SPDS Design Basis Summary Package,Catawba Nuclear Station

ML20207H890
Person / Time
Site:	Catawba
Issue date:	03/27/1986
From:	Brown R DUKE POWER CO.
To:
Shared Package
ML20207H868	List: ML20207H863 ML20207H890 ML20207H921 ML20207H933 ML20207H950 ML20207H954 ML20207H960 ML20207H965 ML20207H970
References
NUDOCS 8607250131
Download: ML20207H890 (14)
v • d • e

Text

_ _ _ _ _ _

Attachment 1 SPDS DESIGN BASIS SINGEARY PACKAGE CATAWBA NUCLEAR STATION Section I: Description of SPDS Design Basis Section II: Review of Design Basis Section III: Listing of Applicable Documents R. L. Brown Technical Services Production Support Department March 27, 1986 Page 1 of 14 l

8607250131 860715 PDR ADOCK 05000414 P PDR l

t 1

r ]

5 )

Attachment 1 ,

4 I. Description of SPDS Design Basis General The design basis for the Safety Parameter Display System was developed by the Engineering Services Section of the Steam Production Department.

This basis took into consideration the guidance contained in NUREG-0737, Supplement 1 and other related activities in progress at that point in time. The development of this basis focused on a number of considerations, guidelines, available resources, and the unique capabilities within Duke Power Company.

These included the use of technical and operations expertise in formulating the design of the SPDS as well as integra-ting the SPDS into existing highly reliable and well-developed plant operator aid computer systems. The SPDS systems developed meet the intent of the guidance docu-ments NUREG-0737, Supplement 1, and was developed consider-ing the guidance of the NUTAC Guidelines for an Effective SPDS Implementation Program, NSAC/39, NUREG-0696, draft NUREG 0835 and other related documents.

Below is a summary of the design basis. Additional informa-tion is contained in the documents referenced in section III of this document.

Role and Mission Statement The primary objective of the Safety Parameter Display System is to provide plant Operations personnel with an overview of the safety status of the plant. This objective is being met by defining the role of the Safety Parameter Display System as an operational aid which will provide plant Operations personnel with an overview of how well the plant critical safety functions are being maintained. The critical safety functions are defined by the Emergency Operating Procedures Guidelines developed by the individual NSSS Owner's Groups.

I In the case of McGuire and Catawba, the Emergency Operating Procedures identify the following six critical safety

(

l functions:

o Subcriticality o Reactor Coolant System Integrity o Core Cooling o Reactor Coolant Inventory o Heat Sink o Containment Integrity Page 2 of 14

Attachment 1 Design Considerations The Safety Parameter Display System is an operational aid for overview and execution of the new Emergency Operating Procedures. It is not essential that the SPDS be operation-al for plant personnel to determine the safety status of the plant or to execute any of the new Emergency Operating Procedures since adequate instrumentation, instructions, and training will exist or be provided independent of the SPDS.

However, the Safety Parameter Display System can be an effective aid for facilitating this safety overview and executing the procedures. Consequently, it is not necessary that the SPDS meet safety system criteria such as seismic qualification, single failure criteria, etc.

The SPDS will be implemented on the existing Operator Aid Computers for aeveral reasons:

o The existing plant Operator Aid Computer Systems meet the equipment requirements based upon the defined role of the SPDS.

o The OAC Systems have been proven over many years to be highly reliable (approximately 99.9% measured avail-ability on an annual basis).

o Duke has the in-house expertise necessary for expedi-tious definition and implementation of the SPDS.

! o Each plant OAC has several thousand implemented inputs which provide readily available parameters for develop-ing the SPDS - a situation which further enhances the project schedule.

i o The plant Operator Aid Computer represents a " normal" and familiar source of much operating information for the plant staff and installation of the SPDS function i

on the existing system will enhance the effectiveness of the system.

o The installation of a separate SPDS is undesirable from a human factors perspective since it introduces addi-

' tional devices in the control room and competes for the operator's attention with other existing data systems.

1 Page 3 of 14 l

l

Attachment 1 o Ths: SPDS was initially developed under a " pilot" program on McGuire Unit 2 to demonstrate the cap-abilities of the plant computer to handle the SPDS function. Unit 2 was not operational at the time, but allowed the operators to review and comment on the proposed system. It was then moved to Unit 1 which.

was operational, but the displays were hidden from the operators to avoid confusion from using this new system. The SPDS dynamic responses to actual plant conditions was monitored using a " alarm summary system" which allowed debugging and verification of proper operation.

o The SPDS underwent many modifications and revisions, primarily due to the number of changes which occured during the development of the design basis - that being ,

the Westinghouse Emergency Procedures Guidelines. Due .

to the inability to " freeze" the SPDS design because of the numerous EPG changes which occurred and the fact that it was not felt wise to implement the SPDS until appropriate EPG based training could be provided to the operators, it was decided to delay final implementation until the above conditions could be resolved.

o The McGuire SPDS was used as the basis for the Catawba SPDS systems since there were only minor differences between the McGuire and Catawba units. The initial SPDS was reviewed for each McGuire and Catawba unit to

insure that any unit differences were incorporated.

o The Oconee SPDS was developed using a similar design basis but involved the use of inhouse developed status trees, alarm logic, and Oconee specific considerations l since the B&W ATOG guidelines were significantly different from the Westinghouse EPG's.

4 Dispicy:

The SPDS Display will consist of six blocks arranged horizontally on one of the CRT screens existing within the control boards. These blocks will represent the critical 1 safety functions of the Emergency Operating Procedure Guidelines. In the case of McGuire and Catawba, the color of the Critical Safety Function blocks will change depending l on departure of the CSF from the normal operating envelope.

l The logic to identify the deparature from normal envelope is l developed directly from the Westinghouse " status trees".

1 Page 4 of 14 i

- - . . . _ . . , , . _ . _ . , . _ , , _ _ , . _ _ - , _ _ _ _ _ . _ . . - _ - _ _ _ _ _ - . - _ . . , , , , , ..m_ _,-. - ___.,,. ._...- _-__. _._,,_ ._ ._.--

Attachment 1 The six critical safety function blocks will be continuously displayed on one of the CRT's on the control board and cannot be removed through operator action. Further, the CSF display will be large enough such that the shift supervisor or other Operations personnel can readily determine the status of each critical safety function frcm the back of the Control Room without requiring access into the immediate control board area.

SPDS Use In any mode of plant operation, the SPDS display will either confirm that the basic critical safety functions are being satisfactorily fulfilled or will identify to the operator the deparature (and in some cases the degree of departure) of the critical safety function from the normal envelope.

The fact that a critical safety function (or functions) has departed from the normal operating envelope will be readily apparent to the operator who can execute the appropriate EOP response to restore the unic within normal boundaries.

Secondary displays (which are not a part of the SPDS) will be identified as the EOP's are developed to assist the operator in this task. Due to the simple nature of the Safety Parameter Display System and the existence of other aids, displays, indicators, and the most important element of eperator training, the operator can effectively perform his surveillance and provide an appropriate response without the SPDS. However, the SPDS should be an effective aid in this overview / response mechanism.

II. Review of Design Basis The design basis of the SPDS was reviewed by members of the Control Room Design Review Steering Committee, operating staffs of the plant and general office staffs of Dcci;n Engineering and Steam Production Departments.

Additionally, review was obtained from EPRI/NSAC.

Summary of Comments

1. Operations personnel were concerned about tying up valuable CRT space for the SPDS, thereby reducing the number of plant alarms which could be

! displayed.

Response: Only four lines at the bottom of the video were needed to display the SPDS alarms.

Page 5 of 14

Attachment 1

2. Operations requested that status tree displays be provided to determine the sources and details of SPDS alarms.

4 Response: Status trees and displays of input values were developed during the control room design review phase and implemented on the OAC.

3. Since the existing plant computer systems did have limitations in the graphic display capabilites (character generated graphics versus dot addressable graphics), it was recommended that a thorough human factors review be performed on the display systems as they were developed.

Response: The Control Room Detailed Design Review Team as well as the contract Human Factors consultants were utilized to review the SPDS display system as well as the supporting display design basis and displays themselves.

4. Recommendations were made to employ postulated accident sequences to verify the SPDS functions.

Response: The Control Room Review Team performed a series of task analyses to verify the SPDS and its supporting displays.

EPRI/NSAC COMMENTS Dave Cain of EPRI/NSAC provided a number of comments during his visit to Duke Power on June 21, 1982 to review our design basis for the SPDS:

1. Parameter validation. Simple limit checks might not be adequate in cases where redundant signals are available. You may also consider simple deviation checks between the redundant signals, which is a relatively simple expedient. I do not endorse sophisticated validation schemes (averaging, voting with automatic point substitution, diverse variable comparisons, etc.)

for this application.

Page 6 of 14

- - . .- . .. -- =.

~

Attachment 1 Response: It was decided to rely on the already available high and low out of range checks as well as to develop the SPDS alarm logic to be conservative.

This along with the station's established practice of reviewing alarm summaries daily to pinpoint problem alarms were felt to be suitable in the interim while the research by EPRI into validation systems was completed.

2. Multiple parameter input. An alternative to deviation checks is to "or" gate the redundant signals directly into the status tree logic. This will result in a conservative design, but may also make it less tolerant of sensor failure, calibration checks, etc. Here the validation

j. function gets mixed in with the alarm function.

Response: This, as described above, is the course of action chosen.

3. Color coding. An effort has been made to retain the same color conventions Westinghouse has employed, even though CRT limitations prevent orange alarm boxes to be used. Why not redefine the colors?

! My suggestion: normal = green; yellow = yellow;

. orange = red; red = magenta; invalid input =

black. The absence of a color block is the logical (?) consequence of an invalid input. The l checkered block seems to be an awkward solution when changes to the procedures' color convention will do.

Response: It was decided to hold this decision regarding color coding of alarms until such time as the control room review team and the human factors consultants would be available. Mr. Cain's suggested solution conflicted with already established color coding being used on the Operator Aid Computers. The review by the control room review team and consultants resulted in a decision that the original Westinghouse EPG colors would be followed to avoid any possible confusion in tranposing the Westinghouse information into Duke specific procedures. The human factors review of the yellow / red " checkerboard" for the orange status revealed no particular problems with this approach. A pure orange would have been the optimum solution, but since this was not available, the yellow / red checkerboard was an acceptable alternative.

Page 7 of 14

.,-,..,_,~v. - . _ ___- , , . - . _ ...-.,~,,..,_,--,,,,,,_n,.v,.w..,,.r,m.,

5 Attachment 1

4. Signal set point. Although I endorse independent verification of EPG/SPDS logic setpoints by a i system engineer, it would be prudent to await task i analysis in the control room review prior to their final specification. The setpoint should reflect not only the plant response, but the time necessary for the operator to detect, understand, and take the necessary corrective actions.

Response: Setpoints were maintained at the same levels as established by the emergency operating procedures to avoid any confusion between the procedures (hard copy I status trees) and the SPDS since the hard copy procedures are the " final word" to be used in diagnosing emergency conditions.

5. Spurious alarms. EPG logic is not specifically designed to " gate-out" expected parameter deviations, such as during start-up and trip. It would be desirable to carry out early implementation on McGuire 1 in a test made in order to detect and correct these anticipated

! problems.

The SPDS implementation on unit 1 could be made i

invisible to operators (i.e., no color blocks);

! " traps" could be written in the coding to capture any alarms in the EPG logic which occur. No displays are necessary.

Response: This was the course followed. An alarm table was developed to specifically monitor SPDS outputs. This table was reviewed on numerous occasions to determine how well the SPDS would respond to normal evolutions such as start ups, shut downs, and unit trips. Logic was included to " gate-out" invalid alarms during different plant modes, and time delays were designed in to avoid spurious alarms to allow inputs to

' " settle out" during unit trips.

J I

Page 8 of 14 i

)

i 4

T Attachment 1

6. Secondary displays. I am fairly certain that some kind of secondary displays will be needed to explain why color blocks become activated. Though I understand ,

and accept that this will develop as part of the

control room reviews, it is logical to presume that secondary displays will ultimately be required. A very simple arrangement may be sufficient; perhaps a dedi-cated alarm summary for each CSF could be developed:

Parameter Setpoints Value Rate of Change The parameter (s) causing the color block change

should undergo the same color change. This secondary format requires little or no graphics, and can be called-up in the space above the color blocks on the designated CRT.

Response: Several levels of secondary displays were indeed developed and were reviewed using task analyses.

. 7. Validation. NSAC 39 was not intended to serve as a

" bible," but rather as a guide for validation. Your planning and documentation should freely reference those sections in NSAC 39 that are useful and are used.

We at (NSAC) recognize that alternatives and perhaps even better V&V programs may be developed. The key l features are a reasonable level of independent review

and good documentation specified in some sort of "V&V i plan". From what I have been able to observe, Duke personnel are proceeding in the right direction.

i

. Response: NSAC 39 and many other documents, standards, and guidelines were used as source material for our V&V programs.

l

8. Dynamic testing. EPRI is preparing a library of taped

simulator data for general access and use. Its purpose is to: (1) enable utilities to test and/or evaluate 4 their SPDS logic; (2) facilitate post-installation l training. It may be desirable for Duke to emulate the SPDS on a computer capable of reading EPRI transient data to checkout the SPDS routines. Let me know if there is interest in this. ,

i i

Page 9 of 14 J

-- __. _ . _ . _ _ _ _ _ _ _ _ _ _ _ . . . _ _ _ ~ . . _ , _ _ . . . _ _ _ _ _ . . _ . . _ . _ _ _ . . _ _ _ _ _ _ . _ _ . . , _ . - . - . _ . _ . _ _

Attachment 1.

Response: Duke did attempt to use these simulator data tapes. However, we found that many of the parameters needed for our SPDS were not available and would have to be created. The testing of the SPDS using so many

" created" parameters would not give meaningful results and could not be cost justified. It was decided it would be more feasible to install the SPDS on our control room simulators. This would allow us to do a much more comprehensive analysis of the SPDS while providing the operator training on the use of the SPDS during accident conditions.

III. Listing of Applicable Documents DATE TO FROM SUBJECT 02-26-82 TC McMeekin WA Coley Meeting with EPRI re Et Al implementation on existing Plant Computers 03-23-82 Memo WA Coley March 19, 1982 meeting on SPDS l

Development Concepts i 03-24-82 RL Brown TC McMeekin Control Room Review i Steering Committee

! Meeting 03-24-82 Paper WA Coley SPDS Development 1 l

Program Plan l

03-24-82 Paper WA Coley SPDS Concept l

03-26-82 SD Alexander RE Hall Control Room Review Et Al Implementation Plan

.3 03-29-82 WA Coley CE Muse Control Room Review SPDS Development -

Input Review I 03-29-82 WA Coley CA Little Control Room Review JO Crowe SPDS Pilot Program Development Page 10 of 14

_ . _ . _ . _ _ . _ . . . _ . _ . _ - - - ~ . _ _ . _ _ _ _ _

Attachment 1 DATE TO FROM SUBJECT 03-30-82 WA Haller GD Gilbert Concept & Program WA Coley B Travis Dev.

03-30-82 WA Coley CA Little Control Room Review SPDS Development 03-30-82 Paper on Development Program Plan 04-01-82 Paper on SPDS Concept - Revised By WA Coley 04-01-82 WA Coley RL Brown SPDS Implementation 04-02-82 WA Coley WH Rasin Response to Concept

& Development Program plans 04-06-82 Paper on CRGR Recommendations, SECY-82-lll 04-08-82 WA Coley RM Glover Company's approach to SPDS 04-21-82 DG Cain WA Coley Request for EPRI Review and Input 04-28-82 WA Coley DG Cain EPRI/NSAC Support 04-30-82 WA Coley CP Rogers Request for Computer JO Crow Program 06-07-82 TC McMeekin RL Brown SPDS Status et al 06-11-82 TC McMeekin RL Brown SPDS Implementation et al 06-11-82 RL Brown RC Bucy NSAC-40, " Accident Sequences for Design, Validation,

& Trng, Safety Display Systems 06-16-82 RL Brown TC McMeekin Same as 6-11-82 06-22-82 Outline on Verification and Validation Plan Page 11 of 14

. . . ~ . , . . - - - . , . , . . , , . , - . . - . ,, ,, , , . , - - . . . - - - . - . - . , . - - - . . . ,-

,, -, .-- - -- , - ~ - _ . . . . _ , , - . -

Attachment 1 DATE TO FROM SUBJECT 06-22-82 Memo For File LT Harbinson Meeting items 06-25-82 MD McIntosh RL Brown SPDS Implementation G Gilbert 06-25-82 Memo For File RL Brown Visit by Dave Cain of EPRI/NSAC on 6-17-82 and his comments documented in his letter of 06-21-82

06-28-82 WA Coley CP Rogers System Description et al 07-02-82 CP Rogers WA Coley Comments on System Description 07-02-82 WA Haller LR Frick Verification &

Validation 07-07-82 RM Koehler JO Crow Implementing SPDS Simulator Computer 07-08-82 Dave Cain LR Frick Verification &

Validation 07-09-82 WA Haller LR Frick Comments on System l

Description 07-12-82 CP Rogers JW Hallam Application of I EPRI/NSAC,NSS, Inc.

Tape Library l

i 07-22-82 RL Brown RC Collins SPDS Alarm Summary Program Request P820038-0 l 07-27-82 RM Koehler CP Rogers Review of Tape Library Installation on Training i Simulator 1

07-28-82 LR Frick DG Cain SPDS V&V Plan l

Page 12 of 14

Attachment 1 DATE TO FROM SUBJECT 08-02-82 JO Crow LP Duncan Response to Request to Implement NSAC Tapes on Training Simulator 08-09-82 RL Brown RC Collins Response Regarding use of NSAC Tapes 08-11-82 TC McMeekin RL Brown SPDS Status

. 08-20-82 Memo To File RL Brown 08-18-82 meeting 08-24-82 RL Brown RC Collins SPDS Alarm Table Program Request Completion Letter 08-24-82 CP Rogers RC Collins SPDS Program Req.

P820032-0 Completion Letter 10-13-82 Memo For File RL Brown SPDS Supporting Displays 10-14-82 RL Brown CP Rogers Summary and analysis of alarms, problems, and recommendations 10-18-82 MR Crews RL Brown Control Room Review Steering Committee SPDS Status 10-21-82 RW Bostian TC McMeekin SPDS Secondary Display 10-22-82 RL Brown B Ferguson Meeting comments on 10-27-82 RL Brown D Robinson SPDS on OAC 11-02-82 GW Hallman LR Frick Proposed Revisions 11-04-82 RL Brown MR Crews SPDS Secondary Display Page 13 of 14

Attachment 1

, DATE TO FROM SUBJECT 11-05-82 RL Brown L Firebaugh Supporting Displays 12-01-82 RL Brown LJ Cope Supporting Displays 12-08-82 Memo For File RL Brown Meeting on Supporting Displays 4

5 i

i i

i I

i i

Page 14 of 14 l

l i.

y e -- wy,. #7 *-w-.-y -

-.mNer- *TMe WW '* m"* **'t'--w'"*t'*-*F-MW**'-'rp"--*----wW^-M--"P+"*-"vT"'""d-* *-'