ML20247R209

Rev 3 to, SAR for SPDS for Comanche Peak Steam Electric Station,Units 1 & 2
Site: Comanche Peak
Issue date: 07/31/1989
From: TEXAS UTILITIES ELECTRIC CO. (TU ELECTRIC)
To:
Shared Package: ML20247R185
References: NUDOCS 8908070384


Text

Enclosure to TXX-89531
July 31, 1989

UNITS 1 AND 2
REVISION 3
JULY 31, 1989

8908070384 890731 PDR ADOCK 05000445 PDC

FOREWORD

Revision 3 to the Safety Analysis Report (SAR) for the Safety Parameter Display System (SPDS) was prepared to describe changes to the system since the issuance of Revision 2 of the SPDS SAR. Revision 3 to the SPDS SAR has been generated from the previous submittal by adding information where necessary and deleting information that is deemed no longer valid. No effort was made to identify line-by-line differences between the two reports; however, significant changes from Revision 2 are identified by a "change bar". The major differences between the reports are summarized below.

Section 1.0 (Introduction) is unchanged.

Section 2.1 (System Description) has several changes. The addition of a new SPDS CRT display in the Control Room is included with additional text that discusses availability and reliability.

Section 2.2 (SPDS Displays) has been revised to show the addition of new monitoring signals, the expansion of the message area (added one message), and the revision of the alarm status conventions for clarity. The revision also addresses the removal of the RVLIS TRENDS and COLD SHUTDOWN displays from the SPDS CRT Display; these displays are available on all other CRT displays.

Section 2.3 (Human Factors Design Considerations) was revised to encompass HFE changes since the previous submittal.

Section 2.4 (Verification & Validation Program) was revised to reflect V&V program changes since the previous submittal.

Sections 3.1, 3.3, 4.1 and 4.2 are unchanged.

Section 3.2 (Parameter Ranges) was revised to reflect the newly added signals and the proper ranges.

Section 4.3 (SPDS Sensor Verification) was revised to reflect current system status.

Sections 5 and 6 were left essentially unchanged except for minor changes to enhance readability.

Appendices 1 and 2 were revised to describe the current parameter set.

Appendix 3 is unchanged.

TABLE OF CONTENTS

1.0 INTRODUCTION
1.1 Purpose and Scope
1.2 Terminology
1.2.1 Critical Safety Functions
1.2.2 Parameters
1.2.3 Plant Signals
2.0 SPDS DESIGN AND OPERATION
2.1 System Description
2.1.1 Data Acquisition Subsystem
2.1.2 Computer Subsystems
2.1.3 Display Subsystem
2.1.4 System Availability
2.1.5 System Reliability
2.2 SPDS Displays
2.2.1 Display Conventions
2.2.2 Top Level Displays
2.2.3 ERG Summary Displays
2.2.4 Trend Graph Displays
2.2.5 Reactor Vessel Level Display
2.3 Human Factors Design Considerations
2.3.1 Display Features
2.3.2 Graphic Coding
2.3.3 Display Access
2.3.4 Display Unit Locations
2.4 Verification and Validation Program
2.4.1 Definitions
2.4.2 V&V Activities
2.4.3 Relationship Between QA and V&V
3.0 SELECTION AND EVALUATION OF SPDS PARAMETERS
3.1 Selection and Evaluation Process
3.2 Parameter Ranges
3.3 Selection of SPDS Alarm Setpoints
3.4 SPDS Data Validation
3.4.1 Single-Input Parameters
3.4.2 Parameters with Two Input Sensors
3.4.3 Parameters with Multiple Input Sensors
4.0 SAFETY EVALUATION PER 10CFR50.59
4.1 SPDS Function and Design
4.2 SPDS Installation and Safety System Interface
4.3 SPDS Operation
4.3.1 SPDS Functional Requirements
4.3.2 SPDS Input Sensor Verification
4.3.3 SPDS Control Room Operation Influence
5.0 SUMMARY AND CONCLUSIONS
6.0 REFERENCES
APPENDIX 1 - SPDS CRITICAL SAFETY FUNCTIONS AND ASSOCIATED MONITORED PARAMETERS
APPENDIX 2 - SPDS PARAMETER RANGES
APPENDIX 3 - SPDS TREND GRAPH PARAMETER GROUPINGS

LIST OF FIGURES

FIGURE  DESCRIPTION
1   Relative Locations of the SPDS Display Units in the Control Room
2   OPERATION Top-Level Display
3   Interpretation of the CSFM Status Targets
4   Logic Used to Determine Operating Mode
5   LOCA/LOSC ERG Summary Display
6   SGTR ERG Summary Display
7   SG ISOLATION ERG Summary Display
8   ERG FOLDOUT ERG Summary Display
9   Typical SPDS Trend Graph
10  Reactor Vessel Level Current-Conditions Display
11  SPDS Keypad Format
12  SPDS Menu Hierarchy
13  Logic for Validating Reactor Coolant System Cold Leg Loop Temperature Signals

1.0 INTRODUCTION

1.1 Purpose and Scope

This report has been prepared in response to Section 4 of NUREG-0737, Supplement 1 (Reference 1), and presents the safety analysis of Comanche Peak Steam Electric Station (CPSES) Safety Parameter Display System (SPDS).

The CPSES SPDS is part of the plant Emergency Response Facilities Computer System (ERFCS). The CPSES ERFCS is a site-specific implementation of the generic Safety Assessment System (SAS) developed by the Westinghouse Owners Group Ad Hoc Subcommittee on Instrumentation Systems. The generic SAS design and development project included formal Verification and Validation (V&V) of the generic portions of the design and a user's evaluation program in 1982.

The generic SAS was designed to satisfy NUREG-0696 requirements for SPDS. This report discusses the adequacy of the SPDS portion of the CPSES ERFCS in terms of the later requirements specified in NUREG-0737, Supplement 1.

An overview of the CPSES SPDS design and installation is presented in Section 2.0. Selection and evaluation of SPDS parameters is discussed in Section 3.0. The 10CFR50.59 safety evaluation of the CPSES SPDS implementation is presented in Section 4.0, and an overall summary and conclusions are presented in Section 5.0.

1.2 Terminology

1.2.1 Critical Safety Functions

Critical Safety Functions (CSF's) are those safety functions that are essential to prevent a direct and immediate threat to the health and safety of the public.

The critical safety functions monitored by the SPDS are those developed by the Westinghouse Owner's Group to satisfy NUREG-0737, Supplement 1 requirements. They are:

  • Subcriticality
  • Core Cooling
  • Heat Sink
  • Integrity
  • Containment
  • Inventory

The purpose of the SPDS in relation to the CSF's is to continuously display information to enable a user to assess overall plant safety status in terms of how well the CSF's are being maintained or accomplished. However, the SPDS is not designed to diagnose the specific events which may be affecting CSF maintenance or accomplishment.

As implemented at CPSES, the parameters displayed on the SPDS provide the reactor operator and technical personnel with continuous, unambiguous data that will enable them to make proper decisions regarding appropriate operator action in response to developing plant conditions.

1.2.2 Parameters

Parameters are those measures of system status or performance which are obtained directly from or calculated from plant signals. Each parameter is measured by one or more calibrated sensors.

1.2.3 Plant Signals

Plant signals are the electronic or electrical outputs of calibrated monitoring and control sensing devices installed in the plant systems.

2.0 SPDS DESIGN AND OPERATION

2.1 System Description

The displays and features that comprise the SPDS at CPSES are a subset of the displays and features available through the ERFCS. The SPDS includes the specific displays and features described in this report, and the software that supports those displays and features; but the ERFCS includes other displays and features that are not described here.

The ERFCS is configured so that each CPSES unit has its own computer system. Each computer system includes the three major subsystems described below.

2.1.1 Data Acquisition Subsystem

The data acquisition subsystem for each unit collects input signals through remote multiplexing units (RMUs) and associated communications controllers, and input data through ASCII-character communication data links.

2.1.1.1 Data Acquisition Via Remote Multiplexing Units (RMU)

The RMU systems are high-speed data multiplexers connected via redundant data links to a redundant set of communication controllers (CC's). The RMU's are provided for analog and digital signal scanning, analog to digital conversion, and Class 1E isolation.

All field inputs are connected to the RMU's either directly or through qualified Class 1E isolators as required by NUREG-0737, Supplement 1 (Reference 1). The RMU's transmit digitally coded information to, or receive digitally coded commands from, the redundant CC's by means of redundant data links.

The redundant CC's control both the interrogation of the RMU's and the transmission of data along the redundant data links. The CC's also control the allocation and transfer of data to the memories of the computer systems. The CC's likewise control commands initiated by the computers and transmit them to the appropriate RMU's.

2.1.1.2 Data Acquisition Via ASCII Data Links

Three ASCII data sources provide input directly to the ERFCS Computers. These are:

  • Radiation Monitoring System
  • Core Cooling Monitoring System
  • Reactor Vessel Level-Indicating System

These systems accomplish all engineering unit conversions and data validation for each of their respective inputs. Each provides a formatted ASCII data string to the ERFCS. Class 1E isolation is provided by each system prior to data transfer to the ERFCS.

2.1.2 Computer Subsystems

The ERFCS includes two pairs of redundant PRIME 750 Computers. One pair is located in each unit, and communicates with and supports that unit's data acquisition system and display system (described below). One computer in each unit is configured to be the "primary" computer, and is capable of performing all SPDS-related data acquisition and display functions itself. The other computer in each unit is configured to be the "backup" computer. It routinely monitors the performance of the primary computer, and initiates a system failover (a transfer of "primary" computer responsibilities from the normally primary computer to the normally backup computer) upon detection of an anomaly. Redundant computers in each unit thus ensure that system availability remains high.

2.1.3 Display Subsystem

The ERFCS includes CRT display units in each of the station's emergency response facilities: four display screens in each unit's control room, three display units in the Technical Support Center, and two display units in the Emergency Operations Facility. With the exception of one of the screens in the control room (discussed below), all display units are Chromatics CGC-7900 Colorgraphics Computers.

Four display units are available in each control room, of which two are mounted in a console in the central area of the "horseshoe" portion of the control room. The third is mounted in the center of the main control board and the fourth is located at the unit supervisor's console. The relative positions of these screens are shown in Figure 1. The CRT mounted on the right-hand side of each console is referred to as the "supervisor's CRT". It includes a full Chromatics keyboard, and allows system users to access all SPDS displays and all other ERFCS displays and features, through the bezel-key hierarchical menu described in Section 2.3.3. The CRT mounted on the left-hand side of each console is the "operator's CRT". Through this CRT, system users may access only SPDS displays. Access is provided via the single-stroke keypad described in Section 2.3.3. The third CRT in each control room is a high-resolution CRT monitor that is mounted at eye level in the main control board, as shown in Figure 1. A switch associated with this monitor allows users to select either SPDS displays supported by the ERFCS, or other displays supported by the plant process computer. In the "SPDS" mode, this monitor is "slaved" to the operator's CRT. That is, whatever is displayed on the operator's CRT will also be displayed on the control board monitor. A single-stroke display selection keypad, identical to the one mounted near the operator's CRT, is mounted near the control board monitor. This keypad is connected in parallel with the other one, so that an operator may select a display from either keypad. The fourth CRT is a "supervisor's CRT," with functions similar to the one previously described.

The display units in the Technical Support Center and the Emergency Operations Facility are all Chromatics CGC 7900 computers. Through these units, users may access any SPDS display, or any other ERFCS display or feature. Access is allowed through the bezel-key menu described in Section 2.3.3.

2.1.4 System Availability

The ERFCS is designed to achieve high SPDS availability. During the design of the system, the principle of redundancy was applied to ensure that the failure of any component would not cause system unavailability. In addition, except for the display units in the Emergency Operations Facility, all ERFCS components are powered from uninterruptible power sources. Thus, high system availability is assured. However, quantification of system availability in an operating-station environment cannot be assessed until the station begins operating.

Therefore, during the low power startup operational phase, a planned 30 day availability test will be run to quantify the SPDS availability. The data will be captured and evaluated, results will then be compared with the design goal, and corrective actions, if required, will be initiated.

During the operational phase, all maintenance activities will be performed under an operations maintenance program that will maintain the installed system using plant work order procedures and plant system downtime status logs in a manner such that the SPDS meets/exceeds its design goal.

2.1.5 System Reliability

The ERFCS is designed to achieve high reliability in terms of hardware, software, operator performance and data validation.

From the hardware point of view, the dual CPU, redundant system with automatic failover, uninterruptible power supplies, on-site hardware maintenance support and adequate inventories of spare parts ensure a highly reliable system.

From the software point of view, the system has been designed and developed under a software quality assurance plan based on IEEE 730-1984 (Reference 8). Independent Verification and Validation (V&V) activities have been performed on the system using NSAC-39 as a guideline. The current V&V activities are being performed using ANSI/ANS 10.4-1987 as a guideline.

From the operator performance perspective, the SPDS displays have been designed and developed using control room operators' inputs. A planned SPDS dynamic validation test was conducted on the simulator using control room operators. The test results were evaluated, and design modifications were initiated and implemented to address operator comments on the SPDS displays.

Extensive Factory Acceptance tests and Site Acceptance tests have been conducted to ensure system reliability. Prior to the system turnover to Operations, a preplanned Preoperational test will be conducted by the TU Electric Startup group. The test will include a point by point wiring check of all SPDS inputs from the sensors/control cabinets to the ERFCS to ensure the validity of the signal inputs. Also, the SPDS displays will be checked by injecting known inputs at the sensor/control cabinets for data validation. This test is scheduled to be completed in August, 1989.

As an ongoing program, Operations will include the SPDS computer points, if available, in addition to the control board indicators, in routine instrument loop calibrations that will further enhance the system reliability.

2.2 SPDS Displays

The four different types of displays included in the SPDS are Top Level, ERG Summary, 30-minute Trend, and Reactor Vessel Level.

All of the SPDS displays described below include several common display features. These common display features are in the Critical Safety Function Monitor (CSFM) summary area and the message area, and are illustrated in Figure 2.

The CSFM Summary area lists the six Critical Safety Functions which are monitored and maintained through the CPSES Emergency Response Guidelines (ERG's) and Function Restoration Guidelines (FRG's). These functions are listed on the display in the order of priority as defined in the ERG's. This area also includes dynamic color- and pattern-coded targets which graphically indicate the status of each critical safety function. These targets are further described in Figure 3. The logic that activates each CSFM target is identical to the logic specified in the corresponding ERG's for monitoring the corresponding critical safety function. The specific logic trees used in the ERG's are duplicated on dynamic ERFCS displays that are not considered to be part of the SPDS.

Currently, the CPSES SPDS design does not include a continuous display for the safety function, "Radioactivity Control." The SPDS design will be modified to include "Radioactivity Control" as a continuous top level display prior to the start of the second operating cycle.

The message area that is included on all SPDS displays includes information in three categories. One such category is current conditions. A table is presented at the top of the message area that lists and identifies the current values of reactor power, auctioneered high average reactor coolant system temperature, startup rate, [illegible] range neutron flux and wide range neutron flux. The listed value of power is displayed in units of counts per second, detector amperes, or percent of full power as appropriate.

Figure 1: Relative Locations of the SPDS Display Units in the Control Room

[Figure not reproduced. The plan view shows UNIT 1 and UNIT 2 with the following numbered items.]

1. Main Control Board CRT
2. Operator's CRT
3. Supervisor's CRT
4. SPDS Console
5. Plant Process Computer Console
6. Radiation Monitor System Console
7. Unit Supervisor's CRT

Figure 2: OPERATION Top Level Display (Information displayed is for demonstration purpose only.)

[Figure not reproduced. Legible labels: the CSFM summary area (SUBCRITICALITY, CORE COOLING, HEAT SINK, INTEGRITY, CONTAINMENT, INVENTORY); RCS PRESS, PRZR LVL and MSL PRESS; and the display selection keys SPDS, ERG SUM, RVLIS, RCS TRS, SG TRS, CNTMT TRS and OTHER TRS.]

The second category of information in the message area includes information about the occurrence of several events, and the plant's response to some of those events. The events monitored include reactor trip, safety injection, phase "A" containment isolation, feedwater isolation, containment ventilation isolation, main steam line isolation, and phase "B" containment isolation.

When any of these event signals are received, the name of the event appears in the message area, along with a corresponding integer number and the date and time that the signal was received. This information is formatted as shown in Figure 2. In addition, the status (complete/incomplete) of the plant's response to the latter five events is also displayed immediately beneath each event's name. If all of the valves that are intended to close (or open) in response to a particular signal event are in their proper positions, then the status of that event will be displayed as "complete". Otherwise, the status will be displayed as "incomplete", "complete-suspect", or "incomplete-suspect", as appropriate and as shown in the example in Figure 2. The ERFCS includes a non-SPDS display associated with each of these five events that lists all of the components which are not in their proper positions and those components whose positions are unknown.

The integer numbers described above as being associated with each event are used to identify on the trend graphs the time at which the events occurred, as shown in the example in Figure 9.

The third category of information that is included in the message area includes the four computer system diagnostic messages illustrated in Figure 2. These messages will be displayed as conditions warrant.

A box in the lower left-hand corner of every display continuously displays current date and time. The box includes a large black-on-beige number ("1" or "2") to ensure that system users associate the presented data with the proper CPSES Unit. This block flashes beige-on-black or black-on-beige based on data updates. This box also identifies the current mode of operation (e.g. "OPERATION," "HEATUP/COOLDOWN," or "COLD SHUTDOWN"). The mode is determined on the SPDS by the logic shown in Figure 4. This logic determines not only the message that will be displayed in the box discussed above, but also the set of alarm and reactor trip setpoint values that will be used to implement the alarm status conventions discussed below. If the system cannot complete the logic shown in Figure 4 due to a loss of input signal, the mode message will be replaced by blue asterisks and all alarm status indications will disappear. A user may override the logic result with a user-specified mode designation. This may be accomplished only through the SPDS system terminal in the computer room, and will restore alarm status indications and result in the user-specified designation being displayed surrounded by a blue "suspect" box.

Figure 3: Interpretation of CSFM Status Targets

[Figure not reproduced. Columns: TARGET CONFIGURATION, TARGET COLOR, RELATIVE URGENCY. Legible rows: RED, HIGH; ORANGE, MEDIUM.]

Figure 4: Logic Used to Determine Operating Mode

[Flowchart not reproduced. The legible decision sequence is:]

START
TAVE known? NO: mode unknown. YES: continue.
TAVE < 200°F? YES: "COLD SHUTDOWN". NO: continue.
TAVE > 550°F? YES: "OPERATION". NO: "HEATUP/COOLDOWN".

TAVE: AVERAGE REACTOR COOLANT SYSTEM TEMPERATURE

2.2.1 Display Conventions

Display conventions employed on all SPDS displays enable system users to readily assess data validity and alarm status. These conventions are discussed further below.

2.2.1.1 Data Validity Conventions

The ERFCS assesses the validity of the data that are presented on SPDS displays and distinguishes between three states of data validity. The algorithms used in these assessments are discussed in Section 3.4. "Good" data are presented in white text; "suspect" data are presented in white text surrounded by a blue box; and "bad" data are replaced by blue asterisks.

2.2.1.2 Alarm Status Conventions

Every SPDS display includes indications of the alarm status of displayed parameters. On bar charts, trend graphs and the OPERATION top-level display, alarm limits are indicated by small triangles positioned immediately adjacent to the bars, as illustrated in Figure 2. These triangles are displayed at vertical positions that correspond to the setpoints. Yellow triangles represent alert alarm setpoints and red triangles represent reactor trip setpoints.

Additional alarm status information is provided on the OPERATION top level display by bar chart color changes. While a parameter is within its normal operating range, its associated bar is displayed in green. When an alert alarm setpoint is exceeded, the bar turns yellow. When a reactor trip setpoint is exceeded, the bar turns red.

Yellow and red boxes are used to indicate the alarm status of parameters that are presented without an associated bar chart, as on the ERG Summary displays discussed below and illustrated in Figures 5 through 8. When a parameter value exceeds an alert alarm setpoint, the displayed value is surrounded by a yellow colored box. When the parameter value exceeds a reactor trip setpoint, the box turns red.
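The mode logic of Figure 4 and the data validity and alarm status conventions of Sections 2.2.1.1 and 2.2.1.2, combined in an added example that is not code from the SAR or the ERFCS. The 200°F and 550°F thresholds are read from Figure 4; the setpoint values, the high-going-only alarm comparison, and letting a user override take precedence over the computed mode are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Validity(Enum):
    GOOD = "good"        # shown as white text
    SUSPECT = "suspect"  # white text inside a blue box
    BAD = "bad"          # replaced by blue asterisks


@dataclass(frozen=True)
class Reading:
    value: Optional[float]  # None models a lost input signal
    validity: Validity


@dataclass(frozen=True)
class ModeStatus:
    text: str             # contents of the mode box
    suspect_box: bool     # blue "suspect" box around the mode text
    alarms_enabled: bool  # False: every alarm status indication disappears


@dataclass(frozen=True)
class Setpoints:
    alert: float
    trip: float


UNKNOWN_MODE = "*****"  # stands in for the blue asterisks

# Constructed sample setpoints for one hypothetical parameter, one set per mode.
SAMPLE_SETPOINTS: Dict[str, Setpoints] = {
    "OPERATION": Setpoints(alert=100.0, trip=120.0),
    "HEATUP/COOLDOWN": Setpoints(alert=80.0, trip=120.0),
    "COLD SHUTDOWN": Setpoints(alert=40.0, trip=60.0),
}


def usable(reading: Reading) -> bool:
    """A reading can drive logic only if a value exists and it is not 'bad'."""
    return reading.value is not None and reading.validity is not Validity.BAD


def determine_mode(tave: Reading, override: Optional[str] = None) -> ModeStatus:
    """Figure 4 logic on average reactor coolant system temperature (deg F)."""
    if override is not None:
        # Assumption: a designation entered at the system terminal wins. It is
        # shown in a blue suspect box and alarm indications are restored.
        return ModeStatus(override, suspect_box=True, alarms_enabled=True)
    if not usable(tave):
        # Logic cannot complete: asterisks, and no alarm indications at all.
        return ModeStatus(UNKNOWN_MODE, suspect_box=False, alarms_enabled=False)
    if tave.value < 200.0:
        return ModeStatus("COLD SHUTDOWN", False, True)
    if tave.value > 550.0:
        return ModeStatus("OPERATION", False, True)
    return ModeStatus("HEATUP/COOLDOWN", False, True)


def render_value(reading: Reading) -> Dict[str, Optional[str]]:
    """Data validity convention for one displayed value."""
    if not usable(reading):
        return {"text": "****", "color": "blue", "box": None}
    box = "blue" if reading.validity is Validity.SUSPECT else None
    return {"text": f"{reading.value:g}", "color": "white", "box": box}


def alarm_status(reading: Reading, mode: ModeStatus,
                 setpoints_by_mode: Dict[str, Setpoints]) -> Optional[str]:
    """Bar or box colour for a parameter; None means no alarm indication.

    The setpoint pair is selected by the current mode, so the same value can
    be normal in one mode and in alarm in another.
    """
    if not mode.alarms_enabled or not usable(reading):
        return None
    sp = setpoints_by_mode.get(mode.text)
    if sp is None:          # no setpoints defined for this mode designation
        return None
    if reading.value > sp.trip:
        return "red"
    if reading.value > sp.alert:
        return "yellow"
    return "green"
```

Suppressing alarm colours when the mode is unknown avoids evaluating a value against setpoints that belong to the wrong mode.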

2.2.2 Top Level Displays

The SPDS includes one "top-level" display that enables system users to monitor key parameters during plant operation (including heatup and cooldown).

The OPERATION top-level display includes color-coded bar charts with displayed values, color-coded targets, and display values alone, in addition to the features common to all SPDS displays, and is shown in Figure 2. The data validity and alarm status conventions described above are fully implemented on this display, and several examples of suspect data and parameters in alarm are illustrated on Figure 2. This display provides users a concise overview of all SPDS parameters, as all are either directly or indirectly monitored and/or displayed on this display.

All of the parameters monitored through this display are also included on SPDS trend graphs as discussed in Section 2.2.4. For example, the RADIATION target on this display will change from green to yellow if any of four radiation monitor signals exceed their associated alarm setpoints; all four of those signals are included on the RAD MON trend graph. Similarly, the "RVLIS" display described in Section 2.2.5 provides the user with further insight to reactor vessel level data that is monitored on this display through the RV LVL target. Thus, this display will alert users of adverse trends in any of the SPDS parameters, and the users will be able to further investigate those trends through the trend graphs and other SPDS displays.

2.2.3 ERG Summary Displays

The SPDS includes four displays that present parameters monitored through the CPSES Emergency Response Guidelines. The formats of these displays are presented in Figures 5 through 8. Standard data validity and alarm status conventions are implemented on these displays.

2.2.4 Trend Graph Displays

The SPDS Trend Graph Displays provide the system users with graphical indications of pre-selected, functionally related groups of parameters. On the left-hand side of each trend graph are bar-chart displays that indicate the current values of each of the parameters presented on the display. Alert alarm and reactor trip setpoints associated with each parameter are displayed on each bar chart by yellow and red triangles, respectively, as per the alarm status conventions discussed earlier in Section 2.2.1.2.

Most of the trend graph groupings include four parameters per display, but a few trend graphs include only three parameters. The right-hand side of each trend graph presents a thirty-minute plot, similar to a strip chart recorder, that shows variations in each of the parameters during the past thirty minutes. For each parameter, the scale used on both the bar chart and the plot corresponds to the range between the minimum and maximum engineering-unit values for the associated input sensor. The color used to indicate a parameter's value on a bar-chart is also used to present its thirty-minute trend on the plot, thus enabling a user to readily identify each trend. A typical SPDS trend graph display is shown in Figure 9.

Parameter groupings on SPDS trend graphs are listed in Appendix 3.

2.2.5 Reactor Vessel Level Display

The SPDS includes two displays that present data from the Reactor Vessel Level Indication System (RVLIS). On the OPERATION top-level display in Figure 2, the reactor vessel level status is indicated by a color-coded target. If RVLIS data indicate that the upper reactor vessel head is full (i.e. all sensors indicate coolant), the target is green; otherwise, the target is yellow. The other display presents RVLIS data, as discussed below.

The RVLIS display presents an indication of current coolant inventory in the reactor vessel. This display employs a schematic representation of the upper vessel head and the core to show the relative positions of the RVLIS sensors. The display format is shown here as Figure 10. Data from each sensor are displayed via a color-coded circle. Each circle is displayed in solid dark blue if the sensor indicates "coolant," or in solid white if the sensor indicates "no coolant." If a sensor's signal is unknown, the solid-color circle is replaced by a light blue asterisk. As shown in Figure 10, this display also includes tables of upper-head temperatures sensed at each sensor location, and an indication of auctioneered high core exit thermocouple temperature. Position identification labels on this display are the same as the labels used on the RVLIS panel on the main control board.

Figure 5: LOCA/LOSC ERG Summary Display (Information displayed is for information purposes only.)

[Figure not reproduced. Legible labels: the CSFM summary area; RCS PRESS, PRZR LVL, RECIRC SUMP LVL, CNTMT PRESS, CNTMT RAD, PRZR PORV, PRZR SFTY VLV, RWST LVL, SUBCOOL, AUCT HI CET, TOTAL RHR FLOW and CCP INJECTION FLOW; and per-loop rows for RCP STATUS, SG NR LVL, AFW FLOW, MSL PRESS, MSL RAD and SG ISOL.]

Figure 6: SGTR ERG Summary Display (Information displayed is for demonstration purposes only)

[Figure not reproduced. Legible labels: the CSFM summary area; RCS PRESS, PRZR LVL, RECIRC SUMP LVL, PRZR PORV, RWST LVL, CST LVL, AUCT HI CET, SG BLDN RAD and TOTAL RHR FLOW; and per-loop rows for RCP STATUS, SG NR LVL, AFW FLOW, FW+AFW-MS, MSL PRESS, MSL RAD and SG ISOL.]

Figure 7 SG ISOLATION ERG Summary Display (Information displayed is for demonstration purposes only.)

[Screen image not recoverable from the scan. Legible labels: CSFM status column; per-loop valve status rows ATMOS RLF VLV, SFTY RLF VLVS, MSIBV, FWIBV, TDAFWP FCV, MDAFWP FCV, BLDN ISOL VLV, SMPL ISOL VLV, DRUM SMPL ISOL VLV, BLDN SMPL ISOL VLV, MS DPOT ISOL VLV, TDAFWP SPLY VLV.]

Figure 8 ERG FOLDOUT ERG Summary Display (Information displayed is for demonstration purposes only.)

[Screen image not recoverable from the scan. Legible labels: CSFM status column; table columns QUESTION, ANS., CRITERIA; legible criteria include SUBCOOL < 15 F, PRZR LVL < 20 %, CNTMT PRESS > 5 PSIG, CST LVL < 10 %, RWST LVL < 40 %.]

2.3 Human Factors Design Considerations

An interdisciplinary team of operations, instrumentation and controls, and human factors engineers was involved in the definition, creation, and review of the SPDS display formats to ensure displays were consistent with the requirements of Supplement 1 to NUREG-0737, the functional criteria of NUREG-0696, and the general human factors guidance of NUREG-0700. The initial program that developed the basic display formats included a user evaluation at the Indian Point 2 power plant simulator (Reference 5). Additionally, a dynamic test was performed using the Comanche Peak simulator with the control room operators to receive end user feedback in the display development process.

Subsequent reviews of the SPDS displays were performed to ensure that the system, as designed, meets the intent of NUREG-0800 and NUREG-0835.

2.3.1 Display Features

The display formats are designed with low information densities. Furthermore, the color scheme is designed to reduce the visual dominance of the static background information. Extensive use of demarcation lines is employed to separate classes of data or parameters. Four different colors are used on the trend graphs for differentiation and association.

Simple display formats are provided to reinforce user recognition of plant status. Similar data are presented in similar formats. Vertical bar level indications are easy to associate with parameter values. Furthermore, the vertical bar format is familiar to control room operators, as the control boards contain mainly vertical meters.

Color codes are consistent on all SPDS displays. Red is reserved for information related to reactor trip. Red triangles on bar charts indicate trip setpoint values, and both red boxes around displayed values (on ERG Summary displays and the Operation display) and changing bar chart color to red (on the Operations display only) indicate that the displayed parameter value exceeds a reactor trip setpoint. In the same sense, yellow is reserved for alert alarm limits. Yellow triangles on bar charts indicate alert alarm setpoint values, and both yellow boxes around displayed values (on ERG Summary displays and the Operation display) and changing bar chart color to yellow (on the Operations display only) indicate that the displayed parameter value exceeds an alert alarm setpoint.

Light blue is reserved for data validity indications. On all displays, blue boxes indicate suspect data, and blue asterisks indicate bad data.

Figure 9 Typical SPDS Trend Graph (Two such trend graphs may be displayed at the same time: when another is selected, the graph on the bottom of the display will move to the top, and the newly selected graph will be inserted as shown here. Information displayed is for demonstration purposes only.)

[Trend graph image not recoverable from the scan. Legible labels: CSFM status column; SG NR LVL bar indications for loops 1 through 4 (%); menu row SPDS, SPDS TRS, MSL PRESS, SG NR LVL, SG WR LVL, STM FLOW, FW FLOW.]

Figure 10 Reactor Vessel Level Current-Conditions Display (Information displayed is for demonstration purposes only.)

[Screen image not recoverable from the scan. Legible labels: CSFM status column; RVLIS title; sensor position indications with upper-head temperature tables; AUCT HI CET; CORE.]

Arrangement consistency is a key feature of the SPDS displays. Certain data (date, time, critical safety function summary, messages, etc.) always appear in the same areas on every display to readily facilitate identification of data appearing on different displays.

The data or information groups are located on the display in order of relative importance. Generally, the groups are ordered in a top-to-bottom and left-to-right ranking, with the most important data at the top or on the left of the display.

Displays are presented on high-resolution monitors. The 1024-pixel by 780-pixel CRT used in the Chromatics units enables sharply-defined symbols, lines, and text. Thus, users are able to readily discriminate between different display features, and between display features and background.

2.3.2 Graphic Coding

Pattern and color coding techniques are extensively used on SPDS displays to portray status in a graphic form for rapid user recognition.

2.3.2.1 Pattern Coding

As previously mentioned, vertical bar charts were selected as the means of presenting primary status indications. This technique allowed for a range of value indication in a form comprehendible by the user.

Trend arrows are used on the top-level and ERG Summary displays in conjunction with the parameter values to provide immediate value trend direction information. Examples of trend arrows are visible on Figure 2.

2.3.2.2 Color Coding

Color coding is used to enhance changes in status and to add parameter differentiation and association. Color use is consistent and restrained (only seven colors plus a black background are used). Each of the colors used is produced on the screen by more than one color gun, such that information will be displayed on the screen even if a CRT color gun fails.

The use of color on the Critical Safety Function summary employs a structured approach. To present CSF status information, the following conventions are used:

  • Red - off-normal, immediate action, loss of safety function
  • Orange - prompt action, potential loss of safety function
  • Yellow - failure or caution, loss of redundancy, action may be needed
  • Green - normal, Critical Safety Function satisfied
  • Blue Asterisk - loss of indication (sensor related); Critical Safety Function unknown

Color on the trend graphs is used for differentiation and association: to distinguish the parameter trends on each graph and to relate each bar level to a corresponding trend line.

Beige is used for demarcations, titles, graduations, static values, and text information.

White is used for dynamic values and event/message data because of its sharp contrast against the black background of the displays.

2.3.3 Display Access

SPDS displays are available through two different types of terminals. Primary or "operators" CRT's are located on the left side of the SPDS consoles in the control rooms, and on the main control boards. Displays are accessed from these terminals via a dedicated keypad that allows users to select any SPDS display by a single keypad stroke. The keypad is formatted and labeled as shown in Figure 11.

Besides the primary CRT's, the ERFCS includes secondary CRT units. These units each include a full Chromatics keyboard and a bezel-key array through which users interact with the system. The bezel keys enable the user to select any ERFCS display. The keyboard enables the user to provide information to various non-SPDS functions as required. Displays are selected by using the bezel keys to move through a hierarchical menu that includes all displays. The menu is continuously displayed at the bottom of the CRT screen, immediately below the SPDS display on the screen, and immediately above the associated bezel keys. The menu position is clearly shown on the sample Operation display in Figure 2. A complete SPDS menu is depicted in Figure 12.

Currently, human factors aspects of the SPDS screens with respect to color discrimination, letter size, and brightness are being evaluated. Upon completion of the evaluation, short-term and long-term action plans will be developed consistent with the requirements of this section.

Figure 11 SPDS Keypad Format

[Keypad drawing not recoverable from the scan. Legible key groups: TOP LVL, ERG SUM, RVLIS, and SPDS TRENDS (RCS, SG, CNTMT, OTHER).]

2.3.4 Display Unit Locations

In each unit, the primary CRT's are located on the left side of the SPDS console in the control room. An additional CRT display driven by the primary CRT is located on the main control board. A secondary CRT, the "supervisor's" CRT, is located on the right side of the SPDS console. Additional secondary CRTs are located in the Technical Support Center (3 units) and the Emergency Operations Facility (2 units). These additional CRT's are free-standing Chromatics CGC 7900 display units. A display is also located at the Unit supervisor's console in the control room.

2.4 Verification and Validation Program

The Verification and Validation (V&V) program for the Comanche Peak SPDS was conducted in accordance with NSAC-39. The safety-related aspects of the SPDS design satisfy the requirements of ANSI N45.2.11-1974.

The system baseline was established in 1987. Changes since that time have been and are being verified and validated using a program based on ANSI/ANS 10.4-1987.

The SPDS is a subsystem of the Emergency Response Facilities Computer System. As such, its V&V program satisfies the objectives of NUREG-0696, "Functional Criteria for Emergency Response Facilities." All V&V activities are performed by individuals who are independent from the design effort and have sufficient experience and expertise to properly evaluate the various activities which affect the final design and installation of the SPDS. Activities covered by the V&V plan include design verification against functional requirements and specifications, installation inspection, and overall system performance testing.

The system requirements document for the ERFCS includes a requirements traceability matrix taken from the system specifications and NUREG-0696.

2.4.1 Definitions

Verification is the demonstration of the consistency, completeness, and correctness of each stage of the development of a project on the basis of fulfillment of all requirements imposed by the previous stage. Validation is the demonstration of the correctness of the final system as determined by testing against overall functional, performance, and interface requirements.

The essential idea of verification is stage-by-stage confirmation of the design, while validation refers to overall testing of the final product. The V&V process is intended to provide an overall check that all requirements are met and that the system operates satisfactorily.

Figure 12 SPDS Menu Hierarchy

[Menu hierarchy diagram not recoverable from the scan. Legible menu entries: TOP LEVEL (OPERATION, CLD SHTDN); ERG SUM (LOCA/LOSC, SGTR, SG ISOL, FOLD OUT); RVLIS (DISPLAY, TREND); SPDS TRS (RCS TRS, SG TRS, CNTMT TRS, OTHER TRS).]

2.4.2 V&V Activities

Specific areas covered by V&V activities are:

  • System requirements verification,
  • Hardware and software design specification verification, and
  • System validation testing.

For each of the above V&V activities, qualified personnel are assigned to perform the activities required to ensure that all applicable design basis requirements are included in the design and that the design is complete, correct, and unambiguous. An interim report is issued at each phase of the V&V process, wherein all discrepancies are identified and resolved. A final V&V report summarizes the results of each activity, and documents the resolutions of all required corrective actions.

2.4.3 Relationship Between QA and V&V

The V&V efforts of the V&V program are independent of any Quality Assurance (QA) requirements which may be imposed elsewhere. As part of the V&V effort, the V&V team may elect to employ QA procedures, forms, or personnel. Such election would be for convenience and cost-effectiveness of the V&V effort, and would neither impose additional QA requirements nor compromise any QA requirements of any part of the overall system specifications.

3.0 SELECTION AND EVALUATION OF SPDS PARAMETERS

The SPDS input parameters were selected based upon their ability to comprehensively and unambiguously monitor the various plant safety functions. Additionally, the type, number and range of each input parameter were selected to be sufficient to determine the maintenance or accomplishment status of each critical safety function for a wide variety of events, including design basis accidents for all modes of reactor operation.

3.1 Selection and Evaluation Process

The CPSES Final Safety Analysis Report and the plant Technical Specification were reviewed to determine requirements regarding the maintenance and accomplishment of each critical safety function during all modes of reactor operation. This review included the system design bases and performance specifications, transient and accident analyses, characteristics of the modes of operation, alarm setpoints and system operational limits, and Technical Specifications bases.

The CPSES parameter set includes all of the minimum set of SPDS parameters selected by the Ad Hoc Group of the Westinghouse Owners Group Subcommittee on Instrumentation (1981), of which TU Electric was a member. The parameter set for the CPSES SPDS was compared with the SPDS parameter sets recommended by NSAC and AIF. The NSAC (Reference 6) set was derived by checking against WASH 1400 sequences and observing the number of times each parameter was a potential indicator of plant status. The indicators were classified as leading, secondary, possible misleading, or negligible response indicators for the various sequences. The AIF set (Reference 7) was developed by using the formal parameter selection criteria: detection, leading indicator, plant safety functions, radioactive barrier, direct measurement, reliability, and applicability under diverse plant conditions. Selected parameters were evaluated against the selection criteria in a predefined logic.

The CPSES SPDS parameter set includes all of the AIF SPDS parameters and all of the NSAC SPDS parameters which serve as leading indicators for the events analyzed except reactor coolant system flow rate, pressurizer relief tank level, volume control tank level, letdown flow rate, and control rod position. According to the NSAC study, reactor coolant system flow rate is recommended to indicate loss of generator and subsequent failure to relay the plant loads to offsite power and failure to establish conditions for natural circulation. In the case of loss of the main generator, trip of the reactor coolant pumps, which occurs on undervoltage, would provide similar indication and is monitored by the CPSES SPDS.

Establishing and maintaining natural circulation and determining if adequate cooldown is occurring are accomplished without the use of RCS flow indication.

Conditions which support or indicate natural circulation include reactor coolant core delta T greater than 10 degrees F, steam generator pressure stable or decreasing, hot leg temperature stable or temperature near the saturation temperature for steam generator pressure. All these parameters are monitored and displayed on the SPDS.

Pressurizer relief tank level was recommended by NSAC to indicate pressurizer safety relief valve position. As an SPDS parameter, this only provides indication as to the possible cause of a reactor coolant system integrity breach. Since this is primarily used for diagnostics and because primary indicators of reactor coolant system integrity are available on the CPSES SPDS, this parameter is not displayed on the SPDS. Volume control tank level and letdown flow rate were recommended by NSAC as leading indicators of CVCS performance but are not primary indicators of CSF status. Control rod position is also recommended by NSAC to indicate reactor protection system (RPS) performance. The primary indicators of RPS performance, as well as adequate core subcriticality, are neutron flux and increasing flux (negative startup rate), both of which are monitored and displayed on the CPSES SPDS. Control rod position is not monitored by the SPDS, but is adequately displayed via the rod position indicating system display located next to the SPDS CRT on the main control board.

A study was conducted which reviewed the SPDS parameter set against the CPSES Emergency Response Guideline procedures. The purpose of the study was to assess the adequacy of the parameter set. The study noted that:

  • The set of parameters monitored through the SPDS displays includes all of the parameters necessary to determine the status of the six critical safety functions.

  • The status of all but one of the parameters necessary to determine the status of the critical safety functions may be inferred from direct or indirect indications on the top-level displays. The Auxiliary Feedwater flow rate may be reviewed in the ERG Summary Displays.

  • The set of parameters available on the ERFCS includes all but two of the parameters which trigger entry into or exit from CPSES ERG procedures, and those two parameters may be inferred from other parameters available on the system. One of those parameters is pressurizer PORV block valve position, which may be inferred from pressurizer pressure, PORV position and pressurizer relief tank pressure and temperature. The other is containment sump recirculation valve position, which may be inferred from refueling water storage tank level and residual heat removal pump status and flow rate.

The study thus concluded that the set of parameters presented on SPDS displays is sufficient to meet the intent of NUREG-0696 and Supplement 1 to NUREG-0737, and that parameter availability for the entire ERFCS supports and is compatible with the CPSES ERGs.

3.2 Parameter Ranges

The SPDS parameter ranges are presented in Appendix 2. Analog signals which provide input to the SPDS are identified with their corresponding ranges. In general, all ranges monitored by the SPDS are identical to those in the control room and envelop system design criteria, plant responses to design basis accidents, transients, and ATWS responses.

Neutron flux (reactor power) information is provided in the range of one count per second to 120 percent of full reactor power. Full range monitors that include Source Range (SR), Intermediate Range (IR), and Power Range (PR) outputs are used with sufficient overlap of ranges to provide this information. In addition, the startup rate is monitored from. .3 to 5 decades per minute. These ranges correspond with the Nuclear Instrumentation System (NIS) indicators located in the control room. In addition to the NIS indication, Source Range (10^-1 to 10^3 CPS) and Wide Range (10-o to 200%) neutron flux parameters are also used.

Pressurizer level is monitored and displayed from 0 to 100 percent of capacity, which corresponds with control room indication.

Core exit temperature is monitored and displayed over the range of 0 to 2,300 degrees F. This range corresponds with the Core Cooling Monitor indications located in the control room. The RCS subcooling margin is monitored and displayed over the range of -300 to +300 degrees F, which corresponds with the Core Cooling Monitor control room indications.

Cold and hot leg temperatures are monitored from 0 to 700 degrees F, which corresponds with the RCS temperature indicators located in the control room.

Steam generator level is monitored and displayed over its entire capacity of 0 to 100 percent. Main steam line pressure is monitored and displayed from 0 to 1,300 psig. These ranges correspond with the steam generator indicators located in the control room.

Steam generator steam flow and auxiliary feedwater flow are monitored from 0 to 5 x 10^6 lbm/hr and 0 to 550 gpm, respectively. These flow rates are on a per-loop basis for each of the four loops. Both the auxiliary feedwater and steam flow rates are monitored and displayed and correspond with the control room indicators.

RHR total flow is monitored and displayed from 0 to 11,000 gpm, which is the sum of the Train A and B RHR flow, both of which are from 0 to 5,500 gpm and correspond with the control room indications.

Pressurizer pressure and reactor coolant loop pressure are monitored from 1,700 to 2,500 psig and 0 to 3,000 psig, respectively. These are combined to provide a reactor coolant system (RCS) pressure display of 0 to 3,000 psig. This display corresponds with indications located in the control room.

Containment pressure is monitored and displayed over the range of -5 to 60 psig, which corresponds with indications located in the control room. Additionally, containment humidity is derived from containment temperatures (wet and dry bulb) and pressure and is displayed over the full range of 0 to 100 percent.

Containment radiation is monitored and displayed over the range of 100 to 10 R/hr (exponents illegible in the scan), which corresponds with the Radiation Monitoring System (RMS) indications located in the control room.

Containment hydrogen (H2) concentration is monitored and displayed over the range of 0 to 10 percent, which corresponds with the Hydrogen Analyzer indications located in the control room.

Steam generator blowdown radiation and condenser offgas radiation are monitored and displayed from 10^-3 to 10^-2 uCi/ml.

Additionally, all four main steam line radiation levels are monitored and the highest is displayed from 10^-1 to 10^3 uCi/ml. All of these indications correspond to the Radiation Monitoring System indications in the control room.

3.3 Selection of SPDS Alarm Setpoints

Alarm setpoints for SPDS input parameters were selected to provide indications consistent with existing plant alarm setpoints.

3.4 SPDS Data Validation

All SPDS parameters except one are monitored by more than one input sensor, such that the displayed value represents an average of the valid input sensor values or the worst case input sensor value. The method used to validate input sensor values depends on the number of input sensors for each parameter, but all of the methods employ a technique referred to as "range checking." That is, each individual sensor value is first validated by comparing that value with the minimum and maximum values that can be produced by the corresponding sensor. Within the range from +0.5% of full scale between maximum and minimum values to 99.5% of full scale, the sensor is considered to be "good." From -0.5% to +0.5% and from 99.5% to 100.5%, the sensor is considered to be "suspect." Below -0.5% and above 100.5%, the sensor is considered to be "bad." Both the sensor values and the results of range-checking are used to determine and validate parameter values as described below.

3.4.1 Single-Input Parameters

The reactor coolant system cold leg loop temperatures are monitored by only one sensor per loop. All other SPDS parameters are monitored by more than one sensor.

However, flow through each reactor coolant loop will be essentially identical, so that each loop's cold leg temperature should be the same. The method used to validate cold leg loop temperatures is based on this understanding, and is depicted in Figure 13.

3.4.2 Parameters with Two Input Sensors

With two input sensor values, several different circumstances are possible. The different possibilities, and the way the system deals with each, are discussed below.

Both values "good": In this case, the display value is the average of the two input sensor values or the worst case input sensor value. If the two values differ by more than a pre-determined parameter-specific divergence criterion (on the order of 10% of full-scale), then the value is marked as "suspect."

Only one value "good": If only one sensor value is "good," then that value is displayed, but is marked as "suspect."

Both sensor values "suspect": The value displayed is the average of the two sensor values or the worst case input sensor value, and is marked as "suspect."

Only one value "suspect": If one value is "suspect" and the other value is "bad," then the suspect value is displayed, and is marked as "suspect."

Both sensor values "bad": Blue asterisks are displayed instead of a parameter value.
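The range check of Section 3.4 and the two-sensor rules of Section 3.4.2, written out as an added Python example; it is not code from the SAR or from the ERFCS software. The function names, the inclusive treatment of readings exactly on a band boundary, the 10% default divergence criterion and the sample readings are assumptions; the -5 to 60 psig span is the containment pressure range given in Section 3.2.

```python
"""Added example: SPDS-style range checking and two-sensor validation.

Illustrative only; names, boundary handling and sample values are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

GOOD, SUSPECT, BAD = "good", "suspect", "bad"


def range_check(value: float, lo: float, hi: float) -> str:
    """Classify one reading by its position in the sensor span lo..hi.

    0.5% .. 99.5% of full scale           -> good
    -0.5% .. 0.5% and 99.5% .. 100.5%     -> suspect
    below -0.5% or above 100.5%           -> bad
    A reading exactly on a boundary takes the better class (assumption).
    """
    pct = 100.0 * (value - lo) / (hi - lo)
    if 0.5 <= pct <= 99.5:
        return GOOD
    if -0.5 <= pct <= 100.5:
        return SUSPECT
    return BAD


@dataclass(frozen=True)
class Displayed:
    value: Optional[float]  # None: no usable value, shown as asterisks
    quality: str            # good, suspect or bad


def average(a: float, b: float) -> float:
    return (a + b) / 2.0


def validate_pair(a: float, b: float, lo: float, hi: float,
                  divergence_pct: float = 10.0,
                  combine: Callable[[float, float], float] = average) -> Displayed:
    """Apply the two-input-sensor rules to readings a and b.

    combine defaults to the average; pass max or min for a parameter that
    displays the worst-case sensor. divergence_pct is the parameter-specific
    divergence criterion, in percent of full scale.
    """
    qa, qb = range_check(a, lo, hi), range_check(b, lo, hi)
    if qa == GOOD and qb == GOOD:
        diverged = abs(a - b) > divergence_pct / 100.0 * (hi - lo)
        return Displayed(combine(a, b), SUSPECT if diverged else GOOD)
    if GOOD in (qa, qb):                      # only one value good
        return Displayed(a if qa == GOOD else b, SUSPECT)
    if qa == SUSPECT and qb == SUSPECT:       # both suspect
        return Displayed(combine(a, b), SUSPECT)
    if SUSPECT in (qa, qb):                   # one suspect, one bad
        return Displayed(a if qa == SUSPECT else b, SUSPECT)
    return Displayed(None, BAD)               # both bad


def render(d: Displayed, units: str) -> str:
    """Text stand-in for the screen: asterisks for bad data, brackets in
    place of the light blue box drawn around suspect data."""
    if d.value is None:
        return "**** " + units
    text = f"{d.value:.1f} {units}"
    return f"[{text}]" if d.quality == SUSPECT else text


# Constructed sample readings for a two-sensor parameter spanning -5..60 psig.
SAMPLES = [
    (10.0, 12.0),    # both good, within the divergence criterion
    (10.0, 20.0),    # both good, but more than 10% of span apart
    (10.0, -5.2),    # one good, one suspect
    (-5.0, -5.2),    # both suspect (at the bottom of the span)
    (-5.2, 70.0),    # one suspect, one bad
    (-10.0, 70.0),   # both bad
]


def run_samples() -> List[str]:
    return [render(validate_pair(a, b, -5.0, 60.0), "PSIG") for a, b in SAMPLES]


if __name__ == "__main__":
    for pair, shown in zip(SAMPLES, run_samples()):
        print(pair, "->", shown)
```

Only a pair of in-range, mutually consistent readings is shown unmarked; every other combination is either flagged or withheld, so a failed or drifting sensor cannot present as a trusted value.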

3.4.3 Parameters with Multiple Input Sensors

The validation technique used for parameters with more than two input sensors essentially averages the "good" sensor values whose values are within a pre-determined parameter-specific divergence criterion of each other. If any of the input sensor values fail the range-checking, or if any are outside the range established by the criterion, those values are not included in the average

Figure 13 Logic for Validating Reactor Coolant System Cold Leg Loop Temperature Signals

[Flowchart not recoverable as a diagram from the scan. Legible box text: START; NOTE STATUS OF EACH LOOP'S REACTOR COOLANT PUMP (ON/OFF); HOW MANY OTHER LOOPS HAVE REACTOR COOLANT PUMPS WITH THE SAME STATUS AS LOOP 1?; DETERMINE AN AVERAGE COLD LEG TEMPERATURE VALUE FOR ALL LOOPS WITH REACTOR COOLANT PUMPS WITH THE SAME STATUS; NOTE THE DIFFERENCE BETWEEN THE COLD LEG TEMPERATURE FOR LOOP 1 AND THE COLD LEG TEMPERATURE FOR THE OTHER LOOP WITH THE SAME REACTOR COOLANT PUMP STATUS; NOTE THE DIFFERENCE BETWEEN THE AVERAGE COLD LEG TEMPERATURE AND THE COLD LEG TEMPERATURE; decision DIFFERENCE > CRITERION; outcomes THE COLD LEG TEMPERATURE IS "SUSPECT" and THE COLD LEG TEMPERATURE IS "GOOD"; STOP.]

4.0 SAFETY EVALUATION PER 10CFR50.59

This evaluation analyzes the function, design, installation, and operation of the Safety Parameter Display System (SPDS) to ensure that SPDS implementation does not involve an unreviewed safety question. The objective of the evaluation is to verify that

1) the probability of occurrence or the magnitude of the consequences of an accident or malfunction of equipment important to safety, previously evaluated in the FSAR, will not be increased;
2) the possibility for an accident or malfunction of a different type than any evaluated previously in the FSAR has not been created; and
3) the margin of safety as defined in the basis for any technical specification will not be reduced by the addition of the SPDS.

4.1 SPDS Function and Design

The SPDS provides a concise display of critical plant safety parameters to the control room personnel to aid them in rapidly and reliably determining the safety status of the plant. The SPDS will continuously display real-time information in the control room during normal and abnormal plant conditions.

4.2 SPDS Installation and Safety System Interface

The installation of the CPSES SPDS does not compromise any safety system or involve an unreviewed safety question for the following reasons:

  • All SPDS displays located in the control room are mounted per seismic Category II specifications, such that they will not affect any safety system in the event of a design basis seismic disturbance.

  • The ERFCS supporting computers are located in a separate, seismic Category I, fire protected room adjacent to the control room, and will not affect any safety system in the event of a fire or design basis seismic disturbance.

  • The SPDS is electrically and electronically isolated from all CPSES safety-related devices and complies with Class IE isolation criteria.


4.3 SPDS Operation

The SPDS operational safety evaluation encompasses three major areas: functional requirements as specified by Federal Regulations and CPSES procurement specifications, input sensor verification, and control room operator influence.

4.3.1 SPDS Functional Requirements

The CPSES SPDS implementation was subjected to an extensive verification and validation (V&V) program which followed the guidance of NSAC-39.

The verification program provided an independent review to verify that:

  • All interfaces with existing safety-related and non-safety related equipment have been properly identified.
  • The proper design standards have been invoked.
  • The applicable design requirements have been properly implemented in the design, functional, and procurement specifications.

In addition, an extensive validation testing program was employed to ensure proper functioning of the total integrated SPDS data acquisition, manipulation, and display systems per the verified design specifications.

4.3.2 SPDS Input Sensor Verification

Each plant system sensor that provides input to the SPDS was simulated through the actual sensor field cables to ensure a one-to-one correspondence between the input sensor signal and the SPDS displayed value. This input/output verification process assured accurate, non-ambiguous sensor input recognition by the SPDS, and determined that no input data were "lost" or "shuffled".

Currently, the SPDS is undergoing preoperational testing. Preoperational testing will validate the SPDS inputs from sensor to display.


4.3.3 SPDS Control Room Operator Influence

The SPDS does not degrade the control room operators' performance or ability to respond to plant operational requirements for either normal or accident conditions. In addition to the human factors design considerations discussed in Section 2.3, the operators are trained in the use of the SPDS.

Control room operators are trained in procedures which describe the timely and correct safety status assessment when the SPDS is and is not available. Operating procedures are written to preclude the operator from taking actions based solely on SPDS display information. The operating procedures require that all operator actions affecting the safety of the plant be based on information which has been confirmed using the existing control room indicators. Therefore, no transient or accident analyzed in the FSAR is affected by either the operation or the failure of the SPDS, nor is the potential increased for a malfunction or accident of a different type than those previously described in the FSAR.

5.0 SUMMARY AND CONCLUSIONS

This Safety Analysis Report was prepared in response to Section 4 of Supplement 1 to NUREG-0737 (Reference 1). This SAR describes the methodology and basis on which the plant parameters selected for monitoring of the CPSES SPDS have been determined to be sufficient to assess the overall safety status of the plant in terms of the critical safety functions implemented in the CPSES Emergency Response Guidelines. The CPSES SPDS parameter set was evaluated against the CPSES FSAR and Technical Specifications, the SAS simulator-tested parameter set, the NSAC-recommended parameter set, and the AIF-recommended set for sufficiency in terms of the type and number of parameters monitored to assess each safety function, and the range of plant conditions covered by the parameters. The final parameter set covers all Function Restoration Guidelines (FRG) entry conditions associated with critical safety function assessment, and includes all variables recommended by the SAS group for the SPDS. On the basis of this review and evaluation process, the CPSES parameters are sufficient to assess plant safety status over a wide range of conditions, including the symptoms of severe accidents and all modes of reactor operation.

The function, design, installation, and operation of the CPSES SPDS were also analyzed in accordance with the provisions of 10CFR50.59. It was concluded that no unreviewed safety questions are involved with the SPDS implementation at CPSES.

6.0 REFERENCES

1. NRC Letter, Supplement 1 to NUREG-0737 "Requirements for Emergency Response Capability" (Generic Letter no. 82-33, December 17, 1982).

2. "Functional Design Specification for SAS Software (Proprietary)", prepared by Quadrex Corporation for the Ad Hoc Committee on Instrumentation Systems, Safety Assessment System Project, Revision 2, May 1982.

3. "Safety Assessment System User Implementation Guide", QUAD-7-82-010 Revision 0, prepared by Quadrex Corporation for the Ad Hoc Group of the Westinghouse Owners Group (WOG) Subcommittee on Instrumentation, May 1982.

4. Comanche Peak Steam Electric Station Final Safety Analysis Report (FSAR).

5. "Safety Assessment System Evaluation Program Report", prepared by Quadrex Corporation and Inpsych for the Ad Hoc Committee on Instrumentation Systems, Safety Assessment System Project, May 20, 1982.

6. A.R. Buhl, et al., "Nuclear Plant Safety Parameter Evaluation by Event Tree Analysis", NSAC-8, October 1980.

7. Letter from David G. Cain, NSAC, to AIF subcommittee on Safety Parameter Integration, Parameter Selection Work Group, subject: SPDS Minimum Parameter Set, July 3, 1980.

8. IEEE Standard 730-1984, "IEEE Standard for Software Quality Assurance Plan," Institute of Electrical and Electronic Engineers, New York, 1984.


APPENDIX 1

SPDS CRITICAL SAFETY FUNCTIONS AND ASSOCIATED MONITORED PARAMETERS

CRITICAL SAFETY FUNCTION    MONITORED PARAMETER

Subcriticality              Power Range Power
                            Intermediate Range Power
                            Intermediate Range Start-up Rate
                            Source Range High Voltage
                            Source Range Start-up Rate
                            Neutron Flux Wide Range
                            Neutron Flux Source Range

Core Cooling                Core Exit Temperature
                            RCS Margin to Saturation
                            RCP Breaker Status
                            RVLIS Indication - Bottom level

Heat Sink                   Steam Generator Levels
                            Steam Generator Pressures
                            Auxiliary Feedwater Flows

Integrity                   RCS Cold Leg Temperature
                            RCS Hot Leg Temperature
                            RCS Pressurizer Pressure
                            RCS Pressure

Containment                 Containment Pressure
                            Containment Water Level
                            Containment Radiation

Inventory                   Pressurizer Level
                            Reactor Vessel Level


APPENDIX 2

SPDS PARAMETER RANGES

DISPLAYED PARAMETER                 DISPLAYED RANGE

SOURCE RANGE POWER                  1 - 10^6 CPS
INTERMEDIATE RANGE POWER            10^-11 - 10^-3 AMPS
POWER RANGE POWER                   0 - 120%
CORE EXIT TEMP                      0 - 2300°F
MARGIN TO SATURATION                -300 - 300°F
STEAM GENERATOR LEVEL (NR)          0 - 100%
MAIN STEAM LINE PRESSURE            0 - 1300 PSIG
REACTOR COOLANT SYSTEM PRESSURE     0 - 3000 PSIG
PRESSURIZER LEVEL                   0 - 100%
COLD LEG TEMPERATURE                0 - 700°F
CONTAINMENT PRESSURE (NR)           60 PSIG
CONTAINMENT TEMPERATURE             0 - 360°F
CONTAINMENT WATER LEVEL             808' - 817.5' (EL.)
CONTAINMENT HUMIDITY                0 - 100%
CONTAINMENT RADIATION               10^0 - 10^8 R/HR
REACTOR VESSEL LEVEL                (SEE NOTE 1)
SR NEUTRON FLUX A&B                 10 105 CPS
WR NEUTRON FLUX A&B                 10^-8 - 200%

Note 1 - Spatially distributed sensors indicate coolant or no coolant. See Figure 10.


APPENDIX 3

SPDS TREND GRAPH PARAMETER GROUPINGS

TREND GRAPH NAME        DISPLAYED PARAMETERS

RCS SUBCOOLING          RCS PRESSURE
                        AUCT. HIGH CORE EXIT TEMPERATURE
                        PRESSURIZER LEVEL

RCS PRESS/TEMP          AUCT. HIGH TAVE PLOTTED VS. RCS PRESSURE
                        (PAIRS PLOTTED IN NON-SCROLLING BACKGROUND).

RCS TEMP, LOOP 1&2      LOOP 1 HOT LEG TEMPERATURE
                        LOOP 1 COLD LEG TEMPERATURE
                        LOOP 2 HOT LEG TEMPERATURE
                        LOOP 2 COLD LEG TEMPERATURE

RCS TEMP, LOOP 3&4      LOOP 3 HOT LEG TEMPERATURE
                        LOOP 3 COLD LEG TEMPERATURE
                        LOOP 4 HOT LEG TEMPERATURE
                        LOOP 4 COLD LEG TEMPERATURE

MSL PRESS               LOOP 1 MAIN STEAM LINE PRESSURE
                        LOOP 2 MAIN STEAM LINE PRESSURE
                        LOOP 3 MAIN STEAM LINE PRESSURE
                        LOOP 4 MAIN STEAM LINE PRESSURE

SG NR LVL               LOOP 1 SG NR LEVEL
                        LOOP 2 SG NR LEVEL
                        LOOP 3 SG NR LEVEL
                        LOOP 4 SG NR LEVEL

SG WR LVL               LOOP 1 SG WR LEVEL
                        LOOP 2 SG WR LEVEL
                        LOOP 3 SG WR LEVEL
                        LOOP 4 SG WR LEVEL

STM FLOW                LOOP 1 STEAM FLOW
                        LOOP 2 STEAM FLOW
                        LOOP 3 STEAM FLOW
                        LOOP 4 STEAM FLOW

FW FLOW                 LOOP 1 FEEDWATER FLOW
                        LOOP 2 FEEDWATER FLOW
                        LOOP 3 FEEDWATER FLOW
                        LOOP 4 FEEDWATER FLOW


APPENDIX 3 (cont.)

SPDS TREND GRAPH PARAMETER GROUPINGS

TREND GRAPH NAME        DISPLAYED PARAMETERS

AFW FLOW                LOOP 1 AUXILIARY FEEDWATER FLOW
                        LOOP 2 AUXILIARY FEEDWATER FLOW
                        LOOP 3 AUXILIARY FEEDWATER FLOW
                        LOOP 4 AUXILIARY FEEDWATER FLOW

CNTMT LPR               CONTAINMENT WATER LEVEL
                        CONTAINMENT PRESSURE
                        CONTAINMENT RADIATION

CNTMT HHT               CONTAINMENT HYDROGEN
                        CONTAINMENT RELATIVE HUMIDITY
                        CONTAINMENT TEMPERATURE

RAD MON                 STACK RADIATION
                        CONDENSER OFFGAS RADIATION
                        SG BLOWDOWN RADIATION
                        HIGHEST MAIN STEAM LINE RADIATION

NIS                     SOURCE RANGE POWER
                        INTERMEDIATE RANGE POWER
                        POWER RANGE POWER

TANK LVL                CONTAINMENT WATER LEVEL
                        REFUELING WATER STORAGE TANK LEVEL
                        CONDENSATE STORAGE TANK LEVEL
