ML20083N672
| ML20083N672 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 04/30/1984 |
| From: | NORTHEAST NUCLEAR ENERGY CO. |
| To: | |
| Shared Package | |
| ML20083N656 | List: |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737 NUDOCS 8404190258 | |
| Download: ML20083N672 (57) | |
Text
. . _ . ._.. . .
Docket No. 50-423 Millstone Nuclear Power Station, Unit No. 3 Satety Parameter Display System Safety Analysis Report
'k April,1984 i 9404190258 840405 i
PDR ADOCK 05000423 s
,. ..F_
- __.__.~_ PDR_ . u .
m e y ,P. y 3 e - - ' + -
4-- *q -
r
d Table of Contents 1.0 Introduction 1.1 Summary of the Saiety Analysis 1.2 Discussion 1.3 - NRC Criteria 2.0 SPDS Design Description 2.1 Overview 2.2 SPDS Definition 2.3 SPDS Availability 2.4 SPDS Use and Location 2.5 ~ Modes of Operation 2.6 Display Flexibility 2.7 Data Storage 2.8 Signal Validation 2.9 Electric Power Sources 2.10 Electrical Separation 3.0 SPDS Critical Safety Function and Variable Selection -
3.1 Selection Process 3.2 - Critical Safety Functions 3.3 Critical Safety Function Variables 3.4 _ Radioactivity Control Fmetion 3.5 - Radioactivity Control Variables 3.6 Instrumentation 3.7 Analytical Basis for Critical Safety Function and Variable Selection 3.8 Emergency Response With and Without SPDS 4.0 SPDS Displays 4.1 Display Philosophy 4.2 Primary Displays 4.3 - Secondary Displays -
4.4 Other Displays 4.5 - Display Change 4.6 Variable Status Indication 5.0.. Signal Validation 5.1 _ Quality Tags-6.0 - Verification and Validation (V&V) 6.1 ~ Verification and Validation Overview 6.2 .Y and V Program 6.3 < Verification and Validation of the Emergency Operating Procedures .
^
1
Table of Contents (Cont.)
7.0 Human Factors Engineering 7.1 Human Factors Engineering 8.0 Conclusions Tables Figures Appendices:
A. Instrumentation for Critical Safety Function Monitoring B. Instrumentation for Radioactivity Control Display 1
d w
.mo
1.0 INTRODUCTION
1.1 Summary of the Safety Analysis This report provides a written safety analysis for the Millstone Unit No. 3 Safety Parameter Display System (SPDS). Information is provided to show that the SPDS is being designed to meet the provisions of Supplement I to NUREG-0737.
The SPDS is part of an Emergency Response Information System (ERIS) that combines all plant process computer functions for emergency response tasks. The critical safety functions were selected to be consistent with the Westinghouse Owners' Group Emergency Response Guidelines from which Millstone Unit No. 3 Emergency Operating Procedures (EOPs) are being developed. The SPDS displays are being developed with the consideration of human factors principles. Signals input to SPDS shall be evaluated for quality and validation. A verification and validation program will be conducted, including an independent review of the SPDS.
In this manner, a SPDS design is being developed that will provide an effective aid to the operators in determining the safety status of the plant during abnormal and emergency conditions.
1.2 Discussion The SPDS is one part of an integrated emergency response capability. It will be consistent with the Emergency Operating Procedures (EOPs) and the Operators' Training Program. For Millstone Unit No. 3, the EOPs will be based upon the Westinghouse Owners' Group Emergency Response
. Guidelines.
The Emergency Response Guidelines (ERGS) are compose'd of:
' oi ' Optimal Recovery Guidelines and Emergency Contingencies o' Critical Safet'y Fmction Status Trees and Restoration Guidelines
~
The Optimal Recovery Guidelines provide guidance for the.o~perator to
- . recover the plant from nominal design basis faulted and upset conditions.
L The Function Restoration Guidelines, when used with the Critical Safetyj Function Status Trees, provide a systematic:means for addressing any
. challenge to plant critical safety functions, which is entirely independent -
.of initiating. event or plant state. . '
~
IThe structure : of the ; Critical Ssfety Func' tion Status Trees .hasL 'been s
carefully chosen.to be compatible with the existing basis l for ' operator.
! training,;since the status' trees provide an explicit tool to re-emphasize -
.the necessity for the operator to be always aware of the state of his plant
-safety functions. An additional advantage ' derived from the introduction..
of the status tree concept directly'into the procedures structure is that the operator is provided with a performance aid, to reinforce his training.
j .
1_1-
,- d
, , e -. 1 - . .-- , +r-, -- , , . , . . - , . - - ~ w
and assist his memory, particularly during high-stress situations typical of transient or emergency conditions.
From this discussion of the Critical Safety Function Status Trees and the SPDS, it is clear that they perform the same functions and must be compatible. Thus, the Critical Safety Functions and Variables selection for SPDS has been based upon the Critical Safety Function Status Trees of the Emergency Response Guidelines.
1.3 NRC Criteria 1.3.1 Supplement 1 of NUREG r,737 Regarding the SPDS, Section 4.1 of Supplement I to NUREG-0737 identifies the following NRC criteria:
- a. The SPDS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core. This can be particularly important during anticipated transients and the initial phase of an accident.
- b. Each operating reactor shall be provided with a Safety Parameter Display System that is located convenient to the control room operators. This system will continuously display information from which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events.
- c. The SPDS shall be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety
. systems. Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available, will be developed by the licensee in parallel with the SPDS. Furthermore, operators should be trained to respond to accident conditions both with and without the SPDS available,
- d. The selection of specific information that should be provided for a particular plant shall be based on engineering judgment of individual plant licensees, taking into account the importance of prompt implementation.
- e. The SPDS display shall be designed to incorporate accepted human factors principles so that the displayed information can be readily perceived and comprehended by SPDS users.
1-2
.f. The minimum information to be provided shall be sufficient to provide information to plant operators about:
(i) Reactivity control (ii) Reactor core cooling and heat removal from the primary system (iii) Reactor coolant system integrity (iv) Radioactivity control (v) Containment conditions The specific parameters to be displayed shall be determined by the licensee.
Y-The remainder of this report defines the extent .of compliance of the Millstone Unit No. 3 SPDS with the above NRC criteria.
1.3.2 Regulatory Guide 1.97 The variables needed to determine the status of the Critical Safety
. Functions (CSFs) and Radioactivity Releases are identical to the majority
} of the Types . A, B, C 'and E variables of Regulatory Guide 1.97, and i
therefore these variables will be a maior part of the SPDS data base.
Type D variables, those needed.to assess the performance and availability of safety systems, are not part of the SPDS data base. Although not part of c the SPDS,' most~ Type D variables will be part of the plant- process t computer data base.
j The design criteria stated in Regulatory Guide 1.97 for Category I sensors infers that a third channel may be required if a failure of one channel results in information ambiguity. The SPDS will have the' capability to use techniques .such as analytic redundancy,- to -determine the. valid reading and avoid the need to install a third channel.
1.3.3 ' Generic Letter 82-28 (NUREG-0737 Item II.F.2):
~Another designated function.of 'the SPDS is to monitor the'overal1' status i'
of ' core : cooling L adequacy. The Class IE display for_ Inadequate Core Cooling (ICC) is presently provided in the = instrument rack room. To resolve this potential Human Engineering Discrepancy (HED), the primary ICC display will be provided via the SPDS.' In the event that the SPDS is -
not available during accident conditions, the ICC information will still be available on Class IE qualified devices (ICC panels).-.. As a minimum, the
' ~
'a. -. Core map of all core exit thermocouples (CETs). .
1 .
v 2' :
i l
i
- b. Pressure / Temperature Plots with the saturation curve, NPSH limits, heat-up/cooldown rates, subcooling to 2000F, superheat to 350F.
- c. Time history plots of all ICC related variables including reactor vessel level and selected temperature inputs.
1-4
2.0 SPDS DESIGN DESCRIPTION 2.1 Overview One function of the Millstone Unit No. 3 plant process coniputer system is the supplying of information required for responses to an emergency condition. Because of the need to develop integrated emergency response facilities and data systems to aid in accident management, an Emergency Response Information System (ERIS) is being developed for Millstone Unit No.3. This system will display information in the Technical Support Center and Emergency Operations Facility. This report covers only those imctions of ERIS related to SPDS.
2.2 SPDS Definition SPDS aids the control room operating crew in monitoring the status of the CSFs that constitute the basis of the plant-specific, symptom-oriented EOPs. Its principal purpose is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in a ,sessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core.
2.3 SPDS Availability Although the SPDS need not be a safety-grade system, implementation of a highly reliable, state-of-the-art SPDS is an important design objective.
As a design objective,' the availability of the SPDS will be greatu than 99 percent during normal plant operation. In this context, design availability is understood to encompass the following minimal functional capabilities:
i
.1)' The ability to monitor and display the status of all. critical safety
- f mctions.
- 2) ~ The ability to determine the value of all variables which are used in the CSF status determination. -
2.4 SPDS Use and Location SPDS displays ' of CSF status and . supporting displays of CSF-related parameters will be accessible to operators in the' vicinity of the main control . board. SPDS . displays that include EOP logic, prompts and .
algorithm information .will be available at the control room location
. where CSF monitoring will occur. .
2.5 -Modes of Operation The 'CSFs defined for Millstone Unit No. 3 are not appropriate. for all'
. modes of operation. Specifically, it is assumed that a status tree is
. entered from either a Start-up or Power Operation mode and not from a Refueling or Cold Shutdown mode.
2-l '.
The design of the SPDS for Millstone Unit No. 3 therefore only requires the availability of the SPDS in modes 1, 2, 3 and 4 (power operation, startup, hot standby, and hot shutdown).
2.6 Display Flexibility The SPDS hardware and sof tware will have the capability to display plant information in the following types of common formats, both singly and mixed formats:
Alphanumeric prompts, messages and labels EOP status trees Horizontal or vertical bar graphs Mimic /P&lD displays Multivariable plots vs. time Variable vs. variable
' 2.7 - Data Storage Capability will be- provided to store up to 375 SPDS variables for the interval from two hour pre-event to twelve hours post-event.-
-2.8 Signal Validation The SPDS will have the capability of validating individual signals used in SPDS displays and -algorithms by use of simple analysis, checking 'and comparative methods to be specified for each SPDS variable.
2.9 Electric Power Sources The SPDS, as part of the plant process computer system, will be power'ed
[ .from an uninterruptible power supply, capable of supplying. power to the j computer system af ter a loss of offsite power.
2.10 Electrical Separation e
~
. The SPDS, as part of the plant process computer system, will receive
' signals from .both' Class -IE. and non-lE sources. ' Adequate electrical -
separation in accordance with the guidance of Regulatory Guide 1.75 will-be provided for all signals, power sources and output devices.
I' 2-2
_ , , um -
3.0 SPDS CRITICAL SAFETY FUNCTION AND VARIABLE SELECTION 3.1 Selection Process The SPDS is being designed to complement the EOPs, that is, to aid the operator in implementing the EOPs. It is not intended to require the operator to use the SPDS displays in the transient identifications. The major user of the SPDS during a transient would be the senior reactor operator to "see" the overall plant condition and how actions taken by the operator under his direction affect the maintenance of the six critical safety functions.
The plan for operator response to an Engineered Safeguards System actuation is shown in Figure 1. If the specific event can be diagnosed, the operator is directed to use a defined set of procedural steps to effect plant recovery. If no diagnosis is possible, the operator is trained to monitor certain critical safety functions which indicate overall plant safety status. If any safety function is challenged, the operator is directed to a contingency action through an evaluation and identification scheme of the critical safety fmetions. To complement this plan, the SPDS can be most effectively used to continuously monitor the critical safety functions aiid assist the operator in the evaluation scheme to determine the appropriate contingency action. In this manner, the SPDS will be consistent with the W Emergency Response Guidelines.
The W Emergency Response Guidelines have identified the critical safety functions (CSFs) and have developed critical safety function status trees for critical safety function evaluation.
The Critical Safety Functions were selected to monitor three barriers to the release of radioactivity. The Critical Safety Functions are associated with the barriers in the following manner: ,
Barrier Critical Safety Function Maintenance of SUBCRITICALITY (minimize energy production in the fuel)
Maintenance of CORE COOLING (provide adequate reactor coolant for heat removal from the fuel)
Fuel Matrix Maintenance of a HEAT SINK and (provide adequate secondary coolant for heat Fuel Clad removal from the fuel)
Control of Reactor Coolant INVENTORY (maintain enough reactor coolant for effective heat removal and pressure control) 3-1
. 7
, i .
s- 1
[
, ; Y, 5
\
- Maintenance of a HEAT SINK (provide adequate heat removal from the RCS) 2 Reactor Coolant Maintenance of Reactor Coolant System System Pressure INTEGRITY Boundary (prevent failure of RCS)
Control of Reactor Coolant INVENTORY (prevent flooding and loss of pressure control)
Containment Vessel Maintenance of CONTAINMENT Integrity 4
(prevent failure of containment vessel)
Situations can arise in which the integrity of a barrier is lost and cannot
- be restored even though all Critical Safety Functions are satisfied. The classic double-ended guillotine break of reactor coolant system piping constitutes an irrevocable failure of the reactor coolant system pressure boundary barrier. In _this situation the reactor coolant system pressure boundary barrier is recognized to be failed, and all available resources are directed toward minimizing further degradation of the failed barrier and keeping the fuel matrix / cladding barrier and the containment barrier 4
intact.
The SPDS will be used to assist in the CSF evaluation by monitoring the CSFs, using the same logic as the CSF status trees. This is necessary to facilitate operator use of the SPDS in support of the Millstone Unit No. 3 Emergency Operating . Procedures. These status trees. are shown in Figures 2a-2f.
The. SPDS will also display information for' Radioactivity . Control. A display summarizing Radioactivity Control has been identified to aid the
-shift supervisor in performing his emergency response function prior to the staffing of the Emergency Response Facilities. Radioactivity Control i
.is not a critical safety' function, however, since radioactivity assessment has already been factored into the containment CSF.
3.2 Critica! %fety Functions 4
The critical' safety functions are shown in Table 1 in order of priority.
~
' The status of the critical safety function will be indicated by four states:
o Green - critical safety f unction is satisfied
,o - Yellow - critical safety function is not fully satisfied;
- o ' Orange - critical safety f unction is under severe challenge o Red - criticM safety function is in jeopardy I
m ,. . - . , . , _ , , - . . . .- ,, -, - -. , , , , , ,
The state of the critical safety functions will be determined using the status tree logic given in Figures 2a-2f.
3.3 Critical Safety Function Variables The variables for determining critical safety function status will be the decision points in the critical safety function status trees. These variables are listed in Table 2, grouped by safety function.
3.4 Radioactivity Control Function The status of the radioactivity control function will also be indicated by four states:
o Green - no abnormal releases
- o. Yellow - releases exceed unusual event (Delta-2) criteria o Orange - releases exceed alert (Charlie-1) criteria o Red - releases exceed site area emergency (Charlie-2) criteria These states were selected to correspond to the Emergency Action Levels identified in the Millstone Nuclear Power Station Emergency Plan.
3.5 Radioactivity Control Variables The ~ variables for determining the radioactivity control status were selected by identifying all potential release paths for radioactivity. These variables are listed in Table 3.
3.6 Instrumentation The instruments used in measuring the critical safety and radioactivity Lfunction variables are given in the Appendices A and B.
v.
3.7 = Analytical Basis for Critical Safety Function and Variable Selection The SPDS critical _ safety functions and variables have been chosen to be
-identical to the critical safety functions developed for _the Emergency
[ Response Guidelines.-- Thus, the analytical basis-for. the__SPDS' selection is the same as the basis for the-ERGS. These ERG critical safety function
~
c.
status trees were reviewed and approved for implementation by.the NRC in -its Safety Evaluation of L" Emergency Response _ Guidelines" (Generic.
~
Letter. 8} 22). -
h s .-
. 3.8 ,
Emergency Response With'and Without'SPDS -i
~
The Emergency Response Guidelines contain CSF: evaluations that' are simple enough to a'llow manual evaluations. This manual evaluation will-5 9
) .$< -
4 s -s =
a, t 4 y ) t h-- t i , w - A ? w awm -' t $
- be performed if the SPDS is not available. Since the SPDS is entirely compatible with the ERGS, only one set of procedures (EOPs) are required.'
l
'V 3 - b, u ,
v.
~
& 4
~'
/ a 23-4: -
~ '
1 -
., ', s'
.s, u('
+ '
< ~ -
- _I i , 'a
4.0 SPDS DISPLAYS 4.1 Display Philosophy Each display location provides independent access to SPDS displays.
Displays selected at one CRT can be different from those displays selected elsewhere. During an emergency, for example, this would allow operators to select SPDS displays that aid process control actions and permit supervisory personnel to simultaneously view SPDS displays oriented toward overview and safety assessment.
In order to maintain CSF status indication at all times, one SPDS display will include indication of the status of each CSF in a format that is common to all SPDS displays. CSF status will be supplemented on each display with a unique set of information and plant data developed to aid one or more of the following:
- a. Assessment /Centrol af CSF plant variables.
- b. EOP Entry Condition Indication.
- c. CSF Status Tree Assessment.
The set of SPDS displays and access controls will be implemented with a hierarchy or structure that facilitates and systematizes passage between displays.
- 4.2 Primary Displays At least one (1) control room CRT will continuously monitor the status of all CSFs during Modes 1, 2, 3 & 4. Other information may be displayed simultaneously as long' as the status 'of the CSFs are still able to be determined. CSF monitoring willinclude indication of the need to enter a specific Function Recovery Procedure as defined in the ERGS and EOPs.
Each SPDS display will show a common set of indications of the status of the six CSFs and of Radioactivity Control. Status indication colors will correspond to the status colors in the ERGS and EOPs. When any Fmetion Recovery entry condition is met, this will be indicated by . the CSF to which it ' applies. The format for presenting this information .will be common to all SPDS displays.
. 4.3 : Secondary Displays
- During normal,~ transient and accident conditions access will be provided to a certain number of predefined displays. These secondary displays will 4-l~
support the CSF status indicators and enable the operating crew to determine / evaluate the reasons for changes in CSF status and the potential need to enter a Function Recovery Procedure.
The set of secondary displays will consist of at least one display oriented to each of the following functions,
- a. Subcriticality CSF Variables and Status Tree.
- b. Core Cooling CSF Variables and Status Tree.
- c. Heat Sink CSF Variables and Status Tree.
- d. Integrity CSF Variables and Status Tree.
- e. Containment CSF Variables and Status Tree.
- f. Coolant Inventory CSF Variables and Status Tree.
4.4 Other Displays A- set of supporting -displays will be generated for displaying other important information such as:
a) Plant variable information to aid CSF assessment and EOP 4 . execution.
b) Inadequate core cooling variables not included in the primary display of core cooling CSF variables.
4.5 Display Change
[ - Each secondary display will be accessible through a menu.
Once a- secondary display is presented on the. CRT, other supporting displays can be accessed in a timely manner.
All display 'page changes will be operator initiated and not computer
. initiated.
4.6 - Variable Status Indication -
All -SPDS variables will be displayed with a visual . indication of the associated quality level as . determined by SPDS. data processing and '
validation, ' e.g., invalid ' or- unvalidated variables could : be _ tagged.
. Appropriate visual indication'will also-be available on displays of SPDS
' variables when out-of-scan, substituted or dummy signals are involved.
2
%S t- "
t 5- '
9' ny *'
5.0 SIGNAL VALIDATION 5.1 Quality Tags A particular problem with all computer-based systems is the presentation to the operator of believable, validated data. In the real world environment, sensors fail, instrumentation drif ts, and calculations (which depend on the quality of many sensors) become invalid if certain sensors are removed f rom scan. Of ten a group of sensors is involved in a variety of calculations. Then, if the sensor f ails or is removed from scan, the operator has no knowledge of the calculation impact.
All presentation of information for the SPDS will be associated with Quality Tags which will indicate the quality of the processed sensor signal and the quality of calculated variables. Three distinct quality levels are required:
Validated -
Validaud quality applies when multiple sensors or analytically derived variables are compared for tracking within a specified error band and are within predefined limits.
Unvalidated - Unvalidated quality applies when a single sensor is correctly processed and has passed all limit checking and reasonability tests. Since this sensor is not compared with another sensor or group of sensors or an analytically derived variable, its quality remains mvalidated.
Invalid -
Invalid quality applies when a sensor mdergoing validation processing has failad that process or when a single sensor - has failed processing quality standards.
L d- a s., :
5-1 h g .- g w
6.0 VERIFICATION AND VALIDATION (V&V) 6.1 Verification and Validation Overview This section provides an overview of the system verification and validation program. The objective of the Verification and Validation (V&V
) program is to provide a quality system through independent technical review and evaluation conducted in parallel with system development.
The primary purposes of the V&V program is to:
- a. Assure that system, procedural and documentation deficiencies are identified and corrected as early as possible in the development process,
- b. Assure that system design reflects design specifications.
- c. Assure that the installed system meets f unctional specifications.
- d. Assure complete and auditable system documentation.
6.2 V&V Program A team approach will be used for accomplishing V&V. The team composition will be multi-discipline, will include both user, systems and design functions, and will be independent ~ from system development activities. The V&V team will develop and document a V&V plan as one of its initial activities.
Procedures and techniques to be used for conducting V&V activities will be determined. -Examples of techniques that could be used to implement a balanced V&V program include:
a) Development and use of a functional capabilities matrix b) Error identification and reporting system c) Structured graphic' techniques for analysis and presentation d) Design walk-throughs
. Procedures and techniques ior each major V&V activity include:
o . System Specifications Verification o Design Verification o: System Validation 6-1
,. - g
. .~ . ._
6.3 Verification and Validation of the Emergency Operating Procedures Because the SPDS philosophy is to complement the Emergency Operating Procedures (EOPs), verification and validation of the EOPs is an L important part of the V&V of the SPDS. Verification and validation has been performed for the Westinghouse ERGS and will be performed for the
, Millstone Unit No. 3 EOPs that are being developed from these guidelines.
6.3.1 V&V of the Westinghouse Emergency Response Guidelines The Westinghouse Emergency Response Guidelines were submitted to the NRC Staff in 1982.- The NRC reviewed the:se guidelines and issued a i- Safety Evaluation Report in June,1983. The NRC Staff concluded that the guidelines were acceptable. In particular, they concluded that the six E Critical Safety Functions were sufficient to protect the three physical barriers. While some areas of additional work on the ERGS were identified, the NRC Staff recommended implementation of the ERGS.
In addition, the Westinghouse Owners' Group developed a Validation
- Program for the guidelines which included a simulator test program at the Seabrook facility in October,1983. The simulator test demonstrated that a computer-based status tree evaluation was a highly effective method of critical safety function monitoring.
Because of' the extensive verification and validation perfcrmed on the ERGS, they represent a sound basis for the development of the Millstone
- Unit No. 3 SPDS and Emergency. Operating Procedures.
6.3.2 Verification of the Millstone Unit No. 3 Emergency Operating Procedures Thel Millstone Unit N.o. "3 Emergency Operating Procedures are being developed based upon the guidance of the Westinghouse Owners' Group
- , Emergency Response Guidelines. To verify consistency between the ERGS .
and EOPs, a step by step comparison will be jointly made by the Millstone Unit No. 3 operators and the Control Room Design Review (CRDR) team. .
Justification for any differences will be provided and documented.
{ '6.3.3 Validation of the Millstone Unit No. 3 Emergency Operating Procedures
~
When the Millstone Unit No. 3 EOPs are developed, a task analysis of the procedures will be~ performed by the' Millstone Unit No.'3 operators and -
-the CRDR' team. Actions required to perform the steps in the EOPs will
~ be defined and assessed. : The control room' operators' ability to efficiently-and : correctly perform - the Lstated -' actions - _ considering M controls,-
instrumentation and physical Llayouts. wi'l-also be assessed. This task ;
= analysis will therefore;be used for verification of _ the selection of' the
- instrumentation to,be used for the critical safety function variables.
6-21 i.- s
. _ ,_- ..;, , -~ . _
The Millstone Unit No. 3 Emergency Operating Procedures will be validated upon completion. A description of the Emergency Operating Procedure Validation Program will be submitted as part of the Emergency Operating Procedures Generation Package.
' 6- 3 4
7.0 HUMAN FACTORS ENGINEERING 7.1 Human Factors Engineering The fundamental SPDS design objective is to serve as an operator aid to monitor the overall safety status of the plant. Human factors considerations must be an integral part of a program to successfully develop such a system.
-This section describes the role of the primary SPDS user, the context of use, and the human factors principles that will be incorporated into the
-SPDS design.
-7.1.1 SPDS Use The Millstone Unit No. 3 control room will be occupied by three or four licensed operators (i.e., one or two Senior Reactor Operators (SROs) and two . Reactor Operators (ROs)). One of the SROs will be the Shift
_ Supervisor (SS). The SS/SRO will be the primary SPDS user. The SPDS is intended to help the SS/SRO in managing the plant during unusual situations where problem detection and problem solving on a plant wide scale are involved.- The major role of the SPDS is to help the operating crew maintain the plant in a safe condition or to show how to return the plant to a safe condition if it has departed from normality.
The present control room and the resources available to the SS/SRO are sufficient to carry out these tasks. The SPDS is intended as an aid to the.
SS/SRO, not'as a replacement for necessary safety equipment. The SPDS serves as a concentrated data source and thus permits the SS/SRO to obtain desired information without walking the boards to. check readings.
The role'of the SS/SRO is as a decision maker and ' manager of the plant.
The role of ROs and the other SRO is to assist the SS/SRO by carrying out the tasks deemed necessary by the SS/SRO. Although Ros are carrying out specific tasks such ~as maintaining levels, starting pumps, or checking
, instrument readings, they need to be cognizant . of the -impact their
~
. operations have on overall plant condition. SPDS. displays will be '
. accessible to RO personnel to help maintain the needed understanding of the; overall picture and to foster a team approach'to plant emergency response.
- 7.1.2. Control Room Design
~
The arrangement and number of SPDS display stations in the control room will provide separate SPDS stations for1the SS/SRO (away from the boards)-and ior operators (visible'from operating stations ~at the boards).
This arrangement will provide the SS/SRO with'a good. view of the SPDS
' from his. work station (he can'see both the~ SPDS and the boards' at the
- same time) and by the operators from their stations at the boards. Thus the arrangement will permit a flexible' use, patternf which is weighted towards the needs of the SS/SRO while still permitting RO use.
2, 1-g .
a
7.1.3 Human Factors Design Requirements The final element in the SPDS applications environment relates to the imposed design constraints. One of the human factors design constraints is a direct consequence from analysis of the control room setting as it relates to viewing distances. Actually, the human factors design reflects a compromise between human factors, hardware /sof tware limitations, and styles of use. To some extent the human factors ideal must be reconciled with existing hardware /sof tware limitations. The characteristics of CRT displays, the screen resolution, and archive data retrieval times are operative examples. Style of use relates to the plant operating philosophy and preferences: Human factors must be consistent with the traditional style and information content operators expect and will use.
To deal with these somewhat competing objectives, it was encumbent to adopt a set of high-level design principles for SPDS. They are as follows:
o Design and functional simplicity o Minimal set of SPDS display pages o Critical safety function format
.7-2 1
8.0 CONCLUSION
The SPDS for Millstone Unit No. 3 is being designed to adequately address the provisions of Supplement I to NUREG-0737. Specifically:
a) The SPDS will provide a concise display of critical plant variables to aid the control room operators in determining the safety status of the plant that is consistent with the Westinghouse Emergency Response Guidelines and the Millstone Unit No. 3 Emergency Operating Procedures.
b) The SPDS will display CSF information on colorgraphic terminals located in the control room. The SPDS will display the status of the CSFs continuously. The SPDS will be part of the plant process computer system and is being designed to meet availability considerations consistent with the SPDS function.
c) Since the SPDS will be completely consistent with the Westinghouse Emergency Response Guidelines, only one set of procedures is required for emergency response with and without the SPDS. Adequate electrical separation will be provided in accordance with the guidelines of Regulatory Guide 1.75.
d) . The critical safety functions and variables have been selected to be consistent with the analytical-basis of the Emergency Response Guidelines. In general, the Regulatory Guide 1.97 instruments will '
be the source of the variables.
e) The ~ SPDS displays are being designed to meet human f actors '
principles.
f) The SPDS provides information about:
(1) reactivity control
-._ _( 2). core cooling and heat removal (3) - . RCS integrity 7 (4). . radioactivity control i
(5) containment conditions l
This' safety analysis shows that . the SPDS - will be consistent with Emergency Response Guidelines and the Millstone Unit No. ~3 Emergency Operating Procedures, and provides an integrated approach to abnormal-and emergency conditions. - Human . factors ~ principles J are being considered in the design to assure that the operators can use tne SPDS
- effectively. . A iVerification and Validation 1 Program will assure .that independent, reviews are conder:d to assure proper implementation of ~
-the SPDS design.
8-1'
?
1 s g g ,- e y -
e'w- , , - , -mr
e ;
' The development of the SPDS will be an effective aid for the control room operators to determine the safety status of the plant during 2
abnormal and emergency conditions.
4 h
t i.
=4
{
2 s
.a -,
g
- m
.3-L.
j J
TABLE 1: Critical Saf ety Fmeti 7_ns I. Subcriticality - Highest Priority II. Core Cooling
^
III. Heat Sink IV. Integrity V. Containment i f VI. . Inventory Lowest Priority
(
r N
-'t ;
i 4
y e ., * , , -e. . , -. . - ,
TABLE 2: Critical Safety Function Variables SAFETY FUNCTION VARIABLE I. Subcriticality 1. Reactor trip
- 2. Power level
- 3. Startup rate
- 4. Source range energized II.. Core Cooling 1. Core exit temperature
- 2. RCS subcooling
- 3. RC pump status
- 4. RV level Ill.- Heat Sink 1. S/G level
- 2. Total FW flow rate
- 3. S/G pressure IV. Integrity 1. Cooldown Rate
- 2. RCS temperature
- 3. RCS presstre '
V. Containment 1.- Containment pressure
- 2. . Containment level 3 ~ Containment radiation VI. RCS Inventory 1. Pressurizer level
- 2. Reactor vessellevel
TABLE 3: Variables for Radioactivity Control
- 1. Main Steam Line Radiation a) main steam line radiation monitor b) steam generator safety valve status c) atmospheric dump valve status d) auxiliary feedwater pump steam status
- 2. Effluent Radiation a) stack monitor b) stack flow rate
P-FIGURES I
.q; ~ _ _
_. q
) '
I I
DIAGNOSE? No f MONITOR CRITICAL
~~~Y SAFETY FUNCTIONS d /\
/
/
/
Yes /
/
/
\/ fe N /
RECOVERY CONTINGENCY ACTIONS ACTIONS OPERATOR RESPONSE LOGIC FOLLOWING ACTUATION OF ENGINEERED SAFEGUARDS SYSTEM FIGURE 1
Number:
Title:
Rev. Issue /Date:
F-0.1 SUBCRITICALITY ' '
HP/LP, REV.1 1 Sept.,1983 POWER RANGE GREATER THAN 5%
GO TO FR-S.t i
INTERMEDIATE RANGE SUR POSITIVE E
FR-S.
1 INTERMEDIATE RANGE SUR MORE POSITIVE THAN POWER RANGE l 42DPM LESS THAN 5% g #*****9*##* GO TO FR-S.2 SOURCE RANGE =
NOT ENERGIZED ,
{
i
~ INTERMEDIATE RANGE SUR MORE NEGATIVE THAN
-0.2 DPM CSF l SAT lNTERMEDIATE RANGE SUR j ZERO OR NEGATIVE i SOURCE RANGE SUR POSITIVE menenemmeme GO TO SOURCE RANGE e ENERGlZED -
~ '
- SOURCE RANGE SUR
. ZERO OR NEGATIVE CSF SAT FIGURE 2a
Number:
Title:
Rev. true/Date:
F-0.2 CORE COOLING HP/LP, REV.1 1 Sept.,1983 l
CORE EXITTCs GREATERTHAN12000F GOTO i FR-C.1 RVLIS FULL RANGE
' LESS THAN(2)
GO TO
,- CORE EXIT TCs FR-C.1 I
GREATER THAN 7000F RVLIS FULL RANGE i E GREATERTHAN(2)
+ LESS THAN (2)
CORE EXITTCs p GOTO FR-gl RCS SUBCOOLING LESS THAN 7000F g
- RVLIS FULL RANGE
. EATER THAN (2)
! LESS THAN(1)'F ^^ * * [ GO TO i
FR-C.3 4
RVLIS DYNAMIC HEAD RANGE LESS THAN TABLE l
fMMEE (3)-4 RCP GO TO FR-C.2 CORE EXITYCs ATLEASTONE (4)-3 RCP i
LESSTHAN12000F RCP RilNNING g 5)-2RCP
_, , ((6)-1 RCP m
o RVLIS DYNAMIC HEAD RANGE o GREATER THAN TABLE
- RCS SUBCOOLlhG neoenenneee !
'GOTO FR-C.3 BASED ON CORE EXITTCs i GREATER THAN(1)0F CSF SAT
{ FIGURE 2b 1-g 1
Number:
Title:
Rev. Issue /Date:
F-0.3 HEAT SINK HP/LP, REV.1 1 Sept.,1983 TOTAL FWFLOWTO SGs LESS THAN (2) GPM GO TO NR LEVEL FR H.1 IN ALL SGs LESS THAN
, (1)% PRESSUREIN ANYSG GREATER THAN(3)PSIG pn-nnnnnn-rana TOTAL n
^
aaeaaem6**eaneanaee GO TO FR-H.2 -
FWFLOWTO a-SGs GREATER ^
THAN(2)GPM ^ NR LEVELIN ANYSG
+ GREATER THAN(4)%
3 anmmar.ance nnnnamaeannemen ' GOTO c * ' FR H.3
' NR Lt. VEL IN AT' ^
PRESSUREIN LEASTONESG 6 ALL SGs LESS GREATER THAN(1)% n PRESSUREIN ANY SG
[ THAN(3)PSIG GREATER THAN(5)PSIG
""****'"'*^*******
m FR-H.4 n
NR LEVELIN ALL ^
j SGs LESS THAN (4)% 6 NR LEVELIN ANY SG LESS THAN(1)%
enr -e nrn ma s )RESSUREIN s FR-H.S ALL SGs 6
! LESS THAN(5)PSIG NR LEVELIN ALL SGs i
i GREATER THAN(1)%
E I
Number:
Title:
Rev. Issue /Date:
F-0.4 l INTEGRITY HP/LP, REV.1 l 1 Sept.,1983 ANY RCS PRESSURE - COLD LEG TEMPERATURE POINT TO LEFT OF LIMIT A GO TO TEMPERATURE DECREASE FR-P.1 IN ANY COLD LEG GREATER THAN 100* FIN THE LAST 60 MINUTES ANY RCS COLD LEG TEMPERATURE LESS THAN(1)0F GOTO MMMMM FR-P.1 ALL RCS PRESSURE-COLD F EM 4
LEG TEMPERATURE POINTSE TO RIGHT OF LIMIT A TJ ANY RCS COLD LEG TEMPERATURE LESS THAN (2)0F ALL RCS COLD LEG
^'""^f' '
GOTO
& ' FR-P.2 TEMPERATURES GREATER -
l THAN (1)0F -
E "
[T i
,3 ALL RCS COLD LEG TEMPERATURES GREATER THAN (2)0F CSF U ANY RCS COI.D LEG
= T1 T2 TEMPERATURE COLD LEG TEMPERATURE
- LESS THAN(1)0F gm GO TO pp_p j RCS PRESSL'.9E GREATER THAN g ALL RCS COLD LEG COLD OVERPRESSURE LIMIT I TEMPERATURES TEMPERATURE DECREASE i GREATER THAN (1)0F IN ALL COLD LEGS RCS TEMPERATURE ' GOTO i LESS THAN 1000F LESS THAN(3) F ' FR-P.2
- IN THE LAST 60 MINUTES ~
l RCS PRESSUPE LESS THAN COLD OVERPRESSURE LIMIT CSF RCS TEMPERATURE OAI GREATER THAN (3)0F j '
! FIGURE 2d
j Number:
Title:
Rev. Issue /Date:
F-0.5 CONTAINMENT HP/LP, REV.1 1 Sept.,1983 l
i CONTAINMENT PRESSURE :
l GREATER THAN (1) PSIG l
GO TO FR-Z.1 i 4
CONTAINMENT PRESSURE
) GREATER THAN (2) PSIG l
CONTAINMENTPRESSURE g LESS THAN (1) PSIG g 0= .
- CONTAINMENT SUMP LEVEL GREATER THAN (3)
"EEE FR-Z.2 i l
t CONTAINMENTPRESSURE l LESS THAN (2) PSIG i CONTAINMENT RADIATION
- GREATER THAN (4) i
- ,nge GO TO FR-Z.3 CONTAINMENT SUMP LEVEL 1 -'
{
- LESS THAN (3)
- ~
l CONTAINMENT RADIATION I LESS THAN (4)
, CSF
{
SAT FIGURE 2e
Mugagier.- TMie: Rev. Issue /Date:
F-0.6 INVENTORY HP/LP, REV.1 1 Sept.,1983 t
RVLIS INuiCATES
. nee,',.,......
UPPER HF .D NOT FULL (3) pg,1o , ,
' PRZR LEVEL ^-
- GREATER THAN (1)% 6 i- n
- RVLIS INDICATES
^ UPPER HEAD FULL (3) aommoeoeaaeae GO pg.,TO PRZR LEVEL
. LESS THAN (2)%
-,n--e e.
nnn.en-nannosemenen ..
GO pg.,TO PRZR LEVEL ~
LESS THAN (1)%
L ,
RVLIS INDICATES
- UPPER HEAD NOT FULL (3) enneemnnemans 0
fg*.,[3 PRZR LEVEL n
- GREATER THAN (2)%
f _
RVLIS INDICATES UPPER HEAD FULL (3)
SF I SAT
- t. FIGbRE 2f
APPENDIX A INSTRUMENTATION FOR CRITICAL SAFETY FUNCTION MONITORING 4
CRITICAL SAFETY FUNCTION: Subcriticality l VARIABLE: Reactor Trip f r 1
Description Instrument No.
Reactor Trip Breaker A RP5RTA
,. Reactor Trip Breaker B RP5RTB
. Trip Signal later
- j. .
4 4
s r
i
~ , ., , , , , ,..s. . - -.
CRITICAL SAFETY FUNCTION: Subcriticality VARIABLE: Power Description Instrument No.
Power Range NM41F Monitors NM42F NM43F NM44F Wide Range Fission Channels A and B later O*
4 i /
r CRITICAL SAFETY FUNCTION: Suberiticality VARIABLE: Startup Rate Description Instrument No.
Inter mediate NM35B Range Monitx NM36B Source Range NM31F Monitor NM32F Wide Range Fission Channels A and B later 4-s
, :, - e ,- -, _-
-m - -, . - , , - .
CRITICAL SAFETY FUNCTION: Subcriticality VARIABLE: Source R.mge Energized Description Instrument No.
Source Range NC31H Loss of Voltage NC32H s-i
r CRITICAL SAFETY FUNCTION: Core Cooling VARIABLE: Core Exit Temperature 1
Description Instrument No.
k- Core Exit CTST1-Thermocouples CTST50 3
K.
4 0
h t
J-1 4
4 1
t I
!~
i d
r-
. -- y y ,v.-,,, . , , - ,, , --,,,3. ,- - -p -v,.,--- - 4--y,.y 4 ,, e 4 , rw-- , -g 9
CRITICAL SAFETY FUNCTION: Core Cooling VARIABLE: RCS Subcooling Desc'ription Instrtrnent No.
ICC Processors later Unheated Junction of the HJTC from ICC Processors later Core Exit Thermocouples CTST1-CTST50 Cold Leg RTDs RCS-T413B/423B/433B/443B Hot Leg RTDs RCS-T413A/423A/433A/443A Pressurizer Pressure RCS-P455/456/457/458 RCS Pressure RCS-P403/405 i
e f
, - - + , -
4 j
CRITICAL SAFETY FUNCTION: Core Cooling VARIABLE: RC Pump Status r
Description Instrurnent No.
4 RC Pump Speed #1 RCP5475 2 RCP5476 2 RCP5477
, 3 RCP5478 '
RCS Loop Flow 1 RCS-F414/415/416 1
2 RCS-F424/425/426 3 RCS-F434/435/436 4 RCS-F444/445/446 1
- i. : , s . _ _, _. _ _ _ . . . . - - - , ,
CRITICAL SAFETY FUNCTION: Core Cooling VARIABLE: RV level Description Instrument No.
ICC Processors later
.m_ --
CRITICAL SAFETY FUNCTION: Heat Sink VARIABLE: S/G level Description Instrurnent No.
Narrow Range S/G Level
- 1 FWS-L517/L518/L519
- 2 FWS-L527/L528/L529
- 3 FWS-L537/L538/L539
- 4 FWS-L547/L548/L549 Wide Range S/G Level
- 1 FWS-L501/551
- 2 FWS-L502/522
- 3 .
FWS-L503/553
- 4 FWS-L504/554 5
~ , , , - - -e, -+ s n - ,
CRITICAL SAFETY FUNCTION: Heat Sink VARIABLE: Total FW Flow Description Instrument No.
MFWI FWS-F510/511 2 FWS-F520/521 3 FWS-F530/531 4 FWS-F540/541 AFWl FWA-F33A 2 FWA-F33B 3 FWA-F33C 4- FWA-F33D
CRITICAL SAFETY FUNCTION: Heat Sink VARIABLE: S/G pressure s Description Instrument No.
S/G Outlet Pressure 1 MSS-P514/5/6 2 MSS-PS24/5/6 3 MSS-P534/5/6 4 MSS-P544/5/6 4
e i.
i 8
P 4
+
i l
!- l
CRITICAL SAFETY FUNCTION: Integrity VARIABLE: Cooldown Rate Description Instrument No.
Cold Leg RTD Loop #1 T413B 2 T423B 3 T433B 4 T443B
$)
- r. - w
+
CRITICAL SAFETY FUNCTION: Integrity VARIABLE: RCS Temperature i.
Description Instrument No.
Cold Leg RTD's Loop #1 T413B 2 T423B 3 T433B 4 T443B 5
-'., .. _ . , _ . - _ . . _. _ _ . .- . _ . . . .;.. . , . . . - - - . . .,m... -__ .__ , --_,.~ m..-,
CRITICAL SAFETY FUNCTION: Integrity VARIABLE: RCS pressure
, Description Instrument No.
Pressurizer RCS P456 Pressure RCS P457 RCS P458 Wide Range RCS P403/405 RCS Presstre i
i
+
i r
I S
h '
h M
a y p r --.e, , . - . r- , ,~ , . w,- y .,-,,y-, , ,.y3 g, w . , - r
- $$~.
CRITICAL SAFETY FUNCTION: Containment VARIABLE: Containment Pressure Description Instrument No.
Wide Range Pressure RMS-P24A RMS-P24B Narrow Range Pressure LMS-P934 LMS-P935 LMS-P936 LMS-P937 4
r"
TgF-CRITICAL SAFETY FUNCTION: Containment VARIABLE: Water Level Description Instrument No.
i Wide Range Sump Level DAS-L-22 i DAS-L-39 O
P w
t I
I, '
7 i
s
-- , . - , m,w--,, , , . . . - ~ ,-,+3 . - m r-.. _ ,r-.y,_ ,-- , - -,.-- . . .- , . -
'l CRITICAL SAFETY FUNCTION: Containment i
VARIABLE: Containment Area Radiation i
i i
Description Instrument No.
i Wide Range Monitors 3RMS*RE04 3RMS*RE05 1
i
'I 4 L
I f
T I
D,.
4 6
e o
m ., , - -- , m, n- . , , . .,v-< p y- -,r- , - - - + ~-m---, e*m-me
i 1
CRITICAL SAFETY FUNCTION: Inventory VARIABLE: Pressurizer Level Description Instrument No.
Pressurizer Level RCS L459 RCS L460 RCS L461 I.
I
CRITICAL SAFETY FUNCTION: Inventory VARIABLE: RV level Description Instrument No.
ICC Processors later 4 .
APPENDIX B INSTRUMENTATION FOR RADIOACTIVITY CONTROL DISPLAY
RADIOACTIVITY CONTROL DISPLAY VARIABLE: Main Steam Line Radiation Description Instrument No.
Main Steam Line 3 MMS *RE75 Radiation Monitors 3 MMS *RE76 3 MMS
- RE77 3 MMS *RE78 Saf ety Valve later Flow Switches Atmospheric Disnp later Valve Flow Switches Auxiliary Feed Pump later Steam Flow Switches
RADIOACTIVITY CONTROL DISPLAY VARIABLE: Effluent Radiation Description Instrurnent No.
Stack Monitor 3HVR-RE19 Stack Flow Rate 3GWS-FT51/79
.e C
' i e
9
.4