDS design.

A review of the Design Specification will be conducted to determine if the provisions of the Requirements document have been translated into the Design Specification document. This review will be completed before SPDS design is initiated. Review elements will include correctness, completeness, consistency, understandability, feasibility, testability and traceability. To facilitate this review, and subsequent V & V activities, a cross reference matrix of the requirements will be developed. This will provide systematic documented mapping of requirements between the Requirements and Design Specification documents, and will also provide a basis for mapping to subsequent SPDS acceptance testing and validation activities.

After SPDS design is complete, a review will be conducted to determine if the design reflects the provisions of the Design Specification document and if the configuration control procedures have properly documented and controlled the design process. Results of the design review will be documented.

7.4 Validation

Validation is the end-to-end testing and evaluation of the integrated hardware and software to determine that SPDS requirements are met.

Determination of acceptable system function will be accomplished through a planned testing and evaluation process. Validation will be thoroughly documented by preparation of:

a. Validation test plan
b. Validation test procedures
c. Validation test and evaluation report.

Validation testing is used to confirm correct operation and compliance with specific functional and performance requirements of the SPDS.

Where possible, clearly defined acceptance criteria such as accuracy, response time, visual or audible signals, internal processing transfer functions, etc., will be tested. Tests will include coverage of both static and dynamic modes. Engineering evaluation will be performed relative to SPDS attributes that cannot be tested or when engineering evaluation is deemed more appropriate than testing.

7.5 V & V Plan

A V & V plan will be developed and documented during the planning phase of the SPDS project. The plan will describe the scope, objectives, process, procedures, documentation and personnel qualifications that will be applied to SPDS V & V.

7.6 V & V Independence

V & V planning and plan implementation will be conducted by personnel who are independent from SPDS design and development activities. V & V personnel will be experienced in industry practices in SPDS V & V, and will possess sufficient knowledge in SPDS technology to enable V & V activities to be conducted efficiently.

8.0 MAN-MACHINE VALIDATION

8.1 Goal and Objectives

The goal of SPDS Man-Machine Validation is to demonstrate that the SPDS aids operating personnel in monitoring plant safety status and in initiating and executing EOPs. This element of the SPDS project will demonstrate the effective integration of the SPDS, the EOPs and the operating crew in a realistic and dynamic environment. The objective is not to repeat detailed checks and evaluations previously conducted during SPDS acceptance testing and validation, but rather, to validate the following overall objectives under simulated emergency conditions:

a. The SPDS is understandable and usable.
b. The SPDS integrates with the EOPs and the control room.
c. The displays are appropriately responsive to plant data under emergency conditions.
d. The SPDS does not interfere with operating crew duties during normal and emergency conditions.

8.2 Method of Validation

The SPDS developed for VYNPS will be installed in the VYNPS simulator prior to installation in the plant control room. Man-Machine Validation will be conducted in the simulator control room using a series of transients and accidents of varying complexity, in accordance with a documented plan.

8.3 MMV Plan

A written plan will be developed for conducting Man-Machine validation. This plan will address all appropriate MMV issues including:

a. Development of criteria for selection of scenarios with appropriate variation in complexity.
b. Selection, specification and preparation of scenarios.
c. Identification of resources needed for MMV.
d. Development of MMV procedures.
e. Development of MMV data sheets.
f. MMV test conduct and organization.
g. Results evaluation and documentation.

8.4 MMV Results Follow Up

A plan and schedule will be established to respond to any recommendations for SPDS or EOP modifications as a result of MMV findings.

9.0 SPDS TRAINING

9.1 User Training

A user training course will be prepared and conducted for all users, including engineering and support staff, as appropriate. Included in this training course will be topics of system operation, display descriptions and their expected use, and functional descriptions of hardware, software and system characteristics.

9.2 Operator Training

Control room operating personnel will be provided with SPDS training on the VYNPS simulator. This training will be incorporated in the formal VYNPS operator training program. Control room personnel will be formally trained on the SPDS after the MMV program has been completed and prior to implementation of the SPDS in the plant control room. Operator training will include topics listed under user training plus additional topics appropriate for control room personnel.

The operator training program will be developed in accordance with INPO accreditation criteria. The program will utilize performance based objectives, clear and concise evaluation techniques, and an overall feedback mechanism to determine training effectiveness. Consistent with the design basis of SPDS as an aid, the training will address use during normal and abnormal conditions, as well as situations when SPDS is available and when it is not available. As stated earlier, care will be taken to emphasize that SPDS is intended to aid the control room operating personnel. It is not the only means to monitor plant safety status and does not replace other existing control room indication.

10.0 CONCLUSION

The VYNPS SPDS is being implemented in compliance with the requirements of NUREG-0737 Supplement 1 as summarized in Sections 10.0 through 10.6 below.

10.1 Compliance with NUREG-0737 Supplement 1, Section 4.1.a

As discussed in Section 4 of this SAR, the status of the principal control function parameters as well as the status of conditions to initiate EOPs will be concisely displayed to aid operators in rapidly and reliably determining the safety status of the plant.

The VYNPS SPDS will be designed to operate in normal and abnormal plant conditions (see SAR Section 3) and is based on NRC approved EPGs (see SAR Section 2) for assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core.

Therefore the VYNPS SPDS will comply with Section 4.1.a of Supplement 1.

10.2 Compliance with NUREG-0737 Supplement 1, Section 4.1.b

As discussed in Section 3.2 of this SAR, VYNPS is being provided with SPDS in the control room for use by control room personnel (primarily the shift supervisor and shift engineer) who assess plant safety status and who are responsible for avoiding degraded and damaged core events. Thus the SPDS will comply with Section 4.1.b.

10.3 Compliance with NUREG-0737 Supplement 1, Section 4.1.c

As discussed in Section 2.3 of this SAR, the VYNPS SPDS is being used to augment, and as an aid to, existing control room components and as such will be integrated into the control room environment. As discussed in Section 9 of this SAR, SPDS training will address procedures for assessment of plant safety status and for response to accident conditions both with and without the SPDS available. As discussed in Section 3.11 of this SAR, the SPDS will be suitably isolated from interference with safety systems.

Therefore, it is concluded that the SPDS will comply with all provisions of Section 4.1.c of Supplement 1.

10.4 Compliance with NUREG-0737 Supplement 1, Section 4.1.d

Selection of specific information to be included in the SPDS is based on NRC and industry accepted EPGs and the VYNPS EOPs. Sound engineering evaluation and judgement is being used to select information for the SPDS, as discussed in Sections 2 and 4 of this SAR. As discussed in Section 3.6, the SPDS is also being designed with flexibility so the information can be modified in the future if the need arises. It is concluded that the SPDS will comply with Section 4.1.d of Supplement 1.

10.5 Compliance with NUREG-0737 Supplement 1, Section 4.1.e

As discussed in Sections 4 and 6 of this SAR, the SPDS display will be designed to incorporate accepted human factors principles for ready perception and comprehension by users, in compliance with Section 4.1.e of Supplement 1.

10.6 Compliance with NUREG-0737 Supplement 1, Section 4.1.f

The five critical safety functions listed in Section 4.1.f of Supplement 1 are inherently addressed by the generic BWROG EPGs, and Section 2 of this SAR shows the correlation between the CSFs, the EPGs and the VYNPS EOPs.

The NRC and the industry have accepted the EPGs as an adequate basis for development of plant specific technical guidelines and EOPs. As discussed in Section 2 of this SAR, the SPDS parameters have been based on the EPGs and EOPs. With SPDS information based on EPG principal control function parameters, EOP entry conditions, and support for EOP execution, as discussed in Sections 2 and 4 of this SAR, it is concluded that the SPDS complies with Supplement 1 Section 4.1.f, and will provide sufficient information to plant operators about safety status, including all listed CSFs, to aid the operating crew in appropriate emergency response.

10.7 SPDS Implementation at VYNPS

The VYNPS Plant Operations Review Committee will formally review design packages and affirm that the SPDS will not introduce any unreviewed safety questions regarding VYNPS design or operation. As summarized in this Safety Analysis Report, the VYNPS SPDS has been formulated in compliance with the provisions of NUREG-0737 Supplement 1. VYNPC concludes that implementation of the SPDS will not require modification to the station Technical Specifications.


REFERENCES

1. Letter, USNRC to All Operating Licensees, Generic Letter 82-33, December 17, 1982
2. Letter, L.H. Heider to D.B. Vassallo, NUREG-0737, Supplement 1 - Proposed Integrated Plan for Emergency Response Capability, April 19, 1983
3. Letter, W.P. Murphy to D.B. Vassallo, NUREG-0737, Supplement 1 - Additional Information, August 4, 1983
4. Letter, W.P. Murphy to D.B. Vassallo, NUREG-0737, Supplement 1 - Additional Information, August 12, 1983
5. Letter, D.B. Vassallo to J.B. Sinclair, Issuance of Order Confirming Licensee Commitments on Emergency Response Capability, June 12, 1984
6. Letter, D.B. Vassallo to R.W. Capstick, Order Modifying License Confirming Additional Licensee Commitments on Emergency Response Capability (Supplement 1 to NUREG-0737), August 29, 1985
7. Letter, W.P. Murphy to D.B. Vassallo, Safety Parameter Display System, February 1, 1985
8. Functional Safety Parameter Display System Safety Analysis Report for Vermont Yankee Nuclear Power Corporation, January, 1985
9. General Electric Co, "Additional Information Required for NRC Staff Generic Report on Boiling Water Reactors", NEDO-24708, August, 1979
10. "BWR Emergency Procedure Guidelines", Revision 3, BWR Owners' Group
11. U.S. Nuclear Regulatory Commission, "Safety Evaluation Report of BWR Emergency Procedure Guidelines, Revision 3", November 23, 1983
12. Vermont Yankee Nuclear Power Corporation, "Emergency Operating Procedure (EOP) Procedure Generation Package" Revision 0, November 4, 1985

13. U.S. Nuclear Regulatory Commission, "NRC Action Plan Developed as a Result of the TMI-2 Accident", NUREG-0660 Vols 1 and 2, May 1980
14. U.S. Nuclear Regulatory Commission, "Clarification of TMI Action Plan Requirements", NUREG-0737, November 1980
15. U.S. Nuclear Regulatory Commission, "Functional Criteria for Emergency Response Facilities", NUREG 0696, February, 1981
16. U.S. Nuclear Regulatory Commission, "Human Factors Acceptance Criteria for the SPDS", NUREG-0835 (Draft), October, 1981
17. Nuclear Safety Analysis Center, "Functional Safety Parameter Set for BWRs", December, 1980
18. Nuclear Utility Task Action Committee (NUTAC), "Guidelines for an Effective SPDS Implementation Program", INPO 83-003 (NUTAC), January, 1983
19. U.S. Nuclear Regulatory Commission, "Requirements for Emergency Response Capability", (Generic Letter 82-33), Supplement 1 to NUREG-0737, December 17, 1982
20. U.S. Nuclear Regulatory Commission, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, Section 18.2, Safety Parameter Display Systems", Rev. 0, November 1984
21. Electric Power Research Institute, "Evaluation of Safety Parameter Display Concepts, Vol. 1", EPRI NP-2239, February, 1982
22. Sandia National Laboratories, "Simulator Evaluation of the BWROG Graphics Display System", ALO-1019, May 1983
23. Electric Power Research Institute, "Computer-Generated Display System Guidelines, Vol. 1", EPRI NP-3701, September, 1984
24. EOP Implementation Review Group, "EOP Writing Guideline", INPO 82-017, July, 1982

25. Institute of Electrical and Electronic Engineers, "American National Standard Guide for Surge Withstand Capability Tests", IEEE 472-1974, (ANSI/IEEE C37.90a-1974)
26. Institute of Electrical and Electronic Engineers, "Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations", IEEE 323-1974
27. Nuclear Safety Analysis Center, "Verification and Validation for Safety Parameter Display Systems", NSAC-39, December, 1981
28. Electric Power Research Institute and U.S. Department of Energy, "Graphic Display Development Program", RP-2347-15, Interim Report OEI 8304-1, December, 1984
29. U.S. Nuclear Regulatory Commission, "Safety Parameter Display System Survey", IE Information Notice 86-10, February 13, 1986
30. ACRS Subcommittee on Human Factors, Meeting Notes, March 19-20, 1986
31. Electric Power Research Institute, "Validation and Integration of Critical PWR Signals for Safety Parameter Display Systems" - Interim Report, NP 4566, May, 1986
32. Vermont Yankee Nuclear Power Plant, "Ground Rules for Separation and Identification of Reactor Protection and Safeguard Systems - Related Electrical Equipment and Wiring", Revision 3, June 7, 1971
33. Institute of Electrical and Electronic Engineers, "Recommended Practices for Seismic Qualification of Class IE Equipment for Nuclear Power Generating Stations," IEEE 344-1975

APPENDIX

SPDS Implementation Plan

VYNPC has worked closely with the NRC Project Manager in finalizing the schedule for implementing the provisions of Supplement 1 to NUREG-0737.

That effort resulted in mutually acceptable plans for the EOPs, the DCRDR, Regulatory Guide 1.97 assessment, and emergency response facilities. Each of these implementation projects has been completed or is on schedule, and provides significant contribution to SPDS implementation.

As discussed previously, VYNPC completed an evaluation of the present plant computer and peripheral equipment and found it unsuited for performance of SPDS functions. Although the present plant computer will be maintained to support the plant through the next two refueling outages, it will be phased out of service by a series of upgrades scheduled to be completed during the 1988 refueling outage. SPDS implementation will occur as part of this new integrated plant computer system.

The SPDS will be implemented in the VYNPS simulator prior to its implementation in the plant control room. This will allow complete evaluation and validation on the simulator of SPDS displays, man-machine interface, human factors design, and other appropriate matters before the SPDS becomes operational in the control room. This will provide a realistic environment in which to confirm the adequacy of the SPDS design.

As discussed in the SPDS SAR, the SPDS and the new plant computer are dependent items which share common components and are proceeding concurrently in a manner that integrates with other NUREG 0737, Supplement 1 issues and with future plant outage schedules. Significant planning and front-end documentation has been completed for SPDS implementation.

Important matters such as the following have already been evaluated and documented.

a. Who will use the system?
b. What should the system do?
c. Where will the system be used?
d. When will the system be used?
e. How can advantage be taken of other existing systems?
f. What lessons have been learned by other utilities?

Some of this information has been included in the SPDS SAR. In addition to the SAR, the above matters and other appropriate information are documented in the following documents which have been completed for the VYNPS SPDS project.

a. SPDS Justification Document
b. SPDS Objectives Document
c. SPDS Requirements Document

The overall schedule for continuing the SPDS implementation at VYNPS has been established. Figure 2 shows the key milestones of the SPDS implementation.


Figure 2 SPDS IMPLEMENTATION SCHEDULE

[Schedule chart not reproduced. Time axis: 12/86, 12/87, 12/88. Milestones listed, in order: Safety Analysis Report; Refueling Outage; DAS Installation; DAS Preop Testing; Site Assessment Study; Design - Top Level; Design - Detailed Level; Software Development; Integration Testing; FAT; Install Simulator SPDS; SPDS Validation; Install Plant Computer; SAT; Refueling Outage; Availability Run; SPDS Operational.]