Text

ADDITIONAL INFORMATION CONCERNING THE SAFETY PARAMHER DISPLAY SYSTEM.fiu~'*-~t l.f 'f;;c;,.-:z.ge?, " .

• .,,;. __ , -.1.Lr-.u,;/;;::.c c:- -~<I r, .... ,..... 07 "

..'./. *i I / 'f 1~f n:-cr1m&i'lt:

u *.:.-. . . I 2. 6.. ~*** _.; .... *; E 1'"

- NOTICE -

THE ATTACHED FILES ARE OFFICIAL RECORDS OF THE DIVISION OF DOCUMENT CONTROL. THEY HAVE BEEN CHARGED TO YOU FOR A LIMITED TIME PERIOD AND MUST BE RETURNED TO THE RECORDS FACILITY BRANCH 016. PLEASE DO NOT SEND DOCUMENTS CHARGED OUT THROUGH THE MAIL. REMOVAL OF ANY PAGE{S) FROM DOCUMENT FOR REPRODUCTION MUST BE REFERRED TO FILE PERSONNEL.

. DEADLINE RETURN DATE.

RECORDS FACILITY BRANCH

I. ISOLATION DEVICES Question:

a. For each type of device used to accomplish electrical isolation, describe the specific testing performed to demon,trate that the device is acceptable for its application(s). This description should include elementary diagrams when necessary to indicate the test configuration and how the maximum credible faults were applied to the devices.

Response

a. The data acquisition system installed by Vepco provides isolation by the multiplex unit, which is qualified Category lE, and additional isolation by the fiber optic link from the multiplexer to downstream devices. The testing performed to demonstrate the acceptability of this equipment is included as Attachment 1, 11 Nuclear Environmental Qualification of the Remote Multiplex Unit Models MC 170 AD-Q2 and MC 370 AD-Q2 and Associated PC Boards and Plug-In Modules 11 , Report QTR 82-002 Revision B dated October, ,

1982, and Attachment 2, 11 Qualificatibn Test Report, Surge Withstand Capability Tests, MC 170AD-Q2 Remote Multiplexer/Module Cases 11

• Question:

• b. Data to verify that the maximum credible faults applied during the test were the maximum voltage/current to which the device could be exposed, and define how the maximum voltage/current was determined.

Response

b. The maximum credible voltage for North Anna or Surry Station on instrument and control circuits were as follows:

125 Volt DC Circuits The maximum voltage that can be impressed on these circuits is 140 volts DC for about 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This occurs when the station batteries are being equalized. Due to the high input impedance of the card, maximum fault current is negligible.

120 Volt AC Circuits

. This includes Motor Control Center (MCC) Control Circuits. The maximum voltage on these circuits is 137 volts.

Multiple fortuitous failures of an MCC control transformer including breakdown of internal barriers could result in the primary voltage of

• 73-BSD-2002N-2

480 volts being impressed on the* secondary side of the transformer but

• • this is not considered credtble. Due to the high input impedance of the card, maximum fault current is negligible.

Instrument Loops The maximum credible voltage that can be impressed on instrument loops is 120 volts AC. This can only exist if the loop power supply has an internal failure which shorts the primary voltage (120 V AC) to the low voltage (48 V AC) output used for instrument*current loops. Due to the high input impedance of the card, maximum fault current is negligible.

For all of the above circuits including RTD's, thermocouples, and contact inputs a spurious noise signal may be impressed. This noise signal is characterized by IEEE-472 Surge Capability Test. The "Environmental Qualification Report" and "Surge Withstand Capability Report" includes detailed information.

Question:

c. Data to verify that the maximum credible fault was applied to the output of the device in the transverse mode (between signal and return) and other faults were considered (i.e., open and short circuits) .

Response

c. The output of the multiplex unit is a fiber optic cable link.

The cable acts as a second isolation device and is not affected by the described faults.

Question:

d. Define the pass/fail acceptance criteria for each type of device.

Response

d. The Acceptance Test Reports which are included in the Environmental Qualification Report, Attachment 1, define the pass/fail acceptance criteria for each type of device.

Question:

e. Provide a commitment that the i..solation devices comply with the environmental qualifications (10 CFR 50.49) and with the seismic qualifications which were the basis for plant licensing.

73-BSD-2002N-3 .

Response

• e. The isolation devices are environmentally and seismically qualified and meet the basis for plant licensing. The information regarding this qualification is included in the Environmental Test Report, QTR-82-002, Revision B, dated October, 1982, provided as Attachment 1. All equipment is presently located in mild environment.

Question:

f. Provide a description of the measures taken to protect the safety systems from electrical interference (i.e, Electrostatic Coupling, EMI, Common Mode and Crosstalk) that may be generated by the SPDS.

Response

f. There are three basic measures which have been taken to protect the safety systems from electrical interference which may be generated by the SPDS.

1. All inputs of the isolation cards (multiplexer input cards) have single direction buffer/amplifiers between the input and multiplexer stage.

2. The current input cards have low impedance (approximately 250 ohms) shunt across the inputs to a very high ( 2 megaohm) impedance device.

3. All voltage input circuits have very high impedance ( 2 megaohm) compared with the external load to which they are connected.

These three measures will attenuate any noise generated by the SPDS to either zero or an extremely low level that will have no effect on the external safety systems.

II. HUMAN FACTORS PROGRAM Question:

Provide a description of the display system, its human factored design, and the methods used and results from a human factors program to ensure that the displayed information can be readily perceived and comprehended so as not to mislead the operator.

Response

'The Vepco Emergency Response Facilities (ERF) computer system SPDS is based on the AYDIN Controls model 5215 A color graphic display generator. The Interface Peripherals consist of AYDIN 13 inch color CRT's (model 8810), 19 inch color CRT's (model 8830), 25 inch color CRT's (model 8070), Keyboards (model 5115A) and Keypads manufactured 73-BSD-2002N-4

by Computer Technology Corp. (model IPS-2000). All CRT's except 25*

inch CRT 1 s are equipped with touch screens *

• The display builder/driver software is the OPTICS package developed by Modular Data Systems, Inc. This package supports the development of real time graphic displays using character graphics on the 48 x 80 character display screen and pixel level graphics using the dot addressable capabilities of the AYDIN 5215A display generator.

Additionally, the package supports special features such as user definable bar charts and X-Y plots as well as alarm presentation in graphic and tabular format.

Human factors considerations have been addressed by a contract with Advanced Resource Development Corp. (ARDC). Their recommendations have been utilized in two areas:

1. Hardware A. An ARDC study of ERF information needs was used to determine the type and location of color CRT 1 s and Keyboards in the EOF 1 s, TSC 1 s and control rooms.

B. Touch screens were ' added to all CRT s except 25 inch CRT s 1 1 to maximize the ease of operator interface.

C. Pixel level graphics support was added to the AYDIN display generators and to the OPTICS software package to provide greater flexibility in graphic display development with higher resolution.

D. The standard AYDIN graphic character PROM sets were replaced with custom PROM sets in all display generators to provide a more versatile graphic character set.

2. Software A. ARDC developed a 11 Display Planning Guideli*ne 11 document for Vepco which has been used in development of all SPDS graphic displays. This is a comprehensive guideline which includes recommendations on display background presentation such as titl~, time/date location, line thickness, and display density. Recommendations are also provided on dynamic data presentation such as bar charts, numerical values and graphic symbols. Additionally, guidance is given regarding the use of color and blink for both background and dynamic data.

B. ARDC has provided individual graphic display comments at the various stages of display development. Specifically, comments were provided on the display sketches during the design phase and on the actual static color display backgrounds after implementation on Vepco 1 s software development system. The final display reviews will be performed by ARDC when Vepco completes development of the SPDS software and the dynamic portions of the displays are demonstratable in real time update mode.

73-BSD-2002N-5

C. ARDC provides additional input on an as needed ~asis to

• III.

resolve issues such as the preferred graphic symbol for a given piece of equipment.

DATA VALIDATION Question:

11 Describe the specific methods used to validate data displayed in the SPDS. Also describe how invalid data is defined to the operator 11 *

Response

Two levels of validity checking are performed on all inputs to the Vepco ERF computer system:

First, the scan software, which is responsible for reading contact and analog inputs, performs various status checks and maintains a table of current value ~nd status bits for each input. These status bits store information about each input such as its current alarm condition and its validity. The various validity bits maintained by the scan software are:

Contact Inputs

1. Old Data - This bit indicates that the current. value for the input in the data base was not updated on its scan period. This would be due to failure of the scan software to process the point on schedule or a failure of the multiplexer link on which the point resides.

2. Off Scan - This bit indicates that the value for the input in the data base is not being updated as a result of a request from an operator to stop scanning the input.

3. Out For Maintenance - This bit indicates that the value for the input in the data base is unreliable as a result of maintenance activities in some portion of the instrument loop.

Analog Inputs

1. Old Data - Same as contact inputs.

2. Off Scan - Same as contact.inputs.

3. Out For Maintenance - Same as contact inputs.

• 4. High Instrument Limit Violation - This bit indicates that the value received from the input channel is higher than the field transducer is capable of reading.

5. Low Instrument Limit Violation - Same as 4 above for low

• 73-BSD-2002N-6 readings.

The second level of validity checking is performed by the SPDS software itself .

• Any inputs to the ERF system which are not represented by redundant instruments are checked for the status discussed above (i.e., old data, etc.). If the input has these status bits set, any calculations which depend on this input will have their 11 BAD 11 stat.us bits set.

Inputs for which redundant indication is available are treated differently.

Analog inputs are first checked for the status discussed above (i.e.

old data, etc.)- Any inputs with these status bits set are excluded from the calculations. The remaining inputs are then checked for deviation from their average. If any of the inputs deviate significantly from the average, the inputs are passed to a data rejection algorithm to determine which, if any, of the inputs to eliminate. If an input is eliminated, the remaining inputs are again checked for deviation from their average and, Jf necessary, the data rejection algorithm will be utilized. This process is repeated until no further rejections are required or only 2 data points remain.

The remaining valid inputs are then used as the parameter value for subsequent calculations. Typical uses of these valid inputs are averages or high/low selection depending on the calculation being performed *

• Any inputs rejected by this process will have their 11 BAD 11 status bit set as well as being excluded from calculational use. Should none of the redundant indications pass the status bit test, the average of the values is used and any calculations based on this average will have their 11 BAD 11 bit set.

Redundant contact inputs are first checked for the status discussed above (i.e, old data, etc.). Any inputs with these bits set are excluded from the calculations. The remaining inputs are checked for status agreement (i.e., contact open or closed). If all inputs disagree, the conservative status is used and any calculations based on *this status will have their 11 SUSPECP status bit set.

Any inputs rejected by this process wi 11 have their 11 BAD 11 status set as well as being excluded from calculational use.

Presence of invalid data is defined to the operator in a consistent fashion throughout the system. All dynamic representations of process inputs and calculated values (i.e. bar charts, numeric values, graphic symbols, etc.) are automatically displayed in a unique color and blink

. combination based on the status bits discussed above. Additionally, numeric values have a unique 2 character code appended based on these status bits. For example, a 11 BAD 11 input would be represented

'numerically as a blinking magenta value with the characters 11 BD 11 appended while a bar chart representing a 11 BAD 11 input would be a blinking magenta bar. Other typical status indications are non-blinking magenta with 11 0S 11 appended for off scan inputs and non-blinking green with no appended characters for valid normal values.

73-BSD-2002N-7

The color, blink, and appended character associations with the various status bits have been implemented as recommended by Vepco's human

• factors consultant.

73-BSD-2002N-8

ATTACHMENT 1