ML20206F689
| ML20206F689 | |
| Person / Time | |
|---|---|
| Site: | Millstone |
| Issue date: | 04/30/1987 |
| From: | NORTHEAST UTILITIES |
| To: | |
| Shared Package | |
| ML20206F662 | List: |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737 A04135, A4135, NUDOCS 8704140333 | |
Docket No. 50-245
A04135

Attachment No. 2
Millstone Nuclear Power Station, Unit No. 1
Safety Parameter Display System
Safety Analysis Report

8704140333 870409 PDR ADOCK 05000245 P

April, 1987
TABLE OF CONTENTS

1 INTRODUCTION
2 SPDS DESCRIPTION
2.1 GENERAL
2.2 TRANSIENT RECORDING AND ANALYSIS
2.3 REAL-TIME ANALYSIS AND DISPLAY
2.4 USER INTERFACE
2.5 SPDS AVAILABILITY
2.6 MODES OF OPERATION
2.7 ELECTRICAL POWER SOURCE
2.8 ELECTRICAL ISOLATION
3 DISPLAY BASES
3.1 SPDS CRITERIA AND VARIABLE SELECTION
3.2 EMERGENCY OPERATING PROCEDURES
4 DISPLAY DESCRIPTIONS
4.1 RPV CONTROL DISPLAY
4.1.1 Event Targets
4.1.2 Control Parameter Trend Plots
4.1.3 Limit Tags
4.2 CONTAINMENT CONTROL DISPLAY
4.2.1 Event Targets
4.2.2 Control Parameter Trend Plots
4.2.3 Limit Tags
4.3 CRITICAL PLANT VARIABLES DISPLAY
4.4 TREND PLOT DISPLAYS
4.5 2D PLOT DISPLAYS
4.6 VALIDATION STATUS DISPLAYS
4.7 RADIOACTIVITY CONTROL DISPLAY
4.8 MSIV STATUS DISPLAY
4.9 SRV STATUS DISPLAY
5 HUMAN FACTORS ENGINEERING (HFE) IMPLEMENTATION
5.1 GENERAL
5.2 DEFINITION OF SYSTEM FUNCTIONAL REQUIREMENTS
5.3 TASK ANALYSIS
5.4 USER INTERFACES
5.4.1 General
5.4.2 Hardware Location Review
5.5 HUMAN FACTORS ENGINEERING VERIFICATION AND VALIDATION
5.5.1 General
5.5.2 Test Requirements Development
5.5.3 Static Display Review
5.5.4 Dynamic Display Review
5.5.5 Man-in-the-Loop Evaluation
6 VERIFICATION AND VALIDATION (V&V)
7 SAFETY EVALUATION
8 CONCLUSION
9 REFERENCES
1 INTRODUCTION

As a result of the accident at Three Mile Island, the Nuclear Regulatory Commission (NRC) has determined the need for a Safety Parameter Display System (SPDS) in operating nuclear power plants. The SPDS is intended to provide a concise display of historical and real-time values of critical plant operating variables. Its intended role is to provide vital plant data to aid control room personnel in determining the safety status of the plant during emergency conditions. The NRC position for the SPDS is contained in Supplement 1 to NUREG-0737, "Requirements for Emergency Response Capability" (Reference 1).

The Millstone Nuclear Power Station Unit No. 1 (MP-1) SPDS conforms to Supplement 1 to NUREG-0737 in that it aids control room personnel in determining the safety status of the plant during abnormal or emergency conditions. The graphic displays are designed to give assistance in following the MP-1 Emergency Operating Procedures (EOPs) (Reference 3). The SPDS can be changed to accommodate revisions in the EOPs. Human factors engineering has also been taken into account during development of the MP-1 SPDS to maximize the control room personnel's ability to use the SPDS and to minimize errors by them during its use.

The MP-1 SPDS is being added as an aid to plant personnel. It is not intended as a substitute for other safety-related equipment or instrumentation, but rather as an adjunct to such equipment. The MP-1 SPDS is not essential to the safe operation of the plant, it is not essential to the prevention of events potentially harmful to the public health and safety, nor is it essential to the mitigation of the consequences of an accident.

This report addresses the criteria of Supplement 1, Section 4, NUREG-0737, by including the bases for the selection of the parameters included in the MP-1 SPDS. This report constitutes the safety analysis report required by the NRC to satisfy the SPDS documentation criteria of Supplement 1 to NUREG-0737.

In addition to the basis for parameter selection, this report discusses other aspects of the MP-1 SPDS in relation to the NRC criteria. Among these are general descriptions of the system which provides the MP-1 SPDS function and descriptions of the various displays available to the MP-1 SPDS users. Also discussed are the design bases for those displays, a general description of the human factors implementation plan, and the verification and validation procedures used in the development of the MP-1 SPDS.
2 SPDS DESCRIPTION

2.1 GENERAL

The MP-1 SPDS, a centralized subsystem of the Integrated Computer System, performs the process monitoring and calculations defined as being necessary for the effective evaluation of emergency power plant operation. The SPDS acquires and records process data including temperatures, pressures, flows, and status indicators. This data is processed by the SPDS to produce meaningful displays, logs, and plots of current or historical plant performance and then presented to plant personnel in the plant main control room.

The SPDS is designed to perform specific functions. These functions are:

a. Transient recording and analysis - performs analysis, logging, plotting and recording functions.
b. Real-time analysis and display - performs all functions required to produce displays, including display building and dynamic display processing functions.
c. User Interface - performs the function of interfacing with the system user.

Data acquisition and basic data manipulations and preprocessing functions are provided to the SPDS by the Integrated Computer System.

A brief description of each SPDS function is contained in the following paragraphs of this section.
2.2 TRANSIENT RECORDING AND ANALYSIS

The Transient Recording and Analysis (TRA) function provides a real-time and historical perspective for the operation of the power plant. The purpose of the TRA is to provide high resolution recording capabilities for various plant parameters and means for event monitoring, data archival, plotting, trending, analysis, automatic and on-demand logging. The TRA portion of the SPDS provides a means of data recording, archiving and analysis in order to support the determination and analysis of plant transients. Data recording and archiving capabilities can record changing plant parameters for up to 2 hours of pre-event data and 12 hours of post-event data. Data is then available for various outputs such as alarm logs, sequence of events reports, trending, post trip logs, significant change reporting and plotting. In addition, analysis routines are available to provide statistical evaluation (such as means, minimums, maximums, standard deviations).
2.3 REAL-TIME ANALYSIS AND DISPLAY

The Real-Time Analysis and Display (RTAD) functions provide real-time processing, updating, and displaying of critical plant parameters, such as water level, pressure, temperature and power level, and status indications of events. The RTAD also provides the capability to display plant operational parameters, sampled data, synthesized data, and trends. Displayed information is updated at intervals of no more than 2 seconds. Trends can be provided for up to 60 minutes of data. RTAD also provides display creation capabilities. RTAD processing includes data range-checking and validation, limit checking, and status evaluations. Derivation is also provided for certain parameters which cannot be measured.

The specific displays which are provided by the SPDS in order to meet the criteria of NUREG-0737, Supplement 1, and the design basis for these displays are described in more detail in the following sections.
2.4 USER INTERFACE

The MP-1 control room staff includes four licensed operators (i.e., two Senior Reactor Operators (SROs) and two Reactor Operators (ROs)). One of the SROs is the Shift Supervisor (SS). The SS/SRO will be the primary SPDS user. The SPDS is intended to help the SS/SRO in managing the plant during unusual situations where problem detection and problem solving on a plant wide scale are involved. The major role of the SPDS is to aid the operating crew in maintaining the plant in a safe condition and to provide assistance in how to return the plant to a safe condition after it has departed from normality.

User interface hardware consists of keyboards, function keys, trackballs, CRTs, printers and typers. This hardware provides the interface between the SPDS and the SS/SRO. Utilizing the interface, the SS/SRO can place demands on the system. The interface also presents to the SS/SRO the results of monitoring, calculations, and control actions taken.

The SPDS is intended as an aid to the SS/SRO, not as a replacement for the necessary safety instrumentation. The SPDS serves as a concentrated data source and thus permits the SS/SRO to obtain desired information without walking the boards to check readings.

The role of the SS/SRO is as a decision maker and manager of the plant. The role of the ROs and the other SRO is to assist the SS/SRO by carrying out the tasks deemed necessary by the SS/SRO. Although ROs are carrying out specific tasks such as maintaining levels, starting pumps, or checking instrument readings, they need to be cognizant of the impact their operations have on overall plant condition. SPDS displays will be accessible to RO personnel to help maintain the needed understanding of the overall picture and to foster a team approach to plant emergency response.
2.5 SPDS AVAILABILITY

Although the SPDS need not be a safety grade system, implementation of a highly reliable, state-of-the-art SPDS is an important design objective. As a design goal the availability of the SPDS shall be at least 99.0 percent during normal plant operation. In this context, design availability is understood to encompass the following minimal functional capabilities:

1) The ability to monitor and display the status of critical plant parameters in at least one location in the control room.
2) The ability to determine the value of all variables which are used in the critical plant parameter status determination in at least one location in the control room.

2.6 MODES OF OPERATION

The SPDS for MP-1 is not appropriate for all modes of operation. The design of the SPDS for MP-1 therefore only requires the availability of the SPDS during power operation, startup, hot standby, and hot shutdown.

2.7 ELECTRIC POWER SOURCE

The SPDS, as part of the new integrated computer system, will be powered from an emergency power supply in the event of loss of offsite power.
2.8 ELECTRICAL ISOLATION

The SPDS will receive signals from both Class 1E and non-Class 1E sources. Electrical isolation will be provided for all signals that are in use for safety systems.

The existing Plant Process Computer at MP-1 will be replaced by a new Integrated Computer System (ICS). The new ICS will provide isolation from existing safety system signals that is equivalent to that provided by the existing Plant Process Computer.

In addition to the existing safety signals, the SPDS will require new signals from some safety systems. Electrical isolation has been provided for the new safety system signals. Qualified isolation devices, Foxboro Model N-2AO-VAI and Energy Incorporated Series 01622 (Analog) and Series 01626 (Digital) have been selected for these new signals.

These isolation devices were found acceptable based on the following:

1. Qualification Testing

   a. Calibration Test - Verified that the isolators can be calibrated to the required accuracy. Also, adequate "zero" and "gain" adjustments are available.

   b. Common Failure Isolation Test - Verified the isolators' capability to minimize the effect on the input when the following faults are applied to the output:

      b1. Output open circuit
      b2. Output short circuit
      b3. Fault voltage applied to the output in the transverse mode:
          Foxboro - 600 VAC
          Energy Incorporated - 140 VAC, 140 VDC

      Since instrumentation and control cables at MP-1 are separated from all high voltage cables, the maximum credible voltage the isolators could be subjected to is 120 VAC or 125 VDC.

   c. Isolation Test (Energy Incorporated only) - Verified output to input isolation capability (Hi Pot) to be greater than or equal to 2000 VAC and 2000 VDC.

   No transients or steady state perturbations were observed on the isolators' input during or following the Common Failure Isolation Test.

2. Environmental and Seismic Testing

   The isolators will be installed in a mild environment and have been seismically tested in accordance with IEEE 344-1975. The test demonstrated that the isolators are in compliance with MP-1 design basis.

3. Installation

   The isolators will be seismically installed in four separate safety related cabinets. Two of these cabinets are powered from the Vital AC source and the remaining cabinets receive power from the Instrument AC source. Both power sources are safety related.

4. Electrical Interference

   Safety related instrumentation is protected from electrical interference by the following methods:

   a. Physical separation of instrumentation and control cables
   b. Instrumentation cables are shielded twisted conductors
   c. Shield grounding at a single point

3 DISPLAY BASES

The bases for each MP-1 SPDS color graphic display are the MP-1 Emergency Operating Procedures.
3.1 SPDS CRITERIA AND VARIABLE SELECTION

Section 4.1 of Supplement 1 to NUREG-0737 states the following:

"the principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core".

"The minimum information to be provided shall be sufficient to provide information to plant operators about -

(i) Reactivity control
(ii) Reactor core cooling and heat removal from the primary system
(iii) Reactor coolant system integrity
(iv) Radioactivity control
(v) Containment conditions".

The goal of the SPDS design is to meet these criteria in a fashion that is consistent with the current EOP's so that an integrated approach to emergency response is maintained.

The EOP's for MP-1 are based upon a symptomatic rather than event oriented approach. That is, critical parameters that determine the safety status of the plant are monitored for entry into the EOP's. Whenever the limit for a parameter is exceeded, entry into the EOP's is required, regardless of the initiating event. The actions in the EOP's are designed to restore the critical parameters within acceptable limits. Based upon this discussion, it is concluded that the critical parameters monitored for entry and recovery in the EOPs are the parameters that determine the safety status of the plant and determine corrective action by the operators to avoid a degraded core. Depicted below are the variables required for monitoring by the SPDS.

1. Reactivity control
   a. Reactor power
   b. Scram demand
2. Reactor core cooling and heat removal from the primary system
   a. Reactor Pressure Vessel (RPV) water level
3. Reactor coolant system integrity
   a. RPV water level
   b. RPV pressure
   c. Drywell pressure
   d. Isolation demand
4. Radioactivity control
   a. Containment radiation
   b. Main stack radiation level
   c. Main steam lines radiation
5. Containment conditions
   a. Suppression pool level
   b. Suppression pool temperature
   c. Drywell pressure
   d. Drywell temperature

It should be noted that while radiation level is not an entry condition for the EOP's, the SPDS will monitor information for radioactivity control. Also, additional variables such as hydrogen/oxygen status, meteorological data, RPV temperature, heatup/cooldown rates, RPV-drywell dP, SRV status, and loss of normal power status will also be monitored by the SPDS. Furthermore, the SPDS will have a "test mode" indication to notify its users of any test activities.
3.2 EMERGENCY OPERATING PROCEDURES

Based on the BWR Owners' Group Generic Emergency Procedure Guidelines (Reference 2), and the MP-1 Plant Specific Emergency Procedure Guidelines, the following EOP's (Reference 3) were developed:

EOP-570 Reactor Pressure Vessel (RPV) Level Control
EOP-571 RPV Pressure Control
EOP-572 Reactor (Rx) Power Control
EOP-573 RPV Spray Cooling
EOP-574 RPV Steam Cooling
EOP-575 RPV Level/Rx Power Control
EOP-576 RPV Level Restoration
EOP-577 Emergency RPV Depressurization
EOP-578 RPV Flooding
EOP-579 Alternate Shut-down Cooling
EOP-580 Containment Control

EOPs 570-579 restore and maintain RPV water level within a satisfactory range, shut down the reactor, control RPV pressure, and cool down the RPV to cold shutdown conditions. EOP-580 controls primary containment temperatures, pressure and level whenever Suppression Pool temperature, Drywell temperature, Drywell pressure, or Suppression Pool water level are above their normal operating limits, or if Suppression Pool water level is below its normal operating limit.

The design of the SPDS will be maintained consistent with the above EOP's, thus, operator response to transients will not be affected by the availability of the SPDS. The EOP's have been designed so that they can be implemented based upon the main control board indications alone, without the assistance of the SPDS.
4 DISPLAY DESCRIPTIONS

The SPDS displays are designed to provide specific information to aid operations personnel in fulfilling their assigned responsibilities. Although this information is generally available throughout the control room, the SPDS supplies this information accurately and concisely in a unified and centralized display of emergency response information.

Using alphanumeric keys, function keys, and poke points, the user can manually select displays based on plant conditions for viewing at the Intelligent Graphic Display Terminals (IGDTs). The displays available at each IGDT consist of:

a. RPV control display
b. Containment control display
c. Critical plant variables display
d. Two-dimensional (2D) plots
e. Trend plots
f. Validation status displays
g. Radioactivity control display
h. SRV status display
i. MSIV status display

All displays are real time with emphasis on showing the current plant status and recent trend history. Trend plots also provide historical data. The RPV control and containment control displays are keyed to the EOPs as described in Section 3.2. The critical plant variables display shows the MP-1 EOP key parameters for RPV and containment control. 2D plots present the limits defined in the MP-1 EOPs which are curves showing the relationship between two parameters. Trend plot displays contain real-time digital information, but their overall emphasis is to show the most recent trends. Validation status displays supply an evaluation of plant control parameter signals. The radioactivity control display shows radiation and meteorological information. The MSIV/SRV status displays provide status (open/shut/stuck open) of respective MSIVs and SRVs.

Each display shows the plant name, color gun status, date and time, and the RPV/containment alarm indications. The status of the three color guns -- red, blue, and green -- is shown next to the plant name in the lower right-hand corner of each display. The current calendar date and time of day (expressed to the nearest second) are shown next to the color gun status indication.

The RPV and containment alarm status indications are shown next to the display title on the upper left-hand and right-hand corners (respectively) of the critical plant variables, trend plots, 2D plots, validation status, radioactivity control and MSIV/SRV status displays. The RPV control display has only the containment alarm indication, and the containment control display has only the RPV alarm indication. The alarm indication labels and color coding for border and text indicate status of "inactive", "caution", and "alarm". Labels and color coding for border and text changes are determined from applicable control parameter process limit and event statuses.
4.1 RPV CONTROL DISPLAY

This display is based on the RPV Control EOP's. The displayed control parameters of RPV water level, RPV pressure, and reactor power mirror the organization of the RPV control EOP. As an addition to the control parameters, RPV temperature, RPV-drywell dP and heatup/cooldown rates are also displayed. To monitor the RPV response, the control room personnel need the current value and trend of the control parameters, a comparison of the current value against control parameter action levels and limits, and the status of certain key plant functions (e.g., reactor scram).

4.1.1 Event Targets - There are seven event targets on the RPV Control Display. They give the status of the following "events":

a. Group 2, 3, and 4 Isolation: Has a demand for group 2, 3, and 4 isolation occurred?
b. Is any SRV open, or is any SRV stuck open?
c. Main Steam Isolation Valve (MSIV): Is a MSIV closure signal present and are the MSIVs open or shut?
d. Scram: Has a scram been initiated and have all control rods been fully inserted to their shutdown limit?
e. H2/O2 Levels: Are elemental hydrogen and oxygen levels within acceptable limits?
f. Radiation: Is any radiation signal above its limit or close to its limit?
g. Normal Power Available: Is the normal power supply available?

The event labels and color coding for border and text indicate event status of "inactive", "safe", "caution" and "alarm".
4.1.2 Control Parameter Trend Plots - Each control parameter and its associated limits are presented in a trend plot mini-display consisting of a time history data plot, bar graph, digital readout, and limit tags. Control parameters for the RPV Control Display are RPV water level and pressure, reactor power, and RPV temperature.

All RPV control parameters are validated parameters. The validation process generates a weighted average of control parameter signals consisting of either an average of all consistent signals or an average of all in-range signals if there are less than two consistent signals. The validation process generates a validation status which defines whether the average is validated (signals are consistent), non-validated (signals are in-range but not consistent), or bad data (signals cannot be measured). If the average cannot be determined, the validation process parameter is assigned "Bad Data" and the parameter value is replaced with asterisks. The signal average calculated is used to represent the instrument readings of the process variable unless additional compensation is performed on the signal average (e.g., reactor power), in which case the compensated value is used to represent the adjusted instrument reading. For those parameters which are not directly measured (e.g., RPV temperature and other bulk temperatures), calculations are performed to derive these variables from measured parameters.

The horizontal scale of the time history data plot for all control parameters is the most recent ten minutes with the exception of RPV temperature, for which the horizontal scale is the most recent sixty minutes.

The bar graph and digital readout are used to highlight and pinpoint the current value of the control parameter. The color of the bar graph and border around the digital readout reflects the control parameter validation status. A trend line tracks the value of each control parameter, and its color coding is the same as that for the bar graph. Whenever the trend line goes off the vertical scale, it appears either at the top of the plot, if above scale, or at the bottom of the plot, if below scale. The user can select the desired scale range to establish the vertical plot scales. Poke point capability and function keys allow the operator to rescale the plot.
4.1.3 Limit Tags - A control parameter may have up to five limit tags associated with it, each corresponding to a process limit identified by the MP-1 EOPs. Table 4-1 lists the limit tags which are associated with each of the trend plots on the RPV Control Display. The process limits are of two types: dynamic limits and static limits. Dynamic limits are limits which functionally depend on other control parameters and, therefore, may change with time. Static limits are limits which remain constant with time.

In addition, each of the two types of process limits falls into two categories: upper limits and lower limits. Upper limits are limits which alert the system user when the limit is approached or exceeded from below; lower limits are limits which alert the system user when the limit is approached or exceeded from above.

The process limits further belong to two classes: alarm limits and permissive limits. An alarm limit informs the operator an operating limit has been exceeded, whereas a permissive limit lets the operator know when an action is capable of being performed.

Table 4-1 TREND PLOT LIMIT TAGS FOR RPV CONTROL DISPLAY

| Control Parameter | Static Limits | Dynamic Limits |
|---|---|---|
| RPV Water Level | Trip Hi, Scram Lo, TAF, ECCS/Isol | None |
| RPV Pressure | Scram Hi, Inj Perm | |

* Indicates a permissive limit

The process limit status is indicated by the color of the limit tag border. For permissive limit tags, the border colors indicate "inactive", "active", or bad data/data not measured. Permissive limit tags are "active" (e.g., action is permitted) when the control parameter equals or goes beyond the process limit or "inactive" otherwise. For alarm limit tags, the border colors reflect "inactive", "safe", "caution", "alarm", or bad data/data not measured. Alarm limit tags are in the "alarm" state when the control parameter equals or goes beyond the process limit, the "caution" state when the control parameter approaches the process limit, and the "safe" state if not in the "alarm" or "caution" state.

A line (tail) connects each limit tag to the bar graph at a point which corresponds to the value of the process limit. Limit lines are presented with trend lines to track the value of dynamic limits associated with the control parameters. Color coding for the limit line (tail) is the same as for the limit tags. Whenever data for a limit line is bad or not measured, the limit line is not plotted.
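The limit-tag states described in Section 4.1.3, worked through in Python as an added example (not code from the report or from the SPDS). The caution margin, every numeric limit, the curve points and the treatment of "Inj Perm" as a lower limit are assumptions constructed for illustration; the report gives none of these values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

State = Dict[str, Optional[float]]          # other control parameters, by name
Limit = Union[float, Callable[[State], Optional[float]]]


def curve(points: List[Tuple[float, float]], x_name: str) -> Callable[[State], Optional[float]]:
    """Dynamic limit: piecewise-linear curve evaluated at state[x_name]."""
    pts = sorted(points)

    def limit_at(state: State) -> Optional[float]:
        x = state.get(x_name)
        if x is None:                       # the driving parameter is bad data
            return None
        if x <= pts[0][0]:
            return pts[0][1]
        if x >= pts[-1][0]:
            return pts[-1][1]
        for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
            if x0 <= x <= x1:
                return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
        return None

    return limit_at


@dataclass
class LimitTag:
    name: str
    limit: Limit                # float = static limit, callable = dynamic limit
    upper: bool = True          # upper limits are approached from below
    permissive: bool = False    # permissive limits report active/inactive
    margin: float = 0.0         # assumed width of the "caution" band

    def limit_value(self, state: Optional[State] = None) -> Optional[float]:
        if callable(self.limit):
            return self.limit(state or {})
        return self.limit

    def status(self, value: Optional[float], state: Optional[State] = None) -> str:
        lim = self.limit_value(state)
        if value is None or lim is None:
            return "bad data"
        # Room left before the limit is reached; zero or negative means
        # the parameter equals or has gone beyond the limit.
        room = (lim - value) if self.upper else (value - lim)
        if self.permissive:
            return "active" if room <= 0 else "inactive"
        if room <= 0:
            return "alarm"
        if room <= self.margin:
            return "caution"
        return "safe"


# Constructed tags; names follow Tables 4-1 and 4-2, numbers are illustrative.
SCRAM_LO = LimitTag("Scram Lo", 10.0, upper=False, margin=5.0)
INJ_PERM = LimitTag("Inj Perm", 300.0, upper=False, permissive=True)
HEAT_CAP = LimitTag("Heat Cap",
                    curve([(0.0, 200.0), (1000.0, 150.0)], "rpv_pressure"),
                    upper=True, margin=10.0)

if __name__ == "__main__":
    for level in (30.0, 13.0, 10.0, None):
        print("RPV level", level, "->", SCRAM_LO.status(level))
    for pressure in (900.0, 250.0):
        print("RPV pressure", pressure, "->", INJ_PERM.status(pressure))
    plant = {"rpv_pressure": 500.0}
    for temp in (160.0, 170.0, 175.0):
        print("Pool temp", temp, "->", HEAT_CAP.status(temp, plant))
```

A dynamic limit whose driving parameter is unavailable evaluates to "bad data", which matches the report's rule that a limit line is not plotted when its data is bad or not measured.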
4.2 CONTAINMENT CONTROL DISPLAY

This display is based on the Containment Control EOP. Again, the displayed control parameters of suppression pool temperature and level, suppression chamber temperature, and drywell pressure and temperature mirror the organization of the containment control EOP. To monitor the containment response, the control room personnel need the current value and trend of the control parameters, a comparison of the current value against their respective action levels and limits, and the status of certain key plant functions (e.g., scram).

4.2.1 Event Targets - There are seven event targets on the Containment Control Display which are identical to those on the RPV Control Display (See Section 4.1.1).

4.2.2 Control Parameter Trend Plots - Control parameters plotted for the containment control display are drywell pressure and drywell temperature, suppression chamber temperature, suppression pool temperature, and suppression pool water level. All containment control parameters are validated parameters. The trend plot description is the same as given in Section 4.1.2.

4.2.3 Limit Tags - As on the RPV Control Display, limit tags are associated with each of the trend plots on the Containment Control Display. The limit tag description is the same as given in Section 4.1.3. Table 4-2 lists the limit tags which are associated with each of the trend plots on the containment control display.

Table 4-2 CONTAINMENT CONTROL DISPLAY TREND PLOT LIMITS

| Control Parameter | Static Limits | Dynamic Limits |
|---|---|---|
| DW Pressure | Lim Hi, Maximum, Spray Lo | Pressure Suppression, Spray Perm* |
| DW Temperature | Design, Lim Hi | RPV Sat |
| Suppression Pool Temperature | Man SCRM, Lim Hi | Heat Cap |
| Suppression Pool Level | Lim Hi, Lim Lo, Maximum | Pool LD, Heat Cap |
| Suppression Chamber Temperature | Lim Hi | None |

* Indicates a permissive limit

4.3 CRITICAL PLANT VARIABLES DISPLAY

This top-level safety parameter display provides the control room personnel with a quick summary of the status of the critical plant variables, which are the variables controlled by the MP-1 EOPs.

The Critical Plant Variables Display is an image of the plant and presents two types of EOP information: control parameters and their limits, and event indications. For each control parameter, the current digital readout is shown with the upper limit above and/or the lower limit below. The label and color coding for each digital readout, limit tag, and event indication are identical to the corresponding digital readout, limit tag, or event indication in the RPV or Containment Control displays (Sections 4.1 and 4.2).
4.4 TREND PLOT DISPLAYS

Larger trend plot displays with expanded time scales to provide more detail and greater resolution of parameter changes are available for all control parameters on the RPV and Containment Control displays.

Each trend plot consists of a time history data plot, a bar graph giving the current reading, and a digital readout. Limit tags and limit lines are also supplied. The bar graph, digital readout, limit tags, trend lines, and limit lines are as specified for the control parameter trend plots and limit tags in the RPV or containment control displays (Sections 4.1 and 4.2).

The horizontal plot scale for all inputs is the most recent 10, 30, or 60 minutes. The rescale capabilities of the vertical plot scales are as specified for the RPV and containment control displays (Sections 4.1 and 4.2).

The trend plot displays include:

Reactor Pressure Vessel Water Level
Suppression Pool Level
Reactor Pressure Vessel Pressure
Reactor Power
Reactor Pressure Vessel Temperature
Drywell Pressure
Suppression Chamber Temperature
Suppression Pool Temperature
Drywell Temperature
4.5 2D PLOT DISPLAYS

Certain parameter levels and specific limits which indicate the need for action in the MP-1 EOPs are displayed in two-dimensional (2D) plots which relate separate control parameters. For example, the heat capacity temperature limit is depicted on a plot of suppression pool water temperature vs. RPV pressure. The MP-1 EOP curves provide the basis for these displays.

There are dynamic and static 2D plot displays. Each 2D plot display consists of an x-y plot with limit or action level defined by a curve, a red cross-hatched region which is to be avoided, and a historical track which continuously plots the actual x-y values. Digital readings of the current values of the dependent and independent parameters are also provided. Color coding for digital readings of control parameters is as specified for the RPV and containment control displays (Sections 4.1 and 4.2). The cursor at one end of the historical track represents the current plant status and is color coded the same as the limit status. The 2D plot displays include:

Suppression Pool Load Limit
Heat Capacity Level Limit
Heat Capacity Temperature Limit
Pressure Suppression Pressure
Maximum Core Uncovery Time Limit
Drywell Spray Initiation Pressure Limit (Suppr. Chamber Temp.)
Drywell Spray Initiation Pressure Limit (Drywell Temp.)
RPV Saturation Temperature
Primary Containment Pressure Limit
Primary Containment Design Limit
NPSH Requirements For Core Spray Pumps
NPSH Requirements For LPCI Pumps

The 2D plots are provided for control room personnel to obtain detailed specific plant status information and guidance for response with respect to EOP limits.
4.6 VALIDATION STATUS DISPLAYS
Validation status displays are used by the control room personnel to assess the validity of the data displayed by the SPDS. Although the EOPs are based on monitoring the plant by examining as many diverse and redundant signals as possible, the SPDS automatically removes ambiguity from the normal control room instrumentation (where separate instruments can give several values for the same parameter) by evaluating all the acquired signals for any parameter and displaying a single value which is an average of all the in-range, consistent signals. When instrumentation failures lead to a non-validated value, or when more information is required regarding how a validated value was generated, these displays may be examined.
The displays list each instrument that supplies a control parameter signal; indicate if the instrument raw data value is within its calibrated range; compensate individual signals if appropriate; present the compensated value; indicate if these values are consistent with each other; and average these values for a final value, with weighting factors, if appropriate. The upper right of the display presents the final averaged value, plus indication if the value is compensated and/or validated. The color coding of the readouts is consistent with the control parameter trend plots in Section 4.1.2.
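The validation steps listed above (range check, compensation, consistency check, weighted average), as an added Python sketch that is not code from the SPDS or from this report. The instrument tags, readings, the median-based consistency test, the tolerance and the two-signal minimum for a validated value are assumptions; the report does not state them.

```python
from dataclasses import dataclass
from statistics import median
from typing import Callable, Optional


@dataclass
class Signal:
    tag: str            # instrument identifier (constructed for this example)
    raw: float          # raw reading
    lo: float           # low end of calibrated range
    hi: float           # high end of calibrated range
    weight: float = 1.0 # weighting factor used in the final average
    compensate: Optional[Callable[[float], float]] = None


def validate(signals, tolerance, min_consistent=2):
    """Return (final_value, validated, compensated, rows)."""
    rows, candidates = [], []
    for s in signals:
        in_range = s.lo <= s.raw <= s.hi
        value = s.compensate(s.raw) if in_range and s.compensate else s.raw
        row = {"tag": s.tag, "in_range": in_range, "value": value,
               "consistent": False}
        rows.append(row)
        if in_range:                      # out-of-range signals are never averaged
            candidates.append((row, s))
    if not candidates:
        return None, False, False, rows
    # Assumed consistency test: within `tolerance` of the median in-range value.
    centre = median(row["value"] for row, _ in candidates)
    used = []
    for row, s in candidates:
        row["consistent"] = abs(row["value"] - centre) <= tolerance
        if row["consistent"]:
            used.append((row["value"], s.weight, s.compensate is not None))
    total_weight = sum(w for _, w, _ in used)
    if total_weight <= 0:                 # no agreeing signals: nothing to display
        return None, False, False, rows
    final = sum(v * w for v, w, _ in used) / total_weight
    validated = len(used) >= min_consistent   # assumed redundancy requirement
    compensated = any(c for _, _, c in used)
    return final, validated, compensated, rows


# Constructed sample: five level instruments, one failed high, one drifting low.
LEVEL_SIGNALS = [
    Signal("LT-A", 30.0, -60.0, 60.0),
    Signal("LT-B", 31.0, -60.0, 60.0),
    Signal("LT-C", 28.0, -60.0, 60.0, weight=2.0, compensate=lambda v: v + 1.0),
    Signal("LT-D", 75.0, -60.0, 60.0),   # outside calibrated range
    Signal("LT-E", 5.0, -60.0, 60.0),    # in range but disagrees with the rest
]

if __name__ == "__main__":
    final, validated, compensated, rows = validate(LEVEL_SIGNALS, tolerance=3.0)
    print(final, validated, compensated)
    for row in rows:
        print(row)
```

The per-instrument rows correspond to what the validation display lists for each signal, so a failed or drifting instrument is visible as excluded rather than silently averaged in.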
The validation displays include:
Reactor Pressure Vessel Level
Reactor Pressure Vessel Pressure
Reactor Power
Reactor Pressure Vessel Temperature
Drywell Pressure
Drywell/Suppression Chamber Temperature
Pool Level
Pool Temperature
Reactor Core Flow
4.7 RADIOACTIVITY CONTROL DISPLAY
The radioactivity control display provides radioactivity and meteorological data to the operators. Containment radioactivity and stack gas radioactivity are displayed against limits. The analog radiation signals are alarm checked for three states: "inactive", "caution", and "alarm". Stack gas flow is also displayed. Digital main steam line radiation tags are displayed as "normal" or "alarm". Outside temperatures and wind speed and direction are displayed.
Alarming of any of the radiation tags is flagged on the radiation event target on the top level displays.
4.8 MSIV STATUS DISPLAY
Inboard and outboard MSIVs for the four main steam lines are monitored and displayed for the following conditions.
Shut on command (safe state)
Commanded to shut (caution state)
Open - normal (inactive state)
Open - failed to shut (alarm state)
An event target is provided on the top level displays summarizing the MSIV status.
4.9 SRV STATUS DISPLAY
SRV status is provided for each of six SRVs. Status of each is shown with an event tag in one of three conditions.
Shut (inactive state)
Open (caution state)
Stuck open (alarm state)
An event target is provided on the top level displays summarizing the SRV status.
5 HUMAN FACTORS ENGINEERING (HFE) IMPLEMENTATION
5.1 GENERAL
A Human Factors Engineering Implementation plan is a part of the design process for the SPDS in order to ensure that the SPDS meets its intended objectives and accommodates its intended users. Designs are developed based on Human Factors Engineering principles and then reviewed to assure that those principles have been properly implemented. Results and recommendations from reviews are then evaluated for impact and action plans are developed for incorporation into the design.
The SPDS HFE plan is an integral part of the design and review of the system as a whole as well as the design and review of the more detailed aspects of the system. The plan generally consists of activities such as definition of HFE requirements, reviews, testing, analysis and verification activities. These activities can be separated into the following specific major areas:
a. Definition of System Functional Requirements
b. Task Analysis
c. User Interface Development and Review
d. HFE Verification and Validation
The following sections describe in more detail the specific tasks which are performed in order to provide a comprehensive implementation of the overall HFE plan. Specific tasks consist of both plans for future implementation as well as previously performed activities which can be related specifically to the SPDS.
5.2 DEFINITION OF SYSTEM FUNCTIONAL REQUIREMENTS
The first task in the HFE plan is the development of system level requirements. The system level requirements are based upon:
a. Purpose of the SPDS (Mission Statement)
b. Definition of what SPDS is to perform and what the user is to perform (function allocation)
c. Interfaces to Systems Outside of the SPDS
d. Codes, Standards, and Regulatory Requirements
e. Assumptions and Constraints
The system functional requirements define what the SPDS is to do, what performance is expected and what part of the system consists of user interaction. These requirements provide the basis for comparison of all other activities. Any reviews performed on the SPDS are performed against the fulfillment of the requirements developed in this activity. The system level requirements are issued in a controlled document.
5.3 TASK ANALYSIS
The MP-1 EOPs provide a listing of tasks to be performed for emergency situations. The SPDS provides information useful in performing the tasks. The MP-1 EOPs, along with previous task analyses for other similar BWRs, were used to review the following.
a. The content of the SPDS displays
b. The user interface required to access the SPDS displays
c. The usability of the data provided in the displays for an operator following the EOPs.
The analysis of tasks is used similarly to the system functional requirements, in that it provides a basis for any review which will compare the actual SPDS implementation to the fulfillment of its intended purpose. Documentation includes the task descriptions as well as an analysis of the capabilities of the SPDS to aid in the performance of the EOP tasks.
5.4 USER INTERFACES
5.4.1 General - The purpose of the user interface portion of the HFE plan is to assure that the hardware used in the SPDS is consistent with the intended purpose and function of the system. This assurance results from the use of HFE principles throughout the design process as well as a systematic review process. The following specific activities are performed in order to implement this purpose.
5.4.2 Hardware Location - The MP-1 control room configuration was reviewed to locate the SPDS components. Inputs to this review were obtained from Operations, HFE and Maintenance personnel.
The arrangement and number of SPDS display stations in the control room will provide separate SPDS stations for the SS/SRO (away from the boards) and for operators (visible from operating stations at the boards). This arrangement will provide the SS/SRO with a good view of the SPDS from his work station (the SPDS and the boards can be seen at the same time) and by the operators from their stations at the boards. Thus, the arrangement will permit a flexible use pattern which is weighted towards the needs of the SS/SRO while still permitting RO use.
5.5 HUMAN FACTORS ENGINEERING VERIFICATION AND VALIDATION
5.5.1 General - The HFE Verification and Validation activities are an ongoing part of the entire design process for the SPDS. Some of the activities in verification and validation must be completed in the early stages of the design process whereas others are completed only in the final stages of the project. The general aspects of the Verification and Validation process for the entire SPDS design are described in Section 6.0. The major features of the HFE portion of Verification and Validation are described below. They include:
a. Test Requirements Development
b. Static Display Review
c. Dynamic Display Review
d. Man-in-the-Loop Evaluation
5.5.2 Test Requirements Development - The system functional requirements are used as the basis for the development of tests and procedures which verify and validate, in general, the SPDS functions, and specifically the MP-1 SPDS displays. These requirements are issued as controlled documents. The implementation of these requirements is performed during the integrated hardware/software test as described in the testing description in Section 6.
5.5.3 Static Display Review - A static review of the MP-1 specific SPDS displays was conducted by MP-1 Operations, HFE and Engineering personnel. The results were incorporated and verified to meet the requirements of MP-1 Operations, NUREG-0700 (Reference 4), and the plant specific EOPs.
5.5.4 Dynamic Display Review - An extensive dynamic review was performed by General Electric on the General Electric Generic ERIS displays at the BWR/6 simulator in Tulsa, Oklahoma. This review consisted of an HFE evaluation, the performance of 12 different simulated transients, operator/system performance evaluations during the transients using the Perry Nuclear Power Plant EOPs and data collection for the measurement of the usefulness of the ERIS SPDS related displays.
The results of this review are documented in Reference 5. In general the ERIS was perceived by the operators who took part in the test as a significant aid in plant control during emergencies and was judged as presenting an exceptional source of synthesized/centralized information with regards to plant performance.
Design input on the dynamic characteristics of the MP-1 SPDS displays was obtained from HFE, MP-1 Operations, and Engineering personnel. Recommendations from the design input were incorporated in the MP-1 SPDS displays.
5.5.5 Man-in-the-Loop Evaluation - Operations personnel, trained in EOPs, will review SPDS displays. The objective of this evaluation (not necessarily performed in the control room) will be to review the SPDS design as a potential aid to emergency response by operations personnel.
6 VERIFICATION AND VALIDATION (V&V)
The methods employed in the V&V procedures ensure that the MP-1 SPDS supplies the functions and characteristics that it is required to provide and that the functions perform correctly. The review and testing processes are designed to identify problems or weaknesses in the design requirements, the design, and the implementation of the design, and to correct those problems and weaknesses.
The V&V plan identifies quality audit points (QAPs) along the MP-1 SPDS development path. These QAPs range from performing specification reviews to code walkthroughs to several levels of software and system testing. Heavy emphasis is placed on achieving independent V&V (i.e., employing reviewers and testers who have not been directly involved in the design).
Figure 6-1 shows the Quality Audit Points throughout the design and testing processes of the SPDS. Major V&V milestones consist basically of preparation and review of design specifications, coding and review of test results. This V&V procedure is not only sequential but also iterative. Results which identify areas requiring correction are used to modify the design or further define requirements in order to resolve concerns.
The review of specifications is accompanied by the reviewers documenting comments on a controlled issued document during the development of these specifications. Any comments must be resolved by the responsible engineer to the satisfaction of the reviewers prior to the issue of any document.
Testing begins with unit testing of small modules which are integrated into larger system functions. The final activity in completing the SPDS design is the integration of hardware/software and the user in a final test scenario. This test, also called "Factory Acceptance Test," verifies that the system has been correctly designed for the user and that the SPDS has met its intended purpose. This test is based on the functional system requirements and the previously developed test plans/procedures. The results of this test are fully documented.
Integration testing is followed by total system validation testing at the factory prior to site installation. Following site installation, site testing is performed to assure proper operation of the system.
The testing phases produce test reports which show any discrepancies between expected and actual results, and these discrepancies have to be resolved by the responsible engineer of the design group and the test repeated until satisfactory results are obtained.
By performing the V&V procedures depicted in Figure 6-1, a systematic and structured method is implemented to insure that the correct functions are provided and that they work correctly.
[Figure 6-1: Quality Audit Points in the SPDS design and testing processes (figure not reproduced)]
7 SAFETY EVALUATION
The SPDS is being designed to complement the EOPs (i.e., to aid the operator in implementing the EOPs). It is not intended that the SPDS be necessary for EOP execution. The major use of the SPDS during emergency conditions will be to allow the reactor operators to quickly "see" the overall plant condition and how actions taken affect the maintenance of the critical plant parameters. The currently planned SPDS design will have the following characteristics:
a. It cannot directly cause any plant transient.
b. It will not affect the operation of any safety grade equipment because it will be appropriately isolated from them.
c. It will not be required for EOP execution.
d. It will not provide misleading information to the operator because of the Signal Validation and the substantial Verification and Validation Effort.
Because of the above assessment, it can be concluded that the SPDS will not directly affect the operation of any plant component, nor will it adversely affect the operator's ability to diagnose and respond to a plant transient. Therefore, it will not cause any previously unanalyzed accident or increase the probability of occurrence of any previously analyzed accident.
The SPDS will be strictly a monitoring device and will not directly cause any plant operation. Therefore, it cannot affect the accidents analyzed in the FSAR nor can it affect any of the barriers between the nuclear fuel and the public. Hence, the SPDS will not increase the probability of occurrence of any previously analyzed accident nor decrease the margin of safety as defined in the basis for any technical specification.
From the above discussion, the following can be concluded about implementation of the planned SPDS:
a. There will not be an increase in the probability of occurrence of the consequences of an accident or malfunction of equipment important to safety (i.e., safety-related) previously evaluated in the Safety Analysis Report.
b. There will not be a possibility for the creation of an accident or malfunction of a different type than any evaluated previously in the Safety Analysis Report.
c. There will not be a reduction in the margin of safety as defined in the basis for any technical specification.
Therefore, the implementation of the SPDS will not constitute an unreviewed safety question as defined in 10 CFR 50.59. In addition, it will not require any changes to the plant's Technical Specifications.
8 CONCLUSION
The Millstone Nuclear Power Station, Unit No. 1 Safety Parameter Display System is an integrated data system which provides a concise representation of pertinent plant data sufficient to evaluate the safety status of the plant. In addition, it allows for an evaluation of the response of the plant to any automatic or operator initiated actions. The MP-1 SPDS gathers plant data, stores and processes the data, generates visual human-engineered displays, and provides printed records to aid the control room personnel during emergency conditions.
The MP-1 SPDS design is based upon sound design goals which are intended to ensure a highly reliable information system which will provide consistent and accurate data.
The MP-1 SPDS displays are keyed to the symptom-based plant EOPs. The operator uses the SPDS as an aid in entering and following the MP-1 EOPs. The MP-1 SPDS is not meant to be a control device; it is simply a source of significant information on plant safety to supplement instrumentation already provided in the control room. The use of the MP-1 SPDS assists the control room personnel in performing their emergency response functions.
In summary, the MP-1 SPDS is a capable and effective data system for aiding responses to emergency situations. As demonstrated above, the MP-1 SPDS complies with all the NRC guidance for the SPDS as set forth in Supplement 1 to NUREG 0737.
9 REFERENCES
1) U.S. Nuclear Regulatory Commission, "Requirements for Emergency Response Capability", Supplement No. 1 to USNRC Report NUREG 0737, December 1982.
2) BWR Owner's Group Emergency Procedure Guidelines, Revision 2.
3) Millstone Point One Plant Emergency Operating Procedures, March 20, 1984.
4) U.S. Nuclear Regulatory Commission, "Guidelines for Control Room Design Reviews," USNRC Report NUREG 0700, Sept., 1981.
5) "Human Factors and Performance Evaluations of the Emergency Response Information System - Final Report," July 1984, Anacapa Sciences Inc.