SPDS Sar.

ML17298B932
Person / Time
Site:	Palo Verde
Issue date:	02/28/1985
From:	ARIZONA PUBLIC SERVICE CO. (FORMERLY ARIZONA NUCLEAR
To:
Shared Package
ML17298B931	List: ML17298B930 ML17298B932
References
RTR-NUREG-0737, RTR-NUREG-737 ANPP-32008, GL-82-33, NUDOCS 8503010419
Download: ML17298B932 (98)
v • d • e

Text

ANPP-32008 I

PALO VERDE NUCLEAR GENERATING STATION SAFETY PARAMETER DISPLAY SYSTEM SAFETY ANALYSIS REPORT PREPARED BY ARIZONA PUBLIC SERVICE COMPANY February, 1985 85030i0419 850227 PDR ADOCK 05000528 F PDR } g 00251/00021

1 I PREFACE The plant system performing the function of the Safety Parameter Display System (SPDS) at the Palo Verde Nuclear Generating Station (PVNGS) is inte-grated into the Emergency Response Facility Data Acquisition and Display System (ERFDADS). This system takes plant process information coming from plant instrumentation; organizes it, applies it to a hierarchy of displays and presents it to the operators via color monitor cathode ray tubes (CRTs) in the Technical Support Center (TSC) and Emergency Operations Facility Control Room, (EOF).

This Safety Analysis Report (SAR) provides the results of the PVNGS SPDS Review. This SPDS Review was performed to meet the guidance contained in NUREG-0696 and the requirements'of NUREG-0737 Supplement 1 of providing a SAR.

This SPDS SAR discusses the selection of the PVNGS SPDS parameters and the qualification program established to verify and validate (V&V) the PVNGS SPDS hardware and software, including the human factors review performed on the PVNGS SPDS.

W U P

l Ill I ) a 'I I

P 4

TABLE OF CONTENTS Pa e Number PREFACE TABLE OF CONTENTS

1.0 INTRODUCTION

1.1 Objective 1.2 Program Plan 2.0 PVNGS SPDS DESCRIPTION 2.1 System Function 4 2.2 Component Description 4 2.2.1 General 4 2.2.2 Data Acquisition System (DAS) 4 2.2.3 Technical Support Center Computer System (TSCCS) 4 2.2.4 Display CRT's and Keyboards 5 2.3 System Operation 5 2.3.1 General 5 2.3.2 Deviation Bar Graphs and Trend Plots 5 2.3.3 Safety Indication Blocks ll 2.3.4 SPDS Algorithms 12 2.3.4.1 Validation 13 2.3.4.2 Grouping of Parameters 13 2.3.4.3 Comparison With A Calculated Value 13 2.3.4.4 Bar Color Limits 13 2.3.4.5 Bar Weighting 13 3.0 BASIS FOR SPDS PARAMETER SELECTION 14 3.1 Background 14 3.2 Emergency Procedure Overview 14 3.3 Parameter Selection 16 4.0 SPDS DESIGN VALIDATION AND VERIFICATION (VGV)

QUALIFICATION PROGRAM 20 4.1 General 20 4.2 Methodology and Data Collection 20 4.2.1 Validation of the SPDS Design 20 4.2.2 Verification of the SPDS Design 21 5.0 SPDS HUMAN FACTORS REVIEW 22 5.1 General 22 5.2 Methodology and Data Collection 22

I e

~ 4I H

~ e

TABLE OF CONTENTS (Cont'd)

Pa e Number

6. 0 RESULTS 23 6.1 General 23 6.2 Phase I Review 23 6.3 Phase II Review 23 6.4 Observation Summary 23

7. 0 CONCLUSION 29

~P1 ures l-l Program Plan for SPDS Review 2 3-1 SPDS Top-Level SPD 7 3-2 SPD Structure 9 3-3 Third-Level SPD (Trend Plots)s 10 Tables 6-1 Phase I Category Criteria 24 6-2 Phase II Category Criteria 25 6-3 Phase I 6 II Observation Summary 26 6-4 Outstanding Safety Parameter Observations (SPO's) 28 A endices A Category I Observations/Responses A-1 B Category II Observations/Responses B-1 C-1 C Non-Category Observations

PROGRAM PLAN The PVNGS SPDS Review Program Plan included the following areas:

Verify the Selection of SPDS Parameters SPDS Design Validation and Verification Qualification Program SPDS Human Factors Review 1.1 Objective The objective of performing the SPDS Review was to: (1) verify the proper selection of SPDS parameters; (2) validate the SPDS design using the scenario method to identify and prioritize observations for system correction; (3) verify the SPDS design requirements and capabilities as defined in NUREG-0696, NUREG-0737 Supplement 1, and specific functional design specifications (purchase specification) to identify and correct non-conformance observations; and (4) per-form a Human Factors Review to evaluate the human factors features associated with the SPDS parameters and displays to identify and correct non-conformance observations.

1.2 Program Description The Program Plan indicated in Figure l-l was established for per-forming the SPDS Review. The specific tasks for completing the Phase I SPDS review were:

Parameter Selection

-List Existing Safety Function Groups (SFG's) and their associated parameters

-Review SFG Parameters

-Evaluate Data

-List Observations Validation of Design

-Selection of Scenarios

-Perform Scenario Analysis

-Conduct Scenarios

-Evaluate Collected Data

-List Observations J

Verification of Design

-Review Regulatory and Design Documentation

-Prepare Design Requirement/Capability Matrix

-Complete Design Requirement/Capability Matrix

-Evaluate Collected Data

-List Observations

m l d

Q 0

h gh I

a l, I

Il

~ PROGRAM PLAN FOR SPDS REVIEW TH~

PROGRAM PLAN VERIFICATION VALIDATION PARAMETER HUMAH OF OF SELECTION FACTORS DESIGN DESIGN REVIEW DOC. SELECT SCEHARIO LIST SPDS PREPARE PREPARE DESIGN PERFORM SCENARIO PARAMETERS CHECKLIST MATRIX ANALYSIS REVIEW SPOS COMPLETE DESIGN PERFORM HUMAN COHOUCT PARAMETERS MATRIX 'ACTOR REVIEW SCENARIOS EVALUATE DATA EVALUATE DATA EVALUATE DATA EVALUATE DATA LIST OBSERVATIONS LIST OBSERVATIONS LIST OBSERVATIONS LIST OBSERVATIONS OBSERVATION REVIEW COMMITTEE APS MAHAGEMENT

- REVIEW OBSERVATIONS REVIEW RECOMMENDATIONS AND PRIORITIZE IMPLEMENTATION SCHEDULES IMPLEMENT MODIFICATIONS VERIFICATIOH REVIEW OF MODIFICATIOiJS REPORT Figure 1-1 PREPARATION Program Plan for the SPDS Review I

Human Factors Review

-Prepare Human Factors Checklist

-Perform Human Factors Review

-'Evaluate Collected Data

-List Observations As a result of completing the Phase I,review to the Program Plan, a list of observations were noted. Many items in this list, identified differences between the SPDS design/capability requirements and actual

, installed SPDS; differences'etween SPDS display group parameter organization and the PVNGS Emergency Operating Procedures (EOP's); and consistency of display labeling with other control board displays. These Phase I differences were considered the original observations and were required by APS to the resolved before completion of the SPDS SAR.

Software modifications to the Safety Parameter Display (SPD) bar algorithms, SPD displays, trend plots and data base changes were per-formed to correct the Phase I review observations. Subsequently, a Phase II review consisting of an SPDS reevaluation correct was completed to determine if the modifications as implemented, did observations and to verify if the Phase I review any new observations had been introduced.

A few minor observations resulted from this Phase II review and are discussed in this report.

1 ll W

2.0 PVNGS SPDS DESCRIPTION 2.1 S stem Function The PVNGS emergency response facilities computer system is the Emer-gency Response Facilities Data Acquisition and Display System (ERFDADS). The plant specific system performing the function of the SPDS at PVNGS has been integrated into the emergency response facil-ities computer system. The PVNGS SPDS has been designed to function and meet the guidance as provided in NUREG-0696.

2.2 S stem Com onent Descri tion 2.2.1 General The SPDS is a computer-based display system consisting of the following major subsystems (1) data acquisition system (DAS) in each unit power block, (2) a Technical Support Center Computer System (TSCCS) and (3) display cathode ray tubes (CRT's) and key-boards.

2.2.2 Data Ac uisition S stem (DAS)

The DAS for each unit at 'PVNGS consists of a multiplexer which transmits data to the TSCCS for processing. The DAS functions include acquiring raw data,'converting data into appropriate units, and transmitting data to the TSCCS. Though the DAS transmits data to the TSCCS, the TSCCS controls all DAS activities. Each DAS configuration includes two computers receiving data from a multiplexer.

Safety-related plant inputs in channels A, B, C, and D are termi-nated at isolation circuits. These circuits provide the electrical isolation between the plant class IE systems and the DAS class non-1E multiplexer. Each channel has its own isolation panel physically separated per the requirements of Regulatory Guide 1.75. Each isolater module power supply is isolated from the non-1E supply by IEEE-384 design couplers. There are 64 analog and 96 digital isolation circuits contained in each panel. Each cir-cuit is provided on a single plug in printed circuit board. This configuration allows for boards to be serviced without disturbing the operation of others.

2.2.3 Technical Su ort Center Com uter S stem (TSCCS)

The Technical Support Center Computer System (TSCCS) is a digital computer system located in the Technical Support Center (TSC). It receives data from the DAS in each of the three PVNGS units and provides displays of plant parameters via the display CRT's.

t~

N i

4 1 I

II" r, 1

H I

h

The TSCCS is comprised of two computers and their associated peripheral equipment. Both systems have identical configura-tions. One processor controls system functions, and the other processor is the backup processor operating in standby to provide availability in excess of 99X. Shadow memory, automatic CRT switching gear, and interprocessor communica-tions provide for switchover if the active computer fails.

Shadow memory, a block of memory common to both processors, is simultaneously updated in the standby computer. The TSCCS controls system functions such as intersystem communication, data storage, data retrieval, and computation of parameters from plant data used for presentation.

2.2.4 Dis la CRT's and Ke boards CRT displays are the principal mechanism to present data to the control room operators and TSC/EOF operators during SPDS normal, abnormal and emergency operation. SPDS bar charts are displayed on these displays. Control Room operators have a graphic terminal in each of the unit's control room and support personnel have graphic terminals in the Emergency Operations Facility (EOF), in the Technical Support Center (TSC), and in the satellite TSC adjacent to each unit'8 control room.

2.3 S stem 0 eration 2.3.1 General The SPDS presents leading indicator parameter data to person-nel in the control room, and TSC/EOF during normal, abnormal and emergency conditions. This presentation is via a set of color monitor displays. To help personnel focus on detailed information the set of displays is organized into a hier-archy. The highest level in the display hierarchy is devia-tion bar charts, which are designated Safety Parameter Displays (SPDs). The SPDs indicate deviation from the normal key safety parameters so an operator can rapidly assess system deviations in conjunction with the emergency and recovery operations procedures.

2.3.2 Deviation Bar Gra hs and Trend Plots The SPDs consist of a three-level hierarchy of displays:

top-level, mid-level, and trend plots. The top-level and mid-level displays are deviation bars that indicate normal or degree of off~ormal conditions in the plant.

I k

'I

'I

The top level display, which is the primary leading indicator is oriented as a deviation bar from a normal safety value for each of the six (6) Safety Function Groups. The safety value is a calculated value based upon the specific operating mode of the plant. The direction and amount of deviation is based upon a weighting algorithm of the specific parameters in the specific Safety Function Group. If the parameter value deviates from the norm (calculated safe value), flashing alarms on the CRT's are provided for the specific alarmed group on all displays. The operator has the capability to acknowledge and clear the display's alarm via function keys on the CRT.

Figure 3-1 illustrates the Top-Level SPD. As the figure shows, six sets of mid-level displays compose the top-level SPD. These displays (reactivity control, pressure and inven-tory controls, heat removal, containment inventory, indirect radiation release, and maintenance of vital auxiliaries) are driven by a group of parameters associated with the identi-fied safety function groups and calculated by individual SPD algorithms.

The color coding for each portion of the Top Level display will provide an indication of condition by the following colors:

kl RED Exceed Unsafe Value I

YELLOW In Alarm, But Iess Than Unsafe GREEN Value Okay BLUE Invalid data II Specifically, the parameter group bars in the mid-level displays will be coded to the above colors.

The SPDS mid-level displays, each consisting of parameter deviation bars, provides an indication of deviation from the norm (safe value) for each of the inputted parameters in the specific group. Each display, similar to figure 3-1 provides deviation bars of the leading analog and digital parameters of that identified Safety Function Group. Each bar is driven from single and multiple signals derived from direct measure-ment. These 'ignals are validated where practicable by direct comparison. Subsequently, t'e signal is associated with other parameters within an algorithm to provide a deviation from a safe value for the specific operating mode of the plant.

The mid-level displays are selected by either specific function key or "page down" and "page across" function keys on the primary display. Alarming of the specific parameter is provided in addition to a group level display.

k, 1

I t

P' Ui

PAGE 11 TOP LEVEL

1. REACTIVITY CONTROL RTV I

2. HEAT REMOVAL HRV Rg I

3. PRESSURE 8 INVENTORY CONTROL PIC shl I

4. INDIRECT RADIATION RELEASE IRR RLI I

5. CONTAINMENT CONTROL -CIN

6. MAINTENANCE OF VITAL AUXILIARIES VAX UNIT 1 MODE 1

~

~

MSIS CREFAS 8

~

CIAS RXTRIP 0

~

FBEVAS SIAS 6

6 CRVIASggglAggglB AFAS-Igg2Agg2B W .

~ l~~ WIERM IIKRW ~ ID~K SRTVO EIHRVB BPIC 9 BIRR 8 RCINU GVAXB K KZ~ IK~R IKRERQ RZRRl GiZKB ll AFAS-2 8 RAS 8 CPIAS 8 CSAS 07 FEB 83 08: 03 29 FIGURE 3-1 TOP LEVEL SPD

E 1

Trend plots are the product of time-history data from the memory-resident 30-minute file of key physical parameters associated with the deviation bars. Figure 3-2 shows how each level and each display is linked together. When a mid-level deviation bar display is shown, an identification number of the bar in the display corresponds to the number of third-level (time-history) trend plots that are available.

As an added convenience, the operator may select a specific trend plot using the number for the Nth bar of the mid-level display and then pressing the SUBLEVEL function key.

As the trend plot format in Figure 3-3 shows, time increments between points are always 30 seconds, yielding a resolution of 60 points. Thus, the third-level trend plots show the 60 points of most recent data, automatically scaled in the vertical axis and annotated. In addition to time increments, other information shown on this display are "value", which gives the current value of the parameter, validation indication, and trend plot "current time".

v~ 4 I \

t lb

TOP LEVEL SPD X1 X2 X3 X4 XS X7 REACTIVITY HEAT PRESSURE A INDIRECT CONTAINMENT MAINTENANCE OF COHTROL REMOVAL INVENTORY RADIATION INTEGRITY VITAL AUXILIARIES SPD SPD CONTROL RELEASE SPO SPD SPO SPD SUB-LEVEL SUB-LEVEL REACTIVITY HEAT PRESSURE 8 INDIRECT CONTAINMENT MAINTENANCE OF COHTROL REMOVAL INVENTORY RADIATION INTEGRITY VITAL AUXILIARIES TREND PLOTS (4) TREND PLOTS (11) CONTROL RELEASE TREND PLOTS (7) TREND PLOTS (10)

TREND PLOTS (7) TREND PLOTS (8)

WHERE X= UNIT NUMBER FIGURE 3-2 SPD STRUCTURE

li I'

PAGE 402 LOG POWER CP 1067 I I I I I I I I I I I I 3H VALUE I I 02 I I PR CNT 2II I I

I I I I I I I I P

I

/////I///////////I///////////I/I/I//////////////////I////////// I C

5 10 15 20 25 30 - 35 40 45 50 55 60 GENERATION p 5 10 15 20 25 30 CURRENT ( TIME MINUTES )

TIME Q MSIS 8 CREFAS 8

8 CIAS RXTRIP

~

6 FBEVAS SIAS Q CRVIASggglAIIIIB 9 AFAS-IQI2A@g2B

~ ~ ~M ~~I ~ ~

UNIT 1 ERR~

SRTVlI QHRVQ ClPIC ml EM~ B53KRH RIIRR 8 MODE SCIN 1

5 IXV~ IKIRKR KXR&

IIVAXEI 5 AFAS-2 li RAS El CPIAS 9 CSAS 07 FEB 83 08: 15 13 FIGURE 3 3 THIRD LEVEL SPD ITREbtD PLDTSi

1 ~

~

e g

'i P

A E

2.3.3 Safet 'ndicator Blocks A number of safety indicator blocks appear in the lower portion of every SPD, trend plots, and other displays.

Figure 3-1 shows the three types of blocks, which are:

(1) six system safety indicators (2) twelve actuation signal indicators (3) four Reactor Cooling (RC) Pump status indicators.

The six system safety indicators always appear on the lower right of the display and always correspond to the six bars of the Top-Level SPD. The color of safety indicators conveys the information. The safety indicators will always show as green, yellow, or red, which reflects the alarm status (and color) of the corresponding top-level bar. A blinking safety indicator block indicates an unacknowledged alarm. Thus, system safety indicators allow constant observation of the top-level status, even when other displays are showing. The six safety indicator signals are identified below:

Label ~S1 al RTV Reactivity Control HRV Heat Removal PIC Pressure & Inventory Control IRR Indirect Radiation Release CIN Containment Integrity VAX Maintenance of Vital Auxiliaries The actuation signal indicators are 12 colored boxes on the lower left of the screen. They are labeled indicators which show actuation signal status in blue or yellow: a blue banner indicates an inactive signal, and a yellow banner indicates an actuated signal. The 12 signals are identified below:

Label ~S1 al MSIS Main Steam Isolation Signal CIAS Containment Isolation Actuation Signal FBEVAS Fuel Building Essential Ventilation Actuation Signal CRVIAS Control Room Vent Isolation Actuation Signal

I Label ~SS nal CREFAS Control Room Essential Filtration Actuation Signal RX TRIP Reactor Trip SIAS Safety Injection Actuation Signal t

AFAS-1 Auxiliary Feedwater Actuation Signal Train 1 Auxiliary Feedwater Actuation Signal Train 2 RAS Recirculation Actuation System CPIAS Containment Purge Isolation Actuation Signal CSAS Containment Spray Actuation Signal The RC pump status indicators are four (4) colored pump symbols to the right of the actuation signal indicators.

They are labeled indicators which show status in green or red: a green indicates an non-operating pump and a red indicates an operating pump. The four signals are identified below:

Label ~Si nal Reactor Cooling Pump lA 1B Reactor Cooling Pump 1B 2A Reactor Cooling Pump 2A 2B Reactor Cooling Pump 2B 2.3.4 SPDS Al orithms The most important part of the SPD mid-level diplays is the methodology in which a group of plant data values are associated within an algorithm to provide' meaningful bar length'nd color to define a deviation length from a safe operating value. The SPDS algorithms generally consist of the following sections:

A K

~I

' / 8 g

2.3.4.1 Validation The validation portion of the algorithm compares each incoming signal with a like signal of similar range and measurement of the same plant parameter.

If the signals deviate from the compared signal by a given amount, the parameter measurement is declared invalid and the entire bar is shaded blue to identify to the viewer signal inv'alidity. This color is then vertically integrated to the Top Level SPD bar from that safety function group.

2.3.4.2 Grou in of Parameters The properly validated signals are then grouped (i.e., averaged, highest selection, lowest selec-tion) to become a "representative value" of the measured parameter.

2.3.4.3 Com arison With a Calculated Value The representative values are then compared with a calculated safe value based upon operating mode, measured plant parameter, or constant value. The resultant is then scaled, (i.e. normalized), to provide a bar-length value to identify disparity from the calculated "safe" value.

2.3.4.4 Bar Color Limits The alarm color limits are then calculated in relation to the identified and operator-selected plant operation mode and alarm limits associated with the identified mode.

This bar value is then weighted to prioritize the individual mid-level parameter within the overall Safety Function Group for vertical integration to the Top Level SPD display. This weighting provides a method of grouping consistant with apportionment of critical and information-only values.

1 Q

E

3.0 BASIS FOR SPDS PARAMETER SELECTION The purpose of the PVNGS SPDS is to provide a concise display of critical plant variables to the control room operators to aid them in rapidly evaluating the safety status of the plant. The PVNGS SPDS will be operated during normal operations as well as during abnormal and emergency conditions. The principal purpose and func-tion of the PVNGS SPDS is to aid the control room personnel during abnormal and emergency conditions for determining the safety status of the plant and addressing whether abnormal conditions warrant corrective actions to avoid a degraded core. Therefore, an under-standing of how the PVNGS Emergency and Recovery Procedures are developed is necessary for a complete understanding of how the selected PVNGS SPDS parameters will aid the control room operator in monitoring the overall plant status during abnormal and emer-gency conditions while 'he operators uses the plant emergency procedures.

3.2 Emer enc 0 erations Procedure (EOP) Overview The PVNGS EOP is a single procedure which is applicable to any plant condition which challenges the plant protection system. The EOP is functionally oriented to allow operators to begin procedural actions before the event is identified. The EOP directs the action of the entire Control Room staff with instructions for each The EOP provides (1) 'instructions to maintain plant safety member.

through the use of Safety Functions (SF), (2) allows the event to be identified using, a diagnostic method, and (3) directs the operators to specific 'instructions to recover the plant to a stable condition. Instructions are also provided in the EOP for an event which cannot be identified through the use of a functional recovery procedure.

I The PVNGS EOP will direct the operators to the correct Recovery Operations (RO) or Abnormal Operations (AO) procedures to be used once the event has been identified. Both the RO and AO procedures are applicable to only a specific event, and contain a second check through the use of the SFs to insure the correct procedure has been selected for existing plant conditions, and that a more extensive problem than expected does not exist. The RO procedures divide responsibilities among the operators, as the EOP does. Both the RO and AO procedures provide the instructions necessary to shutdown the plant, to a stable condition, with the existing abnormal condi-tions.

I

(

The PVNGS EOP uses a three step progression to recover the plant to a stable condition:

Step 1. Maintenance of Safety Functions (SF).

Step 2. Diagnostics to identify the necessary recovery actions.

Step 3. Performance of recovery actions.

Steps 1 and 2 are performed concurrently to maintain plant safety while the recovery actions are identified. The diagnostic flow-chart will identify the recovery actions or, if the event will be used.

cannot be identified, a functional recovery procedure The SF's are areas of reactor control which are vital in preventing both core damage and the release of radioactive material into the environment. Maintaining these SF's within appropriate limits will mitigate the consequences of an accident and provide for an orderly shutdown of the plant should an accident occur.

At PVNGS the SF's have been categorized into the following six areas:

Reactivity Control (RTV))

Heat Removal (HRV)

RCS Inventory and Pressure Control (PIC)

Indirect Radioactive Release Control (IRR)

Containment Integrity (CIN)

Maintenance of Vital Auxiliaries (VAX)

The following discussion details the SF's and how they are main-tained through implementation of the PVNGS EOP.

Reactivit Control The first SF is reactivity control. This is essential because the reactor is the major source of heat. Upon entering the Emergency Operations Procedure, the first action of the secondary operator is to trip the reactor then verify all CEA's, necessary to insure inadequate shutdown margin, are fully inserted, or if reactor power is not decreasing, he informs the Control Room Supervisor (CRS) and Primary Operator to emergency borate and then manually inserts the CEA's.

Heat Removal This category covers both core heat removal and RCS heat removal. For core heat removal, the operator will maintain either forced or natural circulation flow thru the core. This along with maintenance of RCS inventory and pressure control allows the core to be cooled. RCS heat removal is accomplished by using the steam generators with the condenser or atmospheric dump system or by using the shutdown cooling system if temperature and pressure limits are met.

( I I

k v s,Ii ) Q,< [

The Secondary Operator uses whatever combination of these, plant conditions permit, to maintain RCS heat removal. By maintaining RCS heat removal and RCS inventory and pressure, the operators have provided for core heat removal.

RCS Inventor and Pressure Control By maintaining RCS Pressure and Inventory Control the operator; ensures adequate subcooling of the RCS, prevents the formation of voids in the reactor core, main-tains the ability to transfer heat from the core and ensures that reactor vessel pressure limitations are not exceeded.

Indirect Radioactivit Release This safety function is verified to ensure radioactive material is not present outside containment to eliminate risk to the safety of the public. By monitoring Radiation levels w1thin the plant and at the plant vent, the oper-ator can determine if a release is imminent and take appropriate measures to minimize any radioactive release.

Containment Inte rit Containment Integr1ty means maintaining the containment isolated with 1nternal conditions which do not threaten the ability to prevent a releas'e of radioactivity. To maintain Containment Integrity, the CSF ensures Containment pressure/temp-erature control, Conta1nment Hydrogen control and Containment Isolation.

The Secondary Operator determines the need for containment 1solation and containment spray us1ng containment pressure and RCS pressure.' If necessary',':the, Primary Operator verifies these actions using the Safety Equipment Status System and containment spray flows. The Secondary Operator manually initiates containment isolation on a containment high radiat1on alarm. The containment combustible gas controls 'are operated in the recovery procedures.

Maintenance of, Vital Auxiliaries The Vital Auxiliaries safety function ensures that equipment necessary to support the other Safety Functions is operating and responding properly. The Primary Operator verifies Vital Aux1liaries are maintained. This operator informs the CRS and takes act1ons to restore any equipment which is not in the required condition.

3.3 Parameter Selection Since the above Safety Function (SF) Groups define a condition or action that prevents core damage or minimize radiation release to the general public, the PVNGS SPDS parameter selection was based on displaying information about these SF Groups. The current intent of the PVNGS SPDS parameter was to select the above safety function groups with their leading associated parameters that would be most useful to the control room operator when the operator uses the plant specific emergency operating procedures during an abnormal or emergency condition.

TP I t 7 li 1l

'I

At the time of the original parameter selection, the PVNGS EOP and Recovery Procedures were not complete. Therefore, the selection of parameters was preceded in good faith in selecting those safety function groups that were defined as "leading" groups in NUREG-0696 "Functional Criteria for SPDS". As a result of this selection, the following SF Groups were selected:

Reactivity Control Core Cooling and Heat Removal Secondary Heat Removal RCS Integrity Radioactivity Control ContainmentIntegrity Since the ERFDADS contains two ma)or functions, SPDS and display of R.G. 1.97 parameters in the Control Room, EOF and TSC, the original parameters selected were to be associated with each of the safety function groups and based on Regulatory Guide 1.97, "Instrumenta-tion of Light-Water Cooled Nuclear Power Plants to Access Plant &

Environs Conditions During and Following an Accident".

The SPDS parameter selection was completed in this manner in order not to impact the design evolution of the SPDS. It should be noted that the only guidance available at this time was NUREG-0696 and R.G. 1.97.

At approximately this time, the PVNGS Operations Department was initiating an, effort to develop an outline for the PVNGS Emergency Procedures; As' result of this effort, the PVNGS Operations Department developed the plant specific EOP and Functional Recovery Procedures. These procedures are based on the safety function criteria described.

The validation of the SPDS was performed using experienced plant operators trained on 'the current PVNGS, Emergency Operating Pro-cedures.

During this Phase I validation of the'PDS parameters, it was observed that the Safety Function Groups as selected from NUREG-0696 were not totally adequate to support the plant operator who has been trained on the plant specific EOP (e.g., safety function groups required re-arrangement and re~aming to be plant specific).

The results of this observation are that the current Safety Function Groups have been renamed and organized per the operator comments in the following manner to match the PVNGS EOP safety function groups.

Reactivity Control Pressure & Inventory Controls Heat Removal Containment Inventory Indirect Radiation Releases Maintenance of Vital Auxiliaries A

<1

)~ (

A

,k l,,W,li" 4 t

J t

The final parameter selection is based on selecting EOP parameters that, are associated with the above safety functions group as described in the PVNGS EOP. These parameters were directly designated from the PVNGS EOP. While many other parameters are also identified in the PVNGS EOP, the ones'xclusively selected for display on the PVNGS SPDS were identified by APS Engineering and concurred by APS Operations as being the leading EOP parameters associated with .each SF groups. Therefore, these parameters were identified to be the most useful',to the control room operator when assessing the safety status of the plant. This was verified during the SPDS Phase II validation program.

The use of the SPDS within maintenance of the above identified Safety Function Groups is to provide the control room operators with a quick visual indicator of deviations from safe values within that Safety Function Group. This indication will provide a visual warning of deviations in lieu of an actual value which the operator must mentally compare to plant setpoints. If the operator desires an actual value indication, lower level displays of the ERFDADS, control room indications, or Plant Monitoring System values may be obtained. PVNGS has selected .a total of 45 Safety Parameters to be displayed on the SPDS. These parameters and their SF grouping are indicated below.

REACTIVITY CONTROL (RTV)

CEA Position Log Power Linear Power HPSI Flow to RCS LPSI Flow to RCS HEAT REMOVAL (HRV)

Sub-Cooled Margin CET-T Hot T hot T cold (Loop 1)

T hot (Loop 1)

T hot T cold (Loop 2)

T hot (Loop 2)

Outlet Plenum Level SG-1 Level SG-2 Level Steam Flow Feed Flow 1 Steam Flow Feed Flow 2 7

K i'(

h f

PRESSURE & INVENTORY CONTROL (PIC)

Sub-Cooled Margin Vessel Head Ievel RCS Pressure Pressurizer Pressure Pressurizer Level HPSI Flow to RCS IPSI Flow to RCS INDIRECT RADIATION RELEASE (IRR)

Plant Vent Stack Condenser Vacuum Exhaust Fuel Building Exhaust S/G 1 Blow Down Radiation S/G 2 Blow Down Radiation Essential Cooling Water Radiation Control Room Vent Radiation Nuclear Cooling Water Radiation CONTAINMENT INTEGRITY (CIN)

Containment Isolation Verification Containment Pressure Contaiment Spray Flow Containment Temperature Containment Ievel Containment Radiation High Refuel Pool Radiation H2 Concentration MAINTENANCE OF VITAL AUXILIARIES (VAX)

HPSI Flow to Loop 1 HPSI Flow to Loop 2 LPSI Flow A to Loop 1 LPSI Flow B to Loop 2 CS Flow A CS Flow B Aux. Feed Flow to SGl Aux. Feed Flow to SG2 Steam Flow Feed Flow 1 Steam Flow Feed Flow 2

~ 'I I

I I

t 'I

)

a

4.0 SPDS DESIGN VALIDATIONAND VERIFICATION (V&V)

UALIFICATION PROGRAM 4.1 General The methodology used to perform and collect data for the Valida-tion and Verification of the SPDS design is given below.

4.2 Hethodolo and Data Collection 4.2.1 Validation of SPDS Desi n The method used in validating the SPDS design was the simulator method". The "simulator method" is an actual SPDS that is programmed with transient data to simulate critical safety function violations on the SPDS displays. This method was determined by APS as being the most effective method for the validating the SPDS use because of its'ynamic represen-tation of the safety function groups and associated parameters during the simulated scenarios.

The simulator method consisted of completing the following activities:

'esignate observer/review team personnel;

'valuate plant and simulator systems available for simulation;

'elect scenarios to be simulated;

'evelop data collection techniques for selected scenarios;

'valuate plant-simulator characteristics;

'elect operating crews, and

'onduct crew familiarization.

The PVNGS validation of SPDS equipment, parameter selection and display organization is outlined below:

l. Use of an SPDS terminal in the Technical Support Center (TSC).

2. Simulated the following four scenarios:

TMI Small Break LOCA Back-Up Power Failure Large Steam Line Break Large Steam Generator Tube Rupture in Steam Gener-ator 82

3. The Observer/Review team consisting of members from both APS'ngineering and Operations, presented the simulated scenarios to three PVNGS licensed personnel knowledge-able in the plant specific Emergency Operating Procedures (EOP) for evaluation.

I t l

l (I

F

4. The simulated scenario evaluation consisted of written guides and documented oral interviews.

An in-depth debriefing between the Observer/Review team and operators participating in the scenario was conducted. The debriefing occurred immediately after the completion of the scenario in order to maximize the effectiveness of the debriefing. Responses from the operators debriefing were documented by the Observer/Review team.

4.2.2 Verification of SPDS Design The verification of the SPDS design was performed by con-structing the ERFDADS (SPDS) Design Requirements/Capability Matrix. This matrix consisted of the NUREG-0737 Supplement 1 requirements, the guidance capabilities as defined in NUREG-0696, and functional design specification (purchase specification) requirements. This matrix was constructed by the SPDS Audit Team. This team consisted of representatives from Engineering, Licensing and Operations.

The data on the matrix was then used by the SPDS Audit Team to assist them in verifying by comparison the existing PVNGS SPDS design and its installation against the matrix requirements/capabilities. The following criteria was used to complete the matrix:

t Design Documents (Drawings, Manuals) to verify system design Test Plans (Factory Acceptance Tests "FAT", Operational Availability Demonstration "OAD", Site Demonstration Tests "SDT", Pre-Operational Test) and results to verify as-built system Visual Observation to verify as-built system The data collected by the SPDS Audit Team was recorded directly on to the ERFDADS (SPDS) Requirement/ Capability Matrix.

A k

0 I j

'S

5.0 SPDS HUMAN FACTORS REVIEW 5.1 General The PVNGS SPDS Human Factors Review as required by Supplement 1 of NUREG-0737 included the following areas:

Readability Equipment and Location in the Control Room Displays and Controls Alarms Labeling Anthropometrics 5.2 Methodolo and Data Collecion The guidelines and criteria presented in NUREG-0700, Section 6, NUREG-0835 (draft) and NUREG-0696 were reviewed for applicability to a Human Factors Review of the SPDS. An SPDS human factors criteria matrix was constructed to establish guideline categories relating criteria and guidelines which were not applicable to the SPDS configuration at PVNGS (e.g., the SPDS portion of ERFDADS does not include control board mounted CRT displays).

The criteria and guidelines were then assembled into a checklist, SPDS Human Factors Review Checklist.

The data was collected through the execution of the SPDS Human Factors Review Checklist by the Human Factors Consultant aided by an Instrumentation and Controls Engineer and a Computer Engineer from APS.

Although, the focus of the review was the control room CRT display console, some of the non"console-dependent items were reviewed in the TSC with subsequent verification in the control room as necessary.

The data was recorded directly on to SPDS Human Factors Review Checklist.

h~

1 4

h P

~ ~

6.0 RESULTS 6.1 General As shown on Figure 1-1, the PVNGS Program Plan included two review phases. Phase I consisted of the initial SPDS evaluation held during the time frame of October, 1983 through January 1984. Phase II consisted of a verification of the SPDS design improvement II recommended in Phase I. The Phase verification was conducted between December, 1984 and February, 1985.

6.2 Phase I Review The Phase I Review resulted in a list of observations from the parameter selection, human factors review, verification and valida-tion of design tasks. Within this list, many items identified variances with other control board displays, disparity of organiza-tion in the display groups as compared to the PVNGS Emergency Operating Procedures and discrepancies in labeling.

These observations were categorized into two (2) categories as shown in Table 6-1. Once categorized, the observations were presented to APS management for their concurrence and scheduling.

6.3 Phase II Review Upon completion of the modifications recommended from Phase I, the Phase II review was initiated. The Phase II Review consisted of verifying the SPDS improvements to ensure that new observations had not been introduced.

The observations listed in this Safety Analysis Report are those observations that evolved from the following sources: (1) Existing list of observations from Phase I and (2) verification of SPDS improvements. These observations were again categorized into two categories. The 'criteria for the two Phase II categories are listed in Table 6-2.

6.4 Observation Summar As a result of the overall Program Plan, Table 6-3 shows a summary of the Phase I and Phase II observations documented and their categorization.

I IP

) I

TABLE 6-1 PHASE I CATEGORY CRITERIA CATEGORY CRITERIA A Required to make system work or meet regulatory requirements.

B System currently works and meets regulatory requirements; enhancement implementation as plant betterment.

I' TABLE 6-2 PHASE II CATEGORY CRITERIA CATEGORY CRITERIA Observation will impact the SPDS function of providing leading indicators of safety function groups to control room operators during abnormal and emergency conditions.

Observation will not impact the SPDS function of providing reading indicator of safety function groups to control room operators during abnormal and emergency conditions.

I I

TABLE 6-3 PHASE I & II OBSERVATION

SUMMARY

Phase I Phase II Number Observation Number Observation Task IObservationsl Categories IObservationsl Category A B IParameter Selectionl 0 0 0 0 I

I I Validation of IDessgn 46* 24 ,

19 I

I IHuman Factors 3 0 3" 0 I

I IVerification of 12* 25 25 IDesign ITOTAL 61 14 49

• Note: Three (3) observations were categorized as non-discrepancies 19, 21, and 61 a

H

'l l

I Y

Jl V

IV H

d

~

I' I

I, 1i A

II i

l '

The remaining open observations from both the Phase I and Phase II reviews have been assigned a Safety Parameter Observation (SPO's) number. Several of the observations which were similar were combined into an SPO number. The category 1 SPO's shown in Table 6-4 and listed in Appendix A have been classified as observations which are scheduled to be closed by June 1, 1985. The Category 2 observations are listed in Appendix B and have been classified as observations which will be further evaluated for implementation as a plant enhancement items. Appendix C provides a listing of those observations which have either been closed out or will not be completed along with their justification.

TABLE 6-4 OUTSTANDING SAFETY PARAMETER OBSERVATIONS (SPO')

Category Number of SPO's 25 12 Total 37

7.0 CONCLUSION

Even though several observations were noted with regard to the current SPDS system design, the SPDS as installed at PVNGS has been demonstrated to be a useful aid in assisting the plant emergency operating personnel in evaluating the safety status of the plant under normal and abnormal conditions. During the,iscenarios that were used'o validate the SPDS, the SPDS 'parameters selected to be Safety Function Group leading indica-tors proved to be a correct choice since the operators were able to obtain the necessary plant information to assess the simulated plant safety status.

The Program Plan established by APS for verifing the SPDS design proved to be of great benefit, since itthe demonstrated to be a that the system better aid to the modifications as selected did improve SPDS control room operator. This is shown by the fact that no significant new observations surfaced during the re-verification effort, yet it should be noted that several of the original (Phase I) observations with major system implications were resolved satisfactorily. Performance of this verification step has assured APS that the PVNGS SPDS as designed and installed is a powerful control room aid to be used by operators during normal, emergency and abnormal conditions.

At this time, the PVNGS SPDS operates satisfactory fulfilling all regulatory criteria. With completion of the Appendix A observations, the PVNGS system will be able to provide a further degree of reliability to ensure the safety of both the plant and the general public.

)

l f i, l(

v I

APPENDIX A CATEGORY 1 SAFETY PARAMETER OBSERVATIONS (SPO's)

~ ~

I'

Appendix A CATEGORY 1 OBSERVATIONS (Criteria: Observation will impact the SPDS function of providing leading indicators of Safety Function Groups to control room operators during abnormal and emergency conditions).

D SPO 1. Insufficient operator training of the ERFDADS (SPDS) "

equipment and display evaluation to perform the data acquisition. (1, 3, ll, 64, 65, 66, 68, 69, 71).

~Res onse: Training will be provided to the operators.

SPO 2. Ranges of alarm limits are tight, the ranges provided do not reflect level of problem (67, 77, 78, 82)

~Res onse: Alarm limits will be reviewed and redefined based upon actual plant operating parameter values.

SPO 3. Containment temperatures bar in CIN display needs to indicate that its a temperature difference and not a direct containment temperature.

(73)

~Res onse: Display labeling will be modified to ind'icate its a "Delta temperature.

SPO 4. Trend plots do not page forward and several x-y axis borders are missing. (80, 81)

~Res onse: This software defect will be corrected.

SPO 5. Invalidation of data appears not to be transmitted to other display bars using the specific invalidated parameter data. (83)

~Res onse: This problem will be corrected.

SPO 6. Radiation Monitoring System (RMS) receiver task validates data improperly. (92)

~Res onse: This validation observation will be corrected.

SPO 7. Modacs 75 mv cards were improperly scaled as 100 mv. (94)

~Res onse: This software problem will be corrected by providing cor-rect scaling.

SPO 8. Trend plots should provide autoscaling in the vertical direction on a logarithmic scale. (95)

~Res onse: This software trend plot observation will be corrected.

fl C

pl t

II

Appendix A (Continued)

CATEGORY 1 OBSERVATIONS Criteria: Observation will impact the SPDS function of providing leading indicators of safety function groups to control room operators during abnormal and emergency conditions).

SPO 9. Thermocouple inputs database and signal range incorrect. (96)

~Res ones: Correct ranges will be provided.

SPO 10. Thirty (30) minute file data is'ot achieved 100X of the time.

(100)

~Res ones: This software observation will be corrected.

SPO 11. Insufficient Task Control Block (TCB) space. (101)

~Res ones: Sufficient TCB space will be corrected.

SPO 12. Alarm limits missing for Unit 2 overloads system. (88)

~Res ones: Missing Unit 2 alarm limits will be provided to avoid overloading SPD system.

SPO 13. Alarm message appears on console device. (87)

~Res onse: This observation will be corrected.

SPO 14. MODACS database required to be compared between APS development pack and APS merged pack. (102)

~Res onse: The required comparison will be performed to ensure packs are not different.

SPO 15. Validity errors in Unit 2, overloads system. (89)

~Res onse: This Unit 2 observation will be corrected to ensure SPDS system does not overload.

SPO 16. Verify MODACS database against Setpoint List for Unit 1 SPDS points. (107)

~Res onse: The SPDS points will be verified to assure they are correct in database.

SPO 17. gSPDS/ERFDADS Link Test not completed and documented for SPDS Unit 1 points. (103)

~Res onse: lest will be performed. The QSPDS/RRPDADS link.

SPO 18. Update system operating procedure with latest modifications and incorporate into station manual format. (105, 90, 108)

~Res ones: The system operating procedure will be updated.

A-2

l4 1 I

Appendix A (Continued)

CATEGORY 1 OBSERVATIONS (Criteria: Observation will impact the SPDS function of providing leading indicators of safety function groups to control room operators during abnormal and emergency conditions).

SPO 19. Change key-caps on Aydin terminal to reflect new safety group names. (106)

~Res ones: Key-caps will be changed to reflect new Safety Function Group names.

SPO 20. Provide proper security for display and programs. (91)

~Res ense: The proper security passwords will be provided.

SPO 21. Test RMS/ERFDADS Link for SPDS Unit 1 points. (93)

~Res ones: The RNS/SRFDADS link will be tested.

SPO 22. Trend plots do not indicate a validity error. (109)

~Res ones: ibis observation will be corrected by indicating invalidity of trend values. The invalidity indication has been verified satisfactorily.

SPO 23. "Reactor Cooling Pump (RCP)" status is too slow, since it use rpm to show status. (97, 98, 99, 104)

~Res onse: This observat'ion has been corrected by using amperes only to show RCP status. The "ampere" application has been verified satisfactorily. o I

l SPO '24. Place "Steam Generator (SG) Pressures" on HRV display instead of "Steam Flow-Feed Flow". (72)

~Res onse: "Steam Plow Feed Plow" will be removed from this display HRV and replaced with SG Pressures for SG1 and SG2.

Currently "Steam Flow Feed Flow" exist on display VAX.

SPO 37. The actuation, signal indicator for CREFAS "Control Room Essential Filtration Actuation Signal" is shown on all displays, yet the system does not have an incoming input signal to drive thi.s indication. (110)

~Res ones: The proper input signal will be provided.

A-3

IJ 1

'1 If 1

II

APPENDIX 'B,.

CATEGORY 2 SAFETY PARAMETER OBSERVATIONS (SPO's)

I I I

E

Appendix B CATEGORY 2 OBSERVATIONS Criteria: Observation will not impact the SPDS function of providing leading indicators of safety function groups to control room operators during abnormal and emergency conditions).

SPO 25. The display refresh time inhabited the ability of the operator to respond in a timely manner. (15, 16, 52, 62)

~Res onse: Operator response to this observation is that the speed of the displays was irritating but not inhibiting. Since the display refresh time did not inhibit the operator ability to respond in a timely manner, APS will review methods (as a plant betterment) available to "speed up" displays to ensure that display refresh time does not irritate the operator.

SPO 26.

'll Reverse time history scale to simulate a strip chart recorder on histograms. (10)

~Res onse: Currently the time history scale on all trend plots functions properly, therefore, APS will reverse time history scale to simulate a strip chart recorder's (a plant betterment item).

SPO 27. In the "Reactivity Control" display, a new bar should be added to reflect CET saturation margin available from the QSPDS channels.

This bar will directly show totalized heating as compared to upper head set margin. Additionally, in time, the CET margin will react faster therefore, announcing to the operator any trend in totalizing heating. (32)

~Res ones: Currently in display HRV the operator has been provided a "CET-Thot" bar, APS will review (as plant betterment) whether a CET bar is required on the RTV,display.

SPO 28. "Auxiliary Feed Flow" and "Steam Generator Level" need to be within the same Heat Removal (HRV) group. (70)

~Res onse: "Aux.'eed Plow" bar currently exists 1n the VAX d1splay and the "Steam Steam Generator Level" currently exists in the HRV display, therefore, APS will review (as a plant betterment) to determine if bars need to be'displayed on same display.

SPO 29. Add bar on display VAX to indicate 4160 volt buss. (74)

~Res onse: The VAX currently d1splays flows from pumps required to ensure 'that "equipment necessary to support the other five (5)

Safety Functions are operating and responding properly. The pumps providing the flows to this display are currently fed off the 4160 volt buss, therefore an operator with the proper training would be knowledgeable of the loss 4160 volts if proper pumps failed to if operate. Therefore, APS will review (as a plant betterment) the actual bar for displaying 4160 volt buss is required.

I

"(

P fl L L

I d

Appendix B (Continued)

CATEGORY 2 OBSERVATIONS Criteria: Observation will not impact the SPDS function of providing leading indicators of safety function groups to control room operators during abnormal and emergency conditions).

SPO 30. Add "Containment Temperature" bar on displays CIN. (75)

~Res onse: Currently the CIN display for the SPDS contains a temperature difference bar which indicates a difference between the upper and lower containment temperatures. APS will review (as plant betterment) to determine if an actual direct temperature bar is required.

SPO 31. In order to access the menu listing of displays on ERFDADS (SPDS),

the operator must have the correct password. (76)

~Res once: As a plant betterment, APS will consider placing the menu screens displayable without password entry and acceptance.

Currently the menu listing is accessible to the operator having the correct password, APS will make password available to operator.

SPO 32. The "Plant Vent Stack," algorithm which drives this bar in the IRR display should indicate when the air pump for its respective monitor fails. (84)

~Res onse: Currentl y, the '"plant Vent Steak" bar is intended to indicate'o the operator that a high gas condition exists, without attempting to show a value in units of "micro curies per cubic centimeter". ,Therefore, failure of the air pump will not impact the displayed bar.

5 SPO 33. Dark red and blue on all displays are difficult to discern. (2)

~Res onse: During the Human Pactors review of the SPDS, the human factors reviewer did not make any observations regarding the color of the SPDS displays. APS will continue to monitor the operators to determine if the problem still exists after operator training.

SPO 34. The alphanumeric keys on the control room SPDS display have three additional symbols on each key. The three symbols are for programmer use only, thus 75 percent of the information on each key is for non-operator use. Provide unique key tops with only the operator function engraved. (47)

~Res onse: Unique functional keys are provided on the upper part of the control room SPDS terminal which are only to be used by the control room operator. The terminal vendor has made an effort to install the programmer related keys on, the lower half of the SPDS terminal. APS will investigate (as a plant betterment) other terminals available which will only provide those keys required by the control room operator.

B-2

~ II

~

'A 1

~ '

II C,

1' L

Appendix B (Continued)

CATEGORY 2 OBSERVATIONS Criteria: Observation will not impact the SPDS function of providing leading indicators of safety function groups to control room operators during abnormal and emergency conditions).

SPO 35. The keyboard on the control room terminal contains 34 programmer keys which could be activated by an operator and alter the display program. These keys should be removed or the function eliminated.

(48)

~Res onse: The control room operator functional keys and the programmers keys have been grouped into two (2) groups. The control room operator will only be trained on the function keys, therefore, he will avoid the programmer keys. APS will investigate (as a plant betterment) other terminal available which will only provide those keys required by the control room operator.

SPO 36. Subsystem label is larger than the system label. Information on the labels are not consistent (49) i.e., the system label shows:

1-J-SDN-UI-002A (SPDS Console Pedestal)

The subsystem label shows: 1-J-SDN-UI-002 (Color Monitor)

I

~Res ones: The existing tags are'standard plant issued tags. The larger tag is for the SPDS console pedestal, the smaller tag is for the" SPDS CRT terminal. The only function the tags provide is to indicate the, equipment identification number. The size of the tags has no relation to the importance of the equipment. Therefore, APS will review as a plant betterment any questions that might be encountered with tag sizing inconsistencies.

o B-3

9

'I

APPENDIX C NON-CATEGORY OBSERVATIONS

0 Appendix C The following items have either been closed out or will not be completed for reasons stated.

4~ Top Level RTV Bar: CEA drop causes a right deflection. When all CEA's are down the SPD should be normal.

~Res onse: ibis item was closed out by changing the algorithm for this bar and has been verified to function properly.

Prevalidity checks for steam generators on loop-oriented devices should be per loop not loop comparison.

~Res ones: Validity checks for steam generator have been changed per loop. This has been verified to function properly.

6. Wrong names on Top Level display.

~Res ones: Shia item was closed out by making the Pop Level SPD match the plant specific safety function groups.

7~ Wrong group of parameters.

~Res onse: Th1s item was closed out by selecting the leading parameters in each plant specific safety function group that would be most useful to the operator using the plant specific emergency procedures.

Implementation of this resolution has been verified.

8e Need page number on displays.

~Res ense: ibis item has been closed out by provid1ng page numbers on all displays. This has been verified satisfactorily.

9. Need number on top level SPD to access lower level display SPD's.

~Res onse: A number ad)scent to each top level SPD parameter has been provided to ease in accessing 'lower level SPD's. The lower level SPD's have also been provided with a number to assist in accessing trend plots.

12. Expand "containment isolation valve" display.,

~Res ense: Even though this item is not SPDS related, APS proceeded in good faith to redesign the containment isolation display.

13. Label all derivative functon bars.

~Res onse: APS has closed this observation by deleting all derivat1ves from the SPD bars.

14. Rod bottom display should show number of rods in and number of rods out for procedure assistance.

~Res onse: Even though this 1tem is not SPD's relatedAPS p,roceeded in good faith to add a "rod bottom" display to the lower ERFDADS displays.

I r n

t

'I III i L

n Appendix C (Continued) u The following items have either been closed out or will not be completed for reasons stated.

17. Need a simpler method to access time history graphs on ICS (TSC/EOF) displays.

~Res ones: Even though this item is not related to the SPDS ORT terminals which the operator uses in the control room, APS has proceeded in good faith to provide a number adjacent to each lower level SPD parameter to ease in excessing trend plots.

18. Provide weighting of graph length of mid-level displays to Top Level displays.

~Res ones: APS has provided a weight factor to each of the mid-level displays. This has been verified to function properly.

19. Insufficent modeling in the scenarios used for validating.

~Res ones: lhe scenarios used for the validation only modeled those values required by the SPD bars and trend plots. The scenarios did not contain values which are displayed on the P&ID's displays which are part of ERFDADS. Therefore, the values used for validating the SPD's were sufficient.

20. An "L" for "Level" should be indicated in the reactor vessel PAID display.

~Res onse: This it'em is not SPDS related, therefore, APS at this time will not change display.

21. Need alarm box on lower left of all displays for "ATWAS".

~Res onse: Since "ATlfAS" 1s a specif1c event and the PVNGS SPDS is not designed to determine specific events, an alarm box for "ATWAS" will not be provided.

22. Place engineering units on mid-level bar displays.

~Res ones: The bars are des1gned to 1nd1cate a deviat1on from a normal sole value and not to show the value of the bar parameter. Therefore, APS will not place engineering units on the mid-level displays.

23. Display 15, "RCS Integrity":

measured by the QSPDS.

~Res ones: This item is closed, since APS has provided an "Outlet Plenum Level and "Vessel Head Level" on the SPD displays. The function of this displays has been verified.

24. Display 13, "Steam Flow-Feed Flow A": Parameters should show "A" channel unless "A" is out of service.

~Res ones: This item has been closed by providing both "Steam Plow Peed Flow 1" and "Steam Flow Feed Flow 2" in displays 13 and 17. These bars have been verified to function 'properly.

C-2

I (I

8

Appendix C (Continued)

The following items have either been closed out or will not be completed for reasons stated.

25. Display 14 "Containment Atmosphere Moisture Content": This parameter is only available from the Radiation Monitoring System (RMS) and does not give a very representative sample. Additionally, the nominal environment of the containment is very humid in nominal operating conditions.

~Res ones: This bar was deleted from the SPD displays since it was identified not to be a leading parameter in each plant specific Safety Function Group that would be useful to the operation using the Plant specific emergency procedures. Therefore, this item is closed.

26. Display 12, "Core Exit Temperature": The CET bar should reflect representative CET values from the QSPDS.

~Res onse: A "GET-THot" bar has been provided on SPD display 13. This CET reflects representative CET values from the QSPDS. Therefore, this item is closed and has been verified to function properly.

27. Display 14, "Aux. Feed Water Flow": Add a bar representing both channels of Aux. Feedwater Flow.

~Res onse: On display 17 both channels of Aux. Peedwater Plow have been provided. These bars were verified to function properly. This item is closed.

28. Display 12, "Coolant Activity": Should use different monitor (i.e.,

CRACS).

Response: This bar was not identified to be a leading parameter in the plant specific Safety Function Group that is useful to the operator using the plant specific emergency procedures, therefore, was deleted from the SPDS. This item is closed.

29. Display 13, "RCS T-Ave": Change bar input to read "T-Ave" directly. The current value is too confusing to an operator expecting to read "T-Ave".

~Res onse: This bar was not identified to be a leading parameter in the plant specific Safety Function Group that is useful to the operator using the plant specific emergency procedures, therefore, was deleted from the SPDS. Verification that this bar was not required has been completed.

30. Display 14, "Ess. Cooling Water Activity": Change algorithm to display sensor 13QR2 (1312) if sensor 1SQR3 (1313) is less than 1.25E-l mc/cc.

~Res onse: . This algorithm has been modified to obtain the maximum of 1SQR2 or 1SQR3. The bar for "Ess Cooling Water" on display 15 has been verified to"function properly.

C-3

rt l 'R

~ v

Appendix C (Continued)

The following items have either been closed out or will not be completed for reasons stated.

31. On Top Level display each of the mid-level bars that make up each of the Top Level bar should contain a weighting factor as the longest bar deflection may not be the most leading factor for top level bar displacement.

~Res onse: dpg has provided a weight factor to each of the mid-level displays. This has been verified to function properly.

33. On the "RCS Integrity" bar of the top level display, a derivative function should be used to provide a leading indication for primary system integrity. A faster rising pressure will indicate flashing of steam from a leak in the primary system. Additionally, the bar should be limited to positive excursions as negative fast changes are confusing.

(33)

~Res onse: Currently, the alarm limits have been set very tight to show a fast response in the mid-level SPD bars. In addition, a weight value has been assigned to each mid-level bar to transmit mid-level bar changes to top SPD. As a result of this SPDS re-validation this comment was verified not to be true because of the above described changes.

34. "Containment Temperature" on Display 17 works, but containment temperature on display 15 does not.

~Res onse: Containment temperature (delta) has been moved to Display 16 and verified that it functions properly.

35. "CET Temperature" on Display 12 does not respond.

~Res onse: "Core Exit Temperature" (CET) has been moved to Display 13.

"CET THot" was identified to be a leading parameter in the plant specific safety function group that is useful to the operator using the plant specific emergency procedures therefore, the CET bar by itself has been deleted. The "CET-THot" bar has been verified to work properly.

36. "Containment Pressure" on Display 17 does not work.

~Res onse: This bsr has been verified to work properly.

37. "CET" bar on Display 13 goes to right with lower temperature.

~Res onse: "Core Exit 1emperature" (CE1) has been moved to display 13.

"CET THot" was identified to be a leading parameter in the plant specific safety function Group that is useful to the operator using the plant specific emergency procedure, therefore, the CET bar by itself has been deleted. The "CET-THot" bar has been verified to function properly.

38. "Linear Power" bar on 12 does not work.

~Res onse: This bar has been verified to work properly.

C-4

II w

Appendix C (Continued)

The following items have either been closed out or will not be completed for reasons stated.

39. "Moisture Content" bar on Display 15 does not work.

Response: This bar was deleted from the SPD displays since it was identified not to be a leading parameter in each plant specific Safety Function Group that would be useful to the operator using the plant specific emergency procedures. Therefore, this item is closed.

40. Blowdown activity not on PIDs.

~Res ense: This item is not related to the SPDS, therefore, APS will not proceed to take further action.

41. "Containment Recirculation Sump Level" needs to be on PAID Display 165.

~Res ones: This item is not related to the SPDS, therefore, APS will not proceed to take further action.

42. Both "steam Generator Blowdown Radiation Level" not on Displays 15.

~Res onse: "Steam Generator Slowdown Radiation" for both steam generators has been added to display 15. This bars have been verified to function properly.

43. "Containment Integrity" display gave Unit 3 mode 2.

~Res ones: This display has been verified to work properly.

44 'Containment Recirculation" time history graph needs engineering units.

~Res onse: This bar was not identified to be a leading parameter in the plant specific Safety'unction Group that is useful to the operator using the plant specific emergency procedures, therefore, this bar and its time history graph has been deleted from the SPDS.

45. "CET" time history graph does not work.

~Res onse: "Core Exit lemperatnre" (CET) has been moved to display 13.

"CET THot" was identified to be a leading parameter in the plant specific, Safety Function Group that is useful to the operator using the plant specific emergency procedures, therefore, the CET bar and trend plot has been deleted;- The "CET-THot" bar and trend plot has been verified to function properly.

1

46. "T-AVE" time history graph does not work.

~Res onse: This bar was not identified to be a leading parameter in the plant specific Safety Function Group that is useful to the operator using the plant specific emergency procedure, therefore, this bar and its trend plot have been deleted from the SPDS.

C-5

(i C

II I

Appendix C (Continued)

The following items have either been closed out or will not be completed for reasons stated.

50. Recorded system lead factor is 95.23X. Site Demonstration Test (SDT) calls for less than 80X. (Purchase Order calls for less than 50X).

~Res onse: Th1s item was not 1dentified to impact the SPDS function of providing leading indicators of Safety Function Groups to operators during abnormal and emergency conditions. Therefore, this item is closed.

51. Expected response time in the system performance test do not match those in the PO (Section 4.5.2).

~Res onse: This item was not identified to impact the SPDS function of providing leading indicators of Safety Function Groups to operators during abnormal and emergency conditions. Therefore, this item is closed.

53. Recorded response times for AJ-SDN-UI-101 (ISC) higher than those expected in Steps 33, 34, 44, 46, 49, 51, 54, 56 and 58 (System Performance Test).

~Res onse: This 1tem is not related to the SPDS CRT terminal which the control room operator uses, therefore, APS will not proceed to take further action.

54. Deviation bar and alarm boxes on top SPD do not indicate correctly. They do not follow mid-level SPDS (all terminals).

~Res onse: APS has provided a we1ght factor to each of the mid-level displays. This has been verified to function properly.

I P I 1

55. When Program "MPP" is called for data in excess of 15 minutes, program receive data missing errors.

~Res onse: This item was not identified to impact the SPDS function of providing leading indicators of Safety Function Groups to operators during abnormal and emergency conditions. Therefore, this item is closed.

56. X/g calculation up to a decade in error (short term calculation).

~Res onse: This item was not 1dentified to impact the SPDS function of providing leading indicators of safety function groups to operators during abnormal and emergency conditions. Therefore, this item is closed.

57. No log software as required was provided, although various kinds of logs were described in the System Detailed Software Specification Volume II, Parts I and III (Bechtel documents J106-4, J106-11).

~Res onse: This item was not ident1fied to impact the SPDS function of providing leading indicators of safety function groups to operators during abnormal and emergency conditions. Therefore, this item is closed.

C-6

lt I 4

Appendix C (Continued)

I

.The following items have either been closed out or will not be completed for reasons stated.

58. No group software as required was provided, although groups were described in the System Detailed Software Specification Volume II, Parts I and III (Bechtel documents J106-4, J106-11).

~Res ones: This item was not identified to impact the SPDS function of.

providing leading indicators of safety function groups to operators during abnormal and emergency conditions. Therefore, this item is closed.

59. No general purpose report written was provided.

~Res onse: This item was not identified to impact the SPDS function of providing leading indicators of Safety Function Groups to operators during abnormal and emergency conditions. Therefore, this item is closed.

60. Program "MPP"p on short and long term calculations, fails to calculate any values if any data is missing. The program should attempt to the missing data and give the operator some indication of the accuracy fill in and/or confidence of the resulting calculated values.

,~Res onse: This item was not identified to impact the SPDS function of providing leading indicators of Safety Function Groups to operators during abnormal and emergency conditions. Since this item is not SPDS related, this item is closed.

61. Accident mode display not provided.

~Res ones: This 1tem was not identified to impact the SPDS function of providing leading indicators of Safety Function Groups to operators during abnormal and emergency conditions. Since this item is not SPDS related, this item is closed.

63. The top SPD display did not reflect the plant conditions as modeled by the scenario step.

~Res onse: Based upon the comments and system design that the lop Level Display is specifically required for directing the operator to the failing safety function group, APS will leave the Top I,evel Display within the system and emphasize the use of this display during system training.

79. System should be used as a success measurement device instead of a diagnostic device.

~Res onse: Enhancement of bas1c SPDS purpose w1thin the system training will be added.

85. Auto-scaling on large values on trend plots incorrect. (85)

~Res ones: APS has correct ed this sof'tware observation. Ver1fication that the auto-scaling on large value has been demonstrated satisfactorily.

86. System will not "boot up" with year of 1985. (86)

~Res onse: APS has corrected this software observation. Verificaion that system "bo'ot up" for 1985 is satisfactorily.

C-7

f- e l

nr r

6